authordjm@openbsd.org <djm@openbsd.org>2019-11-16 22:36:48 +0000
committerDamien Miller <djm@mindrot.org>2019-11-17 09:44:43 +1100
commit05daa211de926f66f50b7380d637f84dc6341574 (patch)
tree1e125b75e29608884496274e439dedb6659cb16d /ssh-agent.c
parentd431778a561d90131814f986b646299f9af33c8c (diff)
upstream: always use ssh-sk-helper, even for the internal USB HID
support. This avoids the need for a wpath pledge in ssh-agent. reported by jmc@
OpenBSD-Commit-ID: 19f799c4d020b870741d221335dbfa5e76691c23
Diffstat (limited to 'ssh-agent.c')
-rw-r--r--ssh-agent.c46
1 files changed, 11 insertions, 35 deletions
diff --git a/ssh-agent.c b/ssh-agent.c
index b1ebe0783..6de62d7fb 100644
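--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.246 2019/11/15 05:37:27 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.247 2019/11/16 22:36:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -300,25 +300,6 @@ provider_sign(const char *provider, struct sshkey *key,
  *sigp = NULL;
  *lenp = 0;
 
- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
- SSH_FP_DEFAULT)) == NULL)
- fatal("%s: sshkey_fingerprint failed", __func__);
- notifier = notify_start(0,
- "Confirm user presence for key %s %s", sshkey_type(key), fp);
-
-#ifdef ENABLE_SK_INTERNAL
- if (strcasecmp(provider, "internal") == 0) {
- r = sshsk_sign(provider, key, sigp, lenp,
- data, datalen, compat);
- if (r != 0) {
- error("%s: sshsk_sign internal: %s",
- __func__, ssh_err(r));
- }
- notify_complete(notifier);
- return r;
- }
-#endif
-
  helper = getenv("SSH_SK_HELPER");
  if (helper == NULL || strlen(helper) == 0)
  helper = _PATH_SSH_SK_HELPER;
@@ -361,6 +342,13 @@ provider_sign(const char *provider, struct sshkey *key,
  (r = sshbuf_put_string(req, data, datalen)) != 0 ||
  (r = sshbuf_put_u32(req, compat)) != 0)
  fatal("%s: compose: %s", __func__, ssh_err(r));
+
+ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: sshkey_fingerprint failed", __func__);
+ notifier = notify_start(0,
+ "Confirm user presence for key %s %s", sshkey_type(key), fp);
+
  if ((r = ssh_msg_send(pair[0], SSH_SK_HELPER_VERSION, req)) != 0) {
  error("%s: send: %s", __func__, ssh_err(r));
  goto out;
@@ -426,7 +414,7 @@ process_sign_request2(SocketEntry *e)
  u_char *signature = NULL;
  size_t dlen, slen = 0;
  u_int compat = 0, flags;
- int was_shielded, r, r2, ok = -1;
+ int r, ok = -1;
  struct sshbuf *msg;
  struct sshkey *key = NULL;
  struct identity *id;
@@ -449,21 +437,9 @@ process_sign_request2(SocketEntry *e)
  goto send;
  }
  if (id->sk_provider != NULL) {
- was_shielded = sshkey_is_shielded(id->key);
- if ((r = sshkey_unshield_private(id->key)) != 0) {
- error("%s: unshield: %s", __func__, ssh_err(r));
- goto send;
- }
- r = provider_sign(id->sk_provider, id->key, &signature,
+ if ((r = provider_sign(id->sk_provider, id->key, &signature,
  &slen, data, dlen, agent_decode_alg(key, flags),
- compat);
- if (was_shielded &&
- (r2 = sshkey_shield_private(id->key)) != 0) {
- error("%s: shield: %s", __func__, ssh_err(r));
- r = r2;
- goto send;
- }
- if (r != 0) {
+ compat)) != 0) {
  error("%s: sign: %s", __func__, ssh_err(r));
  goto send;
  }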
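Review bot: Nothing at the `provider_sign` call on new lines 440-442 of `process_sign_request2` records that `id->key` may still be shielded when it is passed in, now that the caller's unshield/re-shield bracket is gone. The part of `provider_sign` that serializes the key into `req` for the helper lies between the hunks, so whether it handles a shielded key itself cannot be confirmed from this page. Once that is checked, I would add a comment above the call such as `/* id->key may still be shielded; provider_sign serializes it for ssh-sk-helper without the caller unshielding */` so a later refactor does not reintroduce a path that needs the plaintext key in the agent. Both `process_sign_request2` and `provider_sign` begin and end outside the hunks shown.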