scip/pcp
1
0
Fork 0
mirror of https://codeberg.org/scip/pcp.git synced 2025-12-17 12:00:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

implemented pbp-compatible self encryption mode (symetrical encryption using scrypt(passphrase, static nonce), no pk)

Browse Source
This commit is contained in:
TLINDEN
2014-01-22 23:20:30 +01:00
parent 7b56ab60a6
commit 1efff67d37
8 changed files with 338 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/pcp/crypto.h
View File

@@ -53,10 +53,12 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub,
unsigned char *cipher, size_t ciphersize,
size_t *dsize);
size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int self);
size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p);
size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s);
size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s, unsigned char *symkey);
size_t pcp_encrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey, int havehead);
size_t pcp_decrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey);
#endif // _HAVE_PCP_CRYPTO_H

8
include/pcp/defines.h
View File

@@ -67,12 +67,16 @@ typedef unsigned int qbyte; // Quad byte = 32 bits
// crypto file format stuff
#define PCP_ASYM_CIPHER 5
#define PCP_BLOCK_CIPHER 23
#define PCP_SYM_CIPHER 23
#define PCP_BLOCK_SIZE 32 * 1024
#define PCP_BLOCK_SIZE_IN (PCP_BLOCK_SIZE) + 16 + crypto_secretbox_NONCEBYTES
#define PCP_ASYM_RECIPIENT_SIZE ((crypto_secretbox_KEYBYTES + crypto_box_ZEROBYTES) - crypto_box_BOXZEROBYTES) + crypto_secretbox_NONCEBYTES
#define PCP_CRYPTO_ADD (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES)
#define PCP_ASYM_RECIPIENT_SIZE crypto_secretbox_KEYBYTES + PCP_CRYPTO_ADD + crypto_secretbox_NONCEBYTES
//#define PCP_ASYM_ADD_SENDER_PUB
// used for self encryption only
#define PBP_COMPAT_SALT "qa~t](84z<1t<1oz:ik.@IRNyhG=8q(on9}4#!/_h#a7wqK{Nt$T?W>,mt8NqYq&6U<GB1$,<$j>,rSYI2GRDd:Bcm"
// error handling
extern char *PCP_ERR;
extern byte PCP_ERRSET;

212
libpcp/crypto.c
View File

@@ -149,7 +149,7 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub,
// resulting size:
// ciphersize - crypto_secretbox_ZEROBYTES
*dsize = ciphersize - crypto_secretbox_NONCEBYTES - 16;
*dsize = ciphersize - crypto_secretbox_NONCEBYTES - PCP_CRYPTO_ADD;
return message;
errbed:
@@ -162,31 +162,47 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub,
}
size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s) {
unsigned char *symkey = NULL;
size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s, unsigned char *symkey) {
pcp_pubkey_t *cur, *sender;
size_t es;
int nrec, recmatch;
uint32_t lenrec;
uint8_t head;
size_t cur_bufsize, rec_size, out_size;
size_t ciphersize = (PCP_BLOCK_SIZE_IN) - crypto_secretbox_NONCEBYTES;
unsigned char in_buf[PCP_BLOCK_SIZE_IN];
size_t cur_bufsize, rec_size;
unsigned char rec_buf[PCP_ASYM_RECIPIENT_SIZE];
unsigned char *buf_nonce;
unsigned char *buf_cipher;
unsigned char *buf_clear;
#ifdef PCP_ASYM_ADD_SENDER_PUB
unsigned char *senderpub;
#endif
int self = 0;
if(ftell(in) == 1) {
// header has already been determined outside the lib
if(symkey != NULL)
self = 1;
}
else {
// step 1, check header
cur_bufsize = fread(&head, 1, 1, in);
if(cur_bufsize != 1 && !feof(in) && !ferror(in))
if(head != PCP_ASYM_CIPHER) {
fatal("Error: input file is not asymetrically encrypted\n"); // FIXME: check for sym
if(cur_bufsize != 1 && !feof(in) && !ferror(in)) {
if(head == PCP_SYM_CIPHER) {
if(symkey != NULL)
self = 1;
else {
fatal("Input is symetrically encrypted but no key have been specified (lib usage failure)\n");
goto errdef1;
}
}
else if(head == PCP_ASYM_CIPHER) {
self = 0;
}
}
}
if(self) {
// just decrypt symetrically and go outa here
return pcp_decrypt_file_sym(in, out, symkey);
}
#ifdef PCP_ASYM_ADD_SENDER_PUB
// step 2, sender's pubkey
@@ -233,47 +249,14 @@ size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s) {
}
// step 5, actually decrypt the file, finally
buf_nonce = ucmalloc(crypto_secretbox_NONCEBYTES);
buf_cipher = ucmalloc(ciphersize);
out_size = 0;
while(!feof(in)) {
cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE_IN, in);
if(cur_bufsize <= 16)
break; // no valid cipher block
ciphersize = cur_bufsize - crypto_secretbox_NONCEBYTES;
memcpy(buf_nonce, in_buf, crypto_secretbox_NONCEBYTES);
memcpy(buf_cipher, &in_buf[crypto_secretbox_NONCEBYTES], ciphersize);
return pcp_decrypt_file_sym(in, out, symkey);
es = pcp_sodium_verify_mac(&buf_clear, buf_cipher, ciphersize, buf_nonce, symkey);
if(es == 0) {
fwrite(buf_clear, ciphersize - 16, 1, out);
if(ferror(out) != 0) {
fatal("Failed to write decrypted output!\n");
goto errdef2;
}
}
else {
fatal("Failed to decrypt file content!\n");
goto errdef2;
}
out_size += ciphersize - 16;
}
fclose(in);
fclose(out); // FIXME: check for stdin/stdout
return out_size;
errdef2:
free(buf_nonce);
free(buf_cipher);
free(symkey);
errdef1:
return 0;
}
size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int self) {
size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p) {
unsigned char *symkey;
int recipient_count;
unsigned char *recipients_cipher;
@@ -281,10 +264,9 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int
size_t es;
int nrec;
uint32_t lenrec;
size_t cur_bufsize, rec_size, out_size;
unsigned char in_buf[PCP_BLOCK_SIZE];
unsigned char *buf_nonce;
unsigned char *buf_cipher;
size_t rec_size, out_size;
/*
Correct format should be:
@@ -350,7 +332,51 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int
out_size = 5 + (rec_size * recipient_count) + crypto_box_PUBLICKEYBYTES;
// step 5, actual encrypted data
cur_bufsize = 0;
size_t sym_size = pcp_encrypt_file_sym(in, out, symkey, 1);
if(sym_size == 0)
goto errec1;
return out_size + sym_size;
errec1:
memset(symkey, 0, crypto_secretbox_KEYBYTES);
free(symkey);
free(recipients_cipher);
if(fileno(in) != 0)
fclose(in);
if(fileno(out) != 1)
fclose(out);
return 0;
}
size_t pcp_encrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey, int havehead) {
/*
havehead = 0: write the whole thing from here
havehead = 1: no header, being called from asym...
*/
unsigned char *buf_nonce;
unsigned char *buf_cipher;
unsigned char in_buf[PCP_BLOCK_SIZE];
size_t cur_bufsize = 0;
size_t out_size = 0;
size_t es;
if(havehead == 0) {
uint8_t head = PCP_SYM_CIPHER;
fwrite(&head, 1, 1, out);
if(ferror(out) != 0) {
fatal("Failed to write encrypted output!\n");
return 0;
}
}
while(!feof(in)) {
cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE, in);
@@ -369,25 +395,67 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int
if(ferror(out) != 0) {
fatal("Failed to write encrypted output!\n");
goto errec2;
}
fclose(in);
fclose(out); // FIXME: check for stdin/stdout
return out_size;
errec2:
errec1:
memset(symkey, 0, crypto_secretbox_KEYBYTES);
free(symkey);
free(recipients_cipher);
fclose(in);
fclose(out);
return 0;
}
if(fileno(in) != 0)
fclose(in);
if(fileno(out) != 1)
fclose(out);
return out_size;
}
size_t pcp_decrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey) {
unsigned char *buf_nonce;
unsigned char *buf_cipher;
unsigned char *buf_clear;
size_t out_size, cur_bufsize, es;
size_t ciphersize = (PCP_BLOCK_SIZE_IN) - crypto_secretbox_NONCEBYTES;
unsigned char in_buf[PCP_BLOCK_SIZE_IN];
buf_nonce = ucmalloc(crypto_secretbox_NONCEBYTES);
buf_cipher = ucmalloc(ciphersize);
out_size = 0;
while(!feof(in)) {
cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE_IN, in);
if(cur_bufsize <= PCP_CRYPTO_ADD)
break; // no valid cipher block
ciphersize = cur_bufsize - crypto_secretbox_NONCEBYTES;
memcpy(buf_nonce, in_buf, crypto_secretbox_NONCEBYTES);
memcpy(buf_cipher, &in_buf[crypto_secretbox_NONCEBYTES], ciphersize);
es = pcp_sodium_verify_mac(&buf_clear, buf_cipher, ciphersize, buf_nonce, symkey);
out_size += ciphersize - PCP_CRYPTO_ADD;
if(es == 0) {
fwrite(buf_clear, ciphersize - PCP_CRYPTO_ADD, 1, out);
free(buf_clear);
if(ferror(out) != 0) {
fatal("Failed to write decrypted output!\n");
out_size = 0;
break;
}
}
else {
fatal("Failed to decrypt file content!\n");
free(buf_clear);
out_size = 0;
break;
}
}
free(buf_nonce);
free(buf_cipher);
if(fileno(in) != 0)
fclose(in);
if(fileno(out) != 1)
fclose(out);
return out_size;
}

