mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-18 14:17:03 +01:00
7777e68d04
* agent/command.c (cmd_import_key): Add option --unattended. * agent/cvt-openpgp.c (convert_transfer_key): New. (do_unprotect): Factor some code out to ... (prepare_unprotect): new function. (convert_from_openpgp): Factor all code out to ... (convert_from_openpgp_main): this. Add arg 'passphrase'. Implement openpgp-native protection modes. (convert_from_openpgp_native): New. * agent/t-protect.c (convert_from_openpgp_native): New dummy fucntion * agent/protect-tool.c (convert_from_openpgp_native): Ditto. * agent/protect.c (agent_unprotect): Add arg CTRL. Adjust all callers. Support openpgp-native protection. * g10/call-agent.c (agent_import_key): Add arg 'unattended'. * g10/import.c (transfer_secret_keys): Use unattended in batch mode. -- With the gpg-agent taking care of the secret keys, the user needs to migrate existing keys from secring.gpg to the agent. This and also the standard import of secret keys required the user to unprotect the secret keys first, so that gpg-agent was able to re-protected them using its own scheme. With many secret keys this is quite some usability hurdle. In particular if a passphrase is not instantly available. To make this migration smoother, this patch implements an unattended key import/migration which delays the conversion to the gpg-agent format until the key is actually used. For example: gpg2 --batch --import mysecretkey.gpg works without any user interaction due to the use of --batch. Now if a key is used (e.g. "gpg2 -su USERID_FROM_MYSECRETKEY foo"), gpg-agent has to ask for the passphrase anyway, converts the key from the openpgp format to the internal format, signs, re-encrypts the key and tries to store it in the gpg-agent format to the disk. The next time, the internal format of the key is used. This patch has only been tested with the old demo keys, more tests with other protection formats and no protection are needed. Signed-off-by: Werner Koch <wk@gnupg.org>
1300 lines
39 KiB
C
1300 lines
39 KiB
C
/* cvt-openpgp.c - Convert an OpenPGP key to our internal format.
|
||
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2006, 2009,
|
||
* 2010 Free Software Foundation, Inc.
|
||
* Copyright (C) 2013 Werner Koch
|
||
*
|
||
* This file is part of GnuPG.
|
||
*
|
||
* GnuPG is free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 3 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* GnuPG is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* You should have received a copy of the GNU General Public License
|
||
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||
*/
|
||
|
||
#include <config.h>
|
||
#include <stdio.h>
|
||
#include <stdlib.h>
|
||
#include <string.h>
|
||
#include <assert.h>
|
||
|
||
#include "agent.h"
|
||
#include "i18n.h"
|
||
#include "cvt-openpgp.h"
|
||
|
||
|
||
/* Helper to pass data via the callback to do_unprotect. */
|
||
struct try_do_unprotect_arg_s
|
||
{
|
||
int is_v4;
|
||
int is_protected;
|
||
int pubkey_algo;
|
||
int protect_algo;
|
||
char *iv;
|
||
int ivlen;
|
||
int s2k_mode;
|
||
int s2k_algo;
|
||
byte *s2k_salt;
|
||
u32 s2k_count;
|
||
u16 desired_csum;
|
||
gcry_mpi_t *skey;
|
||
size_t skeysize;
|
||
int skeyidx;
|
||
gcry_sexp_t *r_key;
|
||
};
|
||
|
||
|
||
|
||
/* Compute the keygrip from the public key and store it at GRIP. */
|
||
static gpg_error_t
|
||
get_keygrip (int pubkey_algo, gcry_mpi_t *pkey, unsigned char *grip)
|
||
{
|
||
gpg_error_t err;
|
||
gcry_sexp_t s_pkey = NULL;
|
||
|
||
switch (pubkey_algo)
|
||
{
|
||
case GCRY_PK_DSA:
|
||
err = gcry_sexp_build (&s_pkey, NULL,
|
||
"(public-key(dsa(p%m)(q%m)(g%m)(y%m)))",
|
||
pkey[0], pkey[1], pkey[2], pkey[3]);
|
||
break;
|
||
|
||
case GCRY_PK_ELG:
|
||
case GCRY_PK_ELG_E:
|
||
err = gcry_sexp_build (&s_pkey, NULL,
|
||
"(public-key(elg(p%m)(g%m)(y%m)))",
|
||
pkey[0], pkey[1], pkey[2]);
|
||
break;
|
||
|
||
case GCRY_PK_RSA:
|
||
case GCRY_PK_RSA_E:
|
||
case GCRY_PK_RSA_S:
|
||
err = gcry_sexp_build (&s_pkey, NULL,
|
||
"(public-key(rsa(n%m)(e%m)))", pkey[0], pkey[1]);
|
||
break;
|
||
|
||
case GCRY_PK_ECDSA:
|
||
case GCRY_PK_ECDH:
|
||
err = gcry_sexp_build (&s_pkey, NULL,
|
||
"(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)))",
|
||
pkey[0], pkey[1], pkey[2], pkey[3], pkey[4],
|
||
pkey[5]);
|
||
break;
|
||
|
||
default:
|
||
err = gpg_error (GPG_ERR_PUBKEY_ALGO);
|
||
break;
|
||
}
|
||
|
||
if (!err && !gcry_pk_get_keygrip (s_pkey, grip))
|
||
err = gpg_error (GPG_ERR_INTERNAL);
|
||
|
||
gcry_sexp_release (s_pkey);
|
||
return err;
|
||
}
|
||
|
||
|
||
/* Convert a secret key given as algorithm id and an array of key
