GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/iked/ca.c Lines: 0 658 0.0 %
Date: 2016-12-06 Branches: 0 372 0.0 %

Line Branch Exec Source
1
/*	$OpenBSD: ca.c,v 1.40 2015/12/07 12:46:37 reyk Exp $	*/
2
3
/*
4
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 */
18
19
#include <sys/queue.h>
20
#include <sys/socket.h>
21
#include <sys/wait.h>
22
#include <sys/uio.h>
23
24
#include <stdlib.h>
25
#include <stdio.h>
26
#include <unistd.h>
27
#include <dirent.h>
28
#include <string.h>
29
#include <signal.h>
30
#include <errno.h>
31
#include <err.h>
32
#include <pwd.h>
33
#include <event.h>
34
35
#include <openssl/bio.h>
36
#include <openssl/err.h>
37
#include <openssl/engine.h>
38
#include <openssl/ssl.h>
39
#include <openssl/x509.h>
40
#include <openssl/x509v3.h>
41
#include <openssl/pem.h>
42
#include <openssl/evp.h>
43
#include <openssl/sha.h>
44
#include <openssl/rsa.h>
45
46
#include "iked.h"
47
#include "ikev2.h"
48
49
void	 ca_run(struct privsep *, struct privsep_proc *, void *);
50
void	 ca_reset(struct privsep *, struct privsep_proc *, void *);
51
int	 ca_reload(struct iked *);
52
53
int	 ca_getreq(struct iked *, struct imsg *);
54
int	 ca_getcert(struct iked *, struct imsg *);
55
int	 ca_getauth(struct iked *, struct imsg *);
56
X509	*ca_by_subjectpubkey(X509_STORE *, uint8_t *, size_t);
57
X509	*ca_by_issuer(X509_STORE *, X509_NAME *, struct iked_static_id *);
58
int	 ca_subjectpubkey_digest(X509 *, uint8_t *, unsigned int *);
59
int	 ca_x509_subject_cmp(X509 *, struct iked_static_id *);
60
int	 ca_validate_pubkey(struct iked *, struct iked_static_id *,
61
	    void *, size_t);
62
int	 ca_validate_cert(struct iked *, struct iked_static_id *,
63
	    void *, size_t);
64
struct ibuf *
65
	 ca_x509_serialize(X509 *);
66
int	 ca_x509_subjectaltname_cmp(X509 *, struct iked_static_id *);
67
int	 ca_x509_subjectaltname(X509 *cert, struct iked_id *);
68
int	 ca_privkey_serialize(EVP_PKEY *, struct iked_id *);
69
int	 ca_pubkey_serialize(EVP_PKEY *, struct iked_id *);
70
int	 ca_dispatch_parent(int, struct privsep_proc *, struct imsg *);
71
int	 ca_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
72
73
static struct privsep_proc procs[] = {
74
	{ "parent",	PROC_PARENT,	ca_dispatch_parent },
75
	{ "ikev2",	PROC_IKEV2,	ca_dispatch_ikev2 }
76
};
77
78
struct ca_store {
79
	X509_STORE	*ca_cas;
80
	X509_LOOKUP	*ca_calookup;
81
82
	X509_STORE	*ca_certs;
83
	X509_LOOKUP	*ca_certlookup;
84
85
	struct iked_id	 ca_privkey;
86
	struct iked_id	 ca_pubkey;
87
};
88
89
pid_t
90
caproc(struct privsep *ps, struct privsep_proc *p)
91
{
92
	struct ca_store	*store;
93
	FILE		*fp = NULL;
94
	EVP_PKEY	*key;
95
96
	/*
97
	 * This function runs code before privsep
98
	 */
99
	if ((store = calloc(1, sizeof(*store))) == NULL)
100
		fatal("ca: failed to allocate cert store");
101
102
	/* Read private key */
103
	if ((fp = fopen(IKED_PRIVKEY, "r")) == NULL)
104
		fatal("ca: failed to open private key");
105
106
	if ((key = PEM_read_PrivateKey(fp, NULL, NULL, NULL)) == NULL)
107
		fatalx("ca: failed to read private key");
108
	fclose(fp);
109
110
	if (ca_privkey_serialize(key, &store->ca_privkey) != 0)
111
		fatalx("ca: failed to serialize private key");
112
	if (ca_pubkey_serialize(key, &store->ca_pubkey) != 0)
113
		fatalx("ca: failed to serialize public key");
114
115
	EVP_PKEY_free(key);
116
117
	return (proc_run(ps, p, procs, nitems(procs), ca_reset, store));
118
}
119
120
void
121
ca_run(struct privsep *ps, struct privsep_proc *p, void *arg)
122
{
123
	/*
124
	 * pledge in the ca process:
125
	 * stdio - for malloc and basic I/O including events.
126
	 * rpath - for certificate files.
127
	 * recvfd - for ocsp sockets.
128
	 */
129
	if (pledge("stdio rpath recvfd cpath wpath", NULL) == -1)
130
		fatal("pledge");
131
132
	ca_reset(ps, p, arg);
133
}
134
135
void
136
ca_reset(struct privsep *ps, struct privsep_proc *p, void *arg)
137
{
138
	struct iked	*env = ps->ps_env;
139
	struct ca_store	*store = arg;
140
141
	if (store->ca_cas != NULL)
142
		X509_STORE_free(store->ca_cas);
143
	if (store->ca_certs != NULL)
144
		X509_STORE_free(store->ca_certs);
145
146
	if ((store->ca_cas = X509_STORE_new()) == NULL)
147
		fatalx("ca_reset: failed to get ca store");
148
	if ((store->ca_calookup = X509_STORE_add_lookup(store->ca_cas,
149
	    X509_LOOKUP_file())) == NULL)
150
		fatalx("ca_reset: failed to add ca lookup");
151
152
	if ((store->ca_certs = X509_STORE_new()) == NULL)
153
		fatalx("ca_reset: failed to get cert store");
154
	if ((store->ca_certlookup = X509_STORE_add_lookup(store->ca_certs,
155
	    X509_LOOKUP_file())) == NULL)
156
		fatalx("ca_reset: failed to add cert lookup");
157
158
	env->sc_priv = store;
159
160
	if (ca_reload(env) != 0)
161
		fatal("ca_reset: reload");
162
}
163
164
int
165
ca_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
166
{
167
	struct iked		*env = p->p_env;
168
	struct ca_store		*store = env->sc_priv;
169
	unsigned int		 mode;
170
171
	switch (imsg->hdr.type) {
172
	case IMSG_CTL_RESET:
173
		IMSG_SIZE_CHECK(imsg, &mode);
174
		memcpy(&mode, imsg->data, sizeof(mode));
175
		if (mode == RESET_ALL || mode == RESET_CA) {
176
			log_debug("%s: config reload", __func__);
177
			ca_reset(&env->sc_ps, p, store);
178
		}
179
		break;
180
	case IMSG_OCSP_FD:
181
		ocsp_receive_fd(env, imsg);
182
		break;
183
	case IMSG_OCSP_URL:
184
		config_getocsp(env, imsg);
185
		break;
186
	default:
187
		return (-1);
188
	}
189
190
	return (0);
191
}
192
193
int
194
ca_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg)
195
{
196
	struct iked	*env = p->p_env;
197
198
	switch (imsg->hdr.type) {
199
	case IMSG_CERTREQ:
200
		ca_getreq(env, imsg);
201
		break;
202
	case IMSG_CERT:
203
		ca_getcert(env, imsg);
204
		break;
205
	case IMSG_AUTH:
206
		ca_getauth(env, imsg);
207
		break;
208
	default:
209
		return (-1);
210
	}
211
212
	return (0);
213
}
214
215
int
216
ca_setcert(struct iked *env, struct iked_sahdr *sh, struct iked_id *id,
217
    uint8_t type, uint8_t *data, size_t len, enum privsep_procid procid)
218
{
219
	struct iovec		iov[4];
220
	int			iovcnt = 0;
221
	struct iked_static_id	idb;
222
223
	/* Must send the cert and a valid Id to the ca process */
224
	if (procid == PROC_CERT) {
225
		if (id == NULL || id->id_type == IKEV2_ID_NONE ||
226
		    ibuf_length(id->id_buf) > IKED_ID_SIZE)
227
			return (-1);
228
		bzero(&idb, sizeof(idb));
229
230
		/* Convert to a static Id */
231
		idb.id_type = id->id_type;
232
		idb.id_offset = id->id_offset;
233
		idb.id_length = ibuf_length(id->id_buf);
234
		memcpy(&idb.id_data, ibuf_data(id->id_buf),
235
		    ibuf_length(id->id_buf));
236
237
		iov[iovcnt].iov_base = &idb;
238
		iov[iovcnt].iov_len = sizeof(idb);
239
		iovcnt++;
240
	}
241
242
	iov[iovcnt].iov_base = sh;
243
	iov[iovcnt].iov_len = sizeof(*sh);
244
	iovcnt++;
245
	iov[iovcnt].iov_base = &type;
246
	iov[iovcnt].iov_len = sizeof(type);
247
	iovcnt++;
248
	iov[iovcnt].iov_base = data;
249
	iov[iovcnt].iov_len = len;
250
	iovcnt++;
251
252
	if (proc_composev(&env->sc_ps, procid, IMSG_CERT, iov, iovcnt) == -1)
253
		return (-1);
254
	return (0);
255
}
256
257
int
258
ca_setreq(struct iked *env, struct iked_sa *sa,
259
    struct iked_static_id *localid, uint8_t type, uint8_t *data,
260
    size_t len, enum privsep_procid procid)
261
{
262
	struct iovec		iov[4];
263
	int			iovcnt = 0;
264
	struct iked_static_id	idb;
265
	struct iked_id		id;
266
	int			ret = -1;
267
268
	/* Convert to a static Id */
269
	bzero(&id, sizeof(id));
270
	if (ikev2_policy2id(localid, &id, 1) != 0)
271
		return (-1);
272
273
	bzero(&idb, sizeof(idb));
274
	idb.id_type = id.id_type;
275
	idb.id_offset = id.id_offset;
276
	idb.id_length = ibuf_length(id.id_buf);
277
	memcpy(&idb.id_data, ibuf_data(id.id_buf),
278
	    ibuf_length(id.id_buf));
279
	iov[iovcnt].iov_base = &idb;
280
	iov[iovcnt].iov_len = sizeof(idb);
281
	iovcnt++;
282
283
	iov[iovcnt].iov_base = &sa->sa_hdr;
284
	iov[iovcnt].iov_len = sizeof(sa->sa_hdr);
285
	iovcnt++;
286
	iov[iovcnt].iov_base = &type;
287
	iov[iovcnt].iov_len = sizeof(type);
288
	iovcnt++;
289
	iov[iovcnt].iov_base = data;
290
