| Line | Count | Source | 
| 1 |  | /* | 
| 2 |  |  * Copyright (c) 2018-2022 Yubico AB. All rights reserved. | 
| 3 |  |  * Use of this source code is governed by a BSD-style | 
| 4 |  |  * license that can be found in the LICENSE file. | 
| 5 |  |  * SPDX-License-Identifier: BSD-2-Clause | 
| 6 |  |  */ | 
| 7 |  |  | 
| 8 |  | #include <openssl/bn.h> | 
| 9 |  | #include <openssl/rsa.h> | 
| 10 |  | #include <openssl/obj_mac.h> | 
| 11 |  |  | 
| 12 |  | #include "fido.h" | 
| 13 |  | #include "fido/rs256.h" | 
| 14 |  |  | 
| 15 |  | #if OPENSSL_VERSION_NUMBER >= 0x30000000 | 
| 16 | 288 | #define get0_RSA(x)     EVP_PKEY_get0_RSA((x)) | 
| 17 |  | #else | 
| 18 |  | #define get0_RSA(x)     EVP_PKEY_get0((x)) | 
| 19 |  | #endif | 
| 20 |  |  | 
| 21 |  | #if defined(__GNUC__) | 
| 22 |  | #define PRAGMA(s) _Pragma(s) | 
| 23 |  | #else | 
| 24 |  | #define PRAGMA(s) | 
| 25 |  | #endif | 
| 26 |  |  | 
| 27 |  | static EVP_MD * | 
| 28 |  | rs256_get_EVP_MD(void) | 
| 29 | 177 | { | 
| 30 | 177 | PRAGMA("GCC diagnostic push") | 
| 31 | 177 | PRAGMA("GCC diagnostic ignored \"-Wcast-qual\"") | 
| 32 | 177 |         return ((EVP_MD *)EVP_sha256()); | 
| 33 | 177 | PRAGMA("GCC diagnostic pop") | 
| 34 | 177 | } | 
| 35 |  |  | 
| 36 |  | static int | 
| 37 |  | decode_bignum(const cbor_item_t *item, void *ptr, size_t len) | 
| 38 | 692 | { | 
| 39 | 692 |         if (cbor_isa_bytestring(item) == false || | 
| 40 | 692 |             cbor_bytestring_is_definite(item) == false || | 
| 41 | 692 |             cbor_bytestring_length(item) != len) { | 
| 42 | 36 |                 fido_log_debug("%s: cbor type", __func__); | 
| 43 | 36 |                 return (-1); | 
| 44 | 36 |         } | 
| 45 |  |  | 
| 46 | 656 |         memcpy(ptr, cbor_bytestring_handle(item), len); | 
| 47 |  |  | 
| 48 | 656 |         return (0); | 
| 49 | 692 | } | 
| 50 |  |  | 
| 51 |  | static int | 
| 52 |  | decode_rsa_pubkey(const cbor_item_t *key, const cbor_item_t *val, void *arg) | 
| 53 | 2.11k | { | 
| 54 | 2.11k |         rs256_pk_t *k = arg; | 
| 55 |  |  | 
| 56 | 2.11k |         if (cbor_isa_negint(key) == false || | 
| 57 | 2.11k |             cbor_int_get_width(key) != CBOR_INT_8) | 
| 58 | 1.29k |                 return (0); /* ignore */ | 
| 59 |  |  | 
| 60 | 819 |         switch (cbor_get_uint8(key)) { | 
| 61 | 360 |         case 0: /* modulus */ | 
| 62 | 360 |                 return (decode_bignum(val, &k->n, sizeof(k->n))); | 
| 63 | 332 |         case 1: /* public exponent */ | 
| 64 | 332 |                 return (decode_bignum(val, &k->e, sizeof(k->e))); | 
| 65 | 819 |         } | 
| 66 |  |  | 
| 67 | 127 |         return (0); /* ignore */ | 
| 68 | 819 | } | 
| 69 |  |  | 
| 70 |  | int | 
| 71 |  | rs256_pk_decode(const cbor_item_t *item, rs256_pk_t *k) | 
| 72 | 560 | { | 
| 73 | 560 |         if (cbor_isa_map(item) == false || | 
| 74 | 560 |             cbor_map_is_definite(item) == false || | 
| 75 | 560 |             cbor_map_iter(item, k, decode_rsa_pubkey) < 0) { | 
| 76 | 56 |                 fido_log_debug("%s: cbor type", __func__); | 
| 77 | 56 |                 return (-1); | 
| 78 | 56 |         } | 
| 79 |  |  | 
| 80 | 504 |         return (0); | 
| 81 | 560 | } | 
| 82 |  |  | 
| 83 |  | rs256_pk_t * | 
| 84 |  | rs256_pk_new(void) | 
| 85 | 3.09k | { | 
| 86 | 3.09k |         return (calloc(1, sizeof(rs256_pk_t))); | 
| 87 | 3.09k | } | 
| 88 |  |  | 
| 89 |  | void | 
| 90 |  | rs256_pk_free(rs256_pk_t **pkp) | 
| 91 | 13.9k | { | 
| 92 | 13.9k |         rs256_pk_t *pk; | 
| 93 |  |  | 
| 94 | 13.9k |         if (pkp == NULL || (pk = *pkp) == NULL) | 
| 95 | 10.8k |                 return; | 
| 96 |  |  | 
| 97 | 3.07k |         freezero(pk, sizeof(*pk)); | 
| 98 | 3.07k |         *pkp = NULL; | 
| 99 | 3.07k | } | 
| 100 |  |  | 
| 101 |  | int | 
| 102 |  | rs256_pk_from_ptr(rs256_pk_t *pk, const void *ptr, size_t len) | 
| 103 | 2.78k | { | 
| 104 | 2.78k |         EVP_PKEY *pkey; | 
| 105 |  |  | 
| 106 | 2.78k |         if (len < sizeof(*pk)) | 
| 107 | 2.24k |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 108 |  |  | 
| 109 | 541 |         memcpy(pk, ptr, sizeof(*pk)); | 
| 110 |  |  | 
| 111 | 541 |         if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL) { | 
| 112 | 246 |                 fido_log_debug("%s: rs256_pk_to_EVP_PKEY", __func__); | 
| 113 | 246 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 114 | 246 |         } | 
| 115 |  |  | 
| 116 | 295 |         EVP_PKEY_free(pkey); | 
| 117 |  |  | 
| 118 | 295 |         return (FIDO_OK); | 
| 119 | 541 | } | 
| 120 |  |  | 
| 121 |  | EVP_PKEY * | 
| 122 |  | rs256_pk_to_EVP_PKEY(const rs256_pk_t *k) | 
| 123 | 3.65k | { | 
| 124 | 3.65k |         RSA             *rsa = NULL; | 
| 125 | 3.65k |         EVP_PKEY        *pkey = NULL; | 
| 126 | 3.65k |         BIGNUM          *n = NULL; | 
| 127 | 3.65k |         BIGNUM          *e = NULL; | 
| 128 | 3.65k |         int              ok = -1; | 
| 129 |  |  | 
| 130 | 3.65k |         if ((n = BN_new()) == NULL || (e = BN_new()) == NULL) | 
| 131 | 82 |                 goto fail; | 
| 132 |  |  | 
| 133 | 3.57k |         if (BN_bin2bn(k->n, sizeof(k->n), n) == NULL || | 
| 134 | 3.57k |             BN_bin2bn(k->e, sizeof(k->e), e) == NULL) { | 
| 135 | 147 |                 fido_log_debug("%s: BN_bin2bn", __func__); | 
| 136 | 147 |                 goto fail; | 
| 137 | 147 |         } | 
| 138 |  |  | 
| 139 | 3.42k |         if ((rsa = RSA_new()) == NULL || RSA_set0_key(rsa, n, e, NULL) == 0) { | 
| 140 | 78 |                 fido_log_debug("%s: RSA_set0_key", __func__); | 
| 141 | 78 |                 goto fail; | 
| 142 | 78 |         } | 
| 143 |  |  | 
| 144 |  |         /* at this point, n and e belong to rsa */ | 
| 145 | 3.35k |         n = NULL; | 
| 146 | 3.35k |         e = NULL; | 
| 147 |  |  | 
