Browse Source

Release v1, z/OS: Basic encryption decryption

* RSA keys up to 1024 bit length are supported
* Tripple DES as cipher is supported
  (CAST5 is not supported by hard ware acceleration)
* All common SHA variants are supported
master
David Lanzendörfer 11 months ago
parent
commit
8a98d005dd
17 changed files with 176 additions and 234 deletions
  1. +0
    -2
      include/netpgp/create.h
  2. +4
    -0
      include/netpgp/crypto.h
  3. +0
    -1
      include/netpgp/gskssl_glue.h
  4. +0
    -52
      src/create.c
  5. +2
    -2
      src/crypto.c
  6. +5
    -6
      src/gskssl_crypto.c
  7. +3
    -0
      src/gskssl_glue.c
  8. +0
    -12
      src/keyring.c
  9. +6
    -3
      src/main.c
  10. +6
    -9
      src/openssl_crypto.c
  11. +7
    -4
      src/packet-parse.c
  12. +6
    -8
      src/reader.c
  13. +0
    -12
      src/signature.c
  14. +3
    -6
      src/symmetric.c
  15. +90
    -65
      src/symmetric_gskssl.c
  16. +8
    -24
      src/symmetric_openssl.c
  17. +36
    -28
      src/writer.c

+ 0
- 2
include/netpgp/create.h View File

@ -119,7 +119,5 @@ unsigned encode_m_buf(const uint8_t *, size_t, const pgp_pubkey_t *,
uint8_t *);
unsigned pgp_fileread_litdata(const char *, const pgp_litdata_enum,
pgp_output_t *);
unsigned pgp_write_symm_enc_data(const uint8_t *, const int,
pgp_output_t *);
#endif /* CREATE_H_ */

+ 4
- 0
include/netpgp/crypto.h View File

@ -72,6 +72,10 @@
#define PGP_MIN_HASH_SIZE 16
#if defined(HAVE_GSKSSL)
unsigned gsk_num_bits ( gsk_buffer *bn );
#endif
/** pgp_hash_t */
struct pgp_hash_t {
pgp_hash_alg_t alg; /* algorithm */


+ 0
- 1
include/netpgp/gskssl_glue.h View File

@ -25,7 +25,6 @@
#define KEYBITS_CAMELLIA128 128
#define KEYBITS_CAMELLIA256 256
CK_FUNCTION_LIST *funcs;
CK_RV getSession(CK_SESSION_HANDLE *session);


+ 0
- 52
src/create.c View File

@ -189,16 +189,6 @@ mpi_length(const BIGNUM *bn)
return (unsigned)(2 +(BN_num_bits(bn)+7)/8);
}
#elif defined(HAVE_GSKSSL)
static unsigned gsk_num_bits ( gsk_buffer *bn )
{
unsigned r = (bn->length-1)*8;
uint8_t x = ((uint8_t*)bn->data)[0];
do {
r++;
} while (x >>= 1);
return r;
}
static unsigned
mpi_length(gsk_buffer *bn)
{
@ -1407,48 +1397,6 @@ pgp_filewrite(const char *filename, const char *buf,
return (close(fd) == 0);
}
/**
\ingroup Core_WritePackets
\brief Write Symmetrically Encrypted packet
\param data Data to encrypt
\param len Length of data
\param output Write settings
\return 1 if OK; else 0
\note Hard-coded to use AES256
*/
unsigned
pgp_write_symm_enc_data(const uint8_t *data,
const int len,
pgp_output_t * output)
{
pgp_crypt_t crypt_info;
uint8_t *encrypted = (uint8_t *) NULL;
size_t encrypted_sz;
int done = 0;
/* \todo assume AES256 for now */
pgp_crypt_any(&crypt_info, PGP_SA_AES_256);
pgp_encrypt_init(&crypt_info);
encrypted_sz = (size_t)(len + crypt_info.blocksize + 2);
if ((encrypted = calloc(1, encrypted_sz)) == NULL) {
(void) fprintf(stderr, "can't allocate %" PRIsize "d\n",
encrypted_sz);
return 0;
}
done = (int)pgp_encrypt_se(&crypt_info, encrypted, data, (unsigned)len);
if (done != len) {
(void) fprintf(stderr,
"pgp_write_symm_enc_data: done != len\n");
return 0;
}
return pgp_write_ptag(output, PGP_PTAG_CT_SE_DATA) &&
pgp_write_length(output, (unsigned)(1 + encrypted_sz)) &&
pgp_write(output, data, (unsigned)len);
}
/**
\ingroup Core_WritePackets
\brief Write a One Pass Signature packet


+ 2
- 2
src/crypto.c View File

@ -77,7 +77,7 @@ __RCSID("$NetBSD$");
#include <netpgp/validate.h>
#if defined(HAVE_GSKSSL)
static unsigned gsk_num_bits ( gsk_buffer *bn )
unsigned gsk_num_bits ( gsk_buffer *bn )
{
unsigned r = (bn->length-1)*8;
uint8_t x = ((uint8_t*)bn->data)[0];
@ -133,7 +133,7 @@ pgp_decrypt_decode_mpi(uint8_t *buf,
#if defined(HAVE_OPENSSL)
BN_bn2bin(encmpi, encmpibuf);
#elif defined(HAVE_GSKSSL)
memcpy(encmpibuf,encmpi->data,encmpi->length);
memcpy(encmpibuf, encmpi->data, encmpi->length);
#endif
if (pgp_get_debug_level(__FILE__)) {
hexdump(stderr, "encrypted", encmpibuf, 16);


+ 5
- 6
src/gskssl_crypto.c View File

@ -667,7 +667,6 @@ pgp_rsa_private_encrypt(uint8_t *out,
{CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{CKA_MODULUS, pubkey->n->data, pubkey->n->length },
{CKA_PUBLIC_EXPONENT, seckey->d->data, seckey->d->length }, // CKA_PUBLIC_EXPONENT (e) = d
};
rv = getSession(&session);
@ -742,7 +741,7 @@ pgp_rsa_private_decrypt(uint8_t *out,
CK_SESSION_HANDLE session;
CK_RV rv = CKR_OK;
CK_OBJECT_HANDLE key;
CK_ULONG len = length;
CK_ULONG len;
CK_KEY_TYPE keyType = CKK_RSA;
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
@ -752,14 +751,14 @@ pgp_rsa_private_decrypt(uint8_t *out,
};
CK_ATTRIBUTE template[] = {
{CKA_CLASS, &keyClass, sizeof(keyClass) },
{CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{CKA_CLASS, &keyClass, sizeof(keyClass) },
{CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{CKA_MODULUS, pubkey->n->data, pubkey->n->length },
{CKA_PUBLIC_EXPONENT, pubkey->e->data, pubkey->e->length },
{CKA_PRIVATE_EXPONENT, seckey->d->data, seckey->d->length },
{CKA_PRIME_1, seckey->p->data, seckey->p->length },
{CKA_PRIME_2, seckey->q->data, seckey->q->length },
{CKA_COEFFICIENT, seckey->u->data, seckey->u->length },
{CKA_COEFFICIENT, seckey->u->data, seckey->u->length }
};
rv = getSession(&session);
@ -844,7 +843,7 @@ pgp_rsa_public_encrypt(uint8_t *out,
fprintf(stderr, "C_EncryptInit: rv = 0x%.8lX\n", rv);
}
rv = funcs->C_Encrypt(session,(CK_BYTE_PTR)in,length,out,&len);
rv = funcs->C_Encrypt(session, (CK_BYTE_PTR)in, length, out, &len);
if( rv != CKR_OK) {
fprintf(stderr, "C_Encrypt: rv = 0x%.8lX\n", rv);
}


+ 3
- 0
src/gskssl_glue.c View File

@ -73,11 +73,13 @@ CK_RV getSession(CK_SESSION_HANDLE *session)
fprintf(stderr, "C_GetSlotList: rv = 0x%.8lX\n", rv);
return rv;
}
rv = funcs->C_GetTokenInfo(pSlotList[0], &info);
if( rv != CKR_OK ) {
fprintf(stderr, "C_GetTokenInfo: rv = 0x%.8lX\n", rv);
return rv;
}
rv = funcs->C_OpenSession(pSlotList[0], flags, NULL, NULL, session);
if( rv != CKR_OK ) {
fprintf(stderr, "C_OpenSession: rv = 0x%.8lX\n", rv);
@ -85,6 +87,7 @@ CK_RV getSession(CK_SESSION_HANDLE *session)
}
free(pSlotList);
return rv;
}


+ 0
- 12
src/keyring.c View File

@ -516,18 +516,6 @@ const uint8_t *pgp_key_get_primary_userid(pgp_key_t *key)
return NULL;
}
#if defined(HAVE_GSKSSL)
static unsigned gsk_num_bits ( gsk_buffer *bn )
{
unsigned r = (bn->length-1)*8;
uint8_t x = ((uint8_t*)bn->data)[0];
do {
r++;
} while (x >>= 1);
return r;
}
#endif
unsigned key_bit_len(const pgp_pubkey_t *key)
{
switch (key->alg) {


