File openssh-New-option-parsing-functions.patch of Package openssh-testuser.26950

Overview Repositories Revisions Requests Users Attributes Meta

File openssh-New-option-parsing-functions.patch of Package openssh-testuser.26950

From fb066a1ae8f96891086d574bdfb59b248b63fae8 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Fri, 11 Nov 2022 08:14:19 +0100
Subject: [PATCH] New option parsing functions

sshsig depends on new opttion parsing API. Upstream the old API is
removed and whole openssh is switched to the new API but ssuch rewrites
do not work right away and require numerous fixups. Only add the new API
in parallel to the old here.

Patch-mainline: V_7_8_P1
Git-commit: 7082bb58a2eb878d23ec674587c742e5e9673c36 (partial - only add strdelimw)
OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be

upstream: add a SetEnv directive to ssh_config that allows setting

environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

Patch-mainline: V_7_7_P1
Git-commit: 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b
OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2

upstream: Introduce a new API for handling authorized_keys options.

This API parses options to a dedicated structure rather than the old API's
approach of setting global state. It also includes support for merging
options, e.g. from authorized_keys, authorized_principals and/or
certificates.

feedback and ok markus@

Differences in 7.2
- upstream the old API is removed and existing code overhauled to use
  this API, here only backported new feature uses the new API, and the
  old API remains

Patch-mainline: V_7_7_P1
Git-commit: 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (partial - only add skip_space and skip_past_options)
OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df

upstream: switch over to the new authorized_keys options API and

Patch-mainline: V_8_1_P1
Git-commit: c72d78ccbe642e08591a626e5de18381489716e0
OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae

upstream: move skip_space() to misc.c and make it public; ok
markus@

Patch-mainline: V_8_1_P1
Git-commit: dd8002fbe63d903ffea5be7b7f5fc2714acab4a0
OpenBSD-Commit-ID: edda2fbba2c5b1f48e60f857a2010479e80c5f3c

upstream: move advance_past_options to authfile.c and make it
public; ok markus@

Patch-mainline: V_8_1_P1
Git-commit: 5485f8d50a5bc46aeed829075ebf5d9c617027ea
OpenBSD-Commit-ID: c18bcb2a687227b3478377c981c2d56af2638ea2

upstream: move authorized_keys option parsing helpsers to misc.c
and make them public; ok markus@
---
 auth-options.c | 758 +++++++++++++++++++++++++++++++++++++++++++++++++
 auth-options.h |  68 +++++
 auth2-pubkey.c |   1 +
 authfile.c     |  22 ++
 authfile.h     |   1 +
 misc.c         | 112 +++++++-
 misc.h         |   7 +
 7 files changed, 964 insertions(+), 5 deletions(-)

diff --git a/auth-options.c b/auth-options.c
index edbaf80b..e8e97dbe 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -9,6 +9,21 @@
  * incompatible with the protocol description in the RFC file, it must be
  * called by a name other than "ssh" or "Secure Shell".
  */
+/*
+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
 
 #include "includes.h"
 
@@ -19,6 +34,8 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdarg.h>
+#include <ctype.h>
+#include <limits.h>
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -27,6 +44,7 @@
 #include "xmalloc.h"
 #include "match.h"
 #include "ssherr.h"
+#include "ssh2.h"
 #include "log.h"
 #include "canohost.h"
 #include "sshbuf.h"
@@ -637,3 +655,743 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
 	return 0;
 }
 
+/*
+ * authorized_keys options processing.
+ */
+
+static int
+dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc)
+{
+	char **dst;
+	size_t i, j;
+
+	*dstp = NULL;
+	*ndstp = 0;
+	if (nsrc == 0)
+		return 0;
+
+	if ((dst = calloc(nsrc, sizeof(*src))) == NULL)
+		return -1;
+	for (i = 0; i < nsrc; i++) {
+		if ((dst[i] = strdup(src[i])) == NULL) {
+			for (j = 0; j < i; j++)
+				free(dst[j]);
+			free(dst);
+			return -1;
+		}
+	}
+	/* success */
+	*dstp = dst;
+	*ndstp = nsrc;
+	return 0;
+}
+
+#define OPTIONS_CRITICAL	1
+#define OPTIONS_EXTENSIONS	2
+static int
+cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
+    u_int which, int crit)
+{
+	char *command, *allowed;
+	char *name = NULL;
+	struct sshbuf *c = NULL, *data = NULL;
+	int r, ret = -1, found;
+
+	if ((c = sshbuf_fromb(oblob)) == NULL) {
+		error("%s: sshbuf_fromb failed", __func__);
+		goto out;
+	}
+
+	while (sshbuf_len(c) > 0) {
+		sshbuf_free(data);
+		data = NULL;
+		if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
+		    (r = sshbuf_froms(c, &data)) != 0) {
+			error("Unable to parse certificate options: %s",
+			    ssh_err(r));
+			goto out;
+		}
+		debug3("found certificate option \"%.100s\" len %zu",
+		    name, sshbuf_len(data));
+		found = 0;
+		if ((which & OPTIONS_EXTENSIONS) != 0) {
+			if (strcmp(name, "permit-X11-forwarding") == 0) {
+				opts->permit_x11_forwarding_flag = 1;
+				found = 1;
+			} else if (strcmp(name,
+			    "permit-agent-forwarding") == 0) {
+				opts->permit_agent_forwarding_flag = 1;
+				found = 1;
+			} else if (strcmp(name,
+			    "permit-port-forwarding") == 0) {
+				opts->permit_port_forwarding_flag = 1;
+				found = 1;
+			} else if (strcmp(name, "permit-pty") == 0) {
+				opts->permit_pty_flag = 1;
+				found = 1;
+			} else if (strcmp(name, "permit-user-rc") == 0) {
+				opts->permit_user_rc = 1;
+				found = 1;
+			}
+		}
+		if (!found && (which & OPTIONS_CRITICAL) != 0) {
+			if (strcmp(name, "force-command") == 0) {
+				if ((r = sshbuf_get_cstring(data, &command,
+				    NULL)) != 0) {
+					error("Unable to parse \"%s\" "
+					    "section: %s", name, ssh_err(r));
+					goto out;
+				}
+				if (opts->force_command != NULL) {
+					error("Certificate has multiple "
+					    "force-command options");
+					free(command);
+					goto out;
+				}
+				opts->force_command = command;
+				found = 1;
+			}
+			if (strcmp(name, "source-address") == 0) {
+				if ((r = sshbuf_get_cstring(data, &allowed,
+				    NULL)) != 0) {
+					error("Unable to parse \"%s\" "
+					    "section: %s", name, ssh_err(r));
+					goto out;
+				}
+				if (opts->required_from_host_cert != NULL) {
+					error("Certificate has multiple "
+					    "source-address options");
+					free(allowed);
+					goto out;
+				}
+				/* Check syntax */
+				if (addr_match_cidr_list(NULL, allowed) == -1) {
+					error("Certificate source-address "
+					    "contents invalid");
+					goto out;
+				}
+				opts->required_from_host_cert = allowed;
+				found = 1;
+			}
+		}
+
+		if (!found) {
+			if (crit) {
+				error("Certificate critical option \"%s\" "
+				    "is not supported", name);
+				goto out;
+			} else {
+				logit("Certificate extension \"%s\" "
+				    "is not supported", name);
+			}
+		} else if (sshbuf_len(data) != 0) {
+			error("Certificate option \"%s\" corrupt "
+			    "(extra data)", name);
+			goto out;
+		}
+		free(name);
+		name = NULL;
+	}
+	/* successfully parsed all options */
+	ret = 0;
+
+ out:
+	free(name);
+	sshbuf_free(data);
+	sshbuf_free(c);
+	return ret;
+}
+
+struct sshauthopt *
+sshauthopt_new(void)
+{
+	struct sshauthopt *ret;
+
+	if ((ret = calloc(1, sizeof(*ret))) == NULL)
+		return NULL;
+	ret->force_tun_device = -1;
+	return ret;
+}
+
+void
+sshauthopt_free(struct sshauthopt *opts)
+{
+	size_t i;
+
+	if (opts == NULL)
+		return;
+
+	free(opts->cert_principals);
+	free(opts->force_command);
+	free(opts->required_from_host_cert);
+	free(opts->required_from_host_keys);
+
+	for (i = 0; i < opts->nenv; i++)
+		free(opts->env[i]);
+	free(opts->env);
+
+	for (i = 0; i < opts->npermitopen; i++)
+		free(opts->permitopen[i]);
+	free(opts->permitopen);
+
+	explicit_bzero(opts, sizeof(*opts));
+	free(opts);
+}
+
+struct sshauthopt *
+sshauthopt_new_with_keys_defaults(void)
+{
+	struct sshauthopt *ret = NULL;
+
+	if ((ret = sshauthopt_new()) == NULL)
+		return NULL;
+
+	/* Defaults for authorized_keys flags */
+	ret->permit_port_forwarding_flag = 1;
+	ret->permit_agent_forwarding_flag = 1;
+	ret->permit_x11_forwarding_flag = 1;
+	ret->permit_pty_flag = 1;
+	ret->permit_user_rc = 1;
+	return ret;
+}
+
+struct sshauthopt *
+sshauthopt_parse(const char *opts, const char **errstrp)
+{
+	char **oarray, *opt, *cp, *tmp, *host;
+	int r;
+	struct sshauthopt *ret = NULL;
+	const char *errstr = "unknown error";
+
+	if (errstrp != NULL)
+		*errstrp = NULL;
+	if ((ret = sshauthopt_new_with_keys_defaults()) == NULL)
