/*
* Serialises the authentication (private) key to a blob, encrypting it with
* passphrase. The identification of the blob (lowest 64 bits of n) will
* precede the key to provide identification of the key without needing a
* passphrase.
*/
static int
sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
const char *passphrase, const char *comment)
{
struct sshbuf *buffer = NULL, *encrypted = NULL;
u_char buf[8];
int r, cipher_num;
struct sshcipher_ctx ciphercontext;
const struct sshcipher *cipher;
u_char *cp;
/*
* If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
* to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
*/
cipher_num = (strcmp(passphrase, "") == 0) ?
SSH_CIPHER_NONE : SSH_AUTHFILE_CIPHER;
if ((cipher = cipher_by_number(cipher_num)) == NULL)
return SSH_ERR_INTERNAL_ERROR;
/* This buffer is used to build the secret part of the private key. */
if ((buffer = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
/* Put checkbytes for checking passphrase validity. */
if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0)
goto out;
arc4random_buf(cp, 2);
memcpy(cp + 2, cp, 2);
/*
* Store the private key (n and e will not be stored because they
* will be stored in plain text, and storing them also in encrypted
* format would just give known plaintext).
* Note: q and p are stored in reverse order to SSL.
*/
if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 ||
(r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 ||
(r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 ||
(r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0)
goto out;
/* Pad the part to be encrypted to a size that is a multiple of 8. */
bzero(buf, 8);
if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0)
goto out;
/* This buffer will be used to contain the data in the file. */
if ((encrypted = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* First store keyfile id string. */
if ((r = sshbuf_put(encrypted, authfile_id_string,
sizeof(authfile_id_string))) != 0)
goto out;
/* Store cipher type and "reserved" field. */
if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 ||
(r = sshbuf_put_u32(encrypted, 0)) != 0)
goto out;
/* Store public key. This will be in plain text. */
if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
(r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) ||
(r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) ||
(r = sshbuf_put_cstring(encrypted, comment) != 0))
goto out;
/* Allocate space for the private part of the key in the buffer. */
if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
goto out;
if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
CIPHER_ENCRYPT)) != 0)
goto out;
if ((r = cipher_crypt(&ciphercontext, cp,
sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0)
goto out;
if ((r = cipher_cleanup(&ciphercontext)) != 0)
goto out;
r = sshbuf_putb(blob, encrypted);
out:
bzero(&ciphercontext, sizeof(ciphercontext));
bzero(buf, sizeof(buf));
if (buffer != NULL)
sshbuf_free(buffer);
if (encrypted != NULL)
sshbuf_free(encrypted);
return r;
}
static int
sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
struct sshkey **keyp, char **commentp)
{
int r;
u_int16_t check1, check2;
u_int8_t cipher_type;
struct sshbuf *decrypted = NULL, *copy = NULL;
u_char *cp;
char *comment = NULL;
struct sshcipher_ctx ciphercontext;
const struct sshcipher *cipher;
struct sshkey *prv = NULL;
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
/* Check that it is at least big enough to contain the ID string. */
if (sshbuf_len(blob) < sizeof(authfile_id_string))
return SSH_ERR_INVALID_FORMAT;
/*
* Make sure it begins with the id string. Consume the id string
* from the buffer.
*/
if (memcmp(sshbuf_ptr(blob), authfile_id_string,
sizeof(authfile_id_string)) != 0)
return SSH_ERR_INVALID_FORMAT;
if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((copy = sshbuf_fromb(blob)) == NULL ||
(decrypted = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_consume(copy, sizeof(authfile_id_string))) != 0)
goto out;
/* Read cipher type. */
if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 ||
(r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */
goto out;
/* Read the public key and comment from the buffer. */
if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */
(r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 ||
(r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 ||
(r = sshbuf_get_cstring(copy, &comment, NULL)) != 0)
goto out;
/* Check that it is a supported cipher. */
cipher = cipher_by_number(cipher_type);
if (cipher == NULL) {
r = SSH_ERR_KEY_UNKNOWN_CIPHER;
goto out;
}
/* Initialize space for decrypted data. */
if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0)
goto out;
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
CIPHER_DECRYPT)) != 0)
goto out;
if ((r = cipher_crypt(&ciphercontext, cp,
sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) {
cipher_cleanup(&ciphercontext);
goto out;
}
if ((r = cipher_cleanup(&ciphercontext)) != 0)
goto out;
if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 ||
(r = sshbuf_get_u16(decrypted, &check2)) != 0)
goto out;
if (check1 != check2) {
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
goto out;
}
/* Read the rest of the private key. */
if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 ||
(r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 ||
(r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 ||
(r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0)
goto out;
/* calculate p-1 and q-1 */
if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0)
goto out;
/* enable blinding */
if (RSA_blinding_on(prv->rsa, NULL) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
r = 0;
*keyp = prv;
prv = NULL;
if (commentp != NULL) {
*commentp = comment;
comment = NULL;
}
out:
bzero(&ciphercontext, sizeof(ciphercontext));
if (comment != NULL)
free(comment);
if (prv != NULL)
sshkey_free(prv);
if (copy != NULL)
sshbuf_free(copy);
if (decrypted != NULL)
sshbuf_free(decrypted);
return r;
}
const char *
cipher_name(int id)
{
const struct sshcipher *c = cipher_by_number(id);
return (c==NULL) ? "<unknown>" : c->name;
}
int
ciphers_valid(const char *names)
{
const Cipher *c;
char *cipher_list, *cp;
char *p;
if (names == NULL || strcmp(names, "") == 0)
return 0;
cipher_list = cp = xstrdup(names);
for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
(p = strsep(&cp, CIPHER_SEP))) {
c = cipher_by_name(p);
#ifdef NONE_CIPHER_ENABLED
if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
c->number != SSH_CIPHER_NONE)) {
#else
if (c == NULL || (c->number != SSH_CIPHER_SSH2)) {
#endif
debug("bad cipher %s [%s]", p, names);
free(cipher_list);
return 0;
}
}
debug3("ciphers ok: [%s]", names);
free(cipher_list);
return 1;
}
/*
* Parses the name of the cipher. Returns the number of the corresponding
* cipher, or -1 on error.
*/
int
cipher_number(const char *name)
{
const Cipher *c;
if (name == NULL)
return -1;
for (c = ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
}
char *
cipher_name(int id)
{
const Cipher *c = cipher_by_number(id);
return (c==NULL) ? "<unknown>" : c->name;
}
void
cipher_init(CipherContext *cc, const Cipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
static int dowarn = 1;
#ifdef SSH_OLD_EVP
EVP_CIPHER *type;
#else
const EVP_CIPHER *type;
int klen;
#endif
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
error("Warning: use of DES is strongly discouraged "
"due to cryptographic weaknesses");
dowarn = 0;
}
if (keylen > 8)
keylen = 8;
}
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
cc->encrypt = do_encrypt;
if (keylen < cipher->key_len)
fatal("cipher_init: key length %d is insufficient for %s.",
keylen, cipher->name);
if (iv != NULL && ivlen < cipher_ivlen(cipher))
fatal("cipher_init: iv length %d is insufficient for %s.",
ivlen, cipher->name);
cc->cipher = cipher;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
chachapoly_init(&cc->cp_ctx, key, keylen);
return;
}
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
#ifdef SSH_OLD_EVP
if (type->key_len > 0 && type->key_len != keylen) {
debug("cipher_init: set keylen (%d -> %d)",
type->key_len, keylen);
type->key_len = keylen;
}
EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT));
#else
if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0)
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
if (cipher_authlen(cipher) &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, (u_char *)iv))
fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
klen, keylen);
}
if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
#endif
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
explicit_bzero(discard, cipher->discard_len);
free(junk);
free(discard);
}
}
/*
* cipher_crypt() operates as following:
* Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
* Theses bytes are treated as additional authenticated data for
* authenticated encryption modes.
* En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
* Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
* This tag is written on encryption and verified on decryption.
* Both 'aadlen' and 'authlen' can be set to 0.
* cipher_crypt() returns 0 on success and -1 if the decryption integrity
* check fails.
*/
int
cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
u_int len, u_int aadlen, u_int authlen)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len,
aadlen, authlen, cc->encrypt);
if (authlen) {
u_char lastiv[1];
if (authlen != cipher_authlen(cc->cipher))
fatal("%s: authlen mismatch %d", __func__, authlen);
/* increment IV */
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
/* set tag on decyption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, (u_char *)src + aadlen + len))
fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
}
if (aadlen) {
if (authlen &&
EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
fatal("%s: EVP_Cipher(aad) failed", __func__);
memcpy(dest, src, aadlen);
}
if (len % cc->cipher->block_size)
fatal("%s: bad plaintext length %d", __func__, len);
if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
len) < 0)
fatal("%s: EVP_Cipher failed", __func__);
if (authlen) {
/* compute tag (on encrypt) or verify tag (on decrypt) */
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
if (cc->encrypt)
fatal("%s: EVP_Cipher(final) failed", __func__);
else
return -1;
}
if (cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
authlen, dest + aadlen + len))
fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
}
return 0;
}
/* Extract the packet length, including any decryption necessary beforehand */
int
cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr,
const u_char *cp, u_int len)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
cp, len);
if (len < 4)
return -1;
*plenp = get_u32(cp);
return 0;
}
void
cipher_cleanup(CipherContext *cc)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
}
/*
* Selects the cipher, and keys if by computing the MD5 checksum of the
* passphrase and using the resulting 16 bytes as the key.
*/
void
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt)
{
u_char digest[16];
if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase),
digest, sizeof(digest)) < 0)
fatal("%s: md5 failed", __func__);
cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
explicit_bzero(digest, sizeof(digest));
}
char *
cipher_name(int id)
{
Cipher *c = cipher_by_number(id);
return (c==NULL) ? "<unknown>" : c->name;
}
static Key *
key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
char **commentp)
{
int i, check1, check2, cipher_type;
off_t len;
Buffer buffer, decrypted;
u_char *cp;
CipherContext ciphercontext;
Cipher *cipher;
Key *prv = NULL;
struct stat st;
if (fstat(fd, &st) < 0) {
error("fstat for key file %.200s failed: %.100s",
filename, strerror(errno));
close(fd);
return NULL;
}
len = st.st_size;
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
if (read(fd, cp, (size_t) len) != (size_t) len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);
close(fd);
return NULL;
}
/* Check that it is at least big enough to contain the ID string. */
if (len < sizeof(authfile_id_string)) {
debug3("Not a RSA1 key file %.200s.", filename);
buffer_free(&buffer);
close(fd);
return NULL;
}
/*
* Make sure it begins with the id string. Consume the id string
* from the buffer.
*/
for (i = 0; i < sizeof(authfile_id_string); i++)
if (buffer_get_char(&buffer) != authfile_id_string[i]) {
debug3("Not a RSA1 key file %.200s.", filename);
buffer_free(&buffer);
close(fd);
return NULL;
}
/* Read cipher type. */
cipher_type = buffer_get_char(&buffer);
(void) buffer_get_int(&buffer); /* Reserved data. */
/* Read the public key from the buffer. */
(void) buffer_get_int(&buffer);
prv = key_new_private(KEY_RSA1);
buffer_get_bignum(&buffer, prv->rsa->n);
buffer_get_bignum(&buffer, prv->rsa->e);
if (commentp)
*commentp = buffer_get_string(&buffer, NULL);
else
xfree(buffer_get_string(&buffer, NULL));
/* Check that it is a supported cipher. */
cipher = cipher_by_number(cipher_type);
if (cipher == NULL) {
debug("Unsupported cipher %d used in key file %.200s.",
cipher_type, filename);
buffer_free(&buffer);
goto fail;
}
/* Initialize space for decrypted data. */
buffer_init(&decrypted);
cp = buffer_append_space(&decrypted, buffer_len(&buffer));
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
cipher_set_key_string(&ciphercontext, cipher, passphrase,
CIPHER_DECRYPT);
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext);
memset(&ciphercontext, 0, sizeof(ciphercontext));
buffer_free(&buffer);
check1 = buffer_get_char(&decrypted);
check2 = buffer_get_char(&decrypted);
if (check1 != buffer_get_char(&decrypted) ||
check2 != buffer_get_char(&decrypted)) {
if (strcmp(passphrase, "") != 0)
debug("Bad passphrase supplied for key file %.200s.",
filename);
/* Bad passphrase. */
buffer_free(&decrypted);
goto fail;
}
/* Read the rest of the private key. */
buffer_get_bignum(&decrypted, prv->rsa->d);
buffer_get_bignum(&decrypted, prv->rsa->iqmp); /* u */
/* in SSL and SSH v1 p and q are exchanged */
buffer_get_bignum(&decrypted, prv->rsa->q); /* p */
buffer_get_bignum(&decrypted, prv->rsa->p); /* q */
/* calculate p-1 and q-1 */
rsa_generate_additional_parameters(prv->rsa);
buffer_free(&decrypted);
/* enable blinding */
if (RSA_blinding_on(prv->rsa, NULL) != 1) {
error("key_load_private_rsa1: RSA_blinding_on failed");
goto fail;
}
close(fd);
return prv;
fail:
if (commentp)
xfree(*commentp);
close(fd);
key_free(prv);
return NULL;
}