/** \ingroup Core_WritePackets \brief Write a One Pass Signature packet \param seckey Secret Key to use \param hash_alg Hash Algorithm to use \param sig_type Signature type \param output Write settings \return 1 if OK; else 0 */ unsigned pgp_write_one_pass_sig(pgp_output_t *output, const pgp_seckey_t *seckey, const pgp_hash_alg_t hash_alg, const pgp_sig_type_t sig_type) { uint8_t keyid[PGP_KEY_ID_SIZE]; pgp_keyid(keyid, PGP_KEY_ID_SIZE, &seckey->pubkey, PGP_HASH_SHA1); /* XXX - hardcoded */ return pgp_write_ptag(output, PGP_PTAG_CT_1_PASS_SIG) && pgp_write_length(output, 1 + 1 + 1 + 1 + 8 + 1) && pgp_write_scalar(output, 3, 1) /* version */ && pgp_write_scalar(output, (unsigned)sig_type, 1) && pgp_write_scalar(output, (unsigned)hash_alg, 1) && pgp_write_scalar(output, (unsigned)seckey->pubkey.alg, 1) && pgp_write(output, keyid, 8) && pgp_write_scalar(output, 1, 1); }
unsigned pgp_end_hashed_subpkts(pgp_create_sig_t *sig) { sig->hashlen = (unsigned)(pgp_mem_len(sig->mem) - sig->hashoff - 2); pgp_memory_place_int(sig->mem, sig->hashoff, sig->hashlen, 2); /* dummy unhashed subpacket count */ sig->unhashoff = (unsigned)pgp_mem_len(sig->mem); return pgp_write_scalar(sig->output, 0, 2); }
unsigned pgp_write_ss_header(pgp_output_t *output, unsigned length, pgp_content_enum type) { return pgp_write_length(output, length) && pgp_write_scalar(output, (unsigned)(type - (unsigned)PGP_PTAG_SIG_SUBPKT_BASE), 1); }
static void start_sig_in_mem(pgp_create_sig_t *sig) { /* since this has subpackets and stuff, we have to buffer the whole */ /* thing to get counts before writing. */ sig->mem = pgp_memory_new(); pgp_memory_init(sig->mem, 100); pgp_writer_set_memory(sig->output, sig->mem); /* write nearly up to the first subpacket */ pgp_write_scalar(sig->output, (unsigned)sig->sig.info.version, 1); pgp_write_scalar(sig->output, (unsigned)sig->sig.info.type, 1); pgp_write_scalar(sig->output, (unsigned)sig->sig.info.key_alg, 1); pgp_write_scalar(sig->output, (unsigned)sig->sig.info.hash_alg, 1); /* dummy hashed subpacket count */ sig->hashoff = (unsigned)pgp_mem_len(sig->mem); pgp_write_scalar(sig->output, 0, 2); }
/** \ingroup Core_WritePackets \brief Writes Literal Data packet from buffer \param data Buffer to write out \param maxlen Max length of buffer \param type Literal Data Type \param output Write settings \return 1 if OK; else 0 */ unsigned pgp_write_litdata(pgp_output_t *output, const uint8_t *data, const int maxlen, const pgp_litdata_enum type) { /* * RFC4880 does not specify a meaning for filename or date. * It is implementation-dependent. * We will not implement them. */ /* \todo do we need to check text data for <cr><lf> line endings ? */ return pgp_write_ptag(output, PGP_PTAG_CT_LITDATA) && pgp_write_length(output, (unsigned)(1 + 1 + 4 + maxlen)) && pgp_write_scalar(output, (unsigned)type, 1) && pgp_write_scalar(output, 0, 1) && pgp_write_scalar(output, 0, 4) && pgp_write(output, data, (unsigned)maxlen); }
