From 0fb27dc4961608eb9b088ca659eb087dd2c1cae7 Mon Sep 17 00:00:00 2001 From: Paul Fariello Date: Tue, 26 Feb 2019 20:33:06 +0140 Subject: Add OMEMO message encryption and decryption --- src/omemo/crypto.c | 194 ++++++++++++++++++++++++++++++++++++++++++++++++----- src/omemo/crypto.h | 14 +++- src/omemo/omemo.c | 172 +++++++++++++++++++++++++++++++++++++++++++++-- src/omemo/omemo.h | 12 ++++ src/omemo/store.c | 12 ++-- 5 files changed, 374 insertions(+), 30 deletions(-) (limited to 'src/omemo') diff --git a/src/omemo/crypto.c b/src/omemo/crypto.c index a986c729..73b2ba0d 100644 --- a/src/omemo/crypto.c +++ b/src/omemo/crypto.c @@ -2,7 +2,9 @@ #include #include #include +#include +#include "omemo/omemo.h" #include "omemo/crypto.h" int @@ -12,10 +14,12 @@ omemo_crypto_init(void) return -1; } - if (crypto_aead_aes256gcm_is_available() == 0) { + if (!gcry_check_version(GCRYPT_VERSION)) { return -1; } + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); + return 0; } @@ -96,41 +100,195 @@ int omemo_encrypt_func(signal_buffer **output, int cipher, const uint8_t *key, size_t key_len, const uint8_t *iv, size_t iv_len, const uint8_t *plaintext, size_t plaintext_len, void *user_data) { + gcry_cipher_hd_t hd; + unsigned char *padded_plaintext; unsigned char *ciphertext; - unsigned long long ciphertext_len; + size_t ciphertext_len; + int mode; + int algo; + uint8_t padding = 0; + + switch (key_len) { + case 32: + algo = GCRY_CIPHER_AES256; + break; + default: + return OMEMO_ERR_UNSUPPORTED_CRYPTO; + } - assert(cipher != SG_CIPHER_AES_GCM_NOPADDING); - assert(key_len == crypto_aead_aes256gcm_KEYBYTES); - assert(iv_len == crypto_aead_aes256gcm_NPUBBYTES); + switch (cipher) { + case SG_CIPHER_AES_CBC_PKCS5: + mode = GCRY_CIPHER_MODE_CBC; + break; + default: + return OMEMO_ERR_UNSUPPORTED_CRYPTO; + } - ciphertext = malloc(plaintext_len + crypto_aead_aes256gcm_ABYTES); - crypto_aead_aes256gcm_encrypt(ciphertext, &ciphertext_len, plaintext, plaintext_len, NULL, 0, NULL, iv, key); + gcry_cipher_open(&hd, algo, mode, GCRY_CIPHER_SECURE); + + gcry_cipher_setkey(hd, key, key_len); + + switch (cipher) { + case SG_CIPHER_AES_CBC_PKCS5: + gcry_cipher_setiv(hd, iv, iv_len); + padding = 16 - (plaintext_len % 16); + break; + default: + assert(FALSE); + } + + padded_plaintext = malloc(plaintext_len + padding); + memcpy(padded_plaintext, plaintext, plaintext_len); + memset(padded_plaintext + plaintext_len, padding, padding); + + ciphertext_len = plaintext_len + padding; + ciphertext = malloc(ciphertext_len); + gcry_cipher_encrypt(hd, ciphertext, ciphertext_len, padded_plaintext, plaintext_len + padding); *output = signal_buffer_create(ciphertext, ciphertext_len); + free(padded_plaintext); free(ciphertext); - return 0; + gcry_cipher_close(hd); + + return SG_SUCCESS; } int omemo_decrypt_func(signal_buffer **output, int cipher, const uint8_t *key, size_t key_len, const uint8_t *iv, size_t iv_len, const uint8_t *ciphertext, size_t ciphertext_len, void *user_data) { + int ret = SG_SUCCESS; + gcry_cipher_hd_t hd; unsigned char *plaintext; - unsigned long long plaintext_len; + size_t plaintext_len; + int mode; + int algo; + uint8_t padding = 0; - assert(cipher != SG_CIPHER_AES_GCM_NOPADDING); - assert(key_len == crypto_aead_aes256gcm_KEYBYTES); - assert(iv_len == crypto_aead_aes256gcm_NPUBBYTES); + switch (key_len) { + case 32: + algo = GCRY_CIPHER_AES256; + break; + default: + return OMEMO_ERR_UNSUPPORTED_CRYPTO; + } - plaintext = malloc(ciphertext_len - crypto_aead_aes256gcm_ABYTES); - if (crypto_aead_aes256gcm_decrypt(plaintext, &plaintext_len, NULL, ciphertext, ciphertext_len, NULL, 0, iv, key) < 0) { - free(plaintext); - return -1; + switch (cipher) { + case SG_CIPHER_AES_CBC_PKCS5: + mode = GCRY_CIPHER_MODE_CBC; + break; + default: + return OMEMO_ERR_UNSUPPORTED_CRYPTO; } - *output = signal_buffer_create(plaintext, plaintext_len); + gcry_cipher_open(&hd, algo, mode, GCRY_CIPHER_SECURE); + + gcry_cipher_setkey(hd, key, key_len); + + switch (cipher) { + case SG_CIPHER_AES_CBC_PKCS5: + gcry_cipher_setiv(hd, iv, iv_len); + break; + default: + assert(FALSE); + } + + plaintext_len = ciphertext_len; + plaintext = malloc(plaintext_len); + gcry_cipher_decrypt(hd, plaintext, plaintext_len, ciphertext, ciphertext_len); + + switch (cipher) { + case SG_CIPHER_AES_CBC_PKCS5: + padding = plaintext[plaintext_len - 1]; + break; + default: + assert(FALSE); + } + + int i; + for (i = 0; i < padding; i++) { + if (plaintext[plaintext_len - 1 - i] != padding) { + ret = SG_ERR_UNKNOWN; + goto out; + } + } + + *output = signal_buffer_create(plaintext, plaintext_len - padding); + +out: free(plaintext); - return 0; + gcry_cipher_close(hd); + + return ret; +} + +int +aes128gcm_encrypt(unsigned char *ciphertext, size_t *ciphertext_len, const unsigned char *const plaintext, size_t plaintext_len, const unsigned char *const iv, const unsigned char *const key) +{ + gcry_error_t res; + gcry_cipher_hd_t hd; + + res = gcry_cipher_open(&hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_SECURE); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + res = gcry_cipher_setkey(hd, key, AES128_GCM_KEY_LENGTH); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + res = gcry_cipher_setiv(hd, iv, AES128_GCM_IV_LENGTH); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + + res = gcry_cipher_encrypt(hd, ciphertext, *ciphertext_len, plaintext, plaintext_len); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + + res = gcry_cipher_gettag(hd, ciphertext + plaintext_len, AES128_GCM_TAG_LENGTH); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + +out: + gcry_cipher_close(hd); + return res; +} + +int +aes128gcm_decrypt(unsigned char *plaintext, size_t *plaintext_len, const unsigned char *const ciphertext, size_t ciphertext_len, const unsigned char *const iv, const unsigned char *const key) +{ + gcry_error_t res; + gcry_cipher_hd_t hd; + + res = gcry_cipher_open(&hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_SECURE); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + + res = gcry_cipher_setkey(hd, key, AES128_GCM_KEY_LENGTH); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + + res = gcry_cipher_setiv(hd, iv, AES128_GCM_IV_LENGTH); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + + res = gcry_cipher_decrypt(hd, plaintext, *plaintext_len, ciphertext, ciphertext_len); + if (res != GPG_ERR_NO_ERROR) { + goto out; + } + //res = gcry_cipher_checktag(hd, ciphertext + ciphertext_len - AES128_GCM_TAG_LENGTH, AES128_GCM_TAG_LENGTH); + //if (res != GPG_ERR_NO_ERROR) { + // goto out; + //} + +out: + gcry_cipher_close(hd); + return res; } diff --git a/src/omemo/crypto.h b/src/omemo/crypto.h index 759cef69..35c5d72a 100644 --- a/src/omemo/crypto.h +++ b/src/omemo/crypto.h @@ -1,6 +1,8 @@ #include -#define SG_CIPHER_AES_GCM_NOPADDING 1000 +#define AES128_GCM_KEY_LENGTH 16 +#define AES128_GCM_IV_LENGTH 16 +#define AES128_GCM_TAG_LENGTH 16 int omemo_crypto_init(void); /** @@ -134,3 +136,13 @@ int omemo_decrypt_func(signal_buffer **output, const uint8_t *iv, size_t iv_len, const uint8_t *ciphertext, size_t ciphertext_len, void *user_data); + +int aes128gcm_encrypt(unsigned char *ciphertext, + size_t *ciphertext_len, const unsigned char *const cleartext, + size_t cleatext_len, const unsigned char *const iv, + const unsigned char *const key); + +int aes128gcm_decrypt(unsigned char *plaintext, + size_t *plaintext_len, const unsigned char *const ciphertext, + size_t ciphertext_len, const unsigned char *const iv, + const unsigned char *const key); diff --git a/src/omemo/omemo.c b/src/omemo/omemo.c index 95de1aa2..a9860851 100644 --- a/src/omemo/omemo.c +++ b/src/omemo/omemo.c @@ -3,8 +3,10 @@ #include #include #include +#include #include #include +#include #include #include "config/account.h" @@ -21,6 +23,7 @@ static gboolean loaded; static void lock(void *user_data); static void unlock(void *user_data); +static void omemo_log(int level, const char *message, size_t len, void *user_data); struct omemo_context_t { pthread_mutexattr_t attr; @@ -37,6 +40,7 @@ struct omemo_context_t { GHashTable *pre_key_store; GHashTable *signed_pre_key_store; identity_key_store_t identity_key_store; + GHashTable *device_ids; }; static omemo_context omemo_ctx; @@ -73,6 +77,10 @@ omemo_init(void) return; } + if (signal_context_set_log_function(omemo_ctx.signal, omemo_log) != 0) { + cons_show("Error initializing OMEMO log"); + } + if (signal_context_set_crypto_provider(omemo_ctx.signal, &crypto_provider) != 0) { cons_show("Error initializing OMEMO crypto"); return; @@ -123,6 +131,8 @@ omemo_init(void) .get_local_registration_id = get_local_registration_id, .save_identity = save_identity, .is_trusted_identity = is_trusted_identity, + .destroy_func = NULL, + .user_data = &omemo_ctx.identity_key_store }; signal_protocol_store_context_set_identity_key_store(omemo_ctx.store, &identity_key_store); @@ -148,6 +158,9 @@ omemo_generate_crypto_materials(ProfAccount *account) unsigned long long timestamp = (unsigned long long)(tv.tv_sec) * 1000 + (unsigned long long)(tv.tv_usec) / 1000; signal_protocol_key_helper_generate_signed_pre_key(&omemo_ctx.signed_pre_key, omemo_ctx.identity_key_pair, 5, timestamp, omemo_ctx.signal); + ec_public_key_serialize(&omemo_ctx.identity_key_store.public, ratchet_identity_key_pair_get_public(omemo_ctx.identity_key_pair)); + ec_private_key_serialize(&omemo_ctx.identity_key_store.private, ratchet_identity_key_pair_get_private(omemo_ctx.identity_key_pair)); + loaded = TRUE; /* Ensure we get our current device list, and it gets updated with our @@ -191,7 +204,7 @@ omemo_identity_key(unsigned char **output, size_t *length) ec_public_key_serialize(&buffer, ratchet_identity_key_pair_get_public(omemo_ctx.identity_key_pair)); *length = signal_buffer_len(buffer); *output = malloc(*length); - memcpy(*output, signal_buffer_const_data(buffer), *length); + memcpy(*output, signal_buffer_data(buffer), *length); signal_buffer_free(buffer); } @@ -202,7 +215,7 @@ omemo_signed_prekey(unsigned char **output, size_t *length) ec_public_key_serialize(&buffer, ec_key_pair_get_public(session_signed_pre_key_get_key_pair(omemo_ctx.signed_pre_key))); *length = signal_buffer_len(buffer); *output = malloc(*length); - memcpy(*output, signal_buffer_const_data(buffer), *length); + memcpy(*output, signal_buffer_data(buffer), *length); signal_buffer_free(buffer); } @@ -224,7 +237,7 @@ omemo_prekeys(GList **prekeys, GList **ids, GList **lengths) ec_public_key_serialize(&buffer, ec_key_pair_get_public(session_pre_key_get_key_pair(prekey))); size_t length = signal_buffer_len(buffer); unsigned char *prekey_value = malloc(length); - memcpy(prekey_value, signal_buffer_const_data(buffer), length); + memcpy(prekey_value, signal_buffer_data(buffer), length); signal_buffer_free(buffer); *prekeys = g_list_append(*prekeys, prekey_value); *ids = g_list_append(*ids, GINT_TO_POINTER(session_pre_key_get_id(prekey))); @@ -257,12 +270,15 @@ omemo_start_device_session(const char *const jid, uint32_t device_id, size_t identity_key_len) { session_pre_key_bundle *bundle; - signal_protocol_address