Keep rounds when changing passphrase and comment in private key file
This patch fixes the keygen-change regression test.
---
ssh-keygen.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 6dd17c48be5e..a848edc33b5d 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1425,6 +1425,7 @@ do_change_passphrase(struct passwd *pw)
char *old_passphrase, *passphrase1, *passphrase2;
struct stat st;
struct sshkey *private;
+ struct sshkey_vault *vault_info;
int r;
if (!have_identity)
@@ -1432,7 +1433,7 @@ do_change_passphrase(struct passwd *pw)
if (stat(identity_file, &st) == -1)
fatal("%s: %s", identity_file, strerror(errno));
/* Try to load the file with empty passphrase. */
- r = sshkey_load_private(identity_file, "", &private, &comment, NULL);
+ r = sshkey_load_private(identity_file, "", &private, &comment,
&vault_info);
if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) {
if (identity_passphrase)
old_passphrase = xstrdup(identity_passphrase);
@@ -1441,7 +1442,7 @@ do_change_passphrase(struct passwd *pw)
read_passphrase("Enter old passphrase: ",
RP_ALLOW_STDIN);
r = sshkey_load_private(identity_file, old_passphrase,
- &private, &comment, NULL);
+ &private, &comment, &vault_info);
freezero(old_passphrase, strlen(old_passphrase));
if (r != 0)
goto badkey;
@@ -1476,6 +1477,10 @@ do_change_passphrase(struct passwd *pw)
freezero(passphrase2, strlen(passphrase2));
}
+ if (vault_info != NULL && vault_info->kdfname != NULL &&
strcmp(vault_info->kdfname, "bcrypt") == 0 && rounds == 0) {
+ rounds = vault_info->rounds;
+ printf("Keeping existing rounds %d\n", rounds);
+ }
/* Save the file using the new passphrase. */
if ((r = sshkey_save_private(private, identity_file, passphrase1,
comment, private_key_format, openssh_format_cipher, rounds)) !=
0) {
@@ -1532,6 +1537,7 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
char new_comment[1024], *comment, *passphrase;
struct sshkey *private;
struct sshkey *public;
+ struct sshkey_vault *vault_info;
struct stat st;
FILE *f;
int r, fd;
@@ -1541,7 +1547,7 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
if (stat(identity_file, &st) == -1)
fatal("%s: %s", identity_file, strerror(errno));
if ((r = sshkey_load_private(identity_file, "",
- &private, &comment, NULL)) == 0)
+ &private, &comment, &vault_info)) == 0)
passphrase = xstrdup("");
else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
fatal("Cannot load private key \"%s\": %s.",
@@ -1556,7 +1562,7 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
RP_ALLOW_STDIN);
/* Try to load using the passphrase. */
if ((r = sshkey_load_private(identity_file, passphrase,
- &private, &comment, NULL)) != 0) {
+ &private, &comment, &vault_info)) != 0) {
freezero(passphrase, strlen(passphrase));
fatal("Cannot load private key \"%s\": %s.",
identity_file, ssh_err(r));
@@ -1596,6 +1602,10 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
exit(0);
}
+ if (vault_info != NULL && vault_info->kdfname != NULL &&
strcmp(vault_info->kdfname, "bcrypt") == 0 && rounds == 0) {
+ rounds = vault_info->rounds;
+ printf("Keeping existing rounds %d\n", rounds);
+ }
/* Save the file using the new passphrase. */
if ((r = sshkey_save_private(private, identity_file, passphrase,
new_comment, private_key_format, openssh_format_cipher,
--
2.17.1
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