+		goto alloc_fail;
+
+	if (opts == NULL)
+		return ret;
+
+	while (*opts && *opts != ' ' && *opts != '\t') {
+		/* flag options */
+		if ((r = opt_flag("restrict", 0, &opts)) != -1) {
+			ret->restricted = 1;
+			ret->permit_port_forwarding_flag = 0;
+			ret->permit_agent_forwarding_flag = 0;
+			ret->permit_x11_forwarding_flag = 0;
+			ret->permit_pty_flag = 0;
+			ret->permit_user_rc = 0;
+		} else if ((r = opt_flag("cert-authority", 0, &opts)) != -1) {
+			ret->cert_authority = r;
+		} else if ((r = opt_flag("port-forwarding", 1, &opts)) != -1) {
+			ret->permit_port_forwarding_flag = r == 1;
+		} else if ((r = opt_flag("agent-forwarding", 1, &opts)) != -1) {
+			ret->permit_agent_forwarding_flag = r == 1;
+		} else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
+			ret->permit_x11_forwarding_flag = r == 1;
+		} else if ((r = opt_flag("pty", 1, &opts)) != -1) {
+			ret->permit_pty_flag = r == 1;
+		} else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
+			ret->permit_user_rc = r == 1;
+		} else if (opt_match(&opts, "command")) {
+			if (ret->force_command != NULL) {
+				errstr = "multiple \"command\" clauses";
+				goto fail;
+			}
+			ret->force_command = opt_dequote(&opts, &errstr);
+			if (ret->force_command == NULL)
+				goto fail;
+		} else if (opt_match(&opts, "principals")) {
+			if (ret->cert_principals != NULL) {
+				errstr = "multiple \"principals\" clauses";
+				goto fail;
+			}
+			ret->cert_principals = opt_dequote(&opts, &errstr);
+			if (ret->cert_principals == NULL)
+				goto fail;
+		} else if (opt_match(&opts, "from")) {
+			if (ret->required_from_host_keys != NULL) {
+				errstr = "multiple \"from\" clauses";
+				goto fail;
+			}
+			ret->required_from_host_keys = opt_dequote(&opts,
+			    &errstr);
+			if (ret->required_from_host_keys == NULL)
+				goto fail;
+		} else if (opt_match(&opts, "environment")) {
+			if (ret->nenv > INT_MAX) {
+				errstr = "too many environment strings";
+				goto fail;
+			}
+			if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+				goto fail;
+			/* env name must be alphanumeric and followed by '=' */
+			if ((tmp = strchr(opt, '=')) == NULL) {
+				free(opt);
+				errstr = "invalid environment string";
+				goto fail;
+			}
+			for (cp = opt; cp < tmp; cp++) {
+				if (!isalnum((u_char)*cp)) {
+					free(opt);
+					errstr = "invalid environment string";
+					goto fail;
+				}
+			}
+			/* Append it. */
+			oarray = ret->env;
+			if ((ret->env = recallocarray(ret->env, ret->nenv,
+			    ret->nenv + 1, sizeof(*ret->env))) == NULL) {
+				free(opt);
+				ret->env = oarray; /* put it back for cleanup */
+				goto alloc_fail;
+			}
+			ret->env[ret->nenv++] = opt;
+		} else if (opt_match(&opts, "permitopen")) {
+			if (ret->npermitopen > INT_MAX) {
+				errstr = "too many permitopens";
+				goto fail;
+			}
+			if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+				goto fail;
+			if ((tmp = strdup(opt)) == NULL) {
+				free(opt);
+				goto alloc_fail;
+			}
+			cp = tmp;
+			/* validate syntax of permitopen before recording it. */
+			host = hpdelim(&cp);
+			if (host == NULL || strlen(host) >= NI_MAXHOST) {
+				free(tmp);
+				free(opt);
+				errstr = "invalid permitopen hostname";
+				goto fail;
+			}
+			/*
+			 * don't want to use permitopen_port to avoid
+			 * dependency on channels.[ch] here.
+			 */
+			if (cp == NULL ||
+			    (strcmp(cp, "*") != 0 && a2port(cp) <= 0)) {
+				free(tmp);
+				free(opt);
+				errstr = "invalid permitopen port";
+				goto fail;
+			}
+			/* XXX - add streamlocal support */
+			free(tmp);
+			/* Record it */
+			oarray = ret->permitopen;
+			if ((ret->permitopen = recallocarray(ret->permitopen,
+			    ret->npermitopen, ret->npermitopen + 1,
+			    sizeof(*ret->permitopen))) == NULL) {
+				free(opt);
+				ret->permitopen = oarray;
+				goto alloc_fail;
+			}
+			ret->permitopen[ret->npermitopen++] = opt;
+		} else if (opt_match(&opts, "tunnel")) {
+			if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+				goto fail;
+			ret->force_tun_device = a2tun(opt, NULL);
+			free(opt);
+			if (ret->force_tun_device == SSH_TUNID_ERR) {
+				errstr = "invalid tun device";
+				goto fail;
+			}
+		}
+		/*
+		 * Skip the comma, and move to the next option
+		 * (or break out if there are no more).
+		 */
+		if (*opts == '\0' || *opts == ' ' || *opts == '\t')
+			break;		/* End of options. */
+		/* Anything other than a comma is an unknown option */
+		if (*opts != ',') {
+			errstr = "unknown key option";
+			goto fail;
+		}
+		opts++;
+		if (*opts == '\0') {
+			errstr = "unexpected end-of-options";
+			goto fail;
+		}
+	}
+
+	/* success */
+	if (errstrp != NULL)
+		*errstrp = NULL;
+	return ret;
+
+alloc_fail:
+	errstr = "memory allocation failed";
+fail:
+	sshauthopt_free(ret);
+	if (errstrp != NULL)
+		*errstrp = errstr;
+	return NULL;
+}
+
+struct sshauthopt *
+sshauthopt_from_cert(struct sshkey *k)
+{
+	struct sshauthopt *ret;
+
+	if (k == NULL || !sshkey_type_is_cert(k->type) || k->cert == NULL ||
+	    k->cert->type != SSH2_CERT_TYPE_USER)
+		return NULL;
+
+	if ((ret = sshauthopt_new()) == NULL)
+		return NULL;
+
+	/* Handle options and critical extensions separately */
+	if (cert_option_list(ret, k->cert->critical,
+	    OPTIONS_CRITICAL, 1) == -1) {
+		sshauthopt_free(ret);
+		return NULL;
+	}
+	if (cert_option_list(ret, k->cert->extensions,
+	    OPTIONS_EXTENSIONS, 0) == -1) {
+		sshauthopt_free(ret);
+		return NULL;
+	}
+	/* success */
+	return ret;
+}
+
+/*
+ * Merges "additional" options to "primary" and returns the result.
+ * NB. Some options from primary have primacy.
+ */
+struct sshauthopt *
+sshauthopt_merge(const struct sshauthopt *primary,
+    const struct sshauthopt *additional, const char **errstrp)
+{
+	struct sshauthopt *ret;
+	const char *errstr = "internal error";
+	const char *tmp;
+
+	if (errstrp != NULL)
+		*errstrp = NULL;
+
+	if ((ret = sshauthopt_new()) == NULL)
+		goto alloc_fail;
+
+	/* cert_authority and cert_principals are cleared in result */
+
+	/* Prefer access lists from primary. */
+	/* XXX err is both set and mismatch? */
+	tmp = primary->required_from_host_cert;
+	if (tmp == NULL)
+		tmp = additional->required_from_host_cert;
+	if (tmp != NULL && (ret->required_from_host_cert = strdup(tmp)) == NULL)
+		goto alloc_fail;
+	tmp = primary->required_from_host_keys;
+	if (tmp == NULL)
+		tmp = additional->required_from_host_keys;
+	if (tmp != NULL && (ret->required_from_host_keys = strdup(tmp)) == NULL)
+		goto alloc_fail;
+
+	/* force_tun_device, permitopen and environment prefer the primary. */
+	ret->force_tun_device = primary->force_tun_device;
+	if (ret->force_tun_device == -1)
+		ret->force_tun_device = additional->force_tun_device;
+	if (primary->nenv > 0) {
+		if (dup_strings(&ret->env, &ret->nenv,
+		    primary->env, primary->nenv) != 0)
+			goto alloc_fail;
+	} else if (additional->nenv) {
+		if (dup_strings(&ret->env, &ret->nenv,
+		    additional->env, additional->nenv) != 0)
+			goto alloc_fail;
+	}
+	if (primary->npermitopen > 0) {
+		if (dup_strings(&ret->permitopen, &ret->npermitopen,
+		    primary->permitopen, primary->npermitopen) != 0)
+			goto alloc_fail;
+	} else if (additional->npermitopen > 0) {
+		if (dup_strings(&ret->permitopen, &ret->npermitopen,
+		    additional->permitopen, additional->npermitopen) != 0)
+			goto alloc_fail;
+	}
+
+	/* Flags are logical-AND (i.e. must be set in both for permission) */
+#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
+	OPTFLAG(permit_port_forwarding_flag);
+	OPTFLAG(permit_agent_forwarding_flag);
+	OPTFLAG(permit_x11_forwarding_flag);
+	OPTFLAG(permit_pty_flag);
+	OPTFLAG(permit_user_rc);
+#undef OPTFLAG
+
+	/*
+	 * When both multiple forced-command are specified, only
+	 * proceed if they are identical, otherwise fail.
+	 */
+	if (primary->force_command != NULL &&
+	    additional->force_command != NULL) {
+		if (strcmp(primary->force_command,
+		    additional->force_command) == 0) {
+			/* ok */
+			ret->force_command = strdup(primary->force_command);
+			if (ret->force_command == NULL)
+				goto alloc_fail;
+		} else {
+			errstr = "forced command options do not match";
+			goto fail;
+		}
+	} else if (primary->force_command != NULL) {
+		if ((ret->force_command = strdup(
+		    primary->force_command)) == NULL)
+			goto alloc_fail;
+	} else if (additional->force_command != NULL) {
+		if ((ret->force_command = strdup(
+		    additional->force_command)) == NULL)
+			goto alloc_fail;
+	}
+	/* success */
+	if (errstrp != NULL)
+		*errstrp = NULL;
+	return ret;
+
+ alloc_fail:
+	errstr = "memory allocation failed";
+ fail:
+	if (errstrp != NULL)
+		*errstrp = errstr;
+	sshauthopt_free(ret);
+	return NULL;
+}
+
+/*
+ * Copy options
+ */
+struct sshauthopt *
+sshauthopt_copy(const struct sshauthopt *orig)
+{
+	struct sshauthopt *ret;
+
+	if ((ret = sshauthopt_new()) == NULL)
+		return NULL;
+
+#define OPTSCALAR(x) ret->x = orig->x
+	OPTSCALAR(permit_port_forwarding_flag);
+	OPTSCALAR(permit_agent_forwarding_flag);
+	OPTSCALAR(permit_x11_forwarding_flag);
+	OPTSCALAR(permit_pty_flag);
+	OPTSCALAR(permit_user_rc);
+	OPTSCALAR(restricted);
+	OPTSCALAR(cert_authority);
+	OPTSCALAR(force_tun_device);
+#undef OPTSCALAR
+#define OPTSTRING(x) \
+	do { \
+		if (orig->x != NULL && (ret->x = strdup(orig->x)) == NULL) { \
+			sshauthopt_free(ret); \
+			return NULL; \
+		} \
+	} while (0)
+	OPTSTRING(cert_principals);
+	OPTSTRING(force_command);
+	OPTSTRING(required_from_host_cert);
+	OPTSTRING(required_from_host_keys);
+#undef OPTSTRING
+
+	if (dup_strings(&ret->env, &ret->nenv, orig->env, orig->nenv) != 0 ||
+	    dup_strings(&ret->permitopen, &ret->npermitopen,
+	    orig->permitopen, orig->npermitopen) != 0) {
+		sshauthopt_free(ret);
+		return NULL;
+	}
+	return ret;
+}
+
+static int
