1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
/***
This file is part of PulseAudio.
Copyright 2013 Martin Blanchard
PulseAudio is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published
by the Free Software Foundation; either version 2.1 of the License,
or (at your option) any later version.
PulseAudio is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with PulseAudio; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA.
***/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/aes.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <pulse/xmalloc.h>
#include <pulsecore/macro.h>
#include <pulsecore/random.h>
#include "raop-crypto.h"
#include "raop-util.h"
#define AES_CHUNK_SIZE 16
/* Openssl 1.1.0 broke compatibility. Before 1.1.0 we had to set RSA->n and
* RSA->e manually, but after 1.1.0 the RSA struct is opaque and we have to use
* RSA_set0_key(). RSA_set0_key() is a new function added in 1.1.0. We could
* depend on openssl 1.1.0, but it may take some time before distributions will
* be able to upgrade to the new openssl version. To insulate ourselves from
* such transition problems, let's implement RSA_set0_key() ourselves if it's
* not available. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
r->n = n;
r->e = e;
return 1;
}
#endif
struct pa_raop_secret {
uint8_t key[AES_CHUNK_SIZE]; /* Key for aes-cbc */
uint8_t iv[AES_CHUNK_SIZE]; /* Initialization vector for cbc */
AES_KEY aes; /* AES encryption */
};
static const char rsa_modulus[] =
"59dE8qLieItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U3GhC/j0Qg90u3sG/1CUtwC"
"5vOYvfDmFI6oSFXi5ELabWJmT2dKHzBJKa3k9ok+8t9ucRqMd6DZHJ2YCCLlDR"
"KSKv6kDqnw4UwPdpOMXziC/AMj3Z/lUVX1G7WSHCAWKf1zNS1eLvqr+boEjXuB"
"OitnZ/bDzPHrTOZz0Dew0uowxf/+sG+NCK3eQJVxqcaJ/vEHKIVd2M+5qL71yJ"
"Q+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Zmni/UAaHqn9JdsBWLUEpVviYnh"
"imNVvYFZeCXg/IdTQ+x4IRdiXNv5hEew==";
static const char rsa_exponent[] =
"AQAB";
static int rsa_encrypt(uint8_t *data, int len, uint8_t *str) {
uint8_t modulus[256];
uint8_t exponent[8];
int size;
RSA *rsa;
BIGNUM *n_bn = NULL;
BIGNUM *e_bn = NULL;
int r;
pa_assert(data);
pa_assert(str);
rsa = RSA_new();
if (!rsa) {
pa_log("RSA_new() failed.");
goto fail;
}
size = pa_raop_base64_decode(rsa_modulus, modulus);
n_bn = BN_bin2bn(modulus, size, NULL);
if (!n_bn) {
pa_log("n_bn = BN_bin2bn() failed.");
goto fail;
}
size = pa_raop_base64_decode(rsa_exponent, exponent);
e_bn = BN_bin2bn(exponent, size, NULL);
if (!e_bn) {
pa_log("e_bn = BN_bin2bn() failed.");
goto fail;
}
r = RSA_set0_key(rsa, n_bn, e_bn, NULL);
if (r == 0) {
pa_log("RSA_set0_key() failed.");
goto fail;
}
/* The memory allocated for n_bn and e_bn is now managed by the RSA object.
* Let's set n_bn and e_bn to NULL to avoid freeing the memory in the error
* handling code. */
n_bn = NULL;
e_bn = NULL;
size = RSA_public_encrypt(len, data, str, rsa, RSA_PKCS1_OAEP_PADDING);
if (size == -1) {
pa_log("RSA_public_encrypt() failed.");
goto fail;
}
RSA_free(rsa);
return size;
fail:
if (e_bn)
BN_free(e_bn);
if (n_bn)
BN_free(n_bn);
if (rsa)
RSA_free(rsa);
return -1;
}
pa_raop_secret* pa_raop_secret_new(void) {
pa_raop_secret *s = pa_xnew0(pa_raop_secret, 1);
pa_assert(s);
pa_random(s->key, sizeof(s->key));
AES_set_encrypt_key(s->key, 128, &s->aes);
pa_random(s->iv, sizeof(s->iv));
return s;
}
void pa_raop_secret_free(pa_raop_secret *s) {
pa_assert(s);
pa_xfree(s);
}
char* pa_raop_secret_get_iv(pa_raop_secret *s) {
char *base64_iv = NULL;
pa_assert(s);
pa_raop_base64_encode(s->iv, AES_CHUNK_SIZE, &base64_iv);
return base64_iv;
}
char* pa_raop_secret_get_key(pa_raop_secret *s) {
char *base64_key = NULL;
uint8_t rsa_key[512];
int size = 0;
pa_assert(s);
/* Encrypt our AES public key to send to the device */
size = rsa_encrypt(s->key, AES_CHUNK_SIZE, rsa_key);
if (size < 0) {
pa_log("rsa_encrypt() failed.");
return NULL;
}
pa_raop_base64_encode(rsa_key, size, &base64_key);
return base64_key;
}
int pa_raop_aes_encrypt(pa_raop_secret *s, uint8_t *data, int len) {
static uint8_t nv[AES_CHUNK_SIZE];
uint8_t *buffer;
int i = 0, j;
pa_assert(s);
pa_assert(data);
memcpy(nv, s->iv, AES_CHUNK_SIZE);
while (i + AES_CHUNK_SIZE <= len) {
buffer = data + i;
for (j = 0; j < AES_CHUNK_SIZE; ++j)
buffer[j] ^= nv[j];
AES_encrypt(buffer, buffer, &s->aes);
memcpy(nv, buffer, AES_CHUNK_SIZE);
i += AES_CHUNK_SIZE;
}
return i;
}
|
