2 * Generic SSH public-key handling operations. In particular,
3 * reading of SSH public-key files, and also the generic `sign'
4 * operation for SSH-2 (which checks the type of the key and
5 * dispatches to the appropriate key-type specific function).
16 #define rsa_signature "SSH PRIVATE KEY FILE FORMAT 1.1\n"
18 #define BASE64_TOINT(x) ( (x)-'A'<26 ? (x)-'A'+0 :\
19 (x)-'a'<26 ? (x)-'a'+26 :\
20 (x)-'0'<10 ? (x)-'0'+52 :\
24 static int key_type_fp(FILE *fp);
26 static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
27 char **commentptr, const char *passphrase,
30 unsigned char buf[16384];
31 unsigned char keybuf[16];
35 struct MD5Context md5c;
40 /* Slurp the whole file (minus the header) into a buffer. */
41 len = fread(buf, 1, sizeof(buf), fp);
43 if (len < 0 || len == sizeof(buf)) {
44 *error = "error reading file";
45 goto end; /* file too big or not read */
49 *error = "file format error";
52 * A zero byte. (The signature includes a terminating NUL.)
54 if (len - i < 1 || buf[i] != 0)
58 /* One byte giving encryption type, and one reserved uint32. */
62 if (ciphertype != 0 && ciphertype != SSH_CIPHER_3DES)
66 goto end; /* reserved field not present */
67 if (buf[i] != 0 || buf[i + 1] != 0 || buf[i + 2] != 0
68 || buf[i + 3] != 0) goto end; /* reserved field nonzero, panic! */
71 /* Now the serious stuff. An ordinary SSH-1 public key. */
72 j = makekey(buf + i, len - i, key, NULL, 1);
74 goto end; /* overran */
77 /* Next, the comment field. */
78 j = toint(GET_32BIT(buf + i));
80 if (j < 0 || len - i < j)
82 comment = snewn(j + 1, char);
84 memcpy(comment, buf + i, j);
89 *commentptr = dupstr(comment);
91 key->comment = comment;
101 ret = ciphertype != 0;
107 * Decrypt remainder of buffer.
111 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
112 MD5Final(keybuf, &md5c);
113 des3_decrypt_pubkey(keybuf, buf + i, (len - i + 7) & ~7);
114 smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
118 * We are now in the secret part of the key. The first four
119 * bytes should be of the form a, b, a, b.
123 if (buf[i] != buf[i + 2] || buf[i + 1] != buf[i + 3]) {
124 *error = "wrong passphrase";
131 * After that, we have one further bignum which is our
132 * decryption exponent, and then the three auxiliary values
135 j = makeprivate(buf + i, len - i, key);
138 j = ssh1_read_bignum(buf + i, len - i, &key->iqmp);
141 j = ssh1_read_bignum(buf + i, len - i, &key->q);
144 j = ssh1_read_bignum(buf + i, len - i, &key->p);
148 if (!rsa_verify(key)) {
149 *error = "rsa_verify failed";
156 smemclr(buf, sizeof(buf)); /* burn the evidence */
160 int loadrsakey(const Filename *filename, struct RSAKey *key,
161 const char *passphrase, const char **errorstr)
166 const char *error = NULL;
168 fp = f_open(filename, "rb", FALSE);
170 error = "can't open file";
175 * Read the first line of the file and see if it's a v1 private
178 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
180 * This routine will take care of calling fclose() for us.
182 ret = loadrsakey_main(fp, key, FALSE, NULL, passphrase, &error);
188 * Otherwise, we have nothing. Return empty-handed.
190 error = "not an SSH-1 RSA file";
195 if ((ret != 1) && errorstr)
201 * See whether an RSA key is encrypted. Return its comment field as
204 int rsakey_encrypted(const Filename *filename, char **comment)
209 fp = f_open(filename, "rb", FALSE);
211 return 0; /* doesn't even exist */
214 * Read the first line of the file and see if it's a v1 private
217 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
220 * This routine will take care of calling fclose() for us.
222 return loadrsakey_main(fp, NULL, FALSE, comment, NULL, &dummy);
225 return 0; /* wasn't the right kind of file */
229 * Return a malloc'ed chunk of memory containing the public blob of
230 * an RSA key, as given in the agent protocol (modulus bits,
231 * exponent, modulus).
233 int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
234 char **commentptr, const char **errorstr)
240 const char *error = NULL;
242 /* Default return if we fail. */
247 fp = f_open(filename, "rb", FALSE);
249 error = "can't open file";
254 * Read the first line of the file and see if it's a v1 private
257 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
258 memset(&key, 0, sizeof(key));
259 if (loadrsakey_main(fp, &key, TRUE, commentptr, NULL, &error)) {
260 *blob = rsa_public_blob(&key, bloblen);
264 fp = NULL; /* loadrsakey_main unconditionally closes fp */
267 * Try interpreting the file as an SSH-1 public key.
269 char *line, *p, *bitsp, *expp, *modp, *commentp;
272 line = chomp(fgetline(fp));
276 p += strspn(p, "0123456789");
278 goto not_public_either;
282 p += strspn(p, "0123456789");
284 goto not_public_either;
288 p += strspn(p, "0123456789");
291 goto not_public_either;
298 memset(&key, 0, sizeof(key));
299 key.exponent = bignum_from_decimal(expp);
300 key.modulus = bignum_from_decimal(modp);
301 if (atoi(bitsp) != bignum_bitcount(key.modulus)) {
302 freebn(key.exponent);
305 error = "key bit count does not match in SSH-1 public key file";
309 *commentptr = commentp ? dupstr(commentp) : NULL;
310 *blob = rsa_public_blob(&key, bloblen);
318 error = "not an SSH-1 RSA file";
324 if ((ret != 1) && errorstr)
330 * Save an RSA key file. Return nonzero on success.
332 int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase)
334 unsigned char buf[16384];
335 unsigned char keybuf[16];
336 struct MD5Context md5c;
337 unsigned char *p, *estart;
341 * Write the initial signature.
344 memcpy(p, rsa_signature, sizeof(rsa_signature));
345 p += sizeof(rsa_signature);
348 * One byte giving encryption type, and one reserved (zero)
351 *p++ = (passphrase ? SSH_CIPHER_3DES : 0);
356 * An ordinary SSH-1 public key consists of: a uint32
357 * containing the bit count, then two bignums containing the
358 * modulus and exponent respectively.
360 PUT_32BIT(p, bignum_bitcount(key->modulus));
362 p += ssh1_write_bignum(p, key->modulus);
363 p += ssh1_write_bignum(p, key->exponent);
366 * A string containing the comment field.
369 PUT_32BIT(p, strlen(key->comment));
371 memcpy(p, key->comment, strlen(key->comment));
372 p += strlen(key->comment);
379 * The encrypted portion starts here.
384 * Two bytes, then the same two bytes repeated.
386 *p++ = random_byte();
387 *p++ = random_byte();
393 * Four more bignums: the decryption exponent, then iqmp, then
396 p += ssh1_write_bignum(p, key->private_exponent);
397 p += ssh1_write_bignum(p, key->iqmp);
398 p += ssh1_write_bignum(p, key->q);
399 p += ssh1_write_bignum(p, key->p);
402 * Now write zeros until the encrypted portion is a multiple of
405 while ((p - estart) % 8)
409 * Now encrypt the encrypted portion.
413 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
414 MD5Final(keybuf, &md5c);
415 des3_encrypt_pubkey(keybuf, estart, p - estart);
416 smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
420 * Done. Write the result to the file.
422 fp = f_open(filename, "wb", TRUE);
424 int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf));
432 /* ----------------------------------------------------------------------
433 * SSH-2 private key load/store functions.
437 * PuTTY's own format for SSH-2 keys is as follows:
439 * The file is text. Lines are terminated by CRLF, although CR-only
440 * and LF-only are tolerated on input.
442 * The first line says "PuTTY-User-Key-File-2: " plus the name of the
443 * algorithm ("ssh-dss", "ssh-rsa" etc).
445 * The next line says "Encryption: " plus an encryption type.
446 * Currently the only supported encryption types are "aes256-cbc"
449 * The next line says "Comment: " plus the comment string.
451 * Next there is a line saying "Public-Lines: " plus a number N.
452 * The following N lines contain a base64 encoding of the public
453 * part of the key. This is encoded as the standard SSH-2 public key
454 * blob (with no initial length): so for RSA, for example, it will
461 * Next, there is a line saying "Private-Lines: " plus a number N,
462 * and then N lines containing the (potentially encrypted) private
463 * part of the key. For the key type "ssh-rsa", this will be
466 * mpint private_exponent
467 * mpint p (the larger of the two primes)
468 * mpint q (the smaller prime)
469 * mpint iqmp (the inverse of q modulo p)
470 * data padding (to reach a multiple of the cipher block size)
472 * And for "ssh-dss", it will be composed of
474 * mpint x (the private key parameter)
475 * [ string hash 20-byte hash of mpints p || q || g only in old format ]
477 * Finally, there is a line saying "Private-MAC: " plus a hex
478 * representation of a HMAC-SHA-1 of:
480 * string name of algorithm ("ssh-dss", "ssh-rsa")
481 * string encryption type
484 * string private-plaintext (the plaintext version of the
485 * private part, including the final
488 * The key to the MAC is itself a SHA-1 hash of:
490 * data "putty-private-key-file-mac-key"
493 * (An empty passphrase is used for unencrypted keys.)
495 * If the key is encrypted, the encryption key is derived from the
496 * passphrase by means of a succession of SHA-1 hashes. Each hash
499 * uint32 sequence-number
502 * where the sequence-number increases from zero. As many of these
503 * hashes are used as necessary.
