upstream: pull passphrase reading and confirmation into a separate
function so it can be used for FIDO2 PINs; no functional change OpenBSD-Commit-ID: bf34f76b8283cc1d3f54633e0d4f13613d87bb2f
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
eb679e2959
commit
5bcfc788b3
65
ssh-keygen.c
65
ssh-keygen.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-keygen.c,v 1.454 2022/06/03 03:17:42 dtucker Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.455 2022/07/20 03:13:04 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
|
@ -591,10 +591,13 @@ do_convert_private_ssh2(struct sshbuf *b)
|
|||
error_f("remaining bytes in key blob %d", rlen);
|
||||
|
||||
/* try the key */
|
||||
if (sshkey_sign(key, &sig, &slen, data, sizeof(data),
|
||||
NULL, NULL, NULL, 0) != 0 ||
|
||||
sshkey_verify(key, sig, slen, data, sizeof(data),
|
||||
NULL, 0, NULL) != 0) {
|
||||
if ((r = sshkey_sign(key, &sig, &slen, data, sizeof(data),
|
||||
NULL, NULL, NULL, 0)) != 0)
|
||||
error_fr(r, "signing with converted key failed");
|
||||
else if ((r = sshkey_verify(key, sig, slen, data, sizeof(data),
|
||||
NULL, 0, NULL)) != 0)
|
||||
error_fr(r, "verification with converted key failed");
|
||||
if (r != 0) {
|
||||
sshkey_free(key);
|
||||
free(sig);
|
||||
return NULL;
|
||||
|
|
@ -3026,37 +3029,43 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
|
|||
#endif /* WITH_OPENSSL */
|
||||
}
|
||||
|
||||
/* Read and confirm a passphrase */
|
||||
static char *
|
||||
private_key_passphrase(void)
|
||||
read_check_passphrase(const char *prompt1, const char *prompt2,
|
||||
const char *retry_prompt)
|
||||
{
|
||||
char *passphrase1, *passphrase2;
|
||||
|
||||
/* Ask for a passphrase (twice). */
|
||||
if (identity_passphrase)
|
||||
passphrase1 = xstrdup(identity_passphrase);
|
||||
else if (identity_new_passphrase)
|
||||
passphrase1 = xstrdup(identity_new_passphrase);
|
||||
else {
|
||||
passphrase_again:
|
||||
passphrase1 =
|
||||
read_passphrase("Enter passphrase (empty for no "
|
||||
"passphrase): ", RP_ALLOW_STDIN);
|
||||
passphrase2 = read_passphrase("Enter same passphrase again: ",
|
||||
RP_ALLOW_STDIN);
|
||||
if (strcmp(passphrase1, passphrase2) != 0) {
|
||||
/*
|
||||
* The passphrases do not match. Clear them and
|
||||
* retry.
|
||||
*/
|
||||
freezero(passphrase1, strlen(passphrase1));
|
||||
for (;;) {
|
||||
passphrase1 = read_passphrase(prompt1, RP_ALLOW_STDIN);
|
||||
passphrase2 = read_passphrase(prompt2, RP_ALLOW_STDIN);
|
||||
if (strcmp(passphrase1, passphrase2) == 0) {
|
||||
freezero(passphrase2, strlen(passphrase2));
|
||||
printf("Passphrases do not match. Try again.\n");
|
||||
goto passphrase_again;
|
||||
return passphrase1;
|
||||
}
|
||||
/* Clear the other copy of the passphrase. */
|
||||
/* The passphrases do not match. Clear them and retry. */
|
||||
freezero(passphrase1, strlen(passphrase1));
|
||||
freezero(passphrase2, strlen(passphrase2));
|
||||
fputs(retry_prompt, stdout);
|
||||
fputc('\n', stdout);
|
||||
fflush(stdout);
|
||||
}
|
||||
return passphrase1;
|
||||
/* NOTREACHED */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static char *
|
||||
private_key_passphrase(void)
|
||||
{
|
||||
if (identity_passphrase)
|
||||
return xstrdup(identity_passphrase);
|
||||
if (identity_new_passphrase)
|
||||
return xstrdup(identity_new_passphrase);
|
||||
|
||||
return read_check_passphrase(
|
||||
"Enter passphrase (empty for no passphrase): ",
|
||||
"Enter same passphrase again: ",
|
||||
"Passphrases do not match. Try again.");
|
||||
}
|
||||
|
||||
static char *
|
||||
|
|
|
|||
Loading…
Reference in New Issue