projects / u / mdw / putty / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add import of ssh.com private keys.
[u/mdw/putty] / import.c
CommitLineData
9dda6459 1/*
2 * Code for PuTTY to import and export private key files in other
3 * SSH clients' formats.
4 */
5
6#include <stdio.h>
7#include <stdlib.h>
8#include <assert.h>
9#include <ctype.h>
10
11#include "ssh.h"
12#include "misc.h"
13
14#define PUT_32BIT(cp, value) do { \
15 (cp)[3] = (value); \
16 (cp)[2] = (value) >> 8; \
17 (cp)[1] = (value) >> 16; \
18 (cp)[0] = (value) >> 24; } while (0)
19
20#define GET_32BIT(cp) \
21 (((unsigned long)(unsigned char)(cp)[0] << 24) | \
22 ((unsigned long)(unsigned char)(cp)[1] << 16) | \
23 ((unsigned long)(unsigned char)(cp)[2] << 8) | \
24 ((unsigned long)(unsigned char)(cp)[3]))
25
26int openssh_encrypted(char *filename);
27struct ssh2_userkey *openssh_read(char *filename, char *passphrase);
28
7b4ef1ae 29int sshcom_encrypted(char *filename, char **comment);
30struct ssh2_userkey *sshcom_read(char *filename, char *passphrase);
31
9dda6459 32/*
33 * Given a key type, determine whether we know how to import it.
34 */
35int import_possible(int type)
36{
37 if (type == SSH_KEYTYPE_OPENSSH)
38 return 1;
7b4ef1ae 39 if (type == SSH_KEYTYPE_SSHCOM)
40 return 1;
9dda6459 41 return 0;
42}
43
44/*
45 * Given a key type, determine what native key type
46 * (SSH_KEYTYPE_SSH1 or SSH_KEYTYPE_SSH2) it will come out as once
47 * we've imported it.
48 */
49int import_target_type(int type)
50{
51 /*
52 * There are no known foreign SSH1 key formats.
53 */
54 return SSH_KEYTYPE_SSH2;
55}
56
57/*
58 * Determine whether a foreign key is encrypted.
59 */
60int import_encrypted(char *filename, int type, char **comment)
61{
62 if (type == SSH_KEYTYPE_OPENSSH) {
63 *comment = filename; /* OpenSSH doesn't do key comments */
64 return openssh_encrypted(filename);
65 }
7b4ef1ae 66 if (type == SSH_KEYTYPE_SSHCOM) {
67 return sshcom_encrypted(filename, comment);
68 }
9dda6459 69 return 0;
70}
71
72/*
73 * Import an SSH1 key.
74 */
75int import_ssh1(char *filename, int type, struct RSAKey *key, char *passphrase)
76{
77 return 0;
78}
79
80/*
81 * Import an SSH2 key.
82 */
83struct ssh2_userkey *import_ssh2(char *filename, int type, char *passphrase)
84{
85 if (type == SSH_KEYTYPE_OPENSSH)
86 return openssh_read(filename, passphrase);
7b4ef1ae 87 if (type == SSH_KEYTYPE_SSHCOM)
88 return sshcom_read(filename, passphrase);
9dda6459 89 return NULL;
90}
91
92/* ----------------------------------------------------------------------
93 * Helper routines. (The base64 ones are defined in sshpubk.c.)
94 */
95
96#define isbase64(c) ( ((c) >= 'A' && (c) <= 'Z') || \
97 ((c) >= 'a' && (c) <= 'z') || \
98 ((c) >= '0' && (c) <= '9') || \
99 (c) == '+' || (c) == '/' || (c) == '=' \
100 )
101
102extern int base64_decode_atom(char *atom, unsigned char *out);
103extern int base64_lines(int datalen);
104extern void base64_encode_atom(unsigned char *data, int n, char *out);
105extern void base64_encode(FILE * fp, unsigned char *data, int datalen);
106
107/*
108 * Read an ASN.1/BER identifier and length pair.
109 *
110 * Flags are a combination of the #defines listed below.
111 *
112 * Returns -1 if unsuccessful; otherwise returns the number of
113 * bytes used out of the source data.
