1 | /* Copyright 2015 OpenMarket Ltd |
2 | * |
3 | * Licensed under the Apache License, Version 2.0 (the "License"); |
4 | * you may not use this file except in compliance with the License. |
5 | * You may obtain a copy of the License at |
6 | * |
7 | * http://www.apache.org/licenses/LICENSE-2.0 |
8 | * |
9 | * Unless required by applicable law or agreed to in writing, software |
10 | * distributed under the License is distributed on an "AS IS" BASIS, |
11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | * See the License for the specific language governing permissions and |
13 | * limitations under the License. |
14 | */ |
15 | #include "olm/cipher.h" |
16 | #include "olm/crypto.h" |
17 | #include "olm/memory.hh" |
18 | #include <cstring> |
19 | |
20 | const std::size_t HMAC_KEY_LENGTH = 32; |
21 | |
22 | namespace { |
23 | |
24 | struct DerivedKeys { |
25 | _olm_aes256_key aes_key; |
26 | std::uint8_t mac_key[HMAC_KEY_LENGTH]; |
27 | _olm_aes256_iv aes_iv; |
28 | }; |
29 | |
30 | |
31 | static void derive_keys( |
32 | std::uint8_t const * kdf_info, std::size_t kdf_info_length, |
33 | std::uint8_t const * key, std::size_t key_length, |
34 | DerivedKeys & keys |
35 | ) { |
36 | std::uint8_t derived_secrets[ |
37 | AES256_KEY_LENGTH + HMAC_KEY_LENGTH + AES256_IV_LENGTH |
38 | ]; |
39 | _olm_crypto_hkdf_sha256( |
40 | input: key, input_length: key_length, |
41 | info: nullptr, info_length: 0, |
42 | salt: kdf_info, salt_length: kdf_info_length, |
43 | output: derived_secrets, output_length: sizeof(derived_secrets) |
44 | ); |
45 | std::uint8_t const * pos = derived_secrets; |
46 | pos = olm::load_array(destination&: keys.aes_key.key, source: pos); |
47 | pos = olm::load_array(destination&: keys.mac_key, source: pos); |
48 | pos = olm::load_array(destination&: keys.aes_iv.iv, source: pos); |
49 | olm::unset(value&: derived_secrets); |
50 | } |
51 | |
52 | static const std::size_t MAC_LENGTH = 8; |
53 | |
54 | size_t aes_sha_256_cipher_mac_length(const struct _olm_cipher *cipher) { |
55 | return MAC_LENGTH; |
56 | } |
57 | |
58 | size_t aes_sha_256_cipher_encrypt_ciphertext_length( |
59 | const struct _olm_cipher *cipher, size_t plaintext_length |
60 | ) { |
61 | return _olm_crypto_aes_encrypt_cbc_length(input_length: plaintext_length); |
62 | } |
63 | |
64 | size_t aes_sha_256_cipher_encrypt( |
65 | const struct _olm_cipher *cipher, |
66 | uint8_t const * key, size_t key_length, |
67 | uint8_t const * plaintext, size_t plaintext_length, |
68 | uint8_t * ciphertext, size_t ciphertext_length, |
69 | uint8_t * output, size_t output_length |
70 | ) { |
71 | auto *c = reinterpret_cast<const _olm_cipher_aes_sha_256 *>(cipher); |
72 | |
73 | if (ciphertext_length |
74 | < aes_sha_256_cipher_encrypt_ciphertext_length(cipher, plaintext_length) |
75 | || output_length < MAC_LENGTH) { |
76 | return std::size_t(-1); |
77 | } |
78 | |
79 | struct DerivedKeys keys; |
80 | std::uint8_t mac[SHA256_OUTPUT_LENGTH]; |
81 | |
82 | derive_keys(kdf_info: c->kdf_info, kdf_info_length: c->kdf_info_length, key, key_length, keys); |
83 | |
84 | _olm_crypto_aes_encrypt_cbc( |
85 | key: &keys.aes_key, iv: &keys.aes_iv, input: plaintext, input_length: plaintext_length, output: ciphertext |
86 | ); |
87 | |
88 | _olm_crypto_hmac_sha256( |
89 | key: keys.mac_key, key_length: HMAC_KEY_LENGTH, input: output, input_length: output_length - MAC_LENGTH, output: mac |
90 | ); |
91 | |
92 | std::memcpy(dest: output + output_length - MAC_LENGTH, src: mac, n: MAC_LENGTH); |
93 | |
94 | olm::unset(value&: keys); |
95 | return output_length; |
96 | } |
97 | |
98 | |
99 | size_t aes_sha_256_cipher_decrypt_max_plaintext_length( |
100 | const struct _olm_cipher *cipher, |
101 | size_t ciphertext_length |
102 | ) { |
103 | return ciphertext_length; |
104 | } |
105 | |
106 | size_t aes_sha_256_cipher_decrypt( |
107 | const struct _olm_cipher *cipher, |
108 | uint8_t const * key, size_t key_length, |
109 | uint8_t const * input, size_t input_length, |
110 | uint8_t const * ciphertext, size_t ciphertext_length, |
111 | uint8_t * plaintext, size_t max_plaintext_length |
112 | ) { |
113 | if (max_plaintext_length |
114 | < aes_sha_256_cipher_decrypt_max_plaintext_length(cipher, ciphertext_length) |
115 | || input_length < MAC_LENGTH) { |
116 | return std::size_t(-1); |
117 | } |
118 | |
119 | auto *c = reinterpret_cast<const _olm_cipher_aes_sha_256 *>(cipher); |
120 | |
121 | DerivedKeys keys; |
122 | std::uint8_t mac[SHA256_OUTPUT_LENGTH]; |
123 | |
124 | derive_keys(kdf_info: c->kdf_info, kdf_info_length: c->kdf_info_length, key, key_length, keys); |
125 | |
126 | _olm_crypto_hmac_sha256( |
127 | key: keys.mac_key, key_length: HMAC_KEY_LENGTH, input, input_length: input_length - MAC_LENGTH, output: mac |
128 | ); |
129 | |
130 | std::uint8_t const * input_mac = input + input_length - MAC_LENGTH; |
131 | if (!olm::is_equal(buffer_a: input_mac, buffer_b: mac, length: MAC_LENGTH)) { |
132 | olm::unset(value&: keys); |
133 | return std::size_t(-1); |
134 | } |
135 | |
136 | std::size_t plaintext_length = _olm_crypto_aes_decrypt_cbc( |
137 | key: &keys.aes_key, iv: &keys.aes_iv, input: ciphertext, input_length: ciphertext_length, output: plaintext |
138 | ); |
139 | |
140 | olm::unset(value&: keys); |
141 | return plaintext_length; |
142 | } |
143 | |
144 | } // namespace |
145 | |
146 | const struct _olm_cipher_ops _olm_cipher_aes_sha_256_ops = { |
147 | .mac_length: aes_sha_256_cipher_mac_length, |
148 | .encrypt_ciphertext_length: aes_sha_256_cipher_encrypt_ciphertext_length, |
149 | .encrypt: aes_sha_256_cipher_encrypt, |
150 | .decrypt_max_plaintext_length: aes_sha_256_cipher_decrypt_max_plaintext_length, |
151 | .decrypt: aes_sha_256_cipher_decrypt, |
152 | }; |
153 | |