]>
Commit | Line | Data |
---|---|---|
c680a8e1 RS |
1 | // Copyright 2011 The Go Authors. All rights reserved. |
2 | // Use of this source code is governed by a BSD-style | |
3 | // license that can be found in the LICENSE file. | |
4 | ||
5 | package packet | |
6 | ||
7 | import ( | |
8 | "bytes" | |
9 | "crypto/cipher" | |
10 | "io" | |
11 | "strconv" | |
12 | ||
13 | "golang.org/x/crypto/openpgp/errors" | |
14 | "golang.org/x/crypto/openpgp/s2k" | |
15 | ) | |
16 | ||
17 | // This is the largest session key that we'll support. Since no 512-bit cipher | |
18 | // has even been seriously used, this is comfortably large. | |
19 | const maxSessionKeySizeInBytes = 64 | |
20 | ||
21 | // SymmetricKeyEncrypted represents a passphrase protected session key. See RFC | |
22 | // 4880, section 5.3. | |
23 | type SymmetricKeyEncrypted struct { | |
24 | CipherFunc CipherFunction | |
25 | s2k func(out, in []byte) | |
26 | encryptedKey []byte | |
27 | } | |
28 | ||
29 | const symmetricKeyEncryptedVersion = 4 | |
30 | ||
31 | func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error { | |
32 | // RFC 4880, section 5.3. | |
33 | var buf [2]byte | |
34 | if _, err := readFull(r, buf[:]); err != nil { | |
35 | return err | |
36 | } | |
37 | if buf[0] != symmetricKeyEncryptedVersion { | |
38 | return errors.UnsupportedError("SymmetricKeyEncrypted version") | |
39 | } | |
40 | ske.CipherFunc = CipherFunction(buf[1]) | |
41 | ||
42 | if ske.CipherFunc.KeySize() == 0 { | |
43 | return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1]))) | |
44 | } | |
45 | ||
46 | var err error | |
47 | ske.s2k, err = s2k.Parse(r) | |
48 | if err != nil { | |
49 | return err | |
50 | } | |
51 | ||
52 | encryptedKey := make([]byte, maxSessionKeySizeInBytes) | |
53 | // The session key may follow. We just have to try and read to find | |
54 | // out. If it exists then we limit it to maxSessionKeySizeInBytes. | |
55 | n, err := readFull(r, encryptedKey) | |
56 | if err != nil && err != io.ErrUnexpectedEOF { | |
57 | return err | |
58 | } | |
59 | ||
60 | if n != 0 { | |
61 | if n == maxSessionKeySizeInBytes { | |
62 | return errors.UnsupportedError("oversized encrypted session key") | |
63 | } | |
64 | ske.encryptedKey = encryptedKey[:n] | |
65 | } | |
66 | ||
67 | return nil | |
68 | } | |
69 | ||
70 | // Decrypt attempts to decrypt an encrypted session key and returns the key and | |
71 | // the cipher to use when decrypting a subsequent Symmetrically Encrypted Data | |
72 | // packet. | |
73 | func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) { | |
74 | key := make([]byte, ske.CipherFunc.KeySize()) | |
75 | ske.s2k(key, passphrase) | |
76 | ||
77 | if len(ske.encryptedKey) == 0 { | |
78 | return key, ske.CipherFunc, nil | |
79 | } | |
80 | ||
81 | // the IV is all zeros | |
82 | iv := make([]byte, ske.CipherFunc.blockSize()) | |
83 | c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv) | |
84 | plaintextKey := make([]byte, len(ske.encryptedKey)) | |
85 | c.XORKeyStream(plaintextKey, ske.encryptedKey) | |
86 | cipherFunc := CipherFunction(plaintextKey[0]) | |
87 | if cipherFunc.blockSize() == 0 { | |
88 | return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) | |
89 | } | |
90 | plaintextKey = plaintextKey[1:] | |
91 | if l, cipherKeySize := len(plaintextKey), cipherFunc.KeySize(); l != cipherFunc.KeySize() { | |
92 | return nil, cipherFunc, errors.StructuralError("length of decrypted key (" + strconv.Itoa(l) + ") " + | |
93 | "not equal to cipher keysize (" + strconv.Itoa(cipherKeySize) + ")") | |
94 | } | |
95 | return plaintextKey, cipherFunc, nil | |
96 | } | |
97 | ||
98 | // SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w. The | |
99 | // packet contains a random session key, encrypted by a key derived from the | |
100 | // given passphrase. The session key is returned and must be passed to | |
101 | // SerializeSymmetricallyEncrypted. | |
102 | // If config is nil, sensible defaults will be used. | |
103 | func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) { | |
104 | cipherFunc := config.Cipher() | |
105 | keySize := cipherFunc.KeySize() | |
106 | if keySize == 0 { | |
107 | return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) | |
108 | } | |
109 | ||
110 | s2kBuf := new(bytes.Buffer) | |
111 | keyEncryptingKey := make([]byte, keySize) | |
112 | // s2k.Serialize salts and stretches the passphrase, and writes the | |
113 | // resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf. | |
114 | err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()}) | |
115 | if err != nil { | |
116 | return | |
117 | } | |
118 | s2kBytes := s2kBuf.Bytes() | |
119 | ||
120 | packetLength := 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize | |
121 | err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength) | |
122 | if err != nil { | |
123 | return | |
124 | } | |
125 | ||
126 | var buf [2]byte | |
127 | buf[0] = symmetricKeyEncryptedVersion | |
128 | buf[1] = byte(cipherFunc) | |
129 | _, err = w.Write(buf[:]) | |
130 | if err != nil { | |
131 | return | |
132 | } | |
133 | _, err = w.Write(s2kBytes) | |
134 | if err != nil { | |
135 | return | |
136 | } | |
137 | ||
138 | sessionKey := make([]byte, keySize) | |
139 | _, err = io.ReadFull(config.Random(), sessionKey) | |
140 | if err != nil { | |
141 | return | |
142 | } | |
143 | iv := make([]byte, cipherFunc.blockSize()) | |
144 | c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv) | |
145 | encryptedCipherAndKey := make([]byte, keySize+1) | |
146 | c.XORKeyStream(encryptedCipherAndKey, buf[1:]) | |
147 | c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey) | |
148 | _, err = w.Write(encryptedCipherAndKey) | |
149 | if err != nil { | |
150 | return | |
151 | } | |
152 | ||
153 | key = sessionKey | |
154 | return | |
155 | } |