Bug Summary

File:src/usr.bin/ssh/sshd/../auth-options.c
Warning:line 336, column 8
Although the value stored to 'r' is used in the enclosing expression, the value is never actually read from 'r'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name auth-options.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/sshd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/ssh/sshd/.. -D WITH_OPENSSL -D WITH_ZLIB -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/sshd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/ssh/sshd/../auth-options.c
1/* $OpenBSD: auth-options.c,v 1.97 2021/07/24 01:55:19 djm Exp $ */
2/*
3 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/queue.h>
20
21#include <stdlib.h>
22#include <netdb.h>
23#include <pwd.h>
24#include <string.h>
25#include <stdio.h>
26#include <stdarg.h>
27#include <ctype.h>
28#include <limits.h>
29
30#include "xmalloc.h"
31#include "ssherr.h"
32#include "log.h"
33#include "sshbuf.h"
34#include "misc.h"
35#include "sshkey.h"
36#include "match.h"
37#include "ssh2.h"
38#include "auth-options.h"
39
40static int
41dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc)
42{
43 char **dst;
44 size_t i, j;
45
46 *dstp = NULL((void *)0);
47 *ndstp = 0;
48 if (nsrc == 0)
49 return 0;
50
51 if ((dst = calloc(nsrc, sizeof(*src))) == NULL((void *)0))
52 return -1;
53 for (i = 0; i < nsrc; i++) {
54 if ((dst[i] = strdup(src[i])) == NULL((void *)0)) {
55 for (j = 0; j < i; j++)
56 free(dst[j]);
57 free(dst);
58 return -1;
59 }
60 }
61 /* success */
62 *dstp = dst;
63 *ndstp = nsrc;
64 return 0;
65}
66
67#define OPTIONS_CRITICAL1 1
68#define OPTIONS_EXTENSIONS2 2
69static int
70cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
71 u_int which, int crit)
72{
73 char *command, *allowed;
74 char *name = NULL((void *)0);
75 struct sshbuf *c = NULL((void *)0), *data = NULL((void *)0);
76 int r, ret = -1, found;
77
78 if ((c = sshbuf_fromb(oblob)) == NULL((void *)0)) {
79 error_f("sshbuf_fromb failed")sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 79, 1, SYSLOG_LEVEL_ERROR, ((void *)0), "sshbuf_fromb failed"
);
80 goto out;
81 }
82
83 while (sshbuf_len(c) > 0) {
84 sshbuf_free(data);
85 data = NULL((void *)0);
86 if ((r = sshbuf_get_cstring(c, &name, NULL((void *)0))) != 0 ||
87 (r = sshbuf_froms(c, &data)) != 0) {
88 error_r(r, "Unable to parse certificate options")sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 88, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to parse certificate options"
);
89 goto out;
90 }
91 debug3("found certificate option \"%.100s\" len %zu",sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 92, 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "found certificate option \"%.100s\" len %zu"
, name, sshbuf_len(data))
92 name, sshbuf_len(data))sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 92, 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "found certificate option \"%.100s\" len %zu"
, name, sshbuf_len(data));
93 found = 0;
94 if ((which & OPTIONS_EXTENSIONS2) != 0) {
95 if (strcmp(name, "no-touch-required") == 0) {
96 opts->no_require_user_presence = 1;
97 found = 1;
98 } else if (strcmp(name, "permit-X11-forwarding") == 0) {
99 opts->permit_x11_forwarding_flag = 1;
100 found = 1;
101 } else if (strcmp(name,
102 "permit-agent-forwarding") == 0) {
103 opts->permit_agent_forwarding_flag = 1;
104 found = 1;
105 } else if (strcmp(name,
106 "permit-port-forwarding") == 0) {
107 opts->permit_port_forwarding_flag = 1;
108 found = 1;
109 } else if (strcmp(name, "permit-pty") == 0) {
110 opts->permit_pty_flag = 1;
111 found = 1;
112 } else if (strcmp(name, "permit-user-rc") == 0) {
113 opts->permit_user_rc = 1;
114 found = 1;
115 }
116 }
117 if (!found && (which & OPTIONS_CRITICAL1) != 0) {
118 if (strcmp(name, "verify-required") == 0) {
119 opts->require_verify = 1;
120 found = 1;
121 } else if (strcmp(name, "force-command") == 0) {
122 if ((r = sshbuf_get_cstring(data, &command,
123 NULL((void *)0))) != 0) {
124 error_r(r, "Unable to parse \"%s\" "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 125, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to parse \"%s\" "
"section", name)
125 "section", name)sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 125, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to parse \"%s\" "
"section", name);
126 goto out;
127 }
128 if (opts->force_command != NULL((void *)0)) {
129 error("Certificate has multiple "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 130, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate has multiple "
"force-command options")
