[df1694b] | 1 | /***************************************************************************\ |
---|
| 2 | * * |
---|
| 3 | * BitlBee - An IRC to IM gateway * |
---|
[a7b5925] | 4 | * Simple (but secure) ArcFour implementation for safer password storage. * |
---|
[df1694b] | 5 | * * |
---|
| 6 | * Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net> * |
---|
| 7 | * * |
---|
[4f7255d] | 8 | * This program is free software; you can redistribute it and/or modify * |
---|
| 9 | * it under the terms of the GNU General Public License as published by * |
---|
| 10 | * the Free Software Foundation; either version 2 of the License, or * |
---|
| 11 | * (at your option) any later version. * |
---|
[df1694b] | 12 | * * |
---|
[4f7255d] | 13 | * This program is distributed in the hope that it will be useful, * |
---|
[df1694b] | 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * |
---|
[4f7255d] | 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * |
---|
| 16 | * GNU General Public License for more details. * |
---|
[df1694b] | 17 | * * |
---|
[4f7255d] | 18 | * You should have received a copy of the GNU General Public License along * |
---|
| 19 | * with this program; if not, write to the Free Software Foundation, Inc., * |
---|
| 20 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * |
---|
[df1694b] | 21 | * * |
---|
| 22 | \***************************************************************************/ |
---|
| 23 | |
---|
| 24 | /* |
---|
[a7b5925] | 25 | This file implements ArcFour-encryption, which will mainly be used to |
---|
| 26 | save IM passwords safely in the new XML-format. Possibly other uses will |
---|
| 27 | come up later. It's supposed to be quite reliable (thanks to the use of a |
---|
| 28 | 6-byte IV/seed), certainly compared to the old format. The only realistic |
---|
| 29 | way to crack BitlBee passwords now is to use a sniffer to get your hands |
---|
| 30 | on the user's password. |
---|
[df1694b] | 31 | |
---|
| 32 | If you see that something's wrong in this implementation (I asked a |
---|
| 33 | couple of people to look at it already, but who knows), please tell me. |
---|
| 34 | |
---|
[a7b5925] | 35 | The reason I picked ArcFour is because it's pretty simple but effective, |
---|
[df1694b] | 36 | so it will work without adding several KBs or an extra library dependency. |
---|
[a7b5925] | 37 | |
---|
| 38 | (ArcFour is an RC4-compatible cipher. See for details: |
---|
| 39 | http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt) |
---|
[df1694b] | 40 | */ |
---|
| 41 | |
---|
| 42 | |
---|
| 43 | #include <glib.h> |
---|
[1719464] | 44 | #include <gmodule.h> |
---|
[df1694b] | 45 | #include <stdlib.h> |
---|
| 46 | #include <string.h> |
---|
[1719464] | 47 | #include "misc.h" |
---|
[a7b5925] | 48 | #include "arc.h" |
---|
[df1694b] | 49 | |
---|
| 50 | /* Add some seed to the password, to make sure we *never* use the same key. |
---|
[d1f8759] | 51 | This defines how many bytes we use as a seed. */ |
---|
[a7b5925] | 52 | #define ARC_IV_LEN 6 |
---|
[df1694b] | 53 | |
---|
| 54 | /* To defend against a "Fluhrer, Mantin and Shamir attack", it is recommended |
---|
| 55 | to shuffle S[] just a bit more before you start to use it. This defines how |
---|
| 56 | many bytes we'll request before we'll really use them for encryption. */ |
---|
[a7b5925] | 57 | #define ARC_CYCLES 1024 |
---|
[df1694b] | 58 | |
---|
[a7b5925] | 59 | struct arc_state *arc_keymaker( unsigned char *key, int kl, int cycles ) |
---|
[df1694b] | 60 | { |
---|
[a7b5925] | 61 | struct arc_state *st; |
---|
[df1694b] | 62 | int i, j, tmp; |
---|
[e2869bf] | 63 | unsigned char S2[256]; |
