GOST private keys can be wrapped in OCTET STRING, INTEGER or come
unwrapped. Support the latter format.

Sponsored by ROSA Linux

Signed-off-by: Dmitry Baryshkov <dbarysh...@gmail.com>
---
 src/lib/libcrypto/gost/gostr341001_ameth.c | 75 ++++++++++++++++++++--
 1 file changed, 70 insertions(+), 5 deletions(-)

diff --git a/src/lib/libcrypto/gost/gostr341001_ameth.c 
b/src/lib/libcrypto/gost/gostr341001_ameth.c
index 0f816377dde1..70bd3357f184 100644
--- a/src/lib/libcrypto/gost/gostr341001_ameth.c
+++ b/src/lib/libcrypto/gost/gostr341001_ameth.c
@@ -437,6 +437,56 @@ priv_print_gost01(BIO *out, const EVP_PKEY *pkey, int 
indent, ASN1_PCTX *pctx)
        return pub_print_gost01(out, pkey, indent, pctx);
 }
 
+static BIGNUM *unmask_priv_key(EVP_PKEY *pk,
+               const unsigned char *buf, int len, int num_masks)
+{
+       BIGNUM *pknum_masked = NULL, *q = NULL;
+       const GOST_KEY *key_ptr = pk->pkey.gost;
+       const EC_GROUP *group = GOST_KEY_get0_group(key_ptr);
+
+       pknum_masked = GOST_le2bn(buf, len, NULL);
+       if (!pknum_masked) {
+               GOSTerror(ERR_R_MALLOC_FAILURE);
+               return NULL;
+       }
+
+       if (num_masks > 0) {
+               /*
+                * XXX Remove sign by gost94
+                */
+               const unsigned char *p = buf + num_masks * len;
+
+               q = BN_new();
+               if (!q) {
+                       GOSTerror(ERR_R_MALLOC_FAILURE);
+                       BN_free(pknum_masked);
+                       pknum_masked = NULL;
+                       goto end;
+               }
+               if (EC_GROUP_get_order(group, q, NULL) <= 0) {
+                       GOSTerror(ERR_R_EC_LIB);
+                       BN_free(pknum_masked);
+                       pknum_masked = NULL;
+                       goto end;
+               }
+
+               for (; p != buf; p -= len) {
+                       BIGNUM *mask = GOST_le2bn(p, len, NULL);
+                       BN_CTX *ctx = BN_CTX_new();
+
+                       BN_mod_mul(pknum_masked, pknum_masked, mask, q, ctx);
+
+                       BN_CTX_free(ctx);
+                       BN_free(mask);
+               }
+       }
+
+end:
+       if (q)
+               BN_free(q);
+       return pknum_masked;
+}
+
 static int
 priv_decode_gost01(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf)
 {
@@ -450,6 +500,7 @@ priv_decode_gost01(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO 
*p8inf)
        GOST_KEY *ec;
        int ptype = V_ASN1_UNDEF;
        ASN1_STRING *pval = NULL;
+       int expected_key_len;
 
        if (PKCS8_pkey_get0(&palg_obj, &pkey_buf, &priv_len, &palg, p8inf) == 
0) {
                GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT);
@@ -467,29 +518,43 @@ priv_decode_gost01(EVP_PKEY *pk, const 
PKCS8_PRIV_KEY_INFO *p8inf)
                return 0;
        }
        p = pkey_buf;
-       if (V_ASN1_OCTET_STRING == *p) {
+
+       expected_key_len = (pkey_bits_gost01(pk) + 7) / 8;
+       if (expected_key_len == 0) {
+               EVPerror(EVP_R_DECODE_ERROR);
+               return 0;
+       } else if (priv_len % expected_key_len == 0) {
+               /* Key is not wrapped but masked */
+               pk_num = unmask_priv_key(pk, pkey_buf, expected_key_len,
+                               priv_len / expected_key_len - 1);
+       } else if (V_ASN1_OCTET_STRING == *p) {
                /* New format - Little endian octet string */
                ASN1_OCTET_STRING *s =
                    d2i_ASN1_OCTET_STRING(NULL, &p, priv_len);
 
                if (s == NULL) {
-                       GOSTerror(EVP_R_DECODE_ERROR);
+                       EVPerror(EVP_R_DECODE_ERROR);
                        ASN1_STRING_free(s);
                        return 0;
                }
 
                pk_num = GOST_le2bn(s->data, s->length, NULL);
                ASN1_STRING_free(s);
-       } else {
+       } else if (V_ASN1_INTEGER == *p) {
                priv_key = d2i_ASN1_INTEGER(NULL, &p, priv_len);
-               if (priv_key == NULL)
+               if (priv_key == NULL) {
+                       EVPerror(EVP_R_DECODE_ERROR);
                        return 0;
+               }
                ret = ((pk_num = ASN1_INTEGER_to_BN(priv_key, NULL)) != NULL);
                ASN1_INTEGER_free(priv_key);
                if (ret == 0) {
-                       GOSTerror(EVP_R_DECODE_ERROR);
+                       EVPerror(EVP_R_DECODE_ERROR);
                        return 0;
                }
+       } else {
+               EVPerror(EVP_R_DECODE_ERROR);
+               return 0;
        }
 
        ec = pk->pkey.gost;
-- 
2.25.1

Reply via email to