From e6f30694d32a81f9171b2057d9c873cc16f6dca1 Mon Sep 17 00:00:00 2001 From: dubslow Date: Wed, 8 Oct 2014 18:14:23 -0500 Subject: refactor toxencryptedsave to allow passphrase encryption of arbitrary data also a minor API change for clarity --- toxencryptsave/toxencryptsave.h | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'toxencryptsave/toxencryptsave.h') diff --git a/toxencryptsave/toxencryptsave.h b/toxencryptsave/toxencryptsave.h index 75094a2b..e3f998af 100644 --- a/toxencryptsave/toxencryptsave.h +++ b/toxencryptsave/toxencryptsave.h @@ -35,6 +35,8 @@ extern "C" { typedef struct Tox Tox; #endif +#define TOX_PASS_ENCRYPTION_EXTRA_LENGTH (crypto_box_MACBYTES + crypto_box_NONCEBYTES \ + + crypto_pwhash_scryptsalsa208sha256_SALTBYTES) /* This "module" provides functions analogous to tox_load and tox_save in toxcore * Clients should consider alerting their users that, unlike plain data, if even one bit @@ -45,6 +47,16 @@ typedef struct Tox Tox; /* return size of the messenger data (for encrypted saving). */ uint32_t tox_encrypted_size(const Tox *tox); +/* Encrypts the given data with the given passphrase. The output array must be + * at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. + * + * tox_encrypted_save() is a good example of how to use this function. + * + * returns 0 on success + * returns -1 on failure + */ +int tox_pass_encrypt(uint8_t* data, uint32_t data_len, uint8_t* passphrase, uint32_t pplength, uint8_t* out); + /* Save the messenger data encrypted with the given password. * data must be at least tox_encrypted_size(). * @@ -53,6 +65,16 @@ uint32_t tox_encrypted_size(const Tox *tox); */ int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength); +/* Decrypts the given data with the given passphrase. The output array must be + * at least data_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. + * + * tox_encrypted_load() is a good example of how to use this function. + * + * returns the length of the output data (== data_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH) on success + * returns -1 on failure + */ +int tox_pass_decrypt(const uint8_t* data, uint32_t length, uint8_t* passphrase, uint32_t pplength, uint8_t* out); + /* Load the messenger from encrypted data of size length. * * returns 0 on success @@ -65,7 +87,7 @@ int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t * * returns 1 if it is encrypted * returns 0 otherwise */ -int tox_is_data_encrypted(const uint8_t *data); +int tox_is_save_encrypted(const uint8_t *data); #ifdef __cplusplus } -- cgit v1.2.3 From 54fdf3bdd653ebf6e55d2cb93fcae41e68436e11 Mon Sep 17 00:00:00 2001 From: dubslow Date: Thu, 9 Oct 2014 20:16:05 -0500 Subject: re-refactor to separate pass->key and key->encryption --- toxencryptsave/toxencryptsave.c | 102 ++++++++++++++++++++++++++++++---------- toxencryptsave/toxencryptsave.h | 31 +++++++++++- 2 files changed, 108 insertions(+), 25 deletions(-) (limited to 'toxencryptsave/toxencryptsave.h') diff --git a/toxencryptsave/toxencryptsave.c b/toxencryptsave/toxencryptsave.c index b018bd48..953ee802 100644 --- a/toxencryptsave/toxencryptsave.c +++ b/toxencryptsave/toxencryptsave.c @@ -47,13 +47,19 @@ uint32_t tox_encrypted_size(const Tox *tox) return tox_size(tox) + TOX_PASS_ENCRYPTION_EXTRA_LENGTH + TOX_ENC_SAVE_MAGIC_LENGTH; } -/* Encrypts the given data with the given passphrase. The output array must be - * at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. +/* Generates a secret symmetric key from the given passphrase. out_key must be at least + * TOX_PASS_KEY_LENGTH bytes long. + * Be sure to not compromise the key! Only keep it in memory, do not write to disk. + * This function is fairly cheap, but irungentoo insists that you be allowed to + * cache the result if you want, to minimize computation for repeated encryptions. + * The password is zeroed after key derivation. + * The key should only be used with the other functions in this module, as it + * includes a salt. * * returns 0 on success * returns -1 on failure */ -int tox_pass_encrypt(uint8_t* data, uint32_t data_len, uint8_t* passphrase, uint32_t pplength, uint8_t* out) +int