2016-02-27 18:19:57 +01:00
|
|
|
/* Copyright (c) 2014-2016, The Tor Project, Inc. */
|
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* \file crypto_pwbox.c
|
|
|
|
*
|
|
|
|
* \brief Code for encrypting secrets in a password-protected form and saving
|
|
|
|
* them to disk.
|
|
|
|
*/
|
2014-08-28 23:59:06 +02:00
|
|
|
|
|
|
|
#include "crypto.h"
|
|
|
|
#include "crypto_s2k.h"
|
|
|
|
#include "crypto_pwbox.h"
|
|
|
|
#include "di_ops.h"
|
|
|
|
#include "util.h"
|
2014-09-24 16:51:39 +02:00
|
|
|
#include "pwbox.h"
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
/* 8 bytes "TORBOX00"
|
2014-08-28 23:59:06 +02:00
|
|
|
1 byte: header len (H)
|
|
|
|
H bytes: header, denoting secret key algorithm.
|
2014-09-23 20:47:23 +02:00
|
|
|
16 bytes: IV
|
2014-08-28 23:59:06 +02:00
|
|
|
Round up to multiple of 128 bytes, then encrypt:
|
|
|
|
4 bytes: data len
|
|
|
|
data
|
|
|
|
zeros
|
|
|
|
32 bytes: HMAC-SHA256 of all previous bytes.
|
|
|
|
*/
|
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 1 + 32 + CIPHER_IV_LEN)
|
2014-08-28 23:59:06 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Make an authenticated passphrase-encrypted blob to encode the
|
|
|
|
* <b>input_len</b> bytes in <b>input</b> using the passphrase
|
|
|
|
* <b>secret</b> of <b>secret_len</b> bytes. Allocate a new chunk of memory
|
|
|
|
* to hold the encrypted data, and store a pointer to that memory in
|
|
|
|
* *<b>out</b>, and its size in <b>outlen_out</b>. Use <b>s2k_flags</b> as an
|
|
|
|
* argument to the passphrase-hashing function.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_pwbox(uint8_t **out, size_t *outlen_out,
|
|
|
|
const uint8_t *input, size_t input_len,
|
|
|
|
const char *secret, size_t secret_len,
|
|
|
|
unsigned s2k_flags)
|
|
|
|
{
|
2014-09-24 16:51:39 +02:00
|
|
|
uint8_t *result = NULL, *encrypted_portion;
|
2014-08-28 23:59:06 +02:00
|
|
|
size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
|
2014-09-24 16:51:39 +02:00
|
|
|
ssize_t result_len;
|
2014-08-28 23:59:06 +02:00
|
|
|
int spec_len;
|
|
|
|
uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_t *enc = NULL;
|
|
|
|
ssize_t enc_len;
|
2014-08-28 23:59:06 +02:00
|
|
|
|
|
|
|
crypto_cipher_t *cipher;
|
|
|
|
int rv;
|
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
enc = pwbox_encoded_new();
|
|
|
|
|
|
|
|
pwbox_encoded_setlen_skey_header(enc, S2K_MAXLEN);
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
spec_len = secret_to_key_make_specifier(
|
|
|
|
pwbox_encoded_getarray_skey_header(enc),
|
|
|
|
S2K_MAXLEN,
|
|
|
|
s2k_flags);
|
2016-05-03 17:07:49 +02:00
|
|
|
if (BUG(spec_len < 0 || spec_len > S2K_MAXLEN))
|
2014-08-28 23:59:06 +02:00
|
|
|
goto err;
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_setlen_skey_header(enc, spec_len);
|
|
|
|
enc->header_len = spec_len;
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
crypto_rand((char*)enc->iv, sizeof(enc->iv));
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_setlen_data(enc, encrypted_len);
|
|
|
|
encrypted_portion = pwbox_encoded_getarray_data(enc);
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-10-26 04:43:55 +01:00
|
|
|
set_uint32(encrypted_portion, htonl((uint32_t)input_len));
|
2014-08-28 23:59:06 +02:00
|
|
|
memcpy(encrypted_portion+4, input, input_len);
|
|
|
|
|
|
|
|
/* Now that all the data is in position, derive some keys, encrypt, and
|
|
|
|
* digest */
|
2016-05-03 17:07:49 +02:00
|
|
|
const int s2k_rv = secret_to_key_derivekey(keys, sizeof(keys),
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_getarray_skey_header(enc),
|
|
|
|
spec_len,
|
2016-05-03 17:07:49 +02:00
|
|
|
secret, secret_len);
|
|
|
|
if (BUG(s2k_rv < 0))
|
2014-08-28 23:59:06 +02:00
|
|
|
goto err;
|
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
|
2014-08-28 23:59:06 +02:00
|
|
|
crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
|
|
|
|
crypto_cipher_free(cipher);
|
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
result_len = pwbox_encoded_encoded_len(enc);
|
2016-05-03 17:07:49 +02:00
|
|
|
if (BUG(result_len < 0))
|
2014-09-24 16:51:39 +02:00
|
|
|
goto err;
|
|
|
|
result = tor_malloc(result_len);
|
|
|
|
enc_len = pwbox_encoded_encode(result, result_len, enc);
|
2016-05-03 17:07:49 +02:00
|
|
|
if (BUG(enc_len < 0))
|
2014-09-24 16:51:39 +02:00
|
|
|
goto err;
|
|
|
|
tor_assert(enc_len == result_len);
|
|
|
|
|
|
|
|
crypto_hmac_sha256((char*) result + result_len - 32,
|
2014-08-28 23:59:06 +02:00
|
|
|
(const char*)keys + CIPHER_KEY_LEN,
|
2014-09-24 16:51:39 +02:00
|
|
|
DIGEST256_LEN,
|
2014-09-23 20:47:23 +02:00
|
|
|
(const char*)result,
|
2014-09-24 16:51:39 +02:00
|
|
|
result_len - 32);
|
2014-08-28 23:59:06 +02:00
|
|
|
|
|
|
|
*out = result;
|
2014-09-24 16:51:39 +02:00
|
|
|
*outlen_out = result_len;
|
2014-08-28 23:59:06 +02:00
|
|
|
rv = 0;
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err:
|
2016-05-03 17:07:49 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
|
|
|
|
This error case is often unreachable if we're correctly coded, unless
|
|
|
|
somebody adds a new error case somewhere, or unless you're building
|
|
|
|
without scrypto support.
