1 /*
2 Bacula(R) - The Network Backup Solution
3
4 Copyright (C) 2000-2020 Kern Sibbald
5
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
8
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
13
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
16
17 Bacula(R) is a registered trademark of Kern Sibbald.
18 */
19 /*
20 * crypto.c Encryption support functions
21 *
22 * Author: Landon Fuller <landonf@opendarwin.org>
23 *
24 * This file was contributed to the Bacula project by Landon Fuller.
25 *
26 * Landon Fuller has been granted a perpetual, worldwide, non-exclusive,
27 * no-charge, royalty-free, irrevocable copyright license to reproduce,
28 * prepare derivative works of, publicly display, publicly perform,
29 * sublicense, and distribute the original work contributed by Landon Fuller
30 * to the Bacula project in source or object form.
31 *
32 * If you wish to license these contributions under an alternate open source
33 * license please contact Landon Fuller <landonf@opendarwin.org>.
34 */
35
36
37 #include "bacula.h"
38 #include "jcr.h"
39 #include <assert.h>
40
41 /**
42 * For OpenSSL version 1.x, EVP_PKEY_encrypt no longer
43 * exists. It was not an official API.
44 */
45 #ifdef HAVE_OPENSSLv1
46 #define EVP_PKEY_encrypt EVP_PKEY_encrypt_old
47 #define EVP_PKEY_decrypt EVP_PKEY_decrypt_old
48 #endif
49
50 /*
51 * Bacula ASN.1 Syntax
52 *
53 * OID Allocation:
54 * Prefix: iso.org.dod.internet.private.enterprise.threerings.external.bacula (1.3.6.1.4.1.22054.500.2)
55 * Organization: Bacula Project
56 * Contact Name: Kern Sibbald
57 * Contact E-mail: kern@sibbald.com
58 *
59 * Top Level Allocations - 500.2
60 * 1 - Published Allocations
61 * 1.1 - Bacula Encryption
62 *
63 * Bacula Encryption - 500.2.1.1
64 * 1 - ASN.1 Modules
65 * 1.1 - BaculaCrypto
66 * 2 - ASN.1 Object Identifiers
67 * 2.1 - SignatureData
68 * 2.2 - SignerInfo
69 * 2.3 - CryptoData
70 * 2.4 - RecipientInfo
71 *
72 * BaculaCrypto { iso(1) identified-organization(3) usdod(6)
73 * internet(1) private(4) enterprises(1) three-rings(22054)
74 * external(500) bacula(2) published(1) bacula-encryption(1)
75 * asn1-modules(1) bacula-crypto(1) }
76 *
77 * DEFINITIONS AUTOMATIC TAGS ::=
78 * BEGIN
79 *
80 * SignatureData ::= SEQUENCE {
81 * version Version DEFAULT v0,
82 * signerInfo SignerInfo }
83 *
84 * CryptoData ::= SEQUENCE {
85 * version Version DEFAULT v0,
86 * contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
87 * iv InitializationVector,
88 * recipientInfo RecipientInfo
89 * }
90 *
91 * SignerInfo ::= SET OF SignerInfo
92 * RecipientInfo ::= SET OF RecipientInfo
93 *
94 * Version ::= INTEGER { v0(0) }
95 *
96 * SignerInfo ::= SEQUENCE {
97 * version Version,
98 * subjectKeyIdentifier SubjectKeyIdentifier,
99 * digestAlgorithm DigestAlgorithmIdentifier,
100 * signatureAlgorithm SignatureAlgorithmIdentifier,
101 * signature SignatureValue }
102 *
103 * RecipientInfo ::= SEQUENCE {
104 * version Version
105 * subjectKeyIdentifier SubjectKeyIdentifier
106 * keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier
107 * encryptedKey EncryptedKey
108 * }
109 *
110 * SubjectKeyIdentifier ::= OCTET STRING
111 *
112 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
113 *
114 * SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
115 *
116 * KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
117 *
118 * ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
119 *
120 * InitializationVector ::= OCTET STRING
121 *
122 * SignatureValue ::= OCTET STRING
123 *
124 * EncryptedKey ::= OCTET STRING
125 *
126 * AlgorithmIdentifier ::= OBJECT IDENTIFIER
127 *
128 * END
129 */
130
131 #ifdef HAVE_CRYPTO /* Is encryption enabled? */
132 #ifdef HAVE_OPENSSL /* How about OpenSSL? */
133
134 #include "openssl-compat.h"
135
136 /* ASN.1 Declarations */
137 #define BACULA_ASN1_VERSION 0
138
139 typedef struct {
140 ASN1_INTEGER *version;
141 ASN1_OCTET_STRING *subjectKeyIdentifier;
142 ASN1_OBJECT *digestAlgorithm;
143 ASN1_OBJECT *signatureAlgorithm;
144 ASN1_OCTET_STRING *signature;
145 } SignerInfo;
146
147 typedef struct {
148 ASN1_INTEGER *version;
149 ASN1_OCTET_STRING *subjectKeyIdentifier;
150 ASN1_OBJECT *keyEncryptionAlgorithm;
151 ASN1_OCTET_STRING *encryptedKey;
152 } RecipientInfo;
153
154 ASN1_SEQUENCE(SignerInfo) = {
155 ASN1_SIMPLE(SignerInfo, version, ASN1_INTEGER),
156 ASN1_SIMPLE(SignerInfo, subjectKeyIdentifier, ASN1_OCTET_STRING),
157 ASN1_SIMPLE(SignerInfo, digestAlgorithm, ASN1_OBJECT),
158 ASN1_SIMPLE(SignerInfo, signatureAlgorithm, ASN1_OBJECT),
159 ASN1_SIMPLE(SignerInfo, signature, ASN1_OCTET_STRING)
160 } ASN1_SEQUENCE_END(SignerInfo);
161
162 ASN1_SEQUENCE(RecipientInfo) = {
163 ASN1_SIMPLE(RecipientInfo, version, ASN1_INTEGER),
164 ASN1_SIMPLE(RecipientInfo, subjectKeyIdentifier, ASN1_OCTET_STRING),
165 ASN1_SIMPLE(RecipientInfo, keyEncryptionAlgorithm, ASN1_OBJECT),
166 ASN1_SIMPLE(RecipientInfo, encryptedKey, ASN1_OCTET_STRING),
167 } ASN1_SEQUENCE_END(RecipientInfo);
168
169 typedef struct {
170 ASN1_INTEGER *version;
171 STACK_OF(SignerInfo) *signerInfo;
172 } SignatureData;
173
174 typedef struct {
175 ASN1_INTEGER *version;
176 ASN1_OBJECT *contentEncryptionAlgorithm;
177 ASN1_OCTET_STRING *iv;
178 STACK_OF(RecipientInfo) *recipientInfo;
179 } CryptoData;
180
181 ASN1_SEQUENCE(SignatureData) = {
182 ASN1_SIMPLE(SignatureData, version, ASN1_INTEGER),
183 ASN1_SET_OF(SignatureData, signerInfo, SignerInfo),
184 } ASN1_SEQUENCE_END(SignatureData);
185
186 ASN1_SEQUENCE(CryptoData) = {
187 ASN1_SIMPLE(CryptoData, version, ASN1_INTEGER),
188 ASN1_SIMPLE(CryptoData, contentEncryptionAlgorithm, ASN1_OBJECT),
189 ASN1_SIMPLE(CryptoData, iv, ASN1_OCTET_STRING),
190 ASN1_SET_OF(CryptoData, recipientInfo, RecipientInfo)
191 } ASN1_SEQUENCE_END(CryptoData);
192
193 IMPLEMENT_ASN1_FUNCTIONS(SignerInfo)
194 IMPLEMENT_ASN1_FUNCTIONS(RecipientInfo)
195 IMPLEMENT_ASN1_FUNCTIONS(SignatureData)
196 IMPLEMENT_ASN1_FUNCTIONS(CryptoData)
197
198 #if defined(DEFINE_STACK_OF)
199 DEFINE_STACK_OF(SignerInfo);
200 DEFINE_STACK_OF(RecipientInfo);
201 #else
202 /*
203 * SignerInfo and RecipientInfo stack macros, generated by OpenSSL's util/mkstack.pl.
