forked from resilar/sqleet
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sqleet.c
483 lines (435 loc) · 15.1 KB
/
sqleet.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
#define SQLITE3_H_OMIT
#include "sqleet.h"
#include "sqlite3.c"
#include "rekeyvacuum.c"
#include "crypto.c"
/*
* SQLite3 codec implementation.
*/
typedef struct codec {
struct codec *reader, *writer;
unsigned char key[32], salt[16];
void *pagebuf;
int pagesize;
const void *zKey;
int nKey;
} Codec;
Codec *codec_new(const char *zKey, int nKey)
{
Codec *codec;
if ((codec = sqlite3_malloc(sizeof(Codec)))) {
codec->reader = codec->writer = codec;
memset(codec->key, 0, sizeof(codec->key));
memset(codec->salt, 0, sizeof(codec->salt));
codec->pagebuf = NULL;
codec->pagesize = 0;
codec->zKey = zKey;
codec->nKey = nKey;
}
return codec;
}
Codec *codec_dup(Codec *src)
{
Codec *codec;
if ((codec = codec_new(src->zKey, src->nKey))) {
codec->reader = (src->reader == src) ? codec : src->reader;
codec->writer = (src->writer == src) ? codec : src->writer;
memcpy(codec->salt, src->salt, 16);
memcpy(codec->key, src->key, 32);
}
return codec;
}
static int hex_decode(const char *hex, unsigned int n, unsigned char *out)
{
int i;
for (i = 0; i < n; i++) {
char c = hex[i];
if (c >= '0' && c <= '9') {
c = c - '0';
} else if (c >= 'A' && c <= 'F') {
c = c - 'A' + 10;
} else if (c >= 'a' && c <= 'f') {
c = c - 'a' + 10;
} else {
const int j = (i+1) / 2;
for (i = 0; i < j; i++) {
((volatile unsigned char *)out)[i] = 0;
}
return 0;
}
out[i/2] = (out[i/2] << 4) | c;
}
return 1;
}
void codec_kdf(Codec *codec, const void *salt)
{
int bypass = 0;
/* Bypass key derivation if the key string starts with "raw:" */
if (codec->nKey > 4 && !memcmp(codec->zKey, "raw:", 4)) {
const int nRaw = codec->nKey - 4;
const char *zRaw = (const char *)codec->zKey + 4;
switch (nRaw) {
/* Binary key (and salt) */
case 32 + 16:
salt = memcpy(codec->salt, zRaw + 32, 16);
/* fall-through */
case 32:
memcpy(codec->key, zRaw, 32);
bypass = 1;
break;
/* Hex-encoded key */
case 64:
bypass = !!hex_decode(zRaw, 64, codec->key);
break;
/* Hex-encoded key and salt */
case 64 + 32:
if (!hex_decode(zRaw, 64, codec->key))
break;
if (!hex_decode(zRaw + 64, 32, codec->salt))
break;
salt = codec->salt;
bypass = 1;
break;
default:
break;
}
}
if (!salt) {
/* Generate a random salt */
chacha20_rng(codec->salt, 16);
} else if (salt != codec->salt) {
/* Save the specified salt */
memcpy(codec->salt, salt, 16);
}
if (!bypass) {
/* Run key-derivation algorithm on the key string with the salt */
pbkdf2_hmac_sha256(codec->zKey, codec->nKey,
codec->salt, 16,
12345,
codec->key, 32);
}
codec->zKey = NULL;
codec->nKey = 0;
}
void codec_free(void *pcodec)
{
if (pcodec) {
int i;
volatile char *p;
Codec *codec = pcodec;
if (codec->pagebuf) {
p = codec->pagebuf;
for (i = 0; i < codec->pagesize; p[i++] = '\0');
sqlite3_free(codec->pagebuf);
}
p = pcodec;
for (i = 0; i < sizeof(Codec); p[i++] = '\0');
sqlite3_free(codec);
}
}
/*
* The encrypted database page format.
