1 /* $OpenBSD: pvkfmt.c,v 1.28 2024/02/18 15:45:42 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2005.
4 */
5 /* ====================================================================
6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 /* Support for PVK format keys and related structures (such a PUBLICKEYBLOB
60 * and PRIVATEKEYBLOB).
61 */
62
63 #include <stdlib.h>
64 #include <string.h>
65
66 #include <openssl/opensslconf.h>
67
68 #include <openssl/bn.h>
69 #include <openssl/err.h>
70 #include <openssl/pem.h>
71
72 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
73 #include <openssl/dsa.h>
74 #include <openssl/rsa.h>
75
76 #include "bn_local.h"
77 #include "dsa_local.h"
78 #include "evp_local.h"
79 #include "rsa_local.h"
80
81 /* Utility function: read a DWORD (4 byte unsigned integer) in little endian
82 * format
83 */
84
85 static unsigned int
read_ledword(const unsigned char ** in)86 read_ledword(const unsigned char **in)
87 {
88 const unsigned char *p = *in;
89 unsigned int ret;
90
91 ret = *p++;
92 ret |= (*p++ << 8);
93 ret |= (*p++ << 16);
94 ret |= (*p++ << 24);
95 *in = p;
96 return ret;
97 }
98
99 /* Read a BIGNUM in little endian format. The docs say that this should take up
100 * bitlen/8 bytes.
101 */
102
103 static int
read_lebn(const unsigned char ** in,unsigned int nbyte,BIGNUM ** r)104 read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
105 {
106 const unsigned char *p;
107 unsigned char *tmpbuf, *q;
108 unsigned int i;
109
110 p = *in + nbyte - 1;
111 tmpbuf = malloc(nbyte);
112 if (!tmpbuf)
113 return 0;
114 q = tmpbuf;
115 for (i = 0; i < nbyte; i++)
116 *q++ = *p--;
117 *r = BN_bin2bn(tmpbuf, nbyte, NULL);
118 free(tmpbuf);
119 if (*r) {
120 *in += nbyte;
121 return 1;
122 } else
123 return 0;
124 }
125
126
127 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
128
129 #define MS_PUBLICKEYBLOB 0x6
130 #define MS_PRIVATEKEYBLOB 0x7
131 #define MS_RSA1MAGIC 0x31415352L
132 #define MS_RSA2MAGIC 0x32415352L
133 #define MS_DSS1MAGIC 0x31535344L
134 #define MS_DSS2MAGIC 0x32535344L
135
136 #define MS_KEYALG_RSA_KEYX 0xa400
137 #define MS_KEYALG_DSS_SIGN 0x2200
138
139 #define MS_KEYTYPE_KEYX 0x1
140 #define MS_KEYTYPE_SIGN 0x2
141
142 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
143 #define MS_PVKMAGIC 0xb0b5f11eL
144 /* Salt length for PVK files */
145 #define PVK_SALTLEN 0x10
146
147 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
148 unsigned int bitlen, int ispub);
149 static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
150 unsigned int bitlen, int ispub);
151
152 static int
do_blob_header(const unsigned char ** in,unsigned int length,unsigned int * pmagic,unsigned int * pbitlen,int * pisdss,int * pispub)153 do_blob_header(const unsigned char **in, unsigned int length,
154 unsigned int *pmagic, unsigned int *pbitlen, int *pisdss, int *pispub)
155 {
156 const unsigned char *p = *in;
157
158 if (length < 16)
159 return 0;
160 /* bType */
161 if (*p == MS_PUBLICKEYBLOB) {
162 if (*pispub == 0) {
163 PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
164 return 0;
165 }
166 *pispub = 1;
167 } else if (*p == MS_PRIVATEKEYBLOB) {
168 if (*pispub == 1) {
169 PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
170 return 0;
171 }
172 *pispub = 0;
173 } else
174 return 0;
175 p++;
176 /* Version */
177 if (*p++ != 0x2) {
178 PEMerror(PEM_R_BAD_VERSION_NUMBER);
179 return 0;
180 }
181 /* Ignore reserved, aiKeyAlg */
182 p += 6;
183 *pmagic = read_ledword(&p);
184 *pbitlen = read_ledword(&p);
185 if (*pbitlen > 65536) {
186 PEMerror(PEM_R_INCONSISTENT_HEADER);
187 return 0;
188 }
189 *pisdss = 0;
190 switch (*pmagic) {
191
192 case MS_DSS1MAGIC:
193 *pisdss = 1;
194 case MS_RSA1MAGIC:
195 if (*pispub == 0) {
196 PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
197 return 0;
198 }
199 break;
200
201 case MS_DSS2MAGIC:
202 *pisdss = 1;
203 case MS_RSA2MAGIC:
204 if (*pispub == 1) {
205 PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
206 return 0;
207 }
208 break;
209
210 default:
211 PEMerror(PEM_R_BAD_MAGIC_NUMBER);
212 return -1;
213 }
214 *in = p;
215 return 1;
216 }
217
218 static unsigned int
blob_length(unsigned bitlen,int isdss,int ispub)219 blob_length(unsigned bitlen, int isdss, int ispub)
220 {
221 unsigned int nbyte, hnbyte;
222
223 nbyte = (bitlen + 7) >> 3;
224 hnbyte = (bitlen + 15) >> 4;
225 if (isdss) {
226
227 /* Expected length: 20 for q + 3 components bitlen each + 24
228 * for seed structure.
229 */
230 if (ispub)
231 return 44 + 3 * nbyte;
232 /* Expected length: 20 for q, priv, 2 bitlen components + 24
233 * for seed structure.
234 */
235 else
236 return 64 + 2 * nbyte;
237 } else {
238 /* Expected length: 4 for 'e' + 'n' */
239 if (ispub)
240 return 4 + nbyte;
241 else
242 /* Expected length: 4 for 'e' and 7 other components.
243 * 2 components are bitlen size, 5 are bitlen/2
244 */
245 return 4 + 2*nbyte + 5*hnbyte;
246 }
247
248 }
249
250 static EVP_PKEY *
do_b2i(const unsigned char ** in,unsigned int length,int ispub)251 do_b2i(const unsigned char **in, unsigned int length, int ispub)
252 {
253 const unsigned char *p = *in;
254 unsigned int bitlen, magic;
255 int isdss;
256
257 if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) {
258 PEMerror(PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
259 return NULL;
260 }
261 length -= 16;
262 if (length < blob_length(bitlen, isdss, ispub)) {
263 PEMerror(PEM_R_KEYBLOB_TOO_SHORT);
264 return NULL;
265 }
266 if (isdss)
267 return b2i_dss(&p, length, bitlen, ispub);
268 else
269 return b2i_rsa(&p, length, bitlen, ispub);
270 }
271
272 static EVP_PKEY *
do_b2i_bio(BIO * in,int ispub)273 do_b2i_bio(BIO *in, int ispub)
274 {
275 const unsigned char *p;
276 unsigned char hdr_buf[16], *buf = NULL;
277 unsigned int bitlen, magic, length;
278 int isdss;
279 EVP_PKEY *ret = NULL;
280
281 if (BIO_read(in, hdr_buf, 16) != 16) {
282 PEMerror(PEM_R_KEYBLOB_TOO_SHORT);
283 return NULL;
284 }
285 p = hdr_buf;
286 if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0)
287 return NULL;
288
289 length = blob_length(bitlen, isdss, ispub);
290 buf = malloc(length);
291 if (!buf) {
292 PEMerror(ERR_R_MALLOC_FAILURE);
293 goto err;
294 }
295 p = buf;
296 if (BIO_read(in, buf, length) != (int)length) {
297 PEMerror(PEM_R_KEYBLOB_TOO_SHORT);
298 goto err;
299 }
300
301 if (isdss)
302 ret = b2i_dss(&p, length, bitlen, ispub);
303 else
304 ret = b2i_rsa(&p, length, bitlen, ispub);
305
306 err:
307 free(buf);
308 return ret;
309 }
310
311 static EVP_PKEY *
b2i_dss(const unsigned char ** in,unsigned int length,unsigned int bitlen,int ispub)312 b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen,
313 int ispub)
314 {
315 const unsigned char *p = *in;
316 EVP_PKEY *ret = NULL;
317 DSA *dsa = NULL;
318 BN_CTX *ctx = NULL;
319 unsigned int nbyte;
320
321 nbyte = (bitlen + 7) >> 3;
322
323 dsa = DSA_new();
324 ret = EVP_PKEY_new();
325 if (!dsa || !ret)
326 goto err;
327 if (!read_lebn(&p, nbyte, &dsa->p))
328 goto err;
329 if (!read_lebn(&p, 20, &dsa->q))
330 goto err;
331 if (!read_lebn(&p, nbyte, &dsa->g))
332 goto err;
333 if (ispub) {
334 if (!read_lebn(&p, nbyte, &dsa->pub_key))
335 goto err;
336 } else {
337 if (!read_lebn(&p, 20, &dsa->priv_key))
338 goto err;
339 /* Calculate public key */
340 if (!(dsa->pub_key = BN_new()))
341 goto err;
342 if (!(ctx = BN_CTX_new()))
343 goto err;
344 if (!BN_mod_exp_ct(dsa->pub_key, dsa->g,
345 dsa->priv_key, dsa->p, ctx))
346 goto err;
347 BN_CTX_free(ctx);
348 }
349
350 EVP_PKEY_set1_DSA(ret, dsa);
351 DSA_free(dsa);
352 *in = p;
353 return ret;
354
355 err:
356 PEMerror(ERR_R_MALLOC_FAILURE);
357 DSA_free(dsa);
358 EVP_PKEY_free(ret);
359 BN_CTX_free(ctx);
360 return NULL;
361 }
362
363 static EVP_PKEY *
b2i_rsa(const unsigned char ** in,unsigned int length,unsigned int bitlen,int ispub)364 b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen,
365 int ispub)
366 {
367 const unsigned char *p = *in;
368 EVP_PKEY *ret = NULL;
369 RSA *rsa = NULL;
370 unsigned int nbyte, hnbyte;
371
372 nbyte = (bitlen + 7) >> 3;
373 hnbyte = (bitlen + 15) >> 4;
374 rsa = RSA_new();
375 ret = EVP_PKEY_new();
376 if (!rsa || !ret)
377 goto err;
378 rsa->e = BN_new();
379 if (!rsa->e)
380 goto err;
381 if (!BN_set_word(rsa->e, read_ledword(&p)))
382 goto err;
383 if (!read_lebn(&p, nbyte, &rsa->n))
384 goto err;
385 if (!ispub) {
386 if (!read_lebn(&p, hnbyte, &rsa->p))
387 goto err;
388 if (!read_lebn(&p, hnbyte, &rsa->q))
389 goto err;
390 if (!read_lebn(&p, hnbyte, &rsa->dmp1))
391 goto err;
392 if (!read_lebn(&p, hnbyte, &rsa->dmq1))
393 goto err;
394 if (!read_lebn(&p, hnbyte, &rsa->iqmp))
395 goto err;
396 if (!read_lebn(&p, nbyte, &rsa->d))
397 goto err;
398 }
399
400 EVP_PKEY_set1_RSA(ret, rsa);
401 RSA_free(rsa);
402 *in = p;
403 return ret;
404
405 err:
406 PEMerror(ERR_R_MALLOC_FAILURE);
407 RSA_free(rsa);
408 EVP_PKEY_free(ret);
409 return NULL;
410 }
411
412 EVP_PKEY *
b2i_PrivateKey(const unsigned char ** in,long length)413 b2i_PrivateKey(const unsigned char **in, long length)
414 {
415 return do_b2i(in, length, 0);
416 }
417 LCRYPTO_ALIAS(b2i_PrivateKey);
418
419 EVP_PKEY *
b2i_PublicKey(const unsigned char ** in,long length)420 b2i_PublicKey(const unsigned char **in, long length)
421 {
422 return do_b2i(in, length, 1);
423 }
424 LCRYPTO_ALIAS(b2i_PublicKey);
425
426 EVP_PKEY *
b2i_PrivateKey_bio(BIO * in)427 b2i_PrivateKey_bio(BIO *in)
428 {
429 return do_b2i_bio(in, 0);
430 }
431 LCRYPTO_ALIAS(b2i_PrivateKey_bio);
432
433 EVP_PKEY *
b2i_PublicKey_bio(BIO * in)434 b2i_PublicKey_bio(BIO *in)
435 {
436 return do_b2i_bio(in, 1);
437 }
438 LCRYPTO_ALIAS(b2i_PublicKey_bio);
439
440 static void
write_ledword(unsigned char ** out,unsigned int dw)441 write_ledword(unsigned char **out, unsigned int dw)
442 {
443 unsigned char *p = *out;
444
445 *p++ = dw & 0xff;
446 *p++ = (dw >> 8) & 0xff;
447 *p++ = (dw >> 16) & 0xff;
448 *p++ = (dw >> 24) & 0xff;
449 *out = p;
450 }
451
452 static void
write_lebn(unsigned char ** out,const BIGNUM * bn,int len)453 write_lebn(unsigned char **out, const BIGNUM *bn, int len)
454 {
455 int nb, i;
456 unsigned char *p = *out, *q, c;
457
458 nb = BN_num_bytes(bn);
459 BN_bn2bin(bn, p);
460 q = p + nb - 1;
461 /* In place byte order reversal */
462 for (i = 0; i < nb / 2; i++) {
463 c = *p;
464 *p++ = *q;
465 *q-- = c;
466 }
467 *out += nb;
468 /* Pad with zeroes if we have to */
469 if (len > 0) {
470 len -= nb;
471 if (len > 0) {
472 memset(*out, 0, len);
473 *out += len;
474 }
475 }
476 }
477
478
479 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic);
480 static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic);
481
482 static void write_rsa(unsigned char **out, RSA *rsa, int ispub);
483 static void write_dsa(unsigned char **out, DSA *dsa, int ispub);
484
485 static int
do_i2b(unsigned char ** out,EVP_PKEY * pk,int ispub)486 do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
487 {
488 unsigned char *p;
489 unsigned int bitlen, magic = 0, keyalg;
490 int outlen, noinc = 0;
491
492 if (pk->type == EVP_PKEY_DSA) {
493 bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic);
494 keyalg = MS_KEYALG_DSS_SIGN;
495 } else if (pk->type == EVP_PKEY_RSA) {
496 bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic);
497 keyalg = MS_KEYALG_RSA_KEYX;
498 } else
499 return -1;
500 if (bitlen == 0)
501 return -1;
502 outlen = 16 + blob_length(bitlen,
503 keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
504 if (out == NULL)
505 return outlen;
506 if (*out)
507 p = *out;
508 else {
509 p = malloc(outlen);
510 if (!p)
511 return -1;
512 *out = p;
513 noinc = 1;
514 }
515 if (ispub)
516 *p++ = MS_PUBLICKEYBLOB;
517 else
518 *p++ = MS_PRIVATEKEYBLOB;
519 *p++ = 0x2;
520 *p++ = 0;
521 *p++ = 0;
522 write_ledword(&p, keyalg);
523 write_ledword(&p, magic);
524 write_ledword(&p, bitlen);
525 if (keyalg == MS_KEYALG_DSS_SIGN)
526 write_dsa(&p, pk->pkey.dsa, ispub);
527 else
528 write_rsa(&p, pk->pkey.rsa, ispub);
529 if (!noinc)
530 *out += outlen;
531 return outlen;
532 }
533
534 static int
do_i2b_bio(BIO * out,EVP_PKEY * pk,int ispub)535 do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub)
536 {
537 unsigned char *tmp = NULL;
538 int outlen, wrlen;
539
540 outlen = do_i2b(&tmp, pk, ispub);
541 if (outlen < 0)
542 return -1;
543 wrlen = BIO_write(out, tmp, outlen);
544 free(tmp);
545 if (wrlen == outlen)
546 return outlen;
547 return -1;
548 }
549
550 static int
check_bitlen_dsa(DSA * dsa,int ispub,unsigned int * pmagic)551 check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic)
552 {
553 int bitlen;
554
555 bitlen = BN_num_bits(dsa->p);
556 if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) ||
557 (BN_num_bits(dsa->g) > bitlen))
558 goto err;
559 if (ispub) {
560 if (BN_num_bits(dsa->pub_key) > bitlen)
561 goto err;
562 *pmagic = MS_DSS1MAGIC;
563 } else {
564 if (BN_num_bits(dsa->priv_key) > 160)
565 goto err;
566 *pmagic = MS_DSS2MAGIC;
567 }
568
569 return bitlen;
570
571 err:
572 PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS);
573 return 0;
574 }
575
576 static int
check_bitlen_rsa(RSA * rsa,int ispub,unsigned int * pmagic)577 check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic)
578 {
579 int nbyte, hnbyte, bitlen;
580
581 if (BN_num_bits(rsa->e) > 32)
582 goto err;
583 bitlen = BN_num_bits(rsa->n);
584 nbyte = BN_num_bytes(rsa->n);
585 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4;
586 if (ispub) {
587 *pmagic = MS_RSA1MAGIC;
588 return bitlen;
589 } else {
590 *pmagic = MS_RSA2MAGIC;
591 /* For private key each component must fit within nbyte or
592 * hnbyte.
593 */
594 if (BN_num_bytes(rsa->d) > nbyte)
595 goto err;
596 if ((BN_num_bytes(rsa->iqmp) > hnbyte) ||
597 (BN_num_bytes(rsa->p) > hnbyte) ||
598 (BN_num_bytes(rsa->q) > hnbyte) ||
599 (BN_num_bytes(rsa->dmp1) > hnbyte) ||
600 (BN_num_bytes(rsa->dmq1) > hnbyte))
601 goto err;
602 }
603 return bitlen;
604
605 err:
606 PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS);
607 return 0;
608 }
609
610 static void
write_rsa(unsigned char ** out,RSA * rsa,int ispub)611 write_rsa(unsigned char **out, RSA *rsa, int ispub)
612 {
613 int nbyte, hnbyte;
614
615 nbyte = BN_num_bytes(rsa->n);
616 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4;
617 write_lebn(out, rsa->e, 4);
618 write_lebn(out, rsa->n, -1);
619 if (ispub)
620 return;
621 write_lebn(out, rsa->p, hnbyte);
622 write_lebn(out, rsa->q, hnbyte);
623 write_lebn(out, rsa->dmp1, hnbyte);
624 write_lebn(out, rsa->dmq1, hnbyte);
625 write_lebn(out, rsa->iqmp, hnbyte);
626 write_lebn(out, rsa->d, nbyte);
627 }
628
629 static void
write_dsa(unsigned char ** out,DSA * dsa,int ispub)630 write_dsa(unsigned char **out, DSA *dsa, int ispub)
631 {
632 int nbyte;
633
634 nbyte = BN_num_bytes(dsa->p);
635 write_lebn(out, dsa->p, nbyte);
636 write_lebn(out, dsa->q, 20);
637 write_lebn(out, dsa->g, nbyte);
638 if (ispub)
639 write_lebn(out, dsa->pub_key, nbyte);
640 else
641 write_lebn(out, dsa->priv_key, 20);
642 /* Set "invalid" for seed structure values */
643 memset(*out, 0xff, 24);
644 *out += 24;
645 return;
646 }
647
648 int
i2b_PrivateKey_bio(BIO * out,EVP_PKEY * pk)649 i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk)
650 {
651 return do_i2b_bio(out, pk, 0);
652 }
653 LCRYPTO_ALIAS(i2b_PrivateKey_bio);
654
655 int
i2b_PublicKey_bio(BIO * out,EVP_PKEY * pk)656 i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk)
657 {
658 return do_i2b_bio(out, pk, 1);
659 }
660 LCRYPTO_ALIAS(i2b_PublicKey_bio);
661
662 #ifndef OPENSSL_NO_RC4
663
664 static int
do_PVK_header(const unsigned char ** in,unsigned int length,int skip_magic,unsigned int * psaltlen,unsigned int * pkeylen)665 do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic,
666 unsigned int *psaltlen, unsigned int *pkeylen)
667 {
668 const unsigned char *p = *in;
669 unsigned int pvk_magic, is_encrypted;
670
671 if (skip_magic) {
672 if (length < 20) {
673 PEMerror(PEM_R_PVK_TOO_SHORT);
674 return 0;
675 }
676 length -= 20;
677 } else {
678 if (length < 24) {
679 PEMerror(PEM_R_PVK_TOO_SHORT);
680 return 0;
681 }
682 length -= 24;
683 pvk_magic = read_ledword(&p);
684 if (pvk_magic != MS_PVKMAGIC) {
685 PEMerror(PEM_R_BAD_MAGIC_NUMBER);
686 return 0;
687 }
688 }
689 /* Skip reserved */
690 p += 4;
691 /*keytype = */read_ledword(&p);
692 is_encrypted = read_ledword(&p);
693 *psaltlen = read_ledword(&p);
694 *pkeylen = read_ledword(&p);
695 if (*psaltlen > 65536 || *pkeylen > 65536) {
696 PEMerror(PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
697 return 0;
698 }
699
700 if (is_encrypted && !*psaltlen) {
701 PEMerror(PEM_R_INCONSISTENT_HEADER);
702 return 0;
703 }
704
705 *in = p;
706 return 1;
707 }
708
709 static int
derive_pvk_key(unsigned char * key,const unsigned char * salt,unsigned int saltlen,const unsigned char * pass,int passlen)710 derive_pvk_key(unsigned char *key, const unsigned char *salt,
711 unsigned int saltlen, const unsigned char *pass, int passlen)
712 {
713 EVP_MD_CTX mctx;
714 int rv = 1;
715
716 EVP_MD_CTX_legacy_clear(&mctx);
717 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) ||
718 !EVP_DigestUpdate(&mctx, salt, saltlen) ||
719 !EVP_DigestUpdate(&mctx, pass, passlen) ||
720 !EVP_DigestFinal_ex(&mctx, key, NULL))
721 rv = 0;
722
723 EVP_MD_CTX_cleanup(&mctx);
724 return rv;
725 }
726
727 static EVP_PKEY *
do_PVK_body(const unsigned char ** in,unsigned int saltlen,unsigned int keylen,pem_password_cb * cb,void * u)728 do_PVK_body(const unsigned char **in, unsigned int saltlen,
729 unsigned int keylen, pem_password_cb *cb, void *u)
730 {
731 EVP_PKEY *ret = NULL;
732 const unsigned char *p = *in;
733 unsigned int magic;
734 unsigned char *enctmp = NULL, *q;
735 EVP_CIPHER_CTX *cctx = NULL;
736
737 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
738 PEMerror(ERR_R_MALLOC_FAILURE);
739 goto err;
740 }
741 if (saltlen) {
742 char psbuf[PEM_BUFSIZE];
743 unsigned char keybuf[20];
744 int enctmplen, inlen;
745
746 if (cb)
747 inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
748 else
749 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
750 if (inlen <= 0) {
751 PEMerror(PEM_R_BAD_PASSWORD_READ);
752 goto err;
753 }
754 enctmp = malloc(keylen + 8);
755 if (!enctmp) {
756 PEMerror(ERR_R_MALLOC_FAILURE);
757 goto err;
758 }
759 if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf,
760 inlen)) {
761 goto err;
762 }
763 p += saltlen;
764 /* Copy BLOBHEADER across, decrypt rest */
765 memcpy(enctmp, p, 8);
766 p += 8;
767 if (keylen < 8) {
768 PEMerror(PEM_R_PVK_TOO_SHORT);
769 goto err;
770 }
771 inlen = keylen - 8;
772 q = enctmp + 8;
773 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
774 goto err;
775 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
776 goto err;
777 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
778 goto err;
779 magic = read_ledword((const unsigned char **)&q);
780 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
781 q = enctmp + 8;
782 memset(keybuf + 5, 0, 11);
783 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf,
784 NULL))
785 goto err;
786 explicit_bzero(keybuf, 20);
787 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
788 goto err;
789 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen,
790 &enctmplen))
791 goto err;
792 magic = read_ledword((const unsigned char **)&q);
793 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
794 PEMerror(PEM_R_BAD_DECRYPT);
795 goto err;
796 }
797 } else
798 explicit_bzero(keybuf, 20);
799 p = enctmp;
800 }
801
802 ret = b2i_PrivateKey(&p, keylen);
803
804 err:
805 EVP_CIPHER_CTX_free(cctx);
806 if (enctmp && saltlen)
807 free(enctmp);
808 return ret;
809 }
810
811
812 EVP_PKEY *
b2i_PVK_bio(BIO * in,pem_password_cb * cb,void * u)813 b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
814 {
815 unsigned char pvk_hdr[24], *buf = NULL;
816 const unsigned char *p;
817 size_t buflen;
818 EVP_PKEY *ret = NULL;
819 unsigned int saltlen, keylen;
820
821 if (BIO_read(in, pvk_hdr, 24) != 24) {
822 PEMerror(PEM_R_PVK_DATA_TOO_SHORT);
823 return NULL;
824 }
825 p = pvk_hdr;
826
827 if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen))
828 return 0;
829 buflen = keylen + saltlen;
830 buf = malloc(buflen);
831 if (!buf) {
832 PEMerror(ERR_R_MALLOC_FAILURE);
833 return 0;
834 }
835 p = buf;
836 if (BIO_read(in, buf, buflen) != buflen) {
837 PEMerror(PEM_R_PVK_DATA_TOO_SHORT);
838 goto err;
839 }
840 ret = do_PVK_body(&p, saltlen, keylen, cb, u);
841
842 err:
843 freezero(buf, buflen);
844 return ret;
845 }
846 LCRYPTO_ALIAS(b2i_PVK_bio);
847
848 static int
i2b_PVK(unsigned char ** out,EVP_PKEY * pk,int enclevel,pem_password_cb * cb,void * u)849 i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb,
850 void *u)
851 {
852 int outlen = 24, pklen;
853 unsigned char *p = NULL, *start = NULL, *salt = NULL;
854 EVP_CIPHER_CTX *cctx = NULL;
855
856 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
857 PEMerror(ERR_R_MALLOC_FAILURE);
858 goto err;
859 }
860 if (enclevel != 0)
861 outlen += PVK_SALTLEN;
862 pklen = do_i2b(NULL, pk, 0);
863 if (pklen < 0)
864 goto err;
865 outlen += pklen;
866 start = p = malloc(outlen);
867 if (!p) {
868 PEMerror(ERR_R_MALLOC_FAILURE);
869 goto err;
870 }
871
872 write_ledword(&p, MS_PVKMAGIC);
873 write_ledword(&p, 0);
874 if (pk->type == EVP_PKEY_DSA)
875 write_ledword(&p, MS_KEYTYPE_SIGN);
876 else
877 write_ledword(&p, MS_KEYTYPE_KEYX);
878 write_ledword(&p, enclevel ? 1 : 0);
879 write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
880 write_ledword(&p, pklen);
881 if (enclevel != 0) {
882 arc4random_buf(p, PVK_SALTLEN);
883 salt = p;
884 p += PVK_SALTLEN;
885 }
886 do_i2b(&p, pk, 0);
887 if (enclevel != 0) {
888 char psbuf[PEM_BUFSIZE];
889 unsigned char keybuf[20];
890 int enctmplen, inlen;
891 if (cb)
892 inlen = cb(psbuf, PEM_BUFSIZE, 1, u);
893 else
894 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u);
895 if (inlen <= 0) {
896 PEMerror(PEM_R_BAD_PASSWORD_READ);
897 goto err;
898 }
899 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
900 (unsigned char *)psbuf, inlen))
901 goto err;
902 if (enclevel == 1)
903 memset(keybuf + 5, 0, 11);
904 p = salt + PVK_SALTLEN + 8;
905 if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
906 goto err;
907 explicit_bzero(keybuf, 20);
908 if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
909 goto err;
910 if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen))
911 goto err;
912 }
913 EVP_CIPHER_CTX_free(cctx);
914 *out = start;
915 return outlen;
916
917 err:
918 EVP_CIPHER_CTX_free(cctx);
919 free(start);
920 return -1;
921 }
922
923 int
i2b_PVK_bio(BIO * out,EVP_PKEY * pk,int enclevel,pem_password_cb * cb,void * u)924 i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u)
925 {
926 unsigned char *tmp = NULL;
927 int outlen, wrlen;
928
929 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u);
930 if (outlen < 0)
931 return -1;
932 wrlen = BIO_write(out, tmp, outlen);
933 free(tmp);
934 if (wrlen != outlen) {
935 PEMerror(PEM_R_BIO_WRITE_FAILURE);
936 return -1;
937 }
938 return outlen;
939 }
940 LCRYPTO_ALIAS(i2b_PVK_bio);
941
942 #endif
943
944 #endif
945