scip/pcp
1
0
Fork 0
mirror of https://codeberg.org/scip/pcp.git synced 2025-12-17 12:00:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

implemented pbp-compatible self encryption mode (symetrical encryption using scrypt(passphrase, static nonce), no pk)

Browse Source
This commit is contained in:
TLINDEN
2014-01-22 23:20:30 +01:00
parent 7b56ab60a6
commit 1efff67d37
8 changed files with 338 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
src/encryption.c
View File

@@ -26,22 +26,11 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
FILE *in = NULL;
FILE *out = NULL;
pcp_key_t *secret = NULL;
unsigned char *symkey = NULL;
size_t dlen;
uint8_t head;
if(useid) {
HASH_FIND_STR(pcpkey_hash, id, secret);
if(secret == NULL) {
fatal("Could not find a secret key with id 0x%s in vault %s!\n",
id, vault->filename);
goto errde3;
}
}
else {
secret = pcp_find_primary_secret();
if(secret == NULL) {
fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
goto errde3;
}
}
if(infile == NULL)
in = stdin;
@@ -61,24 +50,72 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
}
}
if(secret->secret[0] == 0) {
// encrypted, decrypt it
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase to decrypt your secret key", NULL, 1);
// determine crypt mode
fread(&head, 1, 1, in);
if(!feof(in) && !ferror(in)) {
if(head == PCP_SYM_CIPHER) {
// symetric mode
unsigned char *salt = ucmalloc(90);
char stsalt[] = PBP_COMPAT_SALT;
memcpy(salt, stsalt, 90);
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase for symetric decryption", NULL, 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt);
free(salt);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
// asymetric mode
if(useid) {
HASH_FIND_STR(pcpkey_hash, id, secret);
if(secret == NULL) {
fatal("Could not find a secret key with id 0x%s in vault %s!\n",
id, vault->filename);
goto errde3;
}
}
else {
secret = pcp_find_primary_secret();
if(secret == NULL) {
fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
goto errde3;
}
}
if(secret->secret[0] == 0) {
// encrypted, decrypt it
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase to decrypt your secret key", NULL, 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
secret = pcpkey_decrypt(secret, passphrase);
if(secret == NULL)
goto errde3;
secret = pcpkey_decrypt(secret, passphrase);
if(secret == NULL)
goto errde3;
}
}
}
else {
fatal("Could not determine input file type\n");
goto errde3;
}
size_t dlen = pcp_decrypt_file(in, out, secret);
if(symkey == NULL)
dlen = pcp_decrypt_file(in, out, secret, NULL);
else
dlen = pcp_decrypt_file(in, out, NULL, symkey);
if(dlen > 0) {
fprintf(stderr, "Decrypted %d bytes successfully\n",
@@ -100,14 +137,32 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
pcp_pubkey_t *tmp = NULL;
pcp_pubkey_t *pub = NULL;
pcp_key_t *secret = NULL;
unsigned char *symkey;
int self = 0;
if(id == NULL && recipient == NULL) {
// self mode
self = 1;
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase for symetric encryption", "Repeat passphrase", 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
unsigned char *salt = ucmalloc(90);
char stsalt[] = PBP_COMPAT_SALT;
memcpy(salt, stsalt, 90);
symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt);
free(salt);
}
else if(id != NULL) {
// FIXME: mk id a plist_t with loop as well
if(id != NULL) {
// lookup by id
HASH_FIND_STR(pcppubkey_hash, id, tmp);
if(tmp == NULL) {
// FIXME: use recipient to lookup by name or email
// self-encryption: look if its a secret one
pcp_key_t *s = NULL;
HASH_FIND_STR(pcpkey_hash, id, s);
@@ -152,38 +207,36 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
goto erren3;
}
}
else {
fatal("id or recipient list required!\n");
goto erren3;
}
if(self != 1) {
// we're using a random secret keypair on our side
#ifdef PCP_ASYM_ADD_SENDER_PUB
secret = pcpkey_new();
secret = pcpkey_new();
#else
secret = pcp_find_primary_secret();
if(secret == NULL) {
fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
goto erren2;
}
if(secret->secret[0] == 0) {
// encrypted, decrypt it
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase to decrypt your secret key", NULL, 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
secret = pcpkey_decrypt(secret, passphrase);
if(secret == NULL)
secret = pcp_find_primary_secret();
if(secret == NULL) {
fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
goto erren2;
}
}
if(secret->secret[0] == 0) {
// encrypted, decrypt it
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase to decrypt your secret key", NULL, 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
secret = pcpkey_decrypt(secret, passphrase);
if(secret == NULL)
goto erren2;
}
#endif
}
if(infile == NULL)
in = stdin;
@@ -203,13 +256,20 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
}
}
size_t clen = pcp_encrypt_file(in, out, secret, pubhash, self);
size_t clen;
if(self == 1)
pcp_encrypt_file_sym(in, out, symkey, 0);
else
clen = pcp_encrypt_file(in, out, secret, pubhash);
if(clen > 0) {
if(id != NULL)
fprintf(stderr, "Encrypted %d bytes for 0x%s successfully\n", (int)clen, id);
if(id == NULL && recipient == NULL)
fprintf(stderr, "Encrypted %ld bytes symetrically\n", clen);
else if(id != NULL)
fprintf(stderr, "Encrypted %ld bytes for 0x%s successfully\n", clen, id);
else {
fprintf(stderr, "Encrypted %d bytes for:\n", (int)clen);
fprintf(stderr, "Encrypted %ld bytes for:\n", clen);
pcp_pubkey_t *cur, *t;
HASH_ITER(hh, pubhash, cur, t) {
fprintf(stderr, "%s <%s>\n", cur->owner, cur->mail);

