2 * Generic SSH public-key handling operations. In particular,
3 * reading of SSH public-key files, and also the generic `sign'
4 * operation for SSH-2 (which checks the type of the key and
5 * dispatches to the appropriate key-type specific function).
16 #define rsa_signature "SSH PRIVATE KEY FILE FORMAT 1.1\n"
18 #define BASE64_TOINT(x) ( (x)-'A'<26 ? (x)-'A'+0 :\
19 (x)-'a'<26 ? (x)-'a'+26 :\
20 (x)-'0'<10 ? (x)-'0'+52 :\
24 static int key_type_fp(FILE *fp);
26 static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
27 char **commentptr, const char *passphrase,
30 unsigned char buf[16384];
31 unsigned char keybuf[16];
35 struct MD5Context md5c;
40 /* Slurp the whole file (minus the header) into a buffer. */
41 len = fread(buf, 1, sizeof(buf), fp);
43 if (len < 0 || len == sizeof(buf)) {
44 *error = "error reading file";
45 goto end; /* file too big or not read */
49 *error = "file format error";
52 * A zero byte. (The signature includes a terminating NUL.)
54 if (len - i < 1 || buf[i] != 0)
58 /* One byte giving encryption type, and one reserved uint32. */
62 if (ciphertype != 0 && ciphertype != SSH_CIPHER_3DES)
66 goto end; /* reserved field not present */
67 if (buf[i] != 0 || buf[i + 1] != 0 || buf[i + 2] != 0
68 || buf[i + 3] != 0) goto end; /* reserved field nonzero, panic! */
71 /* Now the serious stuff. An ordinary SSH-1 public key. */
72 j = makekey(buf + i, len - i, key, NULL, 1);
74 goto end; /* overran */
77 /* Next, the comment field. */
78 j = toint(GET_32BIT(buf + i));
80 if (j < 0 || len - i < j)
82 comment = snewn(j + 1, char);
84 memcpy(comment, buf + i, j);
89 *commentptr = dupstr(comment);
91 key->comment = comment;
101 ret = ciphertype != 0;
107 * Decrypt remainder of buffer.
111 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
112 MD5Final(keybuf, &md5c);
113 des3_decrypt_pubkey(keybuf, buf + i, (len - i + 7) & ~7);
114 smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
118 * We are now in the secret part of the key. The first four
119 * bytes should be of the form a, b, a, b.
123 if (buf[i] != buf[i + 2] || buf[i + 1] != buf[i + 3]) {
124 *error = "wrong passphrase";
131 * After that, we have one further bignum which is our
132 * decryption exponent, and then the three auxiliary values
135 j = makeprivate(buf + i, len - i, key);
138 j = ssh1_read_bignum(buf + i, len - i, &key->iqmp);
141 j = ssh1_read_bignum(buf + i, len - i, &key->q);
144 j = ssh1_read_bignum(buf + i, len - i, &key->p);
148 if (!rsa_verify(key)) {
149 *error = "rsa_verify failed";
156 smemclr(buf, sizeof(buf)); /* burn the evidence */
160 int loadrsakey(const Filename *filename, struct RSAKey *key,
161 const char *passphrase, const char **errorstr)
166 const char *error = NULL;
168 fp = f_open(filename, "rb", FALSE);
170 error = "can't open file";
175 * Read the first line of the file and see if it's a v1 private
178 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
180 * This routine will take care of calling fclose() for us.
182 ret = loadrsakey_main(fp, key, FALSE, NULL, passphrase, &error);
188 * Otherwise, we have nothing. Return empty-handed.
190 error = "not an SSH-1 RSA file";
195 if ((ret != 1) && errorstr)
201 * See whether an RSA key is encrypted. Return its comment field as
204 int rsakey_encrypted(const Filename *filename, char **comment)
209 fp = f_open(filename, "rb", FALSE);
211 return 0; /* doesn't even exist */
214 * Read the first line of the file and see if it's a v1 private
217 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
220 * This routine will take care of calling fclose() for us.
222 return loadrsakey_main(fp, NULL, FALSE, comment, NULL, &dummy);
225 return 0; /* wasn't the right kind of file */
229 * Return a malloc'ed chunk of memory containing the public blob of
230 * an RSA key, as given in the agent protocol (modulus bits,
231 * exponent, modulus).
233 int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
234 char **commentptr, const char **errorstr)
240 const char *error = NULL;
242 /* Default return if we fail. */
247 fp = f_open(filename, "rb", FALSE);
249 error = "can't open file";
254 * Read the first line of the file and see if it's a v1 private
257 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
258 memset(&key, 0, sizeof(key));
259 if (loadrsakey_main(fp, &key, TRUE, commentptr, NULL, &error)) {
260 *blob = rsa_public_blob(&key, bloblen);
264 fp = NULL; /* loadrsakey_main unconditionally closes fp */
267 * Try interpreting the file as an SSH-1 public key.
