1
by Marek Habersack
Import upstream version 1.10 |
1 |
/* pgp.c
|
2 |
*
|
|
3 |
* PGP related functions.
|
|
4 |
*/
|
|
5 |
||
6 |
/* nettle, low-level cryptographics library
|
|
7 |
*
|
|
8 |
* Copyright (C) 2001, 2002 Niels Möller
|
|
9 |
*
|
|
10 |
* The nettle library is free software; you can redistribute it and/or modify
|
|
11 |
* it under the terms of the GNU Lesser General Public License as published by
|
|
12 |
* the Free Software Foundation; either version 2.1 of the License, or (at your
|
|
13 |
* option) any later version.
|
|
14 |
*
|
|
15 |
* The nettle library is distributed in the hope that it will be useful, but
|
|
16 |
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
17 |
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
|
18 |
* License for more details.
|
|
19 |
*
|
|
20 |
* You should have received a copy of the GNU Lesser General Public License
|
|
21 |
* along with the nettle library; see the file COPYING.LIB. If not, write to
|
|
22 |
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
|
|
23 |
* MA 02111-1307, USA.
|
|
24 |
*/
|
|
25 |
||
26 |
#if HAVE_CONFIG_H
|
|
27 |
# include "config.h"
|
|
28 |
#endif
|
|
29 |
||
30 |
#include <assert.h> |
|
31 |
#include <stdlib.h> |
|
32 |
#include <string.h> |
|
33 |
||
34 |
#if HAVE_LIBGMP
|
|
35 |
# include "bignum.h"
|
|
36 |
# include "pgp.h"
|
|
37 |
#else /* !HAVE_LIBGMP */ |
|
38 |
/* Kludge to make it possible to include pgp.h */
|
|
39 |
# define mpz_t int
|
|
40 |
# include "pgp.h"
|
|
41 |
# undef mpz_t
|
|
42 |
#endif /* !HAVE_LIBGMP */ |
|
43 |
||
44 |
#if WITH_PUBLIC_KEY
|
|
45 |
# include "rsa.h"
|
|
46 |
#endif
|
|
47 |
||
48 |
#include "base64.h" |
|
49 |
#include "buffer.h" |
|
50 |
#include "macros.h" |
|
51 |
||
52 |
int
|
|
53 |
pgp_put_uint32(struct nettle_buffer *buffer, uint32_t i) |
|
54 |
{
|
|
55 |
uint8_t *p = nettle_buffer_space(buffer, 4); |
|
56 |
if (!p) |
|
57 |
return 0; |
|
58 |
||
59 |
WRITE_UINT32(p, i); |
|
60 |
return 1; |
|
61 |
}
|
|
62 |
||
63 |
int
|
|
64 |
pgp_put_uint16(struct nettle_buffer *buffer, unsigned i) |
|
65 |
{
|
|
66 |
uint8_t *p = nettle_buffer_space(buffer, 2); |
|
67 |
if (!p) |
|
68 |
return 0; |
|
69 |
||
70 |
WRITE_UINT16(p, i); |
|
71 |
return 1; |
|
72 |
}
|
|
73 |
||
74 |
#if HAVE_LIBGMP
|
|
75 |
int
|
|
76 |
pgp_put_mpi(struct nettle_buffer *buffer, const mpz_t x) |
|
77 |
{
|
|
78 |
unsigned bits = mpz_sizeinbase(x, 2); |
|
79 |
unsigned octets = (bits + 7) / 8; |
|
80 |
||
81 |
uint8_t *p; |
|
82 |
||
83 |
/* FIXME: What's the correct representation of zero? */
|
|
84 |
if (!pgp_put_uint16(buffer, bits)) |
