static void
cast5_cfb_decrypt(pgp_crypt_t *crypt, void *out, const void *in, size_t count)
{
CAST_cfb64_encrypt(in, out, (long)count,
crypt->encrypt_key, crypt->iv, &crypt->num,
CAST_DECRYPT);
}
// Checks if the given password is valid
bool Tester::check(const Memblock &mblock)
{
const String2Key &s2k = m_key.string2Key();
int32_t tmp = 0;
// Generate key from password
s2k.generateKey(mblock, m_keydata, m_keySize);
// Decrypt first data block in order to check the first two bits of
// the MPI. If they are correct, there's a good chance that the
// password is correct, too.
#if 1
memcpy(m_ivec, s2k.ivec(), m_blockSize);
switch (m_cipher) {
case CryptUtils::CIPHER_CAST5: {
CAST_KEY ck;
CAST_set_key(&ck, m_keySize, m_keydata);
CAST_cfb64_encrypt(m_in, m_out, CAST_BLOCK, &ck, m_ivec, &tmp, CAST_DECRYPT);
}
break;
case CryptUtils::CIPHER_BLOWFISH: {
BF_KEY ck;
BF_set_key(&ck, m_keySize, m_keydata);
BF_cfb64_encrypt(m_in, m_out, BF_BLOCK, &ck, m_ivec, &tmp, BF_DECRYPT);
}
break;
case CryptUtils::CIPHER_AES128:
case CryptUtils::CIPHER_AES192:
case CryptUtils::CIPHER_AES256: {
AES_KEY ck;
AES_set_encrypt_key(m_keydata, m_keySize * 8, &ck);
AES_cfb128_encrypt(m_in, m_out, AES_BLOCK_SIZE, &ck, m_ivec, &tmp, AES_DECRYPT);
}
break;
default:
break;
}
uint32_t num_bits = ((m_out[0] << 8) | m_out[1]);
if (num_bits < MIN_BN_BITS || num_bits > m_bits) {
return false;
}
#endif
// Decrypt all data
memcpy(m_ivec, s2k.ivec(), m_blockSize);
tmp = 0;
switch (m_cipher) {
case CryptUtils::CIPHER_CAST5: {
CAST_KEY ck;
CAST_set_key(&ck, m_keySize, m_keydata);
CAST_cfb64_encrypt(m_in, m_out, m_datalen, &ck, m_ivec, &tmp, CAST_DECRYPT);
}
break;
case CryptUtils::CIPHER_BLOWFISH: {
BF_KEY ck;
BF_set_key(&ck, m_keySize, m_keydata);
BF_cfb64_encrypt(m_in, m_out, m_datalen, &ck, m_ivec, &tmp, BF_DECRYPT);
}
break;
case CryptUtils::CIPHER_AES128:
case CryptUtils::CIPHER_AES192:
case CryptUtils::CIPHER_AES256: {
AES_KEY ck;
AES_set_encrypt_key(m_keydata, m_keySize * 8, &ck);
AES_cfb128_encrypt(m_in, m_out, m_datalen, &ck, m_ivec, &tmp, AES_DECRYPT);
}
break;
default:
break;
}
// Verify
bool checksumOk = false;
switch (s2k.usage()) {
case 254: {
uint8_t checksum[SHA_DIGEST_LENGTH];
pgpry_SHA_CTX ctx;
pgpry_SHA1_Init(&ctx);
pgpry_SHA1_Update(&ctx, m_out, m_datalen - SHA_DIGEST_LENGTH);
pgpry_SHA1_Final(checksum, &ctx);
if (memcmp(checksum, m_out + m_datalen - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH) == 0) {
checksumOk = true;
}
} break;
case 0:
case 255: {
uint16_t sum = 0;
for (uint32_t i = 0; i < m_datalen - 2; i++) {
sum += m_out[i];
}
if (sum == ((m_out[m_datalen - 2] << 8) | m_out[m_datalen - 1])) {
checksumOk = true;
}
} break;
default:
break;
}
// If the checksum is ok, try to parse the first MPI of the private key
if (checksumOk) {
BIGNUM *b = NULL;
uint32_t blen = (num_bits + 7) / 8;
if (blen < m_datalen && ((b = BN_bin2bn(m_out + 2, blen, NULL)) != NULL)) {
BN_free(b);
return true;
}
}
return false;
}
static int check(unsigned char *keydata, int ks)
{
// Decrypt first data block in order to check the first two bits of
// the MPI. If they are correct, there's a good chance that the
// password is correct, too.
