fixed a bunch of compiler warnings, pgp end certificate listing
[strongswan.git] / src / pluto / pgp.c
1 /* Support of OpenPGP certificates
2 * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id$
15 */
16
17 #include <stdlib.h>
18 #include <string.h>
19 #include <time.h>
20
21 #include <freeswan.h>
22 #include <ipsec_policy.h>
23
24 #include "constants.h"
25 #include "defs.h"
26 #include "mp_defs.h"
27 #include "log.h"
28 #include "id.h"
29 #include "pgp.h"
30 #include "certs.h"
31 #include "md5.h"
32 #include "whack.h"
33 #include "pkcs1.h"
34 #include "keys.h"
35
36 /*
37 * chained list of OpenPGP end certificates
38 */
39 static pgpcert_t *pgpcerts = NULL;
40
41 /*
42 * OpenPGP packet tags defined in section 4.3 of RFC 2440
43 */
44 #define PGP_PKT_RESERVED 0
45 #define PGP_PKT_PUBKEY_ENC_SESSION_KEY 1
46 #define PGP_PKT_SIGNATURE 2
47 #define PGP_PKT_SYMKEY_ENC_SESSION_KEY 3
48 #define PGP_PKT_ONE_PASS_SIGNATURE_PKT 4
49 #define PGP_PKT_SECRET_KEY 5
50 #define PGP_PKT_PUBLIC_KEY 6
51 #define PGP_PKT_SECRET_SUBKEY 7
52 #define PGP_PKT_COMPRESSED_DATA 8
53 #define PGP_PKT_SYMKEY_ENC_DATA 9
54 #define PGP_PKT_MARKER 10
55 #define PGP_PKT_LITERAL_DATA 11
56 #define PGP_PKT_TRUST 12
57 #define PGP_PKT_USER_ID 13
58 #define PGP_PKT_PUBLIC_SUBKEY 14
59 #define PGP_PKT_ROOF 15
60
61 static const char *const pgp_packet_type_name[] = {
62 "Reserved",
63 "Public-Key Encrypted Session Key Packet",
64 "Signature Packet",
65 "Symmetric-Key Encrypted Session Key Packet",
66 "One-Pass Signature Packet",
67 "Secret Key Packet",
68 "Public Key Packet",
69 "Secret Subkey Packet",
70 "Compressed Data Packet",
71 "Symmetrically Encrypted Data Packet",
72 "Marker Packet",
73 "Literal Data Packet",
74 "Trust Packet",
75 "User ID Packet",
76 "Public Subkey Packet"
77 };
78
79 /*
80 * OpenPGP public key algorithms defined in section 9.1 of RFC 2440
81 */
82 #define PGP_PUBKEY_ALG_RSA 1
83 #define PGP_PUBKEY_ALG_RSA_ENC_ONLY 2
84 #define PGP_PUBKEY_ALG_RSA_SIGN_ONLY 3
85 #define PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY 16
86 #define PGP_PUBKEY_ALG_DSA 17
87 #define PGP_PUBKEY_ALG_ECC 18
88 #define PGP_PUBKEY_ALG_ECDSA 19
89 #define PGP_PUBKEY_ALG_ELGAMAL 20
90
91 /*
92 * OpenPGP symmetric key algorithms defined in section 9.2 of RFC 2440
93 */
94 #define PGP_SYM_ALG_PLAIN 0
95 #define PGP_SYM_ALG_IDEA 1
96 #define PGP_SYM_ALG_3DES 2
97 #define PGP_SYM_ALG_CAST5 3
98 #define PGP_SYM_ALG_BLOWFISH 4
99 #define PGP_SYM_ALG_SAFER 5
100 #define PGP_SYM_ALG_DES 6
101 #define PGP_SYM_ALG_AES 7
102 #define PGP_SYM_ALG_AES_192 8
103 #define PGP_SYM_ALG_AES_256 9
104 #define PGP_SYM_ALG_TWOFISH 10
105 #define PGP_SYM_ALG_ROOF 11
106
107 static const char *const pgp_sym_alg_name[] = {
108 "Plaintext",
109 "IDEA",
110 "3DES",
111 "CAST5",
112 "Blowfish",
113 "SAFER",
114 "DES",
115 "AES",
116 "AES-192",
117 "AES-256",
118 "Twofish"
119 };
120
121 /*
122 * Size of PGP Key ID
123 */
124 #define PGP_KEYID_SIZE 8
125
126 const pgpcert_t empty_pgpcert = {
127 NULL , /* *next */
128 0 , /* installed */
129 0 , /* count */
130 { NULL, 0 }, /* certificate */
131 0 , /* created */
132 0 , /* until */
133 0 , /* pubkeyAlgorithm */
134 { NULL, 0 }, /* modulus */
135 { NULL, 0 }, /* publicExponent */
136 "" /* fingerprint */
137 };
138
139 static size_t
140 pgp_size(chunk_t *blob, int len)
141 {
142 size_t size = 0;
143
144 blob->len -= len;
145 while (len-- > 0)
146 size = 256*size + *blob->ptr++;
147 return size;
148 }
149
150 /*
151 * extracts the length of a PGP packet
152 */
153 static size_t
154 pgp_old_packet_length(chunk_t *blob)
155 {
156 /* bits 0 and 1 define the packet length type */
157 int len_type = 0x03 & *blob->ptr++;
158
159 blob->len--;
160
161 /* len_type: 0 -> 1 byte, 1 -> 2 bytes, 2 -> 4 bytes */
162 return pgp_size(blob, (len_type == 0)? 1: len_type << 1);
163 }
164
165 /*
166 * extracts PGP packet version (V3 or V4)
167 */
168 static u_char
169 pgp_version(chunk_t *blob)
170 {
171 u_char version = *blob->ptr++;
172 blob->len--;
173 DBG(DBG_PARSING,
174 DBG_log("L3 - version:");
175 DBG_log(" V%d", version)
176 )
177 return version;
178 }
179
180 /*
181 * Parse OpenPGP public key packet defined in section 5.5.2 of RFC 2440
182 */
183 static bool
184 parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
185 {
186 u_char version = pgp_version(packet);
187
188 if (version < 3 || version > 4)
189 {
190 plog("PGP packet version V%d not supported", version);
191 return FALSE;
192 }
193
194 /* creation date - 4 bytes */
195 cert->created = (time_t)pgp_size(packet, 4);
196 DBG(DBG_PARSING,
197 DBG_log("L3 - created:");
198 DBG_log(" %T", &cert->created, TRUE)
199 )
200
201 if (version == 3)
202 {
203 /* validity in days - 2 bytes */
204 cert->until = (time_t)pgp_size(packet, 2);
205
206 /* validity of 0 days means that the key never expires */
207 if (cert->until > 0)
208 cert->until = cert->created + 24*3600*cert->until;
209
210 DBG(DBG_PARSING,
211 DBG_log("L3 - until:");
212 DBG_log(" %T", &cert->until, TRUE);
213 )
214 }
215
216 /* public key algorithm - 1 byte */
217 DBG(DBG_PARSING,
218 DBG_log("L3 - public key algorithm:")
219 )
220
221 switch (pgp_size(packet, 1))
222 {
223 case PGP_PUBKEY_ALG_RSA:
224 case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
225 cert->pubkeyAlg = PUBKEY_ALG_RSA;
226 DBG(DBG_PARSING,
227 DBG_log(" RSA")
228 )
229 /* modulus n */
230 cert->modulus.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
231 cert->modulus.ptr = packet->ptr;
232 packet->ptr += cert->modulus.len;
233 packet->len -= cert->modulus.len;
234 DBG(DBG_PARSING,
235 DBG_log("L3 - modulus:")
