[openssh-commits] [openssh] 08/14: upstream: add new agent key constraint for U2F/FIDO provider


commit b9dd14d3091e31fb836f69873d3aa622eb7b4a1c
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Oct 31 21:19:14 2019 +0000

    upstream: add new agent key constraint for U2F/FIDO provider
    
    feedback & ok markus@
    
    OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172
---
 authfd.c     | 25 +++++++++++++++++++------
 authfd.h     |  6 ++++--
 ssh-add.c    |  6 +++---
 sshconnect.c |  4 ++--
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/authfd.c b/authfd.c
index a5162790..1f0cd2ab 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -423,7 +423,8 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 
 
 static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
+    const char *provider)
 {
 	int r;
 
@@ -441,6 +442,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
 		    (r = sshbuf_put_u32(m, maxsign)) != 0)
 			goto out;
 	}
+	if (provider != NULL) {
+		if ((r = sshbuf_put_u8(m,
+		    SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 ||
+		    (r = sshbuf_put_cstring(m,
+		    "sk-provider at openssh.com")) != 0 ||
+		    (r = sshbuf_put_cstring(m, provider)) != 0)
+			goto out;
+	}
 	r = 0;
  out:
 	return r;
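Review bot: The new `if (provider != NULL)` branch forwards `provider` to the agent verbatim, and nothing in encode_constraints documents the wire shape it now emits, which differs from the fixed-payload constraints above it; a comment on that branch, `/* SSH_AGENT_CONSTRAIN_EXTENSION: u8 type, cstring extension name, then extension-specific data (here the provider) */`, would make the format readable without the agent source to hand. An empty string is non-NULL here, so it is encoded as a constraint carrying an empty provider; whether that should be rejected on the client before it reaches the agent is worth deciding, since this value is acted on by the agent rather than by this code. The listing shows the extension name as `sk-provider at openssh.com`, which looks like the mailing list's address mangling of `sk-provider@openssh.com`; the committed source should be confirmed to hold the `@` form, because the agent can only recognise the extension if both sides spell the name identically. encode_constraints begins outside this hunk.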
@@ -452,10 +461,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
  */
 int
 ssh_add_identity_constrained(int sock, struct sshkey *key,
-    const char *comment, u_int life, u_int confirm, u_int maxsign)
+    const char *comment, u_int life, u_int confirm, u_int maxsign,
+    const char *provider)
 {
 	struct sshbuf *msg;
-	int r, constrained = (life || confirm || maxsign);
+	int r, constrained = (life || confirm || maxsign || provider);
 	u_char type;
 
 	if ((msg = sshbuf_new()) == NULL)
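Review bot: The block comment that closes at the ` */` line above `int` is not updated for the new `provider` parameter, so readers of this file get no statement of what it means or that NULL is accepted; the comment body lies outside the hunk, but it should gain a line such as `provider may be NULL; otherwise it is sent to the agent as an sk-provider constraint extension`. The `constrained` expression now folds a pointer into an int-typed logical OR, which is valid C but reads oddly beside three unsigned counters; `(life || confirm || maxsign || provider != NULL)` states the intent explicitly. ssh_add_identity_constrained's body continues past this hunk.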
@@ -469,6 +479,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
 	case KEY_DSA_CERT:
 	case KEY_ECDSA:
 	case KEY_ECDSA_CERT:
+	case KEY_ECDSA_SK:
+	case KEY_ECDSA_SK_CERT:
 #endif
 	case KEY_ED25519:
 	case KEY_ED25519_CERT:
@@ -488,7 +500,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
 		goto out;
 	}
 	if (constrained &&
-	    (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
+	    (r = encode_constraints(msg, life, confirm, maxsign,
+	    provider)) != 0)
 		goto out;
 	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
 		goto out;
@@ -566,7 +579,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
 	    (r = sshbuf_put_cstring(msg, pin)) != 0)
 		goto out;
 	if (constrained &&
-	    (r = encode_constraints(msg, life, confirm, 0)) != 0)
+	    (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0)
 		goto out;
 	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
 		goto out;
diff --git a/authfd.h b/authfd.h
index 57907650..443771a0 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.46 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.47 2019/10/31 21:19:15 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -30,7 +30,8 @@ int	ssh_lock_agent(int sock, int lock, const char *password);
 int	ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
 void	ssh_free_identitylist(struct ssh_identitylist *idl);
 int	ssh_add_identity_constrained(int sock, struct sshkey *key,
-	    const char *comment, u_int life, u_int confirm, u_int maxsign);
+	    const char *comment, u_int life, u_int confirm, u_int maxsign,
+	    const char *provider);
 int	ssh_agent_has_key(int sock, struct sshkey *key);
 int	ssh_remove_identity(int sock, struct sshkey *key);
 int	ssh_update_card(int sock, int add, const char *reader_id,
@@ -77,6 +78,7 @@ int	ssh_agent_sign(int sock, const struct sshkey *key,
 #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
 #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
 #define	SSH_AGENT_CONSTRAIN_MAXSIGN		3
+#define	SSH_AGENT_CONSTRAIN_EXTENSION		255
 
 /* extended failure messages */
 #define SSH2_AGENT_FAILURE			30
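Review bot: `SSH_AGENT_CONSTRAIN_EXTENSION` is added without a comment even though it changes the shape of what follows it on the wire: the existing constraint types appear to carry fixed payloads (a u32 for maxsign in the encoder), while this one is followed by a cstring extension name and then extension-specific data, per the encoder in authfd.c in this commit. A trailing comment on the define, `/* followed by cstring extension name, then extension data */`, keeps that visible where agent implementers look first.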
diff --git a/ssh-add.c b/ssh-add.c
index ebfb8a32..2c65d027 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.141 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.142 2019/10/31 21:19:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -311,7 +311,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
 	}
 
 	if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
-	    lifetime, confirm, maxsign)) == 0) {
+	    lifetime, confirm, maxsign, NULL)) == 0) {
 		ret = 0;
 		if (!qflag) {
 			fprintf(stderr, "Identity added: %s (%s)\n",
@@ -364,7 +364,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
 	sshkey_free(cert);
 
 	if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
-	    lifetime, confirm, maxsign)) != 0) {
+	    lifetime, confirm, maxsign, NULL)) != 0) {
 		error("Certificate %s (%s) add failed: %s", certpath,
 		    private->cert->key_id, ssh_err(r));
 		goto out;
diff --git a/sshconnect.c b/sshconnect.c
index 6230dad3..223074bd 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.319 2019/09/13 04:31:19 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.320 2019/10/31 21:19:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1426,7 +1426,7 @@ maybe_add_key_to_agent(char *authfile, struct sshkey *private,
 	}
 
 	if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
-	    (options.add_keys_to_agent == 3), 0)) == 0)
+	    (options.add_keys_to_agent == 3), 0, NULL)) == 0)
 		debug("identity added to agent: %s", authfile);
 	else
 		debug("could not add identity to agent: %s (%d)", authfile, r);
