author | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
commit | f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (patch) | |
tree | 856b0dee3f2764c13a32dad5ffe2424fab7fef41 /auth-options.c | |
parent | 4213eec74e74de6310c27a40c3e9759a08a73996 (diff) | |
parent | 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8 (diff) |
Import openssh_8.2p1.orig.tar.gz
Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 38 |
1 files changed, 26 insertions, 12 deletions
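--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
 		    name, sshbuf_len(data));
 		found = 0;
 		if ((which & OPTIONS_EXTENSIONS) != 0) {
-			if (strcmp(name, "permit-X11-forwarding") == 0) {
+			if (strcmp(name, "no-touch-required") == 0) {
+				opts->no_require_user_presence = 1;
+				found = 1;
+			} else if (strcmp(name, "permit-X11-forwarding") == 0) {
 				opts->permit_x11_forwarding_flag = 1;
 				found = 1;
 			} else if (strcmp(name,
@@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 			ret->permit_agent_forwarding_flag = r == 1;
 		} else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
 			ret->permit_x11_forwarding_flag = r == 1;
+		} else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
+			ret->no_require_user_presence = r != 1; /* NB. flip */
 		} else if ((r = opt_flag("pty", 1, &opts)) != -1) {
 			ret->permit_pty_flag = r == 1;
 		} else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary,
 		goto alloc_fail;
 	}
 
-	/* Flags are logical-AND (i.e. must be set in both for permission) */
-#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
-	OPTFLAG(permit_port_forwarding_flag);
-	OPTFLAG(permit_agent_forwarding_flag);
-	OPTFLAG(permit_x11_forwarding_flag);
-	OPTFLAG(permit_pty_flag);
-	OPTFLAG(permit_user_rc);
-#undef OPTFLAG
+#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
+	/* Permissive flags are logical-AND (i.e. must be set in both) */
+	OPTFLAG_AND(permit_port_forwarding_flag);
+	OPTFLAG_AND(permit_agent_forwarding_flag);
+	OPTFLAG_AND(permit_x11_forwarding_flag);
+	OPTFLAG_AND(permit_pty_flag);
+	OPTFLAG_AND(permit_user_rc);
+	OPTFLAG_AND(no_require_user_presence);
+#undef OPTFLAG_AND
 
 	/* Earliest expiry time should win */
 	if (primary->valid_before != 0)
@@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig)
 	OPTSCALAR(cert_authority);
 	OPTSCALAR(force_tun_device);
 	OPTSCALAR(valid_before);
+	OPTSCALAR(no_require_user_presence);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
 	do { \
@@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
 {
 	int r = SSH_ERR_INTERNAL_ERROR;
 
-	/* Flag and simple integer options */
+	/* Flag options */
 	if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
@@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
 	    (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
-	    (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+	    (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
+		return r;
+
+	/* Simple integer options */
+	if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0)
 		return r;
 
 	/* tunnel number can be negative to indicate "unset" */
@@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
 	if ((opts = calloc(1, sizeof(*opts))) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 
+	/* Flag options */
 #define OPT_FLAG(x) \
 	do { \
 		if ((r = sshbuf_get_u8(m, &f)) != 0) \
@@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
 	OPT_FLAG(permit_user_rc);
 	OPT_FLAG(restricted);
 	OPT_FLAG(cert_authority);
+	OPT_FLAG(no_require_user_presence);
 #undef OPT_FLAG
 
+	/* Simple integer options */
 	if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
 		goto out;
 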
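Review bot: The serialised field order in sshauthopt_serialise (new line 783 inserts the no_require_user_presence byte before the valid_before u64) is load-bearing for sshauthopt_deserialise, which at new lines 845–849 reads the fields back in exactly that order, yet neither hunk states that the two must stay in lockstep. A one-line comment above the flag run in each function, `/* NB. field order must match sshauthopt_deserialise() */` in the serialiser and the converse in the deserialiser, would keep a future option addition from silently desynchronising the two sides. Inserting the new u8 in the middle rather than appending it is harmless as long as both ends are always the same binary, which appears to be the case here but is not documented. The no_require_user_presence default of 0 (presence required) relies on the calloc at new line 828 and, presumably, on the same zeroing in the constructor used by sshauthopt_parse, which is outside this view. The bodies of both functions continue outside these hunks.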