+ 6
- 3
src/main.c View File

@ -365,7 +365,7 @@ int pgp_generate_keypair(netpgp_t *netpgp, prog_t *p)
pgp_key_t *newseckey, *newpubkey;
char newid[1024];
const char *hashalg = NULL, *cipher = NULL, *username = "David Lanzendörfer", *address = "leviathan@libresilicon.com";
hashalg = netpgp_getvar(netpgp, "hash");
/*hashalg = netpgp_getvar(netpgp, "hash");
cipher = netpgp_getvar(netpgp, "cipher");
if(!cipher) {
fprintf(stderr,"No cipher set\n");
@ -374,7 +374,10 @@ int pgp_generate_keypair(netpgp_t *netpgp, prog_t *p)
if(!hashalg) {
fprintf(stderr,"No cipher set\n");
return 0;
}
}*/
cipher = "tripledes";
hashalg = "sha1";
if(snprintf(newid, sizeof(newid), "%s <%s>", username, address) >= sizeof(newid)) return 0;
// Generate the key
newseckey = pgp_keydata_new();
@ -421,7 +424,7 @@ sign_data(netpgp_t *netpgp, prog_t *p, char *in, size_t size)
(p->cmd == CLEARSIGN) ? cleartext :
!cleartext,
p->detached);*/
return 1;
}
int


+ 6
- 9
src/openssl_crypto.c View File

@ -603,13 +603,11 @@ pgp_rsa_private_decrypt(uint8_t *out,
BN_dup(seckey->d)
);
/*printf("len d: %ld\n", BN_num_bytes(seckey->d));
printf("len: %ld\n", length);
printf("d\n");
BN_print_fp(stdout,seckey->d);
printf("\nn\n");
BN_print_fp(stdout,pubkey->n);
printf("\n\n");*/
RSA_set0_factors(
orsa,
BN_dup(seckey->p),
BN_dup(seckey->q)
);
n = RSA_private_decrypt(length, in, out, orsa, RSA_NO_PADDING);
@ -658,8 +656,7 @@ pgp_rsa_public_encrypt(uint8_t *out,
n = RSA_public_encrypt((int)length, in, out, orsa, RSA_NO_PADDING);
if (n == -1) {
BIO *fd_out;
BIO *fd_out;
fd_out = BIO_new_fd(fileno(stderr), BIO_NOCLOSE);
ERR_print_errors(fd_out);
}


+ 7
- 4
src/packet-parse.c View File

@ -143,6 +143,7 @@ limread_data(pgp_data_t *data, unsigned len, pgp_region_t *subregion, pgp_stream
if (!data->contents) {
return 0;
}
memset( data->contents, 0, data->len );
return pgp_limited_read(stream, data->contents, data->len, subregion, &stream->errors, &stream->readinfo, &stream->cbinfo);
}
@ -652,6 +653,7 @@ limread_mpi(gsk_buffer **pbn, pgp_region_t *region, pgp_stream_t *stream)
#endif
{
uint8_t buf[NETPGP_BUFSIZ];
int i;
/*
* An MPI has a 2 byte length part.
* Length is given in bits, so the
@ -711,9 +713,9 @@ limread_mpi(gsk_buffer **pbn, pgp_region_t *region, pgp_stream_t *stream)
#if defined(HAVE_OPENSSL)
*pbn = BN_bin2bn(buf, (int)length, NULL);
#elif defined(HAVE_GSKSSL)
(*pbn) = malloc(sizeof(gsk_buffer));
(*pbn) = malloc( sizeof(gsk_buffer) );
(*pbn)->length = length;
(*pbn)->data = malloc(length);
(*pbn)->data = malloc( length );
memcpy((*pbn)->data, buf, length);
#endif
return 1;
@ -2362,8 +2364,9 @@ parse_v4_sig(pgp_region_t *region, pgp_stream_t *stream)
#if defined(HAVE_OPENSSL)
BN_print_fp(stderr, pkt.u.sig.info.sig.rsa.sig);
#elif defined(HAVE_GSKSSL)
for(int i=0;i<pkt.u.sig.info.sig.rsa.sig->length;i++)
(void) fprintf(stderr, "%X", ((unsigned char*)pkt.u.sig.info.sig.rsa.sig->data)[i]);
for( int i = 0; i < pkt.u.sig.info.sig.rsa.sig->length; i++ ) {
(void) fprintf(stderr, "%02X", ((unsigned char*)pkt.u.sig.info.sig.rsa.sig->data)[i]);
}
#endif
(void) fprintf(stderr, "\n");
}


