diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2023-12-18 15:46:56 +0100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2023-12-18 15:52:55 +0100 |
| commit | 4448a2938abc76e6bd33ba09b2ec17a216dfb491 (patch) | |
| tree | 1b2ef94eda1b9139e580dbd4dde416fb831b4602 /authfd.c | |
| parent | upstream: apply destination constraints to all p11 keys (diff) | |
| download | openssh-4448a2938abc76e6bd33ba09b2ec17a216dfb491.tar.xz openssh-4448a2938abc76e6bd33ba09b2ec17a216dfb491.zip | |
upstream: Make it possible to load certs from PKCS#11 tokens
Adds a protocol extension to allow grafting certificates supplied by
ssh-add to keys loaded from PKCS#11 tokens in the agent.
feedback/ok markus@
OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
Diffstat (limited to 'authfd.c')
| -rw-r--r-- | authfd.c | 40 |
1 files changed, 32 insertions, 8 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.133 2023/03/09 21:06:24 jcs Exp $ */ +/* $OpenBSD: authfd.c,v 1.134 2023/12/18 14:46:56 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -504,9 +504,10 @@ encode_dest_constraint(struct sshbuf *m, const struct dest_constraint *dc) } static int -encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, - const char *provider, struct dest_constraint **dest_constraints, - size_t ndest_constraints) +encode_constraints(struct sshbuf *m, u_int life, u_int confirm, + u_int maxsign, const char *provider, + struct dest_constraint **dest_constraints, size_t ndest_constraints, + int cert_only, struct sshkey **certs, size_t ncerts) { int r; struct sshbuf *b = NULL; @@ -550,6 +551,27 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, "restrict-destination-v00@openssh.com")) != 0 || (r = sshbuf_put_stringb(m, b)) != 0) goto out; + sshbuf_free(b); + b = NULL; + } + if (ncerts != 0) { + if ((b = sshbuf_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + for (i = 0; i < ncerts; i++) { + if ((r = sshkey_puts(certs[i], b)) != 0) + goto out; + } + if ((r = sshbuf_put_u8(m, + SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 || + (r = sshbuf_put_cstring(m, + "associated-certs-v00@openssh.com")) != 0 || + (r = sshbuf_put_u8(m, cert_only != 0)) != 0 || + (r = sshbuf_put_stringb(m, b)) != 0) + goto out; + sshbuf_free(b); + b = NULL; } r = 0; out: @@ -607,7 +629,7 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, } if (constrained && (r = encode_constraints(msg, life, confirm, maxsign, - provider, dest_constraints, ndest_constraints)) != 0) + provider, dest_constraints, ndest_constraints, 0, NULL, 0)) != 0) goto out; if ((r = ssh_request_reply_decode(sock, msg)) != 0) goto out; @@ -662,10 +684,11 @@ ssh_remove_identity(int sock, const struct sshkey *key) int ssh_update_card(int sock, int add, const char *reader_id, const char *pin, u_int life, u_int confirm, - struct dest_constraint **dest_constraints, size_t ndest_constraints) + struct dest_constraint **dest_constraints, size_t ndest_constraints, + int cert_only, struct sshkey **certs, size_t ncerts) { struct sshbuf *msg; - int r, constrained = (life || confirm || dest_constraints); + int r, constrained = (life || confirm || dest_constraints || certs); u_char type; if (add) { @@ -683,7 +706,8 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, goto out; if (constrained && (r = encode_constraints(msg, life, confirm, 0, NULL, - dest_constraints, ndest_constraints)) != 0) + dest_constraints, ndest_constraints, + cert_only, certs, ncerts)) != 0) goto out; if ((r = ssh_request_reply_decode(sock, msg)) != 0) goto out; |