device/fido/pin_internal.cc - chromium/src - Git at Google

 // Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "device/fido/pin_internal.h"

 #include <string>
 #include <utility>

 #include "base/i18n/char_iterator.h"
 #include "base/no_destructor.h"
 #include "base/strings/string_util.h"
 #include "crypto/random.h"
 #include "third_party/boringssl/src/include/openssl/aes.h"
 #include "third_party/boringssl/src/include/openssl/bn.h"
 #include "third_party/boringssl/src/include/openssl/ec.h"
 #include "third_party/boringssl/src/include/openssl/ec_key.h"
 #include "third_party/boringssl/src/include/openssl/ecdh.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 #include "third_party/boringssl/src/include/openssl/hkdf.h"
 #include "third_party/boringssl/src/include/openssl/hmac.h"
 #include "third_party/boringssl/src/include/openssl/mem.h"
 #include "third_party/boringssl/src/include/openssl/sha.h"

 namespace device {
 namespace pin {

 base::Optional<bssl::UniquePtr<EC_POINT>> PointFromKeyAgreementResponse(
     const EC_GROUP* group,
     const KeyAgreementResponse& response) {
   bssl::UniquePtr<EC_POINT> ret(EC_POINT_new(group));

   bssl::UniquePtr<BIGNUM> x_bn(BN_new()), y_bn(BN_new());
   BN_bin2bn(response.x, sizeof(response.x), x_bn.get());
   BN_bin2bn(response.y, sizeof(response.y), y_bn.get());
   const bool on_curve =
       EC_POINT_set_affine_coordinates_GFp(group, ret.get(), x_bn.get(),
                                           y_bn.get(), nullptr /* ctx */) == 1;

   if (!on_curve) {
     return base::nullopt;
   }

   return ret;
 }

 // ProtocolV1 implements CTAP2.1 PIN/UV Auth Protocol One (6.5.10).
 class ProtocolV1 : public Protocol {
  private:
   static constexpr size_t kSharedKeySize = 32u;
   static constexpr size_t kSignatureSize = 16u;

   std::array<uint8_t, kP256X962Length> Encapsulate(
       const KeyAgreementResponse& peers_key,
       std::vector<uint8_t>* out_shared_key) const override {
     bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
     CHECK(EC_KEY_generate_key(key.get()));
     base::Optional<bssl::UniquePtr<EC_POINT>> peers_point =
         PointFromKeyAgreementResponse(EC_KEY_get0_group(key.get()), peers_key);
     *out_shared_key = CalculateSharedKey(key.get(), peers_point->get());
     // KeyAgreementResponse parsing ensures that the point is on the curve.
     DCHECK(peers_point);
     std::array<uint8_t, kP256X962Length> x962;
     CHECK_EQ(x962.size(),
              EC_POINT_point2oct(EC_KEY_get0_group(key.get()),
                                 EC_KEY_get0_public_key(key.get()),
                                 POINT_CONVERSION_UNCOMPRESSED, x962.data(),
                                 x962.size(), nullptr /* BN_CTX */));

     return x962;
   }

   std::vector<uint8_t> Encrypt(
       base::span<const uint8_t> shared_key,
       base::span<const uint8_t> plaintext) const override {
     DCHECK_EQ(plaintext.size() % AES_BLOCK_SIZE, 0u);
     DCHECK_EQ(shared_key.size(), kSharedKeySize);

     std::vector<uint8_t> ciphertext(plaintext.size());

     EVP_CIPHER_CTX aes_ctx;
     EVP_CIPHER_CTX_init(&aes_ctx);
     const uint8_t kZeroIV[AES_BLOCK_SIZE] = {};
     CHECK(EVP_EncryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
                              shared_key.data(), kZeroIV));
     CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));
     CHECK(EVP_Cipher(&aes_ctx, ciphertext.data(), plaintext.data(),
                      plaintext.size()));
     EVP_CIPHER_CTX_cleanup(&aes_ctx);
     return ciphertext;
   }

   std::vector<uint8_t> Decrypt(
       base::span<const uint8_t> shared_key,
       base::span<const uint8_t> ciphertext) const override {
     DCHECK_EQ(ciphertext.size() % AES_BLOCK_SIZE, 0u);
     DCHECK_EQ(shared_key.size(), kSharedKeySize);

     std::vector<uint8_t> plaintext(ciphertext.size());

     EVP_CIPHER_CTX aes_ctx;
     EVP_CIPHER_CTX_init(&aes_ctx);
     const uint8_t kZeroIV[AES_BLOCK_SIZE] = {};
     CHECK(EVP_DecryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
                              shared_key.data(), kZeroIV));
     CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));

     CHECK(EVP_Cipher(&aes_ctx, plaintext.data(), ciphertext.data(),
                      ciphertext.size()));
     EVP_CIPHER_CTX_cleanup(&aes_ctx);
     return plaintext;
   }

   std::vector<uint8_t> Authenticate(
       base::span<const uint8_t> key,
       base::span<const uint8_t> data) const override {
     // Authenticate can be invoked with the shared secret or with a PIN/UV Auth
     // Token. In CTAP2.1, V1 tokens are fixed at 16 or 32 bytes. But in CTAP2.0
     // they may be any multiple of 16 bytes. We don't know the CTAP version, so
     // only enforce the latter.
     static_assert(kSharedKeySize == 32u, "");
     DCHECK_EQ(key.size() % AES_BLOCK_SIZE, 0u);

     std::vector<uint8_t> pin_auth(SHA256_DIGEST_LENGTH);
     unsigned hmac_bytes;
     CHECK(HMAC(EVP_sha256(), key.data(), key.size(), data.data(), data.size(),
                pin_auth.data(), &hmac_bytes));
     DCHECK_EQ(pin_auth.size(), static_cast<size_t>(hmac_bytes));
     pin_auth.resize(kSignatureSize);
     return pin_auth;
   }

   bool Verify(base::span<const uint8_t> key,
               base::span<const uint8_t> data,
               base::span<const uint8_t> signature) const override {
     if (signature.size() != kSignatureSize) {
       return false;
     }
     const std::vector<uint8_t> computed_signature = Authenticate(key, data);
     CHECK_EQ(computed_signature.size(), kSignatureSize);
     return CRYPTO_memcmp(signature.data(), computed_signature.data(),
                          kSignatureSize) == 0;
   }

   std::vector<uint8_t> CalculateSharedKey(
       const EC_KEY* key,
       const EC_POINT* peers_key) const override {
     std::vector<uint8_t> shared_key(SHA256_DIGEST_LENGTH);
     CHECK_EQ(static_cast<int>(SHA256_DIGEST_LENGTH),
              ECDH_compute_key(shared_key.data(), shared_key.size(), peers_key,
                               key, SHA256KDF));
     return shared_key;
   }

   static void* SHA256KDF(const void* in,
                          size_t in_len,
                          void* out,
                          size_t* out_len) {
     DCHECK_GE(*out_len, static_cast<size_t>(SHA256_DIGEST_LENGTH));
     SHA256(reinterpret_cast<const uint8_t*>(in), in_len,
            reinterpret_cast<uint8_t*>(out));
     *out_len = SHA256_DIGEST_LENGTH;
     return out;
   }
 };

 // ProtocolV2 implements CTAP2.1 PIN/UV Auth Protocol Two (6.5.11).
 class ProtocolV2 : public ProtocolV1 {
  private:
   static constexpr size_t kAESKeyLength = 32;
   static constexpr size_t kHMACKeyLength = 32;
   static constexpr size_t kSharedKeyLength = kAESKeyLength + kHMACKeyLength;
   static constexpr size_t kPINUVAuthTokenLength = 32;
   static constexpr size_t kSignatureSize = SHA256_DIGEST_LENGTH;

   // GetHMACSubKey returns the HMAC-key portion of the shared secret.
   static base::span<const uint8_t, kHMACKeyLength> GetHMACSubKey(
       base::span<const uint8_t, kSharedKeyLength> shared_key) {
     CHECK_EQ(shared_key.size(), kSharedKeyLength);
     return base::make_span<kHMACKeyLength>(
         shared_key.subspan(0, kHMACKeyLength));
   }

