SKEYID derivation based on libstrongswan
[strongswan.git] / src / pluto / pgp.c
1 /* Support of OpenPGP certificates
2 * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <stdlib.h>
16 #include <string.h>
17 #include <time.h>
18
19 #include <freeswan.h>
20 #include <ipsec_policy.h>
21
22 #include <library.h>
23 #include <crypto/hashers/hasher.h>
24
25 #include "constants.h"
26 #include "defs.h"
27 #include "mp_defs.h"
28 #include "log.h"
29 #include "id.h"
30 #include "pgp.h"
31 #include "certs.h"
32 #include "whack.h"
33 #include "pkcs1.h"
34 #include "keys.h"
35
36 /*
37 * chained list of OpenPGP end certificates
38 */
39 static pgpcert_t *pgpcerts = NULL;
40
41 /*
42 * OpenPGP packet tags defined in section 4.3 of RFC 2440
43 */
44 #define PGP_PKT_RESERVED 0
45 #define PGP_PKT_PUBKEY_ENC_SESSION_KEY 1
46 #define PGP_PKT_SIGNATURE 2
47 #define PGP_PKT_SYMKEY_ENC_SESSION_KEY 3
48 #define PGP_PKT_ONE_PASS_SIGNATURE_PKT 4
49 #define PGP_PKT_SECRET_KEY 5
50 #define PGP_PKT_PUBLIC_KEY 6
51 #define PGP_PKT_SECRET_SUBKEY 7
52 #define PGP_PKT_COMPRESSED_DATA 8
53 #define PGP_PKT_SYMKEY_ENC_DATA 9
54 #define PGP_PKT_MARKER 10
55 #define PGP_PKT_LITERAL_DATA 11
56 #define PGP_PKT_TRUST 12
57 #define PGP_PKT_USER_ID 13
58 #define PGP_PKT_PUBLIC_SUBKEY 14
59 #define PGP_PKT_ROOF 15
60
61 static const char *const pgp_packet_type_name[] = {
62 "Reserved",
63 "Public-Key Encrypted Session Key Packet",
64 "Signature Packet",
65 "Symmetric-Key Encrypted Session Key Packet",
66 "One-Pass Signature Packet",
67 "Secret Key Packet",
68 "Public Key Packet",
69 "Secret Subkey Packet",
70 "Compressed Data Packet",
71 "Symmetrically Encrypted Data Packet",
72 "Marker Packet",
73 "Literal Data Packet",
74 "Trust Packet",
75 "User ID Packet",
76 "Public Subkey Packet"
77 };
78
79 /*
80 * OpenPGP public key algorithms defined in section 9.1 of RFC 2440
81 */
82 #define PGP_PUBKEY_ALG_RSA 1
83 #define PGP_PUBKEY_ALG_RSA_ENC_ONLY 2
84 #define PGP_PUBKEY_ALG_RSA_SIGN_ONLY 3
85 #define PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY 16
86 #define PGP_PUBKEY_ALG_DSA 17
87 #define PGP_PUBKEY_ALG_ECC 18
88 #define PGP_PUBKEY_ALG_ECDSA 19
89 #define PGP_PUBKEY_ALG_ELGAMAL 20
90
91 /*
92 * OpenPGP symmetric key algorithms defined in section 9.2 of RFC 2440
93 */
94 #define PGP_SYM_ALG_PLAIN 0
95 #define PGP_SYM_ALG_IDEA 1
96 #define PGP_SYM_ALG_3DES 2
97 #define PGP_SYM_ALG_CAST5 3
98 #define PGP_SYM_ALG_BLOWFISH 4
99 #define PGP_SYM_ALG_SAFER 5
100 #define PGP_SYM_ALG_DES 6
101 #define PGP_SYM_ALG_AES 7
102 #define PGP_SYM_ALG_AES_192 8
103 #define PGP_SYM_ALG_AES_256 9
104 #define PGP_SYM_ALG_TWOFISH 10
105 #define PGP_SYM_ALG_ROOF 11
106
107 static const char *const pgp_sym_alg_name[] = {
108 "Plaintext",
109 "IDEA",
110 "3DES",
111 "CAST5",
112 "Blowfish",
113 "SAFER",
114 "DES",
115 "AES",
116 "AES-192",
117 "AES-256",
118 "Twofish"
119 };
120
121 /*
122 * Size of PGP Key ID
123 */
124 #define PGP_KEYID_SIZE 8
125
126 const pgpcert_t empty_pgpcert = {
127 NULL , /* *next */
128 0 , /* installed */
129 0 , /* count */
130 { NULL, 0 }, /* certificate */
131 0 , /* created */
132 0 , /* until */
133 0 , /* pubkeyAlgorithm */
134 { NULL, 0 }, /* modulus */
135 { NULL, 0 }, /* publicExponent */
136 "" /* fingerprint */
137 };
138
139 static size_t
140 pgp_size(chunk_t *blob, int len)
141 {
142 size_t size = 0;
143
144 blob->len -= len;
145 while (len-- > 0)
146 size = 256*size + *blob->ptr++;
147 return size;
148 }
149
150 /*
151 * extracts the length of a PGP packet
152 */
153 static size_t
154 pgp_old_packet_length(chunk_t *blob)
155 {
156 /* bits 0 and 1 define the packet length type */
157 int len_type = 0x03 & *blob->ptr++;
158
159 blob->len--;
160
161 /* len_type: 0 -> 1 byte, 1 -> 2 bytes, 2 -> 4 bytes */
162 return pgp_size(blob, (len_type == 0)? 1: len_type << 1);
163 }
164
165 /*
166 * extracts PGP packet version (V3 or V4)
167 */
168 static u_char
169 pgp_version(chunk_t *blob)
170 {
171 u_char version = *blob->ptr++;
172 blob->len--;
173 DBG(DBG_PARSING,
174 DBG_log("L3 - version:");
175 DBG_log(" V%d", version)
176 )
177 return version;
178 }
179
180 /*
181 * Parse OpenPGP public key packet defined in section 5.5.2 of RFC 2440
182 */
183 static bool
184 parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
185 {
186 u_char version = pgp_version(packet);
187
188 if (version < 3 || version > 4)
189 {
190 plog("PGP packet version V%d not supported", version);
191 return FALSE;
192 }
193
194 /* creation date - 4 bytes */
195 cert->created = (time_t)pgp_size(packet, 4);
196 DBG(DBG_PARSING,
197 DBG_log("L3 - created:");
198 DBG_log(" %T", &cert->created, TRUE)
199 )
200
201 if (version == 3)
202 {
203 /* validity in days - 2 bytes */
204 cert->until = (time_t)pgp_size(packet, 2);
205
206 /* validity of 0 days means that the key never expires */
207 if (cert->until > 0)
208 cert->until = cert->created + 24*3600*cert->until;
209
210 DBG(DBG_PARSING,
211 DBG_log("L3 - until:");
212 DBG_log(" %T", &cert->until, TRUE);
213 )
214 }
215
216 /* public key algorithm - 1 byte */
217 DBG(DBG_PARSING,
218 DBG_log("L3 - public key algorithm:")
219 )
220
221 switch (pgp_size(packet, 1))
222 {
223 case PGP_PUBKEY_ALG_RSA:
224 case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
225 cert->pubkeyAlg = PUBKEY_ALG_RSA;
226 DBG(DBG_PARSING,
227 DBG_log(" RSA")
228 )
229 /* modulus n */
230 cert->modulus.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
231 cert->modulus.ptr = packet->ptr;
232 packet->ptr += cert->modulus.len;
233 packet->len -= cert->modulus.len;
234 DBG(DBG_PARSING,
235 DBG_log("L3 - modulus:")
236 )
237 DBG_cond_dump_chunk(DBG_RAW, "", cert->modulus);
238
