Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 17 |
1 files changed, 15 insertions, 2 deletions
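--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.213 2020/08/27 01:06:18 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.214 2020/08/27 01:07:09 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1387,7 +1387,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 const u_char *signature, *data, *blob;
 char *sigalg = NULL, *fp = NULL;
 size_t signaturelen, datalen, bloblen;
-int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
+int encoded_ret;
 struct sshkey_sig_details *sig_details = NULL;
 
 if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
@@ -1452,6 +1453,18 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 ssh_remote_port(ssh));
 ret = SSH_ERR_SIGNATURE_INVALID;
 }
+req_verify = (options.pubkey_auth_options &
+PUBKEYAUTH_VERIFY_REQUIRED) || key_opts->require_verify;
+if (req_verify &&
+(sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0) {
+error("public key %s %s signature for %s%s from %.128s "
+"port %d rejected: user verification requirement "
+"not met ", sshkey_type(key), fp,
+authctxt->valid ? "" : "invalid user ",
+authctxt->user, ssh_remote_ipaddr(ssh),
+ssh_remote_port(ssh));
+ret = SSH_ERR_SIGNATURE_INVALID;
+}
 }
 auth2_record_key(authctxt, ret == 0, key);
 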
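Review bot: The new `if (req_verify && (sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0)` check dereferences `sig_details` and `key_opts` with no guard inside the hunk, so its safety and meaning rest on the enclosing block, whose condition and opening brace are outside this hunk; it is worth stating that dependency next to the check, e.g. `/* NOTE: sk_flags is presumably populated from the verified signature; confirm the enclosing condition requires ret == 0 and sig_details != NULL */`. Because the rejection only inspects a flag the signature carries, the check is only as strong as the signature verification that precedes it, which is why the ordering matters for anyone later reshuffling this block. As a style point, the `error()` format string ends in `"not met "` with a trailing space before the closing quote, apparently carried over from the presence message just above; `"not met"` reads cleaner in logs. mm_answer_keyverify starts and ends outside the hunk.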