LCOV - code coverage report
Current view: top level - agent - pksign.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 99 236 41.9 %
Date: 2016-09-12 13:01:59 Functions: 6 8 75.0 %

          Line data    Source code
       1             : /* pksign.c - public key signing (well, actually using a secret key)
       2             :  * Copyright (C) 2001-2004, 2010 Free Software Foundation, Inc.
       3             :  * Copyright (C) 2001-2004, 2010, 2013  Werner Koch
       4             :  *
       5             :  * This file is part of GnuPG.
       6             :  *
       7             :  * GnuPG is free software; you can redistribute it and/or modify
       8             :  * it under the terms of the GNU General Public License as published by
       9             :  * the Free Software Foundation; either version 3 of the License, or
      10             :  * (at your option) any later version.
      11             :  *
      12             :  * GnuPG is distributed in the hope that it will be useful,
      13             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :  * GNU General Public License for more details.
      16             :  *
      17             :  * You should have received a copy of the GNU General Public License
      18             :  * along with this program; if not, see <http://www.gnu.org/licenses/>.
      19             :  */
      20             : 
      21             : #include <config.h>
      22             : #include <errno.h>
      23             : #include <stdio.h>
      24             : #include <stdlib.h>
      25             : #include <string.h>
      26             : #include <ctype.h>
      27             : #include <assert.h>
      28             : #include <unistd.h>
      29             : #include <sys/stat.h>
      30             : 
      31             : #include "agent.h"
      32             : #include "i18n.h"
      33             : 
      34             : 
      35             : static int
      36          18 : do_encode_md (const byte * md, size_t mdlen, int algo, gcry_sexp_t * r_hash,
      37             :               int raw_value)
      38             : {
      39             :   gcry_sexp_t hash;
      40             :   int rc;
      41             : 
      42          18 :   if (!raw_value)
      43             :     {
      44             :       const char *s;
      45             :       char tmp[16+1];
      46             :       int i;
      47             : 
      48          18 :       s = gcry_md_algo_name (algo);
      49          18 :       if (s && strlen (s) < 16)
      50             :         {
      51         122 :           for (i=0; i < strlen (s); i++)
      52         104 :             tmp[i] = tolower (s[i]);
      53          18 :           tmp[i] = '\0';
      54             :         }
      55             : 
      56          18 :       rc = gcry_sexp_build (&hash, NULL,
      57             :                             "(data (flags pkcs1) (hash %s %b))",
      58             :                             tmp, (int)mdlen, md);
      59             :     }
      60             :   else
      61             :     {
      62             :       gcry_mpi_t mpi;
      63             : 
      64           0 :       rc = gcry_mpi_scan (&mpi, GCRYMPI_FMT_USG, md, mdlen, NULL);
      65           0 :       if (!rc)
      66             :         {
      67           0 :           rc = gcry_sexp_build (&hash, NULL,
      68             :                                 "(data (flags raw) (value %m))",
      69             :                                 mpi);
      70           0 :           gcry_mpi_release (mpi);
      71             :         }
      72             :       else
      73           0 :         hash = NULL;
      74             : 
      75             :     }
      76             : 
      77          18 :   *r_hash = hash;
      78          18 :   return rc;
      79             : }
      80             : 
      81             : 
      82             : /* Return the number of bits of the Q parameter from the DSA key
      83             :    KEY.  */
      84             : static unsigned int
      85          97 : get_dsa_qbits (gcry_sexp_t key)
      86             : {
      87             :   gcry_sexp_t l1, l2;
      88             :   gcry_mpi_t q;
      89             :   unsigned int nbits;
      90             : 
      91          97 :   l1 = gcry_sexp_find_token (key, "private-key", 0);
      92          97 :   if (!l1)
      93           0 :     l1 = gcry_sexp_find_token (key, "protected-private-key", 0);
      94          97 :   if (!l1)
      95           0 :     l1 = gcry_sexp_find_token (key, "shadowed-private-key", 0);
      96          97 :   if (!l1)
      97           0 :     l1 = gcry_sexp_find_token (key, "public-key", 0);
      98          97 :   if (!l1)
      99           0 :     return 0; /* Does not contain a key object.  */
     100          97 :   l2 = gcry_sexp_cadr (l1);
     101          97 :   gcry_sexp_release  (l1);
     102          97 :   l1 = gcry_sexp_find_token (l2, "q", 1);
     103          97 :   gcry_sexp_release (l2);
     104          97 :   if (!l1)
     105           0 :     return 0; /* Invalid object.  */
     106          97 :   q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
     107          97 :   gcry_sexp_release (l1);
     108          97 :   if (!q)
     109           0 :     return 0; /* Missing value.  */
     110          97 :   nbits = gcry_mpi_get_nbits (q);
     111          97 :   gcry_mpi_release (q);
     112             : 
     113          97 :   return nbits;
     114             : }
     115             : 
     116             : 
     117             : /* Return an appropriate hash algorithm to be used with RFC-6979 for a
     118             :    message digest of length MDLEN.  Although a fallback of SHA-256 is
     119             :    used the current implementation in Libgcrypt will reject a hash
     120             :    algorithm which does not match the length of the message.  */
     121             : static const char *
     122         118 : rfc6979_hash_algo_string (size_t mdlen)
     123             : {
     124         118 :   switch (mdlen)
     125             :     {
     126          97 :     case 20: return "sha1";
     127           0 :     case 28: return "sha224";
     128           7 :     case 32: return "sha256";
     129           7 :     case 48: return "sha384";
     130           7 :     case 64: return "sha512";
     131           0 :     default: return "sha256";
     132             :     }
     133             : }
     134             : 
     135             : 
     136             : /* Encode a message digest for use with the EdDSA algorithm
     137             :    (i.e. curve Ed25519). */
     138             : static gpg_error_t
     139           0 : do_encode_eddsa (const byte *md, size_t mdlen, gcry_sexp_t *r_hash)
     140             : {
     141             :   gpg_error_t err;
     142             :   gcry_sexp_t hash;
     143             : 
     144           0 :   *r_hash = NULL;
     145           0 :   err = gcry_sexp_build (&hash, NULL,
     146             :                          "(data(flags eddsa)(hash-algo sha512)(value %b))",
     147             :                          (int)mdlen, md);
     148           0 :   if (!err)
     149           0 :     *r_hash = hash;
     150           0 :   return err;
     151             : }
     152             : 
     153             : 
     154             : /* Encode a message digest for use with an DSA algorithm. */
     155             : static gpg_error_t
     156         118 : do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
     157             :                gcry_sexp_t *r_hash)
     158             : {
     159             :   gpg_error_t err;
     160             :   gcry_sexp_t hash;
     161             :   unsigned int qbits;
     162             : 
     163         118 :   *r_hash = NULL;
     164             : 
     165         118 :   if (pkalgo == GCRY_PK_ECDSA)
     166          21 :     qbits = gcry_pk_get_nbits (pkey);
     167          97 :   else if (pkalgo == GCRY_PK_DSA)
     168          97 :     qbits = get_dsa_qbits (pkey);
     169             :   else
     170           0 :     return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
     171             : 
     172         118 :   if (pkalgo == GCRY_PK_DSA && (qbits%8))
     173             :     {
     174             :       /* FIXME: We check the QBITS but print a message about the hash
     175             :          length.  */
     176           0 :       log_error (_("DSA requires the hash length to be a"
     177             :                    " multiple of 8 bits\n"));
     178           0 :       return gpg_error (GPG_ERR_INV_LENGTH);
     179             :     }
     180             : 
     181             :   /* Don't allow any Q smaller than 160 bits.  We don't want someone
     182             :      to issue signatures from a key with a 16-bit Q or something like
     183             :      that, which would look correct but allow trivial forgeries.  Yes,
     184             :      I know this rules out using MD5 with DSA. ;) */
     185         118 :   if (qbits < 160)
     186             :     {
     187           0 :       log_error (_("%s key uses an unsafe (%u bit) hash\n"),
     188             :                  gcry_pk_algo_name (pkalgo), qbits);
     189           0 :       return gpg_error (GPG_ERR_INV_LENGTH);
     190             :     }
     191             : 
     192             :   /* Check if we're too short.  Too long is safe as we'll
     193             :    * automatically left-truncate.
