static void cast5_cfb_decrypt(pgp_crypt_t *crypt, void *out, const void *in, size_t count) { CAST_cfb64_encrypt(in, out, (long)count, crypt->encrypt_key, crypt->iv, &crypt->num, CAST_DECRYPT); }
// Checks if the given password is valid bool Tester::check(const Memblock &mblock) { const String2Key &s2k = m_key.string2Key(); int32_t tmp = 0; // Generate key from password s2k.generateKey(mblock, m_keydata, m_keySize); // Decrypt first data block in order to check the first two bits of // the MPI. If they are correct, there's a good chance that the // password is correct, too. #if 1 memcpy(m_ivec, s2k.ivec(), m_blockSize); switch (m_cipher) { case CryptUtils::CIPHER_CAST5: { CAST_KEY ck; CAST_set_key(&ck, m_keySize, m_keydata); CAST_cfb64_encrypt(m_in, m_out, CAST_BLOCK, &ck, m_ivec, &tmp, CAST_DECRYPT); } break; case CryptUtils::CIPHER_BLOWFISH: { BF_KEY ck; BF_set_key(&ck, m_keySize, m_keydata); BF_cfb64_encrypt(m_in, m_out, BF_BLOCK, &ck, m_ivec, &tmp, BF_DECRYPT); } break; case CryptUtils::CIPHER_AES128: case CryptUtils::CIPHER_AES192: case CryptUtils::CIPHER_AES256: { AES_KEY ck; AES_set_encrypt_key(m_keydata, m_keySize * 8, &ck); AES_cfb128_encrypt(m_in, m_out, AES_BLOCK_SIZE, &ck, m_ivec, &tmp, AES_DECRYPT); } break; default: break; } uint32_t num_bits = ((m_out[0] << 8) | m_out[1]); if (num_bits < MIN_BN_BITS || num_bits > m_bits) { return false; } #endif // Decrypt all data memcpy(m_ivec, s2k.ivec(), m_blockSize); tmp = 0; switch (m_cipher) { case CryptUtils::CIPHER_CAST5: { CAST_KEY ck; CAST_set_key(&ck, m_keySize, m_keydata); CAST_cfb64_encrypt(m_in, m_out, m_datalen, &ck, m_ivec, &tmp, CAST_DECRYPT); } break; case CryptUtils::CIPHER_BLOWFISH: { BF_KEY ck; BF_set_key(&ck, m_keySize, m_keydata); BF_cfb64_encrypt(m_in, m_out, m_datalen, &ck, m_ivec, &tmp, BF_DECRYPT); } break; case CryptUtils::CIPHER_AES128: case CryptUtils::CIPHER_AES192: case CryptUtils::CIPHER_AES256: { AES_KEY ck; AES_set_encrypt_key(m_keydata, m_keySize * 8, &ck); AES_cfb128_encrypt(m_in, m_out, m_datalen, &ck, m_ivec, &tmp, AES_DECRYPT); } break; default: break; } // Verify bool checksumOk = false; switch (s2k.usage()) { case 254: { uint8_t checksum[SHA_DIGEST_LENGTH]; pgpry_SHA_CTX ctx; pgpry_SHA1_Init(&ctx); pgpry_SHA1_Update(&ctx, m_out, m_datalen - SHA_DIGEST_LENGTH); pgpry_SHA1_Final(checksum, &ctx); if (memcmp(checksum, m_out + m_datalen - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH) == 0) { checksumOk = true; } } break; case 0: case 255: { uint16_t sum = 0; for (uint32_t i = 0; i < m_datalen - 2; i++) { sum += m_out[i]; } if (sum == ((m_out[m_datalen - 2] << 8) | m_out[m_datalen - 1])) { checksumOk = true; } } break; default: break; } // If the checksum is ok, try to parse the first MPI of the private key if (checksumOk) { BIGNUM *b = NULL; uint32_t blen = (num_bits + 7) / 8; if (blen < m_datalen && ((b = BN_bin2bn(m_out + 2, blen, NULL)) != NULL)) { BN_free(b); return true; } } return false; }
static int check(unsigned char *keydata, int ks) { // Decrypt first data block in order to check the first two bits of // the MPI. If they are correct, there's a good chance that the // password is correct, too. unsigned char ivec[32]; unsigned char out[BIG_ENOUGH * 2] = { 0 }; int tmp = 0; uint32_t num_bits; int checksumOk; int i; // Quick Hack memcpy(ivec, cur_salt->iv, blockSize(cur_salt->cipher_algorithm)); switch (cur_salt->cipher_algorithm) { case CIPHER_IDEA: { IDEA_KEY_SCHEDULE iks; JtR_idea_set_encrypt_key(keydata, &iks); JtR_idea_cfb64_encrypt(cur_salt->data, out, SALT_LENGTH, &iks, ivec, &tmp, IDEA_DECRYPT); } break; case CIPHER_CAST5: { CAST_KEY ck; CAST_set_key(&ck, ks, keydata); CAST_cfb64_encrypt(cur_salt->data, out, CAST_BLOCK, &ck, ivec, &tmp, CAST_DECRYPT); } break; case CIPHER_BLOWFISH: { BF_KEY ck; BF_set_key(&ck, ks, keydata); BF_cfb64_encrypt(cur_salt->data, out, BF_BLOCK, &ck, ivec, &tmp, BF_DECRYPT); } break; case CIPHER_AES128: case CIPHER_AES192: case CIPHER_AES256: { AES_KEY ck; AES_set_encrypt_key(keydata, ks * 8, &ck); AES_cfb128_encrypt(cur_salt->data, out, AES_BLOCK_SIZE, &ck, ivec, &tmp, AES_DECRYPT); } break; case CIPHER_3DES: { DES_cblock key1, key2, key3; DES_cblock divec; DES_key_schedule ks1, ks2, ks3; int num = 0; memcpy(key1, keydata + 0, 8); memcpy(key2, keydata + 8, 8); memcpy(key3, keydata + 16, 8); memcpy(divec, ivec, 8); DES_set_key((DES_cblock *)key1, &ks1); DES_set_key((DES_cblock *)key2, &ks2); DES_set_key((DES_cblock *)key3, &ks3); DES_ede3_cfb64_encrypt(cur_salt->data, out, SALT_LENGTH, &ks1, &ks2, &ks3, &divec, &num, DES_DECRYPT); } break; default: printf("(check) Unknown Cipher Algorithm %d ;(\n", cur_salt->cipher_algorithm); break; } num_bits = ((out[0] << 8) | out[1]); if (num_bits < MIN_BN_BITS || num_bits > cur_salt->bits) { return 0; } // Decrypt all data memcpy(ivec, cur_salt->iv, blockSize(cur_salt->cipher_algorithm)); tmp = 0; switch (cur_salt->cipher_algorithm) { case CIPHER_IDEA: { IDEA_KEY_SCHEDULE iks; JtR_idea_set_encrypt_key(keydata, &iks); JtR_idea_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &iks, ivec, &tmp, IDEA_DECRYPT); } break; case CIPHER_CAST5: { CAST_KEY ck; CAST_set_key(&ck, ks, keydata); CAST_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &ck, ivec, &tmp, CAST_DECRYPT); } break; case CIPHER_BLOWFISH: { BF_KEY ck; BF_set_key(&ck, ks, keydata); BF_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &ck, ivec, &tmp, BF_DECRYPT); } break; case CIPHER_AES128: case CIPHER_AES192: case CIPHER_AES256: { AES_KEY ck; AES_set_encrypt_key(keydata, ks * 8, &ck); AES_cfb128_encrypt(cur_salt->data, out, cur_salt->datalen, &ck, ivec, &tmp, AES_DECRYPT); } break; case CIPHER_3DES: { DES_cblock key1, key2, key3; DES_cblock divec; DES_key_schedule ks1, ks2, ks3; int num = 0; memcpy(key1, keydata + 0, 8); memcpy(key2, keydata + 8, 8); memcpy(key3, keydata + 16, 8); memcpy(divec, ivec, 8); DES_set_key((DES_cblock *) key1, &ks1); DES_set_key((DES_cblock *) key2, &ks2); DES_set_key((DES_cblock *) key3, &ks3); DES_ede3_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &ks1, &ks2, &ks3, &divec, &num, DES_DECRYPT); } break; default: break; } // Verify checksumOk = 0; switch (cur_salt->usage) { case 254: { uint8_t checksum[SHA_DIGEST_LENGTH]; SHA_CTX ctx; SHA1_Init(&ctx); SHA1_Update(&ctx, out, cur_salt->datalen - SHA_DIGEST_LENGTH); SHA1_Final(checksum, &ctx); if (memcmp(checksum, out + cur_salt->datalen - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH) == 0) return 1; /* we have a 20 byte verifier ;) */ else return 0; } break; case 0: case 255: { // https://tools.ietf.org/html/rfc4880#section-3.7.2 uint16_t sum = 0; for (i = 0; i < cur_salt->datalen - 2; i++) { sum += out[i]; } if (sum == ((out[cur_salt->datalen - 2] << 8) | out[cur_salt->datalen - 1])) { checksumOk = 1; } } break; default: break; } // If the checksum is ok, try to parse the first MPI of the private key // Stop relying on checksum altogether, GnuPG ignores it (after // documenting why though!) if (checksumOk) { BIGNUM *b = NULL; uint32_t blen = (num_bits + 7) / 8; int ret; if (cur_salt->datalen == 24 && blen != 20) /* verifier 1 */ return 0; if (blen < cur_salt->datalen && ((b = BN_bin2bn(out + 2, blen, NULL)) != NULL)) { char *str = BN_bn2hex(b); DSA dsa; ElGamal_secret_key elg; RSA_secret_key rsa; if (strlen(str) != blen * 2) { /* verifier 2 */ OPENSSL_free(str); return 0; } OPENSSL_free(str); if (cur_salt->pk_algorithm == 17) { /* DSA check */ dsa.p = BN_bin2bn(cur_salt->p, cur_salt->pl, NULL); // puts(BN_bn2hex(dsa.p)); dsa.q = BN_bin2bn(cur_salt->q, cur_salt->ql, NULL); // puts(BN_bn2hex(dsa.q)); dsa.g = BN_bin2bn(cur_salt->g, cur_salt->gl, NULL); // puts(BN_bn2hex(dsa.g)); dsa.priv_key = b; dsa.pub_key = BN_bin2bn(cur_salt->y, cur_salt->yl, NULL); // puts(BN_bn2hex(dsa.pub_key)); ret = check_dsa_secret_key(&dsa); /* verifier 3 */ if (ret != 0) return 0; } if (cur_salt->pk_algorithm == 16 || cur_salt->pk_algorithm == 20) { /* ElGamal check */ elg.p = BN_bin2bn(cur_salt->p, cur_salt->pl, NULL); // puts(BN_bn2hex(elg.p)); elg.g = BN_bin2bn(cur_salt->g, cur_salt->gl, NULL); // puts(BN_bn2hex(elg.g)); elg.x = b; // puts(BN_bn2hex(elg.x)); elg.y = BN_bin2bn(cur_salt->y, cur_salt->yl, NULL); // puts(BN_bn2hex(elg.y)); ret = check_elg_secret_key(&elg); /* verifier 3 */ if (ret != 0) return 0; } if (cur_salt->pk_algorithm == 1) { /* RSA check */ // http://www.ietf.org/rfc/rfc4880.txt int length = 0; length += give_multi_precision_integer(out, length, &cur_salt->dl, cur_salt->d); length += give_multi_precision_integer(out, length, &cur_salt->pl, cur_salt->p); length += give_multi_precision_integer(out, length, &cur_salt->ql, cur_salt->q); rsa.n = BN_bin2bn(cur_salt->n, cur_salt->nl, NULL); rsa.p = BN_bin2bn(cur_salt->p, cur_salt->pl, NULL); rsa.q = BN_bin2bn(cur_salt->q, cur_salt->ql, NULL); ret = check_rsa_secret_key(&rsa); if (ret != 0) return 0; } return 1; } } return 0; }
static void cast5_cfb_encrypt(ops_crypt_t *crypt,void *out,const void *in, size_t count) { CAST_cfb64_encrypt(in,out,count, crypt->encrypt_key, crypt->iv, (int *)&crypt->num, CAST_ENCRYPT); }