/src/opensc/openpace/src/eac.c

Source
/*
 * Copyright (c) 2010-2012 Frank Morgner and Dominik Oepen
 *
 * This file is part of OpenPACE.
 *
 * OpenPACE is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
 * Software Foundation, either version 3 of the License, or (at your option)
 * any later version.
 *
 * OpenPACE is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License along with
 * OpenPACE.  If not, see <http://www.gnu.org/licenses/>.
 *
 * Additional permission under GNU GPL version 3 section 7
 *
 * If you modify this Program, or any covered work, by linking or combining it
 * with OpenSSL (or a modified version of that library), containing
 * parts covered by the terms of OpenSSL's license, the licensors of
 * this Program grant you additional permission to convey the resulting work.
 * Corresponding Source for a non-source form of such a combination shall include
 * the source code for the parts of OpenSSL used as well as that of the
 * covered work.
 *
 * If you modify this Program, or any covered work, by linking or combining it
 * with OpenSC (or a modified version of that library), containing
 * parts covered by the terms of OpenSC's license, the licensors of
 * this Program grant you additional permission to convey the resulting work. 
 * Corresponding Source for a non-source form of such a combination shall include
 * the source code for the parts of OpenSC used as well as that of the
 * covered work.
 */

/**
 * @file eac.c
 * @brief OpenEAC implementation
 *
 * @author Frank Morgner <frankmorgner@gmail.com>
 * @author Dominik Oepen <oepen@informatik.hu-berlin.de>
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "eac_err.h"
#include "eac_kdf.h"
#include "eac_lib.h"
#include "eac_util.h"
#include "misc.h"
#include <eac/eac.h>
#include <eac/pace.h>
#include <openssl/crypto.h>

BUF_MEM *
EAC_add_iso_pad(const EAC_CTX *eac_ctx, const BUF_MEM * m)
{
    check_return(eac_ctx && eac_ctx->key_ctx, "Invalid arguments");

    return add_iso_pad(m, EVP_CIPHER_block_size(eac_ctx->key_ctx->cipher));
}

BUF_MEM *
EAC_remove_iso_pad(const BUF_MEM *padded)
{
    BUF_MEM *out = NULL;
    unsigned int m_len;

    check(padded, "Invalid arguments");

    /* Find length of unpadded message */
    m_len = padded->length - 1;
    while (m_len >= 1) {
        if (padded->data[m_len] == (char) 0x80)
            break;
        check(padded->data[m_len] == 0x00, "Invalid padding");
        m_len--;
    }
    check(m_len != 0, "Invalid padding");

    /* Copy unpadded message to output buffer */
    out = BUF_MEM_create(m_len);
    check(out, "Out of memory");

    memcpy(out->data, padded->data, m_len);

err:
    return out;
}

int EAC_increment_ssc(const EAC_CTX *ctx)
{
    if (!ctx)
        return 0;

    return BN_add_word(ctx->ssc, 1);
}

int EAC_reset_ssc(const EAC_CTX *ctx)
{
    if (!ctx)
        return 0;

    BN_zero(ctx->ssc);

    return 1;
}

int EAC_set_ssc(const EAC_CTX *ctx, unsigned long ssc)
{
    if (!ctx)
        return 0;

    return BN_set_word(ctx->ssc, ssc);
}

BUF_MEM *
EAC_encrypt(const EAC_CTX *ctx, const BUF_MEM *data)
{
    check_return((ctx && ctx->key_ctx), "Invalid arguments");

    if (!update_iv(ctx->key_ctx, ctx->cipher_ctx, ctx->ssc))
        return NULL;

    return cipher_no_pad(ctx->key_ctx, ctx->cipher_ctx, ctx->key_ctx->k_enc, data, 1);
}

