2019-01-22 05:21:41 +01:00
|
|
|
/* Copyright 2018-2019 New Vector Ltd
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "olm/sas.h"
|
|
|
|
#include "olm/base64.h"
|
|
|
|
#include "olm/crypto.h"
|
|
|
|
#include "olm/error.h"
|
|
|
|
#include "olm/memory.h"
|
|
|
|
|
|
|
|
struct OlmSAS {
|
|
|
|
enum OlmErrorCode last_error;
|
|
|
|
struct _olm_curve25519_key_pair curve25519_key;
|
|
|
|
uint8_t secret[CURVE25519_SHARED_SECRET_LENGTH];
|
2020-09-23 10:13:46 +02:00
|
|
|
int their_key_set;
|
2019-01-22 05:21:41 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
const char * olm_sas_last_error(
|
|
|
|
OlmSAS * sas
|
|
|
|
) {
|
|
|
|
return _olm_error_to_string(sas->last_error);
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_sas_size(void) {
|
|
|
|
return sizeof(OlmSAS);
|
|
|
|
}
|
|
|
|
|
|
|
|
OlmSAS * olm_sas(
|
|
|
|
void * memory
|
|
|
|
) {
|
|
|
|
_olm_unset(memory, sizeof(OlmSAS));
|
|
|
|
return (OlmSAS *) memory;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_clear_sas(
|
|
|
|
OlmSAS * sas
|
|
|
|
) {
|
|
|
|
_olm_unset(sas, sizeof(OlmSAS));
|
|
|
|
return sizeof(OlmSAS);
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_create_sas_random_length(OlmSAS * sas) {
|
|
|
|
return CURVE25519_KEY_LENGTH;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_create_sas(
|
|
|
|
OlmSAS * sas,
|
|
|
|
void * random, size_t random_length
|
|
|
|
) {
|
|
|
|
if (random_length < olm_create_sas_random_length(sas)) {
|
|
|
|
sas->last_error = OLM_NOT_ENOUGH_RANDOM;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
|
|
|
_olm_crypto_curve25519_generate_key((uint8_t *) random, &sas->curve25519_key);
|
2020-09-23 22:11:37 +02:00
|
|
|
sas->their_key_set = 0;
|
2019-01-22 05:21:41 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_sas_pubkey_length(OlmSAS * sas) {
|
|
|
|
return _olm_encode_base64_length(CURVE25519_KEY_LENGTH);
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_sas_get_pubkey(
|
|
|
|
OlmSAS * sas,
|
|
|
|
void * pubkey, size_t pubkey_length
|
|
|
|
) {
|
|
|
|
if (pubkey_length < olm_sas_pubkey_length(sas)) {
|
|
|
|
sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
|
|
|
_olm_encode_base64(
|
|
|
|
(const uint8_t *)sas->curve25519_key.public_key.public_key,
|
|
|
|
CURVE25519_KEY_LENGTH,
|
|
|
|
(uint8_t *)pubkey
|
|
|
|
);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_sas_set_their_key(
|
|
|
|
OlmSAS *sas,
|
|
|
|
void * their_key, size_t their_key_length
|
|
|
|
) {
|
|
|
|
if (their_key_length < olm_sas_pubkey_length(sas)) {
|
|
|
|
sas->last_error = OLM_INPUT_BUFFER_TOO_SMALL;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
|
|
|
_olm_decode_base64(their_key, their_key_length, their_key);
|
|
|
|
_olm_crypto_curve25519_shared_secret(&sas->curve25519_key, their_key, sas->secret);
|
2020-09-23 10:13:46 +02:00
|
|
|
sas->their_key_set = 1;
|
2019-01-22 05:21:41 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-09-23 10:13:46 +02:00
|
|
|
int olm_sas_is_their_key_set(
|
|
|
|
OlmSAS *sas
|
|
|
|
) {
|
|
|
|
return sas->their_key_set;
|
|
|
|
}
|
|
|
|
|
2019-01-22 05:21:41 +01:00
|
|
|
size_t olm_sas_generate_bytes(
|
|
|
|
OlmSAS * sas,
|
|
|
|
const void * info, size_t info_length,
|
|
|
|
void * output, size_t output_length
|
|
|
|
) {
|
2020-09-23 10:13:46 +02:00
|
|
|
if (!sas->their_key_set) {
|
|
|
|
sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
2019-01-22 05:21:41 +01:00
|
|
|
_olm_crypto_hkdf_sha256(
|
|
|
|
sas->secret, sizeof(sas->secret),
|
|
|
|
NULL, 0,
|
|
|
|
(const uint8_t *) info, info_length,
|
|
|
|
output, output_length
|
|
|
|
);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_sas_mac_length(
|
|
|
|
OlmSAS *sas
|
|
|
|
) {
|
|
|
|
return _olm_encode_base64_length(SHA256_OUTPUT_LENGTH);
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t olm_sas_calculate_mac(
|
|
|
|
OlmSAS * sas,
|
2019-05-14 18:53:19 +02:00
|
|
|
const void * input, size_t input_length,
|
2019-01-22 05:21:41 +01:00
|
|
|
const void * info, size_t info_length,
|
|
|
|
void * mac, size_t mac_length
|
|
|
|
) {
|
|
|
|
if (mac_length < olm_sas_mac_length(sas)) {
|
|
|
|
sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
2020-09-23 22:45:36 +02:00
|
|
|
if (!sas->their_key_set) {
|
|
|
|
sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
2019-01-22 05:21:41 +01:00
|
|
|
uint8_t key[32];
|
|
|
|
_olm_crypto_hkdf_sha256(
|
|
|
|
sas->secret, sizeof(sas->secret),
|
|
|
|
NULL, 0,
|
|
|
|
(const uint8_t *) info, info_length,
|
|
|
|
key, 32
|
|
|
|
);
|
sas: Fix the base64 encoding of the MAC.
When calculating the MAC for a message using olm_sas_calculate_mac() and
olm_sas_calculate_mac_long_kdf() the resulting MAC will be base64
encoded using _olm_encode_base64().
The _olm_encode_base64() method requires an input buffer and output
buffer to be passed alongside the input length. The method is called
with the same buffer, containing the MAC, for the input buffer as well
as for the output buffer. This results in an incorrectly base64 encoded
MAC.
For example the byte array:
[121, 105, 187, 19, 37, 94, 119, 248, 224, 34, 94, 29, 157, 5,
15, 230, 246, 115, 236, 217, 80, 78, 56, 200, 80, 200, 82, 158,
168, 179, 10, 230]
will be encoded as eWm7NyVeVmXgbVhnYlZobllsWm9ibGxzV205aWJHeHo
instead of as eWm7EyVed/jgIl4dnQUP5vZz7NlQTjjIUMhSnqizCuY
Notice the different value at the 10th character.
The correct result can be independently checked using Python for
example:
>>> from base64 import b64encode
>>> mac = [121, 105, 187, 19, 37, 94, 119, 248, 224, 34, 94, 29, 157, \
5, 15, 230, 246, 115, 236, 217, 80, 78, 56, 200, 80, 200, \
82, 158, 168, 179, 10, 230]
>>> b64encode(bytearray(mac)).rstrip(b"=")
>>> b'eWm7EyVed/jgIl4dnQUP5vZz7NlQTjjIUMhSnqizCuY'
This happens because the encode_base64() method that is used does not support
in-place encoding in the general case. This is because the remainder for a 32
bit input will always be 2 (32 % 6 == 2).
The remainder will be used over here:
https://gitlab.matrix.org/matrix-org/olm/-/blob/c01164f001d57fbe2297fe11954b58077a68dc0d/src/base64.cpp#L74
The logic that gets executed if a remainder exists depends on the original input
values, since those already got in-place encoded the whole block will behave
differently if the input buffer is the same as the output buffer.
2021-01-31 12:46:34 +01:00
|
|
|
|
|
|
|
uint8_t temp_mac[32];
|
|
|
|
_olm_crypto_hmac_sha256(key, 32, input, input_length, temp_mac);
|
|
|
|
_olm_encode_base64((const uint8_t *)temp_mac, SHA256_OUTPUT_LENGTH, (uint8_t *)mac);
|
|
|
|
|
2019-01-22 05:21:41 +01:00
|
|
|
return 0;
|
|
|
|
}
|
2019-04-03 05:39:05 +02:00
|
|
|
|
|
|
|
// for compatibility with an old version of Riot
|
|
|
|
size_t olm_sas_calculate_mac_long_kdf(
|
|
|
|
OlmSAS * sas,
|
2019-05-14 18:53:19 +02:00
|
|
|
const void * input, size_t input_length,
|
2019-04-03 05:39:05 +02:00
|
|
|
const void * info, size_t info_length,
|
|
|
|
void * mac, size_t mac_length
|
|
|
|
) {
|
|
|
|
if (mac_length < olm_sas_mac_length(sas)) {
|
|
|
|
sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
2020-09-23 22:45:36 +02:00
|
|
|
if (!sas->their_key_set) {
|
|
|
|
sas->last_error = OLM_SAS_THEIR_KEY_NOT_SET;
|
|
|
|
return (size_t)-1;
|
|
|
|
}
|
2019-04-03 05:39:05 +02:00
|
|
|
uint8_t key[256];
|
|
|
|
_olm_crypto_hkdf_sha256(
|
|
|
|
sas->secret, sizeof(sas->secret),
|
|
|
|
NULL, 0,
|
|
|
|
(const uint8_t *) info, info_length,
|
|
|
|
key, 256
|
|
|
|
);
|
sas: Fix the base64 encoding of the MAC.
When calculating the MAC for a message using olm_sas_calculate_mac() and
olm_sas_calculate_mac_long_kdf() the resulting MAC will be base64
encoded using _olm_encode_base64().
The _olm_encode_base64() method requires an input buffer and output
buffer to be passed alongside the input length. The method is called
with the same buffer, containing the MAC, for the input buffer as well
as for the output buffer. This results in an incorrectly base64 encoded
MAC.
For example the byte array:
[121, 105, 187, 19, 37, 94, 119, 248, 224, 34, 94, 29, 157, 5,
15, 230, 246, 115, 236, 217, 80, 78, 56, 200, 80, 200, 82, 158,
168, 179, 10, 230]
will be encoded as eWm7NyVeVmXgbVhnYlZobllsWm9ibGxzV205aWJHeHo
instead of as eWm7EyVed/jgIl4dnQUP5vZz7NlQTjjIUMhSnqizCuY
Notice the different value at the 10th character.
The correct result can be independently checked using Python for
example:
>>> from base64 import b64encode
>>> mac = [121, 105, 187, 19, 37, 94, 119, 248, 224, 34, 94, 29, 157, \
5, 15, 230, 246, 115, 236, 217, 80, 78, 56, 200, 80, 200, \
82, 158, 168, 179, 10, 230]
>>> b64encode(bytearray(mac)).rstrip(b"=")
>>> b'eWm7EyVed/jgIl4dnQUP5vZz7NlQTjjIUMhSnqizCuY'
This happens because the encode_base64() method that is used does not support
in-place encoding in the general case. This is because the remainder for a 32
bit input will always be 2 (32 % 6 == 2).
The remainder will be used over here:
https://gitlab.matrix.org/matrix-org/olm/-/blob/c01164f001d57fbe2297fe11954b58077a68dc0d/src/base64.cpp#L74
The logic that gets executed if a remainder exists depends on the original input
values, since those already got in-place encoded the whole block will behave
differently if the input buffer is the same as the output buffer.
2021-01-31 12:46:34 +01:00
|
|
|
|
|
|
|
uint8_t temp_mac[32];
|
|
|
|
_olm_crypto_hmac_sha256(key, 256, input, input_length, temp_mac);
|
|
|
|
_olm_encode_base64((const uint8_t *)temp_mac, SHA256_OUTPUT_LENGTH, (uint8_t *)mac);
|
|
|
|
|
2019-04-03 05:39:05 +02:00
|
|
|
return 0;
|
|
|
|
}
|