2017-04-28 10:06:33 +09:00
|
|
|
/* seskey.c - make session keys etc.
|
2006-04-19 11:26:11 +00:00
|
|
|
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
|
2011-01-21 12:00:57 +01:00
|
|
|
* 2006, 2009, 2010 Free Software Foundation, Inc.
|
1997-11-18 14:06:00 +00:00
|
|
|
*
|
1998-12-23 12:41:40 +00:00
|
|
|
* This file is part of GnuPG.
|
1997-11-18 14:06:00 +00:00
|
|
|
*
|
1998-12-23 12:41:40 +00:00
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
1997-11-18 14:06:00 +00:00
|
|
|
* it under the terms of the GNU General Public License as published by
|
2007-07-04 19:49:40 +00:00
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
1997-11-18 14:06:00 +00:00
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
1998-12-23 12:41:40 +00:00
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
1997-11-18 14:06:00 +00:00
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2016-11-05 12:02:19 +01:00
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
1997-11-18 14:06:00 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
2003-06-18 19:56:13 +00:00
|
|
|
|
|
|
|
#include "gpg.h"
|
2017-03-07 20:21:23 +09:00
|
|
|
#include "../common/util.h"
|
2011-01-05 17:33:17 -08:00
|
|
|
#include "options.h"
|
1997-11-24 22:24:04 +00:00
|
|
|
#include "main.h"
|
2017-03-07 20:21:23 +09:00
|
|
|
#include "../common/i18n.h"
|
2006-04-19 11:26:11 +00:00
|
|
|
|
1997-11-18 14:06:00 +00:00
|
|
|
|
2016-02-03 14:23:51 +01:00
|
|
|
/* Generate a new session key in *DEK that is appropriate for the
|
2016-02-14 16:11:06 +01:00
|
|
|
* algorithm DEK->ALGO (i.e., ensure that the key is not weak).
|
|
|
|
*
|
|
|
|
* This function overwrites DEK->KEYLEN, DEK->KEY. The rest of the
|
|
|
|
* fields are left as is. */
|
1997-11-18 14:06:00 +00:00
|
|
|
void
|
|
|
|
make_session_key( DEK *dek )
|
|
|
|
{
|
2006-04-19 11:26:11 +00:00
|
|
|
gcry_cipher_hd_t chd;
|
|
|
|
int i, rc;
|
2003-06-18 19:56:13 +00:00
|
|
|
|
Add full Camellia support.
* configure.ac: Remove Camellia restriction.
* gpg.c (main), misc.c (openpgp_cipher_test_algo): Remove Camellia
restriction.
* misc.c (map_cipher_openpgp_to_gcry), main.h: Add macros for
openpgp_cipher_open, openpgp_cipher_get_algo_keylen, and
openpgp_cipher_get_algo_blklen to wrap around the corresponding gcry_*
functions, but pass the algorithm number through
map_cipher_openpgp_to_gcry. This is needed in case the gcry algorithm
number doesn't match the OpenPGP number (c.f. Camellia).
* encr-data.c, pubkey-enc.c, mainproc.c, cipher.c, encode.c, seskey.c,
passphrase.c, seckey-cert.c: Use new openpgp_cipher_* macros here.
2009-06-05 14:11:03 +00:00
|
|
|
dek->keylen = openpgp_cipher_get_algo_keylen (dek->algo);
|
2003-06-18 19:56:13 +00:00
|
|
|
|
Add full Camellia support.
* configure.ac: Remove Camellia restriction.
* gpg.c (main), misc.c (openpgp_cipher_test_algo): Remove Camellia
restriction.
* misc.c (map_cipher_openpgp_to_gcry), main.h: Add macros for
openpgp_cipher_open, openpgp_cipher_get_algo_keylen, and
openpgp_cipher_get_algo_blklen to wrap around the corresponding gcry_*
functions, but pass the algorithm number through
map_cipher_openpgp_to_gcry. This is needed in case the gcry algorithm
number doesn't match the OpenPGP number (c.f. Camellia).
* encr-data.c, pubkey-enc.c, mainproc.c, cipher.c, encode.c, seskey.c,
passphrase.c, seckey-cert.c: Use new openpgp_cipher_* macros here.
