mirror of
https://github.com/vgough/encfs.git
synced 2024-11-29 03:15:07 +01:00
b606ef122b
git-svn-id: http://encfs.googlecode.com/svn/trunk@124 db9cf616-1c43-0410-9cb8-a902689de0d6
655 lines
18 KiB
C++
655 lines
18 KiB
C++
/*****************************************************************************
|
|
* Author: Valient Gough <vgough@pobox.com>
|
|
*
|
|
*****************************************************************************
|
|
* Copyright (c) 2004, Valient Gough
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify it
|
|
* under the terms of the GNU Lesser General Public License as published by the
|
|
* Free Software Foundation, either version 3 of the License, or (at your
|
|
* option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
|
* for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "cipher/CipherV1.h"
|
|
#include "base/config.h"
|
|
|
|
#include <cstring>
|
|
#include <ctime>
|
|
|
|
#include <sys/mman.h>
|
|
#include <sys/time.h>
|
|
|
|
#include <glog/logging.h>
|
|
|
|
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
#include <valgrind/memcheck.h>
|
|
#endif
|
|
|
|
#include "base/base64.h"
|
|
#include "base/Error.h"
|
|
#include "base/i18n.h"
|
|
#include "base/Mutex.h"
|
|
#include "base/Range.h"
|
|
|
|
#include "cipher/MemoryPool.h"
|
|
#include "cipher/MAC.h"
|
|
#include "cipher/BlockCipher.h"
|
|
#include "cipher/PBKDF.h"
|
|
#include "cipher/StreamCipher.h"
|
|
|
|
#ifdef WITH_OPENSSL
|
|
#include "cipher/openssl.h"
|
|
#endif
|
|
|
|
#ifdef WITH_BOTAN
|
|
#include "cipher/botan.h"
|
|
#endif
|
|
|
|
using std::list;
|
|
using std::string;
|
|
using std::vector;
|
|
|
|
namespace encfs {
|
|
|
|
const int MAX_KEYLENGTH = 64; // in bytes (256 bit)
|
|
const int MAX_IVLENGTH = 16;
|
|
const int KEY_CHECKSUM_BYTES = 4;
|
|
|
|
#ifndef MIN
|
|
inline int MIN(int a, int b) { return (a < b) ? a : b; }
|
|
#endif
|
|
|
|
void CipherV1::init(bool threaded) {
|
|
#ifdef WITH_OPENSSL
|
|
OpenSSL::init(threaded);
|
|
#endif
|
|
#ifdef WITH_BOTAN
|
|
Botan_init(threaded);
|
|
#endif
|
|
}
|
|
|
|
void CipherV1::shutdown(bool threaded) {
|
|
#ifdef WITH_OPENSSL
|
|
OpenSSL::shutdown(threaded);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
DEPRECATED: this is here for backward compatibilty only. Use PBKDF
|
|
|
|
This duplicated some code in OpenSSL, correcting an issue with key lengths
|
|
produced for Blowfish.
|
|
*/
|
|
bool BytesToKey(const byte *data, int dataLen, unsigned int rounds,
|
|
CipherKey *key) {
|
|
Registry<MAC> registry = MAC::GetRegistry();
|
|
shared_ptr<MAC> sha1(registry.CreateForMatch("SHA-1"));
|
|
if (!sha1) return false;
|
|
|
|
if (data == NULL || dataLen == 0)
|
|
return false; // OpenSSL returns nkey here, but why? It is a failure..
