- markus@cvs.openbsd.org 2002/06/15 01:27:48

[authfd.c authfd.h ssh-add.c ssh-agent.c]
     remove the CONSTRAIN_IDENTITY messages and introduce a new
     ADD_ID message with contraints instead. contraints can be
     only added together with the private key.

ChangeLog

@@ -12,6 +12,11 @@
    - markus@cvs.openbsd.org 2002/06/15 00:07:38
      [authfd.c authfd.h ssh-add.c ssh-agent.c]
      fix stupid typo
+  - markus@cvs.openbsd.org 2002/06/15 01:27:48
+     [authfd.c authfd.h ssh-add.c ssh-agent.c]
+     remove the CONSTRAIN_IDENTITY messages and introduce a new
+     ADD_ID message with contraints instead. contraints can be
+     only added together with the private key.
 
 20020613
  - (bal) typo of setgroup for cygwin.  Patch by vinschen@redhat.com
@@ -940,4 +945,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2220 2002/06/21 00:06:54 mouring Exp $
+$Id: ChangeLog,v 1.2221 2002/06/21 00:08:39 mouring Exp $

authfd.c

@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.53 2002/06/15 00:07:38 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.54 2002/06/15 01:27:48 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -439,8 +439,6 @@ ssh_agent_sign(AuthenticationConnection *auth,
 static void
 ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 {
-	buffer_clear(b);
-	buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
 	buffer_put_int(b, BN_num_bits(key->n));
 	buffer_put_bignum(b, key->n);
 	buffer_put_bignum(b, key->e);
@@ -455,8 +453,6 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 static void
 ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
 {
-	buffer_clear(b);
-	buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
 	buffer_put_cstring(b, key_ssh_name(key));
 	switch (key->type) {
 	case KEY_RSA:
@@ -484,19 +480,28 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
  */
 
 int
-ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
+    const char *comment, u_int life)
 {
 	Buffer msg;
-	int type;
+	int type, constrained = (life != 0);
 
 	buffer_init(&msg);
 
 	switch (key->type) {
 	case KEY_RSA1:
+		type = constrained ?
+		    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
+		    SSH_AGENTC_ADD_RSA_IDENTITY;
+		buffer_put_char(&msg, type);
 		ssh_encode_identity_rsa1(&msg, key->rsa, comment);
 		break;
 	case KEY_RSA:
 	case KEY_DSA:
+		type = constrained ?
+		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
+		    SSH2_AGENTC_ADD_IDENTITY;
+		buffer_put_char(&msg, type);
 		ssh_encode_identity_ssh2(&msg, key, comment);
 		break;
 	default:
@@ -504,6 +509,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
 		return 0;
 		break;
 	}
+	if (constrained) {
+		if (life != 0) {
+			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
+			buffer_put_int(&msg, life);
+		}
+	}
 	if (ssh_request_reply(auth, &msg, &msg) == 0) {
 		buffer_free(&msg);
 		return 0;
@@ -513,6 +524,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
 	return decode_reply(type);
 }
 
+int
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+{
+	return ssh_add_identity_constrained(auth, key, comment, 0);
+}
+
 /*
  * Removes an identity from the authentication server.  This call is not
  * meant to be used by normal applications.
@@ -551,42 +568,6 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 	return decode_reply(type);
 }
 
-int
-ssh_constrain_identity(AuthenticationConnection *auth, Key *key, u_int life)
-{
-	Buffer msg;
-	int type;
-	u_char *blob;
-	u_int blen;
-
-	buffer_init(&msg);
-
-	if (key->type == KEY_RSA1) {
-		buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY1);
-		buffer_put_int(&msg, BN_num_bits(key->rsa->n));
-		buffer_put_bignum(&msg, key->rsa->e);
-		buffer_put_bignum(&msg, key->rsa->n);
-	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
-		key_to_blob(key, &blob, &blen);
-		buffer_put_char(&msg, SSH_AGENTC_CONSTRAIN_IDENTITY);
-		buffer_put_string(&msg, blob, blen);
-		xfree(blob);
-	} else {
-		buffer_free(&msg);
-		return 0;
-	}
-	buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
-	buffer_put_int(&msg, life);
-
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return 0;
-	}
-	type = buffer_get_char(&msg);
-	buffer_free(&msg);
-	return decode_reply(type);
-}
-
 int
 ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
 {

authfd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: authfd.h,v 1.28 2002/06/15 00:07:38 markus Exp $	*/
+/*	$OpenBSD: authfd.h,v 1.29 2002/06/15 01:27:48 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,9 +46,9 @@
 #define SSH_AGENTC_LOCK				22
 #define SSH_AGENTC_UNLOCK		        23
 
-/* constrain key usage */
-#define	SSH_AGENTC_CONSTRAIN_IDENTITY1		24
-#define	SSH_AGENTC_CONSTRAIN_IDENTITY		25
+/* add key with constraints */
+#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED	24
+#define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
 
