LCOV - code coverage report
Current view: top level - agent - pksign.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 99 237 41.8 %
Date: 2016-11-29 15:00:56 Functions: 6 8 75.0 %

          Line data    Source code
       1             : /* pksign.c - public key signing (well, actually using a secret key)
       2             :  * Copyright (C) 2001-2004, 2010 Free Software Foundation, Inc.
       3             :  * Copyright (C) 2001-2004, 2010, 2013  Werner Koch
       4             :  *
       5             :  * This file is part of GnuPG.
       6             :  *
       7             :  * GnuPG is free software; you can redistribute it and/or modify
       8             :  * it under the terms of the GNU General Public License as published by
       9             :  * the Free Software Foundation; either version 3 of the License, or
      10             :  * (at your option) any later version.
      11             :  *
      12             :  * GnuPG is distributed in the hope that it will be useful,
      13             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :  * GNU General Public License for more details.
      16             :  *
      17             :  * You should have received a copy of the GNU General Public License
      18             :  * along with this program; if not, see <https://www.gnu.org/licenses/>.
      19             :  */
      20             : 
      21             : #include <config.h>
      22             : #include <errno.h>
      23             : #include <stdio.h>
      24             : #include <stdlib.h>
      25             : #include <string.h>
      26             : #include <ctype.h>
      27             : #include <assert.h>
      28             : #include <unistd.h>
      29             : #include <sys/stat.h>
      30             : 
      31             : #include "agent.h"
      32             : #include "i18n.h"
      33             : 
      34             : 
      35             : static int
      36          23 : do_encode_md (const byte * md, size_t mdlen, int algo, gcry_sexp_t * r_hash,
      37             :               int raw_value)
      38             : {
      39             :   gcry_sexp_t hash;
      40             :   int rc;
      41             : 
      42          23 :   if (!raw_value)
      43             :     {
      44             :       const char *s;
      45             :       char tmp[16+1];
      46             :       int i;
      47             : 
      48          23 :       s = gcry_md_algo_name (algo);
      49          23 :       if (s && strlen (s) < 16)
      50             :         {
      51         157 :           for (i=0; i < strlen (s); i++)
      52         134 :             tmp[i] = tolower (s[i]);
      53          23 :           tmp[i] = '\0';
      54             :         }
      55             : 
      56          23 :       rc = gcry_sexp_build (&hash, NULL,
      57             :                             "(data (flags pkcs1) (hash %s %b))",
      58             :                             tmp, (int)mdlen, md);
      59             :     }
      60             :   else
      61             :     {
      62             :       gcry_mpi_t mpi;
      63             : 
      64           0 :       rc = gcry_mpi_scan (&mpi, GCRYMPI_FMT_USG, md, mdlen, NULL);
      65           0 :       if (!rc)
      66             :         {
      67           0 :           rc = gcry_sexp_build (&hash, NULL,
      68             :                                 "(data (flags raw) (value %m))",
      69             :                                 mpi);
      70           0 :           gcry_mpi_release (mpi);
      71             :         }
      72             :       else
      73           0 :         hash = NULL;
      74             : 
      75             :     }
      76             : 
      77          23 :   *r_hash = hash;
      78          23 :   return rc;
      79             : }
      80             : 
      81             : 
      82             : /* Return the number of bits of the Q parameter from the DSA key
      83             :    KEY.  */
      84             : static unsigned int
      85          97 : get_dsa_qbits (gcry_sexp_t key)
      86             : {
      87             :   gcry_sexp_t l1, l2;
      88             :   gcry_mpi_t q;
      89             :   unsigned int nbits;
      90             : 
      91          97 :   l1 = gcry_sexp_find_token (key, "private-key", 0);
      92          97 :   if (!l1)
      93           0 :     l1 = gcry_sexp_find_token (key, "protected-private-key", 0);
      94          97 :   if (!l1)
      95           0 :     l1 = gcry_sexp_find_token (key, "shadowed-private-key", 0);
      96          97 :   if (!l1)
