#include "common/passcrypt.h"
#include "common/plugin.h"
#include "common/pkcs5_pbkdf2.h"
+#include "common/timing.h"
#include "common/utils.h"
#include "account.h"
#include "alertpanel.h"
static void _generate_salt()
{
-#if defined G_OS_UNIX
- int rnd;
-#elif defined G_OS_WIN32
- HCRYPTPROV rnd;
-#endif
- gint ret;
guchar salt[KD_SALT_LENGTH];
if (prefs_common_get_prefs()->master_passphrase_salt != NULL) {
g_free(prefs_common_get_prefs()->master_passphrase_salt);
}
- /* Prepare our source of random data. */
-#if defined G_OS_UNIX
- rnd = open("/dev/urandom", O_RDONLY);
- if (rnd == -1) {
- perror("fopen on /dev/urandom");
-#elif defined G_OS_WIN32
- if (!CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, 0) &&
- !CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
- debug_print("Could not acquire a CSP handle.\n");
-#endif
- return;
- }
-
-#if defined G_OS_UNIX
- ret = read(rnd, salt, KD_SALT_LENGTH);
- if (ret != KD_SALT_LENGTH) {
- perror("read into salt");
- close(rnd);
-#elif defined G_OS_WIN32
- if (!CryptGenRandom(rnd, KD_SALT_LENGTH, salt)) {
- debug_print("Could not read random data for salt\n");
- CryptReleaseContext(rnd, 0);
-#endif
+ if (!get_random_bytes(salt, KD_SALT_LENGTH)) {
+ debug_print("Could not get random bytes for kd salt.\n");
return;
}
-#if defined G_OS_UNIX
- close(rnd);
-#elif defined G_OS_WIN32
- CryptReleaseContext(rnd, 0);
-#endif
-
prefs_common_get_prefs()->master_passphrase_salt =
g_base64_encode(salt, KD_SALT_LENGTH);
}
#undef KD_SALT_LENGTH
-static guchar *_make_key_deriv(const gchar *passphrase, guint rounds)
+static guchar *_make_key_deriv(const gchar *passphrase, guint rounds,
+ guint length)
{
guchar *kd, *salt;
gchar *saltpref = prefs_common_get_prefs()->master_passphrase_salt;
saltpref = prefs_common_get_prefs()->master_passphrase_salt;
}
salt = g_base64_decode(saltpref, &saltlen);
- kd = g_malloc0(KD_LENGTH);
+ kd = g_malloc0(length);
+ START_TIMING("PBKDF2");
ret = pkcs5_pbkdf2(passphrase, strlen(passphrase), salt, saltlen,
- kd, KD_LENGTH, rounds);
+ kd, length, rounds);
+ END_TIMING();
g_free(salt);
return NULL;
}
-static const gchar *master_passphrase()
+const gchar *master_passphrase()
{
gchar *input;
gboolean end = FALSE;
return _master_passphrase;
}
-const gboolean master_passphrase_is_set()
+gboolean master_passphrase_is_set()
{
if (prefs_common_get_prefs()->master_passphrase == NULL
|| strlen(prefs_common_get_prefs()->master_passphrase) == 0)
return TRUE;
}
-const gboolean master_passphrase_is_correct(const gchar *input)
+gboolean master_passphrase_is_correct(const gchar *input)
{
guchar *kd, *input_kd;
gchar **tokens;
return FALSE;
}
- input_kd = _make_key_deriv(input, rounds);
+ input_kd = _make_key_deriv(input, rounds, KD_LENGTH);
ret = memcmp(kd, input_kd, kd_len);
g_free(input_kd);
if (newp != NULL) {
debug_print("Storing key derivation of new master passphrase\n");
- kd = _make_key_deriv(newp, rounds);
+ kd = _make_key_deriv(newp, rounds, KD_LENGTH);
base64_kd = g_base64_encode(kd, 64);
prefs_common_get_prefs()->master_passphrase =
g_strdup_printf("{PBKDF2-HMAC-SHA1,%d}%s", rounds, base64_kd);
debug_print("Reencrypting all account passwords...\n");
passwd_store_reencrypt_all(oldp, newp);
- /* Now reencrypt all plugins passwords fields
- * FIXME: Unloaded plugins won't be able to update their stored passwords
- */
- plugins_master_passphrase_change(oldp, newp);
-
master_passphrase_forget();
}
#endif
gchar *password_encrypt_gnutls(const gchar *password,
const gchar *encryption_passphrase)
{
- /* Another, slightly inferior combination is AES-128-CBC + SHA-256.
