1 /* encrypt.c - Encrypt a message
2 * Copyright (C) 2001, 2003, 2004, 2007, 2008,
3 * 2010 Free Software Foundation, Inc.
4 * Copyright (C) 2001-2019 Werner Koch
5 * Copyright (C) 2015-2020 g10 Code GmbH
6 *
7 * This file is part of GnuPG.
8 *
9 * GnuPG is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
13 *
14 * GnuPG is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <https://www.gnu.org/licenses/>.
21 * SPDX-License-Identifier: GPL-3.0-or-later
22 */
23
24 #include <config.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <errno.h>
29 #include <unistd.h>
30 #include <time.h>
31
32 #include "gpgsm.h"
33 #include <gcrypt.h>
34 #include <ksba.h>
35
36 #include "keydb.h"
37 #include "../common/i18n.h"
38 #include "../common/compliance.h"
39
40
41 struct dek_s {
42 const char *algoid;
43 int algo;
44 gcry_cipher_hd_t chd;
45 char key[32];
46 int keylen;
47 char iv[32];
48 int ivlen;
49 };
50 typedef struct dek_s *DEK;
51
52
53 /* Callback parameters for the encryption. */
54 struct encrypt_cb_parm_s
55 {
56 estream_t fp;
57 DEK dek;
58 int eof_seen;
59 int ready;
60 int readerror;
61 int bufsize;
62 unsigned char *buffer;
63 int buflen;
64 };
65
66
67
68
69
70 /* Initialize the data encryption key (session key). */
71 static int
init_dek(DEK dek)72 init_dek (DEK dek)
73 {
74 int rc=0, mode, i;
75
76 dek->algo = gcry_cipher_map_name (dek->algoid);
77 mode = gcry_cipher_mode_from_oid (dek->algoid);
78 if (!dek->algo || !mode)
79 {
80 log_error ("unsupported algorithm '%s'\n", dek->algoid);
81 return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
82 }
83
84 /* Extra check for algorithms we consider to be too weak for
85 encryption, although we support them for decryption. Note that
86 there is another check below discriminating on the key length. */
87 switch (dek->algo)
88 {
89 case GCRY_CIPHER_DES:
90 case GCRY_CIPHER_RFC2268_40:
91 log_error ("cipher algorithm '%s' not allowed: too weak\n",
92 gnupg_cipher_algo_name (dek->algo));
93 return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
94 default:
95 break;
96 }
97
98 dek->keylen = gcry_cipher_get_algo_keylen (dek->algo);
99 if (!dek->keylen || dek->keylen > sizeof (dek->key))
100 return gpg_error (GPG_ERR_BUG);
101
102 dek->ivlen = gcry_cipher_get_algo_blklen (dek->algo);
103 if (!dek->ivlen || dek->ivlen > sizeof (dek->iv))
104 return gpg_error (GPG_ERR_BUG);
105
106 /* Make sure we don't use weak keys. */
107 if (dek->keylen < 100/8)
108 {
109 log_error ("key length of '%s' too small\n", dek->algoid);
110 return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
111 }
112
113 rc = gcry_cipher_open (&dek->chd, dek->algo, mode, GCRY_CIPHER_SECURE);
114 if (rc)
115 {
116 log_error ("failed to create cipher context: %s\n", gpg_strerror (rc));
117 return rc;
118 }
119
120 for (i=0; i < 8; i++)
121 {
122 gcry_randomize (dek->key, dek->keylen, GCRY_STRONG_RANDOM );
123 rc = gcry_cipher_setkey (dek->chd, dek->key, dek->keylen);
124 if (gpg_err_code (rc) != GPG_ERR_WEAK_KEY)
125 break;
126 log_info(_("weak key created - retrying\n") );
127 }
128 if (rc)
129 {
130 log_error ("failed to set the key: %s\n", gpg_strerror (rc));
131 gcry_cipher_close (dek->chd);
132 dek->chd = NULL;
133 return rc;
134 }
135
136 gcry_create_nonce (dek->iv, dek->ivlen);
137 rc = gcry_cipher_setiv (dek->chd, dek->iv, dek->ivlen);
138 if (rc)
139 {
140 log_error ("failed to set the IV: %s\n", gpg_strerror (rc));
141 gcry_cipher_close (dek->chd);
142 dek->chd = NULL;
143 return rc;
144 }
145
146 return 0;
147 }
148
149 /* Encode an RSA session key. */
150 static int
encode_session_key(DEK dek,gcry_sexp_t * r_data)151 encode_session_key (DEK dek, gcry_sexp_t * r_data)
152 {
153 gcry_sexp_t data;
154 char *p;
155 int rc;
156
157 p = xtrymalloc (64 + 2 * dek->keylen);
158 if (!p)
159 return gpg_error_from_syserror ();
160 strcpy (p, "(data\n (flags pkcs1)\n (value #");
161 bin2hex (dek->key, dek->keylen, p + strlen (p));
162 strcat (p, "#))\n");
163 rc = gcry_sexp_sscan (&data, NULL, p, strlen (p));
164 xfree (p);
165 *r_data = data;
166 return rc;
167 }
168
169
170 /* Encrypt DEK using ECDH. S_PKEY is the public key. On success the
171 * result is stored at R_ENCVAL. Example of a public key:
172 *
173 * (public-key (ecc (curve "1.3.132.0.34") (q #04B0[...]B8#)))
174 *
175 */
176 static gpg_error_t
ecdh_encrypt(DEK dek,gcry_sexp_t s_pkey,gcry_sexp_t * r_encval)177 ecdh_encrypt (DEK dek, gcry_sexp_t s_pkey, gcry_sexp_t *r_encval)
178 {
179 gpg_error_t err;
180 gcry_sexp_t l1;
181 char *curvebuf = NULL;
182 const char *curve;
183 unsigned int curvebits;
184 const char *encr_algo_str;
185 const char *wrap_algo_str;
186 int hash_algo, cipher_algo;
187 unsigned int keylen;
188 unsigned char key[32];
189 gcry_sexp_t s_data = NULL;
190 gcry_sexp_t s_encr = NULL;
191 gcry_buffer_t ioarray[2] = { {0}, {0} };
192 unsigned char *secret; /* Alias for ioarray[0]. */
193 unsigned int secretlen;
194 unsigned char *pubkey; /* Alias for ioarray[1]. */
195 unsigned int pubkeylen;
196 gcry_cipher_hd_t cipher_hd = NULL;
197 unsigned char *result = NULL;
198 unsigned int resultlen;
199
200 *r_encval = NULL;
201
202 /* Figure out the encryption and wrap algo OIDs. */
203 /* Get the curve name if any, */
204 l1 = gcry_sexp_find_token (s_pkey, "curve", 0);
205 if (l1)
206 {
207 curvebuf = gcry_sexp_nth_string (l1, 1);
208 gcry_sexp_release (l1);
209 }
210 if (!curvebuf)
211 {
212 err = gpg_error (GPG_ERR_INV_CURVE);
213 log_error ("%s: invalid public key: no curve\n", __func__);
214 goto leave;
215 }
216
217 /* We need to use our OpenPGP mapping to turn a curve name into its
218 * canonical numerical OID. We also use this to get the size of the
219 * curve which we need to figure out a suitable hash algo. We
220 * should have a Libgcrypt function to do this; see bug report #4926. */
221 curve = openpgp_curve_to_oid (curvebuf, &curvebits, NULL);
222 if (!curve)
223 {
224 err = gpg_error (GPG_ERR_UNKNOWN_CURVE);
225 log_error ("%s: invalid public key: %s\n", __func__, gpg_strerror (err));
226 goto leave;
227 }
228 xfree (curvebuf);
229 curvebuf = NULL;
230
231 /* Our mapping matches the recommended algorithms from RFC-5753 but
232 * not supporting the short curves which would require 3DES. */
233 if (curvebits < 255)
234 {
235 err = gpg_error (GPG_ERR_UNKNOWN_CURVE);
236 log_error ("%s: curve '%s' is not supported\n", __func__, curve);
237 goto leave;
238 }
239 else if (opt.force_ecdh_sha1kdf)
240 {
241 /* dhSinglePass-stdDH-sha1kdf-scheme */
242 encr_algo_str = "1.3.133.16.840.63.0.2";
243 wrap_algo_str = "2.16.840.1.101.3.4.1.45";
244 hash_algo = GCRY_MD_SHA1;
245 cipher_algo = GCRY_CIPHER_AES256;
246 keylen = 32;
247 }
248 else if (curvebits <= 256)
249 {
250 /* dhSinglePass-stdDH-sha256kdf-scheme */
251 encr_algo_str = "1.3.132.1.11.1";
252 wrap_algo_str = "2.16.840.1.101.3.4.1.5";
253 hash_algo = GCRY_MD_SHA256;
254 cipher_algo = GCRY_CIPHER_AES128;
255 keylen = 16;
256 }
257 else if (curvebits <= 384)
258 {
259 /* dhSinglePass-stdDH-sha384kdf-scheme */
260 encr_algo_str = "1.3.132.1.11.2";
261 wrap_algo_str = "2.16.840.1.101.3.4.1.25";
262 hash_algo = GCRY_MD_SHA384;
263 cipher_algo = GCRY_CIPHER_AES256;
264 keylen = 24;
265 }
266 else
267 {
268 /* dhSinglePass-stdDH-sha512kdf-scheme*/
269 encr_algo_str = "1.3.132.1.11.3";
270 wrap_algo_str = "2.16.840.1.101.3.4.1.45";
271 hash_algo = GCRY_MD_SHA512;
272 cipher_algo = GCRY_CIPHER_AES256;
273 keylen = 32;
274 }
275
276
277 /* Create a secret and an ephemeral key. */
278 {
279 char *k;
280 k = gcry_random_bytes_secure ((curvebits+7)/8, GCRY_STRONG_RANDOM);
281 if (DBG_CRYPTO)
282 log_printhex (k, (curvebits+7)/8, "ephm. k .:");
283 err = gcry_sexp_build (&s_data, NULL, "%b", (int)(curvebits+7)/8, k);
284 xfree (k);
285 }
286 if (err)
287 {
288 log_error ("%s: error building ephemeral secret: %s\n",
289 __func__, gpg_strerror (err));
290 goto leave;
291 }
292
293 err = gcry_pk_encrypt (&s_encr, s_data, s_pkey);
294 if (err)
295 {
296 log_error ("%s: error encrypting ephemeral secret: %s\n",
297 __func__, gpg_strerror (err));
298 goto leave;
299 }
300 err = gcry_sexp_extract_param (s_encr, NULL, "&se",
301 &ioarray+0, ioarray+1, NULL);
302 if (err)
303 {
304 log_error ("%s: error extracting ephemeral key and secret: %s\n",
305 __func__, gpg_strerror (err));
306 goto leave;
307 }
308 secret = ioarray[0].data;
309 secretlen = ioarray[0].len;
310 pubkey = ioarray[1].data;
311 pubkeylen = ioarray[1].len;
312
313 if (DBG_CRYPTO)
314 {
315 log_printhex (pubkey, pubkeylen, "pubkey ..:");
316 log_printhex (secret, secretlen, "secret ..:");
317 }
318
319 /* Extract X coordinate from SECRET. */
320 if (secretlen < 5) /* 5 because N could be reduced to (n-1)/2. */
321 err = gpg_error (GPG_ERR_BAD_DATA);
322 else if (*secret == 0x04)
323 {
324 secretlen--;
325 memmove (secret, secret+1, secretlen);
326 if ((secretlen & 1))
327 {
328 err = gpg_error (GPG_ERR_BAD_DATA);
329 goto leave;
330 }
331 secretlen /= 2;
332 }
333 else if (*secret == 0x40 || *secret == 0x41)
334 {
335 secretlen--;
336 memmove (secret, secret+1, secretlen);
337 }
338 else
339 err = gpg_error (GPG_ERR_BAD_DATA);
340 if (err)
341 goto leave;
342
343 if (DBG_CRYPTO)
344 log_printhex (secret, secretlen, "ECDH X ..:");
345
346 err = ecdh_derive_kek (key, keylen, hash_algo, wrap_algo_str,
347 secret, secretlen, NULL, 0);
348 if (err)
349 goto leave;
350
351 if (DBG_CRYPTO)
352 log_printhex (key, keylen, "KEK .....:");
353
354 /* Wrap the key. */
355 if ((dek->keylen % 8) || dek->keylen < 16)
356 {
357 log_error ("%s: can't use a session key of %u bytes\n",
358 __func__, dek->keylen);
359 err = gpg_error (GPG_ERR_BAD_DATA);
360 goto leave;
361 }
362
363 resultlen = dek->keylen + 8;
364 result = xtrymalloc_secure (resultlen);
