1 /* $OpenBSD: pvkfmt.c,v 1.11 2014/07/12 16:03:37 miod Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2005. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 /* Support for PVK format keys and related structures (such a PUBLICKEYBLOB 60 * and PRIVATEKEYBLOB). 61 */ 62 63 #include <string.h> 64 65 #include <openssl/opensslconf.h> 66 67 #include <openssl/bn.h> 68 #include <openssl/err.h> 69 #include <openssl/pem.h> 70 #include <openssl/rand.h> 71 72 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) 73 #include <openssl/dsa.h> 74 #include <openssl/rsa.h> 75 76 /* Utility function: read a DWORD (4 byte unsigned integer) in little endian 77 * format 78 */ 79 80 static unsigned int 81 read_ledword(const unsigned char **in) 82 { 83 const unsigned char *p = *in; 84 unsigned int ret; 85 86 ret = *p++; 87 ret |= (*p++ << 8); 88 ret |= (*p++ << 16); 89 ret |= (*p++ << 24); 90 *in = p; 91 return ret; 92 } 93 94 /* Read a BIGNUM in little endian format. The docs say that this should take up 95 * bitlen/8 bytes. 96 */ 97 98 static int 99 read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) 100 { 101 const unsigned char *p; 102 unsigned char *tmpbuf, *q; 103 unsigned int i; 104 105 p = *in + nbyte - 1; 106 tmpbuf = malloc(nbyte); 107 if (!tmpbuf) 108 return 0; 109 q = tmpbuf; 110 for (i = 0; i < nbyte; i++) 111 *q++ = *p--; 112 *r = BN_bin2bn(tmpbuf, nbyte, NULL); 113 free(tmpbuf); 114 if (*r) { 115 *in += nbyte; 116 return 1; 117 } else 118 return 0; 119 } 120 121 122 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ 123 124 #define MS_PUBLICKEYBLOB 0x6 125 #define MS_PRIVATEKEYBLOB 0x7 126 #define MS_RSA1MAGIC 0x31415352L 127 #define MS_RSA2MAGIC 0x32415352L 128 #define MS_DSS1MAGIC 0x31535344L 129 #define MS_DSS2MAGIC 0x32535344L 130 131 #define MS_KEYALG_RSA_KEYX 0xa400 132 #define MS_KEYALG_DSS_SIGN 0x2200 133 134 #define MS_KEYTYPE_KEYX 0x1 135 #define MS_KEYTYPE_SIGN 0x2 136 137 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ 138 #define MS_PVKMAGIC 0xb0b5f11eL 139 /* Salt length for PVK files */ 140 #define PVK_SALTLEN 0x10 141 142 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, 143 unsigned int bitlen, int ispub); 144 static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, 145 unsigned int bitlen, int ispub); 146 147 static int 148 do_blob_header(const unsigned char **in, unsigned int length, 149 unsigned int *pmagic, unsigned int *pbitlen, int *pisdss, int *pispub) 150 { 151 const unsigned char *p = *in; 152 153 if (length < 16) 154 return 0; 155 /* bType */ 156 if (*p == MS_PUBLICKEYBLOB) { 157 if (*pispub == 0) { 158 PEMerr(PEM_F_DO_BLOB_HEADER, 159 PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 160 return 0; 161 } 162 *pispub = 1; 163 } else if (*p == MS_PRIVATEKEYBLOB) { 164 if (*pispub == 1) { 165 PEMerr(PEM_F_DO_BLOB_HEADER, 166 PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 167 return 0; 168 } 169 *pispub = 0; 170 } else 171 return 0; 172 p++; 173 /* Version */ 174 if (*p++ != 0x2) { 175 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_VERSION_NUMBER); 176 return 0; 177 } 178 /* Ignore reserved, aiKeyAlg */ 179 p += 6; 180 *pmagic = read_ledword(&p); 181 *pbitlen = read_ledword(&p); 182 *pisdss = 0; 183 switch (*pmagic) { 184 185 case MS_DSS1MAGIC: 186 *pisdss = 1; 187 case MS_RSA1MAGIC: 188 if (*pispub == 0) { 189 PEMerr(PEM_F_DO_BLOB_HEADER, 190 PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 191 return 0; 192 } 193 break; 194 195 case MS_DSS2MAGIC: 196 *pisdss = 1; 197 case MS_RSA2MAGIC: 198 if (*pispub == 1) { 199 PEMerr(PEM_F_DO_BLOB_HEADER, 200 PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 201 return 0; 202 } 203 break; 204 205 default: 206 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_MAGIC_NUMBER); 207 return -1; 208 } 209 *in = p; 210 return 1; 211 } 212 213 static unsigned int 214 blob_length(unsigned bitlen, int isdss, int ispub) 215 { 216 unsigned int nbyte, hnbyte; 217 218 nbyte = (bitlen + 7) >> 3; 219 hnbyte = (bitlen + 15) >> 4; 220 if (isdss) { 221 222 /* Expected length: 20 for q + 3 components bitlen each + 24 223 * for seed structure. 224 */ 225 if (ispub) 226 return 44 + 3 * nbyte; 227 /* Expected length: 20 for q, priv, 2 bitlen components + 24 228 * for seed structure. 229 */ 230 else 231 return 64 + 2 * nbyte; 232 } else { 233 /* Expected length: 4 for 'e' + 'n' */ 234 if (ispub) 235 return 4 + nbyte; 236 else 237 /* Expected length: 4 for 'e' and 7 other components. 238 * 2 components are bitlen size, 5 are bitlen/2 239 */ 240 return 4 + 2*nbyte + 5*hnbyte; 241 } 242 243 } 244 245 static EVP_PKEY * 246 do_b2i(const unsigned char **in, unsigned int length, int ispub) 247 { 248 const unsigned char *p = *in; 249 unsigned int bitlen, magic; 250 int isdss; 251 252 if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) { 253 PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_HEADER_PARSE_ERROR); 254 return NULL; 255 } 256 length -= 16; 257 if (length < blob_length(bitlen, isdss, ispub)) { 258 PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_TOO_SHORT); 259 return NULL; 260 } 261 if (isdss) 262 return b2i_dss(&p, length, bitlen, ispub); 263 else 264 return b2i_rsa(&p, length, bitlen, ispub); 265 } 266 267 static EVP_PKEY * 268 do_b2i_bio(BIO *in, int ispub) 269 { 270 const unsigned char *p; 271 unsigned char hdr_buf[16], *buf = NULL; 272 unsigned int bitlen, magic, length; 273 int isdss; 274 EVP_PKEY *ret = NULL; 275 276 if (BIO_read(in, hdr_buf, 16) != 16) { 277 PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT); 278 return NULL; 279 } 280 p = hdr_buf; 281 if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0) 282 return NULL; 283 284 length = blob_length(bitlen, isdss, ispub); 285 buf = malloc(length); 286 if (!buf) { 287 PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE); 288 goto err; 289 } 290 p = buf; 291 if (BIO_read(in, buf, length) != (int)length) { 292 PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT); 293 goto err; 294 } 295 296 if (isdss) 297 ret = b2i_dss(&p, length, bitlen, ispub); 298 else 299 ret = b2i_rsa(&p, length, bitlen, ispub); 300 301 err: 302 free(buf); 303 return ret; 304 } 305 306 static EVP_PKEY * 307 b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, 308 int ispub) 309 { 310 const unsigned char *p = *in; 311 EVP_PKEY *ret = NULL; 312 DSA *dsa = NULL; 313 BN_CTX *ctx = NULL; 314 unsigned int nbyte; 315 316 nbyte = (bitlen + 7) >> 3; 317 318 dsa = DSA_new(); 319 ret = EVP_PKEY_new(); 320 if (!dsa || !ret) 321 goto memerr; 322 if (!read_lebn(&p, nbyte, &dsa->p)) 323 goto memerr; 324 if (!read_lebn(&p, 20, &dsa->q)) 325 goto memerr; 326 if (!read_lebn(&p, nbyte, &dsa->g)) 327 goto memerr; 328 if (ispub) { 329 if (!read_lebn(&p, nbyte, &dsa->pub_key)) 330 goto memerr; 331 } else { 332 if (!read_lebn(&p, 20, &dsa->priv_key)) 333 goto memerr; 334 /* Calculate public key */ 335 if (!(dsa->pub_key = BN_new())) 336 goto memerr; 337 if (!(ctx = BN_CTX_new())) 338 goto memerr; 339 if (!BN_mod_exp(dsa->pub_key, dsa->g, 340 dsa->priv_key, dsa->p, ctx)) 341 goto memerr; 342 BN_CTX_free(ctx); 343 } 344 345 EVP_PKEY_set1_DSA(ret, dsa); 346 DSA_free(dsa); 347 *in = p; 348 return ret; 349 350 memerr: 351 PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE); 352 DSA_free(dsa); 353 EVP_PKEY_free(ret); 354 BN_CTX_free(ctx); 355 return NULL; 356 } 357 358 static EVP_PKEY * 359 b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, 360 int ispub) 361 { 362 const unsigned char *p = *in; 363 EVP_PKEY *ret = NULL; 364 RSA *rsa = NULL; 365 unsigned int nbyte, hnbyte; 366 367 nbyte = (bitlen + 7) >> 3; 368 hnbyte = (bitlen + 15) >> 4; 369 rsa = RSA_new(); 370 ret = EVP_PKEY_new(); 371 if (!rsa || !ret) 372 goto memerr; 373 rsa->e = BN_new(); 374 if (!rsa->e) 375 goto memerr; 376 if (!BN_set_word(rsa->e, read_ledword(&p))) 377 goto memerr; 378 if (!read_lebn(&p, nbyte, &rsa->n)) 379 goto memerr; 380 if (!ispub) { 381 if (!read_lebn(&p, hnbyte, &rsa->p)) 382 goto memerr; 383 if (!read_lebn(&p, hnbyte, &rsa->q)) 384 goto memerr; 385 if (!read_lebn(&p, hnbyte, &rsa->dmp1)) 386 goto memerr; 387 if (!read_lebn(&p, hnbyte, &rsa->dmq1)) 388 goto memerr; 389 if (!read_lebn(&p, hnbyte, &rsa->iqmp)) 390 goto memerr; 391 if (!read_lebn(&p, nbyte, &rsa->d)) 392 goto memerr; 393 } 394 395 EVP_PKEY_set1_RSA(ret, rsa); 396 RSA_free(rsa); 397 *in = p; 398 return ret; 399 400 memerr: 401 PEMerr(PEM_F_B2I_RSA, ERR_R_MALLOC_FAILURE); 402 RSA_free(rsa); 403 EVP_PKEY_free(ret); 404 return NULL; 405 } 406 407 EVP_PKEY * 408 b2i_PrivateKey(const unsigned char **in, long length) 409 { 410 return do_b2i(in, length, 0); 411 } 412 413 EVP_PKEY * 414 b2i_PublicKey(const unsigned char **in, long length) 415 { 416 return do_b2i(in, length, 1); 417 } 418 419 EVP_PKEY * 420 b2i_PrivateKey_bio(BIO *in) 421 { 422 return do_b2i_bio(in, 0); 423 } 424 425 EVP_PKEY * 426 b2i_PublicKey_bio(BIO *in) 427 { 428 return do_b2i_bio(in, 1); 429 } 430 431 static void 432 write_ledword(unsigned char **out, unsigned int dw) 433 { 434 unsigned char *p = *out; 435 436 *p++ = dw & 0xff; 437 *p++ = (dw >> 8) & 0xff; 438 *p++ = (dw >> 16) & 0xff; 439 *p++ = (dw >> 24) & 0xff; 440 *out = p; 441 } 442 443 static void 444 write_lebn(unsigned char **out, const BIGNUM *bn, int len) 445 { 446 int nb, i; 447 unsigned char *p = *out, *q, c; 448 449 nb = BN_num_bytes(bn); 450 BN_bn2bin(bn, p); 451 q = p + nb - 1; 452 /* In place byte order reversal */ 453 for (i = 0; i < nb / 2; i++) { 454 c = *p; 455 *p++ = *q; 456 *q-- = c; 457 } 458 *out += nb; 459 /* Pad with zeroes if we have to */ 460 if (len > 0) { 461 len -= nb; 462 if (len > 0) { 463 memset(*out, 0, len); 464 *out += len; 465 } 466 } 467 } 468 469 470 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); 471 static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); 472 473 static void write_rsa(unsigned char **out, RSA *rsa, int ispub); 474 static void write_dsa(unsigned char **out, DSA *dsa, int ispub); 475 476 static int 477 do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) 478 { 479 unsigned char *p; 480 unsigned int bitlen, magic = 0, keyalg; 481 int outlen, noinc = 0; 482 483 if (pk->type == EVP_PKEY_DSA) { 484 bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); 485 keyalg = MS_KEYALG_DSS_SIGN; 486 } else if (pk->type == EVP_PKEY_RSA) { 487 bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); 488 keyalg = MS_KEYALG_RSA_KEYX; 489 } else 490 return -1; 491 if (bitlen == 0) 492 return -1; 493 outlen = 16 + blob_length(bitlen, 494 keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); 495 if (out == NULL) 496 return outlen; 497 if (*out) 498 p = *out; 499 else { 500 p = malloc(outlen); 501 if (!p) 502 return -1; 503 *out = p; 504 noinc = 1; 505 } 506 if (ispub) 507 *p++ = MS_PUBLICKEYBLOB; 508 else 509 *p++ = MS_PRIVATEKEYBLOB; 510 *p++ = 0x2; 511 *p++ = 0; 512 *p++ = 0; 513 write_ledword(&p, keyalg); 514 write_ledword(&p, magic); 515 write_ledword(&p, bitlen); 516 if (keyalg == MS_KEYALG_DSS_SIGN) 517 write_dsa(&p, pk->pkey.dsa, ispub); 518 else 519 write_rsa(&p, pk->pkey.rsa, ispub); 520 if (!noinc) 521 *out += outlen; 522 return outlen; 523 } 524 525 static int 526 do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) 527 { 528 unsigned char *tmp = NULL; 529 int outlen, wrlen; 530 531 outlen = do_i2b(&tmp, pk, ispub); 532 if (outlen < 0) 533 return -1; 534 wrlen = BIO_write(out, tmp, outlen); 535 free(tmp); 536 if (wrlen == outlen) 537 return outlen; 538 return -1; 539 } 540 541 static int 542 check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) 543 { 544 int bitlen; 545 546 bitlen = BN_num_bits(dsa->p); 547 if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) || 548 (BN_num_bits(dsa->g) > bitlen)) 549 goto badkey; 550 if (ispub) { 551 if (BN_num_bits(dsa->pub_key) > bitlen) 552 goto badkey; 553 *pmagic = MS_DSS1MAGIC; 554 } else { 555 if (BN_num_bits(dsa->priv_key) > 160) 556 goto badkey; 557 *pmagic = MS_DSS2MAGIC; 558 } 559 560 return bitlen; 561 562 badkey: 563 PEMerr(PEM_F_CHECK_BITLEN_DSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 564 return 0; 565 } 566 567 static int 568 check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) 569 { 570 int nbyte, hnbyte, bitlen; 571 572 if (BN_num_bits(rsa->e) > 32) 573 goto badkey; 574 bitlen = BN_num_bits(rsa->n); 575 nbyte = BN_num_bytes(rsa->n); 576 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 577 if (ispub) { 578 *pmagic = MS_RSA1MAGIC; 579 return bitlen; 580 } else { 581 *pmagic = MS_RSA2MAGIC; 582 /* For private key each component must fit within nbyte or 583 * hnbyte. 584 */ 585 if (BN_num_bytes(rsa->d) > nbyte) 586 goto badkey; 587 if ((BN_num_bytes(rsa->iqmp) > hnbyte) || 588 (BN_num_bytes(rsa->p) > hnbyte) || 589 (BN_num_bytes(rsa->q) > hnbyte) || 590 (BN_num_bytes(rsa->dmp1) > hnbyte) || 591 (BN_num_bytes(rsa->dmq1) > hnbyte)) 592 goto badkey; 593 } 594 return bitlen; 595 596 badkey: 597 PEMerr(PEM_F_CHECK_BITLEN_RSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 598 return 0; 599 } 600 601 static void 602 write_rsa(unsigned char **out, RSA *rsa, int ispub) 603 { 604 int nbyte, hnbyte; 605 606 nbyte = BN_num_bytes(rsa->n); 607 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 608 write_lebn(out, rsa->e, 4); 609 write_lebn(out, rsa->n, -1); 610 if (ispub) 611 return; 612 write_lebn(out, rsa->p, hnbyte); 613 write_lebn(out, rsa->q, hnbyte); 614 write_lebn(out, rsa->dmp1, hnbyte); 615 write_lebn(out, rsa->dmq1, hnbyte); 616 write_lebn(out, rsa->iqmp, hnbyte); 617 write_lebn(out, rsa->d, nbyte); 618 } 619 620 static void 621 write_dsa(unsigned char **out, DSA *dsa, int ispub) 622 { 623 int nbyte; 624 625 nbyte = BN_num_bytes(dsa->p); 626 write_lebn(out, dsa->p, nbyte); 627 write_lebn(out, dsa->q, 20); 628 write_lebn(out, dsa->g, nbyte); 629 if (ispub) 630 write_lebn(out, dsa->pub_key, nbyte); 631 else 632 write_lebn(out, dsa->priv_key, 20); 633 /* Set "invalid" for seed structure values */ 634 memset(*out, 0xff, 24); 635 *out += 24; 636 return; 637 } 638 639 int 640 i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk) 641 { 642 return do_i2b_bio(out, pk, 0); 643 } 644 645 int 646 i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk) 647 { 648 return do_i2b_bio(out, pk, 1); 649 } 650 651 #ifndef