From b9dd14d3091e31fb836f69873d3aa622eb7b4a1c Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 31 Oct 2019 21:19:14 +0000 Subject: upstream: add new agent key constraint for U2F/FIDO provider feedback & ok markus@ OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172 --- authfd.c | 25 +++++++++++++++++++------ authfd.h | 6 ++++-- ssh-add.c | 6 +++--- sshconnect.c | 4 ++-- 4 files changed, 28 insertions(+), 13 deletions(-) diff --git a/authfd.c b/authfd.c index a5162790f..1f0cd2ab3 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */ +/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -423,7 +423,8 @@ ssh_agent_sign(int sock, const struct sshkey *key, static int -encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) +encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, + const char *provider) { int r; @@ -441,6 +442,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) (r = sshbuf_put_u32(m, maxsign)) != 0) goto out; } + if (provider != NULL) { + if ((r = sshbuf_put_u8(m, + SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 || + (r = sshbuf_put_cstring(m, + "sk-provider@openssh.com")) != 0 || + (r = sshbuf_put_cstring(m, provider)) != 0) + goto out; + } r = 0; out: return r; @@ -452,10 +461,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) */ int ssh_add_identity_constrained(int sock, struct sshkey *key, - const char *comment, u_int life, u_int confirm, u_int maxsign) + const char *comment, u_int life, u_int confirm, u_int maxsign, + const char *provider) { struct sshbuf *msg; - int r, constrained = (life || confirm || maxsign); + int r, constrained = (life || confirm || maxsign || provider); u_char type; if ((msg = sshbuf_new()) == NULL) @@ -469,6 +479,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, case KEY_DSA_CERT: case KEY_ECDSA: case KEY_ECDSA_CERT: + case KEY_ECDSA_SK: + case KEY_ECDSA_SK_CERT: #endif case KEY_ED25519: case KEY_ED25519_CERT: @@ -488,7 +500,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, goto out; } if (constrained && - (r = encode_constraints(msg, life, confirm, maxsign)) != 0) + (r = encode_constraints(msg, life, confirm, maxsign, + provider)) != 0) goto out; if ((r = ssh_request_reply(sock, msg, msg)) != 0) goto out; @@ -566,7 +579,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, (r = sshbuf_put_cstring(msg, pin)) != 0) goto out; if (constrained && - (r = encode_constraints(msg, life, confirm, 0)) != 0) + (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0) goto out; if ((r = ssh_request_reply(sock, msg, msg)) != 0) goto out; diff --git a/authfd.h b/authfd.h index 579076504..443771a00 100644 --- a/authfd.h +++ b/authfd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.46 2019/09/03 08:29:15 djm Exp $ */ +/* $OpenBSD: authfd.h,v 1.47 2019/10/31 21:19:15 djm Exp $ */ /* * Author: Tatu Ylonen @@ -30,7 +30,8 @@ int ssh_lock_agent(int sock, int lock, const char *password); int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp); void ssh_free_identitylist(struct ssh_identitylist *idl); int ssh_add_identity_constrained(int sock, struct sshkey *key, - const char *comment, u_int life, u_int confirm, u_int maxsign); + const char *comment, u_int life, u_int confirm, u_int maxsign, + const char *provider); int ssh_agent_has_key(int sock, struct sshkey *key); int ssh_remove_identity(int sock, struct sshkey *key); int ssh_update_card(int sock, int add, const char *reader_id, @@ -77,6 +78,7 @@ int ssh_agent_sign(int sock, const struct sshkey *key, #define SSH_AGENT_CONSTRAIN_LIFETIME 1 #define SSH_AGENT_CONSTRAIN_CONFIRM 2 #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 +#define SSH_AGENT_CONSTRAIN_EXTENSION 255 /* extended failure messages */ #define SSH2_AGENT_FAILURE 30 diff --git a/ssh-add.c b/ssh-add.c index ebfb8a32b..2c65d0272 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.141 2019/09/06 05:23:55 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.142 2019/10/31 21:19:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -311,7 +311,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag) } if ((r = ssh_add_identity_constrained(agent_fd, private, comment, - lifetime, confirm, maxsign)) == 0) { + lifetime, confirm, maxsign, NULL)) == 0) { ret = 0; if (!qflag) { fprintf(stderr, "Identity added: %s (%s)\n", @@ -364,7 +364,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag) sshkey_free(cert); if ((r = ssh_add_identity_constrained(agent_fd, private, comment, - lifetime, confirm, maxsign)) != 0) { + lifetime, confirm, maxsign, NULL)) != 0) { error("Certificate %s (%s) add failed: %s", certpath, private->cert->key_id, ssh_err(r)); goto out; diff --git a/sshconnect.c b/sshconnect.c index 6230dad32..223074bd6 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.319 2019/09/13 04:31:19 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.320 2019/10/31 21:19:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1426,7 +1426,7 @@ maybe_add_key_to_agent(char *authfile, struct sshkey *private, } if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0, - (options.add_keys_to_agent == 3), 0)) == 0) + (options.add_keys_to_agent == 3), 0, NULL)) == 0) debug("identity added to agent: %s", authfile); else debug("could not add identity to agent: %s (%d)", authfile, r); -- cgit v1.2.3