1 /* $OpenBSD: crypto.c,v 1.46 2023/08/04 19:06:25 claudio Exp $ */
2
3 /*
4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <sys/types.h>
20 #include <sys/queue.h>
21 #include <sys/socket.h>
22 #include <sys/uio.h>
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <errno.h>
29 #include <fcntl.h>
30 #include <event.h>
31
32 #include <openssl/ecdsa.h>
33 #include <openssl/hmac.h>
34 #include <openssl/evp.h>
35 #include <openssl/sha.h>
36 #include <openssl/md5.h>
37 #include <openssl/x509.h>
38 #include <openssl/rsa.h>
39
40 #include "iked.h"
41 #include "ikev2.h"
42
43 /* RFC 7427, A.1 RSA */
44 static const uint8_t sha256WithRSA[] = {
45 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
46 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00
47 };
48 static const uint8_t sha384WithRSA[] = {
49 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
50 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00
51 };
52 static const uint8_t sha512WithRSA[] = {
53 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
54 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00
55 };
56 /* RFC 7427, A.3 ECDSA */
57 static const uint8_t ecdsa_sha256[] = {
58 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
59 0x3d, 0x04, 0x03, 0x02
60 };
61 static const uint8_t ecdsa_sha384[] = {
62 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
63 0x3d, 0x04, 0x03, 0x03
64 };
65 static const uint8_t ecdsa_sha512[] = {
66 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
67 0x3d, 0x04, 0x03, 0x04
68 };
69 /* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */
70 static const uint8_t rsapss_sha256[] = {
71 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
72 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0,
73 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
74 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
75 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
76 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
77 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
78 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03,
79 0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01
80 };
81 /* RSASSA-PSS SHA-384 */
82 static const uint8_t rsapss_sha384[] = {
83 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
84 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
85 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
86 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,
87 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
88 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
89 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
90 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03,
91 0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01
92 };
93 /* RSASSA-PSS SHA-512 */
94 static const uint8_t rsapss_sha512[] = {
95 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
96 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
97 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
98 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00,
99 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
100 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
101 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
102 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03,
103 0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01
104 };
105 /* RSASSA-PSS SHA-256, no trailer */
106 static const uint8_t rsapss_sha256nt[] = {
107 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
108 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
109 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
110 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
111 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
112 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
113 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
114 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03,
115 0x02, 0x01, 0x20
116 };
117 /* RSASSA-PSS SHA-384, no trailer */
118 static const uint8_t rsapss_sha384nt[] = {
119 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
120 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
121 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
122 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,
123 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
124 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
125 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
126 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03,
127 0x02, 0x01, 0x30
128 };
129 /* RSASSA-PSS SHA-512, no trailer */
130 static const uint8_t rsapss_sha512nt[] = {
131 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
132 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
133 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
134 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00,
135 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
136 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
137 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
138 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03,
139 0x02, 0x01, 0x40
140 };
141
142 #define FLAG_RSA_PSS 0x00001
143 int force_rsa_pss = 0; /* XXX move to API */
144
145 static const struct {
146 int sc_keytype;
147 const EVP_MD *(*sc_md)(void);
148 uint8_t sc_len;
149 const uint8_t *sc_oid;
150 uint32_t sc_flags;
151 } schemes[] = {
152 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 },
153 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 },
154 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 },
155 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256, 0 },
156 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384, 0 },
157 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512, 0 },
158 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256,
159 FLAG_RSA_PSS },
160 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384,
161 FLAG_RSA_PSS },
162 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512,
163 FLAG_RSA_PSS },
164 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt,
165 FLAG_RSA_PSS },
166 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt,
167 FLAG_RSA_PSS },
168 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt,
169 FLAG_RSA_PSS },
170 };
171
172 int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t);
173 int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *,
174 uint8_t **);
175 int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *);
176 int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t);
177
178 struct iked_hash *
hash_new(uint8_t type,uint16_t id)179 hash_new(uint8_t type, uint16_t id)
180 {
181 struct iked_hash *hash;
182 const EVP_MD *md = NULL;
183 int length = 0, fixedkey = 0, trunc = 0, isaead = 0;
184
185 switch (type) {
186 case IKEV2_XFORMTYPE_PRF:
187 switch (id) {
188 case IKEV2_XFORMPRF_HMAC_MD5:
189 md = EVP_md5();
190 length = MD5_DIGEST_LENGTH;
191 break;
192 case IKEV2_XFORMPRF_HMAC_SHA1:
193 md = EVP_sha1();
194 length = SHA_DIGEST_LENGTH;
195 break;
196 case IKEV2_XFORMPRF_HMAC_SHA2_256:
197 md = EVP_sha256();
198 length = SHA256_DIGEST_LENGTH;
199 break;
200 case IKEV2_XFORMPRF_HMAC_SHA2_384:
201 md = EVP_sha384();
202 length = SHA384_DIGEST_LENGTH;
203 break;
204 case IKEV2_XFORMPRF_HMAC_SHA2_512:
205 md = EVP_sha512();
206 length = SHA512_DIGEST_LENGTH;
207 break;
208 case IKEV2_XFORMPRF_AES128_XCBC:
209 fixedkey = 128 / 8;
210 length = fixedkey;
211 /* FALLTHROUGH */
212 case IKEV2_XFORMPRF_HMAC_TIGER:
213 case IKEV2_XFORMPRF_AES128_CMAC:
214 default:
215 log_debug("%s: prf %s not supported", __func__,
216 print_map(id, ikev2_xformprf_map));
217 break;
218 }
219 break;
220 case IKEV2_XFORMTYPE_INTEGR:
221 switch (id) {
222 case IKEV2_XFORMAUTH_HMAC_MD5_96:
223 md = EVP_md5();
224 length = MD5_DIGEST_LENGTH;
225 trunc = 12;
226 break;
227 case IKEV2_XFORMAUTH_HMAC_SHA1_96:
228 md = EVP_sha1();
229 length = SHA_DIGEST_LENGTH;
230 trunc = 12;
231 break;
232 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128:
233 md = EVP_sha256();
234 length = SHA256_DIGEST_LENGTH;
235 trunc = 16;
236 break;
237 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192:
238 md = EVP_sha384();
239 length = SHA384_DIGEST_LENGTH;
240 trunc = 24;
241 break;
242 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256:
243 md = EVP_sha512();
244 length = SHA512_DIGEST_LENGTH;
245 trunc = 32;
246 break;
247 case IKEV2_XFORMAUTH_AES_GCM_12:
248 length = 12;
249 isaead = 1;
250 break;
251 case IKEV2_XFORMAUTH_AES_GCM_16:
252 length = 16;
253 isaead = 1;
254 break;
255 case IKEV2_XFORMAUTH_NONE:
256 case IKEV2_XFORMAUTH_DES_MAC:
257 case IKEV2_XFORMAUTH_KPDK_MD5:
258 case IKEV2_XFORMAUTH_AES_XCBC_96:
259 case IKEV2_XFORMAUTH_HMAC_MD5_128:
260 case IKEV2_XFORMAUTH_HMAC_SHA1_160:
261 case IKEV2_XFORMAUTH_AES_CMAC_96:
262 case IKEV2_XFORMAUTH_AES_128_GMAC:
263 case IKEV2_XFORMAUTH_AES_192_GMAC:
264 case IKEV2_XFORMAUTH_AES_256_GMAC:
265 default:
266 log_debug("%s: auth %s not supported", __func__,
267 print_map(id, ikev2_xformauth_map));
268 break;
269 }
270 break;
271 default:
272 log_debug("%s: hash type %s not supported", __func__,
273 print_map(id, ikev2_xformtype_map));
274 break;
275 }
276 if (!isaead && md == NULL)
277 return (NULL);
278
279 if ((hash = calloc(1, sizeof(*hash))) == NULL) {
280 log_debug("%s: alloc hash", __func__);
281 return (NULL);
282 }
283
284 hash->hash_type = type;
285 hash->hash_id = id;
286 hash->hash_priv = md;
287 hash->hash_ctx = NULL;
288 hash->hash_trunc = trunc;
289 hash->hash_length = length;
290 hash->hash_fixedkey = fixedkey;
291 hash->hash_isaead = isaead;
292
293 if (isaead)
294 return (hash);
295
296 hash->hash_ctx = HMAC_CTX_new();
297 if (hash->hash_ctx == NULL) {
298 log_debug("%s: alloc hash ctx", __func__);
299 hash_free(hash);
300 return (NULL);
301 }
302
303 return (hash);
304 }
305
306 struct ibuf *
hash_setkey(struct iked_hash * hash,void * key,size_t keylen)307 hash_setkey(struct iked_hash *hash, void *key, size_t keylen)
308 {
309 ibuf_free(hash->hash_key);
310 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) {
311 log_debug("%s: alloc hash key", __func__);
312 return (NULL);
313 }
314 return (hash->hash_key);
315 }
316
317 void
hash_free(struct iked_hash * hash)318 hash_free(struct iked_hash *hash)
319 {
320 if (hash == NULL)
321 return;
322 HMAC_CTX_free(hash->hash_ctx);
323 ibuf_free(hash->hash_key);
324 free(hash);
325 }
326
327 void
hash_init(struct iked_hash * hash)328 hash_init(struct iked_hash *hash)
329 {
330 HMAC_Init_ex(hash->hash_ctx, ibuf_data(hash->hash_key),
331 ibuf_size(hash->hash_key), hash->hash_priv, NULL);
332 }
333
334 void
hash_update(struct iked_hash * hash,void * buf,size_t len)335 hash_update(struct iked_hash *hash, void *buf, size_t len)
336 {
337 HMAC_Update(hash->hash_ctx, buf, len);
338 }
339
340 void
hash_final(struct iked_hash * hash,void * buf,size_t * len)341 hash_final(struct iked_hash *hash, void *buf, size_t *len)
342 {
343 unsigned int length = 0;
344
345 HMAC_Final(hash->hash_ctx, buf, &length);
346 *len = (size_t)length;
347
348 /* Truncate the result if required by the alg */
349 if (hash->hash_trunc && *len > hash->hash_trunc)
350 *len = hash->hash_trunc;
351 }
352
353 size_t
hash_length(struct iked_hash * hash)354 hash_length(struct iked_hash *hash)
355 {
356 if (hash->hash_trunc)
357 return (hash->hash_trunc);
358 return (hash->hash_length);
359 }
360
361 size_t
hash_keylength(struct iked_hash * hash)362 hash_keylength(struct iked_hash *hash)
363 {
364 return (hash->hash_length);
365 }
366
367 struct iked_cipher *
cipher_new(uint8_t type,uint16_t id,uint16_t id_length)368 cipher_new(uint8_t type, uint16_t id, uint16_t id_length)
369 {
370 struct iked_cipher *encr;
371 const EVP_CIPHER *cipher = NULL;
372 int length = 0, fixedkey = 0, ivlength = 0;
373 int saltlength = 0, authid = 0;
374
375 switch (type) {
376 case IKEV2_XFORMTYPE_ENCR:
377 switch (id) {
378 case IKEV2_XFORMENCR_3DES:
379 cipher = EVP_des_ede3_cbc();
380 length = EVP_CIPHER_block_size(cipher);
381 fixedkey = EVP_CIPHER_key_length(cipher);
382 ivlength = EVP_CIPHER_iv_length(cipher);
383 break;
384 case IKEV2_XFORMENCR_AES_CBC:
385 switch (id_length) {
386 case 128:
387 cipher = EVP_aes_128_cbc();
388 break;
389 case 192:
390 cipher = EVP_aes_192_cbc();
391 break;
392 case 256:
393 cipher = EVP_aes_256_cbc();
394 break;
395 default:
396 log_debug("%s: invalid key length %d"
397 " for cipher %s", __func__, id_length,
398 print_map(id, ikev2_xformencr_map));
399 break;
400 }
401 if (cipher == NULL)
402 break;
403 length = EVP_CIPHER_block_size(cipher);
404 ivlength = EVP_CIPHER_iv_length(cipher);
405 fixedkey = EVP_CIPHER_key_length(cipher);
406 break;
407 case IKEV2_XFORMENCR_AES_GCM_16:
408 case IKEV2_XFORMENCR_AES_GCM_12:
409 switch (id_length) {
410 case 128:
411 cipher = EVP_aes_128_gcm();
412 break;
413 case 256:
414 cipher = EVP_aes_256_gcm();
415 break;
416 default:
417 log_debug("%s: invalid key length %d"
418 " for cipher %s", __func__, id_length,
419 print_map(id, ikev2_xformencr_map));
420 break;
421 }
422 if (cipher == NULL)
423 break;
424 switch(id) {
425 case IKEV2_XFORMENCR_AES_GCM_16:
426 authid = IKEV2_XFORMAUTH_AES_GCM_16;
427 break;
428 case IKEV2_XFORMENCR_AES_GCM_12:
429 authid = IKEV2_XFORMAUTH_AES_GCM_12;
430 break;
431 }
432 length = EVP_CIPHER_block_size(cipher);
433 ivlength = 8;
434 saltlength = 4;
435 fixedkey = EVP_CIPHER_key_length(cipher) + saltlength;
436 break;
437 case IKEV2_XFORMENCR_DES_IV64:
438 case IKEV2_XFORMENCR_DES:
439 case IKEV2_XFORMENCR_RC5:
440 case IKEV2_XFORMENCR_IDEA:
441 case IKEV2_XFORMENCR_CAST:
442 case IKEV2_XFORMENCR_BLOWFISH:
443 case IKEV2_XFORMENCR_3IDEA:
444 case IKEV2_XFORMENCR_DES_IV32:
445 case IKEV2_XFORMENCR_NULL:
446 case IKEV2_XFORMENCR_AES_CTR:
447 /* FALLTHROUGH */
448 default:
449 log_debug("%s: cipher %s not supported", __func__,
450 print_map(id, ikev2_xformencr_map));
451 cipher = NULL;
452 break;
453 }
454 break;
455 default:
456 log_debug("%s: cipher type %s not supported", __func__,
457 print_map(id, ikev2_xformtype_map));
458 break;
459 }
460 if (cipher == NULL)
461 return (NULL);
462
463 if ((encr = calloc(1, sizeof(*encr))) == NULL) {
464 log_debug("%s: alloc cipher", __func__);
465 return (NULL);
466 }
467
468 encr->encr_id = id;
469 encr->encr_priv = cipher;
470 encr->encr_ctx = NULL;
471 encr->encr_length = length;
472 encr->encr_fixedkey = fixedkey;
473 encr->encr_ivlength = ivlength ? ivlength : length;
474 encr->encr_saltlength = saltlength;
475 encr->encr_authid = authid;
476
477 encr->encr_ctx = EVP_CIPHER_CTX_new();
478 if (encr->encr_ctx == NULL) {
479 log_debug("%s: alloc cipher ctx", __func__);
480 cipher_free(encr);
481 return (NULL);
482 }
483
484 return (encr);
485 }
486
487 struct ibuf *
cipher_setkey(struct iked_cipher * encr,const void * key,size_t keylen)488 cipher_setkey(struct iked_cipher *encr, const void *key, size_t keylen)
489 {
490 ibuf_free(encr->encr_key);
491 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) {
492 log_debug("%s: alloc cipher key", __func__);
493 return (NULL);
494 }
495 return (encr->encr_key);
496 }
497
498 struct ibuf *
cipher_setiv(struct iked_cipher * encr,const void * iv,size_t len)499 cipher_setiv(struct iked_cipher *encr, const void *iv, size_t len)
500 {
501 ibuf_free(encr->encr_iv);
502 encr->encr_iv = NULL;
503 if (iv != NULL) {
504 if (len < encr->encr_ivlength) {
505 log_debug("%s: invalid IV length %zu", __func__, len);
506 return (NULL);
507 }
508 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength);
509 } else {
510 switch (encr->encr_id) {
511 case IKEV2_XFORMENCR_AES_GCM_16:
512 case IKEV2_XFORMENCR_AES_GCM_12:
513 if (encr->encr_ivlength != sizeof(encr->encr_civ)) {
514 log_info("%s: ivlen does not match %zu != %zu",
515 __func__, encr->encr_ivlength,
516 sizeof(encr->encr_civ));
517 return (NULL);
518 }
519 encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ));
520 encr->encr_civ++;
521 break;
522 default:
523 /* Get new random IV */
524 encr->encr_iv = ibuf_random(encr->encr_ivlength);
525 }
526 }
527 if (encr->encr_iv == NULL) {
528 log_debug("%s: failed to set IV", __func__);
529 return (NULL);
530 }
531 return (encr->encr_iv);
532 }
533
534 int
cipher_settag(struct iked_cipher * encr,uint8_t * data,size_t len)535 cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len)
536 {
537 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx,
538 EVP_CTRL_GCM_SET_TAG, len, data) != 1);
539 }
540
541 int
cipher_gettag(struct iked_cipher * encr,uint8_t * data,size_t len)542 cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len)
543 {
544 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx,
545 EVP_CTRL_GCM_GET_TAG, len, data) != 1);
546 }
547
548 void
cipher_free(struct iked_cipher * encr)549 cipher_free(struct iked_cipher *encr)
550 {
551 if (encr == NULL)
552 return;
553 EVP_CIPHER_CTX_free(encr->encr_ctx);
554 ibuf_free(encr->encr_iv);
555 ibuf_free(encr->encr_key);
556 free(encr);
557 }
558
559 int
cipher_init(struct iked_cipher * encr,int enc)560 cipher_init(struct iked_cipher *encr, int enc)
561 {
562 struct ibuf *nonce = NULL;
563 int ret = -1;
564
565 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL,
566 NULL, NULL, enc) != 1)
567 return (-1);
568 if (encr->encr_saltlength > 0) {
569 /* For AEADs the nonce is salt + IV (see RFC5282) */
570 nonce = ibuf_new(ibuf_seek(encr->encr_key,
571 ibuf_size(encr->encr_key) - encr->encr_saltlength,
572 encr->encr_saltlength), encr->encr_saltlength);
573 if (nonce == NULL)
574 return (-1);
575 if (ibuf_add_buf(nonce, encr->encr_iv) != 0)
576 goto done;
577 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL,
578 ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1)
579 goto done;
580 } else
581 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL,
582 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1)
583 return (-1);
584 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0);
585 ret = 0;
586 done:
587 ibuf_free(nonce);
588 return (ret);
589 }
590
591 int
cipher_init_encrypt(struct iked_cipher * encr)592 cipher_init_encrypt(struct iked_cipher *encr)
593 {
594 return (cipher_init(encr, 1));
595 }
596
597 int
cipher_init_decrypt(struct iked_cipher * encr)598 cipher_init_decrypt(struct iked_cipher *encr)
599 {
600 return (cipher_init(encr, 0));
601 }
602
603 void
cipher_aad(struct iked_cipher * encr,const void * in,size_t inlen,size_t * outlen)604 cipher_aad(struct iked_cipher *encr, const void *in, size_t inlen,
605 size_t *outlen)
606 {
607 int olen = 0;
608
609 if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) {
610 ca_sslerror(__func__);
611 *outlen = 0;
612 return;
613 }
614 *outlen = (size_t)olen;
615 }
616
617 int
cipher_update(struct iked_cipher * encr,const void * in,size_t inlen,void * out,size_t * outlen)618 cipher_update(struct iked_cipher *encr, const void *in, size_t inlen,
619 void *out, size_t *outlen)
620 {
621 int olen;
622
623 olen = 0;
624 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) {
625 ca_sslerror(__func__);
626 *outlen = 0;
627 return (-1);
628 }
629 *outlen = (size_t)olen;
630 return (0);
631 }
632
633 int
cipher_final(struct iked_cipher * encr)634 cipher_final(struct iked_cipher *encr)
635 {
636 int olen;
637
638 /*
639 * We always have EVP_CIPH_NO_PADDING set. This means arg
640 * out is not used and olen should always be 0.
641 */
642 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) {
643 ca_sslerror(__func__);
644 return (-1);
645 }
646 return (0);
647 }
648
649 size_t
cipher_length(struct iked_cipher * encr)650 cipher_length(struct iked_cipher *encr)
651 {
652 return (encr->encr_length);
653 }
654
655 size_t
cipher_keylength(struct iked_cipher * encr)656 cipher_keylength(struct iked_cipher *encr)
657 {
658 if (encr->encr_fixedkey)
659 return (encr->encr_fixedkey);
660
661 /* Might return zero */
662 return (ibuf_length(encr->encr_key));
663 }
664
665 size_t
cipher_ivlength(struct iked_cipher * encr)666 cipher_ivlength(struct iked_cipher *encr)
667 {
668 return (encr->encr_ivlength);
669 }
670
671 size_t
cipher_outlength(struct iked_cipher * encr,size_t inlen)672 cipher_outlength(struct iked_cipher *encr, size_t inlen)
673 {
674 return (roundup(inlen, encr->encr_length));
675 }
676
677 struct iked_dsa *
dsa_new(uint8_t id,struct iked_hash * prf,int sign)678 dsa_new(uint8_t id, struct iked_hash *prf, int sign)
679 {
680 struct iked_dsa *dsap = NULL, dsa;
681
682 bzero(&dsa, sizeof(dsa));
683
684 switch (id) {
685 case IKEV2_AUTH_SIG:
686 if (sign)
687 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */
688 else
689 dsa.dsa_priv = NULL; /* set later by dsa_init() */
690 break;
691 case IKEV2_AUTH_RSA_SIG:
692 /* RFC5996 says we SHOULD use SHA1 here */
693 dsa.dsa_priv = EVP_sha1();
694 break;
695 case IKEV2_AUTH_SHARED_KEY_MIC:
696 if (prf == NULL || prf->hash_priv == NULL)
697 fatalx("dsa_new: invalid PRF");
698 dsa.dsa_priv = prf->hash_priv;
699 dsa.dsa_hmac = 1;
700 break;
701 case IKEV2_AUTH_DSS_SIG:
702 dsa.dsa_priv = EVP_sha1();
703 break;
704 case IKEV2_AUTH_ECDSA_256:
705 dsa.dsa_priv = EVP_sha256();
706 break;
707 case IKEV2_AUTH_ECDSA_384:
708 dsa.dsa_priv = EVP_sha384();
709 break;
710 case IKEV2_AUTH_ECDSA_521:
711 dsa.dsa_priv = EVP_sha512();
712 break;
713 default:
714 log_debug("%s: auth method %s not supported", __func__,
715 print_map(id, ikev2_auth_map));
716 break;
717 }
718
719 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) {
720 log_debug("%s: alloc dsa ctx", __func__);
721
722 return (NULL);
723 }
724 memcpy(dsap, &dsa, sizeof(*dsap));
725
726 dsap->dsa_method = id;
727 dsap->dsa_sign = sign;
728
729 if (dsap->dsa_hmac) {
730 if ((dsap->dsa_ctx = HMAC_CTX_new()) == NULL) {
731 log_debug("%s: alloc hash ctx", __func__);
732 dsa_free(dsap);
733 return (NULL);
734 }
735 } else {
736 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) {
737 log_debug("%s: alloc digest ctx", __func__);
738 dsa_free(dsap);
739 return (NULL);
740 }
741 }
742
743 return (dsap);
744 }
745
746 struct iked_dsa *
dsa_sign_new(uint8_t id,struct iked_hash * prf)747 dsa_sign_new(uint8_t id, struct iked_hash *prf)
748 {
749 return (dsa_new(id, prf, 1));
750 }
751
752 struct iked_dsa *
dsa_verify_new(uint8_t id,struct iked_hash * prf)753 dsa_verify_new(uint8_t id, struct iked_hash *prf)
754 {
755 return (dsa_new(id, prf, 0));
756 }
757
758 void
dsa_free(struct iked_dsa * dsa)759 dsa_free(struct iked_dsa *dsa)
760 {
761 if (dsa == NULL)
762 return;
763 if (dsa->dsa_hmac) {
764 HMAC_CTX_free((HMAC_CTX *)dsa->dsa_ctx);
765 } else {
766 EVP_MD_CTX_free((EVP_MD_CTX *)dsa->dsa_ctx);
767 EVP_PKEY_free(dsa->dsa_key);
768 }
769
770 ibuf_free(dsa->dsa_keydata);
771 free(dsa);
772 }
773
774 struct ibuf *
dsa_setkey(struct iked_dsa * dsa,void * key,size_t keylen,uint8_t type)775 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type)
776 {
777 BIO *rawcert = NULL;
778 X509 *cert = NULL;
779 RSA *rsa = NULL;
780 EC_KEY *ec = NULL;
781 EVP_PKEY *pkey = NULL;
782
783 ibuf_free(dsa->dsa_keydata);
784 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) {
785 log_debug("%s: alloc signature key", __func__);
786 return (NULL);
787 }
788
789 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL)
790 goto err;
