upstream: Add experimental support for PQC XMSS keys (Extended

Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@

OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac

1 files changed, 19 insertions, 5 deletions

diff --git a/ssh-agent.c b/ssh-agent.c
index 39888a72c..2a4578b03 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.227 2018/01/23 05:27:21 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -245,7 +245,8 @@ process_request_identities(SocketEntry *e)
             (r = sshbuf_put_u32(msg, idtab->nentries)) != 0)
                 fatal("%s: buffer error: %s", __func__, ssh_err(r));
         TAILQ_FOREACH(id, &idtab->idlist, next) {
-                if ((r = sshkey_puts(id->key, msg)) != 0 ||
+                if ((r = sshkey_puts_opts(id->key, msg, SSHKEY_SERIALIZE_INFO))
+                     != 0 ||
                     (r = sshbuf_put_cstring(msg, id->comment)) != 0) {
                         error("%s: put key/comment: %s", __func__,
                             ssh_err(r));
@@ -402,7 +403,7 @@ process_add_identity(SocketEntry *e)
 {
         Identity *id;
         int success = 0, confirm = 0;
-        u_int seconds;
+        u_int seconds, maxsign;
         char *comment = NULL;
         time_t death = 0;
         struct sshkey *k = NULL;
@@ -433,6 +434,18 @@ process_add_identity(SocketEntry *e)
                 case SSH_AGENT_CONSTRAIN_CONFIRM:
                         confirm = 1;
                         break;
+                case SSH_AGENT_CONSTRAIN_MAXSIGN:
+                        if ((r = sshbuf_get_u32(e->request, &maxsign)) != 0) {
+                                error("%s: bad maxsign constraint: %s",
+                                    __func__, ssh_err(r));
+                                goto err;
+                        }
+                        if ((r = sshkey_enable_maxsign(k, maxsign)) != 0) {
+                                error("%s: cannot enable maxsign: %s",
+                                    __func__, ssh_err(r));
+                                goto err;
+                        }
+                        break;
                 default:
                         error("%s: Unknown constraint %d", __func__, ctype);
  err:
@@ -448,14 +461,15 @@ process_add_identity(SocketEntry *e)
                 death = monotime() + lifetime;
         if ((id = lookup_identity(k)) == NULL) {
                 id = xcalloc(1, sizeof(Identity));
-                id->key = k;
                 TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
                 /* Increment the number of identities. */
                 idtab->nentries++;
         } else {
-                sshkey_free(k);
+                /* key state might have been updated */
+                sshkey_free(id->key);
                 free(id->comment);
         }
+        id->key = k;
         id->comment = comment;
         id->death = death;
         id->confirm = confirm;