
1 /* $OpenBSD: ssh-agent.c,v 1.306 2024/03/09 05:12:13 djm Exp $ */
50 #include "openbsd-compat/sys-queue.h"
54 #include "openbsd-compat/openssl-compat.h"
90 #include "ssh-pkcs11.h"
91 #include "sk-api.h"
162 pid_t parent_pid = -1;
174 /* Pattern-list of allowed PKCS#11/Security key paths */
178 * Allows PKCS11 providers or SK keys that use non-internal providers to
179 * be added over a remote connection (identified by session-bind@openssh.com).
198 /* Refuse signing of non-SSH messages for web-origin FIDO keys */
203 * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
204 * normally initialized to 1, it will never reach 0. However, if the -x
206 * ssh-agent will exit as soon as it has had at least one client but no
217 if (e->type == AUTH_CONNECTION) { in close_socket()
218 debug("xcount %d -> %d", xcount, xcount - 1); in close_socket()
219 if (--xcount == 0) in close_socket()
222 close(e->fd); in close_socket()
223 sshbuf_free(e->input); in close_socket()
224 sshbuf_free(e->output); in close_socket()
225 sshbuf_free(e->request); in close_socket()
226 for (i = 0; i < e->nsession_ids; i++) { in close_socket()
227 sshkey_free(e->session_ids[i].key); in close_socket()
228 sshbuf_free(e->session_ids[i].sid); in close_socket()
230 free(e->session_ids); in close_socket()
232 e->fd = -1; in close_socket()
233 e->type = AUTH_UNUSED; in close_socket()
242 TAILQ_INIT(&idtab->idlist); in idtab_init()
243 idtab->nentries = 0; in idtab_init()
253 free(dch->user); in free_dest_constraint_hop()
254 free(dch->hostname); in free_dest_constraint_hop()
255 for (i = 0; i < dch->nkeys; i++) in free_dest_constraint_hop()
256 sshkey_free(dch->keys[i]); in free_dest_constraint_hop()
257 free(dch->keys); in free_dest_constraint_hop()
258 free(dch->key_is_ca); in free_dest_constraint_hop()
281 out->user = dch->user == NULL ? NULL : xstrdup(dch->user); in dup_dest_constraint_hop()
282 out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); in dup_dest_constraint_hop()
283 out->is_ca = dch->is_ca; in dup_dest_constraint_hop()
284 out->nkeys = dch->nkeys; in dup_dest_constraint_hop()
285 out->keys = out->nkeys == 0 ? NULL : in dup_dest_constraint_hop()
286 xcalloc(out->nkeys, sizeof(*out->keys)); in dup_dest_constraint_hop()
287 out->key_is_ca = out->nkeys == 0 ? NULL : in dup_dest_constraint_hop()
288 xcalloc(out->nkeys, sizeof(*out->key_is_ca)); in dup_dest_constraint_hop()
289 for (i = 0; i < dch->nkeys; i++) { in dup_dest_constraint_hop()
290 if (dch->keys[i] != NULL && in dup_dest_constraint_hop()
291 (r = sshkey_from_private(dch->keys[i], in dup_dest_constraint_hop()
292 &(out->keys[i]))) != 0) in dup_dest_constraint_hop()
294 out->key_is_ca[i] = dch->key_is_ca[i]; in dup_dest_constraint_hop()
323 dch->user == NULL ? "(null)" : dch->user, in dump_dest_constraint_hop()
324 dch->hostname == NULL ? "(null)" : dch->hostname, in dump_dest_constraint_hop()
325 dch->is_ca, dch->nkeys); in dump_dest_constraint_hop()
326 for (i = 0; i < dch->nkeys; i++) { in dump_dest_constraint_hop()
328 if (dch->keys[i] != NULL && in dump_dest_constraint_hop()
329 (fp = sshkey_fingerprint(dch->keys[i], in dump_dest_constraint_hop()
332 debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, in dump_dest_constraint_hop()
333 dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]), in dump_dest_constraint_hop()
334 dch->keys[i] == NULL ? "" : " ", in dump_dest_constraint_hop()
335 dch->keys[i] == NULL ? "none" : fp, in dump_dest_constraint_hop()
336 dch->key_is_ca[i]); in dump_dest_constraint_hop()
363 sshkey_free(id->key); in free_identity()
364 free(id->provider); in free_identity()
365 free(id->comment); in free_identity()
366 free(id->sk_provider); in free_identity()
367 free_dest_constraints(id->dest_constraints, id->ndest_constraints); in free_identity()
373 * Returns 0 on success or -1 otherwise.
