pvkfmt.c revision 296341
1/* 2 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 3 * 2005. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59/* 60 * Support for PVK format keys and related structures (such a PUBLICKEYBLOB 61 * and PRIVATEKEYBLOB). 62 */ 63 64#include "cryptlib.h" 65#include <openssl/pem.h> 66#include <openssl/rand.h> 67#include <openssl/bn.h> 68#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) 69# include <openssl/dsa.h> 70# include <openssl/rsa.h> 71 72/* 73 * Utility function: read a DWORD (4 byte unsigned integer) in little endian 74 * format 75 */ 76 77static unsigned int read_ledword(const unsigned char **in) 78{ 79 const unsigned char *p = *in; 80 unsigned int ret; 81 ret = *p++; 82 ret |= (*p++ << 8); 83 ret |= (*p++ << 16); 84 ret |= (*p++ << 24); 85 *in = p; 86 return ret; 87} 88 89/* 90 * Read a BIGNUM in little endian format. The docs say that this should take 91 * up bitlen/8 bytes. 92 */ 93 94static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) 95{ 96 const unsigned char *p; 97 unsigned char *tmpbuf, *q; 98 unsigned int i; 99 p = *in + nbyte - 1; 100 tmpbuf = OPENSSL_malloc(nbyte); 101 if (!tmpbuf) 102 return 0; 103 q = tmpbuf; 104 for (i = 0; i < nbyte; i++) 105 *q++ = *p--; 106 *r = BN_bin2bn(tmpbuf, nbyte, NULL); 107 OPENSSL_free(tmpbuf); 108 if (*r) { 109 *in += nbyte; 110 return 1; 111 } else 112 return 0; 113} 114 115/* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ 116 117# define MS_PUBLICKEYBLOB 0x6 118# define MS_PRIVATEKEYBLOB 0x7 119# define MS_RSA1MAGIC 0x31415352L 120# define MS_RSA2MAGIC 0x32415352L 121# define MS_DSS1MAGIC 0x31535344L 122# define MS_DSS2MAGIC 0x32535344L 123 124# define MS_KEYALG_RSA_KEYX 0xa400 125# define MS_KEYALG_DSS_SIGN 0x2200 126 127# define MS_KEYTYPE_KEYX 0x1 128# define MS_KEYTYPE_SIGN 0x2 129 130/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ 131# define MS_PVKMAGIC 0xb0b5f11eL 132/* Salt length for PVK files */ 133# define PVK_SALTLEN 0x10 134 135static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, 136 unsigned int bitlen, int ispub); 137static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, 138 unsigned int bitlen, int ispub); 139 140static int do_blob_header(const unsigned char **in, unsigned int length, 141 unsigned int *pmagic, unsigned int *pbitlen, 142 int *pisdss, int *pispub) 143{ 144 const unsigned char *p = *in; 145 if (length < 16) 146 return 0; 147 /* bType */ 148 if (*p == MS_PUBLICKEYBLOB) { 149 if (*pispub == 0) { 150 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 151 return 0; 152 } 153 *pispub = 1; 154 } else if (*p == MS_PRIVATEKEYBLOB) { 155 if (*pispub == 1) { 156 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 157 return 0; 158 } 159 *pispub = 0; 160 } else 161 return 0; 162 p++; 163 /* Version */ 164 if (*p++ != 0x2) { 165 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_VERSION_NUMBER); 166 return 0; 167 } 168 /* Ignore reserved, aiKeyAlg */ 169 p += 6; 170 *pmagic = read_ledword(&p); 171 *pbitlen = read_ledword(&p); 172 *pisdss = 0; 173 switch (*pmagic) { 174 175 case MS_DSS1MAGIC: 176 *pisdss = 1; 177 case MS_RSA1MAGIC: 178 if (*pispub == 0) { 179 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 180 return 0; 181 } 182 break; 183 184 case MS_DSS2MAGIC: 185 *pisdss = 1; 186 case MS_RSA2MAGIC: 187 if (*pispub == 1) { 188 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 189 return 0; 190 } 191 break; 192 193 default: 194 PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_BAD_MAGIC_NUMBER); 195 return -1; 196 } 197 *in = p; 198 return 1; 199} 200 201static unsigned int blob_length(unsigned bitlen, int isdss, int ispub) 202{ 203 unsigned int nbyte, hnbyte; 204 nbyte = (bitlen + 7) >> 3; 205 hnbyte = (bitlen + 15) >> 4; 206 if (isdss) { 207 208 /* 209 * Expected length: 20 for q + 3 components bitlen each + 24 for seed 210 * structure. 