summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog7
-rw-r--r--authfd.c67
-rw-r--r--authfd.h10
-rw-r--r--ssh-add.c24
-rw-r--r--ssh-agent.c67
5 files changed, 59 insertions, 116 deletions
diff --git a/ChangeLog b/ChangeLog
index eab258ada..8001c8847 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,11 @@
12 - markus@cvs.openbsd.org 2002/06/15 00:07:38 12 - markus@cvs.openbsd.org 2002/06/15 00:07:38
13 [authfd.c authfd.h ssh-add.c ssh-agent.c] 13 [authfd.c authfd.h ssh-add.c ssh-agent.c]
14 fix stupid typo 14 fix stupid typo
15 - markus@cvs.openbsd.org 2002/06/15 01:27:48
16 [authfd.c authfd.h ssh-add.c ssh-agent.c]
17 remove the CONSTRAIN_IDENTITY messages and introduce a new
18 ADD_ID message with contraints instead. contraints can be
19 only added together with the private key.
15 20
1620020613 2120020613
17 - (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com 22 - (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com
@@ -940,4 +945,4 @@
940 - (stevesk) entropy.c: typo in debug message 945 - (stevesk) entropy.c: typo in debug message
941 - (djm) ssh-keygen -i needs seeded RNG; report from markus@ 946 - (djm) ssh-keygen -i needs seeded RNG; report from markus@
942 947
943$Id: ChangeLog,v 1.2220 2002/06/21 00:06:54 mouring Exp $ 948$Id: ChangeLog,v 1.2221 2002/06/21 00:08:39 mouring Exp $
diff --git a/authfd.c b/authfd.c
index 14438ddf0..c8a952755 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: authfd.c,v 1.53 2002/06/15 00:07:38 markus Exp $"); 38RCSID("$OpenBSD: authfd.c,v 1.54 2002/06/15 01:27:48 markus Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41 41
@@ -439,8 +439,6 @@ ssh_agent_sign(AuthenticationConnection *auth,
439static void 439static void
440ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) 440ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
441{ 441{
442 buffer_clear(b);
443 buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
444 buffer_put_int(b, BN_num_bits(key->n)); 442 buffer_put_int(b, BN_num_bits(key->n));
445 buffer_put_bignum(b, key->n); 443 buffer_put_bignum(b, key->n);
446 buffer_put_bignum(b, key->e); 444 buffer_put_bignum(b, key->e);
@@ -455,8 +453,6 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
455static void 453static void
456ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) 454ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
457{ 455{
458 buffer_clear(b);
459 buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
460 buffer_put_cstring(b, key_ssh_name(key)); 456 buffer_put_cstring(b, key_ssh_name(key));
461 switch (key->type) { 457 switch (key->type) {
462 case KEY_RSA: 458 case KEY_RSA:
@@ -484,19 +480,28 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
484 */ 480 */
485 481
486int 482int
487ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) 483ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
484 const char *comment, u_int life)
488{ 485{
489 Buffer msg; 486 Buffer msg;
490 int type; 487 int type, constrained = (life != 0);
491 488
492 buffer_init(&msg); 489 buffer_init(&msg);
493 490
494 switch (key->type) { 491 switch (key->type) {
495 case KEY_RSA1: 492 case KEY_RSA1:
493 type = constrained ?
494 SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
495 SSH_AGENTC_ADD_RSA_IDENTITY;
496 buffer_put_char(&msg, type);
496 ssh_encode_identity_rsa1(&msg, key->rsa, comment); 497 ssh_encode_identity_rsa1(&msg, key->rsa, comment);
497 break; 498 break;
498 case KEY_RSA: 499 case KEY_RSA:
499 case KEY_DSA: 500 case KEY_DSA:
501 type = constrained ?
