Sources placed under CVS control.

[become] / src / crypt.c

/* -*-c-*-
 *
 * $Id: crypt.c,v 1.2 1997/08/04 10:24:21 mdw Exp $
 *
 * Cryptographic transfer of `become' requests
 *
 * (c) 1997 EBI
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of `become'
 *
 * `Become' is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * `Become' is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with `become'; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------*
 *
 * $Log: crypt.c,v $
 * Revision 1.2  1997/08/04 10:24:21  mdw
 * Sources placed under CVS control.
 *
 * Revision 1.1  1997/07/21  13:47:51  mdw
 * Initial revision
 *
 */

/*----- Header files ------------------------------------------------------*/

/* --- ANSI headers --- */

#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* --- Unix headers --- */

#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <syslog.h>
#include <fcntl.h>

/* --- Local headers --- */

#include "become.h"
#include "config.h"
#include "crypt.h"
#include "icrypt.h"
#include "idea.h"
#include "md5.h"
#include "noise.h"
#include "rand.h"
#include "tx.h"
#include "utils.h"

/*----- Magic numbers -----------------------------------------------------*/

#define crypt__timeError 60             /* Seconds error to permit */

/*----- Main code ---------------------------------------------------------*/

/* --- @crypt__sessionKey@ --- *
 *
 * Arguments:   @const char *seedfile@ = pointer to name of seed file
 *              @unsigned char *k@ = our secret key
 *              @unsigned *sk@ = where to store the session key
 *              @unsigned char *iv@ = where to store the IV
 *
 * Returns:     ---
 *
 * Use:         Decides on a random session key and initialisation vector.
 */

static void crypt__sessionKey(const char *seedfile, unsigned char *k,
                              unsigned char *sk, unsigned char *iv)
{
  FILE *fp;                             /* File handle for reading */
  struct flock l;
  int ok = 1;

  /* --- Open the random seed file --- *
   *
   * If I can't manage that, create a new one.
   */

  if ((fp = fopen(seedfile, "r+")) == 0) {
    ok = 0;
    if ((fp = fopen(seedfile, "w+")) == 0)
      die("can't create random number file: %s", strerror(errno));
    rand_clear();
  }

  /* --- Lock the seed file against concurrency problems --- */

  l.l_type = F_WRLCK;
  l.l_whence = SEEK_SET;
  l.l_start = 0;
  l.l_len = 0;
  if (fcntl(fileno(fp), F_SETLKW, &l) < 0)
    die("can't lock random number file: %s", strerror(errno));

    /* --- Now read the file, and launder the seed --- */

  if (ok)
    rand_read(fp);

  /* --- Encrypt the pool using the secret key --- */

  {
    icrypt_job j;
    icrypt_init(&j, k, 0);
    rand_encrypt(&j);
    burn(j);
  }

  /* --- Generate the session key and IV --- */

  noise_acquire();
  rand_extract(sk, IDEA_KEYSIZE);
  rand_extract(iv, IDEA_BLKSIZE);

  IF_TRACING(TRACE_CRYPTO,
    traceblk(TRACE_CRYPTO, "crypto: session key:", sk, IDEA_KEYSIZE);
    traceblk(TRACE_CRYPTO, "crypto: initialisation vector:",
             iv, IDEA_BLKSIZE);
  );

  /* --- Write the seed back --- */

  rewind(fp);
  rand_write(fp);
  fclose(fp);

}

/* --- @crypt_packRequest@ --- *
 *
 * Arguments:   @request *rq@ = pointer to request block
 *              @unsigned char *buff@ = pointer to a buffer
 *              @time_t t@ = the current time
 *              @pid_t pid@ = my process ID
 *              @unsigned char *k@ = pointer to 128-bit key
 *              @unsigned char *sk@ = where to put the session key
 *
 * Returns:     ---
 *
 * Use:         Packs a request block into a buffer.  The buffer should have
 *              space for at least @crq_size@ bytes.  The buffer comes back
 *              encrypted and ready to send.
 */

void crypt_packRequest(request *rq, unsigned char *buff,
                       time_t t, pid_t pid,
                       unsigned char *k, unsigned char *sk)
{
  /* --- First, build the easy stuff in the block --- */

  buff[crq_cryptType] = cryptType_idea;
  store32(buff + crq_time, t);
  store32(buff + crq_pid, pid);
  store32(buff + crq_from, rq->from);
  store32(buff + crq_to, rq->to);

  /* --- Now generate session keys and things --- */

  crypt__sessionKey(file_RANDSEED, k, sk, buff + crq_iv);
  memcpy(buff + crq_session, sk, IDEA_KEYSIZE);

  /* --- The string causes a few problems --- *
   *
   * There's a good chance that the string will be a good deal shorter than
   * the space allowed for it.  This will probably mean lots of zeroes, and a
   * very easy known-plaintext job for a potential attacker.  (An early
   * version of this code used @strncpy@ which is even worse!)
   *
   * I'll fill the block with random (from @rand@(3) -- nothing too
   * elaborate) and then encrypt it using IDEA in CFB mode, using the first
   * few bytes as the key.  This should provide a sufficiently unpredictable
   * background for the block.
   */

  {
    icrypt_job j;
    unsigned char *p;
    unsigned u;
    md5 md;
    unsigned char qk[IDEA_KEYSIZE];

    /* --- Initialise the buffer with junk --- */

    srand((unsigned int)(t ^ pid));     /* Seed the (bad) RNG */
    for (p = buff + crq_cmd; p < buff + crq_cmd + CMDLEN_MAX; p++) {
      u = rand(); *p = u ^ (u >> 8);
    }

    /* --- Now make the junk a whole lot harder to predict --- */

    p = buff + crq_cmd;
    md5_init(&md); md5_buffer(&md, p, CMDLEN_MAX); md5_final(&md, qk);
    icrypt_init(&j, qk, 0); icrypt_encrypt(&j, p, p, CMDLEN_MAX);
    burn(j); burn(qk); burn(md);

    /* --- Copy the string into here --- */

    strcpy((char *)buff + crq_cmd, rq->cmd);
  }

  /* --- Checksum the finished data --- */

  {
    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];

    md5_init(&md);
    md5_buffer(&md, buff + crq_cipher, crq_check - crq_cipher);
    md5_final(&md, mdbuf);
    memcpy(buff + crq_check, mdbuf, 4);
    burn(md); burn(mdbuf);
  }

  /* --- Encrypt the block --- *
   *
   * First, encrypt the session key using the master key.  Since the session
   * key is effectively random, this makes cracking the master key much
   * harder.  The rest of the block is then encrypted with the session key,
   * using the IV left over from encrypting the session key.
   */

  {
    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext request:",
                buff, crq_size); )

    icrypt_init(&j, k, buff + crq_iv);
    icrypt_encrypt(&j, buff + crq_session, buff + crq_session, IDEA_KEYSIZE);
    icrypt_reset(&j, sk, 0);
    icrypt_encrypt(&j, buff + crq_cipher,
                   buff + crq_cipher, crq_size - crq_cipher);
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext request:",
                buff, crq_size); )
  }
}

/* --- @crypt_unpackRequest@ --- *
 *
 * Arguments:   @reqest *rq@ = pointer to destination request block
 *              @unsigned char *buff@ = pointer to source buffer
 *              @unsigned char *k@ = pointer to encryption key
 *              @unsigned char *sk@ = pointer to where to store session key
 *              @unsigned char *rpl@ = where to start building reply
 *
 * Returns:     Nonzero if it was decrypted OK
 *
 * Use:         Decrypts and unpacks a request buffer.
 */

int crypt_unpackRequest(request *rq, unsigned char *buff,
                        unsigned char *k, unsigned char *sk,
                        unsigned char *rpl)
{
  {
    /* --- Check the encryption format --- */

    if (buff[crq_cryptType] != cryptType_idea)
      return (0);
  }

  {
    /* --- First things first: decrypt the block --- */

    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext request:",
                buff, crq_size); )

    icrypt_init(&j, k, buff + crq_iv);
    icrypt_decrypt(&j, buff + crq_session, buff + crq_session, IDEA_KEYSIZE);
    memcpy(sk, buff + crq_session, IDEA_KEYSIZE);
    icrypt_reset(&j, sk, 0);
    icrypt_decrypt(&j, buff + crq_cipher,
                   buff + crq_cipher, crq_size - crq_cipher);
    icrypt_saveIV(&j, rpl + crp_iv);

    memset(buff + crq_session, 0, IDEA_KEYSIZE); /* Burn, baby, burn */
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext request:",
                buff, crq_size); )
  }

  {
    /* --- Check the validity of the data therein --- */

    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];

    md5_init(&md);
    md5_buffer(&md, buff + crq_cipher, crq_check - crq_cipher);
    md5_final(&md, mdbuf);
    if (memcmp(mdbuf, buff + crq_check, 4) != 0) {
      syslog(LOG_INFO, "packet rejected: bad checksum");
      T( trace(TRACE_CRYPTO, "crypto: bad checksum on incoming request"); )
      return (0);
    }
    burn(md); burn(mdbuf);
  }

  {
    /* --- Extract fields from the block --- */

    rq->from = load32(buff + crq_from);
    rq->to = load32(buff + crq_to);
    memcpy(rq->cmd, buff + crq_cmd, CMDLEN_MAX);
  }

  {
    /* --- Fill in bits of the reply block --- */

    long t = (long)time(0);
    long u = (long)load32(buff + crq_time);

    if (t - u > crypt__timeError || u - t > crypt__timeError) {
      syslog(LOG_INFO, "packet rejected: bad time");
      T( trace(TRACE_CRYPTO, "crypto: bad time on incoming request"); )
      return (0);
    }
    memcpy(rpl + crp_time, buff + crq_time, 8);
  }

  /* --- Done --- */

  T( trace(TRACE_CRYPTO, "crypto: valid request received"); )
  return (1);
}

/* --- @crypt_packReply@ --- *
 *
 * Arguments:   @char *buff@ = pointer to reply block
 *              @unsigned char *sk@ = pointer to session key
 *              @int answer@ = yes or no
 *
 * Returns:     ---
 *
 * Use:         Packs and encrypts a reply block.
 */

void crypt_packReply(unsigned char *buff, unsigned char *sk, int answer)
{
  {
    /* --- Store the answer --- */

    buff[crp_answer] = (answer != 0);
  }

  {
    /* --- Build the checksum --- */

    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];

    md5_init(&md);
    md5_buffer(&md, buff + crp_cipher, crp_check - crp_cipher);
    md5_final(&md, mdbuf);
    memcpy(buff + crp_check, mdbuf, 4);
    burn(md); burn(mdbuf);
  }

  {
    /* --- Encrypt the buffer --- */

    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext reply:", buff, crp_size); )

    icrypt_init(&j, sk, buff + crp_iv);
    icrypt_encrypt(&j, buff + crp_cipher,
                   buff + crp_cipher, crp_size - crp_cipher);
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext reply:", buff, crp_size); )
  }
}

/* --- @crypt_unpackReply@ --- *
 *
 * Arguments:   @unsigned char *buff@ = pointer to reply buffer
 *              @unsigned char *sk@ = pointer to session key
 *              @time_t t@ = time at which request was sent
 *              @pid_t pid@ = my process ID
 *
 * Returns:     >0 if request granted, zero if denied, <0 if reply rejected
 *
 * Use:         Unpacks a reply block, and informs the caller of the outcome.
 */

int crypt_unpackReply(unsigned char *buff, unsigned char *sk,
                      time_t t, pid_t pid)
{
  {
    /* --- Decrypt my reply block --- */

    icrypt_job j;

    T( traceblk(TRACE_CRYPTO, "crypto: ciphertext reply:", buff, crp_size); )

    icrypt_init(&j, sk, buff + crp_iv);
    icrypt_decrypt(&j, buff + crp_cipher,
                   buff + crp_cipher, crp_size - crp_cipher);
    burn(j);

    T( traceblk(TRACE_CRYPTO, "crypto: plaintext reply:", buff, crp_size); )
  }

  {
    /* --- Check validity --- */

    md5 md;
    unsigned char mdbuf[MD5_HASHSIZE];
    char b[8];

    /* --- Check the checksum --- */

    md5_init(&md);
    md5_buffer(&md, buff + crp_cipher, crp_check - crp_cipher);
    md5_final(&md, mdbuf);
    if (memcmp(buff + crp_check, mdbuf, 4) != 0) {
      syslog(LOG_INFO, "reply rejected: bad checksum");
      T( trace(TRACE_CRYPTO, "crypto: bad checksum on reply"); )
      return (-1);
    }

    /* --- Check the identifier --- */

    store32(b + 0, t); store32(b + 4, pid);
    if (memcmp(b, buff + crp_time, sizeof(b)) != 0) {
      syslog(LOG_INFO, "reply rejected: bad identification marker");
      T( trace(TRACE_CRYPTO, "crypto: bad id on reply"); )
      return (-1);
    }
  }

  /* --- Return the value --- */

  T( trace(TRACE_CRYPTO, "crypto: valid reply received"); )
  return (buff[crp_answer]);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

int main(int argc, char *argv[])
{
  unsigned char buff[8];
  unsigned char sk[IDEA_KEYSIZE], k[IDEA_KEYSIZE];
  FILE *fp;

  ego(argv[0]);
  traceon(stdout, TRACE_CRYPTO);
  if (argc < 3)
    die("bad args");
  fp = fopen(argv[1], "r");
  if (!fp)
    die("fopen: %s", strerror(errno));
  tx_getBits(k, 128, fp);
  fclose(fp);
  crypt__sessionKey(argv[2], k, sk, buff);
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/