* New upstream release (http://www.openssh.org/txt/release-5.9).

  - Introduce sandboxing of the pre-auth privsep child using an optional
    sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
    mandatory restrictions on the syscalls the privsep child can perform.
  - Add new SHA256-based HMAC transport integrity modes from
    http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
  - The pre-authentication sshd(8) privilege separation slave process now
    logs via a socket shared with the master process, avoiding the need to
    maintain /dev/log inside the chroot (closes: #75043, #429243,
    #599240).
  - ssh(1) now warns when a server refuses X11 forwarding (closes:
    #504757).
  - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
    separated by whitespace (closes: #76312).  The authorized_keys2
    fallback is deprecated but documented (closes: #560156).
  - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
    ToS/DSCP (closes: #498297).
  - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
    - < /path/to/key" (closes: #229124).
  - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
  - Say "required" rather than "recommended" in unprotected-private-key
    warning (LP: #663455).

1 files changed, 33 insertions, 17 deletions

diff --git a/ssh-add.c b/ssh-add.c
index 64bf89bc0..3e2f9f6ce 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.100 2010/08/31 12:33:38 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -145,8 +145,12 @@ add_file(AuthenticationConnection *ac, const char *filename)
         char *comment = NULL, *fp;
         char msg[1024], *certpath;
         int fd, perms_ok, ret = -1;
+        Buffer keyblob;
 
-        if ((fd = open(filename, O_RDONLY)) < 0) {
+        if (strcmp(filename, "-") == 0) {
+                fd = STDIN_FILENO;
+                filename = "(stdin)";
+        } else if ((fd = open(filename, O_RDONLY)) < 0) {
                 perror(filename);
                 return -1;
         }
@@ -155,18 +159,28 @@ add_file(AuthenticationConnection *ac, const char *filename)
          * Since we'll try to load a keyfile multiple times, permission errors
          * will occur multiple times, so check perms first and bail if wrong.
          */
-        perms_ok = key_perm_ok(fd, filename);
-        close(fd);
-        if (!perms_ok)
+        if (fd != STDIN_FILENO) {
+                perms_ok = key_perm_ok(fd, filename);
+                if (!perms_ok) {
+                        close(fd);
+                        return -1;
+                }
+        }
+        buffer_init(&keyblob);
+        if (!key_load_file(fd, filename, &keyblob)) {
+                buffer_free(&keyblob);
+                close(fd);
                 return -1;
+        }
+        close(fd);
 
         /* At first, try empty passphrase */
-        private = key_load_private(filename, "", &comment);
+        private = key_parse_private(&keyblob, filename, "", &comment);
         if (comment == NULL)
                 comment = xstrdup(filename);
         /* try last */
         if (private == NULL && pass != NULL)
-                private = key_load_private(filename, pass, NULL);
+                private = key_parse_private(&keyblob, filename, pass, NULL);
         if (private == NULL) {
                 /* clear passphrase since it did not work */
                 clear_pass();
@@ -177,9 +191,11 @@ add_file(AuthenticationConnection *ac, const char *filename)
                         if (strcmp(pass, "") == 0) {
                                 clear_pass();
                                 xfree(comment);
+                                buffer_free(&keyblob);
                                 return -1;
                         }
-                        private = key_load_private(filename, pass, &comment);
+                        private = key_parse_private(&keyblob, filename, pass,
+                            &comment);
                         if (private != NULL)
                                 break;
                         clear_pass();
@@ -187,14 +203,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
                             "Bad passphrase, try again for %.200s: ", comment);
                 }
         }
-        if (blacklisted_key(private, &fp) == 1) {
-                fprintf(stderr, "Public key %s blacklisted (see "
-                    "ssh-vulnkey(1)); refusing to add it\n", fp);
-                xfree(fp);
-                key_free(private);
-                xfree(comment);
-                return -1;
-        }
+        buffer_free(&keyblob);
 
         if (ssh_add_identity_constrained(ac, private, comment, lifetime,
             confirm)) {
@@ -209,6 +218,14 @@ add_file(AuthenticationConnection *ac, const char *filename)
         } else {
                 fprintf(stderr, "Could not add identity: %s\n", filename);
         }
+        if (blacklisted_key(private, &fp) == 1) {
+                fprintf(stderr, "Public key %s blacklisted (see "
+                    "ssh-vulnkey(1)); refusing to add it\n", fp);
+                xfree(fp);
+                key_free(private);
+                xfree(comment);
+                return -1;
+        }
 
 
         /* Now try to add the certificate flavour too */
@@ -380,7 +397,6 @@ main(int argc, char **argv)
         sanitise_stdfd();
 
         __progname = ssh_get_progname(argv[0]);
-        init_rng();
         seed_rng();
 
         OpenSSL_add_all_algorithms();