[openssh-commits] [openssh] 03/03: upstream: unshield security key privkey before attempting signature

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Nov 15 16:39:39 AEDT 2019


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit c63fba5e3472307167850bbd84187186af7fa9f0
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Nov 15 05:37:27 2019 +0000

    upstream: unshield security key privkey before attempting signature
    
    in agent. spotted by dtucker@
    
    OpenBSD-Commit-ID: fb67d451665385b8a0a55371231c50aac67b91d2
---
 ssh-agent.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/ssh-agent.c b/ssh-agent.c
index 702dec17..b1ebe078 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.245 2019/11/15 04:12:32 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.246 2019/11/15 05:37:27 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -426,7 +426,7 @@ process_sign_request2(SocketEntry *e)
 	u_char *signature = NULL;
 	size_t dlen, slen = 0;
 	u_int compat = 0, flags;
-	int r, ok = -1;
+	int was_shielded, r, r2, ok = -1;
 	struct sshbuf *msg;
 	struct sshkey *key = NULL;
 	struct identity *id;
@@ -449,9 +449,21 @@ process_sign_request2(SocketEntry *e)
 		goto send;
 	}
 	if (id->sk_provider != NULL) {
-		if ((r = provider_sign(id->sk_provider, id->key, &signature,
+		was_shielded = sshkey_is_shielded(id->key);
+		if ((r = sshkey_unshield_private(id->key)) != 0) {
+			error("%s: unshield: %s", __func__, ssh_err(r));
+			goto send;
+		}
+		r = provider_sign(id->sk_provider, id->key, &signature,
 		    &slen, data, dlen, agent_decode_alg(key, flags),
-		    compat)) != 0) {
+		    compat);
+		if (was_shielded &&
+		    (r2 = sshkey_shield_private(id->key)) != 0) {
+			error("%s: shield: %s", __func__, ssh_err(r));
+			r = r2;
+			goto send;
+		}
+		if (r != 0) {
 			error("%s: sign: %s", __func__, ssh_err(r));
 			goto send;
 		}

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list