 #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
 
@@ -75,7 +75,7 @@ int	 ssh_get_num_identities(AuthenticationConnection *, int);
 Key	*ssh_get_first_identity(AuthenticationConnection *, char **, int);
 Key	*ssh_get_next_identity(AuthenticationConnection *, char **, int);
 int	 ssh_add_identity(AuthenticationConnection *, Key *, const char *);
-int	 ssh_constrain_identity(AuthenticationConnection *, Key *, u_int);
+int	 ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int);
 int	 ssh_remove_identity(AuthenticationConnection *, Key *);
 int	 ssh_remove_all_identities(AuthenticationConnection *, int);
 int	 ssh_lock_agent(AuthenticationConnection *, int, const char *);

ssh-add.c

@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.59 2002/06/15 00:07:38 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.60 2002/06/15 01:27:48 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -164,22 +164,18 @@ add_file(AuthenticationConnection *ac, const char *filename)
 			strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
 		}
 	}
-	if (ssh_add_identity(ac, private, comment)) {
+
+	if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
 		ret = 0;
-	} else
+		if (lifetime != 0)
+                        fprintf(stderr,
+			    "Lifetime set to %d seconds\n", lifetime);
+	} else if (ssh_add_identity(ac, private, comment)) {
+		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
+		ret = 0;
+	} else {
 		fprintf(stderr, "Could not add identity: %s\n", filename);
-
-	if (ret == 0 && lifetime != 0) {
-		if (ssh_constrain_identity(ac, private, lifetime)) {
-			fprintf(stderr,
-			    "Lifetime set to %d seconds for: %s (%s)\n",
-			    lifetime, filename, comment);
-		} else {
-			fprintf(stderr,
-			    "Could not set lifetime for identity: %s\n",
-			    filename);
-		}
 	}
 
 	xfree(comment);

ssh-agent.c

@@ -35,7 +35,7 @@
 
 #include "includes.h"
 #include "openbsd-compat/fake-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.93 2002/06/15 00:07:38 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.94 2002/06/15 01:27:48 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -395,7 +395,7 @@ process_add_identity(SocketEntry *e, int version)
 	Key *k = NULL;
 	char *type_name;
 	char *comment;
-	int type, success = 0;
+	int type, success = 0, death = 0;
 	Idtab *tab = idtab_lookup(version);
 
 	switch (version) {
@@ -451,46 +451,6 @@ process_add_identity(SocketEntry *e, int version)
 		goto send;
 	}
 	success = 1;
-	if (lookup_identity(k, version) == NULL) {
-		Identity *id = xmalloc(sizeof(Identity));
-		id->key = k;
-		id->comment = comment;
-		id->death = 0;
-		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-		/* Increment the number of identities. */
-		tab->nentries++;
-	} else {
-		key_free(k);
-		xfree(comment);
-	}
-send:
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output,
-	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
-
-static void
-process_constrain_identity(SocketEntry *e, int version)
-{
-	Key *key = NULL;
-	u_char *blob;
-	u_int blen, bits, death = 0;
-	int success = 0;
-
-	switch (version) {
-	case 1:
-		key = key_new(KEY_RSA1);
-		bits = buffer_get_int(&e->request);
-		buffer_get_bignum(&e->request, key->rsa->e);
-		buffer_get_bignum(&e->request, key->rsa->n);
-
-		break;
-	case 2:
-		blob = buffer_get_string(&e->request, &blen);
-		key = key_from_blob(blob, blen);
-		xfree(blob);
-		break;
-	}
 	while (buffer_len(&e->request)) {
 		switch (buffer_get_char(&e->request)) {
 		case SSH_AGENT_CONSTRAIN_LIFETIME:
@@ -500,14 +460,19 @@ process_constrain_identity(SocketEntry *e, int version)
 			break;
 		}
 	}
-	if (key != NULL) {
-		Identity *id = lookup_identity(key, version);
-		if (id != NULL && id->death == 0 && death != 0) {
-			id->death = death;
-			success = 1;
-		}
-		key_free(key);
+	if (lookup_identity(k, version) == NULL) {
+		Identity *id = xmalloc(sizeof(Identity));
+		id->key = k;
+		id->comment = comment;
+		id->death = death;
+		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+		/* Increment the number of identities. */
+		tab->nentries++;
+	} else {
+		key_free(k);
+		xfree(comment);
 	}
+send:
 	buffer_put_int(&e->output, 1);
 	buffer_put_char(&e->output,
 	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
@@ -706,6 +671,7 @@ process_message(SocketEntry *e)
 		process_request_identities(e, 1);
 		break;
 	case SSH_AGENTC_ADD_RSA_IDENTITY:
+	case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED:
 		process_add_identity(e, 1);
 		break;
 	case SSH_AGENTC_REMOVE_RSA_IDENTITY:
@@ -714,9 +680,6 @@ process_message(SocketEntry *e)
 	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
 		process_remove_all_identities(e, 1);
 		break;
-	case SSH_AGENTC_CONSTRAIN_IDENTITY1:
-		process_constrain_identity(e, 1);
-		break;
 	/* ssh2 */
 	case SSH2_AGENTC_SIGN_REQUEST:
 		process_sign_request2(e);
@@ -725,6 +688,7 @@ process_message(SocketEntry *e)
 		process_request_identities(e, 2);
 		break;
 	case SSH2_AGENTC_ADD_IDENTITY:
+	case SSH2_AGENTC_ADD_ID_CONSTRAINED:
 		process_add_identity(e, 2);
 		break;
 	case SSH2_AGENTC_REMOVE_IDENTITY:
@@ -733,9 +697,6 @@ process_message(SocketEntry *e)
 	case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
 		process_remove_all_identities(e, 2);
 		break;
-	case SSH_AGENTC_CONSTRAIN_IDENTITY:
-		process_constrain_identity(e, 2);
-		break;
 #ifdef SMARTCARD
 	case SSH_AGENTC_ADD_SMARTCARD_KEY:
 		process_add_smartcard_key(e);