+serialise_array(struct sshbuf *m, char **a, size_t n)
+{
+	struct sshbuf *b;
+	size_t i;
+	int r;
+
+	if (n > INT_MAX)
+		return SSH_ERR_INTERNAL_ERROR;
+
+	if ((b = sshbuf_new()) == NULL) {
+		return SSH_ERR_ALLOC_FAIL;
+	}
+	for (i = 0; i < n; i++) {
+		if ((r = sshbuf_put_cstring(b, a[i])) != 0) {
+			sshbuf_free(b);
+			return r;
+		}
+	}
+	if ((r = sshbuf_put_u32(m, n)) != 0 ||
+	    (r = sshbuf_put_stringb(m, b)) != 0) {
+		sshbuf_free(b);
+		return r;
+	}
+	/* success */
+	return 0;
+}
+
+static int
+deserialise_array(struct sshbuf *m, char ***ap, size_t *np)
+{
+	char **a = NULL;
+	size_t i, n = 0;
+	struct sshbuf *b = NULL;
+	u_int tmp;
+	int r = SSH_ERR_INTERNAL_ERROR;
+
+	if ((r = sshbuf_get_u32(m, &tmp)) != 0 ||
+	    (r = sshbuf_froms(m, &b)) != 0)
+		goto out;
+	if (tmp > INT_MAX) {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+	n = tmp;
+	if (n > 0 && (a = calloc(n, sizeof(*a))) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+	for (i = 0; i < n; i++) {
+		if ((r = sshbuf_get_cstring(b, &a[i], NULL)) != 0)
+			goto out;
+	}
+	/* success */
+	r = 0;
+	*ap = a;
+	a = NULL;
+	*np = n;
+	n = 0;
+ out:
+	for (i = 0; i < n; i++)
+		free(a[i]);
+	free(a);
+	sshbuf_free(b);
+	return r;
+}
+
+static int
+serialise_nullable_string(struct sshbuf *m, const char *s)
+{
+	int r;
+
+	if ((r = sshbuf_put_u8(m, s == NULL)) != 0 ||
+	    (r = sshbuf_put_cstring(m, s)) != 0)
+		return r;
+	return 0;
+}
+
+static int
+deserialise_nullable_string(struct sshbuf *m, char **sp)
+{
+	int r;
+	u_char flag;
+
+	*sp = NULL;
+	if ((r = sshbuf_get_u8(m, &flag)) != 0 ||
+	    (r = sshbuf_get_cstring(m, flag ? NULL : sp, NULL)) != 0)
+		return r;
+	return 0;
+}
+
+int
+sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
+    int untrusted)
+{
+	int r = SSH_ERR_INTERNAL_ERROR;
+
+	/* Flag options */
+	if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
+	    (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
+	    (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
+	    (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 ||
+	    (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
+	    (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
+	    (r = sshbuf_put_u8(m, opts->cert_authority)) != 0)
+		return r;
+
+	/* tunnel number can be negative to indicate "unset" */
+	if ((r = sshbuf_put_u8(m, opts->force_tun_device == -1)) != 0 ||
+	    (r = sshbuf_put_u32(m, (opts->force_tun_device < 0) ?
+	    0 : (u_int)opts->force_tun_device)) != 0)
+		return r;
+
+	/* String options; these may be NULL */
+	if ((r = serialise_nullable_string(m,
+	    untrusted ? "yes" : opts->cert_principals)) != 0 ||
+	    (r = serialise_nullable_string(m,
+	    untrusted ? "true" : opts->force_command)) != 0 ||
+	    (r = serialise_nullable_string(m,
+	    untrusted ? NULL : opts->required_from_host_cert)) != 0 ||
+	    (r = serialise_nullable_string(m,
+	     untrusted ? NULL : opts->required_from_host_keys)) != 0)
+		return r;
+
+	/* Array options */
+	if ((r = serialise_array(m, opts->env,
+	    untrusted ? 0 : opts->nenv)) != 0 ||
+	    (r = serialise_array(m, opts->permitopen,
+	    untrusted ? 0 : opts->npermitopen)) != 0)
+		return r;
+
+	/* success */
+	return 0;
+}
+
+int
+sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
+{
+	struct sshauthopt *opts = NULL;
+	int r = SSH_ERR_INTERNAL_ERROR;
+	u_char f;
+	u_int tmp;
+
+	if ((opts = calloc(1, sizeof(*opts))) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+
+#define OPT_FLAG(x) \
+	do { \
+		if ((r = sshbuf_get_u8(m, &f)) != 0) \
+			goto out; \
+		opts->x = f; \
+	} while (0)
+	OPT_FLAG(permit_port_forwarding_flag);
+	OPT_FLAG(permit_agent_forwarding_flag);
+	OPT_FLAG(permit_x11_forwarding_flag);
+	OPT_FLAG(permit_pty_flag);
+	OPT_FLAG(permit_user_rc);
+	OPT_FLAG(restricted);
+	OPT_FLAG(cert_authority);
+#undef OPT_FLAG
+
+	/* tunnel number can be negative to indicate "unset" */
+	if ((r = sshbuf_get_u8(m, &f)) != 0 ||
+	    (r = sshbuf_get_u32(m, &tmp)) != 0)
+		goto out;
+	opts->force_tun_device = f ? -1 : (int)tmp;
+
+	/* String options may be NULL */
+	if ((r = deserialise_nullable_string(m, &opts->cert_principals)) != 0 ||
+	    (r = deserialise_nullable_string(m, &opts->force_command)) != 0 ||
+	    (r = deserialise_nullable_string(m,
+	    &opts->required_from_host_cert)) != 0 ||
+	    (r = deserialise_nullable_string(m,
+	    &opts->required_from_host_keys)) != 0)
+		goto out;
+
+	/* Array options */
+	if ((r = deserialise_array(m, &opts->env, &opts->nenv)) != 0 ||
+	    (r = deserialise_array(m,
+	    &opts->permitopen, &opts->npermitopen)) != 0)
+		goto out;
+
+	/* success */
+	r = 0;
+	*optsp = opts;
+	opts = NULL;
+ out:
+	sshauthopt_free(opts);
+	return r;
+}
diff --git a/auth-options.h b/auth-options.h
index 34852e5c..769890e0 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -15,6 +15,9 @@
 #ifndef AUTH_OPTIONS_H
 #define AUTH_OPTIONS_H
 
