bcb4e51a409d94ae670de96afb8483a4f7855294Stephan Bosch/* Copyright (c) 2016-2018 Dovecot authors, see the included COPYING file */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi i_stream_decrypt_get_key_callback_t *key_callback;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi unsigned char *iv; /* original iv, in case seeking is done, future feature */
ebd1c50bc43e08ee0a05ad68c7d48497a1563fabMartti Rannanjärvienum decrypt_istream_format i_stream_encrypt_get_format(const struct istream *input)
ebd1c50bc43e08ee0a05ad68c7d48497a1563fabMartti Rannanjärvi return ((const struct decrypt_istream*)input->real_stream)->format;
ebd1c50bc43e08ee0a05ad68c7d48497a1563fabMartti Rannanjärvienum io_stream_encrypt_flags i_stream_encrypt_get_flags(const struct istream *input)
ebd1c50bc43e08ee0a05ad68c7d48497a1563fabMartti Rannanjärvi return ((const struct decrypt_istream*)input->real_stream)->flags;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomissize_t i_stream_decrypt_read_header_v1(struct decrypt_istream *stream,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const unsigned char *digest_pos = NULL, *key_digest_pos = NULL, *key_ct_pos = NULL;
b9e830a81455faf3c0dadfc9dbf0c7dc8aca955cJosef 'Jeff' Sipek keydata_len = be16_to_cpu_unaligned(data);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* try to read more */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi switch(i++) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi buffer_create_from_const_data(&ephemeral_key, data, len);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* public key id */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* encryption key digest */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* encrypted key data */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (i < 4) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Invalid or corrupted header");
aefadb693342d9a2cba15e252f0368e47e9a59ebTimo Sirainen /* was it consumed? */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* we don't have a private key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* see if we can get one */
269a38b5e60ad8698d6ea56e4a500be2f2486795Aki Tuomi const char *key_id = binary_to_hex(digest_pos, digest_len);
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek int ret = stream->key_callback(key_id, &stream->priv_key, &error, stream->key_context);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Private key not available: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (ret == 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Private key not available");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Private key not available");
8d0e0f098348baa17b165f694e37c518b546b857Aki Tuomi if (!dcrypt_key_id_private_old(stream->priv_key, check, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Cannot get public key hash: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (memcmp(digest_pos, check->data, I_MIN(digest_len,check->used)) != 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Private key not available");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* derive shared secret */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ecdh_derive_secret_local(stream->priv_key, &ephemeral_key, secret, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Cannot perform ECDH: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* run it thru SHA256 once */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const struct hash_method *hash = &hash_method_sha256;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* NB! The old code was broken and used this kind of IV - it is not correct, but
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi we need to stay compatible with old data */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* use it to decrypt the actual encryption key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ctx_sym_create("aes-256-ctr", DCRYPT_MODE_DECRYPT, &dctx, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_iv(dctx, (const unsigned char*)"\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0", 16);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_key(dctx, hres, hash->digest_size);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi !dcrypt_ctx_sym_update(dctx, key_ct_pos, key_ct_len, key, &error) ||
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (ec != 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* see if we got the correct key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: invalid digest length");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (memcmp(hres, key_digest_pos, sizeof(hres)) != 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: decrypted key is invalid");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* prime context with key */
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek if (!dcrypt_ctx_sym_create("aes-256-ctr", DCRYPT_MODE_DECRYPT, &stream->ctx_sym, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption context create error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* Again, old code used this IV, so we have to use it too */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_iv(stream->ctx_sym, (const unsigned char*)"\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0", 16);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_key(stream->ctx_sym, key->data, key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(key, 0), 0, key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ctx_sym_init(stream->ctx_sym, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption init error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* now we are ready to decrypt stream */
a84b413ef72378bbe235a13846fe6a84899eaedcTimo Sirainen return sizeof(IOSTREAM_CRYPT_MAGIC) + 1 + 2 + keydata_len;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomistatic bool get_msb32(const unsigned char **_data, const unsigned char *end, uint32_t *num_r)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomibool i_stream_decrypt_der(const unsigned char **_data,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* get us DER encoded length */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* two byte length */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomissize_t i_stream_decrypt_key(struct decrypt_istream *stream, const char *malg, unsigned int rounds,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const unsigned char *data, const unsigned char *end, buffer_t *key, size_t key_len)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* if we have a key, prefab the digest */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: no private key available");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi buffer_create_from_data(&buf, dgst, sizeof(dgst));
2223b7a4487cf641876f2713a0638133270fa1d2Aki Tuomi if (!dcrypt_key_id_private(stream->priv_key, "sha256", &buf,
2223b7a4487cf641876f2713a0638133270fa1d2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: "
2223b7a4487cf641876f2713a0638133270fa1d2Aki Tuomi "dcrypt_key_id_private failed: %s",
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* for each key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((size_t)(end-data) < 1 + (ssize_t)sizeof(dgst))
269a38b5e60ad8698d6ea56e4a500be2f2486795Aki Tuomi const char *hexdgst = binary_to_hex(data, sizeof(dgst)); /* digest length */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* hope you going to give us right key.. */
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek int ret = stream->key_callback(hexdgst, &stream->priv_key, &error, stream->key_context);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Private key not available: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* see if key matches to the one we have */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* wasn't correct key, skip over some data */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* didn't find matching key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: no private key available");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read ephemeral key (can be missing for RSA) */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!get_msb32(&data, end, &ep_key_len) || (size_t)(end-data) < ep_key_len)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read encrypted key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!get_msb32(&data, end, &eklen) || (size_t)(end-data) < eklen)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read key data hash */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!get_msb32(&data, end, &ekhash_len) || (size_t)(end-data) < ekhash_len)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* decrypt the seed */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_rsa_decrypt(stream->priv_key, encrypted_key, eklen, key, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "key decryption error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* perform ECDHE */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi buffer_create_from_const_data(&peer_key, ephemeral_key, ep_key_len);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ecdh_derive_secret_local(stream->priv_key, &peer_key, secret, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: corrupted header");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* use shared secret and peer key to generate decryption key, AES-256-CBC has 32 byte key and 16 byte IV */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_pbkdf2(secret->data, secret->used, peer_key.data, peer_key.used,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Cannot perform key decryption: invalid temporary key");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ctx_sym_create("AES-256-CBC", DCRYPT_MODE_DECRYPT, &dctx, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* we use ephemeral_key for IV */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi !dcrypt_ctx_sym_update(dctx, encrypted_key, eklen, key, &error) ||
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Cannot perform key decryption: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Cannot perform key decryption: invalid key length");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: unsupported key type 0x%02x", ktype);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* make sure we were able to decrypt the encrypted key correctly */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi const struct hash_method *hash = hash_method_lookup(t_str_lcase(malg));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(key, 0), 0, key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: unsupported hash algorithm: %s", malg);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* do the comparison */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (memcmp(ekhash, hres, I_MIN(ekhash_len, sizeof(hres))) != 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(key, 0), 0, key->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: corrupted header ekhash");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomiint i_stream_decrypt_header_contents(struct decrypt_istream *stream,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read cipher OID */
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek if (calg == NULL || !dcrypt_ctx_sym_create(calg, DCRYPT_MODE_DECRYPT, &stream->ctx_sym, NULL)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: unsupported/invalid cipher: %s", calg);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read MAC oid (MAC is used for PBKDF2 and key data digest, too) */
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek if (malg == NULL || !dcrypt_ctx_hmac_create(malg, &stream->ctx_mac, NULL)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: unsupported/invalid MAC algorithm: %s", malg);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read rounds (for PBKDF2) */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read key data length */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((stream->flags & IO_STREAM_ENC_INTEGRITY_HMAC) == IO_STREAM_ENC_INTEGRITY_HMAC) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi } else if ((stream->flags & IO_STREAM_ENC_INTEGRITY_AEAD) == IO_STREAM_ENC_INTEGRITY_AEAD) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* how much key data we should be getting */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi size_t kl = dcrypt_ctx_sym_get_key_length(stream->ctx_sym) + dcrypt_ctx_sym_get_iv_length(stream->ctx_sym) + tagsize;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* try to decrypt the keydata with a private key */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((ret = i_stream_decrypt_key(stream, malg, rounds, data, end, keydata, kl)) <= 0)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* oh, it worked! */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* but returned wrong amount of data */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Key decryption error: Key data length mismatch");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* prime contexts */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_key(stream->ctx_sym, ptr, dcrypt_ctx_sym_get_key_length(stream->ctx_sym));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ptr += dcrypt_ctx_sym_get_key_length(stream->ctx_sym);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_iv(stream->ctx_sym, ptr, dcrypt_ctx_sym_get_iv_length(stream->ctx_sym));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi stream->iv = i_malloc(dcrypt_ctx_sym_get_iv_length(stream->ctx_sym));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi memcpy(stream->iv, ptr, dcrypt_ctx_sym_get_iv_length(stream->ctx_sym));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi ptr += dcrypt_ctx_sym_get_iv_length(stream->ctx_sym);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* based on the chosen MAC, initialize HMAC or AEAD */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((stream->flags & IO_STREAM_ENC_INTEGRITY_HMAC) == IO_STREAM_ENC_INTEGRITY_HMAC) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_hmac_set_key(stream->ctx_mac, ptr, tagsize);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ctx_hmac_init(stream->ctx_mac, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "MAC error: %s", error);
1ec1404c0133d1d26a0477a50189de54fcf79725Timo Sirainen stream->istream.istream.stream_errno = EINVAL;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi stream->ftr = dcrypt_ctx_hmac_get_digest_length(stream->ctx_mac);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi } else if ((stream->flags & IO_STREAM_ENC_INTEGRITY_AEAD) == IO_STREAM_ENC_INTEGRITY_AEAD) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_aad(stream->ctx_sym, ptr, tagsize);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* destroy private key data */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi safe_memset(buffer_get_modifiable_data(keydata, 0), 0, keydata->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomissize_t i_stream_decrypt_read_header(struct decrypt_istream *stream,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* check magic */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (memcmp(data, IOSTREAM_CRYPT_MAGIC, sizeof(IOSTREAM_CRYPT_MAGIC)) != 0) {
0835df7f2caae9d276551eeb66eebc5f5d6cc6edTimo Sirainen io_stream_set_error(&stream->istream.iostream, "Stream is not encrypted (invalid magic)");
1ec1404c0133d1d26a0477a50189de54fcf79725Timo Sirainen stream->istream.istream.stream_errno = EINVAL;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi return 0; /* read more? */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* check version */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi return i_stream_decrypt_read_header_v1(stream, data+1, end - (data+1));
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Unsupported encrypted data 0x%02x", *data);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* read flags */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* get the total length of header */
7a71f2326280fb300f7c45d1ba5b30af3db37f2cAki Tuomi /* do not forget stream format */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((ret = i_stream_decrypt_header_contents(stream, data, hdr_len)) < 0)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi else if (ret == 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption error: truncate header length");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* if it all went well, try to initialize decryption context */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ctx_sym_init(stream->ctx_sym, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&stream->istream.iostream, "Decryption init error: %s", error);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomii_stream_decrypt_read(struct istream_private *stream)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* not if it's broken */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* remove skipped data from buffer */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (stream->pos >= dstream->istream.max_buffer_size) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* stream buffer still at maximum */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* if something is already decrypted, return as much of it as
