• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * Support for PVK format keys and related structures (such a PUBLICKEYBLOB
12  * and PRIVATEKEYBLOB).
13  */
14 
15 /*
16  * RSA and DSA low level APIs are deprecated for public use, but still ok for
17  * internal use.
18  */
19 #include "internal/deprecated.h"
20 
21 #include <openssl/pem.h>
22 #include <openssl/rand.h>
23 #include <openssl/bn.h>
24 #include <openssl/dsa.h>
25 #include <openssl/rsa.h>
26 #include "internal/cryptlib.h"
27 #include "crypto/pem.h"
28 #include "crypto/evp.h"
29 
30 /*
31  * Utility function: read a DWORD (4 byte unsigned integer) in little endian
32  * format
33  */
34 
read_ledword(const unsigned char ** in)35 static unsigned int read_ledword(const unsigned char **in)
36 {
37     const unsigned char *p = *in;
38     unsigned int ret;
39 
40     ret = (unsigned int)*p++;
41     ret |= (unsigned int)*p++ << 8;
42     ret |= (unsigned int)*p++ << 16;
43     ret |= (unsigned int)*p++ << 24;
44     *in = p;
45     return ret;
46 }
47 
48 /*
49  * Read a BIGNUM in little endian format. The docs say that this should take
50  * up bitlen/8 bytes.
51  */
52 
read_lebn(const unsigned char ** in,unsigned int nbyte,BIGNUM ** r)53 static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
54 {
55     *r = BN_lebin2bn(*in, nbyte, NULL);
56     if (*r == NULL)
57         return 0;
58     *in += nbyte;
59     return 1;
60 }
61 
62 /*
63  * Create an EVP_PKEY from a type specific key.
64  * This takes ownership of |key|, as long as the |evp_type| is acceptable
65  * (EVP_PKEY_RSA or EVP_PKEY_DSA), even if the resulting EVP_PKEY wasn't
66  * created.
67  */
68 #define isdss_to_evp_type(isdss)                                \
69     (isdss == 0 ? EVP_PKEY_RSA : isdss == 1 ? EVP_PKEY_DSA : EVP_PKEY_NONE)
evp_pkey_new0_key(void * key,int evp_type)70 static EVP_PKEY *evp_pkey_new0_key(void *key, int evp_type)
71 {
72     EVP_PKEY *pkey = NULL;
73 
74     /*
75      * It's assumed that if |key| is NULL, something went wrong elsewhere
76      * and suitable errors are already reported.
77      */
78     if (key == NULL)
79         return NULL;
80 
81     if (!ossl_assert(evp_type == EVP_PKEY_RSA || evp_type == EVP_PKEY_DSA)) {
82         ERR_raise(ERR_LIB_PEM, ERR_R_INTERNAL_ERROR);
83         return NULL;
84     }
85 
86     if ((pkey = EVP_PKEY_new()) != NULL) {
87         switch (evp_type) {
88         case EVP_PKEY_RSA:
89             if (EVP_PKEY_set1_RSA(pkey, key))
90                 break;
91             EVP_PKEY_free(pkey);
92             pkey = NULL;
93             break;
94 #ifndef OPENSSL_NO_DSA
95         case EVP_PKEY_DSA:
96             if (EVP_PKEY_set1_DSA(pkey, key))
97                 break;
98             EVP_PKEY_free(pkey);
99             pkey = NULL;
100             break;
101 #endif
102         }
103     }
104 
105     switch (evp_type) {
106     case EVP_PKEY_RSA:
107         RSA_free(key);
108         break;
109 #ifndef OPENSSL_NO_DSA
110     case EVP_PKEY_DSA:
111         DSA_free(key);
112         break;
113 #endif
114     }
115 
116     if (pkey == NULL)
117         ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
118     return pkey;
119 }
120 
121 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
122 
123 # define MS_PUBLICKEYBLOB        0x6
124 # define MS_PRIVATEKEYBLOB       0x7
125 # define MS_RSA1MAGIC            0x31415352L
126 # define MS_RSA2MAGIC            0x32415352L
127 # define MS_DSS1MAGIC            0x31535344L
128 # define MS_DSS2MAGIC            0x32535344L
129 
130 # define MS_KEYALG_RSA_KEYX      0xa400
131 # define MS_KEYALG_DSS_SIGN      0x2200
132 
133 # define MS_KEYTYPE_KEYX         0x1
134 # define MS_KEYTYPE_SIGN         0x2
135 
136 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
137 # define MS_PVKMAGIC             0xb0b5f11eL
138 /* Salt length for PVK files */
139 # define PVK_SALTLEN             0x10
140 /* Maximum length in PVK header */
141 # define PVK_MAX_KEYLEN          102400
142 /* Maximum salt length */
143 # define PVK_MAX_SALTLEN         10240
144 
145 /*
146  * Read the MSBLOB header and get relevant data from it.
