Coverage Report

Created: 2022-07-22 12:05

/libfido2/src/es256.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include <openssl/bn.h>
8
#include <openssl/ecdsa.h>
9
#include <openssl/obj_mac.h>
10
11
#include "fido.h"
12
#include "fido/es256.h"
13
14
#if OPENSSL_VERSION_NUMBER >= 0x30000000
15
#define get0_EC_KEY(x)  EVP_PKEY_get0_EC_KEY((x))
16
#else
17
54
#define get0_EC_KEY(x)  EVP_PKEY_get0((x))
18
#endif
19
20
static const int es256_nid = NID_X9_62_prime256v1;
21
22
static int
23
decode_coord(const cbor_item_t *item, void *xy, size_t xy_len)
24
4.22k
{
25
4.22k
        if (cbor_isa_bytestring(item) == false ||
26
4.22k
            cbor_bytestring_is_definite(item) == false ||
27
4.22k
            cbor_bytestring_length(item) != xy_len) {
28
34
                fido_log_debug("%s: cbor type", __func__);
29
34
                return (-1);
30
34
        }
31
32
4.18k
        memcpy(xy, cbor_bytestring_handle(item), xy_len);
33
34
4.18k
        return (0);
35
4.22k
}
36
37
static int
38
decode_pubkey_point(const cbor_item_t *key, const cbor_item_t *val, void *arg)
39
10.7k
{
40
10.7k
        es256_pk_t *k = arg;
41
42
10.7k
        if (cbor_isa_negint(key) == false ||
43
10.7k
            cbor_int_get_width(key) != CBOR_INT_8)
44
4.97k
                return (0); /* ignore */
45
46
5.74k
        switch (cbor_get_uint8(key)) {
47
2.13k
        case 1: /* x coordinate */
48
2.13k
                return (decode_coord(val, &k->x, sizeof(k->x)));
49
2.08k
        case 2: /* y coordinate */
50
2.08k
                return (decode_coord(val, &k->y, sizeof(k->y)));
51
5.74k
        }
52
53
1.52k
        return (0); /* ignore */
54
5.74k
}
55
56
int
57
es256_pk_decode(const cbor_item_t *item, es256_pk_t *k)
58
2.17k
{
59
2.17k
        if (cbor_isa_map(item) == false ||
60
2.17k
            cbor_map_is_definite(item) == false ||
61
2.17k
            cbor_map_iter(item, k, decode_pubkey_point) < 0) {
62
60
                fido_log_debug("%s: cbor type", __func__);
63
60
                return (-1);
64
60
        }
65
66
2.11k
        return (0);
67
2.17k
}
68
69
cbor_item_t *
70
es256_pk_encode(const es256_pk_t *pk, int ecdh)
71
1.27k
{
72
1.27k
        cbor_item_t             *item = NULL;
73
1.27k
        struct cbor_pair         argv[5];
74
1.27k
        int                      alg;
75
1.27k
        int                      ok = -1;
76
77
1.27k
        memset(argv, 0, sizeof(argv));
78
79
1.27k
        if ((item = cbor_new_definite_map(5)) == NULL)
80
8
                goto fail;
81
82
        /* kty */
83
1.26k
        if ((argv[0].key = cbor_build_uint8(1)) == NULL ||
84
1.26k
            (argv[0].value = cbor_build_uint8(2)) == NULL ||
85
1.26k
            !cbor_map_add(item, argv[0]))
86
22
                goto fail;
87
88
        /*
89
         * "The COSEAlgorithmIdentifier used is -25 (ECDH-ES +
90
         * HKDF-256) although this is NOT the algorithm actually
91
         * used. Setting this to a different value may result in
92
         * compatibility issues."
93
         */
94
1.24k
        if (ecdh)
95
1.16k
                alg = COSE_ECDH_ES256;
96
72
        else
97
72
                alg = COSE_ES256;
98
99
        /* alg */
100
1.24k
        if ((argv[1].key = cbor_build_uint8(3)) == NULL ||
101
1.24k
            (argv[1].value = cbor_build_negint8((uint8_t)(-alg - 1))) == NULL ||
102
1.24k
            !cbor_map_add(item, argv[1]))
103
26
                goto fail;
104
105
        /* crv */
106
1.21k
        if ((argv[2].key = cbor_build_negint8(0)) == NULL ||
107
1.21k
            (argv[2].value = cbor_build_uint8(1)) == NULL ||
108
1.21k
            !cbor_map_add(item, argv[2]))
109
24
                goto fail;
110
111
        /* x */
112
1.19k
        if ((argv[3].key = cbor_build_negint8(1)) == NULL ||
113
1.19k
            (argv[3].value = cbor_build_bytestring(pk->x,
114
1.18k
            sizeof(pk->x))) == NULL || !cbor_map_add(item, argv[3]))
115
19
                goto fail;
116
117
        /* y */
118
1.17k
        if ((argv[4].key = cbor_build_negint8(2)) == NULL ||
119
1.17k
            (argv[4].value = cbor_build_bytestring(pk->y,
120
1.16k
            sizeof(pk->y))) == NULL || !cbor_map_add(item, argv[4]))
121
18
                goto fail;
122
123
1.15k
        ok = 0;
124
1.27k
fail:
125
1.27k
        if (ok < 0) {
126
117
                if (item != NULL) {
127
109
                        cbor_decref(&item);
128
109
                        item = NULL;
129
109
                }
130
117
        }
131
132
7.62k
        for (size_t i = 0; i < 5; i++) {
133
6.35k
                if (argv[i].key)
134
6.04k
                        cbor_decref(&argv[i].key);
135
6.35k
                if (argv[i].value)
136
6.00k
                        cbor_decref(&argv[i].value);
137
6.35k
        }
138
139
1.27k
        return (item);
140
1.15k
}
141
142
es256_sk_t *
143
es256_sk_new(void)
144
3.83k
{
145
3.83k
        return (calloc(1, sizeof(es256_sk_t)));
146
3.83k
}
147
148
void
149
es256_sk_free(es256_sk_t **skp)
150
3.83k
{
151
3.83k
        es256_sk_t *sk;
152
153
3.83k
        if (skp == NULL || (sk = *skp) == NULL)
154
15
                return;
155
156
3.82k
        freezero(sk, sizeof(*sk));
157
3.82k
        *skp = NULL;
158
3.82k
}
159
160
es256_pk_t *
161
es256_pk_new(void)
162
7.75k
{
163
7.75k
        return (calloc(1, sizeof(es256_pk_t)));
164
7.75k
}
165
166
void
167
es256_pk_free(es256_pk_t **pkp)
168
18.0k
{
169
18.0k
        es256_pk_t *pk;
170
171
18.0k
        if (pkp == NULL || (pk = *pkp) == NULL)
172
10.3k
                return;
173
174
7.70k
        freezero(pk, sizeof(*pk));
175
7.70k
        *pkp = NULL;
176
7.70k
}
177
178
int
179
es256_pk_from_ptr(es256_pk_t *pk, const void *ptr, size_t len)
180
419
{
181
419
        const uint8_t   *p = ptr;
182
419
        EVP_PKEY        *pkey;
183
184
419
        if (len < sizeof(*pk))
185
293
                return (FIDO_ERR_INVALID_ARGUMENT);
186
187
126
        if (len == sizeof(*pk) + 1 && *p == 0x04)
188
2
                memcpy(pk, ++p, sizeof(*pk)); /* uncompressed format */
189
124
        else
190
124
                memcpy(pk, ptr, sizeof(*pk)); /* libfido2 x||y format */
191
192
126
        if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL) {
193
70
                fido_log_debug("%s: es256_pk_to_EVP_PKEY", __func__);
194
70
                explicit_bzero(pk, sizeof(*pk));
195
70
                return (FIDO_ERR_INVALID_ARGUMENT);
196
70
        }
197
198
56
        EVP_PKEY_free(pkey);
199
200
56
        return (FIDO_OK);
201
126
}
202
203
int
204
es256_pk_set_x(es256_pk_t *pk, const unsigned char *x)
205
74
{
206
74
        memcpy(pk->x, x, sizeof(pk->x));
207
208
74
        return (0);
209
74
}
210
211
int
212
es256_pk_set_y(es256_pk_t *pk, const unsigned char *y)
213
74
{
214
74
        memcpy(pk->y, y, sizeof(pk->y));
215
216
74
        return (0);
217
74
}
218
219