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi if (dstream->initialized && dstream->buf->used > 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* only return up to max_buffer_size bytes, even when buffer
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi actually has more, as not to confuse the caller */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (dstream->buf->used <= dstream->istream.max_buffer_size) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* all data decrypted */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* need to read more input */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (ret == -1 && (size == 0 || stream->parent->stream_errno != 0)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi stream->istream.stream_errno = stream->parent->stream_errno;
7a71f2326280fb300f7c45d1ba5b30af3db37f2cAki Tuomi /* file was empty */
7a71f2326280fb300f7c45d1ba5b30af3db37f2cAki Tuomi if (!dstream->initialized && size == 0 && stream->parent->eof) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi "Decryption error: %s",
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi "Input truncated in decryption header");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* final block */
b99357fa1952863bbea761ff7ff3b8ca0f07702fTimo Sirainen if ((hret=i_stream_decrypt_read_header(dstream, data, size)) <= 0) {
43ca8bce8a4c4c7acd970b56b567c0edeee91029Aki Tuomi /* assume temporary failure */
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi /* not encrypted by us */
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi "Truncated header");
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi /* see if we can get more data */
8a2f21f2b03878918333efac486f99e4fa0ecce2Timo Sirainen "Header too large (more than %"PRIuSIZE_T" bytes)", size);
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi /* clean up buffer */
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi safe_memset(buffer_get_modifiable_data(dstream->buf, 0), 0, dstream->buf->used);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi "Decryption error: footer is longer than data");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi /* ignore footer's length of data until we
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi reach EOF */
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((dstream->flags & IO_STREAM_ENC_INTEGRITY_HMAC) == IO_STREAM_ENC_INTEGRITY_HMAC) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if ((dstream->flags & IO_STREAM_ENC_INTEGRITY_HMAC) == IO_STREAM_ENC_INTEGRITY_HMAC) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi unsigned char dgst[dcrypt_ctx_hmac_get_digest_length(dstream->ctx_mac)];
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (!dcrypt_ctx_hmac_final(dstream->ctx_mac, &db, &error)) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (memcmp(dgst, data + decrypt_size, dcrypt_ctx_hmac_get_digest_length(dstream->ctx_mac)) != 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi "Cannot verify MAC: mismatch");
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi } else if ((dstream->flags & IO_STREAM_ENC_INTEGRITY_AEAD) == IO_STREAM_ENC_INTEGRITY_AEAD) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dcrypt_ctx_sym_set_tag(dstream->ctx_sym, data + decrypt_size, dstream->ftr);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomivoid i_stream_decrypt_close(struct iostream_private *stream,
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomivoid i_stream_decrypt_destroy(struct iostream_private *stream)
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek dcrypt_ctx_sym_destroy(&dstream->ctx_sym);
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek dcrypt_ctx_hmac_destroy(&dstream->ctx_mac);
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek dcrypt_key_unref_private(&dstream->priv_key);
c5e46dba179864f6f1adf196d46e7a0371b11914Josef 'Jeff' Sipek i_stream_unref(&dstream->istream.parent);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomistruct decrypt_istream *i_stream_create_decrypt_common(struct istream *input)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dstream->istream.max_buffer_size = input->real_stream->max_buffer_size;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dstream->istream.iostream.close = i_stream_decrypt_close;
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi dstream->istream.iostream.destroy = i_stream_decrypt_destroy;
4930d4fef187428f74827d7e47331beb5cc4e39dTimo Sirainen dstream->istream.istream.blocking = input->blocking;
dd49f993330ae7cd357ddb01747ea7a8db62d90bAki Tuomi dstream->buf = buffer_create_dynamic(default_pool, 512);
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomii_stream_create_decrypt(struct istream *input, struct dcrypt_private_key *priv_key)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomii_stream_create_sym_decrypt(struct istream *input, struct dcrypt_context_symmetric *ctx)
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi if (ec != 0) {
316cbe323513a0f20d1cf519fe9405e231d633e2Aki Tuomi io_stream_set_error(&dstream->istream.iostream, "Cannot initialize decryption: %s", error);