|
|
|
|
|
|
|
|
- make_specifier can't fail, unless S2K_MAX_LEN is too short.
|
|
|
|
- secret_to_key_derivekey can't really fail unless we're missing
|
|
|
|
scrypt, or the underlying function fails, or we pass it a bogus
|
|
|
|
algorithm or parameters.
|
|
|
|
- pwbox_encoded_encoded_len can't fail unless we're using trunnel
|
|
|
|
incorrectly.
|
|
|
|
- pwbox_encoded_encode can't fail unless we're using trunnel wrong,
|
|
|
|
or it's buggy.
|
|
|
|
*/
|
2014-08-28 23:59:06 +02:00
|
|
|
tor_free(result);
|
|
|
|
rv = -1;
|
2016-05-03 17:07:49 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2014-08-28 23:59:06 +02:00
|
|
|
out:
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_free(enc);
|
2014-08-28 23:59:06 +02:00
|
|
|
memwipe(keys, 0, sizeof(keys));
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Try to decrypt the passphrase-encrypted blob of <b>input_len</b> bytes in
|
|
|
|
* <b>input</b> using the passphrase <b>secret</b> of <b>secret_len</b> bytes.
|
|
|
|
* On success, return 0 and allocate a new chunk of memory to hold the
|
|
|
|
* decrypted data, and store a pointer to that memory in *<b>out</b>, and its
|
|
|
|
* size in <b>outlen_out</b>. On failure, return UNPWBOX_BAD_SECRET if
|
|
|
|
* the passphrase might have been wrong, and UNPWBOX_CORRUPT if the object is
|
|
|
|
* definitely corrupt.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_unpwbox(uint8_t **out, size_t *outlen_out,
|
|
|
|
const uint8_t *inp, size_t input_len,
|
|
|
|
const char *secret, size_t secret_len)
|
|
|
|
{
|
|
|
|
uint8_t *result = NULL;
|
2014-09-24 16:51:39 +02:00
|
|
|
const uint8_t *encrypted;
|
2014-08-28 23:59:06 +02:00
|
|
|
uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
|
|
|
|
uint8_t hmac[DIGEST256_LEN];
|
|
|
|
uint32_t result_len;
|
2014-09-24 16:51:39 +02:00
|
|
|
size_t encrypted_len;
|
2014-08-28 23:59:06 +02:00
|
|
|
crypto_cipher_t *cipher = NULL;
|
|
|
|
int rv = UNPWBOX_CORRUPTED;
|
2014-09-24 16:51:39 +02:00
|
|
|
ssize_t got_len;
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_t *enc = NULL;
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
got_len = pwbox_encoded_parse(&enc, inp, input_len);
|
|
|
|
if (got_len < 0 || (size_t)got_len != input_len)
|
2014-08-28 23:59:06 +02:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Now derive the keys and check the hmac. */
|
|
|
|
if (secret_to_key_derivekey(keys, sizeof(keys),
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_getarray_skey_header(enc),
|
|
|
|
pwbox_encoded_getlen_skey_header(enc),
|
2014-08-28 23:59:06 +02:00
|
|
|
secret, secret_len) < 0)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
crypto_hmac_sha256((char *)hmac,
|
2014-09-24 16:51:39 +02:00
|
|
|
(const char*)keys + CIPHER_KEY_LEN, DIGEST256_LEN,
|
|
|
|
(const char*)inp, input_len - DIGEST256_LEN);
|
2014-08-28 23:59:06 +02:00
|
|
|
|
2014-09-24 16:51:39 +02:00
|
|
|
if (tor_memneq(hmac, enc->hmac, DIGEST256_LEN)) {
|
2014-08-28 23:59:06 +02:00
|
|
|
rv = UNPWBOX_BAD_SECRET;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* How long is the plaintext? */
|
2014-09-24 16:51:39 +02:00
|
|
|
encrypted = pwbox_encoded_getarray_data(enc);
|
|
|
|
encrypted_len = pwbox_encoded_getlen_data(enc);
|
|
|
|
if (encrypted_len < 4)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
|
2014-08-28 23:59:06 +02:00
|
|
|
crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
|
|
|
|
result_len = ntohl(result_len);
|
2014-09-24 16:51:39 +02:00
|
|
|
if (encrypted_len < result_len + 4)
|
2014-08-28 23:59:06 +02:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Allocate a buffer and decrypt */
|
|
|
|
result = tor_malloc_zero(result_len);
|
|
|
|
crypto_cipher_decrypt(cipher, (char*)result, (char*)encrypted+4, result_len);
|
|
|
|
|
|
|
|
*out = result;
|
|
|
|
*outlen_out = result_len;
|
|
|
|
|
|
|
|
rv = UNPWBOX_OKAY;
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err:
|
|
|
|
tor_free(result);
|
|
|
|
|
|
|
|
out:
|
|
|
|
crypto_cipher_free(cipher);
|
2014-09-24 16:51:39 +02:00
|
|
|
pwbox_encoded_free(enc);
|
2014-08-28 23:59:06 +02:00
|
|
|
memwipe(keys, 0, sizeof(keys));
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|