| Line | Count | Source | 
| 1 |  | /* | 
| 2 |  |  * Copyright (c) 2022 Yubico AB. All rights reserved. | 
| 3 |  |  * Use of this source code is governed by a BSD-style | 
| 4 |  |  * license that can be found in the LICENSE file. | 
| 5 |  |  * SPDX-License-Identifier: BSD-2-Clause | 
| 6 |  |  */ | 
| 7 |  |  | 
| 8 |  | #include <openssl/bn.h> | 
| 9 |  | #include <openssl/ecdsa.h> | 
| 10 |  | #include <openssl/obj_mac.h> | 
| 11 |  |  | 
| 12 |  | #include "fido.h" | 
| 13 |  | #include "fido/es384.h" | 
| 14 |  |  | 
| 15 |  | #if OPENSSL_VERSION_NUMBER >= 0x30000000 | 
| 16 | 190 | #define get0_EC_KEY(x)  EVP_PKEY_get0_EC_KEY((x)) | 
| 17 |  | #else | 
| 18 |  | #define get0_EC_KEY(x)  EVP_PKEY_get0((x)) | 
| 19 |  | #endif | 
| 20 |  |  | 
| 21 |  | static int | 
| 22 |  | decode_coord(const cbor_item_t *item, void *xy, size_t xy_len) | 
| 23 | 1.36k | { | 
| 24 | 1.36k |         if (cbor_isa_bytestring(item) == false || | 
| 25 | 1.36k |             cbor_bytestring_is_definite(item) == false || | 
| 26 | 1.36k |             cbor_bytestring_length(item) != xy_len) { | 
| 27 | 32 |                 fido_log_debug("%s: cbor type", __func__); | 
| 28 | 32 |                 return (-1); | 
| 29 | 32 |         } | 
| 30 |  |  | 
| 31 | 1.33k |         memcpy(xy, cbor_bytestring_handle(item), xy_len); | 
| 32 |  |  | 
| 33 | 1.33k |         return (0); | 
| 34 | 1.36k | } | 
| 35 |  |  | 
| 36 |  | static int | 
| 37 |  | decode_pubkey_point(const cbor_item_t *key, const cbor_item_t *val, void *arg) | 
| 38 | 3.79k | { | 
| 39 | 3.79k |         es384_pk_t *k = arg; | 
| 40 |  |  | 
| 41 | 3.79k |         if (cbor_isa_negint(key) == false || | 
| 42 | 3.79k |             cbor_int_get_width(key) != CBOR_INT_8) | 
| 43 | 1.61k |                 return (0); /* ignore */ | 
| 44 |  |  | 
| 45 | 2.18k |         switch (cbor_get_uint8(key)) { | 
| 46 | 711 |         case 1: /* x coordinate */ | 
| 47 | 711 |                 return (decode_coord(val, &k->x, sizeof(k->x))); | 
| 48 | 657 |         case 2: /* y coordinate */ | 
| 49 | 657 |                 return (decode_coord(val, &k->y, sizeof(k->y))); | 
| 50 | 2.18k |         } | 
| 51 |  |  | 
| 52 | 816 |         return (0); /* ignore */ | 
| 53 | 2.18k | } | 
| 54 |  |  | 
| 55 |  | int | 
| 56 |  | es384_pk_decode(const cbor_item_t *item, es384_pk_t *k) | 
| 57 | 770 | { | 
| 58 | 770 |         if (cbor_isa_map(item) == false || | 
| 59 | 770 |             cbor_map_is_definite(item) == false || | 
| 60 | 770 |             cbor_map_iter(item, k, decode_pubkey_point) < 0) { | 
| 61 | 39 |                 fido_log_debug("%s: cbor type", __func__); | 
| 62 | 39 |                 return (-1); | 
| 63 | 39 |         } | 
| 64 |  |  | 
| 65 | 731 |         return (0); | 
| 66 | 770 | } | 
| 67 |  |  | 
| 68 |  | es384_pk_t * | 
| 69 |  | es384_pk_new(void) | 
| 70 | 2.30k | { | 
| 71 | 2.30k |         return (calloc(1, sizeof(es384_pk_t))); | 
| 72 | 2.30k | } | 
| 73 |  |  | 
| 74 |  | void | 
| 75 |  | es384_pk_free(es384_pk_t **pkp) | 
| 76 | 12.9k | { | 
| 77 | 12.9k |         es384_pk_t *pk; | 
| 78 |  |  | 
| 79 | 12.9k |         if (pkp == NULL || (pk = *pkp) == NULL) | 
| 80 | 10.9k |                 return; | 
| 81 |  |  | 
| 82 | 2.01k |         freezero(pk, sizeof(*pk)); | 
| 83 | 2.01k |         *pkp = NULL; | 
| 84 | 2.01k | } | 
| 85 |  |  | 
| 86 |  | int | 
| 87 |  | es384_pk_from_ptr(es384_pk_t *pk, const void *ptr, size_t len) | 
| 88 | 1.82k | { | 
| 89 | 1.82k |         const uint8_t   *p = ptr; | 
| 90 | 1.82k |         EVP_PKEY        *pkey; | 
| 91 |  |  | 
| 92 | 1.82k |         if (len < sizeof(*pk)) | 
| 93 | 899 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 94 |  |  | 
| 95 | 926 |         if (len == sizeof(*pk) + 1 && *p == 0x04) | 
| 96 | 7 |                 memcpy(pk, ++p, sizeof(*pk)); /* uncompressed format */ | 
| 97 | 919 |         else | 
| 98 | 919 |                 memcpy(pk, ptr, sizeof(*pk)); /* libfido2 x||y format */ | 
| 99 |  |  | 
| 100 | 926 |         if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL) { | 
| 101 | 390 |                 fido_log_debug("%s: es384_pk_to_EVP_PKEY", __func__); | 
| 102 | 390 |                 explicit_bzero(pk, sizeof(*pk)); | 
| 103 | 390 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 104 | 390 |         } | 
| 105 |  |  | 
| 106 | 536 |         EVP_PKEY_free(pkey); | 
| 107 |  |  | 
| 108 | 536 |         return (FIDO_OK); | 
| 109 | 926 | } | 
| 110 |  |  | 
| 111 |  | EVP_PKEY * | 
| 112 |  | es384_pk_to_EVP_PKEY(const es384_pk_t *k) | 
| 113 | 4.52k | { | 
| 114 | 4.52k |         BN_CTX          *bnctx = NULL; | 
| 115 | 4.52k |         EC_KEY          *ec = NULL; | 
| 116 | 4.52k |         EC_POINT        *q = NULL; | 
| 117 | 4.52k |         EVP_PKEY        *pkey = NULL; | 
| 118 | 4.52k |         BIGNUM          *x = NULL; | 
| 119 | 4.52k |         BIGNUM          *y = NULL; | 
| 120 | 4.52k |         const EC_GROUP  *g = NULL; | 
| 121 | 4.52k |         int              ok = -1; | 
| 122 |  |  | 
| 123 | 4.52k |         if ((bnctx = BN_CTX_new()) == NULL) | 
| 124 | 34 |                 goto fail; | 
| 125 |  |  | 
| 126 | 4.49k |         BN_CTX_start(bnctx); | 
| 127 |  |  | 
| 128 | 4.49k |         if ((x = BN_CTX_get(bnctx)) == NULL || | 
| 129 | 4.49k |             (y = BN_CTX_get(bnctx)) == NULL) | 
| 130 | 110 |                 goto fail; | 
| 131 |  |  | 
| 132 | 4.38k |         if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL || | 
| 133 | 4.38k |             BN_bin2bn(k->y, sizeof(k->y), y) == NULL) { | 
| 134 | 188 |                 fido_log_debug("%s: BN_bin2bn", __func__); | 
| 135 | 188 |                 goto fail; | 
| 136 | 188 |         } | 
| 137 |  |  | 
| 138 | 4.19k |         if ((ec = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL || | 
| 139 | 4.19k |             (g = EC_KEY_get0_group(ec)) == NULL) { | 
| 140 | 83 |                 fido_log_debug("%s: EC_KEY init", __func__); | 
| 141 | 83 |                 goto fail; | 
| 142 | 83 |         } | 
| 143 |  |  | 
| 144 | 4.11k |         if ((q = EC_POINT_new(g)) == NULL || | 
| 145 | 4.11k |             EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 || | 
| 146 | 4.11k |             EC_KEY_set_public_key(ec, q) == 0) { | 
| 147 | 1.62k |                 fido_log_debug("%s: EC_KEY_set_public_key", __func__); | 
| 148 | 1.62k |                 goto fail; | 
| 149 | 1.62k |         } | 
| 150 |  |  | 
| 151 | 2.49k |         if ((pkey = EVP_PKEY_new()) == NULL || | 
| 152 | 2.49k |             EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) { | 
| 153 | 36 |                 fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__); | 
| 154 | 36 |                 goto fail; | 
| 155 | 36 |         } | 
| 156 |  |  | 
| 157 | 2.45k |         ec = NULL; /* at this point, ec belongs to evp */ | 
| 158 |  |  | 
| 159 | 2.45k |         ok = 0; | 
| 160 | 4.52k | fail: | 
| 161 | 4.52k |         if (bnctx != NULL) { | 
| 162 | 4.49k |                 BN_CTX_end(bnctx); | 
| 163 | 4.49k |                 BN_CTX_free(bnctx); | 
| 164 | 4.49k |         } | 
| 165 |  |  | 
| 166 | 4.52k |         if (ec != NULL) | 
| 167 | 1.68k |                 EC_KEY_free(ec); | 
| 168 | 4.52k |         if (q != NULL) | 
| 169 | 4.09k |                 EC_POINT_free(q); | 
| 170 |  |  | 
| 171 | 4.52k |         if (ok < 0 && pkey != NULL) { | 
| 172 | 14 |                 EVP_PKEY_free(pkey); | 
| 173 | 14 |                 pkey = NULL; | 
| 174 | 14 |         } | 
| 175 |  |  | 
| 176 | 4.52k |         return (pkey); | 
| 177 | 2.45k | } | 
| 178 |  |  | 
| 179 |  | int | 
| 180 |  | es384_pk_from_EC_KEY(es384_pk_t *pk, const EC_KEY *ec) | 
| 181 | 173 | { | 
| 182 | 173 |         BN_CTX          *bnctx = NULL; | 
| 183 | 173 |         BIGNUM          *x = NULL; | 
| 184 | 173 |         BIGNUM          *y = NULL; | 
| 185 | 173 |         const EC_POINT  *q = NULL; | 
| 186 | 173 |         EC_GROUP        *g = NULL; | 
| 187 | 173 |         size_t           dx; | 
| 188 | 173 |         size_t           dy; | 
| 189 | 173 |         int              ok = FIDO_ERR_INTERNAL; | 
| 190 | 173 |         int              nx; | 
| 191 | 173 |         int              ny; | 
| 192 |  |  | 
| 193 | 173 |         if ((q = EC_KEY_get0_public_key(ec)) == NULL || | 
| 194 | 173 |             (g = EC_GROUP_new_by_curve_name(NID_secp384r1)) == NULL || | 
| 195 | 173 |             (bnctx = BN_CTX_new()) == NULL) | 
| 196 | 7 |                 goto fail; | 
| 197 |  |  | 
| 198 | 166 |         BN_CTX_start(bnctx); | 
| 199 |  |  | 
| 200 | 166 |         if ((x = BN_CTX_get(bnctx)) == NULL || | 
| 201 | 166 |             (y = BN_CTX_get(bnctx)) == NULL) | 
| 202 | 8 |                 goto fail; | 
| 203 |  |  | 
| 204 | 158 |         if (EC_POINT_is_on_curve(g, q, bnctx) != 1) { | 
| 205 | 0 |                 fido_log_debug("%s: EC_POINT_is_on_curve", __func__); | 
| 206 | 0 |                 ok = FIDO_ERR_INVALID_ARGUMENT; | 
| 207 | 0 |                 goto fail; | 
| 208 | 0 |         } | 
| 209 |  |  | 
| 210 | 158 |         if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 || | 
| 211 | 158 |             (nx = BN_num_bytes(x)) < 0 || (size_t)nx > sizeof(pk->x) || | 
| 212 | 158 |             (ny = BN_num_bytes(y)) < 0 || (size_t)ny > sizeof(pk->y)) { | 
| 213 | 4 |                 fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp", | 
| 214 | 4 |                     __func__); | 
| 215 | 4 |                 goto fail; | 
| 216 | 4 |         } | 
| 217 |  |  | 
| 218 | 154 |         dx = sizeof(pk->x) - (size_t)nx; | 
| 219 | 154 |         dy = sizeof(pk->y) - (size_t)ny; | 
| 220 |  |  | 
| 221 | 154 |         if ((nx = BN_bn2bin(x, pk->x + dx)) < 0 || (size_t)nx > sizeof(pk->x) || | 
| 222 | 154 |             (ny = BN_bn2bin(y, pk->y + dy)) < 0 || (size_t)ny > sizeof(pk->y)) { | 
| 223 | 9 |                 fido_log_debug("%s: BN_bn2bin", __func__); | 
| 224 | 9 |                 goto fail; | 
| 225 | 9 |         } | 
| 226 |  |  | 
| 227 | 145 |         ok = FIDO_OK; | 
| 228 | 173 | fail: | 
| 229 | 173 |         EC_GROUP_free(g); | 
| 230 |  |  | 
| 231 | 173 |         if (bnctx != NULL) { | 
| 232 | 166 |                 BN_CTX_end(bnctx); | 
| 233 | 166 |                 BN_CTX_free(bnctx); | 
| 234 | 166 |         } | 
| 235 |  |  | 
| 236 | 173 |         return (ok); | 
| 237 | 145 | } | 
| 238 |  |  | 
| 239 |  | int | 
| 240 |  | es384_pk_from_EVP_PKEY(es384_pk_t *pk, const EVP_PKEY *pkey) | 
| 241 | 190 | { | 
| 242 | 190 |         const EC_KEY *ec; | 
| 243 |  |  | 
| 244 | 190 |         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC || | 
| 245 | 190 |             (ec = get0_EC_KEY(pkey)) == NULL) | 
| 246 | 17 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 247 |  |  | 
| 248 | 173 |         return (es384_pk_from_EC_KEY(pk, ec)); | 
| 249 | 190 | } | 
| 250 |  |  | 
| 251 |  | int | 
| 252 |  | es384_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey, | 
| 253 |  |     const fido_blob_t *sig) | 
| 254 | 1.47k | { | 
| 255 | 1.47k |         EVP_PKEY_CTX    *pctx = NULL; | 
| 256 | 1.47k |         int              ok = -1; | 
| 257 |  |  | 
| 258 | 1.47k |         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { | 
| 259 | 0 |                 fido_log_debug("%s: EVP_PKEY_base_id", __func__); | 
| 260 | 0 |                 goto fail; | 
| 261 | 0 |         } | 
| 262 |  |  | 
| 263 | 1.47k |         if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL || | 
| 264 | 1.47k |             EVP_PKEY_verify_init(pctx) != 1 || | 
| 265 | 1.47k |             EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr, | 
| 266 | 1.47k |             dgst->len) != 1) { | 
| 267 | 1.47k |                 fido_log_debug("%s: EVP_PKEY_verify", __func__); | 
| 268 | 1.47k |                 goto fail; | 
| 269 | 1.47k |         } | 
| 270 |  |  | 
| 271 | 0 |         ok = 0; | 
| 272 | 1.47k | fail: | 
| 273 | 1.47k |         EVP_PKEY_CTX_free(pctx); | 
| 274 |  |  | 
| 275 | 1.47k |         return (ok); | 
| 276 | 0 | } | 
| 277 |  |  | 
| 278 |  | int | 
| 279 |  | es384_pk_verify_sig(const fido_blob_t *dgst, const es384_pk_t *pk, | 
| 280 |  |     const fido_blob_t *sig) | 
| 281 | 1.77k | { | 
| 282 | 1.77k |         EVP_PKEY        *pkey; | 
| 283 | 1.77k |         int              ok = -1; | 
| 284 |  |  | 
| 285 | 1.77k |         if ((pkey = es384_pk_to_EVP_PKEY(pk)) == NULL || | 
| 286 | 1.77k |             es384_verify_sig(dgst, pkey, sig) < 0) { | 
| 287 | 1.77k |                 fido_log_debug("%s: es384_verify_sig", __func__); | 
| 288 | 1.77k |                 goto fail; | 
| 289 | 1.77k |         } | 
| 290 |  |  | 
| 291 | 0 |         ok = 0; | 
| 292 | 1.77k | fail: | 
| 293 | 1.77k |         EVP_PKEY_free(pkey); | 
| 294 |  |  | 
| 295 | 1.77k |         return (ok); | 
| 296 | 0 | } |