1 |
|
|
/* $OpenBSD: ike_auth.c,v 1.114 2017/11/08 13:33:49 patrick Exp $ */ |
2 |
|
|
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ |
3 |
|
|
|
4 |
|
|
/* |
5 |
|
|
* Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. |
6 |
|
|
* Copyright (c) 1999 Niels Provos. All rights reserved. |
7 |
|
|
* Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. |
8 |
|
|
* Copyright (c) 2000, 2001, 2003 Håkan Olsson. All rights reserved. |
9 |
|
|
* |
10 |
|
|
* Redistribution and use in source and binary forms, with or without |
11 |
|
|
* modification, are permitted provided that the following conditions |
12 |
|
|
* are met: |
13 |
|
|
* 1. Redistributions of source code must retain the above copyright |
14 |
|
|
* notice, this list of conditions and the following disclaimer. |
15 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
16 |
|
|
* notice, this list of conditions and the following disclaimer in the |
17 |
|
|
* documentation and/or other materials provided with the distribution. |
18 |
|
|
* |
19 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
20 |
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
21 |
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
22 |
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
23 |
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
24 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
25 |
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
26 |
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
27 |
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
28 |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
29 |
|
|
*/ |
30 |
|
|
|
31 |
|
|
/* |
32 |
|
|
* This code was written under funding by Ericsson Radio Systems. |
33 |
|
|
*/ |
34 |
|
|
|
35 |
|
|
#include <sys/types.h> |
36 |
|
|
#include <sys/stat.h> |
37 |
|
|
#include <netinet/in.h> |
38 |
|
|
#include <arpa/inet.h> |
39 |
|
|
|
40 |
|
|
#include <errno.h> |
41 |
|
|
#include <fcntl.h> |
42 |
|
|
#include <stdlib.h> |
43 |
|
|
#include <string.h> |
44 |
|
|
#include <unistd.h> |
45 |
|
|
#include <regex.h> |
46 |
|
|
#include <keynote.h> |
47 |
|
|
#include <policy.h> |
48 |
|
|
|
49 |
|
|
#include "cert.h" |
50 |
|
|
#include "conf.h" |
51 |
|
|
#include "constants.h" |
52 |
|
|
#if defined (USE_DNSSEC) |
53 |
|
|
#include "dnssec.h" |
54 |
|
|
#endif |
55 |
|
|
#include "exchange.h" |
56 |
|
|
#include "hash.h" |
57 |
|
|
#include "ike_auth.h" |
58 |
|
|
#include "ipsec.h" |
59 |
|
|
#include "ipsec_doi.h" |
60 |
|
|
#include "libcrypto.h" |
61 |
|
|
#include "log.h" |
62 |
|
|
#include "message.h" |
63 |
|
|
#include "monitor.h" |
64 |
|
|
#include "prf.h" |
65 |
|
|
#include "transport.h" |
66 |
|
|
#include "util.h" |
67 |
|
|
#include "key.h" |
68 |
|
|
#include "x509.h" |
69 |
|
|
|
70 |
|
|
#ifdef notyet |
71 |
|
|
static u_int8_t *enc_gen_skeyid(struct exchange *, size_t *); |
72 |
|
|
#endif |
73 |
|
|
static u_int8_t *pre_shared_gen_skeyid(struct exchange *, size_t *); |
74 |
|
|
|
75 |
|
|
static int pre_shared_decode_hash(struct message *); |
76 |
|
|
static int pre_shared_encode_hash(struct message *); |
77 |
|
|
|
78 |
|
|
static u_int8_t *sig_gen_skeyid(struct exchange *, size_t *); |
79 |
|
|
static int rsa_sig_decode_hash(struct message *); |
80 |
|
|
static int rsa_sig_encode_hash(struct message *); |
81 |
|
|
|
82 |
|
|
static int get_raw_key_from_file(int, u_int8_t *, size_t, RSA **); |
83 |
|
|
|
84 |
|
|
static int ike_auth_hash(struct exchange *, u_int8_t *); |
85 |
|
|
|
86 |
|
|
static struct ike_auth ike_auth[] = { |
87 |
|
|
{ |
88 |
|
|
IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid, |
89 |
|
|
pre_shared_decode_hash, |
90 |
|
|
pre_shared_encode_hash |
91 |
|
|
}, |
92 |
|
|
#ifdef notdef |
93 |
|
|
{ |
94 |
|
|
IKE_AUTH_DSS, sig_gen_skeyid, |
95 |
|
|
pre_shared_decode_hash, |
96 |
|
|
pre_shared_encode_hash |
97 |
|
|
}, |
98 |
|
|
#endif |
99 |
|
|
{ |
100 |
|
|
IKE_AUTH_RSA_SIG, sig_gen_skeyid, |
101 |
|
|
rsa_sig_decode_hash, |
102 |
|
|
rsa_sig_encode_hash |
103 |
|
|
}, |
104 |
|
|
#ifdef notdef |
105 |
|
|
{ |
106 |
|
|
IKE_AUTH_RSA_ENC, enc_gen_skeyid, |
107 |
|
|
pre_shared_decode_hash, |
108 |
|
|
pre_shared_encode_hash |
109 |
|
|
}, |
110 |
|
|
{ |
111 |
|
|
IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid, |
112 |
|
|
pre_shared_decode_hash, |
113 |
|
|
pre_shared_encode_hash |
114 |
|
|
}, |
115 |
|
|
#endif |
116 |
|
|
}; |
117 |
|
|
|
118 |
|
|
struct ike_auth * |
119 |
|
|
ike_auth_get(u_int16_t id) |
120 |
|
|
{ |
121 |
|
|
size_t i; |
122 |
|
|
|
123 |
|
|
for (i = 0; i < sizeof ike_auth / sizeof ike_auth[0]; i++) |
124 |
|
|
if (id == ike_auth[i].id) |
125 |
|
|
return &ike_auth[i]; |
126 |
|
|
return 0; |
127 |
|
|
} |
128 |
|
|
|
129 |
|
|
/* |
130 |
|
|
* Find and decode the configured key (pre-shared or public) for the |
131 |
|
|
* peer denoted by ID. Stash the len in KEYLEN. |
132 |
|
|
*/ |
133 |
|
|
static void * |
134 |
|
|
ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) |
135 |
|
|
{ |
136 |
|
|
char *key, *buf; |
137 |
|
|
char *keyfile, *privkeyfile; |
138 |
|
|
FILE *keyfp; |
139 |
|
|
RSA *rsakey; |
140 |
|
|
size_t fsize, pkflen; |
141 |
|
|
int fd; |
142 |
|
|
|
143 |
|
|
switch (type) { |
144 |
|
|
case IKE_AUTH_PRE_SHARED: |
145 |
|
|
/* Get the pre-shared key for our peer. */ |
146 |
|
|
key = conf_get_str(id, "Authentication"); |
