Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Code Issues Releases Wiki Activity
libwebsockets/lib/jose/jwe/enc/aescbc.c
Andy Green c9731c5f17 type comparisons: fixes 
This is a huge patch that should be a global NOP.

For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.

This is things like passing an int to a size_t argument.  Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.

With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.

From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
2021-01-05 10:56:38 +00:00

271 lines
8.7 KiB
C
Executable file
Raw Permalink Blame History

/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010 - 2020 Andy Green <andy@warmcat.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/
#include "private-lib-core.h"
#include "private-lib-jose-jwe.h"
int
lws_jwe_encrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *cek,
uint8_t *aad, int aad_len)
{
int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
uint8_t digest[LWS_GENHASH_LARGEST];
struct lws_gencrypto_keyelem el;
struct lws_genhmac_ctx hmacctx;
struct lws_genaes_ctx aesctx;
size_t paddedlen;
uint8_t al[8];
/* Caller must have prepared space for the results */
if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
return -1;
}
if (jwe->jws.map.len[LJWE_IV] != 16) {
lwsl_notice("expected iv len %d, got %d\n", 16,
jwe->jws.map.len[LJWE_IV]);
return -1;
}
/* first create the authentication hmac */
/* JWA Section 5.2.2.1
*
* 1. The secondary keys MAC_KEY and ENC_KEY are generated from the
* input key K as follows. Each of these two keys is an octet
* string.
*
* MAC_KEY consists of the initial MAC_KEY_LEN octets of K, in
* order.
* ENC_KEY consists of the final ENC_KEY_LEN octets of K, in
* order.
*/
/*
* 2. The IV used is a 128-bit value generated randomly or
* pseudorandomly for use in the cipher.
*/
lws_get_random(jwe->jws.context, (void *)jwe->jws.map.buf[LJWE_IV], 16);
/*
* 3. The plaintext is CBC encrypted using PKCS #7 padding using
* ENC_KEY as the key and the IV. We denote the ciphertext output
* from this step as E.
*/
/* second half is the AES ENC_KEY */
el.buf = cek + (hlen / 2);
el.len = (uint32_t)(hlen / 2);
if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_CBC, &el,
LWS_GAESP_WITH_PADDING, NULL)) {
lwsl_err("%s: lws_genaes_create failed\n", __func__);
return -1;
}
/*
* the plaintext gets delivered to us in LJWE_CTXT, this replaces the
* plaintext there with the ciphertext, which will be larger by some
* padding bytes
*/
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_IV],
NULL, NULL, LWS_AES_CBC_BLOCKLEN);
paddedlen = lws_gencrypto_padded_length(LWS_AES_CBC_BLOCKLEN,
jwe->jws.map.len[LJWE_CTXT]);
jwe->jws.map.len[LJWE_CTXT] = (uint32_t)paddedlen;
lws_genaes_destroy(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT] +
paddedlen - LWS_AES_CBC_BLOCKLEN, LWS_AES_CBC_BLOCKLEN);
if (n) {
lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
return -1;
}
/*
* 4. The octet string AL is equal to the number of bits in the
* Additional Authenticated Data A expressed as a 64-bit unsigned
* big-endian integer.
*/
lws_jwe_be64((unsigned int)aad_len * 8, al);
/* first half of the CEK is the MAC key */
if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type,
cek, (unsigned int)hlen / 2))
return -1;
/*
* 5. A message Authentication Tag T is computed by applying HMAC
* [RFC2104] to the following data, in order:
*
* - the Additional Authenticated Data A,
* - the Initialization Vector IV,
* - the ciphertext E computed in the previous step, and
* - the octet string AL defined above.
*
* The string MAC_KEY is used as the MAC key. We denote the output
* of the MAC computed in this step as M. The first T_LEN octets of
