search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2006-09-06 Marcus Brinkmann <marcus@g10code.de>
[gnupg.git] / g10 / seckey-cert.c
blobad5b7560354d0fc0da7a72ef4b4ee13b72c8256d
1 /* seckey-cert.c - secret key certificate packet handling
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002,
3 * 2006 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20 * USA.
21 */
22
23 #include <config.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <assert.h>
28
29 #include "gpg.h"
30 #include "util.h"
31 #include "packet.h"
32 #include "keydb.h"
33 #include "cipher.h"
34 #include "main.h"
35 #include "options.h"
36 #include "i18n.h"
37 #include "status.h"
38 #include "pkglue.h"
39
40 static int
41 do_check( PKT_secret_key *sk, const char *tryagain_text, int mode,
42 int *canceled )
43 {
44 gpg_error_t err;
45 byte *buffer;
46 u16 csum=0;
47 int i, res;
48 unsigned int nbytes;
49
50 if( sk->is_protected ) { /* remove the protection */
51 DEK *dek = NULL;
52 u32 keyid[4]; /* 4! because we need two of them */
53 gcry_cipher_hd_t cipher_hd=NULL;
54 PKT_secret_key *save_sk;
55
56 if( sk->protect.s2k.mode == 1001 ) {
57 log_info(_("secret key parts are not available\n"));
58 return G10ERR_GENERAL;
59 }
60 if( sk->protect.algo == CIPHER_ALGO_NONE )
61 BUG();
62 if( openpgp_cipher_test_algo( sk->protect.algo ) ) {
63 log_info(_("protection algorithm %d%s is not supported\n"),
64 sk->protect.algo,sk->protect.algo==1?" (IDEA)":"" );
65 if (sk->protect.algo==CIPHER_ALGO_IDEA)
66 {
67 write_status (STATUS_RSA_OR_IDEA);
68 idea_cipher_warn (0);
69 }
70 return G10ERR_CIPHER_ALGO;
71 }
72 if(gcry_md_test_algo (sk->protect.s2k.hash_algo))
73 {
74 log_info(_("protection digest %d is not supported\n"),
75 sk->protect.s2k.hash_algo);
76 return G10ERR_DIGEST_ALGO;
77 }
78 keyid_from_sk( sk, keyid );
79 keyid[2] = keyid[3] = 0;
80 if( !sk->is_primary ) {
81 keyid[2] = sk->main_keyid[0];
82 keyid[3] = sk->main_keyid[1];
83 }
84 dek = passphrase_to_dek( keyid, sk->pubkey_algo, sk->protect.algo,
85 &sk->protect.s2k, mode,
86 tryagain_text, canceled );
87 if (!dek && canceled && *canceled)
88 return G10ERR_GENERAL;
89
90
91 err = gcry_cipher_open (&cipher_hd, sk->protect.algo,
92 GCRY_CIPHER_MODE_CFB,
93 (GCRY_CIPHER_SECURE
94 | (sk->protect.algo >= 100 ?
95 0 : GCRY_CIPHER_ENABLE_SYNC)));
96 if (err)
97 log_fatal ("cipher open failed: %s\n", gpg_strerror (err) );
98
99 err = gcry_cipher_setkey (cipher_hd, dek->key, dek->keylen);
100 if (err)
101 log_fatal ("set key failed: %s\n", gpg_strerror (err) );
102
103 xfree(dek);
104 save_sk = copy_secret_key( NULL, sk );
105
106 gcry_cipher_setiv ( cipher_hd, sk->protect.iv, sk->protect.ivlen );
107
108 csum = 0;
109 if( sk->version >= 4 ) {
110 int ndata;
111 unsigned int ndatabits;
112 byte *p, *data;
113 u16 csumc = 0;
114
115 i = pubkey_get_npkey(sk->pubkey_algo);
116
117 assert ( gcry_mpi_get_flag (sk->skey[i], GCRYMPI_FLAG_OPAQUE ));
118 p = gcry_mpi_get_opaque ( sk->skey[i], &ndatabits );
119 ndata = (ndatabits+7)/8;
120
121 if ( ndata > 1 )
122 csumc = p[ndata-2] << 8 | p[ndata-1];
123 data = xmalloc_secure ( ndata );
124 gcry_cipher_decrypt ( cipher_hd, data, ndata, p, ndata );
125 gcry_mpi_release (sk->skey[i]); sk->skey[i] = NULL ;
126
127 p = data;
128 if (sk->protect.sha1chk) {
129 /* This is the new SHA1 checksum method to detect
130 tampering with the key as used by the Klima/Rosa
131 attack */
132 sk->csum = 0;
133 csum = 1;
134 if( ndata < 20 )
135 log_error("not enough bytes for SHA-1 checksum\n");
136 else {
137 gcry_md_hd_t h;
138
139 if ( gcry_md_open (&h, DIGEST_ALGO_SHA1, 1))
140 BUG(); /* Algo not available. */
141 gcry_md_write (h, data, ndata - 20);
142 gcry_md_final (h);
143 if (!memcmp (gcry_md_read (h, DIGEST_ALGO_SHA1),
144 data + ndata - 20, 20) )
145 {
146 /* Digest does match. We have to keep the old
147 style checksum in sk->csum, so that the
148 test used for unprotected keys does work.
149 This test gets used when we are adding new
150 keys. */
151 sk->csum = csum = checksum (data, ndata-20);
152 }
153 gcry_md_close (h);
154 }
155 }
156 else {
157 if( ndata < 2 ) {
158 log_error("not enough bytes for checksum\n");
159 sk->csum = 0;
160 csum = 1;
161 }
162 else {
163 csum = checksum( data, ndata-2);
164 sk->csum = data[ndata-2] << 8 | data[ndata-1];
165 if ( sk->csum != csum ) {
166 /* This is a PGP 7.0.0 workaround */
167 sk->csum = csumc; /* take the encrypted one */
168 }
169 }
170 }
171
172 /* Must check it here otherwise the mpi_read_xx would fail
173 because the length may have an arbitrary value */
174 if( sk->csum == csum ) {
175 for( ; i < pubkey_get_nskey(sk->pubkey_algo); i++ ) {
176 if ( gcry_mpi_scan( &sk->skey[i], GCRYMPI_FMT_PGP,
177 p, ndata, &nbytes))
178 {
179 /* Checksum was okay, but not correctly
180 decrypted. */
181 sk->csum = 0;
182 csum = 1;
183 break;
184 }
185 ndata -= nbytes;
186 p += nbytes;
187 }
188 /* Note: at this point ndata should be 2 for a simple
189 checksum or 20 for the sha1 digest */
190 }
191 xfree(data);
192 }
193 else {
194 for(i=pubkey_get_npkey(sk->pubkey_algo);
195 i < pubkey_get_nskey(sk->pubkey_algo); i++ ) {
196 byte *p;
197 int ndata;
198 unsigned int ndatabits;
199
200 assert (gcry_mpi_get_flag (sk->skey[i], GCRYMPI_FLAG_OPAQUE));
201 p = gcry_mpi_get_opaque (sk->skey[i], &ndatabits);
202 ndata = (ndatabits+7)/8;
203 assert (ndata >= 2);
204 assert (ndata == ((p[0] << 8 | p[1]) + 7)/8 + 2);
205 buffer = xmalloc_secure (ndata);
206 gcry_cipher_sync (cipher_hd);
207 buffer[0] = p[0];
208 buffer[1] = p[1];
209 gcry_cipher_decrypt (cipher_hd, buffer+2, ndata-2,
210 p+2, ndata-2);
211 csum += checksum (buffer, ndata);
212 gcry_mpi_release (sk->skey[i]);
213
214 err = gcry_mpi_scan( &sk->skey[i], GCRYMPI_FMT_USG,
215 buffer, ndata, &ndata );
216 xfree (buffer);
217 if (err)
218 {
219 /* Checksum was okay, but not correctly
220 decrypted. */
221 sk->csum = 0;
222 csum = 1;
223 break;
224 }
225 /* csum += checksum_mpi (sk->skey[i]); */
226 }
227 }
228 gcry_cipher_close ( cipher_hd );
229
230 /* Now let's see whether we have used the correct passphrase. */
231 if( csum != sk->csum ) {
232 copy_secret_key( sk, save_sk );
233 passphrase_clear_cache ( keyid, NULL, sk->pubkey_algo );
234 free_secret_key( save_sk );
235 return gpg_error (GPG_ERR_BAD_PASSPHRASE);
236 }
237
238 /* The checksum may fail, so we also check the key itself. */
239 res = pk_check_secret_key ( sk->pubkey_algo, sk->skey );
240 if( res ) {
241 copy_secret_key( sk, save_sk );
242 passphrase_clear_cache ( keyid, NULL, sk->pubkey_algo );
243 free_secret_key( save_sk );
244 return gpg_error (GPG_ERR_BAD_PASSPHRASE);
245 }
246 free_secret_key( save_sk );
247 sk->is_protected = 0;
248 }
249 else { /* not protected, assume it is okay if the checksum is okay */
250 csum = 0;
251 for(i=pubkey_get_npkey(sk->pubkey_algo);
252 i < pubkey_get_nskey(sk->pubkey_algo); i++ ) {
253 csum += checksum_mpi( sk->skey[i] );
254 }
255 if( csum != sk->csum )
256 return G10ERR_CHECKSUM;
257 }
258
259 return 0;
260 }
261
262
263
264 /****************
265 * Check the secret key
266 * Ask up to 3 (or n) times for a correct passphrase
267 * If n is negative, disable the key info prompt and make n=abs(n)
268 */
269 int
270 check_secret_key( PKT_secret_key *sk, int n )
271 {
272 int rc = gpg_error (GPG_ERR_BAD_PASSPHRASE);
273 int i,mode;
274
275 if (sk && sk->is_protected && sk->protect.s2k.mode == 1002)
276 return 0; /* Let the scdaemon handle this. */
277
278 if(n<0)
279 {
280 n=abs(n);
281 mode=1;
282 }
283 else
284 mode=0;
285
286 if( n < 1 )
287 n = (opt.batch && !opt.use_agent)? 1 : 3; /* use the default value */
288
289 for(i=0; i < n && gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE; i++ ) {
290 int canceled = 0;
291 const char *tryagain = NULL;
292 if (i) {
293 tryagain = N_("Invalid passphrase; please try again");
294 log_info (_("%s ...\n"), _(tryagain));
295 }
296 rc = do_check( sk, tryagain, mode, &canceled );
297 if ( gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
298 && is_status_enabled () ) {
299 u32 kid[2];
300 char buf[50];
301
302 keyid_from_sk( sk, kid );
303 sprintf(buf, "%08lX%08lX", (ulong)kid[0], (ulong)kid[1]);
304 write_status_text( STATUS_BAD_PASSPHRASE, buf );
305 }
306 if( have_static_passphrase() || canceled)
307 break;
308 }
309
310 if( !rc )
311 write_status( STATUS_GOOD_PASSPHRASE );
312
313 return rc;
314 }
315
316 /****************
317 * check whether the secret key is protected.
318 * Returns: 0 not protected, -1 on error or the protection algorithm
319 * -2 indicates a card stub.
320 * -3 indicates a not-online stub.
321 */
322 int
323 is_secret_key_protected( PKT_secret_key *sk )
324 {
325 return sk->is_protected?
326 sk->protect.s2k.mode == 1002? -2 :
327 sk->protect.s2k.mode == 1001? -3 : sk->protect.algo : 0;
328 }
329
330
331
332 /****************
333 * Protect the secret key with the passphrase from DEK
334 */
335 int
336 protect_secret_key( PKT_secret_key *sk, DEK *dek )
337 {
338 int i,j, rc = 0;
339 byte *buffer;
340 unsigned nbytes;
341 u16 csum;
342
343 if( !dek )
344 return 0;
345
346 if( !sk->is_protected ) { /* okay, apply the protection */
347 gcry_cipher_hd_t cipher_hd=NULL;
348
349 if ( openpgp_cipher_test_algo ( sk->protect.algo ) ) {
350 /* Unsupport protection algorithm. */
351 rc = gpg_error (GPG_ERR_CIPHER_ALGO);
352 }
353 else {
354 print_cipher_algo_note( sk->protect.algo );
355
356 if ( gcry_cipher_open (&cipher_hd, sk->protect.algo,
357 GCRY_CIPHER_MODE_CFB,
358 (GCRY_CIPHER_SECURE
359 | (sk->protect.algo >= 100 ?
360 0 : GCRY_CIPHER_ENABLE_SYNC))) )
361 BUG();
362 if ( gcry_cipher_setkey ( cipher_hd, dek->key, dek->keylen ) )
363 log_info(_("WARNING: Weak key detected"
364 " - please change passphrase again.\n"));
365 sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo);
366 assert( sk->protect.ivlen <= DIM(sk->protect.iv) );
367 if( sk->protect.ivlen != 8 && sk->protect.ivlen != 16 )
368 BUG(); /* yes, we are very careful */
369 gcry_create_nonce (sk->protect.iv, sk->protect.ivlen);
370 gcry_cipher_setiv (cipher_hd, sk->protect.iv, sk->protect.ivlen);
371 if( sk->version >= 4 ) {
372 byte *bufarr[PUBKEY_MAX_NSKEY];
373 unsigned narr[PUBKEY_MAX_NSKEY];
374 unsigned nbits[PUBKEY_MAX_NSKEY];
375 int ndata=0;
376 byte *p, *data;
377
378 for (j=0, i = pubkey_get_npkey(sk->pubkey_algo);
379 i < pubkey_get_nskey(sk->pubkey_algo); i++, j++ )
380 {
381 assert (!gcry_mpi_get_flag (sk->skey[i],
382 GCRYMPI_FLAG_OPAQUE));
383 if (gcry_mpi_aprint (GCRYMPI_FMT_USG, bufarr+j,
384 narr+j, sk->skey[i]))
385 BUG();
386 nbits[j] = gcry_mpi_get_nbits (sk->skey[i]);
387 ndata += narr[j] + 2;
388 }
389 for ( ; j < PUBKEY_MAX_NSKEY; j++ )
390 bufarr[j] = NULL;
391
392 ndata += opt.simple_sk_checksum? 2 : 20; /* for checksum */
393
394 data = xmalloc_secure( ndata );
395 p = data;
396 for(j=0; j < PUBKEY_MAX_NSKEY && bufarr[j]; j++ ) {
397 p[0] = nbits[j] >> 8 ;
398 p[1] = nbits[j];
399 p += 2;
400 memcpy(p, bufarr[j], narr[j] );
401 p += narr[j];
402 xfree(bufarr[j]);
403 }
404
405 if (opt.simple_sk_checksum) {
406 log_info (_("generating the deprecated 16-bit checksum"
407 " for secret key protection\n"));
408 csum = checksum( data, ndata-2);
409 sk->csum = csum;
410 *p++ = csum >> 8;
411 *p++ = csum;
412 sk->protect.sha1chk = 0;
413 }
414 else {
415 gcry_md_hd_t h;
416
417 if (gcry_md_open (&h, GCRY_MD_SHA1, 1))
418 BUG(); /* Algo not available. */
419 gcry_md_write (h, data, ndata - 20);
420 gcry_md_final (h);
421 memcpy (p, gcry_md_read (h, DIGEST_ALGO_SHA1), 20);
422 p += 20;
423 gcry_md_close (h);
424 sk->csum = csum = 0;
425 sk->protect.sha1chk = 1;
426 }
427 assert( p == data+ndata );
428
429 gcry_cipher_encrypt (cipher_hd, data, ndata, NULL, 0);
430 for (i = pubkey_get_npkey(sk->pubkey_algo);
431 i < pubkey_get_nskey(sk->pubkey_algo); i++ )
432 {
433 gcry_mpi_release (sk->skey[i]);
434 sk->skey[i] = NULL;
435 }
436 i = pubkey_get_npkey(sk->pubkey_algo);
437 sk->skey[i] = gcry_mpi_set_opaque (NULL, data, ndata*8 );
438 }
439 else {
440 csum = 0;
441 for(i=pubkey_get_npkey(sk->pubkey_algo);
442 i < pubkey_get_nskey(sk->pubkey_algo); i++ ) {
443 byte *data;
444 unsigned int nbits;
445
446 csum += checksum_mpi (sk->skey[i]);
447
448 if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &buffer,
449 &nbytes, sk->skey[i] ))
450 BUG();
451 gcry_cipher_sync (cipher_hd);
452 assert (!gcry_mpi_get_flag (sk->skey[i],
453 GCRYMPI_FLAG_OPAQUE));
454
455 data = xmalloc (nbytes+2); /* fixme: need xtrymalloc. */
456 nbits = gcry_mpi_get_nbits (sk->skey[i]);
457 assert (nbytes == (nbits + 7)/8);
458 data[0] = nbits >> 8;
459 data[1] = nbits;
460 gcry_cipher_encrypt (cipher_hd, data+2, nbytes,
461 buffer, nbytes);
462 xfree( buffer );
463
464 gcry_mpi_release (sk->skey[i]);
465 sk->skey[i] = gcry_mpi_set_opaque (NULL,
466 data, (nbytes+2)*8 );
467 }
468 sk->csum = csum;
469 }
470 sk->is_protected = 1;
471 gcry_cipher_close (cipher_hd);
472 }
473 }
474 return rc;
475 }
476
gnupg svn clone