src/lib/crypt_ops/crypto_pwbox.c

   1 /* Copyright (c) 2014-2021, The Tor Project, Inc. */
   2 /* See LICENSE for licensing information */
   3
   4 /**
   5  * \file crypto_pwbox.c
   6  *
   7  * \brief Code for encrypting secrets in a password-protected form and saving
   8  * them to disk.
   9  */
  10
  11 #include <string.h>
  12
  13 #include "lib/arch/bytes.h"
  14 #include "lib/crypt_ops/crypto_cipher.h"
  15 #include "lib/crypt_ops/crypto_digest.h"
  16 #include "lib/crypt_ops/crypto_pwbox.h"
  17 #include "lib/crypt_ops/crypto_rand.h"
  18 #include "lib/crypt_ops/crypto_s2k.h"
  19 #include "lib/crypt_ops/crypto_util.h"
  20 #include "lib/ctime/di_ops.h"
  21 #include "lib/intmath/muldiv.h"
  22 #include "trunnel/pwbox.h"
  23 #include "lib/log/util_bug.h"
  24
  25 /* 8 bytes "TORBOX00"
  26    1 byte: header len (H)
  27    H bytes: header, denoting secret key algorithm.
  28    16 bytes: IV
  29    Round up to multiple of 128 bytes, then encrypt:
  30       4 bytes: data len
  31       data
  32       zeros
  33    32 bytes: HMAC-SHA256 of all previous bytes.
  34 */
  35
  36 #define MAX_OVERHEAD (S2K_MAXLEN + 8 + 1 + 32 + CIPHER_IV_LEN)
  37
  38 /**
  39  * Make an authenticated passphrase-encrypted blob to encode the
  40  * <b>input_len</b> bytes in <b>input</b> using the passphrase
  41  * <b>secret</b> of <b>secret_len</b> bytes.  Allocate a new chunk of memory
  42  * to hold the encrypted data, and store a pointer to that memory in
  43  * *<b>out</b>, and its size in <b>outlen_out</b>.  Use <b>s2k_flags</b> as an
  44  * argument to the passphrase-hashing function.
  45  */
  46 int
  47 crypto_pwbox(uint8_t **out, size_t *outlen_out,
  48              const uint8_t *input, size_t input_len,
  49              const char *secret, size_t secret_len,
  50              unsigned s2k_flags)
  51 {
  52   uint8_t *result = NULL, *encrypted_portion;
  53   size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
  54   ssize_t result_len;
  55   int spec_len;
  56   uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
  57   pwbox_encoded_t *enc = NULL;
  58   ssize_t enc_len;
  59
  60   crypto_cipher_t *cipher;
  61   int rv;
  62
  63   enc = pwbox_encoded_new();
  64   tor_assert(enc);
  65
  66   pwbox_encoded_setlen_skey_header(enc, S2K_MAXLEN);
  67
  68   spec_len = secret_to_key_make_specifier(
  69                                       pwbox_encoded_getarray_skey_header(enc),
  70                                       S2K_MAXLEN,
  71                                       s2k_flags);
  72   if (BUG(spec_len < 0 || spec_len > S2K_MAXLEN))
  73     goto err;
  74   pwbox_encoded_setlen_skey_header(enc, spec_len);
  75   enc->header_len = spec_len;
  76
  77   crypto_rand((char*)enc->iv, sizeof(enc->iv));
  78
  79   pwbox_encoded_setlen_data(enc, encrypted_len);
  80   encrypted_portion = pwbox_encoded_getarray_data(enc);
  81
  82   set_uint32(encrypted_portion, tor_htonl((uint32_t)input_len));
  83   memcpy(encrypted_portion+4, input, input_len);
  84
  85   /* Now that all the data is in position, derive some keys, encrypt, and
  86    * digest */
  87   const int s2k_rv = secret_to_key_derivekey(keys, sizeof(keys),
  88                               pwbox_encoded_getarray_skey_header(enc),
  89                               spec_len,
  90                               secret, secret_len);
  91   if (BUG(s2k_rv < 0))
  92     goto err;
  93
  94   cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
  95   crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
  96   crypto_cipher_free(cipher);
  97
  98   result_len = pwbox_encoded_encoded_len(enc);
  99   if (BUG(result_len < 0))
 100     goto err;
 101   result = tor_malloc(result_len);
 102   enc_len = pwbox_encoded_encode(result, result_len, enc);
 103   if (BUG(enc_len < 0))
 104     goto err;
 105   tor_assert(enc_len == result_len);
 106
 107   crypto_hmac_sha256((char*) result + result_len - 32,
 108                      (const char*)keys + CIPHER_KEY_LEN,
 109                      DIGEST256_LEN,
 110                      (const char*)result,
 111                      result_len - 32);
 112
 113   *out = result;
 114   *outlen_out = result_len;
 115   rv = 0;
 116   goto out;
 117
 118   /* LCOV_EXCL_START
 119
 120      This error case is often unreachable if we're correctly coded, unless
 121      somebody adds a new error case somewhere, or unless you're building
 122      without scrypto support.