      97           0 :     l1 = gcry_sexp_find_token (key, "public-key", 0);
      98          97 :   if (!l1)
      99           0 :     return 0; /* Does not contain a key object.  */
     100          97 :   l2 = gcry_sexp_cadr (l1);
     101          97 :   gcry_sexp_release  (l1);
     102          97 :   l1 = gcry_sexp_find_token (l2, "q", 1);
     103          97 :   gcry_sexp_release (l2);
     104          97 :   if (!l1)
     105           0 :     return 0; /* Invalid object.  */
     106          97 :   q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
     107          97 :   gcry_sexp_release (l1);
     108          97 :   if (!q)
     109           0 :     return 0; /* Missing value.  */
     110          97 :   nbits = gcry_mpi_get_nbits (q);
     111          97 :   gcry_mpi_release (q);
     112             : 
     113          97 :   return nbits;
     114             : }
     115             : 
     116             : 
     117             : /* Return an appropriate hash algorithm to be used with RFC-6979 for a
     118             :    message digest of length MDLEN.  Although a fallback of SHA-256 is
     119             :    used the current implementation in Libgcrypt will reject a hash
     120             :    algorithm which does not match the length of the message.  */
     121             : static const char *
     122         118 : rfc6979_hash_algo_string (size_t mdlen)
     123             : {
     124         118 :   switch (mdlen)
     125             :     {
     126          97 :     case 20: return "sha1";
     127           0 :     case 28: return "sha224";
     128           7 :     case 32: return "sha256";
     129           7 :     case 48: return "sha384";
     130           7 :     case 64: return "sha512";
     131           0 :     default: return "sha256";
     132             :     }
     133             : }
     134             : 
     135             : 
     136             : /* Encode a message digest for use with the EdDSA algorithm
     137             :    (i.e. curve Ed25519). */
     138             : static gpg_error_t
     139           0 : do_encode_eddsa (const byte *md, size_t mdlen, gcry_sexp_t *r_hash)
     140             : {
     141             :   gpg_error_t err;
     142             :   gcry_sexp_t hash;
     143             : 
     144           0 :   *r_hash = NULL;
     145           0 :   err = gcry_sexp_build (&hash, NULL,
     146             :                          "(data(flags eddsa)(hash-algo sha512)(value %b))",
     147             :                          (int)mdlen, md);
     148           0 :   if (!err)
     149           0 :     *r_hash = hash;
     150           0 :   return err;
     151             : }
     152             : 
     153             : 
     154             : /* Encode a message digest for use with an DSA algorithm. */
     155             : static gpg_error_t
     156         118 : do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
     157             :                gcry_sexp_t *r_hash)
     158             : {
     159             :   gpg_error_t err;
     160             :   gcry_sexp_t hash;
     161             :   unsigned int qbits;
     162             : 
     163         118 :   *r_hash = NULL;
     164             : 
     165         118 :   if (pkalgo == GCRY_PK_ECDSA)
     166          21 :     qbits = gcry_pk_get_nbits (pkey);
     167          97 :   else if (pkalgo == GCRY_PK_DSA)
     168          97 :     qbits = get_dsa_qbits (pkey);
     169             :   else
     170           0 :     return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
     171             : 
     172         118 :   if (pkalgo == GCRY_PK_DSA && (qbits%8))
     173             :     {
     174             :       /* FIXME: We check the QBITS but print a message about the hash
     175             :          length.  */
     176           0 :       log_error (_("DSA requires the hash length to be a"
     177             :                    " multiple of 8 bits\n"));
     178           0 :       return gpg_error (GPG_ERR_INV_LENGTH);
     179             :     }
     180             : 
     181             :   /* Don't allow any Q smaller than 160 bits.  We don't want someone
     182             :      to issue signatures from a key with a 16-bit Q or something like
     183             :      that, which would look correct but allow trivial forgeries.  Yes,
     184             :      I know this rules out using MD5 with DSA. ;) */
     185         118 :   if (qbits < 160)
     186             :     {
     187           0 :       log_error (_("%s key uses an unsafe (%u bit) hash\n"),
     188             :                  gcry_pk_algo_name (pkalgo), qbits);
