2
0

pvkfmt.c 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950
  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  2. * project 2005.
  3. */
  4. /* ====================================================================
  5. * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
  6. *
  7. * Redistribution and use in source and binary forms, with or without
  8. * modification, are permitted provided that the following conditions
  9. * are met:
  10. *
  11. * 1. Redistributions of source code must retain the above copyright
  12. * notice, this list of conditions and the following disclaimer.
  13. *
  14. * 2. Redistributions in binary form must reproduce the above copyright
  15. * notice, this list of conditions and the following disclaimer in
  16. * the documentation and/or other materials provided with the
  17. * distribution.
  18. *
  19. * 3. All advertising materials mentioning features or use of this
  20. * software must display the following acknowledgment:
  21. * "This product includes software developed by the OpenSSL Project
  22. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  23. *
  24. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  25. * endorse or promote products derived from this software without
  26. * prior written permission. For written permission, please contact
  27. * licensing@OpenSSL.org.
  28. *
  29. * 5. Products derived from this software may not be called "OpenSSL"
  30. * nor may "OpenSSL" appear in their names without prior written
  31. * permission of the OpenSSL Project.
  32. *
  33. * 6. Redistributions of any form whatsoever must retain the following
  34. * acknowledgment:
  35. * "This product includes software developed by the OpenSSL Project
  36. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  37. *
  38. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  39. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  40. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  41. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  42. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  43. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  44. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  45. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  46. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  47. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  48. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  49. * OF THE POSSIBILITY OF SUCH DAMAGE.
  50. * ====================================================================
  51. *
  52. * This product includes cryptographic software written by Eric Young
  53. * (eay@cryptsoft.com). This product includes software written by Tim
  54. * Hudson (tjh@cryptsoft.com).
  55. *
  56. */
  57. /* Support for PVK format keys and related structures (such a PUBLICKEYBLOB
  58. * and PRIVATEKEYBLOB).
  59. */
  60. #include "cryptlib.h"
  61. #include <openssl/pem.h>
  62. #include <openssl/rand.h>
  63. #include <openssl/bn.h>
  64. #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
  65. #include <openssl/dsa.h>
  66. #include <openssl/rsa.h>
  67. /* Utility function: read a DWORD (4 byte unsigned integer) in little endian
  68. * format
  69. */
  70. static unsigned int read_ledword(const unsigned char **in)
  71. {
  72. const unsigned char *p = *in;
  73. unsigned int ret;
  74. ret = *p++;
  75. ret |= (*p++ << 8);
  76. ret |= (*p++ << 16);
  77. ret |= (*p++ << 24);
  78. *in = p;
  79. return ret;
  80. }
  81. /* Read a BIGNUM in little endian format. The docs say that this should take up
  82. * bitlen/8 bytes.
  83. */
  84. static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
  85. {