236 )
237 DBG_cond_dump_chunk(DBG_RAW, "", cert->modulus);
238
239 /* public exponent e */
240 cert->publicExponent.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
241 cert->publicExponent.ptr = packet->ptr;
242 packet->ptr += cert->publicExponent.len;
243 packet->len -= cert->publicExponent.len;
244 DBG(DBG_PARSING,
245 DBG_log("L3 - public exponent:")
246 )
247 DBG_cond_dump_chunk(DBG_RAW, "", cert->publicExponent);
248
249 if (version == 3)
250 {
251 /* a V3 fingerprint is the MD5 hash of modulus and public exponent */
252 MD5_CTX context;
253 MD5Init(&context);
254 MD5Update(&context, cert->modulus.ptr, cert->modulus.len);
255 MD5Update(&context, cert->publicExponent.ptr, cert->publicExponent.len);
256 MD5Final(cert->fingerprint, &context);
257 }
258 else
259 {
260 plog(" computation of V4 key ID not implemented yet");
261 }
262 break;
263 case PGP_PUBKEY_ALG_DSA:
264 cert->pubkeyAlg = PUBKEY_ALG_DSA;
265 DBG(DBG_PARSING,
266 DBG_log(" DSA")
267 )
268 plog(" DSA public keys not supported");
269 return FALSE;
270 default:
271 cert->pubkeyAlg = 0;
272 DBG(DBG_PARSING,
273 DBG_log(" other")
274 )
275 plog(" exotic not RSA public keys not supported");
276 return FALSE;
277 }
278 return TRUE;
279 }
280
281 /*
282 * Parse OpenPGP secret key packet defined in section 5.5.3 of RFC 2440
283 */
284 static bool
285 parse_pgp_secretkey_packet(chunk_t *packet, RSA_private_key_t *key)
286 {
287 int i, s2k;
288 pgpcert_t cert = empty_pgpcert;
289
290 if (!parse_pgp_pubkey_packet(packet, &cert))
291 return FALSE;
292
293 init_RSA_public_key((RSA_public_key_t *)key, cert.publicExponent
294 , cert.modulus);
295
296 /* string-to-key usage */
297 s2k = pgp_size(packet, 1);
298
299 DBG(DBG_PARSING,
300 DBG_log("L3 - string-to-key: %d", s2k)
301 )
302
303 if (s2k == 255)
304 {
305 plog(" string-to-key specifiers not supported");
306 return FALSE;
307 }
308
309 if (s2k >= PGP_SYM_ALG_ROOF)
310 {
311 plog(" undefined symmetric key algorithm");
312 return FALSE;
313 }
314
315 /* a known symmetric key algorithm is specified*/
316 DBG(DBG_PARSING,
317 DBG_log(" %s", pgp_sym_alg_name[s2k])
318 )
319
320 /* private key is unencrypted */
321 if (s2k == PGP_SYM_ALG_PLAIN)
322 {
323 for (i = 2; i < RSA_PRIVATE_FIELD_ELEMENTS; i++)
324 {
325 mpz_t u; /* auxiliary variable */
326
327 /* compute offset to private key component i*/
328 MP_INT *n = (MP_INT*)((char *)key + RSA_private_field[i].offset);
329
330 switch (i)
331 {
332 case 2:
333 case 3:
334 case 4:
335 {
336 size_t len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
337
338 n_to_mpz(n, packet->ptr, len);
339 DBG(DBG_PARSING,
340 DBG_log("L3 - %s:", RSA_private_field[i].name)
341 )
342 DBG_cond_dump(DBG_PRIVATE, "", packet->ptr, len);
343 packet->ptr += len;
344 packet->len -= len;
345 }
346 break;
347 case 5: /* dP = d mod (p-1) */
348 mpz_init(u);
349 mpz_sub_ui(u, &key->p, 1);
350 mpz_mod(n, &key->d, u);
351 mpz_clear(u);
352 break;
353 case 6: /* dQ = d mod (q-1) */
354 mpz_init(u);
355 mpz_sub_ui(u, &key->q, 1);
356 mpz_mod(n, &key->d, u);
357 mpz_clear(u);
358 break;
359 case 7: /* qInv = (q^-1) mod p */
360 mpz_invert(n, &key->q, &key->p);
361 if (mpz_cmp_ui(n, 0) < 0)
362 mpz_add(n, n, &key->p);
363 passert(mpz_cmp(n, &key->p) < 0);
364 break;
365 }
366 }
367 return TRUE;
368 }
369
370 plog(" %s encryption not supported", pgp_sym_alg_name[s2k]);
371 return FALSE;
372 }
373
374 /*
375 * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
376 */
377 static bool
378 parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
379 {
380 time_t created;
381 chunk_t keyid;
382 u_char sig_type;
383 u_char version = pgp_version(packet);
384
385 /* we parse only V3 signature packets */
386 if (version != 3)
387 return TRUE;
388
389 /* size byte must have the value 5 */
390 if (pgp_size(packet, 1) != 5)
391 {
392 plog(" size must be 5");
393 return FALSE;
394 }
395
396 /* signature type - 1 byte */
397 sig_type = (u_char)pgp_size(packet, 1);
398 DBG(DBG_PARSING,
399 DBG_log("L3 - signature type: 0x%2x", sig_type)
400 )
401
402 /* creation date - 4 bytes */
403 created = (time_t)pgp_size(packet, 4);
404 DBG(DBG_PARSING,
405 DBG_log("L3 - created:");
406 DBG_log(" %T", &cert->created, TRUE)
407 )
408
409 /* key ID of signer - 8 bytes */
410 keyid.ptr = packet->ptr;
411 keyid.len = PGP_KEYID_SIZE;
412 DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);
413
414 return TRUE;
415 }
416
417 bool
418 parse_pgp(chunk_t blob, pgpcert_t *cert, RSA_private_key_t *key)
419 {
420 DBG(DBG_PARSING,
421 DBG_log("L0 - PGP file:")
422 )
423 DBG_cond_dump_chunk(DBG_RAW, "", blob);
424
425 if (cert != NULL)
426 {
427 /* parse a PGP certificate file */
428 cert->certificate = blob;
429 time(&cert->installed);
430 }
431 else if (key == NULL)
432 {
433 /* should not occur, nothing to parse */
434 return FALSE;
435 }
436
437 while (blob.len > 0)
438 {
439 chunk_t packet = chunk_empty;
440 u_char packet_tag = *blob.ptr;
441
442 DBG(DBG_PARSING,
443 DBG_log("L1 - PGP packet: tag= 0x%2x", packet_tag)
444 )
445
446 /* bit 7 must be set */
447 if (!(packet_tag & 0x80))
448 {
449 plog(" incorrect Packet Tag");
450 return FALSE;
451 }
452
453 /* bit 6 set defines new packet format */
454 if (packet_tag & 0x40)
455 {
456 plog(" new PGP packet format not supported");
457 return FALSE;
458 }
459 else
460 {
461 int packet_type = (packet_tag & 0x3C) >> 2;
462
463 packet.len = pgp_old_packet_length(&blob);
464 packet.ptr = blob.ptr;
465 blob.ptr += packet.len;
466 blob.len -= packet.len;
467 DBG(DBG_PARSING,
468 DBG_log(" %s (%d), old format, %d bytes",
469 (packet_type < PGP_PKT_ROOF) ?
