[become] / src / crypt.c

/* -*-c-*-
 *
 * $Id: crypt.c,v 1.5 1998/06/18 15:08:49 mdw Exp $
 *
 * Cryptographic transfer of `become' requests
 *
 * (c) 1998 EBI
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of `become'
 *
 * `Become' is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * `Become' is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with `become'; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------*
 *
 * $Log: crypt.c,v $
 * Revision 1.5  1998/06/18 15:08:49  mdw
 * Paranoia: set close-on-exec flag for seed file.
 *
 * Revision 1.4  1998/01/12 16:45:55  mdw
 * Fix copyright date.
 *
 * Revision 1.3  1997/09/26 09:14:58  mdw
 * Merged blowfish branch into trunk.
 *
 * Revision 1.2.2.1  1997/09/26 09:08:02  mdw
 * Use the Blowfish encryption algorithm instead of IDEA.  This is partly
 * because I prefer Blowfish (without any particularly strong evidence) but
 * mainly because IDEA is patented and Blowfish isn't.
 *
 * Revision 1.2  1997/08/04 10:24:21  mdw
 * Sources placed under CVS control.
 *
 * Revision 1.1  1997/07/21  13:47:51  mdw
 * Initial revision
 *
 */

/*----- Header files ------------------------------------------------------*/

/* --- ANSI headers --- */

#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* --- Unix headers --- */

#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <syslog.h>
#include <fcntl.h>

/* --- Local headers --- */

#include "become.h"
#include "blowfish.h"
#include "config.h"
#include "crypt.h"
#include "icrypt.h"
#include "md5.h"
#include "noise.h"
#include "rand.h"
#include "tx.h"
#include "utils.h"

/*----- Magic numbers -----------------------------------------------------*/

#define crypt__timeError 60		/* Seconds error to permit */

/*----- Main code ---------------------------------------------------------*/

/* --- @crypt__sessionKey@ --- *
 *
 * Arguments:	@const char *seedfile@ = pointer to name of seed file
 *		@unsigned char *k@ = our secret key
 *		@unsigned *sk@ = where to store the session key
 *		@unsigned char *iv@ = where to store the IV
 *
 * Returns:	---
 *
 * Use:		Decides on a random session key and initialisation vector.
 */

static void crypt__sessionKey(const char *seedfile, unsigned char *k,
			      unsigned char *sk, unsigned char *iv)
{
  FILE *fp;				/* File handle for reading */
  struct flock l;
  int ok = 1;

  /* --- Open the random seed file --- *
   *
   * If I can't manage that, create a new one.
   */

  if ((fp = fopen(seedfile, "r+")) == 0) {
    ok = 0;
    if ((fp = fopen(seedfile, "w+")) == 0)
      die("can't create random number file: %s", strerror(errno));
    rand_clear();
  }
  if (fcntl(fileno(fp), F_SETFD, 1) < 0) {
    die("can't set close-on-exec for random number file: %s",
	strerror(errno));
  }

  /* --- Lock the seed file against concurrency problems --- */

  l.l_type = F_WRLCK;
  l.l_whence = SEEK_SET;
  l.l_start = 0;
  l.l_len = 0;
  if (fcntl(fileno(fp), F_SETLKW, &l) < 0)
    die("can't lock random number file: %s", strerror(errno));

    /* --- Now read the file, and launder the seed --- */

  if (ok)
    rand_read(fp);

  /* --- Encrypt the pool using the secret key --- */

  {
    icrypt_job j;
    icrypt_init(&j, k, BLOWFISH_KEYSIZE, 0);
    rand_encrypt(&j);
    burn(j);
  }

  /* --- Generate the session key and IV --- */

  noise_acquire();
  rand_extract(sk, BLOWFISH_KEYSIZE);
  rand_extract(iv, BLOWFISH_BLKSIZE);

  IF_TRACING(TRACE_CRYPTO,
    traceblk(TRACE_CRYPTO, "crypto: session key:", sk, BLOWFISH_KEYSIZE);
    traceblk(TRACE_CRYPTO, "crypto: initialisation vector:",
	     iv, BLOWFISH_BLKSIZE);
  );

  /* --- Write the seed back --- */

  rewind(fp);
  rand_write(fp);
  fclose(fp);

}

/* --- @crypt_packRequest@ --- *
 *
 * Arguments:	@request *rq@ = pointer to request block
 *		@unsigned char *buff@ = pointer to a buffer
 *		@time_t t@ = the current time
 *		@pid_t pid@ = my process ID
 *		@unsigned char *k@ = pointer to 128-bit key
 *		@unsigned char *sk@ = where to put the session key
 *
 * Returns:	---
 *
 * Use:		Packs a request block into a buffer.  The buffer should have
 *		space for at least @crq_size@ bytes.  The buffer comes back
 *		encrypted and ready to send.
 */

void crypt_packRequest(request *rq, unsigned char *buff,
		       time_t t, pid_t pid,
		       unsigned char *k, unsigned char *sk)
{
  /* --- First, build the easy stuff in the block --- */

  buff[crq_cryptType] = cryptType_blowfish;
  store32(buff + crq_time, t);
  store32(buff + crq_pid, pid);
  store32(buff + crq_from, rq->from);
  store32(buff + crq_to, rq->to);

