1 /* $OpenBSD: crypto.c,v 1.28 2020/05/26 20:24:31 tobhe Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> /* roundup */ 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/uio.h> 23 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <unistd.h> 27 #include <string.h> 28 #include <errno.h> 29 #include <fcntl.h> 30 #include <event.h> 31 32 #include <openssl/hmac.h> 33 #include <openssl/evp.h> 34 #include <openssl/sha.h> 35 #include <openssl/md5.h> 36 #include <openssl/x509.h> 37 #include <openssl/rsa.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 /* RFC 7427, A.1 RSA */ 43 static const uint8_t sha256WithRSA[] = { 44 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 45 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 46 }; 47 static const uint8_t sha384WithRSA[] = { 48 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 49 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 50 }; 51 static const uint8_t sha512WithRSA[] = { 52 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 53 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 54 }; 55 /* RFC 7427, A.3 ECDSA */ 56 static const uint8_t ecdsa_sha256[] = { 57 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 58 0x3d, 0x04, 0x03, 0x02 59 }; 60 static const uint8_t ecdsa_sha384[] = { 61 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 62 0x3d, 0x04, 0x03, 0x03 63 }; 64 static const uint8_t ecdsa_sha512[] = { 65 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 66 0x3d, 0x04, 0x03, 0x04 67 }; 68 69 static const struct { 70 int sc_keytype; 71 const EVP_MD *(*sc_md)(void); 72 uint8_t sc_len; 73 const uint8_t *sc_oid; 74 } schemes[] = { 75 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA }, 76 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA }, 77 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA }, 78 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256 }, 79 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384 }, 80 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512 }, 81 }; 82 83 int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 84 int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 85 uint8_t **); 86 int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 87 int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 88 89 struct iked_hash * 90 hash_new(uint8_t type, uint16_t id) 91 { 92 struct iked_hash *hash; 93 const EVP_MD *md = NULL; 94 HMAC_CTX *ctx = NULL; 95 int length = 0, fixedkey = 0, trunc = 0, isaead = 0; 96 97 switch (type) { 98 case IKEV2_XFORMTYPE_PRF: 99 switch (id) { 100 case IKEV2_XFORMPRF_HMAC_MD5: 101 md = EVP_md5(); 102 length = MD5_DIGEST_LENGTH; 103 break; 104 case IKEV2_XFORMPRF_HMAC_SHA1: 105 md = EVP_sha1(); 106 length = SHA_DIGEST_LENGTH; 107 break; 108 case IKEV2_XFORMPRF_HMAC_SHA2_256: 109 md = EVP_sha256(); 110 length = SHA256_DIGEST_LENGTH; 111 break; 112 case IKEV2_XFORMPRF_HMAC_SHA2_384: 113 md = EVP_sha384(); 114 length = SHA384_DIGEST_LENGTH; 115 break; 116 case IKEV2_XFORMPRF_HMAC_SHA2_512: 117 md = EVP_sha512(); 118 length = SHA512_DIGEST_LENGTH; 119 break; 120 case IKEV2_XFORMPRF_AES128_XCBC: 121 fixedkey = 128 / 8; 122 length = fixedkey; 123 /* FALLTHROUGH */ 124 case IKEV2_XFORMPRF_HMAC_TIGER: 125 case IKEV2_XFORMPRF_AES128_CMAC: 126 default: 127 log_debug("%s: prf %s not supported", __func__, 128 print_map(id, ikev2_xformprf_map)); 