112
src/encryption.c
View File

@@ -26,22 +26,11 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
FILE *in = NULL;
FILE *out = NULL;
pcp_key_t *secret = NULL;
unsigned char *symkey = NULL;
size_t dlen;
uint8_t head;
if(useid) {
HASH_FIND_STR(pcpkey_hash, id, secret);
if(secret == NULL) {
fatal("Could not find a secret key with id 0x%s in vault %s!\n",
id, vault->filename);
goto errde3;
}
}
else {
secret = pcp_find_primary_secret();
if(secret == NULL) {
fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
goto errde3;
}
}
if(infile == NULL)
in = stdin;
@@ -61,6 +50,45 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
}
}
// determine crypt mode
fread(&head, 1, 1, in);
if(!feof(in) && !ferror(in)) {
if(head == PCP_SYM_CIPHER) {
// symetric mode
unsigned char *salt = ucmalloc(90);
char stsalt[] = PBP_COMPAT_SALT;
memcpy(salt, stsalt, 90);
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase for symetric decryption", NULL, 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt);
free(salt);
}
else {
// asymetric mode
if(useid) {
HASH_FIND_STR(pcpkey_hash, id, secret);
if(secret == NULL) {
fatal("Could not find a secret key with id 0x%s in vault %s!\n",
id, vault->filename);
goto errde3;
}
}
else {
secret = pcp_find_primary_secret();
if(secret == NULL) {
fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
goto errde3;
}
}
if(secret->secret[0] == 0) {
// encrypted, decrypt it
char *passphrase;
@@ -77,8 +105,17 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
if(secret == NULL)
goto errde3;
}
}
}
else {
fatal("Could not determine input file type\n");
goto errde3;
}
size_t dlen = pcp_decrypt_file(in, out, secret);
if(symkey == NULL)
dlen = pcp_decrypt_file(in, out, secret, NULL);
else
dlen = pcp_decrypt_file(in, out, NULL, symkey);
if(dlen > 0) {
fprintf(stderr, "Decrypted %d bytes successfully\n",
@@ -100,14 +137,32 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
pcp_pubkey_t *tmp = NULL;
pcp_pubkey_t *pub = NULL;
pcp_key_t *secret = NULL;
unsigned char *symkey;
int self = 0;
if(id == NULL && recipient == NULL) {
// self mode
self = 1;
char *passphrase;
if(passwd == NULL) {
pcp_readpass(&passphrase,
"Enter passphrase for symetric encryption", "Repeat passphrase", 1);
}
else {
passphrase = ucmalloc(strlen(passwd)+1);
strncpy(passphrase, passwd, strlen(passwd)+1);
}
unsigned char *salt = ucmalloc(90);
char stsalt[] = PBP_COMPAT_SALT;
memcpy(salt, stsalt, 90);
symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt);
free(salt);
}
else if(id != NULL) {
// FIXME: mk id a plist_t with loop as well
if(id != NULL) {
// lookup by id
HASH_FIND_STR(pcppubkey_hash, id, tmp);
if(tmp == NULL) {
// FIXME: use recipient to lookup by name or email
// self-encryption: look if its a secret one
pcp_key_t *s = NULL;
HASH_FIND_STR(pcpkey_hash, id, s);
@@ -152,12 +207,9 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
goto erren3;
}
}
else {
fatal("id or recipient list required!\n");
goto erren3;
}
if(self != 1) {
// we're using a random secret keypair on our side
#ifdef PCP_ASYM_ADD_SENDER_PUB
secret = pcpkey_new();
@@ -184,6 +236,7 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
goto erren2;
}
#endif
}
if(infile == NULL)
in = stdin;
@@ -203,13 +256,20 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
}
}
size_t clen = pcp_encrypt_file(in, out, secret, pubhash, self);
size_t clen;
if(self == 1)
pcp_encrypt_file_sym(in, out, symkey, 0);
else
clen = pcp_encrypt_file(in, out, secret, pubhash);
if(clen > 0) {
if(id != NULL)
fprintf(stderr, "Encrypted %d bytes for 0x%s successfully\n", (int)clen, id);
if(id == NULL && recipient == NULL)
fprintf(stderr, "Encrypted %ld bytes symetrically\n", clen);
else if(id != NULL)
fprintf(stderr, "Encrypted %ld bytes for 0x%s successfully\n", clen, id);
else {
fprintf(stderr, "Encrypted %d bytes for:\n", (int)clen);
fprintf(stderr, "Encrypted %ld bytes for:\n", clen);
pcp_pubkey_t *cur, *t;
HASH_ITER(hh, pubhash, cur, t) {
fprintf(stderr, "%s <%s>\n", cur->owner, cur->mail);