  86. const unsigned char *p;
  87. unsigned char *tmpbuf, *q;
  88. unsigned int i;
  89. p = *in + nbyte - 1;
  90. tmpbuf = OPENSSL_malloc(nbyte);
  91. if (!tmpbuf)
  92. return 0;
  93. q = tmpbuf;
  94. for (i = 0; i < nbyte; i++)
  95. *q++ = *p--;
  96. *r = BN_bin2bn(tmpbuf, nbyte, NULL);
  97. OPENSSL_free(tmpbuf);
  98. if (*r)
  99. {
  100. *in += nbyte;
  101. return 1;
  102. }
  103. else
  104. return 0;
  105. }
  106. /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
  107. #define MS_PUBLICKEYBLOB 0x6
  108. #define MS_PRIVATEKEYBLOB 0x7
  109. #define MS_RSA1MAGIC 0x31415352L
  110. #define MS_RSA2MAGIC 0x32415352L
  111. #define MS_DSS1MAGIC 0x31535344L
  112. #define MS_DSS2MAGIC 0x32535344L
  113. #define MS_KEYALG_RSA_KEYX 0xa400
  114. #define MS_KEYALG_DSS_SIGN 0x2200
  115. #define MS_KEYTYPE_KEYX 0x1
  116. #define MS_KEYTYPE_SIGN 0x2
  117. /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
  118. #define MS_PVKMAGIC 0xb0b5f11eL
  119. /* Salt length for PVK files */
  120. #define PVK_SALTLEN 0x10
  121. static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
  122. unsigned int bitlen, int ispub);
  123. static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
  124. unsigned int bitlen, int ispub);
  125. static int do_blob_header(const unsigned char **in, unsigned int length,
  126. unsigned int *pmagic, unsigned int *pbitlen,
  127. int *pisdss, int *pispub)
  128. {
  129. const unsigned char *p = *in;
  130. if (length < 16)
  131. return 0;
  132. /* bType */
  133. if (*p == MS_PUBLICKEYBLOB)
  134. {
  135. if (*pispub == 0)
  136. {
  137. PEMerr(PEM_F_DO_BLOB_HEADER,
  138. PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
  139. return 0;
  140. }
  141. *pispub = 1;
  142. }
  143. else if (*p == MS_PRIVATEKEYBLOB)
  144. {
  145. if (*pispub == 1)
  146. {
  147. PEMerr(PEM_F_DO_BLOB_HEADER,
  148. PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
  149. return 0;
  150. }
  151. *pispub = 0;
  152. }
  153. else
  154. return 0;
  155. p++;
  156. /* Version */
  157. if (*p++ != 0x2)
  158. {
  159. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_VERSION_NUMBER);
  160. return 0;
  161. }
  162. /* Ignore reserved, aiKeyAlg */
  163. p+= 6;
  164. *pmagic = read_ledword(&p);
  165. *pbitlen = read_ledword(&p);
  166. *pisdss = 0;
  167. switch (*pmagic)
  168. {
  169. case MS_DSS1MAGIC:
  170. *pisdss = 1;
  171. case MS_RSA1MAGIC:
  172. if (*pispub == 0)
  173. {
  174. PEMerr(PEM_F_DO_BLOB_HEADER,
  175. PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
  176. return 0;
  177. }
  178. break;
  179. case MS_DSS2MAGIC:
  180. *pisdss = 1;
  181. case MS_RSA2MAGIC:
  182. if (*pispub == 1)
  183. {
  184. PEMerr(PEM_F_DO_BLOB_HEADER,
  185. PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
  186. return 0;
  187. }
  188. break;
  189. default:
  190. PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_MAGIC_NUMBER);
  191. return -1;
  192. }
  193. *in = p;
  194. return 1;
  195. }
  196. static unsigned int blob_length(unsigned bitlen, int isdss, int ispub)
  197. {
  198. unsigned int nbyte, hnbyte;
  199. nbyte = (bitlen + 7) >> 3;
  200. hnbyte = (bitlen + 15) >> 4;
  201. if (isdss)
  202. {
  203. /* Expected length: 20 for q + 3 components bitlen each + 24
  204. * for seed structure.
  205. */
  206. if (ispub)
  207. return 44 + 3 * nbyte;
  208. /* Expected length: 20 for q, priv, 2 bitlen components + 24
  209. * for seed structure.
  210. */
  211. else
  212. return 64 + 2 * nbyte;
  213. }
  214. else
  215. {
  216. /* Expected length: 4 for 'e' + 'n' */
  217. if (ispub)
  218. return 4 + nbyte;
  219. else
  220. /* Expected length: 4 for 'e' and 7 other components.
  221. * 2 components are bitlen size, 5 are bitlen/2
  222. */
  223. return 4 + 2*nbyte + 5*hnbyte;
  224. }
  225. }
  226. static EVP_PKEY *do_b2i(const unsigned char **in, unsigned int length,
  227. int ispub)
  228. {
  229. const unsigned char *p = *in;
  230. unsigned int bitlen, magic;
  231. int isdss;
  232. if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0)
  233. {
  234. PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
  235. return NULL;
  236. }
  237. length -= 16;
  238. if (length < blob_length(bitlen, isdss, ispub))
  239. {
  240. PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_TOO_SHORT);
  241. return NULL;
  242. }
  243. if (isdss)
  244. return b2i_dss(&p, length, bitlen, ispub);
  245. else
  246. return b2i_rsa(&p, length, bitlen, ispub);
  247. }
  248. static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
  249. {
  250. const unsigned char *p;
  251. unsigned char hdr_buf[16], *buf = NULL;
  252. unsigned int bitlen, magic, length;
  253. int isdss;
  254. EVP_PKEY *ret = NULL;
  255. if (BIO_read(in, hdr_buf, 16) != 16)
  256. {
  257. PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT);
  258. return NULL;
  259. }
  260. p = hdr_buf;
  261. if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0)
  262. return NULL;
  263. length = blob_length(bitlen, isdss, ispub);
  264. buf = OPENSSL_malloc(length);
  265. if (!buf)
  266. {
  267. PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
  268. goto err;
  269. }
  270. p = buf;
  271. if (BIO_read(in, buf, length) != (int)length)
  272. {
  273. PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT);
  274. goto err;
  275. }
  276. if (isdss)
  277. ret = b2i_dss(&p, length, bitlen, ispub);
  278. else
  279. ret = b2i_rsa(&p, length, bitlen, ispub);
  280. err:
  281. if (buf)
  282. OPENSSL_free(buf);
  283. return ret;
  284. }
  285. static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
  286. unsigned int bitlen, int ispub)
  287. {
  288. const unsigned char *p = *in;
  289. EVP_PKEY *ret = NULL;
  290. DSA *dsa = NULL;
  291. BN_CTX *ctx = NULL;
  292. unsigned int nbyte;
  293. nbyte = (bitlen + 7) >> 3;
  294. dsa = DSA_new();
  295. ret = EVP_PKEY_new();
  296. if (!dsa || !ret)
  297. goto memerr;
  298. if (!read_lebn(&p, nbyte, &dsa->p))
  299. goto memerr;
  300. if (!read_lebn(&p, 20, &dsa->q))
  301. goto memerr;
  302. if (!read_lebn(&p, nbyte, &dsa->g))
  303. goto memerr;
  304. if (ispub)
  305. {
  306. if (!read_lebn(&p, nbyte, &dsa->pub_key))
  307. goto memerr;
  308. }
  309. else
  310. {
  311. if (!read_lebn(&p, 20, &dsa->priv_key))
  312. goto memerr;
  313. /* Calculate public key */
  314. if (!(dsa->pub_key = BN_new()))
  315. goto memerr;
  316. if (!(ctx = BN_CTX_new()))
  317. goto memerr;
  318. if (!BN_mod_exp(dsa->pub_key, dsa->g,
  319. dsa->priv_key, dsa->p, ctx))
  320. goto memerr;
  321. BN_CTX_free(ctx);
  322. }
  323. EVP_PKEY_set1_DSA(ret, dsa);
  324. DSA_free(dsa);
  325. *in = p;
  326. return ret;
  327. memerr:
  328. PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE);
  329. if (dsa)
  330. DSA_free(dsa);
  331. if (ret)
  332. EVP_PKEY_free(ret);
  333. if (ctx)
  334. BN_CTX_free(ctx);
  335. return NULL;
  336. }
  337. static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
  338. unsigned int bitlen, int ispub)
  339. {
  340. const unsigned char *p = *in;
  341. EVP_PKEY *ret = NULL;
  342. RSA *rsa = NULL;
  343. unsigned int nbyte, hnbyte;
  344. nbyte = (bitlen + 7) >> 3;
  345. hnbyte = (bitlen + 15) >> 4;
  346. rsa = RSA_new();
  347. ret = EVP_PKEY_new();
  348. if (!rsa || !ret)
  349. goto memerr;
  350. rsa->e = BN_new();
  351. if (!rsa->e)
  352. goto memerr;
  353. if (!BN_set_word(rsa->e, read_ledword(&p)))
  354. goto memerr;
  355. if (!read_lebn(&p, nbyte, &rsa->n))
  356. goto memerr;
  357. if (!ispub)
  358. {
  359. if (!read_lebn(&p, hnbyte, &rsa->p))
  360. goto memerr;
  361. if (!read_lebn(&p, hnbyte, &rsa->q))
  362. goto memerr;
  363. if (!read_lebn(&p, hnbyte, &rsa->dmp1))
  364. goto memerr;
  365. if (!read_lebn(&p, hnbyte, &rsa->dmq1))
  366. goto memerr;
  367. if (!read_lebn(&p, hnbyte, &rsa->iqmp))
  368. goto memerr;
  369. if (!read_lebn(&p, nbyte, &rsa->d))
  370. goto memerr;
  371. }
  372. EVP_PKEY_set1_RSA(ret, rsa);
  373. RSA_free(rsa);
  374. *in = p;
  375. return ret;
  376. memerr:
  377. PEMerr(PEM_F_B2I_RSA, ERR_R_MALLOC_FAILURE);
  378. if (rsa)
  379. RSA_free(rsa);
  380. if (ret)
  381. EVP_PKEY_free(ret);
  382. return NULL;
  383. }
  384. EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length)
  385. {
  386. return do_b2i(in, length, 0);
  387. }
  388. EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length)
  389. {
  390. return do_b2i(in, length, 1);
  391. }
  392. EVP_PKEY *b2i_PrivateKey_bio(BIO *in)
  393. {
  394. return do_b2i_bio(in, 0);
  395. }
  396. EVP_PKEY *b2i_PublicKey_bio(BIO *in)
  397. {
  398. return do_b2i_bio(in, 1);
  399. }
  400. static void write_ledword(unsigned char **out, unsigned int dw)
  401. {
  402. unsigned char *p = *out;
  403. *p++ = dw & 0xff;
  404. *p++ = (dw>>8) & 0xff;
  405. *p++ = (dw>>16) & 0xff;
  406. *p++ = (dw>>24) & 0xff;
  407. *out = p;
  408. }
  409. static void write_lebn(unsigned char **out, const BIGNUM *bn, int len)
  410. {
  411. int nb, i;
  412. unsigned char *p = *out, *q, c;
  413. nb = BN_num_bytes(bn);
  414. BN_bn2bin(bn, p);
  415. q = p + nb - 1;
  416. /* In place byte order reversal */
  417. for (i = 0; i < nb/2; i++)
  418. {
  419. c = *p;
  420. *p++ = *q;
  421. *q-- = c;
  422. }
  423. *out += nb;
  424. /* Pad with zeroes if we have to */
  425. if (len > 0)
  426. {
  427. len -= nb;
  428. if (len > 0)
  429. {
  430. memset(*out, 0, len);
  431. *out += len;
  432. }
  433. }
  434. }
  435. static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic);
  436. static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic);
  437. static void write_rsa(unsigned char **out, RSA *rsa, int ispub);
  438. static void write_dsa(unsigned char **out, DSA *dsa, int ispub);
  439. static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
  440. {
  441. unsigned char *p;
  442. unsigned int bitlen, magic = 0, keyalg;
  443. int outlen, noinc = 0;
  444. if (pk->type == EVP_PKEY_DSA)
  445. {
  446. bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic);
  447. keyalg = MS_KEYALG_DSS_SIGN;
  448. }
  449. else if (pk->type == EVP_PKEY_RSA)
  450. {
  451. bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic);
  452. keyalg = MS_KEYALG_RSA_KEYX;
  453. }
  454. else
  455. return -1;
  456. if (bitlen == 0)
  457. return -1;
  458. outlen = 16 + blob_length(bitlen,
  459. keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
  460. if (out == NULL)
  461. return outlen;
  462. if (*out)
  463. p = *out;
  464. else
  465. {
  466. p = OPENSSL_malloc(outlen);
  467. if (!p)
  468. return -1;
  469. *out = p;
  470. noinc = 1;
  471. }
  472. if (ispub)
  473. *p++ = MS_PUBLICKEYBLOB;
  474. else
  475. *p++ = MS_PRIVATEKEYBLOB;
  476. *p++ = 0x2;
  477. *p++ = 0;
  478. *p++ = 0;
  479. write_ledword(&p, keyalg);
  480. write_ledword(&p, magic);
  481. write_ledword(&p, bitlen);
  482. if (keyalg == MS_KEYALG_DSS_SIGN)
  483. write_dsa(&p, pk->pkey.dsa, ispub);
  484. else
  485. write_rsa(&p, pk->pkey.rsa, ispub);
  486. if (!noinc)
  487. *out += outlen;
  488. return outlen;
