Line | Count | Source |
1 | | /* encrypt.c - Main encryption driver |
2 | | * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, |
3 | | * 2006, 2009 Free Software Foundation, Inc. |
4 | | * Copyright (C) 2016, 2023 g10 Code GmbH |
5 | | * |
6 | | * This file is part of GnuPG. |
7 | | * |
8 | | * GnuPG is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU General Public License as published by |
10 | | * the Free Software Foundation; either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * GnuPG is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU General Public License |
19 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
20 | | * SPDX-License-Identifier: GPL-3.0-or-later |
21 | | */ |
22 | | |
23 | | #include <config.h> |
24 | | #include <stdio.h> |
25 | | #include <stdlib.h> |
26 | | #include <string.h> |
27 | | #include <errno.h> |
28 | | |
29 | | #include "gpg.h" |
30 | | #include "options.h" |
31 | | #include "packet.h" |
32 | | #include "../common/status.h" |
33 | | #include "../common/iobuf.h" |
34 | | #include "keydb.h" |
35 | | #include "../common/util.h" |
36 | | #include "main.h" |
37 | | #include "filter.h" |
38 | | #include "trustdb.h" |
39 | | #include "../common/i18n.h" |
40 | | #include "../common/status.h" |
41 | | #include "pkglue.h" |
42 | | #include "../common/compliance.h" |
43 | | |
44 | | |
45 | | static int encrypt_simple( const char *filename, int mode, int use_seskey ); |
46 | | static int write_pubkey_enc_from_list (ctrl_t ctrl, pk_list_t pk_list, |
47 | | DEK *dek, iobuf_t out, |
48 | | struct pubkey_enc_info_item *restrct); |
49 | | |
50 | | |
51 | | |
52 | | /* Helper for show the "encrypted for USER" during encryption. |
53 | | * PUBKEY_USAGE is used to figure out whether this is an ADSK key. */ |
54 | | static void |
55 | | show_encrypted_for_user_info (ctrl_t ctrl, unsigned int pubkey_usage, |
56 | | PKT_pubkey_enc *enc, DEK *dek) |
57 | 0 | { |
58 | 0 | char *ustr = get_user_id_string_native (ctrl, enc->keyid); |
59 | 0 | if ((pubkey_usage & PUBKEY_USAGE_RENC)) |
60 | 0 | { |
61 | 0 | char *tmpustr = xstrconcat (ustr, " [ADSK]", NULL); |
62 | 0 | xfree (ustr); |
63 | 0 | ustr = tmpustr; |
64 | 0 | } |
65 | 0 | log_info (_("%s/%s.%s encrypted for: \"%s\"\n"), |
66 | 0 | openpgp_pk_algo_name (enc->pubkey_algo), |
67 | 0 | openpgp_cipher_algo_name (dek->algo), |
68 | 0 | dek->use_aead? openpgp_aead_algo_name (dek->use_aead) |
69 | 0 | /**/ : "CFB", |
70 | 0 | ustr ); |
71 | 0 | xfree (ustr); |
72 | 0 | } |
73 | | |
74 | | |
75 | | /**************** |
76 | | * Encrypt FILENAME with only the symmetric cipher. Take input from |
77 | | * stdin if FILENAME is NULL. If --force-aead is used we use an SKESK. |
78 | | */ |
79 | | int |
80 | | encrypt_symmetric (const char *filename) |
81 | 0 | { |
82 | 0 | return encrypt_simple( filename, 1, opt.force_aead); |
83 | 0 | } |
84 | | |
85 | | |
86 | | /**************** |
87 | | * Encrypt FILENAME as a literal data packet only. Take input from |
88 | | * stdin if FILENAME is NULL. |
89 | | */ |
90 | | int |
91 | | encrypt_store (const char *filename) |
92 | 0 | { |
93 | 0 | return encrypt_simple( filename, 0, 0 ); |
94 | 0 | } |
95 | | |
96 | | |
97 | | /* Create and setup a DEK structure and print appropriate warnings. |
98 | | * PK_LIST gives the list of public keys. Always returns a DEK. The |
99 | | * actual session needs to be added later. */ |
100 | | static DEK * |
101 | | create_dek_with_warnings (pk_list_t pk_list) |
102 | 0 | { |
103 | 0 | DEK *dek; |
104 | |
|
105 | 0 | dek = xmalloc_secure_clear (sizeof *dek); |
106 | 0 | if (!opt.def_cipher_algo) |
107 | 0 | { |
108 | | /* Try to get it from the prefs. */ |
109 | 0 | dek->algo = select_algo_from_prefs (pk_list, PREFTYPE_SYM, -1, NULL); |
110 | 0 | if (dek->algo == -1) |
111 | 0 | { |
112 | | /* If does not make sense to fallback to the rfc4880 |
113 | | * required 3DES if we will reject that algo later. Thus we |
114 | | * fallback to AES anticipating RFC4880bis rules. */ |
115 | 0 | if (opt.flags.allow_old_cipher_algos) |
116 | 0 | dek->algo = CIPHER_ALGO_3DES; |
117 | 0 | else |
118 | 0 | dek->algo = CIPHER_ALGO_AES; |
119 | 0 | } |
120 | | |
121 | | /* In case 3DES has been selected, print a warning if any key |
122 | | * does not have a preference for AES. This should help to |
123 | | * identify why encrypting to several recipients falls back to |
124 | | * 3DES. */ |
125 | 0 | if (opt.verbose && dek->algo == CIPHER_ALGO_3DES) |
126 | 0 | warn_missing_aes_from_pklist (pk_list); |
127 | 0 | } |
128 | 0 | else |
129 | 0 | { |
130 | 0 | if (!opt.expert |
131 | 0 | && (select_algo_from_prefs (pk_list, PREFTYPE_SYM, |
132 | 0 | opt.def_cipher_algo, NULL) |
133 | 0 | != opt.def_cipher_algo)) |
134 | 0 | { |
135 | 0 | log_info(_("WARNING: forcing symmetric cipher %s (%d)" |
136 | 0 | " violates recipient preferences\n"), |
137 | 0 | openpgp_cipher_algo_name (opt.def_cipher_algo), |
138 | 0 | opt.def_cipher_algo); |
139 | 0 | } |
140 | |
|
141 | 0 | dek->algo = opt.def_cipher_algo; |
142 | 0 | } |
143 | |
|
144 | 0 | if (dek->algo != CIPHER_ALGO_AES256) |
145 | 0 | { |
146 | | /* If quantum resistance was explicitly required, we force the |
147 | | * use of AES256 no matter what. Otherwise, we force AES256 if we |
148 | | * encrypt to Kyber keys only and the user did not explicity |
149 | | * request another another algo. */ |
150 | 0 | if (opt.flags.require_pqc_encryption) |
151 | 0 | dek->algo = CIPHER_ALGO_AES256; |
152 | 0 | else if (!opt.def_cipher_algo) |
153 | 0 | { |
154 | 0 | int non_kyber_pk = 0; |
155 | 0 | for ( ; pk_list; pk_list = pk_list->next) |
156 | 0 | if (pk_list->pk->pubkey_algo != PUBKEY_ALGO_KYBER) |
157 | 0 | non_kyber_pk += 1; |
158 | 0 | if (!non_kyber_pk) |
159 | 0 | dek->algo = CIPHER_ALGO_AES256; |
160 | 0 | } |
161 | 0 | } |
162 | |
|
163 | 0 | return dek; |
164 | 0 | } |
165 | | |
166 | | |
167 | | /* Check whether all encryption keys are compliant with the current |
168 | | * mode and issue respective status lines. DEK has the info about the |
169 | | * session key and PK_LIST the list of public keys. */ |
170 | | static gpg_error_t |
171 | | check_encryption_compliance (DEK *dek, pk_list_t pk_list) |
172 | 0 | { |
173 | 0 | gpg_error_t err = 0; |
174 | 0 | pk_list_t pkr; |
175 | 0 | int compliant; |
176 | | |
177 | | /* First check whether we should use the algo at all. */ |
178 | 0 | if (openpgp_cipher_blocklen (dek->algo) < 16 |
179 | 0 | && !opt.flags.allow_old_cipher_algos) |
180 | 0 | { |
181 | 0 | log_error (_("cipher algorithm '%s' may not be used for encryption\n"), |
182 | 0 | openpgp_cipher_algo_name (dek->algo)); |
183 | 0 | if (!opt.quiet) |
184 | 0 | log_info (_("(use option \"%s\" to override)\n"), |
185 | 0 | "--allow-old-cipher-algos"); |
186 | 0 | err = gpg_error (GPG_ERR_CIPHER_ALGO); |
187 | 0 | goto leave; |
188 | 0 | } |
189 | | |
190 | | /* Now check the compliance. */ |
191 | 0 | if (! gnupg_cipher_is_allowed (opt.compliance, 1, dek->algo, |
192 | 0 | GCRY_CIPHER_MODE_CFB)) |
193 | 0 | { |
194 | 0 | log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), |
195 | 0 | openpgp_cipher_algo_name (dek->algo), |
196 | 0 | gnupg_compliance_option_string (opt.compliance)); |
197 | 0 | err = gpg_error (GPG_ERR_CIPHER_ALGO); |
198 | 0 | goto leave; |
199 | 0 | } |
200 | | |
201 | 0 | if (!gnupg_rng_is_compliant (opt.compliance)) |
202 | 0 | { |
203 | 0 | err = gpg_error (GPG_ERR_FORBIDDEN); |
204 | 0 | log_error (_("%s is not compliant with %s mode\n"), |
205 | 0 | "RNG", |
206 | 0 | gnupg_compliance_option_string (opt.compliance)); |
207 | 0 | write_status_error ("random-compliance", err); |
208 | 0 | goto leave; |
209 | 0 | } |
210 | | |
211 | | /* From here on we only test for CO_DE_VS - if we ever want to |
212 | | * return other compliance mode values we need to change this to |
213 | | * loop over all those values. */ |
214 | 0 | compliant = gnupg_gcrypt_is_compliant (CO_DE_VS); |
215 | |
|
216 | 0 | if (!gnupg_cipher_is_compliant (CO_DE_VS, dek->algo, GCRY_CIPHER_MODE_CFB)) |
217 | 0 | compliant = 0; |
218 | |
|
219 | 0 | for (pkr = pk_list; pkr; pkr = pkr->next) |
220 | 0 | { |
221 | 0 | PKT_public_key *pk = pkr->pk; |
222 | 0 | unsigned int nbits = nbits_from_pk (pk); |
223 | |
|
224 | 0 | if (!gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0, |
225 | 0 | pk->pkey, nbits, NULL)) |
226 | 0 | log_info (_("WARNING: key %s is not suitable for encryption" |
227 | 0 | " in %s mode\n"), |
228 | 0 | keystr_from_pk (pk), |
229 | 0 | gnupg_compliance_option_string (opt.compliance)); |
230 | |
|
231 | 0 | if (compliant |
232 | 0 | && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey, |
233 | 0 | nbits, NULL)) |
234 | 0 | compliant = 0; /* Not compliant - reset flag. */ |
235 | 0 | } |
236 | | |
237 | | /* If we are compliant print the status for de-vs compliance. */ |
238 | 0 | if (compliant) |
239 | 0 | write_status_strings (STATUS_ENCRYPTION_COMPLIANCE_MODE, |
240 | 0 | gnupg_status_compliance_flag (CO_DE_VS), |
241 | 0 | NULL); |
242 | | |
243 | | /* Check whether we should fail the operation. */ |
244 | 0 | if (opt.flags.require_compliance |
245 | 0 | && opt.compliance == CO_DE_VS |
246 | 0 | && !compliant) |
247 | 0 | { |
248 | 0 | compliance_failure (); |
249 | 0 | err = gpg_error (GPG_ERR_FORBIDDEN); |
250 | 0 | goto leave; |
251 | 0 | } |
252 | | |
253 | 0 | leave: |
254 | 0 | return err; |
255 | 0 | } |
256 | | |
257 | | |
258 | | /* Encrypt a session key using DEK and store a pointer to the result |
259 | | * at R_ENCKEY and its length at R_ENCKEYLEN. |
260 | | * |
261 | | * R_SESKEY points to the unencrypted session key (.KEY, .KEYLEN) and |
262 | | * the algorithm that will be used to encrypt the contents of the |
263 | | * SKESK packet (.ALGO). If R_SESKEY points to NULL, then a random |
264 | | * session key that is appropriate for DEK->ALGO is generated and |
265 | | * stored at R_SESKEY. If AEAD_ALGO is not 0 the given AEAD algorithm |
266 | | * is used for encryption. |
267 | | */ |
268 | | static gpg_error_t |
269 | | encrypt_seskey (DEK *dek, aead_algo_t aead_algo, |
270 | | DEK **r_seskey, void **r_enckey, size_t *r_enckeylen) |
271 | 0 | { |
272 | 0 | gpg_error_t err; |
273 | 0 | gcry_cipher_hd_t hd = NULL; |
274 | 0 | byte *buf = NULL; |
275 | 0 | DEK *seskey; |
276 | |
|
277 | 0 | *r_enckey = NULL; |
278 | 0 | *r_enckeylen = 0; |
279 | |
|
280 | 0 | if (*r_seskey) |
281 | 0 | seskey = *r_seskey; |
282 | 0 | else |
283 | 0 | { |
284 | 0 | seskey = xtrycalloc (1, sizeof(DEK)); |
285 | 0 | if (!seskey) |
286 | 0 | { |
287 | 0 | err = gpg_error_from_syserror (); |
288 | 0 | goto leave; |
289 | 0 | } |
290 | 0 | seskey->algo = dek->algo; |
291 | 0 | make_session_key (seskey); |
292 | | /*log_hexdump( "thekey", c->key, c->keylen );*/ |
293 | 0 | } |
294 | | |
295 | | |
296 | 0 | if (aead_algo) |
297 | 0 | { |
298 | 0 | unsigned int noncelen; |
299 | 0 | enum gcry_cipher_modes ciphermode; |
300 | 0 | byte ad[4]; |
301 | |
|
302 | 0 | err = openpgp_aead_algo_info (aead_algo, &ciphermode, &noncelen); |
303 | 0 | if (err) |
304 | 0 | goto leave; |
305 | | |
306 | | /* Allocate space for the nonce, the key, and the authentication |
307 | | * tag (16). */ |
308 | 0 | buf = xtrymalloc_secure (noncelen + seskey->keylen + 16); |
309 | 0 | if (!buf) |
310 | 0 | { |
311 | 0 | err = gpg_error_from_syserror (); |
312 | 0 | goto leave; |
313 | 0 | } |
314 | | |
315 | 0 | gcry_randomize (buf, noncelen, GCRY_STRONG_RANDOM); |
316 | |
|
317 | 0 | err = openpgp_cipher_open (&hd, dek->algo, |
318 | 0 | ciphermode, GCRY_CIPHER_SECURE); |
319 | 0 | if (!err) |
320 | 0 | err = gcry_cipher_setkey (hd, dek->key, dek->keylen); |
321 | 0 | if (!err) |
322 | 0 | err = gcry_cipher_setiv (hd, buf, noncelen); |
323 | 0 | if (err) |
324 | 0 | goto leave; |
325 | | |
326 | 0 | ad[0] = (0xc0 | PKT_SYMKEY_ENC); |
327 | 0 | ad[1] = 5; |
328 | 0 | ad[2] = dek->algo; |
329 | 0 | ad[3] = aead_algo; |
330 | 0 | err = gcry_cipher_authenticate (hd, ad, 4); |
331 | 0 | if (err) |
332 | 0 | goto leave; |
333 | | |
334 | 0 | memcpy (buf + noncelen, seskey->key, seskey->keylen); |
335 | 0 | gcry_cipher_final (hd); |
336 | 0 | err = gcry_cipher_encrypt (hd, buf + noncelen, seskey->keylen, NULL,0); |
337 | 0 | if (err) |
338 | 0 | goto leave; |
339 | 0 | err = gcry_cipher_gettag (hd, buf + noncelen + seskey->keylen, 16); |
340 | 0 | if (err) |
341 | 0 | goto leave; |
342 | 0 | *r_enckeylen = noncelen + seskey->keylen + 16; |
343 | 0 | *r_enckey = buf; |
344 | 0 | buf = NULL; |
345 | 0 | } |
346 | 0 | else |
347 | 0 | { |
348 | | /* In the old version 4 SKESK the encrypted session key is |
349 | | * prefixed with a one-octet algorithm id. */ |
350 | 0 | buf = xtrymalloc_secure (1 + seskey->keylen); |
351 | 0 | if (!buf) |
352 | 0 | { |
353 | 0 | err = gpg_error_from_syserror (); |
354 | 0 | goto leave; |
355 | 0 | } |
356 | 0 | buf[0] = seskey->algo; |
357 | 0 | memcpy (buf + 1, seskey->key, seskey->keylen); |
358 | |
|
359 | 0 | err = openpgp_cipher_open (&hd, dek->algo, GCRY_CIPHER_MODE_CFB, 1); |
360 | 0 | if (!err) |
361 | 0 | err = gcry_cipher_setkey (hd, dek->key, dek->keylen); |
362 | 0 | if (!err) |
363 | 0 | err = gcry_cipher_setiv (hd, NULL, 0); |
364 | 0 | if (!err) |
365 | 0 | err = gcry_cipher_encrypt (hd, buf, seskey->keylen + 1, NULL, 0); |
366 | 0 | if (err) |
367 | 0 | goto leave; |
368 | 0 | *r_enckeylen = seskey->keylen + 1; |
369 | 0 | *r_enckey = buf; |
370 | 0 | buf = NULL; |
371 | 0 | } |
372 | | |
373 | | /* Return the session key in case we allocated it. */ |
374 | 0 | *r_seskey = seskey; |
375 | 0 | seskey = NULL; |
376 | |
|
377 | 0 | leave: |
378 | 0 | gcry_cipher_close (hd); |
379 | 0 | if (seskey != *r_seskey) |
380 | 0 | xfree (seskey); |
381 | 0 | xfree (buf); |
382 | 0 | return err; |
383 | 0 | } |
384 | | |
385 | | |
386 | | /* Return the AEAD algo if we shall use AEAD mode. Returns 0 if AEAD |
387 | | * shall not be used. */ |
388 | | aead_algo_t |
389 | | use_aead (pk_list_t pk_list, int algo) |
390 | 0 | { |
391 | 0 | int can_use; |
392 | |
|
393 | 0 | can_use = openpgp_cipher_get_algo_blklen (algo) == 16; |
394 | | |
395 | | /* With --force-aead we want AEAD. */ |
396 | 0 | if (opt.force_aead) |
397 | 0 | { |
398 | 0 | if (!can_use) |
399 | 0 | { |
400 | 0 | log_info ("Warning: request to use OCB ignored for cipher '%s'\n", |
401 | 0 | openpgp_cipher_algo_name (algo)); |
402 | 0 | return 0; |
403 | 0 | } |
404 | 0 | return AEAD_ALGO_OCB; |
405 | 0 | } |
406 | | |
407 | | /* AEAD does only work with 128 bit cipher blocklength. */ |
408 | 0 | if (!can_use) |
409 | 0 | return 0; |
410 | | |
411 | | /* Note the user which keys have no AEAD feature flag set. */ |
412 | 0 | if (opt.verbose) |
413 | 0 | warn_missing_aead_from_pklist (pk_list); |
414 | | |
415 | | /* If all keys support AEAD we can use it. */ |
416 | 0 | return select_aead_from_pklist (pk_list); |
417 | 0 | } |
418 | | |
419 | | |
420 | | /* Shall we use the MDC? Yes - unless rfc-2440 compatibility is |
421 | | * requested. */ |
422 | | int |
423 | | use_mdc (pk_list_t pk_list,int algo) |
424 | 0 | { |
425 | 0 | (void)pk_list; |
426 | 0 | (void)algo; |
427 | | |
428 | | /* RFC-2440 don't has MDC - this is the only way to create a legacy |
429 | | * non-MDC encryption packet. */ |
430 | 0 | if (RFC2440) |
431 | 0 | return 0; |
432 | | |
433 | 0 | return 1; /* In all other cases we use the MDC */ |
434 | 0 | } |
435 | | |
436 | | |
437 | | /* This function handles the --symmetric only (MODE true) and --store |
438 | | * (MODE false) cases. We don't want to use USE_SESKEY by default |
439 | | * very old gnupg versions can't handle it, and there isn't really any |
440 | | * point unless we're making a message that can be decrypted by a |
441 | | * public key or passphrase. */ |
442 | | static int |
443 | | encrypt_simple (const char *filename, int mode, int use_seskey) |
444 | 0 | { |
445 | 0 | iobuf_t inp, out; |
446 | 0 | PACKET pkt; |
447 | 0 | PKT_plaintext *pt = NULL; |
448 | 0 | STRING2KEY *s2k = NULL; |
449 | 0 | void *enckey = NULL; |
450 | 0 | size_t enckeylen = 0; |
451 | 0 | int rc = 0; |
452 | 0 | u32 filesize; |
453 | 0 | cipher_filter_context_t cfx; |
454 | 0 | armor_filter_context_t *afx = NULL; |
455 | 0 | compress_filter_context_t zfx; |
456 | 0 | text_filter_context_t tfx; |
457 | 0 | progress_filter_context_t *pfx; |
458 | 0 | int do_compress = !!default_compress_algo(); |
459 | |
|
460 | 0 | if (!gnupg_rng_is_compliant (opt.compliance)) |
461 | 0 | { |
462 | 0 | rc = gpg_error (GPG_ERR_FORBIDDEN); |
463 | 0 | log_error (_("%s is not compliant with %s mode\n"), |
464 | 0 | "RNG", |
465 | 0 | gnupg_compliance_option_string (opt.compliance)); |
466 | 0 | write_status_error ("random-compliance", rc); |
467 | 0 | return rc; |
468 | 0 | } |
469 | | |
470 | 0 | pfx = new_progress_context (); |
471 | 0 | memset( &cfx, 0, sizeof cfx); |
472 | 0 | memset( &zfx, 0, sizeof zfx); |
473 | 0 | memset( &tfx, 0, sizeof tfx); |
474 | 0 | init_packet(&pkt); |
475 | | |
476 | | /* Prepare iobufs. */ |
477 | 0 | inp = iobuf_open(filename); |
478 | 0 | if (inp) |
479 | 0 | iobuf_ioctl (inp, IOBUF_IOCTL_NO_CACHE, 1, NULL); |
480 | 0 | if (inp && is_secured_file (iobuf_get_fd (inp))) |
481 | 0 | { |
482 | 0 | iobuf_close (inp); |
483 | 0 | inp = NULL; |
484 | 0 | gpg_err_set_errno (EPERM); |
485 | 0 | } |
486 | 0 | if (!inp) |
487 | 0 | { |
488 | 0 | rc = gpg_error_from_syserror (); |
489 | 0 | log_error(_("can't open '%s': %s\n"), filename? filename: "[stdin]", |
490 | 0 | strerror(errno) ); |
491 | 0 | release_progress_context (pfx); |
492 | 0 | return rc; |
493 | 0 | } |
494 | | |
495 | 0 | handle_progress (pfx, inp, filename); |
496 | |
|
497 | 0 | if (opt.textmode) |
498 | 0 | iobuf_push_filter( inp, text_filter, &tfx ); |
499 | |
|
500 | 0 | cfx.dek = NULL; |
501 | 0 | if ( mode ) |
502 | 0 | { |
503 | 0 | aead_algo_t aead_algo; |
504 | |
|
505 | 0 | rc = setup_symkey (&s2k, &cfx.dek); |
506 | 0 | if (rc) |
507 | 0 | { |
508 | 0 | iobuf_close (inp); |
509 | 0 | if (gpg_err_code (rc) == GPG_ERR_CIPHER_ALGO |
510 | 0 | || gpg_err_code (rc) == GPG_ERR_DIGEST_ALGO) |
511 | 0 | ; /* Error has already been printed. */ |
512 | 0 | else |
513 | 0 | log_error (_("error creating passphrase: %s\n"), gpg_strerror (rc)); |
514 | 0 | release_progress_context (pfx); |
515 | 0 | return rc; |
516 | 0 | } |
517 | 0 | if (use_seskey && s2k->mode != 1 && s2k->mode != 3) |
518 | 0 | { |
519 | 0 | use_seskey = 0; |
520 | 0 | log_info (_("can't use a SKESK packet due to the S2K mode\n")); |
521 | 0 | } |
522 | | |
523 | | /* See whether we want to use AEAD. */ |
524 | 0 | aead_algo = use_aead (NULL, cfx.dek->algo); |
525 | |
|
526 | 0 | if ( use_seskey ) |
527 | 0 | { |
528 | 0 | DEK *dek = NULL; |
529 | |
|
530 | 0 | rc = encrypt_seskey (cfx.dek, aead_algo, &dek, &enckey, &enckeylen); |
531 | 0 | if (rc) |
532 | 0 | { |
533 | 0 | xfree (cfx.dek); |
534 | 0 | xfree (s2k); |
535 | 0 | iobuf_close (inp); |
536 | 0 | release_progress_context (pfx); |
537 | 0 | return rc; |
538 | 0 | } |
539 | | /* Replace key in DEK. */ |
540 | 0 | xfree (cfx.dek); |
541 | 0 | cfx.dek = dek; |
542 | 0 | } |
543 | | |
544 | 0 | if (aead_algo) |
545 | 0 | cfx.dek->use_aead = aead_algo; |
546 | 0 | else |
547 | 0 | cfx.dek->use_mdc = !!use_mdc (NULL, cfx.dek->algo); |
