static
ssize_t i_stream_decrypt_key(struct decrypt_istream *stream, const char *malg, unsigned int rounds,
const unsigned char *data, const unsigned char *end, buffer_t *key, size_t key_len)
{
const char *error;
enum dcrypt_key_type ktype;
int keys;
bool have_key = FALSE;
unsigned char dgst[32];
uint32_t val;
buffer_t buf;
if (data == end)
return 0;
keys = *data++;
/* if we have a key, prefab the digest */
if (stream->key_callback == NULL) {
if (stream->priv_key == NULL) {
io_stream_set_error(&stream->istream.iostream, "Decryption error: no private key available");
return -1;
}
buffer_create_from_data(&buf, dgst, sizeof(dgst));
dcrypt_key_id_private(stream->priv_key, "sha256", &buf, NULL);
}
/* for each key */
for(;keys>0;keys--) {
if ((size_t)(end-data) < 1 + (ssize_t)sizeof(dgst))
return 0;
ktype = *data++;
if (stream->key_callback != NULL) {
const char *hexdgst = binary_to_hex(data, sizeof(dgst)); /* digest length */
/* hope you going to give us right key.. */
int ret = stream->key_callback(hexdgst, &(stream->priv_key), &error, stream->key_context);
if (ret < 0) {
io_stream_set_error(&stream->istream.iostream, "Private key not available: %s", error);
return -1;
}
if (ret > 0) {
dcrypt_key_ref_private(stream->priv_key);
have_key = TRUE;
break;
}
} else {
/* see if key matches to the one we have */
if (memcmp(dgst, data, sizeof(dgst)) == 0) {
have_key = TRUE;
break;
}
}
data += sizeof(dgst);
/* wasn't correct key, skip over some data */
if (!get_msb32(&data, end, &val) ||
!get_msb32(&data, end, &val))
return 0;
}
/* didn't find matching key */
if (!have_key) {
io_stream_set_error(&stream->istream.iostream, "Decryption error: no private key available");
return -1;
}
data += sizeof(dgst);
const unsigned char *ephemeral_key;
uint32_t ep_key_len;
const unsigned char *encrypted_key;
uint32_t eklen;
const unsigned char *ekhash;
uint32_t ekhash_len;
/* read ephemeral key (can be missing for RSA) */
if (!get_msb32(&data, end, &ep_key_len) || (size_t)(end-data) < ep_key_len)
return 0;
ephemeral_key = data;
data += ep_key_len;
/* read encrypted key */
if (!get_msb32(&data, end, &eklen) || (size_t)(end-data) < eklen)
return 0;
encrypted_key = data;
data += eklen;
/* read key data hash */
if (!get_msb32(&data, end, &ekhash_len) || (size_t)(end-data) < ekhash_len)
return 0;
ekhash = data;
data += ekhash_len;
/* decrypt the seed */
if (ktype == DCRYPT_KEY_RSA) {
if (!dcrypt_rsa_decrypt(stream->priv_key, encrypted_key, eklen, key, &error)) {
io_stream_set_error(&stream->istream.iostream, "key decryption error: %s", error);
return -1;
}
} else if (ktype == DCRYPT_KEY_EC) {
/* perform ECDHE */
buffer_t *temp_key = buffer_create_dynamic(pool_datastack_create(), 256);
buffer_t *secret = buffer_create_dynamic(pool_datastack_create(), 256);
buffer_t peer_key;
buffer_create_from_const_data(&peer_key, ephemeral_key, ep_key_len);
if (!dcrypt_ecdh_derive_secret_local(stream->priv_key, &peer_key, secret, &error)) {
io_stream_set_error(&stream->istream.iostream, "Key decryption error: corrupted header");
return -1;
}
/* use shared secret and peer key to generate decryption key, AES-256-CBC has 32 byte key and 16 byte IV */
if (!dcrypt_pbkdf2(secret->data, secret->used, peer_key.data, peer_key.used,
malg, rounds, temp_key, 32+16, &error)) {
safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
return -1;
}
safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
if (temp_key->used != 32+16) {
safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
io_stream_set_error(&stream->istream.iostream, "Cannot perform key decryption: invalid temporary key");
return -1;
}
struct dcrypt_context_symmetric *dctx;
if (!dcrypt_ctx_sym_create("AES-256-CBC", DCRYPT_MODE_DECRYPT, &dctx, &error)) {
safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
io_stream_set_error(&stream->istream.iostream, "Key decryption error: %s", error);
return -1;
}
const unsigned char *ptr = temp_key->data;
/* we use ephemeral_key for IV */
dcrypt_ctx_sym_set_key(dctx, ptr, 32);
dcrypt_ctx_sym_set_iv(dctx, ptr+32, 16);
safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
int ec = 0;
if (!dcrypt_ctx_sym_init(dctx, &error) ||
!dcrypt_ctx_sym_update(dctx, encrypted_key, eklen, key, &error) ||
!dcrypt_ctx_sym_final(dctx, key, &error)) {
io_stream_set_error(&stream->istream.iostream, "Cannot perform key decryption: %s", error);
ec = -1;
}
if (key->used != key_len) {
io_stream_set_error(&stream->istream.iostream, "Cannot perform key decryption: invalid key length");
ec = -1;
}
dcrypt_ctx_sym_destroy(&dctx);
if (ec != 0) return ec;
} else {
io_stream_set_error(&stream->istream.iostream, "Decryption error: unsupported key type 0x%02x", ktype);
return -1;
}
/* make sure we were able to decrypt the encrypted key correctly */
const struct hash_method *hash = hash_method_lookup(t_str_lcase(malg));
if (hash == NULL) {
safe_memset(buffer_get_modifiable_data(key, 0), 0, key->used);
io_stream_set_error(&stream->istream.iostream, "Decryption error: unsupported hash algorithm: %s", malg);
return -1;
}
unsigned char hctx[hash->context_size];
unsigned char hres[hash->digest_size];
hash->init(hctx);
hash->loop(hctx, key->data, key->used);
hash->result(hctx, hres);
for(int i = 1; i < 2049; i++) {
uint32_t i_msb = htonl(i);
hash->init(hctx);
hash->loop(hctx, hres, sizeof(hres));
hash->loop(hctx, &i_msb, sizeof(i_msb));
hash->result(hctx, hres);
}
/* do the comparison */
if (memcmp(ekhash, hres, I_MIN(ekhash_len, sizeof(hres))) != 0) {
safe_memset(buffer_get_modifiable_data(key, 0), 0, key->used);
io_stream_set_error(&stream->istream.iostream, "Decryption error: corrupted header ekhash");
return -1;
}
return 1;
}
static
int o_stream_encrypt_key_for_pubkey_v2(struct encrypt_ostream *stream, const char *malg,
const unsigned char *key, size_t key_len, struct dcrypt_public_key *pubkey, buffer_t *res)
{
enum dcrypt_key_type ktype;
const char *error;
buffer_t *encrypted_key, *ephemeral_key, *temp_key;
ephemeral_key = buffer_create_dynamic(pool_datastack_create(), 256);
encrypted_key = buffer_create_dynamic(pool_datastack_create(), 256);
temp_key = buffer_create_dynamic(pool_datastack_create(), 48);
ktype = dcrypt_key_type_public(pubkey);
if (ktype == DCRYPT_KEY_RSA) {
/* encrypt key as R (as we don't need DH with RSA)*/
if (!dcrypt_rsa_encrypt(pubkey, key, key_len, encrypted_key, &error)) {
io_stream_set_error(&stream->ostream.iostream, "Cannot encrypt key data: %s", error);
return -1;
}
} else if (ktype == DCRYPT_KEY_EC) {
/* R = our ephemeral public key */
buffer_t *secret = buffer_create_dynamic(pool_datastack_create(), 256);
/* derive ephemeral key and shared secret */
if (!dcrypt_ecdh_derive_secret_peer(pubkey, ephemeral_key, secret, &error)) {
io_stream_set_error(&stream->ostream.iostream, "Cannot perform ECDH: %s", error);
return -1;
}
/* use shared secret and ephemeral key to generate encryption key/iv */
if (!dcrypt_pbkdf2(secret->data, secret->used, ephemeral_key->data, ephemeral_key->used,
malg, IO_STREAM_ENCRYPT_ROUNDS, temp_key, 48, &error)) {
safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
io_stream_set_error(&stream->ostream.iostream, "Cannot perform key encryption: %s", error);
}
safe_memset(buffer_get_modifiable_data(secret, 0), 0, secret->used);
/* encrypt key with shared secret */
struct dcrypt_context_symmetric *dctx;
if (!dcrypt_ctx_sym_create("AES-256-CBC", DCRYPT_MODE_ENCRYPT, &dctx, &error)) {
safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
io_stream_set_error(&stream->ostream.iostream, "Cannot perform key encryption: %s", error);
return -1;
}
const unsigned char *ptr = temp_key->data;
i_assert(temp_key->used == 48);
dcrypt_ctx_sym_set_key(dctx, ptr, 32);
dcrypt_ctx_sym_set_iv(dctx, ptr+32, 16);
safe_memset(buffer_get_modifiable_data(temp_key, 0), 0, temp_key->used);
int ec = 0;
if (!dcrypt_ctx_sym_init(dctx, &error) ||
!dcrypt_ctx_sym_update(dctx, key, key_len, encrypted_key, &error) ||
!dcrypt_ctx_sym_final(dctx, encrypted_key, &error)) {
io_stream_set_error(&stream->ostream.iostream, "Cannot perform key encryption: %s", error);
ec = -1;
}
dcrypt_ctx_sym_destroy(&dctx);
if (ec != 0) return ec;
} else {
io_stream_set_error(&stream->ostream.iostream, "Unsupported key type");
return -1;
}
/* store key type */
char kt = ktype;
buffer_append(res, &kt, 1);
/* store hash of public key as ID */
dcrypt_key_id_public(stream->pub, "sha256", res, NULL);
/* store ephemeral key (if present) */
unsigned int val = htonl(ephemeral_key->used);
buffer_append(res, &val, 4);
buffer_append_buf(res, ephemeral_key, 0, (size_t)-1);
/* store encrypted key */
val = htonl(encrypted_key->used);
buffer_append(res, &val, 4);
buffer_append_buf(res, encrypted_key, 0, (size_t)-1);
return 0;
}