791
792 switch (type) {
793 case IKEV2_CERT_X509_CERT:
794 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL)
795 goto sslerr;
796 if ((pkey = X509_get_pubkey(cert)) == NULL)
797 goto sslerr;
798 dsa->dsa_key = pkey;
799 break;
800 case IKEV2_CERT_RSA_KEY:
801 if (dsa->dsa_sign) {
802 if ((rsa = d2i_RSAPrivateKey_bio(rawcert,
803 NULL)) == NULL)
804 goto sslerr;
805 } else {
806 if ((rsa = d2i_RSAPublicKey_bio(rawcert,
807 NULL)) == NULL)
808 goto sslerr;
809 }
810
811 if ((pkey = EVP_PKEY_new()) == NULL)
812 goto sslerr;
813 if (!EVP_PKEY_set1_RSA(pkey, rsa))
814 goto sslerr;
815
816 RSA_free(rsa); /* pkey now has the reference */
817 dsa->dsa_key = pkey;
818 break;
819 case IKEV2_CERT_ECDSA:
820 if (dsa->dsa_sign) {
821 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL)
822 goto sslerr;
823 } else {
824 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL)
825 goto sslerr;
826 }
827
828 if ((pkey = EVP_PKEY_new()) == NULL)
829 goto sslerr;
830 if (!EVP_PKEY_set1_EC_KEY(pkey, ec))
831 goto sslerr;
832
833 EC_KEY_free(ec); /* pkey now has the reference */
834 dsa->dsa_key = pkey;
835 break;
836 default:
837 if (dsa->dsa_hmac)
838 break;
839 log_debug("%s: unsupported key type", __func__);
840 goto err;
841 }
842
843 X509_free(cert);
844 BIO_free(rawcert); /* temporary for parsing */
845
846 return (dsa->dsa_keydata);
847
848 sslerr:
849 ca_sslerror(__func__);
850 err:
851 log_debug("%s: error", __func__);
852
853 RSA_free(rsa);
854 EC_KEY_free(ec);
855 EVP_PKEY_free(pkey);
856 X509_free(cert);
857 BIO_free(rawcert);
858 ibuf_free(dsa->dsa_keydata);
859 dsa->dsa_keydata = NULL;
860 return (NULL);
861 }
862
863 int
_dsa_verify_init(struct iked_dsa * dsa,const uint8_t * sig,size_t len)864 _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len)
865 {
866 uint8_t oidlen;
867 size_t i;
868 int keytype;
869
870 if (dsa->dsa_priv != NULL)
871 return (0);
872 /*
873 * For IKEV2_AUTH_SIG the oid of the authentication signature
874 * is encoded in the first bytes of the auth message.
875 */
876 if (dsa->dsa_method != IKEV2_AUTH_SIG) {
877 log_debug("%s: dsa_priv not set for %s", __func__,
878 print_map(dsa->dsa_method, ikev2_auth_map));
879 return (-1);
880 }
881 if (dsa->dsa_key == NULL) {
882 log_debug("%s: dsa_key not set for %s", __func__,
883 print_map(dsa->dsa_method, ikev2_auth_map));
884 return (-1);
885 }
886 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key)));
887 if (sig == NULL) {
888 log_debug("%s: signature missing", __func__);
889 return (-1);
890 }
891 if (len < sizeof(oidlen)) {
892 log_debug("%s: signature (%zu) too small for oid length",
893 __func__, len);
894 return (-1);
895 }
896 memcpy(&oidlen, sig, sizeof(oidlen));
897 if (len < (size_t)oidlen + sizeof(oidlen)) {
898 log_debug("%s: signature (%zu) too small for oid (%u)",
899 __func__, len, oidlen);
900 return (-1);
901 }
902 for (i = 0; i < nitems(schemes); i++) {
903 if (keytype == schemes[i].sc_keytype &&
904 oidlen == schemes[i].sc_len &&
905 memcmp(sig + 1, schemes[i].sc_oid,
906 schemes[i].sc_len) == 0) {
907 dsa->dsa_priv = (*schemes[i].sc_md)();
908 dsa->dsa_flags = schemes[i].sc_flags;
909 log_debug("%s: signature scheme %zd selected",
910 __func__, i);
911 return (0);
912 }
913 }
914 log_debug("%s: unsupported signature (%d)", __func__, oidlen);
915 return (-1);
916 }
917
918 int
dsa_init(struct iked_dsa * dsa,const void * buf,size_t len)919 dsa_init(struct iked_dsa *dsa, const void *buf, size_t len)
920 {
921 int ret;
922 EVP_PKEY_CTX *pctx = NULL;
923
924 if (dsa->dsa_hmac) {
925 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata),
926 ibuf_size(dsa->dsa_keydata), dsa->dsa_priv, NULL))
927 return (-1);
928 return (0);
929 }
930
931 if (dsa->dsa_sign) {
932 if (force_rsa_pss &&
933 EVP_PKEY_base_id(dsa->dsa_key) == EVP_PKEY_RSA)
934 dsa->dsa_flags = FLAG_RSA_PSS;
