X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=blobdiff_plain;f=crypt.c;h=6f7e611d0364035560819f7659bbb71d62d4f1b1;hp=49e9e8ae7863fed3f40881a356957f115bf31769;hb=6c23fdee5292a8bf55dc963cfc3d0711b0f7424b;hpb=9609fd30e0d3db45ede3ab5c6bc3a77c15b6aef8 diff --git a/crypt.c b/crypt.c index 49e9e8ae..6f7e611d 100644 --- a/crypt.c +++ b/crypt.c @@ -1,24 +1,31 @@ /* - * Copyright (C) 2005-2009 Andre Noll + * Copyright (C) 2005-2011 Andre Noll * * Licensed under the GPL v2. For licencing details see COPYING. */ -/** \file crypt.c openssl-based RSA encryption/decryption routines */ +/** \file crypt.c Openssl-based encryption/decryption routines. */ #include -#include #include #include #include #include #include +#include +#include +#include #include "para.h" #include "error.h" #include "string.h" #include "crypt.h" #include "fd.h" + +struct asymmetric_key { + RSA *rsa; +}; + /** * Fill a buffer with random content. * @@ -101,18 +108,7 @@ static EVP_PKEY *load_key(const char *file, int private) return pkey; } -/** - * read an RSA key from a file - * - * \param key_file the file containing the key - * \param rsa RSA structure is returned here - * \param private if non-zero, read the private key, otherwise the public key - * - * \return The size of the RSA key on success, negative on errors. - * - * \sa openssl(1), rsa(1). - */ -int get_rsa_key(char *key_file, RSA **rsa, int private) +static int get_openssl_key(const char *key_file, RSA **rsa, int private) { EVP_PKEY *key = load_key(key_file, private); @@ -126,26 +122,358 @@ int get_rsa_key(char *key_file, RSA **rsa, int private) return RSA_size(*rsa); } +#define KEY_TYPE_TXT "ssh-rsa" + +/* check if it is an ssh rsa key */ +static size_t is_ssh_rsa_key(char *data, size_t size) +{ + char *cp; + + if (size < strlen(KEY_TYPE_TXT) + 2) + return 0; + cp = memchr(data, ' ', size); + if (cp == NULL) + return 0; + if (strncmp(KEY_TYPE_TXT, data, strlen(KEY_TYPE_TXT))) + return 0; + cp++; + if (cp >= data + size) + return 0; + if (*cp == '\0') + return 0; + return cp - data; +} + +/* + * This base64/uudecode stuff below is taken from openssh-5.2p1, Copyright (c) + * 1996 by Internet Software Consortium. Portions Copyright (c) 1995 by + * International Business Machines, Inc. + */ + +static const char Base64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static const char Pad64 = '='; +/* + * Skips all whitespace anywhere. Converts characters, four at a time, starting + * at (or after) src from base - 64 numbers into three 8 bit bytes in the + * target area. it returns the number of data bytes stored at the target, or -1 + * on error. + */ +static int base64_decode(char const *src, unsigned char *target, size_t targsize) +{ + unsigned int tarindex, state; + int ch; + char *pos; + + state = 0; + tarindex = 0; + + while ((ch = *src++) != '\0') { + if (para_isspace(ch)) /* Skip whitespace anywhere. */ + continue; + + if (ch == Pad64) + break; + + pos = strchr(Base64, ch); + if (pos == 0) /* A non-base64 character. */ + return -1; + + switch (state) { + case 0: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] = (pos - Base64) << 2; + } + state = 1; + break; + case 1: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 4; + target[tarindex+1] = ((pos - Base64) & 0x0f) + << 4 ; + } + tarindex++; + state = 2; + break; + case 2: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 2; + target[tarindex+1] = ((pos - Base64) & 0x03) + << 6; + } + tarindex++; + state = 3; + break; + case 3: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] |= (pos - Base64); + } + tarindex++; + state = 0; + break; + } + } + + /* + * We are done decoding Base-64 chars. Let's see if we ended + * on a byte boundary, and/or with erroneous trailing characters. + */ + + if (ch == Pad64) { /* We got a pad char. */ + ch = *src++; /* Skip it, get next. */ + switch (state) { + case 0: /* Invalid = in first position */ + case 1: /* Invalid = in second position */ + return (-1); + + case 2: /* Valid, means one byte of info */ + /* Skip any number of spaces. */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + break; + /* Make sure there is another trailing = sign. */ + if (ch != Pad64) + return (-1); + ch = *src++; /* Skip the = */ + /* Fall through to "single trailing =" case. */ + /* FALLTHROUGH */ + + case 3: /* Valid, means two bytes of info */ + /* + * We know this char is an =. Is there anything but + * whitespace after it? + */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + return (-1); + + /* + * Now make sure for cases 2 and 3 that the "extra" + * bits that slopped past the last full byte were + * zeros. If we don't check them, they become a + * subliminal channel. + */ + if (target && target[tarindex] != 0) + return (-1); + } + } else { + /* + * We ended by seeing the end of the string. Make sure we + * have no partial bytes lying around. + */ + if (state != 0) + return (-1); + } + + return (tarindex); +} + +static int uudecode(const char *src, unsigned char *target, size_t targsize) +{ + int len; + char *encoded, *p; + + /* copy the 'readonly' source */ + encoded = para_strdup(src); + /* skip whitespace and data */ + for (p = encoded; *p == ' ' || *p == '\t'; p++) + ; + for (; *p != '\0' && *p != ' ' && *p != '\t'; p++) + ; + /* and remove trailing whitespace because base64_decode needs this */ + *p = '\0'; + len = base64_decode(encoded, target, targsize); + free(encoded); + return len >= 0? len : -E_BASE64; +} + +/* + * The public key loading functions below were inspired by corresponding code + * of openssh-5.2p1, Copyright (c) 1995 Tatu Ylonen , Espoo, + * Finland. However, not much of the original code remains. + */ + + +/* + * Can not use the inline functions of portable_io.h here because the byte + * order is different. + */ +static uint32_t read_ssh_u32(const void *vp) +{ + const unsigned char *p = (const unsigned char *)vp; + uint32_t v; + + v = (uint32_t)p[0] << 24; + v |= (uint32_t)p[1] << 16; + v |= (uint32_t)p[2] << 8; + v |= (uint32_t)p[3]; + + return v; +} + +static int read_bignum(const unsigned char *buf, size_t len, BIGNUM **result) +{ + const unsigned char *p = buf, *end = buf + len; + uint32_t bnsize; + BIGNUM *bn; + + if (p + 4 < p) + return -E_BIGNUM; + if (p + 4 > end) + return -E_BIGNUM; + bnsize = read_ssh_u32(p); + PARA_DEBUG_LOG("bnsize: %u\n", bnsize); + p += 4; + if (p + bnsize < p) + return -E_BIGNUM; + if (p + bnsize > end) + return -E_BIGNUM; + if (bnsize > 8192) + return -E_BIGNUM; + bn = BN_bin2bn(p, bnsize, NULL); + if (!bn) + return -E_BIGNUM; + *result = bn; + return bnsize + 4; +} + +static int read_rsa_bignums(const unsigned char *blob, int blen, RSA **result) +{ + int ret; + RSA *rsa; + const unsigned char *p = blob, *end = blob + blen; + uint32_t rlen; + + *result = NULL; + if (p + 4 > end) + return -E_BIGNUM; + rlen = read_ssh_u32(p); + p += 4; + if (p + rlen < p) + return -E_BIGNUM; + if (p + rlen > end) + return -E_BIGNUM; + if (rlen < strlen(KEY_TYPE_TXT)) + return -E_BIGNUM; + PARA_DEBUG_LOG("type: %s, rlen: %d\n", p, rlen); + if (strncmp((char *)p, KEY_TYPE_TXT, strlen(KEY_TYPE_TXT))) + return -E_BIGNUM; + p += rlen; + + rsa = RSA_new(); + if (!rsa) + return -E_BIGNUM; + ret = read_bignum(p, end - p, &rsa->e); + if (ret < 0) + goto fail; + p += ret; + ret = read_bignum(p, end - p, &rsa->n); + if (ret < 0) + goto fail; + *result = rsa; + return 1; +fail: + if (rsa) + RSA_free(rsa); + return ret; +} + /** - * free an RSA structure + * Read an asymmetric key from a file. + * + * \param key_file The file containing the key. + * \param private if non-zero, read the private key, otherwise the public key. + * \param result The key structure is returned here. * - * \param rsa pointer to the RSA struct to free + * \return The size of the key on success, negative on errors. * - * This must be called for any key obtained by get_rsa_key(). + * \sa openssl(1), rsa(1). */ -void rsa_free(RSA *rsa) +int get_asymmetric_key(const char *key_file, int private, + struct asymmetric_key **result) { - if (rsa) - RSA_free(rsa); + struct asymmetric_key *key = NULL; + void *map = NULL; + unsigned char *blob = NULL; + size_t map_size, blob_size; + int ret, ret2; + char *cp; + + key = para_malloc(sizeof(*key)); + if (private) { + ret = get_openssl_key(key_file, &key->rsa, LOAD_PRIVATE_KEY); + goto out; + } + ret = mmap_full_file(key_file, O_RDONLY, &map, &map_size, NULL); + if (ret < 0) + goto out; + ret = is_ssh_rsa_key(map, map_size); + if (!ret) { + ret = para_munmap(map, map_size); + map = NULL; + if (ret < 0) + goto out; + ret = get_openssl_key(key_file, &key->rsa, LOAD_PUBLIC_KEY); + goto out; + } + cp = map + ret; + PARA_INFO_LOG("decoding public rsa-ssh key %s\n", key_file); + ret = -ERRNO_TO_PARA_ERROR(EOVERFLOW); + if (map_size > INT_MAX / 4) + goto out; + blob_size = 2 * map_size; + blob = para_malloc(blob_size); + ret = uudecode(cp, blob, blob_size); + if (ret < 0) + goto out; + ret = read_rsa_bignums(blob, ret, &key->rsa); + if (ret < 0) + goto out; + ret = RSA_size(key->rsa); +out: + ret2 = para_munmap(map, map_size); + if (ret >= 0 && ret2 < 0) + ret = ret2; + if (ret < 0) { + free(key); + result = NULL; + PARA_ERROR_LOG("key %s: %s\n", key_file, para_strerror(-ret)); + } else + *result = key; + free(blob); + return ret; +} + +/** + * Deallocate an asymmetric key structure. + * + * \param key Pointer to the key structure to free. + * + * This must be called for any key obtained by get_asymmetric_key(). + */ +void free_asymmetric_key(struct asymmetric_key *key) +{ + if (!key) + return; + RSA_free(key->rsa); + free(key); } /** - * decrypt a buffer using an RSA key + * Decrypt a buffer using a private key. * - * \param key_file full path of the rsa key - * \param outbuf the output buffer - * \param inbuf the encrypted input buffer - * \param rsa_inlen the length of \a inbuf + * \param key_file Full path of the key. + * \param outbuf The output buffer. + * \param inbuf The encrypted input buffer. + * \param inlen The length of \a inbuf in bytes. * * The \a outbuf must be large enough to hold at least \a rsa_inlen bytes. * @@ -153,15 +481,15 @@ void rsa_free(RSA *rsa) * * \sa RSA_private_decrypt(3) **/ -int para_decrypt_buffer(char *key_file, unsigned char *outbuf, unsigned char *inbuf, - unsigned rsa_inlen) +int priv_decrypt(const char *key_file, unsigned char *outbuf, + unsigned char *inbuf, int inlen) { - RSA *rsa; - int ret, inlen = rsa_inlen; + struct asymmetric_key *priv; + int ret; if (inlen < 0) return -E_RSA; - ret = get_rsa_key(key_file, &rsa, LOAD_PRIVATE_KEY); + ret = get_asymmetric_key(key_file, LOAD_PRIVATE_KEY, &priv); if (ret < 0) return ret; /* @@ -169,44 +497,82 @@ int para_decrypt_buffer(char *key_file, unsigned char *outbuf, unsigned char *in * factor to protect against this kind of attack. */ ret = -E_BLINDING; - if (RSA_blinding_on(rsa, NULL) == 0) + if (RSA_blinding_on(priv->rsa, NULL) == 0) goto out; - ret = RSA_private_decrypt(inlen, inbuf, outbuf, rsa, RSA_PKCS1_OAEP_PADDING); - RSA_blinding_off(rsa); + ret = RSA_private_decrypt(inlen, inbuf, outbuf, priv->rsa, + RSA_PKCS1_OAEP_PADDING); + RSA_blinding_off(priv->rsa); if (ret <= 0) ret = -E_DECRYPT; out: - rsa_free(rsa); + free_asymmetric_key(priv); return ret; } /** - * encrypt a buffer using an RSA key + * Encrypt a buffer using an RSA key * - * \param rsa: public rsa key - * \param inbuf the input buffer - * \param len the length of \a inbuf - * \param outbuf the output buffer + * \param pub: The public key. + * \param inbuf The input buffer. + * \param len The length of \a inbuf. + * \param outbuf The output buffer. * - * \return The size of the encrypted data on success, negative on errors + * \return The size of the encrypted data on success, negative on errors. * * \sa RSA_public_encrypt(3) */ -int para_encrypt_buffer(RSA *rsa, unsigned char *inbuf, +int pub_encrypt(struct asymmetric_key *pub, unsigned char *inbuf, unsigned len, unsigned char *outbuf) { int ret, flen = len; /* RSA_public_encrypt expects a signed int */ if (flen < 0) return -E_ENCRYPT; - ret = RSA_public_encrypt(flen, inbuf, outbuf, rsa, RSA_PKCS1_OAEP_PADDING); + ret = RSA_public_encrypt(flen, inbuf, outbuf, pub->rsa, + RSA_PKCS1_OAEP_PADDING); return ret < 0? -E_ENCRYPT : ret; } +struct stream_cipher { + RC4_KEY key; +}; + +/** + * Allocate and initialize a stream cipher structure. + * + * \param data The key. + * \param len The size of the key. + * + * \return A new stream cipher structure. + */ +struct stream_cipher *sc_new(const unsigned char *data, int len) +{ + struct stream_cipher *sc = para_malloc(sizeof(*sc)); + RC4_set_key(&sc->key, len, data); + return sc; +} + +/** + * Deallocate a stream cipher structure. + * + * \param sc A stream cipher previously obtained by sc_new(). + */ +void sc_free(struct stream_cipher *sc) +{ + free(sc); +} + +/** + * The RC4() implementation of openssl apparently reads and writes data in + * blocks of 8 bytes. So we have to make sure our buffer sizes are a multiple + * of this. + */ +#define RC4_ALIGN 8 + /** * Encrypt and send a buffer. * - * \param rc4c The rc4 crypt context. + * \param scc The context. * \param buf The buffer to send. * \param len The size of \a buf in bytes. * @@ -214,15 +580,22 @@ int para_encrypt_buffer(RSA *rsa, unsigned char *inbuf, * * \sa \ref write_all(), RC4(3). */ -int rc4_send_bin_buffer(struct rc4_context *rc4c, const char *buf, size_t len) +int sc_send_bin_buffer(struct stream_cipher_context *scc, const char *buf, + size_t len) { int ret; unsigned char *tmp; + static unsigned char remainder[RC4_ALIGN]; + size_t l1 = ROUND_DOWN(len, RC4_ALIGN), l2 = ROUND_UP(len, RC4_ALIGN); assert(len); - tmp = para_malloc(len); - RC4(&rc4c->send_key, len, (const unsigned char *)buf, tmp); - ret = write_all(rc4c->fd, (char *)tmp, &len); + tmp = para_malloc(l2); + RC4(&scc->send->key, l1, (const unsigned char *)buf, tmp); + if (len > l1) { + memcpy(remainder, buf + l1, len - l1); + RC4(&scc->send->key, len - l1, remainder, tmp + l1); + } + ret = write_all(scc->fd, (char *)tmp, &len); free(tmp); return ret; } @@ -230,31 +603,32 @@ int rc4_send_bin_buffer(struct rc4_context *rc4c, const char *buf, size_t len) /** * Encrypt and send a \p NULL-terminated buffer. * - * \param rc4c The rc4 crypt context. + * \param scc The context. * \param buf The buffer to send. * - * \return The return value of the underyling call to rc4_send_bin_buffer(). + * \return The return value of the underyling call to sc_send_bin_buffer(). */ -int rc4_send_buffer(struct rc4_context *rc4c, const char *buf) +int sc_send_buffer(struct stream_cipher_context *scc, const char *buf) { - return rc4_send_bin_buffer(rc4c, buf, strlen(buf)); + return sc_send_bin_buffer(scc, buf, strlen(buf)); } /** * Format, encrypt and send a buffer. * - * \param rc4c The rc4 crypt context. + * \param scc The context. * \param fmt A format string. * - * \return The return value of the underyling call to rc4_send_buffer(). + * \return The return value of the underyling call to sc_send_buffer(). */ -__printf_2_3 int rc4_send_va_buffer(struct rc4_context *rc4c, const char *fmt, ...) +__printf_2_3 int sc_send_va_buffer(struct stream_cipher_context *scc, + const char *fmt, ...) { char *msg; int ret; PARA_VSPRINTF(fmt, msg); - ret = rc4_send_buffer(rc4c, msg); + ret = sc_send_buffer(scc, msg); free(msg); return ret; } @@ -262,7 +636,7 @@ __printf_2_3 int rc4_send_va_buffer(struct rc4_context *rc4c, const char *fmt, . /** * Receive a buffer and decrypt it. * - * \param rc4c The rc4 crypt context. + * \param scc The context. * \param buf The buffer to write the decrypted data to. * \param size The size of \a buf. * @@ -271,13 +645,14 @@ __printf_2_3 int rc4_send_va_buffer(struct rc4_context *rc4c, const char *fmt, . * * \sa recv(2), RC4(3). */ -int rc4_recv_bin_buffer(struct rc4_context *rc4c, char *buf, size_t size) +int sc_recv_bin_buffer(struct stream_cipher_context *scc, char *buf, + size_t size) { unsigned char *tmp = para_malloc(size); - ssize_t ret = recv(rc4c->fd, tmp, size, 0); + ssize_t ret = recv(scc->fd, tmp, size, 0); if (ret > 0) - RC4(&rc4c->recv_key, ret, tmp, (unsigned char *)buf); + RC4(&scc->recv->key, ret, tmp, (unsigned char *)buf); else if (ret < 0) ret = -ERRNO_TO_PARA_ERROR(errno); free(tmp); @@ -287,26 +662,44 @@ int rc4_recv_bin_buffer(struct rc4_context *rc4c, char *buf, size_t size) /** * Receive a buffer, decrypt it and write terminating NULL byte. * - * \param rc4c The rc4 crypt context. + * \param scc The context. * \param buf The buffer to write the decrypted data to. * \param size The size of \a buf. * - * Read at most \a size - 1 bytes from file descriptor given by \a rc4c, - * decrypt the received data and write a NULL byte at the end of the decrypted - * data. + * Read at most \a size - 1 bytes from file descriptor given by \a scc, decrypt + * the received data and write a NULL byte at the end of the decrypted data. * * \return The return value of the underlying call to \ref - * rc4_recv_bin_buffer(). + * sc_recv_bin_buffer(). */ -int rc4_recv_buffer(struct rc4_context *rc4c, char *buf, size_t size) +int sc_recv_buffer(struct stream_cipher_context *scc, char *buf, size_t size) { int n; assert(size); - n = rc4_recv_bin_buffer(rc4c, buf, size - 1); + n = sc_recv_bin_buffer(scc, buf, size - 1); if (n >= 0) buf[n] = '\0'; else *buf = '\0'; return n; } + +/** + * Compute the hash of the given input data. + * + * \param data Pointer to the data to compute the hash value from. + * \param len The length of \a data in bytes. + * \param hash Result pointer. + * + * \a hash must point to an area at least \p HASH_SIZE bytes large. + * + * \sa sha(3), openssl(1). + * */ +void hash_function(const char *data, unsigned long len, unsigned char *hash) +{ + SHA_CTX c; + SHA1_Init(&c); + SHA1_Update(&c, data, len); + SHA1_Final(hash, &c); +}