Mercurial > dropbear
comparison keyimport.c @ 391:00fcf5045160
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head c1db4398d56c56c6d06ae1e20c1e0d04dbb598ed)
to branch 'au.asn.ucc.matt.dropbear' (head d26d5eb2837f46b56a33fb0e7573aa0201abd4d5)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 11 Jan 2007 04:29:08 +0000 |
parents | 454a34b2dfd1 |
children | 9dbc0c443497 |
comparison
equal
deleted
inserted
replaced
390:d8e44bef7917 | 391:00fcf5045160 |
---|---|
1 /* | |
2 * Based on PuTTY's import.c for importing/exporting OpenSSH and SSH.com | |
3 * keyfiles. | |
4 * | |
5 * The horribleness of the code is probably mine (matt). | |
6 * | |
7 * Modifications copyright 2003 Matt Johnston | |
8 * | |
9 * PuTTY is copyright 1997-2003 Simon Tatham. | |
10 * | |
11 * Portions copyright Robert de Bath, Joris van Rantwijk, Delian | |
12 * Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, | |
13 * Justin Bradford, and CORE SDI S.A. | |
14 * | |
15 * Permission is hereby granted, free of charge, to any person | |
16 * obtaining a copy of this software and associated documentation files | |
17 * (the "Software"), to deal in the Software without restriction, | |
18 * including without limitation the rights to use, copy, modify, merge, | |
19 * publish, distribute, sublicense, and/or sell copies of the Software, | |
20 * and to permit persons to whom the Software is furnished to do so, | |
21 * subject to the following conditions: | |
22 * | |
23 * The above copyright notice and this permission notice shall be | |
24 * included in all copies or substantial portions of the Software. | |
25 * | |
26 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
27 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
28 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | |
29 * NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE | |
30 * FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF | |
31 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION | |
32 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
33 */ | |
34 | |
35 #include "keyimport.h" | |
36 #include "bignum.h" | |
37 #include "buffer.h" | |
38 #include "dbutil.h" | |
39 | |
40 #define PUT_32BIT(cp, value) do { \ | |
41 (cp)[3] = (unsigned char)(value); \ | |
42 (cp)[2] = (unsigned char)((value) >> 8); \ | |
43 (cp)[1] = (unsigned char)((value) >> 16); \ | |
44 (cp)[0] = (unsigned char)((value) >> 24); } while (0) | |
45 | |
46 #define GET_32BIT(cp) \ | |
47 (((unsigned long)(unsigned char)(cp)[0] << 24) | \ | |
48 ((unsigned long)(unsigned char)(cp)[1] << 16) | \ | |
49 ((unsigned long)(unsigned char)(cp)[2] << 8) | \ | |
50 ((unsigned long)(unsigned char)(cp)[3])) | |
51 | |
52 static int openssh_encrypted(const char *filename); | |
53 static sign_key *openssh_read(const char *filename, char *passphrase); | |
54 static int openssh_write(const char *filename, sign_key *key, | |
55 char *passphrase); | |
56 | |
57 static int dropbear_write(const char*filename, sign_key * key); | |
58 static sign_key *dropbear_read(const char* filename); | |
59 | |
60 #if 0 | |
61 static int sshcom_encrypted(const char *filename, char **comment); | |
62 static struct ssh2_userkey *sshcom_read(const char *filename, char *passphrase); | |
63 static int sshcom_write(const char *filename, struct ssh2_userkey *key, | |
64 char *passphrase); | |
65 #endif | |
66 | |
67 int import_encrypted(const char* filename, int filetype) { | |
68 | |
69 if (filetype == KEYFILE_OPENSSH) { | |
70 return openssh_encrypted(filename); | |
71 #if 0 | |
72 } else if (filetype == KEYFILE_SSHCOM) { | |
73 return sshcom_encrypted(filename, NULL); | |
74 #endif | |
75 } | |
76 return 0; | |
77 } | |
78 | |
79 sign_key *import_read(const char *filename, char *passphrase, int filetype) { | |
80 | |
81 if (filetype == KEYFILE_OPENSSH) { | |
82 return openssh_read(filename, passphrase); | |
83 } else if (filetype == KEYFILE_DROPBEAR) { | |
84 return dropbear_read(filename); | |
85 #if 0 | |
86 } else if (filetype == KEYFILE_SSHCOM) { | |
87 return sshcom_read(filename, passphrase); | |
88 #endif | |
89 } | |
90 return NULL; | |
91 } | |
92 | |
93 int import_write(const char *filename, sign_key *key, char *passphrase, | |
94 int filetype) { | |
95 | |
96 if (filetype == KEYFILE_OPENSSH) { | |
97 return openssh_write(filename, key, passphrase); | |
98 } else if (filetype == KEYFILE_DROPBEAR) { | |
99 return dropbear_write(filename, key); | |
100 #if 0 | |
101 } else if (filetype == KEYFILE_SSHCOM) { | |
102 return sshcom_write(filename, key, passphrase); | |
103 #endif | |
104 } | |
105 return 0; | |
106 } | |
107 | |
108 static sign_key *dropbear_read(const char* filename) { | |
109 | |
110 buffer * buf = NULL; | |
111 sign_key *ret = NULL; | |
112 int type; | |
113 | |
114 buf = buf_new(MAX_PRIVKEY_SIZE); | |
115 if (buf_readfile(buf, filename) == DROPBEAR_FAILURE) { | |
116 goto error; | |
117 } | |
118 | |
119 buf_setpos(buf, 0); | |
120 ret = new_sign_key(); | |
121 | |
122 type = DROPBEAR_SIGNKEY_ANY; | |
123 if (buf_get_priv_key(buf, ret, &type) == DROPBEAR_FAILURE){ | |
124 goto error; | |
125 } | |
126 buf_free(buf); | |
127 | |
128 return ret; | |
129 | |
130 error: | |
131 if (buf) { | |
132 buf_free(buf); | |
133 } | |
134 if (ret) { | |
135 sign_key_free(ret); | |
136 } | |
137 return NULL; | |
138 } | |
139 | |
140 /* returns 0 on fail, 1 on success */ | |
141 static int dropbear_write(const char*filename, sign_key * key) { | |
142 | |
143 int keytype = -1; | |
144 buffer * buf; | |
145 FILE*fp; | |
146 int len; | |
147 int ret; | |
148 | |
149 #ifdef DROPBEAR_RSA | |
150 if (key->rsakey != NULL) { | |
151 keytype = DROPBEAR_SIGNKEY_RSA; | |
152 } | |
153 #endif | |
154 #ifdef DROPBEAR_DSS | |
155 if (key->dsskey != NULL) { | |
156 keytype = DROPBEAR_SIGNKEY_DSS; | |
157 } | |
158 #endif | |
159 | |
160 buf = buf_new(MAX_PRIVKEY_SIZE); | |
161 buf_put_priv_key(buf, key, keytype); | |
162 | |
163 fp = fopen(filename, "w"); | |
164 if (!fp) { | |
165 ret = 0; | |
166 goto out; | |
167 } | |
168 | |
169 buf_setpos(buf, 0); | |
170 do { | |
171 len = fwrite(buf_getptr(buf, buf->len - buf->pos), | |
172 1, buf->len - buf->pos, fp); | |
173 buf_incrpos(buf, len); | |
174 } while (len > 0 && buf->len != buf->pos); | |
175 | |
176 fclose(fp); | |
177 | |
178 if (buf->pos != buf->len) { | |
179 ret = 0; | |
180 } else { | |
181 ret = 1; | |
182 } | |
183 out: | |
184 buf_free(buf); | |
185 return ret; | |
186 } | |
187 | |
188 | |
189 /* ---------------------------------------------------------------------- | |
190 * Helper routines. (The base64 ones are defined in sshpubk.c.) | |
191 */ | |
192 | |
193 #define isbase64(c) ( ((c) >= 'A' && (c) <= 'Z') || \ | |
194 ((c) >= 'a' && (c) <= 'z') || \ | |
195 ((c) >= '0' && (c) <= '9') || \ | |
196 (c) == '+' || (c) == '/' || (c) == '=' \ | |
197 ) | |
198 | |
199 /* cpl has to be less than 100 */ | |
