1 /*- 2 * Copyright (c) 2014 Michihiro NAKAJIMA 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "archive_platform.h" 27 28 #ifdef HAVE_STRING_H 29 #include <string.h> 30 #endif 31 #include "archive.h" 32 #include "archive_cryptor_private.h" 33 34 /* 35 * On systems that do not support any recognized crypto libraries, 36 * this file will normally define no usable symbols. 37 * 38 * But some compilers and linkers choke on empty object files, so 39 * define a public symbol that will always exist. This could 40 * be removed someday if this file gains another always-present 41 * symbol definition. 42 */ 43 int __libarchive_cryptor_build_hack(void) { 44 return 0; 45 } 46 47 #ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 48 49 static int 50 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 51 size_t salt_len, unsigned rounds, uint8_t *derived_key, 52 size_t derived_key_len) 53 { 54 CCKeyDerivationPBKDF(kCCPBKDF2, (const char *)pw, 55 pw_len, salt, salt_len, kCCPRFHmacAlgSHA1, rounds, 56 derived_key, derived_key_len); 57 return 0; 58 } 59 60 #elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 61 #ifdef _MSC_VER 62 #pragma comment(lib, "Bcrypt.lib") 63 #endif 64 65 static int 66 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 67 size_t salt_len, unsigned rounds, uint8_t *derived_key, 68 size_t derived_key_len) 69 { 70 NTSTATUS status; 71 BCRYPT_ALG_HANDLE hAlg; 72 73 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_SHA1_ALGORITHM, 74 MS_PRIMITIVE_PROVIDER, BCRYPT_ALG_HANDLE_HMAC_FLAG); 75 if (!BCRYPT_SUCCESS(status)) 76 return -1; 77 78 status = BCryptDeriveKeyPBKDF2(hAlg, 79 (PUCHAR)(uintptr_t)pw, (ULONG)pw_len, 80 (PUCHAR)(uintptr_t)salt, (ULONG)salt_len, rounds, 81 (PUCHAR)derived_key, (ULONG)derived_key_len, 0); 82 83 BCryptCloseAlgorithmProvider(hAlg, 0); 84 85 return (BCRYPT_SUCCESS(status)) ? 0: -1; 86 } 87 88 #elif defined(HAVE_LIBMBEDCRYPTO) && defined(HAVE_MBEDTLS_PKCS5_H) 89 90 static int 91 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 92 size_t salt_len, unsigned rounds, uint8_t *derived_key, 93 size_t derived_key_len) 94 { 95 mbedtls_md_context_t ctx; 96 const mbedtls_md_info_t *info; 97 int ret; 98 99 mbedtls_md_init(&ctx); 100 info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1); 101 if (info == NULL) { 102 mbedtls_md_free(&ctx); 103 return (-1); 104 } 105 ret = mbedtls_md_setup(&ctx, info, 1); 106 if (ret != 0) { 107 mbedtls_md_free(&ctx); 108 return (-1); 109 } 110 ret = mbedtls_pkcs5_pbkdf2_hmac(&ctx, (const unsigned char *)pw, 111 pw_len, salt, salt_len, rounds, derived_key_len, derived_key); 112 113 mbedtls_md_free(&ctx); 114 return (ret); 115 } 116 117 #elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_PBKDF2_H) 118 119 static int 120 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 121 size_t salt_len, unsigned rounds, uint8_t *derived_key, 122 size_t derived_key_len) { 123 pbkdf2_hmac_sha1((unsigned)pw_len, (const uint8_t *)pw, rounds, 124 salt_len, salt, derived_key_len, derived_key); 125 return 0; 126 } 127 128 #elif defined(HAVE_LIBCRYPTO) && defined(HAVE_PKCS5_PBKDF2_HMAC_SHA1) 129 130 static int 131 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 132 size_t salt_len, unsigned rounds, uint8_t *derived_key, 133 size_t derived_key_len) { 134 135 PKCS5_PBKDF2_HMAC_SHA1(pw, pw_len, salt, salt_len, rounds, 136 derived_key_len, derived_key); 137 return 0; 138 } 139 140 #else 