1 /*
2 Copyright (C) 2008-2017, Millistream Market Data <support@millistream.com>
3
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU Lesser General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU Lesser General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>.
16
17 */
18
19 #include "common.h"
20 #include "crypt.h"
21
22 /* List of the digest methods that we support */
23 static const struct cryptosystem digests[] = {
24 #if defined MD5_DIGEST_LENGTH && !defined OPENSSL_NO_MD5
25 { 0, MD5_DIGEST_LENGTH, "HMAC-MD5" },
26 #endif
27 #if defined SHA_DIGEST_LENGTH && !defined OPENSSL_NO_SHA1
28 { 1, SHA_DIGEST_LENGTH, "HMAC-SHA1" },
29 #endif
30 #if defined RIPEMD160_DIGEST_LENGTH && !defined OPENSSL_NO_RIPEMD
31 { 3, RIPEMD160_DIGEST_LENGTH, "HMAC-RIPEMD160" },
32 #endif
33 #if defined SHA256_DIGEST_LENGTH && !defined OPENSSL_NO_SHA256
34 { 2, SHA256_DIGEST_LENGTH, "HMAC-SHA256" },
35 #endif
36 #if defined SHA512_DIGEST_LENGTH && !defined OPENSSL_NO_SHA512
37 { 4, SHA512_DIGEST_LENGTH, "HMAC-SHA512" },
38 #endif
39 #if defined WHIRLPOOL_DIGEST_LENGTH && !defined OPENSSL_NO_WHIRLPOOL
40 { 5, WHIRLPOOL_DIGEST_LENGTH, "HMAC-WHIRLPOOL512" },
41 #endif
42 };
43
44 /* List of the encryption methods that we support */
45 static const struct cryptosystem encryptions[] = {
46 { 0, 16, "AES128-CTR" },
47 { 1, 24, "AES192-CTR" },
48 { 2, 32, "AES256-CTR" },
49 };
50
51 /* The Millistream server's public RSA key */
52 static const char rsa_publickey[] =
53 "-----BEGIN RSA PUBLIC KEY-----\n"
54 "MIICCgKCAgEArRXTTnI8lLeRPOkhYzvVT4AI2mrFbiIvPErWHFsDxKmlQB7qMOOt\n"
55 "CGeA8sMRvUPo3XrRhUWibUfusqxHE+b2Bj+8HCxMoF9Ao8PCxudQrX/2ufvP6kY2\n"
56 "ObgqpjmbWbUKUIm9l/UzmeS1qjQ5eKQKKreHHLFz9HHKLavFwkdPop8g+p3JlJXr\n"
57 "pqiDkgdKl0+gD1s9ZY3aLib7eUGvCwcR5bXxajMlOzSt8TQWok1G5pWBSoJ1wHjg\n"
58 "mY2/n0RF88ZK2Gl+zD7++hnnktTM2hTjTNQ0ULGKWmx1bcG45EHgx+w8E+0ERAfp\n"
59 "wL4CNwVpb0VwzjX43R7OMepOP1PpkVaN1hqJmWLH22bsHPboV7t9IW3HTmfSnVt9\n"
60 "xH4Zm2530Yl3LEP/HsjwpjQb5zA3bHaiOtQHDeCB9hASARIo7Mm6EE1uLwqM3EKH\n"
61 "RveQABf+N6+bA13RmrXajhrMmT8uAgGQDh4MjU24cReSUfnS2lVGu3674RLqvgcf\n"
62 "ZOZ5voPTYt6MkOCpn5KCw22Cp3x8IgyIE+q0S26aYXqY5OA5ZXHSOttUIYmkc6rY\n"
63 "vq/YRKUNfxuVdgsIRh3f44IsBs4DPZ1nFmG8FbXDTAjGVw6P6LvUvNXjhF5CnxZg\n"
64 "qX3LIvf/qEniPfZSrHJwWIXICAYVBOrQE0QpEAxHnB1HAWbH31SJQRECAwEAAQ==\n"
65 "-----END RSA PUBLIC KEY-----\n";
66
mdf_int_load_rsapublickey()67 RSA *mdf_int_load_rsapublickey ()
68 {
69 RSA *rsa;
70 BIO *bio = BIO_new_mem_buf ((void *)rsa_publickey, -1);
71 rsa = PEM_read_bio_RSAPublicKey (bio, NULL, NULL, NULL);
72 BIO_free_all (bio);
73
74 return rsa;
75 }
76
mdf_int_sizeof_cryptmethods()77 int mdf_int_sizeof_cryptmethods ()
78 {
79 return sizeof (uint32_t) * (NELEMS (digests) + 1) + sizeof (uint32_t) * (NELEMS (encryptions) + 1);
80 }
81
mdf_int_populate_cryptmethods(uint8_t * message,int * position)82 void mdf_int_populate_cryptmethods (uint8_t *message, int *position)
83 {
84 int i;
85
86 /* we add the list of supported digest methods */
87 *((uint32_t *)(message + *position)) = cpu_to_le32 (NELEMS (digests));
88 *position += sizeof (uint32_t);
89
90 for (i = 0; i < NELEMS (digests); i++) {
91 *((uint32_t *)(message + *position)) = cpu_to_le32 (digests[i].type);
92 *position += sizeof (uint32_t);
93 }
94
95 /* we add the list of supported encryption methods */
