1 /* $OpenBSD: ike_auth.c,v 1.118 2020/07/07 17:33:40 tobhe Exp $ */
2 /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
3
4 /*
5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
6 * Copyright (c) 1999 Niels Provos. All rights reserved.
7 * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
8 * Copyright (c) 2000, 2001, 2003 H�kan Olsson. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /*
32 * This code was written under funding by Ericsson Radio Systems.
33 */
34
35 #include <sys/types.h>
36 #include <sys/stat.h>
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39
40 #include <errno.h>
41 #include <fcntl.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <unistd.h>
45 #include <regex.h>
46 #include <keynote.h>
47 #include <policy.h>
48
49 #include "cert.h"
50 #include "conf.h"
51 #include "constants.h"
52 #if defined (USE_DNSSEC)
53 #include "dnssec.h"
54 #endif
55 #include "exchange.h"
56 #include "hash.h"
57 #include "ike_auth.h"
58 #include "ipsec.h"
59 #include "ipsec_doi.h"
60 #include "libcrypto.h"
61 #include "log.h"
62 #include "message.h"
63 #include "monitor.h"
64 #include "prf.h"
65 #include "transport.h"
66 #include "util.h"
67 #include "key.h"
68 #include "x509.h"
69
70 #ifdef notyet
71 static u_int8_t *enc_gen_skeyid(struct exchange *, size_t *);
72 #endif
73 static u_int8_t *pre_shared_gen_skeyid(struct exchange *, size_t *);
74
75 static int pre_shared_decode_hash(struct message *);
76 static int pre_shared_encode_hash(struct message *);
77
78 static u_int8_t *sig_gen_skeyid(struct exchange *, size_t *);
79 static int rsa_sig_decode_hash(struct message *);
80 static int rsa_sig_encode_hash(struct message *);
81
82 static int get_raw_key_from_file(int, u_int8_t *, size_t, RSA **);
83
84 static int ike_auth_hash(struct exchange *, u_int8_t *);
85
86 static struct ike_auth ike_auth[] = {
87 {
88 IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid,
89 pre_shared_decode_hash,
90 pre_shared_encode_hash
91 },
92 #ifdef notdef
93 {
94 IKE_AUTH_DSS, sig_gen_skeyid,
95 pre_shared_decode_hash,
96 pre_shared_encode_hash
97 },
98 #endif
99 {
100 IKE_AUTH_RSA_SIG, sig_gen_skeyid,
101 rsa_sig_decode_hash,
102 rsa_sig_encode_hash
103 },
104 #ifdef notdef
105 {
106 IKE_AUTH_RSA_ENC, enc_gen_skeyid,
107 pre_shared_decode_hash,
108 pre_shared_encode_hash
109 },
110 {
111 IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid,
112 pre_shared_decode_hash,
113 pre_shared_encode_hash
114 },
115 #endif
116 };
117
118 struct ike_auth *
ike_auth_get(u_int16_t id)119 ike_auth_get(u_int16_t id)
120 {
121 size_t i;
122
123 for (i = 0; i < sizeof ike_auth / sizeof ike_auth[0]; i++)
124 if (id == ike_auth[i].id)
125 return &ike_auth[i];
126 return 0;
127 }
128
129 /*
130 * Find and decode the configured key (pre-shared or public) for the
131 * peer denoted by ID. Stash the len in KEYLEN.
132 */
133 static void *
ike_auth_get_key(int type,char * id,char * local_id,size_t * keylen)134 ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
135 {
136 char *key, *buf;
137 char *keyfile, *privkeyfile;
138 FILE *keyfp;
139 RSA *rsakey;
140 size_t fsize, pkflen;
141 int fd;
142
143 switch (type) {
144 case IKE_AUTH_PRE_SHARED:
145 /* Get the pre-shared key for our peer. */
146 key = conf_get_str(id, "Authentication");
147 if (!key && local_id)
148 key = conf_get_str(local_id, "Authentication");
149
150 if (!key) {
151 log_print("ike_auth_get_key: "
152 "no key found for peer \"%s\" or local ID \"%s\"",
153 id, local_id ? local_id : "<none>");
154 return 0;
155 }
156 /* If the key starts with 0x it is in hex format. */
157 if (strncasecmp(key, "0x", 2) == 0) {
158 *keylen = (strlen(key) - 1) / 2;
159 buf = malloc(*keylen);
160 if (!buf) {
161 log_error("ike_auth_get_key: malloc (%lu) "
162 "failed", (unsigned long)*keylen);
163 return 0;
164 }
165 if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) {
166 free(buf);
167 log_print("ike_auth_get_key: invalid hex key "
168 "%s", key);
169 return 0;
170 }
171 key = buf;
172 } else {
173 buf = key;
174 key = strdup(buf);
175 if (!key) {
176 log_error("ike_auth_get_key: strdup() failed");
177 return 0;
178 }
179 *keylen = strlen(key);
180 }
181 break;
182
183 case IKE_AUTH_RSA_SIG:
