From e4e150855fb9b50356aafffa11c098a8dbfc0c67 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Wed, 4 Aug 2010 05:40:39 +0000
Subject: [PATCH] tighten the rules for certificate encoding by requiring that
 options appear in lexical order and make our ssh-keygen comply. ok markus@

---
 usr.bin/ssh/PROTOCOL.certkeys | 12 ++++++++----
 usr.bin/ssh/ssh-keygen.c      | 14 +++++++-------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/usr.bin/ssh/PROTOCOL.certkeys b/usr.bin/ssh/PROTOCOL.certkeys
index 81b02a078b7..1d1be13da77 100644
--- a/usr.bin/ssh/PROTOCOL.certkeys
+++ b/usr.bin/ssh/PROTOCOL.certkeys
@@ -157,6 +157,9 @@ is a sequence of zero or more tuples:
     string       name
     string       data
 
+Options must be lexically ordered by "name" if they appear in the
+sequence.
+
 The name field identifies the option and the data field encodes
 option-specific information (see below). All options are
 "critical", if an implementation does not recognise a option
@@ -185,9 +188,10 @@ Extensions
 ----------
 
 The extensions section of the certificate specifies zero or more
-non-critical certificate extensions. The encoding of extensions in this
-field is identical to that of the critical options. If an implementation
-does not recognise an extension, then it should ignore it.
+non-critical certificate extensions. The encoding and ordering of
+extensions in this field is identical to that of the critical options.
+If an implementation does not recognise an extension, then it should
+ignore it.
 
 The supported extensions and the contents and structure of their data
 fields are:
@@ -218,4 +222,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                       of this script will not be permitted if
                                       this option is not present.
 
-$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index dbb9675dfbc..3bb28dec92f 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.195 2010/07/16 04:45:30 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.196 2010/08/04 05:40:39 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1287,9 +1287,9 @@ static void
 prepare_options_buf(Buffer *c, int which)
 {
 	buffer_clear(c);
-	if ((which & OPTIONS_EXTENSIONS) != 0 &&
-	    (certflags_flags & CERTOPT_X_FWD) != 0)
-		add_flag_option(c, "permit-X11-forwarding");
+	if ((which & OPTIONS_CRITICAL) != 0 &&
+	    certflags_command != NULL)
+		add_string_option(c, "force-command", certflags_command);
 	if ((which & OPTIONS_EXTENSIONS) != 0 &&
 	    (certflags_flags & CERTOPT_AGENT_FWD) != 0)
 		add_flag_option(c, "permit-agent-forwarding");
@@ -1302,9 +1302,9 @@ prepare_options_buf(Buffer *c, int which)
 	if ((which & OPTIONS_EXTENSIONS) != 0 &&
 	    (certflags_flags & CERTOPT_USER_RC) != 0)
 		add_flag_option(c, "permit-user-rc");
-	if ((which & OPTIONS_CRITICAL) != 0 &&
-	    certflags_command != NULL)
-		add_string_option(c, "force-command", certflags_command);
+	if ((which & OPTIONS_EXTENSIONS) != 0 &&
+	    (certflags_flags & CERTOPT_X_FWD) != 0)
+		add_flag_option(c, "permit-X11-forwarding");
 	if ((which & OPTIONS_CRITICAL) != 0 &&
 	    certflags_src_addr != NULL)
 		add_string_option(c, "source-address", certflags_src_addr);
-- 
2.20.1