147  *
148  * |pisdss| and |pispub| have a double role, as they can be used for
149  * discovery as well as to check the the blob meets expectations.
150  * |*pisdss| is the indicator for whether the key is a DSA key or not.
151  * |*pispub| is the indicator for whether the key is public or not.
152  * In both cases, the following input values apply:
153  *
154  * 0    Expected to not be what the variable indicates.
155  * 1    Expected to be what the variable indicates.
156  * -1   No expectations, this function will assign 0 or 1 depending on
157  *      header data.
158  */
ossl_do_blob_header(const unsigned char ** in,unsigned int length,unsigned int * pmagic,unsigned int * pbitlen,int * pisdss,int * pispub)159 int ossl_do_blob_header(const unsigned char **in, unsigned int length,
160                         unsigned int *pmagic, unsigned int *pbitlen,
161                         int *pisdss, int *pispub)
162 {
163     const unsigned char *p = *in;
164 
165     if (length < 16)
166         return 0;
167     /* bType */
168     switch (*p) {
169     case MS_PUBLICKEYBLOB:
170         if (*pispub == 0) {
171             ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
172             return 0;
173         }
174         *pispub = 1;
175         break;
176 
177     case MS_PRIVATEKEYBLOB:
178         if (*pispub == 1) {
179             ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
180             return 0;
181         }
182         *pispub = 0;
183         break;
184 
185     default:
186         return 0;
187     }
188     p++;
189     /* Version */
190     if (*p++ != 0x2) {
191         ERR_raise(ERR_LIB_PEM, PEM_R_BAD_VERSION_NUMBER);
192         return 0;
193     }
194     /* Ignore reserved, aiKeyAlg */
195     p += 6;
196     *pmagic = read_ledword(&p);
197     *pbitlen = read_ledword(&p);
198 
199     /* Consistency check for private vs public */
200     switch (*pmagic) {
201     case MS_DSS1MAGIC:
202     case MS_RSA1MAGIC:
203         if (*pispub == 0) {
204             ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
205             return 0;
206         }
207         break;
208 
209     case MS_DSS2MAGIC:
210     case MS_RSA2MAGIC:
211         if (*pispub == 1) {
212             ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
213             return 0;
214         }
215         break;
216 
217     default:
218         ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
219         return -1;
220     }
221 
222     /* Check that we got the expected type */
223     switch (*pmagic) {
224     case MS_DSS1MAGIC:
225     case MS_DSS2MAGIC:
226         if (*pisdss == 0) {
227             ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_DSS_KEY_BLOB);
228             return 0;
229         }
230         *pisdss = 1;
231         break;
232     case MS_RSA1MAGIC:
233     case MS_RSA2MAGIC:
234         if (*pisdss == 1) {
235             ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_RSA_KEY_BLOB);
236             return 0;
237         }
238         *pisdss = 0;
239         break;
240 
241     default:
242         ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
243         return -1;
244     }
245     *in = p;
246     return 1;
247 }
248 
ossl_blob_length(unsigned bitlen,int isdss,int ispub)249 unsigned int ossl_blob_length(unsigned bitlen, int isdss, int ispub)
250 {
251     unsigned int nbyte = (bitlen + 7) >> 3;
252     unsigned int hnbyte = (bitlen + 15) >> 4;
253 
254     if (isdss) {
255 
256         /*
257          * Expected length: 20 for q + 3 components bitlen each + 24 for seed
258          * structure.
259          */
260         if (ispub)
261             return 44 + 3 * nbyte;
262         /*
263          * Expected length: 20 for q, priv, 2 bitlen components + 24 for seed
264          * structure.
