1 /*- 2 * Copyright (c) 2014 Michihiro NAKAJIMA 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "archive_platform.h" 27 28 #ifdef HAVE_STRING_H 29 #include <string.h> 30 #endif 31 #include "archive.h" 32 #include "archive_cryptor_private.h" 33 34 /* 35 * On systems that do not support any recognized crypto libraries, 36 * this file will normally define no usable symbols. 37 * 38 * But some compilers and linkers choke on empty object files, so 39 * define a public symbol that will always exist. This could 40 * be removed someday if this file gains another always-present 41 * symbol definition. 42 */ 43 int __libarchive_cryptor_build_hack(void) { 44 return 0; 45 } 46 47 #ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 48 49 static int 50 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 51 size_t salt_len, unsigned rounds, uint8_t *derived_key, 52 size_t derived_key_len) 53 { 54 CCKeyDerivationPBKDF(kCCPBKDF2, (const char *)pw, 55 pw_len, salt, salt_len, kCCPRFHmacAlgSHA1, rounds, 56 derived_key, derived_key_len); 57 return 0; 58 } 59 60 #elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 61 #ifdef _MSC_VER 62 #pragma comment(lib, "Bcrypt.lib") 63 #endif 64 65 static int 66 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 67 size_t salt_len, unsigned rounds, uint8_t *derived_key, 68 size_t derived_key_len) 69 { 70 NTSTATUS status; 71 BCRYPT_ALG_HANDLE hAlg; 72 73 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_SHA1_ALGORITHM, 74 MS_PRIMITIVE_PROVIDER, BCRYPT_ALG_HANDLE_HMAC_FLAG); 75 if (!BCRYPT_SUCCESS(status)) 76 return -1; 77 78 status = BCryptDeriveKeyPBKDF2(hAlg, 79 (PUCHAR)(uintptr_t)pw, (ULONG)pw_len, 80 (PUCHAR)(uintptr_t)salt, (ULONG)salt_len, rounds, 81 (PUCHAR)derived_key, (ULONG)derived_key_len, 0); 82 83 BCryptCloseAlgorithmProvider(hAlg, 0); 84 85 return (BCRYPT_SUCCESS(status)) ? 0: -1; 86 } 87 88 #elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_PBKDF2_H) 89 90 static int 91 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 92 size_t salt_len, unsigned rounds, uint8_t *derived_key, 93 size_t derived_key_len) { 94 pbkdf2_hmac_sha1((unsigned)pw_len, (const uint8_t *)pw, rounds, 95 salt_len, salt, derived_key_len, derived_key); 96 return 0; 97 } 98 99 #elif defined(HAVE_LIBCRYPTO) && defined(HAVE_PKCS5_PBKDF2_HMAC_SHA1) 100 101 static int 102 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 103 size_t salt_len, unsigned rounds, uint8_t *derived_key, 104 size_t derived_key_len) { 105 106 PKCS5_PBKDF2_HMAC_SHA1(pw, pw_len, salt, salt_len, rounds, 107 derived_key_len, derived_key); 108 return 0; 109 } 110 111 #else 112 113 /* Stub */ 114 static int 115 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 116 size_t salt_len, unsigned rounds, uint8_t *derived_key, 117 size_t derived_key_len) { 118 (void)pw; /* UNUSED */ 119 (void)pw_len; /* UNUSED */ 120 (void)salt; /* UNUSED */ 121 (void)salt_len; /* UNUSED */ 122 (void)rounds; /* UNUSED */ 123 (void)derived_key; /* UNUSED */ 124 (void)derived_key_len; /* UNUSED */ 125 return -1; /* UNSUPPORTED */ 126 } 127 128 #endif 129 130 #ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 131 # if MAC_OS_X_VERSION_MAX_ALLOWED < 1090 132 # define kCCAlgorithmAES kCCAlgorithmAES128 133 # endif 134 135 static int 136 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 137 { 138 CCCryptorStatus r; 139 140 ctx->key_len = key_len; 141 memcpy(ctx->key, key, key_len); 142 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 143 ctx->encr_pos = AES_BLOCK_SIZE; 144 r = CCCryptorCreateWithMode(kCCEncrypt, kCCModeECB, kCCAlgorithmAES, 145 ccNoPadding, NULL, key, key_len, NULL, 0, 0, 0, &ctx->ctx); 146 return (r == kCCSuccess)? 