From 4159567f7ed7a1139fdc3a6c92988e1648ad84ab Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 12 Apr 2016 14:37:26 +0200 Subject: agent: Implement new protection mode openpgp-s2k3-ocb-aes. * agent/protect.c (agent_protect): Add arg use_ocb. Change all caller to pass -1 for default. * agent/protect-tool.c: New option --debug-use-ocb. (oDebugUseOCB): New. (opt_debug_use_ocb): New. (main): Set option. (read_and_protect): Implement option. * agent/protect.c (OCB_MODE_SUPPORTED): New macro. (PROT_DEFAULT_TO_OCB): New macro. (do_encryption): Add args use_ocb, hashbegin, hashlen, timestamp_exp, and timestamp_exp_len. Implement OCB. (agent_protect): Change to support OCB. (do_decryption): Add new args is_ocb, aadhole_begin, and aadhole_len. Implement OCB. (merge_lists): Allow NULL for sha1hash. (agent_unprotect): Change to support OCB. (agent_private_key_type): Remove debug output. -- Instead of using the old OpenPGP way of appending a hash of the plaintext and encrypt that along with the plaintext, the new scheme uses a proper authenticated encryption mode. See keyformat.txt for a description. Libgcrypt 1.7 is required. This mode is not yet enabled because there would be no way to return to an older GnuPG version. To test the new scheme use gpg-protect-tool: ./gpg-protect-tool -av -P abc -p --debug-use-ocb prot.key ./gpg-protect-tool -av -P abc -u --- agent/command-ssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'agent/command-ssh.c') diff --git a/agent/command-ssh.c b/agent/command-ssh.c index 6e809f63d..0e1d9fc9f 100644 --- a/agent/command-ssh.c +++ b/agent/command-ssh.c @@ -3125,7 +3125,7 @@ ssh_key_to_protected_buffer (gcry_sexp_t key, const char *passphrase, gcry_sexp_sprint (key, GCRYSEXP_FMT_CANON, buffer_new, buffer_new_n); /* FIXME: guarantee? */ - err = agent_protect (buffer_new, passphrase, buffer, buffer_n, 0); + err = agent_protect (buffer_new, passphrase, buffer, buffer_n, 0, -1); out: -- cgit v1.2.3