pvkfmt.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882
  1. /*
  2. * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * Support for PVK format keys and related structures (such a PUBLICKEYBLOB
  11. * and PRIVATEKEYBLOB).
  12. */
  13. #include "internal/cryptlib.h"
  14. #include <openssl/pem.h>
  15. #include <openssl/rand.h>
  16. #include <openssl/bn.h>
  17. #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
  18. # include <openssl/dsa.h>
  19. # include <openssl/rsa.h>
  20. /*
  21. * Utility function: read a DWORD (4 byte unsigned integer) in little endian
  22. * format
  23. */
  24. static unsigned int read_ledword(const unsigned char **in)
  25. {
  26. const unsigned char *p = *in;
  27. unsigned int ret;
  28. ret = *p++;
  29. ret |= (*p++ << 8);
  30. ret |= (*p++ << 16);
  31. ret |= (*p++ << 24);
  32. *in = p;
  33. return ret;
  34. }
  35. /*
  36. * Read a BIGNUM in little endian format. The docs say that this should take
  37. * up bitlen/8 bytes.
  38. */
  39. static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
  40. {
  41. *r = BN_lebin2bn(*in, nbyte, NULL);
  42. if (*r == NULL)
  43. return 0;
  44. *in += nbyte;
  45. return 1;
  46. }
  47. /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
  48. # define MS_PUBLICKEYBLOB 0x6
  49. # define MS_PRIVATEKEYBLOB 0x7
  50. # define MS_RSA1MAGIC 0x31415352L
  51. # define MS_RSA2MAGIC 0x32415352L
  52. # define MS_DSS1MAGIC 0x31535344L
  53. # define MS_DSS2MAGIC 0x32535344L
  54. # define MS_KEYALG_RSA_KEYX 0xa400
  55. # define MS_KEYALG_DSS_SIGN 0x2200
  56. # define MS_KEYTYPE_KEYX 0x1
  57. # define MS_KEYTYPE_SIGN 0x2
  58. /* Maximum length of a blob after header */
  59. # define BLOB_MAX_LENGTH 102400
  60. /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
  61. # define MS_PVKMAGIC 0xb0b5f11eL
  62. /* Salt length for PVK files */
  63. # define PVK_SALTLEN 0x10
  64. /* Maximum length in PVK header */
  65. # define PVK_MAX_KEYLEN 102400
  66. /* Maximum salt length */
  67. # define PVK_MAX_SALTLEN 10240
  68. static EVP_PKEY *b2i_rsa(const unsigned char **in,
  69. unsigned int bitlen, int ispub);
  70. static EVP_PKEY *b2i_dss(const unsigned char **in,
  71. unsigned int bitlen, int ispub);
  72. static int do_blob_header(const unsigned char **in, unsigned int length,
  73. unsigned int *pmagic, unsigned int *pbitlen,
  74. int *pisdss, int *pispub)
  75. {
  76. const unsigned char *p = *in;
  77. if (length < 16)
  78. return 0;
  79. /* bType */
  80. if (*p == MS_PUBLICKEYBLOB) {
  81. if (*pispub == 0) {
  82. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
  83. return 0;
  84. }
  85. *pispub = 1;
  86. } else if (*p == MS_PRIVATEKEYBLOB) {
  87. if (*pispub == 1) {
  88. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
  89. return 0;
  90. }
  91. *pispub = 0;
  92. } else
  93. return 0;
  94. p++;
  95. /* Version */
  96. if (*p++ != 0x2) {
  97. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_VERSION_NUMBER);
  98. return 0;
  99. }
  100. /* Ignore reserved, aiKeyAlg */
  101. p += 6;
  102. *pmagic = read_ledword(&p);
  103. *pbitlen = read_ledword(&p);
  104. *pisdss = 0;
  105. switch (*pmagic) {
  106. case MS_DSS1MAGIC:
  107. *pisdss = 1;
  108. /* fall thru */
  109. case MS_RSA1MAGIC:
  110. if (*pispub == 0) {
  111. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
  112. return 0;
  113. }
  114. break;
  115. case MS_DSS2MAGIC:
  116. *pisdss = 1;
  117. /* fall thru */
  118. case MS_RSA2MAGIC:
  119. if (*pispub == 1) {
  120. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
  121. return 0;
  122. }
  123. break;
  124. default:
  125. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_MAGIC_NUMBER);
  126. return -1;
  127. }
  128. *in = p;
  129. return 1;
  130. }
  131. static unsigned int blob_length(unsigned bitlen, int isdss, int ispub)
  132. {
  133. unsigned int nbyte, hnbyte;
  134. nbyte = (bitlen + 7) >> 3;
  135. hnbyte = (bitlen + 15) >> 4;
  136. if (isdss) {
  137. /*
  138. * Expected length: 20 for q + 3 components bitlen each + 24 for seed
  139. * structure.
