xref: /aosp_15_r20/external/libwebsockets/lib/jose/jwe/enc/aeskw.c (revision 1c60b9aca93fdbc9b5f19b2d2194c91294b22281) 
1*1c60b9acSAndroid Build Coastguard Worker /*
2*1c60b9acSAndroid Build Coastguard Worker  * libwebsockets - small server side websockets and web server implementation
3*1c60b9acSAndroid Build Coastguard Worker  *
4*1c60b9acSAndroid Build Coastguard Worker  * Copyright (C) 2010 - 2020 Andy Green <[email protected]>
5*1c60b9acSAndroid Build Coastguard Worker  *
6*1c60b9acSAndroid Build Coastguard Worker  * Permission is hereby granted, free of charge, to any person obtaining a copy
7*1c60b9acSAndroid Build Coastguard Worker  * of this software and associated documentation files (the "Software"), to
8*1c60b9acSAndroid Build Coastguard Worker  * deal in the Software without restriction, including without limitation the
9*1c60b9acSAndroid Build Coastguard Worker  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10*1c60b9acSAndroid Build Coastguard Worker  * sell copies of the Software, and to permit persons to whom the Software is
11*1c60b9acSAndroid Build Coastguard Worker  * furnished to do so, subject to the following conditions:
12*1c60b9acSAndroid Build Coastguard Worker  *
13*1c60b9acSAndroid Build Coastguard Worker  * The above copyright notice and this permission notice shall be included in
14*1c60b9acSAndroid Build Coastguard Worker  * all copies or substantial portions of the Software.
15*1c60b9acSAndroid Build Coastguard Worker  *
16*1c60b9acSAndroid Build Coastguard Worker  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17*1c60b9acSAndroid Build Coastguard Worker  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18*1c60b9acSAndroid Build Coastguard Worker  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19*1c60b9acSAndroid Build Coastguard Worker  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20*1c60b9acSAndroid Build Coastguard Worker  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21*1c60b9acSAndroid Build Coastguard Worker  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22*1c60b9acSAndroid Build Coastguard Worker  * IN THE SOFTWARE.
23*1c60b9acSAndroid Build Coastguard Worker  */
24*1c60b9acSAndroid Build Coastguard Worker 
25*1c60b9acSAndroid Build Coastguard Worker #include "private-lib-core.h"
26*1c60b9acSAndroid Build Coastguard Worker #include "private-lib-jose-jwe.h"
27*1c60b9acSAndroid Build Coastguard Worker 
28*1c60b9acSAndroid Build Coastguard Worker /*
29*1c60b9acSAndroid Build Coastguard Worker  * RFC3394 Key Wrap uses a 128-bit key, and bloats what it is wrapping by
30*1c60b9acSAndroid Build Coastguard Worker  * one 8-byte block.  So, if you had a 32 byte plaintext CEK to wrap, after
31*1c60b9acSAndroid Build Coastguard Worker  * wrapping it becomes a 40 byte wrapped, enciphered, key.
32*1c60b9acSAndroid Build Coastguard Worker  *
33*1c60b9acSAndroid Build Coastguard Worker  * The CEK comes in from and goes out in LJWE_EKEY.  So LJWE_EKEY length
34*1c60b9acSAndroid Build Coastguard Worker  * increases by 8 from calling this.
35*1c60b9acSAndroid Build Coastguard Worker  */
36*1c60b9acSAndroid Build Coastguard Worker 
37*1c60b9acSAndroid Build Coastguard Worker int
lws_jwe_encrypt_aeskw_cbc_hs(struct lws_jwe * jwe,char * temp,int * temp_len)38*1c60b9acSAndroid Build Coastguard Worker lws_jwe_encrypt_aeskw_cbc_hs(struct lws_jwe *jwe, char *temp, int *temp_len)
39*1c60b9acSAndroid Build Coastguard Worker {
40*1c60b9acSAndroid Build Coastguard Worker 	struct lws_genaes_ctx aesctx;
41*1c60b9acSAndroid Build Coastguard Worker 	/* we are wrapping a key, so size for the worst case after wrap */
42*1c60b9acSAndroid Build Coastguard Worker 	uint8_t enc_cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES +
43*1c60b9acSAndroid Build Coastguard Worker 	                LWS_JWE_RFC3394_OVERHEAD_BYTES];
44*1c60b9acSAndroid Build Coastguard Worker 	int n, m, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type),
45*1c60b9acSAndroid Build Coastguard Worker 			 ot = *temp_len;
46*1c60b9acSAndroid Build Coastguard Worker 
47*1c60b9acSAndroid Build Coastguard Worker 	if (jwe->jws.jwk->kty != LWS_GENCRYPTO_KTY_OCT) {
48*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: unexpected kty %d\n", __func__, jwe->jws.jwk->kty);
49*1c60b9acSAndroid Build Coastguard Worker 
50*1c60b9acSAndroid Build Coastguard Worker 		return -1;
51*1c60b9acSAndroid Build Coastguard Worker 	}
52*1c60b9acSAndroid Build Coastguard Worker 
53*1c60b9acSAndroid Build Coastguard Worker 	/* create a b64 version of the JOSE header, needed for hashing */
54*1c60b9acSAndroid Build Coastguard Worker 
55*1c60b9acSAndroid Build Coastguard Worker 	if (lws_jws_encode_b64_element(&jwe->jws.map_b64, LJWE_JOSE,
56*1c60b9acSAndroid Build Coastguard Worker 				       temp, temp_len,
57*1c60b9acSAndroid Build Coastguard Worker 				       jwe->jws.map.buf[LJWE_JOSE],
58*1c60b9acSAndroid Build Coastguard Worker 				       jwe->jws.map.len[LJWE_JOSE]))
59*1c60b9acSAndroid Build Coastguard Worker 		return -1;
60*1c60b9acSAndroid Build Coastguard Worker 
61*1c60b9acSAndroid Build Coastguard Worker 	/* Allocate temp space for ATAG and IV */
62*1c60b9acSAndroid Build Coastguard Worker 
63*1c60b9acSAndroid Build Coastguard Worker 	if (lws_jws_alloc_element(&jwe->jws.map, LJWE_ATAG, temp + (ot - *temp_len),
64*1c60b9acSAndroid Build Coastguard Worker 				  temp_len, (unsigned int)hlen / 2, 0))
65*1c60b9acSAndroid Build Coastguard Worker 		return -1;
66*1c60b9acSAndroid Build Coastguard Worker 
67*1c60b9acSAndroid Build Coastguard Worker 	if (lws_jws_alloc_element(&jwe->jws.map, LJWE_IV, temp + (ot - *temp_len),
68*1c60b9acSAndroid Build Coastguard Worker 				  temp_len, LWS_JWE_AES_IV_BYTES, 0))
69*1c60b9acSAndroid Build Coastguard Worker 		return -1;
70*1c60b9acSAndroid Build Coastguard Worker 
71*1c60b9acSAndroid Build Coastguard Worker 	/* 1) Encrypt the payload...  */
72*1c60b9acSAndroid Build Coastguard Worker 
73*1c60b9acSAndroid Build Coastguard Worker 	/* the CEK is 256-bit in the example encrypted with a 128-bit key */
74*1c60b9acSAndroid Build Coastguard Worker 
75*1c60b9acSAndroid Build Coastguard Worker 	n = lws_jwe_encrypt_cbc_hs(jwe, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
76*1c60b9acSAndroid Build Coastguard Worker 				   (uint8_t *)jwe->jws.map_b64.buf[LJWE_JOSE],
77*1c60b9acSAndroid Build Coastguard Worker 				   (int)jwe->jws.map_b64.len[LJWE_JOSE]);
78*1c60b9acSAndroid Build Coastguard Worker 	if (n < 0) {
79*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: lws_jwe_encrypt_cbc_hs failed\n", __func__);