548 | |
|
549 | 0 | if (opt.verbose) |
550 | 0 | log_info(_("using cipher %s.%s\n"), |
551 | 0 | openpgp_cipher_algo_name (cfx.dek->algo), |
552 | 0 | cfx.dek->use_aead? openpgp_aead_algo_name (cfx.dek->use_aead) |
553 | 0 | /**/ : "CFB"); |
554 | 0 | } |
555 | | |
556 | 0 | if (rc || (rc = open_outfile (GNUPG_INVALID_FD, filename, opt.armor? 1:0, |
557 | 0 | 0, &out ))) |
558 | 0 | { |
559 | 0 | iobuf_cancel (inp); |
560 | 0 | xfree (cfx.dek); |
561 | 0 | xfree (s2k); |
562 | 0 | release_progress_context (pfx); |
563 | 0 | return rc; |
564 | 0 | } |
565 | | |
566 | 0 | if ( opt.armor ) |
567 | 0 | { |
568 | 0 | afx = new_armor_context (); |
569 | 0 | push_armor_filter (afx, out); |
570 | 0 | } |
571 | |
|
572 | 0 | if ( s2k ) |
573 | 0 | { |
574 | | /* Fixme: This is quite similar to write_symkey_enc. */ |
575 | 0 | PKT_symkey_enc *enc = xmalloc_clear (sizeof *enc); |
576 | 0 | enc->version = cfx.dek->use_aead ? 5 : 4; |
577 | 0 | enc->cipher_algo = cfx.dek->algo; |
578 | 0 | enc->aead_algo = cfx.dek->use_aead; |
579 | 0 | enc->s2k = *s2k; |
580 | 0 | if (enckeylen) |
581 | 0 | { |
582 | 0 | enc->seskeylen = enckeylen; |
583 | 0 | enc->seskey = xmalloc (enckeylen); |
584 | 0 | memcpy (enc->seskey, enckey, enckeylen); |
585 | 0 | } |
586 | 0 | pkt.pkttype = PKT_SYMKEY_ENC; |
587 | 0 | pkt.pkt.symkey_enc = enc; |
588 | 0 | if ((rc = build_packet( out, &pkt ))) |
589 | 0 | log_error("build symkey packet failed: %s\n", gpg_strerror (rc) ); |
590 | 0 | free_symkey_enc (enc); |
591 | 0 | xfree (enckey); |
592 | 0 | enckey = NULL; |
593 | 0 | } |
594 | |
|
595 | 0 | if (!opt.no_literal) |
596 | 0 | pt = setup_plaintext_name (filename, inp); |
597 | | |
598 | | /* Note that PGP 5 has problems decrypting symmetrically encrypted |
599 | | data if the file length is in the inner packet. It works when |
600 | | only partial length headers are use. In the past, we always used |
601 | | partial body length here, but since PGP 2, PGP 6, and PGP 7 need |
602 | | the file length, and nobody should be using PGP 5 nowadays |
603 | | anyway, this is now set to the file length. Note also that this |
604 | | only applies to the RFC-1991 style symmetric messages, and not |
605 | | the RFC-2440 style. PGP 6 and 7 work with either partial length |
606 | | or fixed length with the new style messages. */ |
607 | |
|
608 | 0 | if ( !iobuf_is_pipe_filename (filename) && *filename && !opt.textmode ) |
609 | 0 | { |
610 | 0 | uint64_t tmpsize; |
611 | |
|
612 | 0 | tmpsize = iobuf_get_filelength(inp); |
613 | 0 | if (!tmpsize && opt.verbose) |
614 | 0 | log_info(_("WARNING: '%s' is an empty file\n"), filename ); |
615 | | |
616 | | /* We can't encode the length of very large files because |
617 | | OpenPGP uses only 32 bit for file sizes. So if the |
618 | | size of a file is larger than 2^32 minus some bytes for |
619 | | packet headers, we switch to partial length encoding. */ |
620 | 0 | if ( tmpsize < (IOBUF_FILELENGTH_LIMIT - 65536) ) |
621 | 0 | filesize = tmpsize; |
622 | 0 | else |
623 | 0 | filesize = 0; |
624 | 0 | } |
625 | 0 | else |
626 | 0 | filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */ |
627 | | |
628 | | /* Register the cipher filter. */ |
629 | 0 | if (mode) |
630 | 0 | iobuf_push_filter (out, |
631 | 0 | cfx.dek->use_aead? cipher_filter_aead |
632 | 0 | /**/ : cipher_filter_cfb, |
633 | 0 | &cfx ); |
634 | |
|
635 | 0 | if (do_compress |
636 | 0 | && cfx.dek |
637 | 0 | && (cfx.dek->use_mdc || cfx.dek->use_aead) |
638 | 0 | && !opt.explicit_compress_option |
639 | 0 | && is_file_compressed (inp)) |
640 | 0 | { |
641 | 0 | if (opt.verbose) |
642 | 0 | log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]"); |
643 | 0 | do_compress = 0; |
644 | 0 | } |
645 | |
|
646 | 0 | if (!opt.no_literal) |
647 | 0 | { |
648 | | /* Note that PT has been initialized above in !no_literal mode. */ |
649 | 0 | pt->timestamp = make_timestamp(); |
650 | 0 | pt->mode = opt.mimemode? 'm' : opt.textmode? 't' : 'b'; |
651 | 0 | pt->len = filesize; |
652 | 0 | pt->new_ctb = !pt->len; |
653 | 0 | pt->buf = inp; |
654 | 0 | pkt.pkttype = PKT_PLAINTEXT; |
655 | 0 | pkt.pkt.plaintext = pt; |
656 | 0 | cfx.datalen = filesize && !do_compress ? calc_packet_length( &pkt ) : 0; |
657 | 0 | } |
658 | 0 | else |
659 | 0 | { |
660 | 0 | cfx.datalen = filesize && !do_compress ? filesize : 0; |
661 | 0 | pkt.pkttype = 0; |
662 | 0 | pkt.pkt.generic = NULL; |
663 | 0 | } |
664 | | |
665 | | /* Register the compress filter. */ |
666 | 0 | if ( do_compress ) |
667 | 0 | { |
668 | 0 | if (cfx.dek && (cfx.dek->use_mdc || cfx.dek->use_aead)) |
669 | 0 | zfx.new_ctb = 1; |
670 | 0 | push_compress_filter (out, &zfx, default_compress_algo()); |
671 | 0 | } |
672 | | |
673 | | /* Do the work. */ |
674 | 0 | if (!opt.no_literal) |
675 | 0 | { |
676 | 0 | if ( (rc = build_packet( out, &pkt )) ) |
677 | 0 | log_error("build_packet failed: %s\n", gpg_strerror (rc) ); |
678 | 0 | } |
679 | 0 | else |
680 | 0 | { |
681 | | /* User requested not to create a literal packet, so we copy the |
682 | | plain data. */ |
683 | 0 | iobuf_copy (out, inp); |
684 | 0 | if ((rc = iobuf_error (inp))) |
685 | 0 | log_error (_("error reading '%s': %s\n"), |
686 | 0 | iobuf_get_fname_nonnull (inp), gpg_strerror (rc)); |
687 | 0 | else if ((rc = iobuf_error (out))) |
688 | 0 | log_error (_("error writing '%s': %s\n"), |
689 | 0 | iobuf_get_fname_nonnull (out), gpg_strerror (rc)); |
690 | 0 | } |
691 | | |
692 | | /* Finish the stuff. */ |
693 | 0 | iobuf_close (inp); |
694 | 0 | if (rc) |
695 | 0 | iobuf_cancel(out); |
696 | 0 | else |
697 | 0 | { |
698 | 0 | iobuf_close (out); /* fixme: check returncode */ |
699 | 0 | if (mode) |
700 | 0 | write_status ( STATUS_END_ENCRYPTION ); |
701 | 0 | } |
702 | 0 | if (pt) |
703 | 0 | pt->buf = NULL; |
704 | 0 | free_packet (&pkt, NULL); |
705 | 0 | xfree (enckey); |
706 | 0 | xfree (cfx.dek); |
707 | 0 | xfree (s2k); |
708 | 0 | release_armor_context (afx); |
709 | 0 | release_progress_context (pfx); |
710 | 0 | return rc; |
711 | 0 | } |
712 | | |
713 | | |
714 | | gpg_error_t |
715 | | setup_symkey (STRING2KEY **symkey_s2k, DEK **symkey_dek) |
716 | 0 | { |
717 | 0 | int canceled; |
718 | 0 | int defcipher; |
719 | 0 | int s2kdigest; |
720 | |
|
721 | 0 | defcipher = default_cipher_algo (); |
722 | 0 | if (openpgp_cipher_blocklen (defcipher) < 16 |
723 | 0 | && !opt.flags.allow_old_cipher_algos) |
724 | 0 | { |