/* * Note that we support v3 keys here because they're needed for for * verification - the writer doesn't allow them, though */ static unsigned write_pubkey_body(const pgp_pubkey_t *key, pgp_output_t *output) { if (!(pgp_write_scalar(output, (unsigned)key->version, 1) && pgp_write_scalar(output, (unsigned)key->birthtime, 4))) { return 0; } if (key->version != 4 && !pgp_write_scalar(output, key->days_valid, 2)) { return 0; } if (!pgp_write_scalar(output, (unsigned)key->alg, 1)) { return 0; } switch (key->alg) { case PGP_PKA_DSA: return pgp_write_mpi(output, key->key.dsa.p) && pgp_write_mpi(output, key->key.dsa.q) && pgp_write_mpi(output, key->key.dsa.g) && pgp_write_mpi(output, key->key.dsa.y); case PGP_PKA_RSA: case PGP_PKA_RSA_ENCRYPT_ONLY: case PGP_PKA_RSA_SIGN_ONLY: return pgp_write_mpi(output, key->key.rsa.n) && pgp_write_mpi(output, key->key.rsa.e); case PGP_PKA_ELGAMAL: return pgp_write_mpi(output, key->key.elgamal.p) && pgp_write_mpi(output, key->key.elgamal.g) && pgp_write_mpi(output, key->key.elgamal.y); default: (void) fprintf(stderr, "write_pubkey_body: bad algorithm\n"); break; } return 0; }
/* add a time stamp to the output */ unsigned pgp_add_time(pgp_create_sig_t *sig, int64_t when, const char *type) { pgp_content_enum tag; tag = (strcmp(type, "birth") == 0) ? PGP_PTAG_SS_CREATION_TIME : PGP_PTAG_SS_EXPIRATION_TIME; /* just do 32-bit timestamps for just now - it's in the protocol */ return pgp_write_ss_header(sig->output, 5, tag) && pgp_write_scalar(sig->output, (uint32_t)when, (unsigned)sizeof(uint32_t)); }
/** \ingroup Core_WritePackets \brief Writes Public Key Session Key packet \param info Write settings \param pksk Public Key Session Key to write out \return 1 if OK; else 0 */ unsigned pgp_write_pk_sesskey(pgp_output_t *output, pgp_pk_sesskey_t *pksk) { /* XXX - Flexelint - Pointer parameter 'pksk' (line 1076) could be declared as pointing to const */ if (pksk == NULL) { (void) fprintf(stderr, "pgp_write_pk_sesskey: NULL pksk\n"); return 0; } switch (pksk->alg) { case PGP_PKA_RSA: return pgp_write_ptag(output, PGP_PTAG_CT_PK_SESSION_KEY) && pgp_write_length(output, (unsigned)(1 + 8 + 1 + BN_num_bytes(pksk->params.rsa.encrypted_m) + 2)) && pgp_write_scalar(output, (unsigned)pksk->version, 1) && pgp_write(output, pksk->key_id, 8) && pgp_write_scalar(output, (unsigned)pksk->alg, 1) && pgp_write_mpi(output, pksk->params.rsa.encrypted_m) /* ?? && pgp_write_scalar(output, 0, 2); */ ; case PGP_PKA_DSA: case PGP_PKA_ELGAMAL: return pgp_write_ptag(output, PGP_PTAG_CT_PK_SESSION_KEY) && pgp_write_length(output, (unsigned)(1 + 8 + 1 + BN_num_bytes(pksk->params.elgamal.g_to_k) + 2 + BN_num_bytes(pksk->params.elgamal.encrypted_m) + 2)) && pgp_write_scalar(output, (unsigned)pksk->version, 1) && pgp_write(output, pksk->key_id, 8) && pgp_write_scalar(output, (unsigned)pksk->alg, 1) && pgp_write_mpi(output, pksk->params.elgamal.g_to_k) && pgp_write_mpi(output, pksk->params.elgamal.encrypted_m) /* ?? && pgp_write_scalar(output, 0, 2); */ ; default: (void) fprintf(stderr, "pgp_write_pk_sesskey: bad algorithm\n"); return 0; } }
unsigned pgp_write_mpi(pgp_output_t *output, const BIGNUM *bn) { unsigned bits; uint8_t buf[NETPGP_BUFSIZ]; bits = (unsigned)BN_num_bits(bn); if (bits > 65535) { (void) fprintf(stderr, "pgp_write_mpi: too large %u\n", bits); return 0; } BN_bn2bin(bn, buf); return pgp_write_scalar(output, bits, 2) && pgp_write(output, buf, (bits + 7) / 8); }
/** * \ingroup Core_Signature * * Adds primary user ID to the signature * * \param sig * \param primary */ void pgp_add_primary_userid(pgp_create_sig_t *sig, unsigned primary) { pgp_write_ss_header(sig->output, 2, PGP_PTAG_SS_PRIMARY_USER_ID); pgp_write_scalar(sig->output, primary, 1); }
/* * Note that we support v3 keys here because they're needed for * verification. */ static unsigned write_seckey_body(const pgp_seckey_t *key, const uint8_t *passphrase, const size_t pplen, pgp_output_t *output) { /* RFC4880 Section 5.5.3 Secret-Key Packet Formats */ pgp_crypt_t crypted; pgp_hash_t hash; unsigned done = 0; unsigned i = 0; uint8_t *hashed; uint8_t sesskey[CAST_KEY_LENGTH]; if (!write_pubkey_body(&key->pubkey, output)) { return 0; } if (key->s2k_usage != PGP_S2KU_ENCRYPTED_AND_HASHED) { (void) fprintf(stderr, "write_seckey_body: s2k usage\n"); return 0; } if (!pgp_write_scalar(output, (unsigned)key->s2k_usage, 1)) { return 0; } if (key->alg != PGP_SA_CAST5) { (void) fprintf(stderr, "write_seckey_body: algorithm\n"); return 0; } if (!pgp_write_scalar(output, (unsigned)key->alg, 1)) { return 0; } if (key->s2k_specifier != PGP_S2KS_SIMPLE && key->s2k_specifier != PGP_S2KS_SALTED) { /* = 1 \todo could also be iterated-and-salted */ (void) fprintf(stderr, "write_seckey_body: s2k spec\n"); return 0; } if (!pgp_write_scalar(output, (unsigned)key->s2k_specifier, 1)) { return 0; } if (!pgp_write_scalar(output, (unsigned)key->hash_alg, 1)) { return 0; } switch (key->s2k_specifier) { case PGP_S2KS_SIMPLE: /* nothing more to do */ break; case PGP_S2KS_SALTED: /* 8-octet salt value */ pgp_random(__UNCONST(&key->salt[0]), PGP_SALT_SIZE); if (!pgp_write(output, key->salt, PGP_SALT_SIZE)) { return 0; } break; /* * \todo case PGP_S2KS_ITERATED_AND_SALTED: // 8-octet salt * value // 1-octet count break; */ default: (void) fprintf(stderr, "invalid/unsupported s2k specifier %d\n", key->s2k_specifier); return 0; } if (!pgp_write(output, &key->iv[0], pgp_block_size(key->alg))) { return 0; } /* * create the session key for encrypting the algorithm-specific * fields */ switch (key->s2k_specifier) { case PGP_S2KS_SIMPLE: case PGP_S2KS_SALTED: /* RFC4880: section 3.7.1.1 and 3.7.1.2 */ for (done = 0, i = 0; done < CAST_KEY_LENGTH; i++) { unsigned hashsize; unsigned j; unsigned needed; unsigned size; uint8_t zero = 0; /* Hard-coded SHA1 for session key */ pgp_hash_any(&hash, PGP_HASH_SHA1); hashsize = pgp_hash_size(key->hash_alg); needed = CAST_KEY_LENGTH - done; size = MIN(needed, hashsize); if ((hashed = calloc(1, hashsize)) == NULL) { (void) fprintf(stderr, "write_seckey_body: bad alloc\n"); return 0; } if (!hash.init(&hash)) { (void) fprintf(stderr, "write_seckey_body: bad alloc\n"); return 0; } /* preload if iterating */ for (j = 0; j < i; j++) { /* * Coverity shows a DEADCODE error on this * line. This is expected since the hardcoded * use of SHA1 and CAST5 means that it will * not used. This will change however when * other algorithms are supported. */ hash.add(&hash, &zero, 1); } if (key->s2k_specifier == PGP_S2KS_SALTED) { hash.add(&hash, key->salt, PGP_SALT_SIZE); } hash.add(&hash, passphrase, (unsigned)pplen); hash.finish(&hash, hashed); /* * if more in hash than is needed by session key, use * the leftmost octets */ (void) memcpy(&sesskey[i * hashsize], hashed, (unsigned)size); done += (unsigned)size; if (done > CAST_KEY_LENGTH) { (void) fprintf(stderr, "write_seckey_body: short add\n"); return 0; } } break; /* * \todo case PGP_S2KS_ITERATED_AND_SALTED: * 8-octet salt * value * 1-octet count break; */ default: (void) fprintf(stderr, "invalid/unsupported s2k specifier %d\n", key->s2k_specifier); return 0; } /* use this session key to encrypt */ pgp_crypt_any(&crypted, key->alg); crypted.set_iv(&crypted, key->iv); crypted.set_crypt_key(&crypted, sesskey); pgp_encrypt_init(&crypted); if (pgp_get_debug_level(__FILE__)) { hexdump(stderr, "writing: iv=", key->iv, pgp_block_size(key->alg)); hexdump(stderr, "key= ", sesskey, CAST_KEY_LENGTH); (void) fprintf(stderr, "\nturning encryption on...\n"); } pgp_push_enc_crypt(output, &crypted); switch (key->pubkey.alg) { case PGP_PKA_RSA: case PGP_PKA_RSA_ENCRYPT_ONLY: case PGP_PKA_RSA_SIGN_ONLY: if (!pgp_write_mpi(output, key->key.rsa.d) || !pgp_write_mpi(output, key->key.rsa.p) || !pgp_write_mpi(output, key->key.rsa.q) || !pgp_write_mpi(output, key->key.rsa.u)) { if (pgp_get_debug_level(__FILE__)) { (void) fprintf(stderr, "4 x mpi not written - problem\n"); } return 0; } break; case PGP_PKA_DSA: return pgp_write_mpi(output, key->key.dsa.x); case PGP_PKA_ELGAMAL: return pgp_write_mpi(output, key->key.elgamal.x); default: return 0; } if (!pgp_write(output, key->checkhash, PGP_CHECKHASH_SIZE)) { return 0; } pgp_writer_pop(output); return 1; }
static unsigned add_key_prefs(pgp_create_sig_t *sig) { /* similar to pgp_add_key_prefs(), Mimic of GPG default settings, limited to supported algos */ return /* Symmetric algo prefs */ pgp_write_ss_header(sig->output, 6, PGP_PTAG_SS_PREFERRED_SKA) && pgp_write_scalar(sig->output, PGP_SA_AES_256, 1) && pgp_write_scalar(sig->output, PGP_SA_AES_128, 1) && pgp_write_scalar(sig->output, PGP_SA_CAST5, 1) && pgp_write_scalar(sig->output, PGP_SA_TRIPLEDES, 1) && pgp_write_scalar(sig->output, PGP_SA_IDEA, 1) && /* Hash algo prefs, the first algo is the preferred algo */ pgp_write_ss_header(sig->output, 6, PGP_PTAG_SS_PREFERRED_HASH) && pgp_write_scalar(sig->output, PGP_HASH_SHA256, 1) && pgp_write_scalar(sig->output, PGP_HASH_SHA384, 1) && pgp_write_scalar(sig->output, PGP_HASH_SHA512, 1) && pgp_write_scalar(sig->output, PGP_HASH_SHA224, 1) && pgp_write_scalar(sig->output, PGP_HASH_SHA1, 1) && /* Edit for Autocrypt/Delta Chat: due to the weak SHA1, it should not be preferred */ /* Compression algo prefs */ pgp_write_ss_header(sig->output, 2/*1+number of following items*/, PGP_PTAG_SS_PREF_COMPRESS) && pgp_write_scalar(sig->output, PGP_C_ZLIB, 1) /*&& -- not sure if Delta Chat will support bzip2 on all platforms, however, this is not that important as typical files are compressed themselves and text is not that big pgp_write_scalar(sig->output, PGP_C_BZIP2, 1) -- if you re-enable this, do not forget to modifiy the header count*/; }