* M are used as T.
*/
if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) ||
lws_genhmac_update(&hmacctx, jwe->jws.map.buf[LJWE_IV],
LWS_JWE_AES_IV_BYTES) ||
/* since we encrypted it, this is the ciphertext */
lws_genhmac_update(&hmacctx,
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT]) ||
lws_genhmac_update(&hmacctx, al, 8)) {
lwsl_err("%s: hmac computation failed\n", __func__);
lws_genhmac_destroy(&hmacctx, NULL);
return -1;
}
if (lws_genhmac_destroy(&hmacctx, digest)) {
lwsl_err("%s: problem destroying hmac\n", __func__);
return -1;
}
/* create tag */
memcpy((void *)jwe->jws.map.buf[LJWE_ATAG], digest, (unsigned int)hlen / 2);
return (int)jwe->jws.map.len[LJWE_CTXT];
}
int
lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek,
uint8_t *aad, int aad_len)
{
int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
uint8_t digest[LWS_GENHASH_LARGEST];
struct lws_gencrypto_keyelem el;
struct lws_genhmac_ctx hmacctx;
struct lws_genaes_ctx aesctx;
uint8_t al[8];
/* Some sanity checks on what came in */
if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
return -1;
}
if (jwe->jws.map.len[LJWE_IV] != 16) {
lwsl_notice("expected iv len %d, got %d\n", 16,
jwe->jws.map.len[LJWE_IV]);
return -1;
}
/* Prepare to check authentication
*
* AAD is the b64 JOSE header.
*
* The octet string AL, which is the number of bits in AAD expressed as
* a big-endian 64-bit unsigned integer is:
*
* [0, 0, 0, 0, 0, 0, 1, 152]
*
* Concatenate the AAD, the Initialization Vector, the ciphertext, and
* the AL value.
*
*/
lws_jwe_be64((unsigned int)aad_len * 8, al);
/* first half of enc_cek is the MAC key */
if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type, enc_cek,
(unsigned int)hlen / 2)) {
lwsl_err("%s: lws_genhmac_init fail\n", __func__);
return -1;
}
if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) ||
lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_IV],
jwe->jws.map.len[LJWE_IV]) ||
lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT]) ||
lws_genhmac_update(&hmacctx, al, 8)) {
lwsl_err("%s: hmac computation failed\n", __func__);
lws_genhmac_destroy(&hmacctx, NULL);
return -1;
}
if (lws_genhmac_destroy(&hmacctx, digest)) {
lwsl_err("%s: problem destroying hmac\n", __func__);
return -1;
}
/* first half of digest is the auth tag */
if (lws_timingsafe_bcmp(digest, jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2)) {
lwsl_err("%s: auth failed: hmac tag (%d) != ATAG (%d)\n",
__func__, hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
lwsl_hexdump_notice(jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2);
lwsl_hexdump_notice(digest, (unsigned int)hlen / 2);
return -1;
}
/* second half of enc cek is the CEK KEY */
el.buf = enc_cek + (hlen / 2);
el.len = (unsigned int)hlen / 2;
if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_CBC,
&el, LWS_GAESP_NO_PADDING, NULL)) {
lwsl_err("%s: lws_genaes_create failed\n", __func__);
return -1;
}
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_IV], NULL, NULL, 16);
/* Strip the PKCS #7 padding */
if (jwe->jws.map.len[LJWE_CTXT] < LWS_AES_CBC_BLOCKLEN ||
jwe->jws.map.len[LJWE_CTXT] <= (unsigned char)jwe->jws.map.buf[LJWE_CTXT]
[jwe->jws.map.len[LJWE_CTXT] - 1]) {
lwsl_err("%s: invalid padded ciphertext length: %d. Corrupt data?\n",
__func__, jwe->jws.map.len[LJWE_CTXT]);
return -1;
}
jwe->jws.map.len[LJWE_CTXT] = (uint32_t)((int)jwe->jws.map.len[LJWE_CTXT] -
jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1]);
n |= lws_genaes_destroy(&aesctx, NULL, 0);
if (n) {
lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
return -1;
}
return (int)jwe->jws.map.len[LJWE_CTXT];
}
Reference in a new issue View git blame Copy permalink