|
85 |
return 0; |
|
86 |
||
87 |
p = nettle_buffer_space(buffer, octets); |
|
88 |
||
89 |
if (!p) |
|
90 |
return 0; |
|
91 |
||
92 |
nettle_mpz_get_str_256(octets, p, x); |
|
93 |
||
94 |
return 1; |
|
95 |
}
|
|
96 |
#endif
|
|
97 |
||
98 |
int
|
|
99 |
pgp_put_string(struct nettle_buffer *buffer, |
|
100 |
unsigned length, |
|
101 |
const uint8_t *s) |
|
102 |
{
|
|
103 |
return nettle_buffer_write(buffer, length, s); |
|
104 |
}
|
|
105 |
||
106 |
#if 0
|
|
107 |
static unsigned
|
|
108 |
length_field(unsigned length)
|
|
109 |
{
|
|
110 |
if (length < PGP_LENGTH_TWO_OCTET)
|
|
111 |
return 1;
|
|
112 |
else if (length < PGP_LENGTH_FOUR_OCTETS)
|
|
113 |
return 2;
|
|
114 |
else return 4;
|
|
115 |
}
|
|
116 |
#endif
|
|
117 |
||
118 |
/* bodyLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192
|
|
119 |
* ==> bodyLen - 192 + 192 << 8 = (1st_octet << 8) + (2nd_octet)
|
|
120 |
*/
|
|
121 |
||
122 |
#define LENGTH_TWO_OFFSET (192 * 255)
|
|
123 |
||
124 |
int
|
|
125 |
pgp_put_length(struct nettle_buffer *buffer, |
|
126 |
unsigned length) |
|
127 |
{
|
|
128 |
if (length < PGP_LENGTH_TWO_OCTETS) |
|
129 |
return NETTLE_BUFFER_PUTC(buffer, length); |
|
130 |
||
131 |
else if (length < PGP_LENGTH_FOUR_OCTETS) |
|
132 |
return pgp_put_uint16(buffer, length + LENGTH_TWO_OFFSET); |
|
133 |
else
|
|
134 |
return NETTLE_BUFFER_PUTC(buffer, 0xff) && pgp_put_uint32(buffer, length); |
|
135 |
}
|
|
136 |
||
137 |
/* Uses the "new" packet format */
|
|
138 |
int
|
|
139 |
pgp_put_header(struct nettle_buffer *buffer, |
|
140 |
unsigned tag, unsigned length) |
|
141 |
{
|
|
142 |
assert(tag < 0x40); |
|
143 |
||
144 |
return (NETTLE_BUFFER_PUTC(buffer, 0xC0 | tag) |
|
145 |
&& pgp_put_length(buffer, length)); |
|
146 |
}
|
|
147 |
||
148 |
/* FIXME: Should we abort or return error if the length and the field
|
|
149 |
* size don't match? */
|
|
150 |
void
|
|
151 |
pgp_put_header_length(struct nettle_buffer *buffer, |
|
152 |
/* start of the header */
|
|
153 |
unsigned start, |
|
154 |
unsigned field_size) |
|
155 |
{
|
|
156 |
unsigned length; |
|
157 |
switch (field_size) |
|
158 |
{
|
|
159 |
case 1: |
|
160 |
length = buffer->size - (start + 2); |
|
161 |
assert(length < PGP_LENGTH_TWO_OCTETS); |
|
162 |
buffer->contents[start + 1] = length; |
|
163 |
break; |
|
164 |
case 2: |
|
165 |
length = buffer->size - (start + 3); |
|
166 |
assert(length < PGP_LENGTH_FOUR_OCTETS |
|
167 |
&& length >= PGP_LENGTH_TWO_OCTETS); |
|
168 |
WRITE_UINT16(buffer->contents + start + 1, length + LENGTH_TWO_OFFSET); |
|
169 |
break; |
|
170 |
case 4: |
|
171 |
