- djm@cvs.openbsd.org 2010/08/04 05:40:39
[PROTOCOL.certkeys ssh-keygen.c]
tighten the rules for certificate encoding by requiring that options
appear in lexical order and make our ssh-keygen comply. ok markus@
diff --git a/ChangeLog b/ChangeLog
index eadbb9a..7395473 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
Remove mentions of weird "addr/port" alternate address format for IPv6
addresses combinations. It hasn't worked for ages and we have supported
the more commen "[addr]:port" format for a long time. ok jmc@ markus@
+ - djm@cvs.openbsd.org 2010/08/04 05:40:39
+ [PROTOCOL.certkeys ssh-keygen.c]
+ tighten the rules for certificate encoding by requiring that options
+ appear in lexical order and make our ssh-keygen comply. ok markus@
20100903
- (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 81b02a0..1d1be13 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -157,6 +157,9 @@
string name
string data
+Options must be lexically ordered by "name" if they appear in the
+sequence.
+
The name field identifies the option and the data field encodes
option-specific information (see below). All options are
"critical", if an implementation does not recognise a option
@@ -185,9 +188,10 @@
----------
The extensions section of the certificate specifies zero or more
-non-critical certificate extensions. The encoding of extensions in this
-field is identical to that of the critical options. If an implementation
-does not recognise an extension, then it should ignore it.
+non-critical certificate extensions. The encoding and ordering of
+extensions in this field is identical to that of the critical options.
+If an implementation does not recognise an extension, then it should
+ignore it.
The supported extensions and the contents and structure of their data
fields are:
@@ -218,4 +222,4 @@
of this script will not be permitted if
this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 56bfee2..4c60a65 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.195 2010/07/16 04:45:30 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.196 2010/08/04 05:40:39 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1295,9 +1295,9 @@
prepare_options_buf(Buffer *c, int which)
{
buffer_clear(c);
- if ((which & OPTIONS_EXTENSIONS) != 0 &&
- (certflags_flags & CERTOPT_X_FWD) != 0)
- add_flag_option(c, "permit-X11-forwarding");
+ if ((which & OPTIONS_CRITICAL) != 0 &&
+ certflags_command != NULL)
+ add_string_option(c, "force-command", certflags_command);
if ((which & OPTIONS_EXTENSIONS) != 0 &&
(certflags_flags & CERTOPT_AGENT_FWD) != 0)
add_flag_option(c, "permit-agent-forwarding");
@@ -1310,9 +1310,9 @@
if ((which & OPTIONS_EXTENSIONS) != 0 &&
(certflags_flags & CERTOPT_USER_RC) != 0)
add_flag_option(c, "permit-user-rc");
- if ((which & OPTIONS_CRITICAL) != 0 &&
- certflags_command != NULL)
- add_string_option(c, "force-command", certflags_command);
+ if ((which & OPTIONS_EXTENSIONS) != 0 &&
+ (certflags_flags & CERTOPT_X_FWD) != 0)
+ add_flag_option(c, "permit-X11-forwarding");
if ((which & OPTIONS_CRITICAL) != 0 &&
certflags_src_addr != NULL)
add_string_option(c, "source-address", certflags_src_addr);