upstream: don't try to pledge() the client if a PKCS11Provider is
authordjm@openbsd.org <djm@openbsd.org>
Wed, 15 Oct 2025 23:55:01 +0000 (23:55 +0000)
committerDamien Miller <djm@mindrot.org>
Thu, 16 Oct 2025 00:03:08 +0000 (11:03 +1100)
in use

OpenBSD-Commit-ID: 445b2bf4b1e36e515f4d888f35244fd2dcfbb566

clientloop.c

index 49d048d85a4fdb644f7162a3330af8d3810c2f0a..15bf7c1e895d1d26deada6cc35bfc9df571939ca 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.415 2025/09/25 06:23:19 jsg Exp $ */
+/* $OpenBSD: clientloop.c,v 1.416 2025/10/15 23:55:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -942,7 +942,7 @@ client_repledge(void)
        /* Might be able to tighten pledge now that session is established */
        if (options.control_master || options.control_path != NULL ||
            options.forward_x11 || options.fork_after_authentication ||
-           can_update_hostkeys() ||
+           options.pkcs11_provider != NULL || can_update_hostkeys() ||
            (session_ident != -1 && !session_setup_complete)) {
                /* Can't tighten */
                return;
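Review bot: The new `options.pkcs11_provider != NULL` term in the can't-tighten condition has no explanation of why a configured PKCS#11 provider rules out the tighter pledge, and the existing `/* Can't tighten */` comment does not cover it. Because this branch returns without narrowing anything, a client with PKCS11Provider set appears to keep its broader pre-session promises for the whole connection, so I would add a comment above the condition along the lines of `/* PKCS11Provider in use: provider code may need operations outside the reduced promise set, so leave the pledge as-is */` (the exact reason is not visible in this hunk and should be confirmed by the author). It would also be worth stating in the comment or in ssh_config(5) that setting PKCS11Provider gives up this post-authentication tightening, so the option is best scoped to the hosts that actually need the token. client_repledge() starts before and continues past this hunk.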