diff options
author | Simo Sorce <simo@redhat.com> | 2016-05-09 17:34:49 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-06-29 21:46:52 +0200 |
commit | 625bb2ddf15e8f305a53afa44e87f2146fa930af (patch) | |
tree | e80c6bdcb073d4c597af6c8ef8202726145286ad /src/util | |
parent | 1dd679584241a0f9b29072c7eed1c5c5e4a577e4 (diff) | |
download | sssd-625bb2ddf15e8f305a53afa44e87f2146fa930af.tar.gz sssd-625bb2ddf15e8f305a53afa44e87f2146fa930af.tar.xz sssd-625bb2ddf15e8f305a53afa44e87f2146fa930af.zip |
Secrets: Add encryption at rest
Generates a master key file if it doesn't exist and encrypts secrets
using the master key contained in the file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/crypto/libcrypto/crypto_nite.c | 268 | ||||
-rw-r--r-- | src/util/crypto/nss/nss_crypto.h | 66 | ||||
-rw-r--r-- | src/util/crypto/nss/nss_nite.c | 305 | ||||
-rw-r--r-- | src/util/crypto/nss/nss_obfuscate.c | 214 | ||||
-rw-r--r-- | src/util/crypto/nss/nss_util.c | 211 | ||||
-rw-r--r-- | src/util/crypto/nss/nss_util.h | 1 | ||||
-rw-r--r-- | src/util/crypto/sss_crypto.c | 66 | ||||
-rw-r--r-- | src/util/crypto/sss_crypto.h | 37 |
8 files changed, 966 insertions, 202 deletions
diff --git a/src/util/crypto/libcrypto/crypto_nite.c b/src/util/crypto/libcrypto/crypto_nite.c new file mode 100644 index 000000000..fa267fbcc --- /dev/null +++ b/src/util/crypto/libcrypto/crypto_nite.c @@ -0,0 +1,268 @@ +/* + SSSD + + Encryption/Decryption primitives + + Authors: + Simo Sorce <simo@redhat.com> + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "config.h" +#include <talloc.h> +#include <errno.h> + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +#include <openssl/evp.h> +#include <openssl/rand.h> +#include <openssl/crypto.h> + +struct cipher_mech { + const EVP_CIPHER * (*cipher)(void); + const EVP_MD * (*digest)(void); +} mechs[] = { + { EVP_aes_256_cbc, EVP_sha256 } +}; + +int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *plaintext, size_t plainlen, + uint8_t **ciphertext, size_t *cipherlen) +{ + const EVP_CIPHER *cipher; + const EVP_MD *digest; + EVP_PKEY *hmackey; + EVP_CIPHER_CTX ctx; + EVP_MD_CTX mdctx; + uint8_t *out = NULL; + int evpkeylen; + int evpivlen; + int hmaclen; + int outlen, tmplen; + size_t slen; + int ret; + + if (!plaintext || !plainlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + cipher = mechs[AES256CBC_HMAC_SHA256].cipher(); + digest = mechs[AES256CBC_HMAC_SHA256].digest(); + + evpkeylen = EVP_CIPHER_key_length(cipher); + if (!key || keylen != evpkeylen) return EINVAL; + + hmackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, keylen); + if (!hmackey) return ENOMEM; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just truncate to the key size should the hmac be bigger + * (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + evpivlen = EVP_CIPHER_iv_length(cipher); + outlen = plainlen + (2 * EVP_CIPHER_block_size(cipher)) + + evpivlen + hmaclen; + out = talloc_zero_size(mem_ctx, outlen); + + /* First Encrypt */ + + if (evpivlen != 0) { + RAND_bytes(out, evpivlen); + } + + EVP_CIPHER_CTX_init(&ctx); + ret = EVP_EncryptInit_ex(&ctx, cipher, 0, key, evpivlen ? out : NULL); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen = evpivlen; + tmplen = 0; + ret = EVP_EncryptUpdate(&ctx, out + outlen, &tmplen, plaintext, plainlen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + ret = EVP_EncryptFinal_ex(&ctx, out + outlen, &tmplen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + /* Then HMAC */ + + EVP_MD_CTX_init(&mdctx); + + ret = EVP_DigestInit_ex(&mdctx, digest, NULL); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignInit(&mdctx, NULL, digest, NULL, hmackey); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignUpdate(&mdctx, out, outlen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + slen = hmaclen; + ret = EVP_DigestSignFinal(&mdctx, &out[outlen], &slen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += hmaclen; + + *ciphertext = out; + *cipherlen = outlen; + ret = EOK; + +done: + EVP_MD_CTX_cleanup(&mdctx); + EVP_CIPHER_CTX_cleanup(&ctx); + EVP_PKEY_free(hmackey); + return ret; +} + +int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *ciphertext, size_t cipherlen, + uint8_t **plaintext, size_t *plainlen) +{ + const EVP_CIPHER *cipher; + const EVP_MD *digest; + EVP_PKEY *hmackey; + EVP_CIPHER_CTX ctx; + EVP_MD_CTX mdctx; + const uint8_t *iv = NULL; + uint8_t *out; + int evpkeylen; + int evpivlen; + int hmaclen; + int outlen, tmplen; + size_t slen; + int ret; + + if (!ciphertext || !cipherlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + cipher = mechs[AES256CBC_HMAC_SHA256].cipher(); + digest = mechs[AES256CBC_HMAC_SHA256].digest(); + + evpkeylen = EVP_CIPHER_key_length(cipher); + if (!key || keylen != evpkeylen) return EINVAL; + + hmackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, keylen); + if (!hmackey) return ENOMEM; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just assume it was truncated to the key size should + * the hmac be bigger (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + evpivlen = EVP_CIPHER_iv_length(cipher); + out = talloc_zero_size(mem_ctx, cipherlen); + + /* First check HMAC */ + + EVP_MD_CTX_init(&mdctx); + + ret = EVP_DigestInit_ex(&mdctx, digest, NULL); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignInit(&mdctx, NULL, digest, NULL, hmackey); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignUpdate(&mdctx, ciphertext, cipherlen - hmaclen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + slen = hmaclen; + ret = EVP_DigestSignFinal(&mdctx, out, &slen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = CRYPTO_memcmp(&ciphertext[cipherlen - hmaclen], out, hmaclen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + /* Then Decrypt */ + + if (evpivlen != 0) { + iv = ciphertext; + } + + EVP_CIPHER_CTX_init(&ctx); + ret = EVP_DecryptInit_ex(&ctx, cipher, 0, key, iv); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DecryptUpdate(&ctx, out, &outlen, + ciphertext + evpivlen, + cipherlen - evpivlen - hmaclen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DecryptFinal_ex(&ctx, out + outlen, &tmplen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + *plaintext = out; + *plainlen = outlen; + ret = EOK; + +done: + EVP_MD_CTX_cleanup(&mdctx); + EVP_CIPHER_CTX_cleanup(&ctx); + EVP_PKEY_free(hmackey); + return ret; +} diff --git a/src/util/crypto/nss/nss_crypto.h b/src/util/crypto/nss/nss_crypto.h new file mode 100644 index 000000000..5ecb5449d --- /dev/null +++ b/src/util/crypto/nss/nss_crypto.h @@ -0,0 +1,66 @@ +/* + SSSD + + NSS crypto wrappers + + Authors: + Jakub Hrozek <jhrozek@redhat.com> + + Copyright (C) Red Hat, Inc 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <nss.h> +#include <prerror.h> +#include <pk11func.h> +#include <base64.h> +#include <talloc.h> + +#define MAKE_SECITEM(sdata, slen, sitem) do { \ + (sitem)->type = (siBuffer); \ + (sitem)->data = (sdata); \ + (sitem)->len = (slen); \ +} while(0) + +struct sss_nss_crypto_ctx { + PK11SlotInfo *slot; + PK11Context *ectx; + PK11SymKey *keyobj; + SECItem *sparam; + + SECItem *iv; + SECItem *key; +}; + +struct crypto_mech_data { + CK_MECHANISM_TYPE cipher; + uint16_t keylen; + uint16_t bsize; +}; + +enum crypto_mech_op { + op_encrypt, + op_decrypt, + op_sign +}; + +int nss_ctx_init(TALLOC_CTX *mem_ctx, + struct crypto_mech_data *mech_props, + uint8_t *key, int keylen, + uint8_t *iv, int ivlen, + struct sss_nss_crypto_ctx **_cctx); +int nss_crypto_init(struct crypto_mech_data *mech_props, + enum crypto_mech_op crypto_op, + struct sss_nss_crypto_ctx *cctx); diff --git a/src/util/crypto/nss/nss_nite.c b/src/util/crypto/nss/nss_nite.c new file mode 100644 index 000000000..3641e0512 --- /dev/null +++ b/src/util/crypto/nss/nss_nite.c @@ -0,0 +1,305 @@ +/* + SSSD + + Encryption/Decryption primitives + + Authors: + Simo Sorce <simo@redhat.com> + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "config.h" + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" +#include "util/crypto/nss/nss_crypto.h" + +struct cipher_mech { + struct crypto_mech_data enc; + struct crypto_mech_data hmac; +} mechs[] = { + { { CKM_AES_CBC_PAD, 32, 16 }, { CKM_SHA256_HMAC, 32, 16 } } +}; + +int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *plaintext, size_t plainlen, + uint8_t **ciphertext, size_t *cipherlen) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sss_nss_crypto_ctx *cctx; + struct sss_nss_crypto_ctx *hctx; + struct crypto_mech_data *enc; + struct crypto_mech_data *hmac; + SECStatus sret; + uint8_t *out = NULL; + int ivlen; + int hmaclen; + int outlen; + int clen; + union { + unsigned int u; + int s; + } tmplen; + unsigned int digestlen; + int ret; + + if (!plaintext || !plainlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + enc = &mechs[AES256CBC_HMAC_SHA256].enc; + hmac = &mechs[AES256CBC_HMAC_SHA256].hmac; + ivlen = enc->bsize; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just truncate to the key size should the hmac be bigger + * (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return ENOMEM; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + outlen = plainlen + (2 * enc->bsize) + ivlen + hmaclen; + out = talloc_zero_size(tmp_ctx, outlen); + + /* First Encrypt */ + + if (ivlen != 0) { + ret = generate_csprng_buffer(out, ivlen); + if (ret) return ret; + } + + ret = nss_ctx_init(tmp_ctx, enc, key, keylen, out, ivlen, &cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(enc, op_encrypt, cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + clen = ivlen; + + sret = PK11_CipherOp(cctx->ectx, out + clen, &tmplen.s, + outlen - clen, plaintext, plainlen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + clen += tmplen.s; + + sret = PK11_DigestFinal(cctx->ectx, out + clen, &tmplen.u, outlen - clen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + clen += tmplen.u; + if (clen < 0 || clen > UINT16_MAX) { + ret = ERANGE; + goto done; + } + + /* Then HMAC */ + + ret = nss_ctx_init(tmp_ctx, hmac, key, keylen, NULL, 0, &hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(hmac, op_sign, hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestBegin(hctx->ectx); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestOp(hctx->ectx, out, clen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestFinal(hctx->ectx, out + clen, &digestlen, + outlen - clen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + *ciphertext = talloc_move(mem_ctx, &out); + *cipherlen = clen + hmaclen; + ret = EOK; + +done: + talloc_free(tmp_ctx); + nspr_nss_cleanup(); + return ret; +} + +int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *ciphertext, size_t cipherlen, + uint8_t **plaintext, size_t *plainlen) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sss_nss_crypto_ctx *cctx; + struct sss_nss_crypto_ctx *hctx; + struct crypto_mech_data *enc; + struct crypto_mech_data *hmac; + SECStatus sret; + uint8_t *out = NULL; + uint8_t *ivbuf = NULL; + int ivlen; + int hmaclen; + int outlen; + unsigned int tmplen; + unsigned int digestlen; + int ret; + + if (!plaintext || !plainlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + enc = &mechs[AES256CBC_HMAC_SHA256].enc; + hmac = &mechs[AES256CBC_HMAC_SHA256].hmac; + ivlen = enc->bsize; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just truncate to the key size should the hmac be bigger + * (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return ENOMEM; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + out = talloc_zero_size(tmp_ctx, cipherlen); + + /* First check HMAC */ + + ret = nss_ctx_init(tmp_ctx, hmac, key, keylen, NULL, 0, &hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(hmac, op_sign, hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestBegin(hctx->ectx); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestOp(hctx->ectx, ciphertext, cipherlen - hmaclen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestFinal(hctx->ectx, out, &digestlen, hmaclen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + ret = NSS_SecureMemcmp(&ciphertext[cipherlen - hmaclen], out, hmaclen); + if (ret != 0) { + ret = EFAULT; + goto done; + } + + /* Then Decrypt */ + + if (ivlen != 0) { + ivbuf = talloc_size(tmp_ctx, ivlen); + if (!ivbuf) { + ret = ENOMEM; + goto done; + } + memcpy(ivbuf, ciphertext, ivlen); + } + + ret = nss_ctx_init(tmp_ctx, enc, key, keylen, ivbuf, ivlen, &cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(enc, op_decrypt, cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + sret = PK11_CipherOp(cctx->ectx, out, &outlen, cipherlen, + ciphertext + ivlen, cipherlen - ivlen - hmaclen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestFinal(cctx->ectx, out + outlen, &tmplen, + cipherlen - outlen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + *plaintext = talloc_move(mem_ctx, &out); + *plainlen = outlen; + ret = EOK; + +done: + talloc_free(tmp_ctx); + nspr_nss_cleanup(); + return ret; +} diff --git a/src/util/crypto/nss/nss_obfuscate.c b/src/util/crypto/nss/nss_obfuscate.c index 8c6bdc525..a55f22b6d 100644 --- a/src/util/crypto/nss/nss_obfuscate.c +++ b/src/util/crypto/nss/nss_obfuscate.c @@ -31,42 +31,17 @@ */ #include "config.h" - #include <prerror.h> -#include <nss.h> #include <pk11func.h> -#include <base64.h> -#include <talloc.h> #include "util/util.h" #include "util/crypto/sss_crypto.h" #include "util/crypto/nss/nss_util.h" +#include "util/crypto/nss/nss_crypto.h" #define OBF_BUFFER_SENTINEL "\0\1\2\3" #define OBF_BUFFER_SENTINEL_SIZE 4 -#define MAKE_SECITEM(sdata, slen, sitem) do { \ - (sitem)->type = (siBuffer); \ - (sitem)->data = (sdata); \ - (sitem)->len = (slen); \ -} while(0) - -struct sss_nss_crypto_ctx { - PK11SlotInfo *slot; - PK11Context *ectx; - PK11SymKey *keyobj; - SECItem *sparam; - - SECItem *iv; - SECItem *key; -}; - -struct crypto_mech_data { - CK_MECHANISM_TYPE cipher; - uint16_t keylen; - uint16_t bsize; -}; - static struct crypto_mech_data cmdata[] = { /* AES with automatic padding, 256b key, 128b block */ { CKM_AES_CBC_PAD, 32, 16 }, @@ -83,147 +58,6 @@ static struct crypto_mech_data *get_crypto_mech_data(enum obfmethod meth) return &cmdata[meth]; } -static int generate_random_key(TALLOC_CTX *mem_ctx, - PK11SlotInfo *slot, - struct crypto_mech_data *mech_props, - SECItem **_key) -{ - SECStatus sret; - SECItem *randkeydata; - SECItem *key = NULL; - PK11SymKey *randkey; - int ret; - - randkey = PK11_KeyGen(slot, mech_props->cipher, - NULL, mech_props->keylen, NULL); - if (randkey == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failure to generate key (err %d)\n", - PR_GetError()); - ret = EIO; - goto done; - } - - sret = PK11_ExtractKeyValue(randkey); - if (sret != SECSuccess) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failure to extract key value (err %d)\n", - PR_GetError()); - ret = EIO; - goto done; - } - - randkeydata = PK11_GetKeyData(randkey); - if (randkeydata == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failure to get key data (err %d)\n", - PR_GetError()); - ret = EIO; - goto done; - } - - /* randkeydata is valid until randkey is. Copy with talloc to - * get a nice memory hierarchy symmetrical in encrypt - * and decrypt case */ - key = talloc_zero(mem_ctx, SECItem); - if (!key) { - ret = ENOMEM; - goto done; - } - - key->data = talloc_memdup(key, randkeydata->data, randkeydata->len); - if (!key->data) { - ret = ENOMEM; - goto done; - } - key->len = randkeydata->len; - - *_key = key; - ret = EOK; -done: - if (ret != EOK) talloc_zfree(key); - PK11_FreeSymKey(randkey); - return ret; -} - -static int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx) -{ - if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE); - if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE); - if (cctx->slot) PK11_FreeSlot(cctx->slot); - if (cctx->keyobj) PK11_FreeSymKey(cctx->keyobj); - - return EOK; -} - -static int nss_ctx_init(TALLOC_CTX *mem_ctx, - struct crypto_mech_data *mech_props, - struct sss_nss_crypto_ctx **_cctx) -{ - struct sss_nss_crypto_ctx *cctx; - int ret; - - cctx = talloc_zero(mem_ctx, struct sss_nss_crypto_ctx); - if (!cctx) { - return ENOMEM; - } - talloc_set_destructor(cctx, sss_nss_crypto_ctx_destructor); - - cctx->slot = PK11_GetBestSlot(mech_props->cipher, NULL); - if (cctx->slot == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find security device (err %d)\n", - PR_GetError()); - ret = EIO; - goto done; - } - - ret = EOK; - *_cctx = cctx; -done: - if (ret) talloc_zfree(cctx); - return ret; -} - -static int nss_encrypt_decrypt_init(struct crypto_mech_data *mech_props, - bool do_encrypt, - struct sss_nss_crypto_ctx *cctx) -{ - CK_ATTRIBUTE_TYPE op; - int ret; - - op = do_encrypt ? CKA_ENCRYPT : CKA_DECRYPT; - - /* turn the raw key into a key object */ - cctx->keyobj = PK11_ImportSymKey(cctx->slot, mech_props->cipher, - PK11_OriginUnwrap, op, cctx->key, NULL); - if (cctx->keyobj == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failure to import key into NSS (err %d)\n", - PR_GetError()); - ret = EIO; - goto done; - } - - /* turn the raw IV into a initialization vector object */ - cctx->sparam = PK11_ParamFromIV(mech_props->cipher, cctx->iv); - if (cctx->sparam == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failure to set up PKCS11 param (err %d)\n", - PR_GetError()); - ret = EIO; - goto done; - } - - /* Create cipher context */ - cctx->ectx = PK11_CreateContextBySymKey(mech_props->cipher, op, - cctx->keyobj, cctx->sparam); - if (cctx->ectx == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create cipher context (err %d)\n", - PORT_GetError()); - ret = EIO; - goto done; - } - - ret = EOK; -done: - return ret; -} - int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, enum obfmethod meth, char **obfpwd) { @@ -263,27 +97,14 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, goto done; } - ret = nss_ctx_init(tmp_ctx, mech_props, &cctx); + /* Initiualize ctx and generate random encryption and IV key */ + ret = nss_ctx_init(tmp_ctx, mech_props, NULL, 1, NULL, 1, &cctx); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n"); goto done; } - /* generate random encryption and IV key */ - ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->key); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not generate encryption key\n"); - goto done; - } - - ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->iv); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not generate initialization vector\n"); - goto done; - } - - ret = nss_encrypt_decrypt_init(mech_props, true, cctx); + ret = nss_crypto_init(mech_props, op_encrypt, cctx); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context properties\n"); @@ -431,7 +252,8 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, memcpy(sentinel_check, obfbuf + p + mech_props->keylen + mech_props->bsize + ctsize, OBF_BUFFER_SENTINEL_SIZE); - if (memcmp(sentinel_check, OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE) != 0) { + if (memcmp(sentinel_check, + OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE) != 0) { DEBUG(SSSDBG_FATAL_FAILURE, "Obfuscation buffer seems corrupt, aborting\n"); ret = EFAULT; @@ -460,23 +282,15 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, } safealign_memcpy(cryptotext, obfbuf+p, ctsize, &p); - ret = nss_ctx_init(tmp_ctx, mech_props, &cctx); + ret = nss_ctx_init(tmp_ctx, mech_props, + keybuf, mech_props->keylen, + ivbuf, mech_props->bsize, &cctx); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n"); goto done; } - cctx->iv = talloc_zero(cctx, SECItem); - cctx->key = talloc_zero(cctx, SECItem); - if (!cctx->iv || !cctx->key) { - ret = ENOMEM; - goto done; - } - - MAKE_SECITEM(ivbuf, mech_props->bsize, cctx->iv); - MAKE_SECITEM(keybuf, mech_props->keylen, cctx->key); - - ret = nss_encrypt_decrypt_init(mech_props, false, cctx); + ret = nss_crypto_init(mech_props, op_decrypt, cctx); if (ret) { goto done; } @@ -487,8 +301,8 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, goto done; } - sret = PK11_CipherOp(cctx->ectx, (unsigned char *) pwdbuf, &plainlen, ctsize, - cryptotext, ctsize); + sret = PK11_CipherOp(cctx->ectx, (unsigned char *) pwdbuf, &plainlen, + ctsize, cryptotext, ctsize); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the encryption operation (err %d)\n", @@ -497,8 +311,8 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, goto done; } - sret = PK11_DigestFinal(cctx->ectx, (unsigned char *) pwdbuf+plainlen, &digestlen, - ctsize - plainlen); + sret = PK11_DigestFinal(cctx->ectx, (unsigned char *) pwdbuf+plainlen, + &digestlen, ctsize - plainlen); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the encryption operation (err %d)\n", diff --git a/src/util/crypto/nss/nss_util.c b/src/util/crypto/nss/nss_util.c index 55b81c9b1..46835057b 100644 --- a/src/util/crypto/nss/nss_util.c +++ b/src/util/crypto/nss/nss_util.c @@ -26,12 +26,11 @@ #include "config.h" #include <prinit.h> -#include <prerror.h> #include <nss.h> -#include <pk11func.h> #include "util/util.h" #include "util/crypto/nss/nss_util.h" +#include "util/crypto/nss/nss_crypto.h" static int nspr_nss_init_done = 0; @@ -75,3 +74,211 @@ int nspr_nss_cleanup(void) nspr_nss_init_done = 0; return EOK; } + +static int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx) +{ + if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE); + if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE); + if (cctx->slot) PK11_FreeSlot(cctx->slot); + if (cctx->keyobj) PK11_FreeSymKey(cctx->keyobj); + + return EOK; +} + +static int generate_random_key(TALLOC_CTX *mem_ctx, + PK11SlotInfo *slot, + struct crypto_mech_data *mech_props, + SECItem **_key) +{ + SECStatus sret; + SECItem *randkeydata; + SECItem *key = NULL; + PK11SymKey *randkey; + int ret; + + randkey = PK11_KeyGen(slot, mech_props->cipher, + NULL, mech_props->keylen, NULL); + if (randkey == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to generate key (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + sret = PK11_ExtractKeyValue(randkey); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to extract key value (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + randkeydata = PK11_GetKeyData(randkey); + if (randkeydata == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to get key data (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + /* randkeydata is valid until randkey is. Copy with talloc to + * get a nice memory hierarchy symmetrical in encrypt + * and decrypt case */ + key = talloc_zero(mem_ctx, SECItem); + if (!key) { + ret = ENOMEM; + goto done; + } + + key->data = talloc_memdup(key, randkeydata->data, randkeydata->len); + if (!key->data) { + ret = ENOMEM; + goto done; + } + key->len = randkeydata->len; + + *_key = key; + ret = EOK; +done: + if (ret != EOK) talloc_zfree(key); + PK11_FreeSymKey(randkey); + return ret; +} + +int nss_ctx_init(TALLOC_CTX *mem_ctx, + struct crypto_mech_data *mech_props, + uint8_t *key, int keylen, + uint8_t *iv, int ivlen, + struct sss_nss_crypto_ctx **_cctx) +{ + struct sss_nss_crypto_ctx *cctx; + int ret; + + cctx = talloc_zero(mem_ctx, struct sss_nss_crypto_ctx); + if (!cctx) { + return ENOMEM; + } + talloc_set_destructor(cctx, sss_nss_crypto_ctx_destructor); + + cctx->slot = PK11_GetBestSlot(mech_props->cipher, NULL); + if (cctx->slot == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find security device (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + if (keylen > 0) { + cctx->key = talloc(cctx, SECItem); + if (cctx->key == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate Key buffer\n"); + ret = ENOMEM; + goto done; + } + if (key) { + MAKE_SECITEM(key, keylen, cctx->key); + } else { + ret = generate_random_key(cctx, cctx->slot, + mech_props, &cctx->key); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not generate encryption key\n"); + goto done; + } + } + + } + + if (ivlen > 0) { + cctx->iv = talloc(cctx, SECItem); + if (cctx->iv == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate IV buffer\n"); + ret = ENOMEM; + goto done; + } + if (iv) { + MAKE_SECITEM(iv, ivlen, cctx->iv); + } else { + ret = generate_random_key(cctx, cctx->slot, + mech_props, &cctx->iv); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not generate initialization vector\n"); + goto done; + } + } + } + + ret = EOK; + *_cctx = cctx; +done: + if (ret) talloc_zfree(cctx); + return ret; +} + +int nss_crypto_init(struct crypto_mech_data *mech_props, + enum crypto_mech_op crypto_op, + struct sss_nss_crypto_ctx *cctx) +{ + CK_ATTRIBUTE_TYPE op; + int ret; + + switch (crypto_op) { + case op_encrypt: + op = CKA_ENCRYPT; + break; + case op_decrypt: + op = CKA_DECRYPT; + break; + case op_sign: + op = CKA_SIGN; + break; + default: + return EFAULT; + } + + /* turn the raw key into a key object */ + cctx->keyobj = PK11_ImportSymKey(cctx->slot, mech_props->cipher, + PK11_OriginUnwrap, op, cctx->key, NULL); + if (cctx->keyobj == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to import key into NSS (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + if (crypto_op == op_encrypt || crypto_op == op_decrypt) { + /* turn the raw IV into a initialization vector object */ + cctx->sparam = PK11_ParamFromIV(mech_props->cipher, cctx->iv); + if (cctx->sparam == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failure to set up PKCS11 param (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + } else { + cctx->sparam = SECITEM_AllocItem(NULL, NULL, 0); + if (cctx->sparam == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to allocate SECItem\n"); + ret = EIO; + goto done; + } + MAKE_SECITEM(NULL, 0, cctx->sparam); + } + + /* Create cipher context */ + cctx->ectx = PK11_CreateContextBySymKey(mech_props->cipher, op, + cctx->keyobj, cctx->sparam); + if (cctx->ectx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create cipher context (err %d)\n", + PORT_GetError()); + ret = EIO; + goto done; + } + + ret = EOK; +done: + return ret; +} diff --git a/src/util/crypto/nss/nss_util.h b/src/util/crypto/nss/nss_util.h index 7387b9a7e..08ab58d87 100644 --- a/src/util/crypto/nss/nss_util.h +++ b/src/util/crypto/nss/nss_util.h @@ -22,6 +22,7 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ +#include <nss.h> int nspr_nss_init(void); int nspr_nss_cleanup(void); diff --git a/src/util/crypto/sss_crypto.c b/src/util/crypto/sss_crypto.c new file mode 100644 index 000000000..4c775f3d9 --- /dev/null +++ b/src/util/crypto/sss_crypto.c @@ -0,0 +1,66 @@ +/* + Authors: + Simo Sorce <ssorce@redhat.com> + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "config.h" +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +int generate_csprng_buffer(uint8_t *buf, size_t size) +{ + ssize_t rsize; + ssize_t pos; + int ret; + int fd; + + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) return errno; + + rsize = 0; + pos = 0; + while (rsize < size) { + rsize = read(fd, buf + pos, size - pos); + switch (rsize) { + case -1: + if (errno == EINTR) continue; + ret = EIO; + goto done; + case 0: + ret = EIO; + goto done; + default: + if (rsize + pos < size - pos) { + pos += rsize; + continue; + } + ret = EIO; + goto done; + } + } + if (rsize != size) { + ret = EFAULT; + goto done; + } + + ret = EOK; + +done: + close(fd); + return ret; +} diff --git a/src/util/crypto/sss_crypto.h b/src/util/crypto/sss_crypto.h index 5b40ecfc4..8c7a88317 100644 --- a/src/util/crypto/sss_crypto.h +++ b/src/util/crypto/sss_crypto.h @@ -1,3 +1,24 @@ +/* + Copyright (C) 2009-2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _SSS_CRYPTO_H_ +#define _SSS_CRYPTO_H_ + +int generate_csprng_buffer(uint8_t *buf, size_t size); int s3crypt_sha512(TALLOC_CTX *mmectx, const char *key, const char *salt, char **_hash); @@ -32,3 +53,19 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, char **password); + +enum encmethod { + AES256CBC_HMAC_SHA256, + NUM_ENCMETHODS +}; + +int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *plaintext, size_t plainlen, + uint8_t **ciphertext, size_t *cipherlen); +int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *ciphertext, size_t cipherlen, + uint8_t **plaintext, size_t *plainlen); + +#endif /* _SSS_CRYPTO_H_ */ |