source: lib/arc.c @ 59ab2af

Last change on this file since 59ab2af was e2869bf, checked in by Wilmer van der Gaast <wilmer@…>, at 2007-10-07T22:07:25Z

"Changed" the ArcFour implementation. I'm afraid this was a waste of time,
but at least I added a neat unittest...

  • Property mode set to 100644
File size: 6.8 KB
RevLine 
[df1694b]1/***************************************************************************\
2*                                                                           *
3*  BitlBee - An IRC to IM gateway                                           *
[a7b5925]4*  Simple (but secure) ArcFour implementation for safer password storage.   *
[df1694b]5*                                                                           *
6*  Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net>                   *
7*                                                                           *
[9544acb]8*  This library is free software; you can redistribute it and/or            *
9*  modify it under the terms of the GNU Lesser General Public               *
10*  License as published by the Free Software Foundation, version            *
11*  2.1.                                                                     *
[df1694b]12*                                                                           *
[9544acb]13*  This library is distributed in the hope that it will be useful,          *
[df1694b]14*  but WITHOUT ANY WARRANTY; without even the implied warranty of           *
[9544acb]15*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU        *
16*  Lesser General Public License for more details.                          *
[df1694b]17*                                                                           *
[9544acb]18*  You should have received a copy of the GNU Lesser General Public License *
19*  along with this library; if not, write to the Free Software Foundation,  *
20*  Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           *
[df1694b]21*                                                                           *
22\***************************************************************************/
23
24/*
[a7b5925]25   This file implements ArcFour-encryption, which will mainly be used to
26   save IM passwords safely in the new XML-format. Possibly other uses will
27   come up later. It's supposed to be quite reliable (thanks to the use of a
28   6-byte IV/seed), certainly compared to the old format. The only realistic
29   way to crack BitlBee passwords now is to use a sniffer to get your hands
30   on the user's password.
[df1694b]31   
32   If you see that something's wrong in this implementation (I asked a
33   couple of people to look at it already, but who knows), please tell me.
34   
[a7b5925]35   The reason I picked ArcFour is because it's pretty simple but effective,
[df1694b]36   so it will work without adding several KBs or an extra library dependency.
[a7b5925]37   
38   (ArcFour is an RC4-compatible cipher. See for details:
39   http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt)
[df1694b]40*/
41
42
43#include <glib.h>
[1719464]44#include <gmodule.h>
[df1694b]45#include <stdlib.h>
46#include <string.h>
[1719464]47#include "misc.h"
[a7b5925]48#include "arc.h"
[df1694b]49
50/* Add some seed to the password, to make sure we *never* use the same key.
[d1f8759]51   This defines how many bytes we use as a seed. */
[a7b5925]52#define ARC_IV_LEN 6
[df1694b]53
54/* To defend against a "Fluhrer, Mantin and Shamir attack", it is recommended
55   to shuffle S[] just a bit more before you start to use it. This defines how
56   many bytes we'll request before we'll really use them for encryption. */
[a7b5925]57#define ARC_CYCLES 1024
[df1694b]58
[a7b5925]59struct arc_state *arc_keymaker( unsigned char *key, int kl, int cycles )
[df1694b]60{
[a7b5925]61        struct arc_state *st;
[df1694b]62        int i, j, tmp;
[e2869bf]63        unsigned char S2[256];
[df1694b]64       
[a7b5925]65        st = g_malloc( sizeof( struct arc_state ) );
[df1694b]66        st->i = st->j = 0;
67        if( kl <= 0 )
68                kl = strlen( (char*) key );
69       
[e2869bf]70        for( i = 0; i < 256; i ++ )
71        {
72                st->S[i] = i;
73                S2[i] = key[i%kl];
74        }
75       
[df1694b]76        for( i = j = 0; i < 256; i ++ )
77        {
[e2869bf]78                j = ( j + st->S[i] + S2[i] ) & 0xff;
[df1694b]79                tmp = st->S[i];
80                st->S[i] = st->S[j];
81                st->S[j] = tmp;
82        }
83       
[e2869bf]84        memset( S2, 0, 256 );
85        i = j = 0;
86       
[df1694b]87        for( i = 0; i < cycles; i ++ )
[a7b5925]88                arc_getbyte( st );
[df1694b]89       
90        return st;
91}
92
93/*
[a7b5925]94   For those who don't know, ArcFour is basically an algorithm that generates
95   a stream of bytes after you give it a key. Just get a byte from it and
96   xor it with your cleartext. To decrypt, just give it the same key again
97   and start xorring.
[df1694b]98   
[a7b5925]99   The function above initializes the byte generator, the next function can
100   be used to get bytes from the generator (and shuffle things a bit).
[df1694b]101*/
102
[a7b5925]103unsigned char arc_getbyte( struct arc_state *st )
[df1694b]104{
105        unsigned char tmp;
106       
107        /* Unfortunately the st-> stuff doesn't really improve readability here... */
108        st->i ++;
109        st->j += st->S[st->i];
110        tmp = st->S[st->i];
111        st->S[st->i] = st->S[st->j];
112        st->S[st->j] = tmp;
[e2869bf]113        tmp = (st->S[st->i] + st->S[st->j]) & 0xff;
[df1694b]114       
[e2869bf]115        return st->S[tmp];
[df1694b]116}
117
118/*
119   The following two functions can be used for reliable encryption and
120   decryption. Known plaintext attacks are prevented by adding some (6,
[a7b5925]121   by default) random bytes to the password before setting up the state
[df1694b]122   structures. These 6 bytes are also saved in the results, because of
[a7b5925]123   course we'll need them in arc_decode().
[df1694b]124   
125   Because the length of the resulting string is unknown to the caller,
126   it should pass a char**. Since the encode/decode functions allocate
127   memory for the string, make sure the char** points at a NULL-pointer
128   (or at least to something you already free()d), or you'll leak
129   memory. And of course, don't forget to free() the result when you
130   don't need it anymore.
131   
132   Both functions return the number of bytes in the result string.
133*/
134
[a7b5925]135int arc_encode( char *clear, int clear_len, unsigned char **crypt, char *password )
[df1694b]136{
[a7b5925]137        struct arc_state *st;
[df1694b]138        unsigned char *key;
139        int key_len, i;
140       
[a7b5925]141        key_len = strlen( password ) + ARC_IV_LEN;
[df1694b]142        if( clear_len <= 0 )
[3b6eadc]143                clear_len = strlen( clear );
[df1694b]144       
145        /* Prepare buffers and the key + IV */
[a7b5925]146        *crypt = g_malloc( clear_len + ARC_IV_LEN );
[df1694b]147        key = g_malloc( key_len );
148        strcpy( (char*) key, password );
[1719464]149       
150        /* Add the salt. Save it for later (when decrypting) and, of course,
151           add it to the encryption key. */
[a7b5925]152        random_bytes( crypt[0], ARC_IV_LEN );
153        memcpy( key + key_len - ARC_IV_LEN, crypt[0], ARC_IV_LEN );
[df1694b]154       
155        /* Generate the initial S[] from the IVed key. */
[a7b5925]156        st = arc_keymaker( key, key_len, ARC_CYCLES );
[df1694b]157        g_free( key );
158       
159        for( i = 0; i < clear_len; i ++ )
[a7b5925]160                crypt[0][i+ARC_IV_LEN] = clear[i] ^ arc_getbyte( st );
[df1694b]161       
162        g_free( st );
163       
[a7b5925]164        return clear_len + ARC_IV_LEN;
[df1694b]165}
166
[a7b5925]167int arc_decode( unsigned char *crypt, int crypt_len, char **clear, char *password )
[df1694b]168{
[a7b5925]169        struct arc_state *st;
[df1694b]170        unsigned char *key;
171        int key_len, clear_len, i;
172       
[a7b5925]173        key_len = strlen( password ) + ARC_IV_LEN;
174        clear_len = crypt_len - ARC_IV_LEN;
[df1694b]175       
[88086db]176        if( clear_len < 0 )
177        {
[3b6eadc]178                *clear = g_strdup( "" );
[88086db]179                return 0;
180        }
181       
[df1694b]182        /* Prepare buffers and the key + IV */
183        *clear = g_malloc( clear_len + 1 );
184        key = g_malloc( key_len );
185        strcpy( (char*) key, password );
[a7b5925]186        for( i = 0; i < ARC_IV_LEN; i ++ )
187                key[key_len-ARC_IV_LEN+i] = crypt[i];
[df1694b]188       
189        /* Generate the initial S[] from the IVed key. */
[a7b5925]190        st = arc_keymaker( key, key_len, ARC_CYCLES );
[df1694b]191        g_free( key );
192       
193        for( i = 0; i < clear_len; i ++ )
[a7b5925]194                clear[0][i] = crypt[i+ARC_IV_LEN] ^ arc_getbyte( st );
[df1694b]195        clear[0][i] = 0; /* Nice to have for plaintexts. */
196       
197        g_free( st );
198       
199        return clear_len;
200}
Note: See TracBrowser for help on using the repository browser.