265          */
266         else
267             return 64 + 2 * nbyte;
268     } else {
269         /* Expected length: 4 for 'e' + 'n' */
270         if (ispub)
271             return 4 + nbyte;
272         else
273             /*
274              * Expected length: 4 for 'e' and 7 other components. 2
275              * components are bitlen size, 5 are bitlen/2
276              */
277             return 4 + 2 * nbyte + 5 * hnbyte;
278     }
279 
280 }
281 
do_b2i_key(const unsigned char ** in,unsigned int length,int * isdss,int * ispub)282 static void *do_b2i_key(const unsigned char **in, unsigned int length,
283                         int *isdss, int *ispub)
284 {
285     const unsigned char *p = *in;
286     unsigned int bitlen, magic;
287     void *key = NULL;
288 
289     if (ossl_do_blob_header(&p, length, &magic, &bitlen, isdss, ispub) <= 0) {
290         ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
291         return NULL;
292     }
293     length -= 16;
294     if (length < ossl_blob_length(bitlen, *isdss, *ispub)) {
295         ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
296         return NULL;
297     }
298     if (!*isdss)
299         key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub);
300 #ifndef OPENSSL_NO_DSA
301     else
302         key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub);
303 #endif
304 
305     if (key == NULL) {
306         ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
307         return NULL;
308     }
309 
310     return key;
311 }
312 
ossl_b2i(const unsigned char ** in,unsigned int length,int * ispub)313 EVP_PKEY *ossl_b2i(const unsigned char **in, unsigned int length, int *ispub)
314 {
315     int isdss = -1;
316     void *key = do_b2i_key(in, length, &isdss, ispub);
317 
318     return evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
319 }
320 
ossl_b2i_bio(BIO * in,int * ispub)321 EVP_PKEY *ossl_b2i_bio(BIO *in, int *ispub)
322 {
323     const unsigned char *p;
324     unsigned char hdr_buf[16], *buf = NULL;
325     unsigned int bitlen, magic, length;
326     int isdss = -1;
327     void *key = NULL;
328     EVP_PKEY *pkey = NULL;
329 
330     if (BIO_read(in, hdr_buf, 16) != 16) {
331         ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
332         return NULL;
333     }
334     p = hdr_buf;
335     if (ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, ispub) <= 0)
336         return NULL;
337 
338     length = ossl_blob_length(bitlen, isdss, *ispub);
339     if (length > BLOB_MAX_LENGTH) {
340         ERR_raise(ERR_LIB_PEM, PEM_R_HEADER_TOO_LONG);
341         return NULL;
342     }
343     buf = OPENSSL_malloc(length);
344     if (buf == NULL) {
345         ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
346         goto err;
347     }
348     p = buf;
349     if (BIO_read(in, buf, length) != (int)length) {
350         ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
351         goto err;
352     }
353 
354     if (!isdss)
355         key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub);
356 #ifndef OPENSSL_NO_DSA
357     else
358         key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub);
359 #endif
360 
361     if (key == NULL) {
362         ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
363         goto err;
364     }
365 
366     pkey = evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
367  err:
368     OPENSSL_free(buf);
369     return pkey;
370 }
371 
372 #ifndef OPENSSL_NO_DSA
ossl_b2i_DSA_after_header(const unsigned char ** in,unsigned int bitlen,int ispub)373 DSA *ossl_b2i_DSA_after_header(const unsigned char **in, unsigned int bitlen,
374                                int ispub)
375 {
376     const unsigned char *p = *in;
377     DSA *dsa = NULL;
378     BN_CTX *ctx = NULL;
379     BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL;
380     BIGNUM *pub_key = NULL;
381     unsigned int nbyte = (bitlen + 7) >> 3;
382 
383     dsa = DSA_new();
384     if (dsa == NULL)
385         goto memerr;
386     if (!read_lebn(&p, nbyte, &pbn))
387         goto memerr;
388 
389     if (!read_lebn(&p, 20, &qbn))
390         goto memerr;
391 
392     if (!read_lebn(&p, nbyte, &gbn))
393         goto memerr;
394 
395     if (ispub) {
396         if (!read_lebn(&p, nbyte, &pub_key))
397             goto memerr;
398     } else {
399         if (!read_lebn(&p, 20, &priv_key))
400             goto memerr;
401 
402         /* Set constant time flag before public key calculation */
403         BN_set_flags(priv_key, BN_FLG_CONSTTIME);
404 
405         /* Calculate public key */
406         pub_key = BN_new();
407         if (pub_key == NULL)
408             goto memerr;
409         if ((ctx = BN_CTX_new()) == NULL)
410             goto memerr;
411 
412         if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx))
413             goto memerr;
414 
415         BN_CTX_free(ctx);
416         ctx = NULL;
417     }
418     if (!DSA_set0_pqg(dsa, pbn, qbn, gbn))
419         goto memerr;
420     pbn = qbn = gbn = NULL;
421     if (!DSA_set0_key(dsa, pub_key, priv_key))
422         goto memerr;
423     pub_key = priv_key = NULL;
424 
425     *in = p;
426     return dsa;
427 
428  memerr:
429     ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
430     DSA_free(dsa);
431     BN_free(pbn);
432     BN_free(qbn);
433     BN_free(gbn);
434     BN_free(pub_key);
435     BN_free(priv_key);
436     BN_CTX_free(ctx);
437     return NULL;
438 }
439 #endif
440 
ossl_b2i_RSA_after_header(const unsigned char ** in,unsigned int bitlen,int ispub)441 RSA *ossl_b2i_RSA_after_header(const unsigned char **in, unsigned int bitlen,
442                                int ispub)
443 {
444     const unsigned char *pin = *in;
445     BIGNUM *e = NULL, *n = NULL, *d = NULL;
446     BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
447     RSA *rsa = NULL;
448     unsigned int nbyte = (bitlen + 7) >> 3;
449     unsigned int hnbyte = (bitlen + 15) >> 4;
450 
451     rsa = RSA_new();
452     if (rsa == NULL)
453         goto memerr;
454     e = BN_new();
455     if (e == NULL)
456         goto memerr;
457     if (!BN_set_word(e, read_ledword(&pin)))
458         goto memerr;
459     if (!read_lebn(&pin, nbyte, &n))
460         goto memerr;
461     if (!ispub) {
462         if (!read_lebn(&pin, hnbyte, &p))
463             goto memerr;
464         if (!read_lebn(&pin, hnbyte, &q))
465             goto memerr;
466         if (!read_lebn(&pin, hnbyte, &dmp1))
467             goto memerr;
468         if (!read_lebn(&pin, hnbyte, &dmq1))
469             goto memerr;
470         if (!read_lebn(&pin, hnbyte, &iqmp))
471             goto memerr;
472         if (!read_lebn(&pin, nbyte, &d))
473             goto memerr;
474         if (!RSA_set0_factors(rsa, p, q))
475             goto memerr;
476         p = q = NULL;
477         if (!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
478             goto memerr;
479         dmp1 = dmq1 = iqmp = NULL;
480     }
481     if (!RSA_set0_key(rsa, n, e, d))
482         goto memerr;
483     n = e = d = NULL;
484 
485     *in = pin;
486     return rsa;
487  memerr:
488     ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
489     BN_free(e);
490     BN_free(n);
491     BN_free(p);
492     BN_free(q);
493     BN_free(dmp1);
494     BN_free(dmq1);
495     BN_free(iqmp);
496     BN_free(d);
497     RSA_free(rsa);
498     return NULL;
499 }
500 
b2i_PrivateKey(const unsigned char ** in,long length)501 EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length)
502 {
503     int ispub = 0;
504 
505     return ossl_b2i(in, length, &ispub);
506 }
507 
b2i_PublicKey(const unsigned char ** in,long length)508 EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length)
509 {
510     int ispub = 1;
511 
512     return ossl_b2i(in, length, &ispub);
513 }
514 
b2i_PrivateKey_bio(BIO * in)515 EVP_PKEY *b2i_PrivateKey_bio(BIO *in)
516 {
517     int ispub = 0;
518 
519     return ossl_b2i_bio(in, &ispub);
520 }
521 
b2i_PublicKey_bio(BIO * in)522 EVP_PKEY *b2i_PublicKey_bio(BIO *in)
523 {
524     int ispub = 1;
525 
526     return ossl_b2i_bio(in, &ispub);
527 }
528 
write_ledword(unsigned char ** out,unsigned int dw)529 static void write_ledword(unsigned char **out, unsigned int dw)
530 {
531     unsigned char *p = *out;
532 
533     *p++ = dw & 0xff;
534     *p++ = (dw >> 8) & 0xff;
535     *p++ = (dw >> 16) & 0xff;
536     *p++ = (dw >> 24) & 0xff;
537     *out = p;
538 }
539 
write_lebn(unsigned char ** out,const BIGNUM * bn,int len)540 static void write_lebn(unsigned char **out, const BIGNUM *bn, int len)
541 {
542     BN_bn2lebinpad(bn, *out, len);
543     *out += len;
544 }
545 
546 static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *magic);
547 static void write_rsa(unsigned char **out, const RSA *rsa, int ispub);
548 
549 #ifndef OPENSSL_NO_DSA
550 static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *magic);
551 static void write_dsa(unsigned char **out, const DSA *dsa, int ispub);
552 #endif
553 
do_i2b(unsigned char ** out,const EVP_PKEY * pk,int ispub)554 static int do_i2b(unsigned char **out, const EVP_PKEY *pk, int ispub)
555 {
556     unsigned char *p;
557     unsigned int bitlen = 0, magic = 0, keyalg = 0;
558     int outlen = -1, noinc = 0;
559 
560     if (EVP_PKEY_is_a(pk, "RSA")) {
561         bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
562         keyalg = MS_KEYALG_RSA_KEYX;
563 #ifndef OPENSSL_NO_DSA
564     } else if (EVP_PKEY_is_a(pk, "DSA")) {
565         bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
566         keyalg = MS_KEYALG_DSS_SIGN;
567 #endif
568     }
569     if (bitlen == 0) {
570         goto end;
571     }
572     outlen = 16
573         + ossl_blob_length(bitlen, keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
