/libfido2/src/aes256.c

Source
/*
 * Copyright (c) 2021 Yubico AB. All rights reserved.
 * Use of this source code is governed by a BSD-style
 * license that can be found in the LICENSE file.
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include "fido.h"

static int
aes256_cbc(const fido_blob_t *key, const u_char *iv, const fido_blob_t *in,
    fido_blob_t *out, int encrypt)
{
        EVP_CIPHER_CTX *ctx = NULL;
        const EVP_CIPHER *cipher;
        int ok = -1;

        memset(out, 0, sizeof(*out));

        if (key->len != 32) {
                fido_log_debug("%s: invalid key len %zu", __func__, key->len);
                goto fail;
        }
        if (in->len > UINT_MAX || in->len % 16 || in->len == 0) {
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
                goto fail;
        }
        out->len = in->len;
        if ((out->ptr = calloc(1, out->len)) == NULL) {
                fido_log_debug("%s: calloc", __func__);
                goto fail;
        }
        if ((ctx = EVP_CIPHER_CTX_new()) == NULL ||
            (cipher = EVP_aes_256_cbc()) == NULL) {
                fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__);
                goto fail;
        }
        if (EVP_CipherInit(ctx, cipher, key->ptr, iv, encrypt) == 0 ||
            EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)out->len) < 0) {
                fido_log_debug("%s: EVP_Cipher", __func__);
                goto fail;
        }

        ok = 0;
fail:
        if (ctx != NULL)
                EVP_CIPHER_CTX_free(ctx);
        if (ok < 0)
                fido_blob_reset(out);

        return ok;
}

static int
aes256_cbc_proto1(const fido_blob_t *key, const fido_blob_t *in,
    fido_blob_t *out, int encrypt)
{
        u_char iv[16];

        memset(&iv, 0, sizeof(iv));

        return aes256_cbc(key, iv, in, out, encrypt);
}

static int
aes256_cbc_fips(const fido_blob_t *secret, const fido_blob_t *in,
    fido_blob_t *out, int encrypt)
{
        fido_blob_t key, cin, cout;
        u_char iv[16];

        memset(out, 0, sizeof(*out));

        if (secret->len != 64) {
                fido_log_debug("%s: invalid secret len %zu", __func__,
                    secret->len);
                return -1;
        }
        if (in->len < sizeof(iv)) {
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
                return -1;
        }
        if (encrypt) {
                if (fido_get_random(iv, sizeof(iv)) < 0) {
                        fido_log_debug("%s: fido_get_random", __func__);
                        return -1;
                }
                cin = *in;
        } else {
                memcpy(iv, in->ptr, sizeof(iv));
                cin.ptr = in->ptr + sizeof(iv);
                cin.len = in->len - sizeof(iv);
        }
        key.ptr = secret->ptr + 32;
        key.len = secret->len - 32;
        if (aes256_cbc(&key, iv, &cin, &cout, encrypt) < 0)
                return -1;
        if (encrypt) {
                if (cout.len > SIZE_MAX - sizeof(iv) ||
                    (out->ptr = calloc(1, sizeof(iv) + cout.len)) == NULL) {
                        fido_blob_reset(&cout);
                        return -1;
                }
                out->len = sizeof(iv) + cout.len;
                memcpy(out->ptr, iv, sizeof(iv));
                memcpy(out->ptr + sizeof(iv), cout.ptr, cout.len);
                fido_blob_reset(&cout);
        } else
                *out = cout;

        return 0;
}

static int
aes256_gcm(const fido_blob_t *key, const fido_blob_t *nonce,
    const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out,
    int encrypt)
{
        EVP_CIPHER_CTX *ctx = NULL;
        const EVP_CIPHER *cipher;
        size_t textlen;
        int ok = -1;

        memset(out, 0, sizeof(*out));

        if (nonce->len != 12 || key->len != 32 || aad->len > UINT_MAX) {
                fido_log_debug("%s: invalid params %zu, %zu, %zu", __func__,
                    nonce->len, key->len, aad->len);
                goto fail;
        }
        if (in->len > UINT_MAX || in->len > SIZE_MAX - 16) {
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
                goto fail;
        }
        if (!encrypt && in->len < 16) {
                fido_log_debug("%s: invalid input len %zu", __func__, in->len);
                goto fail;
        }
        /* add tag to (on encrypt) or trim tag from the output (on decrypt) */
        out->len = encrypt ? in->len + 16 : in->len - 16;
        if ((out->ptr = calloc(1, out->len)) == NULL) {
                fido_log_debug("%s: calloc", __func__);
                goto fail;
        }
        if ((ctx = EVP_CIPHER_CTX_new()) == NULL ||
            (cipher = EVP_aes_256_gcm()) == NULL) {
                fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__);
                goto fail;
        }
        if (EVP_CipherInit(ctx, cipher, key->ptr, nonce->ptr, encrypt) == 0) {
                fido_log_debug("%s: EVP_CipherInit", __func__);
                goto fail;
        }

        if (encrypt)
                textlen = in->len;
        else {
                textlen = in->len - 16;
                /* point openssl at the mac tag */
                if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16,
                    in->ptr + in->len - 16) == 0) {
                        fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__);
                        goto fail;
                }
        }
        /* the last EVP_Cipher() will either compute or verify the mac tag */
        if (EVP_Cipher(ctx, NULL, aad->ptr, (u_int)aad->len) < 0 ||
            EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)textlen) < 0 ||
            EVP_Cipher(ctx, NULL, NULL, 0) < 0) {
                fido_log_debug("%s: EVP_Cipher", __func__);
                goto fail;
        }
        if (encrypt) {
                /* append the mac tag */
                if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16,
                    out->ptr + out->len - 16) == 0) {
                        fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__);
                        goto fail;
                }
        }

        ok = 0;
fail:
        if (ctx != NULL)
                EVP_CIPHER_CTX_free(ctx);
        if (ok < 0)
                fido_blob_reset(out);

        return ok;
}

int
aes256_cbc_enc(const fido_dev_t *dev, const fido_blob_t *secret,
    const fido_blob_t *in, fido_blob_t *out)
{
        return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret,
            in, out, 1) : aes256_cbc_proto1(secret, in, out, 1);
}

int
aes256_cbc_dec(const fido_dev_t *dev, const fido_blob_t *secret,
    const fido_blob_t *in, fido_blob_t *out)
{
        return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret,
            in, out, 0) : aes256_cbc_proto1(secret, in, out, 0);
}

int
aes256_gcm_enc(const fido_blob_t *key, const fido_blob_t *nonce,
    const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out)
{
        return aes256_gcm(key, nonce, aad, in, out, 1);
}

int
aes256_gcm_dec(const fido_blob_t *key, const fido_blob_t *nonce,
    const fido_blob_t *aad, const fido_blob_t *in, fido_blob_t *out)
{
        return aes256_gcm(key, nonce, aad, in, out, 0);
}

Coverage Report

Created: 2025-10-04 18:33

Line	Count	Source
1		/*
2		* Copyright (c) 2021 Yubico AB. All rights reserved.
3		* Use of this source code is governed by a BSD-style
4		* license that can be found in the LICENSE file.
5		* SPDX-License-Identifier: BSD-2-Clause
6		*/
7
8		#include "fido.h"
9
10		static int
11		aes256_cbc(const fido_blob_t key, const u_char iv, const fido_blob_t *in,
12		fido_blob_t *out, int encrypt)
13	28.6k	{
14	28.6k	EVP_CIPHER_CTX *ctx = NULL;
15	28.6k	const EVP_CIPHER *cipher;
16	28.6k	int ok = -1;
17
18	28.6k	memset(out, 0, sizeof(*out));
19
20	28.6k	if (key->len != 32) {
21	0	fido_log_debug("%s: invalid key len %zu", __func__, key->len);
22	0	goto fail;
23	0	}
24	28.6k	if (in->len > UINT_MAX \|\| in->len % 16 \|\| in->len == 0) {
25	690	fido_log_debug("%s: invalid input len %zu", __func__, in->len);
26	690	goto fail;
27	690	}
28	27.9k	out->len = in->len;
29	27.9k	if ((out->ptr = calloc(1, out->len)) == NULL) {
30	62	fido_log_debug("%s: calloc", __func__);
31	62	goto fail;
32	62	}
33	27.8k	if ((ctx = EVP_CIPHER_CTX_new()) == NULL \|\|
34	27.8k	(cipher = EVP_aes_256_cbc()) == NULL) {
35	164	fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__);
36	164	goto fail;
37	164	}
38	27.7k	if (EVP_CipherInit(ctx, cipher, key->ptr, iv, encrypt) == 0 \|\|
39	27.7k	EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)out->len) < 0) {
40	218	fido_log_debug("%s: EVP_Cipher", __func__);
41	218	goto fail;
42	218	}
43
44	27.4k	ok = 0;
45	28.6k	fail:
46	28.6k	if (ctx != NULL)
47	27.8k	EVP_CIPHER_CTX_free(ctx);
48	28.6k	if (ok < 0)
49	1.13k	fido_blob_reset(out);
50
51	28.6k	return ok;
52	27.4k	}
53
54		static int
55		aes256_cbc_proto1(const fido_blob_t key, const fido_blob_t in,
56		fido_blob_t *out, int encrypt)
57	25.9k	{
58	25.9k	u_char iv[16];
59
60	25.9k	memset(&iv, 0, sizeof(iv));
61
62	25.9k	return aes256_cbc(key, iv, in, out, encrypt);
63	25.9k	}
64
65		static int
66		aes256_cbc_fips(const fido_blob_t secret, const fido_blob_t in,
67		fido_blob_t *out, int encrypt)
68	2.92k	{
69	2.92k	fido_blob_t key, cin, cout;
70	2.92k	u_char iv[16];
71
72	2.92k	memset(out, 0, sizeof(*out));
73
74	2.92k	if (secret->len != 64) {
75	0	fido_log_debug("%s: invalid secret len %zu", __func__,
76	0	secret->len);
77	0	return -1;
78	0	}
79	2.92k	if (in->len < sizeof(iv)) {
80	206	fido_log_debug("%s: invalid input len %zu", __func__, in->len);
81	206	return -1;
82	206	}
83	2.72k	if (encrypt) {
84	2.09k	if (fido_get_random(iv, sizeof(iv)) < 0) {
85	64	fido_log_debug("%s: fido_get_random", __func__);
86	64	return -1;
87	64	}
88	2.03k	cin = *in;
89	2.03k	} else {
90	624	memcpy(iv, in->ptr, sizeof(iv));
91	624	cin.ptr = in->ptr + sizeof(iv);
92	624	cin.len = in->len - sizeof(iv);
93	624	}
94	2.65k	key.ptr = secret->ptr + 32;
95	2.65k	key.len = secret->len - 32;
96	2.65k	if (aes256_cbc(&key, iv, &cin, &cout, encrypt) < 0)
97	419	return -1;
98	2.24k	if (encrypt) {
99	1.91k	if (cout.len > SIZE_MAX - sizeof(iv) \|\|
100	1.91k	(out->ptr = calloc(1, sizeof(iv) + cout.len)) == NULL) {
101	46	fido_blob_reset(&cout);
102	46	return -1;
103	46	}
104	1.86k	out->len = sizeof(iv) + cout.len;
105	1.86k	memcpy(out->ptr, iv, sizeof(iv));
106	1.86k	memcpy(out->ptr + sizeof(iv), cout.ptr, cout.len);
107	1.86k	fido_blob_reset(&cout);
108	1.86k	} else
109	328	*out = cout;
110
111	2.19k	return 0;
112	2.24k	}
113
114		static int
115		aes256_gcm(const fido_blob_t key, const fido_blob_t nonce,
116		const fido_blob_t aad, const fido_blob_t in, fido_blob_t *out,
117		int encrypt)
118	6.62k	{
119	6.62k	EVP_CIPHER_CTX *ctx = NULL;
120	6.62k	const EVP_CIPHER *cipher;
121	6.62k	size_t textlen;
122	6.62k	int ok = -1;
123
124	6.62k	memset(out, 0, sizeof(*out));
125
126	6.62k	if (nonce->len != 12 \|\| key->len != 32 \|\| aad->len > UINT_MAX) {
127	0	fido_log_debug("%s: invalid params %zu, %zu, %zu", __func__,
128	0	nonce->len, key->len, aad->len);
129	0	goto fail;
130	0	}
131	6.62k	if (in->len > UINT_MAX \|\| in->len > SIZE_MAX - 16) {
132	0	fido_log_debug("%s: invalid input len %zu", __func__, in->len);
133	0	goto fail;
134	0	}
135	6.62k	if (!encrypt && in->len < 16) {
136	0	fido_log_debug("%s: invalid input len %zu", __func__, in->len);
137	0	goto fail;
138	0	}
139		/* add tag to (on encrypt) or trim tag from the output (on decrypt) */
140	6.62k	out->len = encrypt ? in->len + 16 : in->len - 16;
141	6.62k	if ((out->ptr = calloc(1, out->len)) == NULL) {
142	34	fido_log_debug("%s: calloc", __func__);
143	34	goto fail;
144	34	}
145	6.58k	if ((ctx = EVP_CIPHER_CTX_new()) == NULL \|\|
146	6.58k	(cipher = EVP_aes_256_gcm()) == NULL) {
147	64	fido_log_debug("%s: EVP_CIPHER_CTX_new", __func__);
148	64	goto fail;
149	64	}
150	6.52k	if (EVP_CipherInit(ctx, cipher, key->ptr, nonce->ptr, encrypt) == 0) {
151	28	fido_log_debug("%s: EVP_CipherInit", __func__);
152	28	goto fail;
153	28	}
154
155	6.49k	if (encrypt)
156	3.99k	textlen = in->len;
157	2.50k	else {
158	2.50k	textlen = in->len - 16;
159		/* point openssl at the mac tag */
160	2.50k	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16,
161	2.50k	in->ptr + in->len - 16) == 0) {
162	27	fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__);
163	27	goto fail;
164	27	}
165	2.50k	}
166		/* the last EVP_Cipher() will either compute or verify the mac tag */
167	6.47k	if (EVP_Cipher(ctx, NULL, aad->ptr, (u_int)aad->len) < 0 \|\|
168	6.47k	EVP_Cipher(ctx, out->ptr, in->ptr, (u_int)textlen) < 0 \|\|
169	6.47k	EVP_Cipher(ctx, NULL, NULL, 0) < 0) {
170	1.09k	fido_log_debug("%s: EVP_Cipher", __func__);
171	1.09k	goto fail;
172	1.09k	}
173	5.37k	if (encrypt) {
174		/* append the mac tag */
175	3.96k	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16,
176	3.96k	out->ptr + out->len - 16) == 0) {
177	8	fido_log_debug("%s: EVP_CIPHER_CTX_ctrl", __func__);
178	8	goto fail;
179	8	}
180	3.96k	}
181
182	5.36k	ok = 0;
183	6.62k	fail:
184	6.62k	if (ctx != NULL)
185	6.56k	EVP_CIPHER_CTX_free(ctx);
186	6.62k	if (ok < 0)
187	1.26k	fido_blob_reset(out);
188
189	6.62k	return ok;
190	5.36k	}
191
192		int
193		aes256_cbc_enc(const fido_dev_t dev, const fido_blob_t secret,
194		const fido_blob_t in, fido_blob_t out)
195	16.6k	{
196	16.6k	return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret,
197	14.5k	in, out, 1) : aes256_cbc_proto1(secret, in, out, 1);
198	16.6k	}
199
200		int
201		aes256_cbc_dec(const fido_dev_t dev, const fido_blob_t secret,
202		const fido_blob_t in, fido_blob_t out)
203	12.2k	{
204	12.2k	return fido_dev_get_pin_protocol(dev) == 2 ? aes256_cbc_fips(secret,
205	11.4k	in, out, 0) : aes256_cbc_proto1(secret, in, out, 0);
206	12.2k	}
207
208		int
209		aes256_gcm_enc(const fido_blob_t key, const fido_blob_t nonce,
210		const fido_blob_t aad, const fido_blob_t in, fido_blob_t *out)
211	4.05k	{
212	4.05k	return aes256_gcm(key, nonce, aad, in, out, 1);
213	4.05k	}
214
215		int
216		aes256_gcm_dec(const fido_blob_t key, const fido_blob_t nonce,
217		const fido_blob_t aad, const fido_blob_t in, fido_blob_t *out)
218	2.57k	{
219	2.57k	return aes256_gcm(key, nonce, aad, in, out, 0);
220	2.57k	}