search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix CID 1491093: attrib leaked if attvalue is null
[claws.git] / src / password.c
blobf9a21a57f0dffda74fbbfe718cb12a3f7f7eb1fe
1 /*
2 * Claws Mail -- a GTK based, lightweight, and fast e-mail client
3 * Copyright (C) 2016-2023 The Claws Mail Team
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 3 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 #ifdef HAVE_CONFIG_H
20 #include "config.h"
21 #include "claws-features.h"
22 #endif
23
24 #ifdef PASSWORD_CRYPTO_GNUTLS
25 # include <gnutls/gnutls.h>
26 # include <gnutls/crypto.h>
27 #endif
28
29 #include <glib.h>
30 #include <glib/gi18n.h>
31
32 #if defined G_OS_UNIX
33 #include <fcntl.h>
34 #include <unistd.h>
35 #elif defined G_OS_WIN32
36 #include <windows.h>
37 #include <wincrypt.h>
38 #endif
39
40 #include "common/passcrypt.h"
41 #include "common/plugin.h"
42 #include "common/pkcs5_pbkdf2.h"
43 #include "common/timing.h"
44 #include "common/utils.h"
45 #include "account.h"
46 #include "alertpanel.h"
47 #include "inputdialog.h"
48 #include "password.h"
49 #include "passwordstore.h"
50 #include "prefs_common.h"
51
52 #ifndef PASSWORD_CRYPTO_OLD
53 static gchar *_primary_passphrase = NULL;
54
55 /* Length of stored key derivation, before base64. */
56 #define KD_LENGTH 64
57
58 /* Length of randomly generated and saved salt, used for key derivation.
59 * Also before base64. */
60 #define KD_SALT_LENGTH 64
61
62 static void _generate_salt()
63 {
64 guchar salt[KD_SALT_LENGTH];
65
66 if (prefs_common_get_prefs()->primary_passphrase_salt != NULL) {
67 g_free(prefs_common_get_prefs()->primary_passphrase_salt);
68 }
69
70 if (!get_random_bytes(salt, KD_SALT_LENGTH)) {
71 debug_print("Could not get random bytes for kd salt.\n");
72 return;
73 }
74
75 prefs_common_get_prefs()->primary_passphrase_salt =
76 g_base64_encode(salt, KD_SALT_LENGTH);
77 }
78
79 #undef KD_SALT_LENGTH
80
81 static guchar *_make_key_deriv(const gchar *passphrase, guint rounds,
82 guint length)
83 {
84 guchar *kd, *salt;
85 gchar *saltpref = prefs_common_get_prefs()->primary_passphrase_salt;
86 gsize saltlen;
87 gint ret;
88
89 /* Grab our salt, generating and saving a new random one if needed. */
90 if (saltpref == NULL || strlen(saltpref) == 0) {
91 _generate_salt();
92 saltpref = prefs_common_get_prefs()->primary_passphrase_salt;
93 }
94 salt = g_base64_decode(saltpref, &saltlen);
95 kd = g_malloc0(length);
96
97 START_TIMING("PBKDF2");
98 ret = pkcs5_pbkdf2(passphrase, strlen(passphrase), salt, saltlen,
99 kd, length, rounds);
100 END_TIMING();
101
102 g_free(salt);
103
104 if (ret == 0) {
105 return kd;
106 }
107
108 g_free(kd);
109 return NULL;
110 }
111
112 const gchar *primary_passphrase()
113 {
114 gchar *input;
115 gboolean end = FALSE;
116
117 if (!prefs_common_get_prefs()->use_primary_passphrase) {
118 return PASSCRYPT_KEY;
119 }
120
121 if (_primary_passphrase != NULL) {
122 debug_print("Primary passphrase is in memory, offering it.\n");
123 return _primary_passphrase;
124 }
125
126 while (!end) {
127 input = input_dialog_with_invisible(_("Input primary passphrase"),
128 _("Input primary passphrase"), NULL);
129
130 if (input == NULL) {
131 debug_print("Cancel pressed at primary passphrase dialog.\n");
132 break;
133 }
134
135 if (primary_passphrase_is_correct(input)) {
136 debug_print("Entered primary passphrase seems to be correct, remembering it.\n");
137 _primary_passphrase = input;
138 end = TRUE;
139 } else {
140 alertpanel_error(_("Incorrect primary passphrase."));
141 }
142 }
143
144 return _primary_passphrase;
145 }
146
147 gboolean primary_passphrase_is_set()
148 {
149 if (prefs_common_get_prefs()->primary_passphrase == NULL
150 || strlen(prefs_common_get_prefs()->primary_passphrase) == 0)
151 return FALSE;
152
153 return TRUE;
154 }
155
156 gboolean primary_passphrase_is_correct(const gchar *input)
157 {
158 guchar *kd, *input_kd;
159 gchar **tokens;
160 gchar *stored_kd = prefs_common_get_prefs()->primary_passphrase;
161 gsize kd_len;
162 guint rounds = 0;
163 gint ret;
164
165 g_return_val_if_fail(stored_kd != NULL && strlen(stored_kd) > 0, FALSE);
166 g_return_val_if_fail(input != NULL, FALSE);
167
168 tokens = g_strsplit_set(stored_kd, "{}", 3);
169 if (tokens[0] == NULL ||
170 strlen(tokens[0]) != 0 || /* nothing before { */
171 tokens[1] == NULL ||
172 strncmp(tokens[1], "PBKDF2-HMAC-SHA1,", 17) || /* correct tag */
173 strlen(tokens[1]) <= 17 || /* something after , */
174 (rounds = atoi(tokens[1] + 17)) <= 0 || /* valid rounds # */
175 tokens[2] == NULL ||
176 strlen(tokens[2]) == 0) { /* string continues after } */
177 debug_print("Mangled primary_passphrase format in config, can not use it.\n");
178 g_strfreev(tokens);
179 return FALSE;
180 }
181
182 stored_kd = tokens[2];
183 kd = g_base64_decode(stored_kd, &kd_len); /* should be 64 */
184 g_strfreev(tokens);
185
186 if (kd_len != KD_LENGTH) {
187 debug_print("primary_passphrase is %"G_GSIZE_FORMAT" bytes long, should be %d.\n",
188 kd_len, KD_LENGTH);
189 g_free(kd);
190 return FALSE;
191 }
192
193 input_kd = _make_key_deriv(input, rounds, KD_LENGTH);
194 ret = memcmp(kd, input_kd, kd_len);
195
196 g_free(input_kd);
197 g_free(kd);
198
199 if (ret == 0)
200 return TRUE;
201
202 return FALSE;
203 }
204
205 gboolean primary_passphrase_is_entered()
206 {
207 return (_primary_passphrase == NULL) ? FALSE : TRUE;
208 }
209
210 void primary_passphrase_forget()
211 {
212 /* If primary passphrase is currently in memory (entered by user),
213 * get rid of it. User will have to enter the new one again. */
214 if (_primary_passphrase != NULL) {
215 memset(_primary_passphrase, 0, strlen(_primary_passphrase));
216 g_free(_primary_passphrase);
217 _primary_passphrase = NULL;
218 }
219 }
220
221 void primary_passphrase_change(const gchar *oldp, const gchar *newp)
222 {
223 guchar *kd;
224 gchar *base64_kd;
225 guint rounds = prefs_common_get_prefs()->primary_passphrase_pbkdf2_rounds;
226
227 g_return_if_fail(rounds > 0);
228
229 if (oldp == NULL) {
230 /* If oldp is NULL, make sure the user has to enter the
231 * current primary passphrase before being able to change it. */
232 primary_passphrase_forget();
233 oldp = primary_passphrase();
234 }
235 g_return_if_fail(oldp != NULL);
236
237 /* Update primary passphrase hash in prefs */
238 if (prefs_common_get_prefs()->primary_passphrase != NULL)
239 g_free(prefs_common_get_prefs()->primary_passphrase);
240
241 if (newp != NULL) {
242 debug_print("Storing key derivation of new primary passphrase\n");
243 kd = _make_key_deriv(newp, rounds, KD_LENGTH);
244 base64_kd = g_base64_encode(kd, 64);
245 prefs_common_get_prefs()->primary_passphrase =
246 g_strdup_printf("{PBKDF2-HMAC-SHA1,%d}%s", rounds, base64_kd);
247 g_free(kd);
248 g_free(base64_kd);
249 } else {
250 debug_print("Setting primary_passphrase to NULL\n");
251 prefs_common_get_prefs()->primary_passphrase = NULL;
252 }
253
254 /* Now go over all accounts, reencrypting their passwords using
255 * the new primary passphrase. */
256
257 if (oldp == NULL)
258 oldp = PASSCRYPT_KEY;
259 if (newp == NULL)
260 newp = PASSCRYPT_KEY;
261
262 debug_print("Reencrypting all account passwords...\n");
263 passwd_store_reencrypt_all(oldp, newp);
264
265 primary_passphrase_forget();
266 }
267 #endif
268
269 #ifdef PASSWORD_CRYPTO_OLD
270 gchar *password_encrypt_old(const gchar *password)
271 {
272 if (!password || strlen(password) == 0) {
273 return NULL;
274 }
275
276 gchar *encrypted = g_strdup(password);
277 gchar *encoded, *result;
278 gsize len = strlen(password);
279
280 passcrypt_encrypt(encrypted, len);
281 encoded = g_base64_encode(encrypted, len);
282 g_free(encrypted);
283 result = g_strconcat("!", encoded, NULL);
284 g_free(encoded);
285
286 return result;
287 }
288 #endif
289
290 /* Decryption is still needed for supporting migration of old
291 * configurations to newer encryption mechanisms. */
292 gchar *password_decrypt_old(const gchar *password)
293 {
294 if (!password || strlen(password) == 0) {
295 return NULL;
296 }
297
298 if (*password != '!' || strlen(password) < 2) {
299 return NULL;
300 }
301
302 gsize len;
303 gchar *decrypted = g_base64_decode(password + 1, &len);
304
305 passcrypt_decrypt(decrypted, len);
306 return decrypted;
307 }
308
309 #ifdef PASSWORD_CRYPTO_GNUTLS
310 #define BUFSIZE 128
311
312 /* Since we can't count on having GnuTLS new enough to have
313 * gnutls_cipher_get_iv_size(), we hardcode the IV length for now. */
314 #define IVLEN 16
315
316 gchar *password_encrypt_gnutls(const gchar *password,
317 const gchar *encryption_passphrase)
318 {
319 gnutls_cipher_algorithm_t algo = GNUTLS_CIPHER_AES_256_CBC;
320 gnutls_cipher_hd_t handle;
321 gnutls_datum_t key, iv;
322 int keylen, blocklen, ret, len, i;
323 unsigned char *buf, *encbuf, *base, *output;
324 guint rounds = prefs_common_get_prefs()->primary_passphrase_pbkdf2_rounds;
325
326 g_return_val_if_fail(password != NULL, NULL);
327 g_return_val_if_fail(encryption_passphrase != NULL, NULL);
328
329 /* ivlen = gnutls_cipher_get_iv_size(algo);*/
330 keylen = gnutls_cipher_get_key_size(algo);
331 blocklen = gnutls_cipher_get_block_size(algo);
332 /* digestlen = gnutls_hash_get_len(digest); */
333
334 /* Take the passphrase and compute a key derivation of suitable
335 * length to be used as encryption key for our block cipher. */
336 key.data = _make_key_deriv(encryption_passphrase, rounds, keylen);
337 key.size = keylen;
338
339 /* Prepare random IV for cipher */
340 iv.data = malloc(IVLEN);
341 iv.size = IVLEN;
342 if (!get_random_bytes(iv.data, IVLEN)) {
343 g_free(key.data);
344 g_free(iv.data);
345 return NULL;
346 }
347
348 /* Initialize the encryption */
349 ret = gnutls_cipher_init(&handle, algo, &key, &iv);
350 if (ret < 0) {
351 g_free(key.data);
352 g_free(iv.data);
353 return NULL;
354 }
355
356 /* Find out how big buffer (in multiples of BUFSIZE)
357 * we need to store the password. */
358 i = 1;
359 len = strlen(password);
360 while(len >= i * BUFSIZE)
361 i++;
362 len = i * BUFSIZE;
363
364 /* Fill buf with one block of random data, our password, pad the
365 * rest with zero bytes. */
366 buf = malloc(len + blocklen);
367 memset(buf, 0, len + blocklen);
368 if (!get_random_bytes(buf, blocklen)) {
369 g_free(buf);
370 g_free(key.data);
371 g_free(iv.data);
372 gnutls_cipher_deinit(handle);
373 return NULL;
