1/* Copyright 2015 OpenMarket Ltd
2 *
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15#include "olm/cipher.h"
16#include "olm/crypto.h"
17#include "olm/memory.hh"
18#include <cstring>
19
20const std::size_t HMAC_KEY_LENGTH = 32;
21
22namespace {
23
24struct DerivedKeys {
25 _olm_aes256_key aes_key;
26 std::uint8_t mac_key[HMAC_KEY_LENGTH];
27 _olm_aes256_iv aes_iv;
28};
29
30
31static void derive_keys(
32 std::uint8_t const * kdf_info, std::size_t kdf_info_length,
33 std::uint8_t const * key, std::size_t key_length,
34 DerivedKeys & keys
35) {
36 std::uint8_t derived_secrets[
37 AES256_KEY_LENGTH + HMAC_KEY_LENGTH + AES256_IV_LENGTH
38 ];
39 _olm_crypto_hkdf_sha256(
40 input: key, input_length: key_length,
41 info: nullptr, info_length: 0,
42 salt: kdf_info, salt_length: kdf_info_length,
43 output: derived_secrets, output_length: sizeof(derived_secrets)
44 );
45 std::uint8_t const * pos = derived_secrets;
46 pos = olm::load_array(destination&: keys.aes_key.key, source: pos);
47 pos = olm::load_array(destination&: keys.mac_key, source: pos);
48 pos = olm::load_array(destination&: keys.aes_iv.iv, source: pos);
49 olm::unset(value&: derived_secrets);
50}
51
52static const std::size_t MAC_LENGTH = 8;
53
54size_t aes_sha_256_cipher_mac_length(const struct _olm_cipher *cipher) {
55 return MAC_LENGTH;
56}
57
58size_t aes_sha_256_cipher_encrypt_ciphertext_length(
59 const struct _olm_cipher *cipher, size_t plaintext_length
60) {
61 return _olm_crypto_aes_encrypt_cbc_length(input_length: plaintext_length);
62}
63
64size_t aes_sha_256_cipher_encrypt(
65 const struct _olm_cipher *cipher,
66 uint8_t const * key, size_t key_length,
67 uint8_t const * plaintext, size_t plaintext_length,
68 uint8_t * ciphertext, size_t ciphertext_length,
69 uint8_t * output, size_t output_length
70) {
71 auto *c = reinterpret_cast<const _olm_cipher_aes_sha_256 *>(cipher);
72
73 if (ciphertext_length
74 < aes_sha_256_cipher_encrypt_ciphertext_length(cipher, plaintext_length)
75 || output_length < MAC_LENGTH) {
76 return std::size_t(-1);
77 }
78
79 struct DerivedKeys keys;
80 std::uint8_t mac[SHA256_OUTPUT_LENGTH];
81
82 derive_keys(kdf_info: c->kdf_info, kdf_info_length: c->kdf_info_length, key, key_length, keys);
83
84 _olm_crypto_aes_encrypt_cbc(
85 key: &keys.aes_key, iv: &keys.aes_iv, input: plaintext, input_length: plaintext_length, output: ciphertext
86 );
87
88 _olm_crypto_hmac_sha256(
89 key: keys.mac_key, key_length: HMAC_KEY_LENGTH, input: output, input_length: output_length - MAC_LENGTH, output: mac
90 );
91
92 std::memcpy(dest: output + output_length - MAC_LENGTH, src: mac, n: MAC_LENGTH);
93
94 olm::unset(value&: keys);
95 return output_length;
96}
97
98
99size_t aes_sha_256_cipher_decrypt_max_plaintext_length(
100 const struct _olm_cipher *cipher,
101 size_t ciphertext_length
102) {
103 return ciphertext_length;
104}
105
106size_t aes_sha_256_cipher_decrypt(
107 const struct _olm_cipher *cipher,
108 uint8_t const * key, size_t key_length,
109 uint8_t const * input, size_t input_length,
110 uint8_t const * ciphertext, size_t ciphertext_length,
111 uint8_t * plaintext, size_t max_plaintext_length
112) {
113 if (max_plaintext_length
114 < aes_sha_256_cipher_decrypt_max_plaintext_length(cipher, ciphertext_length)
115 || input_length < MAC_LENGTH) {
116 return std::size_t(-1);
117 }
118
119 auto *c = reinterpret_cast<const _olm_cipher_aes_sha_256 *>(cipher);
120
121 DerivedKeys keys;
122 std::uint8_t mac[SHA256_OUTPUT_LENGTH];
123
124 derive_keys(kdf_info: c->kdf_info, kdf_info_length: c->kdf_info_length, key, key_length, keys);
125
126 _olm_crypto_hmac_sha256(
127 key: keys.mac_key, key_length: HMAC_KEY_LENGTH, input, input_length: input_length - MAC_LENGTH, output: mac
128 );
129
130 std::uint8_t const * input_mac = input + input_length - MAC_LENGTH;
131 if (!olm::is_equal(buffer_a: input_mac, buffer_b: mac, length: MAC_LENGTH)) {
132 olm::unset(value&: keys);
133 return std::size_t(-1);
134 }
135
136 std::size_t plaintext_length = _olm_crypto_aes_decrypt_cbc(
137 key: &keys.aes_key, iv: &keys.aes_iv, input: ciphertext, input_length: ciphertext_length, output: plaintext
138 );
139
140 olm::unset(value&: keys);
141 return plaintext_length;
142}
143
144} // namespace
145
146const struct _olm_cipher_ops _olm_cipher_aes_sha_256_ops = {
147 .mac_length: aes_sha_256_cipher_mac_length,
148 .encrypt_ciphertext_length: aes_sha_256_cipher_encrypt_ciphertext_length,
149 .encrypt: aes_sha_256_cipher_encrypt,
150 .decrypt_max_plaintext_length: aes_sha_256_cipher_decrypt_max_plaintext_length,
151 .decrypt: aes_sha_256_cipher_decrypt,
152};
153