ssh-sk-helper: check RP ID against ssh: prefix (#553)
This commit is contained in:
parent
d4b3264993
commit
af7130c91b
|
@ -112,10 +112,20 @@ process_sign(struct sshbuf *req)
|
||||||
|
|
||||||
if ((r = sshkey_private_deserialize(kbuf, &key)) != 0)
|
if ((r = sshkey_private_deserialize(kbuf, &key)) != 0)
|
||||||
fatal_r(r, "%s: Unable to parse private key", __progname);
|
fatal_r(r, "%s: Unable to parse private key", __progname);
|
||||||
|
#ifndef WINDOWS
|
||||||
if (!sshkey_is_sk(key)) {
|
if (!sshkey_is_sk(key)) {
|
||||||
fatal("%s: Unsupported key type %s",
|
fatal("%s: Unsupported key type %s",
|
||||||
__progname, sshkey_ssh_name(key));
|
__progname, sshkey_ssh_name(key));
|
||||||
}
|
}
|
||||||
|
#else
|
||||||
|
if (!sshkey_is_sk(key) || key->sk_application == NULL) {
|
||||||
|
fatal("%s: Unsupported key type %s",
|
||||||
|
__progname, sshkey_ssh_name(key));
|
||||||
|
}
|
||||||
|
if (strncmp(key->sk_application, "ssh:", 4) != 0) {
|
||||||
|
fatal("%s: web-origin key", __progname);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
debug_f("ready to sign with key %s, provider %s: "
|
debug_f("ready to sign with key %s, provider %s: "
|
||||||
"msg len %zu, compat 0x%lx", sshkey_type(key),
|
"msg len %zu, compat 0x%lx", sshkey_type(key),
|
||||||
|
@ -174,6 +184,10 @@ process_enroll(struct sshbuf *req)
|
||||||
|
|
||||||
if (type > INT_MAX)
|
if (type > INT_MAX)
|
||||||
fatal("%s: bad type %u", __progname, type);
|
fatal("%s: bad type %u", __progname, type);
|
||||||
|
#ifdef WINDOWS
|
||||||
|
if (application == NULL || strncmp(application, "ssh:", 4) != 0)
|
||||||
|
fatal("%s: bogus application", __progname);
|
||||||
|
#endif
|
||||||
if (sshbuf_len(challenge) == 0) {
|
if (sshbuf_len(challenge) == 0) {
|
||||||
sshbuf_free(challenge);
|
sshbuf_free(challenge);
|
||||||
challenge = NULL;
|
challenge = NULL;
|
||||||
|
@ -246,6 +260,11 @@ process_load_resident(struct sshbuf *req)
|
||||||
fatal_r(r, "%s: compose", __progname);
|
fatal_r(r, "%s: compose", __progname);
|
||||||
|
|
||||||
for (i = 0; i < nkeys; i++) {
|
for (i = 0; i < nkeys; i++) {
|
||||||
|
#ifdef WINDOWS
|
||||||
|
if (keys[i]->sk_application == NULL ||
|
||||||
|
strncmp(keys[i]->sk_application, "ssh:", 4) != 0)
|
||||||
|
fatal("%s: non-ssh application", __progname);
|
||||||
|
#endif
|
||||||
debug_f("key %zu %s %s", i, sshkey_type(keys[i]),
|
debug_f("key %zu %s %s", i, sshkey_type(keys[i]),
|
||||||
keys[i]->sk_application);
|
keys[i]->sk_application);
|
||||||
sshbuf_reset(kbuf);
|
sshbuf_reset(kbuf);
|
||||||
|
|
Loading…
Reference in New Issue