diff --git a/Makefile b/Makefile index a354e19..3269484 100644 --- a/Makefile +++ b/Makefile @@ -34,7 +34,7 @@ JS_EXPORTED_FUNCTIONS := javascript/exported_functions.json JS_EXTRA_EXPORTED_RUNTIME_METHODS := ALLOC_STACK JS_EXTERNS := javascript/externs.js -PUBLIC_HEADERS := include/olm/olm.h include/olm/outbound_group_session.h include/olm/inbound_group_session.h include/olm/pk.h +PUBLIC_HEADERS := include/olm/olm.h include/olm/outbound_group_session.h include/olm/inbound_group_session.h include/olm/pk.h include/olm/sas.h SOURCES := $(wildcard src/*.cpp) $(wildcard src/*.c) \ lib/crypto-algorithms/sha256.c \ @@ -60,6 +60,7 @@ JS_PRE := $(wildcard javascript/*pre.js) JS_POST := javascript/olm_outbound_group_session.js \ javascript/olm_inbound_group_session.js \ javascript/olm_pk.js \ + javascript/olm_sas.js \ javascript/olm_post.js # The prefix & suffix are just added onto the start & end diff --git a/include/olm/sas.h b/include/olm/sas.h new file mode 100644 index 0000000..46d4176 --- /dev/null +++ b/include/olm/sas.h @@ -0,0 +1,156 @@ +/* Copyright 2018-2019 New Vector Ltd + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +#ifndef OLM_SAS_H_ +#define OLM_SAS_H_ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** @defgroup SAS Short Authentication String verification + * These functions are used for verifying keys using the Short Authentication + * String (SAS) method. + * @{ + */ + +typedef struct OlmSAS OlmSAS; + +/** A null terminated string describing the most recent error to happen to an + * SAS object. */ +const char * olm_sas_last_error( + OlmSAS * sas +); + +/** The size of an SAS object in bytes. */ +size_t olm_sas_size(void); + +/** Initialize an SAS object using the supplied memory. + * The supplied memory must be at least `olm_sas_size()` bytes. */ +OlmSAS * olm_sas( + void * memory +); + +/** Clears the memory used to back an SAS object. */ +size_t olm_clear_sas( + OlmSAS * sas +); + +/** The number of random bytes needed to create an SAS object. */ +size_t olm_create_sas_random_length( + OlmSAS * sas +); + +/** Creates a new SAS object. + * + * @param[in] sas the SAS object to create, initialized by `olm_sas()`. + * @param[in] random array of random bytes. + * @param[in] random_length the number of random bytes provided. Must be at + * least `olm_create_sas_random_length()`. + * + * @return `olm_error()` on failure. If there weren't enough random bytes then + * `olm_sas_last_error()` will be `NOT_ENOUGH_RANDOM`. + */ +size_t olm_create_sas( + OlmSAS * sas, + void * random, size_t random_length +); + +/** The size of a public key in bytes. */ +size_t olm_sas_pubkey_length(OlmSAS * sas); + +/** Get the public key for the SAS object. + * + * @param[in] sas the SAS object. + * @param[out] pubkey buffer to store the public key. + * @param[in] pubkey_length the size of the `pubkey` buffer. Must be at least + * `olm_sas_pubkey_length()`. + * + * @return `olm_error()` on failure. If the `pubkey` buffer is too small, then + * `olm_sas_last_error()` will be `OUTPUT_BUFFER_TOO_SMALL`. + */ +size_t olm_sas_get_pubkey( + OlmSAS * sas, + void * pubkey, size_t pubkey_length +); + +/** Sets the public key of other user. + * + * @param[in] sas the SAS object. + * @param[in] their_key the other user's public key. + * @param[in] their_key_size the size of the `their_key` buffer. + * + * @return `olm_error()` on failure. If the `their_key` buffer is too small, + * then `olm_sas_last_error()` will be `INPUT_BUFFER_TOO_SMALL`. + */ +size_t olm_sas_set_their_key( + OlmSAS *sas, + void * their_key, size_t their_key_length +); + +/** Generate bytes to use for the short authentication string. + * + * @param[in] sas the SAS object. + * @param[in] info extra information to mix in when generating the bytes, as + * per the Matrix spec. + * @param[in] info_length the length of the `info` parameter. + * @param[out] output the output buffer. + * @param[in] output_length the size of the output buffer. For hex-based SAS + * as in the Matrix spec, this will be 5. + */ +size_t olm_sas_generate_bytes( + OlmSAS * sas, + const void * info, size_t info_length, + void * output, size_t output_length +); + +/** The size of the message authentication code generated by + * olm_sas_calculate_mac()`. */ +size_t olm_sas_mac_length( + OlmSAS *sas +); + +/** Generate a message authentication code (MAC) based on the shared secret. + * + * @param[in] sas the SAS object. + * @param[in] input the message to produce the authentication code for. + * @param[in] input_length the length of the message. + * @param[in] info extra information to mix in when generating the MAC, as per + * the Matrix spec. + * @param[in] info_length the length of the `info` parameter. + * @param[out] mac the buffer in which to store the MAC. + * @param[in] mac_length the size of the `mac` buffer. Must be at least + * `olm_sas_mac_length()` + * + * @return `olm_error()` on failure. If the `mac` buffer is too small, then + * `olm_sas_last_error()` will be `OUTPUT_BUFFER_TOO_SMALL`. + */ +size_t olm_sas_calculate_mac( + OlmSAS * sas, + void * input, size_t input_length, + const void * info, size_t info_length, + void * mac, size_t mac_length +); + +/** @} */ // end of SAS group + +#ifdef __cplusplus +} // extern "C" +#endif + +#endif /* OLM_SAS_H_ */ diff --git a/javascript/olm_post.js b/javascript/olm_post.js index 8c06fff..3bf0d66 100644 --- a/javascript/olm_post.js +++ b/javascript/olm_post.js @@ -534,6 +534,7 @@ olm_exports["Session"] = Session; olm_exports["Utility"] = Utility; olm_exports["PkEncryption"] = PkEncryption; olm_exports["PkDecryption"] = PkDecryption; +olm_exports["SAS"] = SAS; olm_exports["get_library_version"] = restore_stack(function() { var buf = stack(3); diff --git a/javascript/olm_sas.js b/javascript/olm_sas.js new file mode 100644 index 0000000..d5044ce --- /dev/null +++ b/javascript/olm_sas.js @@ -0,0 +1,77 @@ +function SAS() { + var size = Module['_olm_sas_size'](); + var random_length = Module['_olm_create_sas_random_length'](); + var random = random_stack(random_length); + this.buf = malloc(size); + this.ptr = Module['_olm_sas'](this.buf); + Module['_olm_create_sas'](this.ptr, random, random_length); + bzero(random, random_length); +} + +function sas_method(wrapped) { + return function() { + var result = wrapped.apply(this, arguments); + if (result === OLM_ERROR) { + var message = Pointer_stringify( + Module['_olm_sas_last_error'](arguments[0]) + ); + throw new Error("OLM." + message); + } + return result; + } +} + +SAS.prototype['free'] = function() { + Module['_olm_clear_sas'](this.ptr); + free(this.ptr); +}; + +SAS.prototype['get_pubkey'] = restore_stack(function() { + var pubkey_length = sas_method(Module['_olm_sas_pubkey_length'])(this.ptr); + var pubkey_buffer = stack(pubkey_length + NULL_BYTE_PADDING_LENGTH); + sas_method(Module['_olm_sas_get_pubkey'])(this.ptr, pubkey_buffer, pubkey_length); + return Pointer_stringify(pubkey_buffer); +}); + +SAS.prototype['set_their_key'] = restore_stack(function(their_key) { + var their_key_array = array_from_string(their_key); + var their_key_buffer = stack(their_key_array); + sas_method(Module['_olm_sas_set_their_key'])( + this.ptr, + their_key_buffer, their_key_array.length + ); +}); + +SAS.prototype['generate_bytes'] = restore_stack(function(info, length) { + var info_array = array_from_string(info); + var info_buffer = stack(info_array); + var output_buffer = stack(length); + sas_method(Module['_olm_sas_generate_bytes'])( + this.ptr, + info_buffer, info_array.length, + output_buffer, length + ); + // The inner Uint8Array creates a view of the buffer. The outer Uint8Array + // copies it to a new array to return, since the original buffer will get + // deallocated from the stack and could get overwritten. + var output_arr = new Uint8Array( + new Uint8Array(Module['HEAPU8'].buffer, output_buffer, length) + ); + return output_arr; +}); + +SAS.prototype['calculate_mac'] = restore_stack(function(input, info) { + var input_array = array_from_string(input); + var input_buffer = stack(input_array); + var info_array = array_from_string(info); + var info_buffer = stack(info_array); + var mac_length = sas_method(Module['_olm_sas_mac_length'])(this.ptr); + var mac_buffer = stack(mac_length + NULL_BYTE_PADDING_LENGTH); + sas_method(Module['_olm_sas_calculate_mac'])( + this.ptr, + input_buffer, input_array.length, + info_buffer, info_array.length, + mac_buffer, mac_length + ); + return Pointer_stringify(mac_buffer); +}); diff --git a/javascript/test/sas.spec.js b/javascript/test/sas.spec.js new file mode 100644 index 0000000..af7ea65 --- /dev/null +++ b/javascript/test/sas.spec.js @@ -0,0 +1,53 @@ +/* +Copyright 2018 New Vector Ltd + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +var Olm = require('../olm'); + +describe("sas", function() { + var alice, bob; + + beforeEach(async function(done) { + Olm.init().then(function() { + alice = new Olm.SAS(); + bob = new Olm.SAS(); + + done(); + }); + }); + + afterEach(function () { + if (alice !== undefined) { + alice.free(); + alice = undefined; + } + if (bob !== undefined) { + bob.free(); + bob = undefined; + } + }); + + it('should create matching SAS bytes', function () { + alice.set_their_key(bob.get_pubkey()); + bob.set_their_key(alice.get_pubkey()); + expect(alice.generate_bytes("SAS", 5).toString()).toEqual(bob.generate_bytes("SAS", 5).toString()); + }); + + it('should create matching MACs', function () { + alice.set_their_key(bob.get_pubkey()); + bob.set_their_key(alice.get_pubkey()); + expect(alice.calculate_mac("test", "MAC").toString()).toEqual(bob.calculate_mac("test", "MAC").toString()); + }); +}); diff --git a/src/sas.c b/src/sas.c new file mode 100644 index 0000000..c5be73f --- /dev/null +++ b/src/sas.c @@ -0,0 +1,141 @@ +/* Copyright 2018-2019 New Vector Ltd + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "olm/sas.h" +#include "olm/base64.h" +#include "olm/crypto.h" +#include "olm/error.h" +#include "olm/memory.h" + +struct OlmSAS { + enum OlmErrorCode last_error; + struct _olm_curve25519_key_pair curve25519_key; + uint8_t