147 |
|
|
if (!key && local_id) |
148 |
|
|
key = conf_get_str(local_id, "Authentication"); |
149 |
|
|
|
150 |
|
|
if (!key) { |
151 |
|
|
log_print("ike_auth_get_key: " |
152 |
|
|
"no key found for peer \"%s\" or local ID \"%s\"", |
153 |
|
|
id, local_id ? local_id : "<none>"); |
154 |
|
|
return 0; |
155 |
|
|
} |
156 |
|
|
/* If the key starts with 0x it is in hex format. */ |
157 |
|
|
if (strncasecmp(key, "0x", 2) == 0) { |
158 |
|
|
*keylen = (strlen(key) - 1) / 2; |
159 |
|
|
buf = malloc(*keylen); |
160 |
|
|
if (!buf) { |
161 |
|
|
log_error("ike_auth_get_key: malloc (%lu) " |
162 |
|
|
"failed", (unsigned long)*keylen); |
163 |
|
|
return 0; |
164 |
|
|
} |
165 |
|
|
if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) { |
166 |
|
|
free(buf); |
167 |
|
|
log_print("ike_auth_get_key: invalid hex key " |
168 |
|
|
"%s", key); |
169 |
|
|
return 0; |
170 |
|
|
} |
171 |
|
|
key = buf; |
172 |
|
|
} else { |
173 |
|
|
buf = key; |
174 |
|
|
key = strdup(buf); |
175 |
|
|
if (!key) { |
176 |
|
|
log_error("ike_auth_get_key: strdup() failed"); |
177 |
|
|
return 0; |
178 |
|
|
} |
179 |
|
|
*keylen = strlen(key); |
180 |
|
|
} |
181 |
|
|
break; |
182 |
|
|
|
183 |
|
|
case IKE_AUTH_RSA_SIG: |
184 |
|
|
if (local_id && (keyfile = conf_get_str("KeyNote", |
185 |
|
|
"Credential-directory")) != 0) { |
186 |
|
|
struct stat sb; |
187 |
|
|
struct keynote_deckey dc; |
188 |
|
|
char *privkeyfile, *buf2; |
189 |
|
|
size_t size; |
190 |
|
|
|
191 |
|
|
if (asprintf(&privkeyfile, "%s/%s/%s", keyfile, |
192 |
|
|
local_id, PRIVATE_KEY_FILE) == -1) { |
193 |
|
|
log_print("ike_auth_get_key: failed to asprintf()"); |
194 |
|
|
return 0; |
195 |
|
|
} |
196 |
|
|
keyfile = privkeyfile; |
197 |
|
|
|
198 |
|
|
fd = monitor_open(keyfile, O_RDONLY, 0); |
199 |
|
|
if (fd < 0) { |
200 |
|
|
free(keyfile); |
201 |
|
|
goto ignorekeynote; |
202 |
|
|
} |
203 |
|
|
|
204 |
|
|
if (fstat(fd, &sb) < 0) { |
205 |
|
|
log_print("ike_auth_get_key: fstat failed"); |
206 |
|
|
free(keyfile); |
207 |
|
|
close(fd); |
208 |
|
|
return 0; |
209 |
|
|
} |
210 |
|
|
size = (size_t)sb.st_size; |
211 |
|
|
|
212 |
|
|
buf = calloc(size + 1, sizeof(char)); |
213 |
|
|
if (!buf) { |
214 |
|
|
log_print("ike_auth_get_key: failed allocating" |
215 |
|
|
" %lu bytes", (unsigned long)size + 1); |
216 |
|
|
free(keyfile); |
217 |
|
|
close(fd); |
218 |
|
|
return 0; |
219 |
|
|
} |
220 |
|
|
if (read(fd, buf, size) != (ssize_t)size) { |
221 |
|
|
free(buf); |
222 |
|
|
log_print("ike_auth_get_key: " |
223 |
|
|
"failed reading %lu bytes from \"%s\"", |
224 |
|
|
(unsigned long)size, keyfile); |
225 |
|
|
free(keyfile); |
226 |
|
|
close(fd); |
227 |
|
|
return 0; |
228 |
|
|
} |
229 |
|
|
close(fd); |
230 |
|
|
|
231 |
|
|
/* Parse private key string */ |
232 |
|
|
buf2 = kn_get_string(buf); |
233 |
|
|
free(buf); |
234 |
|
|
|
235 |
|
|
if (!buf2 || kn_decode_key(&dc, buf2, |
236 |
|
|
KEYNOTE_PRIVATE_KEY) == -1) { |
237 |
|
|
free(buf2); |
238 |
|
|
log_print("ike_auth_get_key: failed decoding " |
239 |
|
|
"key in \"%s\"", keyfile); |
240 |
|
|
free(keyfile); |
241 |
|
|
return 0; |
242 |
|
|
} |
243 |
|
|
free(buf2); |
244 |
|
|
|
245 |
|
|
if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) { |
246 |
|
|
log_print("ike_auth_get_key: wrong algorithm " |
247 |
|
|
"type %d in \"%s\"", dc.dec_algorithm, |
248 |
|
|
keyfile); |
249 |
|
|
free(keyfile); |
250 |
|
|
kn_free_key(&dc); |
251 |
|
|
return 0; |
252 |
|
|
} |
253 |
|
|
free(keyfile); |
254 |
|
|
return dc.dec_key; |
255 |
|
|
} |
256 |
|
|
ignorekeynote: |
257 |
|
|
/* Otherwise, try X.509 */ |
258 |
|
|
|
259 |
|
|
privkeyfile = keyfile = NULL; |
260 |
|
|
fd = -1; |
261 |
|
|
|
262 |
|
|
if (local_id) { |
263 |
|
|
/* Look in Private-key-directory. */ |
264 |
|
|
keyfile = conf_get_str("X509-certificates", |
265 |
|
|
"Private-key-directory"); |
266 |
|
|
pkflen = strlen(keyfile) + strlen(local_id) + sizeof "/"; |
267 |
|
|
privkeyfile = calloc(pkflen, sizeof(char)); |
268 |
|
|
if (!privkeyfile) { |
269 |
|
|
log_print("ike_auth_get_key: failed to " |
270 |
|
|
"allocate %lu bytes", (unsigned long)pkflen); |
271 |
|
|
return 0; |
272 |
|
|
} |
273 |
|
|
|
274 |
|
|
snprintf(privkeyfile, pkflen, "%s/%s", keyfile, |
275 |
|
|
local_id); |
276 |
|
|
keyfile = privkeyfile; |
277 |
|
|
|
278 |
|
|
fd = monitor_open(keyfile, O_RDONLY, 0); |
279 |
|
|
if (fd < 0 && errno != ENOENT) { |
280 |
|
|
log_print("ike_auth_get_key: failed opening " |
281 |
|
|
"\"%s\"", keyfile); |
282 |
|
|
free(privkeyfile); |
283 |
|
|
privkeyfile = NULL; |
284 |
|
|
keyfile = NULL; |
285 |
|
|
} |
286 |
|
|
} |
287 |
|
|
|
288 |
|
|
if (fd < 0) { |
289 |
|
|
/* No key found, try default key. */ |
290 |
|
|
keyfile = conf_get_str("X509-certificates", |
291 |
|
|
"Private-key"); |
292 |
|
|
|
293 |
|
|
fd = monitor_open(keyfile, O_RDONLY, 0); |
294 |
|
|
if (fd < 0) { |
295 |
|
|
log_print("ike_auth_get_key: failed opening " |
296 |
|
|
"\"%s\"", keyfile); |
297 |
|
|
return 0; |
298 |
|
|
} |
299 |
|
|
} |
300 |
|
|
|
301 |
|
|
if (check_file_secrecy_fd(fd, keyfile, &fsize)) { |
302 |
|
|
free(privkeyfile); |
303 |
|
|
close(fd); |
304 |
|
|
return 0; |
305 |
|
|
} |
306 |
|
|
|
307 |
|
|
if ((keyfp = fdopen(fd, "r")) == NULL) { |
308 |
|
|
log_print("ike_auth_get_key: fdopen failed"); |
309 |
|
|
free(privkeyfile); |
