Relax padding length check on OpenSSH private keys

This commit relaxes a check on the length of the padding in OpenSSH format private keys. The padding is only supposed to be large enough to get to the next multiple of the cipher block size, or a block size of 8 for unencrypted keys. However, PuTTYgen seems to get this wrong and use a larger padding size on unencrypted keys, preventing AsyncSSH from loading some unencrypted keys generated by PuTTYgen. With this change, larger amounts of padding are allowed (up to 255 bytes), which should help avoid this issue with PuTTYgen.
ronf · Aug 31, 2024 · c2599fd · c2599fd
1 parent 22affce
commit c2599fd
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/asyncssh/public_key.py b/asyncssh/public_key.py
@@ -2541,7 +2541,7 @@ def _decode_openssh_private(
                                      'encrypted private keys')
 
             try:
-                key_size, iv_size, block_size, _, _, _ = \
+                key_size, iv_size, _, _, _, _ = \
                     get_encryption_params(cipher_name)
             except KeyError:
                 raise KeyEncryptionError('Unknown cipher: %s' %
@@ -2579,9 +2579,6 @@ def _decode_openssh_private(
                 raise KeyEncryptionError('Incorrect passphrase')
 
             key_data = decrypted_key
-            block_size = max(block_size, 8)
-        else:
-            block_size = 8
 
         packet = SSHPacket(key_data)
 
@@ -2602,7 +2599,7 @@ def _decode_openssh_private(
         comment = packet.get_string()
         pad = packet.get_remaining_payload()
 
-        if len(pad) >= block_size or pad != bytes(range(1, len(pad) + 1)):
+        if len(pad) >= 256 or pad != bytes(range(1, len(pad) + 1)):
             raise KeyImportError('Invalid OpenSSH private key')
 
         if alg == b'ssh-rsa':