xref: /openbsd/sbin/iked/crypto.c (revision eef6c82a)
1 /*	$OpenBSD: crypto.c,v 1.46 2023/08/04 19:06:25 claudio Exp $	*/
2 
3 /*
4  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <sys/types.h>
20 #include <sys/queue.h>
21 #include <sys/socket.h>
22 #include <sys/uio.h>
23 
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <errno.h>
29 #include <fcntl.h>
30 #include <event.h>
31 
32 #include <openssl/ecdsa.h>
33 #include <openssl/hmac.h>
34 #include <openssl/evp.h>
35 #include <openssl/sha.h>
36 #include <openssl/md5.h>
37 #include <openssl/x509.h>
38 #include <openssl/rsa.h>
39 
40 #include "iked.h"
41 #include "ikev2.h"
42 
43 /* RFC 7427, A.1 RSA */
44 static const uint8_t sha256WithRSA[] = {
45 	0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
46 	0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00
47 };
48 static const uint8_t sha384WithRSA[] = {
49 	0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
50 	0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00
51 };
52 static const uint8_t sha512WithRSA[] = {
53 	0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
54 	0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00
55 };
56 /* RFC 7427, A.3 ECDSA */
57 static const uint8_t ecdsa_sha256[] = {
58 	0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
59 	0x3d, 0x04, 0x03, 0x02
60 };
61 static const uint8_t ecdsa_sha384[] = {
62 	0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
63 	0x3d, 0x04, 0x03, 0x03
64 };
65 static const uint8_t ecdsa_sha512[] = {
66 	0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
67 	0x3d, 0x04, 0x03, 0x04
68 };
69 /* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */
70 static const uint8_t rsapss_sha256[] = {
71 	0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
72 	0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0,
73 	0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
74 	0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
75 	0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
76 	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
77 	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
78 	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03,
79 	0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01
80 };
81 /* RSASSA-PSS SHA-384 */
82 static const uint8_t rsapss_sha384[] = {
83 	0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
84 	0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
85 	0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
86 	0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,
87 	0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
88 	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
89 	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
90 	0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03,
91 	0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01
92 };
93 /* RSASSA-PSS SHA-512 */
94 static const uint8_t rsapss_sha512[] = {
95 	0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
96 	0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
97 	0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
98 	0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00,
99 	0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
100 	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
101 	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
102 	0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03,
103 	0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01
104 };
105 /* RSASSA-PSS SHA-256, no trailer */
106 static const uint8_t rsapss_sha256nt[] = {
107 	0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
108 	0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
109 	0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
110 	0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
111 	0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
112 	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
113 	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
114 	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03,
115 	0x02, 0x01, 0x20
116 };
117 /* RSASSA-PSS SHA-384, no trailer */
118 static const uint8_t rsapss_sha384nt[] = {
119 	0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
120 	0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
121 	0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
122 	0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,
123 	0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
124 	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
125 	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
126 	0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03,
127 	0x02, 0x01, 0x30
128 };
129 /* RSASSA-PSS SHA-512, no trailer */
130 static const uint8_t rsapss_sha512nt[] = {
131 	0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
132 	0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0,
133 	0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
134 	0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00,
135 	0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86,
136 	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30,
137 	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
138 	0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03,
139 	0x02, 0x01, 0x40
140 };
141 
142 #define FLAG_RSA_PSS	0x00001
143 int force_rsa_pss = 0;	/* XXX move to API */
144 
145 static const struct {
146 	int		 sc_keytype;
147 	const EVP_MD	*(*sc_md)(void);
148 	uint8_t		 sc_len;
149 	const uint8_t	*sc_oid;
150 	uint32_t	 sc_flags;
151 } schemes[] = {
152 	{ EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 },
153 	{ EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 },
154 	{ EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 },
155 	{ EVP_PKEY_EC,  EVP_sha256, sizeof(ecdsa_sha256),  ecdsa_sha256, 0 },
156 	{ EVP_PKEY_EC,  EVP_sha384, sizeof(ecdsa_sha384),  ecdsa_sha384, 0 },
157 	{ EVP_PKEY_EC,  EVP_sha512, sizeof(ecdsa_sha512),  ecdsa_sha512, 0 },
158 	{ EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256,
159 	    FLAG_RSA_PSS },
160 	{ EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384,
161 	    FLAG_RSA_PSS },
162 	{ EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512,
163 	    FLAG_RSA_PSS },
164 	{ EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt,
165 	    FLAG_RSA_PSS },
166 	{ EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt,
167 	    FLAG_RSA_PSS },
168 	{ EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt,
169 	    FLAG_RSA_PSS },
170 };
171 
172 int	_dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t);
173 int	_dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *,
174 	    uint8_t **);
175 int	_dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *);
176 int	_dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t);
177 
178 struct iked_hash *
hash_new(uint8_t type,uint16_t id)179 hash_new(uint8_t type, uint16_t id)
180 {
181 	struct iked_hash	*hash;
182 	const EVP_MD		*md = NULL;
183 	int			 length = 0, fixedkey = 0, trunc = 0, isaead = 0;
184 
185 	switch (type) {
186 	case IKEV2_XFORMTYPE_PRF:
187 		switch (id) {
188 		case IKEV2_XFORMPRF_HMAC_MD5:
189 			md = EVP_md5();
190 			length = MD5_DIGEST_LENGTH;
191 			break;
192 		case IKEV2_XFORMPRF_HMAC_SHA1:
193 			md = EVP_sha1();
194 			length = SHA_DIGEST_LENGTH;
195 			break;
196 		case IKEV2_XFORMPRF_HMAC_SHA2_256:
197 			md = EVP_sha256();
198 			length = SHA256_DIGEST_LENGTH;
199 			break;
200 		case IKEV2_XFORMPRF_HMAC_SHA2_384:
201 			md = EVP_sha384();
202 			length = SHA384_DIGEST_LENGTH;
203 			break;
204 		case IKEV2_XFORMPRF_HMAC_SHA2_512:
205 			md = EVP_sha512();
206 			length = SHA512_DIGEST_LENGTH;
207 			break;
208 		case IKEV2_XFORMPRF_AES128_XCBC:
209 			fixedkey = 128 / 8;
210 			length = fixedkey;
211 			/* FALLTHROUGH */
212 		case IKEV2_XFORMPRF_HMAC_TIGER:
213 		case IKEV2_XFORMPRF_AES128_CMAC:
214 		default:
215 			log_debug("%s: prf %s not supported", __func__,
216 			    print_map(id, ikev2_xformprf_map));
217 			break;
218 		}
219 		break;
220 	case IKEV2_XFORMTYPE_INTEGR:
221 		switch (id) {
222 		case IKEV2_XFORMAUTH_HMAC_MD5_96:
223 			md = EVP_md5();
224 			length = MD5_DIGEST_LENGTH;
225 			trunc = 12;
226 			break;
227 		case IKEV2_XFORMAUTH_HMAC_SHA1_96:
228 			md = EVP_sha1();
229 			length = SHA_DIGEST_LENGTH;
230 			trunc = 12;
231 			break;
232 		case IKEV2_XFORMAUTH_HMAC_SHA2_256_128:
233 			md = EVP_sha256();
234 			length = SHA256_DIGEST_LENGTH;
235 			trunc = 16;
236 			break;
237 		case IKEV2_XFORMAUTH_HMAC_SHA2_384_192:
238 			md = EVP_sha384();
239 			length = SHA384_DIGEST_LENGTH;
240 			trunc = 24;
241 			break;
242 		case IKEV2_XFORMAUTH_HMAC_SHA2_512_256:
243 			md = EVP_sha512();
244 			length = SHA512_DIGEST_LENGTH;
245 			trunc = 32;
246 			break;
247 		case IKEV2_XFORMAUTH_AES_GCM_12:
248 			length = 12;
249 			isaead = 1;
250 			break;
251 		case IKEV2_XFORMAUTH_AES_GCM_16:
252 			length = 16;
253 			isaead = 1;
254 			break;
255 		case IKEV2_XFORMAUTH_NONE:
256 		case IKEV2_XFORMAUTH_DES_MAC:
257 		case IKEV2_XFORMAUTH_KPDK_MD5:
258 		case IKEV2_XFORMAUTH_AES_XCBC_96:
259 		case IKEV2_XFORMAUTH_HMAC_MD5_128:
260 		case IKEV2_XFORMAUTH_HMAC_SHA1_160:
261 		case IKEV2_XFORMAUTH_AES_CMAC_96:
262 		case IKEV2_XFORMAUTH_AES_128_GMAC:
263 		case IKEV2_XFORMAUTH_AES_192_GMAC:
264 		case IKEV2_XFORMAUTH_AES_256_GMAC:
265 		default:
266 			log_debug("%s: auth %s not supported", __func__,
267 			    print_map(id, ikev2_xformauth_map));
268 			break;
269 		}
270 		break;
271 	default:
272 		log_debug("%s: hash type %s not supported", __func__,
273 		    print_map(id, ikev2_xformtype_map));
274 		break;
275 	}
276 	if (!isaead && md == NULL)
277 		return (NULL);
278 
279 	if ((hash = calloc(1, sizeof(*hash))) == NULL) {
280 		log_debug("%s: alloc hash", __func__);
281 		return (NULL);
282 	}
283 
284 	hash->hash_type = type;
285 	hash->hash_id = id;
286 	hash->hash_priv = md;
287 	hash->hash_ctx = NULL;
288 	hash->hash_trunc = trunc;
289 	hash->hash_length = length;
290 	hash->hash_fixedkey = fixedkey;
291 	hash->hash_isaead = isaead;
292 
293 	if (isaead)
294 		return (hash);
295 
296 	hash->hash_ctx = HMAC_CTX_new();
297 	if (hash->hash_ctx == NULL) {