BUF_MEM *
EAC_decrypt(const EAC_CTX *ctx, const BUF_MEM *data)
{
    check_return((ctx && ctx->key_ctx), "Invalid arguments");

    if (!update_iv(ctx->key_ctx, ctx->cipher_ctx, ctx->ssc))
        return NULL;

    return cipher_no_pad(ctx->key_ctx, ctx->cipher_ctx, ctx->key_ctx->k_enc, data, 0);
}

BUF_MEM *
EAC_authenticate(const EAC_CTX *ctx, const BUF_MEM *data)
{
    int l;
    BUF_MEM *out = NULL, *to_authenticate = NULL;
    unsigned char *ssc_buf = NULL;

    check((ctx && data), "invalid arguments");

    l = encode_ssc(ctx->ssc, ctx->key_ctx, &ssc_buf);
    check(l >= 0, "Failed to encode SSC");

    to_authenticate = BUF_MEM_create(l + data->length);
    check(to_authenticate, "Failed to allocate memory");

    memcpy(to_authenticate->data, ssc_buf, l);
    memcpy(to_authenticate->data + l, data->data, data->length);
    to_authenticate->length = l + data->length;

    out = authenticate(ctx->key_ctx, to_authenticate);

err:
    if (ssc_buf)
        OPENSSL_free(ssc_buf);
    /* TR-03110 uses Encrypt then authenticate, so no need to wipe the memory
     * from the authenticated data */
    if (to_authenticate)
        BUF_MEM_free(to_authenticate);

    return out;
}

int
EAC_verify_authentication(const EAC_CTX *ctx, const BUF_MEM *data,
        const BUF_MEM *mac)
{
    BUF_MEM *my_mac = NULL;
    int ret = 0;

    check((ctx && data), "Invalid arguments");

    my_mac = EAC_authenticate(ctx, data);
    check(my_mac, "Failed to compute MAC");
    check((mac->length == my_mac->length), "Invalid MAC length");

    if (CRYPTO_memcmp(my_mac->data, mac->data, mac->length) == 0)
        ret = 1;

err:
    if (my_mac)
        BUF_MEM_free(my_mac);
    return ret;
}

BUF_MEM *
EAC_Comp(const EAC_CTX *ctx, int id, const BUF_MEM *pub)
{
    switch (id) {
        case EAC_ID_PACE:
            if (!ctx || !ctx->pace_ctx || !ctx->pace_ctx->ka_ctx) {
                log_err("Invalid arguments");
                return 0;
            }
            return Comp(ctx->pace_ctx->ka_ctx->key, pub, ctx->bn_ctx, ctx->md_ctx);

        case EAC_ID_TA:
            if (!ctx || !ctx->ta_ctx) {
                log_err("Invalid arguments");
                return 0;
            }
            if (ctx->ta_ctx->priv_key)
                return Comp(ctx->ta_ctx->priv_key, pub, ctx->bn_ctx, ctx->md_ctx);
            else
                return Comp(ctx->ta_ctx->pub_key, pub, ctx->bn_ctx, ctx->md_ctx);

        case EAC_ID_CA:
            if (!ctx || !ctx->ca_ctx || !ctx->ca_ctx->ka_ctx) {
                log_err("Invalid arguments");
                return 0;
            }
            return Comp(ctx->ca_ctx->ka_ctx->key, pub, ctx->bn_ctx, ctx->md_ctx);

        default:
            log_err("Invalid arguments");
            return NULL;
    }
}