  140. */
  141. if (ispub)
  142. return 44 + 3 * nbyte;
  143. /*
  144. * Expected length: 20 for q, priv, 2 bitlen components + 24 for seed
  145. * structure.
  146. */
  147. else
  148. return 64 + 2 * nbyte;
  149. } else {
  150. /* Expected length: 4 for 'e' + 'n' */
  151. if (ispub)
  152. return 4 + nbyte;
  153. else
  154. /*
  155. * Expected length: 4 for 'e' and 7 other components. 2
  156. * components are bitlen size, 5 are bitlen/2
  157. */
  158. return 4 + 2 * nbyte + 5 * hnbyte;
  159. }
  160. }
  161. static EVP_PKEY *do_b2i(const unsigned char **in, unsigned int length,
  162. int ispub)
  163. {
  164. const unsigned char *p = *in;
  165. unsigned int bitlen, magic;
  166. int isdss;
  167. if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) {
  168. PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
  169. return NULL;
  170. }
  171. length -= 16;
  172. if (length < blob_length(bitlen, isdss, ispub)) {
  173. PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_TOO_SHORT);
  174. return NULL;
  175. }
  176. if (isdss)
  177. return b2i_dss(&p, bitlen, ispub);
  178. else
  179. return b2i_rsa(&p, bitlen, ispub);
  180. }
  181. static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
  182. {
  183. const unsigned char *p;
  184. unsigned char hdr_buf[16], *buf = NULL;
  185. unsigned int bitlen, magic, length;
  186. int isdss;
  187. EVP_PKEY *ret = NULL;
  188. if (BIO_read(in, hdr_buf, 16) != 16) {
  189. PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT);
  190. return NULL;
  191. }
  192. p = hdr_buf;
  193. if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0)
  194. return NULL;
  195. length = blob_length(bitlen, isdss, ispub);
  196. if (length > BLOB_MAX_LENGTH) {
  197. PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG);
  198. return NULL;
  199. }
  200. buf = OPENSSL_malloc(length);
  201. if (buf == NULL) {
  202. PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
  203. goto err;
  204. }
  205. p = buf;
  206. if (BIO_read(in, buf, length) != (int)length) {
  207. PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT);
  208. goto err;
  209. }
  210. if (isdss)
  211. ret = b2i_dss(&p, bitlen, ispub);
  212. else
  213. ret = b2i_rsa(&p, bitlen, ispub);
  214. err:
  215. OPENSSL_free(buf);
  216. return ret;
  217. }
  218. static EVP_PKEY *b2i_dss(const unsigned char **in,
  219. unsigned int bitlen, int ispub)
  220. {
  221. const unsigned char *p = *in;
  222. EVP_PKEY *ret = NULL;
  223. DSA *dsa = NULL;
  224. BN_CTX *ctx = NULL;
  225. unsigned int nbyte;
  226. BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL;
  227. BIGNUM *pub_key = NULL;
  228. nbyte = (bitlen + 7) >> 3;
  229. dsa = DSA_new();
  230. ret = EVP_PKEY_new();
  231. if (dsa == NULL || ret == NULL)
  232. goto memerr;
  233. if (!read_lebn(&p, nbyte, &pbn))
  234. goto memerr;
  235. if (!read_lebn(&p, 20, &qbn))
  236. goto memerr;
  237. if (!read_lebn(&p, nbyte, &gbn))
  238. goto memerr;
  239. if (ispub) {
  240. if (!read_lebn(&p, nbyte, &pub_key))
  241. goto memerr;
  242. } else {
  243. if (!read_lebn(&p, 20, &priv_key))
  244. goto memerr;
  245. /* Calculate public key */
  246. pub_key = BN_new();
  247. if (pub_key == NULL)
  248. goto memerr;
  249. if ((ctx = BN_CTX_new()) == NULL)
  250. goto memerr;
  251. if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx))
  252. goto memerr;
