mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-20 04:17:06 -05:00

Certificate trust scope: change to a boolean-expression system.

This replaces the previous placeholder scheme of having a list of
hostname wildcards with implicit logical-OR semantics (if any wildcard
matched then the certificate would be trusted to sign for that host).
That scheme didn't allow for exceptions within a domain ('everything
in example.com except extra-high-security-machine.example.com'), and
also had no way to specify port numbers.

In the new system, you can still write a hostname wildcard by itself
in the simple case, but now those are just atomic subexpressions in a
boolean-logic domain-specific language I've made up. So if you want
multiple wildcards, you can separate them with || in a single longer
expression, and also you can use && and ! to impose exceptions on top
of that.

Full details of the expression language are in the comment at the top
of utils/cert-expr.c. It'll need documenting properly before release,
of course.

For the sake of backwards compatibility for early adopters who've
already set up configuration in the old system, I've put in some code
that will read the old MatchHosts configuration and automatically
translate it into the equivalent boolean expression (by simply
stringing together the list of wildcards with || between them).
Simon Tatham
2022-06-12 10:04:26 +01:00
parent 08d58fe13e
commit f579b3c01e
11 changed files with 1057 additions and 140 deletions

misc.h

@ -507,4 +507,18 @@ static inline ptrlen ptrlen_from_lf(LoadedFile *lf)
* is made to handle difficult overlap cases. */
void memxor(uint8_t *out, const uint8_t *in1, const uint8_t *in2, size_t size);
/* Boolean expressions used in OpenSSH certificate configuration */
bool cert_expr_valid(const char *expression,
char **error_msg, ptrlen *error_loc);
bool cert_expr_match_str(const char *expression,
const char *hostname, unsigned port);
/* Build a certificate expression out of hostname wildcards. Required
* to handle legacy configuration from early in development, when
* multiple wildcards were stored separately in config, implicitly
* ORed together. */
CertExprBuilder *cert_expr_builder_new();
void cert_expr_builder_free(CertExprBuilder *eb);
void cert_expr_builder_add(CertExprBuilder *eb, const char *wildcard);
char *cert_expr_expression(CertExprBuilder *eb);
#endif
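Review bot: cert_expr_match_str() returns only a bool, and the comment above it does not say what the result is when `expression` fails to parse. Because the return value is a trust decision, the header should state that an invalid expression yields false (no match), or that callers must check it with cert_expr_valid() first. The same comment could document the out-parameters of cert_expr_valid(): who frees *error_msg, whether error_loc points into `expression`, and whether either pointer may be NULL. It should also say whether the caller frees the string returned by cert_expr_expression(). Separately, `CertExprBuilder *cert_expr_builder_new();` should be declared with `(void)`, since an empty parameter list in a C declaration (before C23) leaves the arguments unchecked.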