     189           0 :       return gpg_error (GPG_ERR_INV_LENGTH);
     190             :     }
     191             : 
     192             :   /* ECDSA 521 is special has it is larger than the largest hash
     193             :      we have (SHA-512).  Thus we chnage the size for further
     194             :      processing to 512.  */
     195         118 :   if (pkalgo == GCRY_PK_ECDSA && qbits > 512)
     196           7 :     qbits = 512;
     197             : 
     198             :   /* Check if we're too short.  Too long is safe as we'll
     199             :      automatically left-truncate.  */
     200         118 :   if (mdlen < qbits/8)
     201             :     {
     202           0 :       log_error (_("a %zu bit hash is not valid for a %u bit %s key\n"),
     203             :                  mdlen*8,
     204             :                  gcry_pk_get_nbits (pkey),
     205             :                  gcry_pk_algo_name (pkalgo));
     206           0 :       return gpg_error (GPG_ERR_INV_LENGTH);
     207             :     }
     208             : 
     209             :   /* Truncate.  */
     210         118 :   if (mdlen > qbits/8)
     211           8 :     mdlen = qbits/8;
     212             : 
     213             :   /* Create the S-expression.  */
     214         118 :   err = gcry_sexp_build (&hash, NULL,
     215             :                          "(data (flags rfc6979) (hash %s %b))",
     216             :                          rfc6979_hash_algo_string (mdlen),
     217             :                          (int)mdlen, md);
     218         118 :   if (!err)
     219         118 :     *r_hash = hash;
     220         118 :   return err;
     221             : }
     222             : 
     223             : 
     224             : /* Special version of do_encode_md to take care of pkcs#1 padding.
     225             :    For TLS-MD5SHA1 we need to do the padding ourself as Libgrypt does
     226             :    not know about this special scheme.  Fixme: We should have a
     227             :    pkcs1-only-padding flag for Libgcrypt. */
     228             : static int
     229           0 : do_encode_raw_pkcs1 (const byte *md, size_t mdlen, unsigned int nbits,
     230             :                      gcry_sexp_t *r_hash)
     231             : {
     232             :   int rc;
     233             :   gcry_sexp_t hash;
     234             :   unsigned char *frame;
     235             :   size_t i, n, nframe;
     236             : 
     237           0 :   nframe = (nbits+7) / 8;
     238           0 :   if ( !mdlen || mdlen + 8 + 4 > nframe )
     239             :     {
     240             :       /* Can't encode this hash into a frame of size NFRAME. */
     241           0 :       return gpg_error (GPG_ERR_TOO_SHORT);
     242             :     }
     243             : 
     244           0 :   frame = xtrymalloc (nframe);
     245           0 :   if (!frame)
     246           0 :     return gpg_error_from_syserror ();
     247             : 
     248             :   /* Assemble the pkcs#1 block type 1. */
     249           0 :   n = 0;
     250           0 :   frame[n++] = 0;
     251           0 :   frame[n++] = 1; /* Block type. */
     252           0 :   i = nframe - mdlen - 3 ;
     253           0 :   assert (i >= 8); /* At least 8 bytes of padding.  */
     254           0 :   memset (frame+n, 0xff, i );
     255           0 :   n += i;
     256           0 :   frame[n++] = 0;
     257           0 :   memcpy (frame+n, md, mdlen );
     258           0 :   n += mdlen;
     259           0 :   assert (n == nframe);
     260             : 
     261             :   /* Create the S-expression.  */
     262           0 :   rc = gcry_sexp_build (&hash, NULL,
     263             :                         "(data (flags raw) (value %b))",
     264             :                         (int)nframe, frame);
     265           0 :   xfree (frame);
     266             : 
     267           0 :   *r_hash = hash;
     268           0 :   return rc;
     269             : }
     270             : 
     271             : 
     272             : 
     273             : /* SIGN whatever information we have accumulated in CTRL and return
     274             :    the signature S-expression.  LOOKUP is an optional function to
     275             :    provide a way for lower layers to ask for the caching TTL.  If a
     276             :    CACHE_NONCE is given that cache item is first tried to get a
     277             :    passphrase.  If OVERRIDEDATA is not NULL, OVERRIDEDATALEN bytes
     278             :    from this buffer are used instead of the data in CTRL.  The
