1 |
|
|
/* $OpenBSD: crypto.c,v 1.19 2015/10/31 19:28:19 naddy Exp $ */ |
2 |
|
|
|
3 |
|
|
/* |
4 |
|
|
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> |
5 |
|
|
* |
6 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
7 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
8 |
|
|
* copyright notice and this permission notice appear in all copies. |
9 |
|
|
* |
10 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 |
|
|
*/ |
18 |
|
|
|
19 |
|
|
#include <sys/param.h> /* roundup */ |
20 |
|
|
#include <sys/queue.h> |
21 |
|
|
#include <sys/socket.h> |
22 |
|
|
#include <sys/uio.h> |
23 |
|
|
|
24 |
|
|
#include <stdio.h> |
25 |
|
|
#include <stdlib.h> |
26 |
|
|
#include <unistd.h> |
27 |
|
|
#include <string.h> |
28 |
|
|
#include <errno.h> |
29 |
|
|
#include <fcntl.h> |
30 |
|
|
#include <event.h> |
31 |
|
|
|
32 |
|
|
#include <openssl/hmac.h> |
33 |
|
|
#include <openssl/evp.h> |
34 |
|
|
#include <openssl/sha.h> |
35 |
|
|
#include <openssl/md5.h> |
36 |
|
|
#include <openssl/x509.h> |
37 |
|
|
#include <openssl/rsa.h> |
38 |
|
|
|
39 |
|
|
#include "iked.h" |
40 |
|
|
#include "ikev2.h" |
41 |
|
|
|
42 |
|
|
/* RFC 7427, A.1 */ |
43 |
|
|
static const uint8_t sha256WithRSAEncryption[] = { |
44 |
|
|
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, |
45 |
|
|
0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 |
46 |
|
|
}; |
47 |
|
|
static const uint8_t sha384WithRSAEncryption[] = { |
48 |
|
|
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, |
49 |
|
|
0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 |
50 |
|
|
}; |
51 |
|
|
static const uint8_t sha512WithRSAEncryption[] = { |
52 |
|
|
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, |
53 |
|
|
0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 |
54 |
|
|
}; |
55 |
|
|
|
56 |
|
|
struct { |
57 |
|
|
uint8_t sc_len; |
58 |
|
|
const uint8_t *sc_oid; |
59 |
|
|
const EVP_MD *(*sc_md)(void); |
60 |
|
|
} schemes[] = { |
61 |
|
|
{ sizeof(sha256WithRSAEncryption), |
62 |
|
|
sha256WithRSAEncryption, EVP_sha256 }, |
63 |
|
|
{ sizeof(sha384WithRSAEncryption), |
64 |
|
|
sha384WithRSAEncryption, EVP_sha384 }, |
65 |
|
|
{ sizeof(sha512WithRSAEncryption), |
66 |
|
|
sha512WithRSAEncryption, EVP_sha512 }, |
67 |
|
|
}; |
68 |
|
|
|
69 |
|
|
int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); |
70 |
|
|
size_t _dsa_verify_offset(struct iked_dsa *, uint8_t *); |
71 |
|
|
int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t *); |
72 |
|
|
|
73 |
|
|
struct iked_hash * |
74 |
|
|
hash_new(uint8_t type, uint16_t id) |
75 |
|
|
{ |
76 |
|
|
struct iked_hash *hash; |
77 |
|
|
const EVP_MD *md = NULL; |
78 |
|
|
HMAC_CTX *ctx = NULL; |
79 |
|
|
int length = 0, fixedkey = 0, trunc = 0; |
80 |
|
|
|
81 |
|
|
switch (type) { |
82 |
|
|
case IKEV2_XFORMTYPE_PRF: |
83 |
|
|
switch (id) { |
84 |
|
|
case IKEV2_XFORMPRF_HMAC_MD5: |
85 |
|
|
md = EVP_md5(); |
86 |
|
|
length = MD5_DIGEST_LENGTH; |
87 |
|
|
break; |
88 |
|
|
case IKEV2_XFORMPRF_HMAC_SHA1: |
89 |
|
|
md = EVP_sha1(); |
90 |
|
|
length = SHA_DIGEST_LENGTH; |
91 |
|
|
break; |
92 |
|
|
case IKEV2_XFORMPRF_HMAC_SHA2_256: |
93 |
|
|
md = EVP_sha256(); |
94 |
|
|
length = SHA256_DIGEST_LENGTH; |
95 |
|
|
break; |
96 |
|
|
case IKEV2_XFORMPRF_HMAC_SHA2_384: |
97 |
|
|
md = EVP_sha384(); |
98 |
|
|
length = SHA384_DIGEST_LENGTH; |
99 |
|
|
break; |
100 |
|
|
case IKEV2_XFORMPRF_HMAC_SHA2_512: |
101 |
|
|
md = EVP_sha512(); |
102 |
|
|
length = SHA512_DIGEST_LENGTH; |
103 |
|
|
break; |
104 |
|
|
case IKEV2_XFORMPRF_AES128_XCBC: |
105 |
|
|
fixedkey = 128 / 8; |
106 |
|
|
length = fixedkey; |
107 |
|
|
/* FALLTHROUGH */ |
108 |
|
|
case IKEV2_XFORMPRF_HMAC_TIGER: |
109 |
|
|
case IKEV2_XFORMPRF_AES128_CMAC: |
110 |
|
|
default: |
111 |
|
|
log_debug("%s: prf %s not supported", __func__, |
112 |
|
|
print_map(id, ikev2_xformprf_map)); |
113 |
|
|
break; |
114 |
|
|
} |
115 |
|
|
break; |
116 |
|
|
case IKEV2_XFORMTYPE_INTEGR: |
117 |
|
|
switch (id) { |
118 |
|
|
case IKEV2_XFORMAUTH_HMAC_MD5_96: |
119 |
|
|
md = EVP_md5(); |
120 |
|
|
length = MD5_DIGEST_LENGTH; |
121 |
|
|
trunc = 12; |
122 |
|
|
break; |
123 |
|
|
case IKEV2_XFORMAUTH_HMAC_SHA1_96: |
124 |
|
|
md = EVP_sha1(); |
125 |
|
|
length = SHA_DIGEST_LENGTH; |
126 |
|
|
trunc = 12; |
127 |
|
|
break; |
128 |
|
|
case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: |
129 |
|
|
md = EVP_sha256(); |
130 |
|
|
length = SHA256_DIGEST_LENGTH; |
131 |
|
|
trunc = 16; |
132 |
|
|
break; |
133 |
|
|
case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: |
134 |
|
|
md = EVP_sha384(); |
135 |
|
|
length = SHA384_DIGEST_LENGTH; |
136 |
|
|
trunc = 24; |
137 |
|
|
break; |
138 |
|
|
case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: |
139 |
|
|
md = EVP_sha512(); |
140 |
|
|
length = SHA512_DIGEST_LENGTH; |
141 |
|
|
trunc = 32; |
142 |
|
|
break; |
143 |
|
|
case IKEV2_XFORMAUTH_NONE: |
144 |
|
|
case IKEV2_XFORMAUTH_DES_MAC: |
145 |
|
|
case IKEV2_XFORMAUTH_KPDK_MD5: |
146 |
|
|
case IKEV2_XFORMAUTH_AES_XCBC_96: |
147 |
|
|
case IKEV2_XFORMAUTH_HMAC_MD5_128: |
148 |
|
|
case IKEV2_XFORMAUTH_HMAC_SHA1_160: |
149 |
|
|
case IKEV2_XFORMAUTH_AES_CMAC_96: |
150 |
|
|
case IKEV2_XFORMAUTH_AES_128_GMAC: |
151 |
|
|
case IKEV2_XFORMAUTH_AES_192_GMAC: |
152 |
|
|
case IKEV2_XFORMAUTH_AES_256_GMAC: |
153 |
|
|
default: |
154 |
|
|
log_debug("%s: auth %s not supported", __func__, |
155 |
|
|
print_map(id, ikev2_xformauth_map)); |
156 |
|
|
break; |
157 |
|
|
} |
158 |
|
|
break; |
159 |
|
|
default: |
160 |
|
|
log_debug("%s: hash type %s not supported", __func__, |
161 |
|
|
print_map(id, ikev2_xformtype_map)); |
162 |
|
|
break; |
163 |
|
|
} |
164 |
|
|
if (md == NULL) |
165 |
|
|
return (NULL); |
166 |
|
|
|
167 |
|
|
if ((hash = calloc(1, sizeof(*hash))) == NULL) { |
168 |
|
|
log_debug("%s: alloc hash", __func__); |
169 |
|
|
return (NULL); |
170 |
|
|
} |
171 |
|
|
|
172 |
|
|
hash->hash_type = type; |
173 |
|
|
hash->hash_id = id; |
174 |
|
|
hash->hash_priv = md; |
175 |
|
|
hash->hash_ctx = NULL; |
176 |
|
|
hash->hash_trunc = trunc; |
177 |
|
|
hash->hash_length = length; |
178 |
|
|
hash->hash_fixedkey = fixedkey; |
179 |
|
|
|
180 |
|
|
if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { |
181 |
|
|
log_debug("%s: alloc hash ctx", __func__); |
182 |
|
|
hash_free(hash); |
183 |
|
|
return (NULL); |
184 |
|
|
} |
185 |
|
|
|
186 |
|
|
HMAC_CTX_init(ctx); |
187 |
|
|
hash->hash_ctx = ctx; |
188 |
|
|
|
189 |
|
|
return (hash); |
190 |
|
|
} |
191 |
|
|
|
192 |
|
|
struct ibuf * |
193 |
|
|
hash_setkey(struct iked_hash *hash, void *key, size_t keylen) |
194 |
|
|
{ |
195 |
|
|
ibuf_release(hash->hash_key); |
196 |
|
|
if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { |
197 |
|
|
log_debug("%s: alloc hash key", __func__); |
198 |
|
|
return (NULL); |
199 |
|
|
} |
200 |
|
|
return (hash->hash_key); |
201 |
|
|
} |
202 |
|
|
|
203 |
|
|
void |
204 |
|
|
hash_free(struct iked_hash *hash) |
205 |
|
|
{ |
206 |
|
|
if (hash == NULL) |
207 |
|
|
return; |
208 |
|
|
if (hash->hash_ctx != NULL) { |
209 |
|
|
HMAC_CTX_cleanup(hash->hash_ctx); |
210 |
|
|
free(hash->hash_ctx); |
211 |
|
|
} |
212 |
|
|
ibuf_release(hash->hash_key); |
213 |
|
|
free(hash); |
214 |
|
|
} |
215 |
|
|
|
216 |
|
|
void |
217 |
|
|
hash_init(struct iked_hash *hash) |
218 |
|
|
{ |
219 |
|
|
HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, |
220 |
|
|
ibuf_length(hash->hash_key), hash->hash_priv, NULL); |
221 |
|
|
} |
222 |
|
|
|
223 |
|
|
void |
224 |
|
|
hash_update(struct iked_hash *hash, void *buf, size_t len) |
225 |
|
|
{ |
226 |
|
|
HMAC_Update(hash->hash_ctx, buf, len); |
227 |
|
|
} |
228 |
|
|
|
229 |
|
|
void |
230 |
|
|
hash_final(struct iked_hash *hash, void *buf, size_t *len) |
231 |
|
|
{ |
232 |
|
|
unsigned int length = 0; |
233 |
|
|
|
234 |
|
|
HMAC_Final(hash->hash_ctx, buf, &length); |
235 |
|
|
*len = (size_t)length; |
236 |
|
|
|
237 |
|
|
/* Truncate the result if required by the alg */ |
238 |
|
|
if (hash->hash_trunc && *len > hash->hash_trunc) |
239 |
|
|
*len = hash->hash_trunc; |
240 |
|
|
} |
241 |
|
|
|
242 |
|
|
size_t |
243 |
|
|
hash_length(struct iked_hash *hash) |
244 |
|
|
{ |
245 |
|
|
if (hash->hash_trunc) |
246 |
|
|
return (hash->hash_trunc); |
247 |
|
|
return (hash->hash_length); |
248 |
|
|
} |
249 |
|
|
|
250 |
|
|
size_t |
251 |
|
|
hash_keylength(struct iked_hash *hash) |
252 |
|
|
{ |
253 |
|
|
return (hash->hash_length); |
254 |
|
|
} |
255 |
|
|
|
256 |
|
|
struct iked_cipher * |
257 |
|
|
cipher_new(uint8_t type, uint16_t id, uint16_t id_length) |
258 |
|
|
{ |
259 |
|
|
struct iked_cipher *encr; |
260 |
|
|
const EVP_CIPHER *cipher = NULL; |
261 |
|
|
EVP_CIPHER_CTX *ctx = NULL; |
262 |
|
|
int length = 0, fixedkey = 0, ivlength = 0; |
263 |
|
|
|
264 |
|
|
switch (type) { |
265 |
|
|
case IKEV2_XFORMTYPE_ENCR: |
266 |
|
|
switch (id) { |
267 |
|
|
case IKEV2_XFORMENCR_3DES: |
268 |
|
|
cipher = EVP_des_ede3_cbc(); |
269 |
|
|
length = EVP_CIPHER_block_size(cipher); |
270 |
|
|
fixedkey = EVP_CIPHER_key_length(cipher); |
271 |
|
|
ivlength = EVP_CIPHER_iv_length(cipher); |
272 |
|
|
break; |
273 |
|
|
case IKEV2_XFORMENCR_AES_CBC: |
274 |
|
|
switch (id_length) { |
275 |
|
|
case 128: |
276 |
|
|
cipher = EVP_aes_128_cbc(); |
277 |
|
|
break; |
278 |
|
|
case 192: |
279 |
|
|
cipher = EVP_aes_192_cbc(); |
280 |
|
|
break; |
281 |
|
|
case 256: |
282 |
|
|
cipher = EVP_aes_256_cbc(); |
283 |
|
|
break; |
284 |
|
|
default: |
285 |
|
|
log_debug("%s: invalid key length %d" |
286 |
|
|
" for cipher %s", __func__, id_length, |
287 |
|
|
print_map(id, ikev2_xformencr_map)); |
288 |
|
|
break; |
289 |
|
|
} |
290 |
|
|
if (cipher == NULL) |
291 |
|
|
break; |
292 |
|
|
length = EVP_CIPHER_block_size(cipher); |
293 |
|
|
ivlength = EVP_CIPHER_iv_length(cipher); |
294 |
|
|
fixedkey = EVP_CIPHER_key_length(cipher); |
295 |
|
|
break; |
296 |
|
|
case IKEV2_XFORMENCR_DES_IV64: |
297 |
|
|
case IKEV2_XFORMENCR_DES: |
298 |
|
|
case IKEV2_XFORMENCR_RC5: |
