version 1.297, 2023/03/09 21:06:24 |
version 1.297.4.1, 2023/07/19 14:07:53 |
|
|
/* Pattern-list of allowed PKCS#11/Security key paths */ |
/* Pattern-list of allowed PKCS#11/Security key paths */ |
static char *allowed_providers; |
static char *allowed_providers; |
|
|
|
/* |
|
* Allows PKCS11 providers or SK keys that use non-internal providers to |
|
* be added over a remote connection (identified by session-bind@openssh.com). |
|
*/ |
|
static int remote_add_provider; |
|
|
/* locking */ |
/* locking */ |
#define LOCK_SIZE 32 |
#define LOCK_SIZE 32 |
#define LOCK_SALT_SIZE 16 |
#define LOCK_SALT_SIZE 16 |
|
|
if (strcasecmp(sk_provider, "internal") == 0) { |
if (strcasecmp(sk_provider, "internal") == 0) { |
debug_f("internal provider"); |
debug_f("internal provider"); |
} else { |
} else { |
|
if (e->nsession_ids != 0 && !remote_add_provider) { |
|
verbose("failed add of SK provider \"%.100s\": " |
|
"remote addition of providers is disabled", |
|
sk_provider); |
|
goto out; |
|
} |
if (realpath(sk_provider, canonical_provider) == NULL) { |
if (realpath(sk_provider, canonical_provider) == NULL) { |
verbose("failed provider \"%.100s\": " |
verbose("failed provider \"%.100s\": " |
"realpath: %s", sk_provider, |
"realpath: %s", sk_provider, |
|
|
error_f("failed to parse constraints"); |
error_f("failed to parse constraints"); |
goto send; |
goto send; |
} |
} |
|
if (e->nsession_ids != 0 && !remote_add_provider) { |
|
verbose("failed PKCS#11 add of \"%.100s\": remote addition of " |
|
"providers is disabled", provider); |
|
goto send; |
|
} |
if (realpath(provider, canonical_provider) == NULL) { |
if (realpath(provider, canonical_provider) == NULL) { |
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", |
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", |
provider, strerror(errno)); |
provider, strerror(errno)); |
|
|
break; |
break; |
case 'O': |
case 'O': |
if (strcmp(optarg, "no-restrict-websafe") == 0) |
if (strcmp(optarg, "no-restrict-websafe") == 0) |
restrict_websafe = 0; |
restrict_websafe = 0; |
|
else if (strcmp(optarg, "allow-remote-pkcs11") == 0) |
|
remote_add_provider = 1; |
else |
else |
fatal("Unknown -O option"); |
fatal("Unknown -O option"); |
break; |
break; |
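Review bot: The `-O allow-remote-pkcs11` branch in this hunk sets a flag that also lifts the restriction on non-internal FIDO/SK provider libraries (the `e->nsession_ids != 0 && !remote_add_provider` guard with `goto out` earlier in this diff), which the option's name alone does not convey; a short comment on the new `else if` would save the next reader a search, e.g. `/* also permits non-internal SK providers on session-bound remote connections */`. Both new guards treat a connection as remote only when `e->nsession_ids != 0`, i.e. only after a session-bind@openssh.com message, so the restriction does not apply to connections that never bound; that matches the comment added at the `remote_add_provider` declaration, but it is the assumption the whole change rests on and deserves to be stated next to the option as well. The enclosing option-parsing switch starts and ends outside the hunk.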