114 */
115
116/* ASN.1 tag classes. */
117#define ASN1_CLASS_UNIVERSAL (0 << 6)
118#define ASN1_CLASS_APPLICATION (1 << 6)
119#define ASN1_CLASS_CONTEXT_SPECIFIC (2 << 6)
120#define ASN1_CLASS_PRIVATE (3 << 6)
121#define ASN1_CLASS_MASK (3 << 6)
122
123/* Primitive versus constructed bit. */
124#define ASN1_CONSTRUCTED (1 << 5)
125
126int ber_read_id_len(void *source, int sourcelen,
127 int *id, int *length, int *flags)
128{
129 unsigned char *p = (unsigned char *) source;
130
131 if (sourcelen == 0)
132 return -1;
133
134 *flags = (*p & 0xE0);
135 if ((*p & 0x1F) == 0x1F) {
136 *id = 0;
137 while (*p & 0x80) {
138 *id = (*id << 7) | (*p & 0x7F);
139 p++, sourcelen--;
140 if (sourcelen == 0)
141 return -1;
142 }
143 *id = (*id << 7) | (*p & 0x7F);
144 p++, sourcelen--;
145 } else {
146 *id = *p & 0x1F;
147 p++, sourcelen--;
148 }
149
150 if (sourcelen == 0)
151 return -1;
152
153 if (*p & 0x80) {
154 int n = *p & 0x7F;
155 p++, sourcelen--;
156 if (sourcelen < n)
157 return -1;
158 *length = 0;
159 while (n--)
160 *length = (*length << 8) | (*p++);
161 sourcelen -= n;
162 } else {
163 *length = *p;
164 p++, sourcelen--;
165 }
166
167 return p - (unsigned char *) source;
168}
169
7b4ef1ae 170static int put_string(void *target, void *data, int len)
171{
172 unsigned char *d = (unsigned char *)target;
173
174 PUT_32BIT(d, len);
175 memcpy(d+4, data, len);
176 return len+4;
177}
178
179static int put_mp(void *target, void *data, int len)
180{
181 unsigned char *d = (unsigned char *)target;
182 unsigned char *i = (unsigned char *)data;
183
184 if (*i & 0x80) {
185 PUT_32BIT(d, len+1);
186 d[4] = 0;
187 memcpy(d+5, data, len);
188 return len+5;
189 } else {
190 PUT_32BIT(d, len);
191 memcpy(d+4, data, len);
192 return len+4;
193 }
194}
195
9dda6459 196/* ----------------------------------------------------------------------
197 * Code to read OpenSSH private keys.
198 */
199
200enum { OSSH_DSA, OSSH_RSA };
201struct openssh_key {
202 int type;
203 int encrypted;
204 char iv[32];
205 unsigned char *keyblob;
206 int keyblob_len, keyblob_size;
207};
208
209struct openssh_key *load_openssh_key(char *filename)
210{
211 struct openssh_key *ret;
212 FILE *fp;
213 char buffer[256];
214 char *errmsg, *p;
215 int headers_done;
216
217 ret = smalloc(sizeof(*ret));
218 ret->keyblob = NULL;
219 ret->keyblob_len = ret->keyblob_size = 0;
220 ret->encrypted = 0;
221 memset(ret->iv, 0, sizeof(ret->iv));
222
223 fp = fopen(filename, "r");
224 if (!fp) {
225 errmsg = "Unable to open key file";
226 goto error;
227 }
228 if (!fgets(buffer, sizeof(buffer), fp) ||
229 0 != strncmp(buffer, "-----BEGIN ", 11) ||
230 0 != strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n")) {
231 errmsg = "File does not begin with OpenSSH key header";
232 goto error;
233 }
234 if (!strcmp(buffer, "-----BEGIN RSA PRIVATE KEY-----\n"))
235 ret->type = OSSH_RSA;
236 else if (!strcmp(buffer, "-----BEGIN DSA PRIVATE KEY-----\n"))
237 ret->type = OSSH_DSA;
238 else {
239 errmsg = "Unrecognised key type";
240 goto error;
241 }
242
243 headers_done = 0;
244 while (1) {
245 if (!fgets(buffer, sizeof(buffer), fp)) {
246 errmsg = "Unexpected end of file";
247 goto error;
248 }
249 if (0 == strncmp(buffer, "-----END ", 9) &&
250 0 == strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n"))
251 break; /* done */
252 if ((p = strchr(buffer, ':')) != NULL) {
253 if (headers_done) {
254 errmsg = "Header found in body of key data";
255 goto error;
256 }
257 *p++ = '\0';
258 while (*p && isspace((unsigned char)*p)) p++;
259 if (!strcmp(buffer, "Proc-Type")) {
260 if (p[0] != '4' || p[1] != ',') {
261 errmsg = "Proc-Type is not 4 (only 4 is supported)";
262 goto error;
263 }
264 p += 2;
265 if (!strcmp(p, "ENCRYPTED\n"))
266 ret->encrypted = 1;
267 } else if (!strcmp(buffer, "DEK-Info")) {
268 int i, j;
269
270 if (strncmp(p, "DES-EDE3-CBC,", 13)) {
271 errmsg = "Ciphers other than DES-EDE3-CBC not supported";
272 goto error;
273 }
274 p += 13;
275 for (i = 0; i < 8; i++) {
276 if (1 != sscanf(p, "%2x", &j))
277 break;
278 ret->iv[i] = j;
279 p += 2;
280 }
281 if (i < 8) {
282 errmsg = "Expected 16-digit iv in DEK-Info";
283 goto error;
284 }
285 }
286 } else {
287 headers_done = 1;
288
289 p = buffer;
290 while (isbase64(p[0]) && isbase64(p[1]) &&
291 isbase64(p[2]) && isbase64(p[3])) {
292 int len;
293 unsigned char out[3];
294
295 len = base64_decode_atom(p, out);
296
297 if (len <= 0) {
298 errmsg = "Invalid base64 encoding";
299 goto error;
300 }
301
302 if (ret->keyblob_len + len > ret->keyblob_size) {
303 ret->keyblob_size = ret->keyblob_len + len + 256;
304 ret->keyblob = srealloc(ret->keyblob, ret->keyblob_size);
305 }
306
307 memcpy(ret->keyblob + ret->keyblob_len, out, len);
308 ret->keyblob_len += len;
309
310 p += 4;
311 }
312
313 if (isbase64(*p)) {
314 errmsg = "base64 characters left at end of line";
315 goto error;
316 }
317 }
318 }
319
320 if (ret->keyblob_len == 0 || !ret->keyblob) {
321 errmsg = "Key body not present";
322 goto error;
323 }
324
325 if (ret->encrypted && ret->keyblob_len % 8 != 0) {
326 errmsg = "Encrypted key blob is not a multiple of cipher block size";
327 goto error;
328 }
329
330 return ret;
331
332 error:
333 if (ret) {
334 if (ret->keyblob) sfree(ret->keyblob);
335 sfree(ret);
336 }
337 return NULL;
338}
339
340int openssh_encrypted(char *filename)
341{
342 struct openssh_key *key = load_openssh_key(filename);
343 int ret;
344
345 if (!key)
346 return 0;
347 ret = key->encrypted;
348 sfree(key->keyblob);
349 sfree(key);
350 return ret;
351}
352
353struct ssh2_userkey *openssh_read(char *filename, char *passphrase)
354{
355 struct openssh_key *key = load_openssh_key(filename);
356 struct ssh2_userkey *retkey;
357 unsigned char *p;
358 int ret, id, len, flags;
359 int i, num_integers;
360 struct ssh2_userkey *retval = NULL;
361 char *errmsg;
362 unsigned char *blob;
363 int blobptr, privptr;
364 char *modptr;
365 int modlen;
366
367 if (!key)
368 return NULL;
369
370 if (key->encrypted) {
371 /*
372 * Derive encryption key from passphrase and iv/salt:
373 *
374 * - let block A equal MD5(passphrase || iv)
375 * - let block B equal MD5(A || passphrase || iv)
376 * - block C would be MD5(B || passphrase || iv) and so on
377 * - encryption key is the first N bytes of A || B
378 */
379 struct MD5Context md5c;
380 unsigned char keybuf[32];
381
382 MD5Init(&md5c);
383 MD5Update(&md5c, passphrase, strlen(passphrase));
384 MD5Update(&md5c, key->iv, 8);
385 MD5Final(keybuf, &md5c);
386
387 MD5Init(&md5c);
388 MD5Update(&md5c, keybuf, 16);
389 MD5Update(&md5c, passphrase, strlen(passphrase));
390 MD5Update(&md5c, key->iv, 8);
391 MD5Final(keybuf+16, &md5c);
392
393 /*
394 * Now decrypt the key blob.
395 */
396 des3_decrypt_pubkey_ossh(keybuf, key->iv,
397 key->keyblob, key->keyblob_len);
398 }
399
400 /*
401 * Now we have a decrypted key blob, which contains an ASN.1
402 * encoded private key. We must now untangle the ASN.1.
403 *
404 * We expect the whole key blob to be formatted as a SEQUENCE
405 * (0x30 followed by a length code indicating that the rest of
406 * the blob is part of the sequence). Within that SEQUENCE we
407 * expect to see a bunch of INTEGERs. What those integers mean
408 * depends on the key type:
409 *
410 * - For RSA, we expect the integers to be 0, n, e, d, p, q,
411 * dmp1, dmq1, iqmp in that order. (The last three are d mod
412 * (p-1), d mod (q-1), inverse of q mod p respectively.)
413 *
414 * - For DSA, we expect them to be 0, p, q, g, y, x in that
415 * order.
416 */
417
418 p = key->keyblob;
419
420 /* Expect the SEQUENCE header. Take its absence as a failure to decrypt. */
421 ret = ber_read_id_len(p, key->keyblob_len, &id, &len, &flags);
422 p += ret;
423 if (ret < 0 || id != 16) {
424 errmsg = "ASN.1 decoding failure";
425 retval = SSH2_WRONG_PASSPHRASE;
426 goto error;
427 }
428
429 /* Expect a load of INTEGERs. */
430 if (key->type == OSSH_RSA)
431 num_integers = 9;
432 else if (key->type == OSSH_DSA)
433 num_integers = 6;
434
435 /*
436 * Space to create key blob in.
437 */
438 blob = smalloc(256+key->keyblob_len);
439 PUT_32BIT(blob, 7);
440 if (key->type == OSSH_DSA)
441 memcpy(blob+4, "ssh-dss", 7);
442 else if (key->type == OSSH_RSA)
443 memcpy(blob+4, "ssh-rsa", 7);
444 blobptr = 4+7;
445 privptr = -1;
446
447 for (i = 0; i < num_integers; i++) {
448 ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p,
449 &id, &len, &flags);
450 p += ret;
451 if (ret < 0 || id != 2 ||
452 key->keyblob+key->keyblob_len-p < len) {
453 errmsg = "ASN.1 decoding failure";
454 goto error;
455 }
456
457 if (i == 0) {
458 /*
459 * The first integer should be zero always (I think
460 * this is some sort of version indication).
461 */
462 if (len != 1 || p[0] != 0) {
463 errmsg = "Version number mismatch";
464 goto error;
465 }
466 } else if (key->type == OSSH_RSA) {
467 /*
468 * Integers 1 and 2 go into the public blob but in the
469 * opposite order; integers 3, 4, 5 and 8 go into the
470 * private blob. The other two (6 and 7) are ignored.
471 */
472 if (i == 1) {
473 /* Save the details for after we deal with number 2. */
474 modptr = p;
475 modlen = len;
476 } else if (i != 6 && i != 7) {
477 PUT_32BIT(blob+blobptr, len);
478 memcpy(blob+blobptr+4, p, len);
479 blobptr += 4+len;
480 if (i == 2) {
481 PUT_32BIT(blob+blobptr, modlen);
482 memcpy(blob+blobptr+4, modptr, modlen);
483 blobptr += 4+modlen;
484 privptr = blobptr;
485 }
486 }
487 } else if (key->type == OSSH_DSA) {
488 /*
489 * Integers 1-4 go into the public blob; integer 5 goes
490 * into the private blob.
491 */
492 PUT_32BIT(blob+blobptr, len);
493 memcpy(blob+blobptr+4, p, len);
494 blobptr += 4+len;
495 if (i == 4)
496 privptr = blobptr;
497 }
498
499 /* Skip past the number. */
500 p += len;
501 }
502
503 /*
504 * Now put together the actual key. Simplest way to do this is
505 * to assemble our own key blobs and feed them to the createkey
506 * functions; this is a bit faffy but it does mean we get all
507 * the sanity checks for free.
