2003-08-05 19:11:04 +02:00
|
|
|
|
/* protect.c - Un/Protect a secret key
|
2014-11-04 16:28:03 +01:00
|
|
|
|
* Copyright (C) 1998-2003, 2007, 2009, 2011 Free Software Foundation, Inc.
|
2015-01-29 16:26:07 +01:00
|
|
|
|
* Copyright (C) 1998-2003, 2007, 2009, 2011, 2013-2015 Werner Koch
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*
|
|
|
|
|
* This file is part of GnuPG.
|
|
|
|
|
*
|
|
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
2007-07-04 21:49:40 +02:00
|
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
2003-08-05 19:11:04 +02:00
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2016-11-05 12:02:19 +01:00
|
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
2017-11-07 02:49:36 +01:00
|
|
|
|
#include <time.h>
|
2003-08-05 19:11:04 +02:00
|
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <sys/stat.h>
|
2009-12-14 21:12:56 +01:00
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
2014-03-07 09:46:44 +01:00
|
|
|
|
# ifdef HAVE_WINSOCK2_H
|
|
|
|
|
# include <winsock2.h>
|
|
|
|
|
# endif
|
2009-12-14 21:12:56 +01:00
|
|
|
|
# include <windows.h>
|
|
|
|
|
#else
|
|
|
|
|
# include <sys/times.h>
|
|
|
|
|
#endif
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
#include "agent.h"
|
|
|
|
|
|
2013-08-01 11:32:05 +02:00
|
|
|
|
#include "cvt-openpgp.h"
|
agent: Resolve conflict of util.h.
* agent/Makefile.am (AM_CPPFLAGS): Remove -I$(top_srcdir)/common.
* agent/call-pinentry.c, agent/call-scd.c: Follow the change.
* agent/command-ssh.c, agent/command.c, agent/cvt-openpgp.c: Ditto.
* agent/divert-scd.c, agent/findkey.c, agent/genkey.c: Ditto.
* agent/gpg-agent.c, agent/pksign.c, agent/preset-passphrase.c: Ditto.
* agent/protect-tool.c, agent/protect.c, agent/trustlist.c: Ditto.
* agent/w32main.c: Ditto.
--
For openpty function, we need to include util.h on some OS.
We also have util.h in common/, so this change is needed.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-07 11:22:48 +01:00
|
|
|
|
#include "../common/sexp-parse.h"
|
2019-01-26 23:10:38 +01:00
|
|
|
|
#include "../common/openpgpdefs.h" /* For s2k functions. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2014-09-01 10:15:21 +02:00
|
|
|
|
/* The protection mode for encryption. The supported modes for
|
|
|
|
|
decryption are listed in agent_unprotect(). */
|
|
|
|
|
#define PROT_CIPHER GCRY_CIPHER_AES128
|
2003-08-05 19:11:04 +02:00
|
|
|
|
#define PROT_CIPHER_STRING "aes"
|
|
|
|
|
#define PROT_CIPHER_KEYLEN (128/8)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* A table containing the information needed to create a protected
|
2011-01-21 12:00:57 +01:00
|
|
|
|
private key. */
|
2017-05-22 23:42:44 +02:00
|
|
|
|
static const struct {
|
2003-08-05 19:11:04 +02:00
|
|
|
|
const char *algo;
|
|
|
|
|
const char *parmlist;
|
|
|
|
|
int prot_from, prot_to;
|
2012-12-12 18:47:21 +01:00
|
|
|
|
int ecc_hack;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
} protect_info[] = {
|
|
|
|
|
{ "rsa", "nedpqu", 2, 5 },
|
2004-02-03 17:24:37 +01:00
|
|
|
|
{ "dsa", "pqgyx", 4, 4 },
|
|
|
|
|
{ "elg", "pgyx", 3, 3 },
|
2012-12-12 18:47:21 +01:00
|
|
|
|
{ "ecdsa","pabgnqd", 6, 6, 1 },
|
|
|
|
|
{ "ecdh", "pabgnqd", 6, 6, 1 },
|
|
|
|
|
{ "ecc", "pabgnqd", 6, 6, 1 },
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{ NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2018-12-11 18:12:51 +01:00
|
|
|
|
/* The number of milliseconds we use in the S2K function and the
|
|
|
|
|
* calibrated count value. A count value of zero indicates that the
|
|
|
|
|
* calibration has not yet been done or needs to be done again. */
|
|
|
|
|
static unsigned int s2k_calibration_time = AGENT_S2K_CALIBRATION;
|
|
|
|
|
static unsigned long s2k_calibrated_count;
|
|
|
|
|
|
|
|
|
|
|
2009-12-14 21:12:56 +01:00
|
|
|
|
/* A helper object for time measurement. */
|
|
|
|
|
struct calibrate_time_s
|
|
|
|
|
{
|
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
|
|
|
|
FILETIME creation_time, exit_time, kernel_time, user_time;
|
|
|
|
|
#else
|
|
|
|
|
clock_t ticks;
|
|
|
|
|
#endif
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static int
|
|
|
|
|
hash_passphrase (const char *passphrase, int hashalgo,
|
|
|
|
|
int s2kmode,
|
|
|
|
|
const unsigned char *s2ksalt, unsigned long s2kcount,
|
|
|
|
|
unsigned char *key, size_t keylen);
|
|
|
|
|
|
2010-08-31 17:58:39 +02:00
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2010-08-31 17:58:39 +02:00
|
|
|
|
|
2021-10-05 04:53:29 +02:00
|
|
|
|
/*
|
|
|
|
|
* Determine if we can use clock_gettime with CLOCK_THREAD_CPUTIME_ID,
|
|
|
|
|
* at compile time.
|
|
|
|
|
*/
|
|
|
|
|
#if defined (CLOCK_THREAD_CPUTIME_ID)
|
|
|
|
|
# if _POSIX_THREAD_CPUTIME > 0
|
|
|
|
|
# define USE_CLOCK_GETTIME 1
|
|
|
|
|
# elif _POSIX_THREAD_CPUTIME == 0
|
|
|
|
|
/*
|
|
|
|
|
* In this case, we should check sysconf with _POSIX_THREAD_CPUTIME at
|
|
|
|
|
* run time. As heuristics, for system with newer GNU C library, we
|
|
|
|
|
* can assume it is available.
|
|
|
|
|
*/
|
|
|
|
|
# if __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 17
|
|
|
|
|
# define USE_CLOCK_GETTIME 1
|
|
|
|
|
# endif
|
|
|
|
|
# endif
|
|
|
|
|
#else
|
|
|
|
|
#undef USE_CLOCK_GETTIME
|
|
|
|
|
#endif
|
|
|
|
|
|
2009-12-14 21:12:56 +01:00
|
|
|
|
/* Get the process time and store it in DATA. */
|
|
|
|
|
static void
|
|
|
|
|
calibrate_get_time (struct calibrate_time_s *data)
|
|
|
|
|
{
|
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
2010-04-14 13:24:02 +02:00
|
|
|
|
# ifdef HAVE_W32CE_SYSTEM
|
|
|
|
|
GetThreadTimes (GetCurrentThread (),
|
2016-04-11 10:24:15 +02:00
|
|
|
|
&data->creation_time, &data->exit_time,
|
|
|
|
|
&data->kernel_time, &data->user_time);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
# else
|
2009-12-14 21:12:56 +01:00
|
|
|
|
GetProcessTimes (GetCurrentProcess (),
|
|
|
|
|
&data->creation_time, &data->exit_time,
|
|
|
|
|
&data->kernel_time, &data->user_time);
|
2016-04-11 10:24:15 +02:00
|
|
|
|
# endif
|
2021-10-05 04:53:29 +02:00
|
|
|
|
#elif defined (USE_CLOCK_GETTIME)
|
2017-11-07 02:49:36 +01:00
|
|
|
|
struct timespec tmp;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2017-11-07 02:49:36 +01:00
|
|
|
|
clock_gettime (CLOCK_THREAD_CPUTIME_ID, &tmp);
|
|
|
|
|
data->ticks = (clock_t)(((unsigned long long)tmp.tv_sec * 1000000000 +
|
|
|
|
|
tmp.tv_nsec) * CLOCKS_PER_SEC / 1000000000);
|
|
|
|
|
#else
|
|
|
|
|
data->ticks = clock ();
|
2009-12-14 21:12:56 +01:00
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned long
|
|
|
|
|
calibrate_elapsed_time (struct calibrate_time_s *starttime)
|
|
|
|
|
{
|
|
|
|
|
struct calibrate_time_s stoptime;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2009-12-14 21:12:56 +01:00
|
|
|
|
calibrate_get_time (&stoptime);
|
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
|
|
|
|
{
|
|
|
|
|
unsigned long long t1, t2;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2009-12-14 21:12:56 +01:00
|
|
|
|
t1 = (((unsigned long long)starttime->kernel_time.dwHighDateTime << 32)
|
|
|
|
|
+ starttime->kernel_time.dwLowDateTime);
|
|
|
|
|
t1 += (((unsigned long long)starttime->user_time.dwHighDateTime << 32)
|
|
|
|
|
+ starttime->user_time.dwLowDateTime);
|
|
|
|
|
