/*****************************************************************************
* Author: Valient Gough <vgough@pobox.com>
*
*****************************************************************************
* Copyright (c) 2004-2013, Valient Gough
*
* This program is free software: you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published by the
* Free Software Foundation, either version 3 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
* for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _CipherV1_incl_
#define _CipherV1_incl_
#include "base/Interface.h"
#include "base/Mutex.h"
#include "base/shared_ptr.h"
#include "cipher/BlockCipher.h"
#include "cipher/StreamCipher.h"
#include "cipher/MAC.h"
#include "cipher/PBKDF.h"
namespace encfs {
class SecureMem;
/*
Implements Encfs V1.x ciphers support.
Design:
Variable algorithm, key size, and block size.
Partial blocks, keys, and names are encrypted using the cipher in a pseudo
stream mode (CFB).
Keys are encrypted with 2-4 (KEY_CHECKSUM_BYTES define) checksum bytes
derived from an HMAC over both the key data and the initial value vector
associated with the key. This allows a good chance at detecting an
incorrect password when we try and decrypt the master key.
File names are encrypted in the same way, with 2 checksum bytes derived
from an HMAC over the filename. This is done not to allow checking the
results, but to make the output much more random. Changing one letter in a
filename should result in a completely different encrypted filename, to
help frustrate any attempt to guess information about files from their
encrypted names.
Stream encryption involves two encryption passes over the data, implemented
as:
1. shuffle
2. encrypt
3. reverse
4. shuffle
5. encrypt
The reason for the shuffle and reverse steps (and the second encrypt pass)
is to try and propagate any changed bits to a larger set. If only a single
pass was made with the stream cipher in CFB mode, then a change to one byte
may only affect one byte of output, allowing some XOR attacks.
The shuffle/encrypt is used as above in filename encryption as well,
although it is not necessary as they have checksum bytes which augment the
initial value vector to randomize the output. But it makes the code
simpler to reuse the encryption algorithm as is.
*/
class CipherV1
{
    // The interface this object is presented as, and the interface of the
    // cipher actually backing it (see interface() and the constructor).
    Interface iface;
    Interface realIface;

    // Primitives this cipher is composed from (cipher/BlockCipher.h,
    // cipher/StreamCipher.h, cipher/PBKDF.h).
    shared_ptr<BlockCipher> _blockCipher;
    shared_ptr<StreamCipher> _streamCipher;
    shared_ptr<PBKDF> _pbkdf;

    // HMac is stateful, so access is controlled via mutex.
    // Both are mutable so the const MAC_64() below can use them
    // (presumably while holding _hmacMutex — confirm in the implementation).
    mutable Mutex _hmacMutex;
    mutable shared_ptr<MAC> _hmac;

    unsigned int _keySize; // in bytes
    unsigned int _ivLength; // NOTE(review): unit not stated; presumably bytes like _keySize

    // IV material held in SecureMem (forward-declared above).
    shared_ptr<SecureMem> _iv;
    // Whether setKey() has been called; the encode/decode/MAC members
    // presumably require it — confirm.
    bool _keySet;

public:
    // Describes one supported algorithm, as returned by GetAlgorithmList().
    struct CipherAlgorithm
    {
        std::string name;
        std::string description;
        Interface iface;
        Range keyLength;   // supported key lengths
        Range blockSize;   // supported block sizes
    };

    // Returns a list of supported algorithms.
    // NOTE(review): std::list, std::string and uint64_t are used in this
    // header without <list>/<string>/<stdint.h> being included above, so it
    // relies on transitive includes — confirm or add them.
    static std::list<CipherAlgorithm> GetAlgorithmList();

    // Factories, by algorithm name or by Interface. keyLen = -1 presumably
    // selects the algorithm's default key length — confirm.
    static shared_ptr<CipherV1> New(const std::string &name, int keyLen = -1);
    static shared_ptr<CipherV1> New(const Interface &alg, int keyLen = -1);

    // Password-based key derivation function which determines the
    // number of iterations based on a desired execution time (in microseconds).
    // Returns the number of iterations applied.
    // Because the count is chosen by timing, it depends on the host the key
    // was created on and cannot be recomputed from the password alone; the
    // caller is presumably expected to store it alongside the salt — confirm.
    static int TimedPBKDF2(const char *pass, int passLen,
                           const byte *salt, int saltLen,
                           CipherKey *out, long desiredPDFTimeMicroseconds);

    // iface: the interface to present; realIface: the cipher actually used;
    // keyLength: key size (presumably in bytes, matching _keySize — confirm).
    CipherV1(const Interface &iface, const Interface &realIface, int keyLength);
    ~CipherV1();

    // returns the real interface, not the one we're emulating (if any)..
    Interface interface() const;

    // create a new key based on a password
    // The PBKDF runs for roughly desiredDuration and the iteration count
    // actually used is reported through *iterationCount (cf. TimedPBKDF2
    // above) — confirm units and semantics in the implementation.
    CipherKey newKey(const char *password, int passwdLength,
                     int *iterationCount, long desiredDuration,
                     const byte *salt, int saltLen);
    // deprecated - for backward compatibility
    CipherKey newKey(const char *password, int passwdLength);
    // create a new random key
    CipherKey newRandomKey();

    // Read and decrypt a key.
    // data must be len keySize()
    // NOTE(review): encodedKeySize() is also declared below; confirm which
    // of the two lengths applies to `data` here and in writeKey().
    // checkKey presumably selects whether the checksum bytes described in
    // the design notes above are verified — confirm.
    CipherKey readKey(const byte *data, bool checkKey);

    // Encrypt and write the given key.
    void writeKey(const CipherKey &key, byte *data);

    // Encrypt and store a key as a string.
    std::string encodeAsString(const CipherKey &key);

    // meta-data about the cipher
    int keySize() const;
    int encodedKeySize() const;
    int cipherBlockSize() const;

    // Fills buf with len bytes of pseudo-random data; the return value
    // presumably reports success — confirm.
    bool pseudoRandomize(byte *buf, int len);

    // Sets the key used for encoding / decoding, and MAC operations.
    bool setKey(const CipherKey &key);

    // 64-bit MAC over src[0..len). augment is optional (NULL by default);
    // its role is not visible from this header — confirm.
    // Declared const but uses the stateful _hmac (hence the mutable members).
    uint64_t MAC_64(const byte *src, int len,
                    uint64_t *augment = NULL) const;

    // Reduce a 64-bit MAC to 32 / 16 bits (presumably by folding — confirm).
    static unsigned int reduceMac32(uint64_t mac64);
    static unsigned int reduceMac16(uint64_t mac64);

    // functional interfaces
    /*
       Stream encoding in-place.
       iv64 seeds the IV (see the private setIVec() below).
    */
    bool streamEncode(byte *data, int len, uint64_t iv64) const;
    bool streamDecode(byte *data, int len, uint64_t iv64) const;

    /*
       Block encoding is done in-place. Partial blocks are supported, but
       blocks are always expected to begin on a block boundary. See
       blockSize() (presumably cipherBlockSize() above — confirm).
    */
    bool blockEncode(byte *buf, int size, uint64_t iv64) const;
    bool blockDecode(byte *buf, int size, uint64_t iv64) const;

private:
    // Writes an IV derived from seed to out (presumably using _iv and
    // _ivLength — confirm in the implementation).
    void setIVec(byte *out, uint64_t seed) const;
};
} // namespace encfs
#endif