5 * Author: Tatu Ylonen <ylo@cs.hut.fi>
7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 * Created: Mon Mar 27 03:52:05 1995 ylo
12 * This file contains functions for reading and writing identity files, and
13 * for reading the passphrase from the user.
20 #include <openssl/bn.h>
21 #include <openssl/dsa.h>
22 #include <openssl/rsa.h>
23 #include <openssl/pem.h>
24 #include <openssl/evp.h>
33 /* Version identification string for identity files. */
34 #define AUTHFILE_ID_STRING "SSH PRIVATE KEY FILE FORMAT 1.1\n"
37 * Saves the authentication (private) key in a file, encrypting it with
38 * passphrase. The identification of the file (lowest 64 bits of n) will
39 * precede the key to provide identification of the key without needing a
44 save_private_key_rsa(const char *filename, const char *passphrase,
45 RSA *key, const char *comment)
47 Buffer buffer, encrypted;
55 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
56 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
58 if (strcmp(passphrase, "") == 0)
59 cipher_type = SSH_CIPHER_NONE;
61 cipher_type = SSH_AUTHFILE_CIPHER;
63 /* This buffer is used to built the secret part of the private key. */
66 /* Put checkbytes for checking passphrase validity. */
69 buf[1] = (rand >> 8) & 0xff;
72 buffer_append(&buffer, buf, 4);
75 * Store the private key (n and e will not be stored because they
76 * will be stored in plain text, and storing them also in encrypted
77 * format would just give known plaintext).
79 buffer_put_bignum(&buffer, key->d);
80 buffer_put_bignum(&buffer, key->iqmp);
81 buffer_put_bignum(&buffer, key->q); /* reverse from SSL p */
82 buffer_put_bignum(&buffer, key->p); /* reverse from SSL q */
84 /* Pad the part to be encrypted until its size is a multiple of 8. */
85 while (buffer_len(&buffer) % 8 != 0)
86 buffer_put_char(&buffer, 0);
88 /* This buffer will be used to contain the data in the file. */
89 buffer_init(&encrypted);
91 /* First store keyfile id string. */
92 cp = AUTHFILE_ID_STRING;
93 for (i = 0; cp[i]; i++)
94 buffer_put_char(&encrypted, cp[i]);
95 buffer_put_char(&encrypted, 0);
97 /* Store cipher type. */
98 buffer_put_char(&encrypted, cipher_type);
99 buffer_put_int(&encrypted, 0); /* For future extension */
101 /* Store public key. This will be in plain text. */
102 buffer_put_int(&encrypted, BN_num_bits(key->n));
103 buffer_put_bignum(&encrypted, key->n);
104 buffer_put_bignum(&encrypted, key->e);
105 buffer_put_string(&encrypted, comment, strlen(comment));
107 /* Allocate space for the private part of the key in the buffer. */
108 buffer_append_space(&encrypted, &cp, buffer_len(&buffer));
110 cipher_set_key_string(&cipher, cipher_type, passphrase);
111 cipher_encrypt(&cipher, (unsigned char *) cp,
112 (unsigned char *) buffer_ptr(&buffer),
113 buffer_len(&buffer));
114 memset(&cipher, 0, sizeof(cipher));
116 /* Destroy temporary data. */
117 memset(buf, 0, sizeof(buf));
118 buffer_free(&buffer);
120 fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
123 if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
124 buffer_len(&encrypted)) {
125 debug("Write to key file %.200s failed: %.100s", filename,
127 buffer_free(&encrypted);
133 buffer_free(&encrypted);
137 /* save DSA key in OpenSSL PEM format */
140 save_private_key_dsa(const char *filename, const char *passphrase,
141 DSA *dsa, const char *comment)
146 int len = strlen(passphrase);
148 if (len > 0 && len <= 4) {
149 error("passphrase too short: %d bytes", len);