310 |
|
|
close(fd); |
311 |
|
|
return 0; |
312 |
|
|
} |
313 |
|
|
#if SSLEAY_VERSION_NUMBER >= 0x00904100L |
314 |
|
|
rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL, NULL); |
315 |
|
|
#else |
316 |
|
|
rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL); |
317 |
|
|
#endif |
318 |
|
|
fclose(keyfp); |
319 |
|
|
|
320 |
|
|
free(privkeyfile); |
321 |
|
|
|
322 |
|
|
if (!rsakey) { |
323 |
|
|
log_print("ike_auth_get_key: " |
324 |
|
|
"PEM_read_bio_RSAPrivateKey failed"); |
325 |
|
|
return 0; |
326 |
|
|
} |
327 |
|
|
return rsakey; |
328 |
|
|
|
329 |
|
|
default: |
330 |
|
|
log_print("ike_auth_get_key: unknown key type %d", type); |
331 |
|
|
return 0; |
332 |
|
|
} |
333 |
|
|
|
334 |
|
|
return key; |
335 |
|
|
} |
336 |
|
|
|
337 |
|
|
static u_int8_t * |
338 |
|
|
pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz) |
339 |
|
|
{ |
340 |
|
|
struct prf *prf; |
341 |
|
|
struct ipsec_exch *ie = exchange->data; |
342 |
|
|
u_int8_t *skeyid, *buf = 0; |
343 |
|
|
unsigned char *key; |
344 |
|
|
size_t keylen; |
345 |
|
|
|
346 |
|
|
/* |
347 |
|
|
* If we're the responder and have the initiator's ID (which is the |
348 |
|
|
* case in Aggressive mode), try to find the preshared key in the |
349 |
|
|
* section of the initiator's Phase 1 ID. This allows us to do |
350 |
|
|
* mobile user support with preshared keys. |
351 |
|
|
*/ |
352 |
|
|
if (!exchange->initiator && exchange->id_i) { |
353 |
|
|
switch (exchange->id_i[0]) { |
354 |
|
|
case IPSEC_ID_IPV4_ADDR: |
355 |
|
|
case IPSEC_ID_IPV6_ADDR: |
356 |
|
|
util_ntoa((char **) &buf, |
357 |
|
|
exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET : |
358 |
|
|
AF_INET6, exchange->id_i + ISAKMP_ID_DATA_OFF - |
359 |
|
|
ISAKMP_GEN_SZ); |
360 |
|
|
if (!buf) |
361 |
|
|
return 0; |
362 |
|
|
break; |
363 |
|
|
|
364 |
|
|
case IPSEC_ID_FQDN: |
365 |
|
|
case IPSEC_ID_USER_FQDN: |
366 |
|
|
buf = calloc(exchange->id_i_len - ISAKMP_ID_DATA_OFF + |
367 |
|
|
ISAKMP_GEN_SZ + 1, sizeof(char)); |
368 |
|
|
if (!buf) { |
369 |
|
|
log_print("pre_shared_gen_skeyid: malloc (%lu" |
370 |
|
|
") failed", |
371 |
|
|
(unsigned long)exchange->id_i_len - |
372 |
|
|
ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); |
373 |
|
|
return 0; |
374 |
|
|
} |
375 |
|
|
memcpy(buf, |
376 |
|
|
exchange->id_i + ISAKMP_ID_DATA_OFF - |
377 |
|
|
ISAKMP_GEN_SZ, |
378 |
|
|
exchange->id_i_len - ISAKMP_ID_DATA_OFF + |
379 |
|
|
ISAKMP_GEN_SZ); |
380 |
|
|
break; |
381 |
|
|
|
382 |
|
|
/* XXX Support more ID types ? */ |
383 |
|
|
default: |
384 |
|
|
break; |
385 |
|
|
} |
386 |
|
|
} |
387 |
|
|
/* |
388 |
|
|
* Get the pre-shared key for our peer. This will work even if the key |
389 |
|
|
* has been passed to us through a mechanism like PFKEYv2. |
390 |
|
|
*/ |
391 |
|
|
key = ike_auth_get_key(IKE_AUTH_PRE_SHARED, exchange->name, |
392 |
|
|
(char *)buf, &keylen); |
393 |
|
|
free(buf); |
394 |
|
|
|
395 |
|
|
/* Fail if no key could be found. */ |
396 |
|
|
if (!key) |
397 |
|
|
return 0; |
398 |
|
|
|
399 |
|
|
/* Store the secret key for later policy processing. */ |
400 |
|
|
exchange->recv_key = calloc(keylen + 1, sizeof(char)); |
401 |
|
|
exchange->recv_keytype = ISAKMP_KEY_PASSPHRASE; |
402 |
|
|
if (!exchange->recv_key) { |
403 |
|
|
log_error("pre_shared_gen_skeyid: malloc (%lu) failed", |
404 |
|
|
(unsigned long)keylen); |
405 |
|
|
free(key); |
406 |
|
|
return 0; |
407 |
|
|
} |
408 |
|
|
memcpy(exchange->recv_key, key, keylen); |
409 |
|
|
exchange->recv_certtype = ISAKMP_CERTENC_NONE; |
410 |
|
|
free(key); |
411 |
|
|
|
412 |
|
|
prf = prf_alloc(ie->prf_type, ie->hash->type, exchange->recv_key, |
413 |
|
|
keylen); |
414 |
|
|
if (!prf) |
415 |
|
|
return 0; |
416 |
|
|
|
417 |
|
|
*sz = prf->blocksize; |
418 |
|
|
skeyid = malloc(*sz); |
419 |
|
|
if (!skeyid) { |
420 |
|
|
log_error("pre_shared_gen_skeyid: malloc (%lu) failed", |
421 |
|
|
(unsigned long)*sz); |
422 |
|
|
prf_free(prf); |
423 |
|
|
return 0; |
424 |
|
|
} |
425 |
|
|
prf->Init(prf->prfctx); |
426 |
|
|
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); |
427 |
|
|
prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); |
428 |
|
|
prf->Final(skeyid, prf->prfctx); |
429 |
|
|
prf_free(prf); |
430 |
|
|
return skeyid; |
431 |
|
|
} |
432 |
|
|
|
433 |
|
|
/* Both DSS & RSA signature authentication use this algorithm. */ |
434 |
|
|
static u_int8_t * |
435 |
|
|
sig_gen_skeyid(struct exchange *exchange, size_t *sz) |
436 |
|
|
{ |
437 |
|
|
struct prf *prf; |
438 |
|
|
struct ipsec_exch *ie = exchange->data; |
439 |
|
|
u_int8_t *skeyid; |
440 |
|
|
unsigned char *key; |
441 |
|
|
|
442 |
|
|
key = malloc(exchange->nonce_i_len + exchange->nonce_r_len); |
443 |
|
|
if (!key) |
444 |
|
|
return 0; |
445 |
|
|
memcpy(key, exchange->nonce_i, exchange->nonce_i_len); |
446 |
|
|
memcpy(key + exchange->nonce_i_len, exchange->nonce_r, |
447 |
|
|
exchange->nonce_r_len); |
448 |
|
|
|
449 |
|
|
LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: PRF type %d, hash %d", |
450 |
|
|
ie->prf_type, ie->hash->type)); |
451 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 80, |
452 |
|
|
"sig_gen_skeyid: SKEYID initialized with", |
453 |
|
|
(u_int8_t *)key, exchange->nonce_i_len + exchange->nonce_r_len)); |
454 |
|
|
|
455 |
|
|
prf = prf_alloc(ie->prf_type, ie->hash->type, key, |
456 |
|
