Commit 816435a8 authored by Mark Haines's avatar Mark Haines
Browse files

Move AES specific details behind a cipher interface

parent 8161b56f
/* Copyright 2015 OpenMarket Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef AXOLOTL_CIPHER_HH_
#define AXOLOTL_CIPHER_HH_
#include <cstdint>
namespace axolotl {
class Cipher {
public:
virtual ~Cipher();
/**
* Returns the length of the message authentication code that will be
* appended to the output.
*/
virtual std::size_t mac_length() const = 0;
/**
* Returns the length of cipher-text for a given length of plain-text.
*/
virtual std::size_t encrypt_ciphertext_length(
std::size_t plaintext_length
) const = 0;
/*
* Encrypts the plain-text into the output buffer and authenticates the
* contents of the output buffer covering both cipher-text and any other
* associated data in the output buffer.
*
* |---------------------------------------output_length-->|
* output |--ciphertext_length-->| |---mac_length-->|
* ciphertext
*
* Returns std::size_t(-1) if the length of the cipher-text or the output
* buffer is too small. Otherwise returns the length of the output buffer.
*/
virtual std::size_t encrypt(
std::uint8_t const * key, std::size_t key_length,
std::uint8_t const * plaintext, std::size_t plaintext_length,
std::uint8_t * ciphertext, std::size_t ciphertext_length,
std::uint8_t * output, std::size_t output_length
) const = 0;
/**
* Returns the maximum length of plain-text that a given length of
* cipher-text can contain.
*/
virtual std::size_t decrypt_max_plaintext_length(
std::size_t ciphertext_length
) const = 0;
/**
* Authenticates the input and decrypts the cipher-text into the plain-text
* buffer.
*
* |----------------------------------------input_length-->|
* input |--ciphertext_length-->| |---mac_length-->|
* ciphertext
*
* Returns std::size_t(-1) if the length of the plain-text buffer is too
* small or if the authentication check fails. Otherwise returns the length
* of the plain text.
*/
virtual std::size_t decrypt(
std::uint8_t const * key, std::size_t key_length,
std::uint8_t const * input, std::size_t input_length,
std::uint8_t const * ciphertext, std::size_t ciphertext_length,
std::uint8_t * plaintext, std::size_t max_plaintext_length
) const = 0;
};
class CipherAesSha256 : public Cipher {
public:
CipherAesSha256(
std::uint8_t const * kdf_info, std::size_t kdf_info_length
);
virtual std::size_t mac_length() const;
virtual std::size_t encrypt_ciphertext_length(
std::size_t plaintext_length
) const;
virtual std::size_t encrypt(
std::uint8_t const * key, std::size_t key_length,
std::uint8_t const * plaintext, std::size_t plaintext_length,
std::uint8_t * ciphertext, std::size_t ciphertext_length,
std::uint8_t * output, std::size_t output_length
) const;
virtual std::size_t decrypt_max_plaintext_length(
std::size_t ciphertext_length
) const;
virtual std::size_t decrypt(
std::uint8_t const * key, std::size_t key_length,
std::uint8_t const * input, std::size_t input_length,
std::uint8_t const * ciphertext, std::size_t ciphertext_length,
std::uint8_t * plaintext, std::size_t max_plaintext_length
) const;
private:
std::uint8_t const * kdf_info;
std::size_t kdf_info_length;
};
} // namespace
#endif /* AXOLOTL_CIPHER_HH_ */
...@@ -92,7 +92,7 @@ public: ...@@ -92,7 +92,7 @@ public:
} }
List<T, max_size> & operator=(List<T, max_size> const & other) { List<T, max_size> & operator=(List<T, max_size> const & other) {
if (this = &other) { if (this == &other) {
return *this; return *this;
} }
T * this_pos = _data; T * this_pos = _data;
......
