1/* 2 * libwebsockets - small server side websockets and web server implementation 3 * 4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com> 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to 8 * deal in the Software without restriction, including without limitation the 9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 10 * sell copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22 * IN THE SOFTWARE. 23 */ 24 25#include "private-lib-core.h" 26 27/* 28 * These came from RFC7518 (JSON Web Algorithms) Section 3 29 * 30 * Cryptographic Algorithms for Digital Signatures and MACs 31 */ 32 33static const struct lws_jose_jwe_alg lws_gencrypto_jws_alg_map[] = { 34 35 /* 36 * JWSs MAY also be created that do not provide integrity protection. 37 * Such a JWS is called an Unsecured JWS. An Unsecured JWS uses the 38 * "alg" value "none" and is formatted identically to other JWSs, but 39 * MUST use the empty octet sequence as its JWS Signature value. 40 * Recipients MUST verify that the JWS Signature value is the empty 41 * octet sequence. 42 * 43 * Implementations that support Unsecured JWSs MUST NOT accept such 44 * objects as valid unless the application specifies that it is 45 * acceptable for a specific object to not be integrity protected. 46 * Implementations MUST NOT accept Unsecured JWSs by default. In order 47 * to mitigate downgrade attacks, applications MUST NOT signal 48 * acceptance of Unsecured JWSs at a global level, and SHOULD signal 49 * acceptance on a per-object basis. See Section 8.5 for security 50 * considerations associated with using this algorithm. 51 */ 52 { /* optional */ 53 LWS_GENHASH_TYPE_UNKNOWN, 54 LWS_GENHMAC_TYPE_UNKNOWN, 55 LWS_JOSE_ENCTYPE_NONE, 56 LWS_JOSE_ENCTYPE_NONE, 57 "none", NULL, 0, 0, 0 58 }, 59 60 /* 61 * HMAC with SHA-2 Functions 62 * 63 * The HMAC SHA-256 MAC for a JWS is validated by computing an HMAC 64 * value per RFC 2104, using SHA-256 as the hash algorithm "H", using 65 * the received JWS Signing Input as the "text" value, and using the 66 * shared key. This computed HMAC value is then compared to the result 67 * of base64url decoding the received encoded JWS Signature value. The 68 * comparison of the computed HMAC value to the JWS Signature value MUST 69 * be done in a constant-time manner to thwart timing attacks. 70 * 71 * Alternatively, the computed HMAC value can be base64url encoded and 72 * compared to the received encoded JWS Signature value (also in a 73 * constant-time manner), as this comparison produces the same result as 74 * comparing the unencoded values. In either case, if the values match, 75 * the HMAC has been validated. 76 */ 77 78 { /* required: HMAC using SHA-256 */ 79 LWS_GENHASH_TYPE_UNKNOWN, 80 LWS_GENHMAC_TYPE_SHA256, 81 LWS_JOSE_ENCTYPE_NONE, 82 LWS_JOSE_ENCTYPE_NONE, 83 "HS256", NULL, 0, 0, 0 84 }, 85 { /* optional: HMAC using SHA-384 */ 86 LWS_GENHASH_TYPE_UNKNOWN, 87 LWS_GENHMAC_TYPE_SHA384, 88 LWS_JOSE_ENCTYPE_NONE, 89 LWS_JOSE_ENCTYPE_NONE, 90 "HS384", NULL, 0, 0, 0 91 }, 92 { /* optional: HMAC using SHA-512 */ 93 LWS_GENHASH_TYPE_UNKNOWN, 94 LWS_GENHMAC_TYPE_SHA512, 95 LWS_JOSE_ENCTYPE_NONE, 96 LWS_JOSE_ENCTYPE_NONE, 97 "HS512", NULL, 0, 0, 0 98 }, 99 100 /* 101 * Digital Signature with RSASSA-PKCS1-v1_5 102 * 103 * This section defines the use of the RSASSA-PKCS1-v1_5 digital 104 * signature algorithm as defined in Section 8.2 of RFC 3447 [RFC3447] 105 * (commonly known as PKCS #1), using SHA-2 [SHS] hash functions. 106 * 107 * A key of size 2048 bits or larger MUST be used with these algorithms. 108 * 109 * The RSASSA-PKCS1-v1_5 SHA-256 digital signature is generated as 110 * follows: generate a digital signature of the JWS Signing Input using 111 * RSASSA-PKCS1-v1_5-SIGN and the SHA-256 hash function with the desired 112 * private key. This is the JWS Signature value. 113 * 114 * The RSASSA-PKCS1-v1_5 SHA-256 digital signature for a JWS is 115 * validated as follows: submit the JWS Signing Input, the JWS 116 * Signature, and the public key corresponding to the private key used 117 * by the signer to the RSASSA-PKCS1-v1_5-VERIFY algorithm using SHA-256 118 * as the hash function. 119 */ 120 121 { /* recommended: RSASSA-PKCS1-v1_5 using SHA-256 */ 122 LWS_GENHASH_TYPE_SHA256, 123 LWS_GENHMAC_TYPE_UNKNOWN, 124 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, 125 LWS_JOSE_ENCTYPE_NONE, 126 "RS256", NULL, 2048, 4096, 0 127 }, 128 { /* optional: RSASSA-PKCS1-v1_5 using SHA-384 */ 129 LWS_GENHASH_TYPE_SHA384, 130 LWS_GENHMAC_TYPE_UNKNOWN, 131 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, 132 LWS_JOSE_ENCTYPE_NONE, 133 "RS384", NULL, 2048, 4096, 0 134 }, 135 { /* optional: RSASSA-PKCS1-v1_5 using SHA-512 */ 136 LWS_GENHASH_TYPE_SHA512, 137 LWS_GENHMAC_TYPE_UNKNOWN, 138 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, 139 LWS_JOSE_ENCTYPE_NONE, 140 "RS512", NULL, 2048, 4096, 0 141 }, 142 143 /* 144 * Digital Signature with ECDSA 145 * 146 * The ECDSA P-256 SHA-256 digital signature is generated as follows: 147 * 148 * 1. Generate a digital signature of the JWS Signing Input using ECDSA 149 * P-256 SHA-256 with the desired private key. The output will be 150 * the pair (R, S), where R and S are 256-bit unsigned integers. 151 * 2. Turn R and S into octet sequences in big-endian order, with each 152 * array being be 32 octets long. The octet sequence 153 * representations MUST NOT be shortened to omit any leading zero 154 * octets contained in the values. 155 * 156 * 3. Concatenate the two octet sequences in the order R and then S. 157 * (Note that many ECDSA implementations will directly produce this 158 * concatenation as their output.) 159 * 160 * 4. The resulting 64-octet sequence is the JWS Signature value. 161 * 162 * The ECDSA P-256 SHA-256 digital signature for a JWS is validated as 163 * follows: 164 * 165 * 1. The JWS Signature value MUST be a 64-octet sequence. If it is 166 * not a 64-octet sequence, the validation has failed. 167 * 168 * 2. Split the 64-octet sequence into two 32-octet sequences. The 169 * first octet sequence represents R and the second S. The values R 170 * and S are represented as octet sequences using the Integer-to- 171 * OctetString Conversion defined in Section 2.3.7 of SEC1 [SEC1] 172 * (in big-endian octet order). 173 * 3. Submit the JWS Signing Input, R, S, and the public key (x, y) to 174 * the ECDSA P-256 SHA-256 validator. 175 */ 176 177 { /* Recommended+: ECDSA using P-256 and SHA-256 */ 178 LWS_GENHASH_TYPE_SHA256, 179 LWS_GENHMAC_TYPE_UNKNOWN, 180 LWS_JOSE_ENCTYPE_ECDSA, 181 LWS_JOSE_ENCTYPE_NONE, 182 "ES256", "P-256", 256, 256, 0 183 }, 184 { /* optional: ECDSA using P-384 and SHA-384 */ 185 LWS_GENHASH_TYPE_SHA384, 186 LWS_GENHMAC_TYPE_UNKNOWN, 187 LWS_JOSE_ENCTYPE_ECDSA, 188 LWS_JOSE_ENCTYPE_NONE, 189 "ES384", "P-384", 384, 384, 0 190 }, 191 { /* optional: ECDSA using P-521 and SHA-512 */ 192 LWS_GENHASH_TYPE_SHA512, 193 LWS_GENHMAC_TYPE_UNKNOWN, 194 LWS_JOSE_ENCTYPE_ECDSA, 195 LWS_JOSE_ENCTYPE_NONE, 196 "ES512", "P-521", 521, 521, 0 197 }, 198#if 0 199 Not yet supported 200 201 /* 202 * Digital Signature with RSASSA-PSS 203 * 204 * A key of size 2048 bits or larger MUST be used with this algorithm. 205 * 206 * The RSASSA-PSS SHA-256 digital signature is generated as follows: 207 * generate a digital signature of the JWS Signing Input using RSASSA- 208 * PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation 209 * function with SHA-256 with the desired private key. This is the JWS 210 * Signature value. 211 * 212 * The RSASSA-PSS SHA-256 digital signature for a JWS is validated as 213 * follows: submit the JWS Signing Input, the JWS Signature, and the 214 * public key corresponding to the private key used by the signer to the 215 * RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and 216 * using MGF1 as the mask generation function with SHA-256. 217 * 218 */ 219 { /* optional: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 */ 220 LWS_GENHASH_TYPE_SHA256, 221 LWS_GENHMAC_TYPE_UNKNOWN, 222 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, 223 LWS_JOSE_ENCTYPE_NONE, 224 "PS256", NULL, 2048, 4096, 0 225 }, 226 { /* optional: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 */ 227 LWS_GENHASH_TYPE_SHA384, 228 LWS_GENHMAC_TYPE_UNKNOWN, 229 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, 230 LWS_JOSE_ENCTYPE_NONE, 231 "PS384", NULL, 2048, 4096, 0 232 }, 233 { /* optional: RSASSA-PSS using SHA-512 and MGF1 with SHA-512*/ 234 LWS_GENHASH_TYPE_SHA512, 235 LWS_GENHMAC_TYPE_UNKNOWN, 236 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, 237 LWS_JOSE_ENCTYPE_NONE, 238 "PS512", NULL, 2048, 4096, 0 239 }, 240#endif 241 /* list terminator */ 242 { 0, 0, 0, 0, NULL, NULL, 0, 0, 0} 243}; 244 245/* 246 * These came from RFC7518 (JSON Web Algorithms) Section 4 247 * 248 * Cryptographic Algorithms for Key Management 249 * 250 * JWE uses cryptographic algorithms to encrypt or determine the Content 251 * Encryption Key (CEK). 252 */ 253 254static const struct lws_jose_jwe_alg lws_gencrypto_jwe_alg_map[] = { 255 256 /* 257 * This section defines the specifics of encrypting a JWE CEK with 258 * RSAES-PKCS1-v1_5 [RFC3447]. The "alg" (algorithm) Header Parameter 259 * value "RSA1_5" is used for this algorithm. 260 * 261 * A key of size 2048 bits or larger MUST be used with this algorithm. 