470 pgp_packet_type_name[packet_type] :
471 "Undefined Packet Type", packet_type, (int)packet.len);
472 DBG_log("L2 - body:")
473 )
474 DBG_cond_dump_chunk(DBG_RAW, "", packet);
475
476 if (cert != NULL)
477 {
478 /* parse a PGP certificate */
479 switch (packet_type)
480 {
481 case PGP_PKT_PUBLIC_KEY:
482 if (!parse_pgp_pubkey_packet(&packet, cert))
483 return FALSE;
484 break;
485 case PGP_PKT_SIGNATURE:
486 if (!parse_pgp_signature_packet(&packet, cert))
487 return FALSE;
488 break;
489 case PGP_PKT_USER_ID:
490 DBG(DBG_PARSING,
491 DBG_log("L3 - user ID:");
492 DBG_log(" '%.*s'", (int)packet.len, packet.ptr)
493 )
494 break;
495 default:
496 break;
497 }
498 }
499 else
500 {
501 /* parse a PGP private key file */
502 switch (packet_type)
503 {
504 case PGP_PKT_SECRET_KEY:
505 if (!parse_pgp_secretkey_packet(&packet, key))
506 return FALSE;
507 break;
508 default:
509 break;
510 }
511 }
512 }
513 }
514 return TRUE;
515 }
516
517 /*
518 * compare two OpenPGP certificates
519 */
520 static bool
521 same_pgpcert(pgpcert_t *a, pgpcert_t *b)
522 {
523 return a->certificate.len == b->certificate.len &&
524 memeq(a->certificate.ptr, b->certificate.ptr, b->certificate.len);
525 }
526
527 /*
528 * for each link pointing to the certificate increase the count by one
529 */
530 void
531 share_pgpcert(pgpcert_t *cert)
532 {
533 if (cert != NULL)
534 {
535 cert->count++;
536 }
537 }
538
539 /*
540 * select the OpenPGP keyid as ID
541 */
542 void
543 select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
544 {
545 end_id->kind = ID_KEY_ID;
546 end_id->name.len = PGP_FINGERPRINT_SIZE;
547 end_id->name.ptr = cert->fingerprint;
548 end_id->name.ptr = temporary_cyclic_buffer();
549 memcpy(end_id->name.ptr, cert->fingerprint, PGP_FINGERPRINT_SIZE);
550 }
551
552 /*
553 * add an OpenPGP user/host certificate to the chained list
554 */
555 pgpcert_t*
556 add_pgpcert(pgpcert_t *cert)
557 {
558 pgpcert_t *c = pgpcerts;
559
560 while (c != NULL)
561 {
562 if (same_pgpcert(c, cert)) /* already in chain, free cert */
563 {
564 free_pgpcert(cert);
565 return c;
566 }
567 c = c->next;
568 }
569
570 /* insert new cert at the root of the chain */
571 cert->next = pgpcerts;
572 pgpcerts = cert;
573 DBG(DBG_CONTROL | DBG_PARSING,
574 DBG_log(" pgp cert inserted")
575 )
576 return cert;
577 }
578
579 /* release of a certificate decreases the count by one
580 " the certificate is freed when the counter reaches zero
581 */
582 void
583 release_pgpcert(pgpcert_t *cert)
584 {
585 if (cert != NULL && --cert->count == 0)
586 {
587 pgpcert_t **pp = &pgpcerts;
588 while (*pp != cert)
589 pp = &(*pp)->next;
590 *pp = cert->next;
591 free_pgpcert(cert);
592 }
593 }
594
595 /*
596 * free a PGP certificate
597 */
598 void
599 free_pgpcert(pgpcert_t *cert)
600 {
601 if (cert != NULL)
602 {
603 free(cert->certificate.ptr);
604 free(cert);
605 }
606 }
607
608 /*
609 * list all PGP end certificates in a chained list
610 */
611 void
612 list_pgp_end_certs(bool utc)
613 {
614 pgpcert_t *cert = pgpcerts;
615 time_t now;
616
617 /* determine the current time */
618 time(&now);
619
620 if (cert != NULL)
621 {
622 whack_log(RC_COMMENT, " ");
623 whack_log(RC_COMMENT, "List of PGP End certificates:");
624 whack_log(RC_COMMENT, " ");
625 }
626
627 while (cert != NULL)
628 {
629 unsigned keysize;
630 char buf[BUF_LEN];
631 cert_t c;
632
633 c.type = CERT_PGP;
634 c.u.pgp = cert;
635
636 whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc, cert->count);
637 datatot(cert->fingerprint, PGP_FINGERPRINT_SIZE, 'x', buf, BUF_LEN);
638 whack_log(RC_COMMENT, " fingerprint: %s", buf);
639 form_keyid(cert->publicExponent, cert->modulus, buf, &keysize);
640 whack_log(RC_COMMENT, " pubkey: %4d RSA Key %s%s", 8*keysize, buf,
641 (has_private_key(c))? ", has private key" : "");
642 whack_log(RC_COMMENT, " created: %T", &cert->created, utc);
643 whack_log(RC_COMMENT, " until: %T %s", &cert->until, utc,
644 check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
645 cert = cert->next;
646 }
647 }
648