505 * For backwards compatibility with snapshots between 0.51 and
506 * 0.52, we also support the older key file format, which begins
507 * with "PuTTY-User-Key-File-1" (version number differs). In this
508 * format the Private-MAC: field only covers the private-plaintext
509 * field and nothing else (and without the 4-byte string length on
510 * the front too). Moreover, the Private-MAC: field can be replaced
511 * with a Private-Hash: field which is a plain SHA-1 hash instead of
512 * an HMAC (this was generated for unencrypted keys).
515 static int read_header(FILE * fp, char *header)
522 if (c == '\n' || c == '\r' || c == EOF)
523 return 0; /* failure */
529 return 1; /* success! */
532 return 0; /* failure */
536 return 0; /* failure */
539 static char *read_body(FILE * fp)
547 text = snewn(size, char);
553 if (c == '\r' || c == '\n' || c == EOF) {
556 if (c != '\r' && c != '\n')
561 if (len + 1 >= size) {
563 text = sresize(text, size, char);
570 static unsigned char *read_blob(FILE * fp, int nlines, int *bloblen)
577 /* We expect at most 64 base64 characters, ie 48 real bytes, per line. */
578 blob = snewn(48 * nlines, unsigned char);
580 for (i = 0; i < nlines; i++) {
581 line = read_body(fp);
586 linelen = strlen(line);
587 if (linelen % 4 != 0 || linelen > 64) {
592 for (j = 0; j < linelen; j += 4) {
593 k = base64_decode_atom(line + j, blob + len);
608 * Magic error return value for when the passphrase is wrong.
610 struct ssh2_userkey ssh2_wrong_passphrase = {
614 const struct ssh_signkey *find_pubkey_alg_len(int namelen, const char *name)
616 if (match_ssh_id(namelen, name, "ssh-rsa"))
618 else if (match_ssh_id(namelen, name, "ssh-dss"))
620 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp256"))
621 return &ssh_ecdsa_nistp256;
622 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp384"))
623 return &ssh_ecdsa_nistp384;
624 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp521"))
625 return &ssh_ecdsa_nistp521;
626 else if (match_ssh_id(namelen, name, "ssh-ed25519"))
627 return &ssh_ecdsa_ed25519;
632 const struct ssh_signkey *find_pubkey_alg(const char *name)
634 return find_pubkey_alg_len(strlen(name), name);
637 struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
638 const char *passphrase,
639 const char **errorstr)
642 char header[40], *b, *encryption, *comment, *mac;
643 const struct ssh_signkey *alg;
644 struct ssh2_userkey *ret;
645 int cipher, cipherblk;
646 unsigned char *public_blob, *private_blob;
647 int public_blob_len, private_blob_len;
648 int i, is_mac, old_fmt;
649 int passlen = passphrase ? strlen(passphrase) : 0;
650 const char *error = NULL;
652 ret = NULL; /* return NULL for most errors */
653 encryption = comment = mac = NULL;
654 public_blob = private_blob = NULL;
656 fp = f_open(filename, "rb", FALSE);
658 error = "can't open file";
662 /* Read the first header line which contains the key type. */
663 if (!read_header(fp, header))
665 if (0 == strcmp(header, "PuTTY-User-Key-File-2")) {
667 } else if (0 == strcmp(header, "PuTTY-User-Key-File-1")) {
668 /* this is an old key file; warn and then continue */
669 old_keyfile_warning();
671 } else if (0 == strncmp(header, "PuTTY-User-Key-File-", 20)) {
672 /* this is a key file FROM THE FUTURE; refuse it, but with a
673 * more specific error message than the generic one below */
674 error = "PuTTY key format too new";
677 error = "not a PuTTY SSH-2 private key";
680 error = "file format error";
681 if ((b = read_body(fp)) == NULL)
683 /* Select key algorithm structure. */
684 alg = find_pubkey_alg(b);
691 /* Read the Encryption header line. */
692 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption"))
694 if ((encryption = read_body(fp)) == NULL)
696 if (!strcmp(encryption, "aes256-cbc")) {
699 } else if (!strcmp(encryption, "none")) {
706 /* Read the Comment header line. */
707 if (!read_header(fp, header) || 0 != strcmp(header, "Comment"))
709 if ((comment = read_body(fp)) == NULL)
712 /* Read the Public-Lines header line and the public blob. */
713 if (!read_header(fp, header) || 0 != strcmp(header, "Public-Lines"))
715 if ((b = read_body(fp)) == NULL)
719 if ((public_blob = read_blob(fp, i, &public_blob_len)) == NULL)
722 /* Read the Private-Lines header line and the Private blob. */
723 if (!read_header(fp, header) || 0 != strcmp(header, "Private-Lines"))
725 if ((b = read_body(fp)) == NULL)
729 if ((private_blob = read_blob(fp, i, &private_blob_len)) == NULL)
732 /* Read the Private-MAC or Private-Hash header line. */
733 if (!read_header(fp, header))
735 if (0 == strcmp(header, "Private-MAC")) {
736 if ((mac = read_body(fp)) == NULL)
739 } else if (0 == strcmp(header, "Private-Hash") && old_fmt) {
740 if ((mac = read_body(fp)) == NULL)
750 * Decrypt the private blob.
753 unsigned char key[40];
758 if (private_blob_len % cipherblk)
762 SHA_Bytes(&s, "\0\0\0\0", 4);
763 SHA_Bytes(&s, passphrase, passlen);
764 SHA_Final(&s, key + 0);
766 SHA_Bytes(&s, "\0\0\0\1", 4);
767 SHA_Bytes(&s, passphrase, passlen);
768 SHA_Final(&s, key + 20);
769 aes256_decrypt_pubkey(key, private_blob, private_blob_len);
777 unsigned char binary[20];
778 unsigned char *macdata;
783 /* MAC (or hash) only covers the private blob. */
784 macdata = private_blob;
785 maclen = private_blob_len;
789 int namelen = strlen(alg->name);
790 int enclen = strlen(encryption);
791 int commlen = strlen(comment);
792 maclen = (4 + namelen +
795 4 + public_blob_len +
796 4 + private_blob_len);
797 macdata = snewn(maclen, unsigned char);
799 #define DO_STR(s,len) PUT_32BIT(p,(len));memcpy(p+4,(s),(len));p+=4+(len)
800 DO_STR(alg->name, namelen);
801 DO_STR(encryption, enclen);
802 DO_STR(comment, commlen);
803 DO_STR(public_blob, public_blob_len);
804 DO_STR(private_blob, private_blob_len);
811 unsigned char mackey[20];
812 char header[] = "putty-private-key-file-mac-key";
815 SHA_Bytes(&s, header, sizeof(header)-1);
816 if (cipher && passphrase)
817 SHA_Bytes(&s, passphrase, passlen);
818 SHA_Final(&s, mackey);
820 hmac_sha1_simple(mackey, 20, macdata, maclen, binary);
822 smemclr(mackey, sizeof(mackey));
823 smemclr(&s, sizeof(s));
825 SHA_Simple(macdata, maclen, binary);
829 smemclr(macdata, maclen);
833 for (i = 0; i < 20; i++)
834 sprintf(realmac + 2 * i, "%02x", binary[i]);
836 if (strcmp(mac, realmac)) {
837 /* An incorrect MAC is an unconditional Error if the key is
838 * unencrypted. Otherwise, it means Wrong Passphrase. */
840 error = "wrong passphrase";
841 ret = SSH2_WRONG_PASSPHRASE;
843 error = "MAC failed";
853 * Create and return the key.
855 ret = snew(struct ssh2_userkey);
857 ret->comment = comment;
858 ret->data = alg->createkey(alg, public_blob, public_blob_len,
859 private_blob, private_blob_len);
863 error = "createkey failed";
867 smemclr(private_blob, private_blob_len);
889 smemclr(private_blob, private_blob_len);
897 unsigned char *rfc4716_loadpub(FILE *fp, char **algorithm,
898 int *pub_blob_len, char **commentptr,
899 const char **errorstr)
902 char *line, *colon, *value;
903 char *comment = NULL;
904 unsigned char *pubblob = NULL;
905 int pubbloblen, pubblobsize;
907 unsigned char base64out[3];
911 line = chomp(fgetline(fp));
912 if (!line || 0 != strcmp(line, "---- BEGIN SSH2 PUBLIC KEY ----")) {
913 error = "invalid begin line in SSH-2 public key file";
916 sfree(line); line = NULL;
919 line = chomp(fgetline(fp));
921 error = "truncated SSH-2 public key file";
924 colon = strstr(line, ": ");
930 if (!strcmp(line, "Comment")) {
933 /* Remove containing double quotes, if present */
935 if (*p == '"' && p[strlen(p)-1] == '"') {
936 p[strlen(p)-1] = '\0';
940 /* Remove \-escaping, not in RFC4716 but seen in the wild
942 for (q = line; *p; p++) {
943 if (*p == '\\' && p[1])
949 comment = dupstr(line);
950 } else if (!strcmp(line, "Subject") ||
951 !strncmp(line, "x-", 2)) {
952 /* Headers we recognise and ignore. Do nothing. */
954 error = "unrecognised header in SSH-2 public key file";
958 sfree(line); line = NULL;
962 * Now line contains the initial line of base64 data. Loop round
963 * while it still does contain base64.
966 pubblob = snewn(pubblobsize, unsigned char);
969 while (line && line[0] != '-') {
971 for (p = line; *p; p++) {
972 base64in[base64bytes++] = *p;
973 if (base64bytes == 4) {
974 int n = base64_decode_atom(base64in, base64out);
975 if (pubbloblen + n > pubblobsize) {
976 pubblobsize = (pubbloblen + n) * 5 / 4 + 1024;
977 pubblob = sresize(pubblob, pubblobsize, unsigned char);
979 memcpy(pubblob + pubbloblen, base64out, n);
984 sfree(line); line = NULL;
985 line = chomp(fgetline(fp));
989 * Finally, check the END line makes sense.
