![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to rsaglue1.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [PGP] / pgp / src|
Return to rsaglue1.c CVS log | Up to [PGP] / pgp / src |
1.1.1.2 ! root 1: /* ! 2: * rsaglue1.c - These functions wrap and unwrap message digests (MDs) and ! 3: * data encryption keys (DEKs) in padding and RSA-encrypt them into ! 4: * multi-precision integers. This layer of abstraction was introduced ! 5: * to allow the transparent use of either the RSAREF Cryptographic ! 6: * Toolkit from RSA Data Security Inc for the RSA calculations (where ! 7: * the RSA patent applies), or, Philip Zimmermann's mpi library for the ! 8: * RSA calculations. The rsaglue.c module from PGP version 2.3a performs ! 9: * the same functions as this module, but can be compiled to select the ! 10: * use of mpilib functions instead of RSAREF as the underlying math engine. ! 11: * That version of rsaglue.c would be suitable where the RSA patent does ! 12: * not apply, such as Canada. ! 13: * ! 14: * This file uses MPILIB to perform the actual encryption and decryption. ! 15: * It uses the same PKCS format as RSAREF, although it also accepts an older ! 16: * format used in PGP 2.1. ! 17: * ! 18: * (c) Copyright 1990-1996 by Philip Zimmermann. All rights reserved. ! 19: * The author assumes no liability for damages resulting from the use ! 20: * of this software, even if the damage results from defects in this ! 21: * software. No warranty is expressed or implied. ! 22: * ! 23: * Note that while most PGP source modules bear Philip Zimmermann's ! 24: * copyright notice, many of them have been revised or entirely written ! 25: * by contributors who frequently failed to put their names in their ! 26: * code. Code that has been incorporated into PGP from other authors ! 27: * was either originally published in the public domain or is used with ! 28: * permission from the various authors. ! 29: * ! 30: * PGP is available for free to the public under certain restrictions. ! 31: * See the PGP User's Guide (included in the release package) for ! 32: * important information about licensing, patent restrictions on ! 33: * certain algorithms, trademarks, copyrights, and export controls. ! 34: */ ! 35: ! 36: #include <string.h> /* for mem*() */ ! 37: #include "mpilib.h" ! 38: #include "mpiio.h" ! 39: #include "pgp.h" ! 40: #include "rsaglue.h" ! 41: #include "random.h" /* for cryptRandByte() */ ! 42: ! 43: /* No RSADSI credit for MPI version */ ! 44: char signon_legalese[] = ""; ! 45: ! 46: /* These functions hide all the internal details of RSA-encrypted ! 47: * keys and digests. They owe a lot of their heritage to ! 48: * the preblock() and postunblock() routines in mpiio.c. ! 49: */ ! 50: ! 51: /* Abstract Syntax Notation One (ASN.1) Distinguished Encoding Rules (DER) ! 52: encoding for RSA/MD5, used in PKCS-format signatures. */ ! 53: static byte asn_array[] = { /* PKCS 01 block type 01 data */ ! 54: 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,0x86,0xf7,0x0d, ! 55: 0x02,0x05,0x05,0x00,0x04,0x10 }; ! 56: /* This many bytes from the end, there's a zero byte */ ! 