/* * pgp-mpi-openssl.c * OpenPGP MPI functions using OpenSSL BIGNUM code. * * Copyright (c) 2005 Marko Kreen * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * contrib/pgcrypto/pgp-mpi-openssl.c */ #include "postgres.h" #include #include "pgp.h" #include "px.h" static BIGNUM * mpi_to_bn(PGP_MPI *n) { BIGNUM *bn = BN_bin2bn(n->data, n->bytes, NULL); if (!bn) return NULL; if (BN_num_bits(bn) != n->bits) { px_debug("mpi_to_bn: bignum conversion failed: mpi=%d, bn=%d", n->bits, BN_num_bits(bn)); BN_clear_free(bn); return NULL; } return bn; } static PGP_MPI * bn_to_mpi(BIGNUM *bn) { int res; PGP_MPI *n; res = pgp_mpi_alloc(BN_num_bits(bn), &n); if (res < 0) return NULL; if (BN_num_bytes(bn) != n->bytes) { px_debug("bn_to_mpi: bignum conversion failed: bn=%d, mpi=%d", BN_num_bytes(bn), n->bytes); pgp_mpi_free(n); return NULL; } BN_bn2bin(bn, n->data); return n; } /* * Decide the number of bits in the random component k * * It should be in the same range as p for signing (which * is deprecated), but can be much smaller for encrypting. * * Until I research it further, I just mimic gpg behaviour. * It has a special mapping table, for values <= 5120, * above that it uses 'arbitrary high number'. Following * algorithm hovers 10-70 bits above gpg values. And for * larger p, it uses gpg's algorithm. * * The point is - if k gets large, encryption will be * really slow. It does not matter for decryption. */ static int decide_k_bits(int p_bits) { if (p_bits <= 5120) return p_bits / 10 + 160; else return (p_bits / 8 + 200) * 3 / 2; } int pgp_elgamal_encrypt(PGP_PubKey *pk, PGP_MPI *_m, PGP_MPI **c1_p, PGP_MPI **c2_p) { int res = PXE_PGP_MATH_FAILED; int k_bits; BIGNUM *m = mpi_to_bn(_m); BIGNUM *p = mpi_to_bn(pk->pub.elg.p); BIGNUM *g = mpi_to_bn(pk->pub.elg.g); BIGNUM *y = mpi_to_bn(pk->pub.elg.y); BIGNUM *k = BN_new(); BIGNUM *yk = BN_new(); BIGNUM *c1 = BN_new(); BIGNUM *c2 = BN_new(); BN_CTX *tmp = BN_CTX_new(); if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) goto err; /* * generate k */ k_bits = decide_k_bits(BN_num_bits(p)); if (!BN_rand(k, k_bits, 0, 0)) goto err; /* * c1 = g^k c2 = m * y^k */ if (!BN_mod_exp(c1, g, k, p, tmp)) goto err; if (!BN_mod_exp(yk, y, k, p, tmp)) goto err; if (!BN_mod_mul(c2, m, yk, p, tmp)) goto err; /* result */ *c1_p = bn_to_mpi(c1); *c2_p = bn_to_mpi(c2); if (*c1_p && *c2_p) res = 0; err: if (tmp) BN_CTX_free(tmp); if (c2) BN_clear_free(c2); if (c1) BN_clear_free(c1); if (yk) BN_clear_free(yk); if (k) BN_clear_free(k); if (y) BN_clear_free(y); if (g) BN_clear_free(g); if (p) BN_clear_free(p); if (m) BN_clear_free(m); return res; } int pgp_elgamal_decrypt(PGP_PubKey *pk, PGP_MPI *_c1, PGP_MPI *_c2, PGP_MPI **msg_p) { int res = PXE_PGP_MATH_FAILED; BIGNUM *c1 = mpi_to_bn(_c1); BIGNUM *c2 = mpi_to_bn(_c2); BIGNUM *p = mpi_to_bn(pk->pub.elg.p); BIGNUM *x = mpi_to_bn(pk->sec.elg.x); BIGNUM *c1x = BN_new(); BIGNUM *div = BN_new(); BIGNUM *m = BN_new(); BN_CTX *tmp = BN_CTX_new(); if (!c1 || !c2 || !p || !x || !c1x || !div || !m || !tmp) goto err; /* * m = c2 / (c1^x) */ if (!BN_mod_exp(c1x, c1, x, p, tmp)) goto err; if (!BN_mod_inverse(div, c1x, p, tmp)) goto err; if (!BN_mod_mul(m, c2, div, p, tmp)) goto err; /* result */ *msg_p = bn_to_mpi(m); if (*msg_p) res = 0; err: if (tmp) BN_CTX_free(tmp); if (m) BN_clear_free(m); if (div) BN_clear_free(div); if (c1x) BN_clear_free(c1x); if (x) BN_clear_free(x); if (p) BN_clear_free(p); if (c2) BN_clear_free(c2); if (c1) BN_clear_free(c1); return res; } int pgp_rsa_encrypt(PGP_PubKey *pk, PGP_MPI *_m, PGP_MPI **c_p) { int res = PXE_PGP_MATH_FAILED; BIGNUM *m = mpi_to_bn(_m); BIGNUM *e = mpi_to_bn(pk->pub.rsa.e); BIGNUM *n = mpi_to_bn(pk->pub.rsa.n); BIGNUM *c = BN_new(); BN_CTX *tmp = BN_CTX_new(); if (!m || !e || !n || !c || !tmp) goto err; /* * c = m ^ e */ if (!BN_mod_exp(c, m, e, n, tmp)) goto err; *c_p = bn_to_mpi(c); if (*c_p) res = 0; err: if (tmp) BN_CTX_free(tmp); if (c) BN_clear_free(c); if (n) BN_clear_free(n); if (e) BN_clear_free(e); if (m) BN_clear_free(m); return res; } int pgp_rsa_decrypt(PGP_PubKey *pk, PGP_MPI *_c, PGP_MPI **m_p) { int res = PXE_PGP_MATH_FAILED; BIGNUM *c = mpi_to_bn(_c); BIGNUM *d = mpi_to_bn(pk->sec.rsa.d); BIGNUM *n = mpi_to_bn(pk->pub.rsa.n); BIGNUM *m = BN_new(); BN_CTX *tmp = BN_CTX_new(); if (!m || !d || !n || !c || !tmp) goto err; /* * m = c ^ d */ if (!BN_mod_exp(m, c, d, n, tmp)) goto err; *m_p = bn_to_mpi(m); if (*m_p) res = 0; err: if (tmp) BN_CTX_free(tmp); if (m) BN_clear_free(m); if (n) BN_clear_free(n); if (d) BN_clear_free(d); if (c) BN_clear_free(c); return res; }