crypto_pwbox.c 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212
  1. /* Copyright (c) 2014-2017, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file crypto_pwbox.c
  5. *
  6. * \brief Code for encrypting secrets in a password-protected form and saving
  7. * them to disk.
  8. */
  9. #include "crypto.h"
  10. #include "crypto_s2k.h"
  11. #include "crypto_pwbox.h"
  12. #include "di_ops.h"
  13. #include "util.h"
  14. #include "pwbox.h"
  15. /* 8 bytes "TORBOX00"
  16. 1 byte: header len (H)
  17. H bytes: header, denoting secret key algorithm.
  18. 16 bytes: IV
  19. Round up to multiple of 128 bytes, then encrypt:
  20. 4 bytes: data len
  21. data
  22. zeros
  23. 32 bytes: HMAC-SHA256 of all previous bytes.
  24. */
  25. #define MAX_OVERHEAD (S2K_MAXLEN + 8 + 1 + 32 + CIPHER_IV_LEN)
  26. /**
  27. * Make an authenticated passphrase-encrypted blob to encode the
  28. * <b>input_len</b> bytes in <b>input</b> using the passphrase
  29. * <b>secret</b> of <b>secret_len</b> bytes. Allocate a new chunk of memory
  30. * to hold the encrypted data, and store a pointer to that memory in
  31. * *<b>out</b>, and its size in <b>outlen_out</b>. Use <b>s2k_flags</b> as an
  32. * argument to the passphrase-hashing function.
  33. */
  34. int
  35. crypto_pwbox(uint8_t **out, size_t *outlen_out,
  36. const uint8_t *input, size_t input_len,
  37. const char *secret, size_t secret_len,
  38. unsigned s2k_flags)
  39. {
  40. uint8_t *result = NULL, *encrypted_portion;
  41. size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
  42. ssize_t result_len;
  43. int spec_len;
  44. uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
  45. pwbox_encoded_t *enc = NULL;
  46. ssize_t enc_len;
  47. crypto_cipher_t *cipher;
  48. int rv;
  49. enc = pwbox_encoded_new();
  50. pwbox_encoded_setlen_skey_header(enc, S2K_MAXLEN);
  51. spec_len = secret_to_key_make_specifier(
  52. pwbox_encoded_getarray_skey_header(enc),
  53. S2K_MAXLEN,
  54. s2k_flags);
  55. if (BUG(spec_len < 0 || spec_len > S2K_MAXLEN))
  56. goto err;
  57. pwbox_encoded_setlen_skey_header(enc, spec_len);
  58. enc->header_len = spec_len;
  59. crypto_rand((char*)enc->iv, sizeof(enc->iv));
  60. pwbox_encoded_setlen_data(enc, encrypted_len);
  61. encrypted_portion = pwbox_encoded_getarray_data(enc);
  62. set_uint32(encrypted_portion, htonl((uint32_t)input_len));
  63. memcpy(encrypted_portion+4, input, input_len);
  64. /* Now that all the data is in position, derive some keys, encrypt, and
  65. * digest */
  66. const int s2k_rv = secret_to_key_derivekey(keys, sizeof(keys),
  67. pwbox_encoded_getarray_skey_header(enc),
  68. spec_len,
  69. secret, secret_len);
  70. if (BUG(s2k_rv < 0))
  71. goto err;
  72. cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
  73. crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
  74. crypto_cipher_free(cipher);
  75. result_len = pwbox_encoded_encoded_len(enc);
  76. if (BUG(result_len < 0))
  77. goto err;
  78. result = tor_malloc(result_len);
  79. enc_len = pwbox_encoded_encode(result, result_len, enc);
  80. if (BUG(enc_len < 0))
  81. goto err;
  82. tor_assert(enc_len == result_len);
  83. crypto_hmac_sha256((char*) result + result_len - 32,
  84. (const char*)keys + CIPHER_KEY_LEN,
  85. DIGEST256_LEN,
  86. (const char*)result,
  87. result_len - 32);
  88. *out = result;
  89. *outlen_out = result_len;
  90. rv = 0;
  91. goto out;
  92. /* LCOV_EXCL_START
  93. This error case is often unreachable if we're correctly coded, unless
  94. somebody adds a new error case somewhere, or unless you're building
  95. without scrypto support.
  96. - make_specifier can't fail, unless S2K_MAX_LEN is too short.
  97. - secret_to_key_derivekey can't really fail unless we're missing
  98. scrypt, or the underlying function fails, or we pass it a bogus
  99. algorithm or parameters.
  100. - pwbox_encoded_encoded_len can't fail unless we're using trunnel
  101. incorrectly.
  102. - pwbox_encoded_encode can't fail unless we're using trunnel wrong,
  103. or it's buggy.
  104. */
  105. err:
  106. tor_free(result);
  107. rv = -1;
  108. /* LCOV_EXCL_STOP */
  109. out:
  110. pwbox_encoded_free(enc);
  111. memwipe(keys, 0, sizeof(keys));
  112. return rv;
  113. }
  114. /**
  115. * Try to decrypt the passphrase-encrypted blob of <b>input_len</b> bytes in
  116. * <b>input</b> using the passphrase <b>secret</b> of <b>secret_len</b> bytes.
  117. * On success, return 0 and allocate a new chunk of memory to hold the
  118. * decrypted data, and store a pointer to that memory in *<b>out</b>, and its
  119. * size in <b>outlen_out</b>. On failure, return UNPWBOX_BAD_SECRET if
  120. * the passphrase might have been wrong, and UNPWBOX_CORRUPT if the object is
  121. * definitely corrupt.
  122. */
  123. int
  124. crypto_unpwbox(uint8_t **out, size_t *outlen_out,
  125. const uint8_t *inp, size_t input_len,
  126. const char *secret, size_t secret_len)
  127. {
  128. uint8_t *result = NULL;
  129. const uint8_t *encrypted;
  130. uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
  131. uint8_t hmac[DIGEST256_LEN];
  132. uint32_t result_len;
  133. size_t encrypted_len;
  134. crypto_cipher_t *cipher = NULL;
  135. int rv = UNPWBOX_CORRUPTED;
  136. ssize_t got_len;
  137. pwbox_encoded_t *enc = NULL;
  138. got_len = pwbox_encoded_parse(&enc, inp, input_len);
  139. if (got_len < 0 || (size_t)got_len != input_len)
  140. goto err;
  141. /* Now derive the keys and check the hmac. */
  142. if (secret_to_key_derivekey(keys, sizeof(keys),
  143. pwbox_encoded_getarray_skey_header(enc),
  144. pwbox_encoded_getlen_skey_header(enc),
  145. secret, secret_len) < 0)
  146. goto err;
  147. crypto_hmac_sha256((char *)hmac,
  148. (const char*)keys + CIPHER_KEY_LEN, DIGEST256_LEN,
  149. (const char*)inp, input_len - DIGEST256_LEN);
  150. if (tor_memneq(hmac, enc->hmac, DIGEST256_LEN)) {
  151. rv = UNPWBOX_BAD_SECRET;
  152. goto err;
  153. }
  154. /* How long is the plaintext? */
  155. encrypted = pwbox_encoded_getarray_data(enc);
  156. encrypted_len = pwbox_encoded_getlen_data(enc);
  157. if (encrypted_len < 4)
  158. goto err;
  159. cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
  160. crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
  161. result_len = ntohl(result_len);
  162. if (encrypted_len < result_len + 4)
  163. goto err;
  164. /* Allocate a buffer and decrypt */
  165. result = tor_malloc_zero(result_len);
  166. crypto_cipher_decrypt(cipher, (char*)result, (char*)encrypted+4, result_len);
  167. *out = result;
  168. *outlen_out = result_len;
  169. rv = UNPWBOX_OKAY;
  170. goto out;
  171. err:
  172. tor_free(result);
  173. out:
  174. crypto_cipher_free(cipher);
  175. pwbox_encoded_free(enc);
  176. memwipe(keys, 0, sizeof(keys));
  177. return rv;
  178. }