574     if (out == NULL)
575         goto end;
576     if (*out)
577         p = *out;
578     else {
579         if ((p = OPENSSL_malloc(outlen)) == NULL) {
580             ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
581             outlen = -1;
582             goto end;
583         }
584         *out = p;
585         noinc = 1;
586     }
587     if (ispub)
588         *p++ = MS_PUBLICKEYBLOB;
589     else
590         *p++ = MS_PRIVATEKEYBLOB;
591     *p++ = 0x2;
592     *p++ = 0;
593     *p++ = 0;
594     write_ledword(&p, keyalg);
595     write_ledword(&p, magic);
596     write_ledword(&p, bitlen);
597     if (keyalg == MS_KEYALG_RSA_KEYX)
598         write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
599 #ifndef OPENSSL_NO_DSA
600     else
601         write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
602 #endif
603     if (!noinc)
604         *out += outlen;
605  end:
606     return outlen;
607 }
608 
do_i2b_bio(BIO * out,const EVP_PKEY * pk,int ispub)609 static int do_i2b_bio(BIO *out, const EVP_PKEY *pk, int ispub)
610 {
611     unsigned char *tmp = NULL;
612     int outlen, wrlen;
613 
614     outlen = do_i2b(&tmp, pk, ispub);
615     if (outlen < 0)
616         return -1;
617     wrlen = BIO_write(out, tmp, outlen);
618     OPENSSL_free(tmp);
619     if (wrlen == outlen)
620         return outlen;
621     return -1;
622 }
623 
check_bitlen_rsa(const RSA * rsa,int ispub,unsigned int * pmagic)624 static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *pmagic)
625 {
626     int nbyte, hnbyte, bitlen;
627     const BIGNUM *e;
628 
629     RSA_get0_key(rsa, NULL, &e, NULL);
630     if (BN_num_bits(e) > 32)
631         goto badkey;
632     bitlen = RSA_bits(rsa);
633     nbyte = RSA_size(rsa);
634     hnbyte = (bitlen + 15) >> 4;
635     if (ispub) {
636         *pmagic = MS_RSA1MAGIC;
637         return bitlen;
638     } else {
639         const BIGNUM *d, *p, *q, *iqmp, *dmp1, *dmq1;
640 
641         *pmagic = MS_RSA2MAGIC;
642 
643         /*
644          * For private key each component must fit within nbyte or hnbyte.
645          */
646         RSA_get0_key(rsa, NULL, NULL, &d);
647         if (BN_num_bytes(d) > nbyte)
648             goto badkey;
649         RSA_get0_factors(rsa, &p, &q);
650         RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
651         if ((BN_num_bytes(iqmp) > hnbyte)
652             || (BN_num_bytes(p) > hnbyte)
653             || (BN_num_bytes(q) > hnbyte)
654             || (BN_num_bytes(dmp1) > hnbyte)
655             || (BN_num_bytes(dmq1) > hnbyte))
656             goto badkey;
657     }
658     return bitlen;
659  badkey:
660     ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
661     return 0;
662 }
663 
write_rsa(unsigned char ** out,const RSA * rsa,int ispub)664 static void write_rsa(unsigned char **out, const RSA *rsa, int ispub)
665 {
666     int nbyte, hnbyte;
667     const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1;
668 
669     nbyte = RSA_size(rsa);
670     hnbyte = (RSA_bits(rsa) + 15) >> 4;
671     RSA_get0_key(rsa, &n, &e, &d);
672     write_lebn(out, e, 4);
673     write_lebn(out, n, nbyte);
674     if (ispub)
675         return;
676     RSA_get0_factors(rsa, &p, &q);
677     RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
678     write_lebn(out, p, hnbyte);
679     write_lebn(out, q, hnbyte);
680     write_lebn(out, dmp1, hnbyte);
681     write_lebn(out, dmq1, hnbyte);
682     write_lebn(out, iqmp, hnbyte);
683     write_lebn(out, d, nbyte);
684 }
685 
686 #ifndef OPENSSL_NO_DSA
check_bitlen_dsa(const DSA * dsa,int ispub,unsigned int * pmagic)687 static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *pmagic)
688 {
689     int bitlen;
690     const BIGNUM *p = NULL, *q = NULL, *g = NULL;
691     const BIGNUM *pub_key = NULL, *priv_key = NULL;
692 
693     DSA_get0_pqg(dsa, &p, &q, &g);
694     DSA_get0_key(dsa, &pub_key, &priv_key);
695     bitlen = BN_num_bits(p);
696     if ((bitlen & 7) || (BN_num_bits(q) != 160)
697         || (BN_num_bits(g) > bitlen))
698         goto badkey;
699     if (ispub) {
700         if (BN_num_bits(pub_key) > bitlen)
701             goto badkey;
702         *pmagic = MS_DSS1MAGIC;
703     } else {
704         if (BN_num_bits(priv_key) > 160)
705             goto badkey;
706         *pmagic = MS_DSS2MAGIC;
707     }
708 
709     return bitlen;
710  badkey:
711     ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
712     return 0;
713 }
714 
write_dsa(unsigned char ** out,const DSA * dsa,int ispub)715 static void write_dsa(unsigned char **out, const DSA *dsa, int ispub)
716 {
717     int nbyte;
718     const BIGNUM *p = NULL, *q = NULL, *g = NULL;
719     const BIGNUM *pub_key = NULL, *priv_key = NULL;
720 
721     DSA_get0_pqg(dsa, &p, &q, &g);
722     DSA_get0_key(dsa, &pub_key, &priv_key);
723     nbyte = BN_num_bytes(p);
724     write_lebn(out, p, nbyte);