  253. BN_CTX_free(ctx);
  254. ctx = NULL;
  255. }
  256. if (!DSA_set0_pqg(dsa, pbn, qbn, gbn))
  257. goto memerr;
  258. pbn = qbn = gbn = NULL;
  259. if (!DSA_set0_key(dsa, pub_key, priv_key))
  260. goto memerr;
  261. pub_key = priv_key = NULL;
  262. if (!EVP_PKEY_set1_DSA(ret, dsa))
  263. goto memerr;
  264. DSA_free(dsa);
  265. *in = p;
  266. return ret;
  267. memerr:
  268. PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE);
  269. DSA_free(dsa);
  270. BN_free(pbn);
  271. BN_free(qbn);
  272. BN_free(gbn);
  273. BN_free(pub_key);
  274. BN_free(priv_key);
  275. EVP_PKEY_free(ret);
  276. BN_CTX_free(ctx);
  277. return NULL;
  278. }
  279. static EVP_PKEY *b2i_rsa(const unsigned char **in,
  280. unsigned int bitlen, int ispub)
  281. {
  282. const unsigned char *pin = *in;
  283. EVP_PKEY *ret = NULL;
  284. BIGNUM *e = NULL, *n = NULL, *d = NULL;
  285. BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
  286. RSA *rsa = NULL;
  287. unsigned int nbyte, hnbyte;
  288. nbyte = (bitlen + 7) >> 3;
  289. hnbyte = (bitlen + 15) >> 4;
  290. rsa = RSA_new();
  291. ret = EVP_PKEY_new();
  292. if (rsa == NULL || ret == NULL)
  293. goto memerr;
  294. e = BN_new();
  295. if (e == NULL)
  296. goto memerr;
  297. if (!BN_set_word(e, read_ledword(&pin)))
  298. goto memerr;
  299. if (!read_lebn(&pin, nbyte, &n))
  300. goto memerr;
  301. if (!ispub) {
  302. if (!read_lebn(&pin, hnbyte, &p))
  303. goto memerr;
  304. if (!read_lebn(&pin, hnbyte, &q))
  305. goto memerr;
  306. if (!read_lebn(&pin, hnbyte, &dmp1))
  307. goto memerr;
  308. if (!read_lebn(&pin, hnbyte, &dmq1))
  309. goto memerr;
  310. if (!read_lebn(&pin, hnbyte, &iqmp))
  311. goto memerr;
  312. if (!read_lebn(&pin, nbyte, &d))
  313. goto memerr;
  314. if (!RSA_set0_factors(rsa, p, q))
  315. goto memerr;
  316. p = q = NULL;
  317. if (!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
  318. goto memerr;
  319. dmp1 = dmq1 = iqmp = NULL;
  320. }
  321. if (!RSA_set0_key(rsa, n, e, d))
  322. goto memerr;
  323. n = e = d = NULL;
  324. if (!EVP_PKEY_set1_RSA(ret, rsa))
  325. goto memerr;
  326. RSA_free(rsa);
  327. *in = pin;
  328. return ret;
  329. memerr:
  330. PEMerr(PEM_F_B2I_RSA, ERR_R_MALLOC_FAILURE);
  331. BN_free(e);
  332. BN_free(n);
  333. BN_free(p);
  334. BN_free(q);
  335. BN_free(dmp1);
  336. BN_free(dmq1);
  337. BN_free(iqmp);
  338. BN_free(d);
  339. RSA_free(rsa);
  340. EVP_PKEY_free(ret);
  341. return NULL;
  342. }
  343. EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length)
  344. {
  345. return do_b2i(in, length, 0);
  346. }
  347. EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length)
  348. {
  349. return do_b2i(in, length, 1);
  350. }
  351. EVP_PKEY *b2i_PrivateKey_bio(BIO *in)
  352. {
  353. return do_b2i_bio(in, 0);
  354. }
  355. EVP_PKEY *b2i_PublicKey_bio(BIO *in)
  356. {
  357. return do_b2i_bio(in, 1);
  358. }
  359. static void write_ledword(unsigned char **out, unsigned int dw)
  360. {
  361. unsigned char *p = *out;
  362. *p++ = dw & 0xff;
  363. *p++ = (dw >> 8) & 0xff;
  364. *p++ = (dw >> 16) & 0xff;
  365. *p++ = (dw >> 24) & 0xff;
  366. *out = p;
  367. }
  368. static void write_lebn(unsigned char **out, const BIGNUM *bn, int len)
  369. {
  370. BN_bn2lebinpad(bn, *out, len);
  371. *out += len;
  372. }
  373. static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic);