299 |
|
|
case IKEV2_XFORMENCR_IDEA: |
300 |
|
|
case IKEV2_XFORMENCR_CAST: |
301 |
|
|
case IKEV2_XFORMENCR_BLOWFISH: |
302 |
|
|
case IKEV2_XFORMENCR_3IDEA: |
303 |
|
|
case IKEV2_XFORMENCR_DES_IV32: |
304 |
|
|
case IKEV2_XFORMENCR_NULL: |
305 |
|
|
case IKEV2_XFORMENCR_AES_CTR: |
306 |
|
|
/* FALLTHROUGH */ |
307 |
|
|
default: |
308 |
|
|
log_debug("%s: cipher %s not supported", __func__, |
309 |
|
|
print_map(id, ikev2_xformencr_map)); |
310 |
|
|
cipher = NULL; |
311 |
|
|
break; |
312 |
|
|
} |
313 |
|
|
break; |
314 |
|
|
default: |
315 |
|
|
log_debug("%s: cipher type %s not supported", __func__, |
316 |
|
|
print_map(id, ikev2_xformtype_map)); |
317 |
|
|
break; |
318 |
|
|
} |
319 |
|
|
if (cipher == NULL) |
320 |
|
|
return (NULL); |
321 |
|
|
|
322 |
|
|
if ((encr = calloc(1, sizeof(*encr))) == NULL) { |
323 |
|
|
log_debug("%s: alloc cipher", __func__); |
324 |
|
|
return (NULL); |
325 |
|
|
} |
326 |
|
|
|
327 |
|
|
encr->encr_id = id; |
328 |
|
|
encr->encr_priv = cipher; |
329 |
|
|
encr->encr_ctx = NULL; |
330 |
|
|
encr->encr_length = length; |
331 |
|
|
encr->encr_fixedkey = fixedkey; |
332 |
|
|
encr->encr_ivlength = ivlength ? ivlength : length; |
333 |
|
|
|
334 |
|
|
if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { |
335 |
|
|
log_debug("%s: alloc cipher ctx", __func__); |
336 |
|
|
cipher_free(encr); |
337 |
|
|
return (NULL); |
338 |
|
|
} |
339 |
|
|
|
340 |
|
|
EVP_CIPHER_CTX_init(ctx); |
341 |
|
|
encr->encr_ctx = ctx; |
342 |
|
|
|
343 |
|
|
return (encr); |
344 |
|
|
} |
345 |
|
|
|
346 |
|
|
struct ibuf * |
347 |
|
|
cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) |
348 |
|
|
{ |
349 |
|
|
ibuf_release(encr->encr_key); |
350 |
|
|
if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { |
351 |
|
|
log_debug("%s: alloc cipher key", __func__); |
352 |
|
|
return (NULL); |
353 |
|
|
} |
354 |
|
|
return (encr->encr_key); |
355 |
|
|
} |
356 |
|
|
|
357 |
|
|
struct ibuf * |
358 |
|
|
cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) |
359 |
|
|
{ |
360 |
|
|
ibuf_release(encr->encr_iv); |
361 |
|
|
if (iv != NULL) { |
362 |
|
|
if (len < encr->encr_ivlength) { |
363 |
|
|
log_debug("%s: invalid IV length %zu", __func__, len); |
364 |
|
|
return (NULL); |
365 |
|
|
} |
366 |
|
|
encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); |
367 |
|
|
} else { |
368 |
|
|
/* Get new random IV */ |
369 |
|
|
encr->encr_iv = ibuf_random(encr->encr_ivlength); |
370 |
|
|
} |
371 |
|
|
if (encr->encr_iv == NULL) { |
372 |
|
|
log_debug("%s: failed to set IV", __func__); |
373 |
|
|
return (NULL); |
374 |
|
|
} |
375 |
|
|
return (encr->encr_iv); |
376 |
|
|
} |
377 |
|
|
|
378 |
|
|
void |
379 |
|
|
cipher_free(struct iked_cipher *encr) |
380 |
|
|
{ |
381 |
|
|
if (encr == NULL) |
382 |
|
|
return; |
383 |
|
|
if (encr->encr_ctx != NULL) { |
384 |
|
|
EVP_CIPHER_CTX_cleanup(encr->encr_ctx); |
385 |
|
|
free(encr->encr_ctx); |
386 |
|
|
} |
387 |
|
|
ibuf_release(encr->encr_key); |
388 |
|
|
free(encr); |
389 |
|
|
} |
390 |
|
|
|
391 |
|
|
void |
392 |
|
|
cipher_init(struct iked_cipher *encr, int enc) |
393 |
|
|
{ |
394 |
|
|
EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, |
395 |
|
|
ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc); |
396 |
|
|
EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); |