54
src/pcp.c
View File

@@ -63,6 +63,7 @@ int main (int argc, char **argv) {
useid = 0;
userec = 0;
lo = 0;
static struct option longopts[] = {
// generics
{ "vault", required_argument, NULL, 'V' },
@@ -86,6 +87,7 @@ int main (int argc, char **argv) {
// crypto
{ "encrypt", no_argument, NULL, 'e' },
{ "encrypt-me", no_argument, NULL, 'm' },
{ "decrypt", no_argument, NULL, 'd' },
// encoding
@@ -103,7 +105,7 @@ int main (int argc, char **argv) {
{ NULL, 0, NULL, 0 }
};
while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:y",
while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:ym",
longopts, NULL)) != -1) {
switch (opt) {
@@ -156,6 +158,9 @@ int main (int argc, char **argv) {
mode += PCP_MODE_ENCRYPT;
usevault = 1;
break;
case 'm':
mode += PCP_MODE_ENCRYPT_ME;
break;
case 'd':
mode += PCP_MODE_DECRYPT;
usevault = 1;
@@ -336,11 +341,8 @@ int main (int argc, char **argv) {
pcpencrypt(NULL, infile, outfile, xpass, recipient);
}
else if(useid == 0 && userec == 0) {
// self mode
pcp_key_t *k = pcp_find_primary_secret();
id = ucmalloc(17);
memcpy(id, k->id, 17);
pcpencrypt(id, infile, outfile, xpass, NULL);
// self mode, same as -m
pcpencrypt(NULL, infile, outfile, xpass, NULL);
}
else {
// -i and -r specified
@@ -403,28 +405,32 @@ int main (int argc, char **argv) {
pcpz85_decode(infile, outfile);
break;
case PCP_MODE_TEXT:
if(infile != NULL) {
pcptext_infile(infile);
case PCP_MODE_ENCRYPT_ME:
pcpencrypt(NULL, infile, outfile, xpass, NULL);
break;
case PCP_MODE_TEXT:
if(infile != NULL) {
pcptext_infile(infile);
}
else {
pcphash_init();
vault = pcpvault_init(vaultfile);
if(! useid && infile == NULL) {
pcptext_vault(vault);
}
else {
pcphash_init();
vault = pcpvault_init(vaultfile);
if(! useid && infile == NULL) {
pcptext_vault(vault);
id = pcp_normalize_id(keyid);
if(id != NULL) {
pcptext_key(id);
free(id);
}
else {
id = pcp_normalize_id(keyid);
if(id != NULL) {
pcptext_key(id);
free(id);
}
}
pcpvault_close(vault);
pcphash_clean();
ucfree(vaultfile);
}
break;
pcpvault_close(vault);
pcphash_clean();
ucfree(vaultfile);
}
break;
default:
// mode params mixed

