1 /*- 2 * Copyright (c) 2009 The NetBSD Foundation, Inc. 3 * All rights reserved. 4 * 5 * This code is derived from software contributed to The NetBSD Foundation 6 * by Alistair Crooks (agc@NetBSD.org) 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 /* 30 * Copyright (c) 2005-2008 Nominet UK (www.nic.uk) 31 * All rights reserved. 32 * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted 33 * their moral rights under the UK Copyright Design and Patents Act 1988 to 34 * be recorded as the authors of this copyright work. 35 * 36 * Licensed under the Apache License, Version 2.0 (the "License"); you may not 37 * use this file except in compliance with the License. 38 * 39 * You may obtain a copy of the License at 40 * http://www.apache.org/licenses/LICENSE-2.0 41 * 42 * Unless required by applicable law or agreed to in writing, software 43 * distributed under the License is distributed on an "AS IS" BASIS, 44 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 45 * 46 * See the License for the specific language governing permissions and 47 * limitations under the License. 48 */ 49 50 /** \file 51 */ 52 #include "config.h" 53 54 #ifdef HAVE_SYS_CDEFS_H 55 #include <sys/cdefs.h> 56 #endif 57 58 #if defined(__NetBSD__) 59 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved."); 60 __RCSID("$NetBSD: create.c,v 1.23 2010/03/05 16:01:09 agc Exp $"); 61 #endif 62 63 #include <sys/types.h> 64 #include <sys/param.h> 65 #include <sys/stat.h> 66 67 #ifdef HAVE_FCNTL_H 68 #include <fcntl.h> 69 #endif 70 71 #include <string.h> 72 73 #ifdef HAVE_UNISTD_H 74 #include <unistd.h> 75 #endif 76 77 #ifdef HAVE_OPENSSL_CAST_H 78 #include <openssl/cast.h> 79 #endif 80 81 #include "create.h" 82 #include "keyring.h" 83 #include "packet.h" 84 #include "signature.h" 85 #include "writer.h" 86 #include "readerwriter.h" 87 #include "memory.h" 88 #include "netpgpdefs.h" 89 #include "netpgpdigest.h" 90 91 /** 92 * \ingroup Core_Create 93 * \param length 94 * \param type 95 * \param output 96 * \return 1 if OK, otherwise 0 97 */ 98 99 unsigned 100 __ops_write_ss_header(__ops_output_t *output, 101 unsigned length, 102 __ops_content_tag_t type) 103 { 104 return __ops_write_length(output, length) && 105 __ops_write_scalar(output, (unsigned)(type - 106 (unsigned)OPS_PTAG_SIG_SUBPKT_BASE), 1); 107 } 108 109 /* 110 * XXX: the general idea of _fast_ is that it doesn't copy stuff the safe 111 * (i.e. non _fast_) version will, and so will also need to be freed. 112 */ 113 114 /** 115 * \ingroup Core_Create 116 * 117 * __ops_fast_create_userid() sets id->userid to the given userid. 118 * This is fast because it is only copying a char*. However, if userid 119 * is changed or freed in the future, this could have injurious results. 120 * \param id 121 * \param userid 122 */ 123 124 void 125 __ops_fast_create_userid(__ops_userid_t *id, uint8_t *userid) 126 { 127 id->userid = userid; 128 } 129 130 /** 131 * \ingroup Core_WritePackets 132 * \brief Writes a User Id packet 133 * \param id 134 * \param output 135 * \return 1 if OK, otherwise 0 136 */ 137 unsigned 138 __ops_write_struct_userid(__ops_output_t *output, __ops_userid_t *id) 139 { 140 return __ops_write_ptag(output, OPS_PTAG_CT_USER_ID) && 141 __ops_write_length(output, strlen((char *) id->userid)) && 142 __ops_write(output, id->userid, strlen((char *) id->userid)); 143 } 144 145 /** 146 * \ingroup Core_WritePackets 147 * \brief Write a User Id packet. 148 * \param userid 149 * \param output 150 * 151 * \return return value from __ops_write_struct_userid() 152 */ 153 unsigned 154 __ops_write_userid(const uint8_t *userid, __ops_output_t *output) 155 { 156 __ops_userid_t id; 157 158 id.userid = __UNCONST(userid); 159 return __ops_write_struct_userid(output, &id); 160 } 161 162 /** 163 \ingroup Core_MPI 164 */ 165 static unsigned 166 mpi_length(const BIGNUM *bn) 167 { 168 return (unsigned)(2 + (BN_num_bits(bn) + 7) / 8); 169 } 170 171 static unsigned 172 pubkey_length(const __ops_pubkey_t *key) 173 { 174 switch (key->alg) { 175 case OPS_PKA_RSA: 176 return mpi_length(key->key.rsa.n) + mpi_length(key->key.rsa.e); 177 178 default: 179 (void) fprintf(stderr, 180 "pubkey_length: unknown key algorithm\n"); 181 } 182 return 0; 183 } 184 185 static unsigned 186 seckey_length(const __ops_seckey_t *key) 187 { 188 int len; 189 190 len = 0; 191 switch (key->pubkey.alg) { 192 case OPS_PKA_RSA: 193 len = mpi_length(key->key.rsa.d) + mpi_length(key->key.rsa.p) + 194 mpi_length(key->key.rsa.q) + mpi_length(key->key.rsa.u); 195 196 return (unsigned)(len + pubkey_length(&key->pubkey)); 197 default: 198 (void) fprintf(stderr, 199 "seckey_length: unknown key algorithm\n"); 200 } 201 return 0; 202 } 203 204 /** 205 * \ingroup Core_Create 206 * \param key 207 * \param t 208 * \param n 209 * \param e 210 */ 211 void 212 __ops_fast_create_rsa_pubkey(__ops_pubkey_t *key, time_t t, 213 BIGNUM *n, BIGNUM *e) 214 { 215 key->version = OPS_V4; 216 key->birthtime = t; 217 key->alg = OPS_PKA_RSA; 218 key->key.rsa.n = n; 219 key->key.rsa.e = e; 220 } 221 222 /* 223 * Note that we support v3 keys here because they're needed for for 224 * verification - the writer doesn't allow them, though 225 */ 226 static unsigned 227 write_pubkey_body(const __ops_pubkey_t *key, __ops_output_t *output) 228 { 229 if (!(__ops_write_scalar(output, (unsigned)key->version, 1) && 230 __ops_write_scalar(output, (unsigned)key->birthtime, 4))) { 231 return 0; 232 } 233 234 if (key->version != 4 && 235 !__ops_write_scalar(output, key->days_valid, 2)) { 236 return 0; 237 } 238 239 if (!__ops_write_scalar(output, (unsigned)key->alg, 1)) { 240 return 0; 241 } 242 243 switch (key->alg) { 244 case OPS_PKA_DSA: 245 return __ops_write_mpi(output, key->key.dsa.p) && 246 __ops_write_mpi(output, key->key.dsa.q) && 247 __ops_write_mpi(output, key->key.dsa.g) && 248 __ops_write_mpi(output, key->key.dsa.y); 249 250 case OPS_PKA_RSA: 251 case OPS_PKA_RSA_ENCRYPT_ONLY: 252 case OPS_PKA_RSA_SIGN_ONLY: 253 return __ops_write_mpi(output, key->key.rsa.n) && 254 __ops_write_mpi(output, key->key.rsa.e); 255 256 case OPS_PKA_ELGAMAL: 257 return __ops_write_mpi(output, key->key.elgamal.p) && 258 __ops_write_mpi(output, key->key.elgamal.g) && 259 __ops_write_mpi(output, key->key.elgamal.y); 260 261 default: 262 (void) fprintf(stderr, 263 "write_pubkey_body: bad algorithm\n"); 264 break; 265 } 266 return 0; 267 } 268 269 /* 270 * Note that we support v3 keys here because they're needed for 271 * verification - the writer doesn't allow them, though 272 */ 273 static unsigned 274 write_seckey_body(const __ops_seckey_t *key, 275 const uint8_t *passphrase, 276 const size_t pplen, 277 __ops_output_t *output) 278 { 279 /* RFC4880 Section 5.5.3 Secret-Key Packet Formats */ 280 281 __ops_crypt_t crypted; 282 __ops_hash_t hash; 283 unsigned done = 0; 284 unsigned i = 0; 285 uint8_t hashed[OPS_SHA1_HASH_SIZE]; 286 uint8_t sesskey[CAST_KEY_LENGTH]; 287 288 if (!write_pubkey_body(&key->pubkey, output)) { 289 return 0; 290 } 291 if (key->s2k_usage != OPS_S2KU_ENCRYPTED_AND_HASHED) { 292 (void) fprintf(stderr, "write_seckey_body: s2k usage\n"); 293 return 0; 294 } 295 if (!__ops_write_scalar(output, (unsigned)key->s2k_usage, 1)) { 296 return 0; 297 } 298 299 if (key->alg != OPS_SA_CAST5) { 300 (void) fprintf(stderr, "write_seckey_body: algorithm\n"); 301 return 0; 302 } 303 if (!__ops_write_scalar(output, (unsigned)key->alg, 1)) { 304 return 0; 305 } 306 307 if (key->s2k_specifier != OPS_S2KS_SIMPLE && 308 key->s2k_specifier != OPS_S2KS_SALTED) { 309 /* = 1 \todo could also be iterated-and-salted */ 310 (void) fprintf(stderr, "write_seckey_body: s2k spec\n"); 311 return 0; 312 } 313 if (!__ops_write_scalar(output, (unsigned)key->s2k_specifier, 1)) { 314 return 0; 315 } 316 317 if (key->hash_alg != OPS_HASH_SHA1) { 318 (void) fprintf(stderr, "write_seckey_body: hash alg\n"); 319 return 0; 320 } 321 if (!__ops_write_scalar(output, (unsigned)key->hash_alg, 1)) { 322 return 0; 323 } 324 325 switch (key->s2k_specifier) { 326 case OPS_S2KS_SIMPLE: 327 /* nothing more to do */ 328 break; 329 330 case OPS_S2KS_SALTED: 331 /* 8-octet salt value */ 332 __ops_random(__UNCONST(&key->salt[0]), OPS_SALT_SIZE); 333 if (!__ops_write(output, key->salt, OPS_SALT_SIZE)) { 334 return 0; 335 } 336 break; 337 338 /* 339 * \todo case OPS_S2KS_ITERATED_AND_SALTED: // 8-octet salt 340 * value // 1-octet count break; 341 */ 342 343 default: 344 (void) fprintf(stderr, 345 "invalid/unsupported s2k specifier %d\n", 346 key->s2k_specifier); 347 return 0; 348 } 349 350 if (!__ops_write(output, &key->iv[0], __ops_block_size(key->alg))) { 351 return 0; 352 } 353 354 /* 355 * create the session key for encrypting the algorithm-specific 356 * fields 357 */ 358 359 switch (key->s2k_specifier) { 360 case OPS_S2KS_SIMPLE: 361 case OPS_S2KS_SALTED: 362 /* RFC4880: section 3.7.1.1 and 3.7.1.2 */ 363 364 for (done = 0, i = 0; done < CAST_KEY_LENGTH; i++) { 365 unsigned j; 366 uint8_t zero = 0; 367 int needed; 368 int size; 369 370 needed = CAST_KEY_LENGTH - done; 371 size = MIN(needed, OPS_SHA1_HASH_SIZE); 372 373 __ops_hash_any(&hash, key->hash_alg); 374 if (!hash.init(&hash)) { 375 (void) fprintf(stderr, "write_seckey_body: bad alloc\n"); 376 return 0; 377 } 378 379 /* preload if iterating */ 380 for (j = 0; j < i; j++) { 381 /* 382 * Coverity shows a DEADCODE error on this 383 * line. This is expected since the hardcoded 384 * use of SHA1 and CAST5 means that it will 385 * not used. This will change however when 386 * other algorithms are supported. 387 */ 388 hash.add(&hash, &zero, 1); 389 } 390 391 if (key->s2k_specifier == OPS_S2KS_SALTED) { 392 hash.add(&hash, key->salt, OPS_SALT_SIZE); 393 } 394 hash.add(&hash, passphrase, pplen); 395 hash.finish(&hash, hashed); 396 397 /* 398 * if more in hash than is needed by session key, use 399 * the leftmost octets 400 */ 401 (void) memcpy(&sesskey[i * OPS_SHA1_HASH_SIZE], 402 hashed, (unsigned)size); 403 done += (unsigned)size; 404 if (done > CAST_KEY_LENGTH) { 405 (void) fprintf(stderr, 406 "write_seckey_body: short add\n"); 407 return 0; 408 } 409 } 410 411 break; 412 413 /* 414 * \todo case OPS_S2KS_ITERATED_AND_SALTED: * 8-octet salt 415 * value * 1-octet count break; 416 */ 417 418 default: 419 (void) fprintf(stderr, 420 "invalid/unsupported s2k specifier %d\n", 421 key->s2k_specifier); 422 return 0; 423 } 424 425 /* use this session key to encrypt */ 426 427 __ops_crypt_any(&crypted, key->alg); 428 crypted.set_iv(&crypted, key->iv); 429 crypted.set_crypt_key(&crypted, sesskey); 430 __ops_encrypt_init(&crypted); 431 432 if (__ops_get_debug_level(__FILE__)) { 433 unsigned i2; 434 435 (void) fprintf(stderr, "\nWRITING:\niv="); 436 for (i2 = 0; i2 < __ops_block_size(key->alg); i2++) { 437 (void) fprintf(stderr, "%02x ", key->iv[i2]); 438 } 439 (void) fprintf(stderr, "\n"); 440 441 (void) fprintf(stderr, "key="); 442 for (i2 = 0; i2 < CAST_KEY_LENGTH; i2++) { 443 (void) fprintf(stderr, "%02x ", sesskey[i2]); 444 } 445 (void) fprintf(stderr, "\n"); 446 447 (void) fprintf(stderr, "turning encryption on...\n"); 448 } 449 __ops_push_enc_crypt(output, &crypted); 450 451 switch (key->pubkey.alg) { 452 /* case OPS_PKA_DSA: */ 453 /* return __ops_write_mpi(output, key->key.dsa.x); */ 454 455 case OPS_PKA_RSA: 456 case OPS_PKA_RSA_ENCRYPT_ONLY: 457 case OPS_PKA_RSA_SIGN_ONLY: 458 459 if (!__ops_write_mpi(output, key->key.rsa.d) || 460 !__ops_write_mpi(output, key->key.rsa.p) || 461 !__ops_write_mpi(output, key->key.rsa.q) || 462 !__ops_write_mpi(output, key->key.rsa.u)) { 463 if (__ops_get_debug_level(__FILE__)) { 464 (void) fprintf(stderr, 465 "4 x mpi not written - problem\n"); 466 } 467 return 0; 468 } 469 break; 470 471 /* case OPS_PKA_ELGAMAL: */ 472 /* return __ops_write_mpi(output, key->key.elgamal.x); */ 473 474 default: 475 return 0; 476 } 477 478 if (!__ops_write(output, key->checkhash, OPS_CHECKHASH_SIZE)) { 479 return 0; 480 } 481 482 __ops_writer_pop(output); 483 484 return 1; 485 } 486 487 /** 488 * \ingroup Core_WritePackets 489 * \brief Writes a Public Key packet 490 * \param key 491 * \param output 492 * \return 1 if OK, otherwise 0 493 */ 494 static unsigned 495 write_struct_pubkey(__ops_output_t *output, const __ops_pubkey_t *key) 496 { 497 if (key->version != 4) { 498 (void) fprintf(stderr, 499 "write_struct_pubkey: wrong key version\n"); 500 return 0; 501 } 502 return __ops_write_ptag(output, OPS_PTAG_CT_PUBLIC_KEY) && 503 __ops_write_length(output, 1 + 4 + 1 + pubkey_length(key)) && 504 write_pubkey_body(key, output); 505 } 506 507 508 /** 509 \ingroup HighLevel_KeyWrite 510 511 \brief Writes a transferable PGP public key to the given output stream. 512 513 \param keydata Key to be written 514 \param armoured Flag is set for armoured output 515 \param output Output stream 516 517 */ 518 519 unsigned 520 __ops_write_xfer_pubkey(__ops_output_t *output, 521 const __ops_key_t *keydata, 522 const unsigned armoured) 523 { 524 unsigned i, j; 525 526 if (armoured) { 527 __ops_writer_push_armoured(output, OPS_PGP_PUBLIC_KEY_BLOCK); 528 } 529 /* public key */ 530 if (!write_struct_pubkey(output, &keydata->key.seckey.pubkey)) { 531 return 0; 532 } 533 534 /* TODO: revocation signatures go here */ 535 536 /* user ids and corresponding signatures */ 537 for (i = 0; i < keydata->uidc; i++) { 538 __ops_userid_t *uid = &keydata->uids[i]; 539 540 if (!__ops_write_struct_userid(output, uid)) { 541 return 0; 542 } 543 544 /* find signature for this packet if it exists */ 545 for (j = 0; j < keydata->sigc; j++) { 546 sigpacket_t *sig = &keydata->sigs[i]; 547 548 if (strcmp((char *) sig->userid->userid, 549 (char *) uid->userid) == 0) { 550 if (!__ops_write(output, sig->packet->raw, 551 sig->packet->length)) { 552 return 0; 553 } 554 } 555 } 556 } 557 558 /* TODO: user attributes and corresponding signatures */ 559 560 /* 561 * subkey packets and corresponding signatures and optional 562 * revocation 563 */ 564 565 if (armoured) { 566 __ops_writer_info_finalise(&output->errors, &output->writer); 567 __ops_writer_pop(output); 568 } 569 return 1; 570 } 571 572 /** 573 \ingroup HighLevel_KeyWrite 574 575 \brief Writes a transferable PGP secret key to the given output stream. 576 577 \param keydata Key to be written 578 \param passphrase 579 \param pplen 580 \param armoured Flag is set for armoured output 581 \param output Output stream 582 583 */ 584 585 unsigned 586 __ops_write_xfer_seckey(__ops_output_t *output, 587 const __ops_key_t *keydata, 588 const uint8_t *passphrase, 589 const size_t pplen, 590 unsigned armoured) 591 { 592 unsigned i, j; 593 594 if (armoured) { 595 __ops_writer_push_armoured(output, OPS_PGP_PRIVATE_KEY_BLOCK); 596 } 597 /* public key */ 598 if (!__ops_write_struct_seckey(&keydata->key.seckey, passphrase, 599 pplen, output)) { 600 return 0; 601 } 602 603 /* TODO: revocation signatures go here */ 604 605 /* user ids and corresponding signatures */ 606 for (i = 0; i < keydata->uidc; i++) { 607 __ops_userid_t *uid = &keydata->uids[i]; 608 609 if (!__ops_write_struct_userid(output, uid)) { 610 return 0; 611 } 612 613 /* find signature for this packet if it exists */ 614 for (j = 0; j < keydata->sigc; j++) { 615 sigpacket_t *sig = &keydata->sigs[i]; 616 617 if (strcmp((char *) sig->userid->userid, 618 (char *) uid->userid) == 0) { 619 if (!__ops_write(output, sig->packet->raw, 620 sig->packet->length)) { 621 return 0; 622 } 623 } 624 } 625 } 626 627 /* TODO: user attributes and corresponding signatures */ 628 629 /* 630 * subkey packets and corresponding signatures and optional 631 * revocation 632 */ 633 634 if (armoured) { 635 __ops_writer_info_finalise(&output->errors, &output->writer); 636 __ops_writer_pop(output); 637 } 638 return 1; 639 } 640 641 /** 642 * \ingroup Core_WritePackets 643 * \brief Writes one RSA public key packet. 644 * \param t Creation time 645 * \param n RSA public modulus 646 * \param e RSA public encryption exponent 647 * \param output Writer settings 648 * 649 * \return 1 if OK, otherwise 0 650 */ 651 652 unsigned 653 __ops_write_rsa_pubkey(time_t t, const BIGNUM *n, 654 const BIGNUM *e, 655 __ops_output_t *output) 656 { 657 __ops_pubkey_t key; 658 659 __ops_fast_create_rsa_pubkey(&key, t, __UNCONST(n), __UNCONST(e)); 660 return write_struct_pubkey(output, &key); 661 } 662 663 /** 664 * \ingroup Core_Create 665 * \param out 666 * \param key 667 * \param make_packet 668 */ 669 670 void 671 __ops_build_pubkey(__ops_memory_t *out, const __ops_pubkey_t *key, 672 unsigned make_packet) 673 { 674 __ops_output_t *output; 675 676 output = __ops_output_new(); 677 __ops_memory_init(out, 128); 678 __ops_writer_set_memory(output, out); 679 write_pubkey_body(key, output); 680 if (make_packet) { 681 __ops_memory_make_packet(out, OPS_PTAG_CT_PUBLIC_KEY); 682 } 683 __ops_output_delete(output); 684 } 685 686 /** 687 * \ingroup Core_Create 688 * 689 * Create an RSA secret key structure. If a parameter is marked as 690 * [OPTIONAL], then it can be omitted and will be calculated from 691 * other params - or, in the case of e, will default to 0x10001. 692 * 693 * Parameters are _not_ copied, so will be freed if the structure is 694 * freed. 695 * 696 * \param key The key structure to be initialised. 697 * \param t 698 * \param d The RSA parameter d (=e^-1 mod (p-1)(q-1)) [OPTIONAL] 699 * \param p The RSA parameter p 700 * \param q The RSA parameter q (q > p) 701 * \param u The RSA parameter u (=p^-1 mod q) [OPTIONAL] 702 * \param n The RSA public parameter n (=p*q) [OPTIONAL] 703 * \param e The RSA public parameter e */ 704 705 void 706 __ops_fast_create_rsa_seckey(__ops_seckey_t *key, time_t t, 707 BIGNUM *d, BIGNUM *p, BIGNUM *q, BIGNUM *u, 708 BIGNUM *n, BIGNUM *e) 709 { 710 __ops_fast_create_rsa_pubkey(&key->pubkey, t, n, e); 711 712 /* XXX: calculate optionals */ 713 key->key.rsa.d = d; 714 key->key.rsa.p = p; 715 key->key.rsa.q = q; 716 key->key.rsa.u = u; 717 718 key->s2k_usage = OPS_S2KU_NONE; 719 720 /* XXX: sanity check and add errors... */ 721 } 722 723 /** 724 * \ingroup Core_WritePackets 725 * \brief Writes a Secret Key packet. 726 * \param key The secret key 727 * \param passphrase The passphrase 728 * \param pplen Length of passphrase 729 * \param output 730 * \return 1 if OK; else 0 731 */ 732 unsigned 733 __ops_write_struct_seckey(const __ops_seckey_t *key, 734 const uint8_t *passphrase, 735 const size_t pplen, 736 __ops_output_t *output) 737 { 738 int length = 0; 739 740 if (key->pubkey.version != 4) { 741 (void) fprintf(stderr, 742 "__ops_write_struct_seckey: public key version\n"); 743 return 0; 744 } 745 746 /* Ref: RFC4880 Section 5.5.3 */ 747 748 /* pubkey, excluding MPIs */ 749 length += 1 + 4 + 1 + 1; 750 751 /* s2k usage */ 752 length += 1; 753 754 switch (key->s2k_usage) { 755 case OPS_S2KU_NONE: 756 /* nothing to add */ 757 break; 758 759 case OPS_S2KU_ENCRYPTED_AND_HASHED: /* 254 */ 760 case OPS_S2KU_ENCRYPTED: /* 255 */ 761 762 /* Ref: RFC4880 Section 3.7 */ 763 length += 1; /* s2k_specifier */ 764 765 switch (key->s2k_specifier) { 766 case OPS_S2KS_SIMPLE: 767 length += 1; /* hash algorithm */ 768 break; 769 770 case OPS_S2KS_SALTED: 771 length += 1 + 8; /* hash algorithm + salt */ 772 break; 773 774 case OPS_S2KS_ITERATED_AND_SALTED: 775 length += 1 + 8 + 1; /* hash algorithm, salt + 776 * count */ 777 break; 778 779 default: 780 (void) fprintf(stderr, 781 "__ops_write_struct_seckey: s2k spec\n"); 782 return 0; 783 } 784 break; 785 786 default: 787 (void) fprintf(stderr, 788 "__ops_write_struct_seckey: s2k usage\n"); 789 return 0; 790 } 791 792 /* IV */ 793 if (key->s2k_usage) { 794 length += __ops_block_size(key->alg); 795 } 796 /* checksum or hash */ 797 switch (key->s2k_usage) { 798 case OPS_S2KU_NONE: 799 case OPS_S2KU_ENCRYPTED: 800 length += 2; 801 break; 802 803 case OPS_S2KU_ENCRYPTED_AND_HASHED: 804 length += OPS_CHECKHASH_SIZE; 805 break; 806 807 default: 808 (void) fprintf(stderr, 809 "__ops_write_struct_seckey: s2k cksum usage\n"); 810 return 0; 811 } 812 813 /* secret key and public key MPIs */ 814 length += (unsigned)seckey_length(key); 815 816 return __ops_write_ptag(output, OPS_PTAG_CT_SECRET_KEY) && 817 /* __ops_write_length(output,1+4+1+1+seckey_length(key)+2) && */ 818 __ops_write_length(output, (unsigned)length) && 819 write_seckey_body(key, passphrase, pplen, output); 820 } 821 822 /** 823 * \ingroup Core_Create 824 * 825 * \brief Create a new __ops_output_t structure. 826 * 827 * \return the new structure. 828 * \note It is the responsiblity of the caller to call __ops_output_delete(). 829 * \sa __ops_output_delete() 830 */ 831 __ops_output_t * 832 __ops_output_new(void) 833 { 834 return calloc(1, sizeof(__ops_output_t)); 835 } 836 837 /** 838 * \ingroup Core_Create 839 * \brief Delete an __ops_output_t strucut and associated resources. 840 * 841 * Delete an __ops_output_t structure. If a writer is active, then 842 * that is also deleted. 843 * 844 * \param info the structure to be deleted. 845 */ 846 void 847 __ops_output_delete(__ops_output_t *output) 848 { 849 __ops_writer_info_delete(&output->writer); 850 free(output); 851 } 852 853 /** 854 \ingroup Core_Create 855 \brief Calculate the checksum for a session key 856 \param sesskey Session Key to use 857 \param cs Checksum to be written 858 \return 1 if OK; else 0 859 */ 860 unsigned 861 __ops_calc_sesskey_checksum(__ops_pk_sesskey_t *sesskey, uint8_t cs[2]) 862 { 863 uint32_t checksum = 0; 864 unsigned i; 865 866 if (!__ops_is_sa_supported(sesskey->symm_alg)) { 867 return 0; 868 } 869 870 for (i = 0; i < __ops_key_size(sesskey->symm_alg); i++) { 871 checksum += sesskey->key[i]; 872 } 873 checksum = checksum % 65536; 874 875 cs[0] = (uint8_t)((checksum >> 8) & 0xff); 876 cs[1] = (uint8_t)(checksum & 0xff); 877 878 if (__ops_get_debug_level(__FILE__)) { 879 (void) fprintf(stderr,"\nm buf checksum: "); 880 (void) fprintf(stderr," %2x",cs[0]); 881 (void) fprintf(stderr," %2x\n",cs[1]); 882 } 883 return 1; 884 } 885 886 static unsigned 887 create_unencoded_m_buf(__ops_pk_sesskey_t *sesskey, uint8_t *m_buf) 888 { 889 int i; 890 891 /* m_buf is the buffer which will be encoded in PKCS#1 block */ 892 /* encoding to form the "m" value used in the */ 893 /* Public Key Encrypted Session Key Packet */ 894 /* 895 * as defined in RFC Section 5.1 "Public-Key Encrypted Session Key 896 * Packet" 897 */ 898 899 m_buf[0] = sesskey->symm_alg; 900 901 if (sesskey->symm_alg != OPS_SA_CAST5) { 902 (void) fprintf(stderr, "create_unencoded_m_buf: symm alg\n"); 903 return 0; 904 } 905 for (i = 0; i < CAST_KEY_LENGTH; i++) { 906 /* XXX - Flexelint - Warning 679: Suspicious Truncation in arithmetic expression combining with pointer */ 907 m_buf[1 + i] = sesskey->key[i]; 908 } 909 910 return (__ops_calc_sesskey_checksum(sesskey, 911 m_buf + 1 + CAST_KEY_LENGTH)); 912 } 913 914 /** 915 \ingroup Core_Create 916 \brief implementation of EME-PKCS1-v1_5-ENCODE, as defined in OpenPGP RFC 917 \param M 918 \param mLen 919 \param pubkey 920 \param EM 921 \return 1 if OK; else 0 922 */ 923 unsigned 924 encode_m_buf(const uint8_t *M, size_t mLen, const __ops_pubkey_t * pubkey, 925 uint8_t *EM) 926 { 927 unsigned k; 928 unsigned i; 929 930 /* implementation of EME-PKCS1-v1_5-ENCODE, as defined in OpenPGP RFC */ 931 932 if (pubkey->alg != OPS_PKA_RSA) { 933 (void) fprintf(stderr, "encode_m_buf: pubkey algorithm\n"); 934 return 0; 935 } 936 937 k = (unsigned)BN_num_bytes(pubkey->key.rsa.n); 938 if (mLen > k - 11) { 939 (void) fprintf(stderr, "encode_m_buf: message too long\n"); 940 return 0; 941 } 942 /* these two bytes defined by RFC */ 943 EM[0] = 0x00; 944 EM[1] = 0x02; 945 946 /* add non-zero random bytes of length k - mLen -3 */ 947 for (i = 2; i < (k - mLen) - 1; ++i) { 948 do { 949 __ops_random(EM + i, 1); 950 } while (EM[i] == 0); 951 } 952 953 if (i < 8 + 2) { 954 (void) fprintf(stderr, "encode_m_buf: bad i len\n"); 955 return 0; 956 } 957 958 EM[i++] = 0; 959 960 (void) memcpy(EM + i, M, mLen); 961 962 if (__ops_get_debug_level(__FILE__)) { 963 unsigned i2; 964 965 (void) fprintf(stderr, "Encoded Message: \n"); 966 for (i2 = 0; i2 < mLen; i2++) { 967 (void) fprintf(stderr, "%2x ", EM[i2]); 968 } 969 (void) fprintf(stderr, "\n"); 970 } 971 return 1; 972 } 973 974 /** 975 \ingroup Core_Create 976 \brief Creates an __ops_pk_sesskey_t struct from keydata 977 \param key Keydata to use 978 \return __ops_pk_sesskey_t struct 979 \note It is the caller's responsiblity to free the returned pointer 980 \note Currently hard-coded to use CAST5 981 \note Currently hard-coded to use RSA 982 */ 983 __ops_pk_sesskey_t * 984 __ops_create_pk_sesskey(const __ops_key_t *key) 985 { 986 /* 987 * Creates a random session key and encrypts it for the given key 988 * 989 * Session Key is for use with a SK algo, 990 * can be any, we're hardcoding CAST5 for now 991 * 992 * Encryption used is PK, 993 * can be any, we're hardcoding RSA for now 994 */ 995 996 #define SZ_UNENCODED_M_BUF (CAST_KEY_LENGTH + 1 + 2) 997 998 const __ops_pubkey_t *pubkey; 999 __ops_pk_sesskey_t *sesskey; 1000 uint8_t unencoded_m_buf[SZ_UNENCODED_M_BUF]; 1001 uint8_t *encoded_m_buf; 1002 size_t sz_encoded_m_buf; 1003 1004 pubkey = __ops_get_pubkey(key); 1005 sz_encoded_m_buf = BN_num_bytes(pubkey->key.rsa.n); 1006 if ((encoded_m_buf = calloc(1, sz_encoded_m_buf)) == NULL) { 1007 (void) fprintf(stderr, 1008 "__ops_create_pk_sesskey: can't allocate\n"); 1009 return NULL; 1010 } 1011 if ((sesskey = calloc(1, sizeof(*sesskey))) == NULL) { 1012 (void) fprintf(stderr, 1013 "__ops_create_pk_sesskey: can't allocate\n"); 1014 free(encoded_m_buf); 1015 return NULL; 1016 } 1017 if (key->type != OPS_PTAG_CT_PUBLIC_KEY) { 1018 (void) fprintf(stderr, 1019 "__ops_create_pk_sesskey: bad type\n"); 1020 free(encoded_m_buf); 1021 free(sesskey); 1022 return NULL; 1023 } 1024 sesskey->version = OPS_PKSK_V3; 1025 (void) memcpy(sesskey->key_id, key->key_id, 1026 sizeof(sesskey->key_id)); 1027 1028 if (__ops_get_debug_level(__FILE__)) { 1029 unsigned i; 1030 1031 (void) fprintf(stderr, "Encrypting for RSA key id : "); 1032 for (i = 0; i < sizeof(sesskey->key_id); i++) { 1033 (void) fprintf(stderr, "%2x ", key->key_id[i]); 1034 } 1035 (void) fprintf(stderr, "\n"); 1036 } 1037 if (key->key.pubkey.alg != OPS_PKA_RSA) { 1038 (void) fprintf(stderr, 1039 "__ops_create_pk_sesskey: bad pubkey algorithm\n"); 1040 free(encoded_m_buf); 1041 free(sesskey); 1042 return NULL; 1043 } 1044 sesskey->alg = key->key.pubkey.alg; 1045 1046 /* \todo allow user to specify other algorithm */ 1047 sesskey->symm_alg = OPS_SA_CAST5; 1048 __ops_random(sesskey->key, CAST_KEY_LENGTH); 1049 1050 if (__ops_get_debug_level(__FILE__)) { 1051 unsigned i; 1052 1053 (void) fprintf(stderr, 1054 "CAST5 session key created (len=%d):\n ", 1055 CAST_KEY_LENGTH); 1056 for (i = 0; i < CAST_KEY_LENGTH; i++) { 1057 (void) fprintf(stderr, "%2x ", sesskey->key[i]); 1058 } 1059 (void) fprintf(stderr, "\n"); 1060 } 1061 if (create_unencoded_m_buf(sesskey, &unencoded_m_buf[0]) == 0) { 1062 free(encoded_m_buf); 1063 free(sesskey); 1064 return NULL; 1065 } 1066 if (__ops_get_debug_level(__FILE__)) { 1067 unsigned i; 1068 1069 printf("unencoded m buf:\n"); 1070 for (i = 0; i < SZ_UNENCODED_M_BUF; i++) { 1071 printf("%2x ", unencoded_m_buf[i]); 1072 } 1073 printf("\n"); 1074 } 1075 encode_m_buf(&unencoded_m_buf[0], SZ_UNENCODED_M_BUF, pubkey, 1076 &encoded_m_buf[0]); 1077 1078 /* and encrypt it */ 1079 if (!__ops_rsa_encrypt_mpi(encoded_m_buf, sz_encoded_m_buf, pubkey, 1080 &sesskey->params)) { 1081 free(encoded_m_buf); 1082 free(sesskey); 1083 return NULL; 1084 } 1085 free(encoded_m_buf); 1086 return sesskey; 1087 } 1088 1089 /** 1090 \ingroup Core_WritePackets 1091 \brief Writes Public Key Session Key packet 1092 \param info Write settings 1093 \param pksk Public Key Session Key to write out 1094 \return 1 if OK; else 0 1095 */ 1096 unsigned 1097 __ops_write_pk_sesskey(__ops_output_t *output, __ops_pk_sesskey_t *pksk) 1098 { 1099 /* XXX - Flexelint - Pointer parameter 'pksk' (line 1076) could be declared as pointing to const */ 1100 if (pksk == NULL) { 1101 (void) fprintf(stderr, 1102 "__ops_write_pk_sesskey: NULL pksk\n"); 1103 return 0; 1104 } 1105 if (pksk->alg != OPS_PKA_RSA) { 1106 (void) fprintf(stderr, 1107 "__ops_write_pk_sesskey: bad algorithm\n"); 1108 return 0; 1109 } 1110 1111 return __ops_write_ptag(output, OPS_PTAG_CT_PK_SESSION_KEY) && 1112 __ops_write_length(output, (unsigned)(1 + 8 + 1 + 1113 BN_num_bytes(pksk->params.rsa.encrypted_m) + 2)) && 1114 __ops_write_scalar(output, (unsigned)pksk->version, 1) && 1115 __ops_write(output, pksk->key_id, 8) && 1116 __ops_write_scalar(output, (unsigned)pksk->alg, 1) && 1117 __ops_write_mpi(output, pksk->params.rsa.encrypted_m) 1118 /* ?? && __ops_write_scalar(output, 0, 2); */ 1119 ; 1120 } 1121 1122 /** 1123 \ingroup Core_WritePackets 1124 \brief Writes MDC packet 1125 \param hashed Hash for MDC 1126 \param output Write settings 1127 \return 1 if OK; else 0 1128 */ 1129 1130 unsigned 1131 __ops_write_mdc(__ops_output_t *output, const uint8_t *hashed) 1132 { 1133 /* write it out */ 1134 return __ops_write_ptag(output, OPS_PTAG_CT_MDC) && 1135 __ops_write_length(output, OPS_SHA1_HASH_SIZE) && 1136 __ops_write(output, hashed, OPS_SHA1_HASH_SIZE); 1137 } 1138 1139 /** 1140 \ingroup Core_WritePackets 1141 \brief Writes Literal Data packet from buffer 1142 \param data Buffer to write out 1143 \param maxlen Max length of buffer 1144 \param type Literal Data Type 1145 \param output Write settings 1146 \return 1 if OK; else 0 1147 */ 1148 unsigned 1149 __ops_write_litdata(__ops_output_t *output, 1150 const uint8_t *data, 1151 const int maxlen, 1152 const __ops_litdata_type_t type) 1153 { 1154 /* 1155 * RFC4880 does not specify a meaning for filename or date. 1156 * It is implementation-dependent. 