diff options
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/auth-options.c b/auth-options.c index b399b91e3..57b49f7fd 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.72 2016/11/30 02:57:40 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -601,7 +601,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
| 601 | * options so this must be called after auth_parse_options(). | 601 | * options so this must be called after auth_parse_options(). |
| 602 | */ | 602 | */ |
| 603 | int | 603 | int |
| 604 | auth_cert_options(struct sshkey *k, struct passwd *pw) | 604 | auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason) |
| 605 | { | 605 | { |
| 606 | int cert_no_port_forwarding_flag = 1; | 606 | int cert_no_port_forwarding_flag = 1; |
| 607 | int cert_no_agent_forwarding_flag = 1; | 607 | int cert_no_agent_forwarding_flag = 1; |
| @@ -611,6 +611,8 @@ auth_cert_options(struct sshkey *k, struct passwd *pw) | |||
| 611 | char *cert_forced_command = NULL; | 611 | char *cert_forced_command = NULL; |
| 612 | int cert_source_address_done = 0; | 612 | int cert_source_address_done = 0; |
| 613 | 613 | ||
| 614 | *reason = "invalid certificate options"; | ||
| 615 | |||
| 614 | /* Separate options and extensions for v01 certs */ | 616 | /* Separate options and extensions for v01 certs */ |
| 615 | if (parse_option_list(k->cert->critical, pw, | 617 | if (parse_option_list(k->cert->critical, pw, |
| 616 | OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, | 618 | OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, |
| @@ -632,11 +634,24 @@ auth_cert_options(struct sshkey *k, struct passwd *pw) | |||
| 632 | no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; | 634 | no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; |
| 633 | no_pty_flag |= cert_no_pty_flag; | 635 | no_pty_flag |= cert_no_pty_flag; |
| 634 | no_user_rc |= cert_no_user_rc; | 636 | no_user_rc |= cert_no_user_rc; |
| 635 | /* CA-specified forced command supersedes key option */ | 637 | /* |
| 636 | if (cert_forced_command != NULL) { | 638 | * Only permit both CA and key option forced-command if they match. |
| 637 | free(forced_command); | 639 | * Otherwise refuse the certificate. |
| 640 | */ | ||
| 641 | if (cert_forced_command != NULL && forced_command != NULL) { | ||
| 642 | if (strcmp(forced_command, cert_forced_command) == 0) { | ||
| 643 | free(forced_command); | ||
| 644 | forced_command = cert_forced_command; | ||
| 645 | } else { | ||
| 646 | *reason = "certificate and key options forced command " | ||
| 647 | "do not match"; | ||
| 648 | free(cert_forced_command); | ||
| 649 | return -1; | ||
| 650 | } | ||
| 651 | } else if (cert_forced_command != NULL) | ||
| 638 | forced_command = cert_forced_command; | 652 | forced_command = cert_forced_command; |
| 639 | } | 653 | /* success */ |
| 654 | *reason = NULL; | ||
| 640 | return 0; | 655 | return 0; |
| 641 | } | 656 | } |
| 642 | 657 | ||