1 |
|
|
/* $OpenBSD: pvkfmt.c,v 1.19 2017/05/02 03:59:44 deraadt Exp $ */ |
2 |
|
|
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
3 |
|
|
* project 2005. |
4 |
|
|
*/ |
5 |
|
|
/* ==================================================================== |
6 |
|
|
* Copyright (c) 2005 The OpenSSL Project. All rights reserved. |
7 |
|
|
* |
8 |
|
|
* Redistribution and use in source and binary forms, with or without |
9 |
|
|
* modification, are permitted provided that the following conditions |
10 |
|
|
* are met: |
11 |
|
|
* |
12 |
|
|
* 1. Redistributions of source code must retain the above copyright |
13 |
|
|
* notice, this list of conditions and the following disclaimer. |
14 |
|
|
* |
15 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
16 |
|
|
* notice, this list of conditions and the following disclaimer in |
17 |
|
|
* the documentation and/or other materials provided with the |
18 |
|
|
* distribution. |
19 |
|
|
* |
20 |
|
|
* 3. All advertising materials mentioning features or use of this |
21 |
|
|
* software must display the following acknowledgment: |
22 |
|
|
* "This product includes software developed by the OpenSSL Project |
23 |
|
|
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" |
24 |
|
|
* |
25 |
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
26 |
|
|
* endorse or promote products derived from this software without |
27 |
|
|
* prior written permission. For written permission, please contact |
28 |
|
|
* licensing@OpenSSL.org. |
29 |
|
|
* |
30 |
|
|
* 5. Products derived from this software may not be called "OpenSSL" |
31 |
|
|
* nor may "OpenSSL" appear in their names without prior written |
32 |
|
|
* permission of the OpenSSL Project. |
33 |
|
|
* |
34 |
|
|
* 6. Redistributions of any form whatsoever must retain the following |
35 |
|
|
* acknowledgment: |
36 |
|
|
* "This product includes software developed by the OpenSSL Project |
37 |
|
|
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" |
38 |
|
|
* |
39 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
40 |
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
41 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
42 |
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
43 |
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
44 |
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
45 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
46 |
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
48 |
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
49 |
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
50 |
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE. |
51 |
|
|
* ==================================================================== |
52 |
|
|
* |
53 |
|
|
* This product includes cryptographic software written by Eric Young |
54 |
|
|
* (eay@cryptsoft.com). This product includes software written by Tim |
55 |
|
|
* Hudson (tjh@cryptsoft.com). |
56 |
|
|
* |
57 |
|
|
*/ |
58 |
|
|
|
59 |
|
|
/* Support for PVK format keys and related structures (such a PUBLICKEYBLOB |
60 |
|
|
* and PRIVATEKEYBLOB). |
61 |
|
|
*/ |
62 |
|
|
|
63 |
|
|
#include <stdlib.h> |
64 |
|
|
#include <string.h> |
65 |
|
|
|
66 |
|
|
#include <openssl/opensslconf.h> |
67 |
|
|
|
68 |
|
|
#include <openssl/bn.h> |
69 |
|
|
#include <openssl/err.h> |
70 |
|
|
#include <openssl/pem.h> |
71 |
|
|
|
72 |
|
|
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) |
73 |
|
|
#include <openssl/dsa.h> |
74 |
|
|
#include <openssl/rsa.h> |
75 |
|
|
|
76 |
|
|
#include "bn_lcl.h" |
77 |
|
|
|
78 |
|
|
/* Utility function: read a DWORD (4 byte unsigned integer) in little endian |
79 |
|
|
* format |
80 |
|
|
*/ |
81 |
|
|
|
82 |
|
|
static unsigned int |
83 |
|
|
read_ledword(const unsigned char **in) |
84 |
|
|
{ |
85 |
|
|
const unsigned char *p = *in; |
