Unix Pageant: -E option to load key files encrypted.

This applies to both server modes ('pageant -E key.ppk [lifetime]') and client mode ('pageant -a -E key.ppk'). I'm not completely confident that the CLI syntax is actually right yet, but for the moment, it's enough that it _exists_. Now I don't have to test the encrypted-key loading via manually mocked-up agent requests.
2025-06-30 19:12:48 -05:00 · 2020-02-08 17:28:46 +00:00
parent 8677ee00fb
commit 55005a08ea
4 changed files with 67 additions and 12 deletions
--- a/pageant.c
+++ b/pageant.c
@ -1604,7 +1604,7 @@ void *pageant_get_keylist2(int *length)
 }

 int pageant_add_keyfile(Filename *filename, const char *passphrase,
-                        char **retstr)
+                        char **retstr, bool add_encrypted)
 {
    RSAKey *rkey = NULL;
    ssh2_userkey *skey = NULL;
@ -1629,6 +1629,11 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,
        return PAGEANT_ACTION_FAILURE;
    }

+    if (add_encrypted && type == SSH_KEYTYPE_SSH1) {
+        *retstr = dupprintf("Can't add SSH-1 keys in encrypted form");
+        return PAGEANT_ACTION_FAILURE;
+    }
+
    /*
     * See if the key is already loaded (in the primary Pageant,
     * which may or may not be us).
@ -1747,6 +1752,38 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,
        strbuf_free(blob);
    }

+    if (add_encrypted) {
+        const char *load_error;
+        LoadedFile *lf = lf_load_keyfile(filename, &load_error);
+        if (!lf) {
+            *retstr = dupstr(load_error);
+            return PAGEANT_ACTION_FAILURE;
+        }
+
+        strbuf *request = strbuf_new_for_agent_query();
+        put_byte(request, SSH2_AGENTC_EXTENSION);
+        put_stringpl(request, PUTTYEXT("add-ppk"));
+        put_string(request, lf->data, lf->len);
+
+        lf_free(lf);
+
+        void *vresponse;
+        int resplen;
+        pageant_client_query(request, &vresponse, &resplen);
+        strbuf_free(request);
+
+        unsigned char *response = vresponse;
+        if (resplen < 5 || response[4] != SSH_AGENT_SUCCESS) {
+            *retstr = dupstr("The already running Pageant "
+                             "refused to add the key.");
+            sfree(response);
+            return PAGEANT_ACTION_FAILURE;
+        }
+
+        sfree(response);
+        return PAGEANT_ACTION_OK;
+    }
+
    error = NULL;
    if (type == SSH_KEYTYPE_SSH1)
        needs_pass = rsa1_encrypted_f(filename, &comment);