Fix private keys encrypted with aes-gcm methods (libssh2#1133)

jakob · web-flow · commit e87bdefac664 · 2023-07-26T09:15:20.000+02:00
libssh2 1.11.0 fails to decrypt private keys encrypted with aes128-gcm@openssh.com and aes256-gcm@openssh.com ciphers. To reproduce the issue, you can create a test key with a command like the following: ```bash ssh-keygen -Z aes256-gcm@openssh.com -f id_aes256-gcm ``` If you attempt to use this key for authentication, libssh2 returns the not-so-helpful error message "Wrong passphrase or invalid/unrecognized private key file format". The problem is that OpenSSH encrypts keys differently than packets. It does not include the length as AAD, and the 16 byte authentication tag is appended after the encrypted key. The length of the authentication tag is not included in the encrypted key length. I have not found any documentation for this behaviour -- I discovered it by looking at the OpenSSH source. See the `private2_decrypt` function in <https://github.com/openssh/openssh-portable/blob/master/sshkey.c>. This patch fixes the code for reading OpenSSH private keys encrypted with AES-GCM methods.
diff --git a/src/pem.c b/src/pem.c
@@ -599,13 +599,17 @@ _libssh2_openssh_pem_parse_data(LIBSSH2_SESSION * session,
         }
 
         while((size_t)len_decrypted <= decrypted.len - blocksize) {
+            /* We always pass MIDDLE_BLOCK here because OpenSSH Key Files
+             * do not use AAD to authenticate the length.
+             * Furthermore, the authentication tag is appended after the
+             * encrypted key, and the length of the authentication tag is
+             * not included in the key length, so we check it after the
+             * loop.
+             */
             if(method->crypt(session, decrypted.data + len_decrypted,
                              blocksize,
                              &abstract,
-                             len_decrypted == 0 ? FIRST_BLOCK : (
-                         ((size_t)len_decrypted == decrypted.len - blocksize) ?
-                               LAST_BLOCK : MIDDLE_BLOCK)
-                             )) {
+                             MIDDLE_BLOCK)) {
                 ret = LIBSSH2_ERROR_DECRYPT;
                 method->dtor(session, &abstract);
                 goto out;
@@ -616,6 +620,26 @@ _libssh2_openssh_pem_parse_data(LIBSSH2_SESSION * session,
 
         /* No padding */
 
+        /* for the AES GCM methods, the 16 byte authentication tag is
+         * appended to the encrypted key */
+        if(strcmp(method->name, "aes256-gcm@openssh.com") == 0 ||
+           strcmp(method->name, "aes128-gcm@openssh.com") == 0) {
+            if(!_libssh2_check_length(&decoded, 16)) {
+                ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+                                     "GCM auth tag missing");
+                method->dtor(session, &abstract);
+                goto out;
+            }
+            if(method->crypt(session, decoded.dataptr, 16, &abstract,
+                             LAST_BLOCK)) {
+                ret = _libssh2_error(session, LIBSSH2_ERROR_DECRYPT,
+                                     "GCM auth tag invalid");
+                method->dtor(session, &abstract);
+                goto out;
+            }
+            decoded.dataptr += 16;
+        }
+
         method->dtor(session, &abstract);
     }
 
