1%% This Source Code Form is subject to the terms of the Mozilla Public
2%% License, v. 2.0. If a copy of the MPL was not distributed with this
3%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
4%%
5%% Copyright (c) 2019-2020 VMware, Inc. or its affiliates.  All rights reserved.
6%%
7
8-module(credentials_obfuscation_pbe).
9
10-include("credentials_obfuscation.hrl").
11
12-export([supported_ciphers/0, supported_hashes/0, default_cipher/0, default_hash/0, default_iterations/0]).
13-export([encrypt_term/5, decrypt_term/5]).
14-export([encrypt/5, decrypt/5]).
15
16
17%% Supported ciphers and hashes
18
19%% We only support block ciphers that use an initialization vector.
20
21%% AEAD ciphers expect Associated Data (AD), which we don't have. It would be
22%% convenient if there was a way to get this list rather than hardcode it:
23%% https://bugs.erlang.org/browse/ERL-1479.
24-define(AEAD_CIPHERS, [aes_gcm, aes_ccm, chacha20_poly1305]).
25
26supported_ciphers() ->
27    SupportedByCrypto = crypto:supports(ciphers),
28    lists:filter(fun(Cipher) ->
29        Mode = maps:get(mode, crypto:cipher_info(Cipher)),
30        not lists:member(Mode, [ccm_mode, ecb_mode, gcm_mode])
31    end,
32    SupportedByCrypto) -- ?AEAD_CIPHERS.
33
34supported_hashes() ->
35    crypto:supports(hashs).
36
37%% Default encryption parameters.
38default_cipher() ->
39    aes_128_cbc.
40
41default_hash() ->
42    sha256.
43
44default_iterations() ->
45    1.
46
47%% Encryption/decryption of arbitrary Erlang terms.
48
49encrypt_term(_Cipher, _Hash, _Iterations, ?PENDING_SECRET, Term) ->
50    {plaintext, Term};
51encrypt_term(Cipher, Hash, Iterations, Secret, Term) ->
52    encrypt(Cipher, Hash, Iterations, Secret, term_to_binary(Term)).
53
54decrypt_term(_Cipher, _Hash, _Iterations, _Secret, {plaintext, Term}) ->
55    Term;
56decrypt_term(Cipher, Hash, Iterations, Secret, Base64Binary) ->
57    binary_to_term(decrypt(Cipher, Hash, Iterations, Secret, Base64Binary)).
58
59%% The cipher for encryption is from the list of supported ciphers.
60%% The hash for generating the key from the secret is from the list
61%% of supported hashes. See crypto:supports/0 to obtain both lists.
62%% The key is generated by applying the hash N times with N >= 1.
63%%
64%% The encrypt/5 function returns a base64 binary and the decrypt/5
65%% function accepts that same base64 binary.
66
67-spec encrypt(crypto:cipher_iv(), crypto:hash_algorithm(),
68              pos_integer(), iodata() | '$pending-secret', binary()) -> {plaintext, binary()} | {encrypted, binary()}.
69encrypt(_Cipher, _Hash, _Iterations, ?PENDING_SECRET, ClearText) ->
70    {plaintext, ClearText};
71encrypt(Cipher, Hash, Iterations, Secret, ClearText) when is_list(ClearText) ->
72    encrypt(Cipher, Hash, Iterations, Secret, list_to_binary(ClearText));
73encrypt(Cipher, Hash, Iterations, Secret, ClearText) when is_binary(ClearText) ->
74    Salt = crypto:strong_rand_bytes(16),
75    Ivec = crypto:strong_rand_bytes(iv_length(Cipher)),
76    Key = make_key(Cipher, Hash, Iterations, Secret, Salt),
77    Binary = crypto:crypto_one_time(Cipher, Key, Ivec, pad(Cipher, ClearText), true),
78    Encrypted = base64:encode(<<Salt/binary, Ivec/binary, Binary/binary>>),
79    {encrypted, Encrypted}.
80
81-spec decrypt(crypto:cipher_iv(), crypto:hash_algorithm(),
82              pos_integer(), iodata(), {'encrypted', binary() | [1..255]} | {'plaintext', _}) -> any().