length = buffer->size - (start + 5); |
|
172 |
WRITE_UINT32(buffer->contents + start + 2, length); |
|
173 |
break; |
|
174 |
default: |
|
175 |
abort(); |
|
176 |
}
|
|
177 |
}
|
|
178 |
||
179 |
int
|
|
180 |
pgp_put_userid(struct nettle_buffer *buffer, |
|
181 |
unsigned length, |
|
182 |
const uint8_t *name) |
|
183 |
{
|
|
184 |
return (pgp_put_header(buffer, PGP_TAG_USERID, length) |
|
185 |
&& pgp_put_string(buffer, length, name)); |
|
186 |
}
|
|
187 |
||
188 |
unsigned
|
|
189 |
pgp_sub_packet_start(struct nettle_buffer *buffer) |
|
190 |
{
|
|
191 |
return nettle_buffer_space(buffer, 2) ? buffer->size : 0; |
|
192 |
}
|
|
193 |
||
194 |
int
|
|
195 |
pgp_put_sub_packet(struct nettle_buffer *buffer, |
|
196 |
unsigned type, |
|
197 |
unsigned length, |
|
198 |
const uint8_t *data) |
|
199 |
{
|
|
200 |
return (pgp_put_length(buffer, length + 1) |
|
201 |
&& NETTLE_BUFFER_PUTC(buffer, type) |
|
202 |
&& pgp_put_string(buffer, length, data)); |
|
203 |
}
|
|
204 |
||
205 |
void
|
|
206 |
pgp_sub_packet_end(struct nettle_buffer *buffer, unsigned start) |
|
207 |
{
|
|
208 |
unsigned length; |
|
209 |
||
210 |
assert(start >= 2); |
|
211 |
assert(start <= buffer->size); |
|
212 |
||
213 |
length = buffer->size - start; |
|
214 |
WRITE_UINT32(buffer->contents + start - 2, length); |
|
215 |
}
|
|
216 |
||
217 |
#if WITH_PUBLIC_KEY
|
|
218 |
int
|
|
219 |
pgp_put_public_rsa_key(struct nettle_buffer *buffer, |
|
220 |
const struct rsa_public_key *pub, |
|
221 |
time_t timestamp) |
|
222 |
{
|
|
223 |
/* Public key packet, version 4 */
|
|
224 |
unsigned start; |
|
225 |
unsigned length; |
|
226 |
||
227 |
/* Size of packet is 16 + the size of e and n */
|
|
228 |
length = (4 * 4 |
|
229 |
+ nettle_mpz_sizeinbase_256_u(pub->n) |
|
230 |
+ nettle_mpz_sizeinbase_256_u(pub->e)); |
|
231 |
||
232 |
if (!pgp_put_header(buffer, PGP_TAG_PUBLIC_KEY, length)) |
|
233 |
return 0; |
|
234 |
||
235 |
start = buffer->size; |
|
236 |
||
237 |
if (! (pgp_put_header(buffer, PGP_TAG_PUBLIC_KEY, |
|
238 |
/* Assume that we need two octets */
|
|
239 |
PGP_LENGTH_TWO_OCTETS) |
|
240 |
&& pgp_put_uint32(buffer, 4) /* Version */ |
|
241 |
&& pgp_put_uint32(buffer, timestamp)/* Time stamp */ |
|
242 |
&& pgp_put_uint32(buffer, PGP_RSA) /* Algorithm */ |
|
243 |
&& pgp_put_mpi(buffer, pub->n) |
|
244 |
&& pgp_put_mpi(buffer, pub->e)) ) |
|
245 |
return 0; |
|
246 |
||
247 |
assert(buffer->size == start + length); |
|
248 |
||
249 |
return 1; |
|
250 |
}
|
|
251 |
||
252 |
int
|
|
253 |
pgp_put_rsa_sha1_signature(struct nettle_buffer *buffer, |
|
254 |
const struct rsa_private_key *key, |