   // GetAESSubKey returns the HMAC-key portion of the shared secret.
   static base::span<const uint8_t, kAESKeyLength> GetAESSubKey(
       base::span<const uint8_t, kSharedKeyLength> shared_key) {
     return base::make_span<kAESKeyLength>(shared_key.subspan(kHMACKeyLength));
   }

   std::vector<uint8_t> Encrypt(
       base::span<const uint8_t> shared_key,
       base::span<const uint8_t> plaintext) const override {
     DCHECK_EQ(plaintext.size() % AES_BLOCK_SIZE, 0u);

     const base::span<const uint8_t, kAESKeyLength> aes_key =
         GetAESSubKey(base::make_span<kSharedKeyLength>(shared_key));

     std::vector<uint8_t> result(AES_BLOCK_SIZE + plaintext.size());
     const base::span<uint8_t> iv =
         base::make_span(result).subspan(0, AES_BLOCK_SIZE);
     const base::span<uint8_t> ciphertext =
         base::make_span(result).subspan(AES_BLOCK_SIZE);

     crypto::RandBytes(iv);

     EVP_CIPHER_CTX aes_ctx;
     EVP_CIPHER_CTX_init(&aes_ctx);
     CHECK(EVP_EncryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
                              aes_key.data(), iv.data()));
     CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));
     CHECK(EVP_Cipher(&aes_ctx, ciphertext.data(), plaintext.data(),
                      plaintext.size()));
     EVP_CIPHER_CTX_cleanup(&aes_ctx);

     return result;
   }

   std::vector<uint8_t> Decrypt(base::span<const uint8_t> shared_key,
                                base::span<const uint8_t> input) const override {
     DCHECK_EQ(input.size() % AES_BLOCK_SIZE, 0u);

     const base::span<const uint8_t, kAESKeyLength> aes_key =
         GetAESSubKey(base::make_span<kSharedKeyLength>(shared_key));
     const base::span<const uint8_t> iv = input.subspan(0, AES_BLOCK_SIZE);
     const base::span<const uint8_t> ciphertext = input.subspan(AES_BLOCK_SIZE);
     std::vector<uint8_t> plaintext(ciphertext.size());

     EVP_CIPHER_CTX aes_ctx;
     EVP_CIPHER_CTX_init(&aes_ctx);
     CHECK(EVP_DecryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
                              aes_key.data(), iv.data()));
     CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));

     CHECK(EVP_Cipher(&aes_ctx, plaintext.data(), ciphertext.data(),
                      ciphertext.size()));
     EVP_CIPHER_CTX_cleanup(&aes_ctx);

     return plaintext;
   }

   std::vector<uint8_t> Authenticate(
       base::span<const uint8_t> key,
       base::span<const uint8_t> data) const override {
     // Authenticate can be invoked with the shared secret or with a PIN/UV Auth
     // Token, which is fixed at 32 bytes in V2.
     DCHECK(key.size() == kSharedKeyLength ||
            key.size() == kPINUVAuthTokenLength);
     const base::span<const uint8_t, kHMACKeyLength> hmac_key =
         (key.size() == kSharedKeyLength
              ? GetHMACSubKey(base::make_span<kSharedKeyLength>(key))
              : base::make_span<kPINUVAuthTokenLength>(key));

     std::vector<uint8_t> pin_auth(SHA256_DIGEST_LENGTH);
     unsigned hmac_bytes;
     CHECK(HMAC(EVP_sha256(), hmac_key.data(), hmac_key.size(), data.data(),
                data.size(), pin_auth.data(), &hmac_bytes));
     DCHECK_EQ(pin_auth.size(), static_cast<size_t>(hmac_bytes));
     return pin_auth;
   }

   bool Verify(base::span<const uint8_t> key,
               base::span<const uint8_t> data,
               base::span<const uint8_t> signature) const override {
     if (signature.size() != kSignatureSize) {
       return false;
     }
     const std::vector<uint8_t> computed_signature = Authenticate(key, data);
     CHECK_EQ(computed_signature.size(), kSignatureSize);
     return CRYPTO_memcmp(signature.data(), computed_signature.data(),
                          kSignatureSize) == 0;
   }

   std::vector<uint8_t> CalculateSharedKey(
       const EC_KEY* key,
       const EC_POINT* peers_key) const override {
     std::vector<uint8_t> shared_key(kSharedKeyLength);
     CHECK_EQ(static_cast<int>(kSharedKeyLength),
              ECDH_compute_key(shared_key.data(), shared_key.size(), peers_key,
                               key, KDF));
     return shared_key;
   }

   static void* KDF(const void* in, size_t in_len, void* out, size_t* out_len) {
     static_assert(kSharedKeyLength == 2 * SHA256_DIGEST_LENGTH, "");
     DCHECK_GE(*out_len, static_cast<size_t>(kSharedKeyLength));
     auto hmac_key_out =
         base::make_span(reinterpret_cast<uint8_t*>(out), SHA256_DIGEST_LENGTH);
     auto aes_key_out =
         base::make_span(reinterpret_cast<uint8_t*>(out) + SHA256_DIGEST_LENGTH,
                         SHA256_DIGEST_LENGTH);

     constexpr uint8_t kHMACKeyInfo[] = "CTAP2 HMAC key";
     constexpr uint8_t kAESKeyInfo[] = "CTAP2 AES key";
     constexpr uint8_t kZeroSalt[32] = {};

     CHECK(HKDF(hmac_key_out.data(), hmac_key_out.size(), EVP_sha256(),
                reinterpret_cast<const uint8_t*>(in), in_len, kZeroSalt,
                sizeof(kZeroSalt), kHMACKeyInfo, sizeof(kHMACKeyInfo) - 1));
     CHECK(HKDF(aes_key_out.data(), aes_key_out.size(), EVP_sha256(),
                reinterpret_cast<const uint8_t*>(in), in_len, kZeroSalt,
                sizeof(kZeroSalt), kAESKeyInfo, sizeof(kAESKeyInfo) - 1));

     *out_len = kSharedKeyLength;
     return out;
   }
 };

 // static
 const Protocol& ProtocolVersion(PINUVAuthProtocol protocol) {
   static const base::NoDestructor<ProtocolV1> kProtocolV1;
   static const base::NoDestructor<ProtocolV2> kProtocolV2;

   switch (protocol) {
     case PINUVAuthProtocol::kV1:
       return *kProtocolV1;
     case PINUVAuthProtocol::kV2:
       return *kProtocolV2;
   }
 }

 }  // namespace pin

 }  // namespace device
	// Copyright 2019 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "device/fido/pin_internal.h"

	#include <string>
	#include <utility>

	#include "base/i18n/char_iterator.h"
	#include "base/no_destructor.h"
	#include "base/strings/string_util.h"
	#include "crypto/random.h"
	#include "third_party/boringssl/src/include/openssl/aes.h"
	#include "third_party/boringssl/src/include/openssl/bn.h"
	#include "third_party/boringssl/src/include/openssl/ec.h"
	#include "third_party/boringssl/src/include/openssl/ec_key.h"
	#include "third_party/boringssl/src/include/openssl/ecdh.h"
	#include "third_party/boringssl/src/include/openssl/evp.h"
	#include "third_party/boringssl/src/include/openssl/hkdf.h"
	#include "third_party/boringssl/src/include/openssl/hmac.h"
	#include "third_party/boringssl/src/include/openssl/mem.h"
	#include "third_party/boringssl/src/include/openssl/sha.h"

	namespace device {
	namespace pin {

	base::Optional<bssl::UniquePtr<EC_POINT>> PointFromKeyAgreementResponse(
	const EC_GROUP* group,
	const KeyAgreementResponse& response) {
	bssl::UniquePtr<EC_POINT> ret(EC_POINT_new(group));

	bssl::UniquePtr<BIGNUM> x_bn(BN_new()), y_bn(BN_new());
	BN_bin2bn(response.x, sizeof(response.x), x_bn.get());
	BN_bin2bn(response.y, sizeof(response.y), y_bn.get());
	const bool on_curve =
	EC_POINT_set_affine_coordinates_GFp(group, ret.get(), x_bn.get(),
	y_bn.get(), nullptr /* ctx */) == 1;

	if (!on_curve) {
	return base::nullopt;
	}

	return ret;
	}

	// ProtocolV1 implements CTAP2.1 PIN/UV Auth Protocol One (6.5.10).
	class ProtocolV1 : public Protocol {
	private:
	static constexpr size_t kSharedKeySize = 32u;
	static constexpr size_t kSignatureSize = 16u;