130 "force-command options")sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 130, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate has multiple "
"force-command options");
131 free(command);
132 goto out;
133 }
134 opts->force_command = command;
135 found = 1;
136 } else if (strcmp(name, "source-address") == 0) {
137 if ((r = sshbuf_get_cstring(data, &allowed,
138 NULL((void *)0))) != 0) {
139 error_r(r, "Unable to parse \"%s\" "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 140, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to parse \"%s\" "
"section", name)
140 "section", name)sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 140, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to parse \"%s\" "
"section", name);
141 goto out;
142 }
143 if (opts->required_from_host_cert != NULL((void *)0)) {
144 error("Certificate has multiple "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 145, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate has multiple "
"source-address options")
145 "source-address options")sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 145, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate has multiple "
"source-address options");
146 free(allowed);
147 goto out;
148 }
149 /* Check syntax */
150 if (addr_match_cidr_list(NULL((void *)0), allowed) == -1) {
151 error("Certificate source-address "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 152, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate source-address "
"contents invalid")
152 "contents invalid")sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 152, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate source-address "
"contents invalid");
153 goto out;
154 }
155 opts->required_from_host_cert = allowed;
156 found = 1;
157 }
158 }
159
160 if (!found) {
161 if (crit) {
162 error("Certificate critical option \"%s\" "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 163, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate critical option \"%s\" "
"is not supported", name)
163 "is not supported", name)sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 163, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate critical option \"%s\" "
"is not supported", name);
164 goto out;
165 } else {
166 logit("Certificate extension \"%s\" "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 167, 0, SYSLOG_LEVEL_INFO, ((void *)0), "Certificate extension \"%s\" "
"is not supported", name)
167 "is not supported", name)sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 167, 0, SYSLOG_LEVEL_INFO, ((void *)0), "Certificate extension \"%s\" "
"is not supported", name);
168 }
169 } else if (sshbuf_len(data) != 0) {
170 error("Certificate option \"%s\" corrupt "sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 171, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate option \"%s\" corrupt "
"(extra data)", name)
171 "(extra data)", name)sshlog("/usr/src/usr.bin/ssh/sshd/../auth-options.c", __func__
, 171, 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Certificate option \"%s\" corrupt "
"(extra data)", name);
172 goto out;
173 }
174 free(name);
175 name = NULL((void *)0);
176 }
177 /* successfully parsed all options */
178 ret = 0;
179
180 out:
181 free(name);
182 sshbuf_free(data);
183 sshbuf_free(c);
184 return ret;
185}
186
187struct sshauthopt *
188sshauthopt_new(void)
189{
190 struct sshauthopt *ret;
191
192 if ((ret = calloc(1, sizeof(*ret))) == NULL((void *)0))
193 return NULL((void *)0);
194 ret->force_tun_device = -1;
195 return ret;
196}
197
198void
199sshauthopt_free(struct sshauthopt *opts)
200{
201 size_t i;
202
203 if (opts == NULL((void *)0))
204 return;
205
206 free(opts->cert_principals);
207 free(opts->force_command);
208 free(opts->required_from_host_cert);
209 free(opts->required_from_host_keys);
210
211 for (i = 0; i < opts->nenv; i++)
212 free(opts->env[i]);
213 free(opts->env);
214
215 for (i = 0; i < opts->npermitopen; i++)
216 free(opts->permitopen[i]);
217 free(opts->permitopen);
218
219 for (i = 0; i < opts->npermitlisten; i++)
220 free(opts->permitlisten[i]);
221 free(opts->permitlisten);
222
223 freezero(opts, sizeof(*opts));
224}
225
226struct sshauthopt *
227sshauthopt_new_with_keys_defaults(void)
228{
229 struct sshauthopt *ret = NULL((void *)0);
230
231 if ((ret = sshauthopt_new()) == NULL((void *)0))
232 return NULL((void *)0);
233
234 /* Defaults for authorized_keys flags */
235 ret->permit_port_forwarding_flag = 1;
236 ret->permit_agent_forwarding_flag = 1;
237 ret->permit_x11_forwarding_flag = 1;
238 ret->permit_pty_flag = 1;
239 ret->permit_user_rc = 1;
240 return ret;
241}
242
243/*
244 * Parse and record a permitopen/permitlisten directive.
245 * Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
246 */
247static int
248handle_permit(const char **optsp, int allow_bare_port,
249 char ***permitsp, size_t *npermitsp, const char **errstrp)
250{
251 char *opt, *tmp, *cp, *host, **permits = *permitsp;
252 size_t npermits = *npermitsp;
253 const char *errstr = "unknown error";
254
255 if (npermits > SSH_AUTHOPT_PERMIT_MAX4096) {
256 *errstrp = "too many permission directives";
257 return -1;
258 }
259 if ((opt = opt_dequote(optsp, &errstr)) == NULL((void *)0)) {
260 return -1;
261 }
262 if (allow_bare_port && strchr(opt, ':') == NULL((void *)0)) {
263 /*
264 * Allow a bare port number in permitlisten to indicate a
265 * listen_host wildcard.
266 */
267 if (asprintf(&tmp, "*:%s", opt) == -1) {
268 free(opt);
269 *errstrp = "memory allocation failed";
270 return -1;
271 }
272 free(opt);
273 opt = tmp;
274 }
275 if ((tmp = strdup(opt)) == NULL((void *)0)) {
276 free(opt);
277 *errstrp = "memory allocation failed";
278 return -1;
279 }
280 cp = tmp;
281 /* validate syntax before recording it. */
282 host = hpdelim(&cp);
283 if (host == NULL((void *)0) || strlen(host) >= NI_MAXHOST256) {
284 free(tmp);
285 free(opt);
286 *errstrp = "invalid permission hostname";
287 return -1;
288 }
289 /*
290 * don't want to use permitopen_port to avoid
291 * dependency on channels.[ch] here.
292 */
293 if (cp == NULL((void *)0) ||
294 (strcmp(cp, "*") != 0 && a2port(cp) <= 0)) {
295 free(tmp);
296 free(opt);
297 *errstrp = "invalid permission port";
298 return -1;
299 }
300 /* XXX - add streamlocal support */
301 free(tmp);
302 /* Record it */
303 if ((permits = recallocarray(permits, npermits, npermits + 1,
304 sizeof(*permits))) == NULL((void *)0)) {
305 free(opt);
306 /* NB. don't update *permitsp if alloc fails */
307 *errstrp = "memory allocation failed";
308 return -1;
309 }
310 permits[npermits++] = opt;
311 *permitsp = permits;
312 *npermitsp = npermits;
313 return 0;
314}
315
316struct sshauthopt *
317sshauthopt_parse(const char *opts, const char **errstrp)
318{
319 char **oarray, *opt, *cp, *tmp;
320 int r;
321 struct sshauthopt *ret = NULL((void *)0);
322 const char *errstr = "unknown error";
323 uint64_t valid_before;
324 size_t i, l;
325
326 if (errstrp != NULL((void *)0))
327 *errstrp = NULL((void *)0);
328 if ((ret = sshauthopt_new_with_keys_defaults()) == NULL((void *)0))
329 goto alloc_fail;
330
331 if (opts == NULL((void *)0))
332 return ret;
333
334 while (*opts && *opts != ' ' && *opts != '\t') {
335 /* flag options */
336 if ((r = opt_flag("restrict", 0, &opts)) != -1) {
Although the value stored to 'r' is used in the enclosing expression, the value is never actually read from 'r'
337 ret->restricted = 1;
338 ret->permit_port_forwarding_flag = 0;
339 ret->permit_agent_forwarding_flag = 0;
340 ret->permit_x11_forwarding_flag = 0;
341 ret->permit_pty_flag = 0;
342 ret->permit_user_rc = 0;
343 } else if ((r = opt_flag("cert-authority", 0, &opts)) != -1) {
344 ret->cert_authority = r;
345 } else if ((r = opt_flag("port-forwarding", 1, &opts)) != -1) {
346 ret->permit_port_forwarding_flag = r == 1;
347 } else if ((r = opt_flag("agent-forwarding", 1, &opts)) != -1) {
348 ret->permit_agent_forwarding_flag = r == 1;
349 } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
350 ret->permit_x11_forwarding_flag = r == 1;
351 } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
352 ret->no_require_user_presence = r != 1; /* NB. flip */
353 } else if ((r = opt_flag("verify-required", 1, &opts)) != -1) {
354 ret->require_verify = r == 1;
355 } else if ((r = opt_flag("pty", 1, &opts)) != -1) {
356 ret->permit_pty_flag = r == 1;
357 } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
358 ret->permit_user_rc = r == 1;
359 } else if (opt_match(&opts, "command")) {
360 if (ret->force_command != NULL((void *)0)) {
361 errstr = "multiple \"command\" clauses";
362 goto fail;
363 }
364 ret->force_command = opt_dequote(&opts, &errstr);
365 if (ret->force_command == NULL((void *)0))
366 goto fail;
367 } else if (opt_match(&opts, "principals")) {
368 if (ret->cert_principals != NULL((void *)0)) {
369 errstr = "multiple \"principals\" clauses";
370 goto fail;
371 }
372 ret->cert_principals = opt_dequote(&opts, &errstr);
373 if (ret->cert_principals == NULL((void *)0))
374 goto fail;
375 } else if (opt_match(&opts, "from")) {
376 if (ret->required_from_host_keys != NULL((void *)0)) {
377 errstr = "multiple \"from\" clauses";
378 goto fail;
379 }
380 ret->required_from_host_keys = opt_dequote(&opts,
381 &errstr);
382 if (ret->required_from_host_keys == NULL((void *)0))
383 goto fail;
384 } else if (opt_match(&opts, "expiry-time")) {
385 if ((opt = opt_dequote(&opts, &errstr)) == NULL((void *)0))
386 goto fail;
387 if (parse_absolute_time(opt, &valid_before) != 0 ||
388 valid_before == 0) {
389 free(opt);
390 errstr = "invalid expires time";
391 goto fail;
392 }
393 free(opt);
394 if (ret->valid_before == 0 ||
395 valid_before < ret->valid_before)
396 ret->valid_before = valid_before;
397 } else if (opt_match(&opts, "environment")) {
398 if (ret->nenv > SSH_AUTHOPT_ENV_MAX1024) {
399 errstr = "too many environment strings";
400 goto fail;
401 }
402 if ((opt = opt_dequote(&opts, &errstr)) == NULL((void *)0))
403 goto fail;
404 /* env name must be alphanumeric and followed by '=' */
405 if ((tmp = strchr(opt, '=')) == NULL((void *)0)) {
406 free(opt);
407 errstr = "invalid environment string";
408 goto fail;
409 }
410 if ((cp = strdup(opt)) == NULL((void *)0)) {
411 free(opt);
412 goto alloc_fail;
413 }
414 l = (size_t)(tmp - opt);
415 cp[l] = '\0'; /* truncate at '=' */
416 if (!valid_env_name(cp)) {
417 free(cp);
418 free(opt);
419 errstr = "invalid environment string";
420 goto fail;
421 }
422 /* Check for duplicates; XXX O(n*log(n)) */
423 for (i = 0; i < ret->nenv; i++) {
424 if (strncmp(ret->env[i], cp, l) == 0 &&
425 ret->env[i][l] == '=')
426 break;
427 }
428 free(cp);
429 /* First match wins */
430 if (i >= ret->nenv) {
431 /* Append it. */
432 oarray = ret->env;
433 if ((ret->env = recallocarray(ret->env,
434 ret->nenv, ret->nenv + 1,
435 sizeof(*ret->env))) == NULL((void *)0)) {
436 free(opt);
437 /* put it back for cleanup */
438 ret->env = oarray;
439 goto alloc_fail;
440 }
441 ret->env[ret->nenv++] = opt;
442 opt = NULL((void *)0); /* transferred */
443 }
444 free(opt);
445 } else if (opt_match(&opts, "permitopen")) {
446 if (handle_permit(&opts, 0, &ret->permitopen,
447 &ret->npermitopen, &errstr) != 0)
448 goto fail;
449 } else if (opt_match(&opts, "permitlisten")) {
450 if (handle_permit(&opts, 1, &ret->permitlisten,
451 &ret->npermitlisten, &errstr) != 0)
452 goto fail;
453 } else if (opt_match(&opts, "tunnel")) {
454 if ((opt = opt_dequote(&opts, &errstr)) == NULL((void *)0))
455 goto fail;
456 ret->force_tun_device = a2tun(opt, NULL((void *)0));
457 free(opt);
458 if (ret->force_tun_device == SSH_TUNID_ERR(0x7fffffff - 1)) {
459 errstr = "invalid tun device";
460 goto fail;
461 }
462 }
463 /*
464 * Skip the comma, and move to the next option
465 * (or break out if there are no more).
466 */
467 if (*opts == '\0' || *opts == ' ' || *opts == '\t')
468 break; /* End of options. */
469 /* Anything other than a comma is an unknown option */
470 if (*opts != ',') {
471 errstr = "unknown key option";
472 goto fail;
473 }
474 opts++;
475 if (*opts == '\0') {
476 errstr = "unexpected end-of-options";
477 goto fail;
478 }
479 }
480
481 /* success */
482 if (errstrp != NULL((void *)0))
483 *errstrp = NULL((void *)0);
484 return ret;
485
486alloc_fail:
487 errstr = "memory allocation failed";
488fail:
489 sshauthopt_free(ret);
490 if (errstrp != NULL((void *)0))
491 *errstrp = errstr;
492 return NULL((void *)0);
493}
494
495struct sshauthopt *
496sshauthopt_from_cert(struct sshkey *k)
497{
498 struct sshauthopt *ret;
499
500 if (k == NULL((void *)0) || !sshkey_type_is_cert(k->type) || k->cert == NULL((void *)0) ||
501 k->cert->type != SSH2_CERT_TYPE_USER1)
502 return NULL((void *)0);
503
504 if ((ret = sshauthopt_new()) == NULL((void *)0))
505 return NULL((void *)0);
506
507 /* Handle options and critical extensions separately */
508 if (cert_option_list(ret, k->cert->critical,
509 OPTIONS_CRITICAL1, 1) == -1) {
510 sshauthopt_free(ret);
511 return NULL((void *)0);
512 }
513 if (cert_option_list(ret, k->cert->extensions,
514 OPTIONS_EXTENSIONS2, 0) == -1) {
515 sshauthopt_free(ret);
516 return NULL((void *)0);
517 }
518 /* success */
519 return ret;
520}
521
522/*
523 * Merges "additional" options to "primary" and returns the result.
524 * NB. Some options from primary have primacy.
525 */
526struct sshauthopt *
527sshauthopt_merge(const struct sshauthopt *primary,
528 const struct sshauthopt *additional, const char **errstrp)
529{
530 struct sshauthopt *ret;
531 const char *errstr = "internal error";
532 const char *tmp;
533
534 if (errstrp != NULL((void *)0))
535 *errstrp = NULL((void *)0);
536
537 if ((ret = sshauthopt_new()) == NULL((void *)0))
538 goto alloc_fail;
539
540 /* cert_authority and cert_principals are cleared in result */
541
542 /* Prefer access lists from primary. */
543 /* XXX err is both set and mismatch? */
544 tmp = primary->required_from_host_cert;
545 if (tmp == NULL((void *)0))
546 tmp = additional->required_from_host_cert;
547 if (tmp != NULL((void *)0) && (ret->required_from_host_cert = strdup(tmp)) == NULL((void *)0))
548 goto alloc_fail;
549 tmp = primary->required_from_host_keys;
550 if (tmp == NULL((void *)0))
551 tmp = additional->required_from_host_keys;
552 if (tmp != NULL((void *)0) && (ret->required_from_host_keys = strdup(tmp)) == NULL((void *)0))
553 goto alloc_fail;
554
555 /*
556 * force_tun_device, permitopen/permitlisten and environment all
557 * prefer the primary.
558 */
559 ret->force_tun_device = primary->force_tun_device;
560 if (ret->force_tun_device == -1)
561 ret->force_tun_device = additional->force_tun_device;
562 if (primary->nenv > 0) {
563 if (dup_strings(&ret->env, &ret->nenv,
564 primary->env, primary->nenv) != 0)
565 goto alloc_fail;
566 } else if (additional->nenv) {
567 if (dup_strings(&ret->env, &ret->nenv,
568 additional->env, additional->nenv) != 0)
569 goto alloc_fail;
570 }
571 if (primary->npermitopen > 0) {
572 if (dup_strings(&ret->permitopen, &ret->npermitopen,
573 primary->permitopen, primary->npermitopen) != 0)
574 goto alloc_fail;
575 } else if (additional->npermitopen > 0) {
576 if (dup_strings(&ret->permitopen, &ret->npermitopen,
577 additional->permitopen, additional->npermitopen) != 0)
578 goto alloc_fail;
579 }
580
581 if (primary->npermitlisten > 0) {
582 if (dup_strings(&ret->permitlisten, &ret->npermitlisten,
583 primary->permitlisten, primary->npermitlisten) != 0)
584 goto alloc_fail;
585 } else if (additional->npermitlisten > 0) {
586 if (dup_strings(&ret->permitlisten, &ret->npermitlisten,
587 additional->permitlisten, additional->npermitlisten) != 0)
588 goto alloc_fail;
589 }
590
591#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
592#define OPTFLAG_OR(x)ret->x = (primary->x == 1) || (additional->x == 1) ret->x = (primary->x == 1) || (additional->x == 1)
593 /* Permissive flags are logical-AND (i.e. must be set in both) */
594 OPTFLAG_AND(permit_port_forwarding_flag);
595 OPTFLAG_AND(permit_agent_forwarding_flag);
596 OPTFLAG_AND(permit_x11_forwarding_flag);
597 OPTFLAG_AND(permit_pty_flag);
598 OPTFLAG_AND(permit_user_rc);
599 OPTFLAG_AND(no_require_user_presence);
600 /* Restrictive flags are logical-OR (i.e. must be set in either) */
601 OPTFLAG_OR(require_verify)ret->require_verify = (primary->require_verify == 1) ||
(additional->require_verify == 1);
602#undef OPTFLAG_AND
603
604 /* Earliest expiry time should win */
605 if (primary->valid_before != 0)
606 ret->valid_before = primary->valid_before;
607 if (additional->valid_before != 0 &&
608 additional->valid_before < ret->valid_before)
609 ret->valid_before = additional->valid_before;
610
611 /*
612 * When both multiple forced-command are specified, only
613 * proceed if they are identical, otherwise fail.
614 */
615 if (primary->force_command != NULL((void *)0) &&
616 additional->force_command != NULL((void *)0)) {
617 if (strcmp(primary->force_command,
618 additional->force_command) == 0) {
619 /* ok */
620 ret->force_command = strdup(primary->force_command);
621 if (ret->force_command == NULL((void *)0))
622 goto alloc_fail;
623 } else {
624 errstr = "forced command options do not match";
625 goto fail;
626 }
627 } else if (primary->force_command != NULL((void *)0)) {
628 if ((ret->force_command = strdup(
629 primary->force_command)) == NULL((void *)0))
630 goto alloc_fail;
631 } else if (additional->force_command != NULL((void *)0)) {
632 if ((ret->force_command = strdup(
633 additional->force_command)) == NULL((void *)0))
634 goto alloc_fail;
635 }
636 /* success */
637 if (errstrp != NULL((void *)0))
638 *errstrp = NULL((void *)0);
639 return ret;
640
641 alloc_fail:
642 errstr = "memory allocation failed";
643 fail:
644 if (errstrp != NULL((void *)0))
645 *errstrp = errstr;
646 sshauthopt_free(ret);
647 return NULL((void *)0);
648}
649
650/*
651 * Copy options
652 */
653struct sshauthopt *
654sshauthopt_copy(const struct sshauthopt *orig)
655{
656 struct sshauthopt *ret;
657
658 if ((ret = sshauthopt_new()) == NULL((void *)0))
659 return NULL((void *)0);
660
661#define OPTSCALAR(x) ret->x = orig->x
662 OPTSCALAR(permit_port_forwarding_flag);
663 OPTSCALAR(permit_agent_forwarding_flag);
664 OPTSCALAR(permit_x11_forwarding_flag);
665 OPTSCALAR(permit_pty_flag);
666 OPTSCALAR(permit_user_rc);
667 OPTSCALAR(restricted);
668 OPTSCALAR(cert_authority);
669 OPTSCALAR(force_tun_device);
670 OPTSCALAR(valid_before);
671 OPTSCALAR(no_require_user_presence);
672 OPTSCALAR(require_verify);
673#undef OPTSCALAR
674#define OPTSTRING(x) \
675 do { \
676 if (orig->x != NULL((void *)0) && (ret->x = strdup(orig->x)) == NULL((void *)0)) { \
677 sshauthopt_free(ret); \
678 return NULL((void *)0); \
679 } \
680 } while (0)
681 OPTSTRING(cert_principals);
682 OPTSTRING(force_command);
683 OPTSTRING(required_from_host_cert);
684 OPTSTRING(required_from_host_keys);
685#undef OPTSTRING
686
687 if (dup_strings(&ret->env, &ret->nenv, orig->env, orig->nenv) != 0 ||
688 dup_strings(&ret->permitopen, &ret->npermitopen,
689 orig->permitopen, orig->npermitopen) != 0 ||
690 dup_strings(&ret->permitlisten, &ret->npermitlisten,
691 orig->permitlisten, orig->npermitlisten) != 0) {
692 sshauthopt_free(ret);
693 return NULL((void *)0);
694 }
695 return ret;
696}
697
698static int
699serialise_array(struct sshbuf *m, char **a, size_t n)
700{
701 struct sshbuf *b;
702 size_t i;
703 int r;
704
705 if (n > INT_MAX2147483647)
706 return SSH_ERR_INTERNAL_ERROR-1;
707
708 if ((b = sshbuf_new()) == NULL((void *)0)) {
709 return SSH_ERR_ALLOC_FAIL-2;
710 }
711 for (i = 0; i < n; i++) {
712 if ((r = sshbuf_put_cstring(b, a[i])) != 0) {
713 sshbuf_free(b);
714 return r;
715 }
716 }
717 if ((r = sshbuf_put_u32(m, n)) != 0 ||
718 (r = sshbuf_put_stringb(m, b)) != 0) {
719 sshbuf_free(b);
720 return r;
721 }
722 /* success */
723 return 0;
724}
725
726static int
727deserialise_array(struct sshbuf *m, char ***ap, size_t *np)
728{
729 char **a = NULL((void *)0);
730 size_t i, n = 0;
731 struct sshbuf *b = NULL((void *)0);
732 u_int tmp;
733 int r = SSH_ERR_INTERNAL_ERROR-1;
734
735 if ((r = sshbuf_get_u32(m, &tmp)) != 0 ||
736 (r = sshbuf_froms(m, &b)) != 0)
737 goto out;
738 if (tmp > INT_MAX2147483647) {
739 r = SSH_ERR_INVALID_FORMAT-4;
740 goto out;
741 }
742 n = tmp;
743 if (n > 0 && (a = calloc(n, sizeof(*a))) == NULL((void *)0)) {
744 r = SSH_ERR_ALLOC_FAIL-2;
745 goto out;
746 }
747 for (i = 0; i < n; i++) {
748 if ((r = sshbuf_get_cstring(b, &a[i], NULL((void *)0))) != 0)
749 goto out;
750 }
751 /* success */
752 r = 0;
753 *ap = a;
754 a = NULL((void *)0);
755 *np = n;
756 n = 0;
757 out:
758 if (a != NULL((void *)0)) {
759 for (i = 0; i < n; i++)
760 free(a[i]);
761 free(a);
762 }
763 sshbuf_free(b);
764 return r;
765}
766
767static int
768serialise_nullable_string(struct sshbuf *m, const char *s)
769{
770 int r;
771
772 if ((r = sshbuf_put_u8(m, s == NULL((void *)0))) != 0 ||
773 (r = sshbuf_put_cstring(m, s)) != 0)
774 return r;
775 return 0;
776}
777
778static int
779deserialise_nullable_string(struct sshbuf *m, char **sp)
780{
781 int r;
782 u_char flag;
783
784 *sp = NULL((void *)0);
785 if ((r = sshbuf_get_u8(m, &flag)) != 0 ||
786 (r = sshbuf_get_cstring(m, flag ? NULL((void *)0) : sp, NULL((void *)0))) != 0)
787 return r;
788 return 0;
789}
790
791int
792sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
793 int untrusted)
794{
795 int r = SSH_ERR_INTERNAL_ERROR-1;
796
797 /* Flag options */
798 if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
799 (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
800 (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
801 (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 ||
802 (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
803 (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
804 (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
805 (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0 ||
806 (r = sshbuf_put_u8(m, opts->require_verify)) != 0)
807 return r;
808
809 /* Simple integer options */
810 if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0)
811 return r;
812
813 /* tunnel number can be negative to indicate "unset" */
814 if ((r = sshbuf_put_u8(m, opts->force_tun_device == -1)) != 0 ||
815 (r = sshbuf_put_u32(m, (opts->force_tun_device < 0) ?