  489. }
  490. static int do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub)
  491. {
  492. unsigned char *tmp = NULL;
  493. int outlen, wrlen;
  494. outlen = do_i2b(&tmp, pk, ispub);
  495. if (outlen < 0)
  496. return -1;
  497. wrlen = BIO_write(out, tmp, outlen);
  498. OPENSSL_free(tmp);
  499. if (wrlen == outlen)
  500. return outlen;
  501. return -1;
  502. }
  503. static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic)
  504. {
  505. int bitlen;
  506. bitlen = BN_num_bits(dsa->p);
  507. if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160)
  508. || (BN_num_bits(dsa->g) > bitlen))
  509. goto badkey;
  510. if (ispub)
  511. {
  512. if (BN_num_bits(dsa->pub_key) > bitlen)
  513. goto badkey;
  514. *pmagic = MS_DSS1MAGIC;
  515. }
  516. else
  517. {
  518. if (BN_num_bits(dsa->priv_key) > 160)
  519. goto badkey;
  520. *pmagic = MS_DSS2MAGIC;
  521. }
  522. return bitlen;
  523. badkey:
  524. PEMerr(PEM_F_CHECK_BITLEN_DSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
  525. return 0;
  526. }
  527. static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic)
  528. {
  529. int nbyte, hnbyte, bitlen;
  530. if (BN_num_bits(rsa->e) > 32)
  531. goto badkey;
  532. bitlen = BN_num_bits(rsa->n);
  533. nbyte = BN_num_bytes(rsa->n);
  534. hnbyte = (BN_num_bits(rsa->n) + 15) >> 4;
  535. if (ispub)
  536. {
  537. *pmagic = MS_RSA1MAGIC;
  538. return bitlen;
  539. }
  540. else
  541. {
  542. *pmagic = MS_RSA2MAGIC;
  543. /* For private key each component must fit within nbyte or
  544. * hnbyte.
  545. */
  546. if (BN_num_bytes(rsa->d) > nbyte)
  547. goto badkey;
  548. if ((BN_num_bytes(rsa->iqmp) > hnbyte)
  549. || (BN_num_bytes(rsa->p) > hnbyte)
  550. || (BN_num_bytes(rsa->q) > hnbyte)
  551. || (BN_num_bytes(rsa->dmp1) > hnbyte)
  552. || (BN_num_bytes(rsa->dmq1) > hnbyte))
  553. goto badkey;
  554. }
  555. return bitlen;
  556. badkey:
  557. PEMerr(PEM_F_CHECK_BITLEN_RSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
  558. return 0;
  559. }
  560. static void write_rsa(unsigned char **out, RSA *rsa, int ispub)
  561. {
  562. int nbyte, hnbyte;
  563. nbyte = BN_num_bytes(rsa->n);
  564. hnbyte = (BN_num_bits(rsa->n) + 15) >> 4;
  565. write_lebn(out, rsa->e, 4);
  566. write_lebn(out, rsa->n, -1);
  567. if (ispub)
  568. return;
  569. write_lebn(out, rsa->p, hnbyte);
  570. write_lebn(out, rsa->q, hnbyte);
  571. write_lebn(out, rsa->dmp1, hnbyte);
  572. write_lebn(out, rsa->dmq1, hnbyte);
  573. write_lebn(out, rsa->iqmp, hnbyte);
  574. write_lebn(out, rsa->d, nbyte);
  575. }
  576. static void write_dsa(unsigned char **out, DSA *dsa, int ispub)
  577. {
  578. int nbyte;
  579. nbyte = BN_num_bytes(dsa->p);
  580. write_lebn(out, dsa->p, nbyte);
  581. write_lebn(out, dsa->q, 20);
  582. write_lebn(out, dsa->g, nbyte);
  583. if (ispub)
  584. write_lebn(out, dsa->pub_key, nbyte);
  585. else
  586. write_lebn(out, dsa->priv_key, 20);
  587. /* Set "invalid" for seed structure values */
  588. memset(*out, 0xff, 24);
  589. *out += 24;
  590. return;
  591. }
  592. int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk)
  593. {
  594. return do_i2b_bio(out, pk, 0);
  595. }
  596. int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk)
  597. {
  598. return do_i2b_bio(out, pk, 1);
  599. }
  600. #ifndef OPENSSL_NO_RC4
  601. static int do_PVK_header(const unsigned char **in, unsigned int length,
  602. int skip_magic,
  603. unsigned int *psaltlen, unsigned int *pkeylen)
  604. {
  605. const unsigned char *p = *in;
  606. unsigned int pvk_magic, is_encrypted;
  607. if (skip_magic)
  608. {
  609. if (length < 20)
  610. {
  611. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
  612. return 0;
  613. }
  614. length -= 20;
  615. }
  616. else
  617. {
  618. if (length < 24)
  619. {
  620. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
  621. return 0;
  622. }
  623. length -= 24;
  624. pvk_magic = read_ledword(&p);
  625. if (pvk_magic != MS_PVKMAGIC)
  626. {
  627. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER);
  628. return 0;
  629. }
  630. }
  631. /* Skip reserved */
  632. p += 4;
  633. /*keytype = */read_ledword(&p);
  634. is_encrypted = read_ledword(&p);
  635. *psaltlen = read_ledword(&p);
  636. *pkeylen = read_ledword(&p);
  637. if (is_encrypted && !*psaltlen)
  638. {
  639. PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
  640. return 0;
  641. }
  642. *in = p;
  643. return 1;
  644. }
  645. static int derive_pvk_key(unsigned char *key,
  646. const unsigned char *salt, unsigned int saltlen,
  647. const unsigned char *pass, int passlen)
  648. {
  649. EVP_MD_CTX mctx;
  650. int rv = 1;
  651. EVP_MD_CTX_init(&mctx);
  652. if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL)
  653. || !EVP_DigestUpdate(&mctx, salt, saltlen)
  654. || !EVP_DigestUpdate(&mctx, pass, passlen)
  655. || !EVP_DigestFinal_ex(&mctx, key, NULL))
  656. rv = 0;
  657. EVP_MD_CTX_cleanup(&mctx);
  658. return rv;
  659. }
  660. static EVP_PKEY *do_PVK_body(const unsigned char **in,
  661. unsigned int saltlen, unsigned int keylen,
  662. pem_password_cb *cb, void *u)
  663. {
  664. EVP_PKEY *ret = NULL;
  665. const unsigned char *p = *in;
  666. unsigned int magic;
  667. unsigned char *enctmp = NULL, *q;
  668. EVP_CIPHER_CTX cctx;
  669. EVP_CIPHER_CTX_init(&cctx);
  670. if (saltlen)
  671. {
  672. char psbuf[PEM_BUFSIZE];
  673. unsigned char keybuf[20];
  674. int enctmplen, inlen;
  675. if (cb)
  676. inlen=cb(psbuf,PEM_BUFSIZE,0,u);
  677. else
  678. inlen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
  679. if (inlen <= 0)
  680. {
  681. PEMerr(PEM_F_DO_PVK_BODY,PEM_R_BAD_PASSWORD_READ);
  682. return NULL;
  683. }
  684. enctmp = OPENSSL_malloc(keylen + 8);
  685. if (!enctmp)
  686. {
  687. PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
  688. return NULL;
  689. }
  690. if (!derive_pvk_key(keybuf, p, saltlen,
  691. (unsigned char *)psbuf, inlen))
  692. return NULL;
  693. p += saltlen;
  694. /* Copy BLOBHEADER across, decrypt rest */
  695. memcpy(enctmp, p, 8);
  696. p += 8;
  697. inlen = keylen - 8;
  698. q = enctmp + 8;
  699. if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
  700. goto err;
  701. if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
  702. goto err;
  703. if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen))
  704. goto err;
  705. magic = read_ledword((const unsigned char **)&q);
  706. if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC)
  707. {
  708. q = enctmp + 8;
  709. memset(keybuf + 5, 0, 11);
  710. if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf,
  711. NULL))
  712. goto err;
  713. OPENSSL_cleanse(keybuf, 20);
  714. if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
  715. goto err;
  716. if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen,
  717. &enctmplen))
  718. goto err;
  719. magic = read_ledword((const unsigned char **)&q);
  720. if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC)
  721. {
  722. PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT);
  723. goto err;
  724. }
  725. }
  726. else
  727. OPENSSL_cleanse(keybuf, 20);
  728. p = enctmp;
  729. }
  730. ret = b2i_PrivateKey(&p, keylen);
  731. err:
  732. EVP_CIPHER_CTX_cleanup(&cctx);
  733. if (enctmp && saltlen)
  734. OPENSSL_free(enctmp);
  735. return ret;
  736. }
