Context Navigation

source: lib/arc.c @ a992d7a

Last change on this file since a992d7a was 9a1c14d, checked in by Wilmer van der Gaast <wilmer@…>, at 2011-12-24T18:12:15Z
An empty password is still a password, don't refuse accounts for that.
Property mode set to `100644`
File size: 7.6 KB

Rev	Line
[df1694b]	1	/***************************************************************************\
	2	* *
	3	* BitlBee - An IRC to IM gateway *
[a7b5925]	4	* Simple (but secure) ArcFour implementation for safer password storage. *
[df1694b]	5	* *
	6	* Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net> *
	7	* *
[9544acb]	8	* This library is free software; you can redistribute it and/or *
	9	* modify it under the terms of the GNU Lesser General Public *
	10	* License as published by the Free Software Foundation, version *
	11	* 2.1. *
[df1694b]	12	* *
[9544acb]	13	* This library is distributed in the hope that it will be useful, *
[df1694b]	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
[9544acb]	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
	16	* Lesser General Public License for more details. *
[df1694b]	17	* *
[9544acb]	18	* You should have received a copy of the GNU Lesser General Public License *
	19	* along with this library; if not, write to the Free Software Foundation, *
	20	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA *
[df1694b]	21	* *
	22	\***************************************************************************/
	23
	24	/*
[a7b5925]	25	This file implements ArcFour-encryption, which will mainly be used to
	26	save IM passwords safely in the new XML-format. Possibly other uses will
	27	come up later. It's supposed to be quite reliable (thanks to the use of a
	28	6-byte IV/seed), certainly compared to the old format. The only realistic
	29	way to crack BitlBee passwords now is to use a sniffer to get your hands
	30	on the user's password.
[df1694b]	31
	32	If you see that something's wrong in this implementation (I asked a
	33	couple of people to look at it already, but who knows), please tell me.
	34
[a7b5925]	35	The reason I picked ArcFour is because it's pretty simple but effective,
[df1694b]	36	so it will work without adding several KBs or an extra library dependency.
[a7b5925]	37
	38	(ArcFour is an RC4-compatible cipher. See for details:
	39	http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt)
[df1694b]	40	*/
	41
	42
	43	#include <glib.h>
[1719464]	44	#include <gmodule.h>
[df1694b]	45	#include <stdlib.h>
	46	#include <string.h>
[1719464]	47	#include "misc.h"
[a7b5925]	48	#include "arc.h"
[df1694b]	49
	50	/* Add some seed to the password, to make sure we never use the same key.
[d1f8759]	51	This defines how many bytes we use as a seed. */
[a7b5925]	52	#define ARC_IV_LEN 6
[df1694b]	53
	54	/* To defend against a "Fluhrer, Mantin and Shamir attack", it is recommended
	55	to shuffle S[] just a bit more before you start to use it. This defines how
	56	many bytes we'll request before we'll really use them for encryption. */
[a7b5925]	57	#define ARC_CYCLES 1024
[df1694b]	58
[a7b5925]	59	struct arc_state arc_keymaker( unsigned char key, int kl, int cycles )
[df1694b]	60	{
[a7b5925]	61	struct arc_state *st;
[df1694b]	62	int i, j, tmp;
[e2869bf]	63	unsigned char S2[256];
[df1694b]	64
[a7b5925]	65	st = g_malloc( sizeof( struct arc_state ) );
[df1694b]	66	st->i = st->j = 0;
	67	if( kl <= 0 )
	68	kl = strlen( (char*) key );
	69
[e2869bf]	70	for( i = 0; i < 256; i ++ )
	71	{
	72	st->S[i] = i;
	73	S2[i] = key[i%kl];
	74	}
	75
[df1694b]	76	for( i = j = 0; i < 256; i ++ )
	77	{
[e2869bf]	78	j = ( j + st->S[i] + S2[i] ) & 0xff;
[df1694b]	79	tmp = st->S[i];
	80	st->S[i] = st->S[j];
	81	st->S[j] = tmp;
	82	}
	83
[e2869bf]	84	memset( S2, 0, 256 );
	85	i = j = 0;
	86
[df1694b]	87	for( i = 0; i < cycles; i ++ )
[a7b5925]	88	arc_getbyte( st );
[df1694b]	89
	90	return st;
	91	}
	92
	93	/*
[a7b5925]	94	For those who don't know, ArcFour is basically an algorithm that generates
	95	a stream of bytes after you give it a key. Just get a byte from it and
	96	xor it with your cleartext. To decrypt, just give it the same key again
	97	and start xorring.
[df1694b]	98
[a7b5925]	99	The function above initializes the byte generator, the next function can
	100	be used to get bytes from the generator (and shuffle things a bit).
[df1694b]	101	*/
	102
[a7b5925]	103	unsigned char arc_getbyte( struct arc_state *st )
[df1694b]	104	{
	105	unsigned char tmp;
	106
	107	/* Unfortunately the st-> stuff doesn't really improve readability here... */
	108	st->i ++;
	109	st->j += st->S[st->i];
	110	tmp = st->S[st->i];
	111	st->S[st->i] = st->S[st->j];
	112	st->S[st->j] = tmp;
[e2869bf]	113	tmp = (st->S[st->i] + st->S[st->j]) & 0xff;
[df1694b]	114
[e2869bf]	115	return st->S[tmp];
[df1694b]	116	}
	117
	118	/*
	119	The following two functions can be used for reliable encryption and
	120	decryption. Known plaintext attacks are prevented by adding some (6,
[a7b5925]	121	by default) random bytes to the password before setting up the state
[df1694b]	122	structures. These 6 bytes are also saved in the results, because of
[a7b5925]	123	course we'll need them in arc_decode().
[df1694b]	124
	125	Because the length of the resulting string is unknown to the caller,
	126	it should pass a char**. Since the encode/decode functions allocate
	127	memory for the string, make sure the char** points at a NULL-pointer
	128	(or at least to something you already free()d), or you'll leak
	129	memory. And of course, don't forget to free() the result when you
	130	don't need it anymore.
	131
	132	Both functions return the number of bytes in the result string.
[ddcf491f]	133
	134	Note that if you use the pad_to argument, you will need zero-termi-
	135	nation to find back the original string length after decryption. So
	136	it shouldn't be used if your string contains \0s by itself!
[df1694b]	137	*/
	138
[ddcf491f]	139	int arc_encode( char clear, int clear_len, unsigned char crypt, char password, int pad_to )
[df1694b]	140	{
[a7b5925]	141	struct arc_state *st;
[df1694b]	142	unsigned char *key;
[ddcf491f]	143	char *padded = NULL;
	144	int key_len, i, padded_len;
[df1694b]	145
[a7b5925]	146	key_len = strlen( password ) + ARC_IV_LEN;
[df1694b]	147	if( clear_len <= 0 )
[3b6eadc]	148	clear_len = strlen( clear );
[df1694b]	149
[ddcf491f]	150	/* Pad the string to the closest multiple of pad_to. This makes it
	151	impossible to see the exact length of the password. */
	152	if( pad_to > 0 && ( clear_len % pad_to ) > 0 )
	153	{
	154	padded_len = clear_len + pad_to - ( clear_len % pad_to );
	155	padded = g_malloc( padded_len );
	156	memcpy( padded, clear, clear_len );
	157
	158	/* First a \0 and then random data, so we don't have to do
	159	anything special when decrypting. */
	160	padded[clear_len] = 0;
	161	random_bytes( (unsigned char*) padded + clear_len + 1, padded_len - clear_len - 1 );
	162
	163	clear = padded;
	164	clear_len = padded_len;
	165	}
	166
[df1694b]	167	/* Prepare buffers and the key + IV */
[a7b5925]	168	*crypt = g_malloc( clear_len + ARC_IV_LEN );
[df1694b]	169	key = g_malloc( key_len );
	170	strcpy( (char*) key, password );
[1719464]	171
	172	/* Add the salt. Save it for later (when decrypting) and, of course,
	173	add it to the encryption key. */
[a7b5925]	174	random_bytes( crypt[0], ARC_IV_LEN );
	175	memcpy( key + key_len - ARC_IV_LEN, crypt[0], ARC_IV_LEN );
[df1694b]	176
	177	/* Generate the initial S[] from the IVed key. */
[a7b5925]	178	st = arc_keymaker( key, key_len, ARC_CYCLES );
[df1694b]	179	g_free( key );
	180
	181	for( i = 0; i < clear_len; i ++ )
[a7b5925]	182	crypt[0][i+ARC_IV_LEN] = clear[i] ^ arc_getbyte( st );
[df1694b]	183
	184	g_free( st );
[ddcf491f]	185	g_free( padded );
[df1694b]	186
[a7b5925]	187	return clear_len + ARC_IV_LEN;
[df1694b]	188	}
	189
[a7b5925]	190	int arc_decode( unsigned char crypt, int crypt_len, char clear, char password )
[df1694b]	191	{
[a7b5925]	192	struct arc_state *st;
[df1694b]	193	unsigned char *key;
	194	int key_len, clear_len, i;
	195
[a7b5925]	196	key_len = strlen( password ) + ARC_IV_LEN;
	197	clear_len = crypt_len - ARC_IV_LEN;
[df1694b]	198
[88086db]	199	if( clear_len < 0 )
	200	{
[3b6eadc]	201	*clear = g_strdup( "" );
[9a1c14d]	202	return -1;
[88086db]	203	}
	204
[df1694b]	205	/* Prepare buffers and the key + IV */
	206	*clear = g_malloc( clear_len + 1 );
	207	key = g_malloc( key_len );
	208	strcpy( (char*) key, password );
[a7b5925]	209	for( i = 0; i < ARC_IV_LEN; i ++ )
	210	key[key_len-ARC_IV_LEN+i] = crypt[i];
[df1694b]	211
	212	/* Generate the initial S[] from the IVed key. */
[a7b5925]	213	st = arc_keymaker( key, key_len, ARC_CYCLES );
[df1694b]	214	g_free( key );
	215
	216	for( i = 0; i < clear_len; i ++ )
[a7b5925]	217	clear[0][i] = crypt[i+ARC_IV_LEN] ^ arc_getbyte( st );
[df1694b]	218	clear[0][i] = 0; /* Nice to have for plaintexts. */
	219
	220	g_free( st );
	221
	222	return clear_len;
	223	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: