1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-30 19:58:44 +01:00
Commit Graph

23 Commits

Author SHA1 Message Date
Werner Koch
cbe0956df0
gpgsm: Increase salt size in pkcs#12 parser.
* sm/minip12.c (parse_bag_encrypted_data): Need 32 bytes.
--

GnuPG-bug-id: 6757
2024-02-05 07:59:02 +01:00
Werner Koch
697d54ceca
gpgsm: Re-introduce the bad passphrase hint for pkcs#12.
* sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag.
(parse_shrouded_key_bag): Ditto.
--
2023-11-14 09:48:04 +01:00
Werner Koch
08f0b9ea2e
sm: Another partly rewrite of minip12.c
* sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize.
Remove pop_count.  Rename offset to length.
(dump_tag_info, _dump_tag_info): Rewrite.
(dump_tlv_ctx, _dump_tlv_ctx): Rewrite.
(tlv_new): Init origbuffer.
(_tlv_peek): Add arg ti.
(tlv_peek): New.
(tlv_peek_null): New.
(_tlv_push): Rewrite.
(_tlv_pop): Rewrite.
(tlv_next): New macro.  Move old code to ...
(_tlv_next): this.  Add arg lno.  Pop remaining end tags.
(tlv_popped): Remove.
(tlv_expect_object): Handle ndef.
(tlv_expect_octet_string): Ditto.
(parse_bag_encrypted_data): Use nesting level to control the inner
loop.
(parse_shrouded_key_bag): Likewise.
(parse_bag_data): Handle surplus octet strings.
(p12_parse): Ditto.

* sm/minip12.c (decrypt_block): Strip the padding.
(tlv_expect_top_sequence): Remove.  Replace callers by
tlv_expect_sequence.

* tests/samplekeys/t6752-ov-user-ff.p12: New sample key.
* tests/samplekeys/Description-p12: Add its description
--

This patch improves the BER parser by simplifying it.  Now tlv_next
pops off and thus closes all containers regardless on whether they are
length bounded or ndef.  tlv_set_pending is now always used to undo
the effect of a tlv_next in a loop condition which was terminated by a
nesting level change.

Instead of using the length as seen in the decrypted container we now
remove the padding and let the BER parser do its work.  This might
have a negative effect on pkcs#12 objects which are not correctly
padded but we don't have any example of such broken objects.

GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
Werner Koch
9976285ff0
sm: Support more HMAC algos in the pkcs#12 parser.
* sm/minip12.c (oid_hmacWithSHA1): New.  Also for the SHA-2 algos.
(digest_algo_from_oid): New.
(set_key_iv_pbes2): Add arg digest_algo.
(crypt_block): Ditto.
(decrypt_block): Ditto.
(parse_bag_encrypted_data): Parse the optional prf part and get the
hmac algorithm.
(parse_shrouded_key_bag): Ditto.
(p12_build): Pass SHA1 for digest_algo.

* sm/t-minip12.c (run_one_test): Print failed values in verbose mode.

* tests/samplekeys/nistp256-openssl-self-signed.p12: New.
* tests/samplekeys/Description-p12: Add this one.
* tests/Makefile.am (EXTRA_DIST): Ditto.
--

This supports the modern algorithms, i.e. using SHA256 for the KDF
which is the default in openssl unless the -legacy option is used.

GnuPG-bug-id: 6536
2023-10-06 11:22:59 +02:00
Werner Koch
bb157044a0
sm: Improve the octet string cramming for pkcs#12
* sm/minip12.c (need_octet_string_cramming): New.
(tlv_expect_object, tlv_expect_octet_string): Run the test before
cramming.

* sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro
for debug purposes.
(bag_decrypted_data_p, bag_data_p): Use macro to allow dumping.
--

This bug was exhibited by importing a gpgsm exported EC certificate.

We use an extra test instead of retrying to allow retruning an error
from malloc failure.  And well, for easier reading of the code.

GnuPG-bug-id: 6536
(cherry picked from commit c1f78634ec)
2023-10-05 10:32:57 +02:00
Werner Koch
a6dad932f4
sm: Complete rewrite of the PKCS#12 parser
* sm/minip12.c: Reworked most of the parser.
(p12_set_verbosity): Add arg debug and change all callers.

* sm/t-minip12.c: New.
* sm/Makefile.am (module_maint): Add it.

