From bed8be26d706f93701fa08d87c29bc1f5c7c8d7a Mon Sep 17 00:00:00 2001
From: terrafrost
Date: Sat, 18 Jan 2020 18:52:47 -0600
Subject: [PATCH] Keys/OpenSSH: throw an exception if you try to encrypt
---
 phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php | 9 ++++++++-
 phpseclib/Crypt/DSA/Formats/Keys/OpenSSH.php | 2 +-
 phpseclib/Crypt/EC/Formats/Keys/OpenSSH.php | 4 ++--
 phpseclib/Crypt/RSA/Formats/Keys/OpenSSH.php | 2 +-
 4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php
index 2e890845..e5fb276e 100644
--- a/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php
+++ b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php
@@ -20,6 +20,7 @@ namespace phpseclib3\Crypt\Common\Formats\Keys;
 use ParagonIE\ConstantTime\Base64;
 use phpseclib3\Common\Functions\Strings;
 use phpseclib3\Crypt\Random;
+use phpseclib3\Exception\UnsupportedFormatException;
 /**
 * OpenSSH Formatted RSA Key Handler
@@ -195,10 +196,16 @@ abstract class OpenSSH
 * @access public
 * @param string $publicKey
 * @param string $privateKey
+ * @param string $password
+ * @param array $options
 * @return string
 */
- protected static function wrapPrivateKey($publicKey, $privateKey, $options)
+ protected static function wrapPrivateKey($publicKey, $privateKey, $password, $options)
 {
+ if (!empty($password) || is_string($password)) {
+ throw new UnsupportedFormatException('Encrypted OpenSSH private keys are not supported');
+ }
+
 list(, $checkint) = unpack('N', Random::string(4));
 $comment = isset($options['comment']) ? $options['comment'] : self::$comment;
diff --git a/phpseclib/Crypt/DSA/Formats/Keys/OpenSSH.php b/phpseclib/Crypt/DSA/Formats/Keys/OpenSSH.php
index 99ac4932..b160e581 100644
--- a/phpseclib/Crypt/DSA/Formats/Keys/OpenSSH.php
+++ b/phpseclib/Crypt/DSA/Formats/Keys/OpenSSH.php
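Review bot: The guard added to `wrapPrivateKey` in Common/Formats/Keys/OpenSSH.php, `!empty($password) || is_string($password)`, reads like a typo for `&&`, yet the `||` is what makes it fail closed: it rejects every string (including `''` and `'0'`) and every truthy non-string, so only falsy non-strings such as `false` or `null` still produce an unencrypted key. I would state that intent above the check, e.g. `// Fail closed: any string or truthy value is a request for encryption, which this writer does not implement.`, and add `@throws UnsupportedFormatException` to the docblock. A caller that passes `''` to mean "no password" now gets an exception; whether any caller does is not visible in this patch. Because `$password` was inserted before `$options`, a subclass outside these four files that still calls the method with three arguments would hand its options array in as the password, so the signature change deserves a changelog entry.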
@@ -121,6 +121,6 @@ abstract class OpenSSH extends Progenitor
 $publicKey = self::savePublicKey($p, $q, $g, $y, ['binary' => true]);
 $privateKey = Strings::packSSH2('si5', 'ssh-dss', $p, $q, $g, $y, $x);
- return self::wrapPrivateKey($publicKey, $privateKey, $options);
+ return self::wrapPrivateKey($publicKey, $privateKey, $password, $options);
 }
 }
diff --git a/phpseclib/Crypt/EC/Formats/Keys/OpenSSH.php b/phpseclib/Crypt/EC/Formats/Keys/OpenSSH.php
index 3b403c7b..5372e11b 100644
--- a/phpseclib/Crypt/EC/Formats/Keys/OpenSSH.php
+++ b/phpseclib/Crypt/EC/Formats/Keys/OpenSSH.php
@@ -201,7 +201,7 @@ abstract class OpenSSH extends Progenitor
 $publicKey = Strings::packSSH2('ss', 'ssh-ed25519', $pubKey);
 $privateKey = Strings::packSSH2('sss', 'ssh-ed25519', $pubKey, $privateKey->secret . $pubKey);
- return self::wrapPrivateKey($publicKey, $privateKey, $options);
+ return self::wrapPrivateKey($publicKey, $privateKey, $password, $options);
 }
 $alias = self::getAlias($curve);
@@ -211,6 +211,6 @@ abstract class OpenSSH extends Progenitor
 $privateKey = Strings::packSSH2('sssi', 'ecdsa-sha2-' . $alias, $alias, $points, $privateKey);
- return self::wrapPrivateKey($publicKey, $privateKey, $options);
+ return self::wrapPrivateKey($publicKey, $privateKey, $password, $options);
 }
 }
diff --git a/phpseclib/Crypt/RSA/Formats/Keys/OpenSSH.php b/phpseclib/Crypt/RSA/Formats/Keys/OpenSSH.php
index 3eebcd14..0f92c100 100644
--- a/phpseclib/Crypt/RSA/Formats/Keys/OpenSSH.php
+++ b/phpseclib/Crypt/RSA/Formats/Keys/OpenSSH.php
@@ -135,6 +135,6 @@ abstract class OpenSSH extends Progenitor
 $publicKey = self::savePublicKey($n, $e, ['binary' => true]);
 $privateKey = Strings::packSSH2('si6', 'ssh-rsa', $n, $e, $d, $coefficients[2], $primes[1], $primes[2]);
- return self::wrapPrivateKey($publicKey, $privateKey, $options);
+ return self::wrapPrivateKey($publicKey, $privateKey, $password, $options);
 }
 }