204 */
205 #define sk_SignerInfo_new(st) SKM_sk_new(SignerInfo, (st))
206 #define sk_SignerInfo_new_null() SKM_sk_new_null(SignerInfo)
207 #define sk_SignerInfo_free(st) SKM_sk_free(SignerInfo, (st))
208 #define sk_SignerInfo_num(st) SKM_sk_num(SignerInfo, (st))
209 #define sk_SignerInfo_value(st, i) SKM_sk_value(SignerInfo, (st), (i))
210 #define sk_SignerInfo_set(st, i, val) SKM_sk_set(SignerInfo, (st), (i), (val))
211 #define sk_SignerInfo_zero(st) SKM_sk_zero(SignerInfo, (st))
212 #define sk_SignerInfo_push(st, val) SKM_sk_push(SignerInfo, (st), (val))
213 #define sk_SignerInfo_unshift(st, val) SKM_sk_unshift(SignerInfo, (st), (val))
214 #define sk_SignerInfo_find(st, val) SKM_sk_find(SignerInfo, (st), (val))
215 #define sk_SignerInfo_delete(st, i) SKM_sk_delete(SignerInfo, (st), (i))
216 #define sk_SignerInfo_delete_ptr(st, ptr) SKM_sk_delete_ptr(SignerInfo, (st), (ptr))
217 #define sk_SignerInfo_insert(st, val, i) SKM_sk_insert(SignerInfo, (st), (val), (i))
218 #define sk_SignerInfo_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SignerInfo, (st), (cmp))
219 #define sk_SignerInfo_dup(st) SKM_sk_dup(SignerInfo, st)
220 #define sk_SignerInfo_pop_free(st, free_func) SKM_sk_pop_free(SignerInfo, (st), (free_func))
221 #define sk_SignerInfo_shift(st) SKM_sk_shift(SignerInfo, (st))
222 #define sk_SignerInfo_pop(st) SKM_sk_pop(SignerInfo, (st))
223 #define sk_SignerInfo_sort(st) SKM_sk_sort(SignerInfo, (st))
224 #define sk_SignerInfo_is_sorted(st) SKM_sk_is_sorted(SignerInfo, (st))
225
226 #define d2i_ASN1_SET_OF_SignerInfo(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
227 SKM_ASN1_SET_OF_d2i(SignerInfo, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class))
228 #define i2d_ASN1_SET_OF_SignerInfo(st, pp, i2d_func, ex_tag, ex_class, is_set) \
229 SKM_ASN1_SET_OF_i2d(SignerInfo, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
230 #define ASN1_seq_pack_SignerInfo(st, i2d_func, buf, len) \
231 SKM_ASN1_seq_pack(SignerInfo, (st), (i2d_func), (buf), (len))
232 #define ASN1_seq_unpack_SignerInfo(buf, len, d2i_func, free_func) \
233 SKM_ASN1_seq_unpack(SignerInfo, (buf), (len), (d2i_func), (free_func))
234
235 #define sk_RecipientInfo_new(st) SKM_sk_new(RecipientInfo, (st))
236 #define sk_RecipientInfo_new_null() SKM_sk_new_null(RecipientInfo)
237 #define sk_RecipientInfo_free(st) SKM_sk_free(RecipientInfo, (st))
238 #define sk_RecipientInfo_num(st) SKM_sk_num(RecipientInfo, (st))
239 #define sk_RecipientInfo_value(st, i) SKM_sk_value(RecipientInfo, (st), (i))
240 #define sk_RecipientInfo_set(st, i, val) SKM_sk_set(RecipientInfo, (st), (i), (val))
241 #define sk_RecipientInfo_zero(st) SKM_sk_zero(RecipientInfo, (st))
242 #define sk_RecipientInfo_push(st, val) SKM_sk_push(RecipientInfo, (st), (val))
243 #define sk_RecipientInfo_unshift(st, val) SKM_sk_unshift(RecipientInfo, (st), (val))
244 #define sk_RecipientInfo_find(st, val) SKM_sk_find(RecipientInfo, (st), (val))
245 #define sk_RecipientInfo_delete(st, i) SKM_sk_delete(RecipientInfo, (st), (i))
246 #define sk_RecipientInfo_delete_ptr(st, ptr) SKM_sk_delete_ptr(RecipientInfo, (st), (ptr))
247 #define sk_RecipientInfo_insert(st, val, i) SKM_sk_insert(RecipientInfo, (st), (val), (i))
248 #define sk_RecipientInfo_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(RecipientInfo, (st), (cmp))
249 #define sk_RecipientInfo_dup(st) SKM_sk_dup(RecipientInfo, st)
250 #define sk_RecipientInfo_pop_free(st, free_func) SKM_sk_pop_free(RecipientInfo, (st), (free_func))
251 #define sk_RecipientInfo_shift(st) SKM_sk_shift(RecipientInfo, (st))
252 #define sk_RecipientInfo_pop(st) SKM_sk_pop(RecipientInfo, (st))
253 #define sk_RecipientInfo_sort(st) SKM_sk_sort(RecipientInfo, (st))
254 #define sk_RecipientInfo_is_sorted(st) SKM_sk_is_sorted(RecipientInfo, (st))
255
256 #define d2i_ASN1_SET_OF_RecipientInfo(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
257 SKM_ASN1_SET_OF_d2i(RecipientInfo, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class))
258 #define i2d_ASN1_SET_OF_RecipientInfo(st, pp, i2d_func, ex_tag, ex_class, is_set) \
259 SKM_ASN1_SET_OF_i2d(RecipientInfo, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
260 #define ASN1_seq_pack_RecipientInfo(st, i2d_func, buf, len) \
261 SKM_ASN1_seq_pack(RecipientInfo, (st), (i2d_func), (buf), (len))
262 #define ASN1_seq_unpack_RecipientInfo(buf, len, d2i_func, free_func) \
263 SKM_ASN1_seq_unpack(RecipientInfo, (buf), (len), (d2i_func), (free_func))
264 /* End of util/mkstack.pl block */
265 #endif
266
267 /* X509 Public/Private Key Pair Structure */
268 struct X509_Keypair {
269 ASN1_OCTET_STRING *keyid;
270 EVP_PKEY *pubkey;
271 EVP_PKEY *privkey;
272 };
273
274 /* Message Digest Structure */
275 struct Digest {
276 crypto_digest_t type;
277 JCR *jcr;
278 EVP_MD_CTX *ctx;
279 };
280
281 /* Message Signature Structure */
282 struct Signature {
283 SignatureData *sigData;
284 JCR *jcr;
285 };
286
287 /* Encryption Session Data */
288 struct Crypto_Session {
289 CryptoData *cryptoData; /* ASN.1 Structure */
290 unsigned char *session_key; /* Private symmetric session key */
291 size_t session_key_len; /* Symmetric session key length */
292 };
293
294 /* Symmetric Cipher Context */
295 struct Cipher_Context {
296 EVP_CIPHER_CTX *ctx;
297 };
298
299 /* PEM Password Dispatch Context */
300 typedef struct PEM_CB_Context {
301 CRYPTO_PEM_PASSWD_CB *pem_callback;
302 const void *pem_userdata;
303 } PEM_CB_CONTEXT;
304
305 /*
306 * Extract subjectKeyIdentifier from x509 certificate.
307 * Returns: On success, an ASN1_OCTET_STRING that must be freed via ASN1_OCTET_STRING_free().
308 * NULL on failure.
309 */
openssl_cert_keyid(X509 * cert)310 static ASN1_OCTET_STRING *openssl_cert_keyid(X509 *cert) {
311 X509_EXTENSION *ext;
312 const X509V3_EXT_METHOD *method;
313 ASN1_OCTET_STRING *keyid;
314 int i;
315 const ASN1_STRING *asn1_ext_val;
316 const unsigned char *ext_value_data;
317
318 /* Find the index to the subjectKeyIdentifier extension */
319 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
320 if (i < 0) {
321 /* Not found */
322 return NULL;
323 }
324
325 /* Grab the extension */
326 ext = X509_get_ext(cert, i);
327
328 /* Get x509 extension method structure */
329 if (!(method = X509V3_EXT_get(ext))) {
330 return NULL;
331 }
332
333 asn1_ext_val = X509_EXTENSION_get_data(ext);
334 ext_value_data = ASN1_STRING_get0_data(asn1_ext_val);
335
336 if (method->it) {
337 /* New style ASN1 */
338
339 /* Decode ASN1 item in data */
340 keyid = (ASN1_OCTET_STRING *) ASN1_item_d2i(NULL, &ext_value_data, ASN1_STRING_length(asn1_ext_val),
341 ASN1_ITEM_ptr(method->it));
342 } else {
343 /* Old style ASN1 */
344
345 /* Decode ASN1 item in data */
346 keyid = (ASN1_OCTET_STRING *) method->d2i(NULL, &ext_value_data, ASN1_STRING_length(asn1_ext_val));
347 }
348
349 return keyid;
350 }
351
352 /*
353 * Create a new keypair object.