* tests/samplekeys/Description-p12: New.
* tests/samplekeys/t5793-openssl.pfx: New from T5793.
* tests/samplekeys/t5793-test.pfx: Ditto.
* tests/samplekeys/Description-p12: Add them.
* tests/Makefile.am (EXTRA_DIST): Add samplekeys.
--

GnuPG-bug-id: 6536
Backported_from: 101433dfb4
Backported_from: 5f694dc0be
2023-07-05 14:21:16 +02:00
Werner Koch
1b4247e010
sm: Remove duplicated code.
* sm/minip12.c (struct tag_info): Change type of length and nhdr.
(dump_tag_info): Adjust.
(parse_tag): Re-implement using the parse_ber_header.
2023-07-05 12:14:35 +02:00
Ingo Klöcker
94092793f6
sm: Fix reporting of bad passphrase error
* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
--

Fixes-commit: 4c14bbf56f
GnuPG-bug-id: 5713, 6037
(cherry picked from commit a47b3a4087)
2022-10-10 09:17:10 +02:00
Werner Koch
4c14bbf56f
sm: Update pkcs#12 module from master
* sm/minip12.c: Update from master.
* sm/import.c (parse_p12): Pass NULL for curve.
--

Over the last years we had a couple of changes not backported to 2.2.
However, to support DFN p12 files and probably other p12 files we need
to update the minip12.c module.  Instead of picking commits we take
the module verbatim, which is relatively easy because it was
originally designed to be a standalone module.

Summary of commits taken from master:

  sm: Improve pkcs#12 debug output.
  sm: Rework the PKCS#12 parser to support DFN issued keys.
  sm: Fix parsing encrypted data.
  sm: Do not print certain issuer not found diags in quiet mode.
  sm: Silence some output on --quiet
  sm: Replace all assert calls by log_assert.
  doc: Typo fixes in code comments
  sm: Add support to export ECC private keys.

Detailed log messages for those commits:

  commit 52f9e13c0c

    sm: Improve pkcs#12 debug output.

    * sm/minip12.c (parse_shrouded_key_bag): Fix offset diagnostic.
    (parse_cert_bag): Ditto.
    (parse_bag_data): Remove debug output.  Pass startoffset.
    Fix offset diagnostic.

  commit a4e04375e8

    sm: Rework the PKCS#12 parser to support DFN issued keys.

    * sm/minip12.c (struct p12_parse_ctx_s): New.  Use this instead of
    passing several parameters to most functions.
    (parse_pag_data): Factor things out to  ...
    parse_shrouded_key_bag): new.
    (parse_cert_bag): New.
    (parse_bag_data): New.
    (p12_parse): Setup the parse context.

    To support newer pkcs#12 files like those issued by the DFN we
    need to support another ordering of data elements.  This rework
    reflects the P12 data structure a bit better than our old ad-hoc
    hacks.  Tests could only be done with the certificate parts and
    not the encrypted private keys.

GnuPG-bug-id: 6037

  commit 6c50834c09

    sm: Fix parsing encrypted data.

    * sm/minip12.c (cram_octet_string): Finish when N==0.
    (parse_bag_encrypted_data): Support constructed data with multiple
    octet strings.

GnuPG-bug-id: 5793

  commit a170f0e73f

    sm: Do not print certain issuer not found diags in quiet mode.

    * sm/certchain.c (find_up_dirmngr): Print one diagnostic only in
    verbose mode.  Do not print issuer not found diags in quiet mode.
    * sm/minip12.c (parse_bag_data): Add missing verbose condition.

GnuPG-bug-id: 4757

  commit 615d2e4fb1

    sm: Silence some output on --quiet

    * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
    * sm/gpgsm.c: Include minip12.h.
    (set_debug): Call p12_set_verbosity.
    * sm/import.c (parse_p12): Dump keygrip only in debug mode.
    * sm/minip12.c (opt_verbose, p12_set_verbosity): New.
    (parse_bag_encrypted_data): Print info messages only in verbose
    mode.

GnuPG-bug-id: 4757

  commit 9ee975d588

    gpgsm: Replace all assert calls by log_assert.

  commit 9bc9d0818b

    doc: Typo fixes in code comments

  commit 5da6925a33

    sm: Add support to export ECC private keys.

    * sm/minip12.c [TEST]: Remove test code.  Include util.h, tlv.h. and
    openpgpdefs.h.  Remove the class and tag constants and replace
    them by those from tlv.h.
    (builder_add_oid, builder_add_mpi): New.
    (build_key_sequence): Rename to ...
    (build_rsa_key_sequence): this.
    (build_ecc_key_sequence): New.
    (p12_build): Call RSA or ECC builder.
    (p12_raw_build): Ditto.
    * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC.
    (sexp_to_kparms): Support ECC.

GnuPG-bug-id: 4921
2022-06-21 18:22:14 +02:00
NIIBE Yutaka
0c7dffe99d sm: Fix parsing encrypted data.
* sm/minip12.c (cram_octet_string): Finish when N==0.
(parse_bag_encrypted_data): Support constructed data with multiple
octet strings.

--

Backport master commit of:
	6c50834c09

GnuPG-bug-id: 5793
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-09 10:57:22 +09:00
Werner Koch
e5af401fc4
sm: Silence some other pkcs#12 import prattle
* sm/minip12.c (parse_bag_data): Print a regular log_info only in
verbose mode.
--
2021-03-01 09:46:59 +01:00
Werner Koch
bcdbf0fcf3
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--

GnuPG-bug-id: 4757
2021-02-24 08:38:13 +01:00
Werner Koch
163e4ff195
w32: Support Unicode also for config files etc.
* common/sysutils.c (gnupg_fopen) [W32]: Use _wfopen if needed.   Use
new function in most places where fopen is used.
--

The config files in 2.2 are still read using fopen - we need to change
this to allow Unicode directory names.  There is also one case where
files are written using the old fopen.  The new option parser in 2.3
does not have this problem but at some places fopen is also still used.

GnuPG-bug-id: 5098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-10 12:09:11 +01:00
Werner Koch
4d7dc432b5
Change all http://www.gnu.org in license notices to https://
--
2016-11-05 12:02:19 +01:00
Justus Winter
a9e0905342 Fix typos found using codespell.
* agent/cache.c: Fix typos.
* agent/call-pinentry.c: Likewise.
* agent/call-scd.c: Likewise.
* agent/command-ssh.c: Likewise.
* agent/command.c: Likewise.
* agent/divert-scd.c: Likewise.
* agent/findkey.c: Likewise.
* agent/gpg-agent.c: Likewise.
* agent/w32main.c: Likewise.
* common/argparse.c: Likewise.
* common/audit.c: Likewise.
* common/audit.h: Likewise.
* common/convert.c: Likewise.
* common/dotlock.c: Likewise.
* common/exechelp-posix.c: Likewise.
* common/exechelp-w32.c: Likewise.
* common/exechelp-w32ce.c: Likewise.
* common/exechelp.h: Likewise.
* common/helpfile.c: Likewise.
* common/i18n.h: Likewise.
* common/iobuf.c: Likewise.
* common/iobuf.h: Likewise.
* common/localename.c: Likewise.
* common/logging.c: Likewise.
* common/openpgp-oid.c: Likewise.
* common/session-env.c: Likewise.
* common/sexputil.c: Likewise.
* common/sysutils.c: Likewise.
* common/t-sexputil.c: Likewise.
* common/ttyio.c: Likewise.
* common/util.h: Likewise.
* dirmngr/cdblib.c: Likewise.
* dirmngr/certcache.c: Likewise.
* dirmngr/crlcache.c: Likewise.
* dirmngr/dirmngr-client.c: Likewise.
* dirmngr/dirmngr.c: Likewise.
* dirmngr/dirmngr_ldap.c: Likewise.
* dirmngr/dns-stuff.c: Likewise.
* dirmngr/http.c: Likewise.
* dirmngr/ks-engine-hkp.c: Likewise.
* dirmngr/ks-engine-ldap.c: Likewise.
* dirmngr/ldap-wrapper.c: Likewise.
* dirmngr/ldap.c: Likewise.
* dirmngr/misc.c: Likewise.
* dirmngr/ocsp.c: Likewise.
* dirmngr/validate.c: Likewise.
* g10/encrypt.c: Likewise.
* g10/getkey.c: Likewise.
* g10/gpg.c: Likewise.
* g10/gpgv.c: Likewise.
* g10/import.c: Likewise.
* g10/keydb.c: Likewise.
* g10/keydb.h: Likewise.
* g10/keygen.c: Likewise.
* g10/keyid.c: Likewise.
* g10/keylist.c: Likewise.
* g10/keyring.c: Likewise.
* g10/mainproc.c: Likewise.
* g10/misc.c: Likewise.
* g10/options.h: Likewise.
* g10/packet.h: Likewise.
* g10/parse-packet.c: Likewise.
* g10/pkclist.c: Likewise.
* g10/pkglue.c: Likewise.
* g10/plaintext.c: Likewise.
* g10/server.c: Likewise.
* g10/sig-check.c: Likewise.
* g10/sqlite.c: Likewise.
* g10/tdbio.c: Likewise.
* g10/test-stubs.c: Likewise.
* g10/tofu.c: Likewise.
* g10/trust.c: Likewise.
* g10/trustdb.c: Likewise.
* g13/create.c: Likewise.
* g13/mountinfo.c: Likewise.
* kbx/keybox-blob.c: Likewise.
* kbx/keybox-file.c: Likewise.
* kbx/keybox-init.c: Likewise.
* kbx/keybox-search-desc.h: Likewise.
* kbx/keybox-search.c: Likewise.
* kbx/keybox-update.c: Likewise.
* scd/apdu.c: Likewise.
* scd/app-openpgp.c: Likewise.
* scd/app-p15.c: Likewise.
* scd/app.c: Likewise.
* scd/ccid-driver.c: Likewise.
* scd/command.c: Likewise.
* scd/iso7816.c: Likewise.
* sm/base64.c: Likewise.
* sm/call-agent.c: Likewise.
* sm/call-dirmngr.c: Likewise.
* sm/certchain.c: Likewise.
* sm/gpgsm.c: Likewise.
* sm/import.c: Likewise.
* sm/keydb.c: Likewise.
* sm/minip12.c: Likewise.
* sm/qualified.c: Likewise.
* sm/server.c: Likewise.
* tools/gpg-check-pattern.c: Likewise.
* tools/gpgconf-comp.c: Likewise.
* tools/gpgkey2ssh.c: Likewise.
* tools/gpgparsemail.c: Likewise.
* tools/gpgtar.c: Likewise.
* tools/rfc822parse.c: Likewise.
* tools/symcryptrun.c: Likewise.