- * Any block cipher in CBC mode with keysize N and a hash algo with
- * digest length 2*N would do. */
gnutls_cipher_algorithm_t algo = GNUTLS_CIPHER_AES_256_CBC;
- gnutls_digest_algorithm_t digest = GNUTLS_DIG_SHA512;
gnutls_cipher_hd_t handle;
gnutls_datum_t key, iv;
- int keylen, digestlen, blocklen, ret, i;
- unsigned char hashbuf[BUFSIZE], *buf, *encbuf, *base, *output;
-#if defined G_OS_UNIX
- int rnd;
-#elif defined G_OS_WIN32
- HCRYPTPROV rnd;
-#endif
+ int keylen, blocklen, ret;
+ unsigned char *buf, *encbuf, *base, *output;
+ guint rounds = prefs_common_get_prefs()->master_passphrase_pbkdf2_rounds;
g_return_val_if_fail(password != NULL, NULL);
g_return_val_if_fail(encryption_passphrase != NULL, NULL);
/* ivlen = gnutls_cipher_get_iv_size(algo);*/
keylen = gnutls_cipher_get_key_size(algo);
blocklen = gnutls_cipher_get_block_size(algo);
- digestlen = gnutls_hash_get_len(digest);
-
- /* Prepare key for cipher - first half of hash of passkey XORed with
- * the second. */
- memset(&hashbuf, 0, BUFSIZE);
- if ((ret = gnutls_hash_fast(digest, encryption_passphrase,
- strlen(encryption_passphrase), &hashbuf)) < 0) {
- debug_print("Hashing passkey failed: %s\n", gnutls_strerror(ret));
- return NULL;
- }
- for (i = 0; i < digestlen/2; i++) {
- hashbuf[i] = hashbuf[i] ^ hashbuf[i+digestlen/2];
- }
+/* digestlen = gnutls_hash_get_len(digest); */
- key.data = malloc(keylen);
- memcpy(key.data, &hashbuf, keylen);
+ /* Take the passphrase and compute a key derivation of suitable
+ * length to be used as encryption key for our block cipher. */
+ key.data = _make_key_deriv(encryption_passphrase, rounds, keylen);
key.size = keylen;
- /* Prepare our source of random data. */
-#if defined G_OS_UNIX
- rnd = open("/dev/urandom", O_RDONLY);
- if (rnd == -1) {
- perror("fopen on /dev/urandom");
-#elif defined G_OS_WIN32
- if (!CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, 0) &&
- !CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
- debug_print("Could not acquire a CSP handle.\n");
-#endif
- g_free(key.data);
- return NULL;
- }
-
/* Prepare random IV for cipher */
iv.data = malloc(IVLEN);
iv.size = IVLEN;
-#if defined G_OS_UNIX
- ret = read(rnd, iv.data, IVLEN);
- if (ret != IVLEN) {
- perror("read into iv");
- close(rnd);
-#elif defined G_OS_WIN32
- if (!CryptGenRandom(rnd, IVLEN, iv.data)) {
- debug_print("Could not read random data for IV\n");
- CryptReleaseContext(rnd, 0);
-#endif
+ if (!get_random_bytes(iv.data, IVLEN)) {
g_free(key.data);
g_free(iv.data);
return NULL;
if (ret < 0) {
g_free(key.data);
g_free(iv.data);
-#if defined G_OS_UNIX
- close(rnd);
-#elif defined G_OS_WIN32
- CryptReleaseContext(rnd, 0);
-#endif
return NULL;
}
/* Fill buf with one block of random data, our password, pad the
* rest with zero bytes. */
buf = malloc(BUFSIZE + blocklen);
- memset(buf, 0, BUFSIZE);
-#if defined G_OS_UNIX
- ret = read(rnd, buf, blocklen);
- if (ret != blocklen) {
- perror("read into buffer");
- close(rnd);
-#elif defined G_OS_WIN32
- if (!CryptGenRandom(rnd, blocklen, buf)) {
- debug_print("Could not read random data for IV\n");
- CryptReleaseContext(rnd, 0);
-#endif
+ memset(buf, 0, BUFSIZE + blocklen);
+ if (!get_random_bytes(buf, blocklen)) {
