1 | /* Copyright 2015 OpenMarket Ltd |
---|---|

2 | * |

3 | * Licensed under the Apache License, Version 2.0 (the "License"); |

4 | * you may not use this file except in compliance with the License. |

5 | * You may obtain a copy of the License at |

6 | * |

7 | * http://www.apache.org/licenses/LICENSE-2.0 |

8 | * |

9 | * Unless required by applicable law or agreed to in writing, software |

10 | * distributed under the License is distributed on an "AS IS" BASIS, |

11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |

12 | * See the License for the specific language governing permissions and |

13 | * limitations under the License. |

14 | */ |

15 | #include "olm/cipher.h" |

16 | #include "olm/crypto.h" |

17 | #include "olm/memory.hh" |

18 | #include <cstring> |

19 | |

20 | const std::size_t HMAC_KEY_LENGTH = 32; |

21 | |

22 | namespace { |

23 | |

24 | struct DerivedKeys { |

25 | _olm_aes256_key aes_key; |

26 | std::uint8_t mac_key[HMAC_KEY_LENGTH]; |

27 | _olm_aes256_iv aes_iv; |

28 | }; |

29 | |

30 | |

31 | static void derive_keys( |

32 | std::uint8_t const * kdf_info, std::size_t kdf_info_length, |

33 | std::uint8_t const * key, std::size_t key_length, |

34 | DerivedKeys & keys |

35 | ) { |

36 | std::uint8_t derived_secrets[ |

37 | AES256_KEY_LENGTH + HMAC_KEY_LENGTH + AES256_IV_LENGTH |

38 | ]; |

39 | _olm_crypto_hkdf_sha256( |

40 | input: key, input_length: key_length, |

41 | info: nullptr, info_length: 0, |

42 | salt: kdf_info, salt_length: kdf_info_length, |

43 | output: derived_secrets, output_length: sizeof(derived_secrets) |

44 | ); |

45 | std::uint8_t const * pos = derived_secrets; |

46 | pos = olm::load_array(destination&: keys.aes_key.key, source: pos); |

47 | pos = olm::load_array(destination&: keys.mac_key, source: pos); |

48 | pos = olm::load_array(destination&: keys.aes_iv.iv, source: pos); |

49 | olm::unset(value&: derived_secrets); |

50 | } |

51 | |

52 | static const std::size_t MAC_LENGTH = 8; |

53 | |

54 | size_t aes_sha_256_cipher_mac_length(const struct _olm_cipher *cipher) { |

55 | return MAC_LENGTH; |

56 | } |

57 | |

58 | size_t aes_sha_256_cipher_encrypt_ciphertext_length( |

59 | const struct _olm_cipher *cipher, size_t plaintext_length |

60 | ) { |

61 | return _olm_crypto_aes_encrypt_cbc_length(input_length: plaintext_length); |

62 | } |

63 | |

64 | size_t aes_sha_256_cipher_encrypt( |

65 | const struct _olm_cipher *cipher, |

66 | uint8_t const * key, size_t key_length, |

67 | uint8_t const * plaintext, size_t plaintext_length, |

68 | uint8_t * ciphertext, size_t ciphertext_length, |

69 | uint8_t * output, size_t output_length |

70 | ) { |

71 | auto *c = reinterpret_cast<const _olm_cipher_aes_sha_256 *>(cipher); |

72 | |

73 | if (ciphertext_length |

74 | < aes_sha_256_cipher_encrypt_ciphertext_length(cipher, plaintext_length) |

75 | || output_length < MAC_LENGTH) { |

76 | return std::size_t(-1); |

77 | } |

78 | |

79 | struct DerivedKeys keys; |

80 | std::uint8_t mac[SHA256_OUTPUT_LENGTH]; |

81 | |

82 | derive_keys(kdf_info: c->kdf_info, kdf_info_length: c->kdf_info_length, key, key_length, keys); |

83 | |

84 | _olm_crypto_aes_encrypt_cbc( |

85 | key: &keys.aes_key, iv: &keys.aes_iv, input: plaintext, input_length: plaintext_length, output: ciphertext |

86 | ); |

87 | |

88 | _olm_crypto_hmac_sha256( |

89 | key: keys.mac_key, key_length: HMAC_KEY_LENGTH, input: output, input_length: output_length - MAC_LENGTH, output: mac |

90 | ); |

91 | |

92 | std::memcpy(dest: output + output_length - MAC_LENGTH, src: mac, n: MAC_LENGTH); |

93 | |

94 | olm::unset(value&: keys); |

95 | return output_length; |

96 | } |

97 | |

98 | |

99 | size_t aes_sha_256_cipher_decrypt_max_plaintext_length( |

100 | const struct _olm_cipher *cipher, |

101 | size_t ciphertext_length |

102 | ) { |

103 | return ciphertext_length; |

104 | } |

105 | |

106 | size_t aes_sha_256_cipher_decrypt( |

107 | const struct _olm_cipher *cipher, |

108 | uint8_t const * key, size_t key_length, |

109 | uint8_t const * input, size_t input_length, |

110 | uint8_t const * ciphertext, size_t ciphertext_length, |

111 | uint8_t * plaintext, size_t max_plaintext_length |

112 | ) { |

113 | if (max_plaintext_length |

114 | < aes_sha_256_cipher_decrypt_max_plaintext_length(cipher, ciphertext_length) |

115 | || input_length < MAC_LENGTH) { |

116 | return std::size_t(-1); |

117 | } |

118 | |

119 | auto *c = reinterpret_cast<const _olm_cipher_aes_sha_256 *>(cipher); |

120 | |

121 | DerivedKeys keys; |

122 | std::uint8_t mac[SHA256_OUTPUT_LENGTH]; |

123 | |

124 | derive_keys(kdf_info: c->kdf_info, kdf_info_length: c->kdf_info_length, key, key_length, keys); |

125 | |

126 | _olm_crypto_hmac_sha256( |

127 | key: keys.mac_key, key_length: HMAC_KEY_LENGTH, input, input_length: input_length - MAC_LENGTH, output: mac |

128 | ); |

129 | |

130 | std::uint8_t const * input_mac = input + input_length - MAC_LENGTH; |

131 | if (!olm::is_equal(buffer_a: input_mac, buffer_b: mac, length: MAC_LENGTH)) { |

132 | olm::unset(value&: keys); |

133 | return std::size_t(-1); |

134 | } |

135 | |

136 | std::size_t plaintext_length = _olm_crypto_aes_decrypt_cbc( |

137 | key: &keys.aes_key, iv: &keys.aes_iv, input: ciphertext, input_length: ciphertext_length, output: plaintext |

138 | ); |

139 | |

140 | olm::unset(value&: keys); |

141 | return plaintext_length; |

142 | } |

143 | |

144 | } // namespace |

145 | |

146 | const struct _olm_cipher_ops _olm_cipher_aes_sha_256_ops = { |

147 | .mac_length: aes_sha_256_cipher_mac_length, |

148 | .encrypt_ciphertext_length: aes_sha_256_cipher_encrypt_ciphertext_length, |

149 | .encrypt: aes_sha_256_cipher_encrypt, |

150 | .decrypt_max_plaintext_length: aes_sha_256_cipher_decrypt_max_plaintext_length, |

151 | .decrypt: aes_sha_256_cipher_decrypt, |

152 | }; |

153 |