diff options
| author | Werner Koch <[email protected]> | 2016-04-12 12:37:26 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2016-04-12 12:38:44 +0000 |
| commit | 4159567f7ed7a1139fdc3a6c92988e1648ad84ab (patch) | |
| tree | 8a5261826bcbd8252763d9ae5724a53ffb9f6cfe /agent/protect-tool.c | |
| parent | doc: Note that the persistant passphrase format is unimplemented. (diff) | |
| download | gnupg-4159567f7ed7a1139fdc3a6c92988e1648ad84ab.tar.gz gnupg-4159567f7ed7a1139fdc3a6c92988e1648ad84ab.zip | |
agent: Implement new protection mode openpgp-s2k3-ocb-aes.
* agent/protect.c (agent_protect): Add arg use_ocb. Change all caller
to pass -1 for default.
* agent/protect-tool.c: New option --debug-use-ocb.
(oDebugUseOCB): New.
(opt_debug_use_ocb): New.
(main): Set option.
(read_and_protect): Implement option.
* agent/protect.c (OCB_MODE_SUPPORTED): New macro.
(PROT_DEFAULT_TO_OCB): New macro.
(do_encryption): Add args use_ocb, hashbegin, hashlen, timestamp_exp,
and timestamp_exp_len. Implement OCB.
(agent_protect): Change to support OCB.
(do_decryption): Add new args is_ocb, aadhole_begin, and aadhole_len.
Implement OCB.
(merge_lists): Allow NULL for sha1hash.
(agent_unprotect): Change to support OCB.
(agent_private_key_type): Remove debug output.
--
Instead of using the old OpenPGP way of appending a hash of the
plaintext and encrypt that along with the plaintext, the new scheme
uses a proper authenticated encryption mode. See keyformat.txt for a
description. Libgcrypt 1.7 is required.
This mode is not yet enabled because there would be no way to return
to an older GnuPG version. To test the new scheme use
gpg-protect-tool:
./gpg-protect-tool -av -P abc -p --debug-use-ocb <plain.key >prot.key
./gpg-protect-tool -av -P abc -u <prot.key
Any key from the private key storage should work.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'agent/protect-tool.c')
| -rw-r--r-- | agent/protect-tool.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/agent/protect-tool.c b/agent/protect-tool.c index 03dbda939..1871ac7af 100644 --- a/agent/protect-tool.c +++ b/agent/protect-tool.c @@ -69,6 +69,7 @@ enum cmd_and_opt_values oHomedir, oPrompt, oStatusMsg, + oDebugUseOCB, oAgentProgram }; @@ -96,6 +97,7 @@ static const char *opt_passphrase; static char *opt_prompt; static int opt_status_msg; static const char *opt_agent_program; +static int opt_debug_use_ocb; static char *get_passphrase (int promptno); static void release_passphrase (char *pw); @@ -132,6 +134,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_s (oAgentProgram, "agent-program", "@"), + ARGPARSE_s_n (oDebugUseOCB, "debug-use-ocb", "@"), /* For hacking only. */ + ARGPARSE_end () }; @@ -333,7 +337,8 @@ read_and_protect (const char *fname) return; pw = get_passphrase (1); - rc = agent_protect (key, pw, &result, &resultlen, 0); + rc = agent_protect (key, pw, &result, &resultlen, 0, + opt_debug_use_ocb? 1 : -1); release_passphrase (pw); xfree (key); if (rc) @@ -598,6 +603,7 @@ main (int argc, char **argv ) case oHaveCert: opt_have_cert = 1; break; case oPrompt: opt_prompt = pargs.r.ret_str; break; case oStatusMsg: opt_status_msg = 1; break; + case oDebugUseOCB: opt_debug_use_ocb = 1; break; default: pargs.err = ARGPARSE_PRINT_ERROR; break; } |