From 7371cbebe70418fd139a25e2929afb4483e93777 Mon Sep 17 00:00:00 2001 From: Gabriele Gristina Date: Sun, 4 Jul 2021 20:14:25 +0200 Subject: [PATCH] add min/max data length limits to MetaMask Wallet --- OpenCL/inc_cipher_aes-gcm.cl | 2 +- OpenCL/m26600-pure.cl | 214 +---------------------------------- src/modules/module_26600.c | 57 ++++++---- tools/test_modules/m26600.pm | 14 ++- 4 files changed, 47 insertions(+), 240 deletions(-) diff --git a/OpenCL/inc_cipher_aes-gcm.cl b/OpenCL/inc_cipher_aes-gcm.cl index fb560558c..b8d9bd1f9 100644 --- a/OpenCL/inc_cipher_aes-gcm.cl +++ b/OpenCL/inc_cipher_aes-gcm.cl @@ -219,7 +219,7 @@ DECLSPEC void AES_GCM_gctr (const u32 *key, const u32 *iv, const u32 *in, int in iv_buf[2] = iv[2]; iv_buf[3] = iv[3]; - const int n = in_len / 16; + const u32 n = in_len / 16; for (u32 i = 0; i < n; i++) { diff --git a/OpenCL/m26600-pure.cl b/OpenCL/m26600-pure.cl index fca3bcfcf..eaa22a061 100644 --- a/OpenCL/m26600-pure.cl +++ b/OpenCL/m26600-pure.cl @@ -34,7 +34,7 @@ typedef struct pbkdf2_sha256_aes_gcm u32 salt_buf[64]; u32 iv_buf[4]; u32 iv_len; - u32 ct_buf[192]; + u32 ct_buf[196]; u32 ct_len; } pbkdf2_sha256_aes_gcm_t; @@ -349,34 +349,6 @@ KERNEL_FQ void m26600_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, pbkdf2_sh // ct - /* - u32 enc[14] = { 0 }; - - enc[ 0] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 0]; - enc[ 1] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 1]; - enc[ 2] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 2]; - enc[ 3] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 3]; - enc[ 4] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 4]; - enc[ 5] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 5]; - enc[ 6] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 6]; - enc[ 7] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 7]; - enc[ 8] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 8]; - enc[ 9] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 9]; - enc[10] = esalt_bufs[DIGESTS_OFFSET].ct_buf[10]; - enc[11] = esalt_bufs[DIGESTS_OFFSET].ct_buf[11]; - enc[12] = esalt_bufs[DIGESTS_OFFSET].ct_buf[12]; - enc[13] = esalt_bufs[DIGESTS_OFFSET].ct_buf[13]; - - u32 enc_len = esalt_bufs[DIGESTS_OFFSET].ct_len; - */ - - /* - // decrypt buffer is not usefull here, skip - u32 dec[14] = { 0 }; - - AES_GCM_GCTR (key, J0, enc, enc_len, dec, s_te0, s_te1, s_te2, s_te3, s_te4); - */ - u32 T[4] = { 0 }; u32 S[4] = { 0 }; @@ -384,8 +356,6 @@ KERNEL_FQ void m26600_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, pbkdf2_sh u32 aad_buf[4] = { 0 }; u32 aad_len = 0; - //AES_GCM_GHASH (subKey, aad_buf, aad_len, enc, enc_len, S); - AES_GCM_GHASH_GLOBAL (subKey, aad_buf, aad_len, esalt_bufs[DIGESTS_OFFSET].ct_buf, esalt_bufs[DIGESTS_OFFSET].ct_len, S); AES_GCM_GCTR (key, J0, S, S_len, T, s_te0, s_te1, s_te2, s_te3, s_te4); @@ -403,185 +373,3 @@ KERNEL_FQ void m26600_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, pbkdf2_sh #include COMPARE_M #endif } - -/* -Optimized GCM: No real speed benefit. For documentation purpose - -KERNEL_FQ void m26600_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, pbkdf2_sha256_aes_gcm_t)) -{ - const u64 gid = get_global_id (0); - const u64 lid = get_local_id (0); - const u64 lsz = get_local_size (0); - - #ifdef REAL_SHM - - LOCAL_VK u32 s_te0[256]; - LOCAL_VK u32 s_te1[256]; - LOCAL_VK u32 s_te2[256]; - LOCAL_VK u32 s_te3[256]; - LOCAL_VK u32 s_te4[256]; - - for (u32 i = lid; i < 256; i += lsz) - { - s_te0[i] = te0[i]; - s_te1[i] = te1[i]; - s_te2[i] = te2[i]; - s_te3[i] = te3[i]; - s_te4[i] = te4[i]; - } - - SYNC_THREADS (); - - #else - - CONSTANT_AS u32a *s_te0 = te0; - CONSTANT_AS u32a *s_te1 = te1; - CONSTANT_AS u32a *s_te2 = te2; - CONSTANT_AS u32a *s_te3 = te3; - CONSTANT_AS u32a *s_te4 = te4; - - #endif - - if (gid >= gid_max) return; - - // keys - - u32 ukey[8]; - - ukey[0] = tmps[gid].out[0]; - ukey[1] = tmps[gid].out[1]; - ukey[2] = tmps[gid].out[2]; - ukey[3] = tmps[gid].out[3]; - ukey[4] = tmps[gid].out[4]; - ukey[5] = tmps[gid].out[5]; - ukey[6] = tmps[gid].out[6]; - ukey[7] = tmps[gid].out[7]; - - u32 key[60] = { 0 }; - - u32 subKey[4] = { 0 }; - - AES256_set_encrypt_key (key, ukey, s_te0, s_te1, s_te2, s_te3); - - AES256_encrypt (key, subKey, subKey, s_te0, s_te1, s_te2, s_te3, s_te4); - - // iv - - const u32 iv[4] = { - esalt_bufs[DIGESTS_OFFSET].iv_buf[0], - esalt_bufs[DIGESTS_OFFSET].iv_buf[1], - esalt_bufs[DIGESTS_OFFSET].iv_buf[2], - esalt_bufs[DIGESTS_OFFSET].iv_buf[3] - }; - - u32 J0[4] = { - iv[0], - iv[1], - iv[2], - 0x00000001 - }; - - // ct - - u32 enc[14] = { 0 }; - - enc[ 0] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 0]; - enc[ 1] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 1]; - enc[ 2] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 2]; - enc[ 3] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 3]; - enc[ 4] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 4]; - enc[ 5] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 5]; - enc[ 6] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 6]; - enc[ 7] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 7]; - enc[ 8] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 8]; - enc[ 9] = esalt_bufs[DIGESTS_OFFSET].ct_buf[ 9]; - enc[10] = esalt_bufs[DIGESTS_OFFSET].ct_buf[10]; - enc[11] = esalt_bufs[DIGESTS_OFFSET].ct_buf[11]; - enc[12] = esalt_bufs[DIGESTS_OFFSET].ct_buf[12]; - enc[13] = esalt_bufs[DIGESTS_OFFSET].ct_buf[13]; - - u32 enc_len = esalt_bufs[DIGESTS_OFFSET].ct_len; - - u32 S[4] = { 0 }; - - u32 t[4] = { 0 }; - - S[0] ^= enc[0]; - S[1] ^= enc[1]; - S[2] ^= enc[2]; - S[3] ^= enc[3]; - - AES_GCM_gf_mult (S, subKey, t); - - S[0] = t[0] ^ enc[4]; - S[1] = t[1] ^ enc[5]; - S[2] = t[2] ^ enc[6]; - S[3] = t[3] ^ enc[7]; - - AES_GCM_gf_mult (S, subKey, t); - - S[0] = t[0] ^ enc[8]; - S[1] = t[1] ^ enc[9]; - S[2] = t[2] ^ enc[10]; - S[3] = t[3] ^ enc[11]; - - AES_GCM_gf_mult (S, subKey, t); - - S[0] = t[0]; - S[1] = t[1]; - S[2] = t[2]; - S[3] = t[3]; - - t[0] = enc[12]; - t[1] = enc[13]; - t[2] = 0; - t[3] = 0; - - S[0] ^= t[0]; - S[1] ^= t[1]; - S[2] ^= t[2]; - S[3] ^= t[3]; - - AES_GCM_gf_mult (S, subKey, t); - - S[0] = t[0]; - S[1] = t[1]; - S[2] = t[2]; - S[3] = t[3]; - - u32 len_buf[4] = { 0 }; - - len_buf[0] = 0; - len_buf[3] = enc_len * 8; - - S[0] ^= len_buf[0]; - S[1] ^= len_buf[1]; - S[2] ^= len_buf[2]; - S[3] ^= len_buf[3]; - - AES_GCM_gf_mult (S, subKey, t); - - S[0] = t[0]; - S[1] = t[1]; - S[2] = t[2]; - S[3] = t[3]; - - J0[3] = 0x00000001; - - u32 T[4] = { 0 }; - - AES256_encrypt (key, J0, T, s_te0, s_te1, s_te2, s_te3, s_te4); - - const u32 r0 = T[0] ^ S[0]; - const u32 r1 = T[1] ^ S[1]; - const u32 r2 = T[2] ^ S[2]; - const u32 r3 = T[3] ^ S[3]; - - #define il_pos 0 - - #ifdef KERNEL_STATIC - #include COMPARE_M - #endif -} - -*/ diff --git a/src/modules/module_26600.c b/src/modules/module_26600.c index 46bc0c2b9..ac271b515 100644 --- a/src/modules/module_26600.c +++ b/src/modules/module_26600.c @@ -57,7 +57,7 @@ typedef struct pbkdf2_sha256_aes_gcm u32 salt_buf[64]; u32 iv_buf[4]; u32 iv_len; - u32 ct_buf[192]; + u32 ct_buf[196]; u32 ct_len; } pbkdf2_sha256_aes_gcm_t; @@ -113,6 +113,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE pbkdf2_sha256_aes_gcm_t *metamask = (pbkdf2_sha256_aes_gcm_t *) esalt_buf; + #define CT_MAX_LEN_BASE64 ((768 * 8) / 6) + 3 + token_t token; token.token_cnt = 4; @@ -137,8 +139,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE | TOKEN_ATTR_VERIFY_BASE64A; token.sep[3] = '$'; - token.len_min[3] = 248; - token.len_max[3] = 248; + token.len_min[3] = 64; + token.len_max[3] = CT_MAX_LEN_BASE64; token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH | TOKEN_ATTR_VERIFY_BASE64A; @@ -146,7 +148,7 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE if (rc_tokenizer != PARSER_OK) return (rc_tokenizer); - u8 tmp_buf[512] = { 0 }; + u8 tmp_buf[CT_MAX_LEN_BASE64] = { 0 }; size_t tmp_len = 0; @@ -189,7 +191,7 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE if (tmp_len != 16) return (PARSER_IV_LENGTH); - memcpy ((u8 *)metamask->iv_buf, tmp_buf, tmp_len); + memcpy ((u8 *) metamask->iv_buf, tmp_buf, tmp_len); metamask->iv_buf[0] = byte_swap_32 (metamask->iv_buf[0]); metamask->iv_buf[1] = byte_swap_32 (metamask->iv_buf[1]); @@ -207,24 +209,27 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE tmp_len = base64_decode (base64_to_int, ct_pos, ct_len, tmp_buf); - if (tmp_len != 185) return (PARSER_CT_LENGTH); + if (tmp_len <= 16) return (PARSER_CT_LENGTH); - memcpy ((u8 *)metamask->ct_buf, tmp_buf, tmp_len - 16); + tmp_len -= 16; - for (u32 i = 0; i < 43; i++) - { - metamask->ct_buf[i] = byte_swap_32 (metamask->ct_buf[i]); - } + if (tmp_len < 30 || tmp_len > 768) return (PARSER_CT_LENGTH); - metamask->ct_len = tmp_len - 16; + memcpy ((u8 *) metamask->ct_buf, tmp_buf, tmp_len); - // tag + u32 j = tmp_len / 4; + + if ((tmp_len % 4) > 0) j++; - u32 tag_buf[4]; + for (u32 i = 0; i < j; i++) metamask->ct_buf[i] = byte_swap_32 (metamask->ct_buf[i]); - memset (tag_buf, 0, sizeof (tag_buf)); + metamask->ct_len = tmp_len; - memcpy ((u8 *)tag_buf, tmp_buf+metamask->ct_len, 16); + // tag + + u32 tag_buf[4] = { 0 }; + + memcpy ((u8 *) tag_buf, tmp_buf+metamask->ct_len, 16); digest[0] = byte_swap_32 (tag_buf[0]); digest[1] = byte_swap_32 (tag_buf[1]); @@ -242,9 +247,9 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE // salt - #define SALT_LEN_BASE64 ((32 * 8) / 6) + 3 - #define IV_LEN_BASE64 ((16 * 8) / 6) + 3 - #define CT_LEN_BASE64 ((185 * 8) / 6) + 3 + #define SALT_LEN_BASE64 ((32 * 8) / 6) + 3 + #define IV_LEN_BASE64 ((16 * 8) / 6) + 3 + #define CT_MAX_LEN_BASE64 ((768 * 8) / 6) + 3 u8 salt_buf[SALT_LEN_BASE64] = { 0 }; @@ -259,15 +264,21 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE tmp_iv_buf[2] = byte_swap_32 (metamask->iv_buf[2]); tmp_iv_buf[3] = byte_swap_32 (metamask->iv_buf[3]); - u8 iv_buf[IV_LEN_BASE64] = { 0 }; + u8 iv_buf[IV_LEN_BASE64+1] = { 0 }; base64_encode (int_to_base64, (const u8 *) tmp_iv_buf, (const int) metamask->iv_len, iv_buf); // ct - u32 tmp_buf[47] = { 0 }; + u32 ct_len = metamask->ct_len; + + u32 j = ct_len / 4; + + if ((ct_len % 4) > 0) j++; + + u32 tmp_buf[196] = { 0 }; - for (int i = 0; i < 43; i++) tmp_buf[i] = byte_swap_32 (metamask->ct_buf[i]); + for (u32 i = 0; i < j; i++) tmp_buf[i] = byte_swap_32 (metamask->ct_buf[i]); u32 tmp_tag[4] = { 0 }; @@ -281,7 +292,7 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE memcpy (tmp_buf_str+metamask->ct_len, tmp_tag_str, 16); - u8 ct_buf[CT_LEN_BASE64] = { 0 }; + u8 ct_buf[CT_MAX_LEN_BASE64] = { 0 }; base64_encode (int_to_base64, (const u8 *) tmp_buf, (const int) metamask->ct_len+16, ct_buf); diff --git a/tools/test_modules/m26600.pm b/tools/test_modules/m26600.pm index 7b41ff2b7..3897bc670 100644 --- a/tools/test_modules/m26600.pm +++ b/tools/test_modules/m26600.pm @@ -21,6 +21,9 @@ sub module_generate_hash my $iv = shift // random_hex_string (32); my $ct = shift; + my $ct_min_len = 30; + my $ct_max_len = 768; + my $kdf = Crypt::PBKDF2->new ( hasher => Crypt::PBKDF2->hasher_from_algorithm ('HMACSHA2', 256), @@ -55,12 +58,12 @@ sub module_generate_hash } else { - $pt = "\xff" x 169; + $pt = "\xff" x ($ct_min_len + int(rand($ct_max_len - $ct_min_len)) + 1); } } else { - $pt = "\xff" x 169; + $pt = "\xff" x ($ct_min_len + int(rand($ct_max_len - $ct_min_len)) + 1); } my $aes = Crypt::AuthEnc::GCM->new ("AES", $key, $iv_bin); @@ -100,7 +103,12 @@ sub module_verify_hash return unless length $salt_bin == 32; return unless length $iv_bin == 16; - return unless length $ct_bin == 185; + + my $ct_len = length ($ct_bin); + my $ct_min_len = 30; + my $ct_max_len = 768; + + return unless ($ct_len >= $ct_min_len && $ct_len <= $ct_max_len); my $word_packed = pack_if_HEX_notation ($word);