0: -1; 147 } 148 149 static int 150 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 151 { 152 CCCryptorRef ref = ctx->ctx; 153 CCCryptorStatus r; 154 155 r = CCCryptorReset(ref, NULL); 156 if (r != kCCSuccess && r != kCCUnimplemented) 157 return -1; 158 r = CCCryptorUpdate(ref, ctx->nonce, AES_BLOCK_SIZE, ctx->encr_buf, 159 AES_BLOCK_SIZE, NULL); 160 return (r == kCCSuccess)? 0: -1; 161 } 162 163 static int 164 aes_ctr_release(archive_crypto_ctx *ctx) 165 { 166 memset(ctx->key, 0, ctx->key_len); 167 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 168 return 0; 169 } 170 171 #elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 172 173 static int 174 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 175 { 176 BCRYPT_ALG_HANDLE hAlg; 177 BCRYPT_KEY_HANDLE hKey; 178 DWORD keyObj_len, aes_key_len; 179 PBYTE keyObj; 180 ULONG result; 181 NTSTATUS status; 182 BCRYPT_KEY_LENGTHS_STRUCT key_lengths; 183 184 ctx->hAlg = NULL; 185 ctx->hKey = NULL; 186 ctx->keyObj = NULL; 187 switch (key_len) { 188 case 16: aes_key_len = 128; break; 189 case 24: aes_key_len = 192; break; 190 case 32: aes_key_len = 256; break; 191 default: return -1; 192 } 193 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, 194 MS_PRIMITIVE_PROVIDER, 0); 195 if (!BCRYPT_SUCCESS(status)) 196 return -1; 197 status = BCryptGetProperty(hAlg, BCRYPT_KEY_LENGTHS, (PUCHAR)&key_lengths, 198 sizeof(key_lengths), &result, 0); 199 if (!BCRYPT_SUCCESS(status)) { 200 BCryptCloseAlgorithmProvider(hAlg, 0); 201 return -1; 202 } 203 if (key_lengths.dwMinLength > aes_key_len 204 || key_lengths.dwMaxLength < aes_key_len) { 205 BCryptCloseAlgorithmProvider(hAlg, 0); 206 return -1; 207 } 208 status = BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&keyObj_len, 209 sizeof(keyObj_len), &result, 0); 210 if (!BCRYPT_SUCCESS(status)) { 211 BCryptCloseAlgorithmProvider(hAlg, 0); 212 return -1; 213 } 214 keyObj = (PBYTE)HeapAlloc(GetProcessHeap(), 0, keyObj_len); 215 if (keyObj == NULL) { 216 BCryptCloseAlgorithmProvider(hAlg, 0); 217 return -1; 218 } 219 status = BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, 220 (PUCHAR)BCRYPT_CHAIN_MODE_ECB, sizeof(BCRYPT_CHAIN_MODE_ECB), 0); 221 if (!BCRYPT_SUCCESS(status)) { 222 BCryptCloseAlgorithmProvider(hAlg, 0); 223 HeapFree(GetProcessHeap(), 0, keyObj); 224 return -1; 225 } 226 status = BCryptGenerateSymmetricKey(hAlg, &hKey, 227 keyObj, keyObj_len, 228 (PUCHAR)(uintptr_t)key, (ULONG)key_len, 0); 229 if (!BCRYPT_SUCCESS(status)) { 230 BCryptCloseAlgorithmProvider(hAlg, 0); 231 HeapFree(GetProcessHeap(), 0, keyObj); 232 return -1; 233 } 234 235 ctx->hAlg = hAlg; 236 ctx->hKey = hKey; 237 ctx->keyObj = keyObj; 238 ctx->keyObj_len = keyObj_len; 239 ctx->encr_pos = AES_BLOCK_SIZE; 240 241 return 0; 242 } 243 244 static int 245 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 246 { 247 NTSTATUS status; 248 ULONG result; 249 250 status = BCryptEncrypt(ctx->hKey, (PUCHAR)ctx->nonce, AES_BLOCK_SIZE, 251 NULL, NULL, 0, (PUCHAR)ctx->encr_buf, AES_BLOCK_SIZE, 252 &result, 0); 253 return BCRYPT_SUCCESS(status) ? 0 : -1; 254 } 255 256 static int 257 aes_ctr_release(archive_crypto_ctx *ctx) 258 { 259 260 if (ctx->hAlg != NULL) { 261 BCryptCloseAlgorithmProvider(ctx->hAlg, 0); 262 ctx->hAlg = NULL; 263 BCryptDestroyKey(ctx->hKey); 264 ctx->hKey = NULL; 265 HeapFree(GetProcessHeap(), 0, ctx->keyObj); 266 ctx->keyObj = NULL; 267 } 268 memset(ctx, 0, sizeof(*ctx)); 269 return 0; 270 } 271 272 #elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_AES_H) 273 274 static int 275 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 276 { 277 ctx->key_len = key_len; 278 memcpy(ctx->key, key, key_len); 279 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 280 ctx->encr_pos = AES_BLOCK_SIZE; 281 memset(&ctx->ctx, 0, sizeof(ctx->ctx)); 282 return 0; 283 } 284 285 static int 286 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 287 { 288 aes_set_encrypt_key(&ctx->ctx, ctx->key_len, ctx->key); 289 aes_encrypt(&ctx->ctx, AES_BLOCK_SIZE, ctx->encr_buf, ctx->nonce); 290 return 0; 291 } 292 293 static int 294 aes_ctr_release(archive_crypto_ctx *ctx) 295 { 296 memset(ctx, 0, sizeof(*ctx)); 297 return 0; 298 } 299 300 #elif defined(HAVE_LIBCRYPTO) 301 302 static int 303 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 304 { 305 if ((ctx->ctx = EVP_CIPHER_CTX_new()) == NULL) 306 return -1; 307 308 switch (key_len) { 309 case 16: ctx->type = EVP_aes_128_ecb(); break; 310 case 24: ctx->type = EVP_aes_192_ecb(); break; 311 case 32: ctx->type = EVP_aes_256_ecb(); break; 312 default: ctx->type = NULL; return -1; 313 } 314 315 ctx->key_len = key_len; 316 memcpy(ctx->key, key, key_len); 317 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 318 ctx->encr_pos = AES_BLOCK_SIZE; 319 EVP_CIPHER_CTX_init(ctx->ctx); 320 return 0; 321 } 322 323 static int 324 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 325 { 326 int outl = 0; 327 int r; 328 329 r = EVP_EncryptInit_ex(ctx->ctx, ctx->type, NULL, ctx->key, NULL); 330 if (r == 0) 331 return -1; 332 r = EVP_EncryptUpdate(ctx->ctx, ctx->encr_buf, &outl, ctx->nonce, 333 AES_BLOCK_SIZE); 334 if (r == 0 || outl != AES_BLOCK_SIZE) 335 return -1; 336 return 0; 337 } 338 339 static int 340 aes_ctr_release(archive_crypto_ctx *ctx) 341 { 342 EVP_CIPHER_CTX_free(ctx->ctx); 343 memset(ctx->key, 0, ctx->key_len); 344 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 345 return 0; 346 } 347 348 #else 349 350 #define ARCHIVE_CRYPTOR_STUB 351 /* Stub */ 352 static int 353 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 354 { 355 (void)ctx; /* UNUSED */ 356 (void)key; /* UNUSED */ 357 (void)key_len; /* UNUSED */ 358 return -1; 359 } 360 361 static int 362 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 363 { 364 (void)ctx; /* UNUSED */ 365 return -1; 366 } 367 368 static int 369 aes_ctr_release(archive_crypto_ctx *ctx) 370 { 371 (void)ctx; /* UNUSED */ 372 return 0; 373 } 374 375 #endif 376 377 #ifdef ARCHIVE_CRYPTOR_STUB 378 static int 379 aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 380 size_t in_len, uint8_t * const out, size_t *out_len) 381 { 382 (void)ctx; /* UNUSED */ 383 (void)in; /* UNUSED */ 384 (void)in_len; /* UNUSED */ 385 (void)out; /* UNUSED */ 386 (void)out_len; /* UNUSED */ 387 aes_ctr_encrypt_counter(ctx); /* UNUSED */ /* Fix unused function warning */ 388 return -1; 389 } 390 391 #else 392 static void 393 aes_ctr_increase_counter(archive_crypto_ctx *ctx) 394 { 395 uint8_t *const nonce = ctx->nonce; 396 int j; 397 398 for (j = 0; j < 8; j++) { 399 if (++nonce[j]) 400 break; 401 } 402 } 403 404 static int 405 aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 406 size_t in_len, uint8_t * const out, size_t *out_len) 407 { 408 uint8_t *const ebuf = ctx->encr_buf; 409 unsigned pos = ctx->encr_pos; 410 unsigned max = (unsigned)((in_len < *out_len)? in_len: *out_len); 411 unsigned i; 412 413 for (i = 0; i < max; ) { 414 if (pos == AES_BLOCK_SIZE) { 415 aes_ctr_increase_counter(ctx); 416 if (aes_ctr_encrypt_counter(ctx) != 0) 417 return -1; 418 while (max -i >= AES_BLOCK_SIZE) { 419 for (pos = 0; pos < AES_BLOCK_SIZE; pos++) 420 out[i+pos] = in[i+pos] ^ ebuf[pos]; 421 i += AES_BLOCK_SIZE; 422 aes_ctr_increase_counter(ctx); 423 if (aes_ctr_encrypt_counter(ctx) != 0) 424 return -1; 425 } 426 pos = 0; 427 if (i >= max) 428 break; 429 } 430 out[i] = in[i] ^ ebuf[pos++]; 431 i++; 432 } 433 ctx->encr_pos = pos; 434 *out_len = i; 435 436 return 0; 437 } 438 #endif /* ARCHIVE_CRYPTOR_STUB */ 439 440 441 const struct archive_cryptor __archive_cryptor = 442 { 443 &pbkdf2_sha1, 444 &aes_ctr_init, 445 &aes_ctr_update, 446 &aes_ctr_release, 447 &aes_ctr_init, 448 &aes_ctr_update, 449 &aes_ctr_release, 450 }; 451