diff --git a/oscar/SleepLib/crypto.cpp b/oscar/SleepLib/crypto.cpp new file mode 100644 index 00000000..1791a646 --- /dev/null +++ b/oscar/SleepLib/crypto.cpp @@ -0,0 +1,91 @@ +/* SleepLib cryptography abstraction +* +* Copyright (c) 2021-2022 The OSCAR Team +* +* This file is subject to the terms and conditions of the GNU General Public +* License. See the file COPYING in the main directory of the source code +* for more details. */ + +#include + +#include "SleepLib/crypto.h" +#include "SleepLib/thirdparty/botan_all.h" + +CryptoResult decrypt_aes256(const QByteArray & key, const QByteArray & ciphertext, QByteArray & plaintext) +{ + CryptoResult result = OK; + plaintext.clear(); + try { + const std::vector botan_key(key.begin(), key.end()); + Botan::secure_vector botan_message(ciphertext.begin(), ciphertext.end()); + + std::unique_ptr dec = Botan::BlockCipher::create("AES-256"); + dec->set_key(botan_key); + dec->decrypt(botan_message); + QByteArray message((char*) botan_message.data(), botan_message.size()); + plaintext = message; + } + catch (std::exception& e) { + // Make sure no Botan exceptions leak out and terminate the application. + qWarning() << "Unexpected exception in decrypt_aes256:" << e.what(); + result = UnknownError; + } + return result; +} + +CryptoResult decrypt_aes256_gcm(const QByteArray & key, + const QByteArray & iv, const QByteArray & ciphertext, const QByteArray & tag, + QByteArray & plaintext) +{ + CryptoResult result = OK; + plaintext.clear(); + try { + const std::vector botan_key(key.begin(), key.end()); + const std::vector botan_iv(iv.begin(), iv.end()); + const std::vector botan_tag(tag.begin(), tag.end()); + + Botan::secure_vector botan_message(ciphertext.begin(), ciphertext.end()); + botan_message += botan_tag; + + std::unique_ptr dec = Botan::Cipher_Mode::create("AES-256/GCM", Botan::DECRYPTION); + dec->set_key(botan_key); + dec->start(botan_iv); + try { + dec->finish(botan_message); + //qDebug() << QString::fromStdString(Botan::hex_encode(message.data(), message.size())); + QByteArray message((char*) botan_message.data(), botan_message.size()); + plaintext = message; + } + catch (const Botan::Invalid_Authentication_Tag& e) { + result = InvalidTag; + } + } + catch (std::exception& e) { + // Make sure no Botan exceptions leak out and terminate the application. + qWarning() << "Unexpected exception in decrypt_aes256_gcm:" << e.what(); + result = UnknownError; + } + return result; +} + +CryptoResult pbkdf2_sha256(const QByteArray & passphrase, const QByteArray & salt, int iterations, QByteArray & key) +{ + CryptoResult result = OK; + try { + std::unique_ptr family = Botan::PasswordHashFamily::create("PBKDF2(SHA-256)"); + std::unique_ptr kdf = family->from_params(iterations); + Botan::secure_vector botan_key(key.size()); + kdf->derive_key(botan_key.data(), botan_key.size(), + (const char*) passphrase.data(), passphrase.size(), + (const uint8_t*) salt.data(), salt.size()); + QByteArray output((char*) botan_key.data(), botan_key.size()); + key = output; + } + catch (std::exception& e) { + // Make sure no Botan exceptions leak out and terminate the application. + qWarning() << "Unexpected exception in pbkdf2_sha256:" << e.what(); + result = UnknownError; + key.clear(); + } + return result; +} diff --git a/oscar/SleepLib/crypto.h b/oscar/SleepLib/crypto.h new file mode 100644 index 00000000..ec7907e6 --- /dev/null +++ b/oscar/SleepLib/crypto.h @@ -0,0 +1,27 @@ +/* SleepLib cryptography abstraction +* +* Copyright (c) 2021-2022 The OSCAR Team +* +* This file is subject to the terms and conditions of the GNU General Public +* License. See the file COPYING in the main directory of the source code +* for more details. */ + +#ifndef CRYPTO_H +#define CRYPTO_H + +#include + +enum CryptoResult +{ + OK = 0, + UnknownError = -1, + InvalidTag = 1, +}; + +CryptoResult decrypt_aes256(const QByteArray & key, const QByteArray & ciphertext, QByteArray & plaintext); +CryptoResult decrypt_aes256_gcm(const QByteArray & key, + const QByteArray & iv, const QByteArray & ciphertext, const QByteArray & tag, + QByteArray & plaintext); +CryptoResult pbkdf2_sha256(const QByteArray & passphrase, const QByteArray & salt, int iterations, QByteArray & key); + +#endif // CRYPTO_H diff --git a/oscar/SleepLib/loader_plugins/prs1_loader.cpp b/oscar/SleepLib/loader_plugins/prs1_loader.cpp index b91dd466..17f2c5fd 100644 --- a/oscar/SleepLib/loader_plugins/prs1_loader.cpp +++ b/oscar/SleepLib/loader_plugins/prs1_loader.cpp @@ -24,6 +24,7 @@ #include "prs1_parser.h" #include "SleepLib/session.h" #include "SleepLib/calcs.h" +#include "SleepLib/crypto.h" #include "rawdata.h" @@ -248,8 +249,6 @@ const char* PRS1ModelInfo::Name(const QString & model) const //******************************************************************************************** -#include "SleepLib/thirdparty/botan_all.h" - // Decoder for DreamStation 2 files, which encrypt the actual data after a header with the key. // The public read/seek/pos/etc. functions are all in terms of the decoded stream. class PRDS2File : public RawDataFile @@ -344,34 +343,22 @@ qint64 PRDS2File::readData(char *data, qint64 maxSize) bool PRDS2File::decryptData() { bool valid = false; - try { - QByteArray ciphertext = m_device.read(m_device.size() - m_device.pos()); + QByteArray ciphertext = m_device.read(m_device.size() - m_device.pos()); + QByteArray plaintext; - const std::vector key(m_payload_key.begin(), m_payload_key.end()); - const std::vector iv(m_iv.begin(), m_iv.end()); - const std::vector tag(m_payload_tag.begin(), m_payload_tag.end()); + CryptoResult error = decrypt_aes256_gcm(m_payload_key, m_iv, ciphertext, m_payload_tag, plaintext); - Botan::secure_vector message(ciphertext.begin(), ciphertext.end()); - message += tag; - - std::unique_ptr dec = Botan::Cipher_Mode::create("AES-256/GCM", Botan::DECRYPTION); - dec->set_key(key); - dec->start(iv); - try { - dec->finish(message); - //qDebug() << QString::fromStdString(Botan::hex_encode(message.data(), message.size())); - m_payload.setData((char*) message.data(), message.size()); - m_payload.open(QIODevice::ReadOnly); - valid = true; - } - catch (const Botan::Invalid_Authentication_Tag& e) { + if (error) { + if (error == InvalidTag) { // This has been observed where the tag is zero and the data appears truncated. qWarning() << name() << "DS2 payload doesn't match tag, skipping"; + } else { + qWarning() << "*** DS2 unexpected exception decrypting" << name(); } - } - catch (exception& e) { - // Make sure no Botan exceptions leak out and terminate the application. - qWarning() << "*** DS2 unexpected exception decrypting" << name() << ":" << e.what(); + } else { + m_payload.setData(plaintext); + m_payload.open(QIODevice::ReadOnly); + valid = true; } return valid; } @@ -381,45 +368,36 @@ static const int KEY_SIZE = 256 / 8; // AES-256 static const uint8_t OSCAR_KEY[KEY_SIZE+1] = "Patient access to their own data"; static const uint8_t COMMON_KEY[KEY_SIZE] = { 0x75, 0xB3, 0xA2, 0x12, 0x4A, 0x65, 0xAF, 0x97, 0x54, 0xD8, 0xC1, 0xF3, 0xE5, 0x2E, 0xB6, 0xF0, 0x23, 0x20, 0x57, 0x69, 0x7E, 0x38, 0x0E, 0xC9, 0x4A, 0xDC, 0x46, 0x45, 0xB6, 0x92, 0x5A, 0x98 }; +static const QByteArray s_oscar_key((const char*) OSCAR_KEY, KEY_SIZE); +static const QByteArray s_common_key((const char*) COMMON_KEY, KEY_SIZE); + bool PRDS2File::initializeKey() { bool valid = false; - try { - Botan::secure_vector common_key(COMMON_KEY, COMMON_KEY + KEY_SIZE); - Botan::secure_vector oscar_key(OSCAR_KEY, OSCAR_KEY + KEY_SIZE); - std::unique_ptr oscar = Botan::BlockCipher::create("AES-256"); - oscar->set_key(oscar_key); - oscar->decrypt(common_key); + QByteArray common_key; - std::unique_ptr family = Botan::PasswordHashFamily::create("PBKDF2(SHA-256)"); - std::unique_ptr kdf = family->from_params(10000); - Botan::secure_vector salted_key(KEY_SIZE); - kdf->derive_key(salted_key.data(), salted_key.size(), - (const char*) common_key.data(), common_key.size(), - (const uint8_t*) m_salt.data(), m_salt.size()); - - const std::vector iv(m_iv.begin(), m_iv.end()); - const std::vector tag(m_export_key_tag.begin(), m_export_key_tag.end()); - Botan::secure_vector message(m_export_key.begin(), m_export_key.end()); - message += tag; - - std::unique_ptr dec = Botan::Cipher_Mode::create("AES-256/GCM", Botan::DECRYPTION); - dec->set_key(salted_key); - dec->start(iv); - try { - dec->finish(message); - //qDebug() << QString::fromStdString(Botan::hex_encode(message.data(), message.size())); - QByteArray payload_key((char*) message.data(), message.size()); - m_payload_key = payload_key; - valid = true; - } - catch (const Botan::Invalid_Authentication_Tag& e) { - qWarning() << "DS2 validation of payload key failed for" << name(); - } + CryptoResult error = decrypt_aes256(s_oscar_key, s_common_key, common_key); + if (error) { + qWarning() << "*** DS2 unexpected exception deriving common key"; + return false; } - catch (exception& e) { - // Make sure no Botan exceptions leak out and terminate the application. - qWarning() << "*** DS2 unexpected exception deriving key for" << name() << ":" << e.what(); + + QByteArray salted_key(KEY_SIZE, 0); + error = pbkdf2_sha256(common_key, m_salt, 10000, salted_key); + if (error) { + qWarning() << "*** DS2 unexpected exception deriving salted key for" << name(); + return false; + } + + error = decrypt_aes256_gcm(salted_key, m_iv, m_export_key, m_export_key_tag, m_payload_key); + if (error) { + if (error == InvalidTag) { + qWarning() << "DS2 validation of payload key failed for" << name(); + } else { + qWarning() << "*** DS2 unexpected exception deriving key for" << name(); + } + } else { + valid = true; } return valid; } diff --git a/oscar/oscar.pro b/oscar/oscar.pro index 2b78e10d..f791dfc2 100644 --- a/oscar/oscar.pro +++ b/oscar/oscar.pro @@ -312,6 +312,7 @@ SOURCES += \ SleepLib/loader_plugins/viatom_loader.cpp \ SleepLib/loader_plugins/zeo_loader.cpp \ SleepLib/thirdparty/botan_all.cpp \ + SleepLib/crypto.cpp \ zip.cpp \ SleepLib/thirdparty/miniz.c \ csv.cpp \ @@ -402,6 +403,7 @@ HEADERS += \ SleepLib/thirdparty/botan_windows.h \ SleepLib/thirdparty/botan_linux.h \ SleepLib/thirdparty/botan_macos.h \ + SleepLib/crypto.h \ zip.h \ SleepLib/thirdparty/miniz.h \ csv.h \ @@ -583,6 +585,7 @@ test { tests/versiontests.cpp \ tests/viatomtests.cpp \ tests/deviceconnectiontests.cpp \ + tests/cryptotests.cpp \ tests/dreemtests.cpp \ tests/zeotests.cpp @@ -595,6 +598,7 @@ test { tests/versiontests.h \ tests/viatomtests.h \ tests/deviceconnectiontests.h \ + tests/cryptotests.h \ tests/dreemtests.h \ tests/zeotests.h } diff --git a/oscar/tests/cryptotests.cpp b/oscar/tests/cryptotests.cpp new file mode 100644 index 00000000..fcfba50d --- /dev/null +++ b/oscar/tests/cryptotests.cpp @@ -0,0 +1,103 @@ +/* Cryptographic Abstraction Unit Tests + * + * Copyright (c) 2021-2022 The OSCAR Team + * + * This file is subject to the terms and conditions of the GNU General Public + * License. See the file COPYING in the main directory of the source code + * for more details. */ + +#include "cryptotests.h" +#include "SleepLib/crypto.h" + +void CryptoTests::testAES256() +{ + // From FIPS-197 C.3 + QByteArray expected_plaintext = QByteArray::fromHex("00112233445566778899aabbccddeeff"); + QByteArray key = QByteArray::fromHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"); + QByteArray ciphertext = QByteArray::fromHex("8ea2b7ca516745bfeafc49904b496089"); + + QByteArray plaintext; + CryptoResult result = decrypt_aes256(key, ciphertext, plaintext); + Q_ASSERT(result == OK); + Q_ASSERT(plaintext == expected_plaintext); +} + + +// From https://luca-giuzzi.unibs.it/corsi/Support/papers-cryptography/gcm-spec.pdf +typedef struct AES256GCMVector_t +{ + const char* key; + const char* p; + const char* iv; + const char* c; + const char* tag; +} AES256GCMVector_t; +static const int s_AES256GCMVectorCount = 3; +static const AES256GCMVector_t s_AES256GCMVectors[s_AES256GCMVectorCount] = { + // Test Case 13 + { + "0000000000000000000000000000000000000000000000000000000000000000", + "", + "000000000000000000000000", + "", + "530f8afbc74536b9a963b4f1c4cb738b" + }, + // Test Case 14 + { + "0000000000000000000000000000000000000000000000000000000000000000", + "00000000000000000000000000000000", + "000000000000000000000000", + "cea7403d4d606b6e074ec5d3baf39d18", + "d0d1c8a799996bf0265b98b5d48ab919" + }, + // Test Case 15 + { + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "cafebabefacedbaddecaf888", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad", + "b094dac5d93471bdec1a502270e3cc6c" + } +}; + +void CryptoTests::testAES256GCM() +{ + QByteArray empty; + for (int i = 0; i < s_AES256GCMVectorCount; i++) { + const AES256GCMVector_t* v = &s_AES256GCMVectors[i]; + QByteArray key = QByteArray::fromHex(v->key); + QByteArray expected_plaintext = QByteArray::fromHex(v->p); + QByteArray iv = QByteArray::fromHex(v->iv); + QByteArray ciphertext = QByteArray::fromHex(v->c); + QByteArray tag = QByteArray::fromHex(v->tag); + + QByteArray plaintext; + CryptoResult result = decrypt_aes256_gcm(key, iv, ciphertext, tag, plaintext); + Q_ASSERT(result == OK); + Q_ASSERT(plaintext == expected_plaintext); + + tag = QByteArray::fromHex(s_AES256GCMVectors[(i+1) % s_AES256GCMVectorCount].tag); + result = decrypt_aes256_gcm(key, iv, ciphertext, tag, plaintext); + Q_ASSERT(result == InvalidTag); + Q_ASSERT(plaintext == empty); + } +} + + +void CryptoTests::testPBKDF2_SHA256() +{ + // From RFC 7914 section 11 + QByteArray passphrase("passwd"); + QByteArray salt("salt"); + int iterations = 1; + QByteArray expected_key = QByteArray::fromHex( + "55 ac 04 6e 56 e3 08 9f ec 16 91 c2 25 44 b6 05" + "f9 41 85 21 6d de 04 65 e6 8b 9d 57 c2 0d ac bc" + "49 ca 9c cc f1 79 b6 45 99 16 64 b3 9d 77 ef 31" + "7c 71 b8 45 b1 e3 0b d5 09 11 20 41 d3 a1 97 83"); + + QByteArray derived_key(expected_key.size(), 0); + CryptoResult result = pbkdf2_sha256(passphrase, salt, iterations, derived_key); + Q_ASSERT(result == OK); + Q_ASSERT(derived_key == expected_key); +} diff --git a/oscar/tests/cryptotests.h b/oscar/tests/cryptotests.h new file mode 100644 index 00000000..655ea9e7 --- /dev/null +++ b/oscar/tests/cryptotests.h @@ -0,0 +1,20 @@ +/* Cryptographic Abstraction Unit Tests + * + * Copyright (c) 2021-2022 The OSCAR Team + * + * This file is subject to the terms and conditions of the GNU General Public + * License. See the file COPYING in the main directory of the source code + * for more details. */ + +#include "tests/AutoTest.h" + +class CryptoTests : public QObject +{ + Q_OBJECT +private slots: + void testAES256(); + void testAES256GCM(); + void testPBKDF2_SHA256(); +}; +DECLARE_TEST(CryptoTests) +