SCP11: Code optimization
aveenismail committed Nov 22, 2024
1 parent 7758295 commit ec144d2
Showing 5 changed files with 136 additions and 89 deletions.
6 changes: 3 additions & 3 deletions lib/aes_util.c
Expand Up @@ -193,7 +193,7 @@ static ykpiv_rc scp11_get_iv(uint8_t *key, uint8_t counter, uint8_t *iv, bool de
#endif

ykpiv_rc
aescbc_encrypt_data(uint8_t *key, uint8_t counter, uint8_t *data, size_t data_len, uint8_t *enc, size_t *enc_len) {
aescbc_encrypt_data(uint8_t *key, uint8_t counter, const uint8_t *data, size_t data_len, uint8_t *enc, size_t *enc_len) {
ykpiv_rc rc = YKPIV_OK;
#if (OPENSSL_VERSION_NUMBER > 0x10100000L)
uint8_t iv[SCP11_BLOCK_SIZE] = {0};
Expand Down Expand Up @@ -251,7 +251,7 @@ ykpiv_rc
aesecb_decrypt_data(uint8_t *key, uint8_t counter, uint8_t *enc, size_t enc_len, uint8_t *data, size_t *data_len) {
ykpiv_rc rc = YKPIV_OK;
#if (OPENSSL_VERSION_NUMBER > 0x10100000L)
if(enc_len == 0) {
if(enc_len <= 0) {
DBG("No data to decrypt");
*data_len = 0;
return YKPIV_OK;
Expand Down Expand Up @@ -280,7 +280,7 @@ aesecb_decrypt_data(uint8_t *key, uint8_t counter, uint8_t *enc, size_t enc_len,
}

if (1 != EVP_DecryptUpdate(ctx, data, &len, enc, enc_len)) {
DBG("Failed to encrypt data");
DBG("Failed to decrypt data");
rc = YKPIV_AUTHENTICATION_ERROR;
goto aes_dec_clean;
}
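Review bot: In aesecb_decrypt_data the guard `if(enc_len <= 0)` tests a `size_t`, so it can only ever match zero; assuming the second printed form is the new side, it reads like a negative-length check that cannot exist and may trip `-Wtype-limits`. The bound that is actually missing is the upper one: `enc_len` is later passed to `EVP_DecryptUpdate`, whose input-length parameter is an `int`, so a value above `INT_MAX` is silently narrowed. I would keep `if (enc_len == 0)` and add `if (enc_len > INT_MAX) return YKPIV_ARGUMENT_ERROR;` before the cipher context is used. Whether `data` is large enough to receive `enc_len` bytes of output cannot be checked from here, because the function body starts and ends outside the visible hunks.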
2 changes: 1 addition & 1 deletion lib/aes_util.h
Expand Up @@ -41,7 +41,7 @@ ykpiv_rc unmac_data(uint8_t *key, uint8_t *mac_chain, uint8_t *data, size_t data
//ykpiv_rc scp11_get_iv(uint8_t *key, uint8_t counter, uint8_t *iv);

ykpiv_rc
aescbc_encrypt_data(uint8_t *key, uint8_t counter, uint8_t *data, size_t data_len, uint8_t *enc, size_t *enc_len);
aescbc_encrypt_data(uint8_t *key, uint8_t counter, const uint8_t *data, size_t data_len, uint8_t *enc, size_t *enc_len);

ykpiv_rc
aesecb_decrypt_data(uint8_t *key, uint8_t counter, uint8_t *enc, size_t enc_len, uint8_t *data, size_t *data_len);
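Review bot: The `const` added here covers only `data` of aescbc_encrypt_data; `key` in both prototypes and `enc` of aesecb_decrypt_data are still plain `uint8_t *`, although they look like read-only inputs. If the implementations do not write through them, declare them as `const uint8_t *key` and `const uint8_t *enc`, so that callers holding key material in const storage need no cast and an accidental write to the key is rejected at compile time. Separately, the pair is named `aescbc_` for encryption and `aesecb_` for decryption while both take the same `counter`; if both use the same mode, as the shared parameter suggests, a one-line comment stating the cipher mode (or a rename) would stop a reader from assuming ECB.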
2 changes: 2 additions & 0 deletions lib/internal.h
Expand Up @@ -220,8 +220,10 @@ bool yk_des_is_weak_key(const unsigned char *key, const size_t cb_key);
prng_rc _ykpiv_prng_generate(unsigned char *buffer, const size_t cb_req);
ykpiv_rc _ykpiv_begin_transaction(ykpiv_state *state);
ykpiv_rc _ykpiv_end_transaction(ykpiv_state *state);
ykpiv_rc _ykpiv_ensure_application_selected_ex(ykpiv_state *state, bool scp11);
ykpiv_rc _ykpiv_ensure_application_selected(ykpiv_state *state);
ykpiv_rc _ykpiv_select_application(ykpiv_state *state);
ykpiv_rc _ykpiv_select_application_ex(ykpiv_state *state, bool scp11);
ykpiv_rc _ykpiv_select_gp_application(ykpiv_state *state);
size_t _ykpiv_get_length_size(size_t length);
size_t _ykpiv_set_length(unsigned char *buffer, size_t length);
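Review bot: The two new `_ex` prototypes take a bare `bool scp11`, and nothing in the header says what `true` changes compared with the existing `_ykpiv_ensure_application_selected` and `_ykpiv_select_application`. The flag appears to decide whether selection is done with SCP11 in effect (inferred from the callers in lib/util.c, not from anything visible in this header). I would add a short comment above the two declarations stating what each value does and which value the non-`_ex` functions correspond to, so that a new call site does not end up on the unprotected path by accident.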
38 changes: 19 additions & 19 deletions lib/util.c
Expand Up @@ -118,7 +118,7 @@ ykpiv_rc ykpiv_util_get_cardid(ykpiv_state *state, ykpiv_cardid *cardid) {
if (!cardid) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

if ((res = _ykpiv_fetch_object(state, YKPIV_OBJ_CHUID, buf, &len)) == YKPIV_OK) {
p_temp = buf;
Expand Down Expand Up @@ -177,7 +177,7 @@ ykpiv_rc ykpiv_util_set_cardid(ykpiv_state *state, const ykpiv_cardid *cardid) {
}

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

memcpy(buf, CHUID_TMPL, sizeof(CHUID_TMPL));
memcpy(buf + CHUID_GUID_OFFS, id, sizeof(id));
Expand All @@ -199,7 +199,7 @@ ykpiv_rc ykpiv_util_get_cccid(ykpiv_state *state, ykpiv_cccid *ccc) {
if (!ccc) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

res = _ykpiv_fetch_object(state, YKPIV_OBJ_CAPABILITY, buf, &len);
if (YKPIV_OK == res) {
Expand Down Expand Up @@ -235,7 +235,7 @@ ykpiv_rc ykpiv_util_set_cccid(ykpiv_state *state, const ykpiv_cccid *ccc) {
}

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

len = sizeof(CCC_TMPL);
memcpy(buf, CCC_TMPL, len);
Expand Down Expand Up @@ -298,7 +298,7 @@ ykpiv_rc ykpiv_util_list_keys(ykpiv_state *state, uint8_t *key_count, ykpiv_key
if ((NULL == data) || (NULL == data_len) || (NULL == key_count)) { return YKPIV_ARGUMENT_ERROR; }

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

// init return parameters
*key_count = 0;
Expand Down Expand Up @@ -384,7 +384,7 @@ ykpiv_rc ykpiv_util_read_cert(ykpiv_state *state, uint8_t slot, uint8_t **data,
if ((NULL == data )|| (NULL == data_len)) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

*data = 0;
*data_len = 0;
Expand Down Expand Up @@ -418,7 +418,7 @@ ykpiv_rc ykpiv_util_write_cert(ykpiv_state *state, uint8_t slot, uint8_t *data,
ykpiv_rc res = YKPIV_OK;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

res = _write_certificate(state, slot, data, data_len, certinfo);

Expand All @@ -445,7 +445,7 @@ ykpiv_rc ykpiv_util_block_puk(ykpiv_state *state) {
if (NULL == state) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

while (tries != 0) {
if (YKPIV_OK == (res = ykpiv_change_puk(state, (const char*)puk, sizeof(puk), (const char*)puk, sizeof(puk), &tries))) {
Expand Down Expand Up @@ -501,7 +501,7 @@ ykpiv_rc ykpiv_util_read_mscmap(ykpiv_state *state, ykpiv_container **containers

if ((NULL == containers) || (NULL == n_containers)) { res = YKPIV_ARGUMENT_ERROR; goto Cleanup; }
if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

*containers = 0;
*n_containers = 0;
Expand Down Expand Up @@ -549,7 +549,7 @@ ykpiv_rc ykpiv_util_write_mscmap(ykpiv_state *state, ykpiv_container *containers
size_t data_len = n_containers * sizeof(ykpiv_container);

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

// check if data and data_len are zero, this means that
// we intend to delete the object
Expand Down Expand Up @@ -608,7 +608,7 @@ ykpiv_rc ykpiv_util_read_msroots(ykpiv_state *state, uint8_t **data, size_t *dat
if (!data || !data_len) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

*data = 0;
*data_len = 0;
Expand Down Expand Up @@ -695,7 +695,7 @@ ykpiv_rc ykpiv_util_write_msroots(ykpiv_state *state, uint8_t *data, size_t data
size_t cb_obj_max = _obj_size_max(state);

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

// check if either data and data_len are zero, this means that
// we intend to delete the object
Expand Down Expand Up @@ -847,7 +847,7 @@ ykpiv_rc ykpiv_util_generate_key(ykpiv_state *state, uint8_t slot, uint8_t algor
}

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

templ[3] = slot;

Expand Down Expand Up @@ -1022,7 +1022,7 @@ ykpiv_rc ykpiv_util_get_config(ykpiv_state *state, ykpiv_config *config) {
config->mgm_type = YKPIV_CONFIG_MGM_MANUAL;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

/* recover admin data */
if (YKPIV_OK == _read_metadata(state, TAG_ADMIN, data, &cb_data)) {
Expand Down Expand Up @@ -1097,7 +1097,7 @@ ykpiv_rc ykpiv_util_set_pin_last_changed(ykpiv_state *state) {
if (NULL == state) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

/* recover admin data */
if (YKPIV_OK != (ykrc = _read_metadata(state, TAG_ADMIN, data, &cb_data))) {
Expand Down Expand Up @@ -1134,7 +1134,7 @@ ykpiv_rc ykpiv_util_get_derived_mgm(ykpiv_state *state, const uint8_t *pin, cons
if ((NULL == pin) || (0 == pin_len) || (NULL == mgm)) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

/* recover management key */
if (YKPIV_OK == (res = _read_metadata(state, TAG_ADMIN, data, &cb_data))) {
Expand Down Expand Up @@ -1170,7 +1170,7 @@ ykpiv_rc ykpiv_util_get_protected_mgm(ykpiv_state *state, ykpiv_mgm *mgm) {
if (NULL == mgm) return YKPIV_ARGUMENT_ERROR;

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

if (YKPIV_OK != (res = _read_metadata(state, TAG_PROTECTED, data, &cb_data))) {
DBG("could not read protected data, err = %d", res);
Expand Down Expand Up @@ -1206,7 +1206,7 @@ ykpiv_rc ykpiv_util_update_protected_mgm(ykpiv_state *state, ykpiv_mgm *mgm) {
size_t cb_data = sizeof(data);

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

if (YKPIV_OK != (res = _read_metadata(state, TAG_PROTECTED, data, &cb_data))) {
cb_data = 0; /* set current metadata blob size to zero, we'll add to the blank blob */
Expand Down Expand Up @@ -1259,7 +1259,7 @@ ykpiv_rc ykpiv_util_set_protected_mgm(ykpiv_state *state, ykpiv_mgm *mgm) {
}

if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
if (YKPIV_OK != (res = _ykpiv_ensure_application_selected_ex(state, state->scp11_state.security_level == SCP11_KEY_USAGE))) goto Cleanup;

/* try to set the mgm key as long as we don't encounter a fatal error */
do {
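Review bot: The expression `state->scp11_state.security_level == SCP11_KEY_USAGE` is pasted into all 19 call sites in this file (ykpiv_util_get_cardid through ykpiv_util_set_protected_mgm), so a later function that keeps the old one-argument call would silently behave differently with respect to SCP11. Because `_ykpiv_ensure_application_selected_ex` already receives `state`, the flag can be derived in one place: either let `_ykpiv_ensure_application_selected(state)` compute it, or add a helper such as `static bool scp11_in_use(const ykpiv_state *state) { return state->scp11_state.security_level == SCP11_KEY_USAGE; }` (the name is only a suggestion). The argument also dereferences `state` at the call site, which is safe only if `_ykpiv_begin_transaction` on the preceding line rejects a NULL `state`; that is not visible in these hunks, and several of the functions (for example ykpiv_util_get_cardid) show no NULL check of their own in the visible context.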