1 /* $OpenBSD: ssh-agent.c,v 1.310 2025/02/18 08:02:48 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
50 #include "openbsd-compat/sys-queue.h"
54 #include "openbsd-compat/openssl-compat.h"
90 #include "ssh-pkcs11.h"
91 #include "sk-api.h"
165 pid_t parent_pid = -1;
178 /* Pattern-list of allowed PKCS#11/Security key paths */
182 * Allows PKCS11 providers or SK keys that use non-internal providers to
183 * be added over a remote connection (identified by session-bind@openssh.com).
202 /* Refuse signing of non-SSH messages for web-origin FIDO keys */
208 * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
209 * normally initialized to 1, it will never reach 0. However, if the -x
211 * ssh-agent will exit as soon as it has had at least one client but no
222 if (e->type == AUTH_CONNECTION) { in close_socket()
223 debug("xcount %d -> %d", xcount, xcount - 1); in close_socket()
224 if (--xcount == 0) in close_socket()
227 close(e->fd); in close_socket()
228 sshbuf_free(e->input); in close_socket()
229 sshbuf_free(e->output); in close_socket()
230 sshbuf_free(e->request); in close_socket()
231 for (i = 0; i < e->nsession_ids; i++) { in close_socket()
232 sshkey_free(e->session_ids[i].key); in close_socket()
233 sshbuf_free(e->session_ids[i].sid); in close_socket()
235 free(e->session_ids); in close_socket()
237 e->fd = -1; in close_socket()
238 e->type = AUTH_UNUSED; in close_socket()
247 TAILQ_INIT(&idtab->idlist); in idtab_init()
248 idtab->nentries = 0; in idtab_init()
258 free(dch->user); in free_dest_constraint_hop()
259 free(dch->hostname); in free_dest_constraint_hop()
260 for (i = 0; i < dch->nkeys; i++) in free_dest_constraint_hop()
261 sshkey_free(dch->keys[i]); in free_dest_constraint_hop()
262 free(dch->keys); in free_dest_constraint_hop()
263 free(dch->key_is_ca); in free_dest_constraint_hop()
286 out->user = dch->user == NULL ? NULL : xstrdup(dch->user); in dup_dest_constraint_hop()
287 out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); in dup_dest_constraint_hop()
288 out->is_ca = dch->is_ca; in dup_dest_constraint_hop()
289 out->nkeys = dch->nkeys; in dup_dest_constraint_hop()
290 out->keys = out->nkeys == 0 ? NULL : in dup_dest_constraint_hop()
291 xcalloc(out->nkeys, sizeof(*out->keys)); in dup_dest_constraint_hop()
292 out->key_is_ca = out->nkeys == 0 ? NULL : in dup_dest_constraint_hop()
293 xcalloc(out->nkeys, sizeof(*out->key_is_ca)); in dup_dest_constraint_hop()
294 for (i = 0; i < dch->nkeys; i++) { in dup_dest_constraint_hop()
295 if (dch->keys[i] != NULL && in dup_dest_constraint_hop()
296 (r = sshkey_from_private(dch->keys[i], in dup_dest_constraint_hop()
297 &(out->keys[i]))) != 0) in dup_dest_constraint_hop()
299 out->key_is_ca[i] = dch->key_is_ca[i]; in dup_dest_constraint_hop()
328 dch->user == NULL ? "(null)" : dch->user, in dump_dest_constraint_hop()
329 dch->hostname == NULL ? "(null)" : dch->hostname, in dump_dest_constraint_hop()
330 dch->is_ca, dch->nkeys); in dump_dest_constraint_hop()
331 for (i = 0; i < dch->nkeys; i++) { in dump_dest_constraint_hop()
333 if (dch->keys[i] != NULL && in dump_dest_constraint_hop()
334 (fp = sshkey_fingerprint(dch->keys[i], in dump_dest_constraint_hop()
337 debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, in dump_dest_constraint_hop()
338 dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]), in dump_dest_constraint_hop()
339 dch->keys[i] == NULL ? "" : " ", in dump_dest_constraint_hop()
340 dch->keys[i] == NULL ? "none" : fp, in dump_dest_constraint_hop()
341 dch->key_is_ca[i]); in dump_dest_constraint_hop()
368 sshkey_free(id->key); in free_identity()
369 free(id->provider); in free_identity()
370 free(id->comment); in free_identity()
371 free(id->sk_provider); in free_identity()
372 free_dest_constraints(id->dest_constraints, id->ndest_constraints); in free_identity()
378 * Returns 0 on success or -1 otherwise.
