[openssh-commits] [openssh] 01/03: upstream: correctness wrt draft-ietf-sshm-ssh-agent:
git+noreply at mindrot.org
git+noreply at mindrot.org
Thu Mar 5 16:45:33 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 511f5bc41aeca7f6ee6611e9b24d48e4dd6ae3d5
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Thu Mar 5 05:35:44 2026 +0000
upstream: correctness wrt draft-ietf-sshm-ssh-agent:
extension requests should indicate failure using
SSH_AGENT_EXTENSION_FAILURE rather than the generic SSH_AGENT_FAILURE
error code. This allows the client to discern between "the request
failed" and "the agent doesn't support this extension".
ok markus@
OpenBSD-Commit-ID: d15d89f210cc973271d68147f09550163df731c9
---
authfd.c | 3 ++-
ssh-agent.c | 30 ++++++++++++++++++++++--------
2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/authfd.c b/authfd.c
index 7e8dcdd7a..07925be44 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.139 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: authfd.c,v 1.140 2026/03/05 05:35:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -62,6 +62,7 @@
/* macro to check for "agent failure" message */
#define agent_failed(x) \
((x == SSH_AGENT_FAILURE) || \
+ (x == SSH_AGENT_EXTENSION_FAILURE) || \
(x == SSH_COM_AGENT2_FAILURE) || \
(x == SSH2_AGENT_FAILURE))
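Review bot: With `SSH_AGENT_EXTENSION_FAILURE` added to `agent_failed()`, a caller that tests replies only through this macro still sees a single undifferentiated failure, so the distinction the commit message describes exists on the wire but is not surfaced here. The callers are outside this hunk, so this may be intended; if it is, the comment above the macro should say so, for example `/* macro to check for any agent failure reply, including extension failure */`. As a style point, `x` is expanded four times without parentheses; writing `((x) == SSH_AGENT_FAILURE)` on each line would keep the macro safe for expression arguments.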
diff --git a/ssh-agent.c b/ssh-agent.c
index f58d02b5d..57167a699 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.319 2026/02/16 23:47:06 jsg Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.320 2026/03/05 05:35:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -598,16 +598,22 @@ confirm_key(Identity *id, const char *extra)
}
static void
-send_status(SocketEntry *e, int success)
+send_status_generic(SocketEntry *e, u_int code)
{
int r;
if ((r = sshbuf_put_u32(e->output, 1)) != 0 ||
- (r = sshbuf_put_u8(e->output, success ?
- SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE)) != 0)
+ (r = sshbuf_put_u8(e->output, code)) != 0)
fatal_fr(r, "compose");
}
+static void
+send_status(SocketEntry *e, int success)
+{
+ return send_status_generic(e,
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
/* send list of supported public keys to 'client' */
static void
process_request_identities(SocketEntry *e)
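Review bot: The new `send_status()` wrapper is `void` but its body is `return send_status_generic(e, ...);`, and ISO C does not permit a return statement with an expression in a void function; compilers accept it only as an extension and warn under pedantic settings. Dropping the keyword keeps the behaviour: `send_status_generic(e, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);`. Separately, `send_status_generic()` takes `u_int code` and passes it to `sshbuf_put_u8()`, so a one-line comment that `code` must be a single-byte agent reply type would document the narrowing at the call.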
@@ -1785,18 +1791,26 @@ process_extension(SocketEntry *e)
debug2_f("entering");
if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) {
error_fr(r, "parse");
- goto send;
+ send_status(e, 0);
+ return;
}
+
if (strcmp(name, "query") == 0)
success = process_ext_query(e);
else if (strcmp(name, "session-bind at openssh.com") == 0)
success = process_ext_session_bind(e);
- else
+ else {
debug_f("unsupported extension \"%s\"", name);
+ free(name);
+ send_status(e, 0);
+ return;
+ }
free(name);
-send:
- send_status(e, success);
+ /* Agent failures are signalled with a different error code */
+ send_status_generic(e,
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_EXTENSION_FAILURE);
}
+
/*
* dispatch incoming message.
* returns 1 on success, 0 for incomplete messages or -1 on error.
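Review bot: The added comment `/* Agent failures are signalled with a different error code */` describes the opposite of what the code beneath it does, because the final `send_status_generic()` call signals a failed, recognised extension, while the parse-error and unsupported-extension paths above keep the generic code. A wording that matches the three exits would be `/* A recognised extension that fails replies SSH_AGENT_EXTENSION_FAILURE; parse errors and unknown names reply SSH_AGENT_FAILURE above */`. Note also that a malformed request and an unsupported extension now both return `SSH_AGENT_FAILURE`, so a client cannot tell them apart; if that is intended it belongs in the same comment. The start of `process_extension()` is outside this hunk, so the initialisation of `name` and `success` is not visible here.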