Diffstat (limited to 'authfd.c')
-rw-r--r--authfd.c43
1 files changed, 19 insertions, 24 deletions
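diff --git a/authfd.c b/authfd.c
index a460fa350..1eff7ba94 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.105 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.108 2018/02/23 15:58:37 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -129,7 +129,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 
  /* Get the length of the message, and format it in the buffer. */
  len = sshbuf_len(request);
- put_u32(buf, len);
+ POKE_U32(buf, len);
 
  /* Send the length and then the packet to the agent. */
  if (atomicio(vwrite, sock, buf, 4) != 4 ||
@@ -144,7 +144,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
  return SSH_ERR_AGENT_COMMUNICATION;
 
  /* Extract the length, and check it for sanity. */
- len = get_u32(buf);
+ len = PEEK_U32(buf);
  if (len > MAX_AGENT_REPLY_LEN)
  return SSH_ERR_INVALID_FORMAT;
 
@@ -353,8 +353,6 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 
  if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
  return SSH_ERR_INVALID_ARGUMENT;
- if (compat & SSH_BUG_SIGBLOB)
- flags |= SSH_AGENT_OLD_SIGNATURE;
  if ((msg = sshbuf_new()) == NULL)
  return SSH_ERR_ALLOC_FAIL;
  if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
@@ -393,19 +391,7 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 
 
 static int
-ssh_encode_identity_ssh2(struct sshbuf *b, struct sshkey *key,
- const char *comment)
-{
- int r;
-
- if ((r = sshkey_private_serialize(key, b)) != 0 ||
- (r = sshbuf_put_cstring(b, comment)) != 0)
- return r;
- return 0;
-}
-
-static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
 {
  int r;
 
@@ -418,6 +404,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
  if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_CONFIRM)) != 0)
  goto out;
  }
+ if (maxsign != 0) {
+ if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_MAXSIGN)) != 0 ||
+ (r = sshbuf_put_u32(m, maxsign)) != 0)
+ goto out;
+ }
  r = 0;
  out:
  return r;
@@ -428,11 +419,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
  * This call is intended only for use by ssh-add(1) and like applications.
  */
 int
-ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
- u_int life, u_int confirm)
+ssh_add_identity_constrained(int sock, const struct sshkey *key,
+ const char *comment, u_int life, u_int confirm, u_int maxsign)
 {
  struct sshbuf *msg;
- int r, constrained = (life || confirm);
+ int r, constrained = (life || confirm || maxsign);
  u_char type;
 
  if ((msg = sshbuf_new()) == NULL)
@@ -449,11 +440,15 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
 #endif
  case KEY_ED25519:
  case KEY_ED25519_CERT:
+ case KEY_XMSS:
+ case KEY_XMSS_CERT:
  type = constrained ?
  SSH2_AGENTC_ADD_ID_CONSTRAINED :
  SSH2_AGENTC_ADD_IDENTITY;
  if ((r = sshbuf_put_u8(msg, type)) != 0 ||
- (r = ssh_encode_identity_ssh2(msg, key, comment)) != 0)
+ (r = sshkey_private_serialize_maxsign(key, msg, maxsign,
+ NULL)) != 0 ||
+ (r = sshbuf_put_cstring(msg, comment)) != 0)
  goto out;
  break;
  default:
@@ -461,7 +456,7 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
  goto out;
  }
  if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
  goto out;
  if ((r = ssh_request_reply(sock, msg, msg)) != 0)
  goto out;
@@ -539,7 +534,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
  (r = sshbuf_put_cstring(msg, pin)) != 0)
  goto out;
  if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, 0)) != 0)
  goto out;
  if ((r = ssh_request_reply(sock, msg, msg)) != 0)
  goto out;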
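Review bot: The new `maxsign` argument of ssh_add_identity_constrained() is undocumented, and it takes effect for every key type in the switch, not only the `KEY_XMSS`/`KEY_XMSS_CERT` cases added in the same commit. Because `constrained = (life || confirm || maxsign)`, a non-zero value for any listed key type switches the request to `SSH2_AGENTC_ADD_ID_CONSTRAINED` and makes encode_constraints() append `SSH_AGENT_CONSTRAIN_MAXSIGN`; how the agent handles that constraint for other key types is not visible on this page. I would extend the comment above the function with something like `maxsign: limit sent to the agent as SSH_AGENT_CONSTRAIN_MAXSIGN; 0 sends no such constraint`. If the limit is presumably meant for XMSS keys only, that comment should say so. The function's body starts and ends outside the hunks shown, so any existing handling of this elsewhere in the file cannot be ruled out.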