211 */ 212 if (ispub) 213 return 44 + 3 * nbyte; 214 /* 215 * Expected length: 20 for q, priv, 2 bitlen components + 24 for seed 216 * structure. 217 */ 218 else 219 return 64 + 2 * nbyte; 220 } else { 221 /* Expected length: 4 for 'e' + 'n' */ 222 if (ispub) 223 return 4 + nbyte; 224 else 225 /* 226 * Expected length: 4 for 'e' and 7 other components. 2 227 * components are bitlen size, 5 are bitlen/2 228 */ 229 return 4 + 2 * nbyte + 5 * hnbyte; 230 } 231 232} 233 234static EVP_PKEY *do_b2i(const unsigned char **in, unsigned int length, 235 int ispub) 236{ 237 const unsigned char *p = *in; 238 unsigned int bitlen, magic; 239 int isdss; 240 if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) { 241 PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_HEADER_PARSE_ERROR); 242 return NULL; 243 } 244 length -= 16; 245 if (length < blob_length(bitlen, isdss, ispub)) { 246 PEMerr(PEM_F_DO_B2I, PEM_R_KEYBLOB_TOO_SHORT); 247 return NULL; 248 } 249 if (isdss) 250 return b2i_dss(&p, length, bitlen, ispub); 251 else 252 return b2i_rsa(&p, length, bitlen, ispub); 253} 254 255static EVP_PKEY *do_b2i_bio(BIO *in, int ispub) 256{ 257 const unsigned char *p; 258 unsigned char hdr_buf[16], *buf = NULL; 259 unsigned int bitlen, magic, length; 260 int isdss; 261 EVP_PKEY *ret = NULL; 262 if (BIO_read(in, hdr_buf, 16) != 16) { 263 PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT); 264 return NULL; 265 } 266 p = hdr_buf; 267 if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0) 268 return NULL; 269 270 length = blob_length(bitlen, isdss, ispub); 271 buf = OPENSSL_malloc(length); 272 if (!buf) { 273 PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE); 274 goto err; 275 } 276 p = buf; 277 if (BIO_read(in, buf, length) != (int)length) { 278 PEMerr(PEM_F_DO_B2I_BIO, PEM_R_KEYBLOB_TOO_SHORT); 279 goto err; 280 } 281 282 if (isdss) 283 ret = b2i_dss(&p, length, bitlen, ispub); 284 else 285 ret = b2i_rsa(&p, length, bitlen, ispub); 286 287 err: 288 if (buf) 289 OPENSSL_free(buf); 290 return ret; 291} 292 293static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, 294 unsigned int bitlen, int ispub) 295{ 296 const unsigned char *p = *in; 297 EVP_PKEY *ret = NULL; 298 DSA *dsa = NULL; 299 BN_CTX *ctx = NULL; 300 unsigned int nbyte; 301 nbyte = (bitlen + 7) >> 3; 302 303 dsa = DSA_new(); 304 ret = EVP_PKEY_new(); 305 if (!dsa || !ret) 306 goto memerr; 307 if (!read_lebn(&p, nbyte, &dsa->p)) 308 goto memerr; 309 if (!read_lebn(&p, 20, &dsa->q)) 310 goto memerr; 311 if (!read_lebn(&p, nbyte, &dsa->g)) 312 goto memerr; 313 if (ispub) { 314 if (!read_lebn(&p, nbyte, &dsa->pub_key)) 315 goto memerr; 316 } else { 317 if (!read_lebn(&p, 20, &dsa->priv_key)) 318 goto memerr; 319 /* Calculate public key */ 320 if (!(dsa->pub_key = BN_new())) 321 goto memerr; 322 if (!