Coverage Report

Created: 2021-03-26 11:35

/libfido2/src/aes256.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2021 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include "fido.h"
8
9
static int
10
aes256_cbc(const fido_blob_t *key, const u_char *iv, const fido_blob_t *in,
11
    fido_blob_t *out, int encrypt)
12
5.38k
{
13
5.38k
        EVP_CIPHER_CTX *ctx = NULL;
14
5.38k
        const EVP_CIPHER *cipher;
15
5.38k
        int ok = -1;
16
5.38k
17
5.38k
        memset(out, 0, sizeof(*out));
18
5.38k
19
5.38k
        if (key->len != 32) {
20
0
                fido_log_debug("%s: invalid key len %zu", __func__, key->len);
21
0
                goto fail;
22
0
        }
23
5.38k
        if (in->len > UINT_MAX || in->len % 16 || in->len == 0) {
24
133
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
25
133
                goto fail;
26
133
        }
27
5.25k
        out->len = in->len;
28
5.25k
        if ((out->ptr = calloc(1, out->len)) == NULL) {
29
14
                fido_log_debug("%s: calloc", __func__);
30
14
                goto fail;
31
14
        }
32
5.23k
        if ((ctx = EVP_CIPHER_CTX_new()) == NULL ||
33
5.23k
            (cipher = EVP_aes_256_cbc()) == NULL) {
34
15
                fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__);
35
15
                goto fail;
36
15
        }
37
5.22k
        if (EVP_CipherInit(ctx, cipher, key->ptr, iv, encrypt) == 0 ||
38
5.22k
            EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)out->len) < 0) {
39
31
                fido_log_debug("%s: EVP_Cipher", __func__);
40
31
                goto fail;
41
31
        }
42
5.19k
43
5.19k
        ok = 0;
44
5.38k
fail:
45
5.38k
        if (ctx != NULL)
46
5.38k
                EVP_CIPHER_CTX_free(ctx);
47
5.38k
        if (ok < 0)
48
193
                fido_blob_reset(out);
49
5.38k
50
5.38k
        return ok;
51
5.19k
}
52
53
static int
54
aes256_cbc_proto1(const fido_blob_t *key, const fido_blob_t *in,
55
    fido_blob_t *out, int encrypt)
56
5.00k
{
57
5.00k
        u_char iv[16];
58
5.00k
59
5.00k
        memset(&iv, 0, sizeof(iv));
60
5.00k
61
5.00k
        return aes256_cbc(key, iv, in, out, encrypt);
62
5.00k
}
63
64
static int
65
aes256_cbc_fips(const fido_blob_t *secret, const fido_blob_t *in,
66
    fido_blob_t *out, int encrypt)
67
410
{
68
410
        fido_blob_t key, cin, cout;
69
410
        u_char iv[16];
70
410
71
410
        memset(out, 0, sizeof(*out));
72
410
73
410
        if (secret->len != 64) {
74
0
                fido_log_debug("%s: invalid secret len %zu", __func__,
75
0
                    secret->len);
76
0
                return -1;
77
0
        }
78
410
        if (in->len < sizeof(iv)) {
79
32
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
80
32
                return -1;
81
32
        }
82
378
        if (encrypt) {
83
321
                if (fido_get_random(iv, sizeof(iv)) < 0) {
84
0
                        fido_log_debug("%s: fido_get_random", __func__);
85
0
                        return -1;
86
0
                }
87
321
                cin = *in;
88
321
        } else {
89
57
                memcpy(iv, in->ptr, sizeof(iv));
90
57
                cin.ptr = in->ptr + sizeof(iv);
91
57
                cin.len = in->len - sizeof(iv);
92
57
        }
93
378
        key.ptr = secret->ptr + 32;
94
378
        key.len = secret->len - 32;
95
378
        if (aes256_cbc(&key, iv, &cin, &cout, encrypt) < 0)
96
65
                return -1;
97
313
        if (encrypt) {
98
310
                if (cout.len > SIZE_MAX - sizeof(iv) ||
99
310
                    (out->ptr = calloc(1, sizeof(iv) + cout.len)) == NULL) {
100
7
                        fido_blob_reset(&cout);
101
7
                        return -1;
102
7
                }
103
303
                out->len = sizeof(iv) + cout.len;
104
303
                memcpy(out->ptr, iv, sizeof(iv));
105
303
                memcpy(out->ptr + sizeof(iv), cout.ptr, cout.len);
106
303
                fido_blob_reset(&cout);
107
303
        } else
108
3
                *out = cout;
109
313
110
313
        return 0;
111
313
}
112
113
static int
114
aes256_gcm(const fido_blob_t *key, const fido_blob_t *nonce,
115
