1%% This Source Code Form is subject to the terms of the Mozilla Public 2%% License, v. 2.0. If a copy of the MPL was not distributed with this 3%% file, You can obtain one at https://mozilla.org/MPL/2.0/. 4%% 5%% Copyright (c) 2019-2020 VMware, Inc. or its affiliates. All rights reserved. 6%% 7 8-module(credentials_obfuscation_pbe). 9 10-include("credentials_obfuscation.hrl"). 11 12-export([supported_ciphers/0, supported_hashes/0, default_cipher/0, default_hash/0, default_iterations/0]). 13-export([encrypt_term/5, decrypt_term/5]). 14-export([encrypt/5, decrypt/5]). 15 16 17%% Supported ciphers and hashes 18 19%% We only support block ciphers that use an initialization vector. 20 21%% AEAD ciphers expect Associated Data (AD), which we don't have. It would be 22%% convenient if there was a way to get this list rather than hardcode it: 23%% https://bugs.erlang.org/browse/ERL-1479. 24-define(AEAD_CIPHERS, [aes_gcm, aes_ccm, chacha20_poly1305]). 25 26supported_ciphers() -> 27 SupportedByCrypto = crypto:supports(ciphers), 28 lists:filter(fun(Cipher) -> 29 Mode = maps:get(mode, crypto:cipher_info(Cipher)), 30 not lists:member(Mode, [ccm_mode, ecb_mode, gcm_mode]) 31 end, 32 SupportedByCrypto) -- ?AEAD_CIPHERS. 33 34supported_hashes() -> 35 crypto:supports(hashs). 36 37%% Default encryption parameters. 38default_cipher() -> 39 aes_128_cbc. 40 41default_hash() -> 42 sha256. 43 44default_iterations() -> 45 1. 46 47%% Encryption/decryption of arbitrary Erlang terms. 48 49encrypt_term(_Cipher, _Hash, _Iterations, ?PENDING_SECRET, Term) -> 50 {plaintext, Term}; 51encrypt_term(Cipher, Hash, Iterations, Secret, Term) -> 52 encrypt(Cipher, Hash, Iterations, Secret, term_to_binary(Term)). 53 54decrypt_term(_Cipher, _Hash, _Iterations, _Secret, {plaintext, Term}) -> 55 Term; 56decrypt_term(Cipher, Hash, Iterations, Secret, Base64Binary) -> 57 binary_to_term(decrypt(Cipher, Hash, Iterations, Secret, Base64Binary)). 58 59%% The cipher for encryption is from the list of supported ciphers. 60%% The hash for generating the key from the secret is from the list 61%% of supported hashes. See crypto:supports/0 to obtain both lists. 62%% The key is generated by applying the hash N times with N >= 1. 63%% 64%% The encrypt/5 function returns a base64 binary and the decrypt/5 65%% function accepts that same base64 binary. 66 67-spec encrypt(crypto:cipher_iv(), crypto:hash_algorithm(), 68 pos_integer(), iodata() | '$pending-secret', binary()) -> {plaintext, binary()} | {encrypted, binary()}. 69encrypt(_Cipher, _Hash, _Iterations, ?PENDING_SECRET, ClearText) -> 70 {plaintext, ClearText}; 71encrypt(Cipher, Hash, Iterations, Secret, ClearText) when is_list(ClearText) -> 72 encrypt(Cipher, Hash, Iterations, Secret, list_to_binary(ClearText)); 73encrypt(Cipher, Hash, Iterations, Secret, ClearText) when is_binary(ClearText) -> 74 Salt = crypto:strong_rand_bytes(16), 75 Ivec = crypto:strong_rand_bytes(iv_length(Cipher)), 76 Key = make_key(Cipher, Hash, Iterations, Secret, Salt), 77 Binary = crypto:crypto_one_time(Cipher, Key, Ivec, pad(Cipher, ClearText), true), 78 Encrypted = base64:encode(<<Salt/binary, Ivec/binary, Binary/binary>>), 79 {encrypted, Encrypted}. 80 81-spec decrypt(crypto:cipher_iv(), crypto:hash_algorithm(), 82 pos_integer(), iodata(), {'encrypted', binary() | [1..255]} | {'plaintext', _}) -> any(). 