/work/toxencryptsave/toxencryptsave.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* SPDX-License-Identifier: GPL-3.0-or-later |
2 | | * Copyright © 2016-2018 The TokTok team. |
3 | | * Copyright © 2013 Tox project. |
4 | | */ |
5 | | |
6 | | /** |
7 | | * Batch encryption functions. |
8 | | */ |
9 | | #include "toxencryptsave.h" |
10 | | |
11 | | #include <sodium.h> |
12 | | |
13 | | #include <stdlib.h> |
14 | | #include <string.h> |
15 | | |
16 | | #include "../toxcore/ccompat.h" |
17 | | #include "../toxcore/crypto_core.h" |
18 | | #include "defines.h" |
19 | | |
20 | | static_assert(TOX_PASS_SALT_LENGTH == crypto_pwhash_scryptsalsa208sha256_SALTBYTES, |
21 | | "TOX_PASS_SALT_LENGTH is assumed to be equal to crypto_pwhash_scryptsalsa208sha256_SALTBYTES"); |
22 | | static_assert(TOX_PASS_KEY_LENGTH == CRYPTO_SHARED_KEY_SIZE, |
23 | | "TOX_PASS_KEY_LENGTH is assumed to be equal to CRYPTO_SHARED_KEY_SIZE"); |
24 | | static_assert(TOX_PASS_ENCRYPTION_EXTRA_LENGTH == (crypto_box_MACBYTES + crypto_box_NONCEBYTES + |
25 | | crypto_pwhash_scryptsalsa208sha256_SALTBYTES + TOX_ENC_SAVE_MAGIC_LENGTH), |
26 | | "TOX_PASS_ENCRYPTION_EXTRA_LENGTH is assumed to be equal to (crypto_box_MACBYTES + crypto_box_NONCEBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES + TOX_ENC_SAVE_MAGIC_LENGTH)"); |
27 | | |
28 | | #define SET_ERROR_PARAMETER(param, x) \ |
29 | 175 | do { \ |
30 | 175 | if (param != nullptr) { \ |
31 | 135 | *param = x; \ |
32 | 135 | } \ |
33 | 175 | } while (0) |
34 | | |
35 | | uint32_t tox_pass_salt_length(void) |
36 | 0 | { |
37 | 0 | return TOX_PASS_SALT_LENGTH; |
38 | 0 | } |
39 | | uint32_t tox_pass_key_length(void) |
40 | 0 | { |
41 | 0 | return TOX_PASS_KEY_LENGTH; |
42 | 0 | } |
43 | | uint32_t tox_pass_encryption_extra_length(void) |
44 | 0 | { |
45 | 0 | return TOX_PASS_ENCRYPTION_EXTRA_LENGTH; |
46 | 0 | } |
47 | | |
48 | | struct Tox_Pass_Key { |
49 | | uint8_t salt[TOX_PASS_SALT_LENGTH]; |
50 | | uint8_t key[TOX_PASS_KEY_LENGTH]; |
51 | | }; |
52 | | |
53 | | void tox_pass_key_free(Tox_Pass_Key *key) |
54 | 84 | { |
55 | 84 | free(key); |
56 | 84 | } |
57 | | |
58 | | /* Clients should consider alerting their users that, unlike plain data, if even one bit |
59 | | * becomes corrupted, the data will be entirely unrecoverable. |
60 | | * Ditto if they forget their password, there is no way to recover the data. |
61 | | */ |
62 | | |
63 | | /** |
64 | | * Retrieves the salt used to encrypt the given data. |
65 | | * |
66 | | * The retrieved salt can then be passed to tox_pass_key_derive_with_salt to |
67 | | * produce the same key as was previously used. Any data encrypted with this |
68 | | * module can be used as input. |
69 | | * |
70 | | * The cipher text must be at least TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes in length. |
71 | | * The salt must be TOX_PASS_SALT_LENGTH bytes in length. |
72 | | * If the passed byte arrays are smaller than required, the behaviour is |
73 | | * undefined. |
74 | | * |
75 | | * If the cipher text pointer or the salt is NULL, this function returns false. |
76 | | * |
77 | | * Success does not say anything about the validity of the data, only that |
78 | | * data of the appropriate size was copied. |
79 | | * |
80 | | * @return true on success. |
81 | | */ |
82 | | bool tox_get_salt( |
83 | | const uint8_t ciphertext[TOX_PASS_ENCRYPTION_EXTRA_LENGTH], |
84 | | uint8_t salt[TOX_PASS_SALT_LENGTH], Tox_Err_Get_Salt *error) |
85 | 1 | { |
86 | 1 | if (ciphertext == nullptr || salt == nullptr) { |
