Commit 3b7d0ed0 authored by Nick Mathewson's avatar Nick Mathewson 🎨
Browse files

Use trunnel for crypto_pwbox encoding/decoding.

This reduces the likelihood that I have made any exploitable errors
in the encoding/decoding.

This commit also imports the trunnel runtime source into Tor.
parent 30111494
......@@ -170,6 +170,10 @@
/src/tools/Makefile
/src/tools/Makefile.in
# /src/trunnel/
/src/trunnel/libor-trunnel-testing.a
/src/trunnel/libor-trunnel.a
# /src/tools/tor-fw-helper/
/src/tools/tor-fw-helper/tor-fw-helper
/src/tools/tor-fw-helper/tor-fw-helper.exe
......
......@@ -23,7 +23,6 @@ include src/include.am
include doc/include.am
include contrib/include.am
EXTRA_DIST+= \
ChangeLog \
INSTALL \
......
......@@ -4,8 +4,9 @@
#include "crypto_pwbox.h"
#include "di_ops.h"
#include "util.h"
#include "pwbox.h"
/* 7 bytes "TORBOX0"
/* 8 bytes "TORBOX00"
1 byte: header len (H)
H bytes: header, denoting secret key algorithm.
16 bytes: IV
......@@ -16,7 +17,7 @@
32 bytes: HMAC-SHA256 of all previous bytes.
*/
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 32 + CIPHER_IV_LEN)
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 1 + 32 + CIPHER_IV_LEN)
/**
* Make an authenticated passphrase-encrypted blob to encode the
......@@ -32,31 +33,34 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
const char *secret, size_t secret_len,
unsigned s2k_flags)
{
uint8_t *result, *encrypted_portion, *hmac, *iv;
uint8_t *result = NULL, *encrypted_portion;
size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
size_t result_len = encrypted_len + MAX_OVERHEAD;
ssize_t result_len;
int spec_len;
uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
pwbox_encoded_t *enc = NULL;
ssize_t enc_len;
crypto_cipher_t *cipher;
int rv;
/* Allocate a buffer and put things in the right place. */
result = tor_malloc_zero(result_len);
memcpy(result, "TORBOX0", 7);
enc = pwbox_encoded_new();
pwbox_encoded_setlen_skey_header(enc, S2K_MAXLEN);
spec_len = secret_to_key_make_specifier(result + 8,
result_len - 8,
s2k_flags);
if (spec_len < 0 || spec_len > 255)
spec_len = secret_to_key_make_specifier(
pwbox_encoded_getarray_skey_header(enc),
S2K_MAXLEN,
s2k_flags);
if (spec_len < 0 || spec_len > S2K_MAXLEN)
goto err;
result[7] = (uint8_t) spec_len;
pwbox_encoded_setlen_skey_header(enc, spec_len);
enc->header_len = spec_len;
tor_assert(8 + spec_len + CIPHER_IV_LEN + encrypted_len <= result_len);
crypto_rand((char*)enc->iv, sizeof(enc->iv));
iv = result + 8 + spec_len;
encrypted_portion = result + 8 + spec_len + CIPHER_IV_LEN;
hmac = encrypted_portion + encrypted_len;
pwbox_encoded_setlen_data(enc, encrypted_len);
encrypted_portion = pwbox_encoded_getarray_data(enc);
set_uint32(encrypted_portion, htonl(input_len));
memcpy(encrypted_portion+4, input, input_len);
......@@ -64,24 +68,32 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
/* Now that all the data is in position, derive some keys, encrypt, and
* digest */
if (secret_to_key_derivekey(keys, sizeof(keys),
result+8, spec_len,
pwbox_encoded_getarray_skey_header(enc),
spec_len,
secret, secret_len) < 0)
goto err;
crypto_rand((char*)iv, CIPHER_IV_LEN);
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)iv);
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
crypto_cipher_free(cipher);
crypto_hmac_sha256((char*)hmac,
result_len = pwbox_encoded_encoded_len(enc);
if (result_len < 0)
goto err;
result = tor_malloc(result_len);