269 char *line, *p, *bitsp, *expp, *modp, *commentp;
272 line = chomp(fgetline(fp));
276 p += strspn(p, "0123456789");
278 goto not_public_either;
282 p += strspn(p, "0123456789");
284 goto not_public_either;
288 p += strspn(p, "0123456789");
291 goto not_public_either;
298 memset(&key, 0, sizeof(key));
299 key.exponent = bignum_from_decimal(expp);
300 key.modulus = bignum_from_decimal(modp);
301 if (atoi(bitsp) != bignum_bitcount(key.modulus)) {
302 freebn(key.exponent);
305 error = "key bit count does not match in SSH-1 public key file";
309 *commentptr = commentp ? dupstr(commentp) : NULL;
310 *blob = rsa_public_blob(&key, bloblen);
318 error = "not an SSH-1 RSA file";
324 if ((ret != 1) && errorstr)
330 * Save an RSA key file. Return nonzero on success.
332 int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase)
334 unsigned char buf[16384];
335 unsigned char keybuf[16];
336 struct MD5Context md5c;
337 unsigned char *p, *estart;
341 * Write the initial signature.
344 memcpy(p, rsa_signature, sizeof(rsa_signature));
345 p += sizeof(rsa_signature);
348 * One byte giving encryption type, and one reserved (zero)
351 *p++ = (passphrase ? SSH_CIPHER_3DES : 0);
356 * An ordinary SSH-1 public key consists of: a uint32
357 * containing the bit count, then two bignums containing the
358 * modulus and exponent respectively.
360 PUT_32BIT(p, bignum_bitcount(key->modulus));
362 p += ssh1_write_bignum(p, key->modulus);
363 p += ssh1_write_bignum(p, key->exponent);
366 * A string containing the comment field.
369 PUT_32BIT(p, strlen(key->comment));
371 memcpy(p, key->comment, strlen(key->comment));
372 p += strlen(key->comment);
379 * The encrypted portion starts here.
384 * Two bytes, then the same two bytes repeated.
386 *p++ = random_byte();
387 *p++ = random_byte();
393 * Four more bignums: the decryption exponent, then iqmp, then
396 p += ssh1_write_bignum(p, key->private_exponent);
397 p += ssh1_write_bignum(p, key->iqmp);
398 p += ssh1_write_bignum(p, key->q);
399 p += ssh1_write_bignum(p, key->p);
402 * Now write zeros until the encrypted portion is a multiple of
405 while ((p - estart) % 8)
409 * Now encrypt the encrypted portion.
413 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
414 MD5Final(keybuf, &md5c);
415 des3_encrypt_pubkey(keybuf, estart, p - estart);
416 smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
420 * Done. Write the result to the file.
422 fp = f_open(filename, "wb", TRUE);
424 int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf));
432 /* ----------------------------------------------------------------------
433 * SSH-2 private key load/store functions.
437 * PuTTY's own format for SSH-2 keys is as follows:
439 * The file is text. Lines are terminated by CRLF, although CR-only
440 * and LF-only are tolerated on input.
442 * The first line says "PuTTY-User-Key-File-2: " plus the name of the
443 * algorithm ("ssh-dss", "ssh-rsa" etc).
445 * The next line says "Encryption: " plus an encryption type.
446 * Currently the only supported encryption types are "aes256-cbc"
449 * The next line says "Comment: " plus the comment string.
451 * Next there is a line saying "Public-Lines: " plus a number N.
452 * The following N lines contain a base64 encoding of the public
453 * part of the key. This is encoded as the standard SSH-2 public key
454 * blob (with no initial length): so for RSA, for example, it will
461 * Next, there is a line saying "Private-Lines: " plus a number N,
462 * and then N lines containing the (potentially encrypted) private
463 * part of the key. For the key type "ssh-rsa", this will be
466 * mpint private_exponent
467 * mpint p (the larger of the two primes)
468 * mpint q (the smaller prime)
469 * mpint iqmp (the inverse of q modulo p)
470 * data padding (to reach a multiple of the cipher block size)
472 * And for "ssh-dss", it will be composed of
474 * mpint x (the private key parameter)
475 * [ string hash 20-byte hash of mpints p || q || g only in old format ]
477 * Finally, there is a line saying "Private-MAC: " plus a hex
478 * representation of a HMAC-SHA-1 of:
480 * string name of algorithm ("ssh-dss", "ssh-rsa")
481 * string encryption type
484 * string private-plaintext (the plaintext version of the
485 * private part, including the final
488 * The key to the MAC is itself a SHA-1 hash of:
490 * data "putty-private-key-file-mac-key"
493 * (An empty passphrase is used for unencrypted keys.)
495 * If the key is encrypted, the encryption key is derived from the
496 * passphrase by means of a succession of SHA-1 hashes. Each hash
499 * uint32 sequence-number
502 * where the sequence-number increases from zero. As many of these
503 * hashes are used as necessary.
