Line data Source code
1 : /* protect.c - Un/Protect a secret key
2 : * Copyright (C) 1998-2003, 2007, 2009, 2011 Free Software Foundation, Inc.
3 : * Copyright (C) 1998-2003, 2007, 2009, 2011, 2013-2015 Werner Koch
4 : *
5 : * This file is part of GnuPG.
6 : *
7 : * GnuPG is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 3 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * GnuPG is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include <config.h>
22 : #include <errno.h>
23 : #include <stdio.h>
24 : #include <stdlib.h>
25 : #include <string.h>
26 : #include <ctype.h>
27 : #include <assert.h>
28 : #include <unistd.h>
29 : #include <sys/stat.h>
30 : #ifdef HAVE_W32_SYSTEM
31 : # ifdef HAVE_WINSOCK2_H
32 : # include <winsock2.h>
33 : # endif
34 : # include <windows.h>
35 : #else
36 : # include <sys/times.h>
37 : #endif
38 :
39 : #include "agent.h"
40 :
41 : #include "cvt-openpgp.h"
42 : #include "sexp-parse.h"
43 :
44 :
45 : /* To use the openpgp-s2k3-ocb-aes scheme by default set the value of
46 : * this macro to 1. Note that the caller of agent_protect may
47 : * override this default. */
48 : #define PROT_DEFAULT_TO_OCB 0
49 :
50 : /* The protection mode for encryption. The supported modes for
51 : decryption are listed in agent_unprotect(). */
52 : #define PROT_CIPHER GCRY_CIPHER_AES128
53 : #define PROT_CIPHER_STRING "aes"
54 : #define PROT_CIPHER_KEYLEN (128/8)
55 :
56 : /* Decode an rfc4880 encoded S2K count. */
57 : #define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))
58 :
59 :
60 : /* A table containing the information needed to create a protected
61 : private key. */
62 : static struct {
63 : const char *algo;
64 : const char *parmlist;
65 : int prot_from, prot_to;
66 : int ecc_hack;
67 : } protect_info[] = {
68 : { "rsa", "nedpqu", 2, 5 },
69 : { "dsa", "pqgyx", 4, 4 },
70 : { "elg", "pgyx", 3, 3 },
71 : { "ecdsa","pabgnqd", 6, 6, 1 },
72 : { "ecdh", "pabgnqd", 6, 6, 1 },
73 : { "ecc", "pabgnqd", 6, 6, 1 },
74 : { NULL }
75 : };
76 :
77 :
78 : /* A helper object for time measurement. */
79 : struct calibrate_time_s
80 : {
81 : #ifdef HAVE_W32_SYSTEM
82 : FILETIME creation_time, exit_time, kernel_time, user_time;
83 : #else
84 : clock_t ticks;
85 : #endif
86 : };
87 :
88 :
89 : static int
90 : hash_passphrase (const char *passphrase, int hashalgo,
91 : int s2kmode,
92 : const unsigned char *s2ksalt, unsigned long s2kcount,
93 : unsigned char *key, size_t keylen);
94 :
95 :
96 :
97 :
98 : /* Get the process time and store it in DATA. */
99 : static void
100 100 : calibrate_get_time (struct calibrate_time_s *data)
101 : {
102 : #ifdef HAVE_W32_SYSTEM
103 : # ifdef HAVE_W32CE_SYSTEM
104 : GetThreadTimes (GetCurrentThread (),
105 : &data->creation_time, &data->exit_time,
106 : &data->kernel_time, &data->user_time);
107 : # else
108 : GetProcessTimes (GetCurrentProcess (),
109 : &data->creation_time, &data->exit_time,
110 : &data->kernel_time, &data->user_time);
111 : # endif
112 : #else
113 : struct tms tmp;
114 :
115 100 : times (&tmp);
116 100 : data->ticks = tmp.tms_utime;
117 : #endif
118 100 : }
119 :
120 :
121 : static unsigned long
122 50 : calibrate_elapsed_time (struct calibrate_time_s *starttime)
123 : {
124 : struct calibrate_time_s stoptime;
125 :
126 50 : calibrate_get_time (&stoptime);
127 : #ifdef HAVE_W32_SYSTEM
128 : {
129 : unsigned long long t1, t2;
130 :
131 : t1 = (((unsigned long long)starttime->kernel_time.dwHighDateTime << 32)
132 : + starttime->kernel_time.dwLowDateTime);
133 : t1 += (((unsigned long long)starttime->user_time.dwHighDateTime << 32)
134 : + starttime->user_time.dwLowDateTime);
135 : t2 = (((unsigned long long)stoptime.kernel_time.dwHighDateTime << 32)
136 : + stoptime.kernel_time.dwLowDateTime);
137 : t2 += (((unsigned long long)stoptime.user_time.dwHighDateTime << 32)
138 : + stoptime.user_time.dwLowDateTime);
139 : return (unsigned long)((t2 - t1)/10000);
140 : }
141 : #else
142 100 : return (unsigned long)((((double) (stoptime.ticks - starttime->ticks))
143 50 : /CLOCKS_PER_SEC)*10000000);
144 : #endif
145 : }
146 :
147 :
148 : /* Run a test hashing for COUNT and return the time required in
149 : milliseconds. */
150 : static unsigned long
151 50 : calibrate_s2k_count_one (unsigned long count)
152 : {
153 : int rc;
154 : char keybuf[PROT_CIPHER_KEYLEN];
155 : struct calibrate_time_s starttime;
156 :
157 50 : calibrate_get_time (&starttime);
158 50 : rc = hash_passphrase ("123456789abcdef0", GCRY_MD_SHA1,
159 : 3, "saltsalt", count, keybuf, sizeof keybuf);
160 50 : if (rc)
161 0 : BUG ();
162 50 : return calibrate_elapsed_time (&starttime);
163 : }
164 :
165 :
166 : /* Measure the time we need to do the hash operations and deduce an
167 : S2K count which requires about 100ms of time. */
168 : static unsigned long
169 5 : calibrate_s2k_count (void)
170 : {
171 : unsigned long count;
172 : unsigned long ms;
173 :
174 50 : for (count = 65536; count; count *= 2)
175 : {
176 50 : ms = calibrate_s2k_count_one (count);
177 50 : if (opt.verbose > 1)
178 0 : log_info ("S2K calibration: %lu -> %lums\n", count, ms);
179 50 : if (ms > 100)
180 5 : break;
181 : }
182 :
183 5 : count = (unsigned long)(((double)count / ms) * 100);
184 5 : count /= 1024;
185 5 : count *= 1024;
186 5 : if (count < 65536)
187 0 : count = 65536;
188 :
189 5 : if (opt.verbose)
190 : {
191 0 : ms = calibrate_s2k_count_one (count);
192 0 : log_info ("S2K calibration: %lu -> %lums\n", count, ms);
193 : }
194 :
195 5 : return count;
196 : }
197 :
198 :
199 :
200 : /* Return the standard S2K count. */
201 : unsigned long
202 29 : get_standard_s2k_count (void)
203 : {
204 : static unsigned long count;
205 :
206 29 : if (!count)
207 5 : count = calibrate_s2k_count ();
208 :
209 : /* Enforce a lower limit. */
210 29 : return count < 65536 ? 65536 : count;
211 : }
212 :
213 :
214 : /* Same as get_standard_s2k_count but return the count in the encoding
215 : as described by rfc4880. */
216 : unsigned char
217 2 : get_standard_s2k_count_rfc4880 (void)
218 : {
219 : unsigned long iterations;
220 : unsigned int count;
221 : unsigned char result;
222 2 : unsigned char c=0;
223 :
224 2 : iterations = get_standard_s2k_count ();
225 2 : if (iterations >= 65011712)
226 0 : return 255;
227 :
228 : /* Need count to be in the range 16-31 */
229 30 : for (count=iterations>>6; count>=32; count>>=1)
230 28 : c++;
231 :
232 2 : result = (c<<4)|(count-16);
233 :
234 2 : if (S2K_DECODE_COUNT(result) < iterations)
235 2 : result++;
236 :
237 2 : return result;
238 :
239 : }
240 :
241 :
242 :
243 : /* Calculate the MIC for a private key or shared secret S-expression.
