| blob | 2bb38f316bcb62150d546da44866ce0e45771d7b |
1 /* protect.c - Un/Protect a secret key
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002,
3 * 2003 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20 * USA.
21 */
23 #include <config.h>
24 #include <errno.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <ctype.h>
29 #include <assert.h>
30 #include <unistd.h>
31 #include <sys/stat.h>
37 #define PROT_CIPHER GCRY_CIPHER_AES
39 #define PROT_CIPHER_KEYLEN (128/8)
42 /* A table containing the information needed to create a protected
43 private key */
53 };
56 static int
63 \f
64 /* Calculate the MIC for a private key S-Exp. SHA1HASH should point to
65 a 20 byte buffer. This function is suitable for any algorithms. */
66 static int
68 {
76 s++;
85 s++;
92 {
93 s++;
104 s++;
105 }
108 s++;
115 }
118 \f
119 /* Encrypt the parameter block starting at PROTBEGIN with length
120 PROTLEN using the utf8 encoded key PASSPHRASE and return the entire
121 encrypted block in RESULT or return with an error code. SHA1HASH
122 is the 20 byte SHA-1 hash required for the integrity code.
124 The parameter block is expected to be an incomplete S-Expression of
125 the form (example in advanced format):
127 (d #046129F..[some bytes not shown]..81#)
128 (p #00e861b..[some bytes not shown]..f1#)
129 (q #00f7a7c..[some bytes not shown]..61#)
130 (u #304559a..[some bytes not shown]..9b#)
132 the returned block is the S-Expression:
134 (protected mode (parms) encrypted_octet_string)
136 */
137 static int
141 {
142 gcry_cipher_hd_t hd;
155 GCRY_CIPHER_SECURE);
160 /* We need to work on a copy of the data because this makes it
161 easier to add the trailer and the padding and more important we
162 have to prefix the text with 2 parenthesis, so we have to
163 allocate enough space for:
165 ((<parameter_list>)(4:hash4:sha120:<hashvalue>)) + padding
167 We always append a full block of random bytes as padding but
168 encrypt only what is needed for a full blocksize */
176 {
177 /* Allocate random bytes to be used as IV, padding and s2k salt. */
183 }
185 {
192 else
193 {
199 }
200 }
202 {
218 }
221 {
225 }
227 /* Now allocate the buffer we want to return. This is
229 (protected openpgp-s2k3-sha1-aes-cbc
230 ((sha1 salt no_of_iterations) 16byte_iv)
231 encrypted_octet_string)
233 in canoncical format of course. We use asprintf and %n modifier
234 and spaces as palceholders. */
248 }
250 {
255 }
264 }
268 /* Protect the key encoded in canonical format in PLAINKEY. We assume
269 a valid S-Exp here. */
270 int
273 {
289 depth++;
290 s++;
298 depth++;
300 s++;
307 ;
313 {
318 depth++;
319 s++;
332 depth--;
335 s++;
336 }
339 depth--;
341 s++;
342 /* skip to the end of the S-exp */
359 /* Now create the protected version of the key. Note that the 10
360 extra bytes are for for the inserted "protected-" string (the
361 beginning of the plaintext reads: "((11:private-key(" ). */
364 + protectedlen
368 {
372 }
384 }
386 \f
387 /* Do the actual decryption and check the return list for consistency. */
388 static int
394 {
397 gcry_cipher_hd_t hd;
406 GCRY_CIPHER_SECURE);
416 {
423 else
424 {
430 }
431 }
437 {
440 }
441 /* Do a quick check first. */
443 {
446 }
447 /* Check that we have a consistent S-Exp. */
450 {
453 }
456 }
459 /* Merge the parameter list contained in CLEARTEXT with the original
460 protect lists PROTECTEDKEY by replacing the list at REPLACEPOS.
461 Return the new list in RESULT and the MIC value in the 20 byte
462 buffer SHA1HASH. */
463 static int
469 {
482 /* Estimate the required size of the resulting list. We have a large
483 safety margin of >20 bytes (MIC hash from CLEARTEXT and the
484 removed "protected-" */
496 /* Copy the initial segment */
502 /* copy the cleartext */
509 {
510 s++;
521 s++;
522 }
526 s++;
527 /* short intermezzo: Get the MIC */
530 s++;
544 /* end intermezzo */
546 /* append the parameter list */
550 /* skip overt the protected list element in the original list */
553 s++;
566 /* append the rest */
570 /* ready */
575 failure:
580 invalid_sexp:
584 }
588 /* Unprotect the key encoded in canonical format. We assume a valid
589 S-Exp here. */
590 int
593 {
610 s++;
618 s++;
625 ;
629 /* Now find the list with the protected information. Here is an
630 example for such a list:
631 (protected openpgp-s2k3-sha1-aes-cbc
632 ((sha1 <salt> <count>) <Initialization_Vector>)
633 <encrypted_data>)
634 */
636 {
640 s++;
651 }
652 /* found */
674 /* We expect a list close as next, so we can simply use strtoul()
675 here. We might want to check that we only have digits - but this
676 is nothing we should worry about */
692 s++;
706 /* Albeit cleartext has been allocated in secure memory and thus
707 xfree will wipe it out, we do an extra wipe just in case
708 somethings goes badly wrong. */
718 {
722 }
727 }
729 /* Check the type of the private key, this is one of the constants:
730 PRIVATE_KEY_UNKNOWN if we can't figure out the type (this is the
731 value 0), PRIVATE_KEY_CLEAR for an unprotected private key.
732 PRIVATE_KEY_PROTECTED for an protected private key or
733 PRIVATE_KEY_SHADOWED for a sub key where the secret parts are stored
734 elsewhere. */
735 int
737 {
744 s++;
755 }
758 \f
759 /* Transform a passphrase into a suitable key of length KEYLEN and
760 store this key in the caller provided buffer KEY. The caller must
761 provide an HASHALGO, a valid S2KMODE (see rfc-2440) and depending on
762 that mode an S2KSALT of 8 random bytes and an S2KCOUNT (a suitable
763 value is 96).
765 Returns an error code on failure. */
766 static int
772 {
774 gcry_md_hd_t md;
790 {
792 {
796 }
799 {
804 {
808 }
811 {
815 }
818 else
819 {
823 }
824 }
825 else
834 }
837 }
840 \f
842 /* Create an canonical encoded S-expression with the shadow info from
843 a card's SERIALNO and the IDSTRING. */
846 {
853 n++;
870 }
874 /* Create a shadow key from a public key. We use the shadow protocol
875 "ti-v1" and insert the S-expressionn SHADOW_INFO. The resulting
876 S-expression is returned in an allocated buffer RESULT will point
877 to. The input parameters are expected to be valid canonicalized
878 S-expressions */
879 int
883 {
897 depth++;
898 s++;
906 depth++;
907 s++;
914 {
917 depth++;
918 s++;
929 depth--;
930 s++;
931 }
933 depth--;
934 s++;
937 /* Calculate required length by taking in account: the "shadowed-"
938 prefix, the "shadowed", "t1-v1" as well as some parenthesis */
945 /* (10:public-key ...)*/
956 }
958 /* Parse a canonical encoded shadowed key and return a pointer to the
959 inner list with the shadow_info */
960 int
963 {
971 depth++;
972 s++;
980 depth++;
981 s++;
988 {
993 depth++;
994 s++;
1007 depth--;
1008 s++;
1009 }
1010 /* Found the shadowed list, S points to the protocol */
1015 {
1019 }
1020 else
1023 }