     279             :    override feature is required to allow the use of Ed25519 with ssh
     280             :    because Ed25519 does the hashing itself.  */
     281             : int
     282         141 : agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
     283             :                  const char *desc_text,
     284             :                  gcry_sexp_t *signature_sexp,
     285             :                  cache_mode_t cache_mode, lookup_ttl_t lookup_ttl,
     286             :                  const void *overridedata, size_t overridedatalen)
     287             : {
     288         141 :   gcry_sexp_t s_skey = NULL, s_sig = NULL;
     289         141 :   gcry_sexp_t s_hash = NULL;
     290         141 :   gcry_sexp_t s_pkey = NULL;
     291         141 :   unsigned char *shadow_info = NULL;
     292         141 :   unsigned int rc = 0;          /* FIXME: gpg-error? */
     293             :   const unsigned char *data;
     294             :   int datalen;
     295         141 :   int check_signature = 0;
     296             : 
     297         141 :   if (overridedata)
     298             :     {
     299           0 :       data = overridedata;
     300           0 :       datalen = overridedatalen;
     301             :     }
     302             :   else
     303             :     {
     304         141 :       data = ctrl->digest.value;
     305         141 :       datalen = ctrl->digest.valuelen;
     306             :     }
     307             : 
     308         141 :   if (!ctrl->have_keygrip)
     309           0 :     return gpg_error (GPG_ERR_NO_SECKEY);
     310             : 
     311         141 :   rc = agent_key_from_file (ctrl, cache_nonce, desc_text, ctrl->keygrip,
     312             :                             &shadow_info, cache_mode, lookup_ttl,
     313             :                             &s_skey, NULL);
     314         141 :   if (rc)
     315             :     {
     316           0 :       if (gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
     317           0 :         log_error ("failed to read the secret key\n");
     318           0 :       goto leave;
     319             :     }
     320             : 
     321         141 :   if (shadow_info)
     322             :     {
     323             :       /* Divert operation to the smartcard */
     324             :       size_t len;
     325           0 :       unsigned char *buf = NULL;
     326             :       int key_type;
     327           0 :       int is_RSA = 0;
     328           0 :       int is_ECDSA = 0;
     329           0 :       int is_EdDSA = 0;
     330             : 
     331           0 :       rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
     332           0 :       if (rc)
     333             :         {
     334           0 :           log_error ("failed to read the public key\n");
     335           0 :           goto leave;
     336             :         }
     337             : 
     338           0 :       if (agent_is_eddsa_key (s_skey))
     339           0 :         is_EdDSA = 1;
     340             :       else
     341             :         {
     342           0 :           key_type = agent_is_dsa_key (s_skey);
     343           0 :           if (key_type == 0)
     344           0 :             is_RSA = 1;
     345           0 :           else if (key_type == GCRY_PK_ECDSA)
     346           0 :             is_ECDSA = 1;
     347             :         }
     348             : 
     349           0 :       rc = divert_pksign (ctrl,
     350             :                           data, datalen,
     351             :                           ctrl->digest.algo,
     352             :                           shadow_info, &buf, &len);
     353           0 :       if (rc)
     354             :         {
     355           0 :           log_error ("smartcard signing failed: %s\n", gpg_strerror (rc));
     356           0 :           goto leave;
     357             :         }
     358             : 
     359           0 :       if (is_RSA)
     360             :         {
     361           0 :           check_signature = 1;
     362           0 :           if (*buf & 0x80)
     363             :             {
     364           0 :               len++;
     365           0 :               buf = xtryrealloc (buf, len);
     366           0 :               if (!buf)
     367           0 :                 goto leave;
     368             : 
     369           0 :               memmove (buf + 1, buf, len - 1);
     370           0 :               *buf = 0;
     371             :             }
     372             : 
     373           0 :           rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%b)))",