505 * For backwards compatibility with snapshots between 0.51 and
506 * 0.52, we also support the older key file format, which begins
507 * with "PuTTY-User-Key-File-1" (version number differs). In this
508 * format the Private-MAC: field only covers the private-plaintext
509 * field and nothing else (and without the 4-byte string length on
510 * the front too). Moreover, the Private-MAC: field can be replaced
511 * with a Private-Hash: field which is a plain SHA-1 hash instead of
512 * an HMAC (this was generated for unencrypted keys).
515 static int read_header(FILE * fp, char *header)
522 if (c == '\n' || c == '\r' || c == EOF)
523 return 0; /* failure */
529 return 1; /* success! */
532 return 0; /* failure */
536 return 0; /* failure */
539 static char *read_body(FILE * fp)
547 text = snewn(size, char);
553 if (c == '\r' || c == '\n' || c == EOF) {
556 if (c != '\r' && c != '\n')
561 if (len + 1 >= size) {
563 text = sresize(text, size, char);
570 static unsigned char *read_blob(FILE * fp, int nlines, int *bloblen)
577 /* We expect at most 64 base64 characters, ie 48 real bytes, per line. */
578 blob = snewn(48 * nlines, unsigned char);
580 for (i = 0; i < nlines; i++) {
581 line = read_body(fp);
586 linelen = strlen(line);
587 if (linelen % 4 != 0 || linelen > 64) {
592 for (j = 0; j < linelen; j += 4) {
593 k = base64_decode_atom(line + j, blob + len);
608 * Magic error return value for when the passphrase is wrong.
610 struct ssh2_userkey ssh2_wrong_passphrase = {
614 const struct ssh_signkey *find_pubkey_alg_len(int namelen, const char *name)
616 if (match_ssh_id(namelen, name, "ssh-rsa"))
618 else if (match_ssh_id(namelen, name, "ssh-dss"))
620 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp256"))
621 return &ssh_ecdsa_nistp256;
622 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp384"))
623 return &ssh_ecdsa_nistp384;
624 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp521"))
625 return &ssh_ecdsa_nistp521;
626 else if (match_ssh_id(namelen, name, "ssh-ed25519"))
627 return &ssh_ecdsa_ed25519;
632 const struct ssh_signkey *find_pubkey_alg(const char *name)
634 return find_pubkey_alg_len(strlen(name), name);
637 struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
638 const char *passphrase,
639 const char **errorstr)
642 char header[40], *b, *encryption, *comment, *mac;
643 const struct ssh_signkey *alg;
644 struct ssh2_userkey *ret;
645 int cipher, cipherblk;
646 unsigned char *public_blob, *private_blob;
647 int public_blob_len, private_blob_len;
648 int i, is_mac, old_fmt;
649 int passlen = passphrase ? strlen(passphrase) : 0;
650 const char *error = NULL;
652 ret = NULL; /* return NULL for most errors */
653 encryption = comment = mac = NULL;
654 public_blob = private_blob = NULL;
656 fp = f_open(filename, "rb", FALSE);
658 error = "can't open file";
662 /* Read the first header line which contains the key type. */
663 if (!read_header(fp, header))
665 if (0 == strcmp(header, "PuTTY-User-Key-File-2")) {
667 } else if (0 == strcmp(header, "PuTTY-User-Key-File-1")) {
668 /* this is an old key file; warn and then continue */
669 old_keyfile_warning();
671 } else if (0 == strncmp(header, "PuTTY-User-Key-File-", 20)) {
672 /* this is a key file FROM THE FUTURE; refuse it, but with a
673 * more specific error message than the generic one below */
674 error = "PuTTY key format too new";
677 error = "not a PuTTY SSH-2 private key";
680 error = "file format error";
681 if ((b = read_body(fp)) == NULL)
683 /* Select key algorithm structure. */
684 alg = find_pubkey_alg(b);
691 /* Read the Encryption header line. */
692 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption"))
694 if ((encryption = read_body(fp)) == NULL)
696 if (!strcmp(encryption, "aes256-cbc")) {
699 } else if (!strcmp(encryption, "none")) {
706 /* Read the Comment header line. */
707 if (!read_header(fp, header) || 0 != strcmp(header, "Comment"))
709 if ((comment = read_body(fp)) == NULL)
712 /* Read the Public-Lines header line and the public blob. */
713 if (!read_header(fp, header) || 0 != strcmp(header, "Public-Lines"))
715 if ((b = read_body(fp)) == NULL)
719 if ((public_blob = read_blob(fp, i, &public_blob_len)) == NULL)
722 /* Read the Private-Lines header line and the Private blob. */
723 if (!read_header(fp, header) || 0 != strcmp(header, "Private-Lines"))
725 if ((b = read_body(fp)) == NULL)
729 if ((private_blob = read_blob(fp, i, &private_blob_len)) == NULL)
732 /* Read the Private-MAC or Private-Hash header line. */
733 if (!read_header(fp, header))
735 if (0 == strcmp(header, "Private-MAC")) {
736 if ((mac = read_body(fp)) == NULL)
739 } else if (0 == strcmp(header, "Private-Hash") && old_fmt) {
740 if ((mac = read_body(fp)) == NULL)
750 * Decrypt the private blob.
753 unsigned char key[40];
758 if (private_blob_len % cipherblk)
762 SHA_Bytes(&s, "\0\0\0\0", 4);
763 SHA_Bytes(&s, passphrase, passlen);
764 SHA_Final(&s, key + 0);
766 SHA_Bytes(&s, "\0\0\0\1", 4);
767 SHA_Bytes(&s, passphrase, passlen);
768 SHA_Final(&s, key + 20);
769 aes256_decrypt_pubkey(key, private_blob, private_blob_len);
777 unsigned char binary[20];
778 unsigned char *macdata;
783 /* MAC (or hash) only covers the private blob. */
784 macdata = private_blob;
785 maclen = private_blob_len;
789 int namelen = strlen(alg->name);
790 int enclen = strlen(encryption);
791 int commlen = strlen(comment);
792 maclen = (4 + namelen +
795 4 + public_blob_len +
796 4 + private_blob_len);
797 macdata = snewn(maclen, unsigned char);
799 #define DO_STR(s,len) PUT_32BIT(p,(len));memcpy(p+4,(s),(len));p+=4+(len)
800 DO_STR(alg->name, namelen);
801 DO_STR(encryption, enclen);
802 DO_STR(comment, commlen);
803 DO_STR(public_blob, public_blob_len);
804 DO_STR(private_blob, private_blob_len);
811 unsigned char mackey[20];
812 char header[] = "putty-private-key-file-mac-key";
815 SHA_Bytes(&s, header, sizeof(header)-1);
816 if (cipher && passphrase)
817 SHA_Bytes(&s, passphrase, passlen);
818 SHA_Final(&s, mackey);
820 hmac_sha1_simple(mackey, 20, macdata, maclen, binary);
822 smemclr(mackey, sizeof(mackey));
823 smemclr(&s, sizeof(s));
825 SHA_Simple(macdata, maclen, binary);
829 smemclr(macdata, maclen);
833 for (i = 0; i < 20; i++)
834 sprintf(realmac + 2 * i, "%02x", binary[i]);
836 if (strcmp(mac, realmac)) {
837 /* An incorrect MAC is an unconditional Error if the key is
838 * unencrypted. Otherwise, it means Wrong Passphrase. */
840 error = "wrong passphrase";
841 ret = SSH2_WRONG_PASSPHRASE;
843 error = "MAC failed";
853 * Create and return the key.
855 ret = snew(struct ssh2_userkey);
857 ret->comment = comment;
858 ret->data = alg->createkey(alg, public_blob, public_blob_len,
859 private_blob, private_blob_len);
863 error = "createkey failed";
867 smemclr(private_blob, private_blob_len);
889 smemclr(private_blob, private_blob_len);
897 unsigned char *rfc4716_loadpub(FILE *fp, char **algorithm,
898 int *pub_blob_len, char **commentptr,
899 const char **errorstr)
902 char *line, *colon, *value;
903 char *comment = NULL;
904 unsigned char *pubblob = NULL;
905 int pubbloblen, pubblobsize;
907 unsigned char base64out[3];
911 line = chomp(fgetline(fp));
912 if (!line || 0 != strcmp(line, "---- BEGIN SSH2 PUBLIC KEY ----")) {
913 error = "invalid begin line in SSH-2 public key file";
916 sfree(line); line = NULL;
919 line = chomp(fgetline(fp));
921 error = "truncated SSH-2 public key file";
924 colon = strstr(line, ": ");
930 if (!strcmp(line, "Comment")) {
933 /* Remove containing double quotes, if present */
935 if (*p == '"' && p[strlen(p)-1] == '"') {
936 p[strlen(p)-1] = '\0';
940 /* Remove \-escaping, not in RFC4716 but seen in the wild
942 for (q = line; *p; p++) {
943 if (*p == '\\' && p[1])
949 sfree(comment); /* *just* in case of multiple Comment headers */
950 comment = dupstr(line);
951 } else if (!strcmp(line, "Subject") ||
952 !strncmp(line, "x-", 2)) {
953 /* Headers we recognise and ignore. Do nothing. */
955 error = "unrecognised header in SSH-2 public key file";
959 sfree(line); line = NULL;
963 * Now line contains the initial line of base64 data. Loop round
964 * while it still does contain base64.
967 pubblob = snewn(pubblobsize, unsigned char);
970 while (line && line[0] != '-') {
972 for (p = line; *p; p++) {
973 base64in[base64bytes++] = *p;
974 if (base64bytes == 4) {
975 int n = base64_decode_atom(base64in, base64out);
976 if (pubbloblen + n > pubblobsize) {
977 pubblobsize = (pubbloblen + n) * 5 / 4 + 1024;
978 pubblob = sresize(pubblob, pubblobsize, unsigned char);
980 memcpy(pubblob + pubbloblen, base64out, n);
985 sfree(line); line = NULL;
986 line = chomp(fgetline(fp));
990 * Finally, check the END line makes sense.