239 /* public exponent e */
240 cert->publicExponent.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
241 cert->publicExponent.ptr = packet->ptr;
242 packet->ptr += cert->publicExponent.len;
243 packet->len -= cert->publicExponent.len;
244 DBG(DBG_PARSING,
245 DBG_log("L3 - public exponent:")
246 )
247 DBG_cond_dump_chunk(DBG_RAW, "", cert->publicExponent);
248
249 if (version == 3)
250 {
251 hasher_t *hasher;
252
253 /* a V3 fingerprint is the MD5 hash of modulus and public exponent */
254
255 hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
256 if (hasher == NULL)
257 {
258 plog(" computation of V3 key ID failed, no MD5 hasher is available");
259 return FALSE;
260 }
261 hasher->get_hash(hasher, cert->modulus, NULL);
262 hasher->get_hash(hasher, cert->publicExponent, cert->fingerprint);
263 hasher->destroy(hasher);
264 }
265 else
266 {
267 plog(" computation of V4 key ID not implemented yet");
268 }
269 break;
270 case PGP_PUBKEY_ALG_DSA:
271 cert->pubkeyAlg = PUBKEY_ALG_DSA;
272 DBG(DBG_PARSING,
273 DBG_log(" DSA")
274 )
275 plog(" DSA public keys not supported");
276 return FALSE;
277 default:
278 cert->pubkeyAlg = 0;
279 DBG(DBG_PARSING,
280 DBG_log(" other")
281 )
282 plog(" exotic not RSA public keys not supported");
283 return FALSE;
284 }
285 return TRUE;
286 }
287
288 /*
289 * Parse OpenPGP secret key packet defined in section 5.5.3 of RFC 2440
290 */
291 static bool
292 parse_pgp_secretkey_packet(chunk_t *packet, RSA_private_key_t *key)
293 {
294 int i, s2k;
295 pgpcert_t cert = empty_pgpcert;
296
297 if (!parse_pgp_pubkey_packet(packet, &cert))
298 return FALSE;
299
300 init_RSA_public_key((RSA_public_key_t *)key, cert.publicExponent
301 , cert.modulus);
302
303 /* string-to-key usage */
304 s2k = pgp_size(packet, 1);
305
306 DBG(DBG_PARSING,
307 DBG_log("L3 - string-to-key: %d", s2k)
308 )
309
310 if (s2k == 255)
311 {
312 plog(" string-to-key specifiers not supported");
313 return FALSE;
314 }
315
316 if (s2k >= PGP_SYM_ALG_ROOF)
317 {
318 plog(" undefined symmetric key algorithm");
319 return FALSE;
320 }
321
322 /* a known symmetric key algorithm is specified*/
323 DBG(DBG_PARSING,
324 DBG_log(" %s", pgp_sym_alg_name[s2k])
325 )
326
327 /* private key is unencrypted */
328 if (s2k == PGP_SYM_ALG_PLAIN)
329 {
330 for (i = 2; i < RSA_PRIVATE_FIELD_ELEMENTS; i++)
331 {
332 mpz_t u; /* auxiliary variable */
333
334 /* compute offset to private key component i*/
335 MP_INT *n = (MP_INT*)((char *)key + RSA_private_field[i].offset);
336
337 switch (i)
338 {
339 case 2:
340 case 3:
341 case 4:
342 {
343 size_t len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
344
345 n_to_mpz(n, packet->ptr, len);
346 DBG(DBG_PARSING,
347 DBG_log("L3 - %s:", RSA_private_field[i].name)
348 )
349 DBG_cond_dump(DBG_PRIVATE, "", packet->ptr, len);
350 packet->ptr += len;
351 packet->len -= len;