|
||
parameters into our s-expression based format. Note that
|
||
PUBKEY_ALGO has an gcrypt algorithm number. */
|
||
static gpg_error_t
|
||
convert_secret_key (gcry_sexp_t *r_key, int pubkey_algo, gcry_mpi_t *skey)
|
||
{
|
||
gpg_error_t err;
|
||
gcry_sexp_t s_skey = NULL;
|
||
|
||
*r_key = NULL;
|
||
|
||
switch (pubkey_algo)
|
||
{
|
||
case GCRY_PK_DSA:
|
||
err = gcry_sexp_build (&s_skey, NULL,
|
||
"(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))",
|
||
skey[0], skey[1], skey[2], skey[3], skey[4]);
|
||
break;
|
||
|
||
case GCRY_PK_ELG:
|
||
case GCRY_PK_ELG_E:
|
||
err = gcry_sexp_build (&s_skey, NULL,
|
||
"(private-key(elg(p%m)(g%m)(y%m)(x%m)))",
|
||
skey[0], skey[1], skey[2], skey[3]);
|
||
break;
|
||
|
||
|
||
case GCRY_PK_RSA:
|
||
case GCRY_PK_RSA_E:
|
||
case GCRY_PK_RSA_S:
|
||
err = gcry_sexp_build (&s_skey, NULL,
|
||
"(private-key(rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))",
|
||
skey[0], skey[1], skey[2], skey[3], skey[4],
|
||
skey[5]);
|
||
break;
|
||
|
||
case GCRY_PK_ECDSA:
|
||
case GCRY_PK_ECDH:
|
||
/* Although our code would work with "ecc" we explicitly use
|
||
"ecdh" or "ecdsa" to implicitly set the key capabilities. */
|
||
err = gcry_sexp_build (&s_skey, NULL,
|
||
"(private-key(%s(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)"
|
||
"(d%m)))",
|
||
pubkey_algo == GCRY_PK_ECDSA?"ecdsa":"ecdh",
|
||
skey[0], skey[1], skey[2], skey[3], skey[4],
|
||
skey[5], skey[6]);
|
||
break;
|
||
|
||
default:
|
||
err = gpg_error (GPG_ERR_PUBKEY_ALGO);
|
||
break;
|
||
}
|
||
|
||
if (!err)
|
||
*r_key = s_skey;
|
||
return err;
|
||
}
|
||
|
||
|
||
/* Convert a secret key given as algorithm id, an array of key
|
||
parameters, and an S-expression of the original OpenPGP transfer
|
||
key into our s-expression based format. This is a variant of
|
||
convert_secret_key which is used for the openpgp-native protection
|
||
mode. Note that PUBKEY_ALGO has an gcrypt algorithm number. */
|
||
static gpg_error_t
|
||
convert_transfer_key (gcry_sexp_t *r_key, int pubkey_algo, gcry_mpi_t *skey,
|
||
gcry_sexp_t transfer_key)
|
||
{
|
||
gpg_error_t err;
|
||
gcry_sexp_t s_skey = NULL;
|
||
|
||
*r_key = NULL;
|
||
|
||
switch (pubkey_algo)
|
||
{
|
||
case GCRY_PK_DSA:
|
||
err = gcry_sexp_build
|
||
(&s_skey, NULL,
|
||
"(protected-private-key(dsa(p%m)(q%m)(g%m)(y%m)"
|
||
"(protected openpgp-native%S)))",
|
||
skey[0], skey[1], skey[2], skey[3], transfer_key);
|
||
break;
|
||
|
||
case GCRY_PK_ELG:
|
||
case GCRY_PK_ELG_E:
|
||
err = gcry_sexp_build
|
||
(&s_skey, NULL,
|
||
"(protected-private-key(elg(p%m)(g%m)(y%m)"
|
||
"(protected openpgp-native%S)))",
|
||
skey[0], skey[1], skey[2], transfer_key);
|
||
break;
|
||
|
||
|
||
case GCRY_PK_RSA:
|
||
case GCRY_PK_RSA_E:
|
||
case GCRY_PK_RSA_S:
|
||
err = gcry_sexp_build
|
||
(&s_skey, NULL,
|
||
"(protected-private-key(rsa(n%m)(e%m)",
|
||
"(protected openpgp-native%S)))",
|
||
skey[0], skey[1], transfer_key );
|
||
break;
|
||
|
||
case GCRY_PK_ECDSA:
|
||
case GCRY_PK_ECDH:
|
||
/* Although our code would work with "ecc" we explicitly use
|
||
"ecdh" or "ecdsa" to implicitly set the key capabilities. */
|
||
err = gcry_sexp_build
|
||
(&s_skey, NULL,
|
||
"(protected-private-key(%s(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)"
|
||
"(protected openpgp-native%S)))",
|
||
pubkey_algo == GCRY_PK_ECDSA?"ecdsa":"ecdh",
|
||
skey[0], skey[1], skey[2], skey[3], skey[4], skey[5], transfer_key);
|
||
break;
|
||
|
||
default:
|
||
err = gpg_error (GPG_ERR_PUBKEY_ALGO);
|
||
break;
|
||
}
|
||
|
||
if (!err)
|
||
*r_key = s_skey;
|
||
return err;
|
||
}
|
||
|
||
|
||
/* Hash the passphrase and set the key. */
|
||
static gpg_error_t
|
||
hash_passphrase_and_set_key (const char *passphrase,
|
||
gcry_cipher_hd_t hd, int protect_algo,
|
||
int s2k_mode, int s2k_algo,
|
||
byte *s2k_salt, u32 s2k_count)
|
||
{
|
||
gpg_error_t err;
|
||
unsigned char *key;
|
||
size_t keylen;
|
||
|
||
keylen = gcry_cipher_get_algo_keylen (protect_algo);
|
||
if (!keylen)
|
||
return gpg_error (GPG_ERR_INTERNAL);
|
||
|
||
key = xtrymalloc_secure (keylen);
|
||
if (!key)
|
||
return gpg_error_from_syserror ();
|
||
|
||
err = s2k_hash_passphrase (passphrase,
|
||
s2k_algo, s2k_mode, s2k_salt, s2k_count,
|
||
key, keylen);
|
||
if (!err)
|
||
err = gcry_cipher_setkey (hd, key, keylen);
|
||
|
||
xfree (key);
|
||
return err;
|
||
}
|
||
|
||
|
||
static u16
|
||
checksum (const unsigned char *p, unsigned int n)
|
||
{
|
||
u16 a;
|
||
|
||
for (a=0; n; n-- )
|
||
a += *p++;
|
||
return a;
|
||
}
|
||
|
||
|
||
/* Helper for do_unprotect. PUBKEY_ALOGO is the gcrypt algo number.
|
||
On success R_NPKEY and R_NSKEY receive the number or parameters for
|
||
the algorithm PUBKEY_ALGO and R_SKEYLEN the used length of
|
||
SKEY. */
|
||
static int
|
||
prepare_unprotect (int pubkey_algo, gcry_mpi_t *skey, size_t skeysize,
|
||
int s2k_mode,
|
||
unsigned int *r_npkey, unsigned int *r_nskey,
|
||
unsigned int *r_skeylen)
|
||
{
|
||
gpg_error_t err;
|
||
size_t npkey, nskey, skeylen;
|
||
int i;
|
||
|
||
/* Count the actual number of MPIs is in the array and set the
|
||
remainder to NULL for easier processing later on. */
|
||
for (skeylen = 0; skey[skeylen]; skeylen++)
|
||
;
|
||
for (i=skeylen; i < skeysize; i++)
|
||
skey[i] = NULL;
|
||
|
||
/* Check some args. */
|
||
if (s2k_mode == 1001)
|
||
{
|
||
/* Stub key. */
|
||
log_info (_("secret key parts are not available\n"));
|
||
return gpg_error (GPG_ERR_UNUSABLE_SECKEY);
|
||
}
|
||
|
||
if (gcry_pk_test_algo (pubkey_algo))
|
||
{
|
||
log_info (_("public key algorithm %d (%s) is not supported\n"),
|
||
pubkey_algo, gcry_pk_algo_name (pubkey_algo));
|
||
return gpg_error (GPG_ERR_PUBKEY_ALGO);
|
||
}
|
||
|
||
/* Get properties of the public key algorithm and do some
|
||
consistency checks. Note that we need at least NPKEY+1 elements
|
||
in the SKEY array. */
|
||
if ( (err = gcry_pk_algo_info (pubkey_algo, GCRYCTL_GET_ALGO_NPKEY,
|
||
NULL, &npkey))
|
||
|| (err = gcry_pk_algo_info (pubkey_algo, GCRYCTL_GET_ALGO_NSKEY,
|
||
NULL, &nskey)))
|
||
return err;
|
||
if (!npkey || npkey >= nskey)
|
||
return gpg_error (GPG_ERR_INTERNAL);
|
||
if (skeylen <= npkey)
|
||
return gpg_error (GPG_ERR_MISSING_VALUE);
|
||
if (nskey+1 >= skeysize)
|
||
return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
|
||
|
||
/* Check that the public key parameters are all available and not
|
||
encrypted. */
|
||
for (i=0; i < npkey; i++)
|
||
{
|
||
if (!skey[i] || gcry_mpi_get_flag (skey[i], GCRYMPI_FLAG_OPAQUE))
|
||
return gpg_error (GPG_ERR_BAD_SECKEY);
|
||
}
|
||
|
||
if (r_npkey)
|
||
*r_npkey = npkey;
|
||
if (r_nskey)
|
||
*r_nskey = nskey;
|
||
if (r_skeylen)
|
||
*r_skeylen = skeylen;
|
||
return 0;
|
||
}
|
||
|
||
|
||
/* Note that this function modifies SKEY. SKEYSIZE is the allocated
|
||
size of the array including the NULL item; this is used for a
|
||
bounds check. On success a converted key is stored at R_KEY. */
|
||
static int
|
||
do_unprotect (const char *passphrase,
|
||
int pkt_version, int pubkey_algo, int is_protected,
|
||
gcry_mpi_t *skey, size_t skeysize,
|
||
int protect_algo, void *protect_iv, size_t protect_ivlen,
|
||
int s2k_mode, int s2k_algo, byte *s2k_salt, u32 s2k_count,
|
||
u16 desired_csum, gcry_sexp_t *r_key)
|
||
{
|
||
gpg_error_t err;
|
||
unsigned int npkey, nskey, skeylen;
|
||
gcry_cipher_hd_t cipher_hd = NULL;
|
||
u16 actual_csum;
|
||
size_t nbytes;
|
||
int i;
|
||
gcry_mpi_t tmpmpi;
|
||
|
||
*r_key = NULL;
|
||
|
||
/* Unfortunately, the OpenPGP PK algorithm numbers need to be
|
||
re-mapped for Libgcrypt. */
|
||
pubkey_algo = map_pk_openpgp_to_gcry (pubkey_algo);
|
||
|
||
err = prepare_unprotect (pubkey_algo, skey, skeysize, s2k_mode,
|
||
&npkey, &nskey, &skeylen);
|
||
if (err)
|
||
return err;
|
||
|
||
/* Check whether SKEY is at all protected. If it is not protected
|
||
merely verify the checksum. */
|
||
if (!is_protected)
|
||
{
|
||
unsigned char *buffer;
|
||
|
||
actual_csum = 0;
|
||
for (i=npkey; i < nskey; i++)
|
||
{
|
||
if (!skey[i] || gcry_mpi_get_flag (skey[i], GCRYMPI_FLAG_OPAQUE))
|
||
return gpg_error (GPG_ERR_BAD_SECKEY);
|
||
|
||
err = gcry_mpi_print (GCRYMPI_FMT_PGP, NULL, 0, &nbytes, skey[i]);
|
||
if (!err)
|
||
{
|
||
buffer = (gcry_is_secure (skey[i])?
|
||
xtrymalloc_secure (nbytes) : xtrymalloc (nbytes));
|
||
if (!buffer)
|
||
return gpg_error_from_syserror ();
|
||
err = gcry_mpi_print (GCRYMPI_FMT_PGP, buffer, nbytes,
|
||
NULL, skey[i]);
|
||
if (!err)
|
||
actual_csum += checksum (buffer, nbytes);
|
||
xfree (buffer);
|
||
}
|
||
if (err)
|
||
return err;
|
||
}
|
||
|
||
if (actual_csum != desired_csum)
|
||
return gpg_error (GPG_ERR_CHECKSUM);
|
||
return 0;
|
||
}
|
||
|
||
|
||
if (gcry_cipher_test_algo (protect_algo))
|
||
{
|
||
/* The algorithm numbers are Libgcrypt numbers but fortunately
|
||
the OpenPGP algorithm numbers map one-to-one to the Libgcrypt
|
||
numbers. */
|
||
log_info (_("protection algorithm %d (%s) is not supported\n"),
|
||
protect_algo, gnupg_cipher_algo_name (protect_algo));
|
||
return gpg_error (GPG_ERR_CIPHER_ALGO);
|
||
}
|
||
|
||
if (gcry_md_test_algo (s2k_algo))
|
||
{
|
||
log_info (_("protection hash algorithm %d (%s) is not supported\n"),
|
||
s2k_algo, gcry_md_algo_name (s2k_algo));
|
||
return gpg_error (GPG_ERR_DIGEST_ALGO);
|
||
}
|
||
|
||
err = gcry_cipher_open (&cipher_hd, protect_algo,
|
||
GCRY_CIPHER_MODE_CFB,
|
||
(GCRY_CIPHER_SECURE
|
||
| (protect_algo >= 100 ?
|
||
0 : GCRY_CIPHER_ENABLE_SYNC)));
|
||
if (err)
|
||
{
|
||
log_error ("failed to open cipher_algo %d: %s\n",
|
||
protect_algo, gpg_strerror (err));
|
||
return err;
|
||
}
|
||
|
||
err = hash_passphrase_and_set_key (passphrase, cipher_hd, protect_algo,
|
||
s2k_mode, s2k_algo, s2k_salt, s2k_count);
|
||
if (err)
|
||
{
|
||
gcry_cipher_close (cipher_hd);
|
||
return err;
|
||
}
|
||
|
||
gcry_cipher_setiv (cipher_hd, protect_iv, protect_ivlen);
|
||
|
||
actual_csum = 0;
|
||
if (pkt_version >= 4)
|
||
{
|
||
int ndata;
|
||
unsigned int ndatabits;
|
||
unsigned char *p, *data;
|
||
u16 csum_pgp7 = 0;
|
||
|
||
if (!gcry_mpi_get_flag (skey[npkey], GCRYMPI_FLAG_OPAQUE ))
|
||
{
|
||
gcry_cipher_close (cipher_hd);
|
||
return gpg_error (GPG_ERR_BAD_SECKEY);
|
||
}
|
||
p = gcry_mpi_get_opaque (skey[npkey], &ndatabits);
|
||
ndata = (ndatabits+7)/8;
|
||
|
||
if (ndata > 1)
|
||
csum_pgp7 = p[ndata-2] << 8 | p[ndata-1];
|
||
data = xtrymalloc_secure (ndata);
|
||
if (!data)
|
||
{
|
||
err = gpg_error_from_syserror ();
|
||
gcry_cipher_close (cipher_hd);
|
||
return err;
|
||
}
|
||
gcry_cipher_decrypt (cipher_hd, data, ndata, p, ndata);
|
||
|
||
p = data;
|
||
if (is_protected == 2)
|
||
{
|
||
/* This is the new SHA1 checksum method to detect tampering
|
||
with the key as used by the Klima/Rosa attack. */
|
||
desired_csum = 0;
|
||
actual_csum = 1; /* Default to bad checksum. */
|
||
|
||
if (ndata < 20)
|
||
log_error ("not enough bytes for SHA-1 checksum\n");
|
||
else
|
||
{
|
||
gcry_md_hd_t h;
|
||
|
||
if (gcry_md_open (&h, GCRY_MD_SHA1, 1))
|
||
BUG(); /* Algo not available. */
|
||
gcry_md_write (h, data, ndata - 20);
|
||
gcry_md_final (h);
|
||
if (!memcmp (gcry_md_read (h, GCRY_MD_SHA1), data+ndata-20, 20))
|
||
actual_csum = 0; /* Digest does match. */
|
||
gcry_md_close (h);
|
||
}
|
||
}
|
||
else
|
||
{
|
||
/* Old 16 bit checksum method. */
|
||
if (ndata < 2)
|
||
{
|
||
log_error ("not enough bytes for checksum\n");
|
||
desired_csum = 0;
|
||
actual_csum = 1; /* Mark checksum bad. */
|
||
}
|
||
else
|
||
{
|
||
desired_csum = (data[ndata-2] << 8 | data[ndata-1]);
|
||
actual_csum = checksum (data, ndata-2);
|
||
if (desired_csum != actual_csum)
|
||
{
|
||
/* This is a PGP 7.0.0 workaround */
|
||
desired_csum = csum_pgp7; /* Take the encrypted one. */
|
||
}
|
||
}
|
||
}
|
||
|
||
/* Better check it here. Otherwise the gcry_mpi_scan would fail
|
||
because the length may have an arbitrary value. */
|
||
if (desired_csum == actual_csum)
|
||
{
|
||
for (i=npkey; i < nskey; i++ )
|
||
{
|
||
if (gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_PGP, p, ndata, &nbytes))
|
||
{
|
||
/* Checksum was okay, but not correctly decrypted. */
|
||
desired_csum = 0;
|
||
actual_csum = 1; /* Mark checksum bad. */
|
||
break;
|
||
}
|
||
gcry_mpi_release (skey[i]);
|
||
skey[i] = tmpmpi;
|
||
ndata -= nbytes;
|
||
p += nbytes;
|
||
}
|
||
skey[i] = NULL;
|
||
skeylen = i;
|
||
assert (skeylen <= skeysize);
|
||
|
||
/* Note: at this point NDATA should be 2 for a simple
|
||
checksum or 20 for the sha1 digest. */
|
||
}
|
||
xfree(data);
|
||
}
|
||
else /* Packet version <= 3. */
|
||
{
|
||
unsigned char *buffer;
|
||
|
||
for (i = npkey; i < nskey; i++)
|
||
{
|
||
unsigned char *p;
|
||
size_t ndata;
|
||
unsigned int ndatabits;
|
||
|
||
if (!skey[i] || !gcry_mpi_get_flag (skey[i], GCRYMPI_FLAG_OPAQUE))
|
||
{
|
||
gcry_cipher_close (cipher_hd);
|
||
return gpg_error (GPG_ERR_BAD_SECKEY);
|
||
}
|
||
p = gcry_mpi_get_opaque (skey[i], &ndatabits);
|
||
ndata = (ndatabits+7)/8;
|
||
|
||
if (!(ndata >= 2) || !(ndata == ((p[0] << 8 | p[1]) + 7)/8 + 2))
|
||
{
|
||
gcry_cipher_close (cipher_hd);
|
||
return gpg_error (GPG_ERR_BAD_SECKEY);
|
||
}
|
||
|
||
buffer = xtrymalloc_secure (ndata);
|
||
if (!buffer)
|
||
{
|
||
err = gpg_error_from_syserror ();
|
||
gcry_cipher_close (cipher_hd);
|
||
return err;
|
||
}
|
||
|
||
gcry_cipher_sync (cipher_hd);
|
||
buffer[0] = p[0];
|
||
buffer[1] = p[1];
|
||
gcry_cipher_decrypt (cipher_hd, buffer+2, ndata-2, p+2, ndata-2);
|
||
actual_csum += checksum (buffer, ndata);
|
||
err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_PGP, buffer, ndata, &ndata);
|
||
xfree (buffer);
|
||
if (err)
|
||
{
|
||
/* Checksum was okay, but not correctly decrypted. */
|
||
desired_csum = 0;
|
||
actual_csum = 1; /* Mark checksum bad. */
|
||
break;
|
||
}
|
||
gcry_mpi_release (skey[i]);
|
||
skey[i] = tmpmpi;
|
||
}
|
||
}
|
||
gcry_cipher_close (cipher_hd);
|
||
|
||
/* Now let's see whether we have used the correct passphrase. */
|
||
if (actual_csum != desired_csum)
|
||
return gpg_error (GPG_ERR_BAD_PASSPHRASE);
|
||
|
||
if (nskey != skeylen)
|
||
err = gpg_error (GPG_ERR_BAD_SECKEY);
|
||
else
|
||
err = convert_secret_key (r_key, pubkey_algo, skey);
|
||
if (err)
|
||
return err;
|
||
|
||
/* The checksum may fail, thus we also check the key itself. */
|
||
err = gcry_pk_testkey (*r_key);
|
||
if (err)
|
||
{
|
||
gcry_sexp_release (*r_key);
|
||
*r_key = NULL;
|
||
return gpg_error (GPG_ERR_BAD_PASSPHRASE);
|
||
}
|
||
|
||
return 0;
|
||
}
|
||
|
||
|
||
/* Callback function to try the unprotection from the passphrase query
|
||
code. */
|
||
static int
|
||
try_do_unprotect_cb (struct pin_entry_info_s *pi)
|
||
{
|
||
gpg_error_t err;
|
||
