/* SSSD Password obfuscation logic Author: Jakub Hrozek Copyright (C) Red Hat, Inc 2010 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ /* * READ ME: * * Please note that password obfuscation does not improve security in any * way. It is just a mechanism to make the password human-unreadable. If you * need to secure passwords in your application, you should probably take a * look at storing passwords in NSS-backed database. */ #include "config.h" #include #include #include #include #include #include "util/util.h" #include "util/crypto/sss_crypto.h" #include "util/crypto/nss/nss_util.h" #define OBF_BUFFER_SENTINEL "\0\1\2\3" #define OBF_BUFFER_SENTINEL_SIZE 4 #define MAKE_SECITEM(sdata, slen, sitem) do { \ (sitem)->type = (siBuffer); \ (sitem)->data = (sdata); \ (sitem)->len = (slen); \ } while(0) struct sss_nss_crypto_ctx { PK11SlotInfo *slot; PK11Context *ectx; PK11SymKey *keyobj; SECItem *sparam; SECItem *iv; SECItem *key; }; struct crypto_mech_data { CK_MECHANISM_TYPE cipher; uint16_t keylen; uint16_t bsize; }; static struct crypto_mech_data cmdata[] = { /* AES with automatic padding, 256b key, 128b block */ { CKM_AES_CBC_PAD, 32, 16 }, /* sentinel */ { 0, 0, 0 } }; static struct crypto_mech_data *get_crypto_mech_data(enum obfmethod meth) { if (meth >= NUM_OBFMETHODS) { DEBUG(1, ("Unsupported cipher type\n")); return NULL; } return &cmdata[meth]; } static int generate_random_key(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot, struct crypto_mech_data *mech_props, SECItem **_key) { SECStatus sret; SECItem *randkeydata; SECItem *key = NULL; PK11SymKey *randkey; int ret; randkey = PK11_KeyGen(slot, mech_props->cipher, NULL, mech_props->keylen, NULL); if (randkey == NULL) { DEBUG(1, ("Failure to generate key (err %d)\n", PR_GetError())); ret = EIO; goto done; } sret = PK11_ExtractKeyValue(randkey); if (sret != SECSuccess) { DEBUG(1, ("Failure to extract key value (err %d)\n", PR_GetError())); ret = EIO; goto done; } randkeydata = PK11_GetKeyData(randkey); if (randkey == NULL) { DEBUG(1, ("Failure to get key data (err %d)\n", PR_GetError())); ret = EIO; goto done; } /* randkeydata is valid until randkey is. Copy with talloc to * get a nice memory hierarchy symmetrical in encrypt * and decrypt case */ key = talloc_zero(mem_ctx, SECItem); if (!key) { ret = ENOMEM; goto done; } key->data = talloc_memdup(key, randkeydata->data, randkeydata->len); if (!key->data) { ret = ENOMEM; goto done; } key->len = randkeydata->len; *_key = key; ret = EOK; done: if (ret != EOK) talloc_zfree(key); PK11_FreeSymKey(randkey); return ret; } static int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx) { if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE); if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE); if (cctx->slot) PK11_FreeSlot(cctx->slot); if (cctx->keyobj) PK11_FreeSymKey(cctx->keyobj); return EOK; } static int nss_ctx_init(TALLOC_CTX *mem_ctx, struct crypto_mech_data *mech_props, struct sss_nss_crypto_ctx **_cctx) { struct sss_nss_crypto_ctx *cctx; int ret; cctx = talloc_zero(mem_ctx, struct sss_nss_crypto_ctx); if (!cctx) { return ENOMEM; } talloc_set_destructor(cctx, sss_nss_crypto_ctx_destructor); cctx->slot = PK11_GetBestSlot(mech_props->cipher, NULL); if (cctx->slot == NULL) { DEBUG(1, ("Unable to find security device (err %d)\n", PR_GetError())); ret = EIO; goto done; } ret = EOK; *_cctx = cctx; done: if (ret) talloc_zfree(cctx); return ret; } static int nss_encrypt_decrypt_init(struct crypto_mech_data *mech_props, bool do_encrypt, struct sss_nss_crypto_ctx *cctx) { CK_ATTRIBUTE_TYPE op; int ret; op = do_encrypt ? CKA_ENCRYPT : CKA_DECRYPT; /* turn the raw key into a key object */ cctx->keyobj = PK11_ImportSymKey(cctx->slot, mech_props->cipher, PK11_OriginUnwrap, op, cctx->key, NULL); if (cctx->keyobj == NULL) { DEBUG(1, ("Failure to import key into NSS (err %d)\n", PR_GetError())); ret = EIO; goto done; } /* turn the raw IV into a initialization vector object */ cctx->sparam = PK11_ParamFromIV(mech_props->cipher, cctx->iv); if (cctx->sparam == NULL) { DEBUG(1, ("Failure to set up PKCS11 param (err %d)\n", PR_GetError())); ret = EIO; goto done; } /* Create cipher context */ cctx->ectx = PK11_CreateContextBySymKey(mech_props->cipher, op, cctx->keyobj, cctx->sparam); if (cctx->ectx == NULL) { DEBUG(1, ("Cannot create cipher context (err %d)\n", PORT_GetError())); ret = EIO; goto done; } ret = EOK; done: return ret; } int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, enum obfmethod meth, char **obfpwd) { SECStatus sret; int ret; TALLOC_CTX *tmp_ctx = NULL; struct crypto_mech_data *mech_props; struct sss_nss_crypto_ctx *cctx; unsigned char *plaintext; unsigned char *cryptotext; int ct_maxsize; int ctlen; unsigned int digestlen; int result_len; unsigned char *obfbuf; size_t obufsize = 0; size_t p = 0; tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return ENOMEM; } /* initialize NSS if needed */ ret = nspr_nss_init(); if (ret != EOK) { ret = EIO; goto done; } mech_props = get_crypto_mech_data(meth); if (mech_props == NULL) { ret = EINVAL; goto done; } ret = nss_ctx_init(tmp_ctx, mech_props, &cctx); if (ret) { DEBUG(1, ("Cannot initialize NSS context\n")); goto done; } /* generate random encryption and IV key */ ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->key); if (ret != EOK) { DEBUG(1, ("Could not generate encryption key\n")); goto done; } ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->iv); if (ret != EOK) { DEBUG(1, ("Could not generate initialization vector\n")); goto done; } ret = nss_encrypt_decrypt_init(mech_props, true, cctx); if (ret) { DEBUG(1, ("Cannot initialize NSS context properties\n")); goto done; } plaintext = (unsigned char *) talloc_strndup(tmp_ctx, password, plen); if (!plaintext) { ret = ENOMEM; goto done; } /* cryptotext buffer must be at least len(plaintext)+blocksize */ ct_maxsize = plen + (mech_props->bsize); cryptotext = talloc_array(tmp_ctx, unsigned char, ct_maxsize); if (!cryptotext) { ret = ENOMEM; goto done; } /* sample data we'll encrypt and decrypt */ sret = PK11_CipherOp(cctx->ectx, cryptotext, &ctlen, ct_maxsize, plaintext, plen); if (sret != SECSuccess) { DEBUG(1, ("Cannot execute the encryption operation (err %d)\n", PR_GetError())); ret = EIO; goto done; } sret = PK11_DigestFinal(cctx->ectx, cryptotext+ctlen, &digestlen, ct_maxsize-ctlen); if (sret != SECSuccess) { DEBUG(1, ("Cannot execute the digest operation (err %d)\n", PR_GetError())); ret = EIO; goto done; } result_len = ctlen + digestlen; /* Pack the obfuscation buffer */ /* The buffer consists of: * uint16_t the type of the cipher * uint32_t length of the cryptotext in bytes (clen) * uint8_t[klen] key * uint8_t[blen] IV * uint8_t[clen] cryptotext * 4 bytes of "sentinel" denoting end of the buffer */ obufsize = sizeof(uint16_t) + sizeof(uint32_t) + mech_props->keylen + mech_props->bsize + result_len + OBF_BUFFER_SENTINEL_SIZE; obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize); if (!obfbuf) { ret = ENOMEM; goto done; } DEBUG(8, ("Writing method: %d\n", meth)); SAFEALIGN_SET_UINT16(&obfbuf[p], meth, &p); DEBUG(8, ("Writing bufsize: %d\n", result_len)); SAFEALIGN_SET_UINT16(&obfbuf[p], result_len, &p); safealign_memcpy(&obfbuf[p], cctx->key->data, mech_props->keylen, &p); safealign_memcpy(&obfbuf[p], cctx->iv->data, mech_props->bsize, &p); safealign_memcpy(&obfbuf[p], cryptotext, result_len, &p); safealign_memcpy(&obfbuf[p], OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE, &p); /* Base64 encode the resulting buffer */ *obfpwd = sss_base64_encode(mem_ctx, obfbuf, obufsize); if (*obfpwd == NULL) { ret = ENOMEM; goto done; } ret = EOK; done: talloc_free(tmp_ctx); nspr_nss_cleanup(); return ret; } int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, char **password) { SECStatus sret; int ret; TALLOC_CTX *tmp_ctx = NULL; struct crypto_mech_data *mech_props; struct sss_nss_crypto_ctx *cctx; int plainlen; unsigned int digestlen; unsigned char *obfbuf = NULL; size_t obflen; char *pwdbuf; /* for unmarshaling data */ uint16_t meth; uint16_t ctsize; size_t p = 0; unsigned char *cryptotext; unsigned char *keybuf; unsigned char *ivbuf; unsigned char sentinel_check[OBF_BUFFER_SENTINEL_SIZE]; tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return ENOMEM; } /* initialize NSS if needed */ ret = nspr_nss_init(); if (ret != EOK) { ret = EIO; goto done; } /* Base64 decode the incoming buffer */ obfbuf = sss_base64_decode(tmp_ctx, b64encoded, &obflen); if (!obfbuf) { ret = ENOMEM; goto done; } /* unpack obfuscation buffer */ SAFEALIGN_COPY_UINT16_CHECK(&meth, obfbuf+p, obflen, &p); DEBUG(8, ("Read method: %d\n", meth)); SAFEALIGN_COPY_UINT16_CHECK(&ctsize, obfbuf+p, obflen, &p); DEBUG(8, ("Read bufsize: %d\n", ctsize)); mech_props = get_crypto_mech_data(meth); if (mech_props == NULL) { ret = EINVAL; goto done; } /* check that we got sane mechanism properties and cryptotext size */ memcpy(sentinel_check, obfbuf + p + mech_props->keylen + mech_props->bsize + ctsize, OBF_BUFFER_SENTINEL_SIZE); if (memcmp(sentinel_check, OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE) != 0) { DEBUG(0, ("Obfuscation buffer seems corrupt, aborting\n")); ret = EFAULT; goto done; } /* copy out key, ivbuf and cryptotext */ keybuf = talloc_array(tmp_ctx, unsigned char, mech_props->keylen); if (keybuf == NULL) { ret = ENOMEM; goto done; } safealign_memcpy(keybuf, obfbuf+p, mech_props->keylen, &p); ivbuf = talloc_array(tmp_ctx, unsigned char, mech_props->bsize); if (ivbuf == NULL) { ret = ENOMEM; goto done; } safealign_memcpy(ivbuf, obfbuf+p, mech_props->bsize, &p); cryptotext = talloc_array(tmp_ctx, unsigned char, ctsize); if (cryptotext == NULL) { ret = ENOMEM; goto done; } safealign_memcpy(cryptotext, obfbuf+p, ctsize, &p); ret = nss_ctx_init(tmp_ctx, mech_props, &cctx); if (ret) { DEBUG(1, ("Cannot initialize NSS context\n")); goto done; } cctx->iv = talloc_zero(cctx, SECItem); cctx->key = talloc_zero(cctx, SECItem); if (!cctx->iv || !cctx->key) { ret = ENOMEM; goto done; } MAKE_SECITEM(ivbuf, mech_props->bsize, cctx->iv); MAKE_SECITEM(keybuf, mech_props->keylen, cctx->key); ret = nss_encrypt_decrypt_init(mech_props, false, cctx); if (ret) { goto done; } pwdbuf = talloc_array(tmp_ctx, char, ctsize); if (!pwdbuf) { ret = ENOMEM; goto done; } sret = PK11_CipherOp(cctx->ectx, (unsigned char *) pwdbuf, &plainlen, ctsize, cryptotext, ctsize); if (sret != SECSuccess) { DEBUG(1, ("Cannot execute the encryption operation (err %d)\n", PR_GetError())); ret = EIO; goto done; } sret = PK11_DigestFinal(cctx->ectx, (unsigned char *) pwdbuf+plainlen, &digestlen, ctsize - plainlen); if (sret != SECSuccess) { DEBUG(1, ("Cannot execute the encryption operation (err %d)\n", PR_GetError())); ret = EIO; goto done; } *password = talloc_move(mem_ctx, &pwdbuf); ret = EOK; done: talloc_free(tmp_ctx); nspr_nss_cleanup(); return ret; }