262 */ 263 264 { /* recommended-: RSAES-PKCS1-v1_5 */ 265 LWS_GENHASH_TYPE_SHA256, 266 LWS_GENHMAC_TYPE_UNKNOWN, 267 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, 268 LWS_JOSE_ENCTYPE_NONE, 269 "RSA1_5", NULL, 2048, 4096, 0 270 }, 271 { /* recommended+: RSAES OAEP using default parameters */ 272 LWS_GENHASH_TYPE_SHA1, 273 LWS_GENHMAC_TYPE_UNKNOWN, 274 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP, 275 LWS_JOSE_ENCTYPE_NONE, 276 "RSA-OAEP", NULL, 2048, 4096, 0 277 }, 278 { /* recommended+: RSAES OAEP using SHA-256 and MGF1 SHA-256 */ 279 LWS_GENHASH_TYPE_SHA256, 280 LWS_GENHMAC_TYPE_UNKNOWN, 281 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP, 282 LWS_JOSE_ENCTYPE_NONE, 283 "RSA-OAEP-256", NULL, 2048, 4096, 0 284 }, 285 286 /* 287 * Key Wrapping with AES Key Wrap 288 * 289 * This section defines the specifics of encrypting a JWE CEK with the 290 * Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using 291 * the default initial value specified in Section 2.2.3.1 of that 292 * document. 293 * 294 * 295 */ 296 { /* recommended: AES Key Wrap with AES Key Wrap with defaults 297 using 128-bit key */ 298 LWS_GENHASH_TYPE_UNKNOWN, 299 LWS_GENHMAC_TYPE_UNKNOWN, 300 LWS_JOSE_ENCTYPE_AES_ECB, 301 LWS_JOSE_ENCTYPE_NONE, 302 "A128KW", NULL, 128, 128, 64 303 }, 304 305 { /* optional: AES Key Wrap with AES Key Wrap with defaults 306 using 192-bit key */ 307 LWS_GENHASH_TYPE_UNKNOWN, 308 LWS_GENHMAC_TYPE_UNKNOWN, 309 LWS_JOSE_ENCTYPE_AES_ECB, 310 LWS_JOSE_ENCTYPE_NONE, 311 "A192KW", NULL, 192, 192, 64 312 }, 313 314 { /* recommended: AES Key Wrap with AES Key Wrap with defaults 315 using 256-bit key */ 316 LWS_GENHASH_TYPE_UNKNOWN, 317 LWS_GENHMAC_TYPE_UNKNOWN, 318 LWS_JOSE_ENCTYPE_AES_ECB, 319 LWS_JOSE_ENCTYPE_NONE, 320 "A256KW", NULL, 256, 256, 64 321 }, 322 323 /* 324 * This section defines the specifics of directly performing symmetric 325 * key encryption without performing a key wrapping step. In this case, 326 * the shared symmetric key is used directly as the Content Encryption 327 * Key (CEK) value for the "enc" algorithm. An empty octet sequence is 328 * used as the JWE Encrypted Key value. The "alg" (algorithm) Header 329 * Parameter value "dir" is used in this case. 330 */ 331 { /* recommended */ 332 LWS_GENHASH_TYPE_UNKNOWN, 333 LWS_GENHMAC_TYPE_UNKNOWN, 334 LWS_JOSE_ENCTYPE_NONE, 335 LWS_JOSE_ENCTYPE_NONE, 336 "dir", NULL, 0, 0, 0 337 }, 338 339 /* 340 * Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static 341 * (ECDH-ES) 342 * 343 * This section defines the specifics of key agreement with Elliptic 344 * Curve Diffie-Hellman Ephemeral Static [RFC6090], in combination with 345 * the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A]. The 346 * key agreement result can be used in one of two ways: 347 * 348 * 1. directly as the Content Encryption Key (CEK) for the "enc" 349 * algorithm, in the Direct Key Agreement mode, or 350 * 351 * 2. as a symmetric key used to wrap the CEK with the "A128KW", 352 * "A192KW", or "A256KW" algorithms, in the Key Agreement with Key 353 * Wrapping mode. 354 * 355 * A new ephemeral public key value MUST be generated for each key 356 * agreement operation. 357 * 358 * In Direct Key Agreement mode, the output of the Concat KDF MUST be a 359 * key of the same length as that used by the "enc" algorithm. In this 360 * case, the empty octet sequence is used as the JWE Encrypted Key 361 * value. The "alg" (algorithm) Header Parameter value "ECDH-ES" is 362 * used in the Direct Key Agreement mode. 363 * 364 * In Key Agreement with Key Wrapping mode, the output of the Concat KDF 365 * MUST be a key of the length needed for the specified key wrapping 366 * algorithm. In