244 : SHA1HASH should point to a 20 byte buffer. This function is
245 : suitable for all algorithms. */
246 : static int
247 131 : calculate_mic (const unsigned char *plainkey, unsigned char *sha1hash)
248 : {
249 : const unsigned char *hash_begin, *hash_end;
250 : const unsigned char *s;
251 : size_t n;
252 : int is_shared_secret;
253 :
254 131 : s = plainkey;
255 131 : if (*s != '(')
256 0 : return gpg_error (GPG_ERR_INV_SEXP);
257 131 : s++;
258 131 : n = snext (&s);
259 131 : if (!n)
260 0 : return gpg_error (GPG_ERR_INV_SEXP);
261 131 : if (smatch (&s, n, "private-key"))
262 131 : is_shared_secret = 0;
263 0 : else if (smatch (&s, n, "shared-secret"))
264 0 : is_shared_secret = 1;
265 : else
266 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
267 131 : if (*s != '(')
268 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
269 131 : hash_begin = s;
270 131 : if (!is_shared_secret)
271 : {
272 131 : s++;
273 131 : n = snext (&s);
274 131 : if (!n)
275 0 : return gpg_error (GPG_ERR_INV_SEXP);
276 131 : s += n; /* Skip the algorithm name. */
277 : }
278 :
279 964 : while (*s == '(')
280 : {
281 702 : s++;
282 702 : n = snext (&s);
283 702 : if (!n)
284 0 : return gpg_error (GPG_ERR_INV_SEXP);
285 702 : s += n;
286 702 : n = snext (&s);
287 702 : if (!n)
288 0 : return gpg_error (GPG_ERR_INV_SEXP);
289 702 : s += n;
290 702 : if ( *s != ')' )
291 0 : return gpg_error (GPG_ERR_INV_SEXP);
292 702 : s++;
293 : }
294 131 : if (*s != ')')
295 0 : return gpg_error (GPG_ERR_INV_SEXP);
296 131 : s++;
297 131 : hash_end = s;
298 :
299 131 : gcry_md_hash_buffer (GCRY_MD_SHA1, sha1hash,
300 131 : hash_begin, hash_end - hash_begin);
301 :
302 131 : return 0;
303 : }
304 :
305 :
306 :
307 : /* Encrypt the parameter block starting at PROTBEGIN with length
308 : PROTLEN using the utf8 encoded key PASSPHRASE and return the entire
309 : encrypted block in RESULT or return with an error code. SHA1HASH
310 : is the 20 byte SHA-1 hash required for the integrity code.
311 :
312 : The parameter block is expected to be an incomplete canonical
313 : encoded S-Expression of the form (example in advanced format):
314 :
315 : (d #046129F..[some bytes not shown]..81#)
316 : (p #00e861b..[some bytes not shown]..f1#)
317 : (q #00f7a7c..[some bytes not shown]..61#)
318 : (u #304559a..[some bytes not shown]..9b#)
319 :
320 : the returned block is the S-Expression:
321 :
322 : (protected mode (parms) encrypted_octet_string)
323 :
324 : */
325 : static int
326 12 : do_encryption (const unsigned char *hashbegin, size_t hashlen,
327 : const unsigned char *protbegin, size_t protlen,
328 : const char *passphrase,
329 : const char *timestamp_exp, size_t timestamp_exp_len,
330 : unsigned char **result, size_t *resultlen,
331 : unsigned long s2k_count, int use_ocb)
332 : {
333 : gcry_cipher_hd_t hd;
334 : const char *modestr;
335 : unsigned char hashvalue[20];
336 : int blklen, enclen, outlen;
337 12 : unsigned char *iv = NULL;
338 : unsigned int ivsize; /* Size of the buffer allocated for IV. */
339 : const unsigned char *s2ksalt; /* Points into IV. */
340 : int rc;
341 12 : char *outbuf = NULL;
342 : char *p;
343 : int saltpos, ivpos, encpos;
344 :
345 12 : s2ksalt = iv; /* Silence compiler warning. */
346 :
347 12 : *resultlen = 0;
348 12 : *result = NULL;
349 :
350 12 : modestr = (use_ocb? "openpgp-s2k3-ocb-aes"
351 12 : /* */: "openpgp-s2k3-sha1-" PROT_CIPHER_STRING "-cbc");
352 :
353 12 : rc = gcry_cipher_open (&hd, PROT_CIPHER,
354 : use_ocb? GCRY_CIPHER_MODE_OCB :
355 : GCRY_CIPHER_MODE_CBC,
356 : GCRY_CIPHER_SECURE);
357 12 : if (rc)
358 0 : return rc;
359 :
360 : /* We need to work on a copy of the data because this makes it
361 : * easier to add the trailer and the padding and more important we
362 : * have to prefix the text with 2 parenthesis. In CBC mode we
363 : * have to allocate enough space for:
364 : *
365 : * ((<parameter_list>)(4:hash4:sha120:<hashvalue>)) + padding
366 : *
367 : * we always append a full block of random bytes as padding but
368 : * encrypt only what is needed for a full blocksize. In OCB mode we
369 : * have to allocate enough space for just:
370 : *
371 : * ((<parameter_list>))
372 : */
373 12 : blklen = gcry_cipher_get_algo_blklen (PROT_CIPHER);
374 12 : if (use_ocb)
375 : {
376 : /* (( )) */
377 0 : outlen = 2 + protlen + 2 ;
378 0 : enclen = outlen + 16 /* taglen */;
379 0 : outbuf = gcry_malloc_secure (enclen);
380 : }
381 : else
382 : {
383 : /* (( )( 4:hash 4:sha1 20:<hash> )) <padding> */
384 12 : outlen = 2 + protlen + 2 + 6 + 6 + 23 + 2 + blklen;
385 12 : enclen = outlen/blklen * blklen;
386 12 : outbuf = gcry_malloc_secure (outlen);
387 : }
388 12 : if (!outbuf)
389 0 : rc = out_of_core ();
390 :
391 : /* Allocate a buffer for the nonce and the salt. */
392 12 : if (!rc)
393 : {
394 : /* Allocate random bytes to be used as IV, padding and s2k salt
395 : * or in OCB mode for a nonce and the s2k salt. The IV/nonce is
396 : * set later because for OCB we need to set the key first. */
397 12 : ivsize = (use_ocb? 12 : (blklen*2)) + 8;
398 12 : iv = xtrymalloc (ivsize);
399 12 : if (!iv)
400 0 : rc = gpg_error_from_syserror ();
401 : else
402 : {
403 12 : gcry_create_nonce (iv, ivsize);
404 12 : s2ksalt = iv + ivsize - 8;
405 : }
406 : }
407 :
408 : /* Hash the passphrase and set the key. */
409 12 : if (!rc)
410 : {
411 : unsigned char *key;
412 12 : size_t keylen = PROT_CIPHER_KEYLEN;
413 :
414 12 : key = gcry_malloc_secure (keylen);
415 12 : if (!key)
416 0 : rc = out_of_core ();
417 : else
418 : {
419 12 : rc = hash_passphrase (passphrase, GCRY_MD_SHA1,
420 : 3, s2ksalt,
421 : s2k_count? s2k_count:get_standard_s2k_count(),
422 : key, keylen);
423 12 : if (!rc)
424 12 : rc = gcry_cipher_setkey (hd, key, keylen);
425 12 : xfree (key);
426 : }
427 : }
428 :
429 : /* Set the IV/nonce. */