298 		log_debug("%s: alloc hash ctx", __func__);
299 		hash_free(hash);
300 		return (NULL);
301 	}
302 
303 	return (hash);
304 }
305 
306 struct ibuf *
hash_setkey(struct iked_hash * hash,void * key,size_t keylen)307 hash_setkey(struct iked_hash *hash, void *key, size_t keylen)
308 {
309 	ibuf_free(hash->hash_key);
310 	if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) {
311 		log_debug("%s: alloc hash key", __func__);
312 		return (NULL);
313 	}
314 	return (hash->hash_key);
315 }
316 
317 void
hash_free(struct iked_hash * hash)318 hash_free(struct iked_hash *hash)
319 {
320 	if (hash == NULL)
321 		return;
322 	HMAC_CTX_free(hash->hash_ctx);
323 	ibuf_free(hash->hash_key);
324 	free(hash);
325 }
326 
327 void
hash_init(struct iked_hash * hash)328 hash_init(struct iked_hash *hash)
329 {
330 	HMAC_Init_ex(hash->hash_ctx, ibuf_data(hash->hash_key),
331 	    ibuf_size(hash->hash_key), hash->hash_priv, NULL);
332 }
333 
334 void
hash_update(struct iked_hash * hash,void * buf,size_t len)335 hash_update(struct iked_hash *hash, void *buf, size_t len)
336 {
337 	HMAC_Update(hash->hash_ctx, buf, len);
338 }
339 
340 void
hash_final(struct iked_hash * hash,void * buf,size_t * len)341 hash_final(struct iked_hash *hash, void *buf, size_t *len)
342 {
343 	unsigned int	 length = 0;
344 
345 	HMAC_Final(hash->hash_ctx, buf, &length);
346 	*len = (size_t)length;
347 
348 	/* Truncate the result if required by the alg */
349 	if (hash->hash_trunc && *len > hash->hash_trunc)
350 		*len = hash->hash_trunc;
351 }
352 
353 size_t
hash_length(struct iked_hash * hash)354 hash_length(struct iked_hash *hash)
355 {
356 	if (hash->hash_trunc)
357 		return (hash->hash_trunc);
358 	return (hash->hash_length);
359 }
360 
361 size_t
hash_keylength(struct iked_hash * hash)362 hash_keylength(struct iked_hash *hash)
363 {
364 	return (hash->hash_length);
365 }
366 
367 struct iked_cipher *
cipher_new(uint8_t type,uint16_t id,uint16_t id_length)368 cipher_new(uint8_t type, uint16_t id, uint16_t id_length)
369 {
370 	struct iked_cipher	*encr;
371 	const EVP_CIPHER	*cipher = NULL;
372 	int			 length = 0, fixedkey = 0, ivlength = 0;
373 	int			 saltlength = 0, authid = 0;
374 
375 	switch (type) {
376 	case IKEV2_XFORMTYPE_ENCR:
377 		switch (id) {
378 		case IKEV2_XFORMENCR_3DES:
379 			cipher = EVP_des_ede3_cbc();
380 			length = EVP_CIPHER_block_size(cipher);
381 			fixedkey = EVP_CIPHER_key_length(cipher);
382 			ivlength = EVP_CIPHER_iv_length(cipher);
383 			break;
384 		case IKEV2_XFORMENCR_AES_CBC:
385 			switch (id_length) {
386 			case 128:
387 				cipher = EVP_aes_128_cbc();
388 				break;
389 			case 192:
390 				cipher = EVP_aes_192_cbc();
391 				break;
392 			case 256:
393 				cipher = EVP_aes_256_cbc();
394 				break;
395 			default:
396 				log_debug("%s: invalid key length %d"
397 				    " for cipher %s", __func__, id_length,
398 				    print_map(id, ikev2_xformencr_map));
399 				break;
400 			}
401 			if (cipher == NULL)
402 				break;
403 			length = EVP_CIPHER_block_size(cipher);
404 			ivlength = EVP_CIPHER_iv_length(cipher);
405 			fixedkey = EVP_CIPHER_key_length(cipher);
406 			break;
407 		case IKEV2_XFORMENCR_AES_GCM_16:
408 		case IKEV2_XFORMENCR_AES_GCM_12:
409 			switch (id_length) {
410 			case 128:
411 				cipher = EVP_aes_128_gcm();
412 				break;
413 			case 256:
414 				cipher = EVP_aes_256_gcm();
415 				break;
416 			default:
417 				log_debug("%s: invalid key length %d"
418 				    " for cipher %s", __func__, id_length,
419 				    print_map(id, ikev2_xformencr_map));
420 				break;
421 			}
422 			if (cipher == NULL)
423 				break;
424 			switch(id) {
425 			case IKEV2_XFORMENCR_AES_GCM_16:
426 				authid = IKEV2_XFORMAUTH_AES_GCM_16;
427 				break;
428 			case IKEV2_XFORMENCR_AES_GCM_12:
429 				authid = IKEV2_XFORMAUTH_AES_GCM_12;
430 				break;
431 			}
432 			length = EVP_CIPHER_block_size(cipher);
433 			ivlength = 8;
434 			saltlength = 4;
435 			fixedkey = EVP_CIPHER_key_length(cipher) + saltlength;
436 			break;
437 		case IKEV2_XFORMENCR_DES_IV64:
438 		case IKEV2_XFORMENCR_DES:
439 		case IKEV2_XFORMENCR_RC5:
440 		case IKEV2_XFORMENCR_IDEA:
441 		case IKEV2_XFORMENCR_CAST:
442 		case IKEV2_XFORMENCR_BLOWFISH:
443 		case IKEV2_XFORMENCR_3IDEA:
444 		case IKEV2_XFORMENCR_DES_IV32:
445 		case IKEV2_XFORMENCR_NULL:
446 		case IKEV2_XFORMENCR_AES_CTR:
447 			/* FALLTHROUGH */
448 		default:
449 			log_debug("%s: cipher %s not supported", __func__,
450 			    print_map(id, ikev2_xformencr_map));
451 			cipher = NULL;
452 			break;
453 		}
454 		break;
455 	default:
456 		log_debug("%s: cipher type %s not supported", __func__,
457 		    print_map(id, ikev2_xformtype_map));
458 		break;
459 	}
460 	if (cipher == NULL)
461 		return (NULL);
462 
463 	if ((encr = calloc(1, sizeof(*encr))) == NULL) {
464 		log_debug("%s: alloc cipher", __func__);
465 		return (NULL);
466 	}
467 
468 	encr->encr_id = id;
469 	encr->encr_priv = cipher;
470 	encr->encr_ctx = NULL;
471 	encr->encr_length = length;
472 	encr->encr_fixedkey = fixedkey;
473 	encr->encr_ivlength = ivlength ? ivlength : length;
474 	encr->encr_saltlength = saltlength;
