diff options
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/auth-options.c b/auth-options.c index 696ba6ac6..98afdf5fe 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth-options.c,v 1.92 2020/03/06 18:15:38 markus Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.93 2020/08/27 01:07:09 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> | 3 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> |
| 4 | * | 4 | * |
| @@ -119,7 +119,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, | |||
| 119 | } | 119 | } |
| 120 | } | 120 | } |
| 121 | if (!found && (which & OPTIONS_CRITICAL) != 0) { | 121 | if (!found && (which & OPTIONS_CRITICAL) != 0) { |
| 122 | if (strcmp(name, "force-command") == 0) { | 122 | if (strcmp(name, "verify-required") == 0) { |
| 123 | opts->require_verify = 1; | ||
| 124 | found = 1; | ||
| 125 | } else if (strcmp(name, "force-command") == 0) { | ||
| 123 | if ((r = sshbuf_get_cstring(data, &command, | 126 | if ((r = sshbuf_get_cstring(data, &command, |
| 124 | NULL)) != 0) { | 127 | NULL)) != 0) { |
| 125 | error("Unable to parse \"%s\" " | 128 | error("Unable to parse \"%s\" " |
| @@ -134,8 +137,7 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, | |||
| 134 | } | 137 | } |
| 135 | opts->force_command = command; | 138 | opts->force_command = command; |
| 136 | found = 1; | 139 | found = 1; |
| 137 | } | 140 | } else if (strcmp(name, "source-address") == 0) { |
| 138 | if (strcmp(name, "source-address") == 0) { | ||
| 139 | if ((r = sshbuf_get_cstring(data, &allowed, | 141 | if ((r = sshbuf_get_cstring(data, &allowed, |
| 140 | NULL)) != 0) { | 142 | NULL)) != 0) { |
| 141 | error("Unable to parse \"%s\" " | 143 | error("Unable to parse \"%s\" " |
| @@ -351,6 +353,8 @@ sshauthopt_parse(const char *opts, const char **errstrp) | |||
| 351 | ret->permit_x11_forwarding_flag = r == 1; | 353 | ret->permit_x11_forwarding_flag = r == 1; |
| 352 | } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { | 354 | } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { |
| 353 | ret->no_require_user_presence = r != 1; /* NB. flip */ | 355 | ret->no_require_user_presence = r != 1; /* NB. flip */ |
| 356 | } else if ((r = opt_flag("verify-required", 1, &opts)) != -1) { | ||
| 357 | ret->require_verify = r == 1; | ||
| 354 | } else if ((r = opt_flag("pty", 1, &opts)) != -1) { | 358 | } else if ((r = opt_flag("pty", 1, &opts)) != -1) { |
| 355 | ret->permit_pty_flag = r == 1; | 359 | ret->permit_pty_flag = r == 1; |
| 356 | } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { | 360 | } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { |
| @@ -572,6 +576,7 @@ sshauthopt_merge(const struct sshauthopt *primary, | |||
| 572 | } | 576 | } |
| 573 | 577 | ||
| 574 | #define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) | 578 | #define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) |
| 579 | #define OPTFLAG_OR(x) ret->x = (primary->x == 1) || (additional->x == 1) | ||
| 575 | /* Permissive flags are logical-AND (i.e. must be set in both) */ | 580 | /* Permissive flags are logical-AND (i.e. must be set in both) */ |
| 576 | OPTFLAG_AND(permit_port_forwarding_flag); | 581 | OPTFLAG_AND(permit_port_forwarding_flag); |
| 577 | OPTFLAG_AND(permit_agent_forwarding_flag); | 582 | OPTFLAG_AND(permit_agent_forwarding_flag); |
| @@ -579,6 +584,8 @@ sshauthopt_merge(const struct sshauthopt *primary, | |||
| 579 | OPTFLAG_AND(permit_pty_flag); | 584 | OPTFLAG_AND(permit_pty_flag); |
| 580 | OPTFLAG_AND(permit_user_rc); | 585 | OPTFLAG_AND(permit_user_rc); |
| 581 | OPTFLAG_AND(no_require_user_presence); | 586 | OPTFLAG_AND(no_require_user_presence); |
| 587 | /* Restrictive flags are logical-OR (i.e. must be set in either) */ | ||
| 588 | OPTFLAG_OR(require_verify); | ||
| 582 | #undef OPTFLAG_AND | 589 | #undef OPTFLAG_AND |
| 583 | 590 | ||
| 584 | /* Earliest expiry time should win */ | 591 | /* Earliest expiry time should win */ |
| @@ -649,6 +656,7 @@ sshauthopt_copy(const struct sshauthopt *orig) | |||
| 649 | OPTSCALAR(force_tun_device); | 656 | OPTSCALAR(force_tun_device); |
| 650 | OPTSCALAR(valid_before); | 657 | OPTSCALAR(valid_before); |
| 651 | OPTSCALAR(no_require_user_presence); | 658 | OPTSCALAR(no_require_user_presence); |
| 659 | OPTSCALAR(require_verify); | ||
| 652 | #undef OPTSCALAR | 660 | #undef OPTSCALAR |
| 653 | #define OPTSTRING(x) \ | 661 | #define OPTSTRING(x) \ |
| 654 | do { \ | 662 | do { \ |
| @@ -781,7 +789,8 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, | |||
| 781 | (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || | 789 | (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || |
| 782 | (r = sshbuf_put_u8(m, opts->restricted)) != 0 || | 790 | (r = sshbuf_put_u8(m, opts->restricted)) != 0 || |
| 783 | (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || | 791 | (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || |
| 784 | (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0) | 792 | (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0 || |
| 793 | (r = sshbuf_put_u8(m, opts->require_verify)) != 0) | ||
| 785 | return r; | 794 | return r; |
| 786 | 795 | ||
| 787 | /* Simple integer options */ | 796 | /* Simple integer options */ |
| @@ -844,6 +853,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) | |||
| 844 | OPT_FLAG(restricted); | 853 | OPT_FLAG(restricted); |
| 845 | OPT_FLAG(cert_authority); | 854 | OPT_FLAG(cert_authority); |
| 846 | OPT_FLAG(no_require_user_presence); | 855 | OPT_FLAG(no_require_user_presence); |
| 856 | OPT_FLAG(require_verify); | ||
| 847 | #undef OPT_FLAG | 857 | #undef OPT_FLAG |
| 848 | 858 | ||
| 849 | /* Simple integer options */ | 859 | /* Simple integer options */ |