...@@ -30,22 +30,17 @@ std::size_t encode_message_length( ...@@ -30,22 +30,17 @@ std::size_t encode_message_length(
struct MessageWriter { struct MessageWriter {
std::size_t body_length;
std::uint8_t * ratchet_key; std::uint8_t * ratchet_key;
std::uint8_t * ciphertext; std::uint8_t * ciphertext;
std::uint8_t * mac;
}; };
struct MessageReader { struct MessageReader {
std::size_t body_length;
std::uint8_t version; std::uint8_t version;
std::uint32_t counter; std::uint32_t counter;
std::size_t ratchet_key_length; std::uint8_t const * input; std::size_t input_length;
std::size_t ciphertext_length; std::uint8_t const * ratchet_key; std::size_t ratchet_key_length;
std::uint8_t const * ratchet_key; std::uint8_t const * ciphertext; std::size_t ciphertext_length;
std::uint8_t const * ciphertext;
std::uint8_t const * mac;
}; };
...@@ -53,7 +48,9 @@ struct MessageReader { ...@@ -53,7 +48,9 @@ struct MessageReader {
* Writes the message headers into the output buffer. * Writes the message headers into the output buffer.
* Returns a writer struct populated with pointers into the output buffer. * Returns a writer struct populated with pointers into the output buffer.
*/ */
MessageWriter encode_message(
void encode_message(
MessageWriter & writer,
std::uint8_t version, std::uint8_t version,
std::uint32_t counter, std::uint32_t counter,
std::size_t ratchet_key_length, std::size_t ratchet_key_length,
...@@ -64,10 +61,11 @@ MessageWriter encode_message( ...@@ -64,10 +61,11 @@ MessageWriter encode_message(
/** /**
* Reads the message headers from the input buffer. * Reads the message headers from the input buffer.
* Returns a reader struct populated with pointers into the input buffer. * Populates the reader struct with pointers into the input buffer.
* On failure the returned body_length will be 0. * On failure returns std::size_t(-1).
*/ */
MessageReader decode_message( std::size_t decode_message(
MessageReader & reader,
std::uint8_t const * input, std::size_t input_length, std::uint8_t const * input, std::size_t input_length,
std::size_t mac_length std::size_t mac_length
); );
......
...@@ -18,6 +18,8 @@ ...@@ -18,6 +18,8 @@
namespace axolotl { namespace axolotl {
class Cipher;
typedef std::uint8_t SharedKey[32]; typedef std::uint8_t SharedKey[32];
...@@ -29,9 +31,7 @@ struct ChainKey { ...@@ -29,9 +31,7 @@ struct ChainKey {
struct MessageKey { struct MessageKey {
std::uint32_t index; std::uint32_t index;
Aes256Key cipher_key; SharedKey key;
SharedKey mac_key;
Aes256Iv iv;
}; };
...@@ -72,21 +72,23 @@ struct KdfInfo { ...@@ -72,21 +72,23 @@ struct KdfInfo {
std::size_t root_info_length; std::size_t root_info_length;
std::uint8_t const * ratchet_info; std::uint8_t const * ratchet_info;
std::size_t ratchet_info_length; std::size_t ratchet_info_length;
std::uint8_t const * message_info;
std::size_t message_info_length;
}; };
struct Session { struct Session {
Session( Session(
KdfInfo const & kdf_info KdfInfo const & kdf_info,
Cipher const & ratchet_cipher
); );
/** A some strings identifing the application to feed into the KDF. */ /** A some strings identifying the application to feed into the KDF. */
const KdfInfo &kdf_info; KdfInfo const & kdf_info;
/** The AEAD cipher to use for encrypting messages. */
Cipher const & ratchet_cipher;
/** The last error that happened encypting or decrypting a message. */ /** The last error that happened encrypting or decrypting a message. */
ErrorCode last_error; ErrorCode last_error;
/** The root key is used to generate chain keys from the ephemeral keys. /** The root key is used to generate chain keys from the ephemeral keys.
