diff options
| -rw-r--r-- | authfd.c | 25 | ||||
| -rw-r--r-- | authfd.h | 6 | ||||
| -rw-r--r-- | ssh-add.c | 6 | ||||
| -rw-r--r-- | sshconnect.c | 4 |
4 files changed, 28 insertions, 13 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */ | 1 | /* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -423,7 +423,8 @@ ssh_agent_sign(int sock, const struct sshkey *key, | |||
| 423 | 423 | ||
| 424 | 424 | ||
| 425 | static int | 425 | static int |
| 426 | encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) | 426 | encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, |
| 427 | const char *provider) | ||
| 427 | { | 428 | { |
| 428 | int r; | 429 | int r; |
| 429 | 430 | ||
| @@ -441,6 +442,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) | |||
| 441 | (r = sshbuf_put_u32(m, maxsign)) != 0) | 442 | (r = sshbuf_put_u32(m, maxsign)) != 0) |
| 442 | goto out; | 443 | goto out; |
| 443 | } | 444 | } |
| 445 | if (provider != NULL) { | ||
| 446 | if ((r = sshbuf_put_u8(m, | ||
| 447 | SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 || | ||
| 448 | (r = sshbuf_put_cstring(m, | ||
| 449 | "sk-provider@openssh.com")) != 0 || | ||
| 450 | (r = sshbuf_put_cstring(m, provider)) != 0) | ||
| 451 | goto out; | ||
| 452 | } | ||
| 444 | r = 0; | 453 | r = 0; |
| 445 | out: | 454 | out: |
| 446 | return r; | 455 | return r; |
| @@ -452,10 +461,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) | |||
| 452 | */ | 461 | */ |
| 453 | int | 462 | int |
| 454 | ssh_add_identity_constrained(int sock, struct sshkey *key, | 463 | ssh_add_identity_constrained(int sock, struct sshkey *key, |
| 455 | const char *comment, u_int life, u_int confirm, u_int maxsign) | 464 | const char *comment, u_int life, u_int confirm, u_int maxsign, |
| 465 | const char *provider) | ||
| 456 | { | 466 | { |
| 457 | struct sshbuf *msg; | 467 | struct sshbuf *msg; |
| 458 | int r, constrained = (life || confirm || maxsign); | 468 | int r, constrained = (life || confirm || maxsign || provider); |
| 459 | u_char type; | 469 | u_char type; |
| 460 | 470 | ||
| 461 | if ((msg = sshbuf_new()) == NULL) | 471 | if ((msg = sshbuf_new()) == NULL) |
| @@ -469,6 +479,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, | |||
| 469 | case KEY_DSA_CERT: | 479 | case KEY_DSA_CERT: |
| 470 | case KEY_ECDSA: | 480 | case KEY_ECDSA: |
| 471 | case KEY_ECDSA_CERT: | 481 | case KEY_ECDSA_CERT: |
| 482 | case KEY_ECDSA_SK: | ||
| 483 | case KEY_ECDSA_SK_CERT: | ||
| 472 | #endif | 484 | #endif |
| 473 | case KEY_ED25519: | 485 | case KEY_ED25519: |
| 474 | case KEY_ED25519_CERT: | 486 | case KEY_ED25519_CERT: |
| @@ -488,7 +500,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, | |||
| 488 | goto out; | 500 | goto out; |
| 489 | } | 501 | } |
| 490 | if (constrained && | 502 | if (constrained && |
| 491 | (r = encode_constraints(msg, life, confirm, maxsign)) != 0) | 503 | (r = encode_constraints(msg, life, confirm, maxsign, |
| 504 | provider)) != 0) | ||
| 492 | goto out; | 505 | goto out; |
| 493 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) | 506 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) |
| 494 | goto out; | 507 | goto out; |
| @@ -566,7 +579,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, | |||
| 566 | (r = sshbuf_put_cstring(msg, pin)) != 0) | 579 | (r = sshbuf_put_cstring(msg, pin)) != 0) |
| 567 | goto out; | 580 | goto out; |
| 568 | if (constrained && | 581 | if (constrained && |
| 569 | (r = encode_constraints(msg, life, confirm, 0)) != 0) | 582 | (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0) |
| 570 | goto out; | 583 | goto out; |
| 571 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) | 584 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) |
| 572 | goto out; | 585 | goto out; |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: authfd.h,v 1.46 2019/09/03 08:29:15 djm Exp $ */ | 1 | /* $OpenBSD: authfd.h,v 1.47 2019/10/31 21:19:15 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -30,7 +30,8 @@ int ssh_lock_agent(int sock, int lock, const char *password); | |||