tox_derive_key_from_pass(uint8_t* passphrase, uint32_t pplength, uint8_t* out_key) { if (pplength == 0) return -1; @@ -77,7 +83,23 @@ int tox_pass_encrypt(uint8_t* data, uint32_t data_len, uint8_t* passphrase, uint } sodium_memzero(passkey, crypto_hash_sha256_BYTES); /* wipe plaintext pw */ + memcpy(out_key, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); + memcpy(out_key + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, key, crypto_box_KEYBYTES); + return 0; +} +/* Encrypt arbitrary with a key produced by tox_derive_key_from_pass. The output + * array must be at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. + * key must be TOX_PASS_KEY_LENGTH bytes. + * If you already have a symmetric key from somewhere besides this module, simply + * call encrypt_data_symmetric in toxcore/crypto_core directly. + * + * + * returns 0 on success + * returns -1 on failure + */ +int tox_pass_key_encrypt(uint8_t* data, uint32_t data_len, const uint8_t* key, uint8_t* out) +{ /* the output data consists of, in order: * salt, nonce, mac, enc_data * where the mac is automatically prepended by the encrypt() @@ -88,9 +110,10 @@ int tox_pass_encrypt(uint8_t* data, uint32_t data_len, uint8_t* passphrase, uint /* first add the prefix */ uint8_t nonce[crypto_box_NONCEBYTES]; - random_nonce(nonce); + random_nonce(nonce); - memcpy(out, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); + memcpy(out, key, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); + key += crypto_pwhash_scryptsalsa208sha256_SALTBYTES; out += crypto_pwhash_scryptsalsa208sha256_SALTBYTES; memcpy(out, nonce, crypto_box_NONCEBYTES); out += crypto_box_NONCEBYTES; @@ -104,6 +127,22 @@ int tox_pass_encrypt(uint8_t* data, uint32_t data_len, uint8_t* passphrase, uint return 0; } +/* Encrypts the given data with the given passphrase. The output array must be + * at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. This delegates + * to tox_derive_key_from_pass and tox_pass_key_encrypt. + * + * returns 0 on success + * returns -1 on failure + */ +int tox_pass_encrypt(uint8_t* data, uint32_t data_len, uint8_t* passphrase, uint32_t pplength, uint8_t* out) +{ + uint8_t key[TOX_PASS_KEY_LENGTH]; + if (tox_derive_key_from_pass(passphrase, pplength, key) == -1) + return -1; + + return tox_pass_key_encrypt(data, data_len, key, out); +} + /* Save the messenger data encrypted with the given password. * data must be at least tox_encrypted_size(). * @@ -122,40 +161,61 @@ int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint3 memcpy(data, TOX_ENC_SAVE_MAGIC_NUMBER, TOX_ENC_SAVE_MAGIC_LENGTH); data += TOX_ENC_SAVE_MAGIC_LENGTH; - /* now encrypt */ return tox_pass_encrypt(temp_data, temp_size, passphrase, pplength, data); } - -/* Decrypts the given data with the given passphrase. The output array must be - * at least data_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. +/* This is the inverse of tox_pass_key_encrypt, also using only keys produced by + * tox_derive_key_from_pass. * * returns the length of the output data (== data_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH) on success * returns -1 on failure */ -int tox_pass_decrypt(const uint8_t* data, uint32_t length, uint8_t* passphrase, uint32_t pplength, uint8_t* out) +int tox_pass_key_decrypt(const uint8_t* data, uint32_t length, const uint8_t* key, uint8_t* out) { if (length <= TOX_PASS_ENCRYPTION_EXTRA_LENGTH) return -1; uint32_t decrypt_length = length - TOX_PASS_ENCRYPTION_EXTRA_LENGTH; - uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; + //uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; uint8_t nonce[crypto_box_NONCEBYTES]; - uint8_t passkey[crypto_hash_sha256_BYTES]; - crypto_hash_sha256(passkey, passphrase, pplength); - - memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); + //memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); + key += crypto_pwhash_scryptsalsa208sha256_SALTBYTES; // ignore the salt, which is only needed for kdf data += crypto_pwhash_scryptsalsa208sha256_SALTBYTES; memcpy(nonce, data, crypto_box_NONCEBYTES); data += crypto_box_NONCEBYTES; + /* decrypt the data */ + if (decrypt_data_symmetric(key, nonce, data, decrypt_length + crypto_box_MACBYTES, out) + != decrypt_length) { + return -1; + } + + return decrypt_length; +} + +/* Decrypts the given data with the given passphrase. The output array must be + * at least data_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. + * + * returns the length of the output data (== data_len - TOX_PASS_ENCRYPTION_EXTRA_LENGTH) on success + * returns -1 on failure + */ +int tox_pass_decrypt(const uint8_t* data, uint32_t length, uint8_t* passphrase, uint32_t pplength, uint8_t* out) +{ + + uint8_t passkey[crypto_hash_sha256_BYTES]; + crypto_hash_sha256(passkey, passphrase, pplength); + + uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; + memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); + /* derive the key */ - uint8_t key[crypto_box_KEYBYTES]; + uint8_t key[crypto_box_KEYBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; if (crypto_pwhash_scryptsalsa208sha256( - key, sizeof(key), passkey, sizeof(passkey), salt, + key + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, + crypto_box_KEYBYTES, passkey, sizeof(passkey), salt, crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */ crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) { /* out of memory most likely */ @@ -164,13 +224,7 @@ int tox_pass_decrypt(const uint8_t* data, uint32_t length, uint8_t* passphrase, sodium_memzero(passkey, crypto_hash_sha256_BYTES); /* wipe plaintext pw */ - /* decrypt the data */ - if (decrypt_data_symmetric(key, nonce, data, decrypt_length + crypto_box_MACBYTES, out) - != decrypt_length) { - return -1; - } - - return decrypt_length; + return tox_pass_key_decrypt(data, length, key, out); } /* Load the messenger from encrypted data of size length. diff --git a/toxencryptsave/toxencryptsave.h b/toxencryptsave/toxencryptsave.h index e3f998af..b85d945c 100644 --- a/toxencryptsave/toxencryptsave.h +++ b/toxencryptsave/toxencryptsave.h @@ -38,6 +38,8 @@ typedef struct Tox Tox; #define TOX_PASS_ENCRYPTION_EXTRA_LENGTH (crypto_box_MACBYTES + crypto_box_NONCEBYTES \ + crypto_pwhash_scryptsalsa208sha256_SALTBYTES) +#define TOX_PASS_KEY_LENGTH (crypto_box_KEYBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES) + /* This "module" provides functions analogous to tox_load and tox_save in toxcore * Clients should consider alerting their users that, unlike plain data, if even one bit * becomes corrupted, the data will be entirely unrecoverable. @@ -47,8 +49,35 @@ typedef struct Tox Tox; /* return size of the messenger data (for encrypted saving). */ uint32_t tox_encrypted_size(const Tox *tox); +/* Generates a secret symmetric key from the given passphrase. out_key must be at least + * TOX_PASS_KEY_LENGTH bytes long. + * Be sure to not compromise the key! Only keep it in memory, do not write to disk. + * This function is fairly cheap, but irungentoo insists that you be allowed to + * cache the result if you want, to minimize computation for repeated encryptions. + * The password is zeroed after key derivation. + * The key should only be used with the other functions in this module, as it + * includes a salt. + * + * returns 0 on success + * returns -1 on failure + */ +int tox_derive_key_from_pass(uint8_t* passphrase, uint32_t pplength, uint8_t* out_key); + +/* Encrypt arbitrary with a key produced by tox_derive_key_from_pass. The output + * array must be at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. + * key must be TOX_PASS_KEY_LENGTH bytes. + * If you already have a symmetric key from somewhere besides this module, simply + * call encrypt_data_symmetric in toxcore/crypto_core directly. + * + * + * returns 0 on success + * returns -1 on failure + */ +int tox_pass_key_encrypt(uint8_t* data, uint32_t data_len, const uint8_t* key, uint8_t* out); + /* Encrypts the given data with the given passphrase. The output array must be - * at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. + * at least data_len + TOX_PASS_ENCRYPTION_EXTRA_LENGTH bytes long. This delegates + * to tox_derive_key_from_pass and tox_pass_key_encrypt. * * tox_encrypted_save() is a good example of how to use this function. * -- cgit v1.2.3