BUF_MEM *
EAC_hash_certificate_description(const unsigned char *cert_desc,
        size_t cert_desc_len)
{
    BUF_MEM *cd, *out;

    cd = BUF_MEM_create_init(cert_desc, cert_desc_len);
    out = hash(EVP_sha256(), NULL, NULL, cd);
    if (cd)
        BUF_MEM_free(cd);

    return out;
}

int
EAC_CTX_set_encryption_ctx(EAC_CTX *ctx, int id)
{
    const KA_CTX *new;

    switch (id) {
        case EAC_ID_PACE:
            if (!ctx || !ctx->pace_ctx || !ctx->pace_ctx->ka_ctx ||
                    !ctx->pace_ctx->ka_ctx->k_enc || !ctx->pace_ctx->ka_ctx->k_mac) {
                log_err("Invalid arguments");
                return 0;
            }
            new = ctx->pace_ctx->ka_ctx;
            break;

        case EAC_ID_CA:
            if (!ctx || !ctx->ca_ctx || !ctx->ca_ctx->ka_ctx ||
                    !ctx->ca_ctx->ka_ctx->k_enc || !ctx->ca_ctx->ka_ctx->k_mac) {
                log_err("Invalid arguments");
                return 0;
            }
            new = ctx->ca_ctx->ka_ctx;
            break;

        case EAC_ID_EAC:
            if (!ctx || !ctx->key_ctx || !ctx->key_ctx->k_enc || !ctx->key_ctx->k_mac) {
                log_err("Invalid arguments");
                return 0;
            }
            return 1;
            break;

        default:
            log_err("Invalid arguments");
            return 0;
    }

    KA_CTX_clear_free(ctx->key_ctx);
    ctx->key_ctx = KA_CTX_dup(new);
    if (!ctx->key_ctx)
        return 0;

    return EAC_reset_ssc(ctx);
}

BUF_MEM *
KA_CTX_generate_key(const KA_CTX *ctx, BN_CTX *bn_ctx)
{
    check_return((ctx && ctx->generate_key), "Invalid arguments");

    return ctx->generate_key(ctx->key, bn_ctx);
}

int
KA_CTX_compute_key(KA_CTX *ctx, const BUF_MEM *in, BN_CTX *bn_ctx)
{
    if (!ctx || !ctx->compute_key) {
        log_err("Invalid arguments");
        return 0;
    }

    BUF_MEM_clear_free(ctx->shared_secret);
    ctx->shared_secret = ctx->compute_key(ctx->key, in, bn_ctx);
    if (!ctx->shared_secret)
        return 0;

    return 1;
}

int
KA_CTX_derive_keys(KA_CTX *ctx, const BUF_MEM *nonce, EVP_MD_CTX *md_ctx)
{
    if (!ctx) {
        log_err("Invalid arguments");
        return 0;
    }

    BUF_MEM_clear_free(ctx->k_mac);
    ctx->k_mac = kdf_mac(nonce, ctx, md_ctx);

    BUF_MEM_clear_free(ctx->k_enc);
    ctx->k_enc = kdf_enc(nonce, ctx, md_ctx);

    if (!ctx->k_mac || !ctx->k_enc)
        return 0;

