1 /* $OpenBSD: pvkfmt.c,v 1.25 2022/01/07 09:55:31 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2005. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 /* Support for PVK format keys and related structures (such a PUBLICKEYBLOB 60 * and PRIVATEKEYBLOB). 61 */ 62 63 #include <stdlib.h> 64 #include <string.h> 65 66 #include <openssl/opensslconf.h> 67 68 #include <openssl/bn.h> 69 #include <openssl/err.h> 70 #include <openssl/pem.h> 71 72 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) 73 #include <openssl/dsa.h> 74 #include <openssl/rsa.h> 75 76 #include "bn_lcl.h" 77 #include "dsa_locl.h" 78 #include "evp_locl.h" 79 #include "rsa_locl.h" 80 81 /* Utility function: read a DWORD (4 byte unsigned integer) in little endian 82 * format 83 */ 84 85 static unsigned int 86 read_ledword(const unsigned char **in) 87 { 88 const unsigned char *p = *in; 89 unsigned int ret; 90 91 ret = *p++; 92 ret |= (*p++ << 8); 93 ret |= (*p++ << 16); 94 ret |= (*p++ << 24); 95 *in = p; 96 return ret; 97 } 98 99 /* Read a BIGNUM in little endian format. The docs say that this should take up 100 * bitlen/8 bytes. 101 */ 102 103 static int 104 read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) 105 { 106 const unsigned char *p; 107 unsigned char *tmpbuf, *q; 108 unsigned int i; 109 110 p = *in + nbyte - 1; 111 tmpbuf = malloc(nbyte); 112 if (!tmpbuf) 113 return 0; 114 q = tmpbuf; 115 for (i = 0; i < nbyte; i++) 116 *q++ = *p--; 117 *r = BN_bin2bn(tmpbuf, nbyte, NULL); 118 free(tmpbuf); 119 if (*r) { 120 *in += nbyte; 121 return 1; 122 } else 123 return 0; 124 } 125 126 127 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ 128 129 #define MS_PUBLICKEYBLOB 0x6 130 #define MS_PRIVATEKEYBLOB 0x7 131 #define MS_RSA1MAGIC 0x31415352L 132 #define MS_RSA2MAGIC 0x32415352L 133 #define MS_DSS1MAGIC 0x31535344L 134 #define MS_DSS2MAGIC 0x32535344L 135 136 #define MS_KEYALG_RSA_KEYX 0xa400 137 #define MS_KEYALG_DSS_SIGN 0x2200 138 139 #define MS_KEYTYPE_KEYX 0x1 140 #define MS_KEYTYPE_SIGN 0x2 141 142 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ 143 #define MS_PVKMAGIC 0xb0b5f11eL 144 /* Salt length for PVK files */ 145 #define PVK_SALTLEN 0x10 146 147 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, 148 unsigned int bitlen, int ispub); 149 static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, 150 unsigned int bitlen, int ispub); 151 152 static int 153 do_blob_header(const unsigned char **in, unsigned int length, 154 unsigned int *pmagic, unsigned int *pbitlen, int *pisdss, int *pispub) 155 { 156 const unsigned char *p = *in; 157 158 if (length < 16) 159 return 0; 160 /* bType */ 161 if (*p == MS_PUBLICKEYBLOB) { 162 if (*pispub == 0) { 163 PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 164 return 0; 165 } 166 *pispub = 1; 167 } else if (*p == MS_PRIVATEKEYBLOB) { 168 if (*pispub == 1) { 169 PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 170 return 0; 171 } 172 *pispub = 0; 173 } else 174 return 0; 175 p++; 176 /* Version */ 177 if (*p++ != 0x2) { 178 PEMerror(PEM_R_BAD_VERSION_NUMBER); 179 return 0; 180 } 181 /* Ignore reserved, aiKeyAlg */ 182 p += 6; 183 *pmagic = read_ledword(&p); 184 *pbitlen = read_ledword(&p); 185 if (*pbitlen > 65536) { 186 PEMerror(PEM_R_INCONSISTENT_HEADER); 187 return 0; 188 } 189 *pisdss = 0; 190 switch (*pmagic) { 191 192 case MS_DSS1MAGIC: 193 *pisdss = 1; 194 case MS_RSA1MAGIC: 195 if (*pispub == 0) { 196 PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 197 return 0; 198 } 199 break; 200 201 case MS_DSS2MAGIC: 202 *pisdss = 1; 203 case MS_RSA2MAGIC: 204 if (*pispub == 1) { 205 PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 206 return 0; 207 } 208 break; 209 210 default: 211 PEMerror(PEM_R_BAD_MAGIC_NUMBER); 212 return -1; 213 } 214 *in = p; 215 return 1; 216 } 217 218 static unsigned int 219 blob_length(unsigned bitlen, int isdss, int ispub) 220 { 221 unsigned int nbyte, hnbyte; 222 223 nbyte = (bitlen + 7) >> 3; 224 hnbyte = (bitlen + 15) >> 4; 225 if (isdss) { 226 227 /* Expected length: 20 for q + 3 components bitlen each + 24 228 * for seed structure. 229 */ 230 if (ispub) 231 return 44 + 3 * nbyte; 232 /* Expected length: 20 for q, priv, 2 bitlen components + 24 233 * for seed structure. 234 */ 235 else 236 return 64 + 2 * nbyte; 237 } else { 238 /* Expected length: 4 for 'e' + 'n' */ 239 if (ispub) 240 return 4 + nbyte; 241 else 242 /* Expected length: 4 for 'e' and 7 other components. 243 * 2 components are bitlen size, 5 are bitlen/2 244 */ 245 return 4 + 2*nbyte + 5*hnbyte; 246 } 247 248 } 249 250 static EVP_PKEY * 251 do_b2i(const unsigned char **in, unsigned int length, int ispub) 252 { 253 const unsigned char *p = *in; 254 unsigned int bitlen, magic; 255 int isdss; 256 257 if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) { 258 PEMerror(PEM_R_KEYBLOB_HEADER_PARSE_ERROR); 259 return NULL; 260 } 261 length -= 16; 262 if (length < blob_length(bitlen, isdss, ispub)) { 263 PEMerror(PEM_R_KEYBLOB_TOO_SHORT); 264 return NULL; 265 } 266 if (isdss) 267 return b2i_dss(&p, length, bitlen, ispub); 268 else 269 return b2i_rsa(&p, length, bitlen, ispub); 270 } 271 272 static EVP_PKEY * 273 do_b2i_bio(BIO *in, int ispub) 274 { 275 const unsigned char *p; 276 unsigned char hdr_buf[16], *buf = NULL; 277 unsigned int bitlen, magic, length; 278 int isdss; 279 EVP_PKEY *ret = NULL; 280 281 if (BIO_read(in, hdr_buf, 16) != 16) { 282 PEMerror(PEM_R_KEYBLOB_TOO_SHORT); 283 return NULL; 284 } 285 p = hdr_buf; 286 if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0) 287 return NULL; 288 289 length = blob_length(bitlen, isdss, ispub); 290 buf = malloc(length); 291 if (!buf) { 292 PEMerror(ERR_R_MALLOC_FAILURE); 293 goto err; 294 } 295 p = buf; 296 if (BIO_read(in, buf, length) != (int)length) { 297 PEMerror(PEM_R_KEYBLOB_TOO_SHORT); 298 goto err; 299 } 300 301 if (isdss) 302 ret = b2i_dss(&p, length, bitlen, ispub); 303 else 304 ret = b2i_rsa(&p, length, bitlen, ispub); 305 306 err: 307 free(buf); 308 return ret; 309 } 310 311 static EVP_PKEY * 312 b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, 313 int ispub) 314 { 315 const unsigned char *p = *in; 316 EVP_PKEY *ret = NULL; 317 DSA *dsa = NULL; 318 BN_CTX *ctx = NULL; 319 unsigned int nbyte; 320 321 nbyte = (bitlen + 7) >> 3; 322 323 dsa = DSA_new(); 324 ret = EVP_PKEY_new(); 325 if (!dsa || !ret) 326 goto err; 327 if (!read_lebn(&p, nbyte, &dsa->p)) 328 goto err; 329 if (!read_lebn(&p, 20, &dsa->q)) 330 goto err; 331 if (!read_lebn(&p, nbyte, &dsa->g)) 332 goto err; 333 if (ispub) { 334 if (!read_lebn(&p, nbyte, &dsa->pub_key)) 335 goto err; 336 } else { 337 if (!read_lebn(&p, 20, &dsa->priv_key)) 338 goto err; 339 /* Calculate public key */ 340 if (!(dsa->pub_key = BN_new())) 341 goto err; 342 if (!(ctx = BN_CTX_new())) 343 goto err; 344 if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, 345 dsa->priv_key, dsa->p, ctx)) 346 goto err; 347 BN_CTX_free(ctx); 348 } 349 350 EVP_PKEY_set1_DSA(ret, dsa); 351 DSA_free(dsa); 352 *in = p; 353 return ret; 354 355 err: 356 PEMerror(ERR_R_MALLOC_FAILURE); 357 DSA_free(dsa); 358 EVP_PKEY_free(ret); 359 BN_CTX_free(ctx); 360 return NULL; 361 } 362 363 static EVP_PKEY * 364 b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, 365 int ispub) 366 { 367 const unsigned char *p = *in; 368 EVP_PKEY *ret = NULL; 369 RSA *rsa = NULL; 370 unsigned int nbyte, hnbyte; 371 372 nbyte = (bitlen + 7) >> 3; 373 hnbyte = (bitlen + 15) >> 4; 374 rsa = RSA_new(); 375 ret = EVP_PKEY_new(); 376 if (!rsa || !ret) 377 goto err; 378 rsa->e = BN_new(); 379 if (!rsa->e) 380 goto err; 381 if (!BN_set_word(rsa->e, read_ledword(&p))) 382 goto err; 383 if (!read_lebn(&p, nbyte, &rsa->n)) 384 goto err; 385 if (!ispub) { 386 if (!read_lebn(&p, hnbyte, &rsa->p)) 387 goto err; 388 if (!read_lebn(&p, hnbyte, &rsa->q)) 389 goto err; 390 if (!read_lebn(&p, hnbyte, &rsa->dmp1)) 391 goto err; 392 if (!read_lebn(&p, hnbyte, &rsa->dmq1)) 393 goto err; 394 if (!read_lebn(&p, hnbyte, &rsa->iqmp)) 395 goto err; 396 if (!read_lebn(&p, nbyte, &rsa->d)) 397 goto err; 398 } 399 400 EVP_PKEY_set1_RSA(ret, rsa); 401 RSA_free(rsa); 402 *in = p; 403 return ret; 404 405 err: 406 PEMerror(ERR_R_MALLOC_FAILURE); 407 RSA_free(rsa); 408 EVP_PKEY_free(ret); 409 return NULL; 410 } 411 412 EVP_PKEY * 413 b2i_PrivateKey(const unsigned char **in, long length) 414 { 415 return do_b2i(in, length, 0); 416 } 417 418 EVP_PKEY * 419 b2i_PublicKey(const unsigned char **in, long length) 420 { 421 return do_b2i(in, length, 1); 422 } 423 424 EVP_PKEY * 425 b2i_PrivateKey_bio(BIO *in) 426 { 427 return do_b2i_bio(in, 0); 428 } 429 430 EVP_PKEY * 431 b2i_PublicKey_bio(BIO *in) 432 { 433 return do_b2i_bio(in, 1); 434 } 435 436 static void 437 write_ledword(unsigned char **out, unsigned int dw) 438 { 439 unsigned char *p = *out; 440 441 *p++ = dw & 0xff; 442 *p++ = (dw >> 8) & 0xff; 443 *p++ = (dw >> 16) & 0xff; 444 *p++ = (dw >> 24) & 0xff; 445 *out = p; 446 } 447 448 static void 449 write_lebn(unsigned char **out, const BIGNUM *bn, int len) 450 { 451 int nb, i; 452 unsigned char *p = *out, *q, c; 453 454 nb = BN_num_bytes(bn); 455 BN_bn2bin(bn, p); 456 q = p + nb - 1; 457 /* In place byte order reversal */ 458 for (i = 0; i < nb / 2; i++) { 459 c = *p; 460 *p++ = *q; 461 *q-- = c; 462 } 463 *out += nb; 464 /* Pad with zeroes if we have to */ 465 if (len > 0) { 466 len -= nb; 467 if (len > 0) { 468 memset(*out, 0, len); 469 *out += len; 470 } 471 } 472 } 473 474 475 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); 476 static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); 477 478 static void write_rsa(unsigned char **out, RSA *rsa, int ispub); 479 static void write_dsa(unsigned char **out, DSA *dsa, int ispub); 480 481 static int 482 do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) 483 { 484 unsigned char *p; 485 unsigned int bitlen, magic = 0, keyalg; 486 int outlen, noinc = 0; 487 488 if (pk->type == EVP_PKEY_DSA) { 489 bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); 490 keyalg = MS_KEYALG_DSS_SIGN; 491 } else if (pk->type == EVP_PKEY_RSA) { 492 bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); 493 keyalg = MS_KEYALG_RSA_KEYX; 494 } else 495 return -1; 496 if (bitlen == 0) 497 return -1; 498 outlen = 16 + blob_length(bitlen, 499 keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); 500 if (out == NULL) 501 return outlen; 502 if (*out) 503 p = *out; 504 else { 505 p = malloc(outlen); 506 if (!p) 507 return -1; 508 *out = p; 509 noinc = 1; 510 } 511 if (ispub) 512 *p++ = MS_PUBLICKEYBLOB; 513 else 514 *p++ = MS_PRIVATEKEYBLOB; 515 *p++ = 0x2; 516 *p++ = 0; 517 *p++ = 0; 518 write_ledword(&p, keyalg); 519 write_ledword(&p, magic); 520 write_ledword(&p, bitlen); 521 if (keyalg == MS_KEYALG_DSS_SIGN) 522 write_dsa(&p, pk->pkey.dsa, ispub); 523 else 524 write_rsa(&p, pk->pkey.rsa, ispub); 525 if (!noinc) 526 *out += outlen; 527 return outlen; 528 } 529 530 static int 531 do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) 532 { 533 unsigned char *tmp = NULL; 534 int outlen, wrlen; 535 536 outlen = do_i2b(&tmp, pk, ispub); 537 if (outlen < 0) 538 return -1; 539 wrlen = BIO_write(out, tmp, outlen); 540 free(tmp); 541 if (wrlen == outlen) 542 return outlen; 543 return -1; 544 } 545 546 static int 547 check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) 548 { 549 int bitlen; 550 551 bitlen = BN_num_bits(dsa->p); 552 if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) || 553 (BN_num_bits(dsa->g) > bitlen)) 554 goto err; 555 if (ispub) { 556 if (BN_num_bits(dsa->pub_key) > bitlen) 557 goto err; 558 *pmagic = MS_DSS1MAGIC; 559 } else { 560 if (BN_num_bits(dsa->priv_key) > 160) 561 goto err; 562 *pmagic = MS_DSS2MAGIC; 563 } 564 565 return bitlen; 566 567 err: 568 PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); 569 return 0; 570 } 571 572 static int 573 check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) 574 { 575 int nbyte, hnbyte, bitlen; 576 577 if (BN_num_bits(rsa->e) > 32) 578 goto err; 579 bitlen = BN_num_bits(rsa->n); 580 nbyte = BN_num_bytes(rsa->n); 581 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 582 if (ispub) { 583 *pmagic = MS_RSA1MAGIC; 584 return bitlen; 585 } else { 586 *pmagic = MS_RSA2MAGIC; 587 /* For private key each component must fit within nbyte or 588 * hnbyte. 589 */ 590 if (BN_num_bytes(rsa->d) > nbyte) 591 goto err; 592 if ((BN_num_bytes(rsa->iqmp) > hnbyte) || 593 (BN_num_bytes(rsa->p) > hnbyte) || 594 (BN_num_bytes(rsa->q) > hnbyte) || 595 (BN_num_bytes(rsa->dmp1) > hnbyte) || 596 (BN_num_bytes(rsa->dmq1) > hnbyte)) 597 goto err; 598 } 599 return bitlen; 600 601 err: 602 PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); 603 return 0; 604 } 605 606 static void 607 write_rsa(unsigned char **out, RSA *rsa, int ispub) 608 { 609 int nbyte, hnbyte; 610 611 nbyte = BN_num_bytes(rsa->n); 612 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 613 write_lebn(out, rsa->e, 4); 614 write_lebn(out, rsa->n, -1); 615 if (ispub) 616 return; 617 write_lebn(out, rsa->p, hnbyte); 618 write_lebn(out, rsa->q, hnbyte); 619 write_lebn(out, rsa->dmp1, hnbyte); 620 write_lebn(out, rsa->dmq1, hnbyte); 621 write_lebn(out, rsa->iqmp, hnbyte); 622 write_lebn(out, rsa->d, nbyte); 623 } 624 625 static void 626 write_dsa(unsigned char **out, DSA *dsa, int ispub) 627 { 628 int nbyte; 629 630 nbyte = BN_num_bytes(dsa->p); 631 write_lebn(out, dsa->p, nbyte); 632 write_lebn(out, dsa->q, 20); 633 write_lebn(out, dsa->g, nbyte); 634 if (ispub) 635 write_lebn(out, dsa->pub_key, nbyte); 636 else 637 write_lebn(out, dsa->priv_key, 20); 638 /* Set "invalid" for seed structure values */ 639 memset(*out, 0xff, 24); 640 *out += 24; 641 return; 642 } 643 644 int 645 i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk) 646 { 647 return do_i2b_bio(out, pk, 0); 648 } 649 650 int 651 i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk) 652 { 653 return do_i2b_bio(out, pk, 1); 654 } 655 656 #ifndef OPENSSL_NO_RC4 657 658 static int 659 do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic, 660 unsigned int *psaltlen, unsigned int *pkeylen) 661 { 662 const unsigned char *p = *in; 663 unsigned int pvk_magic, is_encrypted; 664 665 if (skip_magic) { 666 if (length < 20) { 667 PEMerror(PEM_R_PVK_TOO_SHORT); 668 return 0; 669 } 670 length -= 20; 671 } else { 672 if (length < 24) { 673 PEMerror(PEM_R_PVK_TOO_SHORT); 674 return 0; 675 } 676 length -= 24; 677 pvk_magic = read_ledword(&p); 678 if (pvk_magic != MS_PVKMAGIC) { 679 PEMerror(PEM_R_BAD_MAGIC_NUMBER); 680 return 0; 681 } 682 } 683 /* Skip reserved */ 684 p += 4; 685 /*keytype = */read_ledword(&p); 686 is_encrypted = read_ledword(&p); 687 *psaltlen = read_ledword(&p); 688 *pkeylen = read_ledword(&p); 689 if (*psaltlen > 65536 || *pkeylen > 65536) { 690 PEMerror(PEM_R_ERROR_CONVERTING_PRIVATE_KEY); 691 return 0; 692 } 693 694 if (is_encrypted && !*psaltlen) { 695 PEMerror(PEM_R_INCONSISTENT_HEADER); 696 return 0; 697 } 698 699 *in = p; 700 return 1; 701 } 702 703 static int 704 derive_pvk_key(unsigned char *key, const unsigned char *salt, 705 unsigned int saltlen, const unsigned char *pass, int passlen) 706 { 707 EVP_MD_CTX mctx; 708 int rv = 1; 709 710 EVP_MD_CTX_init(&mctx); 711 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) || 712 !EVP_DigestUpdate(&mctx, salt, saltlen) || 713 !EVP_DigestUpdate(&mctx, pass, passlen) || 714 !EVP_DigestFinal_ex(&mctx, key, NULL)) 715 rv = 0; 716 717 EVP_MD_CTX_cleanup(&mctx); 718 return rv; 719 } 720 721 static EVP_PKEY * 722 do_PVK_body(const unsigned char **in, unsigned int saltlen, 723 unsigned int keylen, pem_password_cb *cb, void *u) 724 { 725 EVP_PKEY *ret = NULL; 726 const unsigned char *p = *in; 727 unsigned int magic; 728 unsigned char *enctmp = NULL, *q; 729 EVP_CIPHER_CTX *cctx = NULL; 730 731 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { 732 PEMerror(ERR_R_MALLOC_FAILURE); 733 goto err; 734 } 735 if (saltlen) { 736 char psbuf[PEM_BUFSIZE]; 737 unsigned char keybuf[20]; 738 int enctmplen, inlen; 739 740 if (cb) 741 inlen = cb(psbuf, PEM_BUFSIZE, 0, u); 742 else 743 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); 744 if (inlen <= 0) { 745 PEMerror(PEM_R_BAD_PASSWORD_READ); 746 goto err; 747 } 748 enctmp = malloc(keylen + 8); 749 if (!enctmp) { 750 PEMerror(ERR_R_MALLOC_FAILURE); 751 goto err; 752 } 753 if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, 754 inlen)) { 755 goto err; 756 } 757 p += saltlen; 758 /* Copy BLOBHEADER across, decrypt rest */ 759 memcpy(enctmp, p, 8); 760 p += 8; 761 if (keylen < 8) { 762 PEMerror(PEM_R_PVK_TOO_SHORT); 763 goto err; 764 } 765 inlen = keylen - 8; 766 q = enctmp + 8; 767 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) 768 goto err; 769 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) 770 goto err; 771 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) 772 goto err; 773 magic = read_ledword((const unsigned char **)&q); 774 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 775 q = enctmp + 8; 776 memset(keybuf + 5, 0, 11); 777 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, 778 NULL)) 779 goto err; 780 explicit_bzero(keybuf, 20); 781 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) 782 goto err; 783 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, 784 &enctmplen)) 785 goto err; 786 magic = read_ledword((const unsigned char **)&q); 787 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 788 PEMerror(PEM_R_BAD_DECRYPT); 789 goto err; 790 } 791 } else 792 explicit_bzero(keybuf, 20); 793 p = enctmp; 794 } 795 796 ret = b2i_PrivateKey(&p, keylen); 797 798 err: 799 EVP_CIPHER_CTX_free(cctx); 800 if (enctmp && saltlen) 801 free(enctmp); 802 return ret; 803 } 804 805 806 EVP_PKEY * 807 b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 808 { 809 unsigned char pvk_hdr[24], *buf = NULL; 810 const unsigned char *p; 811 size_t buflen; 812 EVP_PKEY *ret = NULL; 813 unsigned int saltlen, keylen; 814 815 if (BIO_read(in, pvk_hdr, 24) != 24) { 816 PEMerror(PEM_R_PVK_DATA_TOO_SHORT); 817 return NULL; 818 } 819 p = pvk_hdr; 820 821 if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen)) 822 return 0; 823 buflen = keylen + saltlen; 824 buf = malloc(buflen); 825 if (!buf) { 826 PEMerror(ERR_R_MALLOC_FAILURE); 827 return 0; 828 } 829 p = buf; 830 if (BIO_read(in, buf, buflen) != buflen) { 831 PEMerror(PEM_R_PVK_DATA_TOO_SHORT); 832 goto err; 833 } 834 ret = do_PVK_body(&p, saltlen, keylen, cb, u); 835 836 err: 837 freezero(buf, buflen); 838 return ret; 839 } 840 841 static int 842 i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, 843 void *u) 844 { 845 int outlen = 24, pklen; 846 unsigned char *p = NULL, *start = NULL, *salt = NULL; 847 EVP_CIPHER_CTX *cctx = NULL; 848 849 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { 850 PEMerror(ERR_R_MALLOC_FAILURE); 851 goto err; 852 } 853 if (enclevel != 0) 854 outlen += PVK_SALTLEN; 855 pklen = do_i2b(NULL, pk, 0); 856 if (pklen < 0) 857 goto err; 858 outlen += pklen; 859 start = p = malloc(outlen); 860 if (!p) { 861 PEMerror(ERR_R_MALLOC_FAILURE); 862 goto err; 863 } 864 865 write_ledword(&p, MS_PVKMAGIC); 866 write_ledword(&p, 0); 867 if (pk->type == EVP_PKEY_DSA) 868 write_ledword(&p, MS_KEYTYPE_SIGN); 869 else 870 write_ledword(&p, MS_KEYTYPE_KEYX); 871 write_ledword(&p, enclevel ? 1 : 0); 872 write_ledword(&p, enclevel ? PVK_SALTLEN : 0); 873 write_ledword(&p, pklen); 874 if (enclevel != 0) { 875 arc4random_buf(p, PVK_SALTLEN); 876 salt = p; 877 p += PVK_SALTLEN; 878 } 879 do_i2b(&p, pk, 0); 880 if (enclevel != 0) { 881 char psbuf[PEM_BUFSIZE]; 882 unsigned char keybuf[20]; 883 int enctmplen, inlen; 884 if (cb) 885 inlen = cb(psbuf, PEM_BUFSIZE, 1, u); 886 else 887 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); 888 if (inlen <= 0) { 889 PEMerror(PEM_R_BAD_PASSWORD_READ); 890 goto err; 891 } 892 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, 893 (unsigned char *)psbuf, inlen)) 894 goto err; 895 if (enclevel == 1) 896 memset(keybuf + 5, 0, 11); 897 p = salt + PVK_SALTLEN + 8; 898 if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) 899 goto err; 900 explicit_bzero(keybuf, 20); 901 if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8)) 902 goto err; 903 if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen)) 904 goto err; 905 } 906 EVP_CIPHER_CTX_free(cctx); 907 *out = start; 908 return outlen; 909 910 err: 911 EVP_CIPHER_CTX_free(cctx); 912 free(start); 913 return -1; 914 } 915 916 int 917 i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u) 918 { 919 unsigned char *tmp = NULL; 920 int outlen, wrlen; 921 922 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u); 923 if (outlen < 0) 924 return -1; 925 wrlen = BIO_write(out, tmp, outlen); 926 free(tmp); 927 if (wrlen != outlen) { 928 PEMerror(PEM_R_BIO_WRITE_FAILURE); 929 return -1; 930 } 931 return outlen; 932 } 933 934 #endif 935 936 #endif 937