t2 = (((unsigned long long)stoptime.kernel_time.dwHighDateTime << 32)
|
|
|
|
|
+ stoptime.kernel_time.dwLowDateTime);
|
|
|
|
|
t2 += (((unsigned long long)stoptime.user_time.dwHighDateTime << 32)
|
|
|
|
|
+ stoptime.user_time.dwLowDateTime);
|
|
|
|
|
return (unsigned long)((t2 - t1)/10000);
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
return (unsigned long)((((double) (stoptime.ticks - starttime->ticks))
|
2017-11-07 02:49:36 +01:00
|
|
|
|
/CLOCKS_PER_SEC)*1000);
|
2009-12-14 21:12:56 +01:00
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Run a test hashing for COUNT and return the time required in
|
|
|
|
|
milliseconds. */
|
|
|
|
|
static unsigned long
|
|
|
|
|
calibrate_s2k_count_one (unsigned long count)
|
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
char keybuf[PROT_CIPHER_KEYLEN];
|
|
|
|
|
struct calibrate_time_s starttime;
|
|
|
|
|
|
|
|
|
|
calibrate_get_time (&starttime);
|
|
|
|
|
rc = hash_passphrase ("123456789abcdef0", GCRY_MD_SHA1,
|
|
|
|
|
3, "saltsalt", count, keybuf, sizeof keybuf);
|
|
|
|
|
if (rc)
|
|
|
|
|
BUG ();
|
|
|
|
|
return calibrate_elapsed_time (&starttime);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Measure the time we need to do the hash operations and deduce an
|
2017-09-08 23:08:57 +02:00
|
|
|
|
S2K count which requires roughly some targeted amount of time. */
|
2009-12-14 21:12:56 +01:00
|
|
|
|
static unsigned long
|
|
|
|
|
calibrate_s2k_count (void)
|
|
|
|
|
{
|
|
|
|
|
unsigned long count;
|
|
|
|
|
unsigned long ms;
|
|
|
|
|
|
|
|
|
|
for (count = 65536; count; count *= 2)
|
|
|
|
|
{
|
|
|
|
|
ms = calibrate_s2k_count_one (count);
|
|
|
|
|
if (opt.verbose > 1)
|
|
|
|
|
log_info ("S2K calibration: %lu -> %lums\n", count, ms);
|
2018-12-11 18:12:51 +01:00
|
|
|
|
if (ms > s2k_calibration_time)
|
2009-12-14 21:12:56 +01:00
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-11 18:12:51 +01:00
|
|
|
|
count = (unsigned long)(((double)count / ms) * s2k_calibration_time);
|
2009-12-14 21:12:56 +01:00
|
|
|
|
count /= 1024;
|
|
|
|
|
count *= 1024;
|
|
|
|
|
if (count < 65536)
|
|
|
|
|
count = 65536;
|
|
|
|
|
|
|
|
|
|
if (opt.verbose)
|
|
|
|
|
{
|
|
|
|
|
ms = calibrate_s2k_count_one (count);
|
2009-12-15 12:03:17 +01:00
|
|
|
|
log_info ("S2K calibration: %lu -> %lums\n", count, ms);
|
2009-12-14 21:12:56 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return count;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2018-12-11 18:12:51 +01:00
|
|
|
|
/* Set the calibration time. This may be called early at startup or
|
|
|
|
|
* at any time. Thus it should one set variables. */
|
|
|
|
|
void
|
|
|
|
|
set_s2k_calibration_time (unsigned int milliseconds)
|
|
|
|
|
{
|
|
|
|
|
if (!milliseconds)
|
|
|
|
|
milliseconds = AGENT_S2K_CALIBRATION;
|
|
|
|
|
else if (milliseconds > 60 * 1000)
|
|
|
|
|
milliseconds = 60 * 1000; /* Cap at 60 seconds. */
|
|
|
|
|
s2k_calibration_time = milliseconds;
|
|
|
|
|
s2k_calibrated_count = 0; /* Force re-calibration. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-11-06 14:20:03 +01:00
|
|
|
|
/* Return the calibrated S2K count. This is only public for the use
|
|
|
|
|
* of the Assuan getinfo s2k_count_cal command. */
|
2009-12-14 21:12:56 +01:00
|
|
|
|
unsigned long
|
2017-11-06 14:20:03 +01:00
|
|
|
|
get_calibrated_s2k_count (void)
|
2009-12-14 21:12:56 +01:00
|
|
|
|
{
|
2018-12-11 18:12:51 +01:00
|
|
|
|
if (!s2k_calibrated_count)
|
|
|
|
|
s2k_calibrated_count = calibrate_s2k_count ();
|
2009-12-14 21:12:56 +01:00
|
|
|
|
|
|
|
|
|
/* Enforce a lower limit. */
|
2018-12-11 18:12:51 +01:00
|
|
|
|
return s2k_calibrated_count < 65536 ? 65536 : s2k_calibrated_count;
|
2009-12-14 21:12:56 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-11-06 14:20:03 +01:00
|
|
|
|
/* Return the standard S2K count. */
|
|
|
|
|
unsigned long
|
|
|
|
|
get_standard_s2k_count (void)
|
|
|
|
|
{
|
|
|
|
|
if (opt.s2k_count)
|
|
|
|
|
return opt.s2k_count < 65536 ? 65536 : opt.s2k_count;
|
|
|
|
|
|
|
|
|
|
return get_calibrated_s2k_count ();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Return the milliseconds required for the standard S2K
|
|
|
|
|
* operation. */
|
|
|
|
|
unsigned long
|
|
|
|
|
get_standard_s2k_time (void)
|
|
|
|
|
{
|
|
|
|
|
return calibrate_s2k_count_one (get_standard_s2k_count ());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-04-26 20:33:46 +02:00
|
|
|
|
/* Same as get_standard_s2k_count but return the count in the encoding
|
|
|
|
|
as described by rfc4880. */
|
|
|
|
|
unsigned char
|
|
|
|
|
get_standard_s2k_count_rfc4880 (void)
|
|
|
|
|
{
|
|
|
|
|
unsigned long iterations;
|
|
|
|
|
unsigned int count;
|
|
|
|
|
unsigned char result;
|
|
|
|
|
unsigned char c=0;
|
|
|
|
|
|
|
|
|
|
iterations = get_standard_s2k_count ();
|
|
|
|
|
if (iterations >= 65011712)
|
|
|
|
|
return 255;
|
|
|
|
|
|
|
|
|
|
/* Need count to be in the range 16-31 */
|
|
|
|
|
for (count=iterations>>6; count>=32; count>>=1)
|
|
|
|
|
c++;
|
|
|
|
|
|
|
|
|
|
result = (c<<4)|(count-16);
|
|
|
|
|
|
|
|
|
|
if (S2K_DECODE_COUNT(result) < iterations)
|
|
|
|
|
result++;
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
2010-10-01 22:33:53 +02:00
|
|
|
|
/* Calculate the MIC for a private key or shared secret S-expression.
|
|
|
|
|
SHA1HASH should point to a 20 byte buffer. This function is
|
|
|
|
|
suitable for all algorithms. */
|
2017-07-28 10:37:33 +02:00
|
|
|
|
static gpg_error_t
|
2003-08-05 19:11:04 +02:00
|
|
|
|
calculate_mic (const unsigned char *plainkey, unsigned char *sha1hash)
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *hash_begin, *hash_end;
|
|
|
|
|
const unsigned char *s;
|
|
|
|
|
size_t n;
|
2010-10-01 22:33:53 +02:00
|
|
|
|
int is_shared_secret;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
s = plainkey;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2010-10-01 22:33:53 +02:00
|
|
|
|
if (smatch (&s, n, "private-key"))
|
|
|
|
|
is_shared_secret = 0;
|
|
|
|
|
else if (smatch (&s, n, "shared-secret"))
|
|
|
|
|
is_shared_secret = 1;
|
|
|
|
|
else
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
|
|
|
|
hash_begin = s;
|
2010-10-01 22:33:53 +02:00
|
|
|
|
if (!is_shared_secret)
|
|
|
|
|
{
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2010-10-01 22:33:53 +02:00
|
|
|
|
s += n; /* Skip the algorithm name. */
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
while (*s == '(')
|
|
|
|
|
{
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s += n;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s += n;
|
|
|
|
|
if ( *s != ')' )
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s++;
|
|
|
|
|
}
|
|
|
|
|
if (*s != ')')
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s++;
|
|
|
|
|
hash_end = s;
|
|
|
|
|
|
|
|
|
|
gcry_md_hash_buffer (GCRY_MD_SHA1, sha1hash,
|
|
|
|
|
hash_begin, hash_end - hash_begin);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Encrypt the parameter block starting at PROTBEGIN with length
|
|
|
|
|
PROTLEN using the utf8 encoded key PASSPHRASE and return the entire
|
2005-02-23 22:06:32 +01:00
|
|
|
|
encrypted block in RESULT or return with an error code. SHA1HASH
|
2003-08-05 19:11:04 +02:00
|
|
|
|
is the 20 byte SHA-1 hash required for the integrity code.
