=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-agent.c,v retrieving revision 1.105.2.2 retrieving revision 1.106 diff -u -r1.105.2.2 -r1.106 --- src/usr.bin/ssh/ssh-agent.c 2003/09/16 21:20:27 1.105.2.2 +++ src/usr.bin/ssh/ssh-agent.c 2003/01/21 18:14:36 1.106 @@ -35,7 +35,7 @@ #include "includes.h" #include -RCSID("$OpenBSD: ssh-agent.c,v 1.105.2.2 2003/09/16 21:20:27 brad Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.106 2003/01/21 18:14:36 marc Exp $"); #include #include @@ -50,8 +50,6 @@ #include "authfd.h" #include "compat.h" #include "log.h" -#include "readpass.h" -#include "misc.h" #ifdef SMARTCARD #include "scard.h" @@ -79,7 +77,6 @@ Key *key; char *comment; u_int death; - u_int confirm; } Identity; typedef struct { @@ -161,30 +158,6 @@ return (NULL); } -/* Check confirmation of keysign request */ -static int -confirm_key(Identity *id) -{ - char *p, prompt[1024]; - int ret = -1; - - p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); - snprintf(prompt, sizeof(prompt), "Allow use of key %s?\n" - "Key fingerprint %s.", id->comment, p); - xfree(p); - p = read_passphrase(prompt, RP_ALLOW_EOF); - if (p != NULL) { - /* - * Accept empty responses and responses consisting - * of the word "yes" as affirmative. - */ - if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0) - ret = 0; - xfree(p); - } - return (ret); -} - /* send list of supported public keys to 'client' */ static void process_request_identities(SocketEntry *e, int version) @@ -248,7 +221,7 @@ goto failure; id = lookup_identity(key, 1); - if (id != NULL && (!id->confirm || confirm_key(id) == 0)) { + if (id != NULL) { Key *private = id->key; /* Decrypt the challenge using the private key. */ if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0) @@ -257,7 +230,7 @@ /* The response is MD5 of decrypted challenge plus session id. */ len = BN_num_bytes(challenge); if (len <= 0 || len > 32) { - logit("process_authentication_challenge: bad challenge length %d", len); + log("process_authentication_challenge: bad challenge length %d", len); goto failure; } memset(buf, 0, 32); @@ -308,7 +281,7 @@ key = key_from_blob(blob, blen); if (key != NULL) { Identity *id = lookup_identity(key, 2); - if (id != NULL && (!id->confirm || confirm_key(id) == 0)) + if (id != NULL) ok = key_sign(id->key, &signature, &slen, data, dlen); } key_free(key); @@ -346,7 +319,7 @@ buffer_get_bignum(&e->request, key->rsa->n); if (bits != key_size(key)) - logit("Warning: identity keysize mismatch: actual %u, announced %u", + log("Warning: identity keysize mismatch: actual %u, announced %u", key_size(key), bits); break; case 2: @@ -428,7 +401,7 @@ process_add_identity(SocketEntry *e, int version) { Idtab *tab = idtab_lookup(version); - int type, success = 0, death = 0, confirm = 0; + int type, success = 0, death = 0; char *type_name, *comment; Key *k = NULL; @@ -479,17 +452,6 @@ } break; } - /* enable blinding */ - switch (k->type) { - case KEY_RSA: - case KEY_RSA1: - if (RSA_blinding_on(k->rsa, NULL) != 1) { - error("process_add_identity: RSA_blinding_on failed"); - key_free(k); - goto send; - } - break; - } comment = buffer_get_string(&e->request, NULL); if (k == NULL) { xfree(comment); @@ -501,9 +463,6 @@ case SSH_AGENT_CONSTRAIN_LIFETIME: death = time(NULL) + buffer_get_int(&e->request); break; - case SSH_AGENT_CONSTRAIN_CONFIRM: - confirm = 1; - break; default: break; } @@ -515,7 +474,6 @@ id->key = k; id->comment = comment; id->death = death; - id->confirm = confirm; TAILQ_INSERT_TAIL(&tab->idlist, id, next); /* Increment the number of identities. */ tab->nentries++; @@ -576,29 +534,13 @@ process_add_smartcard_key (SocketEntry *e) { char *sc_reader_id = NULL, *pin; - int i, version, success = 0, death = 0, confirm = 0; + int i, version, success = 0; Key **keys, *k; Identity *id; Idtab *tab; sc_reader_id = buffer_get_string(&e->request, NULL); pin = buffer_get_string(&e->request, NULL); - - while (buffer_len(&e->request)) { - switch (buffer_get_char(&e->request)) { - case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); - break; - case SSH_AGENT_CONSTRAIN_CONFIRM: - confirm = 1; - break; - default: - break; - } - } - if (lifetime && !death) - death = time(NULL) + lifetime; - keys = sc_get_keys(sc_reader_id, pin); xfree(sc_reader_id); xfree(pin); @@ -614,9 +556,8 @@ if (lookup_identity(k, version) == NULL) { id = xmalloc(sizeof(Identity)); id->key = k; - id->comment = sc_get_key_label(k); - id->death = death; - id->confirm = confirm; + id->comment = xstrdup("smartcard key"); + id->death = 0; TAILQ_INSERT_TAIL(&tab->idlist, id, next); tab->nentries++; success = 1; @@ -760,7 +701,6 @@ break; #ifdef SMARTCARD case SSH_AGENTC_ADD_SMARTCARD_KEY: - case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED: process_add_smartcard_key(e); break; case SSH_AGENTC_REMOVE_SMARTCARD_KEY: @@ -998,8 +938,7 @@ int main(int ac, char **av) { - int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0; - int sock, fd, ch, nalloc; + int sock, c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0, ch, nalloc; char *shell, *format, *pidstr, *agentsocket = NULL; fd_set *readsetp = NULL, *writesetp = NULL; struct sockaddr_un sunaddr; @@ -1167,14 +1106,9 @@ } (void)chdir("/"); - if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { - /* XXX might close listen socket */ - (void)dup2(fd, STDIN_FILENO); - (void)dup2(fd, STDOUT_FILENO); - (void)dup2(fd, STDERR_FILENO); - if (fd > 2) - close(fd); - } + close(0); + close(1); + close(2); /* deny core dumps, since memory contains unencrypted private keys */ rlim.rlim_cur = rlim.rlim_max = 0;