Mercurial > vim
view src/crypt.c @ 32936:c517845bd10e v9.0.1776
patch 9.0.1776: No support for stable Python 3 ABI
Commit: https://github.com/vim/vim/commit/c13b3d1350b60b94fe87f0761ea31c0e7fb6ebf3
Author: Yee Cheng Chin <ychin.git@gmail.com>
Date: Sun Aug 20 21:18:38 2023 +0200
patch 9.0.1776: No support for stable Python 3 ABI
Problem: No support for stable Python 3 ABI
Solution: Support Python 3 stable ABI
Commits:
1) Support Python 3 stable ABI to allow mixed version interoperatbility
Vim currently supports embedding Python for use with plugins, and the
"dynamic" linking option allows the user to specify a locally installed
version of Python by setting `pythonthreedll`. However, one caveat is
that the Python 3 libs are not binary compatible across minor versions,
and mixing versions can potentially be dangerous (e.g. let's say Vim was
linked against the Python 3.10 SDK, but the user sets `pythonthreedll`
to a 3.11 lib). Usually, nothing bad happens, but in theory this could
lead to crashes, memory corruption, and other unpredictable behaviors.
It's also difficult for the user to tell something is wrong because Vim
has no way of reporting what Python 3 version Vim was linked with.
For Vim installed via a package manager, this usually isn't an issue
because all the dependencies would already be figured out. For prebuilt
Vim binaries like MacVim (my motivation for working on this), AppImage,
and Win32 installer this could potentially be an issue as usually a
single binary is distributed. This is more tricky when a new Python
version is released, as there's a chicken-and-egg issue with deciding
what Python version to build against and hard to keep in sync when a new
Python version just drops and we have a mix of users of different Python
versions, and a user just blindly upgrading to a new Python could lead to
bad interactions with Vim.
Python 3 does have a solution for this problem: stable ABI / limited API
(see https://docs.python.org/3/c-api/stable.html). The C SDK limits the
API to a set of functions that are promised to be stable across
versions. This pull request adds an ifdef config that allows us to turn
it on when building Vim. Vim binaries built with this option should be
safe to freely link with any Python 3 libraies without having the
constraint of having to use the same minor version.
Note: Python 2 has no such concept and this doesn't change how Python 2
integration works (not that there is going to be a new version of Python
2 that would cause compatibility issues in the future anyway).
---
Technical details:
======
The stable ABI can be accessed when we compile with the Python 3 limited
API (by defining `Py_LIMITED_API`). The Python 3 code (in `if_python3.c`
and `if_py_both.h`) would now handle this and switch to limited API
mode. Without it set, Vim will still use the full API as before so this
is an opt-in change.
The main difference is that `PyType_Object` is now an opaque struct that
we can't directly create "static types" out of, and we have to create
type objects as "heap types" instead. This is because the struct is not
stable and changes from version to version (e.g. 3.8 added a
`tp_vectorcall` field to it). I had to change all the types to be
allocated on the heap instead with just a pointer to them.
Other functions are also simply missing in limited API, or they are
introduced too late (e.g. `PyUnicode_AsUTF8AndSize` in 3.10) to it that
we need some other ways to do the same thing, so I had to abstract a few
things into macros, and sometimes re-implement functions like
`PyObject_NEW`.
One caveat is that in limited API, `OutputType` (used for replacing
`sys.stdout`) no longer inherits from `PyStdPrinter_Type` which I don't
think has any real issue other than minor differences in how they
convert to a string and missing a couple functions like `mode()` and
`fileno()`.
Also fixed an existing bug where `tp_basicsize` was set incorrectly for
`BufferObject`, `TabListObject, `WinListObject`.
Technically, there could be a small performance drop, there is a little
more indirection with accessing type objects, and some APIs like
`PyUnicode_AsUTF8AndSize` are missing, but in practice I didn't see any
difference, and any well-written Python plugin should try to avoid
excessing callbacks to the `vim` module in Python anyway.
I only tested limited API mode down to Python 3.7, which seemes to
compile and work fine. I haven't tried earlier Python versions.
2) Fix PyIter_Check on older Python vers / type##Ptr unused warning
For PyIter_Check, older versions exposed them as either macros (used in
full API), or a function (for use in limited API). A previous change
exposed PyIter_Check to the dynamic build because Python just moved it
to function-only in 3.10 anyway. Because of that, just make sure we
always grab the function in dynamic builds in earlier versions since
that's what Python eventually did anyway.
3) Move Py_LIMITED_API define to configure script
Can now use --with-python-stable-abi flag to customize what stable ABI
version to target. Can also use an env var to do so as well.
4) Show +python/dyn-stable in :version, and allow has() feature query
Not sure if the "/dyn-stable" suffix would break things, or whether we
should do it another way. Or just don't show it in version and rely on
has() feature checking.
5) Documentation first draft. Still need to implement v:python3_version
6) Fix PyIter_Check build breaks when compiling against Python 3.8
7) Add CI coverage stable ABI on Linux/Windows / make configurable on Windows
This adds configurable options for Windows make files (both MinGW and
MSVC). CI will also now exercise both traditional full API and stable
ABI for Linux and Windows in the matrix for coverage.
Also added a "dynamic" option to Linux matrix as a drive-by change to
make other scripting languages like Ruby / Perl testable under both
static and dynamic builds.
8) Fix inaccuracy in Windows docs
Python's own docs are confusing but you don't actually want to use
`python3.dll` for the dynamic linkage.
9) Add generated autoconf file
10) Add v:python3_version support
This variable indicates the version of Python3 that Vim was built
against (PY_VERSION_HEX), and will be useful to check whether the Python
library you are loading in dynamically actually fits it. When built with
stable ABI, it will be the limited ABI version instead
(`Py_LIMITED_API`), which indicates the minimum version of Python 3 the
user should have, rather than the exact match. When stable ABI is used,
we won't be exposing PY_VERSION_HEX in this var because it just doesn't
seem necessary to do so (the whole point of stable ABI is the promise
that it will work across versions), and I don't want to confuse the user
with too many variables.
Also, cleaned up some documentation, and added help tags.
11) Fix Python 3.7 compat issues
Fix a couple issues when using limited API < 3.8
- Crash on exit: In Python 3.7, if a heap-allocated type is destroyed
before all instances are, it would cause a crash later. This happens
when we destroyed `OptionsType` before calling `Py_Finalize` when
using the limited API. To make it worse, later versions changed the
semantics and now each instance has a strong reference to its own type
and the recommendation has changed to have each instance de-ref its
own type and have its type in GC traversal. To avoid dealing with
these cross-version variations, we just don't free the heap type. They
are static types in non-limited-API anyway and are designed to last
through the entirety of the app, and we also don't restart the Python
runtime and therefore do not need it to have absolutely 0 leaks.
See:
- https://docs.python.org/3/whatsnew/3.8.html#changes-in-the-c-api
- https://docs.python.org/3/whatsnew/3.9.html#changes-in-the-c-api
- PyIter_Check: This function is not provided in limited APIs older than
3.8. Previously I was trying to mock it out using manual
PyType_GetSlot() but it was brittle and also does not actually work
properly for static types (it will generate a Python error). Just
return false. It does mean using limited API < 3.8 is not recommended
as you lose the functionality to handle iterators, but from playing
with plugins I couldn't find it to be an issue.
- Fix loading of PyIter_Check so it will be done when limited API < 3.8.
Otherwise loading a 3.7 Python lib will fail even if limited API was
specified to use it.
12) Make sure to only load `PyUnicode_AsUTF8AndSize` in needed in limited API
We don't use this function unless limited API >= 3.10, but we were
loading it regardless. Usually it's ok in Unix-like systems where Python
just has a single lib that we load from, but in Windows where there is a
separate python3.dll this would not work as the symbol would not have
been exposed in this more limited DLL file. This makes it much clearer
under what condition is this function needed.
closes: #12032
Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 20 Aug 2023 21:30:04 +0200 |
parents | 185f2a160d5d |
children | cb88e5c589d0 |
line wrap: on
line source
/* vi:set ts=8 sts=4 sw=4 noet: * * VIM - Vi IMproved by Bram Moolenaar * * Do ":help uganda" in Vim to read copying and usage conditions. * Do ":help credits" in Vim to see a list of people who contributed. * See README.txt for an overview of the Vim source code. */ /* * crypt.c: Generic encryption support. */ #include "vim.h" #if defined(FEAT_CRYPT) || defined(PROTO) /* * Optional encryption support. * Mohsin Ahmed, mosh@sasi.com, 1998-09-24 * Based on zip/crypt sources. * Refactored by David Leadbeater, 2014. * * NOTE FOR USA: Since 2000 exporting this code from the USA is allowed to * most countries. There are a few exceptions, but that still should not be a * problem since this code was originally created in Europe and India. * * Blowfish addition originally made by Mohsin Ahmed, * http://www.cs.albany.edu/~mosh 2010-03-14 * Based on blowfish by Bruce Schneier (http://www.schneier.com/blowfish.html) * and sha256 by Christophe Devine. */ typedef struct { char *name; // encryption name as used in 'cryptmethod' char *magic; // magic bytes stored in file header int salt_len; // length of salt, or 0 when not using salt int seed_len; // length of seed, or 0 when not using seed int add_len; // additional length in the header needed for storing // custom data #ifdef CRYPT_NOT_INPLACE int works_inplace; // encryption/decryption can be done in-place #endif int whole_undofile; // whole undo file is encrypted // Optional function pointer for a self-test. int (*self_test_fn)(void); // Function pointer for initializing encryption/decryption. int (* init_fn)(cryptstate_T *state, char_u *key, crypt_arg_T *arg); // Function pointers for encoding/decoding from one buffer into another. // Optional, however, these or the _buffer ones should be configured. void (*encode_fn)(cryptstate_T *state, char_u *from, size_t len, char_u *to, int last); void (*decode_fn)(cryptstate_T *state, char_u *from, size_t len, char_u *to, int last); // Function pointers for encoding and decoding, can buffer data if needed. // Optional (however, these or the above should be configured). long (*encode_buffer_fn)(cryptstate_T *state, char_u *from, size_t len, char_u **newptr, int last); long (*decode_buffer_fn)(cryptstate_T *state, char_u *from, size_t len, char_u **newptr, int last); // Function pointers for in-place encoding and decoding, used for // crypt_*_inplace(). "from" and "to" arguments will be equal. // These may be the same as decode_fn and encode_fn above, however an // algorithm may implement them in a way that is not interchangeable with // the crypt_(en|de)code() interface (for example because it wishes to add // padding to files). // This method is used for swap and undo files which have a rigid format. void (*encode_inplace_fn)(cryptstate_T *state, char_u *p1, size_t len, char_u *p2, int last); void (*decode_inplace_fn)(cryptstate_T *state, char_u *p1, size_t len, char_u *p2, int last); } cryptmethod_T; static int crypt_sodium_init_(cryptstate_T *state, char_u *key, crypt_arg_T *arg); static long crypt_sodium_buffer_decode(cryptstate_T *state, char_u *from, size_t len, char_u **buf_out, int last); static long crypt_sodium_buffer_encode(cryptstate_T *state, char_u *from, size_t len, char_u **buf_out, int last); # if defined(FEAT_SODIUM) || defined(PROTO) static void crypt_long_long_to_char(long long n, char_u *s); static void crypt_int_to_char(int n, char_u *s); static long long crypt_char_to_long_long(char_u *s); static int crypt_char_to_int(char_u *s); #endif #if defined(FEAT_EVAL) && defined(FEAT_SODIUM) static void crypt_sodium_report_hash_params(unsigned long long opslimit, unsigned long long ops_def, size_t memlimit, size_t mem_def, int alg, int alg_def); #endif // index is method_nr of cryptstate_T, CRYPT_M_* static cryptmethod_T cryptmethods[CRYPT_M_COUNT] = { // PK_Zip; very weak { "zip", "VimCrypt~01!", 0, 0, 0, #ifdef CRYPT_NOT_INPLACE TRUE, #endif FALSE, NULL, crypt_zip_init, crypt_zip_encode, crypt_zip_decode, NULL, NULL, crypt_zip_encode, crypt_zip_decode, }, // Blowfish/CFB + SHA-256 custom key derivation; implementation issues. { "blowfish", "VimCrypt~02!", 8, 8, 0, #ifdef CRYPT_NOT_INPLACE TRUE, #endif FALSE, blowfish_self_test, crypt_blowfish_init, crypt_blowfish_encode, crypt_blowfish_decode, NULL, NULL, crypt_blowfish_encode, crypt_blowfish_decode, }, // Blowfish/CFB + SHA-256 custom key derivation; fixed. { "blowfish2", "VimCrypt~03!", 8, 8, 0, #ifdef CRYPT_NOT_INPLACE TRUE, #endif TRUE, blowfish_self_test, crypt_blowfish_init, crypt_blowfish_encode, crypt_blowfish_decode, NULL, NULL, crypt_blowfish_encode, crypt_blowfish_decode, }, // XChaCha20 using libsodium; implementation issues { "xchacha20", "VimCrypt~04!", #ifdef FEAT_SODIUM crypto_pwhash_argon2id_SALTBYTES, // 16 #else 16, #endif 8, 0, #ifdef CRYPT_NOT_INPLACE FALSE, #endif FALSE, NULL, crypt_sodium_init_, NULL, NULL, crypt_sodium_buffer_encode, crypt_sodium_buffer_decode, NULL, NULL, }, // XChaCha20 using libsodium; stores parameters in header { "xchacha20v2", "VimCrypt~05!", #ifdef FEAT_SODIUM crypto_pwhash_argon2id_SALTBYTES, // 16 #else 16, #endif 8, // sizeof(crypto_pwhash_OPSLIMIT_INTERACTIVE + crypto_pwhash_MEMLIMIT_INTERACTIVE + crypto_pwhash_ALG_DEFAULT) 20, #ifdef CRYPT_NOT_INPLACE FALSE, #endif FALSE, NULL, crypt_sodium_init_, NULL, NULL, crypt_sodium_buffer_encode, crypt_sodium_buffer_decode, NULL, NULL, }, // NOTE: when adding a new method, use some random bytes for the magic key, // to avoid that a text file is recognized as encrypted. }; #if defined(FEAT_SODIUM) || defined(PROTO) typedef struct { size_t count; unsigned char key[crypto_box_SEEDBYTES]; // 32, same as crypto_secretstream_xchacha20poly1305_KEYBYTES crypto_secretstream_xchacha20poly1305_state state; } sodium_state_T; # ifdef DYNAMIC_SODIUM # ifdef MSWIN # define SODIUM_PROC FARPROC # define load_dll vimLoadLib # define symbol_from_dll GetProcAddress # define close_dll FreeLibrary # define load_dll_error GetWin32Error # else # error Dynamic loading of libsodium is not supported for now. //# define HINSTANCE void* //# define SODIUM_PROC void* //# define load_dll(n) dlopen((n), RTLD_LAZY|RTLD_GLOBAL) //# define symbol_from_dll dlsym //# define close_dll dlclose //# define load_dll_error dlerror # endif # define sodium_init load_sodium # define sodium_free dll_sodium_free # define sodium_malloc dll_sodium_malloc # define sodium_memzero dll_sodium_memzero # define sodium_mlock dll_sodium_mlock # define sodium_munlock dll_sodium_munlock # define crypto_secretstream_xchacha20poly1305_init_push \ dll_crypto_secretstream_xchacha20poly1305_init_push # define crypto_secretstream_xchacha20poly1305_push \ dll_crypto_secretstream_xchacha20poly1305_push # define crypto_secretstream_xchacha20poly1305_init_pull \ dll_crypto_secretstream_xchacha20poly1305_init_pull # define crypto_secretstream_xchacha20poly1305_pull \ dll_crypto_secretstream_xchacha20poly1305_pull # define crypto_pwhash dll_crypto_pwhash # define randombytes_buf dll_randombytes_buf # define randombytes_random dll_randombytes_random static int (*dll_sodium_init)(void) = NULL; static void (*dll_sodium_free)(void *) = NULL; static void *(*dll_sodium_malloc)(const size_t) = NULL; static void (*dll_sodium_memzero)(void * const, const size_t) = NULL; static int (*dll_sodium_mlock)(void * const, const size_t) = NULL; static int (*dll_sodium_munlock)(void * const, const size_t) = NULL; static int (*dll_crypto_secretstream_xchacha20poly1305_init_push) (crypto_secretstream_xchacha20poly1305_state *state, unsigned char [], const unsigned char []) = NULL; static int (*dll_crypto_secretstream_xchacha20poly1305_push) (crypto_secretstream_xchacha20poly1305_state *state, unsigned char *c, unsigned long long *clen_p, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, unsigned char tag) = NULL; static int (*dll_crypto_secretstream_xchacha20poly1305_init_pull) (crypto_secretstream_xchacha20poly1305_state *state, const unsigned char [], const unsigned char []) = NULL; static int (*dll_crypto_secretstream_xchacha20poly1305_pull) (crypto_secretstream_xchacha20poly1305_state *state, unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p, const unsigned char *c, unsigned long long clen, const unsigned char *ad, unsigned long long adlen) = NULL; static int (*dll_crypto_pwhash)(unsigned char * const out, unsigned long long outlen, const char * const passwd, unsigned long long passwdlen, const unsigned char * const salt, unsigned long long opslimit, size_t memlimit, int alg) = NULL; static void (*dll_randombytes_buf)(void * const buf, const size_t size); static uint32_t (*dll_randombytes_random)(void); static struct { const char *name; SODIUM_PROC *ptr; } sodium_funcname_table[] = { {"sodium_init", (SODIUM_PROC*)&dll_sodium_init}, {"sodium_free", (SODIUM_PROC*)&dll_sodium_free}, {"sodium_malloc", (SODIUM_PROC*)&dll_sodium_malloc}, {"sodium_memzero", (SODIUM_PROC*)&dll_sodium_memzero}, {"sodium_mlock", (SODIUM_PROC*)&dll_sodium_mlock}, {"sodium_munlock", (SODIUM_PROC*)&dll_sodium_munlock}, {"crypto_secretstream_xchacha20poly1305_init_push", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_init_push}, {"crypto_secretstream_xchacha20poly1305_push", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_push}, {"crypto_secretstream_xchacha20poly1305_init_pull", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_init_pull}, {"crypto_secretstream_xchacha20poly1305_pull", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_pull}, {"crypto_pwhash", (SODIUM_PROC*)&dll_crypto_pwhash}, {"randombytes_buf", (SODIUM_PROC*)&dll_randombytes_buf}, {"randombytes_random", (SODIUM_PROC*)&dll_randombytes_random}, {NULL, NULL} }; static int sodium_runtime_link_init(int verbose) { static HINSTANCE hsodium = NULL; const char *libname = DYNAMIC_SODIUM_DLL; int i; if (hsodium != NULL) return OK; hsodium = load_dll(libname); if (hsodium == NULL) { if (verbose) semsg(_(e_could_not_load_library_str_str), libname, load_dll_error()); return FAIL; } for (i = 0; sodium_funcname_table[i].ptr; ++i) { if ((*sodium_funcname_table[i].ptr = symbol_from_dll(hsodium, sodium_funcname_table[i].name)) == NULL) { close_dll(hsodium); hsodium = NULL; if (verbose) semsg(_(e_could_not_load_library_function_str), sodium_funcname_table[i].name); return FAIL; } } return OK; } static int load_sodium(void) { if (sodium_runtime_link_init(TRUE) == FAIL) return -1; return dll_sodium_init(); } # endif # if defined(DYNAMIC_SODIUM) || defined(PROTO) int sodium_enabled(int verbose) { return sodium_runtime_link_init(verbose) == OK; } # endif #endif #define CRYPT_MAGIC_LEN 12 // cannot change static char crypt_magic_head[] = "VimCrypt~"; /* * Return int value for crypt method name. * 0 for "zip", the old method. Also for any non-valid value. * 1 for "blowfish". * 2 for "blowfish2". */ int crypt_method_nr_from_name(char_u *name) { int i; for (i = 0; i < CRYPT_M_COUNT; ++i) if (STRCMP(name, cryptmethods[i].name) == 0) return i; return 0; } /* * Get the crypt method used for a file from "ptr[len]", the magic text at the * start of the file. * Returns -1 when no encryption used. */ int crypt_method_nr_from_magic(char *ptr, int len) { int i; if (len < CRYPT_MAGIC_LEN) return -1; for (i = 0; i < CRYPT_M_COUNT; i++) if (memcmp(ptr, cryptmethods[i].magic, CRYPT_MAGIC_LEN) == 0) return i; i = (int)STRLEN(crypt_magic_head); if (len >= i && memcmp(ptr, crypt_magic_head, i) == 0) emsg(_(e_file_is_encrypted_with_unknown_method)); return -1; } #ifdef CRYPT_NOT_INPLACE /* * Return TRUE if the crypt method for "method_nr" can be done in-place. */ int crypt_works_inplace(cryptstate_T *state) { return cryptmethods[state->method_nr].works_inplace; } #endif /* * Get the crypt method for buffer "buf" as a number. */ int crypt_get_method_nr(buf_T *buf) { return crypt_method_nr_from_name(*buf->b_p_cm == NUL ? p_cm : buf->b_p_cm); } /* * Returns True for Sodium Encryption. */ int crypt_method_is_sodium(int method) { return method == CRYPT_M_SOD || method == CRYPT_M_SOD2; } /* * Return TRUE when the buffer uses an encryption method that encrypts the * whole undo file, not only the text. */ int crypt_whole_undofile(int method_nr) { return cryptmethods[method_nr].whole_undofile; } /* * Get crypt method specific length of the file header in bytes. */ int crypt_get_header_len(int method_nr) { return CRYPT_MAGIC_LEN + cryptmethods[method_nr].salt_len + cryptmethods[method_nr].seed_len + cryptmethods[method_nr].add_len; } #if defined(FEAT_SODIUM) || defined(PROTO) /* * Get maximum crypt method specific length of the file header in bytes. */ int crypt_get_max_header_len(void) { int i; int max = 0; int temp = 0; for (i = 0; i < CRYPT_M_COUNT; ++i) { temp = crypt_get_header_len(i); if (temp > max) max = temp; } return max; } #endif /* * Set the crypt method for buffer "buf" to "method_nr" using the int value as * returned by crypt_method_nr_from_name(). */ void crypt_set_cm_option(buf_T *buf, int method_nr) { free_string_option(buf->b_p_cm); buf->b_p_cm = vim_strsave((char_u *)cryptmethods[method_nr].name); } /* * If the crypt method for the current buffer has a self-test, run it and * return OK/FAIL. */ int crypt_self_test(void) { int method_nr = crypt_get_method_nr(curbuf); if (cryptmethods[method_nr].self_test_fn == NULL) return OK; return cryptmethods[method_nr].self_test_fn(); } /* * Allocate a crypt state and initialize it. * Return NULL for failure. */ cryptstate_T * crypt_create( int method_nr, char_u *key, crypt_arg_T *crypt_arg) { cryptstate_T *state = ALLOC_ONE(cryptstate_T); if (state == NULL) return state; state->method_nr = method_nr; if (cryptmethods[method_nr].init_fn(state, key, crypt_arg) == FAIL) { vim_free(state); return NULL; } return state; } /* * Allocate a crypt state from a file header and initialize it. * Assumes that header contains at least the number of bytes that * crypt_get_header_len() returns for "method_nr". */ cryptstate_T * crypt_create_from_header( int method_nr, char_u *key, char_u *header) { crypt_arg_T arg; CLEAR_FIELD(arg); arg.cat_init_from_file = TRUE; arg.cat_salt_len = cryptmethods[method_nr].salt_len; arg.cat_seed_len = cryptmethods[method_nr].seed_len; arg.cat_add_len = cryptmethods[method_nr].add_len; if (arg.cat_salt_len > 0) arg.cat_salt = header + CRYPT_MAGIC_LEN; if (arg.cat_seed_len > 0) arg.cat_seed = header + CRYPT_MAGIC_LEN + arg.cat_salt_len; if (arg.cat_add_len > 0) arg.cat_add = header + CRYPT_MAGIC_LEN + arg.cat_salt_len + arg.cat_seed_len; return crypt_create(method_nr, key, &arg); } /* * Read the crypt method specific header data from "fp". * Return an allocated cryptstate_T or NULL on error. */ cryptstate_T * crypt_create_from_file(FILE *fp, char_u *key) { int method_nr; int header_len; char magic_buffer[CRYPT_MAGIC_LEN]; char_u *buffer; cryptstate_T *state; if (fread(magic_buffer, CRYPT_MAGIC_LEN, 1, fp) != 1) return NULL; method_nr = crypt_method_nr_from_magic(magic_buffer, CRYPT_MAGIC_LEN); if (method_nr < 0) return NULL; header_len = crypt_get_header_len(method_nr); if ((buffer = alloc(header_len)) == NULL) return NULL; mch_memmove(buffer, magic_buffer, CRYPT_MAGIC_LEN); if (header_len > CRYPT_MAGIC_LEN && fread(buffer + CRYPT_MAGIC_LEN, header_len - CRYPT_MAGIC_LEN, 1, fp) != 1) { vim_free(buffer); return NULL; } state = crypt_create_from_header(method_nr, key, buffer); vim_free(buffer); return state; } /* * Allocate a cryptstate_T for writing and initialize it with "key". * Allocates and fills in the header and stores it in "header", setting * "header_len". The header may include salt and seed, depending on * cryptmethod. Caller must free header. * Returns the state or NULL on failure. */ cryptstate_T * crypt_create_for_writing( int method_nr, char_u *key, char_u **header, int *header_len) { int len = crypt_get_header_len(method_nr); crypt_arg_T arg; cryptstate_T *state; CLEAR_FIELD(arg); arg.cat_salt_len = cryptmethods[method_nr].salt_len; arg.cat_seed_len = cryptmethods[method_nr].seed_len; arg.cat_add_len = cryptmethods[method_nr].add_len; arg.cat_init_from_file = FALSE; *header_len = len; *header = alloc(len); if (*header == NULL) return NULL; mch_memmove(*header, cryptmethods[method_nr].magic, CRYPT_MAGIC_LEN); if (arg.cat_salt_len > 0 || arg.cat_seed_len > 0 || arg.cat_add_len > 0) { if (arg.cat_salt_len > 0) arg.cat_salt = *header + CRYPT_MAGIC_LEN; if (arg.cat_seed_len > 0) arg.cat_seed = *header + CRYPT_MAGIC_LEN + arg.cat_salt_len; if (arg.cat_add_len > 0) arg.cat_add = *header + CRYPT_MAGIC_LEN + arg.cat_salt_len + arg.cat_seed_len; // TODO: Should this be crypt method specific? (Probably not worth // it). sha2_seed is pretty bad for large amounts of entropy, so make // that into something which is suitable for anything. #ifdef FEAT_SODIUM if (sodium_init() >= 0) { if (arg.cat_salt_len > 0) randombytes_buf(arg.cat_salt, arg.cat_salt_len); if (arg.cat_seed_len > 0) randombytes_buf(arg.cat_seed, arg.cat_seed_len); } else #endif sha2_seed(arg.cat_salt, arg.cat_salt_len, arg.cat_seed, arg.cat_seed_len); } state = crypt_create(method_nr, key, &arg); if (state == NULL) VIM_CLEAR(*header); return state; } /* * Free the crypt state. */ void crypt_free_state(cryptstate_T *state) { #ifdef FEAT_SODIUM if (crypt_method_is_sodium(state->method_nr)) { sodium_munlock(((sodium_state_T *)state->method_state)->key, crypto_box_SEEDBYTES); sodium_memzero(state->method_state, sizeof(sodium_state_T)); sodium_free(state->method_state); } else #endif vim_free(state->method_state); vim_free(state); } #ifdef CRYPT_NOT_INPLACE /* * Encode "from[len]" and store the result in a newly allocated buffer, which * is stored in "newptr". * Return number of bytes in "newptr", 0 for need more or -1 on error. */ long crypt_encode_alloc( cryptstate_T *state, char_u *from, size_t len, char_u **newptr, int last) { cryptmethod_T *method = &cryptmethods[state->method_nr]; if (method->encode_buffer_fn != NULL) // Has buffer function, pass through. return method->encode_buffer_fn(state, from, len, newptr, last); if (len == 0) // Not buffering, just return EOF. return (long)len; *newptr = alloc(len + 50); if (*newptr == NULL) return -1; method->encode_fn(state, from, len, *newptr, last); return (long)len; } /* * Decrypt "ptr[len]" and store the result in a newly allocated buffer, which * is stored in "newptr". * Return number of bytes in "newptr", 0 for need more or -1 on error. */ long crypt_decode_alloc( cryptstate_T *state, char_u *ptr, long len, char_u **newptr, int last) { cryptmethod_T *method = &cryptmethods[state->method_nr]; if (method->decode_buffer_fn != NULL) // Has buffer function, pass through. return method->decode_buffer_fn(state, ptr, len, newptr, last); if (len == 0) // Not buffering, just return EOF. return len; *newptr = alloc(len); if (*newptr == NULL) return -1; method->decode_fn(state, ptr, len, *newptr, last); return len; } #endif /* * Encrypting "from[len]" into "to[len]". */ void crypt_encode( cryptstate_T *state, char_u *from, size_t len, char_u *to, int last) { cryptmethods[state->method_nr].encode_fn(state, from, len, to, last); } #if 0 // unused /* * decrypting "from[len]" into "to[len]". */ void crypt_decode( cryptstate_T *state, char_u *from, size_t len, char_u *to, int last) { cryptmethods[state->method_nr].decode_fn(state, from, len, to, last); } #endif /* * Simple inplace encryption, modifies "buf[len]" in place. */ void crypt_encode_inplace( cryptstate_T *state, char_u *buf, size_t len, int last) { cryptmethods[state->method_nr].encode_inplace_fn(state, buf, len, buf, last); } /* * Simple inplace decryption, modifies "buf[len]" in place. */ void crypt_decode_inplace( cryptstate_T *state, char_u *buf, size_t len, int last) { cryptmethods[state->method_nr].decode_inplace_fn(state, buf, len, buf, last); } /* * Free an allocated crypt key. Clear the text to make sure it doesn't stay * in memory anywhere. */ void crypt_free_key(char_u *key) { char_u *p; if (key != NULL) { for (p = key; *p != NUL; ++p) *p = 0; vim_free(key); } } /* * Check the crypt method and give a warning if it's outdated. */ void crypt_check_method(int method) { if (method < CRYPT_M_BF2 || method == CRYPT_M_SOD) { msg_scroll = TRUE; msg(_("Warning: Using a weak encryption method; see :help 'cm'")); } } /* * If the crypt method for "curbuf" does not support encrypting the swap file * then disable the swap file. */ void crypt_check_swapfile_curbuf(void) { #ifdef FEAT_SODIUM int method = crypt_get_method_nr(curbuf); if (crypt_method_is_sodium(method)) { // encryption uses padding and MAC, that does not work very well with // swap and undo files, so disable them mf_close_file(curbuf, TRUE); // remove the swap file set_option_value_give_err((char_u *)"swf", 0, NULL, OPT_LOCAL); msg_scroll = TRUE; msg(_("Note: Encryption of swapfile not supported, disabling swap file")); } #endif } void crypt_check_current_method(void) { crypt_check_method(crypt_get_method_nr(curbuf)); } /* * Ask the user for a crypt key. * When "store" is TRUE, the new key is stored in the 'key' option, and the * 'key' option value is returned: Don't free it. * When "store" is FALSE, the typed key is returned in allocated memory. * Returns NULL on failure. */ char_u * crypt_get_key( int store, int twice) // Ask for the key twice. { char_u *p1, *p2 = NULL; int round; for (round = 0; ; ++round) { cmdline_star = TRUE; cmdline_row = msg_row; p1 = getcmdline_prompt(NUL, round == 0 ? (char_u *)_("Enter encryption key: ") : (char_u *)_("Enter same key again: "), 0, EXPAND_NOTHING, NULL); cmdline_star = FALSE; if (p1 == NULL) break; if (round == twice) { if (p2 != NULL && STRCMP(p1, p2) != 0) { msg(_("Keys don't match!")); crypt_free_key(p1); crypt_free_key(p2); p2 = NULL; round = -1; // do it again continue; } if (store) { set_option_value_give_err((char_u *)"key", 0L, p1, OPT_LOCAL); crypt_free_key(p1); p1 = curbuf->b_p_key; crypt_check_swapfile_curbuf(); } break; } p2 = p1; } // since the user typed this, no need to wait for return if (!crypt_method_is_sodium(crypt_get_method_nr(curbuf))) { if (msg_didout) msg_putchar('\n'); need_wait_return = FALSE; msg_didout = FALSE; } crypt_free_key(p2); return p1; } /* * Append a message to IObuff for the encryption/decryption method being used. */ void crypt_append_msg( buf_T *buf) { if (crypt_get_method_nr(buf) == 0) STRCAT(IObuff, _("[crypted]")); else { STRCAT(IObuff, "["); STRCAT(IObuff, *buf->b_p_cm == NUL ? p_cm : buf->b_p_cm); STRCAT(IObuff, "]"); } } static int crypt_sodium_init_( cryptstate_T *state UNUSED, char_u *key UNUSED, crypt_arg_T *arg UNUSED) { # ifdef FEAT_SODIUM // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES unsigned char dkey[crypto_box_SEEDBYTES]; // 32 sodium_state_T *sd_state; int retval = 0; unsigned long long opslimit; unsigned long long memlimit; int alg; if (sodium_init() < 0) return FAIL; sd_state = (sodium_state_T *)sodium_malloc(sizeof(sodium_state_T)); sodium_memzero(sd_state, sizeof(sodium_state_T)); if ((state->method_nr == CRYPT_M_SOD2 && !arg->cat_init_from_file) || state->method_nr == CRYPT_M_SOD) { opslimit = crypto_pwhash_OPSLIMIT_INTERACTIVE; memlimit = crypto_pwhash_MEMLIMIT_INTERACTIVE; alg = crypto_pwhash_ALG_DEFAULT; #if 0 // For testing if (state->method_nr == CRYPT_M_SOD2) { opslimit = crypto_pwhash_OPSLIMIT_MODERATE; memlimit = crypto_pwhash_MEMLIMIT_MODERATE; } #endif // derive a key from the password if (crypto_pwhash(dkey, sizeof(dkey), (const char *)key, STRLEN(key), arg->cat_salt, opslimit, (size_t)memlimit, alg) != 0) { // out of memory sodium_free(sd_state); return FAIL; } memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES); retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES); retval += sodium_mlock(key, STRLEN(key)); if (retval < 0) { emsg(_(e_encryption_sodium_mlock_failed)); sodium_free(sd_state); return FAIL; } // "cat_add" should not be NULL, check anyway for safety if (state->method_nr == CRYPT_M_SOD2 && arg->cat_add != NULL) { char_u buffer[20]; char_u *p = buffer; vim_memset(buffer, 0, 20); crypt_long_long_to_char(opslimit, p); p += sizeof(opslimit); crypt_long_long_to_char(memlimit, p); p += sizeof(memlimit); crypt_int_to_char(alg, p); memcpy(arg->cat_add, buffer, sizeof(opslimit) + sizeof(memlimit) + sizeof(alg)); } } else { char_u buffer[20]; char_u *p = buffer; vim_memset(buffer, 0, 20); int size = sizeof(opslimit) + sizeof(memlimit) + sizeof(alg); // Reading parameters from file if (arg->cat_add_len < size) { sodium_free(sd_state); return FAIL; } // derive the key from the file header memcpy(p, arg->cat_add, size); arg->cat_add += size; opslimit = crypt_char_to_long_long(p); p += sizeof(opslimit); memlimit = crypt_char_to_long_long(p); p += sizeof(memlimit); alg = crypt_char_to_int(p); p += sizeof(alg); #ifdef FEAT_EVAL crypt_sodium_report_hash_params(opslimit, crypto_pwhash_OPSLIMIT_INTERACTIVE, (size_t)memlimit, crypto_pwhash_MEMLIMIT_INTERACTIVE, alg, crypto_pwhash_ALG_DEFAULT); #endif if (crypto_pwhash(dkey, sizeof(dkey), (const char *)key, STRLEN(key), arg->cat_salt, opslimit, (size_t)memlimit, alg) != 0) { // out of memory sodium_free(sd_state); return FAIL; } memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES); retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES); retval += sodium_mlock(key, STRLEN(key)); if (retval < 0) { emsg(_(e_encryption_sodium_mlock_failed)); sodium_free(sd_state); return FAIL; } } sd_state->count = 0; state->method_state = sd_state; return OK; # else emsg(_(e_libsodium_not_built_in)); return FAIL; # endif } /* * Encrypt "from[len]" into "to[len]". * "from" and "to" can be equal to encrypt in place. * Call needs to ensure that there is enough space in to (for the header) */ #if 0 // Currently unused void crypt_sodium_encode( cryptstate_T *state UNUSED, char_u *from UNUSED, size_t len UNUSED, char_u *to UNUSED, int last UNUSED) { # ifdef FEAT_SODIUM // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES sodium_state_T *sod_st = state->method_state; unsigned char tag = last ? crypto_secretstream_xchacha20poly1305_TAG_FINAL : 0; if (sod_st->count == 0) { if (len <= crypto_secretstream_xchacha20poly1305_HEADERBYTES) { emsg(_(e_libsodium_cannot_encrypt_header)); return; } crypto_secretstream_xchacha20poly1305_init_push(&sod_st->state, to, sod_st->key); to += crypto_secretstream_xchacha20poly1305_HEADERBYTES; } if (sod_st->count && len <= crypto_secretstream_xchacha20poly1305_ABYTES) { emsg(_(e_libsodium_cannot_encrypt_buffer)); return; } crypto_secretstream_xchacha20poly1305_push(&sod_st->state, to, NULL, from, len, NULL, 0, tag); sod_st->count++; # endif } #endif /* * Decrypt "from[len]" into "to[len]". * "from" and "to" can be equal to encrypt in place. */ #if 0 // Currently unused void crypt_sodium_decode( cryptstate_T *state UNUSED, char_u *from UNUSED, size_t len UNUSED, char_u *to UNUSED, int last UNUSED) { # ifdef FEAT_SODIUM // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES sodium_state_T *sod_st = state->method_state; unsigned char tag; unsigned long long buf_len; char_u *p1 = from; char_u *p2 = to; char_u *buf_out; if (sod_st->count == 0 && len <= crypto_secretstream_xchacha20poly1305_HEADERBYTES) { emsg(_(e_libsodium_cannot_decrypt_header)); return; } buf_out = (char_u *)alloc(len); if (buf_out == NULL) { emsg(_(e_libsodium_cannot_allocate_buffer)); return; } if (sod_st->count == 0) { if (crypto_secretstream_xchacha20poly1305_init_pull( &sod_st->state, from, sod_st->key) != 0) { emsg(_(e_libsodium_decryption_failed_header_incomplete)); goto fail; } from += crypto_secretstream_xchacha20poly1305_HEADERBYTES; len -= crypto_secretstream_xchacha20poly1305_HEADERBYTES; if (p1 == p2) to += crypto_secretstream_xchacha20poly1305_HEADERBYTES; } if (sod_st->count && len <= crypto_secretstream_xchacha20poly1305_ABYTES) { emsg(_(e_libsodium_cannot_decrypt_buffer)); goto fail; } if (crypto_secretstream_xchacha20poly1305_pull(&sod_st->state, buf_out, &buf_len, &tag, from, len, NULL, 0) != 0) { emsg(_(e_libsodium_decryption_failed)); goto fail; } sod_st->count++; if (tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL && !last) { emsg(_(e_libsodium_decryption_failed_premature)); goto fail; } if (p1 == p2) mch_memmove(p2, buf_out, buf_len); fail: vim_free(buf_out); # endif } #endif /* * Encrypt "from[len]" into "to[len]". * "from" and "to" can be equal to encrypt in place. */ static long crypt_sodium_buffer_encode( cryptstate_T *state UNUSED, char_u *from UNUSED, size_t len UNUSED, char_u **buf_out UNUSED, int last UNUSED) { # ifdef FEAT_SODIUM // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES unsigned long long out_len; char_u *ptr; unsigned char tag = last ? crypto_secretstream_xchacha20poly1305_TAG_FINAL : 0; int length; sodium_state_T *sod_st = state->method_state; int first = (sod_st->count == 0); length = (int)len + crypto_secretstream_xchacha20poly1305_ABYTES + (first ? crypto_secretstream_xchacha20poly1305_HEADERBYTES : 0); *buf_out = alloc_clear(length); if (*buf_out == NULL) { emsg(_(e_libsodium_cannot_allocate_buffer)); return -1; } ptr = *buf_out; if (first) { crypto_secretstream_xchacha20poly1305_init_push(&sod_st->state, ptr, sod_st->key); ptr += crypto_secretstream_xchacha20poly1305_HEADERBYTES; } crypto_secretstream_xchacha20poly1305_push(&sod_st->state, ptr, &out_len, from, len, NULL, 0, tag); sod_st->count++; return out_len + (first ? crypto_secretstream_xchacha20poly1305_HEADERBYTES : 0); # else return -1; # endif } /* * Decrypt "from[len]" into "to[len]". * "from" and "to" can be equal to encrypt in place. */ static long crypt_sodium_buffer_decode( cryptstate_T *state UNUSED, char_u *from UNUSED, size_t len UNUSED, char_u **buf_out UNUSED, int last UNUSED) { # ifdef FEAT_SODIUM // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES sodium_state_T *sod_st = state->method_state; unsigned char tag; unsigned long long out_len; if (sod_st->count == 0 && state->method_nr == CRYPT_M_SOD && len > WRITEBUFSIZE + crypto_secretstream_xchacha20poly1305_HEADERBYTES + crypto_secretstream_xchacha20poly1305_ABYTES) len -= cryptmethods[CRYPT_M_SOD2].add_len; *buf_out = alloc_clear(len); if (*buf_out == NULL) { emsg(_(e_libsodium_cannot_allocate_buffer)); return -1; } if (sod_st->count == 0) { if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state, from, sod_st->key) != 0) { emsg(_(e_libsodium_decryption_failed_header_incomplete)); return -1; } from += crypto_secretstream_xchacha20poly1305_HEADERBYTES; len -= crypto_secretstream_xchacha20poly1305_HEADERBYTES; sod_st->count++; } if (crypto_secretstream_xchacha20poly1305_pull(&sod_st->state, *buf_out, &out_len, &tag, from, len, NULL, 0) != 0) { emsg(_(e_libsodium_decryption_failed)); return -1; } if (tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL && !last) emsg(_(e_libsodium_decryption_failed_premature)); return (long) out_len; # else return -1; # endif } # if defined(FEAT_SODIUM) || defined(PROTO) void crypt_sodium_lock_key(char_u *key) { if (sodium_init() >= 0) sodium_mlock(key, STRLEN(key)); } int crypt_sodium_munlock(void *const addr, const size_t len) { return sodium_munlock(addr, len); } void crypt_sodium_randombytes_buf(void *const buf, const size_t size) { randombytes_buf(buf, size); } int crypt_sodium_init(void) { return sodium_init(); } uint32_t crypt_sodium_randombytes_random(void) { return randombytes_random(); } #if defined(FEAT_EVAL) || defined(PROTO) static void crypt_sodium_report_hash_params( unsigned long long opslimit, unsigned long long ops_def, size_t memlimit, size_t mem_def, int alg, int alg_def) { if (p_verbose > 0) { verbose_enter(); if (opslimit != ops_def) smsg(_("xchacha20v2: using custom opslimit \"%llu\" for Key derivation."), opslimit); else smsg(_("xchacha20v2: using default opslimit \"%llu\" for Key derivation."), opslimit); if (memlimit != mem_def) smsg(_("xchacha20v2: using custom memlimit \"%lu\" for Key derivation."), (unsigned long)memlimit); else smsg(_("xchacha20v2: using default memlimit \"%lu\" for Key derivation."), (unsigned long)memlimit); if (alg != alg_def) smsg(_("xchacha20v2: using custom algorithm \"%d\" for Key derivation."), alg); else smsg(_("xchacha20v2: using default algorithm \"%d\" for Key derivation."), alg); verbose_leave(); } } #endif static void crypt_long_long_to_char(long long n, char_u *s) { int i; for (i = 0; i < 8; i++) { s[i] = (char_u)(n & 0xff); n = (unsigned)n >> 8; } } static void crypt_int_to_char(int n, char_u *s) { int i; for (i = 0; i < 4; i++) { s[i] = (char_u)(n & 0xff); n = (unsigned)n >> 8; } } static long long crypt_char_to_long_long(char_u *s) { unsigned long long retval = 0; int i; for (i = 7; i >= 0; i--) { if (i == 7) retval = s[i]; else retval |= s[i]; if (i > 0) retval <<= 8; } return retval; } static int crypt_char_to_int(char_u *s) { int retval = 0; int i; for (i = 3; i >= 0; i--) { if (i == 3) retval = s[i]; else retval |= s[i]; if (i > 0) retval <<= 8; } return retval; } # endif #endif // FEAT_CRYPT