|
exchange->nonce_i_len + exchange->nonce_r_len); |
457 |
|
|
free(key); |
458 |
|
|
if (!prf) |
459 |
|
|
return 0; |
460 |
|
|
|
461 |
|
|
*sz = prf->blocksize; |
462 |
|
|
skeyid = malloc(*sz); |
463 |
|
|
if (!skeyid) { |
464 |
|
|
log_error("sig_gen_skeyid: malloc (%lu) failed", |
465 |
|
|
(unsigned long)*sz); |
466 |
|
|
prf_free(prf); |
467 |
|
|
return 0; |
468 |
|
|
} |
469 |
|
|
LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: g^xy length %lu", |
470 |
|
|
(unsigned long)ie->g_x_len)); |
471 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 80, |
472 |
|
|
"sig_gen_skeyid: SKEYID fed with g^xy", ie->g_xy, ie->g_xy_len)); |
473 |
|
|
|
474 |
|
|
prf->Init(prf->prfctx); |
475 |
|
|
prf->Update(prf->prfctx, ie->g_xy, ie->g_xy_len); |
476 |
|
|
prf->Final(skeyid, prf->prfctx); |
477 |
|
|
prf_free(prf); |
478 |
|
|
return skeyid; |
479 |
|
|
} |
480 |
|
|
|
481 |
|
|
#ifdef notdef |
482 |
|
|
/* |
483 |
|
|
* Both standard and revised RSA encryption authentication use this SKEYID |
484 |
|
|
* computation. |
485 |
|
|
*/ |
486 |
|
|
static u_int8_t * |
487 |
|
|
enc_gen_skeyid(struct exchange *exchange, size_t *sz) |
488 |
|
|
{ |
489 |
|
|
struct prf *prf; |
490 |
|
|
struct ipsec_exch *ie = exchange->data; |
491 |
|
|
struct hash *hash = ie->hash; |
492 |
|
|
u_int8_t *skeyid; |
493 |
|
|
|
494 |
|
|
hash->Init(hash->ctx); |
495 |
|
|
hash->Update(hash->ctx, exchange->nonce_i, exchange->nonce_i_len); |
496 |
|
|
hash->Update(hash->ctx, exchange->nonce_r, exchange->nonce_r_len); |
497 |
|
|
hash->Final(hash->digest, hash->ctx); |
498 |
|
|
prf = prf_alloc(ie->prf_type, hash->type, hash->digest, *sz); |
499 |
|
|
if (!prf) |
500 |
|
|
return 0; |
501 |
|
|
|
502 |
|
|
*sz = prf->blocksize; |
503 |
|
|
skeyid = malloc(*sz); |
504 |
|
|
if (!skeyid) { |
505 |
|
|
log_error("enc_gen_skeyid: malloc (%d) failed", *sz); |
506 |
|
|
prf_free(prf); |
507 |
|
|
return 0; |
508 |
|
|
} |
509 |
|
|
prf->Init(prf->prfctx); |
510 |
|
|
prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); |
511 |
|
|
prf->Final(skeyid, prf->prfctx); |
512 |
|
|
prf_free(prf); |
513 |
|
|
return skeyid; |
514 |
|
|
} |
515 |
|
|
#endif /* notdef */ |
516 |
|
|
|
517 |
|
|
static int |
518 |
|
|
pre_shared_decode_hash(struct message *msg) |
519 |
|
|
{ |
520 |
|
|
struct exchange *exchange = msg->exchange; |
521 |
|
|
struct ipsec_exch *ie = exchange->data; |
522 |
|
|
struct payload *payload; |
523 |
|
|
size_t hashsize = ie->hash->hashsize; |
524 |
|
|
char header[80]; |
525 |
|
|
int initiator = exchange->initiator; |
526 |
|
|
u_int8_t **hash_p; |
527 |
|
|
|
528 |
|
|
/* Choose the right fields to fill-in. */ |
529 |
|
|
hash_p = initiator ? &ie->hash_r : &ie->hash_i; |
530 |
|
|
|
531 |
|
|
payload = payload_first(msg, ISAKMP_PAYLOAD_HASH); |
532 |
|
|
if (!payload) { |
533 |
|
|
log_print("pre_shared_decode_hash: no HASH payload found"); |
534 |
|
|
return -1; |
535 |
|
|
} |
536 |
|
|
/* Check that the hash is of the correct size. */ |
537 |
|
|
if (GET_ISAKMP_GEN_LENGTH(payload->p) - ISAKMP_GEN_SZ != hashsize) |
538 |
|
|
return -1; |
539 |
|
|
|
540 |
|
|
/* XXX Need this hash be in the SA? */ |
541 |
|
|
*hash_p = malloc(hashsize); |
542 |
|
|
if (!*hash_p) { |
543 |
|
|
log_error("pre_shared_decode_hash: malloc (%lu) failed", |
544 |
|
|
(unsigned long)hashsize); |
545 |
|
|
return -1; |
546 |
|
|
} |
547 |
|
|
memcpy(*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize); |
548 |
|
|
snprintf(header, sizeof header, "pre_shared_decode_hash: HASH_%c", |
549 |
|
|
initiator ? 'R' : 'I'); |
550 |
|
|
LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize)); |
551 |
|
|
|
552 |
|
|
payload->flags |= PL_MARK; |
553 |
|
|
return 0; |
554 |
|
|
} |
555 |
|
|
|
556 |
|
|
/* Decrypt the HASH in SIG, we already need a parsed ID payload. */ |
557 |
|
|
static int |
558 |
|
|
rsa_sig_decode_hash(struct message *msg) |
559 |
|
|
{ |
560 |
|
|
struct cert_handler *handler; |
561 |
|
|
struct exchange *exchange = msg->exchange; |
562 |
|
|
struct ipsec_exch *ie = exchange->data; |
563 |
|
|
struct payload *p; |
564 |
|
|
void *cert = 0; |
565 |
|
|
u_int8_t *rawcert = 0, **hash_p, **id_cert, *id; |
566 |
|
|
u_int32_t rawcertlen, *id_cert_len; |
567 |
|
|
RSA *key = 0; |
568 |
|
|
size_t hashsize = ie->hash->hashsize, id_len; |
569 |
|
|
char header[80]; |
570 |
|
|
int len, initiator = exchange->initiator; |
571 |
|
|
int found = 0, n, i, id_found; |
572 |
|
|
#if defined (USE_DNSSEC) |
573 |
|
|
u_int8_t *rawkey = 0; |
574 |
|
|
u_int32_t rawkeylen; |
575 |
|
|
#endif |
576 |
|
|
|
577 |
|
|
/* Choose the right fields to fill-in. */ |
578 |
|
|
hash_p = initiator ? &ie->hash_r : &ie->hash_i; |
579 |
|
|
id = initiator ? exchange->id_r : exchange->id_i; |
580 |
|
|
id_len = initiator ? exchange->id_r_len : exchange->id_i_len; |
581 |
|
|
|
582 |
|
|
if (!id || id_len == 0) { |
583 |
|
|
log_print("rsa_sig_decode_hash: ID is missing"); |
584 |
|
|
return -1; |
585 |
|
|
} |
586 |
|
|
/* |
587 |
|
|
* XXX Assume we should use the same kind of certification as the |
588 |
|
|
* remote... moreover, just use the first CERT payload to decide what |
589 |
|
|
* to use. |
590 |
|
|
*/ |
591 |
|
|
p = payload_first(msg, ISAKMP_PAYLOAD_CERT); |
592 |
|
|
if (!p) |
593 |
|
|
handler = cert_get(ISAKMP_CERTENC_KEYNOTE); |
594 |
|
|
else |
595 |
|
|
handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p)); |
596 |
|
|
if (!handler) { |
597 |
|
|
log_print("rsa_sig_decode_hash: cert_get (%d) failed", |
598 |
|
|
p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1); |
599 |
|
|
return -1; |
600 |
|
|
} |
601 |
|
|
/* |
602 |
|
|
* We need the policy session initialized now, so we can add |
603 |
|
|
* credentials etc. |
604 |
|
|
*/ |
605 |
|
|
exchange->policy_id = kn_init(); |
606 |
|
|
if (exchange->policy_id == -1) { |
607 |
|
|
log_print("rsa_sig_decode_hash: failed to initialize policy " |
608 |
|
|
"session"); |
609 |
|
|
return -1; |
610 |
|
|
} |
611 |
|
|
|
612 |
|
|
/* Obtain a certificate from our certificate storage. */ |
613 |
|
|
if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) { |
614 |
|
|
if (handler->id == ISAKMP_CERTENC_X509_SIG) { |
615 |
|
|
cert = handler->cert_get(rawcert, rawcertlen); |
616 |
|
|
if (!cert) |
617 |
|
|
LOG_DBG((LOG_CRYPTO, 50, "rsa_sig_decode_hash:" |
618 |
|
|
" certificate malformed")); |
619 |
|
|
else { |
620 |
|
|
if (!handler->cert_get_key(cert, &key)) { |
621 |
|
|
log_print("rsa_sig_decode_hash: " |
622 |
|
|
"decoding certificate failed"); |
623 |
|
|
handler->cert_free(cert); |
624 |
|
|
} else { |
625 |
|
|
found++; |
626 |
|
|
LOG_DBG((LOG_CRYPTO, 40, |
627 |
|
|
"rsa_sig_decode_hash: using cert " |
628 |
|
|
"of type %d", handler->id)); |
629 |
|
|
exchange->recv_cert = cert; |
630 |
|
|
exchange->recv_certtype = handler->id; |
631 |
|
|
x509_generate_kn(exchange->policy_id, |
632 |
|
|
cert); |
633 |
|
|
} |
634 |
|
|
} |
635 |
|
|
} else if (handler->id == ISAKMP_CERTENC_KEYNOTE) |
636 |
|
|
handler->cert_insert(exchange->policy_id, rawcert); |
637 |
|
|
free(rawcert); |
638 |
|
|
} |
639 |
|
|
/* |
640 |
|
|
* Walk over potential CERT payloads in this message. |
641 |
|
|
* XXX I believe this is the wrong spot for this. CERTs can appear |
642 |
|
|
* anytime. |
643 |
|
|
*/ |
644 |
|
|
TAILQ_FOREACH(p, &msg->payload[ISAKMP_PAYLOAD_CERT], link) { |
645 |
|
|
p->flags |= PL_MARK; |
646 |
|
|
|
647 |
|
|
/* |
648 |
|
|
* When we have found a key, just walk over the rest, marking |
649 |
|
|
* them. |
650 |
|
|
*/ |
651 |
|
|
if (found) |
652 |
|
|
continue; |
653 |
|
|
|
654 |
|
|
handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p)); |
655 |
|
|
if (!handler) { |
656 |
|
|
LOG_DBG((LOG_MISC, 30, "rsa_sig_decode_hash: " |
657 |
|
|
"no handler for %s CERT encoding", |
658 |
|
|
constant_name(isakmp_certenc_cst, |
659 |
|
|
GET_ISAKMP_CERT_ENCODING(p->p)))); |
660 |
|
|
continue; |
661 |
|
|
} |
662 |
|
|
cert = handler->cert_get(p->p + ISAKMP_CERT_DATA_OFF, |
663 |
|
|
GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERT_DATA_OFF); |
664 |
|
|
if (!cert) { |
665 |
|
|
log_print("rsa_sig_decode_hash: " |
666 |
|
|
"can not get data from CERT"); |
667 |
|
|
continue; |
668 |
|
|
} |
669 |
|
|
if (!handler->cert_validate(cert)) { |
670 |
|
|
handler->cert_free(cert); |
671 |
|
|
log_print("rsa_sig_decode_hash: received CERT can't " |
672 |
|
|
"be validated"); |
673 |
|
|
continue; |
674 |
|
|
} |
675 |
|
|
if (GET_ISAKMP_CERT_ENCODING(p->p) == |
676 |
|
|
ISAKMP_CERTENC_X509_SIG) { |
677 |
|
|
if (!handler->cert_get_subjects(cert, &n, &id_cert, |
678 |
|
|
&id_cert_len)) { |
679 |
|
|
handler->cert_free(cert); |
680 |
|
|
log_print("rsa_sig_decode_hash: can not get " |
681 |
|
|
"subject from CERT"); |
682 |
|
|
continue; |
683 |
|
|
} |
684 |
|
|
id_found = 0; |
685 |
|
|
for (i = 0; i < n; i++) |
686 |
|
|
if (id_cert_len[i] == id_len && |
687 |
|
|
id[0] == id_cert[i][0] && |
688 |
|
|
memcmp(id + 4, id_cert[i] + 4, id_len - 4) |
689 |
|
|
== 0) { |
690 |
|
|
id_found++; |
691 |
|
|
break; |
692 |
|
|
} |
693 |
|
|
if (!id_found) { |
694 |
|
|
handler->cert_free(cert); |
695 |
|
|
log_print("rsa_sig_decode_hash: no CERT " |
696 |
|
|
"subject match the ID"); |
697 |
|
|
free(id_cert); |
698 |
|
|
continue; |
699 |
|
|
} |
700 |
|
|
cert_free_subjects(n, id_cert, id_cert_len); |
701 |
|
|
} |
702 |
|
|
if (!handler->cert_get_key(cert, &key)) { |
703 |
|
|
handler->cert_free(cert); |
704 |
|
|
log_print("rsa_sig_decode_hash: decoding payload CERT " |
705 |
|
|
"failed"); |
706 |
|
|
continue; |
707 |
|
|
} |
708 |
|
|
/* We validated the cert, cache it for later use. */ |
709 |
|
|
handler->cert_insert(exchange->policy_id, cert); |
710 |
|
|
|
711 |
|
|
exchange->recv_cert = cert; |
712 |
|
|
exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p); |
713 |
|
|
|
714 |
|
|
if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) { |
715 |
|
|
struct keynote_deckey dc; |
716 |
|
|
char *pp; |
717 |
|
|
|
718 |
|
|
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; |
719 |
|
|
dc.dec_key = key; |
720 |
|
|
|
721 |
|
|
pp = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, |
722 |
|
|
ENCODING_HEX, KEYNOTE_PUBLIC_KEY); |
723 |
|
|
if (pp == NULL) { |
724 |
|
|
kn_free_key(&dc); |
725 |
|
|
log_print("rsa_sig_decode_hash: failed to " |
726 |
|
|
"ASCII-encode key"); |
727 |
|
|
return -1; |
728 |
|
|
} |
729 |
|
|
if (asprintf(&exchange->keynote_key, "rsa-hex:%s", |
730 |
|
|
pp) == -1) { |
731 |
|
|
free(pp); |
732 |
|
|
kn_free_key(&dc); |
733 |
|
|
log_print("rsa_sig_decode_hash: failed to asprintf()"); |
734 |
|
|
return -1; |
735 |
|
|
} |
736 |
|
|
free(pp); |
737 |
|
|
} |
738 |
|
|
found++; |
739 |
|
|
} |
