1 | /* Copyright 2018-2019 New Vector Ltd |
2 | * |
3 | * Licensed under the Apache License, Version 2.0 (the "License"); |
4 | * you may not use this file except in compliance with the License. |
5 | * You may obtain a copy of the License at |
6 | * |
7 | * http://www.apache.org/licenses/LICENSE-2.0 |
8 | * |
9 | * Unless required by applicable law or agreed to in writing, software |
10 | * distributed under the License is distributed on an "AS IS" BASIS, |
11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | * See the License for the specific language governing permissions and |
13 | * limitations under the License. |
14 | */ |
15 | |
16 | #include "olm/sas.h" |
17 | #include "olm/base64.h" |
18 | #include "olm/crypto.h" |
19 | #include "olm/error.h" |
20 | #include "olm/memory.h" |
21 | |
22 | struct OlmSAS { |
23 | enum OlmErrorCode last_error; |
24 | struct _olm_curve25519_key_pair curve25519_key; |
25 | uint8_t secret[CURVE25519_SHARED_SECRET_LENGTH]; |
26 | int their_key_set; |
27 | }; |
28 | |
29 | const char * olm_sas_last_error( |
30 | const OlmSAS * sas |
31 | ) { |
32 | return _olm_error_to_string(error: sas->last_error); |
33 | } |
34 | |
35 | enum OlmErrorCode olm_sas_last_error_code( |
36 | const OlmSAS * sas |
37 | ) { |
38 | return sas->last_error; |
39 | } |
40 | |
41 | size_t olm_sas_size(void) { |
42 | return sizeof(OlmSAS); |
43 | } |
44 | |
45 | OlmSAS * olm_sas( |
46 | void * memory |
47 | ) { |
48 | _olm_unset(buffer: memory, buffer_length: sizeof(OlmSAS)); |
49 | return (OlmSAS *) memory; |
50 | } |
51 | |
52 | size_t olm_clear_sas( |
53 | OlmSAS * sas |
54 | ) { |
55 | _olm_unset(buffer: sas, buffer_length: sizeof(OlmSAS)); |
56 | return sizeof(OlmSAS); |
57 | } |
58 | |
59 | size_t olm_create_sas_random_length(const OlmSAS * sas) { |
60 | return CURVE25519_KEY_LENGTH; |
61 | } |
62 | |
63 | size_t olm_create_sas( |
64 | OlmSAS * sas, |
65 | void * random, size_t random_length |
66 | ) { |
67 | if (random_length < olm_create_sas_random_length(sas)) { |
68 | sas->last_error = OLM_NOT_ENOUGH_RANDOM; |
69 | return (size_t)-1; |
70 | } |
71 | _olm_crypto_curve25519_generate_key(random_32_bytes: (uint8_t *) random, output: &sas->curve25519_key); |
72 | sas->their_key_set = 0; |
73 | return 0; |
74 | } |
75 | |
76 | size_t olm_sas_pubkey_length(const OlmSAS * sas) { |
77 | return _olm_encode_base64_length(CURVE25519_KEY_LENGTH); |
78 | } |
79 | |
80 | size_t olm_sas_get_pubkey( |
81 | OlmSAS * sas, |
82 | void * pubkey, size_t pubkey_length |
83 | ) { |
84 | if (pubkey_length < olm_sas_pubkey_length(sas)) { |
85 | sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL; |
86 | return (size_t)-1; |
87 | } |
88 | _olm_encode_base64( |
89 | input: (const uint8_t *)sas->curve25519_key.public_key.public_key, |
90 | CURVE25519_KEY_LENGTH, |
91 | output: (uint8_t *)pubkey |
92 | ); |
93 | return 0; |
94 | } |
95 | |
96 | size_t olm_sas_set_their_key( |
97 | OlmSAS *sas, |
98 | void * their_key, size_t their_key_length |
99 | ) { |
100 | if (their_key_length < olm_sas_pubkey_length(sas)) { |
101 | sas->last_error = OLM_INPUT_BUFFER_TOO_SMALL; |
102 | return (size_t)-1; |
103 | } |
104 | |
105 | size_t ret = _olm_decode_base64(input: their_key, input_length: their_key_length, output: their_key); |
106 | if (ret == (size_t)-1) { |
107 | sas->last_error = OLM_INVALID_BASE64; |
108 | return (size_t)-1; |
109 | } |
110 | |
111 | _olm_crypto_curve25519_shared_secret(our_key: &sas->curve25519_key, their_key, output: sas->secret); |
112 | sas->their_key_set = 1; |
113 | return 0; |
114 | } |
115 | |
116 | int olm_sas_is_their_key_set( |
117 | const OlmSAS *sas |
118 | ) { |
119 | return sas->their_key_set; |
120 | } |
121 | |
122 | size_t olm_sas_generate_bytes( |
123 | OlmSAS * sas, |
124 | const void * info, size_t info_length, |
125 | void * output, size_t output_length |
126 | ) { |
127 | if (!sas->their_key_set) { |
128 | sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET; |
129 | return (size_t)-1; |
130 | } |
131 | _olm_crypto_hkdf_sha256( |
132 | input: sas->secret, input_length: sizeof(sas->secret), |
133 | NULL, info_length: 0, |
134 | salt: (const uint8_t *) info, salt_length: info_length, |
135 | output, output_length |
136 | ); |
137 | return 0; |
138 | } |
139 | |
140 | size_t olm_sas_mac_length( |
141 | const OlmSAS *sas |
142 | ) { |
143 | return _olm_encode_base64_length(SHA256_OUTPUT_LENGTH); |
144 | } |
145 | |
146 | // A version of the calculate mac function that produces base64 strings that are |
147 | // compatible with other base64 implementations. |
148 | size_t olm_sas_calculate_mac_fixed_base64( |
149 | OlmSAS * sas, |
150 | const void * input, size_t input_length, |
151 | const void * info, size_t info_length, |
152 | void * mac, size_t mac_length |
153 | ) { |
154 | if (mac_length < olm_sas_mac_length(sas)) { |
155 | sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL; |
156 | return (size_t)-1; |
157 | } |
158 | if (!sas->their_key_set) { |
159 | sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET; |
160 | return (size_t)-1; |
161 | } |
162 | uint8_t key[32]; |
163 | _olm_crypto_hkdf_sha256( |
164 | input: sas->secret, input_length: sizeof(sas->secret), |
165 | NULL, info_length: 0, |
166 | salt: (const uint8_t *) info, salt_length: info_length, |
167 | output: key, output_length: 32 |
168 | ); |
169 | |
170 | uint8_t temp_mac[32]; |
171 | _olm_crypto_hmac_sha256(key, key_length: 32, input, input_length, output: temp_mac); |
172 | _olm_encode_base64(input: (const uint8_t *)temp_mac, SHA256_OUTPUT_LENGTH, output: (uint8_t *)mac); |
173 | |
174 | return 0; |
175 | } |
176 | |
177 | |
178 | size_t olm_sas_calculate_mac( |
179 | OlmSAS * sas, |
180 | const void * input, size_t input_length, |
181 | const void * info, size_t info_length, |
182 | void * mac, size_t mac_length |
183 | ) { |
184 | if (mac_length < olm_sas_mac_length(sas)) { |
185 | sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL; |
186 | return (size_t)-1; |
187 | } |
188 | if (!sas->their_key_set) { |
189 | sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET; |
190 | return (size_t)-1; |
191 | } |
192 | uint8_t key[32]; |
193 | _olm_crypto_hkdf_sha256( |
194 | input: sas->secret, input_length: sizeof(sas->secret), |
195 | NULL, info_length: 0, |
196 | salt: (const uint8_t *) info, salt_length: info_length, |
197 | output: key, output_length: 32 |
198 | ); |
199 | _olm_crypto_hmac_sha256(key, key_length: 32, input, input_length, output: mac); |
200 | _olm_encode_base64(input: (const uint8_t *)mac, SHA256_OUTPUT_LENGTH, output: (uint8_t *)mac); |
201 | return 0; |
202 | } |
203 | |
204 | // for compatibility with an old version of Riot |
205 | size_t olm_sas_calculate_mac_long_kdf( |
206 | OlmSAS * sas, |
207 | const void * input, size_t input_length, |
208 | const void * info, size_t info_length, |
209 | void * mac, size_t mac_length |
210 | ) { |
211 | if (mac_length < olm_sas_mac_length(sas)) { |
212 | sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL; |
213 | return (size_t)-1; |
214 | } |
215 | if (!sas->their_key_set) { |
216 | sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET; |
217 | return (size_t)-1; |
218 | } |
219 | uint8_t key[256]; |
220 | _olm_crypto_hkdf_sha256( |
221 | input: sas->secret, input_length: sizeof(sas->secret), |
222 | NULL, info_length: 0, |
223 | salt: (const uint8_t *) info, salt_length: info_length, |
224 | output: key, output_length: 256 |
225 | ); |
226 | _olm_crypto_hmac_sha256(key, key_length: 256, input, input_length, output: mac); |
227 | _olm_encode_base64(input: (const uint8_t *)mac, SHA256_OUTPUT_LENGTH, output: (uint8_t *)mac); |
228 | return 0; |
229 | } |
230 | |