diff --git a/client/client.pro b/client/client.pro index 0b8cf83a..9d2180f7 100644 --- a/client/client.pro +++ b/client/client.pro @@ -37,12 +37,12 @@ HEADERS += \ core/servercontroller.h \ debug.h \ defines.h \ + encryption_helper.h \ managementserver.h \ platforms/ios/MobileUtils.h \ platforms/linux/leakdetector.h \ protocols/protocols_defs.h \ secure_qsettings.h \ - secureformat.h \ settings.h \ ui/notificationhandler.h \ ui/models/containers_model.h \ @@ -96,13 +96,13 @@ SOURCES += \ core/server_defs.cpp \ core/servercontroller.cpp \ debug.cpp \ + encryption_helper.cpp \ main.cpp \ managementserver.cpp \ platforms/ios/MobileUtils.cpp \ platforms/linux/leakdetector.cpp \ protocols/protocols_defs.cpp \ secure_qsettings.cpp \ - secureformat.cpp \ settings.cpp \ ui/notificationhandler.cpp \ ui/models/containers_model.cpp \ diff --git a/client/secureformat.cpp b/client/encryption_helper.cpp similarity index 70% rename from client/secureformat.cpp rename to client/encryption_helper.cpp index 1acdeea7..6c1bffda 100644 --- a/client/secureformat.cpp +++ b/client/encryption_helper.cpp @@ -1,4 +1,4 @@ -#include "secureformat.h" +#include "encryption_helper.h" #include #include @@ -6,6 +6,25 @@ #include "openssl/evp.h" +int gcm_encrypt(const char *plaintext, int plaintext_len, + const char *key, const char *iv, int iv_len, + char *ciphertext) +{ + return gcm_encrypt((uchar*)plaintext, plaintext_len, + (uchar*)key, (uchar*)iv, iv_len, + (uchar*)ciphertext); +} + +int gcm_decrypt(const char *ciphertext, int ciphertext_len, + const char *key, + const char *iv, int iv_len, + char *plaintext) +{ + return gcm_decrypt((uchar*)ciphertext, ciphertext_len, + (uchar*)key, (uchar*)iv, iv_len, + (uchar*)plaintext); +} + void handleErrors() { qDebug() << "handleErrors"; } @@ -20,9 +39,9 @@ int generate_key_and_iv(unsigned char *iv, unsigned char *key) { return 0; } -int gcm_encrypt(unsigned char *plaintext, int plaintext_len, - unsigned char *key, - unsigned char *iv, int iv_len, +int gcm_encrypt(const unsigned char *plaintext, int plaintext_len, + const unsigned char *key, + const unsigned char *iv, int iv_len, unsigned char *ciphertext) { EVP_CIPHER_CTX *ctx; @@ -69,9 +88,9 @@ int gcm_encrypt(unsigned char *plaintext, int plaintext_len, return ciphertext_len; } -int gcm_decrypt(unsigned char *ciphertext, int ciphertext_len, - unsigned char *key, - unsigned char *iv, int iv_len, +int gcm_decrypt(const unsigned char *ciphertext, int ciphertext_len, + const unsigned char *key, + const unsigned char *iv, int iv_len, unsigned char *plaintext) { EVP_CIPHER_CTX *ctx; @@ -122,33 +141,3 @@ int gcm_decrypt(unsigned char *ciphertext, int ciphertext_len, } } -unsigned char gcmkey[] = "12345qwerty"; -unsigned char iv[] = "000000000000"; - -QByteArray encryptText(const QByteArray& value) { - int plainTextSize = value.size(); - unsigned char* plainText = new unsigned char[plainTextSize]; - std::memcpy(plainText, value.constData(), plainTextSize); - - unsigned char chipherText[UINT16_MAX]; - int chipherTextSize = gcm_encrypt(plainText, plainTextSize, - gcmkey, - iv, 12, - chipherText); - delete[] plainText; - return QByteArray::fromRawData((const char *)chipherText, chipherTextSize); -} - -QByteArray decryptText(const QByteArray& qEncryptArray) { - unsigned char decryptPlainText[UINT16_MAX]; - gcm_decrypt((unsigned char*)qEncryptArray.data(), qEncryptArray.size(), - gcmkey, - iv, 12, - decryptPlainText); - return QByteArray::fromRawData((const char *)decryptPlainText, qEncryptArray.size()); -} - - - - - diff --git a/client/encryption_helper.h b/client/encryption_helper.h new file mode 100644 index 00000000..ba921408 --- /dev/null +++ b/client/encryption_helper.h @@ -0,0 +1,31 @@ +#ifndef ENCRYPTION_HELPER_H +#define ENCRYPTION_HELPER_H + +#include +#include + + + +int gcm_encrypt(const char *plaintext, int plaintext_len, + const char *key, + const char *iv, int iv_len, + char *ciphertext); + +int gcm_decrypt(const char *ciphertext, int ciphertext_len, + const char *key, + const char *iv, int iv_len, + char *plaintext); + + +int gcm_encrypt(const unsigned char *plaintext, int plaintext_len, + const unsigned char *key, + const unsigned char *iv, int iv_len, + unsigned char *ciphertext); + +int gcm_decrypt(const unsigned char *ciphertext, int ciphertext_len, + const unsigned char *key, + const unsigned char *iv, int iv_len, + unsigned char *plaintext); + + +#endif // ENCRYPTION_HELPER_H diff --git a/client/secure_qsettings.cpp b/client/secure_qsettings.cpp index b2eeecbc..8faed6b1 100644 --- a/client/secure_qsettings.cpp +++ b/client/secure_qsettings.cpp @@ -1,5 +1,5 @@ #include "secure_qsettings.h" -#include "secureformat.h" +#include "encryption_helper.h" #include #include @@ -9,10 +9,18 @@ SecureQSettings::SecureQSettings(const QString &organization, const QString &app m_setting(organization, application, parent), encryptedKeys({"Servers/serversList"}) { - encrypted = m_setting.value("Conf/encrypted").toBool(); + // load keys from system key storage +#ifdef Q_OS_IOS + key = MobileUtils::readFromKeychain(settingsKeyTag); + iv = MobileUtils::readFromKeychain(settingsIvTag); +#endif + key = "12345qwerty00000"; + iv = "000000000000000"; + + bool encrypted = m_setting.value("Conf/encrypted").toBool(); // convert settings to encrypted - if (! encrypted) { + if (encryptionRequired() && ! encrypted) { for (const QString &key : m_setting.allKeys()) { if (encryptedKeys.contains(key)) { const QVariant &val = value(key); @@ -21,7 +29,6 @@ SecureQSettings::SecureQSettings(const QString &organization, const QString &app } m_setting.setValue("Conf/encrypted", true); m_setting.sync(); - encrypted = true; } } @@ -32,7 +39,7 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue } QVariant retVal; - if (encrypted && encryptedKeys.contains(key)) { + if (encryptionRequired() && encryptedKeys.contains(key)) { if (!m_setting.contains(key)) return defaultValue; QByteArray encryptedValue = m_setting.value(key).toByteArray(); @@ -52,16 +59,21 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue void SecureQSettings::setValue(const QString &key, const QVariant &value) { - QByteArray decryptedValue; - { - QDataStream ds(&decryptedValue, QIODevice::WriteOnly); - ds << value; + if (encryptionRequired() && encryptedKeys.contains(key)) { + QByteArray decryptedValue; + { + QDataStream ds(&decryptedValue, QIODevice::WriteOnly); + ds << value; + } + + QByteArray encryptedValue = encryptText(decryptedValue); + m_setting.setValue(key, encryptedValue); + } + else { + m_setting.setValue(key, value); } - QByteArray encryptedValue = encryptText(decryptedValue); - m_setting.setValue(key, encryptedValue); m_cache.insert(key, value); - sync(); } @@ -112,3 +124,29 @@ void SecureQSettings::restoreAppConfig(const QByteArray &base64Cfg) } +QByteArray SecureQSettings::encryptText(const QByteArray& value) const { + char cipherText[UINT16_MAX]; + int cipherTextSize = gcm_encrypt(value.constData(), value.size(), + key.constData(), iv.constData(), iv_len, cipherText); + + return QByteArray::fromRawData((const char *)cipherText, cipherTextSize); +} + +QByteArray SecureQSettings::decryptText(const QByteArray& ba) const { + char decryptPlainText[UINT16_MAX]; + gcm_decrypt(ba.data(), ba.size(), + key.constData(), iv.constData(), iv_len, decryptPlainText); + + return QByteArray::fromRawData(decryptPlainText, ba.size()); +} + +bool SecureQSettings::encryptionRequired() const +{ +#if defined Q_OS_ANDROID || defined Q_OS_IOS + return true; +#endif + + return false; +} + + diff --git a/client/secure_qsettings.h b/client/secure_qsettings.h index 113757a6..3fcd4ed7 100644 --- a/client/secure_qsettings.h +++ b/client/secure_qsettings.h @@ -4,6 +4,9 @@ #include #include +constexpr const char* settingsKeyTag = "settingsKeyTag"; +constexpr const char* settingsIvTag = "settingsIvTag"; + class SecureQSettings : public QObject { public: @@ -17,13 +20,21 @@ public: QByteArray backupAppConfig() const; void restoreAppConfig(const QByteArray &base64Cfg); + QByteArray encryptText(const QByteArray &value) const; + QByteArray decryptText(const QByteArray& ba) const; + + bool encryptionRequired() const; + private: QSettings m_setting; - bool encrypted {false}; mutable QMap m_cache; QStringList encryptedKeys; // encode only key listed here + + QByteArray key; + QByteArray iv; + int iv_len {16}; }; #endif // SECUREQSETTINGS_H diff --git a/client/secureformat.h b/client/secureformat.h deleted file mode 100644 index 04a25b64..00000000 --- a/client/secureformat.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef SECUREFORMAT_H -#define SECUREFORMAT_H - -#include -#include - -QByteArray encryptText(const QByteArray &value); -QByteArray decryptText(const QByteArray& qEncryptArray); - -class SecureFormat -{ -public: - SecureFormat(); - - - - -}; - -#endif // SECUREFORMAT_H diff --git a/client/settings.h b/client/settings.h index 4241f151..39c9919c 100644 --- a/client/settings.h +++ b/client/settings.h @@ -11,7 +11,7 @@ #include "core/defs.h" #include "containers/containers_defs.h" -#include "secureformat.h" +#include "encryption_helper.h" #include "secure_qsettings.h" using namespace amnezia;