380 const char *hostname = dch->hostname ? dch->hostname : "(ORIGIN)"; in match_key_hop()
385 return -1; in match_key_hop()
390 debug3_f("%s: entering hostname %s, requested key %s %s, %u keys avail", in match_key_hop()
391 tag, hostname, sshkey_type(key), fp, dch->nkeys); in match_key_hop()
393 for (i = 0; i < dch->nkeys; i++) { in match_key_hop()
394 if (dch->keys[i] == NULL) in match_key_hop()
395 return -1; in match_key_hop()
397 if ((fp = sshkey_fingerprint(dch->keys[i], SSH_FP_HASH_DEFAULT, in match_key_hop()
401 dch->key_is_ca[i] ? "CA " : "", in match_key_hop()
402 sshkey_type(dch->keys[i]), fp); in match_key_hop()
406 if (dch->key_is_ca[i] || in match_key_hop()
407 !sshkey_equal(key, dch->keys[i])) in match_key_hop()
412 if (!dch->key_is_ca[i]) in match_key_hop()
414 if (key->cert == NULL || key->cert->signature_key == NULL) in match_key_hop()
415 return -1; /* shouldn't happen */ in match_key_hop()
416 if (!sshkey_equal(key->cert->signature_key, dch->keys[i])) in match_key_hop()
421 key->cert->key_id, hostname, reason); in match_key_hop()
426 return -1; in match_key_hop()
440 for (i = 0; i < id->ndest_constraints; i++) { in permitted_by_dest_constraints()
441 d = id->dest_constraints + i; in permitted_by_dest_constraints()
443 debug2_f("constraint %zu %s%s%s (%u keys) > %s%s%s (%u keys)", in permitted_by_dest_constraints()
444 i, d->from.user ? d->from.user : "", in permitted_by_dest_constraints()
445 d->from.user ? "@" : "", in permitted_by_dest_constraints()
446 d->from.hostname ? d->from.hostname : "(ORIGIN)", in permitted_by_dest_constraints()
447 d->from.nkeys, in permitted_by_dest_constraints()
448 d->to.user ? d->to.user : "", d->to.user ? "@" : "", in permitted_by_dest_constraints()
449 d->to.hostname ? d->to.hostname : "(ANY)", d->to.nkeys); in permitted_by_dest_constraints()
454 if (d->from.hostname != NULL || d->from.nkeys != 0) in permitted_by_dest_constraints()
456 } else if (match_key_hop("from", fromkey, &d->from) != 0) in permitted_by_dest_constraints()
460 if (tokey != NULL && match_key_hop("to", tokey, &d->to) != 0) in permitted_by_dest_constraints()
464 if (d->to.user != NULL && user != NULL && in permitted_by_dest_constraints()
465 !match_pattern(user, d->to.user)) in permitted_by_dest_constraints()
470 *hostnamep = d->to.hostname; in permitted_by_dest_constraints()
472 d->to.hostname == NULL ? "*" : d->to.hostname); in permitted_by_dest_constraints()
477 sshkey_type(id->key), id->comment); in permitted_by_dest_constraints()
478 return -1; in permitted_by_dest_constraints()
484 * Returns 0 on success or -1 otherwise.