18
src/pcp.c
View File

@@ -63,6 +63,7 @@ int main (int argc, char **argv) {
useid = 0;
userec = 0;
lo = 0;
static struct option longopts[] = {
// generics
{ "vault", required_argument, NULL, 'V' },
@@ -86,6 +87,7 @@ int main (int argc, char **argv) {
// crypto
{ "encrypt", no_argument, NULL, 'e' },
{ "encrypt-me", no_argument, NULL, 'm' },
{ "decrypt", no_argument, NULL, 'd' },
// encoding
@@ -103,7 +105,7 @@ int main (int argc, char **argv) {
{ NULL, 0, NULL, 0 }
};
while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:y",
while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:ym",
longopts, NULL)) != -1) {
switch (opt) {
@@ -156,6 +158,9 @@ int main (int argc, char **argv) {
mode += PCP_MODE_ENCRYPT;
usevault = 1;
break;
case 'm':
mode += PCP_MODE_ENCRYPT_ME;
break;
case 'd':
mode += PCP_MODE_DECRYPT;
usevault = 1;
@@ -336,11 +341,8 @@ int main (int argc, char **argv) {
pcpencrypt(NULL, infile, outfile, xpass, recipient);
}
else if(useid == 0 && userec == 0) {
// self mode
pcp_key_t *k = pcp_find_primary_secret();
id = ucmalloc(17);
memcpy(id, k->id, 17);
pcpencrypt(id, infile, outfile, xpass, NULL);
// self mode, same as -m
pcpencrypt(NULL, infile, outfile, xpass, NULL);
}
else {
// -i and -r specified
@@ -403,6 +405,10 @@ int main (int argc, char **argv) {
pcpz85_decode(infile, outfile);
break;
case PCP_MODE_ENCRYPT_ME:
pcpencrypt(NULL, infile, outfile, xpass, NULL);
break;
case PCP_MODE_TEXT:
if(infile != NULL) {
pcptext_infile(infile);