153 fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
155 debug("open %s failed", filename);
158 fp = fdopen(fd, "w");
160 debug("fdopen %s failed", filename);
165 if (!PEM_write_DSAPrivateKey(fp, dsa, EVP_des_ede3_cbc(),
166 (char *)passphrase, strlen(passphrase), NULL, NULL))
169 if (!PEM_write_DSAPrivateKey(fp, dsa, NULL,
170 NULL, 0, NULL, NULL))
178 save_private_key(const char *filename, const char *passphrase, Key *key,
183 return save_private_key_rsa(filename, passphrase, key->rsa, comment);
186 return save_private_key_dsa(filename, passphrase, key->dsa, comment);
195 * Loads the public part of the key file. Returns 0 if an error was
196 * encountered (the file does not exist or is not readable), and non-zero
201 load_public_key_rsa(const char *filename, RSA * pub, char **comment_return)
208 fd = open(filename, O_RDONLY);
211 len = lseek(fd, (off_t) 0, SEEK_END);
212 lseek(fd, (off_t) 0, SEEK_SET);
214 buffer_init(&buffer);
215 buffer_append_space(&buffer, &cp, len);
217 if (read(fd, cp, (size_t) len) != (size_t) len) {
218 debug("Read from key file %.200s failed: %.100s", filename,
220 buffer_free(&buffer);
226 /* Check that it is at least big enought to contain the ID string. */
227 if (len < strlen(AUTHFILE_ID_STRING) + 1) {
228 debug("Bad key file %.200s.", filename);
229 buffer_free(&buffer);
233 * Make sure it begins with the id string. Consume the id string
236 for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++)
237 if (buffer_get_char(&buffer) != (u_char) AUTHFILE_ID_STRING[i]) {
238 debug("Bad key file %.200s.", filename);
239 buffer_free(&buffer);
242 /* Skip cipher type and reserved data. */
243 (void) buffer_get_char(&buffer); /* cipher type */
244 (void) buffer_get_int(&buffer); /* reserved */
246 /* Read the public key from the buffer. */
247 buffer_get_int(&buffer);
251 buffer_get_bignum(&buffer, pub->n);
255 buffer_get_bignum(&buffer, pub->e);
257 *comment_return = buffer_get_string(&buffer, NULL);
258 /* The encrypted private part is not parsed by this function. */
260 buffer_free(&buffer);
266 load_public_key(const char *filename, Key * key, char **comment_return)
270 return load_public_key_rsa(filename, key->rsa, comment_return);
280 * Loads the private key from the file. Returns 0 if an error is encountered
281 * (file does not exist or is not readable, or passphrase is bad). This
282 * initializes the private key.
283 * Assumes we are called under uid of the owner of the file.
287 load_private_key_rsa(int fd, const char *filename,
288 const char *passphrase, RSA * prv, char **comment_return)
290 int i, check1, check2, cipher_type;
292 Buffer buffer, decrypted;
294 CipherContext cipher;
298 len = lseek(fd, (off_t) 0, SEEK_END);
299 lseek(fd, (off_t) 0, SEEK_SET);
301 buffer_init(&buffer);
302 buffer_append_space(&buffer, &cp, len);
304 if (read(fd, cp, (size_t) len) != (size_t) len) {
305 debug("Read from key file %.200s failed: %.100s", filename,
307 buffer_free(&buffer);
313 /* Check that it is at least big enought to contain the ID string. */
314 if (len < strlen(AUTHFILE_ID_STRING) + 1) {
315 debug("Bad key file %.200s.", filename);
316 buffer_free(&buffer);
320 * Make sure it begins with the id string. Consume the id string
323 for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++)
324 if (buffer_get_char(&buffer) != (unsigned char) AUTHFILE_ID_STRING[i]) {
325 debug("Bad key file %.200s.", filename);
326 buffer_free(&buffer);
329 /* Read cipher type. */