this case, the JWE Encrypted Key is the CEK wrapped 367 * with the agreed-upon key. 368 */ 369 370 { /* recommended+: ECDH Ephemeral Static Key agreement Concat KDF */ 371 LWS_GENHASH_TYPE_SHA256, 372 LWS_GENHMAC_TYPE_UNKNOWN, 373 LWS_JOSE_ENCTYPE_ECDHES, 374 LWS_JOSE_ENCTYPE_NONE, 375 "ECDH-ES", NULL, 128, 128, 0 376 }, 377 { /* recommended: ECDH-ES + Concat KDF + wrapped by AES128KW */ 378 LWS_GENHASH_TYPE_SHA256, 379 LWS_GENHMAC_TYPE_UNKNOWN, 380 LWS_JOSE_ENCTYPE_ECDHES, 381 LWS_JOSE_ENCTYPE_AES_ECB, 382 "ECDH-ES+A128KW", NULL, 128, 128, 0 383 }, 384 { /* optional: ECDH-ES + Concat KDF + wrapped by AES192KW */ 385 LWS_GENHASH_TYPE_SHA256, 386 LWS_GENHMAC_TYPE_UNKNOWN, 387 LWS_JOSE_ENCTYPE_ECDHES, 388 LWS_JOSE_ENCTYPE_AES_ECB, 389 "ECDH-ES+A192KW", NULL, 192, 192, 0 390 }, 391 { /* recommended: ECDH-ES + Concat KDF + wrapped by AES256KW */ 392 LWS_GENHASH_TYPE_SHA256, 393 LWS_GENHMAC_TYPE_UNKNOWN, 394 LWS_JOSE_ENCTYPE_ECDHES, 395 LWS_JOSE_ENCTYPE_AES_ECB, 396 "ECDH-ES+A256KW", NULL, 256, 256, 0 397 }, 398 399 /* 400 * Key Encryption with AES GCM 401 * 402 * This section defines the specifics of encrypting a JWE Content 403 * Encryption Key (CEK) with Advanced Encryption Standard (AES) in 404 * Galois/Counter Mode (GCM) ([AES] and [NIST.800-38D]). 405 * 406 * Use of an Initialization Vector (IV) of size 96 bits is REQUIRED with 407 * this algorithm. The IV is represented in base64url-encoded form as 408 * the "iv" (initialization vector) Header Parameter value. 409 * 410 * The Additional Authenticated Data value used is the empty octet 411 * string. 412 * 413 * The requested size of the Authentication Tag output MUST be 128 bits, 414 * regardless of the key size. 415 * 416 * The JWE Encrypted Key value is the ciphertext output. 417 * 418 * The Authentication Tag output is represented in base64url-encoded 419 * form as the "tag" (authentication tag) Header Parameter value. 420 * 421 * 422 * "iv" (Initialization Vector) Header Parameter 423 * 424 * The "iv" (initialization vector) Header Parameter value is the 425 * base64url-encoded representation of the 96-bit IV value used for the 426 * key encryption operation. This Header Parameter MUST be present and 427 * MUST be understood and processed by implementations when these 428 * algorithms are used. 429 * 430 * "tag" (Authentication Tag) Header Parameter 431 * 432 * The "tag" (authentication tag) Header Parameter value is the 433 * base64url-encoded representation of the 128-bit Authentication Tag 434 * value resulting from the key encryption operation. This Header 435 * Parameter MUST be present and MUST be understood and processed by 436 * implementations when these algorithms are used. 437 */ 438 { /* optional: Key wrapping with AES GCM using 128-bit key */ 439 LWS_GENHASH_TYPE_UNKNOWN, 440 LWS_GENHMAC_TYPE_UNKNOWN, 441 LWS_JOSE_ENCTYPE_AES_ECB, 442 LWS_JOSE_ENCTYPE_NONE, 443 "A128GCMKW", NULL, 128, 128, 96 444 }, 445 446 { /* optional: Key wrapping with AES GCM using 192-bit key */ 447 LWS_GENHASH_TYPE_UNKNOWN, 448 LWS_GENHMAC_TYPE_UNKNOWN, 449 LWS_JOSE_ENCTYPE_AES_ECB, 450 LWS_JOSE_ENCTYPE_NONE, 451 "A192GCMKW", NULL, 192, 192, 96 452 }, 453 454 { /* optional: Key wrapping with AES GCM using 256-bit key */ 455 LWS_GENHASH_TYPE_UNKNOWN, 