1 /*-
2  * Copyright (c) 2009 The NetBSD Foundation, Inc.
3  * All rights reserved.
4  *
5  * This code is derived from software contributed to The NetBSD Foundation
6  * by Alistair Crooks (agc@NetBSD.org)
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
18  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
21  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 /*
30  * Copyright (c) 2005-2008 Nominet UK (www.nic.uk)
31  * All rights reserved.
32  * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted
33  * their moral rights under the UK Copyright Design and Patents Act 1988 to
34  * be recorded as the authors of this copyright work.
35  *
36  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
37  * use this file except in compliance with the License.
38  *
39  * You may obtain a copy of the License at
40  *     http://www.apache.org/licenses/LICENSE-2.0
41  *
42  * Unless required by applicable law or agreed to in writing, software
43  * distributed under the License is distributed on an "AS IS" BASIS,
44  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
45  *
46  * See the License for the specific language governing permissions and
47  * limitations under the License.
48  */
49 
50 /** \file
51  */
52 #include "config.h"
53 
54 #ifdef HAVE_SYS_CDEFS_H
55 #include <sys/cdefs.h>
56 #endif
57 
58 #if defined(__NetBSD__)
59 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved.");
60 __RCSID("$NetBSD: openssl_crypto.c,v 1.33 2010/11/07 08:39:59 agc Exp $");
61 #endif
62 
63 #ifdef HAVE_OPENSSL_DSA_H
64 #include <openssl/dsa.h>
65 #endif
66 
67 #ifdef HAVE_OPENSSL_RSA_H
68 #include <openssl/rsa.h>
69 #endif
70 
71 #ifdef HAVE_OPENSSL_ERR_H
72 #include <openssl/err.h>
73 #endif
74 
75 #include <openssl/pem.h>
76 #include <openssl/evp.h>
77 
78 #include <stdlib.h>
79 #include <string.h>
80 
81 #ifdef HAVE_UNISTD_H
82 #include <unistd.h>
83 #endif
84 
85 #include "crypto.h"
86 #include "keyring.h"
87 #include "readerwriter.h"
88 #include "netpgpdefs.h"
89 #include "netpgpdigest.h"
90 #include "packet.h"
91 
92 
93 static void
test_seckey(const pgp_seckey_t * seckey)94 test_seckey(const pgp_seckey_t *seckey)
95 {
96 	RSA            *test = RSA_new();
97 
98 	test->n = BN_dup(seckey->pubkey.key.rsa.n);
99 	test->e = BN_dup(seckey->pubkey.key.rsa.e);
100 
101 	test->d = BN_dup(seckey->key.rsa.d);
102 	test->p = BN_dup(seckey->key.rsa.p);
103 	test->q = BN_dup(seckey->key.rsa.q);
104 
105 	if (RSA_check_key(test) != 1) {
106 		(void) fprintf(stderr,
107 			"test_seckey: RSA_check_key failed\n");
108 	}
109 	RSA_free(test);
110 }
111 
112 static int
md5_init(pgp_hash_t * hash)113 md5_init(pgp_hash_t *hash)
114 {
115 	if (hash->data) {
116 		(void) fprintf(stderr, "md5_init: hash data non-null\n");
117 	}
118 	if ((hash->data = calloc(1, sizeof(MD5_CTX))) == NULL) {
119 		(void) fprintf(stderr, "md5_init: bad alloc\n");
120 		return 0;
121 	}
122 	MD5_Init(hash->data);
123 	return 1;
124 }
125 
126 static void
md5_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)127 md5_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
128 {
129 	MD5_Update(hash->data, data, length);
130 }
131 
132 static unsigned
md5_finish(pgp_hash_t * hash,uint8_t * out)133 md5_finish(pgp_hash_t *hash, uint8_t *out)
134 {
135 	MD5_Final(out, hash->data);
136 	free(hash->data);
137 	hash->data = NULL;
138 	return 16;
139 }
140 
141 static const pgp_hash_t md5 = {
142 	PGP_HASH_MD5,
143 	MD5_DIGEST_LENGTH,
144 	"MD5",
145 	md5_init,
146 	md5_add,
147 	md5_finish,
148 	NULL
149 };
150 
151 /**
152    \ingroup Core_Crypto
153    \brief Initialise to MD5
154    \param hash Hash to initialise
155 */
156 void
pgp_hash_md5(pgp_hash_t * hash)157 pgp_hash_md5(pgp_hash_t *hash)
158 {
159 	*hash = md5;
160 }
161 
162 static int
sha1_init(pgp_hash_t * hash)163 sha1_init(pgp_hash_t *hash)
164 {
165 	if (hash->data) {
166 		(void) fprintf(stderr, "sha1_init: hash data non-null\n");
167 	}
168 	if ((hash->data = calloc(1, sizeof(SHA_CTX))) == NULL) {
169 		(void) fprintf(stderr, "sha1_init: bad alloc\n");
170 		return 0;
171 	}
172 	SHA1_Init(hash->data);
173 	return 1;
174 }
175 
176 static void
sha1_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)177 sha1_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
178 {
179 	if (pgp_get_debug_level(__FILE__)) {
180 		hexdump(stderr, "sha1_add", data, length);
181 	}
182 	SHA1_Update(hash->data, data, length);
183 }
184 
185 static unsigned
sha1_finish(pgp_hash_t * hash,uint8_t * out)186 sha1_finish(pgp_hash_t *hash, uint8_t *out)
187 {
188 	SHA1_Final(out, hash->data);
189 	if (pgp_get_debug_level(__FILE__)) {
190 		hexdump(stderr, "sha1_finish", out, PGP_SHA1_HASH_SIZE);
191 	}
192 	free(hash->data);
193 	hash->data = NULL;
194 	return PGP_SHA1_HASH_SIZE;
195 }
196 
197 static const pgp_hash_t sha1 = {
198 	PGP_HASH_SHA1,
199 	PGP_SHA1_HASH_SIZE,
200 	"SHA1",
201 	sha1_init,
202 	sha1_add,
203 	sha1_finish,
204 	NULL
205 };
206 
207 /**
208    \ingroup Core_Crypto
209    \brief Initialise to SHA1
210    \param hash Hash to initialise
211 */
212 void
pgp_hash_sha1(pgp_hash_t * hash)213 pgp_hash_sha1(pgp_hash_t *hash)
214 {
215 	*hash = sha1;
216 }
217 
218 static int
sha256_init(pgp_hash_t * hash)219 sha256_init(pgp_hash_t *hash)
220 {
221 	if (hash->data) {
222 		(void) fprintf(stderr, "sha256_init: hash data non-null\n");
223 	}
224 	if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) {
225 		(void) fprintf(stderr, "sha256_init: bad alloc\n");
226 		return 0;
227 	}
228 	SHA256_Init(hash->data);
229 	return 1;
230 }
231 
232 static void
sha256_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)233 sha256_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
234 {
235 	if (pgp_get_debug_level(__FILE__)) {
236 		hexdump(stderr, "sha256_add", data, length);
237 	}
238 	SHA256_Update(hash->data, data, length);
239 }
240 
241 static unsigned
sha256_finish(pgp_hash_t * hash,uint8_t * out)242 sha256_finish(pgp_hash_t *hash, uint8_t *out)
243 {
244 	SHA256_Final(out, hash->data);
245 	if (pgp_get_debug_level(__FILE__)) {
246 		hexdump(stderr, "sha1_finish", out, SHA256_DIGEST_LENGTH);
247 	}
248 	free(hash->data);
249 	hash->data = NULL;
250 	return SHA256_DIGEST_LENGTH;
251 }
252 
253 static const pgp_hash_t sha256 = {
254 	PGP_HASH_SHA256,
255 	SHA256_DIGEST_LENGTH,
256 	"SHA256",
257 	sha256_init,
258 	sha256_add,
259 	sha256_finish,
260 	NULL
261 };
262 
263 void
pgp_hash_sha256(pgp_hash_t * hash)264 pgp_hash_sha256(pgp_hash_t *hash)
265 {
266 	*hash = sha256;
267 }
268 
269 /*
270  * SHA384
271  */
272 static int
sha384_init(pgp_hash_t * hash)273 sha384_init(pgp_hash_t *hash)
274 {
275 	if (hash->data) {
276 		(void) fprintf(stderr, "sha384_init: hash data non-null\n");
277 	}
278 	if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) {
279 		(void) fprintf(stderr, "sha384_init: bad alloc\n");
280 		return 0;
281 	}
282 	SHA384_Init(hash->data);
283 	return 1;
284 }
285 
286 static void
sha384_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)287 sha384_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
288 {
289 	if (pgp_get_debug_level(__FILE__)) {
290 		hexdump(stderr, "sha384_add", data, length);
291 	}
292 	SHA384_Update(hash->data, data, length);
293 }
294 
295 static unsigned
sha384_finish(pgp_hash_t * hash,uint8_t * out)296 sha384_finish(pgp_hash_t *hash, uint8_t *out)
297 {
298 	SHA384_Final(out, hash->data);
299 	if (pgp_get_debug_level(__FILE__)) {
300 		hexdump(stderr, "sha384_finish", out, SHA384_DIGEST_LENGTH);
301 	}
302 	free(hash->data);
303 	hash->data = NULL;
304 	return SHA384_DIGEST_LENGTH;
305 }
306 
307 static const pgp_hash_t sha384 = {
308 	PGP_HASH_SHA384,
309 	SHA384_DIGEST_LENGTH,
310 	"SHA384",
311 	sha384_init,
312 	sha384_add,
313 	sha384_finish,
314 	NULL
315 };
316 
317 void
pgp_hash_sha384(pgp_hash_t * hash)318 pgp_hash_sha384(pgp_hash_t *hash)
319 {
320 	*hash = sha384;
321 }
322 
323 /*
324  * SHA512
325  */
326 static int
sha512_init(pgp_hash_t * hash)327 sha512_init(pgp_hash_t *hash)
328 {
329 	if (hash->data) {
330 		(void) fprintf(stderr, "sha512_init: hash data non-null\n");
331 	}
332 	if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) {
333 		(void) fprintf(stderr, "sha512_init: bad alloc\n");
334 		return 0;
335 	}
336 	SHA512_Init(hash->data);
337 	return 1;
338 }
339 
340 static void
sha512_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)341 sha512_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
342 {
343 	if (pgp_get_debug_level(__FILE__)) {
344 		hexdump(stderr, "sha512_add", data, length);
345 	}
346 	SHA512_Update(hash->data, data, length);
347 }
348 
349 static unsigned
sha512_finish(pgp_hash_t * hash,uint8_t * out)350 sha512_finish(pgp_hash_t *hash, uint8_t *out)
351 {
352 	SHA512_Final(out, hash->data);
353 	if (pgp_get_debug_level(__FILE__)) {
354 		hexdump(stderr, "sha512_finish", out, SHA512_DIGEST_LENGTH);
355 	}
356 	free(hash->data);
357 	hash->data = NULL;
358 	return SHA512_DIGEST_LENGTH;
359 }
360 
361 static const pgp_hash_t sha512 = {
362 	PGP_HASH_SHA512,
363 	SHA512_DIGEST_LENGTH,
364 	"SHA512",
365 	sha512_init,
366 	sha512_add,
367 	sha512_finish,
368 	NULL
369 };
370 
371 void
pgp_hash_sha512(pgp_hash_t * hash)372 pgp_hash_sha512(pgp_hash_t *hash)
373 {
374 	*hash = sha512;
375 }
376 
377 /*
378  * SHA224
379  */
380 
381 static int
sha224_init(pgp_hash_t * hash)382 sha224_init(pgp_hash_t *hash)
383 {
384 	if (hash->data) {
385 		(void) fprintf(stderr, "sha224_init: hash data non-null\n");
386 	}
387 	if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) {
388 		(void) fprintf(stderr, "sha256_init: bad alloc\n");
389 		return 0;
390 	}
391 	SHA224_Init(hash->data);
392 	return 1;
393 }
394 
395 static void
sha224_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)396 sha224_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
397 {
398 	if (pgp_get_debug_level(__FILE__)) {
399 		hexdump(stderr, "sha224_add", data, length);
400 	}
401 	SHA224_Update(hash->data, data, length);
402 }
403 
404 static unsigned
sha224_finish(pgp_hash_t * hash,uint8_t * out)405 sha224_finish(pgp_hash_t *hash, uint8_t *out)
406 {
407 	SHA224_Final(out, hash->data);
408 	if (pgp_get_debug_level(__FILE__)) {
409 		hexdump(stderr, "sha224_finish", out, SHA224_DIGEST_LENGTH);
410 	}
411 	free(hash->data);
412 	hash->data = NULL;
413 	return SHA224_DIGEST_LENGTH;
414 }
415 
416 static const pgp_hash_t sha224 = {
417 	PGP_HASH_SHA224,
418 	SHA224_DIGEST_LENGTH,
419 	"SHA224",
420 	sha224_init,
421 	sha224_add,
422 	sha224_finish,
423 	NULL
424 };
425 
426 void
pgp_hash_sha224(pgp_hash_t * hash)427 pgp_hash_sha224(pgp_hash_t *hash)
428 {
429 	*hash = sha224;
430 }
431 
432 unsigned
pgp_dsa_verify(const uint8_t * hash,size_t hash_length,const pgp_dsa_sig_t * sig,const pgp_dsa_pubkey_t * dsa)433 pgp_dsa_verify(const uint8_t *hash, size_t hash_length,
434 	       const pgp_dsa_sig_t *sig,
435 	       const pgp_dsa_pubkey_t *dsa)
436 {
437 	unsigned	qlen;
438 	DSA_SIG        *osig;
439 	DSA            *odsa;
440 	int             ret;
441 
442 	osig = DSA_SIG_new();
443 	osig->r = sig->r;
444 	osig->s = sig->s;
445 
446 	odsa = DSA_new();
447 	odsa->p = dsa->p;
448 	odsa->q = dsa->q;
449 	odsa->g = dsa->g;
450 	odsa->pub_key = dsa->y;
451 
452 	if (pgp_get_debug_level(__FILE__)) {
453 		hexdump(stderr, "input hash", hash, hash_length);
454 		(void) fprintf(stderr, "Q=%d\n", BN_num_bytes(odsa->q));
455 	}
456 	if ((qlen = (unsigned)BN_num_bytes(odsa->q)) < hash_length) {
457 		hash_length = qlen;
458 	}
459 	ret = DSA_do_verify(hash, (int)hash_length, osig, odsa);
460 	if (pgp_get_debug_level(__FILE__)) {
461 		(void) fprintf(stderr, "ret=%d\n", ret);
462 	}
463 	if (ret < 0) {
464 		(void) fprintf(stderr, "pgp_dsa_verify: DSA verification\n");
465 		return 0;
466 	}
467 
468 	odsa->p = odsa->q = odsa->g = odsa->pub_key = NULL;
469 	DSA_free(odsa);
470 
471 	osig->r = osig->s = NULL;
472 	DSA_SIG_free(osig);
473 
474 	return (unsigned)ret;
475 }
476 
477 /**
478    \ingroup Core_Crypto
479    \brief Recovers message digest from the signature
480    \param out Where to write decrypted data to
481    \param in Encrypted data
482    \param length Length of encrypted data
483    \param pubkey RSA public key
484    \return size of recovered message digest
485 */
486 int
pgp_rsa_public_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_pubkey_t * pubkey)487 pgp_rsa_public_decrypt(uint8_t *out,
488 			const uint8_t *in,
489 			size_t length,
490 			const pgp_rsa_pubkey_t *pubkey)
491 {
492 	RSA            *orsa;
493 	int             n;
494 
495 	orsa = RSA_new();
496 	orsa->n = pubkey->n;
497 	orsa->e = pubkey->e;
498 
499 	n = RSA_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING);
500 
501 	orsa->n = orsa->e = NULL;
502 	RSA_free(orsa);
503 
504 	return n;
505 }
506 
507 /**
508    \ingroup Core_Crypto
509    \brief Signs data with RSA
510    \param out Where to write signature
511    \param in Data to sign
512    \param length Length of data
513    \param seckey RSA secret key
514    \param pubkey RSA public key
515    \return number of bytes decrypted
516 */
517 int
pgp_rsa_private_encrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_seckey_t * seckey,const pgp_rsa_pubkey_t * pubkey)518 pgp_rsa_private_encrypt(uint8_t *out,
519 			const uint8_t *in,
520 			size_t length,
521 			const pgp_rsa_seckey_t *seckey,
522 			const pgp_rsa_pubkey_t *pubkey)
523 {
524 	RSA            *orsa;
525 	int             n;
526 
527 	orsa = RSA_new();
528 	orsa->n = BN_dup(pubkey->n);
529 	orsa->d = seckey->d;
530 	orsa->p = seckey->q;	/* p and q are round the other way in openssl */
531 	orsa->q = seckey->p;
532 
533 	/* debug */
534 	orsa->e = BN_dup(pubkey->e);
535 	/* If this isn't set, it's very likely that the programmer hasn't */
536 	/* decrypted the secret key. RSA_check_key segfaults in that case. */
537 	/* Use pgp_decrypt_seckey() to do that. */
538 	if (orsa->d == NULL) {
539 		(void) fprintf(stderr, "orsa is not set\n");
540 		return 0;
541 	}
542 	if (RSA_check_key(orsa) != 1) {
543 		(void) fprintf(stderr, "RSA_check_key is not set\n");
544 		return 0;
545 	}
546 	/* end debug */
547 
548 	n = RSA_private_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
549 
550 	orsa->n = orsa->d = orsa->p = orsa->q = NULL;
551 	RSA_free(orsa);
552 
553 	return n;
554 }
555 
556 /**
557 \ingroup Core_Crypto
558 \brief Decrypts RSA-encrypted data
559 \param out Where to write the plaintext
560 \param in Encrypted data
561 \param length Length of encrypted data
562 \param seckey RSA secret key
563 \param pubkey RSA public key
564 \return size of recovered plaintext
565 */
566 int
pgp_rsa_private_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_seckey_t * seckey,const pgp_rsa_pubkey_t * pubkey)567 pgp_rsa_private_decrypt(uint8_t *out,
568 			const uint8_t *in,
569 			size_t length,
570 			const pgp_rsa_seckey_t *seckey,
571 			const pgp_rsa_pubkey_t *pubkey)
572 {
573 	RSA            *keypair;
574 	int             n;
575 	char            errbuf[1024];
576 
577 	keypair = RSA_new();
578 	keypair->n = pubkey->n;	/* XXX: do we need n? */
579 	keypair->d = seckey->d;
580 	keypair->p = seckey->q;
581 	keypair->q = seckey->p;
582 
583 	/* debug */
584 	keypair->e = pubkey->e;
585 	if (RSA_check_key(keypair) != 1) {
586 		(void) fprintf(stderr, "RSA_check_key is not set\n");
587 		return 0;
588 	}
589 	/* end debug */
590 
591 	n = RSA_private_decrypt((int)length, in, out, keypair, RSA_NO_PADDING);
592 
593 	if (pgp_get_debug_level(__FILE__)) {
594 		printf("pgp_rsa_private_decrypt: n=%d\n",n);
595 	}
596 
597 	errbuf[0] = '\0';
598 	if (n == -1) {
599 		unsigned long   err = ERR_get_error();
600 
601 		ERR_error_string(err, &errbuf[0]);
602 		(void) fprintf(stderr, "openssl error : %s\n", errbuf);
603 	}
604 	keypair->n = keypair->d = keypair->p = keypair->q = NULL;
605 	RSA_free(keypair);
606 
607 	return n;
608 }
609 
610 /**
611    \ingroup Core_Crypto
612    \brief RSA-encrypts data
613    \param out Where to write the encrypted data
614    \param in Plaintext
615    \param length Size of plaintext
616    \param pubkey RSA Public Key
617 */
618 int
pgp_rsa_public_encrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_pubkey_t * pubkey)619 pgp_rsa_public_encrypt(uint8_t *out,
620 			const uint8_t *in,
621 			size_t length,
622 			const pgp_rsa_pubkey_t *pubkey)
623 {
624 	RSA            *orsa;
625 	int             n;
626 
627 	/* printf("pgp_rsa_public_encrypt: length=%ld\n", length); */
628 
629 	orsa = RSA_new();
630 	orsa->n = pubkey->n;
631 	orsa->e = pubkey->e;
632 
633 	/* printf("len: %ld\n", length); */
634 	/* pgp_print_bn("n: ", orsa->n); */
635 	/* pgp_print_bn("e: ", orsa->e); */
636 	n = RSA_public_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
637 
638 	if (n == -1) {
639 		BIO            *fd_out;
640 
641 		fd_out = BIO_new_fd(fileno(stderr), BIO_NOCLOSE);
642 		ERR_print_errors(fd_out);
643 	}
644 	orsa->n = orsa->e = NULL;
645 	RSA_free(orsa);
646 
647 	return n;
648 }
649 
650 /**
651    \ingroup Core_Crypto
652    \brief Finalise openssl
653    \note Would usually call pgp_finish() instead
654    \sa pgp_finish()
655 */
656 void
pgp_crypto_finish(void)657 pgp_crypto_finish(void)
658 {
659 	CRYPTO_cleanup_all_ex_data();
660 	ERR_remove_state((unsigned long)0);
661 }
662 
663 /**
664    \ingroup Core_Hashes
665    \brief Get Hash name
666    \param hash Hash struct
667    \return Hash name
668 */
669 const char     *
pgp_text_from_hash(pgp_hash_t * hash)670 pgp_text_from_hash(pgp_hash_t *hash)
671 {
672 	return hash->name;
673 }
674 
675 /**
676  \ingroup HighLevel_KeyGenerate
677  \brief Generates an RSA keypair
678  \param numbits Modulus size
679  \param e Public Exponent
680  \param keydata Pointer to keydata struct to hold new key
681  \return 1 if key generated successfully; otherwise 0
682  \note It is the caller's responsibility to call pgp_keydata_free(keydata)
683 */
684 static unsigned
rsa_generate_keypair(pgp_key_t * keydata,const int numbits,const unsigned long e,const char * hashalg,const char * cipher)685 rsa_generate_keypair(pgp_key_t *keydata,
686 			const int numbits,
687 			const unsigned long e,
688 			const char *hashalg,
689 			const char *cipher)
690 {
691 	pgp_seckey_t *seckey;
692 	RSA            *rsa;
693 	BN_CTX         *ctx;
694 	pgp_output_t *output;
695 	pgp_memory_t   *mem;
696 
697 	ctx = BN_CTX_new();
698 	pgp_keydata_init(keydata, PGP_PTAG_CT_SECRET_KEY);
699 	seckey = pgp_get_writable_seckey(keydata);
700 
701 	/* generate the key pair */
702 
703 	rsa = RSA_generate_key(numbits, e, NULL, NULL);
704 
705 	/* populate pgp key from ssl key */
706 
707 	seckey->pubkey.version = PGP_V4;
708 	seckey->pubkey.birthtime = time(NULL);
709 	seckey->pubkey.days_valid = 0;
710 	seckey->pubkey.alg = PGP_PKA_RSA;
711 
712 	seckey->pubkey.key.rsa.n = BN_dup(rsa->n);
713 	seckey->pubkey.key.rsa.e = BN_dup(rsa->e);
714 
715 	seckey->s2k_usage = PGP_S2KU_ENCRYPTED_AND_HASHED;
716 	seckey->s2k_specifier = PGP_S2KS_SALTED;
717 	/* seckey->s2k_specifier=PGP_S2KS_SIMPLE; */
718 	if ((seckey->hash_alg = pgp_str_to_hash_alg(hashalg)) == PGP_HASH_UNKNOWN) {
719 		seckey->hash_alg = PGP_HASH_SHA1;
720 	}
721 	seckey->alg = pgp_str_to_cipher(cipher);
722 	seckey->octetc = 0;
723 	seckey->checksum = 0;
724 
725 	seckey->key.rsa.d = BN_dup(rsa->d);
726 	seckey->key.rsa.p = BN_dup(rsa->p);
727 	seckey->key.rsa.q = BN_dup(rsa->q);
728 	seckey->key.rsa.u = BN_mod_inverse(NULL, rsa->p, rsa->q, ctx);
729 	if (seckey->key.rsa.u == NULL) {
730 		(void) fprintf(stderr, "seckey->key.rsa.u is NULL\n");
731 		return 0;
732 	}
733 	BN_CTX_free(ctx);
734 
735 	RSA_free(rsa);
736 
737 	pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
738 	pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg);
739 
740 	/* Generate checksum */
741 
742 	output = NULL;
743 	mem = NULL;
744 
745 	pgp_setup_memory_write(&output, &mem, 128);
746 
747 	pgp_push_checksum_writer(output, seckey);
748 
749 	switch (seckey->pubkey.alg) {
750 	case PGP_PKA_DSA:
751 		return pgp_write_mpi(output, seckey->key.dsa.x);
752 	case PGP_PKA_RSA:
753 	case PGP_PKA_RSA_ENCRYPT_ONLY:
754 	case PGP_PKA_RSA_SIGN_ONLY:
755 		if (!pgp_write_mpi(output, seckey->key.rsa.d) ||
756 		    !pgp_write_mpi(output, seckey->key.rsa.p) ||
757 		    !pgp_write_mpi(output, seckey->key.rsa.q) ||
758 		    !pgp_write_mpi(output, seckey->key.rsa.u)) {
759 			return 0;
760 		}
761 		break;
762 	case PGP_PKA_ELGAMAL:
763 		return pgp_write_mpi(output, seckey->key.elgamal.x);
764 
765 	default:
766 		(void) fprintf(stderr, "Bad seckey->pubkey.alg\n");
767 		return 0;
768 	}
769 
770 	/* close rather than pop, since its the only one on the stack */
771 	pgp_writer_close(output);
772 	pgp_teardown_memory_write(output, mem);
773 
774 	/* should now have checksum in seckey struct */
775 
776 	/* test */
777 	if (pgp_get_debug_level(__FILE__)) {
778 		test_seckey(seckey);
779 	}
780 
781 	return 1;
782 }
783 
784 /**
785  \ingroup HighLevel_KeyGenerate
786  \brief Creates a self-signed RSA keypair
