| blob | 45bdae496ca17b04053ae93ef27bba24de280edd |
1 /* protect.c - Un/Protect a secret key
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002,
3 * 2003 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
20 */
22 #include <config.h>
23 #include <errno.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <ctype.h>
28 #include <assert.h>
29 #include <unistd.h>
30 #include <sys/stat.h>
36 #define PROT_CIPHER GCRY_CIPHER_AES
38 #define PROT_CIPHER_KEYLEN (128/8)
41 /* A table containing the information needed to create a protected
42 private key */
52 };
55 static int
62 \f
63 /* Calculate the MIC for a private key S-Exp. SHA1HASH should point to
64 a 20 byte buffer. This function is suitable for any algorithms. */
65 static int
67 {
75 s++;
84 s++;
91 {
92 s++;
103 s++;
104 }
107 s++;
114 }
117 \f
118 /* Encrypt the parameter block starting at PROTBEGIN with length
119 PROTLEN using the utf8 encoded key PASSPHRASE and return the entire
120 encrypted block in RESULT or return with an error code. SHA1HASH
121 is the 20 byte SHA-1 hash required for the integrity code.
123 The parameter block is expected to be an incomplete S-Expression of
124 the form (example in advanced format):
126 (d #046129F..[some bytes not shown]..81#)
127 (p #00e861b..[some bytes not shown]..f1#)
128 (q #00f7a7c..[some bytes not shown]..61#)
129 (u #304559a..[some bytes not shown]..9b#)
131 the returned block is the S-Expression:
133 (protected mode (parms) encrypted_octet_string)
135 */
136 static int
140 {
141 gcry_cipher_hd_t hd;
154 GCRY_CIPHER_SECURE);
159 /* We need to work on a copy of the data because this makes it
160 easier to add the trailer and the padding and more important we
161 have to prefix the text with 2 parenthesis, so we have to
162 allocate enough space for:
164 ((<parameter_list>)(4:hash4:sha120:<hashvalue>)) + padding
166 We always append a full block of random bytes as padding but
167 encrypt only what is needed for a full blocksize */
175 {
176 /* Allocate random bytes to be used as IV, padding and s2k salt. */
182 }
184 {
191 else
192 {
198 }
199 }
201 {
217 }
220 {
224 }
226 /* Now allocate the buffer we want to return. This is
228 (protected openpgp-s2k3-sha1-aes-cbc
229 ((sha1 salt no_of_iterations) 16byte_iv)
230 encrypted_octet_string)
232 in canoncical format of course. We use asprintf and %n modifier
233 and spaces as palceholders. */
247 }
249 {
254 }
263 }
267 /* Protect the key encoded in canonical format in PLAINKEY. We assume
268 a valid S-Exp here. */
269 int
272 {
288 depth++;
289 s++;
297 depth++;
299 s++;
306 ;
312 {
317 depth++;
318 s++;
331 depth--;
334 s++;
335 }
338 depth--;
340 s++;
341 /* skip to the end of the S-exp */
358 /* Now create the protected version of the key. Note that the 10
359 extra bytes are for for the inserted "protected-" string (the
360 beginning of the plaintext reads: "((11:private-key(" ). */
363 + protectedlen
367 {
371 }
383 }
385 \f
386 /* Do the actual decryption and check the return list for consistency. */
387 static int
393 {
396 gcry_cipher_hd_t hd;
405 GCRY_CIPHER_SECURE);
415 {
422 else
423 {
429 }
430 }
436 {
439 }
440 /* Do a quick check first. */
442 {
445 }
446 /* Check that we have a consistent S-Exp. */
449 {
452 }
455 }
458 /* Merge the parameter list contained in CLEARTEXT with the original
459 protect lists PROTECTEDKEY by replacing the list at REPLACEPOS.
460 Return the new list in RESULT and the MIC value in the 20 byte
461 buffer SHA1HASH. */
462 static int
468 {
481 /* Estimate the required size of the resulting list. We have a large
482 safety margin of >20 bytes (MIC hash from CLEARTEXT and the
483 removed "protected-" */
495 /* Copy the initial segment */
501 /* copy the cleartext */
508 {
509 s++;
520 s++;
521 }
525 s++;
526 /* short intermezzo: Get the MIC */
529 s++;
543 /* end intermezzo */
545 /* append the parameter list */
549 /* skip overt the protected list element in the original list */
552 s++;
565 /* append the rest */
569 /* ready */
574 failure:
579 invalid_sexp:
583 }
587 /* Unprotect the key encoded in canonical format. We assume a valid
588 S-Exp here. */
589 int
592 {
609 s++;
617 s++;
624 ;
628 /* Now find the list with the protected information. Here is an
629 example for such a list:
630 (protected openpgp-s2k3-sha1-aes-cbc
631 ((sha1 <salt> <count>) <Initialization_Vector>)
632 <encrypted_data>)
633 */
635 {
639 s++;
650 }
651 /* found */
673 /* We expect a list close as next, so we can simply use strtoul()
674 here. We might want to check that we only have digits - but this
675 is nothing we should worry about */
691 s++;
705 /* Albeit cleartext has been allocated in secure memory and thus
706 xfree will wipe it out, we do an extra wipe just in case
707 somethings goes badly wrong. */
717 {
721 }
726 }
728 /* Check the type of the private key, this is one of the constants:
729 PRIVATE_KEY_UNKNOWN if we can't figure out the type (this is the
730 value 0), PRIVATE_KEY_CLEAR for an unprotected private key.
731 PRIVATE_KEY_PROTECTED for an protected private key or
732 PRIVATE_KEY_SHADOWED for a sub key where the secret parts are stored
733 elsewhere. */
734 int
736 {
743 s++;
754 }
757 \f
758 /* Transform a passphrase into a suitable key of length KEYLEN and
759 store this key in the caller provided buffer KEY. The caller must
760 provide an HASHALGO, a valid S2KMODE (see rfc-2440) and depending on
761 that mode an S2KSALT of 8 random bytes and an S2KCOUNT (a suitable
762 value is 96).
764 Returns an error code on failure. */
765 static int
771 {
773 gcry_md_hd_t md;
789 {
791 {
795 }
798 {
803 {
807 }
810 {
814 }
817 else
818 {
822 }
823 }
824 else
833 }
836 }
839 \f
841 /* Create an canonical encoded S-expression with the shadow info from
842 a card's SERIALNO and the IDSTRING. */
845 {
852 n++;
869 }
873 /* Create a shadow key from a public key. We use the shadow protocol
874 "ti-v1" and insert the S-expressionn SHADOW_INFO. The resulting
875 S-expression is returned in an allocated buffer RESULT will point
876 to. The input parameters are expected to be valid canonicalized
877 S-expressions */
878 int
882 {
896 depth++;
897 s++;
905 depth++;
906 s++;
913 {
916 depth++;
917 s++;
928 depth--;
929 s++;
930 }
932 depth--;
933 s++;
936 /* Calculate required length by taking in account: the "shadowed-"
937 prefix, the "shadowed", "t1-v1" as well as some parenthesis */
944 /* (10:public-key ...)*/
955 }
957 /* Parse a canonical encoded shadowed key and return a pointer to the
958 inner list with the shadow_info */
959 int
962 {
970 depth++;
971 s++;
979 depth++;
980 s++;
987 {
992 depth++;
993 s++;
1006 depth--;
1007 s++;
1008 }
1009 /* Found the shadowed list, S points to the protocol */
1014 {
1018 }
1019 else
1022 }