96 *((uint32_t *)(message + *position)) = cpu_to_le32 (NELEMS (encryptions));
97 *position += sizeof (uint32_t);
98
99 for (i = 0; i < NELEMS (encryptions); i++) {
100 *((uint32_t *)(message + *position)) = cpu_to_le32 (encryptions[i].type);
101 *position += sizeof (uint32_t);
102 }
103 }
104
mdf_int_digests_verify(const int type,int * restrict method,int * restrict length)105 int mdf_int_digests_verify (const int type, int * restrict method, int * restrict length)
106 {
107 int i;
108 for (i = 0; i < NELEMS (digests); i++) {
109 if (digests[i].type == type) {
110 *method = type;
111 *length = digests[i].size;
112 return 1;
113 }
114 }
115
116 return 0;
117 }
118
mdf_int_encryptions_verify(const int type,int * method)119 int mdf_int_encryptions_verify (const int type, int *method)
120 {
121 int i;
122 for (i = 0; i < NELEMS (encryptions); i++) {
123 if (encryptions[i].type == type) {
124 *method = type;
125 return 1;
126 }
127 }
128
129 return 0;
130 }
131
mdf_int_digest_init(const int digest_method,union digest_ctx * ctx)132 int mdf_int_digest_init (const int digest_method, union digest_ctx *ctx)
133 {
134 #if defined MD5_DIGEST_LENGTH && !defined OPENSSL_NO_MD5
135 if (digest_method == 0)
136 return MD5_Init (&ctx->md5);
137 #endif
138 #if defined SHA_DIGEST_LENGTH && !defined OPENSSL_NO_SHA1
139 if (digest_method == 1)
140 return SHA1_Init (&ctx->sha1);
141 #endif
142 #if defined SHA256_DIGEST_LENGTH && !defined OPENSSL_NO_SHA256
143 if (digest_method == 2)
144 return SHA256_Init (&ctx->sha256);
145 #endif
146 #if defined RIPEMD160_DIGEST_LENGTH && !defined OPENSSL_NO_RIPEMD
147 if (digest_method == 3)
148 return RIPEMD160_Init (&ctx->ripemd160);
149 #endif
150 #if defined SHA512_DIGEST_LENGTH && !defined OPENSSL_NO_SHA512
151 if (digest_method == 4)
152 return SHA512_Init (&ctx->sha512);
153 #endif
154 #if defined WHIRLPOOL_DIGEST_LENGTH && !defined OPENSSL_NO_WHIRLPOOL
155 if (digest_method == 5)
156 return WHIRLPOOL_Init (&ctx->whirlpool);
157 #endif
158 return 0;
159 }
160
mdf_int_digest_update(const int digest_method,union digest_ctx * ctx,const void * data,size_t len)161 int mdf_int_digest_update (const int digest_method, union digest_ctx *ctx, const void *data, size_t len)
162 {
163 #if defined MD5_DIGEST_LENGTH && !defined OPENSSL_NO_MD5
164 if (digest_method == 0)
165 return MD5_Update (&ctx->md5, data, len);
166 #endif
167 #if defined SHA_DIGEST_LENGTH && !defined OPENSSL_NO_SHA1
168 if (digest_method == 1)
169 return SHA1_Update (&ctx->sha1, data, len);
170 #endif
171 #if defined SHA256_DIGEST_LENGTH && !defined OPENSSL_NO_SHA256
172 if (digest_method == 2)
173 return SHA256_Update (&ctx->sha256, data, len);
174 #endif
175 #if defined RIPEMD160_DIGEST_LENGTH && !defined OPENSSL_NO_RIPEMD
176 if (digest_method == 3)
177 return RIPEMD160_Update (&ctx->ripemd160, data, len);
178 #endif
179 #if defined SHA512_DIGEST_LENGTH && !defined OPENSSL_NO_SHA512
180 if (digest_method == 4)
181 return SHA512_Update (&ctx->sha512, data, len);
182 #endif
183 #if defined WHIRLPOOL_DIGEST_LENGTH && !defined OPENSSL_NO_WHIRLPOOL
184 if (digest_method == 5)
185 return WHIRLPOOL_Update (&ctx->whirlpool, data, len);
186 #endif
187 return 0;
188 }
189
