summaryrefslogtreecommitdiff
path: root/ssh-agent.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssh-agent.c')
-rw-r--r--ssh-agent.c24
1 files changed, 9 insertions, 15 deletions
diff --git a/ssh-agent.c b/ssh-agent.c
index c38906d94..25d6ebc53 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-agent.c,v 1.212 2016/02/15 09:47:49 dtucker Exp $ */ 1/* $OpenBSD: ssh-agent.c,v 1.213 2016/05/02 08:49:03 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -88,10 +88,6 @@
88#include "ssh-pkcs11.h" 88#include "ssh-pkcs11.h"
89#endif 89#endif
90 90
91#if defined(HAVE_SYS_PRCTL_H)
92#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
93#endif
94
95typedef enum { 91typedef enum {
96 AUTH_UNUSED, 92 AUTH_UNUSED,
97 AUTH_SOCKET, 93 AUTH_SOCKET,
@@ -144,8 +140,8 @@ char socket_dir[PATH_MAX];
144#define LOCK_SALT_SIZE 16 140#define LOCK_SALT_SIZE 16
145#define LOCK_ROUNDS 1 141#define LOCK_ROUNDS 1
146int locked = 0; 142int locked = 0;
147char lock_passwd[LOCK_SIZE]; 143u_char lock_pwhash[LOCK_SIZE];
148char lock_salt[LOCK_SALT_SIZE]; 144u_char lock_salt[LOCK_SALT_SIZE];
149 145
150extern char *__progname; 146extern char *__progname;
151 147
@@ -677,7 +673,8 @@ static void
677process_lock_agent(SocketEntry *e, int lock) 673process_lock_agent(SocketEntry *e, int lock)
678{ 674{
679 int r, success = 0, delay; 675 int r, success = 0, delay;
680 char *passwd, passwdhash[LOCK_SIZE]; 676 char *passwd;
677 u_char passwdhash[LOCK_SIZE];
681 static u_int fail_count = 0; 678 static u_int fail_count = 0;
682 size_t pwlen; 679 size_t pwlen;
683 680
@@ -689,11 +686,11 @@ process_lock_agent(SocketEntry *e, int lock)
689 if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt), 686 if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
690 passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0) 687 passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0)
691 fatal("bcrypt_pbkdf"); 688 fatal("bcrypt_pbkdf");
692 if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) { 689 if (timingsafe_bcmp(passwdhash, lock_pwhash, LOCK_SIZE) == 0) {
693 debug("agent unlocked"); 690 debug("agent unlocked");
694 locked = 0; 691 locked = 0;
695 fail_count = 0; 692 fail_count = 0;
696 explicit_bzero(lock_passwd, sizeof(lock_passwd)); 693 explicit_bzero(lock_pwhash, sizeof(lock_pwhash));
697 success = 1; 694 success = 1;
698 } else { 695 } else {
699 /* delay in 0.1s increments up to 10s */ 696 /* delay in 0.1s increments up to 10s */
@@ -710,7 +707,7 @@ process_lock_agent(SocketEntry *e, int lock)
710 locked = 1; 707 locked = 1;
711 arc4random_buf(lock_salt, sizeof(lock_salt)); 708 arc4random_buf(lock_salt, sizeof(lock_salt));
712 if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt), 709 if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
713 lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0) 710 lock_pwhash, sizeof(lock_pwhash), LOCK_ROUNDS) < 0)
714 fatal("bcrypt_pbkdf"); 711 fatal("bcrypt_pbkdf");
715 success = 1; 712 success = 1;
716 } 713 }
@@ -1208,10 +1205,7 @@ main(int ac, char **av)
1208 setegid(getgid()); 1205 setegid(getgid());
1209 setgid(getgid()); 1206 setgid(getgid());
1210 1207
1211#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) 1208 platform_disable_tracing(0); /* strict=no */
1212 /* Disable ptrace on Linux without sgid bit */
1213 prctl(PR_SET_DUMPABLE, 0);
1214#endif
1215 1209
1216#ifdef WITH_OPENSSL 1210#ifdef WITH_OPENSSL
1217 OpenSSL_add_all_algorithms(); 1211 OpenSSL_add_all_algorithms();
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-11 09:09:57 +0000