1 /* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2005. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 /* Support for PVK format keys and related structures (such a PUBLICKEYBLOB 60 * and PRIVATEKEYBLOB). 61 */ 62 63 #include <stdlib.h> 64 #include <string.h> 65 66 #include <openssl/opensslconf.h> 67 68 #include <openssl/bn.h> 69 #include <openssl/err.h> 70 #include <openssl/pem.h> 71 72 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) 73 #include <openssl/dsa.h> 74 #include <openssl/rsa.h> 75 76 /* Utility function: read a DWORD (4 byte unsigned integer) in little endian 77 * format 78 */ 79 80 static unsigned int 81 read_ledword(const unsigned char **in) 82 { 83 const unsigned char *p = *in; 84 unsigned int ret; 85 86 ret = *p++; 87 ret |= (*p++ << 8); 88 ret |= (*p++ << 16); 89 ret |= (*p++ << 24); 90 *in = p; 91 return ret; 92 } 93 94 /* Read a BIGNUM in little endian format. The docs say that this should take up 95 * bitlen/8 bytes. 96 */ 97 98 static int 99 read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) 100 { 101 const unsigned char *p; 102 unsigned char *tmpbuf, *q; 103 unsigned int i; 104 105 p = *in + nbyte - 1; 106 tmpbuf = malloc(nbyte); 107 if (!tmpbuf) 108 return 0; 109 q = tmpbuf; 110 for (i = 0; i < nbyte; i++) 111 *q++ = *p--; 112 *r = BN_bin2bn(tmpbuf, nbyte, NULL); 113 free(tmpbuf); 114 if (*r) { 115 *in += nbyte; 116 return 1; 117 } else 118 return 0; 119 } 120 121 122 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ 123 124 #define MS_PUBLICKEYBLOB 0x6 125 #define MS_PRIVATEKEYBLOB 0x7 126 #define MS_RSA1MAGIC 0x31415352L 127 #define MS_RSA2MAGIC 0x32415352L 128 #define MS_DSS1MAGIC 0x31535344L 129 #define MS_DSS2MAGIC 0x32535344L 130 131 #define MS_KEYALG_RSA_KEYX 0xa400 132 #define MS_KEYALG_DSS_SIGN 0x2200 133 134 #define MS_KEYTYPE_KEYX 0x1 135 #define MS_KEYTYPE_SIGN 0x2 136 137 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ 138 #define MS_PVKMAGIC 0xb0b5f11eL 139 /* Salt length for PVK files */ 140 #define PVK_SALTLEN 0x10 141 142 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, 143 unsigned int bitlen, int ispub); 144 static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, 145 unsigned int bitlen, int ispub); 146 147 static int 148 do_blob_header(const unsigned char **in, unsigned int length, 149 unsigned int *pmagic, unsigned int *pbitlen, int *pisdss, int *pispub) 150 { 151 const unsigned char *p = *in; 152 153 if (length < 16) 154 return 0; 155 /* bType */ 156 if (*p == MS_PUBLICKEYBLOB) { 157 if (*pispub == 0) { 158 PEMerr(PEM_F_DO_BLOB_HEADER, 159 PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 160 return 0; 161 } 162 *pispub = 1; 163 } else if (*p == MS_PRIVATEKEYBLOB) { 164 if (*pispub == 1) { 165 PEMerr(PEM_F_DO_BLOB_HEADER, 166 PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 167 return 0; 168 } 169 *pispub = 0; 170 } else 171 return 0; 172 p++; 173 /* Version */ 174 if (*p++ != 0x2) { 175 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_VERSION_NUMBER); 176 return 0; 177 } 178 /* Ignore reserved, aiKeyAlg */ 179 p += 6; 180 *pmagic = read_ledword(&p); 181 *pbitlen = read_ledword(&p); 182 if (*pbitlen > 65536) { 183 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_INCONSISTENT_HEADER); 184 return 0; 185 } 186 *pisdss = 0; 187 switch (*pmagic) { 188 189 case MS_DSS1MAGIC: 190 *pisdss = 1; 191 case MS_RSA1MAGIC: 192 if (*pispub == 0) { 193 PEMerr(PEM_F_DO_BLOB_HEADER, 194 PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 195 return 0; 196 } 197 break; 198 199 case MS_DSS2MAGIC: 200 *pisdss = 1; 201 case MS_RSA2MAGIC: 202 if (*pispub == 1) { 203 PEMerr(PEM_F_DO_BLOB_HEADER, 204 PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 205 return 0; 206 } 207 break; 208 209 default: 210 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_MAGIC_NUMBER); 211 return -1; 212 } 213 *in = p; 214 return 1; 215 } 216 217 static unsigned int 218 blob_length(unsigned bitlen, int isdss, int ispub) 219 { 220 unsigned int nbyte, hnbyte; 221 222 nbyte = (bitlen + 7) >> 3; 223 hnbyte = (bitlen + 15) >> 4; 224 if (isdss) { 225 226 /* Expected length: 20 for q + 3 components bitlen each + 24 227 * for seed structure. 228 */ 229 if (ispub) 230 return 44 + 3 * nbyte; 231 /* Expected length: 20 for q, priv, 2 bitlen components + 24 232 * for seed structure. 233 */ 234 else 235 return 64 + 2 * nbyte; 236 } else { 237 /* Expected length: 4 for 'e' + 'n' */ 238 if (ispub) 239 return 4 + nbyte; 240 else 241 /* Expected length: 4 for 'e' and 7 other components. 242 * 2 components are bitlen size, 5 are bitlen/2 243 */ 244 return 4 + 2*nbyte + 5*hnbyte; 245 } 246 247 } 248 249 static EVP_PKEY * 250 do_b2i(const unsigned char **in, unsigned int length, int ispub) 251 { 252 const unsigned char *p = *in; 253 unsigned int bitlen, magic; 254 int isdss; 255 256 if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) { 257 PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_HEADER_PARSE_ERROR); 258 return NULL; 259 } 260 length -= 16; 261 if (length < blob_length(bitlen, isdss, ispub)) { 262 PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_TOO_SHORT); 263 return NULL; 264 } 265 if (isdss) 266 return b2i_dss(&p, length, bitlen, ispub); 267 else 268 return b2i_rsa(&p, length, bitlen, ispub); 269 } 270 271 static EVP_PKEY * 272 do_b2i_bio(BIO *in, int ispub) 273 { 274 const unsigned char *p; 275 unsigned char hdr_buf[16], *buf = NULL; 276 unsigned int bitlen, magic, length; 277 int isdss; 278 EVP_PKEY *ret = NULL; 279 280 if (BIO_read(in, hdr_buf, 16) != 16) { 281 PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT); 282 return NULL; 283 } 284 p = hdr_buf; 285 if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0) 286 return NULL; 287 288 length = blob_length(bitlen, isdss, ispub); 289 buf = malloc(length); 290 if (!buf) { 291 PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE); 292 goto err; 293 } 294 p = buf; 295 if (BIO_read(in, buf, length) != (int)length) { 296 PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT); 297 goto err; 298 } 299 300 if (isdss) 301 ret = b2i_dss(&p, length, bitlen, ispub); 302 else 303 ret = b2i_rsa(&p, length, bitlen, ispub); 304 305 err: 306 free(buf); 307 return ret; 308 } 309 310 static EVP_PKEY * 311 b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, 312 int ispub) 313 { 314 const unsigned char *p = *in; 315 EVP_PKEY *ret = NULL; 316 DSA *dsa = NULL; 317 BN_CTX *ctx = NULL; 318 unsigned int nbyte; 319 320 nbyte = (bitlen + 7) >> 3; 321 322 dsa = DSA_new(); 323 ret = EVP_PKEY_new(); 324 if (!dsa || !ret) 325 goto memerr; 326 if (!read_lebn(&p, nbyte, &dsa->p)) 327 goto memerr; 328 if (!read_lebn(&p, 20, &dsa->q)) 329 goto memerr; 330 if (!read_lebn(&p, nbyte, &dsa->g)) 331 goto memerr; 332 if (ispub) { 333 if (!read_lebn(&p, nbyte, &dsa->pub_key)) 334 goto memerr; 335 } else { 336 if (!read_lebn(&p, 20, &dsa->priv_key)) 337 goto memerr; 338 /* Calculate public key */ 339 if (!(dsa->pub_key = BN_new())) 340 goto memerr; 341 if (!(ctx = BN_CTX_new())) 342 goto memerr; 343 if (!BN_mod_exp(dsa->pub_key, dsa->g, 344 dsa->priv_key, dsa->p, ctx)) 345 goto memerr; 346 BN_CTX_free(ctx); 347 } 348 349 EVP_PKEY_set1_DSA(ret, dsa); 350 DSA_free(dsa); 351 *in = p; 352 return ret; 353 354 memerr: 355 PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE); 356 DSA_free(dsa); 357 EVP_PKEY_free(ret); 358 BN_CTX_free(ctx); 359 return NULL; 360 } 361 362 static EVP_PKEY * 363 b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, 364 int ispub) 365 { 366 const unsigned char *p = *in; 367 EVP_PKEY *ret = NULL; 368 RSA *rsa = NULL; 369 unsigned int nbyte, hnbyte; 370 371 nbyte = (bitlen + 7) >> 3; 372 hnbyte = (bitlen + 15) >> 4; 373 rsa = RSA_new(); 374 ret = EVP_PKEY_new(); 375 if (!rsa || !ret) 376 goto memerr; 377 rsa->e = BN_new(); 378 if (!rsa->e) 379 goto memerr; 380 if (!BN_set_word(rsa->e, read_ledword(&p))) 381 goto memerr; 382 if (!read_lebn(&p, nbyte, &rsa->n)) 383 goto memerr; 384 if (!ispub) { 385 if (!read_lebn(&p, hnbyte, &rsa->p)) 386 goto memerr; 387 if (!read_lebn(&p, hnbyte, &rsa->q)) 388 goto memerr; 389 if (!read_lebn(&p, hnbyte, &rsa->dmp1)) 390 goto memerr; 391 if (!read_lebn(&p, hnbyte, &rsa->dmq1)) 392 goto memerr; 393 if (!read_lebn(&p, hnbyte, &rsa->iqmp)) 394 goto memerr; 395 if (!read_lebn(&p, nbyte, &rsa->d)) 396 goto memerr; 397 } 398 399 EVP_PKEY_set1_RSA(ret, rsa); 400 RSA_free(rsa); 401 *in = p; 402 return ret; 403 404 memerr: 405 PEMerr(PEM_F_B2I_RSA, ERR_R_MALLOC_FAILURE); 406 RSA_free(rsa); 407 EVP_PKEY_free(ret); 408 return NULL; 409 } 410 411 EVP_PKEY * 412 b2i_PrivateKey(const unsigned char **in, long length) 413 { 414 return do_b2i(in, length, 0); 415 } 416 417 EVP_PKEY * 418 b2i_PublicKey(const unsigned char **in, long length) 419 { 420 return do_b2i(in, length, 1); 421 } 422 423 EVP_PKEY * 424 b2i_PrivateKey_bio(BIO *in) 425 { 426 return do_b2i_bio(in, 0); 427 } 428 429 EVP_PKEY * 430 b2i_PublicKey_bio(BIO *in) 431 { 432 return do_b2i_bio(in, 1); 433 } 434 435 static void 436 write_ledword(unsigned char **out, unsigned int dw) 437 { 438 unsigned char *p = *out; 439 440 *p++ = dw & 0xff; 441 *p++ = (dw >> 8) & 0xff; 442 *p++ = (dw >> 16) & 0xff; 443 *p++ = (dw >> 24) & 0xff; 444 *out = p; 445 } 446 447 static void 448 write_lebn(unsigned char **out, const BIGNUM *bn, int len) 449 { 450 int nb, i; 451 unsigned char *p = *out, *q, c; 452 453 nb = BN_num_bytes(bn); 454 BN_bn2bin(bn, p); 455 q = p + nb - 1; 456 /* In place byte order reversal */ 457 for (i = 0; i < nb / 2; i++) { 458 c = *p; 459 *p++ = *q; 460 *q-- = c; 461 } 462 *out += nb; 463 /* Pad with zeroes if we have to */ 464 if (len > 0) { 465 len -= nb; 466 if (len > 0) { 467 memset(*out, 0, len); 468 *out += len; 469 } 470 } 471 } 472 473 474 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); 475 static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); 476 477 static void write_rsa(unsigned char **out, RSA *rsa, int ispub); 478 static void write_dsa(unsigned char **out, DSA *dsa, int ispub); 479 480 static int 481 do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) 482 { 483 unsigned char *p; 484 unsigned int bitlen, magic = 0, keyalg; 485 int outlen, noinc = 0; 486 487 if (pk->type == EVP_PKEY_DSA) { 488 bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); 489 keyalg = MS_KEYALG_DSS_SIGN; 490 } else if (pk->type == EVP_PKEY_RSA) { 491 bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); 492 keyalg = MS_KEYALG_RSA_KEYX; 493 } else 494 return -1; 495 if (bitlen == 0) 496 return -1; 497 outlen = 16 + blob_length(bitlen, 498 keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); 499 if (out == NULL) 500 return outlen; 501 if (*out) 502 p = *out; 503 else { 504 p = malloc(outlen); 505 if (!p) 506 return -1; 507 *out = p; 508 noinc = 1; 509 } 510 if (ispub) 511 *p++ = MS_PUBLICKEYBLOB; 512 else 513 *p++ = MS_PRIVATEKEYBLOB; 514 *p++ = 0x2; 515 *p++ = 0; 516 *p++ = 0; 517 write_ledword(&p, keyalg); 518 write_ledword(&p, magic); 519 write_ledword(&p, bitlen); 520 if (keyalg == MS_KEYALG_DSS_SIGN) 521 write_dsa(&p, pk->pkey.dsa, ispub); 522 else 523 write_rsa(&p, pk->pkey.rsa, ispub); 524 if (!noinc) 525 *out += outlen; 526 return outlen; 527 } 528 529 static int 530 do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) 531 { 532 unsigned char *tmp = NULL; 533 int outlen, wrlen; 534 535 outlen = do_i2b(&tmp, pk, ispub); 536 if (outlen < 0) 537 return -1; 538 wrlen = BIO_write(out, tmp, outlen); 539 free(tmp); 540 if (wrlen == outlen) 541 return outlen; 542 return -1; 543 } 544 545 static int 546 check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) 547 { 548 int bitlen; 549 550 bitlen = BN_num_bits(dsa->p); 551 if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) || 552 (BN_num_bits(dsa->g) > bitlen)) 553 goto badkey; 554 if (ispub) { 555 if (BN_num_bits(dsa->pub_key) > bitlen) 556 goto badkey; 557 *pmagic = MS_DSS1MAGIC; 558 } else { 559 if (BN_num_bits(dsa->priv_key) > 160) 560 goto badkey; 561 *pmagic = MS_DSS2MAGIC; 562 } 563 564 return bitlen; 565 566 badkey: 567 PEMerr(PEM_F_CHECK_BITLEN_DSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 568 return 0; 569 } 570 571 static int 572 check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) 573 { 574 int nbyte, hnbyte, bitlen; 575 576 if (BN_num_bits(rsa->e) > 32) 577 goto badkey; 578 bitlen = BN_num_bits(rsa->n); 579 nbyte = BN_num_bytes(rsa->n); 580 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 581 if (ispub) { 582 *pmagic = MS_RSA1MAGIC; 583 return bitlen; 584 } else { 585 *pmagic = MS_RSA2MAGIC; 586 /* For private key each component must fit within nbyte or 587 * hnbyte. 588 */ 589 if (BN_num_bytes(rsa->d) > nbyte) 590 goto badkey; 591 if ((BN_num_bytes(rsa->iqmp) > hnbyte) || 592 (BN_num_bytes(rsa->p) > hnbyte) || 593 (BN_num_bytes(rsa->q) > hnbyte) || 594 (BN_num_bytes(rsa->dmp1) > hnbyte) || 595 (BN_num_bytes(rsa->dmq1) > hnbyte)) 596 goto badkey; 597 } 598 return bitlen; 599 600 badkey: 601 PEMerr(PEM_F_CHECK_BITLEN_RSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 602 return 0; 603 } 604 605 static void 606 write_rsa(unsigned char **out, RSA *rsa, int ispub) 607 { 608 int nbyte, hnbyte; 609 610 nbyte = BN_num_bytes(rsa->n); 611 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 612 write_lebn(out, rsa->e, 4); 613 write_lebn(out, rsa->n, -1); 614 if (ispub) 615 return; 616 write_lebn(out, rsa->p, hnbyte); 617 write_lebn(out, rsa->q, hnbyte); 618 write_lebn(out, rsa->dmp1, hnbyte); 619 write_lebn(out, rsa->dmq1, hnbyte); 620 write_lebn(out, rsa->iqmp, hnbyte); 621 write_lebn(out, rsa->d, nbyte); 622 } 623 624 static void 625 write_dsa(unsigned char **out, DSA *dsa, int ispub) 626 { 627 int nbyte; 628 629 nbyte = BN_num_bytes(dsa->p); 630 write_lebn(out, dsa->p, nbyte); 631 write_lebn(out, dsa->q, 20); 632 write_lebn(out, dsa->g, nbyte); 633 if (ispub) 634 write_lebn(out, dsa->pub_key, nbyte); 635 else 636 write_lebn(out, dsa->priv_key, 20); 637 /* Set "invalid" for seed structure values */ 638 memset(*out, 0xff, 24); 639 *out += 24; 640 return; 641 } 642 643 int 644 i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk) 645 { 646 return do_i2b_bio(out, pk, 0); 647 } 648 649 int 650 i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk) 651 { 652 return do_i2b_bio(out, pk, 1); 653 } 654 655 #ifndef OPENSSL_NO_RC4 656 657 static int 658 do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic, 659 unsigned int *psaltlen, unsigned int *pkeylen) 660 { 661 const unsigned char *p = *in; 662 unsigned int pvk_magic, is_encrypted; 663 664 if (skip_magic) { 665 if (length < 20) { 666 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); 667 return 0; 668 } 669 length -= 20; 670 } else { 671 if (length < 24) { 672 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); 673 return 0; 674 } 675 length -= 24; 676 pvk_magic = read_ledword(&p); 677 if (pvk_magic != MS_PVKMAGIC) { 678 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER); 679 return 0; 680 } 681 } 682 /* Skip reserved */ 683 p += 4; 684 /*keytype = */read_ledword(&p); 685 is_encrypted = read_ledword(&p); 686 *psaltlen = read_ledword(&p); 687 *pkeylen = read_ledword(&p); 688 if (*psaltlen > 65536 || *pkeylen > 65536) { 689 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_ERROR_CONVERTING_PRIVATE_KEY); 690 return 0; 691 } 692 693 if (is_encrypted && !*psaltlen) { 694 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER); 695 return 0; 696 } 697 698 *in = p; 699 return 1; 700 } 701 702 static int 703 derive_pvk_key(unsigned char *key, const unsigned char *salt, 704 unsigned int saltlen, const unsigned char *pass, int passlen) 705 { 706 EVP_MD_CTX mctx; 707 int rv = 1; 708 709 EVP_MD_CTX_init(&mctx); 710 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) || 711 !EVP_DigestUpdate(&mctx, salt, saltlen) || 712 !EVP_DigestUpdate(&mctx, pass, passlen) || 713 !EVP_DigestFinal_ex(&mctx, key, NULL)) 714 rv = 0; 715 716 EVP_MD_CTX_cleanup(&mctx); 717 return rv; 718 } 719 720 static EVP_PKEY * 721 do_PVK_body(const unsigned char **in, unsigned int saltlen, 722 unsigned int keylen, pem_password_cb *cb, void *u) 723 { 724 EVP_PKEY *ret = NULL; 725 const unsigned char *p = *in; 726 unsigned int magic; 727 unsigned char *enctmp = NULL, *q; 728 EVP_CIPHER_CTX cctx; 729 730 EVP_CIPHER_CTX_init(&cctx); 731 if (saltlen) { 732 char psbuf[PEM_BUFSIZE]; 733 unsigned char keybuf[20]; 734 int enctmplen, inlen; 735 736 if (cb) 737 inlen = cb(psbuf, PEM_BUFSIZE, 0, u); 738 else 739 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); 740 if (inlen <= 0) { 741 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); 742 goto err; 743 } 744 enctmp = malloc(keylen + 8); 745 if (!enctmp) { 746 PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); 747 goto err; 748 } 749 if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, 750 inlen)) { 751 goto err; 752 } 753 p += saltlen; 754 /* Copy BLOBHEADER across, decrypt rest */ 755 memcpy(enctmp, p, 8); 756 p += 8; 757 if (keylen < 8) { 758 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); 759 goto err; 760 } 761 inlen = keylen - 8; 762 q = enctmp + 8; 763 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 764 goto err; 765 if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) 766 goto err; 767 if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) 768 goto err; 769 magic = read_ledword((const unsigned char **)&q); 770 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 771 q = enctmp + 8; 772 memset(keybuf + 5, 0, 11); 773 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, 774 NULL)) 775 goto err; 776 explicit_bzero(keybuf, 20); 777 if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) 778 goto err; 779 if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, 780 &enctmplen)) 781 goto err; 782 magic = read_ledword((const unsigned char **)&q); 783 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 784 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT); 785 goto err; 786 } 787 } else 788 explicit_bzero(keybuf, 20); 789 p = enctmp; 790 } 791 792 ret = b2i_PrivateKey(&p, keylen); 793 794 err: 795 EVP_CIPHER_CTX_cleanup(&cctx); 796 if (enctmp && saltlen) 797 free(enctmp); 798 return ret; 799 } 800 801 802 EVP_PKEY * 803 b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 804 { 805 unsigned char pvk_hdr[24], *buf = NULL; 806 const unsigned char *p; 807 size_t buflen; 808 EVP_PKEY *ret = NULL; 809 unsigned int saltlen, keylen; 810 811 if (BIO_read(in, pvk_hdr, 24) != 24) { 812 PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT); 813 return NULL; 814 } 815 p = pvk_hdr; 816 817 if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen)) 818 return 0; 819 buflen = keylen + saltlen; 820 buf = malloc(buflen); 821 if (!buf) { 822 PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE); 823 return 0; 824 } 825 p = buf; 826 if (BIO_read(in, buf, buflen) != buflen) { 827 PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT); 828 goto err; 829 } 830 ret = do_PVK_body(&p, saltlen, keylen, cb, u); 831 832 err: 833 if (buf) { 834 explicit_bzero(buf, buflen); 835 free(buf); 836 } 837 return ret; 838 } 839 840 static int 841 i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, 842 void *u) 843 { 844 int outlen = 24, pklen; 845 unsigned char *p, *salt = NULL; 846 EVP_CIPHER_CTX cctx; 847 848 EVP_CIPHER_CTX_init(&cctx); 849 if (enclevel) 850 outlen += PVK_SALTLEN; 851 pklen = do_i2b(NULL, pk, 0); 852 if (pklen < 0) 853 return -1; 854 outlen += pklen; 855 if (!out) 856 return outlen; 857 if (*out) 858 p = *out; 859 else { 860 p = malloc(outlen); 861 if (!p) { 862 PEMerr(PEM_F_I2B_PVK, ERR_R_MALLOC_FAILURE); 863 return -1; 864 } 865 *out = p; 866 } 867 868 write_ledword(&p, MS_PVKMAGIC); 869 write_ledword(&p, 0); 870 if (pk->type == EVP_PKEY_DSA) 871 write_ledword(&p, MS_KEYTYPE_SIGN); 872 else 873 write_ledword(&p, MS_KEYTYPE_KEYX); 874 write_ledword(&p, enclevel ? 1 : 0); 875 write_ledword(&p, enclevel ? PVK_SALTLEN : 0); 876 write_ledword(&p, pklen); 877 if (enclevel) { 878 arc4random_buf(p, PVK_SALTLEN); 879 salt = p; 880 p += PVK_SALTLEN; 881 } 882 do_i2b(&p, pk, 0); 883 if (enclevel == 0) 884 return outlen; 885 else { 886 char psbuf[PEM_BUFSIZE]; 887 unsigned char keybuf[20]; 888 int enctmplen, inlen; 889 if (cb) 890 inlen = cb(psbuf, PEM_BUFSIZE, 1, u); 891 else 892 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); 893 if (inlen <= 0) { 894 PEMerr(PEM_F_I2B_PVK, PEM_R_BAD_PASSWORD_READ); 895 goto error; 896 } 897 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, 898 (unsigned char *)psbuf, inlen)) 899 goto error; 900 if (enclevel == 1) 901 memset(keybuf + 5, 0, 11); 902 p = salt + PVK_SALTLEN + 8; 903 if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 904 goto error; 905 explicit_bzero(keybuf, 20); 906 if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8)) 907 goto error; 908 if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen)) 909 goto error; 910 } 911 EVP_CIPHER_CTX_cleanup(&cctx); 912 return outlen; 913 914 error: 915 EVP_CIPHER_CTX_cleanup(&cctx); 916 return -1; 917 } 918 919 int 920 i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u) 921 { 922 unsigned char *tmp = NULL; 923 int outlen, wrlen; 924 925 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u); 926 if (outlen < 0) 927 return -1; 928 wrlen = BIO_write(out, tmp, outlen); 929 free(tmp); 930 if (wrlen == outlen) { 931 PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); 932 return outlen; 933 } 934 return -1; 935 } 936 937 #endif 938 939 #endif 940