1 /*-
2 * Copyright (c) 2009 The NetBSD Foundation, Inc.
3 * All rights reserved.
4 *
5 * This code is derived from software contributed to The NetBSD Foundation
6 * by Alistair Crooks (agc@NetBSD.org)
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29 /*
30 * Copyright (c) 2005-2008 Nominet UK (www.nic.uk)
31 * All rights reserved.
32 * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted
33 * their moral rights under the UK Copyright Design and Patents Act 1988 to
34 * be recorded as the authors of this copyright work.
35 *
36 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
37 * use this file except in compliance with the License.
38 *
39 * You may obtain a copy of the License at
40 * http://www.apache.org/licenses/LICENSE-2.0
41 *
42 * Unless required by applicable law or agreed to in writing, software
43 * distributed under the License is distributed on an "AS IS" BASIS,
44 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
45 *
46 * See the License for the specific language governing permissions and
47 * limitations under the License.
48 */
49
50 /** \file
51 */
52 #include "config.h"
53
54 #ifdef HAVE_SYS_CDEFS_H
55 #include <sys/cdefs.h>
56 #endif
57
58 #if defined(__NetBSD__)
59 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved.");
60 __RCSID("$NetBSD: openssl_crypto.c,v 1.35 2022/08/26 19:18:38 jhigh Exp $");
61 #endif
62
63 #ifdef HAVE_OPENSSL_DSA_H
64 #include <openssl/dsa.h>
65 #endif
66
67 #ifdef HAVE_OPENSSL_RSA_H
68 #include <openssl/rsa.h>
69 #endif
70
71 #ifdef HAVE_OPENSSL_ERR_H
72 #include <openssl/err.h>
73 #endif
74
75 #include <openssl/pem.h>
76 #include <openssl/evp.h>
77
78 #include <stdlib.h>
79 #include <string.h>
80
81 #ifdef HAVE_UNISTD_H
82 #include <unistd.h>
83 #endif
84
85 #include "crypto.h"
86 #include "keyring.h"
87 #include "readerwriter.h"
88 #include "netpgpdefs.h"
89 #include "netpgpdigest.h"
90 #include "netpgpsdk.h"
91 #include "packet.h"
92
93 static void
takeRSA(const RSA * orsa,pgp_rsa_pubkey_t * pk,pgp_rsa_seckey_t * sk)94 takeRSA(const RSA *orsa, pgp_rsa_pubkey_t *pk, pgp_rsa_seckey_t *sk)
95 {
96 const BIGNUM *n, *e, *d, *q, *p;
97 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
98 RSA_get0_key(orsa, &n, &e, &d);
99 RSA_get0_factors(orsa, &q, &p);
100 #else
101 n = orsa->n;
102 e = orsa->e;
103 d = orsa->d;
104 p = orsa->p;
105 q = orsa->q;
106 #endif
107 if (sk) {
108 sk->d = BN_dup(d);
109 sk->p = BN_dup(p);
110 sk->q = BN_dup(q);
111 }
112 if (pk) {
113 pk->n = BN_dup(n);
114 pk->e = BN_dup(e);
115 }
116 }
117
118 static RSA *
makeRSA(const pgp_rsa_pubkey_t * pubkey,const pgp_rsa_seckey_t * seckey)119 makeRSA(const pgp_rsa_pubkey_t *pubkey, const pgp_rsa_seckey_t *seckey)
120 {
121 BIGNUM *n, *e, *d, *p, *q;
122 RSA *orsa;
123
124 orsa = RSA_new();
125 n = BN_dup(pubkey->n);
126 e = BN_dup(pubkey->e);
127
128 if (seckey) {
129 d = BN_dup(seckey->d);
130 p = BN_dup(seckey->p);
131 q = BN_dup(seckey->q);
132 } else {
133 d = p = q = NULL;
134 }
135
136 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
137 RSA_set0_key(orsa, n, e, d);
138 RSA_set0_factors(orsa, p, q);
139 #else
140 BN_free(orsa->n);
141 BN_free(orsa->e);
142 orsa->n = n;
143 orsa->e = e;
144 if (d) {
145 BN_free(orsa->d);
146 orsa->d = d;
147 }
148 if (p) {
149 BN_free(orsa->p);
150 orsa->p = p;
151 }
152 if (q) {
153 BN_free(orsa->q);
154 orsa->q = q;
155 }
156 #endif
157 return orsa;
158 }
159
160 static DSA_SIG *
makeDSA_SIG(const pgp_dsa_sig_t * sig)161 makeDSA_SIG(const pgp_dsa_sig_t *sig)
162 {
163 DSA_SIG *osig;
164 BIGNUM *r, *s;
165
166 osig = DSA_SIG_new();
167 r = BN_dup(sig->r);
168 s = BN_dup(sig->s);
169
170 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
171 DSA_SIG_set0(osig, r, s);
172 #else
173 BN_free(osig->r);
174 BN_free(osig->s);
175 osig->r = r;
176 osig->s = s;
177 #endif
178
179 return osig;
180 }
181
182 static DSA *
makeDSA(const pgp_dsa_pubkey_t * dsa,const pgp_dsa_seckey_t * secdsa)183 makeDSA(const pgp_dsa_pubkey_t *dsa, const pgp_dsa_seckey_t *secdsa)
184 {
185 DSA *odsa;
186 BIGNUM *p, *q, *g, *y, *x;
187
188 odsa = DSA_new();
189
190 p = BN_dup(dsa->p);
191 q = BN_dup(dsa->q);
192 g = BN_dup(dsa->g);
193 y = BN_dup(dsa->y);
194 x = secdsa ? secdsa->x : NULL;
195
196 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
197 DSA_set0_key(odsa, y, x);
198 #else
199 BN_free(odsa->p);
200 BN_free(odsa->q);
201 BN_free(odsa->g);
202 BN_free(odsa->pub_key);
203 odsa->p = p;
204 odsa->q = q;
205 odsa->g = g;
206 odsa->pub_key = y;
207 if (x) {
208 BN_free(odsa->priv_key);
209 odsa->priv_key = x;
210 }
211 #endif
212 return odsa;
213 }
214
215 static void
takeDSA(const DSA * odsa,pgp_dsa_seckey_t * sk)216 takeDSA(const DSA *odsa, pgp_dsa_seckey_t *sk)
217 {
218 const BIGNUM *x;
219 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
220 DSA_get0_key(odsa, NULL, &x);
221 #else
222 x = odsa->priv_key;
223 #endif
224 sk->x = BN_dup(x);
225 }
226
227 static ECDSA_SIG *
makeECDSADSA_SIG(const pgp_ecdsa_sig_t * sig)228 makeECDSADSA_SIG(const pgp_ecdsa_sig_t *sig)
229 {
230 ECDSA_SIG *osig;
231 BIGNUM *r, *s;
232
233 osig = ECDSA_SIG_new();
234 r = BN_dup(sig->r);
235 s = BN_dup(sig->s);
236
237 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
238 ECDSA_SIG_set0(osig, r, s);
239 #else
240 BN_free(osig->r);
241 BN_free(osig->s);
242 osig->r = r;
243 osig->s = s;
244 #endif
245
246 return osig;
247 }
248
249 static EC_KEY *
makeECDSA(const pgp_ecdsa_pubkey_t * ecdsa,const pgp_ecdsa_seckey_t * sececdsa)250 makeECDSA(const pgp_ecdsa_pubkey_t *ecdsa, const pgp_ecdsa_seckey_t *sececdsa)
251 {
252 EC_KEY *key;
253 BIGNUM *x;
254 BIGNUM *y;
255 EC_GROUP *group;
256 EC_POINT *pub_key;
257 EC_POINT *point;
258 int nid;
259
260 key = EC_KEY_new();
261 x = BN_new();
262 y = BN_new();
263
264 nid = ecdsa_nid(ecdsa);
265 if (nid == -1) {
266 (void) fprintf(stderr,"makeECDSA: failed to determine NID\n");
267 return 0;
268 }
269
270 group = EC_GROUP_new_by_curve_name(nid);
271 if (group == NULL) {
272 (void) fprintf(stderr,"makeECDSA: failed to get group for specified NID\n");
273 return 0;
274 }
275
276 pub_key = EC_POINT_new(group);
277 if (pub_key == NULL) {
278 (void) fprintf(stderr,"makeECDSA: failed to alloc point\n");
279 return 0;
280 }
281
282 point = EC_POINT_bn2point(group, ecdsa->p, NULL, NULL);
283 if (point == NULL) {
284 (void) fprintf(stderr,"makeECDSA: failed to conv BN to point\n");
285 return 0;
286 }
287
288
289 if ((EC_POINT_get_affine_coordinates(group, point, x, y, NULL)) == 0) {
290 (void) fprintf(stderr,"makeECDSA: failed to get coordinates from point\n");
291 return 0;
292 }
293
294 if ((EC_POINT_set_affine_coordinates(group, pub_key, x, y, NULL)) == 0) {
295 (void) fprintf(stderr,"makeECDSA: failed to set coordinates from point\n");
296 return 0;
297 }
298
299 if ((EC_KEY_set_group(key, group)) == 0) {
300 (void) fprintf(stderr,"makeECDSA: failed to set group for key\n");
301 return 0;
302 }
303
304 if ((EC_KEY_set_public_key(key, pub_key)) == 0) {
305 (void) fprintf(stderr,"makeECDSA: failed to set pubkey for key\n");
306 return 0;
307 }
308
309 if (sececdsa) {
310 if ((EC_KEY_set_private_key(key, sececdsa->x)) == 0) {
311 (void) fprintf(stderr,"makeECDSA: failed to set seckey for key\n");
312 return 0;
313 }
314
315 if ((EC_POINT_mul(group, pub_key, sececdsa->x, NULL, NULL, NULL)) == 0) {
316 (void) fprintf(stderr,"makeECDSA: failed to calculate generator\n");
317 return 0;
318 }
319 }
320
321 return key;
322 }
323
324 static void
test_seckey(const pgp_seckey_t * seckey)325 test_seckey(const pgp_seckey_t *seckey)
326 {
327 RSA *test = makeRSA(&seckey->pubkey.key.rsa, &seckey->key.rsa);
328
329 if (RSA_check_key(test) != 1) {
330 (void) fprintf(stderr,
331 "test_seckey: RSA_check_key failed\n");
332 }
333 RSA_free(test);
334 }
335
336 static int
md5_init(pgp_hash_t * hash)337 md5_init(pgp_hash_t *hash)
338 {
339 if (hash->data) {
340 (void) fprintf(stderr, "md5_init: hash data non-null\n");
341 }
342 if ((hash->data = calloc(1, sizeof(MD5_CTX))) == NULL) {
343 (void) fprintf(stderr, "md5_init: bad alloc\n");
344 return 0;
345 }
346 MD5_Init(hash->data);
347 return 1;
348 }
349
350 static void
md5_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)351 md5_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
352 {
353 MD5_Update(hash->data, data, length);
354 }
355
356 static unsigned
md5_finish(pgp_hash_t * hash,uint8_t * out)357 md5_finish(pgp_hash_t *hash, uint8_t *out)
358 {
359 MD5_Final(out, hash->data);
360 free(hash->data);
361 hash->data = NULL;
362 return 16;
363 }
364
365 static const pgp_hash_t md5 = {
366 PGP_HASH_MD5,
367 MD5_DIGEST_LENGTH,
368 "MD5",
369 md5_init,
370 md5_add,
371 md5_finish,
372 NULL
373 };
374
375 /**
376 \ingroup Core_Crypto
377 \brief Initialise to MD5
378 \param hash Hash to initialise
379 */
380 void
pgp_hash_md5(pgp_hash_t * hash)381 pgp_hash_md5(pgp_hash_t *hash)
382 {
383 *hash = md5;
384 }
385
386 static int
sha1_init(pgp_hash_t * hash)387 sha1_init(pgp_hash_t *hash)
388 {
389 if (hash->data) {
390 (void) fprintf(stderr, "sha1_init: hash data non-null\n");
391 }
392 if ((hash->data = calloc(1, sizeof(SHA_CTX))) == NULL) {
393 (void) fprintf(stderr, "sha1_init: bad alloc\n");
394 return 0;
395 }
396 SHA1_Init(hash->data);
397 return 1;
398 }
399
400 static void
sha1_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)401 sha1_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
402 {
403 if (pgp_get_debug_level(__FILE__)) {
404 hexdump(stderr, "sha1_add", data, length);
405 }
406 SHA1_Update(hash->data, data, length);
407 }
408
409 static unsigned
sha1_finish(pgp_hash_t * hash,uint8_t * out)410 sha1_finish(pgp_hash_t *hash, uint8_t *out)
411 {
412 SHA1_Final(out, hash->data);
413 if (pgp_get_debug_level(__FILE__)) {
414 hexdump(stderr, "sha1_finish", out, PGP_SHA1_HASH_SIZE);
415 }
416 free(hash->data);
417 hash->data = NULL;
418 return PGP_SHA1_HASH_SIZE;
419 }
420
421 static const pgp_hash_t sha1 = {
422 PGP_HASH_SHA1,
423 PGP_SHA1_HASH_SIZE,
424 "SHA1",
425 sha1_init,
426 sha1_add,
427 sha1_finish,
428 NULL
429 };
430
431 /**
432 \ingroup Core_Crypto
433 \brief Initialise to SHA1
434 \param hash Hash to initialise
435 */
436 void
pgp_hash_sha1(pgp_hash_t * hash)437 pgp_hash_sha1(pgp_hash_t *hash)
438 {
439 *hash = sha1;
440 }
441
442 static int
sha256_init(pgp_hash_t * hash)443 sha256_init(pgp_hash_t *hash)
444 {
445 if (hash->data) {
446 (void) fprintf(stderr, "sha256_init: hash data non-null\n");
447 }
448 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) {
449 (void) fprintf(stderr, "sha256_init: bad alloc\n");
450 return 0;
451 }
452 SHA256_Init(hash->data);
453 return 1;
454 }
455
456 static void
sha256_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)457 sha256_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
458 {
459 if (pgp_get_debug_level(__FILE__)) {
460 hexdump(stderr, "sha256_add", data, length);
461 }
462 SHA256_Update(hash->data, data, length);
463 }
464
465 static unsigned
sha256_finish(pgp_hash_t * hash,uint8_t * out)466 sha256_finish(pgp_hash_t *hash, uint8_t *out)
467 {
468 SHA256_Final(out, hash->data);
469 if (pgp_get_debug_level(__FILE__)) {
470 hexdump(stderr, "sha1_finish", out, SHA256_DIGEST_LENGTH);
471 }
472 free(hash->data);
473 hash->data = NULL;
474 return SHA256_DIGEST_LENGTH;
475 }
476
477 static const pgp_hash_t sha256 = {
478 PGP_HASH_SHA256,
479 SHA256_DIGEST_LENGTH,
480 "SHA256",
481 sha256_init,
482 sha256_add,
483 sha256_finish,
484 NULL
485 };
486
487 void
pgp_hash_sha256(pgp_hash_t * hash)488 pgp_hash_sha256(pgp_hash_t *hash)
489 {
490 *hash = sha256;
491 }
492
493 /*
494 * SHA384
495 */
496 static int
sha384_init(pgp_hash_t * hash)497 sha384_init(pgp_hash_t *hash)
498 {
499 if (hash->data) {
500 (void) fprintf(stderr, "sha384_init: hash data non-null\n");
501 }
502 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) {
503 (void) fprintf(stderr, "sha384_init: bad alloc\n");
504 return 0;
505 }
506 SHA384_Init(hash->data);
507 return 1;
508 }
509
510 static void
sha384_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)511 sha384_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
512 {
513 if (pgp_get_debug_level(__FILE__)) {
514 hexdump(stderr, "sha384_add", data, length);
515 }
516 SHA384_Update(hash->data, data, length);
517 }
518
519 static unsigned
sha384_finish(pgp_hash_t * hash,uint8_t * out)520 sha384_finish(pgp_hash_t *hash, uint8_t *out)
521 {
522 SHA384_Final(out, hash->data);
523 if (pgp_get_debug_level(__FILE__)) {
524 hexdump(stderr, "sha384_finish", out, SHA384_DIGEST_LENGTH);
525 }
526 free(hash->data);
527 hash->data = NULL;
528 return SHA384_DIGEST_LENGTH;
529 }
530
531 static const pgp_hash_t sha384 = {
532 PGP_HASH_SHA384,
533 SHA384_DIGEST_LENGTH,
534 "SHA384",
535 sha384_init,
536 sha384_add,
537 sha384_finish,
538 NULL
539 };
540
541 void
pgp_hash_sha384(pgp_hash_t * hash)542 pgp_hash_sha384(pgp_hash_t *hash)
543 {
544 *hash = sha384;
545 }
546
547 /*
548 * SHA512
549 */
550 static int
sha512_init(pgp_hash_t * hash)551 sha512_init(pgp_hash_t *hash)
552 {
553 if (hash->data) {
554 (void) fprintf(stderr, "sha512_init: hash data non-null\n");
555 }
556 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) {
557 (void) fprintf(stderr, "sha512_init: bad alloc\n");
558 return 0;
559 }
560 SHA512_Init(hash->data);
561 return 1;
562 }
563
564 static void
sha512_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)565 sha512_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
566 {
567 if (pgp_get_debug_level(__FILE__)) {
568 hexdump(stderr, "sha512_add", data, length);
569 }
570 SHA512_Update(hash->data, data, length);
571 }
572
573 static unsigned
sha512_finish(pgp_hash_t * hash,uint8_t * out)574 sha512_finish(pgp_hash_t *hash, uint8_t *out)
575 {
576 SHA512_Final(out, hash->data);
577 if (pgp_get_debug_level(__FILE__)) {
578 hexdump(stderr, "sha512_finish", out, SHA512_DIGEST_LENGTH);
579 }
580 free(hash->data);
581 hash->data = NULL;
582 return SHA512_DIGEST_LENGTH;
583 }
584
585 static const pgp_hash_t sha512 = {
586 PGP_HASH_SHA512,
587 SHA512_DIGEST_LENGTH,
588 "SHA512",
589 sha512_init,
590 sha512_add,
591 sha512_finish,
592 NULL
593 };
594
595 void
pgp_hash_sha512(pgp_hash_t * hash)596 pgp_hash_sha512(pgp_hash_t *hash)
597 {
598 *hash = sha512;
599 }
600
601 /*
602 * SHA224
603 */
604
605 static int
sha224_init(pgp_hash_t * hash)606 sha224_init(pgp_hash_t *hash)
607 {
608 if (hash->data) {
609 (void) fprintf(stderr, "sha224_init: hash data non-null\n");
610 }
611 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) {
612 (void) fprintf(stderr, "sha256_init: bad alloc\n");
613 return 0;
614 }
615 SHA224_Init(hash->data);
616 return 1;
617 }
618
619 static void
sha224_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)620 sha224_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
621 {
622 if (pgp_get_debug_level(__FILE__)) {
623 hexdump(stderr, "sha224_add", data, length);
624 }
625 SHA224_Update(hash->data, data, length);
626 }
627
628 static unsigned
sha224_finish(pgp_hash_t * hash,uint8_t * out)629 sha224_finish(pgp_hash_t *hash, uint8_t *out)
630 {
631 SHA224_Final(out, hash->data);
632 if (pgp_get_debug_level(__FILE__)) {
633 hexdump(stderr, "sha224_finish", out, SHA224_DIGEST_LENGTH);
634 }
635 free(hash->data);
636 hash->data = NULL;
637 return SHA224_DIGEST_LENGTH;
638 }
639
640 static const pgp_hash_t sha224 = {
641 PGP_HASH_SHA224,
642 SHA224_DIGEST_LENGTH,
643 "SHA224",
644 sha224_init,
645 sha224_add,
646 sha224_finish,
647 NULL
648 };
649
650 void
pgp_hash_sha224(pgp_hash_t * hash)651 pgp_hash_sha224(pgp_hash_t *hash)
652 {
653 *hash = sha224;
654 }
655
656 unsigned
pgp_dsa_verify(const uint8_t * hash,size_t hash_length,const pgp_dsa_sig_t * sig,const pgp_dsa_pubkey_t * dsa)657 pgp_dsa_verify(const uint8_t *hash, size_t hash_length,
658 const pgp_dsa_sig_t *sig,
659 const pgp_dsa_pubkey_t *dsa)
660 {
661 unsigned qlen;
662 DSA_SIG *osig = makeDSA_SIG(sig);
663 DSA *odsa = makeDSA(dsa, NULL);
664 int ret;
665
666 if (pgp_get_debug_level(__FILE__)) {
667 hexdump(stderr, "input hash", hash, hash_length);
668 (void) fprintf(stderr, "Q=%d\n", BN_num_bytes(dsa->q));
669 }
670 if ((qlen = (unsigned)BN_num_bytes(dsa->q)) < hash_length) {
671 hash_length = qlen;
672 }
673 ret = DSA_do_verify(hash, (int)hash_length, osig, odsa);
674 if (pgp_get_debug_level(__FILE__)) {
675 (void) fprintf(stderr, "ret=%d\n", ret);
676 }
677 if (ret < 0) {
678 (void) fprintf(stderr, "pgp_dsa_verify: DSA verification\n");
679 return 0;
680 }
681
682 DSA_free(odsa);
683 DSA_SIG_free(osig);
684
685 return (unsigned)ret;
686 }
687
688 unsigned
pgp_ecdsa_verify(const uint8_t * hash,size_t hash_length,const pgp_ecdsa_sig_t * sig,const pgp_ecdsa_pubkey_t * ecdsa)689 pgp_ecdsa_verify(const uint8_t *hash, size_t hash_length,
690 const pgp_ecdsa_sig_t *sig,
691 const pgp_ecdsa_pubkey_t *ecdsa)
692 {
693 unsigned qlen;
694 ECDSA_SIG *osig = makeECDSADSA_SIG(sig);
695 EC_KEY *oecdsa = makeECDSA(ecdsa, NULL);
696 int ret;
697
698 if (pgp_get_debug_level(__FILE__)) {
699 hexdump(stderr, "input hash", hash, hash_length);
700 }
701
702 ret = ECDSA_do_verify(hash, (int)hash_length, osig, oecdsa);
703
704 if (pgp_get_debug_level(__FILE__)) {
705 (void) fprintf(stderr, "ret=%d\n", ret);
706 }
707
708 if (ret <= 0) {
709 (void) fprintf(stderr, "pgp_ecdsa_verify: ECDSA verification failed\n");
710 return 0;
711 }
712
713 ECDSA_SIG_free(osig);
714
715 return (unsigned)ret;
716 }
717
718 /**
719 \ingroup Core_Crypto
720 \brief Recovers message digest from the signature
721 \param out Where to write decrypted data to
722 \param in Encrypted data
723 \param length Length of encrypted data
724 \param pubkey RSA public key
725 \return size of recovered message digest
726 */
727 int
pgp_rsa_public_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_pubkey_t * pubkey)728 pgp_rsa_public_decrypt(uint8_t *out,
729 const uint8_t *in,
730 size_t length,
731 const pgp_rsa_pubkey_t *pubkey)
732 {
733 RSA *orsa = makeRSA(pubkey, NULL);
734 int ret;
735
736 ret = RSA_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING);
737
738 RSA_free(orsa);
739
740 return ret;
741 }
742
743 /**
744 \ingroup Core_Crypto
745 \brief Signs data with RSA
746 \param out Where to write signature
747 \param in Data to sign
748 \param length Length of data
749 \param seckey RSA secret key
750 \param pubkey RSA public key
751 \return number of bytes decrypted
752 */
753 int
pgp_rsa_private_encrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_seckey_t * seckey,const pgp_rsa_pubkey_t * pubkey)754 pgp_rsa_private_encrypt(uint8_t *out,
755 const uint8_t *in,
756 size_t length,
757 const pgp_rsa_seckey_t *seckey,
758 const pgp_rsa_pubkey_t *pubkey)
759 {
760 RSA *orsa = makeRSA(pubkey, seckey);
761 int ret;
762
763 if (seckey->d == NULL) {
764 (void) fprintf(stderr, "orsa is not set\n");
765 return 0;
766 }
767 if (RSA_check_key(orsa) != 1) {
768 (void) fprintf(stderr, "RSA_check_key is not set\n");
769 return 0;
770 }
771 /* end debug */
772
773 ret = RSA_private_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
774
775 RSA_free(orsa);
776
777 return ret;
778 }
779
780 /**
781 \ingroup Core_Crypto
782 \brief Decrypts RSA-encrypted data
783 \param out Where to write the plaintext
784 \param in Encrypted data
785 \param length Length of encrypted data
786 \param seckey RSA secret key
787 \param pubkey RSA public key
788 \return size of recovered plaintext
789 */
790 int
pgp_rsa_private_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_seckey_t * seckey,const pgp_rsa_pubkey_t * pubkey)791 pgp_rsa_private_decrypt(uint8_t *out,
792 const uint8_t *in,
793 size_t length,
794 const pgp_rsa_seckey_t *seckey,
795 const pgp_rsa_pubkey_t *pubkey)
796 {
797 RSA *keypair = makeRSA(pubkey, seckey);
798 int n;
799 char errbuf[1024];
800
801 if (RSA_check_key(keypair) != 1) {
802 (void) fprintf(stderr, "RSA_check_key is not set\n");
803 return 0;
804 }
805 /* end debug */
806
807 n = RSA_private_decrypt((int)length, in, out, keypair, RSA_NO_PADDING);
808
809 if (pgp_get_debug_level(__FILE__)) {
810 printf("pgp_rsa_private_decrypt: n=%d\n",n);
811 }
812
813 errbuf[0] = '\0';
814 if (n == -1) {
815 unsigned long err = ERR_get_error();
816
817 ERR_error_string(err, &errbuf[0]);
818 (void) fprintf(stderr, "openssl error : %s\n", errbuf);
819 }
820 RSA_free(keypair);
821
822 return n;
823 }
824
825 /**
826 \ingroup Core_Crypto
827 \brief RSA-encrypts data
828 \param out Where to write the encrypted data
829 \param in Plaintext
830 \param length Size of plaintext
831 \param pubkey RSA Public Key
832 */
833 int
pgp_rsa_public_encrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_pubkey_t * pubkey)834 pgp_rsa_public_encrypt(uint8_t *out,
835 const uint8_t *in,
836 size_t length,
837 const pgp_rsa_pubkey_t *pubkey)
838 {
839 RSA *orsa = makeRSA(pubkey, NULL);
840 int n;
841
842 /* printf("pgp_rsa_public_encrypt: length=%ld\n", length); */
843
844 /* printf("len: %ld\n", length); */
845 /* pgp_print_bn("n: ", orsa->n); */
846 /* pgp_print_bn("e: ", orsa->e); */
847 n = RSA_public_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
848
849 if (n == -1) {
850 BIO *fd_out;
851
852 fd_out = BIO_new_fd(fileno(stderr), BIO_NOCLOSE);
853 ERR_print_errors(fd_out);
854 }
855 RSA_free(orsa);
856
857 return n;
858 }
859
860 /**
861 \ingroup Core_Crypto
862 \brief Finalise openssl
863 \note Would usually call pgp_finish() instead
864 \sa pgp_finish()
865 */
866 void
pgp_crypto_finish(void)867 pgp_crypto_finish(void)
868 {
869 CRYPTO_cleanup_all_ex_data();
870 #if OPENSSL_VERSION_NUMBER < 0x10100000L
871 ERR_remove_state((unsigned long)0);
872 #endif
873 }
874
875 /**
876 \ingroup Core_Hashes
877 \brief Get Hash name
878 \param hash Hash struct
879 \return Hash name
880 */
881 const char *
pgp_text_from_hash(pgp_hash_t * hash)882 pgp_text_from_hash(pgp_hash_t *hash)
883 {
884 return hash->name;
885 }
886
887 /**
888 \ingroup HighLevel_KeyGenerate
889 \brief Generates an RSA keypair
890 \param numbits Modulus size
891 \param e Public Exponent
892 \param keydata Pointer to keydata struct to hold new key
893 \return 1 if key generated successfully; otherwise 0
894 \note It is the caller's responsibility to call pgp_keydata_free(keydata)
895 */
896 static unsigned
rsa_generate_keypair(pgp_key_t * keydata,const int numbits,const unsigned long e,const char * hashalg,const char * cipher)897 rsa_generate_keypair(pgp_key_t *keydata,
898 const int numbits,
899 const unsigned long e,
900 const char *hashalg,
901 const char *cipher)
902 {
903 pgp_seckey_t *seckey;
904 RSA *rsa;
905 BN_CTX *ctx;
906 pgp_output_t *output;
907 pgp_memory_t *mem;
908 BIGNUM *bne;
909 pgp_rsa_pubkey_t *pk;
910 pgp_rsa_seckey_t *sk;
911
912 ctx = BN_CTX_new();
913 pgp_keydata_init(keydata, PGP_PTAG_CT_SECRET_KEY);
914 seckey = pgp_get_writable_seckey(keydata);
915 pk = &seckey->pubkey.key.rsa;
916 sk = &seckey->key.rsa;
917
918 /* generate the key pair */
919
920 bne = BN_new();
921 BN_set_word(bne, e);
922
923 rsa = RSA_new();
924 RSA_generate_key_ex(rsa, numbits, bne, NULL);
925 BN_free(bne);
926
927 /* populate pgp key from ssl key */
928 takeRSA(rsa, pk, sk);
929
930 seckey->pubkey.version = PGP_V4;
931 seckey->pubkey.birthtime = time(NULL);
932 seckey->pubkey.days_valid = 0;
933 seckey->pubkey.alg = PGP_PKA_RSA;
934
935 seckey->s2k_usage = PGP_S2KU_ENCRYPTED_AND_HASHED;
936 seckey->s2k_specifier = PGP_S2KS_SALTED;
937 /* seckey->s2k_specifier=PGP_S2KS_SIMPLE; */
938 if ((seckey->hash_alg = pgp_str_to_hash_alg(hashalg)) == PGP_HASH_UNKNOWN) {
939 seckey->hash_alg = PGP_HASH_SHA1;
940 }
941 seckey->alg = pgp_str_to_cipher(cipher);
942 seckey->octetc = 0;
943 seckey->checksum = 0;
944
945 sk->u = BN_mod_inverse(NULL, sk->p, sk->q, ctx);
946 if (sk->u == NULL) {
947 (void) fprintf(stderr, "seckey->key.rsa.u is NULL\n");
948 return 0;
949 }
950 BN_CTX_free(ctx);
951
952 RSA_free(rsa);
953
954 pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
955 pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg);
956
957 /* Generate checksum */
958
959 output = NULL;
960 mem = NULL;
961
962 pgp_setup_memory_write(&output, &mem, 128);
963
964 pgp_push_checksum_writer(output, seckey);
965
966 switch (seckey->pubkey.alg) {
967 case PGP_PKA_DSA:
968 return pgp_write_mpi(output, seckey->key.dsa.x);
969 case PGP_PKA_RSA:
970 case PGP_PKA_RSA_ENCRYPT_ONLY:
971 case PGP_PKA_RSA_SIGN_ONLY:
972 if (!pgp_write_mpi(output, seckey->key.rsa.d) ||
973 !pgp_write_mpi(output, seckey->key.rsa.p) ||
974 !pgp_write_mpi(output, seckey->key.rsa.q) ||
975 !pgp_write_mpi(output, seckey->key.rsa.u)) {
976 return 0;
977 }
978 break;
979 case PGP_PKA_ELGAMAL:
980 return pgp_write_mpi(output, seckey->key.elgamal.x);
981
982 default:
983 (void) fprintf(stderr, "Bad seckey->pubkey.alg\n");
984 return 0;
985 }
986
987 /* close rather than pop, since its the only one on the stack */
988 pgp_writer_close(output);
989 pgp_teardown_memory_write(output, mem);
990
991 /* should now have checksum in seckey struct */
992
993 /* test */
994 if (pgp_get_debug_level(__FILE__)) {
995 test_seckey(seckey);
996 }
997
998 return 1;
999 }
1000
1001 /**
1002 \ingroup HighLevel_KeyGenerate
1003 \brief Creates a self-signed RSA keypair
1004 \param numbits Modulus size
1005 \param e Public Exponent
1006 \param userid User ID
1007 \return The new keypair or NULL
1008
1009 \note It is the caller's responsibility to call pgp_keydata_free(keydata)
1010 \sa rsa_generate_keypair()
1011 \sa pgp_keydata_free()
1012 */
1013 pgp_key_t *
pgp_rsa_new_selfsign_key(const int numbits,const unsigned long e,uint8_t * userid,const char * hashalg,const char * cipher)1014 pgp_rsa_new_selfsign_key(const int numbits,
1015 const unsigned long e,
1016 uint8_t *userid,
1017 const char *hashalg,
1018 const char *cipher)
1019 {
1020 pgp_key_t *keydata;
1021
1022 keydata = pgp_keydata_new();
1023 if (!rsa_generate_keypair(keydata, numbits, e, hashalg, cipher) ||
1024 !pgp_add_selfsigned_userid(keydata, userid)) {
1025 pgp_keydata_free(keydata);
1026 return NULL;
1027 }
1028 return keydata;
1029 }
1030
1031 DSA_SIG *
pgp_dsa_sign(uint8_t * hashbuf,unsigned hashsize,const pgp_dsa_seckey_t * secdsa,const pgp_dsa_pubkey_t * pubdsa)1032 pgp_dsa_sign(uint8_t *hashbuf,
1033 unsigned hashsize,
1034 const pgp_dsa_seckey_t *secdsa,
1035 const pgp_dsa_pubkey_t *pubdsa)
1036 {
1037 DSA_SIG *dsasig;
1038 DSA *odsa = makeDSA(pubdsa, secdsa);
1039
1040 dsasig = DSA_do_sign(hashbuf, (int)hashsize, odsa);
1041
1042 DSA_free(odsa);
1043
1044 return dsasig;
1045 }
1046
1047 ECDSA_SIG *
pgp_ecdsa_sign(uint8_t * hashbuf,unsigned hashsize,const pgp_ecdsa_seckey_t * sececdsa,const pgp_ecdsa_pubkey_t * pubecdsa)1048 pgp_ecdsa_sign(uint8_t *hashbuf,
1049 unsigned hashsize,
1050 const pgp_ecdsa_seckey_t *sececdsa,
1051 const pgp_ecdsa_pubkey_t *pubecdsa)
1052 {
1053 ECDSA_SIG * ecdsasig;
1054 EC_KEY * eckey = makeECDSA(pubecdsa, sececdsa);
1055
1056 ecdsasig = ECDSA_do_sign(hashbuf, (int)hashsize, eckey);
1057
1058 if (ecdsasig == NULL) {
1059 printf("do_sign returned null\n");
1060 return 0;
1061 }
1062
1063 EC_KEY_free(eckey);
1064
1065 return ecdsasig;
1066 }
1067
1068 int
openssl_read_pem_seckey(const char * f,pgp_key_t * key,const char * type,int verbose)1069 openssl_read_pem_seckey(const char *f, pgp_key_t *key, const char *type, int verbose)
1070 {
1071 FILE *fp;
1072 char prompt[BUFSIZ];
1073 char *pass;
1074 DSA *dsa;
1075 RSA *rsa;
1076 int ok;
1077
1078 OpenSSL_add_all_algorithms();
1079 if ((fp = fopen(f, "r")) == NULL) {
1080 if (verbose) {
1081 (void) fprintf(stderr, "can't open '%s'\n", f);
1082 }
1083 return 0;
1084 }
1085 ok = 1;
1086 if (strcmp(type, "ssh-rsa") == 0) {
1087 if ((rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
1088 (void) snprintf(prompt, sizeof(prompt), "netpgp PEM %s passphrase: ", f);
1089 do {
1090 pass = getpass(prompt);
1091 rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, pass);
1092 } while (rsa == NULL);
1093 }
1094 takeRSA(rsa, NULL, &key->key.seckey.key.rsa);
1095 } else if (strcmp(type, "ssh-dss") == 0) {
1096 if ((dsa = PEM_read_DSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
1097 ok = 0;
1098 } else {
1099 takeDSA(dsa, &key->key.seckey.key.dsa);
1100 }
1101 } else {
1102 ok = 0;
1103 }
1104 (void) fclose(fp);
1105 return ok;
1106 }
1107
1108 /*
1109 * Decide the number of bits in the random componont k
1110 *
1111 * It should be in the same range as p for signing (which
1112 * is deprecated), but can be much smaller for encrypting.
1113 *
1114 * Until I research it further, I just mimic gpg behaviour.
1115 * It has a special mapping table, for values <= 5120,
1116 * above that it uses 'arbitrary high number'. Following
1117 * algorihm hovers 10-70 bits above gpg values. And for
1118 * larger p, it uses gpg's algorihm.
1119 *
1120 * The point is - if k gets large, encryption will be
1121 * really slow. It does not matter for decryption.