129 break; 130 } 131 break; 132 case IKEV2_XFORMTYPE_INTEGR: 133 switch (id) { 134 case IKEV2_XFORMAUTH_HMAC_MD5_96: 135 md = EVP_md5(); 136 length = MD5_DIGEST_LENGTH; 137 trunc = 12; 138 break; 139 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 140 md = EVP_sha1(); 141 length = SHA_DIGEST_LENGTH; 142 trunc = 12; 143 break; 144 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 145 md = EVP_sha256(); 146 length = SHA256_DIGEST_LENGTH; 147 trunc = 16; 148 break; 149 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 150 md = EVP_sha384(); 151 length = SHA384_DIGEST_LENGTH; 152 trunc = 24; 153 break; 154 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 155 md = EVP_sha512(); 156 length = SHA512_DIGEST_LENGTH; 157 trunc = 32; 158 break; 159 case IKEV2_XFORMAUTH_AES_GCM_12: 160 length = 12; 161 isaead = 1; 162 break; 163 case IKEV2_XFORMAUTH_AES_GCM_16: 164 length = 16; 165 isaead = 1; 166 break; 167 case IKEV2_XFORMAUTH_NONE: 168 case IKEV2_XFORMAUTH_DES_MAC: 169 case IKEV2_XFORMAUTH_KPDK_MD5: 170 case IKEV2_XFORMAUTH_AES_XCBC_96: 171 case IKEV2_XFORMAUTH_HMAC_MD5_128: 172 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 173 case IKEV2_XFORMAUTH_AES_CMAC_96: 174 case IKEV2_XFORMAUTH_AES_128_GMAC: 175 case IKEV2_XFORMAUTH_AES_192_GMAC: 176 case IKEV2_XFORMAUTH_AES_256_GMAC: 177 default: 178 log_debug("%s: auth %s not supported", __func__, 179 print_map(id, ikev2_xformauth_map)); 180 break; 181 } 182 break; 183 default: 184 log_debug("%s: hash type %s not supported", __func__, 185 print_map(id, ikev2_xformtype_map)); 186 break; 187 } 188 if (!isaead && md == NULL) 189 return (NULL); 190 191 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 192 log_debug("%s: alloc hash", __func__); 193 return (NULL); 194 } 195 196 hash->hash_type = type; 197 hash->hash_id = id; 198 hash->hash_priv = md; 199 hash->hash_ctx = NULL; 200 hash->hash_trunc = trunc; 201 hash->hash_length = length; 202 hash->hash_fixedkey = fixedkey; 203 hash->hash_isaead = isaead; 204 205 if (isaead) 206 return (hash); 207 208 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 209 log_debug("%s: alloc hash ctx", __func__); 210 hash_free(hash); 211 return (NULL); 212 } 213 214 HMAC_CTX_init(ctx); 215 hash->hash_ctx = ctx; 216 217 return (hash); 218 } 219 220 struct ibuf * 221 hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 222 { 223 ibuf_release(hash->hash_key); 224 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 225 log_debug("%s: alloc hash key", __func__); 226 return (NULL); 227 } 228 return (hash->hash_key); 229 } 230 231 void 232 hash_free(struct iked_hash *hash) 233 { 234 if (hash == NULL) 235 return; 236 if (hash->hash_ctx != NULL) { 237 HMAC_CTX_cleanup(hash->hash_ctx); 238 free(hash->hash_ctx); 239 } 240 ibuf_release(hash->hash_key); 241 free(hash); 242 } 243 244 void 245 hash_init(struct iked_hash *hash) 246 { 247 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 248 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 249 } 250 251 void 252 hash_update(struct iked_hash *hash, void *buf, size_t len) 253 { 254 HMAC_Update(hash->hash_ctx, buf, len); 255 } 256 257 void 258 hash_final(struct iked_hash *hash, void *buf, size_t *len) 259 { 260 unsigned int length = 0; 261 262 HMAC_Final(hash->hash_ctx, buf, &length); 263 *len = (size_t)length; 264 265 /* Truncate the result if required by the alg */ 266 if (hash->hash_trunc && *len > hash->hash_trunc) 267 *len = hash->hash_trunc; 268 } 269 270 size_t 271 hash_length(struct iked_hash *hash) 272 { 273 if (hash->hash_trunc) 274 return (hash->hash_trunc); 275 return (hash->hash_length); 276 } 277 278 size_t 279 hash_keylength(struct iked_hash *hash) 280 { 281 return (hash->hash_length); 282 } 283 284 struct iked_cipher * 285 cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 286 { 287 struct iked_cipher *encr; 288 const EVP_CIPHER *cipher = NULL; 289 EVP_CIPHER_CTX *ctx = NULL; 290 int length = 0, fixedkey = 0, ivlength = 0; 291 int saltlength = 0, authid = 0; 292 293 switch (type) { 294 case IKEV2_XFORMTYPE_ENCR: 295 switch (id) { 296 case IKEV2_XFORMENCR_3DES: 297 cipher = EVP_des_ede3_cbc(); 298 length = EVP_CIPHER_block_size(cipher); 299 fixedkey = EVP_CIPHER_key_length(cipher); 300 ivlength = EVP_CIPHER_iv_length(cipher); 301 break; 302 case IKEV2_XFORMENCR_AES_CBC: 303 switch (id_length) { 304 case 128: 305 cipher = EVP_aes_128_cbc(); 306 break; 307 case 192: 308 cipher = EVP_aes_192_cbc(); 309 break; 310 case 256: 311 cipher = EVP_aes_256_cbc(); 312 break; 313 default: 314 log_debug("%s: invalid key length %d" 315 " for cipher %s", __func__, id_length, 316 print_map(id, ikev2_xformencr_map)); 317 break; 318 } 319 if (cipher == NULL) 320 break; 321 length = EVP_CIPHER_block_size(cipher); 322 ivlength = EVP_CIPHER_iv_length(cipher); 323 fixedkey = EVP_CIPHER_key_length(cipher); 324 break; 325 case IKEV2_XFORMENCR_AES_GCM_16: 326 case IKEV2_XFORMENCR_AES_GCM_12: 327 switch (id_length) { 328 case 128: 329 cipher = EVP_aes_128_gcm(); 330 break; 331 case 256: 332 cipher = EVP_aes_256_gcm(); 333 break; 334 default: 335 log_debug("%s: invalid key length %d" 336 " for cipher %s", __func__, id_length, 337 print_map(id, ikev2_xformencr_map)); 338 break; 339 } 340 if (cipher == NULL) 341 break; 342 switch(id) { 343 case IKEV2_XFORMENCR_AES_GCM_16: 344 authid = IKEV2_XFORMAUTH_AES_GCM_16; 345 break; 346 case IKEV2_XFORMENCR_AES_GCM_12: 347 authid = IKEV2_XFORMAUTH_AES_GCM_12; 348 break; 349 } 350 length = EVP_CIPHER_block_size(cipher); 351 ivlength = 8; 352 saltlength = 4; 353 fixedkey = EVP_CIPHER_key_length(cipher) + saltlength; 354 break; 355 case IKEV2_XFORMENCR_DES_IV64: 356 case IKEV2_XFORMENCR_DES: 357 case IKEV2_XFORMENCR_RC5: 358 case IKEV2_XFORMENCR_IDEA: 359 case IKEV2_XFORMENCR_CAST: 360 case IKEV2_XFORMENCR_BLOWFISH: 361 case IKEV2_XFORMENCR_3IDEA: 362 case IKEV2_XFORMENCR_DES_IV32: 363 case IKEV2_XFORMENCR_NULL: 364 case IKEV2_XFORMENCR_AES_CTR: 365 /* FALLTHROUGH */ 366 default: 367 log_debug("%s: cipher %s not supported", __func__, 368 print_map(id, ikev2_xformencr_map)); 369 cipher = NULL; 370 break; 371 } 372 break; 373 default: 374 log_debug("%s: cipher type %s not supported", __func__, 375 print_map(id, ikev2_xformtype_map)); 376 break; 377 } 378 if (cipher == NULL) 379 return (NULL); 380 381 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 382 log_debug("%s: alloc cipher", __func__); 383 return (NULL); 384 } 385 386 encr->encr_id = id; 387 encr->encr_priv = cipher; 388 encr->encr_ctx = NULL; 389 encr->encr_length = length; 390 encr->encr_fixedkey = fixedkey; 391 encr->encr_ivlength = ivlength ? ivlength : length; 392 encr->encr_saltlength = saltlength; 393 encr->encr_authid = authid; 394 395 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 396 log_debug("%s: alloc cipher ctx", __func__); 397 cipher_free(encr); 398 return (NULL); 399 } 400 401 EVP_CIPHER_CTX_init(ctx); 402 encr->encr_ctx = ctx; 403 404 return (encr); 405 } 406 407 struct ibuf * 408 cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 409 { 410 ibuf_release(encr->encr_key); 411 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 412 log_debug("%s: alloc cipher key", __func__); 413 return (NULL); 414 } 415 return (encr->encr_key); 416 } 417 418 struct ibuf * 419 cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 420 { 421 ibuf_release(encr->encr_iv); 422 encr->encr_iv = NULL; 423 if (iv != NULL) { 424 if (len < encr->encr_ivlength) { 425 log_debug("%s: invalid IV length %zu", __func__, len); 426 return (NULL); 427 } 428 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 429 } else { 430 /* Get new random IV */ 431 encr->encr_iv = ibuf_random(encr->encr_ivlength); 432 } 433 if (encr->encr_iv == NULL) { 434 log_debug("%s: failed to set IV", __func__); 435 return (NULL); 436 } 437 return (encr->encr_iv); 438 } 439 440 int 441 cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len) 442 { 443 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 444 EVP_CTRL_GCM_SET_TAG, len, data) != 1); 445 } 446 447 int 448 cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len) 449 { 450 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 451 EVP_CTRL_GCM_GET_TAG, len, data) != 1); 452 } 453 454 void 455 cipher_free(struct iked_cipher *encr) 456 { 457 if (encr == NULL) 458 return; 459 if (encr->encr_ctx != NULL) { 460 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 461 free(encr->encr_ctx); 462 } 463 ibuf_release(encr->encr_iv); 464 ibuf_release(encr->encr_key); 465 free(encr); 466 } 467 468 int 469 cipher_init(struct iked_cipher *encr, int enc) 470 { 471 struct ibuf *nonce = NULL; 472 int ret = -1; 473 474 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 475 NULL, NULL, enc) != 1) 476 return (-1); 477 if (encr->encr_saltlength > 0) { 478 /* For AEADs the nonce is salt + IV (see RFC5282) */ 479 nonce = ibuf_new(ibuf_data(encr->encr_key) + 480 ibuf_size(encr->encr_key) - encr->encr_saltlength, 481 encr->encr_saltlength); 482 if (nonce == NULL) 483 return (-1); 484 if (ibuf_add(nonce, ibuf_data(encr->encr_iv) , ibuf_size(encr->encr_iv)) != 0) 485 goto done; 486 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 487 ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) 488 goto done; 489 } else 490 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 491 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 492 return (-1); 493 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 494 ret = 0; 495 done: 496 ibuf_free(nonce); 497 return (ret); 498 } 499 500 int 501 cipher_init_encrypt(struct iked_cipher *encr) 502 { 503 return (cipher_init(encr, 1)); 504 } 505 506 int 507 cipher_init_decrypt(struct iked_cipher *encr) 508 { 509 return (cipher_init(encr, 0)); 510 } 511 512 void 513 cipher_aad(struct iked_cipher *encr, void *in, size_t inlen, 514 size_t *outlen) 515 { 516 int olen = 0; 517 518 if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) { 519 ca_sslerror(__func__); 520 *outlen = 0; 521 return; 522 } 523 *outlen = (size_t)olen; 524 } 525 526 int 527 cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 528 void *out, size_t *outlen) 529 { 530 int olen; 531 532 olen = 0; 533 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 534 ca_sslerror(__func__); 535 *outlen = 0; 536 return (-1); 537 } 538 *outlen = (size_t)olen; 539 return (0); 540 } 541 542 int 543 cipher_final(struct iked_cipher *encr) 544 { 545 int olen; 546 547 /* 548 * We always have EVP_CIPH_NO_PADDING set. This means arg 549 * out is not used and olen should always be 0. 550 */ 551 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 552 ca_sslerror(__func__); 553 return (-1); 554 } 555 return (0); 556 } 557 558 size_t 559 cipher_length(struct iked_cipher *encr) 560 { 561 return (encr->encr_length); 562 } 563 564 size_t 565 cipher_keylength(struct iked_cipher *encr) 566 { 567 if (encr->encr_fixedkey) 568 return (encr->encr_fixedkey); 569 570 /* Might return zero */ 571 return (ibuf_length(encr->encr_key)); 572 } 573 574 size_t 575 cipher_ivlength(struct iked_cipher *encr) 576 { 577 return (encr->encr_ivlength); 578 } 579 580 size_t 581 cipher_outlength(struct iked_cipher *encr, size_t inlen) 582 { 583 return (roundup(inlen, encr->encr_length)); 584 } 585 586 struct iked_dsa * 587 dsa_new(uint16_t id, struct iked_hash *prf, int sign) 588 { 589 struct iked_dsa *dsap = NULL, dsa; 590 591 bzero(&dsa, sizeof(dsa)); 592 593 switch (id) { 594 case IKEV2_AUTH_SIG: 595 if (sign) 596 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 597 else 598 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 599 break; 600 case IKEV2_AUTH_RSA_SIG: 601 /* RFC5996 says we SHOULD use SHA1 here */ 602 dsa.dsa_priv = EVP_sha1(); 603 break; 604 case IKEV2_AUTH_SHARED_KEY_MIC: 605 if (prf == NULL || prf->hash_priv == NULL) 606 fatalx("dsa_new: invalid PRF"); 607 dsa.dsa_priv = prf->hash_priv; 608 dsa.dsa_hmac = 1; 609 break; 610 case IKEV2_AUTH_DSS_SIG: 611 dsa.dsa_priv = EVP_dss1(); 612 break; 613 case IKEV2_AUTH_ECDSA_256: 614 dsa.dsa_priv = EVP_sha256(); 615 break; 616 case IKEV2_AUTH_ECDSA_384: 617 dsa.dsa_priv = EVP_sha384(); 618 break; 619 case IKEV2_AUTH_ECDSA_521: 620 dsa.dsa_priv = EVP_sha512(); 621 break; 622 default: 623 log_debug("%s: auth method %s not supported", __func__, 624 print_map(id, ikev2_auth_map)); 625 break; 626 } 627 628 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 629 log_debug("%s: alloc dsa ctx", __func__); 630 631 return (NULL); 632 } 633 memcpy(dsap, &dsa, sizeof(*dsap)); 634 635 dsap->dsa_method = id; 636 dsap->dsa_sign = sign; 637 638 if (dsap->dsa_hmac) { 639 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 640 log_debug("%s: alloc hash ctx", __func__); 641 dsa_free(dsap); 642 return (NULL); 643 } 644 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 645 } else { 646 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 647 log_debug("%s: alloc digest ctx", __func__); 648 dsa_free(dsap); 649 return (NULL); 650 } 651 } 652 653 return (dsap); 654 } 655 656 struct iked_dsa * 657 dsa_sign_new(uint16_t id, struct iked_hash *prf) 658 { 659 return (dsa_new(id, prf, 1)); 660 } 661 662 struct iked_dsa * 663 dsa_verify_new(uint16_t id, struct iked_hash *prf) 664 { 665 return (dsa_new(id, prf, 0)); 666 } 667 668 void 669 dsa_free(struct iked_dsa *dsa) 670 { 671 if (dsa == NULL) 672 return; 673 if (dsa->dsa_hmac) { 674 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 