2 * Code for PuTTY to import and export private key files in other
3 * SSH clients' formats.
14 #define PUT_32BIT(cp, value) do { \
16 (cp)[2] = (value) >> 8; \
17 (cp)[1] = (value) >> 16; \
18 (cp)[0] = (value) >> 24; } while (0)
20 #define GET_32BIT(cp) \
21 (((unsigned long)(unsigned char)(cp)[0] << 24) | \
22 ((unsigned long)(unsigned char)(cp)[1] << 16) | \
23 ((unsigned long)(unsigned char)(cp)[2] << 8) | \
24 ((unsigned long)(unsigned char)(cp)[3]))
26 int openssh_encrypted(char *filename);
27 struct ssh2_userkey *openssh_read(char *filename, char *passphrase);
29 int sshcom_encrypted(char *filename, char **comment);
30 struct ssh2_userkey *sshcom_read(char *filename, char *passphrase);
33 * Given a key type, determine whether we know how to import it.
35 int import_possible(int type)
37 if (type == SSH_KEYTYPE_OPENSSH)
39 if (type == SSH_KEYTYPE_SSHCOM)
45 * Given a key type, determine what native key type
46 * (SSH_KEYTYPE_SSH1 or SSH_KEYTYPE_SSH2) it will come out as once
49 int import_target_type(int type)
52 * There are no known foreign SSH1 key formats.
54 return SSH_KEYTYPE_SSH2;
58 * Determine whether a foreign key is encrypted.
60 int import_encrypted(char *filename, int type, char **comment)
62 if (type == SSH_KEYTYPE_OPENSSH) {
63 *comment = filename; /* OpenSSH doesn't do key comments */
64 return openssh_encrypted(filename);
66 if (type == SSH_KEYTYPE_SSHCOM) {
67 return sshcom_encrypted(filename, comment);
75 int import_ssh1(char *filename, int type, struct RSAKey *key, char *passphrase)
83 struct ssh2_userkey *import_ssh2(char *filename, int type, char *passphrase)
85 if (type == SSH_KEYTYPE_OPENSSH)
86 return openssh_read(filename, passphrase);
87 if (type == SSH_KEYTYPE_SSHCOM)
88 return sshcom_read(filename, passphrase);
95 int export_ssh1(char *filename, int type, struct RSAKey *key, char *passphrase)
101 * Export an SSH2 key.
103 int export_ssh2(char *filename, int type,
104 struct ssh2_userkey *key, char *passphrase)
107 if (type == SSH_KEYTYPE_OPENSSH)
108 return openssh_write(filename, key, passphrase);
109 if (type == SSH_KEYTYPE_SSHCOM)
110 return sshcom_write(filename, key, passphrase);
115 /* ----------------------------------------------------------------------
116 * Helper routines. (The base64 ones are defined in sshpubk.c.)
119 #define isbase64(c) ( ((c) >= 'A' && (c) <= 'Z') || \
120 ((c) >= 'a' && (c) <= 'z') || \
121 ((c) >= '0' && (c) <= '9') || \
122 (c) == '+' || (c) == '/' || (c) == '=' \
125 extern int base64_decode_atom(char *atom, unsigned char *out);
126 extern int base64_lines(int datalen);
127 extern void base64_encode_atom(unsigned char *data, int n, char *out);
128 extern void base64_encode(FILE * fp, unsigned char *data, int datalen);
131 * Read an ASN.1/BER identifier and length pair.
133 * Flags are a combination of the #defines listed below.
135 * Returns -1 if unsuccessful; otherwise returns the number of
136 * bytes used out of the source data.
139 /* ASN.1 tag classes. */
140 #define ASN1_CLASS_UNIVERSAL (0 << 6)
141 #define ASN1_CLASS_APPLICATION (1 << 6)
142 #define ASN1_CLASS_CONTEXT_SPECIFIC (2 << 6)
143 #define ASN1_CLASS_PRIVATE (3 << 6)
144 #define ASN1_CLASS_MASK (3 << 6)
146 /* Primitive versus constructed bit. */
147 #define ASN1_CONSTRUCTED (1 << 5)
149 int ber_read_id_len(void *source, int sourcelen,
150 int *id, int *length, int *flags)
152 unsigned char *p = (unsigned char *) source;
157 *flags = (*p & 0xE0);
158 if ((*p & 0x1F) == 0x1F) {
161 *id = (*id << 7) | (*p & 0x7F);
166 *id = (*id << 7) | (*p & 0x7F);
183 *length = (*length << 8) | (*p++);
190 return p - (unsigned char *) source;
193 static int put_string(void *target, void *data, int len)
195 unsigned char *d = (unsigned char *)target;
198 memcpy(d+4, data, len);
202 static int put_mp(void *target, void *data, int len)
204 unsigned char *d = (unsigned char *)target;
205 unsigned char *i = (unsigned char *)data;
210 memcpy(d+5, data, len);
214 memcpy(d+4, data, len);
219 /* ----------------------------------------------------------------------
220 * Code to read OpenSSH private keys.
223 enum { OSSH_DSA, OSSH_RSA };
228 unsigned char *keyblob;
229 int keyblob_len, keyblob_size;
232 struct openssh_key *load_openssh_key(char *filename)
234 struct openssh_key *ret;
240 int base64_chars = 0;
242 ret = smalloc(sizeof(*ret));
244 ret->keyblob_len = ret->keyblob_size = 0;
246 memset(ret->iv, 0, sizeof(ret->iv));
248 fp = fopen(filename, "r");
250 errmsg = "Unable to open key file";
253 if (!fgets(buffer, sizeof(buffer), fp) ||
254 0 != strncmp(buffer, "-----BEGIN ", 11) ||
255 0 != strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n")) {
256 errmsg = "File does not begin with OpenSSH key header";
259 if (!strcmp(buffer, "-----BEGIN RSA PRIVATE KEY-----\n"))
260 ret->type = OSSH_RSA;
261 else if (!strcmp(buffer, "-----BEGIN DSA PRIVATE KEY-----\n"))
262 ret->type = OSSH_DSA;
264 errmsg = "Unrecognised key type";
270 if (!fgets(buffer, sizeof(buffer), fp)) {
271 errmsg = "Unexpected end of file";
274 if (0 == strncmp(buffer, "-----END ", 9) &&
275 0 == strcmp(buffer+strlen(buffer)-17, "PRIVATE KEY-----\n"))
277 if ((p = strchr(buffer, ':')) != NULL) {
279 errmsg = "Header found in body of key data";
283 while (*p && isspace((unsigned char)*p)) p++;
284 if (!strcmp(buffer, "Proc-Type")) {
285 if (p[0] != '4' || p[1] != ',') {
286 errmsg = "Proc-Type is not 4 (only 4 is supported)";
290 if (!strcmp(p, "ENCRYPTED\n"))
292 } else if (!strcmp(buffer, "DEK-Info")) {
295 if (strncmp(p, "DES-EDE3-CBC,", 13)) {
296 errmsg = "Ciphers other than DES-EDE3-CBC not supported";
300 for (i = 0; i < 8; i++) {
301 if (1 != sscanf(p, "%2x", &j))
307 errmsg = "Expected 16-digit iv in DEK-Info";
315 while (isbase64(*p)) {
316 base64_bit[base64_chars++] = *p;
317 if (base64_chars == 4) {
318 unsigned char out[3];
323 len = base64_decode_atom(base64_bit, out);
326 errmsg = "Invalid base64 encoding";
330 if (ret->keyblob_len + len > ret->keyblob_size) {
331 ret->keyblob_size = ret->keyblob_len + len + 256;
332 ret->keyblob = srealloc(ret->keyblob, ret->keyblob_size);
335 memcpy(ret->keyblob + ret->keyblob_len, out, len);
336 ret->keyblob_len += len;
338 memset(out, 0, sizeof(out));
346 if (ret->keyblob_len == 0 || !ret->keyblob) {
347 errmsg = "Key body not present";
351 if (ret->encrypted && ret->keyblob_len % 8 != 0) {
352 errmsg = "Encrypted key blob is not a multiple of cipher block size";
356 memset(buffer, 0, sizeof(buffer));
357 memset(base64_bit, 0, sizeof(base64_bit));
361 memset(buffer, 0, sizeof(buffer));
362 memset(base64_bit, 0, sizeof(base64_bit));
365 memset(ret->keyblob, 0, ret->keyblob_size);
368 memset(&ret, 0, sizeof(ret));
374 int openssh_encrypted(char *filename)
376 struct openssh_key *key = load_openssh_key(filename);
381 ret = key->encrypted;
382 memset(key->keyblob, 0, key->keyblob_size);
384 memset(&key, 0, sizeof(key));
389 struct ssh2_userkey *openssh_read(char *filename, char *passphrase)
391 struct openssh_key *key = load_openssh_key(filename);
392 struct ssh2_userkey *retkey;
394 int ret, id, len, flags;
396 struct ssh2_userkey *retval = NULL;
399 int blobsize, blobptr, privptr;
406 if (key->encrypted) {
408 * Derive encryption key from passphrase and iv/salt:
410 * - let block A equal MD5(passphrase || iv)
411 * - let block B equal MD5(A || passphrase || iv)
412 * - block C would be MD5(B || passphrase || iv) and so on
413 * - encryption key is the first N bytes of A || B
415 struct MD5Context md5c;
416 unsigned char keybuf[32];
419 MD5Update(&md5c, passphrase, strlen(passphrase));
420 MD5Update(&md5c, key->iv, 8);
421 MD5Final(keybuf, &md5c);
424 MD5Update(&md5c, keybuf, 16);
425 MD5Update(&md5c, passphrase, strlen(passphrase));
426 MD5Update(&md5c, key->iv, 8);
427 MD5Final(keybuf+16, &md5c);
430 * Now decrypt the key blob.
432 des3_decrypt_pubkey_ossh(keybuf, key->iv,
433 key->keyblob, key->keyblob_len);
435 memset(&md5c, 0, sizeof(md5c));
436 memset(keybuf, 0, sizeof(keybuf));
440 * Now we have a decrypted key blob, which contains an ASN.1
441 * encoded private key. We must now untangle the ASN.1.
443 * We expect the whole key blob to be formatted as a SEQUENCE
444 * (0x30 followed by a length code indicating that the rest of
445 * the blob is part of the sequence). Within that SEQUENCE we
446 * expect to see a bunch of INTEGERs. What those integers mean
447 * depends on the key type:
449 * - For RSA, we expect the integers to be 0, n, e, d, p, q,
450 * dmp1, dmq1, iqmp in that order. (The last three are d mod
451 * (p-1), d mod (q-1), inverse of q mod p respectively.)
453 * - For DSA, we expect them to be 0, p, q, g, y, x in that
459 /* Expect the SEQUENCE header. Take its absence as a failure to decrypt. */
460 ret = ber_read_id_len(p, key->keyblob_len, &id, &len, &flags);
462 if (ret < 0 || id != 16) {
463 errmsg = "ASN.1 decoding failure";
464 retval = SSH2_WRONG_PASSPHRASE;
468 /* Expect a load of INTEGERs. */
469 if (key->type == OSSH_RSA)
471 else if (key->type == OSSH_DSA)
475 * Space to create key blob in.
477 blobsize = 256+key->keyblob_len;
478 blob = smalloc(blobsize);
480 if (key->type == OSSH_DSA)
481 memcpy(blob+4, "ssh-dss", 7);
482 else if (key->type == OSSH_RSA)
483 memcpy(blob+4, "ssh-rsa", 7);
487 for (i = 0; i < num_integers; i++) {
488 ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p,
491 if (ret < 0 || id != 2 ||
492 key->keyblob+key->keyblob_len-p < len) {
493 errmsg = "ASN.1 decoding failure";
499 * The first integer should be zero always (I think
500 * this is some sort of version indication).
502 if (len != 1 || p[0] != 0) {
503 errmsg = "Version number mismatch";
506 } else if (key->type == OSSH_RSA) {
508 * Integers 1 and 2 go into the public blob but in the
509 * opposite order; integers 3, 4, 5 and 8 go into the
510 * private blob. The other two (6 and 7) are ignored.
513 /* Save the details for after we deal with number 2. */
516 } else if (i != 6 && i != 7) {
517 PUT_32BIT(blob+blobptr, len);
518 memcpy(blob+blobptr+4, p, len);
521 PUT_32BIT(blob+blobptr, modlen);
522 memcpy(blob+blobptr+4, modptr, modlen);
527 } else if (key->type == OSSH_DSA) {
529 * Integers 1-4 go into the public blob; integer 5 goes
530 * into the private blob.
532 PUT_32BIT(blob+blobptr, len);
533 memcpy(blob+blobptr+4, p, len);
539 /* Skip past the number. */
544 * Now put together the actual key. Simplest way to do this is
545 * to assemble our own key blobs and feed them to the createkey
546 * functions; this is a bit faffy but it does mean we get all
547 * the sanity checks for free.
549 assert(privptr > 0); /* should have bombed by now if not */
550 retkey = smalloc(sizeof(struct ssh2_userkey));
551 retkey->alg = (key->type == OSSH_RSA ? &ssh_rsa : &ssh_dss);
552 retkey->data = retkey->alg->createkey(blob, privptr,
553 blob+privptr, blobptr-privptr);
556 errmsg = "unable to create key data structure";
560 retkey->comment = dupstr("imported-openssh-key");
561 errmsg = NULL; /* no error */
566 memset(blob, 0, blobsize);
569 memset(key->keyblob, 0, key->keyblob_size);
571 memset(&key, 0, sizeof(key));
576 /* ----------------------------------------------------------------------
577 * Code to read ssh.com private keys.
581 * The format of the base64 blob is largely ssh2-packet-formatted,
582 * except that mpints are a bit different: they're more like the
583 * old ssh1 mpint. You have a 32-bit bit count N, followed by
584 * (N+7)/8 bytes of data.
586 * So. The blob contains:
588 * - uint32 0x3f6ff9eb (magic number)
589 * - uint32 size (total blob size)
590 * - string key-type (see below)
591 * - string cipher-type (tells you if key is encrypted)
592 * - string encrypted-blob
594 * (The first size field includes the size field itself and the
595 * magic number before it. All other size fields are ordinary ssh2
596 * strings, so the size field indicates how much data is to
599 * The encrypted blob, once decrypted, contains a single string
600 * which in turn contains the payload. (This allows padding to be
601 * added after that string while still making it clear where the
602 * real payload ends. Also it probably makes for a reasonable
605 * The payload blob, for an RSA key, contains:
608 * - mpint n (yes, the public and private stuff is intermixed)
609 * - mpint u (presumably inverse of p mod q)
610 * - mpint p (p is the smaller prime)
611 * - mpint q (q is the larger)
613 * For a DSA key, the payload blob contains:
621 * Alternatively, if the parameters are `predefined', that
622 * (0,p,g,q) sequence can be replaced by a uint32 1 and a string
623 * containing some predefined parameter specification. *shudder*,
624 * but I doubt we'll encounter this in real life.
626 * The key type strings are ghastly. The RSA key I looked at had a
629 * `if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}'
631 * and the DSA key wasn't much better:
633 * `dl-modp{sign{dsa-nist-sha1},dh{plain}}'
635 * It isn't clear that these will always be the same. I think it
636 * might be wise just to look at the `if-modn{sign{rsa' and
637 * `dl-modp{sign{dsa' prefixes.
639 * Finally, the encryption. The cipher-type string appears to be
640 * either `none' or `3des-cbc'. Looks as if this is SSH2-style
641 * 3des-cbc (i.e. outer cbc rather than inner). The key is created
642 * from the passphrase by means of yet another hashing faff:
644 * - first 16 bytes are MD5(passphrase)
645 * - next 16 bytes are MD5(passphrase || first 16 bytes)
646 * - if there were more, they'd be MD5(passphrase || first 32),
651 char comment[256]; /* allowing any length is overkill */
652 unsigned char *keyblob;
653 int keyblob_len, keyblob_size;
656 struct sshcom_key *load_sshcom_key(char *filename)
658 struct sshcom_key *ret;
665 int base64_chars = 0;
667 ret = smalloc(sizeof(*ret));
668 ret->comment[0] = '\0';
670 ret->keyblob_len = ret->keyblob_size = 0;
672 fp = fopen(filename, "r");
674 errmsg = "Unable to open key file";
677 if (!fgets(buffer, sizeof(buffer), fp) ||
678 0 != strcmp(buffer, "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n")) {
679 errmsg = "File does not begin with ssh.com key header";
685 if (!fgets(buffer, sizeof(buffer), fp)) {
686 errmsg = "Unexpected end of file";
689 if (!strcmp(buffer, "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n"))
691 if ((p = strchr(buffer, ':')) != NULL) {
693 errmsg = "Header found in body of key data";
697 while (*p && isspace((unsigned char)*p)) p++;
699 * Header lines can end in a trailing backslash for
702 while ((len = strlen(p)) > sizeof(buffer) - (p-buffer) -1 ||
703 p[len-1] != '\n' || p[len-2] == '\\') {
704 if (len > (p-buffer) + sizeof(buffer)-2) {
705 errmsg = "Header line too long to deal with";
708 if (!fgets(p+len-2, sizeof(buffer)-(p-buffer)-(len-2), fp)) {
709 errmsg = "Unexpected end of file";
713 p[strcspn(p, "\n")] = '\0';
714 if (!strcmp(buffer, "Comment")) {
715 /* Strip quotes in comment if present. */
716 if (p[0] == '"' && p[strlen(p)-1] == '"') {
718 p[strlen(p)-1] = '\0';
720 strncpy(ret->comment, p, sizeof(ret->comment));
721 ret->comment[sizeof(ret->comment)-1] = '\0';
727 while (isbase64(*p)) {
728 base64_bit[base64_chars++] = *p;
729 if (base64_chars == 4) {
730 unsigned char out[3];
734 len = base64_decode_atom(base64_bit, out);
737 errmsg = "Invalid base64 encoding";
741 if (ret->keyblob_len + len > ret->keyblob_size) {
742 ret->keyblob_size = ret->keyblob_len + len + 256;
743 ret->keyblob = srealloc(ret->keyblob, ret->keyblob_size);
746 memcpy(ret->keyblob + ret->keyblob_len, out, len);
747 ret->keyblob_len += len;
755 if (ret->keyblob_len == 0 || !ret->keyblob) {
756 errmsg = "Key body not present";
765 memset(ret->keyblob, 0, ret->keyblob_size);
768 memset(&ret, 0, sizeof(ret));
774 int sshcom_encrypted(char *filename, char **comment)
776 struct sshcom_key *key = load_sshcom_key(filename);
777 int pos, len, answer;
784 * Check magic number.
786 if (GET_32BIT(key->keyblob) != 0x3f6ff9eb)
787 return 0; /* key is invalid */
790 * Find the cipher-type string.
794 if (key->keyblob_len < pos+4)
795 goto done; /* key is far too short */
796 pos += 4 + GET_32BIT(key->keyblob + pos); /* skip key type */
797 if (key->keyblob_len < pos+4)
798 goto done; /* key is far too short */
799 len = GET_32BIT(key->keyblob + pos); /* find cipher-type length */
800 if (key->keyblob_len < pos+4+len)
801 goto done; /* cipher type string is incomplete */
802 if (len != 4 || 0 != memcmp(key->keyblob + pos + 4, "none", 4))
806 *comment = dupstr(key->comment);
807 memset(key->keyblob, 0, key->keyblob_size);
809 memset(&key, 0, sizeof(key));
814 struct mpint_pos { void *start; int bytes; };
816 int sshcom_read_mpint(void *data, int len, struct mpint_pos *ret)
820 unsigned char *d = (unsigned char *) data;
826 bytes = (bits + 7) / 8;
837 return len; /* ensure further calls fail as well */
840 struct ssh2_userkey *sshcom_read(char *filename, char *passphrase)
842 struct sshcom_key *key = load_sshcom_key(filename);
845 const char prefix_rsa[] = "if-modn{sign{rsa";
846 const char prefix_dsa[] = "dl-modp{sign{dsa";
847 enum { RSA, DSA } type;
851 struct ssh2_userkey *ret = NULL, *retkey;
852 const struct ssh_signkey *alg;
853 unsigned char *blob = NULL;
854 int blobsize, publen, privlen;
860 * Check magic number.
862 if (GET_32BIT(key->keyblob) != 0x3f6ff9eb) {
863 errmsg = "Key does not begin with magic number";
868 * Determine the key type.
871 if (key->keyblob_len < pos+4 ||
872 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) {
873 errmsg = "Key blob does not contain a key type string";
876 if (len > sizeof(prefix_rsa) - 1 &&
877 !memcmp(key->keyblob+pos+4, prefix_rsa, sizeof(prefix_rsa) - 1)) {
879 } else if (len > sizeof(prefix_dsa) - 1 &&
880 !memcmp(key->keyblob+pos+4, prefix_dsa, sizeof(prefix_dsa) - 1)) {
883 errmsg = "Key is of unknown type";
889 * Determine the cipher type.
891 if (key->keyblob_len < pos+4 ||
892 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) {
893 errmsg = "Key blob does not contain a cipher type string";
896 if (len == 4 && !memcmp(key->keyblob+pos+4, "none", 4))
898 else if (len == 8 && !memcmp(key->keyblob+pos+4, "3des-cbc", 8))
901 errmsg = "Key encryption is of unknown type";
907 * Get hold of the encrypted part of the key.
909 if (key->keyblob_len < pos+4 ||
910 (len = GET_32BIT(key->keyblob + pos)) > key->keyblob_len - pos - 4) {
911 errmsg = "Key blob does not contain actual key data";
914 ciphertext = key->keyblob + pos + 4;
916 if (cipherlen == 0) {
917 errmsg = "Length of key data is zero";
922 * Decrypt it if necessary.
926 * Derive encryption key from passphrase and iv/salt:
928 * - let block A equal MD5(passphrase)
929 * - let block B equal MD5(passphrase || A)
930 * - block C would be MD5(passphrase || A || B) and so on
931 * - encryption key is the first N bytes of A || B
933 struct MD5Context md5c;
934 unsigned char keybuf[32], iv[8];
936 if (cipherlen % 8 != 0) {
937 errmsg = "Encrypted part of key is not a multiple of cipher block"
943 MD5Update(&md5c, passphrase, strlen(passphrase));
944 MD5Final(keybuf, &md5c);
947 MD5Update(&md5c, passphrase, strlen(passphrase));
948 MD5Update(&md5c, keybuf, 16);
949 MD5Final(keybuf+16, &md5c);
952 * Now decrypt the key blob.
954 memset(iv, 0, sizeof(iv));
955 des3_decrypt_pubkey_ossh(keybuf, iv, ciphertext, cipherlen);
957 memset(&md5c, 0, sizeof(md5c));
958 memset(keybuf, 0, sizeof(keybuf));
961 * Hereafter we return WRONG_PASSPHRASE for any parsing
962 * error. (But only if we've just tried to decrypt it!
963 * Returning WRONG_PASSPHRASE for an unencrypted key is
967 ret = SSH2_WRONG_PASSPHRASE;
971 * Strip away the containing string to get to the real meat.
973 len = GET_32BIT(ciphertext);
974 if (len > cipherlen-4) {
975 errmsg = "containing string was ill-formed";
982 * Now we break down into RSA versus DSA. In either case we'll
983 * construct public and private blobs in our own format, and
984 * end up feeding them to alg->createkey().
986 blobsize = cipherlen + 256;
987 blob = smalloc(blobsize);
990 struct mpint_pos n, e, d, u, p, q;
992 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &e);
993 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &d);
994 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &n);
995 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &u);
996 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p);
997 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q);
999 errmsg = "key data did not contain six integers";
1005 pos += put_string(blob+pos, "ssh-rsa", 7);
1006 pos += put_mp(blob+pos, e.start, e.bytes);
1007 pos += put_mp(blob+pos, n.start, n.bytes);
1009 pos += put_string(blob+pos, d.start, d.bytes);
1010 pos += put_mp(blob+pos, q.start, q.bytes);
1011 pos += put_mp(blob+pos, p.start, p.bytes);
1012 pos += put_mp(blob+pos, u.start, u.bytes);
1013 privlen = pos - publen;
1014 } else if (type == DSA) {
1015 struct mpint_pos p, q, g, x, y;
1017 if (GET_32BIT(ciphertext) != 0) {
1018 errmsg = "predefined DSA parameters not supported";
1021 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &p);
1022 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &g);
1023 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &q);
1024 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &y);
1025 pos += sshcom_read_mpint(ciphertext+pos, cipherlen-pos, &x);
1027 errmsg = "key data did not contain five integers";
1033 pos += put_string(blob+pos, "ssh-dss", 7);
1034 pos += put_mp(blob+pos, p.start, p.bytes);
1035 pos += put_mp(blob+pos, q.start, q.bytes);
1036 pos += put_mp(blob+pos, g.start, g.bytes);
1037 pos += put_mp(blob+pos, y.start, y.bytes);
1039 pos += put_mp(blob+pos, x.start, x.bytes);
1040 privlen = pos - publen;
1043 assert(privlen > 0); /* should have bombed by now if not */
1045 retkey = smalloc(sizeof(struct ssh2_userkey));
1047 retkey->data = alg->createkey(blob, publen, blob+publen, privlen);
1048 if (!retkey->data) {
1050 errmsg = "unable to create key data structure";
1053 retkey->comment = dupstr(key->comment);
1055 errmsg = NULL; /* no error */
1060 memset(blob, 0, blobsize);
1063 memset(key->keyblob, 0, key->keyblob_size);
1064 sfree(key->keyblob);
1065 memset(&key, 0, sizeof(key));