  /* --- Now generate session keys and things --- */

  crypt__sessionKey(file_RANDSEED, k, sk, buff + crq_iv);
  memcpy(buff + crq_session, sk, BLOWFISH_KEYSIZE);

  /* --- The string causes a few problems --- *
   *
   * There's a good chance that the string will be a good deal shorter than
   * the space allowed for it.  This will probably mean lots of zeroes, and a
   * very easy known-plaintext job for a potential attacker.  (An early
   * version of this code used @strncpy@ which is even worse!)
   *
   * I'll fill the block with random (from @rand@(3) -- nothing too
   * elaborate) and then encrypt it using Blowfish in CFB mode, using the
   * first few bytes as the key.  This should provide a sufficiently
   * unpredictable background for the block.
   */

  {
    icrypt_job j;
    unsigned char *p;
    unsigned u;
    md5 md;
    unsigned char qk[BLOWFISH_KEYSIZE];

    /* --- Initialise the buffer with junk --- */

    srand((unsigned int)(t ^ pid));	/* Seed the (bad) RNG */
    for (p = buff + crq_cmd; p < buff + crq_cmd + CMDLEN_MAX; p++) {
      u = rand(); *p = u ^ (u >> 8);
    }

    /* --- Now make the junk a whole lot harder to predict --- */

    p = buff + crq_cmd;
    md5_init(&md); md5_buffer(&md, p, CMDLEN_MAX); md5_final(&md, qk);
    icrypt_init(&j, qk, BLOWFISH_KEYSIZE, 0);
    icrypt_encrypt(&j, p, p, CMDLEN_MAX);
    burn(j); burn(qk); burn(md);

    /* --- Copy the string into here --- */

    strcpy((char *)buff + crq_cmd, rq->cmd);
  }

  /* --- Checksum the finished data --- */

  {
    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];

    md5_init(&md);
    md5_buffer(&md, buff + crq_cipher, crq_check - crq_cipher);
    md5_final(&md, mdbuf);
    memcpy(buff + crq_check, mdbuf, 4);
    burn(md); burn(mdbuf);
  }

  /* --- Encrypt the block --- *
   *
   * First, encrypt the session key using the master key.  Since the session
   * key is effectively random, this makes cracking the master key much
   * harder.  The rest of the block is then encrypted with the session key,
   * using the IV left over from encrypting the session key.
   */

  {
    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext request:",
		buff, crq_size); )

    T( traceblk(TRACE_CRYPTO, "crypto: master key:", k, BLOWFISH_KEYSIZE); )
    T( traceblk(TRACE_CRYPTO, "crypto: initial iv:",
		buff + crq_iv, BLOWFISH_BLKSIZE); )
    T( traceblk(TRACE_CRYPTO, "crypto: session key:",
		sk, BLOWFISH_KEYSIZE); )

    icrypt_init(&j, k, BLOWFISH_KEYSIZE, buff + crq_iv);

    icrypt_encrypt(&j, buff + crq_session,
		   buff + crq_session, BLOWFISH_KEYSIZE);
    T( traceblk(TRACE_CRYPTO, "crypto: encrypted session key:",
		buff + crq_session, BLOWFISH_KEYSIZE); )

    icrypt_reset(&j, sk, BLOWFISH_KEYSIZE, 0);

    T( traceblk(TRACE_CRYPTO, "crypto: partial iv:",
		j.iv, BLOWFISH_BLKSIZE); )

    icrypt_encrypt(&j, buff + crq_cipher,
		   buff + crq_cipher, crq_size - crq_cipher);
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext request:",
		buff, crq_size); )
  }
}

/* --- @crypt_unpackRequest@ --- *
 *
 * Arguments:	@reqest *rq@ = pointer to destination request block
 *		@unsigned char *buff@ = pointer to source buffer
 *		@unsigned char *k@ = pointer to encryption key
 *		@unsigned char *sk@ = pointer to where to store session key
 *		@unsigned char *rpl@ = where to start building reply
 *
 * Returns:	Nonzero if it was decrypted OK
 *
 * Use:		Decrypts and unpacks a request buffer.
 */

int crypt_unpackRequest(request *rq, unsigned char *buff,
			unsigned char *k, unsigned char *sk,
			unsigned char *rpl)
{
  {
    /* --- Check the encryption format --- */

    if (buff[crq_cryptType] != cryptType_blowfish)
      return (0);
  }

  {
    /* --- First things first: decrypt the block --- */

    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext request:",
		buff, crq_size); )

    T( traceblk(TRACE_CRYPTO, "crypto: master key:", k, BLOWFISH_KEYSIZE); )
    T( traceblk(TRACE_CRYPTO, "crypto: initial iv:",
		buff + crq_iv, BLOWFISH_BLKSIZE); )

    icrypt_init(&j, k, BLOWFISH_KEYSIZE, buff + crq_iv);
    T( traceblk(TRACE_CRYPTO, "crypto: job block:", &j, sizeof(j)); )

    T( traceblk(TRACE_CRYPTO, "crypto: encrypted session key:",
		buff + crq_session, BLOWFISH_KEYSIZE); )
    icrypt_decrypt(&j, buff + crq_session,
		   buff + crq_session, BLOWFISH_KEYSIZE);
    memcpy(sk, buff + crq_session, BLOWFISH_KEYSIZE);
    T( traceblk(TRACE_CRYPTO, "crypto: session key:",
		sk, BLOWFISH_KEYSIZE); )

    icrypt_reset(&j, sk, BLOWFISH_KEYSIZE, 0);

    T( traceblk(TRACE_CRYPTO, "crypto: partial iv:",
		j.iv, BLOWFISH_BLKSIZE); )

    icrypt_decrypt(&j, buff + crq_cipher,
		   buff + crq_cipher, crq_size - crq_cipher);
    icrypt_saveIV(&j, rpl + crp_iv);

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext request:",
		buff, crq_size); )

    memset(buff + crq_session, 0, BLOWFISH_KEYSIZE); /* Burn, baby, burn */
    burn(j);
  }

  {
    /* --- Check the validity of the data therein --- */

    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];

    md5_init(&md);
    md5_buffer(&md, buff + crq_cipher, crq_check - crq_cipher);
    md5_final(&md, mdbuf);
    if (memcmp(mdbuf, buff + crq_check, 4) != 0) {
      syslog(LOG_INFO, "packet rejected: bad checksum");
      T( trace(TRACE_CRYPTO, "crypto: bad checksum on incoming request"); )
      return (0);
    }
    burn(md); burn(mdbuf);
  }

  {
    /* --- Extract fields from the block --- */

    rq->from = load32(buff + crq_from);
    rq->to = load32(buff + crq_to);
    memcpy(rq->cmd, buff + crq_cmd, CMDLEN_MAX);
  }

  {
    /* --- Fill in bits of the reply block --- */

    long t = (long)time(0);
    long u = (long)load32(buff + crq_time);

    if (t - u > crypt__timeError || u - t > crypt__timeError) {
      syslog(LOG_INFO, "packet rejected: bad time");
      T( trace(TRACE_CRYPTO, "crypto: bad time on incoming request"); )
      return (0);
    }
    memcpy(rpl + crp_time, buff + crq_time, 8);
  }

  /* --- Done --- */

  T( trace(TRACE_CRYPTO, "crypto: valid request received"); )
  return (1);
}

/* --- @crypt_packReply@ --- *
 *
 * Arguments:	@char *buff@ = pointer to reply block
 *		@unsigned char *sk@ = pointer to session key
 *		@int answer@ = yes or no
 *
 * Returns:	---
 *
 * Use:		Packs and encrypts a reply block.
 */

void crypt_packReply(unsigned char *buff, unsigned char *sk, int answer)
{
  {
    /* --- Store the answer --- */

    buff[crp_answer] = (answer != 0);
  }

  {
    /* --- Build the checksum --- */

    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];

    md5_init(&md);
    md5_buffer(&md, buff + crp_cipher, crp_check - crp_cipher);
    md5_final(&md, mdbuf);
    memcpy(buff + crp_check, mdbuf, 4);
    burn(md); burn(mdbuf);
  }

  {
    /* --- Encrypt the buffer --- */

    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext reply:", buff, crp_size); )

    icrypt_init(&j, sk, BLOWFISH_KEYSIZE, buff + crp_iv);
    icrypt_encrypt(&j, buff + crp_cipher,
		   buff + crp_cipher, crp_size - crp_cipher);
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext reply:", buff, crp_size); )
  }
}

/* --- @crypt_unpackReply@ --- *
 *
 * Arguments:	@unsigned char *buff@ = pointer to reply buffer
 *		@unsigned char *sk@ = pointer to session key
 *		@time_t t@ = time at which request was sent
 *		@pid_t pid@ = my process ID
 *
 * Returns:	>0 if request granted, zero if denied, <0 if reply rejected
 *
 * Use:		Unpacks a reply block, and informs the caller of the outcome.
 */

int crypt_unpackReply(unsigned char *buff, unsigned char *sk,
		      time_t t, pid_t pid)
{
  {
    /* --- Decrypt my reply block --- */

    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext reply:", buff, crp_size); )

    icrypt_init(&j, sk, BLOWFISH_KEYSIZE, buff + crp_iv);
    icrypt_decrypt(&j, buff + crp_cipher,
		   buff + crp_cipher, crp_size - crp_cipher);
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext reply:", buff, crp_size); )
  }

  {
    /* --- Check validity --- */

    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];
    char b[8];