456 LWS_GENHMAC_TYPE_UNKNOWN, 457 LWS_JOSE_ENCTYPE_AES_ECB, 458 LWS_JOSE_ENCTYPE_NONE, 459 "A256GCMKW", NULL, 256, 256, 96 460 }, 461 462 /* list terminator */ 463 { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } 464}; 465 466/* 467 * The "enc" (encryption algorithm) Header Parameter identifies the 468 * content encryption algorithm used to perform authenticated encryption 469 * on the plaintext to produce the ciphertext and the Authentication 470 * Tag. This algorithm MUST be an AEAD algorithm with a specified key 471 * length. The encrypted content is not usable if the "enc" value does 472 * not represent a supported algorithm. "enc" values should either be 473 * registered in the IANA "JSON Web Signature and Encryption Algorithms" 474 * registry established by [JWA] or be a value that contains a 475 * Collision-Resistant Name. The "enc" value is a case-sensitive ASCII 476 * string containing a StringOrURI value. This Header Parameter MUST be 477 * present and MUST be understood and processed by implementations. 478 */ 479 480static const struct lws_jose_jwe_alg lws_gencrypto_jwe_enc_map[] = { 481 /* 482 * AES_128_CBC_HMAC_SHA_256 / 512 483 * 484 * It uses the HMAC message authentication code [RFC2104] with the 485 * SHA-256 hash function [SHS] to provide message authentication, with 486 * the HMAC output truncated to 128 bits, corresponding to the 487 * HMAC-SHA-256-128 algorithm defined in [RFC4868]. For encryption, it 488 * uses AES in the CBC mode of operation as defined in Section 6.2 of 489 * [NIST.800-38A], with PKCS #7 padding and a 128-bit IV value. 490 * 491 * The AES_CBC_HMAC_SHA2 parameters specific to AES_128_CBC_HMAC_SHA_256 492 * are: 493 * 494 * The input key K is 32 octets long. 495 * ENC_KEY_LEN is 16 octets. 496 * MAC_KEY_LEN is 16 octets. 497 * The SHA-256 hash algorithm is used for the HMAC. 498 * The HMAC-SHA-256 output is truncated to T_LEN=16 octets, by 499 * stripping off the final 16 octets. 500 */ 501 { /* required */ 502 LWS_GENHASH_TYPE_UNKNOWN, 503 LWS_GENHMAC_TYPE_SHA256, 504 LWS_JOSE_ENCTYPE_NONE, 505 LWS_JOSE_ENCTYPE_AES_CBC, 506 "A128CBC-HS256", NULL, 256, 256, 128 507 }, 508 /* 509 * AES_192_CBC_HMAC_SHA_384 is based on AES_128_CBC_HMAC_SHA_256, but 510 * with the following differences: 511 * 512 * The input key K is 48 octets long instead of 32. 513 * ENC_KEY_LEN is 24 octets instead of 16. 514 * MAC_KEY_LEN is 24 octets instead of 16. 515 * SHA-384 is used for the HMAC instead of SHA-256. 516 * The HMAC SHA-384 value is truncated to T_LEN=24 octets instead of 16. 517 */ 518 { /* required */ 519 LWS_GENHASH_TYPE_UNKNOWN, 520 LWS_GENHMAC_TYPE_SHA384, 521 LWS_JOSE_ENCTYPE_NONE, 522 LWS_JOSE_ENCTYPE_AES_CBC, 523 "A192CBC-HS384", NULL, 384, 384, 192 524 }, 525 /* 526 * AES_256_CBC_HMAC_SHA_512 is based on AES_128_CBC_HMAC_SHA_256, but 527 * with the following differences: 528 * 529 * The input key K is 64 octets long instead of 32. 530 * ENC_KEY_LEN is 32 octets instead of 16. 531 * MAC_KEY_LEN is 32 octets instead of 16. 532 * SHA-512 is used for the HMAC instead of SHA-256. 533 * The HMAC SHA-512 value is truncated to T_LEN=32 octets instead of 16. 