	iov[iovcnt].iov_len = len;
291
	iovcnt++;
292
293
	if (proc_composev(&env->sc_ps, procid, IMSG_CERTREQ, iov, iovcnt) == -1)
294
		goto done;
295
296
	sa_stateflags(sa, IKED_REQ_CERTREQ);
297
298
	ret = 0;
299
 done:
300
	ibuf_release(id.id_buf);
301
	return (ret);
302
}
303
304
int
305
ca_setauth(struct iked *env, struct iked_sa *sa,
306
    struct ibuf *authmsg, enum privsep_procid id)
307
{
308
	struct iovec		 iov[3];
309
	int			 iovcnt = 3;
310
	struct iked_policy	*policy = sa->sa_policy;
311
	uint8_t			 type = policy->pol_auth.auth_method;
312
313
	/* switch encoding to IKEV2_AUTH_SIG if SHA2 is supported */
314
	if (sa->sa_sigsha2 && type == IKEV2_AUTH_RSA_SIG) {
315
		log_debug("%s: switching from RSA_SIG to SIG", __func__);
316
		type = IKEV2_AUTH_SIG;
317
	}
318
319
	if (type == IKEV2_AUTH_SHARED_KEY_MIC) {
320
		sa->sa_stateflags |= IKED_REQ_AUTH;
321
		return (ikev2_msg_authsign(env, sa,
322
		    &policy->pol_auth, authmsg));
323
	}
324
325
	iov[0].iov_base = &sa->sa_hdr;
326
	iov[0].iov_len = sizeof(sa->sa_hdr);
327
	iov[1].iov_base = &type;
328
	iov[1].iov_len = sizeof(type);
329
	if (type == IKEV2_AUTH_NONE)
330
		iovcnt--;
331
	else {
332
		iov[2].iov_base = ibuf_data(authmsg);
333
		iov[2].iov_len = ibuf_size(authmsg);
334
		log_debug("%s: auth length %zu", __func__, ibuf_size(authmsg));
335
	}
336
337
	if (proc_composev(&env->sc_ps, id, IMSG_AUTH, iov, iovcnt) == -1)
338
		return (-1);
339
	return (0);
340
}
341
342
int
343
ca_getcert(struct iked *env, struct imsg *imsg)
344
{
345
	struct iked_sahdr	 sh;
346
	uint8_t			 type;
347
	uint8_t			*ptr;
348
	size_t			 len;
349
	struct iked_static_id	 id;
350
	unsigned int		 i;
351
	struct iovec		 iov[2];
352
	int			 iovcnt = 2, cmd, ret = 0;
353
354
	ptr = (uint8_t *)imsg->data;
355
	len = IMSG_DATA_SIZE(imsg);
356
	i = sizeof(id) + sizeof(sh) + sizeof(type);
357
	if (len <= i)
358
		return (-1);
359
360
	memcpy(&id, ptr, sizeof(id));
361
	if (id.id_type == IKEV2_ID_NONE)
362
		return (-1);
363
	memcpy(&sh, ptr + sizeof(id), sizeof(sh));
364
	memcpy(&type, ptr + sizeof(id) + sizeof(sh), sizeof(uint8_t));
365
366
	ptr += i;
367
	len -= i;
368
369
	switch (type) {
370
	case IKEV2_CERT_X509_CERT:
371
		ret = ca_validate_cert(env, &id, ptr, len);
372
		if (ret == 0 && env->sc_ocsp_url) {
373
			ret = ocsp_validate_cert(env, &id, ptr, len, sh, type);
374
			if (ret == 0)
375
				return (0);
376
		}
377
		break;
378
	case IKEV2_CERT_RSA_KEY:
379
		ret = ca_validate_pubkey(env, &id, ptr, len);
380
		break;
381
	default:
382
		log_debug("%s: unsupported cert type %d", __func__, type);
383
		ret = -1;
384
		break;
385
	}
386
387
	if (ret == 0)
388
		cmd = IMSG_CERTVALID;
389
	else
390
		cmd = IMSG_CERTINVALID;
391
392
	iov[0].iov_base = &sh;
393
	iov[0].iov_len = sizeof(sh);
394
	iov[1].iov_base = &type;
395
	iov[1].iov_len = sizeof(type);
396
397
	if (proc_composev(&env->sc_ps, PROC_IKEV2, cmd, iov, iovcnt) == -1)
398
		return (-1);
399
	return (0);
400
}
401
402
int
403
ca_getreq(struct iked *env, struct imsg *imsg)
404
{
405
	struct ca_store		*store = env->sc_priv;
406
	struct iked_sahdr	 sh;
407
	uint8_t			 type;
408
	uint8_t			*ptr;
409
	size_t			 len;
410
	unsigned int		 i, n;
411
	X509			*ca = NULL, *cert = NULL;
412
	struct ibuf		*buf;
413
	struct iked_static_id	 id;
414
415
	ptr = (uint8_t *)imsg->data;
416
	len = IMSG_DATA_SIZE(imsg);
417
	i = sizeof(id) + sizeof(uint8_t) + sizeof(sh);
418
	if (len < i || ((len - i) % SHA_DIGEST_LENGTH) != 0)
419
		return (-1);
420
421
	memcpy(&id, ptr, sizeof(id));
422
	if (id.id_type == IKEV2_ID_NONE)
423
		return (-1);
424
	memcpy(&sh, ptr + sizeof(id), sizeof(sh));
425
	memcpy(&type, ptr + sizeof(id) + sizeof(sh), sizeof(uint8_t));
426
427
	switch (type) {
428
	case IKEV2_CERT_RSA_KEY:
429
		if (store->ca_pubkey.id_type != type ||
430
		    (buf = store->ca_pubkey.id_buf) == NULL)
431
			return (-1);
432
433
		log_debug("%s: using local public key of type %s", __func__,
434
		    print_map(type, ikev2_cert_map));
435
		break;
436
	case IKEV2_CERT_X509_CERT:
437
		for (n = 1; i < len; n++, i += SHA_DIGEST_LENGTH) {
438
			if ((ca = ca_by_subjectpubkey(store->ca_cas, ptr + i,
439
			    SHA_DIGEST_LENGTH)) == NULL)
440
				continue;
441
442
			log_debug("%s: found CA %s", __func__, ca->name);
443
444
			if ((cert = ca_by_issuer(store->ca_certs,
445
			    X509_get_subject_name(ca), &id)) != NULL) {
446
				/* XXX
447
				 * should we re-validate our own cert here?
448
				 */
449
				break;
450
			}
451
		}
452
		if (ca == NULL || cert == NULL) {
453
			log_warnx("%s: no valid local certificate found",
454
			    __func__);
455
			type = IKEV2_CERT_NONE;
456
			ca_setcert(env, &sh, NULL, type, NULL, 0, PROC_IKEV2);
457
			return (0);
458
		}
459
		log_debug("%s: found local certificate %s", __func__,
460
		    cert->name);
461
462
		if ((buf = ca_x509_serialize(cert)) == NULL)
463
			return (-1);
464
		break;
465
	default:
466
		log_warnx("%s: unknown cert type requested", __func__);
467
		return (-1);
468
	}
469
470
	ca_setcert(env, &sh, NULL, type,
471
	    ibuf_data(buf), ibuf_size(buf), PROC_IKEV2);
472
473
	return (0);
474
}
475
476
int
477
ca_getauth(struct iked *env, struct imsg *imsg)
478
{
479
	struct ca_store		*store = env->sc_priv;
480
	struct iked_sahdr	 sh;
481
	uint8_t			 method;
482
	uint8_t			*ptr;
483
	size_t			 len;
484
	unsigned int		 i;
485
	int			 ret = -1;
486
	struct iked_sa		 sa;
487
	struct iked_policy	 policy;
488
	struct iked_id		*id;
489
	struct ibuf		*authmsg;
490
491
	ptr = (uint8_t *)imsg->data;
492
	len = IMSG_DATA_SIZE(imsg);
493
	i = sizeof(method) + sizeof(sh);
494
	if (len <= i)
495
		return (-1);
496
497
	memcpy(&sh, ptr, sizeof(sh));
498
	memcpy(&method, ptr + sizeof(sh), sizeof(uint8_t));
499
	if (method == IKEV2_AUTH_SHARED_KEY_MIC)
500
		return (-1);
501
502
	ptr += i;
503
	len -= i;
504
505
	if ((authmsg = ibuf_new(ptr, len)) == NULL)
506
		return (-1);
507
508
	/*
509
	 * Create fake SA and policy
510
	 */
511
	bzero(&sa, sizeof(sa));
512
	bzero(&policy, sizeof(policy));
513
	memcpy(&sa.sa_hdr, &sh, sizeof(sh));
514
	sa.sa_policy = &policy;
515
	policy.pol_auth.auth_method = method;
516
	if (sh.sh_initiator)
517
		id = &sa.sa_icert;
518
	else
519
		id = &sa.sa_rcert;
520
	memcpy(id, &store->ca_privkey, sizeof(*id));
521
522
	if (ikev2_msg_authsign(env, &sa, &policy.pol_auth, authmsg) != 0) {
523
		log_debug("%s: AUTH sign failed", __func__);
524
		policy.pol_auth.auth_method = IKEV2_AUTH_NONE;
525
	}
526
527
	ret = ca_setauth(env, &sa, sa.sa_localauth.id_buf, PROC_IKEV2);
528
529
	ibuf_release(sa.sa_localauth.id_buf);
530
	ibuf_release(authmsg);
531
532
	return (ret);
533
}
534
535
int
536
ca_reload(struct iked *env)
537
{
538
	struct ca_store		*store = env->sc_priv;
539
	uint8_t			 md[EVP_MAX_MD_SIZE];
540
	char			 file[PATH_MAX];
541
	struct iovec		 iov[2];
542
	struct dirent		*entry;
543
	STACK_OF(X509_OBJECT)	*h;
544
	X509_OBJECT		*xo;
545
	X509			*x509;
546
	DIR			*dir;
547
	int			 i, len, iovcnt = 0;
548
549
	/*
550
	 * Load CAs
551
	 */
552
	if ((dir = opendir(IKED_CA_DIR)) == NULL)
553
		return (-1);
554
555
	while ((entry = readdir(dir)) != NULL) {
556
		if ((entry->d_type != DT_REG) &&
557
		    (entry->d_type != DT_LNK))
558
			continue;
559
560
		if (snprintf(file, sizeof(file), "%s%s",
561
		    IKED_CA_DIR, entry->d_name) == -1)
562
			continue;
563
564
		if (!X509_load_cert_file(store->ca_calookup, file,
565
		    X509_FILETYPE_PEM)) {
566
			log_warn("%s: failed to load ca file %s", __func__,
567
			    entry->d_name);
568
			ca_sslerror(__func__);
569
			continue;
570
		}
571
		log_debug("%s: loaded ca file %s", __func__, entry->d_name);
572
	}
573
	closedir(dir);
574
575
	/*
576
	 * Load CRLs for the CAs
577
	 */
578
	if ((dir = opendir(IKED_CRL_DIR)) == NULL)
579
		return (-1);
580
581
	while ((entry = readdir(dir)) != NULL) {
582
		if ((entry->d_type != DT_REG) &&
583
		    (entry->d_type != DT_LNK))
584
			continue;
585
586
		if (snprintf(file, sizeof(file), "%s%s",
587
		    IKED_CRL_DIR, entry->d_name) == -1)
588
			continue;
589
590
		if (!X509_load_crl_file(store->ca_calookup, file,
591
		    X509_FILETYPE_PEM)) {
592
			log_warn("%s: failed to load crl file %s", __func__,
593
			    entry->d_name);
594
			ca_sslerror(__func__);
595
			continue;
596
		}
597
598
		/* Only enable CRL checks if we actually loaded a CRL */
599
		X509_STORE_set_flags(store->ca_cas, X509_V_FLAG_CRL_CHECK);
600
601
		log_debug("%s: loaded crl file %s", __func__, entry->d_name);
602
	}
603
	closedir(dir);
604
605
	/*
606
	 * Save CAs signatures for the IKEv2 CERTREQ
607
	 */
608
	ibuf_release(env->sc_certreq);
609
	if ((env->sc_certreq = ibuf_new(NULL, 0)) == NULL)
610
		return (-1);
611
612
	h = store->ca_cas->objs;
613
	for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
614
		xo = sk_X509_OBJECT_value(h, i);
615
		if (xo->type != X509_LU_X509)
616
			continue;
617
618
		x509 = xo->data.x509;
619
		len = sizeof(md);
620
		ca_subjectpubkey_digest(x509, md, &len);
621
		log_debug("%s: %s", __func__, x509->name);
622
623
		if (ibuf_add(env->sc_certreq, md, len) != 0) {
624
			ibuf_release(env->sc_certreq);
625
			return (-1);
626
		}
627
	}
628
629
	if (ibuf_length(env->sc_certreq)) {
630
		env->sc_certreqtype = IKEV2_CERT_X509_CERT;
631
		iov[0].iov_base = &env->sc_certreqtype;
632
		iov[0].iov_len = sizeof(env->sc_certreqtype);
633
		iovcnt++;
634
		iov[1].iov_base = ibuf_data(env->sc_certreq);
635
		iov[1].iov_len = ibuf_length(env->sc_certreq);
636
		iovcnt++;
637
638
		log_debug("%s: loaded %zu ca certificate%s", __func__,
639
		    ibuf_length(env->sc_certreq) / SHA_DIGEST_LENGTH,
640
		    ibuf_length(env->sc_certreq) == SHA_DIGEST_LENGTH ?
