1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "adb/pairing/pairing_auth.h"
18 
19 #include <android-base/logging.h>
20 
21 #include <openssl/curve25519.h>
22 #include <openssl/mem.h>
23 
24 #include <iomanip>
25 #include <sstream>
26 #include <vector>
27 
28 #include "adb/pairing/aes_128_gcm.h"
29 
30 #include <string.h>
31 
32 using namespace adb::pairing;
33 
34 static constexpr spake2_role_t kClientRole = spake2_role_alice;
35 static constexpr spake2_role_t kServerRole = spake2_role_bob;
36 
37 static const uint8_t kClientName[] = "adb pair client";
38 static const uint8_t kServerName[] = "adb pair server";
39 
40 // This class is basically a wrapper around the SPAKE2 protocol + initializing a
41 // cipher with the generated key material for encryption.
42 struct PairingAuthCtx {
43   public:
44     using Data = std::vector<uint8_t>;
45     enum class Role {
46         Client,
47         Server,
48     };
49 
50     explicit PairingAuthCtx(Role role, const Data& pswd);
51 
52     // Returns the message to exchange with the other party. This is guaranteed
53     // to have a non-empty message if creating this object with
54     // |PairingAuthCtx::Create|, so you won't need to check.
55     const Data& msg() const;
56 
57     // Processes the peer's |msg| and attempts to initialize the cipher for
58     // encryption. You can only call this method ONCE with a non-empty |msg|,
59     // regardless of success or failure. Subsequent calls will always return
60     // false. On success, you can use the |decrypt|
61     // and |encrypt| methods to exchange any further information securely.
62     //
63     // Note: Once you call this with a non-empty key, the state is locked, which
64     // means that you cannot try and register another key, regardless of the
65     // return value. In order to register another key, you have to create a new
66     // instance of PairingAuthCtx.
67     bool InitCipher(const Data& their_msg);
68 
69     // Encrypts |data| and returns the result. If encryption fails, the return
70     // will be an empty vector.
71     Data Encrypt(const Data& data);
72 
73     // Decrypts |data| and returns the result. If decryption fails, the return
74     // will be an empty vector.
75     Data Decrypt(const Data& data);
76 
77     // Returns a safe buffer size for encrypting a buffer of size |len|.
78     size_t SafeEncryptedSize(size_t len);
79 
80     // Returns a safe buffer size for decrypting a buffer of size |len|.
81     size_t SafeDecryptedSize(size_t len);
82 
83   private:
84     Data our_msg_;
85     Role role_;
86     bssl::UniquePtr<SPAKE2_CTX> spake2_ctx_;
87     std::unique_ptr<Aes128Gcm> cipher_;
88 };  // PairingAuthCtx
89 
PairingAuthCtx(Role role,const Data & pswd)90 PairingAuthCtx::PairingAuthCtx(Role role, const Data& pswd) : role_(role) {
91     CHECK(!pswd.empty());
92     // Try to create the spake2 context and generate the public key.
93     spake2_role_t spake_role;
94     const uint8_t* my_name = nullptr;
95     const uint8_t* their_name = nullptr;
96     size_t my_len = 0;
97     size_t their_len = 0;
98 
99     // Create the SPAKE2 context
100     switch (role_) {
101         case Role::Client:
102             spake_role = kClientRole;
103             my_name = kClientName;
104             my_len = sizeof(kClientName);
105             their_name = kServerName;
106             their_len = sizeof(kServerName);
107             break;
108         case Role::Server:
109             spake_role = kServerRole;
110             my_name = kServerName;
111             my_len = sizeof(kServerName);
112             their_name = kClientName;
113             their_len = sizeof(kClientName);
114             break;
115     }
116     spake2_ctx_.reset(SPAKE2_CTX_new(spake_role, my_name, my_len, their_name, their_len));
117     if (spake2_ctx_ == nullptr) {
118         LOG(ERROR) << "Unable to create a SPAKE2 context.";
119         return;
120     }
121 
122     // Generate the SPAKE2 public key
123     size_t key_size = 0;
124     uint8_t key[SPAKE2_MAX_MSG_SIZE];
125     int status = SPAKE2_generate_msg(spake2_ctx_.get(), key, &key_size, SPAKE2_MAX_MSG_SIZE,
126                                      pswd.data(), pswd.size());
127     if (status != 1 || key_size == 0) {
128         LOG(ERROR) << "Unable to generate the SPAKE2 public key.";
129         return;
130     }
131     our_msg_.assign(key, key + key_size);
132 }
133 
msg() const134 const PairingAuthCtx::Data& PairingAuthCtx::msg() const {
135     return our_msg_;
136 }
137 
InitCipher(const PairingAuthCtx::Data & their_msg)138 bool PairingAuthCtx::InitCipher(const PairingAuthCtx::Data& their_msg) {
139     // You can only register a key once.
