From 2b266b7f083e969cba04a035eba46a6d96c0c1e3 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Fri, 21 Jun 2002 00:08:39 +0000 Subject: [PATCH] - markus@cvs.openbsd.org 2002/06/15 01:27:48 [authfd.c authfd.h ssh-add.c ssh-agent.c] remove the CONSTRAIN_IDENTITY messages and introduce a new ADD_ID message with contraints instead. contraints can be only added together with the private key. --- ChangeLog | 7 +++++- authfd.c | 67 ++++++++++++++++++-------------------------------- authfd.h | 10 ++++---- ssh-add.c | 24 ++++++++---------- ssh-agent.c | 71 ++++++++++++----------------------------------------- 5 files changed, 61 insertions(+), 118 deletions(-) diff --git a/ChangeLog b/ChangeLog index eab258ada..8001c8847 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,11 @@ - markus@cvs.openbsd.org 2002/06/15 00:07:38 [authfd.c authfd.h ssh-add.c ssh-agent.c] fix stupid typo + - markus@cvs.openbsd.org 2002/06/15 01:27:48 + [authfd.c authfd.h ssh-add.c ssh-agent.c] + remove the CONSTRAIN_IDENTITY messages and introduce a new + ADD_ID message with contraints instead. contraints can be + only added together with the private key. 20020613 - (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com @@ -940,4 +945,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2220 2002/06/21 00:06:54 mouring Exp $ +$Id: ChangeLog,v 1.2221 2002/06/21 00:08:39 mouring Exp $ diff --git a/authfd.c b/authfd.c index 14438ddf0..c8a952755 100644 --- a/authfd.c +++ b/authfd.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.53 2002/06/15 00:07:38 markus Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.54 2002/06/15 01:27:48 markus Exp $"); #include @@ -439,8 +439,6 @@ ssh_agent_sign(AuthenticationConnection *auth, static void ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) { - buffer_clear(b); - buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY); buffer_put_int(b, BN_num_bits(key->n)); buffer_put_bignum(b, key->n); buffer_put_bignum(b, key->e); @@ -455,8 +453,6 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) static void ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { - buffer_clear(b); - buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY); buffer_put_cstring(b, key_ssh_name(key)); switch (key->type) { case KEY_RSA: @@ -484,19 +480,28 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) */ int -ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) +ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, + const char *comment, u_int life) { Buffer msg; - int type; + int type, constrained = (life != 0); buffer_init(&msg); switch (key->type) { case KEY_RSA1: + type = constrained ? + SSH_AGENTC_ADD_RSA_ID_CONSTRAINED : + SSH_AGENTC_ADD_RSA_IDENTITY; + buffer_put_char(&msg, type); ssh_encode_identity_rsa1(&msg, key->rsa, comment); break; case KEY_RSA: case KEY_DSA: + type = constrained ? + SSH2_AGENTC_ADD_ID_CONSTRAINED : + SSH2_AGENTC_ADD_IDENTITY; + buffer_put_char(&msg, type); ssh_encode_identity_ssh2(&msg, key, comment); break; default: @@ -504,6 +509,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) return 0; break; } + if (constrained) { + if (life != 0) { + buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); + buffer_put_int(&msg, life); + } + } if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); return 0; @@ -513,6 +524,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) return decode_reply(type); } +int +ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) +{ + return ssh_add_identity_constrained(auth, key, comment, 0); +} + /* * Removes an identity from the authentication server. This call is not * meant to be used by normal applications. @@ -551,42 +568,6 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) return decode_reply(type); } -int -ssh_constrain_identity(AuthenticationConnection *auth, Key *key, u_int life) -{ - Buffer msg; - int type; - u_char *blob; - u_int blen; - - buffer_init(&msg); - - if (key->type == KEY_RSA1) { - buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY1); - buffer_put_int(&msg, BN_num_bits(key->rsa->n)); - buffer_put_bignum(&msg, key->rsa->e); - buffer_put_bignum(&msg, key->rsa->n); - } else if (key->type == KEY_DSA || key->type == KEY_RSA) { - key_to_blob(key, &blob, &blen); - buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY); - buffer_put_string(&msg, blob, blen); - xfree(blob); - } else { - buffer_free(&msg); - return 0; - } - buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); - buffer_put_int(&msg, life); - - if (ssh_request_reply(auth, &msg, &msg) == 0) { - buffer_free(&msg); - return 0; - } - type = buffer_get_char(&msg); - buffer_free(&msg); - return decode_reply(type); -} - int ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) { diff --git a/authfd.h b/authfd.h index 496abc272..d7344bf4b 100644 --- a/authfd.h +++ b/authfd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.28 2002/06/15 00:07:38 markus Exp $ */ +/* $OpenBSD: authfd.h,v 1.29 2002/06/15 01:27:48 markus Exp $ */ /* * Author: Tatu Ylonen @@ -46,9 +46,9 @@ #define SSH_AGENTC_LOCK 22 #define SSH_AGENTC_UNLOCK 23 -/* constrain key usage */ -#define SSH_AGENTC_CONSTRAIN_IDENTITY1 24 -#define SSH_AGENTC_CONSTRAIN_IDENTITY 25 +/* add key with constraints */ +#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24 +#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 #define SSH_AGENT_CONSTRAIN_LIFETIME 1 @@ -75,7 +75,7 @@ int ssh_get_num_identities(AuthenticationConnection *, int); Key *ssh_get_first_identity(AuthenticationConnection *, char **, int); Key *ssh_get_next_identity(AuthenticationConnection *, char **, int); int ssh_add_identity(AuthenticationConnection *, Key *, const char *); -int ssh_constrain_identity(AuthenticationConnection *, Key *, u_int); +int ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int); int ssh_remove_identity(AuthenticationConnection *, Key *); int ssh_remove_all_identities(AuthenticationConnection *, int); int ssh_lock_agent(AuthenticationConnection *, int, const char *); diff --git a/ssh-add.c b/ssh-add.c index 1ebd1fe2d..2085367ba 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.59 2002/06/15 00:07:38 markus Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.60 2002/06/15 01:27:48 markus Exp $"); #include @@ -164,22 +164,18 @@ add_file(AuthenticationConnection *ac, const char *filename) strlcpy(msg, "Bad passphrase, try again: ", sizeof msg); } } - if (ssh_add_identity(ac, private, comment)) { + + if (ssh_add_identity_constrained(ac, private, comment, lifetime)) { fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); ret = 0; - } else + if (lifetime != 0) + fprintf(stderr, + "Lifetime set to %d seconds\n", lifetime); + } else if (ssh_add_identity(ac, private, comment)) { + fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); + ret = 0; + } else { fprintf(stderr, "Could not add identity: %s\n", filename); - - if (ret == 0 && lifetime != 0) { - if (ssh_constrain_identity(ac, private, lifetime)) { - fprintf(stderr, - "Lifetime set to %d seconds for: %s (%s)\n", - lifetime, filename, comment); - } else { - fprintf(stderr, - "Could not set lifetime for identity: %s\n", - filename); - } } xfree(comment); diff --git a/ssh-agent.c b/ssh-agent.c index 991774aae..536db2de0 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/fake-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.93 2002/06/15 00:07:38 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.94 2002/06/15 01:27:48 markus Exp $"); #include #include @@ -395,7 +395,7 @@ process_add_identity(SocketEntry *e, int version) Key *k = NULL; char *type_name; char *comment; - int type, success = 0; + int type, success = 0, death = 0; Idtab *tab = idtab_lookup(version); switch (version) { @@ -451,46 +451,6 @@ process_add_identity(SocketEntry *e, int version) goto send; } success = 1; - if (lookup_identity(k, version) == NULL) { - Identity *id = xmalloc(sizeof(Identity)); - id->key = k; - id->comment = comment; - id->death = 0; - TAILQ_INSERT_TAIL(&tab->idlist, id, next); - /* Increment the number of identities. */ - tab->nentries++; - } else { - key_free(k); - xfree(comment); - } -send: - buffer_put_int(&e->output, 1); - buffer_put_char(&e->output, - success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); -} - -static void -process_constrain_identity(SocketEntry *e, int version) -{ - Key *key = NULL; - u_char *blob; - u_int blen, bits, death = 0; - int success = 0; - - switch (version) { - case 1: - key = key_new(KEY_RSA1); - bits = buffer_get_int(&e->request); - buffer_get_bignum(&e->request, key->rsa->e); - buffer_get_bignum(&e->request, key->rsa->n); - - break; - case 2: - blob = buffer_get_string(&e->request, &blen); - key = key_from_blob(blob, blen); - xfree(blob); - break; - } while (buffer_len(&e->request)) { switch (buffer_get_char(&e->request)) { case SSH_AGENT_CONSTRAIN_LIFETIME: @@ -500,14 +460,19 @@ process_constrain_identity(SocketEntry *e, int version) break; } } - if (key != NULL) { - Identity *id = lookup_identity(key, version); - if (id != NULL && id->death == 0 && death != 0) { - id->death = death; - success = 1; - } - key_free(key); + if (lookup_identity(k, version) == NULL) { + Identity *id = xmalloc(sizeof(Identity)); + id->key = k; + id->comment = comment; + id->death = death; + TAILQ_INSERT_TAIL(&tab->idlist, id, next); + /* Increment the number of identities. */ + tab->nentries++; + } else { + key_free(k); + xfree(comment); } +send: buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -706,6 +671,7 @@ process_message(SocketEntry *e) process_request_identities(e, 1); break; case SSH_AGENTC_ADD_RSA_IDENTITY: + case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED: process_add_identity(e, 1); break; case SSH_AGENTC_REMOVE_RSA_IDENTITY: @@ -714,9 +680,6 @@ process_message(SocketEntry *e) case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES: process_remove_all_identities(e, 1); break; - case SSH_AGENTC_CONSTRAIN_IDENTITY1: - process_constrain_identity(e, 1); - break; /* ssh2 */ case SSH2_AGENTC_SIGN_REQUEST: process_sign_request2(e); @@ -725,6 +688,7 @@ process_message(SocketEntry *e) process_request_identities(e, 2); break; case SSH2_AGENTC_ADD_IDENTITY: + case SSH2_AGENTC_ADD_ID_CONSTRAINED: process_add_identity(e, 2); break; case SSH2_AGENTC_REMOVE_IDENTITY: @@ -733,9 +697,6 @@ process_message(SocketEntry *e) case SSH2_AGENTC_REMOVE_ALL_IDENTITIES: process_remove_all_identities(e, 2); break; - case SSH_AGENTC_CONSTRAIN_IDENTITY: - process_constrain_identity(e, 2); - break; #ifdef SMARTCARD case SSH_AGENTC_ADD_SMARTCARD_KEY: process_add_smartcard_key(e);