499 "%zu constraints", sshkey_type(id->key), id->comment, in identity_permitted()
500 e->nsession_ids, id->ndest_constraints); in identity_permitted()
501 if (id->ndest_constraints == 0) in identity_permitted()
503 if (e->session_bind_attempted && e->nsession_ids == 0) { in identity_permitted()
505 return -1; in identity_permitted()
507 if (e->nsession_ids == 0) in identity_permitted()
513 for (i = 0; i < e->nsession_ids; i++) { in identity_permitted()
514 hks = e->session_ids + i; in identity_permitted()
515 if (hks->key == NULL) in identity_permitted()
523 if ((fp2 = sshkey_fingerprint(hks->key, SSH_FP_HASH_DEFAULT, in identity_permitted()
528 e->fd, i, hks->forwarded ? "FORWARD" : "AUTH", in identity_permitted()
531 sshkey_type(hks->key), fp2); in identity_permitted()
539 if (i == e->nsession_ids - 1) in identity_permitted()
545 if (i == e->nsession_ids - 1) { in identity_permitted()
553 if (hks->forwarded && user != NULL) { in identity_permitted()
555 return -1; in identity_permitted()
557 } else if (!hks->forwarded) { in identity_permitted()
559 return -1; in identity_permitted()
561 if (permitted_by_dest_constraints(fromkey, hks->key, id, in identity_permitted()
563 return -1; in identity_permitted()
564 fromkey = hks->key; in identity_permitted()
571 * destination. This hides keys that are allowed to be used to in identity_permitted()
574 hks = &e->session_ids[e->nsession_ids - 1]; in identity_permitted()
575 if (hks->forwarded && user == NULL && in identity_permitted()
576 permitted_by_dest_constraints(hks->key, NULL, id, in identity_permitted()
579 return -1; in identity_permitted()
589 return e->session_bind_attempted || (e->nsession_ids != 0); in socket_is_remote()
598 TAILQ_FOREACH(id, &idtab->idlist, next) { in lookup_identity()
599 if (sshkey_equal(key, id->key)) in lookup_identity()
610 int ret = -1; in confirm_key()
612 p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT); in confirm_key()
615 id->comment, p, in confirm_key()
628 if ((r = sshbuf_put_u32(e->output, 1)) != 0 || in send_status()
629 (r = sshbuf_put_u8(e->output, success ? in send_status()
634 /* send list of supported public keys to 'client' */
639 struct sshbuf *msg, *keys; in process_request_identities() local
646 if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) in process_request_identities()
648 TAILQ_FOREACH(id, &idtab->idlist, next) { in process_request_identities()
649 if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, in process_request_identities()
652 debug_f("key %u / %u: %s %s", i++, idtab->nentries, in process_request_identities()
653 sshkey_ssh_name(id->key), fp); in process_request_identities()
655 id->dest_constraints, id->ndest_constraints); in process_request_identities()
660 if ((r = sshkey_puts_opts(id->key, keys, in process_request_identities()
662 (r = sshbuf_put_cstring(keys, id->comment)) != 0) { in process_request_identities()
668 debug2_f("replying with %u allowed of %u available keys", in process_request_identities()
669 nentries, idtab->nentries); in process_request_identities()
672 (r = sshbuf_putb(msg, keys)) != 0) in process_request_identities()
674 if ((r = sshbuf_put_stringb(e->output, msg)) != 0) in process_request_identities()
677 sshbuf_free(keys); in process_request_identities()
684 if (key->type == KEY_RSA) { in agent_decode_alg()
686 return "rsa-sha2-256"; in agent_decode_alg()
688 return "rsa-sha2-512"; in agent_decode_alg()
689 } else if (key->type == KEY_RSA_CERT) { in agent_decode_alg()
691 return "rsa-sha2-256-cert-v01@openssh.com"; in agent_decode_alg()
693 return "rsa-sha2-512-cert-v01@openssh.com"; in agent_decode_alg()
735 (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */ in parse_userauth_request()
741 strcmp(service, "ssh-connection") != 0 || in parse_userauth_request()
743 sshkey_type_from_name(pkalg) != expected_key->type) { in parse_userauth_request()
747 if (strcmp(method, "publickey-hostbound-v00@openssh.com") == 0) { in parse_userauth_request()
818 * web-like application string (i.e. one that does not begin with "ssh:").
