summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/sshkey.c23
-rw-r--r--usr.bin/ssh/sshkey.h3
2 files changed, 24 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index 9b88f11107d..997d107cec4 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.67 2018/09/12 01:31:30 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.68 2018/09/12 01:32:54 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -2215,6 +2215,27 @@ get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
}
/*
+ *
+ * Checks whether a certificate's signature type is allowed.
+ * Returns 0 (success) if the certificate signature type appears in the
+ * "allowed" pattern-list, or the key is not a certificate to begin with.
+ * Otherwise returns a ssherr.h code.
+ */
+int
+sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
+{
+ if (key == NULL || allowed == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ if (!sshkey_type_is_cert(key->type))
+ return 0;
+ if (key->cert == NULL || key->cert->signature_type == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
+ return SSH_ERR_SIGN_ALG_UNSUPPORTED;
+ return 0;
+}
+
+/*
* Returns the expected signature algorithm for a given public key algorithm.
*/
const char *
diff --git a/usr.bin/ssh/sshkey.h b/usr.bin/ssh/sshkey.h
index 1acf7f7cc38..2ee661648be 100644
--- a/usr.bin/ssh/sshkey.h
+++ b/usr.bin/ssh/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.27 2018/09/12 01:31:30 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.28 2018/09/12 01:32:54 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -152,6 +152,7 @@ int sshkey_cert_check_authority(const struct sshkey *, int, int,
const char *, const char **);
size_t sshkey_format_cert_validity(const struct sshkey_cert *,
char *, size_t) __attribute__((__bounded__(__string__, 2, 3)));
+int sshkey_check_cert_sigtype(const struct sshkey *, const char *);
int sshkey_certify(struct sshkey *, struct sshkey *, const char *);
/* Variant allowing use of a custom signature function (e.g. for ssh-agent) */