1 /*-
2 * Copyright (c) 2012 Alistair Crooks <agc@NetBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <sys/param.h>
28 #include <sys/mman.h>
29
30 #include <bzlib.h>
31 #include <err.h>
32 #include <inttypes.h>
33 #include <stdarg.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <time.h>
38 #include <unistd.h>
39 #include <zlib.h>
40
41 #include "array.h"
42 #include "bn.h"
43 #include "b64.h"
44 #include "digest.h"
45 #include "pgpsum.h"
46 #include "rsa.h"
47 #include "verify.h"
48
49 #ifndef USE_ARG
50 #define USE_ARG(x) /*LINTED*/(void)&(x)
51 #endif
52
53 #ifndef __printflike
54 #define __printflike(n, m) __attribute__((format(printf,n,m)))
55 #endif
56
57 #define BITS_TO_BYTES(b) (((b) + (CHAR_BIT - 1)) / CHAR_BIT)
58
59 /* packet types */
60 #define SIGNATURE_PKT 2
61 #define ONEPASS_SIGNATURE_PKT 4
62 #define PUBKEY_PKT 6
63 #define COMPRESSED_DATA_PKT 8
64 #define MARKER_PKT 10
65 #define LITDATA_PKT 11
66 #define TRUST_PKT 12
67 #define USERID_PKT 13
68 #define PUB_SUBKEY_PKT 14
69 #define USER_ATTRIBUTE_PKT 17
70
71 /* only allow certain packets at certain times */
72 #define PUBRING_ALLOWED "\002\006\014\015\016\021"
73 #define SIGNATURE_ALLOWED "\002\004\010\013"
74
75 /* actions to do on close */
76 #define FREE_MEM 0x01
77 #define UNMAP_MEM 0x02
78
79 /* types of pubkey we encounter */
80 #define PUBKEY_RSA_ENCRYPT_OR_SIGN 1
81 #define PUBKEY_RSA_ENCRYPT 2
82 #define PUBKEY_RSA_SIGN 3
83 #define PUBKEY_ELGAMAL_ENCRYPT 16
84 #define PUBKEY_DSA 17
85 #define PUBKEY_ELLIPTIC_CURVE 18
86 #define PUBKEY_ECDSA 19
87 #define PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN 20
88
89 /* hash algorithm definitions */
90 #define PGPV_HASH_MD5 1
91 #define PGPV_HASH_SHA1 2
92 #define PGPV_HASH_RIPEMD 3
93 #define PGPV_HASH_SHA256 8
94 #define PGPV_HASH_SHA384 9
95 #define PGPV_HASH_SHA512 10
96
97 /* pubkey defs for bignums */
98 #define RSA_N 0
99 #define RSA_E 1
100 #define DSA_P 0
101 #define DSA_Q 1
102 #define DSA_G 2
103 #define DSA_Y 3
104 #define ELGAMAL_P 0
105 #define ELGAMAL_G 1
106 #define ELGAMAL_Y 2
107
108 /* sesskey indices */
109 #define RSA_SESSKEY_ENCRYPTED_M 0
110 #define RSA_SESSKEY_M 1
111 #define ELGAMAL_SESSKEY_G_TO_K 0
112 #define ELGAMAL_SESSKEY_ENCRYPTED_M 1
113
114 /* seckey indices */
115 #define RSA_SECKEY_D 0
116 #define RSA_SECKEY_P 1
117 #define RSA_SECKEY_Q 2
118 #define RSA_SECKEY_U 3
119 #define DSA_SECKEY_X 0
120 #define ELGAMAL_SECKEY_X 0
121
122 /* signature mpi indices in bignumber array */
123 #define RSA_SIG 0
124 #define DSA_R 0
125 #define DSA_S 1
126 #define ELGAMAL_SIG_R 0
127 #define ELGAMAL_SIG_S 1
128
129 /* signature types */
130 #define SIGTYPE_BINARY_DOC 0x00 /* Signature of a binary document */
131 #define SIGTYPE_TEXT 0x01 /* Signature of a canonical text document */
132 #define SIGTYPE_STANDALONE 0x02 /* Standalone signature */
133
134 #define SIGTYPE_GENERIC_USERID 0x10 /* Generic certification of a User ID and Public Key packet */
135 #define SIGTYPE_PERSONA_USERID 0x11 /* Persona certification of a User ID and Public Key packet */
136 #define SIGTYPE_CASUAL_USERID 0x12 /* Casual certification of a User ID and Public Key packet */
137 #define SIGTYPE_POSITIVE_USERID 0x13 /* Positive certification of a User ID and Public Key packet */
138
139 #define SIGTYPE_SUBKEY_BINDING 0x18 /* Subkey Binding Signature */
140 #define SIGTYPE_PRIMARY_KEY_BINDING 0x19 /* Primary Key Binding Signature */
141 #define SIGTYPE_DIRECT_KEY 0x1f /* Signature directly on a key */
142
143 #define SIGTYPE_KEY_REVOCATION 0x20 /* Key revocation signature */
144 #define SIGTYPE_SUBKEY_REVOCATION 0x28 /* Subkey revocation signature */
145 #define SIGTYPE_CERT_REVOCATION 0x30 /* Certification revocation signature */
146
147 #define SIGTYPE_TIMESTAMP_SIG 0x40 /* Timestamp signature */
148 #define SIGTYPE_3RDPARTY 0x50 /* Third-Party Confirmation signature */
149
150 /* Forward declarations */
151 static int read_all_packets(pgpv_t */*pgp*/, pgpv_mem_t */*mem*/, const char */*op*/);
152 static int read_binary_file(pgpv_t */*pgp*/, const char */*op*/, const char */*fmt*/, ...)
153 __printflike(3, 4);
154 static int read_binary_memory(pgpv_t */*pgp*/, const char */*op*/, const void */*memory*/, size_t /*size*/);
155 static int pgpv_find_keyid(pgpv_t */*pgp*/, const char */*strkeyid*/, uint8_t */*keyid*/);
156
157 /* read a file into the pgpv_mem_t struct */
158 static int
read_file(pgpv_t * pgp,const char * f)159 read_file(pgpv_t *pgp, const char *f)
160 {
161 struct stat st;
162 pgpv_mem_t *mem;
163
164 ARRAY_EXPAND(pgp->areas);
165 ARRAY_COUNT(pgp->areas) += 1;
166 mem = &ARRAY_LAST(pgp->areas);
167 memset(mem, 0x0, sizeof(*mem));
168 if ((mem->fp = fopen(f, "r")) == NULL) {
169 warn("can't read '%s'", f);
170 return 0;
171 }
172 fstat(fileno(mem->fp), &st);
173 mem->size = (size_t)st.st_size;
174 mem->mem = mmap(NULL, mem->size, PROT_READ, MAP_SHARED, fileno(mem->fp), 0);
175 mem->dealloc = UNMAP_MEM;
176 return 1;
177 }
178
179 /* DTRT and free resources */
180 static int
closemem(pgpv_mem_t * mem)181 closemem(pgpv_mem_t *mem)
182 {
183 switch(mem->dealloc) {
184 case FREE_MEM:
185 free(mem->mem);
186 mem->size = 0;
187 break;
188 case UNMAP_MEM:
189 munmap(mem->mem, mem->size);
190 fclose(mem->fp);
191 break;
192 }
193 return 1;
194 }
195
196 /* make a reference to a memory area, and its offset */
197 static void
make_ref(pgpv_t * pgp,uint8_t mement,pgpv_ref_t * ref)198 make_ref(pgpv_t *pgp, uint8_t mement, pgpv_ref_t *ref)
199 {
200 ref->mem = mement;
201 ref->offset = ARRAY_ELEMENT(pgp->areas, ref->mem).cc;
202 ref->vp = pgp;
203 }
204
205 /* return the pointer we wanted originally */
206 static uint8_t *
get_ref(pgpv_ref_t * ref)207 get_ref(pgpv_ref_t *ref)
208 {
209 pgpv_mem_t *mem;
210 pgpv_t *pgp = (pgpv_t *)ref->vp;;
211
212 mem = &ARRAY_ELEMENT(pgp->areas, ref->mem);
213 return &mem->mem[ref->offset];
214 }
215
216 #define IS_PARTIAL(x) ((x) >= 224 && (x) < 255)
217 #define DECODE_PARTIAL(x) (1 << ((x) & 0x1f))
218
219 #define PKT_LENGTH(m, off) \
220 ((m[off] < 192) ? (m[off]) : \
221 (m[off] < 224) ? ((m[off] - 192) << 8) + (m[off + 1]) + 192 : \
222 (m[off + 1] << 24) | ((m[off + 2]) << 16) | ((m[off + 3]) << 8) | (m[off + 4]))
223
224 #define PKT_LENGTH_LENGTH(m, off) \
225 ((m[off] < 192) ? 1 : (m[off] < 224) ? 2 : 5)
226
227 /* fix up partial body lengths, return new size */
228 static size_t
fixup_partials(pgpv_t * pgp,uint8_t * p,size_t totlen,size_t filesize,size_t * cc)229 fixup_partials(pgpv_t *pgp, uint8_t *p, size_t totlen, size_t filesize, size_t *cc)
230 {
231 pgpv_mem_t *mem;
232 size_t partial;
233 size_t newcc;
234
235 if (totlen > filesize) {
236 printf("fixup_partial: filesize %zu is less than encoded size %zu\n", filesize, totlen);
237 return 0;
238 }
239 ARRAY_EXPAND(pgp->areas);
240 ARRAY_COUNT(pgp->areas) += 1;
241 mem = &ARRAY_LAST(pgp->areas);
242 mem->size = totlen;
243 if ((mem->mem = calloc(1, mem->size + 5)) == NULL) {
244 printf("fixup_partial: can't allocate %zu length\n", totlen);
245 return 0;
246 }
247 newcc = 0;
248 mem->dealloc = FREE_MEM;
249 for (*cc = 0 ; *cc < totlen ; newcc += partial, *cc += partial + 1) {
250 if (IS_PARTIAL(p[*cc])) {
251 partial = DECODE_PARTIAL(p[*cc]);
252 memcpy(&mem->mem[newcc], &p[*cc + 1], partial);
253 } else {
254 partial = PKT_LENGTH(p, *cc);
255 *cc += PKT_LENGTH_LENGTH(p, *cc);
256 memcpy(&mem->mem[newcc], &p[*cc], partial);
257 newcc += partial;
258 *cc += partial;
259 break;
260 }
261 }
262 return newcc;
263 }
264
265 /* get the weirdo packet length */
266 static size_t
get_pkt_len(uint8_t newfmt,uint8_t * p,size_t filesize,int isprimary)267 get_pkt_len(uint8_t newfmt, uint8_t *p, size_t filesize, int isprimary)
268 {
269 size_t lenbytes;
270 size_t len;
271
272 if (newfmt) {
273 if (IS_PARTIAL(*p)) {
274 if (!isprimary) {
275 /* for sub-packets, only 1, 2 or 4 byte sizes allowed */
276 return ((*p - 192) << 8) + *(p + 1) + 192;
277 }
278 lenbytes = 1;
279 for (len = DECODE_PARTIAL(*p) ; IS_PARTIAL(p[len + lenbytes]) ; lenbytes++) {
280 len += DECODE_PARTIAL(p[len + lenbytes]);
281 }
282 len += get_pkt_len(newfmt, &p[len + lenbytes], filesize, 1);
283 return len;
284 }
285 return PKT_LENGTH(p, 0);
286 } else {
287 switch(*--p & 0x3) {
288 case 0:
289 return *(p + 1);
290 case 1:
291 return (*(p + 1) << 8) | *(p + 2);
292 case 2:
293 return (*(p + 1) << 24) | (*(p + 2) << 16) | (*(p + 3) << 8) | *(p + 4);
294 default:
295 return filesize;
296 }
297 }
298 }
299
300 /* get the length of the packet length field */
301 static unsigned
get_pkt_len_len(uint8_t newfmt,uint8_t * p,int isprimary)302 get_pkt_len_len(uint8_t newfmt, uint8_t *p, int isprimary)
303 {
304 if (newfmt) {
305 if (IS_PARTIAL(*p)) {
306 return (isprimary) ? 1 : 2;
307 }
308 return PKT_LENGTH_LENGTH(p, 0);
309 } else {
310 switch(*--p & 0x3) {
311 case 0:
312 return 1;
313 case 1:
314 return 2;
315 case 2:
316 return 4;
317 default:
318 return 0;
319 }
320 }
321 }
322
323 /* copy the 32bit integer in memory in network order */
324 static unsigned
fmt_32(uint8_t * p,uint32_t a)325 fmt_32(uint8_t *p, uint32_t a)
326 {
327 a = htonl(a);
328 memcpy(p, &a, sizeof(a));
329 return sizeof(a);
330 }
331
332 /* copy the 16bit integer in memory in network order */
333 static unsigned
fmt_16(uint8_t * p,uint16_t a)334 fmt_16(uint8_t *p, uint16_t a)
335 {
336 a = htons(a);
337 memcpy(p, &a, sizeof(a));
338 return sizeof(a);
339 }
340
341 /* format a binary string in memory */
342 static size_t
fmt_binary(char * s,size_t size,const uint8_t * bin,unsigned len)343 fmt_binary(char *s, size_t size, const uint8_t *bin, unsigned len)
344 {
345 unsigned i;
346 size_t cc;
347
348 for (cc = 0, i = 0 ; i < len && cc < size ; i++) {
349 cc += snprintf(&s[cc], size - cc, "%02x", bin[i]);
350 }
351 return cc;
352 }
353
354 /* format an mpi into memory */
355 static unsigned
fmt_binary_mpi(pgpv_bignum_t * mpi,uint8_t * p,size_t size)356 fmt_binary_mpi(pgpv_bignum_t *mpi, uint8_t *p, size_t size)
357 {
358 unsigned bytes;
359 BIGNUM *bn;
360
361 bytes = BITS_TO_BYTES(mpi->bits);
362 if ((size_t)bytes + 2 + 1 > size) {
363 warn("truncated mpi");
364 return 0;
365 }
366 bn = (BIGNUM *)mpi->bn;
367 if (bn == NULL || BN_is_zero(bn)) {
368 fmt_32(p, 0);
369 return 2 + 1;
370 }
371 fmt_16(p, mpi->bits);
372 BN_bn2bin(bn, &p[2]);
373 return bytes + 2;
374 }
375
376 /* dump an mpi value onto stdout */
377 static size_t
fmt_mpi(char * s,size_t size,pgpv_bignum_t * bn,const char * name,int pbits)378 fmt_mpi(char *s, size_t size, pgpv_bignum_t *bn, const char *name, int pbits)
379 {
380 size_t cc;
381 char *buf;
382
383 cc = snprintf(s, size, "%s=", name);
384 if (pbits) {
385 cc += snprintf(&s[cc], size - cc, "[%u bits] ", bn->bits);
386 }
387 buf = BN_bn2hex(bn->bn);
388 cc += snprintf(&s[cc], size - cc, "%s\n", buf);
389 free(buf);
390 return cc;
391 }
392
393 #define ALG_IS_RSA(alg) (((alg) == PUBKEY_RSA_ENCRYPT_OR_SIGN) || \
394 ((alg) == PUBKEY_RSA_ENCRYPT) || \
395 ((alg) == PUBKEY_RSA_SIGN))
396
397 #define ALG_IS_DSA(alg) ((alg) == PUBKEY_DSA)
398
399 /* format key mpis into memory */
400 static unsigned
fmt_key_mpis(pgpv_pubkey_t * pubkey,uint8_t * buf,size_t size)401 fmt_key_mpis(pgpv_pubkey_t *pubkey, uint8_t *buf, size_t size)
402 {
403 size_t cc;
404
405 cc = 0;
406 buf[cc++] = pubkey->version;
407 cc += fmt_32(&buf[cc], (uint32_t)pubkey->birth);
408 buf[cc++] = pubkey->keyalg;
409 switch(pubkey->keyalg) {
410 case PUBKEY_RSA_ENCRYPT_OR_SIGN:
411 case PUBKEY_RSA_ENCRYPT:
412 case PUBKEY_RSA_SIGN:
413 cc += fmt_binary_mpi(&pubkey->bn[RSA_N], &buf[cc], size - cc);
414 cc += fmt_binary_mpi(&pubkey->bn[RSA_E], &buf[cc], size - cc);
415 break;
416 case PUBKEY_DSA:
417 cc += fmt_binary_mpi(&pubkey->bn[DSA_P], &buf[cc], size - cc);
418 cc += fmt_binary_mpi(&pubkey->bn[DSA_Q], &buf[cc], size - cc);
419 cc += fmt_binary_mpi(&pubkey->bn[DSA_G], &buf[cc], size - cc);
420 cc += fmt_binary_mpi(&pubkey->bn[DSA_Y], &buf[cc], size - cc);
421 break;
422 default:
423 cc += fmt_binary_mpi(&pubkey->bn[ELGAMAL_P], &buf[cc], size - cc);
424 cc += fmt_binary_mpi(&pubkey->bn[ELGAMAL_G], &buf[cc], size - cc);
425 cc += fmt_binary_mpi(&pubkey->bn[ELGAMAL_Y], &buf[cc], size - cc);
426 break;
427 }
428 return (unsigned)cc;
429 }
430
431 /* calculate the fingerprint, RFC 4880, section 12.2 */
432 static int
pgpv_calc_fingerprint(pgpv_fingerprint_t * fingerprint,pgpv_pubkey_t * pubkey)433 pgpv_calc_fingerprint(pgpv_fingerprint_t *fingerprint, pgpv_pubkey_t *pubkey)
434 {
435 digest_t fphash;
436 uint16_t cc;
437 uint8_t ch = 0x99;
438 uint8_t buf[8192 + 2 + 1];
439 uint8_t len[2];
440
441 memset(&fphash, 0x0, sizeof(fphash));
442 if (pubkey->version == 4) {
443 /* v4 keys */
444 fingerprint->hashalg = digest_get_alg("sha1");
445 digest_init(&fphash, (unsigned)fingerprint->hashalg);
446 cc = fmt_key_mpis(pubkey, buf, sizeof(buf));
447 digest_update(&fphash, &ch, 1);
448 fmt_16(len, cc);
449 digest_update(&fphash, len, 2);
450 digest_update(&fphash, buf, cc);
451 fingerprint->len = digest_final(fingerprint->v, &fphash);
452 return 1;
453 }
454 if (ALG_IS_RSA(pubkey->keyalg)) {
455 /* v3 keys are RSA */
456 fingerprint->hashalg = digest_get_alg("md5");
457 digest_init(&fphash, (unsigned)fingerprint->hashalg);
458 if (pubkey->bn[RSA_N].bn && pubkey->bn[RSA_E].bn) {
459 cc = fmt_binary_mpi(&pubkey->bn[RSA_N], buf, sizeof(buf));
460 digest_update(&fphash, &buf[2], cc - 2);
461 cc = fmt_binary_mpi(&pubkey->bn[RSA_E], buf, sizeof(buf));
462 digest_update(&fphash, &buf[2], cc - 2);
463 fingerprint->len = digest_final(fingerprint->v, &fphash);
464 return 1;
465 }
466 }
467 if (pubkey->bn[RSA_N].bn) {
468 if ((cc = fmt_binary_mpi(&pubkey->bn[RSA_N], buf, sizeof(buf))) >= PGPV_KEYID_LEN) {
469 memcpy(fingerprint->v, &buf[cc - PGPV_KEYID_LEN], PGPV_KEYID_LEN);
470 fingerprint->len = PGPV_KEYID_LEN;
471 return 1;
472 }
473 }
474 /* exhausted all avenues, really */
475 memset(fingerprint->v, 0xff, fingerprint->len = PGPV_KEYID_LEN);
476 return 1;
477 }
478
479 /* format a fingerprint into memory */
480 static size_t
fmt_fingerprint(char * s,size_t size,pgpv_fingerprint_t * fingerprint,const char * name)481 fmt_fingerprint(char *s, size_t size, pgpv_fingerprint_t *fingerprint, const char *name)
482 {
483 unsigned i;
484 size_t cc;
485
486 cc = snprintf(s, size, "%s ", name);
487 for (i = 0 ; i < fingerprint->len ; i++) {
488 cc += snprintf(&s[cc], size - cc, "%02hhx%s",
489 fingerprint->v[i], (i % 2 == 1) ? " " : "");
490 }
491 cc += snprintf(&s[cc], size - cc, "\n");
492 return cc;
493 }
494
495 /* calculate keyid from a pubkey */
496 static int
pgpv_calc_keyid(pgpv_pubkey_t * key)497 pgpv_calc_keyid(pgpv_pubkey_t *key)
498 {
499 pgpv_calc_fingerprint(&key->fingerprint, key);
500 memcpy(key->keyid, &key->fingerprint.v[key->fingerprint.len - PGPV_KEYID_LEN], PGPV_KEYID_LEN);
501 return 1;
502 }
503
504 /* convert a hex string to a 64bit key id (in big endian byte order */
505 static void
str_to_keyid(const char * s,uint8_t * keyid)506 str_to_keyid(const char *s, uint8_t *keyid)
507 {
508 uint64_t u64;
509
510 u64 = (uint64_t)strtoull(s, NULL, 16);
511 u64 = ((u64 & 0x00000000000000FFUL) << 56) |
512 ((u64 & 0x000000000000FF00UL) << 40) |
513 ((u64 & 0x0000000000FF0000UL) << 24) |
514 ((u64 & 0x00000000FF000000UL) << 8) |
515 ((u64 & 0x000000FF00000000UL) >> 8) |
516 ((u64 & 0x0000FF0000000000UL) >> 24) |
517 ((u64 & 0x00FF000000000000UL) >> 40) |
518 ((u64 & 0xFF00000000000000UL) >> 56);
519 memcpy(keyid, &u64, PGPV_KEYID_LEN);
520 }
521
522 #define PKT_ALWAYS_ON 0x80
523 #define PKT_NEWFMT_MASK 0x40
524 #define PKT_NEWFMT_TAG_MASK 0x3f
525 #define PKT_OLDFMT_TAG_MASK 0x3c
526
527 #define SUBPKT_CRITICAL_MASK 0x80
528 #define SUBPKT_TAG_MASK 0x7f
529
530 #define SUBPKT_SIG_BIRTH 2
531 #define SUBPKT_SIG_EXPIRY 3
532 #define SUBPKT_EXPORT_CERT 4
533 #define SUBPKT_TRUST_SIG 5
534 #define SUBPKT_REGEXP 6
535 #define SUBPKT_REVOCABLE 7
536 #define SUBPKT_KEY_EXPIRY 9
537 #define SUBPKT_BWD_COMPAT 10
538 #define SUBPKT_PREF_SYMMETRIC_ALG 11
539 #define SUBPKT_REVOCATION_KEY 12
540 #define SUBPKT_ISSUER 16
541 #define SUBPKT_NOTATION 20
542 #define SUBPKT_PREF_HASH_ALG 21
543 #define SUBPKT_PREF_COMPRESS_ALG 22
544 #define SUBPKT_KEY_SERVER_PREFS 23
545 #define SUBPKT_PREF_KEY_SERVER 24
546 #define SUBPKT_PRIMARY_USER_ID 25
547 #define SUBPKT_POLICY_URI 26
548 #define SUBPKT_KEY_FLAGS 27
549 #define SUBPKT_SIGNER_ID 28
550 #define SUBPKT_REVOCATION_REASON 29
551 #define SUBPKT_FEATURES 30
552 #define SUBPKT_SIGNATURE_TARGET 31
553 #define SUBPKT_EMBEDDED_SIGNATURE 32
554
555 #define UNCOMPRESSED 0
556 #define ZIP_COMPRESSION 1
557 #define ZLIB_COMPRESSION 2
558 #define BZIP2_COMPRESSION 3
559
560 /* get a 16 bit integer, in host order */
561 static uint16_t
get_16(uint8_t * p)562 get_16(uint8_t *p)
563 {
564 uint16_t u16;
565
566 memcpy(&u16, p, sizeof(u16));
567 return ntohs(u16);
568 }
569
570 /* get a 32 bit integer, in host order */
571 static uint32_t
get_32(uint8_t * p)572 get_32(uint8_t *p)
573 {
574 uint32_t u32;
575
576 memcpy(&u32, p, sizeof(u32));
577 return ntohl(u32);
578 }
579
580 #define HOURSECS (int64_t)(60 * 60)
581 #define DAYSECS (int64_t)(24 * 60 * 60)
582 #define MONSECS (int64_t)(30 * DAYSECS)
583 #define YEARSECS (int64_t)(365 * DAYSECS)
584
585 /* format (human readable) time into memory */
586 static size_t
fmt_time(char * s,size_t size,const char * header,int64_t n,const char * trailer,int relative)587 fmt_time(char *s, size_t size, const char *header, int64_t n, const char *trailer, int relative)
588 {
589 struct tm tm;
590 time_t elapsed;
591 time_t now;
592 time_t t;
593 size_t cc;
594
595 t = (time_t)n;
596 now = time(NULL);
597 elapsed = now - t;
598 gmtime_r(&t, &tm);
599 cc = snprintf(s, size, "%s%04d-%02d-%02d", header,
600 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday);
601 if (relative) {
602 cc += snprintf(&s[cc], size - cc, " (%lldy %lldm %lldd %lldh %s)",
603 llabs((long long)elapsed / YEARSECS),
604 llabs(((long long)elapsed % YEARSECS) / MONSECS),
605 llabs(((long long)elapsed % MONSECS) / DAYSECS),
606 llabs(((long long)elapsed % DAYSECS) / HOURSECS),
607 (now > t) ? "ago" : "ahead");
608 }
609 cc += snprintf(&s[cc], size - cc, "%s", trailer);
610 return cc;
611 }
612
613 /* dump key mpis to stdout */
614 static void
print_key_mpis(pgpv_bignum_t * v,uint8_t keyalg)615 print_key_mpis(pgpv_bignum_t *v, uint8_t keyalg)
616 {
617 char s[8192];
618
619 switch(keyalg) {
620 case PUBKEY_RSA_ENCRYPT_OR_SIGN:
621 case PUBKEY_RSA_ENCRYPT:
622 case PUBKEY_RSA_SIGN:
623 fmt_mpi(s, sizeof(s), &v[RSA_N], "rsa.n", 1);
624 printf("%s", s);
625 fmt_mpi(s, sizeof(s), &v[RSA_E], "rsa.e", 1);
626 printf("%s", s);
627 break;
628 case PUBKEY_ELGAMAL_ENCRYPT:
629 fmt_mpi(s, sizeof(s), &v[ELGAMAL_P], "elgamal.p", 1);
630 printf("%s", s);
631 fmt_mpi(s, sizeof(s), &v[ELGAMAL_Y], "elgamal.y", 1);
632 printf("%s", s);
633 break;
634 case PUBKEY_DSA:
635 fmt_mpi(s, sizeof(s), &v[DSA_P], "dsa.p", 1);
636 printf("%s", s);
637 fmt_mpi(s, sizeof(s), &v[DSA_Q], "dsa.q", 1);
638 printf("%s", s);
639 fmt_mpi(s, sizeof(s), &v[DSA_G], "dsa.g", 1);
640 printf("%s", s);
641 fmt_mpi(s, sizeof(s), &v[DSA_Y], "dsa.y", 1);
642 printf("%s", s);
643 break;
644 default:
645 printf("hi, unusual keyalg %u\n", keyalg);
646 break;
647 }
648 }
649
650 /* get an mpi, including 2 byte length */
651 static int
get_mpi(pgpv_bignum_t * mpi,uint8_t * p,size_t pktlen,size_t * off)652 get_mpi(pgpv_bignum_t *mpi, uint8_t *p, size_t pktlen, size_t *off)
653 {
654 size_t bytes;
655
656 mpi->bits = get_16(p);
657 if ((bytes = (size_t)BITS_TO_BYTES(mpi->bits)) > pktlen) {
658 return 0;
659 }
660 *off += sizeof(mpi->bits);
661 mpi->bn = BN_bin2bn(&p[sizeof(mpi->bits)], (int)bytes, NULL);
662 *off += bytes;
663 return 1;
664 }
665
666 /* read mpis in signature */
667 static int
read_signature_mpis(pgpv_sigpkt_t * sigpkt,uint8_t * p,size_t pktlen)668 read_signature_mpis(pgpv_sigpkt_t *sigpkt, uint8_t *p, size_t pktlen)
669 {
670 size_t off;
671
672 off = 0;
673 switch(sigpkt->sig.keyalg) {
674 case PUBKEY_RSA_ENCRYPT_OR_SIGN:
675 case PUBKEY_RSA_SIGN:
676 case PUBKEY_RSA_ENCRYPT:
677 if (!get_mpi(&sigpkt->sig.bn[RSA_SIG], p, pktlen, &off)) {
678 printf("sigpkt->version %d, rsa sig weird\n", sigpkt->sig.version);
679 return 0;
680 }
681 break;
682 case PUBKEY_DSA:
683 case PUBKEY_ECDSA:
684 case PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN: /* deprecated */
685 if (!get_mpi(&sigpkt->sig.bn[DSA_R], p, pktlen, &off) ||
686 !get_mpi(&sigpkt->sig.bn[DSA_S], &p[off], pktlen, &off)) {
687 printf("sigpkt->version %d, dsa/elgamal sig weird\n", sigpkt->sig.version);
688 return 0;
689 }
690 break;
691 default:
692 printf("weird type of sig! %d\n", sigpkt->sig.keyalg);
693 return 0;
694 }
695 return 1;
696 }
697
698 /* add the signature sub packet to the signature packet */
699 static int
add_subpacket(pgpv_sigpkt_t * sigpkt,uint8_t tag,uint8_t * p,uint16_t len)700 add_subpacket(pgpv_sigpkt_t *sigpkt, uint8_t tag, uint8_t *p, uint16_t len)
701 {
702 pgpv_sigsubpkt_t subpkt;
703
704 memset(&subpkt, 0x0, sizeof(subpkt));
705 subpkt.s.size = len;
706 subpkt.critical = 0;
707 subpkt.tag = tag;
708 subpkt.s.data = p;
709 ARRAY_APPEND(sigpkt->subpkts, subpkt);
710 return 1;
711 }
712
713 /* read the subpackets in the signature */
714 static int
read_sig_subpackets(pgpv_sigpkt_t * sigpkt,uint8_t * p,size_t pktlen)715 read_sig_subpackets(pgpv_sigpkt_t *sigpkt, uint8_t *p, size_t pktlen)
716 {
717 pgpv_sigsubpkt_t subpkt;
718 const int is_subpkt = 0;
719 unsigned lenlen;
720 unsigned i;
721 uint8_t *start;
722
723 start = p;
724 for (i = 0 ; (unsigned)(p - start) < sigpkt->subslen ; i++) {
725 memset(&subpkt, 0x0, sizeof(subpkt));
726 subpkt.s.size = get_pkt_len(1, p, 0, is_subpkt);
727 lenlen = get_pkt_len_len(1, p, is_subpkt);
728 if (lenlen > pktlen) {
729 printf("weird lenlen %u\n", lenlen);
730 return 0;
731 }
732 p += lenlen;
733 subpkt.critical = (*p & SUBPKT_CRITICAL_MASK);
734 subpkt.tag = (*p & SUBPKT_TAG_MASK);
735 p += 1;
736 switch(subpkt.tag) {
737 case SUBPKT_SIG_BIRTH:
738 sigpkt->sig.birth = (int64_t)get_32(p);
739 break;
740 case SUBPKT_SIG_EXPIRY:
741 sigpkt->sig.expiry = (int64_t)get_32(p);
742 break;
743 case SUBPKT_KEY_EXPIRY:
744 sigpkt->sig.keyexpiry = (int64_t)get_32(p);
745 break;
746 case SUBPKT_ISSUER:
747 sigpkt->sig.signer = p;
748 break;
749 case SUBPKT_SIGNER_ID:
750 sigpkt->sig.signer = p;
751 break;
752 case SUBPKT_TRUST_SIG:
753 sigpkt->sig.trustsig = *p;
754 break;
755 case SUBPKT_REGEXP:
756 sigpkt->sig.regexp = (char *)(void *)p;
757 break;
758 case SUBPKT_REVOCABLE:
759 sigpkt->sig.revocable = *p;
760 break;
761 case SUBPKT_PREF_SYMMETRIC_ALG:
762 sigpkt->sig.pref_symm_alg = *p;
763 break;
764 case SUBPKT_REVOCATION_KEY:
765 sigpkt->sig.revoke_sensitive = (*p & 0x40);
766 sigpkt->sig.revoke_alg = p[1];
767 sigpkt->sig.revoke_fingerprint = &p[2];
768 break;
769 case SUBPKT_NOTATION:
770 sigpkt->sig.notation = *p;
771 break;
772 case SUBPKT_PREF_HASH_ALG:
773 sigpkt->sig.pref_hash_alg = *p;
774 break;
775 case SUBPKT_PREF_COMPRESS_ALG:
776 sigpkt->sig.pref_compress_alg = *p;
777 break;
778 case SUBPKT_PREF_KEY_SERVER:
779 sigpkt->sig.pref_key_server = (char *)(void *)p;
780 break;
781 case SUBPKT_KEY_SERVER_PREFS:
782 sigpkt->sig.key_server_modify = *p;
783 break;
784 case SUBPKT_KEY_FLAGS:
785 sigpkt->sig.type_key = *p;
786 break;
787 case SUBPKT_PRIMARY_USER_ID:
788 sigpkt->sig.primary_userid = *p;
789 break;
790 case SUBPKT_POLICY_URI:
791 sigpkt->sig.policy = (char *)(void *)p;
792 break;
793 case SUBPKT_FEATURES:
794 sigpkt->sig.features = (char *)(void *)p;
795 break;
796 case SUBPKT_REVOCATION_REASON:
797 sigpkt->sig.revoked = *p++ + 1;
798 sigpkt->sig.why_revoked = (char *)(void *)p;
799 break;
800 default:
801 printf("Ignoring unusual/reserved signature subpacket %d\n", subpkt.tag);
802 break;
803 }
804 subpkt.s.data = p;
805 p += subpkt.s.size - 1;
806 ARRAY_APPEND(sigpkt->subpkts, subpkt);
807 }
808 return 1;
809 }
810
811 /* parse signature packet */
812 static int
read_sigpkt(pgpv_t * pgp,uint8_t mement,pgpv_sigpkt_t * sigpkt,uint8_t * p,size_t pktlen)813 read_sigpkt(pgpv_t *pgp, uint8_t mement, pgpv_sigpkt_t *sigpkt, uint8_t *p, size_t pktlen)
814 {
815 unsigned lenlen;
816 uint8_t *base;
817
818 make_ref(pgp, mement, &sigpkt->sig.hashstart);
819 base = p;
820 switch(sigpkt->sig.version = *p++) {
821 case 2:
822 case 3:
823 if ((lenlen = *p++) != 5) {
824 printf("read_sigpkt: hashed length not 5\n");
825 return 0;
826 }
827 sigpkt->sig.hashlen = lenlen;
828 /* put birthtime into a subpacket */
829 sigpkt->sig.type = *p++;
830 add_subpacket(sigpkt, SUBPKT_SIG_BIRTH, p, sizeof(uint32_t));
831 sigpkt->sig.birth = (int64_t)get_32(p);
832 p += sizeof(uint32_t);
833 sigpkt->sig.signer = p;
834 add_subpacket(sigpkt, SUBPKT_SIGNER_ID, p, PGPV_KEYID_LEN);
835 p += PGPV_KEYID_LEN;
836 sigpkt->sig.keyalg = *p++;
837 sigpkt->sig.hashalg = *p++;
838 sigpkt->sig.hash2 = p;
839 if (!read_signature_mpis(sigpkt, sigpkt->sig.mpi = p + 2, pktlen)) {
840 printf("read_sigpkt: can't read sigs v3\n");
841 return 0;
842 }
843 break;
844 case 4:
845 sigpkt->sig.type = *p++;
846 sigpkt->sig.keyalg = *p++;
847 sigpkt->sig.hashalg = *p++;
848 sigpkt->subslen = get_16(p);
849 p += sizeof(sigpkt->subslen);
850 if (!read_sig_subpackets(sigpkt, p, pktlen)) {
851 printf("read_sigpkt: can't read sig subpackets, v4\n");
852 return 0;
853 }
854 if (!sigpkt->sig.signer) {
855 sigpkt->sig.signer = get_ref(&sigpkt->sig.hashstart) + 16;
856 }
857 p += sigpkt->subslen;
858 sigpkt->sig.hashlen = (unsigned)(p - base);
859 sigpkt->unhashlen = get_16(p);
860 p += sizeof(sigpkt->unhashlen) + sigpkt->unhashlen;
861 sigpkt->sig.hash2 = p;
862 if (!read_signature_mpis(sigpkt, sigpkt->sig.mpi = p + 2, pktlen)) {
863 printf("read_sigpkt: can't read sigs, v4\n");
864 return 0;
865 }
866 break;
867 default:
868 printf("read_sigpkt: unusual signature version (%u)\n", sigpkt->sig.version);
869 break;
870 }
871 return 1;
872 }
873
874
875 /* this parses compressed data, decompresses it, and calls the parser again */
876 static int
read_compressed(pgpv_t * pgp,pgpv_compress_t * compressed,uint8_t * p,size_t len)877 read_compressed(pgpv_t *pgp, pgpv_compress_t *compressed, uint8_t *p, size_t len)
878 {
879 pgpv_mem_t *unzmem;
880 bz_stream bz;
881 z_stream z;
882 int ok = 0;
883
884 compressed->compalg = *p;
885 compressed->s.size = len;
886 if ((compressed->s.data = calloc(1, len)) == NULL) {
887 printf("read_compressed: can't allocate %zu length\n", len);
888 return 0;
889 }
890 switch(compressed->compalg) {
891 case UNCOMPRESSED:
892 printf("not implemented %d compression yet\n", compressed->compalg);
893 return 0;
894 default:
895 break;
896 }
897 ARRAY_EXPAND(pgp->areas);
898 ARRAY_COUNT(pgp->areas) += 1;
899 unzmem = &ARRAY_LAST(pgp->areas);
900 unzmem->size = len * 10;
901 unzmem->dealloc = FREE_MEM;
902 if ((unzmem->mem = calloc(1, unzmem->size)) == NULL) {
903 printf("read_compressed: calloc failed!\n");
904 return 0;
905 }
906 switch(compressed->compalg) {
907 case ZIP_COMPRESSION:
908 case ZLIB_COMPRESSION:
909 memset(&z, 0x0, sizeof(z));
910 z.next_in = p + 1;
911 z.avail_in = (unsigned)(len - 1);
912 z.total_in = (unsigned)(len - 1);
913 z.next_out = unzmem->mem;
914 z.avail_out = (unsigned)unzmem->size;
915 z.total_out = (unsigned)unzmem->size;
916 break;
917 case BZIP2_COMPRESSION:
918 memset(&bz, 0x0, sizeof(bz));
919 bz.avail_in = (unsigned)(len - 1);
920 bz.next_in = (char *)(void *)p + 1;
921 bz.next_out = (char *)(void *)unzmem->mem;
922 bz.avail_out = (unsigned)unzmem->size;
923 break;
924 }
925 switch(compressed->compalg) {
926 case ZIP_COMPRESSION:
927 ok = (inflateInit2(&z, -15) == Z_OK);
928 break;
929 case ZLIB_COMPRESSION:
930 ok = (inflateInit(&z) == Z_OK);
931 break;
932 case BZIP2_COMPRESSION:
933 ok = (BZ2_bzDecompressInit(&bz, 1, 0) == BZ_OK);
934 break;
935 }
936 if (!ok) {
937 printf("read_compressed: initialisation failed!\n");
938 return 0;
939 }
940 switch(compressed->compalg) {
941 case ZIP_COMPRESSION:
942 case ZLIB_COMPRESSION:
943 ok = (inflate(&z, Z_FINISH) == Z_STREAM_END);
944 unzmem->size = z.total_out;
945 break;
946 case BZIP2_COMPRESSION:
947 ok = (BZ2_bzDecompress(&bz) == BZ_STREAM_END);
948 unzmem->size = ((uint64_t)bz.total_out_hi32 << 32) | bz.total_out_lo32;
949 break;
950 }
951 if (!ok) {
952 printf("read_compressed: inflate failed!\n");
953 return 0;
954 }
955 return 1;
956 }
957
958 /* parse one pass signature packet */
959 static int
read_onepass_sig(pgpv_onepass_t * onepasspkt,uint8_t * mem)960 read_onepass_sig(pgpv_onepass_t *onepasspkt, uint8_t *mem)
961 {
962 onepasspkt->version = mem[0];
963 onepasspkt->type = mem[1];
964 onepasspkt->hashalg = mem[2];
965 onepasspkt->keyalg = mem[3];
966 memcpy(onepasspkt->keyid, &mem[4], sizeof(onepasspkt->keyid));
967 onepasspkt->nested = mem[12];
968 return 1;
969 }
970
971 /* parse public key packet */
972 static int
read_pubkey(pgpv_pubkey_t * pubkey,uint8_t * mem,size_t pktlen,int pbn)973 read_pubkey(pgpv_pubkey_t *pubkey, uint8_t *mem, size_t pktlen, int pbn)
974 {
975 size_t off;
976
977 off = 0;
978 pubkey->version = mem[off++];
979 pubkey->birth = get_32(&mem[off]);
980 off += 4;
981 if (pubkey->version == 2 || pubkey->version == 3) {
982 pubkey->expiry = get_16(&mem[off]) * DAYSECS;
983 off += 2;
984 }
985 if ((pubkey->keyalg = mem[off++]) == 0) {
986 pubkey->keyalg = PUBKEY_RSA_ENCRYPT_OR_SIGN;
987 printf("got unusual pubkey keyalg %u\n", mem[off - 1]);
988 }
989 switch(pubkey->keyalg) {
990 case PUBKEY_RSA_ENCRYPT_OR_SIGN:
991 case PUBKEY_RSA_ENCRYPT:
992 case PUBKEY_RSA_SIGN:
993 if (!get_mpi(&pubkey->bn[RSA_N], &mem[off], pktlen, &off) ||
994 !get_mpi(&pubkey->bn[RSA_E], &mem[off], pktlen, &off)) {
995 return 0;
996 }
997 break;
998 case PUBKEY_ELGAMAL_ENCRYPT:
999 case PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN:
1000 if (!get_mpi(&pubkey->bn[ELGAMAL_P], &mem[off], pktlen, &off) ||
1001 !get_mpi(&pubkey->bn[ELGAMAL_Y], &mem[off], pktlen, &off)) {
1002 return 0;
1003 }
1004 break;
1005 case PUBKEY_DSA:
1006 if (!get_mpi(&pubkey->bn[DSA_P], &mem[off], pktlen, &off) ||
1007 !get_mpi(&pubkey->bn[DSA_Q], &mem[off], pktlen, &off) ||
1008 !get_mpi(&pubkey->bn[DSA_G], &mem[off], pktlen, &off) ||
1009 !get_mpi(&pubkey->bn[DSA_Y], &mem[off], pktlen, &off)) {
1010 return 0;
1011 }
1012 break;
1013 default:
1014 printf("hi, different type of pubkey here %u\n", pubkey->keyalg);
1015 break;
1016 }
1017 if (pbn) {
1018 print_key_mpis(pubkey->bn, pubkey->keyalg);
1019 }
1020 return 1;
1021 }
1022
1023 /* parse a user attribute */
1024 static int
read_userattr(pgpv_userattr_t * userattr,uint8_t * p,size_t pktlen)1025 read_userattr(pgpv_userattr_t *userattr, uint8_t *p, size_t pktlen)
1026 {
1027 pgpv_string_t subattr;
1028 const int is_subpkt = 0;
1029 const int indian = 1;
1030 unsigned lenlen;
1031 uint16_t imagelen;
1032 size_t cc;
1033
1034 userattr->len = pktlen;
1035 for (cc = 0 ; cc < pktlen ; cc += subattr.size + lenlen + 1) {
1036 subattr.size = get_pkt_len(1, p, 0, is_subpkt);
1037 lenlen = get_pkt_len_len(1, p, is_subpkt);
1038 if (lenlen > pktlen) {
1039 printf("weird lenlen %u\n", lenlen);
1040 return 0;
1041 }
1042 p += lenlen;
1043 if (*p++ != 1) {
1044 printf("image type (%u) != 1. weird packet\n", *(p - 1));
1045 }
1046 memcpy(&imagelen, p, sizeof(imagelen));
1047 if (!*(const char *)(const void *)&indian) {
1048 /* big endian - byteswap length */
1049 imagelen = (((unsigned)imagelen & 0xff) << 8) | (((unsigned)imagelen >> 8) & 0xff);
1050 }
1051 subattr.data = p + 3;
1052 p += subattr.size;
1053 ARRAY_APPEND(userattr->subattrs, subattr);
1054 }
1055 return 1;
1056 }
1057
1058 #define LITDATA_BINARY 'b'
1059 #define LITDATA_TEXT 't'
1060 #define LITDATA_UTF8 'u'
1061
1062 /* parse literal packet */
1063 static int
read_litdata(pgpv_t * pgp,pgpv_litdata_t * litdata,uint8_t * p,size_t size)1064 read_litdata(pgpv_t *pgp, pgpv_litdata_t *litdata, uint8_t *p, size_t size)
1065 {
1066 size_t cc;
1067
1068 cc = 0;
1069 switch(litdata->format = p[cc++]) {
1070 case LITDATA_BINARY:
1071 case LITDATA_TEXT:
1072 case LITDATA_UTF8:
1073 litdata->namelen = 0;
1074 break;
1075 default:
1076 printf("weird litdata format %u\n", litdata->format);
1077 break;
1078 }
1079 litdata->namelen = p[cc++];
1080 litdata->filename = &p[cc];
1081 cc += litdata->namelen;
1082 litdata->secs = get_32(&p[cc]);
1083 cc += 4;
1084 litdata->s.data = &p[cc];
1085 litdata->len = litdata->s.size = size - cc;
1086 litdata->mem = ARRAY_COUNT(pgp->areas) - 1;
1087 litdata->offset = cc;
1088 return 1;
1089 }
1090
1091 /* parse a single packet */
1092 static int
read_pkt(pgpv_t * pgp,pgpv_mem_t * mem)1093 read_pkt(pgpv_t *pgp, pgpv_mem_t *mem)
1094 {
1095 const int isprimary = 1;
1096 pgpv_pkt_t pkt;
1097 pgpv_mem_t *newmem;
1098 unsigned lenlen;
1099 uint8_t ispartial;
1100 size_t size;
1101
1102 memset(&pkt, 0x0, sizeof(pkt));
1103 pkt.tag = mem->mem[mem->cc++];
1104 if (!(pkt.tag & PKT_ALWAYS_ON)) {
1105 printf("BAD PACKET - bit 7 not 1, offset %zu!\n", mem->cc - 1);
1106 }
1107 pkt.newfmt = (pkt.tag & PKT_NEWFMT_MASK);
1108 pkt.tag = (pkt.newfmt) ?
1109 (pkt.tag & PKT_NEWFMT_TAG_MASK) :
1110 (((unsigned)pkt.tag & PKT_OLDFMT_TAG_MASK) >> 2);
1111 ispartial = (pkt.newfmt && IS_PARTIAL(mem->mem[mem->cc]));
1112 pkt.s.size = get_pkt_len(pkt.newfmt, &mem->mem[mem->cc], mem->size - mem->cc, isprimary);
1113 lenlen = get_pkt_len_len(pkt.newfmt, &mem->mem[mem->cc], isprimary);
1114 pkt.offset = mem->cc;
1115 mem->cc += lenlen;
1116 pkt.mement = (uint8_t)(mem - ARRAY_ARRAY(pgp->areas));
1117 pkt.s.data = &mem->mem[mem->cc];
1118 if (strchr(mem->allowed, pkt.tag) == NULL) {
1119 printf("packet %d not allowed for operation %s\n", pkt.tag, pgp->op);
1120 return 0;
1121 }
1122 size = pkt.s.size;
1123 if (ispartial) {
1124 pkt.s.size = fixup_partials(pgp, &mem->mem[mem->cc - lenlen], pkt.s.size, mem->size, &size);
1125 newmem = &ARRAY_LAST(pgp->areas);
1126 pkt.mement = (uint8_t)(newmem - ARRAY_ARRAY(pgp->areas));
1127 pkt.s.data = newmem->mem;
1128 size -= 1;
1129 }
1130 switch(pkt.tag) {
1131 case SIGNATURE_PKT:
1132 if (!read_sigpkt(pgp, pkt.mement, &pkt.u.sigpkt, pkt.s.data, pkt.s.size)) {
1133 return 0;
1134 }
1135 break;
1136 case ONEPASS_SIGNATURE_PKT:
1137 read_onepass_sig(&pkt.u.onepass, pkt.s.data);
1138 break;
1139 case PUBKEY_PKT:
1140 case PUB_SUBKEY_PKT:
1141 break;
1142 case LITDATA_PKT:
1143 read_litdata(pgp, &pkt.u.litdata, pkt.s.data, pkt.s.size);
1144 break;
1145 case TRUST_PKT:
1146 pkt.u.trust.level = pkt.s.data[0];
1147 pkt.u.trust.amount = pkt.s.data[1];
1148 break;
1149 case USERID_PKT:
1150 pkt.u.userid.size = pkt.s.size;
1151 pkt.u.userid.data = pkt.s.data;
1152 break;
1153 case COMPRESSED_DATA_PKT:
1154 read_compressed(pgp, &pkt.u.compressed, pkt.s.data, pkt.s.size);
1155 ARRAY_APPEND(pgp->pkts, pkt);
1156 read_all_packets(pgp, &ARRAY_LAST(pgp->areas), pgp->op);
1157 break;
1158 case USER_ATTRIBUTE_PKT:
1159 read_userattr(&pkt.u.userattr, pkt.s.data, pkt.s.size);
1160 break;
1161 default:
1162 printf("hi, need to implement %d, offset %zu\n", pkt.tag, mem->cc);
1163 break;
1164 }
1165 mem->cc += size;
1166 if (pkt.tag != COMPRESSED_DATA_PKT) {
1167 /* compressed was added earlier to preserve pkt ordering */
1168 ARRAY_APPEND(pgp->pkts, pkt);
1169 }
1170 return 1;
1171 }
1172
1173 /* checks the tag type of a packet */
1174 static int
pkt_is(pgpv_t * pgp,int wanted)1175 pkt_is(pgpv_t *pgp, int wanted)
1176 {
1177 return (ARRAY_ELEMENT(pgp->pkts, pgp->pkt).tag == wanted);
1178 }
1179
1180 /* checks the packet is a signature packet, and the signature type is the expected one */
1181 static int
pkt_sigtype_is(pgpv_t * pgp,int wanted)1182 pkt_sigtype_is(pgpv_t *pgp, int wanted)
1183 {
1184 if (!pkt_is(pgp, SIGNATURE_PKT)) {
1185 return 0;
1186 }
1187 return (ARRAY_ELEMENT(pgp->pkts, pgp->pkt).u.sigpkt.sig.type == wanted);
1188 }
1189
1190 /* check for expected type of packet, and move to the next */
1191 static int
pkt_accept(pgpv_t * pgp,int expected)1192 pkt_accept(pgpv_t *pgp, int expected)
1193 {
1194 int got;
1195
1196 if ((got = ARRAY_ELEMENT(pgp->pkts, pgp->pkt).tag) == expected) {
1197 pgp->pkt += 1;
1198 return 1;
1199 }
1200 printf("problem at token %zu, expcted %d, got %d\n", pgp->pkt, expected, got);
1201 return 0;
1202 }
1203
1204 /* recognise signature (and trust) packet */
1205 static int
recog_signature(pgpv_t * pgp,pgpv_signature_t * signature)1206 recog_signature(pgpv_t *pgp, pgpv_signature_t *signature)
1207 {
1208 if (!pkt_is(pgp, SIGNATURE_PKT)) {
1209 printf("recog_signature: not a signature packet\n");
1210 return 0;
1211 }
1212 memcpy(signature, &ARRAY_ELEMENT(pgp->pkts, pgp->pkt).u.sigpkt.sig, sizeof(*signature));
1213 pgp->pkt += 1;
1214 if (pkt_is(pgp, TRUST_PKT)) {
1215 pkt_accept(pgp, TRUST_PKT);
1216 }
1217 return 1;
1218 }
1219
1220 /* recognise user id packet */
1221 static int
recog_userid(pgpv_t * pgp,pgpv_signed_userid_t * userid)1222 recog_userid(pgpv_t *pgp, pgpv_signed_userid_t *userid)
1223 {
1224 pgpv_signature_t signature;
1225 pgpv_pkt_t *pkt;
1226
1227 memset(userid, 0x0, sizeof(*userid));
1228 if (!pkt_is(pgp, USERID_PKT)) {
1229 printf("recog_userid: not %d\n", USERID_PKT);
1230 return 0;
1231 }
1232 pkt = &ARRAY_ELEMENT(pgp->pkts, pgp->pkt);
1233 userid->userid.size = pkt->s.size;
1234 userid->userid.data = pkt->s.data;
1235 pgp->pkt += 1;
1236 while (pkt_is(pgp, SIGNATURE_PKT)) {
1237 if (!recog_signature(pgp, &signature)) {
1238 printf("recog_userid: can't recognise signature/trust\n");
1239 return 0;
1240 }
1241 ARRAY_APPEND(userid->sigs, signature);
1242 if (signature.primary_userid) {
1243 userid->primary_userid = signature.primary_userid;
1244 }
1245 if (signature.revoked) {
1246 userid->revoked = signature.revoked;
1247 }
1248 }
1249 return 1;
1250 }
1251
1252 /* recognise user attributes packet */
1253 static int
recog_userattr(pgpv_t * pgp,pgpv_signed_userattr_t * userattr)1254 recog_userattr(pgpv_t *pgp, pgpv_signed_userattr_t *userattr)
1255 {
1256 pgpv_signature_t signature;
1257
1258 memset(userattr, 0x0, sizeof(*userattr));
1259 if (!pkt_is(pgp, USER_ATTRIBUTE_PKT)) {
1260 printf("recog_userattr: not %d\n", USER_ATTRIBUTE_PKT);
1261 return 0;
1262 }
1263 userattr->userattr = ARRAY_ELEMENT(pgp->pkts, pgp->pkt).u.userattr;
1264 pgp->pkt += 1;
1265 while (pkt_is(pgp, SIGNATURE_PKT)) {
1266 if (!recog_signature(pgp, &signature)) {
1267 printf("recog_userattr: can't recognise signature/trust\n");
1268 return 0;
1269 }
1270 ARRAY_APPEND(userattr->sigs, signature);
1271 if (signature.revoked) {
1272 userattr->revoked = signature.revoked;
1273 }
1274 }
1275 return 1;
1276 }
1277
1278 /* recognise a sub key */
1279 static int
recog_subkey(pgpv_t * pgp,pgpv_signed_subkey_t * subkey)1280 recog_subkey(pgpv_t *pgp, pgpv_signed_subkey_t *subkey)
1281 {
1282 pgpv_signature_t signature;
1283 pgpv_pkt_t *pkt;
1284
1285 pkt = &ARRAY_ELEMENT(pgp->pkts, pgp->pkt);
1286 memset(subkey, 0x0, sizeof(*subkey));
1287 read_pubkey(&subkey->subkey, pkt->s.data, pkt->s.size, 0);
1288 pgp->pkt += 1;
1289 if (pkt_sigtype_is(pgp, SIGTYPE_KEY_REVOCATION) ||
1290 pkt_sigtype_is(pgp, SIGTYPE_SUBKEY_REVOCATION) ||
1291 pkt_sigtype_is(pgp, SIGTYPE_CERT_REVOCATION)) {
1292 recog_signature(pgp, &signature);
1293 subkey->revoc_self_sig = signature;
1294 }
1295 do {
1296 if (!pkt_is(pgp, SIGNATURE_PKT)) {
1297 printf("recog_subkey: not signature packet at %zu\n", pgp->pkt);
1298 return 0;
1299 }
1300 if (!recog_signature(pgp, &signature)) {
1301 printf("recog_subkey: bad signature/trust at %zu\n", pgp->pkt);
1302 return 0;
1303 }
1304 ARRAY_APPEND(subkey->sigs, signature);
1305 if (signature.keyexpiry) {
1306 /* XXX - check it's a good key expiry */
1307 subkey->subkey.expiry = signature.keyexpiry;
1308 }
1309 } while (pkt_is(pgp, SIGNATURE_PKT));
1310 return 1;
1311 }
1312
1313 /* use a sparse map for the text strings here to save space */
1314 static const char *keyalgs[] = {
1315 "[Unknown]",
1316 "RSA (Encrypt or Sign)",
1317 "RSA (Encrypt Only)",
1318 "RSA (Sign Only)",
1319 "Elgamal (Encrypt Only)",
1320 "DSA",
1321 "Elliptic Curve",
1322 "ECDSA",
1323 "Elgamal (Encrypt or Sign)"
1324 };
1325
1326 #define MAX_KEYALG 21
1327
1328 static const char *keyalgmap = "\0\01\02\03\0\0\0\0\0\0\0\0\0\0\0\0\04\05\06\07\010\011";
1329
1330 /* return human readable name for key algorithm */
1331 static const char *
fmtkeyalg(uint8_t keyalg)1332 fmtkeyalg(uint8_t keyalg)
1333 {
1334 return keyalgs[(uint8_t)keyalgmap[(keyalg >= MAX_KEYALG) ? 0 : keyalg]];
1335 }
1336
1337 /* return the number of bits in the public key */
1338 static unsigned
numkeybits(const pgpv_pubkey_t * pubkey)1339 numkeybits(const pgpv_pubkey_t *pubkey)
1340 {
1341 switch(pubkey->keyalg) {
1342 case PUBKEY_RSA_ENCRYPT_OR_SIGN:
1343 case PUBKEY_RSA_ENCRYPT:
1344 case PUBKEY_RSA_SIGN:
1345 return pubkey->bn[RSA_N].bits;
1346 case PUBKEY_DSA:
1347 case PUBKEY_ECDSA:
1348 return BITS_TO_BYTES(pubkey->bn[DSA_Q].bits) * 64;
1349 case PUBKEY_ELGAMAL_ENCRYPT:
1350 case PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN:
1351 return pubkey->bn[ELGAMAL_P].bits;
1352 default:
1353 return 0;
1354 }
1355 }
1356
1357 /* print a public key */
1358 static size_t
fmt_pubkey(char * s,size_t size,pgpv_pubkey_t * pubkey,const char * leader)1359 fmt_pubkey(char *s, size_t size, pgpv_pubkey_t *pubkey, const char *leader)
1360 {
1361 size_t cc;
1362
1363 cc = snprintf(s, size, "%s %u/%s ", leader, numkeybits(pubkey), fmtkeyalg(pubkey->keyalg));
1364 cc += fmt_binary(&s[cc], size - cc, pubkey->keyid, PGPV_KEYID_LEN);
1365 cc += fmt_time(&s[cc], size - cc, " ", pubkey->birth, "", 0);
1366 if (pubkey->expiry) {
1367 cc += fmt_time(&s[cc], size - cc, " [Expiry ", pubkey->birth + pubkey->expiry, "]", 0);
1368 }
1369 cc += snprintf(&s[cc], size - cc, "\n");
1370 cc += fmt_fingerprint(&s[cc], size - cc, &pubkey->fingerprint, "fingerprint: ");
1371 return cc;
1372 }
1373
1374 /* we add 1 to revocation value to denote compromised */
1375 #define COMPROMISED (0x02 + 1)
1376
1377 /* format a userid - used to order the userids when formatting */
1378 static size_t
fmt_userid(char * s,size_t size,pgpv_primarykey_t * primary,uint8_t u)1379 fmt_userid(char *s, size_t size, pgpv_primarykey_t *primary, uint8_t u)
1380 {
1381 pgpv_signed_userid_t *userid;
1382
1383 userid = &ARRAY_ELEMENT(primary->signed_userids, u);
1384 return snprintf(s, size, "uid %.*s%s\n",
1385 (int)userid->userid.size, userid->userid.data,
1386 (userid->revoked == COMPROMISED) ? " [COMPROMISED AND REVOKED]" :
1387 (userid->revoked) ? " [REVOKED]" : "");
1388 }
1389
1390 /* print a primary key, per RFC 4880 */
1391 static size_t
fmt_primary(char * s,size_t size,pgpv_primarykey_t * primary)1392 fmt_primary(char *s, size_t size, pgpv_primarykey_t *primary)
1393 {
1394 unsigned i;
1395 size_t cc;
1396
1397 cc = fmt_pubkey(s, size, &primary->primary, "signature ");
1398 cc += fmt_userid(&s[cc], size - cc, primary, primary->primary_userid);
1399 for (i = 0 ; i < ARRAY_COUNT(primary->signed_userids) ; i++) {
1400 if (i != primary->primary_userid) {
1401 cc += fmt_userid(&s[cc], size - cc, primary, i);
1402 }
1403 }
1404 for (i = 0 ; i < ARRAY_COUNT(primary->signed_subkeys) ; i++) {
1405 cc += fmt_pubkey(&s[cc], size - cc, &ARRAY_ELEMENT(primary->signed_subkeys, i).subkey, "encryption");
1406 }
1407 cc += snprintf(&s[cc], size - cc, "\n");
1408 return cc;
1409 }
1410
1411
1412 /* check the padding on the signature */
1413 static int
rsa_padding_check_none(uint8_t * to,int tlen,const uint8_t * from,int flen,int num)1414 rsa_padding_check_none(uint8_t *to, int tlen, const uint8_t *from, int flen, int num)
1415 {
1416 USE_ARG(num);
1417 if (flen > tlen) {
1418 printf("from length larger than to length\n");
1419 return -1;
1420 }
1421 (void) memset(to, 0x0, tlen - flen);
1422 (void) memcpy(to + tlen - flen, from, flen);
1423 return tlen;
1424 }
1425
1426 #define RSA_MAX_MODULUS_BITS 16384
1427 #define RSA_SMALL_MODULUS_BITS 3072
1428 #define RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
1429
1430 /* check against the exponent/moudulo operation */
1431 static int
lowlevel_rsa_public_check(const uint8_t * encbuf,int enclen,uint8_t * dec,const rsa_pubkey_t * rsa)1432 lowlevel_rsa_public_check(const uint8_t *encbuf, int enclen, uint8_t *dec, const rsa_pubkey_t *rsa)
1433 {
1434 uint8_t *decbuf;
1435 BIGNUM *decbn;
1436 BIGNUM *encbn;
1437 int decbytes;
1438 int nbytes;
1439 int r;
1440
1441 nbytes = 0;
1442 r = -1;
1443 decbuf = NULL;
1444 decbn = encbn = NULL;
1445 if (BN_num_bits(rsa->n) > RSA_MAX_MODULUS_BITS) {
1446 printf("rsa r modulus too large\n");
1447 goto err;
1448 }
1449 if (BN_cmp(rsa->n, rsa->e) <= 0) {
1450 printf("rsa r bad n value\n");
1451 goto err;
1452 }
1453 if (BN_num_bits(rsa->n) > RSA_SMALL_MODULUS_BITS &&
1454 BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) {
1455 printf("rsa r bad exponent limit\n");
1456 goto err;
1457 }
1458 if ((encbn = BN_new()) == NULL ||
1459 (decbn = BN_new()) == NULL ||
1460 (decbuf = calloc(1, nbytes = BN_num_bytes(rsa->n))) == NULL) {
1461 printf("allocation failure\n");
1462 goto err;
1463 }
1464 if (enclen > nbytes) {
1465 printf("rsa r > mod len\n");
1466 goto err;
1467 }
1468 if (BN_bin2bn(encbuf, enclen, encbn) == NULL) {
1469 printf("null encrypted BN\n");
1470 goto err;
1471 }
1472 if (BN_cmp(encbn, rsa->n) >= 0) {
1473 printf("rsa r data too large for modulus\n");
1474 goto err;
1475 }
1476 if (BN_mod_exp(decbn, encbn, rsa->e, rsa->n, NULL) < 0) {
1477 printf("BN_mod_exp < 0\n");
1478 goto err;
1479 }
1480 decbytes = BN_num_bytes(decbn);
1481 (void) BN_bn2bin(decbn, decbuf);
1482 if ((r = rsa_padding_check_none(dec, nbytes, decbuf, decbytes, 0)) < 0) {
1483 printf("rsa r padding check failed\n");
1484 }
1485 err:
1486 BN_free(encbn);
1487 BN_free(decbn);
1488 if (decbuf != NULL) {
1489 (void) memset(decbuf, 0x0, nbytes);
1490 free(decbuf);
1491 }
1492 return r;
1493 }
1494
1495 /* verify */
1496 static int
rsa_public_decrypt(int enclen,const unsigned char * enc,unsigned char * dec,RSA * rsa,int padding)1497 rsa_public_decrypt(int enclen, const unsigned char *enc, unsigned char *dec, RSA *rsa, int padding)
1498 {
1499 rsa_pubkey_t pub;
1500 int ret;
1501
1502 if (enc == NULL || dec == NULL || rsa == NULL) {
1503 return 0;
1504 }
1505 USE_ARG(padding);
1506 (void) memset(&pub, 0x0, sizeof(pub));
1507 pub.n = BN_dup(rsa->n);
1508 pub.e = BN_dup(rsa->e);
1509 ret = lowlevel_rsa_public_check(enc, enclen, dec, &pub);
1510 BN_free(pub.n);
1511 BN_free(pub.e);
1512 return ret;
1513 }
1514
1515 #define SUBKEY_LEN(x) (80 + 80)
1516 #define SIG_LEN 80
1517 #define UID_LEN 80
1518
1519 /* return worst case number of bytes needed to format a primary key */
1520 static size_t
estimate_primarykey_size(pgpv_primarykey_t * primary)1521 estimate_primarykey_size(pgpv_primarykey_t *primary)
1522 {
1523 size_t cc;
1524
1525 cc = SUBKEY_LEN("signature") +
1526 (ARRAY_COUNT(primary->signed_userids) * UID_LEN) +
1527 (ARRAY_COUNT(primary->signed_subkeys) * SUBKEY_LEN("encrypt uids"));
1528 return cc;
1529 }
1530
1531 /* use public decrypt to verify a signature */
1532 static int
pgpv_rsa_public_decrypt(uint8_t * out,const uint8_t * in,size_t length,const pgpv_pubkey_t * pubkey)1533 pgpv_rsa_public_decrypt(uint8_t *out, const uint8_t *in, size_t length, const pgpv_pubkey_t *pubkey)
1534 {
1535 RSA *orsa;
1536 int n;
1537
1538 if ((orsa = calloc(1, sizeof(*orsa))) == NULL) {
1539 return 0;
1540 }
1541 orsa->n = pubkey->bn[RSA_N].bn;
1542 orsa->e = pubkey->bn[RSA_E].bn;
1543 n = rsa_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING);
1544 orsa->n = orsa->e = NULL;
1545 free(orsa);
1546 return n;
1547 }
1548
1549 /* verify rsa signature */
1550 static int
rsa_verify(uint8_t * calculated,unsigned calclen,uint8_t hashalg,pgpv_bignum_t * bn,pgpv_pubkey_t * pubkey)1551 rsa_verify(uint8_t *calculated, unsigned calclen, uint8_t hashalg, pgpv_bignum_t *bn, pgpv_pubkey_t *pubkey)
1552 {
1553 unsigned prefixlen;
1554 unsigned decryptc;
1555 unsigned i;
1556 uint8_t decrypted[8192];
1557 uint8_t sigbn[8192];
1558 uint8_t prefix[64];
1559 size_t keysize;
1560
1561 keysize = BITS_TO_BYTES(pubkey->bn[RSA_N].bits);
1562 BN_bn2bin(bn[RSA_SIG].bn, sigbn);
1563 decryptc = pgpv_rsa_public_decrypt(decrypted, sigbn, BITS_TO_BYTES(bn[RSA_SIG].bits), pubkey);
1564 if (decryptc != keysize || (decrypted[0] != 0 || decrypted[1] != 1)) {
1565 return 0;
1566 }
1567 if ((prefixlen = digest_get_prefix((unsigned)hashalg, prefix, sizeof(prefix))) == 0) {
1568 printf("rsa_verify: unknown hash algorithm: %d\n", hashalg);
1569 return 0;
1570 }
1571 for (i = 2 ; i < keysize - prefixlen - calclen - 1 ; i++) {
1572 if (decrypted[i] != 0xff) {
1573 return 0;
1574 }
1575 }
1576 if (decrypted[i++] != 0x0) {
1577 return 0;
1578 }
1579 if (memcmp(&decrypted[i], prefix, prefixlen) != 0) {
1580 printf("rsa_verify: wrong hash algorithm\n");
1581 return 0;
1582 }
1583 return memcmp(&decrypted[i + prefixlen], calculated, calclen) == 0;
1584 }
1585
1586 /* return 1 if bn <= 0 */
1587 static int
bignum_is_bad(BIGNUM * bn)1588 bignum_is_bad(BIGNUM *bn)
1589 {
1590 return BN_is_zero(bn) || BN_is_negative(bn);
1591 }
1592
1593 #define BAD_BIGNUM(s, k) \
1594 (bignum_is_bad((s)->bn) || BN_cmp((s)->bn, (k)->bn) >= 0)
1595
1596 #ifndef DSA_MAX_MODULUS_BITS
1597 #define DSA_MAX_MODULUS_BITS 10000
1598 #endif
1599
1600 /* verify DSA signature */
1601 static int
verify_dsa_sig(uint8_t * calculated,unsigned calclen,pgpv_bignum_t * sig,pgpv_pubkey_t * pubkey)1602 verify_dsa_sig(uint8_t *calculated, unsigned calclen, pgpv_bignum_t *sig, pgpv_pubkey_t *pubkey)
1603 {
1604 unsigned qbits;
1605 uint8_t calcnum[128];
1606 uint8_t signum[128];
1607 BIGNUM *M;
1608 BIGNUM *W;
1609 BIGNUM *t1;
1610 int ret;
1611
1612 if (pubkey->bn[DSA_P].bn == NULL ||
1613 pubkey->bn[DSA_Q].bn == NULL ||
1614 pubkey->bn[DSA_G].bn == NULL) {
1615 return 0;
1616 }
1617 M = W = t1 = NULL;
1618 qbits = pubkey->bn[DSA_Q].bits;
1619 switch(qbits) {
1620 case 160:
1621 case 224:
1622 case 256:
1623 break;
1624 default:
1625 printf("dsa: bad # of Q bits\n");
1626 return 0;
1627 }
1628 if (pubkey->bn[DSA_P].bits > DSA_MAX_MODULUS_BITS) {
1629 printf("dsa: p too large\n");
1630 return 0;
1631 }
1632 if (calclen > SHA256_DIGEST_LENGTH) {
1633 printf("dsa: digest too long\n");
1634 return 0;
1635 }
1636 ret = 0;
1637 if ((M = BN_new()) == NULL || (W = BN_new()) == NULL || (t1 = BN_new()) == NULL ||
1638 BAD_BIGNUM(&sig[DSA_R], &pubkey->bn[DSA_Q]) ||
1639 BAD_BIGNUM(&sig[DSA_S], &pubkey->bn[DSA_Q]) ||
1640 BN_mod_inverse(W, sig[DSA_S].bn, pubkey->bn[DSA_Q].bn, NULL) == NULL) {
1641 goto done;
1642 }
1643 if (calclen > qbits / 8) {
1644 calclen = qbits / 8;
1645 }
1646 if (BN_bin2bn(calculated, (int)calclen, M) == NULL ||
1647 !BN_mod_mul(M, M, W, pubkey->bn[DSA_Q].bn, NULL) ||
1648 !BN_mod_mul(W, sig[DSA_R].bn, W, pubkey->bn[DSA_Q].bn, NULL) ||
1649 !BN_mod_exp(t1, pubkey->bn[DSA_G].bn, M, pubkey->bn[DSA_P].bn, NULL) ||
1650 !BN_mod_exp(W, pubkey->bn[DSA_Y].bn, W, pubkey->bn[DSA_P].bn, NULL) ||
1651 !BN_mod_mul(t1, t1, W, pubkey->bn[DSA_P].bn, NULL) ||
1652 !BN_div(NULL, t1, t1, pubkey->bn[DSA_Q].bn, NULL)) {
1653 goto done;
1654 }
1655 /* only compare the first q bits */
1656 BN_bn2bin(t1, calcnum);
1657 BN_bn2bin(sig[DSA_R].bn, signum);
1658 ret = memcmp(calcnum, signum, BITS_TO_BYTES(qbits)) == 0;
1659 done:
1660 if (M) {
1661 BN_free(M);
1662 }
1663 if (W) {
1664 BN_free(W);
1665 }
1666 if (t1) {
1667 BN_free(t1);
1668 }
1669 return ret;
1670 }
1671
1672 #define TIME_SNPRINTF(_cc, _buf, _size, _fmt, _val) do { \
1673 time_t _t; \
1674 char *_s; \
1675 \
1676 _t = _val; \
1677 _s = ctime(&_t); \
1678 _cc += snprintf(_buf, _size, _fmt, _s); \
1679 } while(/*CONSTCOND*/0)
1680
1681 /* check dates on signature and key are valid */
1682 static size_t
valid_dates(pgpv_signature_t * signature,pgpv_pubkey_t * pubkey,char * buf,size_t size)1683 valid_dates(pgpv_signature_t *signature, pgpv_pubkey_t *pubkey, char *buf, size_t size)
1684 {
1685 time_t now;
1686 time_t t;
1687 size_t cc;
1688
1689 cc = 0;
1690 if (signature->birth < pubkey->birth) {
1691 TIME_SNPRINTF(cc, buf, size, "Signature time (%.24s) was before pubkey creation ", signature->birth);
1692 TIME_SNPRINTF(cc, &buf[cc], size - cc, "(%s)\n", pubkey->birth);
1693 return cc;
1694 }
1695 now = time(NULL);
1696 if (signature->expiry != 0) {
1697 if ((t = signature->birth + signature->expiry) < now) {
1698 TIME_SNPRINTF(cc, buf, size, "Signature expired on %.24s\n", t);
1699 return cc;
1700 }
1701 }
1702 if (now < signature->birth) {
1703 TIME_SNPRINTF(cc, buf, size, "Signature not valid before %.24s\n", signature->birth);
1704 return cc;
1705 }
1706 return 0;
1707 }
1708
1709 /* check if the signing key has expired */
1710 static int
key_expired(pgpv_pubkey_t * pubkey,char * buf,size_t size)1711 key_expired(pgpv_pubkey_t *pubkey, char *buf, size_t size)
1712 {
1713 time_t now;
1714 time_t t;
1715 size_t cc;
1716
1717 now = time(NULL);
1718 cc = 0;
1719 if (pubkey->expiry != 0) {
1720 if ((t = pubkey->birth + pubkey->expiry) < now) {
1721 TIME_SNPRINTF(cc, buf, size, "Pubkey expired on %.24s\n", t);
1722 return (int)cc;
1723 }
1724 }
1725 if (now < pubkey->birth) {
1726 TIME_SNPRINTF(cc, buf, size, "Pubkey not valid before %.24s\n", pubkey->birth);
1727 return (int)cc;
1728 }
1729 return 0;
1730 }
1731
1732 /* find the leading onepass packet */
1733 static size_t
find_onepass(pgpv_cursor_t * cursor,size_t datastart)1734 find_onepass(pgpv_cursor_t *cursor, size_t datastart)
1735 {
1736 size_t pkt;
1737
1738 for (pkt = datastart ; pkt < ARRAY_COUNT(cursor->pgp->pkts) ; pkt++) {
1739 if (ARRAY_ELEMENT(cursor->pgp->pkts, pkt).tag == ONEPASS_SIGNATURE_PKT) {
1740 return pkt + 1;
1741 }
1742 }
1743 snprintf(cursor->why, sizeof(cursor->why), "No signature to verify");
1744 return 0;
1745 }
1746
1747 static const char *armor_begins[] = {
1748 "-----BEGIN PGP SIGNED MESSAGE-----\n",
1749 "-----BEGIN PGP MESSAGE-----\n",
1750 NULL
1751 };
1752
1753 /* return non-zero if the buf introduces an armored message */
1754 static int
is_armored(const char * buf,size_t size)1755 is_armored(const char *buf, size_t size)
1756 {
1757 const char **arm;
1758 const char *nl;
1759 size_t n;
1760
1761 if ((nl = memchr(buf, '\n', size)) == NULL) {
1762 return 0;
1763 }
1764 n = (size_t)(nl - buf);
1765 for (arm = armor_begins ; *arm ; arm++) {
1766 if (strncmp(buf, *arm, n) == 0) {
1767 return 1;
1768 }
1769 }
1770 return 0;
1771 }
1772
1773 #define SIGSTART "-----BEGIN PGP SIGNATURE-----\n"
1774 #define SIGEND "-----END PGP SIGNATURE-----\n"
1775
1776 /* for ascii armor, we don't get a onepass packet - make one */
1777 static const char *cons_onepass = "\304\015\003\0\0\0\0\377\377\377\377\377\377\377\377\1";
1778
1779 /* read ascii armor */
1780 static int
read_ascii_armor(pgpv_cursor_t * cursor,pgpv_mem_t * mem,const char * filename)1781 read_ascii_armor(pgpv_cursor_t *cursor, pgpv_mem_t *mem, const char *filename)
1782 {
1783 pgpv_onepass_t *onepass;
1784 pgpv_sigpkt_t *sigpkt;
1785 pgpv_pkt_t litdata;
1786 uint8_t binsig[8192];
1787 uint8_t *datastart;
1788 uint8_t *sigend;
1789 uint8_t *p;
1790 size_t binsigsize;
1791
1792 /* cons up litdata pkt */
1793 memset(&litdata, 0x0, sizeof(litdata));
1794 litdata.u.litdata.mem = ARRAY_COUNT(cursor->pgp->areas) - 1;
1795 p = mem->mem;
1796 /* jump over signed message line */
1797 if ((p = memmem(mem->mem, mem->size, "\n\n", 2)) == NULL) {
1798 snprintf(cursor->why, sizeof(cursor->why), "malformed armor at offset 0");
1799 return 0;
1800 }
1801 p += 2;
1802 litdata.tag = LITDATA_PKT;
1803 litdata.s.data = p;
1804 litdata.u.litdata.offset = (size_t)(p - mem->mem);
1805 litdata.u.litdata.filename = (uint8_t *)strdup(filename);
1806 if ((p = memmem(datastart = p, mem->size - litdata.offset, SIGSTART, strlen(SIGSTART))) == NULL) {
1807 snprintf(cursor->why, sizeof(cursor->why),
1808 "malformed armor - no sig - at %zu", (size_t)(p - mem->mem));
1809 return 0;
1810 }
1811 litdata.u.litdata.len = litdata.s.size = (size_t)(p - datastart);
1812 p += strlen(SIGSTART);
1813 if ((p = memmem(p, mem->size, "\n\n", 2)) == NULL) {
1814 snprintf(cursor->why, sizeof(cursor->why),
1815 "malformed armed signature at %zu", (size_t)(p - mem->mem));
1816 return 0;
1817 }
1818 p += 2;
1819 sigend = memmem(p, mem->size, SIGEND, strlen(SIGEND));
1820 binsigsize = b64decode((char *)p, (size_t)(sigend - p), binsig, sizeof(binsig));
1821
1822 read_binary_memory(cursor->pgp, "signature", cons_onepass, 15);
1823 ARRAY_APPEND(cursor->pgp->pkts, litdata);
1824 read_binary_memory(cursor->pgp, "signature", binsig, binsigsize - 3);
1825 /* XXX - hardwired - 3 is format and length */
1826
1827 /* fix up packets in the packet array now we have them there */
1828 onepass = &ARRAY_ELEMENT(cursor->pgp->pkts, ARRAY_COUNT(cursor->pgp->pkts) - 1 - 2).u.onepass;
1829 sigpkt = &ARRAY_LAST(cursor->pgp->pkts).u.sigpkt;
1830 memcpy(onepass->keyid, sigpkt->sig.signer, sizeof(onepass->keyid));
1831 onepass->hashalg = sigpkt->sig.hashalg;
1832 onepass->keyalg = sigpkt->sig.keyalg;
1833 return 1;
1834 }
1835
1836 /* read ascii armor from a file */
1837 static int
read_ascii_armor_file(pgpv_cursor_t * cursor,const char * filename)1838 read_ascii_armor_file(pgpv_cursor_t *cursor, const char *filename)
1839 {
1840 /* cons up litdata pkt */
1841 read_file(cursor->pgp, filename);
1842 return read_ascii_armor(cursor, &ARRAY_LAST(cursor->pgp->areas), filename);
1843 }
1844
1845 /* read ascii armor from memory */
1846 static int
read_ascii_armor_memory(pgpv_cursor_t * cursor,const void * p,size_t size)1847 read_ascii_armor_memory(pgpv_cursor_t *cursor, const void *p, size_t size)
1848 {
1849 pgpv_mem_t *mem;
1850
1851 /* cons up litdata pkt */
1852 ARRAY_EXPAND(cursor->pgp->areas);
1853 ARRAY_COUNT(cursor->pgp->areas) += 1;
1854 mem = &ARRAY_LAST(cursor->pgp->areas);
1855 memset(mem, 0x0, sizeof(*mem));
1856 mem->size = size;
1857 mem->mem = __UNCONST(p);
1858 mem->dealloc = 0;
1859 return read_ascii_armor(cursor, mem, "[stdin]");
1860 }
1861
1862 /* set up the data to verify */
1863 static int
setup_data(pgpv_cursor_t * cursor,pgpv_t * pgp,const void * p,ssize_t size)1864 setup_data(pgpv_cursor_t *cursor, pgpv_t *pgp, const void *p, ssize_t size)
1865 {
1866 FILE *fp;
1867 char buf[BUFSIZ];
1868
1869 if (cursor == NULL || pgp == NULL || p == NULL) {
1870 return 0;
1871 }
1872 memset(cursor, 0x0, sizeof(*cursor));
1873 ARRAY_APPEND(pgp->datastarts, pgp->pkt);
1874 cursor->pgp = pgp;
1875 if (size < 0) {
1876 /* we have a file name in p */
1877 if ((fp = fopen(p, "r")) == NULL) {
1878 snprintf(cursor->why, sizeof(cursor->why), "No such file '%s'", (const char *)p);
1879 return 0;
1880 }
1881 if (fgets(buf, (int)sizeof(buf), fp) == NULL) {
1882 fclose(fp);
1883 snprintf(cursor->why, sizeof(cursor->why), "can't read file '%s'", (const char *)p);
1884 return 0;
1885 }
1886 if (is_armored(buf, sizeof(buf))) {
1887 read_ascii_armor_file(cursor, p);
1888 } else {
1889 read_binary_file(pgp, "signature", "%s", (const char *)p);
1890 }
1891 fclose(fp);
1892 } else {
1893 if (is_armored(p, (size_t)size)) {
1894 read_ascii_armor_memory(cursor, p, (size_t)size);
1895 } else {
1896 read_binary_memory(pgp, "signature", p, (size_t)size);
1897 }
1898 }
1899 return 1;
1900 }
1901
1902 /* get the data and size from litdata packet */
1903 static uint8_t *
get_literal_data(pgpv_cursor_t * cursor,pgpv_litdata_t * litdata,size_t * size)1904 get_literal_data(pgpv_cursor_t *cursor, pgpv_litdata_t *litdata, size_t *size)
1905 {
1906 pgpv_mem_t *mem;
1907
1908 if (litdata->s.data == NULL && litdata->s.size == 0) {
1909 mem = &ARRAY_ELEMENT(cursor->pgp->areas, litdata->mem);
1910 *size = litdata->len;
1911 return &mem->mem[litdata->offset];
1912 }
1913 *size = litdata->s.size;
1914 return litdata->s.data;
1915 }
1916
1917 /*
1918 RFC 4880 describes the structure of v4 keys as:
1919
1920 Primary-Key
1921 [Revocation Self Signature]
1922 [Direct Key Signature...]
1923 User ID [Signature ...]
1924 [User ID [Signature ...] ...]
1925 [User Attribute [Signature ...] ...]
1926 [[Subkey [Binding-Signature-Revocation]
1927 Primary-Key-Binding-Signature] ...]
1928
1929 and that's implemented below as a recursive descent parser.
1930 It has had to be modified, though: see the comment
1931
1932 some keys out there have user ids where they shouldn't
1933
1934 to look like:
1935
1936 Primary-Key
1937 [Revocation Self Signature]
1938 [Direct Key Signature...]
1939 [User ID [Signature ...]
1940 [User ID [Signature ...] ...]
1941 [User Attribute [Signature ...] ...]
1942 [Subkey [Binding-Signature-Revocation]
1943 Primary-Key-Binding-Signature] ...]
1944
1945 to accommodate keyrings set up by gpg
1946 */
1947
1948 /* recognise a primary key */
1949 static int
recog_primary_key(pgpv_t * pgp,pgpv_primarykey_t * primary)1950 recog_primary_key(pgpv_t *pgp, pgpv_primarykey_t *primary)
1951 {
1952 pgpv_signed_userattr_t userattr;
1953 pgpv_signed_userid_t userid;
1954 pgpv_signed_subkey_t subkey;
1955 pgpv_signature_t signature;
1956 pgpv_pkt_t *pkt;
1957
1958 pkt = &ARRAY_ELEMENT(pgp->pkts, pgp->pkt);
1959 memset(primary, 0x0, sizeof(*primary));
1960 read_pubkey(&primary->primary, pkt->s.data, pkt->s.size, 0);
1961 pgp->pkt += 1;
1962 if (pkt_sigtype_is(pgp, SIGTYPE_KEY_REVOCATION)) {
1963 if (!recog_signature(pgp, &primary->revoc_self_sig)) {
1964 printf("recog_primary_key: no signature/trust at PGPV_SIGTYPE_KEY_REVOCATION\n");
1965 return 0;
1966 }
1967 }
1968 while (pkt_sigtype_is(pgp, SIGTYPE_DIRECT_KEY)) {
1969 if (!recog_signature(pgp, &signature)) {
1970 printf("recog_primary_key: no signature/trust at PGPV_SIGTYPE_DIRECT_KEY\n");
1971 return 0;
1972 }
1973 if (signature.keyexpiry) {
1974 /* XXX - check it's a good key expiry */
1975 primary->primary.expiry = signature.keyexpiry;
1976 }
1977 ARRAY_APPEND(primary->direct_sigs, signature);
1978 }
1979 /* some keys out there have user ids where they shouldn't */
1980 do {
1981 if (!recog_userid(pgp, &userid)) {
1982 printf("recog_primary_key: not userid\n");
1983 return 0;
1984 }
1985 ARRAY_APPEND(primary->signed_userids, userid);
1986 if (userid.primary_userid) {
1987 primary->primary_userid = ARRAY_COUNT(primary->signed_userids) - 1;
1988 }
1989 while (pkt_is(pgp, USERID_PKT)) {
1990 if (!recog_userid(pgp, &userid)) {
1991 printf("recog_primary_key: not signed secondary userid\n");
1992 return 0;
1993 }
1994 ARRAY_APPEND(primary->signed_userids, userid);
1995 if (userid.primary_userid) {
1996 primary->primary_userid = ARRAY_COUNT(primary->signed_userids) - 1;
1997 }
1998 }
1999 while (pkt_is(pgp, USER_ATTRIBUTE_PKT)) {
2000 if (!recog_userattr(pgp, &userattr)) {
2001 printf("recog_primary_key: not signed user attribute\n");
2002 return 0;
2003 }
2004 ARRAY_APPEND(primary->signed_userattrs, userattr);
2005 }
2006 while (pkt_is(pgp, PUB_SUBKEY_PKT)) {
2007 if (!recog_subkey(pgp, &subkey)) {
2008 printf("recog_primary_key: not signed public subkey\n");
2009 return 0;
2010 }
2011 pgpv_calc_keyid(&subkey.subkey);
2012 ARRAY_APPEND(primary->signed_subkeys, subkey);
2013 }
2014 } while (pgp->pkt < ARRAY_COUNT(pgp->pkts) && pkt_is(pgp, USERID_PKT));
2015 primary->fmtsize = estimate_primarykey_size(primary);
2016 return 1;
2017 }
2018
2019 /* parse all of the packets for a given operation */
2020 static int
read_all_packets(pgpv_t * pgp,pgpv_mem_t * mem,const char * op)2021 read_all_packets(pgpv_t *pgp, pgpv_mem_t *mem, const char *op)
2022 {
2023 pgpv_primarykey_t primary;
2024
2025 if (op == NULL) {
2026 return 0;
2027 }
2028 if (strcmp(pgp->op = op, "pubring") == 0) {
2029 mem->allowed = PUBRING_ALLOWED;
2030 /* pubrings have thousands of small packets */
2031 ARRAY_EXPAND_SIZED(pgp->pkts, 0, 5000);
2032 } else if (strcmp(op, "signature") == 0) {
2033 mem->allowed = SIGNATURE_ALLOWED;
2034 } else {
2035 mem->allowed = "";
2036 }
2037 for (mem->cc = 0; mem->cc < mem->size ; ) {
2038 if (!read_pkt(pgp, mem)) {
2039 return 0;
2040 }
2041 }
2042 if (strcmp(op, "pubring") == 0) {
2043 for (pgp->pkt = 0; pgp->pkt < ARRAY_COUNT(pgp->pkts) && recog_primary_key(pgp, &primary) ; ) {
2044 pgpv_calc_keyid(&primary.primary);
2045 ARRAY_APPEND(pgp->primaries, primary);
2046 }
2047 if (pgp->pkt < ARRAY_COUNT(pgp->pkts)) {
2048 printf("short pubring recognition???\n");
2049 }
2050 }
2051 pgp->pkt = ARRAY_COUNT(pgp->pkts);
2052 return 1;
2053 }
2054
2055 /* create a filename, read it, and then parse according to "op" */
2056 static int
read_binary_file(pgpv_t * pgp,const char * op,const char * fmt,...)2057 read_binary_file(pgpv_t *pgp, const char *op, const char *fmt, ...)
