Mercurial > dropbear
comparison keyimport.c @ 285:1b9e69c058d2
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3)
to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 08 Mar 2006 13:23:58 +0000 |
parents | ac890087b8c1 |
children | 740e782679be 454a34b2dfd1 |
comparison
equal
deleted
inserted
replaced
281:997e6f7dc01e | 285:1b9e69c058d2 |
---|---|
1 /* | |
2 * Based on PuTTY's import.c for importing/exporting OpenSSH and SSH.com | |
3 * keyfiles. | |
4 * | |
5 * The horribleness of the code is probably mine (matt). | |
6 * | |
7 * Modifications copyright 2003 Matt Johnston | |
8 * | |
9 * PuTTY is copyright 1997-2003 Simon Tatham. | |
10 * | |
11 * Portions copyright Robert de Bath, Joris van Rantwijk, Delian | |
12 * Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, | |
13 * Justin Bradford, and CORE SDI S.A. | |
14 * | |
15 * Permission is hereby granted, free of charge, to any person | |
16 * obtaining a copy of this software and associated documentation files | |
17 * (the "Software"), to deal in the Software without restriction, | |
18 * including without limitation the rights to use, copy, modify, merge, | |
19 * publish, distribute, sublicense, and/or sell copies of the Software, | |
20 * and to permit persons to whom the Software is furnished to do so, | |
21 * subject to the following conditions: | |
22 * | |
23 * The above copyright notice and this permission notice shall be | |
24 * included in all copies or substantial portions of the Software. | |
25 * | |
26 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
27 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
28 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | |
29 * NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE | |
30 * FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF | |
31 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION | |
32 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
33 */ | |
34 | |
35 #include "keyimport.h" | |
36 #include "bignum.h" | |
37 #include "buffer.h" | |
38 #include "dbutil.h" | |
39 | |
40 #define PUT_32BIT(cp, value) do { \ | |
41 (cp)[3] = (unsigned char)(value); \ | |
42 (cp)[2] = (unsigned char)((value) >> 8); \ | |
43 (cp)[1] = (unsigned char)((value) >> 16); \ | |
44 (cp)[0] = (unsigned char)((value) >> 24); } while (0) | |
45 | |
46 #define GET_32BIT(cp) \ | |
47 (((unsigned long)(unsigned char)(cp)[0] << 24) | \ | |
48 ((unsigned long)(unsigned char)(cp)[1] << 16) | \ | |
49 ((unsigned long)(unsigned char)(cp)[2] << 8) | \ | |
50 ((unsigned long)(unsigned char)(cp)[3])) | |
51 | |
52 static int openssh_encrypted(const char *filename); | |
53 static sign_key *openssh_read(const char *filename, char *passphrase); | |
54 static int openssh_write(const char *filename, sign_key *key, | |
55 char *passphrase); | |
56 | |
57 static int dropbear_write(const char*filename, sign_key * key); | |
58 static sign_key *dropbear_read(const char* filename); | |
59 | |
60 #if 0 | |
61 static int sshcom_encrypted(const char *filename, char **comment); | |
62 static struct ssh2_userkey *sshcom_read(const char *filename, char *passphrase); | |
63 static int sshcom_write(const char *filename, struct ssh2_userkey *key, | |
64 char *passphrase); | |
65 #endif | |
66 | |
67 int import_encrypted(const char* filename, int filetype) { | |
68 | |
69 if (filetype == KEYFILE_OPENSSH) { | |
70 return openssh_encrypted(filename); | |
71 #if 0 | |
72 } else if (filetype == KEYFILE_SSHCOM) { | |
73 return sshcom_encrypted(filename, NULL); | |
74 #endif | |
75 } | |
76 return 0; | |
77 } | |
78 | |
79 sign_key *import_read(const char *filename, char *passphrase, int filetype) { | |
80 | |
81 if (filetype == KEYFILE_OPENSSH) { | |
82 return openssh_read(filename, passphrase); | |
83 } else if (filetype == KEYFILE_DROPBEAR) { | |
84 return dropbear_read(filename); | |
85 #if 0 | |
86 } else if (filetype == KEYFILE_SSHCOM) { | |
87 return sshcom_read(filename, passphrase); | |
88 #endif | |
89 } | |
90 return NULL; | |
91 } | |
92 | |
93 int import_write(const char *filename, sign_key *key, char *passphrase, | |
94 int filetype) { | |
95 | |
96 if (filetype == KEYFILE_OPENSSH) { | |
97 return openssh_write(filename, key, passphrase); | |
98 } else if (filetype == KEYFILE_DROPBEAR) { | |
99 return dropbear_write(filename, key); | |
100 #if 0 | |
101 } else if (filetype == KEYFILE_SSHCOM) { | |
102 return sshcom_write(filename, key, passphrase); | |
103 #endif | |
104 } | |
105 return 0; | |
106 } | |
107 | |
108 static sign_key *dropbear_read(const char* filename) { | |
109 | |
110 buffer * buf = NULL; | |
111 sign_key *ret = NULL; | |
112 int type; | |
113 | |
114 buf = buf_new(MAX_PRIVKEY_SIZE); | |
115 if (buf_readfile(buf, filename) == DROPBEAR_FAILURE) { | |
116 goto error; | |
117 } | |
118 | |
119 buf_setpos(buf, 0); | |
120 ret = new_sign_key(); | |
121 | |
122 type = DROPBEAR_SIGNKEY_ANY; | |
123 if (buf_get_priv_key(buf, ret, &type) == DROPBEAR_FAILURE){ | |
124 goto error; | |
125 } | |
126 buf_free(buf); | |
127 | |
128 return ret; | |
129 | |
130 error: | |
131 if (buf) { | |
132 buf_free(buf); | |
133 } | |
134 if (ret) { | |
135 sign_key_free(ret); | |
136 } | |
137 return NULL; | |
138 } | |
139 | |
140 /* returns 0 on fail, 1 on success */ | |
141 static int dropbear_write(const char*filename, sign_key * key) { | |
142 | |
143 int keytype = -1; | |
144 buffer * buf; | |
145 FILE*fp; | |
146 int len; | |
147 int ret; | |
148 | |
149 #ifdef DROPBEAR_RSA | |
150 if (key->rsakey != NULL) { | |
151 keytype = DROPBEAR_SIGNKEY_RSA; | |
152 } | |
153 #endif | |
154 #ifdef DROPBEAR_DSS | |
155 if (key->dsskey != NULL) { | |
156 keytype = DROPBEAR_SIGNKEY_DSS; | |
157 } | |
158 #endif | |
159 | |
160 buf = buf_new(MAX_PRIVKEY_SIZE); | |
161 buf_put_priv_key(buf, key, keytype); | |
162 | |
163 fp = fopen(filename, "w"); | |
164 if (!fp) { | |
165 ret = 0; | |
166 goto out; | |
167 } | |
168 | |
169 buf_setpos(buf, 0); | |
170 do { | |
171 len = fwrite(buf_getptr(buf, buf->len - buf->pos), | |
172 1, buf->len - buf->pos, fp); | |
173 buf_incrpos(buf, len); | |
174 } while (len > 0 && buf->len != buf->pos); | |
175 | |
176 fclose(fp); | |
177 | |
178 if (buf->pos != buf->len) { | |
179 ret = 0; | |
180 } else { | |
181 ret = 1; | |
182 } | |
183 out: | |
184 buf_free(buf); | |
185 return ret; | |
186 } | |
187 | |
188 | |
189 /* ---------------------------------------------------------------------- | |
190 * Helper routines. (The base64 ones are defined in sshpubk.c.) | |
191 */ | |
192 | |
193 #define isbase64(c) ( ((c) >= 'A' && (c) <= 'Z') || \ | |
194 ((c) >= 'a' && (c) <= 'z') || \ | |
195 ((c) >= '0' && (c) <= '9') || \ | |
196 (c) == '+' || (c) == '/' || (c) == '=' \ | |
197 ) | |
198 | |
199 /* cpl has to be less than 100 */ | |
200 static void base64_encode_fp(FILE * fp, unsigned char *data, | |
201 int datalen, int cpl) | |
202 { | |
203 char out[100]; | |
204 int n; | |
205 unsigned long outlen; | |
206 int rawcpl; | |
207 rawcpl = cpl * 3 / 4; | |
208 dropbear_assert((unsigned int)cpl < sizeof(out)); | |
209 | |
210 while (datalen > 0) { | |
211 n = (datalen < rawcpl ? datalen : rawcpl); | |
212 outlen = sizeof(out); | |
213 base64_encode(data, n, out, &outlen); | |
214 data += n; | |
215 datalen -= n; | |
216 fwrite(out, 1, outlen, fp); | |
217 fputc('\n', fp); | |
218 } | |
219 } | |
220 /* | |
221 * Read an ASN.1/BER identifier and length pair. | |
222 * | |
223 * Flags are a combination of the #defines listed below. | |
224 * | |
225 * Returns -1 if unsuccessful; otherwise returns the number of | |
226 * bytes used out of the source data. | |
227 */ | |
228 | |
229 /* ASN.1 tag classes. */ | |
230 #define ASN1_CLASS_UNIVERSAL (0 << 6) | |
231 #define ASN1_CLASS_APPLICATION (1 << 6) | |
232 #define ASN1_CLASS_CONTEXT_SPECIFIC (2 << 6) | |
233 #define ASN1_CLASS_PRIVATE (3 << 6) | |
234 #define ASN1_CLASS_MASK (3 << 6) | |
235 | |
236 /* Primitive versus constructed bit. */ | |
237 #define ASN1_CONSTRUCTED (1 << 5) | |
238 | |
239 static int ber_read_id_len(void *source, int sourcelen, | |
240 int *id, int *length, int *flags) | |
241 { | |
242 unsigned char *p = (unsigned char *) source; | |
243 | |
244 if (sourcelen == 0) | |
245 return -1; | |
246 | |
247 *flags = (*p & 0xE0); | |
248 if ((*p & 0x1F) == 0x1F) { | |
249 *id = 0; | |
250 while (*p & 0x80) { | |
251 *id = (*id << 7) | (*p & 0x7F); | |
252 p++, sourcelen--; | |
253 if (sourcelen == 0) | |
254 return -1; | |
255 } | |
256 *id = (*id << 7) | (*p & 0x7F); | |
257 p++, sourcelen--; | |
258 } else { | |
259 *id = *p & 0x1F; | |
260 p++, sourcelen--; | |
261 } | |
262 | |
263 if (sourcelen == 0) | |
264 return -1; | |
265 | |
266 if (*p & 0x80) { | |
267 int n = *p & 0x7F; | |
268 p++, sourcelen--; | |
269 if (sourcelen < n) | |
270 return -1; | |
271 *length = 0; | |
272 while (n--) | |
273 *length = (*length << 8) | (*p++); | |
274 sourcelen -= n; | |
275 } else { | |
276 *length = *p; | |
277 p++, sourcelen--; | |
278 } | |
279 | |
280 return p - (unsigned char *) source; | |
281 } | |
282 | |
283 /* | |
284 * Write an ASN.1/BER identifier and length pair. Returns the | |
285 * number of bytes consumed. Assumes dest contains enough space. | |
286 * Will avoid writing anything if dest is NULL, but still return | |
287 * amount of space required. | |
288 */ | |
289 static int ber_write_id_len(void *dest, int id, int length, int flags) | |
290 { | |
291 unsigned char *d = (unsigned char *)dest; | |
292 int len = 0; | |
293 | |
294 if (id <= 30) { | |
295 /* | |
296 * Identifier is one byte. | |
297 */ | |
298 len++; | |
299 if (d) *d++ = id | flags; | |
300 } else { | |
301 int n; | |
302 /* | |
303 * Identifier is multiple bytes: the first byte is 11111 | |
304 * plus the flags, and subsequent bytes encode the value of | |
305 * the identifier, 7 bits at a time, with the top bit of | |
306 * each byte 1 except the last one which is 0. | |
307 */ | |
308 len++; | |
309 if (d) *d++ = 0x1F | flags; | |
310 for (n = 1; (id >> (7*n)) > 0; n++) | |
311 continue; /* count the bytes */ | |
312 while (n--) { | |
313 len++; | |
314 if (d) *d++ = (n ? 0x80 : 0) | ((id >> (7*n)) & 0x7F); | |
315 } | |
316 } | |
317 | |
318 if (length < 128) { | |
319 /* | |
320 * Length is one byte. | |
321 */ | |
322 len++; | |
323 if (d) *d++ = length; | |
324 } else { | |
325 int n; | |
326 /* | |
327 * Length is multiple bytes. The first is 0x80 plus the | |
328 * number of subsequent bytes, and the subsequent bytes | |
329 * encode the actual length. | |
330 */ | |
331 for (n = 1; (length >> (8*n)) > 0; n++) | |
332 continue; /* count the bytes */ | |
333 len++; | |
334 if (d) *d++ = 0x80 | n; | |
335 while (n--) { | |
336 len++; | |
337 if (d) *d++ = (length >> (8*n)) & 0xFF; | |
338 } | |
339 } | |
340 | |
341 return len; | |
342 } | |
343 | |
344 | |
345 /* Simple structure to point to an mp-int within a blob. */ | |
346 struct mpint_pos { void *start; int bytes; }; | |
347 | |
348 /* ---------------------------------------------------------------------- | |
349 * Code to read and write OpenSSH private keys. | |
350 */ | |
351 | |
352 enum { OSSH_DSA, OSSH_RSA }; | |
353 struct openssh_key { | |
354 int type; | |
355 int encrypted; | |
356 char iv[32]; | |
357 unsigned char *keyblob; | |
358 unsigned int keyblob_len, keyblob_size; | |
359 }; | |
360 | |
361 static struct openssh_key *load_openssh_key(const char *filename) | |
362 { | |
363 struct openssh_key *ret; | |
364 FILE *fp; | |
365 char buffer[256]; | |
366 char *errmsg = NULL, *p = NULL; | |
367 int headers_done; | |
368 unsigned long len, outlen; | |
369 | |
370 ret = (struct openssh_key*)m_malloc(sizeof(struct openssh_key)); | |
371 ret->keyblob = NULL; | |
372 ret->keyblob_len = ret->keyblob_size = 0; | |
373 ret->encrypted = 0; | |
374 memset(ret->iv, 0, sizeof(ret->iv)); | |
375 | |
376 if (strlen(filename) == 1 && filename[0] == '-') { | |
377 fp = stdin; | |
378 } else { | |
379 fp = fopen(filename, "r"); | |
380 } | |
381 if (!fp) { | |
382 errmsg = "Unable to open key file"; | |
383 goto error; | |
384 } | |
385 if (!fgets(buffer, sizeof(buffer), fp) || | |
386 0 != strncmp(buffer, "-----BEGIN ", 11) || | |
387 0 != strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n")) { | |
388 errmsg = "File does not begin with OpenSSH key header"; | |
389 goto error; | |
390 } | |
391 if (!strcmp(buffer, "-----BEGIN RSA PRIVATE KEY-----\n")) | |
392 ret->type = OSSH_RSA; | |
393 else if (!strcmp(buffer, "-----BEGIN DSA PRIVATE KEY-----\n")) | |
394 ret->type = OSSH_DSA; | |
395 else { | |
396 errmsg = "Unrecognised key type"; | |
397 goto error; | |
398 } | |
399 | |
400 headers_done = 0; | |
401 while (1) { | |
402 if (!fgets(buffer, sizeof(buffer), fp)) { | |
403 errmsg = "Unexpected end of file"; | |
404 goto error; | |
405 } | |
406 if (0 == strncmp(buffer, "-----END ", 9) && | |
407 0 == strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n")) | |
408 break; /* done */ | |
409 if ((p = strchr(buffer, ':')) != NULL) { | |
410 if (headers_done) { | |
411 errmsg = "Header found in body of key data"; | |
412 goto error; | |
413 } | |
414 *p++ = '\0'; | |
415 while (*p && isspace((unsigned char)*p)) p++; | |
416 if (!strcmp(buffer, "Proc-Type")) { | |
417 if (p[0] != '4' || p[1] != ',') { | |
418 errmsg = "Proc-Type is not 4 (only 4 is supported)"; | |
419 goto error; | |
420 } | |
421 p += 2; | |
422 if (!strcmp(p, "ENCRYPTED\n")) | |
423 ret->encrypted = 1; | |
424 } else if (!strcmp(buffer, "DEK-Info")) { | |
425 int i, j; | |
426 | |
427 if (strncmp(p, "DES-EDE3-CBC,", 13)) { | |
428 errmsg = "Ciphers other than DES-EDE3-CBC not supported"; | |
429 goto error; | |
430 } | |
431 p += 13; | |
432 for (i = 0; i < 8; i++) { | |
433 if (1 != sscanf(p, "%2x", &j)) | |
434 break; | |
435 ret->iv[i] = j; | |
436 p += 2; | |
437 } | |
438 if (i < 8) { | |
439 errmsg = "Expected 16-digit iv in DEK-Info"; | |
440 goto error; | |
441 } | |
442 } | |
443 } else { | |
444 headers_done = 1; | |
445 len = strlen(buffer); | |
446 outlen = len*4/3; | |
447 if (ret->keyblob_len + outlen > ret->keyblob_size) { | |
448 ret->keyblob_size = ret->keyblob_len + outlen + 256; | |
449 ret->keyblob = (unsigned char*)m_realloc(ret->keyblob, | |
450 ret->keyblob_size); | |
451 } | |
452 outlen = ret->keyblob_size - ret->keyblob_len; | |
453 if (base64_decode(buffer, len, | |
454 ret->keyblob + ret->keyblob_len, &outlen) != CRYPT_OK){ | |
455 errmsg = "Error decoding base64"; | |
456 goto error; | |
457 } | |
458 ret->keyblob_len += outlen; | |
459 } | |
460 } | |
461 | |
462 if (ret->keyblob_len == 0 || !ret->keyblob) { | |
463 errmsg = "Key body not present"; | |
464 goto error; | |
465 } | |
466 | |
467 if (ret->encrypted && ret->keyblob_len % 8 != 0) { | |
468 errmsg = "Encrypted key blob is not a multiple of cipher block size"; | |
469 goto error; | |
470 } | |
471 | |
472 memset(buffer, 0, sizeof(buffer)); | |
473 return ret; | |
474 | |
475 error: | |
476 memset(buffer, 0, sizeof(buffer)); | |
477 if (ret) { | |
478 if (ret->keyblob) { | |
479 memset(ret->keyblob, 0, ret->keyblob_size); | |
480 m_free(ret->keyblob); | |
481 } | |
482 memset(&ret, 0, sizeof(ret)); | |
483 m_free(ret); | |
484 } | |
485 if (errmsg) { | |
486 fprintf(stderr, "Error: %s\n", errmsg); | |
487 } | |
488 return NULL; | |
489 } | |
490 | |
491 static int openssh_encrypted(const char *filename) | |
492 { | |
493 struct openssh_key *key = load_openssh_key(filename); | |
494 int ret; | |
495 | |
496 if (!key) | |
497 return 0; | |
498 ret = key->encrypted; | |
499 memset(key->keyblob, 0, key->keyblob_size); | |
500 m_free(key->keyblob); | |
501 memset(&key, 0, sizeof(key)); | |
502 m_free(key); | |
503 return ret; | |
504 } | |
505 | |
506 static sign_key *openssh_read(const char *filename, char *passphrase) | |
507 { | |
508 struct openssh_key *key; | |
509 unsigned char *p; | |
510 int ret, id, len, flags; | |
511 int i, num_integers = 0; | |
512 sign_key *retval = NULL; | |
513 char *errmsg; | |
514 char *modptr = NULL; | |
515 int modlen = -9999; | |
516 int type; | |
517 | |
518 sign_key *retkey; | |
519 buffer * blobbuf = NULL; | |
520 | |
521 key = load_openssh_key(filename); | |
522 | |
523 if (!key) | |
524 return NULL; | |
525 | |
526 if (key->encrypted) { | |
527 errmsg = "encrypted keys not supported currently"; | |
528 goto error; | |
529 #if 0 | |
530 /* matt TODO */ | |
531 /* | |
532 * Derive encryption key from passphrase and iv/salt: | |
533 * | |
534 * - let block A equal MD5(passphrase || iv) | |
535 * - let block B equal MD5(A || passphrase || iv) | |
536 * - block C would be MD5(B || passphrase || iv) and so on | |
537 * - encryption key is the first N bytes of A || B | |
538 */ | |
539 struct MD5Context md5c; | |
540 unsigned char keybuf[32]; | |
541 | |
542 MD5Init(&md5c); | |
543 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
544 MD5Update(&md5c, (unsigned char *)key->iv, 8); | |
545 MD5Final(keybuf, &md5c); | |
546 | |
547 MD5Init(&md5c); | |
548 MD5Update(&md5c, keybuf, 16); | |
549 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
550 MD5Update(&md5c, (unsigned char *)key->iv, 8); | |
551 MD5Final(keybuf+16, &md5c); | |
552 | |
553 /* | |
554 * Now decrypt the key blob. | |
555 */ | |
556 des3_decrypt_pubkey_ossh(keybuf, (unsigned char *)key->iv, | |
557 key->keyblob, key->keyblob_len); | |
558 | |
559 memset(&md5c, 0, sizeof(md5c)); | |
560 memset(keybuf, 0, sizeof(keybuf)); | |
561 #endif | |
562 } | |
563 | |
564 /* | |
565 * Now we have a decrypted key blob, which contains an ASN.1 | |
566 * encoded private key. We must now untangle the ASN.1. | |
567 * | |
568 * We expect the whole key blob to be formatted as a SEQUENCE | |
569 * (0x30 followed by a length code indicating that the rest of | |
570 * the blob is part of the sequence). Within that SEQUENCE we | |
571 * expect to see a bunch of INTEGERs. What those integers mean | |
572 * depends on the key type: | |
573 * | |
574 * - For RSA, we expect the integers to be 0, n, e, d, p, q, | |
575 * dmp1, dmq1, iqmp in that order. (The last three are d mod | |
576 * (p-1), d mod (q-1), inverse of q mod p respectively.) | |
577 * | |
578 * - For DSA, we expect them to be 0, p, q, g, y, x in that | |
579 * order. | |
580 */ | |
581 | |
582 p = key->keyblob; | |
583 | |
584 /* Expect the SEQUENCE header. Take its absence as a failure to decrypt. */ | |
585 ret = ber_read_id_len(p, key->keyblob_len, &id, &len, &flags); | |
586 p += ret; | |
587 if (ret < 0 || id != 16) { | |
588 errmsg = "ASN.1 decoding failure - wrong password?"; | |
589 goto error; | |
590 } | |
591 | |
592 /* Expect a load of INTEGERs. */ | |
593 if (key->type == OSSH_RSA) | |
594 num_integers = 9; | |
595 else if (key->type == OSSH_DSA) | |
596 num_integers = 6; | |
597 | |
598 /* | |
599 * Space to create key blob in. | |
600 */ | |
601 blobbuf = buf_new(3000); | |
602 | |
603 if (key->type == OSSH_DSA) { | |
604 buf_putstring(blobbuf, "ssh-dss", 7); | |
605 } else if (key->type == OSSH_RSA) { | |
606 buf_putstring(blobbuf, "ssh-rsa", 7); | |
607 } | |
608 | |
609 for (i = 0; i < num_integers; i++) { | |
610 ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, | |
611 &id, &len, &flags); | |
612 p += ret; | |
613 if (ret < 0 || id != 2 || | |
614 key->keyblob+key->keyblob_len-p < len) { | |
615 errmsg = "ASN.1 decoding failure"; | |
616 goto error; | |
617 } | |
618 | |
619 if (i == 0) { | |
620 /* | |
621 * The first integer should be zero always (I think | |
622 * this is some sort of version indication). | |
623 */ | |
624 if (len != 1 || p[0] != 0) { | |
625 errmsg = "Version number mismatch"; | |
626 goto error; | |
627 } | |
628 } else if (key->type == OSSH_RSA) { | |
629 /* | |
630 * OpenSSH key order is n, e, d, p, q, dmp1, dmq1, iqmp | |
631 * but we want e, n, d, p, q | |
632 */ | |
633 if (i == 1) { | |
634 /* Save the details for after we deal with number 2. */ | |
635 modptr = (char *)p; | |
636 modlen = len; | |
637 } else if (i >= 2 && i <= 5) { | |
638 buf_putstring(blobbuf, p, len); | |
639 if (i == 2) { | |
640 buf_putstring(blobbuf, modptr, modlen); | |
641 } | |
642 } | |
643 } else if (key->type == OSSH_DSA) { | |
644 /* | |
645 * OpenSSH key order is p, q, g, y, x, | |
646 * we want the same. | |
647 */ | |
648 buf_putstring(blobbuf, p, len); | |
649 } | |
650 | |
651 /* Skip past the number. */ | |
652 p += len; | |
653 } | |
654 | |
655 /* | |
656 * Now put together the actual key. Simplest way to do this is | |
657 * to assemble our own key blobs and feed them to the createkey | |
658 * functions; this is a bit faffy but it does mean we get all | |
659 * the sanity checks for free. | |
660 */ | |
661 retkey = new_sign_key(); | |
662 buf_setpos(blobbuf, 0); | |
663 type = DROPBEAR_SIGNKEY_ANY; | |
664 if (buf_get_priv_key(blobbuf, retkey, &type) | |
665 != DROPBEAR_SUCCESS) { | |
666 errmsg = "unable to create key structure"; | |
667 sign_key_free(retkey); | |
668 retkey = NULL; | |
669 goto error; | |
670 } | |
671 | |
672 errmsg = NULL; /* no error */ | |
673 retval = retkey; | |
674 | |
675 error: | |
676 if (blobbuf) { | |
677 buf_burn(blobbuf); | |
678 buf_free(blobbuf); | |
679 } | |
680 m_burn(key->keyblob, key->keyblob_size); | |
681 m_free(key->keyblob); | |
682 m_burn(key, sizeof(key)); | |
683 m_free(key); | |
684 if (errmsg) { | |
685 fprintf(stderr, "Error: %s\n", errmsg); | |
686 } | |
687 return retval; | |
688 } | |
689 | |
690 static int openssh_write(const char *filename, sign_key *key, | |
691 char *passphrase) | |
692 { | |
693 buffer * keyblob = NULL; | |
694 buffer * extrablob = NULL; /* used for calculated values to write */ | |
695 unsigned char *outblob = NULL; | |
696 int outlen = -9999; | |
697 struct mpint_pos numbers[9]; | |
698 int nnumbers = -1, pos, len, seqlen, i; | |
699 char *header = NULL, *footer = NULL; | |
700 char zero[1]; | |
701 unsigned char iv[8]; | |
702 int ret = 0; | |
703 FILE *fp; | |
704 int keytype = -1; | |
705 | |
706 #ifdef DROPBEAR_RSA | |
707 mp_int dmp1, dmq1, iqmp, tmpval; /* for rsa */ | |
708 | |
709 if (key->rsakey != NULL) { | |
710 keytype = DROPBEAR_SIGNKEY_RSA; | |
711 } | |
712 #endif | |
713 #ifdef DROPBEAR_DSS | |
714 if (key->dsskey != NULL) { | |
715 keytype = DROPBEAR_SIGNKEY_DSS; | |
716 } | |
717 #endif | |
718 | |
719 dropbear_assert(keytype != -1); | |
720 | |
721 /* | |
722 * Fetch the key blobs. | |
723 */ | |
724 keyblob = buf_new(3000); | |
725 buf_put_priv_key(keyblob, key, keytype); | |
726 | |
727 buf_setpos(keyblob, 0); | |
728 /* skip the "ssh-rsa" or "ssh-dss" header */ | |
729 buf_incrpos(keyblob, buf_getint(keyblob)); | |
730 | |
731 /* | |
732 * Find the sequence of integers to be encoded into the OpenSSH | |
733 * key blob, and also decide on the header line. | |
734 */ | |
735 numbers[0].start = zero; numbers[0].bytes = 1; zero[0] = '\0'; | |
736 | |
737 #ifdef DROPBEAR_RSA | |
738 if (keytype == DROPBEAR_SIGNKEY_RSA) { | |
739 | |
740 if (key->rsakey->p == NULL || key->rsakey->q == NULL) { | |
741 fprintf(stderr, "Pre-0.33 Dropbear keys cannot be converted to OpenSSH keys.\n"); | |
742 goto error; | |
743 } | |
744 | |
745 /* e */ | |
746 numbers[2].bytes = buf_getint(keyblob); | |
747 numbers[2].start = buf_getptr(keyblob, numbers[2].bytes); | |
748 buf_incrpos(keyblob, numbers[2].bytes); | |
749 | |
750 /* n */ | |
751 numbers[1].bytes = buf_getint(keyblob); | |
752 numbers[1].start = buf_getptr(keyblob, numbers[1].bytes); | |
753 buf_incrpos(keyblob, numbers[1].bytes); | |
754 | |
755 /* d */ | |
756 numbers[3].bytes = buf_getint(keyblob); | |
757 numbers[3].start = buf_getptr(keyblob, numbers[3].bytes); | |
758 buf_incrpos(keyblob, numbers[3].bytes); | |
759 | |
760 /* p */ | |
761 numbers[4].bytes = buf_getint(keyblob); | |
762 numbers[4].start = buf_getptr(keyblob, numbers[4].bytes); | |
763 buf_incrpos(keyblob, numbers[4].bytes); | |
764 | |
765 /* q */ | |
766 numbers[5].bytes = buf_getint(keyblob); | |
767 numbers[5].start = buf_getptr(keyblob, numbers[5].bytes); | |
768 buf_incrpos(keyblob, numbers[5].bytes); | |
769 | |
770 /* now calculate some extra parameters: */ | |
771 m_mp_init(&tmpval); | |
772 m_mp_init(&dmp1); | |
773 m_mp_init(&dmq1); | |
774 m_mp_init(&iqmp); | |
775 | |
776 /* dmp1 = d mod (p-1) */ | |
777 if (mp_sub_d(key->rsakey->p, 1, &tmpval) != MP_OKAY) { | |
778 fprintf(stderr, "Bignum error for p-1\n"); | |
779 goto error; | |
780 } | |
781 if (mp_mod(key->rsakey->d, &tmpval, &dmp1) != MP_OKAY) { | |
782 fprintf(stderr, "Bignum error for dmp1\n"); | |
783 goto error; | |
784 } | |
785 | |
786 /* dmq1 = d mod (q-1) */ | |
787 if (mp_sub_d(key->rsakey->q, 1, &tmpval) != MP_OKAY) { | |
788 fprintf(stderr, "Bignum error for q-1\n"); | |
789 goto error; | |
790 } | |
791 if (mp_mod(key->rsakey->d, &tmpval, &dmq1) != MP_OKAY) { | |
792 fprintf(stderr, "Bignum error for dmq1\n"); | |
793 goto error; | |
794 } | |
795 | |
796 /* iqmp = (q^-1) mod p */ | |
797 if (mp_invmod(key->rsakey->q, key->rsakey->p, &iqmp) != MP_OKAY) { | |
798 fprintf(stderr, "Bignum error for iqmp\n"); | |
799 goto error; | |
800 } | |
801 | |
802 extrablob = buf_new(2000); | |
803 buf_putmpint(extrablob, &dmp1); | |
804 buf_putmpint(extrablob, &dmq1); | |
805 buf_putmpint(extrablob, &iqmp); | |
806 buf_setpos(extrablob, 0); | |
807 mp_clear(&dmp1); | |
808 mp_clear(&dmq1); | |
809 mp_clear(&iqmp); | |
810 mp_clear(&tmpval); | |
811 | |
812 /* dmp1 */ | |
813 numbers[6].bytes = buf_getint(extrablob); | |
814 numbers[6].start = buf_getptr(extrablob, numbers[6].bytes); | |
815 buf_incrpos(extrablob, numbers[6].bytes); | |
816 | |
817 /* dmq1 */ | |
818 numbers[7].bytes = buf_getint(extrablob); | |
819 numbers[7].start = buf_getptr(extrablob, numbers[7].bytes); | |
820 buf_incrpos(extrablob, numbers[7].bytes); | |
821 | |
822 /* iqmp */ | |
823 numbers[8].bytes = buf_getint(extrablob); | |
824 numbers[8].start = buf_getptr(extrablob, numbers[8].bytes); | |
825 buf_incrpos(extrablob, numbers[8].bytes); | |
826 | |
827 nnumbers = 9; | |
828 header = "-----BEGIN RSA PRIVATE KEY-----\n"; | |
829 footer = "-----END RSA PRIVATE KEY-----\n"; | |
830 } | |
831 #endif /* DROPBEAR_RSA */ | |
832 | |
833 #ifdef DROPBEAR_DSS | |
834 if (keytype == DROPBEAR_SIGNKEY_DSS) { | |
835 | |
836 /* p */ | |
837 numbers[1].bytes = buf_getint(keyblob); | |
838 numbers[1].start = buf_getptr(keyblob, numbers[1].bytes); | |
839 buf_incrpos(keyblob, numbers[1].bytes); | |
840 | |
841 /* q */ | |
842 numbers[2].bytes = buf_getint(keyblob); | |
843 numbers[2].start = buf_getptr(keyblob, numbers[2].bytes); | |
844 buf_incrpos(keyblob, numbers[2].bytes); | |
845 | |
846 /* g */ | |
847 numbers[3].bytes = buf_getint(keyblob); | |
848 numbers[3].start = buf_getptr(keyblob, numbers[3].bytes); | |
849 buf_incrpos(keyblob, numbers[3].bytes); | |
850 | |
851 /* y */ | |
852 numbers[4].bytes = buf_getint(keyblob); | |
853 numbers[4].start = buf_getptr(keyblob, numbers[4].bytes); | |
854 buf_incrpos(keyblob, numbers[4].bytes); | |
855 | |
856 /* x */ | |
857 numbers[5].bytes = buf_getint(keyblob); | |
858 numbers[5].start = buf_getptr(keyblob, numbers[5].bytes); | |
859 buf_incrpos(keyblob, numbers[5].bytes); | |
860 | |
861 nnumbers = 6; | |
862 header = "-----BEGIN DSA PRIVATE KEY-----\n"; | |
863 footer = "-----END DSA PRIVATE KEY-----\n"; | |
864 } | |
865 #endif /* DROPBEAR_DSS */ | |
866 | |
867 /* | |
868 * Now count up the total size of the ASN.1 encoded integers, | |
869 * so as to determine the length of the containing SEQUENCE. | |
870 */ | |
871 len = 0; | |
872 for (i = 0; i < nnumbers; i++) { | |
873 len += ber_write_id_len(NULL, 2, numbers[i].bytes, 0); | |
874 len += numbers[i].bytes; | |
875 } | |
876 seqlen = len; | |
877 /* Now add on the SEQUENCE header. */ | |
878 len += ber_write_id_len(NULL, 16, seqlen, ASN1_CONSTRUCTED); | |
879 /* Round up to the cipher block size, ensuring we have at least one | |
880 * byte of padding (see below). */ | |
881 outlen = len; | |
882 if (passphrase) | |
883 outlen = (outlen+8) &~ 7; | |
884 | |
885 /* | |
886 * Now we know how big outblob needs to be. Allocate it. | |
887 */ | |
888 outblob = (unsigned char*)m_malloc(outlen); | |
889 | |
890 /* | |
891 * And write the data into it. | |
892 */ | |
893 pos = 0; | |
894 pos += ber_write_id_len(outblob+pos, 16, seqlen, ASN1_CONSTRUCTED); | |
895 for (i = 0; i < nnumbers; i++) { | |
896 pos += ber_write_id_len(outblob+pos, 2, numbers[i].bytes, 0); | |
897 memcpy(outblob+pos, numbers[i].start, numbers[i].bytes); | |
898 pos += numbers[i].bytes; | |
899 } | |
900 | |
901 /* | |
902 * Padding on OpenSSH keys is deterministic. The number of | |
903 * padding bytes is always more than zero, and always at most | |
904 * the cipher block length. The value of each padding byte is | |
905 * equal to the number of padding bytes. So a plaintext that's | |
906 * an exact multiple of the block size will be padded with 08 | |
907 * 08 08 08 08 08 08 08 (assuming a 64-bit block cipher); a | |
908 * plaintext one byte less than a multiple of the block size | |
909 * will be padded with just 01. | |
910 * | |
911 * This enables the OpenSSL key decryption function to strip | |
912 * off the padding algorithmically and return the unpadded | |
913 * plaintext to the next layer: it looks at the final byte, and | |
914 * then expects to find that many bytes at the end of the data | |
915 * with the same value. Those are all removed and the rest is | |
916 * returned. | |
917 */ | |
918 dropbear_assert(pos == len); | |
919 while (pos < outlen) { | |
920 outblob[pos++] = outlen - len; | |
921 } | |
922 | |
923 /* | |
924 * Encrypt the key. | |
925 */ | |
926 if (passphrase) { | |
927 fprintf(stderr, "Encrypted keys aren't supported currently\n"); | |
928 goto error; | |
929 #if 0 | |
930 /* | |
931 * Invent an iv. Then derive encryption key from passphrase | |
932 * and iv/salt: | |
933 * | |
934 * - let block A equal MD5(passphrase || iv) | |
935 * - let block B equal MD5(A || passphrase || iv) | |
936 * - block C would be MD5(B || passphrase || iv) and so on | |
937 * - encryption key is the first N bytes of A || B | |
938 */ | |
939 struct MD5Context md5c; | |
940 unsigned char keybuf[32]; | |
941 | |
942 for (i = 0; i < 8; i++) iv[i] = random_byte(); | |
943 | |
944 MD5Init(&md5c); | |
945 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
946 MD5Update(&md5c, iv, 8); | |
947 MD5Final(keybuf, &md5c); | |
948 | |
949 MD5Init(&md5c); | |
950 MD5Update(&md5c, keybuf, 16); | |
951 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
952 MD5Update(&md5c, iv, 8); | |
953 MD5Final(keybuf+16, &md5c); | |
954 | |
955 /* | |
956 * Now encrypt the key blob. | |
957 */ | |
958 des3_encrypt_pubkey_ossh(keybuf, iv, outblob, outlen); | |
959 | |
960 memset(&md5c, 0, sizeof(md5c)); | |
961 memset(keybuf, 0, sizeof(keybuf)); | |
962 #endif | |
963 } | |
964 | |
965 /* | |
966 * And save it. We'll use Unix line endings just in case it's | |
967 * subsequently transferred in binary mode. | |
968 */ | |
969 if (strlen(filename) == 1 && filename[0] == '-') { | |
970 fp = stdout; | |
971 } else { | |
972 fp = fopen(filename, "wb"); /* ensure Unix line endings */ | |
973 } | |
974 if (!fp) { | |
975 fprintf(stderr, "Failed opening output file\n"); | |
976 goto error; | |
977 } | |
978 fputs(header, fp); | |
979 if (passphrase) { | |
980 fprintf(fp, "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,"); | |
981 for (i = 0; i < 8; i++) | |
982 fprintf(fp, "%02X", iv[i]); | |
983 fprintf(fp, "\n\n"); | |
984 } | |
985 base64_encode_fp(fp, outblob, outlen, 64); | |
986 fputs(footer, fp); | |
987 fclose(fp); | |
988 ret = 1; | |
989 | |
990 error: | |
991 if (outblob) { | |
992 memset(outblob, 0, outlen); | |
993 m_free(outblob); | |
994 } | |
995 if (keyblob) { | |
996 buf_burn(keyblob); | |
997 buf_free(keyblob); | |
998 } | |
999 if (extrablob) { | |
1000 buf_burn(extrablob); | |
1001 buf_free(extrablob); | |
1002 } | |
1003 return ret; | |
1004 } | |
1005 | |
1006 #if 0 | |
1007 /* XXX TODO ssh.com stuff isn't going yet */ | |
1008 | |
1009 /* ---------------------------------------------------------------------- | |
1010 * Code to read ssh.com private keys. | |
1011 */ | |
1012 | |
1013 /* | |
1014 * The format of the base64 blob is largely ssh2-packet-formatted, | |
1015 * except that mpints are a bit different: they're more like the | |
1016 * old ssh1 mpint. You have a 32-bit bit count N, followed by | |
1017 * (N+7)/8 bytes of data. | |
1018 * | |
1019 * So. The blob contains: | |
1020 * | |
1021 * - uint32 0x3f6ff9eb (magic number) | |
1022 * - uint32 size (total blob size) | |
1023 * - string key-type (see below) | |
1024 * - string cipher-type (tells you if key is encrypted) | |
1025 * - string encrypted-blob | |
1026 * | |
1027 * (The first size field includes the size field itself and the | |
1028 * magic number before it. All other size fields are ordinary ssh2 | |
1029 * strings, so the size field indicates how much data is to | |
1030 * _follow_.) | |
1031 * | |
1032 * The encrypted blob, once decrypted, contains a single string | |
1033 * which in turn contains the payload. (This allows padding to be | |
1034 * added after that string while still making it clear where the | |
1035 * real payload ends. Also it probably makes for a reasonable | |
1036 * decryption check.) | |
1037 * | |
1038 * The payload blob, for an RSA key, contains: | |
1039 * - mpint e | |
1040 * - mpint d | |
1041 * - mpint n (yes, the public and private stuff is intermixed) | |
1042 * - mpint u (presumably inverse of p mod q) | |
1043 * - mpint p (p is the smaller prime) | |
1044 * - mpint q (q is the larger) | |
1045 * | |
1046 * For a DSA key, the payload blob contains: | |
1047 * - uint32 0 | |
1048 * - mpint p | |
1049 * - mpint g | |
1050 * - mpint q | |
1051 * - mpint y | |
1052 * - mpint x | |
1053 * | |
1054 * Alternatively, if the parameters are `predefined', that | |
1055 * (0,p,g,q) sequence can be replaced by a uint32 1 and a string | |
1056 * containing some predefined parameter specification. *shudder*, | |
1057 * but I doubt we'll encounter this in real life. | |
1058 * | |
1059 * The key type strings are ghastly. The RSA key I looked at had a | |
1060 * type string of | |
1061 * | |
1062 * `if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}' | |
1063 * | |
1064 * and the DSA key wasn't much better: | |
1065 * | |
1066 * `dl-modp{sign{dsa-nist-sha1},dh{plain}}' | |
1067 * | |
1068 * It isn't clear that these will always be the same. I think it | |
1069 * might be wise just to look at the `if-modn{sign{rsa' and | |
1070 * `dl-modp{sign{dsa' prefixes. | |
1071 * | |
1072 * Finally, the encryption. The cipher-type string appears to be | |
1073 * either `none' or `3des-cbc'. Looks as if this is SSH2-style | |
1074 * 3des-cbc (i.e. outer cbc rather than inner). The key is created | |
1075 * from the passphrase by means of yet another hashing faff: | |
1076 * | |
1077 * - first 16 bytes are MD5(passphrase) | |
1078 * - next 16 bytes are MD5(passphrase || first 16 bytes) | |
1079 * - if there were more, they'd be MD5(passphrase || first 32), | |
1080 * and so on. | |
1081 */ | |
1082 | |
1083 #define SSHCOM_MAGIC_NUMBER 0x3f6ff9eb | |
1084 | |
1085 struct sshcom_key { | |
1086 char comment[256]; /* allowing any length is overkill */ | |
1087 unsigned char *keyblob; | |
1088 int keyblob_len, keyblob_size; | |
1089 }; | |
1090 | |
1091 static struct sshcom_key *load_sshcom_key(const char *filename) | |
1092 { | |
1093 struct sshcom_key *ret; | |
1094 FILE *fp; | |
1095 char buffer[256]; | |
1096 int len; | |
1097 char *errmsg, *p; | |
1098 int headers_done; | |
1099 char base64_bit[4]; | |
1100 int base64_chars = 0; | |
1101 | |
1102 ret = snew(struct sshcom_key); | |
1103 ret->comment[0] = '\0'; | |
1104 ret->keyblob = NULL; | |
1105 ret->keyblob_len = ret->keyblob_size = 0; | |
1106 | |
1107 fp = fopen(filename, "r"); | |
1108 if (!fp) { | |
1109 errmsg = "Unable to open key file"; | |
1110 goto error; | |
1111 } | |
1112 if (!fgets(buffer, sizeof(buffer), fp) || | |
1113 0 != strcmp(buffer, "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n")) { | |
1114 errmsg = "File does not begin with ssh.com key header"; | |
1115 goto error; | |
1116 } | |
1117 | |
1118 headers_done = 0; | |
1119 while (1) { | |
1120 if (!fgets(buffer, sizeof(buffer), fp)) { | |
1121 errmsg = "Unexpected end of file"; | |
1122 goto error; | |
1123 } | |
1124 if (!strcmp(buffer, "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n")) | |
1125 break; /* done */ | |
1126 if ((p = strchr(buffer, ':')) != NULL) { | |
1127 if (headers_done) { | |
1128 errmsg = "Header found in body of key data"; | |
1129 goto error; | |
1130 } | |
1131 *p++ = '\0'; | |
1132 while (*p && isspace((unsigned char)*p)) p++; | |
1133 /* | |
1134 * Header lines can end in a trailing backslash for | |
1135 * continuation. | |
1136 */ | |
1137 while ((len = strlen(p)) > (int)(sizeof(buffer) - (p-buffer) -1) || | |
1138 p[len-1] != '\n' || p[len-2] == '\\') { | |
1139 if (len > (int)((p-buffer) + sizeof(buffer)-2)) { | |
1140 errmsg = "Header line too long to deal with"; | |
1141 goto error; | |
1142 } | |
1143 if (!fgets(p+len-2, sizeof(buffer)-(p-buffer)-(len-2), fp)) { | |
1144 errmsg = "Unexpected end of file"; | |
1145 goto error; | |
1146 } | |
1147 } | |
1148 p[strcspn(p, "\n")] = '\0'; | |
1149 if (!strcmp(buffer, "Comment")) { | |
1150 /* Strip quotes in comment if present. */ | |
1151 if (p[0] == '"' && p[strlen(p)-1] == '"') { | |
1152 p++; | |
1153 p[strlen(p)-1] = '\0'; | |
1154 } | |
1155 strncpy(ret->comment, p, sizeof(ret->comment)); | |
1156 ret->comment[sizeof(ret->comment)-1] = '\0'; | |
1157 } | |
1158 } else { | |
1159 headers_done = 1; | |
1160 | |
1161 p = buffer; | |
1162 while (isbase64(*p)) { | |
1163 base64_bit[base64_chars++] = *p; | |
1164 if (base64_chars == 4) { | |
1165 unsigned char out[3]; | |
1166 | |
1167 base64_chars = 0; | |
1168 | |
1169 len = base64_decode_atom(base64_bit, out); | |
1170 | |
1171 if (len <= 0) { | |
1172 errmsg = "Invalid base64 encoding"; | |
1173 goto error; | |
1174 } | |
1175 | |
1176 if (ret->keyblob_len + len > ret->keyblob_size) { | |
1177 ret->keyblob_size = ret->keyblob_len + len + 256; | |
1178 ret->keyblob = sresize(ret->keyblob, ret->keyblob_size, | |
1179 unsigned char); | |
1180 } | |
1181 | |
1182 memcpy(ret->keyblob + ret->keyblob_len, out, len); | |
1183 ret->keyblob_len += len; | |
1184 } | |
1185 | |
1186 p++; | |
1187 } | |
1188 } | |
1189 } | |
1190 | |
1191 if (ret->keyblob_len == 0 || !ret->keyblob) { | |
1192 errmsg = "Key body not present"; | |
1193 goto error; | |
1194 } | |
1195 | |
1196 return ret; | |
1197 | |
1198 error: | |
1199 if (ret) { | |
1200 if (ret->keyblob) { | |
1201 memset(ret->keyblob, 0, ret->keyblob_size); | |
1202 m_free(ret->keyblob); | |
1203 } | |
1204 memset(&ret, 0, sizeof(ret)); | |
1205 m_free(ret); | |
1206 } | |
1207 return NULL; | |
1208 } | |
1209 | |
1210 int sshcom_encrypted(const char *filename, char **comment) | |
1211 { | |
1212 struct sshcom_key *key = load_sshcom_key(filename); | |
1213 int pos, len, answer; | |
1214 | |
1215 *comment = NULL; | |
1216 if (!key) | |
1217 return 0; | |
1218 | |
1219 /* | |
1220 * Check magic number. | |
1221 */ | |
1222 if (GET_32BIT(key->keyblob) != 0x3f6ff9eb) | |
1223 return 0; /* key is invalid */ | |
1224 | |
1225 /* | |
1226 * Find the cipher-type string. | |
1227 */ | |
1228 answer = 0; | |
1229 pos = 8; | |
1230 if (key->keyblob_len < pos+4) | |
1231 goto done; /* key is far too short */ | |
1232 pos += 4 + GET_32BIT(key->keyblob + pos); /* skip key type */ | |
1233 if (key->keyblob_len < pos+4) | |
1234 goto done; /* key is far too short */ | |
1235 len = GET_32BIT(key->keyblob + pos); /* find cipher-type length */ | |
1236 if (key->keyblob_len < pos+4+len) | |
1237 goto done; /* cipher type string is incomplete */ | |
1238 if (len != 4 || 0 != memcmp(key->keyblob + pos + 4, "none", 4)) | |
1239 answer = 1; | |
1240 | |
1241 done: | |
1242 *comment = dupstr(key->comment); | |
1243 memset(key->keyblob, 0, key->keyblob_size); | |
1244 m_free(key->keyblob); | |
1245 memset(&key, 0, sizeof(key)); | |
1246 m_free(key); | |
1247 return answer; | |
1248 } | |
1249 | |
1250 static int sshcom_read_mpint(void *data, int len, struct mpint_pos *ret) | |
1251 { | |
1252 int bits; | |
1253 int bytes; | |
1254 unsigned char *d = (unsigned char *) data; | |
1255 | |
1256 if (len < 4) | |
1257 goto error; | |
1258 bits = GET_32BIT(d); | |
1259 | |
1260 bytes = (bits + 7) / 8; | |
1261 if (len < 4+bytes) | |
1262 goto error; | |
1263 | |
1264 ret->start = d + 4; | |
1265 ret->bytes = bytes; | |
1266 return bytes+4; | |
1267 | |
1268 error: | |
1269 ret->start = NULL; | |
1270 ret->bytes = -1; | |
1271 return len; /* ensure further calls fail as well */ | |
1272 } | |
1273 | |
1274 static int sshcom_put_mpint(void *target, void *data, int len) | |
1275 { | |
1276 unsigned char *d = (unsigned char *)target; | |
1277 unsigned char *i = (unsigned char *)data; | |
1278 int bits = len * 8 - 1; | |
1279 | |
1280 while (bits > 0) { | |
1281 if (*i & (1 << (bits & 7))) | |
1282 break; | |
1283 if (!(bits-- & 7)) | |
1284 i++, len--; | |
1285 } | |
1286 | |
1287 PUT_32BIT(d, bits+1); | |
1288 memcpy(d+4, i, len); | |
1289 return len+4; | |
1290 } | |
1291 | |
1292 sign_key *sshcom_read(const char *filename, char *passphrase) | |
1293 { | |
1294 struct sshcom_key *key = load_sshcom_key(filename); | |
1295 char *errmsg; | |
1296 int pos, len; | |
1297 const char prefix_rsa[] = "if-modn{sign{rsa"; | |
1298 const char prefix_dsa[] = "dl-modp{sign{dsa"; | |
1299 enum { RSA, DSA } type; | |
1300 int encrypted; | |
1301 char *ciphertext; | |
1302 int cipherlen; | |
1303 struct ssh2_userkey *ret = NULL, *retkey; | |
1304 const struct ssh_signkey *alg; | |
1305 unsigned char *blob = NULL; | |
1306 int blobsize, publen, privlen; | |
1307 | |
1308 if (!key) | |
1309 return NULL; | |
1310 | |
1311 /* | |
1312 * Check magic number. | |
1313 */ | |
1314 if (GET_32BIT(key->keyblob) != SSHCOM_MAGIC_NUMBER) { | |
1315 errmsg = "Key does not begin with magic number"; | |
1316 goto error; | |
1317 } | |
1318 | |
1319 /* | |
1320 * Determine the key type. | |
1321 */ | |
1322 pos = 8; | |
1323 if (key->keyblob_len < pos+4 || | |
1324 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) { | |
1325 errmsg = "Key blob does not contain a key type string"; | |
1326 goto error; | |
1327 } | |
1328 if (len > sizeof(prefix_rsa) - 1 && | |
1329 !memcmp(key->keyblob+pos+4, prefix_rsa, sizeof(prefix_rsa) - 1)) { | |
1330 type = RSA; | |
1331 } else if (len > sizeof(prefix_dsa) - 1 && | |
1332 !memcmp(key->keyblob+pos+4, prefix_dsa, sizeof(prefix_dsa) - 1)) { | |
1333 type = DSA; | |
1334 } else { | |
1335 errmsg = "Key is of unknown type"; | |
1336 goto error; | |
1337 } | |
1338 pos += 4+len; | |
1339 | |
1340 /* | |
1341 * Determine the cipher type. | |
1342 */ | |
1343 if (key->keyblob_len < pos+4 || | |
1344 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) { | |
1345 errmsg = "Key blob does not contain a cipher type string"; | |
1346 goto error; | |
1347 } | |
1348 if (len == 4 && !memcmp(key->keyblob+pos+4, "none", 4)) | |
1349 encrypted = 0; | |
1350 else if (len == 8 && !memcmp(key->keyblob+pos+4, "3des-cbc", 8)) | |
1351 encrypted = 1; | |
1352 else { | |
1353 errmsg = "Key encryption is of unknown type"; | |
1354 goto error; | |
1355 } | |
1356 pos += 4+len; | |
1357 | |
1358 /* | |
1359 * Get hold of the encrypted part of the key. | |
1360 */ | |
1361 if (key->keyblob_len < pos+4 || | |
1362 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) { | |
1363 errmsg = "Key blob does not contain actual key data"; | |
1364 goto error; | |
1365 } | |
1366 ciphertext = (char *)key->keyblob + pos + 4; | |
1367 cipherlen = len; | |
1368 if (cipherlen == 0) { | |
1369 errmsg = "Length of key data is zero"; | |
1370 goto error; | |
1371 } | |
1372 | |
1373 /* | |
1374 * Decrypt it if necessary. | |
1375 */ | |
1376 if (encrypted) { | |
1377 /* | |
1378 * Derive encryption key from passphrase and iv/salt: | |
1379 * | |
1380 * - let block A equal MD5(passphrase) | |
1381 * - let block B equal MD5(passphrase || A) | |
1382 * - block C would be MD5(passphrase || A || B) and so on | |
1383 * - encryption key is the first N bytes of A || B | |
1384 */ | |
1385 struct MD5Context md5c; | |
1386 unsigned char keybuf[32], iv[8]; | |
1387 | |
1388 if (cipherlen % 8 != 0) { | |
1389 errmsg = "Encrypted part of key is not a multiple of cipher block" | |
1390 " size"; | |
1391 goto error; | |
1392 } | |
1393 | |
1394 MD5Init(&md5c); | |
1395 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1396 MD5Final(keybuf, &md5c); | |
1397 | |
1398 MD5Init(&md5c); | |
1399 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1400 MD5Update(&md5c, keybuf, 16); | |
1401 MD5Final(keybuf+16, &md5c); | |
1402 | |
1403 /* | |
1404 * Now decrypt the key blob. | |
1405 */ | |
1406 memset(iv, 0, sizeof(iv)); | |
1407 des3_decrypt_pubkey_ossh(keybuf, iv, (unsigned char *)ciphertext, | |
1408 cipherlen); | |
1409 | |
1410 memset(&md5c, 0, sizeof(md5c)); | |
1411 memset(keybuf, 0, sizeof(keybuf)); | |
1412 | |
1413 /* | |
1414 * Hereafter we return WRONG_PASSPHRASE for any parsing | |
1415 * error. (But only if we've just tried to decrypt it! | |
1416 * Returning WRONG_PASSPHRASE for an unencrypted key is | |
1417 * automatic doom.) | |
1418 */ | |
1419 if (encrypted) | |
1420 ret = SSH2_WRONG_PASSPHRASE; | |
1421 } | |
1422 | |
1423 /* | |
1424 * Strip away the containing string to get to the real meat. | |
1425 */ | |
1426 len = GET_32BIT(ciphertext); | |
1427 if (len > cipherlen-4) { | |
1428 errmsg = "containing string was ill-formed"; | |
1429 goto error; | |
1430 } | |
1431 ciphertext += 4; | |
1432 cipherlen = len; | |
1433 | |
1434 /* | |
1435 * Now we break down into RSA versus DSA. In either case we'll | |
1436 * construct public and private blobs in our own format, and | |
1437 * end up feeding them to alg->createkey(). | |
1438 */ | |
1439 blobsize = cipherlen + 256; | |
1440 blob = snewn(blobsize, unsigned char); | |
1441 privlen = 0; | |
1442 if (type == RSA) { | |
1443 struct mpint_pos n, e, d, u, p, q; | |
1444 int pos = 0; | |
1445 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &e); | |
1446 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &d); | |
1447 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &n); | |
1448 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &u); | |
1449 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p); | |
1450 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q); | |
1451 if (!q.start) { | |
1452 errmsg = "key data did not contain six integers"; | |
1453 goto error; | |
1454 } | |
1455 | |
1456 alg = &ssh_rsa; | |
1457 pos = 0; | |
1458 pos += put_string(blob+pos, "ssh-rsa", 7); | |
1459 pos += put_mp(blob+pos, e.start, e.bytes); | |
1460 pos += put_mp(blob+pos, n.start, n.bytes); | |
1461 publen = pos; | |
1462 pos += put_string(blob+pos, d.start, d.bytes); | |
1463 pos += put_mp(blob+pos, q.start, q.bytes); | |
1464 pos += put_mp(blob+pos, p.start, p.bytes); | |
1465 pos += put_mp(blob+pos, u.start, u.bytes); | |
1466 privlen = pos - publen; | |
1467 } else if (type == DSA) { | |
1468 struct mpint_pos p, q, g, x, y; | |
1469 int pos = 4; | |
1470 if (GET_32BIT(ciphertext) != 0) { | |
1471 errmsg = "predefined DSA parameters not supported"; | |
1472 goto error; | |
1473 } | |
1474 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p); | |
1475 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &g); | |
1476 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q); | |
1477 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &y); | |
1478 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &x); | |
1479 if (!x.start) { | |
1480 errmsg = "key data did not contain five integers"; | |
1481 goto error; | |
1482 } | |
1483 | |
1484 alg = &ssh_dss; | |
1485 pos = 0; | |
1486 pos += put_string(blob+pos, "ssh-dss", 7); | |
1487 pos += put_mp(blob+pos, p.start, p.bytes); | |
1488 pos += put_mp(blob+pos, q.start, q.bytes); | |
1489 pos += put_mp(blob+pos, g.start, g.bytes); | |
1490 pos += put_mp(blob+pos, y.start, y.bytes); | |
1491 publen = pos; | |
1492 pos += put_mp(blob+pos, x.start, x.bytes); | |
1493 privlen = pos - publen; | |
1494 } | |
1495 | |
1496 dropbear_assert(privlen > 0); /* should have bombed by now if not */ | |
1497 | |
1498 retkey = snew(struct ssh2_userkey); | |
1499 retkey->alg = alg; | |
1500 retkey->data = alg->createkey(blob, publen, blob+publen, privlen); | |
1501 if (!retkey->data) { | |
1502 m_free(retkey); | |
1503 errmsg = "unable to create key data structure"; | |
1504 goto error; | |
1505 } | |
1506 retkey->comment = dupstr(key->comment); | |
1507 | |
1508 errmsg = NULL; /* no error */ | |
1509 ret = retkey; | |
1510 | |
1511 error: | |
1512 if (blob) { | |
1513 memset(blob, 0, blobsize); | |
1514 m_free(blob); | |
1515 } | |
1516 memset(key->keyblob, 0, key->keyblob_size); | |
1517 m_free(key->keyblob); | |
1518 memset(&key, 0, sizeof(key)); | |
1519 m_free(key); | |
1520 return ret; | |
1521 } | |
1522 | |
1523 int sshcom_write(const char *filename, sign_key *key, | |
1524 char *passphrase) | |
1525 { | |
1526 unsigned char *pubblob, *privblob; | |
1527 int publen, privlen; | |
1528 unsigned char *outblob; | |
1529 int outlen; | |
1530 struct mpint_pos numbers[6]; | |
1531 int nnumbers, initial_zero, pos, lenpos, i; | |
1532 char *type; | |
1533 char *ciphertext; | |
1534 int cipherlen; | |
1535 int ret = 0; | |
1536 FILE *fp; | |
1537 | |
1538 /* | |
1539 * Fetch the key blobs. | |
1540 */ | |
1541 pubblob = key->alg->public_blob(key->data, &publen); | |
1542 privblob = key->alg->private_blob(key->data, &privlen); | |
1543 outblob = NULL; | |
1544 | |
1545 /* | |
1546 * Find the sequence of integers to be encoded into the OpenSSH | |
1547 * key blob, and also decide on the header line. | |
1548 */ | |
1549 if (key->alg == &ssh_rsa) { | |
1550 int pos; | |
1551 struct mpint_pos n, e, d, p, q, iqmp; | |
1552 | |
1553 pos = 4 + GET_32BIT(pubblob); | |
1554 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &e); | |
1555 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &n); | |
1556 pos = 0; | |
1557 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &d); | |
1558 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &p); | |
1559 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &q); | |
1560 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &iqmp); | |
1561 | |
1562 dropbear_assert(e.start && iqmp.start); /* can't go wrong */ | |
1563 | |
1564 numbers[0] = e; | |
1565 numbers[1] = d; | |
1566 numbers[2] = n; | |
1567 numbers[3] = iqmp; | |
1568 numbers[4] = q; | |
1569 numbers[5] = p; | |
1570 | |
1571 nnumbers = 6; | |
1572 initial_zero = 0; | |
1573 type = "if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}"; | |
1574 } else if (key->alg == &ssh_dss) { | |
1575 int pos; | |
1576 struct mpint_pos p, q, g, y, x; | |
1577 | |
1578 pos = 4 + GET_32BIT(pubblob); | |
1579 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &p); | |
1580 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &q); | |
1581 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &g); | |
1582 pos += ssh2_read_mpint(pubblob+pos, publen-pos, &y); | |
1583 pos = 0; | |
1584 pos += ssh2_read_mpint(privblob+pos, privlen-pos, &x); | |
1585 | |
1586 dropbear_assert(y.start && x.start); /* can't go wrong */ | |
1587 | |
1588 numbers[0] = p; | |
1589 numbers[1] = g; | |
1590 numbers[2] = q; | |
1591 numbers[3] = y; | |
1592 numbers[4] = x; | |
1593 | |
1594 nnumbers = 5; | |
1595 initial_zero = 1; | |
1596 type = "dl-modp{sign{dsa-nist-sha1},dh{plain}}"; | |
1597 } else { | |
1598 dropbear_assert(0); /* zoinks! */ | |
1599 } | |
1600 | |
1601 /* | |
1602 * Total size of key blob will be somewhere under 512 plus | |
1603 * combined length of integers. We'll calculate the more | |
1604 * precise size as we construct the blob. | |
1605 */ | |
1606 outlen = 512; | |
1607 for (i = 0; i < nnumbers; i++) | |
1608 outlen += 4 + numbers[i].bytes; | |
1609 outblob = snewn(outlen, unsigned char); | |
1610 | |
1611 /* | |
1612 * Create the unencrypted key blob. | |
1613 */ | |
1614 pos = 0; | |
1615 PUT_32BIT(outblob+pos, SSHCOM_MAGIC_NUMBER); pos += 4; | |
1616 pos += 4; /* length field, fill in later */ | |
1617 pos += put_string(outblob+pos, type, strlen(type)); | |
1618 { | |
1619 char *ciphertype = passphrase ? "3des-cbc" : "none"; | |
1620 pos += put_string(outblob+pos, ciphertype, strlen(ciphertype)); | |
1621 } | |
1622 lenpos = pos; /* remember this position */ | |
1623 pos += 4; /* encrypted-blob size */ | |
1624 pos += 4; /* encrypted-payload size */ | |
1625 if (initial_zero) { | |
1626 PUT_32BIT(outblob+pos, 0); | |
1627 pos += 4; | |
1628 } | |
1629 for (i = 0; i < nnumbers; i++) | |
1630 pos += sshcom_put_mpint(outblob+pos, | |
1631 numbers[i].start, numbers[i].bytes); | |
1632 /* Now wrap up the encrypted payload. */ | |
1633 PUT_32BIT(outblob+lenpos+4, pos - (lenpos+8)); | |
1634 /* Pad encrypted blob to a multiple of cipher block size. */ | |
1635 if (passphrase) { | |
1636 int padding = -(pos - (lenpos+4)) & 7; | |
1637 while (padding--) | |
1638 outblob[pos++] = random_byte(); | |
1639 } | |
1640 ciphertext = (char *)outblob+lenpos+4; | |
1641 cipherlen = pos - (lenpos+4); | |
1642 dropbear_assert(!passphrase || cipherlen % 8 == 0); | |
1643 /* Wrap up the encrypted blob string. */ | |
1644 PUT_32BIT(outblob+lenpos, cipherlen); | |
1645 /* And finally fill in the total length field. */ | |
1646 PUT_32BIT(outblob+4, pos); | |
1647 | |
1648 dropbear_assert(pos < outlen); | |
1649 | |
1650 /* | |
1651 * Encrypt the key. | |
1652 */ | |
1653 if (passphrase) { | |
1654 /* | |
1655 * Derive encryption key from passphrase and iv/salt: | |
1656 * | |
1657 * - let block A equal MD5(passphrase) | |
1658 * - let block B equal MD5(passphrase || A) | |
1659 * - block C would be MD5(passphrase || A || B) and so on | |
1660 * - encryption key is the first N bytes of A || B | |
1661 */ | |
1662 struct MD5Context md5c; | |
1663 unsigned char keybuf[32], iv[8]; | |
1664 | |
1665 MD5Init(&md5c); | |
1666 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1667 MD5Final(keybuf, &md5c); | |
1668 | |
1669 MD5Init(&md5c); | |
1670 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); | |
1671 MD5Update(&md5c, keybuf, 16); | |
1672 MD5Final(keybuf+16, &md5c); | |
1673 | |
1674 /* | |
1675 * Now decrypt the key blob. | |
1676 */ | |
1677 memset(iv, 0, sizeof(iv)); | |
1678 des3_encrypt_pubkey_ossh(keybuf, iv, (unsigned char *)ciphertext, | |
1679 cipherlen); | |
1680 | |
1681 memset(&md5c, 0, sizeof(md5c)); | |
1682 memset(keybuf, 0, sizeof(keybuf)); | |
1683 } | |
1684 | |
1685 /* | |
1686 * And save it. We'll use Unix line endings just in case it's | |
1687 * subsequently transferred in binary mode. | |
1688 */ | |
1689 fp = fopen(filename, "wb"); /* ensure Unix line endings */ | |
1690 if (!fp) | |
1691 goto error; | |
1692 fputs("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n", fp); | |
1693 fprintf(fp, "Comment: \""); | |
1694 /* | |
1695 * Comment header is broken with backslash-newline if it goes | |
1696 * over 70 chars. Although it's surrounded by quotes, it | |
1697 * _doesn't_ escape backslashes or quotes within the string. | |
1698 * Don't ask me, I didn't design it. | |
1699 */ | |
1700 { | |
1701 int slen = 60; /* starts at 60 due to "Comment: " */ | |
1702 char *c = key->comment; | |
1703 while ((int)strlen(c) > slen) { | |
1704 fprintf(fp, "%.*s\\\n", slen, c); | |
1705 c += slen; | |
1706 slen = 70; /* allow 70 chars on subsequent lines */ | |
1707 } | |
1708 fprintf(fp, "%s\"\n", c); | |
1709 } | |
1710 base64_encode_fp(fp, outblob, pos, 70); | |
1711 fputs("---- END SSH2 ENCRYPTED PRIVATE KEY ----\n", fp); | |
1712 fclose(fp); | |
1713 ret = 1; | |
1714 | |
1715 error: | |
1716 if (outblob) { | |
1717 memset(outblob, 0, outlen); | |
1718 m_free(outblob); | |
1719 } | |
1720 if (privblob) { | |
1721 memset(privblob, 0, privlen); | |
1722 m_free(privblob); | |
1723 } | |
1724 if (pubblob) { | |
1725 memset(pubblob, 0, publen); | |
1726 m_free(pubblob); | |
1727 } | |
1728 return ret; | |
1729 } | |
1730 #endif /* ssh.com stuff disabled */ |