86 |
|
|
unsigned int ret; |
87 |
|
|
|
88 |
|
|
ret = *p++; |
89 |
|
|
ret |= (*p++ << 8); |
90 |
|
|
ret |= (*p++ << 16); |
91 |
|
|
ret |= (*p++ << 24); |
92 |
|
|
*in = p; |
93 |
|
|
return ret; |
94 |
|
|
} |
95 |
|
|
|
96 |
|
|
/* Read a BIGNUM in little endian format. The docs say that this should take up |
97 |
|
|
* bitlen/8 bytes. |
98 |
|
|
*/ |
99 |
|
|
|
100 |
|
|
static int |
101 |
|
|
read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) |
102 |
|
|
{ |
103 |
|
|
const unsigned char *p; |
104 |
|
|
unsigned char *tmpbuf, *q; |
105 |
|
|
unsigned int i; |
106 |
|
|
|
107 |
|
|
p = *in + nbyte - 1; |
108 |
|
|
tmpbuf = malloc(nbyte); |
109 |
|
|
if (!tmpbuf) |
110 |
|
|
return 0; |
111 |
|
|
q = tmpbuf; |
112 |
|
|
for (i = 0; i < nbyte; i++) |
113 |
|
|
*q++ = *p--; |
114 |
|
|
*r = BN_bin2bn(tmpbuf, nbyte, NULL); |
115 |
|
|
free(tmpbuf); |
116 |
|
|
if (*r) { |
117 |
|
|
*in += nbyte; |
118 |
|
|
return 1; |
119 |
|
|
} else |
120 |
|
|
return 0; |
121 |
|
|
} |
122 |
|
|
|
123 |
|
|
|
124 |
|
|
/* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ |
125 |
|
|
|
126 |
|
|
#define MS_PUBLICKEYBLOB 0x6 |
127 |
|
|
#define MS_PRIVATEKEYBLOB 0x7 |
128 |
|
|
#define MS_RSA1MAGIC 0x31415352L |
129 |
|
|
#define MS_RSA2MAGIC 0x32415352L |
130 |
|
|
#define MS_DSS1MAGIC 0x31535344L |
131 |
|
|
#define MS_DSS2MAGIC 0x32535344L |
132 |
|
|
|
133 |
|
|
#define MS_KEYALG_RSA_KEYX 0xa400 |
134 |
|
|
#define MS_KEYALG_DSS_SIGN 0x2200 |
135 |
|
|
|
136 |
|
|
#define MS_KEYTYPE_KEYX 0x1 |
137 |
|
|
#define MS_KEYTYPE_SIGN 0x2 |
138 |
|
|
|
139 |
|
|
/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ |
140 |
|
|
#define MS_PVKMAGIC 0xb0b5f11eL |
141 |
|
|
/* Salt length for PVK files */ |
142 |
|
|
#define PVK_SALTLEN 0x10 |
143 |
|
|
|
144 |
|
|
static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, |
145 |
|
|
unsigned int bitlen, int ispub); |
146 |
|
|
static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, |
147 |
|
|
unsigned int bitlen, int ispub); |
148 |
|
|
|
149 |
|
|
static int |
150 |
|
|
do_blob_header(const unsigned char **in, unsigned int length, |
151 |
|
|
unsigned int *pmagic, unsigned int *pbitlen, int *pisdss, int *pispub) |
152 |
|
|
{ |
153 |
|
|
const unsigned char *p = *in; |
154 |
|
|
|
155 |
|
|
if (length < 16) |
156 |
|
|
return 0; |
157 |
|
|
/* bType */ |
158 |
|
|
if (*p == MS_PUBLICKEYBLOB) { |
159 |
|
|
if (*pispub == 0) { |
160 |
|
|
PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB); |
161 |
|
|
return 0; |
162 |
|
|
} |
163 |
|
|
*pispub = 1; |
164 |
|
|
} else if (*p == MS_PRIVATEKEYBLOB) { |
165 |
|
|
if (*pispub == 1) { |
166 |
|
|
PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB); |
167 |
|
|
return 0; |
168 |
|
|
} |
169 |
|
|
*pispub = 0; |
170 |
|
|
} else |
171 |
|
|
return 0; |
172 |
|
|
p++; |
173 |
|
|
/* Version */ |
174 |
|
|
if (*p++ != 0x2) { |
175 |
|
|
PEMerror(PEM_R_BAD_VERSION_NUMBER); |
176 |
|
|
return 0; |
177 |
|
|
} |
178 |
|
|
/* Ignore reserved, aiKeyAlg */ |
179 |
|
|
p += 6; |
180 |
|
|
*pmagic = read_ledword(&p); |
181 |
|
|
*pbitlen = read_ledword(&p); |
182 |
|
|
if (*pbitlen > 65536) { |
183 |
|
|
PEMerror(PEM_R_INCONSISTENT_HEADER); |
184 |
|
|
return 0; |
185 |
|
|
} |
186 |
|
|
*pisdss = 0; |
187 |
|
|
switch (*pmagic) { |
188 |
|
|
|
189 |
|
|
case MS_DSS1MAGIC: |
190 |
|
|
*pisdss = 1; |
191 |
|
|
case MS_RSA1MAGIC: |
192 |
|
|
if (*pispub == 0) { |
193 |
|
|
PEMerror(PEM_R_EXPECTING_PRIVATE_KEY_BLOB); |
194 |
|
|
return 0; |
195 |
|
|
} |
196 |
|
|
break; |
197 |
|
|
|
198 |
|
|
case MS_DSS2MAGIC: |
199 |
|
|
*pisdss = 1; |
200 |
|
|
case MS_RSA2MAGIC: |
201 |
|
|
if (*pispub == 1) { |
202 |
|
|
PEMerror(PEM_R_EXPECTING_PUBLIC_KEY_BLOB); |
203 |
|
|
return 0; |
204 |
|
|
} |
205 |
|
|
break; |
206 |
|
|
|
207 |
|
|
default: |
208 |
|
|