2058 {
2059 va_list args;
2060 char buf[1024];
2061
2062 va_start(args, fmt);
2063 vsnprintf(buf, sizeof(buf), fmt, args);
2064 va_end(args);
2065 if (!read_file(pgp, buf)) {
2066 return 0;
2067 }
2068 return read_all_packets(pgp, &ARRAY_LAST(pgp->areas), op);
2069 }
2070
2071 /* parse memory according to "op" */
2072 static int
read_binary_memory(pgpv_t * pgp,const char * op,const void * memory,size_t size)2073 read_binary_memory(pgpv_t *pgp, const char *op, const void *memory, size_t size)
2074 {
2075 pgpv_mem_t *mem;
2076
2077 ARRAY_EXPAND(pgp->areas);
2078 ARRAY_COUNT(pgp->areas) += 1;
2079 mem = &ARRAY_LAST(pgp->areas);
2080 memset(mem, 0x0, sizeof(*mem));
2081 mem->size = size;
2082 mem->mem = __UNCONST(memory);
2083 mem->dealloc = 0;
2084 return read_all_packets(pgp, mem, op);
2085 }
2086
2087 /* fixup the detached signature packets */
2088 static int
fixup_detached(pgpv_cursor_t * cursor,const char * f)2089 fixup_detached(pgpv_cursor_t *cursor, const char *f)
2090 {
2091 pgpv_onepass_t *onepass;
2092 const char *dot;
2093 pgpv_pkt_t sigpkt;
2094 pgpv_pkt_t litdata;
2095 pgpv_mem_t *mem;
2096 size_t el;
2097 char original[MAXPATHLEN];
2098
2099 /* cons up litdata pkt */
2100 if ((dot = strrchr(f, '.')) == NULL || strcasecmp(dot, ".sig") != 0) {
2101 printf("weird filename '%s'\n", f);
2102 return 0;
2103 }
2104 /* hold sigpkt in a temp var while we insert onepass and litdata */
2105 el = ARRAY_COUNT(cursor->pgp->pkts) - 1;
2106 sigpkt = ARRAY_ELEMENT(cursor->pgp->pkts, el);
2107 ARRAY_DELETE(cursor->pgp->pkts, el);
2108 ARRAY_EXPAND(cursor->pgp->pkts);
2109 /* get onepass packet, append to packets */
2110 read_binary_memory(cursor->pgp, "signature", cons_onepass, 15);
2111 onepass = &ARRAY_ELEMENT(cursor->pgp->pkts, el).u.onepass;
2112 /* read the original file into litdata */
2113 snprintf(original, sizeof(original), "%.*s", (int)(dot - f), f);
2114 if (!read_file(cursor->pgp, original)) {
2115 printf("can't read file '%s'\n", original);
2116 return 0;
2117 }
2118 memset(&litdata, 0x0, sizeof(litdata));
2119 mem = &ARRAY_LAST(cursor->pgp->areas);
2120 litdata.tag = LITDATA_PKT;
2121 litdata.s.data = mem->mem;
2122 litdata.u.litdata.format = LITDATA_BINARY;
2123 litdata.u.litdata.offset = 0;
2124 litdata.u.litdata.filename = (uint8_t *)strdup(original);
2125 litdata.u.litdata.mem = ARRAY_COUNT(cursor->pgp->areas) - 1;
2126 litdata.u.litdata.len = litdata.s.size = mem->size;
2127 ARRAY_APPEND(cursor->pgp->pkts, litdata);
2128 ARRAY_APPEND(cursor->pgp->pkts, sigpkt);
2129 memcpy(onepass->keyid, sigpkt.u.sigpkt.sig.signer, sizeof(onepass->keyid));
2130 onepass->hashalg = sigpkt.u.sigpkt.sig.hashalg;
2131 onepass->keyalg = sigpkt.u.sigpkt.sig.keyalg;
2132 return 1;
2133 }
2134
2135 /* match the calculated signature against the oen in the signature packet */
2136 static int
match_sig(pgpv_cursor_t * cursor,pgpv_signature_t * signature,pgpv_pubkey_t * pubkey,uint8_t * data,size_t size)2137 match_sig(pgpv_cursor_t *cursor, pgpv_signature_t *signature, pgpv_pubkey_t *pubkey, uint8_t *data, size_t size)
2138 {
2139 unsigned calclen;
2140 uint8_t calculated[64];
2141 int match;
2142
2143 calclen = pgpv_digest_memory(calculated, sizeof(calculated),
2144 data, size,
2145 get_ref(&signature->hashstart), signature->hashlen,
2146 (signature->type == SIGTYPE_TEXT) ? 't' : 'b');
2147 if (ALG_IS_RSA(signature->keyalg)) {
2148 match = rsa_verify(calculated, calclen, signature->hashalg, signature->bn, pubkey);
2149 } else if (ALG_IS_DSA(signature->keyalg)) {
2150 match = verify_dsa_sig(calculated, calclen, signature->bn, pubkey);
2151 } else {
2152 snprintf(cursor->why, sizeof(cursor->why), "Signature type %u not recognised", signature->keyalg);
2153 return 0;
2154 }
2155 if (!match && signature->type == SIGTYPE_TEXT) {
2156 /* second try for cleartext data, ignoring trailing whitespace */
2157 calclen = pgpv_digest_memory(calculated, sizeof(calculated),
2158 data, size,
2159 get_ref(&signature->hashstart), signature->hashlen, 'w');
2160 if (ALG_IS_RSA(signature->keyalg)) {
2161 match = rsa_verify(calculated, calclen, signature->hashalg, signature->bn, pubkey);
2162 } else if (ALG_IS_DSA(signature->keyalg)) {
2163 match = verify_dsa_sig(calculated, calclen, signature->bn, pubkey);
2164 }
2165 }
2166 if (!match) {
2167 snprintf(cursor->why, sizeof(cursor->why), "Signature on data did not match");
2168 return 0;
2169 }
2170 if (valid_dates(signature, pubkey, cursor->why, sizeof(cursor->why)) > 0) {
2171 return 0;
2172 }
2173 if (key_expired(pubkey, cursor->why, sizeof(cursor->why))) {
2174 return 0;
2175 }
2176 if (signature->revoked) {
2177 snprintf(cursor->why, sizeof(cursor->why), "Signature was revoked");
2178 return 0;
2179 }
2180 return 1;
2181 }
2182
2183 /* check return value from getenv */
2184 static const char *
nonnull_getenv(const char * key)2185 nonnull_getenv(const char *key)
2186 {
2187 char *value;
2188
2189 return ((value = getenv(key)) == NULL) ? "" : value;
2190 }
2191
2192 /************************************************************************/
2193 /* start of exported functions */
2194 /************************************************************************/
2195
2196 /* close all stuff */
2197 int
pgpv_close(pgpv_t * pgp)2198 pgpv_close(pgpv_t *pgp)
2199 {
2200 unsigned i;
2201
2202 if (pgp == NULL) {
2203 return 0;
2204 }
2205 for (i = 0 ; i < ARRAY_COUNT(pgp->areas) ; i++) {
2206 if (ARRAY_ELEMENT(pgp->areas, i).size > 0) {
2207 closemem(&ARRAY_ELEMENT(pgp->areas, i));
2208 }
2209 }
2210 return 1;
2211 }
2212
2213 /* return the formatted entry for the primary key desired */
2214 size_t
pgpv_get_entry(pgpv_t * pgp,unsigned ent,char ** ret)2215 pgpv_get_entry(pgpv_t *pgp, unsigned ent, char **ret)
2216 {
2217 size_t cc;
2218
2219 if (ret == NULL || pgp == NULL || ent >= ARRAY_COUNT(pgp->primaries)) {
2220 return 0;
2221 }
2222 *ret = NULL;
2223 cc = ARRAY_ELEMENT(pgp->primaries, ent).fmtsize;
2224 if ((*ret = calloc(1, cc)) == NULL) {
2225 return 0;
2226 }
2227 return fmt_primary(*ret, cc, &ARRAY_ELEMENT(pgp->primaries, ent));
2228 }
2229
2230 /* find key id */
2231 int
pgpv_find_keyid(pgpv_t * pgp,const char * strkeyid,uint8_t * keyid)2232 pgpv_find_keyid(pgpv_t *pgp, const char *strkeyid, uint8_t *keyid)
2233 {
2234 unsigned i;
2235 uint8_t binkeyid[PGPV_KEYID_LEN];
2236 size_t off;
2237 size_t cmp;
2238
2239 if (strkeyid == NULL && keyid == NULL) {
2240 return 0;
2241 }
2242 if (strkeyid) {
2243 str_to_keyid(strkeyid, binkeyid);
2244 cmp = strlen(strkeyid) / 2;
2245 } else {
2246 memcpy(binkeyid, keyid, sizeof(binkeyid));
2247 cmp = PGPV_KEYID_LEN;
2248 }
2249 off = PGPV_KEYID_LEN - cmp;
2250 for (i = 0 ; i < ARRAY_COUNT(pgp->primaries) ; i++) {
2251 if (memcmp(&ARRAY_ELEMENT(pgp->primaries, i).primary.keyid[off], &binkeyid[off], cmp) == 0) {
2252 return i;
2253 }
2254 }
2255 return -1;
2256 }
2257
2258 /* verify the signed packets we have */
2259 size_t
pgpv_verify(pgpv_cursor_t * cursor,pgpv_t * pgp,const void * p,ssize_t size)2260 pgpv_verify(pgpv_cursor_t *cursor, pgpv_t *pgp, const void *p, ssize_t size)
2261 {
2262 pgpv_signature_t *signature;
2263 pgpv_onepass_t *onepass;
2264 pgpv_litdata_t *litdata;
2265 pgpv_pubkey_t *pubkey;
2266 unsigned primary;
2267 uint8_t *data;
2268 size_t pkt;
2269 size_t insize;
2270 char strkeyid[PGPV_STR_KEYID_LEN];
2271 int j;
2272
2273 if (cursor == NULL || pgp == NULL || p == NULL) {
2274 return 0;
2275 }
2276 if (!setup_data(cursor, pgp, p, size)) {
2277 snprintf(cursor->why, sizeof(cursor->why), "No input data");
2278 return 0;
2279 }
2280 if (ARRAY_COUNT(cursor->pgp->pkts) == ARRAY_LAST(cursor->pgp->datastarts) + 1) {
2281 /* got detached signature here */
2282 if (!fixup_detached(cursor, p)) {
2283 snprintf(cursor->why, sizeof(cursor->why), "Can't read signed file '%s'", (const char *)p);
2284 return 0;
2285 }
2286 }
2287 if ((pkt = find_onepass(cursor, ARRAY_LAST(cursor->pgp->datastarts))) == 0) {
2288 snprintf(cursor->why, sizeof(cursor->why), "No signature found");
2289 return 0;
2290 }
2291 pkt -= 1;
2292 onepass = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt).u.onepass;
2293 litdata = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt + 1).u.litdata;
2294 signature = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt + 2).u.sigpkt.sig;
2295 /* sanity check values in signature and onepass agree */
2296 if (signature->birth == 0) {
2297 fmt_time(cursor->why, sizeof(cursor->why), "Signature creation time [",
2298 signature->birth, "] out of range", 0);
2299 return 0;
2300 }
2301 if (memcmp(onepass->keyid, signature->signer, PGPV_KEYID_LEN) != 0) {
2302 fmt_binary(strkeyid, sizeof(strkeyid), onepass->keyid, (unsigned)sizeof(onepass->keyid));
2303 snprintf(cursor->why, sizeof(cursor->why), "Signature key id %s does not match onepass keyid",
2304 strkeyid);
2305 return 0;
2306 }
2307 if (onepass->hashalg != signature->hashalg) {
2308 snprintf(cursor->why, sizeof(cursor->why), "Signature hashalg %u does not match onepass hashalg %u",
2309 signature->hashalg, onepass->hashalg);
2310 return 0;
2311 }
2312 if (onepass->keyalg != signature->keyalg) {
2313 snprintf(cursor->why, sizeof(cursor->why), "Signature keyalg %u does not match onepass keyalg %u",
2314 signature->keyalg, onepass->keyalg);
2315 return 0;
2316 }
2317 if ((j = pgpv_find_keyid(cursor->pgp, NULL, onepass->keyid)) < 0) {
2318 fmt_binary(strkeyid, sizeof(strkeyid), onepass->keyid, (unsigned)sizeof(onepass->keyid));
2319 snprintf(cursor->why, sizeof(cursor->why), "Signature key id %s not found ", strkeyid);
2320 return 0;
2321 }
2322 primary = (unsigned)j;
2323 pubkey = &ARRAY_ELEMENT(cursor->pgp->primaries, primary).primary;
2324 cursor->sigtime = signature->birth;
2325 /* calc hash on data packet */
2326 data = get_literal_data(cursor, litdata, &insize);
2327 if (!match_sig(cursor, signature, pubkey, data, insize)) {
2328 return 0;
2329 }
2330 ARRAY_APPEND(cursor->datacookies, pkt);
2331 ARRAY_APPEND(cursor->found, primary);
2332 return pkt + 1;
2333 }
2334
2335 /* set up the pubkey keyring */
2336 int
pgpv_read_pubring(pgpv_t * pgp,const void * keyring,ssize_t size)2337 pgpv_read_pubring(pgpv_t *pgp, const void *keyring, ssize_t size)
2338 {
2339 if (pgp == NULL) {
2340 return 0;
2341 }
2342 if (keyring) {
2343 return (size > 0) ?
2344 read_binary_memory(pgp, "pubring", keyring, (size_t)size) :
2345 read_binary_file(pgp, "pubring", "%s", (const char *)keyring);
2346 }
2347 return read_binary_file(pgp, "pubring", "%s/%s", nonnull_getenv("HOME"), ".gnupg/pubring.gpg");
2348 }
2349
2350 /* get verified data as a string, return its size */
2351 size_t
pgpv_get_verified(pgpv_cursor_t * cursor,size_t cookie,char ** ret)2352 pgpv_get_verified(pgpv_cursor_t *cursor, size_t cookie, char **ret)
2353 {
2354 pgpv_litdata_t *litdata;
2355 uint8_t *data;
2356 size_t size;
2357 size_t pkt;
2358
2359 if (ret == NULL || cursor == NULL || cookie == 0) {
2360 return 0;
2361 }
2362 *ret = NULL;
2363 if ((pkt = find_onepass(cursor, cookie - 1)) == 0) {
2364 return 0;
2365 }
2366 litdata = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt).u.litdata;
2367 data = get_literal_data(cursor, litdata, &size);
2368 if ((*ret = calloc(1, size)) == NULL) {
2369 return 0;
2370 }
2371 memcpy(*ret, data, size);
2372 return size;
2373 }
2374