2009-06-05 14:11:03 +00:00
|
|
|
if (openpgp_cipher_open (&chd, dek->algo, GCRY_CIPHER_MODE_CFB,
|
|
|
|
(GCRY_CIPHER_SECURE
|
|
|
|
| (dek->algo >= 100 ?
|
|
|
|
0 : GCRY_CIPHER_ENABLE_SYNC))) )
|
2006-04-19 11:26:11 +00:00
|
|
|
BUG();
|
|
|
|
gcry_randomize (dek->key, dek->keylen, GCRY_STRONG_RANDOM );
|
2011-02-03 16:31:42 +01:00
|
|
|
for (i=0; i < 16; i++ )
|
2006-04-19 11:26:11 +00:00
|
|
|
{
|
|
|
|
rc = gcry_cipher_setkey (chd, dek->key, dek->keylen);
|
2011-02-03 16:31:42 +01:00
|
|
|
if (!rc)
|
2006-04-19 11:26:11 +00:00
|
|
|
{
|
|
|
|
gcry_cipher_close (chd);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (gpg_err_code (rc) != GPG_ERR_WEAK_KEY)
|
|
|
|
BUG();
|
|
|
|
log_info(_("weak key created - retrying\n") );
|
|
|
|
/* Renew the session key until we get a non-weak key. */
|
|
|
|
gcry_randomize (dek->key, dek->keylen, GCRY_STRONG_RANDOM);
|
|
|
|
}
|
|
|
|
log_fatal (_("cannot avoid weak key for symmetric cipher; "
|
|
|
|
"tried %d times!\n"), i);
|
1997-11-18 14:06:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-02-03 14:23:51 +01:00
|
|
|
/* Encode the session key stored in DEK as an MPI in preparation to
|
2016-02-14 16:11:06 +01:00
|
|
|
* encrypt it with the public key algorithm OPENPGP_PK_ALGO with a key
|
|
|
|
* whose length (the size of the public key) is NBITS.
|
|
|
|
*
|
|
|
|
* On success, returns an MPI, which the caller must free using
|
|
|
|
* gcry_mpi_release(). */
|
2003-06-18 19:56:13 +00:00
|
|
|
gcry_mpi_t
|
2011-01-05 17:33:17 -08:00
|
|
|
encode_session_key (int openpgp_pk_algo, DEK *dek, unsigned int nbits)
|
1997-11-18 14:06:00 +00:00
|
|
|
{
|
2011-01-21 12:00:57 +01:00
|
|
|
size_t nframe = (nbits+7) / 8;
|
|
|
|
byte *p;
|
|
|
|
byte *frame;
|
|
|
|
int i,n;
|
|
|
|
u16 csum;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2011-01-21 12:00:57 +01:00
|
|
|
log_debug ("encode_session_key: encoding %d byte DEK", dek->keylen);
|
|
|
|
|
2024-04-11 15:56:21 +02:00
|
|
|
if (openpgp_pk_algo == PUBKEY_ALGO_KYBER)
|
|
|
|
{
|
|
|
|
/* Straightforward encoding w/o extra checksum as used by ECDH. */
|
|
|
|
nframe = dek->keylen;
|
|
|
|
log_assert (nframe > 4); /*(for the log_debug)*/
|
|
|
|
frame = xmalloc_secure (nframe);
|
|
|
|
memcpy (frame, dek->key, nframe);
|
|
|
|
if (DBG_CRYPTO)
|
|
|
|
log_debug ("encode_session_key: "
|
|
|
|
"[%d] %02x %02x %02x ... %02x %02x %02x\n",
|
|
|
|
(int) dek->keylen, frame[0], frame[1], frame[2],
|
|
|
|
frame[nframe-3], frame[nframe-2], frame[nframe-1]);
|
|
|
|
|
|
|
|
return gcry_mpi_set_opaque (NULL, frame, 8*nframe);
|
|
|
|
}
|
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
csum = 0;
|
|
|
|
for (p = dek->key, i=0; i < dek->keylen; i++)
|
|
|
|
csum += *p++;
|
|
|
|
|
|
|
|
/* Shortcut for ECDH. It's padding is minimal to simply make the
|
|
|
|
output be a multiple of 8 bytes. */
|
2024-04-11 15:56:21 +02:00
|
|
|
if (openpgp_pk_algo == PUBKEY_ALGO_ECDH)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2018-10-24 15:56:18 -04:00
|
|
|
/* Pad to 8 byte granularity; the padding byte is the number of
|
2011-01-21 12:00:57 +01:00
|
|
|
* padded bytes.
