summaryrefslogtreecommitdiff
path: root/authfd.c
diff options
context:
space:
mode:
authormarkus@openbsd.org <markus@openbsd.org>2018-02-23 15:58:37 +0000
committerDamien Miller <djm@mindrot.org>2018-02-26 11:40:41 +1100
commit1b11ea7c58cd5c59838b5fa574cd456d6047b2d4 (patch)
tree7e96cb41b5234b9d327f7c8f41392f09aed0994e /authfd.c
parent7d330a1ac02076de98cfc8fda05353d57b603755 (diff)
upstream: Add experimental support for PQC XMSS keys (Extended
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
Diffstat (limited to 'authfd.c')
-rw-r--r--authfd.c39
1 files changed, 18 insertions, 21 deletions
diff --git a/authfd.c b/authfd.c
index 148bc9bf..1eff7ba9 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.107 2018/02/10 09:25:34 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.108 2018/02/23 15:58:37 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -129,7 +129,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
/* Get the length of the message, and format it in the buffer. */
len = sshbuf_len(request);
- put_u32(buf, len);
+ POKE_U32(buf, len);
/* Send the length and then the packet to the agent. */
if (atomicio(vwrite, sock, buf, 4) != 4 ||
@@ -144,7 +144,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
return SSH_ERR_AGENT_COMMUNICATION;
/* Extract the length, and check it for sanity. */
- len = get_u32(buf);
+ len = PEEK_U32(buf);
if (len > MAX_AGENT_REPLY_LEN)
return SSH_ERR_INVALID_FORMAT;
@@ -391,19 +391,7 @@ ssh_agent_sign(int sock, const struct sshkey *key,
static int
-ssh_encode_identity_ssh2(struct sshbuf *b, const struct sshkey *key,
- const char *comment)
-{
- int r;
-
- if ((r = sshkey_private_serialize(key, b)) != 0 ||
- (r = sshbuf_put_cstring(b, comment)) != 0)
- return r;
- return 0;
-}
-
-static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
{
int r;
@@ -416,6 +404,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_CONFIRM)) != 0)
goto out;
}
+ if (maxsign != 0) {
+ if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_MAXSIGN)) != 0 ||
+ (r = sshbuf_put_u32(m, maxsign)) != 0)
+ goto out;
+ }
r = 0;
out:
return r;
@@ -427,10 +420,10 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
*/
int
ssh_add_identity_constrained(int sock, const struct sshkey *key,
- const char *comment, u_int life, u_int confirm)
+ const char *comment, u_int life, u_int confirm, u_int maxsign)
{
struct sshbuf *msg;
- int r, constrained = (life || confirm);
+ int r, constrained = (life || confirm || maxsign);
u_char type;
if ((msg = sshbuf_new()) == NULL)
@@ -447,11 +440,15 @@ ssh_add_identity_constrained(int sock, const struct sshkey *key,
#endif
case KEY_ED25519:
case KEY_ED25519_CERT:
+ case KEY_XMSS:
+ case KEY_XMSS_CERT:
type = constrained ?
SSH2_AGENTC_ADD_ID_CONSTRAINED :
SSH2_AGENTC_ADD_IDENTITY;
if ((r = sshbuf_put_u8(msg, type)) != 0 ||
- (r = ssh_encode_identity_ssh2(msg, key, comment)) != 0)
+ (r = sshkey_private_serialize_maxsign(key, msg, maxsign,
+ NULL)) != 0 ||
+ (r = sshbuf_put_cstring(msg, comment)) != 0)
goto out;
break;
default:
@@ -459,7 +456,7 @@ ssh_add_identity_constrained(int sock, const struct sshkey *key,
goto out;
}
if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
@@ -537,7 +534,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
(r = sshbuf_put_cstring(msg, pin)) != 0)
goto out;
if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, 0)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;