+struct passwd;
+struct sshkey;
+
 /* Linked list of custom environment strings */
 struct envstring {
 	struct envstring *next;
@@ -37,4 +40,69 @@ int	auth_parse_options(struct passwd *, char *, char *, u_long);
 void	auth_clear_options(void);
 int	auth_cert_options(struct sshkey *, struct passwd *);
 
+/* authorized_keys options handling */
+
+/*
+ * sshauthopt represents key options parsed from authorized_keys or
+ * from certificate extensions/options.
+ */
+struct sshauthopt {
+	/* Feature flags */
+	int permit_port_forwarding_flag;
+	int permit_agent_forwarding_flag;
+	int permit_x11_forwarding_flag;
+	int permit_pty_flag;
+	int permit_user_rc;
+
+	/* "restrict" keyword was invoked */
+	int restricted;
+
+	/* Certificate-related options */
+	int cert_authority;
+	char *cert_principals;
+
+	int force_tun_device;
+	char *force_command;
+
+	/* Custom environment */
+	size_t nenv;
+	char **env;
+
+	/* Permitted port forwardings */
+	size_t npermitopen;
+	char **permitopen;
+
+	/*
+	 * Permitted host/addresses (comma-separated)
+	 * Caller must check source address matches both lists (if present).
+	 */
+	char *required_from_host_cert;
+	char *required_from_host_keys;
+};
+
+struct sshauthopt *sshauthopt_new(void);
+struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
+void sshauthopt_free(struct sshauthopt *opts);
+struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
+int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
+int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
+
+/*
+ * Parse authorized_keys options. Returns an options structure on success
+ * or NULL on failure. Will set errstr on failure.
+ */
+struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
+
+/*
+ * Parse certification options to a struct sshauthopt.
+ * Returns options on success or NULL on failure.
+ */
+struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
+
+/*
+ * Merge key options.
+ */
+struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
+    const struct sshauthopt *additional, const char **errstrp);
+
 #endif
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index be05b0ed..a6689343 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -744,6 +744,7 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
 	free(username);
 	return found_principal;
 }
+
 /*
  * Checks whether key is allowed in authorized_keys-format file,
  * returns 1 if the key is allowed or 0 otherwise.
diff --git a/authfile.c b/authfile.c
index d2f04290..c7f49d2b 100644
--- a/authfile.c
+++ b/authfile.c
@@ -583,3 +583,25 @@ sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file)
 	}
 }
 
+/*
+ * Advanced *cpp past the end of key options, defined as the first unquoted
+ * whitespace character. Returns 0 on success or -1 on failure (e.g.
+ * unterminated quotes).
+ */
+int
+sshkey_advance_past_options(char **cpp)
+{
+	char *cp = *cpp;
+	int quoted = 0;
+
+	for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+		if (*cp == '\\' && cp[1] == '"')
+			cp++;	/* Skip both */
+		else if (*cp == '"')
+			quoted = !quoted;
+	}
+	*cpp = cp;
+	/* return failure for unterminated quotes */
+	return (*cp == '\0' && quoted) ? -1 : 0;
+}
+
diff --git a/authfile.h b/authfile.h
index 624d269f..08b99612 100644
--- a/authfile.h
+++ b/authfile.h
@@ -48,5 +48,6 @@ int sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
 int sshkey_perm_ok(int, const char *);
 int sshkey_in_file(struct sshkey *, const char *, int, int);
 int sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file);
+int sshkey_advance_past_options(char **cpp);
 
 #endif
diff --git a/misc.c b/misc.c
index de7e1fac..907d09b1 100644
--- a/misc.c
+++ b/misc.c
@@ -162,8 +162,8 @@ set_nodelay(int fd)
 #define QUOTE	"\""
 