  374. static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic);
  375. static void write_rsa(unsigned char **out, RSA *rsa, int ispub);
  376. static void write_dsa(unsigned char **out, DSA *dsa, int ispub);
  377. static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
  378. {
  379. unsigned char *p;
  380. unsigned int bitlen, magic = 0, keyalg;
  381. int outlen, noinc = 0;
  382. int pktype = EVP_PKEY_id(pk);
  383. if (pktype == EVP_PKEY_DSA) {
  384. bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
  385. keyalg = MS_KEYALG_DSS_SIGN;
  386. } else if (pktype == EVP_PKEY_RSA) {
  387. bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
  388. keyalg = MS_KEYALG_RSA_KEYX;
  389. } else
  390. return -1;
  391. if (bitlen == 0)
  392. return -1;
  393. outlen = 16 + blob_length(bitlen,
  394. keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
  395. if (out == NULL)
  396. return outlen;
  397. if (*out)
  398. p = *out;
  399. else {
  400. if ((p = OPENSSL_malloc(outlen)) == NULL) {
  401. PEMerr(PEM_F_DO_I2B, ERR_R_MALLOC_FAILURE);
  402. return -1;
  403. }
  404. *out = p;
  405. noinc = 1;
  406. }
  407. if (ispub)
  408. *p++ = MS_PUBLICKEYBLOB;
  409. else
  410. *p++ = MS_PRIVATEKEYBLOB;
  411. *p++ = 0x2;
  412. *p++ = 0;
  413. *p++ = 0;
  414. write_ledword(&p, keyalg);
  415. write_ledword(&p, magic);
  416. write_ledword(&p, bitlen);
  417. if (keyalg == MS_KEYALG_DSS_SIGN)
  418. write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
  419. else
  420. write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
  421. if (!noinc)
  422. *out += outlen;
  423. return outlen;
  424. }
  425. static int do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub)
  426. {
  427. unsigned char *tmp = NULL;
  428. int outlen, wrlen;
  429. outlen = do_i2b(&tmp, pk, ispub);
  430. if (outlen < 0)
  431. return -1;
  432. wrlen = BIO_write(out, tmp, outlen);
  433. OPENSSL_free(tmp);
  434. if (wrlen == outlen)
  435. return outlen;
  436. return -1;
  437. }
  438. static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic)
  439. {
  440. int bitlen;
  441. const BIGNUM *p = NULL, *q = NULL, *g = NULL;
  442. const BIGNUM *pub_key = NULL, *priv_key = NULL;
  443. DSA_get0_pqg(dsa, &p, &q, &g);
  444. DSA_get0_key(dsa, &pub_key, &priv_key);
  445. bitlen = BN_num_bits(p);
  446. if ((bitlen & 7) || (BN_num_bits(q) != 160)
  447. || (BN_num_bits(g) > bitlen))
  448. goto badkey;
  449. if (ispub) {
  450. if (BN_num_bits(pub_key) > bitlen)
  451. goto badkey;
  452. *pmagic = MS_DSS1MAGIC;
  453. } else {
  454. if (BN_num_bits(priv_key) > 160)
  455. goto badkey;
  456. *pmagic = MS_DSS2MAGIC;
  457. }
  458. return bitlen;
  459. badkey:
  460. PEMerr(PEM_F_CHECK_BITLEN_DSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
  461. return 0;
  462. }
  463. static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic)
  464. {
  465. int nbyte, hnbyte, bitlen;
  466. const BIGNUM *e;
  467. RSA_get0_key(rsa, NULL, &e, NULL);
  468. if (BN_num_bits(e) > 32)
  469. goto badkey;
  470. bitlen = RSA_bits(rsa);
  471. nbyte = RSA_size(rsa);
  472. hnbyte = (bitlen + 15) >> 4;
  473. if (ispub) {
  474. *pmagic = MS_RSA1MAGIC;
  475. return bitlen;
  476. } else {
  477. const BIGNUM *d, *p, *q, *iqmp, *dmp1, *dmq1;
  478. *pmagic = MS_RSA2MAGIC;
  479. /*
  480. * For private key each component must fit within nbyte or hnbyte.
