archive_cryptor.c revision 358090
1/*- 2* Copyright (c) 2014 Michihiro NAKAJIMA 3* All rights reserved. 4* 5* Redistribution and use in source and binary forms, with or without 6* modification, are permitted provided that the following conditions 7* are met: 8* 1. Redistributions of source code must retain the above copyright 9* notice, this list of conditions and the following disclaimer. 10* 2. Redistributions in binary form must reproduce the above copyright 11* notice, this list of conditions and the following disclaimer in the 12* documentation and/or other materials provided with the distribution. 13* 14* THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17* IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24*/ 25 26#include "archive_platform.h" 27 28#ifdef HAVE_STRING_H 29#include <string.h> 30#endif 31#include "archive.h" 32#include "archive_cryptor_private.h" 33 34/* 35 * On systems that do not support any recognized crypto libraries, 36 * this file will normally define no usable symbols. 37 * 38 * But some compilers and linkers choke on empty object files, so 39 * define a public symbol that will always exist. This could 40 * be removed someday if this file gains another always-present 41 * symbol definition. 42 */ 43int __libarchive_cryptor_build_hack(void) { 44 return 0; 45} 46 47#ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 48 49static int 50pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 51 size_t salt_len, unsigned rounds, uint8_t *derived_key, 52 size_t derived_key_len) 53{ 54 CCKeyDerivationPBKDF(kCCPBKDF2, (const char *)pw, 55 pw_len, salt, salt_len, kCCPRFHmacAlgSHA1, rounds, 56 derived_key, derived_key_len); 57 return 0; 58} 59 60#elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 61#ifdef _MSC_VER 62#pragma comment(lib, "Bcrypt.lib") 63#endif 64 65static int 66pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 67 size_t salt_len, unsigned rounds, uint8_t *derived_key, 68 size_t derived_key_len) 69{ 70 NTSTATUS status; 71 BCRYPT_ALG_HANDLE hAlg; 72 73 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_SHA1_ALGORITHM, 74 MS_PRIMITIVE_PROVIDER, BCRYPT_ALG_HANDLE_HMAC_FLAG); 75 if (!BCRYPT_SUCCESS(status)) 76 return -1; 77 78 status = BCryptDeriveKeyPBKDF2(hAlg, 79 (PUCHAR)(uintptr_t)pw, (ULONG)pw_len, 80 (PUCHAR)(uintptr_t)salt, (ULONG)salt_len, rounds, 81 (PUCHAR)derived_key, (ULONG)derived_key_len, 0); 82 83 BCryptCloseAlgorithmProvider(hAlg, 0); 84 85 return (BCRYPT_SUCCESS(status)) ? 0: -1; 86} 87 88#elif defined(HAVE_LIBMBEDCRYPTO) && defined(HAVE_MBEDTLS_PKCS5_H) 89 90static int 91pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 92 size_t salt_len, unsigned rounds, uint8_t *derived_key, 93 size_t derived_key_len) 94{ 95 mbedtls_md_context_t ctx; 96 const mbedtls_md_info_t *info; 97 int ret; 98 99 mbedtls_md_init(&ctx); 100 info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1); 101 if (info == NULL) { 102 mbedtls_md_free(&ctx); 103 return (-1); 104 } 105 ret = mbedtls_md_setup(&ctx, info, 1); 106 if (ret != 0) { 107 mbedtls_md_free(&ctx); 108 return (-1); 109 } 110 ret = mbedtls_pkcs5_pbkdf2_hmac(&ctx, (const unsigned char *)pw, 111 pw_len, salt, salt_len, rounds, derived_key_len, derived_key); 112 113 mbedtls_md_free(&ctx); 114 return (ret); 115} 116 117#elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_PBKDF2_H) 118 119static int 120pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 121 