1 files changed, 79 insertions, 29 deletions
diff --git a/auth-options.h b/auth-options.h
index 4de0f14dc..bf59b30be 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,41 +1,91 @@
-/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth-options.h,v 1.26 2018/03/12 00:52:01 djm Exp $ */
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
 *
- * As far as I am concerned, the code I have written for this software
+ * Permission to use, copy, modify, and distribute this software for any
- * can be used freely for any purpose.  Any derived versions of this
+ * purpose with or without fee is hereby granted, provided that the above
- * software must be clearly marked as such, and if the derived work is
+ * copyright notice and this permission notice appear in all copies.
- * incompatible with the protocol description in the RFC file, it must be
+ *
- * called by a name other than "ssh" or "Secure Shell".
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #ifndef AUTH_OPTIONS_H
 #define AUTH_OPTIONS_H
-/* Linked list of custom environment strings */
+struct passwd;
-struct envstring {
+struct sshkey;
-        struct envstring *next;
-        char   *s;
+/*
+ * sshauthopt represents key options parsed from authorized_keys or
+ * from certificate extensions/options.
+ */
+struct sshauthopt {
+        /* Feature flags */
+        int permit_port_forwarding_flag;
+        int permit_agent_forwarding_flag;
+        int permit_x11_forwarding_flag;
+        int permit_pty_flag;
+        int permit_user_rc;
+        /* "restrict" keyword was invoked */
+        int restricted;
+        /* key/principal expiry date */
+        uint64_t valid_before;
+        /* Certificate-related options */
+        int cert_authority;
+        char *cert_principals;
+        int force_tun_device;
+        char *force_command;
+        /* Custom environment */
+        size_t nenv;
+        char **env;
+        /* Permitted port forwardings */
+        size_t npermitopen;
+        char **permitopen;
+        /*
+         * Permitted host/addresses (comma-separated)
+         * Caller must check source address matches both lists (if present).
+         */
+        char *required_from_host_cert;
+        char *required_from_host_keys;
 };
-/* Flags that may be set in authorized_keys options. */
+struct sshauthopt *sshauthopt_new(void);
-extern int no_port_forwarding_flag;
+struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
-extern int no_agent_forwarding_flag;
+void sshauthopt_free(struct sshauthopt *opts);
-extern int no_x11_forwarding_flag;
+struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
-extern int no_pty_flag;
+int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
-extern int no_user_rc;
+int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
-extern char *forced_command;
-extern struct envstring *custom_environment;
+/*
-extern int forced_tun_device;
+ * Parse authorized_keys options. Returns an options structure on success
-extern int key_is_cert_authority;
+ * or NULL on failure. Will set errstr on failure.
-extern char *authorized_principals;
+ */
+struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
-void    auth_start_parse_options(void);
-int     auth_parse_options(struct passwd *, char *, const char *, u_long);
+/*
-void    auth_clear_options(void);
+ * Parse certification options to a struct sshauthopt.
-int     auth_cert_options(struct sshkey *, struct passwd *, const char **);
+ * Returns options on success or NULL on failure.
+ */
+struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
+/*
+ * Merge key options.
+ */
+struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
+    const struct sshauthopt *additional, const char **errstrp);
 #endif

diff --git a/auth-options.h b/auth-options.h index 4de0f14dc..bf59b30be 100644 --- a/auth-options.h +++ b/auth-options.h
@@ -1,41 +1,91 @@
1	/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */	1	/* $OpenBSD: auth-options.h,v 1.26 2018/03/12 00:52:01 djm Exp $ */
2		2
3	/*	3	/*
4	* Author: Tatu Ylonen <ylo@cs.hut.fi>	4	* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
5	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6	* All rights reserved
7	*	5	*
8	* As far as I am concerned, the code I have written for this software	6	* Permission to use, copy, modify, and distribute this software for any
9	* can be used freely for any purpose. Any derived versions of this	7	* purpose with or without fee is hereby granted, provided that the above
10	* software must be clearly marked as such, and if the derived work is	8	* copyright notice and this permission notice appear in all copies.
11	* incompatible with the protocol description in the RFC file, it must be	9	*
12	* called by a name other than "ssh" or "Secure Shell".	10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
13	*/	17	*/
14		18
15	#ifndef AUTH_OPTIONS_H	19	#ifndef AUTH_OPTIONS_H
16	#define AUTH_OPTIONS_H	20	#define AUTH_OPTIONS_H
17		21
18	/* Linked list of custom environment strings */	22	struct passwd;
19	struct envstring {	23	struct sshkey;
20	struct envstring *next;	24
21	char *s;	25	/*
		26	* sshauthopt represents key options parsed from authorized_keys or
		27	* from certificate extensions/options.
		28	*/
		29	struct sshauthopt {
		30	/* Feature flags */
		31	int permit_port_forwarding_flag;
		32	int permit_agent_forwarding_flag;
		33	int permit_x11_forwarding_flag;
		34	int permit_pty_flag;
		35	int permit_user_rc;
		36
		37	/* "restrict" keyword was invoked */
		38	int restricted;
		39
		40	/* key/principal expiry date */
		41	uint64_t valid_before;
		42
		43	/* Certificate-related options */
		44	int cert_authority;
		45	char *cert_principals;
		46
		47	int force_tun_device;
		48	char *force_command;
		49
		50	/* Custom environment */
		51	size_t nenv;
		52	char **env;
		53
		54	/* Permitted port forwardings */
		55	size_t npermitopen;
		56	char **permitopen;
		57
		58	/*
		59	* Permitted host/addresses (comma-separated)
		60	* Caller must check source address matches both lists (if present).
		61	*/
		62	char *required_from_host_cert;
		63	char *required_from_host_keys;
22	};	64	};
23		65
24	/* Flags that may be set in authorized_keys options. */	66	struct sshauthopt *sshauthopt_new(void);
25	extern int no_port_forwarding_flag;	67	struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
26	extern int no_agent_forwarding_flag;	68	void sshauthopt_free(struct sshauthopt *opts);
27	extern int no_x11_forwarding_flag;	69	struct sshauthopt sshauthopt_copy(const struct sshauthopt orig);
28	extern int no_pty_flag;	70	int sshauthopt_serialise(const struct sshauthopt opts, struct sshbuf m, int);
29	extern int no_user_rc;	71	int sshauthopt_deserialise(struct sshbuf m, struct sshauthopt *opts);
30	extern char *forced_command;	72
31	extern struct envstring *custom_environment;	73	/*
32	extern int forced_tun_device;	74	* Parse authorized_keys options. Returns an options structure on success
33	extern int key_is_cert_authority;	75	* or NULL on failure. Will set errstr on failure.
34	extern char *authorized_principals;	76	*/
35		77	struct sshauthopt sshauthopt_parse(const char s, const char **errstr);
36	void auth_start_parse_options(void);	78
37	int auth_parse_options(struct passwd , char , const char *, u_long);	79	/*
38	void auth_clear_options(void);	80	* Parse certification options to a struct sshauthopt.
39	int auth_cert_options(struct sshkey , struct passwd , const char **);	81	* Returns options on success or NULL on failure.
		82	*/
		83	struct sshauthopt sshauthopt_from_cert(struct sshkey k);
		84
		85	/*
		86	* Merge key options.
		87	*/
		88	struct sshauthopt sshauthopt_merge(const struct sshauthopt primary,
		89	const struct sshauthopt additional, const char *errstrp);
40		90
41	#endif	91	#endif