upstream: add new agent key constraint for U2F/FIDO provider

feedback & ok markus@ OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172
author: djm@openbsd.org <djm@openbsd.org> 2019-10-31 21:19:14 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-01 09:46:09 +1100
commit: b9dd14d3091e31fb836f69873d3aa622eb7b4a1c (patch)
tree: 5bfc91dba85b8ab3522431cc123fd0da63f8ed9a /authfd.c
parent: 884416bdb10468f1252e4d7c13d51b43dccba7f6 (diff)
1 files changed, 19 insertions, 6 deletions
diff --git a/authfd.c b/authfd.c
index a5162790f..1f0cd2ab3 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -423,7 +423,8 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
+    const char *provider)
 {
        int r;
@@ -441,6 +442,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
                    (r = sshbuf_put_u32(m, maxsign)) != 0)
                        goto out;
        }
+        if (provider != NULL) {
+                if ((r = sshbuf_put_u8(m,
+                    SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 ||
+                    (r = sshbuf_put_cstring(m,
+                    "sk-provider@openssh.com")) != 0 ||
+                    (r = sshbuf_put_cstring(m, provider)) != 0)
+                        goto out;
+        }
        r = 0;
 out:
        return r;
@@ -452,10 +461,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
 */
 int
 ssh_add_identity_constrained(int sock, struct sshkey *key,
-    const char *comment, u_int life, u_int confirm, u_int maxsign)
+    const char *comment, u_int life, u_int confirm, u_int maxsign,
+    const char *provider)
 {
        struct sshbuf *msg;
-        int r, constrained = (life || confirm || maxsign);
+        int r, constrained = (life || confirm || maxsign || provider);
        u_char type;
        if ((msg = sshbuf_new()) == NULL)
@@ -469,6 +479,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
        case KEY_DSA_CERT:
        case KEY_ECDSA:
        case KEY_ECDSA_CERT:
+        case KEY_ECDSA_SK:
+        case KEY_ECDSA_SK_CERT:
 #endif
        case KEY_ED25519:
        case KEY_ED25519_CERT:
@@ -488,7 +500,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
                goto out;
        }
        if (constrained &&
-            (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
+            (r = encode_constraints(msg, life, confirm, maxsign,
+            provider)) != 0)
                goto out;
        if ((r = ssh_request_reply(sock, msg, msg)) != 0)
                goto out;
@@ -566,7 +579,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
            (r = sshbuf_put_cstring(msg, pin)) != 0)
                goto out;
        if (constrained &&
-            (r = encode_constraints(msg, life, confirm, 0)) != 0)
+            (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0)
                goto out;
        if ((r = ssh_request_reply(sock, msg, msg)) != 0)
                goto out;
author	djm@openbsd.org <djm@openbsd.org>	2019-10-31 21:19:14 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-01 09:46:09 +1100
commit	b9dd14d3091e31fb836f69873d3aa622eb7b4a1c (patch)
tree	5bfc91dba85b8ab3522431cc123fd0da63f8ed9a /authfd.c
parent	884416bdb10468f1252e4d7c13d51b43dccba7f6 (diff)