1122 */
1123 static int
decide_k_bits(int p_bits)1124 decide_k_bits(int p_bits)
1125 {
1126 return (p_bits <= 5120) ? p_bits / 10 + 160 : (p_bits / 8 + 200) * 3 / 2;
1127 }
1128
1129 int
pgp_elgamal_public_encrypt(uint8_t * g_to_k,uint8_t * encm,const uint8_t * in,size_t size,const pgp_elgamal_pubkey_t * pubkey)1130 pgp_elgamal_public_encrypt(uint8_t *g_to_k, uint8_t *encm,
1131 const uint8_t *in,
1132 size_t size,
1133 const pgp_elgamal_pubkey_t *pubkey)
1134 {
1135 int ret = 0;
1136 int k_bits;
1137 BIGNUM *m;
1138 BIGNUM *p;
1139 BIGNUM *g;
1140 BIGNUM *y;
1141 BIGNUM *k;
1142 BIGNUM *yk;
1143 BIGNUM *c1;
1144 BIGNUM *c2;
1145 BN_CTX *tmp;
1146
1147 m = BN_bin2bn(in, (int)size, NULL);
1148 p = pubkey->p;
1149 g = pubkey->g;
1150 y = pubkey->y;
1151 k = BN_new();
1152 yk = BN_new();
1153 c1 = BN_new();
1154 c2 = BN_new();
1155 tmp = BN_CTX_new();
1156 if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) {
1157 goto done;
1158 }
1159 /*
1160 * generate k
1161 */
1162 k_bits = decide_k_bits(BN_num_bits(p));
1163 if (!BN_rand(k, k_bits, 0, 0)) {
1164 goto done;
1165 }
1166 /*
1167 * c1 = g^k c2 = m * y^k
1168 */
1169 if (!BN_mod_exp(c1, g, k, p, tmp)) {
1170 goto done;
1171 }
1172 if (!BN_mod_exp(yk, y, k, p, tmp)) {
1173 goto done;
1174 }
1175 if (!BN_mod_mul(c2, m, yk, p, tmp)) {
1176 goto done;
1177 }
1178 /* result */
1179 BN_bn2bin(c1, g_to_k);
1180 ret = BN_num_bytes(c1); /* c1 = g^k */
1181 BN_bn2bin(c2, encm);
1182 ret += BN_num_bytes(c2); /* c2 = m * y^k */
1183 done:
1184 if (tmp) {
1185 BN_CTX_free(tmp);
1186 }
1187 if (c2) {
1188 BN_clear_free(c2);
1189 }
1190 if (c1) {
1191 BN_clear_free(c1);
1192 }
1193 if (yk) {
1194 BN_clear_free(yk);
1195 }
1196 if (k) {
1197 BN_clear_free(k);
1198 }
1199 if (g) {
1200 BN_clear_free(g);
1201 }
1202 return ret;
1203 }
1204
1205 int
pgp_elgamal_private_decrypt(uint8_t * out,const uint8_t * g_to_k,const uint8_t * in,size_t length,const pgp_elgamal_seckey_t * seckey,const pgp_elgamal_pubkey_t * pubkey)1206 pgp_elgamal_private_decrypt(uint8_t *out,
1207 const uint8_t *g_to_k,
1208 const uint8_t *in,
1209 size_t length,
1210 const pgp_elgamal_seckey_t *seckey,
1211 const pgp_elgamal_pubkey_t *pubkey)
1212 {
1213 BIGNUM *bndiv;
1214 BIGNUM *c1x;
1215 BN_CTX *tmp;
1216 BIGNUM *c1;
1217 BIGNUM *c2;
1218 BIGNUM *p;
1219 BIGNUM *x;
1220 BIGNUM *m;
1221 int ret;
1222
1223 ret = 0;
1224 /* c1 and c2 are in g_to_k and in, respectively*/
1225 c1 = BN_bin2bn(g_to_k, (int)length, NULL);
1226 c2 = BN_bin2bn(in, (int)length, NULL);
1227 /* other bits */
1228 p = pubkey->p;
1229 x = seckey->x;
1230 c1x = BN_new();
1231 bndiv = BN_new();
1232 m = BN_new();
1233 tmp = BN_CTX_new();
1234 if (!c1 || !c2 || !p || !x || !c1x || !bndiv || !m || !tmp) {
1235 goto done;
1236 }
1237 /*
1238 * m = c2 / (c1^x)
1239 */
1240 if (!BN_mod_exp(c1x, c1, x, p, tmp)) {
1241 goto done;
1242 }
1243 if (!BN_mod_inverse(bndiv, c1x, p, tmp)) {
1244 goto done;
1245 }
1246 if (!BN_mod_mul(m, c2, bndiv, p, tmp)) {
1247 goto done;
1248 }
1249 /* result */
1250 ret = BN_bn2bin(m, out);
1251 done:
1252 if (tmp) {
1253 BN_CTX_free(tmp);
1254 }
1255 if (m) {
1256 BN_clear_free(m);
1257 }
1258 if (bndiv) {
1259 BN_clear_free(bndiv);
1260 }
1261 if (c1x) {
1262 BN_clear_free(c1x);
1263 }
1264 if (x) {
1265 BN_clear_free(x);
1266 }
1267 if (p) {
1268 BN_clear_free(p);
1269 }
1270 if (c1) {
1271 BN_clear_free(c1);
1272 }
1273 if (c2) {
1274 BN_clear_free(c2);
1275 }
1276 return ret;
1277 }
1278