184 if (local_id && (keyfile = conf_get_str("KeyNote",
185 "Credential-directory")) != 0) {
186 struct stat sb;
187 struct keynote_deckey dc;
188 char *privkeyfile, *buf2;
189 size_t size;
190
191 if (asprintf(&privkeyfile, "%s/%s/%s", keyfile,
192 local_id, PRIVATE_KEY_FILE) == -1) {
193 log_print("ike_auth_get_key: failed to asprintf()");
194 return 0;
195 }
196 keyfile = privkeyfile;
197
198 fd = monitor_open(keyfile, O_RDONLY, 0);
199 if (fd < 0) {
200 free(keyfile);
201 goto ignorekeynote;
202 }
203
204 if (fstat(fd, &sb) == -1) {
205 log_print("ike_auth_get_key: fstat failed");
206 free(keyfile);
207 close(fd);
208 return 0;
209 }
210 size = (size_t)sb.st_size;
211
212 buf = calloc(size + 1, sizeof(char));
213 if (!buf) {
214 log_print("ike_auth_get_key: failed allocating"
215 " %lu bytes", (unsigned long)size + 1);
216 free(keyfile);
217 close(fd);
218 return 0;
219 }
220 if (read(fd, buf, size) != (ssize_t)size) {
221 free(buf);
222 log_print("ike_auth_get_key: "
223 "failed reading %lu bytes from \"%s\"",
224 (unsigned long)size, keyfile);
225 free(keyfile);
226 close(fd);
227 return 0;
228 }
229 close(fd);
230
231 /* Parse private key string */
232 buf2 = kn_get_string(buf);
233 free(buf);
234
235 if (!buf2 || kn_decode_key(&dc, buf2,
236 KEYNOTE_PRIVATE_KEY) == -1) {
237 free(buf2);
238 log_print("ike_auth_get_key: failed decoding "
239 "key in \"%s\"", keyfile);
240 free(keyfile);
241 return 0;
242 }
243 free(buf2);
244
245 if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) {
246 log_print("ike_auth_get_key: wrong algorithm "
247 "type %d in \"%s\"", dc.dec_algorithm,
248 keyfile);
249 free(keyfile);
250 kn_free_key(&dc);
251 return 0;
252 }
253 free(keyfile);
254 return dc.dec_key;
255 }
256 ignorekeynote:
257 /* Otherwise, try X.509 */
258
259 privkeyfile = keyfile = NULL;
260 fd = -1;
261
262 if (local_id) {
263 /* Look in Private-key-directory. */
264 keyfile = conf_get_str("X509-certificates",
265 "Private-key-directory");
266 pkflen = strlen(keyfile) + strlen(local_id) + sizeof "/";
267 privkeyfile = calloc(pkflen, sizeof(char));
268 if (!privkeyfile) {
269 log_print("ike_auth_get_key: failed to "
270 "allocate %lu bytes", (unsigned long)pkflen);
271 return 0;
272 }
273
274 snprintf(privkeyfile, pkflen, "%s/%s", keyfile,
275 local_id);
276 keyfile = privkeyfile;
277
278 fd = monitor_open(keyfile, O_RDONLY, 0);
279 if (fd == -1 && errno != ENOENT) {
280 log_print("ike_auth_get_key: failed opening "
281 "\"%s\"", keyfile);
282 free(privkeyfile);
283 privkeyfile = NULL;
284 keyfile = NULL;
285 }
286 }
287
288 if (fd == -1) {
289 /* No key found, try default key. */
290 keyfile = conf_get_str("X509-certificates",
291 "Private-key");
292
293 fd = monitor_open(keyfile, O_RDONLY, 0);
294 if (fd == -1) {
295 log_print("ike_auth_get_key: failed opening "
296 "\"%s\"", keyfile);
297 return 0;
298 }
299 }
300
301 if (check_file_secrecy_fd(fd, keyfile, &fsize)) {
302 free(privkeyfile);
303 close(fd);
304 return 0;
305 }
306
307 if ((keyfp = fdopen(fd, "r")) == NULL) {
308 log_print("ike_auth_get_key: fdopen failed");
309 free(privkeyfile);
310 close(fd);
311 return 0;
312 }
313 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
314 rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL, NULL);
315 #else
316 rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL);
317 #endif
318 fclose(keyfp);
319
320 free(privkeyfile);
321
322 if (!rsakey) {
323 log_print("ike_auth_get_key: "
324 "PEM_read_bio_RSAPrivateKey failed");
325 return 0;
326 }
327 return rsakey;
328
329 default:
330 log_print("ike_auth_get_key: unknown key type %d", type);
331 return 0;
332 }
333
334 return key;
335 }
336
337 static u_int8_t *
pre_shared_gen_skeyid(struct exchange * exchange,size_t * sz)338 pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
339 {
340 struct prf *prf;
341 struct ipsec_exch *ie = exchange->data;
342 u_int8_t *skeyid, *buf = 0;
343 unsigned char *key;
344 size_t keylen;
345
346 /*
347 * If we're the responder and have the initiator's ID (which is the
348 * case in Aggressive mode), try to find the preshared key in the
349 * section of the initiator's Phase 1 ID. This allows us to do
350 * mobile user support with preshared keys.
351 */
352 if (!exchange->initiator && exchange->id_i) {
353 switch (exchange->id_i[0]) {
354 case IPSEC_ID_IPV4_ADDR:
355 case IPSEC_ID_IPV6_ADDR:
356 util_ntoa((char **) &buf,
357 exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET :
358 AF_INET6, exchange->id_i + ISAKMP_ID_DATA_OFF -
359 ISAKMP_GEN_SZ);
360 if (!buf)
361 return 0;
362 break;
363
364 case IPSEC_ID_FQDN:
365 case IPSEC_ID_USER_FQDN:
366 buf = calloc(exchange->id_i_len - ISAKMP_ID_DATA_OFF +
367 ISAKMP_GEN_SZ + 1, sizeof(char));
368 if (!buf) {
369 log_print("pre_shared_gen_skeyid: malloc (%lu"
370 ") failed",
371 (unsigned long)exchange->id_i_len -
372 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1);
373 return 0;
374 }
375 memcpy(buf,
376 exchange->id_i + ISAKMP_ID_DATA_OFF -
377 ISAKMP_GEN_SZ,
378 exchange->id_i_len - ISAKMP_ID_DATA_OFF +
379 ISAKMP_GEN_SZ);
380 break;
381
382 /* XXX Support more ID types ? */
383 default:
384 break;
385 }
386 }
387 /*
388 * Get the pre-shared key for our peer. This will work even if the key
389 * has been passed to us through a mechanism like PFKEYv2.
390 */
391 key = ike_auth_get_key(IKE_AUTH_PRE_SHARED, exchange->name,
392 (char *)buf, &keylen);
393 free(buf);
394
395 /* Fail if no key could be found. */
396 if (!key)
397 return 0;
398
399 /* Store the secret key for later policy processing. */
400 exchange->recv_key = calloc(keylen + 1, sizeof(char));
401 exchange->recv_keytype = ISAKMP_KEY_PASSPHRASE;
402 if (!exchange->recv_key) {
403 log_error("pre_shared_gen_skeyid: malloc (%lu) failed",
404 (unsigned long)keylen);
405 free(key);
406 return 0;
407 }
408 memcpy(exchange->recv_key, key, keylen);
409 exchange->recv_certtype = ISAKMP_CERTENC_NONE;
410 free(key);
411
412 prf = prf_alloc(ie->prf_type, ie->hash->type, exchange->recv_key,
413 keylen);
414 if (!prf)
415 return 0;
416
417 *sz = prf->blocksize;
418 skeyid = malloc(*sz);
419 if (!skeyid) {
420 log_error("pre_shared_gen_skeyid: malloc (%lu) failed",
421 (unsigned long)*sz);
422 prf_free(prf);
423 return 0;
424 }
425 prf->Init(prf->prfctx);
426 prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
427 prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
428 prf->Final(skeyid, prf->prfctx);
429 prf_free(prf);
430 return skeyid;
431 }
432
433 /* Both DSS & RSA signature authentication use this algorithm. */
434 static u_int8_t *
sig_gen_skeyid(struct exchange * exchange,size_t * sz)435 sig_gen_skeyid(struct exchange *exchange, size_t *sz)
436 {
437 struct prf *prf;
438 struct ipsec_exch *ie = exchange->data;
439 u_int8_t *skeyid;
440 unsigned char *key;
441
442 key = malloc(exchange->nonce_i_len + exchange->nonce_r_len);
443 if (!key)
444 return 0;
445 memcpy(key, exchange->nonce_i, exchange->nonce_i_len);
446 memcpy(key + exchange->nonce_i_len, exchange->nonce_r,
447 exchange->nonce_r_len);
448
449 LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: PRF type %d, hash %d",
450 ie->prf_type, ie->hash->type));
451 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
452 "sig_gen_skeyid: SKEYID initialized with",
453 (u_int8_t *)key, exchange->nonce_i_len + exchange->nonce_r_len));
454
455 prf = prf_alloc(ie->prf_type, ie->hash->type, key,
456 exchange->nonce_i_len + exchange->nonce_r_len);
457 free(key);
458 if (!prf)
459 return 0;
460
461 *sz = prf->blocksize;
462 skeyid = malloc(*sz);
463 if (!skeyid) {
464 log_error("sig_gen_skeyid: malloc (%lu) failed",
465 (unsigned long)*sz);
466 prf_free(prf);
467 return 0;
468 }
469 LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: g^xy length %lu",
470 (unsigned long)ie->g_xy_len));
471 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
472 "sig_gen_skeyid: SKEYID fed with g^xy", ie->g_xy, ie->g_xy_len));
473
474 prf->Init(prf->prfctx);
475 prf->Update(prf->prfctx, ie->g_xy, ie->g_xy_len);
476 prf->Final(skeyid, prf->prfctx);
477 prf_free(prf);
478 return skeyid;
479 }
480
481 #ifdef notdef
482 /*
483 * Both standard and revised RSA encryption authentication use this SKEYID
484 * computation.
485 */
486 static u_int8_t *
enc_gen_skeyid(struct exchange * exchange,size_t * sz)487 enc_gen_skeyid(struct exchange *exchange, size_t *sz)
488 {
489 struct prf *prf;
490 struct ipsec_exch *ie = exchange->data;
491 struct hash *hash = ie->hash;
492 u_int8_t *skeyid;
493
494 hash->Init(hash->ctx);
495 hash->Update(hash->ctx, exchange->nonce_i, exchange->nonce_i_len);
496 hash->Update(hash->ctx, exchange->nonce_r, exchange->nonce_r_len);
497 hash->Final(hash->digest, hash->ctx);
498 prf = prf_alloc(ie->prf_type, hash->type, hash->digest, *sz);
499 if (!prf)
500 return 0;
501
502 *sz = prf->blocksize;
503 skeyid = malloc(*sz);
504 if (!skeyid) {
505 log_error("enc_gen_skeyid: malloc (%d) failed", *sz);
506 prf_free(prf);
507 return 0;
508 }
509 prf->Init(prf->prfctx);
510 prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
511 prf->Final(skeyid, prf->prfctx);
512 prf_free(prf);
513 return skeyid;
514 }
515 #endif /* notdef */
516
517 static int
pre_shared_decode_hash(struct message * msg)518 pre_shared_decode_hash(struct message *msg)
519 {
520 struct exchange *exchange = msg->exchange;
521 struct ipsec_exch *ie = exchange->data;
522 struct payload *payload;
523 size_t hashsize = ie->hash->hashsize;
524 char header[80];
525 int initiator = exchange->initiator;
526 u_int8_t **hash_p;
527
528 /* Choose the right fields to fill-in. */
529 hash_p = initiator ? &ie->hash_r : &ie->hash_i;
530
531 payload = payload_first(msg, ISAKMP_PAYLOAD_HASH);
532 if (!payload) {
533 log_print("pre_shared_decode_hash: no HASH payload found");
534 return -1;
535 }
536 /* Check that the hash is of the correct size. */
537 if (GET_ISAKMP_GEN_LENGTH(payload->p) - ISAKMP_GEN_SZ != hashsize)
538 return -1;
539
540 /* XXX Need this hash be in the SA? */
541 *hash_p = malloc(hashsize);
542 if (!*hash_p) {
543 log_error("pre_shared_decode_hash: malloc (%lu) failed",
544 (unsigned long)hashsize);
545 return -1;
546 }
547 memcpy(*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize);
548 snprintf(header, sizeof header, "pre_shared_decode_hash: HASH_%c",
549 initiator ? 'R' : 'I');
550 LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize));
551
552 payload->flags |= PL_MARK;
553 return 0;
554 }
555
556 /* Decrypt the HASH in SIG, we already need a parsed ID payload. */
557 static int
rsa_sig_decode_hash(struct message * msg)558 rsa_sig_decode_hash(struct message *msg)
559 {
560 struct cert_handler *handler;
561 struct exchange *exchange = msg->exchange;
562 struct ipsec_exch *ie = exchange->data;
563 struct payload *p;
564 void *cert = 0;
565 u_int8_t *rawcert = 0, **hash_p, **id_cert, *id;
566 u_int32_t rawcertlen, *id_cert_len;
567 RSA *key = 0;
568 size_t hashsize = ie->hash->hashsize, id_len;
569 char header[80];
570 int len, initiator = exchange->initiator;
571 int found = 0, n, i, id_found;
572 #if defined (USE_DNSSEC)
573 u_int8_t *rawkey = 0;
574 u_int32_t rawkeylen;
575 #endif
576
577 /* Choose the right fields to fill-in. */
578 hash_p = initiator ? &ie->hash_r : &ie->hash_i;
579 id = initiator ? exchange->id_r : exchange->id_i;
580 id_len = initiator ? exchange->id_r_len : exchange->id_i_len;
581
582 if (!id || id_len == 0) {
583 log_print("rsa_sig_decode_hash: ID is missing");
584 return -1;
585 }
586 /*
587 * XXX Assume we should use the same kind of certification as the
588 * remote... moreover, just use the first CERT payload to decide what
589 * to use.
590 */
591 p = payload_first(msg, ISAKMP_PAYLOAD_CERT);
592 if (!p)
593 handler = cert_get(ISAKMP_CERTENC_KEYNOTE);
594 else
595 handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p));
596 if (!handler) {
597 log_print("rsa_sig_decode_hash: cert_get (%d) failed",
598 p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1);
599 return -1;
600 }
601 /*
602 * We need the policy session initialized now, so we can add
603 * credentials etc.