|
|
|
|
SecureMem mdBuf(sha1->outputSize());
|
|
int addmd = 0;
|
|
int remaining = key->size();
|
|
|
|
for (;;) {
|
|
sha1->init();
|
|
if (addmd++) sha1->update(mdBuf.data(), mdBuf.size());
|
|
sha1->update(data, dataLen);
|
|
sha1->write(mdBuf.data());
|
|
|
|
for (unsigned int i = 1; i < rounds; ++i) {
|
|
sha1->init();
|
|
sha1->update(mdBuf.data(), mdBuf.size());
|
|
sha1->write(mdBuf.data());
|
|
}
|
|
|
|
int offset = 0;
|
|
int toCopy = MIN(remaining, mdBuf.size() - offset);
|
|
if (toCopy) {
|
|
memcpy(key->data(), mdBuf.data() + offset, toCopy);
|
|
key += toCopy;
|
|
remaining -= toCopy;
|
|
offset += toCopy;
|
|
}
|
|
if (remaining == 0) break;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
long time_diff(const timeval &end, const timeval &start) {
|
|
return (end.tv_sec - start.tv_sec) * 1000 * 1000 +
|
|
(end.tv_usec - start.tv_usec);
|
|
}
|
|
|
|
int CipherV1::TimedPBKDF2(const char *pass, int passlen, const byte *salt,
|
|
int saltlen, CipherKey *key, long desiredPDFTime) {
|
|
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
VALGRIND_CHECK_MEM_IS_DEFINED(pass, passlen);
|
|
VALGRIND_CHECK_MEM_IS_DEFINED(salt, saltlen);
|
|
#endif
|
|
Registry<PBKDF> registry = PBKDF::GetRegistry();
|
|
shared_ptr<PBKDF> impl(registry.CreateForMatch(NAME_PBKDF2_HMAC_SHA1));
|
|
if (!impl) return -1;
|
|
|
|
int iter = 1000;
|
|
timeval start, end;
|
|
|
|
for (;;) {
|
|
gettimeofday(&start, 0);
|
|
if (!impl->makeKey(pass, passlen, salt, saltlen, iter, key)) return -1;
|
|
|
|
gettimeofday(&end, 0);
|
|
|
|
long delta = time_diff(end, start);
|
|
if (delta < desiredPDFTime / 8) {
|
|
iter *= 4;
|
|
} else if (delta < (5 * desiredPDFTime / 6)) {
|
|
// estimate number of iterations to get close to desired time
|
|
iter = (int)((double)iter * (double)desiredPDFTime / (double)delta);
|
|
} else
|
|
return iter;
|
|
}
|
|
}
|
|
|
|
// - Version 1:0 used EVP_BytesToKey, which didn't do the right thing for
|
|
// Blowfish key lengths > 128 bit.
|
|
// - Version 2:0 uses BytesToKey.
|
|
// We support both 2:0 and 1:0, hence current:revision:age = 2:0:1
|
|
// - Version 2:1 adds support for Message Digest function interface
|
|
// - Version 2:2 adds PBKDF2 for password derivation
|
|
// - Version 3:0 adds a new IV mechanism
|
|
// - Version 3:1 drops support for verison 1:0 blowfish keys, in order to avoid
|
|
// having to duplicate the behavior of old EVP_BytesToKey implementations.
|
|
static Interface BlowfishInterface = makeInterface("ssl/blowfish", 3, 1, 1);
|
|
static Interface AESInterface = makeInterface("ssl/aes", 3, 1, 2);
|
|
|
|
static Interface NullCipherInterface = makeInterface("nullCipher", 1, 0, 0);
|
|
|
|
static Range BFKeyRange(128, 256, 32);
|
|
static int BFDefaultKeyLen = 160;
|
|
|
|
static Range AESKeyRange(128, 256, 64);
|
|
static int AESDefaultKeyLen = 192;
|
|
|
|
list<CipherV1::CipherAlgorithm> CipherV1::GetAlgorithmList() {
|
|
list<CipherV1::CipherAlgorithm> result;
|
|
Registry<BlockCipher> blockCipherRegistry = BlockCipher::GetRegistry();
|
|
|
|
if (blockCipherRegistry.GetPropertiesForMatch(NAME_AES_CBC) != NULL) {
|
|
CipherV1::CipherAlgorithm alg;
|
|
alg.name = "AES";
|
|
alg.description = "16 byte block cipher";
|
|
alg.iface = AESInterface;
|
|
alg.keyLength = AESKeyRange;
|
|
alg.blockSize = Range(64, 4096, 16);
|
|
result.push_back(alg);
|
|
}
|
|
|
|
if (blockCipherRegistry.GetPropertiesForMatch(NAME_BLOWFISH_CBC) != NULL) {
|
|
CipherV1::CipherAlgorithm alg;
|
|
alg.name = "Blowfish";
|
|
alg.description = "8 byte block cipher";
|
|
alg.iface = BlowfishInterface;
|
|
alg.keyLength = BFKeyRange;
|
|
alg.blockSize = Range(64, 4096, 8);
|
|
result.push_back(alg);
|
|
}
|
|
|
|
CipherV1::CipherAlgorithm alg;
|
|
alg.name = "Null";
|
|
alg.description = "Pass-through cipher, for testing only!";
|
|
alg.iface = NullCipherInterface;
|
|
alg.keyLength = Range(0);
|
|
alg.blockSize = Range(64, 4096, 8);
|
|
result.push_back(alg);
|
|
|
|
return result;
|
|
}
|
|
|
|
shared_ptr<CipherV1> CipherV1::New(const std::string &name, int keyLen) {
|
|
for (auto &it : GetAlgorithmList()) {
|
|
if (it.name == name) return New(it.iface, keyLen);
|
|
}
|
|
|
|
return shared_ptr<CipherV1>();
|
|
}
|
|
|
|
shared_ptr<CipherV1> CipherV1::New(const Interface &iface, int keyLen) {
|
|
shared_ptr<CipherV1> result(new CipherV1());
|
|
if (!result->initCiphers(iface, iface, keyLen)) result.reset();
|
|
return result;
|
|
}
|
|
|
|
CipherV1::CipherV1() : _keySize(0), _ivLength(0), _keySet(false) {}
|
|
|
|
bool CipherV1::initCiphers(const Interface &iface, const Interface &realIface,
|
|
int keyLength) {
|
|
this->iface = iface;
|
|
this->realIface = realIface;
|
|
|
|
Registry<BlockCipher> blockCipherRegistry = BlockCipher::GetRegistry();
|
|
Registry<StreamCipher> streamCipherRegistry = StreamCipher::GetRegistry();
|
|
|
|
int defaultKeyLength;
|
|
Range keyRange;
|
|
|
|
if (implements(AESInterface, iface)) {
|
|
keyRange = AESKeyRange;
|
|
defaultKeyLength = AESDefaultKeyLen;
|
|
_blockCipher.reset(blockCipherRegistry.CreateForMatch(NAME_AES_CBC));
|
|
_streamCipher.reset(streamCipherRegistry.CreateForMatch(NAME_AES_CFB));
|
|
} else if (implements(BlowfishInterface, iface)) {
|
|
keyRange = BFKeyRange;
|
|
defaultKeyLength = BFDefaultKeyLen;
|
|
_blockCipher.reset(blockCipherRegistry.CreateForMatch(NAME_BLOWFISH_CBC));
|
|
_streamCipher.reset(streamCipherRegistry.CreateForMatch(NAME_BLOWFISH_CFB));
|
|
} else if (implements(NullCipherInterface, iface)) {
|
|
keyRange = Range(0);
|
|
defaultKeyLength = 0;
|
|
_blockCipher.reset(blockCipherRegistry.CreateForMatch("NullCipher"));
|
|
_streamCipher.reset(streamCipherRegistry.CreateForMatch("NullCipher"));
|
|
}
|
|
|
|
if (!_blockCipher || !_streamCipher) {
|
|
LOG(INFO) << "Unsupported cipher " << iface.name();
|
|
return false;
|
|
}
|
|
|
|
if (keyLength <= 0)
|
|
_keySize = defaultKeyLength / 8;
|
|
else
|
|
_keySize = keyRange.closest(keyLength) / 8;
|
|
|
|
_pbkdf.reset(PBKDF::GetRegistry().CreateForMatch(NAME_PBKDF2_HMAC_SHA1));
|
|
if (!_pbkdf) {
|
|
LOG(ERROR) << "PBKDF missing";
|
|
return false;
|
|
}
|
|
|
|
// Initialize the cipher with a temporary key in order to determine the block
|
|
// size.