enc_len = pwbox_encoded_encode(result, result_len, enc);
if (enc_len < 0)
goto err;
tor_assert(enc_len == result_len);
crypto_hmac_sha256((char*) result + result_len - 32,
(const char*)keys + CIPHER_KEY_LEN,
sizeof(keys)-CIPHER_KEY_LEN,
DIGEST256_LEN,
(const char*)result,
8 + CIPHER_IV_LEN + spec_len + encrypted_len);
result_len - 32);
*out = result;
*outlen_out = 8 + CIPHER_IV_LEN + spec_len + encrypted_len + DIGEST256_LEN;
*outlen_out = result_len;
rv = 0;
goto out;
......@@ -90,6 +102,7 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
rv = -1;
out:
pwbox_encoded_free(enc);
memwipe(keys, 0, sizeof(keys));
return rv;
}
......@@ -109,47 +122,47 @@ crypto_unpwbox(uint8_t **out, size_t *outlen_out,
const char *secret, size_t secret_len)
{
uint8_t *result = NULL;
const uint8_t *encrypted, *iv;
const uint8_t *encrypted;
uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
size_t spec_bytes;
uint8_t hmac[DIGEST256_LEN];
uint32_t result_len;
size_t encrypted_len;
crypto_cipher_t *cipher = NULL;
int rv = UNPWBOX_CORRUPTED;
ssize_t got_len;
if (input_len < 32)
goto err;
if (tor_memneq(inp, "TORBOX0", 7))
goto err;
pwbox_encoded_t *enc = NULL;
spec_bytes = inp[7];
if (input_len < 8 + spec_bytes)
got_len = pwbox_encoded_parse(&enc, inp, input_len);
if (got_len < 0 || (size_t)got_len != input_len)
goto err;
/* Now derive the keys and check the hmac. */
if (secret_to_key_derivekey(keys, sizeof(keys),
inp+8, spec_bytes,
pwbox_encoded_getarray_skey_header(enc),
pwbox_encoded_getlen_skey_header(enc),
secret, secret_len) < 0)
goto err;
crypto_hmac_sha256((char *)hmac,
(const char*)keys + CIPHER_KEY_LEN, sizeof(keys)-CIPHER_KEY_LEN,
(const char*)inp, input_len - DIGEST256_LEN);
(const char*)keys + CIPHER_KEY_LEN, DIGEST256_LEN,
(const char*)inp, input_len - DIGEST256_LEN);
if (tor_memneq(hmac, inp + input_len - DIGEST256_LEN, DIGEST256_LEN)) {
if (tor_memneq(hmac, enc->hmac, DIGEST256_LEN)) {
rv = UNPWBOX_BAD_SECRET;
goto err;
}
iv = inp + 8 + spec_bytes;
encrypted = inp + 8 + spec_bytes + CIPHER_IV_LEN;
/* How long is the plaintext? */
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)iv);
encrypted = pwbox_encoded_getarray_data(enc);
encrypted_len = pwbox_encoded_getlen_data(enc);
if (encrypted_len < 4)
goto err;
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)enc->iv);
crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
result_len = ntohl(result_len);
if (input_len < 8 + spec_bytes + 4 + result_len + 32)
if (encrypted_len < result_len + 4)
goto err;
/* Allocate a buffer and decrypt */
......@@ -167,6 +180,7 @@ crypto_unpwbox(uint8_t **out, size_t *outlen_out,
out:
crypto_cipher_free(cipher);
pwbox_encoded_free(enc);
memwipe(keys, 0, sizeof(keys));
return rv;
}
......
......@@ -16,7 +16,7 @@ EXTRA_DIST+= \
src/common/Makefile.nmake
#CFLAGS = -Wall -Wpointer-arith -O2
AM_CPPFLAGS += -I$(srcdir)/src/common -Isrc/common
AM_CPPFLAGS += -I$(srcdir)/src/common -Isrc/common -I$(srcdir)/src/ext/trunnel -I$(srcdir)/src/trunnel
if USE_OPENBSD_MALLOC
libor_extra_source=src/ext/OpenBSD_malloc_Linux.c
......@@ -69,6 +69,7 @@ LIBOR_A_SOURCES = \
src/common/util_process.c \
src/common/sandbox.c \
src/ext/csiphash.c \
src/ext/trunnel/trunnel.c \
$(libor_extra_source) \
$(libor_mempool_source)
......@@ -80,6 +81,7 @@ LIBOR_CRYPTO_A_SOURCES = \
src/common/crypto_format.c \
src/common/torgzip.c \
src/common/tortls.c \
src/trunnel/pwbox.c \
$(libcrypto_extra_source)
LIBOR_EVENT_A_SOURCES = \
......
