nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-28 06:13:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Adjust pwbox format: use a random IV each time

Browse Source 
Suggested by yawning
This commit is contained in:
Nick Mathewson 2014-09-23 14:47:23 -04:00
parent d0f5d2b662
commit 3011149401
1 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/common/crypto_pwbox.c
View File

@ -8,6 +8,7 @@
/* 7 bytes "TORBOX0"
1 byte: header len (H)
H bytes: header, denoting secret key algorithm.
16 bytes: IV
Round up to multiple of 128 bytes, then encrypt:
4 bytes: data len
data
@ -15,7 +16,7 @@
32 bytes: HMAC-SHA256 of all previous bytes.
*/
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 32)
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 32 + CIPHER_IV_LEN)
/**
* Make an authenticated passphrase-encrypted blob to encode the
@ -31,7 +32,7 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
const char *secret, size_t secret_len,
unsigned s2k_flags)
{
uint8_t *result, *encrypted_portion, *hmac;
uint8_t *result, *encrypted_portion, *hmac, *iv;
size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
size_t result_len = encrypted_len + MAX_OVERHEAD;
int spec_len;
@ -51,9 +52,10 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
goto err;
result[7] = (uint8_t) spec_len;
tor_assert(8 + spec_len + encrypted_len <= result_len);
tor_assert(8 + spec_len + CIPHER_IV_LEN + encrypted_len <= result_len);
encrypted_portion = result + 8 + spec_len;
iv = result + 8 + spec_len;
encrypted_portion = result + 8 + spec_len + CIPHER_IV_LEN;
hmac = encrypted_portion + encrypted_len;
set_uint32(encrypted_portion, htonl(input_len));
@ -66,17 +68,20 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
secret, secret_len) < 0)
goto err;
cipher = crypto_cipher_new((char*)keys);
crypto_rand((char*)iv, CIPHER_IV_LEN);
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)iv);
crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
crypto_cipher_free(cipher);
crypto_hmac_sha256((char*)hmac,
(const char*)keys + CIPHER_KEY_LEN,
sizeof(keys)-CIPHER_KEY_LEN,
(const char*)result, 8 + spec_len + encrypted_len);
(const char*)result,
8 + CIPHER_IV_LEN + spec_len + encrypted_len);
*out = result;
*outlen_out = 8 + spec_len + encrypted_len + DIGEST256_LEN;
*outlen_out = 8 + CIPHER_IV_LEN + spec_len + encrypted_len + DIGEST256_LEN;
rv = 0;
goto out;
@ -104,7 +109,7 @@ crypto_unpwbox(uint8_t **out, size_t *outlen_out,
const char *secret, size_t secret_len)
{
uint8_t *result = NULL;
const uint8_t *encrypted;
const uint8_t *encrypted, *iv;
uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
size_t spec_bytes;
uint8_t hmac[DIGEST256_LEN];
@ -137,10 +142,11 @@ crypto_unpwbox(uint8_t **out, size_t *outlen_out,
goto err;
}
encrypted = inp + 8 + spec_bytes;
iv = inp + 8 + spec_bytes;
encrypted = inp + 8 + spec_bytes + CIPHER_IV_LEN;
/* How long is the plaintext? */
cipher = crypto_cipher_new((char*)keys);
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)iv);
crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
result_len = ntohl(result_len);
if (input_len < 8 + spec_bytes + 4 + result_len + 32)