[PATCH v2 1/3] sshsig: move cert_filter_principals() for reuse
Fabian Stelzer
fs at gigacodes.de
Wed Nov 3 19:51:10 AEDT 2021
---
sshsig.c | 108 +++++++++++++++++++++++++++----------------------------
1 file changed, 54 insertions(+), 54 deletions(-)
diff --git a/sshsig.c b/sshsig.c
index d0d401a3..40d132d3 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -812,6 +812,60 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
return r;
}
+static int
+cert_filter_principals(const char *path, u_long linenum,
+ char **principalsp, const struct sshkey *cert, uint64_t verify_time)
+{
+ char *cp, *oprincipals, *principals;
+ const char *reason;
+ struct sshbuf *nprincipals;
+ int r = SSH_ERR_INTERNAL_ERROR, success = 0;
+
+ oprincipals = principals = *principalsp;
+ *principalsp = NULL;
+
+ if ((nprincipals = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
+ if (strcspn(cp, "!?*") != strlen(cp)) {
+ debug("%s:%lu: principal \"%s\" not authorized: "
+ "contains wildcards", path, linenum, cp);
+ continue;
+ }
+ /* Check against principals list in certificate */
+ if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
+ verify_time, cp, &reason)) != 0) {
+ debug("%s:%lu: principal \"%s\" not authorized: %s",
+ path, linenum, cp, reason);
+ continue;
+ }
+ if ((r = sshbuf_putf(nprincipals, "%s%s",
+ sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
+ error_f("buffer error");
+ goto out;
+ }
+ }
+ if (sshbuf_len(nprincipals) == 0) {
+ error("%s:%lu: no valid principals found", path, linenum);
+ r = SSH_ERR_KEY_CERT_INVALID;
+ goto out;
+ }
+ if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ error_f("buffer error");
+ goto out;
+ }
+ /* success */
+ success = 1;
+ *principalsp = principals;
+ out:
+ sshbuf_free(nprincipals);
+ free(oprincipals);
+ return success ? 0 : r;
+}
+
static int
check_allowed_keys_line(const char *path, u_long linenum, char *line,
const struct sshkey *sign_key, const char *principal,
@@ -925,60 +979,6 @@ sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;
}
-static int
-cert_filter_principals(const char *path, u_long linenum,
- char **principalsp, const struct sshkey *cert, uint64_t verify_time)
-{
- char *cp, *oprincipals, *principals;
- const char *reason;
- struct sshbuf *nprincipals;
- int r = SSH_ERR_INTERNAL_ERROR, success = 0;
-
- oprincipals = principals = *principalsp;
- *principalsp = NULL;
-
- if ((nprincipals = sshbuf_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
-
- while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
- if (strcspn(cp, "!?*") != strlen(cp)) {
- debug("%s:%lu: principal \"%s\" not authorized: "
- "contains wildcards", path, linenum, cp);
- continue;
- }
- /* Check against principals list in certificate */
- if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
- verify_time, cp, &reason)) != 0) {
- debug("%s:%lu: principal \"%s\" not authorized: %s",
- path, linenum, cp, reason);
- continue;
- }
- if ((r = sshbuf_putf(nprincipals, "%s%s",
- sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
- error_f("buffer error");
- goto out;
- }
- }
- if (sshbuf_len(nprincipals) == 0) {
- error("%s:%lu: no valid principals found", path, linenum);
- r = SSH_ERR_KEY_CERT_INVALID;
- goto out;
- }
- if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
- error_f("buffer error");
- goto out;
- }
- /* success */
- success = 1;
- *principalsp = principals;
- out:
- sshbuf_free(nprincipals);
- free(oprincipals);
- return success ? 0 : r;
-}
-
static int
get_matching_principals_from_line(const char *path, u_long linenum, char *line,
const struct sshkey *sign_key, uint64_t verify_time, char **principalsp)
--
2.31.1
More information about the openssh-unix-dev
mailing list