[Bug 2522] Key parser should reflect errors from OpenSSL

bugzilla-daemon at bugzilla.mindrot.org
Wed Jun 29 20:41:33 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2522

--- Comment #7 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2844
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2844&action=edit
Do not fallback to PEM parser, if only passphrase is wrong

Thank you for the details. Now I see. When the key in the new format has a
passphrase, it is not accepted.

There is an assumption that sshkey_load_private returns
SSH_ERR_KEY_WRONG_PASSPHRASE when the initial attempt without a
passphrase fails (which makes sense).

But parsing the key in sshkey_parse_private_fileblob_type goes
through a waterfall from parsing the OpenSSH format to parsing the PEM format.

The current implementation depends on the assumption that
sshkey_parse_private_pem_fileblob returns WRONG_PASSPHRASE for
everything that it does not know, which goes wrong with the above patch
applied (sorry that I missed that).

The proper solution would be to pass through the WRONG_PASSPHRASE return value
from sshkey_parse_private2, which indicates that the parser knows the
key type but the passphrase is wrong, and not let it fall through to
the PEM parser (which does not know the key format).

I ran the tests from the initial bug, from the last comments, and the
regress tests, and all tests passed.

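The parser waterfall described in the comment, as an added toy model that is not OpenSSH code: two constructed "key formats" with made-up magic strings (TOY-NEWFORMAT and TOY-PEM are assumptions for illustration, as are all function names here), a first parser that can distinguish "I do not recognise this blob" from "I recognise it but the passphrase is wrong", and a second, PEM-like parser that reports only whether it knows the format (the state after a PEM parser that reflects its own errors instead of answering WRONG_PASSPHRASE for everything). parse_fileblob_fallthrough shows the failure the comment reports, where a wrong passphrase on a new-format key is masked by the PEM parser's "unknown format" answer; parse_fileblob_fixed passes WRONG_PASSPHRASE through and only continues down the chain when the format was not recognised.

```c
/* Toy model of a private-key parser chain (added example; not OpenSSH's code). */
#include <stdio.h>
#include <string.h>

enum parse_result {
    PARSE_OK = 0,
    PARSE_WRONG_PASSPHRASE,   /* format recognised, passphrase rejected   */
    PARSE_INVALID_FORMAT      /* this parser does not know the format     */
};

/* Constructed sample blobs. The "TOY-" formats are an assumption for this
 * example and bear no relation to real OpenSSH or PEM key encodings. */
static const char *NEW_FORMAT_PLAIN = "TOY-NEWFORMAT;pass=;payload=abc";
static const char *NEW_FORMAT_ENC   = "TOY-NEWFORMAT;pass=hunter2;payload=abc";
static const char *PEM_BLOB         = "TOY-PEM;payload=xyz";
static const char *GARBAGE          = "not a key at all";

/* First parser in the chain: recognises its own magic, then checks the
 * passphrase. Only the magic check can yield PARSE_INVALID_FORMAT. */
static enum parse_result parse_new_format(const char *blob, const char *passphrase)
{
    const char *magic = "TOY-NEWFORMAT;pass=";
    size_t mlen = strlen(magic);
    if (strncmp(blob, magic, mlen) != 0)
        return PARSE_INVALID_FORMAT;

    const char *stored = blob + mlen;
    const char *end = strchr(stored, ';');
    size_t slen = end ? (size_t)(end - stored) : strlen(stored);

    /* Empty stored passphrase models an unencrypted key. */
    if (slen == 0)
        return PARSE_OK;
    if (passphrase == NULL || strlen(passphrase) != slen ||
        strncmp(passphrase, stored, slen) != 0)
        return PARSE_WRONG_PASSPHRASE;
    return PARSE_OK;
}

/* Second parser: a PEM-like fallback that reports its own errors honestly.
 * It never says WRONG_PASSPHRASE for a blob it does not understand. */
static enum parse_result parse_pem(const char *blob, const char *passphrase)
{
    (void)passphrase;
    return strncmp(blob, "TOY-PEM;", 8) == 0 ? PARSE_OK : PARSE_INVALID_FORMAT;
}

/* Waterfall as the comment describes it before the fix: any failure of the
 * first parser falls through, so a wrong passphrase is replaced by whatever
 * the PEM parser says about a blob it cannot read. */
enum parse_result parse_fileblob_fallthrough(const char *blob, const char *passphrase)
{
    enum parse_result r = parse_new_format(blob, passphrase);
    if (r == PARSE_OK)
        return r;
    return parse_pem(blob, passphrase);
}

/* Waterfall with the proposed fix: WRONG_PASSPHRASE from the first parser is
 * passed through to the caller; only "format not recognised" moves on to
 * the next parser in the chain. */
enum parse_result parse_fileblob_fixed(const char *blob, const char *passphrase)
{
    enum parse_result r = parse_new_format(blob, passphrase);
    if (r != PARSE_INVALID_FORMAT)
        return r;
    return parse_pem(blob, passphrase);
}

static const char *name(enum parse_result r)
{
    return r == PARSE_OK ? "OK" :
           r == PARSE_WRONG_PASSPHRASE ? "WRONG_PASSPHRASE" : "INVALID_FORMAT";
}

int main(void)
{
    /* Encrypted new-format key, no passphrase supplied: the caller needs
     * WRONG_PASSPHRASE so it knows to prompt, not INVALID_FORMAT. */
    printf("fallthrough: %s\n", name(parse_fileblob_fallthrough(NEW_FORMAT_ENC, NULL)));
    printf("fixed:       %s\n", name(parse_fileblob_fixed(NEW_FORMAT_ENC, NULL)));
    printf("fixed+pass:  %s\n", name(parse_fileblob_fixed(NEW_FORMAT_ENC, "hunter2")));
    printf("plain:       %s\n", name(parse_fileblob_fixed(NEW_FORMAT_PLAIN, NULL)));
    printf("pem:         %s\n", name(parse_fileblob_fixed(PEM_BLOB, NULL)));
    printf("garbage:     %s\n", name(parse_fileblob_fixed(GARBAGE, NULL)));
    return 0;
}
```

The point of the fixed version is that the decision to move to the next parser is keyed on a specific "not my format" result rather than on "anything other than success": a parser that has positively identified the format is the authority on why the load failed, and later parsers cannot add information about a blob they do not understand.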