992 if (!line || 0 != strcmp(line, "---- END SSH2 PUBLIC KEY ----")) {
993 error = "invalid end line in SSH-2 public key file";
996 sfree(line); line = NULL;
999 * OK, we now have a public blob and optionally a comment. We must
1000 * return the key algorithm string too, so look for that at the
1001 * start of the public blob.
1003 if (pubbloblen < 4) {
1004 error = "not enough data in SSH-2 public key file";
1007 alglen = toint(GET_32BIT(pubblob));
1008 if (alglen < 0 || alglen > pubbloblen-4) {
1009 error = "invalid algorithm prefix in SSH-2 public key file";
1013 *algorithm = dupprintf("%.*s", alglen, pubblob+4);
1015 *pub_blob_len = pubbloblen;
1017 *commentptr = comment;
1031 unsigned char *openssh_loadpub(FILE *fp, char **algorithm,
1032 int *pub_blob_len, char **commentptr,
1033 const char **errorstr)
1036 char *line, *base64;
1037 char *comment = NULL;
1038 unsigned char *pubblob = NULL;
1039 int pubbloblen, pubblobsize;
1042 line = chomp(fgetline(fp));
1044 base64 = strchr(line, ' ');
1046 error = "no key blob in OpenSSH public key file";
1051 comment = strchr(base64, ' ');
1054 comment = dupstr(comment);
1057 pubblobsize = strlen(base64) / 4 * 3;
1058 pubblob = snewn(pubblobsize, unsigned char);
1061 while (!memchr(base64, '\0', 4)) {
1062 assert(pubbloblen + 3 <= pubblobsize);
1063 pubbloblen += base64_decode_atom(base64, pubblob + pubbloblen);
1067 error = "invalid length for base64 data in OpenSSH public key file";
1072 * Sanity check: the first word on the line should be the key
1073 * algorithm, and should match the encoded string at the start of
1076 alglen = strlen(line);
1077 if (pubbloblen < alglen + 4 ||
1078 GET_32BIT(pubblob) != alglen ||
1079 0 != memcmp(pubblob + 4, line, alglen)) {
1080 error = "key algorithms do not match in OpenSSH public key file";
1088 *algorithm = dupstr(line);
1090 *pub_blob_len = pubbloblen;
1092 *commentptr = comment;
1107 unsigned char *ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
1108 int *pub_blob_len, char **commentptr,
1109 const char **errorstr)
1112 char header[40], *b;
1113 const struct ssh_signkey *alg;
1114 unsigned char *public_blob;
1115 int public_blob_len;
1117 const char *error = NULL;
1118 char *comment = NULL;
1122 fp = f_open(filename, "rb", FALSE);
1124 error = "can't open file";
1128 /* Initially, check if this is a public-only key file. Sometimes
1129 * we'll be asked to read a public blob from one of those. */
1130 type = key_type_fp(fp);
1131 if (type == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716) {
1132 unsigned char *ret = rfc4716_loadpub(fp, algorithm, pub_blob_len,
1133 commentptr, errorstr);
1136 } else if (type == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
1137 unsigned char *ret = openssh_loadpub(fp, algorithm, pub_blob_len,
1138 commentptr, errorstr);
1141 } else if (type != SSH_KEYTYPE_SSH2) {
1142 error = "not a PuTTY SSH-2 private key";
1146 /* Read the first header line which contains the key type. */
1147 if (!read_header(fp, header)
1148 || (0 != strcmp(header, "PuTTY-User-Key-File-2") &&
1149 0 != strcmp(header, "PuTTY-User-Key-File-1"))) {
1150 if (0 == strncmp(header, "PuTTY-User-Key-File-", 20))
1151 error = "PuTTY key format too new";
1153 error = "not a PuTTY SSH-2 private key";
1156 error = "file format error";
1157 if ((b = read_body(fp)) == NULL)
1159 /* Select key algorithm structure. */
1160 alg = find_pubkey_alg(b);
1166 /* Read the Encryption header line. */
1167 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption"))
1169 if ((b = read_body(fp)) == NULL)
1171 sfree(b); /* we don't care */
1173 /* Read the Comment header line. */
1174 if (!read_header(fp, header) || 0 != strcmp(header, "Comment"))
1176 if ((comment = read_body(fp)) == NULL)
1180 *commentptr = comment;
1184 /* Read the Public-Lines header line and the public blob. */
1185 if (!read_header(fp, header) || 0 != strcmp(header, "Public-Lines"))
1187 if ((b = read_body(fp)) == NULL)
1191 if ((public_blob = read_blob(fp, i, &public_blob_len)) == NULL)
1196 *pub_blob_len = public_blob_len;
1198 *algorithm = dupstr(alg->name);
1211 if (comment && commentptr) {
1218 int ssh2_userkey_encrypted(const Filename *filename, char **commentptr)
1221 char header[40], *b, *comment;
1227 fp = f_open(filename, "rb", FALSE);
1230 if (!read_header(fp, header)
1231 || (0 != strcmp(header, "PuTTY-User-Key-File-2") &&
