Mercurial > dropbear
view libtomcrypt/demos/openssl-enc.c @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
| author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
|---|---|
| date | Wed, 15 Feb 2017 13:53:04 +0100 |
| parents | 6dba84798cd5 |
| children |
line wrap: on
line source
/* LibTomCrypt, modular cryptographic library -- Tom St Denis * * LibTomCrypt is a library that provides various cryptographic * algorithms in a highly modular and flexible manner. * * The library is free for all purposes without any express * guarantee it works. */ /* * Demo to do the rough equivalent of: * * openssl enc -aes-256-cbc -pass pass:foobar -in infile -out outfile -p * * Compilation: * * $(CC) -I /path/to/headers -L .../libs \ * -o openssl-enc \ * openssl-enc.c -ltomcrypt * * Usage: * * ./openssl-enc <enc|dec> infile outfile "passphrase" [salt] * * If provided, the salt must be EXACTLY a 16-char hex string. * * Demo is an example of: * * - (When decrypting) yanking salt out of the OpenSSL "Salted__..." header * - OpenSSL-compatible key derivation (in OpenSSL's modified PKCS#5v1 approach) * - Grabbing an Initialization Vector from the key generator * - Performing simple block encryption using AES * - PKCS#7-type padding (which hopefully can get ripped out of this demo and * made a libtomcrypt thing someday). * * This program is free for all purposes without any express guarantee it * works. If you really want to see a license here, assume the WTFPL :-) * * BJ Black, [email protected], https://wjblack.com * * BUGS: * Passing a password on a command line is a HORRIBLE idea. Don't use * this program for serious work! */ #include <tomcrypt.h> #ifndef LTC_RIJNDAEL #error Cannot compile this demo; Rijndael (AES) required #endif #ifndef LTC_CBC_MODE #error Cannot compile this demo; CBC mode required #endif #ifndef LTC_PKCS_5 #error Cannot compile this demo; PKCS5 required #endif #ifndef LTC_RNG_GET_BYTES #error Cannot compile this demo; random generator required #endif #ifndef LTC_MD5 #error Cannot compile this demo; MD5 required #endif /* OpenSSL by default only runs one hash round */ #define OPENSSL_ITERATIONS 1 /* Use aes-256-cbc, so 256 bits of key, 128 of IV */ #define KEY_LENGTH (256>>3) #define IV_LENGTH (128>>3) /* PKCS#5v1 requires exactly an 8-byte salt */ #define SALT_LENGTH 8 /* The header OpenSSL puts on an encrypted file */ static char salt_header[] = { 'S', 'a', 'l', 't', 'e', 'd', '_', '_' }; #include <errno.h> #include <stdio.h> #include <string.h> /* A simple way to handle the possibility that a block may increase in size after padding. */ union paddable { unsigned char unpad[1024]; unsigned char pad[1024+MAXBLOCKSIZE]; }; /* * Print usage and exit with a bad status (and perror() if any errno). * * Input: argv[0] and the error string * Output: <no return> * Side Effects: print messages and barf (does exit(3)) */ void barf(const char *pname, const char *err) { printf("Usage: %s <enc|dec> infile outfile passphrase [salt]\n", pname); printf("\n"); printf(" # encrypts infile->outfile, random salt\n"); printf(" %s enc infile outfile \"passphrase\"\n", pname); printf("\n"); printf(" # encrypts infile->outfile, salt from cmdline\n"); printf(" %s enc infile outfile pass 0123456789abcdef\n", pname); printf("\n"); printf(" # decrypts infile->outfile, pulls salt from infile\n"); printf(" %s dec infile outfile pass\n", pname); printf("\n"); printf(" # decrypts infile->outfile, salt specified\n"); printf(" # (don't try to read the salt from infile)\n"); printf(" %s dec infile outfile pass 0123456789abcdef" "\n", pname); printf("\n"); printf("Application Error: %s\n", err); if(errno) perror(" System Error"); exit(-1); } /* * Parse a salt value passed in on the cmdline. * * Input: string passed in and a buf to put it in (exactly 8 bytes!) * Output: CRYPT_OK if parsed OK, CRYPT_ERROR if not * Side Effects: none */ int parse_hex_salt(unsigned char *in, unsigned char *out) { int idx; for(idx=0; idx<SALT_LENGTH; idx++) if(sscanf((char*)in+idx*2, "%02hhx", out+idx) != 1) return CRYPT_ERROR; return CRYPT_OK; } /* * Parse the Salted__[+8 bytes] from an OpenSSL-compatible file header. * * Input: file to read from and a to put the salt in (exactly 8 bytes!) * Output: CRYPT_OK if parsed OK, CRYPT_ERROR if not * Side Effects: infile's read pointer += 16 */ int parse_openssl_header(FILE *in, unsigned char *out) { unsigned char tmp[SALT_LENGTH]; if(fread(tmp, 1, sizeof(tmp), in) != sizeof(tmp)) return CRYPT_ERROR; if(memcmp(tmp, salt_header, sizeof(tmp))) return CRYPT_ERROR; if(fread(tmp, 1, sizeof(tmp), in) != sizeof(tmp)) return CRYPT_ERROR; memcpy(out, tmp, sizeof(tmp)); return CRYPT_OK; } /* * Dump a hexed stream of bytes (convenience func). * * Input: buf to read from, length * Output: none * Side Effects: bytes printed as a hex blob, no lf at the end */ void dump_bytes(unsigned char *in, unsigned long len) { unsigned long idx; for(idx=0; idx<len; idx++) printf("%02hhX", *(in+idx)); } /* * Pad or unpad a message using PKCS#7 padding. * Padding will add 1-(blocksize) bytes and unpadding will remove that amount. * Set is_padding to 1 to pad, 0 to unpad. * * Input: paddable buffer, size read, block length of cipher, mode * Output: number of bytes after padding resp. after unpadding * Side Effects: none */ size_t pkcs7_pad(union paddable *buf, size_t nb, int block_length, int is_padding) { unsigned char padval; off_t idx; if(is_padding) { /* We are PADDING this block (and therefore adding bytes) */ /* The pad value in PKCS#7 is the number of bytes remaining in the block, so for a 16-byte block and 3 bytes left, it's 0x030303. In the oddball case where nb is an exact multiple multiple of block_length, set the padval to blocksize (i.e. add one full block) */ padval = (unsigned char) (block_length - (nb % block_length)); padval = padval ? padval : block_length; memset(buf->pad+nb, padval, padval); return nb+padval; } else { /* We are UNPADDING this block (and removing bytes) We really just need to verify that the pad bytes are correct, so start at the end of the string and work backwards. */ /* Figure out what the padlength should be by looking at the last byte */ idx = nb-1; padval = buf->pad[idx]; /* padval must be nonzero and <= block length */ if(padval <= 0 || padval > block_length) return 0; /* First byte's accounted for; do the rest */ idx--; while(idx >= (off_t)(nb-padval)) if(buf->pad[idx] != padval) return 0; else idx--; /* If we got here, the pad checked out, so return a smaller number of bytes than nb (basically where we left off+1) */ return idx+1; } } /* * Perform an encrypt/decrypt operation to/from files using AES+CBC+PKCS7 pad. * Set encrypt to 1 to encrypt, 0 to decrypt. * * Input: in/out files, key, iv, and mode * Output: CRYPT_OK if no error * Side Effects: bytes slurped from infile, pushed to outfile, fds updated. */ int do_crypt(FILE *infd, FILE *outfd, unsigned char *key, unsigned char *iv, int encrypt) { union paddable inbuf, outbuf; int cipher, ret; symmetric_CBC cbc; size_t nb; /* Register your cipher! */ cipher = register_cipher(&aes_desc); if(cipher == -1) return CRYPT_INVALID_CIPHER; /* Start a CBC session with cipher/key/val params */ ret = cbc_start(cipher, iv, key, KEY_LENGTH, 0, &cbc); if( ret != CRYPT_OK ) return -1; do { /* Get bytes from the source */ nb = fread(inbuf.unpad, 1, sizeof(inbuf.unpad), infd); if(!nb) return encrypt ? CRYPT_OK : CRYPT_ERROR; /* Barf if we got a read error */ if(ferror(infd)) return CRYPT_ERROR; if(encrypt) { /* We're encrypting, so pad first (if at EOF) and then crypt */ if(feof(infd)) nb = pkcs7_pad(&inbuf, nb, aes_desc.block_length, 1); ret = cbc_encrypt(inbuf.pad, outbuf.pad, nb, &cbc); if(ret != CRYPT_OK) return ret; } else { /* We're decrypting, so decrypt and then unpad if at EOF */ ret = cbc_decrypt(inbuf.unpad, outbuf.unpad, nb, &cbc); if( ret != CRYPT_OK ) return ret; if( feof(infd) ) nb = pkcs7_pad(&outbuf, nb, aes_desc.block_length, 0); if(nb == 0) /* The file didn't decrypt correctly */ return CRYPT_ERROR; } /* Push bytes to outfile */ if(fwrite(outbuf.unpad, 1, nb, outfd) != nb) return CRYPT_ERROR; } while(!feof(infd)); /* Close up */ cbc_done(&cbc); return CRYPT_OK; } /* Convenience macro for the various barfable places below */ #define BARF(a) { \ if(infd) fclose(infd); \ if(outfd) { fclose(outfd); remove(argv[3]); } \ barf(argv[0], a); \ } /* * The main routine. Mostly validate cmdline params, open files, run the KDF, * and do the crypt. */ int main(int argc, char *argv[]) { unsigned char salt[SALT_LENGTH]; FILE *infd = NULL, *outfd = NULL; int encrypt = -1; int hash = -1; int ret; unsigned char keyiv[KEY_LENGTH + IV_LENGTH]; unsigned long keyivlen = (KEY_LENGTH + IV_LENGTH); unsigned char *key, *iv; /* Check proper number of cmdline args */ if(argc < 5 || argc > 6) BARF("Invalid number of arguments"); /* Check proper mode of operation */ if (!strncmp(argv[1], "enc", 3)) encrypt = 1; else if(!strncmp(argv[1], "dec", 3)) encrypt = 0; else BARF("Bad command name"); /* Check we can open infile/outfile */ infd = fopen(argv[2], "rb"); if(infd == NULL) BARF("Could not open infile"); outfd = fopen(argv[3], "wb"); if(outfd == NULL) BARF("Could not open outfile"); /* Get the salt from wherever */ if(argc == 6) { /* User-provided */ if(parse_hex_salt((unsigned char*) argv[5], salt) != CRYPT_OK) BARF("Bad user-specified salt"); } else if(!strncmp(argv[1], "enc", 3)) { /* Encrypting; get from RNG */ if(rng_get_bytes(salt, sizeof(salt), NULL) != sizeof(salt)) BARF("Not enough random data"); } else { /* Parse from infile (decrypt only) */ if(parse_openssl_header(infd, salt) != CRYPT_OK) BARF("Invalid OpenSSL header in infile"); } /* Fetch the MD5 hasher for PKCS#5 */ hash = register_hash(&md5_desc); if(hash == -1) BARF("Could not register MD5 hash"); /* Set things to a sane initial state */ zeromem(keyiv, sizeof(keyiv)); key = keyiv + 0; /* key comes first */ iv = keyiv + KEY_LENGTH; /* iv comes next */ /* Run the key derivation from the provided passphrase. This gets us the key and iv. */ ret = pkcs_5_alg1_openssl((unsigned char*)argv[4], strlen(argv[4]), salt, OPENSSL_ITERATIONS, hash, keyiv, &keyivlen ); if(ret != CRYPT_OK) BARF("Could not derive key/iv from passphrase"); /* Display the salt/key/iv like OpenSSL cmdline does when -p */ printf("salt="); dump_bytes(salt, sizeof(salt)); printf("\n"); printf("key="); dump_bytes(key, KEY_LENGTH); printf("\n"); printf("iv ="); dump_bytes(iv, IV_LENGTH ); printf("\n"); /* If we're encrypting, write the salt header as OpenSSL does */ if(!strncmp(argv[1], "enc", 3)) { if(fwrite(salt_header, 1, sizeof(salt_header), outfd) != sizeof(salt_header) ) BARF("Error writing salt header to outfile"); if(fwrite(salt, 1, sizeof(salt), outfd) != sizeof(salt)) BARF("Error writing salt to outfile"); } /* At this point, the files are open, the salt has been figured out, and we're ready to pump data through crypt. */ /* Do the crypt operation */ if(do_crypt(infd, outfd, key, iv, encrypt) != CRYPT_OK) BARF("Error during crypt operation"); /* Clean up */ fclose(infd); fclose(outfd); return 0; } /* ref: $Format:%D$ */ /* git commit: $Format:%H$ */ /* commit time: $Format:%ai$ */