| Line | Count | Source (jump to first uncovered line) | 
| 1 |  | /* | 
| 2 |  |  * Copyright (c) 2022 Yubico AB. All rights reserved. | 
| 3 |  |  * Use of this source code is governed by a BSD-style | 
| 4 |  |  * license that can be found in the LICENSE file. | 
| 5 |  |  * SPDX-License-Identifier: BSD-2-Clause | 
| 6 |  |  */ | 
| 7 |  |  | 
| 8 |  | #include <openssl/bn.h> | 
| 9 |  | #include <openssl/ecdsa.h> | 
| 10 |  | #include <openssl/obj_mac.h> | 
| 11 |  |  | 
| 12 |  | #include "fido.h" | 
| 13 |  | #include "fido/es384.h" | 
| 14 |  |  | 
| 15 |  | #if OPENSSL_VERSION_NUMBER >= 0x30000000 | 
| 16 | 55 | #define get0_EC_KEY(x)  EVP_PKEY_get0_EC_KEY((x)) | 
| 17 |  | #else | 
| 18 |  | #define get0_EC_KEY(x)  EVP_PKEY_get0((x)) | 
| 19 |  | #endif | 
| 20 |  |  | 
| 21 |  | static int | 
| 22 |  | decode_coord(const cbor_item_t *item, void *xy, size_t xy_len) | 
| 23 | 406 | { | 
| 24 | 406 |         if (cbor_isa_bytestring(item) == false || | 
| 25 | 406 |             cbor_bytestring_is_definite(item) == false || | 
| 26 | 406 |             cbor_bytestring_length(item) != xy_len) { | 
| 27 | 9 |                 fido_log_debug("%s: cbor type", __func__); | 
| 28 | 9 |                 return (-1); | 
| 29 | 9 |         } | 
| 30 |  |  | 
| 31 | 397 |         memcpy(xy, cbor_bytestring_handle(item), xy_len); | 
| 32 |  |  | 
| 33 | 397 |         return (0); | 
| 34 | 406 | } | 
| 35 |  |  | 
| 36 |  | static int | 
| 37 |  | decode_pubkey_point(const cbor_item_t *key, const cbor_item_t *val, void *arg) | 
| 38 | 1.13k | { | 
| 39 | 1.13k |         es384_pk_t *k = arg; | 
| 40 |  |  | 
| 41 | 1.13k |         if (cbor_isa_negint(key) == false || | 
| 42 | 1.13k |             cbor_int_get_width(key) != CBOR_INT_8) | 
| 43 | 473 |                 return (0); /* ignore */ | 
| 44 |  |  | 
| 45 | 658 |         switch (cbor_get_uint8(key)) { | 
| 46 | 210 |         case 1: /* x coordinate */ | 
| 47 | 210 |                 return (decode_coord(val, &k->x, sizeof(k->x))); | 
| 48 | 196 |         case 2: /* y coordinate */ | 
| 49 | 196 |                 return (decode_coord(val, &k->y, sizeof(k->y))); | 
| 50 | 658 |         } | 
| 51 |  |  | 
| 52 | 252 |         return (0); /* ignore */ | 
| 53 | 658 | } | 
| 54 |  |  | 
| 55 |  | int | 
| 56 |  | es384_pk_decode(const cbor_item_t *item, es384_pk_t *k) | 
| 57 | 233 | { | 
| 58 | 233 |         if (cbor_isa_map(item) == false || | 
| 59 | 233 |             cbor_map_is_definite(item) == false || | 
| 60 | 233 |             cbor_map_iter(item, k, decode_pubkey_point) < 0) { | 
| 61 | 14 |                 fido_log_debug("%s: cbor type", __func__); | 
| 62 | 14 |                 return (-1); | 
| 63 | 14 |         } | 
| 64 |  |  | 
| 65 | 219 |         return (0); | 
| 66 | 233 | } | 
| 67 |  |  | 
| 68 |  | es384_pk_t * | 
| 69 |  | es384_pk_new(void) | 
| 70 | 791 | { | 
| 71 | 791 |         return (calloc(1, sizeof(es384_pk_t))); | 
| 72 | 791 | } | 
| 73 |  |  | 
| 74 |  | void | 
| 75 |  | es384_pk_free(es384_pk_t **pkp) | 
| 76 | 3.98k | { | 
| 77 | 3.98k |         es384_pk_t *pk; | 
| 78 |  |  | 
| 79 | 3.98k |         if (pkp == NULL || (pk = *pkp) == NULL) | 
| 80 | 3.28k |                 return; | 
| 81 |  |  | 
| 82 | 699 |         freezero(pk, sizeof(*pk)); | 
| 83 | 699 |         *pkp = NULL; | 
| 84 | 699 | } | 
| 85 |  |  | 
| 86 |  | int | 
| 87 |  | es384_pk_from_ptr(es384_pk_t *pk, const void *ptr, size_t len) | 
| 88 | 644 | { | 
| 89 | 644 |         const uint8_t   *p = ptr; | 
| 90 | 644 |         EVP_PKEY        *pkey; | 
| 91 |  |  | 
| 92 | 644 |         if (len < sizeof(*pk)) | 
| 93 | 301 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 94 |  |  | 
| 95 | 343 |         if (len == sizeof(*pk) + 1 && *p == 0x04) | 
| 96 | 2 |                 memcpy(pk, ++p, sizeof(*pk)); /* uncompressed format */ | 
| 97 | 341 |         else | 
| 98 | 341 |                 memcpy(pk, ptr, sizeof(*pk)); /* libfido2 x||y format */ | 
| 99 |  |  | 
| 100 | 343 |         if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL) { | 
| 101 | 172 |                 fido_log_debug("%s: es384_pk_to_EVP_PKEY", __func__); | 
| 102 | 172 |                 explicit_bzero(pk, sizeof(*pk)); | 
| 103 | 172 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 104 | 172 |         } | 
| 105 |  |  | 
| 106 | 171 |         EVP_PKEY_free(pkey); | 
| 107 |  |  | 
| 108 | 171 |         return (FIDO_OK); | 
| 109 | 343 | } | 
| 110 |  |  | 
| 111 |  | EVP_PKEY * | 
| 112 |  | es384_pk_to_EVP_PKEY(const es384_pk_t *k) | 
| 113 | 1.52k | { | 
| 114 | 1.52k |         BN_CTX          *bnctx = NULL; | 
| 115 | 1.52k |         EC_KEY          *ec = NULL; | 
| 116 | 1.52k |         EC_POINT        *q = NULL; | 
| 117 | 1.52k |         EVP_PKEY        *pkey = NULL; | 
| 118 | 1.52k |         BIGNUM          *x = NULL; | 
| 119 | 1.52k |         BIGNUM          *y = NULL; | 
| 120 | 1.52k |         const EC_GROUP  *g = NULL; | 
| 121 | 1.52k |         int              ok = -1; | 
| 122 |  |  | 
| 123 | 1.52k |         if ((bnctx = BN_CTX_new()) == NULL) | 
| 124 | 11 |                 goto fail; | 
| 125 |  |  | 
| 126 | 1.51k |         BN_CTX_start(bnctx); | 
| 127 |  |  | 
| 128 | 1.51k |         if ((x = BN_CTX_get(bnctx)) == NULL || | 
| 129 | 1.51k |             (y = BN_CTX_get(bnctx)) == NULL) | 
| 130 | 35 |                 goto fail; | 
| 131 |  |  | 
| 132 | 1.48k |         if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL || | 
| 133 | 1.48k |             BN_bin2bn(k->y, sizeof(k->y), y) == NULL) { | 
| 134 | 43 |                 fido_log_debug("%s: BN_bin2bn", __func__); | 
| 135 | 43 |                 goto fail; | 
| 136 | 43 |         } | 
| 137 |  |  | 
| 138 | 1.43k |         if ((ec = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL || | 
| 139 | 1.43k |             (g = EC_KEY_get0_group(ec)) == NULL) { | 
| 140 | 19 |                 fido_log_debug("%s: EC_KEY init", __func__); | 
| 141 | 19 |                 goto fail; | 
| 142 | 19 |         } | 
| 143 |  |  | 
| 144 | 1.42k |         if ((q = EC_POINT_new(g)) == NULL || | 
| 145 | 1.42k |             EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 || | 
| 146 | 1.42k |             EC_KEY_set_public_key(ec, q) == 0) { | 
| 147 | 631 |                 fido_log_debug("%s: EC_KEY_set_public_key", __func__); | 
| 148 | 631 |                 goto fail; | 