(ctx = BN_CTX_new())) 323 goto memerr; 324 325 if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) 326 327 goto memerr; 328 BN_CTX_free(ctx); 329 } 330 331 EVP_PKEY_set1_DSA(ret, dsa); 332 DSA_free(dsa); 333 *in = p; 334 return ret; 335 336 memerr: 337 PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE); 338 if (dsa) 339 DSA_free(dsa); 340 if (ret) 341 EVP_PKEY_free(ret); 342 if (ctx) 343 BN_CTX_free(ctx); 344 return NULL; 345} 346 347static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, 348 unsigned int bitlen, int ispub) 349{ 350 const unsigned char *p = *in; 351 EVP_PKEY *ret = NULL; 352 RSA *rsa = NULL; 353 unsigned int nbyte, hnbyte; 354 nbyte = (bitlen + 7) >> 3; 355 hnbyte = (bitlen + 15) >> 4; 356 rsa = RSA_new(); 357 ret = EVP_PKEY_new(); 358 if (!rsa || !ret) 359 goto memerr; 360 rsa->e = BN_new(); 361 if (!rsa->e) 362 goto memerr; 363 if (!BN_set_word(rsa->e, read_ledword(&p))) 364 goto memerr; 365 if (!read_lebn(&p, nbyte, &rsa->n)) 366 goto memerr; 367 if (!ispub) { 368 if (!read_lebn(&p, hnbyte, &rsa->p)) 369 goto memerr; 370 if (!read_lebn(&p, hnbyte, &rsa->q)) 371 goto memerr; 372 if (!read_lebn(&p, hnbyte, &rsa->dmp1)) 373 goto memerr; 374 if (!read_lebn(&p, hnbyte, &rsa->dmq1)) 375 goto memerr; 376 if (!read_lebn(&p, hnbyte, &rsa->iqmp)) 377 goto memerr; 378 if (!read_lebn(&p, nbyte, &rsa->d)) 379 goto memerr; 380 } 381 382 EVP_PKEY_set1_RSA(ret, rsa); 383 RSA_free(rsa); 384 *in = p; 385 return ret; 386 memerr: 387 PEMerr(PEM_F_B2I_RSA, ERR_R_MALLOC_FAILURE); 388 if (rsa) 389 RSA_free(rsa); 390 if (ret) 391 EVP_PKEY_free(ret); 392 return NULL; 393} 394 395EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length) 396{ 397 return do_b2i(in, length, 0); 398} 399 400EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length) 401{ 402 return do_b2i(in, length, 1); 403} 404 405EVP_PKEY *b2i_PrivateKey_bio(BIO *in) 406{ 407 return do_b2i_bio(in, 0); 408} 409 410EVP_PKEY *b2i_PublicKey_bio(BIO *in) 411{ 412 return do_b2i_bio(in, 1); 413} 414 415static void write_ledword(unsigned char **out, unsigned int dw) 416{ 417 unsigned char *p = *out; 418 *p++ = dw & 0xff; 419 *p++ = (dw >> 8) & 0xff; 420 *p++ = (dw >> 16) & 0xff; 421 *p++ = (dw >> 24) & 0xff; 422 *out = p; 423} 424 425static void write_lebn(unsigned char **out, const BIGNUM *bn, int len) 426{ 427 int nb, i; 428 unsigned char *p = *out, *q, c; 429 nb = BN_num_bytes(bn); 430 BN_bn2bin(bn, p); 431 q = p + nb - 1; 432 /* In place byte order reversal */ 433 for (i = 0; i < nb / 2; i++) { 434 c = *p; 435 *p++ = *q; 436 *q-- = c; 437 } 438 *out += nb; 439 /* Pad with zeroes if we have to */ 440 if (len > 0) { 441 len -= nb; 442 if (len > 0) { 443 memset(*out, 0, len); 444 *out += len; 445 } 446 } 447} 448 449static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); 450static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); 451 452static void write_rsa(unsigned char **out, RSA *rsa, int ispub); 453static void write_dsa(unsigned char **out, DSA *dsa, int ispub); 454 455static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) 456{ 457 unsigned char *p; 458 unsigned int bitlen, magic = 0, keyalg; 459 int outlen, noinc = 0; 460 if (pk->type == EVP_PKEY_DSA) { 461 bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); 462 keyalg = MS_KEYALG_DSS_SIGN; 463 } else if (pk->type == EVP_PKEY_RSA) { 464 bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); 465 keyalg = MS_KEYALG_RSA_KEYX; 466 } else 467 return -1; 468 if (bitlen == 0) 469 return -1; 470 outlen = 16 + blob_length(bitlen, 471 keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); 472 if (out == NULL) 473 return outlen; 474 if (*out) 475 p = *out; 476 else { 477 p = OPENSSL_malloc(outlen); 478 if (!p) 479 return -1; 480 *out = p; 481 noinc = 1; 482 } 483 if (ispub) 484 *p++ = MS_PUBLICKEYBLOB; 485 else 486 *p++ = MS_PRIVATEKEYBLOB; 487 *p++ = 0x2; 488 *p++ = 0; 489 *p++ = 0; 490 write_ledword(&p, keyalg); 491 write_ledword(&p, magic); 492 write_ledword(&p, bitlen); 493 if (keyalg == MS_KEYALG_DSS_SIGN) 494 write_dsa(&p, pk->pkey.dsa, ispub); 495 else 496 write_rsa(&p, pk->pkey.rsa, ispub); 497 if (!noinc) 498 *out += outlen; 499 return outlen; 500} 501 502static int do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) 503{ 504 unsigned char *tmp = NULL; 505 int outlen, wrlen; 506 outlen = do_i2b(&tmp, pk, ispub); 507 if (outlen < 0) 508 return -1; 509 wrlen = BIO_write(out, tmp, outlen); 510 OPENSSL_free(tmp); 511 if (wrlen == outlen) 512 return outlen; 513 return -1; 514} 515 516static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) 517{ 518 int bitlen; 519 bitlen = BN_num_bits(dsa->p); 520 if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) 521 || (BN_num_bits(dsa->g) > bitlen)) 522 goto badkey; 523 if (ispub) { 524 if (BN_num_bits(dsa->pub_key) > bitlen) 525 goto badkey; 526 *pmagic = MS_DSS1MAGIC; 527 } else { 528 if (BN_num_bits(dsa->priv_key) > 160) 529 goto badkey; 530 *pmagic = MS_DSS2MAGIC; 531 } 532 533 return bitlen; 534 badkey: 535 PEMerr(PEM_F_CHECK_BITLEN_DSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 536 return 0; 537} 538 539static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) 540{ 541 int nbyte, hnbyte, bitlen; 542 if (BN_num_bits(rsa->e) > 32) 543 goto badkey; 544 bitlen = BN_num_bits(rsa->n); 545 nbyte = BN_num_bytes(rsa->n); 546 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 547 if (ispub) { 548 *pmagic = MS_RSA1MAGIC; 549 return bitlen; 550 } else { 551 *pmagic = MS_RSA2MAGIC; 552 /* 553 * For private key each component must fit within nbyte or hnbyte. 554 */ 555 if (BN_num_bytes(rsa->d) > nbyte) 556 goto badkey; 557 if ((BN_num_bytes(rsa->iqmp) > hnbyte) 558 || (BN_num_bytes(rsa->p) > hnbyte) 559 || (BN_num_bytes(rsa->q) > hnbyte) 560 || (BN_num_bytes(rsa->dmp1) > hnbyte) 561 || (BN_num_bytes(rsa->dmq1) > hnbyte)) 562 goto badkey; 563 } 564 return bitlen; 565 badkey: 566 PEMerr(PEM_F_CHECK_BITLEN_RSA, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 567 return 0; 568} 569 570static void write_rsa(unsigned char **out, RSA *rsa, int ispub) 571{ 572 int nbyte, hnbyte; 573 nbyte = BN_num_bytes(rsa->n); 574 hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; 575 write_lebn(out, rsa->e, 4); 576 write_lebn(out, rsa->n, -1); 577 if (ispub) 578 return; 579 write_lebn(out, rsa->p, hnbyte); 580 write_lebn(out, rsa->q, hnbyte); 581 write_lebn(out, rsa->dmp1, hnbyte); 582 write_lebn(out, rsa->dmq1, hnbyte); 583 write_lebn(out, rsa->iqmp, hnbyte); 584 write_lebn(out, rsa->d, nbyte); 585} 586 587static void write_dsa(unsigned char **out, DSA *dsa, int ispub) 588{ 589 int nbyte; 590 nbyte = BN_num_bytes(dsa->p); 591 write_lebn(out, dsa->p, nbyte); 592 write_lebn(out, dsa->q, 20); 593 write_lebn(out, dsa->g, nbyte); 594 if (ispub) 595 write_lebn(out, dsa->pub_key, nbyte); 596 else 597 write_lebn(out, dsa->priv_key, 20); 598 /* Set "invalid" for seed structure values */ 599 memset(*out, 0xff, 24); 600 *out += 24; 601 return; 602} 603 604int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk) 605{ 606 return do_i2b_bio(out, pk, 0); 607} 608 609int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk) 610{ 611 return do_i2b_bio(out, pk, 1); 612} 613 614# ifndef OPENSSL_NO_RC4 615 616static int do_PVK_header(const unsigned char **in, unsigned int length, 617 int