upstream: fix shield/unshield for xmss keys: - in ssh-agent we need

to delay the call to shield   until we have received key specific options. -
when serializing xmss keys for shield we need to deal with   all optional
components (e.g. state might not be loaded). ok djm@

OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f

1 files changed, 5 insertions, 5 deletions

diff --git a/ssh-agent.c b/ssh-agent.c
index eb17b18b2..c62c263a6 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.241 2019/11/12 22:36:44 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.242 2019/11/13 07:53:10 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -560,10 +560,6 @@ process_add_identity(SocketEntry *e)
                 error("%s: decode private key: %s", __func__, ssh_err(r));
                 goto err;
         }
-        if ((r = sshkey_shield_private(k)) != 0) {
-                error("%s: shield private key: %s", __func__, ssh_err(r));
-                goto err;
-        }
         while (sshbuf_len(e->request)) {
                 if ((r = sshbuf_get_u8(e->request, &ctype)) != 0) {
                         error("%s: buffer error: %s", __func__, ssh_err(r));
@@ -645,6 +641,10 @@ process_add_identity(SocketEntry *e)
                         goto send;
                 }
         }
+        if ((r = sshkey_shield_private(k)) != 0) {
+                error("%s: shield private key: %s", __func__, ssh_err(r));
+                goto err;
+        }
 
         success = 1;
         if (lifetime && !death)