int dc_pgp_symm_encrypt(dc_context_t* context, const char* passphrase, const void* plain, size_t plain_bytes, char** ret_ctext_armored) { int success = 0; uint8_t salt[PGP_SALT_SIZE]; pgp_crypt_t crypt_info; uint8_t* key = NULL; pgp_output_t* payload_output = NULL; pgp_memory_t* payload_mem = NULL; pgp_output_t* encr_output = NULL; pgp_memory_t* encr_mem = NULL; if (context==NULL || passphrase==NULL || plain==NULL || plain_bytes==0 || ret_ctext_armored==NULL ) { goto cleanup; } //printf("\n~~~~~~~~~~~~~~~~~~~~SETUP-PAYLOAD~~~~~~~~~~~~~~~~~~~~\n%s~~~~~~~~~~~~~~~~~~~~/SETUP-PAYLOAD~~~~~~~~~~~~~~~~~~~~\n",key_asc); // DEBUG OUTPUT /* put the payload into a literal data packet which will be encrypted then, see RFC 4880, 5.7 : "When it has been decrypted, it contains other packets (usually a literal data packet or compressed data packet, but in theory other Symmetrically Encrypted Data packets or sequences of packets that form whole OpenPGP messages)" */ pgp_setup_memory_write(&payload_output, &payload_mem, 128); pgp_write_litdata(payload_output, (const uint8_t*)plain, plain_bytes, PGP_LDT_BINARY); /* create salt for the key */ pgp_random(salt, PGP_SALT_SIZE); /* S2K */ #define SYMM_ALGO PGP_SA_AES_128 if (!pgp_crypt_any(&crypt_info, SYMM_ALGO)) { goto cleanup; } int s2k_spec = PGP_S2KS_ITERATED_AND_SALTED; // 0=simple, 1=salted, 3=salted+iterated int s2k_iter_id = 96; // 0=1024 iterations, 96=65536 iterations #define HASH_ALG PGP_HASH_SHA256 if ((key = pgp_s2k_do(passphrase, crypt_info.keysize, s2k_spec, HASH_ALG, salt, s2k_iter_id))==NULL) { goto cleanup; } /* encrypt the payload using the key using AES-128 and put it into OpenPGP's "Symmetric-Key Encrypted Session Key" (Tag 3, https://tools.ietf.org/html/rfc4880#section-5.3) followed by OpenPGP's "Symmetrically Encrypted Data Packet" (Tag 18, https://tools.ietf.org/html/rfc4880#section-5.13 , better than Tag 9) */ pgp_setup_memory_write(&encr_output, &encr_mem, 128); pgp_writer_push_armor_msg(encr_output); /* Tag 3 - PGP_PTAG_CT_SK_SESSION_KEY */ pgp_write_ptag (encr_output, PGP_PTAG_CT_SK_SESSION_KEY); pgp_write_length (encr_output, 1/*version*/ + 1/*symm. algo*/ + 1/*s2k_spec*/ + 1/*S2 hash algo*/ + ((s2k_spec==PGP_S2KS_SALTED || s2k_spec==PGP_S2KS_ITERATED_AND_SALTED)? PGP_SALT_SIZE : 0)/*the salt*/ + ((s2k_spec==PGP_S2KS_ITERATED_AND_SALTED)? 1 : 0)/*number of iterations*/); pgp_write_scalar (encr_output, 4, 1); // 1 octet: version pgp_write_scalar (encr_output, SYMM_ALGO, 1); // 1 octet: symm. algo pgp_write_scalar (encr_output, s2k_spec, 1); // 1 octet: s2k_spec pgp_write_scalar (encr_output, HASH_ALG, 1); // 1 octet: S2 hash algo if (s2k_spec==PGP_S2KS_SALTED || s2k_spec==PGP_S2KS_ITERATED_AND_SALTED) { pgp_write (encr_output, salt, PGP_SALT_SIZE); // 8 octets: the salt } if (s2k_spec==PGP_S2KS_ITERATED_AND_SALTED) { pgp_write_scalar (encr_output, s2k_iter_id, 1); // 1 octet: number of iterations } // for(int j=0; j<AES_KEY_LENGTH; j++) { printf("%02x", key[j]); } printf("\n----------------\n"); /* Tag 18 - PGP_PTAG_CT_SE_IP_DATA */ //pgp_write_symm_enc_data((const uint8_t*)payload_mem->buf, payload_mem->length, PGP_SA_AES_128, key, encr_output); //-- would generate Tag 9 { uint8_t* iv = calloc(1, crypt_info.blocksize); if (iv==NULL) { goto cleanup; } crypt_info.set_iv(&crypt_info, iv); free(iv); crypt_info.set_crypt_key(&crypt_info, &key[0]); pgp_encrypt_init(&crypt_info); pgp_write_se_ip_pktset(encr_output, payload_mem->buf, payload_mem->length, &crypt_info); crypt_info.decrypt_finish(&crypt_info); } /* done with symmetric key block */ pgp_writer_close(encr_output); *ret_ctext_armored = dc_null_terminate((const char*)encr_mem->buf, encr_mem->length); //printf("\n~~~~~~~~~~~~~~~~~~~~SYMMETRICALLY ENCRYPTED~~~~~~~~~~~~~~~~~~~~\n%s~~~~~~~~~~~~~~~~~~~~/SYMMETRICALLY ENCRYPTED~~~~~~~~~~~~~~~~~~~~\n",encr_string); // DEBUG OUTPUT success = 1; cleanup: if (payload_output) { pgp_output_delete(payload_output); } if (payload_mem) { pgp_memory_free(payload_mem); } if (encr_output) { pgp_output_delete(encr_output); } if (encr_mem) { pgp_memory_free(encr_mem); } free(key); return success; }
unsigned pgp_writez(pgp_output_t *out, const uint8_t *data, const unsigned len) { compress_t *zip; size_t sz_in; size_t sz_out; int ret; int r = 0; /* compress the data */ const int level = Z_DEFAULT_COMPRESSION; /* \todo allow varying * levels */ if ((zip = calloc(1, sizeof(*zip))) == NULL) { (void) fprintf(stderr, "pgp_writez: bad alloc\n"); return 0; } zip->stream.zalloc = Z_NULL; zip->stream.zfree = Z_NULL; zip->stream.opaque = NULL; /* all other fields set to zero by use of calloc */ /* LINTED */ /* this is a lint problem in zlib.h header */ if ((int)deflateInit(&zip->stream, level) != Z_OK) { (void) fprintf(stderr, "pgp_writez: can't initialise\n"); return 0; } /* do necessary transformation */ /* copy input to maintain const'ness of src */ if (zip->src != NULL || zip->dst != NULL) { (void) fprintf(stderr, "pgp_writez: non-null streams\n"); return 0; } sz_in = len * sizeof(uint8_t); sz_out = ((101 * sz_in) / 100) + 12; /* from zlib webpage */ if ((zip->src = calloc(1, sz_in)) == NULL) { free(zip); (void) fprintf(stderr, "pgp_writez: bad alloc2\n"); return 0; } if ((zip->dst = calloc(1, sz_out)) == NULL) { free(zip->src); free(zip); (void) fprintf(stderr, "pgp_writez: bad alloc3\n"); return 0; } (void) memcpy(zip->src, data, len); /* setup stream */ zip->stream.next_in = zip->src; zip->stream.avail_in = (unsigned)sz_in; zip->stream.total_in = 0; zip->stream.next_out = zip->dst; zip->stream.avail_out = (unsigned)sz_out; zip->stream.total_out = 0; do { r = deflate(&zip->stream, Z_FINISH); } while (r != Z_STREAM_END); /* write it out */ ret = pgp_write_ptag(out, PGP_PTAG_CT_COMPRESSED) && pgp_write_length(out, (unsigned)(zip->stream.total_out + 1))&& pgp_write_scalar(out, PGP_C_ZLIB, 1) && pgp_write(out, zip->dst, (unsigned)zip->stream.total_out); free(zip->src); free(zip->dst); free(zip); return ret; }