| 149 | 631 |         } | 
| 150 |  |  | 
| 151 | 789 |         if ((pkey = EVP_PKEY_new()) == NULL || | 
| 152 | 789 |             EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) { | 
| 153 | 6 |                 fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__); | 
| 154 | 6 |                 goto fail; | 
| 155 | 6 |         } | 
| 156 |  |  | 
| 157 | 783 |         ec = NULL; /* at this point, ec belongs to evp */ | 
| 158 |  |  | 
| 159 | 783 |         ok = 0; | 
| 160 | 1.52k | fail: | 
| 161 | 1.52k |         if (bnctx != NULL) { | 
| 162 | 1.51k |                 BN_CTX_end(bnctx); | 
| 163 | 1.51k |                 BN_CTX_free(bnctx); | 
| 164 | 1.51k |         } | 
| 165 |  |  | 
| 166 | 1.52k |         if (ec != NULL) | 
| 167 | 645 |                 EC_KEY_free(ec); | 
| 168 | 1.52k |         if (q != NULL) | 
| 169 | 1.41k |                 EC_POINT_free(q); | 
| 170 |  |  | 
| 171 | 1.52k |         if (ok < 0 && pkey != NULL) { | 
| 172 | 2 |                 EVP_PKEY_free(pkey); | 
| 173 | 2 |                 pkey = NULL; | 
| 174 | 2 |         } | 
| 175 |  |  | 
| 176 | 1.52k |         return (pkey); | 
| 177 | 783 | } | 
| 178 |  |  | 
| 179 |  | int | 
| 180 |  | es384_pk_from_EC_KEY(es384_pk_t *pk, const EC_KEY *ec) | 
| 181 | 53 | { | 
| 182 | 53 |         BN_CTX          *bnctx = NULL; | 
| 183 | 53 |         BIGNUM          *x = NULL; | 
| 184 | 53 |         BIGNUM          *y = NULL; | 
| 185 | 53 |         const EC_POINT  *q = NULL; | 
| 186 | 53 |         EC_GROUP        *g = NULL; | 
| 187 | 53 |         size_t           dx; | 
| 188 | 53 |         size_t           dy; | 
| 189 | 53 |         int              ok = FIDO_ERR_INTERNAL; | 
| 190 | 53 |         int              nx; | 
| 191 | 53 |         int              ny; | 
| 192 |  |  | 
| 193 | 53 |         if ((q = EC_KEY_get0_public_key(ec)) == NULL || | 
| 194 | 53 |             (g = EC_GROUP_new_by_curve_name(NID_secp384r1)) == NULL || | 
| 195 | 53 |             (bnctx = BN_CTX_new()) == NULL) | 
| 196 | 2 |                 goto fail; | 
| 197 |  |  | 
| 198 | 51 |         BN_CTX_start(bnctx); | 
| 199 |  |  | 
| 200 | 51 |         if ((x = BN_CTX_get(bnctx)) == NULL || | 
| 201 | 51 |             (y = BN_CTX_get(bnctx)) == NULL) | 
| 202 | 3 |                 goto fail; | 
| 203 |  |  | 
| 204 | 48 |         if (EC_POINT_is_on_curve(g, q, bnctx) != 1) { | 
| 205 | 0 |                 fido_log_debug("%s: EC_POINT_is_on_curve", __func__); | 
| 206 | 0 |                 ok = FIDO_ERR_INVALID_ARGUMENT; | 
| 207 | 0 |                 goto fail; | 
| 208 | 0 |         } | 
| 209 |  |  | 
| 210 | 48 |         if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 || | 
| 211 | 48 |             (nx = BN_num_bytes(x)) < 0 || (size_t)nx > sizeof(pk->x) || | 
| 212 | 48 |             (ny = BN_num_bytes(y)) < 0 || (size_t)ny > sizeof(pk->y)) { | 
| 213 | 1 |                 fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp", | 
| 214 | 1 |                     __func__); | 
| 215 | 1 |                 goto fail; | 
| 216 | 1 |         } | 
| 217 |  |  | 
| 218 | 47 |         dx = sizeof(pk->x) - (size_t)nx; | 
