version 1.45, 2010/02/26 20:29:54 |
version 1.46, 2010/03/03 01:44:36 |
|
|
auth_cert_constraints(Buffer *c_orig, struct passwd *pw) |
auth_cert_constraints(Buffer *c_orig, struct passwd *pw) |
{ |
{ |
u_char *name = NULL, *data_blob = NULL; |
u_char *name = NULL, *data_blob = NULL; |
u_int len; |
u_int nlen, dlen, clen; |
Buffer c, data; |
Buffer c, data; |
int ret = -1; |
int ret = -1; |
|
|
|
|
buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); |
buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); |
|
|
while (buffer_len(&c) > 0) { |
while (buffer_len(&c) > 0) { |
if ((name = buffer_get_string_ret(&c, NULL)) == NULL || |
if ((name = buffer_get_string_ret(&c, &nlen)) == NULL || |
(data_blob = buffer_get_string_ret(&c, &len)) == NULL) { |
(data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { |
error("Certificate constraints corrupt"); |
error("Certificate constraints corrupt"); |
goto out; |
goto out; |
} |
} |
buffer_append(&data, data_blob, len); |
buffer_append(&data, data_blob, dlen); |
debug3("found certificate constraint \"%.100s\" len %u", |
debug3("found certificate constraint \"%.100s\" len %u", |
name, len); |
name, dlen); |
|
if (strlen(name) != nlen) { |
|
error("Certificate constraint name contains \\0"); |
|
goto out; |
|
} |
if (strcmp(name, "permit-X11-forwarding") == 0) |
if (strcmp(name, "permit-X11-forwarding") == 0) |
cert_no_x11_forwarding_flag = 0; |
cert_no_x11_forwarding_flag = 0; |
else if (strcmp(name, "permit-agent-forwarding") == 0) |
else if (strcmp(name, "permit-agent-forwarding") == 0) |
|
|
else if (strcmp(name, "permit-user-rc") == 0) |
else if (strcmp(name, "permit-user-rc") == 0) |
cert_no_user_rc = 0; |
cert_no_user_rc = 0; |
else if (strcmp(name, "force-command") == 0) { |
else if (strcmp(name, "force-command") == 0) { |
char *command = buffer_get_string_ret(&data, NULL); |
char *command = buffer_get_string_ret(&data, &clen); |
|
|
if (command == NULL) { |
if (command == NULL) { |
error("Certificate constraint \"%s\" corrupt", |
error("Certificate constraint \"%s\" corrupt", |
name); |
name); |
goto out; |
goto out; |
} |
} |
|
if (strlen(command) != clen) { |
|
error("force-command constrain contains \\0"); |
|
goto out; |
|
} |
if (cert_forced_command != NULL) { |
if (cert_forced_command != NULL) { |
error("Certificate has multiple " |
error("Certificate has multiple " |
"forced-command constraints"); |
"forced-command constraints"); |
|
|
} |
} |
cert_forced_command = command; |
cert_forced_command = command; |
} else if (strcmp(name, "source-address") == 0) { |
} else if (strcmp(name, "source-address") == 0) { |
char *allowed = buffer_get_string_ret(&data, NULL); |
char *allowed = buffer_get_string_ret(&data, &clen); |
const char *remote_ip = get_remote_ipaddr(); |
const char *remote_ip = get_remote_ipaddr(); |
|
|
if (allowed == NULL) { |
if (allowed == NULL) { |
error("Certificate constraint \"%s\" corrupt", |
error("Certificate constraint \"%s\" corrupt", |
name); |
name); |
|
goto out; |
|
} |
|
if (strlen(allowed) != clen) { |
|
error("source-address constrain contains \\0"); |
goto out; |
goto out; |
} |
} |
if (cert_source_address_done++) { |
if (cert_source_address_done++) { |