1 | /***************************************************************************\ |
---|
2 | * * |
---|
3 | * BitlBee - An IRC to IM gateway * |
---|
4 | * Simple (but secure) RC4 implementation for safer password storage. * |
---|
5 | * * |
---|
6 | * Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net> * |
---|
7 | * * |
---|
8 | * This program is free software; you can redistribute it and/or modify * |
---|
9 | * it under the terms of the GNU General Public License as published by * |
---|
10 | * the Free Software Foundation; either version 2 of the License, or * |
---|
11 | * (at your option) any later version. * |
---|
12 | * * |
---|
13 | * This program is distributed in the hope that it will be useful, * |
---|
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * |
---|
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * |
---|
16 | * GNU General Public License for more details. * |
---|
17 | * * |
---|
18 | * You should have received a copy of the GNU General Public License along * |
---|
19 | * with this program; if not, write to the Free Software Foundation, Inc., * |
---|
20 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * |
---|
21 | * * |
---|
22 | \***************************************************************************/ |
---|
23 | |
---|
24 | /* |
---|
25 | This file implements RC4-encryption, which will mainly be used to save IM |
---|
26 | passwords safely in the new XML-format. Possibly other uses will come up |
---|
27 | later. It's supposed to be quite reliable (thanks to the use of a 6-byte |
---|
28 | IV/seed), certainly compared to the old format. The only realistic way to |
---|
29 | crack BitlBee passwords now is to use a sniffer to get your hands on the |
---|
30 | user's password. |
---|
31 | |
---|
32 | If you see that something's wrong in this implementation (I asked a |
---|
33 | couple of people to look at it already, but who knows), please tell me. |
---|
34 | |
---|
35 | The reason I chose for RC4 is because it's pretty simple but effective, |
---|
36 | so it will work without adding several KBs or an extra library dependency. |
---|
37 | */ |
---|
38 | |
---|
39 | |
---|
40 | #include <glib.h> |
---|
41 | #include <gmodule.h> |
---|
42 | #include <stdlib.h> |
---|
43 | #include <string.h> |
---|
44 | #include "misc.h" |
---|
45 | #include "rc4.h" |
---|
46 | |
---|
47 | /* Add some seed to the password, to make sure we *never* use the same key. |
---|
48 | This defines how many byes we use as a seed. */ |
---|
49 | #define RC4_IV_LEN 6 |
---|
50 | |
---|
51 | /* To defend against a "Fluhrer, Mantin and Shamir attack", it is recommended |
---|
52 | to shuffle S[] just a bit more before you start to use it. This defines how |
---|
53 | many bytes we'll request before we'll really use them for encryption. */ |
---|
54 | #define RC4_CYCLES 1024 |
---|
55 | |
---|
56 | struct rc4_state *rc4_keymaker( unsigned char *key, int kl, int cycles ) |
---|
57 | { |
---|
58 | struct rc4_state *st; |
---|
59 | int i, j, tmp; |
---|
60 | |
---|
61 | st = g_malloc( sizeof( struct rc4_state ) ); |
---|
62 | st->i = st->j = 0; |
---|
63 | for( i = 0; i < 256; i ++ ) |
---|
64 | st->S[i] = i; |
---|
65 | |
---|
66 | if( kl <= 0 ) |
---|
67 | kl = strlen( (char*) key ); |
---|
68 | |
---|
69 | for( i = j = 0; i < 256; i ++ ) |
---|
70 | { |
---|
71 | j = ( j + st->S[i] + key[i%kl] ) & 0xff; |
---|
72 | tmp = st->S[i]; |
---|
73 | st->S[i] = st->S[j]; |
---|
74 | st->S[j] = tmp; |
---|
75 | } |
---|
76 | |
---|
77 | for( i = 0; i < cycles; i ++ ) |
---|
78 | rc4_getbyte( st ); |
---|
79 | |
---|
80 | return st; |
---|
81 | } |
---|
82 | |
---|
83 | /* |
---|
84 | For those who don't know, RC4 is basically an algorithm that generates a |
---|
85 | stream of bytes after you give it a key. Just get a byte from it and xor |
---|
86 | it with your cleartext. To decrypt, just give it the same key again and |
---|
87 | start xorring. |
---|
88 | |
---|
89 | The function above initializes the RC4 byte generator, the next function |
---|
90 | can be used to get bytes from the generator (and shuffle things a bit). |
---|
91 | */ |
---|
92 | |
---|
93 | unsigned char rc4_getbyte( struct rc4_state *st ) |
---|
94 | { |
---|
95 | unsigned char tmp; |
---|
96 | |
---|
97 | /* Unfortunately the st-> stuff doesn't really improve readability here... */ |
---|
98 | st->i ++; |
---|
99 | st->j += st->S[st->i]; |
---|
100 | tmp = st->S[st->i]; |
---|
101 | st->S[st->i] = st->S[st->j]; |
---|
102 | st->S[st->j] = tmp; |
---|
103 | |
---|
104 | return st->S[(st->S[st->i] + st->S[st->j]) & 0xff]; |
---|
105 | } |
---|
106 | |
---|
107 | /* |
---|
108 | The following two functions can be used for reliable encryption and |
---|
109 | decryption. Known plaintext attacks are prevented by adding some (6, |
---|
110 | by default) random bytes to the password before setting up the RC4 |
---|
111 | structures. These 6 bytes are also saved in the results, because of |
---|
112 | course we'll need them in rc4_decode(). |
---|
113 | |
---|
114 | Because the length of the resulting string is unknown to the caller, |
---|
115 | it should pass a char**. Since the encode/decode functions allocate |
---|
116 | memory for the string, make sure the char** points at a NULL-pointer |
---|
117 | (or at least to something you already free()d), or you'll leak |
---|
118 | memory. And of course, don't forget to free() the result when you |
---|
119 | don't need it anymore. |
---|
120 | |
---|
121 | Both functions return the number of bytes in the result string. |
---|
122 | */ |
---|
123 | |
---|
124 | int rc4_encode( unsigned char *clear, int clear_len, unsigned char **crypt, char *password ) |
---|
125 | { |
---|
126 | struct rc4_state *st; |
---|
127 | unsigned char *key; |
---|
128 | int key_len, i; |
---|
129 | |
---|
130 | key_len = strlen( password ) + RC4_IV_LEN; |
---|
131 | if( clear_len <= 0 ) |
---|
132 | clear_len = strlen( (char*) clear ); |
---|
133 | |
---|
134 | /* Prepare buffers and the key + IV */ |
---|
135 | *crypt = g_malloc( clear_len + RC4_IV_LEN ); |
---|
136 | key = g_malloc( key_len ); |
---|
137 | strcpy( (char*) key, password ); |
---|
138 | |
---|
139 | /* Add the salt. Save it for later (when decrypting) and, of course, |
---|
140 | add it to the encryption key. */ |
---|
141 | random_bytes( crypt[0], RC4_IV_LEN ); |
---|
142 | memcpy( key + key_len - RC4_IV_LEN, crypt[0], RC4_IV_LEN ); |
---|
143 | |
---|
144 | /* Generate the initial S[] from the IVed key. */ |
---|
145 | st = rc4_keymaker( key, key_len, RC4_CYCLES ); |
---|
146 | g_free( key ); |
---|
147 | |
---|
148 | for( i = 0; i < clear_len; i ++ ) |
---|
149 | crypt[0][i+RC4_IV_LEN] = clear[i] ^ rc4_getbyte( st ); |
---|
150 | |
---|
151 | g_free( st ); |
---|
152 | |
---|
153 | return clear_len + RC4_IV_LEN; |
---|
154 | } |
---|
155 | |
---|
156 | int rc4_decode( unsigned char *crypt, int crypt_len, unsigned char **clear, char *password ) |
---|
157 | { |
---|
158 | struct rc4_state *st; |
---|
159 | unsigned char *key; |
---|
160 | int key_len, clear_len, i; |
---|
161 | |
---|
162 | key_len = strlen( password ) + RC4_IV_LEN; |
---|
163 | clear_len = crypt_len - RC4_IV_LEN; |
---|
164 | |
---|
165 | if( clear_len < 0 ) |
---|
166 | { |
---|
167 | *clear = (unsigned char*) g_strdup( "" ); |
---|
168 | return 0; |
---|
169 | } |
---|
170 | |
---|
171 | /* Prepare buffers and the key + IV */ |
---|
172 | *clear = g_malloc( clear_len + 1 ); |
---|
173 | key = g_malloc( key_len ); |
---|
174 | strcpy( (char*) key, password ); |
---|
175 | for( i = 0; i < RC4_IV_LEN; i ++ ) |
---|
176 | key[key_len-RC4_IV_LEN+i] = crypt[i]; |
---|
177 | |
---|
178 | /* Generate the initial S[] from the IVed key. */ |
---|
179 | st = rc4_keymaker( key, key_len, RC4_CYCLES ); |
---|
180 | g_free( key ); |
---|
181 | |
---|
182 | for( i = 0; i < clear_len; i ++ ) |
---|
183 | clear[0][i] = crypt[i+RC4_IV_LEN] ^ rc4_getbyte( st ); |
---|
184 | clear[0][i] = 0; /* Nice to have for plaintexts. */ |
---|
185 | |
---|
186 | g_free( st ); |
---|
187 | |
---|
188 | return clear_len; |
---|
189 | } |
---|