Line data Source code
1 : /* pksign.c - public key signing (well, actually using a secret key)
2 : * Copyright (C) 2001-2004, 2010 Free Software Foundation, Inc.
3 : * Copyright (C) 2001-2004, 2010, 2013 Werner Koch
4 : *
5 : * This file is part of GnuPG.
6 : *
7 : * GnuPG is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 3 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * GnuPG is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include <config.h>
22 : #include <errno.h>
23 : #include <stdio.h>
24 : #include <stdlib.h>
25 : #include <string.h>
26 : #include <ctype.h>
27 : #include <assert.h>
28 : #include <unistd.h>
29 : #include <sys/stat.h>
30 :
31 : #include "agent.h"
32 : #include "i18n.h"
33 :
34 :
35 : static int
36 8 : do_encode_md (const byte * md, size_t mdlen, int algo, gcry_sexp_t * r_hash,
37 : int raw_value)
38 : {
39 : gcry_sexp_t hash;
40 : int rc;
41 :
42 8 : if (!raw_value)
43 : {
44 : const char *s;
45 : char tmp[16+1];
46 : int i;
47 :
48 8 : s = gcry_md_algo_name (algo);
49 8 : if (s && strlen (s) < 16)
50 : {
51 57 : for (i=0; i < strlen (s); i++)
52 49 : tmp[i] = tolower (s[i]);
53 8 : tmp[i] = '\0';
54 : }
55 :
56 8 : rc = gcry_sexp_build (&hash, NULL,
57 : "(data (flags pkcs1) (hash %s %b))",
58 : tmp, (int)mdlen, md);
59 : }
60 : else
61 : {
62 : gcry_mpi_t mpi;
63 :
64 0 : rc = gcry_mpi_scan (&mpi, GCRYMPI_FMT_USG, md, mdlen, NULL);
65 0 : if (!rc)
66 : {
67 0 : rc = gcry_sexp_build (&hash, NULL,
68 : "(data (flags raw) (value %m))",
69 : mpi);
70 0 : gcry_mpi_release (mpi);
71 : }
72 : else
73 0 : hash = NULL;
74 :
75 : }
76 :
77 8 : *r_hash = hash;
78 8 : return rc;
79 : }
80 :
81 :
82 : /* Return the number of bits of the Q parameter from the DSA key
83 : KEY. */
84 : static unsigned int
85 91 : get_dsa_qbits (gcry_sexp_t key)
86 : {
87 : gcry_sexp_t l1, l2;
88 : gcry_mpi_t q;
89 : unsigned int nbits;
90 :
91 91 : l1 = gcry_sexp_find_token (key, "private-key", 0);
92 91 : if (!l1)
93 0 : l1 = gcry_sexp_find_token (key, "protected-private-key", 0);
94 91 : if (!l1)
95 0 : l1 = gcry_sexp_find_token (key, "shadowed-private-key", 0);
96 91 : if (!l1)
97 0 : l1 = gcry_sexp_find_token (key, "public-key", 0);
98 91 : if (!l1)
99 0 : return 0; /* Does not contain a key object. */
100 91 : l2 = gcry_sexp_cadr (l1);
101 91 : gcry_sexp_release (l1);
102 91 : l1 = gcry_sexp_find_token (l2, "q", 1);
103 91 : gcry_sexp_release (l2);
104 91 : if (!l1)
105 0 : return 0; /* Invalid object. */
106 91 : q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
107 91 : gcry_sexp_release (l1);
108 91 : if (!q)
109 0 : return 0; /* Missing value. */
110 91 : nbits = gcry_mpi_get_nbits (q);
111 91 : gcry_mpi_release (q);
112 :
113 91 : return nbits;
114 : }
115 :
116 :
117 : /* Return an appropriate hash algorithm to be used with RFC-6979 for a
118 : message digest of length MDLEN. Although a fallback of SHA-256 is
119 : used the current implementation in Libgcrypt will reject a hash
120 : algorithm which does not match the length of the message. */
121 : static const char *
122 112 : rfc6979_hash_algo_string (size_t mdlen)
123 : {
124 112 : switch (mdlen)
125 : {
126 91 : case 20: return "sha1";
127 0 : case 28: return "sha224";
128 7 : case 32: return "sha256";
129 7 : case 48: return "sha384";
