pvkfmt.c@ 98929

Last change on this file since 98929 was 94082, checked in by vboxsync, 3 years ago
libs/openssl-3.0.1: started applying and adjusting our OpenSSL changes to 3.0.1. bugref:10128
File size: 29.5 KB

Line
1	/*
2	* Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/*
11	* Support for PVK format keys and related structures (such a PUBLICKEYBLOB
12	* and PRIVATEKEYBLOB).
13	*/
14
15	/*
16	* RSA and DSA low level APIs are deprecated for public use, but still ok for
17	* internal use.
18	*/
19	#include "internal/deprecated.h"
20
21	#include <openssl/pem.h>
22	#include <openssl/rand.h>
23	#include <openssl/bn.h>
24	#include <openssl/dsa.h>
25	#include <openssl/rsa.h>
26	#include "internal/cryptlib.h"
27	#include "crypto/pem.h"
28	#include "crypto/evp.h"
29
30	/*
31	* Utility function: read a DWORD (4 byte unsigned integer) in little endian
32	* format
33	*/
34
35	static unsigned int read_ledword(const unsigned char **in)
36	{
37	const unsigned char p = in;
38	unsigned int ret;
39
40	ret = (unsigned int)*p++;
41	ret \|= (unsigned int)*p++ << 8;
42	ret \|= (unsigned int)*p++ << 16;
43	ret \|= (unsigned int)*p++ << 24;
44	*in = p;
45	return ret;
46	}
47
48	/*
49	* Read a BIGNUM in little endian format. The docs say that this should take
50	* up bitlen/8 bytes.
51	*/
52
53	static int read_lebn(const unsigned char in, unsigned int nbyte, BIGNUM r)
54	{
55	r = BN_lebin2bn(in, nbyte, NULL);
56	if (*r == NULL)
57	return 0;
58	*in += nbyte;
59	return 1;
60	}
61
62	/*
63	* Create an EVP_PKEY from a type specific key.
64	* This takes ownership of \|key\|, as long as the \|evp_type\| is acceptable
65	* (EVP_PKEY_RSA or EVP_PKEY_DSA), even if the resulting EVP_PKEY wasn't
66	* created.
67	*/
68	#define isdss_to_evp_type(isdss) \
69	(isdss == 0 ? EVP_PKEY_RSA : isdss == 1 ? EVP_PKEY_DSA : EVP_PKEY_NONE)
70	static EVP_PKEY evp_pkey_new0_key(void key, int evp_type)
71	{
72	EVP_PKEY *pkey = NULL;
73
74	/*
75	* It's assumed that if \|key\| is NULL, something went wrong elsewhere
76	* and suitable errors are already reported.
77	*/
78	if (key == NULL)
79	return NULL;
80
81	if (!ossl_assert(evp_type == EVP_PKEY_RSA \|\| evp_type == EVP_PKEY_DSA)) {
82	ERR_raise(ERR_LIB_PEM, ERR_R_INTERNAL_ERROR);
83	return NULL;
84	}
85
86	if ((pkey = EVP_PKEY_new()) != NULL) {
87	switch (evp_type) {
88	case EVP_PKEY_RSA:
89	if (EVP_PKEY_set1_RSA(pkey, key))
90	break;
91	EVP_PKEY_free(pkey);
92	pkey = NULL;
93	break;
94	#ifndef OPENSSL_NO_DSA
95	case EVP_PKEY_DSA:
96	if (EVP_PKEY_set1_DSA(pkey, key))
97	break;
98	EVP_PKEY_free(pkey);
99	pkey = NULL;
100	break;
101	#endif
102	}
103	}
104
105	switch (evp_type) {
106	case EVP_PKEY_RSA:
107	RSA_free(key);
108	break;
109	#ifndef OPENSSL_NO_DSA
110	case EVP_PKEY_DSA:
111	DSA_free(key);
112	break;
113	#endif
114	}
115
116	if (pkey == NULL)
117	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
118	return pkey;
119	}
120
121	/* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
122
123	# define MS_PUBLICKEYBLOB 0x6
124	# define MS_PRIVATEKEYBLOB 0x7
125	# define MS_RSA1MAGIC 0x31415352L
126	# define MS_RSA2MAGIC 0x32415352L
127	# define MS_DSS1MAGIC 0x31535344L
128	# define MS_DSS2MAGIC 0x32535344L
129
130	# define MS_KEYALG_RSA_KEYX 0xa400
131	# define MS_KEYALG_DSS_SIGN 0x2200
132
133	# define MS_KEYTYPE_KEYX 0x1
134	# define MS_KEYTYPE_SIGN 0x2
135
136	/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
137	# define MS_PVKMAGIC 0xb0b5f11eL
138	/* Salt length for PVK files */
139	# define PVK_SALTLEN 0x10
140	/* Maximum length in PVK header */
141	# define PVK_MAX_KEYLEN 102400
142	/* Maximum salt length */
143	# define PVK_MAX_SALTLEN 10240
144
145	/*
146	* Read the MSBLOB header and get relevant data from it.
147	*
148	* \|pisdss\| and \|pispub\| have a double role, as they can be used for
149	* discovery as well as to check the the blob meets expectations.
150	* \|*pisdss\| is the indicator for whether the key is a DSA key or not.
151	* \|*pispub\| is the indicator for whether the key is public or not.
152	* In both cases, the following input values apply:
153	*
154	* 0 Expected to not be what the variable indicates.
155	* 1 Expected to be what the variable indicates.
156	* -1 No expectations, this function will assign 0 or 1 depending on
157	* header data.
158	*/
159	int ossl_do_blob_header(const unsigned char **in, unsigned int length,
160	unsigned int pmagic, unsigned int pbitlen,
161	int pisdss, int pispub)
162	{
163	const unsigned char p = in;
164
165	if (length < 16)
166	return 0;
167	/* bType */
168	switch (*p) {
169	case MS_PUBLICKEYBLOB:
170	if (*pispub == 0) {
171	ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
172	return 0;
173	}
174	*pispub = 1;
175	break;
176
177	case MS_PRIVATEKEYBLOB:
178	if (*pispub == 1) {
179	ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
180	return 0;
181	}
182	*pispub = 0;
183	break;
184
185	default:
186	return 0;
187	}
188	p++;
189	/* Version */
190	if (*p++ != 0x2) {
191	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_VERSION_NUMBER);
192	return 0;
193	}
194	/* Ignore reserved, aiKeyAlg */
195	p += 6;
196	*pmagic = read_ledword(&p);
197	*pbitlen = read_ledword(&p);
198
199	/* Consistency check for private vs public */
200	switch (*pmagic) {
201	case MS_DSS1MAGIC:
202	case MS_RSA1MAGIC:
203	if (*pispub == 0) {
204	ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
205	return 0;
206	}
207	break;
208
209	case MS_DSS2MAGIC:
210	case MS_RSA2MAGIC:
211	if (*pispub == 1) {
212	ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
213	return 0;
214	}
215	break;
216
217	default:
218	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
219	return -1;
220	}
221
222	/* Check that we got the expected type */
223	switch (*pmagic) {
224	case MS_DSS1MAGIC:
225	case MS_DSS2MAGIC:
226	if (*pisdss == 0) {
227	ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_DSS_KEY_BLOB);
228	return 0;
229	}
230	*pisdss = 1;
231	break;
232	case MS_RSA1MAGIC:
233	case MS_RSA2MAGIC:
234	if (*pisdss == 1) {
235	ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_RSA_KEY_BLOB);
236	return 0;
237	}
238	*pisdss = 0;
239	break;
240
241	default:
242	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
243	return -1;
244	}
245	*in = p;
246	return 1;
247	}
248
249	unsigned int ossl_blob_length(unsigned bitlen, int isdss, int ispub)
250	{
251	unsigned int nbyte = (bitlen + 7) >> 3;
252	unsigned int hnbyte = (bitlen + 15) >> 4;
253
254	if (isdss) {
255
256	/*
257	* Expected length: 20 for q + 3 components bitlen each + 24 for seed
258	* structure.
259	*/
260	if (ispub)
261	return 44 + 3 * nbyte;
262	/*
263	* Expected length: 20 for q, priv, 2 bitlen components + 24 for seed
264	* structure.
