1/* Copyright 2018-2019 New Vector Ltd
2 *
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include "olm/sas.h"
17#include "olm/base64.h"
18#include "olm/crypto.h"
19#include "olm/error.h"
20#include "olm/memory.h"
21
22struct OlmSAS {
23 enum OlmErrorCode last_error;
24 struct _olm_curve25519_key_pair curve25519_key;
25 uint8_t secret[CURVE25519_SHARED_SECRET_LENGTH];
26 int their_key_set;
27};
28
29const char * olm_sas_last_error(
30 const OlmSAS * sas
31) {
32 return _olm_error_to_string(error: sas->last_error);
33}
34
35enum OlmErrorCode olm_sas_last_error_code(
36 const OlmSAS * sas
37) {
38 return sas->last_error;
39}
40
41size_t olm_sas_size(void) {
42 return sizeof(OlmSAS);
43}
44
45OlmSAS * olm_sas(
46 void * memory
47) {
48 _olm_unset(buffer: memory, buffer_length: sizeof(OlmSAS));
49 return (OlmSAS *) memory;
50}
51
52size_t olm_clear_sas(
53 OlmSAS * sas
54) {
55 _olm_unset(buffer: sas, buffer_length: sizeof(OlmSAS));
56 return sizeof(OlmSAS);
57}
58
59size_t olm_create_sas_random_length(const OlmSAS * sas) {
60 return CURVE25519_KEY_LENGTH;
61}
62
63size_t olm_create_sas(
64 OlmSAS * sas,
65 void * random, size_t random_length
66) {
67 if (random_length < olm_create_sas_random_length(sas)) {
68 sas->last_error = OLM_NOT_ENOUGH_RANDOM;
69 return (size_t)-1;
70 }
71 _olm_crypto_curve25519_generate_key(random_32_bytes: (uint8_t *) random, output: &sas->curve25519_key);
72 sas->their_key_set = 0;
73 return 0;
74}
75
76size_t olm_sas_pubkey_length(const OlmSAS * sas) {
77 return _olm_encode_base64_length(CURVE25519_KEY_LENGTH);
78}
79
80size_t olm_sas_get_pubkey(
81 OlmSAS * sas,
82 void * pubkey, size_t pubkey_length
83) {
84 if (pubkey_length < olm_sas_pubkey_length(sas)) {
85 sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
86 return (size_t)-1;
87 }
88 _olm_encode_base64(
89 input: (const uint8_t *)sas->curve25519_key.public_key.public_key,
90 CURVE25519_KEY_LENGTH,
91 output: (uint8_t *)pubkey
92 );
93 return 0;
94}
95
96size_t olm_sas_set_their_key(
97 OlmSAS *sas,
98 void * their_key, size_t their_key_length
99) {
100 if (their_key_length < olm_sas_pubkey_length(sas)) {
101 sas->last_error = OLM_INPUT_BUFFER_TOO_SMALL;
102 return (size_t)-1;
103 }
104
105 size_t ret = _olm_decode_base64(input: their_key, input_length: their_key_length, output: their_key);
106 if (ret == (size_t)-1) {
107 sas->last_error = OLM_INVALID_BASE64;
108 return (size_t)-1;
109 }
110
111 _olm_crypto_curve25519_shared_secret(our_key: &sas->curve25519_key, their_key, output: sas->secret);
112 sas->their_key_set = 1;
113 return 0;
114}
115
116int olm_sas_is_their_key_set(
117 const OlmSAS *sas
118) {
119 return sas->their_key_set;
120}
121
122size_t olm_sas_generate_bytes(
123 OlmSAS * sas,
124 const void * info, size_t info_length,
125 void * output, size_t output_length
126) {
127 if (!sas->their_key_set) {
128 sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
129 return (size_t)-1;
130 }
131 _olm_crypto_hkdf_sha256(
132 input: sas->secret, input_length: sizeof(sas->secret),
133 NULL, info_length: 0,
134 salt: (const uint8_t *) info, salt_length: info_length,
135 output, output_length
136 );
137 return 0;
138}
139
140size_t olm_sas_mac_length(
141 const OlmSAS *sas
142) {
143 return _olm_encode_base64_length(SHA256_OUTPUT_LENGTH);
144}
145
146// A version of the calculate mac function that produces base64 strings that are
147// compatible with other base64 implementations.
148size_t olm_sas_calculate_mac_fixed_base64(
149 OlmSAS * sas,
150 const void * input, size_t input_length,
151 const void * info, size_t info_length,
152 void * mac, size_t mac_length
153) {
154 if (mac_length < olm_sas_mac_length(sas)) {
155 sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
156 return (size_t)-1;
157 }
158 if (!sas->their_key_set) {
159 sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
160 return (size_t)-1;
161 }
162 uint8_t key[32];
163 _olm_crypto_hkdf_sha256(
164 input: sas->secret, input_length: sizeof(sas->secret),
165 NULL, info_length: 0,
166 salt: (const uint8_t *) info, salt_length: info_length,
167 output: key, output_length: 32
168 );
169
170 uint8_t temp_mac[32];
171 _olm_crypto_hmac_sha256(key, key_length: 32, input, input_length, output: temp_mac);
172 _olm_encode_base64(input: (const uint8_t *)temp_mac, SHA256_OUTPUT_LENGTH, output: (uint8_t *)mac);
173
174 return 0;
175}
176
177
178size_t olm_sas_calculate_mac(
179 OlmSAS * sas,
180 const void * input, size_t input_length,
181 const void * info, size_t info_length,
182 void * mac, size_t mac_length
183) {
184 if (mac_length < olm_sas_mac_length(sas)) {
185 sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
186 return (size_t)-1;
187 }
188 if (!sas->their_key_set) {
189 sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
190 return (size_t)-1;
191 }
192 uint8_t key[32];
193 _olm_crypto_hkdf_sha256(
194 input: sas->secret, input_length: sizeof(sas->secret),
195 NULL, info_length: 0,
196 salt: (const uint8_t *) info, salt_length: info_length,
197 output: key, output_length: 32
198 );
199 _olm_crypto_hmac_sha256(key, key_length: 32, input, input_length, output: mac);
200 _olm_encode_base64(input: (const uint8_t *)mac, SHA256_OUTPUT_LENGTH, output: (uint8_t *)mac);
201 return 0;
202}
203
204// for compatibility with an old version of Riot
205size_t olm_sas_calculate_mac_long_kdf(
206 OlmSAS * sas,
207 const void * input, size_t input_length,
208 const void * info, size_t info_length,
209 void * mac, size_t mac_length
210) {
211 if (mac_length < olm_sas_mac_length(sas)) {
212 sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
213 return (size_t)-1;
214 }
215 if (!sas->their_key_set) {
216 sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
217 return (size_t)-1;
218 }
219 uint8_t key[256];
220 _olm_crypto_hkdf_sha256(
221 input: sas->secret, input_length: sizeof(sas->secret),
222 NULL, info_length: 0,
223 salt: (const uint8_t *) info, salt_length: info_length,
224 output: key, output_length: 256
225 );
226 _olm_crypto_hmac_sha256(key, key_length: 256, input, input_length, output: mac);
227 _olm_encode_base64(input: (const uint8_t *)mac, SHA256_OUTPUT_LENGTH, output: (uint8_t *)mac);
228 return 0;
229}
230