141 142 /* Stub */ 143 static int 144 pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 145 size_t salt_len, unsigned rounds, uint8_t *derived_key, 146 size_t derived_key_len) { 147 (void)pw; /* UNUSED */ 148 (void)pw_len; /* UNUSED */ 149 (void)salt; /* UNUSED */ 150 (void)salt_len; /* UNUSED */ 151 (void)rounds; /* UNUSED */ 152 (void)derived_key; /* UNUSED */ 153 (void)derived_key_len; /* UNUSED */ 154 return -1; /* UNSUPPORTED */ 155 } 156 157 #endif 158 159 #ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 160 # if MAC_OS_X_VERSION_MAX_ALLOWED < 1090 161 # define kCCAlgorithmAES kCCAlgorithmAES128 162 # endif 163 164 static int 165 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 166 { 167 CCCryptorStatus r; 168 169 ctx->key_len = key_len; 170 memcpy(ctx->key, key, key_len); 171 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 172 ctx->encr_pos = AES_BLOCK_SIZE; 173 r = CCCryptorCreateWithMode(kCCEncrypt, kCCModeECB, kCCAlgorithmAES, 174 ccNoPadding, NULL, key, key_len, NULL, 0, 0, 0, &ctx->ctx); 175 return (r == kCCSuccess)? 0: -1; 176 } 177 178 static int 179 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 180 { 181 CCCryptorRef ref = ctx->ctx; 182 CCCryptorStatus r; 183 184 r = CCCryptorReset(ref, NULL); 185 if (r != kCCSuccess && r != kCCUnimplemented) 186 return -1; 187 r = CCCryptorUpdate(ref, ctx->nonce, AES_BLOCK_SIZE, ctx->encr_buf, 188 AES_BLOCK_SIZE, NULL); 189 return (r == kCCSuccess)? 0: -1; 190 } 191 192 static int 193 aes_ctr_release(archive_crypto_ctx *ctx) 194 { 195 memset(ctx->key, 0, ctx->key_len); 196 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 197 return 0; 198 } 199 200 #elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 201 202 static int 203 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 204 { 205 BCRYPT_ALG_HANDLE hAlg; 206 BCRYPT_KEY_HANDLE hKey; 207 DWORD keyObj_len, aes_key_len; 208 PBYTE keyObj; 209 ULONG result; 210 NTSTATUS status; 211 BCRYPT_KEY_LENGTHS_STRUCT key_lengths; 212 213 ctx->hAlg = NULL; 214 ctx->hKey = NULL; 215 ctx->keyObj = NULL; 216 switch (key_len) { 217 case 16: aes_key_len = 128; break; 218 case 24: aes_key_len = 192; break; 219 case 32: aes_key_len = 256; break; 220 default: return -1; 221 } 222 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, 223 MS_PRIMITIVE_PROVIDER, 0); 224 if (!BCRYPT_SUCCESS(status)) 225 return -1; 226 status = BCryptGetProperty(hAlg, BCRYPT_KEY_LENGTHS, (PUCHAR)&key_lengths, 227 sizeof(key_lengths), &result, 0); 228 if (!BCRYPT_SUCCESS(status)) { 229 BCryptCloseAlgorithmProvider(hAlg, 0); 230 return -1; 231 } 232 if (key_lengths.dwMinLength > aes_key_len 233 || key_lengths.dwMaxLength < aes_key_len) { 234 BCryptCloseAlgorithmProvider(hAlg, 0); 235 return -1; 236 } 237 status = BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&keyObj_len, 238 sizeof(keyObj_len), &result, 0); 239 if (!BCRYPT_SUCCESS(status)) { 240 BCryptCloseAlgorithmProvider(hAlg, 0); 241 return -1; 242 } 243 keyObj = (PBYTE)HeapAlloc(GetProcessHeap(), 0, keyObj_len); 244 if (keyObj == NULL) { 245 BCryptCloseAlgorithmProvider(hAlg, 0); 246 return -1; 247 } 248 status = BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, 249 (PUCHAR)BCRYPT_CHAIN_MODE_ECB, sizeof(BCRYPT_CHAIN_MODE_ECB), 0); 250 if (!BCRYPT_SUCCESS(status)) { 251 BCryptCloseAlgorithmProvider(hAlg, 0); 252 HeapFree(GetProcessHeap(), 0, keyObj); 253 return -1; 254 } 255 status = BCryptGenerateSymmetricKey(hAlg, &hKey, 256 keyObj, keyObj_len, 257 (PUCHAR)(uintptr_t)key, (ULONG)key_len, 0); 258 if (!BCRYPT_SUCCESS(status)) { 259 BCryptCloseAlgorithmProvider(hAlg, 0); 260 HeapFree(GetProcessHeap(), 0, keyObj); 261 return -1; 262 } 263 264 ctx->hAlg = hAlg; 265 ctx->hKey = hKey; 266 ctx->keyObj = keyObj; 267 ctx->keyObj_len = keyObj_len; 268 ctx->encr_pos = AES_BLOCK_SIZE; 269 270 return 0; 271 } 272 273 static int 274 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 275 { 276 NTSTATUS status; 277 ULONG result; 278 279 status = BCryptEncrypt(ctx->hKey, (PUCHAR)ctx->nonce, AES_BLOCK_SIZE, 280 NULL, NULL, 0, (PUCHAR)ctx->encr_buf, AES_BLOCK_SIZE, 281 &result, 0); 282 return BCRYPT_SUCCESS(status) ? 0 : -1; 283 } 284 285 static int 286 aes_ctr_release(archive_crypto_ctx *ctx) 287 { 288 289 if (ctx->hAlg != NULL) { 290 BCryptCloseAlgorithmProvider(ctx->hAlg, 0); 291 ctx->hAlg = NULL; 292 BCryptDestroyKey(ctx->hKey); 293 ctx->hKey = NULL; 294 HeapFree(GetProcessHeap(), 0, ctx->keyObj); 295 ctx->keyObj = NULL; 296 } 297 memset(ctx, 0, sizeof(*ctx)); 298 return 0; 299 } 300 301 #elif defined(HAVE_LIBMBEDCRYPTO) && defined(HAVE_MBEDTLS_AES_H) 302 303 static int 304 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 305 { 306 mbedtls_aes_init(&ctx->ctx); 307 ctx->key_len = key_len; 308 memcpy(ctx->key, key, key_len); 309 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 310 ctx->encr_pos = AES_BLOCK_SIZE; 311 return 0; 312 } 313 314 static int 315 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 316 { 317 if (mbedtls_aes_setkey_enc(&ctx->ctx, ctx->key, 318 ctx->key_len * 8) != 0) 319 return (-1); 320 if (mbedtls_aes_crypt_ecb(&ctx->ctx, MBEDTLS_AES_ENCRYPT, ctx->nonce, 321 ctx->encr_buf) != 0) 322 return (-1); 323 return 0; 324 } 325 326 static int 327 aes_ctr_release(archive_crypto_ctx *ctx) 328 { 329 mbedtls_aes_free(&ctx->ctx); 330 memset(ctx, 0, sizeof(*ctx)); 331 return 0; 332 } 333 334 #elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_AES_H) 335 336 static int 337 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 338 { 339 ctx->key_len = key_len; 340 memcpy(ctx->key, key, key_len); 341 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 342 ctx->encr_pos = AES_BLOCK_SIZE; 343 memset(&ctx->ctx, 0, sizeof(ctx->ctx)); 344 return 0; 345 } 346 347 static int 348 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 349 { 350 #if NETTLE_VERSION_MAJOR < 3 351 aes_set_encrypt_key(&ctx->ctx, ctx->key_len, ctx->key); 352 aes_encrypt(&ctx->ctx, AES_BLOCK_SIZE, ctx->encr_buf, ctx->nonce); 353 #else 354 switch(ctx->key_len) { 355 case AES128_KEY_SIZE: 356 aes128_set_encrypt_key(&ctx->ctx.c128, ctx->key); 357 aes128_encrypt(&ctx->ctx.c128, AES_BLOCK_SIZE, ctx->encr_buf, 358 ctx->nonce); 359 break; 360 case AES192_KEY_SIZE: 361 aes192_set_encrypt_key(&ctx->ctx.c192, ctx->key); 362 aes192_encrypt(&ctx->ctx.c192, AES_BLOCK_SIZE, ctx->encr_buf, 363 ctx->nonce); 364 break; 365 case AES256_KEY_SIZE: 366 aes256_set_encrypt_key(&ctx->ctx.c256, ctx->key); 367 aes256_encrypt(&ctx->ctx.c256, AES_BLOCK_SIZE, ctx->encr_buf, 368 ctx->nonce); 369 break; 370 default: 371 return -1; 372 break; 373 } 374 #endif 375 return 0; 376 } 377 378 static int 379 aes_ctr_release(archive_crypto_ctx *ctx) 380 { 381 memset(ctx, 0, sizeof(*ctx)); 382 return 0; 383 } 384 385 #elif defined(HAVE_LIBCRYPTO) 386 387 static int 388 