604 */
605 exchange->policy_id = kn_init();
606 if (exchange->policy_id == -1) {
607 log_print("rsa_sig_decode_hash: failed to initialize policy "
608 "session");
609 return -1;
610 }
611
612 /* Obtain a certificate from our certificate storage. */
613 if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) {
614 if (handler->id == ISAKMP_CERTENC_X509_SIG) {
615 cert = handler->cert_get(rawcert, rawcertlen);
616 if (!cert)
617 LOG_DBG((LOG_CRYPTO, 50, "rsa_sig_decode_hash:"
618 " certificate malformed"));
619 else {
620 if (!handler->cert_get_key(cert, &key)) {
621 log_print("rsa_sig_decode_hash: "
622 "decoding certificate failed");
623 handler->cert_free(cert);
624 } else {
625 found++;
626 LOG_DBG((LOG_CRYPTO, 40,
627 "rsa_sig_decode_hash: using cert "
628 "of type %d", handler->id));
629 exchange->recv_cert = cert;
630 exchange->recv_certtype = handler->id;
631 x509_generate_kn(exchange->policy_id,
632 cert);
633 }
634 }
635 } else if (handler->id == ISAKMP_CERTENC_KEYNOTE)
636 handler->cert_insert(exchange->policy_id, rawcert);
637 free(rawcert);
638 }
639 /*
640 * Walk over potential CERT payloads in this message.
641 * XXX I believe this is the wrong spot for this. CERTs can appear
642 * anytime.
643 */
644 TAILQ_FOREACH(p, &msg->payload[ISAKMP_PAYLOAD_CERT], link) {
645 p->flags |= PL_MARK;
646
647 /*
648 * When we have found a key, just walk over the rest, marking
649 * them.
650 */
651 if (found)
652 continue;
653
654 handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p));
655 if (!handler) {
656 LOG_DBG((LOG_MISC, 30, "rsa_sig_decode_hash: "
657 "no handler for %s CERT encoding",
658 constant_name(isakmp_certenc_cst,
659 GET_ISAKMP_CERT_ENCODING(p->p))));
660 continue;
661 }
662 cert = handler->cert_get(p->p + ISAKMP_CERT_DATA_OFF,
663 GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERT_DATA_OFF);
664 if (!cert) {
665 log_print("rsa_sig_decode_hash: "
666 "can not get data from CERT");
667 continue;
668 }
669 if (!handler->cert_validate(cert)) {
670 handler->cert_free(cert);
671 log_print("rsa_sig_decode_hash: received CERT can't "
672 "be validated");
673 continue;
674 }
675 if (GET_ISAKMP_CERT_ENCODING(p->p) ==
676 ISAKMP_CERTENC_X509_SIG) {
677 if (!handler->cert_get_subjects(cert, &n, &id_cert,
678 &id_cert_len)) {
679 handler->cert_free(cert);
680 log_print("rsa_sig_decode_hash: can not get "
681 "subject from CERT");
682 continue;
683 }
684 id_found = 0;
685 for (i = 0; i < n; i++)
686 if (id_cert_len[i] == id_len &&
687 id[0] == id_cert[i][0] &&
688 memcmp(id + 4, id_cert[i] + 4, id_len - 4)
689 == 0) {
690 id_found++;
691 break;
692 }
693 if (!id_found) {
694 handler->cert_free(cert);
695 log_print("rsa_sig_decode_hash: no CERT "
696 "subject match the ID");
697 free(id_cert);
698 continue;
699 }
700 cert_free_subjects(n, id_cert, id_cert_len);
701 }
702 if (!handler->cert_get_key(cert, &key)) {
703 handler->cert_free(cert);
704 log_print("rsa_sig_decode_hash: decoding payload CERT "
705 "failed");
706 continue;
707 }
708 /* We validated the cert, cache it for later use. */
709 handler->cert_insert(exchange->policy_id, cert);
710
711 exchange->recv_cert = cert;
712 exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p);
713
714 if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) {
715 struct keynote_deckey dc;
716 char *pp;
717
718 dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
719 dc.dec_key = key;
720
721 pp = kn_encode_key(&dc, INTERNAL_ENC_PKCS1,
722 ENCODING_HEX, KEYNOTE_PUBLIC_KEY);
723 if (pp == NULL) {
724 kn_free_key(&dc);
725 log_print("rsa_sig_decode_hash: failed to "
726 "ASCII-encode key");
727 return -1;
728 }
729 if (asprintf(&exchange->keynote_key, "rsa-hex:%s",
730 pp) == -1) {
731 free(pp);
732 kn_free_key(&dc);
733 log_print("rsa_sig_decode_hash: failed to asprintf()");
734 return -1;
735 }
736 free(pp);
737 }
738 found++;
739 }
740
741 #if defined (USE_DNSSEC)
742 /*
743 * If no certificate provided a key, try to find a validated DNSSEC
744 * KEY.
