Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/monitor.c,v rcsdiff: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/monitor.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.34 retrieving revision 1.35 diff -u -p -r1.34 -r1.35 --- src/crypto/external/bsd/openssh/dist/monitor.c 2020/05/28 17:05:49 1.34 +++ src/crypto/external/bsd/openssh/dist/monitor.c 2020/12/04 18:42:50 1.35 @@ -1,5 +1,6 @@ -/* $NetBSD: monitor.c,v 1.34 2020/05/28 17:05:49 christos Exp $ */ -/* $OpenBSD: monitor.c,v 1.210 2020/03/13 03:17:07 djm Exp $ */ +/* $NetBSD: monitor.c,v 1.35 2020/12/04 18:42:50 christos Exp $ */ +/* $OpenBSD: monitor.c,v 1.214 2020/08/27 01:07:09 djm Exp $ */ + /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -27,7 +28,7 @@ */ #include "includes.h" -__RCSID("$NetBSD: monitor.c,v 1.34 2020/05/28 17:05:49 christos Exp $"); +__RCSID("$NetBSD: monitor.c,v 1.35 2020/12/04 18:42:50 christos Exp $"); #include #include #include @@ -659,7 +660,7 @@ mm_answer_sign(struct ssh *ssh, int sock if ((key = get_hostkey_by_index(keyid)) != NULL) { if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, - options.sk_provider, compat)) != 0) + options.sk_provider, NULL, compat)) != 0) fatal("%s: sshkey_sign failed: %s", __func__, ssh_err(r)); } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && @@ -1389,7 +1390,8 @@ mm_answer_keyverify(struct ssh *ssh, int const u_char *signature, *data, *blob; char *sigalg = NULL, *fp = NULL; size_t signaturelen, datalen, bloblen; - int r, ret, req_presence = 0, valid_data = 0, encoded_ret; + int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; + int encoded_ret; struct sshkey_sig_details *sig_details = NULL; Authctxt *authctxt = ssh->authctxt; 
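Review bot: The bare `NULL` added to the sshkey_sign() call in mm_answer_sign is an unannotated positional argument in a nine-argument call, and the hunk shows neither the parameter's name nor why the monitor has nothing to pass; presumably it is the sk-provider PIN argument of the newer sshkey_sign() signature (the OpenBSD tag moves 1.210 to 1.214), but that is not visible here. A small inline annotation, `options.sk_provider, NULL /* sk pin */, compat)) != 0)`, would keep the call readable, with the wording confirmed against the prototype in sshkey.h. mm_answer_sign starts and ends outside this hunk.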
@@ -1455,6 +1457,18 @@ mm_answer_keyverify(struct ssh *ssh, int ssh_remote_port(ssh)); ret = SSH_ERR_SIGNATURE_INVALID; } + req_verify = (options.pubkey_auth_options & + PUBKEYAUTH_VERIFY_REQUIRED) || key_opts->require_verify; + if (req_verify && + (sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0) { + error("public key %s %s signature for %s%s from %.128s " + "port %d rejected: user verification requirement " + "not met ", sshkey_type(key), fp, + authctxt->valid ? "" : "invalid user ", + authctxt->user, ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh)); + ret = SSH_ERR_SIGNATURE_INVALID; + } } auth2_record_key(authctxt, ret == 0, key); @@ -1572,7 +1586,7 @@ mm_answer_pty(struct ssh *ssh, int sock, if (fd0 != 0) error("%s: fd0 %d != 0", __func__, fd0); - /* slave is not needed */ + /* slave side of pty is not needed */ close(s->ttyfd); s->ttyfd = s->ptyfd; /* no need to dup() because nobody closes ptyfd */
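Review bot: The added verify-required check in mm_answer_keyverify dereferences `sig_details->sk_flags` with no comment saying what makes that safe or which policy it enforces; the closing `}` right after it suggests the check sits inside a guard on `sig_details` that is established before this hunk, and that dependency should be stated where the dereference happens. I would add above the `req_verify =` line: `/* VerifyRequired (sshd_config) or verify-required (authorized_keys): reject sk signatures made without user verification; sig_details must be non-NULL here */`, keeping the last clause only if the guard is indeed there. Separately, the literal `"not met ", sshkey_type(key), fp,` carries a trailing space before the closing quote (mirroring the presence check above it), so the logged line ends in a stray blank; `"not met", sshkey_type(key), fp,` reads cleaner. mm_answer_keyverify starts and ends outside this hunk.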