
Commit 2ace1ba

committed
gnutls: gencrypto-extra
1 parent 9f3da05 commit 2ace1ba


9 files changed

+793
-56
lines changed


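--- a/include/libwebsockets/lws-genaes.h
+++ b/include/libwebsockets/lws-genaes.h
@@ -103,6 +103,10 @@ struct lws_genaes_ctx {
 enum enum_aes_padding padding;
 int taglen;
 char underway;
+#if !defined(LWS_WITH_MBEDTLS) && !defined(LWS_WITH_OPENSSL)
+unsigned char buf[16]; /* partial block */
+int buf_len; /* length of partial block */
+#endif
 };
 
 /** lws_genaes_create() - Create genaes AES context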
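Review bot: `unsigned char buf[16]` at @@ -103 hard-codes the AES block size; a named constant, or at least widening the comment to `/* partial block (one AES block, 16 bytes) */`, makes the intent explicit. Because the two members are fenced by `#if !defined(LWS_WITH_MBEDTLS) && !defined(LWS_WITH_OPENSSL)`, the size and layout of `struct lws_genaes_ctx` now differ with the selected TLS backend; a short comment on the `#if` saying that `buf`/`buf_len` belong only to the backend used when neither mbedTLS nor OpenSSL is configured would help anyone who sizes or copies the struct. Nothing on the page shows where `buf_len` is reset between operations, so that is worth confirming in the backend that consumes it.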

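--- a/lib/jose/jwe/enc/aescbc.c
+++ b/lib/jose/jwe/enc/aescbc.c
@@ -253,8 +253,9 @@ lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek,
 if (jwe->jws.map.len[LJWE_CTXT] < LWS_AES_CBC_BLOCKLEN ||
 jwe->jws.map.len[LJWE_CTXT] <= (unsigned char)jwe->jws.map.buf[LJWE_CTXT]
 [jwe->jws.map.len[LJWE_CTXT] - 1]) {
-lwsl_err("%s: invalid padded ciphertext length: %d. Corrupt data?\n",
-__func__, (int)jwe->jws.map.len[LJWE_CTXT]);
+int pad = jwe->jws.map.len[LJWE_CTXT] > 0 ? jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1] : 0;
+lwsl_err("%s: invalid padded ciphertext length: %d. pad byte: %d Corrupt data?\n",
+__func__, (int)jwe->jws.map.len[LJWE_CTXT], pad);
 return -1;
 }
 jwe->jws.map.len[LJWE_CTXT] = (uint32_t)((int)jwe->jws.map.len[LJWE_CTXT] -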
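Review bot: The `pad` value added at @@ -253 reads the last ciphertext byte as plain `char`, while the comparison two lines above casts the same byte to `(unsigned char)`; where `char` is signed, a pad byte of 0x80 or above is logged as a negative number that disagrees with the value the check actually used. Use the same cast so the diagnostic matches the decision: `int pad = jwe->jws.map.len[LJWE_CTXT] > 0 ? (unsigned char)jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1] : 0;`. The `> 0` guard is needed, since the first operand of the `||` sends an empty ciphertext into this block without ever indexing the buffer. `lws_jwe_auth_and_decrypt_cbc_hs()` starts and ends outside the hunk.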

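--- a/lib/jose/jwe/jwe-ecdh-es-aeskw.c
+++ b/lib/jose/jwe/jwe-ecdh-es-aeskw.c
@@ -202,9 +202,7 @@ lws_jwe_encrypt_ecdh(struct lws_jwe *jwe, char *temp, int *temp_len,
 uint8_t shared_secret[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES],
 derived[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES];
 int m, n, ret = -1, ot = *temp_len, ss_len = sizeof(shared_secret),
-// kw_hlen = lws_genhash_size(jwe->jose.alg->hash_type),
-enc_hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type),
-ekbytes = 32; //jwe->jose.alg->keybits_fixed / 8;
+enc_hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
 struct lws_genec_ctx ecctx;
 struct lws_jwk *ephem = &jwe->jose.recipient[jwe->recip].jwk_ephemeral;
 
@@ -219,14 +217,18 @@ lws_jwe_encrypt_ecdh(struct lws_jwe *jwe, char *temp, int *temp_len,
 
 /* Generate jose.jwk_ephemeral on the peer public key curve */
 
-if (lws_genecdh_create(&ecctx, jwe->jws.context, NULL))
+if (lws_genecdh_create(&ecctx, jwe->jws.context, NULL)) {
+lwsl_err("%s: lws_genecdh_create failed\n", __func__);
 goto bail;
+}
 
 /* ephemeral context gets random key on same curve as recip pubkey */
 if (lws_genecdh_new_keypair(&ecctx, LDHS_OURS, (const char *)
 jwe->jws.jwk->e[LWS_GENCRYPTO_EC_KEYEL_CRV].buf,
-ephem->e))
+ephem->e)) {
+lwsl_err("%s: lws_genecdh_new_keypair failed\n", __func__);
 goto bail;
+}
 
 /* peer context gets js->jwk key */
 if (lws_genecdh_set_key(&ecctx, jwe->jws.jwk->e, LDHS_THEIRS)) {
@@ -235,6 +237,7 @@ lws_jwe_encrypt_ecdh(struct lws_jwe *jwe, char *temp, int *temp_len,
 }
 
 /* combine our ephemeral key and the peer pubkey to get the secret */
+ss_len = (int)jwe->jws.jwk->e[LWS_GENCRYPTO_EC_KEYEL_X].len;
 
 if (lws_genecdh_compute_shared_secret(&ecctx, shared_secret, &ss_len)) {
 lwsl_notice("%s: lws_genecdh_compute_shared_secret failed\n",
@@ -302,7 +305,7 @@ lws_jwe_encrypt_ecdh(struct lws_jwe *jwe, char *temp, int *temp_len,
 /* wrap with the derived key */
 
 el.buf = derived;
-el.len = (unsigned int)enc_hlen / 2;
+el.len = (unsigned int)jwe->jose.alg->keybits_fixed / 8;
 
 if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_KW, &el,
 1, NULL)) {
@@ -368,8 +371,8 @@ lws_jwe_encrypt_ecdh(struct lws_jwe *jwe, char *temp, int *temp_len,
 lws_genec_destroy(&ecctx);
 
 /* cleanse the shared secret (watch out for cek at parent too) */
-lws_explicit_bzero(shared_secret, (unsigned int)ekbytes);
-lws_explicit_bzero(derived, (unsigned int)ekbytes);
+lws_explicit_bzero(shared_secret, sizeof(shared_secret));
+lws_explicit_bzero(derived, sizeof(derived));
 
 return ret;
 }
@@ -380,7 +383,8 @@ lws_jwe_encrypt_ecdh_cbc_hs(struct lws_jwe *jwe, char *temp, int *temp_len)
 int ss_len, // kw_hlen = lws_genhash_size(jwe->jose.alg->hash_type),
 enc_hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
 uint8_t cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES];
-int ekbytes = jwe->jose.alg->keybits_fixed / 8;
+int ekbytes = jwe->jose.alg->keybits_fixed ?
+jwe->jose.alg->keybits_fixed / 8 : enc_hlen;
 int n, ot = *temp_len, ret = -1;
 
 /* if we will produce an EKEY, make space for it */
@@ -454,8 +458,9 @@ lws_jwe_auth_and_decrypt_ecdh(struct lws_jwe *jwe)
 {
 uint8_t shared_secret[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES],
 derived[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES];
-int ekbytes = jwe->jose.enc_alg->keybits_fixed / 8,
-enc_hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
+int enc_hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
+int ekbytes = jwe->jose.enc_alg->keybits_fixed ?
+jwe->jose.enc_alg->keybits_fixed / 8 : enc_hlen;
 struct lws_genec_ctx ecctx;
 int n, ret = -1, ss_len = sizeof(shared_secret);
 
@@ -501,6 +506,7 @@ lws_jwe_auth_and_decrypt_ecdh(struct lws_jwe *jwe)
 }
 
 /* combine their ephemeral key and our private key to get the secret */
+ss_len = (int)jwe->jws.jwk->e[LWS_GENCRYPTO_EC_KEYEL_X].len;
 
 if (lws_genecdh_compute_shared_secret(&ecctx, shared_secret, &ss_len)) {
 lwsl_notice("%s: lws_genecdh_compute_shared_secret failed\n",
@@ -551,7 +557,7 @@ lws_jwe_auth_and_decrypt_ecdh(struct lws_jwe *jwe)
 /* unwrap with the KEK we derived */
 
 el.buf = derived;
-el.len = (unsigned int)enc_hlen / 2;
+el.len = (unsigned int)jwe->jose.alg->keybits_fixed / 8;
 
 if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_KW,
 &el, 1, NULL)) {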
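Review bot: At @@ -235 (and again at @@ -501) `ss_len` is now taken from the JWK's X-coordinate length, where it was previously `sizeof(shared_secret)`; if `lws_genecdh_compute_shared_secret()` treats `*ss_len` as the capacity of the caller's buffer, which that earlier initializer suggests, a JWK carrying an oversized X element would let it write past the fixed-size `shared_secret` array, and on the encrypt path that JWK is the recipient's key rather than our own. Restoring the bound before the call keeps the old guarantee and also rejects an empty element: `if (ss_len <= 0 || ss_len > (int)sizeof(shared_secret)) goto bail;`. Separately, @@ -302 and @@ -551 set `el.len` from `alg->keybits_fixed / 8` with no zero fallback, whereas `ekbytes` at @@ -380 and @@ -454 falls back to `enc_hlen` when `keybits_fixed` is 0, so a zero value would hand `lws_genaes_create()` a zero-length key; confirm that cannot occur for the key-wrap algs this file serves. Both `lws_jwe_encrypt_ecdh()` and `lws_jwe_auth_and_decrypt_ecdh()` start and end outside these hunks.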

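--- a/lib/jose/jwe/jwe.c
+++ b/lib/jose/jwe/jwe.c
@@ -212,11 +212,17 @@ lws_jwa_concat_kdf(struct lws_jwe *jwe, int direct, uint8_t *out,
 int hlen = (int)lws_genhash_size(LWS_GENHASH_TYPE_SHA256), aidlen;
 struct lws_genhash_ctx hash_ctx;
 uint32_t ctr = 1, t;
+uint32_t out_bits;
+uint32_t out_bytes;
 const char *aid;
 
 if (!jwe->jose.enc_alg || !jwe->jose.alg)
 return -1;
 
+out_bits = direct ? jwe->jose.enc_alg->keybits_fixed :
+jwe->jose.alg->keybits_fixed;
+out_bytes = out_bits / 8;
+
 /*
 * Hash
 *
@@ -268,7 +274,7 @@ lws_jwa_concat_kdf(struct lws_jwe *jwe, int direct, uint8_t *out,
 * one hash output size (256b for SHA-256)
 */
 
-while (ctr <= (uint32_t)((jwe->jose.enc_alg->keybits_fixed + (hlen - 1)) / hlen)) {
+while (ctr <= (uint32_t)((out_bytes + ((unsigned int)hlen - 1)) / (unsigned int)hlen)) {
 
 /*
 * Key derivation is performed using the Concat KDF, as defined
@@ -295,8 +301,7 @@ lws_jwa_concat_kdf(struct lws_jwe *jwe, int direct, uint8_t *out,
 lws_genhash_update(&hash_ctx, jwe->jose.e[LJJHI_APV].buf,
 jwe->jose.e[LJJHI_APV].len) ||
 lws_genhash_update(&hash_ctx,
-be32(jwe->jose.enc_alg->keybits_fixed, &t),
-4) ||
+be32(out_bits, &t), 4) ||
 lws_genhash_destroy(&hash_ctx, out)) {
 lwsl_err("%s: fail\n", __func__);
 lws_genhash_destroy(&hash_ctx, NULL);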
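Review bot: The `out_bits` selection added at @@ -212 carries no comment on why `direct` switches between `enc_alg` and `alg`, and that choice is the whole point of the change; a one-liner such as `/* direct: the derived key is the CEK itself (enc_alg size); otherwise it is the KEK for the key-wrap alg */` would spare the next reader a trip to the JWA spec. The loop bound at @@ -268 now evaluates to zero iterations when `keybits_fixed` is 0, a value the same commit treats as legitimate elsewhere (jwe-ecdh-es-aeskw.c falls back to `enc_hlen` for it), so `out` would apparently be returned without a single hash round; consider `if (!out_bits) return -1;` right after the assignment, or the same fallback. Nothing on the page shows whether the caller's `out` buffer is sized against `out_bytes`, so that relationship is worth a comment too. `lws_jwa_concat_kdf()` starts and ends outside these hunks.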
