Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/ssh-agent.c,v
rcsdiff: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/ssh-agent.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.19
retrieving revision 1.19.2.1
diff -u -p -r1.19 -r1.19.2.1
--- src/crypto/external/bsd/openssh/dist/ssh-agent.c 2016/12/25 00:07:47 1.19
+++ src/crypto/external/bsd/openssh/dist/ssh-agent.c 2017/04/21 16:50:57 1.19.2.1
@@ -1,6 +1,5 @@
-/* $NetBSD: ssh-agent.c,v 1.19 2016/12/25 00:07:47 christos Exp $ */
-/* $OpenBSD: ssh-agent.c,v 1.215 2016/11/30 03:07:37 djm Exp $ */
-
+/* $NetBSD: ssh-agent.c,v 1.19.2.1 2017/04/21 16:50:57 bouyer Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.218 2017/03/15 03:52:30 deraadt Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -37,7 +36,7 @@
 */
 #include "includes.h"
-__RCSID("$NetBSD: ssh-agent.c,v 1.19 2016/12/25 00:07:47 christos Exp $");
+__RCSID("$NetBSD: ssh-agent.c,v 1.19.2.1 2017/04/21 16:50:57 bouyer Exp $");
 #include /* MIN MAX */
 #include
@@ -83,7 +82,7 @@ __RCSID("$NetBSD: ssh-agent.c,v 1.19 201
 #endif
 #ifndef DEFAULT_PKCS11_WHITELIST
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
 #endif
 typedef enum {
@@ -814,7 +813,7 @@ send:
 static void
 process_remove_smartcard_key(SocketEntry *e)
 {
- char *provider = NULL, *pin = NULL;
+ char *provider = NULL, *pin = NULL, canonical_provider[PATH_MAX];
 int r, version, success = 0;
 Identity *id, *nxt;
 Idtab *tab;
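Review bot: The widened default in `DEFAULT_PKCS11_WHITELIST` carries no comment saying which directories `lib*` is meant to admit, and read as a glob it reaches further than multilib names such as `lib64`: siblings like `/usr/libexec/` or `/usr/libdata/` would match as well. Since this list decides which provider libraries the agent is willing to load, I would either enumerate the intended directories or add a comment above the define, e.g. `/* lib* is for multilib dirs (lib32, lib64); note it also matches libexec, libdata */`. How the pattern is evaluated is not visible in this hunk, so the exact reach should be confirmed against the matcher.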
@@ -824,6 +823,13 @@ process_remove_smartcard_key(SocketEntry
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
 free(pin);
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+ goto send;
+ }
+
+ debug("%s: remove %.100s", __func__, canonical_provider);
 for (version = 1; version < 3; version++) {
 tab = idtab_lookup(version);
 for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
@@ -831,18 +837,19 @@ process_remove_smartcard_key(SocketEntry
 /* Skip file--based keys */
 if (id->provider == NULL)
 continue;
- if (!strcmp(provider, id->provider)) {
+ if (!strcmp(canonical_provider, id->provider)) {
 TAILQ_REMOVE(&tab->idlist, id, next);
 free_identity(id);
 tab->nentries--;
 }
 }
 }
- if (pkcs11_del_provider(provider) == 0)
+ if (pkcs11_del_provider(canonical_provider) == 0)
 success = 1;
 else
 error("process_remove_smartcard_key:"
 " pkcs11_del_provider failed");
+send:
 free(provider);
 send_status(e, success);
 }
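Review bot: The `verbose()` call in the new `realpath()` failure branch logs "failed PKCS#11 add" although this is process_remove_smartcard_key, so a failed removal will read as a failed add in the agent's log; the format string should be `"failed PKCS#11 remove of \"%.100s\": realpath: %s"`. The same branch jumps to `send` before the identity loop and before `pkcs11_del_provider()`, so a provider whose path no longer resolves (library deleted or moved after it was added) cannot be removed and its keys stay loaded in the agent. If that is intended it deserves a comment at the `goto send`, e.g. `/* unresolvable path: nothing is removed, report failure */`. The function starts above this hunk and continues in the next one.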
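Review bot: The `strcmp(canonical_provider, id->provider)` match only works if `id->provider` was stored in its `realpath()` form when the key was added, and nothing in this hunk shows or states that. A one-line comment above the comparison would make the dependency explicit, e.g. `/* id->provider is expected to hold the canonical path recorded at add time */`; an identity stored under a non-canonical string would silently never match here. As a style point, the `error()` call further down still spells out the function name while the new `debug()` line uses `__func__`.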