1 /*-
2 * Copyright (c) 2009 The NetBSD Foundation, Inc.
3 * All rights reserved.
4 *
5 * This code is derived from software contributed to The NetBSD Foundation
6 * by Alistair Crooks (agc@NetBSD.org)
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29 /*
30 * Copyright (c) 2005-2008 Nominet UK (www.nic.uk)
31 * All rights reserved.
32 * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted
33 * their moral rights under the UK Copyright Design and Patents Act 1988 to
34 * be recorded as the authors of this copyright work.
35 *
36 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
37 * use this file except in compliance with the License.
38 *
39 * You may obtain a copy of the License at
40 * http://www.apache.org/licenses/LICENSE-2.0
41 *
42 * Unless required by applicable law or agreed to in writing, software
43 * distributed under the License is distributed on an "AS IS" BASIS,
44 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
45 *
46 * See the License for the specific language governing permissions and
47 * limitations under the License.
48 */
49
50 /** \file
51 */
52 #include "config.h"
53
54 #ifdef HAVE_SYS_CDEFS_H
55 #include <sys/cdefs.h>
56 #endif
57
58 #if defined(__NetBSD__)
59 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved.");
60 __RCSID("$NetBSD: openssl_crypto.c,v 1.33 2010/11/07 08:39:59 agc Exp $");
61 #endif
62
63 #ifdef HAVE_OPENSSL_DSA_H
64 #include <openssl/dsa.h>
65 #endif
66
67 #ifdef HAVE_OPENSSL_RSA_H
68 #include <openssl/rsa.h>
69 #endif
70
71 #ifdef HAVE_OPENSSL_ERR_H
72 #include <openssl/err.h>
73 #endif
74
75 #include <openssl/pem.h>
76 #include <openssl/evp.h>
77
78 #include <stdlib.h>
79 #include <string.h>
80
81 #ifdef HAVE_UNISTD_H
82 #include <unistd.h>
83 #endif
84
85 #include "crypto.h"
86 #include "keyring.h"
87 #include "readerwriter.h"
88 #include "netpgpdefs.h"
89 #include "netpgpdigest.h"
90 #include "packet.h"
91
92
93 static void
test_seckey(const pgp_seckey_t * seckey)94 test_seckey(const pgp_seckey_t *seckey)
95 {
96 RSA *test = RSA_new();
97
98 test->n = BN_dup(seckey->pubkey.key.rsa.n);
99 test->e = BN_dup(seckey->pubkey.key.rsa.e);
100
101 test->d = BN_dup(seckey->key.rsa.d);
102 test->p = BN_dup(seckey->key.rsa.p);
103 test->q = BN_dup(seckey->key.rsa.q);
104
105 if (RSA_check_key(test) != 1) {
106 (void) fprintf(stderr,
107 "test_seckey: RSA_check_key failed\n");
108 }
109 RSA_free(test);
110 }
111
112 static int
md5_init(pgp_hash_t * hash)113 md5_init(pgp_hash_t *hash)
114 {
115 if (hash->data) {
116 (void) fprintf(stderr, "md5_init: hash data non-null\n");
117 }
118 if ((hash->data = calloc(1, sizeof(MD5_CTX))) == NULL) {
119 (void) fprintf(stderr, "md5_init: bad alloc\n");
120 return 0;
121 }
122 MD5_Init(hash->data);
123 return 1;
124 }
125
126 static void
md5_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)127 md5_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
128 {
129 MD5_Update(hash->data, data, length);
130 }
131
132 static unsigned
md5_finish(pgp_hash_t * hash,uint8_t * out)133 md5_finish(pgp_hash_t *hash, uint8_t *out)
134 {
135 MD5_Final(out, hash->data);
136 free(hash->data);
137 hash->data = NULL;
138 return 16;
139 }
140
141 static const pgp_hash_t md5 = {
142 PGP_HASH_MD5,
143 MD5_DIGEST_LENGTH,
144 "MD5",
145 md5_init,
146 md5_add,
147 md5_finish,
148 NULL
149 };
150
151 /**
152 \ingroup Core_Crypto
153 \brief Initialise to MD5
154 \param hash Hash to initialise
155 */
156 void
pgp_hash_md5(pgp_hash_t * hash)157 pgp_hash_md5(pgp_hash_t *hash)
158 {
159 *hash = md5;
160 }
161
162 static int
sha1_init(pgp_hash_t * hash)163 sha1_init(pgp_hash_t *hash)
164 {
165 if (hash->data) {
166 (void) fprintf(stderr, "sha1_init: hash data non-null\n");
167 }
168 if ((hash->data = calloc(1, sizeof(SHA_CTX))) == NULL) {
169 (void) fprintf(stderr, "sha1_init: bad alloc\n");
170 return 0;
171 }
172 SHA1_Init(hash->data);
173 return 1;
174 }
175
176 static void
sha1_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)177 sha1_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
178 {
179 if (pgp_get_debug_level(__FILE__)) {
180 hexdump(stderr, "sha1_add", data, length);
181 }
182 SHA1_Update(hash->data, data, length);
183 }
184
185 static unsigned
sha1_finish(pgp_hash_t * hash,uint8_t * out)186 sha1_finish(pgp_hash_t *hash, uint8_t *out)
187 {
188 SHA1_Final(out, hash->data);
189 if (pgp_get_debug_level(__FILE__)) {
190 hexdump(stderr, "sha1_finish", out, PGP_SHA1_HASH_SIZE);
191 }
192 free(hash->data);
193 hash->data = NULL;
194 return PGP_SHA1_HASH_SIZE;
195 }
196
197 static const pgp_hash_t sha1 = {
198 PGP_HASH_SHA1,
199 PGP_SHA1_HASH_SIZE,
200 "SHA1",
201 sha1_init,
202 sha1_add,
203 sha1_finish,
204 NULL
205 };
206
207 /**
208 \ingroup Core_Crypto
209 \brief Initialise to SHA1
210 \param hash Hash to initialise
211 */
212 void
pgp_hash_sha1(pgp_hash_t * hash)213 pgp_hash_sha1(pgp_hash_t *hash)
214 {
215 *hash = sha1;
216 }
217
218 static int
sha256_init(pgp_hash_t * hash)219 sha256_init(pgp_hash_t *hash)
220 {
221 if (hash->data) {
222 (void) fprintf(stderr, "sha256_init: hash data non-null\n");
223 }
224 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) {
225 (void) fprintf(stderr, "sha256_init: bad alloc\n");
226 return 0;
227 }
228 SHA256_Init(hash->data);
229 return 1;
230 }
231
232 static void
sha256_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)233 sha256_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
234 {
235 if (pgp_get_debug_level(__FILE__)) {
236 hexdump(stderr, "sha256_add", data, length);
237 }
238 SHA256_Update(hash->data, data, length);
239 }
240
241 static unsigned
sha256_finish(pgp_hash_t * hash,uint8_t * out)242 sha256_finish(pgp_hash_t *hash, uint8_t *out)
243 {
244 SHA256_Final(out, hash->data);
245 if (pgp_get_debug_level(__FILE__)) {
246 hexdump(stderr, "sha1_finish", out, SHA256_DIGEST_LENGTH);
247 }
248 free(hash->data);
249 hash->data = NULL;
250 return SHA256_DIGEST_LENGTH;
251 }
252
253 static const pgp_hash_t sha256 = {
254 PGP_HASH_SHA256,
255 SHA256_DIGEST_LENGTH,
256 "SHA256",
257 sha256_init,
258 sha256_add,
259 sha256_finish,
260 NULL
261 };
262
263 void
pgp_hash_sha256(pgp_hash_t * hash)264 pgp_hash_sha256(pgp_hash_t *hash)
265 {
266 *hash = sha256;
267 }
268
269 /*
270 * SHA384
271 */
272 static int
sha384_init(pgp_hash_t * hash)273 sha384_init(pgp_hash_t *hash)
274 {
275 if (hash->data) {
276 (void) fprintf(stderr, "sha384_init: hash data non-null\n");
277 }
278 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) {
279 (void) fprintf(stderr, "sha384_init: bad alloc\n");
280 return 0;
281 }
282 SHA384_Init(hash->data);
283 return 1;
284 }
285
286 static void
sha384_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)287 sha384_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
288 {
289 if (pgp_get_debug_level(__FILE__)) {
290 hexdump(stderr, "sha384_add", data, length);
291 }
292 SHA384_Update(hash->data, data, length);
293 }
294
295 static unsigned
sha384_finish(pgp_hash_t * hash,uint8_t * out)296 sha384_finish(pgp_hash_t *hash, uint8_t *out)
297 {
298 SHA384_Final(out, hash->data);
299 if (pgp_get_debug_level(__FILE__)) {
300 hexdump(stderr, "sha384_finish", out, SHA384_DIGEST_LENGTH);
301 }
302 free(hash->data);
303 hash->data = NULL;
304 return SHA384_DIGEST_LENGTH;
305 }
306
307 static const pgp_hash_t sha384 = {
308 PGP_HASH_SHA384,
309 SHA384_DIGEST_LENGTH,
310 "SHA384",
311 sha384_init,
312 sha384_add,
313 sha384_finish,
314 NULL
315 };
316
317 void
pgp_hash_sha384(pgp_hash_t * hash)318 pgp_hash_sha384(pgp_hash_t *hash)
319 {
320 *hash = sha384;
321 }
322
323 /*
324 * SHA512
325 */
326 static int
sha512_init(pgp_hash_t * hash)327 sha512_init(pgp_hash_t *hash)
328 {
329 if (hash->data) {
330 (void) fprintf(stderr, "sha512_init: hash data non-null\n");
331 }
332 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) {
333 (void) fprintf(stderr, "sha512_init: bad alloc\n");
334 return 0;
335 }
336 SHA512_Init(hash->data);
337 return 1;
338 }
339
340 static void
sha512_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)341 sha512_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
342 {
343 if (pgp_get_debug_level(__FILE__)) {
344 hexdump(stderr, "sha512_add", data, length);
345 }
346 SHA512_Update(hash->data, data, length);
347 }
348
349 static unsigned
sha512_finish(pgp_hash_t * hash,uint8_t * out)350 sha512_finish(pgp_hash_t *hash, uint8_t *out)
351 {
352 SHA512_Final(out, hash->data);
353 if (pgp_get_debug_level(__FILE__)) {
354 hexdump(stderr, "sha512_finish", out, SHA512_DIGEST_LENGTH);
355 }
356 free(hash->data);
357 hash->data = NULL;
358 return SHA512_DIGEST_LENGTH;
359 }
360
361 static const pgp_hash_t sha512 = {
362 PGP_HASH_SHA512,
363 SHA512_DIGEST_LENGTH,
364 "SHA512",
365 sha512_init,
366 sha512_add,
367 sha512_finish,
368 NULL
369 };
370
371 void
pgp_hash_sha512(pgp_hash_t * hash)372 pgp_hash_sha512(pgp_hash_t *hash)
373 {
374 *hash = sha512;
375 }
376
377 /*
378 * SHA224
379 */
380
381 static int
sha224_init(pgp_hash_t * hash)382 sha224_init(pgp_hash_t *hash)
383 {
384 if (hash->data) {
385 (void) fprintf(stderr, "sha224_init: hash data non-null\n");
386 }
387 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) {
388 (void) fprintf(stderr, "sha256_init: bad alloc\n");
389 return 0;
390 }
391 SHA224_Init(hash->data);
392 return 1;
393 }
394
395 static void
sha224_add(pgp_hash_t * hash,const uint8_t * data,unsigned length)396 sha224_add(pgp_hash_t *hash, const uint8_t *data, unsigned length)
397 {
398 if (pgp_get_debug_level(__FILE__)) {
399 hexdump(stderr, "sha224_add", data, length);
400 }
401 SHA224_Update(hash->data, data, length);
402 }
403
404 static unsigned
sha224_finish(pgp_hash_t * hash,uint8_t * out)405 sha224_finish(pgp_hash_t *hash, uint8_t *out)
406 {
407 SHA224_Final(out, hash->data);
408 if (pgp_get_debug_level(__FILE__)) {
409 hexdump(stderr, "sha224_finish", out, SHA224_DIGEST_LENGTH);
410 }
411 free(hash->data);
412 hash->data = NULL;
413 return SHA224_DIGEST_LENGTH;
414 }
415
416 static const pgp_hash_t sha224 = {
