===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/authfd.h,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -r1.50 -r1.51
--- src/usr.bin/ssh/authfd.h 2021/12/19 22:08:48 1.50
+++ src/usr.bin/ssh/authfd.h 2021/12/19 22:10:24 1.51
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.50 2021/12/19 22:08:48 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.51 2021/12/19 22:10:24 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -17,6 +17,7 @@
 #define AUTHFD_H
 struct sshbuf;
+struct sshkey;
 /* List of identities returned by ssh_fetch_identitylist() */
 struct ssh_identitylist {
@@ -25,6 +26,20 @@
 char **comments;
 };
+/* Key destination restrictions */
+struct dest_constraint_hop {
+ char *user; /* wildcards allowed */
+ char *hostname; /* used to matching cert principals and for display */
+ int is_ca;
+ u_int nkeys; /* number of entries in *both* 'keys' and 'key_is_ca' */
+ struct sshkey **keys;
+ int *key_is_ca;
+};
+struct dest_constraint {
+ struct dest_constraint_hop from;
+ struct dest_constraint_hop to;
+};
+
 int ssh_get_authentication_socket(int *fdp);
 int ssh_get_authentication_socket_path(const char *authsocket, int *fdp);
 void ssh_close_authentication_socket(int sock);
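Review bot: The new `struct dest_constraint_hop` leaves `is_ca` undocumented and the `hostname` comment reads "used to matching", so the field semantics are only half-stated; I'd change that comment to `/* used for matching cert principals and for display */` and give `is_ca` its own line comment, hedged here because the hunk does not show how it is set — presumably it marks a hop whose `keys` are CA keys rather than plain host keys. Ownership of the `keys` and `key_is_ca` arrays is also unstated, and no free helper is declared in this hunk; a comment on the struct saying who allocates and frees them, and that `key_is_ca[i]` describes `keys[i]`, would stop callers double-freeing or leaking them. A minor type-consistency point: `nkeys` is `u_int` while the `ndest_constraints` counts added to the prototypes in the following hunk are `size_t`, so any loop indexing both will mix signedness and width. Since `user` and `hostname` are (I assume) parsed from agent-client messages and `hostname` is explicitly used for display, the comment should also warn that they are untrusted and must be sanitized before being logged or shown.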
@@ -33,12 +48,15 @@
 int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
 void ssh_free_identitylist(struct ssh_identitylist *idl);
 int ssh_add_identity_constrained(int sock, struct sshkey *key,
- const char *comment, u_int life, u_int confirm, u_int maxsign,
- const char *provider);
+ const char *comment, u_int life, u_int confirm, u_int maxsign,
+ const char *provider, struct dest_constraint **dest_constraints,
+ size_t ndest_constraints);
 int ssh_agent_has_key(int sock, const struct sshkey *key);
 int ssh_remove_identity(int sock, const struct sshkey *key);
 int ssh_update_card(int sock, int add, const char *reader_id,
- const char *pin, u_int life, u_int confirm);
+ const char *pin, u_int life, u_int confirm,
+ struct dest_constraint **dest_constraints,
+ size_t ndest_constraints);
 int ssh_remove_all_identities(int sock, int version);
 int ssh_agent_sign(int sock, const struct sshkey *key,