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
The parameter block is expected to be an incomplete canonical
|
|
|
|
|
encoded S-Expression of the form (example in advanced format):
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
(d #046129F..[some bytes not shown]..81#)
|
|
|
|
|
(p #00e861b..[some bytes not shown]..f1#)
|
|
|
|
|
(q #00f7a7c..[some bytes not shown]..61#)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
(u #304559a..[some bytes not shown]..9b#)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
the returned block is the S-Expression:
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
(protected mode (parms) encrypted_octet_string)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2016-04-12 14:37:26 +02:00
|
|
|
|
do_encryption (const unsigned char *hashbegin, size_t hashlen,
|
|
|
|
|
const unsigned char *protbegin, size_t protlen,
|
|
|
|
|
const char *passphrase,
|
|
|
|
|
const char *timestamp_exp, size_t timestamp_exp_len,
|
2011-06-29 02:35:13 +02:00
|
|
|
|
unsigned char **result, size_t *resultlen,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
unsigned long s2k_count, int use_ocb)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
gcry_cipher_hd_t hd;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
const char *modestr;
|
|
|
|
|
unsigned char hashvalue[20];
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int blklen, enclen, outlen;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
unsigned char *iv = NULL;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
unsigned int ivsize; /* Size of the buffer allocated for IV. */
|
|
|
|
|
const unsigned char *s2ksalt; /* Points into IV. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int rc;
|
|
|
|
|
char *outbuf = NULL;
|
|
|
|
|
char *p;
|
|
|
|
|
int saltpos, ivpos, encpos;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
s2ksalt = iv; /* Silence compiler warning. */
|
|
|
|
|
|
2005-06-16 10:12:03 +02:00
|
|
|
|
*resultlen = 0;
|
|
|
|
|
*result = NULL;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
modestr = (use_ocb? "openpgp-s2k3-ocb-aes"
|
|
|
|
|
/* */: "openpgp-s2k3-sha1-" PROT_CIPHER_STRING "-cbc");
|
|
|
|
|
|
|
|
|
|
rc = gcry_cipher_open (&hd, PROT_CIPHER,
|
|
|
|
|
use_ocb? GCRY_CIPHER_MODE_OCB :
|
|
|
|
|
GCRY_CIPHER_MODE_CBC,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
GCRY_CIPHER_SECURE);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
/* We need to work on a copy of the data because this makes it
|
2016-04-12 14:37:26 +02:00
|
|
|
|
* easier to add the trailer and the padding and more important we
|
|
|
|
|
* have to prefix the text with 2 parenthesis. In CBC mode we
|
|
|
|
|
* have to allocate enough space for:
|
|
|
|
|
*
|
|
|
|
|
* ((<parameter_list>)(4:hash4:sha120:<hashvalue>)) + padding
|
|
|
|
|
*
|
|
|
|
|
* we always append a full block of random bytes as padding but
|
|
|
|
|
* encrypt only what is needed for a full blocksize. In OCB mode we
|
|
|
|
|
* have to allocate enough space for just:
|
|
|
|
|
*
|
|
|
|
|
* ((<parameter_list>))
|
|
|
|
|
*/
|
2003-08-05 19:11:04 +02:00
|
|
|
|
blklen = gcry_cipher_get_algo_blklen (PROT_CIPHER);
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (use_ocb)
|
|
|
|
|
{
|
|
|
|
|
/* (( )) */
|
|
|
|
|
outlen = 2 + protlen + 2 ;
|
|
|
|
|
enclen = outlen + 16 /* taglen */;
|
|
|
|
|
outbuf = gcry_malloc_secure (enclen);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* (( )( 4:hash 4:sha1 20:<hash> )) <padding> */
|
|
|
|
|
outlen = 2 + protlen + 2 + 6 + 6 + 23 + 2 + blklen;
|
|
|
|
|
enclen = outlen/blklen * blklen;
|
|
|
|
|
outbuf = gcry_malloc_secure (outlen);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!outbuf)
|
2017-05-31 11:42:55 +02:00
|
|
|
|
{
|
|
|
|
|
rc = out_of_core ();
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
|
|
|
|
/* Allocate a buffer for the nonce and the salt. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
2016-04-12 14:37:26 +02:00
|
|
|
|
/* Allocate random bytes to be used as IV, padding and s2k salt
|
|
|
|
|
* or in OCB mode for a nonce and the s2k salt. The IV/nonce is
|
|
|
|
|
* set later because for OCB we need to set the key first. */
|
|
|
|
|
ivsize = (use_ocb? 12 : (blklen*2)) + 8;
|
|
|
|
|
iv = xtrymalloc (ivsize);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!iv)
|
2016-04-12 14:37:26 +02:00
|
|
|
|
rc = gpg_error_from_syserror ();
|
2009-06-24 16:03:09 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
2016-04-12 14:37:26 +02:00
|
|
|
|
gcry_create_nonce (iv, ivsize);
|
|
|
|
|
s2ksalt = iv + ivsize - 8;
|
2009-06-24 16:03:09 +02:00
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
|
|
|
|
/* Hash the passphrase and set the key. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
unsigned char *key;
|
|
|
|
|
size_t keylen = PROT_CIPHER_KEYLEN;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
key = gcry_malloc_secure (keylen);
|
|
|
|
|
if (!key)
|
|
|
|
|
rc = out_of_core ();
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
rc = hash_passphrase (passphrase, GCRY_MD_SHA1,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
3, s2ksalt,
|
|
|
|
|
s2k_count? s2k_count:get_standard_s2k_count(),
|
2011-06-29 02:35:13 +02:00
|
|
|
|
key, keylen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
|
|
|
|
rc = gcry_cipher_setkey (hd, key, keylen);
|
|
|
|
|
xfree (key);
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2017-05-31 11:42:55 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
/* Set the IV/nonce. */
|
2017-05-31 11:42:55 +02:00
|
|
|
|
rc = gcry_cipher_setiv (hd, iv, use_ocb? 12 : blklen);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
|
|
|
|
if (use_ocb)
|
|
|
|
|
{
|
|
|
|
|
/* In OCB Mode we use only the public key parameters as AAD. */
|
|
|
|
|
rc = gcry_cipher_authenticate (hd, hashbegin, protbegin - hashbegin);
|
|
|
|
|
if (!rc)
|
|
|
|
|
rc = gcry_cipher_authenticate (hd, timestamp_exp, timestamp_exp_len);
|
|
|
|
|
if (!rc)
|
|
|
|
|
rc = gcry_cipher_authenticate
|
|
|
|
|
(hd, protbegin+protlen, hashlen - (protbegin+protlen - hashbegin));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Hash the entire expression for CBC mode. Because
|
|
|
|
|
* TIMESTAMP_EXP won't get protected, we can't simply hash a
|
|
|
|
|
* continuous buffer but need to call md_write several times. */
|
|
|
|
|
gcry_md_hd_t md;
|
|
|
|
|
|
|
|
|
|
rc = gcry_md_open (&md, GCRY_MD_SHA1, 0 );
|
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
2016-04-14 12:16:51 +02:00
|
|
|
|
gcry_md_write (md, hashbegin, protbegin - hashbegin);
|
|
|
|
|
gcry_md_write (md, protbegin, protlen);
|
2016-04-12 14:37:26 +02:00
|
|
|
|
gcry_md_write (md, timestamp_exp, timestamp_exp_len);
|
2016-04-14 12:16:51 +02:00
|
|
|
|
gcry_md_write (md, protbegin+protlen,
|
|
|
|
|
hashlen - (protbegin+protlen - hashbegin));
|
2016-04-12 14:37:26 +02:00
|
|
|
|
memcpy (hashvalue, gcry_md_read (md, GCRY_MD_SHA1), 20);
|
|
|
|
|
gcry_md_close (md);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Encrypt. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
p = outbuf;
|
|
|
|
|
*p++ = '(';
|
|
|
|
|
*p++ = '(';
|
|
|
|
|
memcpy (p, protbegin, protlen);
|
|
|
|
|
p += protlen;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (use_ocb)
|
|
|
|
|
{
|
|
|
|
|
*p++ = ')';
|
|
|
|
|
*p++ = ')';
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
memcpy (p, ")(4:hash4:sha120:", 17);
|
|
|
|
|
p += 17;
|
|
|
|
|
memcpy (p, hashvalue, 20);
|
|
|
|
|
p += 20;
|
|
|
|
|
*p++ = ')';
|
|
|
|
|
*p++ = ')';
|
|
|
|
|
memcpy (p, iv+blklen, blklen); /* Add padding. */
|
|
|
|
|
p += blklen;
|
|
|
|
|
}
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert ( p - outbuf == outlen);
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (use_ocb)
|
|
|
|
|
{
|
|
|
|
|
gcry_cipher_final (hd);
|
|
|
|
|
rc = gcry_cipher_encrypt (hd, outbuf, outlen, NULL, 0);
|
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
log_assert (outlen + 16 == enclen);
|
|
|
|
|
rc = gcry_cipher_gettag (hd, outbuf + outlen, 16);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
rc = gcry_cipher_encrypt (hd, outbuf, enclen, NULL, 0);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2017-05-31 11:42:55 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
/* Release cipher handle and check for errors. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
gcry_cipher_close (hd);
|
|
|
|
|
|
|
|
|
|
/* Now allocate the buffer we want to return. This is
|
|
|
|
|
|
|
|
|
|
(protected openpgp-s2k3-sha1-aes-cbc
|
|
|
|
|
((sha1 salt no_of_iterations) 16byte_iv)
|
|
|
|
|
encrypted_octet_string)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
in canoncical format of course. We use asprintf and %n modifier
|
2007-08-28 19:48:13 +02:00
|
|
|
|
and dummy values as placeholders. */
|
2010-01-26 17:15:12 +01:00
|
|
|
|
{
|
|
|
|
|
char countbuf[35];
|
|
|
|
|
|
2011-06-29 02:35:13 +02:00
|
|
|
|
snprintf (countbuf, sizeof countbuf, "%lu",
|
|
|
|
|
s2k_count ? s2k_count : get_standard_s2k_count ());
|
2010-01-26 17:15:12 +01:00
|
|
|
|
p = xtryasprintf
|
|
|
|
|
("(9:protected%d:%s((4:sha18:%n_8bytes_%u:%s)%d:%n%*s)%d:%n%*s)",
|
|
|
|
|
(int)strlen (modestr), modestr,
|
2011-02-03 16:31:42 +01:00
|
|
|
|
&saltpos,
|
2010-01-26 17:15:12 +01:00
|
|
|
|
(unsigned int)strlen (countbuf), countbuf,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
use_ocb? 12 : blklen, &ivpos, use_ocb? 12 : blklen, "",
|
2010-01-26 17:15:12 +01:00
|
|
|
|
enclen, &encpos, enclen, "");
|
|
|
|
|
if (!p)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t tmperr = out_of_core ();
|
|
|
|
|
xfree (iv);
|
|
|
|
|
xfree (outbuf);
|
|
|
|
|
return tmperr;
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2010-01-26 17:15:12 +01:00
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*resultlen = strlen (p);
|
2005-06-16 10:12:03 +02:00
|
|
|
|
*result = (unsigned char*)p;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
memcpy (p+saltpos, s2ksalt, 8);
|
|
|
|
|
memcpy (p+ivpos, iv, use_ocb? 12 : blklen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
memcpy (p+encpos, outbuf, enclen);
|
|
|
|
|
xfree (iv);
|
|
|
|
|
xfree (outbuf);
|
|
|
|
|
return 0;
|
2017-05-31 11:42:55 +02:00
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
gcry_cipher_close (hd);
|
|
|
|
|
xfree (iv);
|
|
|
|
|
xfree (outbuf);
|
|
|
|
|
return rc;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2005-06-16 10:12:03 +02:00
|
|
|
|
/* Protect the key encoded in canonical format in PLAINKEY. We assume
|
2016-04-12 14:37:26 +02:00
|
|
|
|
a valid S-Exp here. With USE_UCB set to -1 the default scheme is
|
|
|
|
|
used (ie. either CBC or OCB), set to 0 the old CBC mode is used,
|
|
|
|
|
and set to 1 OCB is used. */
|
2011-02-03 16:31:42 +01:00
|
|
|
|
int
|
2003-08-05 19:11:04 +02:00
|
|
|
|
agent_protect (const unsigned char *plainkey, const char *passphrase,
|
2011-06-29 02:35:13 +02:00
|
|
|
|
unsigned char **result, size_t *resultlen,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
unsigned long s2k_count, int use_ocb)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
int rc;
|
2012-12-12 18:47:21 +01:00
|
|
|
|
const char *parmlist;
|
|
|
|
|
int prot_from_idx, prot_to_idx;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
const unsigned char *s;
|
|
|
|
|
const unsigned char *hash_begin, *hash_end;
|
|
|
|
|
const unsigned char *prot_begin, *prot_end, *real_end;
|
|
|
|
|
size_t n;
|
|
|
|
|
int c, infidx, i;
|
2007-08-28 19:48:13 +02:00
|
|
|
|
char timestamp_exp[35];
|
2003-08-05 19:11:04 +02:00
|
|
|
|
unsigned char *protected;
|
|
|
|
|
size_t protectedlen;
|
|
|
|
|
int depth = 0;
|
|
|
|
|
unsigned char *p;
|
2013-11-15 08:59:45 +01:00
|
|
|
|
int have_curve = 0;
|
2007-08-28 19:48:13 +02:00
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (use_ocb == -1)
|
2019-03-06 17:58:39 +01:00
|
|
|
|
use_ocb = !!opt.enable_extended_key_format;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Create an S-expression with the protected-at timestamp. */
|
2007-08-28 19:48:13 +02:00
|
|
|
|
memcpy (timestamp_exp, "(12:protected-at15:", 19);
|
|
|
|
|
gnupg_get_isotime (timestamp_exp+19);
|
|
|
|
|
timestamp_exp[19+15] = ')';
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2007-08-28 19:48:13 +02:00
|
|
|
|
/* Parse original key. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s = plainkey;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!smatch (&s, n, "private-key"))
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
hash_begin = s;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
for (infidx=0; protect_info[infidx].algo
|
|
|
|
|
&& !smatch (&s, n, protect_info[infidx].algo); infidx++)
|
|
|
|
|
;
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (!protect_info[infidx].algo)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2013-11-15 08:59:45 +01:00
|
|
|
|
/* The parser below is a complete mess: To make it robust for ECC
|
|
|
|
|
use we should reorder the s-expression to include only what we
|
|
|
|
|
really need and thus guarantee the right order for saving stuff.
|
|
|
|
|
This should be done before calling this function and maybe with
|
|
|
|
|
the help of the new gcry_sexp_extract_param. */
|
2012-12-12 18:47:21 +01:00
|
|
|
|
parmlist = protect_info[infidx].parmlist;
|
|
|
|
|
prot_from_idx = protect_info[infidx].prot_from;
|
|
|
|
|
prot_to_idx = protect_info[infidx].prot_to;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
prot_begin = prot_end = NULL;
|
2012-12-12 18:47:21 +01:00
|
|
|
|
for (i=0; (c=parmlist[i]); i++)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2012-12-12 18:47:21 +01:00
|
|
|
|
if (i == prot_from_idx)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
prot_begin = s;
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (*s != '(')
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (n != 1 || c != *s)
|
2012-12-12 18:47:21 +01:00
|
|
|
|
{
|
|
|
|
|
if (n == 5 && !memcmp (s, "curve", 5)
|
|
|
|
|
&& !i && protect_info[infidx].ecc_hack)
|
|
|
|
|
{
|
|
|
|
|
/* This is a private ECC key but the first parameter is
|
|
|
|
|
the name of the curve. We change the parameter list
|
|
|
|
|
here to the one we expect in this case. */
|
2013-11-15 08:59:45 +01:00
|
|
|
|
have_curve = 1;
|
2012-12-12 18:47:21 +01:00
|
|
|
|
parmlist = "?qd";
|
|
|
|
|
prot_from_idx = 2;
|
|
|
|
|
prot_to_idx = 2;
|
|
|
|
|
}
|
2013-11-15 08:59:45 +01:00
|
|
|
|
else if (n == 5 && !memcmp (s, "flags", 5)
|
|
|
|
|
&& i == 1 && have_curve)
|
|
|
|
|
{
|
|
|
|
|
/* "curve" followed by "flags": Change again. */
|
|
|
|
|
parmlist = "??qd";
|
|
|
|
|
prot_from_idx = 3;
|
|
|
|
|
prot_to_idx = 3;
|
|
|
|
|
}
|
2012-12-12 18:47:21 +01:00
|
|
|
|
else
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
}
|
2011-01-21 12:00:57 +01:00
|
|
|
|
s += n;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
n = snext (&s);
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s +=n; /* skip value */
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (*s != ')')
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
depth--;
|
2012-12-12 18:47:21 +01:00
|
|
|
|
if (i == prot_to_idx)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
prot_end = s;
|
|
|
|
|
s++;
|
|
|
|
|
}
|
2011-01-21 12:00:57 +01:00
|
|
|
|
if (*s != ')' || !prot_begin || !prot_end )
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
depth--;
|
|
|
|
|
hash_end = s;
|
|
|
|
|
s++;
|
2011-01-21 12:00:57 +01:00
|
|
|
|
/* Skip to the end of the S-expression. */
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert (depth == 1);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = sskip (&s, &depth);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert (!depth);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
real_end = s-1;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
rc = do_encryption (hash_begin, hash_end - hash_begin + 1,
|
|
|
|
|
prot_begin, prot_end - prot_begin + 1,
|
|
|
|
|
passphrase, timestamp_exp, sizeof (timestamp_exp),
|
|
|
|
|
&protected, &protectedlen, s2k_count, use_ocb);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
/* Now create the protected version of the key. Note that the 10
|
2017-02-20 22:19:50 +01:00
|
|
|
|
extra bytes are for the inserted "protected-" string (the
|
2007-08-28 19:48:13 +02:00
|
|
|
|
beginning of the plaintext reads: "((11:private-key(" ). The 35
|
|
|
|
|
term is the space for (12:protected-at15:<timestamp>). */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*resultlen = (10
|
|
|
|
|
+ (prot_begin-plainkey)
|
|
|
|
|
+ protectedlen
|
2007-08-28 19:48:13 +02:00
|
|
|
|
+ 35
|
2003-08-05 19:11:04 +02:00
|
|
|
|
+ (real_end-prot_end));
|
|
|
|
|
*result = p = xtrymalloc (*resultlen);
|
|
|
|
|
if (!p)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t tmperr = out_of_core ();
|
|
|
|
|
xfree (protected);
|
|
|
|
|
return tmperr;
|
|
|
|
|
}
|
|
|
|
|
memcpy (p, "(21:protected-", 14);
|
|
|
|
|
p += 14;
|
|
|
|
|
memcpy (p, plainkey+4, prot_begin - plainkey - 4);
|
|
|
|
|
p += prot_begin - plainkey - 4;
|
|
|
|
|
memcpy (p, protected, protectedlen);
|
|
|
|
|
p += protectedlen;
|
2007-08-28 19:48:13 +02:00
|
|
|
|
|
|
|
|
|
memcpy (p, timestamp_exp, 35);
|
|
|
|
|
p += 35;
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
memcpy (p, prot_end+1, real_end - prot_end);
|
|
|
|
|
p += real_end - prot_end;
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert ( p - *result == *resultlen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (protected);
|
2007-08-28 19:48:13 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-22 10:50:12 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
/* Do the actual decryption and check the return list for consistency. */
|
2017-07-28 10:37:33 +02:00
|
|
|
|
static gpg_error_t
|
2016-04-12 14:37:26 +02:00
|
|
|
|
do_decryption (const unsigned char *aad_begin, size_t aad_len,
|
|
|
|
|
const unsigned char *aadhole_begin, size_t aadhole_len,
|
|
|
|
|
const unsigned char *protected, size_t protectedlen,
|
2011-02-03 16:31:42 +01:00
|
|
|
|
const char *passphrase,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
const unsigned char *s2ksalt, unsigned long s2kcount,
|
|
|
|
|
const unsigned char *iv, size_t ivlen,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
int prot_cipher, int prot_cipher_keylen, int is_ocb,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
unsigned char **result)
|
|
|
|
|
{
|
2017-07-28 10:37:33 +02:00
|
|
|
|
int rc;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int blklen;
|
|
|
|
|
gcry_cipher_hd_t hd;
|
|
|
|
|
unsigned char *outbuf;
|
|
|
|
|
size_t reallen;
|
|
|
|
|
|
2014-09-01 10:15:21 +02:00
|
|
|
|
blklen = gcry_cipher_get_algo_blklen (prot_cipher);
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (is_ocb)
|
|
|
|
|
{
|
|
|
|
|
/* OCB does not require a multiple of the block length but we
|
|
|
|
|
* check that it is long enough for the 128 bit tag and that we
|
|
|
|
|
* have the 96 bit nonce. */
|
|
|
|
|
if (protectedlen < (4 + 16) || ivlen != 12)
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (protectedlen < 4 || (protectedlen%blklen))
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
rc = gcry_cipher_open (&hd, prot_cipher,
|
|
|
|
|
is_ocb? GCRY_CIPHER_MODE_OCB :
|
|
|
|
|
GCRY_CIPHER_MODE_CBC,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
GCRY_CIPHER_SECURE);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
outbuf = gcry_malloc_secure (protectedlen);
|
|
|
|
|
if (!outbuf)
|
|
|
|
|
rc = out_of_core ();
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
|
|
|
|
/* Hash the passphrase and set the key. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
unsigned char *key;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2014-09-01 10:15:21 +02:00
|
|
|
|
key = gcry_malloc_secure (prot_cipher_keylen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!key)
|
|
|
|
|
rc = out_of_core ();
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
rc = hash_passphrase (passphrase, GCRY_MD_SHA1,
|
2014-09-01 10:15:21 +02:00
|
|
|
|
3, s2ksalt, s2kcount, key, prot_cipher_keylen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
2014-09-01 10:15:21 +02:00
|
|
|
|
rc = gcry_cipher_setkey (hd, key, prot_cipher_keylen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (key);
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
|
|
|
|
/* Set the IV/nonce. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
2016-04-12 14:37:26 +02:00
|
|
|
|
{
|
|
|
|
|
rc = gcry_cipher_setiv (hd, iv, ivlen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Decrypt. */
|
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
if (is_ocb)
|
|
|
|
|
{
|
|
|
|
|
rc = gcry_cipher_authenticate (hd, aad_begin,
|
|
|
|
|
aadhole_begin - aad_begin);
|
|
|
|
|
if (!rc)
|
|
|
|
|
rc = gcry_cipher_authenticate
|
|
|
|
|
(hd, aadhole_begin + aadhole_len,
|
|
|
|
|
aad_len - (aadhole_begin+aadhole_len - aad_begin));
|
|
|
|
|
|
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
gcry_cipher_final (hd);
|
|
|
|
|
rc = gcry_cipher_decrypt (hd, outbuf, protectedlen - 16,
|
|
|
|
|
protected, protectedlen - 16);
|
|
|
|
|
}
|
|
|
|
|
if (!rc)
|
2017-07-28 11:40:56 +02:00
|
|
|
|
{
|
|
|
|
|
rc = gcry_cipher_checktag (hd, protected + protectedlen - 16, 16);
|
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_CHECKSUM)
|
|
|
|
|
{
|
|
|
|
|
/* Return Bad Passphrase instead of checksum error */
|
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_PASSPHRASE);
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
rc = gcry_cipher_decrypt (hd, outbuf, protectedlen,
|
|
|
|
|
protected, protectedlen);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Release cipher handle and check for errors. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
gcry_cipher_close (hd);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
xfree (outbuf);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
|
|
|
|
/* Do a quick check on the data structure. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*outbuf != '(' && outbuf[1] != '(')
|
|
|
|
|
{
|
|
|
|
|
xfree (outbuf);
|
|
|
|
|
return gpg_error (GPG_ERR_BAD_PASSPHRASE);
|
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2004-02-03 17:24:37 +01:00
|
|
|
|
/* Check that we have a consistent S-Exp. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
reallen = gcry_sexp_canon_len (outbuf, protectedlen, NULL, NULL);
|
|
|
|
|
if (!reallen || (reallen + blklen < protectedlen) )
|
|
|
|
|
{
|
|
|
|
|
xfree (outbuf);
|
|
|
|
|
return gpg_error (GPG_ERR_BAD_PASSPHRASE);
|
|
|
|
|
}
|
|
|
|
|
*result = outbuf;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Merge the parameter list contained in CLEARTEXT with the original
|
2016-04-12 14:37:26 +02:00
|
|
|
|
* protect lists PROTECTEDKEY by replacing the list at REPLACEPOS.
