| version 1.300, 2023/07/19 13:56:33 |
version 1.301, 2023/12/18 14:46:12 |
|
|
| } |
} |
| |
|
| static void |
static void |
| |
dup_dest_constraint_hop(const struct dest_constraint_hop *dch, |
| |
struct dest_constraint_hop *out) |
| |
{ |
| |
u_int i; |
| |
int r; |
| |
|
| |
out->user = dch->user == NULL ? NULL : xstrdup(dch->user); |
| |
out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); |
| |
out->is_ca = dch->is_ca; |
| |
out->nkeys = dch->nkeys; |
| |
out->keys = out->nkeys == 0 ? NULL : |
| |
xcalloc(out->nkeys, sizeof(*out->keys)); |
| |
out->key_is_ca = out->nkeys == 0 ? NULL : |
| |
xcalloc(out->nkeys, sizeof(*out->key_is_ca)); |
| |
for (i = 0; i < dch->nkeys; i++) { |
| |
if (dch->keys[i] != NULL && |
| |
(r = sshkey_from_private(dch->keys[i], |
| |
&(out->keys[i]))) != 0) |
| |
fatal_fr(r, "copy key"); |
| |
out->key_is_ca[i] = dch->key_is_ca[i]; |
| |
} |
| |
} |
| |
|
| |
static struct dest_constraint * |
| |
dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) |
| |
{ |
| |
size_t i; |
| |
struct dest_constraint *ret; |
| |
|
| |
if (ndcs == 0) |
| |
return NULL; |
| |
ret = xcalloc(ndcs, sizeof(*ret)); |
| |
for (i = 0; i < ndcs; i++) { |
| |
dup_dest_constraint_hop(&dcs[i].from, &ret[i].from); |
| |
dup_dest_constraint_hop(&dcs[i].to, &ret[i].to); |
| |
} |
| |
return ret; |
| |
} |
| |
|
| |
#ifdef DEBUG_CONSTRAINTS |
| |
static void |
| |
dump_dest_constraint_hop(const struct dest_constraint_hop *dch) |
| |
{ |
| |
u_int i; |
| |
char *fp; |
| |
|
| |
debug_f("user %s hostname %s is_ca %d nkeys %u", |
| |
dch->user == NULL ? "(null)" : dch->user, |
| |
dch->hostname == NULL ? "(null)" : dch->hostname, |
| |
dch->is_ca, dch->nkeys); |
| |
for (i = 0; i < dch->nkeys; i++) { |
| |
fp = NULL; |
| |
if (dch->keys[i] != NULL && |
| |
(fp = sshkey_fingerprint(dch->keys[i], |
| |
SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) |
| |
fatal_f("fingerprint failed"); |
| |
debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, |
| |
dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]), |
| |
dch->keys[i] == NULL ? "" : " ", |
| |
dch->keys[i] == NULL ? "none" : fp, |
| |
dch->key_is_ca[i]); |
| |
free(fp); |
| |
} |
| |
} |
| |
#endif /* DEBUG_CONSTRAINTS */ |
| |
|
| |
static void |
| |
dump_dest_constraints(const char *context, |
| |
const struct dest_constraint *dcs, size_t ndcs) |
| |
{ |
| |
#ifdef DEBUG_CONSTRAINTS |
| |
size_t i; |
| |
|
| |
debug_f("%s: %zu constraints", context, ndcs); |
| |
for (i = 0; i < ndcs; i++) { |
| |
debug_f("constraint %zu / %zu: from: ", i, ndcs); |
| |
dump_dest_constraint_hop(&dcs[i].from); |
| |
debug_f("constraint %zu / %zu: to: ", i, ndcs); |
| |
dump_dest_constraint_hop(&dcs[i].to); |
| |
} |
| |
debug_f("done for %s", context); |
| |
#endif /* DEBUG_CONSTRAINTS */ |
| |
} |
| |
|
| |
static void |
| free_identity(Identity *id) |
free_identity(Identity *id) |
| { |
{ |
| sshkey_free(id->key); |
sshkey_free(id->key); |
|
|
| Identity *id; |
Identity *id; |
| struct sshbuf *msg, *keys; |
struct sshbuf *msg, *keys; |
| int r; |
int r; |
| u_int nentries = 0; |
u_int i = 0, nentries = 0; |
| |
char *fp; |
| |
|
| debug2_f("entering"); |
debug2_f("entering"); |
| |
|
| if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) |
if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) |
| fatal_f("sshbuf_new failed"); |
fatal_f("sshbuf_new failed"); |
| TAILQ_FOREACH(id, &idtab->idlist, next) { |
TAILQ_FOREACH(id, &idtab->idlist, next) { |
| |
if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, |
| |
SSH_FP_DEFAULT)) == NULL) |
| |
fatal_f("fingerprint failed"); |
| |
debug_f("key %u / %u: %s %s", i++, idtab->nentries, |
| |
sshkey_ssh_name(id->key), fp); |
| |
dump_dest_constraints(__func__, |
| |
id->dest_constraints, id->ndest_constraints); |
| |
free(fp); |
| /* identity not visible, don't include in response */ |
/* identity not visible, don't include in response */ |
| if (identity_permitted(id, e, NULL, NULL, NULL) != 0) |
if (identity_permitted(id, e, NULL, NULL, NULL) != 0) |
| continue; |
continue; |
|
|
| sshbuf_reset(e->request); |
sshbuf_reset(e->request); |
| goto out; |
goto out; |
| } |
} |
| |
dump_dest_constraints(__func__, dest_constraints, ndest_constraints); |
| |
|
| if (sk_provider != NULL) { |
if (sk_provider != NULL) { |
| if (!sshkey_is_sk(k)) { |
if (!sshkey_is_sk(k)) { |
|
|
| error_f("failed to parse constraints"); |
error_f("failed to parse constraints"); |
| goto send; |
goto send; |
| } |
} |
| |
dump_dest_constraints(__func__, dest_constraints, ndest_constraints); |
| if (e->nsession_ids != 0 && !remote_add_provider) { |
if (e->nsession_ids != 0 && !remote_add_provider) { |
| verbose("failed PKCS#11 add of \"%.100s\": remote addition of " |
verbose("failed PKCS#11 add of \"%.100s\": remote addition of " |
| "providers is disabled", provider); |
"providers is disabled", provider); |
|
|
| } |
} |
| id->death = death; |
id->death = death; |
| id->confirm = confirm; |
id->confirm = confirm; |
| id->dest_constraints = dest_constraints; |
id->dest_constraints = dup_dest_constraints( |
| |
dest_constraints, ndest_constraints); |
| id->ndest_constraints = ndest_constraints; |
id->ndest_constraints = ndest_constraints; |
| dest_constraints = NULL; /* transferred */ |
|
| ndest_constraints = 0; |
|
| TAILQ_INSERT_TAIL(&idtab->idlist, id, next); |
TAILQ_INSERT_TAIL(&idtab->idlist, id, next); |
| idtab->nentries++; |
idtab->nentries++; |
| success = 1; |
success = 1; |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-agent.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh