vim: src/blowfish.c comparison

comparison src/blowfish.c @ 6122:18ac55444b37 v7.4.399

updated for version 7.4.399 Problem: Encryption implementation is messy. Blowfish encryption has a weakness. Solution: Refactor the encryption, store the state in an allocated struct instead of using a save/restore mechanism. Introduce the "blowfish2" method, which does not have the weakness and encrypts the whole undo file. (largely by David Leadbeater)

author	Bram Moolenaar <bram@vim.org>
date	Sun, 10 Aug 2014 13:38:34 +0200
parents	391e10afccf6
children	1a5d34492798

comparison

equal deleted inserted replaced

-:913d16b4904c
+:18ac55444b37
 * See README.txt for an overview of the Vim source code.
 *
 * Blowfish encryption for Vim; in Blowfish cipher feedback mode.
 * Contributed by Mohsin Ahmed, http://www.cs.albany.edu/~mosh
 * Based on http://www.schneier.com/blowfish.html by Bruce Schneier.
+*
+* There are two variants:
+* - The old one "blowfish" has a flaw which makes it much easier to crack the
+*   key.  To see this, make a text file with one line of 1000 "x" characters
+*   and write it encrypted.  Use "xxd" to inspect the bytes in the file.  You
+*   will see that a block of 8 bytes repeats 8 times.
+* - The new one "blowfish2" is better.  It uses an 8 byte CFB to avoid the
+*   repeats.
 */
 #include "vim.h"
-#if defined(FEAT_CRYPT)
+#if defined(FEAT_CRYPT) || defined(PROTO)
 #define ARRAY_LENGTH(A)      (sizeof(A)/sizeof(A[0]))
 #define BF_BLOCK    8
 #define BF_BLOCK_MASK 7
-#define BF_CFB_LEN  (8*(BF_BLOCK))
+#define BF_MAX_CFB_LEN  (8 * BF_BLOCK)
 typedef union {
 UINT32_T ul[2];
 char_u   uc[8];
 } block8;
 error!
 Please change this code to define WORDS_BIGENDIAN for big-endian machines.
 # endif
 #endif
-static void bf_e_block __ARGS((UINT32_T *p_xl, UINT32_T *p_xr));
+/* The state of encryption, referenced by cryptstate_T. */
-static void bf_e_cblock __ARGS((char_u *block));
+typedef struct {
-static int bf_check_tables __ARGS((UINT32_T a_ipa[18], UINT32_T a_sbi[4][256], UINT32_T val));
+UINT32_T	pax[18];	    /* P-array */
+UINT32_T	sbx[4][256];	    /* S-boxes */
+int		randbyte_offset;
+int		update_offset;
+char_u	cfb_buffer[BF_MAX_CFB_LEN]; /* up to 64 bytes used */
+int		cfb_len;	    /* size of cfb_buffer actually used */
+} bf_state_T;
+static void bf_e_block __ARGS((bf_state_T *state, UINT32_T *p_xl, UINT32_T *p_xr));
+static void bf_e_cblock __ARGS((bf_state_T *state, char_u *block));
+static int bf_check_tables __ARGS((UINT32_T pax[18], UINT32_T sbx[4][256], UINT32_T val));
 static int bf_self_test __ARGS((void));
+static void bf_key_init __ARGS((bf_state_T *state, char_u *password, char_u *salt, int salt_len));
+static void bf_cfb_init __ARGS((bf_state_T *state, char_u *seed, int seed_len));
 /* Blowfish code */
-static UINT32_T pax[18];
+static UINT32_T pax_init[18] = {
-static UINT32_T ipa[18] = {
 0x243f6a88u, 0x85a308d3u, 0x13198a2eu,
 0x03707344u, 0xa4093822u, 0x299f31d0u,
 0x082efa98u, 0xec4e6c89u, 0x452821e6u,
 0x38d01377u, 0xbe5466cfu, 0x34e90c6cu,
 0xc0ac29b7u, 0xc97c50ddu, 0x3f84d5b5u,
 0xb5470917u, 0x9216d5d9u, 0x8979fb1bu
 };
-static UINT32_T sbx[4][256];
+static UINT32_T sbx_init[4][256] = {
-static UINT32_T sbi[4][256] = {
 {0xd1310ba6u, 0x98dfb5acu, 0x2ffd72dbu, 0xd01adfb7u,
 0xb8e1afedu, 0x6a267e96u, 0xba7c9045u, 0xf12c7f99u,
 0x24a19947u, 0xb3916cf7u, 0x0801f2e2u, 0x858efc16u,
 0x636920d8u, 0x71574e69u, 0xa458fea3u, 0xf4933d7eu,
 0x0d95748fu, 0x728eb658u, 0x718bcd58u, 0x82154aeeu,
 0x90d4f869u, 0xa65cdea0u, 0x3f09252du, 0xc208e69fu,
 0xb74e6132u, 0xce77e25bu, 0x578fdfe3u, 0x3ac372e6u
 }
 };
 #define F1(i) \
-xl ^= pax[i]; \
+xl ^= bfs->pax[i]; \
-xr ^= ((sbx[0][xl >> 24] + \
+xr ^= ((bfs->sbx[0][xl >> 24] + \
-sbx[1][(xl & 0xFF0000) >> 16]) ^ \
+bfs->sbx[1][(xl & 0xFF0000) >> 16]) ^ \
-sbx[2][(xl & 0xFF00) >> 8]) + \
+bfs->sbx[2][(xl & 0xFF00) >> 8]) + \
-sbx[3][xl & 0xFF];
+bfs->sbx[3][xl & 0xFF];
 #define F2(i) \
-xr ^= pax[i]; \
+xr ^= bfs->pax[i]; \
-xl ^= ((sbx[0][xr >> 24] + \
+xl ^= ((bfs->sbx[0][xr >> 24] + \
-sbx[1][(xr & 0xFF0000) >> 16]) ^ \
+bfs->sbx[1][(xr & 0xFF0000) >> 16]) ^ \
-sbx[2][(xr & 0xFF00) >> 8]) + \
+bfs->sbx[2][(xr & 0xFF00) >> 8]) + \
-sbx[3][xr & 0xFF];
+bfs->sbx[3][xr & 0xFF];
 static void
-bf_e_block(p_xl, p_xr)
+bf_e_block(bfs, p_xl, p_xr)
+bf_state_T *bfs;
 UINT32_T *p_xl;
 UINT32_T *p_xr;
 {
-UINT32_T temp, xl = *p_xl, xr = *p_xr;
+UINT32_T temp;
+UINT32_T xl = *p_xl;
-F1(0) F2(1) F1(2) F2(3) F1(4) F2(5) F1(6) F2(7)
+UINT32_T xr = *p_xr;
-F1(8) F2(9) F1(10) F2(11) F1(12) F2(13) F1(14) F2(15)
-xl ^= pax[16];
+F1(0) F2(1)
-xr ^= pax[17];
+F1(2) F2(3)
+F1(4) F2(5)
+F1(6) F2(7)
+F1(8) F2(9)
+F1(10) F2(11)
+F1(12) F2(13)
+F1(14) F2(15)
+xl ^= bfs->pax[16];
+xr ^= bfs->pax[17];
 temp = xl;
 xl = xr;
 xr = temp;
 *p_xl = xl;
 *p_xr = xr;
 }
-#if 0  /* not used */
-static void
-bf_d_block(p_xl, p_xr)
-UINT32_T *p_xl;
-UINT32_T *p_xr;
-{
-UINT32_T temp, xl = *p_xl, xr = *p_xr;
-F1(17) F2(16) F1(15) F2(14) F1(13) F2(12) F1(11) F2(10)
-F1(9) F2(8) F1(7) F2(6) F1(5) F2(4) F1(3) F2(2)
-xl ^= pax[1];
-xr ^= pax[0];
-temp = xl; xl = xr; xr = temp;
-*p_xl = xl; *p_xr = xr;
-}
-#endif
 #ifdef WORDS_BIGENDIAN
 # define htonl2(x) \
 x = ((((x) &     0xffL) << 24) | (((x) & 0xff00L)     <<  8) | \
 #else
 # define htonl2(x)
 #endif
 static void
-bf_e_cblock(block)
+bf_e_cblock(bfs, block)
+bf_state_T *bfs;
 char_u *block;
 {
 block8	bk;
 memcpy(bk.uc, block, 8);
 htonl2(bk.ul[0]);
 htonl2(bk.ul[1]);
-bf_e_block(&bk.ul[0], &bk.ul[1]);
+bf_e_block(bfs, &bk.ul[0], &bk.ul[1]);
 htonl2(bk.ul[0]);
 htonl2(bk.ul[1]);
 memcpy(block, bk.uc, 8);
 }
-#if 0  /* not used */
-void
-bf_d_cblock(block)
-char_u *block;
-{
-block8 bk;
-memcpy(bk.uc, block, 8);
-htonl2(bk.ul[0]); htonl2(bk.ul[1]);
-bf_d_block(&bk.ul[0], &bk.ul[1]);
-htonl2(bk.ul[0]); htonl2(bk.ul[1]);
-memcpy(block, bk.uc, 8);
-}
-#endif
 /*
 * Initialize the crypt method using "password" as the encryption key and
 * "salt[salt_len]" as the salt.
 */
-void
+static void
-bf_key_init(password, salt, salt_len)
+bf_key_init(bfs, password, salt, salt_len)
-char_u *password;
+bf_state_T	*bfs;
-char_u *salt;
+char_u	*password;
-int    salt_len;
+char_u	*salt;
+int		salt_len;
 {
 int      i, j, keypos = 0;
 unsigned u;
 UINT32_T val, data_l, data_r;
 char_u   *key;
 int      keylen;
-/* Process the key 1000 times.
+/* Process the key 1001 times.
 * See http://en.wikipedia.org/wiki/Key_strengthening. */
 key = sha256_key(password, salt, salt_len);
 for (i = 0; i < 1000; i++)
 	key = sha256_key(key, salt, salt_len);
 {
 	sscanf((char *)&key[i * 2], "%2x", &u);
 	key[i] = u;
 }
-mch_memmove(sbx, sbi, 4 * 4 * 256);
+/* Use "key" to initialize the P-array ("pax") and S-boxes ("sbx") of
+* Blowfish. */
+mch_memmove(bfs->sbx, sbx_init, 4 * 4 * 256);
 for (i = 0; i < 18; ++i)
 {
 	val = 0;
 	for (j = 0; j < 4; ++j)
 	    val = (val << 8) | key[keypos++ % keylen];
-	pax[i] = ipa[i] ^ val;
+	bfs->pax[i] = pax_init[i] ^ val;
 }
 data_l = data_r = 0;
 for (i = 0; i < 18; i += 2)
 {
-	bf_e_block(&data_l, &data_r);
+	bf_e_block(bfs, &data_l, &data_r);
-	pax[i + 0] = data_l;
+	bfs->pax[i + 0] = data_l;
-	pax[i + 1] = data_r;
+	bfs->pax[i + 1] = data_r;
 }
 for (i = 0; i < 4; ++i)
 {
 	for (j = 0; j < 256; j += 2)
 	{
-	    bf_e_block(&data_l, &data_r);
+	    bf_e_block(bfs, &data_l, &data_r);
-	    sbx[i][j + 0] = data_l;
+	    bfs->sbx[i][j + 0] = data_l;
-	    sbx[i][j + 1] = data_r;
+	    bfs->sbx[i][j + 1] = data_r;
 	}
 }
 }
 /*
-* BF Self test for corrupted tables or instructions
+* Blowfish self-test for corrupted tables or instructions.
 */
 static int
-bf_check_tables(a_ipa, a_sbi, val)
+bf_check_tables(pax, sbx, val)
-UINT32_T a_ipa[18];
+UINT32_T pax[18];
-UINT32_T a_sbi[4][256];
+UINT32_T sbx[4][256];
 UINT32_T val;
 {
 int i, j;
 UINT32_T c = 0;
 for (i = 0; i < 18; i++)
-	c ^= a_ipa[i];
+	c ^= pax[i];
 for (i = 0; i < 4; i++)
 	for (j = 0; j < 256; j++)
-	    c ^= a_sbi[i][j];
+	    c ^= sbx[i][j];
 return c == val;
 }
 typedef struct {
 char_u   password[64];
 {
 int    i, bn;
 int    err = 0;
 block8 bk;
 UINT32_T ui = 0xffffffffUL;
+bf_state_T state;
+vim_memset(&state, 0, sizeof(bf_state_T));
+state.cfb_len = BF_MAX_CFB_LEN;
 /* We can't simply use sizeof(UINT32_T), it would generate a compiler
 * warning. */
 if (ui != 0xffffffffUL || ui + 1 != 0) {
 	err++;
 	EMSG(_("E820: sizeof(uint32_t) != 4"));
 }
-if (!bf_check_tables(ipa, sbi, 0x6ffa520a))
+if (!bf_check_tables(pax_init, sbx_init, 0x6ffa520a))
 	err++;
 bn = ARRAY_LENGTH(bf_test_data);
 for (i = 0; i < bn; i++)
 {
-	bf_key_init((char_u *)(bf_test_data[i].password),
+	bf_key_init(&state, (char_u *)(bf_test_data[i].password),
 		    bf_test_data[i].salt,
 		    (int)STRLEN(bf_test_data[i].salt));
-	if (!bf_check_tables(pax, sbx, bf_test_data[i].keysum))
+	if (!bf_check_tables(state.pax, state.sbx, bf_test_data[i].keysum))
 	    err++;
 	/* Don't modify bf_test_data[i].plaintxt, self test is idempotent. */
 	memcpy(bk.uc, bf_test_data[i].plaintxt, 8);
-	bf_e_cblock(bk.uc);
+	bf_e_cblock(&state, bk.uc);
 	if (memcmp(bk.uc, bf_test_data[i].cryptxt, 8) != 0)
 	{
 	    if (err == 0 && memcmp(bk.uc, bf_test_data[i].badcryptxt, 8) == 0)
 		EMSG(_("E817: Blowfish big/little endian use wrong"));
 	    err++;
 }
 return err > 0 ? FAIL : OK;
 }
-/* Cipher feedback mode. */
+/*
-static int randbyte_offset = 0;
+* CFB: Cipher Feedback Mode.
-static int update_offset = 0;
+*/
-static char_u cfb_buffer[BF_CFB_LEN]; /* 64 bytes */
+/*
-/*
+* Initialize with seed "seed[seed_len]".
-* Initialize with seed "iv[iv_len]".
+*/
-*/
+static void
-void
+bf_cfb_init(bfs, seed, seed_len)
-bf_cfb_init(iv, iv_len)
+bf_state_T	*bfs;
-char_u *iv;
+char_u	*seed;
-int    iv_len;
+int		seed_len;
 {
 int i, mi;
-randbyte_offset = update_offset = 0;
+bfs->randbyte_offset = bfs->update_offset = 0;
-vim_memset(cfb_buffer, 0, BF_CFB_LEN);
+vim_memset(bfs->cfb_buffer, 0, bfs->cfb_len);
-if (iv_len > 0)
+if (seed_len > 0)
 {
-	mi = iv_len > BF_CFB_LEN ? iv_len : BF_CFB_LEN;
+	mi = seed_len > bfs->cfb_len ? seed_len : bfs->cfb_len;
 	for (i = 0; i < mi; i++)
-	    cfb_buffer[i % BF_CFB_LEN] ^= iv[i % iv_len];
+	    bfs->cfb_buffer[i % bfs->cfb_len] ^= seed[i % seed_len];
 }
 }
-#define BF_CFB_UPDATE(c) { \
+#define BF_CFB_UPDATE(bfs, c) { \
-cfb_buffer[update_offset] ^= (char_u)c; \
+bfs->cfb_buffer[bfs->update_offset] ^= (char_u)c; \
-if (++update_offset == BF_CFB_LEN) \
+if (++bfs->update_offset == bfs->cfb_len) \
-	update_offset = 0; \
+	bfs->update_offset = 0; \
 }
-#define BF_RANBYTE(t) { \
+#define BF_RANBYTE(bfs, t) { \
-if ((randbyte_offset & BF_BLOCK_MASK) == 0) \
+if ((bfs->randbyte_offset & BF_BLOCK_MASK) == 0) \
-	bf_e_cblock(&cfb_buffer[randbyte_offset]); \
+	bf_e_cblock(bfs, &(bfs->cfb_buffer[bfs->randbyte_offset])); \
-t = cfb_buffer[randbyte_offset]; \
+t = bfs->cfb_buffer[bfs->randbyte_offset]; \
-if (++randbyte_offset == BF_CFB_LEN) \
+if (++bfs->randbyte_offset == bfs->cfb_len) \
-	randbyte_offset = 0; \
+	bfs->randbyte_offset = 0; \
 }
 /*
 * Encrypt "from[len]" into "to[len]".
 * "from" and "to" can be equal to encrypt in place.
 */
 void
-bf_crypt_encode(from, len, to)
+crypt_blowfish_encode(state, from, len, to)
+cryptstate_T *state;
 char_u	*from;
 size_t	len;
 char_u	*to;
 {
+bf_state_T *bfs = state->method_state;
 size_t	i;
 int		ztemp, t;
 for (i = 0; i < len; ++i)
 {
 	ztemp = from[i];
-	BF_RANBYTE(t);
+	BF_RANBYTE(bfs, t);
-	BF_CFB_UPDATE(ztemp);
+	BF_CFB_UPDATE(bfs, ztemp);
 	to[i] = t ^ ztemp;
 }
 }
 /*
-* Decrypt "ptr[len]" in place.
+* Decrypt "from[len]" into "to[len]".
 */
 void
-bf_crypt_decode(ptr, len)
+crypt_blowfish_decode(state, from, len, to)
-char_u	*ptr;
+cryptstate_T *state;
-long	len;
+char_u	*from;
-{
+size_t	len;
-char_u	*p;
+char_u	*to;
+{
+bf_state_T *bfs = state->method_state;
+size_t	i;
 int		t;
-for (p = ptr; p < ptr + len; ++p)
+for (i = 0; i < len; ++i)
 {
-	BF_RANBYTE(t);
+	BF_RANBYTE(bfs, t);
-	*p ^= t;
+	to[i] = from[i] ^ t;
-	BF_CFB_UPDATE(*p);
+	BF_CFB_UPDATE(bfs, to[i]);
 }
 }
-/*
-* Initialize the encryption keys and the random header according to
-* the given password.
-*/
 void
-bf_crypt_init_keys(passwd)
+crypt_blowfish_init(state, key, salt, salt_len, seed, seed_len)
-char_u *passwd;		/* password string with which to modify keys */
+cryptstate_T	*state;
-{
+char_u*		key;
-char_u *p;
+char_u*		salt;
+int			salt_len;
-for (p = passwd; *p != NUL; ++p)
+char_u*		seed;
-{
+int			seed_len;
-	BF_CFB_UPDATE(*p);
+{
-}
+bf_state_T	*bfs = (bf_state_T *)alloc_clear(sizeof(bf_state_T));
-}
+state->method_state = bfs;
-static int save_randbyte_offset;
-static int save_update_offset;
+/* "blowfish" uses a 64 byte buffer, causing it to repeat 8 byte groups 8
-static char_u save_cfb_buffer[BF_CFB_LEN];
+* times.  "blowfish2" uses a 8 byte buffer to avoid repeating. */
-static UINT32_T save_pax[18];
+bfs->cfb_len = state->method_nr == CRYPT_M_BF ? BF_MAX_CFB_LEN : BF_BLOCK;
-static UINT32_T save_sbx[4][256];
+if (blowfish_self_test() == FAIL)
-/*
+	return;
-* Save the current crypt state.  Can only be used once before
-* bf_crypt_restore().
+bf_key_init(bfs, key, salt, salt_len);
-*/
+bf_cfb_init(bfs, seed, seed_len);
-void
-bf_crypt_save()
-{
-save_randbyte_offset = randbyte_offset;
-save_update_offset = update_offset;
-mch_memmove(save_cfb_buffer, cfb_buffer, BF_CFB_LEN);
-mch_memmove(save_pax, pax, 4 * 18);
-mch_memmove(save_sbx, sbx, 4 * 4 * 256);
-}
-/*
-* Restore the current crypt state.  Can only be used after
-* bf_crypt_save().
-*/
-void
-bf_crypt_restore()
-{
-randbyte_offset = save_randbyte_offset;
-update_offset = save_update_offset;
-mch_memmove(cfb_buffer, save_cfb_buffer, BF_CFB_LEN);
-mch_memmove(pax, save_pax, 4 * 18);
-mch_memmove(sbx, save_sbx, 4 * 4 * 256);
 }
 /*
 * Run a test to check if the encryption works as expected.
 * Give an error and return FAIL when not.

Mercurial > vim

comparison src/blowfish.c @ 6122:18ac55444b37 v7.4.399