1 /*        $NetBSD: authfd.h,v 1.17 2023/12/20 17:15:20 christos Exp $ */
2 /* $OpenBSD: authfd.h,v 1.52 2023/12/18 14:46:56 djm Exp $ */
3 
4 /*
5  * Author: Tatu Ylonen <ylo@cs.hut.fi>
6  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7  *                    All rights reserved
8  * Functions to interface with the SSH_AUTHENTICATION_FD socket.
9  *
10  * As far as I am concerned, the code I have written for this software
11  * can be used freely for any purpose.  Any derived versions of this
12  * software must be clearly marked as such, and if the derived work is
13  * incompatible with the protocol description in the RFC file, it must be
14  * called by a name other than "ssh" or "Secure Shell".
15  */
16 
17 #ifndef AUTHFD_H
18 #define AUTHFD_H
19 
20 struct sshbuf;
21 struct sshkey;
22 
23 /* List of identities returned by ssh_fetch_identitylist() */
24 struct ssh_identitylist {
25           size_t nkeys;
26           struct sshkey **keys;
27           char **comments;
28 };
29 
30 /* Key destination restrictions */
31 struct dest_constraint_hop {
32           char *user;         /* wildcards allowed */
33           char *hostname; /* used to matching cert principals and for display */
34           int is_ca;
35           u_int nkeys;        /* number of entries in *both* 'keys' and 'key_is_ca' */
36           struct sshkey **keys;
37           int *key_is_ca;
38 };
39 struct dest_constraint {
40           struct dest_constraint_hop from;
41           struct dest_constraint_hop to;
42 };
43 
44 int       ssh_get_authentication_socket(int *fdp);
45 int       ssh_get_authentication_socket_path(const char *authsocket, int *fdp);
46 void      ssh_close_authentication_socket(int sock);
47 
48 int       ssh_lock_agent(int sock, int lock, const char *password);
49 int       ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
50 void      ssh_free_identitylist(struct ssh_identitylist *idl);
51 int       ssh_add_identity_constrained(int sock, struct sshkey *key,
52     const char *comment, u_int life, u_int confirm, u_int maxsign,
53     const char *provider, struct dest_constraint **dest_constraints,
54     size_t ndest_constraints);
55 int       ssh_agent_has_key(int sock, const struct sshkey *key);
56 int       ssh_remove_identity(int sock, const struct sshkey *key);
57 int       ssh_update_card(int sock, int add, const char *reader_id,
58               const char *pin, u_int life, u_int confirm,
59               struct dest_constraint **dest_constraints,
60               size_t ndest_constraints,
61               int cert_only, struct sshkey **certs, size_t ncerts);
62 int       ssh_remove_all_identities(int sock, int version);
63 
64 int       ssh_agent_sign(int sock, const struct sshkey *key,
65               u_char **sigp, size_t *lenp,
66               const u_char *data, size_t datalen, const char *alg, u_int compat);
67 
68 int       ssh_agent_bind_hostkey(int sock, const struct sshkey *key,
69     const struct sshbuf *session_id, const struct sshbuf *signature,
70     int forwarding);
71 
72 /* Messages for the authentication agent connection. */
73 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES         1
74 #define SSH_AGENT_RSA_IDENTITIES_ANSWER           2
75 #define SSH_AGENTC_RSA_CHALLENGE                  3
76 #define SSH_AGENT_RSA_RESPONSE                              4
77 #define SSH_AGENT_FAILURE                         5
78 #define SSH_AGENT_SUCCESS                         6
79 #define SSH_AGENTC_ADD_RSA_IDENTITY               7
80 #define SSH_AGENTC_REMOVE_RSA_IDENTITY            8
81 #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES      9
82 
83 /* private OpenSSH extensions for SSH2 */
84 #define SSH2_AGENTC_REQUEST_IDENTITIES            11
85 #define SSH2_AGENT_IDENTITIES_ANSWER              12
86 #define SSH2_AGENTC_SIGN_REQUEST                  13
87 #define SSH2_AGENT_SIGN_RESPONSE                  14
88 #define SSH2_AGENTC_ADD_IDENTITY                  17
89 #define SSH2_AGENTC_REMOVE_IDENTITY               18
90 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES         19
91 
92 /* smartcard */
93 #define SSH_AGENTC_ADD_SMARTCARD_KEY              20
94 #define SSH_AGENTC_REMOVE_SMARTCARD_KEY           21
95 
96 /* lock/unlock the agent */
97 #define SSH_AGENTC_LOCK                                     22
98 #define SSH_AGENTC_UNLOCK                         23
99 
100 /* add key with constraints */
101 #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED         24
102 #define SSH2_AGENTC_ADD_ID_CONSTRAINED            25
103 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
104 
105 /* generic extension mechanism */
106 #define SSH_AGENTC_EXTENSION                      27
107 
108 #define   SSH_AGENT_CONSTRAIN_LIFETIME            1
109 #define   SSH_AGENT_CONSTRAIN_CONFIRM             2
110 #define   SSH_AGENT_CONSTRAIN_MAXSIGN             3
111 #define   SSH_AGENT_CONSTRAIN_EXTENSION           255
112 
113 /* extended failure messages */
114 #define SSH2_AGENT_FAILURE                        30
115 
116 /* additional error code for ssh.com's ssh-agent2 */
117 #define SSH_COM_AGENT2_FAILURE                              102
118 
119 #define   SSH_AGENT_OLD_SIGNATURE                           0x01
120 #define   SSH_AGENT_RSA_SHA2_256                            0x02
121 #define   SSH_AGENT_RSA_SHA2_512                            0x04
122 
123 #endif                                  /* AUTHFD_H */
124