Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 21 |
1 files changed, 17 insertions, 4 deletions
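--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.210 2020/03/13 03:17:07 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.214 2020/08/27 01:07:09 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -698,7 +698,7 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
 
 if ((key = get_hostkey_by_index(keyid)) != NULL) {
 if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
-options.sk_provider, compat)) != 0)
+options.sk_provider, NULL, compat)) != 0)
 fatal("%s: sshkey_sign failed: %s",
 __func__, ssh_err(r));
 } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
@@ -1433,7 +1433,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 const u_char *signature, *data, *blob;
 char *sigalg = NULL, *fp = NULL;
 size_t signaturelen, datalen, bloblen;
-int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
+int encoded_ret;
 struct sshkey_sig_details *sig_details = NULL;
 
 if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
@@ -1498,6 +1499,18 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 ssh_remote_port(ssh));
 ret = SSH_ERR_SIGNATURE_INVALID;
 }
+req_verify = (options.pubkey_auth_options &
+PUBKEYAUTH_VERIFY_REQUIRED) || key_opts->require_verify;
+if (req_verify &&
+(sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0) {
+error("public key %s %s signature for %s%s from %.128s "
+"port %d rejected: user verification requirement "
+"not met ", sshkey_type(key), fp,
+authctxt->valid ? "" : "invalid user ",
+authctxt->user, ssh_remote_ipaddr(ssh),
+ssh_remote_port(ssh));
+ret = SSH_ERR_SIGNATURE_INVALID;
+}
 }
 auth2_record_key(authctxt, ret == 0, key);
 
@@ -1614,7 +1627,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
 if (fd0 != 0)
 error("%s: fd0 %d != 0", __func__, fd0);
 
-/* slave is not needed */
+/* slave side of pty is not needed */
 close(s->ttyfd);
 s->ttyfd = s->ptyfd;
 /* no need to dup() because nobody closes ptyfd */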
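Review bot: The new rejection message in mm_answer_keyverify (new line 1508) carries a stray trailing space inside the literal, `"not met "`, so the logged line ends in "requirement not met  " with a double space before nothing; it should read `"not met", sshkey_type(key), fp,` to match the neighbouring user-presence message. The added check also dereferences `sig_details->sk_flags` unconditionally; the closing brace right after it suggests this sits inside an enclosing block that presumably guards on `ret == 0 && sig_details != NULL`, but that guard is outside the hunk and should be confirmed, since a non-FIDO key leaves sig_details NULL at its declaration (new line 1438). A short comment on the new block, such as `/* enforce verify-required from sshd_config or the key's authorized_keys options */`, would make the policy source clear to the next reader. mm_answer_keyverify begins and ends outside this hunk.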