354 * Returns: A pointer to a X509 KEYPAIR object on success.
355 * NULL on failure.
356 */
crypto_keypair_new(void)357 X509_KEYPAIR *crypto_keypair_new(void)
358 {
359 X509_KEYPAIR *keypair;
360
361 /* Allocate our keypair structure */
362 keypair = (X509_KEYPAIR *)malloc(sizeof(X509_KEYPAIR));
363
364 /* Initialize our keypair structure */
365 keypair->keyid = NULL;
366 keypair->pubkey = NULL;
367 keypair->privkey = NULL;
368
369 return keypair;
370 }
371
372 /*
373 * Create a copy of a keypair object. The underlying
374 * EVP objects are not duplicated, as no EVP_PKEY_dup()
375 * API is available. Instead, the reference count is
376 * incremented.
377 */
crypto_keypair_dup(X509_KEYPAIR * keypair)378 X509_KEYPAIR *crypto_keypair_dup(X509_KEYPAIR *keypair)
379 {
380 X509_KEYPAIR *newpair;
381 int ret;
382
383 newpair = crypto_keypair_new();
384
385 if (!newpair) {
386 /* Allocation failed */
387 return NULL;
388 }
389
390 /* Increment the public key ref count */
391 if (keypair->pubkey) {
392 ret = EVP_PKEY_up_ref(keypair->pubkey);
393 if (ret == 0)
394 goto out_free_new;
395 newpair->pubkey = keypair->pubkey;
396 }
397
398 /* Increment the private key ref count */
399 if (keypair->privkey) {
400 ret = EVP_PKEY_up_ref(keypair->privkey);
401 if (ret == 0)
402 goto out_free_new;
403 newpair->privkey = keypair->privkey;
404 }
405
406 /* Duplicate the keyid */
407 if (keypair->keyid) {
408 newpair->keyid = ASN1_OCTET_STRING_dup(keypair->keyid);
409 if (!newpair->keyid)
410 goto out_free_new;
411 }
412
413 return newpair;
414
415 out_free_new:
416 crypto_keypair_free(newpair);
417 return NULL;
418 }
419
420
421 /*
422 * Load a public key from a PEM-encoded x509 certificate.
423 * Returns: true on success
424 * false on failure
425 */
crypto_keypair_load_cert(X509_KEYPAIR * keypair,const char * file)426 int crypto_keypair_load_cert(X509_KEYPAIR *keypair, const char *file)
427 {
428 BIO *bio;
429 X509 *cert;
430
431 /* Open the file */
432 if (!(bio = BIO_new_file(file, "r"))) {
433 openssl_post_errors(M_ERROR, _("Unable to open certificate file"));
434 return false;
435 }
436
437 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
438 BIO_free(bio);
439 if (!cert) {
440 openssl_post_errors(M_ERROR, _("Unable to read certificate from file"));
441 return false;
442 }
443
444 /* Extract the public key */
445 if (!(keypair->pubkey = X509_get_pubkey(cert))) {
446 openssl_post_errors(M_ERROR, _("Unable to extract public key from certificate"));
447 goto err;
448 }
449
450 /* Extract the subjectKeyIdentifier extension field */
451 if ((keypair->keyid = openssl_cert_keyid(cert)) == NULL) {
452 Jmsg0(NULL, M_ERROR, 0,
453 _("Provided certificate does not include the required subjectKeyIdentifier extension."));
454 goto err;
455 }
456
457 /* Validate the public key type (only RSA is supported) */
458 if (EVP_PKEY_base_id(keypair->pubkey) != EVP_PKEY_RSA) {
459 Jmsg1(NULL, M_ERROR, 0,
460 _("Unsupported key type provided: %d\n"), EVP_PKEY_id(keypair->pubkey));
461 goto err;
462 }
463
464 X509_free(cert);
465 return true;
466
467 err:
468 X509_free(cert);
469 if (keypair->pubkey) {
470 EVP_PKEY_free(keypair->pubkey);
471 }
472 return false;
473 }
474
475 /* Dispatch user PEM encryption callbacks */
crypto_pem_callback_dispatch(char * buf,int size,int rwflag,void * userdata)476 static int crypto_pem_callback_dispatch (char *buf, int size, int rwflag, void *userdata)
477 {
478 PEM_CB_CONTEXT *ctx = (PEM_CB_CONTEXT *) userdata;
479 return (ctx->pem_callback(buf, size, ctx->pem_userdata));
480 }
481
482 /*
483 * Check a PEM-encoded file
484 * for the existence of a private key.
485 * Returns: true if a private key is found
486 * false otherwise
487 */
crypto_keypair_has_key(const char * file)488 bool crypto_keypair_has_key(const char *file) {
489 BIO *bio;
490 char *name = NULL;
491 char *header = NULL;
492 unsigned char *data = NULL;
493 bool retval = false;
494 long len;
495
496 if (!(bio = BIO_new_file(file, "r"))) {
497 openssl_post_errors(M_ERROR, _("Unable to open private key file"));
498 return false;
499 }
500
501 while (PEM_read_bio(bio, &name, &header, &data, &len)) {
502 /* We don't care what the data is, just that it's there */
503 OPENSSL_free(header);
504 OPENSSL_free(data);
505
506 /*
507 * PEM Header Found, check for a private key
508 * Due to OpenSSL limitations, we must specifically
509 * list supported PEM private key encodings.
510 */
511 if (strcmp(name, PEM_STRING_RSA) == 0
512 || strcmp(name, PEM_STRING_DSA) == 0
513 || strcmp(name, PEM_STRING_PKCS8) == 0
514 || strcmp(name, PEM_STRING_PKCS8INF) == 0) {
515 retval = true;
516 OPENSSL_free(name);
517 break;
518 } else {
519 OPENSSL_free(name);
520 }
521 }
522
523 /* Free our bio */
524 BIO_free(bio);
525
526 /* Post PEM-decoding error messages, if any */
527 openssl_post_errors(M_ERROR, _("Unable to read private key from file"));
528 return retval;
529 }
530
531 /*
532 * Load a PEM-encoded private key.
533 * Returns: true on success
534 * false on failure
535 */
crypto_keypair_load_key(X509_KEYPAIR * keypair,const char * file,CRYPTO_PEM_PASSWD_CB * pem_callback,const void * pem_userdata)536 int crypto_keypair_load_key(X509_KEYPAIR *keypair, const char *file,
537 CRYPTO_PEM_PASSWD_CB *pem_callback,
538 const void *pem_userdata)
539 {
540 BIO *bio;
541 PEM_CB_CONTEXT ctx;
542
543 /* Open the file */
544 if (!(bio = BIO_new_file(file, "r"))) {
545 openssl_post_errors(M_ERROR, _("Unable to open private key file"));
546 return false;
547 }
548
549 /* Set up PEM encryption callback */
550 if (pem_callback) {
551 ctx.pem_callback = pem_callback;
552 ctx.pem_userdata = pem_userdata;
553 } else {
554 ctx.pem_callback = crypto_default_pem_callback;
555 ctx.pem_userdata = NULL;
556 }
557
558 keypair->privkey = PEM_read_bio_PrivateKey(bio, NULL, crypto_pem_callback_dispatch, &ctx);
559 BIO_free(bio);
560 if (!keypair->privkey) {
561 openssl_post_errors(M_ERROR, _("Unable to read private key from file"));
562 return false;
563 }
564
565 return true;
566 }
567
568 /*
569 * Free memory associated with a keypair object.
570 */
crypto_keypair_free(X509_KEYPAIR * keypair)571 void crypto_keypair_free(X509_KEYPAIR *keypair)
572 {
573 if (keypair->pubkey) {
574 EVP_PKEY_free(keypair->pubkey);
575 }
576 if (keypair->privkey) {
577 EVP_PKEY_free(keypair->privkey);
578 }
579 if (keypair->keyid) {
580 ASN1_OCTET_STRING_free(keypair->keyid);
581 }
582 free(keypair);
583 }
584
585 /*
586 * Create a new message digest context of the specified type
587 * Returns: A pointer to a DIGEST object on success.
588 * NULL on failure.
