Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 1216 |
1 files changed, 704 insertions, 512 deletions
diff --git a/auth-options.c b/auth-options.c index ccdd0b20a..b528c197a 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,13 +1,18 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.74 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.78 2018/03/14 05:35:40 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * |
5 | * All rights reserved | 5 | * Permission to use, copy, modify, and distribute this software for any |
6 | * As far as I am concerned, the code I have written for this software | 6 | * purpose with or without fee is hereby granted, provided that the above |
7 | * can be used freely for any purpose. Any derived versions of this | 7 | * copyright notice and this permission notice appear in all copies. |
8 | * software must be clearly marked as such, and if the derived work is | 8 | * |
9 | * incompatible with the protocol description in the RFC file, it must be | 9 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 | * called by a name other than "ssh" or "Secure Shell". | 10 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
12 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
13 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
14 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
15 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
11 | */ | 16 | */ |
12 | 17 | ||
13 | #include "includes.h" | 18 | #include "includes.h" |
@@ -19,99 +24,33 @@ | |||
19 | #include <string.h> | 24 | #include <string.h> |
20 | #include <stdio.h> | 25 | #include <stdio.h> |
21 | #include <stdarg.h> | 26 | #include <stdarg.h> |
27 | #include <ctype.h> | ||
28 | #include <limits.h> | ||
22 | 29 | ||
23 | #include "openbsd-compat/sys-queue.h" | 30 | #include "openbsd-compat/sys-queue.h" |
24 | 31 | ||
25 | #include "key.h" /* XXX for typedef */ | ||
26 | #include "buffer.h" /* XXX for typedef */ | ||
27 | #include "xmalloc.h" | 32 | #include "xmalloc.h" |
28 | #include "match.h" | ||
29 | #include "ssherr.h" | 33 | #include "ssherr.h" |
30 | #include "log.h" | 34 | #include "log.h" |
31 | #include "canohost.h" | ||
32 | #include "packet.h" | ||
33 | #include "sshbuf.h" | 35 | #include "sshbuf.h" |
34 | #include "misc.h" | 36 | #include "misc.h" |
35 | #include "channels.h" | ||
36 | #include "servconf.h" | ||
37 | #include "sshkey.h" | 37 | #include "sshkey.h" |
38 | #include "match.h" | ||
39 | #include "ssh2.h" | ||
38 | #include "auth-options.h" | 40 | #include "auth-options.h" |
39 | #include "hostfile.h" | ||
40 | #include "auth.h" | ||
41 | |||
42 | /* Flags set authorized_keys flags */ | ||
43 | int no_port_forwarding_flag = 0; | ||
44 | int no_agent_forwarding_flag = 0; | ||
45 | int no_x11_forwarding_flag = 0; | ||
46 | int no_pty_flag = 0; | ||
47 | int no_user_rc = 0; | ||
48 | int key_is_cert_authority = 0; | ||
49 | |||
50 | /* "command=" option. */ | ||
51 | char *forced_command = NULL; | ||
52 | |||
53 | /* "environment=" options. */ | ||
54 | struct envstring *custom_environment = NULL; | ||
55 | |||
56 | /* "tunnel=" option. */ | ||
57 | int forced_tun_device = -1; | ||
58 | |||
59 | /* "principals=" option. */ | ||
60 | char *authorized_principals = NULL; | ||
61 | |||
62 | /* Throttle log messages. */ | ||
63 | int logged_from_hostip = 0; | ||
64 | int logged_cert_hostip = 0; | ||
65 | |||
66 | extern ServerOptions options; | ||
67 | |||
68 | /* XXX refactor to be stateless */ | ||
69 | |||
70 | void | ||
71 | auth_start_parse_options(void) | ||
72 | { | ||
73 | logged_from_hostip = 0; | ||
74 | logged_cert_hostip = 0; | ||
75 | } | ||
76 | |||
77 | void | ||
78 | auth_clear_options(void) | ||
79 | { | ||
80 | struct ssh *ssh = active_state; /* XXX */ | ||
81 | |||
82 | no_agent_forwarding_flag = 0; | ||
83 | no_port_forwarding_flag = 0; | ||
84 | no_pty_flag = 0; | ||
85 | no_x11_forwarding_flag = 0; | ||
86 | no_user_rc = 0; | ||
87 | key_is_cert_authority = 0; | ||
88 | while (custom_environment) { | ||
89 | struct envstring *ce = custom_environment; | ||
90 | custom_environment = ce->next; | ||
91 | free(ce->s); | ||
92 | free(ce); | ||
93 | } | ||
94 | free(forced_command); | ||
95 | forced_command = NULL; | ||
96 | free(authorized_principals); | ||
97 | authorized_principals = NULL; | ||
98 | forced_tun_device = -1; | ||
99 | channel_clear_permitted_opens(ssh); | ||
100 | } | ||
101 | 41 | ||
102 | /* | 42 | /* |
103 | * Match flag 'opt' in *optsp, and if allow_negate is set then also match | 43 | * Match flag 'opt' in *optsp, and if allow_negate is set then also match |
104 | * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0 | 44 | * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0 |
105 | * if negated option matches. | 45 | * if negated option matches. |
106 | * If the option or negated option matches, then *optsp is updated to | 46 | * If the option or negated option matches, then *optsp is updated to |
107 | * point to the first character after the option and, if 'msg' is not NULL | 47 | * point to the first character after the option. |
108 | * then a message based on it added via auth_debug_add(). | ||
109 | */ | 48 | */ |
110 | static int | 49 | static int |
111 | match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) | 50 | opt_flag(const char *opt, int allow_negate, const char **optsp) |
112 | { | 51 | { |
113 | size_t opt_len = strlen(opt); | 52 | size_t opt_len = strlen(opt); |
114 | char *opts = *optsp; | 53 | const char *opts = *optsp; |
115 | int negate = 0; | 54 | int negate = 0; |
116 | 55 | ||
117 | if (allow_negate && strncasecmp(opts, "no-", 3) == 0) { | 56 | if (allow_negate && strncasecmp(opts, "no-", 3) == 0) { |
@@ -120,371 +59,92 @@ match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) | |||
120 | } | 59 | } |
121 | if (strncasecmp(opts, opt, opt_len) == 0) { | 60 | if (strncasecmp(opts, opt, opt_len) == 0) { |
122 | *optsp = opts + opt_len; | 61 | *optsp = opts + opt_len; |
123 | if (msg != NULL) { | ||
124 | auth_debug_add("%s %s.", msg, | ||
125 | negate ? "disabled" : "enabled"); | ||
126 | } | ||
127 | return negate ? 0 : 1; | 62 | return negate ? 0 : 1; |
128 | } | 63 | } |
129 | return -1; | 64 | return -1; |
130 | } | 65 | } |
131 | 66 | ||
132 | /* | 67 | static char * |
133 | * return 1 if access is granted, 0 if not. | 68 | opt_dequote(const char **sp, const char **errstrp) |
134 | * side effect: sets key option flags | ||
135 | * XXX remove side effects; fill structure instead. | ||
136 | */ | ||
137 | int | ||
138 | auth_parse_options(struct passwd *pw, char *opts, const char *file, | ||
139 | u_long linenum) | ||
140 | { | 69 | { |
141 | struct ssh *ssh = active_state; /* XXX */ | 70 | const char *s = *sp; |
142 | const char *cp; | 71 | char *ret; |
143 | int i, r; | 72 | size_t i; |
144 | 73 | ||
145 | /* reset options */ | 74 | *errstrp = NULL; |
146 | auth_clear_options(); | 75 | if (*s != '"') { |
76 | *errstrp = "missing start quote"; | ||
77 | return NULL; | ||
78 | } | ||
79 | s++; | ||
80 | if ((ret = malloc(strlen((s)) + 1)) == NULL) { | ||
81 | *errstrp = "memory allocation failed"; | ||
82 | return NULL; | ||
83 | } | ||
84 | for (i = 0; *s != '\0' && *s != '"';) { | ||
85 | if (s[0] == '\\' && s[1] == '"') | ||
86 | s++; | ||
87 | ret[i++] = *s++; | ||
88 | } | ||
89 | if (*s == '\0') { | ||
90 | *errstrp = "missing end quote"; | ||
91 | free(ret); | ||
92 | return NULL; | ||
93 | } | ||
94 | ret[i] = '\0'; | ||
95 | s++; | ||
96 | *sp = s; | ||
97 | return ret; | ||
98 | } | ||
147 | 99 | ||
148 | if (!opts) | 100 | static int |
101 | opt_match(const char **opts, const char *term) | ||
102 | { | ||
103 | if (strncasecmp((*opts), term, strlen(term)) == 0 && | ||
104 | (*opts)[strlen(term)] == '=') { | ||
105 | *opts += strlen(term) + 1; | ||
149 | return 1; | 106 | return 1; |
150 | |||
151 | while (*opts && *opts != ' ' && *opts != '\t') { | ||
152 | if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) { | ||
153 | key_is_cert_authority = r; | ||
154 | goto next_option; | ||
155 | } | ||
156 | if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) { | ||
157 | auth_debug_add("Key is restricted."); | ||
158 | no_port_forwarding_flag = 1; | ||
159 | no_agent_forwarding_flag = 1; | ||
160 | no_x11_forwarding_flag = 1; | ||
161 | no_pty_flag = 1; | ||
162 | no_user_rc = 1; | ||
163 | goto next_option; | ||
164 | } | ||
165 | if ((r = match_flag("port-forwarding", 1, &opts, | ||
166 | "Port forwarding")) != -1) { | ||
167 | no_port_forwarding_flag = r != 1; | ||
168 | goto next_option; | ||
169 | } | ||
170 | if ((r = match_flag("agent-forwarding", 1, &opts, | ||
171 | "Agent forwarding")) != -1) { | ||
172 | no_agent_forwarding_flag = r != 1; | ||
173 | goto next_option; | ||
174 | } | ||
175 | if ((r = match_flag("x11-forwarding", 1, &opts, | ||
176 | "X11 forwarding")) != -1) { | ||
177 | no_x11_forwarding_flag = r != 1; | ||
178 | goto next_option; | ||
179 | } | ||
180 | if ((r = match_flag("pty", 1, &opts, | ||
181 | "PTY allocation")) != -1) { | ||
182 | no_pty_flag = r != 1; | ||
183 | goto next_option; | ||
184 | } | ||
185 | if ((r = match_flag("user-rc", 1, &opts, | ||
186 | "User rc execution")) != -1) { | ||
187 | no_user_rc = r != 1; | ||
188 | goto next_option; | ||
189 | } | ||
190 | cp = "command=\""; | ||
191 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
192 | opts += strlen(cp); | ||
193 | free(forced_command); | ||
194 | forced_command = xmalloc(strlen(opts) + 1); | ||
195 | i = 0; | ||
196 | while (*opts) { | ||
197 | if (*opts == '"') | ||
198 | break; | ||
199 | if (*opts == '\\' && opts[1] == '"') { | ||
200 | opts += 2; | ||
201 | forced_command[i++] = '"'; | ||
202 | continue; | ||
203 | } | ||
204 | forced_command[i++] = *opts++; | ||
205 | } | ||
206 | if (!*opts) { | ||
207 | debug("%.100s, line %lu: missing end quote", | ||
208 | file, linenum); | ||
209 | auth_debug_add("%.100s, line %lu: missing end quote", | ||
210 | file, linenum); | ||
211 | free(forced_command); | ||
212 | forced_command = NULL; | ||
213 | goto bad_option; | ||
214 | } | ||
215 | forced_command[i] = '\0'; | ||
216 | auth_debug_add("Forced command."); | ||
217 | opts++; | ||
218 | goto next_option; | ||
219 | } | ||
220 | cp = "principals=\""; | ||
221 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
222 | opts += strlen(cp); | ||
223 | free(authorized_principals); | ||
224 | authorized_principals = xmalloc(strlen(opts) + 1); | ||
225 | i = 0; | ||
226 | while (*opts) { | ||
227 | if (*opts == '"') | ||
228 | break; | ||
229 | if (*opts == '\\' && opts[1] == '"') { | ||
230 | opts += 2; | ||
231 | authorized_principals[i++] = '"'; | ||
232 | continue; | ||
233 | } | ||
234 | authorized_principals[i++] = *opts++; | ||
235 | } | ||
236 | if (!*opts) { | ||
237 | debug("%.100s, line %lu: missing end quote", | ||
238 | file, linenum); | ||
239 | auth_debug_add("%.100s, line %lu: missing end quote", | ||
240 | file, linenum); | ||
241 | free(authorized_principals); | ||
242 | authorized_principals = NULL; | ||
243 | goto bad_option; | ||
244 | } | ||
245 | authorized_principals[i] = '\0'; | ||
246 | auth_debug_add("principals: %.900s", | ||
247 | authorized_principals); | ||
248 | opts++; | ||
249 | goto next_option; | ||
250 | } | ||
251 | cp = "environment=\""; | ||
252 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
253 | char *s; | ||
254 | struct envstring *new_envstring; | ||
255 | |||
256 | opts += strlen(cp); | ||
257 | s = xmalloc(strlen(opts) + 1); | ||
258 | i = 0; | ||
259 | while (*opts) { | ||
260 | if (*opts == '"') | ||
261 | break; | ||
262 | if (*opts == '\\' && opts[1] == '"') { | ||
263 | opts += 2; | ||
264 | s[i++] = '"'; | ||
265 | continue; | ||
266 | } | ||
267 | s[i++] = *opts++; | ||
268 | } | ||
269 | if (!*opts) { | ||
270 | debug("%.100s, line %lu: missing end quote", | ||
271 | file, linenum); | ||
272 | auth_debug_add("%.100s, line %lu: missing end quote", | ||
273 | file, linenum); | ||
274 | free(s); | ||
275 | goto bad_option; | ||
276 | } | ||
277 | s[i] = '\0'; | ||
278 | opts++; | ||
279 | if (options.permit_user_env) { | ||
