| Line | Count | Source (jump to first uncovered line) | 
| 1 |  | /* | 
| 2 |  |  * Copyright (c) 2021 Yubico AB. All rights reserved. | 
| 3 |  |  * Use of this source code is governed by a BSD-style | 
| 4 |  |  * license that can be found in the LICENSE file. | 
| 5 |  |  * SPDX-License-Identifier: BSD-2-Clause | 
| 6 |  |  */ | 
| 7 |  |  | 
| 8 |  | #include "fido.h" | 
| 9 |  |  | 
| 10 |  | static int | 
| 11 |  | aes256_cbc(const fido_blob_t *key, const u_char *iv, const fido_blob_t *in, | 
| 12 |  |     fido_blob_t *out, int encrypt) | 
| 13 | 7.71k | { | 
| 14 | 7.71k |         EVP_CIPHER_CTX *ctx = NULL; | 
| 15 | 7.71k |         const EVP_CIPHER *cipher; | 
| 16 | 7.71k |         int ok = -1; | 
| 17 |  |  | 
| 18 | 7.71k |         memset(out, 0, sizeof(*out)); | 
| 19 |  |  | 
| 20 | 7.71k |         if (key->len != 32) { | 
| 21 | 0 |                 fido_log_debug("%s: invalid key len %zu", __func__, key->len); | 
| 22 | 0 |                 goto fail; | 
| 23 | 0 |         } | 
| 24 | 7.71k |         if (in->len > UINT_MAX || in->len % 16 || in->len == 0) { | 
| 25 | 145 |                 fido_log_debug("%s: invalid input len %zu", __func__, in->len); | 
| 26 | 145 |                 goto fail; | 
| 27 | 145 |         } | 
| 28 | 7.56k |         out->len = in->len; | 
| 29 | 7.56k |         if ((out->ptr = calloc(1, out->len)) == NULL) { | 
| 30 | 23 |                 fido_log_debug("%s: calloc", __func__); | 
| 31 | 23 |                 goto fail; | 
| 32 | 23 |         } | 
| 33 | 7.54k |         if ((ctx = EVP_CIPHER_CTX_new()) == NULL || | 
| 34 | 7.54k |             (cipher = EVP_aes_256_cbc()) == NULL) { | 
| 35 | 51 |                 fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__); | 
| 36 | 51 |                 goto fail; | 
| 37 | 51 |         } | 
| 38 | 7.49k |         if (EVP_CipherInit(ctx, cipher, key->ptr, iv, encrypt) == 0 || | 
| 39 | 7.49k |             EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)out->len) < 0) { | 
| 40 | 62 |                 fido_log_debug("%s: EVP_Cipher", __func__); | 
| 41 | 62 |                 goto fail; | 
| 42 | 62 |         } | 
| 43 |  |  | 
| 44 | 7.43k |         ok = 0; | 
| 45 | 7.71k | fail: | 
| 46 | 7.71k |         if (ctx != NULL) | 
| 47 | 7.52k |                 EVP_CIPHER_CTX_free(ctx); | 
| 48 | 7.71k |         if (ok < 0) | 
| 49 | 281 |                 fido_blob_reset(out); | 
| 50 |  |  | 
| 51 | 7.71k |         return ok; | 
| 52 | 7.43k | } | 
| 53 |  |  | 
| 54 |  | static int | 
| 55 |  | aes256_cbc_proto1(const fido_blob_t *key, const fido_blob_t *in, | 
| 56 |  |     fido_blob_t *out, int encrypt) | 
| 57 | 7.02k | { | 
| 58 | 7.02k |         u_char iv[16]; | 
| 59 |  |  | 
| 60 | 7.02k |         memset(&iv, 0, sizeof(iv)); | 
| 61 |  |  | 
| 62 | 7.02k |         return aes256_cbc(key, iv, in, out, encrypt); | 
| 63 | 7.02k | } | 
| 64 |  |  | 
| 65 |  | static int | 
| 66 |  | aes256_cbc_fips(const fido_blob_t *secret, const fido_blob_t *in, | 
| 67 |  |     fido_blob_t *out, int encrypt) | 
| 68 | 745 | { | 
| 69 | 745 |         fido_blob_t key, cin, cout; | 
| 70 | 745 |         u_char iv[16]; | 
| 71 |  |  | 
| 72 | 745 |         memset(out, 0, sizeof(*out)); | 
| 73 |  |  | 
| 74 | 745 |         if (secret->len != 64) { | 
| 75 | 0 |                 fido_log_debug("%s: invalid secret len %zu", __func__, | 
| 76 | 0 |                     secret->len); | 
| 77 | 0 |                 return -1; | 
| 78 | 0 |         } | 
| 79 | 745 |         if (in->len < sizeof(iv)) { | 
