Skip to content

Commit

Permalink
Exclude bunch of unexpected to execute lines from the coverage report…
Browse files Browse the repository at this point in the history 
… for ecdh_ossl.cpp.
  • Loading branch information
@ni4
ni4 committed Apr 23, 2024
1 parent 1a61acc commit d243caa
Showing 1 changed file with 53 additions and 1 deletion.
54 changes: 53 additions & 1 deletion src/lib/crypto/ecdh_ossl.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -70,8 +70,10 @@ ecdh_derive_kek(uint8_t * x,
const size_t hash_len = rnp::Hash::size(key.kdf_hash_alg);
if (!hash_len) {
// must not assert here as kdf/hash algs are not checked during key parsing
/* LCOV_EXCL_START */
RNP_LOG("Unsupported key wrap hash algorithm.");
return RNP_ERROR_NOT_SUPPORTED;
/* LCOV_EXCL_END */
}
size_t other_len = kdf_other_info_serialize(
other_info, curve_desc, fingerprint, key.kdf_hash_alg, key.key_wrap_alg);
Expand All @@ -83,8 +85,10 @@ ecdh_derive_kek(uint8_t * x,
size_t reps = (kek_len + hash_len - 1) / hash_len;
// As we use AES & SHA2 we should not get more then 2 iterations
if (reps > 2) {
/* LCOV_EXCL_START */
RNP_LOG("Invalid key wrap/hash alg combination.");
return RNP_ERROR_NOT_SUPPORTED;
/* LCOV_EXCL_END */
}
size_t have = 0;
try {
Expand All @@ -100,8 +104,10 @@ ecdh_derive_kek(uint8_t * x,
}
return RNP_SUCCESS;
} catch (const std::exception &e) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to derive kek: %s", e.what());
return RNP_ERROR_GENERIC;
/* LCOV_EXCL_END */
}
}

