Close PRNG source after reading our PBKDF2 salt from it.

[claws.git] / src / password.c

diff --git a/src/password.c b/src/password.c
index bda205f6e0f36a524c0966c5926c4acd3fadfbdd..461a5b7fa960cf65683570a18f36cd0a0b98e69c 100644 (file)
--- a/src/password.c
+++ b/src/password.c
@@ -40,6 +40,7 @@
 
 #include "common/passcrypt.h"
 #include "common/plugin.h"
+#include "common/pkcs5_pbkdf2.h"
 #include "common/utils.h"
 #include "account.h"
 #include "alertpanel.h"
@@ -51,6 +52,93 @@
 #ifndef PASSWORD_CRYPTO_OLD
 static gchar *_master_passphrase = NULL;
 
+/* Length of stored key derivation, before base64. */
+#define KD_LENGTH 64
+
+/* Length of randomly generated and saved salt, used for key derivation.
+ * Also before base64. */
+#define KD_SALT_LENGTH 64
+
+static void _generate_salt()
+{
+#if defined G_OS_UNIX
+       int rnd;
+#elif defined G_OS_WIN32
+       HCRYPTPROV rnd;
+#endif
+       gint ret;
+       guchar salt[KD_SALT_LENGTH];
+
+       if (prefs_common_get_prefs()->master_passphrase_salt != NULL) {
+               g_free(prefs_common_get_prefs()->master_passphrase_salt);
+       }
+
+       /* Prepare our source of random data. */
+#if defined G_OS_UNIX
+       rnd = open("/dev/urandom", O_RDONLY);
+       if (rnd == -1) {
+               perror("fopen on /dev/urandom");
+#elif defined G_OS_WIN32
+       if (!CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, 0) &&
+                       !CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
+               debug_print("Could not acquire a CSP handle.\n");
+#endif
+               return;
+       }
+
+#if defined G_OS_UNIX
+       ret = read(rnd, salt, KD_SALT_LENGTH);
+       if (ret != KD_SALT_LENGTH) {
+               perror("read into salt");
+               close(rnd);
+#elif defined G_OS_WIN32
+       if (!CryptGenRandom(rnd, KD_SALT_LENGTH, salt)) {
+               debug_print("Could not read random data for salt\n");
+               CryptReleaseContext(rnd, 0);
+#endif
+               return;
+       }
+
+#if defined G_OS_UNIX
+       close(rnd);
+#elif defined G_OS_WIN32
+       CryptReleaseContext(rnd, 0);
+#endif
+
+       prefs_common_get_prefs()->master_passphrase_salt =
+               g_base64_encode(salt, KD_SALT_LENGTH);
+}
+
+#undef KD_SALT_LENGTH
+
+static guchar *_make_key_deriv(const gchar *passphrase, guint rounds)
+{
+       guchar *kd, *salt;
+       gchar *saltpref = prefs_common_get_prefs()->master_passphrase_salt;
+       gsize saltlen;
+       gint ret;
+
+       /* Grab our salt, generating and saving a new random one if needed. */
+       if (saltpref == NULL || strlen(saltpref) == 0) {
+               _generate_salt();
+               saltpref = prefs_common_get_prefs()->master_passphrase_salt;
+       }
+       salt = g_base64_decode(saltpref, &saltlen);
+       kd = g_malloc0(KD_LENGTH);
+
+       ret = pkcs5_pbkdf2(passphrase, strlen(passphrase), salt, saltlen,
+                       kd, KD_LENGTH, rounds);
+
+       g_free(salt);
+
+       if (ret == 0) {
+               return kd;
+       }
+
+       g_free(kd);
+       return NULL;
+}
+
 static const gchar *master_passphrase()
 {
        gchar *input;
@@ -88,8 +176,8 @@ static const gchar *master_passphrase()
 
 const gboolean master_passphrase_is_set()
 {
-       if (prefs_common_get_prefs()->master_passphrase_hash == NULL
-                       || strlen(prefs_common_get_prefs()->master_passphrase_hash) == 0)
+       if (prefs_common_get_prefs()->master_passphrase == NULL
+                       || strlen(prefs_common_get_prefs()->master_passphrase) == 0)
                return FALSE;
 
        return TRUE;
@@ -97,28 +185,52 @@ const gboolean master_passphrase_is_set()
 
 const gboolean master_passphrase_is_correct(const gchar *input)
 {
-       gchar *hash;
-       gchar *stored_hash = prefs_common_get_prefs()->master_passphrase_hash;
-       const GChecksumType hashtype = G_CHECKSUM_SHA512;
-       const gssize hashlen = g_checksum_type_get_length(hashtype);
-       gssize stored_len;
-
+       guchar *kd, *input_kd;
+       gchar **tokens;
+       gchar *stored_kd = prefs_common_get_prefs()->master_passphrase;
+       gsize kd_len;
+       guint rounds = 0;
+       gint ret;
+
+       g_return_val_if_fail(stored_kd != NULL && strlen(stored_kd) > 0, FALSE);
        g_return_val_if_fail(input != NULL, FALSE);
 
-       if (stored_hash == NULL)
+       if (stored_kd == NULL)
                return FALSE;
 
-       debug_print("|stored_hash|%s|\n", stored_hash);
-       stored_len = strlen(stored_hash);
-       g_return_val_if_fail(stored_len == 2*hashlen, FALSE);
+       tokens = g_strsplit_set(stored_kd, "{}", 3);
+       if (tokens[0] == NULL ||
+                       strlen(tokens[0]) != 0 || /* nothing before { */
+                       tokens[1] == NULL ||
+                       strncmp(tokens[1], "PBKDF2-HMAC-SHA1,", 17) || /* correct tag */
+                       strlen(tokens[1]) <= 17 || /* something after , */
+                       (rounds = atoi(tokens[1] + 17)) <= 0 || /* valid rounds # */
+                       tokens[2] == NULL ||
+                       strlen(tokens[2]) == 0) { /* string continues after } */
+               debug_print("Mangled master_passphrase format in config, can not use it.\n");
+               g_strfreev(tokens);
+               return FALSE;
+       }
 
-       hash = g_compute_checksum_for_string(hashtype, input, -1);
+       stored_kd = tokens[2];
+       kd = g_base64_decode(stored_kd, &kd_len); /* should be 64 */
+       g_strfreev(tokens);
 
-       if (!strncasecmp(hash, stored_hash, stored_len)) {
-               g_free(hash);
-               return TRUE;
+       if (kd_len != KD_LENGTH) {
+               debug_print("master_passphrase is %ld bytes long, should be %d.\n",
+                               kd_len, KD_LENGTH);
+               g_free(kd);
+               return FALSE;
        }
-       g_free(hash);
+
+       input_kd = _make_key_deriv(input, rounds);
+       ret = memcmp(kd, input_kd, kd_len);
+
+       g_free(input_kd);
+       g_free(kd);
+
+       if (ret == 0)
+               return TRUE;
 
        return FALSE;
 }
@@ -135,12 +247,18 @@ void master_passphrase_forget()
        if (_master_passphrase != NULL) {
                memset(_master_passphrase, 0, strlen(_master_passphrase));
                g_free(_master_passphrase);
+               _master_passphrase = NULL;
        }
-       _master_passphrase = NULL;
 }
 
 void master_passphrase_change(const gchar *oldp, const gchar *newp)
 {
+       guchar *kd;
+       gchar *base64_kd;
+       guint rounds = prefs_common_get_prefs()->master_passphrase_pbkdf2_rounds;
+
+       g_return_if_fail(rounds > 0);
+
        if (oldp == NULL) {
                /* If oldp is NULL, make sure the user has to enter the
                 * current master passphrase before being able to change it. */
@@ -150,16 +268,20 @@ void master_passphrase_change(const gchar *oldp, const gchar *newp)
        g_return_if_fail(oldp != NULL);
 
        /* Update master passphrase hash in prefs */
-       if (prefs_common_get_prefs()->master_passphrase_hash != NULL)
-               g_free(prefs_common_get_prefs()->master_passphrase_hash);
+       if (prefs_common_get_prefs()->master_passphrase != NULL)
+               g_free(prefs_common_get_prefs()->master_passphrase);
 
        if (newp != NULL) {
-               debug_print("Storing hash of new master passphrase\n");
-               prefs_common_get_prefs()->master_passphrase_hash =
-                       g_compute_checksum_for_string(G_CHECKSUM_SHA512, newp, -1);
+               debug_print("Storing key derivation of new master passphrase\n");
+               kd = _make_key_deriv(newp, rounds);
+               base64_kd = g_base64_encode(kd, 64);
+               prefs_common_get_prefs()->master_passphrase =
+                       g_strdup_printf("{PBKDF2-HMAC-SHA1,%d}%s", rounds, base64_kd);
+               g_free(kd);
+               g_free(base64_kd);
        } else {
-               debug_print("Setting master_passphrase_hash to NULL\n");
-               prefs_common_get_prefs()->master_passphrase_hash = NULL;
+               debug_print("Setting master_passphrase to NULL\n");
+               prefs_common_get_prefs()->master_passphrase = NULL;
        }
 
        /* Now go over all accounts, reencrypting their passwords using
@@ -221,6 +343,10 @@ gchar *password_decrypt_old(const gchar *password)
 #ifdef PASSWORD_CRYPTO_GNUTLS
 #define BUFSIZE 128
 
