Diffstat (limited to 'ssh-add.c')
-rw-r--r-- | ssh-add.c | 71 |
1 files changed, 50 insertions, 21 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.108 2013/12/19 00:10:30 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -73,6 +73,7 @@ static char *default_files[] = { #ifdef OPENSSL_HAS_ECC _PATH_SSH_CLIENT_ID_ECDSA, #endif + _PATH_SSH_CLIENT_ID_ED25519, _PATH_SSH_CLIENT_IDENTITY, NULL }; @@ -90,16 +91,16 @@ clear_pass(void) { if (pass) { memset(pass, 0, strlen(pass)); - xfree(pass); + free(pass); pass = NULL; } } static int -delete_file(AuthenticationConnection *ac, const char *filename) +delete_file(AuthenticationConnection *ac, const char *filename, int key_only) { - Key *public; - char *comment = NULL; + Key *public = NULL, *cert = NULL; + char *certpath = NULL, *comment = NULL; int ret = -1; public = key_load_public(filename, &comment); @@ -113,8 +114,33 @@ delete_file(AuthenticationConnection *ac, const char *filename) } else fprintf(stderr, "Could not remove identity: %s\n", filename); - key_free(public); - xfree(comment); + if (key_only) + goto out; + + /* Now try to delete the corresponding certificate too */ + free(comment); + comment = NULL; + xasprintf(&certpath, "%s-cert.pub", filename); + if ((cert = key_load_public(certpath, &comment)) == NULL) + goto out; + if (!key_equal_public(cert, public)) + fatal("Certificate %s does not match private key %s", + certpath, filename); + + if (ssh_remove_identity(ac, cert)) { + fprintf(stderr, "Identity removed: %s (%s)\n", certpath, + comment); + ret = 0; + } else + fprintf(stderr, "Could not remove identity: %s\n", certpath); + + out: + if (cert != NULL) + key_free(cert); + if (public != NULL) + key_free(public); + free(certpath); + free(comment); return ret; } 
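Review bot: In the new certificate branch of delete_file, `ret = 0;` after a successful `ssh_remove_identity(ac, cert)` overwrites the -1 left by a failed removal of the key itself, so do_file reports success even though "Could not remove identity" was just printed for the private key. If the intent is "succeed only when everything requested was removed", set `ret = -1;` in the certificate failure branch and drop the `ret = 0;` from its success branch; if the intent is "succeed when anything was removed", a one-line comment above the certificate block stating that would stop the next reader from treating it as a bug. Separately, `fatal()` on a key/certificate mismatch terminates the whole ssh-add run mid-batch after the key identity has already been removed and reported, where an `fprintf(stderr, ...)` followed by `goto out` would let the remaining files be processed; if add_file handles the same mismatch with fatal() (not visible in this hunk), keeping the two consistent is defensible but worth a comment. The hunk starts inside delete_file's body; the NULL check on `public` after key_load_public lies outside it.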
@@ -190,7 +216,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) pass = read_passphrase(msg, RP_ALLOW_STDIN); if (strcmp(pass, "") == 0) { clear_pass(); - xfree(comment); + free(comment); buffer_free(&keyblob); return -1; } @@ -257,8 +283,8 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) fprintf(stderr, "The user must confirm each use of the key\n"); out: if (certpath != NULL) - xfree(certpath); - xfree(comment); + free(certpath); + free(comment); key_free(private); return ret; @@ -267,14 +293,17 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) static int update_card(AuthenticationConnection *ac, int add, const char *id) { - char *pin; + char *pin = NULL; int ret = -1; - pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN); - if (pin == NULL) - return -1; + if (add) { + if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", + RP_ALLOW_STDIN)) == NULL) + return -1; + } - if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) { + if (ssh_update_card(ac, add, id, pin == NULL ? "" : pin, + lifetime, confirm)) { fprintf(stderr, "Card %s: %s\n", add ? "added" : "removed", id); ret = 0; @@ -283,7 +312,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) add ? "add" : "remove", id); ret = -1; } - xfree(pin); + free(pin); return ret; } @@ -305,14 +334,14 @@ list_identities(AuthenticationConnection *ac, int do_fp) SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); - xfree(fp); + free(fp); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); } key_free(key); - xfree(comment); + free(comment); } } if (!had_identities) { @@ -338,7 +367,7 @@ lock_agent(AuthenticationConnection *ac, int lock) passok = 0; } memset(p2, 0, strlen(p2)); - xfree(p2); + free(p2); } if (passok && ssh_lock_agent(ac, lock, p1)) { fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un"); 
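Review bot: The PKCS#11 PIN obtained from `read_passphrase` in update_card is released with a bare `free(pin);`, unlike clear_pass and lock_agent in this same diff, which `memset` the passphrase to zero before freeing; the PIN is a credential and should be cleared the same way, e.g. `if (pin != NULL) memset(pin, 0, strlen(pin));` immediately before `free(pin);`. A plain memset right before free is a dead-store candidate that the compiler may elide, so if the tree has a non-elidable zeroing helper it belongs here and in the clear_pass/lock_agent paths too — that is a caveat on the existing pattern rather than something this commit introduces. Passing `""` as the PIN on the remove path is fine only if ssh_update_card tolerates an empty PIN for removal, which is not visible here.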
@@ -346,7 +375,7 @@ lock_agent(AuthenticationConnection *ac, int lock) } else fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un"); memset(p1, 0, strlen(p1)); - xfree(p1); + free(p1); return (ret); } @@ -354,7 +383,7 @@ static int do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) { if (deleting) { - if (delete_file(ac, file) == -1) + if (delete_file(ac, file, key_only) == -1) return -1; } else { if (add_file(ac, file, key_only) == -1) |