385 const char *hostname = dch->hostname ? dch->hostname : "(ORIGIN)"; in match_key_hop()
390 return -1; in match_key_hop()
396 tag, hostname, sshkey_type(key), fp, dch->nkeys); in match_key_hop()
398 for (i = 0; i < dch->nkeys; i++) { in match_key_hop()
399 if (dch->keys[i] == NULL) in match_key_hop()
400 return -1; in match_key_hop()
402 if ((fp = sshkey_fingerprint(dch->keys[i], SSH_FP_HASH_DEFAULT, in match_key_hop()
406 dch->key_is_ca[i] ? "CA " : "", in match_key_hop()
407 sshkey_type(dch->keys[i]), fp); in match_key_hop()
411 if (dch->key_is_ca[i] || in match_key_hop()
412 !sshkey_equal(key, dch->keys[i])) in match_key_hop()
417 if (!dch->key_is_ca[i]) in match_key_hop()
419 if (key->cert == NULL || key->cert->signature_key == NULL) in match_key_hop()
420 return -1; /* shouldn't happen */ in match_key_hop()
421 if (!sshkey_equal(key->cert->signature_key, dch->keys[i])) in match_key_hop()
426 key->cert->key_id, hostname, reason); in match_key_hop()
431 return -1; in match_key_hop()
445 for (i = 0; i < id->ndest_constraints; i++) { in permitted_by_dest_constraints()
446 d = id->dest_constraints + i; in permitted_by_dest_constraints()
449 i, d->from.user ? d->from.user : "", in permitted_by_dest_constraints()
450 d->from.user ? "@" : "", in permitted_by_dest_constraints()
451 d->from.hostname ? d->from.hostname : "(ORIGIN)", in permitted_by_dest_constraints()
452 d->from.nkeys, in permitted_by_dest_constraints()
453 d->to.user ? d->to.user : "", d->to.user ? "@" : "", in permitted_by_dest_constraints()
454 d->to.hostname ? d->to.hostname : "(ANY)", d->to.nkeys); in permitted_by_dest_constraints()
459 if (d->from.hostname != NULL || d->from.nkeys != 0) in permitted_by_dest_constraints()
461 } else if (match_key_hop("from", fromkey, &d->from) != 0) in permitted_by_dest_constraints()
465 if (tokey != NULL && match_key_hop("to", tokey, &d->to) != 0) in permitted_by_dest_constraints()
469 if (d->to.user != NULL && user != NULL && in permitted_by_dest_constraints()
470 !match_pattern(user, d->to.user)) in permitted_by_dest_constraints()
475 *hostnamep = d->to.hostname; in permitted_by_dest_constraints()
477 d->to.hostname == NULL ? "*" : d->to.hostname); in permitted_by_dest_constraints()
482 sshkey_type(id->key), id->comment); in permitted_by_dest_constraints()
483 return -1; in permitted_by_dest_constraints()
489 * Returns 0 on success or -1 otherwise.
504 "%zu constraints", sshkey_type(id->key), id->comment, in identity_permitted()
505 e->nsession_ids, id->ndest_constraints); in identity_permitted()
506 if (id->ndest_constraints == 0) in identity_permitted()
508 if (e->session_bind_attempted && e->nsession_ids == 0) { in identity_permitted()
510 return -1; in identity_permitted()
512 if (e->nsession_ids == 0) in identity_permitted()
518 for (i = 0; i < e->nsession_ids; i++) { in identity_permitted()
519 hks = e->session_ids + i; in identity_permitted()
520 if (hks->key == NULL) in identity_permitted()
528 if ((fp2 = sshkey_fingerprint(hks->key, SSH_FP_HASH_DEFAULT, in identity_permitted()
533 e->fd, i, hks->forwarded ? "FORWARD" : "AUTH", in identity_permitted()
536 sshkey_type(hks->key), fp2); in identity_permitted()
544 if (i == e->nsession_ids - 1) in identity_permitted()
550 if (i == e->nsession_ids - 1) { in identity_permitted()
558 if (hks->forwarded && user != NULL) { in identity_permitted()
560 return -1; in identity_permitted()
562 } else if (!hks->forwarded) { in identity_permitted()
564 return -1; in identity_permitted()
566 if (permitted_by_dest_constraints(fromkey, hks->key, id, in identity_permitted()
568 return -1; in identity_permitted()
569 fromkey = hks->key; in identity_permitted()
579 hks = &e->session_ids[e->nsession_ids - 1]; in identity_permitted()
580 if (hks->forwarded && user == NULL && in identity_permitted()
581 permitted_by_dest_constraints(hks->key, NULL, id, in identity_permitted()
584 return -1; in identity_permitted()
594 return e->session_bind_attempted || (e->nsession_ids != 0); in socket_is_remote()
603 TAILQ_FOREACH(id, &idtab->idlist, next) { in lookup_identity()
604 if (sshkey_equal(key, id->key)) in lookup_identity()
612 confirm_key(Identity *id, const char *extra) in confirm_key() argument
615 int ret = -1; in confirm_key()
617 p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT); in confirm_key()
620 id->comment, p, in confirm_key()
621 extra == NULL ? "" : "\n", extra == NULL ? "" : extra)) in confirm_key()
633 if ((r = sshbuf_put_u32(e->output, 1)) != 0 || in send_status()
634 (r = sshbuf_put_u8(e->output, success ? in send_status()
653 TAILQ_FOREACH(id, &idtab->idlist, next) { in process_request_identities()
654 if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, in process_request_identities()
657 debug_f("key %u / %u: %s %s", i++, idtab->nentries, in process_request_identities()
658 sshkey_ssh_name(id->key), fp); in process_request_identities()
660 id->dest_constraints, id->ndest_constraints); in process_request_identities()
665 if ((r = sshkey_puts_opts(id->key, keys, in process_request_identities()
667 (r = sshbuf_put_cstring(keys, id->comment)) != 0) { in process_request_identities()
674 nentries, idtab->nentries); in process_request_identities()
679 if ((r = sshbuf_put_stringb(e->output, msg)) != 0) in process_request_identities()
689 if (key->type == KEY_RSA) { in agent_decode_alg()
691 return "rsa-sha2-256"; in agent_decode_alg()
693 return "rsa-sha2-512"; in agent_decode_alg()
694 } else if (key->type == KEY_RSA_CERT) { in agent_decode_alg()
696 return "rsa-sha2-256-cert-v01@openssh.com"; in agent_decode_alg()
698 return "rsa-sha2-512-cert-v01@openssh.com"; in agent_decode_alg()
740 (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */ in parse_userauth_request()
746 strcmp(service, "ssh-connection") != 0 || in parse_userauth_request()
748 sshkey_type_from_name(pkalg) != expected_key->type) { in parse_userauth_request()
752 if (strcmp(method, "publickey-hostbound-v00@openssh.com") == 0) { in parse_userauth_request()
823 * web-like application string (i.e. one that does not begin with "ssh:").
842 error("web-origin key attempting to sign non-SSH message"); in check_websafe_message_contents()
865 int r, ok = -1, retried = 0; in process_sign_request2()
878 if ((r = sshkey_froms(e->request, &key)) != 0 || in process_sign_request2()
879 (r = sshbuf_get_stringb(e->request, data)) != 0 || in process_sign_request2()
880 (r = sshbuf_get_u32(e->request, &flags)) != 0) { in process_sign_request2()
893 if (id->ndest_constraints != 0) { in process_sign_request2()
894 if (e->nsession_ids == 0) { in process_sign_request2()
895 logit_f("refusing use of destination-constrained key " in process_sign_request2()
901 logit_f("refusing use of destination-constrained key " in process_sign_request2()
912 * registered on the socket - it should have been bound by in process_sign_request2()
916 e->session_ids[e->nsession_ids - 1].sid) != 0) { in process_sign_request2()
919 "key %s %s", e->nsession_ids, user, in process_sign_request2()
920 sshkey_type(id->key), fp); in process_sign_request2()
928 if (e->nsession_ids > 1 && hostkey == NULL) { in process_sign_request2()
929 error_f("refusing use of destination-constrained key: " in process_sign_request2()
935 e->session_ids[e->nsession_ids - 1].key)) { in process_sign_request2()
936 error_f("refusing use of destination-constrained key: " in process_sign_request2()
944 if (id->confirm && confirm_key(id, sig_dest) != 0) { in process_sign_request2()
948 if (sshkey_is_sk(id->key)) { in process_sign_request2()
950 match_pattern_list(id->key->sk_application, in process_sign_request2()
956 if (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { in process_sign_request2()
959 sshkey_type(id->key), fp, in process_sign_request2()
965 if ((r = sshkey_sign(id->key, &signature, &slen, in process_sign_request2()
967 id->sk_provider, pin, compat)) != 0) { in process_sign_request2()
969 if (pin == NULL && !retried && sshkey_is_sk(id->key) && in process_sign_request2()
975 (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD) ? in process_sign_request2()
977 sshkey_type(id->key), fp); in process_sign_request2()
998 if ((r = sshbuf_put_stringb(e->output, msg)) != 0) in process_sign_request2()
1024 if ((r = sshkey_froms(e->request, &key)) != 0) { in process_remove_identity()
1036 if (idtab->nentries < 1) in process_remove_identity()
1037 fatal_f("internal error: nentries %d", idtab->nentries); in process_remove_identity()
1038 TAILQ_REMOVE(&idtab->idlist, id, next); in process_remove_identity()
1040 idtab->nentries--; in process_remove_identity()
1054 for (id = TAILQ_FIRST(&idtab->idlist); id; in remove_all_identities()
1055 id = TAILQ_FIRST(&idtab->idlist)) { in remove_all_identities()
1056 TAILQ_REMOVE(&idtab->idlist, id, next); in remove_all_identities()
1061 idtab->nentries = 0; in remove_all_identities()
1080 for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) { in reaper()
1082 if (id->death == 0) in reaper()
1084 if (now >= id->death) { in reaper()
1085 debug("expiring key '%s'", id->comment); in reaper()
1086 TAILQ_REMOVE(&idtab->idlist, id, next); in reaper()
1088 idtab->nentries--; in reaper()
1090 deadline = (deadline == 0) ? id->death : in reaper()
1091 MINIMUM(deadline, id->death); in reaper()
1096 return (deadline - now); in reaper()
1109 if ((r = sshbuf_get_cstring(b, &dch->user, NULL)) != 0 || in parse_dest_constraint_hop()
1110 (r = sshbuf_get_cstring(b, &dch->hostname, NULL)) != 0 || in parse_dest_constraint_hop()
1120 if (*dch->hostname == '\0') { in parse_dest_constraint_hop()
1121 free(dch->hostname); in parse_dest_constraint_hop()
1122 dch->hostname = NULL; in parse_dest_constraint_hop()
1124 if (*dch->user == '\0') { in parse_dest_constraint_hop()
1125 free(dch->user); in parse_dest_constraint_hop()
1126 dch->user = NULL; in parse_dest_constraint_hop()
1129 dch->keys = xrecallocarray(dch->keys, dch->nkeys, in parse_dest_constraint_hop()
1130 dch->nkeys + 1, sizeof(*dch->keys)); in parse_dest_constraint_hop()
1131 dch->key_is_ca = xrecallocarray(dch->key_is_ca, dch->nkeys, in parse_dest_constraint_hop()
1132 dch->nkeys + 1, sizeof(*dch->key_is_ca)); in parse_dest_constraint_hop()
1140 dch->user == NULL ? "" : dch->user, in parse_dest_constraint_hop()
1141 dch->user == NULL ? "" : "@", in parse_dest_constraint_hop()
1142 dch->hostname, key_is_ca ? "CA " : "", sshkey_type(k), fp); in parse_dest_constraint_hop()
1144 dch->keys[dch->nkeys] = k; in parse_dest_constraint_hop()
1145 dch->key_is_ca[dch->nkeys] = key_is_ca != 0; in parse_dest_constraint_hop()
1146 dch->nkeys++; in parse_dest_constraint_hop()
1173 if ((r = parse_dest_constraint_hop(frombuf, &dc->from)) != 0 || in parse_dest_constraint()
1174 (r = parse_dest_constraint_hop(tobuf, &dc->to)) != 0) in parse_dest_constraint()
1182 dc->from.hostname ? dc->from.hostname : "(ORIGIN)", dc->from.nkeys, in parse_dest_constraint()
1183 dc->to.user ? dc->to.user : "", dc->to.user ? "@" : "", in parse_dest_constraint()
1184 dc->to.hostname ? dc->to.hostname : "(ANY)", dc->to.nkeys); in parse_dest_constraint()
1186 if ((dc->from.hostname == NULL) != (dc->from.nkeys == 0) || in parse_dest_constraint()
1187 dc->from.user != NULL) { in parse_dest_constraint()
1192 if (dc->to.hostname == NULL || dc->to.nkeys == 0) { in parse_dest_constraint()
1222 if (strcmp(ext_name, "sk-provider@openssh.com") == 0) { in parse_key_constraint_extension()
1238 "restrict-destination-v00@openssh.com") == 0) { in parse_key_constraint_extension()
1261 "associated-certs-v00@openssh.com") == 0) { in parse_key_constraint_extension()
1395 if ((r = sshkey_private_deserialize(e->request, &k)) != 0 || in process_add_identity()
1397 (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) { in process_add_identity()
1401 if (parse_key_constraints(e->request, k, &death, &seconds, &confirm, in process_add_identity()
1405 sshbuf_reset(e->request); in process_add_identity()
1413 "authenticator-hosted key", sshkey_type(k)); in process_add_identity()
1449 TAILQ_INSERT_TAIL(&idtab->idlist, id, next); in process_add_identity()
1451 idtab->nentries++; in process_add_identity()
1457 sshkey_free(id->key); in process_add_identity()
1458 free(id->comment); in process_add_identity()
1459 free(id->sk_provider); in process_add_identity()
1460 free_dest_constraints(id->dest_constraints, in process_add_identity()
1461 id->ndest_constraints); in process_add_identity()
1464 id->key = k; in process_add_identity()
1465 id->comment = comment; in process_add_identity()
1466 id->death = death; in process_add_identity()
1467 id->confirm = confirm; in process_add_identity()
1468 id->sk_provider = sk_provider; in process_add_identity()
1469 id->dest_constraints = dest_constraints; in process_add_identity()
1470 id->ndest_constraints = ndest_constraints; in process_add_identity()
1499 int r, success = 0, delay; in process_lock_agent() local
1511 if ((r = sshbuf_get_cstring(e->request, &passwd, &pwlen)) != 0) in process_lock_agent()
1526 /* delay in 0.1s increments up to 10s */ in process_lock_agent()
1529 delay = 100000 * fail_count; in process_lock_agent()
1531 (double)delay/1000000); in process_lock_agent()
1532 usleep(delay); in process_lock_agent()
1558 (r = sshbuf_put_stringb(e->output, msg)) != 0) in no_identities()
1578 id->key = key; in add_p11_identity()
1579 id->comment = comment; in add_p11_identity()
1580 id->provider = xstrdup(provider); in add_p11_identity()
1581 id->death = death; in add_p11_identity()
1582 id->confirm = confirm; in add_p11_identity()
1583 id->dest_constraints = dup_dest_constraints(dest_constraints, in add_p11_identity()
1585 id->ndest_constraints = ndest_constraints; in add_p11_identity()
1586 TAILQ_INSERT_TAIL(&idtab->idlist, id, next); in add_p11_identity()
1587 idtab->nentries++; in add_p11_identity()
1605 if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || in process_add_smartcard_key()
1606 (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { in process_add_smartcard_key()
1610 if (parse_key_constraints(e->request, NULL, &death, &seconds, &confirm, in process_add_smartcard_key()
1686 if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || in process_remove_smartcard_key()
1687 (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { in process_remove_smartcard_key()
1700 for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) { in process_remove_smartcard_key()
1702 /* Skip file--based keys */ in process_remove_smartcard_key()
1703 if (id->provider == NULL) in process_remove_smartcard_key()
1705 if (!strcmp(canonical_provider, id->provider)) { in process_remove_smartcard_key()
1706 TAILQ_REMOVE(&idtab->idlist, id, next); in process_remove_smartcard_key()
1708 idtab->nentries--; in process_remove_smartcard_key()
1732 e->session_bind_attempted = 1; in process_ext_session_bind()
1733 if ((r = sshkey_froms(e->request, &key)) != 0 || in process_ext_session_bind()
1734 (r = sshbuf_froms(e->request, &sid)) != 0 || in process_ext_session_bind()
1735 (r = sshbuf_froms(e->request, &sig)) != 0 || in process_ext_session_bind()
1736 (r = sshbuf_get_u8(e->request, &fwd)) != 0) { in process_ext_session_bind()
1754 for (i = 0; i < e->nsession_ids; i++) { in process_ext_session_bind()
1755 if (!e->session_ids[i].forwarded) { in process_ext_session_bind()
1758 r = -1; in process_ext_session_bind()
1761 sid_match = buf_equal(sid, e->session_ids[i].sid) == 0; in process_ext_session_bind()
1762 key_match = sshkey_equal(key, e->session_ids[i].key); in process_ext_session_bind()
1771 r = -1; in process_ext_session_bind()
1775 * new sid with previously-seen key can happen, e.g. multiple in process_ext_session_bind()
1780 if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { in process_ext_session_bind()
1782 r = -1; in process_ext_session_bind()
1785 e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, in process_ext_session_bind()
1786 e->nsession_ids + 1, sizeof(*e->session_ids)); in process_ext_session_bind()
1787 i = e->nsession_ids++; in process_ext_session_bind()
1790 e->session_ids[i].key = key; in process_ext_session_bind()
1791 e->session_ids[i].forwarded = fwd != 0; in process_ext_session_bind()
1794 if ((e->session_ids[i].sid = sshbuf_new()) == NULL) in process_ext_session_bind()
1796 if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0) in process_ext_session_bind()
1815 if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) { in process_extension()
1819 if (strcmp(name, "session-bind@openssh.com") == 0) in process_extension()
1829 * returns 1 on success, 0 for incomplete messages or -1 on error.
1844 if (sshbuf_len(e->input) < 5) in process_message()
1846 cp = sshbuf_ptr(e->input); in process_message()
1850 socknum, e->fd, msg_len, AGENT_MAX_LEN); in process_message()
1851 return -1; in process_message()
1853 if (sshbuf_len(e->input) < msg_len + 4) in process_message()
1856 /* move the current input to e->request */ in process_message()
1857 sshbuf_reset(e->request); in process_message()
1858 if ((r = sshbuf_get_stringb(e->input, e->request)) != 0 || in process_message()
1859 (r = sshbuf_get_u8(e->request, &type)) != 0) { in process_message()
1863 return -1; in process_message()
1868 debug_f("socket %u (fd=%d) type %d", socknum, e->fd, type); in process_message()
1872 sshbuf_reset(e->request); in process_message()
1925 sshbuf_reset(e->request); in process_message()
1940 debug("xcount %d -> %d", xcount, xcount + 1); in new_socket()
1984 if (fd == -1) { in handle_socket_read()
1986 return -1; in handle_socket_read()
1988 if (getpeereid(fd, &euid, &egid) == -1) { in handle_socket_read()
1991 return -1; in handle_socket_read()
1997 return -1; in handle_socket_read()
2011 if (len == -1) { in handle_conn_read()
2017 return -1; in handle_conn_read()
2023 if ((r = process_message(socknum)) == -1) in handle_conn_read()
2024 return -1; in handle_conn_read()
2042 if (len == -1) { in handle_conn_write()
2048 return -1; in handle_conn_write()
2099 activefds--; in after_poll()
2154 * Only prepare to read if we can handle a full-size in prepare_poll()
2222 if (parent_pid != -1 && getppid() != parent_pid) { in check_parent_exists()
2223 /* printf("Parent has died - Authentication agent exiting.\n"); */ in check_parent_exists()
2233 "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" in usage()
2234 " [-O option] [-P allowed_providers] [-t life]\n" in usage()
2235 " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" in usage()
2236 " [-P allowed_providers] [-t life] command [arg ...]\n" in usage()
2237 " ssh-agent [-c | -s] -k\n"); in usage()
2245 int sock = -1, ch, result, saved_errno; in main()
2275 if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) in main()
2282 while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) { in main()
2286 if (fingerprint_hash == -1) in main()
2298 if (strcmp(optarg, "no-restrict-websafe") == 0) in main()
2300 else if (strcmp(optarg, "allow-remote-pkcs11") == 0) in main()
2303 "websafe-allow=", 0)) != NULL) { in main()
2305 fatal("websafe-allow already set"); in main()
2308 fatal("Unknown -O option"); in main()
2312 fatal("-P option already specified"); in main()
2334 if ((lifetime = convtime(optarg)) == -1) { in main()
2346 ac -= optind; in main()
2360 strncmp(shell + len - 3, "csh", 3) == 0) in main()
2377 if (kill(pid, SIGTERM) == -1) { in main()
2397 maxfds = rlim.rlim_cur - SSH_AGENT_MIN_FDS; in main()
2409 if (fcntl(3, F_GETFL) == -1) in main()
2421 if (sock == -1) { in main()
2438 closefrom(sock == -1 ? STDERR_FILENO + 1 : sock + 1); in main()
2444 if (sock == -1) { in main()
2448 /* XXX - unix_listener() calls error() not perror() */ in main()
2474 if (pid == -1) { in main()
2478 if (pid != 0) { /* Parent - execute the given command. */ in main()
2490 if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 || in main()
2491 setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1) == -1) { in main()
2502 if (setsid() == -1) { in main()
2508 if (stdfd_devnull(1, 1, 1) == -1) in main()
2514 if (setrlimit(RLIMIT_CORE, &rlim) == -1) { in main()
2543 if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) in main()
2567 if (result == -1) { in main()