/* openpgp-fpr.c - OpenPGP Fingerprint computation * Copyright (C) 2021 g10 Code GmbH * * This file is part of GnuPG. * * This file is free software; you can redistribute it and/or modify * it under the terms of either * * - the GNU Lesser General Public License as published by the Free * Software Foundation; either version 3 of the License, or (at * your option) any later version. * * or * * - the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at * your option) any later version. * * or both in parallel, as here. * * This file is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see . * SPDX-License-Identifier: (LGPL-3.0-or-later OR GPL-2.0-or-later) */ #include #include #include #include #include "util.h" #include "openpgpdefs.h" /* Count the number of bits, assuming the A represents an unsigned big * integer of length LEN bytes. */ static unsigned int count_bits (const unsigned char *a, size_t len) { unsigned int n = len * 8; int i; for (; len && !*a; len--, a++, n -=8) ; if (len) { for (i=7; i && !(*a & (1<> 24); prefix[i++] = (n >> 16); } else if (keyversion == 4) { hashalgo = GCRY_MD_SHA1; n += 6; /* Add the prefix length. */ prefix[i++] = 0x99; } else return gpg_error (GPG_ERR_UNKNOWN_VERSION); prefix[i++] = (n >> 8); prefix[i++] = n; prefix[i++] = keyversion; prefix[i++] = (timestamp >> 24); prefix[i++] = (timestamp >> 16); prefix[i++] = (timestamp >> 8); prefix[i++] = (timestamp); prefix[i++] = pgpalgo; if (keyversion == 5) { prefix[i++] = ((n-10) >> 24); prefix[i++] = ((n-10) >> 16); prefix[i++] = ((n-10) >> 8); prefix[i++] = (n-10); } log_assert (i <= sizeof prefix); /* The first element is reserved for our use; set it. */ iov[0].size = 0; iov[0].off = 0; iov[0].len = i; iov[0].data = prefix; /* for (i=0; i < iovcnt; i++) */ /* log_printhex (iov[i].data, iov[i].len, "cmpfpr i=%d: ", i); */ err = gcry_md_hash_buffers (hashalgo, 0, result, iov, iovcnt); /* log_printhex (result, 20, "fingerprint: "); */ /* Better clear the first element because it was set by us. */ iov[0].size = 0; iov[0].off = 0; iov[0].len = 0; iov[0].data = NULL; if (!err && r_resultlen) *r_resultlen = (hashalgo == GCRY_MD_SHA1)? 20 : 32; return err; } gpg_error_t compute_openpgp_fpr_rsa (int keyversion, unsigned long timestamp, const unsigned char *m, unsigned int mlen, const unsigned char *e, unsigned int elen, unsigned char *result, unsigned int *r_resultlen) { gcry_buffer_t iov[5] = { {0} }; unsigned char nbits_m[2], nbits_e[2]; unsigned int n; /* Strip leading zeroes. */ for (; mlen && !*m; mlen--, m++) ; for (; elen && !*e; elen--, e++) ; /* Count bits. */ n = count_bits (m, mlen); nbits_m[0] = n >> 8; nbits_m[1] = n; n = count_bits (e, elen); nbits_e[0] = n >> 8; nbits_e[1] = n; /* Put parms into the array. Note that iov[0] is reserved. */ iov[1].len = 2; iov[1].data = nbits_m; iov[2].len = mlen; iov[2].data = (void*)m; iov[3].len = 2; iov[3].data = nbits_e; iov[4].len = elen; iov[4].data = (void*)e; return compute_openpgp_fpr (keyversion, PUBKEY_ALGO_RSA, timestamp, iov, 5, result, r_resultlen); } /* Determine KDF hash algorithm and KEK encryption algorithm by CURVE. * The returned buffer has a length of 4. * Note: This needs to be kept in sync with the table in g10/ecdh.c */ static const unsigned char* default_ecdh_params (unsigned int nbits) { /* See RFC-6637 for those constants. 0x03: Number of bytes 0x01: Version for this parameter format KEK digest algorithm KEK cipher algorithm */ if (nbits <= 256) return (const unsigned char*)"\x03\x01\x08\x07"; else if (nbits <= 384) return (const unsigned char*)"\x03\x01\x09\x09"; else return (const unsigned char*)"\x03\x01\x0a\x09"; } gpg_error_t compute_openpgp_fpr_ecc (int keyversion, unsigned long timestamp, const char *curvename, int for_encryption, const unsigned char *q, unsigned int qlen, const unsigned char *kdf, unsigned int kdflen, unsigned char *result, unsigned int *r_resultlen) { gpg_error_t err; const char *curveoidstr; gcry_mpi_t curveoid = NULL; unsigned int curvebits; int pgpalgo; const unsigned char *oidraw; size_t oidrawlen; gcry_buffer_t iov[5] = { {0} }; unsigned int iovlen; unsigned char nbits_q[2]; unsigned int n; curveoidstr = openpgp_curve_to_oid (curvename, &curvebits, &pgpalgo, (keyversion > 4)); err = openpgp_oid_from_str (curveoidstr, &curveoid); if (err) goto leave; oidraw = gcry_mpi_get_opaque (curveoid, &n); if (!oidraw) { err = gpg_error_from_syserror (); goto leave; } oidrawlen = (n+7)/8; /* If the curve does not enforce a certain algorithm, we use the * for_encryption flag to decide which algo to use. */ if (!pgpalgo) pgpalgo = for_encryption? PUBKEY_ALGO_ECDH : PUBKEY_ALGO_ECDSA; /* Count bits. */ n = count_sos_bits (q, qlen); nbits_q[0] = n >> 8; nbits_q[1] = n; /* Put parms into the array. Note that iov[0] is reserved. */ iov[1].len = oidrawlen; iov[1].data = (void*)oidraw; iov[2].len = 2; iov[2].data = nbits_q; iov[3].len = qlen; iov[3].data = (void*)q; iovlen = 4; if (pgpalgo == PUBKEY_ALGO_ECDH) { if (!kdf || !kdflen || !kdf[0]) { /* No KDF given - use the default. */ kdflen = 4; kdf = default_ecdh_params (curvebits); } iov[4].len = kdflen; iov[4].data = (void*)kdf; iovlen++; } err = compute_openpgp_fpr (keyversion, pgpalgo, timestamp, iov, iovlen, result, r_resultlen); leave: gcry_mpi_release (curveoid); return err; }