    /* --- Check the checksum --- */

    md5_init(&md);
    md5_buffer(&md, buff + crp_cipher, crp_check - crp_cipher);
    md5_final(&md, mdbuf);
    if (memcmp(buff + crp_check, mdbuf, 4) != 0) {
      syslog(LOG_INFO, "reply rejected: bad checksum");
      T( trace(TRACE_CRYPTO, "crypto: bad checksum on reply"); )
      return (-1);
    }

    /* --- Check the identifier --- */

    store32(b + 0, t); store32(b + 4, pid);
    if (memcmp(b, buff + crp_time, sizeof(b)) != 0) {
      syslog(LOG_INFO, "reply rejected: bad identification marker");
      T( trace(TRACE_CRYPTO, "crypto: bad id on reply"); )
      return (-1);
    }
  }

  /* --- Return the value --- */

  T( trace(TRACE_CRYPTO, "crypto: valid reply received"); )
  return (buff[crp_answer]);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

int main(int argc, char *argv[])
{
  unsigned char buff[8];
  unsigned char sk[BLOWFISH_KEYSIZE], k[BLOWFISH_KEYSIZE];
  FILE *fp;

  ego(argv[0]);
  traceon(stdout, TRACE_CRYPTO);
  if (argc < 3)
    die("bad args");
  fp = fopen(argv[1], "r");
  if (!fp)
    die("fopen: %s", strerror(errno));
  tx_getBits(k, 128, fp);
  fclose(fp);
  crypt__sessionKey(argv[2], k, sk, buff);
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
c4f2d992	1	/* --c--
c4f2d992	2	*
bce14ae6	3	* $Id: crypt.c,v 1.5 1998/06/18 15:08:49 mdw Exp $
c4f2d992	4	*
	5	* Cryptographic transfer of `become' requests
	6	*
c758e654	7	* (c) 1998 EBI
c4f2d992	8	*/
c4f2d992	9
03f996bd	10	/----- Licensing notice --------------------------------------------------
c4f2d992	11	*
	12	* This file is part of `become'
	13	*
	14	* `Become' is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU General Public License as published by
	16	* the Free Software Foundation; either version 2 of the License, or
	17	* (at your option) any later version.
	18	*
	19	* `Become' is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU General Public License
03f996bd	25	* along with `become'; if not, write to the Free Software Foundation,
03f996bd	26	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
c4f2d992	27	*/
	28
	29	/----- Revision history --------------------------------------------------
	30	*
	31	* $Log: crypt.c,v $
bce14ae6	32	* Revision 1.5 1998/06/18 15:08:49 mdw
	33	* Paranoia: set close-on-exec flag for seed file.
	34	*
c758e654	35	* Revision 1.4 1998/01/12 16:45:55 mdw
	36	* Fix copyright date.
	37	*
9e5602f0	38	* Revision 1.3 1997/09/26 09:14:58 mdw
	39	* Merged blowfish branch into trunk.
	40	*
	41	* Revision 1.2.2.1 1997/09/26 09:08:02 mdw
	42	* Use the Blowfish encryption algorithm instead of IDEA. This is partly
	43	* because I prefer Blowfish (without any particularly strong evidence) but
	44	* mainly because IDEA is patented and Blowfish isn't.
	45	*
03f996bd	46	* Revision 1.2 1997/08/04 10:24:21 mdw
	47	* Sources placed under CVS control.
	48	*
	49	* Revision 1.1 1997/07/21 13:47:51 mdw
c4f2d992	50	* Initial revision
	51	*
	52	*/
	53
	54	/----- Header files ------------------------------------------------------/
	55
	56	/* --- ANSI headers --- */
	57
	58	#include <ctype.h>
	59	#include <errno.h>
	60	#include <stdio.h>
	61	#include <stdlib.h>
	62	#include <string.h>
	63	#include <time.h>
	64
	65	/* --- Unix headers --- */
	66
	67	#include <sys/types.h>
03f996bd	68	#include <sys/time.h>
c4f2d992	69	#include <unistd.h>
	70	#include <syslog.h>
	71	#include <fcntl.h>
	72
	73	/* --- Local headers --- */
	74
03f996bd	75	#include "become.h"
9e5602f0	76	#include "blowfish.h"
c4f2d992	77	#include "config.h"
	78	#include "crypt.h"
	79	#include "icrypt.h"
c4f2d992	80	#include "md5.h"
03f996bd	81	#include "noise.h"
03f996bd	82	#include "rand.h"
c4f2d992	83	#include "tx.h"
	84	#include "utils.h"
	85
	86	/----- Magic numbers -----------------------------------------------------/
	87
03f996bd	88	#define crypt__timeError 60 /* Seconds error to permit */
c4f2d992	89
	90	/----- Main code ---------------------------------------------------------/
	91
	92	/* --- @crypt__sessionKey@ --- *
	93	*
	94	* Arguments: @const char *seedfile@ = pointer to name of seed file
	95	* @unsigned char *k@ = our secret key
c4f2d992	96	* @unsigned *sk@ = where to store the session key
	97	* @unsigned char *iv@ = where to store the IV
	98	*
	99	* Returns: ---
	100	*
	101	* Use: Decides on a random session key and initialisation vector.
	102	*/
	103
	104	static void crypt__sessionKey(const char seedfile, unsigned char k,
c4f2d992	105	unsigned char sk, unsigned char iv)
	106	{
	107	FILE fp; / File handle for reading */
03f996bd	108	struct flock l;
03f996bd	109	int ok = 1;
c4f2d992	110
03f996bd	111	/* --- Open the random seed file --- *
c4f2d992	112	*
03f996bd	113	* If I can't manage that, create a new one.
c4f2d992	114	*/
c4f2d992	115
03f996bd	116	if ((fp = fopen(seedfile, "r+")) == 0) {
	117	ok = 0;
	118	if ((fp = fopen(seedfile, "w+")) == 0)
	119	die("can't create random number file: %s", strerror(errno));
	120	rand_clear();
bce14ae6	121	}
	122	if (fcntl(fileno(fp), F_SETFD, 1) < 0) {
	123	die("can't set close-on-exec for random number file: %s",
	124	strerror(errno));
c4f2d992	125	}
c4f2d992	126
03f996bd	127	/* --- Lock the seed file against concurrency problems --- */
c4f2d992	128
03f996bd	129	l.l_type = F_WRLCK;
	130	l.l_whence = SEEK_SET;
	131	l.l_start = 0;
	132	l.l_len = 0;
	133	if (fcntl(fileno(fp), F_SETLKW, &l) < 0)
	134	die("can't lock random number file: %s", strerror(errno));
c4f2d992	135
03f996bd	136	/* --- Now read the file, and launder the seed --- */
c4f2d992	137
03f996bd	138	if (ok)
03f996bd	139	rand_read(fp);
c4f2d992	140
03f996bd	141	/* --- Encrypt the pool using the secret key --- */
c4f2d992	142
c4f2d992	143	{
03f996bd	144	icrypt_job j;
9e5602f0	145	icrypt_init(&j, k, BLOWFISH_KEYSIZE, 0);
03f996bd	146	rand_encrypt(&j);
03f996bd	147	burn(j);
c4f2d992	148	}
c4f2d992	149
03f996bd	150	/* --- Generate the session key and IV --- */
c4f2d992	151
03f996bd	152	noise_acquire();
9e5602f0	153	rand_extract(sk, BLOWFISH_KEYSIZE);
9e5602f0	154	rand_extract(iv, BLOWFISH_BLKSIZE);
03f996bd	155
03f996bd	156	IF_TRACING(TRACE_CRYPTO,
9e5602f0	157	traceblk(TRACE_CRYPTO, "crypto: session key:", sk, BLOWFISH_KEYSIZE);
03f996bd	158	traceblk(TRACE_CRYPTO, "crypto: initialisation vector:",
9e5602f0	159	iv, BLOWFISH_BLKSIZE);
03f996bd	160	);
c4f2d992	161
03f996bd	162	/* --- Write the seed back --- */
c4f2d992	163
c4f2d992	164	rewind(fp);
03f996bd	165	rand_write(fp);
c4f2d992	166	fclose(fp);
c4f2d992	167
c4f2d992	168	}
	169
	170	/* --- @crypt_packRequest@ --- *
	171	*
	172	* Arguments: @request *rq@ = pointer to request block
	173	* @unsigned char *buff@ = pointer to a buffer
	174	* @time_t t@ = the current time
	175	* @pid_t pid@ = my process ID
	176	* @unsigned char *k@ = pointer to 128-bit key
	177	* @unsigned char *sk@ = where to put the session key
	178	*
	179	* Returns: ---
	180	*
	181	* Use: Packs a request block into a buffer. The buffer should have
	182	* space for at least @crq_size@ bytes. The buffer comes back
	183	* encrypted and ready to send.
	184	*/
	185
	186	void crypt_packRequest(request rq, unsigned char buff,
	187	time_t t, pid_t pid,
	188	unsigned char k, unsigned char sk)
	189	{
	190	/* --- First, build the easy stuff in the block --- */
	191
9e5602f0	192	buff[crq_cryptType] = cryptType_blowfish;
c4f2d992	193	store32(buff + crq_time, t);
	194	store32(buff + crq_pid, pid);
	195	store32(buff + crq_from, rq->from);
	196	store32(buff + crq_to, rq->to);
	197
03f996bd	198	/* --- Now generate session keys and things --- */
	199
	200	crypt__sessionKey(file_RANDSEED, k, sk, buff + crq_iv);
9e5602f0	201	memcpy(buff + crq_session, sk, BLOWFISH_KEYSIZE);
03f996bd	202
c4f2d992	203	/* --- The string causes a few problems --- *
	204	*
	205	* There's a good chance that the string will be a good deal shorter than
	206	* the space allowed for it. This will probably mean lots of zeroes, and a
	207	* very easy known-plaintext job for a potential attacker. (An early
	208	* version of this code used @strncpy@ which is even worse!)
	209	*
	210	* I'll fill the block with random (from @rand@(3) -- nothing too
9e5602f0	211	* elaborate) and then encrypt it using Blowfish in CFB mode, using the
	212	* first few bytes as the key. This should provide a sufficiently
	213	* unpredictable background for the block.
c4f2d992	214	*/
	215
	216	{
	217	icrypt_job j;
	218	unsigned char *p;
	219	unsigned u;
03f996bd	220	md5 md;
9e5602f0	221	unsigned char qk[BLOWFISH_KEYSIZE];
c4f2d992	222
	223	/* --- Initialise the buffer with junk --- */
	224
	225	srand((unsigned int)(t ^ pid)); /* Seed the (bad) RNG */
	226	for (p = buff + crq_cmd; p < buff + crq_cmd + CMDLEN_MAX; p++) {
03f996bd	227	u = rand(); *p = u ^ (u >> 8);
c4f2d992	228	}
	229
	230	/* --- Now make the junk a whole lot harder to predict --- */
	231
	232	p = buff + crq_cmd;
03f996bd	233	md5_init(&md); md5_buffer(&md, p, CMDLEN_MAX); md5_final(&md, qk);
9e5602f0	234	icrypt_init(&j, qk, BLOWFISH_KEYSIZE, 0);
9e5602f0	235	icrypt_encrypt(&j, p, p, CMDLEN_MAX);
03f996bd	236	burn(j); burn(qk); burn(md);
c4f2d992	237
	238	/* --- Copy the string into here --- */
	239
	240	strcpy((char *)buff + crq_cmd, rq->cmd);
	241	}
	242
c4f2d992	243	/* --- Checksum the finished data --- */
	244
	245	{
	246	md5 md;
03f996bd	247	unsigned char mdbuf[MD5_HASHSIZE];
c4f2d992	248
	249	md5_init(&md);
	250	md5_buffer(&md, buff + crq_cipher, crq_check - crq_cipher);
03f996bd	251	md5_final(&md, mdbuf);
	252	memcpy(buff + crq_check, mdbuf, 4);
	253	burn(md); burn(mdbuf);
c4f2d992	254	}
	255
	256	/* --- Encrypt the block --- *
	257	*
	258	* First, encrypt the session key using the master key. Since the session
	259	* key is effectively random, this makes cracking the master key much
	260	* harder. The rest of the block is then encrypted with the session key,
	261	* using the IV left over from encrypting the session key.
	262	*/
	263
	264	{
	265	icrypt_job j;
	266
03f996bd	267	T( traceblk(TRACE_CRYPTO, "crypto: plaintext request:",
03f996bd	268	buff, crq_size); )
c4f2d992	269
9e5602f0	270	T( traceblk(TRACE_CRYPTO, "crypto: master key:", k, BLOWFISH_KEYSIZE); )
	271	T( traceblk(TRACE_CRYPTO, "crypto: initial iv:",
	272	buff + crq_iv, BLOWFISH_BLKSIZE); )
	273	T( traceblk(TRACE_CRYPTO, "crypto: session key:",
	274	sk, BLOWFISH_KEYSIZE); )
	275
	276	icrypt_init(&j, k, BLOWFISH_KEYSIZE, buff + crq_iv);
	277
	278	icrypt_encrypt(&j, buff + crq_session,
	279	buff + crq_session, BLOWFISH_KEYSIZE);
	280	T( traceblk(TRACE_CRYPTO, "crypto: encrypted session key:",
	281	buff + crq_session, BLOWFISH_KEYSIZE); )
	282
	283	icrypt_reset(&j, sk, BLOWFISH_KEYSIZE, 0);
	284
	285	T( traceblk(TRACE_CRYPTO, "crypto: partial iv:",
	286	j.iv, BLOWFISH_BLKSIZE); )
	287
c4f2d992	288	icrypt_encrypt(&j, buff + crq_cipher,
	289	buff + crq_cipher, crq_size - crq_cipher);
	290	burn(j);
	291
03f996bd	292	T( traceblk(TRACE_CRYPTO, "crypto: ciphertext request:",
03f996bd	293	buff, crq_size); )
c4f2d992	294	}
	295	}
	296
	297	/* --- @crypt_unpackRequest@ --- *
	298	*
	299	* Arguments: @reqest *rq@ = pointer to destination request block
	300	* @unsigned char *buff@ = pointer to source buffer
	301	* @unsigned char *k@ = pointer to encryption key
	302	* @unsigned char *sk@ = pointer to where to store session key
	303	* @unsigned char *rpl@ = where to start building reply
	304	*
	305	* Returns: Nonzero if it was decrypted OK
	306	*
	307	* Use: Decrypts and unpacks a request buffer.
	308	*/
	309
	310	int crypt_unpackRequest(request rq, unsigned char buff,
	311	unsigned char k, unsigned char sk,
	312	unsigned char *rpl)
	313	{
	314	{
	315	/* --- Check the encryption format --- */
	316
9e5602f0	317	if (buff[crq_cryptType] != cryptType_blowfish)
c4f2d992	318	return (0);
	319	}
	320
	321	{
	322	/* --- First things first: decrypt the block --- */
	323
	324	icrypt_job j;
	325
03f996bd	326	T( traceblk(TRACE_CRYPTO, "crypto: ciphertext request:",
03f996bd	327	buff, crq_size); )
c4f2d992	328
9e5602f0	329	T( traceblk(TRACE_CRYPTO, "crypto: master key:", k, BLOWFISH_KEYSIZE); )
	330	T( traceblk(TRACE_CRYPTO, "crypto: initial iv:",
	331	buff + crq_iv, BLOWFISH_BLKSIZE); )
	332
	333	icrypt_init(&j, k, BLOWFISH_KEYSIZE, buff + crq_iv);
	334	T( traceblk(TRACE_CRYPTO, "crypto: job block:", &j, sizeof(j)); )
	335
	336	T( traceblk(TRACE_CRYPTO, "crypto: encrypted session key:",
	337	buff + crq_session, BLOWFISH_KEYSIZE); )
	338	icrypt_decrypt(&j, buff + crq_session,
	339	buff + crq_session, BLOWFISH_KEYSIZE);
	340	memcpy(sk, buff + crq_session, BLOWFISH_KEYSIZE);
	341	T( traceblk(TRACE_CRYPTO, "crypto: session key:",
	342	sk, BLOWFISH_KEYSIZE); )
	343
	344	icrypt_reset(&j, sk, BLOWFISH_KEYSIZE, 0);
	345
	346	T( traceblk(TRACE_CRYPTO, "crypto: partial iv:",
	347	j.iv, BLOWFISH_BLKSIZE); )
	348
c4f2d992	349	icrypt_decrypt(&j, buff + crq_cipher,
	350	buff + crq_cipher, crq_size - crq_cipher);
	351	icrypt_saveIV(&j, rpl + crp_iv);
	352
03f996bd	353	T( traceblk(TRACE_CRYPTO, "crypto: plaintext request:",
03f996bd	354	buff, crq_size); )
9e5602f0	355
	356	memset(buff + crq_session, 0, BLOWFISH_KEYSIZE); /* Burn, baby, burn */
	357	burn(j);
c4f2d992	358	}
	359
	360	{
	361	/* --- Check the validity of the data therein --- */
	362
	363	md5 md;
03f996bd	364	unsigned char mdbuf[MD5_HASHSIZE];
c4f2d992	365
	366	md5_init(&md);
	367	md5_buffer(&md, buff + crq_cipher, crq_check - crq_cipher);
03f996bd	368	md5_final(&md, mdbuf);
03f996bd	369	if (memcmp(mdbuf, buff + crq_check, 4) != 0) {
c4f2d992	370	syslog(LOG_INFO, "packet rejected: bad checksum");
03f996bd	371	T( trace(TRACE_CRYPTO, "crypto: bad checksum on incoming request"); )
c4f2d992	372	return (0);
c4f2d992	373	}
03f996bd	374	burn(md); burn(mdbuf);
c4f2d992	375	}
	376
	377	{
	378	/* --- Extract fields from the block --- */
	379
	380	rq->from = load32(buff + crq_from);
	381	rq->to = load32(buff + crq_to);
	382	memcpy(rq->cmd, buff + crq_cmd, CMDLEN_MAX);
	383	}
	384
	385	{
	386	/* --- Fill in bits of the reply block --- */
	387
	388	long t = (long)time(0);
	389	long u = (long)load32(buff + crq_time);
	390
	391	if (t - u > crypt__timeError \|\| u - t > crypt__timeError) {
	392	syslog(LOG_INFO, "packet rejected: bad time");
03f996bd	393	T( trace(TRACE_CRYPTO, "crypto: bad time on incoming request"); )
c4f2d992	394	return (0);
	395	}
	396	memcpy(rpl + crp_time, buff + crq_time, 8);
	397	}
	398
	399	/* --- Done --- */
	400
03f996bd	401	T( trace(TRACE_CRYPTO, "crypto: valid request received"); )
c4f2d992	402	return (1);
	403	}
	404
	405	/* --- @crypt_packReply@ --- *
	406	*
	407	* Arguments: @char *buff@ = pointer to reply block
	408	* @unsigned char *sk@ = pointer to session key
	409	* @int answer@ = yes or no
	410	*
	411	* Returns: ---
	412	*
	413	* Use: Packs and encrypts a reply block.
	414	*/
	415
	416	void crypt_packReply(unsigned char buff, unsigned char sk, int answer)
	417	{
	418	{
	419	/* --- Store the answer --- */
	420
	421	buff[crp_answer] = (answer != 0);
	422	}
	423
	424	{
	425	/* --- Build the checksum --- */
	426
	427	md5 md;
03f996bd	428	unsigned char mdbuf[MD5_HASHSIZE];
c4f2d992	429
	430	md5_init(&md);
	431	md5_buffer(&md, buff + crp_cipher, crp_check - crp_cipher);
03f996bd	432	md5_final(&md, mdbuf);
	433	memcpy(buff + crp_check, mdbuf, 4);
	434	burn(md); burn(mdbuf);
c4f2d992	435	}
	436
	437	{
	438	/* --- Encrypt the buffer --- */
	439
	440	icrypt_job j;
03f996bd	441
	442	T( traceblk(TRACE_CRYPTO, "crypto: plaintext reply:", buff, crp_size); )
	443
9e5602f0	444	icrypt_init(&j, sk, BLOWFISH_KEYSIZE, buff + crp_iv);
c4f2d992	445	icrypt_encrypt(&j, buff + crp_cipher,
c4f2d992	446	buff + crp_cipher, crp_size - crp_cipher);
c4f2d992	447	burn(j);
03f996bd	448
03f996bd	449	T( traceblk(TRACE_CRYPTO, "crypto: ciphertext reply:", buff, crp_size); )
c4f2d992	450	}
	451	}
	452
	453	/* --- @crypt_unpackReply@ --- *
	454	*
	455	* Arguments: @unsigned char *buff@ = pointer to reply buffer
	456	* @unsigned char *sk@ = pointer to session key
	457	* @time_t t@ = time at which request was sent
	458	* @pid_t pid@ = my process ID
	459	*
	460	* Returns: >0 if request granted, zero if denied, <0 if reply rejected
	461	*
	462	* Use: Unpacks a reply block, and informs the caller of the outcome.
	463	*/
	464
	465	int crypt_unpackReply(unsigned char buff, unsigned char sk,
	466	time_t t, pid_t pid)
	467	{
	468	{
	469	/* --- Decrypt my reply block --- */
	470
	471	icrypt_job j;
03f996bd	472
	473	T( traceblk(TRACE_CRYPTO, "crypto: ciphertext reply:", buff, crp_size); )
	474
9e5602f0	475	icrypt_init(&j, sk, BLOWFISH_KEYSIZE, buff + crp_iv);
c4f2d992	476	icrypt_decrypt(&j, buff + crp_cipher,
c4f2d992	477	buff + crp_cipher, crp_size - crp_cipher);
c4f2d992	478	burn(j);
03f996bd	479
03f996bd	480	T( traceblk(TRACE_CRYPTO, "crypto: plaintext reply:", buff, crp_size); )
c4f2d992	481	}
	482
	483	{
	484	/* --- Check validity --- */
	485
	486	md5 md;
03f996bd	487	unsigned char mdbuf[MD5_HASHSIZE];
c4f2d992	488	char b[8];
	489
	490	/* --- Check the checksum --- */
	491
	492	md5_init(&md);
	493	md5_buffer(&md, buff + crp_cipher, crp_check - crp_cipher);
03f996bd	494	md5_final(&md, mdbuf);
03f996bd	495	if (memcmp(buff + crp_check, mdbuf, 4) != 0) {
c4f2d992	496	syslog(LOG_INFO, "reply rejected: bad checksum");
03f996bd	497	T( trace(TRACE_CRYPTO, "crypto: bad checksum on reply"); )
c4f2d992	498	return (-1);
	499	}
	500
	501	/* --- Check the identifier --- */
	502
	503	store32(b + 0, t); store32(b + 4, pid);
	504	if (memcmp(b, buff + crp_time, sizeof(b)) != 0) {
	505	syslog(LOG_INFO, "reply rejected: bad identification marker");
03f996bd	506	T( trace(TRACE_CRYPTO, "crypto: bad id on reply"); )
c4f2d992	507	return (-1);
	508	}
	509	}
	510
	511	/* --- Return the value --- */
	512
03f996bd	513	T( trace(TRACE_CRYPTO, "crypto: valid reply received"); )
c4f2d992	514	return (buff[crp_answer]);
	515	}
	516
	517	/----- Test rig ----------------------------------------------------------/
	518
	519	#ifdef TEST_RIG
	520
	521	int main(int argc, char *argv[])
	522	{
c4f2d992	523	unsigned char buff[8];
9e5602f0	524	unsigned char sk[BLOWFISH_KEYSIZE], k[BLOWFISH_KEYSIZE];
c4f2d992	525	FILE *fp;
	526
	527	ego(argv[0]);
03f996bd	528	traceon(stdout, TRACE_CRYPTO);
c4f2d992	529	if (argc < 3)
	530	die("bad args");
	531	fp = fopen(argv[1], "r");
	532	if (!fp)
	533	die("fopen: %s", strerror(errno));
	534	tx_getBits(k, 128, fp);
	535	fclose(fp);
03f996bd	536	crypt__sessionKey(argv[2], k, sk, buff);
c4f2d992	537	return (0);
	538	}
	539
	540	#endif
	541
	542	/----- That's all, folks -------------------------------------------------/