    return 1;
}

Coverage Report

Created: 2026-03-01 06:54

Line	Count	Source
1		/*
2		* Copyright (c) 2010-2012 Frank Morgner and Dominik Oepen
3		*
4		* This file is part of OpenPACE.
5		*
6		* OpenPACE is free software: you can redistribute it and/or modify it under
7		* the terms of the GNU General Public License as published by the Free
8		* Software Foundation, either version 3 of the License, or (at your option)
9		* any later version.
10		*
11		* OpenPACE is distributed in the hope that it will be useful, but WITHOUT ANY
12		* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
13		* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
14		* details.
15		*
16		* You should have received a copy of the GNU General Public License along with
17		* OpenPACE. If not, see <http://www.gnu.org/licenses/>.
18		*
19		* Additional permission under GNU GPL version 3 section 7
20		*
21		* If you modify this Program, or any covered work, by linking or combining it
22		* with OpenSSL (or a modified version of that library), containing
23		* parts covered by the terms of OpenSSL's license, the licensors of
24		* this Program grant you additional permission to convey the resulting work.
25		* Corresponding Source for a non-source form of such a combination shall include
26		* the source code for the parts of OpenSSL used as well as that of the
27		* covered work.
28		*
29		* If you modify this Program, or any covered work, by linking or combining it
30		* with OpenSC (or a modified version of that library), containing
31		* parts covered by the terms of OpenSC's license, the licensors of
32		* this Program grant you additional permission to convey the resulting work.
33		* Corresponding Source for a non-source form of such a combination shall include
34		* the source code for the parts of OpenSC used as well as that of the
35		* covered work.
36		*/
37
38		/**
39		* @file eac.c
40		* @brief OpenEAC implementation
41		*
42		* @author Frank Morgner <frankmorgner@gmail.com>
43		* @author Dominik Oepen <oepen@informatik.hu-berlin.de>
44		*/
45
46		#ifdef HAVE_CONFIG_H
47		#include "config.h"
48		#endif
49
50		#include "eac_err.h"
51		#include "eac_kdf.h"
52		#include "eac_lib.h"
53		#include "eac_util.h"
54		#include "misc.h"
55		#include <eac/eac.h>
56		#include <eac/pace.h>
57		#include <openssl/crypto.h>
58
59		BUF_MEM *
60		EAC_add_iso_pad(const EAC_CTX eac_ctx, const BUF_MEM m)
61	0	{
62	0	check_return(eac_ctx && eac_ctx->key_ctx, "Invalid arguments");
63
64	0	return add_iso_pad(m, EVP_CIPHER_block_size(eac_ctx->key_ctx->cipher));
65	0	}
66
67		BUF_MEM *
68		EAC_remove_iso_pad(const BUF_MEM *padded)
69	0	{
70	0	BUF_MEM *out = NULL;
71	0	unsigned int m_len;
72
73	0	check(padded, "Invalid arguments");
74
75		/* Find length of unpadded message */
76	0	m_len = padded->length - 1;
77	0	while (m_len >= 1) {
78	0	if (padded->data[m_len] == (char) 0x80)
79	0	break;
80	0	check(padded->data[m_len] == 0x00, "Invalid padding");
81	0	m_len--;
82	0	}
83	0	check(m_len != 0, "Invalid padding");
84
85		/* Copy unpadded message to output buffer */
86	0	out = BUF_MEM_create(m_len);
87	0	check(out, "Out of memory");
88
89	0	memcpy(out->data, padded->data, m_len);
90
91	0	err:
92	0	return out;
93	0	}
94
95		int EAC_increment_ssc(const EAC_CTX *ctx)
96	0	{
97	0	if (!ctx)
98	0	return 0;
99
100	0	return BN_add_word(ctx->ssc, 1);
101	0	}
102
103		int EAC_reset_ssc(const EAC_CTX *ctx)
104	0	{
105	0	if (!ctx)
106	0	return 0;
107
108	0	BN_zero(ctx->ssc);
109
110	0	return 1;
111	0	}
112
113		int EAC_set_ssc(const EAC_CTX *ctx, unsigned long ssc)
114	0	{
115	0	if (!ctx)
116	0	return 0;
117
118	0	return BN_set_word(ctx->ssc, ssc);
119	0	}
120
121		BUF_MEM *
122		EAC_encrypt(const EAC_CTX ctx, const BUF_MEM data)
123	0	{
124	0	check_return((ctx && ctx->key_ctx), "Invalid arguments");
125
126	0	if (!update_iv(ctx->key_ctx, ctx->cipher_ctx, ctx->ssc))
127	0	return NULL;
128
129	0	return cipher_no_pad(ctx->key_ctx, ctx->cipher_ctx, ctx->key_ctx->k_enc, data, 1);
130	0	}
131
132		BUF_MEM *
133		EAC_decrypt(const EAC_CTX ctx, const BUF_MEM data)
134	0	{
135	0	check_return((ctx && ctx->key_ctx), "Invalid arguments");
136
137	0	if (!update_iv(ctx->key_ctx, ctx->cipher_ctx, ctx->ssc))
138	0	return NULL;
139
140	0	return cipher_no_pad(ctx->key_ctx, ctx->cipher_ctx, ctx->key_ctx->k_enc, data, 0);
141	0	}
142
143		BUF_MEM *
144		EAC_authenticate(const EAC_CTX ctx, const BUF_MEM data)
145	0	{
146	0	int l;
147	0	BUF_MEM out = NULL, to_authenticate = NULL;
148	0	unsigned char *ssc_buf = NULL;
149
150	0	check((ctx && data), "invalid arguments");
151
152	0	l = encode_ssc(ctx->ssc, ctx->key_ctx, &ssc_buf);
153	0	check(l >= 0, "Failed to encode SSC");
154
155	0	to_authenticate = BUF_MEM_create(l + data->length);
156	0	check(to_authenticate, "Failed to allocate memory");
157
158	0	memcpy(to_authenticate->data, ssc_buf, l);
159	0	memcpy(to_authenticate->data + l, data->data, data->length);
160	0	to_authenticate->length = l + data->length;
161
162	0	out = authenticate(ctx->key_ctx, to_authenticate);
163
164	0	err:
165	0	if (ssc_buf)
166	0	OPENSSL_free(ssc_buf);
167		/* TR-03110 uses Encrypt then authenticate, so no need to wipe the memory
168		* from the authenticated data */
169	0	if (to_authenticate)
170	0	BUF_MEM_free(to_authenticate);
171
172	0	return out;
173	0	}
174
175		int
176		EAC_verify_authentication(const EAC_CTX ctx, const BUF_MEM data,
177		const BUF_MEM *mac)
178	0	{
179	0	BUF_MEM *my_mac = NULL;
180	0	int ret = 0;
181
182	0	check((ctx && data), "Invalid arguments");
183
184	0	my_mac = EAC_authenticate(ctx, data);
185	0	check(my_mac, "Failed to compute MAC");
186	0	check((mac->length == my_mac->length), "Invalid MAC length");
187
188	0	if (CRYPTO_memcmp(my_mac->data, mac->data, mac->length) == 0)
189	0	ret = 1;
190
191	0	err:
192	0	if (my_mac)
193	0	BUF_MEM_free(my_mac);
194	0	return ret;
195	0	}
196
197		BUF_MEM *
198		EAC_Comp(const EAC_CTX ctx, int id, const BUF_MEM pub)
199	0	{
200	0	switch (id) {
201	0	case EAC_ID_PACE:
202	0	if (!ctx \|\| !ctx->pace_ctx \|\| !ctx->pace_ctx->ka_ctx) {
203	0	log_err("Invalid arguments");
204	0	return 0;
205	0	}
206	0	return Comp(ctx->pace_ctx->ka_ctx->key, pub, ctx->bn_ctx, ctx->md_ctx);
207
208	0	case EAC_ID_TA:
209	0	if (!ctx \|\| !ctx->ta_ctx) {
210	0	log_err("Invalid arguments");
211	0	return 0;
212	0	}
213	0	if (ctx->ta_ctx->priv_key)
214	0	return Comp(ctx->ta_ctx->priv_key, pub, ctx->bn_ctx, ctx->md_ctx);
215	0	else
216	0	return Comp(ctx->ta_ctx->pub_key, pub, ctx->bn_ctx, ctx->md_ctx);
217
218	0	case EAC_ID_CA:
219	0	if (!ctx \|\| !ctx->ca_ctx \|\| !ctx->ca_ctx->ka_ctx) {
220	0	log_err("Invalid arguments");
221	0	return 0;
222	0	}
223	0	return Comp(ctx->ca_ctx->ka_ctx->key, pub, ctx->bn_ctx, ctx->md_ctx);
224
225	0	default:
226	0	log_err("Invalid arguments");
227	0	return NULL;
228	0	}
229	0	}
230
231		BUF_MEM *
232		EAC_hash_certificate_description(const unsigned char *cert_desc,
233		size_t cert_desc_len)
234	0	{
235	0	BUF_MEM cd, out;
236
237	0	cd = BUF_MEM_create_init(cert_desc, cert_desc_len);
238	0	out = hash(EVP_sha256(), NULL, NULL, cd);
239	0	if (cd)
240	0	BUF_MEM_free(cd);
241
242	0	return out;
243	0	}
244
245		int
246		EAC_CTX_set_encryption_ctx(EAC_CTX *ctx, int id)
247	0	{
248	0	const KA_CTX *new;
249
250	0	switch (id) {
251	0	case EAC_ID_PACE:
252	0	if (!ctx \|\| !ctx->pace_ctx \|\| !ctx->pace_ctx->ka_ctx \|\|
253	0	!ctx->pace_ctx->ka_ctx->k_enc \|\| !ctx->pace_ctx->ka_ctx->k_mac) {
254	0	log_err("Invalid arguments");
255	0	return 0;
256	0	}
257	0	new = ctx->pace_ctx->ka_ctx;
258	0	break;
259
260	0	case EAC_ID_CA:
261	0	if (!ctx \|\| !ctx->ca_ctx \|\| !ctx->ca_ctx->ka_ctx \|\|
262	0	!ctx->ca_ctx->ka_ctx->k_enc \|\| !ctx->ca_ctx->ka_ctx->k_mac) {
263	0	log_err("Invalid arguments");
264	0	return 0;
265	0	}
266	0	new = ctx->ca_ctx->ka_ctx;
267	0	break;
268
269	0	case EAC_ID_EAC:
270	0	if (!ctx \|\| !ctx->key_ctx \|\| !ctx->key_ctx->k_enc \|\| !ctx->key_ctx->k_mac) {
271	0	log_err("Invalid arguments");
272	0	return 0;
273	0	}
274	0	return 1;
275	0	break;
276
277	0	default:
278	0	log_err("Invalid arguments");
279	0	return 0;
280	0	}
281
282	0	KA_CTX_clear_free(ctx->key_ctx);
283	0	ctx->key_ctx = KA_CTX_dup(new);
284	0	if (!ctx->key_ctx)
285	0	return 0;
286
287	0	return EAC_reset_ssc(ctx);
288	0	}
289
290		BUF_MEM *
291		KA_CTX_generate_key(const KA_CTX ctx, BN_CTX bn_ctx)
292	0	{
293	0	check_return((ctx && ctx->generate_key), "Invalid arguments");
294
295	0	return ctx->generate_key(ctx->key, bn_ctx);
296	0	}
297
298		int
299		KA_CTX_compute_key(KA_CTX ctx, const BUF_MEM in, BN_CTX *bn_ctx)
300	0	{
301	0	if (!ctx \|\| !ctx->compute_key) {
302	0	log_err("Invalid arguments");
303	0	return 0;
304	0	}
305
306	0	BUF_MEM_clear_free(ctx->shared_secret);
307	0	ctx->shared_secret = ctx->compute_key(ctx->key, in, bn_ctx);
308	0	if (!ctx->shared_secret)
309	0	return 0;
310
311	0	return 1;
312	0	}
313
314		int
315		KA_CTX_derive_keys(KA_CTX ctx, const BUF_MEM nonce, EVP_MD_CTX *md_ctx)
316	0	{
317	0	if (!ctx) {
318	0	log_err("Invalid arguments");
319	0	return 0;
320	0	}
321
322	0	BUF_MEM_clear_free(ctx->k_mac);
323	0	ctx->k_mac = kdf_mac(nonce, ctx, md_ctx);
324
325	0	BUF_MEM_clear_free(ctx->k_enc);
326	0	ctx->k_enc = kdf_enc(nonce, ctx, md_ctx);
327
328	0	if (!ctx->k_mac \|\| !ctx->k_enc)
329	0	return 0;
330
331	0	return 1;
332	0	}