     194             :    *
     195             :    * This check would require the use of SHA512 with ECDSA 512. I
     196             :    * think this is overkill to fail in this case.  Therefore, relax
     197             :    * the check, but only for ECDSA keys.  We may need to adjust it
     198             :    * later for general case.  (Note that the check is really a bug for
     199             :    * ECDSA 521 as the only hash that matches it is SHA 512, but 512 <
     200             :    * 521 ).
     201             :    */
     202         118 :   if (mdlen < ((pkalgo==GCRY_PK_ECDSA && qbits > 521) ? 512 : qbits)/8)
     203             :     {
     204           7 :       log_error (_("a %zu bit hash is not valid for a %u bit %s key\n"),
     205             :                  mdlen*8,
     206             :                  gcry_pk_get_nbits (pkey),
     207             :                  gcry_pk_algo_name (pkalgo));
     208             :       /* FIXME: we need to check the requirements for ECDSA.  */
     209           7 :       if (mdlen < 20 || pkalgo == GCRY_PK_DSA)
     210           0 :         return gpg_error (GPG_ERR_INV_LENGTH);
     211             :     }
     212             : 
     213             :   /* Truncate.  */
     214         118 :   if (mdlen > qbits/8)
     215           8 :     mdlen = qbits/8;
     216             : 
     217             :   /* Create the S-expression.  */
     218         118 :   err = gcry_sexp_build (&hash, NULL,
     219             :                          "(data (flags rfc6979) (hash %s %b))",
     220             :                          rfc6979_hash_algo_string (mdlen),
     221             :                          (int)mdlen, md);
     222         118 :   if (!err)
     223         118 :     *r_hash = hash;
     224         118 :   return err;
     225             : }
     226             : 
     227             : 
     228             : /* Special version of do_encode_md to take care of pkcs#1 padding.
     229             :    For TLS-MD5SHA1 we need to do the padding ourself as Libgrypt does
     230             :    not know about this special scheme.  Fixme: We should have a
     231             :    pkcs1-only-padding flag for Libgcrypt. */
     232             : static int
     233           0 : do_encode_raw_pkcs1 (const byte *md, size_t mdlen, unsigned int nbits,
     234             :                      gcry_sexp_t *r_hash)
     235             : {
     236             :   int rc;
     237             :   gcry_sexp_t hash;
     238             :   unsigned char *frame;
     239             :   size_t i, n, nframe;
     240             : 
     241           0 :   nframe = (nbits+7) / 8;
     242           0 :   if ( !mdlen || mdlen + 8 + 4 > nframe )
     243             :     {
     244             :       /* Can't encode this hash into a frame of size NFRAME. */
     245           0 :       return gpg_error (GPG_ERR_TOO_SHORT);
     246             :     }
     247             : 
     248           0 :   frame = xtrymalloc (nframe);
     249           0 :   if (!frame)
     250           0 :     return gpg_error_from_syserror ();
     251             : 
     252             :   /* Assemble the pkcs#1 block type 1. */
     253           0 :   n = 0;
     254           0 :   frame[n++] = 0;
     255           0 :   frame[n++] = 1; /* Block type. */
     256           0 :   i = nframe - mdlen - 3 ;
     257           0 :   assert (i >= 8); /* At least 8 bytes of padding.  */
     258           0 :   memset (frame+n, 0xff, i );
     259           0 :   n += i;
     260           0 :   frame[n++] = 0;
     261           0 :   memcpy (frame+n, md, mdlen );
     262           0 :   n += mdlen;
     263           0 :   assert (n == nframe);
     264             : 
     265             :   /* Create the S-expression.  */
     266           0 :   rc = gcry_sexp_build (&hash, NULL,
     267             :                         "(data (flags raw) (value %b))",
     268             :                         (int)nframe, frame);
     269           0 :   xfree (frame);
     270             : 
     271           0 :   *r_hash = hash;
     272           0 :   return rc;
     273             : }
     274             : 
     275             : 
     276             : 
     277             : /* SIGN whatever information we have accumulated in CTRL and return
     278             :    the signature S-expression.  LOOKUP is an optional function to
     279             :    provide a way for lower layers to ask for the caching TTL.  If a
     280             :    CACHE_NONCE is given that cache item is first tried to get a
     281             :    passphrase.  If OVERRIDEDATA is not NULL, OVERRIDEDATALEN bytes
