1 /****************************************************************************
2 *																			*
3 *							PGP Definitions Header File						*
4 *						Copyright Peter Gutmann 1996-2013					*
5 *																			*
6 ****************************************************************************/
7 
8 #ifndef _PGP_DEFINED
9 
10 #define _PGP_DEFINED
11 
12 #ifndef _STREAM_DEFINED
13   #if defined( INC_ALL )
14 	#include "stream.h"
15   #else
16 	#include "io/stream.h"
17   #endif /* Compiler-specific includes */
18 #endif /* _STREAM_DEFINED */
19 
20 /* PGP packet types, encoded into the CTB */
21 
22 typedef enum {
23 	PGP_PACKET_NONE,			/* No packet type */
24 	PGP_PACKET_PKE,				/* PKC-encrypted session key */
25 	PGP_PACKET_SIGNATURE,		/* Signature */
26 	PGP_PACKET_SKE,				/* Secret-key-encrypted session key */
27 	PGP_PACKET_SIGNATURE_ONEPASS,/* One-pass signature */
28 	PGP_PACKET_SECKEY,			/* Secret key */
29 	PGP_PACKET_PUBKEY,			/* Public key */
30 	PGP_PACKET_SECKEY_SUB,		/* Secret key subkey */
31 	PGP_PACKET_COPR,			/* Compressed data */
32 	PGP_PACKET_ENCR,			/* Encrypted data */
33 	PGP_PACKET_MARKER,			/* Obsolete marker packet */
34 	PGP_PACKET_DATA,			/* Raw data */
35 	PGP_PACKET_TRUST,			/* Trust information */
36 	PGP_PACKET_USERID,			/* Userid */
37 	PGP_PACKET_PUBKEY_SUB,		/* Public key subkey */
38 	PGP_PACKET_DUMMY1, PGP_PACKET_DUMMY2,	/* 15, 16 unused */
39 	PGP_PACKET_USERATTR,		/* User attributes */
40 	PGP_PACKET_ENCR_MDC,		/* Encrypted data with MDC */
41 	PGP_PACKET_MDC,				/* MDC */
42 	PGP_PACKET_LAST				/* Last possible PGP packet type */
43 	} PGP_PACKET_TYPE;
44 
45 /* PGP signature subpacket types */
46 
47 typedef enum {
48 	PGP_SUBPACKET_RESERVED_0,	/* Reserved */
49 	PGP_SUBPACKET_RESERVED_1,	/* Reserved */
50 	PGP_SUBPACKET_TIME,			/* Signing time */
51 	PGP_SUBPACKET_EXPIRY_TIME,	/* Signature expiry time */
52 	PGP_SUBPACKET_EXP_CERT,		/* Exportable certification */
53 	PGP_SUBPACKET_TRUST_SIG,	/* Trust signature */
54 	PGP_SUBPACKET_REGEX,		/* Regular expression */
55 	PGP_SUBPACKET_REVOCABLE,	/* Revocable */
56 	PGP_SUBPACKET_RESERVED_8,	/* Reserved */
57 	PGP_SUBPACKET_KEY_EXP,		/* Key expiration time */
58 	PGP_SUBPACKET_PLACEHOLDER,	/* Placeholder */
59 	PGP_SUBPACKET_PREF_SYM,		/* Preferred symmetric algorithms */
60 	PGP_SUBPACKET_REV_KEY,		/* Revocation key  */
61 	PGP_SUBPACKET_RESERVED_13,	/* Reserved */
62 	PGP_SUBPACKET_RESERVED_14,	/* Reserved */
63 	PGP_SUBPACKET_RESERVED_15,	/* Reserved */
64 	PGP_SUBPACKET_KEYID,		/* Issuer key ID */
65 	PGP_SUBPACKET_RESERVED_17,	/* Reserved */
66 	PGP_SUBPACKET_RESERVED_18,	/* Reserved */
67 	PGP_SUBPACKET_RESERVED_19,	/* Reserved */
68 	PGP_SUBPACKET_TYPEANDVALUE,	/* Type-and-value pairs */
69 	PGP_SUBPACKET_PREF_HASH,	/* Preferred hash algorithms */
70 	PGP_SUBPACKET_PREF_COPR,	/* Preferred compression algorithms */
71 	PGP_SUBPACKET_KEYSVR_PREF,	/* Key server preferences */
72 	PGP_SUBPACKET_PREF_KEY_SVR,	/* Preferred key server */
73 	PGP_SUBPACKET_PRIMARY_USERID, /* Primary userID */
74 	PGP_SUBPACKET_POLICY_URI,	/* Policy URI */
75 	PGP_SUBPACKET_KEY_FLAGS,	/* Key flags */
76 	PGP_SUBPACKET_SIGNER_USERID, /* Signer's userID  */
77 	PGP_SUBPACKET_REV_REASON,	/* Reason for revocation */
78 	PGP_SUBPACKET_FEATURES,		/* Features */
79 	PGP_SUBPACKET_SIG_TARGET,	/* Signature target */
80 	PGP_SUBPACKET_EMBED_SIGNATURE, /* Embedded signature */
81 	PGP_SUBPACKET_LAST			/* Last valid subpacket type */
82 	} PGP_SUBPACKET_TYPE;
83 
84 /* A special-case packet type that denotes a signature that follows on from
85    a one-pass signature packet.  When generating a signature of this type PGP
86    splits the information in the normal signature packet across the one-pass
87    signature packet and the signature packet itself, so we have to read the
88    data on two parts, with half the information in the one-pass packet and
89    the other half in the signature packet */
90 
91 #define PGP_PACKET_SIGNATURE_SPECIAL	1000
92 
93 /* The PGP packet format (via the CTB) is:
94 
95 	+---------------+
96 	|7 6 5 4 3 2 1 0|
97 	+---------------+
98 
99 	Bit 7: Always one
100 	Bit 6: OpenPGP (new) format if set
101 
102 		PGP 2.x:						OpenPGP:
103 	Bits 5-2: Packet type		Bits 5-0: Packet type
104 	Bits 1-0: Length type
105 
106    All CTBs have the MSB set, and OpenPGP CTBs have the next-to-MSB set.  We
107    also have a special-case CTB that's used for indefinite-length compressed
108    data */
109 
110 #define PGP_CTB				0x80	/* PGP 2.x CTB template */
111 #define PGP_CTB_OPENPGP		0xC0	/* OpenPGP CTB template */
112 #define PGP_CTB_COMPRESSED	0xA3	/* Compressed indef-length data */
113 
114 /* Macros to extract packet information from the CTB */
115 
116 #define pgpIsCTB( ctb )				( ( ctb ) & PGP_CTB )
117 #define pgpGetPacketVersion( ctb ) \
118 		( ( ( ( ctb ) & PGP_CTB_OPENPGP ) == PGP_CTB_OPENPGP ) ? \
119 		  PGP_VERSION_OPENPGP : PGP_VERSION_2 )
120 #define pgpGetPacketType( ctb ) \
121 		( ( ( ( ctb ) & PGP_CTB_OPENPGP ) == PGP_CTB_OPENPGP ) ? \
122 			( ( ctb ) & 0x3F ) : ( ( ( ctb ) >> 2 ) & 0x0F ) )
123 #define pgpIsReservedPacket( type )	( ( type ) >= 60 && ( type ) <= 63 )
124 
125 /* Version information */
126 
127 #define PGP_VERSION_2		2		/* Version number byte for PGP 2.0 */
128 #define PGP_VERSION_3		3		/* Version number byte for legal-kludged PGP 2.0 */
129 #define PGP_VERSION_OPENPGP	4		/* Version number for OpenPGP */
130 
131 /* Public-key algorithms */
132 
133 #define PGP_ALGO_RSA		1		/* RSA */
134 #define PGP_ALGO_RSA_ENCRYPT 2		/* RSA encrypt-only */
135 #define PGP_ALGO_RSA_SIGN	3		/* RSA sign-only */
136 #define PGP_ALGO_ELGAMAL	16		/* ElGamal */
137 #define PGP_ALGO_DSA		17		/* DSA */
138 #define PGP_ALGO_ECDH		18		/* RFC 4880: Rsvd.for "ECC", RFC 6637: ECDH */
139 #define PGP_ALGO_ECDSA		19		/* RFC 4880: Rsvd.for ECDSA, RFC 6637: ECDSA */
140 #define PGP_ALGO_PKC_RES1	20		/* Reserved, formerly Elgamal sign */
141 #define PGP_ALGO_PKC_RES2	21		/* Reserved for "X9.42" */
142 
143 /* Conventional encryption algorithms */
144 
145 #define PGP_ALGO_NONE		0		/* No CKE algorithm */
146 #define PGP_ALGO_IDEA		1		/* IDEA */
147 #define PGP_ALGO_3DES		2		/* Triple DES */
148 #define PGP_ALGO_CAST5		3		/* CAST-128 */
149 #define PGP_ALGO_BLOWFISH	4		/* Blowfish */
150 #define PGP_ALGO_ENC_RES1	5		/* Reserved, formerly Safer-SK */
151 #define PGP_ALGO_ENC_RES2	6		/* Reserved */
152 #define PGP_ALGO_AES_128	7		/* AES with 128-bit key */
153 #define PGP_ALGO_AES_192	8		/* AES with 192-bit key */
154 #define PGP_ALGO_AES_256	9		/* AES with 256-bit key */
155 #define PGP_ALGO_TWOFISH	10		/* Twofish */
156 
157 /* Hash algorithms */
158 
159 #define PGP_ALGO_MD5		1		/* MD5 */
160 #define PGP_ALGO_SHA		2		/* SHA-1 */
161 #define PGP_ALGO_RIPEMD160	3		/* RIPEMD-160 */
162 #define PGP_ALGO_HASH_RES1	4		/* Reserved */
163 #define PGP_ALGO_HASH_RES2	5		/* Reserved, formerly MD2 */
164 #define PGP_ALGO_HASH_RES3	6		/* Reserved, formerly Tiger/192 */
165 #define PGP_ALGO_HASH_RES4	7		/* Reserved, formerly Haval */
166 #define PGP_ALGO_SHA2_256	8		/* SHA-2 256bit */
167 #define PGP_ALGO_SHA2_384	9		/* SHA-2 384bit */
168 #define PGP_ALGO_SHA2_512	10		/* SHA-2 512bit */
169 #define PGP_ALGO_SHA2_224	11		/* SHA-2 224bit */
170 #define PGP_ALGO_SHAng		99		/* Future SHA-nextgen standard */
171 
172 /* Compression algorithms */
173 
174 #define PGP_ALGO_ZIP		1		/* ZIP compression */
175 #define PGP_ALGO_ZLIB		2		/* zlib compression */
176 #define PGP_ALGO_BZIP2		3		/* Bzip2 compression */
177 
178 /* Highest possible algorithm value used by cryptlib, for range checking */
179 
180 #define PGP_ALGO_LAST		PGP_ALGO_ECDSA
181 
182 /* S2K specifier */
183 
184 #define PGP_S2K				0xFF	/* Standard S2K */
185 #define PGP_S2K_HASHED		0xFE	/* S2K with hashed key */
186 
187 /* Signature types */
188 
189 #define PGP_SIG_NONE		0x00	/* Same as PGP_SIG_DATA, for range chk.*/
190 #define PGP_SIG_DATA		0x00	/* Binary data */
191 #define PGP_SIG_TEXT		0x01	/* Canonicalised text data */
192 #define PGP_SIG_STANDALONE	0x02	/* Unknown purpose, from RFC 4880 */
193 #define	PGP_SIG_CERT0		0x10	/* Key certificate, unknown assurance */
194 #define	PGP_SIG_CERT1		0x11	/* Key certificate, no assurance */
195 #define	PGP_SIG_CERT2		0x12	/* Key certificate, casual assurance */
196 #define	PGP_SIG_CERT3		0x13	/* Key certificate, strong assurance */
197 #define PGP_SIG_SUBKEY		0x18	/* Subkey binding signature */
198 #define PGP_SIG_PRIMKEY		0x19	/* Primary key binding signature */
199 #define PGP_SIG_DIRECTKEY	0x1F	/* Key self-signature */
200 #define PGP_SIG_KEYREV		0x20	/* Key revocation */
201 #define PGP_SIG_SUBKEYREV	0x28	/* Subkey revocation */
202 #define PGP_SIG_CRL			0x30	/* Certificate revocation */
203 #define	PGP_SIG_TS			0x40	/* Timestamp signature */
204 #define	PGP_SIG_COUNTERSIG	0x50	/* Third-party countersignature */
205 #define PGP_SIG_LAST		0x51	/* Last possible signature type */
206 
207 /* The size of the PGP version ID and algorithm ID */
208 
209 #define PGP_VERSION_SIZE	1
210 #define PGP_ALGOID_SIZE		1
211 
212 /* The maximum size of a PGP user ID.  Note that this is larger than the
213    cryptlib-wide maximum user ID size */
214 
215 #define PGP_MAX_USERIDSIZE	256
216 
217 /* The size of the salt used for password hashing and the number of
218    setup "iterations".  This isn't a true iteration count but the number of
219    salt+password bytes hashed, and in fact it isn't even that but the
220    actual count scaled by dividing it by 64, which is how PGP encodes the
221    count in the data packet */
222 
223 #define PGP_SALTSIZE		8
224 #define PGP_ITERATIONS		1024
225 
226 /* Various PGP packet header sizes, used to estimate how much data we still
227    need to process */
228 
229 #define PGP_MIN_HEADER_SIZE	2		/* CTB + length */