397 |
|
|
} |
398 |
|
|
|
399 |
|
|
void |
400 |
|
|
cipher_init_encrypt(struct iked_cipher *encr) |
401 |
|
|
{ |
402 |
|
|
cipher_init(encr, 1); |
403 |
|
|
} |
404 |
|
|
|
405 |
|
|
void |
406 |
|
|
cipher_init_decrypt(struct iked_cipher *encr) |
407 |
|
|
{ |
408 |
|
|
cipher_init(encr, 0); |
409 |
|
|
} |
410 |
|
|
|
411 |
|
|
void |
412 |
|
|
cipher_update(struct iked_cipher *encr, void *in, size_t inlen, |
413 |
|
|
void *out, size_t *outlen) |
414 |
|
|
{ |
415 |
|
|
int olen; |
416 |
|
|
|
417 |
|
|
olen = 0; |
418 |
|
|
if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) { |
419 |
|
|
ca_sslerror(__func__); |
420 |
|
|
*outlen = 0; |
421 |
|
|
return; |
422 |
|
|
} |
423 |
|
|
*outlen = (size_t)olen; |
424 |
|
|
} |
425 |
|
|
|
426 |
|
|
void |
427 |
|
|
cipher_final(struct iked_cipher *encr, void *out, size_t *outlen) |
428 |
|
|
{ |
429 |
|
|
int olen; |
430 |
|
|
|
431 |
|
|
olen = 0; |
432 |
|
|
if (!EVP_CipherFinal_ex(encr->encr_ctx, out, &olen)) { |
433 |
|
|
ca_sslerror(__func__); |
434 |
|
|
*outlen = 0; |
435 |
|
|
return; |
436 |
|
|
} |
437 |
|
|
*outlen = (size_t)olen; |
438 |
|
|
} |
439 |
|
|
|
440 |
|
|
size_t |
441 |
|
|
cipher_length(struct iked_cipher *encr) |
442 |
|
|
{ |
443 |
|
|
return (encr->encr_length); |
444 |
|
|
} |
445 |
|
|
|
446 |
|
|
size_t |
447 |
|
|
cipher_keylength(struct iked_cipher *encr) |
448 |
|
|
{ |
449 |
|
|
if (encr->encr_fixedkey) |
450 |
|
|
return (encr->encr_fixedkey); |
451 |
|
|
|
452 |
|
|
/* Might return zero */ |
453 |
|
|
return (ibuf_length(encr->encr_key)); |
454 |
|
|
} |
455 |
|
|
|
456 |
|
|
size_t |
457 |
|
|
cipher_ivlength(struct iked_cipher *encr) |
458 |
|
|
{ |
459 |
|
|
return (encr->encr_ivlength); |
460 |
|
|
} |
461 |
|
|
|
462 |
|
|
size_t |
463 |
|
|
cipher_outlength(struct iked_cipher *encr, size_t inlen) |
464 |
|
|
{ |
465 |
|
|
return (roundup(inlen, encr->encr_length)); |
466 |
|
|
} |
467 |
|
|
|
468 |
|
|
struct iked_dsa * |
469 |
|
|
dsa_new(uint16_t id, struct iked_hash *prf, int sign) |
470 |
|
|
{ |
471 |
|
|
struct iked_dsa *dsap = NULL, dsa; |
472 |
|
|
|
473 |
|
|
bzero(&dsa, sizeof(dsa)); |
474 |
|
|
|
475 |
|
|
switch (id) { |
476 |
|
|
case IKEV2_AUTH_SIG: |
477 |
|
|
if (sign) |
478 |
|
|
dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ |
479 |
|
|
else |
480 |
|
|
dsa.dsa_priv = NULL; /* set later by dsa_init() */ |
481 |
|
|
break; |
482 |
|
|
case IKEV2_AUTH_RSA_SIG: |
483 |
|
|
/* RFC5996 says we SHOULD use SHA1 here */ |
484 |
|
|
dsa.dsa_priv = EVP_sha1(); |
485 |
|
|
break; |
486 |
|
|
case IKEV2_AUTH_SHARED_KEY_MIC: |
487 |
|
|
if (prf == NULL || prf->hash_priv == NULL) |
488 |
|
|
fatalx("dsa_new: invalid PRF"); |
489 |
|
|
dsa.dsa_priv = prf->hash_priv; |
490 |
|
|
dsa.dsa_hmac = 1; |
491 |
|
|
break; |
492 |
|
|
case IKEV2_AUTH_DSS_SIG: |
493 |
|
|
dsa.dsa_priv = EVP_dss1(); |
494 |
|
|
break; |
495 |
|
|
case IKEV2_AUTH_ECDSA_256: |
496 |
|
|
dsa.dsa_priv = EVP_sha256(); |
497 |
|
|
break; |
498 |
|
|
case IKEV2_AUTH_ECDSA_384: |
499 |
|
|
dsa.dsa_priv = EVP_sha384(); |
500 |
|
|
break; |
501 |
|
|
case IKEV2_AUTH_ECDSA_521: |
502 |
|
|
dsa.dsa_priv = EVP_sha512(); |
503 |
|
|
break; |
504 |
|
|
default: |
505 |
|
|
log_debug("%s: auth method %s not supported", __func__, |
506 |
|
|
print_map(id, ikev2_auth_map)); |
507 |
|
|
break; |
