keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dev
voice-calls-2
voice-calls
authentication
2.5.0
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.2
2.3.1
2.3.0
2.2.14
2.2.13
2.2.12
2.2.11
2.2.10
2.2.9
2.2.6
2.2.4
2.2.2
2.2.1
2.2.0
2.1.1
2.0.3
2.0.2
2.0.1
2.0.0
1.0.0-alpha.1
audit-2
audit
2.8.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7.0
2.6.3
2.6.2
2.6.1
2.6.0
2.2.8
2.2.7
2.2.5
2.2.3
2.1.0
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.0
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1-beta
1.5.0-beta
1.5.0
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.0-beta
1.4.0
1.3.0-alpha.1
1.3.0
1.2.6
1.2.5
1.2.4
1.2.3
1.2.1
1.2.0-alpha.2
1.2.0-alpha.1
1.2.0
1.13.0
1.12.9
1.12.8
1.12.7
1.12.6
1.12.5
1.12.4
1.12.2
1.12.1
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.24
1.11.23
1.11.22
1.11.21
1.11.20
1.11.2
1.11.19
1.11.18
1.11.17
1.11.16
1.11.15
1.11.14
1.11.13
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.1.0-alpha.4
1.1.0-alpha.3
1.1.0-alpha.2
1.1.0-alpha.1
1.1.0
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0-alpha.3
1.0.0-alpha.2
1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f8fb647752'
${ noResults }
session-ios/SessionMessagingKit/Crypto/Crypto+Attachments.swift

257 lines
11 KiB
Swift
Raw Blame History

// Copyright © 2024 Rangeproof Pty Ltd. All rights reserved.
//
// stringlint:disable
import Foundation
import CommonCrypto
import SessionUtilitiesKit
// MARK: - Encryption
public extension Crypto.Generator {
private static var hmac256KeyLength: Int { 32 }
private static var hmac256OutputLength: Int { 32 }
private static var aesCBCIvLength: Int { 16 }
private static var aesKeySize: Int { 32 }
static func encryptAttachment(
plaintext: Data,
using dependencies: Dependencies
) -> Crypto.Generator<(ciphertext: Data, encryptionKey: Data, digest: Data)> {
return Crypto.Generator(
id: "encryptAttachment",
args: [plaintext]
) {
// Due to paddedSize, we need to divide by two.
guard plaintext.count < (UInt.max / 2) else {
Log.error("[Crypto] Attachment data too long to encrypt.")
throw CryptoError.encryptionFailed
}
guard
var iv: [UInt8] = dependencies.crypto.generate(.randomBytes(aesCBCIvLength)),
var encryptionKey: [UInt8] = dependencies.crypto.generate(.randomBytes(aesKeySize)),
var hmacKey: [UInt8] = dependencies.crypto.generate(.randomBytes(hmac256KeyLength))
else {
Log.error("[Crypto] Failed to generate random data.")
throw CryptoError.encryptionFailed
}
// The concatenated key for storage
var outKey: Data = Data()
outKey.append(Data(encryptionKey))
outKey.append(Data(hmacKey))
// Apply any padding
let desiredSize: Int = max(541, Int(floor(pow(1.05, ceil(log(Double(plaintext.count)) / log(1.05))))))
var paddedAttachmentData: [UInt8] = Array(plaintext)
if desiredSize > plaintext.count {
paddedAttachmentData.append(contentsOf: [UInt8](repeating: 0, count: desiredSize - plaintext.count))
}
var numBytesEncrypted: size_t = 0
var bufferData: [UInt8] = Array(Data(count: paddedAttachmentData.count + kCCBlockSizeAES128))
let cryptStatus: CCCryptorStatus = CCCrypt(
CCOperation(kCCEncrypt),
CCAlgorithm(kCCAlgorithmAES128),
CCOptions(kCCOptionPKCS7Padding),
&encryptionKey, encryptionKey.count,
&iv,
&paddedAttachmentData, paddedAttachmentData.count,
&bufferData, bufferData.count,
&numBytesEncrypted
)
guard cryptStatus == kCCSuccess else {
Log.error("[Crypto] Failed to encrypt attachment with status: \(cryptStatus).")
throw CryptoError.encryptionFailed
}
guard cryptStatus == kCCSuccess else {
Log.error("[Crypto] Failed to encrypt attachment with status: \(cryptStatus).")
throw CryptoError.encryptionFailed
}
guard bufferData.count >= numBytesEncrypted else {
Log.error("[Crypto] ciphertext has unexpected length: \(bufferData.count) < \(numBytesEncrypted).")
throw CryptoError.encryptionFailed
}
let ciphertext: [UInt8] = Array(bufferData[0..<numBytesEncrypted])
var encryptedPaddedData: [UInt8] = (iv + ciphertext)
// compute hmac of: iv || encrypted data
guard encryptedPaddedData.count < (UInt.max / 2) else {
Log.error("[Crypto] Attachment data too long to encrypt.")
throw CryptoError.encryptionFailed
}
guard hmacKey.count < (UInt.max / 2) else {
Log.error("[Crypto] Hmac key is too long.")
throw CryptoError.encryptionFailed
}
var hmacDataBuffer: [UInt8] = Array(Data(count: Int(CC_SHA256_DIGEST_LENGTH)))
CCHmac(
CCHmacAlgorithm(kCCHmacAlgSHA256),
&hmacKey,
hmacKey.count,
&encryptedPaddedData,
encryptedPaddedData.count,
&hmacDataBuffer
)
let hmac: [UInt8] = Array(hmacDataBuffer[0..<hmac256OutputLength])
encryptedPaddedData.append(contentsOf: hmac)
// compute digest of: iv || encrypted data || hmac
guard encryptedPaddedData.count < UInt32.max else {
Log.error("[Crypto] Attachment data too long to encrypt.")
throw CryptoError.encryptionFailed
}
var digest: [UInt8] = Array(Data(count: Int(CC_SHA256_DIGEST_LENGTH)))
CC_SHA256(&encryptedPaddedData, UInt32(encryptedPaddedData.count), &digest)
return (Data(encryptedPaddedData), outKey, Data(digest))
}
}
}
// MARK: - Decryption
public extension Crypto.Generator {
static func decryptAttachment(
ciphertext: Data,
key: Data,
digest: Data,
unpaddedSize: UInt
) -> Crypto.Generator<Data> {
return Crypto.Generator(
id: "decryptAttachment",
args: [ciphertext, key, digest, unpaddedSize]
) {
guard ciphertext.count >= aesCBCIvLength + hmac256OutputLength else {
Log.error("[Crypto] Attachment shorter than crypto overhead.");
throw CryptoError.decryptionFailed
}
// key: 32 byte AES key || 32 byte Hmac-SHA256 key.
var encryptionKey: [UInt8] = Array(key[0..<aesKeySize])
var hmacKey: [UInt8] = Array(key[aesKeySize...])
// ciphertext: IV || Ciphertext || truncated MAC(IV||Ciphertext)
var iv: [UInt8] = Array(ciphertext[0..<aesCBCIvLength])
var encryptedAttachment: [UInt8] = Array(ciphertext[aesCBCIvLength..<ciphertext.count - hmac256OutputLength])
let hmac: [UInt8] = Array(ciphertext[(ciphertext.count - hmac256OutputLength)...])
// Verify hmac of: iv || encrypted data
var dataToAuth: [UInt8] = (iv + encryptedAttachment)
var hmacDataBuffer: [UInt8] = Array(Data(count: Int(CC_SHA256_DIGEST_LENGTH)))
CCHmac(
CCHmacAlgorithm(kCCHmacAlgSHA256),
&hmacKey,
hmacKey.count,
&dataToAuth,
dataToAuth.count,
&hmacDataBuffer
)
let generatedHmac: [UInt8] = Array(hmacDataBuffer[0..<hmac256OutputLength])
let isHmacEqual: Bool = {
guard hmac.count == generatedHmac.count else { return false }
var isEqual: UInt8 = 0
(0..<hmac.count).forEach { index in
// Rather than returning as soon as we find a discrepency, we compare the rest of
// the byte stream to maintain a constant time comparison
isEqual |= hmac[index] ^ generatedHmac[index]
}
return (isEqual == 0)
}()
guard isHmacEqual else {
Log.error("[Crypto] Bad HMAC on decrypting payload.")
throw CryptoError.decryptionFailed
}
// Verify digest of: iv || encrypted data || hmac
dataToAuth += generatedHmac
var generatedDigest: [UInt8] = Array(Data(count: Int(CC_SHA256_DIGEST_LENGTH)))
CC_SHA256(&dataToAuth, UInt32(dataToAuth.count), &generatedDigest)
let isDigestEqual: Bool = {
guard digest.count == generatedDigest.count else { return false }
var isEqual: UInt8 = 0
(0..<digest.count).forEach { index in
// Rather than returning as soon as we find a discrepency, we compare the rest of
// the byte stream to maintain a constant time comparison
isEqual |= digest[index] ^ generatedDigest[index]
}
return (isEqual == 0)
}()
guard isDigestEqual else {
Log.error("[Crypto] Bad digest on decrypting payload.")
throw CryptoError.decryptionFailed
}
var numBytesDecrypted: size_t = 0
var bufferData: [UInt8] = Array(Data(count: ciphertext.count + kCCBlockSizeAES128))
let cryptStatus: CCCryptorStatus = CCCrypt(
CCOperation(kCCDecrypt),
CCAlgorithm(kCCAlgorithmAES128),
CCOptions(kCCOptionPKCS7Padding),
&encryptionKey, encryptionKey.count,
&iv,
&encryptedAttachment, encryptedAttachment.count,
&bufferData, bufferData.count,
&numBytesDecrypted
)
guard cryptStatus == kCCSuccess else {
Log.error("[Crypto] Failed to decrypt attachment with status: \(cryptStatus).")
throw CryptoError.decryptionFailed
}
guard bufferData.count >= numBytesDecrypted else {
Log.error("[Crypto] Attachment paddedPlaintext has unexpected length: \(bufferData.count) < \(numBytesDecrypted).")
throw CryptoError.decryptionFailed
}
let paddedPlaintext: [UInt8] = Array(bufferData[0..<numBytesDecrypted])
// Legacy iOS clients didn't set the unpaddedSize on attachments.
// So an unpaddedSize of 0 could mean one of two things:
// [case 1] receiving a legacy attachment from before padding was introduced
// [case 2] receiving a modern attachment of length 0 that just has some null padding (e.g. an empty group sync)
guard unpaddedSize > 0 else {
guard paddedPlaintext.contains(where: { $0 != 0x00 }) else {
// [case 2] The bytes were all 0's. We assume it was all padding and the actual
// attachment data was indeed empty. The downside here would be if a legacy client
// was intentionally sending an attachment consisting of just 0's. This seems unlikely,
// and would only affect iOS clients from before commit:
//
// 6eeb78157a044e632adc3daf6254aceacd53e335
// Author: Michael Kirk <michael.code@endoftheworl.de>
// Date: Thu Oct 26 15:08:25 2017 -0700
//
// Include size in attachment pointer
return Data()
}
// [case 1] There was something besides 0 in our data, assume it wasn't padding.
return Data(paddedPlaintext)
}
guard unpaddedSize <= paddedPlaintext.count else {
Log.error("[Crypto] Decrypted attachment was smaller than the expected size (\(unpaddedSize) < \(paddedPlaintext.count)), decryption was invalid.")
throw CryptoError.decryptionFailed
}
// If the `paddedPlaintext` is the same length as the `unpaddedSize` then just return it
guard unpaddedSize != paddedPlaintext.count else { return Data(paddedPlaintext) }
return Data(paddedPlaintext[0..<Int(unpaddedSize)])
}
}
}
Reference in New Issue View Git Blame Copy Permalink