130 7 : case 64: return "sha512";
131 0 : default: return "sha256";
132 : }
133 : }
134 :
135 :
136 : /* Encode a message digest for use with the EdDSA algorithm
137 : (i.e. curve Ed25519). */
138 : static gpg_error_t
139 0 : do_encode_eddsa (const byte *md, size_t mdlen, gcry_sexp_t *r_hash)
140 : {
141 : gpg_error_t err;
142 : gcry_sexp_t hash;
143 :
144 0 : *r_hash = NULL;
145 0 : err = gcry_sexp_build (&hash, NULL,
146 : "(data(flags eddsa)(hash-algo sha512)(value %b))",
147 : (int)mdlen, md);
148 0 : if (!err)
149 0 : *r_hash = hash;
150 0 : return err;
151 : }
152 :
153 :
154 : /* Encode a message digest for use with an DSA algorithm. */
155 : static gpg_error_t
156 112 : do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
157 : gcry_sexp_t *r_hash)
158 : {
159 : gpg_error_t err;
160 : gcry_sexp_t hash;
161 : unsigned int qbits;
162 :
163 112 : *r_hash = NULL;
164 :
165 112 : if (pkalgo == GCRY_PK_ECDSA)
166 21 : qbits = gcry_pk_get_nbits (pkey);
167 91 : else if (pkalgo == GCRY_PK_DSA)
168 91 : qbits = get_dsa_qbits (pkey);
169 : else
170 0 : return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
171 :
172 112 : if (pkalgo == GCRY_PK_DSA && (qbits%8))
173 : {
174 : /* FIXME: We check the QBITS but print a message about the hash
175 : length. */
176 0 : log_error (_("DSA requires the hash length to be a"
177 : " multiple of 8 bits\n"));
178 0 : return gpg_error (GPG_ERR_INV_LENGTH);
179 : }
180 :
181 : /* Don't allow any Q smaller than 160 bits. We don't want someone
182 : to issue signatures from a key with a 16-bit Q or something like
183 : that, which would look correct but allow trivial forgeries. Yes,
184 : I know this rules out using MD5 with DSA. ;) */
185 112 : if (qbits < 160)
186 : {
187 0 : log_error (_("%s key uses an unsafe (%u bit) hash\n"),
188 : gcry_pk_algo_name (pkalgo), qbits);
189 0 : return gpg_error (GPG_ERR_INV_LENGTH);
190 : }
191 :
192 : /* Check if we're too short. Too long is safe as we'll
193 : * automatically left-truncate.
194 : *
195 : * This check would require the use of SHA512 with ECDSA 512. I
196 : * think this is overkill to fail in this case. Therefore, relax
197 : * the check, but only for ECDSA keys. We may need to adjust it
198 : * later for general case. (Note that the check is really a bug for
199 : * ECDSA 521 as the only hash that matches it is SHA 512, but 512 <
200 : * 521 ).
201 : */
202 112 : if (mdlen < ((pkalgo==GCRY_PK_ECDSA && qbits > 521) ? 512 : qbits)/8)
203 : {
204 7 : log_error (_("a %zu bit hash is not valid for a %u bit %s key\n"),
205 : mdlen*8,
206 : gcry_pk_get_nbits (pkey),
207 : gcry_pk_algo_name (pkalgo));
208 : /* FIXME: we need to check the requirements for ECDSA. */
209 7 : if (mdlen < 20 || pkalgo == GCRY_PK_DSA)
210 0 : return gpg_error (GPG_ERR_INV_LENGTH);
211 : }
212 :
213 : /* Truncate. */
214 112 : if (mdlen > qbits/8)
215 4 : mdlen = qbits/8;
216 :
217 : /* Create the S-expression. */
218 112 : err = gcry_sexp_build (&hash, NULL,
219 : "(data (flags rfc6979) (hash %s %b))",
220 : rfc6979_hash_algo_string (mdlen),
221 : (int)mdlen, md);
222 112 : if (!err)
223 112 : *r_hash = hash;
224 112 : return err;
225 : }
226 :
227 :
228 : /* Special version of do_encode_md to take care of pkcs#1 padding.