265	*/
266	else
267	return 64 + 2 * nbyte;
268	} else {
269	/* Expected length: 4 for 'e' + 'n' */
270	if (ispub)
271	return 4 + nbyte;
272	else
273	/*
274	* Expected length: 4 for 'e' and 7 other components. 2
275	* components are bitlen size, 5 are bitlen/2
276	*/
277	return 4 + 2 * nbyte + 5 * hnbyte;
278	}
279
280	}
281
282	static void do_b2i_key(const unsigned char *in, unsigned int length,
283	int isdss, int ispub)
284	{
285	const unsigned char p = in;
286	unsigned int bitlen, magic;
287	void *key = NULL;
288
289	if (ossl_do_blob_header(&p, length, &magic, &bitlen, isdss, ispub) <= 0) {
290	ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
291	return NULL;
292	}
293	length -= 16;
294	if (length < ossl_blob_length(bitlen, isdss, ispub)) {
295	ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
296	return NULL;
297	}
298	if (!*isdss)
299	key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub);
300	#ifndef OPENSSL_NO_DSA
301	else
302	key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub);
303	#endif
304
305	if (key == NULL) {
306	ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
307	return NULL;
308	}
309
310	return key;
311	}
312
313	EVP_PKEY ossl_b2i(const unsigned char in, unsigned int length, int ispub)
314	{
315	int isdss = -1;
316	void *key = do_b2i_key(in, length, &isdss, ispub);
317
318	return evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
319	}
320
321	EVP_PKEY ossl_b2i_bio(BIO in, int *ispub)
322	{
323	const unsigned char *p;
324	unsigned char hdr_buf[16], *buf = NULL;
325	unsigned int bitlen, magic, length;
326	int isdss = -1;
327	void *key = NULL;
328	EVP_PKEY *pkey = NULL;
329
330	if (BIO_read(in, hdr_buf, 16) != 16) {
331	ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
332	return NULL;
333	}
334	p = hdr_buf;
335	if (ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, ispub) <= 0)
336	return NULL;
337
338	length = ossl_blob_length(bitlen, isdss, *ispub);
339	if (length > BLOB_MAX_LENGTH) {
340	ERR_raise(ERR_LIB_PEM, PEM_R_HEADER_TOO_LONG);
341	return NULL;
342	}
343	buf = OPENSSL_malloc(length);
344	if (buf == NULL) {
345	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
346	goto err;
347	}
348	p = buf;
349	if (BIO_read(in, buf, length) != (int)length) {
350	ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
351	goto err;
352	}
353
354	if (!isdss)
355	key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub);
356	#ifndef OPENSSL_NO_DSA
357	else
358	key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub);
359	#endif
360
361	if (key == NULL) {
362	ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
363	goto err;
364	}
365
366	pkey = evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
367	err:
368	OPENSSL_free(buf);
369	return pkey;
370	}
371
372	#ifndef OPENSSL_NO_DSA
373	DSA ossl_b2i_DSA_after_header(const unsigned char *in, unsigned int bitlen,
374	int ispub)
375	{
376	const unsigned char p = in;
377	DSA *dsa = NULL;
378	BN_CTX *ctx = NULL;
379	BIGNUM pbn = NULL, qbn = NULL, gbn = NULL, priv_key = NULL;
380	BIGNUM *pub_key = NULL;
381	unsigned int nbyte = (bitlen + 7) >> 3;
382
383	dsa = DSA_new();
384	if (dsa == NULL)
385	goto memerr;
386	if (!read_lebn(&p, nbyte, &pbn))
387	goto memerr;
388
389	if (!read_lebn(&p, 20, &qbn))
390	goto memerr;
391
392	if (!read_lebn(&p, nbyte, &gbn))
393	goto memerr;
394
395	if (ispub) {
396	if (!read_lebn(&p, nbyte, &pub_key))
397	goto memerr;
398	} else {
399	if (!read_lebn(&p, 20, &priv_key))
400	goto memerr;
401
402	/* Set constant time flag before public key calculation */
403	BN_set_flags(priv_key, BN_FLG_CONSTTIME);
404
405	/* Calculate public key */
406	pub_key = BN_new();
407	if (pub_key == NULL)
408	goto memerr;
409	if ((ctx = BN_CTX_new()) == NULL)
410	goto memerr;
