1 /***
2 This file is part of PulseAudio.
3
4 Copyright 2013 Martin Blanchard
5
6 PulseAudio is free software; you can redistribute it and/or modify
7 it under the terms of the GNU Lesser General Public License as published
8 by the Free Software Foundation; either version 2.1 of the License,
9 or (at your option) any later version.
10
11 PulseAudio is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with PulseAudio; if not, write to the Free Software
18 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
19 USA.
20 ***/
21
22 #ifdef HAVE_CONFIG_H
23 #include <config.h>
24 #endif
25
26 #include <stdlib.h>
27 #include <stdint.h>
28 #include <string.h>
29
30 #include <openssl/err.h>
31 #include <openssl/aes.h>
32 #include <openssl/rsa.h>
33 #include <openssl/bn.h>
34
35 #include <pulse/xmalloc.h>
36
37 #include <pulsecore/macro.h>
38 #include <pulsecore/random.h>
39
40 #include "raop-crypto.h"
41 #include "raop-util.h"
42
43 #define AES_CHUNK_SIZE 16
44
45 /* Openssl 1.1.0 broke compatibility. Before 1.1.0 we had to set RSA->n and
46 * RSA->e manually, but after 1.1.0 the RSA struct is opaque and we have to use
47 * RSA_set0_key(). RSA_set0_key() is a new function added in 1.1.0. We could
48 * depend on openssl 1.1.0, but it may take some time before distributions will
49 * be able to upgrade to the new openssl version. To insulate ourselves from
50 * such transition problems, let's implement RSA_set0_key() ourselves if it's
51 * not available. */
52 #if OPENSSL_VERSION_NUMBER < 0x10100000L
RSA_set0_key(RSA * r,BIGNUM * n,BIGNUM * e,BIGNUM * d)53 static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
54 r->n = n;
55 r->e = e;
56 return 1;
57 }
58 #endif
59
60 struct pa_raop_secret {
61 uint8_t key[AES_CHUNK_SIZE]; /* Key for aes-cbc */
62 uint8_t iv[AES_CHUNK_SIZE]; /* Initialization vector for cbc */
63 AES_KEY aes; /* AES encryption */
64 };
65
66 static const char rsa_modulus[] =
67 "59dE8qLieItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U3GhC/j0Qg90u3sG/1CUtwC"
68 "5vOYvfDmFI6oSFXi5ELabWJmT2dKHzBJKa3k9ok+8t9ucRqMd6DZHJ2YCCLlDR"
69 "KSKv6kDqnw4UwPdpOMXziC/AMj3Z/lUVX1G7WSHCAWKf1zNS1eLvqr+boEjXuB"
70 "OitnZ/bDzPHrTOZz0Dew0uowxf/+sG+NCK3eQJVxqcaJ/vEHKIVd2M+5qL71yJ"
71 "Q+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Zmni/UAaHqn9JdsBWLUEpVviYnh"
72 "imNVvYFZeCXg/IdTQ+x4IRdiXNv5hEew==";
73
74 static const char rsa_exponent[] =
75 "AQAB";
76
rsa_encrypt(uint8_t * data,int len,uint8_t * str)77 static int rsa_encrypt(uint8_t *data, int len, uint8_t *str) {
78 uint8_t modulus[256];
79 uint8_t exponent[8];
80 int size;
81 RSA *rsa;
82 BIGNUM *n_bn = NULL;
83 BIGNUM *e_bn = NULL;
84 int r;
85
86 pa_assert(data);
87 pa_assert(str);
88
89 rsa = RSA_new();
90 if (!rsa) {
91 pa_log("RSA_new() failed.");
92 goto fail;
93 }
94
95 size = pa_raop_base64_decode(rsa_modulus, modulus);
96
97 n_bn = BN_bin2bn(modulus, size, NULL);
98 if (!n_bn) {
99 pa_log("n_bn = BN_bin2bn() failed.");
100 goto fail;
101 }
102
103 size = pa_raop_base64_decode(rsa_exponent, exponent);
104
105 e_bn = BN_bin2bn(exponent, size, NULL);
106 if (!e_bn) {
107 pa_log("e_bn = BN_bin2bn() failed.");
108 goto fail;
109 }
110
111 r = RSA_set0_key(rsa, n_bn, e_bn, NULL);
112 if (r == 0) {
113 pa_log("RSA_set0_key() failed.");
114 goto fail;
115 }
116
117 /* The memory allocated for n_bn and e_bn is now managed by the RSA object.
118 * Let's set n_bn and e_bn to NULL to avoid freeing the memory in the error
119 * handling code. */
120 n_bn = NULL;
121 e_bn = NULL;
122
123 size = RSA_public_encrypt(len, data, str, rsa, RSA_PKCS1_OAEP_PADDING);
124 if (size == -1) {
125 pa_log("RSA_public_encrypt() failed.");
126 goto fail;
127 }
128
129 RSA_free(rsa);
130 return size;
131
132 fail:
133 if (e_bn)
134 BN_free(e_bn);
135
136 if (n_bn)
137 BN_free(n_bn);
138
139 if (rsa)
140 RSA_free(rsa);
141
142 return -1;
143 }
144
pa_raop_secret_new(void)145 pa_raop_secret* pa_raop_secret_new(void) {
146 pa_raop_secret *s = pa_xnew0(pa_raop_secret, 1);
147
148 pa_assert(s);
149
150 pa_random(s->key, sizeof(s->key));
151 AES_set_encrypt_key(s->key, 128, &s->aes);
152 pa_random(s->iv, sizeof(s->iv));
153
154 return s;
155 }
156
pa_raop_secret_free(pa_raop_secret * s)157 void pa_raop_secret_free(pa_raop_secret *s) {
158 pa_assert(s);
159
160 pa_xfree(s);
161 }
162
pa_raop_secret_get_iv(pa_raop_secret * s)163 char* pa_raop_secret_get_iv(pa_raop_secret *s) {
164 char *base64_iv = NULL;
165
166 pa_assert(s);
167
168 pa_raop_base64_encode(s->iv, AES_CHUNK_SIZE, &base64_iv);
169
170 return base64_iv;
171 }
172
pa_raop_secret_get_key(pa_raop_secret * s)173 char* pa_raop_secret_get_key(pa_raop_secret *s) {
174 char *base64_key = NULL;
175 uint8_t rsa_key[512];
176 int size = 0;
177
178 pa_assert(s);
179
180 /* Encrypt our AES public key to send to the device */
181 size = rsa_encrypt(s->key, AES_CHUNK_SIZE, rsa_key);
182 if (size < 0) {
183 pa_log("rsa_encrypt() failed.");
184 return NULL;
185 }
186
187 pa_raop_base64_encode(rsa_key, size, &base64_key);
188
189 return base64_key;
190 }
191
pa_raop_aes_encrypt(pa_raop_secret * s,uint8_t * data,int len)192 int pa_raop_aes_encrypt(pa_raop_secret *s, uint8_t *data, int len) {
193 static uint8_t nv[AES_CHUNK_SIZE];
194 uint8_t *buffer;
195 int i = 0, j;
196
197 pa_assert(s);
198 pa_assert(data);
199
200 memcpy(nv, s->iv, AES_CHUNK_SIZE);
201
202 while (i + AES_CHUNK_SIZE <= len) {
203 buffer = data + i;
204 for (j = 0; j < AES_CHUNK_SIZE; ++j)
205 buffer[j] ^= nv[j];
206
207 AES_encrypt(buffer, buffer, &s->aes);
208
209 memcpy(nv, buffer, AES_CHUNK_SIZE);
210 i += AES_CHUNK_SIZE;
211 }
212
213 return i;
214 }
215