745 */
746 if (!found) {
747 rawkey = dns_get_key(IKE_AUTH_RSA_SIG, msg, &rawkeylen);
748
749 /* We need to convert 'void *rawkey' into 'RSA *key'. */
750 if (dns_RSA_dns_to_x509(rawkey, rawkeylen, &key) == 0)
751 found++;
752 else
753 log_print("rsa_sig_decode_hash: KEY to RSA key "
754 "conversion failed");
755
756 free(rawkey);
757 }
758 #endif /* USE_DNSSEC */
759
760 /* If we still have not found a key, try to read it from a file. */
761 if (!found)
762 if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key)
763 != -1)
764 found++;
765
766 if (!found) {
767 log_print("rsa_sig_decode_hash: no public key found");
768 return -1;
769 }
770 p = payload_first(msg, ISAKMP_PAYLOAD_SIG);
771 if (!p) {
772 log_print("rsa_sig_decode_hash: missing signature payload");
773 RSA_free(key);
774 return -1;
775 }
776 /* Check that the sig is of the correct size. */
777 len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SIG_SZ;
778 if (len != RSA_size(key)) {
779 RSA_free(key);
780 log_print("rsa_sig_decode_hash: "
781 "SIG payload length does not match public key");
782 return -1;
783 }
784 *hash_p = malloc(len);
785 if (!*hash_p) {
786 RSA_free(key);
787 log_error("rsa_sig_decode_hash: malloc (%d) failed", len);
788 return -1;
789 }
790 len = RSA_public_decrypt(len, p->p + ISAKMP_SIG_DATA_OFF, *hash_p, key,
791 RSA_PKCS1_PADDING);
792 if (len == -1) {
793 RSA_free(key);
794 log_print("rsa_sig_decode_hash: RSA_public_decrypt () failed");
795 return -1;
796 }
797 /* Store key for later use */
798 exchange->recv_key = key;
799 exchange->recv_keytype = ISAKMP_KEY_RSA;
800
801 if (len != (int)hashsize) {
802 free(*hash_p);
803 *hash_p = 0;
804 log_print("rsa_sig_decode_hash: len %lu != hashsize %lu",
805 (unsigned long)len, (unsigned long)hashsize);
806 return -1;
807 }
808 snprintf(header, sizeof header, "rsa_sig_decode_hash: HASH_%c",
809 initiator ? 'R' : 'I');
810 LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize));
811
812 p->flags |= PL_MARK;
813 return 0;
814 }
815
816 static int
pre_shared_encode_hash(struct message * msg)817 pre_shared_encode_hash(struct message *msg)
818 {
819 struct exchange *exchange = msg->exchange;
820 struct ipsec_exch *ie = exchange->data;
821 size_t hashsize = ie->hash->hashsize;
822 char header[80];
823 int initiator = exchange->initiator;
824 u_int8_t *buf;
825
826 buf = ipsec_add_hash_payload(msg, hashsize);
827 if (!buf)
828 return -1;
829
830 if (ike_auth_hash(exchange, buf + ISAKMP_HASH_DATA_OFF) == -1)
831 return -1;
832
833 snprintf(header, sizeof header, "pre_shared_encode_hash: HASH_%c",
834 initiator ? 'I' : 'R');
835 LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF,
836 hashsize));
837 return 0;
838 }
839
840 /* Encrypt the HASH into a SIG type. */
841 static int
rsa_sig_encode_hash(struct message * msg)842 rsa_sig_encode_hash(struct message *msg)
843 {
844 struct exchange *exchange = msg->exchange;
845 struct ipsec_exch *ie = exchange->data;
846 size_t hashsize = ie->hash->hashsize, id_len;
847 struct cert_handler *handler;
848 char header[80];
849 int initiator = exchange->initiator, idtype;
850 u_int8_t *buf, *data, *buf2, *id;
851 u_int32_t datalen;
852 int32_t sigsize;
853 void *sent_key;
854
855 id = initiator ? exchange->id_i : exchange->id_r;
856 id_len = initiator ? exchange->id_i_len : exchange->id_r_len;
857
858 /* We may have been provided these by the kernel */
859 buf = (u_int8_t *)conf_get_str(exchange->name, "Credentials");
860 if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type",
861 -1)) != -1) {
862 exchange->sent_certtype = idtype;
863 handler = cert_get(idtype);
864 if (!handler) {
865 log_print("rsa_sig_encode_hash: cert_get (%d) failed",
866 idtype);
867 return -1;
868 }
869 exchange->sent_cert =
870 handler->cert_from_printable((char *)buf);
871 if (!exchange->sent_cert) {
872 log_print("rsa_sig_encode_hash: failed to retrieve "
873 "certificate");
874 return -1;
875 }
876 handler->cert_serialize(exchange->sent_cert, &data, &datalen);
877 if (!data) {
878 log_print("rsa_sig_encode_hash: cert serialization "
879 "failed");
880 return -1;
881 }
882 goto aftercert; /* Skip all the certificate discovery */
883 }
884 /* XXX This needs to be configurable. */
885 idtype = ISAKMP_CERTENC_KEYNOTE;
886
887 /* Find a certificate with subjectAltName = id. */
888 handler = cert_get(idtype);
889 if (!handler) {
890 idtype = ISAKMP_CERTENC_X509_SIG;
891 handler = cert_get(idtype);
892 if (!handler) {
893 log_print("rsa_sig_encode_hash: cert_get(%d) failed",
894 idtype);
895 return -1;
896 }
897 }
898 if (handler->cert_obtain(id, id_len, 0, &data, &datalen) == 0) {
899 if (idtype == ISAKMP_CERTENC_KEYNOTE) {
900 idtype = ISAKMP_CERTENC_X509_SIG;
901 handler = cert_get(idtype);
902 if (!handler) {
903 log_print("rsa_sig_encode_hash: cert_get(%d) "
904 "failed", idtype);
905 return -1;
906 }
907 if (handler->cert_obtain(id, id_len, 0, &data,
908 &datalen) == 0) {
909 LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: "
910 "no certificate to send for id %s",
911 ipsec_id_string(id, id_len)));
912 goto skipcert;
913 }
914 } else {
915 LOG_DBG((LOG_MISC, 10,
916 "rsa_sig_encode_hash: no certificate to send"
917 " for id %s", ipsec_id_string(id, id_len)));
918 goto skipcert;
919 }
920 }
921 /* Let's store the certificate we are going to use */
922 exchange->sent_certtype = idtype;
923 exchange->sent_cert = handler->cert_get(data, datalen);
924 if (!exchange->sent_cert) {
925 free(data);
926 log_print("rsa_sig_encode_hash: failed to get certificate "
927 "from wire encoding");
928 return -1;
929 }
930 aftercert:
931
932 buf = realloc(data, ISAKMP_CERT_SZ + datalen);
933 if (!buf) {
934 log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data,
935 ISAKMP_CERT_SZ + datalen);
936 free(data);
937 return -1;
938 }
939 memmove(buf + ISAKMP_CERT_SZ, buf, datalen);
940 SET_ISAKMP_CERT_ENCODING(buf, idtype);
941 if (message_add_payload(msg, ISAKMP_PAYLOAD_CERT, buf,
942 ISAKMP_CERT_SZ + datalen, 1)) {
943 free(buf);
944 return -1;
945 }
946 skipcert:
947
948 /* Again, we may have these from the kernel */
949 buf = (u_int8_t *)conf_get_str(exchange->name, "PKAuthentication");
950 if (buf) {
951 key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE,
952 (char *)buf, &data, &datalen);
953 if (!data) {
954 log_print("rsa_sig_encode_hash: badly formatted RSA "
955 "private key");
956 return 0;
957 }
958 sent_key = key_internalize(ISAKMP_KEY_RSA,
959 ISAKMP_KEYTYPE_PRIVATE, data, datalen);
960 if (!sent_key) {
961 log_print("rsa_sig_encode_hash: bad RSA private key "
962 "from dynamic SA acquisition subsystem");
963 return 0;
964 }
965 } else {
966 /* Try through the regular means. */
967 switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) {
968 case IPSEC_ID_IPV4_ADDR:
969 case IPSEC_ID_IPV6_ADDR:
970 util_ntoa((char **)&buf2,
971 id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] ==
972 IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6,
973 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
974 if (!buf2)
975 return 0;
976 break;
977
978 case IPSEC_ID_FQDN:
979 case IPSEC_ID_USER_FQDN:
980 buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF +
981 ISAKMP_GEN_SZ + 1, sizeof(char));
982 if (!buf2) {
983 log_print("rsa_sig_encode_hash: malloc (%lu) "
984 "failed", (unsigned long)id_len -
985 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1);
986 return 0;
987 }
988 memcpy(buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
989 id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
990 break;
991
992 /* XXX Support more ID types? */
993 default:
994 buf2 = 0;
995 return 0;
996 }
997
998 sent_key = ike_auth_get_key(IKE_AUTH_RSA_SIG, exchange->name,
999 (char *)buf2, 0);
1000 free(buf2);
1001
1002 /* Did we find a key? */
1003 if (!sent_key) {
1004 log_print("rsa_sig_encode_hash: "
1005 "could not get private key");
1006 return -1;
1007 }
1008 }
1009
1010 /* Enable RSA blinding. */
1011 if (RSA_blinding_on(sent_key, NULL) != 1) {
1012 log_error("rsa_sig_encode_hash: RSA_blinding_on () failed.");
1013 RSA_free(sent_key);
1014 return -1;
1015 }
1016 /* XXX hashsize is not necessarily prf->blocksize. */
1017 buf = malloc(hashsize);
1018 if (!buf) {
1019 log_error("rsa_sig_encode_hash: malloc (%lu) failed",
1020 (unsigned long)hashsize);
1021 RSA_free(sent_key);
1022 return -1;
1023 }
1024 if (ike_auth_hash(exchange, buf) == -1) {
1025 free(buf);
1026 RSA_free(sent_key);
1027 return -1;
1028 }
1029 snprintf(header, sizeof header, "rsa_sig_encode_hash: HASH_%c",
1030 initiator ? 'I' : 'R');
1031 LOG_DBG_BUF((LOG_MISC, 80, header, buf, hashsize));
1032
1033 data = malloc(RSA_size(sent_key));
1034 if (!data) {
1035 log_error("rsa_sig_encode_hash: malloc (%d) failed",
1036 RSA_size(sent_key));
1037 free(buf);
1038 RSA_free(sent_key);
1039 return -1;
1040 }
1041 sigsize = RSA_private_encrypt(hashsize, buf, data, sent_key,
1042 RSA_PKCS1_PADDING);
1043 if (sigsize == -1) {
1044 log_print("rsa_sig_encode_hash: "
1045 "RSA_private_encrypt () failed");
1046 free(data);
1047 free(buf);
1048 RSA_free(sent_key);
1049 return -1;
1050 }
1051 datalen = (u_int32_t) sigsize;
1052
1053 free(buf);
1054 RSA_free(sent_key);
1055
1056 buf = realloc(data, ISAKMP_SIG_SZ + datalen);
1057 if (!buf) {
1058 log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data,
1059 ISAKMP_SIG_SZ + datalen);
1060 free(data);
1061 return -1;
1062 }
1063 memmove(buf + ISAKMP_SIG_SZ, buf, datalen);
1064
1065 snprintf(header, sizeof header, "rsa_sig_encode_hash: SIG_%c",
1066 initiator ? 'I' : 'R');
1067 LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF,
1068 datalen));
1069 if (message_add_payload(msg, ISAKMP_PAYLOAD_SIG, buf,
1070 ISAKMP_SIG_SZ + datalen, 1)) {
1071 free(buf);
1072 return -1;
1073 }
1074 return 0;
1075 }
1076
1077 int
ike_auth_hash(struct exchange * exchange,u_int8_t * buf)1078 ike_auth_hash(struct exchange *exchange, u_int8_t *buf)
1079 {
1080 struct ipsec_exch *ie = exchange->data;
1081 struct prf *prf;
1082 struct hash *hash = ie->hash;
1083 int initiator = exchange->initiator;
1084 u_int8_t *id;
1085 size_t id_len;
1086
1087 /* Choose the right fields to fill-in. */
1088 id = initiator ? exchange->id_i : exchange->id_r;
1089 id_len = initiator ? exchange->id_i_len : exchange->id_r_len;
1090
1091 /* Allocate the prf and start calculating our HASH. */
1092 prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len);
1093 if (!prf)
1094 return -1;
1095
1096 prf->Init(prf->prfctx);
1097 prf->Update(prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len);
1098 prf->Update(prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len);
1099 prf->Update(prf->prfctx, exchange->cookies +
1100 (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF),
1101 ISAKMP_HDR_ICOOKIE_LEN);
1102 prf->Update(prf->prfctx, exchange->cookies +
1103 (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF),
1104 ISAKMP_HDR_ICOOKIE_LEN);
1105 prf->Update(prf->prfctx, ie->sa_i_b, ie->sa_i_b_len);
1106 prf->Update(prf->prfctx, id, id_len);
1107 prf->Final(buf, prf->prfctx);
1108 prf_free(prf);
1109 return 0;
1110 }
1111
1112 static int
get_raw_key_from_file(int type,u_int8_t * id,size_t id_len,RSA ** rsa)1113 get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa)
1114 {
1115 char filename[FILENAME_MAX];
1116 char *fstr;
1117 FILE *keyfp;
1118
1119 if (type != IKE_AUTH_RSA_SIG) { /* XXX More types? */
1120 LOG_DBG((LOG_NEGOTIATION, 20, "get_raw_key_from_file: "
1121 "invalid auth type %d\n", type));
1122 return -1;
1123 }
1124 *rsa = 0;
1125
1126 fstr = conf_get_str("General", "Pubkey-directory");
1127 if (!fstr)
1128 fstr = CONF_DFLT_PUBKEY_DIR;
1129
1130 if (snprintf(filename, sizeof filename, "%s/", fstr) >
1131 (int)sizeof filename - 1)
1132 return -1;
1133
1134 fstr = ipsec_id_string(id, id_len);
1135 if (!fstr) {
1136 LOG_DBG((LOG_NEGOTIATION, 50, "get_raw_key_from_file: "
1137 "ipsec_id_string failed"));
1138 return -1;
1139 }
1140 strlcat(filename, fstr, sizeof filename - strlen(filename));
1141 free(fstr);
1142
1143 /* If the file does not exist, fail silently. */
1144 keyfp = monitor_fopen(filename, "r");
1145 if (keyfp) {
1146 *rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL);
1147 if (!*rsa) {
1148 rewind(keyfp);
1149 *rsa = PEM_read_RSAPublicKey(keyfp, NULL, NULL, NULL);
1150 }
1151 if (!*rsa)
1152 log_print("get_raw_key_from_file: failed to get "
1153 "public key %s", filename);
1154 fclose(keyfp);
1155 } else if (errno != ENOENT) {
1156 log_error("get_raw_key_from_file: monitor_fopen "
1157 "(\"%s\", \"r\") failed", filename);
1158 return -1;
1159 } else
1160 LOG_DBG((LOG_NEGOTIATION, 50,
1161 "get_raw_key_from_file: file %s not found", filename));
1162
1163 return (*rsa ? 0 : -1);
1164 }
1165