|
|
|
|
|
* Return the new list in RESULT and the MIC value in the 20 byte
|
|
|
|
|
* buffer SHA1HASH; if SHA1HASH is NULL no MIC will be computed.
|
|
|
|
|
* CUTOFF and CUTLEN will receive the offset and the length of the
|
|
|
|
|
* resulting list which should go into the MIC calculation but then be
|
|
|
|
|
* removed. */
|
2017-07-28 10:37:33 +02:00
|
|
|
|
static gpg_error_t
|
2003-08-05 19:11:04 +02:00
|
|
|
|
merge_lists (const unsigned char *protectedkey,
|
2011-02-03 16:31:42 +01:00
|
|
|
|
size_t replacepos,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
const unsigned char *cleartext,
|
2004-02-03 17:24:37 +01:00
|
|
|
|
unsigned char *sha1hash,
|
2007-08-28 19:48:13 +02:00
|
|
|
|
unsigned char **result, size_t *resultlen,
|
|
|
|
|
size_t *cutoff, size_t *cutlen)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
size_t n, newlistlen;
|
|
|
|
|
unsigned char *newlist, *p;
|
|
|
|
|
const unsigned char *s;
|
|
|
|
|
const unsigned char *startpos, *endpos;
|
|
|
|
|
int i, rc;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2005-06-16 10:12:03 +02:00
|
|
|
|
*result = NULL;
|
|
|
|
|
*resultlen = 0;
|
2007-08-28 19:48:13 +02:00
|
|
|
|
*cutoff = 0;
|
|
|
|
|
*cutlen = 0;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (replacepos < 26)
|
|
|
|
|
return gpg_error (GPG_ERR_BUG);
|
|
|
|
|
|
|
|
|
|
/* Estimate the required size of the resulting list. We have a large
|
2016-04-12 14:37:26 +02:00
|
|
|
|
safety margin of >20 bytes (FIXME: MIC hash from CLEARTEXT and the
|
2003-08-05 19:11:04 +02:00
|
|
|
|
removed "protected-" */
|
|
|
|
|
newlistlen = gcry_sexp_canon_len (protectedkey, 0, NULL, NULL);
|
|
|
|
|
if (!newlistlen)
|
|
|
|
|
return gpg_error (GPG_ERR_BUG);
|
|
|
|
|
n = gcry_sexp_canon_len (cleartext, 0, NULL, NULL);
|
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_BUG);
|
|
|
|
|
newlistlen += n;
|
|
|
|
|
newlist = gcry_malloc_secure (newlistlen);
|
|
|
|
|
if (!newlist)
|
|
|
|
|
return out_of_core ();
|
|
|
|
|
|
|
|
|
|
/* Copy the initial segment */
|
2005-06-16 10:12:03 +02:00
|
|
|
|
strcpy ((char*)newlist, "(11:private-key");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
p = newlist + 15;
|
|
|
|
|
memcpy (p, protectedkey+15+10, replacepos-15-10);
|
|
|
|
|
p += replacepos-15-10;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
/* Copy the cleartext. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s = cleartext;
|
|
|
|
|
if (*s != '(' && s[1] != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_BUG); /*we already checked this */
|
|
|
|
|
s += 2;
|
|
|
|
|
startpos = s;
|
|
|
|
|
while ( *s == '(' )
|
|
|
|
|
{
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
s += n;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
s += n;
|
|
|
|
|
if ( *s != ')' )
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
s++;
|
|
|
|
|
}
|
|
|
|
|
if ( *s != ')' )
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
endpos = s;
|
|
|
|
|
s++;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
/* Intermezzo: Get the MIC if requested. */
|
|
|
|
|
if (sha1hash)
|
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!smatch (&s, n, "hash"))
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!smatch (&s, n, "sha1"))
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (n != 20)
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
memcpy (sha1hash, s, 20);
|
|
|
|
|
s += n;
|
|
|
|
|
if (*s != ')')
|
|
|
|
|
goto invalid_sexp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Append the parameter list. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
memcpy (p, startpos, endpos - startpos);
|
|
|
|
|
p += endpos - startpos;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2007-08-28 19:48:13 +02:00
|
|
|
|
/* Skip over the protected list element in the original list. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s = protectedkey + replacepos;
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert (*s == '(');
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s++;
|
|
|
|
|
i = 1;
|
|
|
|
|
rc = sskip (&s, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto failure;
|
2007-08-28 19:48:13 +02:00
|
|
|
|
/* Record the position of the optional protected-at expression. */
|
|
|
|
|
if (*s == '(')
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *save_s = s;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (smatch (&s, n, "protected-at"))
|
|
|
|
|
{
|
|
|
|
|
i = 1;
|
|
|
|
|
rc = sskip (&s, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto failure;
|
|
|
|
|
*cutlen = s - save_s;
|
|
|
|
|
}
|
|
|
|
|
s = save_s;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
startpos = s;
|
|
|
|
|
i = 2; /* we are inside this level */
|
|
|
|
|
rc = sskip (&s, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto failure;
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert (s[-1] == ')');
|
2003-08-05 19:11:04 +02:00
|
|
|
|
endpos = s; /* one behind the end of the list */
|
|
|
|
|
|
2007-08-28 19:48:13 +02:00
|
|
|
|
/* Append the rest. */
|
|
|
|
|
if (*cutlen)
|
|
|
|
|
*cutoff = p - newlist;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
memcpy (p, startpos, endpos - startpos);
|
|
|
|
|
p += endpos - startpos;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
/* ready */
|
|
|
|
|
*result = newlist;
|
2004-02-03 17:24:37 +01:00
|
|
|
|
*resultlen = newlistlen;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
failure:
|
2004-02-03 17:24:37 +01:00
|
|
|
|
wipememory (newlist, newlistlen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (newlist);
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
invalid_sexp:
|
2004-02-03 17:24:37 +01:00
|
|
|
|
wipememory (newlist, newlistlen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (newlist);
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Unprotect the key encoded in canonical format. We assume a valid
|
2007-08-28 19:48:13 +02:00
|
|
|
|
S-Exp here. If a protected-at item is available, its value will
|
2013-05-22 10:50:12 +02:00
|
|
|
|
be stored at protected_at unless this is NULL. */
|
2017-07-28 10:37:33 +02:00
|
|
|
|
gpg_error_t
|
2013-05-22 10:50:12 +02:00
|
|
|
|
agent_unprotect (ctrl_t ctrl,
|
|
|
|
|
const unsigned char *protectedkey, const char *passphrase,
|
2011-02-03 16:31:42 +01:00
|
|
|
|
gnupg_isotime_t protected_at,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
unsigned char **result, size_t *resultlen)
|
|
|
|
|
{
|
2017-05-22 23:42:44 +02:00
|
|
|
|
static const struct {
|
2014-09-01 10:15:21 +02:00
|
|
|
|
const char *name; /* Name of the protection method. */
|
|
|
|
|
int algo; /* (A zero indicates the "openpgp-native" hack.) */
|
|
|
|
|
int keylen; /* Used key length in bytes. */
|
2016-04-12 14:37:26 +02:00
|
|
|
|
unsigned int is_ocb:1;
|
2014-09-01 10:15:21 +02:00
|
|
|
|
} algotable[] = {
|
|
|
|
|
{ "openpgp-s2k3-sha1-aes-cbc", GCRY_CIPHER_AES128, (128/8)},
|
|
|
|
|
{ "openpgp-s2k3-sha1-aes256-cbc", GCRY_CIPHER_AES256, (256/8)},
|
2016-04-12 14:37:26 +02:00
|
|
|
|
{ "openpgp-s2k3-ocb-aes", GCRY_CIPHER_AES128, (128/8), 1},
|
2014-09-01 10:15:21 +02:00
|
|
|
|
{ "openpgp-native", 0, 0 }
|
|
|
|
|
};
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int rc;
|
|
|
|
|
const unsigned char *s;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
const unsigned char *protect_list;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
size_t n;
|
|
|
|
|
int infidx, i;
|
|
|
|
|
unsigned char sha1hash[20], sha1hash2[20];
|
|
|
|
|
const unsigned char *s2ksalt;
|
|
|
|
|
unsigned long s2kcount;
|
|
|
|
|
const unsigned char *iv;
|
2014-09-01 10:15:21 +02:00
|
|
|
|
int prot_cipher, prot_cipher_keylen;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
int is_ocb;
|
|
|
|
|
const unsigned char *aad_begin, *aad_end, *aadhole_begin, *aadhole_end;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
const unsigned char *prot_begin;
|
|
|
|
|
unsigned char *cleartext;
|
|
|
|
|
unsigned char *final;
|
2004-02-03 17:24:37 +01:00
|
|
|
|
size_t finallen;
|
2007-08-28 19:48:13 +02:00
|
|
|
|
size_t cutoff, cutlen;
|
|
|
|
|
|
|
|
|
|
if (protected_at)
|
|
|
|
|
*protected_at = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
s = protectedkey;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!smatch (&s, n, "protected-private-key"))
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