200 static void base64_encode_fp(FILE * fp, unsigned char *data, | |
201 int datalen, int cpl) | |
202 { | |
203 char out[100]; | |
204 int n; | |
205 unsigned long outlen; | |
206 int rawcpl; | |
207 rawcpl = cpl * 3 / 4; | |
208 dropbear_assert((unsigned int)cpl < sizeof(out)); | |
209 | |
210 while (datalen > 0) { | |
211 n = (datalen < rawcpl ? datalen : rawcpl); | |
212 outlen = sizeof(out); | |
213 base64_encode(data, n, out, &outlen); | |
214 data += n; | |
215 datalen -= n; | |
216 fwrite(out, 1, outlen, fp); | |
217 fputc('\n', fp); | |
218 } | |
219 } | |
220 /* | |
221 * Read an ASN.1/BER identifier and length pair. | |
222 * | |
223 * Flags are a combination of the #defines listed below. | |
224 * | |
225 * Returns -1 if unsuccessful; otherwise returns the number of | |
226 * bytes used out of the source data. | |
227 */ | |
228 | |
229 /* ASN.1 tag classes. */ | |
230 #define ASN1_CLASS_UNIVERSAL (0 << 6) | |
231 #define ASN1_CLASS_APPLICATION (1 << 6) | |
232 #define ASN1_CLASS_CONTEXT_SPECIFIC (2 << 6) | |
233 #define ASN1_CLASS_PRIVATE (3 << 6) | |
234 #define ASN1_CLASS_MASK (3 << 6) | |
235 | |
236 /* Primitive versus constructed bit. */ | |
237 #define ASN1_CONSTRUCTED (1 << 5) | |
238 | |
239 static int ber_read_id_len(void *source, int sourcelen, | |
240 int *id, int *length, int *flags) | |
241 { | |
242 unsigned char *p = (unsigned char *) source; | |
243 | |
244 if (sourcelen == 0) | |
245 return -1; | |
246 | |
247 *flags = (*p & 0xE0); | |
248 if ((*p & 0x1F) == 0x1F) { | |
249 *id = 0; | |
250 while (*p & 0x80) { | |
251 *id = (*id << 7) | (*p & 0x7F); | |
252 p++, sourcelen--; | |
253 if (sourcelen == 0) | |
254 return -1; | |
255 } | |
256 *id = (*id << 7) | (*p & 0x7F); | |
257 p++, sourcelen--; | |
258 } else { | |
259 *id = *p & 0x1F; | |
260 p++, sourcelen--; | |
261 } | |
262 | |
263 if (sourcelen == 0) | |
264 return -1; | |
265 | |
266 if (*p & 0x80) { | |
267 int n = *p & 0x7F; | |
268 p++, sourcelen--; | |
269 if (sourcelen < n) | |
270 return -1; | |
271 *length = 0; | |
272 while (n--) | |
273 *length = (*length << 8) | (*p++); | |
274 sourcelen -= n; | |
275 } else { | |
276 *length = *p; | |
277 p++, sourcelen--; | |
278 } | |
279 | |
280 return p - (unsigned char *) source; | |
281 } | |
282 | |
283 /* | |
284 * Write an ASN.1/BER identifier and length pair. Returns the | |
285 * number of bytes consumed. Assumes dest contains enough space. | |
286 * Will avoid writing anything if dest is NULL, but still return | |
287 * amount of space required. | |
288 */ | |
289 static int ber_write_id_len(void *dest, int id, int length, int flags) | |
290 { | |
291 unsigned char *d = (unsigned char *)dest; | |
292 int len = 0; | |
293 | |
294 if (id <= 30) { | |
295 /* | |
296 * Identifier is one byte. | |
297 */ | |
298 len++; | |
299 if (d) *d++ = id | flags; | |
300 } else { | |
301 int n; | |
302 /* | |
303 * Identifier is multiple bytes: the first byte is 11111 | |
304 * plus the flags, and subsequent bytes encode the value of | |
305 * the identifier, 7 bits at a time, with the top bit of | |
306 * each byte 1 except the last one which is 0. | |
307 */ | |
308 len++; | |
309 if (d) *d++ = 0x1F | flags; | |
310 for (n = 1; (id >> (7*n)) > 0; n++) | |
311 continue; /* count the bytes */ | |
312 while (n--) { | |
313 len++; | |
314 if (d) *d++ = (n ? 0x80 : 0) | ((id >> (7*n)) & 0x7F); | |
315 } | |
316 } | |
317 | |
318 if (length < 128) { | |
319 /* | |
320 * Length is one byte. | |
321 */ | |
322 len++; | |
323 if (d) *d++ = length; | |
324 } else { | |
325 int n; | |
326 /* | |
327 * Length is multiple bytes. The first is 0x80 plus the | |
328 * number of subsequent bytes, and the subsequent bytes | |
329 * encode the actual length. | |
330 */ | |
331 for (n = 1; (length >> (8*n)) > 0; n++) | |
332 continue; /* count the bytes */ | |
333 len++; | |
334 if (d) *d++ = 0x80 | n; | |
335 while (n--) { | |
336 len++; | |
337 if (d) *d++ = (length >> (8*n)) & 0xFF; | |
338 } | |
339 } | |
340 | |
341 return len; | |
342 } | |
343 | |
344 | |
345 /* Simple structure to point to an mp-int within a blob. */ | |
346 struct mpint_pos { void *start; int bytes; }; | |
347 | |
348 /* ---------------------------------------------------------------------- | |
349 * Code to read and write OpenSSH private keys. | |
350 */ | |
351 | |
352 enum { OSSH_DSA, OSSH_RSA }; | |
353 struct openssh_key { | |
354 int type; | |
355 int encrypted; | |
356 char iv[32]; | |
357 unsigned char *keyblob; | |
358 unsigned int keyblob_len, keyblob_size; | |
359 }; | |
360 | |
361 static struct openssh_key *load_openssh_key(const char *filename) | |
362 { | |
363 struct openssh_key *ret; | |
364 FILE *fp = NULL; | |
365 char buffer[256]; | |
366 char *errmsg = NULL, *p = NULL; | |
367 int headers_done; | |
368 unsigned long len, outlen; | |
369 | |
370 ret = (struct openssh_key*)m_malloc(sizeof(struct openssh_key)); | |
371 ret->keyblob = NULL; | |
372 ret->keyblob_len = ret->keyblob_size = 0; | |
373 ret->encrypted = 0; | |
374 memset(ret->iv, 0, sizeof(ret->iv)); | |
375 | |
376 if (strlen(filename) == 1 && filename[0] == '-') { | |
377 fp = stdin; | |
378 } else { | |
379 fp = fopen(filename, "r"); | |
380 } | |
381 if (!fp) { | |
382 errmsg = "Unable to open key file"; | |
383 goto error; | |
384 } | |
385 if (!fgets(buffer, sizeof(buffer), fp) || | |
386 0 != strncmp(buffer, "-----BEGIN ", 11) || | |
387 0 != strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n")) { | |
388 errmsg = "File does not begin with OpenSSH key header"; | |
389 goto error; | |
390 } | |
391 if (!strcmp(buffer, "-----BEGIN RSA PRIVATE KEY-----\n")) | |
392 ret->type = OSSH_RSA; | |
393 else if (!strcmp(buffer, "-----BEGIN DSA PRIVATE KEY-----\n")) | |
394 ret->type = OSSH_DSA; | |
395 else { | |
396 errmsg = "Unrecognised key type"; | |
397 goto error; | |
398 } | |
399 | |
400 headers_done = 0; | |
401 while (1) { | |
402 if (!fgets(buffer, sizeof(buffer), fp)) { | |
403 errmsg = "Unexpected end of file"; | |
404 goto error; | |
405 } | |
406 if (0 == strncmp(buffer, "-----END ", 9) && | |
407 0 == strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n")) | |
408 break; /* done */ | |
409 if ((p = strchr(buffer, ':')) != NULL) { | |
410 if (headers_done) { | |
411 errmsg = "Header found in body of key data"; | |
412 goto error; | |
413 } | |
414 *p++ = '\0'; | |
415 while (*p && isspace((unsigned char)*p)) p++; | |
416 if (!strcmp(buffer, "Proc-Type")) { | |
417 if (p[0] != '4' || p[1] != ',') { | |
418 errmsg = "Proc-Type is not 4 (only 4 is supported)"; | |
419 goto error; | |
420 } | |
421 p += 2; | |
422 if (!strcmp(p, "ENCRYPTED\n")) | |
423 ret->encrypted = 1; | |
424 } else if (!strcmp(buffer, "DEK-Info")) { | |
425 int i, j; | |
426 | |
427 if (strncmp(p, "DES-EDE3-CBC,", 13)) { | |
428 errmsg = "Ciphers other than DES-EDE3-CBC not supported"; | |
429 goto error; | |
430 } | |
431 p += 13; | |
432 for (i = 0; i < 8; i++) { | |
433 if (1 != sscanf(p, "%2x", &j)) | |
434 break; | |
435 ret->iv[i] = j; | |
436 p += 2; | |
437 } | |
438 if (i < 8) { | |
439 errmsg = "Expected 16-digit iv in DEK-Info"; | |
440 goto error; | |
441 } | |
442 } | |
443 } else { | |
444 headers_done = 1; | |
445 len = strlen(buffer); | |
446 outlen = len*4/3; | |
447 if (ret->keyblob_len + outlen > ret->keyblob_size) { | |
448 ret->keyblob_size = ret->keyblob_len + outlen + 256; | |
449 ret->keyblob = (unsigned char*)m_realloc(ret->keyblob, | |
450 ret->keyblob_size); | |
451 } | |
452 outlen = ret->keyblob_size - ret->keyblob_len; | |
453 if (base64_decode(buffer, len, | |
454 ret->keyblob + ret->keyblob_len, &outlen) != CRYPT_OK){ | |
455 errmsg = "Error decoding base64"; | |
456 goto error; | |
457 } | |
458 ret->keyblob_len += outlen; | |
459 } | |
460 } | |
461 | |
462 if (ret->keyblob_len == 0 || !ret->keyblob) { | |
463 errmsg = "Key body not present"; | |
464 goto error; | |
465 } | |
466 | |
467 if (ret->encrypted && ret->keyblob_len % 8 != 0) { | |
468 errmsg = "Encrypted key blob is not a multiple of cipher block size"; | |
469 goto error; | |
470 } | |
471 | |
472 memset(buffer, 0, sizeof(buffer)); | |
473 return ret; | |
474 | |
475 error: | |
476 memset(buffer, 0, sizeof(buffer)); | |
477 if (ret) { | |
478 if (ret->keyblob) { | |
479 memset(ret->keyblob, 0, ret->keyblob_size); | |
480 m_free(ret->keyblob); | |
481 } | |
482 memset(&ret, 0, sizeof(ret)); | |
483 m_free(ret); | |
484 } | |
485 if (fp) { | |
486 fclose(fp); | |
487 } | |
488 if (errmsg) { | |
489 fprintf(stderr, "Error: %s\n", errmsg); | |
490 } | |
491 return NULL; | |
492 } | |
493 | |
494 static int openssh_encrypted(const char *filename) | |
495 { | |
496 struct openssh_key *key = load_openssh_key(filename); | |
497 int ret; | |
498 | |
499 if (!key) | |
500 return 0; | |
501 ret = key->encrypted; | |
502 memset(key->keyblob, 0, key->keyblob_size); | |
503 m_free(key->keyblob); | |
504 memset(&key, 0, sizeof(key)); | |
505 m_free(key); | |
506 return ret; | |
507 } | |
508 | |
509 static sign_key *openssh_read(const char *filename, char *passphrase) | |
510 { | |
511 struct openssh_key *key; | |
512 unsigned char *p; | |
513 int ret, id, len, flags; | |
514 int i, num_integers = 0; | |
515 sign_key *retval = NULL; | |
516 char *errmsg; | |
517 char *modptr = NULL; | |
518 int modlen = -9999; | |
519 int type; | |
520 | |
521 sign_key *retkey; | |
522 buffer * blobbuf = NULL; | |
523 | |
524 key = load_openssh_key(filename); | |
525 | |
526 if (!key) | |
527 return NULL; | |
528 | |
529 if (key->encrypted) { | |
530 errmsg = "encrypted keys not supported currently"; | |
531 goto error; | |
532 #if 0 | |
533 /* matt TODO */ | |
534 /* | |
535 * Derive encryption key from passphrase and iv/salt: | |
536 * | |
537 * - let block A equal MD5(passphrase || iv) | |
538 * - let block B equal MD5(A || passphrase || iv) | |
539 * - block C would be MD5(B || passphrase || iv) and so on | |
540 * - encryption key is the first N bytes of A || B | |
541 */ | |
542 struct MD5Context md5c; | |
543 unsigned char keybuf[32]; | |
544 | |
545 MD5Init(&md5c); | |
546 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
547 MD5Update(&md5c, (unsigned char *)key->iv, 8); | |
548 MD5Final(keybuf, &md5c); | |
549 | |
550 MD5Init(&md5c); | |
551 MD5Update(&md5c, keybuf, 16); | |
552 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
553 MD5Update(&md5c, (unsigned char *)key->iv, 8); | |
554 MD5Final(keybuf+16, &md5c); | |
555 | |
556 /* | |
557 * Now decrypt the key blob. | |
558 */ | |
559 des3_decrypt_pubkey_ossh(keybuf, (unsigned char *)key->iv, | |
560 key->keyblob, key->keyblob_len); | |
561 | |
562 memset(&md5c, 0, sizeof(md5c)); | |
563 memset(keybuf, 0, sizeof(keybuf)); | |
564 #endif | |
565 } | |
566 | |
567 /* | |
568 * Now we have a decrypted key blob, which contains an ASN.1 | |
569 * encoded private key. We must now untangle the ASN.1. | |
570 * | |
571 * We expect the whole key blob to be formatted as a SEQUENCE | |
572 * (0x30 followed by a length code indicating that the rest of | |
573 * the blob is part of the sequence). Within that SEQUENCE we | |
574 * expect to see a bunch of INTEGERs. What those integers mean | |
575 * depends on the key type: | |
576 * | |
577 * - For RSA, we expect the integers to be 0, n, e, d, p, q, | |
578 * dmp1, dmq1, iqmp in that order. (The last three are d mod | |
579 * (p-1), d mod (q-1), inverse of q mod p respectively.) | |
580 * | |
581 * - For DSA, we expect them to be 0, p, q, g, y, x in that | |
582 * order. | |
583 */ | |
584 | |
585 p = key->keyblob; | |
586 | |
587 /* Expect the SEQUENCE header. Take its absence as a failure to decrypt. */ | |
588 ret = ber_read_id_len(p, key->keyblob_len, &id, &len, &flags); | |
589 p += ret; | |
590 if (ret < 0 || id != 16) { | |
591 errmsg = "ASN.1 decoding failure - wrong password?"; | |
592 goto error; | |
593 } | |
594 | |
595 /* Expect a load of INTEGERs. */ | |
596 if (key->type == OSSH_RSA) | |
597 num_integers = 9; | |
598 else if (key->type == OSSH_DSA) | |
599 num_integers = 6; | |
600 | |
601 /* | |
602 * Space to create key blob in. | |
603 */ | |
604 blobbuf = buf_new(3000); | |
605 | |
606 if (key->type == OSSH_DSA) { | |
607 buf_putstring(blobbuf, "ssh-dss", 7); | |
608 } else if (key->type == OSSH_RSA) { | |
609 buf_putstring(blobbuf, "ssh-rsa", 7); | |
610 } | |
611 | |
612 for (i = 0; i < num_integers; i++) { | |
613 ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, | |
614 &id, &len, &flags); | |
615 p += ret; | |
616 if (ret < 0 || id != 2 || | |
617 key->keyblob+key->keyblob_len-p < len) { | |
618 errmsg = "ASN.1 decoding failure"; | |
619 goto error; | |
620 } | |
621 | |
622 if (i == 0) { | |
623 /* | |
624 * The first integer should be zero always (I think | |
625 * this is some sort of version indication). | |
626 */ | |
627 if (len != 1 || p[0] != 0) { | |
628 errmsg = "Version number mismatch"; | |
629 goto error; | |
630 } | |
631 } else if (key->type == OSSH_RSA) { | |
632 /* | |
633 * OpenSSH key order is n, e, d, p, q, dmp1, dmq1, iqmp | |
634 * but we want e, n, d, p, q | |
635 */ | |
636 if (i == 1) { | |
637 /* Save the details for after we deal with number 2. */ | |
638 modptr = (char *)p; | |
639 modlen = len; | |
640 } else if (i >= 2 && i <= 5) { | |
641 buf_putstring(blobbuf, p, len); | |
642 if (i == 2) { | |
643 buf_putstring(blobbuf, modptr, modlen); | |
644 } | |
645 } | |
646 } else if (key->type == OSSH_DSA) { | |
647 /* | |
648 * OpenSSH key order is p, q, g, y, x, | |
649 * we want the same. | |
650 */ | |
651 buf_putstring(blobbuf, p, len); | |
652 } | |
653 | |
654 /* Skip past the number. */ | |
655 p += len; | |
656 } | |
657 | |
658 /* | |
659 * Now put together the actual key. Simplest way to do this is | |
660 * to assemble our own key blobs and feed them to the createkey | |
