1/*- 2* Copyright (c) 2014 Michihiro NAKAJIMA 3* All rights reserved. 4* 5* Redistribution and use in source and binary forms, with or without 6* modification, are permitted provided that the following conditions 7* are met: 8* 1. Redistributions of source code must retain the above copyright 9* notice, this list of conditions and the following disclaimer. 10* 2. Redistributions in binary form must reproduce the above copyright 11* notice, this list of conditions and the following disclaimer in the 12* documentation and/or other materials provided with the distribution. 13* 14* THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17* IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24*/ 25 26#include "archive_platform.h" 27 28#ifdef HAVE_STRING_H 29#include <string.h> 30#endif 31#include "archive.h" 32#include "archive_cryptor_private.h" 33 34/* 35 * On systems that do not support any recognized crypto libraries, 36 * this file will normally define no usable symbols. 37 * 38 * But some compilers and linkers choke on empty object files, so 39 * define a public symbol that will always exist. This could 40 * be removed someday if this file gains another always-present 41 * symbol definition. 42 */ 43int __libarchive_cryptor_build_hack(void) { 44 return 0; 45} 46 47#ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 48 49static int 50pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 51 size_t salt_len, unsigned rounds, uint8_t *derived_key, 52 size_t derived_key_len) 53{ 54 CCKeyDerivationPBKDF(kCCPBKDF2, (const char *)pw, 55 pw_len, salt, salt_len, kCCPRFHmacAlgSHA1, rounds, 56 derived_key, derived_key_len); 57 return 0; 58} 59 60#elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 61#ifdef _MSC_VER 62#pragma comment(lib, "Bcrypt.lib") 63#endif 64 65static int 66pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 67 size_t salt_len, unsigned rounds, uint8_t *derived_key, 68 size_t derived_key_len) 69{ 70 NTSTATUS status; 71 BCRYPT_ALG_HANDLE hAlg; 72 73 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_SHA1_ALGORITHM, 74 MS_PRIMITIVE_PROVIDER, BCRYPT_ALG_HANDLE_HMAC_FLAG); 75 if (!BCRYPT_SUCCESS(status)) 76 return -1; 77 78 status = BCryptDeriveKeyPBKDF2(hAlg, 79 (PUCHAR)(uintptr_t)pw, (ULONG)pw_len, 80 (PUCHAR)(uintptr_t)salt, (ULONG)salt_len, rounds, 81 (PUCHAR)derived_key, (ULONG)derived_key_len, 0); 82 83 BCryptCloseAlgorithmProvider(hAlg, 0); 84 85 return (BCRYPT_SUCCESS(status)) ? 0: -1; 86} 87 88#elif defined(HAVE_LIBMBEDCRYPTO) && defined(HAVE_MBEDTLS_PKCS5_H) 89 90static int 91pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 92 size_t salt_len, unsigned rounds, uint8_t *derived_key, 93 size_t derived_key_len) 94{ 95 mbedtls_md_context_t ctx; 96 const mbedtls_md_info_t *info; 97 int ret; 98 99 mbedtls_md_init(&ctx); 100 info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1); 101 if (info == NULL) { 102 mbedtls_md_free(&ctx); 103 return (-1); 104 } 105 ret = mbedtls_md_setup(&ctx, info, 1); 106 if (ret != 0) { 107 mbedtls_md_free(&ctx); 108 return (-1); 109 } 110 ret = mbedtls_pkcs5_pbkdf2_hmac(&ctx, (const unsigned char *)pw, 111 pw_len, salt, salt_len, rounds, derived_key_len, derived_key); 112 113 mbedtls_md_free(&ctx); 114 return (ret); 115} 116 117#elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_PBKDF2_H) 118 119static int 120pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 121 size_t salt_len, unsigned rounds, uint8_t *derived_key, 122 size_t derived_key_len) { 123 pbkdf2_hmac_sha1((unsigned)pw_len, (const uint8_t *)pw, rounds, 124 salt_len, salt, derived_key_len, derived_key); 125 return 0; 126} 127 128#elif defined(HAVE_LIBCRYPTO) && defined(HAVE_PKCS5_PBKDF2_HMAC_SHA1) 129 130static int 131pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 132 size_t salt_len, unsigned rounds, uint8_t *derived_key, 133 size_t derived_key_len) { 134 135 PKCS5_PBKDF2_HMAC_SHA1(pw, pw_len, salt, salt_len, rounds, 136 derived_key_len, derived_key); 137 return 0; 138} 139 140#else 141 142/* Stub */ 143static int 144pbkdf2_sha1(const char *pw, size_t pw_len, const uint8_t *salt, 145 size_t salt_len, unsigned rounds, uint8_t *derived_key, 146 size_t derived_key_len) { 147 (void)pw; /* UNUSED */ 148 (void)pw_len; /* UNUSED */ 149 (void)salt; /* UNUSED */ 150 (void)salt_len; /* UNUSED */ 151 (void)rounds; /* UNUSED */ 152 (void)derived_key; /* UNUSED */ 153 (void)derived_key_len; /* UNUSED */ 154 return -1; /* UNSUPPORTED */ 155} 156 157#endif 158 159#ifdef ARCHIVE_CRYPTOR_USE_Apple_CommonCrypto 160# if MAC_OS_X_VERSION_MAX_ALLOWED < 1090 161# define kCCAlgorithmAES kCCAlgorithmAES128 162# endif 163 164static int 165aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 166{ 167 CCCryptorStatus r; 168 169 ctx->key_len = key_len; 170 memcpy(ctx->key, key, key_len); 171 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 172 ctx->encr_pos = AES_BLOCK_SIZE; 173 r = CCCryptorCreateWithMode(kCCEncrypt, kCCModeECB, kCCAlgorithmAES, 174 ccNoPadding, NULL, key, key_len, NULL, 0, 0, 0, &ctx->ctx); 175 return (r == kCCSuccess)? 0: -1; 176} 177 178static int 179aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 180{ 181 CCCryptorRef ref = ctx->ctx; 182 CCCryptorStatus r; 183 184 r = CCCryptorReset(ref, NULL); 185 if (r != kCCSuccess && r != kCCUnimplemented) 186 return -1; 187 r = CCCryptorUpdate(ref, ctx->nonce, AES_BLOCK_SIZE, ctx->encr_buf, 188 AES_BLOCK_SIZE, NULL); 189 return (r == kCCSuccess)? 0: -1; 190} 191 192static int 193aes_ctr_release(archive_crypto_ctx *ctx) 194{ 195 memset(ctx->key, 0, ctx->key_len); 196 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 197 return 0; 198} 199 200#elif defined(_WIN32) && !defined(__CYGWIN__) && defined(HAVE_BCRYPT_H) 201 202static int 203aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 204{ 205 BCRYPT_ALG_HANDLE hAlg; 206 BCRYPT_KEY_HANDLE hKey; 207 DWORD keyObj_len, aes_key_len; 208 PBYTE keyObj; 209 ULONG result; 210 NTSTATUS status; 211 BCRYPT_KEY_LENGTHS_STRUCT key_lengths; 212 213 ctx->hAlg = NULL; 214 ctx->hKey = NULL; 215 ctx->keyObj = NULL; 216 switch (key_len) { 217 case 16: aes_key_len = 128; break; 218 case 24: aes_key_len = 192; break; 219 case 32: aes_key_len = 256; break; 220 default: return -1; 221 } 222 status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, 223 MS_PRIMITIVE_PROVIDER, 0); 224 if (!BCRYPT_SUCCESS(status)) 225 return -1; 226 status = BCryptGetProperty(hAlg, BCRYPT_KEY_LENGTHS, (PUCHAR)&key_lengths, 227 sizeof(key_lengths), &result, 0); 228 if (!BCRYPT_SUCCESS(status)) { 229 BCryptCloseAlgorithmProvider(hAlg, 0); 230 return -1; 231 } 232 if (key_lengths.dwMinLength > aes_key_len 233 || key_lengths.dwMaxLength < aes_key_len) { 234 BCryptCloseAlgorithmProvider(hAlg, 0); 235 return -1; 236 } 237 status = BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&keyObj_len, 238 sizeof(keyObj_len), &result, 0); 239 if (!BCRYPT_SUCCESS(status)) { 240 BCryptCloseAlgorithmProvider(hAlg, 0); 241 return -1; 242 } 243 keyObj = (PBYTE)HeapAlloc(GetProcessHeap(), 0, keyObj_len); 244 if (keyObj == NULL) { 245 BCryptCloseAlgorithmProvider(hAlg, 0); 246 return -1; 247 } 248 status = BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, 249 (PUCHAR)BCRYPT_CHAIN_MODE_ECB, sizeof(BCRYPT_CHAIN_MODE_ECB), 0); 250 if (!BCRYPT_SUCCESS(status)) { 251 BCryptCloseAlgorithmProvider(hAlg, 0); 252 HeapFree(GetProcessHeap(), 0, keyObj); 253 return -1; 254 } 255 status = BCryptGenerateSymmetricKey(hAlg, &hKey, 256 keyObj, keyObj_len, 257 (PUCHAR)(uintptr_t)key, (ULONG)key_len, 0); 258 if (!BCRYPT_SUCCESS(status)) { 259 BCryptCloseAlgorithmProvider(hAlg, 0); 260 HeapFree(GetProcessHeap(), 0, keyObj); 261 return -1; 262 } 263 264 ctx->hAlg = hAlg; 265 ctx->hKey = hKey; 266 ctx->keyObj = keyObj; 267 ctx->keyObj_len = keyObj_len; 268 ctx->encr_pos = AES_BLOCK_SIZE; 269 270 return 0; 271} 272 273static int 274aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 275{ 276 NTSTATUS status; 277 ULONG result; 278 279 status = BCryptEncrypt(ctx->hKey, (PUCHAR)ctx->nonce, AES_BLOCK_SIZE, 280 NULL, NULL, 0, (PUCHAR)ctx->encr_buf, AES_BLOCK_SIZE, 281 &result, 0); 282 return BCRYPT_SUCCESS(status) ? 0 : -1; 283} 284 285static int 286aes_ctr_release(archive_crypto_ctx *ctx) 287{ 288 289 if (ctx->hAlg != NULL) { 290 BCryptCloseAlgorithmProvider(ctx->hAlg, 0); 291 ctx->hAlg = NULL; 292 BCryptDestroyKey(ctx->hKey); 293 ctx->hKey = NULL; 294 HeapFree(GetProcessHeap(), 0, ctx->keyObj); 295 ctx->keyObj = NULL; 296 } 297 memset(ctx, 0, sizeof(*ctx)); 298 return 0; 299} 300 301#elif defined(HAVE_LIBMBEDCRYPTO) && defined(HAVE_MBEDTLS_AES_H) 302 303static int 304aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 305{ 306 mbedtls_aes_init(&ctx->ctx); 307 ctx->key_len = key_len; 308 memcpy(ctx->key, key, key_len); 309 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 310 ctx->encr_pos = AES_BLOCK_SIZE; 311 return 0; 312} 313 314static int 315aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 316{ 317 if (mbedtls_aes_setkey_enc(&ctx->ctx, ctx->key, 318 ctx->key_len * 8) != 0) 319 return (-1); 320 if (mbedtls_aes_crypt_ecb(&ctx->ctx, MBEDTLS_AES_ENCRYPT, ctx->nonce, 321 ctx->encr_buf) != 0) 322 return (-1); 323 return 0; 324} 325 326static int 327aes_ctr_release(archive_crypto_ctx *ctx) 328{ 329 mbedtls_aes_free(&ctx->ctx); 330 memset(ctx, 0, sizeof(*ctx)); 331 return 0; 332} 333 334#elif defined(HAVE_LIBNETTLE) && defined(HAVE_NETTLE_AES_H) 335 336static int 337aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 338{ 339 ctx->key_len = key_len; 340 memcpy(ctx->key, key, key_len); 341 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 342 ctx->encr_pos = AES_BLOCK_SIZE; 343 memset(&ctx->ctx, 0, sizeof(ctx->ctx)); 344 return 0; 345} 346 347static int 348aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 349{ 350#if NETTLE_VERSION_MAJOR < 3 351 aes_set_encrypt_key(&ctx->ctx, ctx->key_len, ctx->key); 352 aes_encrypt(&ctx->ctx, AES_BLOCK_SIZE, ctx->encr_buf, ctx->nonce); 353#else 354 switch(ctx->key_len) { 355 case AES128_KEY_SIZE: 356 aes128_set_encrypt_key(&ctx->ctx.c128, ctx->key); 357 aes128_encrypt(&ctx->ctx.c128, AES_BLOCK_SIZE, ctx->encr_buf, 358 ctx->nonce); 359 break; 360 case AES192_KEY_SIZE: 361 aes192_set_encrypt_key(&ctx->ctx.c192, ctx->key); 362 aes192_encrypt(&ctx->ctx.c192, AES_BLOCK_SIZE, ctx->encr_buf, 363 ctx->nonce); 364 break; 365 case AES256_KEY_SIZE: 366 aes256_set_encrypt_key(&ctx->ctx.c256, ctx->key); 367 aes256_encrypt(&ctx->ctx.c256, AES_BLOCK_SIZE, ctx->encr_buf, 368 ctx->nonce); 369 break; 370 default: 371 return -1; 372 break; 373 } 374#endif 375 return 0; 376} 377 378static int 379aes_ctr_release(archive_crypto_ctx *ctx) 380{ 381 memset(ctx, 0, sizeof(*ctx)); 382 return 0; 383} 384 385#elif defined(HAVE_LIBCRYPTO) 386 387static int 388aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 389{ 390 if ((ctx->ctx = EVP_CIPHER_CTX_new()) == NULL) 391 return -1; 392 393 switch (key_len) { 394 case 16: ctx->type = EVP_aes_128_ecb(); break; 395 case 24: ctx->type = EVP_aes_192_ecb(); break; 396 case 32: ctx->type = EVP_aes_256_ecb(); break; 397 default: ctx->type = NULL; return -1; 398 } 399 400 ctx->key_len = key_len; 401 memcpy(ctx->key, key, key_len); 402 memset(ctx->nonce, 0, sizeof(ctx->nonce)); 403 ctx->encr_pos = AES_BLOCK_SIZE; 404 return 0; 405} 406 407static int 408aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 409{ 410 int outl = 0; 411 int r; 412 413 r = EVP_EncryptInit_ex(ctx->ctx, ctx->type, NULL, ctx->key, NULL); 414 if (r == 0) 415 return -1; 416 r = EVP_EncryptUpdate(ctx->ctx, ctx->encr_buf, &outl, ctx->nonce, 417 AES_BLOCK_SIZE); 418 if (r == 0 || outl != AES_BLOCK_SIZE) 419 return -1; 420 return 0; 421} 422 423static int 424aes_ctr_release(archive_crypto_ctx *ctx) 425{ 426 EVP_CIPHER_CTX_free(ctx->ctx); 427 OPENSSL_cleanse(ctx->key, ctx->key_len); 428 OPENSSL_cleanse(ctx->nonce, sizeof(ctx->nonce)); 429 return 0; 430} 431 432#else 433 434#define ARCHIVE_CRYPTOR_STUB 435/* Stub */ 436static int 437aes_ctr_init(archive_crypto_ctx *ctx, const uint8_t *key, size_t key_len) 438{ 439 (void)ctx; /* UNUSED */ 440 (void)key; /* UNUSED */ 441 (void)key_len; /* UNUSED */ 442 return -1; 443} 444 445static int 446aes_ctr_encrypt_counter(archive_crypto_ctx *ctx) 447{ 448 (void)ctx; /* UNUSED */ 449 return -1; 450} 451 452static int 453aes_ctr_release(archive_crypto_ctx *ctx) 454{ 455 (void)ctx; /* UNUSED */ 456 return 0; 457} 458 459#endif 460 461#ifdef ARCHIVE_CRYPTOR_STUB 462static int 463aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 464 size_t in_len, uint8_t * const out, size_t *out_len) 465{ 466 (void)ctx; /* UNUSED */ 467 (void)in; /* UNUSED */ 468 (void)in_len; /* UNUSED */ 469 (void)out; /* UNUSED */ 470 (void)out_len; /* UNUSED */ 471 aes_ctr_encrypt_counter(ctx); /* UNUSED */ /* Fix unused function warning */ 472 return -1; 473} 474 475#else 476static void 477aes_ctr_increase_counter(archive_crypto_ctx *ctx) 478{ 479 uint8_t *const nonce = ctx->nonce; 480 int j; 481 482 for (j = 0; j < 8; j++) { 483 if (++nonce[j]) 484 break; 485 } 486} 487 488static int 489aes_ctr_update(archive_crypto_ctx *ctx, const uint8_t * const in, 490 size_t in_len, uint8_t * const out, size_t *out_len) 491{ 492 uint8_t *const ebuf = ctx->encr_buf; 493 unsigned pos = ctx->encr_pos; 494 unsigned max = (unsigned)((in_len < *out_len)? in_len: *out_len); 495 unsigned i; 496 497 for (i = 0; i < max; ) { 498 if (pos == AES_BLOCK_SIZE) { 499 aes_ctr_increase_counter(ctx); 500 if (aes_ctr_encrypt_counter(ctx) != 0) 501 return -1; 502 while (max -i >= AES_BLOCK_SIZE) { 503 for (pos = 0; pos < AES_BLOCK_SIZE; pos++) 504 out[i+pos] = in[i+pos] ^ ebuf[pos]; 505 i += AES_BLOCK_SIZE; 506 aes_ctr_increase_counter(ctx); 507 if (aes_ctr_encrypt_counter(ctx) != 0) 508 return -1; 509 } 510 pos = 0; 511 if (i >= max) 512 break; 513 } 514 out[i] = in[i] ^ ebuf[pos++]; 515 i++; 516 } 517 ctx->encr_pos = pos; 518 *out_len = i; 519 520 return 0; 521} 522#endif /* ARCHIVE_CRYPTOR_STUB */ 523 524 525const struct archive_cryptor __archive_cryptor = 526{ 527 &pbkdf2_sha1, 528 &aes_ctr_init, 529 &aes_ctr_update, 530 &aes_ctr_release, 531 &aes_ctr_init, 532 &aes_ctr_update, 533 &aes_ctr_release, 534}; 535