725 | 0 | log_error (_("cipher algorithm '%s' may not be used for encryption\n"), |
726 | 0 | openpgp_cipher_algo_name (defcipher)); |
727 | 0 | if (!opt.quiet) |
728 | 0 | log_info (_("(use option \"%s\" to override)\n"), |
729 | 0 | "--allow-old-cipher-algos"); |
730 | 0 | return gpg_error (GPG_ERR_CIPHER_ALGO); |
731 | 0 | } |
732 | | |
733 | 0 | if (!gnupg_cipher_is_allowed (opt.compliance, 1, defcipher, |
734 | 0 | GCRY_CIPHER_MODE_CFB)) |
735 | 0 | { |
736 | 0 | log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), |
737 | 0 | openpgp_cipher_algo_name (defcipher), |
738 | 0 | gnupg_compliance_option_string (opt.compliance)); |
739 | 0 | return gpg_error (GPG_ERR_CIPHER_ALGO); |
740 | 0 | } |
741 | | |
742 | 0 | s2kdigest = S2K_DIGEST_ALGO; |
743 | 0 | if (!gnupg_digest_is_allowed (opt.compliance, 1, s2kdigest)) |
744 | 0 | { |
745 | 0 | log_error (_("digest algorithm '%s' may not be used in %s mode\n"), |
746 | 0 | gcry_md_algo_name (s2kdigest), |
747 | 0 | gnupg_compliance_option_string (opt.compliance)); |
748 | 0 | return gpg_error (GPG_ERR_DIGEST_ALGO); |
749 | 0 | } |
750 | | |
751 | 0 | *symkey_s2k = xmalloc_clear (sizeof **symkey_s2k); |
752 | 0 | (*symkey_s2k)->mode = opt.s2k_mode; |
753 | 0 | (*symkey_s2k)->hash_algo = s2kdigest; |
754 | |
|
755 | 0 | *symkey_dek = passphrase_to_dek (defcipher, |
756 | 0 | *symkey_s2k, 1, 0, NULL, 0, &canceled); |
757 | 0 | if (!*symkey_dek || !(*symkey_dek)->keylen) |
758 | 0 | { |
759 | 0 | xfree(*symkey_dek); |
760 | 0 | xfree(*symkey_s2k); |
761 | 0 | return gpg_error (canceled?GPG_ERR_CANCELED:GPG_ERR_INV_PASSPHRASE); |
762 | 0 | } |
763 | | |
764 | 0 | return 0; |
765 | 0 | } |
766 | | |
767 | | |
768 | | static int |
769 | | write_symkey_enc (STRING2KEY *symkey_s2k, aead_algo_t aead_algo, |
770 | | DEK *symkey_dek, DEK *dek, iobuf_t out) |
771 | 0 | { |
772 | 0 | int rc; |
773 | 0 | void *enckey; |
774 | 0 | size_t enckeylen; |
775 | 0 | PKT_symkey_enc *enc; |
776 | 0 | PACKET pkt; |
777 | |
|
778 | 0 | rc = encrypt_seskey (symkey_dek, aead_algo, &dek, &enckey, &enckeylen); |
779 | 0 | if (rc) |
780 | 0 | return rc; |
781 | 0 | enc = xtrycalloc (1, sizeof (PKT_symkey_enc)); |
782 | 0 | if (!enc) |
783 | 0 | { |
784 | 0 | rc = gpg_error_from_syserror (); |
785 | 0 | xfree (enckey); |
786 | 0 | return rc; |
787 | 0 | } |
788 | | |
789 | 0 | enc->version = aead_algo? 5 : 4; |
790 | 0 | enc->cipher_algo = opt.s2k_cipher_algo; |
791 | 0 | enc->aead_algo = aead_algo; |
792 | 0 | enc->s2k = *symkey_s2k; |
793 | 0 | enc->seskeylen = enckeylen; |
794 | 0 | enc->seskey = xtrymalloc (enckeylen); |
795 | 0 | if (!enc->seskey) |
796 | 0 | { |
797 | 0 | rc = gpg_error_from_syserror (); |
798 | 0 | xfree (enc); |
799 | 0 | xfree (enckey); |
800 | 0 | return rc; |
801 | 0 | } |
802 | 0 | memcpy (enc->seskey, enckey, enckeylen); |
803 | 0 | xfree (enckey); |
804 | |
|
805 | 0 | pkt.pkttype = PKT_SYMKEY_ENC; |
806 | 0 | pkt.pkt.symkey_enc = enc; |
807 | |
|
808 | 0 | if ((rc=build_packet(out,&pkt))) |
809 | 0 | log_error("build symkey_enc packet failed: %s\n",gpg_strerror (rc)); |
810 | |
|
811 | 0 | free_symkey_enc (enc); |
812 | 0 | return rc; |
813 | 0 | } |
814 | | |
815 | | |
816 | | /* |
817 | | * Encrypt the file with the given userids (or ask if none is |
818 | | * supplied). Either FILENAME or FILEFD must be given, but not both. |
819 | | * The caller may provide a checked list of public keys in |
820 | | * PROVIDED_KEYS; if not the function builds a list of keys on its own. |
821 | | * |
822 | | * Note that FILEFD and OUTPUTFD are currently only used by |
823 | | * cmd_encrypt in the not yet finished server.c. |
824 | | */ |
825 | | int |
826 | | encrypt_crypt (ctrl_t ctrl, gnupg_fd_t filefd, const char *filename, |
827 | | strlist_t remusr, int use_symkey, pk_list_t provided_keys, |
828 | | gnupg_fd_t outputfd) |
829 | 0 | { |
830 | 0 | iobuf_t inp = NULL; |
831 | 0 | iobuf_t out = NULL; |
832 | 0 | PACKET pkt; |
833 | 0 | PKT_plaintext *pt = NULL; |
834 | 0 | DEK *symkey_dek = NULL; |
835 | 0 | STRING2KEY *symkey_s2k = NULL; |
836 | 0 | int rc = 0; |
837 | 0 | u32 filesize; |
838 | 0 | cipher_filter_context_t cfx; |
839 | 0 | armor_filter_context_t *afx = NULL; |
840 | 0 | compress_filter_context_t zfx; |
841 | 0 | text_filter_context_t tfx; |
842 | 0 | progress_filter_context_t *pfx; |
843 | 0 | PK_LIST pk_list; |
844 | 0 | int do_compress; |
845 | |
|
846 | 0 | if (filefd != GNUPG_INVALID_FD && filename) |
847 | 0 | return gpg_error (GPG_ERR_INV_ARG); /* Both given. */ |
848 | | |
849 | 0 | do_compress = !!opt.compress_algo; |
850 | |
|
851 | 0 | pfx = new_progress_context (); |
852 | 0 | memset( &cfx, 0, sizeof cfx); |
853 | 0 | memset( &zfx, 0, sizeof zfx); |
854 | 0 | memset( &tfx, 0, sizeof tfx); |
855 | 0 | init_packet(&pkt); |
856 | |
|
857 | 0 | if (use_symkey |
858 | 0 | && (rc=setup_symkey(&symkey_s2k,&symkey_dek))) |
859 | 0 | { |
860 | 0 | release_progress_context (pfx); |
861 | 0 | return rc; |
862 | 0 | } |
863 | | |
864 | 0 | if (provided_keys) |
865 | 0 | pk_list = provided_keys; |
866 | 0 | else |
867 | 0 | { |
868 | 0 | if ((rc = build_pk_list (ctrl, remusr, &pk_list))) |
869 | 0 | { |
870 | 0 | release_progress_context (pfx); |
871 | 0 | return rc; |
872 | 0 | } |
873 | 0 | } |
874 | | |
875 | | /* Prepare iobufs. */ |
876 | | #ifdef HAVE_W32_SYSTEM |
877 | | if (filefd == GNUPG_INVALID_FD) |
878 | | inp = iobuf_open (filename); |
879 | | else |
880 | | { |
881 | | inp = NULL; |
882 | | gpg_err_set_errno (ENOSYS); |
883 | | } |
884 | | #else |
885 | 0 | if (filefd == GNUPG_INVALID_FD) |
886 | 0 | inp = iobuf_open (filename); |
887 | 0 | else |
888 | 0 | inp = iobuf_fdopen_nc (filefd, "rb"); |
889 | 0 | #endif |
890 | 0 | if (inp) |
891 | 0 | iobuf_ioctl (inp, IOBUF_IOCTL_NO_CACHE, 1, NULL); |
892 | 0 | if (inp && is_secured_file (iobuf_get_fd (inp))) |
893 | 0 | { |
894 | 0 | iobuf_close (inp); |
895 | 0 | inp = NULL; |
896 | 0 | gpg_err_set_errno (EPERM); |
897 | 0 | } |
898 | 0 | if (!inp) |
899 | 0 | { |
900 | 0 | char xname[64]; |
901 | |
|
902 | 0 | rc = gpg_error_from_syserror (); |
903 | 0 | if (filefd != GNUPG_INVALID_FD) |
904 | 0 | snprintf (xname, sizeof xname, "[fd %d]", FD_DBG (filefd)); |
905 | 0 | else if (!filename) |
906 | 0 | strcpy (xname, "[stdin]"); |
907 | 0 | else |
908 | 0 | *xname = 0; |
909 | 0 | log_error (_("can't open '%s': %s\n"), |
910 | 0 | *xname? xname : filename, gpg_strerror (rc) ); |
