Coverage Report

Created: 2022-01-17 10:46

/libfido2/src/es256.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2018-2021 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include <openssl/bn.h>
8
#include <openssl/ecdsa.h>
9
#include <openssl/obj_mac.h>
10
11
#include "fido.h"
12
#include "fido/es256.h"
13
14
static int
15
decode_coord(const cbor_item_t *item, void *xy, size_t xy_len)
16
11.7k
{
17
11.7k
        if (cbor_isa_bytestring(item) == false ||
18
11.7k
            cbor_bytestring_is_definite(item) == false ||
19
11.7k
            cbor_bytestring_length(item) != xy_len) {
20
79
                fido_log_debug("%s: cbor type", __func__);
21
79
                return (-1);
22
79
        }
23
24
11.6k
        memcpy(xy, cbor_bytestring_handle(item), xy_len);
25
26
11.6k
        return (0);
27
11.6k
}
28
29
static int
30
decode_pubkey_point(const cbor_item_t *key, const cbor_item_t *val, void *arg)
31
29.8k
{
32
29.8k
        es256_pk_t *k = arg;
33
34
29.8k
        if (cbor_isa_negint(key) == false ||
35
29.8k
            cbor_int_get_width(key) != CBOR_INT_8)
36
14.7k
                return (0); /* ignore */
37
38
15.1k
        switch (cbor_get_uint8(key)) {
39
5.93k
        case 1: /* x coordinate */
40
5.93k
                return (decode_coord(val, &k->x, sizeof(k->x)));
41
5.77k
        case 2: /* y coordinate */
42
5.77k
                return (decode_coord(val, &k->y, sizeof(k->y)));
43
3.40k
        }
44
45
3.40k
        return (0); /* ignore */
46
3.40k
}
47
48
int
49
es256_pk_decode(const cbor_item_t *item, es256_pk_t *k)
50
6.03k
{
51
6.03k
        if (cbor_isa_map(item) == false ||
52
6.03k
            cbor_map_is_definite(item) == false ||
53
6.03k
            cbor_map_iter(item, k, decode_pubkey_point) < 0) {
54
157
                fido_log_debug("%s: cbor type", __func__);
55
157
                return (-1);
56
157
        }
57
58
5.88k
        return (0);
59
5.88k
}
60
61
cbor_item_t *
62
es256_pk_encode(const es256_pk_t *pk, int ecdh)
63
3.66k
{
64
3.66k
        cbor_item_t             *item = NULL;
65
3.66k
        struct cbor_pair         argv[5];
66
3.66k
        int                      alg;
67
3.66k
        int                      ok = -1;
68
69
3.66k
        memset(argv, 0, sizeof(argv));
70
71
3.66k
        if ((item = cbor_new_definite_map(5)) == NULL)
72
3.66k
                goto fail;
73
74
        /* kty */
75
3.64k
        if ((argv[0].key = cbor_build_uint8(1)) == NULL ||
76
3.64k
            (argv[0].value = cbor_build_uint8(2)) == NULL ||
77
3.64k
            !cbor_map_add(item, argv[0]))
78
48
                goto fail;
79
80
        /*
81
         * "The COSEAlgorithmIdentifier used is -25 (ECDH-ES +
82
         * HKDF-256) although this is NOT the algorithm actually
83
         * used. Setting this to a different value may result in
84
         * compatibility issues."