80*1c60b9acSAndroid Build Coastguard Worker 		return -1;
81*1c60b9acSAndroid Build Coastguard Worker 	}
82*1c60b9acSAndroid Build Coastguard Worker 
83*1c60b9acSAndroid Build Coastguard Worker 	/* 2) Encrypt the JWE Encrypted Key: RFC3394 Key Wrap uses 64 bit blocks
84*1c60b9acSAndroid Build Coastguard Worker 	 *    and 128-bit input key*/
85*1c60b9acSAndroid Build Coastguard Worker 
86*1c60b9acSAndroid Build Coastguard Worker 	if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_KW,
87*1c60b9acSAndroid Build Coastguard Worker 			      jwe->jws.jwk->e, 1, NULL)) {
88*1c60b9acSAndroid Build Coastguard Worker 
89*1c60b9acSAndroid Build Coastguard Worker 		lwsl_notice("%s: lws_genaes_create\n", __func__);
90*1c60b9acSAndroid Build Coastguard Worker 		return -1;
91*1c60b9acSAndroid Build Coastguard Worker 	}
92*1c60b9acSAndroid Build Coastguard Worker 
93*1c60b9acSAndroid Build Coastguard Worker 	/* tag size is determined by enc cipher key length */
94*1c60b9acSAndroid Build Coastguard Worker 
95*1c60b9acSAndroid Build Coastguard Worker 	n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
96*1c60b9acSAndroid Build Coastguard Worker 			     jwe->jws.map.len[LJWE_EKEY], enc_cek, NULL, NULL, NULL,
97*1c60b9acSAndroid Build Coastguard Worker 			     lws_gencrypto_bits_to_bytes(
98*1c60b9acSAndroid Build Coastguard Worker 					     jwe->jose.enc_alg->keybits_fixed));
99*1c60b9acSAndroid Build Coastguard Worker 	m = lws_genaes_destroy(&aesctx, NULL, 0);
100*1c60b9acSAndroid Build Coastguard Worker 	if (n < 0) {
101*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: encrypt cek fail\n", __func__);
102*1c60b9acSAndroid Build Coastguard Worker 		return -1;
103*1c60b9acSAndroid Build Coastguard Worker 	}
104*1c60b9acSAndroid Build Coastguard Worker 	if (m < 0) {
105*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: lws_genaes_destroy fail\n", __func__);
106*1c60b9acSAndroid Build Coastguard Worker 		return -1;
107*1c60b9acSAndroid Build Coastguard Worker 	}
108*1c60b9acSAndroid Build Coastguard Worker 
109*1c60b9acSAndroid Build Coastguard Worker 	jwe->jws.map.len[LJWE_EKEY] += LWS_JWE_RFC3394_OVERHEAD_BYTES;
110*1c60b9acSAndroid Build Coastguard Worker 	memcpy((uint8_t *)jwe->jws.map.buf[LJWE_EKEY], enc_cek,
111*1c60b9acSAndroid Build Coastguard Worker 	       jwe->jws.map.len[LJWE_EKEY]);
112*1c60b9acSAndroid Build Coastguard Worker 
113*1c60b9acSAndroid Build Coastguard Worker 	return (int)jwe->jws.map.len[LJWE_CTXT];
114*1c60b9acSAndroid Build Coastguard Worker }
115*1c60b9acSAndroid Build Coastguard Worker 
116*1c60b9acSAndroid Build Coastguard Worker 
117*1c60b9acSAndroid Build Coastguard Worker int
lws_jwe_auth_and_decrypt_aeskw_cbc_hs(struct lws_jwe * jwe)118*1c60b9acSAndroid Build Coastguard Worker lws_jwe_auth_and_decrypt_aeskw_cbc_hs(struct lws_jwe *jwe)
119*1c60b9acSAndroid Build Coastguard Worker {
120*1c60b9acSAndroid Build Coastguard Worker 	struct lws_genaes_ctx aesctx;
121*1c60b9acSAndroid Build Coastguard Worker 	uint8_t enc_cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES +
122*1c60b9acSAndroid Build Coastguard Worker 	                LWS_JWE_RFC3394_OVERHEAD_BYTES];
123*1c60b9acSAndroid Build Coastguard Worker 	int n, m;
124*1c60b9acSAndroid Build Coastguard Worker 
125*1c60b9acSAndroid Build Coastguard Worker 	if (jwe->jws.jwk->kty != LWS_GENCRYPTO_KTY_OCT) {
126*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: unexpected kty %d\n", __func__, jwe->jws.jwk->kty);
127*1c60b9acSAndroid Build Coastguard Worker 
128*1c60b9acSAndroid Build Coastguard Worker 		return -1;
129*1c60b9acSAndroid Build Coastguard Worker 	}
130*1c60b9acSAndroid Build Coastguard Worker 
131*1c60b9acSAndroid Build Coastguard Worker 	/* the CEK is 256-bit in the example encrypted with a 128-bit key */
132*1c60b9acSAndroid Build Coastguard Worker 
133*1c60b9acSAndroid Build Coastguard Worker 	if (jwe->jws.map.len[LJWE_EKEY] > sizeof(enc_cek))
134*1c60b9acSAndroid Build Coastguard Worker 		return -1;
135*1c60b9acSAndroid Build Coastguard Worker 
136*1c60b9acSAndroid Build Coastguard Worker 	/* 1) Decrypt the JWE Encrypted Key to get the raw MAC / CEK */
137*1c60b9acSAndroid Build Coastguard Worker 
138*1c60b9acSAndroid Build Coastguard Worker 	if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_KW,
139*1c60b9acSAndroid Build Coastguard Worker 			      jwe->jws.jwk->e, 1, NULL)) {
140*1c60b9acSAndroid Build Coastguard Worker 
141*1c60b9acSAndroid Build Coastguard Worker 		lwsl_notice("%s: lws_genaes_create\n", __func__);
142*1c60b9acSAndroid Build Coastguard Worker 		return -1;
143*1c60b9acSAndroid Build Coastguard Worker 	}
144*1c60b9acSAndroid Build Coastguard Worker 
145*1c60b9acSAndroid Build Coastguard Worker 	/*
146*1c60b9acSAndroid Build Coastguard Worker 	 * Decrypt the CEK into enc_cek
147*1c60b9acSAndroid Build Coastguard Worker 	 * tag size is determined by enc cipher key length */
148*1c60b9acSAndroid Build Coastguard Worker 
149*1c60b9acSAndroid Build Coastguard Worker 	n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
150*1c60b9acSAndroid Build Coastguard Worker 			     jwe->jws.map.len[LJWE_EKEY], enc_cek, NULL, NULL, NULL,
151*1c60b9acSAndroid Build Coastguard Worker 			     lws_gencrypto_bits_to_bytes(
152*1c60b9acSAndroid Build Coastguard Worker 					     jwe->jose.enc_alg->keybits_fixed));
153*1c60b9acSAndroid Build Coastguard Worker 	m = lws_genaes_destroy(&aesctx, NULL, 0);
154*1c60b9acSAndroid Build Coastguard Worker 	if (n < 0) {
155*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: decrypt CEK fail\n", __func__);
156*1c60b9acSAndroid Build Coastguard Worker 		return -1;
157*1c60b9acSAndroid Build Coastguard Worker 	}
158*1c60b9acSAndroid Build Coastguard Worker 	if (m < 0) {
159*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: lws_genaes_destroy fail\n", __func__);
160*1c60b9acSAndroid Build Coastguard Worker 		return -1;
161*1c60b9acSAndroid Build Coastguard Worker 	}
162*1c60b9acSAndroid Build Coastguard Worker 
163*1c60b9acSAndroid Build Coastguard Worker 	/* 2) Decrypt the payload */
164*1c60b9acSAndroid Build Coastguard Worker 
165*1c60b9acSAndroid Build Coastguard Worker 	n = lws_jwe_auth_and_decrypt_cbc_hs(jwe, enc_cek,
166*1c60b9acSAndroid Build Coastguard Worker 			     (uint8_t *)jwe->jws.map_b64.buf[LJWE_JOSE],
167*1c60b9acSAndroid Build Coastguard Worker 			     (int)jwe->jws.map_b64.len[LJWE_JOSE]);
168*1c60b9acSAndroid Build Coastguard Worker 	if (n < 0) {
169*1c60b9acSAndroid Build Coastguard Worker 		lwsl_err("%s: lws_jwe_auth_and_decrypt_cbc_hs failed\n",
170*1c60b9acSAndroid Build Coastguard Worker 				__func__);
171*1c60b9acSAndroid Build Coastguard Worker 		return -1;
172*1c60b9acSAndroid Build Coastguard Worker 	}
173*1c60b9acSAndroid Build Coastguard Worker 
174*1c60b9acSAndroid Build Coastguard Worker 	return (int)jwe->jws.map.len[LJWE_CTXT];
175*1c60b9acSAndroid Build Coastguard Worker }
176*1c60b9acSAndroid Build Coastguard Worker 
177*1c60b9acSAndroid Build Coastguard Worker 
178