911 | 0 | goto leave; |
912 | 0 | } |
913 | | |
914 | 0 | if (opt.verbose) |
915 | 0 | log_info (_("reading from '%s'\n"), iobuf_get_fname_nonnull (inp)); |
916 | |
|
917 | 0 | handle_progress (pfx, inp, filename); |
918 | |
|
919 | 0 | if (opt.textmode) |
920 | 0 | iobuf_push_filter (inp, text_filter, &tfx); |
921 | |
|
922 | 0 | rc = open_outfile (outputfd, filename, opt.armor? 1:0, 0, &out); |
923 | 0 | if (rc) |
924 | 0 | goto leave; |
925 | | |
926 | 0 | if (opt.armor) |
927 | 0 | { |
928 | 0 | afx = new_armor_context (); |
929 | 0 | push_armor_filter (afx, out); |
930 | 0 | } |
931 | | |
932 | | /* Create a session key. */ |
933 | 0 | cfx.dek = create_dek_with_warnings (pk_list); |
934 | |
|
935 | 0 | rc = check_encryption_compliance (cfx.dek, pk_list); |
936 | 0 | if (rc) |
937 | 0 | goto leave; |
938 | | |
939 | 0 | cfx.dek->use_aead = use_aead (pk_list, cfx.dek->algo); |
940 | 0 | if (!cfx.dek->use_aead) |
941 | 0 | cfx.dek->use_mdc = !!use_mdc (pk_list, cfx.dek->algo); |
942 | |
|
943 | 0 | make_session_key (cfx.dek); |
944 | 0 | if (DBG_CRYPTO) |
945 | 0 | log_printhex (cfx.dek->key, cfx.dek->keylen, "DEK is: "); |
946 | |
|
947 | 0 | rc = write_pubkey_enc_from_list (ctrl, pk_list, cfx.dek, out, NULL); |
948 | 0 | if (rc) |
949 | 0 | goto leave; |
950 | | |
951 | | /* We put the passphrase (if any) after any public keys as this |
952 | | * seems to be the most useful on the recipient side - there is no |
953 | | * point in prompting a user for a passphrase if they have the |
954 | | * secret key needed to decrypt. */ |
955 | 0 | if (use_symkey && (rc = write_symkey_enc (symkey_s2k, cfx.dek->use_aead, |
956 | 0 | symkey_dek, cfx.dek, out))) |
957 | 0 | goto leave; |
958 | | |
959 | 0 | if (!opt.no_literal) |
960 | 0 | pt = setup_plaintext_name (filename, inp); |
961 | | |
962 | | /* Get the size of the file if possible, i.e., if it is a real file. */ |
963 | 0 | if (filename && *filename |
964 | 0 | && !iobuf_is_pipe_filename (filename) && !opt.textmode ) |
965 | 0 | { |
966 | 0 | uint64_t tmpsize; |
967 | |
|
968 | 0 | tmpsize = iobuf_get_filelength (inp); |
969 | 0 | if (!tmpsize && opt.verbose) |
970 | 0 | log_info(_("WARNING: '%s' is an empty file\n"), filename ); |
971 | | /* We can't encode the length of very large files because |
972 | | OpenPGP uses only 32 bit for file sizes. So if the size |
973 | | of a file is larger than 2^32 minus some bytes for packet |
974 | | headers, we switch to partial length encoding. */ |
975 | 0 | if (tmpsize < (IOBUF_FILELENGTH_LIMIT - 65536) ) |
976 | 0 | filesize = tmpsize; |
977 | 0 | else |
978 | 0 | filesize = 0; |
979 | 0 | } |
980 | 0 | else |
981 | 0 | filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */ |
982 | | |
983 | | /* Register the cipher filter. */ |
984 | 0 | iobuf_push_filter (out, |
985 | 0 | cfx.dek->use_aead? cipher_filter_aead |
986 | 0 | /**/ : cipher_filter_cfb, |
987 | 0 | &cfx); |
988 | | |
989 | | /* Only do the is-file-already-compressed check if we are using a |
990 | | * MDC or AEAD. This forces compressed files to be re-compressed if |
991 | | * we do not have a MDC to give some protection against chosen |
992 | | * ciphertext attacks. */ |
993 | 0 | if (do_compress |
994 | 0 | && (cfx.dek->use_mdc || cfx.dek->use_aead) |
995 | 0 | && !opt.explicit_compress_option |
996 | 0 | && is_file_compressed (inp)) |
997 | 0 | { |
998 | 0 | if (opt.verbose) |
999 | 0 | log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]"); |
1000 | 0 | do_compress = 0; |
1001 | 0 | } |
1002 | |
|
1003 | 0 | if (!opt.no_literal) |
1004 | 0 | { |
1005 | 0 | pt->timestamp = make_timestamp(); |
1006 | 0 | pt->mode = opt.mimemode? 'm' : opt.textmode ? 't' : 'b'; |
1007 | 0 | pt->len = filesize; |
1008 | 0 | pt->new_ctb = !pt->len; |
1009 | 0 | pt->buf = inp; |
1010 | 0 | pkt.pkttype = PKT_PLAINTEXT; |
1011 | 0 | pkt.pkt.plaintext = pt; |
1012 | 0 | cfx.datalen = filesize && !do_compress? calc_packet_length( &pkt ) : 0; |
1013 | 0 | } |
1014 | 0 | else |
1015 | 0 | cfx.datalen = filesize && !do_compress ? filesize : 0; |
1016 | | |
1017 | | /* Register the compress filter. */ |
1018 | 0 | if (do_compress) |
1019 | 0 | { |
1020 | 0 | int compr_algo = opt.compress_algo; |
1021 | |
|
1022 | 0 | if (compr_algo == -1) |
1023 | 0 | { |
1024 | 0 | compr_algo = select_algo_from_prefs (pk_list, PREFTYPE_ZIP, -1, NULL); |
1025 | 0 | if (compr_algo == -1) |
1026 | 0 | compr_algo = DEFAULT_COMPRESS_ALGO; |
1027 | | /* Theoretically impossible to get here since uncompressed |
1028 | | is implicit. */ |
1029 | 0 | } |
1030 | 0 | else if (!opt.expert |
1031 | 0 | && select_algo_from_prefs(pk_list, PREFTYPE_ZIP, |
1032 | 0 | compr_algo, NULL) != compr_algo) |
1033 | 0 | { |
1034 | 0 | log_info (_("WARNING: forcing compression algorithm %s (%d)" |
1035 | 0 | " violates recipient preferences\n"), |
1036 | 0 | compress_algo_to_string(compr_algo), compr_algo); |
1037 | 0 | } |
1038 | | |
1039 | | /* Algo 0 means no compression. */ |
1040 | 0 | if (compr_algo) |
1041 | 0 | { |
1042 | 0 | if (cfx.dek && (cfx.dek->use_mdc || cfx.dek->use_aead)) |
1043 | 0 | zfx.new_ctb = 1; |
1044 | 0 | push_compress_filter (out,&zfx,compr_algo); |
1045 | 0 | } |
1046 | 0 | } |
1047 | | |
1048 | | /* Do the work. */ |
1049 | 0 | if (!opt.no_literal) |
1050 | 0 | { |
1051 | 0 | if ((rc = build_packet( out, &pkt ))) |
1052 | 0 | log_error ("build_packet failed: %s\n", gpg_strerror (rc)); |
1053 | 0 | } |
1054 | 0 | else |
1055 | 0 | { |
1056 | | /* User requested not to create a literal packet, so we copy the |
1057 | | plain data. */ |
1058 | 0 | iobuf_copy (out, inp); |
1059 | 0 | if ((rc = iobuf_error (inp))) |
1060 | 0 | log_error (_("error reading '%s': %s\n"), |
1061 | 0 | iobuf_get_fname_nonnull (inp), gpg_strerror (rc)); |
1062 | 0 | else if ((rc = iobuf_error (out))) |
1063 | 0 | log_error (_("error writing '%s': %s\n"), |
1064 | 0 | iobuf_get_fname_nonnull (out), gpg_strerror (rc)); |
1065 | |
|
1066 | 0 | } |
1067 | | |
1068 | | /* Finish the stuff. */ |
1069 | 0 | leave: |
1070 | 0 | iobuf_close (inp); |
1071 | 0 | if (rc) |
1072 | 0 | iobuf_cancel (out); |
1073 | 0 | else |
1074 | 0 | { |
1075 | 0 | iobuf_close (out); /* fixme: check returncode */ |
1076 | 0 | write_status (STATUS_END_ENCRYPTION); |
1077 | 0 | } |
1078 | 0 | if (pt) |
1079 | 0 | pt->buf = NULL; |
1080 | 0 | free_packet (&pkt, NULL); |
1081 | 0 | xfree (cfx.dek); |
1082 | 0 | xfree (symkey_dek); |