475 	encr->encr_authid = authid;
476 
477 	encr->encr_ctx = EVP_CIPHER_CTX_new();
478 	if (encr->encr_ctx == NULL) {
479 		log_debug("%s: alloc cipher ctx", __func__);
480 		cipher_free(encr);
481 		return (NULL);
482 	}
483 
484 	return (encr);
485 }
486 
487 struct ibuf *
cipher_setkey(struct iked_cipher * encr,const void * key,size_t keylen)488 cipher_setkey(struct iked_cipher *encr, const void *key, size_t keylen)
489 {
490 	ibuf_free(encr->encr_key);
491 	if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) {
492 		log_debug("%s: alloc cipher key", __func__);
493 		return (NULL);
494 	}
495 	return (encr->encr_key);
496 }
497 
498 struct ibuf *
cipher_setiv(struct iked_cipher * encr,const void * iv,size_t len)499 cipher_setiv(struct iked_cipher *encr, const void *iv, size_t len)
500 {
501 	ibuf_free(encr->encr_iv);
502 	encr->encr_iv = NULL;
503 	if (iv != NULL) {
504 		if (len < encr->encr_ivlength) {
505 			log_debug("%s: invalid IV length %zu", __func__, len);
506 			return (NULL);
507 		}
508 		encr->encr_iv = ibuf_new(iv, encr->encr_ivlength);
509 	} else {
510 		switch (encr->encr_id) {
511 		case IKEV2_XFORMENCR_AES_GCM_16:
512 		case IKEV2_XFORMENCR_AES_GCM_12:
513 			if (encr->encr_ivlength != sizeof(encr->encr_civ)) {
514 				log_info("%s: ivlen does not match %zu != %zu",
515 				    __func__, encr->encr_ivlength,
516 				    sizeof(encr->encr_civ));
517 				return (NULL);
518 			}
519 			encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ));
520 			encr->encr_civ++;
521 			break;
522 		default:
523 			/* Get new random IV */
524 			encr->encr_iv = ibuf_random(encr->encr_ivlength);
525 		}
526 	}
527 	if (encr->encr_iv == NULL) {
528 		log_debug("%s: failed to set IV", __func__);
529 		return (NULL);
530 	}
531 	return (encr->encr_iv);
532 }
533 
534 int
cipher_settag(struct iked_cipher * encr,uint8_t * data,size_t len)535 cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len)
536 {
537 	return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx,
538 	    EVP_CTRL_GCM_SET_TAG, len, data) != 1);
539 }
540 
541 int
cipher_gettag(struct iked_cipher * encr,uint8_t * data,size_t len)542 cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len)
543 {
544 	return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx,
545 	    EVP_CTRL_GCM_GET_TAG, len, data) != 1);
546 }
547 
548 void
cipher_free(struct iked_cipher * encr)549 cipher_free(struct iked_cipher *encr)
550 {
551 	if (encr == NULL)
552 		return;
553 	EVP_CIPHER_CTX_free(encr->encr_ctx);
554 	ibuf_free(encr->encr_iv);
555 	ibuf_free(encr->encr_key);
556 	free(encr);
557 }
558 
559 int
cipher_init(struct iked_cipher * encr,int enc)560 cipher_init(struct iked_cipher *encr, int enc)
561 {
562 	struct ibuf	*nonce = NULL;
563 	int		 ret = -1;
564 
565 	if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL,
566 	    NULL, NULL, enc) != 1)
567 		return (-1);
568 	if (encr->encr_saltlength > 0) {
569 		/* For AEADs the nonce is salt + IV  (see RFC5282) */
570 		nonce = ibuf_new(ibuf_seek(encr->encr_key,
571 		    ibuf_size(encr->encr_key) - encr->encr_saltlength,
572 		    encr->encr_saltlength), encr->encr_saltlength);
573 		if (nonce == NULL)
574 			return (-1);
575 		if (ibuf_add_buf(nonce, encr->encr_iv) != 0)
576 			goto done;
577 		if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL,
578 		    ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1)
579 			goto done;
580 	} else
581 		if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL,
582 		    ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1)
583 			return (-1);
584 	EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0);
585 	ret = 0;
586  done:
587 	ibuf_free(nonce);
588 	return (ret);
589 }
590 
591 int
cipher_init_encrypt(struct iked_cipher * encr)592 cipher_init_encrypt(struct iked_cipher *encr)
593 {
594 	return (cipher_init(encr, 1));
595 }
596 
597 int
cipher_init_decrypt(struct iked_cipher * encr)598 cipher_init_decrypt(struct iked_cipher *encr)
599 {
600 	return (cipher_init(encr, 0));
601 }
602 
603 void
cipher_aad(struct iked_cipher * encr,const void * in,size_t inlen,size_t * outlen)604 cipher_aad(struct iked_cipher *encr, const void *in, size_t inlen,
605     size_t *outlen)
606 {
607 	int	 olen = 0;
608 
609 	if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) {
610 		ca_sslerror(__func__);
611 		*outlen = 0;
612 		return;
613 	}
614 	*outlen = (size_t)olen;
615 }
616 
617 int
cipher_update(struct iked_cipher * encr,const void * in,size_t inlen,void * out,size_t * outlen)618 cipher_update(struct iked_cipher *encr, const void *in, size_t inlen,
619     void *out, size_t *outlen)
620 {
621 	int	 olen;
622 
623 	olen = 0;
624 	if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) {
625 		ca_sslerror(__func__);
626 		*outlen = 0;
627 		return (-1);
628 	}
629 	*outlen = (size_t)olen;
630 	return (0);
631 }
632 
633 int
cipher_final(struct iked_cipher * encr)634 cipher_final(struct iked_cipher *encr)
635 {
636 	int	 olen;
637 
638 	/*
639 	 * We always have EVP_CIPH_NO_PADDING set.  This means arg
640 	 * out is not used and olen should always be 0.
641 	 */
642 	if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) {
643 		ca_sslerror(__func__);
644 		return (-1);
645 	}
646 	return (0);
647 }
648 
649 size_t
cipher_length(struct iked_cipher * encr)650 cipher_length(struct iked_cipher *encr)
651 {
652 	return (encr->encr_length);
653 }
654 
655 size_t
cipher_keylength(struct iked_cipher * encr)656 cipher_keylength(struct iked_cipher *encr)
657 {
658 	if (encr->encr_fixedkey)
659 		return (encr->encr_fixedkey);
660 
661 	/* Might return zero */
662 	return (ibuf_length(encr->encr_key));
663 }
664 
665 size_t
cipher_ivlength(struct iked_cipher * encr)666 cipher_ivlength(struct iked_cipher *encr)
667 {
668 	return (encr->encr_ivlength);
669 }
670 
671 size_t
cipher_outlength(struct iked_cipher * encr,size_t inlen)672 cipher_outlength(struct iked_cipher *encr, size_t inlen)
673 {
674 	return (roundup(inlen, encr->encr_length));
675 }
676 
677 struct iked_dsa *
dsa_new(uint8_t id,struct iked_hash * prf,int sign)678 dsa_new(uint8_t id, struct iked_hash *prf, int sign)
679 {
680 	struct iked_dsa		*dsap = NULL, dsa;
681 
682 	bzero(&dsa, sizeof(dsa));
683 
684 	switch (id) {
685 	case IKEV2_AUTH_SIG:
686 		if (sign)
687 			dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */
688 		else
689 			dsa.dsa_priv = NULL; /* set later by dsa_init() */
690 		break;
691 	case IKEV2_AUTH_RSA_SIG:
692 		/* RFC5996 says we SHOULD use SHA1 here */
693 		dsa.dsa_priv = EVP_sha1();
694 		break;
695 	case IKEV2_AUTH_SHARED_KEY_MIC:
696 		if (prf == NULL || prf->hash_priv == NULL)
697 			fatalx("dsa_new: invalid PRF");
698 		dsa.dsa_priv = prf->hash_priv;
699 		dsa.dsa_hmac = 1;
700 		break;
701 	case IKEV2_AUTH_DSS_SIG:
702 		dsa.dsa_priv = EVP_sha1();
703 		break;
704 	case IKEV2_AUTH_ECDSA_256:
705 		dsa.dsa_priv = EVP_sha256();
706 		break;
707 	case IKEV2_AUTH_ECDSA_384:
708 		dsa.dsa_priv = EVP_sha384();
709 		break;
710 	case IKEV2_AUTH_ECDSA_521:
711 		dsa.dsa_priv = EVP_sha512();
712 		break;
713 	default:
714 		log_debug("%s: auth method %s not supported", __func__,
715 		    print_map(id, ikev2_auth_map));
716 		break;
717 	}
718 
719 	if ((dsap = calloc(1, sizeof(*dsap))) == NULL) {
720 		log_debug("%s: alloc dsa ctx", __func__);
721 
722 		return (NULL);
723 	}
724 	memcpy(dsap, &dsa, sizeof(*dsap));
725 
726 	dsap->dsa_method = id;
727 	dsap->dsa_sign = sign;
728 
729 	if (dsap->dsa_hmac) {
730 		if ((dsap->dsa_ctx = HMAC_CTX_new()) == NULL) {
731 			log_debug("%s: alloc hash ctx", __func__);
732 			dsa_free(dsap);
733 			return (NULL);
734 		}
735 	} else {
736 		if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) {
737 			log_debug("%s: alloc digest ctx", __func__);
738 			dsa_free(dsap);
739 			return (NULL);
740 		}
741 	}
742 
743 	return (dsap);
744 }
745 
746 struct iked_dsa *
dsa_sign_new(uint8_t id,struct iked_hash * prf)747 dsa_sign_new(uint8_t id, struct iked_hash *prf)
748 {
749 	return (dsa_new(id, prf, 1));
750 }
751 
752 struct iked_dsa *
dsa_verify_new(uint8_t id,struct iked_hash * prf)753 dsa_verify_new(uint8_t id, struct iked_hash *prf)
754 {
755 	return (dsa_new(id, prf, 0));
756 }
757 
758 void
dsa_free(struct iked_dsa * dsa)759 dsa_free(struct iked_dsa *dsa)
760 {
761 	if (dsa == NULL)
762 		return;
763 	if (dsa->dsa_hmac) {
764 		HMAC_CTX_free((HMAC_CTX *)dsa->dsa_ctx);
765 	} else {
766 		EVP_MD_CTX_free((EVP_MD_CTX *)dsa->dsa_ctx);
767 		EVP_PKEY_free(dsa->dsa_key);
768 	}
769 
770 	ibuf_free(dsa->dsa_keydata);
771 	free(dsa);
772 }
773 
774 struct ibuf *
dsa_setkey(struct iked_dsa * dsa,void * key,size_t keylen,uint8_t type)775 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type)
776 {
777 	BIO		*rawcert = NULL;
778 	X509		*cert = NULL;
779 	RSA		*rsa = NULL;
780 	EC_KEY		*ec = NULL;
781 	EVP_PKEY	*pkey = NULL;
782 
783 	ibuf_free(dsa->dsa_keydata);
784 	if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) {
785 		log_debug("%s: alloc signature key", __func__);
786 		return (NULL);
787 	}
788 
789 	if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL)
790 		goto err;
791 
792 	switch (type) {
793 	case IKEV2_CERT_X509_CERT:
794 		if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL)
795 			goto sslerr;
796 		if ((pkey = X509_get_pubkey(cert)) == NULL)
797 			goto sslerr;
798 		dsa->dsa_key = pkey;
799 		break;
800 	case IKEV2_CERT_RSA_KEY:
801 		if (dsa->dsa_sign) {
802 			if ((rsa = d2i_RSAPrivateKey_bio(rawcert,
803 			    NULL)) == NULL)
804 				goto sslerr;
805 		} else {
806 			if ((rsa = d2i_RSAPublicKey_bio(rawcert,
807 			    NULL)) == NULL)
808 				goto sslerr;
809 		}
810 
811 		if ((pkey = EVP_PKEY_new()) == NULL)
812 			goto sslerr;
813 		if (!EVP_PKEY_set1_RSA(pkey, rsa))
814 			goto sslerr;
815 
816 		RSA_free(rsa);		/* pkey now has the reference */
817 		dsa->dsa_key = pkey;
818 		break;
819 	case IKEV2_CERT_ECDSA:
820 		if (dsa->dsa_sign) {
821 			if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL)
822 				goto sslerr;
823 		} else {
824 			if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL)
825 				goto sslerr;
826 		}
827 
828 		if ((pkey = EVP_PKEY_new()) == NULL)
829 			goto sslerr;
830 		if (!EVP_PKEY_set1_EC_KEY(pkey, ec))
831 			goto sslerr;
832 
833 		EC_KEY_free(ec);	/* pkey now has the reference */
834 		dsa->dsa_key = pkey;
835 		break;
836 	default:
837 		if (dsa->dsa_hmac)
838 			break;
839 		log_debug("%s: unsupported key type", __func__);
840 		goto err;
841 	}
842 
843 	X509_free(cert);
844 	BIO_free(rawcert);	/* temporary for parsing */
845 
846 	return (dsa->dsa_keydata);
847 
848  sslerr:
849 	ca_sslerror(__func__);
850  err:
851 	log_debug("%s: error", __func__);
852 
853 	RSA_free(rsa);
854 	EC_KEY_free(ec);
855 	EVP_PKEY_free(pkey);
856 	X509_free(cert);
857 	BIO_free(rawcert);
858 	ibuf_free(dsa->dsa_keydata);
859 	dsa->dsa_keydata = NULL;
860 	return (NULL);
861 }
862 
863 int
_dsa_verify_init(struct iked_dsa * dsa,const uint8_t * sig,size_t len)864 _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len)
865 {
866 	uint8_t			 oidlen;
867 	size_t			 i;
868 	int			 keytype;
869 
870 	if (dsa->dsa_priv != NULL)
871 		return (0);
872 	/*
873 	 * For IKEV2_AUTH_SIG the oid of the authentication signature
874 	 * is encoded in the first bytes of the auth message.
875 	 */
876 	if (dsa->dsa_method != IKEV2_AUTH_SIG)  {
877 		log_debug("%s: dsa_priv not set for %s", __func__,
878 		    print_map(dsa->dsa_method, ikev2_auth_map));
879 		return (-1);
880 	}
881 	if (dsa->dsa_key == NULL) {
882 		log_debug("%s: dsa_key not set for %s", __func__,
883 		    print_map(dsa->dsa_method, ikev2_auth_map));
884 		return (-1);
885 	}
886 	keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key)));
887 	if (sig == NULL) {
888 		log_debug("%s: signature missing", __func__);
889 		return (-1);
890 	}
891 	if (len < sizeof(oidlen)) {
892 		log_debug("%s: signature (%zu) too small for oid length",
893 		    __func__, len);
894 		return (-1);
895 	}
896 	memcpy(&oidlen, sig, sizeof(oidlen));
897 	if (len < (size_t)oidlen + sizeof(oidlen)) {
898 		log_debug("%s: signature (%zu) too small for oid (%u)",
899 		    __func__, len, oidlen);
900 		return (-1);
901 	}
902 	for (i = 0; i < nitems(schemes); i++) {
903 		if (keytype == schemes[i].sc_keytype &&
904 		    oidlen == schemes[i].sc_len &&
905 		    memcmp(sig + 1, schemes[i].sc_oid,
906 		    schemes[i].sc_len) == 0) {
907 			dsa->dsa_priv = (*schemes[i].sc_md)();
908 			dsa->dsa_flags = schemes[i].sc_flags;
909 			log_debug("%s: signature scheme %zd selected",
910 			    __func__, i);
911 			return (0);
912 		}
913 	}
914 	log_debug("%s: unsupported signature (%d)", __func__, oidlen);
915 	return (-1);
916 }
917 
918 int
dsa_init(struct iked_dsa * dsa,const void * buf,size_t len)919 dsa_init(struct iked_dsa *dsa, const void *buf, size_t len)
920 {
921 	int		 ret;
922 	EVP_PKEY_CTX	*pctx = NULL;
923 
924 	if (dsa->dsa_hmac) {
925 		if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata),
926 		    ibuf_size(dsa->dsa_keydata), dsa->dsa_priv, NULL))
927 			return (-1);
928 		return (0);
929 	}
930 
931 	if (dsa->dsa_sign) {
932 		if (force_rsa_pss &&
933 		    EVP_PKEY_base_id(dsa->dsa_key) == EVP_PKEY_RSA)
934 			dsa->dsa_flags = FLAG_RSA_PSS;