589 */
crypto_digest_new(JCR * jcr,crypto_digest_t type)590 DIGEST *crypto_digest_new(JCR *jcr, crypto_digest_t type)
591 {
592 DIGEST *digest;
593 const EVP_MD *md = NULL; /* Quell invalid uninitialized warnings */
594
595 digest = (DIGEST *)malloc(sizeof(DIGEST));
596 digest->type = type;
597 digest->jcr = jcr;
598 Dmsg1(150, "crypto_digest_new jcr=%p\n", jcr);
599
600 /* Initialize the OpenSSL message digest context */
601 digest->ctx = EVP_MD_CTX_new();
602 if (!digest->ctx)
603 goto err;
604 EVP_MD_CTX_reset(digest->ctx);
605
606 /* Determine the correct OpenSSL message digest type */
607 switch (type) {
608 case CRYPTO_DIGEST_MD5:
609 md = EVP_md5();
610 break;
611 case CRYPTO_DIGEST_SHA1:
612 md = EVP_sha1();
613 break;
614 #ifdef HAVE_SHA2
615 case CRYPTO_DIGEST_SHA256:
616 md = EVP_sha256();
617 break;
618 case CRYPTO_DIGEST_SHA512:
619 md = EVP_sha512();
620 break;
621 #endif
622 default:
623 Jmsg1(jcr, M_ERROR, 0, _("Unsupported digest type: %d\n"), type);
624 goto err;
625 }
626
627 /* Initialize the backing OpenSSL context */
628 if (EVP_DigestInit_ex(digest->ctx, md, NULL) == 0) {
629 goto err;
630 }
631
632 return digest;
633
634 err:
635 /* This should not happen, but never say never ... */
636 Dmsg0(150, "Digest init failed.\n");
637 openssl_post_errors(jcr, M_ERROR, _("OpenSSL digest initialization failed"));
638 crypto_digest_free(digest);
639 return NULL;
640 }
641
642 /*
643 * Hash length bytes of data into the provided digest context.
644 * Returns: true on success
645 * false on failure
646 */
crypto_digest_update(DIGEST * digest,const uint8_t * data,uint32_t length)647 bool crypto_digest_update(DIGEST *digest, const uint8_t *data, uint32_t length)
648 {
649 if (EVP_DigestUpdate(digest->ctx, data, length) == 0) {
650 Dmsg0(150, "digest update failed\n");
651 openssl_post_errors(digest->jcr, M_ERROR, _("OpenSSL digest update failed"));
652 return false;
653 } else {
654 return true;
655 }
656 }
657
658 /*
659 * Finalize the data in digest, storing the result in dest and the result size
660 * in length. The result size can be determined with crypto_digest_size().
661 *
662 * Returns: true on success
663 * false on failure
664 */
crypto_digest_finalize(DIGEST * digest,uint8_t * dest,uint32_t * length)665 bool crypto_digest_finalize(DIGEST *digest, uint8_t *dest, uint32_t *length)
666 {
667 if (!EVP_DigestFinal(digest->ctx, dest, (unsigned int *)length)) {
668 Dmsg0(150, "digest finalize failed\n");
669 openssl_post_errors(digest->jcr, M_ERROR, _("OpenSSL digest finalize failed"));
670 return false;
671 } else {
672 return true;
673 }
674 }
675
676 /*
677 * Free memory associated with a digest object.
678 */
crypto_digest_free(DIGEST * digest)679 void crypto_digest_free(DIGEST *digest)
680 {
681 EVP_MD_CTX_free(digest->ctx);
682 free(digest);
683 }
684
685 /*
686 * Create a new message signature context.
687 * Returns: A pointer to a SIGNATURE object on success.
688 * NULL on failure.
689 */
crypto_sign_new(JCR * jcr)690 SIGNATURE *crypto_sign_new(JCR *jcr)
691 {
692 SIGNATURE *sig;
693
694 sig = (SIGNATURE *)malloc(sizeof(SIGNATURE));
695 if (!sig) {
696 return NULL;
697 }
698
699 sig->sigData = SignatureData_new();
700 sig->jcr = jcr;
701 Dmsg1(150, "crypto_sign_new jcr=%p\n", jcr);
702
703 if (!sig->sigData) {
704 /* Allocation failed in OpenSSL */
705 free(sig);
706 return NULL;
707 }
708
709 /* Set the ASN.1 structure version number */
710 ASN1_INTEGER_set(sig->sigData->version, BACULA_ASN1_VERSION);
711
712 return sig;
713 }
714
715 /*
716 * For a given public key, find the associated SignatureInfo record
717 * and create a digest context for signature validation
718 *
719 * Returns: CRYPTO_ERROR_NONE on success, with the newly allocated DIGEST in digest.
720 * A crypto_error_t value on failure.
721 */
crypto_sign_get_digest(SIGNATURE * sig,X509_KEYPAIR * keypair,crypto_digest_t & type,DIGEST ** digest)722 crypto_error_t crypto_sign_get_digest(SIGNATURE *sig, X509_KEYPAIR *keypair,
723 crypto_digest_t &type, DIGEST **digest)
724 {
725 STACK_OF(SignerInfo) *signers;
726 SignerInfo *si;
727 int i;
728
729 signers = sig->sigData->signerInfo;
730
731 for (i = 0; i < sk_SignerInfo_num(signers); i++) {
732 si = sk_SignerInfo_value(signers, i);
733 if (ASN1_OCTET_STRING_cmp(keypair->keyid, si->subjectKeyIdentifier) == 0) {
734 /* Get the digest algorithm and allocate a digest context */
735 Dmsg1(150, "crypto_sign_get_digest jcr=%p\n", sig->jcr);
736 switch (OBJ_obj2nid(si->digestAlgorithm)) {
737 case NID_md5:
738 Dmsg0(100, "sign digest algorithm is MD5\n");
739 type = CRYPTO_DIGEST_MD5;
740 *digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_MD5);
741 break;
742 case NID_sha1:
743 Dmsg0(100, "sign digest algorithm is SHA1\n");
744 type = CRYPTO_DIGEST_SHA1;
745 *digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA1);
746 break;
747 #ifdef HAVE_SHA2
748 case NID_sha256:
749 Dmsg0(100, "sign digest algorithm is SHA256\n");
750 type = CRYPTO_DIGEST_SHA256;
751 *digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA256);
752 break;
753 case NID_sha512:
754 Dmsg0(100, "sign digest algorithm is SHA512\n");
755 type = CRYPTO_DIGEST_SHA512;
756 *digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA512);
757 break;
758 #endif
759 default:
760 type = CRYPTO_DIGEST_NONE;
761 *digest = NULL;
762 return CRYPTO_ERROR_INVALID_DIGEST;
763 }
764
765 /* Shouldn't happen */
766 if (*digest == NULL) {
767 openssl_post_errors(sig->jcr, M_ERROR, _("OpenSSL digest_new failed"));
768 return CRYPTO_ERROR_INVALID_DIGEST;
769 } else {
770 return CRYPTO_ERROR_NONE;
771 }
772 } else {
773 openssl_post_errors(sig->jcr, M_ERROR, _("OpenSSL sign get digest failed"));
774 }
775
776 }
777
778 return CRYPTO_ERROR_NOSIGNER;
779 }
780
781 /*
782 * For a given signature, public key, and digest, verify the SIGNATURE.
783 * Returns: CRYPTO_ERROR_NONE on success.
784 * A crypto_error_t value on failure.