740 |
|
|
|
741 |
|
|
#if defined (USE_DNSSEC) |
742 |
|
|
/* |
743 |
|
|
* If no certificate provided a key, try to find a validated DNSSEC |
744 |
|
|
* KEY. |
745 |
|
|
*/ |
746 |
|
|
if (!found) { |
747 |
|
|
rawkey = dns_get_key(IKE_AUTH_RSA_SIG, msg, &rawkeylen); |
748 |
|
|
|
749 |
|
|
/* We need to convert 'void *rawkey' into 'RSA *key'. */ |
750 |
|
|
if (dns_RSA_dns_to_x509(rawkey, rawkeylen, &key) == 0) |
751 |
|
|
found++; |
752 |
|
|
else |
753 |
|
|
log_print("rsa_sig_decode_hash: KEY to RSA key " |
754 |
|
|
"conversion failed"); |
755 |
|
|
|
756 |
|
|
free(rawkey); |
757 |
|
|
} |
758 |
|
|
#endif /* USE_DNSSEC */ |
759 |
|
|
|
760 |
|
|
/* If we still have not found a key, try to read it from a file. */ |
761 |
|
|
if (!found) |
762 |
|
|
if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key) |
763 |
|
|
!= -1) |
764 |
|
|
found++; |
765 |
|
|
|
766 |
|
|
if (!found) { |
767 |
|
|
log_print("rsa_sig_decode_hash: no public key found"); |
768 |
|
|
return -1; |
769 |
|
|
} |
770 |
|
|
p = payload_first(msg, ISAKMP_PAYLOAD_SIG); |
771 |
|
|
if (!p) { |
772 |
|
|
log_print("rsa_sig_decode_hash: missing signature payload"); |
773 |
|
|
RSA_free(key); |
774 |
|
|
return -1; |
775 |
|
|
} |
776 |
|
|
/* Check that the sig is of the correct size. */ |
777 |
|
|
len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SIG_SZ; |
778 |
|
|
if (len != RSA_size(key)) { |
779 |
|
|
RSA_free(key); |
780 |
|
|
log_print("rsa_sig_decode_hash: " |
781 |
|
|
"SIG payload length does not match public key"); |
782 |
|
|
return -1; |
783 |
|
|
} |
784 |
|
|
*hash_p = malloc(len); |
785 |
|
|
if (!*hash_p) { |
786 |
|
|
RSA_free(key); |
787 |
|
|
log_error("rsa_sig_decode_hash: malloc (%d) failed", len); |
788 |
|
|
return -1; |
789 |
|
|
} |
790 |
|
|
len = RSA_public_decrypt(len, p->p + ISAKMP_SIG_DATA_OFF, *hash_p, key, |
791 |
|
|
RSA_PKCS1_PADDING); |
792 |
|
|
if (len == -1) { |
793 |
|
|
RSA_free(key); |
794 |
|
|
log_print("rsa_sig_decode_hash: RSA_public_decrypt () failed"); |
795 |
|
|
return -1; |
796 |
|
|
} |
797 |
|
|
/* Store key for later use */ |
798 |
|
|
exchange->recv_key = key; |
799 |
|
|
exchange->recv_keytype = ISAKMP_KEY_RSA; |
800 |
|
|
|
801 |
|
|
if (len != (int)hashsize) { |
802 |
|
|
free(*hash_p); |
803 |
|
|
*hash_p = 0; |
804 |
|
|
log_print("rsa_sig_decode_hash: len %lu != hashsize %lu", |
805 |
|
|
(unsigned long)len, (unsigned long)hashsize); |
806 |
|
|
return -1; |
807 |
|
|
} |
808 |
|
|
snprintf(header, sizeof header, "rsa_sig_decode_hash: HASH_%c", |
809 |
|
|
initiator ? 'R' : 'I'); |
810 |
|
|
LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize)); |
811 |
|
|
|
812 |
|
|
p->flags |= PL_MARK; |
813 |
|
|
return 0; |
814 |
|
|
} |
815 |
|
|
|
816 |
|
|
static int |
817 |
|
|
pre_shared_encode_hash(struct message *msg) |
818 |
|
|
{ |
819 |
|
|
struct exchange *exchange = msg->exchange; |
820 |
|
|
struct ipsec_exch *ie = exchange->data; |
821 |
|
|
size_t hashsize = ie->hash->hashsize; |
822 |
|
|
char header[80]; |
823 |
|
|
int initiator = exchange->initiator; |
824 |
|
|
u_int8_t *buf; |
825 |
|
|
|
826 |
|
|
buf = ipsec_add_hash_payload(msg, hashsize); |
827 |
|
|
if (!buf) |
828 |
|
|
return -1; |
829 |
|
|
|
830 |
|
|
if (ike_auth_hash(exchange, buf + ISAKMP_HASH_DATA_OFF) == -1) |
831 |
|
|
return -1; |
832 |
|
|
|
833 |
|
|
snprintf(header, sizeof header, "pre_shared_encode_hash: HASH_%c", |
834 |
|
|
initiator ? 'I' : 'R'); |
835 |
|
|
LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, |
836 |
|
|
hashsize)); |
837 |
|
|
return 0; |
838 |
|
|
} |
839 |
|
|
|
840 |
|
|
/* Encrypt the HASH into a SIG type. */ |
841 |
|
|
static int |
842 |
|
|
rsa_sig_encode_hash(struct message *msg) |
843 |
|
|
{ |
844 |
|
|
struct exchange *exchange = msg->exchange; |
845 |
|
|
struct ipsec_exch *ie = exchange->data; |
846 |
|
|
size_t hashsize = ie->hash->hashsize, id_len; |
847 |
|
|
struct cert_handler *handler; |
848 |
|
|
char header[80]; |
849 |
|
|
int initiator = exchange->initiator, idtype; |
850 |
|
|
u_int8_t *buf, *data, *buf2, *id; |
851 |
|
|
u_int32_t datalen; |
852 |
|
|
int32_t sigsize; |
853 |
|
|
void *sent_key; |
854 |
|
|
|
855 |
|
|
id = initiator ? exchange->id_i : exchange->id_r; |
856 |
|
|
id_len = initiator ? exchange->id_i_len : exchange->id_r_len; |
857 |
|
|
|
858 |
|
|
/* We may have been provided these by the kernel */ |
859 |
|
|
buf = (u_int8_t *)conf_get_str(exchange->name, "Credentials"); |
860 |
|
|
if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", |
861 |
|
|
-1)) != -1) { |
862 |
|
|
exchange->sent_certtype = idtype; |
863 |
|
|
handler = cert_get(idtype); |
864 |
|
|
if (!handler) { |
865 |
|
|
log_print("rsa_sig_encode_hash: cert_get (%d) failed", |
866 |
|
|
idtype); |
867 |
|
|
return -1; |
868 |
|
|
} |
869 |
|
|
exchange->sent_cert = |
870 |
|
|
handler->cert_from_printable((char *)buf); |
871 |
|
|
if (!exchange->sent_cert) { |
872 |
|
|
log_print("rsa_sig_encode_hash: failed to retrieve " |
873 |
|
|
"certificate"); |
874 |
|
|
return -1; |
875 |
|
|
} |
876 |
|
|
handler->cert_serialize(exchange->sent_cert, &data, &datalen); |
877 |
|
|
if (!data) { |
878 |
|
|
log_print("rsa_sig_encode_hash: cert serialization " |
879 |
|
|
"failed"); |
880 |
|
|
return -1; |
881 |
|
|
} |
882 |
|
|
goto aftercert; /* Skip all the certificate discovery */ |
883 |
