Hello,
I just submitted bug 2366 in bugzilla with a proposed patch for a problem I
found in sshkey.c having to do with decrypting new format private keys when
attempting to use GCM ciphers. Here?s more info from my bug report:
I was trying out the new OpenSSH private key format and I ran into a problem
when trying to work with keys encrypted in aes128-gcm and aes256-gcm format.
While ssh-keygen encrypted these keys correctly, it was not able to decrypt
them. I've identified the problem as an issue with the lengths it passes
into cipher_crypt() when dealing with a cipher with integrated MAC support.
Steps to reproduce:
1) Create a new format key with a command like:
ssh-keygen -t ed25519 -N test -Z aes128-gcm at openssh.com -f new_key
2) Attempt to decrypt this key with a command like:
ssh-keygen -p -P test -N '' -f new_key
With OpenSSH 6.7p1, this fails with the error "Bad passphrase" for
aes128-gcm and aes256-gcm, but works correctly for other ciphers which don't
include a built-in MAC. The error happens for all key types when using the new
private key format.
The error is in the call inside sshkey_parse_private2() where it passes in the
length of the encrypted buffer:
if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded),
sshbuf_len(decoded), 0, cipher_authlen(cipher))) != 0) {
The length here should be encrypted_len, not sshbuf_len(decoded), as that
includes the cipher_authlen(cipher) additional MAC bytes.
A few additional changes are needed to use encrypted_len safely here and to
later properly consume the auth data. I have attached a patch which I believe
fixes this problem.
With the fix, step 2 above succeeds and properly decrypts the key created in
step 1.
I hope this is helpful. Thanks for your time!
--
Ron Frederick
ronf at timeheart.net