|
|
|
|
*
|
|
|
|
* A DEK(k bytes) CSUM(2 bytes) 0x 0x 0x 0x ... 0x
|
|
|
|
* +---- x times ---+
|
|
|
|
*/
|
|
|
|
nframe = (( 1 + dek->keylen + 2 /* The value so far is always odd. */
|
|
|
|
+ 7 ) & (~7));
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* alg+key+csum fit and the size is congruent to 8. */
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert (!(nframe%8) && nframe > 1 + dek->keylen + 2 );
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
frame = xmalloc_secure (nframe);
|
|
|
|
n = 0;
|
|
|
|
frame[n++] = dek->algo;
|
|
|
|
memcpy (frame+n, dek->key, dek->keylen);
|
|
|
|
n += dek->keylen;
|
|
|
|
frame[n++] = csum >> 8;
|
|
|
|
frame[n++] = csum;
|
|
|
|
i = nframe - n; /* Number of padded bytes. */
|
|
|
|
memset (frame+n, i, i); /* Use it as the value of each padded byte. */
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert (n+i == nframe);
|
2011-01-21 12:00:57 +01:00
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2011-01-21 12:00:57 +01:00
|
|
|
log_debug ("encode_session_key: "
|
|
|
|
"[%d] %02x %02x %02x ... %02x %02x %02x\n",
|
2011-06-01 21:43:30 +02:00
|
|
|
(int) nframe, frame[0], frame[1], frame[2],
|
2011-01-21 12:00:57 +01:00
|
|
|
frame[nframe-3], frame[nframe-2], frame[nframe-1]);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2020-06-09 10:32:47 +09:00
|
|
|
return gcry_mpi_set_opaque (NULL, frame, 8*nframe);
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* The current limitation is that we can only use a session key
|
|
|
|
* whose length is a multiple of BITS_PER_MPI_LIMB
|
|
|
|
* I think we can live with that.
|
|
|
|
*/
|
|
|
|
if (dek->keylen + 7 > nframe || !nframe)
|
|
|
|
log_bug ("can't encode a %d bit key in a %d bits frame\n",
|
|
|
|
dek->keylen*8, nbits );
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2016-02-03 14:23:51 +01:00
|
|
|
/* We encode the session key according to PKCS#1 v1.5 (see section
|
|
|
|
* 13.1.1 of RFC 4880):
|
2011-01-21 12:00:57 +01:00
|
|
|
*
|
2016-02-03 14:23:51 +01:00
|
|
|
* 0 2 RND(i bytes) 0 A DEK(k bytes) CSUM(2 bytes)
|
2011-01-21 12:00:57 +01:00
|
|
|
*
|
2018-10-24 15:56:18 -04:00
|
|
|
* (But how can we store the leading 0 - the external representation
|
2011-01-21 12:00:57 +01:00
|
|
|
* of MPIs doesn't allow leading zeroes =:-)
|
|
|
|
*
|
2016-02-03 14:23:51 +01:00
|
|
|
* RND are (at least 1) non-zero random bytes.
|
2011-01-21 12:00:57 +01:00
|
|
|
* A is the cipher algorithm
|
|
|
|
* DEK is the encryption key (session key) length k depends on the
|
|
|
|
* cipher algorithm (20 is used with blowfish160).