430 12 : if (!rc)
431 : {
432 12 : rc = gcry_cipher_setiv (hd, iv, use_ocb? 12 : blklen);
433 : }
434 :
435 12 : if (use_ocb)
436 : {
437 : /* In OCB Mode we use only the public key parameters as AAD. */
438 0 : rc = gcry_cipher_authenticate (hd, hashbegin, protbegin - hashbegin);
439 0 : if (!rc)
440 0 : rc = gcry_cipher_authenticate (hd, timestamp_exp, timestamp_exp_len);
441 0 : if (!rc)
442 0 : rc = gcry_cipher_authenticate
443 0 : (hd, protbegin+protlen, hashlen - (protbegin+protlen - hashbegin));
444 :
445 : }
446 : else
447 : {
448 : /* Hash the entire expression for CBC mode. Because
449 : * TIMESTAMP_EXP won't get protected, we can't simply hash a
450 : * continuous buffer but need to call md_write several times. */
451 : gcry_md_hd_t md;
452 :
453 12 : rc = gcry_md_open (&md, GCRY_MD_SHA1, 0 );
454 12 : if (!rc)
455 : {
456 12 : gcry_md_write (md, hashbegin, protbegin - hashbegin);
457 12 : gcry_md_write (md, protbegin, protlen);
458 12 : gcry_md_write (md, timestamp_exp, timestamp_exp_len);
459 12 : gcry_md_write (md, protbegin+protlen,
460 12 : hashlen - (protbegin+protlen - hashbegin));
461 12 : memcpy (hashvalue, gcry_md_read (md, GCRY_MD_SHA1), 20);
462 12 : gcry_md_close (md);
463 : }
464 : }
465 :
466 :
467 : /* Encrypt. */
468 12 : if (!rc)
469 : {
470 12 : p = outbuf;
471 12 : *p++ = '(';
472 12 : *p++ = '(';
473 12 : memcpy (p, protbegin, protlen);
474 12 : p += protlen;
475 12 : if (use_ocb)
476 : {
477 0 : *p++ = ')';
478 0 : *p++ = ')';
479 : }
480 : else
481 : {
482 12 : memcpy (p, ")(4:hash4:sha120:", 17);
483 12 : p += 17;
484 12 : memcpy (p, hashvalue, 20);
485 12 : p += 20;
486 12 : *p++ = ')';
487 12 : *p++ = ')';
488 12 : memcpy (p, iv+blklen, blklen); /* Add padding. */
489 12 : p += blklen;
490 : }
491 12 : assert ( p - outbuf == outlen);
492 12 : if (use_ocb)
493 : {
494 0 : gcry_cipher_final (hd);
495 0 : rc = gcry_cipher_encrypt (hd, outbuf, outlen, NULL, 0);
496 0 : if (!rc)
497 : {
498 0 : log_assert (outlen + 16 == enclen);
499 0 : rc = gcry_cipher_gettag (hd, outbuf + outlen, 16);
500 : }
501 : }
502 : else
503 : {
504 12 : rc = gcry_cipher_encrypt (hd, outbuf, enclen, NULL, 0);
505 : }
506 : }
507 :
508 : /* Release cipher handle and check for errors. */
509 12 : gcry_cipher_close (hd);
510 12 : if (rc)
511 : {
512 0 : xfree (iv);
513 0 : xfree (outbuf);
514 0 : return rc;
515 : }
516 :
517 : /* Now allocate the buffer we want to return. This is
518 :
519 : (protected openpgp-s2k3-sha1-aes-cbc
520 : ((sha1 salt no_of_iterations) 16byte_iv)
521 : encrypted_octet_string)
522 :
523 : in canoncical format of course. We use asprintf and %n modifier
524 : and dummy values as placeholders. */
525 : {
526 : char countbuf[35];
527 :
528 12 : snprintf (countbuf, sizeof countbuf, "%lu",
529 : s2k_count ? s2k_count : get_standard_s2k_count ());
530 36 : p = xtryasprintf
531 : ("(9:protected%d:%s((4:sha18:%n_8bytes_%u:%s)%d:%n%*s)%d:%n%*s)",
532 12 : (int)strlen (modestr), modestr,
533 : &saltpos,
534 12 : (unsigned int)strlen (countbuf), countbuf,
535 : use_ocb? 12 : blklen, &ivpos, use_ocb? 12 : blklen, "",
536 : enclen, &encpos, enclen, "");
537 12 : if (!p)
538 : {
539 0 : gpg_error_t tmperr = out_of_core ();
540 0 : xfree (iv);
541 0 : xfree (outbuf);
542 0 : return tmperr;
543 : }
544 :
545 : }
546 12 : *resultlen = strlen (p);
547 12 : *result = (unsigned char*)p;
548 12 : memcpy (p+saltpos, s2ksalt, 8);
549 12 : memcpy (p+ivpos, iv, use_ocb? 12 : blklen);
550 12 : memcpy (p+encpos, outbuf, enclen);
551 12 : xfree (iv);
552 12 : xfree (outbuf);
553 12 : return 0;
554 : }
555 :
556 :
557 :
558 : /* Protect the key encoded in canonical format in PLAINKEY. We assume
559 : a valid S-Exp here. With USE_UCB set to -1 the default scheme is
560 : used (ie. either CBC or OCB), set to 0 the old CBC mode is used,
561 : and set to 1 OCB is used. */
562 : int
563 15 : agent_protect (const unsigned char *plainkey, const char *passphrase,
564 : unsigned char **result, size_t *resultlen,
565 : unsigned long s2k_count, int use_ocb)
566 : {
567 : int rc;
568 : const char *parmlist;
569 : int prot_from_idx, prot_to_idx;
570 : const unsigned char *s;
571 : const unsigned char *hash_begin, *hash_end;
572 : const unsigned char *prot_begin, *prot_end, *real_end;
573 : size_t n;
574 : int c, infidx, i;
575 : char timestamp_exp[35];
576 : unsigned char *protected;
577 : size_t protectedlen;
578 15 : int depth = 0;
579 : unsigned char *p;
580 15 : int have_curve = 0;
581 :
582 15 : if (use_ocb == -1)
583 15 : use_ocb = PROT_DEFAULT_TO_OCB;
584 :
585 : /* Create an S-expression with the protected-at timestamp. */
586 15 : memcpy (timestamp_exp, "(12:protected-at15:", 19);
587 15 : gnupg_get_isotime (timestamp_exp+19);
588 15 : timestamp_exp[19+15] = ')';
589 :
590 : /* Parse original key. */
591 15 : s = plainkey;
592 15 : if (*s != '(')
593 1 : return gpg_error (GPG_ERR_INV_SEXP);
594 14 : depth++;
595 14 : s++;
596 14 : n = snext (&s);
597 14 : if (!n)
598 0 : return gpg_error (GPG_ERR_INV_SEXP);
599 14 : if (!smatch (&s, n, "private-key"))
600 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
601 14 : if (*s != '(')
602 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
603 14 : depth++;
604 14 : hash_begin = s;
605 14 : s++;
606 14 : n = snext (&s);
607 14 : if (!n)
608 0 : return gpg_error (GPG_ERR_INV_SEXP);
609 :
610 72 : for (infidx=0; protect_info[infidx].algo
611 102 : && !smatch (&s, n, protect_info[infidx].algo); infidx++)
612 : ;
613 14 : if (!protect_info[infidx].algo)
614 0 : return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
615 :
616 : /* The parser below is a complete mess: To make it robust for ECC
617 : use we should reorder the s-expression to include only what we
618 : really need and thus guarantee the right order for saving stuff.
619 : This should be done before calling this function and maybe with
620 : the help of the new gcry_sexp_extract_param. */
621 14 : parmlist = protect_info[infidx].parmlist;
622 14 : prot_from_idx = protect_info[infidx].prot_from;
623 14 : prot_to_idx = protect_info[infidx].prot_to;
624 14 : prot_begin = prot_end = NULL;
625 66 : for (i=0; (c=parmlist[i]); i++)
626 : {
627 53 : if (i == prot_from_idx)
628 13 : prot_begin = s;
629 53 : if (*s != '(')
630 0 : return gpg_error (GPG_ERR_INV_SEXP);
631 53 : depth++;
632 53 : s++;
633 53 : n = snext (&s);
634 53 : if (!n)
635 0 : return gpg_error (GPG_ERR_INV_SEXP);
636 53 : if (n != 1 || c != *s)
637 : {
638 11 : if (n == 5 && !memcmp (s, "curve", 5)
639 9 : && !i && protect_info[infidx].ecc_hack)
640 : {
641 : /* This is a private ECC key but the first parameter is
642 : the name of the curve. We change the parameter list
643 : here to the one we expect in this case. */
644 9 : have_curve = 1;
645 9 : parmlist = "?qd";
646 9 : prot_from_idx = 2;
647 9 : prot_to_idx = 2;
648 : }
649 2 : else if (n == 5 && !memcmp (s, "flags", 5)
650 1 : && i == 1 && have_curve)
651 : {
652 : /* "curve" followed by "flags": Change again. */
653 1 : parmlist = "??qd";
654 1 : prot_from_idx = 3;
655 1 : prot_to_idx = 3;
656 : }
657 : else
658 1 : return gpg_error (GPG_ERR_INV_SEXP);
659 : }
660 52 : s += n;
661 52 : n = snext (&s);
662 52 : if (!n)
663 0 : return gpg_error (GPG_ERR_INV_SEXP);
664 52 : s +=n; /* skip value */
665 52 : if (*s != ')')
666 0 : return gpg_error (GPG_ERR_INV_SEXP);
667 52 : depth--;
668 52 : if (i == prot_to_idx)
669 13 : prot_end = s;
670 52 : s++;
671 : }
672 13 : if (*s != ')' || !prot_begin || !prot_end )
673 0 : return gpg_error (GPG_ERR_INV_SEXP);
674 13 : depth--;
675 13 : hash_end = s;
676 13 : s++;
677 : /* Skip to the end of the S-expression. */
678 13 : assert (depth == 1);
679 13 : rc = sskip (&s, &depth);
680 13 : if (rc)
681 1 : return rc;
682 12 : assert (!depth);
683 12 : real_end = s-1;
684 :
685 12 : rc = do_encryption (hash_begin, hash_end - hash_begin + 1,
686 12 : prot_begin, prot_end - prot_begin + 1,
687 : passphrase, timestamp_exp, sizeof (timestamp_exp),
688 : &protected, &protectedlen, s2k_count, use_ocb);
689 12 : if (rc)
690 0 : return rc;
691 :
692 : /* Now create the protected version of the key. Note that the 10
693 : extra bytes are for for the inserted "protected-" string (the
694 : beginning of the plaintext reads: "((11:private-key(" ). The 35
695 : term is the space for (12:protected-at15:<timestamp>). */
696 12 : *resultlen = (10
697 12 : + (prot_begin-plainkey)
698 12 : + protectedlen
699 : + 35
700 12 : + (real_end-prot_end));
701 12 : *result = p = xtrymalloc (*resultlen);
702 12 : if (!p)
703 : {
704 0 : gpg_error_t tmperr = out_of_core ();
705 0 : xfree (protected);
706 0 : return tmperr;
707 : }
708 12 : memcpy (p, "(21:protected-", 14);
709 12 : p += 14;
710 12 : memcpy (p, plainkey+4, prot_begin - plainkey - 4);
711 12 : p += prot_begin - plainkey - 4;
712 12 : memcpy (p, protected, protectedlen);
713 12 : p += protectedlen;
714 :
715 12 : memcpy (p, timestamp_exp, 35);
716 12 : p += 35;
717 :
718 12 : memcpy (p, prot_end+1, real_end - prot_end);
719 12 : p += real_end - prot_end;
720 12 : assert ( p - *result == *resultlen);
721 12 : xfree (protected);
722 :
723 12 : return 0;
724 : }
725 :
726 :
727 :
728 : /* Do the actual decryption and check the return list for consistency. */
729 : static int
730 131 : do_decryption (const unsigned char *aad_begin, size_t aad_len,
731 : const unsigned char *aadhole_begin, size_t aadhole_len,
732 : const unsigned char *protected, size_t protectedlen,
733 : const char *passphrase,
734 : const unsigned char *s2ksalt, unsigned long s2kcount,
735 : const unsigned char *iv, size_t ivlen,
736 : int prot_cipher, int prot_cipher_keylen, int is_ocb,
737 : unsigned char **result)
738 : {
739 131 : int rc = 0;
740 : int blklen;
741 : gcry_cipher_hd_t hd;
742 : unsigned char *outbuf;
743 : size_t reallen;
744 :
745 131 : blklen = gcry_cipher_get_algo_blklen (prot_cipher);
746 131 : if (is_ocb)
747 : {
748 : /* OCB does not require a multiple of the block length but we
749 : * check that it is long enough for the 128 bit tag and that we
750 : * have the 96 bit nonce. */
751 0 : if (protectedlen < (4 + 16) || ivlen != 12)
752 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
753 : }
754 : else
755 : {
756 131 : if (protectedlen < 4 || (protectedlen%blklen))
757 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
758 : }
759 :
760 131 : rc = gcry_cipher_open (&hd, prot_cipher,
761 : is_ocb? GCRY_CIPHER_MODE_OCB :
762 : GCRY_CIPHER_MODE_CBC,
763 : GCRY_CIPHER_SECURE);
764 131 : if (rc)
765 0 : return rc;
766 :
767 131 : outbuf = gcry_malloc_secure (protectedlen);
768 131 : if (!outbuf)
769 0 : rc = out_of_core ();
770 :
771 : /* Hash the passphrase and set the key. */
772 131 : if (!rc)
773 : {
774 : unsigned char *key;
775 :
776 131 : key = gcry_malloc_secure (prot_cipher_keylen);
777 131 : if (!key)
778 0 : rc = out_of_core ();
779 : else
780 : {
781 131 : rc = hash_passphrase (passphrase, GCRY_MD_SHA1,
782 : 3, s2ksalt, s2kcount, key, prot_cipher_keylen);
783 131 : if (!rc)
784 131 : rc = gcry_cipher_setkey (hd, key, prot_cipher_keylen);
785 131 : xfree (key);
786 : }
787 : }
788 :
789 : /* Set the IV/nonce. */
790 131 : if (!rc)
791 : {
792 131 : rc = gcry_cipher_setiv (hd, iv, ivlen);
793 : }
794 :
795 : /* Decrypt. */
796 131 : if (!rc)
797 : {
798 131 : if (is_ocb)
799 : {
800 0 : rc = gcry_cipher_authenticate (hd, aad_begin,
801 0 : aadhole_begin - aad_begin);
802 0 : if (!rc)
803 0 : rc = gcry_cipher_authenticate
804 : (hd, aadhole_begin + aadhole_len,
805 0 : aad_len - (aadhole_begin+aadhole_len - aad_begin));
806 :
807 0 : if (!rc)
808 : {
809 0 : gcry_cipher_final (hd);
810 0 : rc = gcry_cipher_decrypt (hd, outbuf, protectedlen - 16,
811 : protected, protectedlen - 16);
812 : }
813 0 : if (!rc)
814 0 : rc = gcry_cipher_checktag (hd, protected + protectedlen - 16, 16);
815 : }
816 : else
817 : {
818 131 : rc = gcry_cipher_decrypt (hd, outbuf, protectedlen,
819 : protected, protectedlen);
820 : }
821 : }
822 :
823 : /* Release cipher handle and check for errors. */
824 131 : gcry_cipher_close (hd);
825 131 : if (rc)
826 : {
827 0 : xfree (outbuf);
828 0 : return rc;
829 : }
830 :
831 : /* Do a quick check on the data structure. */
832 131 : if (*outbuf != '(' && outbuf[1] != '(')
833 : {
834 : /* Note that in OCB mode this is actually invalid _encrypted_
835 : * data and not a bad passphrase. */
836 0 : xfree (outbuf);
837 0 : return gpg_error (GPG_ERR_BAD_PASSPHRASE);
838 : }
839 :
840 : /* Check that we have a consistent S-Exp. */
841 131 : reallen = gcry_sexp_canon_len (outbuf, protectedlen, NULL, NULL);
842 131 : if (!reallen || (reallen + blklen < protectedlen) )
843 : {
844 0 : xfree (outbuf);
845 0 : return gpg_error (GPG_ERR_BAD_PASSPHRASE);
846 : }
847 131 : *result = outbuf;
848 131 : return 0;
849 : }
850 :
851 :
852 : /* Merge the parameter list contained in CLEARTEXT with the original
853 : * protect lists PROTECTEDKEY by replacing the list at REPLACEPOS.
854 : * Return the new list in RESULT and the MIC value in the 20 byte
855 : * buffer SHA1HASH; if SHA1HASH is NULL no MIC will be computed.
856 : * CUTOFF and CUTLEN will receive the offset and the length of the
857 : * resulting list which should go into the MIC calculation but then be
858 : * removed. */
859 : static int
860 131 : merge_lists (const unsigned char *protectedkey,
861 : size_t replacepos,
862 : const unsigned char *cleartext,
863 : unsigned char *sha1hash,
864 : unsigned char **result, size_t *resultlen,
865 : size_t *cutoff, size_t *cutlen)
866 : {
867 : size_t n, newlistlen;
868 : unsigned char *newlist, *p;
869 : const unsigned char *s;
870 : const unsigned char *startpos, *endpos;
871 : int i, rc;
872 :
873 131 : *result = NULL;
874 131 : *resultlen = 0;
875 131 : *cutoff = 0;
876 131 : *cutlen = 0;
877 :
878 131 : if (replacepos < 26)
879 0 : return gpg_error (GPG_ERR_BUG);
880 :
881 : /* Estimate the required size of the resulting list. We have a large
882 : safety margin of >20 bytes (FIXME: MIC hash from CLEARTEXT and the
883 : removed "protected-" */
884 131 : newlistlen = gcry_sexp_canon_len (protectedkey, 0, NULL, NULL);
885 131 : if (!newlistlen)
886 0 : return gpg_error (GPG_ERR_BUG);
887 131 : n = gcry_sexp_canon_len (cleartext, 0, NULL, NULL);
888 131 : if (!n)
889 0 : return gpg_error (GPG_ERR_BUG);
890 131 : newlistlen += n;
891 131 : newlist = gcry_malloc_secure (newlistlen);
892 131 : if (!newlist)
893 0 : return out_of_core ();
894 :
895 : /* Copy the initial segment */
896 131 : strcpy ((char*)newlist, "(11:private-key");
897 131 : p = newlist + 15;
898 131 : memcpy (p, protectedkey+15+10, replacepos-15-10);
899 131 : p += replacepos-15-10;
900 :
901 : /* Copy the cleartext. */
902 131 : s = cleartext;
903 131 : if (*s != '(' && s[1] != '(')
904 0 : return gpg_error (GPG_ERR_BUG); /*we already checked this */
905 131 : s += 2;
906 131 : startpos = s;
907 393 : while ( *s == '(' )
908 : {
909 131 : s++;
910 131 : n = snext (&s);
911 131 : if (!n)
912 0 : goto invalid_sexp;
913 131 : s += n;
914 131 : n = snext (&s);
915 131 : if (!n)
916 0 : goto invalid_sexp;
917 131 : s += n;
918 131 : if ( *s != ')' )
919 0 : goto invalid_sexp;
920 131 : s++;
921 : }
922 131 : if ( *s != ')' )
923 0 : goto invalid_sexp;
924 131 : endpos = s;
925 131 : s++;
926 :
927 : /* Intermezzo: Get the MIC if requested. */
928 131 : if (sha1hash)
929 : {
930 131 : if (*s != '(')
931 0 : goto invalid_sexp;
932 131 : s++;
933 131 : n = snext (&s);
934 131 : if (!smatch (&s, n, "hash"))
935 0 : goto invalid_sexp;
936 131 : n = snext (&s);
937 131 : if (!smatch (&s, n, "sha1"))
938 0 : goto invalid_sexp;
939 131 : n = snext (&s);
940 131 : if (n != 20)
941 0 : goto invalid_sexp;
942 131 : memcpy (sha1hash, s, 20);
943 131 : s += n;
944 131 : if (*s != ')')
945 0 : goto invalid_sexp;
946 : }
947 :
948 : /* Append the parameter list. */
949 131 : memcpy (p, startpos, endpos - startpos);
950 131 : p += endpos - startpos;
951 :
952 : /* Skip over the protected list element in the original list. */
953 131 : s = protectedkey + replacepos;
954 131 : assert (*s == '(');
955 131 : s++;
956 131 : i = 1;
957 131 : rc = sskip (&s, &i);
958 131 : if (rc)
959 0 : goto failure;
960 : /* Record the position of the optional protected-at expression. */
961 131 : if (*s == '(')
962 : {
963 131 : const unsigned char *save_s = s;
964 131 : s++;
965 131 : n = snext (&s);
966 131 : if (smatch (&s, n, "protected-at"))
967 : {
968 131 : i = 1;
969 131 : rc = sskip (&s, &i);
970 131 : if (rc)
971 0 : goto failure;
972 131 : *cutlen = s - save_s;
973 : }
974 131 : s = save_s;
975 : }
976 131 : startpos = s;
977 131 : i = 2; /* we are inside this level */
978 131 : rc = sskip (&s, &i);
979 131 : if (rc)
980 0 : goto failure;
981 131 : assert (s[-1] == ')');
982 131 : endpos = s; /* one behind the end of the list */
983 :
984 : /* Append the rest. */
985 131 : if (*cutlen)
986 131 : *cutoff = p - newlist;
987 131 : memcpy (p, startpos, endpos - startpos);
988 131 : p += endpos - startpos;
989 :
990 :
991 : /* ready */
992 131 : *result = newlist;
993 131 : *resultlen = newlistlen;
994 131 : return 0;
995 :
996 : failure:
997 0 : wipememory (newlist, newlistlen);
998 0 : xfree (newlist);
999 0 : return rc;
1000 :
1001 : invalid_sexp:
1002 0 : wipememory (newlist, newlistlen);
1003 0 : xfree (newlist);
1004 0 : return gpg_error (GPG_ERR_INV_SEXP);
1005 : }
1006 :
1007 :
1008 :
1009 : /* Unprotect the key encoded in canonical format. We assume a valid
1010 : S-Exp here. If a protected-at item is available, its value will
1011 : be stored at protected_at unless this is NULL. */
1012 : int
1013 139 : agent_unprotect (ctrl_t ctrl,
1014 : const unsigned char *protectedkey, const char *passphrase,
1015 : gnupg_isotime_t protected_at,
1016 : unsigned char **result, size_t *resultlen)
1017 : {
1018 : static struct {
1019 : const char *name; /* Name of the protection method. */
1020 : int algo; /* (A zero indicates the "openpgp-native" hack.) */
1021 : int keylen; /* Used key length in bytes. */
1022 : unsigned int is_ocb:1;
1023 : } algotable[] = {
1024 : { "openpgp-s2k3-sha1-aes-cbc", GCRY_CIPHER_AES128, (128/8)},
1025 : { "openpgp-s2k3-sha1-aes256-cbc", GCRY_CIPHER_AES256, (256/8)},
1026 : { "openpgp-s2k3-ocb-aes", GCRY_CIPHER_AES128, (128/8), 1},
1027 : { "openpgp-native", 0, 0 }
1028 : };
1029 : int rc;
1030 : const unsigned char *s;
1031 : const unsigned char *protect_list;
1032 : size_t n;
1033 : int infidx, i;
1034 : unsigned char sha1hash[20], sha1hash2[20];
1035 : const unsigned char *s2ksalt;
1036 : unsigned long s2kcount;
1037 : const unsigned char *iv;
1038 : int prot_cipher, prot_cipher_keylen;
1039 : int is_ocb;
1040 : const unsigned char *aad_begin, *aad_end, *aadhole_begin, *aadhole_end;
1041 : const unsigned char *prot_begin;
1042 : unsigned char *cleartext;
1043 : unsigned char *final;
1044 : size_t finallen;
1045 : size_t cutoff, cutlen;
1046 :
1047 139 : if (protected_at)
1048 1 : *protected_at = 0;
1049 :
1050 139 : s = protectedkey;
1051 139 : if (*s != '(')
1052 0 : return gpg_error (GPG_ERR_INV_SEXP);
1053 139 : s++;
1054 139 : n = snext (&s);
1055 139 : if (!n)
1056 0 : return gpg_error (GPG_ERR_INV_SEXP);
1057 139 : if (!smatch (&s, n, "protected-private-key"))
1058 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1059 139 : if (*s != '(')
1060 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1061 : {
1062 139 : aad_begin = aad_end = s;
1063 139 : aad_end++;
1064 139 : i = 1;
1065 139 : rc = sskip (&aad_end, &i);
1066 139 : if (rc)
1067 0 : return rc;
1068 : }
1069 :
1070 139 : s++;
1071 139 : n = snext (&s);
1072 139 : if (!n)
1073 0 : return gpg_error (GPG_ERR_INV_SEXP);
1074 :
1075 601 : for (infidx=0; protect_info[infidx].algo
1076 785 : && !smatch (&s, n, protect_info[infidx].algo); infidx++)
1077 : ;
1078 139 : if (!protect_info[infidx].algo)
1079 0 : return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
1080 :
1081 : /* See wether we have a protected-at timestamp. */
