From 3cfb9f15c64407ad94f098ba8c436e9c3804ca6b Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 29 Dec 2013 04:20:04 +0000
Subject: [PATCH] to make sure we don't omit any key types as valid CA keys again, factor the valid key type check into a key_type_is_valid_ca() function

---
 usr.bin/ssh/key.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/usr.bin/ssh/key.c b/usr.bin/ssh/key.c
index b49754e2cba..17384d1a0b6 100644
--- a/usr.bin/ssh/key.c
+++ b/usr.bin/ssh/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.113 2013/12/29 02:49:52 djm Exp $ */
+/* $OpenBSD: key.c,v 1.114 2013/12/29 04:20:04 djm Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1057,6 +1057,20 @@ key_type_is_cert(int type)
 	return 0;
 }
 
+static int
+key_type_is_valid_ca(int type)
+{
+	switch (type) {
+	case KEY_RSA:
+	case KEY_DSA:
+	case KEY_ECDSA:
+	case KEY_ED25519:
+		return 1;
+	default:
+		return 0;
+	}
+}
+
 u_int
 key_size(const Key *k)
 {
@@ -1431,10 +1445,7 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
 		error("%s: Signature key invalid", __func__);
 		goto out;
 	}
-	if (key->cert->signature_key->type != KEY_RSA &&
-	    key->cert->signature_key->type != KEY_DSA &&
-	    key->cert->signature_key->type != KEY_ECDSA &&
-	    key->cert->signature_key->type != KEY_ED25519) {
+	if (!key_type_is_valid_ca(key->cert->signature_key->type)) {
 		error("%s: Invalid signature key type %s (%d)", __func__,
 		    key_type(key->cert->signature_key),
 		    key->cert->signature_key->type);
@@ -1915,8 +1926,7 @@ key_certify(Key *k, Key *ca)
 		return -1;
 	}
 
-	if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
-	    ca->type != KEY_ECDSA && ca->type != KEY_ED25519) {
+	if (!key_type_is_valid_ca(ca->type)) {
 		error("%s: CA key has unsupported type %s", __func__,
 		    key_type(ca));
 		return -1;
-- 
2.20.1
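Review bot: The new key_type_is_valid_ca() in the second hunk carries no comment, and since it is the single gate that both cert_parse() (on a signature key pulled out of an untrusted certificate blob) and key_certify() now rely on, its contract deserves to be written down. In particular the default branch is doing security work: certificate key types (the KEY_*_CERT values that key_type_is_cert() above recognises) are not listed, so a certificate can never act as the CA for another certificate, and any key type added in future is rejected until it is deliberately added here. I would put above the function `/* Return 1 if 'type' may be used as a CA (certificate-signing) key. Certificate types must never be accepted here, otherwise a certificate could sign another certificate; new plain key types must be added explicitly. */`. The two hunks that switch callers to the helper look correct, though both cert_parse() and key_certify() extend outside the hunks shown so the surrounding checks were not reviewed.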