1 /* Copyright (C) 2014 mod_auth_gssapi authors - See COPYING for (C) terms */
3 #include <openssl/evp.h>
4 #include <openssl/hmac.h>
5 #include <openssl/rand.h>
10 const EVP_CIPHER *cipher;
16 apr_status_t SEAL_KEY_CREATE(apr_pool_t *p, struct seal_key **skey,
23 n = apr_pcalloc(p, sizeof(*n));
24 if (!n) return ENOMEM;
26 n->cipher = EVP_aes_128_cbc();
32 keylen = n->cipher->key_len;
40 n->ekey = apr_palloc(p, keylen);
46 n->hkey = apr_palloc(p, keylen);
53 if (keys->length != (keylen * 2)) {
57 memcpy(n->ekey, keys->value, keylen);
58 memcpy(n->hkey, keys->value + keylen, keylen);
60 ret = apr_generate_random_bytes(n->ekey, keylen);
66 ret = apr_generate_random_bytes(n->hkey, keylen);
81 apr_status_t HMAC_BUFFER(struct seal_key *skey, struct databuf *buffer,
82 struct databuf *result)
84 HMAC_CTX hmac_ctx = { 0 };
88 /* now MAC the buffer */
89 HMAC_CTX_init(&hmac_ctx);
91 ret = HMAC_Init_ex(&hmac_ctx, skey->hkey,
92 skey->cipher->key_len, skey->md, NULL);
93 if (ret == 0) goto done;
95 ret = HMAC_Update(&hmac_ctx, buffer->value, buffer->length);
96 if (ret == 0) goto done;
98 ret = HMAC_Final(&hmac_ctx, result->value, &len);
101 HMAC_CTX_cleanup(&hmac_ctx);
102 if (ret == 0) return EFAULT;
104 result->length = len;
108 apr_status_t SEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
109 struct databuf *plain, struct databuf *cipher)
111 int blksz = skey->cipher->block_size;
112 apr_status_t err = EFAULT;
113 EVP_CIPHER_CTX ctx = { 0 };
115 struct databuf hmacbuf;
119 EVP_CIPHER_CTX_init(&ctx);
121 /* confounder to avoid exposing random numbers directly to clients
123 ret = apr_generate_random_bytes(rbuf, sizeof(rbuf));
124 if (ret != 0) goto done;
126 if (cipher->length == 0) {
127 /* add space for confounder and padding and MAC */
128 cipher->length = (plain->length / blksz + 2) * blksz;
129 cipher->value = apr_palloc(p, cipher->length + skey->md->md_size);
130 if (!cipher->value) {
136 ret = EVP_EncryptInit_ex(&ctx, skey->cipher, NULL, skey->ekey, NULL);
137 if (ret == 0) goto done;
140 outlen = cipher->length;
141 ret = EVP_EncryptUpdate(&ctx, cipher->value, &outlen, rbuf, sizeof(rbuf));
142 if (ret == 0) goto done;
145 outlen = cipher->length - totlen;
146 ret = EVP_EncryptUpdate(&ctx, &cipher->value[totlen], &outlen,
147 plain->value, plain->length);
148 if (ret == 0) goto done;
151 outlen = cipher->length - totlen;
152 ret = EVP_EncryptFinal_ex(&ctx, &cipher->value[totlen], &outlen);
153 if (ret == 0) goto done;
156 /* now MAC the buffer */
157 cipher->length = totlen;
158 hmacbuf.value = &cipher->value[totlen];
159 ret = HMAC_BUFFER(skey, cipher, &hmacbuf);
160 if (ret != 0) goto done;
162 cipher->length += hmacbuf.length;
166 EVP_CIPHER_CTX_cleanup(&ctx);
170 apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
171 struct databuf *cipher, struct databuf *plain)
173 apr_status_t err = EFAULT;
174 EVP_CIPHER_CTX ctx = { 0 };
175 unsigned char mac[skey->md->md_size];
176 struct databuf hmacbuf;
178 volatile bool equal = true;
181 /* check MAC first */
182 cipher->length -= skey->md->md_size;
184 ret = HMAC_BUFFER(skey, cipher, &hmacbuf);
185 if (ret != 0) goto done;
187 if (hmacbuf.length != skey->md->md_size) goto done;
188 for (i = 0; i < skey->md->md_size; i++) {
189 if (cipher->value[cipher->length + i] != mac[i]) equal = false;
190 /* not breaking intentionally,
191 * or we would allow an oracle attack */
193 if (!equal) goto done;
195 EVP_CIPHER_CTX_init(&ctx);
197 if (plain->length == 0) {
198 plain->length = cipher->length;
199 plain->value = apr_palloc(p, plain->length);
206 ret = EVP_DecryptInit_ex(&ctx, skey->cipher, NULL, skey->ekey, NULL);
207 if (ret == 0) goto done;
210 outlen = plain->length;
211 ret = EVP_DecryptUpdate(&ctx, plain->value, &outlen,
212 cipher->value, cipher->length);
213 if (ret == 0) goto done;
216 outlen = plain->length - totlen;
217 ret = EVP_DecryptFinal_ex(&ctx, plain->value, &outlen);
218 if (ret == 0) goto done;
221 /* now remove the confounder */
222 totlen -= skey->cipher->block_size;
223 memmove(plain->value, plain->value + skey->cipher->block_size, totlen);
225 plain->length = totlen;
229 EVP_CIPHER_CTX_cleanup(&ctx);
233 int get_mac_size(struct seal_key *skey)
236 return skey->md->md_size;