229 : For TLS-MD5SHA1 we need to do the padding ourself as Libgrypt does
230 : not know about this special scheme. Fixme: We should have a
231 : pkcs1-only-padding flag for Libgcrypt. */
232 : static int
233 0 : do_encode_raw_pkcs1 (const byte *md, size_t mdlen, unsigned int nbits,
234 : gcry_sexp_t *r_hash)
235 : {
236 : int rc;
237 : gcry_sexp_t hash;
238 : unsigned char *frame;
239 : size_t i, n, nframe;
240 :
241 0 : nframe = (nbits+7) / 8;
242 0 : if ( !mdlen || mdlen + 8 + 4 > nframe )
243 : {
244 : /* Can't encode this hash into a frame of size NFRAME. */
245 0 : return gpg_error (GPG_ERR_TOO_SHORT);
246 : }
247 :
248 0 : frame = xtrymalloc (nframe);
249 0 : if (!frame)
250 0 : return gpg_error_from_syserror ();
251 :
252 : /* Assemble the pkcs#1 block type 1. */
253 0 : n = 0;
254 0 : frame[n++] = 0;
255 0 : frame[n++] = 1; /* Block type. */
256 0 : i = nframe - mdlen - 3 ;
257 0 : assert (i >= 8); /* At least 8 bytes of padding. */
258 0 : memset (frame+n, 0xff, i );
259 0 : n += i;
260 0 : frame[n++] = 0;
261 0 : memcpy (frame+n, md, mdlen );
262 0 : n += mdlen;
263 0 : assert (n == nframe);
264 :
265 : /* Create the S-expression. */
266 0 : rc = gcry_sexp_build (&hash, NULL,
267 : "(data (flags raw) (value %b))",
268 : (int)nframe, frame);
269 0 : xfree (frame);
270 :
271 0 : *r_hash = hash;
272 0 : return rc;
273 : }
274 :
275 :
276 :
277 : /* SIGN whatever information we have accumulated in CTRL and return
278 : the signature S-expression. LOOKUP is an optional function to
279 : provide a way for lower layers to ask for the caching TTL. If a
280 : CACHE_NONCE is given that cache item is first tried to get a
281 : passphrase. If OVERRIDEDATA is not NULL, OVERRIDEDATALEN bytes
282 : from this buffer are used instead of the data in CTRL. The
283 : override feature is required to allow the use of Ed25519 with ssh
284 : because Ed25519 dies the hashing itself. */
285 : int
286 120 : agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
287 : const char *desc_text,
288 : gcry_sexp_t *signature_sexp,
289 : cache_mode_t cache_mode, lookup_ttl_t lookup_ttl,
290 : const void *overridedata, size_t overridedatalen)
291 : {
292 120 : gcry_sexp_t s_skey = NULL, s_sig = NULL;
293 120 : gcry_sexp_t s_hash = NULL;
294 120 : gcry_sexp_t s_pkey = NULL;
295 120 : unsigned char *shadow_info = NULL;
296 120 : unsigned int rc = 0; /* FIXME: gpg-error? */
297 : const unsigned char *data;
298 : int datalen;
299 120 : int check_signature = 0;
300 :
301 120 : if (overridedata)
302 : {
303 0 : data = overridedata;
304 0 : datalen = overridedatalen;
305 : }
306 : else
307 : {
308 120 : data = ctrl->digest.value;
309 120 : datalen = ctrl->digest.valuelen;
310 : }
311 :
312 120 : if (!ctrl->have_keygrip)
313 0 : return gpg_error (GPG_ERR_NO_SECKEY);
314 :
315 120 : rc = agent_key_from_file (ctrl, cache_nonce, desc_text, ctrl->keygrip,
316 : &shadow_info, cache_mode, lookup_ttl,
317 : &s_skey, NULL);
318 120 : if (rc)
319 : {
320 0 : if (gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
321 0 : log_error ("failed to read the secret key\n");
322 0 : goto leave;
323 : }
324 :