935 		ret = EVP_DigestSignInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv,
936 		    NULL, dsa->dsa_key);
937 	} else {
938 		/* sets dsa_priv, dsa_flags */
939 		if ((ret = _dsa_verify_init(dsa, buf, len)) != 0)
940 			return (ret);
941 		ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv,
942 		    NULL, dsa->dsa_key);
943 	}
944 	if (ret == 1 && dsa->dsa_flags == FLAG_RSA_PSS) {
945 		if (EVP_PKEY_CTX_set_rsa_padding(pctx,
946 		    RSA_PKCS1_PSS_PADDING) <= 0 ||
947 		    EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0)
948 			return (-1);
949 	}
950 	if (_dsa_sign_encode(dsa, NULL, 0, NULL) < 0)
951 		return (-1);
952 
953 	return (ret == 1 ? 0 : -1);
954 }
955 
956 int
dsa_update(struct iked_dsa * dsa,const void * buf,size_t len)957 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len)
958 {
959 	int	ret;
960 
961 	if (dsa->dsa_hmac)
962 		ret = HMAC_Update(dsa->dsa_ctx, buf, len);
963 	else if (dsa->dsa_sign)
964 		ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len);
965 	else
966 		ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len);
967 
968 	return (ret == 1 ? 0 : -1);
969 }
970 
971 /* Prefix signature hash with encoded type */
972 int
_dsa_sign_encode(struct iked_dsa * dsa,uint8_t * ptr,size_t len,size_t * offp)973 _dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp)
974 {
975 	int		 keytype;
976 	size_t		 i, need;
977 
978 	if (offp)
979 		*offp = 0;
980 	if (dsa->dsa_method != IKEV2_AUTH_SIG)
981 		return (0);
982 	if (dsa->dsa_key == NULL)
983 		return (-1);
984 	keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key)));
985 	for (i = 0; i < nitems(schemes); i++) {
986 		/* XXX should avoid calling sc_md() each time... */
987 		if (keytype == schemes[i].sc_keytype &&
988 		    dsa->dsa_flags == schemes[i].sc_flags &&
989 		    (dsa->dsa_priv == (*schemes[i].sc_md)()))
990 			break;
991 	}
992 	if (i >= nitems(schemes))
993 		return (-1);
994 	log_debug("%s: signature scheme %zd selected", __func__, i);
995 	need = sizeof(ptr[0]) + schemes[i].sc_len;
996 	if (ptr) {
997 		if (len < need)
998 			return (-1);
999 		ptr[0] = schemes[i].sc_len;
1000 		memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid,
1001 		    schemes[i].sc_len);
1002 	}
1003 	if (offp)
1004 		*offp = need;
1005 	return (0);
1006 }
1007 
1008 /* Export size of encoded signature hash type */
1009 size_t
dsa_prefix(struct iked_dsa * dsa)1010 dsa_prefix(struct iked_dsa *dsa)
1011 {
1012 	size_t		off = 0;
1013 
1014 	if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0)
1015 		fatal("dsa_prefix: internal error");
1016 	return off;
1017 }
1018 
1019 size_t
dsa_length(struct iked_dsa * dsa)1020 dsa_length(struct iked_dsa *dsa)
1021 {
1022 	if (dsa->dsa_hmac)
1023 		return (EVP_MD_size(dsa->dsa_priv));
1024 	switch (dsa->dsa_method) {
1025 	case IKEV2_AUTH_ECDSA_256:
1026 	case IKEV2_AUTH_ECDSA_384:
1027 	case IKEV2_AUTH_ECDSA_521:
1028 		/* size of concat(r|s) */
1029 		return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8));
1030 	}
1031 	return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key));
1032 }
1033 
1034 int
_dsa_sign_ecdsa(struct iked_dsa * dsa,uint8_t * ptr,size_t len)1035 _dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len)
1036 {
1037 	ECDSA_SIG	*obj = NULL;
1038 	uint8_t		*tmp = NULL;
1039 	const uint8_t	*p;
1040 	size_t		 tmplen;
1041 	int		 ret = -1;
1042 	int		 bnlen, off;
1043 	const BIGNUM	*r, *s;
1044 
1045 	if (len % 2)
1046 		goto done;	/* must be even */
1047 	bnlen = len/2;
1048 	/*
1049 	 * (a) create DER signature into 'tmp' buffer
1050 	 * (b) convert buffer to ECDSA_SIG object
1051 	 * (c) concatenate the padded r|s BIGNUMS into 'ptr'
1052 	 */
1053 	if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1)
1054 		goto done;
1055 	if ((tmp = calloc(1, tmplen)) == NULL)
1056 		goto done;
1057 	if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1)
1058 		goto done;
1059 	p = tmp;
1060 	if ((obj = d2i_ECDSA_SIG(NULL, &p, tmplen)) == NULL)
1061 		goto done;
1062 	ECDSA_SIG_get0(obj, &r, &s);
1063 	if (BN_num_bytes(r) > bnlen || BN_num_bytes(s) > bnlen)