1082 139 : protect_list = s; /* Save for later. */
1083 139 : if (protected_at)
1084 : {
1085 7 : while (*s == '(')
1086 : {
1087 6 : prot_begin = s;
1088 6 : s++;
1089 6 : n = snext (&s);
1090 6 : if (!n)
1091 0 : return gpg_error (GPG_ERR_INV_SEXP);
1092 6 : if (smatch (&s, n, "protected-at"))
1093 : {
1094 1 : n = snext (&s);
1095 1 : if (!n)
1096 0 : return gpg_error (GPG_ERR_INV_SEXP);
1097 1 : if (n != 15)
1098 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1099 1 : memcpy (protected_at, s, 15);
1100 1 : protected_at[15] = 0;
1101 1 : break;
1102 : }
1103 5 : s += n;
1104 5 : i = 1;
1105 5 : rc = sskip (&s, &i);
1106 5 : if (rc)
1107 0 : return rc;
1108 : }
1109 : }
1110 :
1111 : /* Now find the list with the protected information. Here is an
1112 : example for such a list:
1113 : (protected openpgp-s2k3-sha1-aes-cbc
1114 : ((sha1 <salt> <count>) <Initialization_Vector>)
1115 : <encrypted_data>)
1116 : */
1117 139 : s = protect_list;
1118 : for (;;)
1119 : {
1120 595 : if (*s != '(')
1121 0 : return gpg_error (GPG_ERR_INV_SEXP);
1122 595 : prot_begin = s;
1123 595 : s++;
1124 595 : n = snext (&s);
1125 595 : if (!n)
1126 0 : return gpg_error (GPG_ERR_INV_SEXP);
1127 595 : if (smatch (&s, n, "protected"))
1128 139 : break;
1129 456 : s += n;
1130 456 : i = 1;
1131 456 : rc = sskip (&s, &i);
1132 456 : if (rc)
1133 0 : return rc;
1134 456 : }
1135 : /* found */
1136 : {
1137 139 : aadhole_begin = aadhole_end = prot_begin;
1138 139 : aadhole_end++;
1139 139 : i = 1;
1140 139 : rc = sskip (&aadhole_end, &i);
1141 139 : if (rc)
1142 0 : return rc;
1143 : }
1144 139 : n = snext (&s);
1145 139 : if (!n)
1146 0 : return gpg_error (GPG_ERR_INV_SEXP);
1147 :
1148 : /* Lookup the protection algo. */
1149 139 : prot_cipher = 0; /* (avoid gcc warning) */
1150 139 : prot_cipher_keylen = 0; /* (avoid gcc warning) */
1151 139 : is_ocb = 0;
1152 163 : for (i=0; i < DIM (algotable); i++)
1153 163 : if (smatch (&s, n, algotable[i].name))
1154 : {
1155 139 : prot_cipher = algotable[i].algo;
1156 139 : prot_cipher_keylen = algotable[i].keylen;
1157 139 : is_ocb = algotable[i].is_ocb;
1158 139 : break;
1159 : }
1160 139 : if (i == DIM (algotable))
1161 0 : return gpg_error (GPG_ERR_UNSUPPORTED_PROTECTION);
1162 :
1163 139 : if (!prot_cipher) /* This is "openpgp-native". */
1164 : {
1165 : gcry_sexp_t s_prot_begin;
1166 :
1167 8 : rc = gcry_sexp_sscan (&s_prot_begin, NULL,
1168 : prot_begin,
1169 : gcry_sexp_canon_len (prot_begin, 0,NULL,NULL));
1170 8 : if (rc)
1171 0 : return rc;
1172 :
1173 8 : rc = convert_from_openpgp_native (ctrl, s_prot_begin, passphrase, &final);
1174 8 : gcry_sexp_release (s_prot_begin);
1175 8 : if (!rc)
1176 : {
1177 8 : *result = final;
1178 8 : *resultlen = gcry_sexp_canon_len (final, 0, NULL, NULL);
1179 : }
1180 8 : return rc;
1181 : }
1182 :
1183 131 : if (*s != '(' || s[1] != '(')
1184 0 : return gpg_error (GPG_ERR_INV_SEXP);
1185 131 : s += 2;
1186 131 : n = snext (&s);
1187 131 : if (!n)
1188 0 : return gpg_error (GPG_ERR_INV_SEXP);
1189 131 : if (!smatch (&s, n, "sha1"))
1190 0 : return gpg_error (GPG_ERR_UNSUPPORTED_PROTECTION);
1191 131 : n = snext (&s);
1192 131 : if (n != 8)
1193 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1194 131 : s2ksalt = s;
1195 131 : s += n;
1196 131 : n = snext (&s);
1197 131 : if (!n)
1198 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1199 : /* We expect a list close as next, so we can simply use strtoul()
1200 : here. We might want to check that we only have digits - but this
1201 : is nothing we should worry about */
1202 131 : if (s[n] != ')' )
1203 0 : return gpg_error (GPG_ERR_INV_SEXP);
1204 :
1205 : /* Old versions of gpg-agent used the funny floating point number in
1206 : a byte encoding as specified by OpenPGP. However this is not
1207 : needed and thus we now store it as a plain unsigned integer. We
1208 : can easily distinguish the old format by looking at its value:
1209 : Less than 256 is an old-style encoded number; other values are
1210 : plain integers. In any case we check that they are at least
1211 : 65536 because we never used a lower value in the past and we
1212 : should have a lower limit. */
1213 131 : s2kcount = strtoul ((const char*)s, NULL, 10);
1214 131 : if (!s2kcount)
1215 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1216 131 : if (s2kcount < 256)
1217 0 : s2kcount = (16ul + (s2kcount & 15)) << ((s2kcount >> 4) + 6);
1218 131 : if (s2kcount < 65536)
1219 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1220 :
1221 131 : s += n;
1222 131 : s++; /* skip list end */
1223 :
1224 131 : n = snext (&s);
1225 131 : if (is_ocb)
1226 : {
1227 0 : if (n != 12) /* Wrong size of the nonce. */
1228 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1229 : }
1230 : else
1231 : {
1232 131 : if (n != 16) /* Wrong blocksize for IV (we support only 128 bit). */
1233 0 : return gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1234 : }
1235 131 : iv = s;
1236 131 : s += n;
1237 131 : if (*s != ')' )
1238 0 : return gpg_error (GPG_ERR_INV_SEXP);
1239 131 : s++;
1240 131 : n = snext (&s);
1241 131 : if (!n)
1242 0 : return gpg_error (GPG_ERR_INV_SEXP);
1243 :
1244 131 : cleartext = NULL; /* Avoid cc warning. */
1245 262 : rc = do_decryption (aad_begin, aad_end - aad_begin,
1246 131 : aadhole_begin, aadhole_end - aadhole_begin,
1247 : s, n,
1248 : passphrase, s2ksalt, s2kcount,
1249 : iv, is_ocb? 12:16,
1250 : prot_cipher, prot_cipher_keylen, is_ocb,
1251 : &cleartext);
1252 131 : if (rc)
1253 0 : return rc;
1254 :
1255 131 : rc = merge_lists (protectedkey, prot_begin-protectedkey, cleartext,
1256 : is_ocb? NULL : sha1hash,
1257 : &final, &finallen, &cutoff, &cutlen);
1258 : /* Albeit cleartext has been allocated in secure memory and thus
1259 : xfree will wipe it out, we do an extra wipe just in case
1260 : somethings goes badly wrong. */
1261 131 : wipememory (cleartext, n);
1262 131 : xfree (cleartext);
1263 131 : if (rc)
1264 0 : return rc;
1265 :
1266 131 : if (!is_ocb)
1267 : {
1268 131 : rc = calculate_mic (final, sha1hash2);
1269 131 : if (!rc && memcmp (sha1hash, sha1hash2, 20))
1270 0 : rc = gpg_error (GPG_ERR_CORRUPTED_PROTECTION);
1271 131 : if (rc)
1272 : {
1273 0 : wipememory (final, finallen);
1274 0 : xfree (final);
1275 0 : return rc;
1276 : }
1277 : }
1278 :
1279 : /* Now remove the part which is included in the MIC but should not
1280 : go into the final thing. */
1281 131 : if (cutlen)
1282 : {
1283 131 : memmove (final+cutoff, final+cutoff+cutlen, finallen-cutoff-cutlen);
1284 131 : finallen -= cutlen;
1285 : }
1286 :
1287 131 : *result = final;
1288 131 : *resultlen = gcry_sexp_canon_len (final, 0, NULL, NULL);
1289 131 : return 0;
1290 : }
1291 :
1292 : /* Check the type of the private key, this is one of the constants:
1293 : PRIVATE_KEY_UNKNOWN if we can't figure out the type (this is the
1294 : value 0), PRIVATE_KEY_CLEAR for an unprotected private key.
1295 : PRIVATE_KEY_PROTECTED for an protected private key or
1296 : PRIVATE_KEY_SHADOWED for a sub key where the secret parts are
1297 : stored elsewhere. Finally PRIVATE_KEY_OPENPGP_NONE may be returned
1298 : is the key is still in the openpgp-native format but without
1299 : protection. */
1300 : int
1301 429 : agent_private_key_type (const unsigned char *privatekey)
1302 : {
1303 : const unsigned char *s;
1304 : size_t n;
1305 : int i;
1306 :
1307 429 : s = privatekey;
1308 429 : if (*s != '(')
1309 0 : return PRIVATE_KEY_UNKNOWN;
1310 429 : s++;
1311 429 : n = snext (&s);
1312 429 : if (!n)
1313 0 : return PRIVATE_KEY_UNKNOWN;
1314 429 : if (smatch (&s, n, "protected-private-key"))
1315 : {
1316 : /* We need to check whether this is openpgp-native protected
1317 : with the protection method "none". In that case we return a
1318 : different key type so that the caller knows that there is no
1319 : need to ask for a passphrase. */
1320 153 : if (*s != '(')
1321 0 : return PRIVATE_KEY_PROTECTED; /* Unknown sexp - assume protected. */
1322 153 : s++;
1323 153 : n = snext (&s);
1324 153 : if (!n)
1325 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1326 153 : s += n; /* Skip over the algo */
1327 :
1328 : /* Find the (protected ...) list. */
1329 : for (;;)
1330 : {
1331 652 : if (*s != '(')
1332 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1333 652 : s++;
1334 652 : n = snext (&s);
1335 652 : if (!n)
1336 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1337 652 : if (smatch (&s, n, "protected"))
1338 153 : break;
1339 499 : s += n;
1340 499 : i = 1;
1341 499 : if (sskip (&s, &i))
1342 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1343 499 : }
1344 : /* Found - Is this openpgp-native? */
1345 153 : n = snext (&s);
1346 153 : if (!n)
1347 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1348 153 : if (smatch (&s, n, "openpgp-native")) /* Yes. */
1349 : {
1350 20 : if (*s != '(')
1351 0 : return PRIVATE_KEY_UNKNOWN; /* Unknown sexp. */
1352 20 : s++;
1353 20 : n = snext (&s);
1354 20 : if (!n)
1355 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1356 20 : s += n; /* Skip over "openpgp-private-key". */
1357 : /* Find the (protection ...) list. */
1358 : for (;;)
1359 : {
1360 106 : if (*s != '(')
1361 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1362 106 : s++;
1363 106 : n = snext (&s);
1364 106 : if (!n)
1365 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1366 106 : if (smatch (&s, n, "protection"))
1367 20 : break;
1368 86 : s += n;
1369 86 : i = 1;
1370 86 : if (sskip (&s, &i))
1371 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1372 86 : }
1373 : /* Found - Is the mode "none"? */
1374 20 : n = snext (&s);
1375 20 : if (!n)
1376 0 : return PRIVATE_KEY_UNKNOWN; /* Invalid sexp. */
1377 20 : if (smatch (&s, n, "none"))
1378 4 : return PRIVATE_KEY_OPENPGP_NONE; /* Yes. */
1379 : }
1380 :
1381 149 : return PRIVATE_KEY_PROTECTED;
1382 : }
1383 276 : if (smatch (&s, n, "shadowed-private-key"))
1384 0 : return PRIVATE_KEY_SHADOWED;
1385 276 : if (smatch (&s, n, "private-key"))
1386 276 : return PRIVATE_KEY_CLEAR;
1387 0 : return PRIVATE_KEY_UNKNOWN;
1388 : }
1389 :
1390 :
1391 :
1392 : /* Transform a passphrase into a suitable key of length KEYLEN and
1393 : store this key in the caller provided buffer KEY. The caller must
1394 : provide an HASHALGO, a valid S2KMODE (see rfc-2440) and depending on
1395 : that mode an S2KSALT of 8 random bytes and an S2KCOUNT.
1396 :
1397 : Returns an error code on failure. */
1398 : static int
1399 201 : hash_passphrase (const char *passphrase, int hashalgo,
1400 : int s2kmode,
1401 : const unsigned char *s2ksalt,
1402 : unsigned long s2kcount,
1403 : unsigned char *key, size_t keylen)
1404 : {
1405 : /* The key derive function does not support a zero length string for
1406 : the passphrase in the S2K modes. Return a better suited error
1407 : code than GPG_ERR_INV_DATA. */
1408 201 : if (!passphrase || !*passphrase)
1409 0 : return gpg_error (GPG_ERR_NO_PASSPHRASE);
1410 201 : return gcry_kdf_derive (passphrase, strlen (passphrase),
1411 : s2kmode == 3? GCRY_KDF_ITERSALTED_S2K :
1412 0 : s2kmode == 1? GCRY_KDF_SALTED_S2K :
1413 0 : s2kmode == 0? GCRY_KDF_SIMPLE_S2K : GCRY_KDF_NONE,
1414 : hashalgo, s2ksalt, 8, s2kcount,
1415 : keylen, key);
1416 : }
1417 :
1418 :
1419 : gpg_error_t
1420 8 : s2k_hash_passphrase (const char *passphrase, int hashalgo,
1421 : int s2kmode,
1422 : const unsigned char *s2ksalt,
1423 : unsigned int s2kcount,
1424 : unsigned char *key, size_t keylen)
1425 : {
1426 8 : return hash_passphrase (passphrase, hashalgo, s2kmode, s2ksalt,
1427 8 : S2K_DECODE_COUNT (s2kcount),
1428 : key, keylen);
1429 : }
1430 :
1431 :
1432 :
1433 :
1434 : /* Create an canonical encoded S-expression with the shadow info from
1435 : a card's SERIALNO and the IDSTRING. */
1436 : unsigned char *
1437 0 : make_shadow_info (const char *serialno, const char *idstring)
1438 : {
1439 : const char *s;
1440 : char *info, *p;
1441 : char numbuf[20];
1442 : size_t n;
1443 :
1444 0 : for (s=serialno, n=0; *s && s[1]; s += 2)
1445 0 : n++;
1446 :
1447 0 : info = p = xtrymalloc (1 + sizeof numbuf + n
1448 : + sizeof numbuf + strlen (idstring) + 1 + 1);
1449 0 : if (!info)
1450 0 : return NULL;
1451 0 : *p++ = '(';
1452 0 : p = stpcpy (p, smklen (numbuf, sizeof numbuf, n, NULL));
1453 0 : for (s=serialno; *s && s[1]; s += 2)
1454 0 : *(unsigned char *)p++ = xtoi_2 (s);
1455 0 : p = stpcpy (p, smklen (numbuf, sizeof numbuf, strlen (idstring), NULL));
1456 0 : p = stpcpy (p, idstring);
1457 0 : *p++ = ')';
1458 0 : *p = 0;
1459 0 : return (unsigned char *)info;
1460 : }
1461 :
1462 :
1463 :
1464 : /* Create a shadow key from a public key. We use the shadow protocol
1465 : "ti-v1" and insert the S-expressionn SHADOW_INFO. The resulting
1466 : S-expression is returned in an allocated buffer RESULT will point
1467 : to. The input parameters are expected to be valid canonicalized
1468 : S-expressions */
1469 : int
1470 0 : agent_shadow_key (const unsigned char *pubkey,
1471 : const unsigned char *shadow_info,
1472 : unsigned char **result)
1473 : {
1474 : const unsigned char *s;
1475 : const unsigned char *point;
1476 : size_t n;
1477 0 : int depth = 0;
1478 : char *p;
1479 0 : size_t pubkey_len = gcry_sexp_canon_len (pubkey, 0, NULL,NULL);
1480 0 : size_t shadow_info_len = gcry_sexp_canon_len (shadow_info, 0, NULL,NULL);
1481 :
1482 0 : if (!pubkey_len || !shadow_info_len)
1483 0 : return gpg_error (GPG_ERR_INV_VALUE);
1484 0 : s = pubkey;
1485 0 : if (*s != '(')
1486 0 : return gpg_error (GPG_ERR_INV_SEXP);
1487 0 : depth++;
1488 0 : s++;
1489 0 : n = snext (&s);
1490 0 : if (!n)
1491 0 : return gpg_error (GPG_ERR_INV_SEXP);
1492 0 : if (!smatch (&s, n, "public-key"))
1493 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1494 0 : if (*s != '(')
1495 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1496 0 : depth++;
1497 0 : s++;
1498 0 : n = snext (&s);
1499 0 : if (!n)
1500 0 : return gpg_error (GPG_ERR_INV_SEXP);
1501 0 : s += n; /* skip over the algorithm name */
1502 :
1503 0 : while (*s != ')')
1504 : {
1505 0 : if (*s != '(')
1506 0 : return gpg_error (GPG_ERR_INV_SEXP);
1507 0 : depth++;
1508 0 : s++;
1509 0 : n = snext (&s);
1510 0 : if (!n)
1511 0 : return gpg_error (GPG_ERR_INV_SEXP);
1512 0 : s += n;
1513 0 : n = snext (&s);
1514 0 : if (!n)
1515 0 : return gpg_error (GPG_ERR_INV_SEXP);
1516 0 : s +=n; /* skip value */
1517 0 : if (*s != ')')
1518 0 : return gpg_error (GPG_ERR_INV_SEXP);
1519 0 : depth--;
1520 0 : s++;
1521 : }
1522 0 : point = s; /* insert right before the point */
1523 0 : depth--;
1524 0 : s++;
1525 0 : assert (depth == 1);
1526 :
1527 : /* Calculate required length by taking in account: the "shadowed-"
1528 : prefix, the "shadowed", "t1-v1" as well as some parenthesis */
1529 0 : n = 12 + pubkey_len + 1 + 3+8 + 2+5 + shadow_info_len + 1;
1530 0 : *result = xtrymalloc (n);
1531 0 : p = (char*)*result;
1532 0 : if (!p)
1533 0 : return out_of_core ();
1534 0 : p = stpcpy (p, "(20:shadowed-private-key");
1535 : /* (10:public-key ...)*/
1536 0 : memcpy (p, pubkey+14, point - (pubkey+14));
1537 0 : p += point - (pubkey+14);
1538 0 : p = stpcpy (p, "(8:shadowed5:t1-v1");
1539 0 : memcpy (p, shadow_info, shadow_info_len);
1540 0 : p += shadow_info_len;
1541 0 : *p++ = ')';
1542 0 : memcpy (p, point, pubkey_len - (point - pubkey));
1543 0 : p += pubkey_len - (point - pubkey);
1544 :
1545 0 : return 0;
1546 : }
1547 :
1548 : /* Parse a canonical encoded shadowed key and return a pointer to the
1549 : inner list with the shadow_info */
1550 : int
1551 0 : agent_get_shadow_info (const unsigned char *shadowkey,
1552 : unsigned char const **shadow_info)
1553 : {
1554 : const unsigned char *s;
1555 : size_t n;
1556 0 : int depth = 0;
1557 :
1558 0 : s = shadowkey;
1559 0 : if (*s != '(')
1560 0 : return gpg_error (GPG_ERR_INV_SEXP);
1561 0 : depth++;
1562 0 : s++;
1563 0 : n = snext (&s);
1564 0 : if (!n)
1565 0 : return gpg_error (GPG_ERR_INV_SEXP);
1566 0 : if (!smatch (&s, n, "shadowed-private-key"))
1567 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1568 0 : if (*s != '(')
1569 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1570 0 : depth++;
1571 0 : s++;
1572 0 : n = snext (&s);
1573 0 : if (!n)
1574 0 : return gpg_error (GPG_ERR_INV_SEXP);
1575 0 : s += n; /* skip over the algorithm name */
1576 :
1577 : for (;;)
1578 : {
1579 0 : if (*s == ')')
1580 0 : return gpg_error (GPG_ERR_UNKNOWN_SEXP);
1581 0 : if (*s != '(')
1582 0 : return gpg_error (GPG_ERR_INV_SEXP);
1583 0 : depth++;
1584 0 : s++;
1585 0 : n = snext (&s);
1586 0 : if (!n)
1587 0 : return gpg_error (GPG_ERR_INV_SEXP);
1588 0 : if (smatch (&s, n, "shadowed"))
1589 0 : break;
1590 0 : s += n;
1591 0 : n = snext (&s);
1592 0 : if (!n)
1593 0 : return gpg_error (GPG_ERR_INV_SEXP);
1594 0 : s +=n; /* skip value */
1595 0 : if (*s != ')')
1596 0 : return gpg_error (GPG_ERR_INV_SEXP);
1597 0 : depth--;
1598 0 : s++;
1599 0 : }
1600 : /* Found the shadowed list, S points to the protocol */
1601 0 : n = snext (&s);
1602 0 : if (!n)
1603 0 : return gpg_error (GPG_ERR_INV_SEXP);
1604 0 : if (smatch (&s, n, "t1-v1"))
1605 : {
1606 0 : if (*s != '(')
1607 0 : return gpg_error (GPG_ERR_INV_SEXP);
1608 0 : *shadow_info = s;
1609 : }
1610 : else
1611 0 : return gpg_error (GPG_ERR_UNSUPPORTED_PROTOCOL);
1612 0 : return 0;
1613 : }
1614 :
1615 :
1616 : /* Parse the canonical encoded SHADOW_INFO S-expression. On success
1617 : the hex encoded serial number is returned as a malloced strings at
1618 : R_HEXSN and the Id string as a malloced string at R_IDSTR. On
1619 : error an error code is returned and NULL is stored at the result
1620 : parameters addresses. If the serial number or the ID string is not
1621 : required, NULL may be passed for them. */
1622 : gpg_error_t
1623 0 : parse_shadow_info (const unsigned char *shadow_info,
1624 : char **r_hexsn, char **r_idstr, int *r_pinlen)
1625 : {
1626 : const unsigned char *s;
1627 : size_t n;
1628 :
1629 0 : if (r_hexsn)
1630 0 : *r_hexsn = NULL;
1631 0 : if (r_idstr)
1632 0 : *r_idstr = NULL;
1633 0 : if (r_pinlen)
1634 0 : *r_pinlen = 0;
1635 :
1636 0 : s = shadow_info;
1637 0 : if (*s != '(')
1638 0 : return gpg_error (GPG_ERR_INV_SEXP);
1639 0 : s++;
1640 0 : n = snext (&s);
1641 0 : if (!n)
1642 0 : return gpg_error (GPG_ERR_INV_SEXP);
1643 :
1644 0 : if (r_hexsn)
1645 : {
1646 0 : *r_hexsn = bin2hex (s, n, NULL);
1647 0 : if (!*r_hexsn)
1648 0 : return gpg_error_from_syserror ();
1649 : }
1650 0 : s += n;
1651 :
1652 0 : n = snext (&s);
1653 0 : if (!n)
1654 : {
1655 0 : if (r_hexsn)
1656 : {
1657 0 : xfree (*r_hexsn);
1658 0 : *r_hexsn = NULL;
1659 : }
1660 0 : return gpg_error (GPG_ERR_INV_SEXP);
1661 : }
1662 :
1663 0 : if (r_idstr)
1664 : {
1665 0 : *r_idstr = xtrymalloc (n+1);
1666 0 : if (!*r_idstr)
1667 : {
1668 0 : if (r_hexsn)
1669 : {
1670 0 : xfree (*r_hexsn);
1671 0 : *r_hexsn = NULL;
1672 : }
1673 0 : return gpg_error_from_syserror ();
1674 : }
1675 0 : memcpy (*r_idstr, s, n);
1676 0 : (*r_idstr)[n] = 0;
1677 : }
1678 :
1679 : /* Parse the optional PINLEN. */
1680 0 : n = snext (&s);
1681 0 : if (!n)
1682 0 : return 0;
1683 :
1684 0 : if (r_pinlen)
1685 : {
1686 0 : char *tmpstr = xtrymalloc (n+1);
1687 0 : if (!tmpstr)
1688 : {
1689 0 : if (r_hexsn)
1690 : {
1691 0 : xfree (*r_hexsn);
1692 0 : *r_hexsn = NULL;
1693 : }
1694 0 : if (r_idstr)
1695 : {
1696 0 : xfree (*r_idstr);
1697 0 : *r_idstr = NULL;
1698 : }
1699 0 : return gpg_error_from_syserror ();
1700 : }
1701 0 : memcpy (tmpstr, s, n);
1702 0 : tmpstr[n] = 0;
1703 :
1704 0 : *r_pinlen = (int)strtol (tmpstr, NULL, 10);
1705 0 : xfree (tmpstr);
1706 : }
1707 :
1708 0 : return 0;
1709 : }
|