140     CHECK(!their_msg.empty());
141     CHECK(!cipher_);
142 
143     // Don't even try to process a message over the SPAKE2_MAX_MSG_SIZE
144     if (their_msg.size() > SPAKE2_MAX_MSG_SIZE) {
145         LOG(ERROR) << "their_msg size [" << their_msg.size() << "] greater then max size ["
146                    << SPAKE2_MAX_MSG_SIZE << "].";
147         return false;
148     }
149 
150     size_t key_material_len = 0;
151     uint8_t key_material[SPAKE2_MAX_KEY_SIZE];
152     int status = SPAKE2_process_msg(spake2_ctx_.get(), key_material, &key_material_len,
153                                     sizeof(key_material), their_msg.data(), their_msg.size());
154     if (status != 1) {
155         LOG(ERROR) << "Unable to process their public key";
156         return false;
157     }
158 
159     // Once SPAKE2_process_msg returns successfully, you can't do anything else
160     // with the context, besides destroy it.
161     cipher_.reset(new Aes128Gcm(key_material, key_material_len));
162 
163     return true;
164 }
165 
Encrypt(const PairingAuthCtx::Data & data)166 PairingAuthCtx::Data PairingAuthCtx::Encrypt(const PairingAuthCtx::Data& data) {
167     CHECK(cipher_);
168     CHECK(!data.empty());
169 
170     // Determine the size for the encrypted data based on the raw data.
171     Data encrypted(cipher_->EncryptedSize(data.size()));
172     auto out_size = cipher_->Encrypt(data.data(), data.size(), encrypted.data(), encrypted.size());
173     if (!out_size.has_value() || *out_size == 0) {
174         LOG(ERROR) << "Unable to encrypt data";
175         return Data();
176     }
177     encrypted.resize(*out_size);
178 
179     return encrypted;
180 }
181 
Decrypt(const PairingAuthCtx::Data & data)182 PairingAuthCtx::Data PairingAuthCtx::Decrypt(const PairingAuthCtx::Data& data) {
183     CHECK(cipher_);
184     CHECK(!data.empty());
185 
186     // Determine the size for the decrypted data based on the raw data.
187     Data decrypted(cipher_->DecryptedSize(data.size()));
188     size_t decrypted_size = decrypted.size();
189     auto out_size = cipher_->Decrypt(data.data(), data.size(), decrypted.data(), decrypted_size);
190     if (!out_size.has_value() || *out_size == 0) {
191         LOG(ERROR) << "Unable to decrypt data";
192         return Data();
193     }
194     decrypted.resize(*out_size);
195 
196     return decrypted;
197 }
198 
SafeEncryptedSize(size_t len)199 size_t PairingAuthCtx::SafeEncryptedSize(size_t len) {
200     CHECK(cipher_);
201     return cipher_->EncryptedSize(len);
202 }
203 
SafeDecryptedSize(size_t len)204 size_t PairingAuthCtx::SafeDecryptedSize(size_t len) {
205     CHECK(cipher_);
206     return cipher_->DecryptedSize(len);
207 }
208 
pairing_auth_server_new(const uint8_t * pswd,size_t len)209 PairingAuthCtx* pairing_auth_server_new(const uint8_t* pswd, size_t len) {
210     CHECK(pswd);
211     CHECK_GT(len, 0U);
212     std::vector<uint8_t> p(pswd, pswd + len);
213     auto* ret = new PairingAuthCtx(PairingAuthCtx::Role::Server, std::move(p));
214     CHECK(!ret->msg().empty());
215     return ret;
216 }
217 