534 */ 535 { /* required */ 536 LWS_GENHASH_TYPE_UNKNOWN, 537 LWS_GENHMAC_TYPE_SHA512, 538 LWS_JOSE_ENCTYPE_NONE, 539 LWS_JOSE_ENCTYPE_AES_CBC, 540 "A256CBC-HS512", NULL, 512, 512, 256 541 }, 542 543 /* 544 * The CEK is used as the encryption key. 545 * 546 * Use of an IV of size 96 bits is REQUIRED with this algorithm. 547 * 548 * The requested size of the Authentication Tag output MUST be 128 bits, 549 * regardless of the key size. 550 */ 551 { /* recommended: AES GCM using 128-bit key */ 552 LWS_GENHASH_TYPE_UNKNOWN, 553 LWS_GENHMAC_TYPE_UNKNOWN, 554 LWS_JOSE_ENCTYPE_NONE, 555 LWS_JOSE_ENCTYPE_AES_GCM, 556 "A128GCM", NULL, 128, 128, 96 557 }, 558 { /* optional: AES GCM using 192-bit key */ 559 LWS_GENHASH_TYPE_UNKNOWN, 560 LWS_GENHMAC_TYPE_UNKNOWN, 561 LWS_JOSE_ENCTYPE_NONE, 562 LWS_JOSE_ENCTYPE_AES_GCM, 563 "A192GCM", NULL, 192, 192, 96 564 }, 565 { /* recommended: AES GCM using 256-bit key */ 566 LWS_GENHASH_TYPE_UNKNOWN, 567 LWS_GENHMAC_TYPE_UNKNOWN, 568 LWS_JOSE_ENCTYPE_NONE, 569 LWS_JOSE_ENCTYPE_AES_GCM, 570 "A256GCM", NULL, 256, 256, 96 571 }, 572 { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } /* sentinel */ 573}; 574 575int 576lws_gencrypto_jws_alg_to_definition(const char *alg, 577 const struct lws_jose_jwe_alg **jose) 578{ 579 const struct lws_jose_jwe_alg *a = lws_gencrypto_jws_alg_map; 580 581 while (a->alg) { 582 if (!strcmp(alg, a->alg)) { 583 *jose = a; 584 585 return 0; 586 } 587 a++; 588 } 589 590 return 1; 591} 592 593int 594lws_gencrypto_jwe_alg_to_definition(const char *alg, 595 const struct lws_jose_jwe_alg **jose) 596{ 597 const struct lws_jose_jwe_alg *a = lws_gencrypto_jwe_alg_map; 598 599 while (a->alg) { 600 if (!strcmp(alg, a->alg)) { 601 *jose = a; 602 603 return 0; 604 } 605 a++; 606 } 607 608 return 1; 609} 610 611int 612lws_gencrypto_jwe_enc_to_definition(const char *enc, 613 const struct lws_jose_jwe_alg **jose) 614{ 615 const struct lws_jose_jwe_alg *e = lws_gencrypto_jwe_enc_map; 616 617 while (e->alg) { 618 if (!strcmp(enc, e->alg)) { 619 *jose = e; 620 621 return 0; 622 } 623 e++; 624 } 625 626 return 1; 627} 628 629size_t 630lws_genhash_size(enum lws_genhash_types type) 631{ 632 switch(type) { 633 case LWS_GENHASH_TYPE_UNKNOWN: 634 return 0; 635 case LWS_GENHASH_TYPE_MD5: 636 return 16; 637 case LWS_GENHASH_TYPE_SHA1: 638 return 20; 639 case LWS_GENHASH_TYPE_SHA256: 640 return 32; 641 case LWS_GENHASH_TYPE_SHA384: 642 return 48; 643 case LWS_GENHASH_TYPE_SHA512: 644 return 64; 645 } 646 647 return 0; 648} 649 650size_t 651lws_genhmac_size(enum lws_genhmac_types type) 652{ 653 switch(type) { 654 case LWS_GENHMAC_TYPE_UNKNOWN: 655 return 0; 656 case LWS_GENHMAC_TYPE_SHA256: 657 return 32; 658 case LWS_GENHMAC_TYPE_SHA384: 659 return 48; 660 case LWS_GENHMAC_TYPE_SHA512: 661 return 64; 662 } 663 664 return 0; 665} 666 667int 668lws_gencrypto_bits_to_bytes(int bits) 669{ 670 if (bits & 7) 671 return (bits / 8) + 1; 672 673 return bits / 8; 674} 675 676int 677lws_base64_size(int bytes) 678{ 679 return ((bytes * 4) / 3) + 6; 680} 681 682void 683lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem *el, int m) 684{ 685 int n; 686 687 for (n = 0; n < m; n++) 688 if (el[n].buf) 689 lws_free_set_NULL(el[n].buf); 690} 691 692size_t lws_gencrypto_padded_length(size_t pad_block_size, size_t len) 693{ 694 return (len / pad_block_size + 1) * pad_block_size; 695} 696