[PATCH 3/3] Keep rounds when changing passphrase and comment in private key file

Loïc loic at venez.fr
Sat Apr 25 11:01:14 AEST 2020


 Keep rounds when changing passphrase and comment in private key file

This patch fixes the keygen-change regression test.


---
 ssh-keygen.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 6dd17c48be5e..a848edc33b5d 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1425,6 +1425,7 @@ do_change_passphrase(struct passwd *pw)
     char *old_passphrase, *passphrase1, *passphrase2;
     struct stat st;
     struct sshkey *private;
+    struct sshkey_vault *vault_info;
     int r;
 
     if (!have_identity)
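Review bot: `vault_info` is declared without an initializer, yet the new code later tests `vault_info != NULL` (around line 1477 in the new numbering); that read is only defined if every return path of `sshkey_load_private()` stores through the out-parameter, which the hunk does not show — the first load attempt with the empty passphrase is expected to fail with `SSH_ERR_KEY_WRONG_PASSPHRASE`, so the failure path matters here. Initialize defensively: `struct sshkey_vault *vault_info = NULL;`. The same applies to the declaration added in `do_change_comment()` (the hunk at `@@ -1532,6 +1537,7 @@`). Ownership of `*vault_info` (and of `vault_info->kdfname`) is also not visible in these hunks: if the loader allocates it, nothing in the patch frees it, and a second successful load would overwrite the first pointer — presumably tolerable because both callers exit shortly after, but worth a comment such as `/* owned by sshkey_load_private(); freed at process exit */` if that is the intent. `do_change_passphrase()` begins and ends outside this hunk.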
@@ -1432,7 +1433,7 @@ do_change_passphrase(struct passwd *pw)
     if (stat(identity_file, &st) == -1)
         fatal("%s: %s", identity_file, strerror(errno));
     /* Try to load the file with empty passphrase. */
-    r = sshkey_load_private(identity_file, "", &private, &comment, NULL);
+    r = sshkey_load_private(identity_file, "", &private, &comment,
&vault_info);
     if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) {
         if (identity_passphrase)
             old_passphrase = xstrdup(identity_passphrase);
@@ -1441,7 +1442,7 @@ do_change_passphrase(struct passwd *pw)
                 read_passphrase("Enter old passphrase: ",
                 RP_ALLOW_STDIN);
         r = sshkey_load_private(identity_file, old_passphrase,
-            &private, &comment, NULL);
+            &private, &comment, &vault_info);
         freezero(old_passphrase, strlen(old_passphrase));
         if (r != 0)
             goto badkey;
@@ -1476,6 +1477,10 @@ do_change_passphrase(struct passwd *pw)
         freezero(passphrase2, strlen(passphrase2));
     }
 
+    if (vault_info != NULL && vault_info->kdfname != NULL &&
strcmp(vault_info->kdfname, "bcrypt") == 0 && rounds == 0) {
+        rounds = vault_info->rounds;
+        printf("Keeping existing rounds %d\n", rounds);
+    }
     /* Save the file using the new passphrase. */
     if ((r = sshkey_save_private(private, identity_file, passphrase1,
         comment, private_key_format, openssh_format_cipher, rounds)) !=
0) {
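Review bot: The four-line "keep existing bcrypt rounds" block is added verbatim here and again in `do_change_comment()` (the hunk at `@@ -1596,6 +1602,10 @@`); a small `static` helper would keep the two call sites in step and give the rule one place to be documented, so each site becomes `rounds = preserve_rounds(vault_info, rounds);`. Note also that the rule inherits whatever the file already records, including a value below `DEFAULT_ROUNDS`, so a key that was once written with deliberately weak KDF settings keeps them on every passphrase or comment change; if that is intended, say so in the helper's comment rather than leaving the reader to infer it. `%d` assumes `vault_info->rounds` is an `int`, which the hunk does not show — confirm against the struct definition. `do_change_passphrase()` continues outside the hunk.
```c
/*
 * Reuse the bcrypt rounds recorded in the existing key file when the user
 * did not give -a. Non-bcrypt files and an explicit -a leave 'requested'
 * untouched. Deliberately inherits a low rounds count as well.
 */
static int
preserve_rounds(const struct sshkey_vault *vault_info, int requested)
{
    if (requested != 0 || vault_info == NULL ||
        vault_info->kdfname == NULL ||
        strcmp(vault_info->kdfname, "bcrypt") != 0)
        return requested;
    printf("Keeping existing rounds %d\n", vault_info->rounds);
    return vault_info->rounds;
}
```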
@@ -1532,6 +1537,7 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
     char new_comment[1024], *comment, *passphrase;
     struct sshkey *private;
     struct sshkey *public;
+    struct sshkey_vault *vault_info;
     struct stat st;
     FILE *f;
     int r, fd;
@@ -1541,7 +1547,7 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
     if (stat(identity_file, &st) == -1)
         fatal("%s: %s", identity_file, strerror(errno));
     if ((r = sshkey_load_private(identity_file, "",
-        &private, &comment, NULL)) == 0)
+        &private, &comment, &vault_info)) == 0)
         passphrase = xstrdup("");
     else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
         fatal("Cannot load private key \"%s\": %s.",
@@ -1556,7 +1562,7 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
                 RP_ALLOW_STDIN);
         /* Try to load using the passphrase. */
         if ((r = sshkey_load_private(identity_file, passphrase,
-            &private, &comment, NULL)) != 0) {
+            &private, &comment, &vault_info)) != 0) {
             freezero(passphrase, strlen(passphrase));
             fatal("Cannot load private key \"%s\": %s.",
                 identity_file, ssh_err(r));
@@ -1596,6 +1602,10 @@ do_change_comment(struct passwd *pw, const char
*identity_comment)
         exit(0);
     }
 
+    if (vault_info != NULL && vault_info->kdfname != NULL &&
strcmp(vault_info->kdfname, "bcrypt") == 0 && rounds == 0) {
+        rounds = vault_info->rounds;
+        printf("Keeping existing rounds %d\n", rounds);
+    }
     /* Save the file using the new passphrase. */
     if ((r = sshkey_save_private(private, identity_file, passphrase,
         new_comment, private_key_format, openssh_format_cipher,
-- 
2.17.1