1232 0 != strcmp(header, "PuTTY-User-Key-File-1"))) {
1236 if ((b = read_body(fp)) == NULL) {
1240 sfree(b); /* we don't care about key type here */
1241 /* Read the Encryption header line. */
1242 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption")) {
1246 if ((b = read_body(fp)) == NULL) {
1251 /* Read the Comment header line. */
1252 if (!read_header(fp, header) || 0 != strcmp(header, "Comment")) {
1257 if ((comment = read_body(fp)) == NULL) {
1264 *commentptr = comment;
1269 if (!strcmp(b, "aes256-cbc"))
1277 int base64_lines(int datalen)
1279 /* When encoding, we use 64 chars/line, which equals 48 real chars. */
1280 return (datalen + 47) / 48;
1283 void base64_encode(FILE *fp, const unsigned char *data, int datalen, int cpl)
1289 while (datalen > 0) {
1290 n = (datalen < 3 ? datalen : 3);
1291 base64_encode_atom(data, n, out);
1294 for (i = 0; i < 4; i++) {
1295 if (linelen >= cpl) {
1306 int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
1310 unsigned char *pub_blob, *priv_blob, *priv_blob_encrypted;
1311 int pub_blob_len, priv_blob_len, priv_encrypted_len;
1315 const char *cipherstr;
1316 unsigned char priv_mac[20];
1319 * Fetch the key component blobs.
1321 pub_blob = key->alg->public_blob(key->data, &pub_blob_len);
1322 priv_blob = key->alg->private_blob(key->data, &priv_blob_len);
1323 if (!pub_blob || !priv_blob) {
1330 * Determine encryption details, and encrypt the private blob.
1333 cipherstr = "aes256-cbc";
1339 priv_encrypted_len = priv_blob_len + cipherblk - 1;
1340 priv_encrypted_len -= priv_encrypted_len % cipherblk;
1341 priv_blob_encrypted = snewn(priv_encrypted_len, unsigned char);
1342 memset(priv_blob_encrypted, 0, priv_encrypted_len);
1343 memcpy(priv_blob_encrypted, priv_blob, priv_blob_len);
1344 /* Create padding based on the SHA hash of the unpadded blob. This prevents
1345 * too easy a known-plaintext attack on the last block. */
1346 SHA_Simple(priv_blob, priv_blob_len, priv_mac);
1347 assert(priv_encrypted_len - priv_blob_len < 20);
1348 memcpy(priv_blob_encrypted + priv_blob_len, priv_mac,
1349 priv_encrypted_len - priv_blob_len);
1351 /* Now create the MAC. */
1353 unsigned char *macdata;
1356 int namelen = strlen(key->alg->name);
1357 int enclen = strlen(cipherstr);
1358 int commlen = strlen(key->comment);
1360 unsigned char mackey[20];
1361 char header[] = "putty-private-key-file-mac-key";
1363 maclen = (4 + namelen +
1367 4 + priv_encrypted_len);
1368 macdata = snewn(maclen, unsigned char);
1370 #define DO_STR(s,len) PUT_32BIT(p,(len));memcpy(p+4,(s),(len));p+=4+(len)
1371 DO_STR(key->alg->name, namelen);
1372 DO_STR(cipherstr, enclen);
1373 DO_STR(key->comment, commlen);
1374 DO_STR(pub_blob, pub_blob_len);
1375 DO_STR(priv_blob_encrypted, priv_encrypted_len);
1378 SHA_Bytes(&s, header, sizeof(header)-1);
1380 SHA_Bytes(&s, passphrase, strlen(passphrase));
1381 SHA_Final(&s, mackey);
1382 hmac_sha1_simple(mackey, 20, macdata, maclen, priv_mac);
1383 smemclr(macdata, maclen);
1385 smemclr(mackey, sizeof(mackey));
1386 smemclr(&s, sizeof(s));
1390 unsigned char key[40];
1393 passlen = strlen(passphrase);
1396 SHA_Bytes(&s, "\0\0\0\0", 4);
1397 SHA_Bytes(&s, passphrase, passlen);
1398 SHA_Final(&s, key + 0);
1400 SHA_Bytes(&s, "\0\0\0\1", 4);
1401 SHA_Bytes(&s, passphrase, passlen);
1402 SHA_Final(&s, key + 20);
1403 aes256_encrypt_pubkey(key, priv_blob_encrypted,
1404 priv_encrypted_len);
1406 smemclr(key, sizeof(key));
1407 smemclr(&s, sizeof(s));
1410 fp = f_open(filename, "w", TRUE);
1413 smemclr(priv_blob, priv_blob_len);
1415 smemclr(priv_blob_encrypted, priv_blob_len);
1416 sfree(priv_blob_encrypted);
1419 fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name);
1420 fprintf(fp, "Encryption: %s\n", cipherstr);
1421 fprintf(fp, "Comment: %s\n", key->comment);
1422 fprintf(fp, "Public-Lines: %d\n", base64_lines(pub_blob_len));
1423 base64_encode(fp, pub_blob, pub_blob_len, 64);
1424 fprintf(fp, "Private-Lines: %d\n", base64_lines(priv_encrypted_len));
1425 base64_encode(fp, priv_blob_encrypted, priv_encrypted_len, 64);
1426 fprintf(fp, "Private-MAC: ");
1427 for (i = 0; i < 20; i++)
1428 fprintf(fp, "%02x", priv_mac[i]);
1433 smemclr(priv_blob, priv_blob_len);
1435 smemclr(priv_blob_encrypted, priv_blob_len);
1436 sfree(priv_blob_encrypted);
1440 /* ----------------------------------------------------------------------
1441 * Output public keys.
