#include <glib.h>
#include <glib/gi18n.h>
-#ifdef G_OS_UNIX
+#if defined G_OS_UNIX
#include <fcntl.h>
#include <unistd.h>
+#elif defined G_OS_WIN32
+#include <windows.h>
+#include <wincrypt.h>
#endif
#include "common/passcrypt.h"
+#include "common/plugin.h"
+#include "common/pkcs5_pbkdf2.h"
+#include "common/timing.h"
#include "common/utils.h"
#include "account.h"
#include "alertpanel.h"
#include "inputdialog.h"
#include "password.h"
+#include "passwordstore.h"
#include "prefs_common.h"
#ifndef PASSWORD_CRYPTO_OLD
-static gchar *_master_password = NULL;
+static gchar *_master_passphrase = NULL;
-static const gchar *master_password()
+/* Length of stored key derivation, before base64. */
+#define KD_LENGTH 64
+
+/* Length of randomly generated and saved salt, used for key derivation.
+ * Also before base64. */
+#define KD_SALT_LENGTH 64
+
+static void _generate_salt()
+{
+ guchar salt[KD_SALT_LENGTH];
+
+ if (prefs_common_get_prefs()->master_passphrase_salt != NULL) {
+ g_free(prefs_common_get_prefs()->master_passphrase_salt);
+ }
+
+ if (!get_random_bytes(salt, KD_SALT_LENGTH)) {
+ debug_print("Could not get random bytes for kd salt.\n");
+ return;
+ }
+
+ prefs_common_get_prefs()->master_passphrase_salt =
+ g_base64_encode(salt, KD_SALT_LENGTH);
+}
+
+#undef KD_SALT_LENGTH
+
+static guchar *_make_key_deriv(const gchar *passphrase, guint rounds,
+ guint length)
+{
+ guchar *kd, *salt;
+ gchar *saltpref = prefs_common_get_prefs()->master_passphrase_salt;
+ gsize saltlen;
+ gint ret;
+
+ /* Grab our salt, generating and saving a new random one if needed. */
+ if (saltpref == NULL || strlen(saltpref) == 0) {
+ _generate_salt();
+ saltpref = prefs_common_get_prefs()->master_passphrase_salt;
+ }
+ salt = g_base64_decode(saltpref, &saltlen);
+ kd = g_malloc0(length);
+
+ START_TIMING("PBKDF2");
+ ret = pkcs5_pbkdf2(passphrase, strlen(passphrase), salt, saltlen,
+ kd, length, rounds);
+ END_TIMING();
+
+ g_free(salt);
+
+ if (ret == 0) {
+ return kd;
+ }
+
+ g_free(kd);
+ return NULL;
+}
+
+static const gchar *master_passphrase()
{
gchar *input;
gboolean end = FALSE;
- if (!prefs_common_get_prefs()->use_master_password) {
+ if (!prefs_common_get_prefs()->use_master_passphrase) {
return PASSCRYPT_KEY;
}
- if (_master_password != NULL) {
- debug_print("Master password is in memory, offering it.\n");
- return _master_password;
+ if (_master_passphrase != NULL) {
+ debug_print("Master passphrase is in memory, offering it.\n");
+ return _master_passphrase;
}
while (!end) {
- input = input_dialog_with_invisible(_("Input master password"),
- _("Input master password"), NULL);
+ input = input_dialog_with_invisible(_("Input master passphrase"),
+ _("Input master passphrase"), NULL);
if (input == NULL) {
- debug_print("Cancel pressed at master password dialog.\n");
+ debug_print("Cancel pressed at master passphrase dialog.\n");
break;
}
- if (master_password_is_correct(input)) {
- debug_print("Entered master password seems to be correct, remembering it.\n");
- _master_password = input;
+ if (master_passphrase_is_correct(input)) {
+ debug_print("Entered master passphrase seems to be correct, remembering it.\n");
+ _master_passphrase = input;
end = TRUE;
} else {
- alertpanel_error(_("Incorrect master password."));
+ alertpanel_error(_("Incorrect master passphrase."));
}
}
- return _master_password;
