mirror of
https://github.com/warmcat/libwebsockets.git
synced 2025-03-23 00:00:06 +01:00
c9731c5f17
This is a huge patch that should be a global NOP. For unix type platforms it enables -Wconversion to issue warnings (-> error) for all automatic casts that seem less than ideal but are normally concealed by the toolchain. This is things like passing an int to a size_t argument. Once enabled, I went through all args on my default build (which build most things) and tried to make the removed default cast explicit. With that approach it neither change nor bloat the code, since it compiles to whatever it was doing before, just with the casts made explicit... in a few cases I changed some length args from int to size_t but largely left the causes alone. From now on, new code that is relying on less than ideal casting will complain and nudge me to improve it by warnings.
196 lines
6 KiB
C
196 lines
6 KiB
C
/*
|
|
* libwebsockets - small server side websockets and web server implementation
|
|
*
|
|
* Copyright (C) 2010 - 2020 Andy Green <andy@warmcat.com>
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to
|
|
* deal in the Software without restriction, including without limitation the
|
|
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
|
* sell copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
* IN THE SOFTWARE.
|
|
*/
|
|
|
|
#include "private-lib-core.h"
|
|
#include "private-lib-jose-jwe.h"
|
|
|
|
/*
|
|
* Requirements on entry:
|
|
*
|
|
* - jwe->jws.map LJWE_JOSE contains the ASCII JOSE header
|
|
* - jwe->jws.map LJWE_EKEY contains cek of enc_alg hmac length
|
|
* - jwe->jws.map LJWE_CTXT contains the plaintext
|
|
*
|
|
* On successful exit:
|
|
*
|
|
* - jwe->jws.map LJWE_ATAG contains the tag
|
|
* - jwe->jws.map LJWE_IV contains the new random IV that was used
|
|
* - jwe->jws.map LJWE_EKEY contains the encrypted CEK
|
|
* - jwe->jws.map LJWE_CTXT contains the ciphertext
|
|
*
|
|
* Return the amount of temp used, or -1
|
|
*/
|
|
|
|
int
|
|
lws_jwe_encrypt_rsa_aes_cbc_hs(struct lws_jwe *jwe,
|
|
char *temp, int *temp_len)
|
|
{
|
|
int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type),
|
|
ot = *temp_len;
|
|
char ekey[LWS_GENHASH_LARGEST];
|
|
struct lws_genrsa_ctx rsactx;
|
|
|
|
if (jwe->jws.jwk->kty != LWS_GENCRYPTO_KTY_RSA) {
|
|
lwsl_err("%s: unexpected kty %d\n", __func__, jwe->jws.jwk->kty);
|
|
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
* Notice that the unencrypted EKEY coming in is smaller than the
|
|
* RSA-encrypted EKEY going out, which is going to be the RSA key size
|
|
*
|
|
* Create a b64 version of the JOSE header, needed as aad
|
|
*/
|
|
if (lws_jws_encode_b64_element(&jwe->jws.map_b64, LJWE_JOSE,
|
|
temp, temp_len,
|
|
jwe->jws.map.buf[LJWE_JOSE],
|
|
jwe->jws.map.len[LJWE_JOSE]))
|
|
return -1;
|
|
|
|
if (lws_jws_alloc_element(&jwe->jws.map, LJWE_ATAG, temp + (ot - *temp_len),
|
|
temp_len, (unsigned int)hlen / 2, 0))
|
|
return -1;
|
|
|
|
if (lws_jws_alloc_element(&jwe->jws.map, LJWE_IV, temp + (ot - *temp_len),
|
|
temp_len, LWS_JWE_AES_IV_BYTES, 0))
|
|
return -1;
|
|
|
|
/*
|
|
* Without changing the unencrypted CEK in EKEY, reallocate enough
|
|
* space to write the RSA-encrypted version in-situ.
|
|
*/
|
|
if (lws_jws_dup_element(&jwe->jws.map, LJWE_EKEY, temp + (ot - *temp_len),
|
|
temp_len, jwe->jws.map.buf[LJWE_EKEY],
|
|
jwe->jws.map.len[LJWE_EKEY],
|
|
jwe->jws.jwk->e[LWS_GENCRYPTO_RSA_KEYEL_N].len))
|
|
return -1;
|
|
|
|
/* Encrypt using the raw CEK (treated as MAC KEY | ENC KEY) */
|
|
|
|
n = lws_jwe_encrypt_cbc_hs(jwe, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
|
|
(uint8_t *)jwe->jws.map_b64.buf[LJWE_JOSE],
|
|
(int)jwe->jws.map_b64.len[LJWE_JOSE]);
|
|
if (n < 0) {
|
|
lwsl_err("%s: lws_jwe_encrypt_cbc_hs failed\n", __func__);
|
|
return -1;
|
|
}
|
|
|
|
if (lws_genrsa_create(&rsactx, jwe->jws.jwk->e, jwe->jws.context,
|
|
!strcmp(jwe->jose.alg->alg, "RSA-OAEP") ?
|
|
LGRSAM_PKCS1_OAEP_PSS : LGRSAM_PKCS1_1_5,
|
|
LWS_GENHASH_TYPE_UNKNOWN)) {
|
|
lwsl_notice("%s: lws_genrsa_create\n",
|
|
__func__);
|
|
return -1;
|
|
}
|
|
|
|
/* encrypt the CEK using RSA, mbedtls can't handle both in and out are
|
|
* the EKEY, so copy the unencrypted ekey out temporarily */
|
|
|
|
memcpy(ekey, jwe->jws.map.buf[LJWE_EKEY], (unsigned int)hlen);
|
|
|
|
n = lws_genrsa_public_encrypt(&rsactx, (uint8_t *)ekey, (unsigned int)hlen,
|
|
(uint8_t *)jwe->jws.map.buf[LJWE_EKEY]);
|
|
lws_genrsa_destroy(&rsactx);
|
|
lws_explicit_bzero(ekey, (unsigned int)hlen); /* cleanse the temp CEK copy */
|
|
if (n < 0) {
|
|
lwsl_err("%s: encrypt cek fail\n", __func__);
|
|
return -1;
|
|
}
|
|
jwe->jws.map.len[LJWE_EKEY] = (unsigned int)n; /* update to encrypted EKEY size */
|
|
|
|
/*
|
|
* We end up with IV, ATAG, set, EKEY encrypted and CTXT is ciphertext,
|
|
* and b64u version of ATAG in map_b64.
|
|
*/
|
|
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
lws_jwe_auth_and_decrypt_rsa_aes_cbc_hs(struct lws_jwe *jwe)
|
|
{
|
|
int n;
|
|
struct lws_genrsa_ctx rsactx;
|
|
uint8_t enc_cek[512];
|
|
|
|
if (jwe->jws.jwk->kty != LWS_GENCRYPTO_KTY_RSA) {
|
|
lwsl_err("%s: unexpected kty %d\n", __func__, jwe->jws.jwk->kty);
|
|
|
|
return -1;
|
|
}
|
|
|
|
if (jwe->jws.map.len[LJWE_EKEY] < 40) {
|
|
lwsl_err("%s: EKEY length too short %d\n", __func__,
|
|
jwe->jws.map.len[LJWE_EKEY]);
|
|
|
|
return -1;
|
|
}
|
|
|
|
/* Decrypt the JWE Encrypted Key to get the raw MAC || CEK */
|
|
|
|
if (lws_genrsa_create(&rsactx, jwe->jws.jwk->e, jwe->jws.context,
|
|
!strcmp(jwe->jose.alg->alg, "RSA-OAEP") ?
|
|
LGRSAM_PKCS1_OAEP_PSS : LGRSAM_PKCS1_1_5,
|
|
LWS_GENHASH_TYPE_UNKNOWN)) {
|
|
lwsl_notice("%s: lws_genrsa_public_decrypt_create\n",
|
|
__func__);
|
|
return -1;
|
|
}
|
|
|
|
n = lws_genrsa_private_decrypt(&rsactx,
|
|
(uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
|
|
jwe->jws.map.len[LJWE_EKEY], enc_cek,
|
|
sizeof(enc_cek));
|
|
lws_genrsa_destroy(&rsactx);
|
|
if (n < 0) {
|
|
lwsl_err("%s: decrypt cek fail: \n", __func__);
|
|
return -1;
|
|
}
|
|
|
|
n = lws_jwe_auth_and_decrypt_cbc_hs(jwe, enc_cek,
|
|
(uint8_t *)jwe->jws.map_b64.buf[LJWE_JOSE],
|
|
(int)jwe->jws.map_b64.len[LJWE_JOSE]);
|
|
if (n < 0) {
|
|
lwsl_err("%s: lws_jwe_auth_and_decrypt_cbc_hs failed\n",
|
|
__func__);
|
|
return -1;
|
|
}
|
|
|
|
#if defined(LWS_WITH_MBEDTLS) && defined(LWS_PLAT_OPTEE)
|
|
|
|
/* strip padding */
|
|
|
|
n = jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1];
|
|
if (n > 16) {
|
|
lwsl_err("%s: n == %d, plen %d\n", __func__, n,
|
|
(int)jwe->jws.map.len[LJWE_CTXT]);
|
|
return -1;
|
|
}
|
|
jwe->jws.map.len[LJWE_CTXT] -= n;
|
|
#endif
|
|
|
|
return (int)jwe->jws.map.len[LJWE_CTXT];
|
|
}
|