/* trunnel-impl.h -- Implementation helpers for trunnel, included by
* generated trunnel files
*
* Copyright 2014, The Tor Project, Inc.
* See license at the end of this file for copying information.
*/
#ifndef TRUNNEL_IMPL_H_INCLUDED_
#define TRUNNEL_IMPL_H_INCLUDED_
#include "trunnel.h"
#include <assert.h>
#include <string.h>
#ifdef TRUNNEL_LOCAL_H
#include "trunnel-local.h"
#endif
#ifdef _MSC_VER
#define uint8_t unsigned char
#define uint16_t unsigned short
#define uint32_t unsigned int
#define uint64_t unsigned __int64
#define inline __inline
#else
#include <stdint.h>
#endif
#ifdef _WIN32
uint32_t trunnel_htonl(uint32_t a);
uint32_t trunnel_ntohl(uint32_t a);
uint16_t trunnel_htons(uint16_t a);
uint16_t trunnel_ntohs(uint16_t a);
#else
#include <arpa/inet.h>
#define trunnel_htonl(x) htonl(x)
#define trunnel_htons(x) htons(x)
#define trunnel_ntohl(x) ntohl(x)
#define trunnel_ntohs(x) ntohs(x)
#endif
uint64_t trunnel_htonll(uint64_t a);
uint64_t trunnel_ntohll(uint64_t a);
#ifndef trunnel_assert
#define trunnel_assert(x) assert(x)
#endif
static inline void
trunnel_set_uint64(void *p, uint64_t v) {
memcpy(p, &v, 8);
}
static inline void
trunnel_set_uint32(void *p, uint32_t v) {
memcpy(p, &v, 4);
}
static inline void
trunnel_set_uint16(void *p, uint16_t v) {
memcpy(p, &v, 2);
}
static inline void
trunnel_set_uint8(void *p, uint8_t v) {
memcpy(p, &v, 1);
}
static inline uint64_t
trunnel_get_uint64(const void *p) {
uint64_t x;
memcpy(&x, p, 8);
return x;
}
static inline uint32_t
trunnel_get_uint32(const void *p) {
uint32_t x;
memcpy(&x, p, 4);
return x;
}
static inline uint16_t
trunnel_get_uint16(const void *p) {
uint16_t x;
memcpy(&x, p, 2);
return x;
}
static inline uint8_t
trunnel_get_uint8(const void *p) {
return *(const uint8_t*)p;
}
#ifdef TRUNNEL_DEBUG_FAILING_ALLOC
extern int trunnel_provoke_alloc_failure;
static inline void *
trunnel_malloc(size_t n)
{
if (trunnel_provoke_alloc_failure) {
if (--trunnel_provoke_alloc_failure == 0)
return NULL;
}
return malloc(n);
}
static inline void *
trunnel_calloc(size_t a, size_t b)
{
if (trunnel_provoke_alloc_failure) {
if (--trunnel_provoke_alloc_failure == 0)
return NULL;
}
return calloc(a,b);
}
static inline char *
trunnel_strdup(const char *s)
{
if (trunnel_provoke_alloc_failure) {
if (--trunnel_provoke_alloc_failure == 0)
return NULL;
}
return strdup(s);
}
#else
#ifndef trunnel_malloc
#define trunnel_malloc(x) (malloc((x)))
#endif
#ifndef trunnel_calloc
#define trunnel_calloc(a,b) (calloc((a),(b)))
#endif
#ifndef trunnel_strdup
#define trunnel_strdup(s) (strdup((s)))
#endif
#endif
#ifndef trunnel_realloc
#define trunnel_realloc(a,b) realloc((a),(b))
#endif
#ifndef trunnel_free_
#define trunnel_free_(x) (free(x))
#endif
#define trunnel_free(x) ((x) ? (trunnel_free_(x),0) : (0))
#ifndef trunnel_abort
#define trunnel_abort() abort()
#endif
#ifndef trunnel_memwipe
#define trunnel_memwipe(mem, len) ((void)0)
#define trunnel_wipestr(s) ((void)0)
#else
#define trunnel_wipestr(s) do { \
if (s) \
trunnel_memwipe(s, strlen(s)); \
} while (0)
#endif
/* ====== dynamic arrays ======== */
#ifdef NDEBUG
#define TRUNNEL_DYNARRAY_GET(da, n) \
((da)->elts_[(n)])
#else
/** Return the 'n'th element of 'da'. */
#define TRUNNEL_DYNARRAY_GET(da, n) \
(((n) >= (da)->n_ ? (trunnel_abort(),0) : 0), (da)->elts_[(n)])
#endif
/** Change the 'n'th element of 'da' to 'v'. */
#define TRUNNEL_DYNARRAY_SET(da, n, v) do { \
trunnel_assert((n) < (da)->n_); \
(da)->elts_[(n)] = (v); \
} while (0)
/** Expand the dynamic array 'da' of 'elttype' so that it can hold at least
* 'howmanymore' elements than its current capacity. Always tries to increase
* the length of the array. On failure, run the code in 'on_fail' and goto
* trunnel_alloc_failed. */
#define TRUNNEL_DYNARRAY_EXPAND(elttype, da, howmanymore, on_fail) do { \
elttype *newarray; \
newarray = trunnel_dynarray_expand(&(da)->allocated_, \
(da)->elts_, (howmanymore), \
sizeof(elttype)); \
if (newarray == NULL) { \
on_fail; \
goto trunnel_alloc_failed; \
} \
(da)->elts_ = newarray; \
} while (0)
/** Add 'v' to the end of the dynamic array 'da' of 'elttype', expanding it if
* necessary. code in 'on_fail' and goto trunnel_alloc_failed. */
#define TRUNNEL_DYNARRAY_ADD(elttype, da, v, on_fail) do { \
if ((da)->n_ == (da)->allocated_) { \
TRUNNEL_DYNARRAY_EXPAND(elttype, da, 1, on_fail); \
} \
(da)->elts_[(da)->n_++] = (v); \
} while (0)
/** Return the number of elements in 'da'. */
#define TRUNNEL_DYNARRAY_LEN(da) ((da)->n_)
/** Remove all storage held by 'da' and set it to be empty. Does not free
* storage held by the elements themselves. */
#define TRUNNEL_DYNARRAY_CLEAR(da) do { \
trunnel_free((da)->elts_); \
(da)->elts_ = NULL; \
(da)->n_ = (da)->allocated_ = 0; \
} while (0)
/** Remove all storage held by 'da' and set it to be empty. Does not free
* storage held by the elements themselves. */
#define TRUNNEL_DYNARRAY_WIPE(da) do { \
trunnel_memwipe((da)->elts_, (da)->allocated_ * sizeof((da)->elts_[0])); \
} while (0)
/** Helper: wraps or implements an OpenBSD-style reallocarray. Behaves
* as realloc(a, x*y), but verifies that no overflow will occur in the
* multiplication. Returns NULL on failure. */
#ifndef trunnel_reallocarray
void *trunnel_reallocarray(void *a, size_t x, size_t y);
#endif
/** Helper to expand a dynamic array. Behaves as TRUNNEL_DYNARRAY_EXPAND(),
* taking the array of elements in 'ptr', a pointer to thethe current number
* of allocated elements in allocated_p, the minimum numbeer of elements to
* add in 'howmanymore', and the size of a single element in 'eltsize'.
*
* On success, adjust *allocated_p, and return the new value for the array of
* elements. On failure, adjust nothing and return NULL.