PEMerror(PEM_R_BAD_MAGIC_NUMBER); |
209 |
|
|
return -1; |
210 |
|
|
} |
211 |
|
|
*in = p; |
212 |
|
|
return 1; |
213 |
|
|
} |
214 |
|
|
|
215 |
|
|
static unsigned int |
216 |
|
|
blob_length(unsigned bitlen, int isdss, int ispub) |
217 |
|
|
{ |
218 |
|
|
unsigned int nbyte, hnbyte; |
219 |
|
|
|
220 |
|
|
nbyte = (bitlen + 7) >> 3; |
221 |
|
|
hnbyte = (bitlen + 15) >> 4; |
222 |
|
|
if (isdss) { |
223 |
|
|
|
224 |
|
|
/* Expected length: 20 for q + 3 components bitlen each + 24 |
225 |
|
|
* for seed structure. |
226 |
|
|
*/ |
227 |
|
|
if (ispub) |
228 |
|
|
return 44 + 3 * nbyte; |
229 |
|
|
/* Expected length: 20 for q, priv, 2 bitlen components + 24 |
230 |
|
|
* for seed structure. |
231 |
|
|
*/ |
232 |
|
|
else |
233 |
|
|
return 64 + 2 * nbyte; |
234 |
|
|
} else { |
235 |
|
|
/* Expected length: 4 for 'e' + 'n' */ |
236 |
|
|
if (ispub) |
237 |
|
|
return 4 + nbyte; |
238 |
|
|
else |
239 |
|
|
/* Expected length: 4 for 'e' and 7 other components. |
240 |
|
|
* 2 components are bitlen size, 5 are bitlen/2 |
241 |
|
|
*/ |
242 |
|
|
return 4 + 2*nbyte + 5*hnbyte; |
243 |
|
|
} |
244 |
|
|
|
245 |
|
|
} |
246 |
|
|
|
247 |
|
|
static EVP_PKEY * |
248 |
|
|
do_b2i(const unsigned char **in, unsigned int length, int ispub) |
249 |
|
|
{ |
250 |
|
|
const unsigned char *p = *in; |
251 |
|
|
unsigned int bitlen, magic; |
252 |
|
|
int isdss; |
253 |
|
|
|
254 |
|
|
if (do_blob_header(&p, length, &magic, &bitlen, &isdss, &ispub) <= 0) { |
255 |
|
|
PEMerror(PEM_R_KEYBLOB_HEADER_PARSE_ERROR); |
256 |
|
|
return NULL; |
257 |
|
|
} |
258 |
|
|
length -= 16; |
259 |
|
|
if (length < blob_length(bitlen, isdss, ispub)) { |
260 |
|
|
PEMerror(PEM_R_KEYBLOB_TOO_SHORT); |
261 |
|
|
return NULL; |
262 |
|
|
} |
263 |
|
|
if (isdss) |
264 |
|
|
return b2i_dss(&p, length, bitlen, ispub); |
265 |
|
|
else |
266 |
|
|
return b2i_rsa(&p, length, bitlen, ispub); |
267 |
|
|
} |
268 |
|
|
|
269 |
|
|
static EVP_PKEY * |
270 |
|
|
do_b2i_bio(BIO *in, int ispub) |
271 |
|
|
{ |
272 |
|
|
const unsigned char *p; |
273 |
|
|
unsigned char hdr_buf[16], *buf = NULL; |
274 |
|
|
unsigned int bitlen, magic, length; |
275 |
|
|
int isdss; |
276 |
|
|
EVP_PKEY *ret = NULL; |
277 |
|
|
|
278 |
|
|
if (BIO_read(in, hdr_buf, 16) != 16) { |
279 |
|
|
PEMerror(PEM_R_KEYBLOB_TOO_SHORT); |
280 |
|
|
return NULL; |
281 |
|
|
} |
282 |
|
|
p = hdr_buf; |
283 |
|
|
if (do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) <= 0) |
284 |
|
|
return NULL; |
285 |
|
|
|
286 |
|
|
length = blob_length(bitlen, isdss, ispub); |
287 |
|
|
buf = malloc(length); |
288 |
|
|
if (!buf) { |
289 |
|
|
PEMerror(ERR_R_MALLOC_FAILURE); |
290 |
|
|
goto err; |
291 |
|
|
} |
292 |
|
|
p = buf; |
293 |
|
|
if (BIO_read(in, buf, length) != (int)length) { |
294 |
|
|
PEMerror(PEM_R_KEYBLOB_TOO_SHORT); |
295 |
|
|
goto err; |
296 |
|
|
} |
297 |
|
|
|
298 |
|
|
if (isdss) |
299 |
|
|
ret = b2i_dss(&p, length, bitlen, ispub); |
300 |
|
|
else |
301 |
|
|
ret = b2i_rsa(&p, length, bitlen, ispub); |
302 |
|
|
|
303 |
|
|
err: |
304 |
|
|
free(buf); |
305 |
|
|
return ret; |
306 |
|
|
} |
307 |
|
|
|
308 |
|
|
static EVP_PKEY * |
309 |
|
|
b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, |
310 |
|
|
int ispub) |
311 |
|
|
{ |
312 |
|
|
const unsigned char *p = *in; |
313 |
|
|
EVP_PKEY *ret = NULL; |
314 |
|
|
DSA *dsa = NULL; |
315 |
|
|
BN_CTX *ctx = NULL; |
316 |
|
|
unsigned int nbyte; |
317 |
|
|
|
318 |
|
|
nbyte = (bitlen + 7) >> 3; |
319 |
|
|
|
320 |
|
|
dsa = DSA_new(); |
321 |
|
|
ret = EVP_PKEY_new(); |
322 |
|
|
if (!dsa || !ret) |
323 |
|
|
goto memerr; |
324 |
|
|
if (!read_lebn(&p, nbyte, &dsa->p)) |
325 |
|
|
goto memerr; |
326 |
|
|
if (!read_lebn(&p, 20, &dsa->q)) |
327 |
|
|
goto memerr; |
328 |
|
|
if (!read_lebn(&p, nbyte, &dsa->g)) |
329 |
|
|
goto memerr; |
330 |
|
|
if (ispub) { |