816 0 : (u_int)opts->force_tun_device)) != 0)
817 return r;
818
819 /* String options; these may be NULL */
820 if ((r = serialise_nullable_string(m,
821 untrusted ? "yes" : opts->cert_principals)) != 0 ||
822 (r = serialise_nullable_string(m,
823 untrusted ? "true" : opts->force_command)) != 0 ||
824 (r = serialise_nullable_string(m,
825 untrusted ? NULL((void *)0) : opts->required_from_host_cert)) != 0 ||
826 (r = serialise_nullable_string(m,
827 untrusted ? NULL((void *)0) : opts->required_from_host_keys)) != 0)
828 return r;
829
830 /* Array options */
831 if ((r = serialise_array(m, opts->env,
832 untrusted ? 0 : opts->nenv)) != 0 ||
833 (r = serialise_array(m, opts->permitopen,
834 untrusted ? 0 : opts->npermitopen)) != 0 ||
835 (r = serialise_array(m, opts->permitlisten,
836 untrusted ? 0 : opts->npermitlisten)) != 0)
837 return r;
838
839 /* success */
840 return 0;
841}
842
843int
844sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
845{
846 struct sshauthopt *opts = NULL((void *)0);
847 int r = SSH_ERR_INTERNAL_ERROR-1;
848 u_char f;
849 u_int tmp;
850
851 if ((opts = calloc(1, sizeof(*opts))) == NULL((void *)0))
852 return SSH_ERR_ALLOC_FAIL-2;
853
854 /* Flag options */
855#define OPT_FLAG(x) \
856 do { \
857 if ((r = sshbuf_get_u8(m, &f)) != 0) \
858 goto out; \
859 opts->x = f; \
860 } while (0)
861 OPT_FLAG(permit_port_forwarding_flag);
862 OPT_FLAG(permit_agent_forwarding_flag);
863 OPT_FLAG(permit_x11_forwarding_flag);
864 OPT_FLAG(permit_pty_flag);
865 OPT_FLAG(permit_user_rc);
866 OPT_FLAG(restricted);
867 OPT_FLAG(cert_authority);
868 OPT_FLAG(no_require_user_presence);
869 OPT_FLAG(require_verify);
870#undef OPT_FLAG
871
872 /* Simple integer options */
873 if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
874 goto out;
875
876 /* tunnel number can be negative to indicate "unset" */
877 if ((r = sshbuf_get_u8(m, &f)) != 0 ||
878 (r = sshbuf_get_u32(m, &tmp)) != 0)
879 goto out;
880 opts->force_tun_device = f ? -1 : (int)tmp;
881
882 /* String options may be NULL */
883 if ((r = deserialise_nullable_string(m, &opts->cert_principals)) != 0 ||
884 (r = deserialise_nullable_string(m, &opts->force_command)) != 0 ||
885 (r = deserialise_nullable_string(m,
886 &opts->required_from_host_cert)) != 0 ||
887 (r = deserialise_nullable_string(m,
888 &opts->required_from_host_keys)) != 0)
889 goto out;
890
891 /* Array options */
892 if ((r = deserialise_array(m, &opts->env, &opts->nenv)) != 0 ||
893 (r = deserialise_array(m,
894 &opts->permitopen, &opts->npermitopen)) != 0 ||
895 (r = deserialise_array(m,
896 &opts->permitlisten, &opts->npermitlisten)) != 0)
897 goto out;
898
899 /* success */
900 r = 0;
901 *optsp = opts;
902 opts = NULL((void *)0);
903 out:
904 sshauthopt_free(opts);
905 return r;
906}