83decrypt(_Cipher, _Hash, _Iterations, _Secret, {plaintext, ClearText}) ->
84    ClearText;
85decrypt(Cipher, Hash, Iterations, Secret, {encrypted, Base64Binary}) ->
86    IvLength = iv_length(Cipher),
87    << Salt:16/binary, Ivec:IvLength/binary, Binary/bits >> = base64:decode(Base64Binary),
88    Key = make_key(Cipher, Hash, Iterations, Secret, Salt),
89    unpad(crypto:crypto_one_time(Cipher, Key, Ivec, Binary, false)).
90
91%% Generate a key from a secret.
92
93make_key(Cipher, Hash, Iterations, Secret, Salt) ->
94    Key = pbdkdf2(Secret, Salt, Iterations, key_length(Cipher),
95        fun hmac/4, Hash, hash_length(Hash)),
96    if
97        Cipher =:= des3_cbc; Cipher =:= des3_cbf; Cipher =:= des3_cfb;
98                Cipher =:= des_ede3; Cipher =:= des_ede3_cbc;
99                Cipher =:= des_ede3_cbf; Cipher =:= des_ede3_cfb ->
100            << A:8/binary, B:8/binary, C:8/binary >> = Key,
101            [A, B, C];
102        true ->
103            Key
104    end.
105
106hmac(SubType, Key, Data, MacLength) ->
107    crypto:macN(hmac, SubType, Key, Data, MacLength).
108
109%% Functions to pad/unpad input to a multiplier of block size.
110
111pad(Cipher, Data) ->
112    BlockSize = block_size(Cipher),
113    N = BlockSize - (byte_size(Data) rem BlockSize),
114    Pad = list_to_binary(lists:duplicate(N, N)),
115    <<Data/binary, Pad/binary>>.
116
117unpad(Data) ->
118    N = binary:last(Data),
119    binary:part(Data, 0, byte_size(Data) - N).
120
121hash_length(Type) ->
122    maps:get(size, crypto:hash_info(Type)).
123
124iv_length(Type) ->
125    maps:get(iv_length, crypto:cipher_info(Type)).
126
127key_length(Type) ->
128    maps:get(key_length, crypto:cipher_info(Type)).
129
130block_size(Type) ->
131    maps:get(block_size, crypto:cipher_info(Type)).
132
133%% The following was taken from OTP's lib/public_key/src/pubkey_pbe.erl
134%%
135%% This is an undocumented interface to password-based encryption algorithms.
136%% These functions have been copied here to stay compatible with R16B03.
137
138%%--------------------------------------------------------------------
139-spec pbdkdf2(iodata(), iodata(), integer(), integer(), fun(), atom(), integer())
140	     -> binary().
141%%
142%% Description: Implements password based decryption key derive function 2.
143%% Exported mainly for testing purposes.
144%%--------------------------------------------------------------------
145pbdkdf2(Password, Salt, Count, DerivedKeyLen, Prf, PrfHash, PrfOutputLen)->
146    NumBlocks = ceiling(DerivedKeyLen / PrfOutputLen),
147    NumLastBlockOctets = DerivedKeyLen - (NumBlocks - 1) * PrfOutputLen ,
148    blocks(NumBlocks, NumLastBlockOctets, 1, Password, Salt,
149	   Count, Prf, PrfHash, PrfOutputLen, <<>>).
150
151blocks(1, N, Index, Password, Salt, Count, Prf, PrfHash, PrfLen, Acc) ->
152    <<XorSum:N/binary, _/binary>> = xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen),
153    <<Acc/binary, XorSum/binary>>;
154blocks(NumBlocks, N, Index, Password, Salt, Count, Prf, PrfHash, PrfLen, Acc) ->
155    XorSum = xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen),
156    blocks(NumBlocks -1, N, Index +1, Password, Salt, Count, Prf, PrfHash,
157	   PrfLen, <<Acc/binary, XorSum/binary>>).
158
159xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen) ->
160    Result = Prf(PrfHash, Password, [Salt,<<Index:32/unsigned-big-integer>>], PrfLen),
161    do_xor_sum(Prf, PrfHash, PrfLen, Result, Password, Count-1, Result).
162
163do_xor_sum(_, _, _, _, _, 0, Acc) ->
164    Acc;
165do_xor_sum(Prf, PrfHash, PrfLen, Prev, Password, Count, Acc) ->
166    Result = Prf(PrfHash, Password, Prev, PrfLen),
167    do_xor_sum(Prf, PrfHash, PrfLen, Result, Password, Count-1, crypto:exor(Acc, Result)).
168
169ceiling(Float) ->
170    erlang:round(Float + 0.5).
171