unsigned char ivec[32];
unsigned char out[BIG_ENOUGH * 2] = { 0 };
int tmp = 0;
uint32_t num_bits;
int checksumOk;
int i;
// Quick Hack
memcpy(ivec, cur_salt->iv, blockSize(cur_salt->cipher_algorithm));
switch (cur_salt->cipher_algorithm) {
case CIPHER_IDEA: {
IDEA_KEY_SCHEDULE iks;
JtR_idea_set_encrypt_key(keydata, &iks);
JtR_idea_cfb64_encrypt(cur_salt->data, out, SALT_LENGTH, &iks, ivec, &tmp, IDEA_DECRYPT);
}
break;
case CIPHER_CAST5: {
CAST_KEY ck;
CAST_set_key(&ck, ks, keydata);
CAST_cfb64_encrypt(cur_salt->data, out, CAST_BLOCK, &ck, ivec, &tmp, CAST_DECRYPT);
}
break;
case CIPHER_BLOWFISH: {
BF_KEY ck;
BF_set_key(&ck, ks, keydata);
BF_cfb64_encrypt(cur_salt->data, out, BF_BLOCK, &ck, ivec, &tmp, BF_DECRYPT);
}
break;
case CIPHER_AES128:
case CIPHER_AES192:
case CIPHER_AES256: {
AES_KEY ck;
AES_set_encrypt_key(keydata, ks * 8, &ck);
AES_cfb128_encrypt(cur_salt->data, out, AES_BLOCK_SIZE, &ck, ivec, &tmp, AES_DECRYPT);
}
break;
case CIPHER_3DES: {
DES_cblock key1, key2, key3;
DES_cblock divec;
DES_key_schedule ks1, ks2, ks3;
int num = 0;
memcpy(key1, keydata + 0, 8);
memcpy(key2, keydata + 8, 8);
memcpy(key3, keydata + 16, 8);
memcpy(divec, ivec, 8);
DES_set_key((DES_cblock *)key1, &ks1);
DES_set_key((DES_cblock *)key2, &ks2);
DES_set_key((DES_cblock *)key3, &ks3);
DES_ede3_cfb64_encrypt(cur_salt->data, out, SALT_LENGTH, &ks1, &ks2, &ks3, &divec, &num, DES_DECRYPT);
}
break;
default:
printf("(check) Unknown Cipher Algorithm %d ;(\n", cur_salt->cipher_algorithm);
break;
}
num_bits = ((out[0] << 8) | out[1]);
if (num_bits < MIN_BN_BITS || num_bits > cur_salt->bits) {
return 0;
}
// Decrypt all data
memcpy(ivec, cur_salt->iv, blockSize(cur_salt->cipher_algorithm));
tmp = 0;
switch (cur_salt->cipher_algorithm) {
case CIPHER_IDEA: {
IDEA_KEY_SCHEDULE iks;
JtR_idea_set_encrypt_key(keydata, &iks);
JtR_idea_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &iks, ivec, &tmp, IDEA_DECRYPT);
}
break;
case CIPHER_CAST5: {
CAST_KEY ck;
CAST_set_key(&ck, ks, keydata);
CAST_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &ck, ivec, &tmp, CAST_DECRYPT);
}
break;
case CIPHER_BLOWFISH: {
BF_KEY ck;
BF_set_key(&ck, ks, keydata);
BF_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &ck, ivec, &tmp, BF_DECRYPT);
}
break;
case CIPHER_AES128:
case CIPHER_AES192:
case CIPHER_AES256: {
AES_KEY ck;
AES_set_encrypt_key(keydata, ks * 8, &ck);
AES_cfb128_encrypt(cur_salt->data, out, cur_salt->datalen, &ck, ivec, &tmp, AES_DECRYPT);
}
break;
case CIPHER_3DES: {
DES_cblock key1, key2, key3;
DES_cblock divec;
DES_key_schedule ks1, ks2, ks3;
int num = 0;
memcpy(key1, keydata + 0, 8);
memcpy(key2, keydata + 8, 8);
memcpy(key3, keydata + 16, 8);
memcpy(divec, ivec, 8);
DES_set_key((DES_cblock *) key1, &ks1);
DES_set_key((DES_cblock *) key2, &ks2);
DES_set_key((DES_cblock *) key3, &ks3);
DES_ede3_cfb64_encrypt(cur_salt->data, out, cur_salt->datalen, &ks1, &ks2, &ks3, &divec, &num, DES_DECRYPT);
}
break;
default:
break;
}
// Verify
checksumOk = 0;
switch (cur_salt->usage) {
case 254: {
uint8_t checksum[SHA_DIGEST_LENGTH];
SHA_CTX ctx;
SHA1_Init(&ctx);
SHA1_Update(&ctx, out, cur_salt->datalen - SHA_DIGEST_LENGTH);
SHA1_Final(checksum, &ctx);
if (memcmp(checksum, out + cur_salt->datalen - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH) == 0)
return 1; /* we have a 20 byte verifier ;) */
else
return 0;
} break;
case 0:
case 255: {
// https://tools.ietf.org/html/rfc4880#section-3.7.2
uint16_t sum = 0;
for (i = 0; i < cur_salt->datalen - 2; i++) {
sum += out[i];
}
if (sum == ((out[cur_salt->datalen - 2] << 8) | out[cur_salt->datalen - 1])) {
checksumOk = 1;
}
} break;
default:
break;
}
// If the checksum is ok, try to parse the first MPI of the private key
// Stop relying on checksum altogether, GnuPG ignores it (after
// documenting why though!)
