- (djm) [sshd.c] Drop supplemental groups if started as root

[openssh.git] / authfd.c

diff --git a/authfd.c b/authfd.c
index 3d20da8be0238b79413629cea5400f8b37edc20f..42ca08256d24bb75773b6b68dd18d409ccbf626b 100644 (file)
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.58 2003/01/23 13:50:27 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.63 2003/11/21 11:57:03 djm Exp $");
 
 #include <openssl/evp.h>
 
@@ -114,7 +114,8 @@ ssh_get_authentication_socket(void)
 static int
 ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
 {
-       int l, len;
+       int l;
+       u_int len;
        char buf[1024];
 
        /* Get the length of the message, and format it in the buffer. */
@@ -122,8 +123,8 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
        PUT_32BIT(buf, len);
 
        /* Send the length and then the packet to the agent. */
-       if (atomicio(write, auth->fd, buf, 4) != 4 ||
-           atomicio(write, auth->fd, buffer_ptr(request),
+       if (atomicio(vwrite, auth->fd, buf, 4) != 4 ||
+           atomicio(vwrite, auth->fd, buffer_ptr(request),
            buffer_len(request)) != buffer_len(request)) {
                error("Error writing to authentication socket.");
                return 0;
@@ -147,7 +148,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
        /* Extract the length, and check it for sanity. */
        len = GET_32BIT(buf);
        if (len > 256 * 1024)
-               fatal("Authentication response too long: %d", len);
+               fatal("Authentication response too long: %u", len);
 
        /* Read the rest of the response in to the buffer. */
        buffer_clear(reply);
@@ -292,7 +293,7 @@ ssh_get_num_identities(AuthenticationConnection *auth, int version)
 
        /* Get the number of entries in the response and check it for sanity. */
        auth->howmany = buffer_get_int(&auth->identities);
-       if (auth->howmany > 1024)
+       if ((u_int)auth->howmany > 1024)
                fatal("Too many identities in authentication reply: %d",
                    auth->howmany);
 
@@ -589,16 +590,33 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 }
 
 int
-ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
+ssh_update_card(AuthenticationConnection *auth, int add,
+    const char *reader_id, const char *pin, u_int life, u_int confirm)
 {
        Buffer msg;
-       int type;
+       int type, constrained = (life || confirm);
+
+       if (add) {
+               type = constrained ?
+                   SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED :
+                   SSH_AGENTC_ADD_SMARTCARD_KEY;
+       } else
+               type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;
 
        buffer_init(&msg);
-       buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY :
-           SSH_AGENTC_REMOVE_SMARTCARD_KEY);
+       buffer_put_char(&msg, type);
        buffer_put_cstring(&msg, reader_id);
        buffer_put_cstring(&msg, pin);
+
+       if (constrained) {
+               if (life != 0) {
+                       buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
+                       buffer_put_int(&msg, life);
+               }
+               if (confirm != 0)
+                       buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
+       }
+
        if (ssh_request_reply(auth, &msg, &msg) == 0) {
                buffer_free(&msg);
                return 0;