crypto_pwbox.c 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215
  1. /* Copyright (c) 2014-2017, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file crypto_pwbox.c
  5. *
  6. * \brief Code for encrypting secrets in a password-protected form and saving
  7. * them to disk.
  8. */
  9. #include "crypto.h"
  10. #include "crypto_digest.h"
  11. #include "crypto_pwbox.h"
  12. #include "crypto_rand.h"
  13. #include "crypto_s2k.h"
  14. #include "crypto_util.h"
  15. #include "di_ops.h"
  16. #include "util.h"
  17. #include "pwbox.h"
  18. /* 8 bytes "TORBOX00"
  19. 1 byte: header len (H)
  20. H bytes: header, denoting secret key algorithm.
  21. 16 bytes: IV
  22. Round up to multiple of 128 bytes, then encrypt:
  23. 4 bytes: data len
  24. data
  25. zeros
  26. 32 bytes: HMAC-SHA256 of all previous bytes.
  27. */
  28. #define MAX_OVERHEAD (S2K_MAXLEN + 8 + 1 + 32 + CIPHER_IV_LEN)
  29. /**
  30. * Make an authenticated passphrase-encrypted blob to encode the
  31. * <b>input_len</b> bytes in <b>input</b> using the passphrase
  32. * <b>secret</b> of <b>secret_len</b> bytes. Allocate a new chunk of memory
  33. * to hold the encrypted data, and store a pointer to that memory in
  34. * *<b>out</b>, and its size in <b>outlen_out</b>. Use <b>s2k_flags</b> as an
  35. * argument to the passphrase-hashing function.
  36. */
  37. int
  38. crypto_pwbox(uint8_t **out, size_t *outlen_out,
  39. const uint8_t *input, size_t input_len,
  40. const char *secret, size_t secret_len,
  41. unsigned s2k_flags)
  42. {
  43. uint8_t *result = NULL, *encrypted_portion;
  44. size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
  45. ssize_t result_len;
  46. int spec_len;
  47. uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
  48. pwbox_encoded_t *enc = NULL;
  49. ssize_t enc_len;
  50. crypto_cipher_t *cipher;
  51. int rv;
  52. enc = pwbox_encoded_new();
  53. pwbox_encoded_setlen_skey_header(enc, S2K_MAXLEN);
  54. spec_len = secret_to_key_make_specifier(
  55. pwbox_encoded_getarray_skey_header(enc),
  56. S2K_MAXLEN,
  57. s2k_flags);
  58. if (BUG(spec_len < 0 || spec_len > S2K_MAXLEN))
  59. goto err;
  60. pwbox_encoded_setlen_skey_header(enc, spec_len);
  61. enc->header_len = spec_len;
  62. crypto_rand((char*)enc->iv, sizeof(enc->iv));
  63. pwbox_encoded_setlen_data(enc, encrypted_len);
  64. encrypted_portion = pwbox_encoded_getarray_data(enc);
  65. set_uint32(encrypted_portion, htonl((uint32_t)input_len));
  66. memcpy(encrypted_portion+4, input, input_len);
  67. /* Now that all the data is in position, derive some keys, encrypt, and
  68. * digest */
  69. const int s2k_rv = secret_to_key_derivekey(keys, sizeof(keys),
  70. pwbox_encoded_getarray_skey_header(enc),
  71. spec_len,
  72. secret, secret_len);
  73. if (BUG(s2k_rv < 0))
  74. goto err;
  75. cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
  76. crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
  77. crypto_cipher_free(cipher);
  78. result_len = pwbox_encoded_encoded_len(enc);
  79. if (BUG(result_len < 0))
  80. goto err;
  81. result = tor_malloc(result_len);
  82. enc_len = pwbox_encoded_encode(result, result_len, enc);
  83. if (BUG(enc_len < 0))
  84. goto err;
  85. tor_assert(enc_len == result_len);
  86. crypto_hmac_sha256((char*) result + result_len - 32,
  87. (const char*)keys + CIPHER_KEY_LEN,
  88. DIGEST256_LEN,
  89. (const char*)result,
  90. result_len - 32);
  91. *out = result;
  92. *outlen_out = result_len;
  93. rv = 0;
  94. goto out;
  95. /* LCOV_EXCL_START
  96. This error case is often unreachable if we're correctly coded, unless
  97. somebody adds a new error case somewhere, or unless you're building
  98. without scrypto support.
  99. - make_specifier can't fail, unless S2K_MAX_LEN is too short.
  100. - secret_to_key_derivekey can't really fail unless we're missing
  101. scrypt, or the underlying function fails, or we pass it a bogus
  102. algorithm or parameters.
  103. - pwbox_encoded_encoded_len can't fail unless we're using trunnel
  104. incorrectly.
  105. - pwbox_encoded_encode can't fail unless we're using trunnel wrong,
  106. or it's buggy.
  107. */
  108. err:
  109. tor_free(result);
  110. rv = -1;
  111. /* LCOV_EXCL_STOP */
  112. out:
  113. pwbox_encoded_free(enc);
  114. memwipe(keys, 0, sizeof(keys));
  115. return rv;
  116. }
  117. /**
  118. * Try to decrypt the passphrase-encrypted blob of <b>input_len</b> bytes in
  119. * <b>input</b> using the passphrase <b>secret</b> of <b>secret_len</b> bytes.
  120. * On success, return 0 and allocate a new chunk of memory to hold the
  121. * decrypted data, and store a pointer to that memory in *<b>out</b>, and its
  122. * size in <b>outlen_out</b>. On failure, return UNPWBOX_BAD_SECRET if
  123. * the passphrase might have been wrong, and UNPWBOX_CORRUPT if the object is
  124. * definitely corrupt.
  125. */
  126. int
  127. crypto_unpwbox(uint8_t **out, size_t *outlen_out,
  128. const uint8_t *inp, size_t input_len,
  129. const char *secret, size_t secret_len)
  130. {
  131. uint8_t *result = NULL;
  132. const uint8_t *encrypted;
  133. uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
  134. uint8_t hmac[DIGEST256_LEN];
  135. uint32_t result_len;
  136. size_t encrypted_len;
  137. crypto_cipher_t *cipher = NULL;
  138. int rv = UNPWBOX_CORRUPTED;
  139. ssize_t got_len;
  140. pwbox_encoded_t *enc = NULL;
  141. got_len = pwbox_encoded_parse(&enc, inp, input_len);
  142. if (got_len < 0 || (size_t)got_len != input_len)
  143. goto err;
  144. /* Now derive the keys and check the hmac. */
  145. if (secret_to_key_derivekey(keys, sizeof(keys),
  146. pwbox_encoded_getarray_skey_header(enc),
  147. pwbox_encoded_getlen_skey_header(enc),
  148. secret, secret_len) < 0)
  149. goto err;
  150. crypto_hmac_sha256((char *)hmac,
  151. (const char*)keys + CIPHER_KEY_LEN, DIGEST256_LEN,
  152. (const char*)inp, input_len - DIGEST256_LEN);
  153. if (tor_memneq(hmac, enc->hmac, DIGEST256_LEN)) {
  154. rv = UNPWBOX_BAD_SECRET;
  155. goto err;
  156. }
  157. /* How long is the plaintext? */
  158. encrypted = pwbox_encoded_getarray_data(enc);
  159. encrypted_len = pwbox_encoded_getlen_data(enc);
  160. if (encrypted_len < 4)
  161. goto err;
  162. cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
  163. crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
  164. result_len = ntohl(result_len);
  165. if (encrypted_len < result_len + 4)
  166. goto err;
  167. /* Allocate a buffer and decrypt */
  168. result = tor_malloc_zero(result_len);
  169. crypto_cipher_decrypt(cipher, (char*)result, (char*)encrypted+4, result_len);
  170. *out = result;
  171. *outlen_out = result_len;
  172. rv = UNPWBOX_OKAY;
  173. goto out;
  174. err:
  175. tor_free(result);
  176. out:
  177. crypto_cipher_free(cipher);
  178. pwbox_encoded_free(enc);
  179. memwipe(keys, 0, sizeof(keys));
  180. return rv;
  181. }