374 }
375
376 memcpy(buf + blocklen, password, strlen(password));
377
378 /* Encrypt into encbuf */
379 encbuf = malloc(len + blocklen);
380 memset(encbuf, 0, len + blocklen);
381 ret = gnutls_cipher_encrypt2(handle, buf, len + blocklen,
382 encbuf, len + blocklen);
383 if (ret < 0) {
384 g_free(key.data);
385 g_free(iv.data);
386 g_free(buf);
387 g_free(encbuf);
388 gnutls_cipher_deinit(handle);
389 return NULL;
390 }
391
392 /* Cleanup */
393 gnutls_cipher_deinit(handle);
394 g_free(key.data);
395 g_free(iv.data);
396 g_free(buf);
397
398 /* And finally prepare the resulting string:
399 * "{algorithm,rounds}base64encodedciphertext" */
400 base = g_base64_encode(encbuf, len + blocklen);
401 g_free(encbuf);
402 output = g_strdup_printf("{%s,%d}%s",
403 gnutls_cipher_get_name(algo), rounds, base);
404 g_free(base);
405
406 return output;
407 }
408
409 gchar *password_decrypt_gnutls(const gchar *password,
410 const gchar *decryption_passphrase)
411 {
412 gchar **tokens, *tmp;
413 gnutls_cipher_algorithm_t algo;
414 gnutls_cipher_hd_t handle;
415 gnutls_datum_t key, iv;
416 int keylen, blocklen, ret;
417 gsize len;
418 unsigned char *buf;
419 guint rounds;
420 size_t commapos;
421 gboolean valid_utf8;
422
423 g_return_val_if_fail(password != NULL, NULL);
424 g_return_val_if_fail(decryption_passphrase != NULL, NULL);
425
426 tokens = g_strsplit_set(password, "{}", 3);
427
428 /* Parse the string, retrieving algorithm and encrypted data.
429 * We expect "{algorithm,rounds}base64encodedciphertext". */
430 if (tokens[0] == NULL || strlen(tokens[0]) != 0 ||
431 tokens[1] == NULL || strlen(tokens[1]) == 0 ||
432 tokens[2] == NULL || strlen(tokens[2]) == 0) {
433 debug_print("Garbled password string.\n");
434 g_strfreev(tokens);
435 return NULL;
436 }
437
438 commapos = strcspn(tokens[1], ",");
439 if (commapos == strlen(tokens[1]) || commapos == 0) {
440 debug_print("Garbled algorithm substring.\n");
441 g_strfreev(tokens);
442 return NULL;
443 }
444
445 buf = g_strndup(tokens[1], commapos);
446 if ((algo = gnutls_cipher_get_id(buf)) == GNUTLS_CIPHER_UNKNOWN) {
447 debug_print("Password string has unknown algorithm: '%s'\n", buf);
448 g_free(buf);
449 g_strfreev(tokens);
450 return NULL;
451 }
452 g_free(buf);
453
454 if ((rounds = atoi(tokens[1] + commapos + 1)) <= 0) {
455 debug_print("Invalid number of rounds: %d\n", rounds);
456 g_strfreev(tokens);
457 return NULL;
458 }
459
460 /* ivlen = gnutls_cipher_get_iv_size(algo); */
461 keylen = gnutls_cipher_get_key_size(algo);
462 blocklen = gnutls_cipher_get_block_size(algo);
463 /* digestlen = gnutls_hash_get_len(digest); */
464
465 /* Take the passphrase and compute a key derivation of suitable
466 * length to be used as encryption key for our block cipher. */
467 key.data = _make_key_deriv(decryption_passphrase, rounds, keylen);
468 key.size = keylen;
469
470 /* Prepare random IV for cipher */
471 iv.data = malloc(IVLEN);
472 iv.size = IVLEN;
473 if (!get_random_bytes(iv.data, IVLEN)) {
474 g_free(key.data);
475 g_free(iv.data);
476 g_strfreev(tokens);
477 return NULL;
478 }
479
480 /* Prepare encrypted password string for decryption. */
481 tmp = g_base64_decode(tokens[2], &len);
482 g_strfreev(tokens);
483 if (tmp == NULL || len == 0) {
484 debug_print("Failed base64-decoding of stored password string\n");
485 g_free(key.data);
486 g_free(iv.data);
487 if (tmp != NULL)
488 g_free(tmp);
489 return NULL;
490 }
491 debug_print("Encrypted password string length: %"G_GSIZE_FORMAT"\n", len);
492
493 /* Initialize the decryption */
494 ret = gnutls_cipher_init(&handle, algo, &key, &iv);
495 if (ret < 0) {
496 debug_print("Cipher init failed: %s\n", gnutls_strerror(ret));
497 g_free(key.data);
498 g_free(iv.data);
499 g_free(tmp);
500 return NULL;
501 }
502
503 /* Allocate the buffer to store decrypted plaintext in. */
504 buf = malloc(len);
505 memset(buf, 0, len);
506
507 /* Decrypt! */
508 ret = gnutls_cipher_decrypt2(handle, tmp, len,
509 buf, len);
510 g_free(tmp);
511 if (ret < 0) {
512 debug_print("Decryption failed: %s\n", gnutls_strerror(ret));
513 g_free(key.data);
514 g_free(iv.data);
515 g_free(buf);
516 gnutls_cipher_deinit(handle);
517 return NULL;
518 }
519
520 /* Cleanup */
521 gnutls_cipher_deinit(handle);
522 g_free(key.data);
523 g_free(iv.data);
524
525 /* 'buf+blocklen' should now be pointing to the plaintext
526 * password string.
527 * (The first block contains random data from the IV.)
528 *
529 * At this point, it should be a valid UTF-8 string. Let's make sure. */
530
531 /* First, let's assume there's just garbage and play it safe
532 * by looking for a first NULL byte within the decrypted range.
533 * (We could really use g_strchr_len() here instead, but Glib
534 * doesn't have that.) */
535 if (!g_strstr_len(buf + blocklen, len - blocklen, "\0")) {
536 debug_print("Could not find a NULL byte in the decrypted password.\n");
537 valid_utf8 = FALSE;
538 } else {
539 /* There is a NULL byte, we can rely on strlen() returning
540 * a sane value, so we don't read past the end of the allocated
541 * buffer. */
542 valid_utf8 = g_utf8_validate(buf + blocklen, strlen(buf + blocklen), NULL);
543 }
544
545 if (!valid_utf8)
546 debug_print("Decrypted password is not a valid UTF-8 string!\n");
547 cm_return_val_if_fail(valid_utf8, NULL);
548
549 tmp = g_strndup(buf + blocklen, strlen(buf + blocklen));
550 memset(buf, 0, len);
551 g_free(buf);
552
553 return tmp;
554 }
555
556 #undef BUFSIZE
557
558 #endif
559
560 gchar *password_encrypt(const gchar *password,
561 const gchar *encryption_passphrase)
562 {
563 if (password == NULL || strlen(password) == 0) {
564 return NULL;
565 }
566
567 #ifndef PASSWORD_CRYPTO_OLD
568 if (encryption_passphrase == NULL)
569 encryption_passphrase = primary_passphrase();
570
571 return password_encrypt_real(password, encryption_passphrase);
572 #else
573 return password_encrypt_old(password);
574 #endif
575 }
576
577 gchar *password_decrypt(const gchar *password,
578 const gchar *decryption_passphrase)
579 {
580 if (password == NULL || strlen(password) == 0) {
581 return NULL;
582 }
583
584 /* First, check if the password was possibly decrypted using old,
585 * obsolete method */
586 if (*password == '!') {
587 debug_print("Trying to decrypt password using the old method...\n");
588 return password_decrypt_old(password);
589 }
590
591 /* Try available crypto backend */
592 #ifndef PASSWORD_CRYPTO_OLD
593 if (decryption_passphrase == NULL)
594 decryption_passphrase = primary_passphrase();
595
596 if (*password == '{') {
597 debug_print("Trying to decrypt password...\n");
598 return password_decrypt_real(password, decryption_passphrase);
599 }
600 #endif
601
602 /* Fallback, in case the configuration is really old and
603 * stored password in plaintext */
604 debug_print("Assuming password was stored plaintext, returning it unchanged\n");
605 return g_strdup(password);
606 }