    const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out,
116
    int encrypt)
117
911
{
118
911
        EVP_CIPHER_CTX *ctx = NULL;
119
911
        const EVP_CIPHER *cipher;
120
911
        size_t textlen;
121
911
        int ok = -1;
122
911
123
911
        memset(out, 0, sizeof(*out));
124
911
125
911
        if (nonce->len != 12 || key->len != 32 || aad->len > UINT_MAX) {
126
0
                fido_log_debug("%s: invalid params %zu, %zu, %zu", __func__,
127
0
                    nonce->len, key->len, aad->len);
128
0
                goto fail;
129
0
        }
130
911
        if (in->len > UINT_MAX || in->len > SIZE_MAX - 16 || in->len < 16) {
131
139
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
132
139
                goto fail;
133
139
        }
134
772
        /* add tag to (on encrypt) or trim tag from the output (on decrypt) */
135
772
        out->len = encrypt ? in->len + 16 : in->len - 16;
136
772
        if ((out->ptr = calloc(1, out->len)) == NULL) {
137
5
                fido_log_debug("%s: calloc", __func__);
138
5
                goto fail;
139
5
        }
140
767
        if ((ctx = EVP_CIPHER_CTX_new()) == NULL ||
141
767
            (cipher = EVP_aes_256_gcm()) == NULL) {
142
4
                fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__);
143
4
                goto fail;
144
4
        }
145
763
        if (EVP_CipherInit(ctx, cipher, key->ptr, nonce->ptr, encrypt) == 0) {
146
3
                fido_log_debug("%s: EVP_CipherInit", __func__);
147
3
                goto fail;
148
3
        }
149
760
150
760
        if (encrypt)
151
416
                textlen = in->len;
152
344
        else {
153
344
                textlen = in->len - 16;
154
344
                /* point openssl at the mac tag */
155
344
                if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16,
156
344
                    in->ptr + in->len - 16) == 0) {
157
3
                        fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__);
158
3
                        goto fail;
159
3
                }
160
757
        }
161
757
        /* the last EVP_Cipher() will either compute or verify the mac tag */
162
757
        if (EVP_Cipher(ctx, NULL, aad->ptr, (u_int)aad->len) < 0 ||
163
757
            EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)textlen) < 0 ||
164
757
            EVP_Cipher(ctx, NULL, NULL, 0) < 0) {
165
46
                fido_log_debug("%s: EVP_Cipher", __func__);
166
46
                goto fail;
167
46
        }
168
711
        if (encrypt) {
169
407
                /* append the mac tag */
170
407
                if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16,
171
407
                    out->ptr + out->len - 16) == 0) {
172
4
                        fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__);
173
4
                        goto fail;
174
4
                }
175
707
        }
176
707
177
707
        ok = 0;
178
911
fail:
179
911
        if (ctx != NULL)
180
911
                EVP_CIPHER_CTX_free(ctx);
181
911
        if (ok < 0)
182
204
                fido_blob_reset(out);
183
911
184
911
        return ok;
185
707
}
186
187
int
188
aes256_cbc_enc(const fido_dev_t *dev, const fido_blob_t *secret,
189
    const fido_blob_t *in, fido_blob_t *out)
190
3.13k
{
191
3.13k
        return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret,
192
2.81k
            in, out, 1) : aes256_cbc_proto1(secret, in, out, 1);
193
3.13k
}
194
195
int
196
aes256_cbc_dec(const fido_dev_t *dev, const fido_blob_t *secret,
197
    const fido_blob_t *in, fido_blob_t *out)
198
2.28k
{
199
2.28k
        return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret,
200
2.19k
            in, out, 0) : aes256_cbc_proto1(secret, in, out, 0);
201
2.28k
}
202
203
int
204
aes256_gcm_enc(const fido_blob_t *key, const fido_blob_t *nonce,
205
    const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out)
206
563
{
207
563
        return aes256_gcm(key, nonce, aad, in, out, 1);
208
563
}
209
210
int
211
aes256_gcm_dec(const fido_blob_t *key, const fido_blob_t *nonce,
212
    const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out)
213
348
{
214
348
        return aes256_gcm(key, nonce, aad, in, out, 0);
215
348
}