83decrypt(_Cipher, _Hash, _Iterations, _Secret, {plaintext, ClearText}) -> 84 ClearText; 85decrypt(Cipher, Hash, Iterations, Secret, {encrypted, Base64Binary}) -> 86 IvLength = iv_length(Cipher), 87 << Salt:16/binary, Ivec:IvLength/binary, Binary/bits >> = base64:decode(Base64Binary), 88 Key = make_key(Cipher, Hash, Iterations, Secret, Salt), 89 unpad(crypto:crypto_one_time(Cipher, Key, Ivec, Binary, false)). 90 91%% Generate a key from a secret. 92 93make_key(Cipher, Hash, Iterations, Secret, Salt) -> 94 Key = pbdkdf2(Secret, Salt, Iterations, key_length(Cipher), 95 fun hmac/4, Hash, hash_length(Hash)), 96 if 97 Cipher =:= des3_cbc; Cipher =:= des3_cbf; Cipher =:= des3_cfb; 98 Cipher =:= des_ede3; Cipher =:= des_ede3_cbc; 99 Cipher =:= des_ede3_cbf; Cipher =:= des_ede3_cfb -> 100 << A:8/binary, B:8/binary, C:8/binary >> = Key, 101 [A, B, C]; 102 true -> 103 Key 104 end. 105 106hmac(SubType, Key, Data, MacLength) -> 107 crypto:macN(hmac, SubType, Key, Data, MacLength). 108 109%% Functions to pad/unpad input to a multiplier of block size. 110 111pad(Cipher, Data) -> 112 BlockSize = block_size(Cipher), 113 N = BlockSize - (byte_size(Data) rem BlockSize), 114 Pad = list_to_binary(lists:duplicate(N, N)), 115 <<Data/binary, Pad/binary>>. 116 117unpad(Data) -> 118 N = binary:last(Data), 119 binary:part(Data, 0, byte_size(Data) - N). 120 121hash_length(Type) -> 122 maps:get(size, crypto:hash_info(Type)). 123 124iv_length(Type) -> 125 maps:get(iv_length, crypto:cipher_info(Type)). 126 127key_length(Type) -> 128 maps:get(key_length, crypto:cipher_info(Type)). 129 130block_size(Type) -> 131 maps:get(block_size, crypto:cipher_info(Type)). 132 133%% The following was taken from OTP's lib/public_key/src/pubkey_pbe.erl 134%% 135%% This is an undocumented interface to password-based encryption algorithms. 136%% These functions have been copied here to stay compatible with R16B03. 137 138%%-------------------------------------------------------------------- 139-spec pbdkdf2(iodata(), iodata(), integer(), integer(), fun(), atom(), integer()) 140 -> binary(). 141%% 142%% Description: Implements password based decryption key derive function 2. 143%% Exported mainly for testing purposes. 144%%-------------------------------------------------------------------- 145pbdkdf2(Password, Salt, Count, DerivedKeyLen, Prf, PrfHash, PrfOutputLen)-> 146 NumBlocks = ceiling(DerivedKeyLen / PrfOutputLen), 147 NumLastBlockOctets = DerivedKeyLen - (NumBlocks - 1) * PrfOutputLen , 148 blocks(NumBlocks, NumLastBlockOctets, 1, Password, Salt, 149 Count, Prf, PrfHash, PrfOutputLen, <<>>). 150 151blocks(1, N, Index, Password, Salt, Count, Prf, PrfHash, PrfLen, Acc) -> 152 <<XorSum:N/binary, _/binary>> = xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen), 153 <<Acc/binary, XorSum/binary>>; 154blocks(NumBlocks, N, Index, Password, Salt, Count, Prf, PrfHash, PrfLen, Acc) -> 155 XorSum = xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen), 156 blocks(NumBlocks -1, N, Index +1, Password, Salt, Count, Prf, PrfHash, 157 PrfLen, <<Acc/binary, XorSum/binary>>). 158 159xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen) -> 160 Result = Prf(PrfHash, Password, [Salt,<<Index:32/unsigned-big-integer>>], PrfLen), 161 do_xor_sum(Prf, PrfHash, PrfLen, Result, Password, Count-1, Result). 162 163do_xor_sum(_, _, _, _, _, 0, Acc) -> 164 Acc; 165do_xor_sum(Prf, PrfHash, PrfLen, Prev, Password, Count, Acc) -> 166 Result = Prf(PrfHash, Password, Prev, PrfLen), 167 do_xor_sum(Prf, PrfHash, PrfLen, Result, Password, Count-1, crypto:exor(Acc, Result)). 168 169ceiling(Float) -> 170 erlang:round(Float + 0.5). 171