1443 char *ssh1_pubkey_str(struct RSAKey *key)
1448 dec1 = bignum_decimal(key->exponent);
1449 dec2 = bignum_decimal(key->modulus);
1450 buffer = dupprintf("%d %s %s%s%s", bignum_bitcount(key->modulus),
1452 key->comment ? " " : "",
1453 key->comment ? key->comment : "");
1459 void ssh1_write_pubkey(FILE *fp, struct RSAKey *key)
1461 char *buffer = ssh1_pubkey_str(key);
1462 fprintf(fp, "%s\n", buffer);
1466 static char *ssh2_pubkey_openssh_str_internal(const char *comment,
1467 const void *v_pub_blob,
1470 const unsigned char *ssh2blob = (const unsigned char *)v_pub_blob;
1479 alglen = GET_32BIT(ssh2blob);
1480 if (alglen > 0 && alglen < pub_len - 4) {
1481 alg = (const char *)ssh2blob + 4;
1488 alg = "INVALID-ALGORITHM";
1489 alglen = strlen(alg);
1492 buffer = snewn(alglen +
1493 4 * ((pub_len+2) / 3) +
1494 (comment ? strlen(comment) : 0) + 3, char);
1495 p = buffer + sprintf(buffer, "%.*s ", alglen, alg);
1497 while (i < pub_len) {
1498 int n = (pub_len - i < 3 ? pub_len - i : 3);
1499 base64_encode_atom(ssh2blob + i, n, p);
1512 char *ssh2_pubkey_openssh_str(struct ssh2_userkey *key)
1515 unsigned char *blob;
1518 blob = key->alg->public_blob(key->data, &bloblen);
1519 ret = ssh2_pubkey_openssh_str_internal(key->comment, blob, bloblen);
1525 void ssh2_write_pubkey(FILE *fp, const char *comment,
1526 const void *v_pub_blob, int pub_len,
1529 unsigned char *pub_blob = (unsigned char *)v_pub_blob;
1531 if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716) {
1535 fprintf(fp, "---- BEGIN SSH2 PUBLIC KEY ----\n");
1538 fprintf(fp, "Comment: \"");
1539 for (p = comment; *p; p++) {
1540 if (*p == '\\' || *p == '\"')
1544 fprintf(fp, "\"\n");
1549 while (i < pub_len) {
1551 int n = (pub_len - i < 3 ? pub_len - i : 3);
1552 base64_encode_atom(pub_blob + i, n, buf);
1556 if (++column >= 16) {
1564 fprintf(fp, "---- END SSH2 PUBLIC KEY ----\n");
1565 } else if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
1566 char *buffer = ssh2_pubkey_openssh_str_internal(comment,
1567 v_pub_blob, pub_len);
1568 fprintf(fp, "%s\n", buffer);
1571 assert(0 && "Bad key type in ssh2_write_pubkey");
1575 /* ----------------------------------------------------------------------
1576 * Utility functions to compute SSH-2 fingerprints in a uniform way.
1578 char *ssh2_fingerprint_blob(const void *blob, int bloblen)
1580 unsigned char digest[16];
1581 char fingerprint_str[16*3];
1584 const struct ssh_signkey *alg;
1588 * The fingerprint hash itself is always just the MD5 of the blob.
1590 MD5Simple(blob, bloblen, digest);
1591 for (i = 0; i < 16; i++)
1592 sprintf(fingerprint_str + i*3, "%02x%s", digest[i], i==15 ? "" : ":");
1595 * Identify the key algorithm, if possible.
1597 alglen = toint(GET_32BIT((const unsigned char *)blob));
1598 if (alglen > 0 && alglen < bloblen-4) {
1599 algstr = (const char *)blob + 4;
1602 * If we can actually identify the algorithm as one we know
1603 * about, get hold of the key's bit count too.
