Decryption for OpenSSH keys encrypted with AES-CTR

2025-04-06 04:17:41 +03:00 · 2019-11-19 15:41:11 +00:00 · 2019-11-19 15:41:11 +00:00 · d9fced494d
commit d9fced494d
parent 97e0f34070
3 changed files with 104 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -13,11 +13,43 @@ dependencies = [
 "generic-array 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "aes-ctr"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "aes-soft 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "aesni 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ctr 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "stream-cipher 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "aes-soft"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "block-cipher-trait 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "opaque-debug 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "aesni"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "block-cipher-trait 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "opaque-debug 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "stream-cipher 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "age"
 version = "0.0.0"
 dependencies = [
 "aead 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "aes-ctr 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "base64 0.10.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "blowfish 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
@ -349,6 +381,15 @@ dependencies = [
 "subtle 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "ctr"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "block-cipher-trait 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "stream-cipher 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "curve25519-dalek"
 version = "1.2.3"
@ -1521,6 +1562,9 @@ dependencies = [
 [metadata]
 "checksum adler32 1.0.4 (registry+https://github.com/rust-lang/crates.io-index)" = "5d2e7343e7fc9de883d1b0341e0b13970f764c14101234857d2ddafa1cb1cac2"
 "checksum aead 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "529ae27769da55d955d190396e67896f49b440aff94a5b2f50900e091d168b77"
+"checksum aes-ctr 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d2e5b0458ea3beae0d1d8c0f3946564f8e10f90646cf78c06b4351052058d1ee"
+"checksum aes-soft 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "cfd7e7ae3f9a1fb5c03b389fc6bb9a51400d0c13053f0dca698c832bfd893a0d"
+"checksum aesni 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)" = "2f70a6b5f971e473091ab7cfb5ffac6cde81666c4556751d8d5620ead8abf100"
 "checksum aho-corasick 0.7.6 (registry+https://github.com/rust-lang/crates.io-index)" = "58fb5e95d83b38284460a5fda7d6470aa0b8844d283a0b614b8535e880800d2d"
 "checksum anyhow 1.0.20 (registry+https://github.com/rust-lang/crates.io-index)" = "768155103fe6b9bf51090758e0657aa34dde4f6618f32ba1c3e45be3b29a0709"
 "checksum arrayref 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)" = "0d382e583f07208808f6b1249e60848879ba3543f57c32277bf52d69c2f0f0ee"
@ -1558,6 +1602,7 @@ dependencies = [
 "checksum crc32fast 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ba125de2af0df55319f41944744ad91c71113bf74a4646efff39afe1f6842db1"
 "checksum crossbeam-utils 0.6.6 (registry+https://github.com/rust-lang/crates.io-index)" = "04973fa96e96579258a5091af6003abde64af786b860f18622b82e026cca60e6"
 "checksum crypto-mac 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5"
+"checksum ctr 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "022cd691704491df67d25d006fe8eca083098253c4d43516c2206479c58c6736"
 "checksum curve25519-dalek 1.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "8b7dcd30ba50cdf88b55b033456138b7c0ac4afdc436d82e1b79f370f24cc66d"
 "checksum dialoguer 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "116f66c4e7b19af0d52857aa4ff710cc3b4781d9c16616e31540bc55ec57ba8c"
 "checksum digest 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -16,6 +16,7 @@ maintenance = { status = "experimental" }

 [dependencies]
 aead = "0.1"
+aes-ctr = "0.3"
 base64 = "0.10"
 blowfish = { version = "0.4", features = ["bcrypt"] }
 byteorder = "1"
--- a/src/openssh.rs
+++ b/src/openssh.rs
@ -1,5 +1,6 @@
 //! Parser for OpenSSH public and private key formats.

+use aes_ctr::{Aes128Ctr, Aes192Ctr, Aes256Ctr};
 use nom::{
    branch::alt,
    bytes::streaming::tag,
@ -33,12 +34,33 @@ enum OpenSshCipher {
    ChaCha20Poly1305,
 }

+impl OpenSshCipher {
+    fn decrypt(self, kdf: &OpenSshKdf, p: String, ct: &[u8]) -> Result<Vec<u8>, &'static str> {
+        match self {
+            OpenSshCipher::Aes128Ctr => Ok(decrypt::aes_ctr::<Aes128Ctr>(kdf, p, ct, 16)),
+            OpenSshCipher::Aes192Ctr => Ok(decrypt::aes_ctr::<Aes192Ctr>(kdf, p, ct, 24)),
+            OpenSshCipher::Aes256Ctr => Ok(decrypt::aes_ctr::<Aes256Ctr>(kdf, p, ct, 32)),
+            _ => Err("Unsupported encryption scheme"),
+        }
+    }
+}
+
 /// OpenSSH-supported KDFs.
 #[derive(Clone, Debug)]
 enum OpenSshKdf {
    Bcrypt { salt: Vec<u8>, rounds: u32 },
 }

+impl OpenSshKdf {
+    fn derive(&self, passphrase: String, out_len: usize) -> Vec<u8> {
+        match self {
+            OpenSshKdf::Bcrypt { salt, rounds } => {
+                bcrypt::bcrypt_pbkdf(&passphrase, &salt, *rounds, out_len)
+            }
+        }
+    }
+}
+
 pub struct EncryptedOpenSshKey {
    ssh_key: Vec<u8>,
    cipher: OpenSshCipher,
@ -46,6 +68,41 @@ pub struct EncryptedOpenSshKey {
    encrypted: Vec<u8>,
 }

+impl EncryptedOpenSshKey {
+    pub fn decrypt(&self, passphrase: String) -> Result<SecretKey, &'static str> {
+        let decrypted = self
+            .cipher
+            .decrypt(&self.kdf, passphrase, &self.encrypted)?;
+
+        let parser = read_ssh::openssh_unencrypted_privkey(&self.ssh_key);
+        parser(&decrypted)
+            .map(|(_, sk)| sk)
+            .map_err(|_| "Invalid private key")
+    }
+}
+
+mod decrypt {
+    use aes_ctr::stream_cipher::{NewStreamCipher, StreamCipher};
+
+    use super::OpenSshKdf;
+
+    pub(super) fn aes_ctr<C: NewStreamCipher + StreamCipher>(
+        kdf: &OpenSshKdf,
+        passphrase: String,
+        ciphertext: &[u8],
+        key_len: usize,
+    ) -> Vec<u8> {
+        let kdf_output = kdf.derive(passphrase, key_len + 16);
+        let (key, nonce) = kdf_output.split_at(key_len);
+
+        let mut cipher = C::new_var(key, nonce).expect("key and nonce are correct length");
+
+        let mut plaintext = ciphertext.to_vec();
+        cipher.decrypt(&mut plaintext);
+        plaintext
+    }
+}
+
 mod read_asn1 {
    use nom::{
        bytes::complete::{tag, take},
@ -303,7 +360,7 @@ mod read_ssh {
    ///
    /// We only support a single key, like OpenSSH.
    #[allow(clippy::needless_lifetimes)]
-    fn openssh_unencrypted_privkey<'a>(
+    pub(super) fn openssh_unencrypted_privkey<'a>(
        ssh_key: &'a [u8],
    ) -> impl Fn(&'a [u8]) -> IResult<&'a [u8], SecretKey> {
        move |input: &[u8]| {