| 80 | 47 |                 fido_log_debug("%s: invalid input len %zu", __func__, in->len); | 
| 81 | 47 |                 return -1; | 
| 82 | 47 |         } | 
| 83 | 698 |         if (encrypt) { | 
| 84 | 601 |                 if (fido_get_random(iv, sizeof(iv)) < 0) { | 
| 85 | 15 |                         fido_log_debug("%s: fido_get_random", __func__); | 
| 86 | 15 |                         return -1; | 
| 87 | 15 |                 } | 
| 88 | 586 |                 cin = *in; | 
| 89 | 586 |         } else { | 
| 90 | 97 |                 memcpy(iv, in->ptr, sizeof(iv)); | 
| 91 | 97 |                 cin.ptr = in->ptr + sizeof(iv); | 
| 92 | 97 |                 cin.len = in->len - sizeof(iv); | 
| 93 | 97 |         } | 
| 94 | 683 |         key.ptr = secret->ptr + 32; | 
| 95 | 683 |         key.len = secret->len - 32; | 
| 96 | 683 |         if (aes256_cbc(&key, iv, &cin, &cout, encrypt) < 0) | 
| 97 | 95 |                 return -1; | 
| 98 | 588 |         if (encrypt) { | 
| 99 | 550 |                 if (cout.len > SIZE_MAX - sizeof(iv) || | 
| 100 | 550 |                     (out->ptr = calloc(1, sizeof(iv) + cout.len)) == NULL) { | 
| 101 | 13 |                         fido_blob_reset(&cout); | 
| 102 | 13 |                         return -1; | 
| 103 | 13 |                 } | 
| 104 | 537 |                 out->len = sizeof(iv) + cout.len; | 
| 105 | 537 |                 memcpy(out->ptr, iv, sizeof(iv)); | 
| 106 | 537 |                 memcpy(out->ptr + sizeof(iv), cout.ptr, cout.len); | 
| 107 | 537 |                 fido_blob_reset(&cout); | 
| 108 | 537 |         } else | 
| 109 | 38 |                 *out = cout; | 
| 110 |  |  | 
| 111 | 575 |         return 0; | 
| 112 | 588 | } | 
| 113 |  |  | 
| 114 |  | static int | 
| 115 |  | aes256_gcm(const fido_blob_t *key, const fido_blob_t *nonce, | 
| 116 |  |     const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out, | 
| 117 |  |     int encrypt) | 
| 118 | 2.40k | { | 
| 119 | 2.40k |         EVP_CIPHER_CTX *ctx = NULL; | 
| 120 | 2.40k |         const EVP_CIPHER *cipher; | 
| 121 | 2.40k |         size_t textlen; | 
| 122 | 2.40k |         int ok = -1; | 
| 123 |  |  | 
| 124 | 2.40k |         memset(out, 0, sizeof(*out)); | 
| 125 |  |  | 
| 126 | 2.40k |         if (nonce->len != 12 || key->len != 32 || aad->len > UINT_MAX) { | 
| 127 | 0 |                 fido_log_debug("%s: invalid params %zu, %zu, %zu", __func__, | 
| 128 | 0 |                     nonce->len, key->len, aad->len); | 
| 129 | 0 |                 goto fail; | 
| 130 | 0 |         } | 
| 131 | 2.40k |         if (in->len > UINT_MAX || in->len > SIZE_MAX - 16 || in->len < 16) { | 
| 132 | 340 |                 fido_log_debug("%s: invalid input len %zu", __func__, in->len); | 
| 133 | 340 |                 goto fail; | 
| 134 | 340 |         } | 
| 135 |  |         /* add tag to (on encrypt) or trim tag from the output (on decrypt) */ | 
| 136 | 2.06k |         out->len = encrypt ? in->len + 16 : in->len - 16; | 
| 137 | 2.06k |         if ((out->ptr = calloc(1, out->len)) == NULL) { | 
| 138 | 12 |                 fido_log_debug("%s: calloc", __func__); | 
| 139 | 12 |                 goto fail; | 
| 140 | 12 |         } | 
| 141 | 2.04k |         if ((ctx = EVP_CIPHER_CTX_new()) == NULL || | 
| 142 | 2.04k |             (cipher = EVP_aes_256_gcm()) == NULL) { | 
| 143 | 18 |                 fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__); | 
| 144 | 18 |                 goto fail; | 
| 145 | 18 |         } | 
