int
CA_STEP5_derive_keys(const EAC_CTX *ctx, const BUF_MEM *pub,
BUF_MEM **nonce, BUF_MEM **token)
{
BUF_MEM *r = NULL;
BUF_MEM *authentication_token = NULL;
check((ctx && ctx->ca_ctx && ctx->ca_ctx->ka_ctx && nonce && token),
"Invalid arguments");
/* Generate nonce and derive k_mac and k_enc*/
r = randb(CA_NONCE_SIZE);
if (!r || !KA_CTX_derive_keys(ctx->ca_ctx->ka_ctx, r, ctx->md_ctx))
goto err;
/* Compute authentication token */
authentication_token = get_authentication_token(ctx->ca_ctx->protocol,
ctx->ca_ctx->ka_ctx, ctx->bn_ctx, ctx->tr_version,
pub);
check(authentication_token, "Failed to compute authentication token");
*nonce = r;
*token = authentication_token;
return 1;
err:
BUF_MEM_clear_free(r);
return 0;
}
int
PACE_STEP2_dec_nonce(const EAC_CTX * ctx, const PACE_SEC * pi,
const BUF_MEM * enc_nonce)
{
BUF_MEM *key = NULL;
int r = 0;
check((ctx && ctx->pace_ctx && ctx->pace_ctx->ka_ctx && ctx->pace_ctx->ka_ctx->cipher),
"Invalid arguments");
key = kdf_pi(pi, NULL, ctx->pace_ctx->ka_ctx, ctx->md_ctx);
check(key, "Key derivation function failed");
BUF_MEM_clear_free(ctx->pace_ctx->nonce);
ctx->pace_ctx->nonce = cipher_no_pad(ctx->pace_ctx->ka_ctx, ctx->cipher_ctx, key, enc_nonce, 0);
check(ctx->pace_ctx->nonce, "Failed to decrypt nonce");
r = 1;
err:
BUF_MEM_clear_free(key);
return r;
}
BUF_MEM *
PACE_STEP1_enc_nonce(const EAC_CTX * ctx, const PACE_SEC * pi)
{
BUF_MEM * enc_nonce = NULL;
BUF_MEM * key = NULL;
check((ctx && ctx->pace_ctx && ctx->pace_ctx->ka_ctx &&
ctx->pace_ctx->ka_ctx->cipher),
"Invalid arguments");
key = kdf_pi(pi, NULL, ctx->pace_ctx->ka_ctx, ctx->md_ctx);
check(key, "Key derivation function failed");
BUF_MEM_clear_free(ctx->pace_ctx->nonce);
ctx->pace_ctx->nonce = randb(EVP_CIPHER_block_size(ctx->pace_ctx->ka_ctx->cipher));
check(ctx->pace_ctx->nonce, "Failed to create nonce");
enc_nonce = cipher_no_pad(ctx->pace_ctx->ka_ctx, ctx->cipher_ctx, key, ctx->pace_ctx->nonce, 1);
err:
BUF_MEM_clear_free(key);
return enc_nonce;
}
int
EAC_CTX_init_ri(EAC_CTX *ctx, int protocol, int stnd_dp)
{
BUF_MEM *pubkey = NULL;
RI_CTX *ri_ctx = NULL;
int r = 0;
if (!ctx || !ctx->ri_ctxs) {
log_err("Invalid arguments");
goto err;
}
ri_ctx = RI_CTX_new();
check(ri_ctx, "Could not create RI context");
if (!RI_CTX_set_protocol(ri_ctx, protocol)
|| !EVP_PKEY_set_std_dp(ri_ctx->static_key, stnd_dp))
goto err;
if (!ri_ctx->generate_key)
goto err;
pubkey = ri_ctx->generate_key(ri_ctx->static_key, ctx->bn_ctx);
if (!pubkey)
goto err;
else /* We do not need the buffered public key and throw it away immediately */
BUF_MEM_clear_free(pubkey);
r = 1;
err:
if (r && sk_push((_STACK *) ctx->ri_ctxs, ri_ctx)) {
ctx->ri_ctx = ri_ctx;
} else {
/* either an error occurred before
* or we could not push it onto the stack */
r = 0;
RI_CTX_clear_free(ri_ctx);
}
return r;
}
void
TA_CTX_clear_free(TA_CTX *ctx) {
if (!ctx)
return;
if (ctx->pk_pcd)
BUF_MEM_free(ctx->pk_pcd);
if (ctx->priv_key)
EVP_PKEY_free(ctx->priv_key);
if (ctx->pub_key)
EVP_PKEY_free(ctx->pub_key);
if (ctx->trust_anchor)
CVC_CERT_free(ctx->trust_anchor);
if (ctx->current_cert)
CVC_CERT_free(ctx->current_cert);
if (ctx->new_trust_anchor)
CVC_CERT_free(ctx->new_trust_anchor);
BUF_MEM_clear_free(ctx->nonce);
OPENSSL_free(ctx);
return;
}