365 if (!result)
366 {
367 err = gpg_error_from_syserror ();
368 goto leave;
369 }
370
371 err = gcry_cipher_open (&cipher_hd, cipher_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
372 if (err)
373 {
374 log_error ("%s: failed to initialize AESWRAP: %s\n",
375 __func__, gpg_strerror (err));
376 goto leave;
377 }
378
379 err = gcry_cipher_setkey (cipher_hd, key, keylen);
380 wipememory (key, sizeof key);
381 if (err)
382 {
383 log_error ("%s: failed in gcry_cipher_setkey: %s\n",
384 __func__, gpg_strerror (err));
385 goto leave;
386 }
387
388 err = gcry_cipher_encrypt (cipher_hd, result, resultlen,
389 dek->key, dek->keylen);
390 if (err)
391 {
392 log_error ("%s: failed in gcry_cipher_encrypt: %s\n",
393 __func__, gpg_strerror (err));
394 goto leave;
395 }
396
397 if (DBG_CRYPTO)
398 log_printhex (result, resultlen, "w(CEK) ..:");
399
400 err = gcry_sexp_build (r_encval, NULL,
401 "(enc-val(ecdh(e%b)(s%b)(encr-algo%s)(wrap-algo%s)))",
402 (int)pubkeylen, pubkey,
403 (int)resultlen, result,
404 encr_algo_str,
405 wrap_algo_str,
406 NULL);
407 if (err)
408 log_error ("%s: failed building final S-exp: %s\n",
409 __func__, gpg_strerror (err));
410
411 leave:
412 gcry_cipher_close (cipher_hd);
413 wipememory (key, sizeof key);
414 xfree (result);
415 xfree (ioarray[0].data);
416 xfree (ioarray[1].data);
417 gcry_sexp_release (s_data);
418 gcry_sexp_release (s_encr);
419 xfree (curvebuf);
420 return err;
421 }
422
423
424 /* Encrypt the DEK under the key contained in CERT and return it as a
425 * canonical S-expressions at ENCVAL. PK_ALGO is the public key
426 * algorithm which the caller has already retrieved from CERT. */
427 static int
encrypt_dek(const DEK dek,ksba_cert_t cert,int pk_algo,unsigned char ** encval)428 encrypt_dek (const DEK dek, ksba_cert_t cert, int pk_algo,
429 unsigned char **encval)
430 {
431 gcry_sexp_t s_ciph, s_data, s_pkey;
432 int rc;
433 ksba_sexp_t buf;
434 size_t len;
435
436 *encval = NULL;
437
438 /* get the key from the cert */
439 buf = ksba_cert_get_public_key (cert);
440 if (!buf)
441 {
442 log_error ("no public key for recipient\n");
443 return gpg_error (GPG_ERR_NO_PUBKEY);
444 }
445 len = gcry_sexp_canon_len (buf, 0, NULL, NULL);
446 if (!len)
447 {
448 log_error ("libksba did not return a proper S-Exp\n");
449 return gpg_error (GPG_ERR_BUG);
450 }
451 rc = gcry_sexp_sscan (&s_pkey, NULL, (char*)buf, len);
452 xfree (buf); buf = NULL;
453 if (rc)
454 {
455 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
456 return rc;
457 }
458
459 if (DBG_CRYPTO)
460 {
461 log_printsexp (" pubkey:", s_pkey);
462 log_printhex (dek->key, dek->keylen, "CEK .....:");
463 }
464
465 /* Put the encoded cleartext into a simple list. */
466 s_data = NULL; /* (avoid compiler warning) */
467 if (pk_algo == GCRY_PK_ECC)
468 {
469 rc = ecdh_encrypt (dek, s_pkey, &s_ciph);
470 }
471 else
472 {
473 rc = encode_session_key (dek, &s_data);
474 if (rc)
475 {
476 gcry_sexp_release (s_pkey);
477 log_error ("encode_session_key failed: %s\n", gpg_strerror (rc));
478 return rc;
479 }
480 if (DBG_CRYPTO)
481 log_printsexp (" data:", s_data);
482
483 /* pass it to libgcrypt */
484 rc = gcry_pk_encrypt (&s_ciph, s_data, s_pkey);
485 }
486 gcry_sexp_release (s_data);
