Git-Mirrors/keepassxc
1
0
Fork 0
mirror of https://github.com/keepassxreboot/keepassxc.git synced 2025-05-23 16:51:22 -04:00
Code Issues Projects Releases Packages Wiki Activity

SSH Agent: Support old AES-128-CBC encrypted keys

Browse source
This commit is contained in:
Toni Spets 2018-02-06 19:23:03 +02:00 committed by Janek Bevendorff
parent d2359df2b0
commit d58e3ca34d
4 changed files with 74 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/sshagent/OpenSSHKey.cpp
View file

@ -204,9 +204,10 @@ bool OpenSSHKey::parsePEM(const QByteArray& in, QByteArray& out)
rows.removeFirst();
} while (!rows.isEmpty());
if (pemOptions.contains("Proc-Type")) {
m_error = tr("Encrypted keys are not yet supported");
return false;
if (pemOptions.value("Proc-Type").compare("4,encrypted", Qt::CaseInsensitive) == 0) {
m_kdfName = "md5";
m_cipherName = pemOptions.value("DEK-Info").section(",", 0, 0);
m_cipherIV = QByteArray::fromHex(pemOptions.value("DEK-Info").section(",", 1, 1).toLatin1());
}
out = QByteArray::fromBase64(rows.join("").toLatin1());
@ -308,7 +309,9 @@ bool OpenSSHKey::openPrivateKey(const QString& passphrase)
return false;
}
if (m_cipherName == "aes256-cbc") {
if (m_cipherName.compare("aes-128-cbc", Qt::CaseInsensitive) == 0) {
cipher.reset(new SymmetricCipher(SymmetricCipher::Aes128, SymmetricCipher::Cbc, SymmetricCipher::Decrypt));
} else if (m_cipherName == "aes256-cbc") {
cipher.reset(new SymmetricCipher(SymmetricCipher::Aes256, SymmetricCipher::Cbc, SymmetricCipher::Decrypt));
} else if (m_cipherName == "aes256-ctr") {
cipher.reset(new SymmetricCipher(SymmetricCipher::Aes256, SymmetricCipher::Ctr, SymmetricCipher::Decrypt));
@ -355,6 +358,21 @@ bool OpenSSHKey::openPrivateKey(const QString& passphrase)
m_error = cipher->errorString();
return false;
}
} else if (m_kdfName == "md5") {
if (m_cipherIV.length() < 8) {
m_error = tr("Cipher IV is too short for MD5 kdf");
return false;
}
QCryptographicHash hash(QCryptographicHash::Md5);
hash.addData(passphrase.toUtf8());
hash.addData(m_cipherIV.data(), 8);
QByteArray keyData = hash.result();
if (!cipher->init(keyData, m_cipherIV)) {
m_error = cipher->errorString();
return false;
}
} else if (m_kdfName != "none") {
m_error = tr("Unknown KDF: %1").arg(m_kdfName);
return false;
@ -373,14 +391,14 @@ bool OpenSSHKey::openPrivateKey(const QString& passphrase)
if (m_privateType == TYPE_DSA) {
if (!ASN1Key::parseDSA(rawPrivateData, *this)) {
m_error = tr("Reading DSA private key failed, only unencrypted keys are supported at this time");
m_error = tr("Decryption failed, wrong passphrase?");
return false;
}
return true;
} else if (m_privateType == TYPE_RSA) {
if (!ASN1Key::parseRSA(rawPrivateData, *this)) {
m_error = tr("Reading RSA private key failed, only unencrypted keys are supported at this time");
m_error = tr("Decryption failed, wrong passphrase?");
return false;
}

1
src/sshagent/OpenSSHKey.h
View file

@ -63,6 +63,7 @@ private:
QString m_type;
QString m_cipherName;
QByteArray m_cipherIV;
QString m_kdfName;
QByteArray m_kdfOptions;
QByteArray m_rawPrivateData;