85
         */
86
3.59k
        if (ecdh)
87
3.51k
                alg = COSE_ECDH_ES256;
88
3.59k
        else
89
3.59k
                alg = COSE_ES256;
90
91
        /* alg */
92
3.59k
        if ((argv[1].key = cbor_build_uint8(3)) == NULL ||
93
3.59k
            (argv[1].value = cbor_build_negint8((uint8_t)(-alg - 1))) == NULL ||
94
3.59k
            !cbor_map_add(item, argv[1]))
95
46
                goto fail;
96
97
        /* crv */
98
3.55k
        if ((argv[2].key = cbor_build_negint8(0)) == NULL ||
99
3.55k
            (argv[2].value = cbor_build_uint8(1)) == NULL ||
100
3.55k
            !cbor_map_add(item, argv[2]))
101
44
                goto fail;
102
103
        /* x */
104
3.50k
        if ((argv[3].key = cbor_build_negint8(1)) == NULL ||
105
3.50k
            (argv[3].value = cbor_build_bytestring(pk->x,
106
3.49k
            sizeof(pk->x))) == NULL || !cbor_map_add(item, argv[3]))
107
42
                goto fail;
108
109
        /* y */
110
3.46k
        if ((argv[4].key = cbor_build_negint8(2)) == NULL ||
111
3.46k
            (argv[4].value = cbor_build_bytestring(pk->y,
112
3.45k
            sizeof(pk->y))) == NULL || !cbor_map_add(item, argv[4]))
113
46
                goto fail;
114
115
3.42k
        ok = 0;
116
3.66k
fail:
117
3.66k
        if (ok < 0) {
118
240
                if (item != NULL) {
119
226
                        cbor_decref(&item);
120
226
                        item = NULL;
121
226
                }
122
240
        }
123
124
21.9k
        for (size_t i = 0; i < 5; i++) {
125
18.3k
                if (argv[i].key)
126
17.6k
                        cbor_decref(&argv[i].key);
127
18.3k
                if (argv[i].value)
128
17.6k
                        cbor_decref(&argv[i].value);
129
18.3k
        }
130
131
3.66k
        return (item);
132
3.42k
}
133
134
es256_sk_t *
135
es256_sk_new(void)
136
9.02k
{
137
9.02k
        return (calloc(1, sizeof(es256_sk_t)));
138
9.02k
}
139
140
void
141
es256_sk_free(es256_sk_t **skp)
142
9.02k
{
143
9.02k
        es256_sk_t *sk;
144
145
9.02k
        if (skp == NULL || (sk = *skp) == NULL)
146
9.02k
                return;
147
148
8.99k
        freezero(sk, sizeof(*sk));
149
8.99k
        *skp = NULL;
150
8.99k
}
151
152
es256_pk_t *
153
es256_pk_new(void)
154
17.8k
{
155
17.8k
        return (calloc(1, sizeof(es256_pk_t)));
156
17.8k
}
157
158
void
159
es256_pk_free(es256_pk_t **pkp)
160
33.3k
{
161
33.3k
        es256_pk_t *pk;
162
163
33.3k
        if (pkp == NULL || (pk = *pkp) == NULL)
164
33.3k
                return;
165
166
17.7k
        freezero(pk, sizeof(*pk));
167
17.7k
        *pkp = NULL;
168
17.7k
}
169
170
int
171
es256_pk_from_ptr(es256_pk_t *pk, const void *ptr, size_t len)
172
556
{
173
556
        const uint8_t *p = ptr;
174
175
556
        if (len < sizeof(*pk))
176
494
                return (FIDO_ERR_INVALID_ARGUMENT);
177
178
62
        if (len == sizeof(*pk) + 1 && *p == 0x04)
179
2
                memcpy(pk, ++p, sizeof(*pk)); /* uncompressed format */
180
60
        else
181
60
                memcpy(pk, ptr, sizeof(*pk)); /* libfido2 x||y format */
182
183
62
        return (FIDO_OK);
184
62
}
185
186
int
187
es256_pk_set_x(es256_pk_t *pk, const unsigned char *x)
188
80
{
189
80
        memcpy(pk->x, x, sizeof(pk->x));
190
191
80
        return (0);
192
80
}
193
194
int
195
es256_pk_set_y(es256_pk_t *pk, const unsigned char *y)
196
80
{
197
80
        memcpy(pk->y, y, sizeof(pk->y));
198
199
80
        return (0);
200
80
}
201
202
int
203
es256_sk_create(es256_sk_t *key)
204
8.95k
{
205
8.95k
        EVP_PKEY_CTX    *pctx = NULL;
206
8.95k
        EVP_PKEY_CTX    *kctx = NULL;
207
8.95k
        EVP_PKEY        *p = NULL;
208
8.95k