991 if (!line || 0 != strcmp(line, "---- END SSH2 PUBLIC KEY ----")) {
992 error = "invalid end line in SSH-2 public key file";
995 sfree(line); line = NULL;
998 * OK, we now have a public blob and optionally a comment. We must
999 * return the key algorithm string too, so look for that at the
1000 * start of the public blob.
1002 if (pubbloblen < 4) {
1003 error = "not enough data in SSH-2 public key file";
1006 alglen = toint(GET_32BIT(pubblob));
1007 if (alglen < 0 || alglen > pubbloblen-4) {
1008 error = "invalid algorithm prefix in SSH-2 public key file";
1012 *algorithm = dupprintf("%.*s", alglen, pubblob+4);
1014 *pub_blob_len = pubbloblen;
1016 *commentptr = comment;
1030 unsigned char *openssh_loadpub(FILE *fp, char **algorithm,
1031 int *pub_blob_len, char **commentptr,
1032 const char **errorstr)
1035 char *line, *base64;
1036 char *comment = NULL;
1037 unsigned char *pubblob = NULL;
1038 int pubbloblen, pubblobsize;
1041 line = chomp(fgetline(fp));
1043 base64 = strchr(line, ' ');
1045 error = "no key blob in OpenSSH public key file";
1050 comment = strchr(base64, ' ');
1053 comment = dupstr(comment);
1056 pubblobsize = strlen(base64) / 4 * 3;
1057 pubblob = snewn(pubblobsize, unsigned char);
1060 while (!memchr(base64, '\0', 4)) {
1061 assert(pubbloblen + 3 <= pubblobsize);
1062 pubbloblen += base64_decode_atom(base64, pubblob + pubbloblen);
1066 error = "invalid length for base64 data in OpenSSH public key file";
1071 * Sanity check: the first word on the line should be the key
1072 * algorithm, and should match the encoded string at the start of
1075 alglen = strlen(line);
1076 if (pubbloblen < alglen + 4 ||
1077 GET_32BIT(pubblob) != alglen ||
1078 0 != memcmp(pubblob + 4, line, alglen)) {
1079 error = "key algorithms do not match in OpenSSH public key file";
1087 *algorithm = dupstr(line);
1089 *pub_blob_len = pubbloblen;
1091 *commentptr = comment;
1106 unsigned char *ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
1107 int *pub_blob_len, char **commentptr,
1108 const char **errorstr)
1111 char header[40], *b;
1112 const struct ssh_signkey *alg;
1113 unsigned char *public_blob;
1114 int public_blob_len;
1116 const char *error = NULL;
1117 char *comment = NULL;
1121 fp = f_open(filename, "rb", FALSE);
1123 error = "can't open file";
1127 /* Initially, check if this is a public-only key file. Sometimes
1128 * we'll be asked to read a public blob from one of those. */
1129 type = key_type_fp(fp);
1130 if (type == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716) {
1131 unsigned char *ret = rfc4716_loadpub(fp, algorithm, pub_blob_len,
1132 commentptr, errorstr);
1135 } else if (type == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
1136 unsigned char *ret = openssh_loadpub(fp, algorithm, pub_blob_len,
1137 commentptr, errorstr);
1140 } else if (type != SSH_KEYTYPE_SSH2) {
1141 error = "not a PuTTY SSH-2 private key";
1145 /* Read the first header line which contains the key type. */
1146 if (!read_header(fp, header)
1147 || (0 != strcmp(header, "PuTTY-User-Key-File-2") &&
1148 0 != strcmp(header, "PuTTY-User-Key-File-1"))) {
1149 if (0 == strncmp(header, "PuTTY-User-Key-File-", 20))
1150 error = "PuTTY key format too new";
1152 error = "not a PuTTY SSH-2 private key";
1155 error = "file format error";
1156 if ((b = read_body(fp)) == NULL)
1158 /* Select key algorithm structure. */
1159 alg = find_pubkey_alg(b);
1165 /* Read the Encryption header line. */
1166 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption"))
1168 if ((b = read_body(fp)) == NULL)
1170 sfree(b); /* we don't care */
1172 /* Read the Comment header line. */
1173 if (!read_header(fp, header) || 0 != strcmp(header, "Comment"))
1175 if ((comment = read_body(fp)) == NULL)
1179 *commentptr = comment;
1183 /* Read the Public-Lines header line and the public blob. */
1184 if (!read_header(fp, header) || 0 != strcmp(header, "Public-Lines"))
1186 if ((b = read_body(fp)) == NULL)
1190 if ((public_blob = read_blob(fp, i, &public_blob_len)) == NULL)
1195 *pub_blob_len = public_blob_len;
1197 *algorithm = dupstr(alg->name);
1210 if (comment && commentptr) {
1217 int ssh2_userkey_encrypted(const Filename *filename, char **commentptr)
1220 char header[40], *b, *comment;
1226 fp = f_open(filename, "rb", FALSE);
1229 if (!read_header(fp, header)
1230 || (0 != strcmp(header, "PuTTY-User-Key-File-2") &&