57: #define ASN_ZERO_END 3 ! 58: ! 59: int ! 60: rsa_public_encrypt(unitptr outbuf, byteptr inbuf, short bytes, ! 61: unitptr E, unitptr N) ! 62: /* Encrypt a DEK with a public key. Returns 0 on success. ! 63: * <0 means there was an error. ! 64: * -1: Generic error ! 65: * -3: Key too big ! 66: * -4: Key too small ! 67: */ ! 68: { ! 69: unit temp[MAX_UNIT_PRECISION]; ! 70: unsigned int blocksize; ! 71: int i; /* Temporary, and holds error codes */ ! 72: byte *p = (byte *)temp; ! 73: ! 74: /* ! 75: * We are building the mpi in place, except for a possible ! 76: * byte-order swap to little-endian at the end. Thus, we ! 77: * need to fill the buffer with leading 0's in the unused ! 78: * most significant byte positions. ! 79: */ ! 80: blocksize = countbytes(N) - 1; /* Bytes available for user data */ ! 81: for (i = units2bytes(global_precision) - blocksize; i > 0; --i) ! 82: *p++ = 0; ! 83: /* ! 84: * Both the PKCS and PGP 2.0 key formats add a type byte, and a ! 85: * a framing byte of 0 to the user data. The remaining space ! 86: * is filled with random padding. (PKCS requires that there be ! 87: * at least 1 byte of padding.) ! 88: */ ! 89: i = blocksize - 2 - bytes; ! 90: ! 91: if (i < 1) /* Less than minimum padding? */ ! 92: return -4; ! 93: *p++ = CK_ENCRYPTED_BYTE; /* Type byte */ ! 94: while (i) /* Non-zero random padding */ ! 95: if ((*p = cryptRandByte())) ! 96: ++p, --i; ! 97: *p++ = 0; /* Framing byte */ ! 98: memcpy(p, inbuf, bytes); /* User data */ ! 99: ! 100: mp_convert_order((byte *)temp); /* Convert buffer to MPI */ ! 101: i = mp_modexp(outbuf, temp, E, N); /* Do the encryption */ ! 102: if (i < 0) ! 103: i = -1; ! 104: ! 105: Cleanup: ! 106: mp_burn(temp); ! 107: return i < 0 ? i : 0; ! 108: } /* rsa_public_encrypt */ ! 109: ! 110: int ! 111: rsa_private_encrypt(unitptr outbuf, byteptr inbuf, short bytes, ! 112: unitptr E, unitptr D, unitptr P, unitptr Q, unitptr U, unitptr N) ! 113: /* Encrypt a message digest with a private key. ! 114: * Returns <0 on error: ! 115: * -1: generic error ! 116: * -4: Key too big ! 117: * -5: Key too small ! 118: */ ! 119: { ! 120: unit temp[MAX_UNIT_PRECISION]; ! 121: unit DP[MAX_UNIT_PRECISION], DQ[MAX_UNIT_PRECISION]; ! 122: byte *p; ! 123: int i; ! 124: unsigned int blocksize; ! 125: ! 126: /* PGP doesn't store these coefficents, so we need to compute them. */ ! 127: mp_move(temp,P); ! 128: mp_dec(temp); ! 129: mp_mod(DP,D,temp); ! 130: mp_move(temp,Q); ! 131: mp_dec(temp); ! 132: mp_mod(DQ,D,temp); ! 133: ! 134: p = (byte *)temp; ! 135: ! 136: ! 137: /* We are building the mpi in place, except for a possible ! 138: * byte-order swap to little-endian at the end. Thus, we ! 139: * need to fill the buffer with leading 0's in the unused ! 140: * most significant byte positions. ! 141: */ ! 142: blocksize = countbytes(N) - 1; /* Space available for data */ ! 143: for (i = units2bytes(global_precision) - blocksize; i > 0; --i) ! 144: *p++ = 0; ! 145: ! 146: i = blocksize - 2 - bytes; /* Padding needed */ ! 147: i -= sizeof(asn_array); /* Space for type encoding */ ! 148: if (i < 0) { ! 149: i = -4; /* Error code */ ! 150: goto Cleanup; ! 151: } ! 152: *p++ = MD_ENCRYPTED_BYTE; /* Type byte */ ! 153: memset(p, ~0, i); /* All 1's padding */ ! 154: p += i; ! 155: *p++ = 0; /* Zero framing byte */ ! 156: memcpy(p, asn_array, sizeof(asn_array)); /* ASN data */ ! 157: p += sizeof(asn_array); ! 158: memcpy(p, inbuf, bytes); /* User data */ ! 159: ! 160: mp_convert_order((byte *)temp); ! 161: i = mp_modexp_crt(outbuf, temp, P, Q, DP, DQ, U); /* Encrypt */ ! 162: if (i < 0) ! 163: i = -1; ! 164: ! 165: Cleanup: ! 166: burn(temp); ! 167: ! 168: return i; ! 169: } /* rsa_private_encrypt */ ! 170: ! 171: /* Remove a signature packet from an MPI */ ! 172: /* Thus, we expect constant padding and the MIC ASN sequence */ ! 173: int ! 174: rsa_public_decrypt(byteptr outbuf, unitptr inbuf, ! 175: unitptr E, unitptr N) ! 176: /* Decrypt a message digest using a public key. Returns the number of bytes ! 177: * extracted, or <0 on error. ! 178: * -1: Corrupted packet. ! 179: * -3: Key too big ! 180: * -4: Key too small ! 181: * -5: Maybe malformed RSA packet ! 182: * -7: Unknown conventional algorithm ! 183: * -9: Malformed RSA packet ! 184: */ ! 185: { ! 186: unit temp[MAX_UNIT_PRECISION]; ! 187: unsigned int blocksize; ! 188: int i; ! 189: byte *front, *back; ! 190: ! 191: i = mp_modexp(temp, inbuf, E, N); ! 192: if (i < 0) { ! 193: mp_burn(temp); ! 194: return -1; ! 195: } ! 196: mp_convert_order((byte *)temp); ! 197: blocksize = countbytes(N) - 1; ! 198: front = (byte *)temp; /* Points to start of block */ ! 199: i = units2bytes(global_precision); ! 200: back = front + i; /* Points to end of block */ ! 201: i -= countbytes(N) - 1; /* Expected leading 0's */ ! 202: ! 203: /* ! 204: * Strip off the padding. This handles both PKCS and PGP 2.0 ! 205: * formats. If we're using RSAREF2, we use the padding-removal ! 206: * code in RSAPublicDecrypt, which accepts only PKCS style. ! 207: * Oh, well. ! 208: */ ! 209: ! 210: if (i < 0) /* This shouldn't happen */ ! 211: goto ErrorReturn; ! 212: while (i--) /* Extra bytes should be 0 */ ! 213: if (*front++) ! 214: goto ErrorReturn; ! 215: ! 216: /* How to distinguish old PGP from PKCS formats. ! 217: * The old PGP format ends in a trailing type byte, with ! 218: * all 1's padding before that. The PKCS format ends in ! 219: * 16 bytes of message digest, preceded by an ASN string ! 220: * which is not all 1's. ! 221: */ ! 222: if (back[-1] == MD_ENCRYPTED_BYTE && ! 223: back[-17] == 0xff && back[-18] == 0xff) { ! 224: /* Old PGP format: Padding is at the end */ ! 225: if (*--back != MD_ENCRYPTED_BYTE) ! 226: goto ErrorReturn; ! 227: if (*front++ != MD5_ALGORITHM_BYTE) { ! 228: mp_burn(temp); ! 229: return -7; ! 230: } ! 231: while (*--back == 0xff) /* Skip constant padding */ ! 232: ; ! 233: if (*back) /* It should end with a zero */ ! 234: goto ErrorReturn; ! 235: } else { ! 236: /* PKCS format: padding at the beginning */ ! 237: if (*front++ != MD_ENCRYPTED_BYTE) ! 238: goto ErrorReturn; ! 239: while (*front++ == 0xff) /* Skip constant padding */ ! 240: ; ! 241: if (front[-1]) /* First non-FF byte should be 0 */ ! 