487 gcry_sexp_release (s_pkey);
488
489 if (DBG_CRYPTO)
490 log_printsexp ("enc-val:", s_ciph);
491
492 /* Reformat it. */
493 if (!rc)
494 {
495 rc = make_canon_sexp (s_ciph, encval, NULL);
496 gcry_sexp_release (s_ciph);
497 }
498 return rc;
499 }
500
501
502
503 /* do the actual encryption */
504 static int
encrypt_cb(void * cb_value,char * buffer,size_t count,size_t * nread)505 encrypt_cb (void *cb_value, char *buffer, size_t count, size_t *nread)
506 {
507 struct encrypt_cb_parm_s *parm = cb_value;
508 int blklen = parm->dek->ivlen;
509 unsigned char *p;
510 size_t n;
511
512 *nread = 0;
513 if (!buffer)
514 return -1; /* not supported */
515
516 if (parm->ready)
517 return -1;
518
519 if (count < blklen)
520 BUG ();
521
522 if (!parm->eof_seen)
523 { /* fillup the buffer */
524 p = parm->buffer;
525 for (n=parm->buflen; n < parm->bufsize; n++)
526 {
527 int c = es_getc (parm->fp);
528 if (c == EOF)
529 {
530 if (es_ferror (parm->fp))
531 {
532 parm->readerror = errno;
533 return -1;
534 }
535 parm->eof_seen = 1;
536 break;
537 }
538 p[n] = c;
539 }
540 parm->buflen = n;
541 }
542
543 n = parm->buflen < count? parm->buflen : count;
544 n = n/blklen * blklen;
545 if (n)
546 { /* encrypt the stuff */
547 gcry_cipher_encrypt (parm->dek->chd, buffer, n, parm->buffer, n);
548 *nread = n;
549 /* Who cares about cycles, take the easy way and shift the buffer */
550 parm->buflen -= n;
551 memmove (parm->buffer, parm->buffer+n, parm->buflen);
552 }
553 else if (parm->eof_seen)
554 { /* no complete block but eof: add padding */
555 /* fixme: we should try to do this also in the above code path */
556 int i, npad = blklen - (parm->buflen % blklen);
557 p = parm->buffer;
558 for (n=parm->buflen, i=0; n < parm->bufsize && i < npad; n++, i++)
559 p[n] = npad;
560 gcry_cipher_encrypt (parm->dek->chd, buffer, n, parm->buffer, n);
561 *nread = n;
562 parm->ready = 1;
563 }
564
565 return 0;
566 }
567
568
569
570
571 /* Perform an encrypt operation.
572
573 Encrypt the data received on DATA-FD and write it to OUT_FP. The
574 recipients are take from the certificate given in recplist; if this
575 is NULL it will be encrypted for a default recipient */
576 int
gpgsm_encrypt(ctrl_t ctrl,certlist_t recplist,int data_fd,estream_t out_fp)577 gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
578 {
579 int rc = 0;
580 gnupg_ksba_io_t b64writer = NULL;
581 gpg_error_t err;
582 ksba_writer_t writer;
583 ksba_reader_t reader = NULL;
584 ksba_cms_t cms = NULL;
585 ksba_stop_reason_t stopreason;
586 KEYDB_HANDLE kh = NULL;
587 struct encrypt_cb_parm_s encparm;
588 DEK dek = NULL;
589 int recpno;
590 estream_t data_fp = NULL;
591 certlist_t cl;
592 int count;
593 int compliant;
594
595 memset (&encparm, 0, sizeof encparm);
596
597 audit_set_type (ctrl->audit, AUDIT_TYPE_ENCRYPT);
598
599 /* Check that the certificate list is not empty and that at least
600 one certificate is not flagged as encrypt_to; i.e. is a real
601 recipient. */
602 for (cl = recplist; cl; cl = cl->next)
603 if (!cl->is_encrypt_to)
604 break;
605 if (!cl)
606 {
607 log_error(_("no valid recipients given\n"));
608 gpgsm_status (ctrl, STATUS_NO_RECP, "0");
609 audit_log_i (ctrl->audit, AUDIT_GOT_RECIPIENTS, 0);
610 rc = gpg_error (GPG_ERR_NO_PUBKEY);
611 goto leave;
612 }
613
614 for (count = 0, cl = recplist; cl; cl = cl->next)
615 count++;
616 audit_log_i (ctrl->audit, AUDIT_GOT_RECIPIENTS, count);
617
618 kh = keydb_new (ctrl);
619 if (!kh)
620 {
621 log_error (_("failed to allocate keyDB handle\n"));
622 rc = gpg_error (GPG_ERR_GENERAL);
623 goto leave;
624 }
625
626 /* Fixme: We should use the unlocked version of the es functions. */
627 data_fp = es_fdopen_nc (data_fd, "rb");
628 if (!data_fp)
629 {
630 rc = gpg_error_from_syserror ();
631 log_error ("fdopen() failed: %s\n", strerror (errno));
632 goto leave;
633 }
634
635 err = ksba_reader_new (&reader);
636 if (err)
637 rc = err;
638 if (!rc)
639 rc = ksba_reader_set_cb (reader, encrypt_cb, &encparm);
640 if (rc)
641 goto leave;
642
643 encparm.fp = data_fp;
644
645 ctrl->pem_name = "ENCRYPTED MESSAGE";
646 rc = gnupg_ksba_create_writer
647 (&b64writer, ((ctrl->create_pem? GNUPG_KSBA_IO_PEM : 0)
648 | (ctrl->create_base64? GNUPG_KSBA_IO_BASE64 : 0)),
649 ctrl->pem_name, out_fp, &writer);
650 if (rc)
651 {
652 log_error ("can't create writer: %s\n", gpg_strerror (rc));
653 goto leave;
654 }
655
656 err = ksba_cms_new (&cms);
657 if (err)
658 {
659 rc = err;
660 goto leave;
661 }
662
663 err = ksba_cms_set_reader_writer (cms, reader, writer);
664 if (err)
665 {
666 log_error ("ksba_cms_set_reader_writer failed: %s\n",
667 gpg_strerror (err));
668 rc = err;
669 goto leave;
670 }
671
672 audit_log (ctrl->audit, AUDIT_GOT_DATA);
673
674 /* We are going to create enveloped data with uninterpreted data as
675 inner content */
676 err = ksba_cms_set_content_type (cms, 0, KSBA_CT_ENVELOPED_DATA);
677 if (!err)
678 err = ksba_cms_set_content_type (cms, 1, KSBA_CT_DATA);
679 if (err)
680 {
681 log_error ("ksba_cms_set_content_type failed: %s\n",
682 gpg_strerror (err));
683 rc = err;
684 goto leave;
685 }
686
687 /* Check compliance. */
688 if (!gnupg_cipher_is_allowed
689 (opt.compliance, 1, gcry_cipher_map_name (opt.def_cipher_algoid),
690 gcry_cipher_mode_from_oid (opt.def_cipher_algoid)))
691 {
692 log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
693 opt.def_cipher_algoid,
694 gnupg_compliance_option_string (opt.compliance));
695 rc = gpg_error (GPG_ERR_CIPHER_ALGO);
696 goto leave;
697 }
698
699 if (!gnupg_rng_is_compliant (opt.compliance))
700 {
701 rc = gpg_error (GPG_ERR_FORBIDDEN);
702 log_error (_("%s is not compliant with %s mode\n"),
703 "RNG",
704 gnupg_compliance_option_string (opt.compliance));
705 gpgsm_status_with_error (ctrl, STATUS_ERROR,
706 "random-compliance", rc);
707 goto leave;
708 }
709
710 /* Create a session key */
711 dek = xtrycalloc_secure (1, sizeof *dek);
712 if (!dek)
713 rc = out_of_core ();
714 else
715 {
716 dek->algoid = opt.def_cipher_algoid;
717 rc = init_dek (dek);
718 }
719 if (rc)
720 {
721 log_error ("failed to create the session key: %s\n",
722 gpg_strerror (rc));
723 goto leave;
724 }
725
726 err = ksba_cms_set_content_enc_algo (cms, dek->algoid, dek->iv, dek->ivlen);
727 if (err)
728 {
729 log_error ("ksba_cms_set_content_enc_algo failed: %s\n",
730 gpg_strerror (err));
731 rc = err;
732 goto leave;
733 }
734
735 encparm.dek = dek;
736 /* Use a ~8k (AES) or ~4k (3DES) buffer */
737 encparm.bufsize = 500 * dek->ivlen;
738 encparm.buffer = xtrymalloc (encparm.bufsize);
739 if (!encparm.buffer)
740 {
741 rc = out_of_core ();
742 goto leave;
743 }
744
745 audit_log_s (ctrl->audit, AUDIT_SESSION_KEY, dek->algoid);
746
747 compliant = gnupg_cipher_is_compliant (CO_DE_VS, dek->algo,
748 GCRY_CIPHER_MODE_CBC);
749
750 /* Gather certificates of recipients, encrypt the session key for
751 each and store them in the CMS object */
752 for (recpno = 0, cl = recplist; cl; recpno++, cl = cl->next)
753 {
754 unsigned char *encval;
755 unsigned int nbits;
756 int pk_algo;
757
758 /* Check compliance. */
759 pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
760 if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0,
761 NULL, nbits, NULL))
762 {
763 char kidstr[10+1];
764
765 snprintf (kidstr, sizeof kidstr, "0x%08lX",
766 gpgsm_get_short_fingerprint (cl->cert, NULL));
767 log_info (_("WARNING: key %s is not suitable for encryption"
768 " in %s mode\n"),
769 kidstr,
770 gnupg_compliance_option_string (opt.compliance));
771 }
772
773 /* Fixme: When adding ECC we need to provide the curvename and
774 * the key to gnupg_pk_is_compliant. */
775 if (compliant
776 && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, NULL))
777 compliant = 0;
778
779 rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);
780 if (rc)
781 {
782 audit_log_cert (ctrl->audit, AUDIT_ENCRYPTED_TO, cl->cert, rc);
783 log_error ("encryption failed for recipient no. %d: %s\n",
784 recpno, gpg_strerror (rc));
785 goto leave;
786 }
787
788 err = ksba_cms_add_recipient (cms, cl->cert);
789 if (err)
790 {
791 audit_log_cert (ctrl->audit, AUDIT_ENCRYPTED_TO, cl->cert, err);
792 log_error ("ksba_cms_add_recipient failed: %s\n",
793 gpg_strerror (err));
794 rc = err;
795 xfree (encval);
796 goto leave;
797 }
798
799 err = ksba_cms_set_enc_val (cms, recpno, encval);
800 xfree (encval);
801 audit_log_cert (ctrl->audit, AUDIT_ENCRYPTED_TO, cl->cert, err);
802 if (err)
803 {
804 log_error ("ksba_cms_set_enc_val failed: %s\n",
805 gpg_strerror (err));
806 rc = err;
807 goto leave;
808 }
809 }
810
811 if (compliant && gnupg_gcrypt_is_compliant (CO_DE_VS))
812 gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE,
813 gnupg_status_compliance_flag (CO_DE_VS));
814
815 /* Main control loop for encryption. */
816 recpno = 0;
817 do
818 {
819 err = ksba_cms_build (cms, &stopreason);
820 if (err)
821 {
822 log_debug ("ksba_cms_build failed: %s\n", gpg_strerror (err));
823 rc = err;
824 goto leave;
825 }
826 }
827 while (stopreason != KSBA_SR_READY);
828
829 if (encparm.readerror)
830 {
831 log_error ("error reading input: %s\n", strerror (encparm.readerror));
832 rc = gpg_error (gpg_err_code_from_errno (encparm.readerror));
833 goto leave;
834 }
835
836
837 rc = gnupg_ksba_finish_writer (b64writer);
838 if (rc)
839 {
840 log_error ("write failed: %s\n", gpg_strerror (rc));
841 goto leave;
842 }
843 audit_log (ctrl->audit, AUDIT_ENCRYPTION_DONE);
844 if (!opt.quiet)
845 log_info ("encrypted data created\n");
846
847 leave:
848 ksba_cms_release (cms);
849 gnupg_ksba_destroy_writer (b64writer);
850 ksba_reader_release (reader);
851 keydb_release (kh);
852 xfree (dek);
853 es_fclose (data_fp);
854 xfree (encparm.buffer);
855 return rc;
856 }
857