===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth-options.c,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- src/usr.bin/ssh/auth-options.c	2019/09/13 04:36:43	1.89
+++ src/usr.bin/ssh/auth-options.c	2019/11/25 00:54:23	1.90
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -93,7 +93,10 @@
 		    name, sshbuf_len(data));
 		found = 0;
 		if ((which & OPTIONS_EXTENSIONS) != 0) {
-			if (strcmp(name, "permit-X11-forwarding") == 0) {
+			if (strcmp(name, "no-touch-required") == 0) {
+				opts->no_require_user_presence = 1;
+				found = 1;
+			} else if (strcmp(name, "permit-X11-forwarding") == 0) {
 				opts->permit_x11_forwarding_flag = 1;
 				found = 1;
 			} else if (strcmp(name,
@@ -344,6 +347,8 @@
 			ret->permit_agent_forwarding_flag = r == 1;
 		} else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
 			ret->permit_x11_forwarding_flag = r == 1;
+		} else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
+			ret->no_require_user_presence = r != 1; /* NB. flip */
 		} else if ((r = opt_flag("pty", 1, &opts)) != -1) {
 			ret->permit_pty_flag = r == 1;
 		} else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -564,14 +569,15 @@
 			goto alloc_fail;
 	}
 
-	/* Flags are logical-AND (i.e. must be set in both for permission) */
-#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
-	OPTFLAG(permit_port_forwarding_flag);
-	OPTFLAG(permit_agent_forwarding_flag);
-	OPTFLAG(permit_x11_forwarding_flag);
-	OPTFLAG(permit_pty_flag);
-	OPTFLAG(permit_user_rc);
-#undef OPTFLAG
+#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
+	/* Permissive flags are logical-AND (i.e. must be set in both) */
+	OPTFLAG_AND(permit_port_forwarding_flag);
+	OPTFLAG_AND(permit_agent_forwarding_flag);
+	OPTFLAG_AND(permit_x11_forwarding_flag);
+	OPTFLAG_AND(permit_pty_flag);
+	OPTFLAG_AND(permit_user_rc);
+	OPTFLAG_AND(no_require_user_presence);
+#undef OPTFLAG_AND
 
 	/* Earliest expiry time should win */
 	if (primary->valid_before != 0)
@@ -640,6 +646,7 @@
 	OPTSCALAR(cert_authority);
 	OPTSCALAR(force_tun_device);
 	OPTSCALAR(valid_before);
+	OPTSCALAR(no_require_user_presence);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
 	do { \
@@ -762,7 +769,7 @@
 {
 	int r = SSH_ERR_INTERNAL_ERROR;
 
-	/* Flag and simple integer options */
+	/* Flag options */
 	if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
@@ -770,9 +777,13 @@
 	    (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
-	    (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+	    (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
 		return r;
 
+	/* Simple integer options */
+	if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+		return r;
+
 	/* tunnel number can be negative to indicate "unset" */
 	if ((r = sshbuf_put_u8(m, opts->force_tun_device == -1)) != 0 ||
 	    (r = sshbuf_put_u32(m, (opts->force_tun_device < 0) ?
@@ -814,6 +825,7 @@
 	if ((opts = calloc(1, sizeof(*opts))) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 
+	/* Flag options */
 #define OPT_FLAG(x) \
 	do { \
 		if ((r = sshbuf_get_u8(m, &f)) != 0) \
@@ -827,8 +839,10 @@
 	OPT_FLAG(permit_user_rc);
 	OPT_FLAG(restricted);
 	OPT_FLAG(cert_authority);
+	OPT_FLAG(no_require_user_presence);
 #undef OPT_FLAG
 
+	/* Simple integer options */
 	if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
 		goto out;