1 /*
2 * Portions copyright 2002, 2003 Richard Laager.
3 * Copyright (c) 1996, 1997, 1998, 1999, Marc Horowitz. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. All advertising materials mentioning features or use of this software
15 * must display the following acknowledgement:
16 * This product includes software developed by Marc Horowitz.
17 * 4. The name of the author may not be used to endorse or promote
18 * products derived from this software without specific prior written
19 * permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY MARC HOROWITZ ``AS IS'' AND ANY EXPRESS
22 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
23 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24 * DISCLAIMED. IN NO EVENT SHALL MARC HOROWITZ BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #ifdef HAVE_CONFIG_H
35 #include "config.h"
36 #endif
37
38 const char rcsid_pgputil_c[] =
39 "$Id: pgputil.c,v 1.11 2003/04/29 23:25:21 rlaager Exp $";
40
41 #include <openssl/x509.h>
42
43 #if HAVE_STDIO_H
44 #include <stdio.h>
45 #endif
46
47 #if HAVE_STDLIB_H
48 #include <stdlib.h>
49 #endif
50
51 #if HAVE_STRING_H
52 #include <string.h>
53 #endif
54
55 #if HAVE_TIME_H
56 #include <time.h>
57 #endif
58
59 #include "armor.h"
60 #include "globals.h"
61 #include "pgputil.h"
62
63 int
generate_v4_keyid(ddesc * data,unsigned char * keyid)64 generate_v4_keyid (ddesc * data, unsigned char *keyid)
65 {
66 unsigned char hash[20];
67 SHA_CTX sha;
68
69 SHA1_Init (&sha);
70 SHA1_Update (&sha, data->data, data->size);
71 SHA1_Final (hash, &sha);
72
73 /* We only need the low order 64 bits */
74 memcpy (keyid, hash + 12, 8);
75
76 return 1;
77 }
78
79 int
decode_num(ddesc * data,long size,long * num)80 decode_num (ddesc * data, long size, long *num)
81 {
82 long i;
83 long tmp = 0;
84
85 if (!DECODE_READABLE (data, size))
86 return (0);
87
88 for (i = 0; i < size; i++)
89 tmp = (tmp << 8) + data->data[data->offset++];
90
91 *num = tmp;
92 return (1);
93 }
94
95 int
decode_bytestr(ddesc * data,long len,ddesc * bytestr)96 decode_bytestr (ddesc * data, long len, ddesc * bytestr)
97 {
98 if (!DECODE_READABLE (data, len))
99 return (0);
100
101 bytestr->data = data->data + data->offset;
102 bytestr->size = len;
103 bytestr->offset = 0;
104
105 data->offset += len;
106
107 return (1);
108 }
109
110 int
decode_psf(ddesc * data,long * ptype,long * plen)111 decode_psf (ddesc * data, long *ptype, long *plen)
112 {
113 unsigned char ch;
114 long tmp;
115
116 if (!DECODE_READABLE (data, 1))
117 return (0);
118
119 ch = data->data[data->offset++];
120
121 if ((ch & 0xc0) != 0x80)
122 return (0);
123
124 tmp = ((ch & 0x3c) >> 2);
125
126 switch (tmp)
127 {
128 case 0:
129 case 3:
130 case 4:
131 case 7:
132 case 8:
133 case 10:
134 case 15:
135 return (0);
136 default:
137 *ptype = tmp;
138 break;
139 }
140
141 tmp = (ch & 0x03);
142
143 switch (tmp)
144 {
145 case 0:
146 if (!decode_num (data, 1, plen))
147 return (0);
148 break;
149 case 1:
150 if (!decode_num (data, 2, plen))
151 return (0);
152 break;
153 case 2:
154 if (!decode_num (data, 4, plen))
155 return (0);
156 break;
157 case 3:
158 return (0);
159 break;
160 }
161
162 return (1);
163 }
164
165 int
decode_mpi(ddesc * data,mpidesc * mpi)166 decode_mpi (ddesc * data, mpidesc * mpi)
167 {
168 if (!decode_num (data, 2, &(mpi->nbits)))
169 return (0);
170
171 return (decode_bytestr (data, (mpi->nbits + 7) / 8, &(mpi->number)));
172 }
173
174 int
decode_string(ddesc * data,ddesc * str)175 decode_string (ddesc * data, ddesc * str)
176 {
177 long tmp;
178
179 if (!decode_num (data, 1, &tmp))
180 return (0);
181
182 return (decode_bytestr (data, tmp, str));
183 }
184
185 int
decode_time(ddesc * data,time_t * t)186 decode_time (ddesc * data, time_t * t)
187 {
188 long tmp;
189
190 if (!decode_num (data, 4, &tmp))
191 return (0);
192
193 *t = (time_t) tmp;
194
195 return (1);
196 }
197
198 int
decode_x509(ddesc * data,long len,ddesc * keyid)199 decode_x509 (ddesc * data, long len, ddesc * keyid)
200 {
201 X509 *cert = NULL;
202 EVP_PKEY *pkey;
203 BIGNUM *b = NULL;
204 unsigned char *data_start = data->data + data->offset;
205
206 data->offset += len;
207
208 if (d2i_X509 (&cert, &data_start, len) == NULL)
209 {
210 return (0);
211 }
212 if (X509_NAME_cmp
213 (X509_get_issuer_name (cert), X509_get_subject_name (cert)) != 0)
214 {
215 return (0);
216 }
217 /* X.509 certificate has been parsed,
218 now get keyid = last 4 bytes of modulus */
219 pkey = X509_get_pubkey (cert);
220 if (pkey == NULL)
221 {
222 return (0);
223 }
224 switch (pkey->type)
225 {
226 case EVP_PKEY_RSA:
227 /* pkey->pkey.rsa->n is the modulus */
228 b = BN_dup (pkey->pkey.rsa->n);
229 break;
230 case EVP_PKEY_DSA:
231 b = BN_dup (pkey->pkey.dsa->p);
232 break;
233 }
234 EVP_PKEY_free (pkey);
235 if (b == NULL)
236 {
237 return (0);
238 }
239 BN_mask_bits (b, 32);
240 if ((keyid->data = malloc (8)) == NULL)
241 {
242 BN_free (b);
243 return (0);
244 }
245 /* left pad with zeroes if necessary */
246 memset (keyid->data, 0, 8);
247 BN_bn2bin (b, (keyid->data + 4));
248 BN_free (b);
249 keyid->size = 8;
250 return 1;
251 }
252
253 int
decode_nai(ddesc * data,long len,ddesc * keyid)254 decode_nai (ddesc * data, long len, ddesc * keyid)
255 {
256 len -= 3; /* skip header */
257 if (len < 0 || data->data[data->offset++] != 1 ||
258 data->data[data->offset++] != 1 || data->data[data->offset++] != 4)
259 {
260 /* don't know how to handle this case */
261 data->offset += len;
262 return (0);
263 }
264
265 /* here follows an asn.1 coded X.509 certificate */
266 if (decode_x509 (data, len, keyid))
267 {
268 return (1);
269 }
270 else
271 {
272 if ((keyid->data = malloc (8)) == NULL)
273 {
274 }
275 else
276 {
277 memset ((void *) keyid->data, 0, (size_t) 8);
278 keyid->size = 8;
279 keyid->offset = 0;
280 }
281 }
282 return (0);
283 }
284
285 int
decode_subpacket(ddesc * data,time_t * sig_time,ddesc * keyid)286 decode_subpacket (ddesc * data, time_t * sig_time, ddesc * keyid)
287 {
288 long OverallSPlen;
289 long SPlen;
290 long SPtype;
291
292 OverallSPlen = (data->data[data->offset++]) << 8;
293 OverallSPlen += data->data[data->offset++];
294
295 while (OverallSPlen > 0)
296 {
297 SPlen = data->data[data->offset++];
298 if (SPlen >= 192)
299 {
300 SPlen = ((SPlen & 0x3F) << 8) + data->data[data->offset++] + 192;
301 OverallSPlen--;
302 }
303 OverallSPlen--;
304
305 SPtype = data->data[data->offset++] & 0x7F;
306
307 if (SPtype == 2) /* Sig creation time */
308 decode_time (data, sig_time);
309 else if (SPtype == 16) /* keyid of signer */
310 decode_bytestr (data, SPlen - 1, keyid);
311 else if (SPtype == 100) /* NAI private */
312 decode_nai (data, SPlen - 1, keyid);
313 else
314 data->offset += SPlen - 1;
315
316 OverallSPlen -= SPlen;
317 }
318
319 if (OverallSPlen != 0)
320 return (0);
321
322 return (1);
323 }
324
325
326 int
decode_pubkey(ddesc * data,long len,mpidesc * modulus,mpidesc * exponent,unsigned char * keyid,unsigned char * keytype,time_t * create_time,int * keyversion)327 decode_pubkey (ddesc * data, long len, mpidesc * modulus, mpidesc * exponent,
328 unsigned char *keyid, unsigned char *keytype,
329 time_t * create_time, int *keyversion)
330 {
331 long version, valid_days, pkctype;
332 unsigned char *pktend = data->data + data->offset + len;
333 mpidesc publicbits, grouporder, groupgenerator;
334
335 if (!decode_num (data, 1, &version))
336 return (0);
337
338 if (keyversion)
339 *keyversion = version;
340
341 if ((version != 2) && (version != 3) && (version != 4))
342 return (0);
343
344 if (!decode_time (data, create_time))
345 return (0);
346
347 if (version < 4)
348 if (!decode_num (data, 2, &valid_days))
349 return (0);
350
351 if (!decode_num (data, 1, &pkctype))
352 return (0);
353
354 /* This is pretty sloppy. It will set the type to DSA first time
355 through then to ElGamal the last time through (for each packet).
356 Either DSA or ElGamal should be considered the same. */
357 *keytype = pkctype;
358
359 switch (pkctype)
360 {
361 case 1:
362 /*RSA*/ case 2:
363 case 3:
364 if (!decode_mpi (data, modulus))
365 return (0);
366
367 if (!decode_mpi (data, exponent))
368 return (0);
369 break;
370 case 17:
371 /*DSA*/ if (!decode_mpi (data, modulus))
372 return (0);
373
374 if (!decode_mpi (data, &grouporder))
375 return (0);
376
377 if (!decode_mpi (data, &groupgenerator))
378 return (0);
379
380 if (!decode_mpi (data, &publicbits))
381 return (0);
382 break;
383 case 16: /*ElGamal */
384 case 20:
385 if (!decode_mpi (data, modulus))
386 return (0);
387
388 if (!decode_mpi (data, &groupgenerator))
389 return (0);
390
391 if (!decode_mpi (data, &publicbits))
392 return (0);
393 break;
394 default:
395 return (0);
396 }
397
398 if (keyid)
399 {
400 if (version > 3)
401 generate_v4_keyid (data, keyid);
402 else
403 memcpy (keyid, &modulus->number.data[modulus->number.size - 8], 8);
404 }
405
406 return (pktend == (data->data + data->offset));
407 }
408
409 /* the spec seems to lie, since the userid strings I actually see
410 * don't seem to have a one-byte length */
411
412 int
decode_userid(ddesc * data,long len,ddesc * userid)413 decode_userid (ddesc * data, long len, ddesc * userid)
414 {
415 return (decode_bytestr (data, len, userid));
416 }
417
418 int
decode_sig(ddesc * data,long len,ddesc * keyid,long * sigclass,time_t * sig_time)419 decode_sig (ddesc * data, long len, ddesc * keyid, long *sigclass,
420 time_t * sig_time)
421 {
422 long version, five, pkctype, mdtype;
423 ddesc cksum;
424 mpidesc sig;
425 unsigned char *pktend = data->data + data->offset + len;
426
427 keyid->size = 0;
428
429 if (!decode_num (data, 1, &version))
430 return (0);
431
432 if (version < 4)
433 {
434 if ((version != 2) && (version != 3))
435 return (0);
436
437 if (!decode_num (data, 1, &five))
438 return (0);
439
440 if (five != 5)
441 return (0);
442
443 if (!decode_num (data, 1, sigclass))
444 return (0);
445
446 if (!decode_time (data, sig_time))
447 return (0);
