authorDamien Miller <djm@cvs.openbsd.org>2019-11-16 22:36:49 +0000
committerDamien Miller <djm@cvs.openbsd.org>2019-11-16 22:36:49 +0000
commit910ee7ecf33bee8ba403db63750673bd4cd62738 (patch)
treeda8dbba284b430acca4252886db7f0160c0a41c2
parent6b450d74bbb6452f5c9f97b3ff88da3832bdfe85 (diff)
always use ssh-sk-helper, even for the internal USB HID support.
This avoids the need for a wpath pledge in ssh-agent. reported by jmc@
-rw-r--r--usr.bin/ssh/ssh-agent.c44
1 files changed, 11 insertions, 33 deletions
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index 91e69a1d01e..059788a4333 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.246 2019/11/15 05:37:27 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.247 2019/11/16 22:36:48 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -285,23 +285,6 @@ provider_sign(const char *provider, struct sshkey *key,
*sigp = NULL;
*lenp = 0;
- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
- SSH_FP_DEFAULT)) == NULL)
- fatal("%s: sshkey_fingerprint failed", __func__);
- notifier = notify_start(0,
- "Confirm user presence for key %s %s", sshkey_type(key), fp);
-
- if (strcasecmp(provider, "internal") == 0) {
- r = sshsk_sign(provider, key, sigp, lenp,
- data, datalen, compat);
- if (r != 0) {
- error("%s: sshsk_sign internal: %s",
- __func__, ssh_err(r));
- }
- notify_complete(notifier);
- return r;
- }
-
helper = getenv("SSH_SK_HELPER");
if (helper == NULL || strlen(helper) == 0)
helper = _PATH_SSH_SK_HELPER;
@@ -344,6 +327,13 @@ provider_sign(const char *provider, struct sshkey *key,
(r = sshbuf_put_string(req, data, datalen)) != 0 ||
(r = sshbuf_put_u32(req, compat)) != 0)
fatal("%s: compose: %s", __func__, ssh_err(r));
+
+ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: sshkey_fingerprint failed", __func__);
+ notifier = notify_start(0,
+ "Confirm user presence for key %s %s", sshkey_type(key), fp);
+
if ((r = ssh_msg_send(pair[0], SSH_SK_HELPER_VERSION, req)) != 0) {
error("%s: send: %s", __func__, ssh_err(r));
goto out;
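Review bot: The user-presence notifier and its fingerprint are now created after the request is composed but immediately before `ssh_msg_send`, so the `goto out` on a send failure in this hunk relies on the `out:` cleanup (outside the hunk) freeing `fp` and calling `notify_complete(notifier)`; that cleanup presumably already exists because earlier `goto out` paths in provider_sign ran with both set, but `fp` and `notifier` must now be initialised to NULL at their declarations (also outside the hunk) so the paths that jump before this block remain safe. The sshkey_fingerprint result is used only to build the prompt text, so a short comment above the new block would spare the next reader from asking why it was moved: `/* Prompt the user for touch only once the request is ready to hand to the helper. */`. provider_sign's body continues beyond this hunk.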
@@ -409,7 +399,7 @@ process_sign_request2(SocketEntry *e)
u_char *signature = NULL;
size_t dlen, slen = 0;
u_int compat = 0, flags;
- int was_shielded, r, r2, ok = -1;
+ int r, ok = -1;
struct sshbuf *msg;
struct sshkey *key = NULL;
struct identity *id;
@@ -432,21 +422,9 @@ process_sign_request2(SocketEntry *e)
goto send;
}
if (id->sk_provider != NULL) {
- was_shielded = sshkey_is_shielded(id->key);
- if ((r = sshkey_unshield_private(id->key)) != 0) {
- error("%s: unshield: %s", __func__, ssh_err(r));
- goto send;
- }
- r = provider_sign(id->sk_provider, id->key, &signature,
+ if ((r = provider_sign(id->sk_provider, id->key, &signature,
&slen, data, dlen, agent_decode_alg(key, flags),
- compat);
- if (was_shielded &&
- (r2 = sshkey_shield_private(id->key)) != 0) {
- error("%s: shield: %s", __func__, ssh_err(r));
- r = r2;
- goto send;
- }
- if (r != 0) {
+ compat)) != 0) {
error("%s: sign: %s", __func__, ssh_err(r));
goto send;
}
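Review bot: With the unshield/shield bracket removed, `id->key` reaches provider_sign while it may still be shielded, so the private-key serialisation inside provider_sign (outside these hunks) must be able to emit a shielded key for the helper — presumably via a shielded-aware serialiser such as sshkey_private_serialize_maybe_shielded, if the tree has it; if it uses a plain serialise routine, every sign request for a shielded security-key identity will now fail here with the `sign:` error. Keeping the key shielded in the agent process for the whole request is the safer arrangement, so any fix belongs in provider_sign rather than in restoring the unshield here. The declaration hunk at -409 (dropping `was_shielded` and `r2`) is the matching half of this change. process_sign_request2 continues outside the hunk.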