725     write_lebn(out, q, 20);
726     write_lebn(out, g, nbyte);
727     if (ispub)
728         write_lebn(out, pub_key, nbyte);
729     else
730         write_lebn(out, priv_key, 20);
731     /* Set "invalid" for seed structure values */
732     memset(*out, 0xff, 24);
733     *out += 24;
734     return;
735 }
736 #endif
737 
i2b_PrivateKey_bio(BIO * out,const EVP_PKEY * pk)738 int i2b_PrivateKey_bio(BIO *out, const EVP_PKEY *pk)
739 {
740     return do_i2b_bio(out, pk, 0);
741 }
742 
i2b_PublicKey_bio(BIO * out,const EVP_PKEY * pk)743 int i2b_PublicKey_bio(BIO *out, const EVP_PKEY *pk)
744 {
745     return do_i2b_bio(out, pk, 1);
746 }
747 
ossl_do_PVK_header(const unsigned char ** in,unsigned int length,int skip_magic,unsigned int * psaltlen,unsigned int * pkeylen)748 int ossl_do_PVK_header(const unsigned char **in, unsigned int length,
749                        int skip_magic,
750                        unsigned int *psaltlen, unsigned int *pkeylen)
751 {
752     const unsigned char *p = *in;
753     unsigned int pvk_magic, is_encrypted;
754 
755     if (skip_magic) {
756         if (length < 20) {
757             ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
758             return 0;
759         }
760     } else {
761         if (length < 24) {
762             ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
763             return 0;
764         }
765         pvk_magic = read_ledword(&p);
766         if (pvk_magic != MS_PVKMAGIC) {
767             ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
768             return 0;
769         }
770     }
771     /* Skip reserved */
772     p += 4;
773     /*
774      * keytype =
775      */ read_ledword(&p);
776     is_encrypted = read_ledword(&p);
777     *psaltlen = read_ledword(&p);
778     *pkeylen = read_ledword(&p);
779 
780     if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
781         return 0;
782 
783     if (is_encrypted && *psaltlen == 0) {
784         ERR_raise(ERR_LIB_PEM, PEM_R_INCONSISTENT_HEADER);
785         return 0;
786     }
787 
788     *in = p;
789     return 1;
790 }
791 
792 #ifndef OPENSSL_NO_RC4
derive_pvk_key(unsigned char * key,const unsigned char * salt,unsigned int saltlen,const unsigned char * pass,int passlen,OSSL_LIB_CTX * libctx,const char * propq)793 static int derive_pvk_key(unsigned char *key,
794                           const unsigned char *salt, unsigned int saltlen,
795                           const unsigned char *pass, int passlen,
796                           OSSL_LIB_CTX *libctx, const char *propq)
797 {
798     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
799     int rv = 0;
800     EVP_MD *sha1 = NULL;
801 
802     if ((sha1 = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL)
803         goto err;
804 
805     if (mctx == NULL
806         || !EVP_DigestInit_ex(mctx, sha1, NULL)
807         || !EVP_DigestUpdate(mctx, salt, saltlen)
808         || !EVP_DigestUpdate(mctx, pass, passlen)
809         || !EVP_DigestFinal_ex(mctx, key, NULL))
810         goto err;
811 
812     rv = 1;
813 err:
814     EVP_MD_CTX_free(mctx);
815     EVP_MD_free(sha1);
816     return rv;
817 }
818 #endif
819 
do_PVK_body_key(const unsigned char ** in,unsigned int saltlen,unsigned int keylen,pem_password_cb * cb,void * u,int * isdss,int * ispub,OSSL_LIB_CTX * libctx,const char * propq)820 static void *do_PVK_body_key(const unsigned char **in,
821                              unsigned int saltlen, unsigned int keylen,
822                              pem_password_cb *cb, void *u,
823                              int *isdss, int *ispub,
824                              OSSL_LIB_CTX *libctx, const char *propq)
825 {
826     const unsigned char *p = *in;
827     unsigned char *enctmp = NULL;
828     unsigned char keybuf[20];
829     void *key = NULL;
830 #ifndef OPENSSL_NO_RC4
831     EVP_CIPHER *rc4 = NULL;
832 #endif
833     EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
834 
835     if (cctx == NULL) {
836         ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
837         goto err;
838     }
839 
840     if (saltlen) {
841 #ifndef OPENSSL_NO_RC4
842         unsigned int magic;
843         char psbuf[PEM_BUFSIZE];
844         int enctmplen, inlen;
845         unsigned char *q;
846 
847         if (cb)
848             inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
849         else
850             inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
851         if (inlen < 0) {
852             ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
853             goto err;
854         }
855         enctmp = OPENSSL_malloc(keylen + 8);
856         if (enctmp == NULL) {
857             ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
858             goto err;
859         }
860         if (!derive_pvk_key(keybuf, p, saltlen,
861                             (unsigned char *)psbuf, inlen, libctx, propq))