661 * functions; this is a bit faffy but it does mean we get all | |
662 * the sanity checks for free. | |
663 */ | |
664 retkey = new_sign_key(); | |
665 buf_setpos(blobbuf, 0); | |
666 type = DROPBEAR_SIGNKEY_ANY; | |
667 if (buf_get_priv_key(blobbuf, retkey, &type) | |
668 != DROPBEAR_SUCCESS) { | |
669 errmsg = "unable to create key structure"; | |
670 sign_key_free(retkey); | |
671 retkey = NULL; | |
672 goto error; | |
673 } | |
674 | |
675 errmsg = NULL; /* no error */ | |
676 retval = retkey; | |
677 | |
678 error: | |
679 if (blobbuf) { | |
680 buf_burn(blobbuf); | |
681 buf_free(blobbuf); | |
682 } | |
683 m_burn(key->keyblob, key->keyblob_size); | |
684 m_free(key->keyblob); | |
685 m_burn(key, sizeof(key)); | |
686 m_free(key); | |
687 if (errmsg) { | |
688 fprintf(stderr, "Error: %s\n", errmsg); | |
689 } | |
690 return retval; | |
691 } | |
692 | |
693 static int openssh_write(const char *filename, sign_key *key, | |
694 char *passphrase) | |
695 { | |
696 buffer * keyblob = NULL; | |
697 buffer * extrablob = NULL; /* used for calculated values to write */ | |
698 unsigned char *outblob = NULL; | |
699 int outlen = -9999; | |
700 struct mpint_pos numbers[9]; | |
701 int nnumbers = -1, pos, len, seqlen, i; | |
702 char *header = NULL, *footer = NULL; | |
703 char zero[1]; | |
704 unsigned char iv[8]; | |
705 int ret = 0; | |
706 FILE *fp; | |
707 int keytype = -1; | |
708 | |
709 #ifdef DROPBEAR_RSA | |
710 mp_int dmp1, dmq1, iqmp, tmpval; /* for rsa */ | |
711 | |
712 if (key->rsakey != NULL) { | |
713 keytype = DROPBEAR_SIGNKEY_RSA; | |
714 } | |
715 #endif | |
716 #ifdef DROPBEAR_DSS | |
717 if (key->dsskey != NULL) { | |
718 keytype = DROPBEAR_SIGNKEY_DSS; | |
719 } | |
720 #endif | |
721 | |
722 dropbear_assert(keytype != -1); | |
723 | |
724 /* | |
725 * Fetch the key blobs. | |
726 */ | |
727 keyblob = buf_new(3000); | |
728 buf_put_priv_key(keyblob, key, keytype); | |
729 | |
730 buf_setpos(keyblob, 0); | |
731 /* skip the "ssh-rsa" or "ssh-dss" header */ | |
732 buf_incrpos(keyblob, buf_getint(keyblob)); | |
733 | |
734 /* | |
735 * Find the sequence of integers to be encoded into the OpenSSH | |
736 * key blob, and also decide on the header line. | |
737 */ | |
738 numbers[0].start = zero; numbers[0].bytes = 1; zero[0] = '\0'; | |
739 | |
740 #ifdef DROPBEAR_RSA | |
741 if (keytype == DROPBEAR_SIGNKEY_RSA) { | |
742 | |
743 if (key->rsakey->p == NULL || key->rsakey->q == NULL) { | |
744 fprintf(stderr, "Pre-0.33 Dropbear keys cannot be converted to OpenSSH keys.\n"); | |
745 goto error; | |
746 } | |
747 | |
748 /* e */ | |
749 numbers[2].bytes = buf_getint(keyblob); | |
750 numbers[2].start = buf_getptr(keyblob, numbers[2].bytes); | |
751 buf_incrpos(keyblob, numbers[2].bytes); | |
752 | |
753 /* n */ | |
754 numbers[1].bytes = buf_getint(keyblob); | |
755 numbers[1].start = buf_getptr(keyblob, numbers[1].bytes); | |
756 buf_incrpos(keyblob, numbers[1].bytes); | |
757 | |
758 /* d */ | |
759 numbers[3].bytes = buf_getint(keyblob); | |
760 numbers[3].start = buf_getptr(keyblob, numbers[3].bytes); | |
761 buf_incrpos(keyblob, numbers[3].bytes); | |
762 | |
763 /* p */ | |
764 numbers[4].bytes = buf_getint(keyblob); | |
765 numbers[4].start = buf_getptr(keyblob, numbers[4].bytes); | |
766 buf_incrpos(keyblob, numbers[4].bytes); | |
767 | |
768 /* q */ | |
769 numbers[5].bytes = buf_getint(keyblob); | |
770 numbers[5].start = buf_getptr(keyblob, numbers[5].bytes); | |
771 buf_incrpos(keyblob, numbers[5].bytes); | |
772 | |
773 /* now calculate some extra parameters: */ | |
774 m_mp_init(&tmpval); | |
775 m_mp_init(&dmp1); | |
776 m_mp_init(&dmq1); | |
777 m_mp_init(&iqmp); | |
778 | |
779 /* dmp1 = d mod (p-1) */ | |
780 if (mp_sub_d(key->rsakey->p, 1, &tmpval) != MP_OKAY) { | |
781 fprintf(stderr, "Bignum error for p-1\n"); | |
782 goto error; | |
783 } | |
784 if (mp_mod(key->rsakey->d, &tmpval, &dmp1) != MP_OKAY) { | |
785 fprintf(stderr, "Bignum error for dmp1\n"); | |
786 goto error; | |
787 } | |
788 | |
789 /* dmq1 = d mod (q-1) */ | |
790 if (mp_sub_d(key->rsakey->q, 1, &tmpval) != MP_OKAY) { | |
791 fprintf(stderr, "Bignum error for q-1\n"); | |
792 goto error; | |
793 } | |
794 if (mp_mod(key->rsakey->d, &tmpval, &dmq1) != MP_OKAY) { | |
795 fprintf(stderr, "Bignum error for dmq1\n"); | |
796 goto error; | |
797 } | |
798 | |
799 /* iqmp = (q^-1) mod p */ | |
800 if (mp_invmod(key->rsakey->q, key->rsakey->p, &iqmp) != MP_OKAY) { | |
801 fprintf(stderr, "Bignum error for iqmp\n"); | |
802 goto error; | |
803 } | |
804 | |
805 extrablob = buf_new(2000); | |
806 buf_putmpint(extrablob, &dmp1); | |
807 buf_putmpint(extrablob, &dmq1); | |
808 buf_putmpint(extrablob, &iqmp); | |
809 buf_setpos(extrablob, 0); | |
810 mp_clear(&dmp1); | |
811 mp_clear(&dmq1); | |
812 mp_clear(&iqmp); | |
813 mp_clear(&tmpval); | |
814 | |
815 /* dmp1 */ | |
816 numbers[6].bytes = buf_getint(extrablob); | |
817 numbers[6].start = buf_getptr(extrablob, numbers[6].bytes); | |
818 buf_incrpos(extrablob, numbers[6].bytes); | |
819 | |
820 /* dmq1 */ | |
821 numbers[7].bytes = buf_getint(extrablob); | |
822 numbers[7].start = buf_getptr(extrablob, numbers[7].bytes); | |
823 buf_incrpos(extrablob, numbers[7].bytes); | |
824 | |
825 /* iqmp */ | |
826 numbers[8].bytes = buf_getint(extrablob); | |
827 numbers[8].start = buf_getptr(extrablob, numbers[8].bytes); | |
828 buf_incrpos(extrablob, numbers[8].bytes); | |
829 | |
830 nnumbers = 9; | |
831 header = "-----BEGIN RSA PRIVATE KEY-----\n"; | |
832 footer = "-----END RSA PRIVATE KEY-----\n"; | |
833 } | |
834 #endif /* DROPBEAR_RSA */ | |
835 | |
836 #ifdef DROPBEAR_DSS | |
837 if (keytype == DROPBEAR_SIGNKEY_DSS) { | |
838 | |
839 /* p */ | |
840 numbers[1].bytes = buf_getint(keyblob); | |
841 numbers[1].start = buf_getptr(keyblob, numbers[1].bytes); | |
842 buf_incrpos(keyblob, numbers[1].bytes); | |
843 | |
844 /* q */ | |
845 numbers[2].bytes = buf_getint(keyblob); | |
846 numbers[2].start = buf_getptr(keyblob, numbers[2].bytes); | |
847 buf_incrpos(keyblob, numbers[2].bytes); | |
848 | |
849 /* g */ | |
850 numbers[3].bytes = buf_getint(keyblob); | |
851 numbers[3].start = buf_getptr(keyblob, numbers[3].bytes); | |
852 buf_incrpos(keyblob, numbers[3].bytes); | |
853 | |
854 /* y */ | |
855 numbers[4].bytes = buf_getint(keyblob); | |
856 numbers[4].start = buf_getptr(keyblob, numbers[4].bytes); | |
857 buf_incrpos(keyblob, numbers[4].bytes); | |
858 | |
859 /* x */ | |
860 numbers[5].bytes = buf_getint(keyblob); | |
861 numbers[5].start = buf_getptr(keyblob, numbers[5].bytes); | |
862 buf_incrpos(keyblob, numbers[5].bytes); | |
863 | |
864 nnumbers = 6; | |
865 header = "-----BEGIN DSA PRIVATE KEY-----\n"; | |
866 footer = "-----END DSA PRIVATE KEY-----\n"; | |
867 } | |
868 #endif /* DROPBEAR_DSS */ | |
869 | |
870 /* | |
871 * Now count up the total size of the ASN.1 encoded integers, | |
