2 * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
3 * Copyright (C) 2016 The Claws Mail Team
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "claws-features.h"
25 #ifdef PASSWORD_CRYPTO_GNUTLS
26 # include <gnutls/gnutls.h>
27 # include <gnutls/crypto.h>
31 #include <glib/gi18n.h>
36 #elif defined G_OS_WIN32
41 #include "common/passcrypt.h"
42 #include "common/plugin.h"
43 #include "common/utils.h"
45 #include "alertpanel.h"
46 #include "inputdialog.h"
48 #include "prefs_common.h"
50 #ifndef PASSWORD_CRYPTO_OLD
51 static gchar *_master_password = NULL;
53 static const gchar *master_password()
58 if (!prefs_common_get_prefs()->use_master_password) {
62 if (_master_password != NULL) {
63 debug_print("Master password is in memory, offering it.\n");
64 return _master_password;
68 input = input_dialog_with_invisible(_("Input master password"),
69 _("Input master password"), NULL);
72 debug_print("Cancel pressed at master password dialog.\n");
76 if (master_password_is_correct(input)) {
77 debug_print("Entered master password seems to be correct, remembering it.\n");
78 _master_password = input;
81 alertpanel_error(_("Incorrect master password."));
85 return _master_password;
88 const gboolean master_password_is_set()
90 if (prefs_common_get_prefs()->master_password_hash == NULL
91 || strlen(prefs_common_get_prefs()->master_password_hash) == 0)
97 const gboolean master_password_is_correct(const gchar *input)
100 gchar *stored_hash = prefs_common_get_prefs()->master_password_hash;
101 const GChecksumType hashtype = G_CHECKSUM_SHA512;
102 const gssize hashlen = g_checksum_type_get_length(hashtype);
105 g_return_val_if_fail(input != NULL, FALSE);
107 if (stored_hash == NULL)
110 stored_len = strlen(stored_hash);
111 g_return_val_if_fail(stored_len == 2*hashlen, FALSE);
113 hash = g_compute_checksum_for_string(hashtype, input, -1);
115 if (!strncasecmp(hash, stored_hash, stored_len)) {
124 gboolean master_password_is_entered()
126 return (_master_password == NULL) ? FALSE : TRUE;
129 void master_password_forget()
131 /* If master password is currently in memory (entered by user),
132 * get rid of it. User will have to enter the new one again. */
133 if (_master_password != NULL) {
134 memset(_master_password, 0, strlen(_master_password));
135 g_free(_master_password);
137 _master_password = NULL;
140 void master_password_change(const gchar *newp)
147 /* Make sure the user has to enter the master password before
148 * being able to change it. */
149 master_password_forget();
151 oldp = master_password();
152 g_return_if_fail(oldp != NULL);
154 /* Update master password hash in prefs */
155 if (prefs_common_get_prefs()->master_password_hash != NULL)
156 g_free(prefs_common_get_prefs()->master_password_hash);
159 debug_print("Storing hash of new master password\n");
160 prefs_common_get_prefs()->master_password_hash =
161 g_compute_checksum_for_string(G_CHECKSUM_SHA512, newp, -1);
163 debug_print("Setting master_password_hash to NULL\n");
164 prefs_common_get_prefs()->master_password_hash = NULL;