411
412	if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx))
413	goto memerr;
414
415	BN_CTX_free(ctx);
416	ctx = NULL;
417	}
418	if (!DSA_set0_pqg(dsa, pbn, qbn, gbn))
419	goto memerr;
420	pbn = qbn = gbn = NULL;
421	if (!DSA_set0_key(dsa, pub_key, priv_key))
422	goto memerr;
423	pub_key = priv_key = NULL;
424
425	*in = p;
426	return dsa;
427
428	memerr:
429	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
430	DSA_free(dsa);
431	BN_free(pbn);
432	BN_free(qbn);
433	BN_free(gbn);
434	BN_free(pub_key);
435	BN_free(priv_key);
436	BN_CTX_free(ctx);
437	return NULL;
438	}
439	#endif
440
441	RSA ossl_b2i_RSA_after_header(const unsigned char *in, unsigned int bitlen,
442	int ispub)
443	{
444	const unsigned char pin = in;
445	BIGNUM e = NULL, n = NULL, *d = NULL;
446	BIGNUM p = NULL, q = NULL, dmp1 = NULL, dmq1 = NULL, *iqmp = NULL;
447	RSA *rsa = NULL;
448	unsigned int nbyte = (bitlen + 7) >> 3;
449	unsigned int hnbyte = (bitlen + 15) >> 4;
450
451	rsa = RSA_new();
452	if (rsa == NULL)
453	goto memerr;
454	e = BN_new();
455	if (e == NULL)
456	goto memerr;
457	if (!BN_set_word(e, read_ledword(&pin)))
458	goto memerr;
459	if (!read_lebn(&pin, nbyte, &n))
460	goto memerr;
461	if (!ispub) {
462	if (!read_lebn(&pin, hnbyte, &p))
463	goto memerr;
464	if (!read_lebn(&pin, hnbyte, &q))
465	goto memerr;
466	if (!read_lebn(&pin, hnbyte, &dmp1))
467	goto memerr;
468	if (!read_lebn(&pin, hnbyte, &dmq1))
469	goto memerr;
470	if (!read_lebn(&pin, hnbyte, &iqmp))
471	goto memerr;
472	if (!read_lebn(&pin, nbyte, &d))
473	goto memerr;
474	if (!RSA_set0_factors(rsa, p, q))
475	goto memerr;
476	p = q = NULL;
477	if (!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
478	goto memerr;
479	dmp1 = dmq1 = iqmp = NULL;
480	}
481	if (!RSA_set0_key(rsa, n, e, d))
482	goto memerr;
483	n = e = d = NULL;
484
485	*in = pin;
486	return rsa;
487	memerr:
488	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
489	BN_free(e);
490	BN_free(n);
491	BN_free(p);
492	BN_free(q);
493	BN_free(dmp1);
494	BN_free(dmq1);
495	BN_free(iqmp);
496	BN_free(d);
497	RSA_free(rsa);
498	return NULL;
499	}
500
501	EVP_PKEY b2i_PrivateKey(const unsigned char *in, long length)
502	{
503	int ispub = 0;
504
505	return ossl_b2i(in, length, &ispub);
506	}
507
508	EVP_PKEY b2i_PublicKey(const unsigned char *in, long length)
509	{
510	int ispub = 1;
511
512	return ossl_b2i(in, length, &ispub);
513	}
514
515	EVP_PKEY b2i_PrivateKey_bio(BIO in)
516	{
517	int ispub = 0;
518
519	return ossl_b2i_bio(in, &ispub);
520	}
521
522	EVP_PKEY b2i_PublicKey_bio(BIO in)
523	{
524	int ispub = 1;
525
526	return ossl_b2i_bio(in, &ispub);
527	}
528
529	static void write_ledword(unsigned char **out, unsigned int dw)
530	{
531	unsigned char p = out;
532
533	*p++ = dw & 0xff;
534	*p++ = (dw >> 8) & 0xff;
535	*p++ = (dw >> 16) & 0xff;
536	*p++ = (dw >> 24) & 0xff;
537	*out = p;
538	}
539
540	static void write_lebn(unsigned char *out, const BIGNUM bn, int len)
541	{
542	BN_bn2lebinpad(bn, *out, len);
543	*out += len;
544	}
545
546	static int check_bitlen_rsa(const RSA rsa, int ispub, unsigned int magic);
547	static void write_rsa(unsigned char *out, const RSA rsa, int ispub);
548
549	#ifndef OPENSSL_NO_DSA
550	static int check_bitlen_dsa(const DSA dsa, int ispub, unsigned int magic);
551	static void write_dsa(unsigned char *out, const DSA dsa, int ispub);
552	#endif
553
554	static int do_i2b(unsigned char *out, const EVP_PKEY pk, int ispub)
555	{
556	unsigned char *p;
557	unsigned int bitlen = 0, magic = 0, keyalg = 0;
558	int outlen = -1, noinc = 0;
559
560	if (EVP_PKEY_is_a(pk, "RSA")) {
561	bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
562	keyalg = MS_KEYALG_RSA_KEYX;
563	#ifndef OPENSSL_NO_DSA
564	} else if (EVP_PKEY_is_a(pk, "DSA")) {