331 |
|
|
if (!read_lebn(&p, nbyte, &dsa->pub_key)) |
332 |
|
|
goto memerr; |
333 |
|
|
} else { |
334 |
|
|
if (!read_lebn(&p, 20, &dsa->priv_key)) |
335 |
|
|
goto memerr; |
336 |
|
|
/* Calculate public key */ |
337 |
|
|
if (!(dsa->pub_key = BN_new())) |
338 |
|
|
goto memerr; |
339 |
|
|
if (!(ctx = BN_CTX_new())) |
340 |
|
|
goto memerr; |
341 |
|
|
if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, |
342 |
|
|
dsa->priv_key, dsa->p, ctx)) |
343 |
|
|
goto memerr; |
344 |
|
|
BN_CTX_free(ctx); |
345 |
|
|
} |
346 |
|
|
|
347 |
|
|
EVP_PKEY_set1_DSA(ret, dsa); |
348 |
|
|
DSA_free(dsa); |
349 |
|
|
*in = p; |
350 |
|
|
return ret; |
351 |
|
|
|
352 |
|
|
memerr: |
353 |
|
|
PEMerror(ERR_R_MALLOC_FAILURE); |
354 |
|
|
DSA_free(dsa); |
355 |
|
|
EVP_PKEY_free(ret); |
356 |
|
|
BN_CTX_free(ctx); |
357 |
|
|
return NULL; |
358 |
|
|
} |
359 |
|
|
|
360 |
|
|
static EVP_PKEY * |
361 |
|
|
b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, |
362 |
|
|
int ispub) |
363 |
|
|
{ |
364 |
|
|
const unsigned char *p = *in; |
365 |
|
|
EVP_PKEY *ret = NULL; |
366 |
|
|
RSA *rsa = NULL; |
367 |
|
|
unsigned int nbyte, hnbyte; |
368 |
|
|
|
369 |
|
|
nbyte = (bitlen + 7) >> 3; |
370 |
|
|
hnbyte = (bitlen + 15) >> 4; |
371 |
|
|
rsa = RSA_new(); |
372 |
|
|
ret = EVP_PKEY_new(); |
373 |
|
|
if (!rsa || !ret) |
374 |
|
|
goto memerr; |
375 |
|
|
rsa->e = BN_new(); |
376 |
|
|
if (!rsa->e) |
377 |
|
|
goto memerr; |
378 |
|
|
if (!BN_set_word(rsa->e, read_ledword(&p))) |
379 |
|
|
goto memerr; |
380 |
|
|
if (!read_lebn(&p, nbyte, &rsa->n)) |
381 |
|
|
goto memerr; |
382 |
|
|
if (!ispub) { |
383 |
|
|
if (!read_lebn(&p, hnbyte, &rsa->p)) |
384 |
|
|
goto memerr; |
385 |
|
|
if (!read_lebn(&p, hnbyte, &rsa->q)) |
386 |
|
|
goto memerr; |
387 |
|
|
if (!read_lebn(&p, hnbyte, &rsa->dmp1)) |
388 |
|
|
goto memerr; |
389 |
|
|
if (!read_lebn(&p, hnbyte, &rsa->dmq1)) |
390 |
|
|
goto memerr; |
391 |
|
|
if (!read_lebn(&p, hnbyte, &rsa->iqmp)) |
392 |
|
|
goto memerr; |
393 |
|
|
if (!read_lebn(&p, nbyte, &rsa->d)) |
394 |
|
|
goto memerr; |
395 |
|
|
} |
396 |
|
|
|
397 |
|
|
EVP_PKEY_set1_RSA(ret, rsa); |
398 |
|
|
RSA_free(rsa); |
399 |
|
|
*in = p; |
400 |
|
|
return ret; |
401 |
|
|
|
402 |
|
|
memerr: |
403 |
|
|
PEMerror(ERR_R_MALLOC_FAILURE); |
404 |
|
|
RSA_free(rsa); |
405 |
|
|
EVP_PKEY_free(ret); |
406 |
|
|
return NULL; |
407 |
|
|
} |
408 |
|
|
|
409 |
|
|
EVP_PKEY * |
410 |
|
|
b2i_PrivateKey(const unsigned char **in, long length) |
411 |
|
|
{ |
412 |
|
|
return do_b2i(in, length, 0); |
413 |
|
|
} |
414 |
|
|
|
415 |
|
|
EVP_PKEY * |
416 |
|
|
b2i_PublicKey(const unsigned char **in, long length) |
417 |
|
|
{ |
418 |
|
|
return do_b2i(in, length, 1); |
419 |
|
|
} |
420 |
|
|
|
421 |
|
|
EVP_PKEY * |
422 |
|
|
b2i_PrivateKey_bio(BIO *in) |
423 |
|
|
{ |
424 |
|
|
return do_b2i_bio(in, 0); |
425 |
|
|
} |
426 |
|
|
|
427 |
|
|
EVP_PKEY * |
428 |
|
|
b2i_PublicKey_bio(BIO *in) |
429 |
|
|
{ |
430 |
|
|
return do_b2i_bio(in, 1); |
431 |
|
|
} |
432 |
|
|
|
433 |
|
|
static void |
434 |
|
|
write_ledword(unsigned char **out, unsigned int dw) |
435 |
|
|
{ |
436 |
|
|
unsigned char *p = *out; |
437 |
|
|
|
438 |
|
|
*p++ = dw & 0xff; |
439 |
|
|
*p++ = (dw >> 8) & 0xff; |
440 |
|
|
*p++ = (dw >> 16) & 0xff; |
441 |
|
|
*p++ = (dw >> 24) & 0xff; |
442 |
|
|
*out = p; |
443 |
|
|
} |
444 |
|
|
|
445 |
|
|
static void |
446 |
|
|
write_lebn(unsigned char **out, const BIGNUM *bn, int len) |
447 |
|
|
{ |
448 |
|
|
int nb, i; |
449 |
|
|
unsigned char *p = *out, *q, c; |
450 |
|
|
|
451 |
|
|
nb = BN_num_bytes(bn); |
452 |
|
|
BN_bn2bin(bn, p); |
453 |
|
|
q = p + nb - 1; |
454 |
|
|
/* In place byte order reversal */ |
455 |
|
|
for (i = 0; i < nb / 2; i++) { |
456 |
|
|
c = *p; |
457 |
|
|
*p++ = *q; |
458 |
|
|
*q-- = c; |
459 |
|
|
} |
460 |
|
|
*out += nb; |
461 |
|
|
/* Pad with zeroes if we have to */ |
462 |
|
|
if (len > 0) { |
463 |
|
|
len -= nb; |
464 |
|
|
if (len > 0) { |
465 |
|
|
memset(*out, 0, len); |
466 |
|
|
*out += len; |
467 |
|
|
} |
468 |
|
|
} |
469 |
|
|
} |
470 |
|
|
|
471 |
|
|
|
472 |
|
|
static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); |
473 |
|
|
static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); |
474 |
|
|
|
475 |
|
|
static void write_rsa(unsigned char **out, RSA *rsa, int ispub); |
476 |
|
|
static void write_dsa(unsigned char **out, DSA *dsa, int ispub); |
477 |
|
|
|
478 |
|
|
static int |
479 |
|
|
do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) |
480 |
|
|
{ |
481 |
|
|
unsigned char *p; |
482 |
|
|
unsigned int bitlen, magic = 0, keyalg; |
483 |
|
|
int outlen, noinc = 0; |
484 |
|
|
|
485 |
|
|
if (pk->type == EVP_PKEY_DSA) { |
486 |
|
|
bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); |
487 |
|
|
keyalg = MS_KEYALG_DSS_SIGN; |
488 |
|
|
} else if (pk->type == EVP_PKEY_RSA) { |
489 |
|
|
bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); |
490 |
|
|
keyalg = MS_KEYALG_RSA_KEYX; |
491 |
|
|
} else |
492 |
|
|
return -1; |
493 |
|
|
if (bitlen == 0) |
494 |
|
|
return -1; |
495 |
|
|
outlen = 16 + blob_length(bitlen, |
496 |
|
|
keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); |
497 |
|
|
if (out == NULL) |
498 |
|
|
return outlen; |
499 |
|
|
if (*out) |
500 |
|
|
p = *out; |
501 |
|
|
else { |
502 |
|
|
p = malloc(outlen); |
503 |
|
|
if (!p) |
504 |
|
|
return -1; |
505 |
|
|
*out = p; |
506 |
|
|
noinc = 1; |
507 |
|
|
} |
508 |
|
|
if (ispub) |
509 |
|
|
*p++ = MS_PUBLICKEYBLOB; |
510 |
|
|
else |
511 |
|
|
*p++ = MS_PRIVATEKEYBLOB; |
512 |
|
|
*p++ = 0x2; |
513 |
|
|
*p++ = 0; |
514 |
|
|
*p++ = 0; |
515 |
|
|
write_ledword(&p, keyalg); |
516 |
|
|
write_ledword(&p, magic); |
517 |
|
|
write_ledword(&p, bitlen); |
518 |
|
|
if (keyalg == MS_KEYALG_DSS_SIGN) |
519 |
|
|
write_dsa(&p, pk->pkey.dsa, ispub); |
520 |
|
|
else |
521 |
|
|
write_rsa(&p, pk->pkey.rsa, ispub); |
522 |
|
|
if (!noinc) |
523 |
|
|
*out += outlen; |
524 |
|
|
return outlen; |
525 |
|
|
} |
526 |
|
|
|
527 |
|
|
static int |
528 |
|
|
do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) |
529 |
|
|
{ |
530 |
|
|
unsigned char *tmp = NULL; |
531 |
|
|
int outlen, wrlen; |
532 |
|
|
|
533 |
|
|
outlen = do_i2b(&tmp, pk, ispub); |
534 |
|
|
if (outlen < 0) |
535 |
|
|
return -1; |
536 |
|
|
wrlen = BIO_write(out, tmp, outlen); |
537 |
|
|
free(tmp); |
538 |
|
|
if (wrlen == outlen) |
539 |
|
|
return outlen; |
540 |
|
|
return -1; |
541 |
|
|
} |
542 |
|
|
|
543 |
|
|
static int |
544 |
|
|
check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) |
545 |
|
|
{ |
546 |
|
|
int bitlen; |
547 |
|
|
|
548 |
|
|
bitlen = BN_num_bits(dsa->p); |
549 |
|
|
if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) || |
550 |
|
|
(BN_num_bits(dsa->g) > bitlen)) |
551 |
|
|
goto badkey; |
552 |
|
|
if (ispub) { |
553 |
|
|
if (BN_num_bits(dsa->pub_key) > bitlen) |
554 |
|
|
goto badkey; |
555 |
|
|
*pmagic = MS_DSS1MAGIC; |
556 |
|
|
} else { |
557 |
|
|
if (BN_num_bits(dsa->priv_key) > 160) |
558 |
|
|
goto badkey; |
559 |
|
|
*pmagic = MS_DSS2MAGIC; |
560 |
|
|
} |
561 |
|
|
|
562 |
|
|
return bitlen; |
563 |
|
|
|
564 |
|
|
badkey: |
565 |
|
|
PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); |
566 |
|
|
return 0; |
567 |
|
|
} |
568 |
|
|
|
569 |
|
|
static int |
570 |
|
|
check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) |
571 |
|
|
{ |
572 |
|
|
int nbyte, hnbyte, bitlen; |
573 |
|
|
|
574 |
|
|
if (BN_num_bits(rsa->e) > 32) |
575 |
|
|
goto badkey; |
576 |
|
|
bitlen = BN_num_bits(rsa->n); |
577 |
|
|
nbyte = BN_num_bytes(rsa->n); |
578 |
|
|
hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; |
579 |
|
|
if (ispub) { |
