Add comments on OpenSSH AES-encrypted key support, including one

author Simon Tatham <anakin@pobox.com>

Mon, 12 Apr 2010 11:02:06 +0000 (11:02 +0000)

committer Simon Tatham <anakin@pobox.com>

Mon, 12 Apr 2010 11:02:06 +0000 (11:02 +0000)
author Simon Tatham <anakin@pobox.com>
Mon, 12 Apr 2010 11:02:06 +0000 (11:02 +0000)
committer Simon Tatham <anakin@pobox.com>
Mon, 12 Apr 2010 11:02:06 +0000 (11:02 +0000)
diff --git a/import.c b/import.c

index 17bf65b9a8d5eb70ea6eba7691d4a16fe67b0fd9..20a77e5fe1d46b6eda77426ebb3e021615af9a1e 100644 (file)
--- a/import.c
+++ b/import.c
@@ -529,6 +529,10 @@ struct ssh2_userkey *openssh_read(const Filename *filename, char *passphrase,
          *  - let block B equal MD5(A || passphrase || iv)
          *  - block C would be MD5(B || passphrase || iv) and so on
          *  - encryption key is the first N bytes of A || B
+        *
+        * (Note that only 8 bytes of the iv are used for key
+        * derivation, even when the key is encrypted with AES and
+        * hence there are 16 bytes available.)
          */
         struct MD5Context md5c;
         unsigned char keybuf[32];
@@ -872,6 +876,9 @@ int openssh_write(const Filename *filename, struct ssh2_userkey *key,
  
      /*
       * Encrypt the key.
+     *
+     * For the moment, we still encrypt our OpenSSH keys using
+     * old-style 3DES.
       */
      if (passphrase) {
         /*
author	Simon Tatham <anakin@pobox.com>
	Mon, 12 Apr 2010 11:02:06 +0000 (11:02 +0000)
committer	Simon Tatham <anakin@pobox.com>
	Mon, 12 Apr 2010 11:02:06 +0000 (11:02 +0000)