        EVP_PKEY        *k = NULL;
209
8.95k
        const EC_KEY    *ec;
210
8.95k
        const BIGNUM    *d;
211
8.95k
        const int        nid = NID_X9_62_prime256v1;
212
8.95k
        int              n;
213
8.95k
        int              ok = -1;
214
215
8.95k
        if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL ||
216
8.95k
            EVP_PKEY_paramgen_init(pctx) <= 0 ||
217
8.95k
            EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 ||
218
8.95k
            EVP_PKEY_paramgen(pctx, &p) <= 0) {
219
141
                fido_log_debug("%s: EVP_PKEY_paramgen", __func__);
220
141
                goto fail;
221
141
        }
222
223
8.81k
        if ((kctx = EVP_PKEY_CTX_new(p, NULL)) == NULL ||
224
8.81k
            EVP_PKEY_keygen_init(kctx) <= 0 || EVP_PKEY_keygen(kctx, &k) <= 0) {
225
104
                fido_log_debug("%s: EVP_PKEY_keygen", __func__);
226
104
                goto fail;
227
104
        }
228
229
8.70k
        if ((ec = EVP_PKEY_get0_EC_KEY(k)) == NULL ||
230
8.70k
            (d = EC_KEY_get0_private_key(ec)) == NULL ||
231
8.70k
            (n = BN_num_bytes(d)) < 0 || (size_t)n > sizeof(key->d) ||
232
8.70k
            (n = BN_bn2bin(d, key->d)) < 0 || (size_t)n > sizeof(key->d)) {
233
101
                fido_log_debug("%s: EC_KEY_get0_private_key", __func__);
234
101
                goto fail;
235
101
        }
236
237
8.60k
        ok = 0;
238
8.95k
fail:
239
8.95k
        if (p != NULL)
240
8.95k
                EVP_PKEY_free(p);
241
8.95k
        if (k != NULL)
242
8.95k
                EVP_PKEY_free(k);
243
8.95k
        if (pctx != NULL)
244
8.95k
                EVP_PKEY_CTX_free(pctx);
245
8.95k
        if (kctx != NULL)
246
8.95k
                EVP_PKEY_CTX_free(kctx);
247
248
8.95k
        return (ok);
249
8.60k
}
250
251
EVP_PKEY *
252
es256_pk_to_EVP_PKEY(const es256_pk_t *k)
253
5.14k
{
254
5.14k
        BN_CTX          *bnctx = NULL;
255
5.14k
        EC_KEY          *ec = NULL;
256
5.14k
        EC_POINT        *q = NULL;
257
5.14k
        EVP_PKEY        *pkey = NULL;
258
5.14k
        BIGNUM          *x = NULL;
259
5.14k
        BIGNUM          *y = NULL;
260
5.14k
        const EC_GROUP  *g = NULL;
261
5.14k
        const int        nid = NID_X9_62_prime256v1;
262
5.14k
        int              ok = -1;
263
264
5.14k
        if ((bnctx = BN_CTX_new()) == NULL)
265
5.14k
                goto fail;
266
267
5.12k
        BN_CTX_start(bnctx);
268
269
5.12k
        if ((x = BN_CTX_get(bnctx)) == NULL ||
270
5.12k
            (y = BN_CTX_get(bnctx)) == NULL)
271
5.12k
                goto fail;
272
273
5.09k
        if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL ||
274
5.09k
            BN_bin2bn(k->y, sizeof(k->y), y) == NULL) {
275
38
                fido_log_debug("%s: BN_bin2bn", __func__);
276
38
                goto fail;
277
38
        }
278
279
5.05k
        if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
280
5.05k
            (g = EC_KEY_get0_group(ec)) == NULL) {
281
40
                fido_log_debug("%s: EC_KEY init", __func__);
282
40
                goto fail;
283
40
        }
284
285
5.01k
        if ((q = EC_POINT_new(g)) == NULL ||
286
5.01k
            EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
287
5.01k
            EC_KEY_set_public_key(ec, q) == 0) {
288
688
                fido_log_debug("%s: EC_KEY_set_public_key", __func__);
289
688
                goto fail;
290
688
        }
291
292
4.32k
        if ((pkey = EVP_PKEY_new()) == NULL ||
293
4.32k
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
294
35
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
295
35
                goto fail;
296
35
        }
297
298
4.28k
        ec = NULL; /* at this point, ec belongs to evp */
299
300
4.28k
        ok = 0;
301
5.14k
fail:
302
5.14k
        if (bnctx != NULL) {
303
5.12k
                BN_CTX_end(bnctx);
304
5.12k
                BN_CTX_free(bnctx);
305
5.12k
        }
306
307
5.14k
        if (ec != NULL)
308
5.14k
                EC_KEY_free(ec);
309
5.14k
        if (q != NULL)
310
5.14k
                EC_POINT_free(q);
311
312
5.14k
        if (ok < 0 && pkey != NULL) {
313
17
                EVP_PKEY_free(pkey);
314
17
                pkey = NULL;
315
17
        }
316
317
5.14k
        return (pkey);
318
4.28k
}
319
320
int
321
es256_pk_from_EC_KEY(es256_pk_t *pk, const EC_KEY *ec)
322
8.47k
{
323
8.47k
        BN_CTX          *bnctx = NULL;
324
8.47k
        BIGNUM          *x = NULL;
325
8.47k
        BIGNUM          *y = NULL;
326
8.47k
        const EC_POINT  *q = NULL;
327
8.47k
        const EC_GROUP  *g = NULL;
328
8.47k
        int              ok = FIDO_ERR_INTERNAL;
329
8.47k
        int              n;
330
331
8.47k
        if ((q = EC_KEY_get0_public_key(ec)) == NULL ||
332
8.47k
            (g = EC_KEY_get0_group(ec)) == NULL ||
333
8.47k
            (bnctx = BN_CTX_new()) == NULL)
334
8.47k
                goto fail;
335
336
8.39k
        BN_CTX_start(bnctx);
337
338
8.39k
        if ((x = BN_CTX_get(bnctx)) == NULL ||
339
8.39k
            (y = BN_CTX_get(bnctx)) == NULL)
340
8.39k
                goto fail;
341
342
8.30k
        if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
343
8.30k
            (n = BN_num_bytes(x)) < 0 || (size_t)n > sizeof(pk->x) ||
344
8.30k
            (n = BN_num_bytes(y)) < 0 || (size_t)n > sizeof(pk->y)) {
345
34
                fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp",
346
34
                    __func__);
347
34
                goto fail;
348
34
        }
349
350
8.26k
        if ((n = BN_bn2bin(x, pk->x)) < 0 || (size_t)n > sizeof(pk->x) ||
351
8.26k
            (n = BN_bn2bin(y, pk->y)) < 0 || (size_t)n > sizeof(pk->y)) {
352
82
                fido_log_debug("%s: BN_bn2bin", __func__);
353
82
                goto fail;
354
82
        }
355
356
8.18k
        ok = FIDO_OK;
357
8.47k
fail:
358
8.47k
        if (bnctx != NULL) {
359
8.39k
                BN_CTX_end(bnctx);
360
8.39k
                BN_CTX_free(bnctx);
361
8.39k
        }
362
363
8.47k
        return (ok);
364
8.18k
}
365
366
int
367
es256_pk_from_EVP_PKEY(es256_pk_t *pk, const EVP_PKEY *pkey)
368
28
{
369
28
        EC_KEY *ec;
370
371
28
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC ||
372
28
            (ec = EVP_PKEY_get0(pkey)) == NULL)
373
28
                return (FIDO_ERR_INVALID_ARGUMENT);
374
375
28
        return (es256_pk_from_EC_KEY(pk, ec));
376
28
}
377
378
EVP_PKEY *
379
es256_sk_to_EVP_PKEY(const es256_sk_t *k)
380
4.24k
{
381
4.24k
        BN_CTX          *bnctx = NULL;
382
4.24k
        EC_KEY          *ec = NULL;
383
4.24k
        EVP_PKEY        *pkey = NULL;
384
4.24k
        BIGNUM          *d = NULL;
385
4.24k
        const int        nid = NID_X9_62_prime256v1;
386
4.24k
        int              ok = -1;
387
388
4.24k
        if ((bnctx = BN_CTX_new()) == NULL)
389
4.24k
                goto fail;
390
391
4.22k
        BN_CTX_start(bnctx);
392
393
4.22k
        if ((d = BN_CTX_get(bnctx)) == NULL ||
394
4.22k
            BN_bin2bn(k->d, sizeof(k->d), d) == NULL) {
395
25
                fido_log_debug("%s: BN_bin2bn", __func__);
396
25
                goto fail;
397
25
        }
398
399
4.20k
        if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
400
4.20k
            EC_KEY_set_private_key(ec, d) == 0) {
401
16
                fido_log_debug("%s: EC_KEY_set_private_key", __func__);
402
16
                goto fail;
403
16
        }
404
405
4.18k
        if ((pkey = EVP_PKEY_new()) == NULL ||
406
4.18k
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
407
34
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
408
34
                goto fail;
409
34
        }
410
411
4.15k
        ec = NULL; /* at this point, ec belongs to evp */
412
413
4.15k
        ok = 0;
414
4.24k
fail:
415
4.24k
        if (bnctx != NULL) {
416
4.22k
                BN_CTX_end(bnctx);
417
4.22k
                BN_CTX_free(bnctx);
418
4.22k
        }
419
420
4.24k
        if (ec != NULL)
421
4.24k
                EC_KEY_free(ec);
422
423
4.24k
        if (ok < 0 && pkey != NULL) {
424
18
                EVP_PKEY_free(pkey);
425
18
                pkey = NULL;
426
18
        }
427
428
4.24k
        return (pkey);
429
4.15k
}
430
431
int
432
es256_derive_pk(const es256_sk_t *sk, es256_pk_t *pk)
433
8.60k
{
434
8.60k
        BIGNUM          *d = NULL;
435
8.60k
        EC_KEY          *ec = NULL;
436
8.60k
        EC_POINT        *q = NULL;
437
8.60k
        const EC_GROUP  *g = NULL;
438
8.60k
        const int        nid = NID_X9_62_prime256v1;
439
8.60k
        int              ok = -1;
440
441
8.60k
        if ((d = BN_bin2bn(sk->d, (int)sizeof(sk->d), NULL)) == NULL ||
442
8.60k
            (ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
443
8.60k
            (g = EC_KEY_get0_group(ec)) == NULL ||
444
8.60k
            (q = EC_POINT_new(g)) == NULL) {
445
160
                fido_log_debug("%s: get", __func__);
446
160
                goto fail;
447
160
        }
448
449
8.44k
        if (EC_POINT_mul(g, q, d, NULL, NULL, NULL) == 0 ||
450
8.44k
            EC_KEY_set_public_key(ec, q) == 0 ||
451
8.44k
            es256_pk_from_EC_KEY(pk, ec) != FIDO_OK) {
452
282
                fido_log_debug("%s: set", __func__);
453
282
                goto fail;
454
282
        }
455
456
8.16k
        ok = 0;
457
8.60k
fail:
458
8.60k
        if (d != NULL)
459
8.60k
                BN_clear_free(d);
460
8.60k
        if (q != NULL)
461
8.60k
                EC_POINT_free(q);
462
8.60k
        if (ec != NULL)
463
8.60k
                EC_KEY_free(ec);
464
465
8.60k
        return (ok);
466
8.16k
}
467
468
int
469
es256_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey,
470
    const fido_blob_t *sig)
471
52
{
472
52
        EVP_PKEY_CTX    *pctx = NULL;
473
52
        int              ok = -1;
474
475
52
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
476
0
                fido_log_debug("%s: EVP_PKEY_base_id", __func__);
477
0
                goto fail;
478
0
        }
479
480
52
        if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL ||
481
52
            EVP_PKEY_verify_init(pctx) != 1 ||
482
52
            EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr,
483
52
            dgst->len) != 1) {
484
52
                fido_log_debug("%s: EVP_PKEY_verify", __func__);
485
52
                goto fail;
486
52
        }
487
488
0
        ok = 0;
489
52
fail:
490
52
        EVP_PKEY_CTX_free(pctx);
491
492
52
        return (ok);
493
0
}
494
495
int
496
es256_pk_verify_sig(const fido_blob_t *dgst, const es256_pk_t *pk,
497
    const fido_blob_t *sig)
498
44
{
499
44
        EVP_PKEY        *pkey;
500
44
        int              ok = -1;
501
502
44
        if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
503
44
            es256_verify_sig(dgst, pkey, sig) < 0) {
504
44
                fido_log_debug("%s: es256_verify_sig", __func__);
505
44
                goto fail;
506
44
        }
507
508
0
        ok = 0;
509
44
fail:
510
44
        EVP_PKEY_free(pkey);
511
512
44
        return (ok);
513
0
}