785 */
crypto_sign_verify(SIGNATURE * sig,X509_KEYPAIR * keypair,DIGEST * digest)786 crypto_error_t crypto_sign_verify(SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST *digest)
787 {
788 STACK_OF(SignerInfo) *signers;
789 SignerInfo *si;
790 int ok, i;
791 unsigned int sigLen;
792 const unsigned char *sigData;
793
794 signers = sig->sigData->signerInfo;
795
796 /* Find the signer */
797 for (i = 0; i < sk_SignerInfo_num(signers); i++) {
798 si = sk_SignerInfo_value(signers, i);
799 if (ASN1_OCTET_STRING_cmp(keypair->keyid, si->subjectKeyIdentifier) == 0) {
800 /* Extract the signature data */
801 sigLen = ASN1_STRING_length(si->signature);
802 sigData = ASN1_STRING_get0_data(si->signature);
803
804 ok = EVP_VerifyFinal(digest->ctx, sigData, sigLen, keypair->pubkey);
805 if (ok >= 1) {
806 return CRYPTO_ERROR_NONE;
807 } else if (ok == 0) {
808 openssl_post_errors(sig->jcr, M_ERROR, _("OpenSSL digest Verify final failed"));
809 return CRYPTO_ERROR_BAD_SIGNATURE;
810 } else if (ok < 0) {
811 /* Shouldn't happen */
812 openssl_post_errors(sig->jcr, M_ERROR, _("OpenSSL digest Verify final failed"));
813 return CRYPTO_ERROR_INTERNAL;
814 }
815 }
816 }
817 Jmsg(sig->jcr, M_ERROR, 0, _("No signers found for crypto verify.\n"));
818 /* Signer wasn't found. */
819 return CRYPTO_ERROR_NOSIGNER;
820 }
821
822
823 /*
824 * Add a new signer
825 * Returns: true on success
826 * false on failure
827 */
crypto_sign_add_signer(SIGNATURE * sig,DIGEST * digest,X509_KEYPAIR * keypair)828 int crypto_sign_add_signer(SIGNATURE *sig, DIGEST *digest, X509_KEYPAIR *keypair)
829 {
830 SignerInfo *si = NULL;
831 unsigned char *buf = NULL;
832 unsigned int len;
833
834 si = SignerInfo_new();
835
836 if (!si) {
837 /* Allocation failed in OpenSSL */
838 return false;
839 }
840
841 /* Set the ASN.1 structure version number */
842 ASN1_INTEGER_set(si->version, BACULA_ASN1_VERSION);
843
844 /* Set the digest algorithm identifier */
845 switch (digest->type) {
846 case CRYPTO_DIGEST_MD5:
847 si->digestAlgorithm = OBJ_nid2obj(NID_md5);
848 break;
849 case CRYPTO_DIGEST_SHA1:
850 si->digestAlgorithm = OBJ_nid2obj(NID_sha1);
851 break;
852 #ifdef HAVE_SHA2
853 case CRYPTO_DIGEST_SHA256:
854 si->digestAlgorithm = OBJ_nid2obj(NID_sha256);
855 break;
856 case CRYPTO_DIGEST_SHA512:
857 si->digestAlgorithm = OBJ_nid2obj(NID_sha512);
858 break;
859 #endif
860 default:
861 /* This should never happen */
862 goto err;
863 }
864
865 /* Drop the string allocated by OpenSSL, and add our subjectKeyIdentifier */
866 ASN1_OCTET_STRING_free(si->subjectKeyIdentifier);
867 si->subjectKeyIdentifier = ASN1_OCTET_STRING_dup(keypair->keyid);
868
869 /* Set our signature algorithm. We currently require RSA */
870 assert(EVP_PKEY_base_id(keypair->pubkey) == EVP_PKEY_RSA);
871 /* This is slightly evil. Reach into the MD structure and grab the key type */
872 si->signatureAlgorithm = OBJ_nid2obj(EVP_MD_pkey_type(EVP_MD_CTX_md(digest->ctx)));
873
874 /* Finalize/Sign our Digest */
875 len = EVP_PKEY_size(keypair->privkey);
876 buf = (unsigned char *) malloc(len);
877 if (!EVP_SignFinal(digest->ctx, buf, &len, keypair->privkey)) {
878 openssl_post_errors(M_ERROR, _("Signature creation failed"));
879 goto err;
880 }
881
882 /* Add the signature to the SignerInfo structure */
883 if (!ASN1_OCTET_STRING_set(si->signature, buf, len)) {
884 /* Allocation failed in OpenSSL */
885 goto err;
886 }
887
888 /* No longer needed */
889 free(buf);
890
891 /* Push the new SignerInfo structure onto the stack */
892 sk_SignerInfo_push(sig->sigData->signerInfo, si);
893
894 return true;
895
896 err:
897 if (si) {
898 SignerInfo_free(si);
899 }
900 if (buf) {
901 free(buf);
902 }
903
904 return false;
905 }
906
907 /*
908 * Encodes the SignatureData structure. The length argument is used to specify the
909 * size of dest. A length of 0 will cause no data to be written to dest, and the
910 * required length to be written to length. The caller can then allocate sufficient
911 * space for the output.
912 *
913 * Returns: true on success, stores the encoded data in dest, and the size in length.
914 * false on failure.
915 */
crypto_sign_encode(SIGNATURE * sig,uint8_t * dest,uint32_t * length)916 int crypto_sign_encode(SIGNATURE *sig, uint8_t *dest, uint32_t *length)
917 {
918 if (*length == 0) {
919 *length = i2d_SignatureData(sig->sigData, NULL);
920 return true;
921 }
922
923 *length = i2d_SignatureData(sig->sigData, (unsigned char **)&dest);
924 return true;
925 }
926
927 /*
928 * Decodes the SignatureData structure. The length argument is used to specify the
929 * size of sigData.
930 *
931 * Returns: SIGNATURE instance on success.
932 * NULL on failure.
933
934 */
935
crypto_sign_decode(JCR * jcr,const uint8_t * sigData,uint32_t length)936 SIGNATURE *crypto_sign_decode(JCR *jcr, const uint8_t *sigData, uint32_t length)
937 {
938 SIGNATURE *sig;
939 const unsigned char *p = (const unsigned char *) sigData;
940
941 sig = (SIGNATURE *)malloc(sizeof(SIGNATURE));
942 if (!sig) {
943 return NULL;
944 }
945 sig->jcr = jcr;
946
947 /* d2i_SignatureData modifies the supplied pointer */
948 sig->sigData = d2i_SignatureData(NULL, &p, length);
949
950 if (!sig->sigData) {
951 /* Allocation / Decoding failed in OpenSSL */
952 openssl_post_errors(jcr, M_ERROR, _("Signature decoding failed"));
953 free(sig);
954 return NULL;
955 }
956
957 return sig;
958 }
959
960 /*
961 * Free memory associated with a signature object.
962 */
crypto_sign_free(SIGNATURE * sig)963 void crypto_sign_free(SIGNATURE *sig)
964 {
965 SignatureData_free(sig->sigData);
966 free (sig);
967 }
968
969 /*
970 * Create a new encryption session.
971 * Returns: A pointer to a CRYPTO_SESSION object on success.
972 * NULL on failure.
973 *
974 * Note! Bacula malloc() fails if out of memory.
975 */
crypto_session_new(crypto_cipher_t cipher,alist * pubkeys)976 CRYPTO_SESSION *crypto_session_new (crypto_cipher_t cipher, alist *pubkeys)
977 {
978 CRYPTO_SESSION *cs;
979 X509_KEYPAIR *keypair;
980 const EVP_CIPHER *ec;
981 unsigned char *iv;
982 int iv_len;
983
984 /* Allocate our session description structures */
985 cs = (CRYPTO_SESSION *)malloc(sizeof(CRYPTO_SESSION));
986
987 /* Initialize required fields */
988 cs->session_key = NULL;
989
990 /* Allocate a CryptoData structure */
991 cs->cryptoData = CryptoData_new();
992
993 if (!cs->cryptoData) {
994 /* Allocation failed in OpenSSL */
995 free(cs);
996 return NULL;
997 }
998
999 /* Set the ASN.1 structure version number */
1000 ASN1_INTEGER_set(cs->cryptoData->version, BACULA_ASN1_VERSION);
1001
1002 /*
1003 * Acquire a cipher instance and set the ASN.1 cipher NID
1004 */
1005 switch (cipher) {
1006 case CRYPTO_CIPHER_AES_128_CBC:
1007 /* AES 128 bit CBC */
1008 cs->cryptoData->contentEncryptionAlgorithm = OBJ_nid2obj(NID_aes_128_cbc);
1009 ec = EVP_aes_128_cbc();
1010 break;
1011 #ifndef HAVE_OPENSSL_EXPORT_LIBRARY
1012 case CRYPTO_CIPHER_AES_192_CBC:
1013 /* AES 192 bit CBC */
1014 cs->cryptoData->contentEncryptionAlgorithm = OBJ_nid2obj(NID_aes_192_cbc);
1015 ec = EVP_aes_192_cbc();
1016 break;
1017 case CRYPTO_CIPHER_AES_256_CBC:
1018 /* AES 256 bit CBC */
1019 cs->cryptoData->contentEncryptionAlgorithm = OBJ_nid2obj(NID_aes_256_cbc);
1020 ec = EVP_aes_256_cbc();
1021 break;
1022 #endif
1023 case CRYPTO_CIPHER_BLOWFISH_CBC:
1024 /* Blowfish CBC */
1025 cs->cryptoData->contentEncryptionAlgorithm = OBJ_nid2obj(NID_bf_cbc);
1026 ec = EVP_bf_cbc();
1027 break;
1028 default:
1029 Jmsg0(NULL, M_ERROR, 0, _("Unsupported cipher type specified\n"));
1030 crypto_session_free(cs);
1031 return NULL;
1032 }
1033
1034 /* Generate a symmetric session key */
1035 cs->session_key_len = EVP_CIPHER_key_length(ec);
1036 cs->session_key = (unsigned char *) malloc(cs->session_key_len);
1037 if (RAND_bytes(cs->session_key, cs->session_key_len) <= 0) {
1038 /* OpenSSL failure */
1039 crypto_session_free(cs);
1040 return NULL;
1041 }
1042
1043 /* Generate an IV if possible */
1044 if ((iv_len = EVP_CIPHER_iv_length(ec))) {
1045 iv = (unsigned char *)malloc(iv_len);
1046
1047 /* Generate random IV */
1048 if (RAND_bytes(iv, iv_len) <= 0) {
1049 /* OpenSSL failure */
1050 crypto_session_free(cs);
1051 free(iv);
1052 return NULL;
1053 }
1054
1055 /* Store it in our ASN.1 structure */
1056 if (!ASN1_OCTET_STRING_set(cs->cryptoData->iv, iv, iv_len)) {
1057 /* Allocation failed in OpenSSL */
1058 crypto_session_free(cs);
1059 free(iv);
1060 return NULL;
1061 }
1062 free(iv);
1063 }
1064
1065 /*
1066 * Create RecipientInfo structures for supplied
1067 * public keys.