|
|
|
|
* CSUM is the 16 bit checksum over the DEK
|
|
|
|
*/
|
|
|
|
|
|
|
|
frame = xmalloc_secure( nframe );
|
|
|
|
n = 0;
|
|
|
|
frame[n++] = 0;
|
|
|
|
frame[n++] = 2;
|
2016-02-03 14:23:51 +01:00
|
|
|
/* The number of random bytes are the number of otherwise unused
|
|
|
|
bytes. See diagram above. */
|
2011-01-21 12:00:57 +01:00
|
|
|
i = nframe - 6 - dek->keylen;
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert( i > 0 );
|
2011-01-21 12:00:57 +01:00
|
|
|
p = gcry_random_bytes_secure (i, GCRY_STRONG_RANDOM);
|
|
|
|
/* Replace zero bytes by new values. */
|
|
|
|
for (;;)
|
|
|
|
{
|
|
|
|
int j, k;
|
|
|
|
byte *pp;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* Count the zero bytes. */
|
|
|
|
for (j=k=0; j < i; j++ )
|
|
|
|
if (!p[j])
|
|
|
|
k++;
|
|
|
|
if (!k)
|
|
|
|
break; /* Okay: no zero bytes. */
|
|
|
|
k += k/128 + 3; /* Better get some more. */
|
|
|
|
pp = gcry_random_bytes_secure (k, GCRY_STRONG_RANDOM);
|
|
|
|
for (j=0; j < i && k ;)
|
|
|
|
{
|
|
|
|
if (!p[j])
|
|
|
|
p[j] = pp[--k];
|
|
|
|
if (p[j])
|
|
|
|
j++;
|
2006-04-19 11:26:11 +00:00
|
|
|
}
|
2011-01-21 12:00:57 +01:00
|
|
|
xfree (pp);
|
1998-08-08 19:27:00 +00:00
|
|
|
}
|
2011-01-21 12:00:57 +01:00
|
|
|
memcpy (frame+n, p, i);
|
|
|
|
xfree (p);
|
|
|
|
n += i;
|
|
|
|
frame[n++] = 0;
|
|
|
|
frame[n++] = dek->algo;
|
|
|
|
memcpy (frame+n, dek->key, dek->keylen );
|
|
|
|
n += dek->keylen;
|
|
|
|
frame[n++] = csum >>8;
|
|
|
|
frame[n++] = csum;
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert (n == nframe);
|
2020-06-09 10:32:47 +09:00
|
|
|
return gcry_mpi_set_opaque (NULL, frame, 8*n);
|
1997-11-18 14:06:00 +00:00
|
|
|
}
|
|
|
|
|
1997-11-24 11:04:11 +00:00
|
|
|
|
2003-06-18 19:56:13 +00:00
|
|
|
static gcry_mpi_t
|
|
|
|
do_encode_md( gcry_md_hd_t md, int algo, size_t len, unsigned nbits,
|
2006-04-19 11:26:11 +00:00
|
|
|
const byte *asn, size_t asnlen )
|
1997-12-31 12:32:54 +00:00
|
|
|
{
|
2006-11-21 11:00:14 +00:00
|
|
|
size_t nframe = (nbits+7) / 8;
|
1998-02-12 14:39:08 +00:00
|
|
|
byte *frame;
|
1998-01-16 21:15:24 +00:00
|
|
|
int i,n;
|
2003-06-18 19:56:13 +00:00
|
|
|
gcry_mpi_t a;
|
1997-12-31 12:32:54 +00:00
|
|
|
|
2016-06-02 15:14:49 +02:00
|
|
|
if (len + asnlen + 4 > nframe)
|
|
|
|
{
|
|
|
|
log_error ("can't encode a %d bit MD into a %d bits frame, algo=%d\n",
|
|
|
|
(int)(len*8), (int)nbits, algo);
|
|
|
|
return NULL;
|
|
|
|
}
|
1997-12-31 12:32:54 +00:00
|
|
|
|
|
|
|
/* We encode the MD in this way:
|
|
|
|
*
|
2006-04-19 11:26:11 +00:00
|
|
|
* 0 1 PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
|
1997-12-31 12:32:54 +00:00
|
|
|
*
|
|
|
|
* PAD consists of FF bytes.
