diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-10-31 21:19:14 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-11-01 09:46:09 +1100 |
| commit | b9dd14d3091e31fb836f69873d3aa622eb7b4a1c (patch) | |
| tree | 5bfc91dba85b8ab3522431cc123fd0da63f8ed9a /authfd.c | |
| parent | 884416bdb10468f1252e4d7c13d51b43dccba7f6 (diff) | |
| download | openssh-git-b9dd14d3091e31fb836f69873d3aa622eb7b4a1c.tar.gz | |
upstream: add new agent key constraint for U2F/FIDO provider
feedback & ok markus@
OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172
Diffstat (limited to 'authfd.c')
| -rw-r--r-- | authfd.c | 25 |
1 files changed, 19 insertions, 6 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */ +/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -423,7 +423,8 @@ ssh_agent_sign(int sock, const struct sshkey *key, static int -encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) +encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, + const char *provider) { int r; @@ -441,6 +442,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) (r = sshbuf_put_u32(m, maxsign)) != 0) goto out; } + if (provider != NULL) { + if ((r = sshbuf_put_u8(m, + SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 || + (r = sshbuf_put_cstring(m, + "sk-provider@openssh.com")) != 0 || + (r = sshbuf_put_cstring(m, provider)) != 0) + goto out; + } r = 0; out: return r; @@ -452,10 +461,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign) */ int ssh_add_identity_constrained(int sock, struct sshkey *key, - const char *comment, u_int life, u_int confirm, u_int maxsign) + const char *comment, u_int life, u_int confirm, u_int maxsign, + const char *provider) { struct sshbuf *msg; - int r, constrained = (life || confirm || maxsign); + int r, constrained = (life || confirm || maxsign || provider); u_char type; if ((msg = sshbuf_new()) == NULL) @@ -469,6 +479,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, case KEY_DSA_CERT: case KEY_ECDSA: case KEY_ECDSA_CERT: + case KEY_ECDSA_SK: + case KEY_ECDSA_SK_CERT: #endif case KEY_ED25519: case KEY_ED25519_CERT: @@ -488,7 +500,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, goto out; } if (constrained && - (r = encode_constraints(msg, life, confirm, maxsign)) != 0) + (r = encode_constraints(msg, life, confirm, maxsign, + provider)) != 0) goto out; if ((r = ssh_request_reply(sock, msg, msg)) != 0) goto out; @@ -566,7 +579,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, (r = sshbuf_put_cstring(msg, pin)) != 0) goto out; if (constrained && - (r = encode_constraints(msg, life, confirm, 0)) != 0) + (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0) goto out; if ((r = ssh_request_reply(sock, msg, msg)) != 0) goto out; |