int
220
es256_sk_create(es256_sk_t *key)
221
3.80k
{
222
3.80k
        EVP_PKEY_CTX    *pctx = NULL;
223
3.80k
        EVP_PKEY_CTX    *kctx = NULL;
224
3.80k
        EVP_PKEY        *p = NULL;
225
3.80k
        EVP_PKEY        *k = NULL;
226
3.80k
        const EC_KEY    *ec;
227
3.80k
        const BIGNUM    *d;
228
3.80k
        int              n;
229
3.80k
        int              ok = -1;
230
231
3.80k
        if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL ||
232
3.80k
            EVP_PKEY_paramgen_init(pctx) <= 0 ||
233
3.80k
            EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, es256_nid) <= 0 ||
234
3.80k
            EVP_PKEY_paramgen(pctx, &p) <= 0) {
235
89
                fido_log_debug("%s: EVP_PKEY_paramgen", __func__);
236
89
                goto fail;
237
89
        }
238
239
3.71k
        if ((kctx = EVP_PKEY_CTX_new(p, NULL)) == NULL ||
240
3.71k
            EVP_PKEY_keygen_init(kctx) <= 0 || EVP_PKEY_keygen(kctx, &k) <= 0) {
241
52
                fido_log_debug("%s: EVP_PKEY_keygen", __func__);
242
52
                goto fail;
243
52
        }
244
245
3.65k
        if ((ec = EVP_PKEY_get0_EC_KEY(k)) == NULL ||
246
3.65k
            (d = EC_KEY_get0_private_key(ec)) == NULL ||
247
3.65k
            (n = BN_num_bytes(d)) < 0 || (size_t)n > sizeof(key->d) ||
248
3.65k
            (n = BN_bn2bin(d, key->d)) < 0 || (size_t)n > sizeof(key->d)) {
249
55
                fido_log_debug("%s: EC_KEY_get0_private_key", __func__);
250
55
                goto fail;
251
55
        }
252
253
3.60k
        ok = 0;
254
3.80k
fail:
255
3.80k
        if (p != NULL)
256
3.71k
                EVP_PKEY_free(p);
257
3.80k
        if (k != NULL)
258
3.65k
                EVP_PKEY_free(k);
259
3.80k
        if (pctx != NULL)
260
3.77k
                EVP_PKEY_CTX_free(pctx);
261
3.80k
        if (kctx != NULL)
262
3.69k
                EVP_PKEY_CTX_free(kctx);
263
264
3.80k
        return (ok);
265
3.60k
}
266
267
EVP_PKEY *
268
es256_pk_to_EVP_PKEY(const es256_pk_t *k)
269
2.27k
{
270
2.27k
        BN_CTX          *bnctx = NULL;
271
2.27k
        EC_KEY          *ec = NULL;
272
2.27k
        EC_POINT        *q = NULL;
273
2.27k
        EVP_PKEY        *pkey = NULL;
274
2.27k
        BIGNUM          *x = NULL;
275
2.27k
        BIGNUM          *y = NULL;
276
2.27k
        const EC_GROUP  *g = NULL;
277
2.27k
        int              ok = -1;
278
279
2.27k
        if ((bnctx = BN_CTX_new()) == NULL)
280
21
                goto fail;
281
282
2.25k
        BN_CTX_start(bnctx);
283
284
2.25k
        if ((x = BN_CTX_get(bnctx)) == NULL ||
285
2.25k
            (y = BN_CTX_get(bnctx)) == NULL)
286
27
                goto fail;
287
288
2.23k
        if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL ||
289
2.23k
            BN_bin2bn(k->y, sizeof(k->y), y) == NULL) {
290
39
                fido_log_debug("%s: BN_bin2bn", __func__);
291
39
                goto fail;
292
39
        }
293
294
2.19k
        if ((ec = EC_KEY_new_by_curve_name(es256_nid)) == NULL ||
295
2.19k
            (g = EC_KEY_get0_group(ec)) == NULL) {
296
26
                fido_log_debug("%s: EC_KEY init", __func__);
297
26
                goto fail;
298
26
        }
299
300
2.16k
        if ((q = EC_POINT_new(g)) == NULL ||
301
2.16k
            EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
302
2.16k
            EC_KEY_set_public_key(ec, q) == 0) {
303
462
                fido_log_debug("%s: EC_KEY_set_public_key", __func__);
304
462
                goto fail;
305
462
        }
306
307
1.70k
        if ((pkey = EVP_PKEY_new()) == NULL ||
308
1.70k
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
309
16
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
310
16
                goto fail;
311
16
        }
312
313
1.68k
        ec = NULL; /* at this point, ec belongs to evp */
314
315
1.68k
        ok = 0;