	std::array<uint8_t, kP256X962Length> Encapsulate(
	const KeyAgreementResponse& peers_key,
	std::vector<uint8_t>* out_shared_key) const override {
	bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
	CHECK(EC_KEY_generate_key(key.get()));
	base::Optional<bssl::UniquePtr<EC_POINT>> peers_point =
	PointFromKeyAgreementResponse(EC_KEY_get0_group(key.get()), peers_key);
	*out_shared_key = CalculateSharedKey(key.get(), peers_point->get());
	// KeyAgreementResponse parsing ensures that the point is on the curve.
	DCHECK(peers_point);
	std::array<uint8_t, kP256X962Length> x962;
	CHECK_EQ(x962.size(),
	EC_POINT_point2oct(EC_KEY_get0_group(key.get()),
	EC_KEY_get0_public_key(key.get()),
	POINT_CONVERSION_UNCOMPRESSED, x962.data(),
	x962.size(), nullptr /* BN_CTX */));

	return x962;
	}

	std::vector<uint8_t> Encrypt(
	base::span<const uint8_t> shared_key,
	base::span<const uint8_t> plaintext) const override {
	DCHECK_EQ(plaintext.size() % AES_BLOCK_SIZE, 0u);
	DCHECK_EQ(shared_key.size(), kSharedKeySize);

	std::vector<uint8_t> ciphertext(plaintext.size());

	EVP_CIPHER_CTX aes_ctx;
	EVP_CIPHER_CTX_init(&aes_ctx);
	const uint8_t kZeroIV[AES_BLOCK_SIZE] = {};
	CHECK(EVP_EncryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
	shared_key.data(), kZeroIV));
	CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));
	CHECK(EVP_Cipher(&aes_ctx, ciphertext.data(), plaintext.data(),
	plaintext.size()));
	EVP_CIPHER_CTX_cleanup(&aes_ctx);
	return ciphertext;
	}

	std::vector<uint8_t> Decrypt(
	base::span<const uint8_t> shared_key,
	base::span<const uint8_t> ciphertext) const override {
	DCHECK_EQ(ciphertext.size() % AES_BLOCK_SIZE, 0u);
	DCHECK_EQ(shared_key.size(), kSharedKeySize);

	std::vector<uint8_t> plaintext(ciphertext.size());

	EVP_CIPHER_CTX aes_ctx;
	EVP_CIPHER_CTX_init(&aes_ctx);
	const uint8_t kZeroIV[AES_BLOCK_SIZE] = {};
	CHECK(EVP_DecryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
	shared_key.data(), kZeroIV));
	CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));

	CHECK(EVP_Cipher(&aes_ctx, plaintext.data(), ciphertext.data(),
	ciphertext.size()));
	EVP_CIPHER_CTX_cleanup(&aes_ctx);
	return plaintext;
	}

	std::vector<uint8_t> Authenticate(
	base::span<const uint8_t> key,
	base::span<const uint8_t> data) const override {
	// Authenticate can be invoked with the shared secret or with a PIN/UV Auth
	// Token. In CTAP2.1, V1 tokens are fixed at 16 or 32 bytes. But in CTAP2.0
	// they may be any multiple of 16 bytes. We don't know the CTAP version, so
	// only enforce the latter.
	static_assert(kSharedKeySize == 32u, "");
	DCHECK_EQ(key.size() % AES_BLOCK_SIZE, 0u);

	std::vector<uint8_t> pin_auth(SHA256_DIGEST_LENGTH);
	unsigned hmac_bytes;
	CHECK(HMAC(EVP_sha256(), key.data(), key.size(), data.data(), data.size(),
	pin_auth.data(), &hmac_bytes));
	DCHECK_EQ(pin_auth.size(), static_cast<size_t>(hmac_bytes));
	pin_auth.resize(kSignatureSize);
	return pin_auth;
	}

	bool Verify(base::span<const uint8_t> key,
	base::span<const uint8_t> data,
	base::span<const uint8_t> signature) const override {
	if (signature.size() != kSignatureSize) {
	return false;
	}
	const std::vector<uint8_t> computed_signature = Authenticate(key, data);
	CHECK_EQ(computed_signature.size(), kSignatureSize);
	return CRYPTO_memcmp(signature.data(), computed_signature.data(),
	kSignatureSize) == 0;
	}

	std::vector<uint8_t> CalculateSharedKey(
	const EC_KEY* key,
	const EC_POINT* peers_key) const override {
	std::vector<uint8_t> shared_key(SHA256_DIGEST_LENGTH);
	CHECK_EQ(static_cast<int>(SHA256_DIGEST_LENGTH),
	ECDH_compute_key(shared_key.data(), shared_key.size(), peers_key,
	key, SHA256KDF));
	return shared_key;
	}

	static void* SHA256KDF(const void* in,
	size_t in_len,
	void* out,
	size_t* out_len) {
	DCHECK_GE(*out_len, static_cast<size_t>(SHA256_DIGEST_LENGTH));
	SHA256(reinterpret_cast<const uint8_t*>(in), in_len,
	reinterpret_cast<uint8_t*>(out));
	*out_len = SHA256_DIGEST_LENGTH;
	return out;
	}
	};

	// ProtocolV2 implements CTAP2.1 PIN/UV Auth Protocol Two (6.5.11).
	class ProtocolV2 : public ProtocolV1 {
	private:
	static constexpr size_t kAESKeyLength = 32;
	static constexpr size_t kHMACKeyLength = 32;
	static constexpr size_t kSharedKeyLength = kAESKeyLength + kHMACKeyLength;
	static constexpr size_t kPINUVAuthTokenLength = 32;
	static constexpr size_t kSignatureSize = SHA256_DIGEST_LENGTH;

	// GetHMACSubKey returns the HMAC-key portion of the shared secret.
	static base::span<const uint8_t, kHMACKeyLength> GetHMACSubKey(
	base::span<const uint8_t, kSharedKeyLength> shared_key) {
	CHECK_EQ(shared_key.size(), kSharedKeyLength);
	return base::make_span<kHMACKeyLength>(
	shared_key.subspan(0, kHMACKeyLength));
	}

	// GetAESSubKey returns the HMAC-key portion of the shared secret.
	static base::span<const uint8_t, kAESKeyLength> GetAESSubKey(
	base::span<const uint8_t, kSharedKeyLength> shared_key) {
	return base::make_span<kAESKeyLength>(shared_key.subspan(kHMACKeyLength));
	}

	std::vector<uint8_t> Encrypt(
	base::span<const uint8_t> shared_key,
	base::span<const uint8_t> plaintext) const override {
	DCHECK_EQ(plaintext.size() % AES_BLOCK_SIZE, 0u);

	const base::span<const uint8_t, kAESKeyLength> aes_key =
	GetAESSubKey(base::make_span<kSharedKeyLength>(shared_key));

	std::vector<uint8_t> result(AES_BLOCK_SIZE + plaintext.size());
	const base::span<uint8_t> iv =
	base::make_span(result).subspan(0, AES_BLOCK_SIZE);
	const base::span<uint8_t> ciphertext =
	base::make_span(result).subspan(AES_BLOCK_SIZE);

	crypto::RandBytes(iv);

	EVP_CIPHER_CTX aes_ctx;
	EVP_CIPHER_CTX_init(&aes_ctx);
	CHECK(EVP_EncryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
	aes_key.data(), iv.data()));
	CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));
	CHECK(EVP_Cipher(&aes_ctx, ciphertext.data(), plaintext.data(),
	plaintext.size()));
	EVP_CIPHER_CTX_cleanup(&aes_ctx);

	return result;
	}

	std::vector<uint8_t> Decrypt(base::span<const uint8_t> shared_key,
	base::span<const uint8_t> input) const override {
	DCHECK_EQ(input.size() % AES_BLOCK_SIZE, 0u);

	const base::span<const uint8_t, kAESKeyLength> aes_key =
	GetAESSubKey(base::make_span<kSharedKeyLength>(shared_key));
	const base::span<const uint8_t> iv = input.subspan(0, AES_BLOCK_SIZE);
	const base::span<const uint8_t> ciphertext = input.subspan(AES_BLOCK_SIZE);
	std::vector<uint8_t> plaintext(ciphertext.size());

	EVP_CIPHER_CTX aes_ctx;
	EVP_CIPHER_CTX_init(&aes_ctx);
	CHECK(EVP_DecryptInit_ex(&aes_ctx, EVP_aes_256_cbc(), nullptr,
	aes_key.data(), iv.data()));
	CHECK(EVP_CIPHER_CTX_set_padding(&aes_ctx, 0 /* no padding */));