mdf_int_digest_final(const int digest_method,unsigned char * md,union digest_ctx * ctx)190 int mdf_int_digest_final (const int digest_method, unsigned char *md, union digest_ctx *ctx)
191 {
192 #if defined MD5_DIGEST_LENGTH && !defined OPENSSL_NO_MD5
193 if (digest_method == 0)
194 return MD5_Final (md, &ctx->md5);
195 #endif
196 #if defined SHA_DIGEST_LENGTH && !defined OPENSSL_NO_SHA1
197 if (digest_method == 1)
198 return SHA1_Final (md, &ctx->sha1);
199 #endif
200 #if defined SHA256_DIGEST_LENGTH && !defined OPENSSL_NO_SHA256
201 if (digest_method == 2)
202 return SHA256_Final (md, &ctx->sha256);
203 #endif
204 #if defined RIPEMD160_DIGEST_LENGTH && !defined OPENSSL_NO_RIPEMD
205 if (digest_method == 3)
206 return RIPEMD160_Final (md, &ctx->ripemd160);
207 #endif
208 #if defined SHA512_DIGEST_LENGTH && !defined OPENSSL_NO_SHA512
209 if (digest_method == 4)
210 return SHA512_Final (md, &ctx->sha512);
211 #endif
212 #if defined WHIRLPOOL_DIGEST_LENGTH && !defined OPENSSL_NO_WHIRLPOOL
213 if (digest_method == 5)
214 return WHIRLPOOL_Final (md, &ctx->whirlpool);
215 #endif
216 return 0;
217 }
218
mdf_int_digest_verify(const int digest_method,unsigned char * restrict md,unsigned char * restrict sig,unsigned int siglen,RSA * rsa)219 int mdf_int_digest_verify (const int digest_method, unsigned char * restrict md, unsigned char * restrict sig, unsigned int siglen, RSA *rsa)
220 {
221 #if defined MD5_DIGEST_LENGTH && !defined OPENSSL_NO_MD5
222 if (digest_method == 0)
223 return RSA_verify (NID_md5, md, MD5_DIGEST_LENGTH, sig, siglen, rsa);
224 #endif
225 #if defined SHA_DIGEST_LENGTH && !defined OPENSSL_NO_SHA1
226 if (digest_method == 1)
227 return RSA_verify (NID_sha1, md, SHA_DIGEST_LENGTH, sig, siglen, rsa);
228 #endif
229 #if defined SHA256_DIGEST_LENGTH && !defined OPENSSL_NO_SHA256
230 if (digest_method == 2)
231 return RSA_verify (NID_sha256, md, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
232 #endif
233 #if defined RIPEMD160_DIGEST_LENGTH && !defined OPENSSL_NO_RIPEMD
234 if (digest_method == 3)
235 return RSA_verify (NID_ripemd160, md, RIPEMD160_DIGEST_LENGTH, sig, siglen, rsa);
236 #endif
237 #if defined SHA512_DIGEST_LENGTH && !defined OPENSSL_NO_SHA512
238 if (digest_method == 4)
239 return RSA_verify (NID_sha512, md, SHA512_DIGEST_LENGTH, sig, siglen, rsa);
240 #endif
241 #if defined WHIRLPOOL_DIGEST_LENGTH && !defined OPENSSL_NO_WHIRLPOOL
242 if (digest_method == 5)
243 return RSA_verify (NID_whirlpool, md, WHIRLPOOL_DIGEST_LENGTH, sig, siglen, rsa);
244 #endif
245 return 0;
246 }
247
mdf_int_set_keys(mdf_t handle,unsigned char * restrict nonce,int nonce_len,AES_KEY ** key,HMAC_CTX ** hmac,unsigned char ** restrict iv)248 void mdf_int_set_keys (mdf_t handle, unsigned char * restrict nonce, int nonce_len, AES_KEY **key, HMAC_CTX **hmac, unsigned char ** restrict iv)
249 {
250 union digest_ctx ctx;
251 unsigned char *md;
252 int aes_key_size = 256;
253 int digest_length = handle->digest_length;
254
255 if (handle->encryption_method == 0)
256 aes_key_size = 128;
257 else if (handle->encryption_method == 1)
258 aes_key_size = 192;
259
260 if (aes_key_size / 8 > digest_length)
261 digest_length = aes_key_size / 8;
262
263 md = calloc (1, digest_length);
264
265 mdf_int_digest_init (handle->digest_method, &ctx);
266 mdf_int_digest_update (handle->digest_method, &ctx, handle->master_secret, handle->digest_length);