|
|
|
|
*/
|
2006-04-19 11:26:11 +00:00
|
|
|
frame = gcry_md_is_secure (md)? xmalloc_secure (nframe) : xmalloc (nframe);
|
1997-12-31 12:32:54 +00:00
|
|
|
n = 0;
|
1998-02-12 14:39:08 +00:00
|
|
|
frame[n++] = 0;
|
2006-04-19 11:26:11 +00:00
|
|
|
frame[n++] = 1; /* block type */
|
1998-02-12 14:39:08 +00:00
|
|
|
i = nframe - len - asnlen -3 ;
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert( i > 1 );
|
1998-02-12 14:39:08 +00:00
|
|
|
memset( frame+n, 0xff, i ); n += i;
|
|
|
|
frame[n++] = 0;
|
|
|
|
memcpy( frame+n, asn, asnlen ); n += asnlen;
|
2003-06-18 19:56:13 +00:00
|
|
|
memcpy( frame+n, gcry_md_read (md, algo), len ); n += len;
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert( n == nframe );
|
2006-04-19 11:26:11 +00:00
|
|
|
|
2003-07-28 08:59:18 +00:00
|
|
|
if (gcry_mpi_scan( &a, GCRYMPI_FMT_USG, frame, n, &nframe ))
|
2003-06-18 19:56:13 +00:00
|
|
|
BUG();
|
2006-04-19 11:26:11 +00:00
|
|
|
xfree(frame);
|
|
|
|
|
|
|
|
/* Note that PGP before version 2.3 encoded the MD as:
|
|
|
|
*
|
|
|
|
* 0 1 MD(16 bytes) 0 PAD(n bytes) 1
|
|
|
|
*
|
|
|
|
* The MD is always 16 bytes here because it's always MD5. We do
|
|
|
|
* not support pre-v2.3 signatures, but I'm including this comment
|
|
|
|
* so the information is easily found in the future.
|
|
|
|
*/
|
|
|
|
|
1998-02-12 14:39:08 +00:00
|
|
|
return a;
|
1997-11-24 11:04:11 +00:00
|
|
|
}
|
|
|
|
|
1997-11-24 22:24:04 +00:00
|
|
|
|
2000-07-14 17:34:53 +00:00
|
|
|
/****************
|
|
|
|
* Encode a message digest into an MPI.
|
2006-04-19 11:26:11 +00:00
|
|
|
* If it's for a DSA signature, make sure that the hash is large
|
|
|
|
* enough to fill up q. If the hash is too big, take the leftmost
|
|
|
|
* bits.
|
2000-07-14 17:34:53 +00:00
|
|
|
*/
|
2003-06-18 19:56:13 +00:00
|
|
|
gcry_mpi_t
|
2010-04-20 17:57:50 +00:00
|
|
|
encode_md_value (PKT_public_key *pk, gcry_md_hd_t md, int hash_algo)
|
1997-12-01 10:33:23 +00:00
|
|
|
{
|
2003-06-18 19:56:13 +00:00
|
|
|
gcry_mpi_t frame;
|
2011-02-07 14:38:39 +01:00
|
|
|
size_t mdlen;
|
2006-04-19 11:26:11 +00:00
|
|
|
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert (hash_algo);
|
|
|
|
log_assert (pk);
|
2006-04-19 11:26:11 +00:00
|
|
|
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
if (pk->pubkey_algo == PUBKEY_ALGO_EDDSA)
|
2013-11-15 08:59:45 +01:00
|
|
|
{
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
/* EdDSA signs data of arbitrary length. Thus no special
|
|
|
|
treatment is required. */
|
2013-11-15 08:59:45 +01:00
|
|
|
frame = gcry_mpi_set_opaque_copy (NULL, gcry_md_read (md, hash_algo),
|
|
|
|
8*gcry_md_get_algo_dlen (hash_algo));
|
|
|
|
}
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
else if (pk->pubkey_algo == PUBKEY_ALGO_DSA
|
|
|
|
|| pk->pubkey_algo == PUBKEY_ALGO_ECDSA)
|
2003-06-18 19:56:13 +00:00
|
|
|
{
|
2011-01-21 12:00:57 +01:00
|
|
|
/* It's a DSA signature, so find out the size of q. */
|
2006-04-19 11:26:11 +00:00
|
|
|
|
2011-02-07 14:38:39 +01:00
|
|
|
size_t qbits = gcry_mpi_get_nbits (pk->pkey[1]);
|
2006-04-19 11:26:11 +00:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* pkey[1] is Q for ECDSA, which is an uncompressed point,
|
|
|
|
i.e. 04 <x> <y> */