508 */
509 assert(privptr > 0); /* should have bombed by now if not */
510 retkey = smalloc(sizeof(struct ssh2_userkey));
511 retkey->alg = (key->type == OSSH_RSA ? &ssh_rsa : &ssh_dss);
512 retkey->data = retkey->alg->createkey(blob, privptr,
513 blob+privptr, blobptr-privptr);
514 if (!retkey->data) {
515 sfree(retkey);
516 errmsg = "unable to create key data structure";
517 goto error;
518 }
519
520 retkey->comment = dupstr("imported-openssh-key");
521 if (blob) sfree(blob);
522 sfree(key->keyblob);
523 sfree(key);
524 return retkey;
525
526 error:
527 if (blob) sfree(blob);
528 sfree(key->keyblob);
529 sfree(key);
530 return retval;
531}
7b4ef1ae 532
533/* ----------------------------------------------------------------------
534 * Code to read ssh.com private keys.
535 */
536
537/*
538 * The format of the base64 blob is largely ssh2-packet-formatted,
539 * except that mpints are a bit different: they're more like the
540 * old ssh1 mpint. You have a 32-bit bit count N, followed by
541 * (N+7)/8 bytes of data.
542 *
543 * So. The blob contains:
544 *
545 * - uint32 0x3f6ff9eb (magic number)
546 * - uint32 size (total blob size)
547 * - string key-type (see below)
548 * - string cipher-type (tells you if key is encrypted)
549 * - string encrypted-blob
550 *
551 * (The first size field includes the size field itself and the
552 * magic number before it. All other size fields are ordinary ssh2
553 * strings, so the size field indicates how much data is to
554 * _follow_.)
555 *
556 * The encrypted blob, once decrypted, contains a single string
557 * which in turn contains the payload. (This allows padding to be
558 * added after that string while still making it clear where the
559 * real payload ends. Also it probably makes for a reasonable
560 * decryption check.)
561 *
562 * The payload blob, for an RSA key, contains:
563 * - mpint e
564 * - mpint d
565 * - mpint n (yes, the public and private stuff is intermixed)
566 * - mpint u (presumably inverse of p mod q)
567 * - mpint p (p is the smaller prime)
568 * - mpint q (q is the larger)
569 *
570 * For a DSA key, the payload blob contains:
571 * - uint32 0
572 * - mpint p
573 * - mpint g
574 * - mpint q
575 * - mpint y
576 * - mpint x
577 *
578 * Alternatively, if the parameters are `predefined', that
579 * (0,p,g,q) sequence can be replaced by a uint32 1 and a string
580 * containing some predefined parameter specification. *shudder*,
581 * but I doubt we'll encounter this in real life.
582 *
583 * The key type strings are ghastly. The RSA key I looked at had a
584 * type string of
585 *
586 * `if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}'
587 *
588 * and the DSA key wasn't much better:
589 *
590 * `dl-modp{sign{dsa-nist-sha1},dh{plain}}'
591 *
592 * It isn't clear that these will always be the same. I think it
593 * might be wise just to look at the `if-modn{sign{rsa' and
594 * `dl-modp{sign{dsa' prefixes.
595 *
596 * Finally, the encryption. The cipher-type string appears to be
597 * either `none' or `3des-cbc'. Looks as if this is SSH2-style
598 * 3des-cbc (i.e. outer cbc rather than inner). The key is created
599 * from the passphrase by means of yet another hashing faff:
600 *
601 * - first 16 bytes are MD5(passphrase)
602 * - next 16 bytes are MD5(passphrase || first 16 bytes)
603 * - if there were more, they'd be MD5(passphrase || first 32),
604 * and so on.
605 */
606
607struct sshcom_key {
608 char comment[256]; /* allowing any length is overkill */
609 unsigned char *keyblob;
610 int keyblob_len, keyblob_size;
611};
612
613struct sshcom_key *load_sshcom_key(char *filename)
614{
615 struct sshcom_key *ret;
616 FILE *fp;
617 char buffer[256];
618 int len;
619 char *errmsg, *p;
620 int headers_done;
621 char base64_bit[4];
622 int base64_chars = 0;
623
624 ret = smalloc(sizeof(*ret));
625 ret->comment[0] = '\0';
626 ret->keyblob = NULL;
627 ret->keyblob_len = ret->keyblob_size = 0;
628
629 fp = fopen(filename, "r");
630 if (!fp) {
631 errmsg = "Unable to open key file";
632 goto error;
633 }
634 if (!fgets(buffer, sizeof(buffer), fp) ||
635 0 != strcmp(buffer, "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n")) {
636 errmsg = "File does not begin with ssh.com key header";
637 goto error;
638 }
639
640 headers_done = 0;
641 while (1) {
642 if (!fgets(buffer, sizeof(buffer), fp)) {
643 errmsg = "Unexpected end of file";
644 goto error;
645 }
646 if (!strcmp(buffer, "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n"))
647 break; /* done */
648 if ((p = strchr(buffer, ':')) != NULL) {
649 if (headers_done) {
650 errmsg = "Header found in body of key data";
651 goto error;
652 }
653 *p++ = '\0';
654 while (*p && isspace((unsigned char)*p)) p++;
655 /*
656 * Header lines can end in a trailing backslash for
657 * continuation.
658 */
659 while ((len = strlen(p)) > sizeof(buffer) - (p-buffer) -1 ||
660 p[len-1] != '\n' || p[len-2] == '\\') {
661 if (len > (p-buffer) + sizeof(buffer)-2) {
662 errmsg = "Header line too long to deal with";
663 goto error;
664 }
665 if (!fgets(p+len-2, sizeof(buffer)-(p-buffer)-(len-2), fp)) {
666 errmsg = "Unexpected end of file";
667 goto error;
668 }
669 }
670 p[strcspn(p, "\n")] = '\0';
671 if (!strcmp(buffer, "Comment")) {
672 /* Strip quotes in comment if present. */
673 if (p[0] == '"' && p[strlen(p)-1] == '"') {
674 p++;
675 p[strlen(p)-1] = '\0';
676 }
677 strncpy(ret->comment, p, sizeof(ret->comment));
678 ret->comment[sizeof(ret->comment)-1] = '\0';
679 }
680 } else {
681 headers_done = 1;
682
683 p = buffer;
684 while (isbase64(*p)) {
685 base64_bit[base64_chars++] = *p;
686 if (base64_chars == 4) {
687 unsigned char out[3];
688
689 base64_chars = 0;
690
691 len = base64_decode_atom(base64_bit, out);
692
693 if (len <= 0) {
694 errmsg = "Invalid base64 encoding";
695 goto error;
696 }
697
698 if (ret->keyblob_len + len > ret->keyblob_size) {
699 ret->keyblob_size = ret->keyblob_len + len + 256;
700 ret->keyblob = srealloc(ret->keyblob, ret->keyblob_size);
701 }
702
703 memcpy(ret->keyblob + ret->keyblob_len, out, len);
704 ret->keyblob_len += len;
705 }
706
707 p++;
708 }
709 }
710 }
711
712 if (ret->keyblob_len == 0 || !ret->keyblob) {
713 errmsg = "Key body not present";
714 goto error;
715 }
716
717 return ret;
718
719 error:
720 if (ret) {
721 if (ret->keyblob) sfree(ret->keyblob);
722 sfree(ret);
723 }
724 return NULL;
725}
726
727int sshcom_encrypted(char *filename, char **comment)
728{
729 struct sshcom_key *key = load_sshcom_key(filename);
730 int pos, len, answer;
731
732 *comment = NULL;
733 if (!key)
734 return 0;
735
736 /*
737 * Check magic number.
738 */
739 if (GET_32BIT(key->keyblob) != 0x3f6ff9eb)
740 return 0; /* key is invalid */
741
742 /*
743 * Find the cipher-type string.
744 */
745 answer = 0;
746 pos = 8;
747 if (key->keyblob_len < pos+4)
748 goto done; /* key is far too short */
749 pos += 4 + GET_32BIT(key->keyblob + pos); /* skip key type */
750 if (key->keyblob_len < pos+4)
751 goto done; /* key is far too short */
752 len = GET_32BIT(key->keyblob + pos); /* find cipher-type length */
753 if (key->keyblob_len < pos+4+len)
754 goto done; /* cipher type string is incomplete */
755 if (len != 4 || 0 != memcmp(key->keyblob + pos + 4, "none", 4))
756 answer = 1;
757
758 done:
759 *comment = dupstr(key->comment);
760 sfree(key->keyblob);
761 sfree(key);
762 return answer;
763}
764
765struct mpint_pos { void *start; int bytes; };
766
767int sshcom_read_mpint(void *data, int len, struct mpint_pos *ret)
768{
769 int bits;
770 int bytes;
771 unsigned char *d = (unsigned char *) data;
772
773 if (len < 4)
774 goto error;
775 bits = GET_32BIT(d);
776
777 bytes = (bits + 7) / 8;
778 if (len < 4+bytes)
779 goto error;
780
781 ret->start = d + 4;
782 ret->bytes = bytes;
783 return bytes+4;
784
785 error:
786 ret->start = NULL;
787 ret->bytes = -1;
788 return len; /* ensure further calls fail as well */
789}
790
791struct ssh2_userkey *sshcom_read(char *filename, char *passphrase)
792{
793 struct sshcom_key *key = load_sshcom_key(filename);
794 char *errmsg;
795 int pos, len;
796 const char prefix_rsa[] = "if-modn{sign{rsa";
797 const char prefix_dsa[] = "dl-modp{sign{dsa";
798 enum { RSA, DSA } type;
799 int encrypted;
800 char *ciphertext;
801 int cipherlen;
802 struct ssh2_userkey *ret = NULL, *retkey;
803 const struct ssh_signkey *alg;
804 unsigned char *blob = NULL;
805 int publen, privlen;
806
807 if (!key)
808 return NULL;
809
810 /*
811 * Check magic number.
812 */
813 if (GET_32BIT(key->keyblob) != 0x3f6ff9eb) {
814 errmsg = "Key does not begin with magic number";
815 goto error;
816 }
817
818 /*
819 * Determine the key type.
820 */
821 pos = 8;
822 if (key->keyblob_len < pos+4 ||
823 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) {
824 errmsg = "Key blob does not contain a key type string";
825 goto error;
826 }
827 if (len > sizeof(prefix_rsa) - 1 &&
828 !memcmp(key->keyblob+pos+4, prefix_rsa, sizeof(prefix_rsa) - 1)) {
829 type = RSA;
830 } else if (len > sizeof(prefix_dsa) - 1 &&
831 !memcmp(key->keyblob+pos+4, prefix_dsa, sizeof(prefix_dsa) - 1)) {
832 type = DSA;
833 } else {
834 errmsg = "Key is of unknown type";
835 goto error;
836 }
837 pos += 4+len;
838
839 /*
840 * Determine the cipher type.
841 */
842 if (key->keyblob_len < pos+4 ||
843 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) {
844 errmsg = "Key blob does not contain a cipher type string";
845 goto error;
846 }
847 if (len == 4 && !memcmp(key->keyblob+pos+4, "none", 4))
848 encrypted = 0;
849 else if (len == 8 && !memcmp(key->keyblob+pos+4, "3des-cbc", 8))
850 encrypted = 1;
851 else {
852 errmsg = "Key encryption is of unknown type";
853 goto error;
854 }
855 pos += 4+len;
856
857 /*
858 * Get hold of the encrypted part of the key.
859 */
860 if (key->keyblob_len < pos+4 ||
861 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) {
862 errmsg = "Key blob does not contain actual key data";
863 goto error;
864 }
865 ciphertext = key->keyblob + pos + 4;
866 cipherlen = len;
867 if (cipherlen == 0) {
868 errmsg = "Length of key data is zero";
869 goto error;
870 }
871
872 /*
873 * Decrypt it if necessary.