1605 alg = find_pubkey_alg_len(alglen, algstr);
1607 int bits = alg->pubkey_bits(alg, blob, bloblen);
1608 return dupprintf("%.*s %d %s", alglen, algstr,
1609 bits, fingerprint_str);
1611 return dupprintf("%.*s %s", alglen, algstr, fingerprint_str);
1615 * No algorithm available (which means a seriously confused
1616 * key blob, but there we go). Return only the hash.
1618 return dupstr(fingerprint_str);
1622 char *ssh2_fingerprint(const struct ssh_signkey *alg, void *data)
1625 unsigned char *blob = alg->public_blob(data, &len);
1626 char *ret = ssh2_fingerprint_blob(blob, len);
1631 /* ----------------------------------------------------------------------
1632 * Determine the type of a private key file.
1634 static int key_type_fp(FILE *fp)
1637 const char public_std_sig[] = "---- BEGIN SSH2 PUBLIC KEY";
1638 const char putty2_sig[] = "PuTTY-User-Key-File-";
1639 const char sshcom_sig[] = "---- BEGIN SSH2 ENCRYPTED PRIVAT";
1640 const char openssh_new_sig[] = "-----BEGIN OPENSSH PRIVATE KEY";
1641 const char openssh_sig[] = "-----BEGIN ";
1645 i = fread(buf, 1, sizeof(buf)-1, fp);
1649 return SSH_KEYTYPE_UNOPENABLE;
1651 return SSH_KEYTYPE_UNKNOWN;
1652 assert(i > 0 && i < sizeof(buf));
1654 if (!memcmp(buf, rsa_signature, sizeof(rsa_signature)-1))
1655 return SSH_KEYTYPE_SSH1;
1656 if (!memcmp(buf, public_std_sig, sizeof(public_std_sig)-1))
1657 return SSH_KEYTYPE_SSH2_PUBLIC_RFC4716;
1658 if (!memcmp(buf, putty2_sig, sizeof(putty2_sig)-1))
1659 return SSH_KEYTYPE_SSH2;
1660 if (!memcmp(buf, openssh_new_sig, sizeof(openssh_new_sig)-1))
1661 return SSH_KEYTYPE_OPENSSH_NEW;
1662 if (!memcmp(buf, openssh_sig, sizeof(openssh_sig)-1))
1663 return SSH_KEYTYPE_OPENSSH_PEM;
1664 if (!memcmp(buf, sshcom_sig, sizeof(sshcom_sig)-1))
1665 return SSH_KEYTYPE_SSHCOM;
1666 if ((p = buf + strspn(buf, "0123456789"), *p == ' ') &&
1667 (p = p+1 + strspn(p+1, "0123456789"), *p == ' ') &&
1668 (p = p+1 + strspn(p+1, "0123456789"), *p == ' ' || *p == '\n' || !*p))
1669 return SSH_KEYTYPE_SSH1_PUBLIC;
1670 if ((p = buf + strcspn(buf, " "), find_pubkey_alg_len(p-buf, buf)) &&
1671 (p = p+1 + strspn(p+1, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
1672 "klmnopqrstuvwxyz+/="),
1673 *p == ' ' || *p == '\n' || !*p))
1674 return SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH;
1675 return SSH_KEYTYPE_UNKNOWN; /* unrecognised or EOF */
1678 int key_type(const Filename *filename)
1683 fp = f_open(filename, "r", FALSE);
1685 return SSH_KEYTYPE_UNOPENABLE;
1686 ret = key_type_fp(fp);
1692 * Convert the type word to a string, for `wrong type' error
1695 const char *key_type_to_str(int type)
1698 case SSH_KEYTYPE_UNOPENABLE: return "unable to open file"; break;
1699 case SSH_KEYTYPE_UNKNOWN: return "not a recognised key file format"; break;
1700 case SSH_KEYTYPE_SSH1_PUBLIC: return "SSH-1 public key"; break;
1701 case SSH_KEYTYPE_SSH2_PUBLIC_RFC4716: return "SSH-2 public key (RFC 4716 format)"; break;
1702 case SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH: return "SSH-2 public key (OpenSSH format)"; break;
1703 case SSH_KEYTYPE_SSH1: return "SSH-1 private key"; break;
1704 case SSH_KEYTYPE_SSH2: return "PuTTY SSH-2 private key"; break;
1705 case SSH_KEYTYPE_OPENSSH_PEM: return "OpenSSH SSH-2 private key (old PEM format)"; break;
1706 case SSH_KEYTYPE_OPENSSH_NEW: return "OpenSSH SSH-2 private key (new format)"; break;
1707 case SSH_KEYTYPE_SSHCOM: return "ssh.com SSH-2 private key"; break;
1709 * This function is called with a key type derived from
1710 * looking at an actual key file, so the output-only type
1711 * OPENSSH_AUTO should never get here, and is much an INTERNAL
1712 * ERROR as a code we don't even understand.
1714 case SSH_KEYTYPE_OPENSSH_AUTO: return "INTERNAL ERROR (OPENSSH_AUTO)"; break;
1715 default: return "INTERNAL ERROR"; break;