- markus@cvs.openbsd.org 2002/06/15 01:27:48

[authfd.c authfd.h ssh-add.c ssh-agent.c] remove the CONSTRAIN_IDENTITY messages and introduce a new ADD_ID message with contraints instead. contraints can be only added together with the private key.
author: Ben Lindstrom <mouring@eviladmin.org> 2002-06-21 00:08:39 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2002-06-21 00:08:39 +0000
commit: 2b266b7f083e969cba04a035eba46a6d96c0c1e3 (patch)
tree: fb9ecf1af23c8d94a3608c22e7c7779a3419c42e
parent: c90f8a98eaffccb8248111206416e1c9ed206da9 (diff)
5 files changed, 59 insertions, 116 deletions
diff --git a/ChangeLog b/ChangeLog
index eab258ada..8001c8847 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,11 @@
   - markus@cvs.openbsd.org 2002/06/15 00:07:38
     [authfd.c authfd.h ssh-add.c ssh-agent.c]
     fix stupid typo
+  - markus@cvs.openbsd.org 2002/06/15 01:27:48
+     [authfd.c authfd.h ssh-add.c ssh-agent.c]
+     remove the CONSTRAIN_IDENTITY messages and introduce a new
+     ADD_ID message with contraints instead. contraints can be
+     only added together with the private key.
 20020613
 - (bal) typo of setgroup for cygwin.  Patch by vinschen@redhat.com
@@ -940,4 +945,4 @@
 - (stevesk) entropy.c: typo in debug message
 - (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2220 2002/06/21 00:06:54 mouring Exp $
+$Id: ChangeLog,v 1.2221 2002/06/21 00:08:39 mouring Exp $
diff --git a/authfd.c b/authfd.c
index 14438ddf0..c8a952755 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.53 2002/06/15 00:07:38 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.54 2002/06/15 01:27:48 markus Exp $");
 #include <openssl/evp.h>
@@ -439,8 +439,6 @@ ssh_agent_sign(AuthenticationConnection *auth,
 static void
 ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 {
-        buffer_clear(b);
-        buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
        buffer_put_int(b, BN_num_bits(key->n));
        buffer_put_bignum(b, key->n);
        buffer_put_bignum(b, key->e);
@@ -455,8 +453,6 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 static void
 ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
 {
-        buffer_clear(b);
-        buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
        buffer_put_cstring(b, key_ssh_name(key));
        switch (key->type) {
        case KEY_RSA:
@@ -484,19 +480,28 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
 */
 int
-ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
+    const char *comment, u_int life)
 {
        Buffer msg;
-        int type;
+        int type, constrained = (life != 0);
        buffer_init(&msg);
        switch (key->type) {
        case KEY_RSA1:
+                type = constrained ?
+                    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
+                    SSH_AGENTC_ADD_RSA_IDENTITY;
+                buffer_put_char(&msg, type);
                ssh_encode_identity_rsa1(&msg, key->rsa, comment);
                break;
        case KEY_RSA:
        case KEY_DSA:
+                type = constrained ?
+                    SSH2_AGENTC_ADD_ID_CONSTRAINED :
+                    SSH2_AGENTC_ADD_IDENTITY;
+                buffer_put_char(&msg, type);
                ssh_encode_identity_ssh2(&msg, key, comment);
                break;
        default:
@@ -504,6 +509,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
                return 0;
                break;
        }
+        if (constrained) {
+                if (life != 0) {
+                        buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
+                        buffer_put_int(&msg, life);
+                }
+        }
        if (ssh_request_reply(auth, &msg, &msg) == 0) {
                buffer_free(&msg);
                return 0;
@@ -513,6 +524,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
        return decode_reply(type);
 }
+int
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+{
+        return ssh_add_identity_constrained(auth, key, comment, 0);
+}
 /*
 * Removes an identity from the authentication server.  This call is not
 * meant to be used by normal applications.
@@ -552,42 +569,6 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 }
 int
-ssh_constrain_identity(AuthenticationConnection *auth, Key *key, u_int life)
-{
-        Buffer msg;
-        int type;
-        u_char *blob;
-        u_int blen;
-        buffer_init(&msg);
-        if (key->type == KEY_RSA1) {
-                buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY1);
-                buffer_put_int(&msg, BN_num_bits(key->rsa->n));
-                buffer_put_bignum(&msg, key->rsa->e);
-                buffer_put_bignum(&msg, key->rsa->n);
-        } else if (key->type == KEY_DSA || key->type == KEY_RSA) {
-                key_to_blob(key, &blob, &blen);
-                buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY);
-                buffer_put_string(&msg, blob, blen);
-                xfree(blob);
-        } else {
-                buffer_free(&msg);
-                return 0;
-        }
-        buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
-        buffer_put_int(&msg, life);
-        if (ssh_request_reply(auth, &msg, &msg) == 0) {
-                buffer_free(&msg);
-                return 0;
-        }
-        type = buffer_get_char(&msg);
-        buffer_free(&msg);
-        return decode_reply(type);
-}
-int
 ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
 {
        Buffer msg;
diff --git a/authfd.h b/authfd.h
index 496abc272..d7344bf4b 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: authfd.h,v 1.28 2002/06/15 00:07:38 markus Exp $      */
+/*      $OpenBSD: authfd.h,v 1.29 2002/06/15 01:27:48 markus Exp $      */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,9 +46,9 @@
 #define SSH_AGENTC_LOCK                         22
 #define SSH_AGENTC_UNLOCK                       23
-/* constrain key usage */
+/* add key with constraints */
-#define SSH_AGENTC_CONSTRAIN_IDENTITY1          24
+#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED       24
-#define SSH_AGENTC_CONSTRAIN_IDENTITY           25
+#define SSH2_AGENTC_ADD_ID_CONSTRAINED          25
 #define SSH_AGENT_CONSTRAIN_LIFETIME            1
@@ -75,7 +75,7 @@ int	 ssh_get_num_identities(AuthenticationConnection *, int);
 Key     *ssh_get_first_identity(AuthenticationConnection *, char **, int);
 Key     *ssh_get_next_identity(AuthenticationConnection *, char **, int);
 int      ssh_add_identity(AuthenticationConnection *, Key *, const char *);
-int      ssh_constrain_identity(AuthenticationConnection *, Key *, u_int);
+int      ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int);
 int      ssh_remove_identity(AuthenticationConnection *, Key *);
 int      ssh_remove_all_identities(AuthenticationConnection *, int);
 int      ssh_lock_agent(AuthenticationConnection *, int, const char *);
diff --git a/ssh-add.c b/ssh-add.c
index 1ebd1fe2d..2085367ba 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.59 2002/06/15 00:07:38 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.60 2002/06/15 01:27:48 markus Exp $");
 #include <openssl/evp.h>
@@ -164,22 +164,18 @@ add_file(AuthenticationConnection *ac, const char *filename)
                        strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
                }
        }
-        if (ssh_add_identity(ac, private, comment)) {
+        if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
                fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
                ret = 0;
-        } else
+                if (lifetime != 0)
+                        fprintf(stderr,
+                            "Lifetime set to %d seconds\n", lifetime);
+        } else if (ssh_add_identity(ac, private, comment)) {
+                fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
+                ret = 0;
+        } else {
                fprintf(stderr, "Could not add identity: %s\n", filename);
-        if (ret == 0 && lifetime != 0) {
-                if (ssh_constrain_identity(ac, private, lifetime)) {
-                        fprintf(stderr,
-                            "Lifetime set to %d seconds for: %s (%s)\n",
-                            lifetime, filename, comment);
-                } else {
-                        fprintf(stderr,
-                            "Could not set lifetime for identity: %s\n",
-                            filename);
-                }
        }
        xfree(comment);
diff --git a/ssh-agent.c b/ssh-agent.c
index 991774aae..536db2de0 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
 #include "includes.h"
 #include "openbsd-compat/fake-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.93 2002/06/15 00:07:38 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.94 2002/06/15 01:27:48 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -395,7 +395,7 @@ process_add_identity(SocketEntry *e, int version)
        Key *k = NULL;
        char *type_name;
        char *comment;
-        int type, success = 0;
+        int type, success = 0, death = 0;
        Idtab *tab = idtab_lookup(version);