316
2.27k
fail:
317
2.27k
        if (bnctx != NULL) {
318
2.25k
                BN_CTX_end(bnctx);
319
2.25k
                BN_CTX_free(bnctx);
320
2.25k
        }
321
322
2.27k
        if (ec != NULL)
323
491
                EC_KEY_free(ec);
324
2.27k
        if (q != NULL)
325
2.15k
                EC_POINT_free(q);
326
327
2.27k
        if (ok < 0 && pkey != NULL) {
328
9
                EVP_PKEY_free(pkey);
329
9
                pkey = NULL;
330
9
        }
331
332
2.27k
        return (pkey);
333
1.68k
}
334
335
int
336
es256_pk_from_EC_KEY(es256_pk_t *pk, const EC_KEY *ec)
337
3.57k
{
338
3.57k
        BN_CTX          *bnctx = NULL;
339
3.57k
        BIGNUM          *x = NULL;
340
3.57k
        BIGNUM          *y = NULL;
341
3.57k
        const EC_POINT  *q = NULL;
342
3.57k
        EC_GROUP        *g = NULL;
343
3.57k
        size_t           dx;
344
3.57k
        size_t           dy;
345
3.57k
        int              ok = FIDO_ERR_INTERNAL;
346
3.57k
        int              nx;
347
3.57k
        int              ny;
348
349
3.57k
        if ((q = EC_KEY_get0_public_key(ec)) == NULL ||
350
3.57k
            (g = EC_GROUP_new_by_curve_name(es256_nid)) == NULL ||
351
3.57k
            (bnctx = BN_CTX_new()) == NULL)
352
24
                goto fail;
353
354
3.54k
        BN_CTX_start(bnctx);
355
356
3.54k
        if ((x = BN_CTX_get(bnctx)) == NULL ||
357
3.54k
            (y = BN_CTX_get(bnctx)) == NULL)
358
48
                goto fail;
359
360
3.49k
        if (EC_POINT_is_on_curve(g, q, bnctx) != 1) {
361
0
                fido_log_debug("%s: EC_POINT_is_on_curve", __func__);
362
0
                ok = FIDO_ERR_INVALID_ARGUMENT;
363
0
                goto fail;
364
0
        }
365
366
3.49k
        if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
367
3.49k
            (nx = BN_num_bytes(x)) < 0 || (size_t)nx > sizeof(pk->x) ||
368
3.49k
            (ny = BN_num_bytes(y)) < 0 || (size_t)ny > sizeof(pk->y)) {
369
19
                fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp",
370
19
                    __func__);
371
19
                goto fail;
372
19
        }
373
374
3.47k
        dx = sizeof(pk->x) - (size_t)nx;
375
3.47k
        dy = sizeof(pk->y) - (size_t)ny;
376
377
3.47k
        if ((nx = BN_bn2bin(x, pk->x + dx)) < 0 || (size_t)nx > sizeof(pk->x) ||
378
3.47k
            (ny = BN_bn2bin(y, pk->y + dy)) < 0 || (size_t)ny > sizeof(pk->y)) {
379
50
                fido_log_debug("%s: BN_bn2bin", __func__);
380
50
                goto fail;
381
50
        }
382
383
3.42k
        ok = FIDO_OK;
384
3.57k
fail:
385
3.57k
        EC_GROUP_free(g);
386
387
3.57k
        if (bnctx != NULL) {
388
3.54k
                BN_CTX_end(bnctx);
389
3.54k
                BN_CTX_free(bnctx);
390
3.54k
        }
391
392
3.57k
        return (ok);
393
3.42k
}
394
395
int
396
es256_pk_from_EVP_PKEY(es256_pk_t *pk, const EVP_PKEY *pkey)
397
54
{
398
54
        const EC_KEY *ec;
399
400
54
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC ||
401
54
            (ec = get0_EC_KEY(pkey)) == NULL)
402
0
                return (FIDO_ERR_INVALID_ARGUMENT);
403
404
54
        return (es256_pk_from_EC_KEY(pk, ec));
405
54
}
406
407
EVP_PKEY *
408
es256_sk_to_EVP_PKEY(const es256_sk_t *k)
409
1.53k
{
410
1.53k
        BN_CTX          *bnctx = NULL;
411
1.53k
        EC_KEY          *ec = NULL;
412
1.53k
        EVP_PKEY        *pkey = NULL;
413
1.53k
        BIGNUM          *d = NULL;
414
1.53k
        int              ok = -1;
415
416
1.53k
        if ((bnctx = BN_CTX_new()) == NULL)
417
8
                goto fail;
418
419
1.52k
        BN_CTX_start(bnctx);
420
421
1.52k
        if ((d = BN_CTX_get(bnctx)) == NULL ||
422
1.52k
            BN_bin2bn(k->d, sizeof(k->d), d) == NULL) {
423
20
                fido_log_debug("%s: BN_bin2bn", __func__);
424
20
                goto fail;
425
20
