1 /*- 2 * Copyright (c) 2009 The NetBSD Foundation, Inc. 3 * All rights reserved. 4 * 5 * This code is derived from software contributed to The NetBSD Foundation 6 * by Alistair Crooks (agc@NetBSD.org) 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 /* 30 * Copyright (c) 2005-2008 Nominet UK (www.nic.uk) 31 * All rights reserved. 32 * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted 33 * their moral rights under the UK Copyright Design and Patents Act 1988 to 34 * be recorded as the authors of this copyright work. 35 * 36 * Licensed under the Apache License, Version 2.0 (the "License"); you may not 37 * use this file except in compliance with the License. 38 * 39 * You may obtain a copy of the License at 40 * http://www.apache.org/licenses/LICENSE-2.0 41 * 42 * Unless required by applicable law or agreed to in writing, software 43 * distributed under the License is distributed on an "AS IS" BASIS, 44 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 45 * 46 * See the License for the specific language governing permissions and 47 * limitations under the License. 48 */ 49 50 /** \file 51 */ 52 #include "config.h" 53 54 #ifdef HAVE_SYS_CDEFS_H 55 #include <sys/cdefs.h> 56 #endif 57 58 #if defined(__NetBSD__) 59 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved."); 60 __RCSID("$NetBSD: openssl_crypto.c,v 1.35 2022/08/26 19:18:38 jhigh Exp $"); 61 #endif 62 63 #ifdef HAVE_OPENSSL_DSA_H 64 #include <openssl/dsa.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_RSA_H 68 #include <openssl/rsa.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ERR_H 72 #include <openssl/err.h> 73 #endif 74 75 #include <openssl/pem.h> 76 #include <openssl/evp.h> 77 78 #include <stdlib.h> 79 #include <string.h> 80 81 #ifdef HAVE_UNISTD_H 82 #include <unistd.h> 83 #endif 84 85 #include "crypto.h" 86 #include "keyring.h" 87 #include "readerwriter.h" 88 #include "netpgpdefs.h" 89 #include "netpgpdigest.h" 90 #include "netpgpsdk.h" 91 #include "packet.h" 92 93 static void 94 takeRSA(const RSA *orsa, pgp_rsa_pubkey_t *pk, pgp_rsa_seckey_t *sk) 95 { 96 const BIGNUM *n, *e, *d, *q, *p; 97 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 98 RSA_get0_key(orsa, &n, &e, &d); 99 RSA_get0_factors(orsa, &q, &p); 100 #else 101 n = orsa->n; 102 e = orsa->e; 103 d = orsa->d; 104 p = orsa->p; 105 q = orsa->q; 106 #endif 107 if (sk) { 108 sk->d = BN_dup(d); 109 sk->p = BN_dup(p); 110 sk->q = BN_dup(q); 111 } 112 if (pk) { 113 pk->n = BN_dup(n); 114 pk->e = BN_dup(e); 115 } 116 } 117 118 static RSA * 119 makeRSA(const pgp_rsa_pubkey_t *pubkey, const pgp_rsa_seckey_t *seckey) 120 { 121 BIGNUM *n, *e, *d, *p, *q; 122 RSA *orsa; 123 124 orsa = RSA_new(); 125 n = BN_dup(pubkey->n); 126 e = BN_dup(pubkey->e); 127 128 if (seckey) { 129 d = BN_dup(seckey->d); 130 p = BN_dup(seckey->p); 131 q = BN_dup(seckey->q); 132 } else { 133 d = p = q = NULL; 134 } 135 136 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 137 RSA_set0_key(orsa, n, e, d); 138 RSA_set0_factors(orsa, p, q); 139 #else 140 BN_free(orsa->n); 141 BN_free(orsa->e); 142 orsa->n = n; 143 orsa->e = e; 144 if (d) { 145 BN_free(orsa->d); 146 orsa->d = d; 147 } 148 if (p) { 149 BN_free(orsa->p); 150 orsa->p = p; 151 } 152 if (q) { 153 BN_free(orsa->q); 154 orsa->q = q; 155 } 156 #endif 157 return orsa; 158 } 159 160 static DSA_SIG * 161 makeDSA_SIG(const pgp_dsa_sig_t *sig) 162 { 163 DSA_SIG *osig; 164 BIGNUM *r, *s; 165 166 osig = DSA_SIG_new(); 167 r = BN_dup(sig->r); 168 s = BN_dup(sig->s); 169 170 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 171 DSA_SIG_set0(osig, r, s); 172 #else 173 BN_free(osig->r); 174 BN_free(osig->s); 175 osig->r = r; 176 osig->s = s; 177 #endif 178 179 return osig; 180 } 181 182 static DSA * 183 makeDSA(const pgp_dsa_pubkey_t *dsa, const pgp_dsa_seckey_t *secdsa) 184 { 185 DSA *odsa; 186 BIGNUM *p, *q, *g, *y, *x; 187 188 odsa = DSA_new(); 189 190 p = BN_dup(dsa->p); 191 q = BN_dup(dsa->q); 192 g = BN_dup(dsa->g); 193 y = BN_dup(dsa->y); 194 x = secdsa ? secdsa->x : NULL; 195 196 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 197 DSA_set0_key(odsa, y, x); 198 #else 199 BN_free(odsa->p); 200 BN_free(odsa->q); 201 BN_free(odsa->g); 202 BN_free(odsa->pub_key); 203 odsa->p = p; 204 odsa->q = q; 205 odsa->g = g; 206 odsa->pub_key = y; 207 if (x) { 208 BN_free(odsa->priv_key); 209 odsa->priv_key = x; 210 } 211 #endif 212 return odsa; 213 } 214 215 static void 216 takeDSA(const DSA *odsa, pgp_dsa_seckey_t *sk) 217 { 218 const BIGNUM *x; 219 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 220 DSA_get0_key(odsa, NULL, &x); 221 #else 222 x = odsa->priv_key; 223 #endif 224 sk->x = BN_dup(x); 225 } 226 227 static ECDSA_SIG * 228 makeECDSADSA_SIG(const pgp_ecdsa_sig_t *sig) 229 { 230 ECDSA_SIG *osig; 231 BIGNUM *r, *s; 232 233 osig = ECDSA_SIG_new(); 234 r = BN_dup(sig->r); 235 s = BN_dup(sig->s); 236 237 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 238 ECDSA_SIG_set0(osig, r, s); 239 #else 240 BN_free(osig->r); 241 BN_free(osig->s); 242 osig->r = r; 243 osig->s = s; 244 #endif 245 246 return osig; 247 } 248 249 static EC_KEY * 250 makeECDSA(const pgp_ecdsa_pubkey_t *ecdsa, const pgp_ecdsa_seckey_t *sececdsa) 251 { 252 EC_KEY *key; 253 BIGNUM *x; 254 BIGNUM *y; 255 EC_GROUP *group; 256 EC_POINT *pub_key; 257 EC_POINT *point; 258 int nid; 259 260 key = EC_KEY_new(); 261 x = BN_new(); 262 y = BN_new(); 263 264 nid = ecdsa_nid(ecdsa); 265 if (nid == -1) { 266 (void) fprintf(stderr,"makeECDSA: failed to determine NID\n"); 267 return 0; 268 } 269 270 group = EC_GROUP_new_by_curve_name(nid); 271 if (group == NULL) { 272 (void) fprintf(stderr,"makeECDSA: failed to get group for specified NID\n"); 273 return 0; 274 } 275 276 pub_key = EC_POINT_new(group); 277 if (pub_key == NULL) { 278 (void) fprintf(stderr,"makeECDSA: failed to alloc point\n"); 279 return 0; 280 } 281 282 point = EC_POINT_bn2point(group, ecdsa->p, NULL, NULL); 283 if (point == NULL) { 284 (void) fprintf(stderr,"makeECDSA: failed to conv BN to point\n"); 285 return 0; 286 } 287 288 289 if ((EC_POINT_get_affine_coordinates(group, point, x, y, NULL)) == 0) { 290 (void) fprintf(stderr,"makeECDSA: failed to get coordinates from point\n"); 291 return 0; 292 } 293 294 if ((EC_POINT_set_affine_coordinates(group, pub_key, x, y, NULL)) == 0) { 295 (void) fprintf(stderr,"makeECDSA: failed to set coordinates from point\n"); 296 return 0; 297 } 298 299 if ((EC_KEY_set_group(key, group)) == 0) { 300 (void) fprintf(stderr,"makeECDSA: failed to set group for key\n"); 301 return 0; 302 } 303 304 if ((EC_KEY_set_public_key(key, pub_key)) == 0) { 305 (void) fprintf(stderr,"makeECDSA: failed to set pubkey for key\n"); 306 return 0; 307 } 308 309 if (sececdsa) { 310 if ((EC_KEY_set_private_key(key, sececdsa->x)) == 0) { 311 (void) fprintf(stderr,"makeECDSA: failed to set seckey for key\n"); 312 return 0; 313 } 314 315 if ((EC_POINT_mul(group, pub_key, sececdsa->x, NULL, NULL, NULL)) == 0) { 316 (void) fprintf(stderr,"makeECDSA: failed to calculate generator\n"); 317 return 0; 318 } 319 } 320 321 return key; 322 } 323 324 static void 325 test_seckey(const pgp_seckey_t *seckey) 326 { 327 RSA *test = makeRSA(&seckey->pubkey.key.rsa, &seckey->key.rsa); 328 329 if (RSA_check_key(test) != 1) { 330 (void) fprintf(stderr, 331 "test_seckey: RSA_check_key failed\n"); 332 } 333 RSA_free(test); 334 } 335 336 static int 337 md5_init(pgp_hash_t *hash) 338 { 339 if (hash->data) { 340 (void) fprintf(stderr, "md5_init: hash data non-null\n"); 341 } 342 if ((hash->data = calloc(1, sizeof(MD5_CTX))) == NULL) { 343 (void) fprintf(stderr, "md5_init: bad alloc\n"); 344 return 0; 345 } 346 MD5_Init(hash->data); 347 return 1; 348 } 349 350 static void 351 md5_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 352 { 353 MD5_Update(hash->data, data, length); 354 } 355 356 static unsigned 357 md5_finish(pgp_hash_t *hash, uint8_t *out) 358 { 359 MD5_Final(out, hash->data); 360 free(hash->data); 361 hash->data = NULL; 362 return 16; 363 } 364 365 static const pgp_hash_t md5 = { 366 PGP_HASH_MD5, 367 MD5_DIGEST_LENGTH, 368 "MD5", 369 md5_init, 370 md5_add, 371 md5_finish, 372 NULL 373 }; 374 375 /** 376 \ingroup Core_Crypto 377 \brief Initialise to MD5 378 \param hash Hash to initialise 379 */ 380 void 381 pgp_hash_md5(pgp_hash_t *hash) 382 { 383 *hash = md5; 384 } 385 386 static int 387 sha1_init(pgp_hash_t *hash) 388 { 389 if (hash->data) { 390 (void) fprintf(stderr, "sha1_init: hash data non-null\n"); 391 } 392 if ((hash->data = calloc(1, sizeof(SHA_CTX))) == NULL) { 393 (void) fprintf(stderr, "sha1_init: bad alloc\n"); 394 return 0; 395 } 396 SHA1_Init(hash->data); 397 return 1; 398 } 399 400 static void 401 sha1_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 402 { 403 if (pgp_get_debug_level(__FILE__)) { 404 hexdump(stderr, "sha1_add", data, length); 405 } 406 SHA1_Update(hash->data, data, length); 407 } 408 409 static unsigned 410 sha1_finish(pgp_hash_t *hash, uint8_t *out) 411 { 412 SHA1_Final(out, hash->data); 413 if (pgp_get_debug_level(__FILE__)) { 414 hexdump(stderr, "sha1_finish", out, PGP_SHA1_HASH_SIZE); 415 } 416 free(hash->data); 417 hash->data = NULL; 418 return PGP_SHA1_HASH_SIZE; 419 } 420 421 static const pgp_hash_t sha1 = { 422 PGP_HASH_SHA1, 423 PGP_SHA1_HASH_SIZE, 424 "SHA1", 425 sha1_init, 426 sha1_add, 427 sha1_finish, 428 NULL 429 }; 430 431 /** 432 \ingroup Core_Crypto 433 \brief Initialise to SHA1 434 \param hash Hash to initialise 435 */ 436 void 437 pgp_hash_sha1(pgp_hash_t *hash) 438 { 439 *hash = sha1; 440 } 441 442 static int 443 sha256_init(pgp_hash_t *hash) 444 { 445 if (hash->data) { 446 (void) fprintf(stderr, "sha256_init: hash data non-null\n"); 447 } 448 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) { 449 (void) fprintf(stderr, "sha256_init: bad alloc\n"); 450 return 0; 451 } 452 SHA256_Init(hash->data); 453 return 1; 454 } 455 456 static void 457 sha256_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 458 { 459 if (pgp_get_debug_level(__FILE__)) { 460 hexdump(stderr, "sha256_add", data, length); 461 } 462 SHA256_Update(hash->data, data, length); 463 } 464 465 static unsigned 466 sha256_finish(pgp_hash_t *hash, uint8_t *out) 467 { 468 SHA256_Final(out, hash->data); 469 if (pgp_get_debug_level(__FILE__)) { 470 hexdump(stderr, "sha1_finish", out, SHA256_DIGEST_LENGTH); 471 } 472 free(hash->data); 473 hash->data = NULL; 474 return SHA256_DIGEST_LENGTH; 475 } 476 477 static const pgp_hash_t sha256 = { 478 PGP_HASH_SHA256, 479 SHA256_DIGEST_LENGTH, 480 "SHA256", 481 sha256_init, 482 sha256_add, 483 sha256_finish, 484 NULL 485 }; 486 487 void 488 pgp_hash_sha256(pgp_hash_t *hash) 489 { 490 *hash = sha256; 491 } 492 493 /* 494 * SHA384 495 */ 496 static int 497 sha384_init(pgp_hash_t *hash) 498 { 499 if (hash->data) { 500 (void) fprintf(stderr, "sha384_init: hash data non-null\n"); 501 } 502 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) { 503 (void) fprintf(stderr, "sha384_init: bad alloc\n"); 504 return 0; 505 } 506 