From 2aeefc3f8a8174d7c23f7ec8e92ecebb47db0b49 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Sun, 3 Sep 2023 18:26:04 +0200 Subject: ssh: add support for SSH_AGENT_CONSTRAIN_EXTENSION with id 255 it was changed in the following draft https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent-03 The id 3 is now used for SSH_AGENT_CONSTRAIN_MAXSIGN key constraint, an OpenSSH extension to the protocol that we do not currently support. Instead, we added a compatibility layer for SSH_AGENT_CONSTRAIN_EXTENSION with ID 3. Fixes golang/go#62311 Change-Id: I421aee92aee9e693e43f66e6a5515c055333cb9b Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525355 Reviewed-by: Matthew Dempsky Run-TryBot: Nicola Murino Reviewed-by: Filippo Valsorda TryBot-Result: Gopher Robot Reviewed-by: Than McIntosh
---
 ssh/agent/client.go | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'ssh/agent/client.go')
diff --git a/ssh/agent/client.go b/ssh/agent/client.go
index 9f09aae..fecba8e 100644
--- a/ssh/agent/client.go
+++ b/ssh/agent/client.go
@@ -141,9 +141,14 @@ const (
 agentAddSmartcardKeyConstrained = 26 // 3.7 Key constraint identifiers
- agentConstrainLifetime = 1
- agentConstrainConfirm = 2
- agentConstrainExtension = 3
+ agentConstrainLifetime = 1
+ agentConstrainConfirm = 2
+ // Constraint extension identifier up to version 2 of the protocol. A
+ // backward incompatible change will be required if we want to add support
+ // for SSH_AGENT_CONSTRAIN_MAXSIGN which uses the same ID.
+ agentConstrainExtensionV00 = 3
+ // Constraint extension identifier in version 3 and later of the protocol.
+ agentConstrainExtension = 255
 ) // maxAgentResponseBytes is the maximum agent reply size that is accepted. This
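Review bot: The new comments on `agentConstrainExtensionV00` and `agentConstrainExtension` say "version 2 of the protocol" and "version 3 and later of the protocol", which is easy to misread as the SSH protocol version rather than a revision of the agent draft that the commit message links. Naming the draft would remove the ambiguity, for example `// Constraint extension identifier in draft-miller-ssh-agent revisions up to 02.` and `// Constraint extension identifier in draft-miller-ssh-agent-03 and later.`. No use of `agentConstrainExtensionV00` is visible in the hunks shown here, so a short note on where the legacy ID is consulted would also help the next reader. The const block starts before this hunk.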
@@ -205,7 +210,7 @@ type constrainLifetimeAgentMsg struct {
 }
 type constrainExtensionAgentMsg struct {
- ExtensionName string `sshtype:"3"`
+ ExtensionName string `sshtype:"255|3"`
 ExtensionDetails []byte // Rest is a field used for parsing, not part of message
--
cgit v1.3
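Review bot: With `sshtype:"255|3"` on `ExtensionName`, a constraint carrying ID 3 is always decoded as an extension, although the commit message says ID 3 now means SSH_AGENT_CONSTRAIN_MAXSIGN for OpenSSH peers. Whether such a payload fails to parse cleanly or produces a bogus name/details pair depends on decoding code outside this hunk, so a test that feeds a MAXSIGN-shaped constraint and asserts the key add is rejected, not accepted with the limit silently dropped, would pin the fail-closed behaviour. The tag also gives no hint which of the two values is written on the wire (presumably the first), which matters when talking to agents that know only ID 3. A comment above the struct would record both points, e.g. `// ID 255 is the current identifier; ID 3 is accepted for peers implementing older drafts and is never treated as SSH_AGENT_CONSTRAIN_MAXSIGN.`. The struct body continues past the end of the hunk.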