*
* +----------------------------------------+----------------+----------------+
* | Encrypted data | 16-byte nonce | 16-byte tag |
* +----------------------------------------+----------------+----------------+
*
* As the only exception, the first page (page_no=1) starts with a plaintext
* salt contained in the first 16 bytes of the database file. The "master" key
* is derived from a user-given password with the salt and 12345 iterations of
* PBKDF-HMAC-SHA256. Future plans include switching to BLAKE2 and Argon2.
*
* - The data is encrypted by XORing with the ChaCha20 keystream produced from
* the 16-byte nonce and a 32-byte encryption key derived from the master key.
* - OK, I lied a little: ChaCha20 uses only the first 12 bytes as the nonce.
* However, ChaCha20 also requires an initial value for a counter of 4 bytes
* that encodes a block position in the output stream. We derive the counter
* value from the last 4 bytes, effectively extending the nonce to 16 bytes.
* - Specifically, counter = LOAD32_LE(nonce[12..15])^page_no is first applied
* to generate a single 64-byte block from nonce[0..11] and the master key.
* The block consists of two 32-byte one-time keys, the former is a Poly1305
* key for the authentication tag, and the latter is a ChaCha20 key for the
* data encryption. The encryption with the one-time key uses nonce[0..11]
* and the initial counter value of counter+1.
* - The XOR with page_no prevents malicious reordering of the pages.
*
* - The nonce consists of 128 randomly generated bits, which should be enough
* to guarantee uniqueness with a secure pseudorandom number generator.
* - Given a secure PRNG, the adversary needs to observe at least 2^61 nonces
* to break Poly1305 with the birthday attack at a success rate of 1%.
* - If a nonce is reused, we lose confidentiality of the associated messages.
* Moreover, the compromised nonce can also be used to forge valid tags for
* new messages having the same nonce (basically, the one-time Poly1305 key
* can be recovered from distinct messages with identical nonces).
*
* - The tag is a Poly1305 MAC calculated over the encrypted data and the nonce
* with the one-time key generated from the master key and the nonce.
*/
#define PAGE_NONCE_LEN 16
#define PAGE_TAG_LEN 16
#define PAGE_RESERVED_LEN (PAGE_NONCE_LEN + PAGE_TAG_LEN)
void *codec_handle(void *codec, void *pdata, Pgno page, int mode)
{
uint32_t counter;
unsigned char otk[64], tag[16], *data = pdata;
Codec *reader = ((Codec *)codec)->reader;
Codec *writer = ((Codec *)codec)->writer;
const int skip = (page == 1) ? SKIP_HEADER_BYTES : 0;
switch (mode) {
case 0: /* Journal decryption */
case 2: /* Reload a page */
case 3: /* Load a page */
if (reader) {
const int n = reader->pagesize - PAGE_RESERVED_LEN;
if (page == 1 && reader->zKey)
codec_kdf(reader, data);
/* Generate one-time keys */
memset(otk, 0, 64);
counter = LOAD32_LE(data + n + PAGE_NONCE_LEN-4) ^ page;
chacha20_xor(otk, 64, reader->key, data + n, counter);
/* Verify the MAC */
poly1305(data, n + PAGE_NONCE_LEN, otk, tag);
if (poly1305_tagcmp(data + n + PAGE_NONCE_LEN, tag) != 0)
return NULL;
/* Decrypt */
chacha20_xor(data + skip, n - skip, otk+32, data + n, counter+1);
if (page == 1) memcpy(data, "SQLite format 3", 16);
}
break;
case 7: /* Encrypt a journal page (with the reader key) */
writer = reader;
/* fall-through */
case 6: /* Encrypt a main database page */
if (writer) {
const int n = writer->pagesize - PAGE_RESERVED_LEN;
data = memcpy(writer->pagebuf, data, writer->pagesize);
/* Generate one-time keys */
memset(otk, 0, 64);
chacha20_rng(data + n, 16);
counter = LOAD32_LE(data + n + PAGE_NONCE_LEN-4) ^ page;
chacha20_xor(otk, 64, writer->key, data + n, counter);
/* Encrypt and authenticate */
chacha20_xor(data + skip, n - skip, otk+32, data + n, counter+1);
if (page == 1) memcpy(data, writer->salt, 16);
poly1305(data, n + PAGE_NONCE_LEN, otk, data + n + PAGE_NONCE_LEN);
}
break;
}
return data;
}
/* Reads page1 to trigger codec_kdf and verify the encryption key */
static int codec_verify_page1(Codec *codec, Btree *pBt)
{
int count, rc = SQLITE_OK;
Pager *pager = sqlite3BtreePager(pBt);
sqlite3PagerSharedLock(pager);
sqlite3PagerPagecount(pager, &count);
if (count > 0) {
DbPage *page;
rc = SQLITE_NOTADB;
sqlite3PcacheTruncate(pager->pPCache, 0);
if (sqlite3PagerGet(pager, 1, &page, 0) == SQLITE_OK) {
if (!memcmp(page->pData, "SQLite format 3", 16))
rc = SQLITE_OK;
sqlite3PagerUnref(page);
} else {
sqlite3PagerSetCodec(pager, NULL, NULL, NULL, NULL);
}
} else if (codec && codec->zKey) {
/* Derive an encryption key for an empty database */
codec_kdf(codec, NULL);
}
pager_unlock(pager);
return rc;
}
/*
* Set (or unset) a codec for the pager of the specified Btree.
*
* The caller must hold the database mutex when calling this function.
* Note that the function consumes the passed-in codec structure.
*/
static int codec_set_to(Codec *codec, Btree *pBt)
{
int pagesize;
Pager *pager = sqlite3BtreePager(pBt);
if (!codec) {
/* Unset a codec */
sqlite3PagerSetCodec(pager, NULL, NULL, NULL, NULL);
return SQLITE_OK;
}
/* Allocate page buffer */
pagesize = sqlite3BtreeGetPageSize(pBt);
if (!codec->pagebuf || codec->pagesize != pagesize) {
void *new = sqlite3_malloc(pagesize);
if (!new) {
codec_free(codec);
return SQLITE_NOMEM;
}
if (codec->pagebuf) {
int i = 0;
while (i < codec->pagesize)
((volatile char *)codec->pagebuf)[i++] = '\0';
sqlite3_free(codec->pagebuf);
}
codec->pagebuf = new;
codec->pagesize = pagesize;
}
/* Force secure delete */
sqlite3BtreeSecureDelete(pBt, 1);
/* Adjust the page size and the reserved area */
if (pager->nReserve != PAGE_RESERVED_LEN) {
pBt->pBt->btsFlags &= ~BTS_PAGESIZE_FIXED;
sqlite3BtreeSetPageSize(pBt, pagesize, PAGE_RESERVED_LEN, 0);
}
/* Set pager codec and try to read page1 */
sqlite3PagerSetCodec(pager, codec_handle, NULL, codec_free, codec);
return codec_verify_page1(codec, pBt);
}
void sqlite3CodecGetKey(sqlite3 *db, int nDb, void **zKey, int *nKey)
{
/*
* sqlite3.c calls this function to decide if a database attached without a
* password should use the encryption scheme of the main database. Returns
* *nKey == 1 to indicate that the main database encryption is available.
*/
*zKey = NULL;
*nKey = !!sqlite3PagerGetCodec(sqlite3BtreePager(db->aDb[nDb].pBt));
}
int sqlite3CodecAttach(sqlite3 *db, int nDb, const void *zKey, int nKey)
{
int rc;
Codec *codec;
Btree *pBt = db->aDb[nDb].pBt;
rc = SQLITE_NOMEM;
sqlite3_mutex_enter(db->mutex);
if (!nKey) {
/* Attach with an empty key (no encryption) */
codec_set_to(NULL, pBt);
rc = codec_verify_page1(NULL, pBt);
} else if (zKey) {
/* Attach with the provided key */
if ((codec = codec_new(zKey, nKey)))
rc = codec_set_to(codec, pBt);
} else if (nDb != 0) {
/* Use the main database's encryption */
codec = sqlite3PagerGetCodec(sqlite3BtreePager(db->aDb[0].pBt));
if (codec && (codec = codec_dup(codec))) {
rc = codec_set_to(codec, pBt);
} else {
/* Main database codec unavailable */
rc = SQLITE_CANTOPEN;
}
}
sqlite3_mutex_leave(db->mutex);
return rc;
}
/* Returns the main database if there is no match */
static int db_index_of(sqlite3 *db, const char *zDbName)
{
int i;
if (zDbName) {
for (i = 0; i < db->nDb; i++) {
if (!strcmp(db->aDb[i].zDbSName, zDbName))
return i;
}
}
return 0;
}
int sqlite3_key_v2(sqlite3 *db, const char *zDbName, const void *zKey, int nKey)
{
return sqlite3CodecAttach(db, db_index_of(db, zDbName), zKey, nKey);
}
int sqlite3_key(sqlite3 *db, const void *zKey, int nKey)
{
return sqlite3_key_v2(db, "main", zKey, nKey);
}
int sqlite3_rekey_v2(sqlite3 *db, const char *zDbName,
const void *zKey, int nKey)
{
char *err;
int nDb, rc;
Btree *pBt;
if (!db || (!nKey && !zKey))
return SQLITE_ERROR;
rc = SQLITE_ERROR;
sqlite3_mutex_enter(db->mutex);
if ((pBt = db->aDb[(nDb = db_index_of(db, zDbName))].pBt)) {
Pgno pgno;
DbPage *page;
Codec *reader, *codec;
Pager *pager = sqlite3BtreePager(pBt);
reader = sqlite3PagerGetCodec(pager);
if (!nKey) {
/* Decrypt */
if (reader) {
reader->writer = NULL;
rc = sqlite3RekeyVacuum(&err, db, nDb, NULL, 0);
if (rc == SQLITE_OK) {
rc = codec_set_to(NULL, pBt);
} else {
reader->writer = reader->reader;
}
} else {
rc = codec_verify_page1(NULL, pBt);
}
goto leave;
}
/* Create a codec for the given key */
if ((codec = codec_new(zKey, nKey))) {
codec->pagesize = sqlite3BtreeGetPageSize(pBt);
codec->pagebuf = sqlite3_malloc(codec->pagesize);
if (codec->pagebuf) {
codec_kdf(codec, NULL);
} else {
codec_free(codec);
codec = NULL;
}
}
if (!codec) {
rc = SQLITE_NOMEM;
goto leave;
}
if (!reader) {
/* Encrypt */
codec->reader = NULL;
if ((rc = codec_set_to(codec, pBt)) == SQLITE_OK) {
rc = sqlite3RekeyVacuum(&err, db, nDb, NULL, PAGE_RESERVED_LEN);
if (rc == SQLITE_OK) {
codec->reader = codec->writer;
} else {
codec_set_to(NULL, pBt);
}
}
goto leave;
}
/* Change key (re-encrypt) */
reader->writer = codec;
rc = sqlite3BtreeBeginTrans(pBt, 1, NULL);
for (pgno = 1; rc == SQLITE_OK && pgno <= pager->dbSize; pgno++) {
/* The DB page occupied by the PENDING_BYTE is never used */
if (pgno == PENDING_BYTE_PAGE(pager))
continue;
if ((rc = sqlite3PagerGet(pager, pgno, &page, 0)) == SQLITE_OK) {
rc = sqlite3PagerWrite(page);
sqlite3PagerUnref(page);
}
}
if (rc == SQLITE_OK) {
sqlite3BtreeCommit(pBt);
rc = codec_set_to(codec, pBt);
} else {
reader->writer = reader;
sqlite3BtreeRollback(pBt, SQLITE_ABORT_ROLLBACK, 0);
}
}
leave:
sqlite3_mutex_leave(db->mutex);
return rc;
}
int sqlite3_rekey(sqlite3 *db, const void *zKey, int nKey)
{
return sqlite3_rekey_v2(db, "main", zKey, nKey);
}
void sqlite3_activate_see(const char *info)
{
}