     374             :                                 (int)len, buf);
     375             :         }
     376           0 :       else if (is_EdDSA)
     377             :         {
     378           0 :           rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%b)(s%b)))",
     379           0 :                                 (int)len/2, buf, (int)len/2, buf + len/2);
     380             :         }
     381           0 :       else if (is_ECDSA)
     382             :         {
     383           0 :           unsigned char *r_buf_allocated = NULL;
     384           0 :           unsigned char *s_buf_allocated = NULL;
     385             :           unsigned char *r_buf, *s_buf;
     386             :           int r_buflen, s_buflen;
     387             : 
     388           0 :           r_buflen = s_buflen = len/2;
     389             : 
     390           0 :           if (*buf & 0x80)
     391             :             {
     392           0 :               r_buflen++;
     393           0 :               r_buf_allocated = xtrymalloc (r_buflen);
     394           0 :               if (!r_buf_allocated)
     395           0 :                 goto leave;
     396             : 
     397           0 :               r_buf = r_buf_allocated;
     398           0 :               memcpy (r_buf + 1, buf, len/2);
     399           0 :               *r_buf = 0;
     400             :             }
     401             :           else
     402           0 :             r_buf = buf;
     403             : 
     404           0 :           if (*(buf + len/2) & 0x80)
     405             :             {
     406           0 :               s_buflen++;
     407           0 :               s_buf_allocated = xtrymalloc (s_buflen);
     408           0 :               if (!s_buf_allocated)
     409             :                 {
     410           0 :                   xfree (r_buf_allocated);
     411           0 :                   goto leave;
     412             :                 }
     413             : 
     414           0 :               s_buf = s_buf_allocated;
     415           0 :               memcpy (s_buf + 1, buf + len/2, len/2);
     416           0 :               *s_buf = 0;
     417             :             }
     418             :           else
     419           0 :             s_buf = buf + len/2;
     420             : 
     421           0 :           rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(ecdsa(r%b)(s%b)))",
     422             :                                 r_buflen, r_buf,
     423             :                                 s_buflen, s_buf);
     424           0 :           xfree (r_buf_allocated);
     425           0 :           xfree (s_buf_allocated);
     426             :         }
     427             :       else
     428           0 :         rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
     429             : 
     430           0 :       xfree (buf);
     431           0 :       if (rc)
     432             :         {
     433           0 :           log_error ("failed to convert sigbuf returned by divert_pksign "
     434             :                      "into S-Exp: %s", gpg_strerror (rc));
     435           0 :           goto leave;
     436             :         }
     437             :     }
     438             :   else
     439             :     {
     440             :       /* No smartcard, but a private key */
     441         141 :       int dsaalgo = 0;
     442             : 
     443             :       /* Put the hash into a sexp */
     444         141 :       if (agent_is_eddsa_key (s_skey))
     445           0 :         rc = do_encode_eddsa (data, datalen,
     446             :                               &s_hash);
     447         141 :       else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
     448           0 :         rc = do_encode_raw_pkcs1 (data, datalen,
     449             :                                   gcry_pk_get_nbits (s_skey),
     450             :                                   &s_hash);
     451         141 :       else if ( (dsaalgo = agent_is_dsa_key (s_skey)) )
     452         118 :         rc = do_encode_dsa (data, datalen,
     453             :                             dsaalgo, s_skey,
     454             :                             &s_hash);
     455             :       else
     456          23 :         rc = do_encode_md (data, datalen,
     457             :                            ctrl->digest.algo,
     458             :                            &s_hash,
     459          23 :                            ctrl->digest.raw_value);
     460         141 :       if (rc)
     461           0 :         goto leave;
     462             : 
