src - OpenBSD base system

diff options


context:
space:
mode:

author	Damien Miller <djm@cvs.openbsd.org>	2003-06-11 11:18:39 +0000
committer	Damien Miller <djm@cvs.openbsd.org>	2003-06-11 11:18:39 +0000
commit	cf3de089d90be8cd8c9098cc49c54b4cd38e0c0e (patch)
tree	3f7aa92535ec8a18939e07e927478e2023a132b6 /usr.bin/ssh
parent	dd9283af0d9a9094628ace5f9e4d2f3e40564575 (diff)

make agent constraints (lifetime, confirm) work with smartcard keys; ok markus@

Diffstat (limited to 'usr.bin/ssh')

-rw-r--r--

usr.bin/ssh/authfd.c

-rw-r--r--

usr.bin/ssh/authfd.h

-rw-r--r--

usr.bin/ssh/ssh-add.c

-rw-r--r--

usr.bin/ssh/ssh-agent.c

4 files changed, 49 insertions, 13 deletions

diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c
index 7e96269a468..368544b17b6 100644
--- a/usr.bin/ssh/authfd.c
+++ b/usr.bin/ssh/authfd.c

@@ -35,7 +35,7 @@

#include "includes.h"

-RCSID("$OpenBSD: authfd.c,v 1.59 2003/04/08 20:21:28 itojun Exp $");

+RCSID("$OpenBSD: authfd.c,v 1.60 2003/06/11 11:18:38 djm Exp $");

#include <openssl/evp.h>

@@ -589,16 +589,33 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)

}

int

-ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)

+ssh_update_card(AuthenticationConnection *auth, int add,

+ const char *reader_id, const char *pin, u_int life, u_int confirm)

{

Buffer msg;

- int type;

+ int type, constrained = (life || confirm);

+ if (add) {

+ type = constrained ?

+ SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED :

+ SSH_AGENTC_ADD_SMARTCARD_KEY;

+ } else

+ type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;

buffer_init(&msg);

- buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY :

- SSH_AGENTC_REMOVE_SMARTCARD_KEY);

+ buffer_put_char(&msg, type);

buffer_put_cstring(&msg, reader_id);

buffer_put_cstring(&msg, pin);

+ if (constrained) {

+ if (life != 0) {

+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);

+ buffer_put_int(&msg, life);

+ }

+ if (confirm != 0)

+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);

+ }

if (ssh_request_reply(auth, &msg, &msg) == 0) {

buffer_free(&msg);

return 0;

diff --git a/usr.bin/ssh/authfd.h b/usr.bin/ssh/authfd.h
index 2a8751ec18b..74b825c51d1 100644
--- a/usr.bin/ssh/authfd.h
+++ b/usr.bin/ssh/authfd.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: authfd.h,v 1.32 2003/01/23 13:50:27 markus Exp $ */

+/* $OpenBSD: authfd.h,v 1.33 2003/06/11 11:18:38 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -49,6 +49,7 @@

/* add key with constraints */

#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24

#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25

+#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26

#define SSH_AGENT_CONSTRAIN_LIFETIME 1

#define SSH_AGENT_CONSTRAIN_CONFIRM 2

@@ -82,7 +83,8 @@ int ssh_add_identity_constrained(AuthenticationConnection *, Key *,

int ssh_remove_identity(AuthenticationConnection *, Key *);

int ssh_remove_all_identities(AuthenticationConnection *, int);

int ssh_lock_agent(AuthenticationConnection *, int, const char *);

-int ssh_update_card(AuthenticationConnection *, int, const char *, const char *);

+int ssh_update_card(AuthenticationConnection *, int, const char *,

+ const char *, u_int, u_int);

int

ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],

diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index 08c545ab8c6..7e4f1156614 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c

@@ -35,7 +35,7 @@

#include "includes.h"

-RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $");

+RCSID("$OpenBSD: ssh-add.c,v 1.67 2003/06/11 11:18:38 djm Exp $");

#include <openssl/evp.h>

@@ -195,7 +195,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id)

if (pin == NULL)

return -1;

- if (ssh_update_card(ac, add, id, pin)) {

+ if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) {

fprintf(stderr, "Card %s: %s\n",

add ? "added" : "removed", id);

ret = 0;

diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index d29beda5d6f..6b9c3564a18 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c

@@ -35,7 +35,7 @@

#include "includes.h"

#include <sys/queue.h>

-RCSID("$OpenBSD: ssh-agent.c,v 1.109 2003/04/08 20:21:29 itojun Exp $");

+RCSID("$OpenBSD: ssh-agent.c,v 1.110 2003/06/11 11:18:38 djm Exp $");

#include <openssl/evp.h>

#include <openssl/md5.h>

@@ -576,13 +576,29 @@ static void

process_add_smartcard_key (SocketEntry *e)

{

char *sc_reader_id = NULL, *pin;

- int i, version, success = 0;

+ int i, version, success = 0, death = 0, confirm = 0;

Key **keys, *k;

Identity *id;

Idtab *tab;

sc_reader_id = buffer_get_string(&e->request, NULL);

pin = buffer_get_string(&e->request, NULL);

+ while (buffer_len(&e->request)) {

+ switch (buffer_get_char(&e->request)) {

+ case SSH_AGENT_CONSTRAIN_LIFETIME:

+ death = time(NULL) + buffer_get_int(&e->request);

+ break;

+ case SSH_AGENT_CONSTRAIN_CONFIRM:

+ confirm = 1;

+ break;

+ default:

+ break;

+ }

+ if (lifetime && !death)

+ death = time(NULL) + lifetime;

keys = sc_get_keys(sc_reader_id, pin);

xfree(sc_reader_id);

xfree(pin);

@@ -599,8 +615,8 @@ process_add_smartcard_key (SocketEntry *e)

id = xmalloc(sizeof(Identity));

id->key = k;

id->comment = xstrdup("smartcard key");

- id->death = 0;

- id->confirm = 0;

+ id->death = death;

+ id->confirm = confirm;

TAILQ_INSERT_TAIL(&tab->idlist, id, next);

tab->nentries++;

success = 1;

@@ -744,6 +760,7 @@ process_message(SocketEntry *e)

break;

#ifdef SMARTCARD

case SSH_AGENTC_ADD_SMARTCARD_KEY:

+ case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED:

process_add_smartcard_key(e);

break;

case SSH_AGENTC_REMOVE_SMARTCARD_KEY: