X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=blobdiff_plain;f=crypt.c;h=8116fb6eeacdbeaa0f1f22d14cfcc3726ee3bbbf;hp=cf1cabecbad80cdca6d69cf2bbc2165427a84ed8;hb=dda88dcb390a44e1f1f68f6248ed513c75dce4bf;hpb=3580fe47cc87b25aa0497eb54387e1165ba17407 diff --git a/crypt.c b/crypt.c index cf1cabec..8116fb6e 100644 --- a/crypt.c +++ b/crypt.c @@ -1,33 +1,76 @@ /* - * Copyright (C) 2005-2006 Andre Noll + * Copyright (C) 2005 Andre Noll * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. + * Licensed under the GPL v2. For licencing details see COPYING. */ -/** \file crypt.c openssl-based RSA encryption/decryption routines */ +/** \file crypt.c Openssl-based encryption/decryption routines. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include #include "para.h" #include "error.h" #include "string.h" #include "crypt.h" +#include "fd.h" +#include "crypt_backend.h" +#include "base64.h" + +struct asymmetric_key { + RSA *rsa; +}; + +void get_random_bytes_or_die(unsigned char *buf, int num) +{ + unsigned long err; + + /* RAND_bytes() returns 1 on success, 0 otherwise. */ + if (RAND_bytes(buf, num) == 1) + return; + err = ERR_get_error(); + PARA_EMERG_LOG("%s\n", ERR_reason_error_string(err)); + exit(EXIT_FAILURE); +} + +/* + * Read 64 bytes from /dev/urandom and adds them to the SSL PRNG. Seed the PRNG + * used by random() with a random seed obtained from SSL. If /dev/random is not + * readable the function calls exit(). + * + * \sa RAND_load_file(3), \ref get_random_bytes_or_die(), srandom(3), + * random(3), \ref para_random(). + */ +void init_random_seed_or_die(void) +{ + int seed, ret = RAND_load_file("/dev/urandom", 64); + + if (ret != 64) { + PARA_EMERG_LOG("could not seed PRNG (ret = %d)\n", ret); + exit(EXIT_FAILURE); + } + get_random_bytes_or_die((unsigned char *)&seed, sizeof(seed)); + srandom(seed); +} static EVP_PKEY *load_key(const char *file, int private) { BIO *key; EVP_PKEY *pkey = NULL; + int ret = check_key_file(file, private); + if (ret < 0) { + PARA_ERROR_LOG("%s\n", para_strerror(-ret)); + return NULL; + } key = BIO_new(BIO_s_file()); if (!key) return NULL; @@ -41,13 +84,13 @@ static EVP_PKEY *load_key(const char *file, int private) return pkey; } - -int get_rsa_key(char *key_file, RSA **rsa, int private) +static int get_openssl_key(const char *key_file, RSA **rsa, int private) { EVP_PKEY *key = load_key(key_file, private); if (!key) - return (private == LOAD_PRIVATE_KEY)? -E_PRIVATE_KEY : -E_PUBLIC_KEY; + return (private == LOAD_PRIVATE_KEY)? -E_PRIVATE_KEY + : -E_PUBLIC_KEY; *rsa = EVP_PKEY_get1_RSA(key); EVP_PKEY_free(key); if (!*rsa) @@ -55,99 +98,264 @@ int get_rsa_key(char *key_file, RSA **rsa, int private) return RSA_size(*rsa); } -/** - * decrypt a buffer using an RSA key - * - * \param key_file full path of the rsa key - * \param outbuf the output buffer - * \param inbuf the encrypted input buffer - * \param rsa_inlen the length of \a inbuf - * - * The \a outbuf must be large enough to hold at least \a rsa_inlen bytes. - * - * \return The size of the recovered plaintext on success, negative on errors. - * - * \sa RSA_private_decrypt(3) - **/ -int para_decrypt_buffer(char *key_file, unsigned char *outbuf, unsigned char *inbuf, - int rsa_inlen) +/* + * The public key loading functions below were inspired by corresponding code + * of openssh-5.2p1, Copyright (c) 1995 Tatu Ylonen , Espoo, + * Finland. However, not much of the original code remains. + */ + +static int read_bignum(const unsigned char *buf, size_t len, BIGNUM **result) +{ + const unsigned char *p = buf, *end = buf + len; + uint32_t bnsize; + BIGNUM *bn; + + if (p + 4 < p) + return -E_BIGNUM; + if (p + 4 > end) + return -E_BIGNUM; + bnsize = read_ssh_u32(p); + PARA_DEBUG_LOG("bnsize: %u\n", bnsize); + p += 4; + if (p + bnsize < p) + return -E_BIGNUM; + if (p + bnsize > end) + return -E_BIGNUM; + if (bnsize > 8192) + return -E_BIGNUM; + bn = BN_bin2bn(p, bnsize, NULL); + if (!bn) + return -E_BIGNUM; + *result = bn; + return bnsize + 4; +} + +static int read_rsa_bignums(const unsigned char *blob, int blen, RSA **result) { + int ret; RSA *rsa; - int ret = get_rsa_key(key_file, &rsa, LOAD_PRIVATE_KEY); + BIGNUM *n, *e; + const unsigned char *p = blob, *end = blob + blen; + rsa = RSA_new(); + if (!rsa) + return -E_BIGNUM; + ret = read_bignum(p, end - p, &e); if (ret < 0) - return ret; - ret = RSA_private_decrypt(rsa_inlen, inbuf, outbuf, rsa, RSA_PKCS1_PADDING); - return (ret > 0)? ret : -E_DECRYPT; + goto fail; + p += ret; + ret = read_bignum(p, end - p, &n); + if (ret < 0) + goto fail; +#ifdef HAVE_RSA_SET0_KEY + RSA_set0_key(rsa, n, e, NULL); +#else + rsa->n = n; + rsa->e = e; +#endif + *result = rsa; + return 1; +fail: + RSA_free(rsa); + return ret; } -/** - * decrypt the challenge number sent by para_server - * - * \param key_file full path of the rsa key - * \param challenge_nr result is stored here - * \param inbuf the input buffer - * \param rsa_inlen the length of \a inbuf - * - * \return positive on success, negative on errors - * - * \sa para_decrypt_buffer() - */ -int para_decrypt_challenge(char *key_file, long unsigned *challenge_nr, - unsigned char *inbuf, int rsa_inlen) +int get_asymmetric_key(const char *key_file, int private, + struct asymmetric_key **result) { - unsigned char *rsa_out = OPENSSL_malloc(rsa_inlen + 1); - int ret = para_decrypt_buffer(key_file, rsa_out, inbuf, rsa_inlen); + struct asymmetric_key *key = NULL; + void *map = NULL; + unsigned char *blob = NULL; + size_t map_size, encoded_size, decoded_size; + int ret, ret2; + char *cp; - if (ret >= 0) { - rsa_out[ret] = '\0'; - ret = sscanf((char *)rsa_out, "%lu", challenge_nr) == 1? - 1 : -E_CHALLENGE; + key = para_malloc(sizeof(*key)); + if (private) { + ret = get_openssl_key(key_file, &key->rsa, LOAD_PRIVATE_KEY); + goto out; } - OPENSSL_free(rsa_out); + ret = mmap_full_file(key_file, O_RDONLY, &map, &map_size, NULL); + if (ret < 0) + goto out; + ret = is_ssh_rsa_key(map, map_size); + if (!ret) { + ret = para_munmap(map, map_size); + map = NULL; + if (ret < 0) + goto out; + ret = get_openssl_key(key_file, &key->rsa, LOAD_PUBLIC_KEY); + goto out; + } + cp = map + ret; + encoded_size = map_size - ret; + PARA_INFO_LOG("decoding public rsa-ssh key %s\n", key_file); + ret = uudecode(cp, encoded_size, (char **)&blob, &decoded_size); + if (ret < 0) + goto out_unmap; + ret = check_ssh_key_header(blob, decoded_size); + if (ret < 0) + goto out_unmap; + ret = read_rsa_bignums(blob + ret, decoded_size - ret, &key->rsa); + if (ret < 0) + goto out_unmap; + ret = RSA_size(key->rsa); +out_unmap: + ret2 = para_munmap(map, map_size); + if (ret >= 0 && ret2 < 0) + ret = ret2; +out: + if (ret < 0) { + free(key); + *result = NULL; + PARA_ERROR_LOG("key %s: %s\n", key_file, para_strerror(-ret)); + } else + *result = key; + free(blob); return ret; } -/** - * encrypt a buffer using an RSA key - * - * \param rsa: public rsa key - * \param inbuf the input buffer - * \param len the length of \a inbuf - * \param outbuf the output buffer - * - * \return The size of the encrypted data on success, negative on errors - * - * \sa RSA_public_encrypt(3) - */ -int para_encrypt_buffer(RSA *rsa, unsigned char *inbuf, - const unsigned len, unsigned char *outbuf) +void free_asymmetric_key(struct asymmetric_key *key) +{ + if (!key) + return; + RSA_free(key->rsa); + free(key); +} + +int priv_decrypt(const char *key_file, unsigned char *outbuf, + unsigned char *inbuf, int inlen) { - int ret = RSA_public_encrypt(len, inbuf, outbuf, rsa, - RSA_PKCS1_PADDING); - return ret < 0? -E_ENCRYPT : ret; + struct asymmetric_key *priv; + int ret; + + if (inlen < 0) + return -E_RSA; + ret = get_asymmetric_key(key_file, LOAD_PRIVATE_KEY, &priv); + if (ret < 0) + return ret; + /* + * RSA is vulnerable to timing attacks. Generate a random blinding + * factor to protect against this kind of attack. + */ + ret = -E_BLINDING; + if (RSA_blinding_on(priv->rsa, NULL) == 0) + goto out; + ret = RSA_private_decrypt(inlen, inbuf, outbuf, priv->rsa, + RSA_PKCS1_OAEP_PADDING); + RSA_blinding_off(priv->rsa); + if (ret <= 0) + ret = -E_DECRYPT; +out: + free_asymmetric_key(priv); + return ret; +} + +int pub_encrypt(struct asymmetric_key *pub, unsigned char *inbuf, + unsigned len, unsigned char *outbuf) +{ + int ret, flen = len; /* RSA_public_encrypt expects a signed int */ + + if (flen < 0) + return -E_ENCRYPT; + ret = RSA_public_encrypt(flen, inbuf, outbuf, pub->rsa, + RSA_PKCS1_OAEP_PADDING); + return ret < 0? -E_ENCRYPT : ret; +} + +struct stream_cipher { + bool use_aes; + union { + RC4_KEY rc4_key; + EVP_CIPHER_CTX *aes; + } context; +}; + +struct stream_cipher *sc_new(const unsigned char *data, int len, + bool use_aes) +{ + struct stream_cipher *sc = para_malloc(sizeof(*sc)); + + sc->use_aes = use_aes; + if (!use_aes) { + RC4_set_key(&sc->context.rc4_key, len, data); + return sc; + } + assert(len >= 2 * AES_CRT128_BLOCK_SIZE); + sc->context.aes = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(sc->context.aes, EVP_aes_128_ctr(), NULL, data, + data + AES_CRT128_BLOCK_SIZE); + return sc; +} + +void sc_free(struct stream_cipher *sc) +{ + if (!sc) + return; + EVP_CIPHER_CTX_free(sc->context.aes); + free(sc); } /** - * encrypt the given challenge number - * - * \param rsa: public rsa key - * \param challenge_nr the number to be encrypted - * \param outbuf the output buffer - * - * \a outbuf must be at least 64 bytes long - * - * \return The size of the encrypted data on success, negative on errors - * - * \sa para_encrypt_buffer() - * + * The RC4() implementation of openssl apparently reads and writes data in + * blocks of 8 bytes. So we have to make sure our buffer sizes are a multiple + * of this. */ -int para_encrypt_challenge(RSA* rsa, long unsigned challenge_nr, - unsigned char *outbuf) +#define RC4_ALIGN 8 + +static void rc4_crypt(RC4_KEY *key, struct iovec *src, struct iovec *dst) { - unsigned char *inbuf = (unsigned char*) make_message("%lu", challenge_nr); - int ret = para_encrypt_buffer(rsa, inbuf, strlen((char *)inbuf), outbuf); - free(inbuf); - return ret; + size_t len = src->iov_len, l1, l2; + + assert(len > 0); + assert(len < ((typeof(src->iov_len))-1) / 2); + l1 = ROUND_DOWN(len, RC4_ALIGN); + l2 = ROUND_UP(len, RC4_ALIGN); + + *dst = (typeof(*dst)) { + /* Add one for the terminating zero byte. */ + .iov_base = para_malloc(l2 + 1), + .iov_len = len + }; + RC4(key, l1, src->iov_base, dst->iov_base); + if (len > l1) { + unsigned char remainder[RC4_ALIGN] = ""; + memcpy(remainder, src->iov_base + l1, len - l1); + RC4(key, len - l1, remainder, dst->iov_base + l1); + } + ((char *)dst->iov_base)[len] = '\0'; +} + +static void aes_ctr128_crypt(EVP_CIPHER_CTX *ctx, struct iovec *src, + struct iovec *dst) +{ + int ret, inlen = src->iov_len, outlen, tmplen; + + *dst = (typeof(*dst)) { + /* Add one for the terminating zero byte. */ + .iov_base = para_malloc(inlen + 1), + .iov_len = inlen + }; + ret = EVP_EncryptUpdate(ctx, dst->iov_base, &outlen, src->iov_base, inlen); + assert(ret != 0); + ret = EVP_EncryptFinal_ex(ctx, dst->iov_base + outlen, &tmplen); + assert(ret != 0); + outlen += tmplen; + ((char *)dst->iov_base)[outlen] = '\0'; + dst->iov_len = outlen; } +void sc_crypt(struct stream_cipher *sc, struct iovec *src, struct iovec *dst) +{ + if (sc->use_aes) + return aes_ctr128_crypt(sc->context.aes, src, dst); + return rc4_crypt(&sc->context.rc4_key, src, dst); +} + +void hash_function(const char *data, unsigned long len, unsigned char *hash) +{ + SHA_CTX c; + SHA1_Init(&c); + SHA1_Update(&c, data, len); + SHA1_Final(hash, &c); +}