874 */
875 if (encrypted) {
876 /*
877 * Derive encryption key from passphrase and iv/salt:
878 *
879 * - let block A equal MD5(passphrase)
880 * - let block B equal MD5(passphrase || A)
881 * - block C would be MD5(passphrase || A || B) and so on
882 * - encryption key is the first N bytes of A || B
883 */
884 struct MD5Context md5c;
885 unsigned char keybuf[32], iv[8];
886
887 if (cipherlen % 8 != 0) {
888 errmsg = "Encrypted part of key is not a multiple of cipher block"
889 " size";
890 goto error;
891 }
892
893 MD5Init(&md5c);
894 MD5Update(&md5c, passphrase, strlen(passphrase));
895 MD5Final(keybuf, &md5c);
896
897 MD5Init(&md5c);
898 MD5Update(&md5c, passphrase, strlen(passphrase));
899 MD5Update(&md5c, keybuf, 16);
900 MD5Final(keybuf+16, &md5c);
901
902 /*
903 * Now decrypt the key blob.
904 */
905 memset(iv, 0, 8);
906 des3_decrypt_pubkey_ossh(keybuf, iv, ciphertext, cipherlen);
907
908 /*
909 * Hereafter we return WRONG_PASSPHRASE for any parsing
910 * error. (But not if we haven't just tried to decrypt it!)
911 */
912 if (encrypted)
913 ret = SSH2_WRONG_PASSPHRASE;
914 }
915
916 /*
917 * Strip away the containing string to get to the real meat.
918 */
919 len = GET_32BIT(ciphertext);
920 if (len > cipherlen-4) {
921 errmsg = "containing string was ill-formed";
922 goto error;
923 }
924 ciphertext += 4;
925 cipherlen = len;
926
927 /*
928 * Now we break down into RSA versus DSA. In either case we'll
929 * construct public and private blobs in our own format, and
930 * end up feeding them to alg->createkey().
931 */
932 blob = smalloc(cipherlen + 256);
933 privlen = 0;
934 if (type == RSA) {
935 struct mpint_pos n, e, d, u, p, q;
936 int pos = 0;
937 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &e);
938 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &d);
939 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &n);
940 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &u);
941 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p);
942 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q);
943 if (!q.start) {
944 errmsg = "key data did not contain six integers";
945 goto error;
946 }
947
948 alg = &ssh_rsa;
949 pos = 0;
950 pos += put_string(blob+pos, "ssh-rsa", 7);
951 pos += put_mp(blob+pos, e.start, e.bytes);
952 pos += put_mp(blob+pos, n.start, n.bytes);
953 publen = pos;
954 pos += put_string(blob+pos, d.start, d.bytes);
955 pos += put_mp(blob+pos, q.start, q.bytes);
956 pos += put_mp(blob+pos, p.start, p.bytes);
957 pos += put_mp(blob+pos, u.start, u.bytes);
958 privlen = pos - publen;
959 } else if (type == DSA) {
960 struct mpint_pos p, q, g, x, y;
961 int pos = 4;
962 if (GET_32BIT(ciphertext) != 0) {
963 errmsg = "predefined DSA parameters not supported";
964 goto error;
965 }
966 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p);
967 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &g);
968 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q);
969 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &y);
970 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &x);
971 if (!x.start) {
972 errmsg = "key data did not contain five integers";
973 goto error;
974 }
975
976 alg = &ssh_dss;
977 pos = 0;
978 pos += put_string(blob+pos, "ssh-dss", 7);
979 pos += put_mp(blob+pos, p.start, p.bytes);
980 pos += put_mp(blob+pos, q.start, q.bytes);
981 pos += put_mp(blob+pos, g.start, g.bytes);
982 pos += put_mp(blob+pos, y.start, y.bytes);
983 publen = pos;
984 pos += put_mp(blob+pos, x.start, x.bytes);
985 privlen = pos - publen;
986 }
987
988 assert(privlen > 0); /* should have bombed by now if not */
989
990 retkey = smalloc(sizeof(struct ssh2_userkey));
991 retkey->alg = alg;
992 retkey->data = alg->createkey(blob, publen, blob+publen, privlen);
993 if (!retkey->data) {
994 sfree(retkey);
995 errmsg = "unable to create key data structure";
996 goto error;
997 }
998 retkey->comment = dupstr(key->comment);
999
1000 errmsg = NULL; /* no error */
1001 ret = retkey;
1002
1003 error:
1004 if (blob) sfree(blob);
1005 sfree(key->keyblob);
1006 sfree(key);
1007 return ret;
1008}
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator