Add passphrase support to _libssh2_pem_parse_memory (libssh2#1746)

LarsNordin-LNdata · willco007 · Will Cosgrove · commit ef8d92056ec2 · 2026-04-07T10:44:39.000-07:00
Notes: Adds passphrase support to _libssh2_pem_parse_memory() and made _libssh2_pem_parse() call this function. Added two errors when the pem algorithm is not supported or MD5 is not supported during PEM parsing. Updated wincng.h to enable MD5. This resolves issue libssh2#1047 --------- Credit: Lars Nordin Co-authored-by: Will Cosgrove <will@panic.com>
diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
@@ -1239,6 +1239,7 @@ int _libssh2_pem_parse(LIBSSH2_SESSION * session,
 int _libssh2_pem_parse_memory(LIBSSH2_SESSION * session,
                               const char *headerbegin,
                               const char *headerend,
+                              const unsigned char *passphrase,
                               const char *filedata, size_t filedata_len,
                               unsigned char **data, size_t *datalen);
  /* OpenSSL keys */
diff --git a/src/os400qc3.c b/src/os400qc3.c
@@ -2249,13 +2249,15 @@ _libssh2_rsa_new_private_frommemory(libssh2_rsa_ctx **rsa,
        --> PKCS#8 EncryptedPrivateKeyInfo */
     ret = _libssh2_pem_parse_memory(session,
                                     beginencprivkeyhdr, endencprivkeyhdr,
+                                    passphrase,
                                     filedata, filedata_len, &data, &datalen);
 
     /* Try with "PRIVATE KEY" PEM armor.
        --> PKCS#8 PrivateKeyInfo or EncryptedPrivateKeyInfo */
     if(ret)
         ret = _libssh2_pem_parse_memory(session,
                                         beginprivkeyhdr, endprivkeyhdr,
+                                        passphrase,
                                         filedata, filedata_len,
                                         &data, &datalen);
 
diff --git a/src/pem.c b/src/pem.c
@@ -39,6 +39,9 @@
  */
 
 #include "libssh2_priv.h"
+#ifdef LIBSSH2_WINCNG
+#include "wincng.h"     // get MD5 functions
+#endif
 
 static int
 readline(char *line, int line_size, FILE * fp)
@@ -112,32 +115,78 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
                    const char *headerend,
                    const unsigned char *passphrase,
                    FILE * fp, unsigned char **data, size_t *datalen)
+{
+    int ret;
+    char *filedata = NULL;
+    size_t filedata_len;
+
+    fseek(fp, 0L, SEEK_END);
+    filedata_len = ftell(fp);
+    fseek(fp, 0L, 0);
+
+    filedata = LIBSSH2_ALLOC(session, filedata_len);
+    if(!filedata) {
+        _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+            "Unable to allocate memory for PEM parsing");
+        ret = -1;
+        goto out;
+    }
+
+    if(fread(filedata, 1, filedata_len, fp) != filedata_len) {
+        _libssh2_error(session, LIBSSH2_ERROR_FILE,
+            "Bad read in PEM parsing");
+        ret = -1;
+        goto out;
+    }
+
+    ret = _libssh2_pem_parse_memory(session, headerbegin, headerend,
+                                    passphrase, filedata, filedata_len,
+                                    data, datalen);
+
+out:
+    if(filedata) {
+        LIBSSH2_FREE(session, filedata);
+    }
+    return ret;
+}
+
+int
+_libssh2_pem_parse_memory(LIBSSH2_SESSION * session,
+                          const char *headerbegin,
+                          const char *headerend,
+                          const unsigned char *passphrase,
+                          const char *filedata, size_t filedata_len,
+                          unsigned char **data, size_t *datalen)
 {
     char line[LINE_SIZE];
     unsigned char iv[LINE_SIZE];
     char *b64data = NULL;
     size_t b64datalen = 0;
+    size_t off = 0;
     int ret;
-    const LIBSSH2_CRYPT_METHOD *method = NULL;
+    const LIBSSH2_CRYPT_METHOD* method = NULL;
 
     do {
         *line = '\0';
 
-        if(readline(line, LINE_SIZE, fp)) {
+        if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
             return -1;
         }
+
+        if(!*line)
+            break;
     } while(strcmp(line, headerbegin) != 0);
 
-    if(readline(line, LINE_SIZE, fp)) {
+    if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
         return -1;
     }
 
     if(passphrase &&
-            memcmp(line, crypt_annotation, strlen(crypt_annotation)) == 0) {
-        const LIBSSH2_CRYPT_METHOD **all_methods, *cur_method;
+       memcmp(line, crypt_annotation, strlen(crypt_annotation)) == 0) {
+        const LIBSSH2_CRYPT_METHOD** all_methods, * cur_method;
         int i;
 