| 148 | 3.35k |         if (RSA_bits(rsa) != 2048) { | 
| 149 | 2.55k |                 fido_log_debug("%s: invalid key length", __func__); | 
| 150 | 2.55k |                 goto fail; | 
| 151 | 2.55k |         } | 
| 152 |  |  | 
| 153 | 799 |         if ((pkey = EVP_PKEY_new()) == NULL || | 
| 154 | 799 |             EVP_PKEY_assign_RSA(pkey, rsa) == 0) { | 
| 155 | 35 |                 fido_log_debug("%s: EVP_PKEY_assign_RSA", __func__); | 
| 156 | 35 |                 goto fail; | 
| 157 | 35 |         } | 
| 158 |  |  | 
| 159 | 764 |         rsa = NULL; /* at this point, rsa belongs to evp */ | 
| 160 |  |  | 
| 161 | 764 |         ok = 0; | 
| 162 | 3.65k | fail: | 
| 163 | 3.65k |         if (n != NULL) | 
| 164 | 277 |                 BN_free(n); | 
| 165 | 3.65k |         if (e != NULL) | 
| 166 | 225 |                 BN_free(e); | 
| 167 | 3.65k |         if (rsa != NULL) | 
| 168 | 2.63k |                 RSA_free(rsa); | 
| 169 | 3.65k |         if (ok < 0 && pkey != NULL) { | 
| 170 | 21 |                 EVP_PKEY_free(pkey); | 
| 171 | 21 |                 pkey = NULL; | 
| 172 | 21 |         } | 
| 173 |  |  | 
| 174 | 3.65k |         return (pkey); | 
| 175 | 764 | } | 
| 176 |  |  | 
| 177 |  | int | 
| 178 |  | rs256_pk_from_RSA(rs256_pk_t *pk, const RSA *rsa) | 
| 179 | 283 | { | 
| 180 | 283 |         const BIGNUM    *n = NULL; | 
| 181 | 283 |         const BIGNUM    *e = NULL; | 
| 182 | 283 |         const BIGNUM    *d = NULL; | 
| 183 | 283 |         int              k; | 
| 184 |  |  | 
| 185 | 283 |         if (RSA_bits(rsa) != 2048) { | 
| 186 | 0 |                 fido_log_debug("%s: invalid key length", __func__); | 
| 187 | 0 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 188 | 0 |         } | 
| 189 |  |  | 
| 190 | 283 |         RSA_get0_key(rsa, &n, &e, &d); | 
| 191 |  |  | 
| 192 | 283 |         if (n == NULL || e == NULL) { | 
| 193 | 0 |                 fido_log_debug("%s: RSA_get0_key", __func__); | 
| 194 | 0 |                 return (FIDO_ERR_INTERNAL); | 
| 195 | 0 |         } | 
| 196 |  |  | 
| 197 | 283 |         if ((k = BN_num_bytes(n)) < 0 || (size_t)k > sizeof(pk->n) || | 
| 198 | 283 |             (k = BN_num_bytes(e)) < 0 || (size_t)k > sizeof(pk->e)) { | 
| 199 | 0 |                 fido_log_debug("%s: invalid key", __func__); | 
| 200 | 0 |                 return (FIDO_ERR_INTERNAL); | 
| 201 | 0 |         } | 
| 202 |  |  | 
| 203 | 283 |         if ((k = BN_bn2bin(n, pk->n)) < 0 || (size_t)k > sizeof(pk->n) || | 
| 204 | 283 |             (k = BN_bn2bin(e, pk->e)) < 0 || (size_t)k > sizeof(pk->e)) { | 
| 205 | 10 |                 fido_log_debug("%s: BN_bn2bin", __func__); | 
| 206 | 10 |                 return (FIDO_ERR_INTERNAL); | 
| 207 | 10 |         } | 
| 208 |  |  | 
| 209 | 273 |         return (FIDO_OK); | 
| 210 | 283 | } | 
| 211 |  |  | 
| 212 |  | int | 
| 213 |  | rs256_pk_from_EVP_PKEY(rs256_pk_t *pk, const EVP_PKEY *pkey) | 