skip_magic, 618 unsigned int *psaltlen, unsigned int *pkeylen) 619{ 620 const unsigned char *p = *in; 621 unsigned int pvk_magic, is_encrypted; 622 if (skip_magic) { 623 if (length < 20) { 624 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); 625 return 0; 626 } 627 length -= 20; 628 } else { 629 if (length < 24) { 630 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); 631 return 0; 632 } 633 length -= 24; 634 pvk_magic = read_ledword(&p); 635 if (pvk_magic != MS_PVKMAGIC) { 636 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER); 637 return 0; 638 } 639 } 640 /* Skip reserved */ 641 p += 4; 642 /* 643 * keytype = 644 */ read_ledword(&p); 645 is_encrypted = read_ledword(&p); 646 *psaltlen = read_ledword(&p); 647 *pkeylen = read_ledword(&p); 648 649 if (is_encrypted && !*psaltlen) { 650 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER); 651 return 0; 652 } 653 654 *in = p; 655 return 1; 656} 657 658static int derive_pvk_key(unsigned char *key, 659 const unsigned char *salt, unsigned int saltlen, 660 const unsigned char *pass, int passlen) 661{ 662 EVP_MD_CTX mctx; 663 int rv = 1; 664 EVP_MD_CTX_init(&mctx); 665 if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) 666 || !EVP_DigestUpdate(&mctx, salt, saltlen) 667 || !EVP_DigestUpdate(&mctx, pass, passlen) 668 || !EVP_DigestFinal_ex(&mctx, key, NULL)) 669 rv = 0; 670 671 EVP_MD_CTX_cleanup(&mctx); 672 return rv; 673} 674 675static EVP_PKEY *do_PVK_body(const unsigned char **in, 676 unsigned int saltlen, unsigned int keylen, 677 pem_password_cb *cb, void *u) 678{ 679 EVP_PKEY *ret = NULL; 680 const unsigned char *p = *in; 681 unsigned int magic; 682 unsigned char *enctmp = NULL, *q; 683 EVP_CIPHER_CTX cctx; 684 EVP_CIPHER_CTX_init(&cctx); 685 if (saltlen) { 686 char psbuf[PEM_BUFSIZE]; 687 unsigned char keybuf[20]; 688 int enctmplen, inlen; 689 if (cb) 690 inlen = cb(psbuf, PEM_BUFSIZE, 0, u); 691 else 692 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); 693 if (inlen <= 0) { 694 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); 695 return NULL; 696 } 697 enctmp = OPENSSL_malloc(keylen + 8); 698 if (!enctmp) { 699 PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); 700 return NULL; 701 } 702 if (!derive_pvk_key(keybuf, p, saltlen, 703 (unsigned char *)psbuf, inlen)) 704 return NULL; 705 p += saltlen; 706 /* Copy BLOBHEADER across, decrypt rest */ 707 memcpy(enctmp, p, 8); 708 p += 8; 709 if (keylen < 8) { 710 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); 711 return NULL; 712 } 713 inlen = keylen - 8; 714 q = enctmp + 8; 715 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 716 goto err; 717 if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) 718 goto err; 719 if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) 720 goto err; 721 magic = read_ledword((const unsigned char **)&q); 722 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 723 q = enctmp + 8; 724 memset(keybuf + 5, 0, 11); 725 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 726 goto err; 727 OPENSSL_cleanse(keybuf, 20); 728 if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) 729 goto err; 730 if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) 731 goto err; 732 magic = read_ledword((const unsigned char **)&q); 733 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 734 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT); 735 goto err; 736 } 737 } else 738 OPENSSL_cleanse(keybuf, 20); 739 p = enctmp; 740 } 741 742 ret = b2i_PrivateKey(&p, keylen); 743 err: 744 EVP_CIPHER_CTX_cleanup(&cctx); 745 if (enctmp && saltlen) 746 OPENSSL_free(enctmp); 747 return ret; 748} 749 750EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 751{ 752 unsigned char pvk_hdr[24], *buf = NULL; 753 const unsigned char *p; 754 int buflen; 755 EVP_PKEY *ret = NULL; 756 unsigned int saltlen, keylen; 757 if (BIO_read(in, pvk_hdr, 24) != 24) { 758 PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT); 759 return NULL; 760 } 761 p = pvk_hdr; 762 763 if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen)) 764 return 0; 765 buflen = (int)keylen + saltlen; 766 buf = OPENSSL_malloc(buflen); 767 if (!buf) { 768 PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE); 769 return 0; 770 } 771 p = buf; 772 if (BIO_read(in, buf, buflen) != buflen) { 773 PEMerr(PEM_F_B2I_PVK_BIO, PEM_R_PVK_DATA_TOO_SHORT); 774 goto err; 775 } 776 ret = do_PVK_body(&p, saltlen, keylen, cb, u); 777 778 err: 779 if (buf) { 780 OPENSSL_cleanse(buf, buflen); 781 OPENSSL_free(buf); 782 } 783 return ret; 784} 785 786static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel, 787 pem_password_cb *cb, void *u) 788{ 789 int outlen = 24, pklen; 790 unsigned char *p, *salt = NULL; 791 EVP_CIPHER_CTX cctx; 792 EVP_CIPHER_CTX_init(&cctx); 793 if (enclevel) 794 outlen += PVK_SALTLEN; 795 pklen = do_i2b(NULL, pk, 0); 796 if (pklen < 0) 797 return -1; 798 outlen += pklen; 799 if (!out) 800 return outlen; 801 if (*out) 802 p = *out; 803 else { 804 p = OPENSSL_malloc(outlen); 805 if (!p) { 806 PEMerr(PEM_F_I2B_PVK, ERR_R_MALLOC_FAILURE); 807 return -1; 808 } 809 *out = p; 810 } 811 812 write_ledword(&p, MS_PVKMAGIC); 813 write_ledword(&p, 0); 814 if (pk->type == EVP_PKEY_DSA) 815 write_ledword(&p, MS_KEYTYPE_SIGN); 816 else 817 write_ledword(&p, MS_KEYTYPE_KEYX); 818 write_ledword(&p, enclevel ? 1 : 0); 819 write_ledword(&p, enclevel ? PVK_SALTLEN : 0); 820 write_ledword(&p, pklen); 821 if (enclevel) { 822 if (RAND_bytes(p, PVK_SALTLEN) <= 0) 823 goto error; 824 salt = p; 825 p += PVK_SALTLEN; 826 } 827 do_i2b(&p, pk, 0); 828 if (enclevel == 0) 829 return outlen; 830 else { 831 char psbuf[PEM_BUFSIZE]; 832 unsigned char keybuf[20]; 833 int enctmplen, inlen; 834 if (cb) 835 inlen = cb(psbuf, PEM_BUFSIZE, 1, u); 836 else 837 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); 838 if (inlen <= 0) { 839 PEMerr(PEM_F_I2B_PVK, PEM_R_BAD_PASSWORD_READ); 840 goto error; 841 } 842 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, 843 (unsigned char *)psbuf, inlen)) 844 goto error; 845 if (enclevel == 1) 846 memset(keybuf + 5, 0, 11); 847 p = salt + PVK_SALTLEN + 8; 848 if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) 849 goto error; 850 OPENSSL_cleanse(keybuf, 20); 851 if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8)) 852 goto error; 853 if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen)) 854 goto error; 855 } 856 EVP_CIPHER_CTX_cleanup(&cctx); 857 return outlen; 858 859 error: 860 EVP_CIPHER_CTX_cleanup(&cctx); 861 return -1; 862} 863 864int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, 865 pem_password_cb *cb, void *u) 866{ 867 unsigned char *tmp = NULL; 868 int outlen, wrlen; 869 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u); 870 if (outlen < 0) 871 return -1; 872 wrlen = BIO_write(out, tmp, outlen); 873 OPENSSL_free(tmp); 874 if (wrlen == outlen) { 875 PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); 876 return outlen; 877 } 878 return -1; 879} 880 881# endif 882 883#endif 884