Expand All @@ -115,27 +121,35 @@ ecdh_rfc3394_wrap_ctx(EVP_CIPHER_CTX **ctx,
const char *cipher_name = NULL;
ARRAY_LOOKUP_BY_ID(ecdh_wrap_alg_map, alg, name, wrap_alg, cipher_name);
if (!cipher_name) {
/* LCOV_EXCL_START */
RNP_LOG("Unsupported key wrap algorithm: %d", (int) wrap_alg);
return RNP_ERROR_NOT_SUPPORTED;
/* LCOV_EXCL_END */
}
const EVP_CIPHER *cipher = EVP_get_cipherbyname(cipher_name);
if (!cipher) {
/* LCOV_EXCL_START */
RNP_LOG("Cipher %s is not supported by OpenSSL.", cipher_name);
return RNP_ERROR_NOT_SUPPORTED;
/* LCOV_EXCL_END */
}
*ctx = EVP_CIPHER_CTX_new();
if (!ctx) {
/* LCOV_EXCL_START */
RNP_LOG("Context allocation failed : %lu", ERR_peek_last_error());
return RNP_ERROR_OUT_OF_MEMORY;
/* LCOV_EXCL_END */
}
EVP_CIPHER_CTX_set_flags(*ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
int res = decrypt ? EVP_DecryptInit_ex(*ctx, cipher, NULL, key, NULL) :
EVP_EncryptInit_ex(*ctx, cipher, NULL, key, NULL);
if (res <= 0) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to initialize cipher : %lu", ERR_peek_last_error());
EVP_CIPHER_CTX_free(*ctx);
*ctx = NULL;
return RNP_ERROR_GENERIC;
/* LCOV_EXCL_END */
}
return RNP_SUCCESS;
}
Expand All @@ -151,14 +165,16 @@ ecdh_rfc3394_wrap(uint8_t * out,
EVP_CIPHER_CTX *ctx = NULL;
rnp_result_t ret = ecdh_rfc3394_wrap_ctx(&ctx, wrap_alg, key, false);
if (ret) {
/* LCOV_EXCL_START */
RNP_LOG("Wrap context initialization failed.");
return ret;
/* LCOV_EXCL_END */
}
int intlen = *out_len;
/* encrypts in one pass, no final is needed */
int res = EVP_EncryptUpdate(ctx, out, &intlen, in, in_len);
if (res <= 0) {
RNP_LOG("Failed to encrypt data : %lu", ERR_peek_last_error());
RNP_LOG("Failed to encrypt data : %lu", ERR_peek_last_error()); // LCOV_EXCL_LINE
} else {
*out_len = intlen;
}
Expand All @@ -181,8 +197,10 @@ ecdh_rfc3394_unwrap(uint8_t * out,
EVP_CIPHER_CTX *ctx = NULL;
rnp_result_t ret = ecdh_rfc3394_wrap_ctx(&ctx, wrap_alg, key, true);
if (ret) {
/* LCOV_EXCL_START */
RNP_LOG("Unwrap context initialization failed.");
return ret;
/* LCOV_EXCL_END */
}
int intlen = *out_len;
/* decrypts in one pass, no final is needed */
Expand All @@ -201,21 +219,29 @@ ecdh_derive_secret(EVP_PKEY *sec, EVP_PKEY *peer, uint8_t *x, size_t *xlen)
{
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(sec, NULL);
if (!ctx) {
/* LCOV_EXCL_START */
RNP_LOG("Context allocation failed: %lu", ERR_peek_last_error());
return false;
/* LCOV_EXCL_END */
}
bool res = false;
if (EVP_PKEY_derive_init(ctx) <= 0) {
/* LCOV_EXCL_START */
RNP_LOG("Key derivation init failed: %lu", ERR_peek_last_error());
goto done;
/* LCOV_EXCL_END */
}
if (EVP_PKEY_derive_set_peer(ctx, peer) <= 0) {
/* LCOV_EXCL_START */
RNP_LOG("Peer setting failed: %lu", ERR_peek_last_error());
goto done;
/* LCOV_EXCL_END */
}
if (EVP_PKEY_derive(ctx, x, xlen) <= 0) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to obtain shared secret size: %lu", ERR_peek_last_error());
goto done;
/* LCOV_EXCL_END */
}
res = true;
done:
Expand Down Expand Up @@ -256,14 +282,18 @@ ecdh_encrypt_pkcs5(rnp::RNG * rng,
/* check whether we have valid wrap_alg before doing heavy operations */
size_t keklen = ecdh_kek_len(key->key_wrap_alg);
if (!keklen) {
/* LCOV_EXCL_START */
RNP_LOG("Unsupported key wrap algorithm: %d", (int) key->key_wrap_alg);
return RNP_ERROR_NOT_SUPPORTED;
/* LCOV_EXCL_END */
}
/* load our public key */
EVP_PKEY *pkey = ec_load_key(key->p, NULL, key->curve);
if (!pkey) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to load public key.");
return RNP_ERROR_BAD_PARAMETERS;
/* LCOV_EXCL_END */
}
rnp::secure_array<uint8_t, MAX_CURVE_BYTELEN + 1> sec;
rnp::secure_array<uint8_t, MAX_AES_KEY_SIZE> kek;
Expand All @@ -274,42 +304,54 @@ ecdh_encrypt_pkcs5(rnp::RNG * rng,
/* generate ephemeral key */
EVP_PKEY *ephkey = ec_generate_pkey(PGP_PKA_ECDH, key->curve);
if (!ephkey) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to generate ephemeral key.");
ret = RNP_ERROR_KEY_GENERATION;
goto done;
/* LCOV_EXCL_END */
}
/* do ECDH derivation */
if (!ecdh_derive_secret(ephkey, pkey, sec.data(), &seclen)) {
/* LCOV_EXCL_START */
RNP_LOG("ECDH derivation failed.");
goto done;
/* LCOV_EXCL_END */
}
/* here we got x value in sec, deriving kek */
ret = ecdh_derive_kek(sec.data(), seclen, *key, fingerprint, kek.data(), keklen);
if (ret) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to derive KEK.");
goto done;
/* LCOV_EXCL_END */
}
/* add PKCS#7 padding */
size_t m_padded_len;
m_padded_len = ((in_len / 8) + 1) * 8;
memcpy(mpad.data(), in, in_len);
if (!pad_pkcs7(mpad.data(), m_padded_len, in_len)) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to add PKCS #7 padding.");
goto done;
/* LCOV_EXCL_END */
}
/* do RFC 3394 AES key wrap */
static_assert(sizeof(out->m) == ECDH_WRAPPED_KEY_SIZE, "Wrong ECDH wrapped key size.");
out->mlen = ECDH_WRAPPED_KEY_SIZE;
ret = ecdh_rfc3394_wrap(
out->m, &out->mlen, mpad.data(), m_padded_len, kek.data(), key->key_wrap_alg);
if (ret) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to wrap key.");
goto done;
/* LCOV_EXCL_END */
}
/* write ephemeral public key */
if (!ec_write_pubkey(ephkey, out->p, key->curve)) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to write ec key.");
goto done;
/* LCOV_EXCL_END */
}
ret = RNP_SUCCESS;
done:
Expand Down Expand Up @@ -351,32 +393,42 @@ ecdh_decrypt_pkcs5(uint8_t * out,
rnp_result_t ret = RNP_ERROR_GENERIC;
EVP_PKEY * pkey = ec_load_key(key->p, &key->x, key->curve);
if (!pkey) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to load secret key.");
ret = RNP_ERROR_BAD_PARAMETERS;
goto done;
/* LCOV_EXCL_END */
}
/* do ECDH derivation */
if (!ecdh_derive_secret(pkey, ephkey, sec.data(), &seclen)) {
/* LCOV_EXCL_START */
RNP_LOG("ECDH derivation failed.");
goto done;
/* LCOV_EXCL_END */
}
/* here we got x value in sec, deriving kek */
ret = ecdh_derive_kek(sec.data(), seclen, *key, fingerprint, kek.data(), keklen);
if (ret) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to derive KEK.");
goto done;
/* LCOV_EXCL_END */
}
/* do RFC 3394 AES key unwrap */
ret = ecdh_rfc3394_unwrap(
mpad.data(), &mpadlen, in->m, in->mlen, kek.data(), key->key_wrap_alg);
if (ret) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to unwrap key.");
goto done;
/* LCOV_EXCL_END */
}
/* remove PKCS#7 padding */
if (!unpad_pkcs7(mpad.data(), mpadlen, &mpadlen)) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to unpad key.");
goto done;
/* LCOV_EXCL_END */
}
assert(mpadlen <= *out_len);
*out_len = mpadlen;
Expand Down

0 comments on commit d243caa

Please sign in to comment.