1 /*- 2 * Copyright (c) 2009 The NetBSD Foundation, Inc. 3 * All rights reserved. 4 * 5 * This code is derived from software contributed to The NetBSD Foundation 6 * by Alistair Crooks (agc@NetBSD.org) 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 /* 30 * Copyright (c) 2005-2008 Nominet UK (www.nic.uk) 31 * All rights reserved. 32 * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted 33 * their moral rights under the UK Copyright Design and Patents Act 1988 to 34 * be recorded as the authors of this copyright work. 35 * 36 * Licensed under the Apache License, Version 2.0 (the "License"); you may not 37 * use this file except in compliance with the License. 38 * 39 * You may obtain a copy of the License at 40 * http://www.apache.org/licenses/LICENSE-2.0 41 * 42 * Unless required by applicable law or agreed to in writing, software 43 * distributed under the License is distributed on an "AS IS" BASIS, 44 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 45 * 46 * See the License for the specific language governing permissions and 47 * limitations under the License. 48 */ 49 50 /** \file 51 */ 52 #include "config.h" 53 54 #ifdef HAVE_SYS_CDEFS_H 55 #include <sys/cdefs.h> 56 #endif 57 58 #if defined(__NetBSD__) 59 __COPYRIGHT("@(#) Copyright (c) 2009 The NetBSD Foundation, Inc. All rights reserved."); 60 __RCSID("$NetBSD: openssl_crypto.c,v 1.34 2018/02/05 23:56:01 christos Exp $"); 61 #endif 62 63 #ifdef HAVE_OPENSSL_DSA_H 64 #include <openssl/dsa.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_RSA_H 68 #include <openssl/rsa.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ERR_H 72 #include <openssl/err.h> 73 #endif 74 75 #include <openssl/pem.h> 76 #include <openssl/evp.h> 77 78 #include <stdlib.h> 79 #include <string.h> 80 81 #ifdef HAVE_UNISTD_H 82 #include <unistd.h> 83 #endif 84 85 #include "crypto.h" 86 #include "keyring.h" 87 #include "readerwriter.h" 88 #include "netpgpdefs.h" 89 #include "netpgpdigest.h" 90 #include "packet.h" 91 92 static void 93 takeRSA(const RSA *orsa, pgp_rsa_pubkey_t *pk, pgp_rsa_seckey_t *sk) 94 { 95 const BIGNUM *n, *e, *d, *q, *p; 96 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 97 RSA_get0_key(orsa, &n, &e, &d); 98 RSA_get0_factors(orsa, &q, &p); 99 #else 100 n = orsa->n; 101 e = orsa->e; 102 d = orsa->d; 103 p = orsa->p; 104 q = orsa->q; 105 #endif 106 if (sk) { 107 sk->d = BN_dup(d); 108 sk->p = BN_dup(p); 109 sk->q = BN_dup(q); 110 } 111 if (pk) { 112 pk->n = BN_dup(n); 113 pk->e = BN_dup(e); 114 } 115 } 116 117 static RSA * 118 makeRSA(const pgp_rsa_pubkey_t *pubkey, const pgp_rsa_seckey_t *seckey) 119 { 120 BIGNUM *n, *e, *d, *p, *q; 121 RSA *orsa; 122 123 orsa = RSA_new(); 124 n = BN_dup(pubkey->n); 125 e = BN_dup(pubkey->e); 126 127 if (seckey) { 128 d = BN_dup(seckey->d); 129 p = BN_dup(seckey->p); 130 q = BN_dup(seckey->q); 131 } else { 132 d = p = q = NULL; 133 } 134 135 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 136 RSA_set0_key(orsa, n, e, d); 137 RSA_set0_factors(orsa, p, q); 138 #else 139 BN_free(orsa->n); 140 BN_free(orsa->e); 141 orsa->n = n; 142 orsa->e = e; 143 if (d) { 144 BN_free(orsa->d); 145 orsa->d = d; 146 } 147 if (p) { 148 BN_free(orsa->p); 149 orsa->p = p; 150 } 151 if (q) { 152 BN_free(orsa->q); 153 orsa->q = q; 154 } 155 #endif 156 return orsa; 157 } 158 159 static DSA_SIG * 160 makeDSA_SIG(const pgp_dsa_sig_t *sig) 161 { 162 DSA_SIG *osig; 163 BIGNUM *r, *s; 164 165 osig = DSA_SIG_new(); 166 r = BN_dup(sig->r); 167 s = BN_dup(sig->s); 168 169 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 170 DSA_SIG_set0(osig, r, s); 171 #else 172 BN_free(osig->r); 173 BN_free(osig->s); 174 osig->r = r; 175 osig->s = s; 176 #endif 177 178 return osig; 179 } 180 181 static DSA * 182 makeDSA(const pgp_dsa_pubkey_t *dsa, const pgp_dsa_seckey_t *secdsa) 183 { 184 DSA *odsa; 185 BIGNUM *p, *q, *g, *y, *x; 186 187 odsa = DSA_new(); 188 189 p = BN_dup(dsa->p); 190 q = BN_dup(dsa->q); 191 g = BN_dup(dsa->g); 192 y = BN_dup(dsa->y); 193 x = secdsa ? secdsa->x : NULL; 194 195 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 196 DSA_set0_key(odsa, y, x); 197 #else 198 BN_free(odsa->p); 199 BN_free(odsa->q); 200 BN_free(odsa->g); 201 BN_free(odsa->pub_key); 202 odsa->p = p; 203 odsa->q = q; 204 odsa->g = g; 205 odsa->pub_key = y; 206 if (x) { 207 BN_free(odsa->priv_key); 208 odsa->priv_key = x; 209 } 210 #endif 211 return odsa; 212 } 213 214 static void 215 takeDSA(const DSA *odsa, pgp_dsa_seckey_t *sk) 216 { 217 const BIGNUM *x; 218 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 219 DSA_get0_key(odsa, NULL, &x); 220 #else 221 x = odsa->priv_key; 222 #endif 223 sk->x = BN_dup(x); 224 } 225 226 static void 227 test_seckey(const pgp_seckey_t *seckey) 228 { 229 RSA *test = makeRSA(&seckey->pubkey.key.rsa, &seckey->key.rsa); 230 231 if (RSA_check_key(test) != 1) { 232 (void) fprintf(stderr, 233 "test_seckey: RSA_check_key failed\n"); 234 } 235 RSA_free(test); 236 } 237 238 static int 239 md5_init(pgp_hash_t *hash) 240 { 241 if (hash->data) { 242 (void) fprintf(stderr, "md5_init: hash data non-null\n"); 243 } 244 if ((hash->data = calloc(1, sizeof(MD5_CTX))) == NULL) { 245 (void) fprintf(stderr, "md5_init: bad alloc\n"); 246 return 0; 247 } 248 MD5_Init(hash->data); 249 return 1; 250 } 251 252 static void 253 md5_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 254 { 255 MD5_Update(hash->data, data, length); 256 } 257 258 static unsigned 259 md5_finish(pgp_hash_t *hash, uint8_t *out) 260 { 261 MD5_Final(out, hash->data); 262 free(hash->data); 263 hash->data = NULL; 264 return 16; 265 } 266 267 static const pgp_hash_t md5 = { 268 PGP_HASH_MD5, 269 MD5_DIGEST_LENGTH, 270 "MD5", 271 md5_init, 272 md5_add, 273 md5_finish, 274 NULL 275 }; 276 277 /** 278 \ingroup Core_Crypto 279 \brief Initialise to MD5 280 \param hash Hash to initialise 281 */ 282 void 283 pgp_hash_md5(pgp_hash_t *hash) 284 { 285 *hash = md5; 286 } 287 288 static int 289 sha1_init(pgp_hash_t *hash) 290 { 291 if (hash->data) { 292 (void) fprintf(stderr, "sha1_init: hash data non-null\n"); 293 } 294 if ((hash->data = calloc(1, sizeof(SHA_CTX))) == NULL) { 295 (void) fprintf(stderr, "sha1_init: bad alloc\n"); 296 return 0; 297 } 298 SHA1_Init(hash->data); 299 return 1; 300 } 301 302 static void 303 sha1_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 304 { 305 if (pgp_get_debug_level(__FILE__)) { 306 hexdump(stderr, "sha1_add", data, length); 307 } 308 SHA1_Update(hash->data, data, length); 309 } 310 311 static unsigned 312 sha1_finish(pgp_hash_t *hash, uint8_t *out) 313 { 314 SHA1_Final(out, hash->data); 315 if (pgp_get_debug_level(__FILE__)) { 316 hexdump(stderr, "sha1_finish", out, PGP_SHA1_HASH_SIZE); 317 } 318 free(hash->data); 319 hash->data = NULL; 320 return PGP_SHA1_HASH_SIZE; 321 } 322 323 static const pgp_hash_t sha1 = { 324 PGP_HASH_SHA1, 325 PGP_SHA1_HASH_SIZE, 326 "SHA1", 327 sha1_init, 328 sha1_add, 329 sha1_finish, 330 NULL 331 }; 332 333 /** 334 \ingroup Core_Crypto 335 \brief Initialise to SHA1 336 \param hash Hash to initialise 337 */ 338 void 339 pgp_hash_sha1(pgp_hash_t *hash) 340 { 341 *hash = sha1; 342 } 343 344 static int 345 sha256_init(pgp_hash_t *hash) 346 { 347 if (hash->data) { 348 (void) fprintf(stderr, "sha256_init: hash data non-null\n"); 349 } 350 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) { 351 (void) fprintf(stderr, "sha256_init: bad alloc\n"); 352 return 0; 353 } 354 SHA256_Init(hash->data); 355 return 1; 356 } 357 358 static void 359 sha256_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 360 { 361 if (pgp_get_debug_level(__FILE__)) { 362 hexdump(stderr, "sha256_add", data, length); 363 } 364 SHA256_Update(hash->data, data, length); 365 } 366 367 static unsigned 368 sha256_finish(pgp_hash_t *hash, uint8_t *out) 369 { 370 SHA256_Final(out, hash->data); 371 if (pgp_get_debug_level(__FILE__)) { 372 hexdump(stderr, "sha1_finish", out, SHA256_DIGEST_LENGTH); 373 } 374 free(hash->data); 375 hash->data = NULL; 376 return SHA256_DIGEST_LENGTH; 377 } 378 379 static const pgp_hash_t sha256 = { 380 PGP_HASH_SHA256, 381 SHA256_DIGEST_LENGTH, 382 "SHA256", 383 sha256_init, 384 sha256_add, 385 sha256_finish, 386 NULL 387 }; 388 389 void 390 pgp_hash_sha256(pgp_hash_t *hash) 391 { 392 *hash = sha256; 393 } 394 395 /* 396 * SHA384 397 */ 398 static int 399 sha384_init(pgp_hash_t *hash) 400 { 401 if (hash->data) { 402 (void) fprintf(stderr, "sha384_init: hash data non-null\n"); 403 } 404 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) { 405 (void) fprintf(stderr, "sha384_init: bad alloc\n"); 406 return 0; 407 } 408 SHA384_Init(hash->data); 409 return 1; 410 } 411 412 static void 413 sha384_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 414 { 415 if (pgp_get_debug_level(__FILE__)) { 416 hexdump(stderr, "sha384_add", data, length); 417 } 418 SHA384_Update(hash->data, data, length); 419 } 420 421 static unsigned 422 sha384_finish(pgp_hash_t *hash, uint8_t *out) 423 { 424 SHA384_Final(out, hash->data); 425 if (pgp_get_debug_level(__FILE__)) { 426 hexdump(stderr, "sha384_finish", out, SHA384_DIGEST_LENGTH); 427 } 428 free(hash->data); 429 hash->data = NULL; 430 return SHA384_DIGEST_LENGTH; 431 } 432 433 static const pgp_hash_t sha384 = { 434 PGP_HASH_SHA384, 435 SHA384_DIGEST_LENGTH, 436 "SHA384", 437 sha384_init, 438 sha384_add, 439 sha384_finish, 440 NULL 441 }; 442 443 void 444 pgp_hash_sha384(pgp_hash_t *hash) 445 { 446 *hash = sha384; 447 } 448 449 /* 450 * SHA512 451 */ 452 static int 453 sha512_init(pgp_hash_t *hash) 454 { 455 if (hash->data) { 456 (void) fprintf(stderr, "sha512_init: hash data non-null\n"); 457 } 458 if ((hash->data = calloc(1, sizeof(SHA512_CTX))) == NULL) { 459 (void) fprintf(stderr, "sha512_init: bad alloc\n"); 460 return 0; 461 } 462 SHA512_Init(hash->data); 463 return 1; 464 } 465 466 static void 467 sha512_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 468 { 469 if (pgp_get_debug_level(__FILE__)) { 470 hexdump(stderr, "sha512_add", data, length); 471 } 472 SHA512_Update(hash->data, data, length); 473 } 474 475 static unsigned 476 sha512_finish(pgp_hash_t *hash, uint8_t *out) 477 { 478 SHA512_Final(out, hash->data); 479 if (pgp_get_debug_level(__FILE__)) { 480 hexdump(stderr, "sha512_finish", out, SHA512_DIGEST_LENGTH); 481 } 482 free(hash->data); 483 hash->data = NULL; 484 return SHA512_DIGEST_LENGTH; 485 } 486 487 static const pgp_hash_t sha512 = { 488 PGP_HASH_SHA512, 489 SHA512_DIGEST_LENGTH, 490 "SHA512", 491 sha512_init, 492 sha512_add, 493 sha512_finish, 494 NULL 495 }; 496 497 void 498 pgp_hash_sha512(pgp_hash_t *hash) 499 { 500 *hash = sha512; 501 } 502 503 /* 504 * SHA224 505 */ 506 507 static int 508 sha224_init(pgp_hash_t *hash) 509 { 510 if (hash->data) { 511 (void) fprintf(stderr, "sha224_init: hash data non-null\n"); 512 } 513 if ((hash->data = calloc(1, sizeof(SHA256_CTX))) == NULL) { 514 (void) fprintf(stderr, "sha256_init: bad alloc\n"); 515 return 0; 516 } 517 SHA224_Init(hash->data); 518 return 1; 519 } 520 521 static void 522 sha224_add(pgp_hash_t *hash, const uint8_t *data, unsigned length) 523 { 524 if (pgp_get_debug_level(__FILE__)) { 525 hexdump(stderr, "sha224_add", data, length); 526 } 527 SHA224_Update(hash->data, data, length); 528 } 529 530 static unsigned 531 sha224_finish(pgp_hash_t *hash, uint8_t *out) 532 { 533 SHA224_Final(out, hash->data); 534 if (pgp_get_debug_level(__FILE__)) { 535 hexdump(stderr, "sha224_finish", out, SHA224_DIGEST_LENGTH); 536 } 537 free(hash->data); 538 hash->data = NULL; 539 return SHA224_DIGEST_LENGTH; 540 } 541 542 static const pgp_hash_t sha224 = { 543 PGP_HASH_SHA224, 544 SHA224_DIGEST_LENGTH, 545 "SHA224", 546 sha224_init, 547 sha224_add, 548 sha224_finish, 549 NULL 550 }; 551 552 void 553 pgp_hash_sha224(pgp_hash_t *hash) 554 { 555 *hash = sha224; 556 } 557 558 unsigned 559 pgp_dsa_verify(const uint8_t *hash, size_t hash_length, 560 const pgp_dsa_sig_t *sig, 561 const pgp_dsa_pubkey_t *dsa) 562 { 563 unsigned qlen; 564 DSA_SIG *osig = makeDSA_SIG(sig); 565 DSA *odsa = makeDSA(dsa, NULL); 566 int ret; 567 568 if (pgp_get_debug_level(__FILE__)) { 569 hexdump(stderr, "input hash", hash, hash_length); 570 (void) fprintf(stderr, "Q=%d\n", BN_num_bytes(dsa->q)); 571 } 572 if ((qlen = (unsigned)BN_num_bytes(dsa->q)) < hash_length) { 573 hash_length = qlen; 574 } 575 ret = DSA_do_verify(hash, (int)hash_length, osig, odsa); 576 if (pgp_get_debug_level(__FILE__)) { 577 (void) fprintf(stderr, "ret=%d\n", ret); 578 } 579 if (ret < 0) { 580 (void) fprintf(stderr, "pgp_dsa_verify: DSA verification\n"); 581 return 0; 582 } 583 584 DSA_free(odsa); 585 DSA_SIG_free(osig); 586 587 return (unsigned)ret; 588 } 589 590 /** 591 \ingroup Core_Crypto 592 \brief Recovers message digest from the signature 593 \param out Where to write decrypted data to 594 \param in Encrypted data 595 \param length Length of encrypted data 596 \param pubkey RSA public key 597 \return size of recovered message digest 598 */ 599 int 600 pgp_rsa_public_decrypt(uint8_t *out, 601 const uint8_t *in, 602 size_t length, 603 const pgp_rsa_pubkey_t *pubkey) 604 { 605 RSA *orsa = makeRSA(pubkey, NULL); 606 int ret; 607 608 ret = RSA_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING); 609 610 RSA_free(orsa); 611 612 return ret; 613 } 614 615 /** 616 \ingroup Core_Crypto 617 \brief Signs data with RSA 618 \param out Where to write signature 619 \param in Data to sign 620 \param length Length of data 621 \param seckey RSA secret key 622 \param pubkey RSA public key 623 \return number of bytes decrypted 624 */ 625 int 626 pgp_rsa_private_encrypt(uint8_t *out, 627 const uint8_t *in, 628 size_t length, 629 const pgp_rsa_seckey_t *seckey, 630 const pgp_rsa_pubkey_t *pubkey) 631 { 632 RSA *orsa = makeRSA(pubkey, seckey); 633 int ret; 634 635 if (seckey->d == NULL) { 636 (void) fprintf(stderr, "orsa is not set\n"); 637 return 0; 638 } 639 if (RSA_check_key(orsa) != 1) { 640 (void) fprintf(stderr, "RSA_check_key is not set\n"); 641 return 0; 642 } 643 /* end debug */ 644 645 ret = RSA_private_encrypt((int)length, in, out, orsa, RSA_NO_PADDING); 646 647 RSA_free(orsa); 648 649 return ret; 650 } 651 652 /** 653 \ingroup Core_Crypto 654 \brief Decrypts RSA-encrypted data 655 \param out Where to write the plaintext 656 \param in Encrypted data 657 \param length Length of encrypted data 658 \param seckey RSA secret key 659 \param pubkey RSA public key 660 \return size of recovered plaintext 661 */ 662 int 663 pgp_rsa_private_decrypt(uint8_t *out, 664 const uint8_t *in, 665 size_t length, 666 const pgp_rsa_seckey_t *seckey, 667 const pgp_rsa_pubkey_t *pubkey) 668 { 669 RSA *keypair = makeRSA(pubkey, seckey); 670 int n; 671 char errbuf[1024]; 672 673 if (RSA_check_key(keypair) != 1) { 674 (void) fprintf(stderr, "RSA_check_key is not set\n"); 675 return 0; 676 } 677 /* end debug */ 678 679 n = RSA_private_decrypt((int)length, in, out, keypair, RSA_NO_PADDING); 680 681 if (pgp_get_debug_level(__FILE__)) { 682 printf("pgp_rsa_private_decrypt: n=%d\n",n); 683 } 684 685 errbuf[0] = '\0'; 686 if (n == -1) { 687 unsigned long err = ERR_get_error(); 688 689 ERR_error_string(err, &errbuf[0]); 690 (void) fprintf(stderr, "openssl error : %s\n", errbuf); 691 } 692 RSA_free(keypair); 693 694 return n; 695 } 696 697 /** 698 \ingroup Core_Crypto 699 \brief RSA-encrypts data 700 \param out Where to write the encrypted data 701 \param in Plaintext 702 \param length Size of plaintext 703 \param pubkey RSA Public Key 704 */ 705 int 706 pgp_rsa_public_encrypt(uint8_t *out, 707 const uint8_t *in, 708 size_t length, 709 const pgp_rsa_pubkey_t *pubkey) 710 { 711 RSA *orsa = makeRSA(pubkey, NULL); 712 int n; 713 714 /* printf("pgp_rsa_public_encrypt: length=%ld\n", length); */ 715 716 /* printf("len: %ld\n", length); */ 717 /* pgp_print_bn("n: ", orsa->n); */ 718 /* pgp_print_bn("e: ", orsa->e); */ 719 n = RSA_public_encrypt((int)length, in, out, orsa, RSA_NO_PADDING); 720 721 if (n == -1) { 722 BIO *fd_out; 723 724 fd_out = BIO_new_fd(fileno(stderr), BIO_NOCLOSE); 725 ERR_print_errors(fd_out); 726 } 727 RSA_free(orsa); 728 729 return n; 730 } 731 732 /** 733 \ingroup Core_Crypto 734 \brief Finalise openssl 735 \note Would usually call pgp_finish() instead 736 \sa pgp_finish() 737 */ 738 void 739 pgp_crypto_finish(void) 740 { 741 CRYPTO_cleanup_all_ex_data(); 742 #if OPENSSL_VERSION_NUMBER < 0x10100000L 743 ERR_remove_state((unsigned long)0); 744 #endif 745 } 746 747 /** 748 \ingroup Core_Hashes 749 \brief Get Hash name 750 \param hash Hash struct 751 \return Hash name 752 */ 753 const char * 754 pgp_text_from_hash(pgp_hash_t *hash) 755 { 756 return hash->name; 757 } 758 759 /** 760 \ingroup HighLevel_KeyGenerate 761 \brief Generates an RSA keypair 762 \param numbits Modulus size 763 \param e Public Exponent 764 \param keydata Pointer to keydata struct to hold new key 765 \return 1 if key generated successfully; otherwise 0 766 \note It is the caller's responsibility to call pgp_keydata_free(keydata) 767 */ 768 static unsigned 769 rsa_generate_keypair(pgp_key_t *keydata, 770 const int numbits, 771 const unsigned long e, 772 const char *hashalg, 773 const char *cipher) 774 { 775 pgp_seckey_t *seckey; 776 RSA *rsa; 777 BN_CTX *ctx; 778 pgp_output_t *output; 779 pgp_memory_t *mem; 780 BIGNUM *bne; 781 pgp_rsa_pubkey_t *pk; 782 pgp_rsa_seckey_t *sk; 783 784 ctx = BN_CTX_new(); 785 pgp_keydata_init(keydata, PGP_PTAG_CT_SECRET_KEY); 786 seckey = pgp_get_writable_seckey(keydata); 787 pk = &seckey->pubkey.key.rsa; 788 sk = &seckey->key.rsa; 789 790 /* generate the key pair */ 791 792 bne = BN_new(); 793 BN_set_word(bne, e); 794 795 rsa = RSA_new(); 796 RSA_generate_key_ex(rsa, numbits, bne, NULL); 797 BN_free(bne); 798 799 /* populate pgp key from ssl key */ 800 takeRSA(rsa, pk, sk); 801 802 seckey->pubkey.version = PGP_V4; 803 seckey->pubkey.birthtime = time(NULL); 804 seckey->pubkey.days_valid = 0; 805 seckey->pubkey.alg = PGP_PKA_RSA; 806 807 seckey->s2k_usage = PGP_S2KU_ENCRYPTED_AND_HASHED; 808 seckey->s2k_specifier = PGP_S2KS_SALTED; 809 /* seckey->s2k_specifier=PGP_S2KS_SIMPLE; */ 810 if ((seckey->hash_alg = pgp_str_to_hash_alg(hashalg)) == PGP_HASH_UNKNOWN) { 811 seckey->hash_alg = PGP_HASH_SHA1; 812 } 813 seckey->alg = pgp_str_to_cipher(cipher); 814 seckey->octetc = 0; 815 seckey->checksum = 0; 816 817 sk->u = BN_mod_inverse(NULL, sk->p, sk->q, ctx); 818 if (sk->u == NULL) { 819 (void) fprintf(stderr, "seckey->key.rsa.u is NULL\n"); 820 return 0; 821 } 822 BN_CTX_free(ctx); 823 824 RSA_free(rsa); 825 826 pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg); 827 pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg); 828 829 /* Generate checksum */ 830 831 output = NULL; 832 mem = NULL; 833 834 pgp_setup_memory_write(&output, &mem, 128); 835 836 pgp_push_checksum_writer(output, seckey); 837 838 switch (seckey->pubkey.alg) { 839 case PGP_PKA_DSA: 840 return pgp_write_mpi(output, seckey->key.dsa.x); 841 case PGP_PKA_RSA: 842 case PGP_PKA_RSA_ENCRYPT_ONLY: 843 case PGP_PKA_RSA_SIGN_ONLY: 844 if (!pgp_write_mpi(output, seckey->key.rsa.d) || 845 !pgp_write_mpi(output, seckey->key.rsa.p) || 846 !pgp_write_mpi(output, seckey->key.rsa.q) || 847 !pgp_write_mpi(output, seckey->key.rsa.u)) { 848 return 0; 849 } 850 break; 851 case PGP_PKA_ELGAMAL: 852 return pgp_write_mpi(output, seckey->key.elgamal.x); 853 854 default: 855 (void) fprintf(stderr, "Bad seckey->pubkey.alg\n"); 856 return 0; 857 } 858 859 /* close rather than pop, since its the only one on the stack */ 860 pgp_writer_close(output); 861 pgp_teardown_memory_write(output, mem); 862 863 /* should now have checksum in seckey struct */ 864 865 /* test */ 866 if (pgp_get_debug_level(__FILE__)) { 867 test_seckey(seckey); 868 } 869 870 return 1; 871 } 872 873 /** 874 \ingroup HighLevel_KeyGenerate 875 \brief Creates a self-signed RSA keypair 876 \param numbits Modulus size 877 \param e Public Exponent 878 \param userid User ID 879 \return The new keypair or NULL 880 881 \note It is the caller's responsibility to call pgp_keydata_free(keydata) 882 \sa rsa_generate_keypair() 883 \sa pgp_keydata_free() 884 */ 885 pgp_key_t * 886 pgp_rsa_new_selfsign_key(const int numbits, 887 const unsigned long e, 888 uint8_t *userid, 889 const char *hashalg, 890 const char *cipher) 891 { 892 pgp_key_t *keydata; 893 894 keydata = pgp_keydata_new(); 895 if (!rsa_generate_keypair(keydata, numbits, e, hashalg, cipher) || 896 !pgp_add_selfsigned_userid(keydata, userid)) { 897 pgp_keydata_free(keydata); 898 return NULL; 899 } 900 return keydata; 901 } 902 903 DSA_SIG * 904 pgp_dsa_sign(uint8_t *hashbuf, 905 unsigned hashsize, 906 const pgp_dsa_seckey_t *secdsa, 907 const pgp_dsa_pubkey_t *pubdsa) 908 { 909 DSA_SIG *dsasig; 910 DSA *odsa = makeDSA(pubdsa, secdsa); 911 912 dsasig = DSA_do_sign(hashbuf, (int)hashsize, odsa); 913 914 DSA_free(odsa); 915 916 return dsasig; 917 } 918 919 int 920 openssl_read_pem_seckey(const char *f, pgp_key_t *key, const char *type, int verbose) 921 { 922 FILE *fp; 923 char prompt[BUFSIZ]; 924 char *pass; 925 DSA *dsa; 926 RSA *rsa; 927 int ok; 928 929 OpenSSL_add_all_algorithms(); 930 if ((fp = fopen(f, "r")) == NULL) { 931 if (verbose) { 932 (void) fprintf(stderr, "can't open '%s'\n", f); 933 } 934 return 0; 935 } 936 ok = 1; 937 if (strcmp(type, "ssh-rsa") == 0) { 938 if ((rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) { 939 (void) snprintf(prompt, sizeof(prompt), "netpgp PEM %s passphrase: ", f); 940 do { 941 pass = getpass(prompt); 942 rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, pass); 943 } while (rsa == NULL); 944 } 945 takeRSA(rsa, NULL, &key->key.seckey.key.rsa); 946 } else if (strcmp(type, "ssh-dss") == 0) { 947 if ((dsa = PEM_read_DSAPrivateKey(fp, NULL, NULL, NULL)) == NULL) { 948 ok = 0; 949 } else { 950 takeDSA(dsa, &key->key.seckey.key.dsa); 951 } 952 } else { 953 ok = 0; 954 } 955 (void) fclose(fp); 956 return ok; 957 } 958 959 /* 960 * Decide the number of bits in the random componont k 961 * 962 * It should be in the same range as p for signing (which 963 * is deprecated), but can be much smaller for encrypting. 964 * 965 * Until I research it further, I just mimic gpg behaviour. 966 * It has a special mapping table, for values <= 5120, 967 * above that it uses 'arbitrary high number'. Following 968 * algorihm hovers 10-70 bits above gpg values. And for 969 * larger p, it uses gpg's algorihm. 970 * 971 * The point is - if k gets large, encryption will be 972 * really slow. It does not matter for decryption. 973 */ 974 static int 975 decide_k_bits(int p_bits) 976 { 977 return (p_bits <= 5120) ? p_bits / 10 + 160 : (p_bits / 8 + 200) * 3 / 2; 978 } 979 980 int 981 pgp_elgamal_public_encrypt(uint8_t *g_to_k, uint8_t *encm, 982 const uint8_t *in, 983 size_t size, 984 const pgp_elgamal_pubkey_t *pubkey) 985 { 986 int ret = 0; 987 int k_bits; 988 BIGNUM *m; 989 BIGNUM *p; 990 BIGNUM *g; 991 BIGNUM *y; 992 BIGNUM *k; 993 BIGNUM *yk; 994 BIGNUM *c1; 995 BIGNUM *c2; 996 BN_CTX *tmp; 997 998 m = BN_bin2bn(in, (int)size, NULL); 999 p = pubkey->p; 1000 g = pubkey->g; 1001 y = pubkey->y; 1002 k = BN_new(); 1003 yk = BN_new(); 1004 c1 = BN_new(); 1005 c2 = BN_new(); 1006 tmp = BN_CTX_new(); 1007 if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) { 1008 goto done; 1009 } 1010 /* 1011 * generate k 1012 */ 1013 k_bits = decide_k_bits(BN_num_bits(p)); 1014 if (!BN_rand(k, k_bits, 0, 0)) { 1015 goto done; 1016 } 1017 /* 1018 * c1 = g^k c2 = m * y^k 1019 */ 1020 if (!BN_mod_exp(c1, g, k, p, tmp)) { 1021 goto done; 1022 } 1023 if (!BN_mod_exp(yk, y, k, p, tmp)) { 1024 goto done; 1025 } 1026 if (!BN_mod_mul(c2, m, yk, p, tmp)) { 1027 goto done; 1028 } 1029 /* result */ 1030 BN_bn2bin(c1, g_to_k); 1031 ret = BN_num_bytes(c1); /* c1 = g^k */ 1032 BN_bn2bin(c2, encm); 1033 ret += BN_num_bytes(c2); /* c2 = m * y^k */ 1034 done: 1035 if (tmp) { 1036 BN_CTX_free(tmp); 1037 } 1038 if (c2) { 1039 BN_clear_free(c2); 1040 } 1041 if (c1) { 1042 BN_clear_free(c1); 1043 } 1044 if (yk) { 1045 BN_clear_free(yk); 1046 } 1047 if (k) { 1048 BN_clear_free(k); 1049 } 1050 if (g) { 1051 BN_clear_free(g); 1052 } 1053 return ret; 1054 } 1055 1056 int 1057 pgp_elgamal_private_decrypt(uint8_t *out, 1058 const uint8_t *g_to_k, 1059 const uint8_t *in, 1060 size_t length, 1061 const pgp_elgamal_seckey_t *seckey, 1062 const pgp_elgamal_pubkey_t *pubkey) 1063 { 1064 BIGNUM *bndiv; 1065 BIGNUM *c1x; 1066 BN_CTX *tmp; 1067 BIGNUM *c1; 1068 BIGNUM *c2; 1069 BIGNUM *p; 1070 BIGNUM *x; 1071 BIGNUM *m; 1072 int ret; 1073 1074 ret = 0; 1075 /* c1 and c2 are in g_to_k and in, respectively*/ 1076 c1 = BN_bin2bn(g_to_k, (int)length, NULL); 1077 c2 = BN_bin2bn(in, (int)length, NULL); 1078 /* other bits */ 1079 p = pubkey->p; 1080 x = seckey->x; 1081 c1x = BN_new(); 1082 bndiv = BN_new(); 1083 m = BN_new(); 1084 tmp = BN_CTX_new(); 1085 if (!c1 || !c2 || !p || !x || !c1x || !bndiv || !m || !tmp) { 1086 goto done; 1087 } 1088 /* 1089 * m = c2 / (c1^x) 1090 */ 1091 if (!BN_mod_exp(c1x, c1, x, p, tmp)) { 1092 goto done; 1093 } 1094 if (!BN_mod_inverse(bndiv, c1x, p, tmp)) { 1095 goto done; 1096 } 1097 if (!BN_mod_mul(m, c2, bndiv, p, tmp)) { 1098 goto done; 1099 } 1100 /* result */ 1101 ret = BN_bn2bin(m, out); 1102 done: 1103 if (tmp) { 1104 BN_CTX_free(tmp); 1105 } 1106 if (m) { 1107 BN_clear_free(m); 1108 } 1109 if (bndiv) { 1110 BN_clear_free(bndiv); 1111 } 1112 if (c1x) { 1113 BN_clear_free(c1x); 1114 } 1115 if (x) { 1116 BN_clear_free(x); 1117 } 1118 if (p) { 1119 BN_clear_free(p); 1120 } 1121 if (c1) { 1122 BN_clear_free(c1); 1123 } 1124 if (c2) { 1125 BN_clear_free(c2); 1126 } 1127 return ret; 1128 } 1129