mirror of
https://github.com/str4d/rage.git
synced 2025-04-04 11:27:43 +03:00
ssh: Support aes256-gcm@openssh.com ciphers for encrypted keys
Closes str4d/rage#370.
This commit is contained in:
Jack Grigg
parent
f3f93f80a3
commit
37c6b697ba
4 changed files with 61 additions and 0 deletions
38
Cargo.lock
generated
38
Cargo.lock
generated
|
|
@ -50,11 +50,26 @@ dependencies = [
|
|||
"cpufeatures",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "aes-gcm"
|
||||
version = "0.10.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "82e1366e0c69c9f927b1fa5ce2c7bf9eafc8f9268c0b9800729e8b267612447c"
|
||||
dependencies = [
|
||||
"aead",
|
||||
"aes 0.8.1",
|
||||
"cipher 0.4.3",
|
||||
"ctr",
|
||||
"ghash",
|
||||
"subtle",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "age"
|
||||
version = "0.9.0"
|
||||
dependencies = [
|
||||
"aes 0.8.1",
|
||||
"aes-gcm",
|
||||
"age-core",
|
||||
"atty",
|
||||
"base64",
|
||||
|
|
@ -618,6 +633,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
|||
checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
|
||||
dependencies = [
|
||||
"generic-array",
|
||||
"rand_core 0.6.4",
|
||||
"typenum",
|
||||
]
|
||||
|
||||
|
|
@ -1069,6 +1085,16 @@ dependencies = [
|
|||
"wasi 0.11.0+wasi-snapshot-preview1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "ghash"
|
||||
version = "0.5.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d930750de5717d2dd0b8c0d42c076c0e884c81a73e6cab859bbd2339c71e3e40"
|
||||
dependencies = [
|
||||
"opaque-debug",
|
||||
"polyval",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "gimli"
|
||||
version = "0.26.2"
|
||||
|
|
@ -1816,6 +1842,18 @@ dependencies = [
|
|||
"universal-hash",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "polyval"
|
||||
version = "0.6.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7ef234e08c11dfcb2e56f79fd70f6f2eb7f025c0ce2333e82f4f0518ecad30c6"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"cpufeatures",
|
||||
"opaque-debug",
|
||||
"universal-hash",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "pprof"
|
||||
version = "0.10.1"
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ and this project adheres to Rust's notion of
|
|||
to 1.0.0 are beta releases.
|
||||
|
||||
## [Unreleased]
|
||||
### Added
|
||||
- Support for encrypted OpenSSH keys exported from 1Password.
|
||||
|
||||
## [0.9.0] - 2022-10-27
|
||||
### Added
|
||||
|
|
|
|||
|
|
@ -53,6 +53,7 @@ curve25519-dalek = { version = "3", optional = true }
|
|||
|
||||
# - Encrypted keys
|
||||
aes = { version = "0.8", optional = true }
|
||||
aes-gcm = { version = "0.10", optional = true }
|
||||
bcrypt-pbkdf = { version = "0.9", optional = true }
|
||||
cbc = { version = "0.1", optional = true }
|
||||
cipher = { version = "0.4.3", features = ["alloc"], optional = true }
|
||||
|
|
@ -114,6 +115,7 @@ cli-common = ["atty", "console", "pinentry", "rpassword"]
|
|||
plugin = ["age-core/plugin", "which", "wsl"]
|
||||
ssh = [
|
||||
"aes",
|
||||
"aes-gcm",
|
||||
"bcrypt-pbkdf",
|
||||
"cbc",
|
||||
"cipher",
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
//! a short 32-bit ID of the public key.
|
||||
|
||||
use aes::{Aes128, Aes192, Aes256};
|
||||
use aes_gcm::Aes256Gcm;
|
||||
use age_core::secrecy::{ExposeSecret, SecretString};
|
||||
use bcrypt_pbkdf::bcrypt_pbkdf;
|
||||
use sha2::{Digest, Sha256};
|
||||
|
|
@ -51,6 +52,7 @@ enum OpenSshCipher {
|
|||
Aes128Ctr,
|
||||
Aes192Ctr,
|
||||
Aes256Ctr,
|
||||
Aes256Gcm,
|
||||
}
|
||||
|
||||
impl OpenSshCipher {
|
||||
|
|
@ -65,6 +67,7 @@ impl OpenSshCipher {
|
|||
OpenSshCipher::Aes128Ctr => Ok(decrypt::aes_ctr::<Aes128Ctr>(kdf, p, ct)),
|
||||
OpenSshCipher::Aes192Ctr => Ok(decrypt::aes_ctr::<Aes192Ctr>(kdf, p, ct)),
|
||||
OpenSshCipher::Aes256Ctr => Ok(decrypt::aes_ctr::<Aes256Ctr>(kdf, p, ct)),
|
||||
OpenSshCipher::Aes256Gcm => decrypt::aes_gcm::<Aes256Gcm>(kdf, p, ct),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -122,6 +125,7 @@ impl EncryptedKey {
|
|||
|
||||
mod decrypt {
|
||||
use aes::cipher::{block_padding::NoPadding, BlockDecryptMut, KeyIvInit, StreamCipher};
|
||||
use aes_gcm::aead::{AeadMut, KeyInit};
|
||||
use age_core::secrecy::SecretString;
|
||||
use cipher::generic_array::{ArrayLength, GenericArray};
|
||||
|
||||
|
|
@ -163,6 +167,18 @@ mod decrypt {
|
|||
cipher.apply_keystream(&mut plaintext);
|
||||
plaintext
|
||||
}
|
||||
|
||||
pub(super) fn aes_gcm<C: AeadMut + KeyInit>(
|
||||
kdf: &OpenSshKdf,
|
||||
passphrase: SecretString,
|
||||
ciphertext: &[u8],
|
||||
) -> Result<Vec<u8>, DecryptError> {
|
||||
let (key, nonce) = derive_key_material::<C::KeySize, C::NonceSize>(kdf, passphrase);
|
||||
let mut cipher = C::new(&key);
|
||||
cipher
|
||||
.decrypt(&nonce, ciphertext)
|
||||
.map_err(|_| DecryptError::KeyDecryptionFailed)
|
||||
}
|
||||
}
|
||||
|
||||
mod read_ssh {
|
||||
|
|
@ -262,6 +278,9 @@ mod read_ssh {
|
|||
map(string_tag("aes256-ctr"), |_| {
|
||||
CipherResult::Supported(OpenSshCipher::Aes256Ctr)
|
||||
}),
|
||||
map(string_tag("aes256-gcm@openssh.com"), |_| {
|
||||
CipherResult::Supported(OpenSshCipher::Aes256Gcm)
|
||||
}),
|
||||
map(string, |s| {
|
||||
CipherResult::Unsupported(String::from_utf8_lossy(s).into_owned())
|
||||
}),
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue