Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 21 |
1 files changed, 17 insertions, 4 deletions
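--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.210 2020/03/13 03:17:07 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.214 2020/08/27 01:07:09 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -679,7 +679,7 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
 
 if ((key = get_hostkey_by_index(keyid)) != NULL) {
 if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
-options.sk_provider, compat)) != 0)
+options.sk_provider, NULL, compat)) != 0)
 fatal("%s: sshkey_sign failed: %s",
 __func__, ssh_err(r));
 } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
@@ -1387,7 +1387,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 const u_char *signature, *data, *blob;
 char *sigalg = NULL, *fp = NULL;
 size_t signaturelen, datalen, bloblen;
-int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
+int encoded_ret;
 struct sshkey_sig_details *sig_details = NULL;
 
 if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
@@ -1452,6 +1453,18 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 ssh_remote_port(ssh));
 ret = SSH_ERR_SIGNATURE_INVALID;
 }
+req_verify = (options.pubkey_auth_options &
+PUBKEYAUTH_VERIFY_REQUIRED) || key_opts->require_verify;
+if (req_verify &&
+(sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0) {
+error("public key %s %s signature for %s%s from %.128s "
+"port %d rejected: user verification requirement "
+"not met ", sshkey_type(key), fp,
+authctxt->valid ? "" : "invalid user ",
+authctxt->user, ssh_remote_ipaddr(ssh),
+ssh_remote_port(ssh));
+ret = SSH_ERR_SIGNATURE_INVALID;
+}
 }
 auth2_record_key(authctxt, ret == 0, key);
 
@@ -1568,7 +1581,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
 if (fd0 != 0)
 error("%s: fd0 %d != 0", __func__, fd0);
 
-/* slave is not needed */
+/* slave side of pty is not needed */
 close(s->ttyfd);
 s->ttyfd = s->ptyfd;
 /* no need to dup() because nobody closes ptyfd */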
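Review bot: The new req_verify check in mm_answer_keyverify (new lines 1456-1467) dereferences both key_opts and sig_details with no guard inside the hunk; the enclosing block opens before the hunk, so the non-NULL checks it relies on presumably sit on that outer condition — worth confirming, since a signature from a key type that yields no sig_details would otherwise fault here on the privileged monitor side. The rejection string on new line 1462 ends in `"not met "` with a trailing space before the closing quote, which lands in the log line; `"not met", sshkey_type(key), fp,` reads cleaner unless it is kept deliberately to match the presence message above. A one-line comment above the new assignment would help readers unfamiliar with the FIDO flags, e.g. `/* Enforce user verification when required by sshd_config (PUBKEYAUTH_VERIFY_REQUIRED) or by the key's authorized_keys options. */`. mm_answer_keyverify starts and ends outside the hunk.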