g_free(buf);
g_free(key.data);
g_free(iv.data);
return NULL;
}
- /* We don't need any more random data. */
-#if defined G_OS_UNIX
- close(rnd);
-#elif defined G_OS_WIN32
- CryptReleaseContext(rnd, 0);
-#endif
-
memcpy(buf + blocklen, password, strlen(password));
/* Encrypt into encbuf */
g_free(buf);
/* And finally prepare the resulting string:
- * "{algorithm}base64encodedciphertext" */
- base = g_base64_encode(encbuf, BUFSIZE);
+ * "{algorithm,rounds}base64encodedciphertext" */
+ base = g_base64_encode(encbuf, BUFSIZE + blocklen);
g_free(encbuf);
- output = g_strdup_printf("{%s}%s", gnutls_cipher_get_name(algo), base);
+ output = g_strdup_printf("{%s,%d}%s",
+ gnutls_cipher_get_name(algo), rounds, base);
g_free(base);
return output;
{
gchar **tokens, *tmp;
gnutls_cipher_algorithm_t algo;
- gnutls_digest_algorithm_t digest = GNUTLS_DIG_UNKNOWN;
gnutls_cipher_hd_t handle;
gnutls_datum_t key, iv;
- int keylen, digestlen, blocklen, ret, i;
+ int keylen, blocklen, ret;
gsize len;
- unsigned char hashbuf[BUFSIZE], *buf;
-#if defined G_OS_UNIX
- int rnd;
-#elif defined G_OS_WIN32
- HCRYPTPROV rnd;
-#endif
+ unsigned char *buf;
+ guint rounds;
+ size_t commapos;
g_return_val_if_fail(password != NULL, NULL);
g_return_val_if_fail(decryption_passphrase != NULL, NULL);
tokens = g_strsplit_set(password, "{}", 3);
/* Parse the string, retrieving algorithm and encrypted data.
- * We expect "{algorithm}base64encodedciphertext". */
- if (strlen(tokens[0]) != 0 ||
- (algo = gnutls_cipher_get_id(tokens[1])) == GNUTLS_CIPHER_UNKNOWN ||
- strlen(tokens[2]) == 0)
+ * We expect "{algorithm,rounds}base64encodedciphertext". */
+ if (tokens[0] == NULL || strlen(tokens[0]) != 0 ||
+ tokens[1] == NULL || strlen(tokens[1]) == 0 ||
+ tokens[2] == NULL || strlen(tokens[2]) == 0) {
+ debug_print("Garbled password string.\n");
+ g_strfreev(tokens);
return NULL;
-
- /* Our hash algo needs to have digest length twice as long as our
- * cipher algo's key length. */
- if (algo == GNUTLS_CIPHER_AES_256_CBC) {
- debug_print("Using AES-256-CBC + SHA-512 for decryption\n");
- digest = GNUTLS_DIG_SHA512;
- } else if (algo == GNUTLS_CIPHER_AES_128_CBC) {
- debug_print("Using AES-128-CBC + SHA-256 for decryption\n");
- digest = GNUTLS_DIG_SHA256;
}
- if (digest == GNUTLS_DIG_UNKNOWN) {
- debug_print("Password is encrypted with unsupported cipher, giving up.\n");
+
+ commapos = strcspn(tokens[1], ",");
+ if (commapos == strlen(tokens[1]) || commapos == 0) {
+ debug_print("Garbled algorithm substring.\n");
g_strfreev(tokens);
return NULL;
}
-/* ivlen = gnutls_cipher_get_iv_size(algo); */
- keylen = gnutls_cipher_get_key_size(algo);
- blocklen = gnutls_cipher_get_block_size(algo);
- digestlen = gnutls_hash_get_len(digest);
-
- /* Prepare key for cipher - first half of hash of passkey XORed with
- * the second. AES-256 has key length 32 and length of SHA-512 hash
- * is exactly twice that, 64. */
- memset(&hashbuf, 0, BUFSIZE);
- if ((ret = gnutls_hash_fast(digest, decryption_passphrase,
- strlen(decryption_passphrase), &hashbuf)) < 0) {
- debug_print("Hashing passkey failed: %s\n", gnutls_strerror(ret));
+ buf = g_strndup(tokens[1], commapos);
+ if ((algo = gnutls_cipher_get_id(buf)) == GNUTLS_CIPHER_UNKNOWN) {