417 PGP_HASH_SHA224,
418 SHA224_DIGEST_LENGTH,
419 "SHA224",
420 sha224_init,
421 sha224_add,
422 sha224_finish,
423 NULL
424 };
425
426 void
pgp_hash_sha224(pgp_hash_t * hash)427 pgp_hash_sha224(pgp_hash_t *hash)
428 {
429 *hash = sha224;
430 }
431
432 unsigned
pgp_dsa_verify(const uint8_t * hash,size_t hash_length,const pgp_dsa_sig_t * sig,const pgp_dsa_pubkey_t * dsa)433 pgp_dsa_verify(const uint8_t *hash, size_t hash_length,
434 const pgp_dsa_sig_t *sig,
435 const pgp_dsa_pubkey_t *dsa)
436 {
437 unsigned qlen;
438 DSA_SIG *osig;
439 DSA *odsa;
440 int ret;
441
442 osig = DSA_SIG_new();
443 osig->r = sig->r;
444 osig->s = sig->s;
445
446 odsa = DSA_new();
447 odsa->p = dsa->p;
448 odsa->q = dsa->q;
449 odsa->g = dsa->g;
450 odsa->pub_key = dsa->y;
451
452 if (pgp_get_debug_level(__FILE__)) {
453 hexdump(stderr, "input hash", hash, hash_length);
454 (void) fprintf(stderr, "Q=%d\n", BN_num_bytes(odsa->q));
455 }
456 if ((qlen = (unsigned)BN_num_bytes(odsa->q)) < hash_length) {
457 hash_length = qlen;
458 }
459 ret = DSA_do_verify(hash, (int)hash_length, osig, odsa);
460 if (pgp_get_debug_level(__FILE__)) {
461 (void) fprintf(stderr, "ret=%d\n", ret);
462 }
463 if (ret < 0) {
464 (void) fprintf(stderr, "pgp_dsa_verify: DSA verification\n");
465 return 0;
466 }
467
468 odsa->p = odsa->q = odsa->g = odsa->pub_key = NULL;
469 DSA_free(odsa);
470
471 osig->r = osig->s = NULL;
472 DSA_SIG_free(osig);
473
474 return (unsigned)ret;
475 }
476
477 /**
478 \ingroup Core_Crypto
479 \brief Recovers message digest from the signature
480 \param out Where to write decrypted data to
481 \param in Encrypted data
482 \param length Length of encrypted data
483 \param pubkey RSA public key
484 \return size of recovered message digest
485 */
486 int
pgp_rsa_public_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_pubkey_t * pubkey)487 pgp_rsa_public_decrypt(uint8_t *out,
488 const uint8_t *in,
489 size_t length,
490 const pgp_rsa_pubkey_t *pubkey)
491 {
492 RSA *orsa;
493 int n;
494
495 orsa = RSA_new();
496 orsa->n = pubkey->n;
497 orsa->e = pubkey->e;
498
499 n = RSA_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING);
500
501 orsa->n = orsa->e = NULL;
502 RSA_free(orsa);
503
504 return n;
505 }
506
507 /**
508 \ingroup Core_Crypto
509 \brief Signs data with RSA
510 \param out Where to write signature
511 \param in Data to sign
512 \param length Length of data
513 \param seckey RSA secret key
514 \param pubkey RSA public key
515 \return number of bytes decrypted
516 */
517 int
pgp_rsa_private_encrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_seckey_t * seckey,const pgp_rsa_pubkey_t * pubkey)518 pgp_rsa_private_encrypt(uint8_t *out,
519 const uint8_t *in,
520 size_t length,
521 const pgp_rsa_seckey_t *seckey,
522 const pgp_rsa_pubkey_t *pubkey)
523 {
524 RSA *orsa;
525 int n;
526
527 orsa = RSA_new();
528 orsa->n = BN_dup(pubkey->n);
529 orsa->d = seckey->d;
530 orsa->p = seckey->q; /* p and q are round the other way in openssl */
531 orsa->q = seckey->p;
532
533 /* debug */
534 orsa->e = BN_dup(pubkey->e);
535 /* If this isn't set, it's very likely that the programmer hasn't */
536 /* decrypted the secret key. RSA_check_key segfaults in that case. */
537 /* Use pgp_decrypt_seckey() to do that. */
538 if (orsa->d == NULL) {
539 (void) fprintf(stderr, "orsa is not set\n");
540 return 0;
541 }
542 if (RSA_check_key(orsa) != 1) {
543 (void) fprintf(stderr, "RSA_check_key is not set\n");
544 return 0;
545 }
546 /* end debug */
547
548 n = RSA_private_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
549
550 orsa->n = orsa->d = orsa->p = orsa->q = NULL;
551 RSA_free(orsa);
552
553 return n;
554 }
555
556 /**
557 \ingroup Core_Crypto
558 \brief Decrypts RSA-encrypted data
559 \param out Where to write the plaintext
560 \param in Encrypted data
561 \param length Length of encrypted data
562 \param seckey RSA secret key
563 \param pubkey RSA public key
564 \return size of recovered plaintext
565 */
566 int
pgp_rsa_private_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_seckey_t * seckey,const pgp_rsa_pubkey_t * pubkey)567 pgp_rsa_private_decrypt(uint8_t *out,
568 const uint8_t *in,
569 size_t length,
570 const pgp_rsa_seckey_t *seckey,
571 const pgp_rsa_pubkey_t *pubkey)
572 {
573 RSA *keypair;
574 int n;
575 char errbuf[1024];
576
577 keypair = RSA_new();
578 keypair->n = pubkey->n; /* XXX: do we need n? */
579 keypair->d = seckey->d;
580 keypair->p = seckey->q;
581 keypair->q = seckey->p;
582
583 /* debug */
584 keypair->e = pubkey->e;
585 if (RSA_check_key(keypair) != 1) {
586 (void) fprintf(stderr, "RSA_check_key is not set\n");
587 return 0;
588 }
589 /* end debug */
590
591 n = RSA_private_decrypt((int)length, in, out, keypair, RSA_NO_PADDING);
592
593 if (pgp_get_debug_level(__FILE__)) {
594 printf("pgp_rsa_private_decrypt: n=%d\n",n);
595 }
596
597 errbuf[0] = '\0';
598 if (n == -1) {
599 unsigned long err = ERR_get_error();
600
601 ERR_error_string(err, &errbuf[0]);
602 (void) fprintf(stderr, "openssl error : %s\n", errbuf);
603 }
604 keypair->n = keypair->d = keypair->p = keypair->q = NULL;
605 RSA_free(keypair);
606
607 return n;
608 }
609
610 /**
611 \ingroup Core_Crypto
612 \brief RSA-encrypts data
613 \param out Where to write the encrypted data
614 \param in Plaintext
615 \param length Size of plaintext
616 \param pubkey RSA Public Key
617 */
618 int
pgp_rsa_public_encrypt(uint8_t * out,const uint8_t * in,size_t length,const pgp_rsa_pubkey_t * pubkey)619 pgp_rsa_public_encrypt(uint8_t *out,
620 const uint8_t *in,
621 size_t length,
622 const pgp_rsa_pubkey_t *pubkey)
623 {
624 RSA *orsa;
625 int n;
626
627 /* printf("pgp_rsa_public_encrypt: length=%ld\n", length); */
628
629 orsa = RSA_new();
630 orsa->n = pubkey->n;
631 orsa->e = pubkey->e;
632
633 /* printf("len: %ld\n", length); */
634 /* pgp_print_bn("n: ", orsa->n); */
635 /* pgp_print_bn("e: ", orsa->e); */
636 n = RSA_public_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
637
638 if (n == -1) {
639 BIO *fd_out;
640
641 fd_out = BIO_new_fd(fileno(stderr), BIO_NOCLOSE);
642 ERR_print_errors(fd_out);
643 }
644 orsa->n = orsa->e = NULL;
645 RSA_free(orsa);
646
647 return n;
648 }
649
650 /**
651 \ingroup Core_Crypto
652 \brief Finalise openssl
653 \note Would usually call pgp_finish() instead
654 \sa pgp_finish()
655 */
656 void
pgp_crypto_finish(void)657 pgp_crypto_finish(void)
658 {
659 CRYPTO_cleanup_all_ex_data();
660 ERR_remove_state((unsigned long)0);
661 }
662
663 /**
664 \ingroup Core_Hashes
665 \brief Get Hash name
666 \param hash Hash struct
667 \return Hash name
668 */
669 const char *
pgp_text_from_hash(pgp_hash_t * hash)670 pgp_text_from_hash(pgp_hash_t *hash)
671 {
672 return hash->name;
673 }
674
675 /**
676 \ingroup HighLevel_KeyGenerate
677 \brief Generates an RSA keypair
678 \param numbits Modulus size
679 \param e Public Exponent
680 \param keydata Pointer to keydata struct to hold new key
681 \return 1 if key generated successfully; otherwise 0
682 \note It is the caller's responsibility to call pgp_keydata_free(keydata)
683 */
684 static unsigned
rsa_generate_keypair(pgp_key_t * keydata,const int numbits,const unsigned long e,const char * hashalg,const char * cipher)685 rsa_generate_keypair(pgp_key_t *keydata,
686 const int numbits,
687 const unsigned long e,
688 const char *hashalg,
689 const char *cipher)
690 {
691 pgp_seckey_t *seckey;
692 RSA *rsa;
693 BN_CTX *ctx;
694 pgp_output_t *output;
695 pgp_memory_t *mem;
696
697 ctx = BN_CTX_new();
698 pgp_keydata_init(keydata, PGP_PTAG_CT_SECRET_KEY);
699 seckey = pgp_get_writable_seckey(keydata);
700
701 /* generate the key pair */
702
703 rsa = RSA_generate_key(numbits, e, NULL, NULL);
704
705 /* populate pgp key from ssl key */
706
707 seckey->pubkey.version = PGP_V4;
708 seckey->pubkey.birthtime = time(NULL);
709 seckey->pubkey.days_valid = 0;
710 seckey->pubkey.alg = PGP_PKA_RSA;
711
712 seckey->pubkey.key.rsa.n = BN_dup(rsa->n);
713 seckey->pubkey.key.rsa.e = BN_dup(rsa->e);
714
715 seckey->s2k_usage = PGP_S2KU_ENCRYPTED_AND_HASHED;
716 seckey->s2k_specifier = PGP_S2KS_SALTED;
717 /* seckey->s2k_specifier=PGP_S2KS_SIMPLE; */
718 if ((seckey->hash_alg = pgp_str_to_hash_alg(hashalg)) == PGP_HASH_UNKNOWN) {
719 seckey->hash_alg = PGP_HASH_SHA1;
720 }
721 seckey->alg = pgp_str_to_cipher(cipher);
722 seckey->octetc = 0;
723 seckey->checksum = 0;
724
725 seckey->key.rsa.d = BN_dup(rsa->d);
726 seckey->key.rsa.p = BN_dup(rsa->p);
727 seckey->key.rsa.q = BN_dup(rsa->q);
728 seckey->key.rsa.u = BN_mod_inverse(NULL, rsa->p, rsa->q, ctx);
729 if (seckey->key.rsa.u == NULL) {
730 (void) fprintf(stderr, "seckey->key.rsa.u is NULL\n");
731 return 0;
732 }
733 BN_CTX_free(ctx);
734
735 RSA_free(rsa);
736
737 pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
738 pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg);
739
740 /* Generate checksum */
741
742 output = NULL;
743 mem = NULL;
744
745 pgp_setup_memory_write(&output, &mem, 128);
746
747 pgp_push_checksum_writer(output, seckey);
748
749 switch (seckey->pubkey.alg) {
750 case PGP_PKA_DSA:
751 return pgp_write_mpi(output, seckey->key.dsa.x);
752 case PGP_PKA_RSA:
753 case PGP_PKA_RSA_ENCRYPT_ONLY:
754 case PGP_PKA_RSA_SIGN_ONLY:
755 if (!pgp_write_mpi(output, seckey->key.rsa.d) ||
756 !pgp_write_mpi(output, seckey->key.rsa.p) ||
757 !pgp_write_mpi(output, seckey->key.rsa.q) ||
758 !pgp_write_mpi(output, seckey->key.rsa.u)) {
759 return 0;
760 }
761 break;
762 case PGP_PKA_ELGAMAL:
763 return pgp_write_mpi(output, seckey->key.elgamal.x);
764
765 default:
766 (void) fprintf(stderr, "Bad seckey->pubkey.alg\n");
767 return 0;
768 }
769
770 /* close rather than pop, since its the only one on the stack */
771 pgp_writer_close(output);
772 pgp_teardown_memory_write(output, mem);
773
774 /* should now have checksum in seckey struct */
775
776 /* test */
777 if (pgp_get_debug_level(__FILE__)) {
778 test_seckey(seckey);
779 }
780
781 return 1;
782 }
783
784 /**
785 \ingroup HighLevel_KeyGenerate
786 \brief Creates a self-signed RSA keypair
787 \param numbits Modulus size
788 \param e Public Exponent
789 \param userid User ID
790 \return The new keypair or NULL
791
792 \note It is the caller's responsibility to call pgp_keydata_free(keydata)
793 \sa rsa_generate_keypair()
794 \sa pgp_keydata_free()
795 */
796 pgp_key_t *
pgp_rsa_new_selfsign_key(const int numbits,const unsigned long e,uint8_t * userid,const char * hashalg,const char * cipher)797 pgp_rsa_new_selfsign_key(const int numbits,
798 const unsigned long e,
799 uint8_t *userid,
800 const char *hashalg,
801 const char *cipher)
802 {
803 pgp_key_t *keydata;
804
805 keydata = pgp_keydata_new();
806 if (!rsa_generate_keypair(keydata, numbits, e, hashalg, cipher) ||
807 !pgp_add_selfsigned_userid(keydata, userid)) {
808 pgp_keydata_free(keydata);
809 return NULL;
810 }
811 return keydata;
812 }
813
814 DSA_SIG *
pgp_dsa_sign(uint8_t * hashbuf,unsigned hashsize,const pgp_dsa_seckey_t * secdsa,const pgp_dsa_pubkey_t * pubdsa)815 pgp_dsa_sign(uint8_t *hashbuf,
816 unsigned hashsize,
817 const pgp_dsa_seckey_t *secdsa,
818 const pgp_dsa_pubkey_t *pubdsa)
819 {
820 DSA_SIG *dsasig;
821 DSA *odsa;
822
823 odsa = DSA_new();
824 odsa->p = pubdsa->p;
825 odsa->q = pubdsa->q;
826 odsa->g = pubdsa->g;
827 odsa->pub_key = pubdsa->y;
828 odsa->priv_key = secdsa->x;
829
830 dsasig = DSA_do_sign(hashbuf, (int)hashsize, odsa);
831
832 odsa->p = odsa->q = odsa->g = odsa->pub_key = odsa->priv_key = NULL;
833 DSA_free(odsa);
834
835 return dsasig;
836 }
837
838 int
openssl_read_pem_seckey(const char * f,pgp_key_t * key,const char * type,int verbose)839 openssl_read_pem_seckey(const char *f, pgp_key_t *key, const char *type, int verbose)
840 {
841 FILE *fp;
842 char prompt[BUFSIZ];
843 char *pass;
844 DSA *dsa;
845 RSA *rsa;
846 int ok;
847
848 OpenSSL_add_all_algorithms();
849 if ((fp = fopen(f, "r")) == NULL) {
850 if (verbose) {
851 (void) fprintf(stderr, "can't open '%s'\n", f);
852 }
853 return 0;
854 }
855 ok = 1;
856 if (strcmp(type, "ssh-rsa") == 0) {
857 if ((rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
858 (void) snprintf(prompt, sizeof(prompt), "netpgp PEM %s passphrase: ", f);
859 do {
860 pass = getpass(prompt);
861 rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, pass);
862 } while (rsa == NULL);
863 }
864 key->key.seckey.key.rsa.d = rsa->d;
865 key->key.seckey.key.rsa.p = rsa->p;
866 key->key.seckey.key.rsa.q = rsa->q;
867 key->key.seckey.key.rsa.d = rsa->d;
868 } else if (strcmp(type, "ssh-dss") == 0) {
869 if ((dsa = PEM_read_DSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) {
870 ok = 0;
871 } else {
872 key->key.seckey.key.dsa.x = dsa->priv_key;
873 }
874 } else {
875 ok = 0;
876 }
877 (void) fclose(fp);
878 return ok;
879 }
880
881 /*
882 * Decide the number of bits in the random componont k
883 *
884 * It should be in the same range as p for signing (which
885 * is deprecated), but can be much smaller for encrypting.
886 *
887 * Until I research it further, I just mimic gpg behaviour.
888 * It has a special mapping table, for values <= 5120,
889 * above that it uses 'arbitrary high number'. Following
890 * algorihm hovers 10-70 bits above gpg values. And for
891 * larger p, it uses gpg's algorihm.
892 *
893 * The point is - if k gets large, encryption will be
894 * really slow. It does not matter for decryption.
895 */
896 static int
decide_k_bits(int p_bits)897 decide_k_bits(int p_bits)
898 {
899 return (p_bits <= 5120) ? p_bits / 10 + 160 : (p_bits / 8 + 200) * 3 / 2;
900 }
901
902 int
pgp_elgamal_public_encrypt(uint8_t * g_to_k,uint8_t * encm,const uint8_t * in,size_t size,const pgp_elgamal_pubkey_t * pubkey)903 pgp_elgamal_public_encrypt(uint8_t *g_to_k, uint8_t *encm,
904 const uint8_t *in,
905 size_t size,
906 const pgp_elgamal_pubkey_t *pubkey)
907 {
908 int ret = 0;
909 int k_bits;
910 BIGNUM *m;
911 BIGNUM *p;
912 BIGNUM *g;
913 BIGNUM *y;
914 BIGNUM *k;
915 BIGNUM *yk;
916 BIGNUM *c1;
917 BIGNUM *c2;
918 BN_CTX *tmp;
919
920 m = BN_bin2bn(in, (int)size, NULL);
921 p = pubkey->p;
922 g = pubkey->g;
923 y = pubkey->y;
924 k = BN_new();
925 yk = BN_new();
926 c1 = BN_new();
927 c2 = BN_new();
928 tmp = BN_CTX_new();
929 if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) {
930 goto done;
931 }
932 /*
933 * generate k
934 */
935 k_bits = decide_k_bits(BN_num_bits(p));
936 if (!BN_rand(k, k_bits, 0, 0)) {
937 goto done;
938 }
939 /*
940 * c1 = g^k c2 = m * y^k
941 */
942 if (!BN_mod_exp(c1, g, k, p, tmp)) {
943 goto done;
944 }
945 if (!BN_mod_exp(yk, y, k, p, tmp)) {
946 goto done;
947 }
948 if (!BN_mod_mul(c2, m, yk, p, tmp)) {
949 goto done;
950 }
951 /* result */
952 BN_bn2bin(c1, g_to_k);
953 ret = BN_num_bytes(c1); /* c1 = g^k */
954 BN_bn2bin(c2, encm);
955 ret += BN_num_bytes(c2); /* c2 = m * y^k */
956 done:
957 if (tmp) {
958 BN_CTX_free(tmp);
959 }
960 if (c2) {
961 BN_clear_free(c2);
962 }
963 if (c1) {
964 BN_clear_free(c1);
965 }
966 if (yk) {
967 BN_clear_free(yk);
968 }
969 if (k) {
970 BN_clear_free(k);
971 }
972 if (g) {
973 BN_clear_free(g);
974 }
975 return ret;
976 }
977
978 int
pgp_elgamal_private_decrypt(uint8_t * out,const uint8_t * g_to_k,const uint8_t * in,size_t length,const pgp_elgamal_seckey_t * seckey,const pgp_elgamal_pubkey_t * pubkey)979 pgp_elgamal_private_decrypt(uint8_t *out,
980 const uint8_t *g_to_k,
981 const uint8_t *in,
982 size_t length,
983 const pgp_elgamal_seckey_t *seckey,
984 const pgp_elgamal_pubkey_t *pubkey)
985 {
986 BIGNUM *bndiv;
987 BIGNUM *c1x;
988 BN_CTX *tmp;
989 BIGNUM *c1;
990 BIGNUM *c2;
991 BIGNUM *p;
992 BIGNUM *x;
993 BIGNUM *m;
994 int ret;
995
996 ret = 0;
997 /* c1 and c2 are in g_to_k and in, respectively*/
998 c1 = BN_bin2bn(g_to_k, (int)length, NULL);
999 c2 = BN_bin2bn(in, (int)length, NULL);
1000 /* other bits */
1001 p = pubkey->p;
1002 x = seckey->x;
1003 c1x = BN_new();
1004 bndiv = BN_new();
1005 m = BN_new();
1006 tmp = BN_CTX_new();
1007 if (!c1 || !c2 || !p || !x || !c1x || !bndiv || !m || !tmp) {
1008 goto done;
1009 }
1010 /*
1011 * m = c2 / (c1^x)
1012 */
1013 if (!BN_mod_exp(c1x, c1, x, p, tmp)) {
1014 goto done;
1015 }
1016 if (!BN_mod_inverse(bndiv, c1x, p, tmp)) {
1017 goto done;
1018 }
1019 if (!BN_mod_mul(m, c2, bndiv, p, tmp)) {
1020 goto done;
1021 }
1022 /* result */
1023 ret = BN_bn2bin(m, out);
1024 done:
1025 if (tmp) {
1026 BN_CTX_free(tmp);
1027 }
1028 if (m) {
1029 BN_clear_free(m);
1030 }
1031 if (bndiv) {
1032 BN_clear_free(bndiv);
1033 }
1034 if (c1x) {
1035 BN_clear_free(c1x);
1036 }
1037 if (x) {
1038 BN_clear_free(x);
1039 }
1040 if (p) {
1041 BN_clear_free(p);
1042 }
1043 if (c1) {
1044 BN_clear_free(c1);
1045 }
1046 if (c2) {
1047 BN_clear_free(c2);
1048 }
1049 return ret;
1050 }
1051