size_t salt_len, unsigned rounds, uint8_t *derived_key, 122 size_t derived_key_len) { 123 pbkdf2_hmac_sha1((unsigned)pw_len, (const uint8_t *)pw, rounds, 124 salt_len, salt, derived_key_len, derived_key); 125 return 0; 126} 127 128#elif defined(HAVE_LIBCRYPTO) && defined(HAVE_PKCS5_PBKDF2_HMAC_SHA1) 129 130static int 131pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 132 size_t salt_len, unsigned rounds, uint8_t *derived_key, 133 size_t derived_key_len) { 134 135 PKCS5_PBKDF2_HMAC_SHA1(pw, pw_len, salt, salt_len, rounds, 136 derived_key_len, derived_key); 137 return 0; 138} 139 140#else 141 142/* Stub */ 143static int 144pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 145 size_t salt_len, unsigned rounds, uint8_t *derived_key, 146 size_t derived_key_len) { 147 (void)pw; /* UNUSED */ 148 (void)pw_len; /* UNUSED */ 149 (void)salt; /* UNUSED */ 150 (void)salt_len; /* UNUSED */ 151 (void)rounds; /* UNUSED */ 152 (void)derived_key; /* UNUSED */ 153 (void)derived_key_len; /* UNUSED */ 154 return -1; /* UNSUPPORTED */ 155} 156 157#endif 158 159#ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 160# if MAC_OS_X_VERSION_MAX_ALLOWED < 1090 161# define kCCAlgorithmAES kCCAlgorithmAES128 162# endif 163 164static int 165aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 166{ 167 CCCryptorStatus r; 168 169 ctx->key_len = key_len; 170 memcpy(ctx->key, key, key_len); 171 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 172 ctx->encr_pos = AES_BLOCK_SIZE; 173 r = CCCryptorCreateWithMode(kCCEncrypt, kCCModeECB, kCCAlgorithmAES, 174 ccNoPadding, NULL, key, key_len, NULL, 0, 0, 0, &ctx->ctx); 175 return (r == kCCSuccess)? 0: -1; 176} 177 178static int 179aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 180{ 181 CCCryptorRef ref = ctx->ctx; 182 CCCryptorStatus r; 183 184 r = CCCryptorReset(ref, NULL); 185 if (r != kCCSuccess && r != kCCUnimplemented) 186 return -1; 187 r = CCCryptorUpdate(ref, ctx->nonce, AES_BLOCK_SIZE, ctx->encr_buf, 188 AES_BLOCK_SIZE, NULL); 189 return (r == kCCSuccess)? 0: -1; 190} 191 192static int 193aes_ctr_release(archive_crypto_ctx *ctx) 194{ 195 memset(ctx->key, 0, ctx->key_len); 196 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 197 return 0; 198} 199 200#elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 201 202static int 203aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 204{ 205 BCRYPT_ALG_HANDLE hAlg; 206 BCRYPT_KEY_HANDLE hKey; 207 DWORD keyObj_len, aes_key_len; 208 PBYTE keyObj; 209 ULONG result; 210 NTSTATUS status; 211 BCRYPT_KEY_LENGTHS_STRUCT key_lengths; 212 213 ctx->hAlg = NULL; 214 ctx->hKey = NULL; 215 ctx->keyObj = NULL; 216 switch (key_len) { 217 case 16: aes_key_len = 128; break; 218 case 24: aes_key_len = 192; break; 219 case 32: aes_key_len = 256; break; 220 default: return -1; 221 } 222 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, 223 MS_PRIMITIVE_PROVIDER, 0); 224 if (!BCRYPT_SUCCESS(status)) 225 return -1; 226 status = BCryptGetProperty(hAlg, BCRYPT_KEY_LENGTHS, (PUCHAR)&key_lengths, 227 sizeof(key_lengths), &result, 0); 228 if (!BCRYPT_SUCCESS(status)) { 229 BCryptCloseAlgorithmProvider(hAlg, 0); 230 return -1; 231 } 232 if (key_lengths.dwMinLength > aes_key_len 233 || key_lengths.dwMaxLength < aes_key_len) { 234 BCryptCloseAlgorithmProvider(hAlg, 0); 235 return -1; 236 } 237 status = BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&keyObj_len, 238 sizeof(keyObj_len), &result, 