| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2017-01-31 12:29:48 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2017-01-31 12:29:48 +0000 |
| commit | ab4ec008e7abd1c8098428dbf9642c3685383045 (patch) | |
| tree | feb16b3395021bd0f5667967c25f2bb77f8b691e /ssh-agent.c | |
| parent | 8f8c559269bccf737d318b89630a0ef812865b99 (diff) | |
Notes
Diffstat (limited to 'ssh-agent.c')
| -rw-r--r-- | ssh-agent.c | 65 |
1 files changed, 16 insertions, 49 deletions
diff --git a/ssh-agent.c b/ssh-agent.c index 99525d2a48e3..25d6ebc53c94 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.212 2016/02/15 09:47:49 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.213 2016/05/02 08:49:03 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -83,20 +83,11 @@ #include "misc.h" #include "digest.h" #include "ssherr.h" -#include "match.h" #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" #endif -#ifndef DEFAULT_PKCS11_WHITELIST -# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*" -#endif - -#if defined(HAVE_SYS_PRCTL_H) -#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */ -#endif - typedef enum { AUTH_UNUSED, AUTH_SOCKET, @@ -144,16 +135,13 @@ pid_t cleanup_pid = 0; char socket_name[PATH_MAX]; char socket_dir[PATH_MAX]; -/* PKCS#11 path whitelist */ -static char *pkcs11_whitelist; - /* locking */ #define LOCK_SIZE 32 #define LOCK_SALT_SIZE 16 #define LOCK_ROUNDS 1 int locked = 0; -char lock_passwd[LOCK_SIZE]; -char lock_salt[LOCK_SALT_SIZE]; +u_char lock_pwhash[LOCK_SIZE]; +u_char lock_salt[LOCK_SALT_SIZE]; extern char *__progname; @@ -685,7 +673,8 @@ static void process_lock_agent(SocketEntry *e, int lock) { int r, success = 0, delay; - char *passwd, passwdhash[LOCK_SIZE]; + char *passwd; + u_char passwdhash[LOCK_SIZE]; static u_int fail_count = 0; size_t pwlen; @@ -697,11 +686,11 @@ process_lock_agent(SocketEntry *e, int lock) if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt), passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0) fatal("bcrypt_pbkdf"); - if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) { + if (timingsafe_bcmp(passwdhash, lock_pwhash, LOCK_SIZE) == 0) { debug("agent unlocked"); locked = 0; fail_count = 0; - explicit_bzero(lock_passwd, sizeof(lock_passwd)); + explicit_bzero(lock_pwhash, sizeof(lock_pwhash)); success = 1; } else { /* delay in 0.1s increments up to 10s */ 
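Review bot: The renamed global `lock_pwhash` in the locking block (`-144,16 +135,13` hunk) has no comment saying that it holds the bcrypt_pbkdf output rather than the passphrase itself, which is the whole reason for the rename. I would add `/* bcrypt_pbkdf(passphrase, lock_salt) output; wiped with explicit_bzero() on unlock */` above `u_char lock_pwhash[LOCK_SIZE];`. The context line `#define LOCK_ROUNDS 1` also deserves a short comment on why a single round is acceptable, since that value sets the cost of guessing the passphrase from a recovered hash. In process_lock_agent the unlock branch wipes `lock_pwhash`, but the visible hunks do not show the local `passwdhash` or `passwd` being cleared; the function continues outside the hunk, so confirm both are wiped before it returns.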
@@ -718,7 +707,7 @@ process_lock_agent(SocketEntry *e, int lock) locked = 1; arc4random_buf(lock_salt, sizeof(lock_salt)); if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt), - lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0) + lock_pwhash, sizeof(lock_pwhash), LOCK_ROUNDS) < 0) fatal("bcrypt_pbkdf"); success = 1; } @@ -749,7 +738,7 @@ no_identities(SocketEntry *e, u_int type) static void process_add_smartcard_key(SocketEntry *e) { - char *provider = NULL, *pin, canonical_provider[PATH_MAX]; + char *provider = NULL, *pin; int r, i, version, count = 0, success = 0, confirm = 0; u_int seconds; time_t death = 0; @@ -781,21 +770,10 @@ process_add_smartcard_key(SocketEntry *e) goto send; } } - if (realpath(provider, canonical_provider) == NULL) { - verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", - provider, strerror(errno)); - goto send; - } - if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) { - verbose("refusing PKCS#11 add of \"%.100s\": " - "provider not whitelisted", canonical_provider); - goto send; - } - debug("%s: add %.100s", __func__, canonical_provider); if (lifetime && !death) death = monotime() + lifetime; - count = pkcs11_add_provider(canonical_provider, pin, &keys); + count = pkcs11_add_provider(provider, pin, &keys); for (i = 0; i < count; i++) { k = keys[i]; version = k->type == KEY_RSA1 ? 1 : 2; @@ -803,8 +781,8 @@ process_add_smartcard_key(SocketEntry *e) if (lookup_identity(k, version) == NULL) { id = xcalloc(1, sizeof(Identity)); id->key = k; - id->provider = xstrdup(canonical_provider); - id->comment = xstrdup(canonical_provider); /* XXX */ + id->provider = xstrdup(provider); + id->comment = xstrdup(provider); /* XXX */ id->death = death; id->confirm = confirm; TAILQ_INSERT_TAIL(&tab->idlist, id, next); 
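Review bot: In process_add_smartcard_key (the `-781,21 +770,10` hunk) the new side passes the client-supplied `provider` string straight to `pkcs11_add_provider()`, with neither the `realpath()` canonicalisation nor the `match_pattern_list()` allow-list check in front of it. Any peer that can send requests on the agent socket therefore chooses the module path the agent hands to the PKCS#11 loader. I would keep both checks ahead of the call; at minimum keep the request visible in logs with `debug("%s: add %.100s", __func__, provider);`, which the hunk also drops. The next hunk stores the unresolved string in `id->provider`, so two spellings of the same module path may no longer be treated as the same provider wherever that field is compared later. The function body starts and ends outside these hunks.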
@@ -1195,7 +1173,7 @@ usage(void) { fprintf(stderr, "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" - " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n" + " [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); } @@ -1227,10 +1205,7 @@ main(int ac, char **av) setegid(getgid()); setgid(getgid()); -#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) - /* Disable ptrace on Linux without sgid bit */ - prctl(PR_SET_DUMPABLE, 0); -#endif + platform_disable_tracing(0); /* strict=no */ #ifdef WITH_OPENSSL OpenSSL_add_all_algorithms(); @@ -1239,7 +1214,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); - while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) { + while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); @@ -1254,11 +1229,6 @@ main(int ac, char **av) case 'k': k_flag++; break; - case 'P': - if (pkcs11_whitelist != NULL) - fatal("-P option already specified"); - pkcs11_whitelist = xstrdup(optarg); - break; case 's': if (c_flag) usage(); @@ -1293,9 +1263,6 @@ main(int ac, char **av) if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag)) usage(); - if (pkcs11_whitelist == NULL) - pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST); - if (ac == 0 && !c_flag && !s_flag) { shell = getenv("SHELL"); if (shell != NULL && (len = strlen(shell)) > 2 && @@ -1443,7 +1410,7 @@ skip: signal(SIGTERM, cleanup_handler); nalloc = 0; - if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) + if (pledge("stdio cpath unix id proc exec", NULL) == -1) fatal("%s: pledge: %s", __progname, strerror(errno)); platform_pledge_agent(); |
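Review bot: `platform_disable_tracing(0)` in main() (the `-1227,10 +1205,7` hunk) is called in non-strict mode, which going by its `/* strict=no */` comment presumably means a failure to disable tracing is ignored, and the hunk drops the old comment saying the call is there to disable ptrace. I would restore the rationale and say why non-strict is acceptable, e.g. `/* Stop other processes of the same user attaching to the agent; non-strict because <reason> */`. The helper's definition is not on this page, so confirm whether it reports failure at all; if it can, a `debug()` on failure would help when auditing hosts where the protection did not take effect. main() continues outside the hunk.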
