Line data Source code
1 : /* pksign.c - public key signing (well, actually using a secret key)
2 : * Copyright (C) 2001-2004, 2010 Free Software Foundation, Inc.
3 : * Copyright (C) 2001-2004, 2010, 2013 Werner Koch
4 : *
5 : * This file is part of GnuPG.
6 : *
7 : * GnuPG is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 3 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * GnuPG is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, see <https://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include <config.h>
22 : #include <errno.h>
23 : #include <stdio.h>
24 : #include <stdlib.h>
25 : #include <string.h>
26 : #include <ctype.h>
27 : #include <assert.h>
28 : #include <unistd.h>
29 : #include <sys/stat.h>
30 :
31 : #include "agent.h"
32 : #include "i18n.h"
33 :
34 :
35 : static int
36 23 : do_encode_md (const byte * md, size_t mdlen, int algo, gcry_sexp_t * r_hash,
37 : int raw_value)
38 : {
39 : gcry_sexp_t hash;
40 : int rc;
41 :
42 23 : if (!raw_value)
43 : {
44 : const char *s;
45 : char tmp[16+1];
46 : int i;
47 :
48 23 : s = gcry_md_algo_name (algo);
49 23 : if (s && strlen (s) < 16)
50 : {
51 157 : for (i=0; i < strlen (s); i++)
52 134 : tmp[i] = tolower (s[i]);
53 23 : tmp[i] = '\0';
54 : }
55 :
56 23 : rc = gcry_sexp_build (&hash, NULL,
57 : "(data (flags pkcs1) (hash %s %b))",
58 : tmp, (int)mdlen, md);
59 : }
60 : else
61 : {
62 : gcry_mpi_t mpi;
63 :
64 0 : rc = gcry_mpi_scan (&mpi, GCRYMPI_FMT_USG, md, mdlen, NULL);
65 0 : if (!rc)
66 : {
67 0 : rc = gcry_sexp_build (&hash, NULL,
68 : "(data (flags raw) (value %m))",
69 : mpi);
70 0 : gcry_mpi_release (mpi);
71 : }
72 : else
73 0 : hash = NULL;
74 :
75 : }
76 :
77 23 : *r_hash = hash;
78 23 : return rc;
79 : }
80 :
81 :
82 : /* Return the number of bits of the Q parameter from the DSA key
83 : KEY. */
84 : static unsigned int
85 97 : get_dsa_qbits (gcry_sexp_t key)
86 : {
87 : gcry_sexp_t l1, l2;
88 : gcry_mpi_t q;
89 : unsigned int nbits;
90 :
91 97 : l1 = gcry_sexp_find_token (key, "private-key", 0);
92 97 : if (!l1)
93 0 : l1 = gcry_sexp_find_token (key, "protected-private-key", 0);
94 97 : if (!l1)
95 0 : l1 = gcry_sexp_find_token (key, "shadowed-private-key", 0);
96 97 : if (!l1)
97 0 : l1 = gcry_sexp_find_token (key, "public-key", 0);
98 97 : if (!l1)
99 0 : return 0; /* Does not contain a key object. */
100 97 : l2 = gcry_sexp_cadr (l1);
101 97 : gcry_sexp_release (l1);
102 97 : l1 = gcry_sexp_find_token (l2, "q", 1);
103 97 : gcry_sexp_release (l2);
104 97 : if (!l1)
105 0 : return 0; /* Invalid object. */
106 97 : q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
107 97 : gcry_sexp_release (l1);
108 97 : if (!q)
109 0 : return 0; /* Missing value. */
110 97 : nbits = gcry_mpi_get_nbits (q);
111 97 : gcry_mpi_release (q);
112 :
113 97 : return nbits;
114 : }
115 :
116 :
117 : /* Return an appropriate hash algorithm to be used with RFC-6979 for a
118 : message digest of length MDLEN. Although a fallback of SHA-256 is
119 : used the current implementation in Libgcrypt will reject a hash
120 : algorithm which does not match the length of the message. */
121 : static const char *
122 118 : rfc6979_hash_algo_string (size_t mdlen)
123 : {
124 118 : switch (mdlen)
125 : {
126 97 : case 20: return "sha1";
127 0 : case 28: return "sha224";
128 7 : case 32: return "sha256";
129 7 : case 48: return "sha384";
130 7 : case 64: return "sha512";
131 0 : default: return "sha256";
132 : }
133 : }
134 :
135 :
136 : /* Encode a message digest for use with the EdDSA algorithm
137 : (i.e. curve Ed25519). */
138 : static gpg_error_t
139 0 : do_encode_eddsa (const byte *md, size_t mdlen, gcry_sexp_t *r_hash)
140 : {
141 : gpg_error_t err;
142 : gcry_sexp_t hash;
143 :
144 0 : *r_hash = NULL;
145 0 : err = gcry_sexp_build (&hash, NULL,
146 : "(data(flags eddsa)(hash-algo sha512)(value %b))",
147 : (int)mdlen, md);
148 0 : if (!err)
149 0 : *r_hash = hash;
150 0 : return err;
151 : }
152 :
153 :
154 : /* Encode a message digest for use with an DSA algorithm. */
155 : static gpg_error_t
156 118 : do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
157 : gcry_sexp_t *r_hash)
158 : {
159 : gpg_error_t err;
160 : gcry_sexp_t hash;
161 : unsigned int qbits;
162 :
163 118 : *r_hash = NULL;
164 :
165 118 : if (pkalgo == GCRY_PK_ECDSA)
166 21 : qbits = gcry_pk_get_nbits (pkey);
167 97 : else if (pkalgo == GCRY_PK_DSA)
168 97 : qbits = get_dsa_qbits (pkey);
169 : else
170 0 : return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
171 :
172 118 : if (pkalgo == GCRY_PK_DSA && (qbits%8))
173 : {
174 : /* FIXME: We check the QBITS but print a message about the hash
175 : length. */
176 0 : log_error (_("DSA requires the hash length to be a"
177 : " multiple of 8 bits\n"));
178 0 : return gpg_error (GPG_ERR_INV_LENGTH);
179 : }
180 :
181 : /* Don't allow any Q smaller than 160 bits. We don't want someone
182 : to issue signatures from a key with a 16-bit Q or something like
183 : that, which would look correct but allow trivial forgeries. Yes,
184 : I know this rules out using MD5 with DSA. ;) */
185 118 : if (qbits < 160)
186 : {
187 0 : log_error (_("%s key uses an unsafe (%u bit) hash\n"),
188 : gcry_pk_algo_name (pkalgo), qbits);
189 0 : return gpg_error (GPG_ERR_INV_LENGTH);
190 : }
191 :
192 : /* ECDSA 521 is special has it is larger than the largest hash
193 : we have (SHA-512). Thus we chnage the size for further
194 : processing to 512. */
195 118 : if (pkalgo == GCRY_PK_ECDSA && qbits > 512)
196 7 : qbits = 512;
197 :
198 : /* Check if we're too short. Too long is safe as we'll
199 : automatically left-truncate. */
200 118 : if (mdlen < qbits/8)
201 : {
202 0 : log_error (_("a %zu bit hash is not valid for a %u bit %s key\n"),
203 : mdlen*8,
204 : gcry_pk_get_nbits (pkey),
205 : gcry_pk_algo_name (pkalgo));
206 0 : return gpg_error (GPG_ERR_INV_LENGTH);
207 : }
208 :
209 : /* Truncate. */
210 118 : if (mdlen > qbits/8)
211 8 : mdlen = qbits/8;
212 :
213 : /* Create the S-expression. */
214 118 : err = gcry_sexp_build (&hash, NULL,
215 : "(data (flags rfc6979) (hash %s %b))",
216 : rfc6979_hash_algo_string (mdlen),
217 : (int)mdlen, md);
218 118 : if (!err)
219 118 : *r_hash = hash;
220 118 : return err;
221 : }
222 :
223 :
224 : /* Special version of do_encode_md to take care of pkcs#1 padding.
225 : For TLS-MD5SHA1 we need to do the padding ourself as Libgrypt does
226 : not know about this special scheme. Fixme: We should have a
227 : pkcs1-only-padding flag for Libgcrypt. */
228 : static int
229 0 : do_encode_raw_pkcs1 (const byte *md, size_t mdlen, unsigned int nbits,
230 : gcry_sexp_t *r_hash)
231 : {
232 : int rc;
233 : gcry_sexp_t hash;
234 : unsigned char *frame;
235 : size_t i, n, nframe;
236 :
237 0 : nframe = (nbits+7) / 8;
238 0 : if ( !mdlen || mdlen + 8 + 4 > nframe )
239 : {
240 : /* Can't encode this hash into a frame of size NFRAME. */
241 0 : return gpg_error (GPG_ERR_TOO_SHORT);
242 : }
243 :
244 0 : frame = xtrymalloc (nframe);
245 0 : if (!frame)
246 0 : return gpg_error_from_syserror ();
247 :
248 : /* Assemble the pkcs#1 block type 1. */
249 0 : n = 0;
250 0 : frame[n++] = 0;
251 0 : frame[n++] = 1; /* Block type. */
252 0 : i = nframe - mdlen - 3 ;
253 0 : assert (i >= 8); /* At least 8 bytes of padding. */
254 0 : memset (frame+n, 0xff, i );
255 0 : n += i;
256 0 : frame[n++] = 0;
257 0 : memcpy (frame+n, md, mdlen );
258 0 : n += mdlen;
259 0 : assert (n == nframe);
260 :
261 : /* Create the S-expression. */
262 0 : rc = gcry_sexp_build (&hash, NULL,
263 : "(data (flags raw) (value %b))",
264 : (int)nframe, frame);
265 0 : xfree (frame);
266 :
267 0 : *r_hash = hash;
268 0 : return rc;
269 : }
270 :
271 :
272 :
273 : /* SIGN whatever information we have accumulated in CTRL and return
274 : the signature S-expression. LOOKUP is an optional function to
275 : provide a way for lower layers to ask for the caching TTL. If a
276 : CACHE_NONCE is given that cache item is first tried to get a
277 : passphrase. If OVERRIDEDATA is not NULL, OVERRIDEDATALEN bytes
278 : from this buffer are used instead of the data in CTRL. The
279 : override feature is required to allow the use of Ed25519 with ssh
280 : because Ed25519 does the hashing itself. */
281 : int
282 141 : agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
283 : const char *desc_text,
284 : gcry_sexp_t *signature_sexp,
285 : cache_mode_t cache_mode, lookup_ttl_t lookup_ttl,
286 : const void *overridedata, size_t overridedatalen)
287 : {
288 141 : gcry_sexp_t s_skey = NULL, s_sig = NULL;
289 141 : gcry_sexp_t s_hash = NULL;
290 141 : gcry_sexp_t s_pkey = NULL;
291 141 : unsigned char *shadow_info = NULL;
292 141 : unsigned int rc = 0; /* FIXME: gpg-error? */
293 : const unsigned char *data;
294 : int datalen;
295 141 : int check_signature = 0;
296 :
297 141 : if (overridedata)
298 : {
299 0 : data = overridedata;
300 0 : datalen = overridedatalen;
301 : }
302 : else
303 : {
304 141 : data = ctrl->digest.value;
305 141 : datalen = ctrl->digest.valuelen;
306 : }
307 :
308 141 : if (!ctrl->have_keygrip)
309 0 : return gpg_error (GPG_ERR_NO_SECKEY);
310 :
311 141 : rc = agent_key_from_file (ctrl, cache_nonce, desc_text, ctrl->keygrip,
312 : &shadow_info, cache_mode, lookup_ttl,
313 : &s_skey, NULL);
314 141 : if (rc)
315 : {
316 0 : if (gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
317 0 : log_error ("failed to read the secret key\n");
318 0 : goto leave;
319 : }
320 :
321 141 : if (shadow_info)