2016-04-12 14:37:26 +02:00
|
|
|
|
{
|
|
|
|
|
aad_begin = aad_end = s;
|
|
|
|
|
aad_end++;
|
|
|
|
|
i = 1;
|
|
|
|
|
rc = sskip (&aad_end, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
for (infidx=0; protect_info[infidx].algo
|
|
|
|
|
&& !smatch (&s, n, protect_info[infidx].algo); infidx++)
|
|
|
|
|
;
|
|
|
|
|
if (!protect_info[infidx].algo)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2018-10-24 21:56:18 +02:00
|
|
|
|
/* See whether we have a protected-at timestamp. */
|
2007-08-28 19:48:13 +02:00
|
|
|
|
protect_list = s; /* Save for later. */
|
|
|
|
|
if (protected_at)
|
|
|
|
|
{
|
|
|
|
|
while (*s == '(')
|
|
|
|
|
{
|
|
|
|
|
prot_begin = s;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
if (smatch (&s, n, "protected-at"))
|
|
|
|
|
{
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
if (n != 15)
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
|
|
|
|
memcpy (protected_at, s, 15);
|
|
|
|
|
protected_at[15] = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
s += n;
|
|
|
|
|
i = 1;
|
|
|
|
|
rc = sskip (&s, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-03 17:24:37 +01:00
|
|
|
|
/* Now find the list with the protected information. Here is an
|
2003-08-05 19:11:04 +02:00
|
|
|
|
example for such a list:
|
2011-02-03 16:31:42 +01:00
|
|
|
|
(protected openpgp-s2k3-sha1-aes-cbc
|
2003-08-05 19:11:04 +02:00
|
|
|
|
((sha1 <salt> <count>) <Initialization_Vector>)
|
|
|
|
|
<encrypted_data>)
|
|
|
|
|
*/
|
2007-08-28 19:48:13 +02:00
|
|
|
|
s = protect_list;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (;;)
|
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
prot_begin = s;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (smatch (&s, n, "protected"))
|
|
|
|
|
break;
|
|
|
|
|
s += n;
|
|
|
|
|
i = 1;
|
|
|
|
|
rc = sskip (&s, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
/* found */
|
2016-04-12 14:37:26 +02:00
|
|
|
|
{
|
|
|
|
|
aadhole_begin = aadhole_end = prot_begin;
|
|
|
|
|
aadhole_end++;
|
|
|
|
|
i = 1;
|
|
|
|
|
rc = sskip (&aadhole_end, &i);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2014-09-01 10:15:21 +02:00
|
|
|
|
|
|
|
|
|
/* Lookup the protection algo. */
|
|
|
|
|
prot_cipher = 0; /* (avoid gcc warning) */
|
|
|
|
|
prot_cipher_keylen = 0; /* (avoid gcc warning) */
|
2016-04-12 14:37:26 +02:00
|
|
|
|
is_ocb = 0;
|
|
|
|
|
for (i=0; i < DIM (algotable); i++)
|
2014-09-01 10:15:21 +02:00
|
|
|
|
if (smatch (&s, n, algotable[i].name))
|
|
|
|
|
{
|
|
|
|
|
prot_cipher = algotable[i].algo;
|
|
|
|
|
prot_cipher_keylen = algotable[i].keylen;
|
2016-04-12 14:37:26 +02:00
|
|
|
|
is_ocb = algotable[i].is_ocb;
|
2014-09-01 10:15:21 +02:00
|
|
|
|
break;
|
|
|
|
|
}
|
2016-07-14 10:40:15 +02:00
|
|
|
|
if (i == DIM (algotable))
|
2014-09-01 10:15:21 +02:00
|
|
|
|
return gpg_error (GPG_ERR_UNSUPPORTED_PROTECTION);
|
|
|
|
|
|
|
|
|
|
if (!prot_cipher) /* This is "openpgp-native". */
|
2013-05-22 10:50:12 +02:00
|
|
|
|
{
|
2014-09-01 10:15:21 +02:00
|
|
|
|
gcry_sexp_t s_prot_begin;
|
2013-05-22 10:50:12 +02:00
|
|
|
|
|
2014-09-01 10:15:21 +02:00
|
|
|
|
rc = gcry_sexp_sscan (&s_prot_begin, NULL,
|
|
|
|
|
prot_begin,
|
|
|
|
|
gcry_sexp_canon_len (prot_begin, 0,NULL,NULL));
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
2013-05-22 10:50:12 +02:00
|
|
|
|
|
2014-09-01 10:15:21 +02:00
|
|
|
|
rc = convert_from_openpgp_native (ctrl, s_prot_begin, passphrase, &final);
|
|
|
|
|
gcry_sexp_release (s_prot_begin);
|
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
*result = final;
|
|
|
|
|
*resultlen = gcry_sexp_canon_len (final, 0, NULL, NULL);
|
2013-05-22 10:50:12 +02:00
|
|
|
|
}
|
2014-09-01 10:15:21 +02:00
|
|
|
|
return rc;
|
2013-05-22 10:50:12 +02:00
|
|
|
|
}
|
2014-09-01 10:15:21 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s != '(' || s[1] != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
s += 2;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!smatch (&s, n, "sha1"))
|
|
|
|
|
return gpg_error (GPG_ERR_UNSUPPORTED_PROTECTION);
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (n != 8)
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
s2ksalt = s;
|
|
|
|
|
s += n;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
/* We expect a list close as next, so we can simply use strtoul()
|
|
|
|
|
here. We might want to check that we only have digits - but this
|
|
|
|
|
is nothing we should worry about */
|
|
|
|
|
if (s[n] != ')' )
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2009-12-14 21:12:56 +01:00
|
|
|
|
/* Old versions of gpg-agent used the funny floating point number in
|
|
|
|
|
a byte encoding as specified by OpenPGP. However this is not
|
|
|
|
|
needed and thus we now store it as a plain unsigned integer. We
|
|
|
|
|
can easily distinguish the old format by looking at its value:
|
|
|
|
|
Less than 256 is an old-style encoded number; other values are
|
|
|
|
|
plain integers. In any case we check that they are at least
|
|
|
|
|
65536 because we never used a lower value in the past and we
|
|
|
|
|
should have a lower limit. */
|
2005-06-16 10:12:03 +02:00
|
|
|
|
s2kcount = strtoul ((const char*)s, NULL, 10);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!s2kcount)
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
2009-12-14 21:12:56 +01:00
|
|
|
|
if (s2kcount < 256)
|
|
|
|
|
s2kcount = (16ul + (s2kcount & 15)) << ((s2kcount >> 4) + 6);
|
|
|
|
|
if (s2kcount < 65536)
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s += n;
|
|
|
|
|
s++; /* skip list end */
|
|
|
|
|
|
|
|
|
|
n = snext (&s);
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (is_ocb)
|
|
|
|
|
{
|
|
|
|
|
if (n != 12) /* Wrong size of the nonce. */
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (n != 16) /* Wrong blocksize for IV (we support only 128 bit). */
|
|
|
|
|
return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
iv = s;
|
|
|
|
|
s += n;
|
|
|
|
|
if (*s != ')' )
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
|
2009-12-08 17:30:33 +01:00
|
|
|
|
cleartext = NULL; /* Avoid cc warning. */
|
2016-04-12 14:37:26 +02:00
|
|
|
|
rc = do_decryption (aad_begin, aad_end - aad_begin,
|
|
|
|
|
aadhole_begin, aadhole_end - aadhole_begin,
|
|
|
|
|
s, n,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
passphrase, s2ksalt, s2kcount,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
iv, is_ocb? 12:16,
|
|
|
|
|
prot_cipher, prot_cipher_keylen, is_ocb,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
&cleartext);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
rc = merge_lists (protectedkey, prot_begin-protectedkey, cleartext,
|
2016-04-12 14:37:26 +02:00
|
|
|
|
is_ocb? NULL : sha1hash,
|
|
|
|
|
&final, &finallen, &cutoff, &cutlen);
|
2004-02-03 17:24:37 +01:00
|
|
|
|
/* Albeit cleartext has been allocated in secure memory and thus
|
|
|
|
|
xfree will wipe it out, we do an extra wipe just in case
|
|
|
|
|
somethings goes badly wrong. */
|
2004-09-28 16:12:10 +02:00
|
|
|
|
wipememory (cleartext, n);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (cleartext);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
2016-04-12 14:37:26 +02:00
|
|
|
|
if (!is_ocb)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2016-04-12 14:37:26 +02:00
|
|
|
|
rc = calculate_mic (final, sha1hash2);
|
|
|
|
|
if (!rc && memcmp (sha1hash, sha1hash2, 20))
|
|
|
|
|
rc = gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
wipememory (final, finallen);
|
|
|
|
|
xfree (final);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2016-04-12 14:37:26 +02:00
|
|
|
|
|
2010-10-01 22:33:53 +02:00
|
|
|
|
/* Now remove the part which is included in the MIC but should not
|
2007-08-28 19:48:13 +02:00
|
|
|
|
go into the final thing. */
|
|
|
|
|
if (cutlen)
|
|
|
|
|
{
|
|
|
|
|
memmove (final+cutoff, final+cutoff+cutlen, finallen-cutoff-cutlen);
|
|
|
|
|
finallen -= cutlen;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
*result = final;
|
|
|
|
|
*resultlen = gcry_sexp_canon_len (final, 0, NULL, NULL);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-28 10:37:33 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Check the type of the private key, this is one of the constants:
|
|
|
|
|
PRIVATE_KEY_UNKNOWN if we can't figure out the type (this is the
|
|
|
|
|
value 0), PRIVATE_KEY_CLEAR for an unprotected private key.