  481. */
  482. RSA_get0_key(rsa, NULL, NULL, &d);
  483. if (BN_num_bytes(d) > nbyte)
  484. goto badkey;
  485. RSA_get0_factors(rsa, &p, &q);
  486. RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
  487. if ((BN_num_bytes(iqmp) > hnbyte)
  488. || (BN_num_bytes(p) > hnbyte)
  489. || (BN_num_bytes(q) > hnbyte)
  490. || (BN_num_bytes(dmp1) > hnbyte)
  491. || (BN_num_bytes(dmq1) > hnbyte))
  492. goto badkey;
  493. }
  494. return bitlen;
  495. badkey:
  496. PEMerr(PEM_F_CHECK_BITLEN_RSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
  497. return 0;
  498. }
  499. static void write_rsa(unsigned char **out, RSA *rsa, int ispub)
  500. {
  501. int nbyte, hnbyte;
  502. const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1;
  503. nbyte = RSA_size(rsa);
  504. hnbyte = (RSA_bits(rsa) + 15) >> 4;
  505. RSA_get0_key(rsa, &n, &e, &d);
  506. write_lebn(out, e, 4);
  507. write_lebn(out, n, nbyte);
  508. if (ispub)
  509. return;
  510. RSA_get0_factors(rsa, &p, &q);
  511. RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
  512. write_lebn(out, p, hnbyte);
  513. write_lebn(out, q, hnbyte);
  514. write_lebn(out, dmp1, hnbyte);
  515. write_lebn(out, dmq1, hnbyte);
  516. write_lebn(out, iqmp, hnbyte);
  517. write_lebn(out, d, nbyte);
  518. }
  519. static void write_dsa(unsigned char **out, DSA *dsa, int ispub)
  520. {
  521. int nbyte;
  522. const BIGNUM *p = NULL, *q = NULL, *g = NULL;
  523. const BIGNUM *pub_key = NULL, *priv_key = NULL;
  524. DSA_get0_pqg(dsa, &p, &q, &g);
  525. DSA_get0_key(dsa, &pub_key, &priv_key);
  526. nbyte = BN_num_bytes(p);
  527. write_lebn(out, p, nbyte);
  528. write_lebn(out, q, 20);
  529. write_lebn(out, g, nbyte);
  530. if (ispub)
  531. write_lebn(out, pub_key, nbyte);
  532. else
  533. write_lebn(out, priv_key, 20);
  534. /* Set "invalid" for seed structure values */
  535. memset(*out, 0xff, 24);
  536. *out += 24;
  537. return;
  538. }
  539. int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk)
  540. {
  541. return do_i2b_bio(out, pk, 0);
  542. }
  543. int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk)
  544. {
  545. return do_i2b_bio(out, pk, 1);
  546. }
  547. # ifndef OPENSSL_NO_RC4
  548. static int do_PVK_header(const unsigned char **in, unsigned int length,
  549. int skip_magic,
  550. unsigned int *psaltlen, unsigned int *pkeylen)
  551. {
  552. const unsigned char *p = *in;
  553. unsigned int pvk_magic, is_encrypted;
  554. if (skip_magic) {
  555. if (length < 20) {
  556. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
  557. return 0;
  558. }
  559. } else {
  560. if (length < 24) {
  561. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
  562. return 0;
  563. }
  564. pvk_magic = read_ledword(&p);
  565. if (pvk_magic != MS_PVKMAGIC) {
  566. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER);
  567. return 0;
  568. }
  569. }
  570. /* Skip reserved */
  571. p += 4;
  572. /*
  573. * keytype =
  574. */ read_ledword(&p);
  575. is_encrypted = read_ledword(&p);
  576. *psaltlen = read_ledword(&p);
  577. *pkeylen = read_ledword(&p);
  578. if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
  579. return 0;
  580. if (is_encrypted && !*psaltlen) {
  581. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
  582. return 0;
  583. }
  584. *in = p;
  585. return 1;
  586. }
  587. static int derive_pvk_key(unsigned char *key,
  588. const unsigned char *salt, unsigned int saltlen,
  589. const unsigned char *pass, int passlen)
  590. {
  591. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  592. int rv = 1;
  593. if (mctx == NULL
  594. || !EVP_DigestInit_ex(mctx, EVP_sha1(), NULL)
  595. || !EVP_DigestUpdate(mctx, salt, saltlen)
  596. || !EVP_DigestUpdate(mctx, pass, passlen)
  597. || !EVP_DigestFinal_ex(mctx, key, NULL))
  598. rv = 0;
  599. EVP_MD_CTX_free(mctx);
  600. return rv;
  601. }
  602. static EVP_PKEY *do_PVK_body(const unsigned char **in,
  603. unsigned int saltlen, unsigned int keylen,
  604. pem_password_cb *cb, void *u)
  605. {
  606. EVP_PKEY *ret = NULL;
  607. const unsigned char *p = *in;
  608. unsigned int magic;
  609. unsigned char *enctmp = NULL, *q;
  610. EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
  611. if (saltlen) {
  612. char psbuf[PEM_BUFSIZE];
  613. unsigned char keybuf[20];
  614. int enctmplen, inlen;
  615. if (cb)
  616. inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
  617. else
  618. inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
  619. if (inlen <= 0) {
  620. PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
  621. goto err;
  622. }
  623. enctmp = OPENSSL_malloc(keylen + 8);
  624. if (enctmp == NULL) {
  625. PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
  626. goto err;
  627. }
  628. if (!derive_pvk_key(keybuf, p, saltlen,
  629. (unsigned char *)psbuf, inlen))
  630. goto err;
  631. p += saltlen;
  632. /* Copy BLOBHEADER across, decrypt rest */
  633. memcpy(enctmp, p, 8);
  634. p += 8;
  635. if (keylen < 8) {
  636. PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
  637. goto err;
  638. }
  639. inlen = keylen - 8;
  640. q = enctmp + 8;
  641. if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
  642. goto err;
  643. if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
  644. goto err;
  645. if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
  646. goto err;
  647. magic = read_ledword((const unsigned char **)&q);
  648. if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
  649. q = enctmp + 8;
  650. memset(keybuf + 5, 0, 11);
  651. if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
  652. goto err;
  653. OPENSSL_cleanse(keybuf, 20);
  654. if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
  655. goto err;
  656. if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
  657. goto err;
  658. magic = read_ledword((const unsigned char **)&q);
  659. if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
  660. PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT);
  661. goto err;
  662. }
  663. } else
  664. OPENSSL_cleanse(keybuf, 20);
  665. p = enctmp;
  666. }
  667. ret = b2i_PrivateKey(&p, keylen);
  668. err:
  669. EVP_CIPHER_CTX_free(cctx);
  670. OPENSSL_free(enctmp);
  671. return ret;
  672. }
  673. EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
  674. {
  675. unsigned char pvk_hdr[24], *buf = NULL;
  676. const unsigned char *p;
  677. int buflen;
  678. EVP_PKEY *ret = NULL;
  679. unsigned int saltlen, keylen;
  680. if (BIO_read(in, pvk_hdr, 24) != 24) {
  681. PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT);
  682. return NULL;
  683. }
  684. p = pvk_hdr;
  685. if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen))
