Coverage Report

Created: 2020-03-07 10:10

/libfido2/src/es256.c
Line
Count
Source
1
/*
2
 * Copyright (c) 2018 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include <openssl/bn.h>
8
#include <openssl/ec.h>
9
#include <openssl/evp.h>
10
#include <openssl/obj_mac.h>
11
12
#include <string.h>
13
#include "fido.h"
14
#include "fido/es256.h"
15
16
static int
17
decode_coord(const cbor_item_t *item, void *xy, size_t xy_len)
18
15.7k
{
19
15.7k
        if (cbor_isa_bytestring(item) == false ||
20
15.7k
            cbor_bytestring_is_definite(item) == false ||
21
15.7k
            cbor_bytestring_length(item) != xy_len) {
22
162
                fido_log_debug("%s: cbor type", __func__);
23
162
                return (-1);
24
162
        }
25
15.5k
26
15.5k
        memcpy(xy, cbor_bytestring_handle(item), xy_len);
27
15.5k
28
15.5k
        return (0);
29
15.5k
}
30
31
static int
32
decode_pubkey_point(const cbor_item_t *key, const cbor_item_t *val, void *arg)
33
42.4k
{
34
42.4k
        es256_pk_t *k = arg;
35
42.4k
36
42.4k
        if (cbor_isa_negint(key) == false ||
37
42.4k
            cbor_int_get_width(key) != CBOR_INT_8)
38
21.1k
                return (0); /* ignore */
39
21.2k
40
21.2k
        switch (cbor_get_uint8(key)) {
41
21.2k
        case 1: /* x coordinate */
42
8.33k
                return (decode_coord(val, &k->x, sizeof(k->x)));
43
21.2k
        case 2: /* y coordinate */
44
7.39k
                return (decode_coord(val, &k->y, sizeof(k->y)));
45
5.53k
        }
46
5.53k
47
5.53k
        return (0); /* ignore */
48
5.53k
}
49
50
int
51
es256_pk_decode(const cbor_item_t *item, es256_pk_t *k)
52
8.91k
{
53
8.91k
        if (cbor_isa_map(item) == false ||
54
8.91k
            cbor_map_is_definite(item) == false ||
55
8.91k
            cbor_map_iter(item, k, decode_pubkey_point) < 0) {
56
599
                fido_log_debug("%s: cbor type", __func__);
57
599
                return (-1);
58
599
        }
59
8.31k
60
8.31k
        return (0);
61
8.31k
}
62
63
cbor_item_t *
64
es256_pk_encode(const es256_pk_t *pk, int ecdh)
65
4.70k
{
66
4.70k
        cbor_item_t             *item = NULL;
67
4.70k
        struct cbor_pair         argv[5];
68
4.70k
        int                      alg;
69
4.70k
        int                      ok = -1;
70
4.70k
71
4.70k
        memset(argv, 0, sizeof(argv));
72
4.70k
73
4.70k
        if ((item = cbor_new_definite_map(5)) == NULL)
74
4.70k
                goto fail;
75
4.69k
76
4.69k
        /* kty */
77
4.69k
        if ((argv[0].key = cbor_build_uint8(1)) == NULL ||
78
4.69k
            (argv[0].value = cbor_build_uint8(2)) == NULL ||
79
4.69k
            !cbor_map_add(item, argv[0]))
80
47
                goto fail;
81
4.64k
82
4.64k
        /*
83
4.64k
         * "The COSEAlgorithmIdentifier used is -25 (ECDH-ES +
84
4.64k
         * HKDF-256) although this is NOT the algorithm actually
85
4.64k
         * used. Setting this to a different value may result in
86
4.64k
         * compatibility issues."