	CHECK(EVP_Cipher(&aes_ctx, plaintext.data(), ciphertext.data(),
	ciphertext.size()));
	EVP_CIPHER_CTX_cleanup(&aes_ctx);

	return plaintext;
	}

	std::vector<uint8_t> Authenticate(
	base::span<const uint8_t> key,
	base::span<const uint8_t> data) const override {
	// Authenticate can be invoked with the shared secret or with a PIN/UV Auth
	// Token, which is fixed at 32 bytes in V2.
	DCHECK(key.size() == kSharedKeyLength \|\|
	key.size() == kPINUVAuthTokenLength);
	const base::span<const uint8_t, kHMACKeyLength> hmac_key =
	(key.size() == kSharedKeyLength
	? GetHMACSubKey(base::make_span<kSharedKeyLength>(key))
	: base::make_span<kPINUVAuthTokenLength>(key));

	std::vector<uint8_t> pin_auth(SHA256_DIGEST_LENGTH);
	unsigned hmac_bytes;
	CHECK(HMAC(EVP_sha256(), hmac_key.data(), hmac_key.size(), data.data(),
	data.size(), pin_auth.data(), &hmac_bytes));
	DCHECK_EQ(pin_auth.size(), static_cast<size_t>(hmac_bytes));
	return pin_auth;
	}

	bool Verify(base::span<const uint8_t> key,
	base::span<const uint8_t> data,
	base::span<const uint8_t> signature) const override {
	if (signature.size() != kSignatureSize) {
	return false;
	}
	const std::vector<uint8_t> computed_signature = Authenticate(key, data);
	CHECK_EQ(computed_signature.size(), kSignatureSize);
	return CRYPTO_memcmp(signature.data(), computed_signature.data(),
	kSignatureSize) == 0;
	}

	std::vector<uint8_t> CalculateSharedKey(
	const EC_KEY* key,
	const EC_POINT* peers_key) const override {
	std::vector<uint8_t> shared_key(kSharedKeyLength);
	CHECK_EQ(static_cast<int>(kSharedKeyLength),
	ECDH_compute_key(shared_key.data(), shared_key.size(), peers_key,
	key, KDF));
	return shared_key;
	}

	static void* KDF(const void* in, size_t in_len, void* out, size_t* out_len) {
	static_assert(kSharedKeyLength == 2 * SHA256_DIGEST_LENGTH, "");
	DCHECK_GE(*out_len, static_cast<size_t>(kSharedKeyLength));
	auto hmac_key_out =
	base::make_span(reinterpret_cast<uint8_t*>(out), SHA256_DIGEST_LENGTH);
	auto aes_key_out =
	base::make_span(reinterpret_cast<uint8_t*>(out) + SHA256_DIGEST_LENGTH,
	SHA256_DIGEST_LENGTH);

	constexpr uint8_t kHMACKeyInfo[] = "CTAP2 HMAC key";
	constexpr uint8_t kAESKeyInfo[] = "CTAP2 AES key";
	constexpr uint8_t kZeroSalt[32] = {};

	CHECK(HKDF(hmac_key_out.data(), hmac_key_out.size(), EVP_sha256(),
	reinterpret_cast<const uint8_t*>(in), in_len, kZeroSalt,
	sizeof(kZeroSalt), kHMACKeyInfo, sizeof(kHMACKeyInfo) - 1));
	CHECK(HKDF(aes_key_out.data(), aes_key_out.size(), EVP_sha256(),
	reinterpret_cast<const uint8_t*>(in), in_len, kZeroSalt,
	sizeof(kZeroSalt), kAESKeyInfo, sizeof(kAESKeyInfo) - 1));

	*out_len = kSharedKeyLength;
	return out;
	}
	};

	// static
	const Protocol& ProtocolVersion(PINUVAuthProtocol protocol) {
	static const base::NoDestructor<ProtocolV1> kProtocolV1;
	static const base::NoDestructor<ProtocolV2> kProtocolV2;

	switch (protocol) {
	case PINUVAuthProtocol::kV1:
	return *kProtocolV1;
	case PINUVAuthProtocol::kV2:
	return *kProtocolV2;
	}
	}

	} // namespace pin

	} // namespace device