352 }
353 break;
354 case 5: /* dP = d mod (p-1) */
355 mpz_init(u);
356 mpz_sub_ui(u, &key->p, 1);
357 mpz_mod(n, &key->d, u);
358 mpz_clear(u);
359 break;
360 case 6: /* dQ = d mod (q-1) */
361 mpz_init(u);
362 mpz_sub_ui(u, &key->q, 1);
363 mpz_mod(n, &key->d, u);
364 mpz_clear(u);
365 break;
366 case 7: /* qInv = (q^-1) mod p */
367 mpz_invert(n, &key->q, &key->p);
368 if (mpz_cmp_ui(n, 0) < 0)
369 mpz_add(n, n, &key->p);
370 passert(mpz_cmp(n, &key->p) < 0);
371 break;
372 }
373 }
374 return TRUE;
375 }
376
377 plog(" %s encryption not supported", pgp_sym_alg_name[s2k]);
378 return FALSE;
379 }
380
381 /*
382 * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
383 */
384 static bool
385 parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
386 {
387 time_t created;
388 chunk_t keyid;
389 u_char sig_type;
390 u_char version = pgp_version(packet);
391
392 /* we parse only V3 signature packets */
393 if (version != 3)
394 return TRUE;
395
396 /* size byte must have the value 5 */
397 if (pgp_size(packet, 1) != 5)
398 {
399 plog(" size must be 5");
400 return FALSE;
401 }
402
403 /* signature type - 1 byte */
404 sig_type = (u_char)pgp_size(packet, 1);
405 DBG(DBG_PARSING,
406 DBG_log("L3 - signature type: 0x%2x", sig_type)
407 )
408
409 /* creation date - 4 bytes */
410 created = (time_t)pgp_size(packet, 4);
411 DBG(DBG_PARSING,
412 DBG_log("L3 - created:");
413 DBG_log(" %T", &cert->created, TRUE)
414 )
415
416 /* key ID of signer - 8 bytes */
417 keyid.ptr = packet->ptr;
418 keyid.len = PGP_KEYID_SIZE;
419 DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);
420
421 return TRUE;
422 }
423
424 bool
425 parse_pgp(chunk_t blob, pgpcert_t *cert, RSA_private_key_t *key)
426 {
427 DBG(DBG_PARSING,
428 DBG_log("L0 - PGP file:")
429 )
430 DBG_cond_dump_chunk(DBG_RAW, "", blob);
431
432 if (cert != NULL)
433 {
434 /* parse a PGP certificate file */
435 cert->certificate = blob;
436 time(&cert->installed);
437 }
438 else if (key == NULL)
439 {
440 /* should not occur, nothing to parse */
441 return FALSE;
442 }
443
444 while (blob.len > 0)
445 {
446 chunk_t packet = chunk_empty;
447 u_char packet_tag = *blob.ptr;
448
449 DBG(DBG_PARSING,
450 DBG_log("L1 - PGP packet: tag= 0x%2x", packet_tag)
451 )
452
453 /* bit 7 must be set */
454 if (!(packet_tag & 0x80))
455 {
456 plog(" incorrect Packet Tag");
457 return FALSE;
458 }
459
460 /* bit 6 set defines new packet format */
461 if (packet_tag & 0x40)
462 {
463 plog(" new PGP packet format not supported");
464 return FALSE;
465 }
466 else
467 {
468 int packet_type = (packet_tag & 0x3C) >> 2;
469
470 packet.len = pgp_old_packet_length(&blob);
471 packet.ptr = blob.ptr;
472 blob.ptr += packet.len;
473 blob.len -= packet.len;
474 DBG(DBG_PARSING,
475 DBG_log(" %s (%d), old format, %d bytes",
476 (packet_type < PGP_PKT_ROOF) ?
477 pgp_packet_type_name[packet_type] :
478 "Undefined Packet Type", packet_type, (int)packet.len);
479 DBG_log("L2 - body:")
480 )
481 DBG_cond_dump_chunk(DBG_RAW, "", packet);
482
483 if (cert != NULL)
484 {
485 /* parse a PGP certificate */
486 switch (packet_type)
487 {
488 case PGP_PKT_PUBLIC_KEY:
489 if (!parse_pgp_pubkey_packet(&packet, cert))
490 return FALSE;
491 break;
492 case PGP_PKT_SIGNATURE:
493 if (!parse_pgp_signature_packet(&packet, cert))
494 return FALSE;
495 break;
496 case PGP_PKT_USER_ID:
497 DBG(DBG_PARSING,
498 DBG_log("L3 - user ID:");
499 DBG_log(" '%.*s'", (int)packet.len, packet.ptr)
500 )
501 break;
502 default:
503 break;
504 }
505 }
506 else
507 {
508 /* parse a PGP private key file */
509 switch (packet_type)
510 {
511 case PGP_PKT_SECRET_KEY:
512 if (!parse_pgp_secretkey_packet(&packet, key))
513 return FALSE;
514 break;
515 default:
516 break;
517 }
518 }
519 }
520 }
521 return TRUE;
522 }
523
524 /*
525 * compare two OpenPGP certificates
526 */
527 static bool
528 same_pgpcert(pgpcert_t *a, pgpcert_t *b)
529 {
530 return a->certificate.len == b->certificate.len &&
531 memeq(a->certificate.ptr, b->certificate.ptr, b->certificate.len);
532 }
533
534 /*
535 * for each link pointing to the certificate increase the count by one
536 */
537 void
538 share_pgpcert(pgpcert_t *cert)
539 {
540 if (cert != NULL)
541 {
542 cert->count++;
543 }
544 }
545
546 /*
547 * select the OpenPGP keyid as ID
548 */
549 void
550 select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
551 {
552 end_id->kind = ID_KEY_ID;
553 end_id->name.len = PGP_FINGERPRINT_SIZE;
554 end_id->name.ptr = cert->fingerprint;
555 end_id->name.ptr = temporary_cyclic_buffer();
556 memcpy(end_id->name.ptr, cert->fingerprint, PGP_FINGERPRINT_SIZE);
557 }
558
559 /*
560 * add an OpenPGP user/host certificate to the chained list
561 */
562 pgpcert_t*
563 add_pgpcert(pgpcert_t *cert)
564 {
565 pgpcert_t *c = pgpcerts;
566
567 while (c != NULL)
568 {
569 if (same_pgpcert(c, cert)) /* already in chain, free cert */
570 {
571 free_pgpcert(cert);
572 return c;
573 }
574 c = c->next;
575 }
576
577 /* insert new cert at the root of the chain */
578 cert->next = pgpcerts;
579 pgpcerts = cert;
580 DBG(DBG_CONTROL | DBG_PARSING,
581 DBG_log(" pgp cert inserted")
582 )
583 return cert;
584 }
585
586 /* release of a certificate decreases the count by one
587 " the certificate is freed when the counter reaches zero
588 */
589 void
590 release_pgpcert(pgpcert_t *cert)
591 {
592 if (cert != NULL && --cert->count == 0)
593 {
594 pgpcert_t **pp = &pgpcerts;
595 while (*pp != cert)
596 pp = &(*pp)->next;
597 *pp = cert->next;
598 free_pgpcert(cert);
599 }
600 }
601
602 /*
603 * free a PGP certificate
604 */
605 void
606 free_pgpcert(pgpcert_t *cert)
607 {
608 if (cert != NULL)
609 {
610 free(cert->certificate.ptr);
611 free(cert);
612 }
613 }
614
615 /*
616 * list all PGP end certificates in a chained list
617 */
618 void
619 list_pgp_end_certs(bool utc)
620 {
621 pgpcert_t *cert = pgpcerts;
622 time_t now;
623
624 /* determine the current time */
625 time(&now);
626
627 if (cert != NULL)
628 {
629 whack_log(RC_COMMENT, " ");
630 whack_log(RC_COMMENT, "List of PGP End certificates:");
631 whack_log(RC_COMMENT, " ");
632 }
633
634 while (cert != NULL)
635 {
636 unsigned keysize;
637 char buf[BUF_LEN];
638 cert_t c;
639
640 c.type = CERT_PGP;
641 c.u.pgp = cert;
642
643 whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc, cert->count);
644 datatot(cert->fingerprint, PGP_FINGERPRINT_SIZE, 'x', buf, BUF_LEN);
645 whack_log(RC_COMMENT, " fingerprint: %s", buf);
646 form_keyid(cert->publicExponent, cert->modulus, buf, &keysize);
647 whack_log(RC_COMMENT, " pubkey: %4d RSA Key %s%s", 8*keysize, buf,
648 (has_private_key(c))? ", has private key" : "");
649 whack_log(RC_COMMENT, " created: %T", &cert->created, utc);
650 whack_log(RC_COMMENT, " until: %T %s", &cert->until, utc,
651 check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
652 cert = cert->next;
653 }
654 }
655