OPENSSL_NO_RC4 652 653 static int 654 do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic, 655 unsigned int *psaltlen, unsigned int *pkeylen) 656 { 657 const unsigned char *p = *in; 658 unsigned int pvk_magic, is_encrypted; 659 660 if (skip_magic) { 661 if (length < 20) { 662 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); 663 return 0; 664 } 665 length -= 20; 666 } else { 667 if (length < 24) { 668 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); 669 return 0; 670 } 671 length -= 24; 672 pvk_magic = read_ledword(&p); 673 if (pvk_magic != MS_PVKMAGIC) { 674 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER); 675 return 0; 676 } 677 } 678 /* Skip reserved */ 679 p += 4; 680 /*keytype = */read_ledword(&p); 681 is_encrypted = read_ledword(&p); 682 *psaltlen = read_ledword(&p); 683 *pkeylen = read_ledword(&p); 684 685 if (is_encrypted && !*psaltlen) { 686 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER); 687 return 0; 688 } 689 690 *in = p; 691 return 1; 692 } 693 694 static int 695 derive_pvk_key(unsigned char *key, const unsigned char *salt, 696 unsigned int saltlen, const unsigned char *pass, int passlen) 697 { 698 EVP_MD_CTX mctx; 699 int rv = 1; 700 701 EVP_MD_CTX_init(&mctx); 702 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) || 703 !EVP_DigestUpdate(&mctx, salt, saltlen) || 704 !EVP_DigestUpdate(&mctx, pass, passlen) || 705 !EVP_DigestFinal_ex(&mctx, key, NULL)) 706 rv = 0; 707 708 EVP_MD_CTX_cleanup(&mctx); 709 return rv; 710 } 711 712 static EVP_PKEY * 713 do_PVK_body(const unsigned char **in, unsigned int saltlen, 714 unsigned int keylen, pem_password_cb *cb, void *u) 715 { 716 EVP_PKEY *ret = NULL; 717 const unsigned char *p = *in; 718 unsigned int magic; 719 unsigned char *enctmp = NULL, *q; 720 EVP_CIPHER_CTX cctx; 721 722 EVP_CIPHER_CTX_init(&cctx); 723 if (saltlen) { 724 char psbuf[PEM_BUFSIZE]; 725 unsigned char keybuf[20]; 726 int enctmplen, inlen; 727 728 if (cb) 729 inlen = cb(psbuf, PEM_BUFSIZE, 0, u); 730 else 731 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); 732 if (inlen <= 0) { 733 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); 734 return NULL; 735 } 736 enctmp = malloc(keylen + 8); 737 if (!enctmp) { 738 PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); 739 return NULL; 740 } 741 if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, 742 inlen)) { 743 free(enctmp); 744 return NULL; 745 } 746 p += saltlen; 747 /* Copy BLOBHEADER across, decrypt rest */ 748 memcpy(enctmp, p, 8); 749 p += 8; 750 if (keylen < 8) { 751 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); 752 free(enctmp); 753 return NULL; 754 } 755 inlen = keylen - 8; 756 q = enctmp + 8; 757 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 758 goto err; 759 if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) 760 goto err; 761 if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) 762 goto err; 763 magic = read_ledword((const unsigned char **)&q); 764 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 765 q = enctmp + 8; 766 memset(keybuf + 5, 0, 11); 767 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, 768 NULL)) 769 goto err; 770 OPENSSL_cleanse(keybuf, 20); 771 if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) 772 goto err; 773 if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, 774 &enctmplen)) 775 goto err; 776 magic = read_ledword((const unsigned char **)&q); 777 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 778 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT); 779 goto err; 780 } 781 } else 782 OPENSSL_cleanse(keybuf, 20); 783 p = enctmp; 784 } 785 786 ret = b2i_PrivateKey(&p, keylen); 787 788 err: 789 EVP_CIPHER_CTX_cleanup(&cctx); 790 if (enctmp && saltlen) 791 free(enctmp); 792 return ret; 793 } 794 795 796 EVP_PKEY * 797 b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 798 { 799 unsigned char pvk_hdr[24], *buf = NULL; 800 const unsigned char *p; 801 int buflen; 802 EVP_PKEY *ret = NULL; 803 unsigned int saltlen, keylen; 804 805 if (BIO_read(in, pvk_hdr, 24) != 24) { 806 PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT); 807 return NULL; 808 } 809 p = pvk_hdr; 810 811 if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen)) 812 return 0; 813 buflen = (int) keylen + saltlen; 814 buf = malloc(buflen); 815 if (!buf) { 816 PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE); 817 return 0; 818 } 819 p = buf; 820 if (BIO_read(in, buf, buflen) != buflen) { 821 PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT); 822 goto err; 823 } 824 ret = do_PVK_body(&p, saltlen, keylen, cb, u); 825 826 err: 827 if (buf) { 828 OPENSSL_cleanse(buf, buflen); 829 free(buf); 830 } 831 return ret; 832 } 833 834 static int 835 i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, 836 void *u) 837 { 838 int outlen = 24, pklen; 839 unsigned char *p, *salt = NULL; 840 EVP_CIPHER_CTX cctx; 841 842 EVP_CIPHER_CTX_init(&cctx); 843 if (enclevel) 844 outlen += PVK_SALTLEN; 845 pklen = do_i2b(NULL, pk, 0); 846 if (pklen < 0) 847 return -1; 848 outlen += pklen; 849 if (!out) 850 return outlen; 851 if (*out) 852 p = *out; 853 else { 854 p = malloc(outlen); 855 if (!p) { 856 PEMerr(PEM_F_I2B_PVK, ERR_R_MALLOC_FAILURE); 857 return -1; 858 } 859 *out = p; 860 } 861 862 write_ledword(&p, MS_PVKMAGIC); 863 write_ledword(&p, 0); 864 if (pk->type == EVP_PKEY_DSA) 865 write_ledword(&p, MS_KEYTYPE_SIGN); 866 else 867 write_ledword(&p, MS_KEYTYPE_KEYX); 868 write_ledword(&p, enclevel ? 1 : 0); 869 write_ledword(&p, enclevel ? PVK_SALTLEN : 0); 870 write_ledword(&p, pklen); 871 if (enclevel) { 872 if (RAND_bytes(p, PVK_SALTLEN) <= 0) 873 goto error; 874 salt = p; 875 p += PVK_SALTLEN; 876 } 877 do_i2b(&p, pk, 0); 878 if (enclevel == 0) 879 return outlen; 880 else { 881 char psbuf[PEM_BUFSIZE]; 882 unsigned char keybuf[20]; 883 int enctmplen, inlen; 884 if (cb) 885 inlen = cb(psbuf, PEM_BUFSIZE, 1, u); 886 else 887 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); 888 if (inlen <= 0) { 889 PEMerr(PEM_F_I2B_PVK, PEM_R_BAD_PASSWORD_READ); 890 goto error; 891 } 892 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, 893 (unsigned char *)psbuf, inlen)) 894 goto error; 895 if (enclevel == 1) 896 memset(keybuf + 5, 0, 11); 897 p = salt + PVK_SALTLEN + 8; 898 if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 899 goto error; 900 OPENSSL_cleanse(keybuf, 20); 901 if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8)) 902 goto error; 903 if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen)) 904 goto error; 905 } 906 EVP_CIPHER_CTX_cleanup(&cctx); 907 return outlen; 908 909 error: 910 EVP_CIPHER_CTX_cleanup(&cctx); 911 return -1; 912 } 913 914 int 915 i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u) 916 { 917 unsigned char *tmp = NULL; 918 int outlen, wrlen; 919 920 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u); 921 if (outlen < 0) 922 return -1; 923 wrlen = BIO_write(out, tmp, outlen); 924 free(tmp); 925 if (wrlen == outlen) { 926 PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); 927 return outlen; 928 } 929 return -1; 930 } 931 932 #endif 933 934 #endif 935