1 /*-
2  * Copyright (c) 2009 The NetBSD Foundation, Inc.
3  * All rights reserved.
4  *
5  * This code is derived from software contributed to The NetBSD Foundation
6  * by Alistair Crooks (agc@NetBSD.org)
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
18  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
21  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 /*
30  * Copyright (c) 2005-2008 Nominet UK (www.nic.uk)
31  * All rights reserved.
32  * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted
33  * their moral rights under the UK Copyright Design and Patents Act 1988 to
34  * be recorded as the authors of this copyright work.
35  *
36  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
37  * use this file except in compliance with the License.
38  *
39  * You may obtain a copy of the License at
40  *     http://www.apache.org/licenses/LICENSE-2.0
41  *
42  * Unless required by applicable law or agreed to in writing, software
43  * distributed under the License is distributed on an "AS IS" BASIS,
44  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
45  *
46  * See the License for the specific language governing permissions and
47  * limitations under the License.
48  */
49 
50 /** \file
51  * \brief Parser for OpenPGP packets
52  */
53 #include "config.h"
54 
55 #ifdef HAVE_SYS_CDEFS_H
56 #include <sys/cdefs.h>
57 #endif
58 
59 #if defined(__NetBSD__)
60 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved.");
61 __RCSID("$NetBSD: packet-parse.c,v 1.51 2012/03/05 02:20:18 christos Exp $");
62 #endif
63 
64 #include <sys/types.h>
65 #include <sys/param.h>
66 
67 #ifdef HAVE_OPENSSL_CAST_H
68 #include <openssl/cast.h>
69 #endif
70 
71 #include <stdarg.h>
72 #include <stdlib.h>
73 #include <string.h>
74 
75 #ifdef HAVE_UNISTD_H
76 #include <unistd.h>
77 #endif
78 
79 #ifdef HAVE_LIMITS_H
80 #include <limits.h>
81 #endif
82 
83 #include "packet.h"
84 #include "packet-parse.h"
85 #include "keyring.h"
86 #include "errors.h"
87 #include "packet-show.h"
88 #include "create.h"
89 #include "readerwriter.h"
90 #include "netpgpdefs.h"
91 #include "crypto.h"
92 #include "netpgpdigest.h"
93 
94 #define ERRP(cbinfo, cont, err)	do {					\
95 	cont.u.error = err;						\
96 	CALLBACK(PGP_PARSER_ERROR, cbinfo, &cont);			\
97 	return 0;							\
98 	/*NOTREACHED*/							\
99 } while(/*CONSTCOND*/0)
100 
101 /**
102  * limread_data reads the specified amount of the subregion's data
103  * into a data_t structure
104  *
105  * \param data	Empty structure which will be filled with data
106  * \param len	Number of octets to read
107  * \param subregion
108  * \param stream	How to parse
109  *
110  * \return 1 on success, 0 on failure
111  */
112 static int
limread_data(pgp_data_t * data,unsigned len,pgp_region_t * subregion,pgp_stream_t * stream)113 limread_data(pgp_data_t *data, unsigned len,
114 		  pgp_region_t *subregion, pgp_stream_t *stream)
115 {
116 	data->len = len;
117 
118 	if (subregion->length - subregion->readc < len) {
119 		(void) fprintf(stderr, "limread_data: bad length\n");
120 		return 0;
121 	}
122 
123 	data->contents = calloc(1, data->len);
124 	if (!data->contents) {
125 		return 0;
126 	}
127 
128 	return pgp_limited_read(stream, data->contents, data->len, subregion,
129 			&stream->errors, &stream->readinfo, &stream->cbinfo);
130 }
131 
132 /**
133  * read_data reads the remainder of the subregion's data
134  * into a data_t structure
135  *
136  * \param data
137  * \param subregion
138  * \param stream
139  *
140  * \return 1 on success, 0 on failure
141  */
142 static int
read_data(pgp_data_t * data,pgp_region_t * region,pgp_stream_t * stream)143 read_data(pgp_data_t *data, pgp_region_t *region, pgp_stream_t *stream)
144 {
145 	int	cc;
146 
147 	cc = region->length - region->readc;
148 	return (cc >= 0) ? limread_data(data, (unsigned)cc, region, stream) : 0;
149 }
150 
151 /**
152  * Reads the remainder of the subregion as a string.
153  * It is the user's responsibility to free the memory allocated here.
154  */
155 
156 static int
read_unsig_str(uint8_t ** str,pgp_region_t * subregion,pgp_stream_t * stream)157 read_unsig_str(uint8_t **str, pgp_region_t *subregion,
158 		     pgp_stream_t *stream)
159 {
160 	size_t	len;
161 
162 	len = subregion->length - subregion->readc;
163 	if ((*str = calloc(1, len + 1)) == NULL) {
164 		return 0;
165 	}
166 	if (len &&
167 	    !pgp_limited_read(stream, *str, len, subregion, &stream->errors,
168 				     &stream->readinfo, &stream->cbinfo)) {
169 		return 0;
170 	}
171 	(*str)[len] = '\0';
172 	return 1;
173 }
174 
175 static int
read_string(char ** str,pgp_region_t * subregion,pgp_stream_t * stream)176 read_string(char **str, pgp_region_t *subregion, pgp_stream_t *stream)
177 {
178 	return read_unsig_str((uint8_t **) str, subregion, stream);
179 }
180 
181 void
pgp_init_subregion(pgp_region_t * subregion,pgp_region_t * region)182 pgp_init_subregion(pgp_region_t *subregion, pgp_region_t *region)
183 {
184 	(void) memset(subregion, 0x0, sizeof(*subregion));
185 	subregion->parent = region;
186 }
187 
188 /*
189  * XXX: replace pgp_ptag_t with something more appropriate for limiting reads
190  */
191 
192 /**
193  * low-level function to read data from reader function
194  *
195  * Use this function, rather than calling the reader directly.
196  *
197  * If the accumulate flag is set in *stream, the function
198  * adds the read data to the accumulated data, and updates
199  * the accumulated length. This is useful if, for example,
200  * the application wants access to the raw data as well as the
201  * parsed data.
202  *
203  * This function will also try to read the entire amount asked for, but not
204  * if it is over INT_MAX. Obviously many callers will know that they
205  * never ask for that much and so can avoid the extra complexity of
206  * dealing with return codes and filled-in lengths.
207  *
208  * \param *dest
209  * \param *plength
210  * \param flags
211  * \param *stream
212  *
213  * \return PGP_R_OK
214  * \return PGP_R_PARTIAL_READ
215  * \return PGP_R_EOF
216  * \return PGP_R_EARLY_EOF
217  *
218  * \sa #pgp_reader_ret_t for details of return codes
219  */
220 
221 static int
sub_base_read(pgp_stream_t * stream,void * dest,size_t length,pgp_error_t ** errors,pgp_reader_t * readinfo,pgp_cbdata_t * cbinfo)222 sub_base_read(pgp_stream_t *stream, void *dest, size_t length, pgp_error_t **errors,
223 	      pgp_reader_t *readinfo, pgp_cbdata_t *cbinfo)
224 {
225 	size_t          n;
226 
227 	/* reading more than this would look like an error */
228 	if (length > INT_MAX)
229 		length = INT_MAX;
230 
231 	for (n = 0; n < length;) {
232 		int	r;
233 
234 		r = readinfo->reader(stream, (char *) dest + n, length - n, errors,
235 			readinfo, cbinfo);
236 		if (r > (int)(length - n)) {
237 			(void) fprintf(stderr, "sub_base_read: bad read\n");
238 			return 0;
239 		}
240 		if (r < 0) {
241 			return r;
242 		}
243 		if (r == 0) {
244 			break;
245 		}
246 		n += (unsigned)r;
247 	}
248 
249 	if (n == 0) {
250 		return 0;
251 	}
252 	if (readinfo->accumulate) {
253 		if (readinfo->asize < readinfo->alength) {
254 			(void) fprintf(stderr, "sub_base_read: bad size\n");
255 			return 0;
256 		}
257 		if (readinfo->alength + n > readinfo->asize) {
258 			uint8_t	*temp;
259 
260 			readinfo->asize = (readinfo->asize * 2) + (unsigned)n;
261 			temp = realloc(readinfo->accumulated, readinfo->asize);
262 			if (temp == NULL) {
263 				(void) fprintf(stderr,
264 					"sub_base_read: bad alloc\n");
265 				return 0;
266 			}
267 			readinfo->accumulated = temp;
268 		}
269 		if (readinfo->asize < readinfo->alength + n) {
270 			(void) fprintf(stderr, "sub_base_read: bad realloc\n");
271 			return 0;
272 		}
273 		(void) memcpy(readinfo->accumulated + readinfo->alength, dest,
274 				n);
275 	}
276 	/* we track length anyway, because it is used for packet offsets */
277 	readinfo->alength += (unsigned)n;
278 	/* and also the position */
279 	readinfo->position += (unsigned)n;
280 
281 	return (int)n;
282 }
283 
284 int
pgp_stacked_read(pgp_stream_t * stream,void * dest,size_t length,pgp_error_t ** errors,pgp_reader_t * readinfo,pgp_cbdata_t * cbinfo)285 pgp_stacked_read(pgp_stream_t *stream, void *dest, size_t length, pgp_error_t **errors,
286 		 pgp_reader_t *readinfo, pgp_cbdata_t *cbinfo)
287 {
288 	return sub_base_read(stream, dest, length, errors, readinfo->next, cbinfo);
289 }
290 
291 /* This will do a full read so long as length < MAX_INT */
292 static int
base_read(uint8_t * dest,size_t length,pgp_stream_t * stream)293 base_read(uint8_t *dest, size_t length, pgp_stream_t *stream)
294 {
295 	return sub_base_read(stream, dest, length, &stream->errors, &stream->readinfo,
296 			     &stream->cbinfo);
297 }
298 
299 /*
300  * Read a full size_t's worth. If the return is < than length, then
301  * *last_read tells you why - < 0 for an error, == 0 for EOF
302  */
303 
304 static size_t
full_read(pgp_stream_t * stream,uint8_t * dest,size_t length,int * last_read,pgp_error_t ** errors,pgp_reader_t * readinfo,pgp_cbdata_t * cbinfo)305 full_read(pgp_stream_t *stream, uint8_t *dest,
306 		size_t length,
307 		int *last_read,
308 		pgp_error_t **errors,
309 		pgp_reader_t *readinfo,
310 		pgp_cbdata_t *cbinfo)
311 {
312 	size_t          t;
313 	int             r = 0;	/* preset in case some loon calls with length
314 				 * == 0 */
315 
316 	for (t = 0; t < length;) {
317 		r = sub_base_read(stream, dest + t, length - t, errors, readinfo,
318 				cbinfo);
319 		if (r <= 0) {
320 			*last_read = r;
321 			return t;
322 		}
323 		t += (size_t)r;
324 	}
325 
326 	*last_read = r;
327 
328 	return t;
329 }
330 
331 
332 
333 /** Read a scalar value of selected length from reader.
334  *
335  * Read an unsigned scalar value from reader in Big Endian representation.
336  *
337  * This function does not know or care about packet boundaries. It
338  * also assumes that an EOF is an error.
339  *
340  * \param *result	The scalar value is stored here
341  * \param *reader	Our reader
342  * \param length	How many bytes to read
343  * \return		1 on success, 0 on failure
344  */
345 static unsigned
_read_scalar(unsigned * result,unsigned length,pgp_stream_t * stream)346 _read_scalar(unsigned *result, unsigned length,
347 	     pgp_stream_t *stream)
348 {
349 	unsigned        t = 0;
350 
351 	if (length > sizeof(*result)) {
352 		(void) fprintf(stderr, "_read_scalar: bad length\n");
353 		return 0;
354 	}
355 
356 	while (length--) {
357 		uint8_t	c;
358 		int	r;
359 
360 		r = base_read(&c, 1, stream);
361 		if (r != 1)
362 			return 0;
363 		t = (t << 8) + c;
364 	}
365 
366 	*result = t;
367 	return 1;
368 }
369 
370 /**
371  * \ingroup Core_ReadPackets
372  * \brief Read bytes from a region within the packet.
373  *
374  * Read length bytes into the buffer pointed to by *dest.
375  * Make sure we do not read over the packet boundary.
376  * Updates the Packet Tag's pgp_ptag_t::readc.
377  *
378  * If length would make us read over the packet boundary, or if
379  * reading fails, we call the callback with an error.
380  *
381  * Note that if the region is indeterminate, this can return a short
382  * read - check region->last_read for the length. EOF is indicated by
383  * a success return and region->last_read == 0 in this case (for a
384  * region of known length, EOF is an error).
385  *
386  * This function makes sure to respect packet boundaries.
387  *
388  * \param dest		The destination buffer
389  * \param length	How many bytes to read
390  * \param region	Pointer to packet region
391  * \param errors    Error stack
392  * \param readinfo		Reader info
393  * \param cbinfo	Callback info
394  * \return		1 on success, 0 on error
395  */
396 unsigned
pgp_limited_read(pgp_stream_t * stream,uint8_t * dest,size_t length,pgp_region_t * region,pgp_error_t ** errors,pgp_reader_t * readinfo,pgp_cbdata_t * cbinfo)397 pgp_limited_read(pgp_stream_t *stream, uint8_t *dest,
398 			size_t length,
399 			pgp_region_t *region,
400 			pgp_error_t **errors,
401 			pgp_reader_t *readinfo,
402 			pgp_cbdata_t *cbinfo)
403 {
404 	size_t	r;
405 	int	lr;
406 
407 	if (!region->indeterminate &&
408 	    region->readc + length > region->length) {
409 		PGP_ERROR_1(errors, PGP_E_P_NOT_ENOUGH_DATA, "%s",
410 		    "Not enough data");
411 		return 0;
412 	}
413 	r = full_read(stream, dest, length, &lr, errors, readinfo, cbinfo);
414 	if (lr < 0) {
415 		PGP_ERROR_1(errors, PGP_E_R_READ_FAILED, "%s", "Read failed");
416 		return 0;
417 	}
418 	if (!region->indeterminate && r != length) {
419 		PGP_ERROR_1(errors, PGP_E_R_READ_FAILED, "%s", "Read failed");
420 		return 0;
421 	}
422 	region->last_read = (unsigned)r;
423 	do {
424 		region->readc += (unsigned)r;
425 		if (region->parent && region->length > region->parent->length) {
426 			(void) fprintf(stderr,
427 				"ops_limited_read: bad length\n");
428 			return 0;
429 		}
430 	} while ((region = region->parent) != NULL);
431 	return 1;
432 }
433 
434 /**
435    \ingroup Core_ReadPackets
436    \brief Call pgp_limited_read on next in stack
437 */
438 unsigned
pgp_stacked_limited_read(pgp_stream_t * stream,uint8_t * dest,unsigned length,pgp_region_t * region,pgp_error_t ** errors,pgp_reader_t * readinfo,pgp_cbdata_t * cbinfo)439 pgp_stacked_limited_read(pgp_stream_t *stream, uint8_t *dest, unsigned length,
440 			 pgp_region_t *region,
441 			 pgp_error_t **errors,
442 			 pgp_reader_t *readinfo,
443 			 pgp_cbdata_t *cbinfo)
444 {
445 	return pgp_limited_read(stream, dest, length, region, errors,
446 				readinfo->next, cbinfo);
447 }
448 
449 static unsigned
limread(uint8_t * dest,unsigned length,pgp_region_t * region,pgp_stream_t * info)450 limread(uint8_t *dest, unsigned length,
451 	     pgp_region_t *region, pgp_stream_t *info)
452 {
453 	return pgp_limited_read(info, dest, length, region, &info->errors,
454 				&info->readinfo, &info->cbinfo);
455 }
456 
457 static unsigned
exact_limread(uint8_t * dest,unsigned len,pgp_region_t * region,pgp_stream_t * stream)458 exact_limread(uint8_t *dest, unsigned len,
459 		   pgp_region_t *region,
460 		   pgp_stream_t *stream)
461 {
462 	unsigned   ret;
463 
464 	stream->exact_read = 1;
465 	ret = limread(dest, len, region, stream);
466 	stream->exact_read = 0;
467 	return ret;
468 }
469 
470 /** Skip over length bytes of this packet.
471  *
472  * Calls limread() to skip over some data.
473  *
474  * This function makes sure to respect packet boundaries.
475  *
476  * \param length	How many bytes to skip
477  * \param *region	Pointer to packet region
478  * \param *stream	How to parse
479  * \return		1 on success, 0 on error (calls the cb with PGP_PARSER_ERROR in limread()).
480  */
481 static int
limskip(unsigned length,pgp_region_t * region,pgp_stream_t * stream)482 limskip(unsigned length, pgp_region_t *region, pgp_stream_t *stream)
483 {
484 	uint8_t   buf[NETPGP_BUFSIZ];
485 
486 	while (length > 0) {
487 		unsigned	n = length % NETPGP_BUFSIZ;
488 
489 		if (!limread(buf, n, region, stream)) {
490 			return 0;
491 		}
492 		length -= n;
493 	}
494 	return 1;
495 }
496 
497 /** Read a scalar.
498  *
499  * Read a big-endian scalar of length bytes, respecting packet
500  * boundaries (by calling limread() to read the raw data).
501  *
502  * This function makes sure to respect packet boundaries.
503  *
504  * \param *dest		The scalar value is stored here
505  * \param length	How many bytes make up this scalar (at most 4)
506  * \param *region	Pointer to current packet region
507  * \param *stream	How to parse
508  * \param *cb		The callback
509  * \return		1 on success, 0 on error (calls the cb with PGP_PARSER_ERROR in limread()).
510  *
511  * \see RFC4880 3.1
512  */
513 static int
limread_scalar(unsigned * dest,unsigned len,pgp_region_t * region,pgp_stream_t * stream)514 limread_scalar(unsigned *dest,
515 			unsigned len,
516 			pgp_region_t *region,
517 			pgp_stream_t *stream)
518 {
519 	uint8_t		c[4] = "";
520 	unsigned        t;
521 	unsigned        n;
522 
523 	if (len > 4) {
524 		(void) fprintf(stderr, "limread_scalar: bad length\n");
525 		return 0;
526 	}
527 	/*LINTED*/
528 	if (/*CONSTCOND*/sizeof(*dest) < 4) {
529 		(void) fprintf(stderr, "limread_scalar: bad dest\n");
530 		return 0;
531 	}
532 	if (!limread(c, len, region, stream)) {
533 		return 0;
534 	}
535 	for (t = 0, n = 0; n < len; ++n) {
536 		t = (t << 8) + c[n];
537 	}
538 	*dest = t;
539 	return 1;
540 }
541 
542 /** Read a scalar.
543  *
544  * Read a big-endian scalar of length bytes, respecting packet
545  * boundaries (by calling limread() to read the raw data).
546  *
547  * The value read is stored in a size_t, which is a different size
548  * from an unsigned on some platforms.
549  *
550  * This function makes sure to respect packet boundaries.
551  *
552  * \param *dest		The scalar value is stored here
553  * \param length	How many bytes make up this scalar (at most 4)
554  * \param *region	Pointer to current packet region
555  * \param *stream	How to parse
556  * \param *cb		The callback
557  * \return		1 on success, 0 on error (calls the cb with PGP_PARSER_ERROR in limread()).
558  *
559  * \see RFC4880 3.1
560  */
561 static int
limread_size_t(size_t * dest,unsigned length,pgp_region_t * region,pgp_stream_t * stream)562 limread_size_t(size_t *dest,
563 				unsigned length,
564 				pgp_region_t *region,
565 				pgp_stream_t *stream)
566 {
567 	unsigned        tmp;
568 
569 	/*
570 	 * Note that because the scalar is at most 4 bytes, we don't care if
571 	 * size_t is bigger than usigned
572 	 */
573 	if (!limread_scalar(&tmp, length, region, stream))
574 		return 0;
575 
576 	*dest = tmp;
577 	return 1;
578 }
579 
580 /** Read a timestamp.
581  *
582  * Timestamps in OpenPGP are unix time, i.e. seconds since The Epoch (1.1.1970).  They are stored in an unsigned scalar
583  * of 4 bytes.
584  *
585  * This function reads the timestamp using limread_scalar().
586  *
587  * This function makes sure to respect packet boundaries.
588  *
589  * \param *dest		The timestamp is stored here
590  * \param *ptag		Pointer to current packet's Packet Tag.
591  * \param *reader	Our reader
592  * \param *cb		The callback
593  * \return		see limread_scalar()
594  *
595  * \see RFC4880 3.5
596  */
597 static int
limited_read_time(time_t * dest,pgp_region_t * region,pgp_stream_t * stream)598 limited_read_time(time_t *dest, pgp_region_t *region,
599 		  pgp_stream_t *stream)
600 {
601 	uint8_t	c;
602 	time_t	mytime = 0;
603 	int	i;
604 
605 	/*
606          * Cannot assume that time_t is 4 octets long -
607 	 * SunOS 5.10 and NetBSD both have 64-bit time_ts.
608          */
609 	if (/* CONSTCOND */sizeof(time_t) == 4) {
610 		return limread_scalar((unsigned *)(void *)dest, 4, region, stream);
611 	}
612 	for (i = 0; i < 4; i++) {
613 		if (!limread(&c, 1, region, stream)) {
614 			return 0;
615 		}
616 		mytime = (mytime << 8) + c;
617 	}
618 	*dest = mytime;
619 	return 1;
620 }
621 
622 /**
623  * \ingroup Core_MPI
624  * Read a multiprecision integer.
625  *
626  * Large numbers (multiprecision integers, MPI) are stored in OpenPGP in two parts.  First there is a 2 byte scalar
627  * indicating the length of the following MPI in Bits.  Then follow the bits that make up the actual number, most
628  * significant bits first (Big Endian).  The most significant bit in the MPI is supposed to be 1 (unless the MPI is
629  * encrypted - then it may be different as the bit count refers to the plain text but the bits are encrypted).
630  *
631  * Unused bits (i.e. those filling up the most significant byte from the left to the first bits that counts) are
632  * supposed to be cleared - I guess. XXX - does anything actually say so?
633  *
634  * This function makes sure to respect packet boundaries.
635  *
636  * \param **pgn		return the integer there - the BIGNUM is created by BN_bin2bn() and probably needs to be freed
637  * 				by the caller XXX right ben?
638  * \param *ptag		Pointer to current packet's Packet Tag.
639  * \param *reader	Our reader
640  * \param *cb		The callback
641  * \return		1 on success, 0 on error (by limread_scalar() or limread() or if the MPI is not properly formed (XXX
642  * 				 see comment below - the callback is called with a PGP_PARSER_ERROR in case of an error)
643  *
644  * \see RFC4880 3.2
645  */
646 static int
limread_mpi(BIGNUM ** pbn,pgp_region_t * region,pgp_stream_t * stream)647 limread_mpi(BIGNUM **pbn, pgp_region_t *region, pgp_stream_t *stream)
648 {
649 	uint8_t   buf[NETPGP_BUFSIZ] = "";
650 					/* an MPI has a 2 byte length part.
651 					 * Length is given in bits, so the
652 					 * largest we should ever need for
653 					 * the buffer is NETPGP_BUFSIZ bytes. */
654 	unsigned        length;
655 	unsigned        nonzero;
656 	unsigned	ret;
657 
658 	stream->reading_mpi_len = 1;
659 	ret = (unsigned)limread_scalar(&length, 2, region, stream);
660 
661 	stream->reading_mpi_len = 0;
662 	if (!ret)
663 		return 0;
664 
665 	nonzero = length & 7;	/* there should be this many zero bits in the
666 				 * MS byte */
667 	if (!nonzero)
668 		nonzero = 8;
669 	length = (length + 7) / 8;
670 
671 	if (length == 0) {
672 		/* if we try to read a length of 0, then fail */
673 		if (pgp_get_debug_level(__FILE__)) {
674 			(void) fprintf(stderr, "limread_mpi: 0 length\n");
675 		}
676 		return 0;
677 	}
678 	if (length > NETPGP_BUFSIZ) {
679 		(void) fprintf(stderr, "limread_mpi: bad length\n");
680 		return 0;
681 	}
682 	if (!limread(buf, length, region, stream)) {
683 		return 0;
684 	}
685 	if (((unsigned)buf[0] >> nonzero) != 0 ||
686 	    !((unsigned)buf[0] & (1U << (nonzero - 1U)))) {
687 		PGP_ERROR_1(&stream->errors, PGP_E_P_MPI_FORMAT_ERROR,
688 		    "%s", "MPI Format error");
689 		/* XXX: Ben, one part of
690 		 * this constraint does
691 		 * not apply to
692 		 * encrypted MPIs the
693 		 * draft says. -- peter */
694 		return 0;
695 	}
696 	*pbn = BN_bin2bn(buf, (int)length, NULL);
697 	return 1;
698 }
699 
700 static unsigned read_new_length(unsigned *, pgp_stream_t *);
701 
702 /* allocate space, read, and stash data away in a virtual pkt */
703 static void
streamread(pgp_stream_t * stream,unsigned c)704 streamread(pgp_stream_t *stream, unsigned c)
705 {
706 	int	cc;
707 
708 	stream->virtualpkt = realloc(stream->virtualpkt, stream->virtualc + c);
709 	cc = stream->readinfo.reader(stream, &stream->virtualpkt[stream->virtualc],
710 		c, &stream->errors, &stream->readinfo, &stream->cbinfo);
711 	stream->virtualc += cc;
712 }
713 
714 /* coalesce all the partial blocks together */
715 static int
coalesce_blocks(pgp_stream_t * stream,unsigned length)716 coalesce_blocks(pgp_stream_t *stream, unsigned length)
717 {
718 	unsigned	c;
719 
720 	stream->coalescing = 1;
721 	/* already read a partial block length - prime the array */
722 	streamread(stream, length);
723 	while (read_new_length(&c, stream) && stream->partial_read) {
724 		/* length we read is partial - add to end of array */
725 		streamread(stream, c);
726 	}
727 	/* not partial - add the last extent to the end of the array */
728 	streamread(stream, c);
729 	stream->coalescing = 0;
730 	return 1;
731 }
732 
733 /** Read some data with a New-Format length from reader.
734  *
735  * \sa Internet-Draft RFC4880.txt Section 4.2.2
736  *
737  * \param *length	Where the decoded length will be put
738  * \param *stream	How to parse
739  * \return		1 if OK, else 0
740  *
741  */
742 
743 static unsigned
read_new_length(unsigned * length,pgp_stream_t * stream)744 read_new_length(unsigned *length, pgp_stream_t *stream)
745 {
746 	uint8_t   c;
747 
748 	stream->partial_read = 0;
749 	if (base_read(&c, 1, stream) != 1) {
750 		return 0;
751 	}
752 	if (c < 192) {
753 		/* 1. One-octet packet */
754 		*length = c;
755 		return 1;
756 	}
757 	if (c < 224) {
758 		/* 2. Two-octet packet */
759 		unsigned        t = (c - 192) << 8;
760 
761 		if (base_read(&c, 1, stream) != 1) {
762 			return 0;
763 		}
764 		*length = t + c + 192;
765 		return 1;
766 	}
767 	if (c < 255) {
768 		/* 3. Partial Body Length */
769 		stream->partial_read = 1;
770 		*length = 1 << (c & 0x1f);
771 		if (!stream->coalescing) {
772 			/* we have been called from coalesce_blocks -
773 			 * just return with the partial length */
774 			coalesce_blocks(stream, *length);
775 			*length = stream->virtualc;
776 		}
777 		return 1;
778 	}
779 	/* 4. Five-Octet packet */
780 	return _read_scalar(length, 4, stream);
781 }
782 
783 /** Read the length information for a new format Packet Tag.
784  *
785  * New style Packet Tags encode the length in one to five octets.  This function reads the right amount of bytes and
786  * decodes it to the proper length information.
787  *
788  * This function makes sure to respect packet boundaries.
789  *
790  * \param *length	return the length here
791  * \param *ptag		Pointer to current packet's Packet Tag.
792  * \param *reader	Our reader
793  * \param *cb		The callback
794  * \return		1 on success, 0 on error (by limread_scalar() or limread() or if the MPI is not properly formed (XXX
795  * 				 see comment below)
796  *
797  * \see RFC4880 4.2.2
798  * \see pgp_ptag_t
799  */
800 static int
limited_read_new_length(unsigned * length,pgp_region_t * region,pgp_stream_t * stream)801 limited_read_new_length(unsigned *length, pgp_region_t *region,
802 			pgp_stream_t *stream)
803 {
804 	uint8_t   c = 0x0;
805 
806 	if (!limread(&c, 1, region, stream)) {
807 		return 0;
808 	}
809 	if (c < 192) {
810 		*length = c;
811 		return 1;
812 	}
813 	if (c < 224) {
814 		unsigned        t = (c - 192) << 8;
815 
816 		if (!limread(&c, 1, region, stream)) {
817 			return 0;
818 		}
819 		*length = t + c + 192;
820 		return 1;
821 	}
822 	if (c < 255) {
823 		stream->partial_read = 1;
824 		*length = 1 << (c & 0x1f);
825 		if (!stream->coalescing) {
826 			/* we have been called from coalesce_blocks -
827 			 * just return with the partial length */
828 			coalesce_blocks(stream, *length);
829 			*length = stream->virtualc;
830 		}
831 		return 1;
832 	}
833 	return limread_scalar(length, 4, region, stream);
834 }
835 
836 /**
837 \ingroup Core_Create
838 \brief Free allocated memory
839 */
840 void
pgp_data_free(pgp_data_t * data)841 pgp_data_free(pgp_data_t *data)
842 {
843 	free(data->contents);
844 	data->contents = NULL;
845 	data->len = 0;
846 }
847 
848 /**
849 \ingroup Core_Create
850 \brief Free allocated memory
851 */
852 static void
string_free(char ** str)853 string_free(char **str)
854 {
855 	free(*str);
856 	*str = NULL;
857 }
858 
859 /**
860 \ingroup Core_Create
861 \brief Free allocated memory
862 */
863 /* ! Free packet memory, set pointer to NULL */
864 void
pgp_subpacket_free(pgp_subpacket_t * packet)865 pgp_subpacket_free(pgp_subpacket_t *packet)
866 {
867 	free(packet->raw);
868 	packet->raw = NULL;
869 }
870 
871 /**
872 \ingroup Core_Create
873 \brief Free allocated memory
874 */
875 static void
headers_free(pgp_headers_t * headers)876 headers_free(pgp_headers_t *headers)
877 {
878 	unsigned        n;
879 
880 	for (n = 0; n < headers->headerc; ++n) {
881 		free(headers->headers[n].key);
882 		free(headers->headers[n].value);
883 	}
884 	free(headers->headers);
885 	headers->headers = NULL;
886 }
887 
888 /**
889 \ingroup Core_Create
890 \brief Free allocated memory
891 */
892 static void
cleartext_trailer_free(struct pgp_hash_t ** trailer)893 cleartext_trailer_free(struct pgp_hash_t **trailer)
894 {
895 	free(*trailer);
896 	*trailer = NULL;
897 }
898 
899 /**
900 \ingroup Core_Create
901 \brief Free allocated memory
902 */
903 static void
cmd_get_passphrase_free(pgp_seckey_passphrase_t * skp)904 cmd_get_passphrase_free(pgp_seckey_passphrase_t *skp)
905 {
906 	if (skp->passphrase && *skp->passphrase) {
907 		free(*skp->passphrase);
908 		*skp->passphrase = NULL;
909 	}
910 }
911 
912 /**
913 \ingroup Core_Create
914 \brief Free allocated memory
915 */
916 static void
free_BN(BIGNUM ** pp)917 free_BN(BIGNUM **pp)
918 {
919 	BN_free(*pp);
920 	*pp = NULL;
921 }
922 
923 /**
924  * \ingroup Core_Create
925  * \brief Free the memory used when parsing a signature
926  * \param sig
927  */
928 static void
sig_free(pgp_sig_t * sig)929 sig_free(pgp_sig_t *sig)
930 {
931 	switch (sig->info.key_alg) {
932 	case PGP_PKA_RSA:
933 	case PGP_PKA_RSA_SIGN_ONLY:
934 		free_BN(&sig->info.sig.rsa.sig);
935 		break;
936 
937 	case PGP_PKA_DSA:
938 		free_BN(&sig->info.sig.dsa.r);
939 		free_BN(&sig->info.sig.dsa.s);
940 		break;
941 
942 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
943 		free_BN(&sig->info.sig.elgamal.r);
944 		free_BN(&sig->info.sig.elgamal.s);
945 		break;
946 
947 	case PGP_PKA_PRIVATE00:
948 	case PGP_PKA_PRIVATE01:
949 	case PGP_PKA_PRIVATE02:
950 	case PGP_PKA_PRIVATE03:
951 	case PGP_PKA_PRIVATE04:
952 	case PGP_PKA_PRIVATE05:
953 	case PGP_PKA_PRIVATE06:
954 	case PGP_PKA_PRIVATE07:
955 	case PGP_PKA_PRIVATE08:
956 	case PGP_PKA_PRIVATE09:
957 	case PGP_PKA_PRIVATE10:
958 		pgp_data_free(&sig->info.sig.unknown);
959 		break;
960 
961 	default:
962 		(void) fprintf(stderr, "sig_free: bad sig type\n");
963 	}
964 }
965 
966 /**
967 \ingroup Core_Create
968 \brief Free allocated memory
969 */
970 /* ! Free any memory allocated when parsing the packet content */
971 void
pgp_parser_content_free(pgp_packet_t * c)972 pgp_parser_content_free(pgp_packet_t *c)
973 {
974 	switch (c->tag) {
975 	case PGP_PARSER_PTAG:
976 	case PGP_PTAG_CT_COMPRESSED:
977 	case PGP_PTAG_SS_CREATION_TIME:
978 	case PGP_PTAG_SS_EXPIRATION_TIME:
979 	case PGP_PTAG_SS_KEY_EXPIRY:
980 	case PGP_PTAG_SS_TRUST:
981 	case PGP_PTAG_SS_ISSUER_KEY_ID:
982 	case PGP_PTAG_CT_1_PASS_SIG:
983 	case PGP_PTAG_SS_PRIMARY_USER_ID:
984 	case PGP_PTAG_SS_REVOCABLE:
985 	case PGP_PTAG_SS_REVOCATION_KEY:
986 	case PGP_PTAG_CT_LITDATA_HEADER:
987 	case PGP_PTAG_CT_LITDATA_BODY:
988 	case PGP_PTAG_CT_SIGNED_CLEARTEXT_BODY:
989 	case PGP_PTAG_CT_UNARMOURED_TEXT:
990 	case PGP_PTAG_CT_ARMOUR_TRAILER:
991 	case PGP_PTAG_CT_SIGNATURE_HEADER:
992 	case PGP_PTAG_CT_SE_DATA_HEADER:
993 	case PGP_PTAG_CT_SE_IP_DATA_HEADER:
994 	case PGP_PTAG_CT_SE_IP_DATA_BODY:
995 	case PGP_PTAG_CT_MDC:
996 	case PGP_GET_SECKEY:
997 		break;
998 
999 	case PGP_PTAG_CT_SIGNED_CLEARTEXT_HEADER:
1000 		headers_free(&c->u.cleartext_head);
1001 		break;
1002 
1003 	case PGP_PTAG_CT_ARMOUR_HEADER:
1004 		headers_free(&c->u.armour_header.headers);
1005 		break;
1006 
1007 	case PGP_PTAG_CT_SIGNED_CLEARTEXT_TRAILER:
1008 		cleartext_trailer_free(&c->u.cleartext_trailer);
1009 		break;
1010 
1011 	case PGP_PTAG_CT_TRUST:
1012 		pgp_data_free(&c->u.trust);
1013 		break;
1014 
1015 	case PGP_PTAG_CT_SIGNATURE:
1016 	case PGP_PTAG_CT_SIGNATURE_FOOTER:
1017 		sig_free(&c->u.sig);
1018 		break;
1019 
1020 	case PGP_PTAG_CT_PUBLIC_KEY:
1021 	case PGP_PTAG_CT_PUBLIC_SUBKEY:
1022 		pgp_pubkey_free(&c->u.pubkey);
1023 		break;
1024 
1025 	case PGP_PTAG_CT_USER_ID:
1026 		pgp_userid_free(&c->u.userid);
1027 		break;
1028 
1029 	case PGP_PTAG_SS_SIGNERS_USER_ID:
1030 		pgp_userid_free(&c->u.ss_signer);
1031 		break;
1032 
1033 	case PGP_PTAG_CT_USER_ATTR:
1034 		pgp_data_free(&c->u.userattr);
1035 		break;
1036 
1037 	case PGP_PTAG_SS_PREFERRED_SKA:
1038 		pgp_data_free(&c->u.ss_skapref);
1039 		break;
1040 
1041 	case PGP_PTAG_SS_PREFERRED_HASH:
1042 		pgp_data_free(&c->u.ss_hashpref);
1043 		break;
1044 
1045 	case PGP_PTAG_SS_PREF_COMPRESS:
1046 		pgp_data_free(&c->u.ss_zpref);
1047 		break;
1048 
1049 	case PGP_PTAG_SS_KEY_FLAGS:
1050 		pgp_data_free(&c->u.ss_key_flags);
1051 		break;
1052 
1053 	case PGP_PTAG_SS_KEYSERV_PREFS:
1054 		pgp_data_free(&c->u.ss_key_server_prefs);
1055 		break;
1056 
1057 	case PGP_PTAG_SS_FEATURES:
1058 		pgp_data_free(&c->u.ss_features);
1059 		break;
1060 
1061 	case PGP_PTAG_SS_NOTATION_DATA:
1062 		pgp_data_free(&c->u.ss_notation.name);
1063 		pgp_data_free(&c->u.ss_notation.value);
1064 		break;
1065 
1066 	case PGP_PTAG_SS_REGEXP:
1067 		string_free(&c->u.ss_regexp);
1068 		break;
1069 
1070 	case PGP_PTAG_SS_POLICY_URI:
1071 		string_free(&c->u.ss_policy);
1072 		break;
1073 
1074 	case PGP_PTAG_SS_PREF_KEYSERV:
1075 		string_free(&c->u.ss_keyserv);
1076 		break;
1077 
1078 	case PGP_PTAG_SS_USERDEFINED00:
1079 	case PGP_PTAG_SS_USERDEFINED01:
1080 	case PGP_PTAG_SS_USERDEFINED02:
1081 	case PGP_PTAG_SS_USERDEFINED03:
1082 	case PGP_PTAG_SS_USERDEFINED04:
1083 	case PGP_PTAG_SS_USERDEFINED05:
1084 	case PGP_PTAG_SS_USERDEFINED06:
1085 	case PGP_PTAG_SS_USERDEFINED07:
1086 	case PGP_PTAG_SS_USERDEFINED08:
1087 	case PGP_PTAG_SS_USERDEFINED09:
1088 	case PGP_PTAG_SS_USERDEFINED10:
1089 		pgp_data_free(&c->u.ss_userdef);
1090 		break;
1091 
1092 	case PGP_PTAG_SS_RESERVED:
1093 		pgp_data_free(&c->u.ss_unknown);
1094 		break;
1095 
1096 	case PGP_PTAG_SS_REVOCATION_REASON:
1097 		string_free(&c->u.ss_revocation.reason);
1098 		break;
1099 
1100 	case PGP_PTAG_SS_EMBEDDED_SIGNATURE:
1101 		pgp_data_free(&c->u.ss_embedded_sig);
1102 		break;
1103 
1104 	case PGP_PARSER_PACKET_END:
1105 		pgp_subpacket_free(&c->u.packet);
1106 		break;
1107 
1108 	case PGP_PARSER_ERROR:
1109 	case PGP_PARSER_ERRCODE:
1110 		break;
1111 
1112 	case PGP_PTAG_CT_SECRET_KEY:
1113 	case PGP_PTAG_CT_ENCRYPTED_SECRET_KEY:
1114 		pgp_seckey_free(&c->u.seckey);
1115 		break;
1116 
1117 	case PGP_PTAG_CT_PK_SESSION_KEY:
1118 	case PGP_PTAG_CT_ENCRYPTED_PK_SESSION_KEY:
1119 		pgp_pk_sesskey_free(&c->u.pk_sesskey);
1120 		break;
1121 
1122 	case PGP_GET_PASSPHRASE:
1123 		cmd_get_passphrase_free(&c->u.skey_passphrase);
1124 		break;
1125 
1126 	default:
1127 		fprintf(stderr, "Can't free %d (0x%x)\n", c->tag, c->tag);
1128 	}
1129 }
1130 
1131 /**
1132 \ingroup Core_Create
1133 \brief Free allocated memory
1134 */
1135 void
pgp_pk_sesskey_free(pgp_pk_sesskey_t * sk)1136 pgp_pk_sesskey_free(pgp_pk_sesskey_t *sk)
1137 {
1138 	switch (sk->alg) {
1139 	case PGP_PKA_RSA:
1140 		free_BN(&sk->params.rsa.encrypted_m);
1141 		break;
1142 
1143 	case PGP_PKA_ELGAMAL:
1144 		free_BN(&sk->params.elgamal.g_to_k);
1145 		free_BN(&sk->params.elgamal.encrypted_m);
1146 		break;
1147 
1148 	default:
1149 		(void) fprintf(stderr, "pgp_pk_sesskey_free: bad alg\n");
1150 		break;
1151 	}
1152 }
1153 
1154 /**
1155 \ingroup Core_Create
1156 \brief Free allocated memory
1157 */
1158 /* ! Free the memory used when parsing a public key */
1159 void
pgp_pubkey_free(pgp_pubkey_t * p)1160 pgp_pubkey_free(pgp_pubkey_t *p)
1161 {
1162 	switch (p->alg) {
1163 	case PGP_PKA_RSA:
1164 	case PGP_PKA_RSA_ENCRYPT_ONLY:
1165 	case PGP_PKA_RSA_SIGN_ONLY:
1166 		free_BN(&p->key.rsa.n);
1167 		free_BN(&p->key.rsa.e);
1168 		break;
1169 
1170 	case PGP_PKA_DSA:
1171 		free_BN(&p->key.dsa.p);
1172 		free_BN(&p->key.dsa.q);
1173 		free_BN(&p->key.dsa.g);
1174 		free_BN(&p->key.dsa.y);
1175 		break;
1176 
1177 	case PGP_PKA_ELGAMAL:
1178 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
1179 		free_BN(&p->key.elgamal.p);
1180 		free_BN(&p->key.elgamal.g);
1181 		free_BN(&p->key.elgamal.y);
1182 		break;
1183 
1184 	case PGP_PKA_NOTHING:
1185 		/* nothing to free */
1186 		break;
1187 
1188 	default:
1189 		(void) fprintf(stderr, "pgp_pubkey_free: bad alg\n");
1190 	}
1191 }
1192 
1193 /**
1194    \ingroup Core_ReadPackets
1195 */
1196 static int
parse_pubkey_data(pgp_pubkey_t * key,pgp_region_t * region,pgp_stream_t * stream)1197 parse_pubkey_data(pgp_pubkey_t *key, pgp_region_t *region,
1198 		      pgp_stream_t *stream)
1199 {
1200 	uint8_t   c = 0x0;
1201 
1202 	if (region->readc != 0) {
1203 		/* We should not have read anything so far */
1204 		(void) fprintf(stderr, "parse_pubkey_data: bad length\n");
1205 		return 0;
1206 	}
1207 	if (!limread(&c, 1, region, stream)) {
1208 		return 0;
1209 	}
1210 	key->version = (pgp_version_t)c;
1211 	switch (key->version) {
1212 	case PGP_V2:
1213 	case PGP_V3:
1214 	case PGP_V4:
1215 		break;
1216 	default:
1217 		PGP_ERROR_1(&stream->errors, PGP_E_PROTO_BAD_PUBLIC_KEY_VRSN,
1218 			    "Bad public key version (0x%02x)", key->version);
1219 		return 0;
1220 	}
1221 	if (!limited_read_time(&key->birthtime, region, stream)) {
1222 		return 0;
1223 	}
1224 
1225 	key->days_valid = 0;
1226 	if ((key->version == 2 || key->version == 3) &&
1227 	    !limread_scalar(&key->days_valid, 2, region, stream)) {
1228 		return 0;
1229 	}
1230 
1231 	if (!limread(&c, 1, region, stream)) {
1232 		return 0;
1233 	}
1234 	key->alg = c;
1235 
1236 	switch (key->alg) {
1237 	case PGP_PKA_DSA:
1238 		if (!limread_mpi(&key->key.dsa.p, region, stream) ||
1239 		    !limread_mpi(&key->key.dsa.q, region, stream) ||
1240 		    !limread_mpi(&key->key.dsa.g, region, stream) ||
1241 		    !limread_mpi(&key->key.dsa.y, region, stream)) {
1242 			return 0;
1243 		}
1244 		break;
1245 
1246 	case PGP_PKA_RSA:
1247 	case PGP_PKA_RSA_ENCRYPT_ONLY:
1248 	case PGP_PKA_RSA_SIGN_ONLY:
1249 		if (!limread_mpi(&key->key.rsa.n, region, stream) ||
1250 		    !limread_mpi(&key->key.rsa.e, region, stream)) {
1251 			return 0;
1252 		}
1253 		break;
1254 
1255 	case PGP_PKA_ELGAMAL:
1256 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
1257 		if (!limread_mpi(&key->key.elgamal.p, region, stream) ||
1258 		    !limread_mpi(&key->key.elgamal.g, region, stream) ||
1259 		    !limread_mpi(&key->key.elgamal.y, region, stream)) {
1260 			return 0;
1261 		}
1262 		break;
1263 
1264 	default:
1265 		PGP_ERROR_1(&stream->errors,
1266 			PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG,
1267 			"Unsupported Public Key algorithm (%s)",
1268 			pgp_show_pka(key->alg));
1269 		return 0;
1270 	}
1271 
1272 	return 1;
1273 }
1274 
1275 
1276 /**
1277  * \ingroup Core_ReadPackets
1278  * \brief Parse a public key packet.
1279  *
1280  * This function parses an entire v3 (== v2) or v4 public key packet for RSA, ElGamal, and DSA keys.
1281  *
1282  * Once the key has been parsed successfully, it is passed to the callback.
1283  *
1284  * \param *ptag		Pointer to the current Packet Tag.  This function should consume the entire packet.
1285  * \param *reader	Our reader
1286  * \param *cb		The callback
1287  * \return		1 on success, 0 on error
1288  *
1289  * \see RFC4880 5.5.2
1290  */
1291 static int
parse_pubkey(pgp_content_enum tag,pgp_region_t * region,pgp_stream_t * stream)1292 parse_pubkey(pgp_content_enum tag, pgp_region_t *region,
1293 		 pgp_stream_t *stream)
1294 {
1295 	pgp_packet_t pkt;
1296 
1297 	if (!parse_pubkey_data(&pkt.u.pubkey, region, stream)) {
1298 		(void) fprintf(stderr, "parse_pubkey: parse_pubkey_data failed\n");
1299 		return 0;
1300 	}
1301 
1302 	/* XXX: this test should be done for all packets, surely? */
1303 	if (region->readc != region->length) {
1304 		PGP_ERROR_1(&stream->errors, PGP_E_R_UNCONSUMED_DATA,
1305 			    "Unconsumed data (%d)", region->length - region->readc);
1306 		return 0;
1307 	}
1308 	CALLBACK(tag, &stream->cbinfo, &pkt);
1309 
1310 	return 1;
1311 }
1312 
1313 /**
1314  * \ingroup Core_ReadPackets
1315  * \brief Parse one user attribute packet.
1316  *
1317  * User attribute packets contain one or more attribute subpackets.
1318  * For now, handle the whole packet as raw data.
1319  */
1320 
1321 static int
parse_userattr(pgp_region_t * region,pgp_stream_t * stream)1322 parse_userattr(pgp_region_t *region, pgp_stream_t *stream)
1323 {
1324 
1325 	pgp_packet_t pkt;
1326 
1327 	/*
1328 	 * xxx- treat as raw data for now. Could break down further into
1329 	 * attribute sub-packets later - rachel
1330 	 */
1331 	if (region->readc != 0) {
1332 		/* We should not have read anything so far */
1333 		(void) fprintf(stderr, "parse_userattr: bad length\n");
1334 		return 0;
1335 	}
1336 	if (!read_data(&pkt.u.userattr, region, stream)) {
1337 		return 0;
1338 	}
1339 	CALLBACK(PGP_PTAG_CT_USER_ATTR, &stream->cbinfo, &pkt);
1340 	return 1;
1341 }
1342 
1343 /**
1344 \ingroup Core_Create
1345 \brief Free allocated memory
1346 */
1347 /* ! Free the memory used when parsing this packet type */
1348 void
pgp_userid_free(uint8_t ** id)1349 pgp_userid_free(uint8_t **id)
1350 {
1351 	free(*id);
1352 	*id = NULL;
1353 }
1354 
1355 /**
1356  * \ingroup Core_ReadPackets
1357  * \brief Parse a user id.
1358  *
1359  * This function parses an user id packet, which is basically just a char array the size of the packet.
1360  *
1361  * The char array is to be treated as an UTF-8 string.
1362  *
1363  * The userid gets null terminated by this function.  Freeing it is the responsibility of the caller.
1364  *
1365  * Once the userid has been parsed successfully, it is passed to the callback.
1366  *
1367  * \param *ptag		Pointer to the Packet Tag.  This function should consume the entire packet.
1368  * \param *reader	Our reader
1369  * \param *cb		The callback
1370  * \return		1 on success, 0 on error
1371  *
1372  * \see RFC4880 5.11
1373  */
1374 static int
parse_userid(pgp_region_t * region,pgp_stream_t * stream)1375 parse_userid(pgp_region_t *region, pgp_stream_t *stream)
1376 {
1377 	pgp_packet_t pkt;
1378 
1379 	 if (region->readc != 0) {
1380 		/* We should not have read anything so far */
1381 		(void) fprintf(stderr, "parse_userid: bad length\n");
1382 		return 0;
1383 	}
1384 
1385 	if ((pkt.u.userid = calloc(1, region->length + 1)) == NULL) {
1386 		(void) fprintf(stderr, "parse_userid: bad alloc\n");
1387 		return 0;
1388 	}
1389 
1390 	if (region->length &&
1391 	    !limread(pkt.u.userid, region->length, region,
1392 			stream)) {
1393 		return 0;
1394 	}
1395 	pkt.u.userid[region->length] = 0x0;
1396 	CALLBACK(PGP_PTAG_CT_USER_ID, &stream->cbinfo, &pkt);
1397 	return 1;
1398 }
1399 
1400 static pgp_hash_t     *
parse_hash_find(pgp_stream_t * stream,const uint8_t * keyid)1401 parse_hash_find(pgp_stream_t *stream, const uint8_t *keyid)
1402 {
1403 	pgp_hashtype_t	*hp;
1404 	size_t			 n;
1405 
1406 	for (n = 0, hp = stream->hashes; n < stream->hashc; n++, hp++) {
1407 		if (memcmp(hp->keyid, keyid, PGP_KEY_ID_SIZE) == 0) {
1408 			return &hp->hash;
1409 		}
1410 	}
1411 	return NULL;
1412 }
1413 
1414 /**
1415  * \ingroup Core_Parse
1416  * \brief Parse a version 3 signature.
1417  *
1418  * This function parses an version 3 signature packet, handling RSA and DSA signatures.
1419  *
1420  * Once the signature has been parsed successfully, it is passed to the callback.
1421  *
1422  * \param *ptag		Pointer to the Packet Tag.  This function should consume the entire packet.
1423  * \param *reader	Our reader
1424  * \param *cb		The callback
1425  * \return		1 on success, 0 on error
1426  *
1427  * \see RFC4880 5.2.2
1428  */
1429 static int
parse_v3_sig(pgp_region_t * region,pgp_stream_t * stream)1430 parse_v3_sig(pgp_region_t *region,
1431 		   pgp_stream_t *stream)
1432 {
1433 	pgp_packet_t	pkt;
1434 	uint8_t		c = 0x0;
1435 
1436 	/* clear signature */
1437 	(void) memset(&pkt.u.sig, 0x0, sizeof(pkt.u.sig));
1438 
1439 	pkt.u.sig.info.version = PGP_V3;
1440 
1441 	/* hash info length */
1442 	if (!limread(&c, 1, region, stream)) {
1443 		return 0;
1444 	}
1445 	if (c != 5) {
1446 		ERRP(&stream->cbinfo, pkt, "bad hash info length");
1447 	}
1448 
1449 	if (!limread(&c, 1, region, stream)) {
1450 		return 0;
1451 	}
1452 	pkt.u.sig.info.type = (pgp_sig_type_t)c;
1453 	/* XXX: check signature type */
1454 
1455 	if (!limited_read_time(&pkt.u.sig.info.birthtime, region, stream)) {
1456 		return 0;
1457 	}
1458 	pkt.u.sig.info.birthtime_set = 1;
1459 
1460 	if (!limread(pkt.u.sig.info.signer_id, PGP_KEY_ID_SIZE, region,
1461 			stream)) {
1462 		return 0;
1463 	}
1464 	pkt.u.sig.info.signer_id_set = 1;
1465 
1466 	if (!limread(&c, 1, region, stream)) {
1467 		return 0;
1468 	}
1469 	pkt.u.sig.info.key_alg = (pgp_pubkey_alg_t)c;
1470 	/* XXX: check algorithm */
1471 
1472 	if (!limread(&c, 1, region, stream)) {
1473 		return 0;
1474 	}
1475 	pkt.u.sig.info.hash_alg = (pgp_hash_alg_t)c;
1476 	/* XXX: check algorithm */
1477 
1478 	if (!limread(pkt.u.sig.hash2, 2, region, stream)) {
1479 		return 0;
1480 	}
1481 
1482 	switch (pkt.u.sig.info.key_alg) {
1483 	case PGP_PKA_RSA:
1484 	case PGP_PKA_RSA_SIGN_ONLY:
1485 		if (!limread_mpi(&pkt.u.sig.info.sig.rsa.sig, region, stream)) {
1486 			return 0;
1487 		}
1488 		break;
1489 
1490 	case PGP_PKA_DSA:
1491 		if (!limread_mpi(&pkt.u.sig.info.sig.dsa.r, region, stream) ||
1492 		    !limread_mpi(&pkt.u.sig.info.sig.dsa.s, region, stream)) {
1493 			return 0;
1494 		}
1495 		break;
1496 
1497 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
1498 		if (!limread_mpi(&pkt.u.sig.info.sig.elgamal.r, region,
1499 				stream) ||
1500 		    !limread_mpi(&pkt.u.sig.info.sig.elgamal.s, region,
1501 		    		stream)) {
1502 			return 0;
1503 		}
1504 		break;
1505 
1506 	default:
1507 		PGP_ERROR_1(&stream->errors,
1508 			PGP_E_ALG_UNSUPPORTED_SIGNATURE_ALG,
1509 			"Unsupported signature key algorithm (%s)",
1510 			pgp_show_pka(pkt.u.sig.info.key_alg));
1511 		return 0;
1512 	}
1513 
1514 	if (region->readc != region->length) {
1515 		PGP_ERROR_1(&stream->errors, PGP_E_R_UNCONSUMED_DATA,
1516 			"Unconsumed data (%d)",
1517 			region->length - region->readc);
1518 		return 0;
1519 	}
1520 	if (pkt.u.sig.info.signer_id_set) {
1521 		pkt.u.sig.hash = parse_hash_find(stream,
1522 				pkt.u.sig.info.signer_id);
1523 	}
1524 	CALLBACK(PGP_PTAG_CT_SIGNATURE, &stream->cbinfo, &pkt);
1525 	return 1;
1526 }
1527 
1528 /**
1529  * \ingroup Core_ReadPackets
1530  * \brief Parse one signature sub-packet.
1531  *
1532  * Version 4 signatures can have an arbitrary amount of (hashed and
1533  * unhashed) subpackets.  Subpackets are used to hold optional
1534  * attributes of subpackets.
1535  *
1536  * This function parses one such signature subpacket.
1537  *
1538  * Once the subpacket has been parsed successfully, it is passed to the callback.
1539  *
1540  * \param *ptag		Pointer to the Packet Tag.  This function should consume the entire subpacket.
1541  * \param *reader	Our reader
1542  * \param *cb		The callback
1543  * \return		1 on success, 0 on error
1544  *
1545  * \see RFC4880 5.2.3
1546  */
1547 static int
parse_one_sig_subpacket(pgp_sig_t * sig,pgp_region_t * region,pgp_stream_t * stream)1548 parse_one_sig_subpacket(pgp_sig_t *sig,
1549 			      pgp_region_t *region,
1550 			      pgp_stream_t *stream)
1551 {
1552 	pgp_region_t	subregion;
1553 	pgp_packet_t	pkt;
1554 	uint8_t		bools = 0x0;
1555 	uint8_t		c = 0x0;
1556 	unsigned	doread = 1;
1557 	unsigned        t8;
1558 	unsigned        t7;
1559 
1560 	pgp_init_subregion(&subregion, region);
1561 	if (!limited_read_new_length(&subregion.length, region, stream)) {
1562 		return 0;
1563 	}
1564 
1565 	if (subregion.length > region->length) {
1566 		ERRP(&stream->cbinfo, pkt, "Subpacket too long");
1567 	}
1568 
1569 	if (!limread(&c, 1, &subregion, stream)) {
1570 		return 0;
1571 	}
1572 
1573 	t8 = (c & 0x7f) / 8;
1574 	t7 = 1 << (c & 7);
1575 
1576 	pkt.critical = (unsigned)c >> 7;
1577 	pkt.tag = (pgp_content_enum)(PGP_PTAG_SIG_SUBPKT_BASE + (c & 0x7f));
1578 
1579 	/* Application wants it delivered raw */
1580 	if (stream->ss_raw[t8] & t7) {
1581 		pkt.u.ss_raw.tag = pkt.tag;
1582 		pkt.u.ss_raw.length = subregion.length - 1;
1583 		pkt.u.ss_raw.raw = calloc(1, pkt.u.ss_raw.length);
1584 		if (pkt.u.ss_raw.raw == NULL) {
1585 			(void) fprintf(stderr, "parse_one_sig_subpacket: bad alloc\n");
1586 			return 0;
1587 		}
1588 		if (!limread(pkt.u.ss_raw.raw, (unsigned)pkt.u.ss_raw.length,
1589 				&subregion, stream)) {
1590 			return 0;
1591 		}
1592 		CALLBACK(PGP_PTAG_RAW_SS, &stream->cbinfo, &pkt);
1593 		return 1;
1594 	}
1595 	switch (pkt.tag) {
1596 	case PGP_PTAG_SS_CREATION_TIME:
1597 	case PGP_PTAG_SS_EXPIRATION_TIME:
1598 	case PGP_PTAG_SS_KEY_EXPIRY:
1599 		if (!limited_read_time(&pkt.u.ss_time, &subregion, stream))
1600 			return 0;
1601 		if (pkt.tag == PGP_PTAG_SS_CREATION_TIME) {
1602 			sig->info.birthtime = pkt.u.ss_time;
1603 			sig->info.birthtime_set = 1;
1604 		}
1605 		if (pkt.tag == PGP_PTAG_SS_EXPIRATION_TIME) {
1606 			sig->info.duration = pkt.u.ss_time;
1607 			sig->info.duration_set = 1;
1608 		}
1609 		break;
1610 
1611 	case PGP_PTAG_SS_TRUST:
1612 		if (!limread(&pkt.u.ss_trust.level, 1, &subregion, stream) ||
1613 		    !limread(&pkt.u.ss_trust.amount, 1, &subregion, stream)) {
1614 			return 0;
1615 		}
1616 		break;
1617 
1618 	case PGP_PTAG_SS_REVOCABLE:
1619 		if (!limread(&bools, 1, &subregion, stream)) {
1620 			return 0;
1621 		}
1622 		pkt.u.ss_revocable = !!bools;
1623 		break;
1624 
1625 	case PGP_PTAG_SS_ISSUER_KEY_ID:
1626 		if (!limread(pkt.u.ss_issuer, PGP_KEY_ID_SIZE, &subregion, stream)) {
1627 			return 0;
1628 		}
1629 		(void) memcpy(sig->info.signer_id, pkt.u.ss_issuer, PGP_KEY_ID_SIZE);
1630 		sig->info.signer_id_set = 1;
1631 		break;
1632 
1633 	case PGP_PTAG_SS_PREFERRED_SKA:
1634 		if (!read_data(&pkt.u.ss_skapref, &subregion, stream)) {
1635 			return 0;
1636 		}
1637 		break;
1638 
1639 	case PGP_PTAG_SS_PREFERRED_HASH:
1640 		if (!read_data(&pkt.u.ss_hashpref, &subregion, stream)) {
1641 			return 0;
1642 		}
1643 		break;
1644 
1645 	case PGP_PTAG_SS_PREF_COMPRESS:
1646 		if (!read_data(&pkt.u.ss_zpref, &subregion, stream)) {
1647 			return 0;
1648 		}
1649 		break;
1650 
1651 	case PGP_PTAG_SS_PRIMARY_USER_ID:
1652 		if (!limread(&bools, 1, &subregion, stream)) {
1653 			return 0;
1654 		}
1655 		pkt.u.ss_primary_userid = !!bools;
1656 		break;
1657 
1658 	case PGP_PTAG_SS_KEY_FLAGS:
1659 		if (!read_data(&pkt.u.ss_key_flags, &subregion, stream)) {
1660 			return 0;
1661 		}
1662 		break;
1663 
1664 	case PGP_PTAG_SS_KEYSERV_PREFS:
1665 		if (!read_data(&pkt.u.ss_key_server_prefs, &subregion, stream)) {
1666 			return 0;
1667 		}
1668 		break;
1669 
1670 	case PGP_PTAG_SS_FEATURES:
1671 		if (!read_data(&pkt.u.ss_features, &subregion, stream)) {
1672 			return 0;
1673 		}
1674 		break;
1675 
1676 	case PGP_PTAG_SS_SIGNERS_USER_ID:
1677 		if (!read_unsig_str(&pkt.u.ss_signer, &subregion, stream)) {
1678 			return 0;
1679 		}
1680 		break;
1681 
1682 	case PGP_PTAG_SS_EMBEDDED_SIGNATURE:
1683 		/* \todo should do something with this sig? */
1684 		if (!read_data(&pkt.u.ss_embedded_sig, &subregion, stream)) {
1685 			return 0;
1686 		}
1687 		break;
1688 
1689 	case PGP_PTAG_SS_NOTATION_DATA:
1690 		if (!limread_data(&pkt.u.ss_notation.flags, 4,
1691 				&subregion, stream)) {
1692 			return 0;
1693 		}
1694 		if (!limread_size_t(&pkt.u.ss_notation.name.len, 2,
1695 				&subregion, stream)) {
1696 			return 0;
1697 		}
1698 		if (!limread_size_t(&pkt.u.ss_notation.value.len, 2,
1699 				&subregion, stream)) {
1700 			return 0;
1701 		}
1702 		if (!limread_data(&pkt.u.ss_notation.name,
1703 				(unsigned)pkt.u.ss_notation.name.len,
1704 				&subregion, stream)) {
1705 			return 0;
1706 		}
1707 		if (!limread_data(&pkt.u.ss_notation.value,
1708 			   (unsigned)pkt.u.ss_notation.value.len,
1709 			   &subregion, stream)) {
1710 			return 0;
1711 		}
1712 		break;
1713 
1714 	case PGP_PTAG_SS_POLICY_URI:
1715 		if (!read_string(&pkt.u.ss_policy, &subregion, stream)) {
1716 			return 0;
1717 		}
1718 		break;
1719 
1720 	case PGP_PTAG_SS_REGEXP:
1721 		if (!read_string(&pkt.u.ss_regexp, &subregion, stream)) {
1722 			return 0;
1723 		}
1724 		break;
1725 
1726 	case PGP_PTAG_SS_PREF_KEYSERV:
1727 		if (!read_string(&pkt.u.ss_keyserv, &subregion, stream)) {
1728 			return 0;
1729 		}
1730 		break;
1731 
1732 	case PGP_PTAG_SS_USERDEFINED00:
1733 	case PGP_PTAG_SS_USERDEFINED01:
1734 	case PGP_PTAG_SS_USERDEFINED02:
1735 	case PGP_PTAG_SS_USERDEFINED03:
1736 	case PGP_PTAG_SS_USERDEFINED04:
1737 	case PGP_PTAG_SS_USERDEFINED05:
1738 	case PGP_PTAG_SS_USERDEFINED06:
1739 	case PGP_PTAG_SS_USERDEFINED07:
1740 	case PGP_PTAG_SS_USERDEFINED08:
1741 	case PGP_PTAG_SS_USERDEFINED09:
1742 	case PGP_PTAG_SS_USERDEFINED10:
1743 		if (!read_data(&pkt.u.ss_userdef, &subregion, stream)) {
1744 			return 0;
1745 		}
1746 		break;
1747 
1748 	case PGP_PTAG_SS_RESERVED:
1749 		if (!read_data(&pkt.u.ss_unknown, &subregion, stream)) {
1750 			return 0;
1751 		}
1752 		break;
1753 
1754 	case PGP_PTAG_SS_REVOCATION_REASON:
1755 		/* first byte is the machine-readable code */
1756 		if (!limread(&pkt.u.ss_revocation.code, 1, &subregion, stream)) {
1757 			return 0;
1758 		}
1759 		/* the rest is a human-readable UTF-8 string */
1760 		if (!read_string(&pkt.u.ss_revocation.reason, &subregion,
1761 				stream)) {
1762 			return 0;
1763 		}
1764 		break;
1765 
1766 	case PGP_PTAG_SS_REVOCATION_KEY:
1767 		/* octet 0 = class. Bit 0x80 must be set */
1768 		if (!limread(&pkt.u.ss_revocation_key.class, 1,
1769 				&subregion, stream)) {
1770 			return 0;
1771 		}
1772 		if (!(pkt.u.ss_revocation_key.class & 0x80)) {
1773 			printf("Warning: PGP_PTAG_SS_REVOCATION_KEY class: "
1774 			       "Bit 0x80 should be set\n");
1775 			return 0;
1776 		}
1777 		/* octet 1 = algid */
1778 		if (!limread(&pkt.u.ss_revocation_key.algid, 1,
1779 				&subregion, stream)) {
1780 			return 0;
1781 		}
1782 		/* octets 2-21 = fingerprint */
1783 		if (!limread(&pkt.u.ss_revocation_key.fingerprint[0],
1784 				PGP_FINGERPRINT_SIZE, &subregion, stream)) {
1785 			return 0;
1786 		}
1787 		break;
1788 
1789 	default:
1790 		if (stream->ss_parsed[t8] & t7) {
1791 			PGP_ERROR_1(&stream->errors, PGP_E_PROTO_UNKNOWN_SS,
1792 				    "Unknown signature subpacket type (%d)",
1793 				    c & 0x7f);
1794 		}
1795 		doread = 0;
1796 		break;
1797 	}
1798 
1799 	/* Application doesn't want it delivered parsed */
1800 	if (!(stream->ss_parsed[t8] & t7)) {
1801 		if (pkt.critical) {
1802 			PGP_ERROR_1(&stream->errors,
1803 				PGP_E_PROTO_CRITICAL_SS_IGNORED,
1804 				"Critical signature subpacket ignored (%d)",
1805 				c & 0x7f);
1806 		}
1807 		if (!doread &&
1808 		    !limskip(subregion.length - 1, &subregion, stream)) {
1809 			return 0;
1810 		}
1811 		if (doread) {
1812 			pgp_parser_content_free(&pkt);
1813 		}
1814 		return 1;
1815 	}
1816 	if (doread && subregion.readc != subregion.length) {
1817 		PGP_ERROR_1(&stream->errors, PGP_E_R_UNCONSUMED_DATA,
1818 			    "Unconsumed data (%d)",
1819 			    subregion.length - subregion.readc);
1820 		return 0;
1821 	}
1822 	CALLBACK(pkt.tag, &stream->cbinfo, &pkt);
1823 	return 1;
1824 }
1825 
1826 /**
1827  * \ingroup Core_ReadPackets
1828  * \brief Parse several signature subpackets.
1829  *
1830  * Hashed and unhashed subpacket sets are preceded by an octet count that specifies the length of the complete set.
1831  * This function parses this length and then calls parse_one_sig_subpacket() for each subpacket until the
1832  * entire set is consumed.
1833  *
1834  * This function does not call the callback directly, parse_one_sig_subpacket() does for each subpacket.
1835  *
1836  * \param *ptag		Pointer to the Packet Tag.
1837  * \param *reader	Our reader
1838  * \param *cb		The callback
1839  * \return		1 on success, 0 on error
1840  *
1841  * \see RFC4880 5.2.3
1842  */
1843 static int
parse_sig_subpkts(pgp_sig_t * sig,pgp_region_t * region,pgp_stream_t * stream)1844 parse_sig_subpkts(pgp_sig_t *sig,
1845 			   pgp_region_t *region,
1846 			   pgp_stream_t *stream)
1847 {
1848 	pgp_region_t	subregion;
1849 	pgp_packet_t	pkt;
1850 
1851 	pgp_init_subregion(&subregion, region);
1852 	if (!limread_scalar(&subregion.length, 2, region, stream)) {
1853 		return 0;
1854 	}
1855 
1856 	if (subregion.length > region->length) {
1857 		ERRP(&stream->cbinfo, pkt, "Subpacket set too long");
1858 	}
1859 
1860 	while (subregion.readc < subregion.length) {
1861 		if (!parse_one_sig_subpacket(sig, &subregion, stream)) {
1862 			return 0;
1863 		}
1864 	}
1865 
1866 	if (subregion.readc != subregion.length) {
1867 		if (!limskip(subregion.length - subregion.readc,
1868 				&subregion, stream)) {
1869 			ERRP(&stream->cbinfo, pkt,
1870 "parse_sig_subpkts: subpacket length read mismatch");
1871 		}
1872 		ERRP(&stream->cbinfo, pkt, "Subpacket length mismatch");
1873 	}
1874 	return 1;
1875 }
1876 
1877 /**
1878  * \ingroup Core_ReadPackets
1879  * \brief Parse a version 4 signature.
1880  *
1881  * This function parses a version 4 signature including all its hashed and unhashed subpackets.
1882  *
1883  * Once the signature packet has been parsed successfully, it is passed to the callback.
1884  *
1885  * \param *ptag		Pointer to the Packet Tag.
1886  * \param *reader	Our reader
1887  * \param *cb		The callback
1888  * \return		1 on success, 0 on error
1889  *
1890  * \see RFC4880 5.2.3
1891  */
1892 static int
parse_v4_sig(pgp_region_t * region,pgp_stream_t * stream)1893 parse_v4_sig(pgp_region_t *region, pgp_stream_t *stream)
1894 {
1895 	pgp_packet_t	pkt;
1896 	uint8_t		c = 0x0;
1897 
1898 	if (pgp_get_debug_level(__FILE__)) {
1899 		fprintf(stderr, "\nparse_v4_sig\n");
1900 	}
1901 	/* clear signature */
1902 	(void) memset(&pkt.u.sig, 0x0, sizeof(pkt.u.sig));
1903 
1904 	/*
1905 	 * We need to hash the packet data from version through the hashed
1906 	 * subpacket data
1907 	 */
1908 
1909 	pkt.u.sig.v4_hashstart = stream->readinfo.alength - 1;
1910 
1911 	/* Set version,type,algorithms */
1912 
1913 	pkt.u.sig.info.version = PGP_V4;
1914 
1915 	if (!limread(&c, 1, region, stream)) {
1916 		return 0;
1917 	}
1918 	pkt.u.sig.info.type = (pgp_sig_type_t)c;
1919 	if (pgp_get_debug_level(__FILE__)) {
1920 		fprintf(stderr, "signature type=%d (%s)\n",
1921 			pkt.u.sig.info.type,
1922 			pgp_show_sig_type(pkt.u.sig.info.type));
1923 	}
1924 	/* XXX: check signature type */
1925 
1926 	if (!limread(&c, 1, region, stream)) {
1927 		return 0;
1928 	}
1929 	pkt.u.sig.info.key_alg = (pgp_pubkey_alg_t)c;
1930 	/* XXX: check key algorithm */
1931 	if (pgp_get_debug_level(__FILE__)) {
1932 		(void) fprintf(stderr, "key_alg=%d (%s)\n",
1933 			pkt.u.sig.info.key_alg,
1934 			pgp_show_pka(pkt.u.sig.info.key_alg));
1935 	}
1936 	if (!limread(&c, 1, region, stream)) {
1937 		return 0;
1938 	}
1939 	pkt.u.sig.info.hash_alg = (pgp_hash_alg_t)c;
1940 	/* XXX: check hash algorithm */
1941 	if (pgp_get_debug_level(__FILE__)) {
1942 		fprintf(stderr, "hash_alg=%d %s\n",
1943 			pkt.u.sig.info.hash_alg,
1944 		  pgp_show_hash_alg(pkt.u.sig.info.hash_alg));
1945 	}
1946 	CALLBACK(PGP_PTAG_CT_SIGNATURE_HEADER, &stream->cbinfo, &pkt);
1947 
1948 	if (!parse_sig_subpkts(&pkt.u.sig, region, stream)) {
1949 		return 0;
1950 	}
1951 
1952 	pkt.u.sig.info.v4_hashlen = stream->readinfo.alength
1953 					- pkt.u.sig.v4_hashstart;
1954 	if (pgp_get_debug_level(__FILE__)) {
1955 		fprintf(stderr, "v4_hashlen=%zd\n", pkt.u.sig.info.v4_hashlen);
1956 	}
1957 
1958 	/* copy hashed subpackets */
1959 	if (pkt.u.sig.info.v4_hashed) {
1960 		free(pkt.u.sig.info.v4_hashed);
1961 	}
1962 	pkt.u.sig.info.v4_hashed = calloc(1, pkt.u.sig.info.v4_hashlen);
1963 	if (pkt.u.sig.info.v4_hashed == NULL) {
1964 		(void) fprintf(stderr, "parse_v4_sig: bad alloc\n");
1965 		return 0;
1966 	}
1967 
1968 	if (!stream->readinfo.accumulate) {
1969 		/* We must accumulate, else we can't check the signature */
1970 		fprintf(stderr, "*** ERROR: must set accumulate to 1\n");
1971 		return 0;
1972 	}
1973 	(void) memcpy(pkt.u.sig.info.v4_hashed,
1974 	       stream->readinfo.accumulated + pkt.u.sig.v4_hashstart,
1975 	       pkt.u.sig.info.v4_hashlen);
1976 
1977 	if (!parse_sig_subpkts(&pkt.u.sig, region, stream)) {
1978 		return 0;
1979 	}
1980 
1981 	if (!limread(pkt.u.sig.hash2, 2, region, stream)) {
1982 		return 0;
1983 	}
1984 
1985 	switch (pkt.u.sig.info.key_alg) {
1986 	case PGP_PKA_RSA:
1987 		if (!limread_mpi(&pkt.u.sig.info.sig.rsa.sig, region, stream)) {
1988 			return 0;
1989 		}
1990 		if (pgp_get_debug_level(__FILE__)) {
1991 			(void) fprintf(stderr, "parse_v4_sig: RSA: sig is\n");
1992 			BN_print_fp(stderr, pkt.u.sig.info.sig.rsa.sig);
1993 			(void) fprintf(stderr, "\n");
1994 		}
1995 		break;
1996 
1997 	case PGP_PKA_DSA:
1998 		if (!limread_mpi(&pkt.u.sig.info.sig.dsa.r, region, stream)) {
1999 			/*
2000 			 * usually if this fails, it just means we've reached
2001 			 * the end of the keyring
2002 			 */
2003 			if (pgp_get_debug_level(__FILE__)) {
2004 				(void) fprintf(stderr,
2005 				"Error reading DSA r field in signature");
2006 			}
2007 			return 0;
2008 		}
2009 		if (!limread_mpi(&pkt.u.sig.info.sig.dsa.s, region, stream)) {
2010 			ERRP(&stream->cbinfo, pkt,
2011 			"Error reading DSA s field in signature");
2012 		}
2013 		break;
2014 
2015 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
2016 		if (!limread_mpi(&pkt.u.sig.info.sig.elgamal.r, region,
2017 				stream) ||
2018 		    !limread_mpi(&pkt.u.sig.info.sig.elgamal.s, region,
2019 		    		stream)) {
2020 			return 0;
2021 		}
2022 		break;
2023 
2024 	case PGP_PKA_PRIVATE00:
2025 	case PGP_PKA_PRIVATE01:
2026 	case PGP_PKA_PRIVATE02:
2027 	case PGP_PKA_PRIVATE03:
2028 	case PGP_PKA_PRIVATE04:
2029 	case PGP_PKA_PRIVATE05:
2030 	case PGP_PKA_PRIVATE06:
2031 	case PGP_PKA_PRIVATE07:
2032 	case PGP_PKA_PRIVATE08:
2033 	case PGP_PKA_PRIVATE09:
2034 	case PGP_PKA_PRIVATE10:
2035 		if (!read_data(&pkt.u.sig.info.sig.unknown, region, stream)) {
2036 			return 0;
2037 		}
2038 		break;
2039 
2040 	default:
2041 		PGP_ERROR_1(&stream->errors, PGP_E_ALG_UNSUPPORTED_SIGNATURE_ALG,
2042 			    "Bad v4 signature key algorithm (%s)",
2043 			    pgp_show_pka(pkt.u.sig.info.key_alg));
2044 		return 0;
2045 	}
2046 	if (region->readc != region->length) {
2047 		PGP_ERROR_1(&stream->errors, PGP_E_R_UNCONSUMED_DATA,
2048 			    "Unconsumed data (%d)",
2049 			    region->length - region->readc);
2050 		return 0;
2051 	}
2052 	CALLBACK(PGP_PTAG_CT_SIGNATURE_FOOTER, &stream->cbinfo, &pkt);
2053 	return 1;
2054 }
2055 
2056 /**
2057  * \ingroup Core_ReadPackets
2058  * \brief Parse a signature subpacket.
2059  *
2060  * This function calls the appropriate function to handle v3 or v4 signatures.
2061  *
2062  * Once the signature packet has been parsed successfully, it is passed to the callback.
2063  *
2064  * \param *ptag		Pointer to the Packet Tag.
2065  * \param *reader	Our reader
2066  * \param *cb		The callback
2067  * \return		1 on success, 0 on error
2068  */
2069 static int
parse_sig(pgp_region_t * region,pgp_stream_t * stream)2070 parse_sig(pgp_region_t *region, pgp_stream_t *stream)
2071 {
2072 	pgp_packet_t	pkt;
2073 	uint8_t		c = 0x0;
2074 
2075 	if (region->readc != 0) {
2076 		/* We should not have read anything so far */
2077 		(void) fprintf(stderr, "parse_sig: bad length\n");
2078 		return 0;
2079 	}
2080 
2081 	(void) memset(&pkt, 0x0, sizeof(pkt));
2082 	if (!limread(&c, 1, region, stream)) {
2083 		return 0;
2084 	}
2085 	if (c == 2 || c == 3) {
2086 		return parse_v3_sig(region, stream);
2087 	}
2088 	if (c == 4) {
2089 		return parse_v4_sig(region, stream);
2090 	}
2091 	PGP_ERROR_1(&stream->errors, PGP_E_PROTO_BAD_SIGNATURE_VRSN,
2092 		    "Bad signature version (%d)", c);
2093 	return 0;
2094 }
2095 
2096 /**
2097  \ingroup Core_ReadPackets
2098  \brief Parse Compressed packet
2099 */
2100 static int
parse_compressed(pgp_region_t * region,pgp_stream_t * stream)2101 parse_compressed(pgp_region_t *region, pgp_stream_t *stream)
2102 {
2103 	pgp_packet_t	pkt;
2104 	uint8_t		c = 0x0;
2105 
2106 	if (!limread(&c, 1, region, stream)) {
2107 		return 0;
2108 	}
2109 
2110 	pkt.u.compressed = (pgp_compression_type_t)c;
2111 
2112 	CALLBACK(PGP_PTAG_CT_COMPRESSED, &stream->cbinfo, &pkt);
2113 
2114 	/*
2115 	 * The content of a compressed data packet is more OpenPGP packets
2116 	 * once decompressed, so recursively handle them
2117 	 */
2118 
2119 	return pgp_decompress(region, stream, pkt.u.compressed);
2120 }
2121 
2122 /* XXX: this could be improved by sharing all hashes that are the */
2123 /* same, then duping them just before checking the signature. */
2124 static void
parse_hash_init(pgp_stream_t * stream,pgp_hash_alg_t type,const uint8_t * keyid)2125 parse_hash_init(pgp_stream_t *stream, pgp_hash_alg_t type,
2126 		    const uint8_t *keyid)
2127 {
2128 	pgp_hashtype_t *hash;
2129 
2130 	hash = realloc(stream->hashes,
2131 			      (stream->hashc + 1) * sizeof(*stream->hashes));
2132 	if (hash == NULL) {
2133 		(void) fprintf(stderr, "parse_hash_init: bad alloc 0\n");
2134 		/* just continue and die here */
2135 		/* XXX - agc - no way to return failure */
2136 	} else {
2137 		stream->hashes = hash;
2138 	}
2139 	hash = &stream->hashes[stream->hashc++];
2140 
2141 	pgp_hash_any(&hash->hash, type);
2142 	if (!hash->hash.init(&hash->hash)) {
2143 		(void) fprintf(stderr, "parse_hash_init: bad alloc\n");
2144 		/* just continue and die here */
2145 		/* XXX - agc - no way to return failure */
2146 	}
2147 	(void) memcpy(hash->keyid, keyid, sizeof(hash->keyid));
2148 }
2149 
2150 /**
2151    \ingroup Core_ReadPackets
2152    \brief Parse a One Pass Signature packet
2153 */
2154 static int
parse_one_pass(pgp_region_t * region,pgp_stream_t * stream)2155 parse_one_pass(pgp_region_t * region, pgp_stream_t * stream)
2156 {
2157 	pgp_packet_t	pkt;
2158 	uint8_t		c = 0x0;
2159 
2160 	if (!limread(&pkt.u.one_pass_sig.version, 1, region, stream)) {
2161 		return 0;
2162 	}
2163 	if (pkt.u.one_pass_sig.version != 3) {
2164 		PGP_ERROR_1(&stream->errors, PGP_E_PROTO_BAD_ONE_PASS_SIG_VRSN,
2165 			    "Bad one-pass signature version (%d)",
2166 			    pkt.u.one_pass_sig.version);
2167 		return 0;
2168 	}
2169 	if (!limread(&c, 1, region, stream)) {
2170 		return 0;
2171 	}
2172 	pkt.u.one_pass_sig.sig_type = (pgp_sig_type_t)c;
2173 
2174 	if (!limread(&c, 1, region, stream)) {
2175 		return 0;
2176 	}
2177 	pkt.u.one_pass_sig.hash_alg = (pgp_hash_alg_t)c;
2178 
2179 	if (!limread(&c, 1, region, stream)) {
2180 		return 0;
2181 	}
2182 	pkt.u.one_pass_sig.key_alg = (pgp_pubkey_alg_t)c;
2183 
2184 	if (!limread(pkt.u.one_pass_sig.keyid,
2185 			  (unsigned)sizeof(pkt.u.one_pass_sig.keyid),
2186 			  region, stream)) {
2187 		return 0;
2188 	}
2189 
2190 	if (!limread(&c, 1, region, stream)) {
2191 		return 0;
2192 	}
2193 	pkt.u.one_pass_sig.nested = !!c;
2194 	CALLBACK(PGP_PTAG_CT_1_PASS_SIG, &stream->cbinfo, &pkt);
2195 	/* XXX: we should, perhaps, let the app choose whether to hash or not */
2196 	parse_hash_init(stream, pkt.u.one_pass_sig.hash_alg,
2197 			    pkt.u.one_pass_sig.keyid);
2198 	return 1;
2199 }
2200 
2201 /**
2202  \ingroup Core_ReadPackets
2203  \brief Parse a Trust packet
2204 */
2205 static int
parse_trust(pgp_region_t * region,pgp_stream_t * stream)2206 parse_trust(pgp_region_t *region, pgp_stream_t *stream)
2207 {
2208 	pgp_packet_t pkt;
2209 
2210 	if (!read_data(&pkt.u.trust, region, stream)) {
2211 		return 0;
2212 	}
2213 	CALLBACK(PGP_PTAG_CT_TRUST, &stream->cbinfo, &pkt);
2214 	return 1;
2215 }
2216 
2217 static void
parse_hash_data(pgp_stream_t * stream,const void * data,size_t length)2218 parse_hash_data(pgp_stream_t *stream, const void *data,
2219 		    size_t length)
2220 {
2221 	size_t          n;
2222 
2223 	for (n = 0; n < stream->hashc; ++n) {
2224 		stream->hashes[n].hash.add(&stream->hashes[n].hash, data, (unsigned)length);
2225 	}
2226 }
2227 
2228 /**
2229    \ingroup Core_ReadPackets
2230    \brief Parse a Literal Data packet
2231 */
2232 static int
parse_litdata(pgp_region_t * region,pgp_stream_t * stream)2233 parse_litdata(pgp_region_t *region, pgp_stream_t *stream)
2234 {
2235 	pgp_memory_t	*mem;
2236 	pgp_packet_t	 pkt;
2237 	uint8_t		 c = 0x0;
2238 
2239 	if (!limread(&c, 1, region, stream)) {
2240 		return 0;
2241 	}
2242 	pkt.u.litdata_header.format = (pgp_litdata_enum)c;
2243 	if (!limread(&c, 1, region, stream)) {
2244 		return 0;
2245 	}
2246 	if (!limread((uint8_t *)pkt.u.litdata_header.filename,
2247 			(unsigned)c, region, stream)) {
2248 		return 0;
2249 	}
2250 	pkt.u.litdata_header.filename[c] = '\0';
2251 	if (!limited_read_time(&pkt.u.litdata_header.mtime, region, stream)) {
2252 		return 0;
2253 	}
2254 	CALLBACK(PGP_PTAG_CT_LITDATA_HEADER, &stream->cbinfo, &pkt);
2255 	mem = pkt.u.litdata_body.mem = pgp_memory_new();
2256 	pgp_memory_init(pkt.u.litdata_body.mem,
2257 			(unsigned)((region->length * 101) / 100) + 12);
2258 	pkt.u.litdata_body.data = mem->buf;
2259 
2260 	while (region->readc < region->length) {
2261 		unsigned        readc = region->length - region->readc;
2262 
2263 		if (!limread(mem->buf, readc, region, stream)) {
2264 			return 0;
2265 		}
2266 		pkt.u.litdata_body.length = readc;
2267 		parse_hash_data(stream, pkt.u.litdata_body.data, region->length);
2268 		CALLBACK(PGP_PTAG_CT_LITDATA_BODY, &stream->cbinfo, &pkt);
2269 	}
2270 
2271 	/* XXX - get rid of mem here? */
2272 
2273 	return 1;
2274 }
2275 
2276 /**
2277  * \ingroup Core_Create
2278  *
2279  * pgp_seckey_free() frees the memory associated with "key". Note that
2280  * the key itself is not freed.
2281  *
2282  * \param key
2283  */
2284 
2285 void
pgp_seckey_free(pgp_seckey_t * key)2286 pgp_seckey_free(pgp_seckey_t *key)
2287 {
2288 	switch (key->pubkey.alg) {
2289 	case PGP_PKA_RSA:
2290 	case PGP_PKA_RSA_ENCRYPT_ONLY:
2291 	case PGP_PKA_RSA_SIGN_ONLY:
2292 		free_BN(&key->key.rsa.d);
2293 		free_BN(&key->key.rsa.p);
2294 		free_BN(&key->key.rsa.q);
2295 		free_BN(&key->key.rsa.u);
2296 		break;
2297 
2298 	case PGP_PKA_DSA:
2299 		free_BN(&key->key.dsa.x);
2300 		break;
2301 
2302 	default:
2303 		(void) fprintf(stderr,
2304 			"pgp_seckey_free: Unknown algorithm: %d (%s)\n",
2305 			key->pubkey.alg,
2306 			pgp_show_pka(key->pubkey.alg));
2307 	}
2308 	free(key->checkhash);
2309 }
2310 
2311 static int
consume_packet(pgp_region_t * region,pgp_stream_t * stream,unsigned warn)2312 consume_packet(pgp_region_t *region, pgp_stream_t *stream, unsigned warn)
2313 {
2314 	pgp_packet_t	pkt;
2315 	pgp_data_t	remainder;
2316 
2317 	if (region->indeterminate) {
2318 		ERRP(&stream->cbinfo, pkt,
2319 			"Can't consume indeterminate packets");
2320 	}
2321 
2322 	if (read_data(&remainder, region, stream)) {
2323 		/* now throw it away */
2324 		pgp_data_free(&remainder);
2325 		if (warn) {
2326 			PGP_ERROR_1(&stream->errors, PGP_E_P_PACKET_CONSUMED,
2327 			    "%s", "Warning: packet consumer");
2328 		}
2329 		return 1;
2330 	}
2331 	PGP_ERROR_1(&stream->errors, PGP_E_P_PACKET_NOT_CONSUMED,
2332 	    "%s", (warn) ? "Warning: Packet was not consumed" :
2333 	    "Packet was not consumed");
2334 	return warn;
2335 }
2336 
2337 /**
2338  * \ingroup Core_ReadPackets
2339  * \brief Parse a secret key
2340  */
2341 static int
parse_seckey(pgp_region_t * region,pgp_stream_t * stream)2342 parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
2343 {
2344 	pgp_packet_t		pkt;
2345 	pgp_region_t		encregion;
2346 	pgp_region_t	       *saved_region = NULL;
2347 	pgp_crypt_t		decrypt;
2348 	pgp_hash_t		checkhash;
2349 	unsigned		blocksize;
2350 	unsigned		crypted;
2351 	uint8_t			c = 0x0;
2352 	int			ret = 1;
2353 
2354 	if (pgp_get_debug_level(__FILE__)) {
2355 		fprintf(stderr, "\n---------\nparse_seckey:\n");
2356 		fprintf(stderr,
2357 			"region length=%u, readc=%u, remainder=%u\n",
2358 			region->length, region->readc,
2359 			region->length - region->readc);
2360 	}
2361 	(void) memset(&pkt, 0x0, sizeof(pkt));
2362 	if (!parse_pubkey_data(&pkt.u.seckey.pubkey, region, stream)) {
2363 		return 0;
2364 	}
2365 	if (pgp_get_debug_level(__FILE__)) {
2366 		fprintf(stderr, "parse_seckey: public key parsed\n");
2367 		pgp_print_pubkey(&pkt.u.seckey.pubkey);
2368 	}
2369 	stream->reading_v3_secret = (pkt.u.seckey.pubkey.version != PGP_V4);
2370 
2371 	if (!limread(&c, 1, region, stream)) {
2372 		return 0;
2373 	}
2374 	pkt.u.seckey.s2k_usage = (pgp_s2k_usage_t)c;
2375 
2376 	if (pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED ||
2377 	    pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED_AND_HASHED) {
2378 		if (!limread(&c, 1, region, stream)) {
2379 			return 0;
2380 		}
2381 		pkt.u.seckey.alg = (pgp_symm_alg_t)c;
2382 		if (!limread(&c, 1, region, stream)) {
2383 			return 0;
2384 		}
2385 		pkt.u.seckey.s2k_specifier = (pgp_s2k_specifier_t)c;
2386 		switch (pkt.u.seckey.s2k_specifier) {
2387 		case PGP_S2KS_SIMPLE:
2388 		case PGP_S2KS_SALTED:
2389 		case PGP_S2KS_ITERATED_AND_SALTED:
2390 			break;
2391 		default:
2392 			(void) fprintf(stderr,
2393 				"parse_seckey: bad seckey\n");
2394 			return 0;
2395 		}
2396 		if (!limread(&c, 1, region, stream)) {
2397 			return 0;
2398 		}
2399 		pkt.u.seckey.hash_alg = (pgp_hash_alg_t)c;
2400 		if (pkt.u.seckey.s2k_specifier != PGP_S2KS_SIMPLE &&
2401 		    !limread(pkt.u.seckey.salt, 8, region, stream)) {
2402 			return 0;
2403 		}
2404 		if (pkt.u.seckey.s2k_specifier ==
2405 					PGP_S2KS_ITERATED_AND_SALTED) {
2406 			if (!limread(&c, 1, region, stream)) {
2407 				return 0;
2408 			}
2409 			pkt.u.seckey.octetc =
2410 				(16 + ((unsigned)c & 15)) <<
2411 						(((unsigned)c >> 4) + 6);
2412 		}
2413 	} else if (pkt.u.seckey.s2k_usage != PGP_S2KU_NONE) {
2414 		/* this is V3 style, looks just like a V4 simple hash */
2415 		pkt.u.seckey.alg = (pgp_symm_alg_t)c;
2416 		pkt.u.seckey.s2k_usage = PGP_S2KU_ENCRYPTED;
2417 		pkt.u.seckey.s2k_specifier = PGP_S2KS_SIMPLE;
2418 		pkt.u.seckey.hash_alg = PGP_HASH_MD5;
2419 	}
2420 	crypted = pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED ||
2421 		pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED_AND_HASHED;
2422 
2423 	if (crypted) {
2424 		pgp_packet_t	seckey;
2425 		pgp_hash_t	hashes[(PGP_MAX_KEY_SIZE + PGP_MIN_HASH_SIZE - 1) / PGP_MIN_HASH_SIZE];
2426 		unsigned	passlen;
2427 		uint8_t   	key[PGP_MAX_KEY_SIZE + PGP_MAX_HASH_SIZE];
2428 		char           *passphrase;
2429 		int             hashsize;
2430 		int             keysize;
2431 		int             n;
2432 
2433 		if (pgp_get_debug_level(__FILE__)) {
2434 			(void) fprintf(stderr, "crypted seckey\n");
2435 		}
2436 		blocksize = pgp_block_size(pkt.u.seckey.alg);
2437 		if (blocksize == 0 || blocksize > PGP_MAX_BLOCK_SIZE) {
2438 			(void) fprintf(stderr,
2439 				"parse_seckey: bad blocksize\n");
2440 			return 0;
2441 		}
2442 
2443 		if (!limread(pkt.u.seckey.iv, blocksize, region, stream)) {
2444 			return 0;
2445 		}
2446 		(void) memset(&seckey, 0x0, sizeof(seckey));
2447 		passphrase = NULL;
2448 		seckey.u.skey_passphrase.passphrase = &passphrase;
2449 		seckey.u.skey_passphrase.seckey = &pkt.u.seckey;
2450 		CALLBACK(PGP_GET_PASSPHRASE, &stream->cbinfo, &seckey);
2451 		if (!passphrase) {
2452 			if (pgp_get_debug_level(__FILE__)) {
2453 				/* \todo make into proper error */
2454 				(void) fprintf(stderr,
2455 				"parse_seckey: can't get passphrase\n");
2456 			}
2457 			if (!consume_packet(region, stream, 0)) {
2458 				return 0;
2459 			}
2460 
2461 			CALLBACK(PGP_PTAG_CT_ENCRYPTED_SECRET_KEY,
2462 				&stream->cbinfo, &pkt);
2463 
2464 			return 1;
2465 		}
2466 		keysize = pgp_key_size(pkt.u.seckey.alg);
2467 		if (keysize == 0 || keysize > PGP_MAX_KEY_SIZE) {
2468 			(void) fprintf(stderr,
2469 				"parse_seckey: bad keysize\n");
2470 			return 0;
2471 		}
2472 
2473 		/* Hardcoded SHA1 for just now */
2474 		pkt.u.seckey.hash_alg = PGP_HASH_SHA1;
2475 		hashsize = pgp_hash_size(pkt.u.seckey.hash_alg);
2476 		if (hashsize == 0 || hashsize > PGP_MAX_HASH_SIZE) {
2477 			(void) fprintf(stderr,
2478 				"parse_seckey: bad hashsize\n");
2479 			return 0;
2480 		}
2481 
2482 		for (n = 0; n * hashsize < keysize; ++n) {
2483 			int             i;
2484 
2485 			pgp_hash_any(&hashes[n],
2486 				pkt.u.seckey.hash_alg);
2487 			if (!hashes[n].init(&hashes[n])) {
2488 				(void) fprintf(stderr,
2489 					"parse_seckey: bad alloc\n");
2490 				return 0;
2491 			}
2492 			/* preload hashes with zeroes... */
2493 			for (i = 0; i < n; ++i) {
2494 				hashes[n].add(&hashes[n],
2495 					(const uint8_t *) "", 1);
2496 			}
2497 		}
2498 		passlen = (unsigned)strlen(passphrase);
2499 		for (n = 0; n * hashsize < keysize; ++n) {
2500 			unsigned        i;
2501 
2502 			switch (pkt.u.seckey.s2k_specifier) {
2503 			case PGP_S2KS_SALTED:
2504 				hashes[n].add(&hashes[n],
2505 					pkt.u.seckey.salt,
2506 					PGP_SALT_SIZE);
2507 				/* FALLTHROUGH */
2508 			case PGP_S2KS_SIMPLE:
2509 				hashes[n].add(&hashes[n],
2510 					(uint8_t *)passphrase, (unsigned)passlen);
2511 				break;
2512 
2513 			case PGP_S2KS_ITERATED_AND_SALTED:
2514 				for (i = 0; i < pkt.u.seckey.octetc;
2515 						i += passlen + PGP_SALT_SIZE) {
2516 					unsigned	j;
2517 
2518 					j = passlen + PGP_SALT_SIZE;
2519 					if (i + j > pkt.u.seckey.octetc && i != 0) {
2520 						j = pkt.u.seckey.octetc - i;
2521 					}
2522 					hashes[n].add(&hashes[n],
2523 						pkt.u.seckey.salt,
2524 						(unsigned)(j > PGP_SALT_SIZE) ?
2525 							PGP_SALT_SIZE : j);
2526 					if (j > PGP_SALT_SIZE) {
2527 						hashes[n].add(&hashes[n],
2528 						(uint8_t *) passphrase,
2529 						j - PGP_SALT_SIZE);
2530 					}
2531 				}
2532 				break;
2533 			default:
2534 				break;
2535 			}
2536 		}
2537 
2538 		for (n = 0; n * hashsize < keysize; ++n) {
2539 			int	r;
2540 
2541 			r = hashes[n].finish(&hashes[n], key + n * hashsize);
2542 			if (r != hashsize) {
2543 				(void) fprintf(stderr,
2544 					"parse_seckey: bad r\n");
2545 				return 0;
2546 			}
2547 		}
2548 
2549 		pgp_forget(passphrase, passlen);
2550 
2551 		pgp_crypt_any(&decrypt, pkt.u.seckey.alg);
2552 		if (pgp_get_debug_level(__FILE__)) {
2553 			hexdump(stderr, "input iv", pkt.u.seckey.iv, pgp_block_size(pkt.u.seckey.alg));
2554 			hexdump(stderr, "key", key, CAST_KEY_LENGTH);
2555 		}
2556 		decrypt.set_iv(&decrypt, pkt.u.seckey.iv);
2557 		decrypt.set_crypt_key(&decrypt, key);
2558 
2559 		/* now read encrypted data */
2560 
2561 		pgp_reader_push_decrypt(stream, &decrypt, region);
2562 
2563 		/*
2564 		 * Since all known encryption for PGP doesn't compress, we
2565 		 * can limit to the same length as the current region (for
2566 		 * now).
