diff options
author | djm@openbsd.org <djm@openbsd.org> | 2019-11-16 22:36:48 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-17 09:44:43 +1100 |
commit | 05daa211de926f66f50b7380d637f84dc6341574 (patch) | |
tree | 1e125b75e29608884496274e439dedb6659cb16d /ssh-agent.c | |
parent | d431778a561d90131814f986b646299f9af33c8c (diff) |
upstream: always use ssh-sk-helper, even for the internal USB HID
support. This avoid the need for a wpath pledge in ssh-agent.
reported by jmc@
OpenBSD-Commit-ID: 19f799c4d020b870741d221335dbfa5e76691c23
Diffstat (limited to 'ssh-agent.c')
-rw-r--r-- | ssh-agent.c | 46 |
1 files changed, 11 insertions, 35 deletions
diff --git a/ssh-agent.c b/ssh-agent.c index b1ebe0783..6de62d7fb 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-agent.c,v 1.246 2019/11/15 05:37:27 djm Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.247 2019/11/16 22:36:48 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -300,25 +300,6 @@ provider_sign(const char *provider, struct sshkey *key, | |||
300 | *sigp = NULL; | 300 | *sigp = NULL; |
301 | *lenp = 0; | 301 | *lenp = 0; |
302 | 302 | ||
303 | if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, | ||
304 | SSH_FP_DEFAULT)) == NULL) | ||
305 | fatal("%s: sshkey_fingerprint failed", __func__); | ||
306 | notifier = notify_start(0, | ||
307 | "Confirm user presence for key %s %s", sshkey_type(key), fp); | ||
308 | |||
309 | #ifdef ENABLE_SK_INTERNAL | ||
310 | if (strcasecmp(provider, "internal") == 0) { | ||
311 | r = sshsk_sign(provider, key, sigp, lenp, | ||
312 | data, datalen, compat); | ||
313 | if (r != 0) { | ||
314 | error("%s: sshsk_sign internal: %s", | ||
315 | __func__, ssh_err(r)); | ||
316 | } | ||
317 | notify_complete(notifier); | ||
318 | return r; | ||
319 | } | ||
320 | #endif | ||
321 | |||
322 | helper = getenv("SSH_SK_HELPER"); | 303 | helper = getenv("SSH_SK_HELPER"); |
323 | if (helper == NULL || strlen(helper) == 0) | 304 | if (helper == NULL || strlen(helper) == 0) |
324 | helper = _PATH_SSH_SK_HELPER; | 305 | helper = _PATH_SSH_SK_HELPER; |
@@ -361,6 +342,13 @@ provider_sign(const char *provider, struct sshkey *key, | |||
361 | (r = sshbuf_put_string(req, data, datalen)) != 0 || | 342 | (r = sshbuf_put_string(req, data, datalen)) != 0 || |
362 | (r = sshbuf_put_u32(req, compat)) != 0) | 343 | (r = sshbuf_put_u32(req, compat)) != 0) |
363 | fatal("%s: compose: %s", __func__, ssh_err(r)); | 344 | fatal("%s: compose: %s", __func__, ssh_err(r)); |
345 | |||
346 | if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, | ||
347 | SSH_FP_DEFAULT)) == NULL) | ||
348 | fatal("%s: sshkey_fingerprint failed", __func__); | ||
349 | notifier = notify_start(0, | ||
350 | "Confirm user presence for key %s %s", sshkey_type(key), fp); | ||
351 | |||
364 | if ((r = ssh_msg_send(pair[0], SSH_SK_HELPER_VERSION, req)) != 0) { | 352 | if ((r = ssh_msg_send(pair[0], SSH_SK_HELPER_VERSION, req)) != 0) { |
365 | error("%s: send: %s", __func__, ssh_err(r)); | 353 | error("%s: send: %s", __func__, ssh_err(r)); |
366 | goto out; | 354 | goto out; |
@@ -426,7 +414,7 @@ process_sign_request2(SocketEntry *e) | |||
426 | u_char *signature = NULL; | 414 | u_char *signature = NULL; |
427 | size_t dlen, slen = 0; | 415 | size_t dlen, slen = 0; |
428 | u_int compat = 0, flags; | 416 | u_int compat = 0, flags; |
429 | int was_shielded, r, r2, ok = -1; | 417 | int r, ok = -1; |
430 | struct sshbuf *msg; | 418 | struct sshbuf *msg; |
431 | struct sshkey *key = NULL; | 419 | struct sshkey *key = NULL; |
432 | struct identity *id; | 420 | struct identity *id; |
@@ -449,21 +437,9 @@ process_sign_request2(SocketEntry *e) | |||
449 | goto send; | 437 | goto send; |
450 | } | 438 | } |
451 | if (id->sk_provider != NULL) { | 439 | if (id->sk_provider != NULL) { |
452 | was_shielded = sshkey_is_shielded(id->key); | 440 | if ((r = provider_sign(id->sk_provider, id->key, &signature, |
453 | if ((r = sshkey_unshield_private(id->key)) != 0) { | ||
454 | error("%s: unshield: %s", __func__, ssh_err(r)); | ||
455 | goto send; | ||
456 | } | ||
457 | r = provider_sign(id->sk_provider, id->key, &signature, | ||
458 | &slen, data, dlen, agent_decode_alg(key, flags), | 441 | &slen, data, dlen, agent_decode_alg(key, flags), |
459 | compat); | 442 | compat)) != 0) { |
460 | if (was_shielded && | ||
461 | (r2 = sshkey_shield_private(id->key)) != 0) { | ||
462 | error("%s: shield: %s", __func__, ssh_err(r)); | ||
463 | r = r2; | ||
464 | goto send; | ||
465 | } | ||
466 | if (r != 0) { | ||
467 | error("%s: sign: %s", __func__, ssh_err(r)); | 443 | error("%s: sign: %s", __func__, ssh_err(r)); |
468 | goto send; | 444 | goto send; |
469 | } | 445 | } |