- markus@cvs.openbsd.org 2002/06/15 00:01:36
authormouring <mouring>
Fri, 21 Jun 2002 00:04:48 +0000 (00:04 +0000)
committermouring <mouring>
Fri, 21 Jun 2002 00:04:48 +0000 (00:04 +0000)
     [authfd.c authfd.h ssh-add.c ssh-agent.c]
     break agent key lifetime protocol and allow other constraints for key
     usage.

ChangeLog
authfd.c
authfd.h
ssh-add.c
ssh-agent.c

index 2b7fad2ce9f1c3e697066052321abbd26b587907..0fc6716aa2217c97c8caad372840bb5e0de3e452 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
    - todd@cvs.openbsd.org 2002/06/14 21:35:00
      [monitor_wrap.c]
      spelling; from Brian Poole <raj@cerias.purdue.edu>
+   - markus@cvs.openbsd.org 2002/06/15 00:01:36
+     [authfd.c authfd.h ssh-add.c ssh-agent.c]
+     break agent key lifetime protocol and allow other contraints for key
+     usage.
 
 20020613
  - (bal) typo of setgroup for cygwin.  Patch by vinschen@redhat.com
index 0f84e321cf96c45ea642b081affad5383de74c0c..b16bc470b6f3941ae93c24009c6cf02111780817 100644 (file)
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.51 2002/06/05 21:55:44 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.52 2002/06/15 00:01:36 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -552,7 +552,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 }
 
 int
-ssh_lifetime_identity(AuthenticationConnection *auth, Key *key, u_int life)
+ssh_contrain_identity(AuthenticationConnection *auth, Key *key, u_int life)
 {
        Buffer msg;
        int type;
@@ -562,21 +562,22 @@ ssh_lifetime_identity(AuthenticationConnection *auth, Key *key, u_int life)
        buffer_init(&msg);
 
        if (key->type == KEY_RSA1) {
-               buffer_put_char(&msg, SSH_AGENTC_LIFETIME_IDENTITY1);
-               buffer_put_int(&msg, life);
+               buffer_put_char(&msg, SSH_AGENTC_CONTRAIN_IDENTITY1);
                buffer_put_int(&msg, BN_num_bits(key->rsa->n));
                buffer_put_bignum(&msg, key->rsa->e);
                buffer_put_bignum(&msg, key->rsa->n);
        } else if (key->type == KEY_DSA || key->type == KEY_RSA) {
                key_to_blob(key, &blob, &blen);
-               buffer_put_char(&msg, SSH_AGENTC_LIFETIME_IDENTITY);
-               buffer_put_int(&msg, life);
+               buffer_put_char(&msg, SSH_AGENTC_CONTRAIN_IDENTITY);
                buffer_put_string(&msg, blob, blen);
                xfree(blob);
        } else {
                buffer_free(&msg);
                return 0;
        }
+       buffer_put_char(&msg, SSH_AGENT_CONTRAIN_LIFETIME);
+       buffer_put_int(&msg, life);
+
        if (ssh_request_reply(auth, &msg, &msg) == 0) {
                buffer_free(&msg);
                return 0;
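Review bot: The new identifiers `ssh_contrain_identity`, `SSH_AGENTC_CONTRAIN_IDENTITY1`, `SSH_AGENTC_CONTRAIN_IDENTITY` and `SSH_AGENT_CONTRAIN_LIFETIME` introduced in this hunk misspell "constrain", and since the two SSH_AGENTC_ values name protocol messages that other agent implementations will mirror, renaming them to `ssh_constrain_identity`, `SSH_AGENTC_CONSTRAIN_IDENTITY1`, `SSH_AGENTC_CONSTRAIN_IDENTITY` and `SSH_AGENT_CONSTRAIN_LIFETIME` while the message numbers are being changed anyway is far cheaper than doing it later. The same spelling is carried into authfd.h, ssh-add.c and ssh-agent.c in this commit. The hunk also moves the lifetime out of the fixed message body into a trailing constraint, so a one-line comment above `buffer_put_char(&msg, SSH_AGENT_CONTRAIN_LIFETIME);` such as `/* constraints follow the key: a type byte, then that type's payload */` would record the wire layout that future constraint types must follow. The remainder of ssh_contrain_identity lies outside the hunk.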
index 263e4b97d68ae75da7a4262ef23a3cd7b1b5c75b..e3ef6ff5e1ea8c4d4e25018d5084bcf424e0d106 100644 (file)
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: authfd.h,v 1.26 2002/06/05 21:55:44 markus Exp $      */
+/*     $OpenBSD: authfd.h,v 1.27 2002/06/15 00:01:36 markus Exp $      */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
 #define SSH_AGENTC_LOCK                                22
 #define SSH_AGENTC_UNLOCK                      23
 
-/* set key lifetime */
-#define        SSH_AGENTC_LIFETIME_IDENTITY1           24
-#define        SSH_AGENTC_LIFETIME_IDENTITY            25
+/* constrain key usage */
+#define        SSH_AGENTC_CONTRAIN_IDENTITY1           24
+#define        SSH_AGENTC_CONTRAIN_IDENTITY            25
+
+#define        SSH_AGENT_CONTRAIN_LIFETIME             1
 
 /* extended failure messages */
 #define SSH2_AGENT_FAILURE                     30
@@ -73,7 +75,7 @@ int    ssh_get_num_identities(AuthenticationConnection *, int);
 Key    *ssh_get_first_identity(AuthenticationConnection *, char **, int);
 Key    *ssh_get_next_identity(AuthenticationConnection *, char **, int);
 int     ssh_add_identity(AuthenticationConnection *, Key *, const char *);
-int     ssh_lifetime_identity(AuthenticationConnection *, Key *, u_int);
+int     ssh_contrain_identity(AuthenticationConnection *, Key *, u_int);
 int     ssh_remove_identity(AuthenticationConnection *, Key *);
 int     ssh_remove_all_identities(AuthenticationConnection *, int);
 int     ssh_lock_agent(AuthenticationConnection *, int, const char *);
index 30d635400f5c3f99f67305377a21fbdc097f8510..cfd622d77588b48f7dac716e51f59a0637848fa3 100644 (file)
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.57 2002/06/10 17:36:23 stevesk Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.58 2002/06/15 00:01:36 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -171,7 +171,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
                fprintf(stderr, "Could not add identity: %s\n", filename);
 
        if (ret == 0 && lifetime != 0) {
-               if (ssh_lifetime_identity(ac, private, lifetime)) {
+               if (ssh_contrain_identity(ac, private, lifetime)) {
                        fprintf(stderr,
                            "Lifetime set to %d seconds for: %s (%s)\n",
                            lifetime, filename, comment);
index b89ead6e5f8543fff63110d6b73ec25a466ffeb4..4a288199f09aa786d79f0ff2de53cd4ffb216382 100644 (file)
@@ -35,7 +35,7 @@
 
 #include "includes.h"
 #include "openbsd-compat/fake-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.91 2002/06/11 05:46:20 mpech Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.92 2002/06/15 00:01:36 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -470,15 +470,13 @@ send:
 }
 
 static void
-process_lifetime_identity(SocketEntry *e, int version)
+process_contrain_identity(SocketEntry *e, int version)
 {
        Key *key = NULL;
        u_char *blob;
-       u_int blen, bits, death;
+       u_int blen, bits, death = 0;
        int success = 0;
 
-       death = time(NULL) + buffer_get_int(&e->request);
-
        switch (version) {
        case 1:
                key = key_new(KEY_RSA1);
@@ -493,9 +491,18 @@ process_lifetime_identity(SocketEntry *e, int version)
                xfree(blob);
                break;
        }
+       while (buffer_len(&e->request)) {
+               switch (buffer_get_char(&e->request)) {
+               case SSH_AGENT_CONTRAIN_LIFETIME:
+                       death = time(NULL) + buffer_get_int(&e->request);
+                       break;
+               default:
+                       break;
+               }
+       }
        if (key != NULL) {
                Identity *id = lookup_identity(key, version);
-               if (id != NULL && id->death == 0) {
+               if (id != NULL && id->death == 0 && death != 0) {
                        id->death = death;
                        success = 1;
                }
@@ -707,8 +714,8 @@ process_message(SocketEntry *e)
        case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
                process_remove_all_identities(e, 1);
                break;
-       case SSH_AGENTC_LIFETIME_IDENTITY1:
-               process_lifetime_identity(e, 1);
+       case SSH_AGENTC_CONTRAIN_IDENTITY1:
+               process_contrain_identity(e, 1);
                break;
        /* ssh2 */
        case SSH2_AGENTC_SIGN_REQUEST:
@@ -726,8 +733,8 @@ process_message(SocketEntry *e)
        case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
                process_remove_all_identities(e, 2);
                break;
-       case SSH_AGENTC_LIFETIME_IDENTITY:
-               process_lifetime_identity(e, 2);
+       case SSH_AGENTC_CONTRAIN_IDENTITY:
+               process_contrain_identity(e, 2);
                break;
 #ifdef SMARTCARD
        case SSH_AGENTC_ADD_SMARTCARD_KEY:
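Review bot: In the constraint loop added to process_contrain_identity (hunk @@ -493,9 +491,18 @@), the `default: break;` arm consumes an unrecognised constraint type byte but not its payload, whose length the agent cannot know, so any following payload bytes are re-read as further constraint types and the loop only stops once the buffer happens to run dry. An unknown constraint should fail the whole request rather than be skipped, for example `default: death = 0; buffer_clear(&e->request); break;` so that the later `death != 0` test reports failure even when a valid lifetime preceded it. The `SSH_AGENT_CONTRAIN_LIFETIME` arm also reads four bytes without first checking `buffer_len(&e->request) >= 4`; if buffer_get_int() handles underflow by calling fatal() as the other buffer_get helpers do, a truncated request from any client that can reach the socket would terminate the agent, so a length check before the read is worth adding. The tail of the function, where `success` is reported to the client, lies outside the hunk.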