Signed-off-by: Justus Winter <justus@g10code.com>
2015-11-17 12:50:22 +01:00
Werner Koch
6c87d1ce66 sm: Simplify fix ed8383c6
* sm/minip12.c (p12_build): Release PWBUF only at the end.
--

Suggested-by: Eygene Ryabinkin <rea@codelabs.ru>
Signed-off-by: Werner Koch <wk@gnupg.org>
2015-01-26 17:56:52 +01:00
Daniel Kahn Gillmor
ed8383c618 sm: Avoid double-free on iconv failure
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
double-free of pwbuf.

--

Observed by Joshua Rogers <honey@internot.info>, who proposed a
slightly different fix.

Debian-Bug-Id: 773472

Added fix at a second place - wk.
2014-12-22 14:00:38 +01:00
Werner Koch
0beec2f0f2 gpgsm: New commands --export-secret-key-{p8,raw}
* sm/gpgsm.c: Add new commands.
* sm/minip12.c (build_key_sequence): Add arg mode.
(p12_raw_build): New.
* sm/export.c (export_p12): Add arg rawmode.  Call p12_raw_build.
(gpgsm_p12_export): Ditto.
(print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
Werner Koch
096e7457ec Change all quotes in strings and comments to the new GNU standard.
The asymmetric quotes used by GNU in the past (`...') don't render
nicely on modern systems.  We now use two \x27 characters ('...').

The proper solution would be to use the correct Unicode symmetric
quotes here.  However this has the disadvantage that the system
requires Unicode support.  We don't want that today.  If Unicode is
available a generated po file can be used to output proper quotes.  A
simple sed script like the one used for en@quote is sufficient to
change them.

The changes have been done by applying

  sed -i "s/\`\([^'\`]*\)'/'\1'/g"

to most files and fixing obvious problems by hand.  The msgid strings in
the po files were fixed with a similar command.
2012-06-05 19:29:22 +02:00
Werner Koch
35c731d889 Support pkcs#12 import of PBES2 encoded data.
This is so that we read compatible with gnutls's certtool.  Only
AES-128 is supported.  The latest Libgcrypt from git is required.

Fixes bug#1321.
2011-03-10 15:30:40 +01:00
Werner Koch
b008274afd Nuked almost all trailing white space.
We better do this once and for all instead of cluttering all future
commits with diffs of trailing white spaces.  In the majority of cases
blank or single lines are affected and thus this change won't disturb
a git blame too much.  For future commits the pre-commit scripts
checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Werner Koch
91056b1976 Implement export of pkcs#12 objects using a direct agent connection. 2010-06-21 10:01:24 +00:00
Werner Koch
006fd75aea Avoid using the protect-tool to import pkcs#12. 2010-06-17 15:44:44 +00:00