1083 | 0 | xfree (symkey_s2k); |
1084 | 0 | if (!provided_keys) |
1085 | 0 | release_pk_list (pk_list); |
1086 | 0 | release_armor_context (afx); |
1087 | 0 | release_progress_context (pfx); |
1088 | 0 | return rc; |
1089 | 0 | } |
1090 | | |
1091 | | |
1092 | | /* Re-encrypt files with a set of new recipients. Note that this |
1093 | | * function is called by decrypt_message. INFP is the iobuf from the |
1094 | | * input file which is positioned right after the pubkey_enc and |
1095 | | * symkey_enc packets. */ |
1096 | | gpg_error_t |
1097 | | reencrypt_to_new_recipients (ctrl_t ctrl, int armor, const char *filename, |
1098 | | iobuf_t infp, strlist_t recipients, |
1099 | | DEK *dek, struct seskey_enc_list *sesenc_list) |
1100 | 0 | { |
1101 | 0 | gpg_error_t err; |
1102 | 0 | int save_no_encrypt_to; |
1103 | 0 | pk_list_t newpk_list = NULL; |
1104 | 0 | struct pubkey_enc_info_item *restrict_pk_list = NULL; |
1105 | 0 | struct pubkey_enc_info_item *pkei; /* Iterator */ |
1106 | 0 | iobuf_t outfp = NULL; |
1107 | 0 | armor_filter_context_t *outafx = NULL; |
1108 | 0 | PACKET pkt; |
1109 | 0 | struct seskey_enc_list *el; |
1110 | 0 | unsigned int count; |
1111 | | |
1112 | | /* Unless we want to clear the recipients, record the pubkey encrypt |
1113 | | * infos so hat we can avoid to double encrypt to the same |
1114 | | * recipient. We can't do that for wildcards, though. */ |
1115 | 0 | if (!ctrl->clear_recipients) |
1116 | 0 | { |
1117 | 0 | for (el = sesenc_list; el; el = el->next) |
1118 | 0 | { |
1119 | 0 | if (el->u_sym) |
1120 | 0 | continue; |
1121 | 0 | if (!el->u.pub.keyid[0] && !el->u.pub.keyid[1]) |
1122 | 0 | continue; /* Wildcard encrypt - no useful info. */ |
1123 | 0 | pkei = xcalloc (1, sizeof *pkei); |
1124 | 0 | pkei->keyid[0] = el->u.pub.keyid[0]; |
1125 | 0 | pkei->keyid[1] = el->u.pub.keyid[1]; |
1126 | 0 | pkei->version = el->u.pub.version; |
1127 | 0 | pkei->pubkey_algo = el->u.pub.pubkey_algo; |
1128 | 0 | pkei->next = restrict_pk_list; |
1129 | 0 | restrict_pk_list = pkei; |
1130 | 0 | } |
1131 | 0 | } |
1132 | | |
1133 | | /* Get the keys for all additional recipients but do not encrypt to |
1134 | | * the encrypt-to keys. */ |
1135 | 0 | save_no_encrypt_to = opt.no_encrypt_to; |
1136 | 0 | opt.no_encrypt_to = 1; |
1137 | 0 | err = build_pk_list (ctrl, recipients, &newpk_list); |
1138 | 0 | opt.no_encrypt_to = save_no_encrypt_to; |
1139 | 0 | if (err) |
1140 | 0 | goto leave; |
1141 | | |
1142 | | /* Note that we use by default the suffixes .gpg or .asc */ |
1143 | 0 | err = open_outfile (GNUPG_INVALID_FD, filename, armor? 1:0, 0, &outfp); |
1144 | 0 | if (err) |
1145 | 0 | goto leave; |
1146 | | |
1147 | 0 | if (armor) |
1148 | 0 | { |
1149 | 0 | outafx = new_armor_context (); |
1150 | 0 | push_armor_filter (outafx, outfp); |
1151 | 0 | } |
1152 | | |
1153 | | /* Write the new recipients first. */ |
1154 | 0 | err = write_pubkey_enc_from_list (ctrl, newpk_list, dek, outfp, |
1155 | 0 | restrict_pk_list); |
1156 | 0 | if (err) |
1157 | 0 | goto leave; |
1158 | | |
1159 | | /* Write the old recipients in --add-recipients mode. */ |
1160 | 0 | for (count=0, el = sesenc_list; el; el = el->next, count++) |
1161 | 0 | if (!ctrl->clear_recipients && !el->u_sym) |
1162 | 0 | { |
1163 | 0 | if (opt.verbose) |
1164 | 0 | show_encrypted_for_user_info (ctrl, 0, &el->u.pub, dek); |
1165 | 0 | init_packet (&pkt); |
1166 | 0 | pkt.pkttype = PKT_PUBKEY_ENC; |
1167 | 0 | pkt.pkt.pubkey_enc = &el->u.pub; |
1168 | 0 | err = build_packet (outfp, &pkt); |
1169 | 0 | if (err) |
1170 | 0 | log_error ("build_packet(pubkey_enc) failed: %s\n", |
1171 | 0 | gpg_strerror (err)); |
1172 | 0 | } |
1173 | 0 | if (ctrl->clear_recipients && opt.verbose) |
1174 | 0 | log_info (_("number of removed recipients: %u\n"), count); |
1175 | |
|
1176 | 0 | iobuf_put (outfp, ctrl->last_read_ctb); |
1177 | | |
1178 | | /* Finally copy the bulk of the message. */ |
1179 | 0 | iobuf_copy (outfp, infp); |
1180 | 0 | if ((err = iobuf_error (infp))) |
1181 | 0 | log_error (_("error reading '%s': %s\n"), |
1182 | 0 | iobuf_get_fname_nonnull (infp), gpg_strerror (err)); |
1183 | 0 | else if ((err = iobuf_error (outfp))) |
1184 | 0 | log_error (_("error writing '%s': %s\n"), |
1185 | 0 | iobuf_get_fname_nonnull (outfp), gpg_strerror (err)); |
1186 | | |
1187 | |
|
1188 | 0 | leave: |
1189 | 0 | if (err) |
1190 | 0 | iobuf_cancel (outfp); |
1191 | 0 | else |
1192 | 0 | iobuf_close (outfp); |
1193 | 0 | release_armor_context (outafx); |
1194 | 0 | release_pk_list (newpk_list); |
1195 | 0 | while (restrict_pk_list) |
1196 | 0 | { |
1197 | 0 | pkei = restrict_pk_list->next; |
1198 | 0 | xfree (restrict_pk_list); |
1199 | 0 | restrict_pk_list = pkei; |
1200 | 0 | } |
1201 | 0 | return err; |
1202 | 0 | } |
1203 | | |
1204 | | |
1205 | | � |
1206 | | /* |
1207 | | * Filter to do a complete public key encryption. |
1208 | | */ |
1209 | | int |
1210 | | encrypt_filter (void *opaque, int control, |
1211 | | iobuf_t a, byte *buf, size_t *ret_len) |
1212 | 0 | { |
1213 | 0 | size_t size = *ret_len; |
1214 | 0 | encrypt_filter_context_t *efx = opaque; |
1215 | 0 | int rc = 0; |
1216 | |
|
1217 | 0 | if (control == IOBUFCTRL_UNDERFLOW) /* decrypt */ |
1218 | 0 | { |
1219 | 0 | BUG(); /* not used */ |
1220 | 0 | } |
1221 | 0 | else if ( control == IOBUFCTRL_FLUSH ) /* encrypt */ |
1222 | 0 | { |
1223 | 0 | if ( !efx->header_okay ) |
1224 | 0 | { |
1225 | 0 | efx->header_okay = 1; |
1226 | |
|
1227 | 0 | efx->cfx.dek = create_dek_with_warnings (efx->pk_list); |
1228 | |
|
1229 | 0 | rc = check_encryption_compliance (efx->cfx.dek, efx->pk_list); |
1230 | 0 | if (rc) |
1231 | 0 | return rc; |
1232 | | |
1233 | 0 | efx->cfx.dek->use_aead = use_aead (efx->pk_list, efx->cfx.dek->algo); |
1234 | 0 | if (!efx->cfx.dek->use_aead) |
1235 | 0 | efx->cfx.dek->use_mdc = !!use_mdc (efx->pk_list,efx->cfx.dek->algo); |
1236 | |
|
1237 | 0 | make_session_key ( efx->cfx.dek ); |
1238 | 0 | if (DBG_CRYPTO) |
1239 | 0 | log_printhex (efx->cfx.dek->key, efx->cfx.dek->keylen, "DEK is: "); |
1240 | |
|
1241 | 0 | rc = write_pubkey_enc_from_list (efx->ctrl, |
1242 | 0 | efx->pk_list, efx->cfx.dek, a, NULL); |
1243 | 0 | if (rc) |
1244 | 0 | return rc; |
1245 | | |
1246 | 0 | if(efx->symkey_s2k && efx->symkey_dek) |
1247 | 0 | { |
1248 | 0 | rc = write_symkey_enc (efx->symkey_s2k, efx->cfx.dek->use_aead, |
1249 | 0 | efx->symkey_dek, efx->cfx.dek, a); |