837 error("web-origin key attempting to sign non-SSH message"); in check_websafe_message_contents()
860 int r, ok = -1, retried = 0; in process_sign_request2()
873 if ((r = sshkey_froms(e->request, &key)) != 0 || in process_sign_request2()
874 (r = sshbuf_get_stringb(e->request, data)) != 0 || in process_sign_request2()
875 (r = sshbuf_get_u32(e->request, &flags)) != 0) { in process_sign_request2()
888 if (id->ndest_constraints != 0) { in process_sign_request2()
889 if (e->nsession_ids == 0) { in process_sign_request2()
890 logit_f("refusing use of destination-constrained key " in process_sign_request2()
896 logit_f("refusing use of destination-constrained key " in process_sign_request2()
907 * registered on the socket - it should have been bound by in process_sign_request2()
911 e->session_ids[e->nsession_ids - 1].sid) != 0) { in process_sign_request2()
914 "key %s %s", e->nsession_ids, user, in process_sign_request2()
915 sshkey_type(id->key), fp); in process_sign_request2()
923 if (e->nsession_ids > 1 && hostkey == NULL) { in process_sign_request2()
924 error_f("refusing use of destination-constrained key: " in process_sign_request2()
930 e->session_ids[e->nsession_ids - 1].key)) { in process_sign_request2()
931 error_f("refusing use of destination-constrained key: " in process_sign_request2()
939 if (id->confirm && confirm_key(id, sig_dest) != 0) { in process_sign_request2()
943 if (sshkey_is_sk(id->key)) { in process_sign_request2()
945 strncmp(id->key->sk_application, "ssh:", 4) != 0 && in process_sign_request2()
950 if (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { in process_sign_request2()
953 sshkey_type(id->key), fp, in process_sign_request2()
959 if ((r = sshkey_sign(id->key, &signature, &slen, in process_sign_request2()
961 id->sk_provider, pin, compat)) != 0) { in process_sign_request2()
963 if (pin == NULL && !retried && sshkey_is_sk(id->key) && in process_sign_request2()
969 (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD) ? in process_sign_request2()
971 sshkey_type(id->key), fp); in process_sign_request2()
992 if ((r = sshbuf_put_stringb(e->output, msg)) != 0) in process_sign_request2()
1018 if ((r = sshkey_froms(e->request, &key)) != 0) { in process_remove_identity()
1030 if (idtab->nentries < 1) in process_remove_identity()
1031 fatal_f("internal error: nentries %d", idtab->nentries); in process_remove_identity()
1032 TAILQ_REMOVE(&idtab->idlist, id, next); in process_remove_identity()
1034 idtab->nentries--; in process_remove_identity()
1047 /* Loop over all identities and clear the keys. */ in process_remove_all_identities()
1048 for (id = TAILQ_FIRST(&idtab->idlist); id; in process_remove_all_identities()
1049 id = TAILQ_FIRST(&idtab->idlist)) { in process_remove_all_identities()
1050 TAILQ_REMOVE(&idtab->idlist, id, next); in process_remove_all_identities()
1055 idtab->nentries = 0; in process_remove_all_identities()
1061 /* removes expired keys and returns number of seconds until the next expiry */
1068 for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) { in reaper()
1070 if (id->death == 0) in reaper()
1072 if (now >= id->death) { in reaper()
1073 debug("expiring key '%s'", id->comment); in reaper()
1074 TAILQ_REMOVE(&idtab->idlist, id, next); in reaper()
1076 idtab->nentries--; in reaper()
1078 deadline = (deadline == 0) ? id->death : in reaper()
1079 MINIMUM(deadline, id->death); in reaper()
1084 return (deadline - now); in reaper()
1097 if ((r = sshbuf_get_cstring(b, &dch->user, NULL)) != 0 || in parse_dest_constraint_hop()
1098 (r = sshbuf_get_cstring(b, &dch->hostname, NULL)) != 0 || in parse_dest_constraint_hop()
1108 if (*dch->hostname == '\0') { in parse_dest_constraint_hop()
1109 free(dch->hostname); in parse_dest_constraint_hop()
