tor-auto/doxygen/crypto__pwbox_8c_source.html

 /* Copyright (c) 2014-2021, The Tor Project, Inc. */

 /* See LICENSE for licensing information */


 /**

  * \file crypto_pwbox.c

  *

  * \brief Code for encrypting secrets in a password-protected form and saving

  * them to disk.

  */


 #include <string.h>


 #include "lib/arch/bytes.h"

 #include "lib/crypt_ops/crypto_cipher.h"

 #include "lib/crypt_ops/crypto_digest.h"

 #include "lib/crypt_ops/crypto_pwbox.h"

 #include "lib/crypt_ops/crypto_rand.h"

 #include "lib/crypt_ops/crypto_s2k.h"

 #include "lib/crypt_ops/crypto_util.h"

 #include "lib/ctime/di_ops.h"

 #include "lib/intmath/muldiv.h"

 #include "trunnel/pwbox.h"

 #include "lib/log/util_bug.h"


 /* 8 bytes "TORBOX00"

    1 byte: header len (H)

    H bytes: header, denoting secret key algorithm.

    16 bytes: IV

    Round up to multiple of 128 bytes, then encrypt:

       4 bytes: data len

       data

       zeros

    32 bytes: HMAC-SHA256 of all previous bytes.

 */


 #define MAX_OVERHEAD (S2K_MAXLEN + 8 + 1 + 32 + CIPHER_IV_LEN)


 /**

  * Make an authenticated passphrase-encrypted blob to encode the

  * <b>input_len</b> bytes in <b>input</b> using the passphrase

  * <b>secret</b> of <b>secret_len</b> bytes.  Allocate a new chunk of memory

  * to hold the encrypted data, and store a pointer to that memory in

  * *<b>out</b>, and its size in <b>outlen_out</b>.  Use <b>s2k_flags</b> as an

  * argument to the passphrase-hashing function.

  */

 int

 crypto_pwbox(uint8_t **out, size_t *outlen_out,

              const uint8_t *input, size_t input_len,

              const char *secret, size_t secret_len,

              unsigned s2k_flags)

 {

   uint8_t *result = NULL, *encrypted_portion;

   size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);

   ssize_t result_len;

   int spec_len;

   uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];

   pwbox_encoded_t *enc = NULL;

   ssize_t enc_len;


   crypto_cipher_t *cipher;

   int rv;


   enc = pwbox_encoded_new();

   tor_assert(enc);


   pwbox_encoded_setlen_skey_header(enc, S2K_MAXLEN);


   spec_len = secret_to_key_make_specifier(

                                       pwbox_encoded_getarray_skey_header(enc),

                                       S2K_MAXLEN,

                                       s2k_flags);

   if (BUG(spec_len < 0 || spec_len > S2K_MAXLEN))

     goto err;

   pwbox_encoded_setlen_skey_header(enc, spec_len);

   enc->header_len = spec_len;


   crypto_rand((char*)enc->iv, sizeof(enc->iv));


   pwbox_encoded_setlen_data(enc, encrypted_len);

   encrypted_portion = pwbox_encoded_getarray_data(enc);


   set_uint32(encrypted_portion, tor_htonl((uint32_t)input_len));

   memcpy(encrypted_portion+4, input, input_len);


   /* Now that all the data is in position, derive some keys, encrypt, and

    * digest */

   const int s2k_rv = secret_to_key_derivekey(keys, sizeof(keys),

                               pwbox_encoded_getarray_skey_header(enc),

                               spec_len,

                               secret, secret_len);

   if (BUG(s2k_rv < 0))

     goto err;


   cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);

   crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);

   crypto_cipher_free(cipher);


   result_len = pwbox_encoded_encoded_len(enc);

   if (BUG(result_len < 0))

     goto err;

   result = tor_malloc(result_len);

   enc_len = pwbox_encoded_encode(result, result_len, enc);

   if (BUG(enc_len < 0))

     goto err;

   tor_assert(enc_len == result_len);


   crypto_hmac_sha256((char*) result + result_len - 32,

                      (const char*)keys + CIPHER_KEY_LEN,

                      DIGEST256_LEN,

                      (const char*)result,

                      result_len - 32);


   *out = result;

   *outlen_out = result_len;

   rv = 0;

   goto out;


   /* LCOV_EXCL_START


      This error case is often unreachable if we're correctly coded, unless

      somebody adds a new error case somewhere, or unless you're building

      without scrypto support.


        - make_specifier can't fail, unless S2K_MAX_LEN is too short.

        - secret_to_key_derivekey can't really fail unless we're missing

          scrypt, or the underlying function fails, or we pass it a bogus

          algorithm or parameters.

        - pwbox_encoded_encoded_len can't fail unless we're using trunnel

          incorrectly.

        - pwbox_encoded_encode can't fail unless we're using trunnel wrong,

          or it's buggy.

    */

  err:

   tor_free(result);

   rv = -1;

   /* LCOV_EXCL_STOP */

  out:

   pwbox_encoded_free(enc);

   memwipe(keys, 0, sizeof(keys));

   return rv;

 }


 /**

  * Try to decrypt the passphrase-encrypted blob of <b>input_len</b> bytes in

  * <b>input</b> using the passphrase <b>secret</b> of <b>secret_len</b> bytes.

  * On success, return 0 and allocate a new chunk of memory to hold the

  * decrypted data, and store a pointer to that memory in *<b>out</b>, and its

  * size in <b>outlen_out</b>.  On failure, return UNPWBOX_BAD_SECRET if

  * the passphrase might have been wrong, and UNPWBOX_CORRUPT if the object is

  * definitely corrupt.

  */

 int

 crypto_unpwbox(uint8_t **out, size_t *outlen_out,

                const uint8_t *inp, size_t input_len,

                const char *secret, size_t secret_len)

 {

   uint8_t *result = NULL;

   const uint8_t *encrypted;

   uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];

   uint8_t hmac[DIGEST256_LEN];

   uint32_t result_len;

   size_t encrypted_len;

   crypto_cipher_t *cipher = NULL;

   int rv = UNPWBOX_CORRUPTED;

   ssize_t got_len;


   pwbox_encoded_t *enc = NULL;


   got_len = pwbox_encoded_parse(&enc, inp, input_len);

   if (got_len < 0 || (size_t)got_len != input_len)

     goto err;


   /* Now derive the keys and check the hmac. */

   if (secret_to_key_derivekey(keys, sizeof(keys),

                               pwbox_encoded_getarray_skey_header(enc),

                               pwbox_encoded_getlen_skey_header(enc),

                               secret, secret_len) < 0)

     goto err;


   crypto_hmac_sha256((char *)hmac,

                      (const char*)keys + CIPHER_KEY_LEN, DIGEST256_LEN,

                      (const char*)inp, input_len - DIGEST256_LEN);


   if (tor_memneq(hmac, enc->hmac, DIGEST256_LEN)) {

     rv = UNPWBOX_BAD_SECRET;

     goto err;

   }


   /* How long is the plaintext? */

   encrypted = pwbox_encoded_getarray_data(enc);

   encrypted_len = pwbox_encoded_getlen_data(enc);

   if (encrypted_len < 4)

     goto err;


   cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);

   crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);

   result_len = tor_ntohl(result_len);

   if (encrypted_len < result_len + 4)

     goto err;


   /* Allocate a buffer and decrypt */

   result = tor_malloc_zero(result_len);

   crypto_cipher_decrypt(cipher, (char*)result, (char*)encrypted+4, result_len);


   *out = result;

   *outlen_out = result_len;


   rv = UNPWBOX_OKAY;

   goto out;


  err:

   tor_free(result);


  out:

   crypto_cipher_free(cipher);

   pwbox_encoded_free(enc);

   memwipe(keys, 0, sizeof(keys));

   return rv;

 }

bytes.h
Inline functions for reading and writing multibyte values from the middle of strings,...

tor_htonl
static uint32_t tor_htonl(uint32_t a)
Definition: bytes.h:163

tor_ntohl
static uint32_t tor_ntohl(uint32_t a)
Definition: bytes.h:177

set_uint32
static void set_uint32(void *cp, uint32_t v)
Definition: bytes.h:87

crypto_cipher_crypt_inplace
void crypto_cipher_crypt_inplace(crypto_cipher_t *env, char *buf, size_t len)
Definition: crypto_cipher.c:125

crypto_cipher_decrypt
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:108

crypto_cipher_new_with_iv
crypto_cipher_t * crypto_cipher_new_with_iv(const char *key, const char *iv)
Definition: crypto_cipher.c:44

crypto_cipher.h
Headers for crypto_cipher.c.

CIPHER_KEY_LEN
#define CIPHER_KEY_LEN
Definition: crypto_cipher.h:22

crypto_digest.h
Headers for crypto_digest.c.

crypto_hmac_sha256
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
Definition: crypto_digest_nss.c:508

crypto_pwbox
int crypto_pwbox(uint8_t **out, size_t *outlen_out, const uint8_t *input, size_t input_len, const char *secret, size_t secret_len, unsigned s2k_flags)
Definition: crypto_pwbox.c:47

crypto_unpwbox
int crypto_unpwbox(uint8_t **out, size_t *outlen_out, const uint8_t *inp, size_t input_len, const char *secret, size_t secret_len)
Definition: crypto_pwbox.c:153

crypto_pwbox.h
Header for crypto_pwbox.c.

crypto_rand
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:477

crypto_rand.h
Common functions for using (pseudo-)random number generators.

secret_to_key_derivekey
int secret_to_key_derivekey(uint8_t *key_out, size_t key_out_len, const uint8_t *spec, size_t spec_len, const char *secret, size_t secret_len)
Definition: crypto_s2k.c:370

secret_to_key_make_specifier
int secret_to_key_make_specifier(uint8_t *buf, size_t buf_len, unsigned flags)
Definition: crypto_s2k.c:405

crypto_s2k.h
Header for crypto_s2k.c.

S2K_MAXLEN
#define S2K_MAXLEN
Definition: crypto_s2k.h:36

memwipe
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55

crypto_util.h
Common functions for cryptographic routines.

di_ops.h
Headers for di_ops.c.

tor_memneq
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21

DIGEST256_LEN
#define DIGEST256_LEN
Definition: digest_sizes.h:23

tor_free
#define tor_free(p)
Definition: malloc.h:52

muldiv.h
Header for muldiv.c.

util_bug.h
Macros to manage assertions, fatal and non-fatal.

tor_assert
#define tor_assert(expr)
Definition: util_bug.h:102