322 : {
323 : /* Divert operation to the smartcard */
324 : size_t len;
325 0 : unsigned char *buf = NULL;
326 : int key_type;
327 0 : int is_RSA = 0;
328 0 : int is_ECDSA = 0;
329 0 : int is_EdDSA = 0;
330 :
331 0 : rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
332 0 : if (rc)
333 : {
334 0 : log_error ("failed to read the public key\n");
335 0 : goto leave;
336 : }
337 :
338 0 : if (agent_is_eddsa_key (s_skey))
339 0 : is_EdDSA = 1;
340 : else
341 : {
342 0 : key_type = agent_is_dsa_key (s_skey);
343 0 : if (key_type == 0)
344 0 : is_RSA = 1;
345 0 : else if (key_type == GCRY_PK_ECDSA)
346 0 : is_ECDSA = 1;
347 : }
348 :
349 0 : rc = divert_pksign (ctrl,
350 : data, datalen,
351 : ctrl->digest.algo,
352 : shadow_info, &buf, &len);
353 0 : if (rc)
354 : {
355 0 : log_error ("smartcard signing failed: %s\n", gpg_strerror (rc));
356 0 : goto leave;
357 : }
358 :
359 0 : if (is_RSA)
360 : {
361 0 : check_signature = 1;
362 0 : if (*buf & 0x80)
363 : {
364 0 : len++;
365 0 : buf = xtryrealloc (buf, len);
366 0 : if (!buf)
367 0 : goto leave;
368 :
369 0 : memmove (buf + 1, buf, len - 1);
370 0 : *buf = 0;
371 : }
372 :
373 0 : rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%b)))",
374 : (int)len, buf);
375 : }
376 0 : else if (is_EdDSA)
377 : {
378 0 : rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%b)(s%b)))",
379 0 : (int)len/2, buf, (int)len/2, buf + len/2);
380 : }
381 0 : else if (is_ECDSA)
382 : {
383 0 : unsigned char *r_buf_allocated = NULL;
384 0 : unsigned char *s_buf_allocated = NULL;
385 : unsigned char *r_buf, *s_buf;
386 : int r_buflen, s_buflen;
387 :
388 0 : r_buflen = s_buflen = len/2;
389 :
390 0 : if (*buf & 0x80)
391 : {
392 0 : r_buflen++;
393 0 : r_buf_allocated = xtrymalloc (r_buflen);
394 0 : if (!r_buf_allocated)
395 0 : goto leave;
396 :
397 0 : r_buf = r_buf_allocated;
398 0 : memcpy (r_buf + 1, buf, len/2);
399 0 : *r_buf = 0;
400 : }
401 : else
402 0 : r_buf = buf;
403 :
404 0 : if (*(buf + len/2) & 0x80)
405 : {
406 0 : s_buflen++;
407 0 : s_buf_allocated = xtrymalloc (s_buflen);
408 0 : if (!s_buf_allocated)
409 : {
410 0 : xfree (r_buf_allocated);
411 0 : goto leave;
412 : }
413 :
414 0 : s_buf = s_buf_allocated;
415 0 : memcpy (s_buf + 1, buf + len/2, len/2);
416 0 : *s_buf = 0;
417 : }
418 : else
419 0 : s_buf = buf + len/2;
420 :
421 0 : rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(ecdsa(r%b)(s%b)))",
422 : r_buflen, r_buf,
423 : s_buflen, s_buf);
424 0 : xfree (r_buf_allocated);
425 0 : xfree (s_buf_allocated);
426 : }
427 : else
428 0 : rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
429 :
430 0 : xfree (buf);
431 0 : if (rc)
432 : {
433 0 : log_error ("failed to convert sigbuf returned by divert_pksign "
434 : "into S-Exp: %s", gpg_strerror (rc));
435 0 : goto leave;
436 : }
437 : }
438 : else
439 : {
440 : /* No smartcard, but a private key */
441 141 : int dsaalgo = 0;
442 :
443 : /* Put the hash into a sexp */
444 141 : if (agent_is_eddsa_key (s_skey))
445 0 : rc = do_encode_eddsa (data, datalen,
446 : &s_hash);
447 141 : else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
448 0 : rc = do_encode_raw_pkcs1 (data, datalen,
