security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

agent: Implement new protection mode openpgp-s2k3-ocb-aes.

Browse source 
* agent/protect.c (agent_protect): Add arg use_ocb.  Change all caller
to pass -1 for default.
* agent/protect-tool.c: New option --debug-use-ocb.
(oDebugUseOCB): New.
(opt_debug_use_ocb): New.
(main): Set option.
(read_and_protect): Implement option.

* agent/protect.c (OCB_MODE_SUPPORTED): New macro.
(PROT_DEFAULT_TO_OCB): New macro.
(do_encryption): Add args use_ocb, hashbegin, hashlen, timestamp_exp,
and timestamp_exp_len.  Implement OCB.
(agent_protect): Change to support OCB.
(do_decryption): Add new args is_ocb, aadhole_begin, and aadhole_len.
Implement OCB.
(merge_lists): Allow NULL for sha1hash.
(agent_unprotect): Change to support OCB.
(agent_private_key_type): Remove debug output.
--

Instead of using the old OpenPGP way of appending a hash of the
plaintext and encrypt that along with the plaintext, the new scheme
uses a proper authenticated encryption mode.  See keyformat.txt for a
description.  Libgcrypt 1.7 is required.

This mode is not yet enabled because there would be no way to return
to an older GnuPG version.  To test the new scheme use
gpg-protect-tool:

 ./gpg-protect-tool -av -P abc -p --debug-use-ocb <plain.key >prot.key
 ./gpg-protect-tool -av -P abc -u <prot.key

Any key from the private key storage should work.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2016-04-12 14:37:26 +02:00
parent 100b413d7f
commit 4159567f7e
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
9 changed files with 375 additions and 139 deletions
Download patch file Download diff file Expand all files Collapse all files

8
agent/protect-tool.c
View file

@ -69,6 +69,7 @@ enum cmd_and_opt_values
oHomedir,
oPrompt,
oStatusMsg,
oDebugUseOCB,
oAgentProgram
};
@ -96,6 +97,7 @@ static const char *opt_passphrase;
static char *opt_prompt;
static int opt_status_msg;
static const char *opt_agent_program;
static int opt_debug_use_ocb;
static char *get_passphrase (int promptno);
static void release_passphrase (char *pw);
@ -132,6 +134,8 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
ARGPARSE_s_n (oDebugUseOCB, "debug-use-ocb", "@"), /* For hacking only. */
ARGPARSE_end ()
};
@ -333,7 +337,8 @@ read_and_protect (const char *fname)
return;
pw = get_passphrase (1);
rc = agent_protect (key, pw, &result, &resultlen, 0);
rc = agent_protect (key, pw, &result, &resultlen, 0,
opt_debug_use_ocb? 1 : -1);
release_passphrase (pw);
xfree (key);
if (rc)
@ -598,6 +603,7 @@ main (int argc, char **argv )
case oHaveCert: opt_have_cert = 1; break;
case oPrompt: opt_prompt = pargs.r.ret_str; break;
case oStatusMsg: opt_status_msg = 1; break;
case oDebugUseOCB: opt_debug_use_ocb = 1; break;
default: pargs.err = ARGPARSE_PRINT_ERROR; break;
}