secret[CURVE25519_SHARED_SECRET_LENGTH]; +}; + +const char * olm_sas_last_error( + OlmSAS * sas +) { + return _olm_error_to_string(sas->last_error); +} + +size_t olm_sas_size(void) { + return sizeof(OlmSAS); +} + +OlmSAS * olm_sas( + void * memory +) { + _olm_unset(memory, sizeof(OlmSAS)); + return (OlmSAS *) memory; +} + +size_t olm_clear_sas( + OlmSAS * sas +) { + _olm_unset(sas, sizeof(OlmSAS)); + return sizeof(OlmSAS); +} + +size_t olm_create_sas_random_length(OlmSAS * sas) { + return CURVE25519_KEY_LENGTH; +} + +size_t olm_create_sas( + OlmSAS * sas, + void * random, size_t random_length +) { + if (random_length < olm_create_sas_random_length(sas)) { + sas->last_error = OLM_NOT_ENOUGH_RANDOM; + return (size_t)-1; + } + _olm_crypto_curve25519_generate_key((uint8_t *) random, &sas->curve25519_key); + return 0; +} + +size_t olm_sas_pubkey_length(OlmSAS * sas) { + return _olm_encode_base64_length(CURVE25519_KEY_LENGTH); +} + +size_t olm_sas_get_pubkey( + OlmSAS * sas, + void * pubkey, size_t pubkey_length +) { + if (pubkey_length < olm_sas_pubkey_length(sas)) { + sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL; + return (size_t)-1; + } + _olm_encode_base64( + (const uint8_t *)sas->curve25519_key.public_key.public_key, + CURVE25519_KEY_LENGTH, + (uint8_t *)pubkey + ); + return 0; +} + +size_t olm_sas_set_their_key( + OlmSAS *sas, + void * their_key, size_t their_key_length +) { + if (their_key_length < olm_sas_pubkey_length(sas)) { + sas->last_error = OLM_INPUT_BUFFER_TOO_SMALL; + return (size_t)-1; + } + _olm_decode_base64(their_key, their_key_length, their_key); + _olm_crypto_curve25519_shared_secret(&sas->curve25519_key, their_key, sas->secret); + return 0; +} + +size_t olm_sas_generate_bytes( + OlmSAS * sas, + const void * info, size_t info_length, + void * output, size_t output_length +) { + _olm_crypto_hkdf_sha256( + sas->secret, sizeof(sas->secret), + NULL, 0, + (const uint8_t *) info, info_length, + output, output_length + ); + return 0; +} + +size_t olm_sas_mac_length( + OlmSAS *sas +) { + return _olm_encode_base64_length(SHA256_OUTPUT_LENGTH); +} + +size_t olm_sas_calculate_mac( + OlmSAS * sas, + void * input, size_t input_length, + const void * info, size_t info_length, + void * mac, size_t mac_length +) { + if (mac_length < olm_sas_mac_length(sas)) { + sas->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL; + return (size_t)-1; + } + uint8_t key[32]; + _olm_crypto_hkdf_sha256( + sas->secret, sizeof(sas->secret), + NULL, 0, + (const uint8_t *) info, info_length, + key, 32 + ); + _olm_crypto_hmac_sha256(key, 32, input, input_length, mac); + _olm_encode_base64((const uint8_t *)mac, SHA256_OUTPUT_LENGTH, (uint8_t *)mac); + return 0; +} diff --git a/tests/test_sas.cpp b/tests/test_sas.cpp new file mode 100644 index 0000000..3578244 --- /dev/null +++ b/tests/test_sas.cpp @@ -0,0 +1,117 @@ +#include "olm/sas.h" +#include "olm/crypto.h" +#include "olm/olm.h" + +#include "unittest.hh" + +#include + +int main() { + + +{ /* Generate bytes */ + +TestCase test_case("SAS generate bytes"); + +std::uint8_t alice_private[32] = { + 0x77, 0x07, 0x6D, 0x0A, 0x73, 0x18, 0xA5, 0x7D, + 0x3C, 0x16, 0xC1, 0x72, 0x51, 0xB2, 0x66, 0x45, + 0xDF, 0x4C, 0x2F, 0x87, 0xEB, 0xC0, 0x99, 0x2A, + 0xB1, 0x77, 0xFB, 0xA5, 0x1D, 0xB9, 0x2C, 0x2A +}; + +const std::uint8_t *alice_public = (std::uint8_t *) "hSDwCYkwp1R0i33ctD73Wg2/Og0mOBr066SpjqqbTmo"; + +std::uint8_t bob_private[32] = { + 0x5D, 0xAB, 0x08, 0x7E, 0x62, 0x4A, 0x8A, 0x4B, + 0x79, 0xE1, 0x7F, 0x8B, 0x83, 0x80, 0x0E, 0xE6, + 0x6F, 0x3B, 0xB1, 0x29, 0x26, 0x18, 0xB6, 0xFD, + 0x1C, 0x2F, 0x8B, 0x27, 0xFF, 0x88, 0xE0, 0xEB +}; + +const std::uint8_t *bob_public = (std::uint8_t *) "3p7bfXt9wbTTW2HC7OQ1Nz+DQ8hbeGdNrfx+FG+IK08"; + +std::uint8_t alice_sas_buffer[olm_sas_size()]; +OlmSAS *alice_sas = olm_sas(alice_sas_buffer); +olm_create_sas(alice_sas, alice_private, sizeof(alice_private)); +std::uint8_t bob_sas_buffer[olm_sas_size()]; +OlmSAS *bob_sas = olm_sas(bob_sas_buffer); +olm_create_sas(bob_sas, bob_private, sizeof(bob_private)); + +std::uint8_t pubkey[::olm_sas_pubkey_length(alice_sas)]; + +olm_sas_get_pubkey(alice_sas, pubkey, sizeof(pubkey)); + +assert_equals(alice_public, pubkey, olm_sas_pubkey_length(alice_sas)); + +olm_sas_set_their_key(bob_sas, pubkey, olm_sas_pubkey_length(bob_sas)); + +olm_sas_get_pubkey(bob_sas, pubkey, sizeof(pubkey)); + +assert_equals(bob_public, pubkey, olm_sas_pubkey_length(bob_sas)); + +olm_sas_set_their_key(alice_sas, pubkey, olm_sas_pubkey_length(alice_sas)); + +std::uint8_t alice_bytes[6]; +std::uint8_t bob_bytes[6]; + +olm_sas_generate_bytes(alice_sas, "SAS", 3, alice_bytes, 6); +olm_sas_generate_bytes(bob_sas, "SAS", 3, bob_bytes, 6); + +assert_equals(alice_bytes, bob_bytes, 6); + +} + +{ /* Calculate MAC */ + +TestCase test_case("SAS calculate MAC"); + +std::uint8_t alice_private[32] = { + 0x77, 0x07, 0x6D, 0x0A, 0x73, 0x18, 0xA5, 0x7D, + 0x3C, 0x16, 0xC1, 0x72, 0x51, 0xB2, 0x66, 0x45, + 0xDF, 0x4C, 0x2F, 0x87, 0xEB, 0xC0, 0x99, 0x2A, + 0xB1, 0x77, 0xFB, 0xA5, 0x1D, 0xB9, 0x2C, 0x2A +}; + +const std::uint8_t *alice_public = (std::uint8_t *) "hSDwCYkwp1R0i33ctD73Wg2/Og0mOBr066SpjqqbTmo"; + +std::uint8_t bob_private[32] = { + 0x5D, 0xAB, 0x08, 0x7E, 0x62, 0x4A, 0x8A, 0x4B, + 0x79, 0xE1, 0x7F, 0x8B, 0x83, 0x80, 0x0E, 0xE6, + 0x6F, 0x3B, 0xB1, 0x29, 0x26, 0x18, 0xB6, 0xFD, + 0x1C, 0x2F, 0x8B, 0x27, 0xFF, 0x88, 0xE0, 0xEB +}; + +const std::uint8_t *bob_public = (std::uint8_t *) "3p7bfXt9wbTTW2HC7OQ1Nz+DQ8hbeGdNrfx+FG+IK08"; + +std::uint8_t alice_sas_buffer[olm_sas_size()]; +OlmSAS *alice_sas = olm_sas(alice_sas_buffer); +olm_create_sas(alice_sas, alice_private, sizeof(alice_private)); +std::uint8_t bob_sas_buffer[olm_sas_size()]; +OlmSAS *bob_sas = olm_sas(bob_sas_buffer); +olm_create_sas(bob_sas, bob_private, sizeof(bob_private)); + +std::uint8_t pubkey[::olm_sas_pubkey_length(alice_sas)]; + +olm_sas_get_pubkey(alice_sas, pubkey, sizeof(pubkey)); + +assert_equals(alice_public, pubkey, olm_sas_pubkey_length(alice_sas)); + +olm_sas_set_their_key(bob_sas, pubkey, olm_sas_pubkey_length(bob_sas)); + +olm_sas_get_pubkey(bob_sas, pubkey, sizeof(pubkey)); + +assert_equals(bob_public, pubkey, olm_sas_pubkey_length(bob_sas)); + +olm_sas_set_their_key(alice_sas, pubkey, olm_sas_pubkey_length(alice_sas)); + +std::uint8_t alice_mac[olm_sas_mac_length(alice_sas)]; +std::uint8_t bob_mac[olm_sas_mac_length(bob_sas)]; + +olm_sas_calculate_mac(alice_sas, (void *) "Hello world!", 12, "MAC", 3, alice_mac, olm_sas_mac_length(alice_sas)); +olm_sas_calculate_mac(bob_sas, (void *) "Hello world!", 12, "MAC", 3, bob_mac, olm_sas_mac_length(bob_sas)); + +assert_equals(alice_mac, bob_mac, olm_sas_mac_length(alice_sas)); + +} +}