1068 */
1069 foreach_alist(keypair, pubkeys) {
1070 RecipientInfo *ri;
1071 unsigned char *ekey;
1072 int ekey_len;
1073
1074 ri = RecipientInfo_new();
1075 if (!ri) {
1076 /* Allocation failed in OpenSSL */
1077 crypto_session_free(cs);
1078 return NULL;
1079 }
1080
1081 /* Set the ASN.1 structure version number */
1082 ASN1_INTEGER_set(ri->version, BACULA_ASN1_VERSION);
1083
1084 /* Drop the string allocated by OpenSSL, and add our subjectKeyIdentifier */
1085 ASN1_OCTET_STRING_free(ri->subjectKeyIdentifier);
1086 ri->subjectKeyIdentifier = ASN1_OCTET_STRING_dup(keypair->keyid);
1087
1088 /* Set our key encryption algorithm. We currently require RSA */
1089 assert(keypair->pubkey && EVP_PKEY_base_id(keypair->pubkey) == EVP_PKEY_RSA);
1090 ri->keyEncryptionAlgorithm = OBJ_nid2obj(NID_rsaEncryption);
1091
1092 /* Encrypt the session key */
1093 ekey = (unsigned char *)malloc(EVP_PKEY_size(keypair->pubkey));
1094
1095 if ((ekey_len = EVP_PKEY_encrypt(ekey, cs->session_key, cs->session_key_len, keypair->pubkey)) <= 0) {
1096 /* OpenSSL failure */
1097 RecipientInfo_free(ri);
1098 crypto_session_free(cs);
1099 free(ekey);
1100 return NULL;
1101 }
1102
1103 /* Store it in our ASN.1 structure */
1104 if (!ASN1_OCTET_STRING_set(ri->encryptedKey, ekey, ekey_len)) {
1105 /* Allocation failed in OpenSSL */
1106 RecipientInfo_free(ri);
1107 crypto_session_free(cs);
1108 free(ekey);
1109 return NULL;
1110 }
1111
1112 /* Free the encrypted key buffer */
1113 free(ekey);
1114
1115 /* Push the new RecipientInfo structure onto the stack */
1116 sk_RecipientInfo_push(cs->cryptoData->recipientInfo, ri);
1117 }
1118
1119 return cs;
1120 }
1121
1122 /*
1123 * Encodes the CryptoData structure. The length argument is used to specify the
1124 * size of dest. A length of 0 will cause no data to be written to dest, and the
1125 * required length to be written to length. The caller can then allocate sufficient
1126 * space for the output.
1127 *
1128 * Returns: true on success, stores the encoded data in dest, and the size in length.
1129 * false on failure.
1130 */
crypto_session_encode(CRYPTO_SESSION * cs,uint8_t * dest,uint32_t * length)1131 bool crypto_session_encode(CRYPTO_SESSION *cs, uint8_t *dest, uint32_t *length)
1132 {
1133 if (*length == 0) {
1134 *length = i2d_CryptoData(cs->cryptoData, NULL);
1135 return true;
1136 }
1137
1138 *length = i2d_CryptoData(cs->cryptoData, &dest);
1139 return true;
1140 }
1141
1142 /*
1143 * Decodes the CryptoData structure. The length argument is
1144 * used to specify the size of data.
1145 *
1146 * Returns: CRYPTO_SESSION instance on success.
1147 * NULL on failure.
1148 * Returns: CRYPTO_ERROR_NONE and a pointer to a newly allocated CRYPTO_SESSION structure in *session on success.
1149 * A crypto_error_t value on failure.
1150 */
crypto_session_decode(const uint8_t * data,uint32_t length,alist * keypairs,CRYPTO_SESSION ** session)1151 crypto_error_t crypto_session_decode(const uint8_t *data, uint32_t length, alist *keypairs, CRYPTO_SESSION **session)
1152 {
1153 CRYPTO_SESSION *cs;
1154 X509_KEYPAIR *keypair;
1155 STACK_OF(RecipientInfo) *recipients;
1156 crypto_error_t retval = CRYPTO_ERROR_NONE;
1157 const unsigned char *p = (const unsigned char *)data;
1158
1159 /* bacula-fd.conf doesn't contains any key */
1160 if (!keypairs) {
1161 return CRYPTO_ERROR_NORECIPIENT;
1162 }
1163
1164 cs = (CRYPTO_SESSION *)malloc(sizeof(CRYPTO_SESSION));
1165
1166 /* Initialize required fields */
1167 cs->session_key = NULL;
1168
1169 /* d2i_CryptoData modifies the supplied pointer */
1170 cs->cryptoData = d2i_CryptoData(NULL, &p, length);
1171
1172 if (!cs->cryptoData) {
1173 /* Allocation / Decoding failed in OpenSSL */
1174 openssl_post_errors(M_ERROR, _("CryptoData decoding failed"));
1175 retval = CRYPTO_ERROR_INTERNAL;
1176 goto err;
1177 }
1178
1179 recipients = cs->cryptoData->recipientInfo;
1180
1181 /*
1182 * Find a matching RecipientInfo structure for a supplied
1183 * public key
1184 */
1185 foreach_alist(keypair, keypairs) {
1186 RecipientInfo *ri;
1187 int i;
1188
1189 /* Private key available? */
1190 if (keypair->privkey == NULL) {
1191 continue;
1192 }
1193
1194 for (i = 0; i < sk_RecipientInfo_num(recipients); i++) {
1195 ri = sk_RecipientInfo_value(recipients, i);
1196
1197 /* Match against the subjectKeyIdentifier */
1198 if (ASN1_OCTET_STRING_cmp(keypair->keyid, ri->subjectKeyIdentifier) == 0) {
1199 /* Match found, extract symmetric encryption session data */
1200
1201 /* RSA is required. */
1202 assert(EVP_PKEY_base_id(keypair->privkey) == EVP_PKEY_RSA);
1203
1204 /* If we recieve a RecipientInfo structure that does not use
1205 * RSA, return an error */
1206 if (OBJ_obj2nid(ri->keyEncryptionAlgorithm) != NID_rsaEncryption) {
1207 retval = CRYPTO_ERROR_INVALID_CRYPTO;
1208 goto err;
1209 }
1210
1211 /* Decrypt the session key */
1212 /* Allocate sufficient space for the largest possible decrypted data */
1213 cs->session_key = (unsigned char *)malloc(EVP_PKEY_size(keypair->privkey));
1214 cs->session_key_len = EVP_PKEY_decrypt(cs->session_key, ASN1_STRING_get0_data(ri->encryptedKey),
1215 ASN1_STRING_length(ri->encryptedKey), keypair->privkey);
1216
1217 if (cs->session_key_len <= 0) {
1218 openssl_post_errors(M_ERROR, _("Failure decrypting the session key"));
1219 retval = CRYPTO_ERROR_DECRYPTION;
1220 goto err;
1221 }
1222
1223 /* Session key successfully extracted, return the CRYPTO_SESSION structure */
1224 *session = cs;
1225 return CRYPTO_ERROR_NONE;
1226 }
1227 }
1228 }
1229
1230 /* No matching recipient found */
1231 return CRYPTO_ERROR_NORECIPIENT;
1232
1233 err:
1234 crypto_session_free(cs);
1235 return retval;
1236 }
1237
1238 /*
1239 * Free memory associated with a crypto session object.
1240 */
crypto_session_free(CRYPTO_SESSION * cs)1241 void crypto_session_free(CRYPTO_SESSION *cs)
1242 {
1243 if (cs->cryptoData) {
1244 CryptoData_free(cs->cryptoData);
1245 }
1246 if (cs->session_key){
1247 free(cs->session_key);
1248 }
1249 free(cs);
1250 }
1251
1252 /*
1253 * Create a new crypto cipher context with the specified session object
1254 * Returns: A pointer to a CIPHER_CONTEXT object on success. The cipher block size is returned in blocksize.
1255 * NULL on failure.
1256 */
crypto_cipher_new(CRYPTO_SESSION * cs,bool encrypt,uint32_t * blocksize)1257 CIPHER_CONTEXT *crypto_cipher_new(CRYPTO_SESSION *cs, bool encrypt, uint32_t *blocksize)
1258 {
1259 CIPHER_CONTEXT *cipher_ctx;
1260 const EVP_CIPHER *ec;
1261
1262 cipher_ctx = (CIPHER_CONTEXT *)malloc(sizeof(CIPHER_CONTEXT));
1263 if (!cipher_ctx)
1264 return NULL;
1265
1266 cipher_ctx->ctx = EVP_CIPHER_CTX_new();
1267 if (!cipher_ctx->ctx)
1268 goto err;
1269
1270 /*
1271 * Acquire a cipher instance for the given ASN.1 cipher NID
1272 */
1273 if ((ec = EVP_get_cipherbyobj(cs->cryptoData->contentEncryptionAlgorithm)) == NULL) {
1274 Jmsg1(NULL, M_ERROR, 0,
1275 _("Unsupported contentEncryptionAlgorithm: %d\n"), OBJ_obj2nid(cs->cryptoData->contentEncryptionAlgorithm));
1276 free(cipher_ctx);
1277 return NULL;
1278 }
1279
1280 /* Initialize the OpenSSL cipher context */
1281 EVP_CIPHER_CTX_reset(cipher_ctx->ctx);
1282 if (encrypt) {
1283 /* Initialize for encryption */
1284 if (!EVP_CipherInit_ex(cipher_ctx->ctx, ec, NULL, NULL, NULL, 1)) {
1285 openssl_post_errors(M_ERROR, _("OpenSSL cipher context initialization failed"));
1286 goto err;
1287 }
1288 } else {
1289 /* Initialize for decryption */
1290 if (!EVP_CipherInit_ex(cipher_ctx->ctx, ec, NULL, NULL, NULL, 0)) {
1291 openssl_post_errors(M_ERROR, _("OpenSSL cipher context initialization failed"));
1292 goto err;
1293 }
1294 }
1295
1296 /* Set the key size */
1297 if (!EVP_CIPHER_CTX_set_key_length(cipher_ctx->ctx, cs->session_key_len)) {
1298 openssl_post_errors(M_ERROR, _("Encryption session provided an invalid symmetric key"));
1299 goto err;
1300 }
1301
1302 /* Validate the IV length */
1303 if (EVP_CIPHER_iv_length(ec) != ASN1_STRING_length(cs->cryptoData->iv)) {
1304 openssl_post_errors(M_ERROR, _("Encryption session provided an invalid IV"));
1305 goto err;
1306 }
1307
1308 /* Add the key and IV to the cipher context */
1309 if (!EVP_CipherInit_ex(cipher_ctx->ctx, NULL, NULL, cs->session_key, ASN1_STRING_get0_data(cs->cryptoData->iv), -1)) {
1310 openssl_post_errors(M_ERROR, _("OpenSSL cipher context key/IV initialization failed"));
1311 goto err;
1312 }
1313
1314 *blocksize = EVP_CIPHER_CTX_block_size(cipher_ctx->ctx);
1315 return cipher_ctx;
1316
1317 err:
1318 crypto_cipher_free(cipher_ctx);
1319 return NULL;
1320 }
1321
1322
1323 /*
1324 * Encrypt/Decrypt length bytes of data using the provided cipher context
1325 * Returns: true on success, number of bytes output in written
1326 * false on failure
1327 */
crypto_cipher_update(CIPHER_CONTEXT * cipher_ctx,const uint8_t * data,uint32_t length,const uint8_t * dest,uint32_t * written)1328 bool crypto_cipher_update(CIPHER_CONTEXT *cipher_ctx, const uint8_t *data, uint32_t length, const uint8_t *dest, uint32_t *written)
1329 {
1330 if (!EVP_CipherUpdate(cipher_ctx->ctx, (unsigned char *)dest, (int *)written, (const unsigned char *)data, length)) {
1331 /* This really shouldn't fail */
1332 return false;
1333 } else {
1334 return true;
1335 }
1336 }
1337
1338 /*
1339 * Finalize the cipher context, writing any remaining data and necessary padding
1340 * to dest, and the size in written.
1341 * The result size will either be one block of data or zero.
1342 *
1343 * Returns: true on success
1344 * false on failure
1345 */
crypto_cipher_finalize(CIPHER_CONTEXT * cipher_ctx,uint8_t * dest,uint32_t * written)1346 bool crypto_cipher_finalize (CIPHER_CONTEXT *cipher_ctx, uint8_t *dest, uint32_t *written)
1347 {
1348 if (!EVP_CipherFinal_ex(cipher_ctx->ctx, (unsigned char *)dest, (int *) written)) {
1349 /* This really shouldn't fail */
1350 return false;
1351 } else {
1352 return true;
1353 }
1354 }
1355
1356
1357 /*
1358 * Free memory associated with a cipher context.
1359 */
crypto_cipher_free(CIPHER_CONTEXT * cipher_ctx)1360 void crypto_cipher_free (CIPHER_CONTEXT *cipher_ctx)
1361 {
1362 EVP_CIPHER_CTX_free(cipher_ctx->ctx);
1363 free (cipher_ctx);
1364 }
1365
1366 #else /* HAVE_OPENSSL */
1367 # error No encryption library available
1368 #endif /* HAVE_OPENSSL */
1369
1370 #else /* HAVE_CRYPTO */
1371
1372 /*
1373 * Cryptography Support Disabled
1374 */
1375
1376 /* Message Digest Structure */
1377 struct Digest {
1378 crypto_digest_t type;
1379 JCR *jcr;
1380 union {
1381 SHA1Context sha1;
1382 MD5Context md5;
1383 };
1384 };
1385
1386 /* Dummy Signature Structure */
1387 struct Signature {
1388 JCR *jcr;
1389 };
1390
crypto_digest_new(JCR * jcr,crypto_digest_t type)1391 DIGEST *crypto_digest_new(JCR *jcr, crypto_digest_t type)
1392 {
1393 DIGEST *digest;
1394
1395 digest = (DIGEST *)malloc(sizeof(DIGEST));
1396 digest->type = type;
1397 digest->jcr = jcr;
1398
1399 switch (type) {
1400 case CRYPTO_DIGEST_MD5:
1401 MD5Init(&digest->md5);
1402 break;
1403 case CRYPTO_DIGEST_SHA1:
1404 SHA1Init(&digest->sha1);
1405 break;
1406 default:
1407 Jmsg1(jcr, M_ERROR, 0, _("Unsupported digest type=%d specified\n"), type);
1408 free(digest);
1409 return NULL;
1410 }
1411
1412 return (digest);
1413 }
1414
crypto_digest_update(DIGEST * digest,const uint8_t * data,uint32_t length)1415 bool crypto_digest_update(DIGEST *digest, const uint8_t *data, uint32_t length)
1416 {
1417 switch (digest->type) {
1418 case CRYPTO_DIGEST_MD5:
1419 /* Doesn't return anything ... */
1420 MD5Update(&digest->md5, (unsigned char *) data, length);
1421 return true;
1422 case CRYPTO_DIGEST_SHA1:
1423 int ret;
1424 if ((ret = SHA1Update(&digest->sha1, (const u_int8_t *) data, length)) == shaSuccess) {
1425 return true;
1426 } else {
1427 Jmsg1(NULL, M_ERROR, 0, _("SHA1Update() returned an error: %d\n"), ret);
1428 return false;
1429 }
1430 break;
1431 default:
1432 return false;
1433 }
1434 }
1435
crypto_digest_finalize(DIGEST * digest,uint8_t * dest,uint32_t * length)1436 bool crypto_digest_finalize(DIGEST *digest, uint8_t *dest, uint32_t *length)
1437 {
1438 switch (digest->type) {
1439 case CRYPTO_DIGEST_MD5:
1440 /* Guard against programmer error by either the API client or
1441 * an out-of-sync CRYPTO_DIGEST_MAX_SIZE */
1442 assert(*length >= CRYPTO_DIGEST_MD5_SIZE);
1443 *length = CRYPTO_DIGEST_MD5_SIZE;
1444 /* Doesn't return anything ... */
1445 MD5Final((unsigned char *)dest, &digest->md5);
1446 return true;
1447 case CRYPTO_DIGEST_SHA1:
1448 /* Guard against programmer error by either the API client or
1449 * an out-of-sync CRYPTO_DIGEST_MAX_SIZE */