|
255 |
const uint8_t *keyid, |
|
256 |
unsigned type, |
|
257 |
struct sha1_ctx *hash) |
|
258 |
{
|
|
259 |
unsigned signature_start = buffer->size; |
|
260 |
unsigned hash_end; |
|
261 |
unsigned sub_packet_start; |
|
262 |
uint8_t trailer[6]; |
|
263 |
uint8_t digest16[2]; |
|
264 |
mpz_t s; |
|
265 |
||
266 |
/* Signature packet. The packet could reasonably be both smaller and
|
|
267 |
* larger than 192, so for simplicity we use the 4 octet header
|
|
268 |
* form. */
|
|
269 |
||
270 |
if (! (pgp_put_header(buffer, PGP_TAG_SIGNATURE, PGP_LENGTH_FOUR_OCTETS) |
|
271 |
&& NETTLE_BUFFER_PUTC(buffer, 4) /* Version */ |
|
272 |
&& NETTLE_BUFFER_PUTC(buffer, type) |
|
273 |
/* Could also be PGP_RSA_SIGN */
|
|
274 |
&& NETTLE_BUFFER_PUTC(buffer, PGP_RSA) |
|
275 |
&& NETTLE_BUFFER_PUTC(buffer, PGP_SHA1) |
|
276 |
&& pgp_put_uint16(buffer, 0))) /* Hashed subpacket length */ |
|
277 |
return 0; |
|
278 |
||
279 |
hash_end = buffer->size; |
|
280 |
||
281 |
sha1_update(hash, |
|
282 |
hash_end - signature_start, |
|
283 |
buffer->contents + signature_start); |
|
284 |
||
285 |
trailer[0] = 4; trailer[1] = 0xff; |
|
286 |
WRITE_UINT32(trailer + 2, buffer->size - signature_start); |
|
287 |
||
288 |
sha1_update(hash, sizeof(trailer), trailer); |
|
289 |
||
290 |
{
|
|
291 |
struct sha1_ctx hcopy = *hash; |
|
292 |
uint8_t *p = nettle_buffer_space(buffer, 2); |
|
293 |
if (!p) |
|
294 |
return 0; |
|
295 |
||
296 |
sha1_digest(&hcopy, 2, p); |
|
297 |
}
|
|
298 |
||
299 |
/* One "sub-packet" field with the issuer keyid */
|
|
300 |
sub_packet_start = pgp_sub_packet_start(buffer); |
|
301 |
if (!sub_packet_start) |
|
302 |
return 0; |
|
303 |
||
304 |
if (pgp_put_sub_packet(buffer, PGP_SUBPACKET_ISSUER_KEY_ID, 8, keyid)) |
|
305 |
{
|
|
306 |
pgp_sub_packet_end(buffer, sub_packet_start); |
|
307 |
return 0; |
|
308 |
}
|
|
309 |
||
310 |
mpz_init(s); |
|
311 |
rsa_sha1_sign(key, hash, s); |
|
312 |
||
313 |
if (!pgp_put_mpi(buffer, s)) |
|
314 |
{
|
|
315 |
mpz_clear(s); |
|
316 |
return 0; |
|
317 |
}
|
|
318 |
||
319 |
mpz_clear(s); |
|
320 |
pgp_put_header_length(buffer, signature_start, 4); |
|
321 |
||
322 |
return 1; |
|
323 |
}
|
|
324 |
#endif /* WITH_PUBLIC_KEY */ |
|
325 |
||
326 |
#define CRC24_INIT 0x0b704ceL
|
|
327 |
#define CRC24_POLY 0x1864cfbL
|
|
328 |
||
329 |
uint32_t
|
|
330 |
pgp_crc24(unsigned length, const uint8_t *data) |
|
331 |
{
|
|
332 |
uint32_t crc = CRC24_INIT; |
|
333 |
||
334 |
unsigned i; |
|
335 |
for (i = 0; i<length; i++) |
|
336 |
{
|
|
337 |
unsigned j; |
|
338 |
crc ^= ((unsigned) (data[i]) << 16); |
|
339 |
for (j = 0; j<8; j++) |
|
340 |
{
|
|
341 |
crc <<= 1; |
|
342 |
if (crc & 0x1000000) |
|
343 |
crc ^= CRC24_POLY; |
|
344 |
}
|
|
345 |
}
|
|
346 |
assert(crc < 0x1000000); |
|
347 |
return crc; |
|
348 |
}
|
|
349 |
||
350 |
||
351 |
#define WRITE(buffer, s) (nettle_buffer_write(buffer, strlen((s)), (s)))
|
|
352 |
||
353 |
/* 15 base 64 groups data per line */
|
|
354 |
#define BINARY_PER_LINE 45
|
|
355 |
#define TEXT_PER_LINE BASE64_ENCODE_LENGTH(BINARY_PER_LINE)
|
|
356 |
||
357 |
int
|
|
358 |
pgp_armor(struct nettle_buffer *buffer, |
|
359 |
const char *tag, |
|
360 |
unsigned length, |
|
361 |
const uint8_t *data) |
|
362 |
{
|
|
363 |
struct base64_encode_ctx ctx; |
|
364 |
||
365 |
unsigned crc = pgp_crc24(length, data); |
|
366 |
||
367 |
base64_encode_init(&ctx); |
|
368 |
||
369 |
if (! (WRITE(buffer, "BEGIN PGP ") |
|
370 |
&& WRITE(buffer, tag) |
|
371 |
&& WRITE(buffer, "\nComment: Nettle\n\n"))) |
|
372 |
return 0; |
|
373 |
||
374 |
for (; |
|
375 |
length >= BINARY_PER_LINE; |
|
376 |
length -= BINARY_PER_LINE, data += BINARY_PER_LINE) |
|
377 |
{
|
|
378 |
unsigned done; |
|
379 |
uint8_t *p |
|
380 |
= nettle_buffer_space(buffer, TEXT_PER_LINE); |
|
381 |
||
382 |
if (!p) |
|
383 |
return 0; |
|
384 |
||
385 |
done = base64_encode_update(&ctx, p, BINARY_PER_LINE, data); |
|
386 |
assert(done <= TEXT_PER_LINE); |
|
387 |
||
388 |
/* FIXME: Create some official way to do this */
|
|
389 |
buffer->size -= (TEXT_PER_LINE - done); |
|
390 |
||
391 |
if (!NETTLE_BUFFER_PUTC(buffer, '\n')) |
|
392 |
return 0; |
|
393 |
}
|
|
394 |
||
395 |
if (length) |
|
396 |
{
|
|
397 |
unsigned text_size = BASE64_ENCODE_LENGTH(length) |
|
398 |
+ BASE64_ENCODE_FINAL_LENGTH; |
|
399 |
unsigned done; |
|
400 |
||
401 |
uint8_t *p |
|
402 |
= nettle_buffer_space(buffer, text_size); |
|
403 |
if (!p) |
|
404 |
return 0; |
|
405 |
||
406 |
done = base64_encode_update(&ctx, p, length, data); |
|
407 |
done += base64_encode_final(&ctx, p + done); |
|
408 |
||
409 |
/* FIXME: Create some official way to do this */
|
|
410 |
buffer->size -= (text_size - done); |
|
411 |
||
412 |
if (!NETTLE_BUFFER_PUTC(buffer, '\n')) |
|
413 |
return 0; |
|
414 |
}
|
|
415 |
/* Checksum */
|
|
416 |
if (!NETTLE_BUFFER_PUTC(buffer, '=')) |
|
417 |
return 0; |
|
418 |
||
419 |
{
|
|
420 |
uint8_t *p = nettle_buffer_space(buffer, 4); |
|
421 |
if (!p) |
|
422 |
return 0; |
|
423 |
base64_encode_group(p, crc); |
|
424 |
}
|
|
425 |
||
426 |
return (WRITE(buffer, "\nBEGIN PGP ") |
|
427 |
&& WRITE(buffer, tag) |
|
428 |
&& NETTLE_BUFFER_PUTC(buffer, '\n')); |
|
429 |
}
|