Secure settings refactoring

2022-08-06 19:47:29 +03:00 · 2022-08-06 19:47:29 +03:00 · 585de53148
commit 585de53148
parent 1e85b25438
7 changed files with 122 additions and 73 deletions
--- a/client/client.pro
+++ b/client/client.pro
@ -37,12 +37,12 @@ HEADERS  += \
    core/servercontroller.h \
    debug.h \
    defines.h \
+    encryption_helper.h \
    managementserver.h \
    platforms/ios/MobileUtils.h \
    platforms/linux/leakdetector.h \
   protocols/protocols_defs.h \
    secure_qsettings.h \
-    secureformat.h \
    settings.h \
    ui/notificationhandler.h \
    ui/models/containers_model.h \
@ -96,13 +96,13 @@ SOURCES  += \
   core/server_defs.cpp \
    core/servercontroller.cpp \
    debug.cpp \
+    encryption_helper.cpp \
    main.cpp \
    managementserver.cpp \
    platforms/ios/MobileUtils.cpp \
    platforms/linux/leakdetector.cpp \
   protocols/protocols_defs.cpp \
    secure_qsettings.cpp \
-    secureformat.cpp \
    settings.cpp \
    ui/notificationhandler.cpp \
    ui/models/containers_model.cpp \
--- a/client/encryption_helper.cpp
+++ b/client/encryption_helper.cpp
@ -1,4 +1,4 @@
-#include "secureformat.h"
+#include "encryption_helper.h"

 #include <QTextStream>
 #include <QVariantMap>
@ -6,6 +6,25 @@

 #include "openssl/evp.h"

+int gcm_encrypt(const char *plaintext, int plaintext_len,
+                const char *key, const char *iv, int iv_len,
+                char *ciphertext)
+{
+    return gcm_encrypt((uchar*)plaintext, plaintext_len,
+                       (uchar*)key, (uchar*)iv, iv_len,
+                       (uchar*)ciphertext);
+}
+
+int gcm_decrypt(const char *ciphertext, int ciphertext_len,
+                const char *key,
+                const char *iv, int iv_len,
+                char *plaintext)
+{
+    return gcm_decrypt((uchar*)ciphertext, ciphertext_len,
+                       (uchar*)key, (uchar*)iv, iv_len,
+                       (uchar*)plaintext);
+}
+
 void handleErrors() {
    qDebug() << "handleErrors";
 }
@ -20,9 +39,9 @@ int generate_key_and_iv(unsigned char *iv, unsigned char *key) {
    return 0;
 }

-int gcm_encrypt(unsigned char *plaintext, int plaintext_len,
-                unsigned char *key,
-                unsigned char *iv, int iv_len,
+int gcm_encrypt(const unsigned char *plaintext, int plaintext_len,
+                const unsigned char *key,
+                const unsigned char *iv, int iv_len,
                unsigned char *ciphertext)
 {
    EVP_CIPHER_CTX *ctx;
@ -69,9 +88,9 @@ int gcm_encrypt(unsigned char *plaintext, int plaintext_len,
    return ciphertext_len;
 }

-int gcm_decrypt(unsigned char *ciphertext, int ciphertext_len,
-                unsigned char *key,
-                unsigned char *iv, int iv_len,
+int gcm_decrypt(const unsigned char *ciphertext, int ciphertext_len,
+                const unsigned char *key,
+                const unsigned char *iv, int iv_len,
                unsigned char *plaintext)
 {
    EVP_CIPHER_CTX *ctx;
@ -122,33 +141,3 @@ int gcm_decrypt(unsigned char *ciphertext, int ciphertext_len,
    }
 }

-unsigned char gcmkey[] = "12345qwerty";
-unsigned char iv[] = "000000000000";
-
-QByteArray encryptText(const QByteArray& value) {
-    int plainTextSize = value.size();
-    unsigned char* plainText = new unsigned char[plainTextSize];
-    std::memcpy(plainText, value.constData(), plainTextSize);
-
-    unsigned char chipherText[UINT16_MAX];
-    int chipherTextSize = gcm_encrypt(plainText, plainTextSize,
-                                      gcmkey,
-                                      iv, 12,
-                                      chipherText);
-    delete[] plainText;
-    return QByteArray::fromRawData((const char *)chipherText, chipherTextSize);
-}
-
-QByteArray decryptText(const QByteArray& qEncryptArray) {
-    unsigned char decryptPlainText[UINT16_MAX];
-    gcm_decrypt((unsigned char*)qEncryptArray.data(), qEncryptArray.size(),
-                gcmkey,
-                iv, 12,
-                decryptPlainText);
-    return QByteArray::fromRawData((const char *)decryptPlainText, qEncryptArray.size());
-}
-
-
-
-
-
--- a/client/encryption_helper.h
+++ b/client/encryption_helper.h
@ -0,0 +1,31 @@
+#ifndef ENCRYPTION_HELPER_H
+#define ENCRYPTION_HELPER_H
+
+#include <QSettings>
+#include <QIODevice>
+
+
+
+int gcm_encrypt(const char *plaintext, int plaintext_len,
+                const char *key,
+                const char *iv, int iv_len,
+                char *ciphertext);
+
+int gcm_decrypt(const char *ciphertext, int ciphertext_len,
+                const char *key,
+                const char *iv, int iv_len,
+                char *plaintext);
+
+
+int gcm_encrypt(const unsigned char *plaintext, int plaintext_len,
+                const unsigned char *key,
+                const unsigned char *iv, int iv_len,
+                unsigned char *ciphertext);
+
+int gcm_decrypt(const unsigned char *ciphertext, int ciphertext_len,
+                const unsigned char *key,
+                const unsigned char *iv, int iv_len,
+                unsigned char *plaintext);
+
+
+#endif // ENCRYPTION_HELPER_H
--- a/client/secure_qsettings.cpp
+++ b/client/secure_qsettings.cpp
@ -1,5 +1,5 @@
 #include "secure_qsettings.h"
-#include "secureformat.h"
+#include "encryption_helper.h"

 #include <QDataStream>
 #include <QDebug>
@ -9,10 +9,18 @@ SecureQSettings::SecureQSettings(const QString &organization, const QString &app
      m_setting(organization, application, parent),
      encryptedKeys({"Servers/serversList"})
 {
-    encrypted = m_setting.value("Conf/encrypted").toBool();
+    // load keys from system key storage
+#ifdef Q_OS_IOS
+    key = MobileUtils::readFromKeychain(settingsKeyTag);
+    iv = MobileUtils::readFromKeychain(settingsIvTag);
+#endif
+    key = "12345qwerty00000";
+    iv = "000000000000000";
+
+    bool encrypted = m_setting.value("Conf/encrypted").toBool();

    // convert settings to encrypted
-    if (! encrypted) {
+    if (encryptionRequired() && ! encrypted) {
        for (const QString &key : m_setting.allKeys()) {
            if (encryptedKeys.contains(key)) {
                const QVariant &val = value(key);
@ -21,7 +29,6 @@ SecureQSettings::SecureQSettings(const QString &organization, const QString &app
        }
        m_setting.setValue("Conf/encrypted", true);
        m_setting.sync();
-        encrypted = true;
    }
 }

@ -32,7 +39,7 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue
    }

    QVariant retVal;
-    if (encrypted && encryptedKeys.contains(key)) {
+    if (encryptionRequired() && encryptedKeys.contains(key)) {
        if (!m_setting.contains(key)) return defaultValue;

        QByteArray encryptedValue = m_setting.value(key).toByteArray();
@ -52,16 +59,21 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue

 void SecureQSettings::setValue(const QString &key, const QVariant &value)
 {
-    QByteArray decryptedValue;
-    {
-        QDataStream ds(&decryptedValue, QIODevice::WriteOnly);
-        ds << value;
+    if (encryptionRequired() && encryptedKeys.contains(key)) {
+        QByteArray decryptedValue;
+        {
+            QDataStream ds(&decryptedValue, QIODevice::WriteOnly);
+            ds << value;
+        }
+
+        QByteArray encryptedValue = encryptText(decryptedValue);
+        m_setting.setValue(key, encryptedValue);
+    }
+    else {
+        m_setting.setValue(key, value);
    }

-    QByteArray encryptedValue = encryptText(decryptedValue);
-    m_setting.setValue(key, encryptedValue);
    m_cache.insert(key, value);
-
    sync();
 }

@ -112,3 +124,29 @@ void SecureQSettings::restoreAppConfig(const QByteArray &base64Cfg)
 }


+QByteArray SecureQSettings::encryptText(const QByteArray& value) const {
+    char cipherText[UINT16_MAX];
+    int cipherTextSize = gcm_encrypt(value.constData(), value.size(),
+        key.constData(), iv.constData(), iv_len, cipherText);
+
+    return QByteArray::fromRawData((const char *)cipherText, cipherTextSize);
+}
+
+QByteArray SecureQSettings::decryptText(const QByteArray& ba) const {
+    char decryptPlainText[UINT16_MAX];
+    gcm_decrypt(ba.data(), ba.size(),
+        key.constData(), iv.constData(), iv_len, decryptPlainText);
+
+    return QByteArray::fromRawData(decryptPlainText, ba.size());
+}
+
+bool SecureQSettings::encryptionRequired() const
+{
+#if defined Q_OS_ANDROID || defined Q_OS_IOS
+    return true;
+#endif
+
+    return false;
+}
+
+
--- a/client/secure_qsettings.h
+++ b/client/secure_qsettings.h
@ -4,6 +4,9 @@
 #include <QSettings>
 #include <QObject>

+constexpr const char* settingsKeyTag = "settingsKeyTag";
+constexpr const char* settingsIvTag = "settingsIvTag";
+
 class SecureQSettings : public QObject
 {
 public:
@ -17,13 +20,21 @@ public:
    QByteArray backupAppConfig() const;
    void restoreAppConfig(const QByteArray &base64Cfg);

+    QByteArray encryptText(const QByteArray &value) const;
+    QByteArray decryptText(const QByteArray& ba) const;
+
+    bool encryptionRequired() const;
+
 private:
    QSettings m_setting;
-    bool encrypted {false};

    mutable QMap<QString, QVariant> m_cache;

    QStringList encryptedKeys; // encode only key listed here
+
+    QByteArray key;
+    QByteArray iv;
+    int iv_len {16};
 };

 #endif // SECUREQSETTINGS_H
--- a/client/secureformat.h
+++ b/client/secureformat.h
@ -1,20 +0,0 @@
-#ifndef SECUREFORMAT_H
-#define SECUREFORMAT_H
-
-#include <QSettings>
-#include <QIODevice>
-
-QByteArray encryptText(const QByteArray &value);
-QByteArray decryptText(const QByteArray& qEncryptArray);
-
-class SecureFormat
-{
-public:
-    SecureFormat();
-
-
-
-
-};
-
-#endif // SECUREFORMAT_H
--- a/client/settings.h
+++ b/client/settings.h
@ -11,7 +11,7 @@

 #include "core/defs.h"
 #include "containers/containers_defs.h"
-#include "secureformat.h"
+#include "encryption_helper.h"
 #include "secure_qsettings.h"

 using namespace amnezia;