565	bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
566	keyalg = MS_KEYALG_DSS_SIGN;
567	#endif
568	}
569	if (bitlen == 0) {
570	goto end;
571	}
572	outlen = 16
573	+ ossl_blob_length(bitlen, keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
574	if (out == NULL)
575	goto end;
576	if (*out)
577	p = *out;
578	else {
579	if ((p = OPENSSL_malloc(outlen)) == NULL) {
580	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
581	outlen = -1;
582	goto end;
583	}
584	*out = p;
585	noinc = 1;
586	}
587	if (ispub)
588	*p++ = MS_PUBLICKEYBLOB;
589	else
590	*p++ = MS_PRIVATEKEYBLOB;
591	*p++ = 0x2;
592	*p++ = 0;
593	*p++ = 0;
594	write_ledword(&p, keyalg);
595	write_ledword(&p, magic);
596	write_ledword(&p, bitlen);
597	if (keyalg == MS_KEYALG_RSA_KEYX)
598	write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
599	#ifndef OPENSSL_NO_DSA
600	else
601	write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
602	#endif
603	if (!noinc)
604	*out += outlen;
605	end:
606	return outlen;
607	}
608
609	static int do_i2b_bio(BIO out, const EVP_PKEY pk, int ispub)
610	{
611	unsigned char *tmp = NULL;
612	int outlen, wrlen;
613
614	outlen = do_i2b(&tmp, pk, ispub);
615	if (outlen < 0)
616	return -1;
617	wrlen = BIO_write(out, tmp, outlen);
618	OPENSSL_free(tmp);
619	if (wrlen == outlen)
620	return outlen;
621	return -1;
622	}
623
624	static int check_bitlen_rsa(const RSA rsa, int ispub, unsigned int pmagic)
625	{
626	int nbyte, hnbyte, bitlen;
627	const BIGNUM *e;
628
629	RSA_get0_key(rsa, NULL, &e, NULL);
630	if (BN_num_bits(e) > 32)
631	goto badkey;
632	bitlen = RSA_bits(rsa);
633	nbyte = RSA_size(rsa);
634	hnbyte = (bitlen + 15) >> 4;
635	if (ispub) {
636	*pmagic = MS_RSA1MAGIC;
637	return bitlen;
638	} else {
639	const BIGNUM d, p, q, iqmp, dmp1, dmq1;
640
641	*pmagic = MS_RSA2MAGIC;
642
643	/*
644	* For private key each component must fit within nbyte or hnbyte.
645	*/
646	RSA_get0_key(rsa, NULL, NULL, &d);
647	if (BN_num_bytes(d) > nbyte)
648	goto badkey;
649	RSA_get0_factors(rsa, &p, &q);
650	RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
651	if ((BN_num_bytes(iqmp) > hnbyte)
652	\|\| (BN_num_bytes(p) > hnbyte)
653	\|\| (BN_num_bytes(q) > hnbyte)
654	\|\| (BN_num_bytes(dmp1) > hnbyte)
655	\|\| (BN_num_bytes(dmq1) > hnbyte))
656	goto badkey;
657	}
658	return bitlen;
659	badkey:
660	ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
661	return 0;
662	}
663
664	static void write_rsa(unsigned char *out, const RSA rsa, int ispub)
665	{
666	int nbyte, hnbyte;
667	const BIGNUM n, d, e, p, q, iqmp, dmp1, dmq1;
668
669	nbyte = RSA_size(rsa);
670	hnbyte = (RSA_bits(rsa) + 15) >> 4;
671	RSA_get0_key(rsa, &n, &e, &d);
672	write_lebn(out, e, 4);
673	write_lebn(out, n, nbyte);
674	if (ispub)
675	return;
676	RSA_get0_factors(rsa, &p, &q);
677	RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
678	write_lebn(out, p, hnbyte);
679	write_lebn(out, q, hnbyte);
680	write_lebn(out, dmp1, hnbyte);
681	write_lebn(out, dmq1, hnbyte);
682	write_lebn(out, iqmp, hnbyte);
683	write_lebn(out, d, nbyte);
684	}
685
686	#ifndef OPENSSL_NO_DSA
687	static int check_bitlen_dsa(const DSA dsa, int ispub, unsigned int pmagic)
688	{
689	int bitlen;
690	const BIGNUM p = NULL, q = NULL, *g = NULL;
691	const BIGNUM pub_key = NULL, priv_key = NULL;
692
693	DSA_get0_pqg(dsa, &p, &q, &g);
694	DSA_get0_key(dsa, &pub_key, &priv_key);
695	bitlen = BN_num_bits(p);
696	if ((bitlen & 7) \|\| (BN_num_bits(q) != 160)
697	\|\| (BN_num_bits(g) > bitlen))
698	goto badkey;
699	if (ispub) {
700	if (BN_num_bits(pub_key) > bitlen)
701	goto badkey;
702	*pmagic = MS_DSS1MAGIC;
703	} else {
704	if (BN_num_bits(priv_key) > 160)
705	goto badkey;
706	*pmagic = MS_DSS2MAGIC;
707	}
708
709	return bitlen;
710	badkey:
711	ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
712	return 0;
713	}
714
715	static void write_dsa(unsigned char *out, const DSA dsa, int ispub)
716	{
717	int nbyte;
718	const BIGNUM p = NULL, q = NULL, *g = NULL;
719	const BIGNUM pub_key = NULL, priv_key = NULL;
720
721	DSA_get0_pqg(dsa, &p, &q, &g);
722	DSA_get0_key(dsa, &pub_key, &priv_key);
723	nbyte = BN_num_bytes(p);
724	write_lebn(out, p, nbyte);
725	write_lebn(out, q, 20);
726	write_lebn(out, g, nbyte);
727	if (ispub)
728	write_lebn(out, pub_key, nbyte);
729	else
730	write_lebn(out, priv_key, 20);
731	/* Set "invalid" for seed structure values */
732	memset(*out, 0xff, 24);
733	*out += 24;
734	return;
735	}
736	#endif
737
738	int i2b_PrivateKey_bio(BIO out, const EVP_PKEY pk)
739	{
740	return do_i2b_bio(out, pk, 0);
741	}
742
743	int i2b_PublicKey_bio(BIO out, const EVP_PKEY pk)
744	{
745	return do_i2b_bio(out, pk, 1);
746	}
747
748	int ossl_do_PVK_header(const unsigned char **in, unsigned int length,
749	int skip_magic,
750	unsigned int psaltlen, unsigned int pkeylen)
751	{
752	const unsigned char p = in;
753	unsigned int pvk_magic, is_encrypted;
754
755	if (skip_magic) {
756	if (length < 20) {
757	ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
758	return 0;
759	}
760	} else {
761	if (length < 24) {
762	ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
763	return 0;
764	}
765	pvk_magic = read_ledword(&p);
766	if (pvk_magic != MS_PVKMAGIC) {
767	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
768	return 0;
769	}
770	}
771	/* Skip reserved */
772	p += 4;
773	/*
774	* keytype =
775	*/ read_ledword(&p);
776	is_encrypted = read_ledword(&p);
777	*psaltlen = read_ledword(&p);
778	*pkeylen = read_ledword(&p);
779
780	if (pkeylen > PVK_MAX_KEYLEN \|\| psaltlen > PVK_MAX_SALTLEN)
781	return 0;
782
783	if (is_encrypted && *psaltlen == 0) {
784	ERR_raise(ERR_LIB_PEM, PEM_R_INCONSISTENT_HEADER);
785	return 0;
786	}
787
788	*in = p;
789	return 1;
790	}
791
792	#ifndef OPENSSL_NO_RC4
793	static int derive_pvk_key(unsigned char *key,
794	const unsigned char *salt, unsigned int saltlen,
795	const unsigned char *pass, int passlen,
796	OSSL_LIB_CTX libctx, const char propq)
797	{
798	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
799	int rv = 0;
800	EVP_MD *sha1 = NULL;
801
802	if ((sha1 = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL)
803	goto err;
804
805	if (mctx == NULL
806	\|\| !EVP_DigestInit_ex(mctx, sha1, NULL)
807	\|\| !EVP_DigestUpdate(mctx, salt, saltlen)
808	\|\| !EVP_DigestUpdate(mctx, pass, passlen)
809	\|\| !EVP_DigestFinal_ex(mctx, key, NULL))
810	goto err;
811
812	rv = 1;
813	err:
814	EVP_MD_CTX_free(mctx);
815	EVP_MD_free(sha1);
816	return rv;
817	}
818	#endif
819
820	static void do_PVK_body_key(const unsigned char *in,
821	unsigned int saltlen, unsigned int keylen,
822	pem_password_cb cb, void u,
823	int isdss, int ispub,
824	OSSL_LIB_CTX libctx, const char propq)
825	{
826	const unsigned char p = in;
827	unsigned char *enctmp = NULL;
828	unsigned char keybuf[20];
829	void *key = NULL;
830	#ifndef OPENSSL_NO_RC4
831	EVP_CIPHER *rc4 = NULL;
832	#endif
833	EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
834
835	if (cctx == NULL) {
836	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
837	goto err;
838	}
839
840	if (saltlen) {
841	#ifndef OPENSSL_NO_RC4
842	unsigned int magic;
843	char psbuf[PEM_BUFSIZE];
844	int enctmplen, inlen;
845	unsigned char *q;
846
847	if (cb)
848	inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
849	else
850	inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
851	if (inlen < 0) {
852	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
853	goto err;
854	}
855	enctmp = OPENSSL_malloc(keylen + 8);
856	if (enctmp == NULL) {
857	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
858	goto err;
859	}
860	if (!derive_pvk_key(keybuf, p, saltlen,
861	(unsigned char *)psbuf, inlen, libctx, propq))
862	goto err;
863	p += saltlen;
864	/* Copy BLOBHEADER across, decrypt rest */
865	memcpy(enctmp, p, 8);
866	p += 8;
867	if (keylen < 8) {
868	ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
869	goto err;
870	}
871	inlen = keylen - 8;
872	q = enctmp + 8;
873	if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
874	goto err;
875	if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
876	goto err;
877	if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
878	goto err;
879	if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
880	goto err;
881	magic = read_ledword((const unsigned char **)&q);
882	if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
883	q = enctmp + 8;
884	memset(keybuf + 5, 0, 11);
885	if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
886	goto err;
887	if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
888	goto err;
889	if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
890	goto err;
891	magic = read_ledword((const unsigned char **)&q);
892	if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
893	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_DECRYPT);
894	goto err;
895	}
896	}
897	p = enctmp;
898	#else
899	ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
900	goto err;
901	#endif
902	}
903
904	key = do_b2i_key(&p, keylen, isdss, ispub);
905	err:
906	EVP_CIPHER_CTX_free(cctx);
907	#ifndef OPENSSL_NO_RC4
908	EVP_CIPHER_free(rc4);
909	#endif
910	if (enctmp != NULL) {
911	OPENSSL_cleanse(keybuf, sizeof(keybuf));
912	OPENSSL_free(enctmp);
913	}
914	return key;
915	}
916
917	static void do_PVK_key_bio(BIO in, pem_password_cb cb, void u,
918	int isdss, int ispub,
919	OSSL_LIB_CTX libctx, const char propq)
920	{
921	unsigned char pvk_hdr[24], *buf = NULL;
922	const unsigned char *p;
923	int buflen;
924	void *key = NULL;
925	unsigned int saltlen, keylen;
926
927	if (BIO_read(in, pvk_hdr, 24) != 24) {
928	ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
929	return NULL;
930	}
931	p = pvk_hdr;
932
933	if (!ossl_do_PVK_header(&p, 24, 0, &saltlen, &keylen))
934	return 0;
935	buflen = (int)keylen + saltlen;
936	buf = OPENSSL_malloc(buflen);
937	if (buf == NULL) {
938	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
939	return 0;
940	}
941	p = buf;
942	if (BIO_read(in, buf, buflen) != buflen) {
943	ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
944	goto err;
945	}
946	key = do_PVK_body_key(&p, saltlen, keylen, cb, u, isdss, ispub, libctx, propq);
947
948	err:
949	OPENSSL_clear_free(buf, buflen);
950	return key;
951	}
952
953	#ifndef OPENSSL_NO_DSA
954	DSA b2i_DSA_PVK_bio_ex(BIO in, pem_password_cb cb, void u,
955	OSSL_LIB_CTX libctx, const char propq)
956	{
957	int isdss = 1;
958	int ispub = 0; /* PVK keys are always private */
959
960	return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq);
961	}
962
963	DSA b2i_DSA_PVK_bio(BIO in, pem_password_cb cb, void u)
964	{
965	return b2i_DSA_PVK_bio_ex(in, cb, u, NULL, NULL);
966	}
967	#endif
968
969	RSA b2i_RSA_PVK_bio_ex(BIO in, pem_password_cb cb, void u,
970	OSSL_LIB_CTX libctx, const char propq)
971	{
972	int isdss = 0;
973	int ispub = 0; /* PVK keys are always private */
974
975	return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq);
976	}
977
978	RSA b2i_RSA_PVK_bio(BIO in, pem_password_cb cb, void u)
979	{
980	return b2i_RSA_PVK_bio_ex(in, cb, u, NULL, NULL);
981	}
982
983	EVP_PKEY b2i_PVK_bio_ex(BIO in, pem_password_cb cb, void u,
984	OSSL_LIB_CTX libctx, const char propq)
985	{
986	int isdss = -1;
987	int ispub = -1;
988	void *key = do_PVK_key_bio(in, cb, u, &isdss, &ispub, NULL, NULL);
989
990	return evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