502 SSH2_AGENTC_ADD_ID_CONSTRAINED :
503 SSH2_AGENTC_ADD_IDENTITY;
504 buffer_put_char(&msg, type);
500 ssh_encode_identity_ssh2(&msg, key, comment); 505 ssh_encode_identity_ssh2(&msg, key, comment);
501 break; 506 break;
502 default: 507 default:
@@ -504,6 +509,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
504 return 0; 509 return 0;
505 break; 510 break;
506 } 511 }
512 if (constrained) {
513 if (life != 0) {
514 buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
515 buffer_put_int(&msg, life);
516 }
517 }
507 if (ssh_request_reply(auth, &msg, &msg) == 0) { 518 if (ssh_request_reply(auth, &msg, &msg) == 0) {
508 buffer_free(&msg); 519 buffer_free(&msg);
509 return 0; 520 return 0;
@@ -513,6 +524,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
513 return decode_reply(type); 524 return decode_reply(type);
514} 525}
515 526
527int
528ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
529{
530 return ssh_add_identity_constrained(auth, key, comment, 0);
531}
532
516/* 533/*
517 * Removes an identity from the authentication server. This call is not 534 * Removes an identity from the authentication server. This call is not
518 * meant to be used by normal applications. 535 * meant to be used by normal applications.
@@ -552,42 +569,6 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
552} 569}
553 570
554int 571int
555ssh_constrain_identity(AuthenticationConnection *auth, Key *key, u_int life)
556{
557 Buffer msg;
558 int type;
559 u_char *blob;
560 u_int blen;
561
562 buffer_init(&msg);
563
564 if (key->type == KEY_RSA1) {
565 buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY1);
566 buffer_put_int(&msg, BN_num_bits(key->rsa->n));
567 buffer_put_bignum(&msg, key->rsa->e);
568 buffer_put_bignum(&msg, key->rsa->n);
569 } else if (key->type == KEY_DSA || key->type == KEY_RSA) {
570 key_to_blob(key, &blob, &blen);
571 buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY);
572 buffer_put_string(&msg, blob, blen);
573 xfree(blob);
574 } else {
575 buffer_free(&msg);
576 return 0;
577 }
578 buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
579 buffer_put_int(&msg, life);
580
581 if (ssh_request_reply(auth, &msg, &msg) == 0) {
582 buffer_free(&msg);
583 return 0;
584 }
585 type = buffer_get_char(&msg);
586 buffer_free(&msg);
587 return decode_reply(type);
588}
589
590int
591ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) 572ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
592{ 573{
593 Buffer msg; 574 Buffer msg;
diff --git a/authfd.h b/authfd.h
index 496abc272..d7344bf4b 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfd.h,v 1.28 2002/06/15 00:07:38 markus Exp $ */ 1/* $OpenBSD: authfd.h,v 1.29 2002/06/15 01:27:48 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,9 +46,9 @@
46#define SSH_AGENTC_LOCK 22 46#define SSH_AGENTC_LOCK 22
47#define SSH_AGENTC_UNLOCK 23 47#define SSH_AGENTC_UNLOCK 23
48 48
49/* constrain key usage */ 49/* add key with constraints */
50#define SSH_AGENTC_CONSTRAIN_IDENTITY1 24 50#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
51#define SSH_AGENTC_CONSTRAIN_IDENTITY 25 51#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
52 52
53#define SSH_AGENT_CONSTRAIN_LIFETIME 1 53#define SSH_AGENT_CONSTRAIN_LIFETIME 1
54 54
@@ -75,7 +75,7 @@ int ssh_get_num_identities(AuthenticationConnection *, int);
75Key *ssh_get_first_identity(AuthenticationConnection *, char **, int); 75Key *ssh_get_first_identity(AuthenticationConnection *, char **, int);
76Key *ssh_get_next_identity(AuthenticationConnection *, char **, int); 76Key *ssh_get_next_identity(AuthenticationConnection *, char **, int);