pairing_auth_client_new(const uint8_t * pswd,size_t len)218 PairingAuthCtx* pairing_auth_client_new(const uint8_t* pswd, size_t len) {
219     CHECK(pswd);
220     CHECK_GT(len, 0U);
221     std::vector<uint8_t> p(pswd, pswd + len);
222     auto* ret = new PairingAuthCtx(PairingAuthCtx::Role::Client, std::move(p));
223     CHECK(!ret->msg().empty());
224     return ret;
225 }
226 
pairing_auth_msg_size(PairingAuthCtx * ctx)227 size_t pairing_auth_msg_size(PairingAuthCtx* ctx) {
228     CHECK(ctx);
229     return ctx->msg().size();
230 }
231 
pairing_auth_get_spake2_msg(PairingAuthCtx * ctx,uint8_t * out_buf)232 void pairing_auth_get_spake2_msg(PairingAuthCtx* ctx, uint8_t* out_buf) {
233     CHECK(ctx);
234     CHECK(out_buf);
235     auto& msg = ctx->msg();
236     memcpy(out_buf, msg.data(), msg.size());
237 }
238 
pairing_auth_init_cipher(PairingAuthCtx * ctx,const uint8_t * their_msg,size_t msg_len)239 bool pairing_auth_init_cipher(PairingAuthCtx* ctx, const uint8_t* their_msg, size_t msg_len) {
240     CHECK(ctx);
241     CHECK(their_msg);
242     CHECK_GT(msg_len, 0U);
243 
244     std::vector<uint8_t> p(their_msg, their_msg + msg_len);
245     return ctx->InitCipher(p);
246 }
247 
pairing_auth_safe_encrypted_size(PairingAuthCtx * ctx,size_t len)248 size_t pairing_auth_safe_encrypted_size(PairingAuthCtx* ctx, size_t len) {
249     CHECK(ctx);
250     return ctx->SafeEncryptedSize(len);
251 }
252 
pairing_auth_encrypt(PairingAuthCtx * ctx,const uint8_t * inbuf,size_t inlen,uint8_t * outbuf,size_t * outlen)253 bool pairing_auth_encrypt(PairingAuthCtx* ctx, const uint8_t* inbuf, size_t inlen, uint8_t* outbuf,
254                           size_t* outlen) {
255     CHECK(ctx);
256     CHECK(inbuf);
257     CHECK(outbuf);
258     CHECK(outlen);
259     CHECK_GT(inlen, 0U);
260 
261     std::vector<uint8_t> in(inbuf, inbuf + inlen);
262     auto out = ctx->Encrypt(in);
263     if (out.empty()) {
264         return false;
265     }
266 
267     memcpy(outbuf, out.data(), out.size());
268     *outlen = out.size();
269     return true;
270 }
271 
pairing_auth_safe_decrypted_size(PairingAuthCtx * ctx,const uint8_t * buf,size_t len)272 size_t pairing_auth_safe_decrypted_size(PairingAuthCtx* ctx, const uint8_t* buf, size_t len) {
273     CHECK(ctx);
274     CHECK(buf);
275     CHECK_GT(len, 0U);
276     // We no longer need buf for EVP_AEAD
277     return ctx->SafeDecryptedSize(len);
278 }
279 
pairing_auth_decrypt(PairingAuthCtx * ctx,const uint8_t * inbuf,size_t inlen,uint8_t * outbuf,size_t * outlen)280 bool pairing_auth_decrypt(PairingAuthCtx* ctx, const uint8_t* inbuf, size_t inlen, uint8_t* outbuf,
281                           size_t* outlen) {
282     CHECK(ctx);
283     CHECK(inbuf);
284     CHECK(outbuf);
285     CHECK(outlen);
286     CHECK_GT(inlen, 0U);
287 
288     std::vector<uint8_t> in(inbuf, inbuf + inlen);
289     auto out = ctx->Decrypt(in);
290     if (out.empty()) {
291         return false;
292     }
293 
294     memcpy(outbuf, out.data(), out.size());
295     *outlen = out.size();
296     return true;
297 }
298 
pairing_auth_destroy(PairingAuthCtx * ctx)299 void pairing_auth_destroy(PairingAuthCtx* ctx) {
300     CHECK(ctx);
301     delete ctx;
302 }
303