Diffstat (limited to 'ssh-add.c')
-rw-r--r-- | ssh-add.c | 50 |
1 files changed, 33 insertions, 17 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-add.c,v 1.100 2010/08/31 12:33:38 djm Exp $ */ | 1 | /* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -145,8 +145,12 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
145 | char *comment = NULL, *fp; | 145 | char *comment = NULL, *fp; |
146 | char msg[1024], *certpath; | 146 | char msg[1024], *certpath; |
147 | int fd, perms_ok, ret = -1; | 147 | int fd, perms_ok, ret = -1; |
148 | Buffer keyblob; | ||
148 | 149 | ||
149 | if ((fd = open(filename, O_RDONLY)) < 0) { | 150 | if (strcmp(filename, "-") == 0) { |
151 | fd = STDIN_FILENO; | ||
152 | filename = "(stdin)"; | ||
153 | } else if ((fd = open(filename, O_RDONLY)) < 0) { | ||
150 | perror(filename); | 154 | perror(filename); |
151 | return -1; | 155 | return -1; |
152 | } | 156 | } |
@@ -155,18 +159,28 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
155 | * Since we'll try to load a keyfile multiple times, permission errors | 159 | * Since we'll try to load a keyfile multiple times, permission errors |
156 | * will occur multiple times, so check perms first and bail if wrong. | 160 | * will occur multiple times, so check perms first and bail if wrong. |
157 | */ | 161 | */ |
158 | perms_ok = key_perm_ok(fd, filename); | 162 | if (fd != STDIN_FILENO) { |
159 | close(fd); | 163 | perms_ok = key_perm_ok(fd, filename); |
160 | if (!perms_ok) | 164 | if (!perms_ok) { |
165 | close(fd); | ||
166 | return -1; | ||
167 | } | ||
168 | } | ||
169 | buffer_init(&keyblob); | ||
170 | if (!key_load_file(fd, filename, &keyblob)) { | ||
171 | buffer_free(&keyblob); | ||
172 | close(fd); | ||
161 | return -1; | 173 | return -1; |
174 | } | ||
175 | close(fd); | ||
162 | 176 | ||
163 | /* At first, try empty passphrase */ | 177 | /* At first, try empty passphrase */ |
164 | private = key_load_private(filename, "", &comment); | 178 | private = key_parse_private(&keyblob, filename, "", &comment); |
165 | if (comment == NULL) | 179 | if (comment == NULL) |
166 | comment = xstrdup(filename); | 180 | comment = xstrdup(filename); |
167 | /* try last */ | 181 | /* try last */ |
168 | if (private == NULL && pass != NULL) | 182 | if (private == NULL && pass != NULL) |
169 | private = key_load_private(filename, pass, NULL); | 183 | private = key_parse_private(&keyblob, filename, pass, NULL); |
170 | if (private == NULL) { | 184 | if (private == NULL) { |
171 | /* clear passphrase since it did not work */ | 185 | /* clear passphrase since it did not work */ |
172 | clear_pass(); | 186 | clear_pass(); |
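Review bot: The unconditional `close(fd)` at new line 175 (and the one on the failure path at new line 172) closes descriptor 0 itself when the key was read from `-`, since the new code at lines 150–152 aliases `fd` to `STDIN_FILENO` without dup'ing it; a later `-` argument in the same invocation, or any subsequent open() that is handed descriptor 0, would then behave unexpectedly. Mirror the guard already used for the permission check: `if (fd != STDIN_FILENO) close(fd);` at both places. A minor point in the same hunk is that `perms_ok` is now left unassigned on the stdin path; it appears not to be read afterwards, but initialising it or dropping the variable in favour of `if (!key_perm_ok(fd, filename))` would make that obvious. add_file's body starts and continues outside this hunk.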
@@ -177,9 +191,11 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
177 | if (strcmp(pass, "") == 0) { | 191 | if (strcmp(pass, "") == 0) { |
178 | clear_pass(); | 192 | clear_pass(); |
179 | xfree(comment); | 193 | xfree(comment); |
194 | buffer_free(&keyblob); | ||
180 | return -1; | 195 | return -1; |
181 | } | 196 | } |
182 | private = key_load_private(filename, pass, &comment); | 197 | private = key_parse_private(&keyblob, filename, pass, |
198 | &comment); | ||
183 | if (private != NULL) | 199 | if (private != NULL) |
184 | break; | 200 | break; |
185 | clear_pass(); | 201 | clear_pass(); |
@@ -187,14 +203,7 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
187 | "Bad passphrase, try again for %.200s: ", comment); | 203 | "Bad passphrase, try again for %.200s: ", comment); |
188 | } | 204 | } |
189 | } | 205 | } |
190 | if (blacklisted_key(private, &fp) == 1) { | 206 | buffer_free(&keyblob); |
191 | fprintf(stderr, "Public key %s blacklisted (see " | ||
192 | "ssh-vulnkey(1)); refusing to add it\n", fp); | ||
193 | xfree(fp); | ||
194 | key_free(private); | ||
195 | xfree(comment); | ||
196 | return -1; | ||
197 | } | ||
198 | 207 | ||
199 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, | 208 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, |
200 | confirm)) { | 209 | confirm)) { |
@@ -209,6 +218,14 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
209 | } else { | 218 | } else { |
210 | fprintf(stderr, "Could not add identity: %s\n", filename); | 219 | fprintf(stderr, "Could not add identity: %s\n", filename); |
211 | } | 220 | } |
221 | if (blacklisted_key(private, &fp) == 1) { | ||
222 | fprintf(stderr, "Public key %s blacklisted (see " | ||
223 | "ssh-vulnkey(1)); refusing to add it\n", fp); | ||
224 | xfree(fp); | ||
225 | key_free(private); | ||
226 | xfree(comment); | ||
227 | return -1; | ||
228 | } | ||
212 | 229 | ||
213 | 230 | ||
214 | /* Now try to add the certificate flavour too */ | 231 | /* Now try to add the certificate flavour too */ |
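Review bot: The `blacklisted_key()` check at new lines 221–228 now runs after `ssh_add_identity_constrained()` at line 208 has already sent the key to the agent, so a blacklisted key is loaded anyway and the "refusing to add it" message is false; on that path the function also returns -1 without removing the identity it just added. The removed block at old lines 190–197 sat before the add, and the moved check needs to go back there, immediately after `buffer_free(&keyblob);` at new line 206 and before the `if (ssh_add_identity_constrained(...))` call, keeping its `key_free(private); xfree(comment); return -1;` cleanup. The rest of add_file, including the certificate path this hunk leads into, lies outside the hunk.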
@@ -380,7 +397,6 @@ main(int argc, char **argv) | |||
380 | sanitise_stdfd(); | 397 | sanitise_stdfd(); |
381 | 398 | ||
382 | __progname = ssh_get_progname(argv[0]); | 399 | __progname = ssh_get_progname(argv[0]); |
383 | init_rng(); | ||
384 | seed_rng(); | 400 | seed_rng(); |
385 | 401 | ||
386 | OpenSSL_add_all_algorithms(); | 402 | OpenSSL_add_all_algorithms(); |