---|
[df1694b] | 64 | |
---|
[a7b5925] | 65 | st = g_malloc( sizeof( struct arc_state ) ); |
---|
[df1694b] | 66 | st->i = st->j = 0; |
---|
| 67 | if( kl <= 0 ) |
---|
| 68 | kl = strlen( (char*) key ); |
---|
| 69 | |
---|
[e2869bf] | 70 | for( i = 0; i < 256; i ++ ) |
---|
| 71 | { |
---|
| 72 | st->S[i] = i; |
---|
| 73 | S2[i] = key[i%kl]; |
---|
| 74 | } |
---|
| 75 | |
---|
[df1694b] | 76 | for( i = j = 0; i < 256; i ++ ) |
---|
| 77 | { |
---|
[e2869bf] | 78 | j = ( j + st->S[i] + S2[i] ) & 0xff; |
---|
[df1694b] | 79 | tmp = st->S[i]; |
---|
| 80 | st->S[i] = st->S[j]; |
---|
| 81 | st->S[j] = tmp; |
---|
| 82 | } |
---|
| 83 | |
---|
[e2869bf] | 84 | memset( S2, 0, 256 ); |
---|
| 85 | i = j = 0; |
---|
| 86 | |
---|
[df1694b] | 87 | for( i = 0; i < cycles; i ++ ) |
---|
[a7b5925] | 88 | arc_getbyte( st ); |
---|
[df1694b] | 89 | |
---|
| 90 | return st; |
---|
| 91 | } |
---|
| 92 | |
---|
| 93 | /* |
---|
[a7b5925] | 94 | For those who don't know, ArcFour is basically an algorithm that generates |
---|
| 95 | a stream of bytes after you give it a key. Just get a byte from it and |
---|
| 96 | xor it with your cleartext. To decrypt, just give it the same key again |
---|
| 97 | and start xorring. |
---|
[df1694b] | 98 | |
---|
[a7b5925] | 99 | The function above initializes the byte generator, the next function can |
---|
| 100 | be used to get bytes from the generator (and shuffle things a bit). |
---|
[df1694b] | 101 | */ |
---|
| 102 | |
---|
[a7b5925] | 103 | unsigned char arc_getbyte( struct arc_state *st ) |
---|
[df1694b] | 104 | { |
---|
| 105 | unsigned char tmp; |
---|
| 106 | |
---|
| 107 | /* Unfortunately the st-> stuff doesn't really improve readability here... */ |
---|
| 108 | st->i ++; |
---|
| 109 | st->j += st->S[st->i]; |
---|
| 110 | tmp = st->S[st->i]; |
---|
| 111 | st->S[st->i] = st->S[st->j]; |
---|
| 112 | st->S[st->j] = tmp; |
---|
[e2869bf] | 113 | tmp = (st->S[st->i] + st->S[st->j]) & 0xff; |
---|
[df1694b] | 114 | |
---|
[e2869bf] | 115 | return st->S[tmp]; |
---|
[df1694b] | 116 | } |
---|
| 117 | |
---|
| 118 | /* |
---|
| 119 | The following two functions can be used for reliable encryption and |
---|
| 120 | decryption. Known plaintext attacks are prevented by adding some (6, |
---|
[a7b5925] | 121 | by default) random bytes to the password before setting up the state |
---|
[df1694b] | 122 | structures. These 6 bytes are also saved in the results, because of |
---|
[a7b5925] | 123 | course we'll need them in arc_decode(). |
---|
[df1694b] | 124 | |
---|
| 125 | Because the length of the resulting string is unknown to the caller, |
---|
| 126 | it should pass a char**. Since the encode/decode functions allocate |
---|
| 127 | memory for the string, make sure the char** points at a NULL-pointer |
---|
| 128 | (or at least to something you already free()d), or you'll leak |
---|
| 129 | memory. And of course, don't forget to free() the result when you |
---|
| 130 | don't need it anymore. |
---|
| 131 | |
---|
| 132 | Both functions return the number of bytes in the result string. |
---|
[ddcf491f] | 133 | |
---|
| 134 | Note that if you use the pad_to argument, you will need zero-termi- |
---|
| 135 | nation to find back the original string length after decryption. So |
---|
| 136 | it shouldn't be used if your string contains \0s by itself! |
---|
[df1694b] | 137 | */ |
---|
| 138 | |
---|
[ddcf491f] | 139 | int arc_encode( char *clear, int clear_len, unsigned char **crypt, char *password, int pad_to ) |
---|
[df1694b] | 140 | { |
---|
[a7b5925] | 141 | struct arc_state *st; |
---|
[df1694b] | 142 | unsigned char *key; |
---|
[ddcf491f] | 143 | char *padded = NULL; |
---|
| 144 | int key_len, i, padded_len; |
---|
[df1694b] | 145 | |
---|
[a7b5925] | 146 | key_len = strlen( password ) + ARC_IV_LEN; |
---|
[df1694b] | 147 | if( clear_len <= 0 ) |
---|
[3b6eadc] | 148 | clear_len = strlen( clear ); |
---|
[df1694b] | 149 | |
---|
[ddcf491f] | 150 | /* Pad the string to the closest multiple of pad_to. This makes it |
---|
| 151 | impossible to see the exact length of the password. */ |
---|
| 152 | if( pad_to > 0 && ( clear_len % pad_to ) > 0 ) |
---|
| 153 | { |
---|
| 154 | padded_len = clear_len + pad_to - ( clear_len % pad_to ); |
---|
| 155 | padded = g_malloc( padded_len ); |
---|
| 156 | memcpy( padded, clear, clear_len ); |
---|
| 157 | |
---|
| 158 | /* First a \0 and then random data, so we don't have to do |
---|
| 159 | anything special when decrypting. */ |
---|
| 160 | padded[clear_len] = 0; |
---|
| 161 | random_bytes( (unsigned char*) padded + clear_len + 1, padded_len - clear_len - 1 ); |
---|
| 162 | |
---|
| 163 | clear = padded; |
---|
| 164 | clear_len = padded_len; |
---|
| 165 | } |
---|
| 166 | |
---|
[df1694b] | 167 | /* Prepare buffers and the key + IV */ |
---|
[a7b5925] | 168 | *crypt = g_malloc( clear_len + ARC_IV_LEN ); |
---|
[df1694b] | 169 | key = g_malloc( key_len ); |
---|
| 170 | strcpy( (char*) key, password ); |
---|
[1719464] | 171 | |
---|
| 172 | /* Add the salt. Save it for later (when decrypting) and, of course, |
---|
| 173 | add it to the encryption key. */ |
---|
[a7b5925] | 174 | random_bytes( crypt[0], ARC_IV_LEN ); |
---|
| 175 | memcpy( key + key_len - ARC_IV_LEN, crypt[0], ARC_IV_LEN ); |
---|
[df1694b] | 176 | |
---|
| 177 | /* Generate the initial S[] from the IVed key. */ |
---|
[a7b5925] | 178 | st = arc_keymaker( key, key_len, ARC_CYCLES ); |
---|
[df1694b] | 179 | g_free( key ); |
---|
| 180 | |
---|
| 181 | for( i = 0; i < clear_len; i ++ ) |
---|
[a7b5925] | 182 | crypt[0][i+ARC_IV_LEN] = clear[i] ^ arc_getbyte( st ); |
---|
[df1694b] | 183 | |
---|
| 184 | g_free( st ); |
---|
[ddcf491f] | 185 | g_free( padded ); |
---|
[df1694b] | 186 | |
---|
[a7b5925] | 187 | return clear_len + ARC_IV_LEN; |
---|
[df1694b] | 188 | } |
---|
| 189 | |
---|
[dd95ce4] | 190 | int arc_decode( unsigned char *crypt, int crypt_len, char **clear, const char *password ) |
---|
[df1694b] | 191 | { |
---|
[a7b5925] | 192 | struct arc_state *st; |
---|
[df1694b] | 193 | unsigned char *key; |
---|
| 194 | int key_len, clear_len, i; |
---|
| 195 | |
---|
[a7b5925] | 196 | key_len = strlen( password ) + ARC_IV_LEN; |
---|
| 197 | clear_len = crypt_len - ARC_IV_LEN; |
---|
[df1694b] | 198 | |
---|
[88086db] | 199 | if( clear_len < 0 ) |
---|
| 200 | { |
---|
[3b6eadc] | 201 | *clear = g_strdup( "" ); |
---|
[9a1c14d] | 202 | return -1; |
---|
[88086db] | 203 | } |
---|
| 204 | |
---|
[df1694b] | 205 | /* Prepare buffers and the key + IV */ |
---|
| 206 | *clear = g_malloc( clear_len + 1 ); |
---|
| 207 | key = g_malloc( key_len ); |
---|
| 208 | strcpy( (char*) key, password ); |
---|
[a7b5925] | 209 | for( i = 0; i < ARC_IV_LEN; i ++ ) |
---|
| 210 | key[key_len-ARC_IV_LEN+i] = crypt[i]; |
---|
[df1694b] | 211 | |
---|
| 212 | /* Generate the initial S[] from the IVed key. */ |
---|
[a7b5925] | 213 | st = arc_keymaker( key, key_len, ARC_CYCLES ); |
---|
[df1694b] | 214 | g_free( key ); |
---|
| 215 | |
---|
| 216 | for( i = 0; i < clear_len; i ++ ) |
---|
[a7b5925] | 217 | clear[0][i] = crypt[i+ARC_IV_LEN] ^ arc_getbyte( st ); |
---|
[df1694b] | 218 | clear[0][i] = 0; /* Nice to have for plaintexts. */ |
---|
| 219 | |
---|
| 220 | g_free( st ); |
---|
| 221 | |
---|
| 222 | return clear_len; |
---|
| 223 | } |
---|