address = { - jid, strlen(jid), device_id - }; + signal_protocol_address *address; + + address = malloc(sizeof(signal_protocol_address)); + address->name = strdup(jid); + address->name_len = strlen(jid); + address->device_id = device_id; session_builder *builder; - session_builder_create(&builder, omemo_ctx.store, &address, omemo_ctx.signal); + session_builder_create(&builder, omemo_ctx.store, address, omemo_ctx.signal); ec_public_key *prekey; curve_decode_point(&prekey, prekey_raw, prekey_len, omemo_ctx.signal); @@ -275,6 +291,142 @@ omemo_start_device_session(const char *const jid, uint32_t device_id, session_builder_process_pre_key_bundle(builder, bundle); } +gboolean +omemo_on_message_send(ProfChatWin *chatwin, const char *const message, gboolean request_receipt) +{ + int res; + xmpp_ctx_t * const ctx = connection_get_ctx(); + char *barejid = xmpp_jid_bare(ctx, session_get_account_name()); + GList *device_ids = NULL; + + GList *recipient_device_id = g_hash_table_lookup(omemo_ctx.device_list, chatwin->barejid); + if (!recipient_device_id) { + return FALSE; + } + device_ids = g_list_copy(recipient_device_id); + + GList *sender_device_id = g_hash_table_lookup(omemo_ctx.device_list, barejid); + device_ids = g_list_concat(device_ids, g_list_copy(sender_device_id)); + + /* TODO generate fresh AES-GCM materials */ + /* TODO encrypt message */ + unsigned char *key; + unsigned char *iv; + unsigned char *ciphertext; + size_t ciphertext_len; + + key = sodium_malloc(AES128_GCM_KEY_LENGTH); + iv = sodium_malloc(AES128_GCM_IV_LENGTH); + ciphertext_len = strlen(message) + AES128_GCM_TAG_LENGTH; + ciphertext = malloc(ciphertext_len); + + randombytes_buf(key, 16); + randombytes_buf(iv, 16); + + res = aes128gcm_encrypt(ciphertext, &ciphertext_len, (const unsigned char * const)message, strlen(message), iv, key); + if (res != 0) { + return FALSE; + } + + GList *keys = NULL; + GList *device_ids_iter; + for (device_ids_iter = device_ids; device_ids_iter != NULL; device_ids_iter = device_ids_iter->next) { + int res; + ciphertext_message *ciphertext; + session_cipher *cipher; + signal_protocol_address address = { + chatwin->barejid, strlen(chatwin->barejid), GPOINTER_TO_INT(device_ids_iter->data) + }; + + res = session_cipher_create(&cipher, omemo_ctx.store, &address, omemo_ctx.signal); + if (res != 0) { + continue; + } + + res = session_cipher_encrypt(cipher, key, AES128_GCM_KEY_LENGTH, &ciphertext); + if (res != 0) { + continue; + } + signal_buffer *buffer = ciphertext_message_get_serialized(ciphertext); + omemo_key_t *key = malloc(sizeof(omemo_key_t)); + key->data = signal_buffer_data(buffer); + key->length = signal_buffer_len(buffer); + key->device_id = GPOINTER_TO_INT(device_ids_iter->data); + key->prekey = TRUE; + keys = g_list_append(keys, key); + } + + char *id = message_send_chat_omemo(chatwin->barejid, omemo_ctx.device_id, keys, iv, AES128_GCM_IV_LENGTH, ciphertext, ciphertext_len, request_receipt); + chat_log_omemo_msg_out(chatwin->barejid, message); + chatwin_outgoing_msg(chatwin, message, id, PROF_MSG_OMEMO, request_receipt); + + free(id); + g_list_free_full(keys, free); + free(ciphertext); + sodium_free(key); + sodium_free(iv); + g_list_free(device_ids); + + return TRUE; +} + +char * +omemo_on_message_recv(const char *const from, uint32_t sid, + const unsigned char *const iv, size_t iv_len, GList *keys, + const unsigned char *const payload, size_t payload_len) +{ + int res; + GList *key_iter; + omemo_key_t *key = NULL; + for (key_iter = keys; key_iter != NULL; key_iter = key_iter->next) { + if (((omemo_key_t *)key_iter->data)->device_id == omemo_ctx.device_id) { + key = key_iter->data; + break; + } + } + + if (!key) { + return NULL; + } + + session_cipher *cipher; + signal_buffer *plaintext_key; + signal_protocol_address address = { + from, strlen(from), sid + }; + + res = session_cipher_create(&cipher, omemo_ctx.store, &address, omemo_ctx.signal); + if (res != 0) { + return NULL; + } + + if (key->prekey) { + pre_key_signal_message *message; + pre_key_signal_message_deserialize(&message, key->data, key->length, omemo_ctx.signal); + res = session_cipher_decrypt_pre_key_signal_message(cipher, message, NULL, &plaintext_key); + } else { + signal_message *message; + signal_message_deserialize(&message, key->data, key->length, omemo_ctx.signal); + res = session_cipher_decrypt_signal_message(cipher, message, NULL, &plaintext_key); + } + if (res != 0) { + return NULL; + } + + size_t plaintext_len = payload_len; + unsigned char *plaintext = malloc(plaintext_len + 1); + res = aes128gcm_decrypt(plaintext, &plaintext_len, payload, payload_len, iv, signal_buffer_data(plaintext_key)); + if (res != 0) { + free(plaintext); + return NULL; + } + + plaintext[plaintext_len] = '\0'; + + return (char *)plaintext; + +} + static void lock(void *user_data) { @@ -288,3 +440,9 @@ unlock(void *user_data) omemo_context *ctx = (omemo_context *)user_data; pthread_mutex_unlock(&ctx->lock); } + +static void +omemo_log(int level, const char *message, size_t len, void *user_data) +{ + cons_show(message); +} diff --git a/src/omemo/omemo.h b/src/omemo/omemo.h index bf42b3e3..eb9569a3 100644 --- a/src/omemo/omemo.h +++ b/src/omemo/omemo.h @@ -1,9 +1,19 @@ #include +#include "ui/ui.h" #include "config/account.h" +#define OMEMO_ERR_UNSUPPORTED_CRYPTO -10000 + typedef struct omemo_context_t omemo_context; +typedef struct omemo_key { + const unsigned char *data; + size_t length; + gboolean prekey; + uint32_t device_id; +} omemo_key_t; + void omemo_init(void); void omemo_generate_crypto_materials(ProfAccount *account); @@ -18,3 +28,5 @@ void omemo_start_session(const char *const barejid); void omemo_start_device_session(const char *const jid, uint32_t device_id, uint32_t prekey_id, const unsigned char *const prekey, size_t prekey_len, uint32_t signed_prekey_id, const unsigned char *const signed_prekey, size_t signed_prekey_len, const unsigned char *const signature, size_t signature_len, const unsigned char *const identity_key, size_t identity_key_len); gboolean omemo_loaded(void); +gboolean omemo_on_message_send(ProfChatWin *chatwin, const char *const message, gboolean request_receipt); +char * omemo_on_message_recv(const char *const from, uint32_t sid, const unsigned char *const iv, size_t iv_len, GList *keys, const unsigned char *const payload, size_t payload_len); diff --git a/src/omemo/store.c b/src/omemo/store.c index 384eb9ce..ab8cd81b 100644 --- a/src/omemo/store.c +++ b/src/omemo/store.c @@ -39,12 +39,16 @@ load_session(signal_buffer **record, const signal_protocol_address *address, device_store = g_hash_table_lookup(session_store, address->name); if (!device_store) { *record = NULL; - return SG_SUCCESS; + return 0; } signal_buffer *original = g_hash_table_lookup(device_store, GINT_TO_POINTER(address->device_id)); + if (!original) { + *record = NULL; + return 0; + } *record = signal_buffer_copy(original); - return SG_SUCCESS; + return 1; } int @@ -208,8 +212,8 @@ get_identity_key_pair(signal_buffer **public_data, signal_buffer **private_data, { identity_key_store_t *identity_key_store = (identity_key_store_t *)user_data; - *public_data = identity_key_store->public; - *private_data = identity_key_store->private; + *public_data = signal_buffer_copy(identity_key_store->public); + *private_data = signal_buffer_copy(identity_key_store->private); return SG_SUCCESS; } -- cgit 1.4.1-2-gfad0