authormarkus@openbsd.org <markus@openbsd.org>2018-02-23 15:58:37 +0000
committerDamien Miller <djm@mindrot.org>2018-02-26 11:40:41 +1100
commit1b11ea7c58cd5c59838b5fa574cd456d6047b2d4 (patch)
tree7e96cb41b5234b9d327f7c8f41392f09aed0994e /authfd.c
parent7d330a1ac02076de98cfc8fda05353d57b603755 (diff)
upstream: Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures).
The code is not compiled in by default (see WITH_XMSS in Makefile.inc).
Joint work with stefan-lukas_gazdag at genua.eu.
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@
OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
Diffstat (limited to 'authfd.c')
-rw-r--r--authfd.c39
1 files changed, 18 insertions, 21 deletions
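diff --git a/authfd.c b/authfd.c
index 148bc9bfb..1eff7ba94 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.107 2018/02/10 09:25:34 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.108 2018/02/23 15:58:37 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -129,7 +129,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 
  /* Get the length of the message, and format it in the buffer. */
  len = sshbuf_len(request);
- put_u32(buf, len);
+ POKE_U32(buf, len);
 
  /* Send the length and then the packet to the agent. */
  if (atomicio(vwrite, sock, buf, 4) != 4 ||
@@ -144,7 +144,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
  return SSH_ERR_AGENT_COMMUNICATION;
 
  /* Extract the length, and check it for sanity. */
- len = get_u32(buf);
+ len = PEEK_U32(buf);
  if (len > MAX_AGENT_REPLY_LEN)
  return SSH_ERR_INVALID_FORMAT;
 
@@ -391,19 +391,7 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 
 
 static int
-ssh_encode_identity_ssh2(struct sshbuf *b, const struct sshkey *key,
- const char *comment)
-{
- int r;
-
- if ((r = sshkey_private_serialize(key, b)) != 0 ||
- (r = sshbuf_put_cstring(b, comment)) != 0)
- return r;
- return 0;
-}
-
-static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
 {
  int r;
 
@@ -416,6 +404,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
  if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_CONFIRM)) != 0)
  goto out;
  }
+ if (maxsign != 0) {
+ if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_MAXSIGN)) != 0 ||
+ (r = sshbuf_put_u32(m, maxsign)) != 0)
+ goto out;
+ }
  r = 0;
  out:
  return r;
@@ -427,10 +420,10 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
  */
 int
 ssh_add_identity_constrained(int sock, const struct sshkey *key,
- const char *comment, u_int life, u_int confirm)
+ const char *comment, u_int life, u_int confirm, u_int maxsign)
 {
  struct sshbuf *msg;
- int r, constrained = (life || confirm);
+ int r, constrained = (life || confirm || maxsign);
  u_char type;
 
  if ((msg = sshbuf_new()) == NULL)
@@ -447,11 +440,15 @@ ssh_add_identity_constrained(int sock, const struct sshkey *key,
 #endif
  case KEY_ED25519:
  case KEY_ED25519_CERT:
+ case KEY_XMSS:
+ case KEY_XMSS_CERT:
  type = constrained ?
  SSH2_AGENTC_ADD_ID_CONSTRAINED :
  SSH2_AGENTC_ADD_IDENTITY;
  if ((r = sshbuf_put_u8(msg, type)) != 0 ||
- (r = ssh_encode_identity_ssh2(msg, key, comment)) != 0)
+ (r = sshkey_private_serialize_maxsign(key, msg, maxsign,
+ NULL)) != 0 ||
+ (r = sshbuf_put_cstring(msg, comment)) != 0)
  goto out;
  break;
  default:
@@ -459,7 +456,7 @@ ssh_add_identity_constrained(int sock, const struct sshkey *key,
  goto out;
  }
  if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
  goto out;
  if ((r = ssh_request_reply(sock, msg, msg)) != 0)
  goto out;
@@ -537,7 +534,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
  (r = sshbuf_put_cstring(msg, pin)) != 0)
  goto out;
  if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, 0)) != 0)
  goto out;
  if ((r = ssh_request_reply(sock, msg, msg)) != 0)
  goto out;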