325 120 : if (shadow_info)
326 : {
327 : /* Divert operation to the smartcard */
328 : size_t len;
329 0 : unsigned char *buf = NULL;
330 : int key_type;
331 0 : int is_RSA = 0;
332 0 : int is_ECDSA = 0;
333 0 : int is_EdDSA = 0;
334 :
335 0 : rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
336 0 : if (rc)
337 : {
338 0 : log_error ("failed to read the public key\n");
339 0 : goto leave;
340 : }
341 :
342 0 : if (agent_is_eddsa_key (s_skey))
343 0 : is_EdDSA = 1;
344 : else
345 : {
346 0 : key_type = agent_is_dsa_key (s_skey);
347 0 : if (key_type == 0)
348 0 : is_RSA = 1;
349 0 : else if (key_type == GCRY_PK_ECDSA)
350 0 : is_ECDSA = 1;
351 : }
352 :
353 0 : rc = divert_pksign (ctrl,
354 : data, datalen,
355 : ctrl->digest.algo,
356 : shadow_info, &buf, &len);
357 0 : if (rc)
358 : {
359 0 : log_error ("smartcard signing failed: %s\n", gpg_strerror (rc));
360 0 : goto leave;
361 : }
362 :
363 0 : if (is_RSA)
364 : {
365 0 : check_signature = 1;
366 0 : if (*buf & 0x80)
367 : {
368 0 : len++;
369 0 : buf = xtryrealloc (buf, len);
370 0 : if (!buf)
371 0 : goto leave;
372 :
373 0 : memmove (buf + 1, buf, len - 1);
374 0 : *buf = 0;
375 : }
376 :
377 0 : rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%b)))",
378 : (int)len, buf);
379 : }
380 0 : else if (is_EdDSA)
381 : {
382 0 : rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%b)(s%b)))",
383 0 : (int)len/2, buf, (int)len/2, buf + len/2);
384 : }
385 0 : else if (is_ECDSA)
386 : {
387 0 : unsigned char *r_buf_allocated = NULL;
388 0 : unsigned char *s_buf_allocated = NULL;
389 : unsigned char *r_buf, *s_buf;
390 : int r_buflen, s_buflen;
391 :
392 0 : r_buflen = s_buflen = len/2;
393 :
394 0 : if (*buf & 0x80)
395 : {
396 0 : r_buflen++;
397 0 : r_buf_allocated = xtrymalloc (r_buflen);
398 0 : if (!r_buf_allocated)
399 0 : goto leave;
400 :
401 0 : r_buf = r_buf_allocated;
402 0 : memcpy (r_buf + 1, buf, len/2);
403 0 : *r_buf = 0;
404 : }
405 : else
406 0 : r_buf = buf;
407 :
408 0 : if (*(buf + len/2) & 0x80)
409 : {
410 0 : s_buflen++;
411 0 : s_buf_allocated = xtrymalloc (s_buflen);
412 0 : if (!s_buf_allocated)
413 : {
414 0 : xfree (r_buf_allocated);
415 0 : goto leave;
416 : }
417 :
418 0 : s_buf = s_buf_allocated;
419 0 : memcpy (s_buf + 1, buf + len/2, len/2);
420 0 : *s_buf = 0;
421 : }
422 : else
423 0 : s_buf = buf + len/2;
424 :
425 0 : rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(ecdsa(r%b)(s%b)))",
426 : r_buflen, r_buf,
427 : s_buflen, s_buf);
428 0 : xfree (r_buf_allocated);
429 0 : xfree (s_buf_allocated);
430 : }
431 : else
432 0 : rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
433 :
434 0 : xfree (buf);
435 0 : if (rc)
436 : {
437 0 : log_error ("failed to convert sigbuf returned by divert_pksign "
438 : "into S-Exp: %s", gpg_strerror (rc));
439 0 : goto leave;
440 : }
441 : }
442 : else
443 : {
444 : /* No smartcard, but a private key */
445 120 : int dsaalgo = 0;
446 :
447 : /* Put the hash into a sexp */
448 120 : if (agent_is_eddsa_key (s_skey))
449 0 : rc = do_encode_eddsa (data, datalen,
450 : &s_hash);
451 120 : else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