991	}
992
993	EVP_PKEY b2i_PVK_bio(BIO in, pem_password_cb cb, void u)
994	{
995	return b2i_PVK_bio_ex(in, cb, u, NULL, NULL);
996	}
997
998	static int i2b_PVK(unsigned char *out, const EVP_PKEY pk, int enclevel,
999	pem_password_cb cb, void u, OSSL_LIB_CTX *libctx,
1000	const char *propq)
1001	{
1002	int ret = -1;
1003	int outlen = 24, pklen;
1004	unsigned char p = NULL, start = NULL;
1005	EVP_CIPHER_CTX *cctx = NULL;
1006	#ifndef OPENSSL_NO_RC4
1007	unsigned char *salt = NULL;
1008	EVP_CIPHER *rc4 = NULL;
1009	#endif
1010
1011	if (enclevel)
1012	outlen += PVK_SALTLEN;
1013	pklen = do_i2b(NULL, pk, 0);
1014	if (pklen < 0)
1015	return -1;
1016	outlen += pklen;
1017	if (out == NULL)
1018	return outlen;
1019	if (*out != NULL) {
1020	p = *out;
1021	} else {
1022	start = p = OPENSSL_malloc(outlen);
1023	if (p == NULL) {
1024	ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
1025	return -1;
1026	}
1027	}
1028
1029	cctx = EVP_CIPHER_CTX_new();
1030	if (cctx == NULL)
1031	goto error;
1032
1033	write_ledword(&p, MS_PVKMAGIC);
1034	write_ledword(&p, 0);
1035	if (EVP_PKEY_get_id(pk) == EVP_PKEY_RSA)
1036	write_ledword(&p, MS_KEYTYPE_KEYX);
1037	#ifndef OPENSSL_NO_DSA
1038	else
1039	write_ledword(&p, MS_KEYTYPE_SIGN);
1040	#endif
1041	write_ledword(&p, enclevel ? 1 : 0);
1042	write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
1043	write_ledword(&p, pklen);
1044	if (enclevel) {
1045	#ifndef OPENSSL_NO_RC4
1046	if (RAND_bytes_ex(libctx, p, PVK_SALTLEN, 0) <= 0)
1047	goto error;
1048	salt = p;
1049	p += PVK_SALTLEN;
1050	#endif
1051	}
1052	do_i2b(&p, pk, 0);
1053	if (enclevel != 0) {
1054	#ifndef OPENSSL_NO_RC4
1055	char psbuf[PEM_BUFSIZE];
1056	unsigned char keybuf[20];
1057	int enctmplen, inlen;
1058	if (cb)
1059	inlen = cb(psbuf, PEM_BUFSIZE, 1, u);
1060	else
1061	inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u);
1062	if (inlen <= 0) {
1063	ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
1064	goto error;
1065	}
1066	if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
1067	(unsigned char *)psbuf, inlen, libctx, propq))
1068	goto error;
1069	if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
1070	goto error;
1071	if (enclevel == 1)
1072	memset(keybuf + 5, 0, 11);
1073	p = salt + PVK_SALTLEN + 8;
1074	if (!EVP_EncryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
1075	goto error;
1076	OPENSSL_cleanse(keybuf, 20);
1077	if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
1078	goto error;
1079	if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen))
1080	goto error;
1081	#else
1082	ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
1083	goto error;
1084	#endif
1085	}
1086
1087	if (*out == NULL)
1088	*out = start;
1089	ret = outlen;
1090	error:
1091	EVP_CIPHER_CTX_free(cctx);
1092	#ifndef OPENSSL_NO_RC4
1093	EVP_CIPHER_free(rc4);
1094	#endif
1095	if (*out == NULL)
1096	OPENSSL_free(start);
1097
1098	return ret;
1099	}
1100
1101	int i2b_PVK_bio_ex(BIO out, const EVP_PKEY pk, int enclevel,
1102	pem_password_cb cb, void u, OSSL_LIB_CTX *libctx,
1103	const char *propq)
1104	{
1105	unsigned char *tmp = NULL;
1106	int outlen, wrlen;
1107
1108	outlen = i2b_PVK(&tmp, pk, enclevel, cb, u, libctx, propq);
1109	if (outlen < 0)
1110	return -1;
1111	wrlen = BIO_write(out, tmp, outlen);
1112	OPENSSL_free(tmp);
1113	if (wrlen == outlen) {
1114	return outlen;
1115	}
1116	ERR_raise(ERR_LIB_PEM, PEM_R_BIO_WRITE_FAILURE);
1117	return -1;
1118	}
1119
1120	int i2b_PVK_bio(BIO out, const EVP_PKEY pk, int enclevel,
1121	pem_password_cb cb, void u)
1122	{
1123	return i2b_PVK_bio_ex(out, pk, enclevel, cb, u, NULL, NULL);
1124	}
1125

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.0.7/crypto/pem/pvkfmt.c@ 98929

Download in other formats: