1 /*- 2 * Copyright (c) 2012 Alistair Crooks <agc@NetBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 #include "config.h" 26 27 #include <sys/types.h> 28 #include <sys/stat.h> 29 #include <sys/param.h> 30 #include <sys/mman.h> 31 32 #include <arpa/inet.h> 33 34 #include <inttypes.h> 35 #include <stdarg.h> 36 #include <stdio.h> 37 #include <stdlib.h> 38 #include <string.h> 39 #include <time.h> 40 #include <unistd.h> 41 42 #include "bzlib.h" 43 #include "zlib.h" 44 45 #include "array.h" 46 #include "b64.h" 47 #include "bn.h" 48 #include "bufgap.h" 49 #include "digest.h" 50 #include "misc.h" 51 #include "pgpsum.h" 52 #include "rsa.h" 53 #include "verify.h" 54 55 #ifndef USE_ARG 56 #define USE_ARG(x) /*LINTED*/(void)&(x) 57 #endif 58 59 #ifndef __dead 60 #define __dead __attribute__((__noreturn__)) 61 #endif 62 63 #ifndef __printflike 64 #define __printflike(n, m) __attribute__((format(printf,n,m))) 65 #endif 66 67 #define BITS_TO_BYTES(b) (((b) + (CHAR_BIT - 1)) / CHAR_BIT) 68 69 /* packet types */ 70 #define SIGNATURE_PKT 2 71 #define ONEPASS_SIGNATURE_PKT 4 72 #define PUBKEY_PKT 6 73 #define COMPRESSED_DATA_PKT 8 74 #define MARKER_PKT 10 75 #define LITDATA_PKT 11 76 #define TRUST_PKT 12 77 #define USERID_PKT 13 78 #define PUB_SUBKEY_PKT 14 79 #define USER_ATTRIBUTE_PKT 17 80 81 /* only allow certain packets at certain times */ 82 #define PUBRING_ALLOWED "\002\006\014\015\016\021" 83 #define SIGNATURE_ALLOWED "\002\004\010\013" 84 85 /* actions to do on close */ 86 #define FREE_MEM 0x01 87 #define UNMAP_MEM 0x02 88 89 /* types of pubkey we encounter */ 90 #define PUBKEY_RSA_ENCRYPT_OR_SIGN 1 91 #define PUBKEY_RSA_ENCRYPT 2 92 #define PUBKEY_RSA_SIGN 3 93 #define PUBKEY_ELGAMAL_ENCRYPT 16 94 #define PUBKEY_DSA 17 95 #define PUBKEY_ELLIPTIC_CURVE 18 96 #define PUBKEY_ECDSA 19 97 #define PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN 20 98 99 /* hash algorithm definitions */ 100 #define PGPV_HASH_MD5 1 101 #define PGPV_HASH_SHA1 2 102 #define PGPV_HASH_RIPEMD 3 103 #define PGPV_HASH_SHA256 8 104 #define PGPV_HASH_SHA384 9 105 #define PGPV_HASH_SHA512 10 106 107 /* pubkey defs for bignums */ 108 #define RSA_N 0 109 #define RSA_E 1 110 #define DSA_P 0 111 #define DSA_Q 1 112 #define DSA_G 2 113 #define DSA_Y 3 114 #define ELGAMAL_P 0 115 #define ELGAMAL_G 1 116 #define ELGAMAL_Y 2 117 118 /* sesskey indices */ 119 #define RSA_SESSKEY_ENCRYPTED_M 0 120 #define RSA_SESSKEY_M 1 121 #define ELGAMAL_SESSKEY_G_TO_K 0 122 #define ELGAMAL_SESSKEY_ENCRYPTED_M 1 123 124 /* seckey indices */ 125 #define RSA_SECKEY_D 0 126 #define RSA_SECKEY_P 1 127 #define RSA_SECKEY_Q 2 128 #define RSA_SECKEY_U 3 129 #define DSA_SECKEY_X 0 130 #define ELGAMAL_SECKEY_X 0 131 132 /* signature mpi indices in bignumber array */ 133 #define RSA_SIG 0 134 #define DSA_R 0 135 #define DSA_S 1 136 #define ELGAMAL_SIG_R 0 137 #define ELGAMAL_SIG_S 1 138 139 /* signature types */ 140 #define SIGTYPE_BINARY_DOC 0x00 /* Signature of a binary document */ 141 #define SIGTYPE_TEXT 0x01 /* Signature of a canonical text document */ 142 #define SIGTYPE_STANDALONE 0x02 /* Standalone signature */ 143 144 #define SIGTYPE_GENERIC_USERID 0x10 /* Generic certification of a User ID and Public Key packet */ 145 #define SIGTYPE_PERSONA_USERID 0x11 /* Persona certification of a User ID and Public Key packet */ 146 #define SIGTYPE_CASUAL_USERID 0x12 /* Casual certification of a User ID and Public Key packet */ 147 #define SIGTYPE_POSITIVE_USERID 0x13 /* Positive certification of a User ID and Public Key packet */ 148 149 #define SIGTYPE_SUBKEY_BINDING 0x18 /* Subkey Binding Signature */ 150 #define SIGTYPE_PRIMARY_KEY_BINDING 0x19 /* Primary Key Binding Signature */ 151 #define SIGTYPE_DIRECT_KEY 0x1f /* Signature directly on a key */ 152 153 #define SIGTYPE_KEY_REVOCATION 0x20 /* Key revocation signature */ 154 #define SIGTYPE_SUBKEY_REVOCATION 0x28 /* Subkey revocation signature */ 155 #define SIGTYPE_CERT_REVOCATION 0x30 /* Certification revocation signature */ 156 157 #define SIGTYPE_TIMESTAMP_SIG 0x40 /* Timestamp signature */ 158 #define SIGTYPE_3RDPARTY 0x50 /* Third-Party Confirmation signature */ 159 160 /* Forward declarations */ 161 static int read_all_packets(pgpv_t */*pgp*/, pgpv_mem_t */*mem*/, const char */*op*/); 162 static int read_binary_file(pgpv_t */*pgp*/, const char */*op*/, const char */*fmt*/, ...) __printflike(3, 4); 163 static int read_binary_memory(pgpv_t */*pgp*/, const char */*op*/, const void */*memory*/, size_t /*size*/); 164 165 /* read a file into the pgpv_mem_t struct */ 166 static int 167 read_file(pgpv_t *pgp, const char *f) 168 { 169 struct stat st; 170 pgpv_mem_t *mem; 171 172 ARRAY_EXPAND(pgp->areas); 173 ARRAY_COUNT(pgp->areas) += 1; 174 mem = &ARRAY_LAST(pgp->areas); 175 memset(mem, 0x0, sizeof(*mem)); 176 if ((mem->fp = fopen(f, "r")) == NULL) { 177 fprintf(stderr, "can't read '%s'", f); 178 return 0; 179 } 180 fstat(fileno(mem->fp), &st); 181 mem->size = (size_t)st.st_size; 182 mem->mem = mmap(NULL, mem->size, PROT_READ, MAP_SHARED, fileno(mem->fp), 0); 183 mem->dealloc = UNMAP_MEM; 184 return 1; 185 } 186 187 /* DTRT and free resources */ 188 static int 189 closemem(pgpv_mem_t *mem) 190 { 191 switch(mem->dealloc) { 192 case FREE_MEM: 193 free(mem->mem); 194 mem->size = 0; 195 break; 196 case UNMAP_MEM: 197 munmap(mem->mem, mem->size); 198 fclose(mem->fp); 199 break; 200 } 201 return 1; 202 } 203 204 /* make a reference to a memory area, and its offset */ 205 static void 206 make_ref(pgpv_t *pgp, uint8_t mement, pgpv_ref_t *ref) 207 { 208 ref->mem = mement; 209 ref->offset = ARRAY_ELEMENT(pgp->areas, ref->mem).cc; 210 ref->vp = pgp; 211 } 212 213 /* return the pointer we wanted originally */ 214 static uint8_t * 215 get_ref(pgpv_ref_t *ref) 216 { 217 pgpv_mem_t *mem; 218 pgpv_t *pgp = (pgpv_t *)ref->vp;; 219 220 mem = &ARRAY_ELEMENT(pgp->areas, ref->mem); 221 return &mem->mem[ref->offset]; 222 } 223 224 #define IS_PARTIAL(x) ((x) >= 224 && (x) < 255) 225 #define DECODE_PARTIAL(x) (1 << ((x) & 0x1f)) 226 227 #define PKT_LENGTH(m, off) \ 228 ((m[off] < 192) ? (m[off]) : \ 229 (m[off] < 224) ? ((m[off] - 192) << 8) + (m[off + 1]) + 192 : \ 230 (m[off + 1] << 24) | ((m[off + 2]) << 16) | ((m[off + 3]) << 8) | (m[off + 4])) 231 232 #define PKT_LENGTH_LENGTH(m, off) \ 233 ((m[off] < 192) ? 1 : (m[off] < 224) ? 2 : 5) 234 235 /* fix up partial body lengths, return new size */ 236 static size_t 237 fixup_partials(pgpv_t *pgp, uint8_t *p, size_t totlen, size_t filesize, size_t *cc) 238 { 239 pgpv_mem_t *mem; 240 size_t partial; 241 size_t newcc; 242 243 if (totlen > filesize) { 244 printf("fixup_partial: filesize %zu is less than encoded size %zu\n", filesize, totlen); 245 return 0; 246 } 247 ARRAY_EXPAND(pgp->areas); 248 ARRAY_COUNT(pgp->areas) += 1; 249 mem = &ARRAY_LAST(pgp->areas); 250 mem->size = totlen; 251 if ((mem->mem = calloc(1, mem->size + 5)) == NULL) { 252 printf("fixup_partial: can't allocate %zu length\n", totlen); 253 return 0; 254 } 255 newcc = 0; 256 mem->dealloc = FREE_MEM; 257 for (*cc = 0 ; *cc < totlen ; newcc += partial, *cc += partial + 1) { 258 if (IS_PARTIAL(p[*cc])) { 259 partial = DECODE_PARTIAL(p[*cc]); 260 memcpy(&mem->mem[newcc], &p[*cc + 1], partial); 261 } else { 262 partial = PKT_LENGTH(p, *cc); 263 *cc += PKT_LENGTH_LENGTH(p, *cc); 264 memcpy(&mem->mem[newcc], &p[*cc], partial); 265 newcc += partial; 266 *cc += partial; 267 break; 268 } 269 } 270 return newcc; 271 } 272 273 /* get the weirdo packet length */ 274 static size_t 275 get_pkt_len(uint8_t newfmt, uint8_t *p, size_t filesize, int isprimary) 276 { 277 size_t lenbytes; 278 size_t len; 279 280 if (newfmt) { 281 if (IS_PARTIAL(*p)) { 282 if (!isprimary) { 283 /* for sub-packets, only 1, 2 or 4 byte sizes allowed */ 284 return ((*p - 192) << 8) + *(p + 1) + 192; 285 } 286 lenbytes = 1; 287 for (len = DECODE_PARTIAL(*p) ; IS_PARTIAL(p[len + lenbytes]) ; lenbytes++) { 288 len += DECODE_PARTIAL(p[len + lenbytes]); 289 } 290 len += get_pkt_len(newfmt, &p[len + lenbytes], filesize, 1); 291 return len; 292 } 293 return PKT_LENGTH(p, 0); 294 } else { 295 switch(*--p & 0x3) { 296 case 0: 297 return *(p + 1); 298 case 1: 299 return (*(p + 1) << 8) | *(p + 2); 300 case 2: 301 return (*(p + 1) << 24) | (*(p + 2) << 16) | (*(p + 3) << 8) | *(p + 4); 302 default: 303 return filesize; 304 } 305 } 306 } 307 308 static const uint8_t base64s[] = 309 /* 000 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 310 /* 016 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 311 /* 032 */ "\0\0\0\0\0\0\0\0\0\0\0?\0\0\0@" 312 /* 048 */ "56789:;<=>\0\0\0\0\0\0" 313 /* 064 */ "\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17" 314 /* 080 */ "\20\21\22\23\24\25\26\27\30\31\32\0\0\0\0\0" 315 /* 096 */ "\0\33\34\35\36\37 !\"#$%&'()" 316 /* 112 */ "*+,-./01234\0\0\0\0\0" 317 /* 128 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 318 /* 144 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 319 /* 160 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 320 /* 176 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 321 /* 192 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 322 /* 208 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 323 /* 224 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" 324 /* 240 */ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; 325 326 327 /* short function to decode from base64 */ 328 /* inspired by an ancient copy of b64.c, then rewritten, the bugs are all mine */ 329 static int 330 frombase64(char *dst, const char *src, size_t size, int flag) 331 { 332 uint8_t out[3]; 333 uint8_t in[4]; 334 uint8_t b; 335 size_t srcc; 336 int dstc; 337 int gotc; 338 int i; 339 340 USE_ARG(flag); 341 for (dstc = 0, srcc = 0 ; srcc < size; ) { 342 for (gotc = 0, i = 0; i < 4 && srcc < size; i++) { 343 for (b = 0x0; srcc < size && b == 0x0 ; ) { 344 b = base64s[(unsigned)src[srcc++]]; 345 } 346 if (srcc < size) { 347 gotc += 1; 348 if (b) { 349 in[i] = (uint8_t)(b - 1); 350 } 351 } else { 352 in[i] = 0x0; 353 } 354 } 355 if (gotc) { 356 out[0] = (uint8_t)((unsigned)in[0] << 2 | 357 (unsigned)in[1] >> 4); 358 out[1] = (uint8_t)((unsigned)in[1] << 4 | 359 (unsigned)in[2] >> 2); 360 out[2] = (uint8_t)(((in[2] << 6) & 0xc0) | in[3]); 361 for (i = 0; i < gotc - 1; i++) { 362 *dst++ = out[i]; 363 } 364 dstc += gotc - 1; 365 } 366 } 367 return dstc; 368 } 369 370 /* get the length of the packet length field */ 371 static unsigned 372 get_pkt_len_len(uint8_t newfmt, uint8_t *p, int isprimary) 373 { 374 if (newfmt) { 375 if (IS_PARTIAL(*p)) { 376 return (isprimary) ? 1 : 2; 377 } 378 return PKT_LENGTH_LENGTH(p, 0); 379 } else { 380 switch(*--p & 0x3) { 381 case 0: 382 return 1; 383 case 1: 384 return 2; 385 case 2: 386 return 4; 387 default: 388 return 0; 389 } 390 } 391 } 392 393 /* copy the 32bit integer in memory in network order */ 394 static unsigned 395 fmt_32(uint8_t *p, uint32_t a) 396 { 397 a = pgp_hton32(a); 398 memcpy(p, &a, sizeof(a)); 399 return sizeof(a); 400 } 401 402 /* copy the 16bit integer in memory in network order */ 403 static unsigned 404 fmt_16(uint8_t *p, uint16_t a) 405 { 406 a = pgp_hton16(a); 407 memcpy(p, &a, sizeof(a)); 408 return sizeof(a); 409 } 410 411 /* format a binary string in memory */ 412 static size_t 413 fmt_binary(char *s, size_t size, const uint8_t *bin, unsigned len) 414 { 415 unsigned i; 416 size_t cc; 417 418 for (cc = 0, i = 0 ; i < len && cc < size ; i++) { 419 cc += snprintf(&s[cc], size - cc, "%02x", bin[i]); 420 } 421 return cc; 422 } 423 424 /* format an mpi into memory */ 425 static unsigned 426 fmt_binary_mpi(pgpv_bignum_t *mpi, uint8_t *p, size_t size) 427 { 428 unsigned bytes; 429 BIGNUM *bn; 430 431 bytes = BITS_TO_BYTES(mpi->bits); 432 if ((size_t)bytes + 2 + 1 > size) { 433 fprintf(stderr, "truncated mpi"); 434 return 0; 435 } 436 bn = (BIGNUM *)mpi->bn; 437 if (bn == NULL || BN_is_zero(bn)) { 438 fmt_32(p, 0); 439 return 2 + 1; 440 } 441 fmt_16(p, mpi->bits); 442 BN_bn2bin(bn, &p[2]); 443 return bytes + 2; 444 } 445 446 /* dump an mpi value onto stdout */ 447 static size_t 448 fmt_mpi(char *s, size_t size, pgpv_bignum_t *bn, const char *name, int pbits) 449 { 450 size_t cc; 451 char *buf; 452 453 cc = snprintf(s, size, "%s=", name); 454 if (pbits) { 455 cc += snprintf(&s[cc], size - cc, "[%u bits] ", bn->bits); 456 } 457 buf = BN_bn2hex(bn->bn); 458 cc += snprintf(&s[cc], size - cc, "%s\n", buf); 459 free(buf); 460 return cc; 461 } 462 463 #define ALG_IS_RSA(alg) (((alg) == PUBKEY_RSA_ENCRYPT_OR_SIGN) || \ 464 ((alg) == PUBKEY_RSA_ENCRYPT) || \ 465 ((alg) == PUBKEY_RSA_SIGN)) 466 467 #define ALG_IS_DSA(alg) ((alg) == PUBKEY_DSA) 468 469 /* format key mpis into memory */ 470 static unsigned 471 fmt_key_mpis(pgpv_pubkey_t *pubkey, uint8_t *buf, size_t size) 472 { 473 size_t cc; 474 475 cc = 0; 476 buf[cc++] = pubkey->version; 477 cc += fmt_32(&buf[cc], (uint32_t)pubkey->birth); /* XXX - do this portably! */ 478 buf[cc++] = pubkey->keyalg; /* XXX - sign, or encrypt and sign? */ 479 switch(pubkey->keyalg) { 480 case PUBKEY_RSA_ENCRYPT_OR_SIGN: 481 case PUBKEY_RSA_ENCRYPT: 482 case PUBKEY_RSA_SIGN: 483 cc += fmt_binary_mpi(&pubkey->bn[RSA_N], &buf[cc], size - cc); 484 cc += fmt_binary_mpi(&pubkey->bn[RSA_E], &buf[cc], size - cc); 485 break; 486 case PUBKEY_DSA: 487 cc += fmt_binary_mpi(&pubkey->bn[DSA_P], &buf[cc], size - cc); 488 cc += fmt_binary_mpi(&pubkey->bn[DSA_Q], &buf[cc], size - cc); 489 cc += fmt_binary_mpi(&pubkey->bn[DSA_G], &buf[cc], size - cc); 490 cc += fmt_binary_mpi(&pubkey->bn[DSA_Y], &buf[cc], size - cc); 491 break; 492 default: 493 cc += fmt_binary_mpi(&pubkey->bn[ELGAMAL_P], &buf[cc], size - cc); 494 cc += fmt_binary_mpi(&pubkey->bn[ELGAMAL_G], &buf[cc], size - cc); 495 cc += fmt_binary_mpi(&pubkey->bn[ELGAMAL_Y], &buf[cc], size - cc); 496 break; 497 } 498 return (unsigned)cc; 499 } 500 501 /* calculate the fingerprint, RFC 4880, section 12.2 */ 502 static int 503 pgpv_calc_fingerprint(pgpv_fingerprint_t *fingerprint, pgpv_pubkey_t *pubkey, const char *hashtype) 504 { 505 digest_t fphash; 506 uint16_t cc; 507 uint8_t ch = 0x99; 508 uint8_t buf[8192 + 2 + 1]; 509 uint8_t len[2]; 510 511 memset(&fphash, 0x0, sizeof(fphash)); 512 if (pubkey->version == 4) { 513 /* v4 keys */ 514 fingerprint->hashalg = digest_get_alg(hashtype); 515 digest_init(&fphash, (unsigned)fingerprint->hashalg); 516 cc = fmt_key_mpis(pubkey, buf, sizeof(buf)); 517 digest_update(&fphash, &ch, 1); 518 fmt_16(len, cc); 519 digest_update(&fphash, len, 2); 520 digest_update(&fphash, buf, (unsigned)cc); 521 fingerprint->len = digest_final(fingerprint->v, &fphash); 522 return 1; 523 } 524 if (ALG_IS_RSA(pubkey->keyalg)) { 525 /* v3 keys are RSA */ 526 fingerprint->hashalg = digest_get_alg("md5"); 527 digest_init(&fphash, (unsigned)fingerprint->hashalg); 528 if (pubkey->bn[RSA_N].bn && pubkey->bn[RSA_E].bn) { 529 cc = fmt_binary_mpi(&pubkey->bn[RSA_N], buf, sizeof(buf)); 530 digest_update(&fphash, &buf[2], (unsigned)(cc - 2)); 531 cc = fmt_binary_mpi(&pubkey->bn[RSA_E], buf, sizeof(buf)); 532 digest_update(&fphash, &buf[2], (unsigned)(cc - 2)); 533 fingerprint->len = digest_final(fingerprint->v, &fphash); 534 return 1; 535 } 536 } 537 if (pubkey->bn[RSA_N].bn) { 538 if ((cc = fmt_binary_mpi(&pubkey->bn[RSA_N], buf, sizeof(buf))) >= PGPV_KEYID_LEN) { 539 memcpy(fingerprint->v, &buf[cc - PGPV_KEYID_LEN], PGPV_KEYID_LEN); 540 fingerprint->len = PGPV_KEYID_LEN; 541 return 1; 542 } 543 } 544 /* exhausted all avenues, really */ 545 memset(fingerprint->v, 0xff, fingerprint->len = PGPV_KEYID_LEN); 546 return 1; 547 } 548 549 /* format a fingerprint into memory */ 550 static size_t 551 fmt_fingerprint(char *s, size_t size, pgpv_fingerprint_t *fingerprint, const char *name) 552 { 553 unsigned i; 554 size_t cc; 555 556 cc = snprintf(s, size, "%s ", name); 557 for (i = 0 ; i < fingerprint->len ; i++) { 558 cc += snprintf(&s[cc], size - cc, "%02hhx%s", 559 fingerprint->v[i], (i % 2 == 1) ? " " : ""); 560 } 561 cc += snprintf(&s[cc], size - cc, "\n"); 562 return cc; 563 } 564 565 /* calculate keyid from a pubkey */ 566 static int 567 calc_keyid(pgpv_pubkey_t *key, const char *hashtype) 568 { 569 pgpv_calc_fingerprint(&key->fingerprint, key, hashtype); 570 memcpy(key->keyid, &key->fingerprint.v[key->fingerprint.len - PGPV_KEYID_LEN], PGPV_KEYID_LEN); 571 return 1; 572 } 573 574 /* convert a hex string to a 64bit key id (in big endian byte order */ 575 static void 576 str_to_keyid(const char *s, uint8_t *keyid) 577 { 578 uint64_t u64; 579 580 u64 = (uint64_t)strtoull(s, NULL, 16); 581 u64 = ((u64 & 0x00000000000000FFUL) << 56) | 582 ((u64 & 0x000000000000FF00UL) << 40) | 583 ((u64 & 0x0000000000FF0000UL) << 24) | 584 ((u64 & 0x00000000FF000000UL) << 8) | 585 ((u64 & 0x000000FF00000000UL) >> 8) | 586 ((u64 & 0x0000FF0000000000UL) >> 24) | 587 ((u64 & 0x00FF000000000000UL) >> 40) | 588 ((u64 & 0xFF00000000000000UL) >> 56); 589 memcpy(keyid, &u64, PGPV_KEYID_LEN); 590 } 591 592 #define PKT_ALWAYS_ON 0x80 593 #define PKT_NEWFMT_MASK 0x40 594 #define PKT_NEWFMT_TAG_MASK 0x3f 595 #define PKT_OLDFMT_TAG_MASK 0x3c 596 597 #define SUBPKT_CRITICAL_MASK 0x80 598 #define SUBPKT_TAG_MASK 0x7f 599 600 #define SUBPKT_SIG_BIRTH 2 601 #define SUBPKT_SIG_EXPIRY 3 602 #define SUBPKT_EXPORT_CERT 4 603 #define SUBPKT_TRUST_SIG 5 604 #define SUBPKT_REGEXP 6 605 #define SUBPKT_REVOCABLE 7 606 #define SUBPKT_KEY_EXPIRY 9 607 #define SUBPKT_BWD_COMPAT 10 608 #define SUBPKT_PREF_SYMMETRIC_ALG 11 609 #define SUBPKT_REVOCATION_KEY 12 610 #define SUBPKT_ISSUER 16 611 #define SUBPKT_NOTATION 20 612 #define SUBPKT_PREF_HASH_ALG 21 613 #define SUBPKT_PREF_COMPRESS_ALG 22 614 #define SUBPKT_KEY_SERVER_PREFS 23 615 #define SUBPKT_PREF_KEY_SERVER 24 616 #define SUBPKT_PRIMARY_USER_ID 25 617 #define SUBPKT_POLICY_URI 26 618 #define SUBPKT_KEY_FLAGS 27 619 #define SUBPKT_SIGNER_ID 28 620 #define SUBPKT_REVOCATION_REASON 29 621 #define SUBPKT_FEATURES 30 622 #define SUBPKT_SIGNATURE_TARGET 31 623 #define SUBPKT_EMBEDDED_SIGNATURE 32 624 625 #define UNCOMPRESSED 0 626 #define ZIP_COMPRESSION 1 627 #define ZLIB_COMPRESSION 2 628 #define BZIP2_COMPRESSION 3 629 630 /* get a 16 bit integer, in host order */ 631 static uint16_t 632 get_16(uint8_t *p) 633 { 634 uint16_t u16; 635 636 memcpy(&u16, p, sizeof(u16)); 637 return pgp_ntoh16(u16); 638 } 639 640 /* get a 32 bit integer, in host order */ 641 static uint32_t 642 get_32(uint8_t *p) 643 { 644 uint32_t u32; 645 646 memcpy(&u32, p, sizeof(u32)); 647 return pgp_ntoh32(u32); 648 } 649 650 #define HOURSECS (int64_t)(60 * 60) 651 #define DAYSECS (int64_t)(24 * 60 * 60) 652 #define MONSECS (int64_t)(30 * DAYSECS) 653 #define YEARSECS (int64_t)(365 * DAYSECS) 654 655 /* format (human readable) time into memory */ 656 static size_t 657 fmt_time(char *s, size_t size, const char *header, int64_t n, const char *trailer, int relative) 658 { 659 struct tm tm; 660 time_t elapsed; 661 time_t now; 662 time_t t; 663 size_t cc; 664 665 t = (time_t)n; 666 now = time(NULL); 667 elapsed = now - t; 668 gmtime_r(&t, &tm); 669 cc = snprintf(s, size, "%s%04d-%02d-%02d", header, 670 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday); 671 if (relative) { 672 cc += snprintf(&s[cc], size - cc, " (%lldy %lldm %lldd %lldh %s)", 673 llabs((long long)elapsed / YEARSECS), 674 llabs(((long long)elapsed % YEARSECS) / MONSECS), 675 llabs(((long long)elapsed % MONSECS) / DAYSECS), 676 llabs(((long long)elapsed % DAYSECS) / HOURSECS), 677 (now > t) ? "ago" : "ahead"); 678 } 679 cc += snprintf(&s[cc], size - cc, "%s", trailer); 680 return cc; 681 } 682 683 /* dump key mpis to stdout */ 684 static void 685 print_key_mpis(pgpv_bignum_t *v, uint8_t keyalg) 686 { 687 char s[8192]; 688 689 switch(keyalg) { 690 case PUBKEY_RSA_ENCRYPT_OR_SIGN: 691 case PUBKEY_RSA_ENCRYPT: 692 case PUBKEY_RSA_SIGN: 693 fmt_mpi(s, sizeof(s), &v[RSA_N], "rsa.n", 1); 694 printf("%s", s); 695 fmt_mpi(s, sizeof(s), &v[RSA_E], "rsa.e", 1); 696 printf("%s", s); 697 break; 698 case PUBKEY_ELGAMAL_ENCRYPT: 699 fmt_mpi(s, sizeof(s), &v[ELGAMAL_P], "elgamal.p", 1); 700 printf("%s", s); 701 fmt_mpi(s, sizeof(s), &v[ELGAMAL_Y], "elgamal.y", 1); 702 printf("%s", s); 703 break; 704 case PUBKEY_DSA: 705 fmt_mpi(s, sizeof(s), &v[DSA_P], "dsa.p", 1); 706 printf("%s", s); 707 fmt_mpi(s, sizeof(s), &v[DSA_Q], "dsa.q", 1); 708 printf("%s", s); 709 fmt_mpi(s, sizeof(s), &v[DSA_G], "dsa.g", 1); 710 printf("%s", s); 711 fmt_mpi(s, sizeof(s), &v[DSA_Y], "dsa.y", 1); 712 printf("%s", s); 713 break; 714 default: 715 printf("hi, unusual keyalg %u\n", keyalg); 716 break; 717 } 718 } 719 720 /* get an mpi, including 2 byte length */ 721 static int 722 get_mpi(pgpv_bignum_t *mpi, uint8_t *p, size_t pktlen, size_t *off) 723 { 724 size_t bytes; 725 726 mpi->bits = get_16(p); 727 if ((bytes = (size_t)BITS_TO_BYTES(mpi->bits)) > pktlen) { 728 return 0; 729 } 730 *off += sizeof(mpi->bits); 731 mpi->bn = BN_bin2bn(&p[sizeof(mpi->bits)], (int)bytes, NULL); 732 *off += bytes; 733 return 1; 734 } 735 736 /* read mpis in signature */ 737 static int 738 read_signature_mpis(pgpv_sigpkt_t *sigpkt, uint8_t *p, size_t pktlen) 739 { 740 size_t off; 741 742 off = 0; 743 switch(sigpkt->sig.keyalg) { 744 case PUBKEY_RSA_ENCRYPT_OR_SIGN: 745 case PUBKEY_RSA_SIGN: 746 case PUBKEY_RSA_ENCRYPT: 747 if (!get_mpi(&sigpkt->sig.bn[RSA_SIG], p, pktlen, &off)) { 748 printf("sigpkt->version %d, rsa sig weird\n", sigpkt->sig.version); 749 return 0; 750 } 751 break; 752 case PUBKEY_DSA: 753 case PUBKEY_ECDSA: 754 case PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN: /* deprecated */ 755 if (!get_mpi(&sigpkt->sig.bn[DSA_R], p, pktlen, &off) || 756 !get_mpi(&sigpkt->sig.bn[DSA_S], &p[off], pktlen, &off)) { 757 printf("sigpkt->version %d, dsa/elgamal sig weird\n", sigpkt->sig.version); 758 return 0; 759 } 760 break; 761 default: 762 printf("weird type of sig! %d\n", sigpkt->sig.keyalg); 763 return 0; 764 } 765 return 1; 766 } 767 768 /* add the signature sub packet to the signature packet */ 769 static int 770 add_subpacket(pgpv_sigpkt_t *sigpkt, uint8_t tag, uint8_t *p, uint16_t len) 771 { 772 pgpv_sigsubpkt_t subpkt; 773 774 memset(&subpkt, 0x0, sizeof(subpkt)); 775 subpkt.s.size = len; 776 subpkt.critical = 0; 777 subpkt.tag = tag; 778 subpkt.s.data = p; 779 ARRAY_APPEND(sigpkt->subpkts, subpkt); 780 return 1; 781 } 782 783 /* read the subpackets in the signature */ 784 static int 785 read_sig_subpackets(pgpv_sigpkt_t *sigpkt, uint8_t *p, size_t pktlen) 786 { 787 pgpv_sigsubpkt_t subpkt; 788 const int is_subpkt = 0; 789 unsigned lenlen; 790 unsigned i; 791 uint8_t *start; 792 793 start = p; 794 for (i = 0 ; (unsigned)(p - start) < sigpkt->subslen ; i++) { 795 memset(&subpkt, 0x0, sizeof(subpkt)); 796 subpkt.s.size = get_pkt_len(1, p, 0, is_subpkt); 797 lenlen = get_pkt_len_len(1, p, is_subpkt); 798 if (lenlen > pktlen) { 799 printf("weird lenlen %u\n", lenlen); 800 return 0; 801 } 802 p += lenlen; 803 subpkt.critical = (*p & SUBPKT_CRITICAL_MASK); 804 subpkt.tag = (*p & SUBPKT_TAG_MASK); 805 p += 1; 806 switch(subpkt.tag) { 807 case SUBPKT_SIG_BIRTH: 808 sigpkt->sig.birth = (int64_t)get_32(p); 809 break; 810 case SUBPKT_SIG_EXPIRY: 811 sigpkt->sig.expiry = (int64_t)get_32(p); 812 break; 813 case SUBPKT_KEY_EXPIRY: 814 sigpkt->sig.keyexpiry = (int64_t)get_32(p); 815 break; 816 case SUBPKT_ISSUER: 817 sigpkt->sig.signer = p; 818 break; 819 case SUBPKT_SIGNER_ID: 820 sigpkt->sig.signer = p; 821 break; 822 case SUBPKT_TRUST_SIG: 823 sigpkt->sig.trustsig = *p; 824 break; 825 case SUBPKT_REGEXP: 826 sigpkt->sig.regexp = (char *)(void *)p; 827 break; 828 case SUBPKT_REVOCABLE: 829 sigpkt->sig.revocable = *p; 830 break; 831 case SUBPKT_PREF_SYMMETRIC_ALG: 832 sigpkt->sig.pref_symm_alg = *p; 833 break; 834 case SUBPKT_REVOCATION_KEY: 835 sigpkt->sig.revoke_sensitive = (*p & 0x40); 836 sigpkt->sig.revoke_alg = p[1]; 837 sigpkt->sig.revoke_fingerprint = &p[2]; 838 break; 839 case SUBPKT_NOTATION: 840 sigpkt->sig.notation = *p; 841 break; 842 case SUBPKT_PREF_HASH_ALG: 843 sigpkt->sig.pref_hash_alg = *p; 844 break; 845 case SUBPKT_PREF_COMPRESS_ALG: 846 sigpkt->sig.pref_compress_alg = *p; 847 break; 848 case SUBPKT_PREF_KEY_SERVER: 849 sigpkt->sig.pref_key_server = (char *)(void *)p; 850 break; 851 case SUBPKT_KEY_SERVER_PREFS: 852 sigpkt->sig.key_server_modify = *p; 853 break; 854 case SUBPKT_KEY_FLAGS: 855 sigpkt->sig.type_key = *p; 856 break; 857 case SUBPKT_PRIMARY_USER_ID: 858 sigpkt->sig.primary_userid = *p; 859 break; 860 case SUBPKT_POLICY_URI: 861 sigpkt->sig.policy = (char *)(void *)p; 862 break; 863 case SUBPKT_FEATURES: 864 sigpkt->sig.features = (char *)(void *)p; 865 break; 866 case SUBPKT_REVOCATION_REASON: 867 sigpkt->sig.revoked = *p++ + 1; 868 sigpkt->sig.why_revoked = (char *)(void *)p; 869 break; 870 default: 871 printf("Ignoring unusual/reserved signature subpacket %d\n", subpkt.tag); 872 break; 873 } 874 subpkt.s.data = p; 875 p += subpkt.s.size - 1; 876 ARRAY_APPEND(sigpkt->subpkts, subpkt); 877 } 878 return 1; 879 } 880 881 /* parse signature packet */ 882 static int 883 read_sigpkt(pgpv_t *pgp, uint8_t mement, pgpv_sigpkt_t *sigpkt, uint8_t *p, size_t pktlen) 884 { 885 unsigned lenlen; 886 uint8_t *base; 887 888 make_ref(pgp, mement, &sigpkt->sig.hashstart); 889 base = p; 890 switch(sigpkt->sig.version = *p++) { 891 case 2: 892 case 3: 893 if ((lenlen = *p++) != 5) { 894 printf("read_sigpkt: hashed length not 5\n"); 895 return 0; 896 } 897 sigpkt->sig.hashlen = lenlen; 898 /* put birthtime into a subpacket */ 899 sigpkt->sig.type = *p++; 900 add_subpacket(sigpkt, SUBPKT_SIG_BIRTH, p, sizeof(uint32_t)); 901 sigpkt->sig.birth = (int64_t)get_32(p); 902 p += sizeof(uint32_t); 903 sigpkt->sig.signer = p; 904 add_subpacket(sigpkt, SUBPKT_SIGNER_ID, p, PGPV_KEYID_LEN); 905 p += PGPV_KEYID_LEN; 906 sigpkt->sig.keyalg = *p++; 907 sigpkt->sig.hashalg = *p++; 908 sigpkt->sig.hash2 = p; 909 if (!read_signature_mpis(sigpkt, sigpkt->sig.mpi = p + 2, pktlen)) { 910 printf("read_sigpkt: can't read sigs v3\n"); 911 return 0; 912 } 913 break; 914 case 4: 915 sigpkt->sig.type = *p++; 916 sigpkt->sig.keyalg = *p++; 917 sigpkt->sig.hashalg = *p++; 918 sigpkt->subslen = get_16(p); 919 p += sizeof(sigpkt->subslen); 920 if (!read_sig_subpackets(sigpkt, p, pktlen)) { 921 printf("read_sigpkt: can't read sig subpackets, v4\n"); 922 return 0; 923 } 924 if (!sigpkt->sig.signer) { 925 sigpkt->sig.signer = get_ref(&sigpkt->sig.hashstart) + 16; 926 } 927 p += sigpkt->subslen; 928 sigpkt->sig.hashlen = (unsigned)(p - base); 929 sigpkt->unhashlen = get_16(p); 930 p += sizeof(sigpkt->unhashlen) + sigpkt->unhashlen; 931 sigpkt->sig.hash2 = p; 932 if (!read_signature_mpis(sigpkt, sigpkt->sig.mpi = p + 2, pktlen)) { 933 printf("read_sigpkt: can't read sigs, v4\n"); 934 return 0; 935 } 936 break; 937 default: 938 printf("read_sigpkt: unusual signature version (%u)\n", sigpkt->sig.version); 939 break; 940 } 941 return 1; 942 } 943 944 945 /* this parses compressed data, decompresses it, and calls the parser again */ 946 static int 947 read_compressed(pgpv_t *pgp, pgpv_compress_t *compressed, uint8_t *p, size_t len) 948 { 949 pgpv_mem_t *unzmem; 950 bz_stream bz; 951 z_stream z; 952 int ok = 0; 953 954 compressed->compalg = *p; 955 compressed->s.size = len; 956 if ((compressed->s.data = calloc(1, len)) == NULL) { 957 printf("read_compressed: can't allocate %zu length\n", len); 958 return 0; 959 } 960 switch(compressed->compalg) { 961 case UNCOMPRESSED: 962 printf("not implemented %d compression yet\n", compressed->compalg); 963 return 0; 964 default: 965 break; 966 } 967 ARRAY_EXPAND(pgp->areas); 968 ARRAY_COUNT(pgp->areas) += 1; 969 unzmem = &ARRAY_LAST(pgp->areas); 970 unzmem->size = len * 10; 971 unzmem->dealloc = FREE_MEM; 972 if ((unzmem->mem = calloc(1, unzmem->size)) == NULL) { 973 printf("read_compressed: calloc failed!\n"); 974 return 0; 975 } 976 switch(compressed->compalg) { 977 case ZIP_COMPRESSION: 978 case ZLIB_COMPRESSION: 979 memset(&z, 0x0, sizeof(z)); 980 z.next_in = p + 1; 981 z.avail_in = (unsigned)(len - 1); 982 z.total_in = (unsigned)(len - 1); 983 z.next_out = unzmem->mem; 984 z.avail_out = (unsigned)unzmem->size; 985 z.total_out = (unsigned)unzmem->size; 986 break; 987 case BZIP2_COMPRESSION: 988 memset(&bz, 0x0, sizeof(bz)); 989 bz.avail_in = (unsigned)(len - 1); 990 bz.next_in = (char *)(void *)p + 1; 991 bz.next_out = (char *)(void *)unzmem->mem; 992 bz.avail_out = (unsigned)unzmem->size; 993 break; 994 } 995 switch(compressed->compalg) { 996 case ZIP_COMPRESSION: 997 ok = (inflateInit2(&z, -15) == Z_OK); 998 break; 999 case ZLIB_COMPRESSION: 1000 ok = (inflateInit(&z) == Z_OK); 1001 break; 1002 case BZIP2_COMPRESSION: 1003 ok = (BZ2_bzDecompressInit(&bz, 1, 0) == BZ_OK); 1004 break; 1005 } 1006 if (!ok) { 1007 printf("read_compressed: initialisation failed!\n"); 1008 return 0; 1009 } 1010 switch(compressed->compalg) { 1011 case ZIP_COMPRESSION: 1012 case ZLIB_COMPRESSION: 1013 ok = (inflate(&z, Z_FINISH) == Z_STREAM_END); 1014 unzmem->size = z.total_out; 1015 break; 1016 case BZIP2_COMPRESSION: 1017 ok = (BZ2_bzDecompress(&bz) == BZ_STREAM_END); 1018 unzmem->size = ((uint64_t)bz.total_out_hi32 << 32) | bz.total_out_lo32; 1019 break; 1020 } 1021 if (!ok) { 1022 printf("read_compressed: inflate failed!\n"); 1023 return 0; 1024 } 1025 return 1; 1026 } 1027 1028 /* parse one pass signature packet */ 1029 static int 1030 read_onepass_sig(pgpv_onepass_t *onepasspkt, uint8_t *mem) 1031 { 1032 onepasspkt->version = mem[0]; 1033 onepasspkt->type = mem[1]; 1034 onepasspkt->hashalg = mem[2]; 1035 onepasspkt->keyalg = mem[3]; 1036 memcpy(onepasspkt->keyid, &mem[4], sizeof(onepasspkt->keyid)); 1037 onepasspkt->nested = mem[12]; 1038 return 1; 1039 } 1040 1041 /* parse public key packet */ 1042 static int 1043 read_pubkey(pgpv_pubkey_t *pubkey, uint8_t *mem, size_t pktlen, int pbn) 1044 { 1045 size_t off; 1046 1047 off = 0; 1048 pubkey->version = mem[off++]; 1049 pubkey->birth = get_32(&mem[off]); 1050 off += 4; 1051 if (pubkey->version == 2 || pubkey->version == 3) { 1052 pubkey->expiry = get_16(&mem[off]) * DAYSECS; 1053 off += 2; 1054 } 1055 if ((pubkey->keyalg = mem[off++]) == 0) { 1056 pubkey->keyalg = PUBKEY_RSA_ENCRYPT_OR_SIGN; 1057 printf("got unusual pubkey keyalg %u\n", mem[off - 1]); 1058 } 1059 switch(pubkey->keyalg) { 1060 case PUBKEY_RSA_ENCRYPT_OR_SIGN: 1061 case PUBKEY_RSA_ENCRYPT: 1062 case PUBKEY_RSA_SIGN: 1063 if (!get_mpi(&pubkey->bn[RSA_N], &mem[off], pktlen, &off) || 1064 !get_mpi(&pubkey->bn[RSA_E], &mem[off], pktlen, &off)) { 1065 return 0; 1066 } 1067 break; 1068 case PUBKEY_ELGAMAL_ENCRYPT: 1069 case PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN: 1070 if (!get_mpi(&pubkey->bn[ELGAMAL_P], &mem[off], pktlen, &off) || 1071 !get_mpi(&pubkey->bn[ELGAMAL_Y], &mem[off], pktlen, &off)) { 1072 return 0; 1073 } 1074 break; 1075 case PUBKEY_DSA: 1076 if (!get_mpi(&pubkey->bn[DSA_P], &mem[off], pktlen, &off) || 1077 !get_mpi(&pubkey->bn[DSA_Q], &mem[off], pktlen, &off) || 1078 !get_mpi(&pubkey->bn[DSA_G], &mem[off], pktlen, &off) || 1079 !get_mpi(&pubkey->bn[DSA_Y], &mem[off], pktlen, &off)) { 1080 return 0; 1081 } 1082 break; 1083 default: 1084 printf("hi, different type of pubkey here %u\n", pubkey->keyalg); 1085 break; 1086 } 1087 if (pbn) { 1088 print_key_mpis(pubkey->bn, pubkey->keyalg); 1089 } 1090 return 1; 1091 } 1092 1093 /* parse a user attribute */ 1094 static int 1095 read_userattr(pgpv_userattr_t *userattr, uint8_t *p, size_t pktlen) 1096 { 1097 pgpv_string_t subattr; 1098 const int is_subpkt = 0; 1099 const int indian = 1; 1100 unsigned lenlen; 1101 uint16_t imagelen; 1102 size_t cc; 1103 1104 userattr->len = pktlen; 1105 for (cc = 0 ; cc < pktlen ; cc += subattr.size + lenlen + 1) { 1106 subattr.size = get_pkt_len(1, p, 0, is_subpkt); 1107 lenlen = get_pkt_len_len(1, p, is_subpkt); 1108 if (lenlen > pktlen) { 1109 printf("weird lenlen %u\n", lenlen); 1110 return 0; 1111 } 1112 p += lenlen; 1113 if (*p++ != 1) { 1114 printf("image type (%u) != 1. weird packet\n", *(p - 1)); 1115 } 1116 memcpy(&imagelen, p, sizeof(imagelen)); 1117 if (!*(const char *)(const void *)&indian) { 1118 /* big endian - byteswap length */ 1119 imagelen = (((unsigned)imagelen & 0xff) << 8) | (((unsigned)imagelen >> 8) & 0xff); 1120 } 1121 subattr.data = p + 3; 1122 p += subattr.size; 1123 ARRAY_APPEND(userattr->subattrs, subattr); 1124 } 1125 return 1; 1126 } 1127 1128 #define LITDATA_BINARY 'b' 1129 #define LITDATA_TEXT 't' 1130 #define LITDATA_UTF8 'u' 1131 1132 /* parse literal packet */ 1133 static int 1134 read_litdata(pgpv_t *pgp, pgpv_litdata_t *litdata, uint8_t *p, size_t size) 1135 { 1136 size_t cc; 1137 1138 cc = 0; 1139 switch(litdata->format = p[cc++]) { 1140 case LITDATA_BINARY: 1141 case LITDATA_TEXT: 1142 case LITDATA_UTF8: 1143 litdata->namelen = 0; 1144 break; 1145 default: 1146 printf("weird litdata format %u\n", litdata->format); 1147 break; 1148 } 1149 litdata->namelen = p[cc++]; 1150 litdata->filename = &p[cc]; 1151 cc += litdata->namelen; 1152 litdata->secs = get_32(&p[cc]); 1153 cc += 4; 1154 litdata->s.data = &p[cc]; 1155 litdata->len = litdata->s.size = size - cc; 1156 litdata->mem = ARRAY_COUNT(pgp->areas) - 1; 1157 litdata->offset = cc; 1158 return 1; 1159 } 1160 1161 /* parse a single packet */ 1162 static int 1163 read_pkt(pgpv_t *pgp, pgpv_mem_t *mem) 1164 { 1165 const int isprimary = 1; 1166 pgpv_pkt_t pkt; 1167 pgpv_mem_t *newmem; 1168 unsigned lenlen; 1169 uint8_t ispartial; 1170 size_t size; 1171 1172 memset(&pkt, 0x0, sizeof(pkt)); 1173 pkt.tag = mem->mem[mem->cc++]; 1174 if (!(pkt.tag & PKT_ALWAYS_ON)) { 1175 printf("BAD PACKET - bit 7 not 1, offset %zu!\n", mem->cc - 1); 1176 } 1177 pkt.newfmt = (pkt.tag & PKT_NEWFMT_MASK); 1178 pkt.tag = (pkt.newfmt) ? 1179 (pkt.tag & PKT_NEWFMT_TAG_MASK) : 1180 (((unsigned)pkt.tag & PKT_OLDFMT_TAG_MASK) >> 2); 1181 ispartial = (pkt.newfmt && IS_PARTIAL(mem->mem[mem->cc])); 1182 pkt.s.size = get_pkt_len(pkt.newfmt, &mem->mem[mem->cc], mem->size - mem->cc, isprimary); 1183 lenlen = get_pkt_len_len(pkt.newfmt, &mem->mem[mem->cc], isprimary); 1184 pkt.offset = mem->cc; 1185 mem->cc += lenlen; 1186 pkt.mement = (uint8_t)(mem - ARRAY_ARRAY(pgp->areas)); 1187 pkt.s.data = &mem->mem[mem->cc]; 1188 if (strchr(mem->allowed, pkt.tag) == NULL) { 1189 printf("packet %d not allowed for operation %s\n", pkt.tag, pgp->op); 1190 return 0; 1191 } 1192 size = pkt.s.size; 1193 if (ispartial) { 1194 pkt.s.size = fixup_partials(pgp, &mem->mem[mem->cc - lenlen], pkt.s.size, mem->size, &size); 1195 newmem = &ARRAY_LAST(pgp->areas); 1196 pkt.mement = (uint8_t)(newmem - ARRAY_ARRAY(pgp->areas)); 1197 pkt.s.data = newmem->mem; 1198 size -= 1; 1199 } 1200 switch(pkt.tag) { 1201 case SIGNATURE_PKT: 1202 if (!read_sigpkt(pgp, pkt.mement, &pkt.u.sigpkt, pkt.s.data, pkt.s.size)) { 1203 return 0; 1204 } 1205 break; 1206 case ONEPASS_SIGNATURE_PKT: 1207 read_onepass_sig(&pkt.u.onepass, pkt.s.data); 1208 break; 1209 case PUBKEY_PKT: 1210 case PUB_SUBKEY_PKT: 1211 break; 1212 case LITDATA_PKT: 1213 read_litdata(pgp, &pkt.u.litdata, pkt.s.data, pkt.s.size); 1214 break; 1215 case TRUST_PKT: 1216 pkt.u.trust.level = pkt.s.data[0]; 1217 pkt.u.trust.amount = pkt.s.data[1]; 1218 break; 1219 case USERID_PKT: 1220 pkt.u.userid.size = pkt.s.size; 1221 pkt.u.userid.data = pkt.s.data; 1222 break; 1223 case COMPRESSED_DATA_PKT: 1224 read_compressed(pgp, &pkt.u.compressed, pkt.s.data, pkt.s.size); 1225 ARRAY_APPEND(pgp->pkts, pkt); 1226 read_all_packets(pgp, &ARRAY_LAST(pgp->areas), pgp->op); 1227 break; 1228 case USER_ATTRIBUTE_PKT: 1229 read_userattr(&pkt.u.userattr, pkt.s.data, pkt.s.size); 1230 break; 1231 default: 1232 printf("hi, need to implement %d, offset %zu\n", pkt.tag, mem->cc); 1233 break; 1234 } 1235 mem->cc += size; 1236 if (pkt.tag != COMPRESSED_DATA_PKT) { 1237 /* compressed was added earlier to preserve pkt ordering */ 1238 ARRAY_APPEND(pgp->pkts, pkt); 1239 } 1240 return 1; 1241 } 1242 1243 /* checks the tag type of a packet */ 1244 static int 1245 pkt_is(pgpv_t *pgp, int wanted) 1246 { 1247 return (ARRAY_ELEMENT(pgp->pkts, pgp->pkt).tag == wanted); 1248 } 1249 1250 /* checks the packet is a signature packet, and the signature type is the expected one */ 1251 static int 1252 pkt_sigtype_is(pgpv_t *pgp, int wanted) 1253 { 1254 if (!pkt_is(pgp, SIGNATURE_PKT)) { 1255 return 0; 1256 } 1257 return (ARRAY_ELEMENT(pgp->pkts, pgp->pkt).u.sigpkt.sig.type == wanted); 1258 } 1259 1260 /* check for expected type of packet, and move to the next */ 1261 static int 1262 pkt_accept(pgpv_t *pgp, int expected) 1263 { 1264 int got; 1265 1266 if ((got = ARRAY_ELEMENT(pgp->pkts, pgp->pkt).tag) == expected) { 1267 pgp->pkt += 1; 1268 return 1; 1269 } 1270 printf("problem at token %zu, expcted %d, got %d\n", pgp->pkt, expected, got); 1271 return 0; 1272 } 1273 1274 /* recognise signature (and trust) packet */ 1275 static int 1276 recog_signature(pgpv_t *pgp, pgpv_signature_t *signature) 1277 { 1278 if (!pkt_is(pgp, SIGNATURE_PKT)) { 1279 printf("recog_signature: not a signature packet\n"); 1280 return 0; 1281 } 1282 memcpy(signature, &ARRAY_ELEMENT(pgp->pkts, pgp->pkt).u.sigpkt.sig, sizeof(*signature)); 1283 pgp->pkt += 1; 1284 if (pkt_is(pgp, TRUST_PKT)) { 1285 pkt_accept(pgp, TRUST_PKT); 1286 } 1287 return 1; 1288 } 1289 1290 /* recognise user id packet */ 1291 static int 1292 recog_userid(pgpv_t *pgp, pgpv_signed_userid_t *userid) 1293 { 1294 pgpv_signature_t signature; 1295 pgpv_pkt_t *pkt; 1296 1297 memset(userid, 0x0, sizeof(*userid)); 1298 if (!pkt_is(pgp, USERID_PKT)) { 1299 printf("recog_userid: not %d\n", USERID_PKT); 1300 return 0; 1301 } 1302 pkt = &ARRAY_ELEMENT(pgp->pkts, pgp->pkt); 1303 userid->userid.size = pkt->s.size; 1304 userid->userid.data = pkt->s.data; 1305 pgp->pkt += 1; 1306 while (pkt_is(pgp, SIGNATURE_PKT)) { 1307 if (!recog_signature(pgp, &signature)) { 1308 printf("recog_userid: can't recognise signature/trust\n"); 1309 return 0; 1310 } 1311 ARRAY_APPEND(userid->sigs, signature); 1312 if (signature.primary_userid) { 1313 userid->primary_userid = signature.primary_userid; 1314 } 1315 if (signature.revoked) { 1316 userid->revoked = signature.revoked; 1317 } 1318 } 1319 return 1; 1320 } 1321 1322 /* recognise user attributes packet */ 1323 static int 1324 recog_userattr(pgpv_t *pgp, pgpv_signed_userattr_t *userattr) 1325 { 1326 pgpv_signature_t signature; 1327 1328 memset(userattr, 0x0, sizeof(*userattr)); 1329 if (!pkt_is(pgp, USER_ATTRIBUTE_PKT)) { 1330 printf("recog_userattr: not %d\n", USER_ATTRIBUTE_PKT); 1331 return 0; 1332 } 1333 userattr->userattr = ARRAY_ELEMENT(pgp->pkts, pgp->pkt).u.userattr; 1334 pgp->pkt += 1; 1335 while (pkt_is(pgp, SIGNATURE_PKT)) { 1336 if (!recog_signature(pgp, &signature)) { 1337 printf("recog_userattr: can't recognise signature/trust\n"); 1338 return 0; 1339 } 1340 ARRAY_APPEND(userattr->sigs, signature); 1341 if (signature.revoked) { 1342 userattr->revoked = signature.revoked; 1343 } 1344 } 1345 return 1; 1346 } 1347 1348 /* recognise a sub key */ 1349 static int 1350 recog_subkey(pgpv_t *pgp, pgpv_signed_subkey_t *subkey) 1351 { 1352 pgpv_signature_t signature; 1353 pgpv_pkt_t *pkt; 1354 1355 pkt = &ARRAY_ELEMENT(pgp->pkts, pgp->pkt); 1356 memset(subkey, 0x0, sizeof(*subkey)); 1357 read_pubkey(&subkey->subkey, pkt->s.data, pkt->s.size, 0); 1358 pgp->pkt += 1; 1359 if (pkt_sigtype_is(pgp, SIGTYPE_KEY_REVOCATION) || 1360 pkt_sigtype_is(pgp, SIGTYPE_SUBKEY_REVOCATION) || 1361 pkt_sigtype_is(pgp, SIGTYPE_CERT_REVOCATION)) { 1362 recog_signature(pgp, &signature); 1363 subkey->revoc_self_sig = signature; 1364 } 1365 do { 1366 if (!pkt_is(pgp, SIGNATURE_PKT)) { 1367 printf("recog_subkey: not signature packet at %zu\n", pgp->pkt); 1368 return 0; 1369 } 1370 if (!recog_signature(pgp, &signature)) { 1371 printf("recog_subkey: bad signature/trust at %zu\n", pgp->pkt); 1372 return 0; 1373 } 1374 ARRAY_APPEND(subkey->sigs, signature); 1375 if (signature.keyexpiry) { 1376 /* XXX - check it's a good key expiry */ 1377 subkey->subkey.expiry = signature.keyexpiry; 1378 } 1379 } while (pkt_is(pgp, SIGNATURE_PKT)); 1380 return 1; 1381 } 1382 1383 /* use a sparse map for the text strings here to save space */ 1384 static const char *keyalgs[] = { 1385 "[Unknown]", 1386 "RSA (Encrypt or Sign)", 1387 "RSA (Encrypt Only)", 1388 "RSA (Sign Only)", 1389 "Elgamal (Encrypt Only)", 1390 "DSA", 1391 "Elliptic Curve", 1392 "ECDSA", 1393 "Elgamal (Encrypt or Sign)" 1394 }; 1395 1396 #define MAX_KEYALG 21 1397 1398 static const char *keyalgmap = "\0\01\02\03\0\0\0\0\0\0\0\0\0\0\0\0\04\05\06\07\010\011"; 1399 1400 /* return human readable name for key algorithm */ 1401 static const char * 1402 fmtkeyalg(uint8_t keyalg) 1403 { 1404 return keyalgs[(uint8_t)keyalgmap[(keyalg >= MAX_KEYALG) ? 0 : keyalg]]; 1405 } 1406 1407 /* return the number of bits in the public key */ 1408 static unsigned 1409 numkeybits(const pgpv_pubkey_t *pubkey) 1410 { 1411 switch(pubkey->keyalg) { 1412 case PUBKEY_RSA_ENCRYPT_OR_SIGN: 1413 case PUBKEY_RSA_ENCRYPT: 1414 case PUBKEY_RSA_SIGN: 1415 return pubkey->bn[RSA_N].bits; 1416 case PUBKEY_DSA: 1417 case PUBKEY_ECDSA: 1418 return pubkey->bn[DSA_P].bits; 1419 //return BITS_TO_BYTES(pubkey->bn[DSA_Q].bits) * 64; 1420 case PUBKEY_ELGAMAL_ENCRYPT: 1421 case PUBKEY_ELGAMAL_ENCRYPT_OR_SIGN: 1422 return pubkey->bn[ELGAMAL_P].bits; 1423 default: 1424 return 0; 1425 } 1426 } 1427 1428 /* print a public key */ 1429 static size_t 1430 fmt_pubkey(char *s, size_t size, pgpv_pubkey_t *pubkey, const char *leader) 1431 { 1432 size_t cc; 1433 1434 cc = snprintf(s, size, "%s %u/%s ", leader, numkeybits(pubkey), fmtkeyalg(pubkey->keyalg)); 1435 cc += fmt_binary(&s[cc], size - cc, pubkey->keyid, PGPV_KEYID_LEN); 1436 cc += fmt_time(&s[cc], size - cc, " ", pubkey->birth, "", 0); 1437 if (pubkey->expiry) { 1438 cc += fmt_time(&s[cc], size - cc, " [Expiry ", pubkey->birth + pubkey->expiry, "]", 0); 1439 } 1440 cc += snprintf(&s[cc], size - cc, "\n"); 1441 cc += fmt_fingerprint(&s[cc], size - cc, &pubkey->fingerprint, "fingerprint "); 1442 return cc; 1443 } 1444 1445 /* we add 1 to revocation value to denote compromised */ 1446 #define COMPROMISED (0x02 + 1) 1447 1448 /* format a userid - used to order the userids when formatting */ 1449 static size_t 1450 fmt_userid(char *s, size_t size, pgpv_primarykey_t *primary, uint8_t u) 1451 { 1452 pgpv_signed_userid_t *userid; 1453 1454 userid = &ARRAY_ELEMENT(primary->signed_userids, u); 1455 return snprintf(s, size, "uid %.*s%s\n", 1456 (int)userid->userid.size, userid->userid.data, 1457 (userid->revoked == COMPROMISED) ? " [COMPROMISED AND REVOKED]" : 1458 (userid->revoked) ? " [REVOKED]" : ""); 1459 } 1460 1461 /* format a trust sig - used to order the userids when formatting */ 1462 static size_t 1463 fmt_trust(char *s, size_t size, pgpv_signed_userid_t *userid, uint32_t u) 1464 { 1465 pgpv_signature_t *sig; 1466 size_t cc; 1467 1468 sig = &ARRAY_ELEMENT(userid->sigs, u); 1469 cc = snprintf(s, size, "trust "); 1470 cc += fmt_binary(&s[cc], size - cc, sig->signer, 8); 1471 return cc + snprintf(&s[cc], size - cc, "\n"); 1472 } 1473 1474 /* print a primary key, per RFC 4880 */ 1475 static size_t 1476 fmt_primary(char *s, size_t size, pgpv_primarykey_t *primary, const char *modifiers) 1477 { 1478 pgpv_signed_userid_t *userid; 1479 unsigned i; 1480 unsigned j; 1481 size_t cc; 1482 1483 cc = fmt_pubkey(s, size, &primary->primary, "signature "); 1484 cc += fmt_userid(&s[cc], size - cc, primary, primary->primary_userid); 1485 for (i = 0 ; i < ARRAY_COUNT(primary->signed_userids) ; i++) { 1486 if (i != primary->primary_userid) { 1487 cc += fmt_userid(&s[cc], size - cc, primary, i); 1488 if (strcasecmp(modifiers, "trust") == 0) { 1489 userid = &ARRAY_ELEMENT(primary->signed_userids, i); 1490 for (j = 0 ; j < ARRAY_COUNT(userid->sigs) ; j++) { 1491 cc += fmt_trust(&s[cc], size - cc, userid, j); 1492 } 1493 } 1494 } 1495 } 1496 if (strcasecmp(modifiers, "subkeys") == 0) { 1497 for (i = 0 ; i < ARRAY_COUNT(primary->signed_subkeys) ; i++) { 1498 cc += fmt_pubkey(&s[cc], size - cc, &ARRAY_ELEMENT(primary->signed_subkeys, i).subkey, "encryption"); 1499 } 1500 } 1501 cc += snprintf(&s[cc], size - cc, "\n"); 1502 return cc; 1503 } 1504 1505 1506 /* check the padding on the signature */ 1507 static int 1508 rsa_padding_check_none(uint8_t *to, int tlen, const uint8_t *from, int flen, int num) 1509 { 1510 USE_ARG(num); 1511 if (flen > tlen) { 1512 printf("from length larger than to length\n"); 1513 return -1; 1514 } 1515 (void) memset(to, 0x0, (size_t)(tlen - flen)); 1516 (void) memcpy(to + tlen - flen, from, (size_t)flen); 1517 return tlen; 1518 } 1519 1520 #define RSA_MAX_MODULUS_BITS 16384 1521 #define RSA_SMALL_MODULUS_BITS 3072 1522 #define RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */ 1523 1524 /* check against the exponent/moudulo operation */ 1525 static int 1526 lowlevel_rsa_public_check(const uint8_t *encbuf, int enclen, uint8_t *dec, const rsa_pubkey_t *rsa) 1527 { 1528 uint8_t *decbuf; 1529 BIGNUM *decbn; 1530 BIGNUM *encbn; 1531 int decbytes; 1532 int nbytes; 1533 int r; 1534 1535 nbytes = 0; 1536 r = -1; 1537 decbuf = NULL; 1538 decbn = encbn = NULL; 1539 if (BN_num_bits(rsa->n) > RSA_MAX_MODULUS_BITS) { 1540 printf("rsa r modulus too large\n"); 1541 goto err; 1542 } 1543 if (BN_cmp(rsa->n, rsa->e) <= 0) { 1544 printf("rsa r bad n value\n"); 1545 goto err; 1546 } 1547 if (BN_num_bits(rsa->n) > RSA_SMALL_MODULUS_BITS && 1548 BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) { 1549 printf("rsa r bad exponent limit\n"); 1550 goto err; 1551 } 1552 nbytes = BN_num_bytes(rsa->n); 1553 if ((encbn = BN_new()) == NULL || 1554 (decbn = BN_new()) == NULL || 1555 (decbuf = calloc(1, (size_t)nbytes)) == NULL) { 1556 printf("allocation failure\n"); 1557 goto err; 1558 } 1559 if (enclen > nbytes) { 1560 printf("rsa r > mod len\n"); 1561 goto err; 1562 } 1563 if (BN_bin2bn(encbuf, enclen, encbn) == NULL) { 1564 printf("null encrypted BN\n"); 1565 goto err; 1566 } 1567 if (BN_cmp(encbn, rsa->n) >= 0) { 1568 printf("rsa r data too large for modulus\n"); 1569 goto err; 1570 } 1571 if (BN_mod_exp(decbn, encbn, rsa->e, rsa->n, NULL) < 0) { 1572 printf("BN_mod_exp < 0\n"); 1573 goto err; 1574 } 1575 decbytes = BN_num_bytes(decbn); 1576 (void) BN_bn2bin(decbn, decbuf); 1577 if ((r = rsa_padding_check_none(dec, nbytes, decbuf, decbytes, 0)) < 0) { 1578 printf("rsa r padding check failed\n"); 1579 } 1580 err: 1581 BN_free(encbn); 1582 BN_free(decbn); 1583 if (decbuf != NULL) { 1584 (void) memset(decbuf, 0x0, nbytes); 1585 free(decbuf); 1586 } 1587 return r; 1588 } 1589 1590 /* verify */ 1591 static int 1592 rsa_public_decrypt(int enclen, const unsigned char *enc, unsigned char *dec, RSA *rsa, int padding) 1593 { 1594 rsa_pubkey_t pub; 1595 int ret; 1596 1597 if (enc == NULL || dec == NULL || rsa == NULL) { 1598 return 0; 1599 } 1600 USE_ARG(padding); 1601 (void) memset(&pub, 0x0, sizeof(pub)); 1602 pub.n = BN_dup(rsa->n); 1603 pub.e = BN_dup(rsa->e); 1604 ret = lowlevel_rsa_public_check(enc, enclen, dec, &pub); 1605 BN_free(pub.n); 1606 BN_free(pub.e); 1607 return ret; 1608 } 1609 1610 #define SUBKEY_LEN(x) (80 + 80) 1611 #define SIG_LEN 80 1612 #define UID_LEN 80 1613 1614 /* return worst case number of bytes needed to format a primary key */ 1615 static size_t 1616 estimate_primarykey_size(pgpv_primarykey_t *primary) 1617 { 1618 size_t cc; 1619 1620 cc = SUBKEY_LEN("signature") + 1621 (ARRAY_COUNT(primary->signed_userids) * UID_LEN) + 1622 (ARRAY_COUNT(primary->signed_subkeys) * SUBKEY_LEN("encrypt uids")); 1623 return cc; 1624 } 1625 1626 /* use public decrypt to verify a signature */ 1627 static int 1628 pgpv_rsa_public_decrypt(uint8_t *out, const uint8_t *in, size_t length, const pgpv_pubkey_t *pubkey) 1629 { 1630 RSA *orsa; 1631 int n; 1632 1633 if ((orsa = calloc(1, sizeof(*orsa))) == NULL) { 1634 return 0; 1635 } 1636 orsa->n = pubkey->bn[RSA_N].bn; 1637 orsa->e = pubkey->bn[RSA_E].bn; 1638 n = rsa_public_decrypt((int)length, in, out, orsa, RSA_NO_PADDING); 1639 orsa->n = orsa->e = NULL; 1640 free(orsa); 1641 return n; 1642 } 1643 1644 /* verify rsa signature */ 1645 static int 1646 rsa_verify(uint8_t *calculated, unsigned calclen, uint8_t hashalg, pgpv_bignum_t *bn, pgpv_pubkey_t *pubkey) 1647 { 1648 unsigned prefixlen; 1649 unsigned decryptc; 1650 unsigned i; 1651 uint8_t decrypted[8192]; 1652 uint8_t sigbn[8192]; 1653 uint8_t prefix[64]; 1654 size_t keysize; 1655 1656 keysize = BITS_TO_BYTES(pubkey->bn[RSA_N].bits); 1657 BN_bn2bin(bn[RSA_SIG].bn, sigbn); 1658 decryptc = pgpv_rsa_public_decrypt(decrypted, sigbn, BITS_TO_BYTES(bn[RSA_SIG].bits), pubkey); 1659 if (decryptc != keysize || (decrypted[0] != 0 || decrypted[1] != 1)) { 1660 return 0; 1661 } 1662 if ((prefixlen = digest_get_prefix((unsigned)hashalg, prefix, sizeof(prefix))) == 0) { 1663 printf("rsa_verify: unknown hash algorithm: %d\n", hashalg); 1664 return 0; 1665 } 1666 for (i = 2 ; i < keysize - prefixlen - calclen - 1 ; i++) { 1667 if (decrypted[i] != 0xff) { 1668 return 0; 1669 } 1670 } 1671 if (decrypted[i++] != 0x0) { 1672 return 0; 1673 } 1674 if (memcmp(&decrypted[i], prefix, prefixlen) != 0) { 1675 printf("rsa_verify: wrong hash algorithm\n"); 1676 return 0; 1677 } 1678 return memcmp(&decrypted[i + prefixlen], calculated, calclen) == 0; 1679 } 1680 1681 /* return 1 if bn <= 0 */ 1682 static int 1683 bignum_is_bad(BIGNUM *bn) 1684 { 1685 return BN_is_zero(bn) || BN_is_negative(bn); 1686 } 1687 1688 #define BAD_BIGNUM(s, k) \ 1689 (bignum_is_bad((s)->bn) || BN_cmp((s)->bn, (k)->bn) >= 0) 1690 1691 #ifndef DSA_MAX_MODULUS_BITS 1692 #define DSA_MAX_MODULUS_BITS 10000 1693 #endif 1694 1695 /* verify DSA signature */ 1696 static int 1697 verify_dsa_sig(uint8_t *calculated, unsigned calclen, pgpv_bignum_t *sig, pgpv_pubkey_t *pubkey) 1698 { 1699 unsigned qbits; 1700 uint8_t calcnum[128]; 1701 uint8_t signum[128]; 1702 BIGNUM *M; 1703 BIGNUM *W; 1704 BIGNUM *t1; 1705 int ret; 1706 1707 if (pubkey->bn[DSA_P].bn == NULL || 1708 pubkey->bn[DSA_Q].bn == NULL || 1709 pubkey->bn[DSA_G].bn == NULL) { 1710 return 0; 1711 } 1712 M = W = t1 = NULL; 1713 qbits = pubkey->bn[DSA_Q].bits; 1714 switch(qbits) { 1715 case 160: 1716 case 224: 1717 case 256: 1718 break; 1719 default: 1720 printf("dsa: bad # of Q bits\n"); 1721 return 0; 1722 } 1723 if (pubkey->bn[DSA_P].bits > DSA_MAX_MODULUS_BITS) { 1724 printf("dsa: p too large\n"); 1725 return 0; 1726 } 1727 if (calclen > SHA256_DIGEST_LENGTH) { 1728 printf("dsa: digest too long\n"); 1729 return 0; 1730 } 1731 ret = 0; 1732 if ((M = BN_new()) == NULL || (W = BN_new()) == NULL || (t1 = BN_new()) == NULL || 1733 BAD_BIGNUM(&sig[DSA_R], &pubkey->bn[DSA_Q]) || 1734 BAD_BIGNUM(&sig[DSA_S], &pubkey->bn[DSA_Q]) || 1735 BN_mod_inverse(W, sig[DSA_S].bn, pubkey->bn[DSA_Q].bn, NULL) == NULL) { 1736 goto done; 1737 } 1738 if (calclen > qbits / 8) { 1739 calclen = qbits / 8; 1740 } 1741 if (BN_bin2bn(calculated, (int)calclen, M) == NULL || 1742 !BN_mod_mul(M, M, W, pubkey->bn[DSA_Q].bn, NULL) || 1743 !BN_mod_mul(W, sig[DSA_R].bn, W, pubkey->bn[DSA_Q].bn, NULL) || 1744 !BN_mod_exp(t1, pubkey->bn[DSA_G].bn, M, pubkey->bn[DSA_P].bn, NULL) || 1745 !BN_mod_exp(W, pubkey->bn[DSA_Y].bn, W, pubkey->bn[DSA_P].bn, NULL) || 1746 !BN_mod_mul(t1, t1, W, pubkey->bn[DSA_P].bn, NULL) || 1747 !BN_div(NULL, t1, t1, pubkey->bn[DSA_Q].bn, NULL)) { 1748 goto done; 1749 } 1750 /* only compare the first q bits */ 1751 BN_bn2bin(t1, calcnum); 1752 BN_bn2bin(sig[DSA_R].bn, signum); 1753 ret = memcmp(calcnum, signum, BITS_TO_BYTES(qbits)) == 0; 1754 done: 1755 if (M) { 1756 BN_free(M); 1757 } 1758 if (W) { 1759 BN_free(W); 1760 } 1761 if (t1) { 1762 BN_free(t1); 1763 } 1764 return ret; 1765 } 1766 1767 #define TIME_SNPRINTF(_cc, _buf, _size, _fmt, _val) do { \ 1768 time_t _t; \ 1769 char *_s; \ 1770 \ 1771 _t = _val; \ 1772 _s = ctime(&_t); \ 1773 _cc += snprintf(_buf, _size, _fmt, _s); \ 1774 } while(/*CONSTCOND*/0) 1775 1776 /* check dates on signature and key are valid */ 1777 static size_t 1778 valid_dates(pgpv_signature_t *signature, pgpv_pubkey_t *pubkey, char *buf, size_t size) 1779 { 1780 time_t now; 1781 time_t t; 1782 size_t cc; 1783 1784 cc = 0; 1785 if (signature->birth < pubkey->birth) { 1786 TIME_SNPRINTF(cc, buf, size, "Signature time (%.24s) was before pubkey creation ", signature->birth); 1787 TIME_SNPRINTF(cc, &buf[cc], size - cc, "(%s)\n", pubkey->birth); 1788 return cc; 1789 } 1790 now = time(NULL); 1791 if (signature->expiry != 0) { 1792 if ((t = signature->birth + signature->expiry) < now) { 1793 TIME_SNPRINTF(cc, buf, size, "Signature expired on %.24s\n", t); 1794 return cc; 1795 } 1796 } 1797 if (now < signature->birth) { 1798 TIME_SNPRINTF(cc, buf, size, "Signature not valid before %.24s\n", signature->birth); 1799 return cc; 1800 } 1801 return 0; 1802 } 1803 1804 /* check if the signing key has expired */ 1805 static int 1806 key_expired(pgpv_pubkey_t *pubkey, char *buf, size_t size) 1807 { 1808 time_t now; 1809 time_t t; 1810 size_t cc; 1811 1812 now = time(NULL); 1813 cc = 0; 1814 if (pubkey->expiry != 0) { 1815 if ((t = pubkey->birth + pubkey->expiry) < now) { 1816 TIME_SNPRINTF(cc, buf, size, "Pubkey expired on %.24s\n", t); 1817 return (int)cc; 1818 } 1819 } 1820 if (now < pubkey->birth) { 1821 TIME_SNPRINTF(cc, buf, size, "Pubkey not valid before %.24s\n", pubkey->birth); 1822 return (int)cc; 1823 } 1824 return 0; 1825 } 1826 1827 /* find the leading onepass packet */ 1828 static size_t 1829 find_onepass(pgpv_cursor_t *cursor, size_t datastart) 1830 { 1831 size_t pkt; 1832 1833 for (pkt = datastart ; pkt < ARRAY_COUNT(cursor->pgp->pkts) ; pkt++) { 1834 if (ARRAY_ELEMENT(cursor->pgp->pkts, pkt).tag == ONEPASS_SIGNATURE_PKT) { 1835 return pkt + 1; 1836 } 1837 } 1838 snprintf(cursor->why, sizeof(cursor->why), "No signature to verify"); 1839 return 0; 1840 } 1841 1842 static const char *armor_begins[] = { 1843 "-----BEGIN PGP SIGNED MESSAGE-----\n", 1844 "-----BEGIN PGP MESSAGE-----\n", 1845 NULL 1846 }; 1847 1848 /* return non-zero if the buf introduces an armored message */ 1849 static int 1850 is_armored(const char *buf, size_t size) 1851 { 1852 const char **arm; 1853 const char *nl; 1854 size_t n; 1855 1856 if ((nl = memchr(buf, '\n', size)) == NULL) { 1857 return 0; 1858 } 1859 n = (size_t)(nl - buf); 1860 for (arm = armor_begins ; *arm ; arm++) { 1861 if (strncmp(buf, *arm, n) == 0) { 1862 return 1; 1863 } 1864 } 1865 return 0; 1866 } 1867 1868 /* find first occurrence of pat binary string in block */ 1869 static void * 1870 find_bin_string(const void *blockarg, size_t blen, const void *pat, size_t plen) 1871 { 1872 const uint8_t *block; 1873 const uint8_t *bp; 1874 1875 if (plen == 0) { 1876 return __UNCONST(blockarg); 1877 } 1878 if (blen < plen) { 1879 return NULL; 1880 } 1881 for (bp = block = blockarg ; (size_t)(bp - block) < blen - plen + 1 ; bp++) { 1882 if (memcmp(bp, pat, plen) == 0) { 1883 return __UNCONST(bp); 1884 } 1885 } 1886 return NULL; 1887 } 1888 1889 #define SIGSTART "-----BEGIN PGP SIGNATURE-----\n" 1890 #define SIGEND "-----END PGP SIGNATURE-----\n" 1891 1892 /* for ascii armor, we don't get a onepass packet - make one */ 1893 static const char *cons_onepass = "\304\015\003\0\0\0\0\377\377\377\377\377\377\377\377\1"; 1894 1895 /* read ascii armor */ 1896 static int 1897 read_ascii_armor(pgpv_cursor_t *cursor, pgpv_mem_t *mem, const char *filename) 1898 { 1899 pgpv_onepass_t *onepass; 1900 pgpv_sigpkt_t *sigpkt; 1901 pgpv_pkt_t litdata; 1902 uint8_t binsig[8192]; 1903 uint8_t *datastart; 1904 uint8_t *sigend; 1905 uint8_t *p; 1906 size_t binsigsize; 1907 1908 /* cons up litdata pkt */ 1909 memset(&litdata, 0x0, sizeof(litdata)); 1910 litdata.u.litdata.mem = ARRAY_COUNT(cursor->pgp->areas) - 1; 1911 p = mem->mem; 1912 /* jump over signed message line */ 1913 if ((p = find_bin_string(mem->mem, mem->size, "\n\n", 2)) == NULL) { 1914 snprintf(cursor->why, sizeof(cursor->why), "malformed armor at offset 0"); 1915 return 0; 1916 } 1917 p += 2; 1918 litdata.tag = LITDATA_PKT; 1919 litdata.s.data = p; 1920 litdata.u.litdata.offset = (size_t)(p - mem->mem); 1921 litdata.u.litdata.filename = (uint8_t *)strdup(filename); 1922 if ((p = find_bin_string(datastart = p, mem->size - litdata.offset, SIGSTART, strlen(SIGSTART))) == NULL) { 1923 snprintf(cursor->why, sizeof(cursor->why), 1924 "malformed armor - no sig - at %zu", (size_t)(p - mem->mem)); 1925 return 0; 1926 } 1927 litdata.u.litdata.len = litdata.s.size = (size_t)(p - datastart); 1928 p += strlen(SIGSTART); 1929 if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) { 1930 snprintf(cursor->why, sizeof(cursor->why), 1931 "malformed armed signature at %zu", (size_t)(p - mem->mem)); 1932 return 0; 1933 } 1934 p += 2; 1935 sigend = find_bin_string(p, mem->size, SIGEND, strlen(SIGEND)); 1936 binsigsize = b64decode((char *)p, (size_t)(sigend - p), binsig, sizeof(binsig)); 1937 1938 read_binary_memory(cursor->pgp, "signature", cons_onepass, 15); 1939 ARRAY_APPEND(cursor->pgp->pkts, litdata); 1940 read_binary_memory(cursor->pgp, "signature", binsig, binsigsize - 3); 1941 /* XXX - hardwired - 3 is format and length */ 1942 1943 /* fix up packets in the packet array now we have them there */ 1944 onepass = &ARRAY_ELEMENT(cursor->pgp->pkts, ARRAY_COUNT(cursor->pgp->pkts) - 1 - 2).u.onepass; 1945 sigpkt = &ARRAY_LAST(cursor->pgp->pkts).u.sigpkt; 1946 memcpy(onepass->keyid, sigpkt->sig.signer, sizeof(onepass->keyid)); 1947 onepass->hashalg = sigpkt->sig.hashalg; 1948 onepass->keyalg = sigpkt->sig.keyalg; 1949 return 1; 1950 } 1951 1952 /* read ascii armor from a file */ 1953 static int 1954 read_ascii_armor_file(pgpv_cursor_t *cursor, const char *filename) 1955 { 1956 /* cons up litdata pkt */ 1957 read_file(cursor->pgp, filename); 1958 return read_ascii_armor(cursor, &ARRAY_LAST(cursor->pgp->areas), filename); 1959 } 1960 1961 /* read ascii armor from memory */ 1962 static int 1963 read_ascii_armor_memory(pgpv_cursor_t *cursor, const void *p, size_t size) 1964 { 1965 pgpv_mem_t *mem; 1966 1967 /* cons up litdata pkt */ 1968 ARRAY_EXPAND(cursor->pgp->areas); 1969 ARRAY_COUNT(cursor->pgp->areas) += 1; 1970 mem = &ARRAY_LAST(cursor->pgp->areas); 1971 memset(mem, 0x0, sizeof(*mem)); 1972 mem->size = size; 1973 mem->mem = __UNCONST(p); 1974 mem->dealloc = 0; 1975 return read_ascii_armor(cursor, mem, "[stdin]"); 1976 } 1977 1978 /* set up the data to verify */ 1979 static int 1980 setup_data(pgpv_cursor_t *cursor, pgpv_t *pgp, const void *p, ssize_t size) 1981 { 1982 FILE *fp; 1983 char buf[BUFSIZ]; 1984 1985 if (cursor == NULL || pgp == NULL || p == NULL) { 1986 return 0; 1987 } 1988 memset(cursor, 0x0, sizeof(*cursor)); 1989 ARRAY_APPEND(pgp->datastarts, pgp->pkt); 1990 cursor->pgp = pgp; 1991 if (size < 0) { 1992 /* we have a file name in p */ 1993 if ((fp = fopen(p, "r")) == NULL) { 1994 snprintf(cursor->why, sizeof(cursor->why), "No such file '%s'", (const char *)p); 1995 return 0; 1996 } 1997 if (fgets(buf, (int)sizeof(buf), fp) == NULL) { 1998 fclose(fp); 1999 snprintf(cursor->why, sizeof(cursor->why), "can't read file '%s'", (const char *)p); 2000 return 0; 2001 } 2002 if (is_armored(buf, sizeof(buf))) { 2003 read_ascii_armor_file(cursor, p); 2004 } else { 2005 read_binary_file(pgp, "signature", "%s", (const char *)p); 2006 } 2007 fclose(fp); 2008 } else { 2009 if (is_armored(p, (size_t)size)) { 2010 read_ascii_armor_memory(cursor, p, (size_t)size); 2011 } else { 2012 read_binary_memory(pgp, "signature", p, (size_t)size); 2013 } 2014 } 2015 return 1; 2016 } 2017 2018 /* get the data and size from litdata packet */ 2019 static uint8_t * 2020 get_literal_data(pgpv_cursor_t *cursor, pgpv_litdata_t *litdata, size_t *size) 2021 { 2022 pgpv_mem_t *mem; 2023 2024 if (litdata->s.data == NULL && litdata->s.size == 0) { 2025 mem = &ARRAY_ELEMENT(cursor->pgp->areas, litdata->mem); 2026 *size = litdata->len; 2027 return &mem->mem[litdata->offset]; 2028 } 2029 *size = litdata->s.size; 2030 return litdata->s.data; 2031 } 2032 2033 /* 2034 RFC 4880 describes the structure of v4 keys as: 2035 2036 Primary-Key 2037 [Revocation Self Signature] 2038 [Direct Key Signature...] 2039 User ID [Signature ...] 2040 [User ID [Signature ...] ...] 2041 [User Attribute [Signature ...] ...] 2042 [[Subkey [Binding-Signature-Revocation] 2043 Primary-Key-Binding-Signature] ...] 2044 2045 and that's implemented below as a recursive descent parser. 2046 It has had to be modified, though: see the comment 2047 2048 some keys out there have user ids where they shouldn't 2049 2050 to look like: 2051 2052 Primary-Key 2053 [Revocation Self Signature] 2054 [Direct Key Signature...] 2055 [User ID [Signature ...] 2056 [User ID [Signature ...] ...] 2057 [User Attribute [Signature ...] ...] 2058 [Subkey [Binding-Signature-Revocation] 2059 Primary-Key-Binding-Signature] ...] 2060 2061 to accommodate keyrings set up by gpg 2062 */ 2063 2064 /* recognise a primary key */ 2065 static int 2066 recog_primary_key(pgpv_t *pgp, pgpv_primarykey_t *primary) 2067 { 2068 pgpv_signed_userattr_t userattr; 2069 pgpv_signed_userid_t userid; 2070 pgpv_signed_subkey_t subkey; 2071 pgpv_signature_t signature; 2072 pgpv_pkt_t *pkt; 2073 2074 pkt = &ARRAY_ELEMENT(pgp->pkts, pgp->pkt); 2075 memset(primary, 0x0, sizeof(*primary)); 2076 read_pubkey(&primary->primary, pkt->s.data, pkt->s.size, 0); 2077 pgp->pkt += 1; 2078 if (pkt_sigtype_is(pgp, SIGTYPE_KEY_REVOCATION)) { 2079 if (!recog_signature(pgp, &primary->revoc_self_sig)) { 2080 printf("recog_primary_key: no signature/trust at PGPV_SIGTYPE_KEY_REVOCATION\n"); 2081 return 0; 2082 } 2083 } 2084 while (pkt_sigtype_is(pgp, SIGTYPE_DIRECT_KEY)) { 2085 if (!recog_signature(pgp, &signature)) { 2086 printf("recog_primary_key: no signature/trust at PGPV_SIGTYPE_DIRECT_KEY\n"); 2087 return 0; 2088 } 2089 if (signature.keyexpiry) { 2090 /* XXX - check it's a good key expiry */ 2091 primary->primary.expiry = signature.keyexpiry; 2092 } 2093 ARRAY_APPEND(primary->direct_sigs, signature); 2094 } 2095 /* some keys out there have user ids where they shouldn't */ 2096 do { 2097 if (!recog_userid(pgp, &userid)) { 2098 printf("recog_primary_key: not userid\n"); 2099 return 0; 2100 } 2101 ARRAY_APPEND(primary->signed_userids, userid); 2102 if (userid.primary_userid) { 2103 primary->primary_userid = ARRAY_COUNT(primary->signed_userids) - 1; 2104 } 2105 while (pkt_is(pgp, USERID_PKT)) { 2106 if (!recog_userid(pgp, &userid)) { 2107 printf("recog_primary_key: not signed secondary userid\n"); 2108 return 0; 2109 } 2110 ARRAY_APPEND(primary->signed_userids, userid); 2111 if (userid.primary_userid) { 2112 primary->primary_userid = ARRAY_COUNT(primary->signed_userids) - 1; 2113 } 2114 } 2115 while (pkt_is(pgp, USER_ATTRIBUTE_PKT)) { 2116 if (!recog_userattr(pgp, &userattr)) { 2117 printf("recog_primary_key: not signed user attribute\n"); 2118 return 0; 2119 } 2120 ARRAY_APPEND(primary->signed_userattrs, userattr); 2121 } 2122 while (pkt_is(pgp, PUB_SUBKEY_PKT)) { 2123 if (!recog_subkey(pgp, &subkey)) { 2124 printf("recog_primary_key: not signed public subkey\n"); 2125 return 0; 2126 } 2127 calc_keyid(&subkey.subkey, "sha1"); 2128 ARRAY_APPEND(primary->signed_subkeys, subkey); 2129 } 2130 } while (pgp->pkt < ARRAY_COUNT(pgp->pkts) && pkt_is(pgp, USERID_PKT)); 2131 primary->fmtsize = estimate_primarykey_size(primary); 2132 return 1; 2133 } 2134 2135 /* parse all of the packets for a given operation */ 2136 static int 2137 read_all_packets(pgpv_t *pgp, pgpv_mem_t *mem, const char *op) 2138 { 2139 pgpv_primarykey_t primary; 2140 2141 if (op == NULL) { 2142 return 0; 2143 } 2144 if (strcmp(pgp->op = op, "pubring") == 0) { 2145 mem->allowed = PUBRING_ALLOWED; 2146 /* pubrings have thousands of small packets */ 2147 ARRAY_EXPAND_SIZED(pgp->pkts, 0, 5000); 2148 } else if (strcmp(op, "signature") == 0) { 2149 mem->allowed = SIGNATURE_ALLOWED; 2150 } else { 2151 mem->allowed = ""; 2152 } 2153 for (mem->cc = 0; mem->cc < mem->size ; ) { 2154 if (!read_pkt(pgp, mem)) { 2155 return 0; 2156 } 2157 } 2158 if (strcmp(op, "pubring") == 0) { 2159 for (pgp->pkt = 0; pgp->pkt < ARRAY_COUNT(pgp->pkts) && recog_primary_key(pgp, &primary) ; ) { 2160 calc_keyid(&primary.primary, "sha1"); 2161 ARRAY_APPEND(pgp->primaries, primary); 2162 } 2163 if (pgp->pkt < ARRAY_COUNT(pgp->pkts)) { 2164 printf("short pubring recognition???\n"); 2165 } 2166 } 2167 pgp->pkt = ARRAY_COUNT(pgp->pkts); 2168 return 1; 2169 } 2170 2171 /* create a filename, read it, and then parse according to "op" */ 2172 static int 2173 read_binary_file(pgpv_t *pgp, const char *op, const char *fmt, ...) 2174 { 2175 va_list args; 2176 char buf[1024]; 2177 2178 va_start(args, fmt); 2179 vsnprintf(buf, sizeof(buf), fmt, args); 2180 va_end(args); 2181 if (!read_file(pgp, buf)) { 2182 return 0; 2183 } 2184 return read_all_packets(pgp, &ARRAY_LAST(pgp->areas), op); 2185 } 2186 2187 /* get a bignum from the buffer gap */ 2188 static int 2189 getbignum(pgpv_bignum_t *bignum, bufgap_t *bg, char *buf, const char *header) 2190 { 2191 uint32_t len; 2192 2193 (void) bufgap_getbin(bg, &len, sizeof(len)); 2194 len = pgp_ntoh32(len); 2195 (void) bufgap_seek(bg, sizeof(len), BGFromHere, BGByte); 2196 (void) bufgap_getbin(bg, buf, len); 2197 bignum->bn = BN_bin2bn((const uint8_t *)buf, (int)len, NULL); 2198 bignum->bits = BN_num_bits(bignum->bn); 2199 (void) bufgap_seek(bg, len, BGFromHere, BGByte); 2200 return 1; 2201 } 2202 2203 /* structure for searching for constant strings */ 2204 typedef struct str_t { 2205 const char *s; /* string */ 2206 size_t len; /* its length */ 2207 int type; /* return type */ 2208 } str_t; 2209 2210 static str_t pkatypes[] = { 2211 { "ssh-rsa", 7, PUBKEY_RSA_SIGN }, 2212 { "ssh-dss", 7, PUBKEY_DSA }, 2213 { "ssh-dsa", 7, PUBKEY_DSA }, 2214 { NULL, 0, 0 } 2215 }; 2216 2217 /* look for a string in the given array */ 2218 static int 2219 findstr(str_t *array, const char *name) 2220 { 2221 str_t *sp; 2222 2223 for (sp = array ; sp->s ; sp++) { 2224 if (strncmp(name, sp->s, sp->len) == 0) { 2225 return sp->type; 2226 } 2227 } 2228 return -1; 2229 } 2230 2231 /* read public key from the ssh pubkey file */ 2232 static __printflike(3, 4) int 2233 read_ssh_file(pgpv_t *pgp, pgpv_primarykey_t *primary, const char *fmt, ...) 2234 { 2235 pgpv_signed_userid_t userid; 2236 pgpv_pubkey_t *pubkey; 2237 struct stat st; 2238 bufgap_t bg; 2239 uint32_t len; 2240 int64_t off; 2241 va_list args; 2242 char hostname[256]; 2243 char owner[256]; 2244 char *space; 2245 char *buf; 2246 char *bin; 2247 char f[1024]; 2248 int ok; 2249 int cc; 2250 2251 memset(primary, 0x0, sizeof(*primary)); 2252 (void) memset(&bg, 0x0, sizeof(bg)); 2253 va_start(args, fmt); 2254 vsnprintf(f, sizeof(f), fmt, args); 2255 va_end(args); 2256 if (!bufgap_open(&bg, f)) { 2257 (void) fprintf(stderr, "pgp_ssh2pubkey: can't open '%s'\n", f); 2258 return 0; 2259 } 2260 (void)stat(f, &st); 2261 if ((buf = calloc(1, (size_t)st.st_size)) == NULL) { 2262 (void) fprintf(stderr, "can't calloc %zu bytes for '%s'\n", (size_t)st.st_size, f); 2263 bufgap_close(&bg); 2264 return 0; 2265 } 2266 if ((bin = calloc(1, (size_t)st.st_size)) == NULL) { 2267 (void) fprintf(stderr, "can't calloc %zu bytes for '%s'\n", (size_t)st.st_size, f); 2268 (void) free(buf); 2269 bufgap_close(&bg); 2270 return 0; 2271 } 2272 2273 /* move past ascii type of key */ 2274 while (bufgap_peek(&bg, 0) != ' ') { 2275 if (!bufgap_seek(&bg, 1, BGFromHere, BGByte)) { 2276 (void) fprintf(stderr, "bad key file '%s'\n", f); 2277 (void) free(buf); 2278 bufgap_close(&bg); 2279 return 0; 2280 } 2281 } 2282 if (!bufgap_seek(&bg, 1, BGFromHere, BGByte)) { 2283 (void) fprintf(stderr, "bad key file '%s'\n", f); 2284 (void) free(buf); 2285 bufgap_close(&bg); 2286 return 0; 2287 } 2288 off = bufgap_tell(&bg, BGFromBOF, BGByte); 2289 2290 if (bufgap_size(&bg, BGByte) - off < 10) { 2291 (void) fprintf(stderr, "bad key file '%s'\n", f); 2292 (void) free(buf); 2293 bufgap_close(&bg); 2294 return 0; 2295 } 2296 2297 /* convert from base64 to binary */ 2298 cc = bufgap_getbin(&bg, buf, (size_t)bg.bcc); 2299 if ((space = strchr(buf, ' ')) != NULL) { 2300 cc = (int)(space - buf); 2301 } 2302 cc = frombase64(bin, buf, (size_t)cc, 0); 2303 bufgap_delete(&bg, (uint64_t)bufgap_tell(&bg, BGFromEOF, BGByte)); 2304 bufgap_insert(&bg, bin, cc); 2305 bufgap_seek(&bg, off, BGFromBOF, BGByte); 2306 2307 /* get the type of key */ 2308 (void) bufgap_getbin(&bg, &len, sizeof(len)); 2309 len = pgp_ntoh32(len); 2310 if (len >= st.st_size) { 2311 (void) fprintf(stderr, "bad public key file '%s'\n", f); 2312 return 0; 2313 } 2314 (void) bufgap_seek(&bg, sizeof(len), BGFromHere, BGByte); 2315 (void) bufgap_getbin(&bg, buf, len); 2316 (void) bufgap_seek(&bg, len, BGFromHere, BGByte); 2317 2318 pubkey = &primary->primary; 2319 pubkey->hashalg = digest_get_alg("sha256"); /* gets fixed up later */ 2320 pubkey->version = 4; 2321 pubkey->birth = 0; /* gets fixed up later */ 2322 /* get key type */ 2323 ok = 1; 2324 switch (pubkey->keyalg = findstr(pkatypes, buf)) { 2325 case PUBKEY_RSA_ENCRYPT_OR_SIGN: 2326 case PUBKEY_RSA_SIGN: 2327 getbignum(&pubkey->bn[RSA_E], &bg, buf, "RSA E"); 2328 getbignum(&pubkey->bn[RSA_N], &bg, buf, "RSA N"); 2329 break; 2330 case PUBKEY_DSA: 2331 getbignum(&pubkey->bn[DSA_P], &bg, buf, "DSA P"); 2332 getbignum(&pubkey->bn[DSA_Q], &bg, buf, "DSA Q"); 2333 getbignum(&pubkey->bn[DSA_G], &bg, buf, "DSA G"); 2334 getbignum(&pubkey->bn[DSA_Y], &bg, buf, "DSA Y"); 2335 break; 2336 default: 2337 (void) fprintf(stderr, "Unrecognised pubkey type %d for '%s'\n", 2338 pubkey->keyalg, f); 2339 ok = 0; 2340 break; 2341 } 2342 2343 /* check for stragglers */ 2344 if (ok && bufgap_tell(&bg, BGFromEOF, BGByte) > 0) { 2345 printf("%"PRIi64" bytes left\n", bufgap_tell(&bg, BGFromEOF, BGByte)); 2346 printf("[%s]\n", bufgap_getstr(&bg)); 2347 ok = 0; 2348 } 2349 if (ok) { 2350 memset(&userid, 0x0, sizeof(userid)); 2351 (void) gethostname(hostname, sizeof(hostname)); 2352 if (strlen(space + 1) - 1 == 0) { 2353 (void) snprintf(owner, sizeof(owner), "<root@%s>", 2354 hostname); 2355 } else { 2356 (void) snprintf(owner, sizeof(owner), "<%.*s>", 2357 (int)strlen(space + 1) - 1, 2358 space + 1); 2359 } 2360 calc_keyid(pubkey, "sha1"); 2361 userid.userid.size = asprintf((char **)(void *)&userid.userid.data, 2362 "%s (%s) %s", 2363 hostname, 2364 f, 2365 owner); 2366 ARRAY_APPEND(primary->signed_userids, userid); 2367 primary->fmtsize = estimate_primarykey_size(primary) + 1024; 2368 } 2369 (void) free(bin); 2370 (void) free(buf); 2371 bufgap_close(&bg); 2372 return ok; 2373 } 2374 2375 /* parse memory according to "op" */ 2376 static int 2377 read_binary_memory(pgpv_t *pgp, const char *op, const void *memory, size_t size) 2378 { 2379 pgpv_mem_t *mem; 2380 2381 ARRAY_EXPAND(pgp->areas); 2382 ARRAY_COUNT(pgp->areas) += 1; 2383 mem = &ARRAY_LAST(pgp->areas); 2384 memset(mem, 0x0, sizeof(*mem)); 2385 mem->size = size; 2386 mem->mem = __UNCONST(memory); 2387 mem->dealloc = 0; 2388 return read_all_packets(pgp, mem, op); 2389 } 2390 2391 /* fixup the detached signature packets */ 2392 static int 2393 fixup_detached(pgpv_cursor_t *cursor, const char *f) 2394 { 2395 pgpv_onepass_t *onepass; 2396 const char *dot; 2397 pgpv_pkt_t sigpkt; 2398 pgpv_pkt_t litdata; 2399 pgpv_mem_t *mem; 2400 size_t el; 2401 char original[MAXPATHLEN]; 2402 2403 /* cons up litdata pkt */ 2404 if ((dot = strrchr(f, '.')) == NULL || strcasecmp(dot, ".sig") != 0) { 2405 printf("weird filename '%s'\n", f); 2406 return 0; 2407 } 2408 /* hold sigpkt in a temp var while we insert onepass and litdata */ 2409 el = ARRAY_COUNT(cursor->pgp->pkts) - 1; 2410 sigpkt = ARRAY_ELEMENT(cursor->pgp->pkts, el); 2411 ARRAY_DELETE(cursor->pgp->pkts, el); 2412 ARRAY_EXPAND(cursor->pgp->pkts); 2413 /* get onepass packet, append to packets */ 2414 read_binary_memory(cursor->pgp, "signature", cons_onepass, 15); 2415 onepass = &ARRAY_ELEMENT(cursor->pgp->pkts, el).u.onepass; 2416 /* read the original file into litdata */ 2417 snprintf(original, sizeof(original), "%.*s", (int)(dot - f), f); 2418 if (!read_file(cursor->pgp, original)) { 2419 printf("can't read file '%s'\n", original); 2420 return 0; 2421 } 2422 memset(&litdata, 0x0, sizeof(litdata)); 2423 mem = &ARRAY_LAST(cursor->pgp->areas); 2424 litdata.tag = LITDATA_PKT; 2425 litdata.s.data = mem->mem; 2426 litdata.u.litdata.format = LITDATA_BINARY; 2427 litdata.u.litdata.offset = 0; 2428 litdata.u.litdata.filename = (uint8_t *)strdup(original); 2429 litdata.u.litdata.mem = ARRAY_COUNT(cursor->pgp->areas) - 1; 2430 litdata.u.litdata.len = litdata.s.size = mem->size; 2431 ARRAY_APPEND(cursor->pgp->pkts, litdata); 2432 ARRAY_APPEND(cursor->pgp->pkts, sigpkt); 2433 memcpy(onepass->keyid, sigpkt.u.sigpkt.sig.signer, sizeof(onepass->keyid)); 2434 onepass->hashalg = sigpkt.u.sigpkt.sig.hashalg; 2435 onepass->keyalg = sigpkt.u.sigpkt.sig.keyalg; 2436 return 1; 2437 } 2438 2439 /* match the calculated signature against the oen in the signature packet */ 2440 static int 2441 match_sig(pgpv_cursor_t *cursor, pgpv_signature_t *signature, pgpv_pubkey_t *pubkey, uint8_t *data, size_t size) 2442 { 2443 unsigned calclen; 2444 uint8_t calculated[64]; 2445 int match; 2446 2447 calclen = pgpv_digest_memory(calculated, sizeof(calculated), 2448 data, size, 2449 get_ref(&signature->hashstart), signature->hashlen, 2450 (signature->type == SIGTYPE_TEXT) ? 't' : 'b'); 2451 if (ALG_IS_RSA(signature->keyalg)) { 2452 match = rsa_verify(calculated, calclen, signature->hashalg, signature->bn, pubkey); 2453 } else if (ALG_IS_DSA(signature->keyalg)) { 2454 match = verify_dsa_sig(calculated, calclen, signature->bn, pubkey); 2455 } else { 2456 snprintf(cursor->why, sizeof(cursor->why), "Signature type %u not recognised", signature->keyalg); 2457 return 0; 2458 } 2459 if (!match && signature->type == SIGTYPE_TEXT) { 2460 /* second try for cleartext data, ignoring trailing whitespace */ 2461 calclen = pgpv_digest_memory(calculated, sizeof(calculated), 2462 data, size, 2463 get_ref(&signature->hashstart), signature->hashlen, 'w'); 2464 if (ALG_IS_RSA(signature->keyalg)) { 2465 match = rsa_verify(calculated, calclen, signature->hashalg, signature->bn, pubkey); 2466 } else if (ALG_IS_DSA(signature->keyalg)) { 2467 match = verify_dsa_sig(calculated, calclen, signature->bn, pubkey); 2468 } 2469 } 2470 if (!match) { 2471 snprintf(cursor->why, sizeof(cursor->why), "Signature on data did not match"); 2472 return 0; 2473 } 2474 if (valid_dates(signature, pubkey, cursor->why, sizeof(cursor->why)) > 0) { 2475 return 0; 2476 } 2477 if (key_expired(pubkey, cursor->why, sizeof(cursor->why))) { 2478 return 0; 2479 } 2480 if (signature->revoked) { 2481 snprintf(cursor->why, sizeof(cursor->why), "Signature was revoked"); 2482 return 0; 2483 } 2484 return 1; 2485 } 2486 2487 /* check return value from getenv */ 2488 static const char * 2489 nonnull_getenv(const char *key) 2490 { 2491 char *value; 2492 2493 return ((value = getenv(key)) == NULL) ? "" : value; 2494 } 2495 2496 /************************************************************************/ 2497 /* start of exported functions */ 2498 /************************************************************************/ 2499 2500 /* close all stuff */ 2501 int 2502 pgpv_close(pgpv_t *pgp) 2503 { 2504 unsigned i; 2505 2506 if (pgp == NULL) { 2507 return 0; 2508 } 2509 for (i = 0 ; i < ARRAY_COUNT(pgp->areas) ; i++) { 2510 if (ARRAY_ELEMENT(pgp->areas, i).size > 0) { 2511 closemem(&ARRAY_ELEMENT(pgp->areas, i)); 2512 } 2513 } 2514 return 1; 2515 } 2516 2517 #define NO_SUBKEYS 0 2518 2519 /* return the formatted entry for the primary key desired */ 2520 size_t 2521 pgpv_get_entry(pgpv_t *pgp, unsigned ent, char **ret, const char *modifiers) 2522 { 2523 size_t cc; 2524 2525 if (ret == NULL || pgp == NULL || ent >= ARRAY_COUNT(pgp->primaries)) { 2526 return 0; 2527 } 2528 *ret = NULL; 2529 cc = ARRAY_ELEMENT(pgp->primaries, ent).fmtsize; 2530 if (modifiers == NULL || (strcasecmp(modifiers, "trust") != 0 && strcasecmp(modifiers, "subkeys") != 0)) { 2531 modifiers = "no-subkeys"; 2532 } 2533 if (strcasecmp(modifiers, "trust") == 0) { 2534 cc *= 2048; 2535 } 2536 if ((*ret = calloc(1, cc)) == NULL) { 2537 return 0; 2538 } 2539 return fmt_primary(*ret, cc, &ARRAY_ELEMENT(pgp->primaries, ent), modifiers); 2540 } 2541 2542 /* fixup key id, with birth, keyalg and hashalg value from signature */ 2543 static int 2544 fixup_ssh_keyid(pgpv_t *pgp, pgpv_signature_t *signature, const char *hashtype) 2545 { 2546 pgpv_pubkey_t *pubkey; 2547 unsigned i; 2548 2549 for (i = 0 ; i < ARRAY_COUNT(pgp->primaries) ; i++) { 2550 pubkey = &ARRAY_ELEMENT(pgp->primaries, i).primary; 2551 pubkey->keyalg = signature->keyalg; 2552 calc_keyid(pubkey, hashtype); 2553 } 2554 return 1; 2555 } 2556 2557 /* find key id */ 2558 static int 2559 find_keyid(pgpv_t *pgp, const char *strkeyid, uint8_t *keyid) 2560 { 2561 unsigned i; 2562 uint8_t binkeyid[PGPV_KEYID_LEN]; 2563 size_t off; 2564 size_t cmp; 2565 2566 if (strkeyid == NULL && keyid == NULL) { 2567 return 0; 2568 } 2569 if (strkeyid) { 2570 str_to_keyid(strkeyid, binkeyid); 2571 cmp = strlen(strkeyid) / 2; 2572 } else { 2573 memcpy(binkeyid, keyid, sizeof(binkeyid)); 2574 cmp = PGPV_KEYID_LEN; 2575 } 2576 off = PGPV_KEYID_LEN - cmp; 2577 for (i = 0 ; i < ARRAY_COUNT(pgp->primaries) ; i++) { 2578 if (memcmp(&ARRAY_ELEMENT(pgp->primaries, i).primary.keyid[off], &binkeyid[off], cmp) == 0) { 2579 return i; 2580 } 2581 } 2582 return -1; 2583 } 2584 2585 /* match the signature with the id indexed by 'primary' */ 2586 static int 2587 match_sig_id(pgpv_cursor_t *cursor, pgpv_signature_t *signature, pgpv_litdata_t *litdata, unsigned primary) 2588 { 2589 pgpv_pubkey_t *pubkey; 2590 uint8_t *data; 2591 size_t insize; 2592 2593 pubkey = &ARRAY_ELEMENT(cursor->pgp->primaries, primary).primary; 2594 cursor->sigtime = signature->birth; 2595 /* calc hash on data packet */ 2596 data = get_literal_data(cursor, litdata, &insize); 2597 return match_sig(cursor, signature, pubkey, data, insize); 2598 } 2599 2600 /* verify the signed packets we have */ 2601 size_t 2602 pgpv_verify(pgpv_cursor_t *cursor, pgpv_t *pgp, const void *p, ssize_t size) 2603 { 2604 pgpv_signature_t *signature; 2605 pgpv_onepass_t *onepass; 2606 pgpv_litdata_t *litdata; 2607 size_t pkt; 2608 char strkeyid[PGPV_STR_KEYID_LEN]; 2609 int j; 2610 2611 if (cursor == NULL || pgp == NULL || p == NULL) { 2612 return 0; 2613 } 2614 if (!setup_data(cursor, pgp, p, size)) { 2615 snprintf(cursor->why, sizeof(cursor->why), "No input data"); 2616 return 0; 2617 } 2618 if (ARRAY_COUNT(cursor->pgp->pkts) == ARRAY_LAST(cursor->pgp->datastarts) + 1) { 2619 /* got detached signature here */ 2620 if (!fixup_detached(cursor, p)) { 2621 snprintf(cursor->why, sizeof(cursor->why), "Can't read signed file '%s'", (const char *)p); 2622 return 0; 2623 } 2624 } 2625 if ((pkt = find_onepass(cursor, ARRAY_LAST(cursor->pgp->datastarts))) == 0) { 2626 snprintf(cursor->why, sizeof(cursor->why), "No signature found"); 2627 return 0; 2628 } 2629 pkt -= 1; 2630 onepass = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt).u.onepass; 2631 litdata = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt + 1).u.litdata; 2632 signature = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt + 2).u.sigpkt.sig; 2633 /* sanity check values in signature and onepass agree */ 2634 if (signature->birth == 0) { 2635 fmt_time(cursor->why, sizeof(cursor->why), "Signature creation time [", 2636 signature->birth, "] out of range", 0); 2637 return 0; 2638 } 2639 if (memcmp(onepass->keyid, signature->signer, PGPV_KEYID_LEN) != 0) { 2640 fmt_binary(strkeyid, sizeof(strkeyid), onepass->keyid, (unsigned)sizeof(onepass->keyid)); 2641 snprintf(cursor->why, sizeof(cursor->why), "Signature key id %s does not match onepass keyid", 2642 strkeyid); 2643 return 0; 2644 } 2645 if (onepass->hashalg != signature->hashalg) { 2646 snprintf(cursor->why, sizeof(cursor->why), "Signature hashalg %u does not match onepass hashalg %u", 2647 signature->hashalg, onepass->hashalg); 2648 return 0; 2649 } 2650 if (onepass->keyalg != signature->keyalg) { 2651 snprintf(cursor->why, sizeof(cursor->why), "Signature keyalg %u does not match onepass keyalg %u", 2652 signature->keyalg, onepass->keyalg); 2653 return 0; 2654 } 2655 if (cursor->pgp->ssh) { 2656 fixup_ssh_keyid(cursor->pgp, signature, "sha1"); 2657 } 2658 if (ARRAY_COUNT(cursor->pgp->primaries) == 1) { 2659 j = 0; 2660 } else if ((j = find_keyid(cursor->pgp, NULL, onepass->keyid)) < 0) { 2661 fmt_binary(strkeyid, sizeof(strkeyid), onepass->keyid, (unsigned)sizeof(onepass->keyid)); 2662 snprintf(cursor->why, sizeof(cursor->why), "Signature key id %s not found ", strkeyid); 2663 return 0; 2664 } 2665 if (!match_sig_id(cursor, signature, litdata, (unsigned)j)) { 2666 return 0; 2667 } 2668 ARRAY_APPEND(cursor->datacookies, pkt); 2669 ARRAY_APPEND(cursor->found, j); 2670 return pkt + 1; 2671 } 2672 2673 /* set up the pubkey keyring */ 2674 int 2675 pgpv_read_pubring(pgpv_t *pgp, const void *keyring, ssize_t size) 2676 { 2677 if (pgp == NULL) { 2678 return 0; 2679 } 2680 if (keyring) { 2681 return (size > 0) ? 2682 read_binary_memory(pgp, "pubring", keyring, (size_t)size) : 2683 read_binary_file(pgp, "pubring", "%s", (const char *)keyring); 2684 } 2685 return read_binary_file(pgp, "pubring", "%s/%s", nonnull_getenv("HOME"), ".gnupg/pubring.gpg"); 2686 } 2687 2688 /* set up the pubkey keyring from ssh pub key */ 2689 int 2690 pgpv_read_ssh_pubkeys(pgpv_t *pgp, const void *keyring, ssize_t size) 2691 { 2692 pgpv_primarykey_t primary; 2693 2694 if (pgp == NULL) { 2695 return 0; 2696 } 2697 if (keyring) { 2698 if (!read_ssh_file(pgp, &primary, "%s", (const char *)keyring)) { 2699 return 0; 2700 } 2701 } else if (!read_ssh_file(pgp, &primary, "%s/%s", nonnull_getenv("HOME"), ".ssh/id_rsa.pub")) { 2702 return 0; 2703 } 2704 ARRAY_APPEND(pgp->primaries, primary); 2705 pgp->ssh = 1; 2706 return 1; 2707 } 2708 2709 /* get verified data as a string, return its size */ 2710 size_t 2711 pgpv_get_verified(pgpv_cursor_t *cursor, size_t cookie, char **ret) 2712 { 2713 pgpv_litdata_t *litdata; 2714 uint8_t *data; 2715 size_t size; 2716 size_t pkt; 2717 2718 if (ret == NULL || cursor == NULL || cookie == 0) { 2719 return 0; 2720 } 2721 *ret = NULL; 2722 if ((pkt = find_onepass(cursor, cookie - 1)) == 0) { 2723 return 0; 2724 } 2725 litdata = &ARRAY_ELEMENT(cursor->pgp->pkts, pkt).u.litdata; 2726 data = get_literal_data(cursor, litdata, &size); 2727 if ((*ret = calloc(1, size)) == NULL) { 2728 return 0; 2729 } 2730 memcpy(*ret, data, size); 2731 return size; 2732 } 2733