decrypt.c revision c197cb9db36685d2808c057fdbe5700734483ab2
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/* Portions Copyright 2005 Richard Lowe */
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
*
* Implements encrypt(1) and decrypt(1) commands
*
*
* usage:
*
* algorithm - mechanism name without CKM_ prefix. Case
* does not matter
* keyfile - file containing key data. If not specified user is
* prompted to enter key. key length > 0 is required
* if infile & outfile are same, a temp file is used for
* output and infile is replaced with this file after
* operation is complete.
*
* Implementation notes:
* iv data - It is generated by random bytes equal to one block size.
*
* encrypted output format -
* - Output format version number - 4 bytes in network byte order.
* - Iterations used in key gen function, 4 bytes in network byte order.
* - IV ( 'ivlen' bytes)
* - Salt data used in key gen (16 bytes)
* - cipher text data.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
#include <strings.h>
#include <libintl.h>
#include <libgen.h>
#include <locale.h>
#include <limits.h>
#include <security/cryptoki.h>
#include <cryptoutil.h>
#include <kmfapi.h>
#define PBKD2_ITERATIONS (1000)
#define PBKD2_SALT_SIZE 16
#define SUNW_ENCRYPT_FILE_VERSION 1
/*
* Exit Status codes
*/
#ifndef EXIT_SUCCESS
#define EXIT_SUCCESS 0 /* No errors */
#endif /* EXIT_SUCCESS */
#define DEFAULT_TOKEN_PROMPT "Enter PIN for %s: "
#define PK_DEFAULT_PK11TOKEN SOFT_TOKEN_LABEL
/*
* command
*/
struct CommandInfo {
char *name; /* name of the command */
char *options; /* command line options */
/* function pointers for various operations */
};
static struct CommandInfo encrypt_cmd = {
};
static struct CommandInfo decrypt_cmd = {
};
struct mech_alias {
char *alias;
int keysize_unit;
int ivlen;
};
#define MECH_ALIASES_COUNT 4
static struct mech_alias mech_aliases[] = {
};
static char *token_label = NULL;
static int status_pos = 0; /* current position of progress bar element */
/*
* function prototypes
*/
int
{
extern char *optarg;
extern int optind;
char *optstr;
char c; /* current getopts flag */
struct CommandInfo *cmd;
char *cmdname; /* name of command */
#if !defined(TEXT_DOMAIN) /* Should be defiend by cc -D */
#endif
(void) textdomain(TEXT_DOMAIN);
/*
* Based on command name, determine
* type of command.
*/
cmd = &encrypt_cmd;
cmd = &decrypt_cmd;
} else {
"command name must be either encrypt or decrypt"));
}
/* Parse command line arguments */
switch (c) {
case 'a':
break;
case 'k':
break;
case 'T':
break;
case 'K':
break;
case 'i':
break;
case 'o':
outputfile = optarg;
break;
case 'l':
break;
case 'v':
break;
default:
}
}
}
}
/*
* usage message
*/
static void
{
"[-v] [-k <keyfile> | -K <keylabel> [-T <tokenspec>]] "
"[-i <infile>] [-o <outfile>]\n"));
} else {
"[-v] [-k <keyfile> | -K <keylabel> [-T <tokenspec>]] "
"[-i <infile>] [-o <outfile>]\n"));
}
}
/*
* Print out list of algorithms in default and verbose mode
*/
static void
{
int mech;
"------------------------------------------\n"));
continue;
(void) printf(" %5lu %5lu\n",
else
(void) printf("\n");
}
}
static CK_RV
{
int attrs = 0;
attrs++;
attrs++;
attrs++;
if (keylen > 0) {
attrs++;
}
params.ulPrfDataLen = 0;
return (rv);
}
/*
* This function will login into the token with the provided password and
* find the token key object with the specified keytype and keylabel.
*/
static int
{
CK_BBOOL true = 1;
int i;
return (-1);
}
i = 0;
i++;
i++;
i++;
i++;
pTmpl[i].ulValueLen = sizeof (true);
i++;
goto out;
}
(void) C_FindObjectsFinal(hSession);
out:
"Cannot retrieve key object. error = %s\n",
return (-1);
}
if (key_obj_count == 0) {
return (-1);
}
return (0);
}
/*
* Execute the command.
* cmd - command pointing to type of operation.
* algo_str - alias of the algorithm passed.
*/
static int
{
int status;
int infd = 0; /* input file, stdin default */
char *outfilename = NULL;
int mech_match = 0;
int version = SUNW_ENCRYPT_FILE_VERSION;
if (aflag) {
/* Determine if algorithm is valid */
mech_match++) {
break;
}
}
if (mech_match == MECH_ALIASES_COUNT) {
return (EXIT_FAILURE);
}
/*
* Process keyfile or get the token pin if -K is specified.
*
* If a keyfile is provided, get the key data from
* the file. Otherwise, prompt for a passphrase. The
* passphrase is used as the key data.
*/
if (Kflag) {
/* get the pin of the token */
}
&keysize);
} else if (kflag) {
/* get the key file */
} else {
/* get the key from input */
}
gettext("invalid key."));
return (EXIT_FAILURE);
}
}
/* Initialize pkcs */
goto cleanup;
}
/* Get slot count */
"failed to find any cryptographic provider,"
"please check with your system administrator: %s"),
goto cleanup;
}
/* Found at least one slot, allocate memory for slot list */
goto cleanup;
}
/* Get the list of slots */
"failed to find any cryptographic provider,"
"please check with your system administrator: %s"),
goto cleanup;
}
if (lflag) {
/* Iterate through slots */
/* Iterate through each mechanism */
continue;
/*
* the values available are not 0.
*/
}
}
goto cleanup;
}
/*
* Find a slot with matching mechanism
*
* If -K is specified, we find the slot id for the token first, then
* check if the slot supports the algorithm.
*/
i = 0;
if (Kflag) {
gettext("no matching PKCS#11 token"));
goto cleanup;
}
else
i = slotcount;
} else {
for (i = 0; i < slotcount; i++) {
continue; /* to the next slot */
} else {
/*
* If the slot support the crypto, also
* make sure it supports the correct
* key generation mech if needed.
*
* We need PKCS5 when RC4 is used or
* when the key is entered on cmd line.
*/
break;
break;
}
}
}
}
/* Show error if no matching mechanism found */
if (i == slotcount) {
gettext("no cryptographic provider was "
"found for this algorithm -- %s"), algo_str);
goto cleanup;
}
/* Open a session */
gettext("can not open PKCS #11 session: %s"),
goto cleanup;
}
/*
* Generate IV data for encrypt.
*/
goto cleanup;
}
if ((get_random_data(pivbuf,
"Unable to generate random "
"data for initialization vector."));
goto cleanup;
}
}
/*
* Create the key object
*/
gettext("unable to find key type for algorithm."));
goto cleanup;
}
/* Open input file */
if (iflag) {
"can not open input file %s"), inputfile);
goto cleanup;
}
/* Get info on input file */
"can not stat input file %s"), inputfile);
goto cleanup;
}
}
/*
* Prepare output file
* If the input & output file are same,
* the output is written to a temp
* file first, then renamed to the original file
* after the crypt operation
*/
if (oflag) {
char *dir;
/* create temp file on same dir */
"%s/encrXXXXXX", dir);
"cannot create temp file"));
goto cleanup;
}
} else {
/* Create file for output */
0644)) == -1) {
"cannot open output file %s"),
goto cleanup;
}
}
}
/*
* Read the version number from the head of the file
* to know how to interpret the data that follows.
*/
sizeof (version)) {
"failed to get format version from "
"input file."));
goto cleanup;
}
/* convert to host byte order */
switch (version) {
case 1:
/*
* Version 1 output format:
* - Iterations used in key gen function (4 bytes)
* - IV ( 'ivlen' bytes)
* - Salt data used in key gen (16 bytes)
*
* An encrypted file has IV as first block (0 or
* more bytes depending on mechanism) followed
* by cipher text. Get the IV from the encrypted
* file.
*/
/*
* Read iteration count and salt data.
*/
sizeof (iterations)) !=
sizeof (iterations)) {
"failed to get iterations from "
"input file."));
goto cleanup;
}
/* convert to host byte order */
if (ivlen > 0 &&
"failed to get initialization "
"vector from input file."));
goto cleanup;
}
!= sizeof (salt)) {
"failed to get salt data from "
"input file."));
goto cleanup;
}
break;
default:
"Unrecognized format version read from "
"input file - expected %d, got %d."),
goto cleanup;
break;
}
}
/*
* If Kflag is set, let's find the token key now.
*
* If Kflag is not set and if encrypting, we need some random
* salt data to create the key. If decrypting,
* the salt should come from head of the file
* to be decrypted.
*/
if (Kflag) {
"Can not find the token key"));
goto cleanup;
} else {
goto do_crypto;
}
if (rv != 0) {
gettext("unable to generate random "
"data for key salt."));
goto cleanup;
}
}
/*
* If key input is read from a file, treat it as
* raw key data, unless it is to be used with RC4,
* in which case it must be used to generate a pkcs5
* key to address security concerns with RC4 keys.
*/
int nattr = 0;
nattr++;
nattr++;
nattr++;
nattr++;
nattr++;
} else {
/*
* If the encryption type has a fixed key length,
* then its not necessary to set the key length
* parameter when generating the key.
*/
keylen = 0;
else
keylen = 16;
/*
* Generate a cryptographically secure key using
* the key read from the file given (-k keyfile) or
* the passphrase entered by the user.
*/
}
"failed to generate a key: %s"),
goto cleanup;
}
/* Setup up mechanism */
"failed to initialize crypto operation: %s"),
goto cleanup;
}
/* Write the version header encrypt command */
/* convert to network order for storage */
!= sizeof (netversion)) {
"failed to write version number "
"to output file."));
goto cleanup;
}
/*
* Write the iteration and salt data, even if they
* were not used to generate a key.
*/
"failed to write iterations to output"));
goto cleanup;
}
if (ivlen > 0 &&
"failed to write initialization vector "
"to output"));
goto cleanup;
}
"failed to write salt data to output"));
goto cleanup;
}
}
goto cleanup;
}
/*
* Clean up
*/
/* Clear the key data, so others cannot snoop */
}
/* Destroy key object */
}
/* free allocated memory */
/* close all the files */
/* rename tmp output to input file */
if (inoutsame) {
(void) unlink(outfilename);
}
}
/* If error occurred, remove the output file */
(void) unlink(outfilename);
}
/* close pkcs11 session */
if (hSession != CK_INVALID_HANDLE)
(void) C_CloseSession(hSession);
(void) C_Finalize(NULL);
return (errflag);
}
/*
* Function for printing progress bar when the verbose flag
* is set.
*
* The vertical bar is printed at 25, 50, and 75% complete.
*
* The function is passed the number of positions on the screen it needs to
* advance and loops.
*/
static void
{
while (pos_to_advance > 0) {
switch (status_pos) {
case 0:
break;
case 19:
case 39:
case 59:
break;
default:
}
status_pos++;
}
}
/*
*
* This function reads the input file (infd) and writes the
*
* cmd - pointing to commandinfo
* hSession - pkcs session
* infd - input file descriptor
* outfd - output file descriptor
*
*/
static int
{
int pos; /* # of progress bar elements to be print */
resultbuflen = sizeof (outbuf);
/* Divide into 79 increments for progress bar element spacing */
/* Start with the initial buffer */
/* Need a bigger buffer? */
if (rv == CKR_BUFFER_TOO_SMALL) {
/* free the old buffer */
}
/* allocate a new big buffer */
return (-1);
}
/* Try again with bigger buffer */
}
"crypto operation failed: %s"),
break;
}
/* write the output */
"failed to write result to output file."));
break;
}
if (vflag) {
/*
* If input is from stdin, do a our own progress bar
* by printing periods at a pre-defined increment
* until the file is done.
*/
if (!iflag) {
/*
* Print at least 1 element in case the file
* is small, it looks better than nothing.
*/
if (status_pos == 0) {
status_pos = 1;
}
if ((status_index - status_last) >
(PROGRESSSIZE)) {
}
continue;
}
/* Calculate the number of elements need to be print */
if (insize <= BUFFERSIZE)
pos = 78;
else
/* Add progress bar elements, if needed */
if (pos > 0) {
}
}
}
/* Print verbose completion */
if (vflag) {
if (iflag)
}
/* Error in reading */
if (nread == -1) {
"error reading from input file"));
}
if (!errflag) {
/* Do the final part */
/* write the output */
"failed to write result to output file."));
}
} else {
"crypto operation failed: %s"),
}
}
}
if (errflag) {
return (-1);
} else {
return (0);
}
}
/*
* cryptoreadfile - reads file into a buffer
* This function can be used for reading files
* containing key or initialization vector data.
*
* filename - name of file
* pdata - entire file returned in this buffer
* must be freed by caller using free()
* pdatalen - length of data returned
*
* returns 0 if success, -1 if error
*/
static int
{
char *filebuf;
int filesize;
int fd;
return (-1);
/* read the file into a buffer */
"cannot open %s"), filename);
return (-1);
}
"cannot stat %s"), filename);
return (-1);
}
"%s not a regular file"), filename);
return (-1);
}
if (filesize == 0) {
return (-1);
}
/* allocate a buffer to hold the entire key */
return (-1);
}
return (-1);
}
return (0);
}
/*
* cryptogetdata - prompt user for a key or the PIN for a token
*
* pdata - buffer for returning key or pin data
* must be freed by caller using free()
* psize - size of buffer returned
*
* returns
* 0 for success, -1 for failure
*/
static int
{
char prompt[1024];
if (token_spec != NULL) {
} else {
}
return (-1); /* error */
} else {
return (-1);
}
return (0);
}
/*
* get_random_data - generate initialization vector data
* iv data is random bytes
* hSession - a pkcs session
* pivbuf - buffer where data is returned
* ivlen - size of iv data
*/
static int
{
int fd;
if (ivlen == 0) {
/* nothing to generate */
return (0);
}
return (0);
}
}
return (-1);
}