641
		    "" : "s");
642
643
		(void)proc_composev(&env->sc_ps, PROC_IKEV2, IMSG_CERTREQ,
644
		    iov, iovcnt);
645
	}
646
647
	/*
648
	 * Load certificates
649
	 */
650
	if ((dir = opendir(IKED_CERT_DIR)) == NULL)
651
		return (-1);
652
653
	while ((entry = readdir(dir)) != NULL) {
654
		if ((entry->d_type != DT_REG) &&
655
		    (entry->d_type != DT_LNK))
656
			continue;
657
658
		if (snprintf(file, sizeof(file), "%s%s",
659
		    IKED_CERT_DIR, entry->d_name) == -1)
660
			continue;
661
662
		if (!X509_load_cert_file(store->ca_certlookup, file,
663
		    X509_FILETYPE_PEM)) {
664
			log_warn("%s: failed to load cert file %s", __func__,
665
			    entry->d_name);
666
			ca_sslerror(__func__);
667
			continue;
668
		}
669
		log_debug("%s: loaded cert file %s", __func__, entry->d_name);
670
	}
671
	closedir(dir);
672
673
	h = store->ca_certs->objs;
674
	for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
675
		xo = sk_X509_OBJECT_value(h, i);
676
		if (xo->type != X509_LU_X509)
677
			continue;
678
679
		x509 = xo->data.x509;
680
681
		(void)ca_validate_cert(env, NULL, x509, 0);
682
	}
683
684
	if (!env->sc_certreqtype)
685
		env->sc_certreqtype = store->ca_pubkey.id_type;
686
687
	log_debug("%s: local cert type %s", __func__,
688
	    print_map(env->sc_certreqtype, ikev2_cert_map));
689
690
	iov[0].iov_base = &env->sc_certreqtype;
691
	iov[0].iov_len = sizeof(env->sc_certreqtype);
692
	if (iovcnt == 0)
693
		iovcnt++;
694
	(void)proc_composev(&env->sc_ps, PROC_IKEV2, IMSG_CERTREQ, iov, iovcnt);
695
696
	return (0);
697
}
698
699
X509 *
700
ca_by_subjectpubkey(X509_STORE *ctx, uint8_t *sig, size_t siglen)
701
{
702
	STACK_OF(X509_OBJECT)	*h;
703
	X509_OBJECT		*xo;
704
	X509			*ca;
705
	int			 i;
706
	unsigned int		 len;
707
	uint8_t			 md[EVP_MAX_MD_SIZE];
708
709
	h = ctx->objs;
710
711
	for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
712
		xo = sk_X509_OBJECT_value(h, i);
713
		if (xo->type != X509_LU_X509)
714
			continue;
715
716
		ca = xo->data.x509;
717
		len = sizeof(md);
718
		ca_subjectpubkey_digest(ca, md, &len);
719
720
		if (len == siglen && memcmp(md, sig, len) == 0)
721
			return (ca);
722
	}
723
724
	return (NULL);
725
}
726
727
X509 *
728
ca_by_issuer(X509_STORE *ctx, X509_NAME *subject, struct iked_static_id *id)
729
{
730
	STACK_OF(X509_OBJECT)	*h;
731
	X509_OBJECT		*xo;
732
	X509			*cert;
733
	int			 i;
734
	X509_NAME		*issuer;
735
736
	if (subject == NULL)
737
		return (NULL);
738
739
	h = ctx->objs;
740
	for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
741
		xo = sk_X509_OBJECT_value(h, i);
742
		if (xo->type != X509_LU_X509)
743
			continue;
744
745
		cert = xo->data.x509;
746
		if ((issuer = X509_get_issuer_name(cert)) == NULL)
747
			continue;
748
		else if (X509_NAME_cmp(subject, issuer) == 0) {
749
			switch (id->id_type) {
750
			case IKEV2_ID_ASN1_DN:
751
				if (ca_x509_subject_cmp(cert, id) == 0)
752
					return (cert);
753
				break;
754
			default:
755
				if (ca_x509_subjectaltname_cmp(cert, id) == 0)
756
					return (cert);
757
				break;
758
			}
759
		}
760
	}
761
762
	return (NULL);
763
}
764
765
int
766
ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
767
{
768
	uint8_t		*buf = NULL;
769
	int		 buflen;
770
771
	if (*size < SHA_DIGEST_LENGTH)
772
		return (-1);
773
774
	/*
775
	 * Generate a SHA-1 digest of the Subject Public Key Info
776
	 * element in the X.509 certificate, an ASN.1 sequence
777
	 * that includes the public key type (eg. RSA) and the
778
	 * public key value (see 3.7 of RFC4306).
779
	 */
780
	buflen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x509), &buf);
781
	if (!buflen)
782
		return (-1);
783
	if (!EVP_Digest(buf, buflen, md, size, EVP_sha1(), NULL)) {
784
		free(buf);
785
		return (-1);
786
	}
787
	free(buf);
788
789
	return (0);
790
}
791
792
struct ibuf *
793
ca_x509_serialize(X509 *x509)
794
{
795
	long		 len;
796
	struct ibuf	*buf;
797
	uint8_t		*d = NULL;
798
	BIO		*out;
799
800
	if ((out = BIO_new(BIO_s_mem())) == NULL)
801
		return (NULL);
802
	if (!i2d_X509_bio(out, x509)) {
803
		BIO_free(out);
804
		return (NULL);
805
	}
806
807
	len = BIO_get_mem_data(out, &d);
808
	buf = ibuf_new(d, len);
809
	BIO_free(out);
810
811
	return (buf);
812
}
813
814
int
815
ca_pubkey_serialize(EVP_PKEY *key, struct iked_id *id)
816
{
817
	RSA		*rsa = NULL;
818
	uint8_t		*d;
819
	int		 len = 0;
820
	int		 ret = -1;
821
822
	switch (key->type) {
823
	case EVP_PKEY_RSA:
824
		id->id_type = 0;
825
		id->id_offset = 0;
826
		ibuf_release(id->id_buf);
827
828
		if ((rsa = EVP_PKEY_get1_RSA(key)) == NULL)
829
			goto done;
830
		if ((len = i2d_RSAPublicKey(rsa, NULL)) <= 0)
831
			goto done;
832
		if ((id->id_buf = ibuf_new(NULL, len)) == NULL)
833
			goto done;
834
835
		d = ibuf_data(id->id_buf);
836
		if (i2d_RSAPublicKey(rsa, &d) != len) {
837
			ibuf_release(id->id_buf);
838
			goto done;
839
		}
840
841
		id->id_type = IKEV2_CERT_RSA_KEY;
842
		break;
843
	default:
844
		log_debug("%s: unsupported key type %d", __func__, key->type);
845
		return (-1);
846
	}
847
848
	log_debug("%s: type %s length %d", __func__,
849
	    print_map(id->id_type, ikev2_cert_map), len);
850
851
	ret = 0;
852
 done:
853
	if (rsa != NULL)
854
		RSA_free(rsa);
855
	return (ret);
856
}
857
858
int
859
ca_privkey_serialize(EVP_PKEY *key, struct iked_id *id)
860
{
861
	RSA		*rsa = NULL;
862
	uint8_t		*d;
863
	int		 len = 0;
864
	int		 ret = -1;
865
866
	switch (key->type) {
867
	case EVP_PKEY_RSA:
868
		id->id_type = 0;
869
		id->id_offset = 0;
870
		ibuf_release(id->id_buf);
871
872
		if ((rsa = EVP_PKEY_get1_RSA(key)) == NULL)
873
			goto done;
874
		if ((len = i2d_RSAPrivateKey(rsa, NULL)) <= 0)
875
			goto done;
876
		if ((id->id_buf = ibuf_new(NULL, len)) == NULL)
877
			goto done;
878
879
		d = ibuf_data(id->id_buf);
880
		if (i2d_RSAPrivateKey(rsa, &d) != len) {
881
			ibuf_release(id->id_buf);
882
			goto done;
883
		}
884
885
		id->id_type = IKEV2_CERT_RSA_KEY;
886
		break;
887
	default:
888
		log_debug("%s: unsupported key type %d", __func__, key->type);
889
		return (-1);
890
	}
891
892
	log_debug("%s: type %s length %d", __func__,
893
	    print_map(id->id_type, ikev2_cert_map), len);
894
895
	ret = 0;
896
 done:
897
	if (rsa != NULL)
898
		RSA_free(rsa);
899
	return (ret);
900
}
901
902
char *
903
ca_asn1_name(uint8_t *asn1, size_t len)
904
{
905
	X509_NAME	*name = NULL;
906
	char		*str = NULL;
907
	const uint8_t	*p;
908
909
	p = asn1;
910
	if ((name = d2i_X509_NAME(NULL, &p, len)) == NULL)
911
		return (NULL);
912
	str = ca_x509_name(name);
913
	X509_NAME_free(name);
914
915
	return (str);
916
}
917
918
char *
919
ca_x509_name(void *ptr)
920
{
921
	char		 buf[BUFSIZ];
922
	X509_NAME	*name = ptr;
923
924
	bzero(buf, sizeof(buf));
925
	if (!X509_NAME_oneline(name, buf, sizeof(buf) - 1))
926
		return (NULL);
927
928
	return (strdup(buf));
929
}
930
931
/*
932
 * Copy 'src' to 'dst' until 'marker' is found while unescaping '\'
933
 * characters. The return value tells the caller where to continue
934
 * parsing (might be the end of the string) or NULL on error.
935
 */
936
static char *
937
ca_x509_name_unescape(char *src, char *dst, char marker)
938
{
939
	while (*src) {
940
		if (*src == marker) {
941
			src++;
942
			break;
943
		}
944
		if (*src == '\\') {
945
			src++;
946
			if (!*src) {
947
				log_warnx("%s: '\\' at end of string",
948
				    __func__);
949
				*dst = '\0';
950
				return (NULL);
951
			}
952
		}
953
		*dst++ = *src++;
954
	}
955
	*dst = '\0';
956
	return (src);
957
}
958
/*
959
 * Parse an X509 subject name where 'subject' is in the format
960
 *    /type0=value0/type1=value1/type2=...
961
 * where characters may be escaped by '\'.
962
 * See lib/libssl/src/apps/apps.c:parse_name()
963
 */
964
void *
965
ca_x509_name_parse(char *subject)
966
{
967
	char		*cp, *value = NULL, *type = NULL;
968
	size_t		 maxlen;
969
	X509_NAME	*name = NULL;
970
971
	if (*subject != '/') {
972
		log_warnx("%s: leading '/' missing in '%s'", __func__, subject);
973
		goto err;
974
	}
975
976
	/* length of subject is upper bound for unescaped type/value */
977
	maxlen = strlen(subject) + 1;
978
979
	if ((type = calloc(1, maxlen)) == NULL ||
980
	    (value = calloc(1, maxlen)) == NULL ||
981
	    (name = X509_NAME_new()) == NULL)
982
		goto err;
983
984
	cp = subject + 1;
985
	while (*cp) {
986
		/* unescape type, terminated by '=' */
987
		cp = ca_x509_name_unescape(cp, type, '=');
988
		if (cp == NULL) {
989
			log_warnx("%s: could not parse type", __func__);
990
			goto err;
991
		}
992
		if (!*cp) {
993
			log_warnx("%s: missing value", __func__);
994
			goto err;
995
