lib/jose/jwe/enc/aescbc.c - platform/external/libwebsockets - Git at Google

 /*
  * libwebsockets - small server side websockets and web server implementation
  *
  * Copyright (C) 2010 - 2020 Andy Green <[email protected]>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to
  * deal in the Software without restriction, including without limitation the
  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
  * sell copies of the Software, and to permit persons to whom the Software is
  * furnished to do so, subject to the following conditions:
  *
  * The above copyright notice and this permission notice shall be included in
  * all copies or substantial portions of the Software.
  *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
  * IN THE SOFTWARE.
  */

 #include "private-lib-core.h"
 #include "private-lib-jose-jwe.h"

 int
 lws_jwe_encrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *cek,
 		       uint8_t *aad, int aad_len)
 {
 	int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
 	uint8_t digest[LWS_GENHASH_LARGEST];
 	struct lws_gencrypto_keyelem el;
 	struct lws_genhmac_ctx hmacctx;
 	struct lws_genaes_ctx aesctx;
 	size_t paddedlen;
 	uint8_t al[8];

 	/* Caller must have prepared space for the results */

 	if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
 		lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
 			    hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
 		return -1;
 	}

 	if (jwe->jws.map.len[LJWE_IV] != 16) {
 		lwsl_notice("expected iv len %d, got %d\n", 16,
 				jwe->jws.map.len[LJWE_IV]);
 		return -1;
 	}

 	/* first create the authentication hmac */

 	/* JWA Section 5.2.2.1
 	 *
 	 * 1.  The secondary keys MAC_KEY and ENC_KEY are generated from the
 	 *     input key K as follows.  Each of these two keys is an octet
 	 *     string.
 	 *
 	 *       MAC_KEY consists of the initial MAC_KEY_LEN octets of K, in
 	 *        order.
 	 *       ENC_KEY consists of the final ENC_KEY_LEN octets of K, in
 	 *        order.
 	 */

 	/*
 	 *    2.  The IV used is a 128-bit value generated randomly or
 	 *        pseudorandomly for use in the cipher.
 	 */
 	lws_get_random(jwe->jws.context, (void *)jwe->jws.map.buf[LJWE_IV], 16);

 	/*
 	 *  3.  The plaintext is CBC encrypted using PKCS #7 padding using
 	 *      ENC_KEY as the key and the IV.  We denote the ciphertext output
 	 *      from this step as E.
 	 */

 	/* second half is the AES ENC_KEY */
 	el.buf = cek + (hlen / 2);
 	el.len = (uint32_t)(hlen / 2);

 	if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_CBC, &el,
 			      LWS_GAESP_WITH_PADDING, NULL)) {
 		lwsl_err("%s: lws_genaes_create failed\n", __func__);

 		return -1;
 	}

 	/*
 	 * the plaintext gets delivered to us in LJWE_CTXT, this replaces the
 	 * plaintext there with the ciphertext, which will be larger by some
 	 * padding bytes
 	 */
 	n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
 			     jwe->jws.map.len[LJWE_CTXT],
 			     (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
 			     (uint8_t *)jwe->jws.map.buf[LJWE_IV],
 			     NULL, NULL, LWS_AES_CBC_BLOCKLEN);
 	paddedlen = lws_gencrypto_padded_length(LWS_AES_CBC_BLOCKLEN,
 						jwe->jws.map.len[LJWE_CTXT]);
 	jwe->jws.map.len[LJWE_CTXT] = (uint32_t)paddedlen;
 	lws_genaes_destroy(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT] +
 			   paddedlen - LWS_AES_CBC_BLOCKLEN, LWS_AES_CBC_BLOCKLEN);
 	if (n) {
 		lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
 		return -1;
 	}

 	/*
 	 * 4.  The octet string AL is equal to the number of bits in the
 	 *     Additional Authenticated Data A expressed as a 64-bit unsigned
 	 *     big-endian integer.
 	 */
 	lws_jwe_be64((unsigned int)aad_len * 8, al);

 	/* first half of the CEK is the MAC key */
 	if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type,
 				cek, (unsigned int)hlen / 2))
 		return -1;

 	/*
 	 *    5.  A message Authentication Tag T is computed by applying HMAC
 	 *    [RFC2104] to the following data, in order:
 	 *
 	 *     - the Additional Authenticated Data A,
 	 *     - the Initialization Vector IV,
 	 *     - the ciphertext E computed in the previous step, and
 	 *     - the octet string AL defined above.
 	 *
 	 *    The string MAC_KEY is used as the MAC key.  We denote the output
 	 *    of the MAC computed in this step as M.  The first T_LEN octets of
 	 *    M are used as T.
 	 */

 	if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) ||
 	    lws_genhmac_update(&hmacctx, jwe->jws.map.buf[LJWE_IV],
 			       LWS_JWE_AES_IV_BYTES) ||
 	    /* since we encrypted it, this is the ciphertext */
 	    lws_genhmac_update(&hmacctx,
 			       (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
 				          jwe->jws.map.len[LJWE_CTXT]) ||
 	    lws_genhmac_update(&hmacctx, al, 8)) {
 		lwsl_err("%s: hmac computation failed\n", __func__);
 		lws_genhmac_destroy(&hmacctx, NULL);
 		return -1;
 	}

 	if (lws_genhmac_destroy(&hmacctx, digest)) {
 		lwsl_err("%s: problem destroying hmac\n", __func__);
 		return -1;
 	}

 	/* create tag */
 	memcpy((void *)jwe->jws.map.buf[LJWE_ATAG], digest, (unsigned int)hlen / 2);

 	return (int)jwe->jws.map.len[LJWE_CTXT];
 }

 int
 lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek,
 				uint8_t *aad, int aad_len)
 {
 	int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
 	uint8_t digest[LWS_GENHASH_LARGEST];
 	struct lws_gencrypto_keyelem el;
 	struct lws_genhmac_ctx hmacctx;
 	struct lws_genaes_ctx aesctx;
 	uint8_t al[8];

 	/* Some sanity checks on what came in */

 	if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
 		lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
 				hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
 		return -1;
 	}

 	if (jwe->jws.map.len[LJWE_IV] != 16) {
 		lwsl_notice("expected iv len %d, got %d\n", 16,
 				jwe->jws.map.len[LJWE_IV]);
 		return -1;
 	}

 	/* Prepare to check authentication
 	 *
 	 * AAD is the b64 JOSE header.
 	 *
 	 * The octet string AL, which is the number of bits in AAD expressed as
 	 * a big-endian 64-bit unsigned integer is:
 	 *
 	 * [0, 0, 0, 0, 0, 0, 1, 152]
 	 *
 	 * Concatenate the AAD, the Initialization Vector, the ciphertext, and
 	 * the AL value.
 	 *
 	 */

 	lws_jwe_be64((unsigned int)aad_len * 8, al);

 	/* first half of enc_cek is the MAC key */
 	if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type, enc_cek,
 			     (unsigned int)hlen / 2)) {
 		lwsl_err("%s: lws_genhmac_init fail\n", __func__);
 		return -1;
 	}

 	if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) ||
 	    lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_IV],
 					 jwe->jws.map.len[LJWE_IV]) ||
 	    lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
 				         jwe->jws.map.len[LJWE_CTXT]) ||
 	    lws_genhmac_update(&hmacctx, al, 8)) {
 		lwsl_err("%s: hmac computation failed\n", __func__);
 		lws_genhmac_destroy(&hmacctx, NULL);
 		return -1;
 	}

 	if (lws_genhmac_destroy(&hmacctx, digest)) {
 		lwsl_err("%s: problem destroying hmac\n", __func__);
 		return -1;
 	}

 	/* first half of digest is the auth tag */

 	if (lws_timingsafe_bcmp(digest, jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2)) {
 		lwsl_err("%s: auth failed: hmac tag (%d) != ATAG (%d)\n",
 			 __func__, hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
 		lwsl_hexdump_notice(jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2);
 		lwsl_hexdump_notice(digest, (unsigned int)hlen / 2);
 		return -1;
 	}

 	/* second half of enc cek is the CEK KEY */
 	el.buf = enc_cek + (hlen / 2);
 	el.len = (unsigned int)hlen / 2;

 	if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_CBC,
 			      &el, LWS_GAESP_NO_PADDING, NULL)) {
 		lwsl_err("%s: lws_genaes_create failed\n", __func__);

 		return -1;
 	}

 	n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
 			     jwe->jws.map.len[LJWE_CTXT],
 			     (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
 			     (uint8_t *)jwe->jws.map.buf[LJWE_IV], NULL, NULL, 16);

 	/* Strip the PKCS #7 padding */

 	if (jwe->jws.map.len[LJWE_CTXT] < LWS_AES_CBC_BLOCKLEN ||
 	    jwe->jws.map.len[LJWE_CTXT] <= (unsigned char)jwe->jws.map.buf[LJWE_CTXT]
 						[jwe->jws.map.len[LJWE_CTXT] - 1]) {
 		lwsl_err("%s: invalid padded ciphertext length: %d. Corrupt data?\n",
 				__func__, jwe->jws.map.len[LJWE_CTXT]);
 		return -1;
 	}
 	jwe->jws.map.len[LJWE_CTXT] = (uint32_t)((int)jwe->jws.map.len[LJWE_CTXT] -
 		jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1]);

 	n |= lws_genaes_destroy(&aesctx, NULL, 0);
 	if (n) {
 		lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
 		return -1;
 	}

 	return (int)jwe->jws.map.len[LJWE_CTXT];
 }
	/*
	* libwebsockets - small server side websockets and web server implementation
	*
	* Copyright (C) 2010 - 2020 Andy Green <[email protected]>
	*
	* Permission is hereby granted, free of charge, to any person obtaining a copy
	* of this software and associated documentation files (the "Software"), to
	* deal in the Software without restriction, including without limitation the
	* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
	* sell copies of the Software, and to permit persons to whom the Software is
	* furnished to do so, subject to the following conditions:
	*
	* The above copyright notice and this permission notice shall be included in
	* all copies or substantial portions of the Software.
	*
	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
	* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
	* IN THE SOFTWARE.
	*/

	#include "private-lib-core.h"
	#include "private-lib-jose-jwe.h"

	int
	lws_jwe_encrypt_cbc_hs(struct lws_jwe jwe, uint8_t cek,
	uint8_t *aad, int aad_len)
	{
	int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
	uint8_t digest[LWS_GENHASH_LARGEST];
	struct lws_gencrypto_keyelem el;
	struct lws_genhmac_ctx hmacctx;
	struct lws_genaes_ctx aesctx;
	size_t paddedlen;
	uint8_t al[8];

	/* Caller must have prepared space for the results */

	if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
	lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
	hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
	return -1;
	}

	if (jwe->jws.map.len[LJWE_IV] != 16) {
	lwsl_notice("expected iv len %d, got %d\n", 16,
	jwe->jws.map.len[LJWE_IV]);
	return -1;
	}

	/* first create the authentication hmac */

	/* JWA Section 5.2.2.1
	*
	* 1. The secondary keys MAC_KEY and ENC_KEY are generated from the
	* input key K as follows. Each of these two keys is an octet
	* string.
	*
	* MAC_KEY consists of the initial MAC_KEY_LEN octets of K, in
	* order.
	* ENC_KEY consists of the final ENC_KEY_LEN octets of K, in
	* order.
	*/

	/*
	* 2. The IV used is a 128-bit value generated randomly or
	* pseudorandomly for use in the cipher.
	*/
	lws_get_random(jwe->jws.context, (void *)jwe->jws.map.buf[LJWE_IV], 16);

	/*
	* 3. The plaintext is CBC encrypted using PKCS #7 padding using
	* ENC_KEY as the key and the IV. We denote the ciphertext output
	* from this step as E.
	*/

	/* second half is the AES ENC_KEY */
	el.buf = cek + (hlen / 2);
	el.len = (uint32_t)(hlen / 2);

	if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_CBC, &el,
	LWS_GAESP_WITH_PADDING, NULL)) {
	lwsl_err("%s: lws_genaes_create failed\n", __func__);

	return -1;
	}

	/*
	* the plaintext gets delivered to us in LJWE_CTXT, this replaces the
	* plaintext there with the ciphertext, which will be larger by some
	* padding bytes
	*/
	n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
	jwe->jws.map.len[LJWE_CTXT],
	(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
	(uint8_t *)jwe->jws.map.buf[LJWE_IV],
	NULL, NULL, LWS_AES_CBC_BLOCKLEN);
	paddedlen = lws_gencrypto_padded_length(LWS_AES_CBC_BLOCKLEN,
	jwe->jws.map.len[LJWE_CTXT]);
	jwe->jws.map.len[LJWE_CTXT] = (uint32_t)paddedlen;
	lws_genaes_destroy(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT] +
	paddedlen - LWS_AES_CBC_BLOCKLEN, LWS_AES_CBC_BLOCKLEN);
	if (n) {
	lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
	return -1;
	}

	/*
	* 4. The octet string AL is equal to the number of bits in the
	* Additional Authenticated Data A expressed as a 64-bit unsigned
	* big-endian integer.
	*/
	lws_jwe_be64((unsigned int)aad_len * 8, al);

	/* first half of the CEK is the MAC key */
	if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type,
	cek, (unsigned int)hlen / 2))
	return -1;

	/*
	* 5. A message Authentication Tag T is computed by applying HMAC
	* [RFC2104] to the following data, in order:
	*
	* - the Additional Authenticated Data A,
	* - the Initialization Vector IV,
	* - the ciphertext E computed in the previous step, and
	* - the octet string AL defined above.
	*
	* The string MAC_KEY is used as the MAC key. We denote the output
	* of the MAC computed in this step as M. The first T_LEN octets of
	* M are used as T.
	*/

	if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) \|\|
	lws_genhmac_update(&hmacctx, jwe->jws.map.buf[LJWE_IV],
	LWS_JWE_AES_IV_BYTES) \|\|
	/* since we encrypted it, this is the ciphertext */
	lws_genhmac_update(&hmacctx,
	(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
	jwe->jws.map.len[LJWE_CTXT]) \|\|
	lws_genhmac_update(&hmacctx, al, 8)) {
	lwsl_err("%s: hmac computation failed\n", __func__);
	lws_genhmac_destroy(&hmacctx, NULL);
	return -1;
	}

	if (lws_genhmac_destroy(&hmacctx, digest)) {
	lwsl_err("%s: problem destroying hmac\n", __func__);
	return -1;
	}

	/* create tag */
	memcpy((void *)jwe->jws.map.buf[LJWE_ATAG], digest, (unsigned int)hlen / 2);

	return (int)jwe->jws.map.len[LJWE_CTXT];
	}

	int
	lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe jwe, uint8_t enc_cek,
	uint8_t *aad, int aad_len)
	{
	int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
	uint8_t digest[LWS_GENHASH_LARGEST];
	struct lws_gencrypto_keyelem el;
	struct lws_genhmac_ctx hmacctx;
	struct lws_genaes_ctx aesctx;
	uint8_t al[8];

	/* Some sanity checks on what came in */

	if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
	lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
	hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
	return -1;
	}

	if (jwe->jws.map.len[LJWE_IV] != 16) {
	lwsl_notice("expected iv len %d, got %d\n", 16,
	jwe->jws.map.len[LJWE_IV]);
	return -1;
	}

	/* Prepare to check authentication
	*
	* AAD is the b64 JOSE header.
	*
	* The octet string AL, which is the number of bits in AAD expressed as
	* a big-endian 64-bit unsigned integer is:
	*
	* [0, 0, 0, 0, 0, 0, 1, 152]
	*
	* Concatenate the AAD, the Initialization Vector, the ciphertext, and
	* the AL value.
	*
	*/

	lws_jwe_be64((unsigned int)aad_len * 8, al);

	/* first half of enc_cek is the MAC key */
	if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type, enc_cek,
	(unsigned int)hlen / 2)) {
	lwsl_err("%s: lws_genhmac_init fail\n", __func__);
	return -1;
	}

	if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) \|\|
	lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_IV],
	jwe->jws.map.len[LJWE_IV]) \|\|
	lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
	jwe->jws.map.len[LJWE_CTXT]) \|\|
	lws_genhmac_update(&hmacctx, al, 8)) {
	lwsl_err("%s: hmac computation failed\n", __func__);
	lws_genhmac_destroy(&hmacctx, NULL);
	return -1;
	}

	if (lws_genhmac_destroy(&hmacctx, digest)) {
	lwsl_err("%s: problem destroying hmac\n", __func__);
	return -1;
	}

	/* first half of digest is the auth tag */

	if (lws_timingsafe_bcmp(digest, jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2)) {
	lwsl_err("%s: auth failed: hmac tag (%d) != ATAG (%d)\n",
	__func__, hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
	lwsl_hexdump_notice(jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2);
	lwsl_hexdump_notice(digest, (unsigned int)hlen / 2);
	return -1;
	}

	/* second half of enc cek is the CEK KEY */
	el.buf = enc_cek + (hlen / 2);
	el.len = (unsigned int)hlen / 2;

	if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_CBC,
	&el, LWS_GAESP_NO_PADDING, NULL)) {
	lwsl_err("%s: lws_genaes_create failed\n", __func__);

	return -1;
	}

	n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
	jwe->jws.map.len[LJWE_CTXT],
	(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
	(uint8_t *)jwe->jws.map.buf[LJWE_IV], NULL, NULL, 16);

	/* Strip the PKCS #7 padding */

	if (jwe->jws.map.len[LJWE_CTXT] < LWS_AES_CBC_BLOCKLEN \|\|
	jwe->jws.map.len[LJWE_CTXT] <= (unsigned char)jwe->jws.map.buf[LJWE_CTXT]
	[jwe->jws.map.len[LJWE_CTXT] - 1]) {
	lwsl_err("%s: invalid padded ciphertext length: %d. Corrupt data?\n",
	__func__, jwe->jws.map.len[LJWE_CTXT]);
	return -1;
	}
	jwe->jws.map.len[LJWE_CTXT] = (uint32_t)((int)jwe->jws.map.len[LJWE_CTXT] -
	jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1]);

	n \|= lws_genaes_destroy(&aesctx, NULL, 0);
	if (n) {
	lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
	return -1;
	}

	return (int)jwe->jws.map.len[LJWE_CTXT];
	}