/* Generates a random mp_int.
* max is a *mp_int specifying an upper bound.
* rand must be an initialised *mp_int for the result.
* the result rand satisfies: 0 < rand < max
* */
void gen_random_mpint(mp_int *max, mp_int *rand) {
unsigned char *randbuf = NULL;
unsigned int len = 0;
const unsigned char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
const int size_bits = mp_count_bits(max);
len = size_bits / 8;
if ((size_bits % 8) != 0) {
len += 1;
}
randbuf = (unsigned char*)m_malloc(len);
do {
genrandom(randbuf, len);
/* Mask out the unrequired bits - mp_read_unsigned_bin expects
* MSB first.*/
randbuf[0] &= masks[size_bits % 8];
bytes_to_mp(rand, randbuf, len);
/* keep regenerating until we get one satisfying
* 0 < rand < max */
} while (!(mp_cmp(rand, max) == MP_LT && mp_cmp_d(rand, 0) == MP_GT));
m_burn(randbuf, len);
m_free(randbuf);
}
/*
* create a change uid capability
*/
char*
mkcap(char *from, char *to)
{
uchar rand[20];
char *cap;
char *key;
int nfrom, nto;
uchar hash[SHA1dlen];
if(caphashfd < 0)
return nil;
/* create the capability */
nto = strlen(to);
nfrom = strlen(from);
cap = emalloc(nfrom+1+nto+1+sizeof(rand)*3+1);
sprint(cap, "%s@%s", from, to);
genrandom(rand, sizeof(rand));
key = cap+nfrom+1+nto+1;
enc64(key, sizeof(rand)*3, rand, sizeof(rand));
/* hash the capability */
hmac_sha1((uchar*)cap, strlen(cap), (uchar*)key, strlen(key), hash, nil);
/* give the kernel the hash */
key[-1] = '@';
if(write(caphashfd, hash, SHA1dlen) < 0){
free(cap);
return nil;
}
return cap;
}
/*
* use the X917 random number generator to create random
* numbers (faster than truerand() but not as random).
*/
ulong
fastrand(void)
{
ulong x;
genrandom((uchar*)&x, sizeof x);
return x;
}
static void getp(dss_key *key, unsigned int size) {
DEF_MP_INT(tempX);
DEF_MP_INT(tempC);
DEF_MP_INT(tempP);
DEF_MP_INT(temp2q);
int result;
unsigned char *buf;
m_mp_init_multi(&tempX, &tempC, &tempP, &temp2q, NULL);
/* 2*q */
if (mp_mul_d(key->q, 2, &temp2q) != MP_OKAY) {
fprintf(stderr, "dss key generation failed\n");
exit(1);
}
buf = (unsigned char*)m_malloc(size);
result = 0;
do {
genrandom(buf, size);
buf[0] |= 0x80; /* set the top bit high */
/* X is a random mp_int */
bytes_to_mp(&tempX, buf, size);
/* C = X mod 2q */
if (mp_mod(&tempX, &temp2q, &tempC) != MP_OKAY) {
fprintf(stderr, "dss key generation failed\n");
exit(1);
}
/* P = X - (C - 1) = X - C + 1*/
if (mp_sub(&tempX, &tempC, &tempP) != MP_OKAY) {
fprintf(stderr, "dss key generation failed\n");
exit(1);
}
if (mp_add_d(&tempP, 1, key->p) != MP_OKAY) {
fprintf(stderr, "dss key generation failed\n");
exit(1);
}
/* now check for prime, 5 rounds is enough according to HAC */
/* result == 1 => p is prime */
if (mp_prime_is_prime(key->p, 5, &result) != MP_OKAY) {
fprintf(stderr, "dss key generation failed\n");
exit(1);
}
} while (!result);
mp_clear_multi(&tempX, &tempC, &tempP, &temp2q, NULL);
m_burn(buf, size);
m_free(buf);
}
/* Send our list of algorithms we can use */
void send_msg_kexinit() {
CHECKCLEARTOWRITE();
buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);
/* cookie */
genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
buf_incrwritepos(ses.writepayload, 16);
/* kex algos */
buf_put_algolist(ses.writepayload, sshkex);
/* server_host_key_algorithms */
buf_put_algolist(ses.writepayload, sshhostkey);
/* encryption_algorithms_client_to_server */
buf_put_algolist(ses.writepayload, sshciphers);
/* encryption_algorithms_server_to_client */
buf_put_algolist(ses.writepayload, sshciphers);
/* mac_algorithms_client_to_server */
buf_put_algolist(ses.writepayload, sshhashes);
/* mac_algorithms_server_to_client */
buf_put_algolist(ses.writepayload, sshhashes);
/* compression_algorithms_client_to_server */
buf_put_algolist(ses.writepayload, sshcompress);
/* compression_algorithms_server_to_client */
buf_put_algolist(ses.writepayload, sshcompress);
/* languages_client_to_server */
buf_putstring(ses.writepayload, "", 0);
/* languages_server_to_client */
buf_putstring(ses.writepayload, "", 0);
/* first_kex_packet_follows - unimplemented for now */
buf_putbyte(ses.writepayload, 0x00);
/* reserved unit32 */
buf_putint(ses.writepayload, 0);
/* set up transmitted kex packet buffer for hashing.
