authorDamien Miller <djm@cvs.openbsd.org>2019-10-31 21:19:16 +0000
committerDamien Miller <djm@cvs.openbsd.org>2019-10-31 21:19:16 +0000
commit2d57ef57ac1cbb660d991d83667d939f2e2d909e (patch)
tree32ebdce58320a3c8b81215532a14b3a4eb8752e0 /usr.bin
parent11c64ae5f11e396027c03eaabd226f81e0f68fdc (diff)
add new agent key constraint for U2F/FIDO provider
feedback & ok markus@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/authfd.c25
-rw-r--r--usr.bin/ssh/authfd.h6
-rw-r--r--usr.bin/ssh/ssh-add.c6
-rw-r--r--usr.bin/ssh/sshconnect.c4
4 files changed, 28 insertions, 13 deletions
diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c
index bc0631eff24..d23d52b5271 100644
--- a/usr.bin/ssh/authfd.c
+++ b/usr.bin/ssh/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.117 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -421,7 +421,8 @@ ssh_agent_sign(int sock, const struct sshkey *key,
static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
+ const char *provider)
{
int r;
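Review bot: The new `provider` parameter of encode_constraints is not documented, and the function carries no comment at all above the `static int` line; the following hunk shows that it is serialised as SSH_AGENT_CONSTRAIN_EXTENSION, the extension name "sk-provider@openssh.com" and then the provider string itself. A comment above the definition would let callers know what they are sending, e.g. `/* Serialise key constraints into m. provider, when non-NULL, is sent as the "sk-provider@openssh.com" extension constraint naming the U2F/FIDO provider for this key. */`. The body of encode_constraints continues past this hunk.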
@@ -439,6 +440,14 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
(r = sshbuf_put_u32(m, maxsign)) != 0)
goto out;
}
+ if (provider != NULL) {
+ if ((r = sshbuf_put_u8(m,
+ SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 ||
+ (r = sshbuf_put_cstring(m,
+ "sk-provider@openssh.com")) != 0 ||
+ (r = sshbuf_put_cstring(m, provider)) != 0)
+ goto out;
+ }
r = 0;
out:
return r;
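Review bot: `provider != NULL` is the only check before the provider string goes on the wire, so an empty string is encoded as a well-formed extension constraint with an empty value; since the provider presumably names something the agent will load for this key, failing fast on the client side with `if (provider != NULL && *provider == '\0') { r = SSH_ERR_INVALID_ARGUMENT; goto out; }` ahead of the `if (provider != NULL)` block avoids relying on the agent to reject it. The extension name "sk-provider@openssh.com" is also a bare literal that the agent side must match byte-for-byte; a named constant next to SSH_AGENT_CONSTRAIN_EXTENSION in authfd.h would keep the two in step. The head of encode_constraints is in the previous hunk.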
@@ -450,10 +459,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
*/
int
ssh_add_identity_constrained(int sock, struct sshkey *key,
- const char *comment, u_int life, u_int confirm, u_int maxsign)
+ const char *comment, u_int life, u_int confirm, u_int maxsign,
+ const char *provider)
{
struct sshbuf *msg;
- int r, constrained = (life || confirm || maxsign);
+ int r, constrained = (life || confirm || maxsign || provider);
u_char type;
if ((msg = sshbuf_new()) == NULL)
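Review bot: The block comment whose closing `*/` is the hunk's first line (it begins above the hunk and presumably describes ssh_add_identity_constrained) is not updated for the added `provider` argument, even though `constrained` now also triggers the constraint encoding whenever provider is set. A sentence to add to that comment: `provider, if non-NULL, names the U2F/FIDO provider the agent should use for this key and is sent as the "sk-provider@openssh.com" constraint extension; pass NULL for keys that need none.` The function body runs past this hunk.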
@@ -467,6 +477,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
case KEY_DSA_CERT:
case KEY_ECDSA:
case KEY_ECDSA_CERT:
+ case KEY_ECDSA_SK:
+ case KEY_ECDSA_SK_CERT:
#endif
case KEY_ED25519:
case KEY_ED25519_CERT:
@@ -486,7 +498,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
goto out;
}
if (constrained &&
- (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
+ (r = encode_constraints(msg, life, confirm, maxsign,
+ provider)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
@@ -564,7 +577,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
(r = sshbuf_put_cstring(msg, pin)) != 0)
goto out;
if (constrained &&
- (r = encode_constraints(msg, life, confirm, 0)) != 0)
+ (r = encode_constraints(msg, life, confirm, 0, NULL)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
diff --git a/usr.bin/ssh/authfd.h b/usr.bin/ssh/authfd.h
index 57907650480..443771a000c 100644
--- a/usr.bin/ssh/authfd.h
+++ b/usr.bin/ssh/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.46 2019/09/03 08:29:15 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.47 2019/10/31 21:19:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,7 +30,8 @@ int ssh_lock_agent(int sock, int lock, const char *password);
int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
void ssh_free_identitylist(struct ssh_identitylist *idl);
int ssh_add_identity_constrained(int sock, struct sshkey *key,
- const char *comment, u_int life, u_int confirm, u_int maxsign);
+ const char *comment, u_int life, u_int confirm, u_int maxsign,
+ const char *provider);
int ssh_agent_has_key(int sock, struct sshkey *key);
int ssh_remove_identity(int sock, struct sshkey *key);
int ssh_update_card(int sock, int add, const char *reader_id,
@@ -77,6 +78,7 @@ int ssh_agent_sign(int sock, const struct sshkey *key,
#define SSH_AGENT_CONSTRAIN_LIFETIME 1
#define SSH_AGENT_CONSTRAIN_CONFIRM 2
#define SSH_AGENT_CONSTRAIN_MAXSIGN 3
+#define SSH_AGENT_CONSTRAIN_EXTENSION 255
/* extended failure messages */
#define SSH2_AGENT_FAILURE 30
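Review bot: `SSH_AGENT_CONSTRAIN_EXTENSION 255` is added without any indication that, unlike the lifetime/confirm/maxsign constraints, it is a container whose payload (an extension-name string followed by extension-specific data, as encode_constraints in authfd.c shows) depends on the name. Suggest `#define SSH_AGENT_CONSTRAIN_EXTENSION 255 /* string ext-name, then ext-specific data */`, and defining the one name this commit uses, `"sk-provider@openssh.com"`, alongside it so that authfd.c and the agent side share a single definition rather than duplicating the literal.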
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index 5a4f6891f2e..2d26f01fc81 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.141 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.142 2019/10/31 21:19:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -303,7 +303,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
}
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
- lifetime, confirm, maxsign)) == 0) {
+ lifetime, confirm, maxsign, NULL)) == 0) {
ret = 0;
if (!qflag) {
fprintf(stderr, "Identity added: %s (%s)\n",
@@ -356,7 +356,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
sshkey_free(cert);
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
- lifetime, confirm, maxsign)) != 0) {
+ lifetime, confirm, maxsign, NULL)) != 0) {
error("Certificate %s (%s) add failed: %s", certpath,
private->cert->key_id, ssh_err(r));
goto out;
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 7749ab44dc4..fefce1cd453 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.319 2019/09/13 04:31:19 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.320 2019/10/31 21:19:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1387,7 +1387,7 @@ maybe_add_key_to_agent(char *authfile, struct sshkey *private,
}
if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
- (options.add_keys_to_agent == 3), 0)) == 0)
+ (options.add_keys_to_agent == 3), 0, NULL)) == 0)
debug("identity added to agent: %s", authfile);
else
debug("could not add identity to agent: %s (%d)", authfile, r);