version 1.276, 2021/02/02 22:35:14 |
version 1.277, 2021/02/12 03:14:18 |
|
|
} |
} |
|
|
static int |
static int |
|
parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp) |
|
{ |
|
char *ext_name = NULL; |
|
int r; |
|
|
|
if ((r = sshbuf_get_cstring(m, &ext_name, NULL)) != 0) { |
|
error_fr(r, "parse constraint extension"); |
|
goto out; |
|
} |
|
debug_f("constraint ext %s", ext_name); |
|
if (strcmp(ext_name, "sk-provider@openssh.com") == 0) { |
|
if (sk_providerp == NULL) { |
|
error_f("%s not valid here", ext_name); |
|
r = SSH_ERR_INVALID_FORMAT; |
|
goto out; |
|
} |
|
if (*sk_providerp != NULL) { |
|
error_f("%s already set", ext_name); |
|
r = SSH_ERR_INVALID_FORMAT; |
|
goto out; |
|
} |
|
if ((r = sshbuf_get_cstring(m, sk_providerp, NULL)) != 0) { |
|
error_fr(r, "parse %s", ext_name); |
|
goto out; |
|
} |
|
} else { |
|
error_f("unsupported constraint \"%s\"", ext_name); |
|
r = SSH_ERR_FEATURE_UNSUPPORTED; |
|
goto out; |
|
} |
|
/* success */ |
|
r = 0; |
|
out: |
|
free(ext_name); |
|
return r; |
|
} |
|
|
|
static int |
parse_key_constraints(struct sshbuf *m, struct sshkey *k, time_t *deathp, |
parse_key_constraints(struct sshbuf *m, struct sshkey *k, time_t *deathp, |
u_int *secondsp, int *confirmp, char **sk_providerp) |
u_int *secondsp, int *confirmp, char **sk_providerp) |
{ |
{ |
u_char ctype; |
u_char ctype; |
int r; |
int r; |
u_int seconds, maxsign = 0; |
u_int seconds, maxsign = 0; |
char *ext_name = NULL; |
|
struct sshbuf *b = NULL; |
|
|
|
while (sshbuf_len(m)) { |
while (sshbuf_len(m)) { |
if ((r = sshbuf_get_u8(m, &ctype)) != 0) { |
if ((r = sshbuf_get_u8(m, &ctype)) != 0) { |
error_fr(r, "parse constraint type"); |
error_fr(r, "parse constraint type"); |
goto err; |
goto out; |
} |
} |
switch (ctype) { |
switch (ctype) { |
case SSH_AGENT_CONSTRAIN_LIFETIME: |
case SSH_AGENT_CONSTRAIN_LIFETIME: |
if (*deathp != 0) { |
if (*deathp != 0) { |
error_f("lifetime already set"); |
error_f("lifetime already set"); |
goto err; |
r = SSH_ERR_INVALID_FORMAT; |
|
goto out; |
} |
} |
if ((r = sshbuf_get_u32(m, &seconds)) != 0) { |
if ((r = sshbuf_get_u32(m, &seconds)) != 0) { |
error_fr(r, "parse lifetime constraint"); |
error_fr(r, "parse lifetime constraint"); |
goto err; |
goto out; |
} |
} |
*deathp = monotime() + seconds; |
*deathp = monotime() + seconds; |
*secondsp = seconds; |
*secondsp = seconds; |
|
|
case SSH_AGENT_CONSTRAIN_CONFIRM: |
case SSH_AGENT_CONSTRAIN_CONFIRM: |
if (*confirmp != 0) { |
if (*confirmp != 0) { |
error_f("confirm already set"); |
error_f("confirm already set"); |
goto err; |
r = SSH_ERR_INVALID_FORMAT; |
|
goto out; |
} |
} |
*confirmp = 1; |
*confirmp = 1; |
break; |
break; |
case SSH_AGENT_CONSTRAIN_MAXSIGN: |
case SSH_AGENT_CONSTRAIN_MAXSIGN: |
if (k == NULL) { |
if (k == NULL) { |
error_f("maxsign not valid here"); |
error_f("maxsign not valid here"); |
goto err; |
r = SSH_ERR_INVALID_FORMAT; |
|
goto out; |
} |
} |
if (maxsign != 0) { |
if (maxsign != 0) { |
error_f("maxsign already set"); |
error_f("maxsign already set"); |
goto err; |
r = SSH_ERR_INVALID_FORMAT; |
|
goto out; |
} |
} |
if ((r = sshbuf_get_u32(m, &maxsign)) != 0) { |
if ((r = sshbuf_get_u32(m, &maxsign)) != 0) { |
error_fr(r, "parse maxsign constraint"); |
error_fr(r, "parse maxsign constraint"); |
goto err; |
goto out; |
} |
} |
if ((r = sshkey_enable_maxsign(k, maxsign)) != 0) { |
if ((r = sshkey_enable_maxsign(k, maxsign)) != 0) { |
error_fr(r, "enable maxsign"); |
error_fr(r, "enable maxsign"); |
goto err; |
goto out; |
} |
} |
break; |
break; |
case SSH_AGENT_CONSTRAIN_EXTENSION: |
case SSH_AGENT_CONSTRAIN_EXTENSION: |
if ((r = sshbuf_get_cstring(m, &ext_name, NULL)) != 0) { |
if ((r = parse_key_constraint_extension(m, |
error_fr(r, "parse constraint extension"); |
sk_providerp)) != 0) |
goto err; |
goto out; /* error already logged */ |
} |
|
debug_f("constraint ext %s", ext_name); |
|
if (strcmp(ext_name, "sk-provider@openssh.com") == 0) { |
|
if (sk_providerp == NULL) { |
|
error_f("%s not valid here", ext_name); |
|
goto err; |
|
} |
|
if (*sk_providerp != NULL) { |
|
error_f("%s already set", ext_name); |
|
goto err; |
|
} |
|
if ((r = sshbuf_get_cstring(m, |
|
sk_providerp, NULL)) != 0) { |
|
error_fr(r, "parse %s", ext_name); |
|
goto err; |
|
} |
|
} else { |
|
error_f("unsupported constraint \"%s\"", |
|
ext_name); |
|
goto err; |
|
} |
|
free(ext_name); |
|
break; |
break; |
default: |
default: |
error_f("Unknown constraint %d", ctype); |
error_f("Unknown constraint %d", ctype); |
err: |
r = SSH_ERR_FEATURE_UNSUPPORTED; |
free(ext_name); |
goto out; |
sshbuf_free(b); |
|
return -1; |
|
} |
} |
} |
} |
/* success */ |
/* success */ |
return 0; |
r = 0; |
|
out: |
|
return r; |
} |
} |
|
|
static void |
static void |