        switch (version) {
@@ -451,11 +451,20 @@ process_add_identity(SocketEntry *e, int version)
                goto send;
        }
        success = 1;
+        while (buffer_len(&e->request)) {
+                switch (buffer_get_char(&e->request)) {
+                case SSH_AGENT_CONSTRAIN_LIFETIME:
+                        death = time(NULL) + buffer_get_int(&e->request);
+                        break;
+                default:
+                        break;
+                }
+        }
        if (lookup_identity(k, version) == NULL) {
                Identity *id = xmalloc(sizeof(Identity));
                id->key = k;
                id->comment = comment;
-                id->death = 0;
+                id->death = death;
                TAILQ_INSERT_TAIL(&tab->idlist, id, next);
                /* Increment the number of identities. */
                tab->nentries++;
@@ -469,50 +478,6 @@ send:
            success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
 }
-static void
-process_constrain_identity(SocketEntry *e, int version)
-{
-        Key *key = NULL;
-        u_char *blob;
-        u_int blen, bits, death = 0;
-        int success = 0;
-        switch (version) {
-        case 1:
-                key = key_new(KEY_RSA1);
-                bits = buffer_get_int(&e->request);
-                buffer_get_bignum(&e->request, key->rsa->e);
-                buffer_get_bignum(&e->request, key->rsa->n);
-                break;
-        case 2:
-                blob = buffer_get_string(&e->request, &blen);
-                key = key_from_blob(blob, blen);
-                xfree(blob);
-                break;
-        }
-        while (buffer_len(&e->request)) {
-                switch (buffer_get_char(&e->request)) {
-                case SSH_AGENT_CONSTRAIN_LIFETIME:
-                        death = time(NULL) + buffer_get_int(&e->request);
-                        break;
-                default:
-                        break;
-                }
-        }
-        if (key != NULL) {
-                Identity *id = lookup_identity(key, version);
-                if (id != NULL && id->death == 0 && death != 0) {
-                        id->death = death;
-                        success = 1;
-                }
-                key_free(key);
-        }
-        buffer_put_int(&e->output, 1);
-        buffer_put_char(&e->output,
-            success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
 /* XXX todo: encrypt sensitive data with passphrase */
 static void
 process_lock_agent(SocketEntry *e, int lock)
@@ -706,6 +671,7 @@ process_message(SocketEntry *e)
                process_request_identities(e, 1);
                break;
        case SSH_AGENTC_ADD_RSA_IDENTITY:
+        case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED:
                process_add_identity(e, 1);
                break;
        case SSH_AGENTC_REMOVE_RSA_IDENTITY:
@@ -714,9 +680,6 @@ process_message(SocketEntry *e)
        case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
                process_remove_all_identities(e, 1);
                break;
-        case SSH_AGENTC_CONSTRAIN_IDENTITY1:
-                process_constrain_identity(e, 1);
-                break;
        /* ssh2 */
        case SSH2_AGENTC_SIGN_REQUEST:
                process_sign_request2(e);
@@ -725,6 +688,7 @@ process_message(SocketEntry *e)
                process_request_identities(e, 2);
                break;
        case SSH2_AGENTC_ADD_IDENTITY:
+        case SSH2_AGENTC_ADD_ID_CONSTRAINED:
                process_add_identity(e, 2);
                break;
        case SSH2_AGENTC_REMOVE_IDENTITY:
@@ -733,9 +697,6 @@ process_message(SocketEntry *e)
        case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
                process_remove_all_identities(e, 2);
                break;
-        case SSH_AGENTC_CONSTRAIN_IDENTITY:
-                process_constrain_identity(e, 2);
-                break;
 #ifdef SMARTCARD
        case SSH_AGENTC_ADD_SMARTCARD_KEY:
                process_add_smartcard_key(e);
author	Ben Lindstrom <mouring@eviladmin.org>	2002-06-21 00:08:39 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2002-06-21 00:08:39 +0000
commit	2b266b7f083e969cba04a035eba46a6d96c0c1e3 (patch)
tree	fb9ecf1af23c8d94a3608c22e7c7779a3419c42e
parent	c90f8a98eaffccb8248111206416e1c9ed206da9 (diff)

diff --git a/ChangeLog b/ChangeLog index eab258ada..8001c8847 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -12,6 +12,11 @@
12	- markus@cvs.openbsd.org 2002/06/15 00:07:38	12	- markus@cvs.openbsd.org 2002/06/15 00:07:38
13	[authfd.c authfd.h ssh-add.c ssh-agent.c]	13	[authfd.c authfd.h ssh-add.c ssh-agent.c]
14	fix stupid typo	14	fix stupid typo
		15	- markus@cvs.openbsd.org 2002/06/15 01:27:48
		16	[authfd.c authfd.h ssh-add.c ssh-agent.c]
		17	remove the CONSTRAIN_IDENTITY messages and introduce a new
		18	ADD_ID message with contraints instead. contraints can be
		19	only added together with the private key.
15		20
16	20020613	21	20020613
17	- (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com	22	- (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com
@@ -940,4 +945,4 @@
940	- (stevesk) entropy.c: typo in debug message	945	- (stevesk) entropy.c: typo in debug message
941	- (djm) ssh-keygen -i needs seeded RNG; report from markus@	946	- (djm) ssh-keygen -i needs seeded RNG; report from markus@
942		947
943	$Id: ChangeLog,v 1.2220 2002/06/21 00:06:54 mouring Exp $	948	$Id: ChangeLog,v 1.2221 2002/06/21 00:08:39 mouring Exp $


diff --git a/authfd.c b/authfd.c index 14438ddf0..c8a952755 100644 --- a/authfd.c +++ b/authfd.c
@@ -35,7 +35,7 @@
35	*/	35	*/
36		36
37	#include "includes.h"	37	#include "includes.h"
38	RCSID("$OpenBSD: authfd.c,v 1.53 2002/06/15 00:07:38 markus Exp $");	38	RCSID("$OpenBSD: authfd.c,v 1.54 2002/06/15 01:27:48 markus Exp $");
39		39
40	#include <openssl/evp.h>	40	#include <openssl/evp.h>
41		41
@@ -439,8 +439,6 @@ ssh_agent_sign(AuthenticationConnection *auth,
439	static void	439	static void
440	ssh_encode_identity_rsa1(Buffer b, RSA key, const char *comment)	440	ssh_encode_identity_rsa1(Buffer b, RSA key, const char *comment)
441	{	441	{
442	buffer_clear(b);
443	buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
444	buffer_put_int(b, BN_num_bits(key->n));	442	buffer_put_int(b, BN_num_bits(key->n));
445	buffer_put_bignum(b, key->n);	443	buffer_put_bignum(b, key->n);
446	buffer_put_bignum(b, key->e);	444	buffer_put_bignum(b, key->e);
@@ -455,8 +453,6 @@ ssh_encode_identity_rsa1(Buffer b, RSA key, const char *comment)
455	static void	453	static void
456	ssh_encode_identity_ssh2(Buffer b, Key key, const char *comment)	454	ssh_encode_identity_ssh2(Buffer b, Key key, const char *comment)
457	{	455	{
458	buffer_clear(b);
459	buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
460	buffer_put_cstring(b, key_ssh_name(key));	456	buffer_put_cstring(b, key_ssh_name(key));
461	switch (key->type) {	457	switch (key->type) {
462	case KEY_RSA:	458	case KEY_RSA:
@@ -484,19 +480,28 @@ ssh_encode_identity_ssh2(Buffer b, Key key, const char *comment)
484	*/	480	*/
485		481
486	int	482	int
487	ssh_add_identity(AuthenticationConnection auth, Key key, const char *comment)	483	ssh_add_identity_constrained(AuthenticationConnection auth, Key key,
		484	const char *comment, u_int life)
488	{	485	{
489	Buffer msg;	486	Buffer msg;
490	int type;	487	int type, constrained = (life != 0);
491		488
492	buffer_init(&msg);	489	buffer_init(&msg);
493		490
494	switch (key->type) {	491	switch (key->type) {
495	case KEY_RSA1:	492	case KEY_RSA1:
		493	type = constrained ?
		494	SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
		495	SSH_AGENTC_ADD_RSA_IDENTITY;
		496	buffer_put_char(&msg, type);
496	ssh_encode_identity_rsa1(&msg, key->rsa, comment);	497	ssh_encode_identity_rsa1(&msg, key->rsa, comment);
497	break;	498	break;
498	case KEY_RSA:	499	case KEY_RSA:
499	case KEY_DSA:	500	case KEY_DSA:
		501	type = constrained ?
		502	SSH2_AGENTC_ADD_ID_CONSTRAINED :
		503	SSH2_AGENTC_ADD_IDENTITY;
		504	buffer_put_char(&msg, type);
500	ssh_encode_identity_ssh2(&msg, key, comment);	505	ssh_encode_identity_ssh2(&msg, key, comment);
501	break;	506	break;
502	default:	507	default:
@@ -504,6 +509,12 @@ ssh_add_identity(AuthenticationConnection auth, Key key, const char *comment)
504	return 0;	509	return 0;
505	break;	510	break;
506	}	511	}
		512	if (constrained) {
		513	if (life != 0) {
		514	buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
		515	buffer_put_int(&msg, life);
		516	}
		517	}
507	if (ssh_request_reply(auth, &msg, &msg) == 0) {	518	if (ssh_request_reply(auth, &msg, &msg) == 0) {
508	buffer_free(&msg);	519	buffer_free(&msg);
509	return 0;	520	return 0;
@@ -513,6 +524,12 @@ ssh_add_identity(AuthenticationConnection auth, Key key, const char *comment)
513	return decode_reply(type);	524	return decode_reply(type);
514	}	525	}
515		526
		527	int
		528	ssh_add_identity(AuthenticationConnection auth, Key key, const char *comment)
		529	{
		530	return ssh_add_identity_constrained(auth, key, comment, 0);
		531	}
		532
516	/*	533	/*
517	* Removes an identity from the authentication server. This call is not	534	* Removes an identity from the authentication server. This call is not
518	* meant to be used by normal applications.	535	* meant to be used by normal applications.
@@ -552,42 +569,6 @@ ssh_remove_identity(AuthenticationConnection auth, Key key)
552	}	569	}
553		570
554	int	571	int
555	ssh_constrain_identity(AuthenticationConnection auth, Key key, u_int life)
556	{
557	Buffer msg;
558	int type;
559	u_char *blob;
560	u_int blen;
561
562	buffer_init(&msg);
563
564	if (key->type == KEY_RSA1) {
565	buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY1);
566	buffer_put_int(&msg, BN_num_bits(key->rsa->n));
567	buffer_put_bignum(&msg, key->rsa->e);
568	buffer_put_bignum(&msg, key->rsa->n);
569	} else if (key->type == KEY_DSA \|\| key->type == KEY_RSA) {
570	key_to_blob(key, &blob, &blen);
571	buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY);
572	buffer_put_string(&msg, blob, blen);
573	xfree(blob);
574	} else {
575	buffer_free(&msg);
576	return 0;
577	}
578	buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
579	buffer_put_int(&msg, life);
580
581	if (ssh_request_reply(auth, &msg, &msg) == 0) {
582	buffer_free(&msg);
583	return 0;
584	}
585	type = buffer_get_char(&msg);
586	buffer_free(&msg);
587	return decode_reply(type);
588	}
589
590	int
591	ssh_update_card(AuthenticationConnection auth, int add, const char reader_id, const char *pin)	572	ssh_update_card(AuthenticationConnection auth, int add, const char reader_id, const char *pin)
592	{	573	{
593	Buffer msg;	574	Buffer msg;


diff --git a/authfd.h b/authfd.h index 496abc272..d7344bf4b 100644 --- a/authfd.h +++ b/authfd.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: authfd.h,v 1.28 2002/06/15 00:07:38 markus Exp $ */	1	/* $OpenBSD: authfd.h,v 1.29 2002/06/15 01:27:48 markus Exp $ */
2		2
3	/*	3	/*
4	* Author: Tatu Ylonen <ylo@cs.hut.fi>	4	* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,9 +46,9 @@
46	#define SSH_AGENTC_LOCK 22	46	#define SSH_AGENTC_LOCK 22
47	#define SSH_AGENTC_UNLOCK 23	47	#define SSH_AGENTC_UNLOCK 23
48		48
49	/* constrain key usage */	49	/* add key with constraints */
50	#define SSH_AGENTC_CONSTRAIN_IDENTITY1 24	50	#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
51	#define SSH_AGENTC_CONSTRAIN_IDENTITY 25	51	#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
52		52
53	#define SSH_AGENT_CONSTRAIN_LIFETIME 1	53	#define SSH_AGENT_CONSTRAIN_LIFETIME 1
54		54
@@ -75,7 +75,7 @@ int ssh_get_num_identities(AuthenticationConnection *, int);
75	Key ssh_get_first_identity(AuthenticationConnection , char **, int);	75	Key ssh_get_first_identity(AuthenticationConnection , char **, int);
76	Key ssh_get_next_identity(AuthenticationConnection , char **, int);	76	Key ssh_get_next_identity(AuthenticationConnection , char **, int);
77	int ssh_add_identity(AuthenticationConnection , Key , const char *);	77	int ssh_add_identity(AuthenticationConnection , Key , const char *);
78	int ssh_constrain_identity(AuthenticationConnection , Key , u_int);	78	int ssh_add_identity_constrained(AuthenticationConnection , Key , const char *, u_int);
79	int ssh_remove_identity(AuthenticationConnection , Key );	79	int ssh_remove_identity(AuthenticationConnection , Key );
80	int ssh_remove_all_identities(AuthenticationConnection *, int);	80	int ssh_remove_all_identities(AuthenticationConnection *, int);
81	int ssh_lock_agent(AuthenticationConnection , int, const char );	81	int ssh_lock_agent(AuthenticationConnection , int, const char );


diff --git a/ssh-add.c b/ssh-add.c index 1ebd1fe2d..2085367ba 100644 --- a/ssh-add.c +++ b/ssh-add.c
@@ -35,7 +35,7 @@
35	*/	35	*/
36		36
37	#include "includes.h"	37	#include "includes.h"
38	RCSID("$OpenBSD: ssh-add.c,v 1.59 2002/06/15 00:07:38 markus Exp $");	38	RCSID("$OpenBSD: ssh-add.c,v 1.60 2002/06/15 01:27:48 markus Exp $");
39		39
40	#include <openssl/evp.h>	40	#include <openssl/evp.h>
41		41
@@ -164,22 +164,18 @@ add_file(AuthenticationConnection ac, const char filename)
164	strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);	164	strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
165	}	165	}
166	}	166	}
167	if (ssh_add_identity(ac, private, comment)) {	167
		168	if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
168	fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);	169	fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
169	ret = 0;	170	ret = 0;
170	} else	171	if (lifetime != 0)
		172	fprintf(stderr,
		173	"Lifetime set to %d seconds\n", lifetime);
		174	} else if (ssh_add_identity(ac, private, comment)) {
		175	fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
		176	ret = 0;
		177	} else {
171	fprintf(stderr, "Could not add identity: %s\n", filename);	178	fprintf(stderr, "Could not add identity: %s\n", filename);
172
173	if (ret == 0 && lifetime != 0) {
174	if (ssh_constrain_identity(ac, private, lifetime)) {
175	fprintf(stderr,
176	"Lifetime set to %d seconds for: %s (%s)\n",
177	lifetime, filename, comment);
178	} else {
179	fprintf(stderr,
180	"Could not set lifetime for identity: %s\n",
181	filename);
182	}
183	}	179	}
184		180
185	xfree(comment);	181	xfree(comment);


diff --git a/ssh-agent.c b/ssh-agent.c index 991774aae..536db2de0 100644 --- a/ssh-agent.c +++ b/ssh-agent.c
@@ -35,7 +35,7 @@
35		35
36	#include "includes.h"	36	#include "includes.h"
37	#include "openbsd-compat/fake-queue.h"	37	#include "openbsd-compat/fake-queue.h"
38	RCSID("$OpenBSD: ssh-agent.c,v 1.93 2002/06/15 00:07:38 markus Exp $");	38	RCSID("$OpenBSD: ssh-agent.c,v 1.94 2002/06/15 01:27:48 markus Exp $");
39		39
40	#include <openssl/evp.h>	40	#include <openssl/evp.h>
41	#include <openssl/md5.h>	41	#include <openssl/md5.h>
@@ -395,7 +395,7 @@ process_add_identity(SocketEntry *e, int version)
395	Key *k = NULL;	395	Key *k = NULL;
396	char *type_name;	396	char *type_name;
397	char *comment;	397	char *comment;
398	int type, success = 0;	398	int type, success = 0, death = 0;
399	Idtab *tab = idtab_lookup(version);	399	Idtab *tab = idtab_lookup(version);
400		400
401	switch (version) {	401	switch (version) {
@@ -451,11 +451,20 @@ process_add_identity(SocketEntry *e, int version)
451	goto send;	451	goto send;
452	}	452	}
453	success = 1;	453	success = 1;
		454	while (buffer_len(&e->request)) {
		455	switch (buffer_get_char(&e->request)) {
		456	case SSH_AGENT_CONSTRAIN_LIFETIME:
		457	death = time(NULL) + buffer_get_int(&e->request);
		458	break;
		459	default:
		460	break;
		461	}
		462	}
454	if (lookup_identity(k, version) == NULL) {	463	if (lookup_identity(k, version) == NULL) {
455	Identity *id = xmalloc(sizeof(Identity));	464	Identity *id = xmalloc(sizeof(Identity));
456	id->key = k;	465	id->key = k;
457	id->comment = comment;	466	id->comment = comment;
458	id->death = 0;	467	id->death = death;
459	TAILQ_INSERT_TAIL(&tab->idlist, id, next);	468	TAILQ_INSERT_TAIL(&tab->idlist, id, next);
460	/* Increment the number of identities. */	469	/* Increment the number of identities. */
461	tab->nentries++;	470	tab->nentries++;
@@ -469,50 +478,6 @@ send:
469	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);	478	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
470	}	479	}
471		480
472	static void
473	process_constrain_identity(SocketEntry *e, int version)
474	{
475	Key *key = NULL;
476	u_char *blob;
477	u_int blen, bits, death = 0;
478	int success = 0;
479
480	switch (version) {
481	case 1:
482	key = key_new(KEY_RSA1);
483	bits = buffer_get_int(&e->request);
484	buffer_get_bignum(&e->request, key->rsa->e);
485	buffer_get_bignum(&e->request, key->rsa->n);
486
487	break;
488	case 2:
489	blob = buffer_get_string(&e->request, &blen);
490	key = key_from_blob(blob, blen);
491	xfree(blob);
492	break;
493	}
494	while (buffer_len(&e->request)) {
495	switch (buffer_get_char(&e->request)) {
496	case SSH_AGENT_CONSTRAIN_LIFETIME:
497	death = time(NULL) + buffer_get_int(&e->request);
498	break;
499	default:
500	break;
501	}
502	}
503	if (key != NULL) {
504	Identity *id = lookup_identity(key, version);
505	if (id != NULL && id->death == 0 && death != 0) {
506	id->death = death;
507	success = 1;
508	}
509	key_free(key);
510	}
511	buffer_put_int(&e->output, 1);
512	buffer_put_char(&e->output,
513	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
514	}
515
516	/* XXX todo: encrypt sensitive data with passphrase */	481	/* XXX todo: encrypt sensitive data with passphrase */
517	static void	482	static void
518	process_lock_agent(SocketEntry *e, int lock)	483	process_lock_agent(SocketEntry *e, int lock)
@@ -706,6 +671,7 @@ process_message(SocketEntry *e)
706	process_request_identities(e, 1);	671	process_request_identities(e, 1);
707	break;	672	break;
708	case SSH_AGENTC_ADD_RSA_IDENTITY:	673	case SSH_AGENTC_ADD_RSA_IDENTITY:
		674	case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED:
709	process_add_identity(e, 1);	675	process_add_identity(e, 1);
710	break;	676	break;
711	case SSH_AGENTC_REMOVE_RSA_IDENTITY:	677	case SSH_AGENTC_REMOVE_RSA_IDENTITY:
@@ -714,9 +680,6 @@ process_message(SocketEntry *e)
714	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:	680	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
715	process_remove_all_identities(e, 1);	681	process_remove_all_identities(e, 1);
716	break;	682	break;
717	case SSH_AGENTC_CONSTRAIN_IDENTITY1:
718	process_constrain_identity(e, 1);
719	break;
720	/* ssh2 */	683	/* ssh2 */
721	case SSH2_AGENTC_SIGN_REQUEST:	684	case SSH2_AGENTC_SIGN_REQUEST:
722	process_sign_request2(e);	685	process_sign_request2(e);
@@ -725,6 +688,7 @@ process_message(SocketEntry *e)
725	process_request_identities(e, 2);	688	process_request_identities(e, 2);
726	break;	689	break;
727	case SSH2_AGENTC_ADD_IDENTITY:	690	case SSH2_AGENTC_ADD_IDENTITY:
		691	case SSH2_AGENTC_ADD_ID_CONSTRAINED:
728	process_add_identity(e, 2);	692	process_add_identity(e, 2);
729	break;	693	break;
730	case SSH2_AGENTC_REMOVE_IDENTITY:	694	case SSH2_AGENTC_REMOVE_IDENTITY:
@@ -733,9 +697,6 @@ process_message(SocketEntry *e)
733	case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:	697	case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
734	process_remove_all_identities(e, 2);	698	process_remove_all_identities(e, 2);
735	break;	699	break;
736	case SSH_AGENTC_CONSTRAIN_IDENTITY:
737	process_constrain_identity(e, 2);
738	break;
739	#ifdef SMARTCARD	700	#ifdef SMARTCARD
740	case SSH_AGENTC_ADD_SMARTCARD_KEY:	701	case SSH_AGENTC_ADD_SMARTCARD_KEY:
741	process_add_smartcard_key(e);	702	process_add_smartcard_key(e);