Adjust pwbox format: use a random IV each time
Suggested by yawning
This commit is contained in:
Nick Mathewson
parent
d0f5d2b662
commit
3011149401
|
|
@ -8,6 +8,7 @@
|
|||
/* 7 bytes "TORBOX0"
|
||||
1 byte: header len (H)
|
||||
H bytes: header, denoting secret key algorithm.
|
||||
16 bytes: IV
|
||||
Round up to multiple of 128 bytes, then encrypt:
|
||||
4 bytes: data len
|
||||
data
|
||||
|
|
@ -15,7 +16,7 @@
|
|||
32 bytes: HMAC-SHA256 of all previous bytes.
|
||||
*/
|
||||
|
||||
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 32)
|
||||
#define MAX_OVERHEAD (S2K_MAXLEN + 8 + 32 + CIPHER_IV_LEN)
|
||||
|
||||
/**
|
||||
* Make an authenticated passphrase-encrypted blob to encode the
|
||||
|
|
@ -31,7 +32,7 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
|
|||
const char *secret, size_t secret_len,
|
||||
unsigned s2k_flags)
|
||||
{
|
||||
uint8_t *result, *encrypted_portion, *hmac;
|
||||
uint8_t *result, *encrypted_portion, *hmac, *iv;
|
||||
size_t encrypted_len = 128 * CEIL_DIV(input_len+4, 128);
|
||||
size_t result_len = encrypted_len + MAX_OVERHEAD;
|
||||
int spec_len;
|
||||
|
|
@ -51,9 +52,10 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
|
|||
goto err;
|
||||
result[7] = (uint8_t) spec_len;
|
||||
|
||||
tor_assert(8 + spec_len + encrypted_len <= result_len);
|
||||
tor_assert(8 + spec_len + CIPHER_IV_LEN + encrypted_len <= result_len);
|
||||
|
||||
encrypted_portion = result + 8 + spec_len;
|
||||
iv = result + 8 + spec_len;
|
||||
encrypted_portion = result + 8 + spec_len + CIPHER_IV_LEN;
|
||||
hmac = encrypted_portion + encrypted_len;
|
||||
|
||||
set_uint32(encrypted_portion, htonl(input_len));
|
||||
|
|
@ -66,17 +68,20 @@ crypto_pwbox(uint8_t **out, size_t *outlen_out,
|
|||
secret, secret_len) < 0)
|
||||
goto err;
|
||||
|
||||
cipher = crypto_cipher_new((char*)keys);
|
||||
crypto_rand((char*)iv, CIPHER_IV_LEN);
|
||||
|
||||
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)iv);
|
||||
crypto_cipher_crypt_inplace(cipher, (char*)encrypted_portion, encrypted_len);
|
||||
crypto_cipher_free(cipher);
|
||||
|
||||
crypto_hmac_sha256((char*)hmac,
|
||||
(const char*)keys + CIPHER_KEY_LEN,
|
||||
sizeof(keys)-CIPHER_KEY_LEN,
|
||||
(const char*)result, 8 + spec_len + encrypted_len);
|
||||
(const char*)result,
|
||||
8 + CIPHER_IV_LEN + spec_len + encrypted_len);
|
||||
|
||||
*out = result;
|
||||
*outlen_out = 8 + spec_len + encrypted_len + DIGEST256_LEN;
|
||||
*outlen_out = 8 + CIPHER_IV_LEN + spec_len + encrypted_len + DIGEST256_LEN;
|
||||
rv = 0;
|
||||
goto out;
|
||||
|
||||
|
|
@ -104,7 +109,7 @@ crypto_unpwbox(uint8_t **out, size_t *outlen_out,
|
|||
const char *secret, size_t secret_len)
|
||||
{
|
||||
uint8_t *result = NULL;
|
||||
const uint8_t *encrypted;
|
||||
const uint8_t *encrypted, *iv;
|
||||
uint8_t keys[CIPHER_KEY_LEN + DIGEST256_LEN];
|
||||
size_t spec_bytes;
|
||||
uint8_t hmac[DIGEST256_LEN];
|
||||
|
|
@ -137,10 +142,11 @@ crypto_unpwbox(uint8_t **out, size_t *outlen_out,
|
|||
goto err;
|
||||
}
|
||||
|
||||
encrypted = inp + 8 + spec_bytes;
|
||||
iv = inp + 8 + spec_bytes;
|
||||
encrypted = inp + 8 + spec_bytes + CIPHER_IV_LEN;
|
||||
|
||||
/* How long is the plaintext? */
|
||||
cipher = crypto_cipher_new((char*)keys);
|
||||
cipher = crypto_cipher_new_with_iv((char*)keys, (char*)iv);
|
||||
crypto_cipher_decrypt(cipher, (char*)&result_len, (char*)encrypted, 4);
|
||||
result_len = ntohl(result_len);
|
||||
if (input_len < 8 + spec_bytes + 4 + result_len + 32)
|
||||
|
|
|
|||
Loading…
Reference in New Issue