lib/arc.c

   1 /***************************************************************************\
   2 *                                                                           *
   3 *  BitlBee - An IRC to IM gateway                                           *
   4 *  Simple (but secure) ArcFour implementation for safer password storage.   *
   5 *                                                                           *
   6 *  Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net>                   *
   7 *                                                                           *
   8 *  This library is free software; you can redistribute it and/or            *
   9 *  modify it under the terms of the GNU Lesser General Public               *
  10 *  License as published by the Free Software Foundation, version            *
  11 *  2.1.                                                                     *
  12 *                                                                           *
  13 *  This library is distributed in the hope that it will be useful,          *
  14 *  but WITHOUT ANY WARRANTY; without even the implied warranty of           *
  15 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU        *
  16 *  Lesser General Public License for more details.                          *
  17 *                                                                           *
  18 *  You should have received a copy of the GNU Lesser General Public License *
  19 *  along with this library; if not, write to the Free Software Foundation,  *
  20 *  Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           *
  21 *                                                                           *
  22 \***************************************************************************/
  23
  24 /*
  25    This file implements ArcFour-encryption, which will mainly be used to
  26    save IM passwords safely in the new XML-format. Possibly other uses will
  27    come up later. It's supposed to be quite reliable (thanks to the use of a
  28    6-byte IV/seed), certainly compared to the old format. The only realistic
  29    way to crack BitlBee passwords now is to use a sniffer to get your hands
  30    on the user's password.
  31
  32    If you see that something's wrong in this implementation (I asked a
  33    couple of people to look at it already, but who knows), please tell me.
  34
  35    The reason I picked ArcFour is because it's pretty simple but effective,
  36    so it will work without adding several KBs or an extra library dependency.
  37
  38    (ArcFour is an RC4-compatible cipher. See for details:
  39    http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt)
  40 */
  41
  42
  43 #include <glib.h>
  44 #include <gmodule.h>
  45 #include <stdlib.h>
  46 #include <string.h>
  47 #include "misc.h"
  48 #include "arc.h"
  49
  50 /* Add some seed to the password, to make sure we *never* use the same key.
  51    This defines how many bytes we use as a seed. */
  52 #define ARC_IV_LEN 6
  53
  54 /* To defend against a "Fluhrer, Mantin and Shamir attack", it is recommended
  55    to shuffle S[] just a bit more before you start to use it. This defines how
  56    many bytes we'll request before we'll really use them for encryption. */
  57 #define ARC_CYCLES 1024
  58
  59 struct arc_state *arc_keymaker( unsigned char *key, int kl, int cycles )
  60 {
  61         struct arc_state *st;
  62         int i, j, tmp;
  63         unsigned char S2[256];
  64
  65         st = g_malloc( sizeof( struct arc_state ) );
  66         st->i = st->j = 0;
  67         if( kl <= 0 )
  68                 kl = strlen( (char*) key );
  69
  70         for( i = 0; i < 256; i ++ )
  71         {
  72                 st->S[i] = i;
  73                 S2[i] = key[i%kl];
  74         }
  75
  76         for( i = j = 0; i < 256; i ++ )
  77         {
  78                 j = ( j + st->S[i] + S2[i] ) & 0xff;
  79                 tmp = st->S[i];
  80                 st->S[i] = st->S[j];
  81                 st->S[j] = tmp;
  82         }
  83
  84         memset( S2, 0, 256 );
  85         i = j = 0;
  86
  87         for( i = 0; i < cycles; i ++ )
  88                 arc_getbyte( st );
  89
  90         return st;
  91 }
  92
  93 /*
  94    For those who don't know, ArcFour is basically an algorithm that generates
  95    a stream of bytes after you give it a key. Just get a byte from it and
  96    xor it with your cleartext. To decrypt, just give it the same key again
  97    and start xorring.
  98
  99    The function above initializes the byte generator, the next function can
 100    be used to get bytes from the generator (and shuffle things a bit).
 101 */
 102
 103 unsigned char arc_getbyte( struct arc_state *st )
 104 {
 105         unsigned char tmp;
 106
 107         /* Unfortunately the st-> stuff doesn't really improve readability here... */
 108         st->i ++;
 109         st->j += st->S[st->i];
 110         tmp = st->S[st->i];
 111         st->S[st->i] = st->S[st->j];
 112         st->S[st->j] = tmp;
 113         tmp = (st->S[st->i] + st->S[st->j]) & 0xff;
 114
 115         return st->S[tmp];
 116 }
 117
 118 /*
 119    The following two functions can be used for reliable encryption and
 120    decryption. Known plaintext attacks are prevented by adding some (6,
 121    by default) random bytes to the password before setting up the state
 122    structures. These 6 bytes are also saved in the results, because of
 123    course we'll need them in arc_decode().
 124
 125    Because the length of the resulting string is unknown to the caller,
 126    it should pass a char**. Since the encode/decode functions allocate
 127    memory for the string, make sure the char** points at a NULL-pointer
 128    (or at least to something you already free()d), or you'll leak
 129    memory. And of course, don't forget to free() the result when you
 130    don't need it anymore.
 131
 132    Both functions return the number of bytes in the result string.
 133
 134    Note that if you use the pad_to argument, you will need zero-termi-
 135    nation to find back the original string length after decryption. So
 136    it shouldn't be used if your string contains \0s by itself!
 137 */
 138
 139 int arc_encode( char *clear, int clear_len, unsigned char **crypt, char *password, int pad_to )
 140 {
 141         struct arc_state *st;
 142         unsigned char *key;
 143         char *padded = NULL;
 144         int key_len, i, padded_len;
 145
 146         key_len = strlen( password ) + ARC_IV_LEN;
 147         if( clear_len <= 0 )
 148                 clear_len = strlen( clear );
 149
 150         /* Pad the string to the closest multiple of pad_to. This makes it
 151            impossible to see the exact length of the password. */
 152         if( pad_to > 0 && ( clear_len % pad_to ) > 0 )
 153         {
 154                 padded_len = clear_len + pad_to - ( clear_len % pad_to );
 155                 padded = g_malloc( padded_len );
 156                 memcpy( padded, clear, clear_len );
 157
 158                 /* First a \0 and then random data, so we don't have to do
 159                    anything special when decrypting. */
 160                 padded[clear_len] = 0;
 161                 random_bytes( (unsigned char*) padded + clear_len + 1, padded_len - clear_len - 1 );
 162
 163                 clear = padded;
 164                 clear_len = padded_len;
 165         }
 166
 167         /* Prepare buffers and the key + IV */
 168         *crypt = g_malloc( clear_len + ARC_IV_LEN );
 169         key = g_malloc( key_len );
 170         strcpy( (char*) key, password );
 171
 172         /* Add the salt. Save it for later (when decrypting) and, of course,
 173            add it to the encryption key. */
 174         random_bytes( crypt[0], ARC_IV_LEN );
 175         memcpy( key + key_len - ARC_IV_LEN, crypt[0], ARC_IV_LEN );
 176
 177         /* Generate the initial S[] from the IVed key. */
 178         st = arc_keymaker( key, key_len, ARC_CYCLES );
 179         g_free( key );
 180
 181         for( i = 0; i < clear_len; i ++ )
 182                 crypt[0][i+ARC_IV_LEN] = clear[i] ^ arc_getbyte( st );
 183
 184         g_free( st );
 185         g_free( padded );
 186
 187         return clear_len + ARC_IV_LEN;
 188 }
 189
 190 int arc_decode( unsigned char *crypt, int crypt_len, char **clear, char *password )
 191 {
 192         struct arc_state *st;
 193         unsigned char *key;
 194         int key_len, clear_len, i;
 195
 196         key_len = strlen( password ) + ARC_IV_LEN;
 197         clear_len = crypt_len - ARC_IV_LEN;
 198
 199         if( clear_len < 0 )
 200         {
 201                 *clear = g_strdup( "" );
 202                 return -1;
 203         }
 204
 205         /* Prepare buffers and the key + IV */
 206         *clear = g_malloc( clear_len + 1 );
 207         key = g_malloc( key_len );
 208         strcpy( (char*) key, password );
 209         for( i = 0; i < ARC_IV_LEN; i ++ )
 210                 key[key_len-ARC_IV_LEN+i] = crypt[i];
 211
 212         /* Generate the initial S[] from the IVed key. */
 213         st = arc_keymaker( key, key_len, ARC_CYCLES );
 214         g_free( key );
 215
 216         for( i = 0; i < clear_len; i ++ )
 217                 clear[0][i] = crypt[i+ARC_IV_LEN] ^ arc_getbyte( st );
 218         clear[0][i] = 0; /* Nice to have for plaintexts. */
 219
 220         g_free( st );
 221
 222         return clear_len;
 223 }