167 /* Now go over all accounts, reencrypting their passwords using
168 * the new master password. */
171 oldp = PASSCRYPT_KEY;
173 newp = PASSCRYPT_KEY;
175 debug_print("Reencrypting all account passwords...\n");
176 for (cur = account_get_list(); cur != NULL; cur = cur->next) {
177 acc = (PrefsAccount *)cur->data;
178 debug_print("account %s\n", acc->account_name);
180 /* Password for receiving */
181 if (acc->passwd != NULL && strlen(acc->passwd) > 0) {
182 pwd = password_decrypt(acc->passwd, oldp);
184 debug_print("failed to decrypt recv password with old master password\n");
186 newpwd = password_encrypt(pwd, newp);
187 memset(pwd, 0, strlen(pwd));
189 if (newpwd == NULL) {
190 debug_print("failed to encrypt recv password with new master password\n");
193 acc->passwd = newpwd;
198 /* Password for sending */
199 if (acc->smtp_passwd != NULL && strlen(acc->smtp_passwd) > 0) {
200 pwd = password_decrypt(acc->smtp_passwd, oldp);
202 debug_print("failed to decrypt smtp password with old master password\n");
204 newpwd = password_encrypt(pwd, newp);
205 memset(pwd, 0, strlen(pwd));
207 if (newpwd == NULL) {
208 debug_print("failed to encrypt smtp password with new master password\n");
210 g_free(acc->smtp_passwd);
211 acc->smtp_passwd = newpwd;
217 /* Now reencrypt all plugins passwords fields
218 * FIXME: Unloaded plugins won't be able to update their stored passwords
220 plugins_master_password_change(oldp, newp);
222 master_password_forget();
226 gchar *password_encrypt_old(const gchar *password)
228 if (!password || strlen(password) == 0) {
232 gchar *encrypted = g_strdup(password);
233 gchar *encoded, *result;
234 gsize len = strlen(password);
236 passcrypt_encrypt(encrypted, len);
237 encoded = g_base64_encode(encrypted, len);
239 result = g_strconcat("!", encoded, NULL);
245 gchar *password_decrypt_old(const gchar *password)
247 if (!password || strlen(password) == 0) {
251 if (*password != '!' || strlen(password) < 2) {
256 gchar *decrypted = g_base64_decode(password + 1, &len);
258 passcrypt_decrypt(decrypted, len);
262 #ifdef PASSWORD_CRYPTO_GNUTLS
265 gchar *password_encrypt_gnutls(const gchar *password,
266 const gchar *encryption_password)
268 /* Another, slightly inferior combination is AES-128-CBC + SHA-256.
269 * Any block cipher in CBC mode with keysize N and a hash algo with
270 * digest length 2*N would do. */
271 gnutls_cipher_algorithm_t algo = GNUTLS_CIPHER_AES_256_CBC;
272 gnutls_digest_algorithm_t digest = GNUTLS_DIG_SHA512;
273 gnutls_cipher_hd_t handle;
274 gnutls_datum_t key, iv;
275 int ivlen, keylen, digestlen, blocklen, ret, i;
276 unsigned char hashbuf[BUFSIZE], *buf, *encbuf, *base, *output;
277 #if defined G_OS_UNIX
279 #elif defined G_OS_WIN32
283 g_return_val_if_fail(password != NULL, NULL);
284 g_return_val_if_fail(encryption_password != NULL, NULL);
286 ivlen = gnutls_cipher_get_iv_size(algo);
287 keylen = gnutls_cipher_get_key_size(algo);
288 blocklen = gnutls_cipher_get_block_size(algo);
289 digestlen = gnutls_hash_get_len(digest);
291 /* Prepare key for cipher - first half of hash of passkey XORed with
