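DBG_log(" %s", pgp_sym_alg_name[s2k])
		)
		/* private key is unencrypted */
		if (s2k == PGP_SYM_ALG_PLAIN)
		{
			for (i = 2; i < 5; i++)
			{
				key->field[i].len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
				key->field[i].ptr = packet->ptr;
				packet->ptr += key->field[i].len;
				packet->len -= key->field[i].len;
				DBG(DBG_PARSING,
					DBG_log("L3 - %s:", pgp_rsa_privkey_name[i-2])
				)
				DBG_cond_dump_chunk(DBG_PRIVATE, "", key->field[i]);
			}
			return TRUE;
		}
		openswan_log(" %s encryption not supported", pgp_sym_alg_name[s2k]);
		return FALSE;
}

/*
 * Parse an OpenPGP signature packet as defined in section 5.2.2 of RFC 2440.
 *
 * Only V3 signature packets are looked at; a packet of any other version is
 * skipped by returning TRUE without reading further.  The V3 fields are only
 * reported on the DBG_PARSING log - nothing is stored into cert and the
 * signature is NOT verified here.  Callers must not treat a TRUE result as
 * proof that the certificate is self-signed or otherwise trustworthy.
 *
 * Returns FALSE when the packet is malformed: the hashed-material length byte
 * is not 5, or the packet is too short to hold the fixed V3 header fields.
 */
static bool
parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
{
	/* fixed V3 fields that follow the version byte: hashed-material length
	 * (1), signature type (1), creation time (4) and signer key ID
	 */
	const size_t v3_fixed_len = 1 + 1 + 4 + PGP_KEYID_SIZE;
	time_t created;
	chunk_t keyid;
	u_char sig_type;
	u_char version;

	/* the version byte has to be present before pgp_version() reads it */
	if (packet->len < 1)
	{
		openswan_log(" signature packet is empty");
		return FALSE;
	}
	version = pgp_version(packet);

	/* we parse only V3 signature packets */
	if (version != 3)
		return TRUE;

	/* bound the reads below against what is left in the packet.  This
	 * assumes pgp_version()/pgp_size() consume from packet->len, which is
	 * what the manual "packet->len -=" bookkeeping in the secret-key parser
	 * relies on.
	 */
	if (packet->len < v3_fixed_len)
	{
		openswan_log(" V3 signature packet too short");
		return FALSE;
	}

	/* size byte must have the value 5 */
	if (pgp_size(packet, 1) != 5)
	{
		openswan_log(" size must be 5");
		return FALSE;
	}

	/* signature type - 1 byte */
	sig_type = (u_char)pgp_size(packet, 1);
	DBG(DBG_PARSING,
		DBG_log("L3 - signature type: 0x%2x", sig_type)
	)

	/* creation date - 4 bytes; log the value just parsed (the original
	 * logged cert->created, i.e. the public key's creation time)
	 */
	created = (time_t)pgp_size(packet, 4);
	DBG(DBG_PARSING,
		char tbuf[TIMETOA_BUF];
		DBG_log("L3 - created:");
		DBG_log(" %s", timetoa(&created, TRUE, tbuf, sizeof(tbuf)))
	)

	/* key ID of signer - 8 bytes (only dumped, not consumed) */
	keyid.ptr = packet->ptr;
	keyid.len = PGP_KEYID_SIZE;
	DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);

	/* nothing from the signature is recorded in the certificate yet */
	(void)cert;
	return TRUE;
}

/*
 * Parse an OpenPGP file in the RFC 2440 old packet format.
 *
 * blob      the whole file; its buffer is handed over to the certificate
 *           (cert->certificate) or private key (key->keyobject) object and
 *           must not be freed by the caller afterwards.
 * cert      if non-NULL, blob is parsed as a certificate file: public key,
 *           signature and user ID packets are examined.
 * key       if cert is NULL and key is non-NULL, blob is parsed as a private
 *           key file: only secret key packets are examined.
 *
 * Exactly one of cert and key is expected; with both NULL there is nothing to
 * parse and FALSE is returned.  Returns FALSE as soon as a packet is
 * malformed, truncated, or uses the unsupported new packet format; packets of
 * other types are skipped.
 *
 * The file comes from disk and may be corrupt, so every packet header is
 * checked against the bytes still available before it is entered: this keeps
 * a bogus length field from underflowing blob.len and walking off the end of
 * the buffer.
 */
bool
parse_pgp(chunk_t blob, pgpcert_t *cert, rsa_privkey_t *key)
{
	DBG(DBG_PARSING,
		DBG_log("L0 - PGP file:")
	)
	DBG_cond_dump_chunk(DBG_RAW, "", blob);

	if (cert != NULL)
	{
		/* parse a PGP certificate file */
		cert->certificate = blob;
		time(&cert->installed);
	}
	else if (key != NULL)
	{
		/* parse a PGP private key file */
		key->keyobject = blob;
	}
	else
	{
		/* should not occur, nothing to parse */
		return FALSE;
	}

	while (blob.len > 0)
	{
		chunk_t packet = empty_chunk;
		u_char packet_tag = *blob.ptr;
		int packet_type;
		int len_type;

		DBG(DBG_PARSING,
			DBG_log("L1 - PGP packet: tag= 0x%2x", packet_tag)
		)

		/* bit 7 must be set */
		if (!(packet_tag & 0x80))
		{
			openswan_log(" incorrect Packet Tag");
			return FALSE;
		}

		/* bit 6 set defines new packet format */
		if (packet_tag & 0x40)
		{
			openswan_log(" new PGP packet format not supported");
			return FALSE;
		}

		/* old format (RFC 2440 section 4.2.1): bits 5-2 hold the packet
		 * type, bits 1-0 the length type.  Length types 0, 1 and 2 mean a
		 * 1, 2 and 4 octet length field; 3 means indeterminate length.
		 * Make sure the tag plus the length field are actually present
		 * before pgp_old_packet_length() reads them.
		 */
		packet_type = (packet_tag & 0x3C) >> 2;
		len_type = packet_tag & 0x03;
		if (len_type != 3 && blob.len < 1 + ((size_t)1 << len_type))
		{
			openswan_log(" PGP packet header truncated");
			return FALSE;
		}

		packet.len = pgp_old_packet_length(&blob);
		packet.ptr = blob.ptr;

		/* a body length beyond the end of the file would otherwise leave
		 * blob.len underflowed and the packet parsers reading past it
		 */
		if (packet.len > blob.len)
		{
			openswan_log(" PGP packet length exceeds remaining data");
			return FALSE;
		}
		blob.ptr += packet.len;
		blob.len -= packet.len;

		DBG(DBG_PARSING,
			DBG_log(" %s (%d), old format, %d bytes",
				(packet_type < PGP_PKT_ROOF) ?
					pgp_packet_type_name[packet_type] : "Undefined Packet Type",
				packet_type, (int)packet.len);
			DBG_log("L2 - body:")
		)
		DBG_cond_dump_chunk(DBG_RAW, "", packet);

		if (cert != NULL)
		{
			/* parse a PGP certificate */
			switch (packet_type)
			{
			case PGP_PKT_PUBLIC_KEY:
				if (!parse_pgp_pubkey_packet(&packet, cert))
					return FALSE;
				break;
			case PGP_PKT_SIGNATURE:
				if (!parse_pgp_signature_packet(&packet, cert))
					return FALSE;
				break;
			case PGP_PKT_USER_ID:
				/* raw bytes from the file, shown only on the debug log */
				DBG(DBG_PARSING,
					DBG_log("L3 - user ID:");
					DBG_log(" '%.*s'", (int)packet.len, packet.ptr)
				)
				break;
			default:
				break;
			}
		}
		else
		{
			/* parse a PGP private key file */
			switch (packet_type)
			{
			case PGP_PKT_SECRET_KEY:
				if (!parse_pgp_secretkey_packet(&packet, key))
					return FALSE;
				break;
			default:
				break;
			}
		}
	}
	return TRUE;
}

/*
 * Compare two OpenPGP certificates by their raw encoded bytes.
 * Returns TRUE only when both blobs have the same length and content.
 */
static bool
same_pgpcert(pgpcert_t *a, pgpcert_t *b)
{
	if (a->certificate.len != b->certificate.len)
		return FALSE;
	return memcmp(a->certificate.ptr, b->certificate.ptr,
		      b->certificate.len) == 0;
}

/*
 * For each link pointing to the certificate increase the reference count by
 * one.  A NULL cert is ignored.
 */
void
share_pgpcert(pgpcert_t *cert)
{
	if (cert == NULL)
		return;
	cert->count++;
}

/*
 * Select the OpenPGP fingerprint of cert as the ID of end_id.
 *
 * The fingerprint is copied into a temporary cyclic buffer, so end_id does
 * not keep a pointer into cert (the original also assigned cert->fingerprint
 * directly first, which was immediately overwritten and has been dropped).
 * Note the cyclic buffer is, as its name suggests, reused - the copy is only
 * valid for a limited time.
 */
void
select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
{
	end_id->kind = ID_KEY_ID;
	end_id->name.len = PGP_FINGERPRINT_SIZE;
	end_id->name.ptr = temporary_cyclic_buffer();
	memcpy(end_id->name.ptr, cert->fingerprint, PGP_FINGERPRINT_SIZE);
}

/*
 * Add an OpenPGP user/host certificate to the chained list.
 *
 * If an identical certificate is already in the chain, cert is freed and the
 * existing entry is returned - callers must therefore continue with the
 * returned pointer, never with the one they passed in.  Otherwise cert is
 * inserted at the head of the chain and returned.
 */
pgpcert_t*
add_pgpcert(pgpcert_t *cert)
{
	pgpcert_t *c;

	for (c = pgpcerts; c != NULL; c = c->next)
	{
		if (same_pgpcert(c, cert))
		{
			/* already in chain, free cert */
			free_pgpcert(cert);
			return c;
		}
	}

	/* insert new cert at the root of the chain */
	cert->next = pgpcerts;
	pgpcerts = cert;
	return cert;
}

/*
 * Release of a certificate decreases the count by one; the certificate is
 * unlinked from the chain and freed when the counter reaches zero.
 *
 * The unlink walk is bounded by the end of the chain: a certificate that is
 * not (or no longer) linked is still freed, instead of the walk running off
 * a NULL next pointer.
 */
void
release_pgpcert(pgpcert_t *cert)
{
	pgpcert_t **pp;

	if (cert == NULL || --cert->count != 0)
		return;

	pp = &pgpcerts;
	while (*pp != NULL && *pp != cert)
		pp = &(*pp)->next;
	if (*pp != NULL)
		*pp = cert->next;
	free_pgpcert(cert);
}

/*
 * Free a PGP certificate and the encoded blob it owns.
 * A NULL cert is ignored.  The NULL guard on certificate.ptr is kept
 * because pfree() is a project allocator that may not accept NULL.
 */
void
free_pgpcert(pgpcert_t *cert)
{
	if (cert == NULL)
		return;
	if (cert->certificate.ptr != NULL)
		pfree(cert->certificate.ptr);
	pfree(cert);
}

/*
 * List all PGP end certificates in the chained list via whack_log.
 * utc selects UTC or local time for the timestamps shown.
 */
void
list_pgp_end_certs(bool utc)
{
	pgpcert_t *cert = pgpcerts;

	if (cert != NULL)
	{
		whack_log(RC_COMMENT, " ");
		whack_log(RC_COMMENT, "List of PGP End certificates:");
		whack_log(RC_COMMENT, " ");
	}

	for (; cert != NULL; cert = cert->next)
	{
		unsigned keysize;
		char buf[BUF_LEN];
		char tbuf[TIMETOA_BUF];
		cert_t c;

		c.type = CERT_PGP;
		c.u.pgp = cert;

		whack_log(RC_COMMENT, "%s, count: %d"
			, timetoa(&cert->installed, utc, tbuf, sizeof(tbuf))
			, cert->count);
		datatot(cert->fingerprint, PGP_FINGERPRINT_SIZE, 'x', buf, BUF_LEN);
		whack_log(RC_COMMENT, " fingerprint: %s", buf);
		form_keyid(cert->publicExponent, cert->modulus, buf, &keysize);
		whack_log(RC_COMMENT, " pubkey: %4d RSA Key %s%s", 8*keysize, buf,
			(has_private_key(c))? ", has private key" : "");
		whack_log(RC_COMMENT, " created: %s"
			, timetoa(&cert->created, utc, tbuf, sizeof(tbuf)));
		whack_log(RC_COMMENT, " until: %s %s"
			, timetoa(&cert->until, utc, tbuf, sizeof(tbuf)),
			check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
	}
}

/*
 * Extract id and public key from an OpenPGP certificate and insert it into a
 * pubkeyrec, replacing any public key already installed under that id and
 * algorithm.
 *
 * cert            the certificate to take the key from; only RSA is supported,
 *                 other algorithms are logged and ignored.
 * until           expiry time recorded in the pubkey record.
 * dns_auth_level  trust level recorded in the pubkey record.
 *
 * NOTE(review): the pubkey id points directly at cert->fingerprint rather
 * than at a copy (unlike select_pgpcert_id), so the certificate must stay
 * allocated for as long as the public key is installed - confirm against
 * the callers of release_pgpcert().
 */
void
add_pgp_public_key(pgpcert_t *cert , time_t until , enum dns_auth_level dns_auth_level)
{
	struct pubkey *pk;
	cert_t c;

	c.type = CERT_PGP;
	c.u.pgp = cert;

	/* we support RSA only */
	if (cert->pubkeyAlg != PUBKEY_ALG_RSA)
	{
		openswan_log(" RSA public keys supported only");
		return;
	}

	pk = allocate_RSA_public_key(c);
	pk->id.kind = ID_KEY_ID;
	pk->id.name.ptr = cert->fingerprint;
	pk->id.name.len = PGP_FINGERPRINT_SIZE;
	pk->dns_auth_level = dns_auth_level;
	pk->until_time = until;
	delete_public_keys(&pk->id, pk->alg);
	install_public_key(pk, &pubkeys);
}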