From f8e42e89e3404f91d397e325c94af6494786e90f Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Sun, 9 Oct 2016 12:31:27 +0200 Subject: avoid warning about unused result of chdir() --- ssh-agent-filter.C | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 2878678..cbf5f45 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -543,8 +543,9 @@ int main (int const argc, char const * const * const argv) { exit(EX_OK); } + // the following stuff is optional, so we don't do error checking setsid(); - chdir("/"); + static_cast(chdir("/")); int devnull = open("/dev/null", O_RDWR); dup2(devnull, 0); dup2(devnull, 1); -- cgit v1.2.3 From 6b20192d53aea20ea5ba9725aebe2b7c7d8d8875 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Wed, 27 Dec 2017 16:54:54 +0100 Subject: follow API change in nettle 3.4 Closes: 884400 --- ssh-agent-filter.C | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index cbf5f45..121729a 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -110,18 +110,18 @@ string md5_hex (string const & s) { md5_update(&ctx, s.size(), reinterpret_cast(s.data())); uint8_t bin[MD5_DIGEST_SIZE]; md5_digest(&ctx, MD5_DIGEST_SIZE, bin); - uint8_t hex[BASE16_ENCODE_LENGTH(MD5_DIGEST_SIZE)]; + char hex[BASE16_ENCODE_LENGTH(MD5_DIGEST_SIZE)]; base16_encode_update(hex, MD5_DIGEST_SIZE, bin); - return {reinterpret_cast(hex), sizeof(hex)}; + return {hex, sizeof(hex)}; } string base64_encode (string const & s) { struct base64_encode_ctx ctx; base64_encode_init(&ctx); - uint8_t b64[BASE64_ENCODE_LENGTH(s.size())]; + char b64[BASE64_ENCODE_LENGTH(s.size())]; auto len = base64_encode_update(&ctx, b64, s.size(), reinterpret_cast(s.data())); len += base64_encode_final(&ctx, b64 + len); - return {reinterpret_cast(b64), len}; + return {b64, len}; } void cloexec (int fd) { -- cgit v1.2.3 From c97c3087ad393eef928f961869b0c5e400f8a66f Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Sat, 6 Jan 2018 12:55:28 +0100 Subject: add dissection for cert signing requests --- ssh-agent-filter.C | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 121729a..7213f7c 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -329,6 +329,65 @@ bool confirm (string const & question) { } } +bool dissect_auth_data_ssh_cert (rfc4251::string const & data, string & request_description) try { + io::stream datastream{data.data(), data.size()}; + arm(datastream); + + // Format specified in https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=1.13 + rfc4251::string keytype{datastream}; + std::string keytype_str{keytype}; + { + // check for and remove suffix to get the base keytype + std::string const suffix{"-cert-v01@openssh.com"}; + if (keytype_str.length() <= suffix.length()) + return false; + auto suffix_start = keytype_str.end() - suffix.length(); + if (!std::equal(suffix.begin(), suffix.end(), suffix_start)) + return false; + keytype_str.erase(suffix_start, keytype_str.end()); + } + rfc4251::string nonce{datastream}; + std::ostringstream key_to_be_signed{}; + if (keytype_str == "ssh-rsa") { + rfc4251::string e{datastream}; + rfc4251::string n{datastream}; + key_to_be_signed << rfc4251::string{keytype_str} << e << n; + } else if (keytype_str == "ssh-dss") { + rfc4251::string p{datastream}; + rfc4251::string q{datastream}; + rfc4251::string g{datastream}; + rfc4251::string y{datastream}; + key_to_be_signed << rfc4251::string{keytype_str} << p << q << g << y; + } else if (keytype_str == "ecdsa-sha2-nistp256" + || keytype_str == "ecdsa-sha2-nistp384" + || keytype_str == "ecdsa-sha2-nistp521") { + rfc4251::string curve{datastream}; + rfc4251::string public_key{datastream}; + key_to_be_signed << rfc4251::string{keytype_str} << curve << public_key; + } else if (keytype_str == "ssh-ed25519") { + rfc4251::string pk{datastream}; + key_to_be_signed << rfc4251::string{keytype_str} << pk; + } else { + return false; + } + rfc4251::uint64 serial{datastream}; + rfc4251::uint32 type{datastream}; + rfc4251::string key_id{datastream}; + rfc4251::string valid_principals{datastream}; + rfc4251::uint64 valid_after{datastream}; + rfc4251::uint64 valid_before{datastream}; + rfc4251::string critical_options{datastream}; + rfc4251::string extensions{datastream}; + rfc4251::string reserved{datastream}; + rfc4251::string signature_key{datastream}; + + request_description = "The request is for a certificate signature on key " + base64_encode(key_to_be_signed.str()) + "."; + + return true; +} catch (...) { + return false; +} + bool dissect_auth_data_ssh (rfc4251::string const & data, string & request_description) try { io::stream datastream{data.data(), data.size()}; arm(datastream); @@ -447,6 +506,8 @@ rfc4251::string handle_request (rfc4251::string const & r) { if (it != confirmed_pubkeys.end()) { string request_description; bool dissect_ok{false}; + if (!dissect_ok) + dissect_ok = dissect_auth_data_ssh_cert(data, request_description); if (!dissect_ok) dissect_ok = dissect_auth_data_ssh(data, request_description); if (!dissect_ok) -- cgit v1.2.3 From 3b9460a74b51119e15e0d57dafb2e0c66326890a Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Mon, 8 Jan 2018 21:08:09 +0100 Subject: update copyright --- Makefile | 2 +- ssh-agent-filter.C | 2 +- tests | 19 +++++++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) (limited to 'ssh-agent-filter.C') diff --git a/Makefile b/Makefile index 9e112a3..9c6a8a4 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -# Copyright (C) 2013-2016 Timo Weingärtner +# Copyright (C) 2013-2018 Timo Weingärtner # # This file is part of ssh-agent-filter. # diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 7213f7c..74b15ab 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -1,7 +1,7 @@ /* * ssh-agent-filter.C -- filtering proxy for ssh-agent meant to be forwarded to untrusted servers * - * Copyright (C) 2013-2016 Timo Weingärtner + * Copyright (C) 2013-2018 Timo Weingärtner * * This file is part of ssh-agent-filter. * diff --git a/tests b/tests index b952141..d47daf1 100755 --- a/tests +++ b/tests @@ -1,5 +1,24 @@ #!/bin/sh +# tests for ssh-agent-filter +# +# Copyright (C) 2018 Timo Weingärtner +# +# This file is part of ssh-agent-filter. +# +# ssh-agent-filter is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# ssh-agent-filter is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with ssh-agent-filter. If not, see . + oneTimeSetUp () { set -e -- cgit v1.2.3