293 memset(&hashbuf, 0, BUFSIZE);
294 if ((ret = gnutls_hash_fast(digest, encryption_password,
295 strlen(encryption_password), &hashbuf)) < 0) {
296 debug_print("Hashing passkey failed: %s\n", gnutls_strerror(ret));
299 for (i = 0; i < digestlen/2; i++) {
300 hashbuf[i] = hashbuf[i] ^ hashbuf[i+digestlen/2];
303 key.data = malloc(keylen);
304 memcpy(key.data, &hashbuf, keylen);
307 /* Prepare our source of random data. */
308 #if defined G_OS_UNIX
309 rnd = open("/dev/urandom", O_RDONLY);
311 perror("fopen on /dev/urandom");
312 #elif defined G_OS_WIN32
313 if (!CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, 0) &&
314 !CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
315 debug_print("Could not acquire a CSP handle.\n");
322 /* Prepare random IV for cipher */
323 iv.data = malloc(ivlen);
325 #if defined G_OS_UNIX
326 ret = read(rnd, iv.data, ivlen);
328 perror("read into iv");
330 #elif defined G_OS_WIN32
331 if (!CryptGenRandom(rnd, ivlen, iv.data)) {
332 debug_print("Could not read random data for IV\n");
333 CryptReleaseContext(rnd, 0);
340 /* Initialize the encryption */
341 ret = gnutls_cipher_init(&handle, algo, &key, &iv);
345 #if defined G_OS_UNIX
347 #elif defined G_OS_WIN32
348 CryptReleaseContext(rnd, 0);
353 /* Fill buf with one block of random data, our password, pad the
354 * rest with zero bytes. */
355 buf = malloc(BUFSIZE + blocklen);
356 memset(buf, 0, BUFSIZE);
357 #if defined G_OS_UNIX
358 ret = read(rnd, buf, blocklen);
359 if (ret != blocklen) {
360 perror("read into buffer");
362 #elif defined G_OS_WIN32
363 if (!CryptGenRandom(rnd, blocklen, buf)) {
364 debug_print("Could not read random data for IV\n");
365 CryptReleaseContext(rnd, 0);
370 gnutls_cipher_deinit(handle);
374 /* We don't need any more random data. */
375 #if defined G_OS_UNIX
377 #elif defined G_OS_WIN32
378 CryptReleaseContext(rnd, 0);
381 memcpy(buf + blocklen, password, strlen(password));
383 /* Encrypt into encbuf */
384 encbuf = malloc(BUFSIZE + blocklen);
385 memset(encbuf, 0, BUFSIZE + blocklen);
386 ret = gnutls_cipher_encrypt2(handle, buf, BUFSIZE + blocklen,
387 encbuf, BUFSIZE + blocklen);
393 gnutls_cipher_deinit(handle);
398 gnutls_cipher_deinit(handle);
403 /* And finally prepare the resulting string:
404 * "{algorithm}base64encodedciphertext" */
405 base = g_base64_encode(encbuf, BUFSIZE);
407 output = g_strdup_printf("{%s}%s", gnutls_cipher_get_name(algo), base);
413 gchar *password_decrypt_gnutls(const gchar *password,
414 const gchar *decryption_password)
416 gchar **tokens, *tmp;
417 gnutls_cipher_algorithm_t algo;
418 gnutls_digest_algorithm_t digest = GNUTLS_DIG_UNKNOWN;
419 gnutls_cipher_hd_t handle;
420 gnutls_datum_t key, iv;
421 int ivlen, keylen, digestlen, blocklen, ret, i;
423 unsigned char hashbuf[BUFSIZE], *buf;
424 #if defined G_OS_UNIX
426 #elif defined G_OS_WIN32
430 g_return_val_if_fail(password != NULL, NULL);
431 g_return_val_if_fail(decryption_password != NULL, NULL);
433 tokens = g_strsplit_set(password, "{}", 3);
435 /* Parse the string, retrieving algorithm and encrypted data.
436 * We expect "{algorithm}base64encodedciphertext". */
437 if (strlen(tokens[0]) != 0 ||
438 (algo = gnutls_cipher_get_id(tokens[1])) == GNUTLS_CIPHER_UNKNOWN ||
439 strlen(tokens[2]) == 0)
442 /* Our hash algo needs to have digest length twice as long as our
443 * cipher algo's key length. */
444 if (algo == GNUTLS_CIPHER_AES_256_CBC) {
445 debug_print("Using AES-256-CBC + SHA-512 for decryption\n");
446 digest = GNUTLS_DIG_SHA512;
447 } else if (algo == GNUTLS_CIPHER_AES_128_CBC) {
448 debug_print("Using AES-128-CBC + SHA-256 for decryption\n");
449 digest = GNUTLS_DIG_SHA256;
451 if (digest == GNUTLS_DIG_UNKNOWN) {
452 debug_print("Password is encrypted with unsupported cipher, giving up.\n");
457 ivlen = gnutls_cipher_get_iv_size(algo);
458 keylen = gnutls_cipher_get_key_size(algo);
459 blocklen = gnutls_cipher_get_block_size(algo);
460 digestlen = gnutls_hash_get_len(digest);
462 /* Prepare key for cipher - first half of hash of passkey XORed with
463 * the second. AES-256 has key length 32 and length of SHA-512 hash
464 * is exactly twice that, 64. */
465 memset(&hashbuf, 0, BUFSIZE);
466 if ((ret = gnutls_hash_fast(digest, decryption_password,
467 strlen(decryption_password), &hashbuf)) < 0) {
468 debug_print("Hashing passkey failed: %s\n", gnutls_strerror(ret));
472 for (i = 0; i < digestlen/2; i++) {
473 hashbuf[i] = hashbuf[i] ^ hashbuf[i+digestlen/2];
476 key.data = malloc(keylen);
477 memcpy(key.data, &hashbuf, keylen);
480 /* Prepare our source of random data. */
481 #if defined G_OS_UNIX
482 rnd = open("/dev/urandom", O_RDONLY);
484 perror("fopen on /dev/urandom");
485 #elif defined G_OS_WIN32
486 if (!CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, 0) &&
487 !CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
488 debug_print("Could not acquire a CSP handle.\n");
496 /* Prepare random IV for cipher */
497 iv.data = malloc(ivlen);
499 #if defined G_OS_UNIX
500 ret = read(rnd, iv.data, ivlen);
502 perror("read into iv");
504 #elif defined G_OS_WIN32
505 if (!CryptGenRandom(rnd, ivlen, iv.data)) {
506 debug_print("Could not read random data for IV\n");
507 CryptReleaseContext(rnd, 0);
515 /* We don't need any more random data. */
516 #if defined G_OS_UNIX
518 #elif defined G_OS_WIN32
519 CryptReleaseContext(rnd, 0);
522 /* Prepare encrypted password string for decryption. */
523 tmp = g_base64_decode(tokens[2], &len);
526 /* Initialize the decryption */
527 ret = gnutls_cipher_init(&handle, algo, &key, &iv);
529 debug_print("Cipher init failed: %s\n", gnutls_strerror(ret));
535 buf = malloc(BUFSIZE + blocklen);
536 memset(buf, 0, BUFSIZE + blocklen);
537 ret = gnutls_cipher_decrypt2(handle, tmp, len,
538 buf, BUFSIZE + blocklen);
540 debug_print("Decryption failed: %s\n", gnutls_strerror(ret));
544 gnutls_cipher_deinit(handle);
549 gnutls_cipher_deinit(handle);
553 tmp = g_strndup(buf + blocklen, MIN(strlen(buf + blocklen), BUFSIZE));
562 gchar *password_encrypt(const gchar *password,
563 const gchar *encryption_password)
565 if (password == NULL || strlen(password) == 0) {
569 #ifndef PASSWORD_CRYPTO_OLD
570 if (encryption_password == NULL)
571 encryption_password = master_password();
573 return password_encrypt_real(password, encryption_password);
576 return password_encrypt_old(password);
579 gchar *password_decrypt(const gchar *password,
580 const gchar *decryption_password)
582 if (password == NULL || strlen(password) == 0) {
586 /* First, check if the password was possibly decrypted using old,
588 if (*password == '!') {
589 debug_print("Trying to decrypt password using the old method...\n");
590 return password_decrypt_old(password);
593 /* Try available crypto backend */
594 #ifndef PASSWORD_CRYPTO_OLD
595 if (decryption_password == NULL)
596 decryption_password = master_password();
598 if (*password == '{') {
599 debug_print("Trying to decrypt password...\n");
600 return password_decrypt_real(password, decryption_password);
604 /* Fallback, in case the configuration is really old and
605 * stored password in plaintext */
606 debug_print("Assuming password was stored plaintext, returning it unchanged\n");
607 return g_strdup(password);