872 * so as to determine the length of the containing SEQUENCE. | |
873 */ | |
874 len = 0; | |
875 for (i = 0; i < nnumbers; i++) { | |
876 len += ber_write_id_len(NULL, 2, numbers[i].bytes, 0); | |
877 len += numbers[i].bytes; | |
878 } | |
879 seqlen = len; | |
880 /* Now add on the SEQUENCE header. */ | |
881 len += ber_write_id_len(NULL, 16, seqlen, ASN1_CONSTRUCTED); | |
882 /* Round up to the cipher block size, ensuring we have at least one | |
883 * byte of padding (see below). */ | |
884 outlen = len; | |
885 if (passphrase) | |
886 outlen = (outlen+8) &~ 7; | |
887 | |
888 /* | |
889 * Now we know how big outblob needs to be. Allocate it. | |
890 */ | |
891 outblob = (unsigned char*)m_malloc(outlen); | |
892 | |
893 /* | |
894 * And write the data into it. | |
895 */ | |
896 pos = 0; | |
897 pos += ber_write_id_len(outblob+pos, 16, seqlen, ASN1_CONSTRUCTED); | |
898 for (i = 0; i < nnumbers; i++) { | |
899 pos += ber_write_id_len(outblob+pos, 2, numbers[i].bytes, 0); | |
900 memcpy(outblob+pos, numbers[i].start, numbers[i].bytes); | |
901 pos += numbers[i].bytes; | |
902 } | |
903 | |
904 /* | |
905 * Padding on OpenSSH keys is deterministic. The number of | |
906 * padding bytes is always more than zero, and always at most | |
907 * the cipher block length. The value of each padding byte is | |
908 * equal to the number of padding bytes. So a plaintext that's | |
909 * an exact multiple of the block size will be padded with 08 | |
910 * 08 08 08 08 08 08 08 (assuming a 64-bit block cipher); a | |
911 * plaintext one byte less than a multiple of the block size | |
912 * will be padded with just 01. | |
913 * | |
914 * This enables the OpenSSL key decryption function to strip | |
915 * off the padding algorithmically and return the unpadded | |
916 * plaintext to the next layer: it looks at the final byte, and | |
917 * then expects to find that many bytes at the end of the data | |
918 * with the same value. Those are all removed and the rest is | |
919 * returned. | |
920 */ | |
921 dropbear_assert(pos == len); | |
922 while (pos < outlen) { | |
923 outblob[pos++] = outlen - len; | |
924 } | |
925 | |
926 /* | |
927 * Encrypt the key. | |
928 */ | |
929 if (passphrase) { | |
930 fprintf(stderr, "Encrypted keys aren't supported currently\n"); | |
931 goto error; | |
932 } | |
933 | |
934 /* | |
935 * And save it. We'll use Unix line endings just in case it's | |
936 * subsequently transferred in binary mode. | |
937 */ | |
938 if (strlen(filename) == 1 && filename[0] == '-') { | |
939 fp = stdout; | |
940 } else { | |
941 fp = fopen(filename, "wb"); /* ensure Unix line endings */ | |
942 } | |
943 if (!fp) { | |
944 fprintf(stderr, "Failed opening output file\n"); | |
945 goto error; | |
946 } | |
947 fputs(header, fp); | |
948 base64_encode_fp(fp, outblob, outlen, 64); | |
949 fputs(footer, fp); | |
950 fclose(fp); | |
951 ret = 1; | |
952 | |
953 error: | |
954 if (outblob) { | |
955 memset(outblob, 0, outlen); | |
956 m_free(outblob); | |
957 } | |
958 if (keyblob) { | |
959 buf_burn(keyblob); | |
960 buf_free(keyblob); | |
961 } | |
962 if (extrablob) { | |
963 buf_burn(extrablob); | |
964 buf_free(extrablob); | |
965 } | |
966 return ret; | |
967 } | |
968 | |
969 #if 0 | |
970 /* XXX TODO ssh.com stuff isn't going yet */ | |
971 | |
972 /* ---------------------------------------------------------------------- | |
973 * Code to read ssh.com private keys. | |
974 */ | |
975 | |
976 /* | |
977 * The format of the base64 blob is largely ssh2-packet-formatted, | |
978 * except that mpints are a bit different: they're more like the | |
979 * old ssh1 mpint. You have a 32-bit bit count N, followed by | |
980 * (N+7)/8 bytes of data. | |
981 * | |
982 * So. The blob contains: | |
983 * | |
984 * - uint32 0x3f6ff9eb (magic number) | |
985 * - uint32 size (total blob size) | |
986 * - string key-type (see below) | |
987 * - string cipher-type (tells you if key is encrypted) | |
988 * - string encrypted-blob | |
989 * | |
990 * (The first size field includes the size field itself and the | |
991 * magic number before it. All other size fields are ordinary ssh2 | |
992 * strings, so the size field indicates how much data is to | |
993 * _follow_.) | |
994 * | |
995 * The encrypted blob, once decrypted, contains a single string | |
996 * which in turn contains the payload. (This allows padding to be | |
997 * added after that string while still making it clear where the | |
998 * real payload ends. Also it probably makes for a reasonable | |
999 * decryption check.) | |
1000 * | |
1001 * The payload blob, for an RSA key, contains: | |
1002 * - mpint e | |
1003 * - mpint d | |
1004 * - mpint n (yes, the public and private stuff is intermixed) | |
1005 * - mpint u (presumably inverse of p mod q) | |
1006 * - mpint p (p is the smaller prime) | |
1007 * - mpint q (q is the larger) | |
1008 * | |
1009 * For a DSA key, the payload blob contains: | |
1010 * - uint32 0 | |
1011 * - mpint p | |
1012 * - mpint g | |
1013 * - mpint q | |
1014 * - mpint y | |
1015 * - mpint x | |
1016 * | |
1017 * Alternatively, if the parameters are `predefined', that | |
1018 * (0,p,g,q) sequence can be replaced by a uint32 1 and a string | |
1019 * containing some predefined parameter specification. *shudder*, | |
1020 * but I doubt we'll encounter this in real life. | |
1021 * | |
1022 * The key type strings are ghastly. The RSA key I looked at had a | |
1023 * type string of | |
1024 * | |
1025 * `if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}' | |
1026 * | |
1027 * and the DSA key wasn't much better: | |
1028 * | |
1029 * `dl-modp{sign{dsa-nist-sha1},dh{plain}}' | |
1030 * | |
1031 * It isn't clear that these will always be the same. I think it | |
1032 * might be wise just to look at the `if-modn{sign{rsa' and | |
1033 * `dl-modp{sign{dsa' prefixes. | |
1034 * | |
1035 * Finally, the encryption. The cipher-type string appears to be | |
1036 * either `none' or `3des-cbc'. Looks as if this is SSH2-style | |
1037 * 3des-cbc (i.e. outer cbc rather than inner). The key is created | |
1038 * from the passphrase by means of yet another hashing faff: | |
1039 * | |
1040 * - first 16 bytes are MD5(passphrase) | |
1041 * - next 16 bytes are MD5(passphrase || first 16 bytes) | |
1042 * - if there were more, they'd be MD5(passphrase || first 32), | |
1043 * and so on. | |
1044 */ | |
1045 | |
1046 #define SSHCOM_MAGIC_NUMBER 0x3f6ff9eb | |
1047 | |
1048 struct sshcom_key { | |
1049 char comment[256]; /* allowing any length is overkill */ | |
1050 unsigned char *keyblob; | |
1051 int keyblob_len, keyblob_size; | |
1052 }; | |
1053 | |
1054 static struct sshcom_key *load_sshcom_key(const char *filename) | |
1055 { | |
1056 struct sshcom_key *ret; | |
1057 FILE *fp; | |
1058 char buffer[256]; | |
1059 int len; | |
1060 char *errmsg, *p; | |
1061 int headers_done; | |
1062 char base64_bit[4]; | |
1063 int base64_chars = 0; | |
1064 | |
1065 ret = snew(struct sshcom_key); | |
1066 ret->comment[0] = '\0'; | |
1067 ret->keyblob = NULL; | |
1068 ret->keyblob_len = ret->keyblob_size = 0; | |
1069 | |
1070 fp = fopen(filename, "r"); | |
1071 if (!fp) { | |
1072 errmsg = "Unable to open key file"; | |
1073 goto error; | |
1074 } | |
1075 if (!fgets(buffer, sizeof(buffer), fp) || | |
1076 0 != strcmp(buffer, "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n")) { | |
1077 errmsg = "File does not begin with ssh.com key header"; | |
1078 goto error; | |
1079 } | |
1080 | |
1081 headers_done = 0; | |
1082 while (1) { | |
1083 if (!fgets(buffer, sizeof(buffer), fp)) { | |
1084 errmsg = "Unexpected end of file"; | |
1085 goto error; | |
1086 } | |
1087 if (!strcmp(buffer, "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n")) | |
1088 break; /* done */ | |
1089 if ((p = strchr(buffer, ':')) != NULL) { | |
1090 if (headers_done) { | |
1091 errmsg = "Header found in body of key data"; | |
1092 goto error; | |
1093 } | |
1094 *p++ = '\0'; | |
1095 while (*p && isspace((unsigned char)*p)) p++; | |
1096 /* | |
1097 * Header lines can end in a trailing backslash for | |
1098 * continuation. | |
1099 */ | |
1100 while ((len = strlen(p)) > (int)(sizeof(buffer) - (p-buffer) -1) || | |
1101 p[len-1] != '\n' || p[len-2] == '\\') { | |
1102 if (len > (int)((p-buffer) + sizeof(buffer)-2)) { | |
1103 errmsg = "Header line too long to deal with"; | |
1104 goto error; | |
1105 } | |
1106 if (!fgets(p+len-2, sizeof(buffer)-(p-buffer)-(len-2), fp)) { | |
1107 errmsg = "Unexpected end of file"; | |
1108 goto error; | |
1109 } | |
1110 } | |
1111 p[strcspn(p, "\n")] = '\0'; | |
1112 if (!strcmp(buffer, "Comment")) { | |
1113 /* Strip quotes in comment if present. */ | |
1114 if (p[0] == '"' && p[strlen(p)-1] == '"') { | |
1115 p++; | |
1116 p[strlen(p)-1] = '\0'; | |
1117 } | |
1118 strncpy(ret->comment, p, sizeof(ret->comment)); | |
1119 ret->comment[sizeof(ret->comment)-1] = '\0'; | |
1120 } | |
1121 } else { | |
1122 headers_done = 1; | |
1123 | |
1124 p = buffer; | |
1125 while (isbase64(*p)) { | |
1126 base64_bit[base64_chars++] = *p; | |
1127 if (base64_chars == 4) { | |
1128 unsigned char out[3]; | |
1129 | |
1130 base64_chars = 0; | |
1131 | |
1132 len = base64_decode_atom(base64_bit, out); | |
1133 | |
1134 if (len <= 0) { | |
1135 errmsg = "Invalid base64 encoding"; | |
1136 goto error; | |
1137 } | |
1138 | |
1139 if (ret->keyblob_len + len > ret->keyblob_size) { | |
1140 ret->keyblob_size = ret->keyblob_len + len + 256; | |
1141 ret->keyblob = sresize(ret->keyblob, ret->keyblob_size, | |
1142 unsigned char); | |
1143 } | |
1144 | |
1145 memcpy(ret->keyblob + ret->keyblob_len, out, len); | |
1146 ret->keyblob_len += len; | |
1147 } | |
1148 | |
1149 p++; | |
1150 } | |
1151 } | |
1152 } | |
1153 | |
1154 if (ret->keyblob_len == 0 || !ret->keyblob) { | |
1155 errmsg = "Key body not present"; | |
1156 goto error; | |
1157 } | |
1158 | |
1159 return ret; | |
1160 | |
1161 error: | |
1162 if (ret) { | |
1163 if (ret->keyblob) { | |
1164 memset(ret->keyblob, 0, ret->keyblob_size); | |
1165 m_free(ret->keyblob); | |
1166 } | |
1167 memset(&ret, 0, sizeof(ret)); | |
1168 m_free(ret); | |
1169 } | |
1170 return NULL; | |
1171 } | |
1172 | |
1173 int sshcom_encrypted(const char *filename, char **comment) | |
1174 { | |
1175 struct sshcom_key *key = load_sshcom_key(filename); | |
1176 int pos, len, answer; | |
1177 | |
1178 *comment = NULL; | |
1179 if (!key) | |
1180 return 0; | |
1181 | |
1182 /* | |
1183 * Check magic number. | |
1184 */ | |
1185 if (GET_32BIT(key->keyblob) != 0x3f6ff9eb) | |
1186 return 0; /* key is invalid */ | |
1187 | |
1188 /* | |
1189 * Find the cipher-type string. | |
1190 */ | |
1191 answer = 0; | |
1192 pos = 8; | |
1193 if (key->keyblob_len < pos+4) | |
1194 goto done; /* key is far too short */ | |
1195 pos += 4 + GET_32BIT(key->keyblob + pos); /* skip key type */ | |
1196 if (key->keyblob_len < pos+4) | |
1197 goto done; /* key is far too short */ | |
1198 len = GET_32BIT(key->keyblob + pos); /* find cipher-type length */ | |
1199 if (key->keyblob_len < pos+4+len) | |
1200 goto done; /* cipher type string is incomplete */ | |
1201 if (len != 4 || 0 != memcmp(key->keyblob + pos + 4, "none", 4)) | |
1202 answer = 1; | |
1203 | |
1204 done: | |
1205 *comment = dupstr(key->comment); | |
1206 memset(key->keyblob, 0, key->keyblob_size); | |
1207 m_free(key->keyblob); | |
1208 memset(&key, 0, sizeof(key)); | |
1209 m_free(key); | |
1210 return answer; | |
1211 } | |
1212 | |
1213 static int sshcom_read_mpint(void *data, int len, struct mpint_pos *ret) | |
1214 { | |
1215 int bits; | |
1216 int bytes; | |
1217 unsigned char *d = (unsigned char *) data; | |
1218 | |
1219 if (len < 4) | |
1220 goto error; | |
1221 bits = GET_32BIT(d); | |
1222 | |
1223 bytes = (bits + 7) / 8; | |
1224 if (len < 4+bytes) | |
1225 goto error; | |
1226 | |
1227 ret->start = d + 4; | |
1228 ret->bytes = bytes; | |
1229 return bytes+4; | |
1230 | |
1231 error: | |
1232 ret->start = NULL; | |
1233 ret->bytes = -1; | |
1234 return len; /* ensure further calls fail as well */ | |
1235 } | |
1236 | |
1237 static int sshcom_put_mpint(void *target, void *data, int len) | |
1238 { | |
1239 unsigned char *d = (unsigned char *)target; | |
1240 unsigned char *i = (unsigned char *)data; | |
1241 int bits = len * 8 - 1; | |
1242 | |
1243 while (bits > 0) { | |
1244 if (*i & (1 << (bits & 7))) | |
1245 break; | |
1246 if (!(bits-- & 7)) | |
1247 i++, len--; | |
1248 } | |
1249 | |
1250 PUT_32BIT(d, bits+1); | |
1251 memcpy(d+4, i, len); | |
1252 return len+4; | |
1253 } | |
1254 | |
1255 sign_key *sshcom_read(const char *filename, char *passphrase) | |
1256 { | |
1257 struct sshcom_key *key = load_sshcom_key(filename); | |
1258 char *errmsg; | |
1259 int pos, len; | |
1260 const char prefix_rsa[] = "if-modn{sign{rsa"; | |
1261 const char prefix_dsa[] = "dl-modp{sign{dsa"; | |
1262 enum { RSA, DSA } type; | |
1263 int encrypted; | |
1264 char *ciphertext; | |
1265 int cipherlen; | |
1266 struct ssh2_userkey *ret = NULL, *retkey; | |
1267 const struct ssh_signkey *alg; | |
1268 unsigned char *blob = NULL; | |
1269 int blobsize, publen, privlen; | |
1270 | |
1271 if (!key) | |
1272 return NULL; | |
1273 | |
1274 /* | |
1275 * Check magic number. | |
1276 */ | |
1277 if (GET_32BIT(key->keyblob) != SSHCOM_MAGIC_NUMBER) { | |
1278 errmsg = "Key does not begin with magic number"; | |
1279 goto error; | |
1280 } | |
1281 | |
1282 /* | |
1283 * Determine the key type. | |
1284 */ | |
1285 pos = 8; | |
1286 if (key->keyblob_len < pos+4 || | |
1287 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) { | |
1288 errmsg = "Key blob does not contain a key type string"; | |
1289 goto error; | |
1290 } | |
1291 if (len > sizeof(prefix_rsa) - 1 && | |
1292 !memcmp(key->keyblob+pos+4, prefix_rsa, sizeof(prefix_rsa) - 1)) { | |