-        if(readline(line, LINE_SIZE, fp)) {
+        if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
             ret = -1;
             goto out;
         }
@@ -146,31 +195,37 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
         /* !checksrc! disable EQUALSNULL 1 */
         while((cur_method = *all_methods++) != NULL) {
             if(*cur_method->pem_annotation &&
-                    memcmp(line, cur_method->pem_annotation,
-                           strlen(cur_method->pem_annotation)) == 0) {
+                memcmp(line, cur_method->pem_annotation,
+                    strlen(cur_method->pem_annotation)) == 0) {
                 method = cur_method;
                 memcpy(iv, line + strlen(method->pem_annotation) + 1,
-                       2*method->iv_len);
+                    2 * method->iv_len);
             }
         }
 
         /* None of the available crypt methods were able to decrypt the key */
-        if(!method)
-            return -1;
+        if(!method) {
+            _libssh2_error(session, LIBSSH2_ERROR_ALGO_UNSUPPORTED,
+                "Unable to decrypt PEM, unsupported algorithm");
+            ret = -1;
+            goto out;
+        }
 
         /* Decode IV from hex */
         for(i = 0; i < method->iv_len; ++i) {
-            iv[i]  = (unsigned char)(hex_decode(iv[2*i]) << 4);
-            iv[i] |= hex_decode(iv[2*i + 1]);
+            iv[i] = (unsigned char)(hex_decode(iv[2 * i]) << 4);
+            iv[i] |= hex_decode(iv[2 * i + 1]);
         }
 
         /* skip to the next line */
-        if(readline(line, LINE_SIZE, fp)) {
+        if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
             ret = -1;
             goto out;
         }
     }
 
+    *line = '\0';
+
     do {
         if(*line) {
             char *tmp;
@@ -191,7 +246,7 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
 
         *line = '\0';
 
-        if(readline(line, LINE_SIZE, fp)) {
+        if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
             ret = -1;
             goto out;
         }
@@ -217,39 +272,40 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
     if(method) {
 #if LIBSSH2_MD5_PEM
         /* Set up decryption */
-        int free_iv = 0, free_secret = 0, len_decrypted = 0, padding = 0;
+        int free_iv = 0, free_secret = 0, len_decrypted = 0;
+        size_t padding = 0;
         int blocksize = method->blocksize;
         void *abstract;
-        unsigned char secret[2*MD5_DIGEST_LENGTH];
+        unsigned char secret[2 * MD5_DIGEST_LENGTH];
         libssh2_md5_ctx fingerprint_ctx;
 
         /* Perform key derivation (PBKDF1/MD5) */
         if(!libssh2_md5_init(&fingerprint_ctx) ||
-           !libssh2_md5_update(fingerprint_ctx, passphrase,
-                               strlen((const char *)passphrase)) ||
-           !libssh2_md5_update(fingerprint_ctx, iv, 8) ||
-           !libssh2_md5_final(fingerprint_ctx, secret)) {
+            !libssh2_md5_update(fingerprint_ctx, passphrase,
+                strlen((const char *)passphrase)) ||
+            !libssh2_md5_update(fingerprint_ctx, iv, 8) ||
+            !libssh2_md5_final(fingerprint_ctx, secret)) {
             ret = -1;
             goto out;
         }
         if(method->secret_len > MD5_DIGEST_LENGTH) {
             if(!libssh2_md5_init(&fingerprint_ctx) ||
-               !libssh2_md5_update(fingerprint_ctx,
-                                   secret, MD5_DIGEST_LENGTH) ||
-               !libssh2_md5_update(fingerprint_ctx,
-                                   passphrase,
-                                   strlen((const char *)passphrase)) ||
-               !libssh2_md5_update(fingerprint_ctx, iv, 8) ||
-               !libssh2_md5_final(fingerprint_ctx,
-                                  secret + MD5_DIGEST_LENGTH)) {
+                !libssh2_md5_update(fingerprint_ctx,
+                    secret, MD5_DIGEST_LENGTH) ||
+                !libssh2_md5_update(fingerprint_ctx,
+                    passphrase,
+                    strlen((const char *)passphrase)) ||
+                !libssh2_md5_update(fingerprint_ctx, iv, 8) ||
+                !libssh2_md5_final(fingerprint_ctx,
+                    secret + MD5_DIGEST_LENGTH)) {
                 ret = -1;
                 goto out;
             }
         }
 