862             goto err;
863         p += saltlen;
864         /* Copy BLOBHEADER across, decrypt rest */
865         memcpy(enctmp, p, 8);
866         p += 8;
867         if (keylen < 8) {
868             ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
869             goto err;
870         }
871         inlen = keylen - 8;
872         q = enctmp + 8;
873         if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
874             goto err;
875         if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
876             goto err;
877         if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
878             goto err;
879         if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
880             goto err;
881         magic = read_ledword((const unsigned char **)&q);
882         if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
883             q = enctmp + 8;
884             memset(keybuf + 5, 0, 11);
885             if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
886                 goto err;
887             if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
888                 goto err;
889             if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
890                 goto err;
891             magic = read_ledword((const unsigned char **)&q);
892             if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
893                 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_DECRYPT);
894                 goto err;
895             }
896         }
897         p = enctmp;
898 #else
899         ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
900         goto err;
901 #endif
902     }
903 
904     key = do_b2i_key(&p, keylen, isdss, ispub);
905  err:
906     EVP_CIPHER_CTX_free(cctx);
907 #ifndef OPENSSL_NO_RC4
908     EVP_CIPHER_free(rc4);
909 #endif
910     if (enctmp != NULL) {
911         OPENSSL_cleanse(keybuf, sizeof(keybuf));
912         OPENSSL_free(enctmp);
913     }
914     return key;
915 }
916 
do_PVK_key_bio(BIO * in,pem_password_cb * cb,void * u,int * isdss,int * ispub,OSSL_LIB_CTX * libctx,const char * propq)917 static void *do_PVK_key_bio(BIO *in, pem_password_cb *cb, void *u,
918                             int *isdss, int *ispub,
919                             OSSL_LIB_CTX *libctx, const char *propq)
920 {
921     unsigned char pvk_hdr[24], *buf = NULL;
922     const unsigned char *p;
923     int buflen;
924     void *key = NULL;
925     unsigned int saltlen, keylen;
926 
927     if (BIO_read(in, pvk_hdr, 24) != 24) {
928         ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
929         return NULL;
930     }
931     p = pvk_hdr;
932 
933     if (!ossl_do_PVK_header(&p, 24, 0, &saltlen, &keylen))
934         return 0;
935     buflen = (int)keylen + saltlen;
936     buf = OPENSSL_malloc(buflen);
937     if (buf == NULL) {
938         ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
939         return 0;
940     }
941     p = buf;
942     if (BIO_read(in, buf, buflen) != buflen) {
943         ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
944         goto err;
945     }
946     key = do_PVK_body_key(&p, saltlen, keylen, cb, u, isdss, ispub, libctx, propq);
947 
948  err:
949     OPENSSL_clear_free(buf, buflen);
950     return key;
951 }
952 
953 #ifndef OPENSSL_NO_DSA
b2i_DSA_PVK_bio_ex(BIO * in,pem_password_cb * cb,void * u,OSSL_LIB_CTX * libctx,const char * propq)954 DSA *b2i_DSA_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u,
955                         OSSL_LIB_CTX *libctx, const char *propq)
956 {
957     int isdss = 1;
958     int ispub = 0;               /* PVK keys are always private */
959 
960     return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq);
961 }
962 
b2i_DSA_PVK_bio(BIO * in,pem_password_cb * cb,void * u)963 DSA *b2i_DSA_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
964 {
965     return b2i_DSA_PVK_bio_ex(in, cb, u, NULL, NULL);
966 }
967 #endif
968 
b2i_RSA_PVK_bio_ex(BIO * in,pem_password_cb * cb,void * u,OSSL_LIB_CTX * libctx,const char * propq)969 RSA *b2i_RSA_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u,
970                         OSSL_LIB_CTX *libctx, const char *propq)
971 {
972     int isdss = 0;
973     int ispub = 0;               /* PVK keys are always private */
974 
975     return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq);
976 }
977 
b2i_RSA_PVK_bio(BIO * in,pem_password_cb * cb,void * u)978 RSA *b2i_RSA_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
979 {
980     return b2i_RSA_PVK_bio_ex(in, cb, u, NULL, NULL);
981 }
982 
b2i_PVK_bio_ex(BIO * in,pem_password_cb * cb,void * u,OSSL_LIB_CTX * libctx,const char * propq)983 EVP_PKEY *b2i_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u,
984                          OSSL_LIB_CTX *libctx, const char *propq)
985 {
986     int isdss = -1;
987     int ispub = -1;