+ return _master_passphrase;
}
-const gboolean master_password_is_set()
+const gboolean master_passphrase_is_set()
{
- if (prefs_common_get_prefs()->master_password_hash == NULL
- || strlen(prefs_common_get_prefs()->master_password_hash) == 0)
+ if (prefs_common_get_prefs()->master_passphrase == NULL
+ || strlen(prefs_common_get_prefs()->master_passphrase) == 0)
return FALSE;
return TRUE;
}
-const gboolean master_password_is_correct(const gchar *input)
+const gboolean master_passphrase_is_correct(const gchar *input)
{
- gchar *hash;
- gchar *stored_hash = prefs_common_get_prefs()->master_password_hash;
- const GChecksumType hashtype = G_CHECKSUM_SHA512;
- const gssize hashlen = g_checksum_type_get_length(hashtype);
- gssize stored_len;
-
+ guchar *kd, *input_kd;
+ gchar **tokens;
+ gchar *stored_kd = prefs_common_get_prefs()->master_passphrase;
+ gsize kd_len;
+ guint rounds = 0;
+ gint ret;
+
+ g_return_val_if_fail(stored_kd != NULL && strlen(stored_kd) > 0, FALSE);
g_return_val_if_fail(input != NULL, FALSE);
- if (stored_hash == NULL)
+ if (stored_kd == NULL)
return FALSE;
- stored_len = strlen(stored_hash);
- g_return_val_if_fail(stored_len == 2*hashlen, FALSE);
+ tokens = g_strsplit_set(stored_kd, "{}", 3);
+ if (tokens[0] == NULL ||
+ strlen(tokens[0]) != 0 || /* nothing before { */
+ tokens[1] == NULL ||
+ strncmp(tokens[1], "PBKDF2-HMAC-SHA1,", 17) || /* correct tag */
+ strlen(tokens[1]) <= 17 || /* something after , */
+ (rounds = atoi(tokens[1] + 17)) <= 0 || /* valid rounds # */
+ tokens[2] == NULL ||
+ strlen(tokens[2]) == 0) { /* string continues after } */
+ debug_print("Mangled master_passphrase format in config, can not use it.\n");
+ g_strfreev(tokens);
+ return FALSE;
+ }
- hash = g_compute_checksum_for_string(hashtype, input, -1);
+ stored_kd = tokens[2];
+ kd = g_base64_decode(stored_kd, &kd_len); /* should be 64 */
+ g_strfreev(tokens);
- if (!strncasecmp(hash, stored_hash, stored_len)) {
- g_free(hash);
- return TRUE;
+ if (kd_len != KD_LENGTH) {
+ debug_print("master_passphrase is %ld bytes long, should be %d.\n",
+ kd_len, KD_LENGTH);
+ g_free(kd);
+ return FALSE;
}
- g_free(hash);
+
+ input_kd = _make_key_deriv(input, rounds, KD_LENGTH);
+ ret = memcmp(kd, input_kd, kd_len);
+
+ g_free(input_kd);
+ g_free(kd);
+
+ if (ret == 0)
+ return TRUE;
return FALSE;
}
-void master_password_forget()
+gboolean master_passphrase_is_entered()
{
- /* If master password is currently in memory (entered by user),
+ return (_master_passphrase == NULL) ? FALSE : TRUE;
+}
+
+void master_passphrase_forget()
+{
+ /* If master passphrase is currently in memory (entered by user),
* get rid of it. User will have to enter the new one again. */
- if (_master_password != NULL) {
- memset(_master_password, 0, strlen(_master_password));
- g_free(_master_password);
+ if (_master_passphrase != NULL) {
+ memset(_master_passphrase, 0, strlen(_master_passphrase));
+ g_free(_master_passphrase);
+ _master_passphrase = NULL;
}
- _master_password = NULL;
}
-void master_password_change(const gchar *newp)
+void master_passphrase_change(const gchar *oldp, const gchar *newp)
{
- gchar *pwd, *newpwd;
- const gchar *oldp;
- GList *cur;
- PrefsAccount *acc;
+ guchar *kd;
+ gchar *base64_kd;
+ guint rounds = prefs_common_get_prefs()->master_passphrase_pbkdf2_rounds;
- /* Make sure the user has to enter the master password before
- * being able to change it. */
- master_password_forget();
+ g_return_if_fail(rounds > 0);
- oldp = master_password();
+ if (oldp == NULL) {
+ /* If oldp is NULL, make sure the user has to enter the
+ * current master passphrase before being able to change it. */
+ master_passphrase_forget();
+ oldp = master_passphrase();
+ }
g_return_if_fail(oldp != NULL);
- /* Update master password hash in prefs */
- if (prefs_common_get_prefs()->master_password_hash != NULL)
- g_free(prefs_common_get_prefs()->master_password_hash);
+ /* Update master passphrase hash in prefs */
+ if (prefs_common_get_prefs()->master_passphrase != NULL)
+ g_free(prefs_common_get_prefs()->master_passphrase);
if (newp != NULL) {
- debug_print("Storing hash of new master password\n");
- prefs_common_get_prefs()->master_password_hash =
- g_compute_checksum_for_string(G_CHECKSUM_SHA512, newp, -1);
+ debug_print("Storing key derivation of new master passphrase\n");
+ kd = _make_key_deriv(newp, rounds, KD_LENGTH);
+ base64_kd = g_base64_encode(kd, 64);
+ prefs_common_get_prefs()->master_passphrase =
+ g_strdup_printf("{PBKDF2-HMAC-SHA1,%d}%s", rounds, base64_kd);
+ g_free(kd);
+ g_free(base64_kd);
} else {
- debug_print("Setting master_password_hash to NULL\n");
- prefs_common_get_prefs()->master_password_hash = NULL;
+ debug_print("Setting master_passphrase to NULL\n");
+ prefs_common_get_prefs()->master_passphrase = NULL;
}
/* Now go over all accounts, reencrypting their passwords using
- * the new master password. */
+ * the new master passphrase. */
if (oldp == NULL)
oldp = PASSCRYPT_KEY;
newp = PASSCRYPT_KEY;
debug_print("Reencrypting all account passwords...\n");
- for (cur = account_get_list(); cur != NULL; cur = cur->next) {
- acc = (PrefsAccount *)cur->data;
- debug_print("account %s\n", acc->account_name);
-
- /* Password for receiving */
- if (acc->passwd != NULL && strlen(acc->passwd) > 0) {
- pwd = password_decrypt(acc->passwd, oldp);
- if (pwd == NULL) {
- debug_print("failed to decrypt recv password with old master password\n");
- } else {
- newpwd = password_encrypt(pwd, newp);
- memset(pwd, 0, strlen(pwd));
- g_free(pwd);
- if (newpwd == NULL) {
- debug_print("failed to encrypt recv password with new master password\n");
- } else {
- g_free(acc->passwd);
- acc->passwd = newpwd;
- }
- }
- }
-
- /* Password for sending */
- if (acc->smtp_passwd != NULL && strlen(acc->smtp_passwd) > 0) {
- pwd = password_decrypt(acc->smtp_passwd, oldp);
- if (pwd == NULL) {
- debug_print("failed to decrypt smtp password with old master password\n");
- } else {
- newpwd = password_encrypt(pwd, newp);
- memset(pwd, 0, strlen(pwd));
- g_free(pwd);
- if (newpwd == NULL) {
- debug_print("failed to encrypt smtp password with new master password\n");
- } else {
- g_free(acc->smtp_passwd);
- acc->smtp_passwd = newpwd;
- }
- }
- }
- }
+ passwd_store_reencrypt_all(oldp, newp);
- master_password_forget();
+ master_passphrase_forget();
}
#endif
#ifdef PASSWORD_CRYPTO_GNUTLS
#define BUFSIZE 128
+/* Since we can't count on having GnuTLS new enough to have
+ * gnutls_cipher_get_iv_size(), we hardcode the IV length for now. */
+#define IVLEN 16
+
gchar *password_encrypt_gnutls(const gchar *password,
- const gchar *encryption_password)
+ const gchar *encryption_passphrase)
{
- /* Another, slightly inferior combination is AES-128-CBC + SHA-256.
- * Any block cipher in CBC mode with keysize N and a hash algo with
- * digest length 2*N would do. */
gnutls_cipher_algorithm_t algo = GNUTLS_CIPHER_AES_256_CBC;
- gnutls_digest_algorithm_t digest = GNUTLS_DIG_SHA512;
gnutls_cipher_hd_t handle;
gnutls_datum_t key, iv;
- int ivlen, keylen, digestlen, blocklen, ret, i;
- unsigned char hashbuf[BUFSIZE], *buf, *encbuf, *base, *output;
-#ifdef G_OS_UNIX
- int rnd;
-#endif
+ int keylen, blocklen, ret;
+ unsigned char *buf, *encbuf, *base, *output;
+ guint rounds = prefs_common_get_prefs()->master_passphrase_pbkdf2_rounds;
g_return_val_if_fail(password != NULL, NULL);
- g_return_val_if_fail(encryption_password != NULL, NULL);
+ g_return_val_if_fail(encryption_passphrase != NULL, NULL);
- ivlen = gnutls_cipher_get_iv_size(algo);
+/* ivlen = gnutls_cipher_get_iv_size(algo);*/
keylen = gnutls_cipher_get_key_size(algo);
blocklen = gnutls_cipher_get_block_size(algo);
- digestlen = gnutls_hash_get_len(digest);
-
- /* Prepare key for cipher - first half of hash of passkey XORed with
- * the second. */
- memset(&hashbuf, 0, BUFSIZE);
- if ((ret = gnutls_hash_fast(digest, encryption_password,
- strlen(encryption_password), &hashbuf)) < 0) {
- debug_print("Hashing passkey failed: %s\n", gnutls_strerror(ret));
- return NULL;
- }
- for (i = 0; i < digestlen/2; i++) {
- hashbuf[i] = hashbuf[i] ^ hashbuf[i+digestlen/2];
- }
+/* digestlen = gnutls_hash_get_len(digest); */
- key.data = malloc(keylen);
- memcpy(key.data, &hashbuf, keylen);
+ /* Take the passphrase and compute a key derivation of suitable
+ * length to be used as encryption key for our block cipher. */
+ key.data = _make_key_deriv(encryption_passphrase, rounds, keylen);
key.size = keylen;
-#ifdef G_OS_UNIX
- /* Prepare our source of random data. */
- rnd = open("/dev/urandom", O_RDONLY);
- if (rnd == -1) {
- perror("fopen on /dev/urandom");
- g_free(key.data);
- g_free(iv.data);
- return NULL;
- }
-#endif
-
/* Prepare random IV for cipher */
- iv.data = malloc(ivlen);
- iv.size = ivlen;
-#ifdef G_OS_UNIX
- ret = read(rnd, iv.data, ivlen);
- if (ret != ivlen) {
- perror("read into iv");
+ iv.data = malloc(IVLEN);
+ iv.size = IVLEN;
+ if (!get_random_bytes(iv.data, IVLEN)) {
g_free(key.data);
g_free(iv.data);
- close(rnd);
return NULL;
}
-#endif
/* Initialize the encryption */
ret = gnutls_cipher_init(&handle, algo, &key, &iv);
if (ret < 0) {
g_free(key.data);
g_free(iv.data);
-#ifdef G_OS_UNIX
- close(rnd);
-#endif
return NULL;
}
* rest with zero bytes. */
buf = malloc(BUFSIZE + blocklen);
memset(buf, 0, BUFSIZE);
-#ifdef G_OS_UNIX
- ret = read(rnd, buf, blocklen);
- if (ret != blocklen) {
- perror("read into buffer");
+ if (!get_random_bytes(buf, blocklen)) {
g_free(buf);
g_free(key.data);
g_free(iv.data);
- close(rnd);
gnutls_cipher_deinit(handle);
return NULL;
}
- /* We don't need any more random data. */
- close(rnd);
-#endif
-
memcpy(buf + blocklen, password, strlen(password));
/* Encrypt into encbuf */
g_free(buf);
/* And finally prepare the resulting string:
- * "{algorithm}base64encodedciphertext" */
+ * "{algorithm,rounds}base64encodedciphertext" */
base = g_base64_encode(encbuf, BUFSIZE);
g_free(encbuf);
- output = g_strdup_printf("{%s}%s", gnutls_cipher_get_name(algo), base);
+ output = g_strdup_printf("{%s,%d}%s",
+ gnutls_cipher_get_name(algo), rounds, base);
g_free(base);
return output;
}
gchar *password_decrypt_gnutls(const gchar *password,
- const gchar *decryption_password)
+ const gchar *decryption_passphrase)
{
gchar **tokens, *tmp;
gnutls_cipher_algorithm_t algo;
- gnutls_digest_algorithm_t digest = GNUTLS_DIG_UNKNOWN;
gnutls_cipher_hd_t handle;
gnutls_datum_t key, iv;
- int ivlen, keylen, digestlen, blocklen, ret, i;
+ int keylen, blocklen, ret;
gsize len;
- unsigned char hashbuf[BUFSIZE], *buf;
-#ifdef G_OS_UNIX
- int rnd;
-#endif
+ unsigned char *buf;
+ guint rounds;
+ size_t commapos;
g_return_val_if_fail(password != NULL, NULL);
- g_return_val_if_fail(decryption_password != NULL, NULL);
+ g_return_val_if_fail(decryption_passphrase != NULL, NULL);
tokens = g_strsplit_set(password, "{}", 3);
/* Parse the string, retrieving algorithm and encrypted data.
- * We expect "{algorithm}base64encodedciphertext". */
- if (strlen(tokens[0]) != 0 ||
- (algo = gnutls_cipher_get_id(tokens[1])) == GNUTLS_CIPHER_UNKNOWN ||
- strlen(tokens[2]) == 0)
+ * We expect "{algorithm,rounds}base64encodedciphertext". */
+ if (tokens[0] == NULL || strlen(tokens[0]) != 0 ||
+ tokens[1] == NULL || strlen(tokens[1]) == 0 ||
+ tokens[2] == NULL || strlen(tokens[2]) == 0) {
+ debug_print("Garbled password string.\n");
+ g_strfreev(tokens);
return NULL;
-
- /* Our hash algo needs to have digest length twice as long as our
- * cipher algo's key length. */
- if (algo == GNUTLS_CIPHER_AES_256_CBC) {
- debug_print("Using AES-256-CBC + SHA-512 for decryption\n");
- digest = GNUTLS_DIG_SHA512;
- } else if (algo == GNUTLS_CIPHER_AES_128_CBC) {
- debug_print("Using AES-128-CBC + SHA-256 for decryption\n");
- digest = GNUTLS_DIG_SHA256;
}
- if (digest == GNUTLS_DIG_UNKNOWN) {
- debug_print("Password is encrypted with unsupported cipher, giving up.\n");
+
+ commapos = strcspn(tokens[1], ",");
+ if (commapos == strlen(tokens[1]) || commapos == 0) {
+ debug_print("Garbled algorithm substring.\n");
g_strfreev(tokens);
return NULL;
}
- ivlen = gnutls_cipher_get_iv_size(algo);
- keylen = gnutls_cipher_get_key_size(algo);
- blocklen = gnutls_cipher_get_block_size(algo);
- digestlen = gnutls_hash_get_len(digest);
-
- /* Prepare key for cipher - first half of hash of passkey XORed with
- * the second. AES-256 has key length 32 and length of SHA-512 hash
- * is exactly twice that, 64. */
- memset(&hashbuf, 0, BUFSIZE);
- if ((ret = gnutls_hash_fast(digest, decryption_password,
- strlen(decryption_password), &hashbuf)) < 0) {
- debug_print("Hashing passkey failed: %s\n", gnutls_strerror(ret));
+ buf = g_strndup(tokens[1], commapos);
+ if ((algo = gnutls_cipher_get_id(buf)) == GNUTLS_CIPHER_UNKNOWN) {
+ debug_print("Password string has unknown algorithm: '%s'\n", buf);
+ g_free(buf);
g_strfreev(tokens);
return NULL;
}
- for (i = 0; i < digestlen/2; i++) {
- hashbuf[i] = hashbuf[i] ^ hashbuf[i+digestlen/2];
- }
-
- key.data = malloc(keylen);
- memcpy(key.data, &hashbuf, keylen);
- key.size = keylen;
+ g_free(buf);
-#ifdef G_OS_UNIX
- /* Prepare our source of random data. */
- rnd = open("/dev/urandom", O_RDONLY);
- if (rnd == -1) {
- perror("fopen on /dev/urandom");
- g_free(key.data);
- g_free(iv.data);
+ if ((rounds = atoi(tokens[1] + commapos + 1)) <= 0) {
+ debug_print("Invalid number of rounds: %d\n", rounds);
g_strfreev(tokens);
return NULL;
}
-#endif
+
+/* ivlen = gnutls_cipher_get_iv_size(algo); */
+ keylen = gnutls_cipher_get_key_size(algo);
+ blocklen = gnutls_cipher_get_block_size(algo);
+/* digestlen = gnutls_hash_get_len(digest); */
+
+ /* Take the passphrase and compute a key derivation of suitable
+ * length to be used as encryption key for our block cipher. */
+ key.data = _make_key_deriv(decryption_passphrase, rounds, keylen);
+ key.size = keylen;
/* Prepare random IV for cipher */
- iv.data = malloc(ivlen);
- iv.size = ivlen;
-#ifdef G_OS_UNIX
- ret = read(rnd, iv.data, ivlen);
- if (ret != ivlen) {
- perror("read into iv");
+ iv.data = malloc(IVLEN);
+ iv.size = IVLEN;
+ if (!get_random_bytes(iv.data, IVLEN)) {
g_free(key.data);
g_free(iv.data);
g_strfreev(tokens);
- close(rnd);
return NULL;
}
- /* We don't need any more random data. */
- close(rnd);
-#endif
-
/* Prepare encrypted password string for decryption. */
tmp = g_base64_decode(tokens[2], &len);
g_strfreev(tokens);
#endif
gchar *password_encrypt(const gchar *password,
- const gchar *encryption_password)
+ const gchar *encryption_passphrase)
{
if (password == NULL || strlen(password) == 0) {
return NULL;
}
#ifndef PASSWORD_CRYPTO_OLD
- if (encryption_password == NULL)
- encryption_password = master_password();
-
- return password_encrypt_real(password, encryption_password);
-#endif
+ if (encryption_passphrase == NULL)
+ encryption_passphrase = master_passphrase();
+ return password_encrypt_real(password, encryption_passphrase);
+#else
return password_encrypt_old(password);
+#endif
}
gchar *password_decrypt(const gchar *password,
- const gchar *decryption_password)
+ const gchar *decryption_passphrase)
{
if (password == NULL || strlen(password) == 0) {
return NULL;
/* Try available crypto backend */
#ifndef PASSWORD_CRYPTO_OLD
- if (decryption_password == NULL)
- decryption_password = master_password();
+ if (decryption_passphrase == NULL)
+ decryption_passphrase = master_passphrase();
if (*password == '{') {
debug_print("Trying to decrypt password...\n");
- return password_decrypt_real(password, decryption_password);
+ return password_decrypt_real(password, decryption_passphrase);
}
#endif