1064 		goto done;
1065 	memset(ptr, 0, len);
1066 	off = bnlen - BN_num_bytes(r);
1067 	BN_bn2bin(r, ptr + off);
1068 	off = 2 * bnlen - BN_num_bytes(s);
1069 	BN_bn2bin(s, ptr + off);
1070 	ret = 0;
1071  done:
1072 	free(tmp);
1073 	ECDSA_SIG_free(obj);
1074 
1075 	return (ret);
1076 }
1077 
1078 ssize_t
dsa_sign_final(struct iked_dsa * dsa,void * buf,size_t len)1079 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len)
1080 {
1081 	unsigned int	 hmaclen;
1082 	size_t		 off = 0;
1083 	uint8_t		*ptr = buf;
1084 
1085 	if (len < dsa_length(dsa))
1086 		return (-1);
1087 
1088 	if (dsa->dsa_hmac) {
1089 		if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen))
1090 			return (-1);
1091 		if (hmaclen > INT_MAX)
1092 			return (-1);
1093 		return (ssize_t)hmaclen;
1094 	} else {
1095 		switch (dsa->dsa_method) {
1096 		case IKEV2_AUTH_ECDSA_256:
1097 		case IKEV2_AUTH_ECDSA_384:
1098 		case IKEV2_AUTH_ECDSA_521:
1099 			if (_dsa_sign_ecdsa(dsa, buf, len) < 0)
1100 				return (-1);
1101 			return (len);
1102 		default:
1103 			if (_dsa_sign_encode(dsa, ptr, len, &off) < 0)
1104 				return (-1);
1105 			if (off > len)
1106 				return (-1);
1107 			len -= off;
1108 			ptr += off;
1109 			if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1)
1110 				return (-1);
1111 			return (len + off);
1112 		}
1113 	}
1114 	return (-1);
1115 }
1116 
1117 int
_dsa_verify_prepare(struct iked_dsa * dsa,uint8_t ** sigp,size_t * lenp,uint8_t ** freemep)1118 _dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp,
1119     uint8_t **freemep)
1120 {
1121 	ECDSA_SIG	*obj = NULL;
1122 	uint8_t		*ptr = NULL;
1123 	size_t		 bnlen, off;
1124 	ssize_t		 len;
1125 	int		 ret = -1;
1126 	BIGNUM		*r = NULL, *s = NULL;
1127 
1128 	*freemep = NULL;	/* don't return garbage in case of an error */
1129 
1130 	switch (dsa->dsa_method) {
1131 	case IKEV2_AUTH_SIG:
1132 		/*
1133 		 * The first byte of the signature encodes the OID
1134 		 * prefix length which we need to skip.
1135 		 */
1136 		off = (*sigp)[0] + 1;
1137 		*sigp = *sigp + off;
1138 		*lenp = *lenp - off;
1139 		*freemep = NULL;
1140 		ret = 0;
1141 		break;
1142 	case IKEV2_AUTH_ECDSA_256:
1143 	case IKEV2_AUTH_ECDSA_384:
1144 	case IKEV2_AUTH_ECDSA_521:
1145 		/*
1146 		 * sigp points to concatenation r|s, while EVP_VerifyFinal()
1147 		 * expects the signature as a DER-encoded blob (of the two
1148 		 * values), so we need to convert the signature in a new
1149 		 * buffer (we cannot override the given buffer) and the caller
1150 		 * has to free this buffer ('freeme').
1151 		 */
1152 		if (*lenp < 64 || *lenp > 132 || *lenp % 2)
1153 			goto done;
1154 		bnlen = (*lenp)/2;
1155 		/* sigp points to concatenation: r|s */
1156 		if ((obj = ECDSA_SIG_new()) == NULL ||
1157 		    (r = BN_bin2bn(*sigp, bnlen, NULL)) == NULL ||
1158 		    (s = BN_bin2bn(*sigp+bnlen, bnlen, NULL)) == NULL ||
1159 		    ECDSA_SIG_set0(obj, r, s) == 0 ||
1160 		    (len = i2d_ECDSA_SIG(obj, &ptr)) <= 0)
1161 			goto done;
1162 		r = s = NULL;
1163 		*lenp = len;
1164 		*sigp = ptr;
1165 		*freemep = ptr;
1166 		ptr = NULL;
1167 		ret = 0;
1168 		break;
1169 	default:
1170 		return (0);
1171 	}
1172  done:
1173 	BN_clear_free(r);
1174 	BN_clear_free(s);
1175 	free(ptr);
1176 	ECDSA_SIG_free(obj);
1177 
1178 	return (ret);
1179 }
1180 
1181 ssize_t
dsa_verify_final(struct iked_dsa * dsa,void * buf,size_t len)1182 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len)
1183 {
1184 	uint8_t		 sig[EVP_MAX_MD_SIZE];
1185 	uint8_t		*ptr = buf, *freeme = NULL;
1186 	unsigned int	 siglen = sizeof(sig);
1187 
1188 	if (dsa->dsa_hmac) {
1189 		if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen))
1190 			return (-1);
1191 		if (siglen != len || memcmp(buf, sig, siglen) != 0)
1192 			return (-1);
1193 	} else {
1194 		if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0)
1195 			return (-1);
1196 		if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) {
1197 			OPENSSL_free(freeme);
1198 			ca_sslerror(__func__);
1199 			return (-1);
1200 		}
1201 		OPENSSL_free(freeme);
1202 	}
1203 
1204 	return (0);
1205 }
1206