87
4.64k
         */
88
4.64k
        if (ecdh)
89
49
                alg = COSE_ECDH_ES256;
90
4.64k
        else
91
4.64k
                alg = COSE_ES256;
92
4.64k
93
4.64k
        /* alg */
94
4.64k
        if ((argv[1].key = cbor_build_uint8(3)) == NULL ||
95
4.64k
            (argv[1].value = cbor_build_negint8(-alg - 1)) == NULL ||
96
4.64k
            !cbor_map_add(item, argv[1]))
97
43
                goto fail;
98
4.60k
99
4.60k
        /* crv */
100
4.60k
        if ((argv[2].key = cbor_build_negint8(0)) == NULL ||
101
4.60k
            (argv[2].value = cbor_build_uint8(1)) == NULL ||
102
4.60k
            !cbor_map_add(item, argv[2]))
103
50
                goto fail;
104
4.55k
105
4.55k
        /* x */
106
4.55k
        if ((argv[3].key = cbor_build_negint8(1)) == NULL ||
107
4.55k
            (argv[3].value = cbor_build_bytestring(pk->x,
108
4.53k
            sizeof(pk->x))) == NULL || !cbor_map_add(item, argv[3]))
109
45
                goto fail;
110
4.50k
111
4.50k
        /* y */
112
4.50k
        if ((argv[4].key = cbor_build_negint8(2)) == NULL ||
113
4.50k
            (argv[4].value = cbor_build_bytestring(pk->y,
114
4.48k
            sizeof(pk->y))) == NULL || !cbor_map_add(item, argv[4]))
115
51
                goto fail;
116
4.45k
117
4.45k
        ok = 0;
118
4.70k
fail:
119
4.70k
        if (ok < 0) {
120
255
                if (item != NULL) {
121
236
                        cbor_decref(&item);
122
236
                        item = NULL;
123
236
                }
124
255
        }
125
4.70k
126
28.2k
        for (size_t i = 0; i < 5; i++) {
127
23.5k
                if (argv[i].key)
128
22.9k
                        cbor_decref(&argv[i].key);
129
23.5k
                if (argv[i].value)
130
22.8k
                        cbor_decref(&argv[i].value);
131
23.5k
        }
132
4.70k
133
4.70k
        return (item);
134
4.45k
}
135
136
es256_sk_t *
137
es256_sk_new(void)
138
13.9k
{
139
13.9k
        return (calloc(1, sizeof(es256_sk_t)));
140
13.9k
}
141
142
void
143
es256_sk_free(es256_sk_t **skp)
144
13.9k
{
145
13.9k
        es256_sk_t *sk;
146
13.9k
147
13.9k
        if (skp == NULL || (sk = *skp) == NULL)
148
13.9k
                return;
149
13.9k
150
13.9k
        explicit_bzero(sk, sizeof(*sk));
151
13.9k
        free(sk);
152
13.9k
153
13.9k
        *skp = NULL;
154
13.9k
}
155
156
es256_pk_t *
157
es256_pk_new(void)
158
28.8k
{
159
28.8k
        return (calloc(1, sizeof(es256_pk_t)));
160
28.8k
}
161
162
void
163
es256_pk_free(es256_pk_t **pkp)
164
45.0k
{
165
45.0k
        es256_pk_t *pk;
166
45.0k
167
45.0k
        if (pkp == NULL || (pk = *pkp) == NULL)
168
45.0k
                return;
169
28.7k
170
28.7k
        explicit_bzero(pk, sizeof(*pk));
171
28.7k
        free(pk);
172
28.7k
173
28.7k
        *pkp = NULL;
174
28.7k
}
175
176
int
177
es256_pk_from_ptr(es256_pk_t *pk, const void *ptr, size_t len)
178
1.29k
{
179
1.29k
        const uint8_t *p = ptr;
180
1.29k
181
1.29k
        if (len < sizeof(*pk))
182
470
                return (FIDO_ERR_INVALID_ARGUMENT);
183
825
184
825
        if (len == sizeof(*pk) + 1 && *p == 0x04)
185
1
                memcpy(pk, ++p, sizeof(*pk)); /* uncompressed format */
186
824
        else
187
824
                memcpy(pk, ptr, sizeof(*pk)); /* libfido2 x||y format */
188
825
189
825
        return (FIDO_OK);
190
825
}
191
192
int
193
es256_pk_set_x(es256_pk_t *pk, const unsigned char *x)
194
387
{
195
387
        memcpy(pk->x, x, sizeof(pk->x));
196
387
197
387
        return (0);
198
387
}
199
200
int
201
es256_pk_set_y(es256_pk_t *pk, const unsigned char *y)
202
387
{
203
387
        memcpy(pk->y, y, sizeof(pk->y));
204
387
205
387
        return (0);
206
387
}
207
208
int
209
es256_sk_create(es256_sk_t *key)
210
13.9k
{
211
13.9k
        EVP_PKEY_CTX    *pctx = NULL;
212
13.9k
        EVP_PKEY_CTX    *kctx = NULL;
213
13.9k
        EVP_PKEY        *p = NULL;
214
13.9k
        EVP_PKEY        *k = NULL;
215
13.9k
        const EC_KEY    *ec;
216
13.9k
        const BIGNUM    *d;
217
13.9k
        const int        nid = NID_X9_62_prime256v1;
218
13.9k
        int              n;
219
13.9k
        int              ok = -1;
220
13.9k
221
13.9k
        if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL ||
222
13.9k
            EVP_PKEY_paramgen_init(pctx) <= 0 ||
223
13.9k
            EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 ||
224
13.9k
            EVP_PKEY_paramgen(pctx, &p) <= 0) {
225
117
                fido_log_debug("%s: EVP_PKEY_paramgen", __func__);
226
117
                goto fail;
227
117
        }
228
13.8k
229
13.8k
        if ((kctx = EVP_PKEY_CTX_new(p, NULL)) == NULL ||
230
13.8k
            EVP_PKEY_keygen_init(kctx) <= 0 || EVP_PKEY_keygen(kctx, &k) <= 0) {
231
137
                fido_log_debug("%s: EVP_PKEY_keygen", __func__);
232
137
                goto fail;
233
137
        }
234
13.6k
235
13.6k
        if ((ec = EVP_PKEY_get0_EC_KEY(k)) == NULL ||
236
13.6k
            (d = EC_KEY_get0_private_key(ec)) == NULL ||
237
13.6k
            (n = BN_num_bytes(d)) < 0 || (size_t)n > sizeof(key->d) ||
238
13.6k
            (n = BN_bn2bin(d, key->d)) < 0 || (size_t)n > sizeof(key->d)) {
239
110
                fido_log_debug("%s: EC_KEY_get0_private_key", __func__);
240
110
                goto fail;
241
110
        }
242
13.5k
243
13.5k
        ok = 0;
244
13.9k
fail:
245
13.9k
        if (p != NULL)
246
13.9k
                EVP_PKEY_free(p);
247
13.9k
        if (k != NULL)
248
13.9k
                EVP_PKEY_free(k);
249
13.9k
        if (pctx != NULL)
250
13.9k
                EVP_PKEY_CTX_free(pctx);
251
13.9k
        if (kctx != NULL)
252
13.9k
                EVP_PKEY_CTX_free(kctx);
253
13.9k
254
13.9k
        return (ok);
255
13.5k
}
256
257
EVP_PKEY *
258
es256_pk_to_EVP_PKEY(const es256_pk_t *k)
259
7.45k
{
260
7.45k
        BN_CTX          *bnctx = NULL;
261
7.45k
        EC_KEY          *ec = NULL;
262
7.45k
        EC_POINT        *q = NULL;
263
7.45k
        EVP_PKEY        *pkey = NULL;
264
7.45k
        BIGNUM          *x = NULL;
265
7.45k
        BIGNUM          *y = NULL;
266
7.45k
        const EC_GROUP  *g = NULL;
267
7.45k
        const int        nid = NID_X9_62_prime256v1;
268
7.45k
        int              ok = -1;
269
7.45k
270
7.45k
        if ((bnctx = BN_CTX_new()) == NULL ||
271
7.45k
            (x = BN_CTX_get(bnctx)) == NULL ||
272
7.45k
            (y = BN_CTX_get(bnctx)) == NULL)
273
7.45k
                goto fail;