1231 0 != strcmp(header, "PuTTY-User-Key-File-1"))) {
1235 if ((b = read_body(fp)) == NULL) {
1239 sfree(b); /* we don't care about key type here */
1240 /* Read the Encryption header line. */
1241 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption")) {
1245 if ((b = read_body(fp)) == NULL) {
1250 /* Read the Comment header line. */
1251 if (!read_header(fp, header) || 0 != strcmp(header, "Comment")) {
1256 if ((comment = read_body(fp)) == NULL) {
1263 *commentptr = comment;
1268 if (!strcmp(b, "aes256-cbc"))
1276 int base64_lines(int datalen)
1278 /* When encoding, we use 64 chars/line, which equals 48 real chars. */
1279 return (datalen + 47) / 48;
1282 void base64_encode(FILE *fp, const unsigned char *data, int datalen, int cpl)
1288 while (datalen > 0) {
1289 n = (datalen < 3 ? datalen : 3);
1290 base64_encode_atom(data, n, out);
1293 for (i = 0; i < 4; i++) {
1294 if (linelen >= cpl) {
1305 int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
1309 unsigned char *pub_blob, *priv_blob, *priv_blob_encrypted;
1310 int pub_blob_len, priv_blob_len, priv_encrypted_len;
1314 const char *cipherstr;
1315 unsigned char priv_mac[20];
1318 * Fetch the key component blobs.
1320 pub_blob = key->alg->public_blob(key->data, &pub_blob_len);
1321 priv_blob = key->alg->private_blob(key->data, &priv_blob_len);
1322 if (!pub_blob || !priv_blob) {
1329 * Determine encryption details, and encrypt the private blob.
1332 cipherstr = "aes256-cbc";
1338 priv_encrypted_len = priv_blob_len + cipherblk - 1;
1339 priv_encrypted_len -= priv_encrypted_len % cipherblk;
1340 priv_blob_encrypted = snewn(priv_encrypted_len, unsigned char);
1341 memset(priv_blob_encrypted, 0, priv_encrypted_len);
1342 memcpy(priv_blob_encrypted, priv_blob, priv_blob_len);
1343 /* Create padding based on the SHA hash of the unpadded blob. This prevents
1344 * too easy a known-plaintext attack on the last block. */
1345 SHA_Simple(priv_blob, priv_blob_len, priv_mac);
1346 assert(priv_encrypted_len - priv_blob_len < 20);
1347 memcpy(priv_blob_encrypted + priv_blob_len, priv_mac,
1348 priv_encrypted_len - priv_blob_len);
1350 /* Now create the MAC. */
1352 unsigned char *macdata;
1355 int namelen = strlen(key->alg->name);
1356 int enclen = strlen(cipherstr);
1357 int commlen = strlen(key->comment);
1359 unsigned char mackey[20];
1360 char header[] = "putty-private-key-file-mac-key";
1362 maclen = (4 + namelen +
1366 4 + priv_encrypted_len);
1367 macdata = snewn(maclen, unsigned char);
1369 #define DO_STR(s,len) PUT_32BIT(p,(len));memcpy(p+4,(s),(len));p+=4+(len)
1370 DO_STR(key->alg->name, namelen);
1371 DO_STR(cipherstr, enclen);
1372 DO_STR(key->comment, commlen);
1373 DO_STR(pub_blob, pub_blob_len);
1374 DO_STR(priv_blob_encrypted, priv_encrypted_len);
1377 SHA_Bytes(&s, header, sizeof(header)-1);
1379 SHA_Bytes(&s, passphrase, strlen(passphrase));
1380 SHA_Final(&s, mackey);
1381 hmac_sha1_simple(mackey, 20, macdata, maclen, priv_mac);
1382 smemclr(macdata, maclen);
1384 smemclr(mackey, sizeof(mackey));
1385 smemclr(&s, sizeof(s));
1389 unsigned char key[40];
1392 passlen = strlen(passphrase);
1395 SHA_Bytes(&s, "\0\0\0\0", 4);
1396 SHA_Bytes(&s, passphrase, passlen);
1397 SHA_Final(&s, key + 0);
1399 SHA_Bytes(&s, "\0\0\0\1", 4);
1400 SHA_Bytes(&s, passphrase, passlen);
1401 SHA_Final(&s, key + 20);
1402 aes256_encrypt_pubkey(key, priv_blob_encrypted,
1403 priv_encrypted_len);
1405 smemclr(key, sizeof(key));
1406 smemclr(&s, sizeof(s));
1409 fp = f_open(filename, "w", TRUE);
1412 smemclr(priv_blob, priv_blob_len);
1414 smemclr(priv_blob_encrypted, priv_blob_len);
1415 sfree(priv_blob_encrypted);
1418 fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name);
1419 fprintf(fp, "Encryption: %s\n", cipherstr);
1420 fprintf(fp, "Comment: %s\n", key->comment);
1421 fprintf(fp, "Public-Lines: %d\n", base64_lines(pub_blob_len));
1422 base64_encode(fp, pub_blob, pub_blob_len, 64);
1423 fprintf(fp, "Private-Lines: %d\n", base64_lines(priv_encrypted_len));
1424 base64_encode(fp, priv_blob_encrypted, priv_encrypted_len, 64);
1425 fprintf(fp, "Private-MAC: ");
1426 for (i = 0; i < 20; i++)
1427 fprintf(fp, "%02x", priv_mac[i]);
1432 smemclr(priv_blob, priv_blob_len);
1434 smemclr(priv_blob_encrypted, priv_blob_len);
1435 sfree(priv_blob_encrypted);
1439 /* ----------------------------------------------------------------------
1440 * Output public keys.
1442 char *ssh1_pubkey_str(struct RSAKey *key)
1447 dec1 = bignum_decimal(key->exponent);
1448 dec2 = bignum_decimal(key->modulus);
1449 buffer = dupprintf("%d %s %s%s%s", bignum_bitcount(key->modulus),
1451 key->comment ? " " : "",
1452 key->comment ? key->comment : "");
1458 void ssh1_write_pubkey(FILE *fp, struct RSAKey *key)
1460 char *buffer = ssh1_pubkey_str(key);
1461 fprintf(fp, "%s\n", buffer);
1465 static char *ssh2_pubkey_openssh_str_internal(const char *comment,
1466 const void *v_pub_blob,
1469 const unsigned char *ssh2blob = (const unsigned char *)v_pub_blob;
1478 alglen = GET_32BIT(ssh2blob);
1479 if (alglen > 0 && alglen < pub_len - 4) {
1480 alg = (const char *)ssh2blob + 4;
1487 alg = "INVALID-ALGORITHM";
1488 alglen = strlen(alg);
1491 buffer = snewn(alglen +
1492 4 * ((pub_len+2) / 3) +
1493 (comment ? strlen(comment) : 0) + 3, char);
1494 p = buffer + sprintf(buffer, "%.*s ", alglen, alg);
1496 while (i < pub_len) {
1497 int n = (pub_len - i < 3 ? pub_len - i : 3);
1498 base64_encode_atom(ssh2blob + i, n, p);
1511 char *ssh2_pubkey_openssh_str(struct ssh2_userkey *key)
1514 unsigned char *blob;
1517 blob = key->alg->public_blob(key->data, &bloblen);
1518 ret = ssh2_pubkey_openssh_str_internal(key->comment, blob, bloblen);
1524 void ssh2_write_pubkey(FILE *fp, const char *comment,
1525 const void *v_pub_blob, int pub_len,
1528 unsigned char *pub_blob = (unsigned char *)v_pub_blob;
1530 if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716) {
1534 fprintf(fp, "---- BEGIN SSH2 PUBLIC KEY ----\n");
1537 fprintf(fp, "Comment: \"");
1538 for (p = comment; *p; p++) {
1539 if (*p == '\\' || *p == '\"')
1543 fprintf(fp, "\"\n");
1548 while (i < pub_len) {
1550 int n = (pub_len - i < 3 ? pub_len - i : 3);
1551 base64_encode_atom(pub_blob + i, n, buf);
1555 if (++column >= 16) {
1563 fprintf(fp, "---- END SSH2 PUBLIC KEY ----\n");
1564 } else if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
1565 char *buffer = ssh2_pubkey_openssh_str_internal(comment,
1566 v_pub_blob, pub_len);
1567 fprintf(fp, "%s\n", buffer);
1570 assert(0 && "Bad key type in ssh2_write_pubkey");
1574 /* ----------------------------------------------------------------------
1575 * Utility functions to compute SSH-2 fingerprints in a uniform way.
1577 char *ssh2_fingerprint_blob(const void *blob, int bloblen)
1579 unsigned char digest[16];
1580 char fingerprint_str[16*3];
1583 const struct ssh_signkey *alg;
1587 * The fingerprint hash itself is always just the MD5 of the blob.
1589 MD5Simple(blob, bloblen, digest);
1590 for (i = 0; i < 16; i++)
1591 sprintf(fingerprint_str + i*3, "%02x%s", digest[i], i==15 ? "" : ":");
1594 * Identify the key algorithm, if possible.
1596 alglen = toint(GET_32BIT((const unsigned char *)blob));
1597 if (alglen > 0 && alglen < bloblen-4) {
1598 algstr = (const char *)blob + 4;
1601 * If we can actually identify the algorithm as one we know
1602 * about, get hold of the key's bit count too.
