summaryrefslogtreecommitdiff
path: root/auth-options.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth-options.c')
-rw-r--r--auth-options.c21
1 files changed, 11 insertions, 10 deletions
diff --git a/auth-options.c b/auth-options.c
index 69b314fbd..60d5f749b 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.50 2010/04/16 01:47:26 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -27,10 +27,10 @@
27#include "canohost.h" 27#include "canohost.h"
28#include "buffer.h" 28#include "buffer.h"
29#include "channels.h" 29#include "channels.h"
30#include "auth-options.h"
31#include "servconf.h" 30#include "servconf.h"
32#include "misc.h" 31#include "misc.h"
33#include "key.h" 32#include "key.h"
33#include "auth-options.h"
34#include "hostfile.h" 34#include "hostfile.h"
35#include "auth.h" 35#include "auth.h"
36#ifdef GSSAPI 36#ifdef GSSAPI
@@ -377,11 +377,11 @@ bad_option:
377} 377}
378 378
379/* 379/*
380 * Set options from certificate constraints. These supersede user key options 380 * Set options from critical certificate options. These supersede user key
381 * so this must be called after auth_parse_options(). 381 * options so this must be called after auth_parse_options().
382 */ 382 */
383int 383int
384auth_cert_constraints(Buffer *c_orig, struct passwd *pw) 384auth_cert_options(Key *k, struct passwd *pw)
385{ 385{
386 u_char *name = NULL, *data_blob = NULL; 386 u_char *name = NULL, *data_blob = NULL;
387 u_int nlen, dlen, clen; 387 u_int nlen, dlen, clen;
@@ -400,12 +400,13 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
400 400
401 /* Make copy to avoid altering original */ 401 /* Make copy to avoid altering original */
402 buffer_init(&c); 402 buffer_init(&c);
403 buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); 403 buffer_append(&c,
404 buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
404 405
405 while (buffer_len(&c) > 0) { 406 while (buffer_len(&c) > 0) {
406 if ((name = buffer_get_string_ret(&c, &nlen)) == NULL || 407 if ((name = buffer_get_string_ret(&c, &nlen)) == NULL ||
407 (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { 408 (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) {
408 error("Certificate constraints corrupt"); 409 error("Certificate options corrupt");
409 goto out; 410 goto out;
410 } 411 }
411 buffer_append(&data, data_blob, dlen); 412 buffer_append(&data, data_blob, dlen);
@@ -439,7 +440,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
439 } 440 }
440 if (cert_forced_command != NULL) { 441 if (cert_forced_command != NULL) {
441 error("Certificate has multiple " 442 error("Certificate has multiple "
442 "force-command constraints"); 443 "force-command options");
443 xfree(command); 444 xfree(command);
444 goto out; 445 goto out;
445 } 446 }
@@ -459,7 +460,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
459 } 460 }
460 if (cert_source_address_done++) { 461 if (cert_source_address_done++) {
461 error("Certificate has multiple " 462 error("Certificate has multiple "
462 "source-address constraints"); 463 "source-address options");
463 xfree(allowed); 464 xfree(allowed);
464 goto out; 465 goto out;
465 } 466 }
@@ -502,7 +503,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
502 name = data_blob = NULL; 503 name = data_blob = NULL;
503 } 504 }
504 505
505 /* successfully parsed all constraints */ 506 /* successfully parsed all options */
506 ret = 0; 507 ret = 0;
507 508
508 no_port_forwarding_flag |= cert_no_port_forwarding_flag; 509 no_port_forwarding_flag |= cert_no_port_forwarding_flag;