File encfs-new-iv-initialization.patch of Package encfs

Overview Repositories Revisions Requests Users Attributes Meta

File encfs-new-iv-initialization.patch of Package encfs

---
 encfs/SSL_Cipher.cpp |   60 +++++++++++++++++++++++++++++++++++----------------
 encfs/SSL_Cipher.h   |    6 ++++-
 2 files changed, 47 insertions(+), 19 deletions(-)

Index: encfs-1.6.0/encfs/SSL_Cipher.h
===================================================================
--- encfs-1.6.0.orig/encfs/SSL_Cipher.h	2010-12-03 17:09:12.290131785 +0100
+++ encfs-1.6.0/encfs/SSL_Cipher.h	2010-12-03 17:10:43.482131783 +0100
@@ -137,8 +137,12 @@ class SSL_Cipher : public Cipher
     // hack to help with static builds
     static bool Enabled();
 private:
-    void setIVec( unsigned char *ivec, unsigned int seed, 
+    void setIVec( unsigned char *ivec, uint64_t seed,
 	    const shared_ptr<SSLKey> &key ) const;
+
+    // deprecated - for backward compatibility
+    void setIVec_old( unsigned char *ivec, unsigned int seed,
+            const shared_ptr<SSLKey> &key ) const;
 };
 
 
Index: encfs-1.6.0/encfs/SSL_Cipher.cpp
===================================================================
--- encfs-1.6.0.orig/encfs/SSL_Cipher.cpp	2009-11-29 23:04:12.000000000 +0100
+++ encfs-1.6.0/encfs/SSL_Cipher.cpp	2010-12-03 17:10:43.482131783 +0100
@@ -173,8 +173,9 @@ int TimedPBKDF2(const char *pass, int pa
 // We support both 2:0 and 1:0, hence current:revision:age = 2:0:1
 // - Version 2:1 adds support for Message Digest function interface
 // - Version 2:2 adds PBKDF2 for password derivation
-static Interface BlowfishInterface( "ssl/blowfish", 2, 2, 1 );
-static Interface AESInterface( "ssl/aes", 2, 2, 1 );
+// - Version 3:0 adds a new IV mechanism
+static Interface BlowfishInterface( "ssl/blowfish", 3, 0, 2 );
+static Interface AESInterface( "ssl/aes", 3, 0, 2 );
 
 #if defined(HAVE_EVP_BF)
 
@@ -399,13 +400,6 @@ CipherKey SSL_Cipher::newKey(const char
         int &iterationCount, long desiredDuration,
         const unsigned char *salt, int saltLen)
 {
-    const EVP_MD *md = EVP_sha1();
-    if(!md)
-    {
-	rError("Unknown digest SHA1");
-	return CipherKey();
-    }
-   
     shared_ptr<SSLKey> key( new SSLKey( _keySize, _ivLength) );
     
     if(iterationCount == 0)
@@ -441,13 +435,6 @@ CipherKey SSL_Cipher::newKey(const char
 
 CipherKey SSL_Cipher::newKey(const char *password, int passwdLength)
 {
-    const EVP_MD *md = EVP_sha1();
-    if(!md)
-    {
-	rError("Unknown digest SHA1");
-	return CipherKey();
-    }
-   
     shared_ptr<SSLKey> key( new SSLKey( _keySize, _ivLength) );
     
     int bytes = 0;
@@ -545,7 +532,7 @@ static uint64_t _checksum_64( SSLKey *ke
 
     HMAC_Final( &key->mac_ctx, md, &mdLen );
 
-    rAssert(mdLen != 0);
+    rAssert(mdLen >= 8);
 
     // chop this down to a 64bit value..
     unsigned char h[8] = {0,0,0,0,0,0,0,0};
@@ -690,9 +677,46 @@ int SSL_Cipher::cipherBlockSize() const
     return EVP_CIPHER_block_size( _blockCipher );
 }
 
-void SSL_Cipher::setIVec( unsigned char *ivec, unsigned int seed,
+void SSL_Cipher::setIVec( unsigned char *ivec, uint64_t seed,
 	const shared_ptr<SSLKey> &key) const
 {
+    if (iface.current() >= 3)
+    {
+        memcpy( ivec, IVData(key), _ivLength );
+
+        unsigned char md[EVP_MAX_MD_SIZE];
+        unsigned int mdLen = EVP_MAX_MD_SIZE;
+       
+        for(int i=0; i<8; ++i)
+        {
+            md[i] = (unsigned char)(seed & 0xff);
+            seed >>= 8;
+        }
+
+        // combine ivec and seed with HMAC
+        HMAC_Init_ex( &key->mac_ctx, 0, 0, 0, 0 );
+        HMAC_Update( &key->mac_ctx, ivec, _ivLength );
+        HMAC_Update( &key->mac_ctx, md, 8 );
+        HMAC_Final( &key->mac_ctx, md, &mdLen );
+        rAssert(mdLen >= _ivLength);
+
+        memcpy( ivec, md, _ivLength );
+    } else
+    {
+        setIVec_old(ivec, seed, key);
+    }
+}
+
+/** For backward compatibility.
+    A watermark attack was discovered against this IV setup.  If an attacker
+    could get a victim to store a carefully crafted file, they could later
+    determine if the victim had the file in encrypted storage (without
+    decrypting the file).
+  */
+void SSL_Cipher::setIVec_old(unsigned char *ivec,
+                             unsigned int seed,
+                             const shared_ptr<SSLKey> &key) const
+{
     /* These multiplication constants chosen as they represent (non optimal)
        Golumb rulers, the idea being to spread around the information in the
        seed.

Places

File encfs-new-iv-initialization.patch of Package encfs

Places