| blob | 2de5e97c502a4ce0b67178f9dbf8f1ac8ba1cb8d |
1 /* protect.c - Un/Protect a secret key
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002,
3 * 2003 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
20 */
22 #include <config.h>
23 #include <errno.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <ctype.h>
28 #include <assert.h>
29 #include <unistd.h>
30 #include <sys/stat.h>
36 #define PROT_CIPHER GCRY_CIPHER_AES
38 #define PROT_CIPHER_KEYLEN (128/8)
41 /* A table containing the information needed to create a protected
42 private key */
52 };
55 static int
62 \f
63 /* Calculate the MIC for a private key S-Exp. SHA1HASH should pint to
64 a 20 byte buffer. This function is suitable for any algorithms. */
65 static int
67 {
75 s++;
84 s++;
91 {
92 s++;
103 s++;
104 }
107 s++;
114 }
117 \f
118 /* Encrypt the parameter block starting at PROTBEGIN with length
119 PROTLEN using the utf8 encoded key PASSPHRASE and return the entire
120 encrypted block in RESULT or ereturn with an error code. SHA1HASH
121 is the 20 byte SHA-1 hash required for the integrity code.
123 The parameter block is expected to be an incomplete S-Expression of
124 the form (example in advanced format):
126 (d #046129F..[some bytes not shown]..81#)
127 (p #00e861b..[some bytes not shown]..f1#)
128 (q #00f7a7c..[some bytes not shown]..61#)
129 (u #304559a..[some bytes not shown]..9b#)
131 the returned block is the S-Expression:
133 (protected mode (parms) encrypted_octet_string)
135 */
136 static int
140 {
141 gcry_cipher_hd_t hd;
151 GCRY_CIPHER_SECURE);
156 /* We need to work on a copy of the data because this makes it
157 easier to add the trailer and the padding and more important we
158 have to prefix the text with 2 parenthesis, so we have to
159 allocate enough space for:
161 ((<parameter_list>)(4:hash4:sha120:<hashvalue>)) + padding
163 We always append a full block of random bytes as padding but
164 encrypt only what is needed for a full blocksize */
172 {
173 /* Allocate random bytes to be used as IV, padding and s2k salt. */
179 }
181 {
188 else
189 {
195 }
196 }
198 {
214 }
217 {
221 }
223 /* Now allocate the buffer we want to return. This is
225 (protected openpgp-s2k3-sha1-aes-cbc
226 ((sha1 salt no_of_iterations) 16byte_iv)
227 encrypted_octet_string)
229 in canoncical format of course. We use asprintf and %n modifier
230 and spaces as palceholders. */
244 }
246 {
251 }
260 }
264 /* Protect the key encoded in canonical format in plainkey. We assume
265 a valid S-Exp here. */
266 int
269 {
285 depth++;
286 s++;
294 depth++;
296 s++;
303 ;
309 {
314 depth++;
315 s++;
328 depth--;
331 s++;
332 }
335 depth--;
337 s++;
338 /* skip to the end of the S-exp */
355 /* Now create the protected version of the key. Note that the 10
356 extra bytes are for for the inserted "protected-" string (the
357 beginning of the plaintext reads: "((11:private-key(" ). */
360 + protectedlen
364 {
368 }
380 }
382 \f
383 /* Do the actual decryption and check the return list for consistency. */
384 static int
390 {
393 gcry_cipher_hd_t hd;
402 GCRY_CIPHER_SECURE);
412 {
419 else
420 {
426 }
427 }
433 {
436 }
437 /* Do a quick check first. */
439 {
442 }
443 /* Check that we have a consistent S-Exp. */
446 {
449 }
452 }
455 /* Merge the parameter list contained in CLEARTEXT with the original
456 protect lists PROTECTEDKEY by replacing the list at REPLACEPOS.
457 Return the new list in RESULT and the MIC value in the 20 byte
458 buffer SHA1HASH. */
459 static int
465 {
475 /* Estimate the required size of the resulting list. We have a large
476 safety margin of >20 bytes (MIC hash from CLEARTEXT and the
477 removed "protected-" */
489 /* Copy the initial segment */
495 /* copy the cleartext */
502 {
503 s++;
514 s++;
515 }
519 s++;
520 /* short intermezzo: Get the MIC */
523 s++;
537 /* end intermezzo */
539 /* append the parameter list */
543 /* skip overt the protected list element in the original list */
546 s++;
559 /* append the rest */
563 /* ready */
568 failure:
573 invalid_sexp:
577 }
581 /* Unprotect the key encoded in canonical format. We assume a valid
582 S-Exp here. */
583 int
586 {
603 s++;
611 s++;
618 ;
622 /* Now find the list with the protected information. Here is an
623 example for such a list:
624 (protected openpgp-s2k3-sha1-aes-cbc
625 ((sha1 <salt> <count>) <Initialization_Vector>)
626 <encrypted_data>)
627 */
629 {
633 s++;
644 }
645 /* found */
667 /* We expect a list close as next, so we can simply use strtoul()
668 here. We might want to check that we only have digits - but this
669 is nothing we should worry about */
685 s++;
699 /* Albeit cleartext has been allocated in secure memory and thus
700 xfree will wipe it out, we do an extra wipe just in case
701 somethings goes badly wrong. */
711 {
715 }
720 }
722 /* Check the type of the private key, this is one of the constants:
723 PRIVATE_KEY_UNKNOWN if we can't figure out the type (this is the
724 value 0), PRIVATE_KEY_CLEAR for an unprotected private key.
725 PRIVATE_KEY_PROTECTED for an protected private key or
726 PRIVATE_KEY_SHADOWED for a sub key where the secret parts are stored
727 elsewhere. */
728 int
730 {
737 s++;
748 }
751 \f
752 /* Transform a passphrase into a suitable key of length KEYLEN and
753 store this key in the caller provided buffer KEY. The caller must
754 provide an HASHALGO, a valid S2KMODE (see rfc-2440) and depending on
755 that mode an S2KSALT of 8 random bytes and an S2KCOUNT (a suitable
756 value is 96).
758 Returns an error code on failure. */
759 static int
765 {
767 gcry_md_hd_t md;
783 {
785 {
789 }
792 {
797 {
801 }
804 {
808 }
811 else
812 {
816 }
817 }
818 else
827 }
830 }
833 \f
834 /* Create a shadow key from a public key. We use the shadow protocol
835 "ti-v1" and insert the S-expressionn SHADOW_INFO. The resulting
836 S-expression is returned in an allocated buffer RESULT will point
837 to. The input parameters are expected to be valid canonilized
838 S-expressions */
839 int
843 {
857 depth++;
858 s++;
866 depth++;
867 s++;
874 {
877 depth++;
878 s++;
889 depth--;
890 s++;
891 }
893 depth--;
894 s++;
897 /* calculate required length by taking in account: the "shadowed-"
898 prefix, the "shadowed", "t1-v1" as well as some parenthesis */
904 /* (10:public-key ...)*/
915 }
917 /* Parse a canonical encoded shadowed key and return a pointer to the
918 inner list with the shadow_info */
919 int
922 {
930 depth++;
931 s++;
939 depth++;
940 s++;
947 {
952 depth++;
953 s++;
966 depth--;
967 s++;
968 }
969 /* Found the shadowed list, S points to the protocol */
974 {
978 }
979 else
982 }