 /* return next token in configuration line */
-char *
-strdelim(char **s)
+static char *
+strdelim_internal(char **s, int split_equals)
 {
 	char *old;
 	int wspace = 0;
@@ -173,7 +173,8 @@ strdelim(char **s)
 
 	old = *s;
 
-	*s = strpbrk(*s, WHITESPACE QUOTE "=");
+	*s = strpbrk(*s,
+	    split_equals ? WHITESPACE QUOTE "=" : WHITESPACE QUOTE);
 	if (*s == NULL)
 		return (old);
 
@@ -190,18 +191,37 @@ strdelim(char **s)
 	}
 
 	/* Allow only one '=' to be skipped */
-	if (*s[0] == '=')
+	if (split_equals && *s[0] == '=')
 		wspace = 1;
 	*s[0] = '\0';
 
 	/* Skip any extra whitespace after first token */
 	*s += strspn(*s + 1, WHITESPACE) + 1;
-	if (*s[0] == '=' && !wspace)
+	if (split_equals && *s[0] == '=' && !wspace)
 		*s += strspn(*s + 1, WHITESPACE) + 1;
 
 	return (old);
 }
 
+/*
+ * Return next token in configuration line; splts on whitespace or a
+ * single '=' character.
+ */
+char *
+strdelim(char **s)
+{
+	return strdelim_internal(s, 1);
+}
+
+/*
+ * Return next token in configuration line; splts on whitespace only.
+ */
+char *
+strdelimw(char **s)
+{
+	return strdelim_internal(s, 0);
+}
+
 struct passwd *
 pwcopy(struct passwd *pw)
 {
@@ -1119,3 +1139,85 @@ sock_set_v6only(int s)
 		error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
 #endif
 }
+
+void
+skip_space(char **cpp)
+{
+	char *cp;
+
+	for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++)
+		;
+	*cpp = cp;
+}
+
+/* authorized_key-style options parsing helpers */
+
+/*
+ * Match flag 'opt' in *optsp, and if allow_negate is set then also match
+ * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
+ * if negated option matches.
+ * If the option or negated option matches, then *optsp is updated to
+ * point to the first character after the option.
+ */
+int
+opt_flag(const char *opt, int allow_negate, const char **optsp)
+{
+	size_t opt_len = strlen(opt);
+	const char *opts = *optsp;
+	int negate = 0;
+
+	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
+		opts += 3;
+		negate = 1;
+	}
+	if (strncasecmp(opts, opt, opt_len) == 0) {
+		*optsp = opts + opt_len;
+		return negate ? 0 : 1;
+	}
+	return -1;
+}
+
+char *
+opt_dequote(const char **sp, const char **errstrp)
+{
+	const char *s = *sp;
+	char *ret;
+	size_t i;
+
+	*errstrp = NULL;
+	if (*s != '"') {
+		*errstrp = "missing start quote";
+		return NULL;
+	}
+	s++;
+	if ((ret = malloc(strlen((s)) + 1)) == NULL) {
+		*errstrp = "memory allocation failed";
+		return NULL;
+	}
+	for (i = 0; *s != '\0' && *s != '"';) {
+		if (s[0] == '\\' && s[1] == '"')
+			s++;
+		ret[i++] = *s++;
+	}
+	if (*s == '\0') {
+		*errstrp = "missing end quote";
+		free(ret);
+		return NULL;
+	}
+	ret[i] = '\0';
+	s++;
+	*sp = s;
+	return ret;
+}
+
+int
+opt_match(const char **opts, const char *term)
+{
+	if (strncasecmp((*opts), term, strlen(term)) == 0 &&
+	    (*opts)[strlen(term)] == '=') {
+		*opts += strlen(term) + 1;
+		return 1;
+	}
+	return 0;
+}
+
diff --git a/misc.h b/misc.h
index 374c33ce..39960015 100644
--- a/misc.h
+++ b/misc.h
@@ -37,7 +37,9 @@ struct ForwardOptions {
 /* misc.c */
 
 char	*chop(char *);
+void	skip_space(char **);
 char	*strdelim(char **);
+char	*strdelimw(char **);
 int	 set_nonblock(int);
 int	 unset_nonblock(int);
 void	 set_nodelay(int);
@@ -124,6 +126,11 @@ int parse_ipqos(const char *);
 const char *iptos2str(int);
 void mktemp_proto(char *, size_t);
 
+/* authorized_key-style options parsing helpers */
+int	opt_flag(const char *opt, int allow_negate, const char **optsp);
+char	*opt_dequote(const char **sp, const char **errstrp);
+int	opt_match(const char **opts, const char *term);
+
 /* readpass.c */
 
 #define RP_ECHO			0x0001
-- 
2.38.0

Places

File openssh-New-option-parsing-functions.patch of Package openssh-testuser.26950

Places