[PATCH v2 1/3] sshsig: move cert_filter_principals() for reuse

Fabian Stelzer fs at gigacodes.de
Wed Nov 3 19:51:10 AEDT 2021


---
 sshsig.c | 108 +++++++++++++++++++++++++++----------------------------
 1 file changed, 54 insertions(+), 54 deletions(-)

diff --git a/sshsig.c b/sshsig.c
index d0d401a3..40d132d3 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -812,6 +812,60 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
 	return r;
 }
 
+static int
+cert_filter_principals(const char *path, u_long linenum,
+    char **principalsp, const struct sshkey *cert, uint64_t verify_time)
+{
+	char *cp, *oprincipals, *principals;
+	const char *reason;
+	struct sshbuf *nprincipals;
+	int r = SSH_ERR_INTERNAL_ERROR, success = 0;
+
+	oprincipals = principals = *principalsp;
+	*principalsp = NULL;
+
+	if ((nprincipals = sshbuf_new()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
+		if (strcspn(cp, "!?*") != strlen(cp)) {
+			debug("%s:%lu: principal \"%s\" not authorized: "
+			    "contains wildcards", path, linenum, cp);
+			continue;
+		}
+		/* Check against principals list in certificate */
+		if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
+		    verify_time, cp, &reason)) != 0) {
+			debug("%s:%lu: principal \"%s\" not authorized: %s",
+			    path, linenum, cp, reason);
+			continue;
+		}
+		if ((r = sshbuf_putf(nprincipals, "%s%s",
+		    sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
+			error_f("buffer error");
+			goto out;
+		}
+	}
+	if (sshbuf_len(nprincipals) == 0) {
+		error("%s:%lu: no valid principals found", path, linenum);
+		r = SSH_ERR_KEY_CERT_INVALID;
+		goto out;
+	}
+	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+		error_f("buffer error");
+		goto out;
+	}
+	/* success */
+	success = 1;
+	*principalsp = principals;
+ out:
+	sshbuf_free(nprincipals);
+	free(oprincipals);
+	return success ? 0 : r;
+}
+
 static int
 check_allowed_keys_line(const char *path, u_long linenum, char *line,
     const struct sshkey *sign_key, const char *principal,
@@ -925,60 +979,6 @@ sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
 	return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;
 }
 
-static int
-cert_filter_principals(const char *path, u_long linenum,
-    char **principalsp, const struct sshkey *cert, uint64_t verify_time)
-{
-	char *cp, *oprincipals, *principals;
-	const char *reason;
-	struct sshbuf *nprincipals;
-	int r = SSH_ERR_INTERNAL_ERROR, success = 0;
-
-	oprincipals = principals = *principalsp;
-	*principalsp = NULL;
-
-	if ((nprincipals = sshbuf_new()) == NULL) {
-		r = SSH_ERR_ALLOC_FAIL;
-		goto out;
-	}
-
-	while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
-		if (strcspn(cp, "!?*") != strlen(cp)) {
-			debug("%s:%lu: principal \"%s\" not authorized: "
-			    "contains wildcards", path, linenum, cp);
-			continue;
-		}
-		/* Check against principals list in certificate */
-		if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
-		    verify_time, cp, &reason)) != 0) {
-			debug("%s:%lu: principal \"%s\" not authorized: %s",
-			    path, linenum, cp, reason);
-			continue;
-		}
-		if ((r = sshbuf_putf(nprincipals, "%s%s",
-		    sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
-			error_f("buffer error");
-			goto out;
-		}
-	}
-	if (sshbuf_len(nprincipals) == 0) {
-		error("%s:%lu: no valid principals found", path, linenum);
-		r = SSH_ERR_KEY_CERT_INVALID;
-		goto out;
-	}
-	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
-		error_f("buffer error");
-		goto out;
-	}
-	/* success */
-	success = 1;
-	*principalsp = principals;
- out:
-	sshbuf_free(nprincipals);
-	free(oprincipals);
-	return success ? 0 : r;
-}
-
 static int
 get_matching_principals_from_line(const char *path, u_long linenum, char *line,
     const struct sshkey *sign_key, uint64_t verify_time, char **principalsp)
-- 
2.31.1



More information about the openssh-unix-dev mailing list