1 /* $OpenBSD: pvkfmt.c,v 1.28 2024/02/18 15:45:42 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2005. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 /* Support for PVK format keys and related structures (such a PUBLICKEYBLOB 60 * and PRIVATEKEYBLOB). 61 */ 62 63 #include <stdlib.h> 64 #include <string.h> 65 66 #include <openssl/opensslconf.h> 67 68 #include <openssl/bn.h> 69 #include <openssl/err.h> 70 #include <openssl/pem.h> 71 72 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) 73 #include <openssl/dsa.h> 74 #include <openssl/rsa.h> 75 76 #include "bn_local.h" 77 #include "dsa_local.h" 78 #include "evp_local.h" 79 #include "rsa_local.h" 80 81 /* Utility function: read a DWORD (4 byte unsigned integer) in little endian 82 * format 83 */ 84 85 static unsigned int 86 read_ledword(const unsigned char **in) 87 { 88 const unsigned char *p = *in; 89 unsigned int ret; 90 91 ret = *p++; 92 ret |= (*p++ << 8); 93 ret |= (*p++ << 16); 94 ret |= (*p++ << 24); 95 *in = p; 96 return ret; 97 } 98 99 /* Read a BIGNUM in little endian format. The docs say that this should take up 100 * bitlen/8 bytes. 101 */ 102 103 static int 104 read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) 105 { 106 const unsigned char *p; 107 unsigned char *tmpbuf, *q; 108 unsigned int i; 109 110 p = *in + nbyte - 1; 111 tmpbuf = malloc(nbyte); 112 if (!tmpbuf) 113 return 0; 114 q = tmpbuf; 115 for (i = 0; i < nbyte; i++) 116 *q++ = *p--; 117 *r = BN_bin2bn(tmpbuf, nbyte, NULL); 118 free(tmpbuf); 119 if (*r) { 120 *in += nbyte; 121 return 1; 122 } else 123 return 0; 124 } 125 126 127 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ 128 129 #define MS_PUBLICKEYBLOB 0x6 130 #define MS_PRIVATEKEYBLOB 0x7 131 #define MS_RSA1MAGIC 0x31415352L 132 #define MS_RSA2MAGIC 0x32415352L 133 #define MS_DSS1MAGIC 0x31535344L 134 #define MS_DSS2MAGIC 0x32535344L 135 136 #define MS_KEYALG_RSA_KEYX 0xa400 137 #define MS_KEYALG_DSS_SIGN 0x2200 138 139 #define MS_KEYTYPE_KEYX 0x1 140 #define MS_KEYTYPE_SIGN 0x2 141 142 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ 143 #define MS_PVKMAGIC 0xb0b5f11eL 144 /* Salt length for PVK files */ 145 #define PVK_SALTLEN 0x10 146 147 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, 148 unsigned int bitlen, int ispub); 149 static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, 150 unsigned int bitlen, int ispub); 151 152 static int 153 do_blob_header(const unsigned char **in, unsigned int length, 154 unsigned int *pmagic, unsigned int *pbitlen, int *pisdss, int *pispub) 155 { 156 const unsigned char *p = *in; 157 158 if (length < 16) 159 return 0; 160 /* bType */ 161 if (*p == MS_PUBLICKEYBLOB) { 162 if (*pispub == 0) { 163 PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 164 return 0; 165 } 166 *pispub = 1; 167 } else if (*p == MS_PRIVATEKEYBLOB) { 168 if (*pispub == 1) { 169 PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 170 return 0; 171 } 172 *pispub = 0; 173 } else 174 return 0; 175 p++; 176 /* Version */ 177 if (*p++ != 0x2) { 178 PEMerror(PEM_R_BAD_VERSION_NUMBER); 179 return 0; 180 } 181 /* Ignore reserved, aiKeyAlg */ 182 p += 6; 183 *pmagic = read_ledword(&p); 184 *pbitlen = read_ledword(&p); 185 if (*pbitlen > 65536) { 186 PEMerror(PEM_R_INCONSISTENT_HEADER); 187 return 0; 188 } 189 *pisdss = 0; 190 switch (*pmagic) { 191 192 case MS_DSS1MAGIC: 193 *pisdss = 1; 194 case MS_RSA1MAGIC: 195 if (*pispub == 0) { 196 PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 197 return 0; 198 } 199 break; 200 201 case MS_DSS2MAGIC: 202 *pisdss = 1; 203 case MS_RSA2MAGIC: 204 if (*pispub == 1) { 205 PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 206 return 0; 207 } 208 break; 209 210 default: 211 PEMerror(PEM_R_BAD_MAGIC_NUMBER); 212 return -1; 213 } 214 *in = p; 215 return 1; 216 } 217 218 static unsigned int 219 blob_length(unsigned bitlen, int isdss, int ispub) 220 { 221 unsigned int nbyte, hnbyte; 222 223 nbyte = (bitlen + 7) >> 3; 224 hnbyte = (bitlen + 15) >> 4; 225 if (isdss) { 226 227 /* Expected length: 20 for q + 3 components bitlen each + 24 228 * for seed structure. 229 */ 230 if (ispub) 231 return 44 + 3 * nbyte; 232 /* Expected length: 20 for q, priv, 2 bitlen components + 24 233 * for seed structure. 234 */ 235 else 236 return 64 + 2 * nbyte; 237 } else { 238 /* Expected length: 4 for 'e' + 'n' */ 239 if (ispub) 240 return 4 + nbyte; 241 else 242 /* Expected length: 4 for 'e' and 7 other components. 243 * 2 components are bitlen size, 5 are bitlen/2 244 */ 245 return 4 + 2*nbyte + 5*hnbyte; 246 } 247 248 } 249 250 static EVP_PKEY * 251 do_b2i(const unsigned char **in, unsigned int length, int ispub) 252 { 253 const unsigned char *p = *in; 254 unsigned int bitlen, magic; 255 int isdss; 256 257 if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) { 258 PEMerror(PEM_R_KEYBLOB_HEADER_PARSE_ERROR); 259 return NULL; 260 } 261 length -= 16; 262 if (length < blob_length(bitlen, isdss, ispub)) { 263 PEMerror(PEM_R_KEYBLOB_TOO_SHORT); 264 return NULL; 265 } 266 if (isdss) 267 return b2i_dss(&p, length, bitlen, ispub); 268 else 269 return b2i_rsa(&p, length, bitlen, ispub); 270 } 271 272 static EVP_PKEY * 273 do_b2i_bio(BIO *in, int ispub) 274 { 275 const unsigned char *p; 276 unsigned char hdr_buf[16], *buf = NULL; 277 unsigned int bitlen, magic, length; 278 int isdss; 279 EVP_PKEY *ret = NULL; 280 281 if (BIO_read(in, hdr_buf, 16) != 16) { 282 PEMerror(PEM_R_KEYBLOB_TOO_SHORT); 283 return NULL; 284 } 285 p = hdr_buf; 286 if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0) 287 return NULL; 288 289 length = blob_length(bitlen, isdss, ispub); 290 buf = malloc(length); 291 if (!buf) { 292 PEMerror(ERR_R_MALLOC_FAILURE); 293 goto err; 294 } 295 p = buf; 296 if (BIO_read(in, buf, length) != (int)length) { 297 PEMerror(PEM_R_KEYBLOB_TOO_SHORT); 298 goto err; 299 } 300 301 if (isdss) 302 ret = b2i_dss(&p, length, bitlen, ispub); 303 else 304 ret = b2i_rsa(&p, length, bitlen, ispub); 305 306 err: 307 free(buf); 308 return ret; 309 } 310 311 static EVP_PKEY * 312 