| 219 | 47 |         dy = sizeof(pk->y) - (size_t)ny; | 
| 220 |  |  | 
| 221 | 47 |         if ((nx = BN_bn2bin(x, pk->x + dx)) < 0 || (size_t)nx > sizeof(pk->x) || | 
| 222 | 47 |             (ny = BN_bn2bin(y, pk->y + dy)) < 0 || (size_t)ny > sizeof(pk->y)) { | 
| 223 | 2 |                 fido_log_debug("%s: BN_bn2bin", __func__); | 
| 224 | 2 |                 goto fail; | 
| 225 | 2 |         } | 
| 226 |  |  | 
| 227 | 45 |         ok = FIDO_OK; | 
| 228 | 53 | fail: | 
| 229 | 53 |         EC_GROUP_free(g); | 
| 230 |  |  | 
| 231 | 53 |         if (bnctx != NULL) { | 
| 232 | 51 |                 BN_CTX_end(bnctx); | 
| 233 | 51 |                 BN_CTX_free(bnctx); | 
| 234 | 51 |         } | 
| 235 |  |  | 
| 236 | 53 |         return (ok); | 
| 237 | 45 | } | 
| 238 |  |  | 
| 239 |  | int | 
| 240 |  | es384_pk_from_EVP_PKEY(es384_pk_t *pk, const EVP_PKEY *pkey) | 
| 241 | 55 | { | 
| 242 | 55 |         const EC_KEY *ec; | 
| 243 |  |  | 
| 244 | 55 |         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC || | 
| 245 | 55 |             (ec = get0_EC_KEY(pkey)) == NULL) | 
| 246 | 2 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 247 |  |  | 
| 248 | 53 |         return (es384_pk_from_EC_KEY(pk, ec)); | 
| 249 | 55 | } | 
| 250 |  |  | 
| 251 |  | int | 
| 252 |  | es384_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey, | 
| 253 |  |     const fido_blob_t *sig) | 
| 254 | 470 | { | 
| 255 | 470 |         EVP_PKEY_CTX    *pctx = NULL; | 
| 256 | 470 |         int              ok = -1; | 
| 257 |  |  | 
| 258 | 470 |         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { | 
| 259 | 0 |                 fido_log_debug("%s: EVP_PKEY_base_id", __func__); | 
| 260 | 0 |                 goto fail; | 
| 261 | 0 |         } | 
| 262 |  |  | 
| 263 | 470 |         if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL || | 
| 264 | 470 |             EVP_PKEY_verify_init(pctx) != 1 || | 
| 265 | 470 |             EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr, | 
| 266 | 470 |             dgst->len) != 1) { | 
| 267 | 470 |                 fido_log_debug("%s: EVP_PKEY_verify", __func__); | 
| 268 | 470 |                 goto fail; | 
| 269 | 470 |         } | 
| 270 |  |  | 
| 271 | 0 |         ok = 0; | 
| 272 | 470 | fail: | 
| 273 | 470 |         EVP_PKEY_CTX_free(pctx); | 
| 274 |  |  | 
| 275 | 470 |         return (ok); | 
| 276 | 0 | } | 
| 277 |  |  | 
| 278 |  | int | 
| 279 |  | es384_pk_verify_sig(const fido_blob_t *dgst, const es384_pk_t *pk, | 
| 280 |  |     const fido_blob_t *sig) | 
| 281 | 541 | { | 
| 282 | 541 |         EVP_PKEY        *pkey; | 
| 283 | 541 |         int              ok = -1; | 
| 284 |  |  | 
| 285 | 541 |         if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL || | 
| 286 | 541 |             es384_verify_sig(dgst, pkey, sig) < 0) { | 
| 287 | 541 |                 fido_log_debug("%s: es384_verify_sig", __func__); | 
| 288 | 541 |                 goto fail; | 
| 289 | 541 |         } | 
| 290 |  |  | 
| 291 | 0 |         ok = 0; | 
| 292 | 541 | fail: | 
| 293 | 541 |         EVP_PKEY_free(pkey); | 
| 294 |  |  | 
| 295 | 541 |         return (ok); | 
| 296 | 0 | } |