|
|
CipherKey tmpKey = _pbkdf->randomKey(_keySize);
|
|
_blockCipher->setKey(tmpKey);
|
|
_ivLength = _blockCipher->blockSize();
|
|
_iv.reset(new SecureMem(_ivLength));
|
|
_keySet = false;
|
|
|
|
Lock l(_hmacMutex);
|
|
_hmac.reset(MAC::GetRegistry().CreateForMatch(NAME_SHA1_HMAC));
|
|
if (!_hmac) {
|
|
LOG(ERROR) << "SHA1_HMAC not available";
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
CipherV1::~CipherV1() {}
|
|
|
|
Interface CipherV1::interface() const { return realIface; }
|
|
|
|
/*
|
|
Create a key from the password.
|
|
Use SHA to distribute entropy from the password into the key.
|
|
|
|
This algorithm must remain constant for backward compatibility, as this key
|
|
is used to encipher/decipher the master key.
|
|
*/
|
|
CipherKey CipherV1::newKey(const char *password, int passwdLength,
|
|
int *iterationCount, long desiredDuration,
|
|
const byte *salt, int saltLen) {
|
|
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
VALGRIND_CHECK_MEM_IS_DEFINED(password, passwdLength);
|
|
VALGRIND_CHECK_MEM_IS_DEFINED(salt, saltLen);
|
|
#endif
|
|
CipherKey key(_keySize + _ivLength);
|
|
|
|
if (*iterationCount == 0) {
|
|
// timed run, fills in iteration count
|
|
int res = TimedPBKDF2(password, passwdLength, salt, saltLen, &key,
|
|
1000 * desiredDuration);
|
|
if (res <= 0) {
|
|
LOG(ERROR) << "openssl error, PBKDF2 failed";
|
|
return CipherKey();
|
|
} else {
|
|
*iterationCount = res;
|
|
}
|
|
} else {
|
|
// known iteration length
|
|
if (!_pbkdf->makeKey(password, passwdLength, salt, saltLen, *iterationCount,
|
|
&key)) {
|
|
LOG(ERROR) << "openssl error, PBKDF2 failed";
|
|
return CipherKey();
|
|
}
|
|
}
|
|
|
|
return key;
|
|
}
|
|
|
|
// Deprecated - for use only with filesystems which used a fixed-round PBKDF.
|
|
// Such configurations are replaced with a new PBKDF2 implementation when the
|
|
// password is changed or configuration is rewritten.
|
|
CipherKey CipherV1::newKey(const char *password, int passwdLength) {
|
|
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
VALGRIND_CHECK_MEM_IS_DEFINED(password, passwdLength);
|
|
#endif
|
|
CipherKey key(_keySize + _ivLength);
|
|
|
|
bool ok = BytesToKey((byte *)password, passwdLength, 16, &key);
|
|
LOG_IF(ERROR, !ok) << "newKey: BytesToKey failed";
|
|
if (!ok) throw Error("BytesToKey failed");
|
|
|
|
return key;
|
|
}
|
|
|
|
CipherKey CipherV1::newRandomKey() {
|
|
return _pbkdf->randomKey(_keySize + _ivLength);
|
|
}
|
|
|
|
bool CipherV1::pseudoRandomize(byte *buf, int len) {
|
|
return _pbkdf->pseudoRandom(buf, len);
|
|
}
|
|
|
|
bool CipherV1::setKey(const CipherKey &keyIv) {
|
|
Lock l(_hmacMutex);
|
|
|
|
LOG_IF(ERROR, (int)(_keySize + _ivLength) != keyIv.size())
|
|
<< "Mismatched key size: passed " << keyIv.size() << ", expecting "
|
|
<< _keySize;
|
|
|
|
// Key is actually key plus iv, so extract the different parts.
|
|
CipherKey key(_keySize);
|
|
memcpy(key.data(), keyIv.data(), _keySize);
|
|
memcpy(_iv->data(), keyIv.data() + _keySize, _ivLength);
|
|
|
|
if (_blockCipher->setKey(key) && _streamCipher->setKey(key) &&
|
|
_hmac->setKey(key)) {
|
|
_keySet = true;
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
uint64_t CipherV1::MAC_64(const byte *data, int len,
|
|
uint64_t *chainedIV) const {
|
|
rAssert(len > 0);
|
|
rAssert(_keySet);
|
|
|
|
byte md[_hmac->outputSize()];
|
|
|
|
Lock l(_hmacMutex);
|
|
|
|
_hmac->init();
|
|
_hmac->update(data, len);
|
|
if (chainedIV) {
|
|
// toss in the chained IV as well
|
|
uint64_t tmp = *chainedIV;
|
|
byte h[8];
|
|
for (unsigned int i = 0; i < 8; ++i) {
|
|
h[i] = tmp & 0xff;
|
|
tmp >>= 8;
|
|
}
|
|
|
|
_hmac->update(h, 8);
|
|
}
|
|
|
|
bool ok = _hmac->write(md);
|
|
rAssert(ok);
|
|
|
|
// chop this down to a 64bit value..
|
|
byte h[8] = {0, 0, 0, 0, 0, 0, 0, 0};
|
|
|
|
// XXX: the last byte off the hmac isn't used. This minor inconsistency
|
|
// must be maintained in order to maintain backward compatiblity with earlier
|
|
// releases.
|
|
for (int i = 0; i < _hmac->outputSize() - 1; ++i) h[i % 8] ^= (byte)(md[i]);
|
|
|
|
uint64_t value = (uint64_t)h[0];
|
|
for (int i = 1; i < 8; ++i) value = (value << 8) | (uint64_t)h[i];
|
|
|
|
// TODO: should not be here.
|
|
if (chainedIV) *chainedIV = value;
|
|
|
|
return value;
|
|
}
|
|
|
|
unsigned int CipherV1::reduceMac32(uint64_t mac64) {
|
|
return ((mac64 >> 32) & 0xffffffff) ^ (mac64 & 0xffffffff);
|
|
}
|
|
|
|
unsigned int CipherV1::reduceMac16(uint64_t mac64) {
|
|
unsigned int mac32 = reduceMac32(mac64);
|
|
return ((mac32 >> 16) & 0xffff) ^ (mac32 & 0xffff);
|
|
}
|
|
|
|
CipherKey CipherV1::readKey(const byte *data, bool checkKey) {
|
|
rAssert(_keySet);
|
|
CipherKey key(_keySize + _ivLength);
|
|
|
|
// First N bytes are checksum bytes.
|
|
unsigned int checksum = 0;
|
|
for (int i = 0; i < KEY_CHECKSUM_BYTES; ++i)
|
|
checksum = (checksum << 8) | (unsigned int)data[i];
|
|
|
|
memcpy(key.data(), data + KEY_CHECKSUM_BYTES, key.size());
|
|
if (!streamDecode(key.data(), key.size(), checksum)) {
|
|
LOG(ERROR) << "stream decode failure";
|
|
return CipherKey();
|
|
}
|
|
|
|
// check for success
|
|
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
VALGRIND_CHECK_MEM_IS_DEFINED(key.data(), key.size());
|
|
#endif
|
|
|
|
unsigned int checksum2 = reduceMac32(MAC_64(key.data(), key.size(), NULL));
|
|
|
|
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
VALGRIND_CHECK_VALUE_IS_DEFINED(checksum2);
|
|
VALGRIND_CHECK_VALUE_IS_DEFINED(checksum);
|
|
#endif
|
|
|
|
if (checkKey && (checksum2 != checksum)) {
|
|
LOG(INFO) << "checksum mismatch: expected " << checksum << ", got "
|
|
<< checksum2 << "on decode of " << _keySize + _ivLength
|
|
<< " bytes";
|
|
return CipherKey();
|
|
}
|
|
|
|
return key;
|
|
}
|
|
|
|
void CipherV1::writeKey(const CipherKey &ckey, byte *out) const {
|
|
rAssert(_keySet);
|
|
|
|
SecureMem tmpBuf(ckey.size());
|
|
memcpy(tmpBuf.data(), ckey.data(), tmpBuf.size());
|
|
|
|
unsigned int checksum =
|
|
reduceMac32(MAC_64(tmpBuf.data(), tmpBuf.size(), NULL));
|
|
streamEncode(tmpBuf.data(), tmpBuf.size(), checksum);
|
|
|
|
// first N bytes contain HMAC derived checksum..