330 cipher_type = buffer_get_char(&buffer);
331 (void) buffer_get_int(&buffer); /* Reserved data. */
333 /* Read the public key from the buffer. */
334 buffer_get_int(&buffer);
336 buffer_get_bignum(&buffer, prv->n);
338 buffer_get_bignum(&buffer, prv->e);
340 *comment_return = buffer_get_string(&buffer, NULL);
342 xfree(buffer_get_string(&buffer, NULL));
344 /* Check that it is a supported cipher. */
345 if (((cipher_mask1() | SSH_CIPHER_NONE | SSH_AUTHFILE_CIPHER) &
346 (1 << cipher_type)) == 0) {
347 debug("Unsupported cipher %.100s used in key file %.200s.",
348 cipher_name(cipher_type), filename);
349 buffer_free(&buffer);
352 /* Initialize space for decrypted data. */
353 buffer_init(&decrypted);
354 buffer_append_space(&decrypted, &cp, buffer_len(&buffer));
356 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
357 cipher_set_key_string(&cipher, cipher_type, passphrase);
358 cipher_decrypt(&cipher, (unsigned char *) cp,
359 (unsigned char *) buffer_ptr(&buffer),
360 buffer_len(&buffer));
362 buffer_free(&buffer);
364 check1 = buffer_get_char(&decrypted);
365 check2 = buffer_get_char(&decrypted);
366 if (check1 != buffer_get_char(&decrypted) ||
367 check2 != buffer_get_char(&decrypted)) {
368 if (strcmp(passphrase, "") != 0)
369 debug("Bad passphrase supplied for key file %.200s.", filename);
370 /* Bad passphrase. */
371 buffer_free(&decrypted);
373 BN_clear_free(prv->n);
375 BN_clear_free(prv->e);
378 xfree(*comment_return);
381 /* Read the rest of the private key. */
383 buffer_get_bignum(&decrypted, prv->d);
384 prv->iqmp = BN_new();
385 buffer_get_bignum(&decrypted, prv->iqmp); /* u */
386 /* in SSL and SSH p and q are exchanged */
388 buffer_get_bignum(&decrypted, prv->q); /* p */
390 buffer_get_bignum(&decrypted, prv->p); /* q */
395 BN_sub(aux, prv->q, BN_value_one());
396 prv->dmq1 = BN_new();
397 BN_mod(prv->dmq1, prv->d, aux, ctx);
399 BN_sub(aux, prv->p, BN_value_one());
400 prv->dmp1 = BN_new();
401 BN_mod(prv->dmp1, prv->d, aux, ctx);
406 buffer_free(&decrypted);
412 load_private_key_dsa(int fd, const char *passphrase, Key *k, char **comment_return)
418 in = BIO_new(BIO_s_file());
420 error("BIO_new failed");
423 fp = fdopen(fd, "r");
425 error("fdopen failed");
428 BIO_set_fp(in, fp, BIO_NOCLOSE);
429 dsa = PEM_read_bio_DSAPrivateKey(in, NULL, NULL, (char *)passphrase);
431 debug("PEM_read_bio_DSAPrivateKey failed");
433 /* replace k->dsa with loaded key */
440 *comment_return = xstrdup("dsa w/o comment");
441 debug("read DSA private key done");
443 DSA_print_fp(stderr, dsa, 8);
445 return dsa != NULL ? 1 : 0;
449 load_private_key(const char *filename, const char *passphrase, Key *key,
450 char **comment_return)
456 fd = open(filename, O_RDONLY);
460 /* check owner and modes */
461 if (fstat(fd, &st) < 0 ||
462 (st.st_uid != 0 && st.st_uid != getuid()) ||
463 (st.st_mode & 077) != 0) {
465 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
466 error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
467 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
468 error("Bad ownership or mode(0%3.3o) for '%s'.",
469 st.st_mode & 0777, filename);
470 error("It is recommended that your private key files are NOT accessible by others.");
475 if (key->rsa->e != NULL) {
476 BN_clear_free(key->rsa->e);
479 if (key->rsa->n != NULL) {
480 BN_clear_free(key->rsa->n);
483 ret = load_private_key_rsa(fd, filename, passphrase,
484 key->rsa, comment_return);
487 ret = load_private_key_dsa(fd, passphrase, key, comment_return);