Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/auth-options.c b/auth-options.c index 696ba6ac6..98afdf5fe 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.92 2020/03/06 18:15:38 markus Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.93 2020/08/27 01:07:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> | 3 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> |
4 | * | 4 | * |
@@ -119,7 +119,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, | |||
119 | } | 119 | } |
120 | } | 120 | } |
121 | if (!found && (which & OPTIONS_CRITICAL) != 0) { | 121 | if (!found && (which & OPTIONS_CRITICAL) != 0) { |
122 | if (strcmp(name, "force-command") == 0) { | 122 | if (strcmp(name, "verify-required") == 0) { |
123 | opts->require_verify = 1; | ||
124 | found = 1; | ||
125 | } else if (strcmp(name, "force-command") == 0) { | ||
123 | if ((r = sshbuf_get_cstring(data, &command, | 126 | if ((r = sshbuf_get_cstring(data, &command, |
124 | NULL)) != 0) { | 127 | NULL)) != 0) { |
125 | error("Unable to parse \"%s\" " | 128 | error("Unable to parse \"%s\" " |
@@ -134,8 +137,7 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, | |||
134 | } | 137 | } |
135 | opts->force_command = command; | 138 | opts->force_command = command; |
136 | found = 1; | 139 | found = 1; |
137 | } | 140 | } else if (strcmp(name, "source-address") == 0) { |
138 | if (strcmp(name, "source-address") == 0) { | ||
139 | if ((r = sshbuf_get_cstring(data, &allowed, | 141 | if ((r = sshbuf_get_cstring(data, &allowed, |
140 | NULL)) != 0) { | 142 | NULL)) != 0) { |
141 | error("Unable to parse \"%s\" " | 143 | error("Unable to parse \"%s\" " |
@@ -351,6 +353,8 @@ sshauthopt_parse(const char *opts, const char **errstrp) | |||
351 | ret->permit_x11_forwarding_flag = r == 1; | 353 | ret->permit_x11_forwarding_flag = r == 1; |
352 | } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { | 354 | } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { |
353 | ret->no_require_user_presence = r != 1; /* NB. flip */ | 355 | ret->no_require_user_presence = r != 1; /* NB. flip */ |
356 | } else if ((r = opt_flag("verify-required", 1, &opts)) != -1) { | ||
357 | ret->require_verify = r == 1; | ||
354 | } else if ((r = opt_flag("pty", 1, &opts)) != -1) { | 358 | } else if ((r = opt_flag("pty", 1, &opts)) != -1) { |
355 | ret->permit_pty_flag = r == 1; | 359 | ret->permit_pty_flag = r == 1; |
356 | } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { | 360 | } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { |
@@ -572,6 +576,7 @@ sshauthopt_merge(const struct sshauthopt *primary, | |||
572 | } | 576 | } |
573 | 577 | ||
574 | #define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) | 578 | #define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) |
579 | #define OPTFLAG_OR(x) ret->x = (primary->x == 1) || (additional->x == 1) | ||
575 | /* Permissive flags are logical-AND (i.e. must be set in both) */ | 580 | /* Permissive flags are logical-AND (i.e. must be set in both) */ |
576 | OPTFLAG_AND(permit_port_forwarding_flag); | 581 | OPTFLAG_AND(permit_port_forwarding_flag); |
577 | OPTFLAG_AND(permit_agent_forwarding_flag); | 582 | OPTFLAG_AND(permit_agent_forwarding_flag); |
@@ -579,6 +584,8 @@ sshauthopt_merge(const struct sshauthopt *primary, | |||
579 | OPTFLAG_AND(permit_pty_flag); | 584 | OPTFLAG_AND(permit_pty_flag); |
580 | OPTFLAG_AND(permit_user_rc); | 585 | OPTFLAG_AND(permit_user_rc); |
581 | OPTFLAG_AND(no_require_user_presence); | 586 | OPTFLAG_AND(no_require_user_presence); |
587 | /* Restrictive flags are logical-OR (i.e. must be set in either) */ | ||
588 | OPTFLAG_OR(require_verify); | ||
582 | #undef OPTFLAG_AND | 589 | #undef OPTFLAG_AND |
583 | 590 | ||
584 | /* Earliest expiry time should win */ | 591 | /* Earliest expiry time should win */ |
@@ -649,6 +656,7 @@ sshauthopt_copy(const struct sshauthopt *orig) | |||
649 | OPTSCALAR(force_tun_device); | 656 | OPTSCALAR(force_tun_device); |
650 | OPTSCALAR(valid_before); | 657 | OPTSCALAR(valid_before); |
651 | OPTSCALAR(no_require_user_presence); | 658 | OPTSCALAR(no_require_user_presence); |
659 | OPTSCALAR(require_verify); | ||
652 | #undef OPTSCALAR | 660 | #undef OPTSCALAR |
653 | #define OPTSTRING(x) \ | 661 | #define OPTSTRING(x) \ |
654 | do { \ | 662 | do { \ |
@@ -781,7 +789,8 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, | |||
781 | (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || | 789 | (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || |
782 | (r = sshbuf_put_u8(m, opts->restricted)) != 0 || | 790 | (r = sshbuf_put_u8(m, opts->restricted)) != 0 || |
783 | (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || | 791 | (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || |
784 | (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0) | 792 | (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0 || |
793 | (r = sshbuf_put_u8(m, opts->require_verify)) != 0) | ||
785 | return r; | 794 | return r; |
786 | 795 | ||
787 | /* Simple integer options */ | 796 | /* Simple integer options */ |
@@ -844,6 +853,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) | |||
844 | OPT_FLAG(restricted); | 853 | OPT_FLAG(restricted); |
845 | OPT_FLAG(cert_authority); | 854 | OPT_FLAG(cert_authority); |
846 | OPT_FLAG(no_require_user_presence); | 855 | OPT_FLAG(no_require_user_presence); |
856 | OPT_FLAG(require_verify); | ||
847 | #undef OPT_FLAG | 857 | #undef OPT_FLAG |
848 | 858 | ||
849 | /* Simple integer options */ | 859 | /* Simple integer options */ |
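Review bot: In the sshauthopt_merge hunk the new `OPTFLAG_OR` macro is defined beside `OPTFLAG_AND`, but only `#undef OPTFLAG_AND` follows the flag block, so `OPTFLAG_OR` stays defined for the rest of the translation unit; add `#undef OPTFLAG_OR` directly after it. The OR merge itself is the right direction for a restrictive flag — a `require_verify` set by either the authorized_keys options or the certificate's critical option has to survive the merge — and the serialise/deserialise hunks append the new field at matching positions. In the cert_option_list hunk the `verify-required` branch marks the option found without consuming or checking `data`, unlike the `force-command` and `source-address` branches; if that option's data field is expected to be empty, a length check or a one-line comment stating that the data is intentionally ignored would make the contract explicit. The enclosing functions of all hunks start and end outside the shown lines.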