|
|
} |
884 |
|
|
/* XXX This needs to be configurable. */ |
885 |
|
|
idtype = ISAKMP_CERTENC_KEYNOTE; |
886 |
|
|
|
887 |
|
|
/* Find a certificate with subjectAltName = id. */ |
888 |
|
|
handler = cert_get(idtype); |
889 |
|
|
if (!handler) { |
890 |
|
|
idtype = ISAKMP_CERTENC_X509_SIG; |
891 |
|
|
handler = cert_get(idtype); |
892 |
|
|
if (!handler) { |
893 |
|
|
log_print("rsa_sig_encode_hash: cert_get(%d) failed", |
894 |
|
|
idtype); |
895 |
|
|
return -1; |
896 |
|
|
} |
897 |
|
|
} |
898 |
|
|
if (handler->cert_obtain(id, id_len, 0, &data, &datalen) == 0) { |
899 |
|
|
if (idtype == ISAKMP_CERTENC_KEYNOTE) { |
900 |
|
|
idtype = ISAKMP_CERTENC_X509_SIG; |
901 |
|
|
handler = cert_get(idtype); |
902 |
|
|
if (!handler) { |
903 |
|
|
log_print("rsa_sig_encode_hash: cert_get(%d) " |
904 |
|
|
"failed", idtype); |
905 |
|
|
return -1; |
906 |
|
|
} |
907 |
|
|
if (handler->cert_obtain(id, id_len, 0, &data, |
908 |
|
|
&datalen) == 0) { |
909 |
|
|
LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: " |
910 |
|
|
"no certificate to send for id %s", |
911 |
|
|
ipsec_id_string(id, id_len))); |
912 |
|
|
goto skipcert; |
913 |
|
|
} |
914 |
|
|
} else { |
915 |
|
|
LOG_DBG((LOG_MISC, 10, |
916 |
|
|
"rsa_sig_encode_hash: no certificate to send" |
917 |
|
|
" for id %s", ipsec_id_string(id, id_len))); |
918 |
|
|
goto skipcert; |
919 |
|
|
} |
920 |
|
|
} |
921 |
|
|
/* Let's store the certificate we are going to use */ |
922 |
|
|
exchange->sent_certtype = idtype; |
923 |
|
|
exchange->sent_cert = handler->cert_get(data, datalen); |
924 |
|
|
if (!exchange->sent_cert) { |
925 |
|
|
free(data); |
926 |
|
|
log_print("rsa_sig_encode_hash: failed to get certificate " |
927 |
|
|
"from wire encoding"); |
928 |
|
|
return -1; |
929 |
|
|
} |
930 |
|
|
aftercert: |
931 |
|
|
|
932 |
|
|
buf = realloc(data, ISAKMP_CERT_SZ + datalen); |
933 |
|
|
if (!buf) { |
934 |
|
|
log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data, |
935 |
|
|
ISAKMP_CERT_SZ + datalen); |
936 |
|
|
free(data); |
937 |
|
|
return -1; |
938 |
|
|
} |
939 |
|
|
memmove(buf + ISAKMP_CERT_SZ, buf, datalen); |
940 |
|
|
SET_ISAKMP_CERT_ENCODING(buf, idtype); |
941 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_CERT, buf, |
942 |
|
|
ISAKMP_CERT_SZ + datalen, 1)) { |
943 |
|
|
free(buf); |
944 |
|
|
return -1; |
945 |
|
|
} |
946 |
|
|
skipcert: |
947 |
|
|
|
948 |
|
|
/* Again, we may have these from the kernel */ |
949 |
|
|
buf = (u_int8_t *)conf_get_str(exchange->name, "PKAuthentication"); |
950 |
|
|
if (buf) { |
951 |
|
|
key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, |
952 |
|
|
(char *)buf, &data, &datalen); |
953 |
|
|
if (!data) { |
954 |
|
|
log_print("rsa_sig_encode_hash: badly formatted RSA " |
955 |
|
|
"private key"); |
956 |
|
|
return 0; |
957 |
|
|
} |
958 |
|
|
sent_key = key_internalize(ISAKMP_KEY_RSA, |
959 |
|
|
ISAKMP_KEYTYPE_PRIVATE, data, datalen); |
960 |
|
|
if (!sent_key) { |
961 |
|
|
log_print("rsa_sig_encode_hash: bad RSA private key " |
962 |
|
|
"from dynamic SA acquisition subsystem"); |
963 |
|
|
return 0; |
964 |
|
|
} |
965 |
|
|
} else { |
966 |
|
|
/* Try through the regular means. */ |
967 |
|
|
switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) { |
968 |
|
|
case IPSEC_ID_IPV4_ADDR: |
969 |
|
|
case IPSEC_ID_IPV6_ADDR: |
970 |
|
|
util_ntoa((char **)&buf2, |
971 |
|
|
id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] == |
972 |
|
|
IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, |
973 |
|
|
id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); |
974 |
|
|
if (!buf2) |
975 |
|
|
return 0; |
976 |
|
|
break; |
977 |
|
|
|
978 |
|
|
case IPSEC_ID_FQDN: |
979 |
|
|
case IPSEC_ID_USER_FQDN: |
980 |
|
|
buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF + |
981 |
|
|
ISAKMP_GEN_SZ + 1, sizeof(char)); |
982 |
|
|
if (!buf2) { |
983 |
|
|
log_print("rsa_sig_encode_hash: malloc (%lu) " |
984 |
|
|
"failed", (unsigned long)id_len - |
985 |
|
|
ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); |
986 |
|
|
return 0; |
987 |
|
|
} |
988 |
|
|
memcpy(buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, |
989 |
|
|
id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); |
990 |
|
|
break; |
991 |
|
|
|
992 |
|
|
/* XXX Support more ID types? */ |
993 |
|
|
default: |
994 |
|
|
buf2 = 0; |
995 |
|
|
return 0; |
996 |
|
|
} |
997 |
|
|
|
998 |
|
|
sent_key = ike_auth_get_key(IKE_AUTH_RSA_SIG, exchange->name, |
999 |
|
|
(char *)buf2, 0); |
1000 |
|
|
free(buf2); |
1001 |
|
|
|
1002 |
|
|
/* Did we find a key? */ |
1003 |
|
|
if (!sent_key) { |
1004 |
|
|
log_print("rsa_sig_encode_hash: " |
1005 |
|
|
"could not get private key"); |
1006 |
|
|
return -1; |
1007 |
|
|
} |
1008 |
|
|
} |
1009 |
|
|
|
1010 |
|
|
/* Enable RSA blinding. */ |
1011 |
|
|
if (RSA_blinding_on(sent_key, NULL) != 1) { |
1012 |
|
|
log_error("rsa_sig_encode_hash: RSA_blinding_on () failed."); |
1013 |
|
|
RSA_free(sent_key); |
1014 |
|
|
return -1; |
1015 |
|
|
} |
1016 |
|
|
/* XXX hashsize is not necessarily prf->blocksize. */ |
1017 |
|
|
buf = malloc(hashsize); |
1018 |
|
|
if (!buf) { |
1019 |
|
|
log_error("rsa_sig_encode_hash: malloc (%lu) failed", |
1020 |
|
|
(unsigned long)hashsize); |
1021 |
|
|
RSA_free(sent_key); |
1022 |
|
|
return -1; |
1023 |
|
|
} |
1024 |
|
|
if (ike_auth_hash(exchange, buf) == -1) { |