struct try_do_unprotect_arg_s *arg = pi->check_cb_arg;
|
||
|
||
err = do_unprotect (pi->pin,
|
||
arg->is_v4? 4:3,
|
||
arg->pubkey_algo, arg->is_protected,
|
||
arg->skey, arg->skeysize,
|
||
arg->protect_algo, arg->iv, arg->ivlen,
|
||
arg->s2k_mode, arg->s2k_algo,
|
||
arg->s2k_salt, arg->s2k_count,
|
||
arg->desired_csum, arg->r_key);
|
||
/* SKEY may be modified now, thus we need to re-compute SKEYIDX. */
|
||
for (arg->skeyidx = 0; (arg->skeyidx < arg->skeysize
|
||
&& arg->skey[arg->skeyidx]); arg->skeyidx++)
|
||
;
|
||
return err;
|
||
}
|
||
|
||
|
||
/* See convert_from_openpgp for the core of the description. This
|
||
function adds an optional PASSPHRASE argument and uses this to
|
||
silently decrypt the key; CACHE_NONCE and R_PASSPHRASE must both be
|
||
NULL in this mode. */
|
||
static gpg_error_t
|
||
convert_from_openpgp_main (ctrl_t ctrl, gcry_sexp_t s_pgp,
|
||
unsigned char *grip, const char *prompt,
|
||
const char *cache_nonce, const char *passphrase,
|
||
unsigned char **r_key, char **r_passphrase)
|
||
{
|
||
gpg_error_t err;
|
||
int unattended;
|
||
int from_native;
|
||
gcry_sexp_t top_list;
|
||
gcry_sexp_t list = NULL;
|
||
const char *value;
|
||
size_t valuelen;
|
||
char *string;
|
||
int idx;
|
||
int is_v4, is_protected;
|
||
int pubkey_algo;
|
||
int protect_algo = 0;
|
||
char iv[16];
|
||
int ivlen = 0;
|
||
int s2k_mode = 0;
|
||
int s2k_algo = 0;
|
||
byte s2k_salt[8];
|
||
u32 s2k_count = 0;
|
||
size_t npkey, nskey;
|
||
gcry_mpi_t skey[10]; /* We support up to 9 parameters. */
|
||
u16 desired_csum;
|
||
int skeyidx = 0;
|
||
gcry_sexp_t s_skey = NULL;
|
||
|
||
*r_key = NULL;
|
||
if (r_passphrase)
|
||
*r_passphrase = NULL;
|
||
unattended = !r_passphrase;
|
||
from_native = (!cache_nonce && passphrase && !r_passphrase);
|
||
|
||
top_list = gcry_sexp_find_token (s_pgp, "openpgp-private-key", 0);
|
||
if (!top_list)
|
||
goto bad_seckey;
|
||
|
||
list = gcry_sexp_find_token (top_list, "version", 0);
|
||
if (!list)
|
||
goto bad_seckey;
|
||
value = gcry_sexp_nth_data (list, 1, &valuelen);
|
||
if (!value || valuelen != 1 || !(value[0] == '3' || value[0] == '4'))
|
||
goto bad_seckey;
|
||
is_v4 = (value[0] == '4');
|
||
|
||
gcry_sexp_release (list);
|
||
list = gcry_sexp_find_token (top_list, "protection", 0);
|
||
if (!list)
|
||
goto bad_seckey;
|
||
value = gcry_sexp_nth_data (list, 1, &valuelen);
|
||
if (!value)
|
||
goto bad_seckey;
|
||
if (valuelen == 4 && !memcmp (value, "sha1", 4))
|
||
is_protected = 2;
|
||
else if (valuelen == 3 && !memcmp (value, "sum", 3))
|
||
is_protected = 1;
|
||
else if (valuelen == 4 && !memcmp (value, "none", 4))
|
||
is_protected = 0;
|
||
else
|
||
goto bad_seckey;
|
||
|
||
if (is_protected)
|
||
{
|
||
string = gcry_sexp_nth_string (list, 2);
|
||
if (!string)
|
||
goto bad_seckey;
|
||
protect_algo = gcry_cipher_map_name (string);
|
||
if (!protect_algo && !!strcmp (string, "IDEA"))
|
||
protect_algo = GCRY_CIPHER_IDEA;
|
||
xfree (string);
|
||
|
||
value = gcry_sexp_nth_data (list, 3, &valuelen);
|
||
if (!value || !valuelen || valuelen > sizeof iv)
|
||
goto bad_seckey;
|
||
memcpy (iv, value, valuelen);
|
||
ivlen = valuelen;
|
||
|
||
string = gcry_sexp_nth_string (list, 4);
|
||
if (!string)
|
||
goto bad_seckey;
|
||
s2k_mode = strtol (string, NULL, 10);
|
||
xfree (string);
|
||
|
||
string = gcry_sexp_nth_string (list, 5);
|
||
if (!string)
|
||
goto bad_seckey;
|
||
s2k_algo = gcry_md_map_name (string);
|
||
xfree (string);
|
||
|
||
value = gcry_sexp_nth_data (list, 6, &valuelen);
|
||
if (!value || !valuelen || valuelen > sizeof s2k_salt)
|
||
goto bad_seckey;
|
||
memcpy (s2k_salt, value, valuelen);
|
||
|
||
string = gcry_sexp_nth_string (list, 7);
|
||
if (!string)
|
||
goto bad_seckey;
|
||
s2k_count = strtoul (string, NULL, 10);
|
||
xfree (string);
|
||
}
|
||
|
||
gcry_sexp_release (list);
|
||
list = gcry_sexp_find_token (top_list, "algo", 0);
|
||
if (!list)
|
||
goto bad_seckey;
|
||
string = gcry_sexp_nth_string (list, 1);
|
||
if (!string)
|
||
goto bad_seckey;
|
||
pubkey_algo = gcry_pk_map_name (string);
|
||
xfree (string);
|
||
|
||
if (gcry_pk_algo_info (pubkey_algo, GCRYCTL_GET_ALGO_NPKEY, NULL, &npkey)
|
||
|| gcry_pk_algo_info (pubkey_algo, GCRYCTL_GET_ALGO_NSKEY, NULL, &nskey)
|
||
|| !npkey || npkey >= nskey)
|
||
goto bad_seckey;
|
||
|
||
gcry_sexp_release (list);
|
||
list = gcry_sexp_find_token (top_list, "skey", 0);
|
||
if (!list)
|
||
goto bad_seckey;
|
||
for (idx=0;;)
|
||
{
|
||
int is_enc;
|
||
|
||
value = gcry_sexp_nth_data (list, ++idx, &valuelen);
|
||
if (!value && skeyidx >= npkey)
|
||
break; /* Ready. */
|
||
|
||
/* Check for too many parameters. Note that depending on the
|
||
protection mode and version number we may see less than NSKEY
|
||
(but at least NPKEY+1) parameters. */
|
||
if (idx >= 2*nskey)
|
||
goto bad_seckey;
|
||
if (skeyidx >= DIM (skey)-1)
|
||
goto bad_seckey;
|
||
|
||
if (!value || valuelen != 1 || !(value[0] == '_' || value[0] == 'e'))
|
||
goto bad_seckey;
|
||
is_enc = (value[0] == 'e');
|
||
value = gcry_sexp_nth_data (list, ++idx, &valuelen);
|
||
if (!value || !valuelen)
|
||
goto bad_seckey;
|
||
if (is_enc)
|
||
{
|
||
void *p = xtrymalloc (valuelen);
|
||
if (!p)
|
||
goto outofmem;
|
||
memcpy (p, value, valuelen);
|
||
skey[skeyidx] = gcry_mpi_set_opaque (NULL, p, valuelen*8);
|
||
if (!skey[skeyidx])
|
||
goto outofmem;
|
||
}
|
||
else
|
||
{
|
||
if (gcry_mpi_scan (skey + skeyidx, GCRYMPI_FMT_STD,
|
||
value, valuelen, NULL))
|
||
goto bad_seckey;
|
||
}
|
||
skeyidx++;
|
||
}
|
||
skey[skeyidx++] = NULL;
|
||
|
||
gcry_sexp_release (list);
|
||
list = gcry_sexp_find_token (top_list, "csum", 0);
|
||
if (list)
|
||
{
|
||
string = gcry_sexp_nth_string (list, 1);
|
||
if (!string)
|
||
goto bad_seckey;
|
||
desired_csum = strtoul (string, NULL, 10);
|
||
xfree (string);
|
||
}
|
||
else
|
||
desired_csum = 0;
|
||
|
||
|
||
gcry_sexp_release (list); list = NULL;
|
||
gcry_sexp_release (top_list); top_list = NULL;
|
||
|
||
/* log_debug ("XXX is_v4=%d\n", is_v4); */
|
||
/* log_debug ("XXX pubkey_algo=%d\n", pubkey_algo); */
|
||
/* log_debug ("XXX is_protected=%d\n", is_protected); */
|
||
/* log_debug ("XXX protect_algo=%d\n", protect_algo); */
|
||
/* log_printhex ("XXX iv", iv, ivlen); */
|
||
/* log_debug ("XXX ivlen=%d\n", ivlen); */
|
||
/* log_debug ("XXX s2k_mode=%d\n", s2k_mode); */
|
||
/* log_debug ("XXX s2k_algo=%d\n", s2k_algo); */
|
||
/* log_printhex ("XXX s2k_salt", s2k_salt, sizeof s2k_salt); */
|
||
/* log_debug ("XXX s2k_count=%lu\n", (unsigned long)s2k_count); */
|
||
/* for (idx=0; skey[idx]; idx++) */
|
||
/* { */
|
||
/* int is_enc = gcry_mpi_get_flag (skey[idx], GCRYMPI_FLAG_OPAQUE); */
|
||
/* log_info ("XXX skey[%d]%s:", idx, is_enc? " (enc)":""); */
|
||
/* if (is_enc) */
|
||
/* { */
|
||
/* void *p; */
|
||
/* unsigned int nbits; */
|
||
/* p = gcry_mpi_get_opaque (skey[idx], &nbits); */
|
||
/* log_printhex (NULL, p, (nbits+7)/8); */
|
||
/* } */
|
||
/* else */
|
||
/* gcry_mpi_dump (skey[idx]); */
|
||
/* log_printf ("\n"); */
|
||
/* } */
|
||
|
||
err = get_keygrip (pubkey_algo, skey, grip);
|
||
if (err)
|
||
goto leave;
|
||
|
||
if (!from_native && !agent_key_available (grip))
|
||
{
|
||
err = gpg_error (GPG_ERR_EEXIST);
|
||
goto leave;
|
||
}
|
||
|
||
if (unattended && !from_native)
|
||
{
|
||
int pubkey_g_algo = map_pk_openpgp_to_gcry (pubkey_algo);
|
||
|
||
err = prepare_unprotect (pubkey_g_algo, skey, DIM(skey), s2k_mode,
|
||
NULL, NULL, NULL);
|
||
if (err)
|
||
goto leave;
|
||
|
||
err = convert_transfer_key (&s_skey, pubkey_g_algo, skey, s_pgp);
|
||
if (err)
|
||
goto leave;
|
||
}
|
||
else
|
||
{
|
||
struct pin_entry_info_s *pi;
|
||
struct try_do_unprotect_arg_s pi_arg;
|
||
|
||
pi = xtrycalloc_secure (1, sizeof (*pi) + 100);
|
||
if (!pi)
|
||
return gpg_error_from_syserror ();
|
||
pi->max_length = 100;
|
||
pi->min_digits = 0; /* We want a real passphrase. */
|
||
pi->max_digits = 16;
|
||
pi->max_tries = 3;
|
||
pi->check_cb = try_do_unprotect_cb;
|
||
pi->check_cb_arg = &pi_arg;
|
||
pi_arg.is_v4 = is_v4;
|
||
pi_arg.is_protected = is_protected;
|
||
pi_arg.pubkey_algo = pubkey_algo;
|
||
pi_arg.protect_algo = protect_algo;
|
||
pi_arg.iv = iv;
|
||
pi_arg.ivlen = ivlen;
|
||
pi_arg.s2k_mode = s2k_mode;
|
||
pi_arg.s2k_algo = s2k_algo;
|
||
pi_arg.s2k_salt = s2k_salt;
|
||
pi_arg.s2k_count = s2k_count;
|
||
pi_arg.desired_csum = desired_csum;
|
||
pi_arg.skey = skey;
|
||
pi_arg.skeysize = DIM (skey);
|
||
pi_arg.skeyidx = skeyidx;
|
||
pi_arg.r_key = &s_skey;
|
||
|
||
err = gpg_error (GPG_ERR_BAD_PASSPHRASE);
|
||
if (cache_nonce)
|
||
{
|
||
char *cache_value;
|
||
|
||
cache_value = agent_get_cache (cache_nonce, CACHE_MODE_NONCE);
|
||
if (cache_value)
|
||
{
|
||
if (strlen (cache_value) < pi->max_length)
|
||
strcpy (pi->pin, cache_value);
|
||
xfree (cache_value);
|
||
}
|
||
if (*pi->pin)
|
||
err = try_do_unprotect_cb (pi);
|
||
}
|
||
else if (from_native)
|
||
{
|
||
if (strlen (passphrase) < pi->max_length)
|
||
strcpy (pi->pin, passphrase);
|
||
err = try_do_unprotect_cb (pi);
|
||
}
|
||
if (gpg_err_code (err) == GPG_ERR_BAD_PASSPHRASE && !from_native)
|
||
err = agent_askpin (ctrl, prompt, NULL, NULL, pi);
|
||
skeyidx = pi_arg.skeyidx;
|
||
if (!err && r_passphrase)
|
||
{
|
||
*r_passphrase = xtrystrdup (pi->pin);
|
||
if (!*r_passphrase)
|
||
err = gpg_error_from_syserror ();
|
||
}
|
||
xfree (pi);
|
||
if (err)
|
||
goto leave;
|
||
}
|
||
|
||
/* Save some memory and get rid of the SKEY array now. */
|
||
for (idx=0; idx < skeyidx; idx++)
|
||
gcry_mpi_release (skey[idx]);
|
||
skeyidx = 0;
|
||
|
||
/* Note that the padding is not required - we use it only because
|
||
that function allows us to create the result in secure memory. */
|
||
err = make_canon_sexp_pad (s_skey, 1, r_key, NULL);
|
||
|
||
leave:
|
||
gcry_sexp_release (s_skey);
|
||
gcry_sexp_release (list);
|
||
gcry_sexp_release (top_list);
|
||
for (idx=0; idx < skeyidx; idx++)
|
||
gcry_mpi_release (skey[idx]);
|
||
if (err && r_passphrase)
|
||
{
|
||
xfree (*r_passphrase);
|
||
*r_passphrase = NULL;
|
||
}
|
||
return err;
|
||
|
||
bad_seckey:
|
||
err = gpg_error (GPG_ERR_BAD_SECKEY);
|
||
goto leave;
|
||
|
||
outofmem:
|
||
err = gpg_error (GPG_ERR_ENOMEM);
|
||
goto leave;
|
||
|
||
}
|
||
|
||
|
||
/* Convert an OpenPGP transfer key into our internal format. Before
|
||
asking for a passphrase we check whether the key already exists in
|
||
our key storage. S_PGP is the OpenPGP key in transfer format. If
|
||
CACHE_NONCE is given the passphrase will be looked up in the cache.