87 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_GET_SALT_NULL); |
88 | 0 | return false; |
89 | 0 | } |
90 | | |
91 | 1 | if (memcmp(ciphertext, TOX_ENC_SAVE_MAGIC_NUMBER, TOX_ENC_SAVE_MAGIC_LENGTH) != 0) { |
92 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_GET_SALT_BAD_FORMAT); |
93 | 0 | return false; |
94 | 0 | } |
95 | | |
96 | 1 | ciphertext += TOX_ENC_SAVE_MAGIC_LENGTH; |
97 | 1 | memcpy(salt, ciphertext, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); |
98 | 1 | SET_ERROR_PARAMETER(error, TOX_ERR_GET_SALT_OK); |
99 | 1 | return true; |
100 | 1 | } |
101 | | |
102 | | /** |
103 | | * Generates a secret symmetric key from the given passphrase. |
104 | | * |
105 | | * Be sure to not compromise the key! Only keep it in memory, do not write |
106 | | * it to disk. |
107 | | * |
108 | | * Note that this function is not deterministic; to derive the same key from |
109 | | * a password, you also must know the random salt that was used. A |
110 | | * deterministic version of this function is `tox_pass_key_derive_with_salt`. |
111 | | * |
112 | | * @param passphrase The user-provided password. Can be empty. |
113 | | * @param passphrase_len The length of the password. |
114 | | * |
115 | | * @return new symmetric key on success, NULL on failure. |
116 | | */ |
117 | | Tox_Pass_Key *tox_pass_key_derive( |
118 | | const uint8_t passphrase[], size_t passphrase_len, |
119 | | Tox_Err_Key_Derivation *error) |
120 | 45 | { |
121 | 45 | const Random *rng = os_random(); |
122 | | |
123 | 45 | if (rng == nullptr) { |
124 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_KEY_DERIVATION_FAILED); |
125 | 0 | return nullptr; |
126 | 0 | } |
127 | | |
128 | 45 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; |
129 | 45 | random_bytes(rng, salt, sizeof(salt)); |
130 | 45 | return tox_pass_key_derive_with_salt(passphrase, passphrase_len, salt, error); |
131 | 45 | } |
132 | | |
133 | | /** |
134 | | * Same as above, except use the given salt for deterministic key derivation. |
135 | | * |
136 | | * @param passphrase The user-provided password. Can be empty. |
137 | | * @param passphrase_len The length of the password. |
138 | | * @param salt An array of at least TOX_PASS_SALT_LENGTH bytes. |
139 | | * |
140 | | * @return new symmetric key on success, NULL on failure. |
141 | | */ |
142 | | Tox_Pass_Key *tox_pass_key_derive_with_salt( |
143 | | const uint8_t passphrase[], size_t passphrase_len, |
144 | | const uint8_t salt[TOX_PASS_SALT_LENGTH], Tox_Err_Key_Derivation *error) |
145 | 86 | { |
146 | 86 | if (salt == nullptr || (passphrase == nullptr && passphrase_len != 0)) { |
147 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_KEY_DERIVATION_NULL); |
148 | 0 | return nullptr; |
149 | 0 | } |
150 | | |
151 | 86 | uint8_t passkey[crypto_hash_sha256_BYTES]; |
152 | 86 | crypto_hash_sha256(passkey, passphrase, passphrase_len); |
153 | | |
154 | 86 | uint8_t key[CRYPTO_SHARED_KEY_SIZE]; |
155 | | |
156 | | // Derive a key from the password |
157 | | // http://doc.libsodium.org/key_derivation/README.html |
158 | | // note that, according to the documentation, a generic pwhash interface will be created |
159 | | // once the pwhash competition (https://password-hashing.net/) is over */ |
160 | 86 | if (crypto_pwhash_scryptsalsa208sha256( |
161 | 86 | key, sizeof(key), (char *)passkey, sizeof(passkey), salt, |
162 | 86 | crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */ |
163 | 86 | crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) { |
164 | | /* out of memory most likely */ |
165 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_KEY_DERIVATION_FAILED); |
166 | 0 | return nullptr; |
167 | 0 | } |
168 | | |
169 | 86 | crypto_memzero(passkey, crypto_hash_sha256_BYTES); /* wipe plaintext pw */ |
170 | | |
171 | 86 | Tox_Pass_Key *out_key = (Tox_Pass_Key *)calloc(1, sizeof(Tox_Pass_Key)); |
172 | | |
173 | 86 | if (out_key == nullptr) { |
174 | 2 | SET_ERROR_PARAMETER(error, TOX_ERR_KEY_DERIVATION_FAILED); |
175 | 2 | return nullptr; |
176 | 2 | } |
177 | | |
178 | 84 | memcpy(out_key->salt, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); |
179 | 84 | memcpy(out_key->key, key, CRYPTO_SHARED_KEY_SIZE); |
180 | 84 | SET_ERROR_PARAMETER(error, TOX_ERR_KEY_DERIVATION_OK); |
181 | 84 | return out_key; |
182 | 86 | } |
183 | | |
184 | | /** |
185 | | * Encrypt a plain text with a key produced by tox_pass_key_derive or tox_pass_key_derive_with_salt. |
186 | | * |
187 | | * The output array must be at least `plaintext_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH` |
188 | | * bytes long. |
189 | | * |
190 | | * @param plaintext A byte array of length `plaintext_len`. |
191 | | * @param plaintext_len The length of the plain text array. Bigger than 0. |
192 | | * @param ciphertext The cipher text array to write the encrypted data to. |
193 | | * |
194 | | * @return true on success. |
195 | | */ |
196 | | bool tox_pass_key_encrypt(const Tox_Pass_Key *key, const uint8_t plaintext[], size_t plaintext_len, |
197 | | uint8_t ciphertext[], Tox_Err_Encryption *error) |
198 | 44 | { |
199 | 44 | const Random *rng = os_random(); |
200 | | |
201 | 44 | if (rng == nullptr) { |
202 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_ENCRYPTION_FAILED); |
203 | 0 | return false; |
204 | 0 | } |
205 | | |
206 | 44 | if (plaintext_len == 0 || plaintext == nullptr || key == nullptr || ciphertext == nullptr) { |
207 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_ENCRYPTION_NULL); |
208 | 0 | return false; |
209 | 0 | } |
210 | | |
211 | | // the output data consists of, in order: |
212 | | // salt, nonce, mac, enc_data |
213 | | // where the mac is automatically prepended by the encrypt() |
214 | | // the salt+nonce is called the prefix |
215 | | // I'm not sure what else I'm supposed to do with the salt and nonce, since we |
216 | | // need them to decrypt the data |
217 | | |
218 | | /* first add the magic number */ |
219 | 44 | memcpy(ciphertext, TOX_ENC_SAVE_MAGIC_NUMBER, TOX_ENC_SAVE_MAGIC_LENGTH); |
220 | 44 | ciphertext += TOX_ENC_SAVE_MAGIC_LENGTH; |
221 | | |
222 | | /* then add the rest prefix */ |
223 | 44 | memcpy(ciphertext, key->salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); |
224 | 44 | ciphertext += crypto_pwhash_scryptsalsa208sha256_SALTBYTES; |
225 | | |
226 | 44 | uint8_t nonce[crypto_box_NONCEBYTES]; |
227 | 44 | random_nonce(rng, nonce); |
228 | 44 | memcpy(ciphertext, nonce, crypto_box_NONCEBYTES); |
229 | 44 | ciphertext += crypto_box_NONCEBYTES; |
230 | | |
231 | | /* now encrypt */ |
232 | 44 | if (encrypt_data_symmetric(key->key, nonce, plaintext, plaintext_len, ciphertext) |
233 | 44 | != plaintext_len + crypto_box_MACBYTES) { |
234 | 1 | SET_ERROR_PARAMETER(error, TOX_ERR_ENCRYPTION_FAILED); |
235 | 1 | return false; |
236 | 1 | } |
237 | | |
238 | 43 | SET_ERROR_PARAMETER(error, TOX_ERR_ENCRYPTION_OK); |
239 | 43 | return true; |
240 | 44 | } |
241 | | |
242 | | /** |
243 | | * Encrypts the given data with the given passphrase. |
244 | | * |
245 | | * The output array must be at least `plaintext_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH` |
246 | | * bytes long. This delegates to tox_pass_key_derive and |
247 | | * tox_pass_key_encrypt. |
248 | | * |
249 | | * @param plaintext A byte array of length `plaintext_len`. |
250 | | * @param plaintext_len The length of the plain text array. Bigger than 0. |
251 | | * @param passphrase The user-provided password. Can be empty. |
252 | | * @param passphrase_len The length of the password. |
253 | | * @param ciphertext The cipher text array to write the encrypted data to. |
254 | | * |
255 | | * @return true on success. |
256 | | */ |
257 | | bool tox_pass_encrypt(const uint8_t plaintext[], size_t plaintext_len, const uint8_t passphrase[], size_t passphrase_len, |
258 | | uint8_t ciphertext[/*! plaintext_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH */], Tox_Err_Encryption *error) |
259 | 43 | { |
260 | 43 | Tox_Err_Key_Derivation err; |
261 | 43 | Tox_Pass_Key *key = tox_pass_key_derive(passphrase, passphrase_len, &err); |
262 | | |
263 | 43 | if (key == nullptr) { |
264 | 1 | if (err == TOX_ERR_KEY_DERIVATION_NULL) { |
265 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_ENCRYPTION_NULL); |
266 | 1 | } else if (err == TOX_ERR_KEY_DERIVATION_FAILED) { |
267 | 1 | SET_ERROR_PARAMETER(error, TOX_ERR_ENCRYPTION_KEY_DERIVATION_FAILED); |
268 | 1 | } |
269 | | |
270 | 1 | return false; |
271 | 1 | } |
272 | | |
273 | 42 | const bool result = tox_pass_key_encrypt(key, plaintext, plaintext_len, ciphertext, error); |
274 | 42 | tox_pass_key_free(key); |
275 | 42 | return result; |
276 | 43 | } |
277 | | |
278 | | /** |
279 | | * This is the inverse of tox_pass_key_encrypt, also using only keys produced by |
280 | | * tox_pass_key_derive or tox_pass_key_derive_with_salt. |
281 | | * |
282 | | * @param ciphertext A byte array of length `ciphertext_len`. |
283 | | * @param ciphertext_len The length of the cipher text array. At least TOX_PASS_ENCRYPTION_EXTRA_LENGTH. |
284 | | * @param plaintext The plain text array to write the decrypted data to. |
285 | | * |
286 | | * @return true on success. |
287 | | */ |
288 | | bool tox_pass_key_decrypt(const Tox_Pass_Key *key, const uint8_t ciphertext[], size_t ciphertext_len, |
289 | | uint8_t plaintext[], Tox_Err_Decryption *error) |
290 | 41 | { |
291 | 41 | if (ciphertext_len <= TOX_PASS_ENCRYPTION_EXTRA_LENGTH) { |
292 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_INVALID_LENGTH); |
293 | 0 | return false; |
294 | 0 | } |
295 | | |
296 | 41 | if (ciphertext == nullptr || key == nullptr || plaintext == nullptr) { |
297 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_NULL); |
298 | 0 | return false; |
299 | 0 | } |
300 | | |
301 | 41 | if (memcmp(ciphertext, TOX_ENC_SAVE_MAGIC_NUMBER, TOX_ENC_SAVE_MAGIC_LENGTH) != 0) { |
302 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_BAD_FORMAT); |
303 | 0 | return false; |
304 | 0 | } |
305 | | |
306 | 41 | ciphertext += TOX_ENC_SAVE_MAGIC_LENGTH; |
307 | 41 | ciphertext += crypto_pwhash_scryptsalsa208sha256_SALTBYTES; // salt only affects key derivation |
308 | | |
309 | 41 | const size_t decrypt_length = ciphertext_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH; |
310 | | |
311 | 41 | uint8_t nonce[crypto_box_NONCEBYTES]; |
312 | 41 | memcpy(nonce, ciphertext, crypto_box_NONCEBYTES); |
313 | 41 | ciphertext += crypto_box_NONCEBYTES; |
314 | | |
315 | | /* decrypt the ciphertext */ |
316 | 41 | if (decrypt_data_symmetric(key->key, nonce, ciphertext, decrypt_length + crypto_box_MACBYTES, plaintext) |
317 | 41 | != decrypt_length) { |
318 | 1 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_FAILED); |
319 | 1 | return false; |
320 | 1 | } |
321 | | |
322 | 40 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_OK); |
323 | 40 | return true; |
324 | 41 | } |
325 | | |
326 | | /** |
327 | | * Decrypts the given data with the given passphrase. |
328 | | * |
329 | | * The output array must be at least `ciphertext_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH` |
330 | | * bytes long. This delegates to tox_pass_key_decrypt. |
331 | | * |
332 | | * @param ciphertext A byte array of length `ciphertext_len`. |
333 | | * @param ciphertext_len The length of the cipher text array. At least TOX_PASS_ENCRYPTION_EXTRA_LENGTH. |
334 | | * @param passphrase The user-provided password. Can be empty. |
335 | | * @param passphrase_len The length of the password. |
336 | | * @param plaintext The plain text array to write the decrypted data to. |
337 | | * |
338 | | * @return true on success. |
339 | | */ |
340 | | bool tox_pass_decrypt(const uint8_t ciphertext[], size_t ciphertext_len, const uint8_t passphrase[], |
341 | | size_t passphrase_len, uint8_t plaintext[/*! ciphertext_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH */], Tox_Err_Decryption *error) |
342 | 41 | { |
343 | 41 | if (ciphertext_len <= TOX_PASS_ENCRYPTION_EXTRA_LENGTH) { |
344 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_INVALID_LENGTH); |
345 | 0 | return false; |
346 | 0 | } |
347 | | |
348 | 41 | if (ciphertext == nullptr || passphrase == nullptr || plaintext == nullptr) { |
349 | 1 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_NULL); |
350 | 1 | return false; |
351 | 1 | } |
352 | | |
353 | 40 | if (memcmp(ciphertext, TOX_ENC_SAVE_MAGIC_NUMBER, TOX_ENC_SAVE_MAGIC_LENGTH) != 0) { |
354 | 0 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_BAD_FORMAT); |
355 | 0 | return false; |
356 | 0 | } |
357 | | |
358 | 40 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; |
359 | 40 | memcpy(salt, ciphertext + TOX_ENC_SAVE_MAGIC_LENGTH, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); |
360 | | |
361 | | /* derive the key */ |
362 | 40 | Tox_Pass_Key *key = tox_pass_key_derive_with_salt(passphrase, passphrase_len, salt, nullptr); |
363 | | |
364 | 40 | if (key == nullptr) { |
365 | | /* out of memory most likely */ |
366 | 1 | SET_ERROR_PARAMETER(error, TOX_ERR_DECRYPTION_KEY_DERIVATION_FAILED); |
367 | 1 | return false; |
368 | 1 | } |
369 | | |
370 | 39 | const bool result = tox_pass_key_decrypt(key, ciphertext, ciphertext_len, plaintext, error); |
371 | 39 | tox_pass_key_free(key); |
372 | 39 | return result; |
373 | 40 | } |
374 | | |
375 | | /** |
376 | | * Determines whether or not the given data is encrypted by this module. |
377 | | * |
378 | | * It does this check by verifying that the magic number is the one put in |
379 | | * place by the encryption functions. |
380 | | * |
381 | | * The data must be at least TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes in length. |
382 | | * If the passed byte array is smaller than required, the behaviour is |
383 | | * undefined. |
384 | | * |
385 | | * If the data pointer is NULL, the behaviour is undefined |
386 | | * |
387 | | * @return true if the data is encrypted by this module. |
388 | | */ |
389 | | bool tox_is_data_encrypted(const uint8_t data[TOX_PASS_ENCRYPTION_EXTRA_LENGTH]) |
390 | 2 | { |
391 | 2 | return memcmp(data, TOX_ENC_SAVE_MAGIC_NUMBER, TOX_ENC_SAVE_MAGIC_LENGTH) == 0; |
392 | 2 | } |