1110 dch->hostname = NULL; in parse_dest_constraint_hop()
1112 if (*dch->user == '\0') { in parse_dest_constraint_hop()
1113 free(dch->user); in parse_dest_constraint_hop()
1114 dch->user = NULL; in parse_dest_constraint_hop()
1117 dch->keys = xrecallocarray(dch->keys, dch->nkeys, in parse_dest_constraint_hop()
1118 dch->nkeys + 1, sizeof(*dch->keys)); in parse_dest_constraint_hop()
1119 dch->key_is_ca = xrecallocarray(dch->key_is_ca, dch->nkeys, in parse_dest_constraint_hop()
1120 dch->nkeys + 1, sizeof(*dch->key_is_ca)); in parse_dest_constraint_hop()
1128 dch->user == NULL ? "" : dch->user, in parse_dest_constraint_hop()
1129 dch->user == NULL ? "" : "@", in parse_dest_constraint_hop()
1130 dch->hostname, key_is_ca ? "CA " : "", sshkey_type(k), fp); in parse_dest_constraint_hop()
1132 dch->keys[dch->nkeys] = k; in parse_dest_constraint_hop()
1133 dch->key_is_ca[dch->nkeys] = key_is_ca != 0; in parse_dest_constraint_hop()
1134 dch->nkeys++; in parse_dest_constraint_hop()
1161 if ((r = parse_dest_constraint_hop(frombuf, &dc->from)) != 0 || in parse_dest_constraint()
1162 (r = parse_dest_constraint_hop(tobuf, &dc->to)) != 0) in parse_dest_constraint()
1169 debug2_f("parsed %s (%u keys) > %s%s%s (%u keys)", in parse_dest_constraint()
1170 dc->from.hostname ? dc->from.hostname : "(ORIGIN)", dc->from.nkeys, in parse_dest_constraint()
1171 dc->to.user ? dc->to.user : "", dc->to.user ? "@" : "", in parse_dest_constraint()
1172 dc->to.hostname ? dc->to.hostname : "(ANY)", dc->to.nkeys); in parse_dest_constraint()
1174 if ((dc->from.hostname == NULL) != (dc->from.nkeys == 0) || in parse_dest_constraint()
1175 dc->from.user != NULL) { in parse_dest_constraint()
1180 if (dc->to.hostname == NULL || dc->to.nkeys == 0) { in parse_dest_constraint()
1210 if (strcmp(ext_name, "sk-provider@openssh.com") == 0) { in parse_key_constraint_extension()
1226 "restrict-destination-v00@openssh.com") == 0) { in parse_key_constraint_extension()
1247 "associated-certs-v00@openssh.com") == 0) { in parse_key_constraint_extension()
1379 if ((r = sshkey_private_deserialize(e->request, &k)) != 0 || in process_add_identity()
1381 (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) { in process_add_identity()
1385 if (parse_key_constraints(e->request, k, &death, &seconds, &confirm, in process_add_identity()
1389 sshbuf_reset(e->request); in process_add_identity()
1397 "authenticator-hosted key", sshkey_type(k)); in process_add_identity()
1433 TAILQ_INSERT_TAIL(&idtab->idlist, id, next); in process_add_identity()
1435 idtab->nentries++; in process_add_identity()
1441 sshkey_free(id->key); in process_add_identity()
1442 free(id->comment); in process_add_identity()
1443 free(id->sk_provider); in process_add_identity()
1444 free_dest_constraints(id->dest_constraints, in process_add_identity()
1445 id->ndest_constraints); in process_add_identity()
1448 id->key = k; in process_add_identity()
1449 id->comment = comment; in process_add_identity()
1450 id->death = death; in process_add_identity()
1451 id->confirm = confirm; in process_add_identity()
1452 id->sk_provider = sk_provider; in process_add_identity()
1453 id->dest_constraints = dest_constraints; in process_add_identity()
1454 id->ndest_constraints = ndest_constraints; in process_add_identity()
1495 if ((r = sshbuf_get_cstring(e->request, &passwd, &pwlen)) != 0) in process_lock_agent()
1514 debug("unlock failed, delaying %0.1lf seconds", in process_lock_agent()
1542 (r = sshbuf_put_stringb(e->output, msg)) != 0) in no_identities()
1562 id->key = key; in add_p11_identity()
1563 id->comment = comment; in add_p11_identity()
1564 id->provider = xstrdup(provider); in add_p11_identity()
1565 id->death = death; in add_p11_identity()
1566 id->confirm = confirm; in add_p11_identity()