1250 | 0 | if (rc) |
1251 | 0 | return rc; |
1252 | 0 | } |
1253 | | |
1254 | 0 | iobuf_push_filter (a, |
1255 | 0 | efx->cfx.dek->use_aead? cipher_filter_aead |
1256 | 0 | /**/ : cipher_filter_cfb, |
1257 | 0 | &efx->cfx); |
1258 | |
|
1259 | 0 | } |
1260 | 0 | rc = iobuf_write (a, buf, size); |
1261 | |
|
1262 | 0 | } |
1263 | 0 | else if (control == IOBUFCTRL_FREE) |
1264 | 0 | { |
1265 | 0 | xfree (efx->symkey_dek); |
1266 | 0 | xfree (efx->symkey_s2k); |
1267 | 0 | } |
1268 | 0 | else if ( control == IOBUFCTRL_DESC ) |
1269 | 0 | { |
1270 | 0 | mem2str (buf, "encrypt_filter", *ret_len); |
1271 | 0 | } |
1272 | 0 | return rc; |
1273 | 0 | } |
1274 | | |
1275 | | |
1276 | | /* |
1277 | | * Write a pubkey-enc packet for the public key PK to OUT. |
1278 | | */ |
1279 | | int |
1280 | | write_pubkey_enc (ctrl_t ctrl, |
1281 | | PKT_public_key *pk, int throw_keyid, DEK *dek, iobuf_t out) |
1282 | 0 | { |
1283 | 0 | PACKET pkt; |
1284 | 0 | PKT_pubkey_enc *enc; |
1285 | 0 | int rc; |
1286 | 0 | gcry_mpi_t frame; |
1287 | |
|
1288 | 0 | print_pubkey_algo_note ( pk->pubkey_algo ); |
1289 | 0 | enc = xmalloc_clear ( sizeof *enc ); |
1290 | 0 | enc->pubkey_algo = pk->pubkey_algo; |
1291 | 0 | keyid_from_pk( pk, enc->keyid ); |
1292 | 0 | enc->throw_keyid = throw_keyid; |
1293 | 0 | enc->seskey_algo = dek->algo; /* (Used only by PUBKEY_ALGO_KYBER.) */ |
1294 | | |
1295 | | /* Okay, what's going on: We have the session key somewhere in |
1296 | | * the structure DEK and want to encode this session key in an |
1297 | | * integer value of n bits. pubkey_nbits gives us the number of |
1298 | | * bits we have to use. We then encode the session key in some |
1299 | | * way and we get it back in the big integer value FRAME. Then |
1300 | | * we use FRAME, the public key PK->PKEY and the algorithm |
1301 | | * number PK->PUBKEY_ALGO and pass it to pubkey_encrypt which |
1302 | | * returns the encrypted value in the array ENC->DATA. This |
1303 | | * array has a size which depends on the used algorithm (e.g. 2 |
1304 | | * for Elgamal). We don't need frame anymore because we have |
1305 | | * everything now in enc->data which is the passed to |
1306 | | * build_packet(). */ |
1307 | 0 | frame = encode_session_key (pk->pubkey_algo, dek, |
1308 | 0 | pubkey_nbits (pk->pubkey_algo, pk->pkey)); |
1309 | 0 | rc = pk_encrypt (pk, frame, dek->algo, enc->data); |
1310 | 0 | gcry_mpi_release (frame); |
1311 | 0 | if (rc) |
1312 | 0 | log_error ("pubkey_encrypt failed: %s\n", gpg_strerror (rc) ); |
1313 | 0 | else |
1314 | 0 | { |
1315 | 0 | if ( opt.verbose ) |
1316 | 0 | show_encrypted_for_user_info (ctrl, pk->pubkey_usage, enc, dek); |
1317 | | /* And write it. */ |
1318 | 0 | init_packet (&pkt); |
1319 | 0 | pkt.pkttype = PKT_PUBKEY_ENC; |
1320 | 0 | pkt.pkt.pubkey_enc = enc; |
1321 | 0 | rc = build_packet (out, &pkt); |
1322 | 0 | if (rc) |
1323 | 0 | log_error ("build_packet(pubkey_enc) failed: %s\n", |
1324 | 0 | gpg_strerror (rc)); |
1325 | 0 | } |
1326 | 0 | free_pubkey_enc(enc); |
1327 | 0 | return rc; |
1328 | 0 | } |
1329 | | |
1330 | | |
1331 | | /* |
1332 | | * Write pubkey-enc packets from the list of PKs PKLIST to OUT. DEK |
1333 | | * has the session key. If a packet with the same key is also found |
1334 | | * in RESTRICT_PK_LIST, it is not written. |
1335 | | */ |
1336 | | static int |
1337 | | write_pubkey_enc_from_list (ctrl_t ctrl, pk_list_t pk_list, DEK *dek, |
1338 | | iobuf_t out, |
1339 | | struct pubkey_enc_info_item *restrict_pk_list) |
1340 | 0 | { |
1341 | 0 | PKT_public_key *pk; |
1342 | 0 | struct pubkey_enc_info_item *pkei; |
1343 | 0 | int throw_keyid, rc; |
1344 | |
|
1345 | 0 | if (opt.throw_keyids && (PGP7 || PGP8)) |
1346 | 0 | { |
1347 | 0 | log_info(_("option '%s' may not be used in %s mode\n"), |
1348 | 0 | "--throw-keyids", |
1349 | 0 | gnupg_compliance_option_string (opt.compliance)); |
1350 | 0 | compliance_failure(); |
1351 | 0 | } |
1352 | |
|
1353 | 0 | for ( ; pk_list; pk_list = pk_list->next ) |
1354 | 0 | { |
1355 | 0 | pk = pk_list->pk; |
1356 | 0 | for (pkei = restrict_pk_list; pkei; pkei = pkei->next) |
1357 | 0 | if (pk->keyid[0] == pkei->keyid[0] |
1358 | 0 | && pk->keyid[1] == pkei->keyid[1] |
1359 | 0 | && pk->version == pkei->version |
1360 | 0 | && pk->pubkey_algo == pkei->pubkey_algo) |
1361 | 0 | break; |
1362 | 0 | if (pkei) |
1363 | 0 | { |
1364 | 0 | if (opt.verbose) |
1365 | 0 | log_info (_("already encrypted to %08lX\n"), |
1366 | 0 | (ulong) keyid_from_pk (pk, NULL)); |
1367 | 0 | continue; |
1368 | 0 | } |
1369 | | |
1370 | 0 | throw_keyid = (opt.throw_keyids || (pk_list->flags&1)); |
1371 | 0 | rc = write_pubkey_enc (ctrl, pk, throw_keyid, dek, out); |
1372 | 0 | if (rc) |
1373 | 0 | return rc; |
1374 | 0 | } |
1375 | | |
1376 | 0 | return 0; |
1377 | 0 | } |
1378 | | |
1379 | | void |
1380 | | encrypt_crypt_files (ctrl_t ctrl, int nfiles, char **files, strlist_t remusr) |
1381 | 0 | { |
1382 | 0 | int rc = 0; |
1383 | |
|
1384 | 0 | if (opt.outfile) |
1385 | 0 | { |
1386 | 0 | log_error(_("--output doesn't work for this command\n")); |
1387 | 0 | return; |
1388 | 0 | } |
1389 | | |
1390 | 0 | if (!nfiles) |
1391 | 0 | { |
1392 | 0 | char line[2048]; |
1393 | 0 | unsigned int lno = 0; |
1394 | 0 | while ( fgets(line, DIM(line), stdin) ) |
1395 | 0 | { |
1396 | 0 | lno++; |
1397 | 0 | if (!*line || line[strlen(line)-1] != '\n') |
1398 | 0 | { |
1399 | 0 | log_error("input line %u too long or missing LF\n", lno); |
1400 | 0 | return; |
1401 | 0 | } |
1402 | 0 | line[strlen(line)-1] = '\0'; |
1403 | 0 | print_file_status(STATUS_FILE_START, line, 2); |
1404 | 0 | rc = encrypt_crypt (ctrl, GNUPG_INVALID_FD, line, remusr, |
1405 | 0 | 0, NULL, GNUPG_INVALID_FD); |
1406 | 0 | if (rc) |
1407 | 0 | log_error ("encryption of '%s' failed: %s\n", |
1408 | 0 | print_fname_stdin(line), gpg_strerror (rc) ); |
1409 | 0 | write_status( STATUS_FILE_DONE ); |
1410 | 0 | } |
1411 | 0 | } |
1412 | 0 | else |
1413 | 0 | { |
1414 | 0 | while (nfiles--) |
1415 | 0 | { |
1416 | 0 | print_file_status(STATUS_FILE_START, *files, 2); |
1417 | 0 | if ((rc = encrypt_crypt (ctrl, GNUPG_INVALID_FD, *files, remusr, |
1418 | 0 | 0, NULL, GNUPG_INVALID_FD))) |
1419 | 0 | log_error("encryption of '%s' failed: %s\n", |
1420 | 0 | print_fname_stdin(*files), gpg_strerror (rc) ); |
1421 | 0 | write_status( STATUS_FILE_DONE ); |
1422 | 0 | files++; |
1423 | 0 | } |
1424 | 0 | } |
1425 | 0 | } |