1293 type = RSA; | |
1294 } else if (len > sizeof(prefix_dsa) - 1 && | |
1295 !memcmp(key->keyblob+pos+4, prefix_dsa, sizeof(prefix_dsa) - 1)) { | |
1296 type = DSA; | |
1297 } else { | |
1298 errmsg = "Key is of unknown type"; | |
1299 goto error; | |
1300 } | |
1301 pos += 4+len; | |
1302 | |
1303 /* | |
1304 * Determine the cipher type. | |
1305 */ | |
1306 if (key->keyblob_len < pos+4 || | |
1307 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) { | |
1308 errmsg = "Key blob does not contain a cipher type string"; | |
1309 goto error; | |
1310 } | |
1311 if (len == 4 && !memcmp(key->keyblob+pos+4, "none", 4)) | |
1312 encrypted = 0; | |
1313 else if (len == 8 && !memcmp(key->keyblob+pos+4, "3des-cbc", 8)) | |
1314 encrypted = 1; | |
1315 else { | |
1316 errmsg = "Key encryption is of unknown type"; | |
1317 goto error; | |
1318 } | |
1319 pos += 4+len; | |
1320 | |
1321 /* | |
1322 * Get hold of the encrypted part of the key. | |
1323 */ | |
1324 if (key->keyblob_len < pos+4 || | |
1325 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) { | |
1326 errmsg = "Key blob does not contain actual key data"; | |
1327 goto error; | |
1328 } | |
1329 ciphertext = (char *)key->keyblob + pos + 4; | |
1330 cipherlen = len; | |
1331 if (cipherlen == 0) { | |
1332 errmsg = "Length of key data is zero"; | |
1333 goto error; | |
1334 } | |
1335 | |
1336 /* | |
1337 * Decrypt it if necessary. | |
1338 */ | |
1339 if (encrypted) { | |
1340 /* | |
1341 * Derive encryption key from passphrase and iv/salt: | |
1342 * | |
1343 * - let block A equal MD5(passphrase) | |
1344 * - let block B equal MD5(passphrase || A) | |
1345 * - block C would be MD5(passphrase || A || B) and so on | |
1346 * - encryption key is the first N bytes of A || B | |
1347 */ | |
1348 struct MD5Context md5c; | |
1349 unsigned char keybuf[32], iv[8]; | |
1350 | |
1351 if (cipherlen % 8 != 0) { | |
1352 errmsg = "Encrypted part of key is not a multiple of cipher block" | |
1353 " size"; | |
1354 goto error; | |
1355 } | |
1356 | |
1357 MD5Init(&md5c); | |
1358 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1359 MD5Final(keybuf, &md5c); | |
1360 | |
1361 MD5Init(&md5c); | |
1362 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1363 MD5Update(&md5c, keybuf, 16); | |
1364 MD5Final(keybuf+16, &md5c); | |
1365 | |
1366 /* | |
1367 * Now decrypt the key blob. | |
1368 */ | |
1369 memset(iv, 0, sizeof(iv)); | |
1370 des3_decrypt_pubkey_ossh(keybuf, iv, (unsigned char *)ciphertext, | |
1371 cipherlen); | |
1372 | |
1373 memset(&md5c, 0, sizeof(md5c)); | |
1374 memset(keybuf, 0, sizeof(keybuf)); | |
1375 | |
1376 /* | |
1377 * Hereafter we return WRONG_PASSPHRASE for any parsing | |
1378 * error. (But only if we've just tried to decrypt it! | |
1379 * Returning WRONG_PASSPHRASE for an unencrypted key is | |
1380 * automatic doom.) | |
1381 */ | |
1382 if (encrypted) | |
1383 ret = SSH2_WRONG_PASSPHRASE; | |
1384 } | |
1385 | |
1386 /* | |
1387 * Strip away the containing string to get to the real meat. | |
1388 */ | |
1389 len = GET_32BIT(ciphertext); | |
1390 if (len > cipherlen-4) { | |
1391 errmsg = "containing string was ill-formed"; | |
1392 goto error; | |
1393 } | |
1394 ciphertext += 4; | |
1395 cipherlen = len; | |
1396 | |
1397 /* | |
1398 * Now we break down into RSA versus DSA. In either case we'll | |
1399 * construct public and private blobs in our own format, and | |
1400 * end up feeding them to alg->createkey(). | |
1401 */ | |
1402 blobsize = cipherlen + 256; | |
1403 blob = snewn(blobsize, unsigned char); | |
1404 privlen = 0; | |
1405 if (type == RSA) { | |
1406 struct mpint_pos n, e, d, u, p, q; | |
1407 int pos = 0; | |
1408 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &e); | |
1409 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &d); | |
1410 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &n); | |
1411 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &u); | |
1412 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p); | |
1413 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q); | |
1414 if (!q.start) { | |
1415 errmsg = "key data did not contain six integers"; | |
1416 goto error; | |
1417 } | |
1418 | |
1419 alg = &ssh_rsa; | |
1420 pos = 0; | |
1421 pos += put_string(blob+pos, "ssh-rsa", 7); | |
1422 pos += put_mp(blob+pos, e.start, e.bytes); | |
1423 pos += put_mp(blob+pos, n.start, n.bytes); | |
1424 publen = pos; | |
1425 pos += put_string(blob+pos, d.start, d.bytes); | |
1426 pos += put_mp(blob+pos, q.start, q.bytes); | |
1427 pos += put_mp(blob+pos, p.start, p.bytes); | |
1428 pos += put_mp(blob+pos, u.start, u.bytes); | |
1429 privlen = pos - publen; | |
1430 } else if (type == DSA) { | |
1431 struct mpint_pos p, q, g, x, y; | |
1432 int pos = 4; | |
1433 if (GET_32BIT(ciphertext) != 0) { | |
1434 errmsg = "predefined DSA parameters not supported"; | |
1435 goto error; | |
1436 } | |
1437 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p); | |
1438 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &g); | |
1439 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q); | |
1440 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &y); | |
1441 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &x); | |
1442 if (!x.start) { | |
1443 errmsg = "key data did not contain five integers"; | |
1444 goto error; | |
1445 } | |
1446 | |
1447 alg = &ssh_dss; | |
1448 pos = 0; | |
1449 pos += put_string(blob+pos, "ssh-dss", 7); | |
1450 pos += put_mp(blob+pos, p.start, p.bytes); | |
1451 pos += put_mp(blob+pos, q.start, q.bytes); | |
1452 pos += put_mp(blob+pos, g.start, g.bytes); | |
1453 pos += put_mp(blob+pos, y.start, y.bytes); | |
1454 publen = pos; | |
1455 pos += put_mp(blob+pos, x.start, x.bytes); | |
1456 privlen = pos - publen; | |
1457 } | |
1458 | |
1459 dropbear_assert(privlen > 0); /* should have bombed by now if not */ | |
1460 | |
1461 retkey = snew(struct ssh2_userkey); | |
1462 retkey->alg = alg; | |
1463 retkey->data = alg->createkey(blob, publen, blob+publen, privlen); | |
1464 if (!retkey->data) { | |
1465 m_free(retkey); | |
1466 errmsg = "unable to create key data structure"; | |
1467 goto error; | |
1468 } | |
1469 retkey->comment = dupstr(key->comment); | |
1470 | |
1471 errmsg = NULL; /* no error */ | |
1472 ret = retkey; | |
1473 | |
1474 error: | |
1475 if (blob) { | |
1476 memset(blob, 0, blobsize); | |
1477 m_free(blob); | |
1478 } | |
1479 memset(key->keyblob, 0, key->keyblob_size); | |
1480 m_free(key->keyblob); | |
1481 memset(&key, 0, sizeof(key)); | |
1482 m_free(key); | |
1483 return ret; | |
1484 } | |
1485 | |
1486 int sshcom_write(const char *filename, sign_key *key, | |
1487 char *passphrase) | |
1488 { | |
1489 unsigned char *pubblob, *privblob; | |
1490 int publen, privlen; | |
1491 unsigned char *outblob; | |
1492 int outlen; | |
1493 struct mpint_pos numbers[6]; | |