280 | auth_debug_add("Adding to environment: " | ||
281 | "%.900s", s); | ||
282 | debug("Adding to environment: %.900s", s); | ||
283 | new_envstring = xcalloc(1, | ||
284 | sizeof(*new_envstring)); | ||
285 | new_envstring->s = s; | ||
286 | new_envstring->next = custom_environment; | ||
287 | custom_environment = new_envstring; | ||
288 | s = NULL; | ||
289 | } | ||
290 | free(s); | ||
291 | goto next_option; | ||
292 | } | ||
293 | cp = "from=\""; | ||
294 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
295 | const char *remote_ip = ssh_remote_ipaddr(ssh); | ||
296 | const char *remote_host = auth_get_canonical_hostname( | ||
297 | ssh, options.use_dns); | ||
298 | char *patterns = xmalloc(strlen(opts) + 1); | ||
299 | |||
300 | opts += strlen(cp); | ||
301 | i = 0; | ||
302 | while (*opts) { | ||
303 | if (*opts == '"') | ||
304 | break; | ||
305 | if (*opts == '\\' && opts[1] == '"') { | ||
306 | opts += 2; | ||
307 | patterns[i++] = '"'; | ||
308 | continue; | ||
309 | } | ||
310 | patterns[i++] = *opts++; | ||
311 | } | ||
312 | if (!*opts) { | ||
313 | debug("%.100s, line %lu: missing end quote", | ||
314 | file, linenum); | ||
315 | auth_debug_add("%.100s, line %lu: missing end quote", | ||
316 | file, linenum); | ||
317 | free(patterns); | ||
318 | goto bad_option; | ||
319 | } | ||
320 | patterns[i] = '\0'; | ||
321 | opts++; | ||
322 | switch (match_host_and_ip(remote_host, remote_ip, | ||
323 | patterns)) { | ||
324 | case 1: | ||
325 | free(patterns); | ||
326 | /* Host name matches. */ | ||
327 | goto next_option; | ||
328 | case -1: | ||
329 | debug("%.100s, line %lu: invalid criteria", | ||
330 | file, linenum); | ||
331 | auth_debug_add("%.100s, line %lu: " | ||
332 | "invalid criteria", file, linenum); | ||
333 | /* FALLTHROUGH */ | ||
334 | case 0: | ||
335 | free(patterns); | ||
336 | if (!logged_from_hostip) { | ||
337 | logit("Authentication tried for %.100s with " | ||
338 | "correct key but not from a permitted " | ||
339 | "host (host=%.200s, ip=%.200s).", | ||
340 | pw->pw_name, remote_host, remote_ip); | ||
341 | logged_from_hostip = 1; | ||
342 | } | ||
343 | auth_debug_add("Your host '%.200s' is not " | ||
344 | "permitted to use this key for login.", | ||
345 | remote_host); | ||
346 | break; | ||
347 | } | ||
348 | /* deny access */ | ||
349 | return 0; | ||
350 | } | ||
351 | cp = "permitopen=\""; | ||
352 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
353 | char *host, *p; | ||
354 | int port; | ||
355 | char *patterns = xmalloc(strlen(opts) + 1); | ||
356 | |||
357 | opts += strlen(cp); | ||
358 | i = 0; | ||
359 | while (*opts) { | ||
360 | if (*opts == '"') | ||
361 | break; | ||
362 | if (*opts == '\\' && opts[1] == '"') { | ||
363 | opts += 2; | ||
364 | patterns[i++] = '"'; | ||
365 | continue; | ||
366 | } | ||
367 | patterns[i++] = *opts++; | ||
368 | } | ||
369 | if (!*opts) { | ||
370 | debug("%.100s, line %lu: missing end quote", | ||
371 | file, linenum); | ||
372 | auth_debug_add("%.100s, line %lu: missing " | ||
373 | "end quote", file, linenum); | ||
374 | free(patterns); | ||
375 | goto bad_option; | ||
376 | } | ||
377 | patterns[i] = '\0'; | ||
378 | opts++; | ||
379 | p = patterns; | ||
380 | /* XXX - add streamlocal support */ | ||
381 | host = hpdelim(&p); | ||
382 | if (host == NULL || strlen(host) >= NI_MAXHOST) { | ||
383 | debug("%.100s, line %lu: Bad permitopen " | ||
384 | "specification <%.100s>", file, linenum, | ||
385 | patterns); | ||
386 | auth_debug_add("%.100s, line %lu: " | ||
387 | "Bad permitopen specification", file, | ||
388 | linenum); | ||
389 | free(patterns); | ||
390 | goto bad_option; | ||
391 | } | ||
392 | host = cleanhostname(host); | ||
393 | if (p == NULL || (port = permitopen_port(p)) < 0) { | ||
394 | debug("%.100s, line %lu: Bad permitopen port " | ||
395 | "<%.100s>", file, linenum, p ? p : ""); | ||
396 | auth_debug_add("%.100s, line %lu: " | ||
397 | "Bad permitopen port", file, linenum); | ||
398 | free(patterns); | ||
399 | goto bad_option; | ||
400 | } | ||
401 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) | ||
402 | channel_add_permitted_opens(ssh, host, port); | ||
403 | free(patterns); | ||
404 | goto next_option; | ||
405 | } | ||
406 | cp = "tunnel=\""; | ||
407 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
408 | char *tun = NULL; | ||
409 | opts += strlen(cp); | ||
410 | tun = xmalloc(strlen(opts) + 1); | ||
411 | i = 0; | ||
412 | while (*opts) { | ||
413 | if (*opts == '"') | ||
414 | break; | ||
415 | tun[i++] = *opts++; | ||
416 | } | ||
417 | if (!*opts) { | ||
418 | debug("%.100s, line %lu: missing end quote", | ||
419 | file, linenum); | ||
420 | auth_debug_add("%.100s, line %lu: missing end quote", | ||
421 | file, linenum); | ||
422 | free(tun); | ||
423 | forced_tun_device = -1; | ||
424 | goto bad_option; | ||
425 | } | ||
426 | tun[i] = '\0'; | ||
427 | forced_tun_device = a2tun(tun, NULL); | ||
428 | free(tun); | ||
429 | if (forced_tun_device == SSH_TUNID_ERR) { | ||
430 | debug("%.100s, line %lu: invalid tun device", | ||
431 | file, linenum); | ||
432 | auth_debug_add("%.100s, line %lu: invalid tun device", | ||
433 | file, linenum); | ||
434 | forced_tun_device = -1; | ||
435 | goto bad_option; | ||
436 | } | ||
437 | auth_debug_add("Forced tun device: %d", forced_tun_device); | ||
438 | opts++; | ||
439 | goto next_option; | ||
440 | } | ||
441 | next_option: | ||
442 | /* | ||
443 | * Skip the comma, and move to the next option | ||
444 | * (or break out if there are no more). | ||
445 | */ | ||
446 | if (!*opts) | ||
447 | fatal("Bugs in auth-options.c option processing."); | ||
448 | if (*opts == ' ' || *opts == '\t') | ||
449 | break; /* End of options. */ | ||
450 | if (*opts != ',') | ||
451 | goto bad_option; | ||
452 | opts++; | ||
453 | /* Process the next option. */ | ||
454 | } | 107 | } |
108 | return 0; | ||
109 | } | ||
455 | 110 | ||
456 | /* grant access */ | 111 | static int |
457 | return 1; | 112 | dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc) |
113 | { | ||
114 | char **dst; | ||
