Diffstat (limited to 'authfd.c')
-rw-r--r--authfd.c63
1 files changed, 46 insertions, 17 deletions
diff --git a/authfd.c b/authfd.c
index a5162790f..05fd45401 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */ 1/* $OpenBSD: authfd.c,v 1.121 2019/12/21 02:19:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -44,8 +44,8 @@
44#include <fcntl.h> 44#include <fcntl.h>
45#include <stdlib.h> 45#include <stdlib.h>
46#include <signal.h> 46#include <signal.h>
47#include <stdarg.h>
48#include <string.h> 47#include <string.h>
48#include <stdarg.h>
49#include <unistd.h> 49#include <unistd.h>
50#include <errno.h> 50#include <errno.h>
51 51
@@ -82,21 +82,16 @@ decode_reply(u_char type)
82 return SSH_ERR_INVALID_FORMAT; 82 return SSH_ERR_INVALID_FORMAT;
83} 83}
84 84
85/* Returns the number of the authentication fd, or -1 if there is none. */ 85/*
86 * Opens an authentication socket at the provided path and stores the file
87 * descriptor in fdp. Returns 0 on success and an error on failure.
88 */
86int 89int
87ssh_get_authentication_socket(int *fdp) 90ssh_get_authentication_socket_path(const char *authsocket, int *fdp)
88{ 91{
89 const char *authsocket;
90 int sock, oerrno; 92 int sock, oerrno;
91 struct sockaddr_un sunaddr; 93 struct sockaddr_un sunaddr;
92 94
93 if (fdp != NULL)
94 *fdp = -1;
95
96 authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
97 if (authsocket == NULL || *authsocket == '\0')
98 return SSH_ERR_AGENT_NOT_PRESENT;
99
100 memset(&sunaddr, 0, sizeof(sunaddr)); 95 memset(&sunaddr, 0, sizeof(sunaddr));
101 sunaddr.sun_family = AF_UNIX; 96 sunaddr.sun_family = AF_UNIX;
102 strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); 97 strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
@@ -119,6 +114,25 @@ ssh_get_authentication_socket(int *fdp)
119 return 0; 114 return 0;
120} 115}
121 116
117/*
118 * Opens the default authentication socket and stores the file descriptor in
119 * fdp. Returns 0 on success and an error on failure.
120 */
121int
122ssh_get_authentication_socket(int *fdp)
123{
124 const char *authsocket;
125
126 if (fdp != NULL)
127 *fdp = -1;
128
129 authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
130 if (authsocket == NULL || *authsocket == '\0')
131 return SSH_ERR_AGENT_NOT_PRESENT;
132
133 return ssh_get_authentication_socket_path(authsocket, fdp);
134}
135
122/* Communicate with agent: send request and read reply */ 136/* Communicate with agent: send request and read reply */
123static int 137static int
124ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply) 138ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
@@ -423,7 +437,8 @@ ssh_agent_sign(int sock, const struct sshkey *key,
423 437
424 438
425static int 439static int
426encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) 440encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
441 const char *provider)
427{ 442{
428 int r; 443 int r;
429 444
@@ -441,6 +456,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
441 (r = sshbuf_put_u32(m, maxsign)) != 0) 456 (r = sshbuf_put_u32(m, maxsign)) != 0)
442 goto out; 457 goto out;
443 } 458 }
459 if (provider != NULL) {
460 if ((r = sshbuf_put_u8(m,
461 SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 ||
462 (r = sshbuf_put_cstring(m,
463 "sk-provider@openssh.com")) != 0 ||
464 (r = sshbuf_put_cstring(m, provider)) != 0)
465 goto out;
466 }
444 r = 0; 467 r = 0;
445 out: 468 out:
446 return r; 469 return r;
@@ -452,10 +475,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
452 */ 475 */
453int 476int
454ssh_add_identity_constrained(int sock, struct sshkey *key, 477ssh_add_identity_constrained(int sock, struct sshkey *key,
455 const char *comment, u_int life, u_int confirm, u_int maxsign) 478 const char *comment, u_int life, u_int confirm, u_int maxsign,
479 const char *provider)
456{ 480{
457 struct sshbuf *msg; 481 struct sshbuf *msg;
458 int r, constrained = (life || confirm || maxsign); 482 int r, constrained = (life || confirm || maxsign || provider);
459 u_char type; 483 u_char type;
460 484
461 if ((msg = sshbuf_new()) == NULL) 485 if ((msg = sshbuf_new()) == NULL)
@@ -469,9 +493,13 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
469 case KEY_DSA_CERT: 493 case KEY_DSA_CERT:
470 case KEY_ECDSA: 494 case KEY_ECDSA:
471 case KEY_ECDSA_CERT: 495 case KEY_ECDSA_CERT:
496 case KEY_ECDSA_SK:
497 case KEY_ECDSA_SK_CERT:
472#endif 498#endif
473 case KEY_ED25519: 499 case KEY_ED25519:
474 case KEY_ED25519_CERT: 500 case KEY_ED25519_CERT:
501 case KEY_ED25519_SK:
502 case KEY_ED25519_SK_CERT:
475 case KEY_XMSS: 503 case KEY_XMSS:
476 case KEY_XMSS_CERT: 504 case KEY_XMSS_CERT:
477 type = constrained ? 505 type = constrained ?
@@ -488,7 +516,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
488 goto out; 516 goto out;
489 } 517 }
490 if (constrained && 518 if (constrained &&
491 (r = encode_constraints(msg, life, confirm, maxsign)) != 0) 519 (r = encode_constraints(msg, life, confirm, maxsign,
520 provider)) != 0)
492 goto out; 521 goto out;
493 if ((r = ssh_request_reply(sock, msg, msg)) != 0) 522 if ((r = ssh_request_reply(sock, msg, msg)) != 0)
494 goto out; 523 goto out;
@@ -566,7 +595,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
566 (r = sshbuf_put_cstring(msg, pin)) != 0) 595 (r = sshbuf_put_cstring(msg, pin)) != 0)
567 goto out; 596 goto out;
568 if (constrained && 597 if (constrained &&
569 (r = encode_constraints(msg, life, confirm, 0)) != 0) 598 (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0)
570 goto out; 599 goto out;
571 if ((r = ssh_request_reply(sock, msg, msg)) != 0) 600 if ((r = ssh_request_reply(sock, msg, msg)) != 0)
572 goto out; 601 goto out;