448
449 if (!decode_bytestr (data, 8, keyid))
450 return (0);
451
452 if (!decode_num (data, 1, &pkctype))
453 return (0);
454
455 if (!decode_num (data, 1, &mdtype))
456 return (0);
457
458 if (!decode_bytestr (data, 2, &cksum))
459 return (0);
460
461 switch (pkctype)
462 {
463 case 1: /*RSA: 1*MPI */
464 case 2:
465 case 3:
466 if (!decode_mpi (data, &sig))
467 return (0);
468 break;
469 case 17: /*DSA: 2*MPI */
470 if (!decode_mpi (data, &sig) || !decode_mpi (data, &sig))
471 return (0);
472 break;
473 default:
474 /* this is kind of ugly. There can be any number of MPI's here
475 (although 1 is most likely, and no documented pkctype uses
476 more than 2). */
477 while (DECODE_READABLE (data, 1))
478 {
479 if (!decode_mpi (data, &sig))
480 return (0);
481 }
482 break;
483 }
484 if (pktend != data->data + data->offset)
485 {
486 if (!decode_bytestr (data, pktend - (data->data + data->offset),
487 &sig.number))
488 return (0);
489 }
490 }
491 else
492 {
493 if (version != 4)
494 return (0);
495
496 if (!decode_num (data, 1, sigclass))
497 return (0);
498
499 if (!decode_num (data, 1, &pkctype))
500 return (0);
501
502 if (!decode_num (data, 1, &mdtype))
503 return (0);
504
505 keyid->size = 0;
506
507 if (!decode_subpacket (data, sig_time, keyid))
508 return (0);
509
510 if (!decode_subpacket (data, sig_time, keyid))
511 return (0);
512
513 if (!decode_bytestr (data, 2, &cksum))
514 return (0);
515
516 switch (pkctype)
517 {
518 case 1: /*RSA: 1*MPI */
519 case 2:
520 case 3:
521 if (!decode_mpi (data, &sig))
522 return (0);
523 break;
524 case 17: /*DSA: 2*MPI */
525 if (!decode_mpi (data, &sig) || !decode_mpi (data, &sig))
526 return (0);
527 break;
528 case 100: /* X.509 */
529 decode_nai (data, len, keyid);
530 break;
531 default:
532 /* this is kind of ugly. There can be any number of MPI's here
533 (although 2 is the largest and most likely number. */
534 while (DECODE_READABLE (data, 1))
535 {
536 if (!decode_mpi (data, &sig))
537 return (0);
538 }
539 break;
540 }
541 if (pktend != data->data + data->offset)
542 {
543 if (!decode_bytestr (data, pktend - (data->data + data->offset),
544 &sig.number))
545 return (0);
546 }
547 }
548
549 return (keyid->size > 0);
550 }
551
552 int
decode_packet(ddesc * data,packet_handler h,void * c)553 decode_packet (ddesc * data, packet_handler h, void *c)
554 {
555 long ptype, plen;
556 ddesc packet;
557 packet.data = data->data + data->offset;
558 if (!decode_psf (data, &ptype, &plen))
559 return (0);
560 packet.size = ((data->data + data->offset) - packet.data) + plen;
561 packet.offset = 0;
562 if (!DECODE_READABLE (data, plen))
563 return (0);
564 data->offset += plen;
565 if (!(*h) (&packet, c))
566 return (0);
567 return (1);
568 }
569
570 int
decode_binary(ddesc * data,packet_handler h,void * c)571 decode_binary (ddesc * data, packet_handler h, void *c)
572 {
573 while (DECODE_READABLE (data, 1))
574 {
575 if (!decode_packet (data, h, c))
576 return (0);
577 }
578
579 return (1);
580 }
581
582 int
decode_file(ddesc * data,packet_handler h,void * c)583 decode_file (ddesc * data, packet_handler h, void *c)
584 {
585 ddesc tmp;
586 long n1;
587 long n2;
588 tmp = *data;
589 if (decode_psf (&tmp, &n1, &n2))
590 return (decode_binary (data, h, c));
591 else
592 return (decode_ascii (data, h, c));
593 }
594