+/* Since we can't count on having GnuTLS new enough to have
+ * gnutls_cipher_get_iv_size(), we hardcode the IV length for now. */
+#define IVLEN 16
+
 gchar *password_encrypt_gnutls(const gchar *password,
                const gchar *encryption_passphrase)
 {
@@ -231,7 +357,7 @@ gchar *password_encrypt_gnutls(const gchar *password,
        gnutls_digest_algorithm_t digest = GNUTLS_DIG_SHA512;
        gnutls_cipher_hd_t handle;
        gnutls_datum_t key, iv;
-       int ivlen, keylen, digestlen, blocklen, ret, i;
+       int keylen, digestlen, blocklen, ret, i;
        unsigned char hashbuf[BUFSIZE], *buf, *encbuf, *base, *output;
 #if defined G_OS_UNIX
        int rnd;
@@ -242,7 +368,7 @@ gchar *password_encrypt_gnutls(const gchar *password,
        g_return_val_if_fail(password != NULL, NULL);
        g_return_val_if_fail(encryption_passphrase != NULL, NULL);
 
-       ivlen = gnutls_cipher_get_iv_size(algo);
+/*     ivlen = gnutls_cipher_get_iv_size(algo);*/
        keylen = gnutls_cipher_get_key_size(algo);
        blocklen = gnutls_cipher_get_block_size(algo);
        digestlen = gnutls_hash_get_len(digest);
@@ -274,20 +400,19 @@ gchar *password_encrypt_gnutls(const gchar *password,
                debug_print("Could not acquire a CSP handle.\n");
 #endif
                g_free(key.data);
-               g_free(iv.data);
                return NULL;
        }
 
        /* Prepare random IV for cipher */
-       iv.data = malloc(ivlen);
-       iv.size = ivlen;
+       iv.data = malloc(IVLEN);
+       iv.size = IVLEN;
 #if defined G_OS_UNIX
-       ret = read(rnd, iv.data, ivlen);
-       if (ret != ivlen) {
+       ret = read(rnd, iv.data, IVLEN);
+       if (ret != IVLEN) {
                perror("read into iv");
                close(rnd);
 #elif defined G_OS_WIN32
-       if (!CryptGenRandom(rnd, ivlen, iv.data)) {
+       if (!CryptGenRandom(rnd, IVLEN, iv.data)) {
                debug_print("Could not read random data for IV\n");
                CryptReleaseContext(rnd, 0);
 #endif
@@ -377,7 +502,7 @@ gchar *password_decrypt_gnutls(const gchar *password,
        gnutls_digest_algorithm_t digest = GNUTLS_DIG_UNKNOWN;
        gnutls_cipher_hd_t handle;
        gnutls_datum_t key, iv;
-       int ivlen, keylen, digestlen, blocklen, ret, i;
+       int keylen, digestlen, blocklen, ret, i;
        gsize len;
        unsigned char hashbuf[BUFSIZE], *buf;
 #if defined G_OS_UNIX
@@ -413,7 +538,7 @@ gchar *password_decrypt_gnutls(const gchar *password,
                return NULL;
        }
 
-       ivlen = gnutls_cipher_get_iv_size(algo);
+/*     ivlen = gnutls_cipher_get_iv_size(algo); */
        keylen = gnutls_cipher_get_key_size(algo);
        blocklen = gnutls_cipher_get_block_size(algo);
        digestlen = gnutls_hash_get_len(digest);
@@ -447,21 +572,20 @@ gchar *password_decrypt_gnutls(const gchar *password,
                debug_print("Could not acquire a CSP handle.\n");
 #endif
                g_free(key.data);
-               g_free(iv.data);
                g_strfreev(tokens);
                return NULL;
        }
 
        /* Prepare random IV for cipher */
-       iv.data = malloc(ivlen);
-       iv.size = ivlen;
+       iv.data = malloc(IVLEN);
+       iv.size = IVLEN;
 #if defined G_OS_UNIX
-       ret = read(rnd, iv.data, ivlen);
-       if (ret != ivlen) {
+       ret = read(rnd, iv.data, IVLEN);
+       if (ret != IVLEN) {
                perror("read into iv");
                close(rnd);
 #elif defined G_OS_WIN32
-       if (!CryptGenRandom(rnd, ivlen, iv.data)) {
+       if (!CryptGenRandom(rnd, IVLEN, iv.data)) {
                debug_print("Could not read random data for IV\n");
                CryptReleaseContext(rnd, 0);
 #endif
@@ -530,9 +654,9 @@ gchar *password_encrypt(const gchar *password,
                encryption_passphrase = master_passphrase();
 
        return password_encrypt_real(password, encryption_passphrase);
-#endif
-
+#else
        return password_encrypt_old(password);
+#endif
 }
 
 gchar *password_decrypt(const gchar *password,