		}
996
		/* unescape value, terminated by '/' */
997
		cp = ca_x509_name_unescape(cp, value, '/');
998
		if (cp == NULL) {
999
			log_warnx("%s: could not parse value", __func__);
1000
			goto err;
1001
		}
1002
		if (!*type || !*value) {
1003
			log_warnx("%s: empty type or value", __func__);
1004
			goto err;
1005
		}
1006
		log_debug("%s: setting '%s' to '%s'", __func__, type, value);
1007
		if (!X509_NAME_add_entry_by_txt(name, type, MBSTRING_ASC,
1008
		    value, -1, -1, 0)) {
1009
			log_warnx("%s: setting '%s' to '%s' failed", __func__,
1010
			    type, value);
1011
			ca_sslerror(__func__);
1012
			goto err;
1013
		}
1014
	}
1015
	free(type);
1016
	free(value);
1017
	return (name);
1018
1019
err:
1020
	X509_NAME_free(name);
1021
	free(type);
1022
	free(value);
1023
	return (NULL);
1024
}
1025
1026
int
1027
ca_validate_pubkey(struct iked *env, struct iked_static_id *id,
1028
    void *data, size_t len)
1029
{
1030
	BIO		*rawcert = NULL;
1031
	RSA		*peerrsa = NULL, *localrsa = NULL;
1032
	EVP_PKEY	*peerkey = NULL, *localkey = NULL;
1033
	int		 ret = -1;
1034
	FILE		*fp = NULL;
1035
	char		 idstr[IKED_ID_SIZE];
1036
	char		 file[PATH_MAX];
1037
	struct iked_id	 idp;
1038
1039
	if (len == 0 && data == NULL)
1040
		return (-1);
1041
1042
	switch (id->id_type) {
1043
	case IKEV2_ID_IPV4:
1044
	case IKEV2_ID_FQDN:
1045
	case IKEV2_ID_UFQDN:
1046
	case IKEV2_ID_IPV6:
1047
		break;
1048
	default:
1049
		/* Some types like ASN1_DN will not be mapped to file names */
1050
		return (-1);
1051
	}
1052
1053
	bzero(&idp, sizeof(idp));
1054
	if ((idp.id_buf = ibuf_new(id->id_data, id->id_length)) == NULL)
1055
		goto done;
1056
1057
	idp.id_type = id->id_type;
1058
	idp.id_offset = id->id_offset;
1059
	if (ikev2_print_id(&idp, idstr, sizeof(idstr)) == -1)
1060
		goto done;
1061
1062
	if (len == 0) {
1063
		/* Data is already an public key */
1064
		peerkey = (EVP_PKEY *)data;
1065
	} else {
1066
		if ((rawcert = BIO_new_mem_buf(data, len)) == NULL)
1067
			goto done;
1068
1069
		if ((peerrsa = d2i_RSAPublicKey_bio(rawcert, NULL)) == NULL)
1070
			goto sslerr;
1071
		if ((peerkey = EVP_PKEY_new()) == NULL)
1072
			goto sslerr;
1073
		if (!EVP_PKEY_set1_RSA(peerkey, peerrsa))
1074
			goto sslerr;
1075
	}
1076
1077
	lc_string(idstr);
1078
	if (strlcpy(file, IKED_PUBKEY_DIR, sizeof(file)) >= sizeof(file) ||
1079
	    strlcat(file, idstr, sizeof(file)) >= sizeof(file))
1080
		goto done;
1081
1082
	if ((fp = fopen(file, "r")) == NULL)
1083
		goto done;
1084
	localkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
1085
	if (localkey == NULL) {
1086
		/* reading PKCS #8 failed, try PEM */
1087
		rewind(fp);
1088
		localrsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL);
1089
		fclose(fp);
1090
		if (localrsa == NULL)
1091
			goto sslerr;
1092
		if ((localkey = EVP_PKEY_new()) == NULL)
1093
			goto sslerr;
1094
		if (!EVP_PKEY_set1_RSA(localkey, localrsa))
1095
			goto sslerr;
1096
	} else {
1097
		fclose(fp);
1098
	}
1099
	if (localkey == NULL)
1100
		goto sslerr;
1101
1102
	if (!EVP_PKEY_cmp(peerkey, localkey))
1103
		goto done;
1104
1105
	log_debug("%s: valid public key in file %s", __func__, file);
1106
1107
	ret = 0;
1108
 sslerr:
1109
	if (ret != 0)
1110
		ca_sslerror(__func__);
1111
 done:
1112
	ibuf_release(idp.id_buf);
1113
	if (peerkey != NULL)
1114
		EVP_PKEY_free(peerkey);
1115
	if (localkey != NULL)
1116
		EVP_PKEY_free(localkey);
1117
	if (peerrsa != NULL)
1118
		RSA_free(peerrsa);
1119
	if (localrsa != NULL)
1120
		RSA_free(localrsa);
1121
	if (rawcert != NULL)
1122
		BIO_free(rawcert);
1123
1124
	return (ret);
1125
}
1126
1127
int
1128
ca_validate_cert(struct iked *env, struct iked_static_id *id,
1129
    void *data, size_t len)
1130
{
1131
	struct ca_store	*store = env->sc_priv;
1132
	X509_STORE_CTX	 csc;
1133
	BIO		*rawcert = NULL;
1134
	X509		*cert = NULL;
1135
	int		 ret = -1, result, error;
1136
	X509_NAME	*subject;
1137
	const char	*errstr = "failed";
1138
1139
	if (len == 0) {
1140
		/* Data is already an X509 certificate */
1141
		cert = (X509 *)data;
1142
	} else {
1143
		/* Convert data to X509 certificate */
1144
		if ((rawcert = BIO_new_mem_buf(data, len)) == NULL)
1145
			goto done;
1146
		if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL)
1147
			goto done;
1148
	}
1149
1150
	/* Certificate needs a valid subjectName */
1151
	if ((subject = X509_get_subject_name(cert)) == NULL) {
1152
		errstr = "invalid subject";
1153
		goto done;
1154
	}
1155
1156
	if (id != NULL) {
1157
		if ((ret = ca_validate_pubkey(env, id, X509_get_pubkey(cert),
1158
		    0)) == 0) {
1159
			errstr = "in public key file, ok";
1160
			goto done;
1161
		}
1162
1163
		switch (id->id_type) {
1164
		case IKEV2_ID_ASN1_DN:
1165
			if (ca_x509_subject_cmp(cert, id) < 0) {
1166
				errstr = "ASN1_DN identifier mismatch";
1167
				goto done;
1168
			}
1169
			break;
1170
		default:
1171
			if (ca_x509_subjectaltname_cmp(cert, id) != 0) {
1172
				errstr = "invalid subjectAltName extension";
1173
				goto done;
1174
			}
1175
			break;
1176
		}
1177
	}
1178
1179
	bzero(&csc, sizeof(csc));
1180
	X509_STORE_CTX_init(&csc, store->ca_cas, cert, NULL);
1181
	if (store->ca_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
1182
		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
1183
		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
1184
	}
1185
1186
	result = X509_verify_cert(&csc);
1187
	error = csc.error;
1188
	X509_STORE_CTX_cleanup(&csc);
1189
	if (error != 0) {
1190
		errstr = X509_verify_cert_error_string(error);
1191
		goto done;
1192
	}
1193
1194
	if (!result) {
1195
		/* XXX should we accept self-signed certificates? */
1196
		errstr = "rejecting self-signed certificate";
1197
		goto done;
1198
	}
1199
1200
	/* Success */
1201
	ret = 0;
1202
	errstr = "ok";
1203
1204
 done:
1205
	if (cert != NULL)
1206
		log_debug("%s: %s %.100s", __func__, cert->name, errstr);
1207
1208
	if (rawcert != NULL) {
1209
		BIO_free(rawcert);
1210
		if (cert != NULL)
1211
			X509_free(cert);
1212
	}
1213
1214
	return (ret);
1215
}
1216
1217
/* check if subject from cert matches the id */
1218
int
1219
ca_x509_subject_cmp(X509 *cert, struct iked_static_id *id)
1220
{
1221
	X509_NAME	*subject, *idname = NULL;
1222
	const uint8_t	*idptr;
1223
	size_t		 idlen;
1224
	int		 ret = -1;
1225
1226
	if (id->id_type != IKEV2_ID_ASN1_DN)
1227
		return (-1);
1228
	if ((subject = X509_get_subject_name(cert)) == NULL)
1229
		return (-1);
1230
	if (id->id_length <= id->id_offset)
1231
		return (-1);
1232
	idlen = id->id_length - id->id_offset;
1233
	idptr = id->id_data + id->id_offset;
1234
	if ((idname = d2i_X509_NAME(NULL, &idptr, idlen)) == NULL)
1235
		return (-1);
1236
	if (X509_NAME_cmp(subject, idname) == 0)
1237
		ret = 0;
1238
	X509_NAME_free(idname);
1239
	return (ret);
1240
}
1241
1242
int
1243
ca_x509_subjectaltname_cmp(X509 *cert, struct iked_static_id *id)
1244
{
1245
	struct iked_id	 sanid;
1246
	char		 idstr[IKED_ID_SIZE];
1247
	int		 ret = -1;
1248
1249
	bzero(&sanid, sizeof(sanid));
1250
1251
	if (ca_x509_subjectaltname(cert, &sanid) != 0)
1252
		return (-1);
1253
1254
	ikev2_print_id(&sanid, idstr, sizeof(idstr));
1255
1256
	/* Compare id types, length and data */
1257
	if ((id->id_type != sanid.id_type) ||
1258
	    ((ssize_t)ibuf_size(sanid.id_buf) !=
1259
	    (id->id_length - id->id_offset)) ||
1260
	    (memcmp(id->id_data + id->id_offset,
1261
	    ibuf_data(sanid.id_buf),
1262
	    ibuf_size(sanid.id_buf)) != 0)) {
1263
		log_debug("%s: %s mismatched", __func__, idstr);
1264
		goto done;
1265
	}
1266
1267
	ret = 0;
1268
 done:
1269
	ibuf_release(sanid.id_buf);
1270
	return (ret);
1271
}
1272
1273
int
1274
ca_x509_subjectaltname(X509 *cert, struct iked_id *id)
1275
{
1276
	X509_EXTENSION	*san;
1277
	uint8_t		 sanhdr[4], *data;
1278
	int		 ext, santype, sanlen;
1279
	char		 idstr[IKED_ID_SIZE];
1280
1281
	if ((ext = X509_get_ext_by_NID(cert,
1282
	    NID_subject_alt_name, -1)) == -1 ||
1283
	    ((san = X509_get_ext(cert, ext)) == NULL)) {
1284
		log_debug("%s: did not find subjectAltName in certificate",
1285
		    __func__);
1286
		return (-1);
1287
	}
1288
1289
	if (san->value == NULL || san->value->data == NULL ||
1290
	    san->value->length < (int)sizeof(sanhdr)) {
1291
		log_debug("%s: invalid subjectAltName in certificate",
1292
		    __func__);
1293
		return (-1);
1294
	}
1295
1296
	/* This is partially based on isakmpd's x509 subjectaltname code */
1297
	data = (uint8_t *)san->value->data;
1298
	memcpy(&sanhdr, data, sizeof(sanhdr));
1299
	santype = sanhdr[2] & 0x3f;
1300
	sanlen = sanhdr[3];
1301
1302
	if ((sanlen + (int)sizeof(sanhdr)) > san->value->length) {
1303
		log_debug("%s: invalid subjectAltName length", __func__);
1304
		return (-1);
1305
	}
1306
1307
	switch (santype) {
1308
	case GEN_DNS:
1309
		id->id_type = IKEV2_ID_FQDN;
1310
		break;
1311
	case GEN_EMAIL:
1312
		id->id_type = IKEV2_ID_UFQDN;
1313
		break;
1314
	case GEN_IPADD:
1315
		if (sanlen == 4)
1316
			id->id_type = IKEV2_ID_IPV4;
1317
		else if (sanlen == 16)
1318
			id->id_type = IKEV2_ID_IPV6;
1319
		else {
1320
			log_debug("%s: invalid subjectAltName IP address",
1321
			    __func__);
1322
			return (-1);
1323
		}
1324
		break;
1325
	default:
1326
		log_debug("%s: unsupported subjectAltName type %d",
1327
		    __func__, santype);
1328
		return (-1);
1329
	}
1330
1331
	ibuf_release(id->id_buf);
1332
	if ((id->id_buf = ibuf_new(data + sizeof(sanhdr), sanlen)) == NULL) {
1333
		log_debug("%s: failed to get id buffer", __func__);
1334
		return (-1);
1335
	}
1336
	id->id_offset = 0;
1337
1338
	ikev2_print_id(id, idstr, sizeof(idstr));
1339
	log_debug("%s: %s", __func__, idstr);
1340
1341
	return (0);
1342
}
1343
1344
void
1345
ca_sslinit(void)
1346
{
1347
	OpenSSL_add_all_algorithms();
1348
	ERR_load_crypto_strings();
1349
1350
	/* Init hardware crypto engines. */
1351
	ENGINE_load_builtin_engines();
1352
	ENGINE_register_all_complete();
1353
}
1354
1355
void
1356
ca_sslerror(const char *caller)
1357
{
1358
	unsigned long	 error;
1359
1360
	while ((error = ERR_get_error()) != 0)
1361
		log_warn("%s: %s: %.100s", __func__, caller,
1362
		    ERR_error_string(error, NULL));
1363
}