1567 id->dest_constraints = dup_dest_constraints(dest_constraints, in add_p11_identity()
1569 id->ndest_constraints = ndest_constraints; in add_p11_identity()
1570 TAILQ_INSERT_TAIL(&idtab->idlist, id, next); in add_p11_identity()
1571 idtab->nentries++; in add_p11_identity()
1582 struct sshkey **keys = NULL, *k; in process_add_smartcard_key() local
1589 if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || in process_add_smartcard_key()
1590 (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { in process_add_smartcard_key()
1594 if (parse_key_constraints(e->request, NULL, &death, &seconds, &confirm, in process_add_smartcard_key()
1620 count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments); in process_add_smartcard_key()
1629 if (!sshkey_equal_public(keys[i], certs[j])) in process_add_smartcard_key()
1631 if (pkcs11_make_cert(keys[i], certs[j], &k) != 0) in process_add_smartcard_key()
1638 if (!cert_only && lookup_identity(keys[i]) == NULL) { in process_add_smartcard_key()
1639 add_p11_identity(keys[i], comments[i], in process_add_smartcard_key()
1642 keys[i] = NULL; /* transferred */ in process_add_smartcard_key()
1646 /* XXX update constraints for existing keys */ in process_add_smartcard_key()
1647 sshkey_free(keys[i]); in process_add_smartcard_key()
1653 free(keys); in process_add_smartcard_key()
1670 if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || in process_remove_smartcard_key()
1671 (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { in process_remove_smartcard_key()
1684 for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) { in process_remove_smartcard_key()
1686 /* Skip file-based keys */ in process_remove_smartcard_key()
1687 if (id->provider == NULL) in process_remove_smartcard_key()
1689 if (!strcmp(canonical_provider, id->provider)) { in process_remove_smartcard_key()
1690 TAILQ_REMOVE(&idtab->idlist, id, next); in process_remove_smartcard_key()
1692 idtab->nentries--; in process_remove_smartcard_key()
1716 e->session_bind_attempted = 1; in process_ext_session_bind()
1717 if ((r = sshkey_froms(e->request, &key)) != 0 || in process_ext_session_bind()
1718 (r = sshbuf_froms(e->request, &sid)) != 0 || in process_ext_session_bind()
1719 (r = sshbuf_froms(e->request, &sig)) != 0 || in process_ext_session_bind()
1720 (r = sshbuf_get_u8(e->request, &fwd)) != 0) { in process_ext_session_bind()
1734 for (i = 0; i < e->nsession_ids; i++) { in process_ext_session_bind()
1735 if (!e->session_ids[i].forwarded) { in process_ext_session_bind()
1738 r = -1; in process_ext_session_bind()
1741 sid_match = buf_equal(sid, e->session_ids[i].sid) == 0; in process_ext_session_bind()
1742 key_match = sshkey_equal(key, e->session_ids[i].key); in process_ext_session_bind()
1751 r = -1; in process_ext_session_bind()
1755 * new sid with previously-seen key can happen, e.g. multiple in process_ext_session_bind()
1760 if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { in process_ext_session_bind()
1764 e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, in process_ext_session_bind()
1765 e->nsession_ids + 1, sizeof(*e->session_ids)); in process_ext_session_bind()
1766 i = e->nsession_ids++; in process_ext_session_bind()
1769 e->session_ids[i].key = key; in process_ext_session_bind()
1770 e->session_ids[i].forwarded = fwd != 0; in process_ext_session_bind()
1773 if ((e->session_ids[i].sid = sshbuf_new()) == NULL) in process_ext_session_bind()
1775 if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0) in process_ext_session_bind()
1794 if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) { in process_extension()
1798 if (strcmp(name, "session-bind@openssh.com") == 0) in process_extension()
1808 * returns 1 on success, 0 for incomplete messages or -1 on error.
