upstream commit

prefer agent-hosted keys to keys from PKCS#11; ok markus

Upstream-ID: 7417f7653d58d6306d9f8c08d0263d050e2fd8f4

1 files changed, 24 insertions, 24 deletions

diff --git a/sshconnect2.c b/sshconnect2.c
index 945471f15..c0814e5bc 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.243 2016/05/02 10:26:04 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.244 2016/05/23 23:30:50 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1299,29 +1299,6 @@ pubkey_prepare(Authctxt *authctxt)
                 id->userprovided = options.identity_file_userprovided[i];
                 TAILQ_INSERT_TAIL(&files, id, next);
         }
-        /* Prefer PKCS11 keys that are explicitly listed */
-        TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
-                if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0)
-                        continue;
-                found = 0;
-                TAILQ_FOREACH(id2, &files, next) {
-                        if (id2->key == NULL ||
-                            (id2->key->flags & SSHKEY_FLAG_EXT) == 0)
-                                continue;
-                        if (sshkey_equal(id->key, id2->key)) {
-                                TAILQ_REMOVE(&files, id, next);
-                                TAILQ_INSERT_TAIL(preferred, id, next);
-                                found = 1;
-                                break;
-                        }
-                }
-                /* If IdentitiesOnly set and key not found then don't use it */
-                if (!found && options.identities_only) {
-                        TAILQ_REMOVE(&files, id, next);
-                        explicit_bzero(id, sizeof(*id));
-                        free(id);
-                }
-        }
         /* list of certificates specified by user */
         for (i = 0; i < options.num_certificate_files; i++) {
                 key = options.certificates[i];
@@ -1380,6 +1357,29 @@ pubkey_prepare(Authctxt *authctxt)
                 }
                 authctxt->agent_fd = agent_fd;
         }
+        /* Prefer PKCS11 keys that are explicitly listed */
+        TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
+                if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0)
+                        continue;
+                found = 0;
+                TAILQ_FOREACH(id2, &files, next) {
+                        if (id2->key == NULL ||
+                            (id2->key->flags & SSHKEY_FLAG_EXT) == 0)
+                                continue;
+                        if (sshkey_equal(id->key, id2->key)) {
+                                TAILQ_REMOVE(&files, id, next);
+                                TAILQ_INSERT_TAIL(preferred, id, next);
+                                found = 1;
+                                break;
+                        }
+                }
+                /* If IdentitiesOnly set and key not found then don't use it */
+                if (!found && options.identities_only) {
+                        TAILQ_REMOVE(&files, id, next);
+                        explicit_bzero(id, sizeof(*id));
+                        free(id);
+                }
+        }
         /* append remaining keys from the config file */
         for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
                 TAILQ_REMOVE(&files, id, next);