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
if (pk->pubkey_algo == PUBKEY_ALGO_ECDSA)
|
2011-02-07 14:38:39 +01:00
|
|
|
qbits = ecdsa_qbits_from_Q (qbits);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2006-04-19 11:26:11 +00:00
|
|
|
/* Make sure it is a multiple of 8 bits. */
|
2011-02-07 14:38:39 +01:00
|
|
|
if ((qbits%8))
|
2006-04-19 11:26:11 +00:00
|
|
|
{
|
|
|
|
log_error(_("DSA requires the hash length to be a"
|
|
|
|
" multiple of 8 bits\n"));
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Don't allow any q smaller than 160 bits. This might need a
|
|
|
|
revisit as the DSA2 design firms up, but for now, we don't
|
|
|
|
want someone to issue signatures from a key with a 16-bit q
|
|
|
|
or something like that, which would look correct but allow
|
|
|
|
trivial forgeries. Yes, I know this rules out using MD5 with
|
|
|
|
DSA. ;) */
|
2011-02-07 14:38:39 +01:00
|
|
|
if (qbits < 160)
|
2006-04-19 11:26:11 +00:00
|
|
|
{
|
2011-01-05 17:33:17 -08:00
|
|
|
log_error (_("%s key %s uses an unsafe (%zu bit) hash\n"),
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
openpgp_pk_algo_name (pk->pubkey_algo),
|
|
|
|
keystr_from_pk (pk), qbits);
|
2006-04-19 11:26:11 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
2011-02-03 16:31:42 +01:00
|
|
|
|
2011-02-10 20:16:06 +01:00
|
|
|
|
|
|
|
/* ECDSA 521 is special has it is larger than the largest hash
|
2017-04-28 10:06:33 +09:00
|
|
|
we have (SHA-512). Thus we change the size for further
|
2011-02-10 20:16:06 +01:00
|
|
|
processing to 512. */
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
if (pk->pubkey_algo == PUBKEY_ALGO_ECDSA && qbits > 512)
|
2011-02-10 20:16:06 +01:00
|
|
|
qbits = 512;
|
|
|
|
|
2006-04-19 11:26:11 +00:00
|
|
|
/* Check if we're too short. Too long is safe as we'll
|
2011-02-10 20:16:06 +01:00
|
|
|
automatically left-truncate. */
|
2011-02-07 14:38:39 +01:00
|
|
|
mdlen = gcry_md_get_algo_dlen (hash_algo);
|
2011-02-10 20:16:06 +01:00
|
|
|
if (mdlen < qbits/8)
|
2006-04-19 11:26:11 +00:00
|
|
|
{
|
2011-01-21 12:00:57 +01:00
|
|
|
log_error (_("%s key %s requires a %zu bit or larger hash "
|
2012-08-22 12:54:38 -04:00
|
|
|
"(hash is %s)\n"),
|
gpg: Use only OpenPGP public key algo ids and add the EdDSA algo id.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Change to return a
string.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Likewise.
* agent/pksign.c (do_encode_dsa): Remove bogus map_pk_openpgp_to_gcry.
* g10/misc.c (map_pk_openpgp_to_gcry): Remove.
(openpgp_pk_test_algo): Change to a wrapper for openpgp_pk_test_algo2.
(openpgp_pk_test_algo2): Rewrite.
(openpgp_pk_algo_usage, pubkey_nbits): Add support for EdDSA.
(openpgp_pk_algo_name): Rewrite to remove need for gcry calls.
(pubkey_get_npkey, pubkey_get_nskey): Ditto.
(pubkey_get_nsig, pubkey_get_nenc): Ditto.
* g10/keygen.c(do_create_from_keygrip): Support EdDSA.
(common_gen, gen_ecc, ask_keysize, generate_keypair): Ditto.
* g10/build-packet.c (do_key): Ditto.
* g10/export.c (transfer_format_to_openpgp): Ditto.
* g10/getkey.c (cache_public_key): Ditto.
* g10/import.c (transfer_secret_keys): Ditto.
* g10/keylist.c (list_keyblock_print, list_keyblock_colon): Ditto.
* g10/mainproc.c (proc_pubkey_enc): Ditto.
* g10/parse-packet.c (parse_key): Ditto,
* g10/sign.c (hash_for, sign_file, make_keysig_packet): Ditto.
* g10/keyserver.c (print_keyrec): Use openpgp_pk_algo_name.
* g10/pkglue.c (pk_verify, pk_encrypt, pk_check_secret_key): Use only
OpenPGP algo ids and support EdDSA.
* g10/pubkey-enc.c (get_it): Use only OpenPGP algo ids.
* g10/seskey.c (encode_md_value): Ditto.
--
This patch separates Libgcrypt and OpenPGP public key algorithms ids
and in most cases completely removes the Libgcrypt ones. This is
useful because for Libgcrypt we specify the algorithm in the
S-expressions and the public key ids are not anymore needed.
This patch also adds some support for PUBKEY_ALGO_EDDSA which will
eventually be used instead of merging EdDSA with ECDSA. As of now an
experimental algorithm id is used but the plan is to write an I-D so
that we can get a new id from the IETF. Note that EdDSA (Ed25519)
does not yet work and that more changes are required.
The ECC support is still broken right now. Needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-30 18:48:37 +01:00
|
|
|
openpgp_pk_algo_name (pk->pubkey_algo),
|
|
|
|
keystr_from_pk (pk), qbits,
|
2011-01-21 12:00:57 +01:00
|
|
|
gcry_md_algo_name (hash_algo));
|
2006-04-19 11:26:11 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2011-02-10 20:16:06 +01:00
|
|
|
/* Note that we do the truncation by passing QBITS/8 as length to
|
|
|
|
mpi_scan. */
|
2006-04-19 11:26:11 +00:00
|
|
|
if (gcry_mpi_scan (&frame, GCRYMPI_FMT_USG,
|
2011-02-10 20:16:06 +01:00
|
|
|
gcry_md_read (md, hash_algo), qbits/8, NULL))
|
2003-06-18 19:56:13 +00:00
|
|
|
BUG();
|
1998-06-15 15:41:04 +00:00
|
|
|
}
|
2003-06-18 19:56:13 +00:00
|
|
|
else
|
|
|
|
{
|
2003-07-01 08:34:45 +00:00
|
|
|
gpg_error_t rc;
|
2003-06-18 19:56:13 +00:00
|
|
|
byte *asn;
|
|
|
|
size_t asnlen;
|
2006-04-19 11:26:11 +00:00
|
|
|
|
2008-09-29 15:02:55 +00:00
|
|
|
rc = gcry_md_algo_info (hash_algo, GCRYCTL_GET_ASNOID, NULL, &asnlen);
|
2003-07-01 08:34:45 +00:00
|
|
|
if (rc)
|
2008-09-29 15:02:55 +00:00
|
|
|
log_fatal ("can't get OID of digest algorithm %d: %s\n",
|
2006-04-19 11:26:11 +00:00
|
|
|
hash_algo, gpg_strerror (rc));
|
2010-04-20 17:57:50 +00:00
|
|
|
asn = xtrymalloc (asnlen);
|
|
|
|
if (!asn)
|
|
|
|
return NULL;
|
2006-04-19 11:26:11 +00:00
|
|
|
if ( gcry_md_algo_info (hash_algo, GCRYCTL_GET_ASNOID, asn, &asnlen) )
|
2003-06-18 19:56:13 +00:00
|
|
|
BUG();
|
2006-04-19 11:26:11 +00:00
|
|
|
frame = do_encode_md (md, hash_algo, gcry_md_get_algo_dlen (hash_algo),
|
2010-04-20 17:57:50 +00:00
|
|
|
gcry_mpi_get_nbits (pk->pkey[0]), asn, asnlen);
|
2003-06-18 19:56:13 +00:00
|
|
|
xfree (asn);
|
1998-06-15 15:41:04 +00:00
|
|
|
}
|
2006-04-19 11:26:11 +00:00
|
|
|
|
2003-06-18 19:56:13 +00:00
|
|
|
return frame;
|
1997-12-01 10:33:23 +00:00
|
|
|
}
|