author | djm@openbsd.org <djm@openbsd.org> | 2023-06-21 07:10:26 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2023-06-21 07:13:56 +0200 |
commit | c1c2ca1365b3f7b626683690bd2c68265f6d8ffd (patch) | |
tree | e6a60fdd49b7b57cb35573cbcbbf305b517c0488 /readconf.c | |
parent | upstream: make `ssh -Q CASignatureAlgorithms` only list signature (diff) | |
upstream: better validate CASignatureAlgorithms in ssh_config and
sshd_config.
Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.
part of bz3577; ok dtucker@
OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912
Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/readconf.c b/readconf.c
index 0816ef6b3..bb3bf767b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.376 2023/03/31 04:23:02 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.377 2023/06/21 05:10:26 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -945,7 +945,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
 char **cpptr, ***cppptr, fwdarg[256];
 u_int i, *uintptr, uvalue, max_entries = 0;
 int r, oactive, negated, opcode, *intptr, value, value2, cmdline = 0;
- int remotefwd, dynamicfwd;
+ int remotefwd, dynamicfwd, ca_only = 0;
 LogLevel *log_level_ptr;
 SyslogFacility *log_facility_ptr;
 long long val64;
@@ -1441,6 +1441,7 @@ parse_int:
 case oHostKeyAlgorithms:
 charptr = &options->hostkeyalgorithms;
+ ca_only = 0;
 parse_pubkey_algos:
 arg = argv_next(&ac, &av);
 if (!arg || *arg == '\0') {
@@ -1450,7 +1451,7 @@ parse_pubkey_algos:
 }
 if (*arg != '-' &&
 !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
- arg + 1 : arg, 1)) {
+ arg + 1 : arg, 1, ca_only)) {
 error("%s line %d: Bad key types '%s'.",
 filename, linenum, arg ? arg : "<NONE>");
 goto out;
@@ -1461,6 +1462,7 @@ parse_pubkey_algos:
 case oCASignatureAlgorithms:
 charptr = &options->ca_sign_algorithms;
+ ca_only = 1;
 goto parse_pubkey_algos;
 case oLogLevel:
@@ -2117,10 +2119,12 @@ parse_pubkey_algos:
 case oHostbasedAcceptedAlgorithms:
 charptr = &options->hostbased_accepted_algos;
+ ca_only = 0;
 goto parse_pubkey_algos;
 case oPubkeyAcceptedAlgorithms:
 charptr = &options->pubkey_accepted_algos;
+ ca_only = 0;
 goto parse_pubkey_algos;
 case oAddKeysToAgent: |
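Review bot: The `error("%s line %d: Bad key types '%s'.", ...)` path in the `@@ -1450` hunk now also rejects certificate algorithm names given to CASignatureAlgorithms, but the message does not say why, so a configuration that was accepted before this change fails with a generic diagnostic; consider appending the reason when `ca_only` is set, e.g. `error("%s line %d: Bad key types '%s'%s.", filename, linenum, arg ? arg : "<NONE>", ca_only ? " (certificate algorithms are not allowed here)" : "");`. The `parse_pubkey_algos:` label is reached by fall-through from oHostKeyAlgorithms and by goto from three other cases, each of which now sets `ca_only` explicitly; a comment at the label such as `/* every path to this label must set ca_only first; a missed site would silently accept certificate names */` would make that contract visible, because the `= 0` initializer in the declaration hunk would otherwise mask an omission rather than fail loudly. The enclosing process_config_line_depth() begins and ends outside these hunks, so whether any further goto to the label exists cannot be confirmed from the diff alone.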