mirror of git://anongit.mindrot.org/openssh.git
upstream: add new agent key constraint for U2F/FIDO provider
feedback & ok markus@ OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172
parent
884416bdb1
commit
b9dd14d309
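--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -423,7 +423,8 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 
 
 static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
+const char *provider)
 {
 int r;
 
@@ -441,6 +442,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
 (r = sshbuf_put_u32(m, maxsign)) != 0)
 goto out;
 }
+if (provider != NULL) {
+if ((r = sshbuf_put_u8(m,
+SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 ||
+(r = sshbuf_put_cstring(m,
+"sk-provider@openssh.com")) != 0 ||
+(r = sshbuf_put_cstring(m, provider)) != 0)
+goto out;
+}
 r = 0;
 out:
 return r;
@@ -452,10 +461,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
 */
 int
 ssh_add_identity_constrained(int sock, struct sshkey *key,
-const char *comment, u_int life, u_int confirm, u_int maxsign)
+const char *comment, u_int life, u_int confirm, u_int maxsign,
+const char *provider)
 {
 struct sshbuf *msg;
-int r, constrained = (life || confirm || maxsign);
+int r, constrained = (life || confirm || maxsign || provider);
 u_char type;
 
 if ((msg = sshbuf_new()) == NULL)
@@ -469,6 +479,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
 case KEY_DSA_CERT:
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
+case KEY_ECDSA_SK:
+case KEY_ECDSA_SK_CERT:
 #endif
 case KEY_ED25519:
 case KEY_ED25519_CERT:
@@ -488,7 +500,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
 goto out;
 }
 if (constrained &&
-(r = encode_constraints(msg, life, confirm, maxsign)) != 0)
+(r = encode_constraints(msg, life, confirm, maxsign,
+provider)) != 0)
 goto out;
 if ((r = ssh_request_reply(sock, msg, msg)) != 0)
 goto out;
@@ -566,7 +579,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
 (r = sshbuf_put_cstring(msg, pin)) != 0)
 goto out;
 if (constrained &&
-(r = encode_constraints(msg, life, confirm, 0)) != 0)
+(r = encode_constraints(msg, life, confirm, 0, NULL)) != 0)
 goto out;
 if ((r = ssh_request_reply(sock, msg, msg)) != 0)
 goto out;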
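Review bot: In `encode_constraints` (hunk at -441,6 +442,14) the extension constraint is emitted whenever `provider != NULL`, so an empty string is also forwarded to the agent as an `sk-provider@openssh.com` constraint; whether ssh-agent rejects an empty provider path is not visible here, and a client-side guard such as `if (provider != NULL && *provider == '\0') return SSH_ERR_INVALID_ARGUMENT;` ahead of the encoding would give callers a clear error before the request is sent. The function also has no header comment; it should state that each constraint is a u8 type byte followed by a type-specific payload, and that the extension form is `SSH_AGENT_CONSTRAIN_EXTENSION`, the extension name as a cstring, then the extension data, which for this extension is the provider library path as a cstring. The comment block describing `ssh_add_identity_constrained`, which closes at the `*/` opening the -452,10 +461,11 hunk and otherwise lies outside it, should likewise document that `provider` may be NULL and that a non-NULL value is relayed to the agent unchanged. As a point of style, `constrained = (life || confirm || maxsign || provider)` mixes integers and a pointer in one boolean expression; `provider != NULL` there reads more clearly.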
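--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.46 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.47 2019/10/31 21:19:15 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,7 +30,8 @@ int ssh_lock_agent(int sock, int lock, const char *password);
 int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
 void ssh_free_identitylist(struct ssh_identitylist *idl);
 int ssh_add_identity_constrained(int sock, struct sshkey *key,
-const char *comment, u_int life, u_int confirm, u_int maxsign);
+const char *comment, u_int life, u_int confirm, u_int maxsign,
+const char *provider);
 int ssh_agent_has_key(int sock, struct sshkey *key);
 int ssh_remove_identity(int sock, struct sshkey *key);
 int ssh_update_card(int sock, int add, const char *reader_id,
@@ -77,6 +78,7 @@ int ssh_agent_sign(int sock, const struct sshkey *key,
 #define SSH_AGENT_CONSTRAIN_LIFETIME 1
 #define SSH_AGENT_CONSTRAIN_CONFIRM 2
 #define SSH_AGENT_CONSTRAIN_MAXSIGN 3
+#define SSH_AGENT_CONSTRAIN_EXTENSION 255
 
 /* extended failure messages */
 #define SSH2_AGENT_FAILURE 30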
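Review bot: `SSH_AGENT_CONSTRAIN_EXTENSION 255` in the -77,6 +78,7 hunk is added without a comment saying how it differs from the three fixed-layout constraint types above it. I would add `/* extension: u8 type, cstring extension name, then extension-specific data */` above it so the header, not only the encoder in authfd.c, records the wire format, and name the one extension currently emitted, `sk-provider@openssh.com`, in that comment.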
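--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.141 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.142 2019/10/31 21:19:15 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -311,7 +311,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
 }
 
 if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
-lifetime, confirm, maxsign)) == 0) {
+lifetime, confirm, maxsign, NULL)) == 0) {
 ret = 0;
 if (!qflag) {
 fprintf(stderr, "Identity added: %s (%s)\n",
@@ -364,7 +364,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
 sshkey_free(cert);
 
 if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
-lifetime, confirm, maxsign)) != 0) {
+lifetime, confirm, maxsign, NULL)) != 0) {
 error("Certificate %s (%s) add failed: %s", certpath,
 private->cert->key_id, ssh_err(r));
 goto out;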
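--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.319 2019/09/13 04:31:19 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.320 2019/10/31 21:19:15 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1426,7 +1426,7 @@ maybe_add_key_to_agent(char *authfile, struct sshkey *private,
 }
 
 if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
-(options.add_keys_to_agent == 3), 0)) == 0)
+(options.add_keys_to_agent == 3), 0, NULL)) == 0)
 debug("identity added to agent: %s", authfile);
 else
 debug("could not add identity to agent: %s (%d)", authfile, r);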