274
7.39k
275
7.39k
        if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL ||
276
7.39k
            BN_bin2bn(k->y, sizeof(k->y), y) == NULL) {
277
50
                fido_log_debug("%s: BN_bin2bn", __func__);
278
50
                goto fail;
279
50
        }
280
7.34k
281
7.34k
        if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
282
7.34k
            (g = EC_KEY_get0_group(ec)) == NULL) {
283
74
                fido_log_debug("%s: EC_KEY init", __func__);
284
74
                goto fail;
285
74
        }
286
7.26k
287
7.26k
        if ((q = EC_POINT_new(g)) == NULL ||
288
7.26k
            EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
289
7.26k
            EC_KEY_set_public_key(ec, q) == 0) {
290
2.44k
                fido_log_debug("%s: EC_KEY_set_public_key", __func__);
291
2.44k
                goto fail;
292
2.44k
        }
293
4.81k
294
4.81k
        if ((pkey = EVP_PKEY_new()) == NULL ||
295
4.81k
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
296
31
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
297
31
                goto fail;
298
31
        }
299
4.78k
300
4.78k
        ec = NULL; /* at this point, ec belongs to evp */
301
4.78k
302
4.78k
        ok = 0;
303
7.45k
fail:
304
7.45k
        if (bnctx != NULL)
305
7.45k
                BN_CTX_free(bnctx);
306
7.45k
        if (ec != NULL)
307
7.45k
                EC_KEY_free(ec);
308
7.45k
        if (q != NULL)
309
7.45k
                EC_POINT_free(q);
310
7.45k
        if (ok < 0 && pkey != NULL) {
311
18
                EVP_PKEY_free(pkey);
312
18
                pkey = NULL;
313
18
        }
314
7.45k
315
7.45k
        return (pkey);
316
4.78k
}
317
318
int
319
es256_pk_from_EC_KEY(es256_pk_t *pk, const EC_KEY *ec)
320
13.4k
{
321
13.4k
        BN_CTX          *ctx = NULL;
322
13.4k
        BIGNUM          *x = NULL;
323
13.4k
        BIGNUM          *y = NULL;
324
13.4k
        const EC_POINT  *q = NULL;
325
13.4k
        const EC_GROUP  *g = NULL;
326
13.4k
        int              ok = FIDO_ERR_INTERNAL;
327
13.4k
        int              n;
328
13.4k
329
13.4k
        if ((q = EC_KEY_get0_public_key(ec)) == NULL ||
330
13.4k
            (g = EC_KEY_get0_group(ec)) == NULL)
331
13.4k
                goto fail;
332
13.3k
333
13.3k
        if ((ctx = BN_CTX_new()) == NULL ||
334
13.3k
            (x = BN_CTX_get(ctx)) == NULL ||
335
13.3k
            (y = BN_CTX_get(ctx)) == NULL)
336
13.3k
                goto fail;
337
13.2k
338
13.2k
        if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, ctx) == 0 ||
339
13.2k
            (n = BN_num_bytes(x)) < 0 || (size_t)n > sizeof(pk->x) ||
340
13.2k
            (n = BN_num_bytes(y)) < 0 || (size_t)n > sizeof(pk->y)) {
341
33
                fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp",
342
33
                    __func__);
343
33
                goto fail;
344
33
        }
345
13.2k
346
13.2k
        if ((n = BN_bn2bin(x, pk->x)) < 0 || (size_t)n > sizeof(pk->x) ||
347
13.2k
            (n = BN_bn2bin(y, pk->y)) < 0 || (size_t)n > sizeof(pk->y)) {
348
52
                fido_log_debug("%s: BN_bn2bin", __func__);
349
52
                goto fail;
350
52
        }
351
13.1k
352
13.1k
        ok = FIDO_OK;