+ debug_print("Password string has unknown algorithm: '%s'\n", buf);
+ g_free(buf);
g_strfreev(tokens);
return NULL;
}
- for (i = 0; i < digestlen/2; i++) {
- hashbuf[i] = hashbuf[i] ^ hashbuf[i+digestlen/2];
- }
-
- key.data = malloc(keylen);
- memcpy(key.data, &hashbuf, keylen);
- key.size = keylen;
+ g_free(buf);
- /* Prepare our source of random data. */
-#if defined G_OS_UNIX
- rnd = open("/dev/urandom", O_RDONLY);
- if (rnd == -1) {
- perror("fopen on /dev/urandom");
-#elif defined G_OS_WIN32
- if (!CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, 0) &&
- !CryptAcquireContext(&rnd, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
- debug_print("Could not acquire a CSP handle.\n");
-#endif
- g_free(key.data);
+ if ((rounds = atoi(tokens[1] + commapos + 1)) <= 0) {
+ debug_print("Invalid number of rounds: %d\n", rounds);
g_strfreev(tokens);
return NULL;
}
+/* ivlen = gnutls_cipher_get_iv_size(algo); */
+ keylen = gnutls_cipher_get_key_size(algo);
+ blocklen = gnutls_cipher_get_block_size(algo);
+/* digestlen = gnutls_hash_get_len(digest); */
+
+ /* Take the passphrase and compute a key derivation of suitable
+ * length to be used as encryption key for our block cipher. */
+ key.data = _make_key_deriv(decryption_passphrase, rounds, keylen);
+ key.size = keylen;
+
/* Prepare random IV for cipher */
iv.data = malloc(IVLEN);
iv.size = IVLEN;
-#if defined G_OS_UNIX
- ret = read(rnd, iv.data, IVLEN);
- if (ret != IVLEN) {
- perror("read into iv");
- close(rnd);
-#elif defined G_OS_WIN32
- if (!CryptGenRandom(rnd, IVLEN, iv.data)) {
- debug_print("Could not read random data for IV\n");
- CryptReleaseContext(rnd, 0);
-#endif
+ if (!get_random_bytes(iv.data, IVLEN)) {
g_free(key.data);
g_free(iv.data);
g_strfreev(tokens);
return NULL;
}
- /* We don't need any more random data. */
-#if defined G_OS_UNIX
- close(rnd);
-#elif defined G_OS_WIN32
- CryptReleaseContext(rnd, 0);
-#endif
-
/* Prepare encrypted password string for decryption. */
tmp = g_base64_decode(tokens[2], &len);
g_strfreev(tokens);
+ if (tmp == NULL || len == 0) {
+ debug_print("Failed base64-decoding of stored password string\n");
+ g_free(key.data);
+ g_free(iv.data);
+ if (tmp != NULL)
+ g_free(tmp);
+ return NULL;
+ }
+ debug_print("Encrypted password string length: %lu\n", len);
/* Initialize the decryption */
ret = gnutls_cipher_init(&handle, algo, &key, &iv);
debug_print("Cipher init failed: %s\n", gnutls_strerror(ret));
g_free(key.data);
g_free(iv.data);
+ g_free(tmp);
return NULL;
}
- buf = malloc(BUFSIZE + blocklen);
- memset(buf, 0, BUFSIZE + blocklen);
+ /* Allocate the buffer to store decrypted plaintext in. */
+ buf = malloc(len);
+ memset(buf, 0, len);
+
+ /* Decrypt! */
ret = gnutls_cipher_decrypt2(handle, tmp, len,
- buf, BUFSIZE + blocklen);
+ buf, len);
+ g_free(tmp);
if (ret < 0) {
debug_print("Decryption failed: %s\n", gnutls_strerror(ret));
g_free(key.data);
g_free(key.data);
g_free(iv.data);
+ /* 'buf+blocklen' should now be pointing to the plaintext
+ * password string. The first block contains random data from the IV. */
tmp = g_strndup(buf + blocklen, MIN(strlen(buf + blocklen), BUFSIZE));
+ memset(buf, 0, len);
g_free(buf);
+
return tmp;
}