[openssh-commits] [openssh] 02/04: upstream: ssh-keygen: implement "verify-required" certificate option.
Fri Jun 3 13:38:32 AEST 2022
dtucker pushed a commit to branch master
in repository openssh.
commit 6b3fb624675082a1e5aa615d1b8479873d8b5731
Author: naddy at openbsd.org <naddy at openbsd.org>
Date: Tue May 31 14:05:12 2022 +0000
upstream: ssh-keygen: implement "verify-required" certificate option.
This was already documented when support for user-verified FIDO
keys was added, but the ssh-keygen(1) code was missing.
ok djm@
OpenBSD-Commit-ID: f660f973391b593fea4b7b25913c9a15c3eb8a06
---
ssh-keygen.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index e7600732..35e70a10 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.452 2022/05/09 03:09:53 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.453 2022/05/31 14:05:12 naddy Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -127,6 +127,7 @@ static u_int64_t cert_valid_to = ~0ULL;
#define CERTOPT_PTY (1<<3)
#define CERTOPT_USER_RC (1<<4)
#define CERTOPT_NO_REQUIRE_USER_PRESENCE (1<<5)
+#define CERTOPT_REQUIRE_VERIFY (1<<6)
#define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \
CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC)
static u_int32_t certflags_flags = CERTOPT_DEFAULT;
@@ -1672,6 +1673,8 @@ finalise_cert_exts(void)
cert_ext_add("force-command", certflags_command, 1);
if (certflags_src_addr != NULL)
cert_ext_add("source-address", certflags_src_addr, 1);
+ if ((certflags_flags & CERTOPT_REQUIRE_VERIFY) != 0)
+ cert_ext_add("verify-required", NULL, 1);
/* extensions */
if ((certflags_flags & CERTOPT_X_FWD) != 0)
cert_ext_add("permit-X11-forwarding", NULL, 0);
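Review bot: The new cert_ext_add call for "verify-required" passes 1 as the critical flag with no comment saying why this FIDO flag is critical while the neighbouring permit-* entries under `/* extensions */` are not; the distinction matters because a server that does not recognise a critical option must reject the certificate, so a reader will wonder whether the 1 is deliberate. Suggest a one-line comment above the call, `/* critical: a server that cannot enforce user verification must reject the cert */`. finalise_cert_exts starts and ends outside the hunk, so whether the option list is sorted afterwards is not visible; as written, verify-required already sorts after force-command and source-address, so the lexical ordering the certificate format requires holds for this hunk either way.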
@@ -1993,6 +1996,10 @@ add_cert_option(char *opt)
certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE;
else if (strcasecmp(opt, "no-touch-required") == 0)
certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE;
+ else if (strcasecmp(opt, "no-verify-required") == 0)
+ certflags_flags &= ~CERTOPT_REQUIRE_VERIFY;
+ else if (strcasecmp(opt, "verify-required") == 0)
+ certflags_flags |= CERTOPT_REQUIRE_VERIFY;
else if (strncasecmp(opt, "force-command=", 14) == 0) {
val = opt + 14;
if (*val == '\0')
@@ -2051,6 +2058,9 @@ show_options(struct sshbuf *optbuf, int in_critical)
fatal_fr(r, "parse critical");
printf(" %s\n", arg);
free(arg);
+ } else if (in_critical &&
+ strcmp(name, "verify-required") == 0) {
+ printf("\n");
} else if (sshbuf_len(option) > 0) {
hex = sshbuf_dtob16(option);
printf(" UNKNOWN OPTION: %s (len %zu)\n",
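Review bot: The new verify-required branch never checks that the option payload is empty, so a critical verify-required option that carries unexpected data is printed as a bare newline and skips the UNKNOWN OPTION hex dump in the branch below it, which is the branch that would make a malformed certificate visible to the person running ssh-keygen -L. Since the option is a flag with no data, tightening the condition to `} else if (in_critical && sshbuf_len(option) == 0 && strcmp(name, "verify-required") == 0) {` keeps a non-empty payload on the diagnostic path. What the function does with an unconsumed payload after this chain is outside the hunk; show_options starts and ends outside it.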
--