267 mdf_int_digest_update (handle->digest_method, &ctx, nonce, nonce_len);
268
269 /* this string is added to the digest so that the encryption key and the authentication key
270 * will differ, that they are both known does not make any difference for the security of
271 * the system. If the attacker got his hands on the encryption key, he still has to perform a
272 * brute-force search on the master_key to get to the authentication key, and even if the
273 * attacker got both keys, he still has to brute-force to get the master_key. And since the
274 * master_key is random and the full length of the digest method used it's still as secure
275 * as the underlying digest method allows us */
276 mdf_int_digest_update (handle->digest_method, &ctx, "C6INKrSnGoox4i7v9omJAvezRjDfBTG3s1nnzxzOnkJXIhOlhVE0ArmCHiWXSZVY", 64);
277 mdf_int_digest_final (handle->digest_method, md, &ctx);
278
279 if (*key == NULL)
280 *key = malloc (sizeof (AES_KEY));
281
282 AES_set_encrypt_key (md, aes_key_size, *key);
283
284 mdf_int_digest_init (handle->digest_method, &ctx);
285 mdf_int_digest_update (handle->digest_method, &ctx, handle->master_secret, handle->digest_length);
286 mdf_int_digest_update (handle->digest_method, &ctx, nonce, nonce_len);
287
288 /* this string is added to the digest so that the encryption key and the authentication key
289 * will differ, that they are both known does not make any difference for the security of
290 * the system. If the attacker got his hands on the encryption key, he still has to perform a
291 * brute-force search on the master_key to get to the authentication key, and even if the
292 * attacker got both keys, he still has to brute-force to get the master_key. And since the
293 * master_key is random and the full length of the digest method used it's still as secure
294 * as the underlying digest method allows us */
295 mdf_int_digest_update (handle->digest_method, &ctx, "gv28ffES1nzPNy8YRxfvbo6UPJITTzr4S9FVJkFyW61u6OPDFDjk7y6jBKBatyb3", 64);
296 mdf_int_digest_final (handle->digest_method, md, &ctx);
297
298 if (*hmac == NULL) {
299 #if OPENSSL_VERSION_NUMBER < 0x10100000L
300 *hmac = OPENSSL_malloc (sizeof (HMAC_CTX));
301 HMAC_CTX_init (*hmac);
302 #else
303 *hmac = HMAC_CTX_new ();
304 #endif
305 }
306
307 #if defined MD5_DIGEST_LENGTH && !defined OPENSSL_NO_MD5
308 if (handle->digest_method == 0)
309 HMAC_Init_ex (*hmac, md, MD5_DIGEST_LENGTH, EVP_md5(), NULL);
310 #endif
311 #if defined SHA_DIGEST_LENGTH && !defined OPENSSL_NO_SHA1
312 if (handle->digest_method == 1)
313 HMAC_Init_ex (*hmac, md, SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
314 #endif
315 #if defined SHA256_DIGEST_LENGTH && !defined OPENSSL_NO_SHA256
316 if (handle->digest_method == 2)
317 HMAC_Init_ex (*hmac, md, SHA256_DIGEST_LENGTH, EVP_sha256(), NULL);
318 #endif
319 #if defined RIPEMD160_DIGEST_LENGTH && !defined OPENSSL_NO_RIPEMD
320 if (handle->digest_method == 3)
321 HMAC_Init_ex (*hmac, md, RIPEMD160_DIGEST_LENGTH, EVP_ripemd160(), NULL);
322 #endif
323 #if defined SHA512_DIGEST_LENGTH && !defined OPENSSL_NO_SHA512
324 if (handle->digest_method == 4)
325 HMAC_Init_ex (*hmac, md, SHA512_DIGEST_LENGTH, EVP_sha512(), NULL);
326 #endif
327 #if defined WHIRLPOOL_DIGEST_LENGTH && !defined OPENSSL_NO_WHIRLPOOL
328 if (handle->digest_method == 5)
329 HMAC_Init_ex (*hmac, md, WHIRLPOOL_DIGEST_LENGTH, EVP_whirlpool(), NULL);
330 #endif
331
332 if (*iv != NULL)
333 memset (*iv, 0, AES_BLOCK_SIZE);
334 else
335 *iv = calloc (1, AES_BLOCK_SIZE);
336
337 free (md);
338 }
339
mdf_int_handle_server_rekey(mdf_t handle,uint8_t * data,const size_t tlen)340 void mdf_int_handle_server_rekey (mdf_t handle, uint8_t *data, const size_t tlen)
341 {
342 size_t offset;
343 size_t used = le32_to_cpu (*((uint32_t *)(data)));
344
345 /* it's not possible to turn encryption back on */
346 if ((handle->cstate & CSTATE_DECRYPT) == 0)
347 return;
348
349 /* simple buffer overrun protection */
350 if (used > 1024*1024)
351 return;
352
353 offset = sizeof (uint32_t);
354
355 if (offset + used > tlen)
356 return;
357
358 /* this is the signal to disable encryption */
359 if (used == 0) {
360 handle->cstate &= ~CSTATE_DECRYPT;
361
362 free (handle->server_iv);
363 handle->server_iv = NULL;
364
365 free (handle->server_enc);
366 handle->server_enc = NULL;
367
368 if (handle->server_hmac != NULL) {
369 #if OPENSSL_VERSION_NUMBER < 0x10100000L
370 HMAC_CTX_cleanup (handle->server_hmac);
371 OPENSSL_free (handle->server_hmac);
372 #else
373 HMAC_CTX_free (handle->server_hmac);
374 #endif
375 handle->server_hmac = NULL;
376 }
377
378 return;
379 }
380
381 if (used < (size_t) handle->digest_length)
382 return;
383
384 mdf_int_set_keys (handle, data + offset, used, &handle->server_enc, &handle->server_hmac, &handle->server_iv);
385 }
386
387 /* encrypt (and decrypt) a block of data using AES in counter mode,
388 * the IV consists of a 64 bit message number, a 32 bit block number
389 * and 32 bits of "unused" zeroes. For each encrypted block we increase
390 * the block number and for each new message we increase the message
391 * number */
mdf_int_encrypt_aes_ctr(uint8_t * restrict out,const size_t len,AES_KEY * key,uint8_t * restrict iv)392 void mdf_int_encrypt_aes_ctr (uint8_t * restrict out, const size_t len, AES_KEY *key, uint8_t * restrict iv)
393 {
394 size_t l = len;
395 unsigned int n = 0;
396 unsigned char block[AES_BLOCK_SIZE];
397
398 while (l-- != 0) {
399 if (n == 0) {
400 AES_encrypt (iv, block, key);
401 *((uint32_t *)(iv + sizeof (uint64_t))) = cpu_to_le32 (le32_to_cpu (*((uint32_t *) (iv + sizeof (uint64_t)))) + 1);
402 }
403
404 *(out++) ^= block[n];
405 n = (n + 1) % AES_BLOCK_SIZE;
406 }
407
408 *((uint64_t *)iv) = cpu_to_le64 (le64_to_cpu (*((uint64_t *) iv)) + 1);
409 }
410
mdf_int_decrypt_data(mdf_t handle,uint8_t * data,const uint32_t len,const int pos)411 int mdf_int_decrypt_data (mdf_t handle, uint8_t *data, const uint32_t len, const int pos)
412 {
413 unsigned char md[MAX_DIGEST_LENGTH];
414 const uint32_t tmp_u32 = cpu_to_le32 (len);
415
416 HMAC_Init_ex (handle->server_hmac, NULL, 0, NULL, NULL);
417 HMAC_Update (handle->server_hmac, handle->server_iv, sizeof (uint64_t));
418 HMAC_Update (handle->server_hmac, (const unsigned char *) &tmp_u32, sizeof tmp_u32);
419
420 mdf_int_encrypt_aes_ctr (data + pos, len - pos, handle->server_enc, handle->server_iv);
421
422 HMAC_Update (handle->server_hmac, data, len - handle->digest_length);
423 HMAC_Final (handle->server_hmac, md, NULL);
424
425 return memcmp (data + len - handle->digest_length, md, handle->digest_length);
426 }
427
428