1 /* Copyright (C) 2014 mod_auth_gssapi authors - See COPYING for (C) terms */
3 #include <openssl/evp.h>
4 #include <openssl/hmac.h>
5 #include <openssl/rand.h>
10 const EVP_CIPHER *cipher;
16 apr_status_t SEAL_KEY_CREATE(apr_pool_t *p, struct seal_key **skey,
23 n = apr_pcalloc(p, sizeof(*n));
24 if (!n) return ENOMEM;
26 n->cipher = EVP_aes_128_cbc();
32 keylen = n->cipher->key_len;
40 n->ekey = apr_palloc(p, keylen);
46 n->hkey = apr_palloc(p, keylen);
53 if (keys->length != (keylen * 2)) {
57 memcpy(n->ekey, keys->value, keylen);
58 memcpy(n->hkey, keys->value + keylen, keylen);
60 ret = apr_generate_random_bytes(n->ekey, keylen);
66 ret = apr_generate_random_bytes(n->hkey, keylen);
85 apr_status_t SEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
86 struct databuf *plain, struct databuf *cipher)
88 int blksz = skey->cipher->block_size;
89 apr_status_t err = EFAULT;
90 EVP_CIPHER_CTX ctx = { 0 };
91 HMAC_CTX hmac_ctx = { 0 };
97 EVP_CIPHER_CTX_init(&ctx);
99 /* confounder to avoid exposing random numbers directly to clients
101 ret = apr_generate_random_bytes(rbuf, sizeof(rbuf));
102 if (ret != 0) goto done;
104 if (cipher->length == 0) {
105 /* add space for confounder and padding and MAC */
106 cipher->length = (plain->length / blksz + 2) * blksz;
107 cipher->value = apr_palloc(p, cipher->length + skey->md->md_size);
108 if (!cipher->value) {
114 ret = EVP_EncryptInit_ex(&ctx, skey->cipher, NULL, skey->ekey, NULL);
115 if (ret == 0) goto done;
118 outlen = cipher->length;
119 ret = EVP_EncryptUpdate(&ctx, cipher->value, &outlen, rbuf, sizeof(rbuf));
120 if (ret == 0) goto done;
123 outlen = cipher->length - totlen;
124 ret = EVP_EncryptUpdate(&ctx, &cipher->value[totlen], &outlen,
125 plain->value, plain->length);
126 if (ret == 0) goto done;
129 outlen = cipher->length - totlen;
130 ret = EVP_EncryptFinal_ex(&ctx, &cipher->value[totlen], &outlen);
131 if (ret == 0) goto done;
134 /* now MAC the buffer */
135 HMAC_CTX_init(&hmac_ctx);
137 ret = HMAC_Init_ex(&hmac_ctx, skey->hkey,
138 skey->cipher->key_len, skey->md, NULL);
139 if (ret == 0) goto done;
141 ret = HMAC_Update(&hmac_ctx, cipher->value, totlen);
142 if (ret == 0) goto done;
144 ret = HMAC_Final(&hmac_ctx, &cipher->value[totlen], &len);
145 if (ret == 0) goto done;
147 cipher->length = totlen + len;
151 EVP_CIPHER_CTX_cleanup(&ctx);
152 HMAC_CTX_cleanup(&hmac_ctx);
156 apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
157 struct databuf *cipher, struct databuf *plain)
159 apr_status_t err = EFAULT;
160 EVP_CIPHER_CTX ctx = { 0 };
161 HMAC_CTX hmac_ctx = { 0 };
162 unsigned char mac[skey->md->md_size];
165 volatile bool equal = true;
168 /* check MAC first */
169 HMAC_CTX_init(&hmac_ctx);
171 ret = HMAC_Init_ex(&hmac_ctx, skey->hkey,
172 skey->cipher->key_len, skey->md, NULL);
173 if (ret == 0) goto done;
175 cipher->length -= skey->md->md_size;
177 ret = HMAC_Update(&hmac_ctx, cipher->value, cipher->length);
178 if (ret == 0) goto done;
180 ret = HMAC_Final(&hmac_ctx, mac, &len);
181 if (ret == 0) goto done;
183 if (len != skey->md->md_size) goto done;
184 for (i = 0; i < skey->md->md_size; i++) {
185 if (cipher->value[cipher->length + i] != mac[i]) equal = false;
186 /* not breaking intentionally,
187 * or we would allow an oracle attack */
189 if (!equal) goto done;
191 EVP_CIPHER_CTX_init(&ctx);
193 if (plain->length == 0) {
194 plain->length = cipher->length;
195 plain->value = apr_palloc(p, plain->length);
202 ret = EVP_DecryptInit_ex(&ctx, skey->cipher, NULL, skey->ekey, NULL);
203 if (ret == 0) goto done;
206 outlen = plain->length;
207 ret = EVP_DecryptUpdate(&ctx, plain->value, &outlen,
208 cipher->value, cipher->length);
209 if (ret == 0) goto done;
212 outlen = plain->length - totlen;
213 ret = EVP_DecryptFinal_ex(&ctx, plain->value, &outlen);
214 if (ret == 0) goto done;
217 /* now remove the confounder */
218 totlen -= skey->cipher->block_size;
219 memmove(plain->value, plain->value + skey->cipher->block_size, totlen);
221 plain->length = totlen;
225 EVP_CIPHER_CTX_cleanup(&ctx);
226 HMAC_CTX_cleanup(&hmac_ctx);