77int ssh_add_identity(AuthenticationConnection *, Key *, const char *); 77int ssh_add_identity(AuthenticationConnection *, Key *, const char *);
78int ssh_constrain_identity(AuthenticationConnection *, Key *, u_int); 78int ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int);
79int ssh_remove_identity(AuthenticationConnection *, Key *); 79int ssh_remove_identity(AuthenticationConnection *, Key *);
80int ssh_remove_all_identities(AuthenticationConnection *, int); 80int ssh_remove_all_identities(AuthenticationConnection *, int);
81int ssh_lock_agent(AuthenticationConnection *, int, const char *); 81int ssh_lock_agent(AuthenticationConnection *, int, const char *);
diff --git a/ssh-add.c b/ssh-add.c
index 1ebd1fe2d..2085367ba 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: ssh-add.c,v 1.59 2002/06/15 00:07:38 markus Exp $"); 38RCSID("$OpenBSD: ssh-add.c,v 1.60 2002/06/15 01:27:48 markus Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41 41
@@ -164,22 +164,18 @@ add_file(AuthenticationConnection *ac, const char *filename)
164 strlcpy(msg, "Bad passphrase, try again: ", sizeof msg); 164 strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
165 } 165 }
166 } 166 }
167 if (ssh_add_identity(ac, private, comment)) { 167
168 if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
168 fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); 169 fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
169 ret = 0; 170 ret = 0;
170 } else 171 if (lifetime != 0)
172 fprintf(stderr,
173 "Lifetime set to %d seconds\n", lifetime);
174 } else if (ssh_add_identity(ac, private, comment)) {
175 fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
176 ret = 0;
177 } else {
171 fprintf(stderr, "Could not add identity: %s\n", filename); 178 fprintf(stderr, "Could not add identity: %s\n", filename);
172
173 if (ret == 0 && lifetime != 0) {
174 if (ssh_constrain_identity(ac, private, lifetime)) {
175 fprintf(stderr,
176 "Lifetime set to %d seconds for: %s (%s)\n",
177 lifetime, filename, comment);
178 } else {
179 fprintf(stderr,
180 "Could not set lifetime for identity: %s\n",
181 filename);
182 }
183 } 179 }
184 180
185 xfree(comment); 181 xfree(comment);
diff --git a/ssh-agent.c b/ssh-agent.c
index 991774aae..536db2de0 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
35 35
36#include "includes.h" 36#include "includes.h"
37#include "openbsd-compat/fake-queue.h" 37#include "openbsd-compat/fake-queue.h"
38RCSID("$OpenBSD: ssh-agent.c,v 1.93 2002/06/15 00:07:38 markus Exp $"); 38RCSID("$OpenBSD: ssh-agent.c,v 1.94 2002/06/15 01:27:48 markus Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41#include <openssl/md5.h> 41#include <openssl/md5.h>
@@ -395,7 +395,7 @@ process_add_identity(SocketEntry *e, int version)
395 Key *k = NULL; 395 Key *k = NULL;
396 char *type_name; 396 char *type_name;
397 char *comment; 397 char *comment;
398 int type, success = 0; 398 int type, success = 0, death = 0;
399 Idtab *tab = idtab_lookup(version); 399 Idtab *tab = idtab_lookup(version);
400 400
401 switch (version) { 401 switch (version) {
@@ -451,11 +451,20 @@ process_add_identity(SocketEntry *e, int version)
451 goto send; 451 goto send;
452 } 452 }
453 success = 1; 453 success = 1;
454 while (buffer_len(&e->request)) {
455 switch (buffer_get_char(&e->request)) {
456 case SSH_AGENT_CONSTRAIN_LIFETIME:
457 death = time(NULL) + buffer_get_int(&e->request);
458 break;
459 default:
460 break;
461 }
462 }
454 if (lookup_identity(k, version) == NULL) { 463 if (lookup_identity(k, version) == NULL) {
455 Identity *id = xmalloc(sizeof(Identity)); 464 Identity *id = xmalloc(sizeof(Identity));
456 id->key = k; 465 id->key = k;
457 id->comment = comment; 466 id->comment = comment;
458 id->death = 0; 467 id->death = death;
