Coverage Report

Created: 2022-04-27 14:33

/libfido2/src/rs256.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2018-2021 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include <openssl/bn.h>
8
#include <openssl/rsa.h>
9
#include <openssl/obj_mac.h>
10
11
#include "fido.h"
12
#include "fido/rs256.h"
13
14
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050200fL
15
static EVP_MD *
16
rs256_get_EVP_MD(void)
17
{
18
        const EVP_MD *from;
19
        EVP_MD *to = NULL;
20
21
        if ((from = EVP_sha256()) != NULL && (to = malloc(sizeof(*to))) != NULL)
22
                memcpy(to, from, sizeof(*to));
23
24
        return (to);
25
}
26
27
static void
28
rs256_free_EVP_MD(EVP_MD *md)
29
{
30
        freezero(md, sizeof(*md));
31
}
32
#elif OPENSSL_VERSION_NUMBER >= 0x30000000
33
static EVP_MD *
34
rs256_get_EVP_MD(void)
35
{
36
        return (EVP_MD_fetch(NULL, "SHA2-256", NULL));
37
}
38
39
static void
40
rs256_free_EVP_MD(EVP_MD *md)
41
{
42
        EVP_MD_free(md);
43
}
44
#else
45
static EVP_MD *
46
rs256_get_EVP_MD(void)
47
143
{
48
143
        const EVP_MD *md;
49
50
143
        if ((md = EVP_sha256()) == NULL)
51
5
                return (NULL);
52
53
138
        return (EVP_MD_meth_dup(md));
54
143
}
55
56
static void
57
rs256_free_EVP_MD(EVP_MD *md)
58
144
{
59
144
        EVP_MD_meth_free(md);
60
144
}
61
#endif /* LIBRESSL_VERSION_NUMBER */
62
63
static int
64
decode_bignum(const cbor_item_t *item, void *ptr, size_t len)
65
286
{
66
286
        if (cbor_isa_bytestring(item) == false ||
67
286
            cbor_bytestring_is_definite(item) == false ||
68
286
            cbor_bytestring_length(item) != len) {
69
4
                fido_log_debug("%s: cbor type", __func__);
70
4
                return (-1);
71
4
        }
72
73
282
        memcpy(ptr, cbor_bytestring_handle(item), len);
74
75
282
        return (0);
76
286
}
77
78
static int
79
decode_rsa_pubkey(const cbor_item_t *key, const cbor_item_t *val, void *arg)
80
604
{
81
604
        rs256_pk_t *k = arg;
82
83
604
        if (cbor_isa_negint(key) == false ||
84
604
            cbor_int_get_width(key) != CBOR_INT_8)
85
311
                return (0); /* ignore */
86
87
293
        switch (cbor_get_uint8(key)) {
88
147
        case 0: /* modulus */
89
147
                return (decode_bignum(val, &k->n, sizeof(k->n)));
90
139
        case 1: /* public exponent */
91
139
                return (decode_bignum(val, &k->e, sizeof(k->e)));
92
293
        }
93
94
7
        return (0); /* ignore */
95
293
}
96
97
int
98
rs256_pk_decode(const cbor_item_t *item, rs256_pk_t *k)
99
155
{
100
155
        if (cbor_isa_map(item) == false ||
101
155
            cbor_map_is_definite(item) == false ||
102
155
            cbor_map_iter(item, k, decode_rsa_pubkey) < 0) {
103
7
                fido_log_debug("%s: cbor type", __func__);
104
7
                return (-1);
105
7
        }
106
107
148
        return (0);
108
155
}
109
110
rs256_pk_t *
111
rs256_pk_new(void)
112
822
{
113
822
        return (calloc(1, sizeof(rs256_pk_t)));
114
822
}
115
116
void
117
rs256_pk_free(rs256_pk_t **pkp)
118
2.76k
{
119
2.76k
        rs256_pk_t *pk;
120
121
2.76k
        if (pkp == NULL || (pk = *pkp) == NULL)
122
1.95k
                return;
123
124
819
        freezero(pk, sizeof(*pk));
125
819
        *pkp = NULL;
126
819
}
127
128
int
129
rs256_pk_from_ptr(rs256_pk_t *pk, const void *ptr, size_t len)
130
433
{
131
433
        if (len < sizeof(*pk))
132
389
                return (FIDO_ERR_INVALID_ARGUMENT);
133
134
44
        memcpy(pk, ptr, sizeof(*pk));
135
136
44
        return (FIDO_OK);
137
433
}
138
139
EVP_PKEY *
140
rs256_pk_to_EVP_PKEY(const rs256_pk_t *k)
141
613
{
142
613
        RSA             *rsa = NULL;
143
613
        EVP_PKEY        *pkey = NULL;
144
613
        BIGNUM          *n = NULL;
145
613
        BIGNUM          *e = NULL;
146
613
        int              ok = -1;
147
148
613
        if ((n = BN_new()) == NULL || (e = BN_new()) == NULL)
149
26
                goto fail;
150
151
587
        if (BN_bin2bn(k->n, sizeof(k->n), n) == NULL ||
152
587
            BN_bin2bn(k->e, sizeof(k->e), e) == NULL) {
153
16
                fido_log_debug("%s: BN_bin2bn", __func__);
154
16
                goto fail;
155
16
        }
156
157
571
        if ((rsa = RSA_new()) == NULL || RSA_set0_key(rsa, n, e, NULL) == 0) {
158
19
                fido_log_debug("%s: RSA_set0_key", __func__);
159
19
                goto fail;
160
19
        }
161
162
