2 * Generic SSH public-key handling operations. In particular,
3 * reading of SSH public-key files, and also the generic `sign'
4 * operation for SSH-2 (which checks the type of the key and
5 * dispatches to the appropriate key-type specific function).
16 #define rsa_signature "SSH PRIVATE KEY FILE FORMAT 1.1\n"
18 #define BASE64_TOINT(x) ( (x)-'A'<26 ? (x)-'A'+0 :\
19 (x)-'a'<26 ? (x)-'a'+26 :\
20 (x)-'0'<10 ? (x)-'0'+52 :\
24 static int key_type_fp(FILE *fp);
26 static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
27 char **commentptr, const char *passphrase,
30 unsigned char buf[16384];
31 unsigned char keybuf[16];
35 struct MD5Context md5c;
40 /* Slurp the whole file (minus the header) into a buffer. */
41 len = fread(buf, 1, sizeof(buf), fp);
43 if (len < 0 || len == sizeof(buf)) {
44 *error = "error reading file";
45 goto end; /* file too big or not read */
49 *error = "file format error";
52 * A zero byte. (The signature includes a terminating NUL.)
54 if (len - i < 1 || buf[i] != 0)
58 /* One byte giving encryption type, and one reserved uint32. */
62 if (ciphertype != 0 && ciphertype != SSH_CIPHER_3DES)
66 goto end; /* reserved field not present */
67 if (buf[i] != 0 || buf[i + 1] != 0 || buf[i + 2] != 0
68 || buf[i + 3] != 0) goto end; /* reserved field nonzero, panic! */
71 /* Now the serious stuff. An ordinary SSH-1 public key. */
72 j = makekey(buf + i, len - i, key, NULL, 1);
74 goto end; /* overran */
77 /* Next, the comment field. */
78 j = toint(GET_32BIT(buf + i));
80 if (j < 0 || len - i < j)
82 comment = snewn(j + 1, char);
84 memcpy(comment, buf + i, j);
89 *commentptr = dupstr(comment);
91 key->comment = comment;
101 ret = ciphertype != 0;
107 * Decrypt remainder of buffer.
111 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
112 MD5Final(keybuf, &md5c);
113 des3_decrypt_pubkey(keybuf, buf + i, (len - i + 7) & ~7);
114 smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
118 * We are now in the secret part of the key. The first four
119 * bytes should be of the form a, b, a, b.
123 if (buf[i] != buf[i + 2] || buf[i + 1] != buf[i + 3]) {
124 *error = "wrong passphrase";
131 * After that, we have one further bignum which is our
132 * decryption exponent, and then the three auxiliary values
135 j = makeprivate(buf + i, len - i, key);
138 j = ssh1_read_bignum(buf + i, len - i, &key->iqmp);
141 j = ssh1_read_bignum(buf + i, len - i, &key->q);
144 j = ssh1_read_bignum(buf + i, len - i, &key->p);
148 if (!rsa_verify(key)) {
149 *error = "rsa_verify failed";
156 smemclr(buf, sizeof(buf)); /* burn the evidence */
160 int loadrsakey(const Filename *filename, struct RSAKey *key,
161 const char *passphrase, const char **errorstr)
166 const char *error = NULL;
168 fp = f_open(filename, "rb", FALSE);
170 error = "can't open file";
175 * Read the first line of the file and see if it's a v1 private
178 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
180 * This routine will take care of calling fclose() for us.
182 ret = loadrsakey_main(fp, key, FALSE, NULL, passphrase, &error);
188 * Otherwise, we have nothing. Return empty-handed.
190 error = "not an SSH-1 RSA file";
195 if ((ret != 1) && errorstr)
201 * See whether an RSA key is encrypted. Return its comment field as
204 int rsakey_encrypted(const Filename *filename, char **comment)
209 fp = f_open(filename, "rb", FALSE);
211 return 0; /* doesn't even exist */
214 * Read the first line of the file and see if it's a v1 private
217 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
220 * This routine will take care of calling fclose() for us.
222 return loadrsakey_main(fp, NULL, FALSE, comment, NULL, &dummy);
225 return 0; /* wasn't the right kind of file */
229 * Return a malloc'ed chunk of memory containing the public blob of
230 * an RSA key, as given in the agent protocol (modulus bits,
231 * exponent, modulus).
233 int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
234 char **commentptr, const char **errorstr)
240 const char *error = NULL;
242 /* Default return if we fail. */
247 fp = f_open(filename, "rb", FALSE);
249 error = "can't open file";
254 * Read the first line of the file and see if it's a v1 private
257 if (fgets(buf, sizeof(buf), fp) && !strcmp(buf, rsa_signature)) {
258 memset(&key, 0, sizeof(key));
259 if (loadrsakey_main(fp, &key, TRUE, commentptr, NULL, &error)) {
260 *blob = rsa_public_blob(&key, bloblen);
264 fp = NULL; /* loadrsakey_main unconditionally closes fp */
267 * Try interpreting the file as an SSH-1 public key.
269 char *line, *p, *bitsp, *expp, *modp, *commentp;
272 line = chomp(fgetline(fp));
276 p += strspn(p, "0123456789");
278 goto not_public_either;
282 p += strspn(p, "0123456789");
284 goto not_public_either;
288 p += strspn(p, "0123456789");
291 goto not_public_either;
298 memset(&key, 0, sizeof(key));
299 key.exponent = bignum_from_decimal(expp);
300 key.modulus = bignum_from_decimal(modp);
301 if (atoi(bitsp) != bignum_bitcount(key.modulus)) {
302 freebn(key.exponent);
305 error = "key bit count does not match in SSH-1 public key file";
309 *commentptr = commentp ? dupstr(commentp) : NULL;
310 *blob = rsa_public_blob(&key, bloblen);
316 error = "not an SSH-1 RSA file";
322 if ((ret != 1) && errorstr)
328 * Save an RSA key file. Return nonzero on success.
330 int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase)
332 unsigned char buf[16384];
333 unsigned char keybuf[16];
334 struct MD5Context md5c;
335 unsigned char *p, *estart;
339 * Write the initial signature.
342 memcpy(p, rsa_signature, sizeof(rsa_signature));
343 p += sizeof(rsa_signature);
346 * One byte giving encryption type, and one reserved (zero)
349 *p++ = (passphrase ? SSH_CIPHER_3DES : 0);
354 * An ordinary SSH-1 public key consists of: a uint32
355 * containing the bit count, then two bignums containing the
356 * modulus and exponent respectively.
358 PUT_32BIT(p, bignum_bitcount(key->modulus));
360 p += ssh1_write_bignum(p, key->modulus);
361 p += ssh1_write_bignum(p, key->exponent);
364 * A string containing the comment field.
367 PUT_32BIT(p, strlen(key->comment));
369 memcpy(p, key->comment, strlen(key->comment));
370 p += strlen(key->comment);
377 * The encrypted portion starts here.
382 * Two bytes, then the same two bytes repeated.
384 *p++ = random_byte();
385 *p++ = random_byte();
391 * Four more bignums: the decryption exponent, then iqmp, then
394 p += ssh1_write_bignum(p, key->private_exponent);
395 p += ssh1_write_bignum(p, key->iqmp);
396 p += ssh1_write_bignum(p, key->q);
397 p += ssh1_write_bignum(p, key->p);
400 * Now write zeros until the encrypted portion is a multiple of
403 while ((p - estart) % 8)
407 * Now encrypt the encrypted portion.
411 MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
412 MD5Final(keybuf, &md5c);
413 des3_encrypt_pubkey(keybuf, estart, p - estart);
414 smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
418 * Done. Write the result to the file.
420 fp = f_open(filename, "wb", TRUE);
422 int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf));
430 /* ----------------------------------------------------------------------
431 * SSH-2 private key load/store functions.
435 * PuTTY's own format for SSH-2 keys is as follows:
437 * The file is text. Lines are terminated by CRLF, although CR-only
438 * and LF-only are tolerated on input.
440 * The first line says "PuTTY-User-Key-File-2: " plus the name of the
441 * algorithm ("ssh-dss", "ssh-rsa" etc).
443 * The next line says "Encryption: " plus an encryption type.
444 * Currently the only supported encryption types are "aes256-cbc"
447 * The next line says "Comment: " plus the comment string.
449 * Next there is a line saying "Public-Lines: " plus a number N.
450 * The following N lines contain a base64 encoding of the public
451 * part of the key. This is encoded as the standard SSH-2 public key
452 * blob (with no initial length): so for RSA, for example, it will
459 * Next, there is a line saying "Private-Lines: " plus a number N,
460 * and then N lines containing the (potentially encrypted) private
461 * part of the key. For the key type "ssh-rsa", this will be
464 * mpint private_exponent
465 * mpint p (the larger of the two primes)
466 * mpint q (the smaller prime)
467 * mpint iqmp (the inverse of q modulo p)
468 * data padding (to reach a multiple of the cipher block size)
470 * And for "ssh-dss", it will be composed of
472 * mpint x (the private key parameter)
473 * [ string hash 20-byte hash of mpints p || q || g only in old format ]
475 * Finally, there is a line saying "Private-MAC: " plus a hex
476 * representation of a HMAC-SHA-1 of:
478 * string name of algorithm ("ssh-dss", "ssh-rsa")
479 * string encryption type
482 * string private-plaintext (the plaintext version of the
483 * private part, including the final
486 * The key to the MAC is itself a SHA-1 hash of:
488 * data "putty-private-key-file-mac-key"
491 * (An empty passphrase is used for unencrypted keys.)
493 * If the key is encrypted, the encryption key is derived from the
494 * passphrase by means of a succession of SHA-1 hashes. Each hash
497 * uint32 sequence-number
500 * where the sequence-number increases from zero. As many of these
501 * hashes are used as necessary.
503 * For backwards compatibility with snapshots between 0.51 and
504 * 0.52, we also support the older key file format, which begins
505 * with "PuTTY-User-Key-File-1" (version number differs). In this
506 * format the Private-MAC: field only covers the private-plaintext
507 * field and nothing else (and without the 4-byte string length on
508 * the front too). Moreover, the Private-MAC: field can be replaced
509 * with a Private-Hash: field which is a plain SHA-1 hash instead of
510 * an HMAC (this was generated for unencrypted keys).
513 static int read_header(FILE * fp, char *header)
520 if (c == '\n' || c == '\r' || c == EOF)
521 return 0; /* failure */
527 return 1; /* success! */
530 return 0; /* failure */
534 return 0; /* failure */
537 static char *read_body(FILE * fp)
545 text = snewn(size, char);
551 if (c == '\r' || c == '\n' || c == EOF) {
554 if (c != '\r' && c != '\n')
559 if (len + 1 >= size) {
561 text = sresize(text, size, char);
568 static unsigned char *read_blob(FILE * fp, int nlines, int *bloblen)
575 /* We expect at most 64 base64 characters, ie 48 real bytes, per line. */
576 blob = snewn(48 * nlines, unsigned char);
578 for (i = 0; i < nlines; i++) {
579 line = read_body(fp);
584 linelen = strlen(line);
585 if (linelen % 4 != 0 || linelen > 64) {
590 for (j = 0; j < linelen; j += 4) {
591 k = base64_decode_atom(line + j, blob + len);
606 * Magic error return value for when the passphrase is wrong.
608 struct ssh2_userkey ssh2_wrong_passphrase = {
612 const struct ssh_signkey *find_pubkey_alg_len(int namelen, const char *name)
614 if (match_ssh_id(namelen, name, "ssh-rsa"))
616 else if (match_ssh_id(namelen, name, "ssh-dss"))
618 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp256"))
619 return &ssh_ecdsa_nistp256;
620 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp384"))
621 return &ssh_ecdsa_nistp384;
622 else if (match_ssh_id(namelen, name, "ecdsa-sha2-nistp521"))
623 return &ssh_ecdsa_nistp521;
624 else if (match_ssh_id(namelen, name, "ssh-ed25519"))
625 return &ssh_ecdsa_ed25519;
630 const struct ssh_signkey *find_pubkey_alg(const char *name)
632 return find_pubkey_alg_len(strlen(name), name);
635 struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
636 const char *passphrase,
637 const char **errorstr)
640 char header[40], *b, *encryption, *comment, *mac;
641 const struct ssh_signkey *alg;
642 struct ssh2_userkey *ret;
643 int cipher, cipherblk;
644 unsigned char *public_blob, *private_blob;
645 int public_blob_len, private_blob_len;
646 int i, is_mac, old_fmt;
647 int passlen = passphrase ? strlen(passphrase) : 0;
648 const char *error = NULL;
650 ret = NULL; /* return NULL for most errors */
651 encryption = comment = mac = NULL;
652 public_blob = private_blob = NULL;
654 fp = f_open(filename, "rb", FALSE);
656 error = "can't open file";
660 /* Read the first header line which contains the key type. */
661 if (!read_header(fp, header))
663 if (0 == strcmp(header, "PuTTY-User-Key-File-2")) {
665 } else if (0 == strcmp(header, "PuTTY-User-Key-File-1")) {
666 /* this is an old key file; warn and then continue */
667 old_keyfile_warning();
669 } else if (0 == strncmp(header, "PuTTY-User-Key-File-", 20)) {
670 /* this is a key file FROM THE FUTURE; refuse it, but with a
671 * more specific error message than the generic one below */
672 error = "PuTTY key format too new";
675 error = "not a PuTTY SSH-2 private key";
678 error = "file format error";
679 if ((b = read_body(fp)) == NULL)
681 /* Select key algorithm structure. */
682 alg = find_pubkey_alg(b);
689 /* Read the Encryption header line. */
690 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption"))
692 if ((encryption = read_body(fp)) == NULL)
694 if (!strcmp(encryption, "aes256-cbc")) {
697 } else if (!strcmp(encryption, "none")) {
704 /* Read the Comment header line. */
705 if (!read_header(fp, header) || 0 != strcmp(header, "Comment"))
707 if ((comment = read_body(fp)) == NULL)
710 /* Read the Public-Lines header line and the public blob. */
711 if (!read_header(fp, header) || 0 != strcmp(header, "Public-Lines"))
713 if ((b = read_body(fp)) == NULL)
717 if ((public_blob = read_blob(fp, i, &public_blob_len)) == NULL)
720 /* Read the Private-Lines header line and the Private blob. */
721 if (!read_header(fp, header) || 0 != strcmp(header, "Private-Lines"))
723 if ((b = read_body(fp)) == NULL)
727 if ((private_blob = read_blob(fp, i, &private_blob_len)) == NULL)
730 /* Read the Private-MAC or Private-Hash header line. */
731 if (!read_header(fp, header))
733 if (0 == strcmp(header, "Private-MAC")) {
734 if ((mac = read_body(fp)) == NULL)
737 } else if (0 == strcmp(header, "Private-Hash") && old_fmt) {
738 if ((mac = read_body(fp)) == NULL)
748 * Decrypt the private blob.
751 unsigned char key[40];
756 if (private_blob_len % cipherblk)
760 SHA_Bytes(&s, "\0\0\0\0", 4);
761 SHA_Bytes(&s, passphrase, passlen);
762 SHA_Final(&s, key + 0);
764 SHA_Bytes(&s, "\0\0\0\1", 4);
765 SHA_Bytes(&s, passphrase, passlen);
766 SHA_Final(&s, key + 20);
767 aes256_decrypt_pubkey(key, private_blob, private_blob_len);
775 unsigned char binary[20];
776 unsigned char *macdata;
781 /* MAC (or hash) only covers the private blob. */
782 macdata = private_blob;
783 maclen = private_blob_len;
787 int namelen = strlen(alg->name);
788 int enclen = strlen(encryption);
789 int commlen = strlen(comment);
790 maclen = (4 + namelen +
793 4 + public_blob_len +
794 4 + private_blob_len);
795 macdata = snewn(maclen, unsigned char);
797 #define DO_STR(s,len) PUT_32BIT(p,(len));memcpy(p+4,(s),(len));p+=4+(len)
798 DO_STR(alg->name, namelen);
799 DO_STR(encryption, enclen);
800 DO_STR(comment, commlen);
801 DO_STR(public_blob, public_blob_len);
802 DO_STR(private_blob, private_blob_len);
809 unsigned char mackey[20];
810 char header[] = "putty-private-key-file-mac-key";
813 SHA_Bytes(&s, header, sizeof(header)-1);
814 if (cipher && passphrase)
815 SHA_Bytes(&s, passphrase, passlen);
816 SHA_Final(&s, mackey);
818 hmac_sha1_simple(mackey, 20, macdata, maclen, binary);
820 smemclr(mackey, sizeof(mackey));
821 smemclr(&s, sizeof(s));
823 SHA_Simple(macdata, maclen, binary);
827 smemclr(macdata, maclen);
831 for (i = 0; i < 20; i++)
832 sprintf(realmac + 2 * i, "%02x", binary[i]);
834 if (strcmp(mac, realmac)) {
835 /* An incorrect MAC is an unconditional Error if the key is
836 * unencrypted. Otherwise, it means Wrong Passphrase. */
838 error = "wrong passphrase";
839 ret = SSH2_WRONG_PASSPHRASE;
841 error = "MAC failed";
851 * Create and return the key.
853 ret = snew(struct ssh2_userkey);
855 ret->comment = comment;
856 ret->data = alg->createkey(public_blob, public_blob_len,
857 private_blob, private_blob_len);
861 error = "createkey failed";
865 smemclr(private_blob, private_blob_len);
887 smemclr(private_blob, private_blob_len);
895 unsigned char *rfc4716_loadpub(FILE *fp, char **algorithm,
896 int *pub_blob_len, char **commentptr,
897 const char **errorstr)
900 char *line, *colon, *value;
901 char *comment = NULL;
902 unsigned char *pubblob = NULL;
903 int pubbloblen, pubblobsize;
905 unsigned char base64out[3];
909 line = chomp(fgetline(fp));
910 if (!line || 0 != strcmp(line, "---- BEGIN SSH2 PUBLIC KEY ----")) {
911 error = "invalid begin line in SSH-2 public key file";
914 sfree(line); line = NULL;
917 line = chomp(fgetline(fp));
919 error = "truncated SSH-2 public key file";
922 colon = strstr(line, ": ");
928 if (!strcmp(line, "Comment")) {
931 /* Remove containing double quotes, if present */
933 if (*p == '"' && p[strlen(p)-1] == '"') {
934 p[strlen(p)-1] = '\0';
938 /* Remove \-escaping, not in RFC4716 but seen in the wild
940 for (q = line; *p; p++) {
941 if (*p == '\\' && p[1])
947 comment = dupstr(line);
948 } else if (!strcmp(line, "Subject") ||
949 !strncmp(line, "x-", 2)) {
950 /* Headers we recognise and ignore. Do nothing. */
952 error = "unrecognised header in SSH-2 public key file";
956 sfree(line); line = NULL;
960 * Now line contains the initial line of base64 data. Loop round
961 * while it still does contain base64.
964 pubblob = snewn(pubblobsize, unsigned char);
967 while (line && line[0] != '-') {
969 for (p = line; *p; p++) {
970 base64in[base64bytes++] = *p;
971 if (base64bytes == 4) {
972 int n = base64_decode_atom(base64in, base64out);
973 if (pubbloblen + n > pubblobsize) {
974 pubblobsize = (pubbloblen + n) * 5 / 4 + 1024;
975 pubblob = sresize(pubblob, pubblobsize, unsigned char);
977 memcpy(pubblob + pubbloblen, base64out, n);
982 sfree(line); line = NULL;
983 line = chomp(fgetline(fp));
987 * Finally, check the END line makes sense.
989 if (!line || 0 != strcmp(line, "---- END SSH2 PUBLIC KEY ----")) {
990 error = "invalid end line in SSH-2 public key file";
993 sfree(line); line = NULL;
996 * OK, we now have a public blob and optionally a comment. We must
997 * return the key algorithm string too, so look for that at the
998 * start of the public blob.
1000 if (pubbloblen < 4) {
1001 error = "not enough data in SSH-2 public key file";
1004 alglen = toint(GET_32BIT(pubblob));
1005 if (alglen < 0 || alglen > pubbloblen-4) {
1006 error = "invalid algorithm prefix in SSH-2 public key file";
1010 *algorithm = dupprintf("%.*s", alglen, pubblob+4);
1012 *pub_blob_len = pubbloblen;
1014 *commentptr = comment;
1028 unsigned char *openssh_loadpub(FILE *fp, char **algorithm,
1029 int *pub_blob_len, char **commentptr,
1030 const char **errorstr)
1033 char *line, *base64;
1034 char *comment = NULL;
1035 unsigned char *pubblob = NULL;
1036 int pubbloblen, pubblobsize;
1039 line = chomp(fgetline(fp));
1041 base64 = strchr(line, ' ');
1043 error = "no key blob in OpenSSH public key file";
1048 comment = strchr(base64, ' ');
1051 comment = dupstr(comment);
1054 pubblobsize = strlen(base64) / 4 * 3;
1055 pubblob = snewn(pubblobsize, unsigned char);
1058 while (!memchr(base64, '\0', 4)) {
1059 assert(pubbloblen + 3 <= pubblobsize);
1060 pubbloblen += base64_decode_atom(base64, pubblob + pubbloblen);
1064 error = "invalid length for base64 data in OpenSSH public key file";
1069 * Sanity check: the first word on the line should be the key
1070 * algorithm, and should match the encoded string at the start of
1073 alglen = strlen(line);
1074 if (pubbloblen < alglen + 4 ||
1075 GET_32BIT(pubblob) != alglen ||
1076 0 != memcmp(pubblob + 4, line, alglen)) {
1077 error = "key algorithms do not match in OpenSSH public key file";
1085 *algorithm = dupstr(line);
1087 *pub_blob_len = pubbloblen;
1089 *commentptr = comment;
1103 unsigned char *ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
1104 int *pub_blob_len, char **commentptr,
1105 const char **errorstr)
1108 char header[40], *b;
1109 const struct ssh_signkey *alg;
1110 unsigned char *public_blob;
1111 int public_blob_len;
1113 const char *error = NULL;
1114 char *comment = NULL;
1118 fp = f_open(filename, "rb", FALSE);
1120 error = "can't open file";
1124 /* Initially, check if this is a public-only key file. Sometimes
1125 * we'll be asked to read a public blob from one of those. */
1126 type = key_type_fp(fp);
1127 if (type == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716) {
1128 unsigned char *ret = rfc4716_loadpub(fp, algorithm, pub_blob_len,
1129 commentptr, errorstr);
1132 } else if (type == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
1133 unsigned char *ret = openssh_loadpub(fp, algorithm, pub_blob_len,
1134 commentptr, errorstr);
1137 } else if (type != SSH_KEYTYPE_SSH2) {
1138 error = "not a PuTTY SSH-2 private key";
1142 /* Read the first header line which contains the key type. */
1143 if (!read_header(fp, header)
1144 || (0 != strcmp(header, "PuTTY-User-Key-File-2") &&
1145 0 != strcmp(header, "PuTTY-User-Key-File-1"))) {
1146 if (0 == strncmp(header, "PuTTY-User-Key-File-", 20))
1147 error = "PuTTY key format too new";
1149 error = "not a PuTTY SSH-2 private key";
1152 error = "file format error";
1153 if ((b = read_body(fp)) == NULL)
1155 /* Select key algorithm structure. */
1156 alg = find_pubkey_alg(b);
1162 /* Read the Encryption header line. */
1163 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption"))
1165 if ((b = read_body(fp)) == NULL)
1167 sfree(b); /* we don't care */
1169 /* Read the Comment header line. */
1170 if (!read_header(fp, header) || 0 != strcmp(header, "Comment"))
1172 if ((comment = read_body(fp)) == NULL)
1176 *commentptr = comment;
1180 /* Read the Public-Lines header line and the public blob. */
1181 if (!read_header(fp, header) || 0 != strcmp(header, "Public-Lines"))
1183 if ((b = read_body(fp)) == NULL)
1187 if ((public_blob = read_blob(fp, i, &public_blob_len)) == NULL)
1192 *pub_blob_len = public_blob_len;
1194 *algorithm = alg->name;
1207 if (comment && commentptr) {
1214 int ssh2_userkey_encrypted(const Filename *filename, char **commentptr)
1217 char header[40], *b, *comment;
1223 fp = f_open(filename, "rb", FALSE);
1226 if (!read_header(fp, header)
1227 || (0 != strcmp(header, "PuTTY-User-Key-File-2") &&
1228 0 != strcmp(header, "PuTTY-User-Key-File-1"))) {
1232 if ((b = read_body(fp)) == NULL) {
1236 sfree(b); /* we don't care about key type here */
1237 /* Read the Encryption header line. */
1238 if (!read_header(fp, header) || 0 != strcmp(header, "Encryption")) {
1242 if ((b = read_body(fp)) == NULL) {
1247 /* Read the Comment header line. */
1248 if (!read_header(fp, header) || 0 != strcmp(header, "Comment")) {
1253 if ((comment = read_body(fp)) == NULL) {
1260 *commentptr = comment;
1265 if (!strcmp(b, "aes256-cbc"))
1273 int base64_lines(int datalen)
1275 /* When encoding, we use 64 chars/line, which equals 48 real chars. */
1276 return (datalen + 47) / 48;
1279 void base64_encode(FILE *fp, const unsigned char *data, int datalen, int cpl)
1285 while (datalen > 0) {
1286 n = (datalen < 3 ? datalen : 3);
1287 base64_encode_atom(data, n, out);
1290 for (i = 0; i < 4; i++) {
1291 if (linelen >= cpl) {
1302 int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
1306 unsigned char *pub_blob, *priv_blob, *priv_blob_encrypted;
1307 int pub_blob_len, priv_blob_len, priv_encrypted_len;
1312 unsigned char priv_mac[20];
1315 * Fetch the key component blobs.
1317 pub_blob = key->alg->public_blob(key->data, &pub_blob_len);
1318 priv_blob = key->alg->private_blob(key->data, &priv_blob_len);
1319 if (!pub_blob || !priv_blob) {
1326 * Determine encryption details, and encrypt the private blob.
1329 cipherstr = "aes256-cbc";
1335 priv_encrypted_len = priv_blob_len + cipherblk - 1;
1336 priv_encrypted_len -= priv_encrypted_len % cipherblk;
1337 priv_blob_encrypted = snewn(priv_encrypted_len, unsigned char);
1338 memset(priv_blob_encrypted, 0, priv_encrypted_len);
1339 memcpy(priv_blob_encrypted, priv_blob, priv_blob_len);
1340 /* Create padding based on the SHA hash of the unpadded blob. This prevents
1341 * too easy a known-plaintext attack on the last block. */
1342 SHA_Simple(priv_blob, priv_blob_len, priv_mac);
1343 assert(priv_encrypted_len - priv_blob_len < 20);
1344 memcpy(priv_blob_encrypted + priv_blob_len, priv_mac,
1345 priv_encrypted_len - priv_blob_len);
1347 /* Now create the MAC. */
1349 unsigned char *macdata;
1352 int namelen = strlen(key->alg->name);
1353 int enclen = strlen(cipherstr);
1354 int commlen = strlen(key->comment);
1356 unsigned char mackey[20];
1357 char header[] = "putty-private-key-file-mac-key";
1359 maclen = (4 + namelen +
1363 4 + priv_encrypted_len);
1364 macdata = snewn(maclen, unsigned char);
1366 #define DO_STR(s,len) PUT_32BIT(p,(len));memcpy(p+4,(s),(len));p+=4+(len)
1367 DO_STR(key->alg->name, namelen);
1368 DO_STR(cipherstr, enclen);
1369 DO_STR(key->comment, commlen);
1370 DO_STR(pub_blob, pub_blob_len);
1371 DO_STR(priv_blob_encrypted, priv_encrypted_len);
1374 SHA_Bytes(&s, header, sizeof(header)-1);
1376 SHA_Bytes(&s, passphrase, strlen(passphrase));
1377 SHA_Final(&s, mackey);
1378 hmac_sha1_simple(mackey, 20, macdata, maclen, priv_mac);
1379 smemclr(macdata, maclen);
1381 smemclr(mackey, sizeof(mackey));
1382 smemclr(&s, sizeof(s));
1386 unsigned char key[40];
1389 passlen = strlen(passphrase);
1392 SHA_Bytes(&s, "\0\0\0\0", 4);
1393 SHA_Bytes(&s, passphrase, passlen);
1394 SHA_Final(&s, key + 0);
1396 SHA_Bytes(&s, "\0\0\0\1", 4);
1397 SHA_Bytes(&s, passphrase, passlen);
1398 SHA_Final(&s, key + 20);
1399 aes256_encrypt_pubkey(key, priv_blob_encrypted,
1400 priv_encrypted_len);
1402 smemclr(key, sizeof(key));
1403 smemclr(&s, sizeof(s));
1406 fp = f_open(filename, "w", TRUE);
1409 smemclr(priv_blob, priv_blob_len);
1411 smemclr(priv_blob_encrypted, priv_blob_len);
1412 sfree(priv_blob_encrypted);
1415 fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name);
1416 fprintf(fp, "Encryption: %s\n", cipherstr);
1417 fprintf(fp, "Comment: %s\n", key->comment);
1418 fprintf(fp, "Public-Lines: %d\n", base64_lines(pub_blob_len));
1419 base64_encode(fp, pub_blob, pub_blob_len, 64);
1420 fprintf(fp, "Private-Lines: %d\n", base64_lines(priv_encrypted_len));
1421 base64_encode(fp, priv_blob_encrypted, priv_encrypted_len, 64);
1422 fprintf(fp, "Private-MAC: ");
1423 for (i = 0; i < 20; i++)
1424 fprintf(fp, "%02x", priv_mac[i]);
1429 smemclr(priv_blob, priv_blob_len);
1431 smemclr(priv_blob_encrypted, priv_blob_len);
1432 sfree(priv_blob_encrypted);
1436 /* ----------------------------------------------------------------------
1437 * Output public keys.
1439 char *ssh1_pubkey_str(struct RSAKey *key)
1444 dec1 = bignum_decimal(key->exponent);
1445 dec2 = bignum_decimal(key->modulus);
1446 buffer = dupprintf("%d %s %s%s%s", bignum_bitcount(key->modulus),
1448 key->comment ? " " : "",
1449 key->comment ? key->comment : "");
1455 void ssh1_write_pubkey(FILE *fp, struct RSAKey *key)
1457 char *buffer = ssh1_pubkey_str(key);
1458 fprintf(fp, "%s\n", buffer);
1462 static char *ssh2_pubkey_openssh_str_internal(const char *comment,
1463 const void *v_pub_blob,
1466 const unsigned char *ssh2blob = (const unsigned char *)v_pub_blob;
1475 alglen = GET_32BIT(ssh2blob);
1476 if (alglen > 0 && alglen < pub_len - 4) {
1477 alg = (const char *)ssh2blob + 4;
1484 alg = "INVALID-ALGORITHM";
1485 alglen = strlen(alg);
1488 buffer = snewn(alglen +
1489 4 * ((pub_len+2) / 3) +
1490 (comment ? strlen(comment) : 0) + 3, char);
1491 p = buffer + sprintf(buffer, "%.*s ", alglen, alg);
1493 while (i < pub_len) {
1494 int n = (pub_len - i < 3 ? pub_len - i : 3);
1495 base64_encode_atom(ssh2blob + i, n, p);
1508 char *ssh2_pubkey_openssh_str(struct ssh2_userkey *key)
1511 unsigned char *blob;
1514 blob = key->alg->public_blob(key->data, &bloblen);
1515 ret = ssh2_pubkey_openssh_str_internal(key->comment, blob, bloblen);
1521 void ssh2_write_pubkey(FILE *fp, const char *comment,
1522 const void *v_pub_blob, int pub_len,
1525 unsigned char *pub_blob = (unsigned char *)v_pub_blob;
1527 if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716) {
1531 fprintf(fp, "---- BEGIN SSH2 PUBLIC KEY ----\n");
1534 fprintf(fp, "Comment: \"");
1535 for (p = comment; *p; p++) {
1536 if (*p == '\\' || *p == '\"')
1540 fprintf(fp, "\"\n");
1545 while (i < pub_len) {
1547 int n = (pub_len - i < 3 ? pub_len - i : 3);
1548 base64_encode_atom(pub_blob + i, n, buf);
1552 if (++column >= 16) {
1560 fprintf(fp, "---- END SSH2 PUBLIC KEY ----\n");
1561 } else if (keytype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
1562 char *buffer = ssh2_pubkey_openssh_str_internal(comment,
1563 v_pub_blob, pub_len);
1564 fprintf(fp, "%s\n", buffer);
1567 assert(0 && "Bad key type in ssh2_write_pubkey");
1571 /* ----------------------------------------------------------------------
1572 * Utility functions to compute SSH-2 fingerprints in a uniform way.
1574 char *ssh2_fingerprint_blob(const void *blob, int bloblen)
1576 unsigned char digest[16];
1577 char fingerprint_str[16*3];
1580 const struct ssh_signkey *alg;
1584 * The fingerprint hash itself is always just the MD5 of the blob.
1586 MD5Simple(blob, bloblen, digest);
1587 for (i = 0; i < 16; i++)
1588 sprintf(fingerprint_str + i*3, "%02x%s", digest[i], i==15 ? "" : ":");
1591 * Identify the key algorithm, if possible.
1593 alglen = toint(GET_32BIT((const unsigned char *)blob));
1594 if (alglen > 0 && alglen < bloblen-4) {
1595 algstr = (const char *)blob + 4;
1598 * If we can actually identify the algorithm as one we know
1599 * about, get hold of the key's bit count too.
1601 alg = find_pubkey_alg_len(alglen, algstr);
1603 int bits = alg->pubkey_bits(blob, bloblen);
1604 return dupprintf("%.*s %d %s", alglen, algstr,
1605 bits, fingerprint_str);
1607 return dupprintf("%.*s %s", alglen, algstr, fingerprint_str);
1611 * No algorithm available (which means a seriously confused
1612 * key blob, but there we go). Return only the hash.
1614 return dupstr(fingerprint_str);
1618 char *ssh2_fingerprint(const struct ssh_signkey *alg, void *data)
1621 unsigned char *blob = alg->public_blob(data, &len);
1622 char *ret = ssh2_fingerprint_blob(blob, len);
1627 /* ----------------------------------------------------------------------
1628 * Determine the type of a private key file.
1630 static int key_type_fp(FILE *fp)
1633 const char public_std_sig[] = "---- BEGIN SSH2 PUBLIC KEY";
1634 const char putty2_sig[] = "PuTTY-User-Key-File-";
1635 const char sshcom_sig[] = "---- BEGIN SSH2 ENCRYPTED PRIVAT";
1636 const char openssh_new_sig[] = "-----BEGIN OPENSSH PRIVATE KEY";
1637 const char openssh_sig[] = "-----BEGIN ";
1641 i = fread(buf, 1, sizeof(buf)-1, fp);
1645 return SSH_KEYTYPE_UNOPENABLE;
1647 return SSH_KEYTYPE_UNKNOWN;
1648 assert(i > 0 && i < sizeof(buf));
1650 if (!memcmp(buf, rsa_signature, sizeof(rsa_signature)-1))
1651 return SSH_KEYTYPE_SSH1;
1652 if (!memcmp(buf, public_std_sig, sizeof(public_std_sig)-1))
1653 return SSH_KEYTYPE_SSH2_PUBLIC_RFC4716;
1654 if (!memcmp(buf, putty2_sig, sizeof(putty2_sig)-1))
1655 return SSH_KEYTYPE_SSH2;
1656 if (!memcmp(buf, openssh_new_sig, sizeof(openssh_new_sig)-1))
1657 return SSH_KEYTYPE_OPENSSH_NEW;
1658 if (!memcmp(buf, openssh_sig, sizeof(openssh_sig)-1))
1659 return SSH_KEYTYPE_OPENSSH_PEM;
1660 if (!memcmp(buf, sshcom_sig, sizeof(sshcom_sig)-1))
1661 return SSH_KEYTYPE_SSHCOM;
1662 if ((p = buf + strspn(buf, "0123456789"), *p == ' ') &&
1663 (p = p+1 + strspn(p+1, "0123456789"), *p == ' ') &&
1664 (p = p+1 + strspn(p+1, "0123456789"), *p == ' ' || *p == '\n' || !*p))
1665 return SSH_KEYTYPE_SSH1_PUBLIC;
1666 if ((p = buf + strcspn(buf, " "), find_pubkey_alg_len(p-buf, buf)) &&
1667 (p = p+1 + strspn(p+1, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
1668 "klmnopqrstuvwxyz+/="),
1669 *p == ' ' || *p == '\n' || !*p))
1670 return SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH;
1671 return SSH_KEYTYPE_UNKNOWN; /* unrecognised or EOF */
1674 int key_type(const Filename *filename)
1679 fp = f_open(filename, "r", FALSE);
1681 return SSH_KEYTYPE_UNOPENABLE;
1682 ret = key_type_fp(fp);
1688 * Convert the type word to a string, for `wrong type' error
1691 char *key_type_to_str(int type)
1694 case SSH_KEYTYPE_UNOPENABLE: return "unable to open file"; break;
1695 case SSH_KEYTYPE_UNKNOWN: return "not a recognised key file format"; break;
1696 case SSH_KEYTYPE_SSH1_PUBLIC: return "SSH-1 public key"; break;
1697 case SSH_KEYTYPE_SSH2_PUBLIC_RFC4716: return "SSH-2 public key (RFC 4716 format)"; break;
1698 case SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH: return "SSH-2 public key (OpenSSH format)"; break;
1699 case SSH_KEYTYPE_SSH1: return "SSH-1 private key"; break;
1700 case SSH_KEYTYPE_SSH2: return "PuTTY SSH-2 private key"; break;
1701 case SSH_KEYTYPE_OPENSSH_PEM: return "OpenSSH SSH-2 private key (old PEM format)"; break;
1702 case SSH_KEYTYPE_OPENSSH_NEW: return "OpenSSH SSH-2 private key (new format)"; break;
1703 case SSH_KEYTYPE_SSHCOM: return "ssh.com SSH-2 private key"; break;
1705 * This function is called with a key type derived from
1706 * looking at an actual key file, so the output-only type
1707 * OPENSSH_AUTO should never get here, and is much an INTERNAL
1708 * ERROR as a code we don't even understand.
1710 case SSH_KEYTYPE_OPENSSH_AUTO: return "INTERNAL ERROR (OPENSSH_AUTO)"; break;
1711 default: return "INTERNAL ERROR"; break;