353
13.4k
fail:
354
13.4k
        if (ctx != NULL)
355
13.4k
                BN_CTX_free(ctx);
356
13.4k
357
13.4k
        return (ok);
358
13.1k
}
359
360
EVP_PKEY *
361
es256_sk_to_EVP_PKEY(const es256_sk_t *k)
362
4.69k
{
363
4.69k
        BN_CTX          *bnctx = NULL;
364
4.69k
        EC_KEY          *ec = NULL;
365
4.69k
        EVP_PKEY        *pkey = NULL;
366
4.69k
        BIGNUM          *d = NULL;
367
4.69k
        const int        nid = NID_X9_62_prime256v1;
368
4.69k
        int              ok = -1;
369
4.69k
370
4.69k
        if ((bnctx = BN_CTX_new()) == NULL || (d = BN_CTX_get(bnctx)) == NULL ||
371
4.69k
            BN_bin2bn(k->d, sizeof(k->d), d) == NULL) {
372
46
                fido_log_debug("%s: BN_bin2bn", __func__);
373
46
                goto fail;
374
46
        }
375
4.64k
376
4.64k
        if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
377
4.64k
            EC_KEY_set_private_key(ec, d) == 0) {
378
23
                fido_log_debug("%s: EC_KEY_set_private_key", __func__);
379
23
                goto fail;
380
23
        }
381
4.62k
382
4.62k
        if ((pkey = EVP_PKEY_new()) == NULL ||
383
4.62k
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
384
47
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
385
47
                goto fail;
386
47
        }
387
4.57k
388
4.57k
        ec = NULL; /* at this point, ec belongs to evp */
389
4.57k
390
4.57k
        ok = 0;
391
4.69k
fail:
392
4.69k
        if (bnctx != NULL)
393
4.69k
                BN_CTX_free(bnctx);
394
4.69k
        if (ec != NULL)
395
4.69k
                EC_KEY_free(ec);
396
4.69k
        if (ok < 0 && pkey != NULL) {
397
22
                EVP_PKEY_free(pkey);
398
22
                pkey = NULL;
399
22
        }
400
4.69k
401
4.69k
        return (pkey);
402
4.57k
}
403
404
int
405
es256_derive_pk(const es256_sk_t *sk, es256_pk_t *pk)
406
13.5k
{
407
13.5k
        BIGNUM          *d = NULL;
408
13.5k
        EC_KEY          *ec = NULL;
409
13.5k
        EC_POINT        *q = NULL;
410
13.5k
        const EC_GROUP  *g = NULL;
411
13.5k
        const int        nid = NID_X9_62_prime256v1;
412
13.5k
        int              ok = -1;
413
13.5k
414
13.5k
        if ((d = BN_bin2bn(sk->d, (int)sizeof(sk->d), NULL)) == NULL ||
415
13.5k
            (ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
416
13.5k
            (g = EC_KEY_get0_group(ec)) == NULL ||
417
13.5k
            (q = EC_POINT_new(g)) == NULL) {
418
149
                fido_log_debug("%s: get", __func__);
419
149
                goto fail;
420
149
        }
421
13.4k
422
13.4k
        if (EC_POINT_mul(g, q, d, NULL, NULL, NULL) == 0 ||
423
13.4k
            EC_KEY_set_public_key(ec, q) == 0 ||
424
13.4k
            es256_pk_from_EC_KEY(pk, ec) != FIDO_OK) {
425
242
                fido_log_debug("%s: set", __func__);
426
242
                goto fail;
427
242
        }
428
13.1k
429
13.1k
        ok = 0;
430
13.5k
fail:
431
13.5k
        if (d != NULL)
432
13.5k
                BN_clear_free(d);
433
13.5k
        if (q != NULL)
434
13.5k
                EC_POINT_free(q);
435
13.5k
        if (ec != NULL)
436
13.5k
                EC_KEY_free(ec);
437
13.5k
438
13.5k
        return (ok);
439
13.1k
}