1025 |
|
|
free(buf); |
1026 |
|
|
RSA_free(sent_key); |
1027 |
|
|
return -1; |
1028 |
|
|
} |
1029 |
|
|
snprintf(header, sizeof header, "rsa_sig_encode_hash: HASH_%c", |
1030 |
|
|
initiator ? 'I' : 'R'); |
1031 |
|
|
LOG_DBG_BUF((LOG_MISC, 80, header, buf, hashsize)); |
1032 |
|
|
|
1033 |
|
|
data = malloc(RSA_size(sent_key)); |
1034 |
|
|
if (!data) { |
1035 |
|
|
log_error("rsa_sig_encode_hash: malloc (%d) failed", |
1036 |
|
|
RSA_size(sent_key)); |
1037 |
|
|
free(buf); |
1038 |
|
|
RSA_free(sent_key); |
1039 |
|
|
return -1; |
1040 |
|
|
} |
1041 |
|
|
sigsize = RSA_private_encrypt(hashsize, buf, data, sent_key, |
1042 |
|
|
RSA_PKCS1_PADDING); |
1043 |
|
|
if (sigsize == -1) { |
1044 |
|
|
log_print("rsa_sig_encode_hash: " |
1045 |
|
|
"RSA_private_encrypt () failed"); |
1046 |
|
|
free(data); |
1047 |
|
|
free(buf); |
1048 |
|
|
RSA_free(sent_key); |
1049 |
|
|
return -1; |
1050 |
|
|
} |
1051 |
|
|
datalen = (u_int32_t) sigsize; |
1052 |
|
|
|
1053 |
|
|
free(buf); |
1054 |
|
|
RSA_free(sent_key); |
1055 |
|
|
|
1056 |
|
|
buf = realloc(data, ISAKMP_SIG_SZ + datalen); |
1057 |
|
|
if (!buf) { |
1058 |
|
|
log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data, |
1059 |
|
|
ISAKMP_SIG_SZ + datalen); |
1060 |
|
|
free(data); |
1061 |
|
|
return -1; |
1062 |
|
|
} |
1063 |
|
|
memmove(buf + ISAKMP_SIG_SZ, buf, datalen); |
1064 |
|
|
|
1065 |
|
|
snprintf(header, sizeof header, "rsa_sig_encode_hash: SIG_%c", |
1066 |
|
|
initiator ? 'I' : 'R'); |
1067 |
|
|
LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF, |
1068 |
|
|
datalen)); |
1069 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_SIG, buf, |
1070 |
|
|
ISAKMP_SIG_SZ + datalen, 1)) { |
1071 |
|
|
free(buf); |
1072 |
|
|
return -1; |
1073 |
|
|
} |
1074 |
|
|
return 0; |
1075 |
|
|
} |
1076 |
|
|
|
1077 |
|
|
int |
1078 |
|
|
ike_auth_hash(struct exchange *exchange, u_int8_t *buf) |
1079 |
|
|
{ |
1080 |
|
|
struct ipsec_exch *ie = exchange->data; |
1081 |
|
|
struct prf *prf; |
1082 |
|
|
struct hash *hash = ie->hash; |
1083 |
|
|
int initiator = exchange->initiator; |
1084 |
|
|
u_int8_t *id; |
1085 |
|
|
size_t id_len; |
1086 |
|
|
|
1087 |
|
|
/* Choose the right fields to fill-in. */ |
1088 |
|
|
id = initiator ? exchange->id_i : exchange->id_r; |
1089 |
|
|
id_len = initiator ? exchange->id_i_len : exchange->id_r_len; |
1090 |
|
|
|
1091 |
|
|
/* Allocate the prf and start calculating our HASH. */ |
1092 |
|
|
prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len); |
1093 |
|
|
if (!prf) |
1094 |
|
|
return -1; |
1095 |
|
|
|
1096 |
|
|
prf->Init(prf->prfctx); |
1097 |
|
|
prf->Update(prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len); |
1098 |
|
|
prf->Update(prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len); |
1099 |
|
|
prf->Update(prf->prfctx, exchange->cookies + |
1100 |
|
|
(initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF), |
1101 |
|
|
ISAKMP_HDR_ICOOKIE_LEN); |
1102 |
|
|
prf->Update(prf->prfctx, exchange->cookies + |
1103 |
|
|
(initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF), |
1104 |
|
|
ISAKMP_HDR_ICOOKIE_LEN); |
1105 |
|
|
prf->Update(prf->prfctx, ie->sa_i_b, ie->sa_i_b_len); |
1106 |
|
|
prf->Update(prf->prfctx, id, id_len); |
1107 |
|
|
prf->Final(buf, prf->prfctx); |
1108 |
|
|
prf_free(prf); |
1109 |
|
|
return 0; |
1110 |
|
|
} |
1111 |
|
|
|
1112 |
|
|
static int |
1113 |
|
|
get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa) |
1114 |
|
|
{ |
1115 |
|
|
char filename[FILENAME_MAX]; |
1116 |
|
|
char *fstr; |
1117 |
|
|
FILE *keyfp; |
1118 |
|
|
|
1119 |
|
|
if (type != IKE_AUTH_RSA_SIG) { /* XXX More types? */ |
1120 |
|
|
LOG_DBG((LOG_NEGOTIATION, 20, "get_raw_key_from_file: " |
1121 |
|
|
"invalid auth type %d\n", type)); |
1122 |
|
|
return -1; |
1123 |
|
|
} |
1124 |
|
|
*rsa = 0; |
1125 |
|
|
|
1126 |
|
|
fstr = conf_get_str("General", "Pubkey-directory"); |
1127 |
|
|
if (!fstr) |
1128 |
|
|
fstr = CONF_DFLT_PUBKEY_DIR; |
1129 |
|
|
|
1130 |
|
|
if (snprintf(filename, sizeof filename, "%s/", fstr) > |
1131 |
|
|
(int)sizeof filename - 1) |
1132 |
|
|
return -1; |
1133 |
|
|
|
1134 |
|
|
fstr = ipsec_id_string(id, id_len); |
1135 |
|
|
if (!fstr) { |
1136 |
|
|
LOG_DBG((LOG_NEGOTIATION, 50, "get_raw_key_from_file: " |
1137 |
|
|
"ipsec_id_string failed")); |
1138 |
|
|
return -1; |
1139 |
|
|
} |
1140 |
|
|
strlcat(filename, fstr, sizeof filename - strlen(filename)); |
1141 |
|
|
free(fstr); |
1142 |
|
|
|
1143 |
|
|
/* If the file does not exist, fail silently. */ |
1144 |
|
|
keyfp = monitor_fopen(filename, "r"); |
1145 |
|
|
if (keyfp) { |
1146 |
|
|
*rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL); |
1147 |
|
|
if (!*rsa) { |
1148 |
|
|
rewind(keyfp); |
1149 |
|
|
*rsa = PEM_read_RSAPublicKey(keyfp, NULL, NULL, NULL); |
1150 |
|
|
} |
1151 |
|
|
if (!*rsa) |
1152 |
|
|
log_print("get_raw_key_from_file: failed to get " |
1153 |
|
|
"public key %s", filename); |
1154 |
|
|
fclose(keyfp); |
1155 |
|
|
} else if (errno != ENOENT) { |
1156 |
|
|
log_error("get_raw_key_from_file: monitor_fopen " |
1157 |
|
|
"(\"%s\", \"r\") failed", filename); |
1158 |
|
|
return -1; |
1159 |
|
|
} else |
1160 |
|
|
LOG_DBG((LOG_NEGOTIATION, 50, |
1161 |
|
|
"get_raw_key_from_file: file %s not found", filename)); |
1162 |
|
|
|
1163 |
|
|
return (*rsa ? 0 : -1); |
1164 |
|
|
} |