1823 if (sshbuf_len(e->input) < 5) in process_message()
1825 cp = sshbuf_ptr(e->input); in process_message()
1829 socknum, e->fd, msg_len, AGENT_MAX_LEN); in process_message()
1830 return -1; in process_message()
1832 if (sshbuf_len(e->input) < msg_len + 4) in process_message()
1835 /* move the current input to e->request */ in process_message()
1836 sshbuf_reset(e->request); in process_message()
1837 if ((r = sshbuf_get_stringb(e->input, e->request)) != 0 || in process_message()
1838 (r = sshbuf_get_u8(e->request, &type)) != 0) { in process_message()
1842 return -1; in process_message()
1847 debug_f("socket %u (fd=%d) type %d", socknum, e->fd, type); in process_message()
1851 sshbuf_reset(e->request); in process_message()
1904 sshbuf_reset(e->request); in process_message()
1919 debug("xcount %d -> %d", xcount, xcount + 1); in new_socket()
1963 if (fd == -1) { in handle_socket_read()
1965 return -1; in handle_socket_read()
1967 if (getpeereid(fd, &euid, &egid) == -1) { in handle_socket_read()
1970 return -1; in handle_socket_read()
1976 return -1; in handle_socket_read()
1990 if (len == -1) { in handle_conn_read()
1996 return -1; in handle_conn_read()
2002 if ((r = process_message(socknum)) == -1) in handle_conn_read()
2003 return -1; in handle_conn_read()
2021 if (len == -1) { in handle_conn_write()
2027 return -1; in handle_conn_write()
2078 activefds--; in after_poll()
2133 * Only prepare to read if we can handle a full-size in prepare_poll()
2195 if (parent_pid != -1 && getppid() != parent_pid) { in check_parent_exists()
2196 /* printf("Parent has died - Authentication agent exiting.\n"); */ in check_parent_exists()
2206 "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" in usage()
2207 " [-O option] [-P allowed_providers] [-t life]\n" in usage()
2208 " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" in usage()
2209 " [-P allowed_providers] [-t life] command [arg ...]\n" in usage()
2210 " ssh-agent [-c | -s] -k\n"); in usage()
2246 if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) in main()
2253 while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) { in main()
2257 if (fingerprint_hash == -1) in main()
2269 if (strcmp(optarg, "no-restrict-websafe") == 0) in main()
2271 else if (strcmp(optarg, "allow-remote-pkcs11") == 0) in main()
2274 fatal("Unknown -O option"); in main()
2278 fatal("-P option already specified"); in main()
2300 if ((lifetime = convtime(optarg)) == -1) { in main()
2312 ac -= optind; in main()
2324 strncmp(shell + len - 3, "csh", 3) == 0) in main()
2343 if (kill(pid, SIGTERM) == -1) { in main()
2363 maxfds = rlim.rlim_cur - SSH_AGENT_MIN_FDS; in main()
2389 /* XXX - unix_listener() calls error() not perror() */ in main()
2411 if (pid == -1) { in main()
2415 if (pid != 0) { /* Parent - execute the given command. */ in main()
2427 if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 || in main()
2428 setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1) == -1) { in main()
2439 if (setsid() == -1) { in main()
2445 if (stdfd_devnull(1, 1, 1) == -1) in main()
2449 /* deny core dumps, since memory contains unencrypted private keys */ in main()
2451 if (setrlimit(RLIMIT_CORE, &rlim) == -1) { in main()
2478 if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) in main()
2495 (void) reaper(); /* remove expired keys */ in main()
2496 if (result == -1) { in main()