787  \param numbits Modulus size
788  \param e Public Exponent
789  \param userid User ID
790  \return The new keypair or NULL
791 
792  \note It is the caller's responsibility to call pgp_keydata_free(keydata)
793  \sa rsa_generate_keypair()
794  \sa pgp_keydata_free()
795 */
796 pgp_key_t  *
pgp_rsa_new_selfsign_key(const int numbits,const unsigned long e,uint8_t * userid,const char * hashalg,const char * cipher)797 pgp_rsa_new_selfsign_key(const int numbits,
798 				const unsigned long e,
799 				uint8_t *userid,
800 				const char *hashalg,
801 				const char *cipher)
802 {
803 	pgp_key_t  *keydata;
804 
805 	keydata = pgp_keydata_new();
806 	if (!rsa_generate_keypair(keydata, numbits, e, hashalg, cipher) ||
807 	    !pgp_add_selfsigned_userid(keydata, userid)) {
808 		pgp_keydata_free(keydata);
809 		return NULL;
810 	}
811 	return keydata;
812 }
813 
814 DSA_SIG        *
pgp_dsa_sign(uint8_t * hashbuf,unsigned hashsize,const pgp_dsa_seckey_t * secdsa,const pgp_dsa_pubkey_t * pubdsa)815 pgp_dsa_sign(uint8_t *hashbuf,
816 		unsigned hashsize,
817 		const pgp_dsa_seckey_t *secdsa,
818 		const pgp_dsa_pubkey_t *pubdsa)
819 {
820 	DSA_SIG        *dsasig;
821 	DSA            *odsa;
822 
823 	odsa = DSA_new();
824 	odsa->p = pubdsa->p;
825 	odsa->q = pubdsa->q;
826 	odsa->g = pubdsa->g;
827 	odsa->pub_key = pubdsa->y;
828 	odsa->priv_key = secdsa->x;
829 
830 	dsasig = DSA_do_sign(hashbuf, (int)hashsize, odsa);
831 
832 	odsa->p = odsa->q = odsa->g = odsa->pub_key = odsa->priv_key = NULL;
833 	DSA_free(odsa);
834 
835 	return dsasig;
836 }
837 
838 int
openssl_read_pem_seckey(const char * f,pgp_key_t * key,const char * type,int verbose)839 openssl_read_pem_seckey(const char *f, pgp_key_t *key, const char *type, int verbose)
840 {
841 	FILE	*fp;
842 	char	 prompt[BUFSIZ];
843 	char	*pass;
844 	DSA	*dsa;
845 	RSA	*rsa;
846 	int	 ok;
847 
848 	OpenSSL_add_all_algorithms();
849 	if ((fp = fopen(f, "r")) == NULL) {
850 		if (verbose) {
851 			(void) fprintf(stderr, "can't open '%s'\n", f);
852 		}
853 		return 0;
854 	}
855 	ok = 1;
856 	if (strcmp(type, "ssh-rsa") == 0) {
857 		if ((rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
858 			(void) snprintf(prompt, sizeof(prompt), "netpgp PEM %s passphrase: ", f);
859 			do {
860 				pass = getpass(prompt);
861 				rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, pass);
862 			} while (rsa == NULL);
863 		}
864 		key->key.seckey.key.rsa.d = rsa->d;
865 		key->key.seckey.key.rsa.p = rsa->p;
866 		key->key.seckey.key.rsa.q = rsa->q;
867 		key->key.seckey.key.rsa.d = rsa->d;
868 	} else if (strcmp(type, "ssh-dss") == 0) {
869 		if ((dsa = PEM_read_DSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
870 			ok = 0;
871 		} else {
872 			key->key.seckey.key.dsa.x = dsa->priv_key;
873 		}
874 	} else {
875 		ok = 0;
876 	}
877 	(void) fclose(fp);
878 	return ok;
879 }
880 
881 /*
882  * Decide the number of bits in the random componont k
883  *
884  * It should be in the same range as p for signing (which
885  * is deprecated), but can be much smaller for encrypting.
886  *
887  * Until I research it further, I just mimic gpg behaviour.
888  * It has a special mapping table, for values <= 5120,
889  * above that it uses 'arbitrary high number'.	Following
890  * algorihm hovers 10-70 bits above gpg values.  And for
891  * larger p, it uses gpg's algorihm.
892  *
893  * The point is - if k gets large, encryption will be
894  * really slow.  It does not matter for decryption.
895  */
896 static int
decide_k_bits(int p_bits)897 decide_k_bits(int p_bits)
898 {
899 	return (p_bits <= 5120) ? p_bits / 10 + 160 : (p_bits / 8 + 200) * 3 / 2;
900 }
901 
902 int
pgp_elgamal_public_encrypt(uint8_t * g_to_k,uint8_t * encm,const uint8_t * in,size_t size,const pgp_elgamal_pubkey_t * pubkey)903 pgp_elgamal_public_encrypt(uint8_t *g_to_k, uint8_t *encm,
904 			const uint8_t *in,
905 			size_t size,
906 			const pgp_elgamal_pubkey_t *pubkey)
907 {
908 	int	ret = 0;
909 	int	k_bits;
910 	BIGNUM	   *m;
911 	BIGNUM	   *p;
912 	BIGNUM	   *g;
913 	BIGNUM	   *y;
914 	BIGNUM	   *k;
915 	BIGNUM	   *yk;
916 	BIGNUM	   *c1;
917 	BIGNUM	   *c2;
918 	BN_CTX	   *tmp;
919 
920 	m = BN_bin2bn(in, (int)size, NULL);
921 	p = pubkey->p;
922 	g = pubkey->g;
923 	y = pubkey->y;
924 	k = BN_new();
925 	yk = BN_new();
926 	c1 = BN_new();
927 	c2 = BN_new();
928 	tmp = BN_CTX_new();
929 	if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) {
930 		goto done;
931 	}
932 	/*
933 	 * generate k
934 	 */
935 	k_bits = decide_k_bits(BN_num_bits(p));
936 	if (!BN_rand(k, k_bits, 0, 0)) {
937 		goto done;
938 	}
939 	/*
940 	 * c1 = g^k c2 = m * y^k
941 	 */
942 	if (!BN_mod_exp(c1, g, k, p, tmp)) {
943 		goto done;
944 	}
945 	if (!BN_mod_exp(yk, y, k, p, tmp)) {
946 		goto done;
947 	}
948 	if (!BN_mod_mul(c2, m, yk, p, tmp)) {
949 		goto done;
950 	}
951 	/* result */
952 	BN_bn2bin(c1, g_to_k);
953 	ret = BN_num_bytes(c1);	/* c1 = g^k */
954 	BN_bn2bin(c2, encm);
955 	ret += BN_num_bytes(c2); /* c2 = m * y^k */
956 done:
957 	if (tmp) {
958 		BN_CTX_free(tmp);
959 	}
960 	if (c2) {
961 		BN_clear_free(c2);
962 	}
963 	if (c1) {
964 		BN_clear_free(c1);
965 	}
966 	if (yk) {
967 		BN_clear_free(yk);
968 	}
969 	if (k) {
970 		BN_clear_free(k);
971 	}
972 	if (g) {
973 		BN_clear_free(g);
974 	}
975 	return ret;
976 }
977 
978 int
pgp_elgamal_private_decrypt(uint8_t * out,const uint8_t * g_to_k,const uint8_t * in,size_t length,const pgp_elgamal_seckey_t * seckey,const pgp_elgamal_pubkey_t * pubkey)979 pgp_elgamal_private_decrypt(uint8_t *out,
980 				const uint8_t *g_to_k,
981 				const uint8_t *in,
982 				size_t length,
983 				const pgp_elgamal_seckey_t *seckey,
984 				const pgp_elgamal_pubkey_t *pubkey)
985 {
986 	BIGNUM	*bndiv;
987 	BIGNUM	*c1x;
988 	BN_CTX	*tmp;
989 	BIGNUM	*c1;
990 	BIGNUM	*c2;
991 	BIGNUM	*p;
992 	BIGNUM	*x;
993 	BIGNUM	*m;
994 	int	 ret;
995 
996 	ret = 0;
997 	/* c1 and c2 are in g_to_k and in, respectively*/
998 	c1 = BN_bin2bn(g_to_k, (int)length, NULL);
999 	c2 = BN_bin2bn(in, (int)length, NULL);
1000 	/* other bits */
1001 	p = pubkey->p;
1002 	x = seckey->x;
1003 	c1x = BN_new();
1004 	bndiv = BN_new();
1005 	m = BN_new();
1006 	tmp = BN_CTX_new();
1007 	if (!c1 || !c2 || !p || !x || !c1x || !bndiv || !m || !tmp) {
1008 		goto done;
1009 	}
1010 	/*
1011 	 * m = c2 / (c1^x)
1012 	 */
1013 	if (!BN_mod_exp(c1x, c1, x, p, tmp)) {
1014 		goto done;
1015 	}
1016 	if (!BN_mod_inverse(bndiv, c1x, p, tmp)) {
1017 		goto done;
1018 	}
1019 	if (!BN_mod_mul(m, c2, bndiv, p, tmp)) {
1020 		goto done;
1021 	}
1022 	/* result */
1023 	ret = BN_bn2bin(m, out);
1024 done:
1025 	if (tmp) {
1026 		BN_CTX_free(tmp);
1027 	}
1028 	if (m) {
1029 		BN_clear_free(m);
1030 	}
1031 	if (bndiv) {
1032 		BN_clear_free(bndiv);
1033 	}
1034 	if (c1x) {
1035 		BN_clear_free(c1x);
1036 	}
1037 	if (x) {
1038 		BN_clear_free(x);
1039 	}
1040 	if (p) {
1041 		BN_clear_free(p);
1042 	}
1043 	if (c1) {
1044 		BN_clear_free(c1);
1045 	}
1046 	if (c2) {
1047 		BN_clear_free(c2);
1048 	}
1049 	return ret;
1050 }
1051