| 30 | int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp); | 30 | int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp); |
| 31 | void ssh_free_identitylist(struct ssh_identitylist *idl); | 31 | void ssh_free_identitylist(struct ssh_identitylist *idl); |
| 32 | int ssh_add_identity_constrained(int sock, struct sshkey *key, | 32 | int ssh_add_identity_constrained(int sock, struct sshkey *key, |
| 33 | const char *comment, u_int life, u_int confirm, u_int maxsign); | 33 | const char *comment, u_int life, u_int confirm, u_int maxsign, |
| 34 | const char *provider); | ||
| 34 | int ssh_agent_has_key(int sock, struct sshkey *key); | 35 | int ssh_agent_has_key(int sock, struct sshkey *key); |
| 35 | int ssh_remove_identity(int sock, struct sshkey *key); | 36 | int ssh_remove_identity(int sock, struct sshkey *key); |
| 36 | int ssh_update_card(int sock, int add, const char *reader_id, | 37 | int ssh_update_card(int sock, int add, const char *reader_id, |
| @@ -77,6 +78,7 @@ int ssh_agent_sign(int sock, const struct sshkey *key, | |||
| 77 | #define SSH_AGENT_CONSTRAIN_LIFETIME 1 | 78 | #define SSH_AGENT_CONSTRAIN_LIFETIME 1 |
| 78 | #define SSH_AGENT_CONSTRAIN_CONFIRM 2 | 79 | #define SSH_AGENT_CONSTRAIN_CONFIRM 2 |
| 79 | #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 | 80 | #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 |
| 81 | #define SSH_AGENT_CONSTRAIN_EXTENSION 255 | ||
| 80 | 82 | ||
| 81 | /* extended failure messages */ | 83 | /* extended failure messages */ |
| 82 | #define SSH2_AGENT_FAILURE 30 | 84 | #define SSH2_AGENT_FAILURE 30 |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-add.c,v 1.141 2019/09/06 05:23:55 djm Exp $ */ | 1 | /* $OpenBSD: ssh-add.c,v 1.142 2019/10/31 21:19:15 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -311,7 +311,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag) | |||
| 311 | } | 311 | } |
| 312 | 312 | ||
| 313 | if ((r = ssh_add_identity_constrained(agent_fd, private, comment, | 313 | if ((r = ssh_add_identity_constrained(agent_fd, private, comment, |
| 314 | lifetime, confirm, maxsign)) == 0) { | 314 | lifetime, confirm, maxsign, NULL)) == 0) { |
| 315 | ret = 0; | 315 | ret = 0; |
| 316 | if (!qflag) { | 316 | if (!qflag) { |
| 317 | fprintf(stderr, "Identity added: %s (%s)\n", | 317 | fprintf(stderr, "Identity added: %s (%s)\n", |
| @@ -364,7 +364,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag) | |||
| 364 | sshkey_free(cert); | 364 | sshkey_free(cert); |
| 365 | 365 | ||
| 366 | if ((r = ssh_add_identity_constrained(agent_fd, private, comment, | 366 | if ((r = ssh_add_identity_constrained(agent_fd, private, comment, |
| 367 | lifetime, confirm, maxsign)) != 0) { | 367 | lifetime, confirm, maxsign, NULL)) != 0) { |
| 368 | error("Certificate %s (%s) add failed: %s", certpath, | 368 | error("Certificate %s (%s) add failed: %s", certpath, |
| 369 | private->cert->key_id, ssh_err(r)); | 369 | private->cert->key_id, ssh_err(r)); |
| 370 | goto out; | 370 | goto out; |
diff --git a/sshconnect.c b/sshconnect.c index 6230dad32..223074bd6 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.319 2019/09/13 04:31:19 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.320 2019/10/31 21:19:15 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -1426,7 +1426,7 @@ maybe_add_key_to_agent(char *authfile, struct sshkey *private, | |||
| 1426 | } | 1426 | } |
| 1427 | 1427 | ||
| 1428 | if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0, | 1428 | if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0, |
| 1429 | (options.add_keys_to_agent == 3), 0)) == 0) | 1429 | (options.add_keys_to_agent == 3), 0, NULL)) == 0) |
| 1430 | debug("identity added to agent: %s", authfile); | 1430 | debug("identity added to agent: %s", authfile); |
| 1431 | else | 1431 | else |
| 1432 | debug("could not add identity to agent: %s (%d)", authfile, r); | 1432 | debug("could not add identity to agent: %s (%d)", authfile, r); |