security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

Generating an OpenPGP key cia gpg-agent basically works.

Browse source
This commit is contained in:
Werner Koch 2010-04-20 17:57:50 +00:00
parent 67934a8c13
commit 21b0a955be
23 changed files with 1233 additions and 1364 deletions
Download patch file Download diff file Expand all files Collapse all files

208
g10/seckey-cert.c
View file

@ -259,58 +259,6 @@ do_check( PKT_secret_key *sk, const char *tryagain_text, int mode,
/****************
* Check the secret key
* Ask up to 3 (or n) times for a correct passphrase
* If n is negative, disable the key info prompt and make n=abs(n)
*/
int
check_secret_key( PKT_secret_key *sk, int n )
{
int rc = gpg_error (GPG_ERR_BAD_PASSPHRASE);
int i,mode;
if (sk && sk->is_protected && sk->protect.s2k.mode == 1002)
return 0; /* Let the scdaemon handle this. */
if(n<0)
{
n=abs(n);
mode=1;
}
else
mode=0;
if( n < 1 )
n = 3; /* Use the default value */
for(i=0; i < n && gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE; i++ ) {
int canceled = 0;
const char *tryagain = NULL;
if (i) {
tryagain = N_("Invalid passphrase; please try again");
log_info (_("%s ...\n"), _(tryagain));
}
rc = do_check( sk, tryagain, mode, &canceled );
if ( gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
&& is_status_enabled () ) {
u32 kid[2];
char buf[50];
keyid_from_sk( sk, kid );
sprintf(buf, "%08lX%08lX", (ulong)kid[0], (ulong)kid[1]);
write_status_text( STATUS_BAD_PASSPHRASE, buf );
}
if( have_static_passphrase() || canceled)
break;
}
if( !rc )
write_status( STATUS_GOOD_PASSPHRASE );
return rc;
}
/****************
* check whether the secret key is protected.
* Returns: 0 not protected, -1 on error or the protection algorithm
@ -318,156 +266,10 @@ check_secret_key( PKT_secret_key *sk, int n )
* -3 indicates a not-online stub.
*/
int
is_secret_key_protected( PKT_secret_key *sk )
is_secret_key_protected (PKT_public_key *pk)
{
return sk->is_protected?
sk->protect.s2k.mode == 1002? -2 :
sk->protect.s2k.mode == 1001? -3 : sk->protect.algo : 0;
}
/****************
* Protect the secret key with the passphrase from DEK
*/
int
protect_secret_key( PKT_secret_key *sk, DEK *dek )
{
int i,j, rc = 0;
byte *buffer;
size_t nbytes;
u16 csum;
if( !dek )
return 0;
if( !sk->is_protected ) { /* okay, apply the protection */
gcry_cipher_hd_t cipher_hd=NULL;
if ( openpgp_cipher_test_algo ( sk->protect.algo ) ) {
/* Unsupport protection algorithm. */
rc = gpg_error (GPG_ERR_CIPHER_ALGO);
}
else {
print_cipher_algo_note( sk->protect.algo );
if ( openpgp_cipher_open (&cipher_hd, sk->protect.algo,
GCRY_CIPHER_MODE_CFB,
(GCRY_CIPHER_SECURE
| (sk->protect.algo >= 100 ?
0 : GCRY_CIPHER_ENABLE_SYNC))) )
BUG();
if ( gcry_cipher_setkey ( cipher_hd, dek->key, dek->keylen ) )
log_info(_("WARNING: Weak key detected"
" - please change passphrase again.\n"));
sk->protect.ivlen = openpgp_cipher_get_algo_blklen (sk->protect.algo);
assert( sk->protect.ivlen <= DIM(sk->protect.iv) );
if( sk->protect.ivlen != 8 && sk->protect.ivlen != 16 )
BUG(); /* yes, we are very careful */
gcry_create_nonce (sk->protect.iv, sk->protect.ivlen);
gcry_cipher_setiv (cipher_hd, sk->protect.iv, sk->protect.ivlen);
if( sk->version >= 4 ) {
byte *bufarr[PUBKEY_MAX_NSKEY];
size_t narr[PUBKEY_MAX_NSKEY];
unsigned int nbits[PUBKEY_MAX_NSKEY];
int ndata=0;
byte *p, *data;
for (j=0, i = pubkey_get_npkey(sk->pubkey_algo);
i < pubkey_get_nskey(sk->pubkey_algo); i++, j++ )
{
assert (!gcry_mpi_get_flag (sk->skey[i],
GCRYMPI_FLAG_OPAQUE));
if (gcry_mpi_aprint (GCRYMPI_FMT_USG, bufarr+j,
narr+j, sk->skey[i]))
BUG();
nbits[j] = gcry_mpi_get_nbits (sk->skey[i]);
ndata += narr[j] + 2;
}
for ( ; j < PUBKEY_MAX_NSKEY; j++ )
bufarr[j] = NULL;
ndata += opt.simple_sk_checksum? 2 : 20; /* for checksum */
data = xmalloc_secure( ndata );
p = data;
for(j=0; j < PUBKEY_MAX_NSKEY && bufarr[j]; j++ ) {
p[0] = nbits[j] >> 8 ;
p[1] = nbits[j];
p += 2;
memcpy(p, bufarr[j], narr[j] );
p += narr[j];
xfree(bufarr[j]);
}
if (opt.simple_sk_checksum) {
log_info (_("generating the deprecated 16-bit checksum"
" for secret key protection\n"));
csum = checksum( data, ndata-2);
sk->csum = csum;
*p++ = csum >> 8;
*p++ = csum;
sk->protect.sha1chk = 0;
}
else {
gcry_md_hd_t h;
if (gcry_md_open (&h, GCRY_MD_SHA1, 1))
BUG(); /* Algo not available. */
gcry_md_write (h, data, ndata - 20);
gcry_md_final (h);
memcpy (p, gcry_md_read (h, DIGEST_ALGO_SHA1), 20);
p += 20;
gcry_md_close (h);
sk->csum = csum = 0;
sk->protect.sha1chk = 1;
}
assert( p == data+ndata );
gcry_cipher_encrypt (cipher_hd, data, ndata, NULL, 0);
for (i = pubkey_get_npkey(sk->pubkey_algo);
i < pubkey_get_nskey(sk->pubkey_algo); i++ )
{
gcry_mpi_release (sk->skey[i]);
sk->skey[i] = NULL;
}
i = pubkey_get_npkey(sk->pubkey_algo);
sk->skey[i] = gcry_mpi_set_opaque (NULL, data, ndata*8 );
}
else {
csum = 0;
for(i=pubkey_get_npkey(sk->pubkey_algo);
i < pubkey_get_nskey(sk->pubkey_algo); i++ ) {
byte *data;
unsigned int nbits;
csum += checksum_mpi (sk->skey[i]);
if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &buffer,
&nbytes, sk->skey[i] ))
BUG();
gcry_cipher_sync (cipher_hd);
assert (!gcry_mpi_get_flag (sk->skey[i],
GCRYMPI_FLAG_OPAQUE));
data = xmalloc (nbytes+2); /* fixme: need xtrymalloc. */
nbits = gcry_mpi_get_nbits (sk->skey[i]);
assert (nbytes == (nbits + 7)/8);
data[0] = nbits >> 8;
data[1] = nbits;
gcry_cipher_encrypt (cipher_hd, data+2, nbytes,
buffer, nbytes);
xfree( buffer );
gcry_mpi_release (sk->skey[i]);
sk->skey[i] = gcry_mpi_set_opaque (NULL,
data, (nbytes+2)*8 );
}
sk->csum = csum;
}
sk->is_protected = 1;
gcry_cipher_close (cipher_hd);
}
}
return rc;
return 0; /* FIXME: use agent_get_keyinfo?*/
/* return sk->is_protected? */
/* sk->protect.s2k.mode == 1002? -2 : */
/* sk->protect.s2k.mode == 1001? -3 : sk->protect.algo : 0; */
}