1604 alg = find_pubkey_alg_len(alglen, algstr);
1606 int bits = alg->pubkey_bits(alg, blob, bloblen);
1607 return dupprintf("%.*s %d %s", alglen, algstr,
1608 bits, fingerprint_str);
1610 return dupprintf("%.*s %s", alglen, algstr, fingerprint_str);
1614 * No algorithm available (which means a seriously confused
1615 * key blob, but there we go). Return only the hash.
1617 return dupstr(fingerprint_str);
1621 char *ssh2_fingerprint(const struct ssh_signkey *alg, void *data)
1624 unsigned char *blob = alg->public_blob(data, &len);
1625 char *ret = ssh2_fingerprint_blob(blob, len);
1630 /* ----------------------------------------------------------------------
1631 * Determine the type of a private key file.
1633 static int key_type_fp(FILE *fp)
1636 const char public_std_sig[] = "---- BEGIN SSH2 PUBLIC KEY";
1637 const char putty2_sig[] = "PuTTY-User-Key-File-";
1638 const char sshcom_sig[] = "---- BEGIN SSH2 ENCRYPTED PRIVAT";
1639 const char openssh_new_sig[] = "-----BEGIN OPENSSH PRIVATE KEY";
1640 const char openssh_sig[] = "-----BEGIN ";
1644 i = fread(buf, 1, sizeof(buf)-1, fp);
1648 return SSH_KEYTYPE_UNOPENABLE;
1650 return SSH_KEYTYPE_UNKNOWN;
1651 assert(i > 0 && i < sizeof(buf));
1653 if (!memcmp(buf, rsa_signature, sizeof(rsa_signature)-1))
1654 return SSH_KEYTYPE_SSH1;
1655 if (!memcmp(buf, public_std_sig, sizeof(public_std_sig)-1))
1656 return SSH_KEYTYPE_SSH2_PUBLIC_RFC4716;
1657 if (!memcmp(buf, putty2_sig, sizeof(putty2_sig)-1))
1658 return SSH_KEYTYPE_SSH2;
1659 if (!memcmp(buf, openssh_new_sig, sizeof(openssh_new_sig)-1))
1660 return SSH_KEYTYPE_OPENSSH_NEW;
1661 if (!memcmp(buf, openssh_sig, sizeof(openssh_sig)-1))
1662 return SSH_KEYTYPE_OPENSSH_PEM;
1663 if (!memcmp(buf, sshcom_sig, sizeof(sshcom_sig)-1))
1664 return SSH_KEYTYPE_SSHCOM;
1665 if ((p = buf + strspn(buf, "0123456789"), *p == ' ') &&
1666 (p = p+1 + strspn(p+1, "0123456789"), *p == ' ') &&
1667 (p = p+1 + strspn(p+1, "0123456789"), *p == ' ' || *p == '\n' || !*p))
1668 return SSH_KEYTYPE_SSH1_PUBLIC;
1669 if ((p = buf + strcspn(buf, " "), find_pubkey_alg_len(p-buf, buf)) &&
1670 (p = p+1 + strspn(p+1, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
1671 "klmnopqrstuvwxyz+/="),
1672 *p == ' ' || *p == '\n' || !*p))
1673 return SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH;
1674 return SSH_KEYTYPE_UNKNOWN; /* unrecognised or EOF */
1677 int key_type(const Filename *filename)
1682 fp = f_open(filename, "r", FALSE);
1684 return SSH_KEYTYPE_UNOPENABLE;
1685 ret = key_type_fp(fp);
1691 * Convert the type word to a string, for `wrong type' error
1694 const char *key_type_to_str(int type)
1697 case SSH_KEYTYPE_UNOPENABLE: return "unable to open file"; break;
1698 case SSH_KEYTYPE_UNKNOWN: return "not a recognised key file format"; break;
1699 case SSH_KEYTYPE_SSH1_PUBLIC: return "SSH-1 public key"; break;
1700 case SSH_KEYTYPE_SSH2_PUBLIC_RFC4716: return "SSH-2 public key (RFC 4716 format)"; break;
1701 case SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH: return "SSH-2 public key (OpenSSH format)"; break;
1702 case SSH_KEYTYPE_SSH1: return "SSH-1 private key"; break;
1703 case SSH_KEYTYPE_SSH2: return "PuTTY SSH-2 private key"; break;
1704 case SSH_KEYTYPE_OPENSSH_PEM: return "OpenSSH SSH-2 private key (old PEM format)"; break;
1705 case SSH_KEYTYPE_OPENSSH_NEW: return "OpenSSH SSH-2 private key (new format)"; break;
1706 case SSH_KEYTYPE_SSHCOM: return "ssh.com SSH-2 private key"; break;
1708 * This function is called with a key type derived from
1709 * looking at an actual key file, so the output-only type
1710 * OPENSSH_AUTO should never get here, and is much an INTERNAL
1711 * ERROR as a code we don't even understand.
1713 case SSH_KEYTYPE_OPENSSH_AUTO: return "INTERNAL ERROR (OPENSSH_AUTO)"; break;
1714 default: return "INTERNAL ERROR"; break;
projects / PuTTY.git / blob