if (checksumOk) {
BIGNUM *b = NULL;
uint32_t blen = (num_bits + 7) / 8;
int ret;
if (cur_salt->datalen == 24 && blen != 20) /* verifier 1 */
return 0;
if (blen < cur_salt->datalen && ((b = BN_bin2bn(out + 2, blen, NULL)) != NULL)) {
char *str = BN_bn2hex(b);
DSA dsa;
ElGamal_secret_key elg;
RSA_secret_key rsa;
if (strlen(str) != blen * 2) { /* verifier 2 */
OPENSSL_free(str);
return 0;
}
OPENSSL_free(str);
if (cur_salt->pk_algorithm == 17) { /* DSA check */
dsa.p = BN_bin2bn(cur_salt->p, cur_salt->pl, NULL);
// puts(BN_bn2hex(dsa.p));
dsa.q = BN_bin2bn(cur_salt->q, cur_salt->ql, NULL);
// puts(BN_bn2hex(dsa.q));
dsa.g = BN_bin2bn(cur_salt->g, cur_salt->gl, NULL);
// puts(BN_bn2hex(dsa.g));
dsa.priv_key = b;
dsa.pub_key = BN_bin2bn(cur_salt->y, cur_salt->yl, NULL);
// puts(BN_bn2hex(dsa.pub_key));
ret = check_dsa_secret_key(&dsa); /* verifier 3 */
if (ret != 0)
return 0;
}
if (cur_salt->pk_algorithm == 16 || cur_salt->pk_algorithm == 20) { /* ElGamal check */
elg.p = BN_bin2bn(cur_salt->p, cur_salt->pl, NULL);
// puts(BN_bn2hex(elg.p));
elg.g = BN_bin2bn(cur_salt->g, cur_salt->gl, NULL);
// puts(BN_bn2hex(elg.g));
elg.x = b;
// puts(BN_bn2hex(elg.x));
elg.y = BN_bin2bn(cur_salt->y, cur_salt->yl, NULL);
// puts(BN_bn2hex(elg.y));
ret = check_elg_secret_key(&elg); /* verifier 3 */
if (ret != 0)
return 0;
}
if (cur_salt->pk_algorithm == 1) { /* RSA check */
// http://www.ietf.org/rfc/rfc4880.txt
int length = 0;
length += give_multi_precision_integer(out, length, &cur_salt->dl, cur_salt->d);
length += give_multi_precision_integer(out, length, &cur_salt->pl, cur_salt->p);
length += give_multi_precision_integer(out, length, &cur_salt->ql, cur_salt->q);
rsa.n = BN_bin2bn(cur_salt->n, cur_salt->nl, NULL);
rsa.p = BN_bin2bn(cur_salt->p, cur_salt->pl, NULL);
rsa.q = BN_bin2bn(cur_salt->q, cur_salt->ql, NULL);
ret = check_rsa_secret_key(&rsa);
if (ret != 0)
return 0;
}
return 1;
}
}
return 0;
}
static void cast5_cfb_encrypt(ops_crypt_t *crypt,void *out,const void *in, size_t count)
{
CAST_cfb64_encrypt(in,out,count,
crypt->encrypt_key, crypt->iv, (int *)&crypt->num,
CAST_ENCRYPT);
}