452 0 : rc = do_encode_raw_pkcs1 (data, datalen,
453 : gcry_pk_get_nbits (s_skey),
454 : &s_hash);
455 120 : else if ( (dsaalgo = agent_is_dsa_key (s_skey)) )
456 112 : rc = do_encode_dsa (data, datalen,
457 : dsaalgo, s_skey,
458 : &s_hash);
459 : else
460 8 : rc = do_encode_md (data, datalen,
461 : ctrl->digest.algo,
462 : &s_hash,
463 8 : ctrl->digest.raw_value);
464 120 : if (rc)
465 0 : goto leave;
466 :
467 : if (dsaalgo == 0 && GCRYPT_VERSION_NUMBER < 0x010700)
468 : /* It's RSA and Libgcrypt < 1.7 */
469 : check_signature = 1;
470 :
471 120 : if (DBG_CRYPTO)
472 : {
473 0 : gcry_log_debugsxp ("skey", s_skey);
474 0 : gcry_log_debugsxp ("hash", s_hash);
475 : }
476 :
477 : /* sign */
478 120 : rc = gcry_pk_sign (&s_sig, s_hash, s_skey);
479 120 : if (rc)
480 : {
481 0 : log_error ("signing failed: %s\n", gpg_strerror (rc));
482 0 : goto leave;
483 : }
484 :
485 120 : if (DBG_CRYPTO)
486 0 : gcry_log_debugsxp ("rslt", s_sig);
487 : }
488 :
489 : /* Check that the signature verification worked and nothing is
490 : * fooling us e.g. by a bug in the signature create code or by
491 : * deliberately introduced faults. Because Libgcrypt 1.7 does this
492 : * for RSA internally there is no need to do it here again. */
493 120 : if (check_signature)
494 : {
495 0 : if (s_hash == NULL)
496 : {
497 0 : if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
498 0 : rc = do_encode_raw_pkcs1 (data, datalen,
499 : gcry_pk_get_nbits (s_skey),
500 : &s_hash);
501 : else
502 0 : rc = do_encode_md (data, datalen,
503 : ctrl->digest.algo,
504 : &s_hash,
505 0 : ctrl->digest.raw_value);
506 : }
507 :
508 0 : rc = gcry_pk_verify (s_sig, s_hash, s_pkey? s_pkey: s_skey);
509 :
510 0 : if (rc)
511 : {
512 0 : log_error (_("checking created signature failed: %s\n"),
513 : gpg_strerror (rc));
514 0 : gcry_sexp_release (s_sig);
515 0 : s_sig = NULL;
516 : }
517 : }
518 :
519 : leave:
520 :
521 120 : *signature_sexp = s_sig;
522 :
523 120 : gcry_sexp_release (s_pkey);
524 120 : gcry_sexp_release (s_skey);
525 120 : gcry_sexp_release (s_hash);
526 120 : xfree (shadow_info);
527 :
528 120 : return rc;
529 : }
530 :
531 : /* SIGN whatever information we have accumulated in CTRL and write it
532 : back to OUTFP. If a CACHE_NONCE is given that cache item is first
533 : tried to get a passphrase. */
534 : int
535 120 : agent_pksign (ctrl_t ctrl, const char *cache_nonce, const char *desc_text,
536 : membuf_t *outbuf, cache_mode_t cache_mode)
537 : {
538 120 : gcry_sexp_t s_sig = NULL;
539 120 : char *buf = NULL;
540 120 : size_t len = 0;
541 120 : int rc = 0;
542 :
543 120 : rc = agent_pksign_do (ctrl, cache_nonce, desc_text, &s_sig, cache_mode, NULL,
544 : NULL, 0);
545 120 : if (rc)
546 0 : goto leave;
547 :
548 120 : len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0);
549 120 : assert (len);
550 120 : buf = xmalloc (len);
551 120 : len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len);
552 120 : assert (len);
553 :
554 120 : put_membuf (outbuf, buf, len);
555 :
556 : leave:
557 120 : gcry_sexp_release (s_sig);
558 120 : xfree (buf);
559 :
560 120 : return rc;
561 : }
|