242: goto ErrorReturn; ! 243: /* Then comes the ASN header */ ! 244: if (memcmp(front, asn_array, sizeof(asn_array))) { ! 245: mp_burn(temp); ! 246: return -7; ! 247: } ! 248: front += sizeof(asn_array); ! 249: } ! 250: ! 251: /* We're done - copy user data to outbuf */ ! 252: if (back < front) ! 253: goto ErrorReturn; ! 254: blocksize = back-front; ! 255: memcpy(outbuf, front, blocksize); ! 256: mp_burn(temp); ! 257: return blocksize; ! 258: ErrorReturn: ! 259: mp_burn(temp); ! 260: return -9; ! 261: } /* rsa_public_decrypt */ ! 262: ! 263: /* We expect to find random padding and an encryption key */ ! 264: int ! 265: rsa_private_decrypt(byteptr outbuf, unitptr inbuf, ! 266: unitptr E, unitptr D, unitptr P, unitptr Q, unitptr U, unitptr N) ! 267: /* Decrypt an encryption key using a private key. Returns the number of bytes ! 268: * extracted, or <0 on error. ! 269: * -1: Generic error ! 270: * -3: Key too big ! 271: * -4: Key too small ! 272: * -5: Maybe malformed RSA ! 273: * -7: Unknown conventional algorithm ! 274: * -9: Malformed RSA packet ! 275: */ ! 276: { ! 277: byte *back; ! 278: byte *front; ! 279: unsigned int blocksize; ! 280: unit temp[MAX_UNIT_PRECISION]; ! 281: unit DP[MAX_UNIT_PRECISION], DQ[MAX_UNIT_PRECISION]; ! 282: int i; ! 283: ! 284: /* PGP doesn't store (d mod p-1) and (d mod q-1), so compute 'em */ ! 285: mp_move(temp,P); ! 286: mp_dec(temp); ! 287: mp_mod(DP,D,temp); ! 288: mp_move(temp,Q); ! 289: mp_dec(temp); ! 290: mp_mod(DQ,D,temp); ! 291: ! 292: i = mp_modexp_crt(temp, inbuf, P, Q, DP, DQ, U); ! 293: mp_burn(DP); ! 294: mp_burn(DQ); ! 295: if (i < 0) { ! 296: mp_burn(temp); ! 297: return -1; ! 298: } ! 299: mp_convert_order((byte *)temp); ! 300: front = (byte *)temp; /* Start of block */ ! 301: i = units2bytes(global_precision); ! 302: back = (byte *)front + i; /* End of block */ ! 303: blocksize = countbytes(N) - 1; ! 304: i -= blocksize; /* Expected # of leading 0's */ ! 305: ! 306: if (i < 0) /* This shouldn't happen */ ! 307: goto Corrupted; ! 308: while (i--) /* Extra bytes should be 0 */ ! 309: if (*front++) ! 310: goto Corrupted; ! 311: ! 312: /* How to distinguish old PGP from PKCS formats. ! 313: * PGP packets have a trailing type byte (CK_ENCRYPTED_BYTE), ! 314: * while PKCS formats have it leading. ! 315: */ ! 316: if (front[0] != CK_ENCRYPTED_BYTE && back[-1] == CK_ENCRYPTED_BYTE) { ! 317: /* PGP 2.0 format - padding at the end */ ! 318: if (back[-1] != CK_ENCRYPTED_BYTE) ! 319: goto Corrupted; ! 320: while (*--back) /* Skip non-zero random padding */ ! 321: ; ! 322: } else { ! 323: /* PKCS format - padding at the beginning */ ! 324: if (*front++ != CK_ENCRYPTED_BYTE) ! 325: goto Corrupted; ! 326: while (*front++) /* Skip non-zero random padding */ ! 327: ; ! 328: } ! 329: if (back <= front) ! 330: goto Corrupted; ! 331: blocksize = back-front; ! 332: ! 333: memcpy(outbuf, front, blocksize); ! 334: mp_burn(temp); ! 335: return blocksize; ! 336: ! 337: Corrupted: ! 338: mp_burn(temp); ! 339: return -9; ! 340: } /* rsa_private_decrypt */
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.