version 1.128, 2021/12/19 22:08:48 |
version 1.129, 2021/12/19 22:10:24 |
|
|
|
|
/* Encode key for a message to the agent. */ |
/* Encode key for a message to the agent. */ |
|
|
|
static int |
|
encode_dest_constraint_hop(struct sshbuf *m, |
|
const struct dest_constraint_hop *dch) |
|
{ |
|
struct sshbuf *b; |
|
u_int i; |
|
int r; |
|
|
|
if ((b = sshbuf_new()) == NULL) |
|
return SSH_ERR_ALLOC_FAIL; |
|
if ((r = sshbuf_put_cstring(b, dch->user)) != 0 || |
|
(r = sshbuf_put_cstring(b, dch->hostname)) != 0 || |
|
(r = sshbuf_put_string(b, NULL, 0)) != 0) /* reserved */ |
|
goto out; |
|
for (i = 0; i < dch->nkeys; i++) { |
|
if ((r = sshkey_puts(dch->keys[i], b)) != 0 || |
|
(r = sshbuf_put_u8(b, dch->key_is_ca[i] != 0)) != 0) |
|
goto out; |
|
} |
|
if ((r = sshbuf_put_stringb(m, b)) != 0) |
|
goto out; |
|
/* success */ |
|
r = 0; |
|
out: |
|
sshbuf_free(b); |
|
return r; |
|
} |
|
|
static int |
static int |
|
encode_dest_constraint(struct sshbuf *m, const struct dest_constraint *dc) |
|
{ |
|
struct sshbuf *b; |
|
int r; |
|
|
|
if ((b = sshbuf_new()) == NULL) |
|
return SSH_ERR_ALLOC_FAIL; |
|
if ((r = encode_dest_constraint_hop(b, &dc->from) != 0) || |
|
(r = encode_dest_constraint_hop(b, &dc->to) != 0) || |
|
(r = sshbuf_put_string(b, NULL, 0)) != 0) /* reserved */ |
|
goto out; |
|
if ((r = sshbuf_put_stringb(m, b)) != 0) |
|
goto out; |
|
/* success */ |
|
r = 0; |
|
out: |
|
sshbuf_free(b); |
|
return r; |
|
} |
|
|
|
static int |
encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, |
encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign, |
const char *provider) |
const char *provider, struct dest_constraint **dest_constraints, |
|
size_t ndest_constraints) |
{ |
{ |
int r; |
int r; |
|
struct sshbuf *b = NULL; |
|
size_t i; |
|
|
if (life != 0) { |
if (life != 0) { |
if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_LIFETIME)) != 0 || |
if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_LIFETIME)) != 0 || |
|
|
(r = sshbuf_put_cstring(m, provider)) != 0) |
(r = sshbuf_put_cstring(m, provider)) != 0) |
goto out; |
goto out; |
} |
} |
|
if (dest_constraints != NULL && ndest_constraints > 0) { |
|
if ((b = sshbuf_new()) == NULL) { |
|
r = SSH_ERR_ALLOC_FAIL; |
|
goto out; |
|
} |
|
for (i = 0; i < ndest_constraints; i++) { |
|
if ((r = encode_dest_constraint(b, |
|
dest_constraints[i])) != 0) |
|
goto out; |
|
} |
|
if ((r = sshbuf_put_u8(m, |
|
SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 || |
|
(r = sshbuf_put_cstring(m, |
|
"restrict-destination-v00@openssh.com")) != 0 || |
|
(r = sshbuf_put_stringb(m, b)) != 0) |
|
goto out; |
|
} |
r = 0; |
r = 0; |
out: |
out: |
|
sshbuf_free(b); |
return r; |
return r; |
} |
} |
|
|
|
|
int |
int |
ssh_add_identity_constrained(int sock, struct sshkey *key, |
ssh_add_identity_constrained(int sock, struct sshkey *key, |
const char *comment, u_int life, u_int confirm, u_int maxsign, |
const char *comment, u_int life, u_int confirm, u_int maxsign, |
const char *provider) |
const char *provider, struct dest_constraint **dest_constraints, |
|
size_t ndest_constraints) |
{ |
{ |
struct sshbuf *msg; |
struct sshbuf *msg; |
int r, constrained = (life || confirm || maxsign || provider); |
int r, constrained = (life || confirm || maxsign || |
|
provider || dest_constraints); |
u_char type; |
u_char type; |
|
|
if ((msg = sshbuf_new()) == NULL) |
if ((msg = sshbuf_new()) == NULL) |
|
|
} |
} |
if (constrained && |
if (constrained && |
(r = encode_constraints(msg, life, confirm, maxsign, |
(r = encode_constraints(msg, life, confirm, maxsign, |
provider)) != 0) |
provider, dest_constraints, ndest_constraints)) != 0) |
goto out; |
goto out; |
if ((r = ssh_request_reply_decode(sock, msg)) != 0) |
if ((r = ssh_request_reply_decode(sock, msg)) != 0) |
goto out; |
goto out; |
|
|
*/ |
*/ |
int |
int |
ssh_update_card(int sock, int add, const char *reader_id, const char *pin, |
ssh_update_card(int sock, int add, const char *reader_id, const char *pin, |
u_int life, u_int confirm) |
u_int life, u_int confirm, |
|
struct dest_constraint **dest_constraints, size_t ndest_constraints) |
{ |
{ |
struct sshbuf *msg; |
struct sshbuf *msg; |
int r, constrained = (life || confirm); |
int r, constrained = (life || confirm); |
|
|
(r = sshbuf_put_cstring(msg, pin)) != 0) |
(r = sshbuf_put_cstring(msg, pin)) != 0) |
goto out; |
goto out; |
if (constrained && |
if (constrained && |
(r = encode_constraints(msg, life, confirm, 0, NULL)) != 0) |
(r = encode_constraints(msg, life, confirm, 0, NULL, |
|
dest_constraints, ndest_constraints)) != 0) |
goto out; |
goto out; |
if ((r = ssh_request_reply_decode(sock, msg)) != 0) |
if ((r = ssh_request_reply_decode(sock, msg)) != 0) |
goto out; |
goto out; |