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 389 { 390 if ((ctx->ctx = EVP_CIPHER_CTX_new()) == NULL) 391 return -1; 392 393 switch (key_len) { 394 case 16: ctx->type = EVP_aes_128_ecb(); break; 395 case 24: ctx->type = EVP_aes_192_ecb(); break; 396 case 32: ctx->type = EVP_aes_256_ecb(); break; 397 default: ctx->type = NULL; return -1; 398 } 399 400 ctx->key_len = key_len; 401 memcpy(ctx->key, key, key_len); 402 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 403 ctx->encr_pos = AES_BLOCK_SIZE; 404 return 0; 405 } 406 407 static int 408 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 409 { 410 int outl = 0; 411 int r; 412 413 r = EVP_EncryptInit_ex(ctx->ctx, ctx->type, NULL, ctx->key, NULL); 414 if (r == 0) 415 return -1; 416 r = EVP_EncryptUpdate(ctx->ctx, ctx->encr_buf, &outl, ctx->nonce, 417 AES_BLOCK_SIZE); 418 if (r == 0 || outl != AES_BLOCK_SIZE) 419 return -1; 420 return 0; 421 } 422 423 static int 424 aes_ctr_release(archive_crypto_ctx *ctx) 425 { 426 EVP_CIPHER_CTX_free(ctx->ctx); 427 memset(ctx->key, 0, ctx->key_len); 428 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 429 return 0; 430 } 431 432 #else 433 434 #define ARCHIVE_CRYPTOR_STUB 435 /* Stub */ 436 static int 437 aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 438 { 439 (void)ctx; /* UNUSED */ 440 (void)key; /* UNUSED */ 441 (void)key_len; /* UNUSED */ 442 return -1; 443 } 444 445 static int 446 aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 447 { 448 (void)ctx; /* UNUSED */ 449 return -1; 450 } 451 452 static int 453 aes_ctr_release(archive_crypto_ctx *ctx) 454 { 455 (void)ctx; /* UNUSED */ 456 return 0; 457 } 458 459 #endif 460 461 #ifdef ARCHIVE_CRYPTOR_STUB 462 static int 463 aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 464 size_t in_len, uint8_t * const out, size_t *out_len) 465 { 466 (void)ctx; /* UNUSED */ 467 (void)in; /* UNUSED */ 468 (void)in_len; /* UNUSED */ 469 (void)out; /* UNUSED */ 470 (void)out_len; /* UNUSED */ 471 aes_ctr_encrypt_counter(ctx); /* UNUSED */ /* Fix unused function warning */ 472 return -1; 473 } 474 475 #else 476 static void 477 aes_ctr_increase_counter(archive_crypto_ctx *ctx) 478 { 479 uint8_t *const nonce = ctx->nonce; 480 int j; 481 482 for (j = 0; j < 8; j++) { 483 if (++nonce[j]) 484 break; 485 } 486 } 487 488 static int 489 aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 490 size_t in_len, uint8_t * const out, size_t *out_len) 491 { 492 uint8_t *const ebuf = ctx->encr_buf; 493 unsigned pos = ctx->encr_pos; 494 unsigned max = (unsigned)((in_len < *out_len)? in_len: *out_len); 495 unsigned i; 496 497 for (i = 0; i < max; ) { 498 if (pos == AES_BLOCK_SIZE) { 499 aes_ctr_increase_counter(ctx); 500 if (aes_ctr_encrypt_counter(ctx) != 0) 501 return -1; 502 while (max -i >= AES_BLOCK_SIZE) { 503 for (pos = 0; pos < AES_BLOCK_SIZE; pos++) 504 out[i+pos] = in[i+pos] ^ ebuf[pos]; 505 i += AES_BLOCK_SIZE; 506 aes_ctr_increase_counter(ctx); 507 if (aes_ctr_encrypt_counter(ctx) != 0) 508 return -1; 509 } 510 pos = 0; 511 if (i >= max) 512 break; 513 } 514 out[i] = in[i] ^ ebuf[pos++]; 515 i++; 516 } 517 ctx->encr_pos = pos; 518 *out_len = i; 519 520 return 0; 521 } 522 #endif /* ARCHIVE_CRYPTOR_STUB */ 523 524 525 const struct archive_cryptor __archive_cryptor = 526 { 527 &pbkdf2_sha1, 528 &aes_ctr_init, 529 &aes_ctr_update, 530 &aes_ctr_release, 531 &aes_ctr_init, 532 &aes_ctr_update, 533 &aes_ctr_release, 534 }; 535