Pageant: allow adding encrypted key to cleartext.

The protocol already allowed adding an encrypted form to a cleartext key already held by the agent, and you might want to do so if, say, the key happened to originally be added in cleartext-only form but you want to be able to forget that with 'pageant -R' in future.
2025-01-09 09:27:59 +00:00 · 2021-04-05 15:07:09 +01:00 · 2021-04-05 15:07:09 +01:00 · 569fc2681c
commit 569fc2681c
parent 70a31df9f1
1 changed files with 21 additions and 7 deletions
--- a/pageant.c
+++ b/pageant.c
@ -1989,24 +1989,38 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,

            for (size_t i = 0; i < kl->nkeys; i++) {
                /*
-                 * If the key already exists in the agent, we're done
-                 * ... *unless* it's encrypted in the agent and we're
-                 * being asked to add it unencrypted, in which case we
-                 * still want to upload the unencrypted version to
-                 * cause the key to become decrypted.
+                 * If the key already exists in the agent, we're done,
+                 * except in the following special cases:
                 *
+                 * It's encrypted in the agent, and we're being asked
+                 * to add it unencrypted, in which case we still want
+                 * to upload the unencrypted version to cause the key
+                 * to become decrypted.
                 * (Rationale: if you know in advance you're going to
                 * want it, and don't want to be interrupted at an
                 * unpredictable moment to be asked for the
                 * passphrase.)
+                 *
+                 * The agent only has cleartext, and we're being asked
+                 * to add it encrypted, in which case we'll add the
+                 * encrypted form.
+                 * (Rationale: if you might want to re-encrypt the key
+                 * at some future point, but it happened to have been
+                 * initially added in cleartext, perhaps by something
+                 * other than Pageant.)
                 */
                if (ptrlen_eq_ptrlen(ptrlen_from_strbuf(blob),
                                     kl->keys[i].blob)) {
                    bool have_unencrypted =
                        !(kl->keys[i].flags &
                          LIST_EXTENDED_FLAG_HAS_NO_CLEARTEXT_KEY);
-                    if (have_unencrypted || add_encrypted) {
-                        /* Key is already present; we can now leave. */
+                    bool have_encrypted =
+                        (kl->keys[i].flags &
+                         LIST_EXTENDED_FLAG_HAS_ENCRYPTED_KEY_FILE);
+                    if ((have_unencrypted && !add_encrypted)
+                        || (have_encrypted && add_encrypted)) {
+                        /* Key is already present in the desired form;
+                         * we can now leave. */
                        keylist_free(kl);
                        strbuf_free(blob);
                        return PAGEANT_ACTION_OK;