diff options
Diffstat (limited to 'authfd.c')
| -rw-r--r-- | authfd.c | 63 |
1 files changed, 46 insertions, 17 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */ | 1 | /* $OpenBSD: authfd.c,v 1.121 2019/12/21 02:19:13 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -44,8 +44,8 @@ | |||
| 44 | #include <fcntl.h> | 44 | #include <fcntl.h> |
| 45 | #include <stdlib.h> | 45 | #include <stdlib.h> |
| 46 | #include <signal.h> | 46 | #include <signal.h> |
| 47 | #include <stdarg.h> | ||
| 48 | #include <string.h> | 47 | #include <string.h> |
| 48 | #include <stdarg.h> | ||
| 49 | #include <unistd.h> | 49 | #include <unistd.h> |
| 50 | #include <errno.h> | 50 | #include <errno.h> |
| 51 | 51 | ||
| @@ -82,21 +82,16 @@ decode_reply(u_char type) | |||
| 82 | return SSH_ERR_INVALID_FORMAT; | 82 | return SSH_ERR_INVALID_FORMAT; |
| 83 | } | 83 | } |
| 84 | 84 | ||
| 85 | /* Returns the number of the authentication fd, or -1 if there is none. */ | 85 | /* |
| 86 | * Opens an authentication socket at the provided path and stores the file | ||
| 87 | * descriptor in fdp. Returns 0 on success and an error on failure. | ||
| 88 | */ | ||
| 86 | int | 89 | int |
| 87 | ssh_get_authentication_socket(int *fdp) | 90 | ssh_get_authentication_socket_path(const char *authsocket, int *fdp) |
| 88 | { | 91 | { |
| 89 | const char *authsocket; | ||
| 90 | int sock, oerrno; | 92 | int sock, oerrno; |
| 91 | struct sockaddr_un sunaddr; | 93 | struct sockaddr_un sunaddr; |
| 92 | 94 | ||
| 93 | if (fdp != NULL) | ||
| 94 | *fdp = -1; | ||
| 95 | |||
| 96 | authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME); | ||
| 97 | if (authsocket == NULL || *authsocket == '\0') | ||
| 98 | return SSH_ERR_AGENT_NOT_PRESENT; | ||
| 99 | |||
| 100 | memset(&sunaddr, 0, sizeof(sunaddr)); | 95 | memset(&sunaddr, 0, sizeof(sunaddr)); |
| 101 | sunaddr.sun_family = AF_UNIX; | 96 | sunaddr.sun_family = AF_UNIX; |
| 102 | strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); | 97 | strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); |
| @@ -119,6 +114,25 @@ ssh_get_authentication_socket(int *fdp) | |||
| 119 | return 0; | 114 | return 0; |
| 120 | } | 115 | } |
| 121 | 116 | ||
| 117 | /* | ||
| 118 | * Opens the default authentication socket and stores the file descriptor in | ||
| 119 | * fdp. Returns 0 on success and an error on failure. | ||
| 120 | */ | ||
| 121 | int | ||
| 122 | ssh_get_authentication_socket(int *fdp) | ||
| 123 | { | ||
| 124 | const char *authsocket; | ||
| 125 | |||
| 126 | if (fdp != NULL) | ||
| 127 | *fdp = -1; | ||
| 128 | |||
| 129 | authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME); | ||
| 130 | if (authsocket == NULL || *authsocket == '\0') | ||
| 131 | return SSH_ERR_AGENT_NOT_PRESENT; | ||
| 132 | |||
| 133 | return ssh_get_authentication_socket_path(authsocket, fdp); | ||
| 134 | } | ||
| 135 | |||
| 122 | /* Communicate with agent: send request and read reply */ | 136 | /* Communicate with agent: send request and read reply */ |
| 123 | static int | 137 | static int |
| 124 | ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply) | 138 | ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply) |
| @@ -423,7 +437,8 @@ ssh_agent_sign(int sock, const struct sshkey *key, | |||
| 423 | 437 | ||
| 424 | 438 | ||
| 425 | static int | 439 | static int |
| 426 | encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) | 440 | encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, |
| 441 | const char *provider) | ||
| 427 | { | 442 | { |
| 428 | int r; | 443 | int r; |
| 429 | 444 | ||
| @@ -441,6 +456,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) | |||
| 441 | (r = sshbuf_put_u32(m, maxsign)) != 0) | 456 | (r = sshbuf_put_u32(m, maxsign)) != 0) |
| 442 | goto out; | 457 | goto out; |
| 443 | } | 458 | } |
| 459 | if (provider != NULL) { | ||
| 460 | if ((r = sshbuf_put_u8(m, | ||
| 461 | SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 || | ||
| 462 | (r = sshbuf_put_cstring(m, | ||
| 463 | "sk-provider@openssh.com")) != 0 || | ||
| 464 | (r = sshbuf_put_cstring(m, provider)) != 0) | ||
| 465 | goto out; | ||
| 466 | } | ||
| 444 | r = 0; | 467 | r = 0; |
| 445 | out: | 468 | out: |
| 446 | return r; | 469 | return r; |
| @@ -452,10 +475,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) | |||
| 452 | */ | 475 | */ |
| 453 | int | 476 | int |
| 454 | ssh_add_identity_constrained(int sock, struct sshkey *key, | 477 | ssh_add_identity_constrained(int sock, struct sshkey *key, |
| 455 | const char *comment, u_int life, u_int confirm, u_int maxsign) | 478 | const char *comment, u_int life, u_int confirm, u_int maxsign, |
| 479 | const char *provider) | ||
| 456 | { | 480 | { |
| 457 | struct sshbuf *msg; | 481 | struct sshbuf *msg; |
| 458 | int r, constrained = (life || confirm || maxsign); | 482 | int r, constrained = (life || confirm || maxsign || provider); |
| 459 | u_char type; | 483 | u_char type; |
| 460 | 484 | ||
| 461 | if ((msg = sshbuf_new()) == NULL) | 485 | if ((msg = sshbuf_new()) == NULL) |
| @@ -469,9 +493,13 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, | |||
| 469 | case KEY_DSA_CERT: | 493 | case KEY_DSA_CERT: |
| 470 | case KEY_ECDSA: | 494 | case KEY_ECDSA: |
| 471 | case KEY_ECDSA_CERT: | 495 | case KEY_ECDSA_CERT: |
| 496 | case KEY_ECDSA_SK: | ||
| 497 | case KEY_ECDSA_SK_CERT: | ||
| 472 | #endif | 498 | #endif |
| 473 | case KEY_ED25519: | 499 | case KEY_ED25519: |
| 474 | case KEY_ED25519_CERT: | 500 | case KEY_ED25519_CERT: |
| 501 | case KEY_ED25519_SK: | ||
| 502 | case KEY_ED25519_SK_CERT: | ||
| 475 | case KEY_XMSS: | 503 | case KEY_XMSS: |
| 476 | case KEY_XMSS_CERT: | 504 | case KEY_XMSS_CERT: |
| 477 | type = constrained ? | 505 | type = constrained ? |
| @@ -488,7 +516,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, | |||
| 488 | goto out; | 516 | goto out; |
| 489 | } | 517 | } |
| 490 | if (constrained && | 518 | if (constrained && |
| 491 | (r = encode_constraints(msg, life, confirm, maxsign)) != 0) | 519 | (r = encode_constraints(msg, life, confirm, maxsign, |
| 520 | provider)) != 0) | ||
| 492 | goto out; | 521 | goto out; |
| 493 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) | 522 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) |
| 494 | goto out; | 523 | goto out; |
| @@ -566,7 +595,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, | |||
| 566 | (r = sshbuf_put_cstring(msg, pin)) != 0) | 595 | (r = sshbuf_put_cstring(msg, pin)) != 0) |
| 567 | goto out; | 596 | goto out; |
| 568 | if (constrained && | 597 | if (constrained && |
| 569 | (r = encode_constraints(msg, life, confirm, 0)) != 0) | 598 | (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0) |
| 570 | goto out; | 599 | goto out; |
| 571 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) | 600 | if ((r = ssh_request_reply(sock, msg, msg)) != 0) |
| 572 | goto out; | 601 | goto out; |