*/
void *trunnel_dynarray_expand(size_t *allocated_p, void *ptr,
size_t howmanymore, size_t eltsize);
/** Type for a function to free members of a dynarray of pointers. */
typedef void (*trunnel_free_fn_t)(void *);
/**
* Helper to change the length of a dynamic array. Takes pointers to the
* current allocated and n fields of the array in 'allocated_p' and 'len_p',
* and the current array of elements in 'ptr'; takes the length of a single
* element in 'eltsize'. Changes the length to 'newlen'. If 'newlen' is
* greater than the current length, pads the new elements with 0. If newlen
* is less than the current length, and free_fn is non-NULL, treat the
* array as an array of void *, and invoke free_fn() on each removed element.
*
* On success, adjust *allocated_p and *len_p, and return the new value for
* the array of elements. On failure, adjust nothing, set *errcode_ptr to 1,
* and return NULL.
*/
void *trunnel_dynarray_setlen(size_t *allocated_p, size_t *len_p,
void *ptr, size_t newlen,
size_t eltsize, trunnel_free_fn_t free_fn,
uint8_t *errcode_ptr);
/**
* Helper: return a pointer to the value of 'str' as a NUL-terminated string.
* Might have to reallocate the storage for 'str' in order to fit in the final
* NUL character. On allocation failure, return NULL.
*/
const char *trunnel_string_getstr(trunnel_string_t *str);
/**
* Helper: change the contents of 'str' to hold the 'len'-byte string in
* 'inp'. Adjusts the storage to have a terminating NUL that doesn't count
* towards the length of the string. On success, return 0. On failure, set
* *errcode_ptr to 1 and return -1.
*/
int trunnel_string_setstr0(trunnel_string_t *str, const char *inp, size_t len,
uint8_t *errcode_ptr);
/**
* As trunnel_dynarray_setlen, but adjusts a string rather than a dynamic
* array, and ensures that the new string is NUL-terminated.
*/
int trunnel_string_setlen(trunnel_string_t *str, size_t newlen,
uint8_t *errcode_ptr);
#endif
/*
Copyright 2014 The Tor Project, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the names of the copyright owners nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* trunnel.c -- Helper functions to implement trunnel.
*
* Copyright 2014, The Tor Project, Inc.
* See license at the end of this file for copying information.
*
* See trunnel-impl.h for documentation of these functions.
*/
#include <stdlib.h>
#include <string.h>
#include "trunnel-impl.h"
#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
# define IS_LITTLE_ENDIAN 1
#elif defined(BYTE_ORDER) && defined(ORDER_LITTLE_ENDIAN) && \
BYTE_ORDER == __ORDER_LITTLE_ENDIAN
# define IS_LITTLE_ENDIAN 1
#elif defined(_WIN32)
# define IS_LITTLE_ENDIAN 1
#elif defined(__APPLE__)
# include <libkern/OSByteOrder.h>
# define BSWAP64(x) OSSwapLittleToHostInt64(x)
#elif defined(sun) || defined(__sun)
# include <sys/byteorder.h>
# ifndef _BIG_ENDIAN
# define IS_LITTLE_ENDIAN
# endif
#else
# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
# include <sys/endian.h>
# else
# include <endian.h>
# endif
# if defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
__BYTE_ORDER == __LITTLE_ENDIAN
# define IS_LITTLE_ENDIAN
# endif
#endif
#ifdef _WIN32
uint16_t
trunnel_htons(uint16_t s)
{
return (s << 8) | (s >> 8);
}
uint16_t
trunnel_ntohs(uint16_t s)
{
return (s << 8) | (s >> 8);
}
uint32_t
trunnel_htonl(uint32_t s)
{
return (s << 24) |
((s << 8)&0xff0000) |
((s >> 8)&0xff00) |
(s >> 24);
}
uint32_t
trunnel_ntohl(uint32_t s)
{
return (s << 24) |
((s << 8)&0xff0000) |
((s >> 8)&0xff00) |
(s >> 24);
}
#endif
uint64_t
trunnel_htonll(uint64_t a)
{
#ifdef IS_LITTLE_ENDIAN
return trunnel_htonl(a>>32) | (((uint64_t)trunnel_htonl(a))<<32);
#else
return a;
#endif
}
uint64_t
trunnel_ntohll(uint64_t a)
{