     282             :    from this buffer are used instead of the data in CTRL.  The
     283             :    override feature is required to allow the use of Ed25519 with ssh
     284             :    because Ed25519 does the hashing itself.  */
     285             : int
     286         136 : agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
     287             :                  const char *desc_text,
     288             :                  gcry_sexp_t *signature_sexp,
     289             :                  cache_mode_t cache_mode, lookup_ttl_t lookup_ttl,
     290             :                  const void *overridedata, size_t overridedatalen)
     291             : {
     292         136 :   gcry_sexp_t s_skey = NULL, s_sig = NULL;
     293         136 :   gcry_sexp_t s_hash = NULL;
     294         136 :   gcry_sexp_t s_pkey = NULL;
     295         136 :   unsigned char *shadow_info = NULL;
     296         136 :   unsigned int rc = 0;          /* FIXME: gpg-error? */
     297             :   const unsigned char *data;
     298             :   int datalen;
     299         136 :   int check_signature = 0;
     300             : 
     301         136 :   if (overridedata)
     302             :     {
     303           0 :       data = overridedata;
     304           0 :       datalen = overridedatalen;
     305             :     }
     306             :   else
     307             :     {
     308         136 :       data = ctrl->digest.value;
     309         136 :       datalen = ctrl->digest.valuelen;
     310             :     }
     311             : 
     312         136 :   if (!ctrl->have_keygrip)
     313           0 :     return gpg_error (GPG_ERR_NO_SECKEY);
     314             : 
     315         136 :   rc = agent_key_from_file (ctrl, cache_nonce, desc_text, ctrl->keygrip,
     316             :                             &shadow_info, cache_mode, lookup_ttl,
     317             :                             &s_skey, NULL);
     318         136 :   if (rc)
     319             :     {
     320           0 :       if (gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
     321           0 :         log_error ("failed to read the secret key\n");
     322           0 :       goto leave;
     323             :     }
     324             : 
     325         136 :   if (shadow_info)
     326             :     {
     327             :       /* Divert operation to the smartcard */
     328             :       size_t len;
     329           0 :       unsigned char *buf = NULL;
     330             :       int key_type;
     331           0 :       int is_RSA = 0;
     332           0 :       int is_ECDSA = 0;
     333           0 :       int is_EdDSA = 0;
     334             : 
     335           0 :       rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
     336           0 :       if (rc)
     337             :         {
     338           0 :           log_error ("failed to read the public key\n");
     339           0 :           goto leave;
     340             :         }
     341             : 
     342           0 :       if (agent_is_eddsa_key (s_skey))
     343           0 :         is_EdDSA = 1;
     344             :       else
     345             :         {
     346           0 :           key_type = agent_is_dsa_key (s_skey);
     347           0 :           if (key_type == 0)
     348           0 :             is_RSA = 1;
     349           0 :           else if (key_type == GCRY_PK_ECDSA)
     350           0 :             is_ECDSA = 1;
     351             :         }
     352             : 
     353           0 :       rc = divert_pksign (ctrl,
     354             :                           data, datalen,
     355             :                           ctrl->digest.algo,
     356             :                           shadow_info, &buf, &len);
     357           0 :       if (rc)
     358             :         {
     359           0 :           log_error ("smartcard signing failed: %s\n", gpg_strerror (rc));
     360           0 :           goto leave;
     361             :         }
     362             : 
     363           0 :       if (is_RSA)
     364             :         {
     365           0 :           check_signature = 1;
     366           0 :           if (*buf & 0x80)
     367             :             {
     368           0 :               len++;
     369           0 :               buf = xtryrealloc (buf, len);
     370           0 :               if (!buf)
     371           0 :                 goto leave;
     372             : 
     373           0 :               memmove (buf + 1, buf, len - 1);
     374           0 :               *buf = 0;
     375             :             }
     376             : 
     377           0 :           rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%b)))",
     378             :                                 (int)len, buf);
     379             :         }
     380           0 :       else if (is_EdDSA)
     381             :         {
     382           0 :           rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%b)(s%b)))",
     383           0 :                                 (int)len/2, buf, (int)len/2, buf + len/2);
     384             :         }
     385           0 :       else if (is_ECDSA)
     386             :         {
     387           0 :           unsigned char *r_buf_allocated = NULL;
     388           0 :           unsigned char *s_buf_allocated = NULL;
     389             :           unsigned char *r_buf, *s_buf;
     390             :           int r_buflen, s_buflen;
     391             : 
     392           0 :           r_buflen = s_buflen = len/2;
     393             : 
     394           0 :           if (*buf & 0x80)
     395             :             {
     396           0 :               r_buflen++;
     397           0 :               r_buf_allocated = xtrymalloc (r_buflen);
     398           0 :               if (!r_buf_allocated)
     399           0 :                 goto leave;
     400             : 
     401           0 :               r_buf = r_buf_allocated;
     402           0 :               memcpy (r_buf + 1, buf, len/2);
     403           0 :               *r_buf = 0;
     404             :             }
     405             :           else
     406           0 :             r_buf = buf;
     407             : 
     408           0 :           if (*(buf + len/2) & 0x80)
     409             :             {
     410           0 :               s_buflen++;
     411           0 :               s_buf_allocated = xtrymalloc (s_buflen);
     412           0 :               if (!s_buf_allocated)
     413             :                 {
     414           0 :                   xfree (r_buf_allocated);
     415           0 :                   goto leave;
     416             :                 }
     417             : 
     418           0 :               s_buf = s_buf_allocated;
     419           0 :               memcpy (s_buf + 1, buf + len/2, len/2);
     420           0 :               *s_buf = 0;
     421             :             }
     422             :           else
     423           0 :             s_buf = buf + len/2;
     424             : 
     425           0 :           rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(ecdsa(r%b)(s%b)))",
     426             :                                 r_buflen, r_buf,
     427             :                                 s_buflen, s_buf);
     428           0 :           xfree (r_buf_allocated);
     429           0 :           xfree (s_buf_allocated);
     430             :         }
     431             :       else
     432           0 :         rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
     433             : 
     434           0 :       xfree (buf);
     435           0 :       if (rc)
     436             :         {
     437           0 :           log_error ("failed to convert sigbuf returned by divert_pksign "
     438             :                      "into S-Exp: %s", gpg_strerror (rc));
     439           0 :           goto leave;
     440             :         }
     441             :     }
     442             :   else
     443             :     {
     444             :       /* No smartcard, but a private key */
     445         136 :       int dsaalgo = 0;
     446             : 
     447             :       /* Put the hash into a sexp */
     448         136 :       if (agent_is_eddsa_key (s_skey))
     449           0 :         rc = do_encode_eddsa (data, datalen,
     450             :                               &s_hash);
     451         136 :       else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
     452           0 :         rc = do_encode_raw_pkcs1 (data, datalen,
     453             :                                   gcry_pk_get_nbits (s_skey),
     454             :                                   &s_hash);
     455         136 :       else if ( (dsaalgo = agent_is_dsa_key (s_skey)) )
     456         118 :         rc = do_encode_dsa (data, datalen,
     457             :                             dsaalgo, s_skey,
     458             :                             &s_hash);
     459             :       else
     460          18 :         rc = do_encode_md (data, datalen,
     461             :                            ctrl->digest.algo,
     462             :                            &s_hash,
     463          18 :                            ctrl->digest.raw_value);
     464         136 :       if (rc)
     465           0 :         goto leave;
     466             : 
     467             :       if (dsaalgo == 0 && GCRYPT_VERSION_NUMBER < 0x010700)
     468             :         /* It's RSA and Libgcrypt < 1.7 */
     469             :         check_signature = 1;
     470             : 
     471         136 :       if (DBG_CRYPTO)
     472             :         {
     473           0 :           gcry_log_debugsxp ("skey", s_skey);
     474           0 :           gcry_log_debugsxp ("hash", s_hash);
     475             :         }
     476             : 
     477             :       /* sign */
     478         136 :       rc = gcry_pk_sign (&s_sig, s_hash, s_skey);
     479         136 :       if (rc)
     480             :         {
     481           0 :           log_error ("signing failed: %s\n", gpg_strerror (rc));
     482           0 :           goto leave;
     483             :         }
     484             : 
     485         136 :       if (DBG_CRYPTO)
     486           0 :         gcry_log_debugsxp ("rslt", s_sig);
     487             :     }
     488             : 
     489             :   /* Check that the signature verification worked and nothing is
     490             :    * fooling us e.g. by a bug in the signature create code or by
     491             :    * deliberately introduced faults.  Because Libgcrypt 1.7 does this
     492             :    * for RSA internally there is no need to do it here again.  */
     493         136 :   if (check_signature)
     494             :     {
     495           0 :       gcry_sexp_t sexp_key = s_pkey? s_pkey: s_skey;
     496             : 
     497           0 :       if (s_hash == NULL)
     498             :         {
     499           0 :           if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
     500           0 :             rc = do_encode_raw_pkcs1 (data, datalen,
     501             :                                       gcry_pk_get_nbits (sexp_key), &s_hash);
     502             :           else
     503           0 :             rc = do_encode_md (data, datalen, ctrl->digest.algo, &s_hash,
     504           0 :                                ctrl->digest.raw_value);
     505             :         }
     506             : 
     507           0 :       if (! rc)
     508           0 :         rc = gcry_pk_verify (s_sig, s_hash, sexp_key);
     509             : 
     510           0 :       if (rc)
     511             :         {
     512           0 :           log_error (_("checking created signature failed: %s\n"),
     513             :                      gpg_strerror (rc));
     514           0 :           gcry_sexp_release (s_sig);
     515           0 :           s_sig = NULL;
     516             :         }
     517             :     }
     518             : 
     519             :  leave:
     520             : 
     521         136 :   *signature_sexp = s_sig;
     522             : 
     523         136 :   gcry_sexp_release (s_pkey);
     524         136 :   gcry_sexp_release (s_skey);
     525         136 :   gcry_sexp_release (s_hash);
     526         136 :   xfree (shadow_info);
     527             : 
     528         136 :   return rc;
     529             : }
     530             : 
     531             : /* SIGN whatever information we have accumulated in CTRL and write it
     532             :    back to OUTFP.  If a CACHE_NONCE is given that cache item is first
     533             :    tried to get a passphrase.  */
     534             : int
     535         136 : agent_pksign (ctrl_t ctrl, const char *cache_nonce, const char *desc_text,
     536             :               membuf_t *outbuf, cache_mode_t cache_mode)
     537             : {
     538         136 :   gcry_sexp_t s_sig = NULL;
     539         136 :   char *buf = NULL;
     540         136 :   size_t len = 0;
     541         136 :   int rc = 0;
     542             : 
     543         136 :   rc = agent_pksign_do (ctrl, cache_nonce, desc_text, &s_sig, cache_mode, NULL,
     544             :                         NULL, 0);
     545         136 :   if (rc)
     546           0 :     goto leave;
     547             : 
     548         136 :   len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0);
     549         136 :   assert (len);
     550         136 :   buf = xmalloc (len);
     551         136 :   len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len);
     552         136 :   assert (len);
     553             : 
     554         136 :   put_membuf (outbuf, buf, len);
     555             : 
     556             :  leave:
     557         136 :   gcry_sexp_release (s_sig);
     558         136 :   xfree (buf);
     559             : 
     560         136 :   return rc;
     561             : }

Generated by: LCOV version 1.11