| 146 | 2.03k |         if (EVP_CipherInit(ctx, cipher, key->ptr, nonce->ptr, encrypt) == 0) { | 
| 147 | 7 |                 fido_log_debug("%s: EVP_CipherInit", __func__); | 
| 148 | 7 |                 goto fail; | 
| 149 | 7 |         } | 
| 150 |  |  | 
| 151 | 2.02k |         if (encrypt) | 
| 152 | 1.25k |                 textlen = in->len; | 
| 153 | 769 |         else { | 
| 154 | 769 |                 textlen = in->len - 16; | 
| 155 |  |                 /* point openssl at the mac tag */ | 
| 156 | 769 |                 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, | 
| 157 | 769 |                     in->ptr + in->len - 16) == 0) { | 
| 158 | 8 |                         fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__); | 
| 159 | 8 |                         goto fail; | 
| 160 | 8 |                 } | 
| 161 | 769 |         } | 
| 162 |  |         /* the last EVP_Cipher() will either compute or verify the mac tag */ | 
| 163 | 2.01k |         if (EVP_Cipher(ctx, NULL, aad->ptr, (u_int)aad->len) < 0 || | 
| 164 | 2.01k |             EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)textlen) < 0 || | 
| 165 | 2.01k |             EVP_Cipher(ctx, NULL, NULL, 0) < 0) { | 
| 166 | 321 |                 fido_log_debug("%s: EVP_Cipher", __func__); | 
| 167 | 321 |                 goto fail; | 
| 168 | 321 |         } | 
| 169 | 1.69k |         if (encrypt) { | 
| 170 |  |                 /* append the mac tag */ | 
| 171 | 1.24k |                 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, | 
| 172 | 1.24k |                     out->ptr + out->len - 16) == 0) { | 
| 173 | 1 |                         fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__); | 
| 174 | 1 |                         goto fail; | 
| 175 | 1 |                 } | 
| 176 | 1.24k |         } | 
| 177 |  |  | 
| 178 | 1.69k |         ok = 0; | 
| 179 | 2.40k | fail: | 
| 180 | 2.40k |         if (ctx != NULL) | 
| 181 | 2.04k |                 EVP_CIPHER_CTX_free(ctx); | 
| 182 | 2.40k |         if (ok < 0) | 
| 183 | 707 |                 fido_blob_reset(out); | 
| 184 |  |  | 
| 185 | 2.40k |         return ok; | 
| 186 | 1.69k | } | 
| 187 |  |  | 
| 188 |  | int | 
| 189 |  | aes256_cbc_enc(const fido_dev_t *dev, const fido_blob_t *secret, | 
| 190 |  |     const fido_blob_t *in, fido_blob_t *out) | 
| 191 | 4.54k | { | 
| 192 | 4.54k |         return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret, | 
| 193 | 3.94k |             in, out, 1) : aes256_cbc_proto1(secret, in, out, 1); | 
| 194 | 4.54k | } | 
| 195 |  |  | 
| 196 |  | int | 
| 197 |  | aes256_cbc_dec(const fido_dev_t *dev, const fido_blob_t *secret, | 
| 198 |  |     const fido_blob_t *in, fido_blob_t *out) | 
| 199 | 3.22k | { | 
| 200 | 3.22k |         return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret, | 
| 201 | 3.08k |             in, out, 0) : aes256_cbc_proto1(secret, in, out, 0); | 
| 202 | 3.22k | } | 
| 203 |  |  | 
| 204 |  | int | 
| 205 |  | aes256_gcm_enc(const fido_blob_t *key, const fido_blob_t *nonce, | 
| 206 |  |     const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out) | 
| 207 | 1.60k | { | 
| 208 | 1.60k |         return aes256_gcm(key, nonce, aad, in, out, 1); | 
| 209 | 1.60k | } | 
| 210 |  |  | 
| 211 |  | int | 
| 212 |  | aes256_gcm_dec(const fido_blob_t *key, const fido_blob_t *nonce, | 
| 213 |  |     const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out) | 
| 214 | 792 | { | 
| 215 | 792 |         return aes256_gcm(key, nonce, aad, in, out, 0); | 
| 216 | 792 | } |