        /* at this point, n and e belong to rsa */
163
552
        n = NULL;
164
552
        e = NULL;
165
166
552
        if ((pkey = EVP_PKEY_new()) == NULL ||
167
552
            EVP_PKEY_assign_RSA(pkey, rsa) == 0) {
168
21
                fido_log_debug("%s: EVP_PKEY_assign_RSA", __func__);
169
21
                goto fail;
170
21
        }
171
172
531
        rsa = NULL; /* at this point, rsa belongs to evp */
173
174
531
        ok = 0;
175
613
fail:
176
613
        if (n != NULL)
177
45
                BN_free(n);
178
613
        if (e != NULL)
179
35
                BN_free(e);
180
613
        if (rsa != NULL)
181
35
                RSA_free(rsa);
182
613
        if (ok < 0 && pkey != NULL) {
183
9
                EVP_PKEY_free(pkey);
184
9
                pkey = NULL;
185
9
        }
186
187
613
        return (pkey);
188
531
}
189
190
int
191
rs256_pk_from_RSA(rs256_pk_t *pk, const RSA *rsa)
192
386
{
193
386
        const BIGNUM    *n = NULL;
194
386
        const BIGNUM    *e = NULL;
195
386
        const BIGNUM    *d = NULL;
196
386
        int              k;
197
198
386
        if (RSA_bits(rsa) != 2048) {
199
362
                fido_log_debug("%s: invalid key length", __func__);
200
362
                return (FIDO_ERR_INVALID_ARGUMENT);
201
362
        }
202
203
24
        RSA_get0_key(rsa, &n, &e, &d);
204
205
24
        if (n == NULL || e == NULL) {
206
0
                fido_log_debug("%s: RSA_get0_key", __func__);
207
0
                return (FIDO_ERR_INTERNAL);
208
0
        }
209
210
24
        if ((k = BN_num_bytes(n)) < 0 || (size_t)k > sizeof(pk->n) ||
211
24
            (k = BN_num_bytes(e)) < 0 || (size_t)k > sizeof(pk->e)) {
212
0
                fido_log_debug("%s: invalid key", __func__);
213
0
                return (FIDO_ERR_INTERNAL);
214
0
        }
215
216
24
        if ((k = BN_bn2bin(n, pk->n)) < 0 || (size_t)k > sizeof(pk->n) ||
217
24
            (k = BN_bn2bin(e, pk->e)) < 0 || (size_t)k > sizeof(pk->e)) {
218
3
                fido_log_debug("%s: BN_bn2bin", __func__);
219
3
                return (FIDO_ERR_INTERNAL);
220
3
        }
221
222
21
        return (FIDO_OK);
223
24
}
224
225
int
226
rs256_pk_from_EVP_PKEY(rs256_pk_t *pk, const EVP_PKEY *pkey)
227
386
{
228
386
        RSA *rsa;
229
230
386
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA ||
231
386
            (rsa = EVP_PKEY_get0(pkey)) == NULL)
232
0
                return (FIDO_ERR_INVALID_ARGUMENT);
233
234
386
        return (rs256_pk_from_RSA(pk, rsa));
235
386
}
236
237
int
238
rs256_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey,
239
    const fido_blob_t *sig)
240
144
{
241
144
        EVP_PKEY_CTX    *pctx = NULL;
242
144
        EVP_MD          *md = NULL;
243
144
        int              ok = -1;
244
245
144
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
246
1
                fido_log_debug("%s: EVP_PKEY_base_id", __func__);
247
1
                goto fail;
248
1
        }
249
250
143
        if ((md = rs256_get_EVP_MD()) == NULL) {
251
5
                fido_log_debug("%s: rs256_get_EVP_MD", __func__);
252
5
                goto fail;
253
5
        }
254
255
138
        if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL ||
256
138
            EVP_PKEY_verify_init(pctx) != 1 ||
257
138
            EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 ||
258
138
            EVP_PKEY_CTX_set_signature_md(pctx, md) != 1) {
259
18
                fido_log_debug("%s: EVP_PKEY_CTX", __func__);
260
18
                goto fail;
261
18
        }
262
263
120
        if (EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr,
264
120
            dgst->len) != 1) {
265
120
                fido_log_debug("%s: EVP_PKEY_verify", __func__);
266
120
                goto fail;
267
120
        }
268
269
0
        ok = 0;
270
144
fail:
271
144
        EVP_PKEY_CTX_free(pctx);
272
144
        rs256_free_EVP_MD(md);
273
274
144
        return (ok);
275
0
}
276
277
int
278
rs256_pk_verify_sig(const fido_blob_t *dgst, const rs256_pk_t *pk,
279
    const fido_blob_t *sig)
280
180
{
281
180
        EVP_PKEY        *pkey;
282
180
        int              ok = -1;
283
284
180
        if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
285
180
            rs256_verify_sig(dgst, pkey, sig) < 0) {
286
180
                fido_log_debug("%s: rs256_verify_sig", __func__);
287
180
                goto fail;
288
180
        }
289
290
0
        ok = 0;
291
180
fail:
292
180
        EVP_PKEY_free(pkey);
293
294
180
        return (ok);
295
0
}