[erlang-bugs] [BUG] ssh_file:read_pem64/3 crashes on password protected private keys

Balint Reczey (IJ/ETH) Balint.Reczey@REDACTED
Tue Sep 25 13:27:27 CEST 2007 

Hi,

I tried to connect to a machine using ssh_cm and discovered that it
crashed badly:

5> crypto:start().
ok
6> ssh:start().   
ok
7> ssh_cm:connect("localhost").

=ERROR REPORT==== 17-Sep-2007::14:54:56 ===
** Generic server <0.52.0> terminating 
** Last message in was {connect,<0.50.0>,"localhost",22}
** When Server state ==
{state,client,undefined,16,[],[],0,[],[],undefined}
** Reason for termination == 
** {function_clause,[{ssh_bits,b64d,"-"},
                     {ssh_bits,b64_dec,1},
                     {ssh_bits,b64_dec,1},
                     {ssh_bits,b64_decode,1},
                     {ssh_file,read_pem64,3},
                     {ssh_file,read_private_key_v2,2},
                     {ssh_userauth,public_key,5},
                     {ssh_userauth,auth,3}]}
** exited: {function_clause,[{ssh_bits,b64d,"-"},
                             {ssh_bits,b64_dec,1},
                             {ssh_bits,b64_dec,1},
                             {ssh_bits,b64_decode,1},
                             {ssh_file,read_pem64,3},
                             {ssh_file,read_private_key_v2,2},
                             {ssh_userauth,public_key,5},
                             {ssh_userauth,auth,3}]} **

The private keys generated with ssh-keygen has the following format when
the password is set:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BAB972D7825B1E6D

BEoV8pr0r0sR1GfPabGyKJKx3u6+IFIicba1Hy37foyJ3EicFuDWiTymLyiXMuCU
Qm0UZv5uaSfrI7u+RjCNp7H2PCubdzy18SsqTLa6j1GBbqlx9HZtg942G3soly2i
k2534TEBkoEJl5a/UpPFLEwALa3nb0lnCUNjqjH7jVR98Tsok1TjYHY7Tm3j8kah

...

ssh_file:read_pem/2 and ssh_file:read_pem64/3 assumes that the base64
encoded part starts right after the "-----BEGIN RSA PRIVATE KEY-----"
line, like in a not password protected keyfile:

otp_src_R11B-5/lib/ssh/src/ssh_file.erl:
        
        read_pem(Cs, Type) ->
            case read_line(Cs) of
                {"-----BEGIN "++Rest,Cs1} ->
                    case string:tokens(Rest, " ") of
                        [Type, "PRIVATE", "KEY-----"] ->
                            read_pem64(Cs1, [], Type);
                        _ ->
                            {error, bad_format}
                    end;
                {"",Cs1} when Cs1 =/= "" ->
                    read_pem(Cs1,Type);
                {_,""} ->
                    {error, bad_format}
            end.
        
        read_pem64(Cs, Acc, Type) ->
            case read_line(Cs) of
                {"-----END "++Rest,_Cs1} ->
                    case string:tokens(Rest, " ") of
                        [Type, "PRIVATE", "KEY-----"] ->
        
        {ok,ssh_bits:b64_decode(append(reverse(Acc)))};
                        Toks ->
                            error_logger:format("ssh: TOKENS=~p\n",
        [Toks]),
                            {error, bad_format}
                    end;
                {B64, Cs1} when Cs1 =/= "" ->
                    read_pem64(Cs1, [B64|Acc], Type);
                _What ->
                    {error, bad_format}
            end.
        

I think it would be great to support password protected private keys, or
just not crashing on them.

Regards,
Balint

More information about the erlang-bugs mailing list