contrib/pgcrypto/pgp-mpi-openssl.c

   1 /*
   2  * pgp-mpi-openssl.c
   3  *        OpenPGP MPI functions using OpenSSL BIGNUM code.
   4  *
   5  * Copyright (c) 2005 Marko Kreen
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  * 1. Redistributions of source code must retain the above copyright
  12  *        notice, this list of conditions and the following disclaimer.
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *        notice, this list of conditions and the following disclaimer in the
  15  *        documentation and/or other materials provided with the distribution.
  16  *
  17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  27  * SUCH DAMAGE.
  28  *
  29  * contrib/pgcrypto/pgp-mpi-openssl.c
  30  */
  31 #include "postgres.h"
  32
  33 #include <openssl/bn.h>
  34
  35 #include "pgp.h"
  36 #include "px.h"
  37
  38 static BIGNUM *
  39 mpi_to_bn(PGP_MPI *n)
  40 {
  41         BIGNUM     *bn = BN_bin2bn(n->data, n->bytes, NULL);
  42
  43         if (!bn)
  44                 return NULL;
  45         if (BN_num_bits(bn) != n->bits)
  46         {
  47                 px_debug("mpi_to_bn: bignum conversion failed: mpi=%d, bn=%d",
  48                                  n->bits, BN_num_bits(bn));
  49                 BN_clear_free(bn);
  50                 return NULL;
  51         }
  52         return bn;
  53 }
  54
  55 static PGP_MPI *
  56 bn_to_mpi(BIGNUM *bn)
  57 {
  58         int                     res;
  59         PGP_MPI    *n;
  60
  61         res = pgp_mpi_alloc(BN_num_bits(bn), &n);
  62         if (res < 0)
  63                 return NULL;
  64
  65         if (BN_num_bytes(bn) != n->bytes)
  66         {
  67                 px_debug("bn_to_mpi: bignum conversion failed: bn=%d, mpi=%d",
  68                                  BN_num_bytes(bn), n->bytes);
  69                 pgp_mpi_free(n);
  70                 return NULL;
  71         }
  72         BN_bn2bin(bn, n->data);
  73         return n;
  74 }
  75
  76 /*
  77  * Decide the number of bits in the random component k
  78  *
  79  * It should be in the same range as p for signing (which
  80  * is deprecated), but can be much smaller for encrypting.
  81  *
  82  * Until I research it further, I just mimic gpg behaviour.
  83  * It has a special mapping table, for values <= 5120,
  84  * above that it uses 'arbitrary high number'.  Following
  85  * algorithm hovers 10-70 bits above gpg values.  And for
  86  * larger p, it uses gpg's algorithm.
  87  *
  88  * The point is - if k gets large, encryption will be
  89  * really slow.  It does not matter for decryption.
  90  */
  91 static int
  92 decide_k_bits(int p_bits)
  93 {
  94         if (p_bits <= 5120)
  95                 return p_bits / 10 + 160;
  96         else
  97                 return (p_bits / 8 + 200) * 3 / 2;
  98 }
  99
 100 int
 101 pgp_elgamal_encrypt(PGP_PubKey *pk, PGP_MPI *_m,
 102                                         PGP_MPI **c1_p, PGP_MPI **c2_p)
 103 {
 104         int                     res = PXE_PGP_MATH_FAILED;
 105         int                     k_bits;
 106         BIGNUM     *m = mpi_to_bn(_m);
 107         BIGNUM     *p = mpi_to_bn(pk->pub.elg.p);
 108         BIGNUM     *g = mpi_to_bn(pk->pub.elg.g);
 109         BIGNUM     *y = mpi_to_bn(pk->pub.elg.y);
 110         BIGNUM     *k = BN_new();
 111         BIGNUM     *yk = BN_new();
 112         BIGNUM     *c1 = BN_new();
 113         BIGNUM     *c2 = BN_new();
 114         BN_CTX     *tmp = BN_CTX_new();
 115
 116         if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp)
 117                 goto err;
 118
 119         /*
 120          * generate k
 121          */
 122         k_bits = decide_k_bits(BN_num_bits(p));
 123         if (!BN_rand(k, k_bits, 0, 0))
 124                 goto err;
 125
 126         /*
 127          * c1 = g^k c2 = m * y^k
 128          */
 129         if (!BN_mod_exp(c1, g, k, p, tmp))
 130                 goto err;
 131         if (!BN_mod_exp(yk, y, k, p, tmp))
 132                 goto err;
 133         if (!BN_mod_mul(c2, m, yk, p, tmp))
 134                 goto err;
 135
 136         /* result */
 137         *c1_p = bn_to_mpi(c1);
 138         *c2_p = bn_to_mpi(c2);
 139         if (*c1_p && *c2_p)
 140                 res = 0;
 141 err:
 142         if (tmp)
 143                 BN_CTX_free(tmp);
 144         if (c2)
 145                 BN_clear_free(c2);
 146         if (c1)
 147                 BN_clear_free(c1);
 148         if (yk)
 149                 BN_clear_free(yk);
 150         if (k)
 151                 BN_clear_free(k);
 152         if (y)
 153                 BN_clear_free(y);
 154         if (g)
 155                 BN_clear_free(g);
 156         if (p)
 157                 BN_clear_free(p);
 158         if (m)
 159                 BN_clear_free(m);
 160         return res;
 161 }
 162
 163 int
 164 pgp_elgamal_decrypt(PGP_PubKey *pk, PGP_MPI *_c1, PGP_MPI *_c2,
 165                                         PGP_MPI **msg_p)
 166 {
 167         int                     res = PXE_PGP_MATH_FAILED;
 168         BIGNUM     *c1 = mpi_to_bn(_c1);
 169         BIGNUM     *c2 = mpi_to_bn(_c2);
 170         BIGNUM     *p = mpi_to_bn(pk->pub.elg.p);
 171         BIGNUM     *x = mpi_to_bn(pk->sec.elg.x);
 172         BIGNUM     *c1x = BN_new();
 173         BIGNUM     *div = BN_new();
 174         BIGNUM     *m = BN_new();
 175         BN_CTX     *tmp = BN_CTX_new();
 176
 177         if (!c1 || !c2 || !p || !x || !c1x || !div || !m || !tmp)
 178                 goto err;
 179
 180         /*
 181          * m = c2 / (c1^x)
 182          */
 183         if (!BN_mod_exp(c1x, c1, x, p, tmp))
 184                 goto err;
 185         if (!BN_mod_inverse(div, c1x, p, tmp))
 186                 goto err;
 187         if (!BN_mod_mul(m, c2, div, p, tmp))
 188                 goto err;
 189
 190         /* result */
 191         *msg_p = bn_to_mpi(m);
 192         if (*msg_p)
 193                 res = 0;
 194 err:
 195         if (tmp)
 196                 BN_CTX_free(tmp);
 197         if (m)
 198                 BN_clear_free(m);
 199         if (div)
 200                 BN_clear_free(div);
 201         if (c1x)
 202                 BN_clear_free(c1x);
 203         if (x)
 204                 BN_clear_free(x);
 205         if (p)
 206                 BN_clear_free(p);
 207         if (c2)
 208                 BN_clear_free(c2);
 209         if (c1)
 210                 BN_clear_free(c1);
 211         return res;
 212 }
 213
 214 int
 215 pgp_rsa_encrypt(PGP_PubKey *pk, PGP_MPI *_m, PGP_MPI **c_p)
 216 {
 217         int                     res = PXE_PGP_MATH_FAILED;
 218         BIGNUM     *m = mpi_to_bn(_m);
 219         BIGNUM     *e = mpi_to_bn(pk->pub.rsa.e);
 220         BIGNUM     *n = mpi_to_bn(pk->pub.rsa.n);
 221         BIGNUM     *c = BN_new();
 222         BN_CTX     *tmp = BN_CTX_new();
 223
 224         if (!m || !e || !n || !c || !tmp)
 225                 goto err;
 226
 227         /*
 228          * c = m ^ e
 229          */
 230         if (!BN_mod_exp(c, m, e, n, tmp))
 231                 goto err;
 232
 233         *c_p = bn_to_mpi(c);
 234         if (*c_p)
 235                 res = 0;
 236 err:
 237         if (tmp)
 238                 BN_CTX_free(tmp);
 239         if (c)
 240                 BN_clear_free(c);
 241         if (n)
 242                 BN_clear_free(n);
 243         if (e)
 244                 BN_clear_free(e);
 245         if (m)
 246                 BN_clear_free(m);
 247         return res;
 248 }
 249
 250 int
 251 pgp_rsa_decrypt(PGP_PubKey *pk, PGP_MPI *_c, PGP_MPI **m_p)
 252 {
 253         int                     res = PXE_PGP_MATH_FAILED;
 254         BIGNUM     *c = mpi_to_bn(_c);
 255         BIGNUM     *d = mpi_to_bn(pk->sec.rsa.d);
 256         BIGNUM     *n = mpi_to_bn(pk->pub.rsa.n);
 257         BIGNUM     *m = BN_new();
 258         BN_CTX     *tmp = BN_CTX_new();
 259
 260         if (!m || !d || !n || !c || !tmp)
 261                 goto err;
 262
 263         /*
 264          * m = c ^ d
 265          */
 266         if (!BN_mod_exp(m, c, d, n, tmp))
 267                 goto err;
 268
 269         *m_p = bn_to_mpi(m);
 270         if (*m_p)
 271                 res = 0;
 272 err:
 273         if (tmp)
 274                 BN_CTX_free(tmp);
 275         if (m)
 276                 BN_clear_free(m);
 277         if (n)
 278                 BN_clear_free(n);
 279         if (d)
 280                 BN_clear_free(d);
 281         if (c)
 282                 BN_clear_free(c);
 283         return res;
 284 }