New upstream release (8.1p1)

author: Colin Watson <cjwatson@debian.org> 2019-10-09 22:59:48 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-10-09 23:39:39 +0100
commit: 767ee84d3465b6d244a9108de5c167a9ab866df9 (patch)
tree: 69b14ef6a62d7f133298a21d2ad6046f130b7801 /ssh-agent.c
parent: ddeaf9ee7d5c6612b88f1c4a83fc6fbccb93bf60 (diff)
parent: efef12825b9582c1710da3b7e50135870963d4f4 (diff)
1 files changed, 14 insertions, 7 deletions
diff --git a/ssh-agent.c b/ssh-agent.c
index d06ecfd98..9c6680a25 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.233 2019/01/22 22:58:50 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.237 2019/06/28 13:35:04 deraadt Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -269,6 +269,11 @@ agent_decode_alg(struct sshkey *key, u_int flags)
                        return "rsa-sha2-256";
                else if (flags & SSH_AGENT_RSA_SHA2_512)
                        return "rsa-sha2-512";
+        } else if (key->type == KEY_RSA_CERT) {
+                if (flags & SSH_AGENT_RSA_SHA2_256)
+                        return "rsa-sha2-256-cert-v01@openssh.com";
+                else if (flags & SSH_AGENT_RSA_SHA2_512)
+                        return "rsa-sha2-512-cert-v01@openssh.com";
        }
        return NULL;
 }
@@ -418,7 +423,10 @@ process_add_identity(SocketEntry *e)
                error("%s: decode private key: %s", __func__, ssh_err(r));
                goto err;
        }
+        if ((r = sshkey_shield_private(k)) != 0) {
+                error("%s: shield private key: %s", __func__, ssh_err(r));
+                goto err;
+        }
        while (sshbuf_len(e->request)) {
                if ((r = sshbuf_get_u8(e->request, &ctype)) != 0) {
                        error("%s: buffer error: %s", __func__, ssh_err(r));
@@ -819,11 +827,11 @@ handle_socket_read(u_int socknum)
        slen = sizeof(sunaddr);
        fd = accept(sockets[socknum].fd, (struct sockaddr *)&sunaddr, &slen);
-        if (fd < 0) {
+        if (fd == -1) {
                error("accept from AUTH_SOCKET: %s", strerror(errno));
                return -1;
        }
-        if (getpeereid(fd, &euid, &egid) < 0) {
+        if (getpeereid(fd, &euid, &egid) == -1) {
                error("getpeereid %d failed: %s", fd, strerror(errno));
                close(fd);
                return -1;
@@ -1096,7 +1104,6 @@ main(int ac, char **av)
        size_t npfd = 0;
        u_int maxfds;
-        ssh_malloc_init();      /* must be called before any mallocs */
        /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
        sanitise_stdfd();
@@ -1305,7 +1312,7 @@ main(int ac, char **av)
 #ifdef HAVE_SETRLIMIT
        /* deny core dumps, since memory contains unencrypted private keys */
        rlim.rlim_cur = rlim.rlim_max = 0;
-        if (setrlimit(RLIMIT_CORE, &rlim) < 0) {
+        if (setrlimit(RLIMIT_CORE, &rlim) == -1) {
                error("setrlimit RLIMIT_CORE: %s", strerror(errno));
                cleanup_exit(1);
        }
@@ -1338,7 +1345,7 @@ skip:
                if (parent_alive_interval != 0)
                        check_parent_exists();
                (void) reaper();        /* remove expired keys */
-                if (result < 0) {
+                if (result == -1) {
                        if (saved_errno == EINTR)
                                continue;
                        fatal("poll: %s", strerror(saved_errno));
author	Colin Watson <cjwatson@debian.org>	2019-10-09 22:59:48 +0100
committer	Colin Watson <cjwatson@debian.org>	2019-10-09 23:39:39 +0100
commit	767ee84d3465b6d244a9108de5c167a9ab866df9 (patch)
tree	69b14ef6a62d7f133298a21d2ad6046f130b7801 /ssh-agent.c
parent	ddeaf9ee7d5c6612b88f1c4a83fc6fbccb93bf60 (diff)
parent	efef12825b9582c1710da3b7e50135870963d4f4 (diff)

