upstream: Introduce a new API for handling authorized_keys options.

This API parses options to a dedicated structure rather than the old API's approach of setting global state. It also includes support for merging options, e.g. from authorized_keys, authorized_principals and/or certificates. feedback and ok markus@ OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
author: djm@openbsd.org <djm@openbsd.org> 2018-03-03 03:06:02 +0000
committer: Damien Miller <djm@mindrot.org> 2018-03-03 14:22:11 +1100
commit: 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (patch)
tree: 81333f6969082c66dd6261573f48644dd3203494 /auth-options.h
parent: 26074380767e639ef89321610e146ae11016b385 (diff)
1 files changed, 69 insertions, 1 deletions
diff --git a/auth-options.h b/auth-options.h
index 547f01635..0dbfc325e 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth-options.h,v 1.24 2018/03/03 03:06:02 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,6 +15,9 @@
 #ifndef AUTH_OPTIONS_H
 #define AUTH_OPTIONS_H
+struct passwd;
+struct sshkey;
 /* Linked list of custom environment strings */
 struct envstring {
        struct envstring *next;
@@ -37,4 +40,69 @@ int	auth_parse_options(struct passwd *, char *, const char *, u_long);
 void    auth_clear_options(void);
 int     auth_cert_options(struct sshkey *, struct passwd *, const char **);
+/* authorized_keys options handling */
+/*
+ * sshauthopt represents key options parsed from authorized_keys or
+ * from certificate extensions/options.
+ */
+struct sshauthopt {
+        /* Feature flags */
+        int permit_port_forwarding_flag;
+        int permit_agent_forwarding_flag;
+        int permit_x11_forwarding_flag;
+        int permit_pty_flag;
+        int permit_user_rc;
+        /* "restrict" keyword was invoked */
+        int restricted;
+        /* Certificate-related options */
+        int cert_authority;
+        char *cert_principals;
+        int force_tun_device;
+        char *force_command;
+        /* Custom environment */
+        size_t nenv;
+        char **env;
+        /* Permitted port forwardings */
+        size_t npermitopen;
+        char **permitopen;
+        /*
+         * Permitted host/addresses (comma-separated)
+         * Caller must check source address matches both lists (if present).
+         */
+        char *required_from_host_cert;
+        char *required_from_host_keys;
+};
+struct sshauthopt *sshauthopt_new(void);
+struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
+void sshauthopt_free(struct sshauthopt *opts);
+struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
+int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
+int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
+/*
+ * Parse authorized_keys options. Returns an options structure on success
+ * or NULL on failure. Will set errstr on failure.
+ */
+struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
+/*
+ * Parse certification options to a struct sshauthopt.
+ * Returns options on success or NULL on failure.
+ */
+struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
+/*
+ * Merge key options.
+ */
+struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
+    const struct sshauthopt *additional, const char **errstrp);
 #endif
author	djm@openbsd.org <djm@openbsd.org>	2018-03-03 03:06:02 +0000
committer	Damien Miller <djm@mindrot.org>	2018-03-03 14:22:11 +1100
commit	90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (patch)
tree	81333f6969082c66dd6261573f48644dd3203494 /auth-options.h
parent	26074380767e639ef89321610e146ae11016b385 (diff)

diff --git a/auth-options.h b/auth-options.h index 547f01635..0dbfc325e 100644 --- a/auth-options.h +++ b/auth-options.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */	1	/* $OpenBSD: auth-options.h,v 1.24 2018/03/03 03:06:02 djm Exp $ */
2		2
3	/*	3	/*
4	* Author: Tatu Ylonen <ylo@cs.hut.fi>	4	* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,6 +15,9 @@
15	#ifndef AUTH_OPTIONS_H	15	#ifndef AUTH_OPTIONS_H
16	#define AUTH_OPTIONS_H	16	#define AUTH_OPTIONS_H
17		17
		18	struct passwd;
		19	struct sshkey;
		20
18	/* Linked list of custom environment strings */	21	/* Linked list of custom environment strings */
19	struct envstring {	22	struct envstring {
20	struct envstring *next;	23	struct envstring *next;
@@ -37,4 +40,69 @@ int auth_parse_options(struct passwd , char , const char *, u_long);
37	void auth_clear_options(void);	40	void auth_clear_options(void);
38	int auth_cert_options(struct sshkey , struct passwd , const char **);	41	int auth_cert_options(struct sshkey , struct passwd , const char **);
39		42
		43	/* authorized_keys options handling */
		44
		45	/*
		46	* sshauthopt represents key options parsed from authorized_keys or
		47	* from certificate extensions/options.
		48	*/
		49	struct sshauthopt {
		50	/* Feature flags */
		51	int permit_port_forwarding_flag;
		52	int permit_agent_forwarding_flag;
		53	int permit_x11_forwarding_flag;
		54	int permit_pty_flag;
		55	int permit_user_rc;
		56
		57	/* "restrict" keyword was invoked */
		58	int restricted;
		59
		60	/* Certificate-related options */
		61	int cert_authority;
		62	char *cert_principals;
		63
		64	int force_tun_device;
		65	char *force_command;
		66
		67	/* Custom environment */
		68	size_t nenv;
		69	char **env;
		70
		71	/* Permitted port forwardings */
		72	size_t npermitopen;
		73	char **permitopen;
		74
		75	/*
		76	* Permitted host/addresses (comma-separated)
		77	* Caller must check source address matches both lists (if present).
		78	*/
		79	char *required_from_host_cert;
		80	char *required_from_host_keys;
		81	};
		82
		83	struct sshauthopt *sshauthopt_new(void);
		84	struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
		85	void sshauthopt_free(struct sshauthopt *opts);
		86	struct sshauthopt sshauthopt_copy(const struct sshauthopt orig);
		87	int sshauthopt_serialise(const struct sshauthopt opts, struct sshbuf m, int);
		88	int sshauthopt_deserialise(struct sshbuf m, struct sshauthopt *opts);
		89
		90	/*
		91	* Parse authorized_keys options. Returns an options structure on success
		92	* or NULL on failure. Will set errstr on failure.
		93	*/
		94	struct sshauthopt sshauthopt_parse(const char s, const char **errstr);
		95
		96	/*
		97	* Parse certification options to a struct sshauthopt.
		98	* Returns options on success or NULL on failure.
		99	*/
		100	struct sshauthopt sshauthopt_from_cert(struct sshkey k);
		101
		102	/*
		103	* Merge key options.
		104	*/
		105	struct sshauthopt sshauthopt_merge(const struct sshauthopt primary,
		106	const struct sshauthopt additional, const char *errstrp);
		107
40	#endif	108	#endif