 123
 124        - make_specifier can't fail, unless S2K_MAX_LEN is too short.
 125        - secret_to_key_derivekey can't really fail unless we're missing
 126          scrypt, or the underlying function fails, or we pass it a bogus
 127          algorithm or parameters.
 128        - pwbox_encoded_encoded_len can't fail unless we're using trunnel
 129          incorrectly.
 130        - pwbox_encoded_encode can't fail unless we're using trunnel wrong,
 131          or it's buggy.
 132    */
 133  err:
 134   tor_free(result);
 135   rv = -1;
 136   /* LCOV_EXCL_STOP */
 137  out:
 138   pwbox_encoded_free(enc);
 139   memwipe(keys, 0, sizeof(keys));
 140   return rv;
 141 }
 142
 143 /**
 144  * Try to decrypt the passphrase-encrypted blob of <b>input_len</b> bytes in
 145  * <b>input</b> using the passphrase <b>secret</b> of <b>secret_len</b> bytes.
 146  * On success, return 0 and allocate a new chunk of memory to hold the
 147  * decrypted data, and store a pointer to that memory in *<b>out</b>, and its
 148  * size in <b>outlen_out</b>.  On failure, return UNPWBOX_BAD_SECRET if
 149  * the passphrase might have been wrong, and UNPWBOX_CORRUPT if the object is
 150  * definitely corrupt.
 151  */
 152 int
 153 crypto_unpwbox(uint8_t **out, size_t *outlen_out,
 154                const uint8_t *inp, size_t input_len,
 155                const char *secret, size_t secret_len)
 156 {
 157   uint8_t *result = NULL;
 158   const uint8_t *encrypted;
 159   uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
 160   uint8_t hmac[DIGEST256_LEN];
 161   uint32_t result_len;
 162   size_t encrypted_len;
 163   crypto_cipher_t *cipher = NULL;
 164   int rv = UNPWBOX_CORRUPTED;
 165   ssize_t got_len;
 166
 167   pwbox_encoded_t *enc = NULL;
 168
 169   got_len = pwbox_encoded_parse(&enc, inp, input_len);
 170   if (got_len < 0 || (size_t)got_len != input_len)
 171     goto err;
 172
 173   /* Now derive the keys and check the hmac. */
 174   if (secret_to_key_derivekey(keys, sizeof(keys),
 175                               pwbox_encoded_getarray_skey_header(enc),
 176                               pwbox_encoded_getlen_skey_header(enc),
 177                               secret, secret_len) < 0)
 178     goto err;
 179
 180   crypto_hmac_sha256((char *)hmac,
 181                      (const char*)keys + CIPHER_KEY_LEN, DIGEST256_LEN,
 182                      (const char*)inp, input_len - DIGEST256_LEN);
 183
 184   if (tor_memneq(hmac, enc->hmac, DIGEST256_LEN)) {
 185     rv = UNPWBOX_BAD_SECRET;
 186     goto err;
 187   }
 188
 189   /* How long is the plaintext? */
 190   encrypted = pwbox_encoded_getarray_data(enc);
 191   encrypted_len = pwbox_encoded_getlen_data(enc);
 192   if (encrypted_len < 4)
 193     goto err;
 194
 195   cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
 196   crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
 197   result_len = tor_ntohl(result_len);
 198   if (encrypted_len < result_len + 4)
 199     goto err;
 200
 201   /* Allocate a buffer and decrypt */
 202   result = tor_malloc_zero(result_len);
 203   crypto_cipher_decrypt(cipher, (char*)result, (char*)encrypted+4, result_len);
 204
 205   *out = result;
 206   *outlen_out = result_len;
 207
 208   rv = UNPWBOX_OKAY;
 209   goto out;
 210
 211  err:
 212   tor_free(result);
 213
 214  out:
 215   crypto_cipher_free(cipher);
 216   pwbox_encoded_free(enc);
 217   memwipe(keys, 0, sizeof(keys));
 218   return rv;
 219 }