|
||
On success R_KEY will receive a canonical encoded S-expression with
|
||
the unprotected key in our internal format; the caller needs to
|
||
release that memory. The passphrase used to decrypt the OpenPGP
|
||
key will be returned at R_PASSPHRASE; the caller must release this
|
||
passphrase. If R_PASSPHRASE is NULL the unattended conversion mode
|
||
will be used which uses the openpgp-native protection format for
|
||
the key. The keygrip will be stored at the 20 byte buffer pointed
|
||
to by GRIP. On error NULL is stored at all return arguments. */
|
||
gpg_error_t
|
||
convert_from_openpgp (ctrl_t ctrl, gcry_sexp_t s_pgp,
|
||
unsigned char *grip, const char *prompt,
|
||
const char *cache_nonce,
|
||
unsigned char **r_key, char **r_passphrase)
|
||
{
|
||
return convert_from_openpgp_main (ctrl, s_pgp, grip, prompt,
|
||
cache_nonce, NULL,
|
||
r_key, r_passphrase);
|
||
}
|
||
|
||
/* This function is called by agent_unprotect to re-protect an
|
||
openpgp-native protected private-key into the standard private-key
|
||
protection format. */
|
||
gpg_error_t
|
||
convert_from_openpgp_native (ctrl_t ctrl,
|
||
gcry_sexp_t s_pgp, const char *passphrase,
|
||
unsigned char **r_key)
|
||
{
|
||
gpg_error_t err;
|
||
unsigned char grip[20];
|
||
|
||
if (!passphrase)
|
||
return gpg_error (GPG_ERR_INTERNAL);
|
||
|
||
err = convert_from_openpgp_main (ctrl, s_pgp, grip, NULL,
|
||
NULL, passphrase,
|
||
r_key, NULL);
|
||
|
||
/* On success try to re-write the key. */
|
||
if (!err)
|
||
{
|
||
unsigned char *protectedkey = NULL;
|
||
size_t protectedkeylen;
|
||
|
||
if (!agent_protect (*r_key, passphrase, &protectedkey, &protectedkeylen,
|
||
ctrl->s2k_count))
|
||
agent_write_private_key (grip, protectedkey, protectedkeylen, 1);
|
||
xfree (protectedkey);
|
||
}
|
||
|
||
return err;
|
||
}
|
||
|
||
|
||
|
||
static gpg_error_t
|
||
key_from_sexp (gcry_sexp_t sexp, const char *elems, gcry_mpi_t *array)
|
||
{
|
||
gpg_error_t err = 0;
|
||
gcry_sexp_t l2;
|
||
int idx;
|
||
|
||
for (idx=0; *elems; elems++, idx++)
|
||
{
|
||
l2 = gcry_sexp_find_token (sexp, elems, 1);
|
||
if (!l2)
|
||
{
|
||
err = gpg_error (GPG_ERR_NO_OBJ); /* Required parameter not found. */
|
||
goto leave;
|
||
}
|
||
array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
|
||
gcry_sexp_release (l2);
|
||
if (!array[idx])
|
||
{
|
||
err = gpg_error (GPG_ERR_INV_OBJ); /* Required parameter invalid. */
|
||
goto leave;
|
||
}
|
||
}
|
||
|
||
leave:
|
||
if (err)
|
||
{
|
||
int i;
|
||
|
||
for (i=0; i < idx; i++)
|
||
{
|
||
gcry_mpi_release (array[i]);
|
||
array[i] = NULL;
|
||
}
|
||
}
|
||
return err;
|
||
}
|
||
|
||
|
||
/* Given an ARRAY of mpis with the key parameters, protect the secret
|
||
parameters in that array and replace them by one opaque encoded
|
||
mpi. NPKEY is the number of public key parameters and NSKEY is
|
||
the number of secret key parameters (including the public ones).
|
||
On success the array will have NPKEY+1 elements. */
|
||
static gpg_error_t
|
||
apply_protection (gcry_mpi_t *array, int npkey, int nskey,
|
||
const char *passphrase,
|
||
int protect_algo, void *protect_iv, size_t protect_ivlen,
|
||
int s2k_mode, int s2k_algo, byte *s2k_salt, u32 s2k_count)
|
||
{
|
||
gpg_error_t err;
|
||
int i, j;
|
||
gcry_cipher_hd_t cipherhd;
|
||
unsigned char *bufarr[10];
|
||
size_t narr[10];
|
||
unsigned int nbits[10];
|
||
int ndata;
|
||
unsigned char *p, *data;
|
||
|
||
assert (npkey < nskey);
|
||
assert (nskey < DIM (bufarr));
|
||
|
||
/* Collect only the secret key parameters into BUFARR et al and
|
||
compute the required size of the data buffer. */
|
||
ndata = 20; /* Space for the SHA-1 checksum. */
|
||
for (i = npkey, j = 0; i < nskey; i++, j++ )
|
||
{
|
||
err = gcry_mpi_aprint (GCRYMPI_FMT_USG, bufarr+j, narr+j, array[i]);
|
||
if (err)
|
||
{
|
||
err = gpg_error_from_syserror ();
|
||
for (i = 0; i < j; i++)
|
||
xfree (bufarr[i]);
|
||
return err;
|
||
}
|
||
nbits[j] = gcry_mpi_get_nbits (array[i]);
|
||
ndata += 2 + narr[j];
|
||
}
|
||
|
||
/* Allocate data buffer and stuff it with the secret key parameters. */
|
||
data = xtrymalloc_secure (ndata);
|
||
if (!data)
|
||
{
|
||
err = gpg_error_from_syserror ();
|
||
for (i = 0; i < (nskey-npkey); i++ )
|
||
xfree (bufarr[i]);
|
||
return err;
|
||
}
|
||
p = data;
|
||
for (i = 0; i < (nskey-npkey); i++ )
|
||
{
|
||
*p++ = nbits[i] >> 8 ;
|
||
*p++ = nbits[i];
|
||
memcpy (p, bufarr[i], narr[i]);
|
||
p += narr[i];
|
||
xfree (bufarr[i]);
|
||
bufarr[i] = NULL;
|
||
}
|
||
assert (p == data + ndata - 20);
|
||
|
||
/* Append a hash of the secret key parameters. */
|
||
gcry_md_hash_buffer (GCRY_MD_SHA1, p, data, ndata - 20);
|
||
|
||
/* Encrypt it. */
|
||
err = gcry_cipher_open (&cipherhd, protect_algo,
|
||
GCRY_CIPHER_MODE_CFB, GCRY_CIPHER_SECURE);
|
||
if (!err)
|
||
err = hash_passphrase_and_set_key (passphrase, cipherhd, protect_algo,
|
||
s2k_mode, s2k_algo, s2k_salt, s2k_count);
|
||
if (!err)
|
||
err = gcry_cipher_setiv (cipherhd, protect_iv, protect_ivlen);
|
||
if (!err)
|
||
err = gcry_cipher_encrypt (cipherhd, data, ndata, NULL, 0);
|
||
gcry_cipher_close (cipherhd);
|
||
if (err)
|
||
{
|
||
xfree (data);
|
||
return err;
|
||
}
|
||
|
||
/* Replace the secret key parameters in the array by one opaque value. */
|
||
for (i = npkey; i < nskey; i++ )
|
||
{
|
||
gcry_mpi_release (array[i]);
|
||
array[i] = NULL;
|
||
}
|
||
array[npkey] = gcry_mpi_set_opaque (NULL, data, ndata*8);
|
||
return 0;
|
||
}
|
||
|
||
|
||
/* Convert our key S_KEY into an OpenPGP key transfer format. On
|
||
success a canonical encoded S-expression is stored at R_TRANSFERKEY
|
||
and its length at R_TRANSFERKEYLEN; this S-expression is also
|
||
padded to a multiple of 64 bits. */
|
||
gpg_error_t
|
||
convert_to_openpgp (ctrl_t ctrl, gcry_sexp_t s_key, const char *passphrase,
|
||
unsigned char **r_transferkey, size_t *r_transferkeylen)
|
||
{
|
||
gpg_error_t err;
|
||
gcry_sexp_t list, l2;
|
||
char *name;
|
||
int algo;
|
||
const char *algoname;
|
||
const char *elems;
|
||
int npkey, nskey;
|
||
gcry_mpi_t array[10];
|
||
char protect_iv[16];
|
||
char salt[8];
|
||
unsigned long s2k_count;
|
||
int i, j;
|
||
|
||
(void)ctrl;
|
||
|
||
*r_transferkey = NULL;
|
||
|
||
for (i=0; i < DIM (array); i++)
|
||
array[i] = NULL;
|
||
|
||
list = gcry_sexp_find_token (s_key, "private-key", 0);
|
||
if (!list)
|
||
return gpg_error (GPG_ERR_NO_OBJ); /* Does not contain a key object. */
|
||
l2 = gcry_sexp_cadr (list);
|
||
gcry_sexp_release (list);
|
||
list = l2;
|
||
name = gcry_sexp_nth_string (list, 0);
|
||
if (!name)
|
||
{
|
||
gcry_sexp_release (list);
|
||
return gpg_error (GPG_ERR_INV_OBJ); /* Invalid structure of object. */
|
||
}
|
||
|
||
algo = gcry_pk_map_name (name);
|
||
xfree (name);
|
||
|
||
switch (algo)
|
||
{
|
||
case GCRY_PK_RSA: algoname = "rsa"; npkey = 2; elems = "nedpqu"; break;
|
||
case GCRY_PK_ELG: algoname = "elg"; npkey = 3; elems = "pgyx"; break;
|
||
case GCRY_PK_ELG_E: algoname = "elg"; npkey = 3; elems = "pgyx"; break;
|
||
case GCRY_PK_DSA: algoname = "dsa"; npkey = 4; elems = "pqgyx"; break;
|
||
case GCRY_PK_ECDSA: algoname = "ecdsa"; npkey = 6; elems = "pabgnqd"; break;
|
||
case GCRY_PK_ECDH: algoname = "ecdh"; npkey = 6; elems = "pabgnqd"; break;
|
||
default: algoname = ""; npkey = 0; elems = NULL; break;
|
||
}
|
||
assert (!elems || strlen (elems) < DIM (array) );
|
||
nskey = elems? strlen (elems) : 0;
|
||
|
||
if (!elems)
|
||
err = gpg_error (GPG_ERR_PUBKEY_ALGO);
|
||
else
|
||
err = key_from_sexp (list, elems, array);
|
||
gcry_sexp_release (list);
|
||
if (err)
|
||
return err;
|
||
|
||
gcry_create_nonce (protect_iv, sizeof protect_iv);
|
||
gcry_create_nonce (salt, sizeof salt);
|
||
/* We need to use the encoded S2k count. It is not possible to
|
||
encode it after it has been used because the encoding procedure
|
||
may round the value up. */
|
||
s2k_count = get_standard_s2k_count_rfc4880 ();
|
||
err = apply_protection (array, npkey, nskey, passphrase,
|
||
GCRY_CIPHER_AES, protect_iv, sizeof protect_iv,
|
||
3, GCRY_MD_SHA1, salt, s2k_count);
|
||
/* Turn it into the transfer key S-expression. Note that we always
|
||
return a protected key. */
|
||
if (!err)
|
||
{
|
||
char countbuf[35];
|
||
membuf_t mbuf;
|
||
void *format_args_buf_ptr[1];
|
||
int format_args_buf_int[1];
|
||
void *format_args[10+2];
|
||
unsigned int n;
|
||
gcry_sexp_t tmpkey, tmpsexp = NULL;
|
||
|
||
snprintf (countbuf, sizeof countbuf, "%lu", s2k_count);
|
||
|
||
init_membuf (&mbuf, 50);
|
||
put_membuf_str (&mbuf, "(skey");
|
||
for (i=j=0; i < npkey; i++)
|
||
{
|
||
put_membuf_str (&mbuf, " _ %m");
|
||
format_args[j++] = array + i;
|
||
}
|
||
put_membuf_str (&mbuf, " e %b");
|
||
format_args_buf_ptr[0] = gcry_mpi_get_opaque (array[npkey], &n);
|
||
format_args_buf_int[0] = (n+7)/8;
|
||
format_args[j++] = format_args_buf_int;
|
||
format_args[j++] = format_args_buf_ptr;
|
||
put_membuf_str (&mbuf, ")\n");
|
||
put_membuf (&mbuf, "", 1);
|
||
|
||
tmpkey = NULL;
|
||
{
|
||
char *format = get_membuf (&mbuf, NULL);
|
||
if (!format)
|
||
err = gpg_error_from_syserror ();
|
||
else
|
||
err = gcry_sexp_build_array (&tmpkey, NULL, format, format_args);
|
||
xfree (format);
|
||
}
|
||
if (!err)
|
||
err = gcry_sexp_build (&tmpsexp, NULL,
|
||
"(openpgp-private-key\n"
|
||
" (version 1:4)\n"
|
||
" (algo %s)\n"
|
||
" %S\n"
|
||
" (protection sha1 aes %b 1:3 sha1 %b %s))\n",
|
||
algoname,
|
||
tmpkey,
|
||
(int)sizeof protect_iv, protect_iv,
|
||
(int)sizeof salt, salt,
|
||
countbuf);
|
||
gcry_sexp_release (tmpkey);
|
||
if (!err)
|
||
err = make_canon_sexp_pad (tmpsexp, 0, r_transferkey, r_transferkeylen);
|
||
gcry_sexp_release (tmpsexp);
|
||
}
|
||
|
||
for (i=0; i < DIM (array); i++)
|
||
gcry_mpi_release (array[i]);
|
||
|
||
return err;
|
||
}
|