* This is freed after the end of the kex */
ses.transkexinit = buf_newcopy(ses.writepayload);
encrypt_packet();
ses.dataallowed = 0; /* don't send other packets during kex */
ses.kexstate.sentkexinit = 1;
}
main ( int argc, char *argv[] )
{
int a;
char Volba;
while ( ( Volba = Menu() ) != '5' )
{
switch ( Volba )
{
case '1':
system ( "clear" );
printf ( "Generating please wait...\n\n" );
genrandom();
sort();
printrnd();
printall();
printf ( "\n1. Export results to file\n2. Continue\nType choice number: " );
scanf ( "%d", &a );
if ( a==1 )
{
exptofile();
printf ( "Exported!" );
getchar();
getchar();
}
break;
case '2':
system ( "clear" );
printf ( "How many lines do you want? " );
gennlines();
break;
case '3':
system ( "clear" );
compare();
break;
case '4':
clearfile();
printf ( "Done!" );
getchar();
getchar();
break;
}
}
system ( "clear" );
return 0;
}
static void write_urandom()
{
#ifndef DROPBEAR_PRNGD_SOCKET
/* This is opportunistic, don't worry about failure */
unsigned char buf[INIT_SEED_SIZE];
FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w");
if (!f) {
return;
}
genrandom(buf, sizeof(buf));
fwrite(buf, sizeof(buf), 1, f);
fclose(f);
#endif
}
gennlines ()
{
char *Nazov;
int a,count;
scanf ( "%d",&count );
system ( "clear" );
for ( a=0; a<count; a++ )
{
genrandom();
sort();
printrnd();
exptofile();
}
printf ( "Done! Hit Enter to continue..." );
getchar();
getchar();
}
static void getq(dss_key *key) {
char buf[QSIZE];
/* 160 bit prime */
genrandom(buf, QSIZE);
buf[0] |= 0x80; /* top bit high */
buf[QSIZE-1] |= 0x01; /* bottom bit high */
bytes_to_mp(key->q, buf, QSIZE);
/* 18 rounds are required according to HAC */
if (mp_prime_next_prime(key->q, 18, 0) != MP_OKAY) {
fprintf(stderr, "dss key generation failed\n");
exit(1);
}
}
/* return a prime suitable for p or q */
static void getrsaprime(mp_int* prime, mp_int *primeminus,
mp_int* rsa_e, unsigned int size_bytes) {
unsigned char *buf;
DEF_MP_INT(temp_gcd);
buf = (unsigned char*)m_malloc(size_bytes);
m_mp_init(&temp_gcd);
do {
/* generate a random odd number with MSB set, then find the
the next prime above it */
genrandom(buf, size_bytes);
buf[0] |= 0x80;
bytes_to_mp(prime, buf, size_bytes);
/* find the next integer which is prime, 8 round of miller-rabin */
if (mp_prime_next_prime(prime, 8, 0) != MP_OKAY) {
fprintf(stderr, "RSA generation failed\n");
exit(1);
}
/* subtract one to get p-1 */
if (mp_sub_d(prime, 1, primeminus) != MP_OKAY) {
fprintf(stderr, "RSA generation failed\n");
exit(1);
}
/* check relative primality to e */
if (mp_gcd(primeminus, rsa_e, &temp_gcd) != MP_OKAY) {
fprintf(stderr, "RSA generation failed\n");
exit(1);
}
} while (mp_cmp_d(&temp_gcd, 1) != MP_EQ); /* while gcd(p-1, e) != 1 */
/* now we have a good value for result */
mp_clear(&temp_gcd);
m_burn(buf, size_bytes);
m_free(buf);
}
// generate a probable prime. accuracy is the miller-rabin interations
void
genprime(mpint *p, int n, int accuracy)
{
mpdigit x;
// generate n random bits with high and low bits set
mpbits(p, n);
genrandom((uint8_t*)p->p, (n+7)/8);
p->top = (n+Dbits-1)/Dbits;
x = 1;
x <<= ((n-1)%Dbits);
p->p[p->top-1] &= (x-1);
p->p[p->top-1] |= x;
p->p[0] |= 1;
// keep icrementing till it looks prime
for(;;){
if(probably_prime(p, accuracy))
break;
mpadd(p, mptwo, p);
}
}
/* Generate our side of the diffie-hellman key exchange value (dh_f), and
* calculate the session key using the diffie-hellman algorithm. Following
* that, the session hash is calculated, and signed with RSA or DSS. The
* result is sent to the client.
*
* See the ietf-secsh-transport draft, section 6, for details */
static void send_msg_kexdh_reply(mp_int *dh_e) {
mp_int dh_p, dh_q, dh_g, dh_y, dh_f;
unsigned char randbuf[DH_P_LEN];
int dh_q_len;
hash_state hs;
TRACE(("enter send_msg_kexdh_reply"));
assert(ses.kexstate.recvkexinit);
m_mp_init_multi(&dh_g, &dh_p, &dh_q, &dh_y, &dh_f, NULL);
/* read the prime and generator*/
if (mp_read_unsigned_bin(&dh_p, (unsigned char*)dh_p_val, DH_P_LEN)
!= MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
if (mp_set_int(&dh_g, dh_g_val) != MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
/* calculate q = (p-1)/2 */
if (mp_sub_d(&dh_p, 1, &dh_y) != MP_OKAY) { /*dh_y is just a temp var here*/
dropbear_exit("Diffie-Hellman error");
}
if (mp_div_2(&dh_y, &dh_q) != MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
dh_q_len = mp_unsigned_bin_size(&dh_q);
/* calculate our random value dh_y */
do {
assert((unsigned int)dh_q_len <= sizeof(randbuf));
genrandom(randbuf, dh_q_len);
if (mp_read_unsigned_bin(&dh_y, randbuf, dh_q_len) != MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
} while (mp_cmp(&dh_y, &dh_q) == MP_GT || mp_cmp_d(&dh_y, 0) != MP_GT);
/* f = g^y mod p */
if (mp_exptmod(&dh_g, &dh_y, &dh_p, &dh_f) != MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
mp_clear(&dh_g);
/* K = e^y mod p */
ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int));
m_mp_init(ses.dh_K);
if (mp_exptmod(dh_e, &dh_y, &dh_p, ses.dh_K) != MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
/* clear no longer needed vars */
mp_clear_multi(&dh_y, &dh_p, &dh_q, NULL);
/* Create the remainder of the hash buffer, to generate the exchange hash */
/* K_S, the host key */
buf_put_pub_key(ses.kexhashbuf, ses.opts->hostkey,
ses.newkeys->algo_hostkey);
/* e, exchange value sent by the client */
buf_putmpint(ses.kexhashbuf, dh_e);
/* f, exchange value sent by the server */
buf_putmpint(ses.kexhashbuf, &dh_f);
/* K, the shared secret */
buf_putmpint(ses.kexhashbuf, ses.dh_K);
/* calculate the hash H to sign */
sha1_init(&hs);
buf_setpos(ses.kexhashbuf, 0);
sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
ses.kexhashbuf->len);
sha1_done(&hs, ses.hash);
buf_free(ses.kexhashbuf);
ses.kexhashbuf = NULL;
/* first time around, we set the session_id to H */
if (ses.session_id == NULL) {
/* create the session_id, this never needs freeing */
ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE);
memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE);
}
/* we can start creating the kexdh_reply packet */
CHECKCLEARTOWRITE();
buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_REPLY);
buf_put_pub_key(ses.writepayload, ses.opts->hostkey,
ses.newkeys->algo_hostkey);
/* put f */
buf_putmpint(ses.writepayload, &dh_f);
mp_clear(&dh_f);
/* calc the signature */
buf_put_sign(ses.writepayload, ses.opts->hostkey,
ses.newkeys->algo_hostkey, ses.hash, SHA1_HASH_SIZE);
/* the SSH_MSG_KEXDH_REPLY is done */
encrypt_packet();
TRACE(("leave send_msg_kexdh_reply"));
}
static long
consread(Chan *c, void *va, long n, vlong offset)
{
int send;
char buf[64], ch;
if(c->qid.type & QTDIR)
return devdirread(c, va, n, contab, nelem(contab), devgen);
switch((ulong)c->qid.path) {
default:
error(Egreg);
case Qsysctl:
return readstr(offset, va, n, VERSION);
case Qsysname:
if(ossysname == nil)
return 0;
return readstr(offset, va, n, ossysname);
case Qrandom:
return randomread(va, n);
case Qnotquiterandom:
genrandom(va, n);
return n;
case Qhostowner:
return readstr(offset, va, n, eve);
case Qhoststdin:
return read(0, va, n); /* should be pread */
case Quser:
return readstr(offset, va, n, up->env->user);
case Qjit:
snprint(buf, sizeof(buf), "%d", cflag);
return readstr(offset, va, n, buf);
case Qtime:
snprint(buf, sizeof(buf), "%.lld", timeoffset + osusectime());
return readstr(offset, va, n, buf);
case Qdrivers:
return devtabread(c, va, n, offset);
case Qmemory:
return poolread(va, n, offset);
case Qnull:
return 0;
case Qmsec:
return readnum(offset, va, n, osmillisec(), NUMSIZE);
case Qcons:
qlock(&kbd.q);
if(waserror()){
qunlock(&kbd.q);
nexterror();
}
if(dflag)
error(Enonexist);
while(!qcanread(lineq)) {
if(qread(kbdq, &ch, 1) == 0)
continue;
send = 0;
if(ch == 0){
/* flush output on rawoff -> rawon */
if(kbd.x > 0)
send = !qcanread(kbdq);
}else if(kbd.raw){
kbd.line[kbd.x++] = ch;
send = !qcanread(kbdq);
}else{
switch(ch){
case '\b':
if(kbd.x)
kbd.x--;
break;
case 0x15:
kbd.x = 0;
break;
case 0x04:
send = 1;
break;
case '\n':
send = 1;
default:
kbd.line[kbd.x++] = ch;
break;
}
}
if(send || kbd.x == sizeof kbd.line){
qwrite(lineq, kbd.line, kbd.x);
kbd.x = 0;
}
}
n = qread(lineq, va, n);
qunlock(&kbd.q);
poperror();
return n;
case Qscancode:
if(offset == 0)
return readstr(0, va, n, gkscanid);
return qread(gkscanq, va, n);
case Qkeyboard:
return qread(gkbdq, va, n);
case Qkprint:
rlock(&kprintq.l);
if(waserror()){
runlock(&kprintq.l);
nexterror();
}
n = qread(kprintq.q, va, n);
poperror();
runlock(&kprintq.l);
return n;
}
}
static long
consread(Chan *c, void *buf, long n, vlong offset)
{
int l;
Osenv *o;
int ch, eol, i;
char *p, tmp[128];
char *cbuf = buf;
if(n <= 0)
return n;
o = up->env;
switch((ulong)c->qid.path){
case Qdir:
return devdirread(c, buf, n, consdir, nelem(consdir), devgen);
case Qsysctl:
return readstr(offset, buf, n, VERSION);
case Qcons:
case Qkeyboard:
qlock(&kbd);
if(waserror()) {
qunlock(&kbd);
nexterror();
}
if(kbd.raw || kbd.kbdr) {
if(qcanread(lineq))
n = qread(lineq, buf, n);
else {
/* read as much as possible */
do {
i = qread(kbdq, cbuf, n);
cbuf += i;
n -= i;
} while(n>0 && qcanread(kbdq));
n = cbuf - (char*)buf;
}
} else {
while(!qcanread(lineq)) {
qread(kbdq, &kbd.line[kbd.x], 1);
ch = kbd.line[kbd.x];
eol = 0;
switch(ch){
case '\b':
if(kbd.x)
kbd.x--;
break;
case 0x15:
kbd.x = 0;
break;
case '\n':
case 0x04:
eol = 1;
default:
kbd.line[kbd.x++] = ch;
break;
}
if(kbd.x == sizeof(kbd.line) || eol) {
if(ch == 0x04)
kbd.x--;
qwrite(lineq, kbd.line, kbd.x);
kbd.x = 0;
}
}
n = qread(lineq, buf, n);
}
qunlock(&kbd);
poperror();
return n;
case Qscancode:
if(offset == 0)
return readstr(0, buf, n, kscanid);
else
return qread(kscanq, buf, n);
case Qtime:
snprint(tmp, sizeof(tmp), "%.lld", (vlong)mseconds()*1000);
return readstr(offset, buf, n, tmp);
case Qhostowner:
return readstr(offset, buf, n, eve);
case Quser:
return readstr(offset, buf, n, o->user);
case Qjit:
snprint(tmp, sizeof(tmp), "%d", cflag);
return readstr(offset, buf, n, tmp);
case Qnull:
return 0;
case Qmsec:
return readnum(offset, buf, n, TK2MS(MACHP(0)->ticks), NUMSIZE);
case Qsysname:
if(sysname == nil)
return 0;
return readstr(offset, buf, n, sysname);
case Qnotquiterandom:
genrandom(buf, n);
return n;
case Qrandom:
return randomread(buf, n);
case Qmemory:
return poolread(buf, n, offset);
case Qdrivers:
p = malloc(READSTR);
if(p == nil)
error(Enomem);
l = 0;
for(i = 0; devtab[i] != nil; i++)
l += snprint(p+l, READSTR-l, "#%C %s\n", devtab[i]->dc, devtab[i]->name);
if(waserror()){
free(p);
nexterror();
}
n = readstr(offset, buf, n, p);
free(p);
poperror();
return n;
case Qklog:
return qread(klogq, buf, n);
case Qkprint:
rlock(&kprintq);
if(waserror()){
runlock(&kprintq);
nexterror();
}
n = qread(kprintq.q, buf, n);
poperror();
runlock(&kprintq);
return n;
default:
print("consread %llud\n", c->qid.path);
error(Egreg);
}
return -1; /* never reached */
}
int
convert(char **db, int len)
{
int i, nu, keydblen, keydboff, keydbaes;
char *p = *db;
keydblen = KEYDBLEN;
keydboff = KEYDBOFF;
keydbaes = len > 24 && memcmp(p, "AES KEYS", 8) == 0;
if(keydbaes) {
keydblen += AESKEYLEN;
keydboff = 8+16; /* signature[8] + iv[16] */
}
len -= keydboff;
if(len % keydblen) {
fprint(2, "%s: file odd length; not converting %d bytes\n", argv0, len % keydblen);
len -= len % keydblen;
}
len += keydboff;
if(keydbaes) {
AESstate s;
/* make sure we have aes key for decryption */
if(memcmp(okey.aes, zeros, AESKEYLEN) == 0) {
fprint(2, "%s: no aes key in NVRAM\n", argv0);
exits("no aes key");
}
setupAESstate(&s, okey.aes, AESKEYLEN, zeros);
aesCBCdecrypt((uchar*)p+8, len-8, &s);
} else {
DESstate s;
uchar k[8];
des56to64((uchar*)okey.des, k);
setupDESstate(&s, k, zeros);
desCBCdecrypt((uchar*)p, len, &s);
}
nu = 0;
for(i = keydboff; i < len; i += keydblen) {
if (badname(&p[i])) {
fprint(2, "%s: bad name %.30s... - aborting\n", argv0, &p[i]);
exits("bad name");
}
nu++;
}
if(verb) {
for(i = keydboff; i < len; i += keydblen)
print("%s\n", &p[i]);
exits(nil);
}
if(convaes && !keydbaes) {
char *s, *d;
keydboff = 8+16;
keydblen += AESKEYLEN;
len = keydboff + keydblen*nu;
p = realloc(p, len);
if(p == nil)
error("out of memory");
*db = p;
s = p + KEYDBOFF + nu*KEYDBLEN;
d = p + keydboff + nu*keydblen;
for(i=0; i<nu; i++) {
s -= KEYDBLEN;
d -= keydblen;
memmove(d, s, KEYDBLEN);
memset(d + KEYDBLEN, 0, keydblen-KEYDBLEN);
}
keydbaes = 1;
}
genrandom((uchar*)p, keydboff);
if(keydbaes) {
AESstate s;
memmove(p, "AES KEYS", 8);
setupAESstate(&s, nkey.aes, AESKEYLEN, zeros);
aesCBCencrypt((uchar*)p+8, len-8, &s);
} else {
DESstate s;
uchar k[8];
des56to64((uchar*)nkey.des, k);
setupDESstate(&s, k, zeros);
desCBCencrypt((uchar*)p, len, &s);
}
return len;
}
static long
consread(Chan *c, void *va, long n, vlong offset)
{
int send;
char *p, buf[64], ch;
if(c->qid.type & QTDIR)
return devdirread(c, va, n, contab, nelem(contab), devgen);
switch((ulong)c->qid.path) {
default:
error(Egreg);
case Qsysctl:
return readstr(offset, va, n, VERSION);
case Qsysname:
if(ossysname == nil)
return 0;
return readstr(offset, va, n, ossysname);
case Qrandom:
return randomread(va, n);
case Qnotquiterandom:
genrandom(va, n);
return n;
case Qhostowner:
return readstr(offset, va, n, eve);
case Qhoststdin:
return read(0, va, n); /* should be pread */
case Quser:
return readstr(offset, va, n, up->env->user);
case Qjit:
snprint(buf, sizeof(buf), "%d", cflag);
return readstr(offset, va, n, buf);
case Qtime:
snprint(buf, sizeof(buf), "%.lld", timeoffset + osusectime());
return readstr(offset, va, n, buf);
case Qdrivers:
return devtabread(c, va, n, offset);
case Qmemory:
return poolread(va, n, offset);
case Qnull:
return 0;
case Qmsec:
return readnum(offset, va, n, osmillisec(), NUMSIZE);
case Qcons:
qlock(&kbd.q);
if(waserror()){
qunlock(&kbd.q);
nexterror();
}
if(dflag)
error(Enonexist);
/* register this proc's read interest in the channel */
/* this probably won't be done here. the read/readn requests
* are going to be different watcher callbacks
*/
/* the following waits for a signal from the keyboard handler */
uv_mutex_lock(&line_lock);
uv_cond_wait(&line_ready, &line_lock);
n = qread(lineq, va, n);
uv_mutex_unlock(&line_lock);
qunlock(&kbd.q);
poperror();
return n;
case Qscancode:
if(offset == 0)
return readstr(0, va, n, gkscanid);
return qread(gkscanq, va, n);
case Qkeyboard:
return qread(gkbdq, va, n);
case Qkprint:
rlock(&kprintq.l);
if(waserror()){
runlock(&kprintq.l);
nexterror();
}
n = qread(kprintq.q, va, n);
poperror();
runlock(&kprintq.l);
return n;
}
}
int
main(int argc, char **argv)
{
int encrypt = 0; /* 0=decrypt, 1=encrypt */
int n, nkey, pass_stdin = 0, pass_nvram = 0;
char *pass;
unsigned char key[AESmaxkey], key2[SHA1dlen];
unsigned char buf[BUF+SHA1dlen]; /* assumption: CHK <= SHA1dlen */
AESstate aes;
DigestState *dstate;
Nvrsafe nvr;
ARGBEGIN{
case 'e':
encrypt = 1;
break;
case 'i':
pass_stdin = 1;
break;
case 'n':
pass_nvram = 1;
break;
}ARGEND;
if(argc!=0){
fprint(2,"usage: %s -d < cipher.aes > clear.txt\n", argv0);
fprint(2," or: %s -e < clear.txt > cipher.aes\n", argv0);
exits("usage");
}
Binit(&bin, 0, OREAD);
Binit(&bout, 1, OWRITE);
if(pass_stdin){
n = readn(3, buf, (sizeof buf)-1);
if(n < 1)
exits("usage: echo password |[3=1] auth/aescbc -i ...");
buf[n] = 0;
while(buf[n-1] == '\n')
buf[--n] = 0;
}else if(pass_nvram){
if(readnvram(&nvr, 0) < 0)
exits("readnvram: %r");
strecpy((char*)buf, (char*)buf+sizeof buf, (char*)nvr.config);
n = strlen((char*)buf);
}else{
pass = getpassm("aescbc key:");
n = strlen(pass);
if(n >= BUF)
exits("key too long");
strcpy((char*)buf, pass);
memset(pass, 0, n);
free(pass);
}
if(n <= 0)
sysfatal("no key");
dstate = sha1((unsigned char*)"aescbc file", 11, nil, nil);
sha1(buf, n, key2, dstate);
memcpy(key, key2, 16);
nkey = 16;
md5(key, nkey, key2, 0); /* so even if HMAC_SHA1 is broken, encryption key is protected */
if(encrypt){
safewrite(v2hdr, AESbsize);
genrandom(buf,2*AESbsize); /* CBC is semantically secure if IV is unpredictable. */
setupAESstate(&aes, key, nkey, buf); /* use first AESbsize bytes as IV */
aesCBCencrypt(buf+AESbsize, AESbsize, &aes); /* use second AESbsize bytes as initial plaintext */
safewrite(buf, 2*AESbsize);
dstate = hmac_sha1(buf+AESbsize, AESbsize, key2, MD5dlen, 0, 0);
for(;;){
n = Bread(&bin, buf, BUF);
if(n < 0)
sysfatal("read error");
aesCBCencrypt(buf, n, &aes);
safewrite(buf, n);
dstate = hmac_sha1(buf, n, key2, MD5dlen, 0, dstate);
if(n < BUF)
break; /* EOF */
}
hmac_sha1(0, 0, key2, MD5dlen, buf, dstate);
safewrite(buf, SHA1dlen);
}else{ /* decrypt */
saferead(buf, AESbsize);
if(memcmp(buf, v2hdr, AESbsize) == 0){
saferead(buf, 2*AESbsize); /* read IV and random initial plaintext */
setupAESstate(&aes, key, nkey, buf);
dstate = hmac_sha1(buf+AESbsize, AESbsize, key2, MD5dlen, 0, 0);
aesCBCdecrypt(buf+AESbsize, AESbsize, &aes);
saferead(buf, SHA1dlen);
while((n = Bread(&bin, buf+SHA1dlen, BUF)) > 0){
dstate = hmac_sha1(buf, n, key2, MD5dlen, 0, dstate);
aesCBCdecrypt(buf, n, &aes);
safewrite(buf, n);
memmove(buf, buf+n, SHA1dlen); /* these bytes are not yet decrypted */
}
hmac_sha1(0, 0, key2, MD5dlen, buf+SHA1dlen, dstate);
if(memcmp(buf, buf+SHA1dlen, SHA1dlen) != 0)
sysfatal("decrypted file failed to authenticate");
}else{ /* compatibility with past mistake */
// if file was encrypted with bad aescbc use this:
// memset(key, 0, AESmaxkey);
// else assume we're decrypting secstore files
setupAESstate(&aes, key, AESbsize, buf);
saferead(buf, CHK);
aesCBCdecrypt(buf, CHK, &aes);
while((n = Bread(&bin, buf+CHK, BUF)) > 0){
aesCBCdecrypt(buf+CHK, n, &aes);
safewrite(buf, n);
memmove(buf, buf+n, CHK);
}
if(memcmp(buf, "XXXXXXXXXXXXXXXX", CHK) != 0)
sysfatal("decrypted file failed to authenticate");
}
}
exits("");
return 1; /* keep other compilers happy */
}
static int
ntv2_blob(uchar *blob, int len, char *windom)
{
int n;
uvlong nttime;
Rune r;
char *d;
uchar *p;
enum { /* name types */
Beof, /* end of name list */
Bnetbios, /* Netbios machine name */
Bdomain, /* Windows Domain name (NT) */
Bdnsfqdn, /* DNS Fully Qualified Domain Name */
Bdnsname, /* DNS machine name (win2k) */
};
p = blob;
*p++ = 1; /* response type */
*p++ = 1; /* max response type understood by client */
*p++ = 0;
*p++ = 0; /* 2 bytes reserved */
*p++ = 0;
*p++ = 0;
*p++ = 0;
*p++ = 0; /* 4 bytes unknown */
nttime = time(nil); /* nt time now */
nttime += 11644473600LL;
nttime *= 10000000LL;
*p++ = nttime;
*p++ = nttime >> 8;
*p++ = nttime >> 16;
*p++ = nttime >> 24;
*p++ = nttime >> 32;
*p++ = nttime >> 40;
*p++ = nttime >> 48;
*p++ = nttime >> 56;
genrandom(p, 8);
p += 8; /* client nonce */
*p++ = 0x6f;
*p++ = 0;
*p++ = 0x6e;
*p++ = 0; /* unknown data */
*p++ = Bdomain;
*p++ = 0; /* name type */
n = utflen(windom) * 2;
*p++ = n;
*p++ = n >> 8; /* name length */
d = windom;
while(*d && p-blob < (len-8)){
d += chartorune(&r, d);
r = toupperrune(r);
*p++ = r;
*p++ = r >> 8;
}
*p++ = 0;
*p++ = Beof; /* name type */
*p++ = 0;
*p++ = 0; /* name length */
*p++ = 0x65;
*p++ = 0;
*p++ = 0;
*p++ = 0; /* unknown data */
return p - blob;
}
static Auth *
auth_ntlmv2(char *windom, char *keyp, uchar *chal, int len)
{
int i, n;
Rune r;
char *p, *u;
uchar v1hash[MD5dlen], blip[Bliplen], blob[1024], v2hash[MD5dlen];
uchar c, lm_hmac[MD5dlen], nt_hmac[MD5dlen], nt_sesskey[MD5dlen],
lm_sesskey[MD5dlen];
DigestState *ds;
UserPasswd *up;
static Auth *ap;
up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass service=cifs-ntlmv2 %s",
windom, keyp);
if(!up)
sysfatal("cannot get key - %r");
ap = emalloc9p(sizeof(Auth));
memset(ap, 0, sizeof(ap));
/* Standard says unlimited length, experience says 128 max */
if((n = strlen(up->passwd)) > 128)
n = 128;
ds = md4(nil, 0, nil, nil);
for(i=0, p=up->passwd; i < n; i++) {
p += chartorune(&r, p);
c = r;
md4(&c, 1, nil, ds);
c = r >> 8;
md4(&c, 1, nil, ds);
}
md4(nil, 0, v1hash, ds);
/*
* Some documentation insists that the username must be forced to
* uppercase, but the domain name should not be. Other shows both
* being forced to uppercase. I am pretty sure this is irrevevant as the
* domain name passed from the remote server always seems to be in
* uppercase already.
*/
ds = hmac_t64(nil, 0, v1hash, MD5dlen, nil, nil);
u = up->user;
while(*u){
u += chartorune(&r, u);
r = toupperrune(r);
c = r;
hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
c = r >> 8;
hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
}
u = windom;
while(*u){
u += chartorune(&r, u);
c = r;
hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
c = r >> 8;
hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
}
hmac_t64(nil, 0, v1hash, MD5dlen, v2hash, ds);
ap->user = estrdup9p(up->user);
ap->windom = estrdup9p(windom);
/* LM v2 */
genrandom(blip, Bliplen);
ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil);
hmac_t64(blip, Bliplen, v2hash, MD5dlen, lm_hmac, ds);
ap->len[0] = MD5dlen+Bliplen;
ap->resp[0] = emalloc9p(ap->len[0]);
memcpy(ap->resp[0], lm_hmac, MD5dlen);
memcpy(ap->resp[0]+MD5dlen, blip, Bliplen);
/* LM v2 session key */
hmac_t64(lm_hmac, MD5dlen, v2hash, MD5dlen, lm_sesskey, nil);
/* LM v2 MAC key */
ap->mackey[0] = emalloc9p(MACkeylen);
memcpy(ap->mackey[0], lm_sesskey, MD5dlen);
memcpy(ap->mackey[0]+MD5dlen, ap->resp[0], MACkeylen-MD5dlen);
/* NTLM v2 */
n = ntv2_blob(blob, sizeof(blob), windom);
ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil);
hmac_t64(blob, n, v2hash, MD5dlen, nt_hmac, ds);
ap->len[1] = MD5dlen+n;
ap->resp[1] = emalloc9p(ap->len[1]);
memcpy(ap->resp[1], nt_hmac, MD5dlen);
memcpy(ap->resp[1]+MD5dlen, blob, n);
/*
* v2hash definitely OK by
* the time we get here.
*/
/* NTLM v2 session key */
hmac_t64(nt_hmac, MD5dlen, v2hash, MD5dlen, nt_sesskey, nil);
/* NTLM v2 MAC key */
ap->mackey[1] = emalloc9p(MACkeylen);
memcpy(ap->mackey[1], nt_sesskey, MD5dlen);
memcpy(ap->mackey[1]+MD5dlen, ap->resp[1], MACkeylen-MD5dlen);
free(up);
return ap;
}
/* encrypt the writepayload, putting into writebuf, ready for write_packet()
* to put on the wire */
void encrypt_packet() {
unsigned char padlen;
unsigned char blocksize, macsize;
buffer * writebuf; /* the packet which will go on the wire */
buffer * clearwritebuf; /* unencrypted, possibly compressed */
TRACE(("enter encrypt_packet()"));
TRACE(("encrypt_packet type is %d", ses.writepayload->data[0]));
blocksize = ses.keys->trans_algo_crypt->blocksize;
macsize = ses.keys->trans_algo_mac->hashsize;
/* Encrypted packet len is payload+5, then worst case is if we are 3 away
* from a blocksize multiple. In which case we need to pad to the
* multiple, then add another blocksize (or MIN_PACKET_LEN) */
clearwritebuf = buf_new((ses.writepayload->len+4+1) + MIN_PACKET_LEN + 3
#ifndef DISABLE_ZLIB
+ ZLIB_COMPRESS_INCR /* bit of a kludge, but we can't know len*/
#endif
);
buf_setlen(clearwritebuf, PACKET_PAYLOAD_OFF);
buf_setpos(clearwritebuf, PACKET_PAYLOAD_OFF);
buf_setpos(ses.writepayload, 0);
#ifndef DISABLE_ZLIB
/* compression */
if (ses.keys->trans_algo_comp == DROPBEAR_COMP_ZLIB) {
buf_compress(clearwritebuf, ses.writepayload, ses.writepayload->len);
} else
#endif
{
memcpy(buf_getwriteptr(clearwritebuf, ses.writepayload->len),
buf_getptr(ses.writepayload, ses.writepayload->len),
ses.writepayload->len);
buf_incrwritepos(clearwritebuf, ses.writepayload->len);
}
/* finished with payload */
buf_setpos(ses.writepayload, 0);
buf_setlen(ses.writepayload, 0);
/* length of padding - packet length must be a multiple of blocksize,
* with a minimum of 4 bytes of padding */
padlen = blocksize - (clearwritebuf->len) % blocksize;
if (padlen < 4) {
padlen += blocksize;
}
/* check for min packet length */
if (clearwritebuf->len + padlen < MIN_PACKET_LEN) {
padlen += blocksize;
}
buf_setpos(clearwritebuf, 0);
/* packet length excluding the packetlength uint32 */
buf_putint(clearwritebuf, clearwritebuf->len + padlen - 4);
/* padding len */
buf_putbyte(clearwritebuf, padlen);
/* actual padding */
buf_setpos(clearwritebuf, clearwritebuf->len);
buf_incrlen(clearwritebuf, padlen);
genrandom(buf_getptr(clearwritebuf, padlen), padlen);
/* do the actual encryption */
buf_setpos(clearwritebuf, 0);
/* create a new writebuffer, this is freed when it has been put on the
* wire by writepacket() */
writebuf = buf_new(clearwritebuf->len + macsize);
if (ses.keys->trans_algo_crypt->cipherdesc == NULL) {
/* copy it */
memcpy(buf_getwriteptr(writebuf, clearwritebuf->len),
buf_getptr(clearwritebuf, clearwritebuf->len),
clearwritebuf->len);
buf_incrwritepos(writebuf, clearwritebuf->len);
} else {
/* encrypt it */
while (clearwritebuf->pos < clearwritebuf->len) {
if (cbc_encrypt(buf_getptr(clearwritebuf, blocksize),
buf_getwriteptr(writebuf, blocksize),
&ses.keys->trans_symmetric_struct) != CRYPT_OK) {
dropbear_exit("error encrypting");
}
buf_incrpos(clearwritebuf, blocksize);
buf_incrwritepos(writebuf, blocksize);
}
}
/* now add a hmac and we're done */
writemac(writebuf, clearwritebuf);
/* clearwritebuf is finished with */
buf_free(clearwritebuf);
/* enqueue the packet for sending */
buf_setpos(writebuf, 0);
enqueue(&ses.writequeue, (void*)writebuf);
/* Update counts */
ses.kexstate.datatrans += writebuf->len;
ses.transseq++;
TRACE(("leave encrypt_packet()"));
}
static long
consread(Chan *c, void *va, long n, vlong offset)
{
int send;
char *p, buf[64], ch;
FILE * battery;
FILE * brightness;
int size;
if(c->qid.type & QTDIR)
return devdirread(c, va, n, contab, nelem(contab), devgen);
switch((ulong)c->qid.path) {
default:
error(Egreg);
case Qsysctl:
return readstr(offset, va, n, VERSION);
case Qsysname:
if(ossysname == nil)
return 0;
return readstr(offset, va, n, ossysname);
case Qrandom:
return randomread(va, n);
case Qnotquiterandom:
genrandom(va, n);
return n;
case Qhostowner:
return readstr(offset, va, n, eve);
case Qhoststdin:
return read(0, va, n); /* should be pread */
case Quser:
return readstr(offset, va, n, up->env->user);
case Qjit:
snprint(buf, sizeof(buf), "%d", cflag);
return readstr(offset, va, n, buf);
case Qtime:
snprint(buf, sizeof(buf), "%.lld", timeoffset + osusectime());
return readstr(offset, va, n, buf);
case Qdrivers:
return devtabread(c, va, n, offset);
case Qmemory:
return poolread(va, n, offset);
case Qnull:
return 0;
case Qmsec:
return readnum(offset, va, n, osmillisec(), NUMSIZE);
case Qcons:
qlock(&kbd.q);
if(waserror()){
qunlock(&kbd.q);
nexterror();
}
if(dflag)
error(Enonexist);
while(!qcanread(lineq)) {
if(qread(kbdq, &ch, 1) == 0)
continue;
send = 0;
if(ch == 0){
/* flush output on rawoff -> rawon */
if(kbd.x > 0)
send = !qcanread(kbdq);
}else if(kbd.raw){
kbd.line[kbd.x++] = ch;
send = !qcanread(kbdq);
}else{
switch(ch){
case '\b':
if(kbd.x)
kbd.x--;
break;
case 0x15:
kbd.x = 0;
break;
case 0x04:
send = 1;
break;
case '\n':
send = 1;
default:
kbd.line[kbd.x++] = ch;
break;
}
}
if(send || kbd.x == sizeof kbd.line){
qwrite(lineq, kbd.line, kbd.x);
kbd.x = 0;
}
}
n = qread(lineq, va, n);
qunlock(&kbd.q);
poperror();
return n;
case Qscancode:
if(offset == 0)
return readstr(0, va, n, gkscanid);
return qread(gkscanq, va, n);
case Qkeyboard:
return qread(gkbdq, va, n);
case Qevents:
return qread(c->aux, va, n);
case Qkprint:
rlock(&kprintq.l);
if(waserror()){
runlock(&kprintq.l);
nexterror();
}
n = qread(kprintq.q, va, n);
poperror();
runlock(&kprintq.l);
return n;
case Qbattery:
if(type == 's')
battery = fopen("/sys/class/power_supply/battery/capacity", "r");
else if(type == 'c')
battery = fopen("/sys/class/power_supply/max17042-0/capacity", "r");
else
battery = fopen("/sys/class/power_supply/battery/capacity", "r");
size = fread(buf, 1, sizeof(buf), battery);
fclose(battery);
buf[size - 1] = '\0';
return readstr(offset, va, n, buf);
case Qtype:
if(type == 's')
strncpy(buf, "nexus s", sizeof(buf));
else if(type == 'c')
strncpy(buf, "nook color", sizeof(buf));
else if(type == 'e')
strncpy(buf, "emulator", sizeof(buf));
else
strncpy(buf, "nexus s", sizeof(buf));
return readstr(offset, va, n, buf);
case Qbrightness:
if(type == 'c')
brightness = fopen("/sys/devices/platform/omap_pwm_led/leds/lcd-backlight/brightness", "r");
else if(type == 'e')
return;
else
brightness = fopen("/sys/class/backlight/s5p_bl/brightness", "r");
size = fread(buf, 1, sizeof(buf), brightness);
fclose(brightness);
buf[size - 1] = '\0';
return readstr(offset, va, n, buf);
}
}