1450 assert(*length >= CRYPTO_DIGEST_SHA1_SIZE);
1451 *length = CRYPTO_DIGEST_SHA1_SIZE;
1452 if (SHA1Final(&digest->sha1, (u_int8_t *) dest) == shaSuccess) {
1453 return true;
1454 } else {
1455 return false;
1456 }
1457 break;
1458 default:
1459 return false;
1460 }
1461
1462 return false;
1463 }
1464
crypto_digest_free(DIGEST * digest)1465 void crypto_digest_free(DIGEST *digest)
1466 {
1467 free(digest);
1468 }
1469
crypto_sign_new(JCR * jcr)1470 SIGNATURE *crypto_sign_new(JCR *jcr) { return NULL; }
1471
crypto_sign_get_digest(SIGNATURE * sig,X509_KEYPAIR * keypair,crypto_digest_t & type,DIGEST ** digest)1472 crypto_error_t crypto_sign_get_digest (SIGNATURE *sig, X509_KEYPAIR *keypair,
1473 crypto_digest_t &type, DIGEST **digest)
1474 { return CRYPTO_ERROR_INTERNAL; }
1475
crypto_sign_verify(SIGNATURE * sig,X509_KEYPAIR * keypair,DIGEST * digest)1476 crypto_error_t crypto_sign_verify (SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST *digest) { return CRYPTO_ERROR_INTERNAL; }
1477
crypto_sign_add_signer(SIGNATURE * sig,DIGEST * digest,X509_KEYPAIR * keypair)1478 int crypto_sign_add_signer (SIGNATURE *sig, DIGEST *digest, X509_KEYPAIR *keypair) { return false; }
crypto_sign_encode(SIGNATURE * sig,uint8_t * dest,uint32_t * length)1479 int crypto_sign_encode (SIGNATURE *sig, uint8_t *dest, uint32_t *length) { return false; }
1480
crypto_sign_decode(JCR * jcr,const uint8_t * sigData,uint32_t length)1481 SIGNATURE *crypto_sign_decode (JCR *jcr, const uint8_t *sigData, uint32_t length) { return NULL; }
crypto_sign_free(SIGNATURE * sig)1482 void crypto_sign_free (SIGNATURE *sig) { }
1483
1484
crypto_keypair_new(void)1485 X509_KEYPAIR *crypto_keypair_new(void) { return NULL; }
crypto_keypair_dup(X509_KEYPAIR * keypair)1486 X509_KEYPAIR *crypto_keypair_dup (X509_KEYPAIR *keypair) { return NULL; }
crypto_keypair_load_cert(X509_KEYPAIR * keypair,const char * file)1487 int crypto_keypair_load_cert (X509_KEYPAIR *keypair, const char *file) { return false; }
crypto_keypair_has_key(const char * file)1488 bool crypto_keypair_has_key (const char *file) { return false; }
crypto_keypair_load_key(X509_KEYPAIR * keypair,const char * file,CRYPTO_PEM_PASSWD_CB * pem_callback,const void * pem_userdata)1489 int crypto_keypair_load_key (X509_KEYPAIR *keypair, const char *file, CRYPTO_PEM_PASSWD_CB *pem_callback, const void *pem_userdata) { return false; }
crypto_keypair_free(X509_KEYPAIR * keypair)1490 void crypto_keypair_free (X509_KEYPAIR *keypair) { }
1491
crypto_session_new(crypto_cipher_t cipher,alist * pubkeys)1492 CRYPTO_SESSION *crypto_session_new (crypto_cipher_t cipher, alist *pubkeys) { return NULL; }
crypto_session_free(CRYPTO_SESSION * cs)1493 void crypto_session_free (CRYPTO_SESSION *cs) { }
crypto_session_encode(CRYPTO_SESSION * cs,uint8_t * dest,uint32_t * length)1494 bool crypto_session_encode (CRYPTO_SESSION *cs, uint8_t *dest, uint32_t *length) { return false; }
crypto_session_decode(const uint8_t * data,uint32_t length,alist * keypairs,CRYPTO_SESSION ** session)1495 crypto_error_t crypto_session_decode(const uint8_t *data, uint32_t length, alist *keypairs, CRYPTO_SESSION **session) { return CRYPTO_ERROR_INTERNAL; }
1496
crypto_cipher_new(CRYPTO_SESSION * cs,bool encrypt,uint32_t * blocksize)1497 CIPHER_CONTEXT *crypto_cipher_new (CRYPTO_SESSION *cs, bool encrypt, uint32_t *blocksize) { return NULL; }
crypto_cipher_update(CIPHER_CONTEXT * cipher_ctx,const uint8_t * data,uint32_t length,const uint8_t * dest,uint32_t * written)1498 bool crypto_cipher_update (CIPHER_CONTEXT *cipher_ctx, const uint8_t *data, uint32_t length, const uint8_t *dest, uint32_t *written) { return false; }
crypto_cipher_finalize(CIPHER_CONTEXT * cipher_ctx,uint8_t * dest,uint32_t * written)1499 bool crypto_cipher_finalize (CIPHER_CONTEXT *cipher_ctx, uint8_t *dest, uint32_t *written) { return false; }
crypto_cipher_free(CIPHER_CONTEXT * cipher_ctx)1500 void crypto_cipher_free (CIPHER_CONTEXT *cipher_ctx) { }
1501
1502 #endif /* HAVE_CRYPTO */
1503
1504 /* Shared Code */
1505
1506 /*
1507 * Default PEM encryption passphrase callback.
1508 * Returns an empty password.
1509 */
crypto_default_pem_callback(char * buf,int size,const void * userdata)1510 int crypto_default_pem_callback(char *buf, int size, const void *userdata)
1511 {
1512 bstrncpy(buf, "", size);
1513 return (strlen(buf));
1514 }
1515
1516 /*
1517 * Returns the ASCII name of the digest type.
1518 * Returns: ASCII name of digest type.
1519 */
crypto_digest_name(DIGEST * digest)1520 const char *crypto_digest_name(DIGEST *digest)
1521 {
1522 switch (digest->type) {
1523 case CRYPTO_DIGEST_MD5:
1524 return "MD5";
1525 case CRYPTO_DIGEST_SHA1:
1526 return "SHA1";
1527 case CRYPTO_DIGEST_SHA256:
1528 return "SHA256";
1529 case CRYPTO_DIGEST_SHA512:
1530 return "SHA512";
1531 case CRYPTO_DIGEST_NONE:
1532 return "None";
1533 default:
1534 return "Invalid Digest Type";
1535 }
1536
1537 }
1538
1539 /*
1540 * Given a stream type, returns the associated
1541 * crypto_digest_t value.
1542 */
crypto_digest_stream_type(int stream)1543 crypto_digest_t crypto_digest_stream_type(int stream)
1544 {
1545 switch (stream) {
1546 case STREAM_MD5_DIGEST:
1547 return CRYPTO_DIGEST_MD5;
1548 case STREAM_SHA1_DIGEST:
1549 return CRYPTO_DIGEST_SHA1;
1550 case STREAM_SHA256_DIGEST:
1551 return CRYPTO_DIGEST_SHA256;
1552 case STREAM_SHA512_DIGEST:
1553 return CRYPTO_DIGEST_SHA512;
1554 default:
1555 return CRYPTO_DIGEST_NONE;
1556 }
1557 }
1558
1559 /*
1560 * * Given a crypto_error_t value, return the associated
1561 * * error string
1562 * */
crypto_strerror(crypto_error_t error)1563 const char *crypto_strerror(crypto_error_t error) {
1564 switch (error) {
1565 case CRYPTO_ERROR_NONE:
1566 return _("No error");
1567 case CRYPTO_ERROR_NOSIGNER:
1568 return _("Signer not found");
1569 case CRYPTO_ERROR_NORECIPIENT:
1570 return _("Recipient not found");
1571 case CRYPTO_ERROR_INVALID_DIGEST:
1572 return _("Unsupported digest algorithm");
1573 case CRYPTO_ERROR_INVALID_CRYPTO:
1574 return _("Unsupported encryption algorithm");
1575 case CRYPTO_ERROR_BAD_SIGNATURE:
1576 return _("Signature is invalid");
1577 case CRYPTO_ERROR_DECRYPTION:
1578 return _("Decryption error");
1579 case CRYPTO_ERROR_INTERNAL:
1580 /* This shouldn't happen */
1581 return _("Internal error");
1582 default:
1583 return _("Unknown error");
1584 }
1585 }
1586