2567 		 */
2568 		pgp_init_subregion(&encregion, NULL);
2569 		encregion.length = region->length - region->readc;
2570 		if (pkt.u.seckey.pubkey.version != PGP_V4) {
2571 			encregion.length -= 2;
2572 		}
2573 		saved_region = region;
2574 		region = &encregion;
2575 	}
2576 	if (pgp_get_debug_level(__FILE__)) {
2577 		fprintf(stderr, "parse_seckey: end of crypted passphrase\n");
2578 	}
2579 	if (pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED_AND_HASHED) {
2580 		/* XXX - Hard-coded SHA1 here ?? Check */
2581 		pkt.u.seckey.checkhash = calloc(1, PGP_SHA1_HASH_SIZE);
2582 		if (pkt.u.seckey.checkhash == NULL) {
2583 			(void) fprintf(stderr, "parse_seckey: bad alloc\n");
2584 			return 0;
2585 		}
2586 		pgp_hash_sha1(&checkhash);
2587 		pgp_reader_push_hash(stream, &checkhash);
2588 	} else {
2589 		pgp_reader_push_sum16(stream);
2590 	}
2591 	if (pgp_get_debug_level(__FILE__)) {
2592 		fprintf(stderr, "parse_seckey: checkhash, reading MPIs\n");
2593 	}
2594 	switch (pkt.u.seckey.pubkey.alg) {
2595 	case PGP_PKA_RSA:
2596 	case PGP_PKA_RSA_ENCRYPT_ONLY:
2597 	case PGP_PKA_RSA_SIGN_ONLY:
2598 		if (!limread_mpi(&pkt.u.seckey.key.rsa.d, region, stream) ||
2599 		    !limread_mpi(&pkt.u.seckey.key.rsa.p, region, stream) ||
2600 		    !limread_mpi(&pkt.u.seckey.key.rsa.q, region, stream) ||
2601 		    !limread_mpi(&pkt.u.seckey.key.rsa.u, region, stream)) {
2602 			ret = 0;
2603 		}
2604 		break;
2605 
2606 	case PGP_PKA_DSA:
2607 		if (!limread_mpi(&pkt.u.seckey.key.dsa.x, region, stream)) {
2608 			ret = 0;
2609 		}
2610 		break;
2611 
2612 	case PGP_PKA_ELGAMAL:
2613 		if (!limread_mpi(&pkt.u.seckey.key.elgamal.x, region, stream)) {
2614 			ret = 0;
2615 		}
2616 		break;
2617 
2618 	default:
2619 		PGP_ERROR_2(&stream->errors,
2620 			PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG,
2621 			"Unsupported Public Key algorithm %d (%s)",
2622 			pkt.u.seckey.pubkey.alg,
2623 			pgp_show_pka(pkt.u.seckey.pubkey.alg));
2624 		ret = 0;
2625 	}
2626 
2627 	if (pgp_get_debug_level(__FILE__)) {
2628 		(void) fprintf(stderr, "4 MPIs read\n");
2629 	}
2630 	stream->reading_v3_secret = 0;
2631 
2632 	if (pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED_AND_HASHED) {
2633 		uint8_t   hash[PGP_CHECKHASH_SIZE];
2634 
2635 		pgp_reader_pop_hash(stream);
2636 		checkhash.finish(&checkhash, hash);
2637 
2638 		if (crypted &&
2639 		    pkt.u.seckey.pubkey.version != PGP_V4) {
2640 			pgp_reader_pop_decrypt(stream);
2641 			region = saved_region;
2642 		}
2643 		if (ret) {
2644 			if (!limread(pkt.u.seckey.checkhash,
2645 				PGP_CHECKHASH_SIZE, region, stream)) {
2646 				return 0;
2647 			}
2648 
2649 			if (memcmp(hash, pkt.u.seckey.checkhash,
2650 					PGP_CHECKHASH_SIZE) != 0) {
2651 				ERRP(&stream->cbinfo, pkt,
2652 					"Hash mismatch in secret key");
2653 			}
2654 		}
2655 	} else {
2656 		uint16_t  sum;
2657 
2658 		sum = pgp_reader_pop_sum16(stream);
2659 		if (crypted &&
2660 		    pkt.u.seckey.pubkey.version != PGP_V4) {
2661 			pgp_reader_pop_decrypt(stream);
2662 			region = saved_region;
2663 		}
2664 		if (ret) {
2665 			if (!limread_scalar(&pkt.u.seckey.checksum, 2,
2666 					region, stream))
2667 				return 0;
2668 
2669 			if (sum != pkt.u.seckey.checksum) {
2670 				ERRP(&stream->cbinfo, pkt,
2671 					"Checksum mismatch in secret key");
2672 			}
2673 		}
2674 	}
2675 
2676 	if (crypted && pkt.u.seckey.pubkey.version == PGP_V4) {
2677 		pgp_reader_pop_decrypt(stream);
2678 	}
2679 	if (region == NULL) {
2680 		(void) fprintf(stderr, "parse_seckey: NULL region\n");
2681 		return 0;
2682 	}
2683 	if (ret && region->readc != region->length) {
2684 		(void) fprintf(stderr, "parse_seckey: bad length\n");
2685 		return 0;
2686 	}
2687 	if (!ret) {
2688 		return 0;
2689 	}
2690 	CALLBACK(PGP_PTAG_CT_SECRET_KEY, &stream->cbinfo, &pkt);
2691 	if (pgp_get_debug_level(__FILE__)) {
2692 		(void) fprintf(stderr, "--- end of parse_seckey\n\n");
2693 	}
2694 	return 1;
2695 }
2696 
2697 /**
2698    \ingroup Core_ReadPackets
2699    \brief Parse a Public Key Session Key packet
2700 */
2701 static int
parse_pk_sesskey(pgp_region_t * region,pgp_stream_t * stream)2702 parse_pk_sesskey(pgp_region_t *region,
2703 		     pgp_stream_t *stream)
2704 {
2705 	const pgp_seckey_t	*secret;
2706 	pgp_packet_t		 sesskey;
2707 	pgp_packet_t		 pkt;
2708 	uint8_t			*iv;
2709 	uint8_t		   	 c = 0x0;
2710 	uint8_t			 cs[2];
2711 	unsigned		 k;
2712 	BIGNUM			*g_to_k;
2713 	BIGNUM			*enc_m;
2714 	int			 n;
2715 	uint8_t		 	 unencoded_m_buf[1024];
2716 
2717 	if (!limread(&c, 1, region, stream)) {
2718 		(void) fprintf(stderr, "parse_pk_sesskey - can't read char in region\n");
2719 		return 0;
2720 	}
2721 	pkt.u.pk_sesskey.version = c;
2722 	if (pkt.u.pk_sesskey.version != 3) {
2723 		PGP_ERROR_1(&stream->errors, PGP_E_PROTO_BAD_PKSK_VRSN,
2724 			"Bad public-key encrypted session key version (%d)",
2725 			    pkt.u.pk_sesskey.version);
2726 		return 0;
2727 	}
2728 	if (!limread(pkt.u.pk_sesskey.key_id,
2729 			  (unsigned)sizeof(pkt.u.pk_sesskey.key_id), region, stream)) {
2730 		return 0;
2731 	}
2732 	if (pgp_get_debug_level(__FILE__)) {
2733 		hexdump(stderr, "sesskey: pubkey id", pkt.u.pk_sesskey.key_id, sizeof(pkt.u.pk_sesskey.key_id));
2734 	}
2735 	if (!limread(&c, 1, region, stream)) {
2736 		return 0;
2737 	}
2738 	pkt.u.pk_sesskey.alg = (pgp_pubkey_alg_t)c;
2739 	switch (pkt.u.pk_sesskey.alg) {
2740 	case PGP_PKA_RSA:
2741 		if (!limread_mpi(&pkt.u.pk_sesskey.params.rsa.encrypted_m,
2742 				      region, stream)) {
2743 			return 0;
2744 		}
2745 		enc_m = pkt.u.pk_sesskey.params.rsa.encrypted_m;
2746 		g_to_k = NULL;
2747 		break;
2748 
2749 	case PGP_PKA_DSA:
2750 	case PGP_PKA_ELGAMAL:
2751 		if (!limread_mpi(&pkt.u.pk_sesskey.params.elgamal.g_to_k,
2752 				      region, stream) ||
2753 		    !limread_mpi(
2754 			&pkt.u.pk_sesskey.params.elgamal.encrypted_m,
2755 					 region, stream)) {
2756 			return 0;
2757 		}
2758 		g_to_k = pkt.u.pk_sesskey.params.elgamal.g_to_k;
2759 		enc_m = pkt.u.pk_sesskey.params.elgamal.encrypted_m;
2760 		break;
2761 
2762 	default:
2763 		PGP_ERROR_1(&stream->errors,
2764 			PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG,
2765 			"Unknown public key algorithm in session key (%s)",
2766 			pgp_show_pka(pkt.u.pk_sesskey.alg));
2767 		return 0;
2768 	}
2769 
2770 	(void) memset(&sesskey, 0x0, sizeof(sesskey));
2771 	secret = NULL;
2772 	sesskey.u.get_seckey.seckey = &secret;
2773 	sesskey.u.get_seckey.pk_sesskey = &pkt.u.pk_sesskey;
2774 
2775 	if (pgp_get_debug_level(__FILE__)) {
2776 		(void) fprintf(stderr, "getting secret key via callback\n");
2777 	}
2778 
2779 	CALLBACK(PGP_GET_SECKEY, &stream->cbinfo, &sesskey);
2780 
2781 	if (pgp_get_debug_level(__FILE__)) {
2782 		(void) fprintf(stderr, "got secret key via callback\n");
2783 	}
2784 	if (!secret) {
2785 		CALLBACK(PGP_PTAG_CT_ENCRYPTED_PK_SESSION_KEY, &stream->cbinfo,
2786 			&pkt);
2787 		return 1;
2788 	}
2789 	n = pgp_decrypt_decode_mpi(unencoded_m_buf,
2790 		(unsigned)sizeof(unencoded_m_buf), g_to_k, enc_m, secret);
2791 
2792 	if (n < 1) {
2793 		ERRP(&stream->cbinfo, pkt, "decrypted message too short");
2794 		return 0;
2795 	}
2796 
2797 	/* PKA */
2798 	pkt.u.pk_sesskey.symm_alg = (pgp_symm_alg_t)unencoded_m_buf[0];
2799 	if (pgp_get_debug_level(__FILE__)) {
2800 		(void) fprintf(stderr, "symm alg %d\n", pkt.u.pk_sesskey.symm_alg);
2801 	}
2802 
2803 	if (!pgp_is_sa_supported(pkt.u.pk_sesskey.symm_alg)) {
2804 		/* ERR1P */
2805 		PGP_ERROR_1(&stream->errors, PGP_E_ALG_UNSUPPORTED_SYMMETRIC_ALG,
2806 			    "Symmetric algorithm %s not supported",
2807 			    pgp_show_symm_alg(
2808 				pkt.u.pk_sesskey.symm_alg));
2809 		return 0;
2810 	}
2811 	k = pgp_key_size(pkt.u.pk_sesskey.symm_alg);
2812 	if (pgp_get_debug_level(__FILE__)) {
2813 		(void) fprintf(stderr, "key size %d\n", k);
2814 	}
2815 
2816 	if ((unsigned) n != k + 3) {
2817 		PGP_ERROR_2(&stream->errors, PGP_E_PROTO_DECRYPTED_MSG_WRONG_LEN,
2818 		      "decrypted message wrong length (got %d expected %d)",
2819 			    n, k + 3);
2820 		return 0;
2821 	}
2822 	if (k > sizeof(pkt.u.pk_sesskey.key)) {
2823 		(void) fprintf(stderr, "parse_pk_sesskey: bad keylength\n");
2824 		return 0;
2825 	}
2826 
2827 	(void) memcpy(pkt.u.pk_sesskey.key, unencoded_m_buf + 1, k);
2828 
2829 	if (pgp_get_debug_level(__FILE__)) {
2830 		hexdump(stderr, "recovered sesskey", pkt.u.pk_sesskey.key, k);
2831 	}
2832 	pkt.u.pk_sesskey.checksum = unencoded_m_buf[k + 1] +
2833 			(unencoded_m_buf[k + 2] << 8);
2834 	if (pgp_get_debug_level(__FILE__)) {
2835 		(void) fprintf(stderr, "session key checksum: %2x %2x\n",
2836 			unencoded_m_buf[k + 1], unencoded_m_buf[k + 2]);
2837 	}
2838 
2839 	/* Check checksum */
2840 	pgp_calc_sesskey_checksum(&pkt.u.pk_sesskey, &cs[0]);
2841 	if (unencoded_m_buf[k + 1] != cs[0] ||
2842 	    unencoded_m_buf[k + 2] != cs[1]) {
2843 		PGP_ERROR_4(&stream->errors, PGP_E_PROTO_BAD_SK_CHECKSUM,
2844 		"Session key checksum wrong: expected %2x %2x, got %2x %2x",
2845 		cs[0], cs[1], unencoded_m_buf[k + 1],
2846 		unencoded_m_buf[k + 2]);
2847 		return 0;
2848 	}
2849 
2850 	if (pgp_get_debug_level(__FILE__)) {
2851 		(void) fprintf(stderr, "getting pk session key via callback\n");
2852 	}
2853 	/* all is well */
2854 	CALLBACK(PGP_PTAG_CT_PK_SESSION_KEY, &stream->cbinfo, &pkt);
2855 	if (pgp_get_debug_level(__FILE__)) {
2856 		(void) fprintf(stderr, "got pk session key via callback\n");
2857 	}
2858 
2859 	pgp_crypt_any(&stream->decrypt, pkt.u.pk_sesskey.symm_alg);
2860 	iv = calloc(1, stream->decrypt.blocksize);
2861 	if (iv == NULL) {
2862 		(void) fprintf(stderr, "parse_pk_sesskey: bad alloc\n");
2863 		return 0;
2864 	}
2865 	stream->decrypt.set_iv(&stream->decrypt, iv);
2866 	stream->decrypt.set_crypt_key(&stream->decrypt, pkt.u.pk_sesskey.key);
2867 	pgp_encrypt_init(&stream->decrypt);
2868 	free(iv);
2869 	return 1;
2870 }
2871 
2872 static int
decrypt_se_data(pgp_content_enum tag,pgp_region_t * region,pgp_stream_t * stream)2873 decrypt_se_data(pgp_content_enum tag, pgp_region_t *region,
2874 		    pgp_stream_t *stream)
2875 {
2876 	pgp_crypt_t	*decrypt;
2877 	const int	 printerrors = 1;
2878 	int		 r = 1;
2879 
2880 	decrypt = pgp_get_decrypt(stream);
2881 	if (decrypt) {
2882 		pgp_region_t	encregion;
2883 		unsigned	b = (unsigned)decrypt->blocksize;
2884 		uint8_t		buf[PGP_MAX_BLOCK_SIZE + 2] = "";
2885 
2886 		pgp_reader_push_decrypt(stream, decrypt, region);
2887 
2888 		pgp_init_subregion(&encregion, NULL);
2889 		encregion.length = b + 2;
2890 
2891 		if (!exact_limread(buf, b + 2, &encregion, stream)) {
2892 			return 0;
2893 		}
2894 		if (buf[b - 2] != buf[b] || buf[b - 1] != buf[b + 1]) {
2895 			pgp_reader_pop_decrypt(stream);
2896 			PGP_ERROR_4(&stream->errors,
2897 				PGP_E_PROTO_BAD_SYMMETRIC_DECRYPT,
2898 				"Bad symmetric decrypt (%02x%02x vs %02x%02x)",
2899 				buf[b - 2], buf[b - 1], buf[b], buf[b + 1]);
2900 			return 0;
2901 		}
2902 		if (tag == PGP_PTAG_CT_SE_DATA_BODY) {
2903 			decrypt->decrypt_resync(decrypt);
2904 			decrypt->block_encrypt(decrypt, decrypt->civ,
2905 					decrypt->civ);
2906 		}
2907 		r = pgp_parse(stream, !printerrors);
2908 
2909 		pgp_reader_pop_decrypt(stream);
2910 	} else {
2911 		pgp_packet_t pkt;
2912 
2913 		while (region->readc < region->length) {
2914 			unsigned        len;
2915 
2916 			len = region->length - region->readc;
2917 			if (len > sizeof(pkt.u.se_data_body.data))
2918 				len = sizeof(pkt.u.se_data_body.data);
2919 
2920 			if (!limread(pkt.u.se_data_body.data, len,
2921 					region, stream)) {
2922 				return 0;
2923 			}
2924 			pkt.u.se_data_body.length = len;
2925 			CALLBACK(tag, &stream->cbinfo, &pkt);
2926 		}
2927 	}
2928 
2929 	return r;
2930 }
2931 
2932 static int
decrypt_se_ip_data(pgp_content_enum tag,pgp_region_t * region,pgp_stream_t * stream)2933 decrypt_se_ip_data(pgp_content_enum tag, pgp_region_t *region,
2934 		       pgp_stream_t *stream)
2935 {
2936 	pgp_crypt_t	*decrypt;
2937 	const int	 printerrors = 1;
2938 	int		 r = 1;
2939 
2940 	decrypt = pgp_get_decrypt(stream);
2941 	if (decrypt) {
2942 		if (pgp_get_debug_level(__FILE__)) {
2943 			(void) fprintf(stderr, "decrypt_se_ip_data: decrypt\n");
2944 		}
2945 		pgp_reader_push_decrypt(stream, decrypt, region);
2946 		pgp_reader_push_se_ip_data(stream, decrypt, region);
2947 
2948 		r = pgp_parse(stream, !printerrors);
2949 
2950 		pgp_reader_pop_se_ip_data(stream);
2951 		pgp_reader_pop_decrypt(stream);
2952 	} else {
2953 		pgp_packet_t pkt;
2954 
2955 		if (pgp_get_debug_level(__FILE__)) {
2956 			(void) fprintf(stderr, "decrypt_se_ip_data: no decrypt\n");
2957 		}
2958 		while (region->readc < region->length) {
2959 			unsigned        len;
2960 
2961 			len = region->length - region->readc;
2962 			if (len > sizeof(pkt.u.se_data_body.data)) {
2963 				len = sizeof(pkt.u.se_data_body.data);
2964 			}
2965 
2966 			if (!limread(pkt.u.se_data_body.data,
2967 					len, region, stream)) {
2968 				return 0;
2969 			}
2970 
2971 			pkt.u.se_data_body.length = len;
2972 
2973 			CALLBACK(tag, &stream->cbinfo, &pkt);
2974 		}
2975 	}
2976 
2977 	return r;
2978 }
2979 
2980 /**
2981    \ingroup Core_ReadPackets
2982    \brief Read a Symmetrically Encrypted packet
2983 */
2984 static int
parse_se_data(pgp_region_t * region,pgp_stream_t * stream)2985 parse_se_data(pgp_region_t *region, pgp_stream_t *stream)
2986 {
2987 	pgp_packet_t pkt;
2988 
2989 	/* there's no info to go with this, so just announce it */
2990 	CALLBACK(PGP_PTAG_CT_SE_DATA_HEADER, &stream->cbinfo, &pkt);
2991 
2992 	/*
2993 	 * The content of an encrypted data packet is more OpenPGP packets
2994 	 * once decrypted, so recursively handle them
2995 	 */
2996 	return decrypt_se_data(PGP_PTAG_CT_SE_DATA_BODY, region, stream);
2997 }
2998 
2999 /**
3000    \ingroup Core_ReadPackets
3001    \brief Read a Symmetrically Encrypted Integrity Protected packet
3002 */
3003 static int
parse_se_ip_data(pgp_region_t * region,pgp_stream_t * stream)3004 parse_se_ip_data(pgp_region_t *region, pgp_stream_t *stream)
3005 {
3006 	pgp_packet_t	pkt;
3007 	uint8_t		c = 0x0;
3008 
3009 	if (!limread(&c, 1, region, stream)) {
3010 		return 0;
3011 	}
3012 	pkt.u.se_ip_data_header = c;
3013 	if (pgp_get_debug_level(__FILE__)) {
3014 		(void) fprintf(stderr, "parse_se_ip_data: data header %d\n", c);
3015 	}
3016 	if (pkt.u.se_ip_data_header != PGP_SE_IP_DATA_VERSION) {
3017 		(void) fprintf(stderr, "parse_se_ip_data: bad version\n");
3018 		return 0;
3019 	}
3020 
3021 	if (pgp_get_debug_level(__FILE__)) {
3022 		(void) fprintf(stderr, "parse_se_ip_data: region %d,%d\n",
3023 			region->readc, region->length);
3024 		hexdump(stderr, "compressed region", stream->virtualpkt, stream->virtualc);
3025 	}
3026 	/*
3027 	 * The content of an encrypted data packet is more OpenPGP packets
3028 	 * once decrypted, so recursively handle them
3029 	 */
3030 	return decrypt_se_ip_data(PGP_PTAG_CT_SE_IP_DATA_BODY, region, stream);
3031 }
3032 
3033 /**
3034    \ingroup Core_ReadPackets
3035    \brief Read a MDC packet
3036 */
3037 static int
parse_mdc(pgp_region_t * region,pgp_stream_t * stream)3038 parse_mdc(pgp_region_t *region, pgp_stream_t *stream)
3039 {
3040 	pgp_packet_t pkt;
3041 
3042 	pkt.u.mdc.length = PGP_SHA1_HASH_SIZE;
3043 	if ((pkt.u.mdc.data = calloc(1, PGP_SHA1_HASH_SIZE)) == NULL) {
3044 		(void) fprintf(stderr, "parse_mdc: bad alloc\n");
3045 		return 0;
3046 	}
3047 	if (!limread(pkt.u.mdc.data, PGP_SHA1_HASH_SIZE, region, stream)) {
3048 		return 0;
3049 	}
3050 	CALLBACK(PGP_PTAG_CT_MDC, &stream->cbinfo, &pkt);
3051 	free(pkt.u.mdc.data);
3052 	return 1;
3053 }
3054 
3055 /**
3056  * \ingroup Core_ReadPackets
3057  * \brief Parse one packet.
3058  *
3059  * This function parses the packet tag.  It computes the value of the
3060  * content tag and then calls the appropriate function to handle the
3061  * content.
3062  *
3063  * \param *stream	How to parse
3064  * \param *pktlen	On return, will contain number of bytes in packet
3065  * \return 1 on success, 0 on error, -1 on EOF */
3066 static int
parse_packet(pgp_stream_t * stream,uint32_t * pktlen)3067 parse_packet(pgp_stream_t *stream, uint32_t *pktlen)
3068 {
3069 	pgp_packet_t	pkt;
3070 	pgp_region_t	region;
3071 	uint8_t		ptag;
3072 	unsigned	indeterminate = 0;
3073 	int		ret;
3074 
3075 	pkt.u.ptag.position = stream->readinfo.position;
3076 
3077 	ret = base_read(&ptag, 1, stream);
3078 
3079 	if (pgp_get_debug_level(__FILE__)) {
3080 		(void) fprintf(stderr,
3081 			"parse_packet: base_read returned %d, ptag %d\n",
3082 			ret, ptag);
3083 	}
3084 
3085 	/* errors in the base read are effectively EOF. */
3086 	if (ret <= 0) {
3087 		return -1;
3088 	}
3089 
3090 	*pktlen = 0;
3091 
3092 	if (!(ptag & PGP_PTAG_ALWAYS_SET)) {
3093 		pkt.u.error = "Format error (ptag bit not set)";
3094 		CALLBACK(PGP_PARSER_ERROR, &stream->cbinfo, &pkt);
3095 		return 0;
3096 	}
3097 	pkt.u.ptag.new_format = !!(ptag & PGP_PTAG_NEW_FORMAT);
3098 	if (pkt.u.ptag.new_format) {
3099 		pkt.u.ptag.type = (ptag & PGP_PTAG_NF_CONTENT_TAG_MASK);
3100 		pkt.u.ptag.length_type = 0;
3101 		if (!read_new_length(&pkt.u.ptag.length, stream)) {
3102 			return 0;
3103 		}
3104 	} else {
3105 		unsigned   rb;
3106 
3107 		rb = 0;
3108 		pkt.u.ptag.type = ((unsigned)ptag &
3109 				PGP_PTAG_OF_CONTENT_TAG_MASK)
3110 			>> PGP_PTAG_OF_CONTENT_TAG_SHIFT;
3111 		pkt.u.ptag.length_type = ptag & PGP_PTAG_OF_LENGTH_TYPE_MASK;
3112 		switch (pkt.u.ptag.length_type) {
3113 		case PGP_PTAG_OLD_LEN_1:
3114 			rb = _read_scalar(&pkt.u.ptag.length, 1, stream);
3115 			break;
3116 
3117 		case PGP_PTAG_OLD_LEN_2:
3118 			rb = _read_scalar(&pkt.u.ptag.length, 2, stream);
3119 			break;
3120 
3121 		case PGP_PTAG_OLD_LEN_4:
3122 			rb = _read_scalar(&pkt.u.ptag.length, 4, stream);
3123 			break;
3124 
3125 		case PGP_PTAG_OLD_LEN_INDETERMINATE:
3126 			pkt.u.ptag.length = 0;
3127 			indeterminate = 1;
3128 			rb = 1;
3129 			break;
3130 		}
3131 		if (!rb) {
3132 			return 0;
3133 		}
3134 	}
3135 
3136 	CALLBACK(PGP_PARSER_PTAG, &stream->cbinfo, &pkt);
3137 
3138 	pgp_init_subregion(&region, NULL);
3139 	region.length = pkt.u.ptag.length;
3140 	region.indeterminate = indeterminate;
3141 	if (pgp_get_debug_level(__FILE__)) {
3142 		(void) fprintf(stderr, "parse_packet: type %u\n",
3143 			       pkt.u.ptag.type);
3144 	}
3145 	switch (pkt.u.ptag.type) {
3146 	case PGP_PTAG_CT_SIGNATURE:
3147 		ret = parse_sig(&region, stream);
3148 		break;
3149 
3150 	case PGP_PTAG_CT_PUBLIC_KEY:
3151 	case PGP_PTAG_CT_PUBLIC_SUBKEY:
3152 		ret = parse_pubkey((pgp_content_enum)pkt.u.ptag.type, &region, stream);
3153 		break;
3154 
3155 	case PGP_PTAG_CT_TRUST:
3156 		ret = parse_trust(&region, stream);
3157 		break;
3158 
3159 	case PGP_PTAG_CT_USER_ID:
3160 		ret = parse_userid(&region, stream);
3161 		break;
3162 
3163 	case PGP_PTAG_CT_COMPRESSED:
3164 		ret = parse_compressed(&region, stream);
3165 		break;
3166 
3167 	case PGP_PTAG_CT_1_PASS_SIG:
3168 		ret = parse_one_pass(&region, stream);
3169 		break;
3170 
3171 	case PGP_PTAG_CT_LITDATA:
3172 		ret = parse_litdata(&region, stream);
3173 		break;
3174 
3175 	case PGP_PTAG_CT_USER_ATTR:
3176 		ret = parse_userattr(&region, stream);
3177 		break;
3178 
3179 	case PGP_PTAG_CT_SECRET_KEY:
3180 		ret = parse_seckey(&region, stream);
3181 		break;
3182 
3183 	case PGP_PTAG_CT_SECRET_SUBKEY:
3184 		ret = parse_seckey(&region, stream);
3185 		break;
3186 
3187 	case PGP_PTAG_CT_PK_SESSION_KEY:
3188 		ret = parse_pk_sesskey(&region, stream);
3189 		break;
3190 
3191 	case PGP_PTAG_CT_SE_DATA:
3192 		ret = parse_se_data(&region, stream);
3193 		break;
3194 
3195 	case PGP_PTAG_CT_SE_IP_DATA:
3196 		ret = parse_se_ip_data(&region, stream);
3197 		break;
3198 
3199 	case PGP_PTAG_CT_MDC:
3200 		ret = parse_mdc(&region, stream);
3201 		break;
3202 
3203 	default:
3204 		PGP_ERROR_1(&stream->errors, PGP_E_P_UNKNOWN_TAG,
3205 			    "Unknown content tag 0x%x",
3206 			    pkt.u.ptag.type);
3207 		ret = 0;
3208 	}
3209 
3210 	/* Ensure that the entire packet has been consumed */
3211 
3212 	if (region.length != region.readc && !region.indeterminate) {
3213 		if (!consume_packet(&region, stream, 0)) {
3214 			ret = -1;
3215 		}
3216 	}
3217 
3218 	/* also consume it if there's been an error? */
3219 	/* \todo decide what to do about an error on an */
3220 	/* indeterminate packet */
3221 	if (ret == 0) {
3222 		if (!consume_packet(&region, stream, 0)) {
3223 			ret = -1;
3224 		}
3225 	}
3226 	/* set pktlen */
3227 
3228 	*pktlen = stream->readinfo.alength;
3229 
3230 	/* do callback on entire packet, if desired and there was no error */
3231 
3232 	if (ret > 0 && stream->readinfo.accumulate) {
3233 		pkt.u.packet.length = stream->readinfo.alength;
3234 		pkt.u.packet.raw = stream->readinfo.accumulated;
3235 		stream->readinfo.accumulated = NULL;
3236 		stream->readinfo.asize = 0;
3237 		CALLBACK(PGP_PARSER_PACKET_END, &stream->cbinfo, &pkt);
3238 	}
3239 	stream->readinfo.alength = 0;
3240 
3241 	return (ret < 0) ? -1 : (ret) ? 1 : 0;
3242 }
3243 
3244 /**
3245  * \ingroup Core_ReadPackets
3246  *
3247  * \brief Parse packets from an input stream until EOF or error.
3248  *
3249  * \details Setup the necessary parsing configuration in "stream"
3250  * before calling pgp_parse().
3251  *
3252  * That information includes :
3253  *
3254  * - a "reader" function to be used to get the data to be parsed
3255  *
3256  * - a "callback" function to be called when this library has identified
3257  * a parseable object within the data
3258  *
3259  * - whether the calling function wants the signature subpackets
3260  * returned raw, parsed or not at all.
3261  *
3262  * After returning, stream->errors holds any errors encountered while parsing.
3263  *
3264  * \param stream	Parsing configuration
3265  * \return		1 on success in all packets, 0 on error in any packet
3266  *
3267  * \sa CoreAPI Overview
3268  *
3269  * \sa pgp_print_errors()
3270  *
3271  */
3272 
3273 int
pgp_parse(pgp_stream_t * stream,const int perrors)3274 pgp_parse(pgp_stream_t *stream, const int perrors)
3275 {
3276 	uint32_t   pktlen;
3277 	int             r;
3278 
3279 	do {
3280 		r = parse_packet(stream, &pktlen);
3281 	} while (r != -1);
3282 	if (perrors) {
3283 		pgp_print_errors(stream->errors);
3284 	}
3285 	return (stream->errors == NULL);
3286 }
3287 
3288 /**
3289  * \ingroup Core_ReadPackets
3290  *
3291  * \brief Specifies whether one or more signature
3292  * subpacket types should be returned parsed; or raw; or ignored.
3293  *
3294  * \param	stream	Pointer to previously allocated structure
3295  * \param	tag	Packet tag. PGP_PTAG_SS_ALL for all SS tags; or one individual signature subpacket tag
3296  * \param	type	Parse type
3297  * \todo Make all packet types optional, not just subpackets */
3298 void
pgp_parse_options(pgp_stream_t * stream,pgp_content_enum tag,pgp_parse_type_t type)3299 pgp_parse_options(pgp_stream_t *stream,
3300 		  pgp_content_enum tag,
3301 		  pgp_parse_type_t type)
3302 {
3303 	unsigned	t7;
3304 	unsigned	t8;
3305 
3306 	if (tag == PGP_PTAG_SS_ALL) {
3307 		int             n;
3308 
3309 		for (n = 0; n < 256; ++n) {
3310 			pgp_parse_options(stream,
3311 				PGP_PTAG_SIG_SUBPKT_BASE + n,
3312 				type);
3313 		}
3314 		return;
3315 	}
3316 	if (tag < PGP_PTAG_SIG_SUBPKT_BASE ||
3317 	    tag > PGP_PTAG_SIG_SUBPKT_BASE + NTAGS - 1) {
3318 		(void) fprintf(stderr, "pgp_parse_options: bad tag\n");
3319 		return;
3320 	}
3321 	t8 = (tag - PGP_PTAG_SIG_SUBPKT_BASE) / 8;
3322 	t7 = 1 << ((tag - PGP_PTAG_SIG_SUBPKT_BASE) & 7);
3323 	switch (type) {
3324 	case PGP_PARSE_RAW:
3325 		stream->ss_raw[t8] |= t7;
3326 		stream->ss_parsed[t8] &= ~t7;
3327 		break;
3328 
3329 	case PGP_PARSE_PARSED:
3330 		stream->ss_raw[t8] &= ~t7;
3331 		stream->ss_parsed[t8] |= t7;
3332 		break;
3333 
3334 	case PGP_PARSE_IGNORE:
3335 		stream->ss_raw[t8] &= ~t7;
3336 		stream->ss_parsed[t8] &= ~t7;
3337 		break;
3338 	}
3339 }
3340 
3341 /**
3342 \ingroup Core_ReadPackets
3343 \brief Free pgp_stream_t struct and its contents
3344 */
3345 void
pgp_stream_delete(pgp_stream_t * stream)3346 pgp_stream_delete(pgp_stream_t *stream)
3347 {
3348 	pgp_cbdata_t	*cbinfo;
3349 	pgp_cbdata_t	*next;
3350 
3351 	for (cbinfo = stream->cbinfo.next; cbinfo; cbinfo = next) {
3352 		next = cbinfo->next;
3353 		free(cbinfo);
3354 	}
3355 	if (stream->readinfo.destroyer) {
3356 		stream->readinfo.destroyer(&stream->readinfo);
3357 	}
3358 	pgp_free_errors(stream->errors);
3359 	if (stream->readinfo.accumulated) {
3360 		free(stream->readinfo.accumulated);
3361 	}
3362 	free(stream);
3363 }
3364 
3365 /**
3366 \ingroup Core_ReadPackets
3367 \brief Returns the parse_info's reader_info
3368 \return Pointer to the reader_info inside the parse_info
3369 */
3370 pgp_reader_t *
pgp_readinfo(pgp_stream_t * stream)3371 pgp_readinfo(pgp_stream_t *stream)
3372 {
3373 	return &stream->readinfo;
3374 }
3375 
3376 /**
3377 \ingroup Core_ReadPackets
3378 \brief Sets the parse_info's callback
3379 This is used when adding the first callback in a stack of callbacks.
3380 \sa pgp_callback_push()
3381 */
3382 
3383 void
pgp_set_callback(pgp_stream_t * stream,pgp_cbfunc_t * cb,void * arg)3384 pgp_set_callback(pgp_stream_t *stream, pgp_cbfunc_t *cb, void *arg)
3385 {
3386 	stream->cbinfo.cbfunc = cb;
3387 	stream->cbinfo.arg = arg;
3388 	stream->cbinfo.errors = &stream->errors;
3389 }
3390 
3391 /**
3392 \ingroup Core_ReadPackets
3393 \brief Adds a further callback to a stack of callbacks
3394 \sa pgp_set_callback()
3395 */
3396 void
pgp_callback_push(pgp_stream_t * stream,pgp_cbfunc_t * cb,void * arg)3397 pgp_callback_push(pgp_stream_t *stream, pgp_cbfunc_t *cb, void *arg)
3398 {
3399 	pgp_cbdata_t	*cbinfo;
3400 
3401 	if ((cbinfo = calloc(1, sizeof(*cbinfo))) == NULL) {
3402 		(void) fprintf(stderr, "pgp_callback_push: bad alloc\n");
3403 		return;
3404 	}
3405 	(void) memcpy(cbinfo, &stream->cbinfo, sizeof(*cbinfo));
3406 	cbinfo->io = stream->io;
3407 	stream->cbinfo.next = cbinfo;
3408 	pgp_set_callback(stream, cb, arg);
3409 }
3410 
3411 /**
3412 \ingroup Core_ReadPackets
3413 \brief Returns callback's arg
3414 */
3415 void *
pgp_callback_arg(pgp_cbdata_t * cbinfo)3416 pgp_callback_arg(pgp_cbdata_t *cbinfo)
3417 {
3418 	return cbinfo->arg;
3419 }
3420 
3421 /**
3422 \ingroup Core_ReadPackets
3423 \brief Returns callback's errors
3424 */
3425 void *
pgp_callback_errors(pgp_cbdata_t * cbinfo)3426 pgp_callback_errors(pgp_cbdata_t *cbinfo)
3427 {
3428 	return cbinfo->errors;
3429 }
3430 
3431 /**
3432 \ingroup Core_ReadPackets
3433 \brief Calls the parse_cb_info's callback if present
3434 \return Return value from callback, if present; else PGP_FINISHED
3435 */
3436 pgp_cb_ret_t
pgp_callback(const pgp_packet_t * pkt,pgp_cbdata_t * cbinfo)3437 pgp_callback(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
3438 {
3439 	return (cbinfo->cbfunc) ? cbinfo->cbfunc(pkt, cbinfo) : PGP_FINISHED;
3440 }
3441 
3442 /**
3443 \ingroup Core_ReadPackets
3444 \brief Calls the next callback  in the stack
3445 \return Return value from callback
3446 */
3447 pgp_cb_ret_t
pgp_stacked_callback(const pgp_packet_t * pkt,pgp_cbdata_t * cbinfo)3448 pgp_stacked_callback(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
3449 {
3450 	return pgp_callback(pkt, cbinfo->next);
3451 }
3452 
3453 /**
3454 \ingroup Core_ReadPackets
3455 \brief Returns the parse_info's errors
3456 \return parse_info's errors
3457 */
3458 pgp_error_t    *
pgp_stream_get_errors(pgp_stream_t * stream)3459 pgp_stream_get_errors(pgp_stream_t *stream)
3460 {
3461 	return stream->errors;
3462 }
3463 
3464 pgp_crypt_t    *
pgp_get_decrypt(pgp_stream_t * stream)3465 pgp_get_decrypt(pgp_stream_t *stream)
3466 {
3467 	return (stream->decrypt.alg) ? &stream->decrypt : NULL;
3468 }
3469