  686. return 0;
  687. buflen = (int)keylen + saltlen;
  688. buf = OPENSSL_malloc(buflen);
  689. if (buf == NULL) {
  690. PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE);
  691. return 0;
  692. }
  693. p = buf;
  694. if (BIO_read(in, buf, buflen) != buflen) {
  695. PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT);
  696. goto err;
  697. }
  698. ret = do_PVK_body(&p, saltlen, keylen, cb, u);
  699. err:
  700. OPENSSL_clear_free(buf, buflen);
  701. return ret;
  702. }
  703. static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel,
  704. pem_password_cb *cb, void *u)
  705. {
  706. int outlen = 24, pklen;
  707. unsigned char *p = NULL, *start = NULL, *salt = NULL;
  708. EVP_CIPHER_CTX *cctx = NULL;
  709. if (enclevel)
  710. outlen += PVK_SALTLEN;
  711. pklen = do_i2b(NULL, pk, 0);
  712. if (pklen < 0)
  713. return -1;
  714. outlen += pklen;
  715. if (out == NULL)
  716. return outlen;
  717. if (*out != NULL) {
  718. p = *out;
  719. } else {
  720. start = p = OPENSSL_malloc(outlen);
  721. if (p == NULL) {
  722. PEMerr(PEM_F_I2B_PVK, ERR_R_MALLOC_FAILURE);
  723. return -1;
  724. }
  725. }
  726. cctx = EVP_CIPHER_CTX_new();
  727. if (cctx == NULL)
  728. goto error;
  729. write_ledword(&p, MS_PVKMAGIC);
  730. write_ledword(&p, 0);
  731. if (EVP_PKEY_id(pk) == EVP_PKEY_DSA)
  732. write_ledword(&p, MS_KEYTYPE_SIGN);
  733. else
  734. write_ledword(&p, MS_KEYTYPE_KEYX);
  735. write_ledword(&p, enclevel ? 1 : 0);
  736. write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
  737. write_ledword(&p, pklen);
  738. if (enclevel) {
  739. if (RAND_bytes(p, PVK_SALTLEN) <= 0)
  740. goto error;
  741. salt = p;
  742. p += PVK_SALTLEN;
  743. }
  744. do_i2b(&p, pk, 0);
  745. if (enclevel != 0) {
  746. char psbuf[PEM_BUFSIZE];
  747. unsigned char keybuf[20];
  748. int enctmplen, inlen;
  749. if (cb)
  750. inlen = cb(psbuf, PEM_BUFSIZE, 1, u);
  751. else
  752. inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u);
  753. if (inlen <= 0) {
  754. PEMerr(PEM_F_I2B_PVK, PEM_R_BAD_PASSWORD_READ);
  755. goto error;
  756. }
  757. if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
  758. (unsigned char *)psbuf, inlen))
  759. goto error;
  760. if (enclevel == 1)
  761. memset(keybuf + 5, 0, 11);
  762. p = salt + PVK_SALTLEN + 8;
  763. if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
  764. goto error;
  765. OPENSSL_cleanse(keybuf, 20);
  766. if (!EVP_DecryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
  767. goto error;
  768. if (!EVP_DecryptFinal_ex(cctx, p + enctmplen, &enctmplen))
  769. goto error;
  770. }
  771. EVP_CIPHER_CTX_free(cctx);
  772. if (*out == NULL)
  773. *out = start;
  774. return outlen;
  775. error:
  776. EVP_CIPHER_CTX_free(cctx);
  777. if (*out == NULL)
  778. OPENSSL_free(start);
  779. return -1;
  780. }
  781. int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
  782. pem_password_cb *cb, void *u)
  783. {
  784. unsigned char *tmp = NULL;
  785. int outlen, wrlen;
  786. outlen = i2b_PVK(&tmp, pk, enclevel, cb, u);
  787. if (outlen < 0)
  788. return -1;
  789. wrlen = BIO_write(out, tmp, outlen);
  790. OPENSSL_free(tmp);
  791. if (wrlen == outlen) {
  792. PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE);
  793. return outlen;
  794. }
  795. return -1;
  796. }
  797. # endif
  798. #endif