Diffstat (limited to 'srcs/crypto_service.c')
-rw-r--r-- | srcs/crypto_service.c | 195 |
1 files changed, 44 insertions, 151 deletions
diff --git a/srcs/crypto_service.c b/srcs/crypto_service.c index c28c0cd..dcc172e 100644 --- a/srcs/crypto_service.c +++ b/srcs/crypto_service.c @@ -35,6 +35,11 @@ #include "wae_log.h" #define AES_256_KEY_SIZE 32 +#define KEK_IV_LEN 16 +#define PBKDF2_ITERATION 1024 + + +crypto_element_s *dek_kek = NULL; static bool __initialized = false; 
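Review bot: The new global `crypto_element_s *dek_kek = NULL;` has external linkage, so the pointer to the key-encryption key is an exported symbol that any other translation unit can read or overwrite. Declaring it `static crypto_element_s *dek_kek = NULL;` would match the neighbouring `static bool __initialized`. Nothing visible in this diff destroys or wipes the element, so the derived key appears to stay on the heap for the life of the process; a comment on the declaration should say who owns it and when it is released. If the preloaded-DEK entry points can be reached from more than one thread, the lazy `if (dek_kek == NULL)` initialisation in the next hunk is unsynchronised and concurrent first calls can each allocate an element, one of which leaks.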
@@ -47,186 +52,74 @@ void _initialize() } } -int encrypt_app_dek(const raw_buffer_s *pubkey, const raw_buffer_s *dek, - raw_buffer_s **pencrypted_dek) +int _generate_dek_kek() { - if (!is_buffer_valid(pubkey) || !is_buffer_valid(dek) || pencrypted_dek == NULL) - return WAE_ERROR_INVALID_PARAMETER; - int ret = WAE_ERROR_NONE; - EVP_PKEY *key = NULL; - EVP_PKEY_CTX *ctx = NULL; - raw_buffer_s *encrypted_dek = NULL; - size_t len = 0; - - _initialize(); - - BIO *bio = BIO_new(BIO_s_mem()); - BIO_write(bio, pubkey->buf, pubkey->size); - key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); - - if (key == NULL) { - BIO_reset(bio); - BIO_write(bio, pubkey->buf, pubkey->size); - key = d2i_PUBKEY_bio(bio, NULL); - } - - if (key == NULL) { - ret = WAE_ERROR_FILE; - WAE_SLOGE("Failt to convert to public key."); - goto error; - } - - ctx = EVP_PKEY_CTX_new(key, NULL); - - if (ctx == NULL) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_CTX_new failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } + raw_buffer_s *kek = NULL; + raw_buffer_s *iv = NULL; - if (EVP_PKEY_encrypt_init(ctx) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt_init failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_CTX_set_rsa_padding failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - /* Determine buffer length */ - if (EVP_PKEY_encrypt(ctx, NULL, &len, dek->buf, dek->size) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt failed"); - ret = WAE_ERROR_CRYPTO; + kek = buffer_create(AES_256_KEY_SIZE); + if (kek == NULL) { + ret = WAE_ERROR_MEMORY; goto error; } - - if ((encrypted_dek = buffer_create(len)) == NULL) { - WAE_SLOGE("Encrypt APP DEK Failed. 
OPENSSL_malloc failed"); + iv = buffer_create(KEK_IV_LEN); + if (iv == NULL) { ret = WAE_ERROR_MEMORY; goto error; } - if (EVP_PKEY_encrypt(ctx, encrypted_dek->buf, &encrypted_dek->size, dek->buf, - dek->size) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt failed"); + ret = PKCS5_PBKDF2_HMAC_SHA1( + DEK_KEK_SEED, -1, + NULL, 0, + PBKDF2_ITERATION, + AES_256_KEY_SIZE, + kek->buf); + if (ret == 0) { ret = WAE_ERROR_CRYPTO; goto error; + } else { + ret = WAE_ERROR_NONE; } - *pencrypted_dek = encrypted_dek; - + dek_kek = crypto_element_create(kek, iv); error: - if (bio != NULL) - BIO_free(bio); - - if (key != NULL) - EVP_PKEY_free(key); - - if (ctx != NULL) - EVP_PKEY_CTX_free(ctx); - - if (ret != WAE_ERROR_NONE) - buffer_destroy(encrypted_dek); + if (ret != WAE_ERROR_NONE) { + if (kek != NULL) + buffer_destroy(kek); + if (iv != NULL) + buffer_destroy(iv); + } return ret; } -int decrypt_app_dek(const raw_buffer_s *prikey, const char *prikey_pass, - const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek) +int encrypt_preloaded_app_dek(const raw_buffer_s *dek, raw_buffer_s **pencrypted_dek) { - if (!is_buffer_valid(prikey) || !is_buffer_valid(encrypted_dek) || pdek == NULL) - return WAE_ERROR_INVALID_PARAMETER; - int ret = WAE_ERROR_NONE; - EVP_PKEY_CTX *ctx = NULL; - raw_buffer_s *dek = NULL; - size_t len = 0; - - _initialize(); - BIO *bio = BIO_new(BIO_s_mem()); - if (bio == NULL) - return WAE_ERROR_MEMORY; - - BIO_write(bio, prikey->buf, prikey->size); - EVP_PKEY *key = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)prikey_pass); - - if (key == NULL) { - BIO_reset(bio); - BIO_write(bio, prikey->buf, prikey->size); - key = d2i_PrivateKey_bio(bio, NULL); - } - - if (key == NULL) { - ret = WAE_ERROR_FILE; - WAE_SLOGE("Failed to convert to public key."); - goto error; - } - - ctx = EVP_PKEY_CTX_new(key, NULL); - - if (ctx == NULL) { - WAE_SLOGE("Decrypt APP DEK Failed. 
EVP_PKEY_CTX_new failed"); - ret = WAE_ERROR_CRYPTO; - goto error; + if (dek_kek == NULL) { + ret = _generate_dek_kek(); + if (ret != WAE_ERROR_NONE) + return ret; } - if (EVP_PKEY_decrypt_init(ctx) <= 0) { - WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_decrypt_init failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) { - WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_CTX_set_rsa_padding failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - /* Determine buffer length */ - if (EVP_PKEY_decrypt(ctx, NULL, &len, encrypted_dek->buf, encrypted_dek->size) <= 0) { - WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_decrypt failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } + return encrypt_aes_cbc(dek_kek, dek, pencrypted_dek); +} - dek = buffer_create(len); - if (dek == NULL) { - WAE_SLOGE("Decrypt APP DEK Failed. OPENSSL_malloc failed"); - ret = WAE_ERROR_MEMORY; - goto error; - } +int decrypt_preloaded_app_dek(const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek) +{ + int ret = WAE_ERROR_NONE; - if (EVP_PKEY_decrypt(ctx, dek->buf, &dek->size, encrypted_dek->buf, - encrypted_dek->size) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_decrypt failed"); - ret = WAE_ERROR_CRYPTO; - goto error; + if (dek_kek == NULL) { + ret = _generate_dek_kek(); + if (ret != WAE_ERROR_NONE) + return ret; } - *pdek = dek; - -error: - if (bio != NULL) - BIO_free(bio); - - if (key != NULL) - EVP_PKEY_free(key); - - if (ctx != NULL) - EVP_PKEY_CTX_free(ctx); - - if (ret != WAE_ERROR_NONE) - buffer_destroy(dek); - - return ret; + return decrypt_aes_cbc(dek_kek, encrypted_dek, pdek); } - int encrypt_aes_cbc(const crypto_element_s *ce, const raw_buffer_s *data, raw_buffer_s **pencrypted_data) { |
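Review bot: In `_generate_dek_kek()` the `iv` buffer is allocated with `buffer_create(KEK_IV_LEN)` but nothing in the hunk writes to it before `crypto_element_create(kek, iv)`. Unless `buffer_create` zero-fills (not visible here), the CBC IV is indeterminate memory and a DEK encrypted in one process may not decrypt in another; if it does zero-fill, every preloaded DEK is wrapped under the same key and the same IV, so the IV should be set explicitly and the choice documented. The result of `crypto_element_create` is also unchecked: on failure `ret` stays `WAE_ERROR_NONE`, `kek` and `iv` are not freed, and the callers pass a NULL `dek_kek` on to `encrypt_aes_cbc`/`decrypt_aes_cbc`; adding `if (dek_kek == NULL) ret = WAE_ERROR_MEMORY;` right after the call would route it through the existing cleanup. Separately, `PKCS5_PBKDF2_HMAC_SHA1(DEK_KEK_SEED, -1, NULL, 0, PBKDF2_ITERATION, ...)` uses no salt, and if `DEK_KEK_SEED` is a build-time constant (its definition is outside this diff) every device derives the same KEK whatever the iteration count, which deserves a comment stating the intended threat model. The two new public functions also drop the `is_buffer_valid`/NULL argument checks that the removed functions performed, so confirm `encrypt_aes_cbc` and `decrypt_aes_cbc` validate their arguments.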