3
src/pcp.h
View File

@@ -65,7 +65,8 @@
#define PCP_MODE_ZDECODE 0x00000962
#define PCP_MODE_SIGN 0x00000FF6
#define PCP_MODE_VERIFY 0x00001B25
#define PCP_MODE_YAML 0x00002E25
#define PCP_MODE_YAML 0x00002E27
#define PCP_MODE_ENCRYPT_ME 0x00004E77
/*
0x00001B25

26
src/usage.h
View File

@@ -60,14 +60,22 @@
" as YAML formatted text. Use -O to put\n" \
" the export into a file.\n" \
"Encryption Options:\n" \
"-e --encrypt Encrypt a message. Read from stdin or\n" \
" specified via -I. If a keyid (-i) has been\n" \
"-e --encrypt Asym-Encrypt a message. Read from stdin or\n" \
" specified via -I. Output will be written\n" \
" to stdout or the file given with -O.\n" \
" If a keyid (-i) has been\n" \
" given, use that public key for encryption.\n" \
" If a recipient (-r) has been given, use\n" \
" a derived public key. If none of -i or\n" \
" -r has been given, use the primary\n" \
" secret key and the public part of it\n" \
" for encrytion (self-encryption mode).\n" \
" If one or more recipient (-r) has been given,\n" \
" encrypt the message for all recipients\n" \
" asymetrically, given there are matching\n" \
" public keys installed in the vault for them.\n" \
" If none of -i or -r has been given, encrypt\n" \
" the message symetrically. This is the same\n" \
" as -m (self-encryption mode).\n" \
"-m --encrypt-me Sym-Encrypt a message. Specify -I and/or\n" \
" -O for input/output file. You will be asked\n" \
" for a passphrase. No key material will\n" \
" be used. Same as -e without -r and -i.\n" \
"-d --decrypt Decrypt a message. Read from stdin or\n" \
" specified via -I. Output to stdout or\n" \
" written to the file specified via -O.\n" \
@@ -76,6 +84,10 @@
" just one secret key in the vault, this\n" \
" one will be used. Otherwise you'll have\n" \
" to specify the keyid (-i) of the key.\n" \
" You need to have the public key of the\n" \
" sender installed in your vault.\n" \
" If the input is self-encrypted (symetrically)\n" \
" a passphrase will be requested.\n" \
"\n" \
"Signature Options:\n" \
"-g --sign Create a signature of file specified with\n" \

26
src/usage.txt
View File

@@ -58,14 +58,22 @@ Keymanagement Options:
as YAML formatted text. Use -O to put
the export into a file.
Encryption Options:
-e --encrypt Encrypt a message. Read from stdin or
specified via -I. If a keyid (-i) has been
-e --encrypt Asym-Encrypt a message. Read from stdin or
specified via -I. Output will be written
to stdout or the file given with -O.
If a keyid (-i) has been
given, use that public key for encryption.
If a recipient (-r) has been given, use
a derived public key. If none of -i or
-r has been given, use the primary
secret key and the public part of it
for encrytion (self-encryption mode).
If one or more recipient (-r) has been given,
encrypt the message for all recipients
asymetrically, given there are matching
public keys installed in the vault for them.
If none of -i or -r has been given, encrypt
the message symetrically. This is the same
as -m (self-encryption mode).
-m --encrypt-me Sym-Encrypt a message. Specify -I and/or
-O for input/output file. You will be asked
for a passphrase. No key material will
be used. Same as -e without -r and -i.
-d --decrypt Decrypt a message. Read from stdin or
specified via -I. Output to stdout or
written to the file specified via -O.
@@ -74,6 +82,10 @@ Encryption Options:
just one secret key in the vault, this
one will be used. Otherwise you'll have
to specify the keyid (-i) of the key.
You need to have the public key of the
sender installed in your vault.
If the input is self-encrypted (symetrically)
a passphrase will be requested.
Signature Options:
-g --sign Create a signature of file specified with