[openssh-commits] [openssh] 03/05: upstream: don't abuse SSHKEY_FLAG_EXT to signal that a key is in

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Oct 10 13:35:33 AEDT 2025 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit e7b4b3f153713c15e3888aa50df039b2445492dd
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Thu Oct 9 23:26:47 2025 +0000

    upstream: don't abuse SSHKEY_FLAG_EXT to signal that a key is in
    
    the agent, as that triggers special handling on sshkey_free()
    
    OpenBSD-Commit-ID: 2ae2247babd2db167a30cf7a4f7eae4f26c000a8
---
 ssh-keygen.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 3c582a83a..2f21e4267 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.485 2025/10/03 00:08:02 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.486 2025/10/09 23:26:47 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1713,7 +1713,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
     unsigned long long cert_serial, int cert_serial_autoinc,
     int argc, char **argv)
 {
-	int r, i, found, agent_fd = -1;
+	int r, i, key_in_agent = 0, agent_fd = -1;
 	u_int n;
 	struct sshkey *ca, *public;
 	char valid[64], *otmp, *tmp, *cp, *out, *comment;
@@ -1742,17 +1742,19 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 			fatal_r(r, "Cannot use public key for CA signature");
 		if ((r = ssh_fetch_identitylist(agent_fd, &agent_ids)) != 0)
 			fatal_r(r, "Retrieve agent key list");
-		found = 0;
 		for (j = 0; j < agent_ids->nkeys; j++) {
 			if (sshkey_equal(ca, agent_ids->keys[j])) {
-				found = 1;
+				key_in_agent = 1;
+				/* Replace the CA key with the agent one */
+				sshkey_free(ca);
+				ca = agent_ids->keys[j];
+				agent_ids->keys[j] = NULL;
 				break;
 			}
 		}
-		if (!found)
+		if (!key_in_agent)
 			fatal("CA key %s not found in agent", tmp);
 		ssh_free_identitylist(agent_ids);
-		ca->flags |= SSHKEY_FLAG_EXT;
 	} else {
 		/* CA key is assumed to be a private key on the filesystem */
 		ca = load_identity(tmp, NULL);
@@ -1817,7 +1819,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 		    &public->cert->signature_key)) != 0)
 			fatal_r(r, "sshkey_from_private (ca key)");
 
-		if (agent_fd != -1 && (ca->flags & SSHKEY_FLAG_EXT) != 0) {
+		if (key_in_agent) {
 			if ((r = sshkey_certify_custom(public, ca,
 			    key_type_name, sk_provider, NULL, agent_signer,
 			    &agent_fd)) != 0)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list