b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, 313 int ispub) 314 { 315 const unsigned char *p = *in; 316 EVP_PKEY *ret = NULL; 317 DSA *dsa = NULL; 318 BN_CTX *ctx = NULL; 319 unsigned int nbyte; 320 321 nbyte = (bitlen + 7) >> 3; 322 323 dsa = DSA_new(); 324 ret = EVP_PKEY_new(); 325 if (!dsa || !ret) 326 goto err; 327 if (!read_lebn(&p, nbyte, &dsa->p)) 328 goto err; 329 if (!read_lebn(&p, 20, &dsa->q)) 330 goto err; 331 if (!read_lebn(&p, nbyte, &dsa->g)) 332 goto err; 333 if (ispub) { 334 if (!read_lebn(&p, nbyte, &dsa->pub_key)) 335 goto err; 336 } else { 337 if (!read_lebn(&p, 20, &dsa->priv_key)) 338 goto err; 339 /* Calculate public key */ 340 if (!(dsa->pub_key = BN_new())) 341 goto err; 342 if (!(ctx = BN_CTX_new())) 343 goto err; 344 if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, 345 dsa->priv_key, dsa->p, ctx)) 346 goto err; 347 BN_CTX_free(ctx); 348 } 349 350 EVP_PKEY_set1_DSA(ret, dsa); 351 DSA_free(dsa); 352 *in = p; 353 return ret; 354 355 err: 356 PEMerror(ERR_R_MALLOC_FAILURE); 357 DSA_free(dsa); 358 EVP_PKEY_free(ret); 359 BN_CTX_free(ctx); 360 return NULL; 361 } 362 363 static EVP_PKEY * 364 b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, 365 int ispub) 366 { 367 const unsigned char *p = *in; 368 EVP_PKEY *ret = NULL; 369 RSA *rsa = NULL; 370 unsigned int nbyte, hnbyte; 371 372 nbyte = (bitlen + 7) >> 3; 373 hnbyte = (bitlen + 15) >> 4; 374 rsa = RSA_new(); 375 ret = EVP_PKEY_new(); 376 if (!rsa || !ret) 377 goto err; 378 rsa->e = BN_new(); 379 if (!rsa->e) 380 goto err; 381 if (!BN_set_word(rsa->e, read_ledword(&p))) 382 goto err; 383 if (!read_lebn(&p, nbyte, &rsa->n)) 384 goto err; 385 if (!ispub) { 386 if (!read_lebn(&p, hnbyte, &rsa->p)) 387 goto err; 388 if (!read_lebn(&p, hnbyte, &rsa->q)) 389 goto err; 390 if (!read_lebn(&p, hnbyte, &rsa->dmp1)) 391 goto err; 392 if (!read_lebn(&p, hnbyte, &rsa->dmq1)) 393 goto err; 394 if (!read_lebn(&p, hnbyte, &rsa->iqmp)) 395 goto err; 396 if (!read_lebn(&p, nbyte, &rsa->d)) 397 goto err; 398 } 399 400 EVP_PKEY_set1_RSA(ret, rsa); 401 RSA_free(rsa); 402 *in = p; 403 return ret; 404 405 err: 406 PEMerror(ERR_R_MALLOC_FAILURE); 407 RSA_free(rsa); 408 EVP_PKEY_free(ret); 409 return NULL; 410 } 411 412 EVP_PKEY * 413 b2i_PrivateKey(const unsigned char **in, long length) 414 { 415 return do_b2i(in, length, 0); 416 } 417 LCRYPTO_ALIAS(b2i_PrivateKey); 418 419 EVP_PKEY * 420 b2i_PublicKey(const unsigned char **in, long length) 421 { 422 return do_b2i(in, length, 1); 423 } 424 LCRYPTO_ALIAS(b2i_PublicKey); 425 426 EVP_PKEY * 427 b2i_PrivateKey_bio(BIO *in) 428 { 429 return do_b2i_bio(in, 0); 430 } 431 LCRYPTO_ALIAS(b2i_PrivateKey_bio); 432 433 EVP_PKEY * 434 b2i_PublicKey_bio(BIO *in) 435 { 436 return do_b2i_bio(in, 1); 437 } 438 LCRYPTO_ALIAS(b2i_PublicKey_bio); 439 440 static void 441 write_ledword(unsigned char **out, unsigned int dw) 442 { 443 unsigned char *p = *out; 444 445 *p++ = dw & 0xff; 446 *p++ = (dw >> 8) & 0xff; 447 *p++ = (dw >> 16) & 0xff; 448 *p++ = (dw >> 24) & 0xff; 449 *out = p; 450 } 451 452 static void 453 write_lebn(unsigned char **out, const BIGNUM *bn, int len) 454 { 455 int nb, i; 456 unsigned char *p = *out, *q, c; 457 458 nb = BN_num_bytes(bn); 459 BN_bn2bin(bn, p); 460 q = p + nb - 1; 461 /* In place byte order reversal */ 462 for (i = 0; i < nb / 2; i++) { 463 c = *p; 464 *p++ = *q; 465 *q-- = c; 466 } 467 *out += nb; 468 /* Pad with zeroes if we have to */ 469 if (len > 0) { 470 len -= nb; 471 if (len > 0) { 472 memset(*out, 0, len); 473 *out += len; 474 } 475 } 476 } 477 478 479 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); 480 static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); 481 482 static void write_rsa(unsigned char **out, RSA *rsa, int ispub); 483 static void write_dsa(unsigned char **out, DSA *dsa, int ispub); 484 485 static int 486 do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) 487 { 488 unsigned char *p; 489 unsigned int bitlen, magic = 0, keyalg; 490 int outlen, noinc = 0; 491 492 if (pk->type == EVP_PKEY_DSA) { 493 bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); 494 keyalg = MS_KEYALG_DSS_SIGN; 495 } else if (pk->type == EVP_PKEY_RSA) { 496 bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); 497 keyalg = MS_KEYALG_RSA_KEYX; 498 } else 499 return -1; 500 if (bitlen == 0) 501 return -1; 502 outlen = 16 + blob_length(bitlen, 503 keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); 504 if (out == NULL) 505 return outlen; 506 if (*out) 507 p = *out; 508 else { 509 p = malloc(outlen); 510 if (!p) 511 return -1; 512 *out = p; 513 noinc = 1; 514 } 515 if (ispub) 516 *p++ = MS_PUBLICKEYBLOB; 517 else 518 *p++ = MS_PRIVATEKEYBLOB; 519 *p++ = 0x2; 520 *p++ = 0; 521 *p++ = 0; 522 write_ledword(&p, keyalg); 523 write_ledword(&p, magic); 524 write_ledword(&p, bitlen); 525 if (keyalg == MS_KEYALG_DSS_SIGN) 526 write_dsa(&p, pk->pkey.dsa, ispub); 527 else 528 write_rsa(&p, pk->pkey.rsa, ispub); 529 if (!noinc) 530 *out += outlen; 531 return outlen; 532 } 533 534 static int 535 do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) 536 { 537 unsigned char *tmp = NULL; 538 int outlen, wrlen; 539 540 outlen = do_i2b(&tmp, pk, ispub); 541 if (outlen < 0) 542 return -1; 543 wrlen = BIO_write(out, tmp, outlen); 544 free(tmp); 545 if (wrlen == outlen) 546 return outlen; 547 return -1; 548 } 549 550 static int 551 check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) 552 { 553 int bitlen; 554 555 bitlen = BN_num_bits(dsa->p); 556 if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) || 557 (BN_num_bits(dsa->g) > bitlen)) 558 goto err; 559 if (ispub) { 560 if (BN_num_bits(dsa->pub_key) > bitlen) 561 goto err; 562 *pmagic = MS_DSS1MAGIC; 563 } else { 564 if (BN_num_bits(dsa->priv_key) > 160) 565 goto err; 566 *pmagic = MS_DSS2MAGIC; 567 } 568 569 return bitlen; 570 571 err: 572 PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); 573 return 0; 574 } 575 576 static int 577 check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) 578 { 579 int nbyte, hnbyte, bitlen; 580 581 if (BN_num_bits(rsa->e) > 32) 582 goto err; 583 bitlen = BN_num_bits(rsa->n); 584 nbyte = BN_num_bytes(rsa->n); 585 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 586 if (ispub) { 587 *pmagic = MS_RSA1MAGIC; 588 return bitlen; 589 } else { 590 *pmagic = MS_RSA2MAGIC; 591 /* For private key each component must fit within nbyte or 592 * hnbyte. 593 */ 594 if (BN_num_bytes(rsa->d) > nbyte) 595 goto err; 596 if ((BN_num_bytes(rsa->iqmp) > hnbyte) || 597 (BN_num_bytes(rsa->p) > hnbyte) || 598 (BN_num_bytes(rsa->q) > hnbyte) || 599 (BN_num_bytes(rsa->dmp1) > hnbyte) || 600 (BN_num_bytes(rsa->dmq1) > hnbyte)) 601 goto err; 602 } 603 return bitlen; 604 605 err: 606 PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); 607 return 0; 608 } 609 610 static void 611 write_rsa(unsigned char **out, RSA *rsa, int ispub) 612 { 613 int nbyte, hnbyte; 614 615 nbyte = BN_num_bytes(rsa->n); 616 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 617 write_lebn(out, rsa->e, 4); 618 write_lebn(out, rsa->n, -1); 619 if (ispub) 620 return; 621 write_lebn(out, rsa->p, hnbyte); 622 write_lebn(out, rsa->q, hnbyte); 623 write_lebn(out, rsa->dmp1, hnbyte); 624 write_lebn(out, rsa->dmq1, hnbyte); 625 write_lebn(out, rsa->iqmp, hnbyte); 626 write_lebn(out, rsa->d, nbyte); 627 } 628 629 static void 630 write_dsa(unsigned char **out, DSA *dsa, int ispub) 631 { 632 int nbyte; 633 634 nbyte = BN_num_bytes(dsa->p); 635 write_lebn(out, dsa->p, nbyte); 636 write_lebn(out, dsa->q, 20); 637 write_lebn(out, dsa->g, nbyte); 638 if (ispub) 639 write_lebn(out, dsa->pub_key, nbyte); 640 else 641 write_lebn(out, dsa->priv_key, 20); 642 /* Set "invalid" for seed structure values */ 643 memset(*out, 0xff, 24); 644 *out += 24; 645 return; 646 } 647 648 int 649 i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk) 650 { 651 return do_i2b_bio(out, pk, 0); 652 } 653 LCRYPTO_ALIAS(i2b_PrivateKey_bio); 654 655 int 656 i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk) 657 { 658 return do_i2b_bio(out, pk, 1); 659 } 660 LCRYPTO_ALIAS(i2b_PublicKey_bio); 661 662 #ifndef OPENSSL_NO_RC4 663 664 static int 665 do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic, 666 unsigned int *psaltlen, unsigned int *pkeylen) 667 { 668 const unsigned char *p = *in; 669 unsigned int pvk_magic, is_encrypted; 670 671 if (skip_magic) { 672 if (length < 20) { 673 PEMerror(PEM_R_PVK_TOO_SHORT); 674 return 0; 675 } 676 length -= 20; 677 } else { 678 if (length < 24) { 679 PEMerror(PEM_R_PVK_TOO_SHORT); 680 return 0; 681 } 682 length -= 24; 683 pvk_magic = read_ledword(&p); 684 if (pvk_magic != MS_PVKMAGIC) { 685 PEMerror(PEM_R_BAD_MAGIC_NUMBER); 686 return 0; 687 } 688 } 689 /* Skip reserved */ 690 p += 4; 691 /*keytype = */read_ledword(&p); 692 is_encrypted = read_ledword(&p); 693 *psaltlen = read_ledword(&p); 694 *pkeylen = read_ledword(&p); 695 if (*psaltlen > 65536 || *pkeylen > 65536) { 696 PEMerror(PEM_R_ERROR_CONVERTING_PRIVATE_KEY); 697 return 0; 698 } 699 700 if (is_encrypted && !