449 : gcry_pk_get_nbits (s_skey),
450 : &s_hash);
451 141 : else if ( (dsaalgo = agent_is_dsa_key (s_skey)) )
452 118 : rc = do_encode_dsa (data, datalen,
453 : dsaalgo, s_skey,
454 : &s_hash);
455 : else
456 23 : rc = do_encode_md (data, datalen,
457 : ctrl->digest.algo,
458 : &s_hash,
459 23 : ctrl->digest.raw_value);
460 141 : if (rc)
461 0 : goto leave;
462 :
463 : if (dsaalgo == 0 && GCRYPT_VERSION_NUMBER < 0x010700)
464 : /* It's RSA and Libgcrypt < 1.7 */
465 : check_signature = 1;
466 :
467 141 : if (DBG_CRYPTO)
468 : {
469 0 : gcry_log_debugsxp ("skey", s_skey);
470 0 : gcry_log_debugsxp ("hash", s_hash);
471 : }
472 :
473 : /* sign */
474 141 : rc = gcry_pk_sign (&s_sig, s_hash, s_skey);
475 141 : if (rc)
476 : {
477 0 : log_error ("signing failed: %s\n", gpg_strerror (rc));
478 0 : goto leave;
479 : }
480 :
481 141 : if (DBG_CRYPTO)
482 0 : gcry_log_debugsxp ("rslt", s_sig);
483 : }
484 :
485 : /* Check that the signature verification worked and nothing is
486 : * fooling us e.g. by a bug in the signature create code or by
487 : * deliberately introduced faults. Because Libgcrypt 1.7 does this
488 : * for RSA internally there is no need to do it here again. */
489 141 : if (check_signature)
490 : {
491 0 : gcry_sexp_t sexp_key = s_pkey? s_pkey: s_skey;
492 :
493 0 : if (s_hash == NULL)
494 : {
495 0 : if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
496 0 : rc = do_encode_raw_pkcs1 (data, datalen,
497 : gcry_pk_get_nbits (sexp_key), &s_hash);
498 : else
499 0 : rc = do_encode_md (data, datalen, ctrl->digest.algo, &s_hash,
500 0 : ctrl->digest.raw_value);
501 : }
502 :
503 0 : if (! rc)
504 0 : rc = gcry_pk_verify (s_sig, s_hash, sexp_key);
505 :
506 0 : if (rc)
507 : {
508 0 : log_error (_("checking created signature failed: %s\n"),
509 : gpg_strerror (rc));
510 0 : gcry_sexp_release (s_sig);
511 0 : s_sig = NULL;
512 : }
513 : }
514 :
515 : leave:
516 :
517 141 : *signature_sexp = s_sig;
518 :
519 141 : gcry_sexp_release (s_pkey);
520 141 : gcry_sexp_release (s_skey);
521 141 : gcry_sexp_release (s_hash);
522 141 : xfree (shadow_info);
523 :
524 141 : return rc;
525 : }
526 :
527 : /* SIGN whatever information we have accumulated in CTRL and write it
528 : back to OUTFP. If a CACHE_NONCE is given that cache item is first
529 : tried to get a passphrase. */
530 : int
531 141 : agent_pksign (ctrl_t ctrl, const char *cache_nonce, const char *desc_text,
532 : membuf_t *outbuf, cache_mode_t cache_mode)
533 : {
534 141 : gcry_sexp_t s_sig = NULL;
535 141 : char *buf = NULL;
536 141 : size_t len = 0;
537 141 : int rc = 0;
538 :
539 141 : rc = agent_pksign_do (ctrl, cache_nonce, desc_text, &s_sig, cache_mode, NULL,
540 : NULL, 0);
541 141 : if (rc)
542 0 : goto leave;
543 :
544 141 : len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0);
545 141 : assert (len);
546 141 : buf = xmalloc (len);
547 141 : len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len);
548 141 : assert (len);
549 :
550 141 : put_membuf (outbuf, buf, len);
551 :
552 : leave:
553 141 : gcry_sexp_release (s_sig);
554 141 : xfree (buf);
555 :
556 141 : return rc;
557 : }
|
