1
0

Cryptography.cpp 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852
  1. //---------------------------------------------------------------------------
  2. #include <vcl.h>
  3. #pragma hdrstop
  4. #include "Common.h"
  5. #include "PuttyIntf.h"
  6. #include "Cryptography.h"
  7. #include "FileBuffer.h"
  8. #include "TextsCore.h"
  9. #include <openssl\rand.h>
  10. #include <process.h>
  11. #include <Soap.EncdDecd.hpp>
  12. #include <System.StrUtils.hpp>
  13. /*
  14. ---------------------------------------------------------------------------
  15. Copyright (c) 2002, Dr Brian Gladman <[email protected]>, Worcester, UK.
  16. All rights reserved.
  17. LICENSE TERMS
  18. The free distribution and use of this software in both source and binary
  19. form is allowed (with or without changes) provided that:
  20. 1. distributions of this source code include the above copyright
  21. notice, this list of conditions and the following disclaimer;
  22. 2. distributions in binary form include the above copyright
  23. notice, this list of conditions and the following disclaimer
  24. in the documentation and/or other associated materials;
  25. 3. the copyright holder's name is not used to endorse products
  26. built using this software without specific written permission.
  27. ALTERNATIVELY, provided that this notice is retained in full, this product
  28. may be distributed under the terms of the GNU General Public License (GPL),
  29. in which case the provisions of the GPL apply INSTEAD OF those given above.
  30. DISCLAIMER
  31. This software is provided 'as is' with no explicit or implied warranties
  32. in respect of its properties, including, but not limited to, correctness
  33. and/or fitness for purpose.
  34. -------------------------------------------------------------------------
  35. This file implements password based file encryption and authentication
  36. using AES in CTR mode, HMAC-SHA1 authentication and RFC2898 password
  37. based key derivation.
  38. This is an implementation of HMAC, the FIPS standard keyed hash function
  39. */
  40. #include <memory.h>
  41. #define sha1_ctx SHA_State
  42. #define sha1_begin(ctx) putty_SHA_Init(ctx)
  43. #define sha1_hash(buf, len, ctx) SHA_Bytes(ctx, buf, len)
  44. #define sha1_end(dig, ctx) putty_SHA_Final(ctx, dig)
  45. #define IN_BLOCK_LENGTH 64
  46. #define OUT_BLOCK_LENGTH 20
  47. #define HMAC_IN_DATA 0xffffffff
  48. typedef struct
  49. { unsigned char key[IN_BLOCK_LENGTH];
  50. sha1_ctx ctx[1];
  51. unsigned int klen;
  52. } hmac_ctx;
  53. /* initialise the HMAC context to zero */
  54. static void hmac_sha1_begin(hmac_ctx cx[1])
  55. {
  56. memset(cx, 0, sizeof(hmac_ctx));
  57. }
  58. /* input the HMAC key (can be called multiple times) */
  59. static void hmac_sha1_key(const unsigned char key[], unsigned long key_len, hmac_ctx cx[1])
  60. {
  61. if(cx->klen + key_len > IN_BLOCK_LENGTH) /* if the key has to be hashed */
  62. {
  63. if(cx->klen <= IN_BLOCK_LENGTH) /* if the hash has not yet been */
  64. { /* started, initialise it and */
  65. sha1_begin(cx->ctx); /* hash stored key characters */
  66. sha1_hash(cx->key, cx->klen, cx->ctx);
  67. }
  68. sha1_hash(const_cast<unsigned char *>(key), key_len, cx->ctx); /* hash long key data into hash */
  69. }
  70. else /* otherwise store key data */
  71. memcpy(cx->key + cx->klen, key, key_len);
  72. cx->klen += key_len; /* update the key length count */
  73. }
  74. /* input the HMAC data (can be called multiple times) - */
  75. /* note that this call terminates the key input phase */
  76. static void hmac_sha1_data(const unsigned char data[], unsigned long data_len, hmac_ctx cx[1])
  77. { unsigned int i;
  78. if(cx->klen != HMAC_IN_DATA) /* if not yet in data phase */
  79. {
  80. if(cx->klen > IN_BLOCK_LENGTH) /* if key is being hashed */
  81. { /* complete the hash and */
  82. sha1_end(cx->key, cx->ctx); /* store the result as the */
  83. cx->klen = OUT_BLOCK_LENGTH; /* key and set new length */
  84. }
  85. /* pad the key if necessary */
  86. memset(cx->key + cx->klen, 0, IN_BLOCK_LENGTH - cx->klen);
  87. /* xor ipad into key value */
  88. for(i = 0; i < (IN_BLOCK_LENGTH >> 2); ++i)
  89. ((unsigned long*)cx->key)[i] ^= 0x36363636;
  90. /* and start hash operation */
  91. sha1_begin(cx->ctx);
  92. sha1_hash(cx->key, IN_BLOCK_LENGTH, cx->ctx);
  93. /* mark as now in data mode */
  94. cx->klen = HMAC_IN_DATA;
  95. }
  96. /* hash the data (if any) */
  97. if(data_len)
  98. sha1_hash(const_cast<unsigned char *>(data), data_len, cx->ctx);
  99. }
  100. /* compute and output the MAC value */
  101. static void hmac_sha1_end(unsigned char mac[], unsigned long mac_len, hmac_ctx cx[1])
  102. { unsigned char dig[OUT_BLOCK_LENGTH];
  103. unsigned int i;
  104. /* if no data has been entered perform a null data phase */
  105. if(cx->klen != HMAC_IN_DATA)
  106. hmac_sha1_data((const unsigned char*)0, 0, cx);
  107. sha1_end(dig, cx->ctx); /* complete the inner hash */
  108. /* set outer key value using opad and removing ipad */
  109. for(i = 0; i < (IN_BLOCK_LENGTH >> 2); ++i)
  110. ((unsigned long*)cx->key)[i] ^= 0x36363636 ^ 0x5c5c5c5c;
  111. /* perform the outer hash operation */
  112. sha1_begin(cx->ctx);
  113. sha1_hash(cx->key, IN_BLOCK_LENGTH, cx->ctx);
  114. sha1_hash(dig, OUT_BLOCK_LENGTH, cx->ctx);
  115. sha1_end(dig, cx->ctx);
  116. /* output the hash value */
  117. for(i = 0; i < mac_len; ++i)
  118. mac[i] = dig[i];
  119. }
  120. #define BLOCK_SIZE 16
  121. void aes_set_encrypt_key(const unsigned char in_key[], unsigned int klen, void * cx)
  122. {
  123. call_aes_setup(cx, BLOCK_SIZE, const_cast<unsigned char *>(in_key), klen);
  124. }
  125. void aes_encrypt_block(const unsigned char in_blk[], unsigned char out_blk[], void * cx)
  126. {
  127. int Index;
  128. memmove(out_blk, in_blk, BLOCK_SIZE);
  129. for (Index = 0; Index < 4; Index++)
  130. {
  131. unsigned char t;
  132. t = out_blk[Index * 4 + 0];
  133. out_blk[Index * 4 + 0] = out_blk[Index * 4 + 3];
  134. out_blk[Index * 4 + 3] = t;
  135. t = out_blk[Index * 4 + 1];
  136. out_blk[Index * 4 + 1] = out_blk[Index * 4 + 2];
  137. out_blk[Index * 4 + 2] = t;
  138. }
  139. call_aes_encrypt(cx, reinterpret_cast<unsigned int*>(out_blk));
  140. for (Index = 0; Index < 4; Index++)
  141. {
  142. unsigned char t;
  143. t = out_blk[Index * 4 + 0];
  144. out_blk[Index * 4 + 0] = out_blk[Index * 4 + 3];
  145. out_blk[Index * 4 + 3] = t;
  146. t = out_blk[Index * 4 + 1];
  147. out_blk[Index * 4 + 1] = out_blk[Index * 4 + 2];
  148. out_blk[Index * 4 + 2] = t;
  149. }
  150. }
  151. typedef struct
  152. { unsigned char nonce[BLOCK_SIZE]; /* the CTR nonce */
  153. unsigned char encr_bfr[BLOCK_SIZE]; /* encrypt buffer */
  154. void * encr_ctx; /* encryption context */
  155. hmac_ctx auth_ctx; /* authentication context */
  156. unsigned int encr_pos; /* block position (enc) */
  157. unsigned int pwd_len; /* password length */
  158. unsigned int mode; /* File encryption mode */
  159. } fcrypt_ctx;
  160. #define MAX_KEY_LENGTH 32
  161. #define KEYING_ITERATIONS 1000
  162. #define PWD_VER_LENGTH 2
  163. /*
  164. Field lengths (in bytes) versus File Encryption Mode (0 < mode < 4)
  165. Mode Key Salt MAC Overhead
  166. 1 16 8 10 18
  167. 2 24 12 10 22
  168. 3 32 16 10 26
  169. The following macros assume that the mode value is correct.
  170. */
  171. #define KEY_LENGTH(mode) (8 * (mode & 3) + 8)
  172. #define SALT_LENGTH(mode) (4 * (mode & 3) + 4)
  173. #define MAC_LENGTH(mode) (10)
  174. /* subroutine for data encryption/decryption */
  175. /* this could be speeded up a lot by aligning */
  176. /* buffers and using 32 bit operations */
  177. static void derive_key(const unsigned char pwd[], /* the PASSWORD */
  178. unsigned int pwd_len, /* and its length */
  179. const unsigned char salt[], /* the SALT and its */
  180. unsigned int salt_len, /* length */
  181. unsigned int iter, /* the number of iterations */
  182. unsigned char key[], /* space for the output key */
  183. unsigned int key_len)/* and its required length */
  184. {
  185. unsigned int i, j, k, n_blk;
  186. unsigned char uu[OUT_BLOCK_LENGTH], ux[OUT_BLOCK_LENGTH];
  187. hmac_ctx c1[1], c2[1], c3[1];
  188. /* set HMAC context (c1) for password */
  189. hmac_sha1_begin(c1);
  190. hmac_sha1_key(pwd, pwd_len, c1);
  191. /* set HMAC context (c2) for password and salt */
  192. memmove(c2, c1, sizeof(hmac_ctx));
  193. hmac_sha1_data(salt, salt_len, c2);
  194. /* find the number of SHA blocks in the key */
  195. n_blk = 1 + (key_len - 1) / OUT_BLOCK_LENGTH;
  196. for(i = 0; i < n_blk; ++i) /* for each block in key */
  197. {
  198. /* ux[] holds the running xor value */
  199. memset(ux, 0, OUT_BLOCK_LENGTH);
  200. /* set HMAC context (c3) for password and salt */
  201. memmove(c3, c2, sizeof(hmac_ctx));
  202. /* enter additional data for 1st block into uu */
  203. uu[0] = (unsigned char)((i + 1) >> 24);
  204. uu[1] = (unsigned char)((i + 1) >> 16);
  205. uu[2] = (unsigned char)((i + 1) >> 8);
  206. uu[3] = (unsigned char)(i + 1);
  207. /* this is the key mixing iteration */
  208. for(j = 0, k = 4; j < iter; ++j)
  209. {
  210. /* add previous round data to HMAC */
  211. hmac_sha1_data(uu, k, c3);
  212. /* obtain HMAC for uu[] */
  213. hmac_sha1_end(uu, OUT_BLOCK_LENGTH, c3);
  214. /* xor into the running xor block */
  215. for(k = 0; k < OUT_BLOCK_LENGTH; ++k)
  216. ux[k] ^= uu[k];
  217. /* set HMAC context (c3) for password */
  218. memmove(c3, c1, sizeof(hmac_ctx));
  219. }
  220. /* compile key blocks into the key output */
  221. j = 0; k = i * OUT_BLOCK_LENGTH;
  222. while(j < OUT_BLOCK_LENGTH && k < key_len)
  223. key[k++] = ux[j++];
  224. }
  225. }
  226. static void encr_data(unsigned char data[], unsigned long d_len, fcrypt_ctx cx[1])
  227. {
  228. unsigned long i = 0, pos = cx->encr_pos;
  229. while(i < d_len)
  230. {
  231. if(pos == BLOCK_SIZE)
  232. { unsigned int j = 0;
  233. /* increment encryption nonce */
  234. while(j < 8 && !++cx->nonce[j])
  235. ++j;
  236. /* encrypt the nonce to form next xor buffer */
  237. aes_encrypt_block(cx->nonce, cx->encr_bfr, cx->encr_ctx);
  238. pos = 0;
  239. }
  240. data[i++] ^= cx->encr_bfr[pos++];
  241. }
  242. cx->encr_pos = pos;
  243. }
  244. static void fcrypt_init(
  245. int mode, /* the mode to be used (input) */
  246. const unsigned char pwd[], /* the user specified password (input) */
  247. unsigned int pwd_len, /* the length of the password (input) */
  248. const unsigned char salt[], /* the salt (input) */
  249. fcrypt_ctx cx[1]) /* the file encryption context (output) */
  250. {
  251. unsigned char kbuf[2 * MAX_KEY_LENGTH + PWD_VER_LENGTH];
  252. cx->mode = mode;
  253. cx->pwd_len = pwd_len;
  254. /* derive the encryption and authetication keys and the password verifier */
  255. derive_key(pwd, pwd_len, salt, SALT_LENGTH(mode), KEYING_ITERATIONS,
  256. kbuf, 2 * KEY_LENGTH(mode) + PWD_VER_LENGTH);
  257. /* initialise the encryption nonce and buffer pos */
  258. cx->encr_pos = BLOCK_SIZE;
  259. /* if we need a random component in the encryption */
  260. /* nonce, this is where it would have to be set */
  261. memset(cx->nonce, 0, BLOCK_SIZE * sizeof(unsigned char));
  262. /* initialise for encryption using key 1 */
  263. cx->encr_ctx = call_aes_make_context();
  264. aes_set_encrypt_key(kbuf, KEY_LENGTH(mode), cx->encr_ctx);
  265. /* initialise for authentication using key 2 */
  266. hmac_sha1_begin(&cx->auth_ctx);
  267. hmac_sha1_key(kbuf + KEY_LENGTH(mode), KEY_LENGTH(mode), &cx->auth_ctx);
  268. }
  269. /* perform 'in place' encryption and authentication */
  270. static void fcrypt_encrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1])
  271. {
  272. encr_data(data, data_len, cx);
  273. hmac_sha1_data(data, data_len, &cx->auth_ctx);
  274. }
  275. /* perform 'in place' authentication and decryption */
  276. static void fcrypt_decrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1])
  277. {
  278. hmac_sha1_data(data, data_len, &cx->auth_ctx);
  279. encr_data(data, data_len, cx);
  280. }
  281. /* close encryption/decryption and return the MAC value */
  282. static int fcrypt_end(unsigned char mac[], fcrypt_ctx cx[1])
  283. {
  284. hmac_sha1_end(mac, MAC_LENGTH(cx->mode), &cx->auth_ctx);
  285. call_aes_free_context(cx->encr_ctx);
  286. return MAC_LENGTH(cx->mode); /* return MAC length in bytes */
  287. }
  288. //---------------------------------------------------------------------------
  289. #define PASSWORD_MANAGER_AES_MODE 3
  290. //---------------------------------------------------------------------------
  291. static void AES256Salt(RawByteString & Salt)
  292. {
  293. Salt.SetLength(SALT_LENGTH(PASSWORD_MANAGER_AES_MODE));
  294. RAND_pseudo_bytes(reinterpret_cast<unsigned char *>(Salt.c_str()), Salt.Length());
  295. }
  296. //---------------------------------------------------------------------------
  297. RawByteString GenerateEncryptKey()
  298. {
  299. RawByteString Result;
  300. Result.SetLength(KEY_LENGTH(PASSWORD_MANAGER_AES_MODE));
  301. RAND_pseudo_bytes(reinterpret_cast<unsigned char *>(Result.c_str()), Result.Length());
  302. return Result;
  303. }
  304. //---------------------------------------------------------------------------
  305. void ValidateEncryptKey(const RawByteString & Key)
  306. {
  307. int Len = KEY_LENGTH(PASSWORD_MANAGER_AES_MODE);
  308. if (Key.Length() != Len)
  309. {
  310. throw Exception(FMTLOAD(INVALID_ENCRYPT_KEY, (L"AES-256", Len, Len * 2)));
  311. }
  312. }
  313. //---------------------------------------------------------------------------
  314. void __fastcall AES256EncyptWithMAC(RawByteString Input, UnicodeString Password,
  315. RawByteString & Salt, RawByteString & Output, RawByteString & Mac)
  316. {
  317. fcrypt_ctx aes;
  318. if (Salt.IsEmpty())
  319. {
  320. AES256Salt(Salt);
  321. }
  322. DebugAssert(Salt.Length() == SALT_LENGTH(PASSWORD_MANAGER_AES_MODE));
  323. UTF8String UtfPassword = Password;
  324. fcrypt_init(PASSWORD_MANAGER_AES_MODE,
  325. reinterpret_cast<const unsigned char *>(UtfPassword.c_str()), UtfPassword.Length(),
  326. reinterpret_cast<const unsigned char *>(Salt.c_str()), &aes);
  327. Output = Input;
  328. Output.Unique();
  329. fcrypt_encrypt(reinterpret_cast<unsigned char *>(Output.c_str()), Output.Length(), &aes);
  330. Mac.SetLength(MAC_LENGTH(PASSWORD_MANAGER_AES_MODE));
  331. fcrypt_end(reinterpret_cast<unsigned char *>(Mac.c_str()), &aes);
  332. }
  333. //---------------------------------------------------------------------------
  334. void __fastcall AES256EncyptWithMAC(RawByteString Input, UnicodeString Password,
  335. RawByteString & Output)
  336. {
  337. RawByteString Salt;
  338. RawByteString Encrypted;
  339. RawByteString Mac;
  340. AES256EncyptWithMAC(Input, Password, Salt, Encrypted, Mac);
  341. Output = Salt + Encrypted + Mac;
  342. }
  343. //---------------------------------------------------------------------------
  344. bool __fastcall AES256DecryptWithMAC(RawByteString Input, UnicodeString Password,
  345. RawByteString Salt, RawByteString & Output, RawByteString Mac)
  346. {
  347. fcrypt_ctx aes;
  348. DebugAssert(Salt.Length() == SALT_LENGTH(PASSWORD_MANAGER_AES_MODE));
  349. UTF8String UtfPassword = Password;
  350. fcrypt_init(PASSWORD_MANAGER_AES_MODE,
  351. reinterpret_cast<const unsigned char *>(UtfPassword.c_str()), UtfPassword.Length(),
  352. reinterpret_cast<const unsigned char *>(Salt.c_str()), &aes);
  353. Output = Input;
  354. Output.Unique();
  355. fcrypt_decrypt(reinterpret_cast<unsigned char *>(Output.c_str()), Output.Length(), &aes);
  356. RawByteString Mac2;
  357. Mac2.SetLength(MAC_LENGTH(PASSWORD_MANAGER_AES_MODE));
  358. DebugAssert(Mac.Length() == Mac2.Length());
  359. fcrypt_end(reinterpret_cast<unsigned char *>(Mac2.c_str()), &aes);
  360. return (Mac2 == Mac);
  361. }
  362. //---------------------------------------------------------------------------
  363. bool __fastcall AES256DecryptWithMAC(RawByteString Input, UnicodeString Password,
  364. RawByteString & Output)
  365. {
  366. bool Result =
  367. Input.Length() > SALT_LENGTH(PASSWORD_MANAGER_AES_MODE) + MAC_LENGTH(PASSWORD_MANAGER_AES_MODE);
  368. if (Result)
  369. {
  370. RawByteString Salt = Input.SubString(1, SALT_LENGTH(PASSWORD_MANAGER_AES_MODE));
  371. RawByteString Encrypted =
  372. Input.SubString(SALT_LENGTH(PASSWORD_MANAGER_AES_MODE) + 1,
  373. Input.Length() - SALT_LENGTH(PASSWORD_MANAGER_AES_MODE) - MAC_LENGTH(PASSWORD_MANAGER_AES_MODE));
  374. RawByteString Mac =
  375. Input.SubString(Input.Length() - MAC_LENGTH(PASSWORD_MANAGER_AES_MODE) + 1,
  376. MAC_LENGTH(PASSWORD_MANAGER_AES_MODE));
  377. Result = AES256DecryptWithMAC(Encrypted, Password, Salt, Output, Mac);
  378. }
  379. return Result;
  380. }
  381. //---------------------------------------------------------------------------
  382. void __fastcall AES256CreateVerifier(UnicodeString Input, RawByteString & Verifier)
  383. {
  384. RawByteString Salt;
  385. RawByteString Dummy;
  386. AES256Salt(Dummy);
  387. RawByteString Encrypted;
  388. RawByteString Mac;
  389. AES256EncyptWithMAC(Dummy, Input, Salt, Encrypted, Mac);
  390. Verifier = Salt + Dummy + Mac;
  391. }
  392. //---------------------------------------------------------------------------
  393. bool __fastcall AES256Verify(UnicodeString Input, RawByteString Verifier)
  394. {
  395. int SaltLength = SALT_LENGTH(PASSWORD_MANAGER_AES_MODE);
  396. RawByteString Salt = Verifier.SubString(1, SaltLength);
  397. RawByteString Dummy = Verifier.SubString(SaltLength + 1, SaltLength);
  398. RawByteString Mac = Verifier.SubString(SaltLength + SaltLength + 1, MAC_LENGTH(PASSWORD_MANAGER_AES_MODE));
  399. RawByteString Encrypted;
  400. RawByteString Mac2;
  401. AES256EncyptWithMAC(Dummy, Input, Salt, Encrypted, Mac2);
  402. DebugAssert(Mac2.Length() == Mac.Length());
  403. return (Mac == Mac2);
  404. }
  405. //---------------------------------------------------------------------------
  406. unsigned char SScrambleTable[256] =
  407. {
  408. 0, 223, 235, 233, 240, 185, 88, 102, 22, 130, 27, 53, 79, 125, 66, 201,
  409. 90, 71, 51, 60, 134, 104, 172, 244, 139, 84, 91, 12, 123, 155, 237, 151,
  410. 192, 6, 87, 32, 211, 38, 149, 75, 164, 145, 52, 200, 224, 226, 156, 50,
  411. 136, 190, 232, 63, 129, 209, 181, 120, 28, 99, 168, 94, 198, 40, 238, 112,
  412. 55, 217, 124, 62, 227, 30, 36, 242, 208, 138, 174, 231, 26, 54, 214, 148,
  413. 37, 157, 19, 137, 187, 111, 228, 39, 110, 17, 197, 229, 118, 246, 153, 80,
  414. 21, 128, 69, 117, 234, 35, 58, 67, 92, 7, 132, 189, 5, 103, 10, 15,
  415. 252, 195, 70, 147, 241, 202, 107, 49, 20, 251, 133, 76, 204, 73, 203, 135,
  416. 184, 78, 194, 183, 1, 121, 109, 11, 143, 144, 171, 161, 48, 205, 245, 46,
  417. 31, 72, 169, 131, 239, 160, 25, 207, 218, 146, 43, 140, 127, 255, 81, 98,
  418. 42, 115, 173, 142, 114, 13, 2, 219, 57, 56, 24, 126, 3, 230, 47, 215,
  419. 9, 44, 159, 33, 249, 18, 93, 95, 29, 113, 220, 89, 97, 182, 248, 64,
  420. 68, 34, 4, 82, 74, 196, 213, 165, 179, 250, 108, 254, 59, 14, 236, 175,
  421. 85, 199, 83, 106, 77, 178, 167, 225, 45, 247, 163, 158, 8, 221, 61, 191,
  422. 119, 16, 253, 105, 186, 23, 170, 100, 216, 65, 162, 122, 150, 176, 154, 193,
  423. 206, 222, 188, 152, 210, 243, 96, 41, 86, 180, 101, 177, 166, 141, 212, 116
  424. };
  425. //---------------------------------------------------------------------------
  426. unsigned char * ScrambleTable;
  427. unsigned char * UnscrambleTable;
  428. //---------------------------------------------------------------------------
  429. RawByteString __fastcall ScramblePassword(UnicodeString Password)
  430. {
  431. #define SCRAMBLE_LENGTH_EXTENSION 50
  432. UTF8String UtfPassword = Password;
  433. int Len = UtfPassword.Length();
  434. char * Buf = new char[Len + SCRAMBLE_LENGTH_EXTENSION];
  435. int Padding = (((Len + 3) / 17) * 17 + 17) - 3 - Len;
  436. for (int Index = 0; Index < Padding; Index++)
  437. {
  438. int P = 0;
  439. while ((P <= 0) || (P > 255) || IsDigit(static_cast<wchar_t>(P)))
  440. {
  441. P = (int)((double)rand() / ((double)RAND_MAX / 256.0));
  442. }
  443. Buf[Index] = (unsigned char)P;
  444. }
  445. Buf[Padding] = (char)('0' + (Len % 10));
  446. Buf[Padding + 1] = (char)('0' + ((Len / 10) % 10));
  447. Buf[Padding + 2] = (char)('0' + ((Len / 100) % 10));
  448. strcpy(Buf + Padding + 3, UtfPassword.c_str());
  449. char * S = Buf;
  450. int Last = 31;
  451. while (*S != '\0')
  452. {
  453. Last = (Last + (unsigned char)*S) % 255 + 1;
  454. *S = ScrambleTable[Last];
  455. S++;
  456. }
  457. RawByteString Result = Buf;
  458. memset(Buf, 0, Len + SCRAMBLE_LENGTH_EXTENSION);
  459. delete[] Buf;
  460. return Result;
  461. }
  462. //---------------------------------------------------------------------------
  463. bool __fastcall UnscramblePassword(RawByteString Scrambled, UnicodeString & Password)
  464. {
  465. Scrambled.Unique();
  466. char * S = Scrambled.c_str();
  467. int Last = 31;
  468. while (*S != '\0')
  469. {
  470. int X = (int)UnscrambleTable[(unsigned char)*S] - 1 - (Last % 255);
  471. if (X <= 0)
  472. {
  473. X += 255;
  474. }
  475. *S = (char)X;
  476. Last = (Last + X) % 255 + 1;
  477. S++;
  478. }
  479. S = Scrambled.c_str();
  480. while ((*S != '\0') && ((*S < '0') || (*S > '9')))
  481. {
  482. S++;
  483. }
  484. bool Result = false;
  485. if (strlen(S) >= 3)
  486. {
  487. int Len = (S[0] - '0') + 10 * (S[1] - '0') + 100 * (S[2] - '0');
  488. int Total = (((Len + 3) / 17) * 17 + 17);
  489. if ((Len >= 0) && (Total == Scrambled.Length()) && (Total - (S - Scrambled.c_str()) - 3 == Len))
  490. {
  491. Scrambled.Delete(1, Scrambled.Length() - Len);
  492. Result = true;
  493. }
  494. }
  495. if (Result)
  496. {
  497. Password = UTF8ToString(Scrambled);
  498. }
  499. else
  500. {
  501. Password = L"";
  502. }
  503. return Result;
  504. }
  505. //---------------------------------------------------------------------------
  506. void __fastcall CryptographyInitialize()
  507. {
  508. ScrambleTable = SScrambleTable;
  509. UnscrambleTable = new unsigned char[256];
  510. for (int Index = 0; Index < 256; Index++)
  511. {
  512. UnscrambleTable[SScrambleTable[Index]] = (unsigned char)Index;
  513. }
  514. srand((unsigned int)time(NULL) ^ (unsigned int)getpid());
  515. RAND_poll();
  516. }
  517. //---------------------------------------------------------------------------
  518. void __fastcall CryptographyFinalize()
  519. {
  520. delete[] UnscrambleTable;
  521. UnscrambleTable = NULL;
  522. ScrambleTable = NULL;
  523. }
  524. //---------------------------------------------------------------------------
  525. int __fastcall PasswordMaxLength()
  526. {
  527. return 128;
  528. }
  529. //---------------------------------------------------------------------------
  530. int __fastcall IsValidPassword(UnicodeString Password)
  531. {
  532. if (Password.IsEmpty() || (Password.Length() > PasswordMaxLength()))
  533. {
  534. return -1;
  535. }
  536. else
  537. {
  538. int A = 0;
  539. int B = 0;
  540. int C = 0;
  541. int D = 0;
  542. for (int Index = 1; Index <= Password.Length(); Index++)
  543. {
  544. if (IsLowerCaseLetter(Password[Index]))
  545. {
  546. A = 1;
  547. }
  548. else if (IsUpperCaseLetter(Password[Index]))
  549. {
  550. B = 1;
  551. }
  552. else if (IsDigit(Password[Index]))
  553. {
  554. C = 1;
  555. }
  556. else
  557. {
  558. D = 1;
  559. }
  560. }
  561. return (Password.Length() >= 6) && ((A + B + C + D) >= 2);
  562. }
  563. }
  564. //---------------------------------------------------------------------------
  565. //---------------------------------------------------------------------------
  566. TEncryption::TEncryption(const RawByteString & Key)
  567. {
  568. FKey = Key;
  569. FOutputtedHeader = false;
  570. if (!FKey.IsEmpty())
  571. {
  572. DebugAssert(FKey.Length() == KEY_LENGTH(PASSWORD_MANAGER_AES_MODE));
  573. FContext = call_aes_make_context();
  574. aes_set_encrypt_key(reinterpret_cast<unsigned char *>(FKey.c_str()), FKey.Length(), FContext);
  575. }
  576. else
  577. {
  578. FContext = NULL;
  579. }
  580. }
  581. //---------------------------------------------------------------------------
  582. TEncryption::~TEncryption()
  583. {
  584. if (FContext != NULL)
  585. {
  586. call_aes_free_context(FContext);
  587. }
  588. Shred(FKey);
  589. if ((FInputHeader.Length() > 0) && (FInputHeader.Length() < GetOverhead()))
  590. {
  591. throw Exception(LoadStr(UNKNOWN_FILE_ENCRYPTION));
  592. }
  593. }
  594. //---------------------------------------------------------------------------
  595. void TEncryption::SetSalt()
  596. {
  597. aes_iv(FContext, reinterpret_cast<unsigned char *>(FSalt.c_str()));
  598. }
  599. //---------------------------------------------------------------------------
  600. void TEncryption::NeedSalt()
  601. {
  602. if (FSalt.IsEmpty())
  603. {
  604. AES256Salt(FSalt);
  605. SetSalt();
  606. }
  607. }
  608. //---------------------------------------------------------------------------
  609. const int AesBlock = 16;
  610. const int AesBlockMask = 0x0F;
  611. UnicodeString AesCtrExt(L".aesctr.enc");
  612. RawByteString AesCtrMagic("aesctr.........."); // 16 bytes fixed [to match AES block size], even for future algos
  613. //---------------------------------------------------------------------------
  614. int TEncryption::RoundToBlock(int Size)
  615. {
  616. int M = (Size % BLOCK_SIZE);
  617. if (M != 0)
  618. {
  619. Size += (BLOCK_SIZE - M);
  620. }
  621. return Size;
  622. }
  623. //---------------------------------------------------------------------------
  624. int TEncryption::RoundToBlockDown(int Size)
  625. {
  626. return Size - (Size % BLOCK_SIZE);
  627. }
  628. //---------------------------------------------------------------------------
  629. void TEncryption::Aes(char * Buffer, int Size)
  630. {
  631. DebugAssert(!FSalt.IsEmpty());
  632. call_aes_sdctr(reinterpret_cast<unsigned char *>(Buffer), Size, FContext);
  633. }
  634. //---------------------------------------------------------------------------
  635. void TEncryption::Aes(TFileBuffer & Buffer, bool Last)
  636. {
  637. if (!FOverflowBuffer.IsEmpty())
  638. {
  639. Buffer.Insert(0, FOverflowBuffer.c_str(), FOverflowBuffer.Length());
  640. FOverflowBuffer.SetLength(0);
  641. }
  642. int Size;
  643. if (Last)
  644. {
  645. Size = Buffer.Size;
  646. Buffer.Size = RoundToBlock(Size);
  647. }
  648. else
  649. {
  650. int RoundedSize = RoundToBlockDown(Buffer.Size);
  651. if (RoundedSize != Buffer.Size)
  652. {
  653. FOverflowBuffer += RawByteString(Buffer.Data + RoundedSize, Buffer.Size - RoundedSize);
  654. Buffer.Size = RoundedSize;
  655. }
  656. }
  657. Aes(Buffer.Data, Buffer.Size);
  658. if (Last)
  659. {
  660. Buffer.Size = Size;
  661. }
  662. }
  663. //---------------------------------------------------------------------------
  664. void TEncryption::Encrypt(TFileBuffer & Buffer, bool Last)
  665. {
  666. NeedSalt();
  667. Aes(Buffer, Last);
  668. if (!FOutputtedHeader)
  669. {
  670. DebugAssert(AesCtrMagic.Length() == BLOCK_SIZE);
  671. RawByteString Header = AesCtrMagic + FSalt;
  672. DebugAssert(Header.Length() == GetOverhead());
  673. Buffer.Insert(0, Header.c_str(), Header.Length());
  674. FOutputtedHeader = true;
  675. }
  676. }
  677. //---------------------------------------------------------------------------
  678. void TEncryption::Decrypt(TFileBuffer & Buffer)
  679. {
  680. if (FInputHeader.Length() < GetOverhead())
  681. {
  682. int HeaderSize = std::min(GetOverhead() - FInputHeader.Length(), Buffer.Size);
  683. FInputHeader += RawByteString(Buffer.Data, HeaderSize);
  684. Buffer.Delete(0, HeaderSize);
  685. if (FInputHeader.Length() >= GetOverhead())
  686. {
  687. if (FInputHeader.SubString(1, AesCtrMagic.Length()) != AesCtrMagic)
  688. {
  689. throw Exception(LoadStr(UNKNOWN_FILE_ENCRYPTION));
  690. }
  691. FSalt = FInputHeader.SubString(AesCtrMagic.Length() + 1, SALT_LENGTH(PASSWORD_MANAGER_AES_MODE));
  692. SetSalt();
  693. }
  694. }
  695. if (Buffer.Size > 0)
  696. {
  697. Aes(Buffer, false);
  698. }
  699. }
  700. //---------------------------------------------------------------------------
  701. bool TEncryption::DecryptEnd(TFileBuffer & Buffer)
  702. {
  703. bool Result = !FOverflowBuffer.IsEmpty();
  704. if (Result)
  705. {
  706. Aes(Buffer, true);
  707. }
  708. return Result;
  709. }
  710. //---------------------------------------------------------------------------
  711. void TEncryption::Aes(RawByteString & Buffer)
  712. {
  713. int Size = Buffer.Length();
  714. Buffer.SetLength(RoundToBlock(Buffer.Length()));
  715. Aes(Buffer.c_str(), Buffer.Length());
  716. Buffer.SetLength(Size);
  717. }
  718. //---------------------------------------------------------------------------
  719. UnicodeString TEncryption::EncryptFileName(const UnicodeString & FileName)
  720. {
  721. NeedSalt();
  722. UTF8String FileNameUtf(FileName);
  723. RawByteString Buffer(FileNameUtf);
  724. Aes(Buffer);
  725. Buffer = FSalt + Buffer;
  726. UnicodeString Base64 = UnicodeString(EncodeBase64(Buffer.c_str(), Buffer.Length()));
  727. Base64 = ReplaceChar(Base64, L'/', L'_');
  728. Base64 = ReplaceStr(Base64, L"\r\n", "");
  729. while (DebugAlwaysTrue(!Base64.IsEmpty()) && (Base64.SubString(Base64.Length(), 1) == L'='))
  730. {
  731. Base64.SetLength(Base64.Length() - 1);
  732. }
  733. UnicodeString Result = Base64 + AesCtrExt;
  734. return Result;
  735. }
  736. //---------------------------------------------------------------------------
  737. UnicodeString TEncryption::DecryptFileName(const UnicodeString & FileName)
  738. {
  739. if (!IsEncryptedFileName(FileName))
  740. {
  741. throw Exception(L"Not an encrypted file name");
  742. }
  743. UnicodeString Base64 = ReplaceChar(LeftStr(FileName, FileName.Length() - AesCtrExt.Length()), L'_', L'/');
  744. int Padding = 4 - (Base64.Length() % 4);
  745. if ((Padding > 0) && (Padding < 4))
  746. {
  747. Base64 += UnicodeString::StringOfChar(L'=', Padding);
  748. }
  749. DynamicArray<Byte> BufferBytes = DecodeBase64(Base64);
  750. RawByteString Buffer(reinterpret_cast<const char *>(&BufferBytes[0]), BufferBytes.Length);
  751. FSalt = Buffer.SubString(1, SALT_LENGTH(PASSWORD_MANAGER_AES_MODE));
  752. SetSalt();
  753. Buffer.Delete(1, FSalt.Length());
  754. Aes(Buffer);
  755. UnicodeString Result(UTF8ToString(Buffer));
  756. return Result;
  757. }
  758. //---------------------------------------------------------------------------
  759. bool TEncryption::IsEncryptedFileName(const UnicodeString & FileName)
  760. {
  761. return EndsStr(AesCtrExt, FileName);
  762. }
  763. //---------------------------------------------------------------------------
  764. int TEncryption::GetOverhead()
  765. {
  766. return AesCtrMagic.Length() + SALT_LENGTH(PASSWORD_MANAGER_AES_MODE);
  767. }
  768. //---------------------------------------------------------------------------