580 |
|
|
*pmagic = MS_RSA1MAGIC; |
581 |
|
|
return bitlen; |
582 |
|
|
} else { |
583 |
|
|
*pmagic = MS_RSA2MAGIC; |
584 |
|
|
/* For private key each component must fit within nbyte or |
585 |
|
|
* hnbyte. |
586 |
|
|
*/ |
587 |
|
|
if (BN_num_bytes(rsa->d) > nbyte) |
588 |
|
|
goto badkey; |
589 |
|
|
if ((BN_num_bytes(rsa->iqmp) > hnbyte) || |
590 |
|
|
(BN_num_bytes(rsa->p) > hnbyte) || |
591 |
|
|
(BN_num_bytes(rsa->q) > hnbyte) || |
592 |
|
|
(BN_num_bytes(rsa->dmp1) > hnbyte) || |
593 |
|
|
(BN_num_bytes(rsa->dmq1) > hnbyte)) |
594 |
|
|
goto badkey; |
595 |
|
|
} |
596 |
|
|
return bitlen; |
597 |
|
|
|
598 |
|
|
badkey: |
599 |
|
|
PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); |
600 |
|
|
return 0; |
601 |
|
|
} |
602 |
|
|
|
603 |
|
|
static void |
604 |
|
|
write_rsa(unsigned char **out, RSA *rsa, int ispub) |
605 |
|
|
{ |
606 |
|
|
int nbyte, hnbyte; |
607 |
|
|
|
608 |
|
|
nbyte = BN_num_bytes(rsa->n); |
609 |
|
|
hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; |
610 |
|
|
write_lebn(out, rsa->e, 4); |
611 |
|
|
write_lebn(out, rsa->n, -1); |
612 |
|
|
if (ispub) |
613 |
|
|
return; |
614 |
|
|
write_lebn(out, rsa->p, hnbyte); |
615 |
|
|
write_lebn(out, rsa->q, hnbyte); |
616 |
|
|
write_lebn(out, rsa->dmp1, hnbyte); |
617 |
|
|
write_lebn(out, rsa->dmq1, hnbyte); |
618 |
|
|
write_lebn(out, rsa->iqmp, hnbyte); |
619 |
|
|
write_lebn(out, rsa->d, nbyte); |
620 |
|
|
} |
621 |
|
|
|
622 |
|
|
static void |
623 |
|
|
write_dsa(unsigned char **out, DSA *dsa, int ispub) |
624 |
|
|
{ |
625 |
|
|
int nbyte; |
626 |
|
|
|
627 |
|
|
nbyte = BN_num_bytes(dsa->p); |
628 |
|
|
write_lebn(out, dsa->p, nbyte); |
629 |
|
|
write_lebn(out, dsa->q, 20); |
630 |
|
|
write_lebn(out, dsa->g, nbyte); |
631 |
|
|
if (ispub) |
632 |
|
|
write_lebn(out, dsa->pub_key, nbyte); |
633 |
|
|
else |
634 |
|
|
write_lebn(out, dsa->priv_key, 20); |
635 |
|
|
/* Set "invalid" for seed structure values */ |
636 |
|
|
memset(*out, 0xff, 24); |
637 |
|
|
*out += 24; |
638 |
|
|
return; |
639 |
|
|
} |
640 |
|
|
|
641 |
|
|
int |
642 |
|
|
i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk) |
643 |
|
|
{ |
644 |
|
|
return do_i2b_bio(out, pk, 0); |
645 |
|
|
} |
646 |
|
|
|
647 |
|
|
int |
648 |
|
|
i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk) |
649 |
|
|
{ |
650 |
|
|
return do_i2b_bio(out, pk, 1); |
651 |
|
|
} |
652 |
|
|
|
653 |
|
|
#ifndef OPENSSL_NO_RC4 |
654 |
|
|
|
655 |
|
|
static int |
656 |
|
|
do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic, |
657 |
|
|
unsigned int *psaltlen, unsigned int *pkeylen) |
658 |
|
|
{ |
659 |
|
|
const unsigned char *p = *in; |
660 |
|
|
unsigned int pvk_magic, is_encrypted; |
661 |
|
|
|
662 |
|
|
if (skip_magic) { |
663 |
|
|
if (length < 20) { |
664 |
|
|
PEMerror(PEM_R_PVK_TOO_SHORT); |
665 |
|
|
return 0; |
666 |
|
|
} |
667 |
|
|
length -= 20; |
668 |
|
|
} else { |
669 |
|
|
if (length < 24) { |
670 |
|
|
PEMerror(PEM_R_PVK_TOO_SHORT); |
671 |
|
|
return 0; |
672 |
|
|
} |
673 |
|
|
length -= 24; |
674 |
|
|
pvk_magic = read_ledword(&p); |
675 |
|
|
if (pvk_magic != MS_PVKMAGIC) { |
676 |
|
|
PEMerror(PEM_R_BAD_MAGIC_NUMBER); |
677 |
|
|
return 0; |
678 |
|
|
} |
679 |
|
|
} |
680 |
|
|
/* Skip reserved */ |
681 |
|
|
p += 4; |
682 |
|
|
/*keytype = */read_ledword(&p); |
683 |
|
|
is_encrypted = read_ledword(&p); |
684 |
|
|
*psaltlen = read_ledword(&p); |
685 |
|
|
*pkeylen = read_ledword(&p); |
686 |
|
|
if (*psaltlen > 65536 || *pkeylen > 65536) { |
687 |
|
|
PEMerror(PEM_R_ERROR_CONVERTING_PRIVATE_KEY); |
688 |
|
|
return 0; |
689 |
|
|
} |
690 |
|
|
|
691 |
|
|
if (is_encrypted && !*psaltlen) { |
692 |
|
|
PEMerror(PEM_R_INCONSISTENT_HEADER); |
693 |
|
|
return 0; |
694 |
|
|
} |
695 |
|
|
|
696 |
|
|
*in = p; |
697 |
|
|
return 1; |
698 |
|
|
} |
699 |
|
|
|
700 |
|
|
static int |
701 |
|
|
derive_pvk_key(unsigned char *key, const unsigned char *salt, |
702 |
|
|
unsigned int saltlen, const unsigned char *pass, int passlen) |
703 |
|
|
{ |
704 |
|
|
EVP_MD_CTX mctx; |
705 |
|
|
int rv = 1; |
706 |
|
|
|
707 |
|
|
EVP_MD_CTX_init(&mctx); |
708 |
|
|
if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL) || |
709 |
|
|
!EVP_DigestUpdate(&mctx, salt, saltlen) || |
710 |
|
|
!EVP_DigestUpdate(&mctx, pass, passlen) || |
711 |
|
|
!EVP_DigestFinal_ex(&mctx, key, NULL)) |
712 |
|
|
rv = 0; |
713 |
|
|
|
714 |
|
|
EVP_MD_CTX_cleanup(&mctx); |
715 |
|
|
return rv; |
716 |
|
|
} |
717 |
|
|
|
718 |
|
|
static EVP_PKEY * |
719 |
|
|
do_PVK_body(const unsigned char **in, unsigned int saltlen, |
720 |
|
|
unsigned int keylen, pem_password_cb *cb, void *u) |
721 |
|
|
{ |
722 |
|
|
EVP_PKEY *ret = NULL; |
723 |
|
|
const unsigned char *p = *in; |
724 |
|
|
unsigned int magic; |
725 |
|
|
unsigned char *enctmp = NULL, *q; |
726 |
|
|
EVP_CIPHER_CTX cctx; |
727 |
|
|
|
728 |
|
|
EVP_CIPHER_CTX_init(&cctx); |
729 |
|
|
if (saltlen) { |
730 |
|
|
char psbuf[PEM_BUFSIZE]; |
731 |
|
|
unsigned char keybuf[20]; |
732 |
|
|
int enctmplen, inlen; |
733 |
|
|
|
734 |
|
|
if (cb) |
735 |
|
|
inlen = cb(psbuf, PEM_BUFSIZE, 0, u); |
736 |
|
|
else |
737 |
|
|
inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); |
738 |
|
|
if (inlen <= 0) { |
739 |
|
|
PEMerror(PEM_R_BAD_PASSWORD_READ); |
740 |
|
|
goto err; |
741 |
|
|
} |
742 |
|
|
enctmp = malloc(keylen + 8); |
743 |
|
|
if (!enctmp) { |
744 |
|
|
PEMerror(ERR_R_MALLOC_FAILURE); |
745 |
|
|
goto err; |
746 |
|
|
} |
747 |
|
|
if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, |
748 |
|
|
inlen)) { |
749 |
|
|
goto err; |
750 |
|
|
} |
751 |
|
|
p += saltlen; |
752 |
|
|
/* Copy BLOBHEADER across, decrypt rest */ |
753 |
|
|
memcpy(enctmp, p, 8); |
754 |
|
|
p += 8; |
755 |
|
|
if (keylen < 8) { |
756 |
|
|
PEMerror(PEM_R_PVK_TOO_SHORT); |
757 |
|
|
goto err; |
758 |
|
|
} |
759 |
|
|
inlen = keylen - 8; |
760 |
|
|
q = enctmp + 8; |
761 |
|
|
if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) |
762 |
|
|
goto err; |
763 |
|
|
if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) |
764 |
|
|
goto err; |
765 |
|
|
if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) |
766 |
|
|
goto err; |
767 |
|
|
magic = read_ledword((const unsigned char **)&q); |
768 |
|
|
if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { |
769 |
|
|
q = enctmp + 8; |
770 |
|
|
memset(keybuf + 5, 0, 11); |
771 |
|
|
if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, |
772 |
|
|
NULL)) |
773 |
|
|
goto err; |
774 |
|
|
explicit_bzero(keybuf, 20); |
775 |
|
|
if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) |
776 |
|
|
goto err; |
777 |
|
|
if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, |
778 |
|
|
&enctmplen)) |
779 |
|
|
goto err; |
780 |
|
|
magic = read_ledword((const unsigned char **)&q); |
781 |
|
|
if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { |
782 |
|
|
PEMerror(PEM_R_BAD_DECRYPT); |
783 |
|
|
goto err; |
784 |
|
|
} |
785 |
|
|
} else |
786 |
|
|
explicit_bzero(keybuf, 20); |
787 |
|
|
p = enctmp; |
788 |
|
|
} |
789 |
|
|
|
790 |
|
|
ret = b2i_PrivateKey(&p, keylen); |
791 |
|
|
|
792 |
|
|
err: |
793 |
|
|
EVP_CIPHER_CTX_cleanup(&cctx); |
794 |
|
|
if (enctmp && saltlen) |
795 |
|
|
free(enctmp); |
796 |
|
|
return ret; |
797 |
|
|
} |
798 |
|
|
|
799 |
|
|
|
800 |
|
|
EVP_PKEY * |
801 |
|
|
b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) |
802 |
|
|
{ |
803 |
|
|
unsigned char pvk_hdr[24], *buf = NULL; |
804 |
|
|
const unsigned char *p; |
805 |
|
|
size_t buflen; |
806 |
|
|
EVP_PKEY *ret = NULL; |
807 |
|
|
unsigned int saltlen, keylen; |
808 |
|
|
|
809 |
|
|
if (BIO_read(in, pvk_hdr, 24) != 24) { |
810 |
|
|
PEMerror(PEM_R_PVK_DATA_TOO_SHORT); |
