dropbear: gensignkey.c comparison

Use atomic key generation in all cases

comparison

equal deleted inserted replaced

-:253c08951b96
+:efad433418c4
 		default:
 			return 0;
 	}
 }
-int signkey_generate(enum signkey_type keytype, int bits, const char* filename)
+/* if skip_exist is set it will silently return if the key file exists */
+int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist)
 {
 	sign_key * key = NULL;
 	buffer *buf = NULL;
+	char *fn_temp = NULL;
 	int ret = DROPBEAR_FAILURE;
 	if (bits == 0)
 	{
 		bits = get_default_bits(keytype);
 	}
 	buf_put_priv_key(buf, key, keytype);
 	sign_key_free(key);
 	key = NULL;
 	buf_setpos(buf, 0);
-	ret = buf_writefile(buf, filename);
-	buf_burn(buf);
+	fn_temp = m_malloc(strlen(filename) + 30);
-	buf_free(buf);
+	snprintf(fn_temp, strlen(filename)+30, "%s.tmp%d", filename, getpid());
-	buf = NULL;
+	ret = buf_writefile(buf, fn_temp);
+	if (ret == DROPBEAR_FAILURE) {
+		goto out;
+	}
+	if (link(fn_temp, filename) < 0) {
+		/* If generating keys on connection (skipexist) it's OK to get EEXIST
+		- we probably just lost a race with another connection to generate the key */
+		if (!(skip_exist && errno == EEXIST)) {
+			dropbear_log(LOG_ERR, "Failed moving key file to %s: %s", filename,
+				strerror(errno));
+			/* XXX fallback to non-atomic copy for some filesystems? */
+			ret = DROPBEAR_FAILURE;
+			goto out;
+		}
+	}
+out:
+	if (buf) {
+		buf_burn(buf);
+		buf_free(buf);
+	}
+	if (fn_temp) {
+		unlink(fn_temp);
+		m_free(fn_temp);
+	}
 	return ret;
 }

Mercurial > dropbear