*psaltlen) { 701 PEMerror(PEM_R_INCONSISTENT_HEADER); 702 return 0; 703 } 704 705 *in = p; 706 return 1; 707 } 708 709 static int 710 derive_pvk_key(unsigned char *key, const unsigned char *salt, 711 unsigned int saltlen, const unsigned char *pass, int passlen) 712 { 713 EVP_MD_CTX mctx; 714 int rv = 1; 715 716 EVP_MD_CTX_legacy_clear(&mctx); 717 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) || 718 !EVP_DigestUpdate(&mctx, salt, saltlen) || 719 !EVP_DigestUpdate(&mctx, pass, passlen) || 720 !EVP_DigestFinal_ex(&mctx, key, NULL)) 721 rv = 0; 722 723 EVP_MD_CTX_cleanup(&mctx); 724 return rv; 725 } 726 727 static EVP_PKEY * 728 do_PVK_body(const unsigned char **in, unsigned int saltlen, 729 unsigned int keylen, pem_password_cb *cb, void *u) 730 { 731 EVP_PKEY *ret = NULL; 732 const unsigned char *p = *in; 733 unsigned int magic; 734 unsigned char *enctmp = NULL, *q; 735 EVP_CIPHER_CTX *cctx = NULL; 736 737 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { 738 PEMerror(ERR_R_MALLOC_FAILURE); 739 goto err; 740 } 741 if (saltlen) { 742 char psbuf[PEM_BUFSIZE]; 743 unsigned char keybuf[20]; 744 int enctmplen, inlen; 745 746 if (cb) 747 inlen = cb(psbuf, PEM_BUFSIZE, 0, u); 748 else 749 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); 750 if (inlen <= 0) { 751 PEMerror(PEM_R_BAD_PASSWORD_READ); 752 goto err; 753 } 754 enctmp = malloc(keylen + 8); 755 if (!enctmp) { 756 PEMerror(ERR_R_MALLOC_FAILURE); 757 goto err; 758 } 759 if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, 760 inlen)) { 761 goto err; 762 } 763 p += saltlen; 764 /* Copy BLOBHEADER across, decrypt rest */ 765 memcpy(enctmp, p, 8); 766 p += 8; 767 if (keylen < 8) { 768 PEMerror(PEM_R_PVK_TOO_SHORT); 769 goto err; 770 } 771 inlen = keylen - 8; 772 q = enctmp + 8; 773 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) 774 goto err; 775 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) 776 goto err; 777 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) 778 goto err; 779 magic = read_ledword((const unsigned char **)&q); 780 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 781 q = enctmp + 8; 782 memset(keybuf + 5, 0, 11); 783 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, 784 NULL)) 785 goto err; 786 explicit_bzero(keybuf, 20); 787 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) 788 goto err; 789 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, 790 &enctmplen)) 791 goto err; 792 magic = read_ledword((const unsigned char **)&q); 793 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 794 PEMerror(PEM_R_BAD_DECRYPT); 795 goto err; 796 } 797 } else 798 explicit_bzero(keybuf, 20); 799 p = enctmp; 800 } 801 802 ret = b2i_PrivateKey(&p, keylen); 803 804 err: 805 EVP_CIPHER_CTX_free(cctx); 806 if (enctmp && saltlen) 807 free(enctmp); 808 return ret; 809 } 810 811 812 EVP_PKEY * 813 b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 814 { 815 unsigned char pvk_hdr[24], *buf = NULL; 816 const unsigned char *p; 817 size_t buflen; 818 EVP_PKEY *ret = NULL; 819 unsigned int