3
src/pcp.h
View File

@@ -65,7 +65,8 @@
#define PCP_MODE_ZDECODE 0x00000962
#define PCP_MODE_SIGN 0x00000FF6
#define PCP_MODE_VERIFY 0x00001B25
#define PCP_MODE_YAML 0x00002E25
#define PCP_MODE_YAML 0x00002E27
#define PCP_MODE_ENCRYPT_ME 0x00004E77
/*
0x00001B25

26
src/usage.h
View File

@@ -60,14 +60,22 @@
" as YAML formatted text. Use -O to put\n" \
" the export into a file.\n" \
"Encryption Options:\n" \
"-e --encrypt Encrypt a message. Read from stdin or\n" \
" specified via -I. If a keyid (-i) has been\n" \
"-e --encrypt Asym-Encrypt a message. Read from stdin or\n" \
" specified via -I. Output will be written\n" \
" to stdout or the file given with -O.\n" \
" If a keyid (-i) has been\n" \
" given, use that public key for encryption.\n" \
" If a recipient (-r) has been given, use\n" \
" a derived public key. If none of -i or\n" \
" -r has been given, use the primary\n" \
" secret key and the public part of it\n" \
" for encrytion (self-encryption mode).\n" \
" If one or more recipient (-r) has been given,\n" \
" encrypt the message for all recipients\n" \
" asymetrically, given there are matching\n" \
" public keys installed in the vault for them.\n" \
" If none of -i or -r has been given, encrypt\n" \
" the message symetrically. This is the same\n" \
" as -m (self-encryption mode).\n" \
"-m --encrypt-me Sym-Encrypt a message. Specify -I and/or\n" \
" -O for input/output file. You will be asked\n" \
" for a passphrase. No key material will\n" \
" be used. Same as -e without -r and -i.\n" \
"-d --decrypt Decrypt a message. Read from stdin or\n" \
" specified via -I. Output to stdout or\n" \
" written to the file specified via -O.\n" \
@@ -76,6 +84,10 @@
" just one secret key in the vault, this\n" \
" one will be used. Otherwise you'll have\n" \
" to specify the keyid (-i) of the key.\n" \
" You need to have the public key of the\n" \
" sender installed in your vault.\n" \
" If the input is self-encrypted (symetrically)\n" \
" a passphrase will be requested.\n" \
"\n" \
"Signature Options:\n" \
"-g --sign Create a signature of file specified with\n" \

26
src/usage.txt
View File

@@ -58,14 +58,22 @@ Keymanagement Options:
as YAML formatted text. Use -O to put
the export into a file.
Encryption Options:
-e --encrypt Encrypt a message. Read from stdin or
specified via -I. If a keyid (-i) has been
-e --encrypt Asym-Encrypt a message. Read from stdin or
specified via -I. Output will be written
to stdout or the file given with -O.
If a keyid (-i) has been
given, use that public key for encryption.
If a recipient (-r) has been given, use
a derived public key. If none of -i or
-r has been given, use the primary
secret key and the public part of it
for encrytion (self-encryption mode).
If one or more recipient (-r) has been given,
encrypt the message for all recipients
asymetrically, given there are matching
public keys installed in the vault for them.
If none of -i or -r has been given, encrypt
the message symetrically. This is the same
as -m (self-encryption mode).
-m --encrypt-me Sym-Encrypt a message. Specify -I and/or
-O for input/output file. You will be asked
for a passphrase. No key material will
be used. Same as -e without -r and -i.
-d --decrypt Decrypt a message. Read from stdin or
specified via -I. Output to stdout or
written to the file specified via -O.
@@ -74,6 +82,10 @@ Encryption Options:
just one secret key in the vault, this
one will be used. Otherwise you'll have
to specify the keyid (-i) of the key.
You need to have the public key of the
sender installed in your vault.
If the input is self-encrypted (symetrically)
a passphrase will be requested.
Signature Options:
-g --sign Create a signature of file specified with