...@@ -98,7 +100,7 @@ struct Session { ...@@ -98,7 +100,7 @@ struct Session {
* with a new empheral key when we next send a message. */ * with a new empheral key when we next send a message. */
List<SenderChain, 1> sender_chain; List<SenderChain, 1> sender_chain;
/** The receiver chain is used to decrypt recieved messages. We store the /** The receiver chain is used to decrypt received messages. We store the
* last few chains so we can decrypt any out of order messages we haven't * last few chains so we can decrypt any out of order messages we haven't
* received yet. */ * received yet. */
List<ReceiverChain, MAX_RECEIVER_CHAINS> receiver_chains; List<ReceiverChain, MAX_RECEIVER_CHAINS> receiver_chains;
...@@ -114,7 +116,7 @@ struct Session { ...@@ -114,7 +116,7 @@ struct Session {
Curve25519PublicKey const & their_ratchet_key Curve25519PublicKey const & their_ratchet_key
); );
/** Intialise the session using a shared secret and the public/private key /** Initialise the session using a shared secret and the public/private key
* pair for the first ratchet key */ * pair for the first ratchet key */
void initialise_as_alice( void initialise_as_alice(
std::uint8_t const * shared_secret, std::size_t shared_secret_length, std::uint8_t const * shared_secret, std::size_t shared_secret_length,
...@@ -150,7 +152,7 @@ struct Session { ...@@ -150,7 +152,7 @@ struct Session {
* generate a new ephemeral key, or will be 0 bytes otherwise.*/ * generate a new ephemeral key, or will be 0 bytes otherwise.*/
std::size_t encrypt_random_length(); std::size_t encrypt_random_length();
/** Encrypt some plaintext. Returns the length of the encrypted message /** Encrypt some plain-text. Returns the length of the encrypted message
* or std::size_t(-1) on failure. On failure last_error will be set with * or std::size_t(-1) on failure. On failure last_error will be set with
* an error code. The last_error will be NOT_ENOUGH_RANDOM if the number * an error code. The last_error will be NOT_ENOUGH_RANDOM if the number
* of random bytes is too small. The last_error will be * of random bytes is too small. The last_error will be
...@@ -161,16 +163,16 @@ struct Session { ...@@ -161,16 +163,16 @@ struct Session {
std::uint8_t * output, std::size_t max_output_length std::uint8_t * output, std::size_t max_output_length
); );
/** An upper bound on the number of bytes of plaintext the decrypt method /** An upper bound on the number of bytes of plain-text the decrypt method
* will write for a given input message length. */ * will write for a given input message length. */
std::size_t decrypt_max_plaintext_length( std::size_t decrypt_max_plaintext_length(
std::size_t input_length std::size_t input_length
); );
/** Decrypt a message. Returns the length of the decrypted plaintext or /** Decrypt a message. Returns the length of the decrypted plain-text or
* std::size_t(-1) on failure. On failure last_error will be set with an * std::size_t(-1) on failure. On failure last_error will be set with an
* error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the * error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the
* plaintext buffer is too small. The last_error will be * plain-text buffer is too small. The last_error will be
* BAD_MESSAGE_VERSION if the message was encrypted with an unsupported * BAD_MESSAGE_VERSION if the message was encrypted with an unsupported
* version of the protocol. The last_error will be BAD_MESSAGE_FORMAT if * version of the protocol. The last_error will be BAD_MESSAGE_FORMAT if
* the message headers could not be decoded. The last_error will be * the message headers could not be decoded. The last_error will be
......
#include "axolotl/cipher.hh"
#include "axolotl/crypto.hh"
#include "axolotl/memory.hh"
#include <cstring>
axolotl::Cipher::~Cipher() {
}
namespace {
static const std::size_t SHA256_LENGTH = 32;
struct DerivedKeys {
axolotl::Aes256Key aes_key;
std::uint8_t mac_key[SHA256_LENGTH];
axolotl::Aes256Iv aes_iv;
};
static void derive_keys(
std::uint8_t const * kdf_info, std::size_t kdf_info_length,
std::uint8_t const * key, std::size_t key_length,
DerivedKeys & keys
) {
std::uint8_t derived_secrets[80];
axolotl::hkdf_sha256(
key, key_length,
NULL, 0,
kdf_info, kdf_info_length,
derived_secrets, sizeof(derived_secrets)
);
std::memcpy(keys.aes_key.key, derived_secrets, 32);
std::memcpy(keys.mac_key, derived_secrets + 32, 32);
std::memcpy(keys.aes_iv.iv, derived_secrets + 64, 16);
axolotl::unset(derived_secrets);
}
static const std::size_t MAC_LENGTH = 8;
} // namespace
axolotl::CipherAesSha256::CipherAesSha256(
std::uint8_t const * kdf_info, std::size_t kdf_info_length
) : kdf_info(kdf_info), kdf_info_length(kdf_info_length) {
}
std::size_t axolotl::CipherAesSha256::mac_length() const {
return MAC_LENGTH;
}
std::size_t axolotl::CipherAesSha256::encrypt_ciphertext_length(
std::size_t plaintext_length
) const {
return axolotl::aes_encrypt_cbc_length(plaintext_length);
}
std::size_t axolotl::CipherAesSha256::encrypt(
std::uint8_t const * key, std::size_t key_length,
std::uint8_t const * plaintext, std::size_t plaintext_length,
std::uint8_t * ciphertext, std::size_t ciphertext_length,
std::uint8_t * output, std::size_t output_length
) const {
if (encrypt_ciphertext_length(plaintext_length) < ciphertext_length) {
return std::size_t(-1);
}
struct DerivedKeys keys;
std::uint8_t mac[SHA256_LENGTH];
derive_keys(kdf_info, kdf_info_length, key, key_length, keys);
axolotl::aes_encrypt_cbc(
keys.aes_key, keys.aes_iv, plaintext, plaintext_length, ciphertext
);
axolotl::hmac_sha256(
keys.mac_key, SHA256_LENGTH, output, output_length - MAC_LENGTH, mac
);
std::memcpy(output + output_length - MAC_LENGTH, mac, MAC_LENGTH);
axolotl::unset(keys);
return output_length;
}
std::size_t axolotl::CipherAesSha256::decrypt_max_plaintext_length(
std::size_t ciphertext_length
) const {
return ciphertext_length;
}
std::size_t axolotl::CipherAesSha256::decrypt(
std::uint8_t const * key, std::size_t key_length,
std::uint8_t const * input, std::size_t input_length,
std::uint8_t const * ciphertext, std::size_t ciphertext_length,
std::uint8_t * plaintext, std::size_t max_plaintext_length
) const {
DerivedKeys keys;
std::uint8_t mac[SHA256_LENGTH];
derive_keys(kdf_info, kdf_info_length, key, key_length, keys);
axolotl::hmac_sha256(
keys.mac_key, SHA256_LENGTH, input, input_length - MAC_LENGTH, mac
);
std::uint8_t const * input_mac = input + input_length - MAC_LENGTH;
if (!axolotl::is_equal(input_mac, mac, MAC_LENGTH)) {
axolotl::unset(keys);
return std::size_t(-1);
}
std::size_t plaintext_length = axolotl::aes_decrypt_cbc(
keys.aes_key, keys.aes_iv, ciphertext, ciphertext_length, plaintext
);
axolotl::unset(keys);
return plaintext_length;
}
...@@ -94,55 +94,52 @@ std::size_t axolotl::encode_message_length( ...@@ -94,55 +94,52 @@ std::size_t axolotl::encode_message_length(
length += 1 + varstring_length(ratchet_key_length); length += 1 + varstring_length(ratchet_key_length);
length += 1 + varint_length(counter); length += 1 + varint_length(counter);
length += 1 + varstring_length(ciphertext_length); length += 1 + varstring_length(ciphertext_length);
return length + mac_length; length += mac_length;
return length;
} }
axolotl::MessageWriter axolotl::encode_message( void axolotl::encode_message(
axolotl::MessageWriter & writer,
std::uint8_t version, std::uint8_t version,
std::uint32_t counter, std::uint32_t counter,
std::size_t ratchet_key_length, std::size_t ratchet_key_length,
std::size_t ciphertext_length, std::size_t ciphertext_length,