saltlen, keylen; 820 821 if (BIO_read(in, pvk_hdr, 24) != 24) { 822 PEMerror(PEM_R_PVK_DATA_TOO_SHORT); 823 return NULL; 824 } 825 p = pvk_hdr; 826 827 if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen)) 828 return 0; 829 buflen = keylen + saltlen; 830 buf = malloc(buflen); 831 if (!buf) { 832 PEMerror(ERR_R_MALLOC_FAILURE); 833 return 0; 834 } 835 p = buf; 836 if (BIO_read(in, buf, buflen) != buflen) { 837 PEMerror(PEM_R_PVK_DATA_TOO_SHORT); 838 goto err; 839 } 840 ret = do_PVK_body(&p, saltlen, keylen, cb, u); 841 842 err: 843 freezero(buf, buflen); 844 return ret; 845 } 846 LCRYPTO_ALIAS(b2i_PVK_bio); 847 848 static int 849 i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, 850 void *u) 851 { 852 int outlen = 24, pklen; 853 unsigned char *p = NULL, *start = NULL, *salt = NULL; 854 EVP_CIPHER_CTX *cctx = NULL; 855 856 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { 857 PEMerror(ERR_R_MALLOC_FAILURE); 858 goto err; 859 } 860 if (enclevel != 0) 861 outlen += PVK_SALTLEN; 862 pklen = do_i2b(NULL, pk, 0); 863 if (pklen < 0) 864 goto err; 865 outlen += pklen; 866 start = p = malloc(outlen); 867 if (!p) { 868 PEMerror(ERR_R_MALLOC_FAILURE); 869 goto err; 870 } 871 872 write_ledword(&p, MS_PVKMAGIC); 873 write_ledword(&p, 0); 874 if (pk->type == EVP_PKEY_DSA) 875 write_ledword(&p, MS_KEYTYPE_SIGN); 876 else 877 write_ledword(&p, MS_KEYTYPE_KEYX); 878 write_ledword(&p, enclevel ? 1 : 0); 879 write_ledword(&p, enclevel ? PVK_SALTLEN : 0); 880 write_ledword(&p, pklen); 881 if (enclevel != 0) { 882 arc4random_buf(p, PVK_SALTLEN); 883 salt = p; 884 p += PVK_SALTLEN; 885 } 886 do_i2b(&p, pk, 0); 887 if (enclevel != 0) { 888 char psbuf[PEM_BUFSIZE]; 889 unsigned char keybuf[20]; 890 int enctmplen, inlen; 891 if (cb) 892 inlen = cb(psbuf, PEM_BUFSIZE, 1, u); 893 else 894 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); 895 if (inlen <= 0) { 896 PEMerror(PEM_R_BAD_PASSWORD_READ); 897 goto err; 898 } 899 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, 900 (unsigned char *)psbuf, inlen)) 901 goto err; 902 if (enclevel == 1) 903 memset(keybuf + 5, 0, 11); 904 p = salt + PVK_SALTLEN + 8; 905 if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) 906 goto err; 907 explicit_bzero(keybuf, 20); 908 if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8)) 909 goto err; 910 if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen)) 911 goto err; 912 } 913 EVP_CIPHER_CTX_free(cctx); 914 *out = start; 915 return outlen; 916 917 err: 918 EVP_CIPHER_CTX_free(cctx); 919 free(start); 920 return -1; 921 } 922 923 int 924 i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u) 925 { 926 unsigned char *tmp = NULL; 927 int outlen, wrlen; 928 929 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u); 930 if (outlen < 0) 931 return -1; 932 wrlen = BIO_write(out, tmp, outlen); 933 free(tmp); 934 if (wrlen != outlen) { 935 PEMerror(PEM_R_BIO_WRITE_FAILURE); 936 return -1; 937 } 938 return outlen; 939 } 940 LCRYPTO_ALIAS(i2b_PVK_bio); 941 942 #endif 943 944 #endif 945