459 TAILQ_INSERT_TAIL(&tab->idlist, id, next); 468 TAILQ_INSERT_TAIL(&tab->idlist, id, next);
460 /* Increment the number of identities. */ 469 /* Increment the number of identities. */
461 tab->nentries++; 470 tab->nentries++;
@@ -469,50 +478,6 @@ send:
469 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); 478 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
470} 479}
471 480
472static void
473process_constrain_identity(SocketEntry *e, int version)
474{
475 Key *key = NULL;
476 u_char *blob;
477 u_int blen, bits, death = 0;
478 int success = 0;
479
480 switch (version) {
481 case 1:
482 key = key_new(KEY_RSA1);
483 bits = buffer_get_int(&e->request);
484 buffer_get_bignum(&e->request, key->rsa->e);
485 buffer_get_bignum(&e->request, key->rsa->n);
486
487 break;
488 case 2:
489 blob = buffer_get_string(&e->request, &blen);
490 key = key_from_blob(blob, blen);
491 xfree(blob);
492 break;
493 }
494 while (buffer_len(&e->request)) {
495 switch (buffer_get_char(&e->request)) {
496 case SSH_AGENT_CONSTRAIN_LIFETIME:
497 death = time(NULL) + buffer_get_int(&e->request);
498 break;
499 default:
500 break;
501 }
502 }
503 if (key != NULL) {
504 Identity *id = lookup_identity(key, version);
505 if (id != NULL && id->death == 0 && death != 0) {
506 id->death = death;
507 success = 1;
508 }
509 key_free(key);
510 }
511 buffer_put_int(&e->output, 1);
512 buffer_put_char(&e->output,
513 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
514}
515
516/* XXX todo: encrypt sensitive data with passphrase */ 481/* XXX todo: encrypt sensitive data with passphrase */
517static void 482static void
518process_lock_agent(SocketEntry *e, int lock) 483process_lock_agent(SocketEntry *e, int lock)
@@ -706,6 +671,7 @@ process_message(SocketEntry *e)
706 process_request_identities(e, 1); 671 process_request_identities(e, 1);
707 break; 672 break;
708 case SSH_AGENTC_ADD_RSA_IDENTITY: 673 case SSH_AGENTC_ADD_RSA_IDENTITY:
674 case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED:
709 process_add_identity(e, 1); 675 process_add_identity(e, 1);
710 break; 676 break;
711 case SSH_AGENTC_REMOVE_RSA_IDENTITY: 677 case SSH_AGENTC_REMOVE_RSA_IDENTITY:
@@ -714,9 +680,6 @@ process_message(SocketEntry *e)
714 case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES: 680 case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
715 process_remove_all_identities(e, 1); 681 process_remove_all_identities(e, 1);
716 break; 682 break;
717 case SSH_AGENTC_CONSTRAIN_IDENTITY1:
718 process_constrain_identity(e, 1);
719 break;
720 /* ssh2 */ 683 /* ssh2 */
721 case SSH2_AGENTC_SIGN_REQUEST: 684 case SSH2_AGENTC_SIGN_REQUEST:
722 process_sign_request2(e); 685 process_sign_request2(e);
@@ -725,6 +688,7 @@ process_message(SocketEntry *e)
725 process_request_identities(e, 2); 688 process_request_identities(e, 2);
726 break; 689 break;
727 case SSH2_AGENTC_ADD_IDENTITY: 690 case SSH2_AGENTC_ADD_IDENTITY:
691 case SSH2_AGENTC_ADD_ID_CONSTRAINED:
728 process_add_identity(e, 2); 692 process_add_identity(e, 2);
729 break; 693 break;
730 case SSH2_AGENTC_REMOVE_IDENTITY: 694 case SSH2_AGENTC_REMOVE_IDENTITY:
@@ -733,9 +697,6 @@ process_message(SocketEntry *e)
733 case SSH2_AGENTC_REMOVE_ALL_IDENTITIES: 697 case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
734 process_remove_all_identities(e, 2); 698 process_remove_all_identities(e, 2);
735 break; 699 break;
736 case SSH_AGENTC_CONSTRAIN_IDENTITY:
737 process_constrain_identity(e, 2);
738 break;
739#ifdef SMARTCARD 700#ifdef SMARTCARD
740 case SSH_AGENTC_ADD_SMARTCARD_KEY: 701 case SSH_AGENTC_ADD_SMARTCARD_KEY:
741 process_add_smartcard_key(e); 702 process_add_smartcard_key(e);