std::uint8_t * output std::uint8_t * output
) { ) {
axolotl::MessageWriter result;
std::uint8_t * pos = output; std::uint8_t * pos = output;
*(pos++) = version; *(pos++) = version;
*(pos++) = COUNTER_TAG; *(pos++) = COUNTER_TAG;
pos = varint_encode(pos, counter); pos = varint_encode(pos, counter);
*(pos++) = RATCHET_KEY_TAG; *(pos++) = RATCHET_KEY_TAG;
pos = varint_encode(pos, ratchet_key_length); pos = varint_encode(pos, ratchet_key_length);
result.ratchet_key = pos; writer.ratchet_key = pos;
pos += ratchet_key_length; pos += ratchet_key_length;
*(pos++) = CIPHERTEXT_TAG; *(pos++) = CIPHERTEXT_TAG;
pos = varint_encode(pos, ciphertext_length); pos = varint_encode(pos, ciphertext_length);
result.ciphertext = pos; writer.ciphertext = pos;
pos += ciphertext_length; pos += ciphertext_length;
result.body_length = pos - output;
result.mac = pos;
return result;
} }
axolotl::MessageReader axolotl::decode_message( std::size_t axolotl::decode_message(
axolotl::MessageReader & reader,
std::uint8_t const * input, std::size_t input_length, std::uint8_t const * input, std::size_t input_length,
std::size_t mac_length std::size_t mac_length
) { ) {
axolotl::MessageReader result;
result.body_length = 0;
std::uint8_t const * pos = input; std::uint8_t const * pos = input;
std::uint8_t const * end = input + input_length - mac_length; std::uint8_t const * end = input + input_length - mac_length;
std::uint8_t flags = 0; std::uint8_t flags = 0;
result.mac = end; std::size_t result = std::size_t(-1);
if (pos == end) return result; if (pos == end) return result;
result.version = *(pos++); reader.version = *(pos++);
while (pos != end) { while (pos != end) {
uint8_t tag = *(pos); uint8_t tag = *(pos);
if (tag == COUNTER_TAG) { if (tag == COUNTER_TAG) {
++pos; ++pos;
std::uint8_t const * counter_start = pos; std::uint8_t const * counter_start = pos;
pos = varint_skip(pos, end); pos = varint_skip(pos, end);
result.counter = varint_decode<std::uint32_t>(counter_start, pos); reader.counter = varint_decode<std::uint32_t>(counter_start, pos);
flags |= 1; flags |= 1;
} else if (tag == RATCHET_KEY_TAG) { } else if (tag == RATCHET_KEY_TAG) {
++pos; ++pos;
...@@ -150,8 +147,8 @@ axolotl::MessageReader axolotl::decode_message( ...@@ -150,8 +147,8 @@ axolotl::MessageReader axolotl::decode_message(
pos = varint_skip(pos, end); pos = varint_skip(pos, end);
std::size_t len = varint_decode<std::size_t>(len_start, pos); std::size_t len = varint_decode<std::size_t>(len_start, pos);
if (len > end - pos) return result; if (len > end - pos) return result;
result.ratchet_key_length = len; reader.ratchet_key_length = len;
result.ratchet_key = pos; reader.ratchet_key = pos;
pos += len; pos += len;
flags |= 2; flags |= 2;
} else if (tag == CIPHERTEXT_TAG) { } else if (tag == CIPHERTEXT_TAG) {
...@@ -160,8 +157,8 @@ axolotl::MessageReader axolotl::decode_message( ...@@ -160,8 +157,8 @@ axolotl::MessageReader axolotl::decode_message(
pos = varint_skip(pos, end); pos = varint_skip(pos, end);
std::size_t len = varint_decode<std::size_t>(len_start, pos); std::size_t len = varint_decode<std::size_t>(len_start, pos);
if (len > end - pos) return result; if (len > end - pos) return result;
result.ciphertext_length = len; reader.ciphertext_length = len;
result.ciphertext = pos; reader.ciphertext = pos;
pos += len; pos += len;
flags |= 4; flags |= 4;
} else if (tag & 0x7 == 0) { } else if (tag & 0x7 == 0) {
...@@ -174,11 +171,13 @@ axolotl::MessageReader axolotl::decode_message( ...@@ -174,11 +171,13 @@ axolotl::MessageReader axolotl::decode_message(
if (len > end - pos) return result; if (len > end - pos) return result;
pos += len; pos += len;
} else { } else {
return result; return std::size_t(-1);
} }
} }
if (flags == 0x7) { if (flags == 0x7) {
result.body_length = end - input; reader.input = input;