|
|
for (int i = 1; i <= KEY_CHECKSUM_BYTES; ++i) {
|
|
out[KEY_CHECKSUM_BYTES - i] = checksum & 0xff;
|
|
checksum >>= 8;
|
|
}
|
|
|
|
memcpy(out + KEY_CHECKSUM_BYTES, tmpBuf.data(), tmpBuf.size());
|
|
}
|
|
|
|
std::string CipherV1::encodeAsString(const CipherKey &key) const {
|
|
rAssert(_keySet);
|
|
int encodedSize = encodedKeySize();
|
|
vector<byte> buf(encodedSize);
|
|
writeKey(key, buf.data());
|
|
|
|
int b64Len = B256ToB64Bytes(encodedSize);
|
|
byte *b64Key = new byte[b64Len + 1];
|
|
|
|
changeBase2(buf.data(), encodedSize, 8, b64Key, b64Len, 6);
|
|
B64ToAscii(b64Key, b64Len);
|
|
b64Key[b64Len - 1] = '\0';
|
|
|
|
return string((const char *)b64Key);
|
|
}
|
|
|
|
int CipherV1::encodedKeySize() const {
|
|
return _keySize + _ivLength + KEY_CHECKSUM_BYTES;
|
|
}
|
|
|
|
int CipherV1::keySize() const { return _keySize; }
|
|
|
|
int CipherV1::cipherBlockSize() const { return _blockCipher->blockSize(); }
|
|
|
|
// Deprecated: For backward compatibility only.
|
|
// A watermark attack was published against this data-independent IV schedule.
|
|
// The replacement incorporates the filesystem key, making it unique to each
|
|
// filesystem.
|
|
static void setIVec_old(byte *ivec, int ivLen, unsigned int seed) {
|
|
unsigned int var1 = 0x060a4011 * seed;
|
|
unsigned int var2 = 0x0221040d * (seed ^ 0xD3FEA11C);
|
|
|
|
ivec[0] ^= (var1 >> 24) & 0xff;
|
|
ivec[1] ^= (var2 >> 16) & 0xff;
|
|
ivec[2] ^= (var1 >> 8) & 0xff;
|
|
ivec[3] ^= (var2) & 0xff;
|
|
ivec[4] ^= (var2 >> 24) & 0xff;
|
|
ivec[5] ^= (var1 >> 16) & 0xff;
|
|
ivec[6] ^= (var2 >> 8) & 0xff;
|
|
ivec[7] ^= (var1) & 0xff;
|
|
|
|
if (ivLen > 8) {
|
|
ivec[8 + 0] ^= (var1) & 0xff;
|
|
ivec[8 + 1] ^= (var2 >> 8) & 0xff;
|
|
ivec[8 + 2] ^= (var1 >> 16) & 0xff;
|
|
ivec[8 + 3] ^= (var2 >> 24) & 0xff;
|
|
ivec[8 + 4] ^= (var1 >> 24) & 0xff;
|
|
ivec[8 + 5] ^= (var2 >> 16) & 0xff;
|
|
ivec[8 + 6] ^= (var1 >> 8) & 0xff;
|
|
ivec[8 + 7] ^= (var2) & 0xff;
|
|
}
|
|
}
|
|
|
|
void CipherV1::setIVec(byte *ivec, uint64_t seed) const {
|
|
rAssert(_keySet);
|
|
memcpy(ivec, _iv->data(), _ivLength);
|
|
if (iface.major() < 3) {
|
|
// Backward compatible mode.
|
|
setIVec_old(ivec, _ivLength, seed);
|
|
return;
|
|
}
|
|
|
|
vector<byte> md(_hmac->outputSize());
|
|
for (int i = 0; i < 8; ++i) {
|
|
md[i] = (byte)(seed & 0xff);
|
|
seed >>= 8;
|
|
}
|
|
|
|
// combine ivec and seed with HMAC
|
|
Lock l(_hmacMutex);
|
|
_hmac->init();
|
|
_hmac->update(ivec, _ivLength);
|
|
_hmac->update(md.data(), 8);
|
|
_hmac->write(md.data());
|
|
|
|
memcpy(ivec, md.data(), _ivLength);
|
|
}
|
|
|
|
static void flipBytes(byte *buf, int size) {
|
|
byte revBuf[64];
|
|
|
|
int bytesLeft = size;
|
|
while (bytesLeft) {
|
|
int toFlip = MIN((int)sizeof(revBuf), bytesLeft);
|
|
|
|
for (int i = 0; i < toFlip; ++i) revBuf[i] = buf[toFlip - (i + 1)];
|
|
|
|
memcpy(buf, revBuf, toFlip);
|
|
bytesLeft -= toFlip;
|
|
buf += toFlip;
|
|
}
|
|
memset(revBuf, 0, sizeof(revBuf));
|
|
}
|
|
|
|
static void shuffleBytes(byte *buf, int size) {
|
|
for (int i = 0; i < size - 1; ++i) buf[i + 1] ^= buf[i];
|
|
}
|
|
|
|
static void unshuffleBytes(byte *buf, int size) {
|
|
for (int i = size - 1; i; --i) buf[i] ^= buf[i - 1];
|
|
}
|
|
|
|
/* Partial blocks are encoded with a stream cipher. We make multiple passes on
|
|
the data to ensure that the ends of the data depend on each other.
|
|
*/
|
|
bool CipherV1::streamEncode(byte *buf, int size, uint64_t iv64) const {
|
|
rAssert(_keySet);
|
|
rAssert(size > 0);
|
|
|
|
vector<byte> ivec(_ivLength);
|
|
shuffleBytes(buf, size);
|
|
|
|
setIVec(ivec.data(), iv64);
|
|
if (!_streamCipher->encrypt(ivec.data(), buf, buf, size)) return false;
|
|
|
|
flipBytes(buf, size);
|
|
shuffleBytes(buf, size);
|
|
|
|
setIVec(ivec.data(), iv64 + 1);
|
|
if (!_streamCipher->encrypt(ivec.data(), buf, buf, size)) return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
bool CipherV1::streamDecode(byte *buf, int size, uint64_t iv64) const {
|
|
rAssert(_keySet);
|
|
rAssert(size > 0);
|
|
|
|
vector<byte> ivec(_ivLength);
|
|
setIVec(ivec.data(), iv64 + 1);
|
|
if (!_streamCipher->decrypt(ivec.data(), buf, buf, size)) return false;
|
|
|
|
unshuffleBytes(buf, size);
|
|
flipBytes(buf, size);
|
|
|
|
setIVec(ivec.data(), iv64);
|
|
if (!_streamCipher->decrypt(ivec.data(), buf, buf, size)) return false;
|
|
|
|
unshuffleBytes(buf, size);
|
|
|
|
return true;
|
|
}
|
|
|
|
bool CipherV1::blockEncode(byte *buf, int size, uint64_t iv64) const {
|
|
rAssert(_keySet);
|
|
rAssert(size > 0);
|
|
|
|
vector<byte> ivec(_ivLength);
|
|
setIVec(ivec.data(), iv64);
|
|
return _blockCipher->encrypt(ivec.data(), buf, buf, size);
|
|
}
|
|
|
|
bool CipherV1::blockDecode(byte *buf, int size, uint64_t iv64) const {
|
|
rAssert(_keySet);
|
|
rAssert(size > 0);
|
|
|
|
vector<byte> ivec(_ivLength);
|
|
setIVec(ivec.data(), iv64);
|
|
return _blockCipher->decrypt(ivec.data(), buf, buf, size);
|
|
}
|
|
|
|
} // namespace encfs
|