SHA384_Init(hash->data); 507 return 1; 508 } 509 510 static void 511 sha384_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 512 { 513 if (pgp_get_debug_level(__FILE__)) { 514 hexdump(stderr, "sha384_add", data, length); 515 } 516 SHA384_Update(hash->data, data, length); 517 } 518 519 static unsigned 520 sha384_finish(pgp_hash_t *hash, uint8_t *out) 521 { 522 SHA384_Final(out, hash->data); 523 if (pgp_get_debug_level(__FILE__)) { 524 hexdump(stderr, "sha384_finish", out, SHA384_DIGEST_LENGTH); 525 } 526 free(hash->data); 527 hash->data = NULL; 528 return SHA384_DIGEST_LENGTH; 529 } 530 531 static const pgp_hash_t sha384 = { 532 PGP_HASH_SHA384, 533 SHA384_DIGEST_LENGTH, 534 "SHA384", 535 sha384_init, 536 sha384_add, 537 sha384_finish, 538 NULL 539 }; 540 541 void 542 pgp_hash_sha384(pgp_hash_t *hash) 543 { 544 *hash = sha384; 545 } 546 547 /* 548 * SHA512 549 */ 550 static int 551 sha512_init(pgp_hash_t *hash) 552 { 553 if (hash->data) { 554 (void) fprintf(stderr, "sha512_init: hash data non-null\n"); 555 } 556 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) { 557 (void) fprintf(stderr, "sha512_init: bad alloc\n"); 558 return 0; 559 } 560 SHA512_Init(hash->data); 561 return 1; 562 } 563 564 static void 565 sha512_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 566 { 567 if (pgp_get_debug_level(__FILE__)) { 568 hexdump(stderr, "sha512_add", data, length); 569 } 570 SHA512_Update(hash->data, data, length); 571 } 572 573 static unsigned 574 sha512_finish(pgp_hash_t *hash, uint8_t *out) 575 { 576 SHA512_Final(out, hash->data); 577 if (pgp_get_debug_level(__FILE__)) { 578 hexdump(stderr, "sha512_finish", out, SHA512_DIGEST_LENGTH); 579 } 580 free(hash->data); 581 hash->data = NULL; 582 return SHA512_DIGEST_LENGTH; 583 } 584 585 static const pgp_hash_t sha512 = { 586 PGP_HASH_SHA512, 587 SHA512_DIGEST_LENGTH, 588 "SHA512", 589 sha512_init, 590 sha512_add, 591 sha512_finish, 592 NULL 593 }; 594 595 void 596 pgp_hash_sha512(pgp_hash_t *hash) 597 { 598 *hash = sha512; 599 } 600 601 /* 602 * SHA224 603 */ 604 605 static int 606 sha224_init(pgp_hash_t *hash) 607 { 608 if (hash->data) { 609 (void) fprintf(stderr, "sha224_init: hash data non-null\n"); 610 } 611 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) { 612 (void) fprintf(stderr, "sha256_init: bad alloc\n"); 613 return 0; 614 } 615 SHA224_Init(hash->data); 616 return 1; 617 } 618 619 static void 620 sha224_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 621 { 622 if (pgp_get_debug_level(__FILE__)) { 623 hexdump(stderr, "sha224_add", data, length); 624 } 625 SHA224_Update(hash->data, data, length); 626 } 627 628 static unsigned 629 sha224_finish(pgp_hash_t *hash, uint8_t *out) 630 { 631 SHA224_Final(out, hash->data); 632 if (pgp_get_debug_level(__FILE__)) { 633 hexdump(stderr, "sha224_finish", out, SHA224_DIGEST_LENGTH); 634 } 635 free(hash->data); 636 hash->data = NULL; 637 return SHA224_DIGEST_LENGTH; 638 } 639 640 static const pgp_hash_t sha224 = { 641 PGP_HASH_SHA224, 642 SHA224_DIGEST_LENGTH, 643 "SHA224", 644 sha224_init, 645 sha224_add, 646 sha224_finish, 647 NULL 648 }; 649 650 void 651 pgp_hash_sha224(pgp_hash_t *hash) 652 { 653 *hash = sha224; 654 } 655 656 unsigned 657 pgp_dsa_verify(const uint8_t *hash, size_t hash_length, 658 const pgp_dsa_sig_t *sig, 659 const pgp_dsa_pubkey_t *dsa) 660 { 661 unsigned qlen; 662 DSA_SIG *osig = makeDSA_SIG(sig); 663 DSA *odsa = makeDSA(dsa, NULL); 664 int ret; 665 666 if (pgp_get_debug_level(__FILE__)) { 667 hexdump(stderr, "input hash", hash, hash_length); 668 (void) fprintf(stderr, "Q=%d\n", BN_num_bytes(dsa->q)); 669 } 670 if ((qlen = (unsigned)BN_num_bytes(dsa->q)) < hash_length) { 671 hash_length = qlen; 672 } 673 ret = DSA_do_verify(hash, (int)hash_length, osig, odsa); 674 if (pgp_get_debug_level(__FILE__)) { 675 (void) fprintf(stderr, "ret=%d\n", ret); 676 } 677 if (ret < 0) { 678 (void) fprintf(stderr, "pgp_dsa_verify: DSA verification\n"); 679 return 0; 680 } 681 682 DSA_free(odsa); 683 DSA_SIG_free(osig); 684 685 return (unsigned)ret; 686 } 687 688 unsigned 689 pgp_ecdsa_verify(const uint8_t *hash, size_t hash_length, 690 const pgp_ecdsa_sig_t *sig, 691 const pgp_ecdsa_pubkey_t *ecdsa) 692 { 693 unsigned qlen; 694 ECDSA_SIG *osig = makeECDSADSA_SIG(sig); 695 EC_KEY *oecdsa = makeECDSA(ecdsa, NULL); 696 int ret; 697 698 if (pgp_get_debug_level(__FILE__)) { 699 hexdump(stderr, "input hash", hash, hash_length); 700 } 701 702 ret = ECDSA_do_verify(hash, (int)hash_length, osig, oecdsa); 703 704 if (pgp_get_debug_level(__FILE__)) { 705 (void) fprintf(stderr, "ret=%d\n", ret); 706 } 707 708 if (ret <= 0) { 709 (void) fprintf(stderr, "pgp_ecdsa_verify: ECDSA verification failed\n"); 710 return 0; 711 } 712 713 ECDSA_SIG_free(osig); 714 715 return (unsigned)ret; 716 } 717 718 /** 719 \ingroup Core_Crypto 720 \brief Recovers message digest from the signature 721 \param out Where to write decrypted data to 722 \param in Encrypted data 723 \param length Length of encrypted data 724 \param pubkey RSA public key 725 \return size of recovered message digest 726 */ 727 int 728 pgp_rsa_public_decrypt(uint8_t *out, 729 const uint8_t *in, 730 size_t length, 731 const pgp_rsa_pubkey_t *pubkey) 732 { 733 RSA *orsa = makeRSA(pubkey, NULL); 734 int ret; 735 736 ret = RSA_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING); 737 738 RSA_free(orsa); 739 740 return ret; 741 } 742 743 /** 744 \ingroup Core_Crypto 745 \brief Signs data with RSA 746 \param out Where to write signature 747 \param in Data to sign 748 \param length Length of data 749 \param seckey RSA secret key 750 \param pubkey RSA public key 751 \return number of bytes decrypted 752 */ 753 int 754 pgp_rsa_private_encrypt(uint8_t *out, 755 const uint8_t *in, 756 size_t length, 757 const pgp_rsa_seckey_t *seckey, 758 const pgp_rsa_pubkey_t *pubkey) 759 { 760 RSA *orsa = makeRSA(pubkey, seckey); 761 int ret; 762 763 if (seckey->d == NULL) { 764 (void) fprintf(stderr, "orsa is not set\n"); 765 return 0; 766 } 767 if (RSA_check_key(orsa) != 1) { 768 (void) fprintf(stderr, "RSA_check_key is not set\n"); 769 return 0; 770 } 771 /* end debug */ 772 773 ret = RSA_private_encrypt((int)length, in, out, orsa, RSA_NO_PADDING); 774 775 RSA_free(orsa); 776 777 return ret; 778 } 779 780 /** 781 \ingroup Core_Crypto 782 \brief Decrypts RSA-encrypted data 783 \param out Where to write the plaintext 784 \param in Encrypted data 785 \param length Length of encrypted data 786 \param seckey RSA secret key 787 \param pubkey RSA public key 788 \return size of recovered plaintext 789 */ 790 int 791 pgp_rsa_private_decrypt(uint8_t *out, 792 const uint8_t *in, 793 size_t length, 794 const pgp_rsa_seckey_t *seckey, 795 const pgp_rsa_pubkey_t *pubkey) 796 { 797 RSA *keypair = makeRSA(pubkey, seckey); 798 int n; 799 char errbuf[1024]; 800 801 if (RSA_check_key(keypair) != 1) { 802 (void) fprintf(stderr, "RSA_check_key is not set\n"); 803 return 0; 804 } 805 /* end debug */ 806 807 n = RSA_private_decrypt((int)length, in, out, keypair, RSA_NO_PADDING); 808 809 if (pgp_get_debug_level(__FILE__)) { 810 printf("pgp_rsa_private_decrypt: n=%d\n",n); 811 } 812 813 errbuf[0] = '\0'; 814 if (n == -1) { 815 unsigned long err = ERR_get_error(); 816 817 ERR_error_string(err, &errbuf[0]); 818 (void) fprintf(stderr, "openssl error : %s\n", errbuf); 819 } 820 RSA_free(keypair); 821 822 return n; 823 } 824 825 /** 826 \ingroup Core_Crypto 827 \brief RSA-encrypts data 828 \param out Where to write the encrypted data 829 \param in Plaintext 830 \param length Size of plaintext 831 \param pubkey RSA Public Key 832 */ 833 int 834 pgp_rsa_public_encrypt(uint8_t *out, 835 const uint8_t *in, 836 size_t length, 837 const pgp_rsa_pubkey_t *pubkey) 838 { 839 RSA *orsa = makeRSA(pubkey, NULL); 840 int n; 841 842 /* printf("pgp_rsa_public_encrypt: length=%ld\n", length); */ 843 844 /* printf("len: %ld\n", length); */ 845 /* pgp_print_bn("n: ", orsa->n); */ 846 /* pgp_print_bn("e: ", orsa->e); */ 847 n = RSA_public_encrypt((int)length, in, out, orsa, RSA_NO_PADDING); 848 849 if (n == -1) { 850 BIO *fd_out; 851 852 fd_out = BIO_new_fd(fileno(stderr), BIO_NOCLOSE); 853 ERR_print_errors(fd_out); 854 } 855 RSA_free(orsa); 856 857 return n; 858 } 859 860 /** 861 \ingroup Core_Crypto 862 \brief Finalise openssl 863 \note Would usually call pgp_finish() instead 864 \sa pgp_finish() 865 */ 866 void 867 pgp_crypto_finish(void) 868 { 869 CRYPTO_cleanup_all_ex_data(); 870 #if OPENSSL_VERSION_NUMBER < 0x10100000L 871 ERR_remove_state((unsigned long)0); 872 #endif 873 } 874 875 /** 876 \ingroup Core_Hashes 877 \brief Get Hash name 878 \param hash Hash struct 879 \return Hash name 880 */ 881 const char * 882 pgp_text_from_hash(pgp_hash_t *hash) 883 { 884 return hash->name; 885 } 886 887 /** 888 \ingroup HighLevel_KeyGenerate 889 \brief Generates an RSA keypair 890 \param numbits Modulus size 891 \param e Public Exponent 892 \param keydata Pointer to keydata struct to hold new key 893 \return 1 if key generated successfully; otherwise 0 894 \note It is the caller's responsibility to call pgp_keydata_free(keydata) 895 */ 896 static unsigned 897 rsa_generate_keypair(pgp_key_t *keydata, 898 const int numbits, 899 const unsigned long e, 900 const char *hashalg, 901 const char *cipher) 902 { 903 pgp_seckey_t *seckey; 904 RSA *rsa; 905 BN_CTX *ctx; 906 pgp_output_t *output; 907 pgp_memory_t *mem; 908 BIGNUM *bne; 909 pgp_rsa_pubkey_t *pk; 910 pgp_rsa_seckey_t *sk; 911 912 ctx = BN_CTX_new(); 913 pgp_keydata_init(keydata, PGP_PTAG_CT_SECRET_KEY); 914 seckey = pgp_get_writable_seckey(keydata); 915 pk = &seckey->pubkey.key.rsa; 916 sk = &seckey->key.rsa; 917 918 /* generate the key pair */ 919 920 bne = BN_new(); 921 BN_set_word(bne, e); 922 923 rsa = RSA_new(); 924 RSA_generate_key_ex(rsa, numbits, bne, NULL); 925 BN_free(bne); 926 927 /* populate pgp key from ssl key */ 928 takeRSA(rsa, pk, sk); 929 930 seckey->pubkey.version = PGP_V4; 931 seckey->pubkey.birthtime = time(NULL); 932 seckey->pubkey.days_valid = 0; 933 seckey->pubkey.alg = PGP_PKA_RSA; 934 935 seckey->s2k_usage = PGP_S2KU_ENCRYPTED_AND_HASHED; 936 seckey->s2k_specifier = PGP_S2KS_SALTED; 937 /* seckey->s2k_specifier=PGP_S2KS_SIMPLE; */ 938 if ((seckey->hash_alg = pgp_str_to_hash_alg(hashalg)) == PGP_HASH_UNKNOWN) { 939 seckey->hash_alg = PGP_HASH_SHA1; 940 } 941 seckey->alg = pgp_str_to_cipher(cipher); 942 seckey->octetc = 0; 943 seckey->checksum = 0; 944 945 sk->u = BN_mod_inverse(NULL, sk->p, sk->q, ctx); 946 if (sk->u == NULL) { 947 (void) fprintf(stderr, "seckey->key.rsa.u is NULL\n"); 948 return 0; 949 } 950 BN_CTX_free(ctx); 951 952 RSA_free(rsa); 953 954 pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg); 955 pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg); 956 957 /* Generate checksum */ 958 959 output = NULL; 960 mem = NULL; 961 962 pgp_setup_memory_write(&output, &mem, 128); 963 964 pgp_push_checksum_writer(output, seckey); 965 966 switch (seckey->pubkey.alg) { 967 case PGP_PKA_DSA: 968 return pgp_write_mpi(output, seckey->key.dsa.x); 969 case PGP_PKA_RSA: 970 case PGP_PKA_RSA_ENCRYPT_ONLY: 971 case PGP_PKA_RSA_SIGN_ONLY: 972 if (!pgp_write_mpi(output, seckey->key.rsa.d) || 973 !pgp_write_mpi(output, seckey->key.rsa.p) || 974 !pgp_write_mpi(output, seckey->key.rsa.q) || 975 !pgp_write_mpi(output, seckey->key.rsa.u)) { 976 return 0; 977 } 978 break; 979 case PGP_PKA_ELGAMAL: 980 return pgp_write_mpi(output, seckey->key.elgamal.x); 981 982 default: 983 (void) fprintf(stderr, "Bad seckey->pubkey.alg\n"); 984 return 0; 985 } 986 987 /* close rather than pop, since its the only one on the stack */ 988 pgp_writer_close(output); 989 pgp_teardown_memory_write(output, mem); 990 991 /* should now have checksum in seckey struct */ 992 993 /* test */ 994 if (pgp_get_debug_level(__FILE__)) { 995 test_seckey(seckey); 996 } 997 998 return 1; 999 } 1000 1001 /** 1002 \ingroup HighLevel_KeyGenerate 1003 \brief Creates a self-signed RSA keypair 1004 \param numbits Modulus size 1005 \param e Public Exponent 1006 \param userid User ID 1007 \return The new keypair or NULL 1008 1009 \note It is the caller's responsibility to call pgp_keydata_free(keydata) 1010 \sa rsa_generate_keypair() 1011 \sa pgp_keydata_free() 1012 */ 1013 pgp_key_t * 1014 pgp_rsa_new_selfsign_key(const int numbits, 1015 const unsigned long e, 1016 uint8_t *userid, 1017 const char *hashalg, 1018 const char *cipher) 1019 { 1020 pgp_key_t *keydata; 1021 1022 keydata = pgp_keydata_new(); 1023 if (!rsa_generate_keypair(keydata, numbits, e, hashalg, cipher) || 1024 !pgp_add_selfsigned_userid(keydata, userid)) { 1025 pgp_keydata_free(keydata); 1026 return NULL; 1027 } 1028 return keydata; 1029 } 1030 1031 DSA_SIG * 1032 pgp_dsa_sign(uint8_t *hashbuf, 1033 unsigned hashsize, 1034 const pgp_dsa_seckey_t *secdsa, 1035 const pgp_dsa_pubkey_t *pubdsa) 1036 { 1037 DSA_SIG *dsasig; 1038 DSA *odsa = makeDSA(pubdsa, secdsa); 1039 1040 dsasig = DSA_do_sign(hashbuf, (int)hashsize, odsa); 1041 1042 DSA_free(odsa); 1043 1044 return dsasig; 1045 } 1046 1047 ECDSA_SIG * 1048 pgp_ecdsa_sign(uint8_t *hashbuf, 1049 unsigned hashsize, 1050 const pgp_ecdsa_seckey_t *sececdsa, 1051 const pgp_ecdsa_pubkey_t *pubecdsa) 1052 { 1053 ECDSA_SIG * ecdsasig; 1054 EC_KEY * eckey = makeECDSA(pubecdsa, sececdsa); 1055 1056 ecdsasig = ECDSA_do_sign(hashbuf, (int)hashsize, eckey); 1057 1058 if (ecdsasig == NULL) { 1059 printf("do_sign returned null\n"); 1060 return 0; 1061 } 1062 1063 EC_KEY_free(eckey); 1064 1065 return ecdsasig; 1066 } 1067 1068 int 1069 openssl_read_pem_seckey(const char *f, pgp_key_t *key, const char *type, int verbose) 1070 { 1071 FILE *fp; 1072 char prompt[BUFSIZ]; 1073 char *pass; 1074 DSA *dsa; 1075 RSA *rsa; 1076 int ok; 1077 1078 OpenSSL_add_all_algorithms(); 1079 if ((fp = fopen(f, "r")) == NULL) { 1080 if (verbose) { 1081 (void) fprintf(stderr, "can't open '%s'\n", f); 1082 } 1083 return 0; 1084 } 1085 ok = 1; 1086 if (strcmp(type, "ssh-rsa") == 0) { 1087 if ((rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) { 1088 (void) snprintf(prompt, sizeof(prompt), "netpgp PEM %s passphrase: ", f); 1089 do { 1090 pass = getpass(prompt); 1091 rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, pass); 1092 } while (rsa == NULL); 1093 } 1094 takeRSA(rsa, NULL, &key->key.seckey.key.rsa); 1095 } else if (strcmp(type, "ssh-dss") == 0) { 1096 if ((dsa = PEM_read_DSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) { 1097 ok = 0; 1098 } else { 1099 takeDSA(dsa, &key->key.seckey.key.dsa); 1100 } 1101 } else { 1102 ok = 0; 1103 } 1104 (void) fclose(fp); 1105 return ok; 1106 } 1107 1108 /* 1109 * Decide the number of bits in the random componont k 1110 * 1111 * It should be in the same range as p for signing (which 1112 * is deprecated), but can be much smaller for encrypting. 1113 * 1114 * Until I research it further, I just mimic gpg behaviour. 1115 * It has a special mapping table, for values <= 5120, 1116 * above that it uses 'arbitrary high number'. Following 1117 * algorihm hovers 10-70 bits above gpg values. And for 1118 * larger p, it uses gpg's algorihm. 1119 * 1120 * The point is - if k gets large, encryption will be 1121 * really slow. It does not matter for decryption. 1122 */ 1123 static int 1124 decide_k_bits(int p_bits) 1125 { 1126 return (p_bits <= 5120) ? p_bits / 10 + 160 : (p_bits / 8 + 200) * 3 / 2; 1127 } 1128 1129 int 1130 pgp_elgamal_public_encrypt(uint8_t *g_to_k, uint8_t *encm, 1131 const uint8_t *in, 1132 size_t size, 1133 const pgp_elgamal_pubkey_t *pubkey) 1134 { 1135 int ret = 0; 1136 int k_bits; 1137 BIGNUM *m; 1138 BIGNUM *p; 1139 BIGNUM *g; 1140 BIGNUM *y; 1141 BIGNUM *k; 1142 BIGNUM *yk; 1143 BIGNUM *c1; 1144 BIGNUM *c2; 1145 BN_CTX *tmp; 1146 1147 m = BN_bin2bn(in, (int)size, NULL); 1148 p = pubkey->p; 1149 g = pubkey->g; 1150 y = pubkey->y; 1151 k = BN_new(); 1152 yk = BN_new(); 1153 c1 = BN_new(); 1154 c2 = BN_new(); 1155 tmp = BN_CTX_new(); 1156 if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) { 1157 goto done; 1158 } 1159 /* 1160 * generate k 1161 */ 1162 k_bits = decide_k_bits(BN_num_bits(p)); 1163 if (!BN_rand(k, k_bits, 0, 0)) { 1164 goto done; 1165 } 1166 /* 1167 * c1 = g^k c2 = m * y^k 1168 */ 1169 if (!BN_mod_exp(c1, g, k, p, tmp)) { 1170 goto done; 1171 } 1172 if (!BN_mod_exp(yk, y, k, p, tmp)) { 1173 goto done; 1174 } 1175 if (!BN_mod_mul(c2, m, yk, p, tmp)) { 1176 goto done; 1177 } 1178 /* result */ 1179 BN_bn2bin(c1, g_to_k); 1180 ret = BN_num_bytes(c1); /* c1 = g^k */ 1181 BN_bn2bin(c2, encm); 1182 ret += BN_num_bytes(c2); /* c2 = m * y^k */ 1183 done: 1184 if (tmp) { 1185 BN_CTX_free(tmp); 1186 } 1187 if (c2) { 1188 BN_clear_free(c2); 1189 } 1190 if (c1) { 1191 BN_clear_free(c1); 1192 } 1193 if (yk) { 1194 BN_clear_free(yk); 1195 } 1196 if (k) { 1197 BN_clear_free(k); 1198 } 1199 if (g) { 1200 BN_clear_free(g); 1201 } 1202 return ret; 1203 } 1204 1205 int 1206 pgp_elgamal_private_decrypt(uint8_t *out, 1207 const uint8_t *g_to_k, 1208 const uint8_t *in, 1209 size_t length, 1210 const pgp_elgamal_seckey_t *seckey, 1211 const pgp_elgamal_pubkey_t *pubkey) 1212 { 1213 BIGNUM *bndiv; 1214 BIGNUM *c1x; 1215 BN_CTX *tmp; 1216 BIGNUM *c1; 1217 BIGNUM *c2; 1218 BIGNUM *p; 1219 BIGNUM *x; 1220 BIGNUM *m; 1221 int ret; 1222 1223 ret = 0; 1224 /* c1 and c2 are in g_to_k and in, respectively*/ 1225 c1 = BN_bin2bn(g_to_k, (int)length, NULL); 1226 c2 = BN_bin2bn(in, (int)length, NULL); 1227 /* other bits */ 1228 p = pubkey->p; 1229 x = seckey->x; 1230 c1x = BN_new(); 1231 bndiv = BN_new(); 1232 m = BN_new(); 1233 tmp = BN_CTX_new(); 1234 if (!c1 || !c2 || !p || !x || !c1x || !bndiv || !m || !tmp) { 1235 goto done; 1236 } 1237 /* 1238 * m = c2 / (c1^x) 1239 */ 1240 if (!BN_mod_exp(c1x, c1, x, p, tmp)) { 1241 goto done; 1242 } 1243 if (!BN_mod_inverse(bndiv, c1x, p, tmp)) { 1244 goto done; 1245 } 1246 if (!BN_mod_mul(m, c2, bndiv, p, tmp)) { 1247 goto done; 1248 } 1249 /* result */ 1250 ret = BN_bn2bin(m, out); 1251 done: 1252 if (tmp) { 1253 BN_CTX_free(tmp); 1254 } 1255 if (m) { 1256 BN_clear_free(m); 1257 } 1258 if (bndiv) { 1259 BN_clear_free(bndiv); 1260 } 1261 if (c1x) { 1262 BN_clear_free(c1x); 1263 } 1264 if (x) { 1265 BN_clear_free(x); 1266 } 1267 if (p) { 1268 BN_clear_free(p); 1269 } 1270 if (c1) { 1271 BN_clear_free(c1); 1272 } 1273 if (c2) { 1274 BN_clear_free(c2); 1275 } 1276 return ret; 1277 } 1278