1494 int nnumbers, initial_zero, pos, lenpos, i; | |
1495 char *type; | |
1496 char *ciphertext; | |
1497 int cipherlen; | |
1498 int ret = 0; | |
1499 FILE *fp; | |
1500 | |
1501 /* | |
1502 * Fetch the key blobs. | |
1503 */ | |
1504 pubblob = key->alg->public_blob(key->data, &publen); | |
1505 privblob = key->alg->private_blob(key->data, &privlen); | |
1506 outblob = NULL; | |
1507 | |
1508 /* | |
1509 * Find the sequence of integers to be encoded into the OpenSSH | |
1510 * key blob, and also decide on the header line. | |
1511 */ | |
1512 if (key->alg == &ssh_rsa) { | |
1513 int pos; | |
1514 struct mpint_pos n, e, d, p, q, iqmp; | |
1515 | |
1516 pos = 4 + GET_32BIT(pubblob); | |
1517 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &e); | |
1518 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &n); | |
1519 pos = 0; | |
1520 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &d); | |
1521 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &p); | |
1522 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &q); | |
1523 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &iqmp); | |
1524 | |
1525 dropbear_assert(e.start && iqmp.start); /* can't go wrong */ | |
1526 | |
1527 numbers[0] = e; | |
1528 numbers[1] = d; | |
1529 numbers[2] = n; | |
1530 numbers[3] = iqmp; | |
1531 numbers[4] = q; | |
1532 numbers[5] = p; | |
1533 | |
1534 nnumbers = 6; | |
1535 initial_zero = 0; | |
1536 type = "if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}"; | |
1537 } else if (key->alg == &ssh_dss) { | |
1538 int pos; | |
1539 struct mpint_pos p, q, g, y, x; | |
1540 | |
1541 pos = 4 + GET_32BIT(pubblob); | |
1542 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &p); | |
1543 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &q); | |
1544 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &g); | |
1545 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &y); | |
1546 pos = 0; | |
1547 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &x); | |
1548 | |
1549 dropbear_assert(y.start && x.start); /* can't go wrong */ | |
1550 | |
1551 numbers[0] = p; | |
1552 numbers[1] = g; | |
1553 numbers[2] = q; | |
1554 numbers[3] = y; | |
1555 numbers[4] = x; | |
1556 | |
1557 nnumbers = 5; | |
1558 initial_zero = 1; | |
1559 type = "dl-modp{sign{dsa-nist-sha1},dh{plain}}"; | |
1560 } else { | |
1561 dropbear_assert(0); /* zoinks! */ | |
1562 } | |
1563 | |
1564 /* | |
1565 * Total size of key blob will be somewhere under 512 plus | |
1566 * combined length of integers. We'll calculate the more | |
1567 * precise size as we construct the blob. | |
1568 */ | |
1569 outlen = 512; | |
1570 for (i = 0; i < nnumbers; i++) | |
1571 outlen += 4 + numbers[i].bytes; | |
1572 outblob = snewn(outlen, unsigned char); | |
1573 | |
1574 /* | |
1575 * Create the unencrypted key blob. | |
1576 */ | |
1577 pos = 0; | |
1578 PUT_32BIT(outblob+pos, SSHCOM_MAGIC_NUMBER); pos += 4; | |
1579 pos += 4; /* length field, fill in later */ | |
1580 pos += put_string(outblob+pos, type, strlen(type)); | |
1581 { | |
1582 char *ciphertype = passphrase ? "3des-cbc" : "none"; | |
1583 pos += put_string(outblob+pos, ciphertype, strlen(ciphertype)); | |
1584 } | |
1585 lenpos = pos; /* remember this position */ | |
1586 pos += 4; /* encrypted-blob size */ | |
1587 pos += 4; /* encrypted-payload size */ | |
1588 if (initial_zero) { | |
1589 PUT_32BIT(outblob+pos, 0); | |
1590 pos += 4; | |
1591 } | |
1592 for (i = 0; i < nnumbers; i++) | |
1593 pos += sshcom_put_mpint(outblob+pos, | |
1594 numbers[i].start, numbers[i].bytes); | |
1595 /* Now wrap up the encrypted payload. */ | |
1596 PUT_32BIT(outblob+lenpos+4, pos - (lenpos+8)); | |
1597 /* Pad encrypted blob to a multiple of cipher block size. */ | |
1598 if (passphrase) { | |
1599 int padding = -(pos - (lenpos+4)) & 7; | |
1600 while (padding--) | |
1601 outblob[pos++] = random_byte(); | |
1602 } | |
1603 ciphertext = (char *)outblob+lenpos+4; | |
1604 cipherlen = pos - (lenpos+4); | |
1605 dropbear_assert(!passphrase || cipherlen % 8 == 0); | |
1606 /* Wrap up the encrypted blob string. */ | |
1607 PUT_32BIT(outblob+lenpos, cipherlen); | |
1608 /* And finally fill in the total length field. */ | |
1609 PUT_32BIT(outblob+4, pos); | |
1610 | |
1611 dropbear_assert(pos < outlen); | |
1612 | |
1613 /* | |
1614 * Encrypt the key. | |
1615 */ | |
1616 if (passphrase) { | |
1617 /* | |
1618 * Derive encryption key from passphrase and iv/salt: | |
1619 * | |
1620 * - let block A equal MD5(passphrase) | |
1621 * - let block B equal MD5(passphrase || A) | |
1622 * - block C would be MD5(passphrase || A || B) and so on | |
1623 * - encryption key is the first N bytes of A || B | |
1624 */ | |
1625 struct MD5Context md5c; | |
1626 unsigned char keybuf[32], iv[8]; | |
1627 | |
1628 MD5Init(&md5c); | |
1629 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1630 MD5Final(keybuf, &md5c); | |
1631 | |
1632 MD5Init(&md5c); | |
1633 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1634 MD5Update(&md5c, keybuf, 16); | |
1635 MD5Final(keybuf+16, &md5c); | |
1636 | |
1637 /* | |
1638 * Now decrypt the key blob. | |
1639 */ | |
1640 memset(iv, 0, sizeof(iv)); | |
1641 des3_encrypt_pubkey_ossh(keybuf, iv, (unsigned char *)ciphertext, | |
1642 cipherlen); | |
1643 | |
1644 memset(&md5c, 0, sizeof(md5c)); | |
1645 memset(keybuf, 0, sizeof(keybuf)); | |
1646 } | |
1647 | |
1648 /* | |
1649 * And save it. We'll use Unix line endings just in case it's | |
1650 * subsequently transferred in binary mode. | |
1651 */ | |
1652 fp = fopen(filename, "wb"); /* ensure Unix line endings */ | |
1653 if (!fp) | |
1654 goto error; | |
1655 fputs("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n", fp); | |
1656 fprintf(fp, "Comment: \""); | |
1657 /* | |
1658 * Comment header is broken with backslash-newline if it goes | |
1659 * over 70 chars. Although it's surrounded by quotes, it | |
1660 * _doesn't_ escape backslashes or quotes within the string. | |
1661 * Don't ask me, I didn't design it. | |
1662 */ | |
1663 { | |
1664 int slen = 60; /* starts at 60 due to "Comment: " */ | |
1665 char *c = key->comment; | |
1666 while ((int)strlen(c) > slen) { | |
1667 fprintf(fp, "%.*s\\\n", slen, c); | |
1668 c += slen; | |
1669 slen = 70; /* allow 70 chars on subsequent lines */ | |
1670 } | |
1671 fprintf(fp, "%s\"\n", c); | |
1672 } | |
1673 base64_encode_fp(fp, outblob, pos, 70); | |
1674 fputs("---- END SSH2 ENCRYPTED PRIVATE KEY ----\n", fp); | |
1675 fclose(fp); | |
1676 ret = 1; | |
1677 | |
1678 error: | |
1679 if (outblob) { | |
1680 memset(outblob, 0, outlen); | |
1681 m_free(outblob); | |
1682 } | |
1683 if (privblob) { | |
1684 memset(privblob, 0, privlen); | |
1685 m_free(privblob); | |
1686 } | |
1687 if (pubblob) { | |
1688 memset(pubblob, 0, publen); | |
1689 m_free(pubblob); | |
1690 } | |
1691 return ret; | |
1692 } | |
1693 #endif /* ssh.com stuff disabled */ |