|
|
|
|
|
PRIVATE_KEY_PROTECTED for an protected private key or
|
2015-01-29 16:26:07 +01:00
|
|
|
|
PRIVATE_KEY_SHADOWED for a sub key where the secret parts are
|
|
|
|
|
stored elsewhere. Finally PRIVATE_KEY_OPENPGP_NONE may be returned
|
|
|
|
|
is the key is still in the openpgp-native format but without
|
|
|
|
|
protection. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int
|
|
|
|
|
agent_private_key_type (const unsigned char *privatekey)
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *s;
|
|
|
|
|
size_t n;
|
2015-01-29 16:26:07 +01:00
|
|
|
|
int i;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
s = privatekey;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN;
|
|
|
|
|
if (smatch (&s, n, "protected-private-key"))
|
2015-01-29 16:26:07 +01:00
|
|
|
|
{
|
|
|
|
|
/* We need to check whether this is openpgp-native protected
|
|
|
|
|
with the protection method "none". In that case we return a
|
|
|
|
|
different key type so that the caller knows that there is no
|
|
|
|
|
need to ask for a passphrase. */
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return PRIVATE_KEY_PROTECTED; /* Unknown sexp - assume protected. */
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
s += n; /* Skip over the algo */
|
|
|
|
|
|
|
|
|
|
/* Find the (protected ...) list. */
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
if (smatch (&s, n, "protected"))
|
|
|
|
|
break;
|
|
|
|
|
s += n;
|
|
|
|
|
i = 1;
|
|
|
|
|
if (sskip (&s, &i))
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
}
|
|
|
|
|
/* Found - Is this openpgp-native? */
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
if (smatch (&s, n, "openpgp-native")) /* Yes. */
|
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Unknown sexp. */
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
s += n; /* Skip over "openpgp-private-key". */
|
|
|
|
|
/* Find the (protection ...) list. */
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
if (smatch (&s, n, "protection"))
|
|
|
|
|
break;
|
|
|
|
|
s += n;
|
|
|
|
|
i = 1;
|
|
|
|
|
if (sskip (&s, &i))
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
}
|
|
|
|
|
/* Found - Is the mode "none"? */
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
|
|
|
|
|
if (smatch (&s, n, "none"))
|
|
|
|
|
return PRIVATE_KEY_OPENPGP_NONE; /* Yes. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PRIVATE_KEY_PROTECTED;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (smatch (&s, n, "shadowed-private-key"))
|
|
|
|
|
return PRIVATE_KEY_SHADOWED;
|
|
|
|
|
if (smatch (&s, n, "private-key"))
|
|
|
|
|
return PRIVATE_KEY_CLEAR;
|
|
|
|
|
return PRIVATE_KEY_UNKNOWN;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Transform a passphrase into a suitable key of length KEYLEN and
|
|
|
|
|
store this key in the caller provided buffer KEY. The caller must
|
|
|
|
|
provide an HASHALGO, a valid S2KMODE (see rfc-2440) and depending on
|
2009-12-14 21:12:56 +01:00
|
|
|
|
that mode an S2KSALT of 8 random bytes and an S2KCOUNT.
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
Returns an error code on failure. */
|
|
|
|
|
static int
|
|
|
|
|
hash_passphrase (const char *passphrase, int hashalgo,
|
|
|
|
|
int s2kmode,
|
|
|
|
|
const unsigned char *s2ksalt,
|
|
|
|
|
unsigned long s2kcount,
|
|
|
|
|
unsigned char *key, size_t keylen)
|
|
|
|
|
{
|
2013-02-06 12:42:07 +01:00
|
|
|
|
/* The key derive function does not support a zero length string for
|
|
|
|
|
the passphrase in the S2K modes. Return a better suited error
|
|
|
|
|
code than GPG_ERR_INV_DATA. */
|
|
|
|
|
if (!passphrase || !*passphrase)
|
|
|
|
|
return gpg_error (GPG_ERR_NO_PASSPHRASE);
|
2011-03-10 18:39:34 +01:00
|
|
|
|
return gcry_kdf_derive (passphrase, strlen (passphrase),
|
|
|
|
|
s2kmode == 3? GCRY_KDF_ITERSALTED_S2K :
|
|
|
|
|
s2kmode == 1? GCRY_KDF_SALTED_S2K :
|
|
|
|
|
s2kmode == 0? GCRY_KDF_SIMPLE_S2K : GCRY_KDF_NONE,
|
|
|
|
|
hashalgo, s2ksalt, 8, s2kcount,
|
|
|
|
|
keylen, key);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2010-08-31 17:58:39 +02:00
|
|
|
|
gpg_error_t
|
|
|
|
|
s2k_hash_passphrase (const char *passphrase, int hashalgo,
|
|
|
|
|
int s2kmode,
|
|
|
|
|
const unsigned char *s2ksalt,
|
|
|
|
|
unsigned int s2kcount,
|
|
|
|
|
unsigned char *key, size_t keylen)
|
|
|
|
|
{
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return hash_passphrase (passphrase, hashalgo, s2kmode, s2ksalt,
|
2011-04-26 20:33:46 +02:00
|
|
|
|
S2K_DECODE_COUNT (s2kcount),
|
2010-08-31 17:58:39 +02:00
|
|
|
|
key, keylen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2005-02-25 17:14:55 +01:00
|
|
|
|
|
|
|
|
|
/* Create an canonical encoded S-expression with the shadow info from
|
|
|
|
|
a card's SERIALNO and the IDSTRING. */
|
|
|
|
|
unsigned char *
|
|
|
|
|
make_shadow_info (const char *serialno, const char *idstring)
|
|
|
|
|
{
|
|
|
|
|
const char *s;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
char *info, *p;
|
2007-05-15 18:10:48 +02:00
|
|
|
|
char numbuf[20];
|
|
|
|
|
size_t n;
|
2005-02-25 17:14:55 +01:00
|
|
|
|
|
|
|
|
|
for (s=serialno, n=0; *s && s[1]; s += 2)
|
|
|
|
|
n++;
|
|
|
|
|
|
2007-05-15 18:10:48 +02:00
|
|
|
|
info = p = xtrymalloc (1 + sizeof numbuf + n
|
|
|
|
|
+ sizeof numbuf + strlen (idstring) + 1 + 1);
|
2005-02-25 17:14:55 +01:00
|
|
|
|
if (!info)
|
|
|
|
|
return NULL;
|
|
|
|
|
*p++ = '(';
|
2007-05-15 18:10:48 +02:00
|
|
|
|
p = stpcpy (p, smklen (numbuf, sizeof numbuf, n, NULL));
|
2005-02-25 17:14:55 +01:00
|
|
|
|
for (s=serialno; *s && s[1]; s += 2)
|
2005-06-16 10:12:03 +02:00
|
|
|
|
*(unsigned char *)p++ = xtoi_2 (s);
|
2007-05-15 18:10:48 +02:00
|
|
|
|
p = stpcpy (p, smklen (numbuf, sizeof numbuf, strlen (idstring), NULL));
|
2005-02-25 17:14:55 +01:00
|
|
|
|
p = stpcpy (p, idstring);
|
|
|
|
|
*p++ = ')';
|
|
|
|
|
*p = 0;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
return (unsigned char *)info;
|
2005-02-25 17:14:55 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Create a shadow key from a public key. We use the shadow protocol
|
2017-12-08 01:19:50 +01:00
|
|
|
|
"t1-v1" and insert the S-expressionn SHADOW_INFO. The resulting
|
2003-08-05 19:11:04 +02:00
|
|
|
|
S-expression is returned in an allocated buffer RESULT will point
|
2005-02-25 17:14:55 +01:00
|
|
|
|
to. The input parameters are expected to be valid canonicalized
|
2003-08-05 19:11:04 +02:00
|
|
|
|
S-expressions */
|
2011-02-03 16:31:42 +01:00
|
|
|
|
int
|
2020-06-14 19:26:45 +02:00
|
|
|
|
agent_shadow_key_type (const unsigned char *pubkey,
|
|
|
|
|
const unsigned char *shadow_info,
|
|
|
|
|
const unsigned char *type,
|
|
|
|
|
unsigned char **result)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
const unsigned char *s;
|
|
|
|
|
const unsigned char *point;
|
|
|
|
|
size_t n;
|
|
|
|
|
int depth = 0;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
char *p;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
size_t pubkey_len = gcry_sexp_canon_len (pubkey, 0, NULL,NULL);
|
|
|
|
|
size_t shadow_info_len = gcry_sexp_canon_len (shadow_info, 0, NULL,NULL);
|
|
|
|
|
|
|
|
|
|
if (!pubkey_len || !shadow_info_len)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_VALUE);
|
|
|
|
|
s = pubkey;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!smatch (&s, n, "public-key"))
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
n = snext (&s);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s += n; /* skip over the algorithm name */
|
|
|
|
|
|
|
|
|
|
while (*s != ')')
|
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s += n;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s +=n; /* skip value */
|
|
|
|
|
if (*s != ')')
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
depth--;
|
|
|
|
|
s++;
|
|
|
|
|
}
|
|
|
|
|
point = s; /* insert right before the point */
|
|
|
|
|
depth--;
|
|
|
|
|
s++;
|
2019-05-14 10:31:46 +02:00
|
|
|
|
log_assert (depth == 1);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2005-02-25 17:14:55 +01:00
|
|
|
|
/* Calculate required length by taking in account: the "shadowed-"
|
2020-06-14 19:26:45 +02:00
|
|
|
|
prefix, the "shadowed", shadow type as well as some parenthesis */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