988     void *key = do_PVK_key_bio(in, cb, u, &isdss, &ispub, NULL, NULL);
989 
990     return evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
991 }
992 
b2i_PVK_bio(BIO * in,pem_password_cb * cb,void * u)993 EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
994 {
995     return b2i_PVK_bio_ex(in, cb, u, NULL, NULL);
996 }
997 
i2b_PVK(unsigned char ** out,const EVP_PKEY * pk,int enclevel,pem_password_cb * cb,void * u,OSSL_LIB_CTX * libctx,const char * propq)998 static int i2b_PVK(unsigned char **out, const EVP_PKEY *pk, int enclevel,
999                    pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx,
1000                    const char *propq)
1001 {
1002     int ret = -1;
1003     int outlen = 24, pklen;
1004     unsigned char *p = NULL, *start = NULL;
1005     EVP_CIPHER_CTX *cctx = NULL;
1006 #ifndef OPENSSL_NO_RC4
1007     unsigned char *salt = NULL;
1008     EVP_CIPHER *rc4 = NULL;
1009 #endif
1010 
1011     if (enclevel)
1012         outlen += PVK_SALTLEN;
1013     pklen = do_i2b(NULL, pk, 0);
1014     if (pklen < 0)
1015         return -1;
1016     outlen += pklen;
1017     if (out == NULL)
1018         return outlen;
1019     if (*out != NULL) {
1020         p = *out;
1021     } else {
1022         start = p = OPENSSL_malloc(outlen);
1023         if (p == NULL) {
1024             ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
1025             return -1;
1026         }
1027     }
1028 
1029     cctx = EVP_CIPHER_CTX_new();
1030     if (cctx == NULL)
1031         goto error;
1032 
1033     write_ledword(&p, MS_PVKMAGIC);
1034     write_ledword(&p, 0);
1035     if (EVP_PKEY_get_id(pk) == EVP_PKEY_RSA)
1036         write_ledword(&p, MS_KEYTYPE_KEYX);
1037 #ifndef OPENSSL_NO_DSA
1038     else
1039         write_ledword(&p, MS_KEYTYPE_SIGN);
1040 #endif
1041     write_ledword(&p, enclevel ? 1 : 0);
1042     write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
1043     write_ledword(&p, pklen);
1044     if (enclevel) {
1045 #ifndef OPENSSL_NO_RC4
1046         if (RAND_bytes_ex(libctx, p, PVK_SALTLEN, 0) <= 0)
1047             goto error;
1048         salt = p;
1049         p += PVK_SALTLEN;
1050 #endif
1051     }
1052     do_i2b(&p, pk, 0);
1053     if (enclevel != 0) {
1054 #ifndef OPENSSL_NO_RC4
1055         char psbuf[PEM_BUFSIZE];
1056         unsigned char keybuf[20];
1057         int enctmplen, inlen;
1058         if (cb)
1059             inlen = cb(psbuf, PEM_BUFSIZE, 1, u);
1060         else
1061             inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u);
1062         if (inlen <= 0) {
1063             ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
1064             goto error;
1065         }
1066         if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
1067                             (unsigned char *)psbuf, inlen, libctx, propq))
1068             goto error;
1069         if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
1070             goto error;
1071         if (enclevel == 1)
1072             memset(keybuf + 5, 0, 11);
1073         p = salt + PVK_SALTLEN + 8;
1074         if (!EVP_EncryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
1075             goto error;
1076         OPENSSL_cleanse(keybuf, 20);
1077         if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
1078             goto error;
1079         if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen))
1080             goto error;
1081 #else
1082         ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
1083         goto error;
1084 #endif
1085     }
1086 
1087     if (*out == NULL)
1088         *out = start;
1089     ret = outlen;
1090  error:
1091     EVP_CIPHER_CTX_free(cctx);
1092 #ifndef OPENSSL_NO_RC4
1093     EVP_CIPHER_free(rc4);
1094 #endif
1095     if (*out == NULL)
1096         OPENSSL_free(start);
1097 
1098     return ret;
1099 }
1100 
i2b_PVK_bio_ex(BIO * out,const EVP_PKEY * pk,int enclevel,pem_password_cb * cb,void * u,OSSL_LIB_CTX * libctx,const char * propq)1101 int i2b_PVK_bio_ex(BIO *out, const EVP_PKEY *pk, int enclevel,
1102                    pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx,
1103                    const char *propq)
1104 {
1105     unsigned char *tmp = NULL;
1106     int outlen, wrlen;
1107 
1108     outlen = i2b_PVK(&tmp, pk, enclevel, cb, u, libctx, propq);
1109     if (outlen < 0)
1110         return -1;
1111     wrlen = BIO_write(out, tmp, outlen);
1112     OPENSSL_free(tmp);
1113     if (wrlen == outlen) {
1114         return outlen;
1115     }
1116     ERR_raise(ERR_LIB_PEM, PEM_R_BIO_WRITE_FAILURE);
1117     return -1;
1118 }
1119 
i2b_PVK_bio(BIO * out,const EVP_PKEY * pk,int enclevel,pem_password_cb * cb,void * u)1120 int i2b_PVK_bio(BIO *out, const EVP_PKEY *pk, int enclevel,
1121                 pem_password_cb *cb, void *u)
1122 {
1123     return i2b_PVK_bio_ex(out, pk, enclevel, cb, u, NULL, NULL);
1124 }
1125 
1126