230 #define PGP_MAX_HEADER_SIZE	6		/* CTB + 0xFF + 4-byte length */
231 #define PGP_DATA_HEADER		"b\x00\x00\x00\x00\x00"
232 #define PGP_DATA_HEADER_SIZE ( 1 + 1 + 4 )
233 #define PGP_MDC_PACKET_SIZE	( 1 + 1 + 20 )	/* Size of MDC packet */
234 
235 /* Since PGP only provides a subset of cryptlib's algorithm types and uses
236    different identifiers, we have to both check that there's a mapping
237    possible and map from one to the other.  When going from PGP -> cryptlib
238    we specify both the algorithm ID and the algorithm class we expect to
239    find it in to allow type checking */
240 
241 typedef enum {
242 	PGP_ALGOCLASS_NONE,		/* No algorithm class */
243 	PGP_ALGOCLASS_CRYPT,	/* Conventional encryption algorithms */
244 	PGP_ALGOCLASS_PWCRYPT,	/* Password-based encryption algorithms */
245 	PGP_ALGOCLASS_PKCCRYPT,	/* PKC algorithms */
246 	PGP_ALGOCLASS_SIGN,		/* Signature algorithms */
247 	PGP_ALGOCLASS_HASH,		/* Hash algorithms */
248 	PGP_ALGOCLASS_LAST		/* Last possible algorithm class */
249 	} PGP_ALGOCLASS_TYPE;
250 
251 CHECK_RETVAL STDC_NONNULL_ARG( ( 3 ) ) \
252 int pgpToCryptlibAlgo( IN_RANGE( PGP_ALGO_NONE, 0xFF ) const int pgpAlgo,
253 					   IN_ENUM( PGP_ALGOCLASS ) \
254 							const PGP_ALGOCLASS_TYPE pgpAlgoClass,
255 					   OUT_ALGO_Z CRYPT_ALGO_TYPE *cryptAlgo,
256 					   OUT_OPT_INT_Z int *cryptAlgoParam );
257 CHECK_RETVAL STDC_NONNULL_ARG( ( 2 ) ) \
258 int cryptlibToPgpAlgo( IN_ALGO const CRYPT_ALGO_TYPE cryptlibAlgo,
259 					   OUT_RANGE( PGP_ALGO_NONE, PGP_ALGO_LAST ) \
260 							int *pgpAlgo );
261 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
262 int readPgpAlgo( INOUT STREAM *stream,
263 				 OUT_ALGO_Z CRYPT_ALGO_TYPE *cryptAlgo,
264 				 OUT_OPT_INT_Z int *cryptAlgoParam,
265 				 IN_ENUM( PGP_ALGOCLASS ) \
266 						const PGP_ALGOCLASS_TYPE pgpAlgoClass );
267 
268 /* Prototypes for functions in pgp_misc.c */
269 
270 CHECK_RETVAL STDC_NONNULL_ARG( ( 3 ) ) \
271 int pgpPasswordToKey( IN_HANDLE const CRYPT_CONTEXT iCryptContext,
272 					  IN_LENGTH_SHORT_OPT const int optKeyLength,
273 					  IN_BUFFER( passwordLength ) const char *password,
274 					  IN_DATALENGTH const int passwordLength,
275 					  IN_ALGO const CRYPT_ALGO_TYPE hashAlgo,
276 					  IN_BUFFER_OPT( saltSize ) const BYTE *salt,
277 					  IN_RANGE( 0, CRYPT_MAX_HASHSIZE ) const int saltSize,
278 					  IN_INT const int iterations );
279 CHECK_RETVAL STDC_NONNULL_ARG( ( 2 ) ) \
280 int pgpProcessIV( IN_HANDLE const CRYPT_CONTEXT iCryptContext,
281 				  INOUT_BUFFER_FIXED( ivInfoSize ) BYTE *ivInfo,
282 				  IN_RANGE( 8 + 2, CRYPT_MAX_IVSIZE + 2 ) \
283 						const int ivInfoSize,
284 				  IN_LENGTH_IV const int ivDataSize,
285 				  IN_HANDLE_OPT const CRYPT_CONTEXT iMdcContext,
286 				  const BOOLEAN isEncrypt );
287 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 4, 6 ) ) \
288 int readPgpS2K( INOUT STREAM *stream,
289 				OUT_ALGO_Z CRYPT_ALGO_TYPE *hashAlgo,
290 				OUT_INT_Z int *hashAlgoParam,
291 				OUT_BUFFER( saltMaxLen, *saltLen ) BYTE *salt,
292 				IN_LENGTH_SHORT_MIN( PGP_SALTSIZE ) const int saltMaxLen,
293 				OUT_LENGTH_BOUNDED_Z( saltMaxLen ) int *saltLen,
294 				OUT_INT_SHORT_Z int *iterations );
295 
296 #endif /* _PGP_DEFINED */
297