        }
426
427
1.50k
        if ((ec = EC_KEY_new_by_curve_name(es256_nid)) == NULL ||
428
1.50k
            EC_KEY_set_private_key(ec, d) == 0) {
429
8
                fido_log_debug("%s: EC_KEY_set_private_key", __func__);
430
8
                goto fail;
431
8
        }
432
433
1.49k
        if ((pkey = EVP_PKEY_new()) == NULL ||
434
1.49k
            EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
435
12
                fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
436
12
                goto fail;
437
12
        }
438
439
1.48k
        ec = NULL; /* at this point, ec belongs to evp */
440
441
1.48k
        ok = 0;
442
1.53k
fail:
443
1.53k
        if (bnctx != NULL) {
444
1.52k
                BN_CTX_end(bnctx);
445
1.52k
                BN_CTX_free(bnctx);
446
1.52k
        }
447
448
1.53k
        if (ec != NULL)
449
12
                EC_KEY_free(ec);
450
451
1.53k
        if (ok < 0 && pkey != NULL) {
452
6
                EVP_PKEY_free(pkey);
453
6
                pkey = NULL;
454
6
        }
455
456
1.53k
        return (pkey);
457
1.48k
}
458
459
int
460
es256_derive_pk(const es256_sk_t *sk, es256_pk_t *pk)
461
3.60k
{
462
3.60k
        BIGNUM          *d = NULL;
463
3.60k
        EC_KEY          *ec = NULL;
464
3.60k
        EC_POINT        *q = NULL;
465
3.60k
        const EC_GROUP  *g = NULL;
466
3.60k
        int              ok = -1;
467
468
3.60k
        if ((d = BN_bin2bn(sk->d, (int)sizeof(sk->d), NULL)) == NULL ||
469
3.60k
            (ec = EC_KEY_new_by_curve_name(es256_nid)) == NULL ||
470
3.60k
            (g = EC_KEY_get0_group(ec)) == NULL ||
471
3.60k
            (q = EC_POINT_new(g)) == NULL) {
472
88
                fido_log_debug("%s: get", __func__);
473
88
                goto fail;
474
88
        }
475
476
3.51k
        if (EC_POINT_mul(g, q, d, NULL, NULL, NULL) == 0 ||
477
3.51k
            EC_KEY_set_public_key(ec, q) == 0 ||
478
3.51k
            es256_pk_from_EC_KEY(pk, ec) != FIDO_OK) {
479
132
                fido_log_debug("%s: set", __func__);
480
132
                goto fail;
481
132
        }
482
483
3.38k
        ok = 0;
484
3.60k
fail:
485
3.60k
        if (d != NULL)
486
3.57k
                BN_clear_free(d);
487
3.60k
        if (q != NULL)
488
3.51k
                EC_POINT_free(q);
489
3.60k
        if (ec != NULL)
490
3.55k
                EC_KEY_free(ec);
491
492
3.60k
        return (ok);
493
3.38k
}
494
495
int
496
es256_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey,
497
    const fido_blob_t *sig)
498
76
{
499
76
        EVP_PKEY_CTX    *pctx = NULL;
500
76
        int              ok = -1;
501
502
76
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
503
0
                fido_log_debug("%s: EVP_PKEY_base_id", __func__);
504
0
                goto fail;
505
0
        }
506
507
76
        if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL ||
508
76
            EVP_PKEY_verify_init(pctx) != 1 ||
509
76
            EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr,
510
76
            dgst->len) != 1) {
511
76
                fido_log_debug("%s: EVP_PKEY_verify", __func__);
512
76
                goto fail;
513
76
        }
514
515
0
        ok = 0;
516
76
fail:
517
76
        EVP_PKEY_CTX_free(pctx);
518
519
76
        return (ok);
520
0
}
521
522
int
523
es256_pk_verify_sig(const fido_blob_t *dgst, const es256_pk_t *pk,
524
    const fido_blob_t *sig)
525
64
{
526
64
        EVP_PKEY        *pkey;
527
64
        int              ok = -1;
528
529
64
        if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
530
64
            es256_verify_sig(dgst, pkey, sig) < 0) {
531
64
                fido_log_debug("%s: es256_verify_sig", __func__);
532
64
                goto fail;
533
64
        }
534
535
0
        ok = 0;
536
64
fail:
537
64
        EVP_PKEY_free(pkey);
538
539
64
        return (ok);
540
0
}