508 |
|
|
} |
509 |
|
|
|
510 |
|
|
if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { |
511 |
|
|
log_debug("%s: alloc dsa ctx", __func__); |
512 |
|
|
|
513 |
|
|
return (NULL); |
514 |
|
|
} |
515 |
|
|
memcpy(dsap, &dsa, sizeof(*dsap)); |
516 |
|
|
|
517 |
|
|
dsap->dsa_method = id; |
518 |
|
|
dsap->dsa_sign = sign; |
519 |
|
|
|
520 |
|
|
if (dsap->dsa_hmac) { |
521 |
|
|
if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { |
522 |
|
|
log_debug("%s: alloc hash ctx", __func__); |
523 |
|
|
dsa_free(dsap); |
524 |
|
|
return (NULL); |
525 |
|
|
} |
526 |
|
|
HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); |
527 |
|
|
} else { |
528 |
|
|
if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { |
529 |
|
|
log_debug("%s: alloc digest ctx", __func__); |
530 |
|
|
dsa_free(dsap); |
531 |
|
|
return (NULL); |
532 |
|
|
} |
533 |
|
|
} |
534 |
|
|
|
535 |
|
|
return (dsap); |
536 |
|
|
} |
537 |
|
|
|
538 |
|
|
struct iked_dsa * |
539 |
|
|
dsa_sign_new(uint16_t id, struct iked_hash *prf) |
540 |
|
|
{ |
541 |
|
|
return (dsa_new(id, prf, 1)); |
542 |
|
|
} |
543 |
|
|
|
544 |
|
|
struct iked_dsa * |
545 |
|
|
dsa_verify_new(uint16_t id, struct iked_hash *prf) |
546 |
|
|
{ |
547 |
|
|
return (dsa_new(id, prf, 0)); |
548 |
|
|
} |
549 |
|
|
|
550 |
|
|
void |
551 |
|
|
dsa_free(struct iked_dsa *dsa) |
552 |
|
|
{ |
553 |
|
|
if (dsa == NULL) |
554 |
|
|
return; |
555 |
|
|
if (dsa->dsa_hmac) { |
556 |
|
|
HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); |
557 |
|
|
free(dsa->dsa_ctx); |
558 |
|
|
} else { |
559 |
|
|
EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); |
560 |
|
|
if (dsa->dsa_key) |
561 |
|
|
EVP_PKEY_free(dsa->dsa_key); |
562 |
|
|
if (dsa->dsa_cert) |
563 |
|
|
X509_free(dsa->dsa_cert); |
564 |
|
|
} |
565 |
|
|
|
566 |
|
|
ibuf_release(dsa->dsa_keydata); |
567 |
|
|
free(dsa); |
568 |
|
|
} |
569 |
|
|
|
570 |
|
|
struct ibuf * |
571 |
|
|
dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) |
572 |
|
|
{ |
573 |
|
|
BIO *rawcert = NULL; |
574 |
|
|
X509 *cert = NULL; |
575 |
|
|
RSA *rsa = NULL; |
576 |
|
|
EVP_PKEY *pkey = NULL; |
577 |
|
|
|
578 |
|
|
ibuf_release(dsa->dsa_keydata); |
579 |
|
|
if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { |
580 |
|
|
log_debug("%s: alloc signature key", __func__); |
581 |
|
|
return (NULL); |
582 |
|
|
} |
583 |
|
|
|
584 |
|
|
if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) |
585 |
|
|
goto err; |
586 |
|
|
|
587 |
|
|
switch (type) { |
588 |
|
|
case IKEV2_CERT_X509_CERT: |
589 |
|
|
if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) |
590 |
|
|
goto sslerr; |
591 |
|
|
if ((pkey = X509_get_pubkey(cert)) == NULL) |
592 |
|
|
goto sslerr; |
593 |
|
|
dsa->dsa_cert = cert; |
594 |
|
|
dsa->dsa_key = pkey; |
595 |
|
|
break; |
596 |
|
|
case IKEV2_CERT_RSA_KEY: |
597 |
|
|
if (dsa->dsa_sign) { |
598 |
|
|
if ((rsa = d2i_RSAPrivateKey_bio(rawcert, |
599 |
|
|
NULL)) == NULL) |
600 |
|
|
goto sslerr; |
601 |
|
|
} else { |
602 |
|
|
if ((rsa = d2i_RSAPublicKey_bio(rawcert, |
603 |
|
|
NULL)) == NULL) |
604 |
|
|
goto sslerr; |
605 |
|
|
} |
606 |
|
|
|
607 |
|
|
if ((pkey = EVP_PKEY_new()) == NULL) |
608 |
|
|
goto sslerr; |
609 |
|
|
if (!EVP_PKEY_set1_RSA(pkey, rsa)) |
610 |
|
|
goto sslerr; |
611 |
|
|
|
612 |
|
|
RSA_free(rsa); /* pkey now has the reference */ |
613 |
|
|
dsa->dsa_cert = NULL; |
614 |
|
|
dsa->dsa_key = pkey; |
615 |
|
|
break; |
616 |
|
|
default: |
617 |
|
|
if (dsa->dsa_hmac) |
618 |
|
|
break; |
619 |
|
|
log_debug("%s: unsupported key type", __func__); |
620 |
|
|
goto err; |
621 |
|
|
} |
622 |
|
|
|
623 |
|
|
return (dsa->dsa_keydata); |
624 |
|
|
|
625 |
|
|
sslerr: |
626 |
|
|
ca_sslerror(__func__); |
627 |
|
|
err: |
628 |
|
|
log_debug("%s: error", __func__); |
629 |
|
|
|
630 |
|
|
if (rsa != NULL) |
631 |
|
|
RSA_free(rsa); |
632 |
|
|
if (pkey != NULL) |
633 |
|
|
EVP_PKEY_free(pkey); |
634 |
|
|
if (cert != NULL) |
635 |
|
|
X509_free(cert); |
636 |
|
|
if (rawcert != NULL) |
637 |
|
|
BIO_free(rawcert); |
638 |
|
|
ibuf_release(dsa->dsa_keydata); |
639 |
|
|
return (NULL); |
640 |
|
|
} |
641 |
|
|
|
642 |
|
|
int |
643 |
|
|
_dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) |
644 |
|
|
{ |
645 |
|
|
uint8_t oidlen; |
646 |
|
|
size_t i; |
647 |
|
|
|
648 |
|
|
if (dsa->dsa_priv != NULL) |
649 |
|
|
return (0); |
650 |
|
|
/* |
651 |
|
|
* For IKEV2_AUTH_SIG the oid of the authentication signature |
652 |
|
|
* is encoded in the first bytes of the auth message. |
653 |
|
|
*/ |
654 |
|
|
if (dsa->dsa_method != IKEV2_AUTH_SIG) { |
655 |
|
|
log_debug("%s: dsa_priv not set for %s", __func__, |
656 |
|
|
print_map(dsa->dsa_method, ikev2_auth_map)); |
657 |
|
|
return (-1); |
658 |
|
|
} |
659 |
|
|
if (sig == NULL) { |
660 |
|
|
log_debug("%s: signature missing", __func__); |
661 |
|
|
return (-1); |
662 |
|
|
} |
663 |
|
|
if (len < 1) { |
664 |
|
|
log_debug("%s: signature (%zu) too small for oid length", |
665 |
|
|
__func__, len); |
666 |
|
|
return (-1); |
667 |
|
|
} |
668 |
|
|
memcpy(&oidlen, sig, sizeof(oidlen)); |
669 |
|
|
if (len < (size_t)oidlen + 1) { |
670 |
|
|
log_debug("%s: signature (%zu) too small for oid (%u)", |
671 |
|
|
__func__, len, oidlen); |
672 |
|
|
return (-1); |
673 |
|
|
} |
674 |
|
|
for (i = 0; i < nitems(schemes); i++) { |
675 |
|
|
if (oidlen == schemes[i].sc_len && |
676 |
|
|
memcmp(sig + 1, schemes[i].sc_oid, |
677 |
|
|
schemes[i].sc_len) == 0) { |
678 |
|
|
dsa->dsa_priv = (*schemes[i].sc_md)(); |
679 |
|
|
log_debug("%s: signature scheme %zd selected", |
680 |
|
|
__func__, i); |
681 |
|
|
return (0); |
682 |
|
|
} |
683 |
|
|
} |
684 |
|
|
log_debug("%s: unsupported signature (%d)", __func__, oidlen); |
685 |
|
|
return (-1); |
686 |
|
|
} |
687 |
|
|
|
688 |
|
|
int |
689 |
|
|
dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) |
690 |
|
|
{ |
691 |
|
|
int ret; |
692 |
|
|
|
693 |
|
|
if (dsa->dsa_hmac) { |
694 |
|
|
if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), |
695 |
|
|
ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) |
696 |
|
|
return (-1); |
697 |
|
|
return (0); |
698 |
|
|
} |
699 |
|
|
|
700 |
|
|
if (dsa->dsa_sign) |
701 |
|
|
ret = EVP_SignInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); |
702 |
|
|
else { |
703 |
|
|
if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) |
704 |
|
|
return (ret); |
705 |
|
|
ret = EVP_VerifyInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); |
706 |
|
|
} |
707 |
|
|
|
708 |
|
|
return (ret ? 0 : -1); |
709 |
|
|
} |
710 |
|
|
|
711 |
|
|
int |
712 |
|
|
dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) |
713 |
|
|
{ |
714 |
|
|
int ret = 1; |
715 |
|
|
|
716 |
|
|
if (dsa->dsa_hmac) |
717 |
|
|
ret = HMAC_Update(dsa->dsa_ctx, buf, len); |
718 |
|
|
else if (dsa->dsa_sign) |
719 |
|
|
ret = EVP_SignUpdate(dsa->dsa_ctx, buf, len); |
720 |
|
|
else |
721 |
|
|
ret = EVP_VerifyUpdate(dsa->dsa_ctx, buf, len); |
722 |
|
|
|
723 |
|
|
return (ret ? 0 : -1); |
724 |
|
|
} |
725 |
|
|
|
726 |
|
|
/* Prefix signature hash with encoded type */ |
727 |
|
|
int |
728 |
|
|
_dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t *offp) |
729 |
|
|
{ |
730 |
|
|
if (offp) |
731 |
|
|
*offp = 0; |
732 |
|
|
if (dsa->dsa_method != IKEV2_AUTH_SIG) |
733 |
|
|
return (0); |
734 |
|
|
if (dsa->dsa_priv != EVP_sha256()) |
735 |
|
|
return (-1); |
736 |
|
|
if (ptr) { |
737 |
|
|
ptr[0] = sizeof(sha256WithRSAEncryption); |
738 |
|
|
memcpy(ptr + 1, sha256WithRSAEncryption, |
739 |
|
|
sizeof(sha256WithRSAEncryption)); |
740 |
|
|
} |
741 |
|
|
if (offp) |
742 |
|
|
*offp = 1 + sizeof(sha256WithRSAEncryption); |
743 |
|
|
return (0); |
744 |
|
|
} |
745 |
|
|
|
746 |
|
|
size_t |
747 |
|
|
dsa_length(struct iked_dsa *dsa) |
748 |
|
|
{ |
749 |
|
|
size_t off = 0; |
750 |
|
|
|
751 |
|
|
if (dsa->dsa_hmac) |
752 |
|
|
return (EVP_MD_size(dsa->dsa_priv)); |
753 |
|
|
if (_dsa_sign_encode(dsa, NULL, &off) < 0) |
754 |
|
|
fatal("dsa_length: internal error"); |
755 |
|
|
return (EVP_PKEY_size(dsa->dsa_key) + off); |
756 |
|
|
} |
757 |
|
|
|
758 |
|
|
ssize_t |
759 |
|
|
dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) |
760 |
|
|
{ |
761 |
|
|
unsigned int siglen; |
762 |
|
|
size_t off = 0; |
763 |
|
|
uint8_t *ptr = buf; |
764 |
|
|
|
765 |
|
|
if (len < dsa_length(dsa)) |
766 |
|
|
return (-1); |
767 |
|
|
|
768 |
|
|
if (dsa->dsa_hmac) { |
769 |
|
|
if (!HMAC_Final(dsa->dsa_ctx, buf, &siglen)) |
770 |
|
|
return (-1); |
771 |
|
|
} else { |
772 |
|
|
if (_dsa_sign_encode(dsa, ptr, &off) < 0) |
773 |
|
|
return (-1); |
774 |
|
|
if (!EVP_SignFinal(dsa->dsa_ctx, ptr + off, &siglen, |
775 |
|
|
dsa->dsa_key)) |
776 |
|
|
return (-1); |
777 |
|
|
siglen += off; |
778 |
|
|
} |
779 |
|
|
|
780 |
|
|
return (siglen); |
781 |
|
|
} |
782 |
|
|
|
783 |
|
|
size_t |
784 |
|
|
_dsa_verify_offset(struct iked_dsa *dsa, uint8_t *ptr) |
785 |
|
|
{ |
786 |
|
|
/* |
787 |
|
|
* XXX assumes that _dsa_verify_init() has already checked |
788 |
|
|
* the encoded method. |
789 |
|
|
*/ |
790 |
|
|
if (dsa->dsa_method == IKEV2_AUTH_SIG) |
791 |
|
|
return (ptr[0] + 1); |
792 |
|
|
return (0); |
793 |
|
|
} |
794 |
|
|
|
795 |
|
|
ssize_t |
796 |
|
|
dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) |
797 |
|
|
{ |
798 |
|
|
uint8_t sig[EVP_MAX_MD_SIZE]; |
799 |
|
|
unsigned int siglen = sizeof(sig); |
800 |
|
|
uint8_t *ptr = buf; |
801 |
|
|
size_t off = 0; |
802 |
|
|
|
803 |
|
|
if (dsa->dsa_hmac) { |
804 |
|
|
if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) |
805 |
|
|
return (-1); |
806 |
|
|
if (siglen != len || memcmp(buf, sig, siglen) != 0) |
807 |
|
|
return (-1); |
808 |
|
|
} else { |
809 |
|
|
if ((off = _dsa_verify_offset(dsa, ptr)) >= len) |
810 |
|
|
return (-1); |
811 |
|
|
if (EVP_VerifyFinal(dsa->dsa_ctx, ptr + off, len - off, |
812 |
|
|
dsa->dsa_key) != 1) { |
813 |
|
|
ca_sslerror(__func__); |
814 |
|
|
return (-1); |
815 |
|
|
} |
816 |
|
|
} |
817 |
|
|
|
818 |
|
|
return (0); |
819 |
|
|
} |