811 |
|
|
return NULL; |
812 |
|
|
} |
813 |
|
|
p = pvk_hdr; |
814 |
|
|
|
815 |
|
|
if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen)) |
816 |
|
|
return 0; |
817 |
|
|
buflen = keylen + saltlen; |
818 |
|
|
buf = malloc(buflen); |
819 |
|
|
if (!buf) { |
820 |
|
|
PEMerror(ERR_R_MALLOC_FAILURE); |
821 |
|
|
return 0; |
822 |
|
|
} |
823 |
|
|
p = buf; |
824 |
|
|
if (BIO_read(in, buf, buflen) != buflen) { |
825 |
|
|
PEMerror(PEM_R_PVK_DATA_TOO_SHORT); |
826 |
|
|
goto err; |
827 |
|
|
} |
828 |
|
|
ret = do_PVK_body(&p, saltlen, keylen, cb, u); |
829 |
|
|
|
830 |
|
|
err: |
831 |
|
|
freezero(buf, buflen); |
832 |
|
|
return ret; |
833 |
|
|
} |
834 |
|
|
|
835 |
|
|
static int |
836 |
|
|
i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, |
837 |
|
|
void *u) |
838 |
|
|
{ |
839 |
|
|
int outlen = 24, pklen; |
840 |
|
|
unsigned char *p, *salt = NULL; |
841 |
|
|
EVP_CIPHER_CTX cctx; |
842 |
|
|
|
843 |
|
|
EVP_CIPHER_CTX_init(&cctx); |
844 |
|
|
if (enclevel) |
845 |
|
|
outlen += PVK_SALTLEN; |
846 |
|
|
pklen = do_i2b(NULL, pk, 0); |
847 |
|
|
if (pklen < 0) |
848 |
|
|
return -1; |
849 |
|
|
outlen += pklen; |
850 |
|
|
if (!out) |
851 |
|
|
return outlen; |
852 |
|
|
if (*out) |
853 |
|
|
p = *out; |
854 |
|
|
else { |
855 |
|
|
p = malloc(outlen); |
856 |
|
|
if (!p) { |
857 |
|
|
PEMerror(ERR_R_MALLOC_FAILURE); |
858 |
|
|
return -1; |
859 |
|
|
} |
860 |
|
|
*out = p; |
861 |
|
|
} |
862 |
|
|
|
863 |
|
|
write_ledword(&p, MS_PVKMAGIC); |
864 |
|
|
write_ledword(&p, 0); |
865 |
|
|
if (pk->type == EVP_PKEY_DSA) |
866 |
|
|
write_ledword(&p, MS_KEYTYPE_SIGN); |
867 |
|
|
else |
868 |
|
|
write_ledword(&p, MS_KEYTYPE_KEYX); |
869 |
|
|
write_ledword(&p, enclevel ? 1 : 0); |
870 |
|
|
write_ledword(&p, enclevel ? PVK_SALTLEN : 0); |
871 |
|
|
write_ledword(&p, pklen); |
872 |
|
|
if (enclevel) { |
873 |
|
|
arc4random_buf(p, PVK_SALTLEN); |
874 |
|
|
salt = p; |
875 |
|
|
p += PVK_SALTLEN; |
876 |
|
|
} |
877 |
|
|
do_i2b(&p, pk, 0); |
878 |
|
|
if (enclevel == 0) |
879 |
|
|
return outlen; |
880 |
|
|
else { |
881 |
|
|
char psbuf[PEM_BUFSIZE]; |
882 |
|
|
unsigned char keybuf[20]; |
883 |
|
|
int enctmplen, inlen; |
884 |
|
|
if (cb) |
885 |
|
|
inlen = cb(psbuf, PEM_BUFSIZE, 1, u); |
886 |
|
|
else |
887 |
|
|
inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); |
888 |
|
|
if (inlen <= 0) { |
889 |
|
|
PEMerror(PEM_R_BAD_PASSWORD_READ); |
890 |
|
|
goto error; |
891 |
|
|
} |
892 |
|
|
if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, |
893 |
|
|
(unsigned char *)psbuf, inlen)) |
894 |
|
|
goto error; |
895 |
|
|
if (enclevel == 1) |
896 |
|
|
memset(keybuf + 5, 0, 11); |
897 |
|
|
p = salt + PVK_SALTLEN + 8; |
898 |
|
|
if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) |
899 |
|
|
goto error; |
900 |
|
|
explicit_bzero(keybuf, 20); |
901 |
|
|
if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8)) |
902 |
|
|
goto error; |
903 |
|
|
if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen)) |
904 |
|
|
goto error; |
905 |
|
|
} |
906 |
|
|
EVP_CIPHER_CTX_cleanup(&cctx); |
907 |
|
|
return outlen; |
908 |
|
|
|
909 |
|
|
error: |
910 |
|
|
EVP_CIPHER_CTX_cleanup(&cctx); |
911 |
|
|
return -1; |
912 |
|
|
} |
913 |
|
|
|
914 |
|
|
int |
915 |
|
|
i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u) |
916 |
|
|
{ |
917 |
|
|
unsigned char *tmp = NULL; |
918 |
|
|
int outlen, wrlen; |
919 |
|
|
|
920 |
|
|
outlen = i2b_PVK(&tmp, pk, enclevel, cb, u); |
921 |
|
|
if (outlen < 0) |
922 |
|
|
return -1; |
923 |
|
|
wrlen = BIO_write(out, tmp, outlen); |
924 |
|
|
free(tmp); |
925 |
|
|
if (wrlen == outlen) { |
926 |
|
|
PEMerror(PEM_R_BIO_WRITE_FAILURE); |
927 |
|
|
return outlen; |
928 |
|
|
} |
929 |
|
|
return -1; |
930 |
|
|
} |
931 |
|
|
|
932 |
|
|
#endif |
933 |
|
|
|
934 |
|
|
#endif |