authordjm@openbsd.org <djm@openbsd.org>2016-05-23 23:30:50 +0000
committerDarren Tucker <dtucker@zip.com.au>2016-06-06 11:25:37 +1000
commit82f24c3ddc52053aeb7beb3332fa94c92014b0c5 (patch)
tree135c8c3d774d8a8b311f69dfa5bb8017801a9344
parenta0cb7778fbc9b43458f7072eb68dd858766384d1 (diff)
upstream commit
prefer agent-hosted keys to keys from PKCS#11; ok markus Upstream-ID: 7417f7653d58d6306d9f8c08d0263d050e2fd8f4
-rw-r--r--sshconnect2.c48
1 files changed, 24 insertions, 24 deletions
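--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.243 2016/05/02 10:26:04 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.244 2016/05/23 23:30:50 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1299,29 +1299,6 @@ pubkey_prepare(Authctxt *authctxt)
 id->userprovided = options.identity_file_userprovided[i];
 TAILQ_INSERT_TAIL(&files, id, next);
 }
-/* Prefer PKCS11 keys that are explicitly listed */
-TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
-if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0)
-continue;
-found = 0;
-TAILQ_FOREACH(id2, &files, next) {
-if (id2->key == NULL ||
-(id2->key->flags & SSHKEY_FLAG_EXT) == 0)
-continue;
-if (sshkey_equal(id->key, id2->key)) {
-TAILQ_REMOVE(&files, id, next);
-TAILQ_INSERT_TAIL(preferred, id, next);
-found = 1;
-break;
-}
-}
-/* If IdentitiesOnly set and key not found then don't use it */
-if (!found && options.identities_only) {
-TAILQ_REMOVE(&files, id, next);
-explicit_bzero(id, sizeof(*id));
-free(id);
-}
-}
 /* list of certificates specified by user */
 for (i = 0; i < options.num_certificate_files; i++) {
 key = options.certificates[i];
@@ -1380,6 +1357,29 @@ pubkey_prepare(Authctxt *authctxt)
 }
 authctxt->agent_fd = agent_fd;
 }
+/* Prefer PKCS11 keys that are explicitly listed */
+TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
+if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0)
+continue;
+found = 0;
+TAILQ_FOREACH(id2, &files, next) {
+if (id2->key == NULL ||
+(id2->key->flags & SSHKEY_FLAG_EXT) == 0)
+continue;
+if (sshkey_equal(id->key, id2->key)) {
+TAILQ_REMOVE(&files, id, next);
+TAILQ_INSERT_TAIL(preferred, id, next);
+found = 1;
+break;
+}
+}
+/* If IdentitiesOnly set and key not found then don't use it */
+if (!found && options.identities_only) {
+TAILQ_REMOVE(&files, id, next);
+explicit_bzero(id, sizeof(*id));
+free(id);
+}
+}
 /* append remaining keys from the config file */
 for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
 TAILQ_REMOVE(&files, id, next);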
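Review bot: The inner loop at new lines 1365–1368 walks the same `files` list that `id` is on and skips every entry that lacks SSHKEY_FLAG_EXT, so it reaches `id` itself and `sshkey_equal(id->key, id->key)` is trivially true; `found` is therefore always 1 for a PKCS#11 key and the `!found && options.identities_only` removal at 1377 appears unreachable, which would let IdentitiesOnly=yes still offer PKCS#11 keys that were never explicitly listed. The comment says the intent is to match a PKCS#11 key against an explicitly listed identity file, which are the non-EXT entries, so the inner skip condition looks inverted and should read `(id2->key->flags & SSHKEY_FLAG_EXT) != 0)`. This is relocated rather than new logic, but the move is the natural place to correct it, and the same block was identical before the move. pubkey_prepare starts and ends outside the hunk.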