| 214 | 288 | { | 
| 215 | 288 |         const RSA *rsa; | 
| 216 |  |  | 
| 217 | 288 |         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA || | 
| 218 | 288 |             (rsa = get0_RSA(pkey)) == NULL) | 
| 219 | 5 |                 return (FIDO_ERR_INVALID_ARGUMENT); | 
| 220 |  |  | 
| 221 | 283 |         return (rs256_pk_from_RSA(pk, rsa)); | 
| 222 | 288 | } | 
| 223 |  |  | 
| 224 |  | int | 
| 225 |  | rs256_verify_sig(const fido_blob_t *dgst, EVP_PKEY *pkey, | 
| 226 |  |     const fido_blob_t *sig) | 
| 227 | 181 | { | 
| 228 | 181 |         EVP_PKEY_CTX    *pctx = NULL; | 
| 229 | 181 |         EVP_MD          *md = NULL; | 
| 230 | 181 |         int              ok = -1; | 
| 231 |  |  | 
| 232 | 181 |         if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) { | 
| 233 | 4 |                 fido_log_debug("%s: EVP_PKEY_base_id", __func__); | 
| 234 | 4 |                 goto fail; | 
| 235 | 4 |         } | 
| 236 |  |  | 
| 237 | 177 |         if ((md = rs256_get_EVP_MD()) == NULL) { | 
| 238 | 6 |                 fido_log_debug("%s: rs256_get_EVP_MD", __func__); | 
| 239 | 6 |                 goto fail; | 
| 240 | 6 |         } | 
| 241 |  |  | 
| 242 | 171 |         if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL || | 
| 243 | 171 |             EVP_PKEY_verify_init(pctx) != 1 || | 
| 244 | 171 |             EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 || | 
| 245 | 171 |             EVP_PKEY_CTX_set_signature_md(pctx, md) != 1) { | 
| 246 | 25 |                 fido_log_debug("%s: EVP_PKEY_CTX", __func__); | 
| 247 | 25 |                 goto fail; | 
| 248 | 25 |         } | 
| 249 |  |  | 
| 250 | 146 |         if (EVP_PKEY_verify(pctx, sig->ptr, sig->len, dgst->ptr, | 
| 251 | 146 |             dgst->len) != 1) { | 
| 252 | 146 |                 fido_log_debug("%s: EVP_PKEY_verify", __func__); | 
| 253 | 146 |                 goto fail; | 
| 254 | 146 |         } | 
| 255 |  |  | 
| 256 | 0 |         ok = 0; | 
| 257 | 181 | fail: | 
| 258 | 181 |         EVP_PKEY_CTX_free(pctx); | 
| 259 |  |  | 
| 260 | 181 |         return (ok); | 
| 261 | 0 | } | 
| 262 |  |  | 
| 263 |  | int | 
| 264 |  | rs256_pk_verify_sig(const fido_blob_t *dgst, const rs256_pk_t *pk, | 
| 265 |  |     const fido_blob_t *sig) | 
| 266 | 327 | { | 
| 267 | 327 |         EVP_PKEY        *pkey; | 
| 268 | 327 |         int              ok = -1; | 
| 269 |  |  | 
| 270 | 327 |         if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL || | 
| 271 | 327 |             rs256_verify_sig(dgst, pkey, sig) < 0) { | 
| 272 | 327 |                 fido_log_debug("%s: rs256_verify_sig", __func__); | 
| 273 | 327 |                 goto fail; | 
| 274 | 327 |         } | 
| 275 |  |  | 
| 276 | 0 |         ok = 0; | 
| 277 | 327 | fail: | 
| 278 | 327 |         EVP_PKEY_free(pkey); | 
| 279 |  |  | 
| 280 | 327 |         return (ok); | 
| 281 | 0 | } |