+ 6
- 8
src/reader.c View File

@ -131,6 +131,8 @@ __RCSID("$NetBSD$");
#include <limits.h>
#endif
#include <netpgp.h>
#include <netpgp/errors.h>
#include <netpgp/crypto.h>
#include <netpgp/create.h>
@ -144,6 +146,7 @@ __RCSID("$NetBSD$");
#include <netpgp/netpgpsdk.h>
#include <netpgp/netpgpdefs.h>
#include <netpgp/netpgpdigest.h>
#include <netpgp/validate.h>
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
@ -1578,8 +1581,7 @@ se_ip_data_reader(pgp_stream_t *stream, void *dest_,
}
/* read entire SE IP packet */
if (!pgp_stacked_limited_read(stream, buf, decrypted_region.length,
&decrypted_region, errors, readinfo, cbinfo)) {
if (!pgp_stacked_limited_read(stream, buf, decrypted_region.length, &decrypted_region, errors, readinfo, cbinfo)) {
free(buf);
return -1;
}
@ -1592,12 +1594,8 @@ se_ip_data_reader(pgp_stream_t *stream, void *dest_,
}
b = se_ip->decrypt->blocksize;
if (buf[b - 2] != buf[b] || buf[b - 1] != buf[b + 1]) {
fprintf(stderr,
"Bad symmetric decrypt (%02x%02x vs %02x%02x)\n",
buf[b - 2], buf[b - 1], buf[b], buf[b + 1]);
PGP_ERROR_1(errors, PGP_E_PROTO_BAD_SYMMETRIC_DECRYPT,
"%s", "Bad symmetric decrypt when parsing SE IP"
" packet");
fprintf(stderr, "Bad symmetric decrypt (%02x%02x vs %02x%02x)\n", buf[b - 2], buf[b - 1], buf[b], buf[b + 1]);
PGP_ERROR_1(errors, PGP_E_PROTO_BAD_SYMMETRIC_DECRYPT, "%s", "Bad symmetric decrypt when parsing SE IP packet");
free(buf);
return -1;
}


+ 0
- 12
src/signature.c View File

@ -144,18 +144,6 @@ static uint8_t prefix_sha512[] = {
0x00, 0x04, 0x40
};
#if defined(HAVE_GSKSSL)
static unsigned gsk_num_bits ( gsk_buffer *bn )
{
unsigned r = (bn->length-1)*8;
uint8_t x = ((uint8_t*)bn->data)[0];
do {
r++;
} while (x >>= 1);
return r;
}
#endif
/* XXX: both this and verify would be clearer if the signature were */
/* treated as an MPI. */
static int


+ 3
- 6
src/symmetric.c View File

@ -132,14 +132,11 @@ pgp_encrypt_se(pgp_crypt_t *encrypt, void *outvoid, const void *invoid,
*/
while (count-- > 0) {
if ((size_t) encrypt->num == encrypt->blocksize) {
(void) memcpy(encrypt->siv, encrypt->civ,
encrypt->blocksize);
encrypt->block_encrypt(encrypt, encrypt->civ,
encrypt->civ);
(void) memcpy(encrypt->siv, encrypt->civ, encrypt->blocksize);
encrypt->block_encrypt(encrypt, encrypt->civ, encrypt->civ);
encrypt->num = 0;
}
encrypt->civ[encrypt->num] = *out++ =
encrypt->civ[encrypt->num] ^ *in++;
encrypt->civ[encrypt->num] = *out++ = encrypt->civ[encrypt->num] ^ *in++;
++encrypt->num;
}


+ 90
- 65
src/symmetric_gskssl.c View File

@ -76,26 +76,28 @@ cryptoki_init( pgp_crypt_t *crypt )
CK_RV rv = CKR_OK;
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_BBOOL true = TRUE, false = FALSE;
CK_ULONG len = crypt->keysize;
CK_ULONG tcount = 0;
CK_ATTRIBUTE template[] = {
{CKA_CLASS, &keyClass, sizeof(keyClass) },
{CKA_KEY_TYPE, &crypt->keyType, sizeof(crypt->keyType) },
{CKA_ENCRYPT, &true, sizeof(true) },
{CKA_VALUE, crypt->key, len }
{CKA_CLASS, &keyClass, sizeof(keyClass) },
{CKA_KEY_TYPE, &crypt->keyType, sizeof(crypt->keyType) },
{CKA_ENCRYPT, &true, sizeof(true) },
{CKA_VALUE, crypt->key, crypt->keysize }
};
tcount = sizeof(template)/sizeof(CK_ATTRIBUTE);
rv = getSession( &crypt->session );
if( rv != CKR_OK) {
fprintf(stderr, "getSession: rv = 0x%.8lX\n", rv);
}
rv = funcs->C_CreateObject( crypt->session, template, sizeof(template)/sizeof(CK_ATTRIBUTE), &crypt->encrypt_key);
rv = funcs->C_CreateObject( crypt->session, template, tcount, &crypt->encrypt_key );
if( rv != CKR_OK) {
fprintf(stderr, "C_CreateObject: rv = 0x%.8lX\n", rv);
}
rv = funcs->C_CreateObject( crypt->session, template, sizeof(template)/sizeof(CK_ATTRIBUTE), &crypt->decrypt_key);
rv = funcs->C_CreateObject( crypt->session, template, tcount, &crypt->decrypt_key );
if( rv != CKR_OK) {
fprintf(stderr, "C_CreateObject: rv = 0x%.8lX\n", rv);
}
@ -120,10 +122,6 @@ cryptoki_finish_int( pgp_crypt_t *crypt )
if( rv != CKR_OK) {
fprintf(stderr, "C_Finalize: rv = 0x%.8lX\n", rv);
}
//free( crypt->session );
//free( crypt->pKey );
//free( crypt->pMechanism );
}
static void
@ -131,7 +129,6 @@ cryptoki_block_encrypt(pgp_crypt_t *crypt, void *out, const void *in)
{
CK_ULONG len = crypt->blocksize;
CK_RV rv = CKR_OK;
CK_OBJECT_HANDLE key = crypt->encrypt_key;
cryptoki_init( crypt );
@ -150,22 +147,21 @@ cryptoki_block_encrypt(pgp_crypt_t *crypt, void *out, const void *in)
}
static void
cryptoki_block_decrypt(pgp_crypt_t *crypt, void *out, const void *in)
cfb64_encrypt_iv( pgp_crypt_t *crypt )
{
CK_ULONG len = crypt->blocksize;
CK_ULONG len;
CK_RV rv = CKR_OK;
CK_OBJECT_HANDLE key = crypt->encrypt_key;
cryptoki_init( crypt );
rv = funcs->C_EncryptInit( crypt->session, &crypt->mechanism, crypt->encrypt_key );
if( rv != CKR_OK) {
fprintf(stderr, "C_DecryptInit: rv = 0x%.8lX\n", rv);
fprintf(stderr, "C_EncryptInit: rv = 0x%.8lX\n", rv);
}
rv = funcs->C_Encrypt( crypt->session, (CK_BYTE_PTR)in, crypt->blocksize, out, &len );
rv = funcs->C_Encrypt( crypt->session, crypt->iv, PGP_MAX_BLOCK_SIZE, crypt->iv, &len );
if( rv != CKR_OK) {
fprintf(stderr, "C_Decrypt: rv = 0x%.8lX\n", rv);
fprintf(stderr, "C_Encrypt: rv = 0x%.8lX\n", rv);
printf("%s:%d\n",__FILE__,__LINE__);
}
@ -173,57 +169,74 @@ cryptoki_block_decrypt(pgp_crypt_t *crypt, void *out, const void *in)
}
static void
cryptoki_cfb_encrypt( pgp_crypt_t *crypt, void *out, const void *in, size_t count )
cryptoki_block_decrypt(pgp_crypt_t *crypt, void *out, const void *in)
{
CK_ULONG len = crypt->blocksize;
CK_RV rv = CKR_OK;
cryptoki_init( crypt );
rv = funcs->C_EncryptInit( crypt->session, &crypt->mechanism, crypt->encrypt_key );
rv = funcs->C_DecryptInit( crypt->session, &crypt->mechanism, crypt->decrypt_key );
if( rv != CKR_OK) {
fprintf(stderr, "C_EncryptInit: rv = 0x%.8lX\n", rv);
fprintf(stderr, "C_DecryptInit: rv = 0x%.8lX\n", rv);
}
rv = funcs->C_Encrypt( crypt->session, (CK_BYTE_PTR)in, crypt->blocksize, out, &len );
rv = funcs->C_Decrypt( crypt->session, (CK_BYTE_PTR)in, crypt->blocksize, out, &len );
if( rv != CKR_OK) {
fprintf(stderr, "C_Encrypt: rv = 0x%.8lX\n", rv);
fprintf(stderr, "C_Decrypt: rv = 0x%.8lX\n", rv);
printf("%s:%d\n",__FILE__,__LINE__);
}
cryptoki_finish_int( crypt );
}
static void
cryptoki_cfb_decrypt( pgp_crypt_t *crypt, void *out, const void *in, size_t count )
{
CK_ULONG len = crypt->blocksize;
CK_RV rv = CKR_OK;
cryptoki_init( crypt );
/*
* The input and output encrypted as though 64bit cfb mode is being used.
* The extra state information to record how much of the 64bit block we have
* used is contained in *num;
*/
rv = funcs->C_EncryptInit( crypt->session, &crypt->mechanism, crypt->encrypt_key );
if( rv != CKR_OK) {
fprintf(stderr, "C_EncryptInit: rv = 0x%.8lX\n", rv);
void cryptoki_cfb64_encrypt( pgp_crypt_t *crypt, void *out, const void *in, size_t count)
{
uint8_t c;
register int i, n;
for ( i = 0, n = crypt->num; i < count; i++, n = ( n + 1 ) & 7 ) {
if( n == 0 ) {
cfb64_encrypt_iv( crypt );
}
c = (((uint8_t *)in)[i]) ^ (crypt->iv[n]);
((uint8_t *)out)[i] = c;
crypt->iv[n] = c;
}
rv = funcs->C_Encrypt( crypt->session, (CK_BYTE_PTR)in, crypt->blocksize, out, &len );
if( rv != CKR_OK) {
fprintf(stderr, "C_Decrypt: rv = 0x%.8lX\n", rv);
printf("%s:%d\n",__FILE__,__LINE__);
crypt->num = n;
}
void cryptoki_cfb64_decrypt( pgp_crypt_t *crypt, void *out, const void *in, size_t count )
{
uint8_t c, cc;
register int i, n;
for ( i = 0, n = crypt->num; i < count; i++, n = ( n + 1 ) & 7 ) {
if( n == 0 ) {
cfb64_encrypt_iv( crypt );
}
c = crypt->iv[n];
cc = ((uint8_t *)in)[i];
crypt->iv[n] = cc;
((uint8_t *)out)[i] = c ^ cc;
}
cryptoki_finish_int( crypt );
crypt->num = n;
}
static int
cast5_init(pgp_crypt_t *crypt)
{
crypt->mechanism.mechanism = CKM_CAST5_ECB;
crypt->mechanism.pParameter = NULL;
crypt->mechanism.ulParameterLen = 0;
crypt->keyType = CKK_CAST5;
crypt->mechanism.pParameter = crypt->iv;
crypt->mechanism.ulParameterLen = crypt->blocksize;
crypt->keyType = CKK_CAST128;
return 1;
}
@ -238,8 +251,8 @@ static pgp_crypt_t cast5 =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -265,8 +278,8 @@ static const pgp_crypt_t idea =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -294,8 +307,8 @@ static const pgp_crypt_t aes128 =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -305,7 +318,10 @@ static const pgp_crypt_t aes128 =
static int
aes256_init(pgp_crypt_t *crypt)
{
printf("%s:%d, %s\n",__FILE__,__LINE__,__FUNCTION__);
crypt->mechanism.mechanism = CKM_AES_ECB;
crypt->mechanism.pParameter = NULL;
crypt->mechanism.ulParameterLen = 0;
crypt->keyType = CKK_AES;
return 1;
}
@ -320,8 +336,8 @@ static const pgp_crypt_t aes256 =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -331,7 +347,10 @@ static const pgp_crypt_t aes256 =
static int
tripledes_init(pgp_crypt_t *crypt)
{
printf("%s:%d, %s\n",__FILE__,__LINE__,__FUNCTION__);
crypt->mechanism.mechanism = CKM_DES3_ECB;
crypt->mechanism.pParameter = NULL;
crypt->mechanism.ulParameterLen = 0;
crypt->keyType = CKK_DES3;
return 1;
}
@ -346,8 +365,8 @@ static const pgp_crypt_t tripledes =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -355,7 +374,10 @@ static const pgp_crypt_t tripledes =
static int
camellia128_init(pgp_crypt_t *crypt)
{
printf("%s:%d, %s\n",__FILE__,__LINE__,__FUNCTION__);
crypt->mechanism.mechanism = CKM_CAMELLIA_ECB;
crypt->mechanism.pParameter = NULL;
crypt->mechanism.ulParameterLen = 0;
crypt->keyType = CKK_CAMELLIA;
return 1;
}
@ -370,8 +392,8 @@ static const pgp_crypt_t camellia128 =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -381,7 +403,10 @@ static const pgp_crypt_t camellia128 =
static int
camellia256_init(pgp_crypt_t *crypt)
{
printf("%s:%d, %s\n",__FILE__,__LINE__,__FUNCTION__);
crypt->mechanism.mechanism = CKM_CAMELLIA_ECB;
crypt->mechanism.pParameter = NULL;
crypt->mechanism.ulParameterLen = 0;
crypt->keyType = CKK_CAMELLIA;
return 1;
}
@ -396,8 +421,8 @@ static const pgp_crypt_t camellia256 =
std_resync,
cryptoki_block_encrypt,
cryptoki_block_decrypt,
cryptoki_cfb_encrypt,
cryptoki_cfb_decrypt,
cryptoki_cfb64_encrypt,
cryptoki_cfb64_decrypt,
cryptoki_finish,
TRAILER
};
@ -440,7 +465,7 @@ get_proto(pgp_symm_alg_t alg)
IBM z/OS is the worst platform for such stuff ever, half
the algorithms aren't implemented.
Here's a list of the few which are, in case you've got a crash
here and wanna have a look at the desert of the real worl yoursel:
here and wanna have a look at the desert of the real world yourself:
https://www.ibm.com/docs/en/zos/2.1.0?topic=api-key-types-mechanisms-supported
*/
unsigned
@ -450,10 +475,10 @@ pgp_is_sa_supported(pgp_symm_alg_t alg)
case PGP_SA_AES_128:
case PGP_SA_AES_256:
case PGP_SA_TRIPLEDES:
case PGP_SA_CAMELLIA_128:
case PGP_SA_CAMELLIA_256:
//case PGP_SA_IDEA:
//case PGP_SA_CAST5:
//case PGP_SA_CAMELLIA_128:
//case PGP_SA_CAMELLIA_256:
case PGP_SA_IDEA:
case PGP_SA_CAST5:
return 1;
default:


+ 8
- 24
src/symmetric_openssl.c View File

@ -298,17 +298,13 @@ aes_block_decrypt(pgp_crypt_t *crypt, void *out, const void *in)
static void
aes_cfb_encrypt(pgp_crypt_t *crypt, void *out, const void *in, size_t count)
{
AES_cfb128_encrypt(in, out, (unsigned)count,
crypt->encrypt_key, crypt->iv, &crypt->num,
AES_ENCRYPT);
AES_cfb128_encrypt(in, out, (unsigned)count, crypt->encrypt_key, crypt->iv, &crypt->num, AES_ENCRYPT);
}
static void
aes_cfb_decrypt(pgp_crypt_t *crypt, void *out, const void *in, size_t count)
{
AES_cfb128_encrypt(in, out, (unsigned)count,
crypt->encrypt_key, crypt->iv, &crypt->num,
AES_DECRYPT);
AES_cfb128_encrypt(in, out, (unsigned)count, crypt->encrypt_key, crypt->iv, &crypt->num, AES_DECRYPT);
}
static const pgp_crypt_t aes128 =
@ -413,40 +409,28 @@ static void
tripledes_block_encrypt(pgp_crypt_t *crypt, void *out, const void *in)
{
DES_key_schedule *keys = crypt->encrypt_key;
DES_ecb3_encrypt(__UNCONST(in), out, &keys[0], &keys[1], &keys[2],
DES_ENCRYPT);
DES_ecb3_encrypt(__UNCONST(in), out, &keys[0], &keys[1], &keys[2], DES_ENCRYPT);
}
static void
tripledes_block_decrypt(pgp_crypt_t *crypt, void *out, const void *in)
{
DES_key_schedule *keys = crypt->encrypt_key;
DES_ecb3_encrypt(__UNCONST(in), out, &keys[0], &keys[1], &keys[2],
DES_DECRYPT);
DES_ecb3_encrypt(__UNCONST(in), out, &keys[0], &keys[1], &keys[2], DES_DECRYPT);
}
static void
tripledes_cfb_encrypt(pgp_crypt_t *crypt, void *out, const void *in,
size_t count)
tripledes_cfb_encrypt(pgp_crypt_t *crypt, void *out, const void *in, size_t count)
{
DES_key_schedule *keys = crypt->encrypt_key;
DES_ede3_cfb64_encrypt(in, out, (long)count,
&keys[0], &keys[1], &keys[2], (DES_cblock *)(void *)crypt->iv,
&crypt->num, DES_ENCRYPT);
DES_ede3_cfb64_encrypt(in, out, (long)count, &keys[0], &keys[1], &keys[2], (DES_cblock *)(void *)crypt->iv, &crypt->num, DES_ENCRYPT);
}
static void
tripledes_cfb_decrypt(pgp_crypt_t *crypt, void *out, const void *in,
size_t count)
tripledes_cfb_decrypt(pgp_crypt_t *crypt, void *out, const void *in, size_t count)
{
DES_key_schedule *keys = crypt->encrypt_key;
DES_ede3_cfb64_encrypt(in, out, (long)count,
&keys[0], &keys[1], &keys[2], (DES_cblock *)(void *)crypt->iv,
&crypt->num, DES_DECRYPT);
DES_ede3_cfb64_encrypt(in, out, (long)count, &keys[0], &keys[1], &keys[2], (DES_cblock *)(void *)crypt->iv, &crypt->num, DES_DECRYPT);
}
static const pgp_crypt_t tripledes =


+ 36
- 28
src/writer.c View File

@ -127,18 +127,6 @@ pgp_write_scalar(pgp_output_t *output, unsigned n, unsigned len)
return 1;
}
#if defined(HAVE_GSKSSL)
static unsigned gsk_num_bits ( gsk_buffer *bn )
{
unsigned r = (bn->length-1)*8;
uint8_t x = ((uint8_t*)bn->data)[0];
do {
r++;
} while (x >>= 1);
return r;
}
#endif
/**
* \ingroup Core_WritePackets
* \param bn
@ -153,6 +141,7 @@ pgp_write_mpi(pgp_output_t *output, gsk_buffer *bn)
#endif
{
unsigned bits;
int i,len;
uint8_t buf[NETPGP_BUFSIZ];
memset(buf, 0, NETPGP_BUFSIZ);
#if defined(HAVE_GSKSSL)
@ -167,7 +156,8 @@ pgp_write_mpi(pgp_output_t *output, gsk_buffer *bn)
#if defined(HAVE_OPENSSL)
BN_bn2bin(bn, buf);
#elif defined(HAVE_GSKSSL)
memcpy(buf, bn->data, (bits + 7) / 8);
len = (bits + 7) / 8;
memcpy(buf, bn->data, len);
#endif
return pgp_write_scalar(output, bits, 2) && pgp_write(output, buf, (bits + 7) / 8);
}
@ -937,17 +927,21 @@ typedef struct {
* encrypts it with the given key
* and outputs the resulting encrypted text
*/
static unsigned
encrypt_writer(const uint8_t *src,
unsigned len,
pgp_error_t **errors,
pgp_writer_t *writer)
{
#define BUFSZ 1024 /* arbitrary number */
uint8_t encbuf[BUFSZ];
unsigned remaining;
unsigned done = 0;
crypt_t *pgp_encrypt;
unsigned size = 0;
uint8_t *encbuf = NULL;
uint8_t *blkbuf = NULL;
unsigned remaining = 0;
unsigned done = 0;
crypt_t *pgp_encrypt = NULL;
size_t blocksize = 0;
remaining = len;
pgp_encrypt = (crypt_t *) pgp_writer_get_arg(writer);
@ -955,17 +949,28 @@ encrypt_writer(const uint8_t *src,
(void) fprintf(stderr, "encrypt_writer: not supported\n");
return 0;
}
while (remaining > 0) {
unsigned size = (remaining < BUFSZ) ? remaining : BUFSZ;
/* memcpy(buf,src,size); // \todo copy needed here? */
pgp_encrypt->crypt->cfb_encrypt(pgp_encrypt->crypt, encbuf, src + done, size);
blocksize = pgp_block_size ( pgp_encrypt->crypt->alg );
encbuf = malloc(blocksize);
blkbuf = malloc(blocksize);
memset(encbuf, 0, blocksize);
memset(blkbuf, 0, blocksize);
while ( remaining > 0 ) {
size = ( remaining < blocksize ) ? remaining : blocksize;
memset( encbuf, 0, blocksize );
memset( blkbuf, 0, blocksize );
memcpy( blkbuf, src + done, size );
pgp_encrypt->crypt->cfb_encrypt( pgp_encrypt->crypt, encbuf, blkbuf, size );
if (pgp_get_debug_level(__FILE__)) {
hexdump(stderr, "unencrypted", &src[done], 16);
hexdump(stderr, "encrypted", encbuf, 16);
hexdump(stderr, "blkbuf", blkbuf, blocksize );
hexdump(stderr, "unencrypted", &src[done], blocksize );
hexdump(stderr, "encrypted", encbuf, blocksize );
}
if (!stacked_write(writer, encbuf, size, errors)) {
if (!stacked_write( writer, encbuf, size, errors )) {
if (pgp_get_debug_level(__FILE__)) {
fprintf(stderr, "encrypted_writer: stacked write\n");
}
@ -1093,8 +1098,8 @@ pgp_push_enc_se_ip(pgp_output_t *output, const pgp_keyring_t *pubkeys, const cha
se_ip->raw = raw;
/* And push writer on stack */
pgp_writer_push(output, encrypt_se_ip_writer, NULL,
encrypt_se_ip_destroyer, se_ip);
pgp_writer_push(output, encrypt_se_ip_writer, NULL, encrypt_se_ip_destroyer, se_ip);
/* tidy up */
free(initial_sesskey);
free(iv);
@ -1181,13 +1186,15 @@ pgp_write_se_ip_pktset(pgp_output_t *output,
uint8_t *preamble;
const size_t mdcsize = 1 + 1 + PGP_SHA1_HASH_SIZE;
size_t preamblesize;
size_t bufsize;
size_t bufsize = 0;
preamblesize = crypted->blocksize + 2;
if ((preamble = calloc(1, preamblesize)) == NULL) {
(void) fprintf(stderr, "pgp_write_se_ip_pktset: bad alloc\n");
return 0;
}
bufsize = preamblesize + len + mdcsize;
if (!pgp_write_ptag(output, PGP_PTAG_CT_SE_IP_DATA) ||
@ -1196,6 +1203,7 @@ pgp_write_se_ip_pktset(pgp_output_t *output,
free(preamble);
return 0;
}
pgp_random(preamble, crypted->blocksize);
preamble[crypted->blocksize] = preamble[crypted->blocksize - 2];
preamble[crypted->blocksize + 1] = preamble[crypted->blocksize - 1];


Loading…
Cancel
Save