diff --git a/ssh-agent.c b/ssh-agent.c index d06ecfd98..9c6680a25 100644 --- a/ssh-agent.c +++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-agent.c,v 1.233 2019/01/22 22:58:50 djm Exp $ */	1	/* $OpenBSD: ssh-agent.c,v 1.237 2019/06/28 13:35:04 deraadt Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -269,6 +269,11 @@ agent_decode_alg(struct sshkey *key, u_int flags)
269	return "rsa-sha2-256";	269	return "rsa-sha2-256";
270	else if (flags & SSH_AGENT_RSA_SHA2_512)	270	else if (flags & SSH_AGENT_RSA_SHA2_512)
271	return "rsa-sha2-512";	271	return "rsa-sha2-512";
		272	} else if (key->type == KEY_RSA_CERT) {
		273	if (flags & SSH_AGENT_RSA_SHA2_256)
		274	return "rsa-sha2-256-cert-v01@openssh.com";
		275	else if (flags & SSH_AGENT_RSA_SHA2_512)
		276	return "rsa-sha2-512-cert-v01@openssh.com";
272	}	277	}
273	return NULL;	278	return NULL;
274	}	279	}
@@ -418,7 +423,10 @@ process_add_identity(SocketEntry *e)
418	error("%s: decode private key: %s", __func__, ssh_err(r));	423	error("%s: decode private key: %s", __func__, ssh_err(r));
419	goto err;	424	goto err;
420	}	425	}
421		426	if ((r = sshkey_shield_private(k)) != 0) {
		427	error("%s: shield private key: %s", __func__, ssh_err(r));
		428	goto err;
		429	}
422	while (sshbuf_len(e->request)) {	430	while (sshbuf_len(e->request)) {
423	if ((r = sshbuf_get_u8(e->request, &ctype)) != 0) {	431	if ((r = sshbuf_get_u8(e->request, &ctype)) != 0) {
424	error("%s: buffer error: %s", __func__, ssh_err(r));	432	error("%s: buffer error: %s", __func__, ssh_err(r));
@@ -819,11 +827,11 @@ handle_socket_read(u_int socknum)
819		827
820	slen = sizeof(sunaddr);	828	slen = sizeof(sunaddr);
821	fd = accept(sockets[socknum].fd, (struct sockaddr *)&sunaddr, &slen);	829	fd = accept(sockets[socknum].fd, (struct sockaddr *)&sunaddr, &slen);
822	if (fd < 0) {	830	if (fd == -1) {
823	error("accept from AUTH_SOCKET: %s", strerror(errno));	831	error("accept from AUTH_SOCKET: %s", strerror(errno));
824	return -1;	832	return -1;
825	}	833	}
826	if (getpeereid(fd, &euid, &egid) < 0) {	834	if (getpeereid(fd, &euid, &egid) == -1) {
827	error("getpeereid %d failed: %s", fd, strerror(errno));	835	error("getpeereid %d failed: %s", fd, strerror(errno));
828	close(fd);	836	close(fd);
829	return -1;	837	return -1;
@@ -1096,7 +1104,6 @@ main(int ac, char **av)
1096	size_t npfd = 0;	1104	size_t npfd = 0;
1097	u_int maxfds;	1105	u_int maxfds;
1098		1106
1099	ssh_malloc_init(); /* must be called before any mallocs */
1100	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */	1107	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
1101	sanitise_stdfd();	1108	sanitise_stdfd();
1102		1109
@@ -1305,7 +1312,7 @@ main(int ac, char **av)
1305	#ifdef HAVE_SETRLIMIT	1312	#ifdef HAVE_SETRLIMIT
1306	/* deny core dumps, since memory contains unencrypted private keys */	1313	/* deny core dumps, since memory contains unencrypted private keys */
1307	rlim.rlim_cur = rlim.rlim_max = 0;	1314	rlim.rlim_cur = rlim.rlim_max = 0;
1308	if (setrlimit(RLIMIT_CORE, &rlim) < 0) {	1315	if (setrlimit(RLIMIT_CORE, &rlim) == -1) {
1309	error("setrlimit RLIMIT_CORE: %s", strerror(errno));	1316	error("setrlimit RLIMIT_CORE: %s", strerror(errno));
1310	cleanup_exit(1);	1317	cleanup_exit(1);
1311	}	1318	}
@@ -1338,7 +1345,7 @@ skip:
1338	if (parent_alive_interval != 0)	1345	if (parent_alive_interval != 0)
1339	check_parent_exists();	1346	check_parent_exists();
1340	(void) reaper(); /* remove expired keys */	1347	(void) reaper(); /* remove expired keys */
1341	if (result < 0) {	1348	if (result == -1) {
1342	if (saved_errno == EINTR)	1349	if (saved_errno == EINTR)
1343	continue;	1350	continue;
1344	fatal("poll: %s", strerror(saved_errno));	1351	fatal("poll: %s", strerror(saved_errno));