     463             :       if (dsaalgo == 0 && GCRYPT_VERSION_NUMBER < 0x010700)
     464             :         /* It's RSA and Libgcrypt < 1.7 */
     465             :         check_signature = 1;
     466             : 
     467         141 :       if (DBG_CRYPTO)
     468             :         {
     469           0 :           gcry_log_debugsxp ("skey", s_skey);
     470           0 :           gcry_log_debugsxp ("hash", s_hash);
     471             :         }
     472             : 
     473             :       /* sign */
     474         141 :       rc = gcry_pk_sign (&s_sig, s_hash, s_skey);
     475         141 :       if (rc)
     476             :         {
     477           0 :           log_error ("signing failed: %s\n", gpg_strerror (rc));
     478           0 :           goto leave;
     479             :         }
     480             : 
     481         141 :       if (DBG_CRYPTO)
     482           0 :         gcry_log_debugsxp ("rslt", s_sig);
     483             :     }
     484             : 
     485             :   /* Check that the signature verification worked and nothing is
     486             :    * fooling us e.g. by a bug in the signature create code or by
     487             :    * deliberately introduced faults.  Because Libgcrypt 1.7 does this
     488             :    * for RSA internally there is no need to do it here again.  */
     489         141 :   if (check_signature)
     490             :     {
     491           0 :       gcry_sexp_t sexp_key = s_pkey? s_pkey: s_skey;
     492             : 
     493           0 :       if (s_hash == NULL)
     494             :         {
     495           0 :           if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
     496           0 :             rc = do_encode_raw_pkcs1 (data, datalen,
     497             :                                       gcry_pk_get_nbits (sexp_key), &s_hash);
     498             :           else
     499           0 :             rc = do_encode_md (data, datalen, ctrl->digest.algo, &s_hash,
     500           0 :                                ctrl->digest.raw_value);
     501             :         }
     502             : 
     503           0 :       if (! rc)
     504           0 :         rc = gcry_pk_verify (s_sig, s_hash, sexp_key);
     505             : 
     506           0 :       if (rc)
     507             :         {
     508           0 :           log_error (_("checking created signature failed: %s\n"),
     509             :                      gpg_strerror (rc));
     510           0 :           gcry_sexp_release (s_sig);
     511           0 :           s_sig = NULL;
     512             :         }
     513             :     }
     514             : 
     515             :  leave:
     516             : 
     517         141 :   *signature_sexp = s_sig;
     518             : 
     519         141 :   gcry_sexp_release (s_pkey);
     520         141 :   gcry_sexp_release (s_skey);
     521         141 :   gcry_sexp_release (s_hash);
     522         141 :   xfree (shadow_info);
     523             : 
     524         141 :   return rc;
     525             : }
     526             : 
     527             : /* SIGN whatever information we have accumulated in CTRL and write it
     528             :    back to OUTFP.  If a CACHE_NONCE is given that cache item is first
     529             :    tried to get a passphrase.  */
     530             : int
     531         141 : agent_pksign (ctrl_t ctrl, const char *cache_nonce, const char *desc_text,
     532             :               membuf_t *outbuf, cache_mode_t cache_mode)
     533             : {
     534         141 :   gcry_sexp_t s_sig = NULL;
     535         141 :   char *buf = NULL;
     536         141 :   size_t len = 0;
     537         141 :   int rc = 0;
     538             : 
     539         141 :   rc = agent_pksign_do (ctrl, cache_nonce, desc_text, &s_sig, cache_mode, NULL,
     540             :                         NULL, 0);
     541         141 :   if (rc)
     542           0 :     goto leave;
     543             : 
     544         141 :   len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0);
     545         141 :   assert (len);
     546         141 :   buf = xmalloc (len);
     547         141 :   len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len);
     548         141 :   assert (len);
     549             : 
     550         141 :   put_membuf (outbuf, buf, len);
     551             : 
     552             :  leave:
     553         141 :   gcry_sexp_release (s_sig);
     554         141 :   xfree (buf);
     555             : 
     556         141 :   return rc;
     557             : }

Generated by: LCOV version 1.11