0); 239 if (!BCRYPT_SUCCESS(status)) { 240 BCryptCloseAlgorithmProvider(hAlg, 0); 241 return -1; 242 } 243 keyObj = (PBYTE)HeapAlloc(GetProcessHeap(), 0, keyObj_len); 244 if (keyObj == NULL) { 245 BCryptCloseAlgorithmProvider(hAlg, 0); 246 return -1; 247 } 248 status = BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, 249 (PUCHAR)BCRYPT_CHAIN_MODE_ECB, sizeof(BCRYPT_CHAIN_MODE_ECB), 0); 250 if (!BCRYPT_SUCCESS(status)) { 251 BCryptCloseAlgorithmProvider(hAlg, 0); 252 HeapFree(GetProcessHeap(), 0, keyObj); 253 return -1; 254 } 255 status = BCryptGenerateSymmetricKey(hAlg, &hKey, 256 keyObj, keyObj_len, 257 (PUCHAR)(uintptr_t)key, (ULONG)key_len, 0); 258 if (!BCRYPT_SUCCESS(status)) { 259 BCryptCloseAlgorithmProvider(hAlg, 0); 260 HeapFree(GetProcessHeap(), 0, keyObj); 261 return -1; 262 } 263 264 ctx->hAlg = hAlg; 265 ctx->hKey = hKey; 266 ctx->keyObj = keyObj; 267 ctx->keyObj_len = keyObj_len; 268 ctx->encr_pos = AES_BLOCK_SIZE; 269 270 return 0; 271} 272 273static int 274aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 275{ 276 NTSTATUS status; 277 ULONG result; 278 279 status = BCryptEncrypt(ctx->hKey, (PUCHAR)ctx->nonce, AES_BLOCK_SIZE, 280 NULL, NULL, 0, (PUCHAR)ctx->encr_buf, AES_BLOCK_SIZE, 281 &result, 0); 282 return BCRYPT_SUCCESS(status) ? 0 : -1; 283} 284 285static int 286aes_ctr_release(archive_crypto_ctx *ctx) 287{ 288 289 if (ctx->hAlg != NULL) { 290 BCryptCloseAlgorithmProvider(ctx->hAlg, 0); 291 ctx->hAlg = NULL; 292 BCryptDestroyKey(ctx->hKey); 293 ctx->hKey = NULL; 294 HeapFree(GetProcessHeap(), 0, ctx->keyObj); 295 ctx->keyObj = NULL; 296 } 297 memset(ctx, 0, sizeof(*ctx)); 298 return 0; 299} 300 301#elif defined(HAVE_LIBMBEDCRYPTO) && defined(HAVE_MBEDTLS_AES_H) 302 303static int 304aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 305{ 306 mbedtls_aes_init(&ctx->ctx); 307 ctx->key_len = key_len; 308 memcpy(ctx->key, key, key_len); 309 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 310 ctx->encr_pos = AES_BLOCK_SIZE; 311 return 0; 312} 313 314static int 315aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 316{ 317 if (mbedtls_aes_setkey_enc(&ctx->ctx, ctx->key, 318 ctx->key_len * 8) != 0) 319 return (-1); 320 if (mbedtls_aes_crypt_ecb(&ctx->ctx, MBEDTLS_AES_ENCRYPT, ctx->nonce, 321 ctx->encr_buf) != 0) 322 return (-1); 323 return 0; 324} 325 326static int 327aes_ctr_release(archive_crypto_ctx *ctx) 328{ 329 mbedtls_aes_free(&ctx->ctx); 330 memset(ctx, 0, sizeof(*ctx)); 331 return 0; 332} 333 334#elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_AES_H) 335 336static int 337aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 338{ 339 ctx->key_len = key_len; 340 memcpy(ctx->key, key, key_len); 341 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 342 ctx->encr_pos = AES_BLOCK_SIZE; 343 memset(&ctx->ctx, 0, sizeof(ctx->ctx)); 344 return 0; 345} 346 347static int 348aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 349{ 350 aes_set_encrypt_key(&ctx->ctx, ctx->key_len, ctx->key); 351 aes_encrypt(&ctx->ctx, AES_BLOCK_SIZE, ctx->encr_buf, ctx->nonce); 352 return 0; 353} 354 355static int 356aes_ctr_release(archive_crypto_ctx *ctx) 357{ 358 memset(ctx, 0, sizeof(*ctx)); 359 return 0; 360} 361 362#elif defined(HAVE_LIBCRYPTO) 363 364static int 365aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 366{ 367 if ((ctx->ctx = EVP_CIPHER_CTX_new()) == NULL) 368 return -1; 369 370 switch (key_len) { 371 case 16: ctx->type = EVP_aes_128_ecb(); break; 372 case 24: ctx->type = EVP_aes_192_ecb(); break; 373 case 32: ctx->type = EVP_aes_256_ecb(); break; 374 default: ctx->type = NULL; return -1; 375 } 376 377 ctx->key_len = key_len; 378 memcpy(ctx->key, key, key_len); 379 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 380 ctx->encr_pos = AES_BLOCK_SIZE; 381#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 382 if (!EVP_CIPHER_CTX_reset(ctx->ctx)) { 383 EVP_CIPHER_CTX_free(ctx->ctx); 384 ctx->ctx = NULL; 385 } 386#else 387 EVP_CIPHER_CTX_init(ctx->ctx); 388#endif 389 return 0; 390} 391 392static int 393aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 394{ 395 int outl = 0; 396 int r; 397 398 r = EVP_EncryptInit_ex(ctx->ctx, ctx->type, NULL, ctx->key, NULL); 399 if (r == 0) 400 return -1; 401 r = EVP_EncryptUpdate(ctx->ctx, ctx->encr_buf, &outl, ctx->nonce, 402 AES_BLOCK_SIZE); 403 if (r == 0 || outl != AES_BLOCK_SIZE) 404 return -1; 405 return 0; 406} 407 408static int 409aes_ctr_release(archive_crypto_ctx *ctx) 410{ 411 EVP_CIPHER_CTX_free(ctx->ctx); 412 memset(ctx->key, 0, ctx->key_len); 413 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 414 return 0; 415} 416 417#else 418 419#define ARCHIVE_CRYPTOR_STUB 420/* Stub */ 421static int 422aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 423{ 424 (void)ctx; /* UNUSED */ 425 (void)key; /* UNUSED */ 426 (void)key_len; /* UNUSED */ 427 return -1; 428} 429 430static int 431aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 432{ 433 (void)ctx; /* UNUSED */ 434 return -1; 435} 436 437static int 438aes_ctr_release(archive_crypto_ctx *ctx) 439{ 440 (void)ctx; /* UNUSED */ 441 return 0; 442} 443 444#endif 445 446#ifdef ARCHIVE_CRYPTOR_STUB 447static int 448aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 449 size_t in_len, uint8_t * const out, size_t *out_len) 450{ 451 (void)ctx; /* UNUSED */ 452 (void)in; /* UNUSED */ 453 (void)in_len; /* UNUSED */ 454 (void)out; /* UNUSED */ 455 (void)out_len; /* UNUSED */ 456 aes_ctr_encrypt_counter(ctx); /* UNUSED */ /* Fix unused function warning */ 457 return -1; 458} 459 460#else 461static void 462aes_ctr_increase_counter(archive_crypto_ctx *ctx) 463{ 464 uint8_t *const nonce = ctx->nonce; 465 int j; 466 467 for (j = 0; j < 8; j++) { 468 if (++nonce[j]) 469 break; 470 } 471} 472 473static int 474aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 475 size_t in_len, uint8_t * const out, size_t *out_len) 476{ 477 uint8_t *const ebuf = ctx->encr_buf; 478 unsigned pos = ctx->encr_pos; 479 unsigned max = (unsigned)((in_len < *out_len)? in_len: *out_len); 480 unsigned i; 481 482 for (i = 0; i < max; ) { 483 if (pos == AES_BLOCK_SIZE) { 484 aes_ctr_increase_counter(ctx); 485 if (aes_ctr_encrypt_counter(ctx) != 0) 486 return -1; 487 while (max -i >= AES_BLOCK_SIZE) { 488 for (pos = 0; pos < AES_BLOCK_SIZE; pos++) 489 out[i+pos] = in[i+pos] ^ ebuf[pos]; 490 i += AES_BLOCK_SIZE; 491 aes_ctr_increase_counter(ctx); 492 if (aes_ctr_encrypt_counter(ctx) != 0) 493 return -1; 494 } 495 pos = 0; 496 if (i >= max) 497 break; 498 } 499 out[i] = in[i] ^ ebuf[pos++]; 500 i++; 501 } 502 ctx->encr_pos = pos; 503 *out_len = i; 504 505 return 0; 506} 507#endif /* ARCHIVE_CRYPTOR_STUB */ 508 509 510const struct archive_cryptor __archive_cryptor = 511{ 512 &pbkdf2_sha1, 513 &aes_ctr_init, 514 &aes_ctr_update, 515 &aes_ctr_release, 516 &aes_ctr_init, 517 &aes_ctr_update, 518 &aes_ctr_release, 519}; 520