935 ret = EVP_DigestSignInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv,
936 NULL, dsa->dsa_key);
937 } else {
938 /* sets dsa_priv, dsa_flags */
939 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0)
940 return (ret);
941 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv,
942 NULL, dsa->dsa_key);
943 }
944 if (ret == 1 && dsa->dsa_flags == FLAG_RSA_PSS) {
945 if (EVP_PKEY_CTX_set_rsa_padding(pctx,
946 RSA_PKCS1_PSS_PADDING) <= 0 ||
947 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0)
948 return (-1);
949 }
950 if (_dsa_sign_encode(dsa, NULL, 0, NULL) < 0)
951 return (-1);
952
953 return (ret == 1 ? 0 : -1);
954 }
955
956 int
dsa_update(struct iked_dsa * dsa,const void * buf,size_t len)957 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len)
958 {
959 int ret;
960
961 if (dsa->dsa_hmac)
962 ret = HMAC_Update(dsa->dsa_ctx, buf, len);
963 else if (dsa->dsa_sign)
964 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len);
965 else
966 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len);
967
968 return (ret == 1 ? 0 : -1);
969 }
970
971 /* Prefix signature hash with encoded type */
972 int
_dsa_sign_encode(struct iked_dsa * dsa,uint8_t * ptr,size_t len,size_t * offp)973 _dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp)
974 {
975 int keytype;
976 size_t i, need;
977
978 if (offp)
979 *offp = 0;
980 if (dsa->dsa_method != IKEV2_AUTH_SIG)
981 return (0);
982 if (dsa->dsa_key == NULL)
983 return (-1);
984 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key)));
985 for (i = 0; i < nitems(schemes); i++) {
986 /* XXX should avoid calling sc_md() each time... */
987 if (keytype == schemes[i].sc_keytype &&
988 dsa->dsa_flags == schemes[i].sc_flags &&
989 (dsa->dsa_priv == (*schemes[i].sc_md)()))
990 break;
991 }
992 if (i >= nitems(schemes))
993 return (-1);
994 log_debug("%s: signature scheme %zd selected", __func__, i);
995 need = sizeof(ptr[0]) + schemes[i].sc_len;
996 if (ptr) {
997 if (len < need)
998 return (-1);
999 ptr[0] = schemes[i].sc_len;
1000 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid,
1001 schemes[i].sc_len);
1002 }
1003 if (offp)
1004 *offp = need;
1005 return (0);
1006 }
1007
1008 /* Export size of encoded signature hash type */
1009 size_t
dsa_prefix(struct iked_dsa * dsa)1010 dsa_prefix(struct iked_dsa *dsa)
1011 {
1012 size_t off = 0;
1013
1014 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0)
1015 fatal("dsa_prefix: internal error");
1016 return off;
1017 }
1018
1019 size_t
dsa_length(struct iked_dsa * dsa)1020 dsa_length(struct iked_dsa *dsa)
1021 {
1022 if (dsa->dsa_hmac)
1023 return (EVP_MD_size(dsa->dsa_priv));
1024 switch (dsa->dsa_method) {
1025 case IKEV2_AUTH_ECDSA_256:
1026 case IKEV2_AUTH_ECDSA_384:
1027 case IKEV2_AUTH_ECDSA_521:
1028 /* size of concat(r|s) */
1029 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8));
1030 }
1031 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key));
1032 }
1033
1034 int
_dsa_sign_ecdsa(struct iked_dsa * dsa,uint8_t * ptr,size_t len)1035 _dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len)
1036 {
1037 ECDSA_SIG *obj = NULL;
1038 uint8_t *tmp = NULL;
1039 const uint8_t *p;
1040 size_t tmplen;
1041 int ret = -1;
1042 int bnlen, off;
1043 const BIGNUM *r, *s;
1044
1045 if (len % 2)
1046 goto done; /* must be even */
1047 bnlen = len/2;
1048 /*
1049 * (a) create DER signature into 'tmp' buffer
1050 * (b) convert buffer to ECDSA_SIG object
1051 * (c) concatenate the padded r|s BIGNUMS into 'ptr'
1052 */
1053 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1)
1054 goto done;
1055 if ((tmp = calloc(1, tmplen)) == NULL)
1056 goto done;
1057 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1)
1058 goto done;
1059 p = tmp;
1060 if ((obj = d2i_ECDSA_SIG(NULL, &p, tmplen)) == NULL)
1061 goto done;
1062 ECDSA_SIG_get0(obj, &r, &s);
1063 if (BN_num_bytes(r) > bnlen || BN_num_bytes(s) > bnlen)
1064 goto done;
1065 memset(ptr, 0, len);
1066 off = bnlen - BN_num_bytes(r);
1067 BN_bn2bin(r, ptr + off);
1068 off = 2 * bnlen - BN_num_bytes(s);
1069 BN_bn2bin(s, ptr + off);
1070 ret = 0;
1071 done:
1072 free(tmp);
1073 ECDSA_SIG_free(obj);
1074
1075 return (ret);
1076 }
1077
1078 ssize_t
dsa_sign_final(struct iked_dsa * dsa,void * buf,size_t len)1079 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len)
1080 {
1081 unsigned int hmaclen;
1082 size_t off = 0;
1083 uint8_t *ptr = buf;
1084
1085 if (len < dsa_length(dsa))
1086 return (-1);
1087
1088 if (dsa->dsa_hmac) {
1089 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen))
1090 return (-1);
1091 if (hmaclen > INT_MAX)
1092 return (-1);
1093 return (ssize_t)hmaclen;
1094 } else {
1095 switch (dsa->dsa_method) {
1096 case IKEV2_AUTH_ECDSA_256:
1097 case IKEV2_AUTH_ECDSA_384:
1098 case IKEV2_AUTH_ECDSA_521:
1099 if (_dsa_sign_ecdsa(dsa, buf, len) < 0)
1100 return (-1);
1101 return (len);
1102 default:
1103 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0)
1104 return (-1);
1105 if (off > len)
1106 return (-1);
1107 len -= off;
1108 ptr += off;
1109 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1)
1110 return (-1);
1111 return (len + off);
1112 }
1113 }
1114 return (-1);
1115 }
1116
1117 int
_dsa_verify_prepare(struct iked_dsa * dsa,uint8_t ** sigp,size_t * lenp,uint8_t ** freemep)1118 _dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp,
1119 uint8_t **freemep)
1120 {
1121 ECDSA_SIG *obj = NULL;
1122 uint8_t *ptr = NULL;
1123 size_t bnlen, off;
1124 ssize_t len;
1125 int ret = -1;
1126 BIGNUM *r = NULL, *s = NULL;
1127
1128 *freemep = NULL; /* don't return garbage in case of an error */
1129
1130 switch (dsa->dsa_method) {
1131 case IKEV2_AUTH_SIG:
1132 /*
1133 * The first byte of the signature encodes the OID
1134 * prefix length which we need to skip.
1135 */
1136 off = (*sigp)[0] + 1;
1137 *sigp = *sigp + off;
1138 *lenp = *lenp - off;
1139 *freemep = NULL;
1140 ret = 0;
1141 break;
1142 case IKEV2_AUTH_ECDSA_256:
1143 case IKEV2_AUTH_ECDSA_384:
1144 case IKEV2_AUTH_ECDSA_521:
1145 /*
1146 * sigp points to concatenation r|s, while EVP_VerifyFinal()
1147 * expects the signature as a DER-encoded blob (of the two
1148 * values), so we need to convert the signature in a new
1149 * buffer (we cannot override the given buffer) and the caller
1150 * has to free this buffer ('freeme').
1151 */
1152 if (*lenp < 64 || *lenp > 132 || *lenp % 2)
1153 goto done;
1154 bnlen = (*lenp)/2;
1155 /* sigp points to concatenation: r|s */
1156 if ((obj = ECDSA_SIG_new()) == NULL ||
1157 (r = BN_bin2bn(*sigp, bnlen, NULL)) == NULL ||
1158 (s = BN_bin2bn(*sigp+bnlen, bnlen, NULL)) == NULL ||
1159 ECDSA_SIG_set0(obj, r, s) == 0 ||
1160 (len = i2d_ECDSA_SIG(obj, &ptr)) <= 0)
1161 goto done;
1162 r = s = NULL;
1163 *lenp = len;
1164 *sigp = ptr;
1165 *freemep = ptr;
1166 ptr = NULL;
1167 ret = 0;
1168 break;
1169 default:
1170 return (0);
1171 }
1172 done:
1173 BN_clear_free(r);
1174 BN_clear_free(s);
1175 free(ptr);
1176 ECDSA_SIG_free(obj);
1177
1178 return (ret);
1179 }
1180
1181 ssize_t
dsa_verify_final(struct iked_dsa * dsa,void * buf,size_t len)1182 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len)
1183 {
1184 uint8_t sig[EVP_MAX_MD_SIZE];
1185 uint8_t *ptr = buf, *freeme = NULL;
1186 unsigned int siglen = sizeof(sig);
1187
1188 if (dsa->dsa_hmac) {
1189 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen))
1190 return (-1);
1191 if (siglen != len || memcmp(buf, sig, siglen) != 0)
1192 return (-1);
1193 } else {
1194 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0)
1195 return (-1);
1196 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) {
1197 OPENSSL_free(freeme);
1198 ca_sslerror(__func__);
1199 return (-1);
1200 }
1201 OPENSSL_free(freeme);
1202 }
1203
1204 return (0);
1205 }
1206