         /* Initialize the decryption */
         if(method->init(session, method, iv, &free_iv, secret,
-                         &free_secret, 0, &abstract)) {
+            &free_secret, 0, &abstract)) {
             _libssh2_explicit_zero((char *)secret, sizeof(secret));
             _libssh2_explicit_zero(*data, *datalen);
             LIBSSH2_FREE(session, *data);
@@ -284,11 +340,11 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
         else {
             while(len_decrypted <= (int)*datalen - blocksize) {
                 if(method->crypt(session, 0, *data + len_decrypted, blocksize,
-                                &abstract,
-                                len_decrypted == 0 ? FIRST_BLOCK :
-                                ((len_decrypted == (int)*datalen - blocksize) ?
-                                 LAST_BLOCK : MIDDLE_BLOCK)
-                                )) {
+                    &abstract,
+                    len_decrypted == 0 ? FIRST_BLOCK :
+                    ((len_decrypted == (int)*datalen - blocksize) ?
+                        LAST_BLOCK : MIDDLE_BLOCK)
+                )) {
                     ret = LIBSSH2_ERROR_DECRYPT;
                     _libssh2_explicit_zero((char *)secret, sizeof(secret));
                     method->dtor(session, &abstract);
@@ -317,6 +373,8 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
         _libssh2_explicit_zero((char *)secret, sizeof(secret));
         method->dtor(session, &abstract);
 #else
+        _libssh2_error(session, LIBSSH2_ERROR_ALGO_UNSUPPORTED,
+            "Unable to decrypt PEM, MD5 not enabled");
         ret = -1;
         goto out;
 #endif
@@ -331,74 +389,6 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
     return ret;
 }
 
-int
-_libssh2_pem_parse_memory(LIBSSH2_SESSION * session,
-                          const char *headerbegin,
-                          const char *headerend,
-                          const char *filedata, size_t filedata_len,
-                          unsigned char **data, size_t *datalen)
-{
-    char line[LINE_SIZE];
-    char *b64data = NULL;
-    size_t b64datalen = 0;
-    size_t off = 0;
-    int ret;
-
-    do {
-        *line = '\0';
-
-        if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
-            return -1;
-        }
-    } while(strcmp(line, headerbegin) != 0);
-
-    *line = '\0';
-
-    do {
-        if(*line) {
-            char *tmp;
-            size_t linelen;
-
-            linelen = strlen(line);
-            tmp = LIBSSH2_REALLOC(session, b64data, b64datalen + linelen);
-            if(!tmp) {
-                _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
-                               "Unable to allocate memory for PEM parsing");
-                ret = -1;
-                goto out;
-            }
-            memcpy(tmp + b64datalen, line, linelen);
-            b64data = tmp;
-            b64datalen += linelen;
-        }
-
-        *line = '\0';
-
-        if(readline_memory(line, LINE_SIZE, filedata, filedata_len, &off)) {
-            ret = -1;
-            goto out;
-        }
-    } while(strcmp(line, headerend) != 0);
-
-    if(!b64data) {
-        return -1;
-    }
-
-    if(_libssh2_base64_decode(session, (char **) data, datalen,
-                              b64data, b64datalen)) {
-        ret = -1;
-        goto out;
-    }
-
-    ret = 0;
-out:
-    if(b64data) {
-        _libssh2_explicit_zero(b64data, b64datalen);
-        LIBSSH2_FREE(session, b64data);
-    }
-    return ret;
-}
-
 /* OpenSSH formatted keys */
 #define AUTH_MAGIC "openssh-key-v1"
 #define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----"
diff --git a/src/wincng.c b/src/wincng.c
@@ -949,13 +949,15 @@ static int _libssh2_wincng_load_private_memory(LIBSSH2_SESSION *session,
     if(ret && tryLoadRSA) {
         ret = _libssh2_pem_parse_memory(session,
                                         PEM_RSA_HEADER, PEM_RSA_FOOTER,
+                                        passphrase,
                                         privatekeydata, privatekeydata_len,
                                         &data, &datalen);
     }
 
     if(ret && tryLoadDSA) {
         ret = _libssh2_pem_parse_memory(session,
                                         PEM_DSA_HEADER, PEM_DSA_FOOTER,
+                                        passphrase,
                                         privatekeydata, privatekeydata_len,
                                         &data, &datalen);
     }
diff --git a/src/wincng.h b/src/wincng.h
@@ -53,6 +53,8 @@
 #include <windows.h>
 #include <bcrypt.h>
 
+#define LIBSSH2_MD5_ENABLE
+#define LIBSSH2_MD5_PEM_ENABLE
 #define LIBSSH2_MD5 1
 
 #define LIBSSH2_HMAC_RIPEMD 0
