author | Ed Maste <emaste@FreeBSD.org> | 2021-02-14 21:09:58 +0000 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2021-02-14 21:09:58 +0000 |
commit | 3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7 (patch) | |
tree | 755d79f61bc5fe47efc42cd39ac819b2a5cd9390 /monitor.c | |
parent | db903103f46785ea0bba0f228691e1f8fb3a643d (diff) | |
download | src-3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7.tar.gz src-3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7.zip |
Vendor import of OpenSSH 8.4p1vendor/openssh/8.4p1
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/monitor.c b/monitor.c
index b6e855d5d999..4cf79dfc98cd 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.210 2020/03/13 03:17:07 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.214 2020/08/27 01:07:09 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -679,7 +679,7 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
 	if ((key = get_hostkey_by_index(keyid)) != NULL) {
 		if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
-		    options.sk_provider, compat)) != 0)
+		    options.sk_provider, NULL, compat)) != 0)
 			fatal("%s: sshkey_sign failed: %s",
 			    __func__, ssh_err(r));
 	} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
@@ -1387,7 +1387,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 	const u_char *signature, *data, *blob;
 	char *sigalg = NULL, *fp = NULL;
 	size_t signaturelen, datalen, bloblen;
-	int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+	int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
+	int encoded_ret;
 	struct sshkey_sig_details *sig_details = NULL;
 
 	if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
@@ -1452,6 +1453,18 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 		    ssh_remote_port(ssh));
 		ret = SSH_ERR_SIGNATURE_INVALID;
 	}
+	req_verify = (options.pubkey_auth_options &
+	    PUBKEYAUTH_VERIFY_REQUIRED) || key_opts->require_verify;
+	if (req_verify &&
+	    (sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0) {
+		error("public key %s %s signature for %s%s from %.128s "
+		    "port %d rejected: user verification requirement "
+		    "not met ", sshkey_type(key), fp,
+		    authctxt->valid ? "" : "invalid user ",
+		    authctxt->user, ssh_remote_ipaddr(ssh),
+		    ssh_remote_port(ssh));
+		ret = SSH_ERR_SIGNATURE_INVALID;
+	}
 	}
 
 	auth2_record_key(authctxt, ret == 0, key);
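Review bot: The format string of the new error() call in the -1452 hunk ends with a stray trailing space, `"not met ", sshkey_type(key), fp,`, so every rejection logged for a verify-required key carries a trailing blank at the end of the line; drop it: `"not met", sshkey_type(key), fp,`. The new block also dereferences `sig_details->sk_flags` and `key_opts->require_verify` with no local NULL check, which is presumably safe only because the enclosing `if` that this hunk's context `}` closes has already tested them; that guard sits above the hunk, so a short comment such as `/* sig_details and key_opts are non-NULL here: checked by the enclosing if */` would make the dependency visible to the next reader. The policy being enforced deserves a one-line comment as well, e.g. `/* verify-required (per-key option or PubkeyAuthOptions): reject SK signatures whose flags lack user verification */`, mirroring whatever the preceding req_presence check carries. mm_answer_keyverify starts and ends outside the hunk.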
@@ -1568,7 +1581,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
 	if (fd0 != 0)
 		error("%s: fd0 %d != 0", __func__, fd0);
 
-	/* slave is not needed */
+	/* slave side of pty is not needed */
 	close(s->ttyfd);
 	s->ttyfd = s->ptyfd;
 	/* no need to dup() because nobody closes ptyfd */ |