1157 * We will not implement them. 1158 */ 1159 /* \todo do we need to check text data for <cr><lf> line endings ? */ 1160 return __ops_write_ptag(output, OPS_PTAG_CT_LITDATA) && 1161 __ops_write_length(output, (unsigned)(1 + 1 + 4 + maxlen)) && 1162 __ops_write_scalar(output, (unsigned)type, 1) && 1163 __ops_write_scalar(output, 0, 1) && 1164 __ops_write_scalar(output, 0, 4) && 1165 __ops_write(output, data, (unsigned)maxlen); 1166 } 1167 1168 /** 1169 \ingroup Core_WritePackets 1170 \brief Writes Literal Data packet from contents of file 1171 \param filename Name of file to read from 1172 \param type Literal Data Type 1173 \param output Write settings 1174 \return 1 if OK; else 0 1175 */ 1176 1177 unsigned 1178 __ops_fileread_litdata(const char *filename, 1179 const __ops_litdata_type_t type, 1180 __ops_output_t *output) 1181 { 1182 __ops_memory_t *mem; 1183 unsigned ret; 1184 size_t len; 1185 1186 mem = __ops_memory_new(); 1187 if (!__ops_mem_readfile(mem, filename)) { 1188 return 0; 1189 } 1190 len = __ops_mem_len(mem); 1191 ret = __ops_write_ptag(output, OPS_PTAG_CT_LITDATA) && 1192 __ops_write_length(output, 1 + 1 + 4 + len) && 1193 __ops_write_scalar(output, (unsigned)type, 1) && 1194 __ops_write_scalar(output, 0, 1) /* filename */ && 1195 __ops_write_scalar(output, 0, 4) /* date */ && 1196 __ops_write(output, __ops_mem_data(mem), len); 1197 __ops_memory_free(mem); 1198 return ret; 1199 } 1200 1201 /** 1202 \ingroup HighLevel_General 1203 1204 \brief Writes contents of buffer into file 1205 1206 \param filename Filename to write to 1207 \param buf Buffer to write to file 1208 \param len Size of buffer 1209 \param overwrite Flag to set whether to overwrite an existing file 1210 \return 1 if OK; 0 if error 1211 */ 1212 1213 int 1214 __ops_filewrite(const char *filename, const char *buf, 1215 const size_t len, const unsigned overwrite) 1216 { 1217 int flags; 1218 int fd; 1219 1220 flags = O_WRONLY | O_CREAT; 1221 if (overwrite) { 1222 flags |= O_TRUNC; 1223 } else { 1224 flags |= O_EXCL; 1225 } 1226 #ifdef O_BINARY 1227 flags |= O_BINARY; 1228 #endif 1229 fd = open(filename, flags, 0600); 1230 if (fd < 0) { 1231 (void) fprintf(stderr, "can't open '%s'\n", filename); 1232 return 0; 1233 } 1234 if (write(fd, buf, len) != (int)len) { 1235 (void) close(fd); 1236 return 0; 1237 } 1238 1239 return (close(fd) == 0); 1240 } 1241 1242 /** 1243 \ingroup Core_WritePackets 1244 \brief Write Symmetrically Encrypted packet 1245 \param data Data to encrypt 1246 \param len Length of data 1247 \param output Write settings 1248 \return 1 if OK; else 0 1249 \note Hard-coded to use AES256 1250 */ 1251 unsigned 1252 __ops_write_symm_enc_data(const uint8_t *data, 1253 const int len, 1254 __ops_output_t * output) 1255 { 1256 __ops_crypt_t crypt_info; 1257 uint8_t *encrypted = (uint8_t *) NULL; 1258 size_t encrypted_sz; 1259 int done = 0; 1260 1261 /* \todo assume AES256 for now */ 1262 __ops_crypt_any(&crypt_info, OPS_SA_AES_256); 1263 __ops_encrypt_init(&crypt_info); 1264 1265 encrypted_sz = (size_t)(len + crypt_info.blocksize + 2); 1266 if ((encrypted = calloc(1, encrypted_sz)) == NULL) { 1267 (void) fprintf(stderr, "can't allocate %" PRIsize "d\n", 1268 encrypted_sz); 1269 return 0; 1270 } 1271 1272 done = __ops_encrypt_se(&crypt_info, encrypted, data, (unsigned)len); 1273 if (done != len) { 1274 (void) fprintf(stderr, 1275 "__ops_write_symm_enc_data: done != len\n"); 1276 return 0; 1277 } 1278 1279 return __ops_write_ptag(output, OPS_PTAG_CT_SE_DATA) && 1280 __ops_write_length(output, 1 + encrypted_sz) && 1281 __ops_write(output, data, (unsigned)len); 1282 } 1283 1284 /** 1285 \ingroup Core_WritePackets 1286 \brief Write a One Pass Signature packet 1287 \param seckey Secret Key to use 1288 \param hash_alg Hash Algorithm to use 1289 \param sig_type Signature type 1290 \param output Write settings 1291 \return 1 if OK; else 0 1292 */ 1293 unsigned 1294 __ops_write_one_pass_sig(__ops_output_t *output, 1295 const __ops_seckey_t *seckey, 1296 const __ops_hash_alg_t hash_alg, 1297 const __ops_sig_type_t sig_type) 1298 { 1299 uint8_t keyid[OPS_KEY_ID_SIZE]; 1300 1301 __ops_keyid(keyid, OPS_KEY_ID_SIZE, &seckey->pubkey); 1302 return __ops_write_ptag(output, OPS_PTAG_CT_1_PASS_SIG) && 1303 __ops_write_length(output, 1 + 1 + 1 + 1 + 8 + 1) && 1304 __ops_write_scalar(output, 3, 1) /* version */ && 1305 __ops_write_scalar(output, (unsigned)sig_type, 1) && 1306 __ops_write_scalar(output, (unsigned)hash_alg, 1) && 1307 __ops_write_scalar(output, (unsigned)seckey->pubkey.alg, 1) && 1308 __ops_write(output, keyid, 8) && 1309 __ops_write_scalar(output, 1, 1); 1310 } 1311