n = 12 + pubkey_len + 1 + 3+8 + 2+5 + shadow_info_len + 1;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
*result = xtrymalloc (n);
|
|
|
|
|
p = (char*)*result;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!p)
|
|
|
|
|
return out_of_core ();
|
|
|
|
|
p = stpcpy (p, "(20:shadowed-private-key");
|
|
|
|
|
/* (10:public-key ...)*/
|
|
|
|
|
memcpy (p, pubkey+14, point - (pubkey+14));
|
|
|
|
|
p += point - (pubkey+14);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
p += sprintf (p, "(8:shadowed%d:%s", (int)strlen(type), type);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
memcpy (p, shadow_info, shadow_info_len);
|
|
|
|
|
p += shadow_info_len;
|
|
|
|
|
*p++ = ')';
|
|
|
|
|
memcpy (p, point, pubkey_len - (point - pubkey));
|
|
|
|
|
p += pubkey_len - (point - pubkey);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-14 19:26:45 +02:00
|
|
|
|
int
|
|
|
|
|
agent_shadow_key (const unsigned char *pubkey,
|
|
|
|
|
const unsigned char *shadow_info,
|
|
|
|
|
unsigned char **result)
|
|
|
|
|
{
|
|
|
|
|
return agent_shadow_key_type (pubkey, shadow_info, "t1-v1", result);
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Parse a canonical encoded shadowed key and return a pointer to the
|
2020-06-14 19:26:45 +02:00
|
|
|
|
inner list with the shadow_info and the shadow type */
|
2017-07-28 10:37:33 +02:00
|
|
|
|
gpg_error_t
|
2020-06-14 19:26:45 +02:00
|
|
|
|
agent_get_shadow_info_type (const unsigned char *shadowkey,
|
|
|
|
|
unsigned char const **shadow_info,
|
|
|
|
|
unsigned char **shadow_type)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2021-06-25 20:23:01 +02:00
|
|
|
|
const unsigned char *s, *saved_s;
|
|
|
|
|
size_t n, saved_n;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int depth = 0;
|
|
|
|
|
|
|
|
|
|
s = shadowkey;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!smatch (&s, n, "shadowed-private-key"))
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
2011-02-03 16:31:42 +01:00
|
|
|
|
n = snext (&s);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s += n; /* skip over the algorithm name */
|
|
|
|
|
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
|
|
|
|
if (*s == ')')
|
|
|
|
|
return gpg_error (GPG_ERR_UNKNOWN_SEXP);
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
depth++;
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (smatch (&s, n, "shadowed"))
|
|
|
|
|
break;
|
|
|
|
|
s += n;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
s +=n; /* skip value */
|
|
|
|
|
if (*s != ')')
|
2011-02-03 16:31:42 +01:00
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
depth--;
|
|
|
|
|
s++;
|
|
|
|
|
}
|
2004-02-03 17:24:37 +01:00
|
|
|
|
/* Found the shadowed list, S points to the protocol */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
n = snext (&s);
|
2011-02-03 16:31:42 +01:00
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2021-06-25 20:23:01 +02:00
|
|
|
|
saved_s = s;
|
|
|
|
|
saved_n = n;
|
2020-06-14 19:26:45 +02:00
|
|
|
|
if (smatch (&s, n, "t1-v1") || smatch(&s, n, "tpm2-v1"))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
if (shadow_info)
|
|
|
|
|
*shadow_info = s;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
return gpg_error (GPG_ERR_UNSUPPORTED_PROTOCOL);
|
2021-06-25 20:23:01 +02:00
|
|
|
|
s = saved_s;
|
|
|
|
|
n = saved_n;
|
2021-04-12 19:19:59 +02:00
|
|
|
|
|
|
|
|
|
if (shadow_type)
|
|
|
|
|
{
|
|
|
|
|
char *buf = xtrymalloc(n+1);
|
|
|
|
|
if (!buf)
|
|
|
|
|
return gpg_error_from_syserror ();
|
|
|
|
|
memcpy (buf, s, n);
|
|
|
|
|
buf[n] = '\0';
|
|
|
|
|
*shadow_type = buf;
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
|
2020-06-14 19:26:45 +02:00
|
|
|
|
gpg_error_t
|
2021-03-09 22:50:29 +01:00
|
|
|
|
agent_get_shadow_info (const unsigned char *shadowkey,
|
|
|
|
|
unsigned char const **shadow_info)
|
2020-06-14 19:26:45 +02:00
|
|
|
|
{
|
2021-03-09 22:50:29 +01:00
|
|
|
|
return agent_get_shadow_info_type (shadowkey, shadow_info, NULL);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
}
|
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
|
2020-06-14 19:26:45 +02:00
|
|
|
|
int
|
2021-03-09 22:50:29 +01:00
|
|
|
|
agent_is_tpm2_key (gcry_sexp_t s_skey)
|
2020-06-14 19:26:45 +02:00
|
|
|
|
{
|
|
|
|
|
unsigned char *buf;
|
|
|
|
|
unsigned char *type;
|
|
|
|
|
size_t len;
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
err = make_canon_sexp (s_skey, &buf, &len);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
if (err)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
err = agent_get_shadow_info_type (buf, NULL, &type);
|
2021-04-12 19:19:59 +02:00
|
|
|
|
xfree (buf);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
if (err)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
err = strcmp (type, "tpm2-v1") == 0;
|
|
|
|
|
xfree (type);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
|
2020-06-14 19:26:45 +02:00
|
|
|
|
gpg_error_t
|
2021-03-09 22:50:29 +01:00
|
|
|
|
agent_get_shadow_type (const unsigned char *shadowkey,
|
|
|
|
|
unsigned char **shadow_type)
|
2020-06-14 19:26:45 +02:00
|
|
|
|
{
|
2021-03-09 22:50:29 +01:00
|
|
|
|
return agent_get_shadow_info_type (shadowkey, NULL, shadow_type);
|
2020-06-14 19:26:45 +02:00
|
|
|
|
}
|
2009-03-06 18:31:27 +01:00
|
|
|
|
|
2021-03-09 22:50:29 +01:00
|
|
|
|
|
2009-03-06 18:31:27 +01:00
|
|
|
|
/* Parse the canonical encoded SHADOW_INFO S-expression. On success
|
|
|
|
|
the hex encoded serial number is returned as a malloced strings at
|
|
|
|
|
R_HEXSN and the Id string as a malloced string at R_IDSTR. On
|
|
|
|
|
error an error code is returned and NULL is stored at the result
|
|
|
|
|
parameters addresses. If the serial number or the ID string is not
|
2019-05-03 15:54:54 +02:00
|
|
|
|
required, NULL may be passed for them. Note that R_PINLEN is
|
|
|
|
|
currently not used by any caller. */
|
2009-03-06 18:31:27 +01:00
|
|
|
|
gpg_error_t
|
2011-02-03 16:31:42 +01:00
|
|
|
|
parse_shadow_info (const unsigned char *shadow_info,
|
2012-02-07 14:17:33 +01:00
|
|
|
|
char **r_hexsn, char **r_idstr, int *r_pinlen)
|
2009-03-06 18:31:27 +01:00
|
|
|
|
{
|
|
|
|
|
const unsigned char *s;
|
|
|
|
|
size_t n;
|
|
|
|
|
|
|
|
|
|
if (r_hexsn)
|
|
|
|
|
*r_hexsn = NULL;
|
|
|
|
|
if (r_idstr)
|
|
|
|
|
*r_idstr = NULL;
|
2012-02-07 14:17:33 +01:00
|
|
|
|
if (r_pinlen)
|
|
|
|
|
*r_pinlen = 0;
|
2009-03-06 18:31:27 +01:00
|
|
|
|
|
|
|
|
|
s = shadow_info;
|
|
|
|
|
if (*s != '(')
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
s++;
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
|
|
|
|
|
if (r_hexsn)
|
|
|
|
|
{
|
|
|
|
|
*r_hexsn = bin2hex (s, n, NULL);
|
|
|
|
|
if (!*r_hexsn)
|
|
|
|
|
return gpg_error_from_syserror ();
|
|
|
|
|
}
|
|
|
|
|
s += n;
|
|
|
|
|
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
{
|
|
|
|
|
if (r_hexsn)
|
|
|
|
|
{
|
|
|
|
|
xfree (*r_hexsn);
|
|
|
|
|
*r_hexsn = NULL;
|
|
|
|
|
}
|
|
|
|
|
return gpg_error (GPG_ERR_INV_SEXP);
|
|
|
|
|
}
|
2011-02-03 16:31:42 +01:00
|
|
|
|
|
2009-03-06 18:31:27 +01:00
|
|
|
|
if (r_idstr)
|
|
|
|
|
{
|
|
|
|
|
*r_idstr = xtrymalloc (n+1);
|
|
|
|
|
if (!*r_idstr)
|
|
|
|
|
{
|
|
|
|
|
if (r_hexsn)
|
|
|
|
|
{
|
|
|
|
|
xfree (*r_hexsn);
|
|
|
|
|
*r_hexsn = NULL;
|
|
|
|
|
}
|
|
|
|
|
return gpg_error_from_syserror ();
|
|
|
|
|
}
|
|
|
|
|
memcpy (*r_idstr, s, n);
|
|
|
|
|
(*r_idstr)[n] = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-07 14:17:33 +01:00
|
|
|
|
/* Parse the optional PINLEN. */
|
|
|
|
|
n = snext (&s);
|
|
|
|
|
if (!n)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (r_pinlen)
|
|
|
|
|
{
|
|
|
|
|
char *tmpstr = xtrymalloc (n+1);
|
|
|
|
|
if (!tmpstr)
|
|
|
|
|
{
|
|
|
|
|
if (r_hexsn)
|
|
|
|
|
{
|
|
|
|
|
xfree (*r_hexsn);
|
|
|
|
|
*r_hexsn = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (r_idstr)
|
|
|
|
|
{
|
|
|
|
|
xfree (*r_idstr);
|
|
|
|
|
*r_idstr = NULL;
|
|
|
|
|
}
|
|
|
|
|
return gpg_error_from_syserror ();
|
|
|
|
|
}
|
|
|
|
|
memcpy (tmpstr, s, n);
|
|
|
|
|
tmpstr[n] = 0;
|
|
|
|
|
|
|
|
|
|
*r_pinlen = (int)strtol (tmpstr, NULL, 10);
|
|
|
|
|
xfree (tmpstr);
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-06 18:31:27 +01:00
|
|
|
|
return 0;
|
|
|
|
|
}
|