115 | size_t i, j; | ||
458 | 116 | ||
459 | bad_option: | 117 | *dstp = NULL; |
460 | logit("Bad options in %.100s file, line %lu: %.50s", | 118 | *ndstp = 0; |
461 | file, linenum, opts); | 119 | if (nsrc == 0) |
462 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", | 120 | return 0; |
463 | file, linenum, opts); | ||
464 | 121 | ||
465 | /* deny access */ | 122 | if ((dst = calloc(nsrc, sizeof(*src))) == NULL) |
123 | return -1; | ||
124 | for (i = 0; i < nsrc; i++) { | ||
125 | if ((dst[i] = strdup(src[i])) == NULL) { | ||
126 | for (j = 0; j < i; j++) | ||
127 | free(dst[j]); | ||
128 | free(dst); | ||
129 | return -1; | ||
130 | } | ||
131 | } | ||
132 | /* success */ | ||
133 | *dstp = dst; | ||
134 | *ndstp = nsrc; | ||
466 | return 0; | 135 | return 0; |
467 | } | 136 | } |
468 | 137 | ||
469 | #define OPTIONS_CRITICAL 1 | 138 | #define OPTIONS_CRITICAL 1 |
470 | #define OPTIONS_EXTENSIONS 2 | 139 | #define OPTIONS_EXTENSIONS 2 |
471 | static int | 140 | static int |
472 | parse_option_list(struct sshbuf *oblob, struct passwd *pw, | 141 | cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, |
473 | u_int which, int crit, | 142 | u_int which, int crit) |
474 | int *cert_no_port_forwarding_flag, | ||
475 | int *cert_no_agent_forwarding_flag, | ||
476 | int *cert_no_x11_forwarding_flag, | ||
477 | int *cert_no_pty_flag, | ||
478 | int *cert_no_user_rc, | ||
479 | char **cert_forced_command, | ||
480 | int *cert_source_address_done) | ||
481 | { | 143 | { |
482 | struct ssh *ssh = active_state; /* XXX */ | ||
483 | char *command, *allowed; | 144 | char *command, *allowed; |
484 | const char *remote_ip; | ||
485 | char *name = NULL; | 145 | char *name = NULL; |
486 | struct sshbuf *c = NULL, *data = NULL; | 146 | struct sshbuf *c = NULL, *data = NULL; |
487 | int r, ret = -1, result, found; | 147 | int r, ret = -1, found; |
488 | 148 | ||
489 | if ((c = sshbuf_fromb(oblob)) == NULL) { | 149 | if ((c = sshbuf_fromb(oblob)) == NULL) { |
490 | error("%s: sshbuf_fromb failed", __func__); | 150 | error("%s: sshbuf_fromb failed", __func__); |
@@ -505,21 +165,21 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
505 | found = 0; | 165 | found = 0; |
506 | if ((which & OPTIONS_EXTENSIONS) != 0) { | 166 | if ((which & OPTIONS_EXTENSIONS) != 0) { |
507 | if (strcmp(name, "permit-X11-forwarding") == 0) { | 167 | if (strcmp(name, "permit-X11-forwarding") == 0) { |
508 | *cert_no_x11_forwarding_flag = 0; | 168 | opts->permit_x11_forwarding_flag = 1; |
509 | found = 1; | 169 | found = 1; |
510 | } else if (strcmp(name, | 170 | } else if (strcmp(name, |
511 | "permit-agent-forwarding") == 0) { | 171 | "permit-agent-forwarding") == 0) { |
512 | *cert_no_agent_forwarding_flag = 0; | 172 | opts->permit_agent_forwarding_flag = 1; |
513 | found = 1; | 173 | found = 1; |
514 | } else if (strcmp(name, | 174 | } else if (strcmp(name, |
515 | "permit-port-forwarding") == 0) { | 175 | "permit-port-forwarding") == 0) { |
516 | *cert_no_port_forwarding_flag = 0; | 176 | opts->permit_port_forwarding_flag = 1; |
517 | found = 1; | 177 | found = 1; |
518 | } else if (strcmp(name, "permit-pty") == 0) { | 178 | } else if (strcmp(name, "permit-pty") == 0) { |
519 | *cert_no_pty_flag = 0; | 179 | opts->permit_pty_flag = 1; |
520 | found = 1; | 180 | found = 1; |
521 | } else if (strcmp(name, "permit-user-rc") == 0) { | 181 | } else if (strcmp(name, "permit-user-rc") == 0) { |
522 | *cert_no_user_rc = 0; | 182 | opts->permit_user_rc = 1; |
523 | found = 1; | 183 | found = 1; |
524 | } | 184 | } |
525 | } | 185 | } |
@@ -531,13 +191,13 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
531 | "section: %s", name, ssh_err(r)); | 191 | "section: %s", name, ssh_err(r)); |
532 | goto out; | 192 | goto out; |
533 | } | 193 | } |
534 | if (*cert_forced_command != NULL) { | 194 | if (opts->force_command != NULL) { |
535 | error("Certificate has multiple " | 195 | error("Certificate has multiple " |
536 | "force-command options"); | 196 | "force-command options"); |
537 | free(command); | 197 | free(command); |
538 | goto out; | 198 | goto out; |
539 | } | 199 | } |
540 | *cert_forced_command = command; | 200 | opts->force_command = command; |
541 | found = 1; | 201 | found = 1; |
542 | } | 202 | } |
543 | if (strcmp(name, "source-address") == 0) { | 203 | if (strcmp(name, "source-address") == 0) { |
@@ -547,41 +207,19 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
547 | "section: %s", name, ssh_err(r)); | 207 | "section: %s", name, ssh_err(r)); |
548 | goto out; | 208 | goto out; |
549 | } | 209 | } |
550 | if ((*cert_source_address_done)++) { | 210 | if (opts->required_from_host_cert != NULL) { |
551 | error("Certificate has multiple " | 211 | error("Certificate has multiple " |
552 | "source-address options"); | 212 | "source-address options"); |
553 | free(allowed); | 213 | free(allowed); |
554 | goto out; | 214 | goto out; |
555 | } | 215 | } |
556 | remote_ip = ssh_remote_ipaddr(ssh); | 216 | /* Check syntax */ |
557 | result = addr_match_cidr_list(remote_ip, | 217 | if (addr_match_cidr_list(NULL, allowed) == -1) { |
558 | allowed); | ||
559 | free(allowed); | ||
560 | switch (result) { | ||
561 | case 1: | ||
562 | /* accepted */ | ||
563 | break; | ||
564 | case 0: | ||
565 | /* no match */ | ||
566 | if (!logged_cert_hostip) { | ||
567 | logit("Authentication tried for %.100s " | ||
568 | "with valid certificate but not " | ||
569 | "from a permitted host " | ||
570 | "(ip=%.200s).", pw->pw_name, | ||
571 | remote_ip); | ||
572 | logged_cert_hostip = 1; | ||
573 | } | ||
574 | auth_debug_add("Your address '%.200s' " | ||
575 | "is not permitted to use this " | ||
576 | "certificate for login.", | ||
577 | remote_ip); | ||
578 | goto out; | ||
579 | case -1: | ||
580 | default: | ||
581 | error("Certificate source-address " | 218 | error("Certificate source-address " |
582 | "contents invalid"); | 219 | "contents invalid"); |
583 | goto out; | 220 | goto out; |
584 | } | 221 | } |
222 | opts->required_from_host_cert = allowed; | ||
585 | found = 1; | 223 | found = 1; |
586 | } | 224 | } |
587 | } | 225 | } |
@@ -607,74 +245,628 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
607 | ret = 0; | 245 | ret = 0; |
608 | 246 | ||
609 | out: | 247 | out: |
610 | if (ret != 0 && | ||
611 | cert_forced_command != NULL && | ||
612 | *cert_forced_command != NULL) { | ||
613 | free(*cert_forced_command); | ||
614 | *cert_forced_command = NULL; | ||
615 | } | ||
616 | free(name); | 248 | free(name); |
617 | sshbuf_free(data); | 249 | sshbuf_free(data); |
618 | sshbuf_free(c); | 250 | sshbuf_free(c); |
619 | return ret; | 251 | return ret; |
620 | } | 252 | } |
621 | 253 | ||
254 | struct sshauthopt * | ||
255 | sshauthopt_new(void) | ||
256 | { | ||
257 | struct sshauthopt *ret; | ||
258 | |||
259 | if ((ret = calloc(1, sizeof(*ret))) == NULL) | ||
260 | return NULL; | ||
261 | ret->force_tun_device = -1; | ||
262 | return ret; | ||
263 | } | ||
264 | |||
265 | void | ||
266 | sshauthopt_free(struct sshauthopt *opts) | ||
267 | { | ||
268 | size_t i; | ||
269 | |||
270 | if (opts == NULL) | ||
271 | return; | ||
272 | |||
273 | free(opts->cert_principals); | ||
274 | free(opts->force_command); | ||
275 | free(opts->required_from_host_cert); | ||
276 | free(opts->required_from_host_keys); | ||
277 | |||
278 | for (i = 0; i < opts->nenv; i++) | ||
279 | free(opts->env[i]); | ||
280 | free(opts->env); | ||
281 | |||
282 | for (i = 0; i < opts->npermitopen; i++) | ||
283 | free(opts->permitopen[i]); | ||
284 | free(opts->permitopen); | ||
285 | |||
286 | explicit_bzero(opts, sizeof(*opts)); | ||
287 | free(opts); | ||
288 | } | ||
289 | |||
290 | struct sshauthopt * | ||
291 | sshauthopt_new_with_keys_defaults(void) | ||
292 | { | ||
293 | struct sshauthopt *ret = NULL; | ||
294 | |||
295 | if ((ret = sshauthopt_new()) == NULL) | ||
296 | return NULL; | ||
297 | |||
298 | /* Defaults for authorized_keys flags */ | ||
299 | ret->permit_port_forwarding_flag = 1; | ||
300 | ret->permit_agent_forwarding_flag = 1; | ||
301 | ret->permit_x11_forwarding_flag = 1; | ||
302 | ret->permit_pty_flag = 1; | ||
303 | ret->permit_user_rc = 1; | ||
304 | return ret; | ||
305 | } | ||
306 | |||
307 | struct sshauthopt * | ||
308 | sshauthopt_parse(const char *opts, const char **errstrp) | ||
309 | { | ||
310 | char **oarray, *opt, *cp, *tmp, *host; | ||
311 | int r; | ||
312 | struct sshauthopt *ret = NULL; | ||
313 | const char *errstr = "unknown error"; | ||
314 | uint64_t valid_before; | ||
315 | |||
316 | if (errstrp != NULL) | ||
317 | *errstrp = NULL; | ||
318 | if ((ret = sshauthopt_new_with_keys_defaults()) == NULL) | ||
319 | goto alloc_fail; | ||
320 | |||
321 | if (opts == NULL) | ||
322 | return ret; | ||
323 | |||
324 | while (*opts && *opts != ' ' && *opts != '\t') { | ||
325 | /* flag options */ | ||
326 | if ((r = opt_flag("restrict", 0, &opts)) != -1) { | ||
327 | ret->restricted = 1; | ||
328 | ret->permit_port_forwarding_flag = 0; | ||
329 | ret->permit_agent_forwarding_flag = 0; | ||
330 | ret->permit_x11_forwarding_flag = 0; | ||
331 | ret->permit_pty_flag = 0; | ||
332 | ret->permit_user_rc = 0; | ||
333 | } else if ((r = opt_flag("cert-authority", 0, &opts)) != -1) { | ||
334 | ret->cert_authority = r; | ||
335 | } else if ((r = opt_flag("port-forwarding", 1, &opts)) != -1) { | ||
336 | ret->permit_port_forwarding_flag = r == 1; | ||
337 | } else if ((r = opt_flag("agent-forwarding", 1, &opts)) != -1) { | ||
338 | ret->permit_agent_forwarding_flag = r == 1; | ||
339 | } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) { | ||
340 | ret->permit_x11_forwarding_flag = r == 1; | ||
341 | } else if ((r = opt_flag("pty", 1, &opts)) != -1) { | ||
342 | ret->permit_pty_flag = r == 1; | ||
343 | } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { | ||
344 | ret->permit_user_rc = r == 1; | ||
345 | } else if (opt_match(&opts, "command")) { | ||
346 | if (ret->force_command != NULL) { | ||
347 | errstr = "multiple \"command\" clauses"; | ||
348 | goto fail; | ||
349 | } | ||
350 | ret->force_command = opt_dequote(&opts, &errstr); | ||
351 | if (ret->force_command == NULL) | ||
352 | goto fail; | ||
353 | } else if (opt_match(&opts, "principals")) { | ||
354 | if (ret->cert_principals != NULL) { | ||
355 | errstr = "multiple \"principals\" clauses"; | ||
356 | goto fail; | ||
357 | } | ||
358 | ret->cert_principals = opt_dequote(&opts, &errstr); | ||
359 | if (ret->cert_principals == NULL) | ||
360 | goto fail; | ||
361 | } else if (opt_match(&opts, "from")) { | ||
362 | if (ret->required_from_host_keys != NULL) { | ||
363 | errstr = "multiple \"from\" clauses"; | ||
364 | goto fail; | ||
365 | } | ||
366 | ret->required_from_host_keys = opt_dequote(&opts, | ||
367 | &errstr); | ||
368 | if (ret->required_from_host_keys == NULL) | ||
369 | goto fail; | ||
370 | } else if (opt_match(&opts, "expiry-time")) { | ||
371 | if ((opt = opt_dequote(&opts, &errstr)) == NULL) | ||
372 | goto fail; | ||
373 | if (parse_absolute_time(opt, &valid_before) != 0 || | ||
374 | valid_before == 0) { | ||
375 | free(opt); | ||
376 | errstr = "invalid expires time"; | ||
377 | goto fail; | ||
378 | } | ||
379 | free(opt); | ||
380 | if (ret->valid_before == 0 || | ||
381 | valid_before < ret->valid_before) | ||
382 | ret->valid_before = valid_before; | ||
383 | } else if (opt_match(&opts, "environment")) { | ||
384 | if (ret->nenv > INT_MAX) { | ||
385 | errstr = "too many environment strings"; | ||
386 | goto fail; | ||
387 | } | ||
388 | if ((opt = opt_dequote(&opts, &errstr)) == NULL) | ||
389 | goto fail; | ||
390 | /* env name must be alphanumeric and followed by '=' */ | ||
391 | if ((tmp = strchr(opt, '=')) == NULL) { | ||
392 | free(opt); | ||
393 | errstr = "invalid environment string"; | ||
394 | goto fail; | ||
395 | } | ||
396 | for (cp = opt; cp < tmp; cp++) { | ||
397 | if (!isalnum((u_char)*cp)) { | ||
398 | free(opt); | ||
399 | errstr = "invalid environment string"; | ||
400 | goto fail; | ||
401 | } | ||
402 | } | ||
403 | /* Append it. */ | ||
404 | oarray = ret->env; | ||
405 | if ((ret->env = recallocarray(ret->env, ret->nenv, | ||
406 | ret->nenv + 1, sizeof(*ret->env))) == NULL) { | ||
407 | free(opt); | ||
408 | ret->env = oarray; /* put it back for cleanup */ | ||
409 | goto alloc_fail; | ||
410 | } | ||
411 | ret->env[ret->nenv++] = opt; | ||
412 | } else if (opt_match(&opts, "permitopen")) { | ||
413 | if (ret->npermitopen > INT_MAX) { | ||
414 | errstr = "too many permitopens"; | ||
415 | goto fail; | ||
416 | } | ||
417 | if ((opt = opt_dequote(&opts, &errstr)) == NULL) | ||
418 | goto fail; | ||
419 | if ((tmp = strdup(opt)) == NULL) { | ||
420 | free(opt); | ||
421 | goto alloc_fail; | ||
422 | } | ||
423 | cp = tmp; | ||
424 | /* validate syntax of permitopen before recording it. */ | ||
425 | host = hpdelim(&cp); | ||
426 | if (host == NULL || strlen(host) >= NI_MAXHOST) { | ||
427 | free(tmp); | ||
428 | free(opt); | ||
429 | errstr = "invalid permitopen hostname"; | ||
430 | goto fail; | ||
431 | } | ||
432 | /* | ||
433 | * don't want to use permitopen_port to avoid | ||
434 | * dependency on channels.[ch] here. | ||
435 | */ | ||
436 | if (cp == NULL || | ||
437 | (strcmp(cp, "*") != 0 && a2port(cp) <= 0)) { | ||
438 | free(tmp); | ||
439 | free(opt); | ||
440 | errstr = "invalid permitopen port"; | ||
441 | goto fail; | ||
442 | } | ||
443 | /* XXX - add streamlocal support */ | ||
444 | free(tmp); | ||
445 | /* Record it */ | ||
446 | oarray = ret->permitopen; | ||
447 | if ((ret->permitopen = recallocarray(ret->permitopen, | ||
448 | ret->npermitopen, ret->npermitopen + 1, | ||
449 | sizeof(*ret->permitopen))) == NULL) { | ||
450 | free(opt); | ||
451 | ret->permitopen = oarray; | ||
452 | goto alloc_fail; | ||
453 | } | ||
454 | ret->permitopen[ret->npermitopen++] = opt; | ||
455 | } else if (opt_match(&opts, "tunnel")) { | ||
456 | if ((opt = opt_dequote(&opts, &errstr)) == NULL) | ||
457 | goto fail; | ||
458 | ret->force_tun_device = a2tun(opt, NULL); | ||
459 | free(opt); | ||
460 | if (ret->force_tun_device == SSH_TUNID_ERR) { | ||
461 | errstr = "invalid tun device"; | ||
462 | goto fail; | ||
463 | } | ||
464 | } | ||
465 | /* | ||
466 | * Skip the comma, and move to the next option | ||
467 | * (or break out if there are no more). | ||
468 | */ | ||
469 | if (*opts == '\0' || *opts == ' ' || *opts == '\t') | ||
470 | break; /* End of options. */ | ||
471 | /* Anything other than a comma is an unknown option */ | ||
472 | if (*opts != ',') { | ||
473 | errstr = "unknown key option"; | ||
474 | goto fail; | ||
475 | } | ||
476 | opts++; | ||
477 | if (*opts == '\0') { | ||
478 | errstr = "unexpected end-of-options"; | ||
479 | goto fail; | ||
480 | } | ||
481 | } | ||
482 | |||
483 | /* success */ | ||
484 | if (errstrp != NULL) | ||
485 | *errstrp = NULL; | ||
486 | return ret; | ||
487 | |||
488 | alloc_fail: | ||
489 | errstr = "memory allocation failed"; | ||
490 | fail: | ||
491 | sshauthopt_free(ret); | ||
492 | if (errstrp != NULL) | ||
493 | *errstrp = errstr; | ||
494 | return NULL; | ||
495 | } | ||
496 | |||
497 | struct sshauthopt * | ||
498 | sshauthopt_from_cert(struct sshkey *k) | ||
499 | { | ||
500 | struct sshauthopt *ret; | ||
501 | |||
502 | if (k == NULL || !sshkey_type_is_cert(k->type) || k->cert == NULL || | ||
503 | k->cert->type != SSH2_CERT_TYPE_USER) | ||
504 | return NULL; | ||
505 | |||
506 | if ((ret = sshauthopt_new()) == NULL) | ||
507 | return NULL; | ||
508 | |||
509 | /* Handle options and critical extensions separately */ | ||
510 | if (cert_option_list(ret, k->cert->critical, | ||
511 | OPTIONS_CRITICAL, 1) == -1) { | ||
512 | sshauthopt_free(ret); | ||
513 | return NULL; | ||
514 | } | ||
515 | if (cert_option_list(ret, k->cert->extensions, | ||
516 | OPTIONS_EXTENSIONS, 0) == -1) { | ||
517 | sshauthopt_free(ret); | ||
518 | return NULL; | ||
519 | } | ||
520 | /* success */ | ||
521 | return ret; | ||
522 | } | ||
523 | |||
622 | /* | 524 | /* |
623 | * Set options from critical certificate options. These supersede user key | 525 | * Merges "additional" options to "primary" and returns the result. |
624 | * options so this must be called after auth_parse_options(). | 526 | * NB. Some options from primary have primacy. |
625 | */ | 527 | */ |
626 | int | 528 | struct sshauthopt * |
627 | auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason) | 529 | sshauthopt_merge(const struct sshauthopt *primary, |
530 | const struct sshauthopt *additional, const char **errstrp) | ||
628 | { | 531 | { |
629 | int cert_no_port_forwarding_flag = 1; | 532 | struct sshauthopt *ret; |
630 | int cert_no_agent_forwarding_flag = 1; | 533 | const char *errstr = "internal error"; |
631 | int cert_no_x11_forwarding_flag = 1; | 534 | const char *tmp; |
632 | int cert_no_pty_flag = 1; | 535 | |
633 | int cert_no_user_rc = 1; | 536 | if (errstrp != NULL) |
634 | char *cert_forced_command = NULL; | 537 | *errstrp = NULL; |
635 | int cert_source_address_done = 0; | 538 | |
636 | 539 | if ((ret = sshauthopt_new()) == NULL) | |
637 | *reason = "invalid certificate options"; | 540 | goto alloc_fail; |
638 | 541 | ||
639 | /* Separate options and extensions for v01 certs */ | 542 | /* cert_authority and cert_principals are cleared in result */ |
640 | if (parse_option_list(k->cert->critical, pw, | 543 | |
641 | OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, | 544 | /* Prefer access lists from primary. */ |
642 | &cert_forced_command, | 545 | /* XXX err is both set and mismatch? */ |
643 | &cert_source_address_done) == -1) | 546 | tmp = primary->required_from_host_cert; |
644 | return -1; | 547 | if (tmp == NULL) |
645 | if (parse_option_list(k->cert->extensions, pw, | 548 | tmp = additional->required_from_host_cert; |
646 | OPTIONS_EXTENSIONS, 0, | 549 | if (tmp != NULL && (ret->required_from_host_cert = strdup(tmp)) == NULL) |
647 | &cert_no_port_forwarding_flag, | 550 | goto alloc_fail; |
648 | &cert_no_agent_forwarding_flag, | 551 | tmp = primary->required_from_host_keys; |
649 | &cert_no_x11_forwarding_flag, | 552 | if (tmp == NULL) |
650 | &cert_no_pty_flag, | 553 | tmp = additional->required_from_host_keys; |
651 | &cert_no_user_rc, | 554 | if (tmp != NULL && (ret->required_from_host_keys = strdup(tmp)) == NULL) |
652 | NULL, NULL) == -1) | 555 | goto alloc_fail; |
653 | return -1; | 556 | |
557 | /* force_tun_device, permitopen and environment prefer the primary. */ | ||
558 | ret->force_tun_device = primary->force_tun_device; | ||
559 | if (ret->force_tun_device == -1) | ||
560 | ret->force_tun_device = additional->force_tun_device; | ||
561 | if (primary->nenv > 0) { | ||
562 | if (dup_strings(&ret->env, &ret->nenv, | ||
563 | primary->env, primary->nenv) != 0) | ||
564 | goto alloc_fail; | ||
565 | } else if (additional->nenv) { | ||
566 | if (dup_strings(&ret->env, &ret->nenv, | ||
567 | additional->env, additional->nenv) != 0) | ||
568 | goto alloc_fail; | ||
569 | } | ||
570 | if (primary->npermitopen > 0) { | ||
571 | if (dup_strings(&ret->permitopen, &ret->npermitopen, | ||
572 | primary->permitopen, primary->npermitopen) != 0) | ||
573 | goto alloc_fail; | ||
574 | } else if (additional->npermitopen > 0) { | ||
575 | if (dup_strings(&ret->permitopen, &ret->npermitopen, | ||
576 | additional->permitopen, additional->npermitopen) != 0) | ||
577 | goto alloc_fail; | ||
578 | } | ||
579 | |||
580 | /* Flags are logical-AND (i.e. must be set in both for permission) */ | ||
581 | #define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1) | ||
582 | OPTFLAG(permit_port_forwarding_flag); | ||
583 | OPTFLAG(permit_agent_forwarding_flag); | ||
584 | OPTFLAG(permit_x11_forwarding_flag); | ||
585 | OPTFLAG(permit_pty_flag); | ||
586 | OPTFLAG(permit_user_rc); | ||
587 | #undef OPTFLAG | ||
588 | |||
589 | /* Earliest expiry time should win */ | ||
590 | if (primary->valid_before != 0) | ||
591 | ret->valid_before = primary->valid_before; | ||
592 | if (additional->valid_before != 0 && | ||
593 | additional->valid_before < ret->valid_before) | ||
594 | ret->valid_before = additional->valid_before; | ||
654 | 595 | ||
655 | no_port_forwarding_flag |= cert_no_port_forwarding_flag; | ||
656 | no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; | ||
657 | no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; | ||
658 | no_pty_flag |= cert_no_pty_flag; | ||
659 | no_user_rc |= cert_no_user_rc; | ||
660 | /* | 596 | /* |
661 | * Only permit both CA and key option forced-command if they match. | 597 | * When both multiple forced-command are specified, only |
662 | * Otherwise refuse the certificate. | 598 | * proceed if they are identical, otherwise fail. |
663 | */ | 599 | */ |
664 | if (cert_forced_command != NULL && forced_command != NULL) { | 600 | if (primary->force_command != NULL && |
665 | if (strcmp(forced_command, cert_forced_command) == 0) { | 601 | additional->force_command != NULL) { |
666 | free(forced_command); | 602 | if (strcmp(primary->force_command, |
667 | forced_command = cert_forced_command; | 603 | additional->force_command) == 0) { |
604 | /* ok */ | ||
605 | ret->force_command = strdup(primary->force_command); | ||
606 | if (ret->force_command == NULL) | ||
607 | goto alloc_fail; | ||
668 | } else { | 608 | } else { |
669 | *reason = "certificate and key options forced command " | 609 | errstr = "forced command options do not match"; |
670 | "do not match"; | 610 | goto fail; |
671 | free(cert_forced_command); | 611 | } |
672 | return -1; | 612 | } else if (primary->force_command != NULL) { |
613 | if ((ret->force_command = strdup( | ||
614 | primary->force_command)) == NULL) | ||
615 | goto alloc_fail; | ||
616 | } else if (additional->force_command != NULL) { | ||
617 | if ((ret->force_command = strdup( | ||
618 | additional->force_command)) == NULL) | ||
619 | goto alloc_fail; | ||
620 | } | ||
621 | /* success */ | ||
622 | if (errstrp != NULL) | ||
623 | *errstrp = NULL; | ||
624 | return ret; | ||
625 | |||
626 | alloc_fail: | ||
627 | errstr = "memory allocation failed"; | ||
628 | fail: | ||
629 | if (errstrp != NULL) | ||
630 | *errstrp = errstr; | ||
631 | sshauthopt_free(ret); | ||
632 | return NULL; | ||
633 | } | ||
634 | |||
635 | /* | ||
636 | * Copy options | ||
637 | */ | ||
638 | struct sshauthopt * | ||
639 | sshauthopt_copy(const struct sshauthopt *orig) | ||
640 | { | ||
641 | struct sshauthopt *ret; | ||
642 | |||
643 | if ((ret = sshauthopt_new()) == NULL) | ||
644 | return NULL; | ||
645 | |||
646 | #define OPTSCALAR(x) ret->x = orig->x | ||
647 | OPTSCALAR(permit_port_forwarding_flag); | ||
648 | OPTSCALAR(permit_agent_forwarding_flag); | ||
649 | OPTSCALAR(permit_x11_forwarding_flag); | ||
650 | OPTSCALAR(permit_pty_flag); | ||
651 | OPTSCALAR(permit_user_rc); | ||
652 | OPTSCALAR(restricted); | ||
653 | OPTSCALAR(cert_authority); | ||
654 | OPTSCALAR(force_tun_device); | ||
655 | OPTSCALAR(valid_before); | ||
656 | #undef OPTSCALAR | ||
657 | #define OPTSTRING(x) \ | ||
658 | do { \ | ||
659 | if (orig->x != NULL && (ret->x = strdup(orig->x)) == NULL) { \ | ||
660 | sshauthopt_free(ret); \ | ||
661 | return NULL; \ | ||
662 | } \ | ||
663 | } while (0) | ||
664 | OPTSTRING(cert_principals); | ||
665 | OPTSTRING(force_command); | ||
666 | OPTSTRING(required_from_host_cert); | ||
667 | OPTSTRING(required_from_host_keys); | ||
668 | #undef OPTSTRING | ||
669 | |||
670 | if (dup_strings(&ret->env, &ret->nenv, orig->env, orig->nenv) != 0 || | ||
671 | dup_strings(&ret->permitopen, &ret->npermitopen, | ||
672 | orig->permitopen, orig->npermitopen) != 0) { | ||
673 | sshauthopt_free(ret); | ||
674 | return NULL; | ||
675 | } | ||
676 | return ret; | ||
677 | } | ||
678 | |||
679 | static int | ||
680 | serialise_array(struct sshbuf *m, char **a, size_t n) | ||
681 | { | ||
682 | struct sshbuf *b; | ||
683 | size_t i; | ||
684 | int r; | ||
685 | |||
686 | if (n > INT_MAX) | ||
687 | return SSH_ERR_INTERNAL_ERROR; | ||
688 | |||
689 | if ((b = sshbuf_new()) == NULL) { | ||
690 | return SSH_ERR_ALLOC_FAIL; | ||
691 | } | ||
692 | for (i = 0; i < n; i++) { | ||
693 | if ((r = sshbuf_put_cstring(b, a[i])) != 0) { | ||
694 | sshbuf_free(b); | ||
695 | return r; | ||
673 | } | 696 | } |
674 | } else if (cert_forced_command != NULL) | 697 | } |
675 | forced_command = cert_forced_command; | 698 | if ((r = sshbuf_put_u32(m, n)) != 0 || |
699 | (r = sshbuf_put_stringb(m, b)) != 0) { | ||
700 | sshbuf_free(b); | ||
701 | return r; | ||
702 | } | ||
676 | /* success */ | 703 | /* success */ |
677 | *reason = NULL; | ||
678 | return 0; | 704 | return 0; |
679 | } | 705 | } |
680 | 706 | ||
707 | static int | ||
708 | deserialise_array(struct sshbuf *m, char ***ap, size_t *np) | ||
709 | { | ||
710 | char **a = NULL; | ||
711 | size_t i, n = 0; | ||
712 | struct sshbuf *b = NULL; | ||
713 | u_int tmp; | ||
714 | int r = SSH_ERR_INTERNAL_ERROR; | ||
715 | |||
716 | if ((r = sshbuf_get_u32(m, &tmp)) != 0 || | ||
717 | (r = sshbuf_froms(m, &b)) != 0) | ||
718 | goto out; | ||
719 | if (tmp > INT_MAX) { | ||
720 | r = SSH_ERR_INVALID_FORMAT; | ||
721 | goto out; | ||
722 | } | ||
723 | n = tmp; | ||
724 | if (n > 0 && (a = calloc(n, sizeof(*a))) == NULL) { | ||
725 | r = SSH_ERR_ALLOC_FAIL; | ||
726 | goto out; | ||
727 | } | ||
728 | for (i = 0; i < n; i++) { | ||
729 | if ((r = sshbuf_get_cstring(b, &a[i], NULL)) != 0) | ||
730 | goto out; | ||
731 | } | ||
732 | /* success */ | ||
733 | r = 0; | ||
734 | *ap = a; | ||
735 | a = NULL; | ||
736 | *np = n; | ||
737 | n = 0; | ||
738 | out: | ||
739 | for (i = 0; i < n; i++) | ||
740 | free(a[i]); | ||
741 | free(a); | ||
742 | sshbuf_free(b); | ||
743 | return r; | ||
744 | } | ||
745 | |||
746 | static int | ||
747 | serialise_nullable_string(struct sshbuf *m, const char *s) | ||
748 | { | ||
749 | int r; | ||
750 | |||
751 | if ((r = sshbuf_put_u8(m, s == NULL)) != 0 || | ||
752 | (r = sshbuf_put_cstring(m, s)) != 0) | ||
753 | return r; | ||
754 | return 0; | ||
755 | } | ||
756 | |||
757 | static int | ||
758 | deserialise_nullable_string(struct sshbuf *m, char **sp) | ||
759 | { | ||
760 | int r; | ||
761 | u_char flag; | ||
762 | |||
763 | *sp = NULL; | ||
764 | if ((r = sshbuf_get_u8(m, &flag)) != 0 || | ||
765 | (r = sshbuf_get_cstring(m, flag ? NULL : sp, NULL)) != 0) | ||
766 | return r; | ||
767 | return 0; | ||
768 | } | ||
769 | |||
770 | int | ||
771 | sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, | ||
772 | int untrusted) | ||
773 | { | ||
774 | int r = SSH_ERR_INTERNAL_ERROR; | ||
775 | |||
776 | /* Flag and simple integer options */ | ||
777 | if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 || | ||
778 | (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 || | ||
779 | (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 || | ||
780 | (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 || | ||
781 | (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || | ||
782 | (r = sshbuf_put_u8(m, opts->restricted)) != 0 || | ||
783 | (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || | ||
784 | (r = sshbuf_put_u64(m, opts->valid_before)) != 0) | ||
785 | return r; | ||
786 | |||
787 | /* tunnel number can be negative to indicate "unset" */ | ||
788 | if ((r = sshbuf_put_u8(m, opts->force_tun_device == -1)) != 0 || | ||
789 | (r = sshbuf_put_u32(m, (opts->force_tun_device < 0) ? | ||
790 | 0 : (u_int)opts->force_tun_device)) != 0) | ||
791 | return r; | ||
792 | |||
793 | /* String options; these may be NULL */ | ||
794 | if ((r = serialise_nullable_string(m, | ||
795 | untrusted ? "yes" : opts->cert_principals)) != 0 || | ||
796 | (r = serialise_nullable_string(m, | ||
797 | untrusted ? "true" : opts->force_command)) != 0 || | ||
798 | (r = serialise_nullable_string(m, | ||
799 | untrusted ? NULL : opts->required_from_host_cert)) != 0 || | ||
800 | (r = serialise_nullable_string(m, | ||
801 | untrusted ? NULL : opts->required_from_host_keys)) != 0) | ||
802 | return r; | ||
803 | |||
804 | /* Array options */ | ||
805 | if ((r = serialise_array(m, opts->env, | ||
806 | untrusted ? 0 : opts->nenv)) != 0 || | ||
807 | (r = serialise_array(m, opts->permitopen, | ||
808 | untrusted ? 0 : opts->npermitopen)) != 0) | ||
809 | return r; | ||
810 | |||
811 | /* success */ | ||
812 | return 0; | ||
813 | } | ||
814 | |||
815 | int | ||
816 | sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) | ||
817 | { | ||
818 | struct sshauthopt *opts = NULL; | ||
819 | int r = SSH_ERR_INTERNAL_ERROR; | ||
820 | u_char f; | ||
821 | u_int tmp; | ||
822 | |||
823 | if ((opts = calloc(1, sizeof(*opts))) == NULL) | ||
824 | return SSH_ERR_ALLOC_FAIL; | ||
825 | |||
826 | #define OPT_FLAG(x) \ | ||
827 | do { \ | ||
828 | if ((r = sshbuf_get_u8(m, &f)) != 0) \ | ||
829 | goto out; \ | ||
830 | opts->x = f; \ | ||
831 | } while (0) | ||
832 | OPT_FLAG(permit_port_forwarding_flag); | ||
833 | OPT_FLAG(permit_agent_forwarding_flag); | ||
834 | OPT_FLAG(permit_x11_forwarding_flag); | ||
835 | OPT_FLAG(permit_pty_flag); | ||
836 | OPT_FLAG(permit_user_rc); | ||
837 | OPT_FLAG(restricted); | ||
838 | OPT_FLAG(cert_authority); | ||
839 | #undef OPT_FLAG | ||
840 | |||
841 | if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0) | ||
842 | goto out; | ||
843 | |||
844 | /* tunnel number can be negative to indicate "unset" */ | ||
845 | if ((r = sshbuf_get_u8(m, &f)) != 0 || | ||
846 | (r = sshbuf_get_u32(m, &tmp)) != 0) | ||
847 | goto out; | ||
848 | opts->force_tun_device = f ? -1 : (int)tmp; | ||
849 | |||
850 | /* String options may be NULL */ | ||
851 | if ((r = deserialise_nullable_string(m, &opts->cert_principals)) != 0 || | ||
852 | (r = deserialise_nullable_string(m, &opts->force_command)) != 0 || | ||
853 | (r = deserialise_nullable_string(m, | ||
854 | &opts->required_from_host_cert)) != 0 || | ||
855 | (r = deserialise_nullable_string(m, | ||
856 | &opts->required_from_host_keys)) != 0) | ||
857 | goto out; | ||
858 | |||
859 | /* Array options */ | ||
860 | if ((r = deserialise_array(m, &opts->env, &opts->nenv)) != 0 || | ||
861 | (r = deserialise_array(m, | ||
862 | &opts->permitopen, &opts->npermitopen)) != 0) | ||
863 | goto out; | ||
864 | |||
865 | /* success */ | ||
866 | r = 0; | ||
867 | *optsp = opts; | ||
868 | opts = NULL; | ||
869 | out: | ||
870 | sshauthopt_free(opts); | ||
871 | return r; | ||
872 | } | ||