  737. EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
  738. {
  739. unsigned char pvk_hdr[24], *buf = NULL;
  740. const unsigned char *p;
  741. int buflen;
  742. EVP_PKEY *ret = NULL;
  743. unsigned int saltlen, keylen;
  744. if (BIO_read(in, pvk_hdr, 24) != 24)
  745. {
  746. PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT);
  747. return NULL;
  748. }
  749. p = pvk_hdr;
  750. if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen))
  751. return 0;
  752. buflen = (int) keylen + saltlen;
  753. buf = OPENSSL_malloc(buflen);
  754. if (!buf)
  755. {
  756. PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE);
  757. return 0;
  758. }
  759. p = buf;
  760. if (BIO_read(in, buf, buflen) != buflen)
  761. {
  762. PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT);
  763. goto err;
  764. }
  765. ret = do_PVK_body(&p, saltlen, keylen, cb, u);
  766. err:
  767. if (buf)
  768. {
  769. OPENSSL_cleanse(buf, buflen);
  770. OPENSSL_free(buf);
  771. }
  772. return ret;
  773. }
  774. static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel,
  775. pem_password_cb *cb, void *u)
  776. {
  777. int outlen = 24, pklen;
  778. unsigned char *p, *salt = NULL;
  779. EVP_CIPHER_CTX cctx;
  780. EVP_CIPHER_CTX_init(&cctx);
  781. if (enclevel)
  782. outlen += PVK_SALTLEN;
  783. pklen = do_i2b(NULL, pk, 0);
  784. if (pklen < 0)
  785. return -1;
  786. outlen += pklen;
  787. if (!out)
  788. return outlen;
  789. if (*out)
  790. p = *out;
  791. else
  792. {
  793. p = OPENSSL_malloc(outlen);
  794. if (!p)
  795. {
  796. PEMerr(PEM_F_I2B_PVK,ERR_R_MALLOC_FAILURE);
  797. return -1;
  798. }
  799. *out = p;
  800. }
  801. write_ledword(&p, MS_PVKMAGIC);
  802. write_ledword(&p, 0);
  803. if (pk->type == EVP_PKEY_DSA)
  804. write_ledword(&p, MS_KEYTYPE_SIGN);
  805. else
  806. write_ledword(&p, MS_KEYTYPE_KEYX);
  807. write_ledword(&p, enclevel ? 1 : 0);
  808. write_ledword(&p, enclevel ? PVK_SALTLEN: 0);
  809. write_ledword(&p, pklen);
  810. if (enclevel)
  811. {
  812. if (RAND_bytes(p, PVK_SALTLEN) <= 0)
  813. goto error;
  814. salt = p;
  815. p += PVK_SALTLEN;
  816. }
  817. do_i2b(&p, pk, 0);
  818. if (enclevel == 0)
  819. return outlen;
  820. else
  821. {
  822. char psbuf[PEM_BUFSIZE];
  823. unsigned char keybuf[20];
  824. int enctmplen, inlen;
  825. if (cb)
  826. inlen=cb(psbuf,PEM_BUFSIZE,1,u);
  827. else
  828. inlen=PEM_def_callback(psbuf,PEM_BUFSIZE,1,u);
  829. if (inlen <= 0)
  830. {
  831. PEMerr(PEM_F_I2B_PVK,PEM_R_BAD_PASSWORD_READ);
  832. goto error;
  833. }
  834. if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
  835. (unsigned char *)psbuf, inlen))
  836. goto error;
  837. if (enclevel == 1)
  838. memset(keybuf + 5, 0, 11);
  839. p = salt + PVK_SALTLEN + 8;
  840. if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
  841. goto error;
  842. OPENSSL_cleanse(keybuf, 20);
  843. if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8))
  844. goto error;
  845. if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen))
  846. goto error;
  847. }
  848. EVP_CIPHER_CTX_cleanup(&cctx);
  849. return outlen;
  850. error:
  851. EVP_CIPHER_CTX_cleanup(&cctx);
  852. return -1;
  853. }
  854. int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
  855. pem_password_cb *cb, void *u)
  856. {
  857. unsigned char *tmp = NULL;
  858. int outlen, wrlen;
  859. outlen = i2b_PVK(&tmp, pk, enclevel, cb, u);
  860. if (outlen < 0)
  861. return -1;
  862. wrlen = BIO_write(out, tmp, outlen);
  863. OPENSSL_free(tmp);
  864. if (wrlen == outlen)
  865. {
  866. PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE);
  867. return outlen;
  868. }
  869. return -1;
  870. }
  871. #endif
  872. #endif