675 free(dsa->dsa_ctx); 676 } else { 677 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 678 if (dsa->dsa_key) 679 EVP_PKEY_free(dsa->dsa_key); 680 } 681 682 ibuf_release(dsa->dsa_keydata); 683 free(dsa); 684 } 685 686 struct ibuf * 687 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 688 { 689 BIO *rawcert = NULL; 690 X509 *cert = NULL; 691 RSA *rsa = NULL; 692 EC_KEY *ec = NULL; 693 EVP_PKEY *pkey = NULL; 694 695 ibuf_release(dsa->dsa_keydata); 696 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 697 log_debug("%s: alloc signature key", __func__); 698 return (NULL); 699 } 700 701 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 702 goto err; 703 704 switch (type) { 705 case IKEV2_CERT_X509_CERT: 706 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 707 goto sslerr; 708 if ((pkey = X509_get_pubkey(cert)) == NULL) 709 goto sslerr; 710 dsa->dsa_key = pkey; 711 break; 712 case IKEV2_CERT_RSA_KEY: 713 if (dsa->dsa_sign) { 714 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 715 NULL)) == NULL) 716 goto sslerr; 717 } else { 718 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 719 NULL)) == NULL) 720 goto sslerr; 721 } 722 723 if ((pkey = EVP_PKEY_new()) == NULL) 724 goto sslerr; 725 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 726 goto sslerr; 727 728 RSA_free(rsa); /* pkey now has the reference */ 729 dsa->dsa_key = pkey; 730 break; 731 case IKEV2_CERT_ECDSA: 732 if (dsa->dsa_sign) { 733 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 734 goto sslerr; 735 } else { 736 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 737 goto sslerr; 738 } 739 740 if ((pkey = EVP_PKEY_new()) == NULL) 741 goto sslerr; 742 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 743 goto sslerr; 744 745 EC_KEY_free(ec); /* pkey now has the reference */ 746 dsa->dsa_key = pkey; 747 break; 748 default: 749 if (dsa->dsa_hmac) 750 break; 751 log_debug("%s: unsupported key type", __func__); 752 goto err; 753 } 754 755 if (cert != NULL) 756 X509_free(cert); 757 BIO_free(rawcert); /* temporary for parsing */ 758 759 return (dsa->dsa_keydata); 760 761 sslerr: 762 ca_sslerror(__func__); 763 err: 764 log_debug("%s: error", __func__); 765 766 if (rsa != NULL) 767 RSA_free(rsa); 768 if (ec != NULL) 769 EC_KEY_free(ec); 770 if (pkey != NULL) 771 EVP_PKEY_free(pkey); 772 if (cert != NULL) 773 X509_free(cert); 774 if (rawcert != NULL) 775 BIO_free(rawcert); 776 ibuf_release(dsa->dsa_keydata); 777 dsa->dsa_keydata = NULL; 778 return (NULL); 779 } 780 781 int 782 _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 783 { 784 uint8_t oidlen; 785 size_t i; 786 int keytype; 787 788 if (dsa->dsa_priv != NULL) 789 return (0); 790 /* 791 * For IKEV2_AUTH_SIG the oid of the authentication signature 792 * is encoded in the first bytes of the auth message. 793 */ 794 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 795 log_debug("%s: dsa_priv not set for %s", __func__, 796 print_map(dsa->dsa_method, ikev2_auth_map)); 797 return (-1); 798 } 799 if (dsa->dsa_key == NULL) { 800 log_debug("%s: dsa_key not set for %s", __func__, 801 print_map(dsa->dsa_method, ikev2_auth_map)); 802 return (-1); 803 } 804 keytype = EVP_PKEY_type(((EVP_PKEY *)dsa->dsa_key)->type); 805 if (sig == NULL) { 806 log_debug("%s: signature missing", __func__); 807 return (-1); 808 } 809 if (len < sizeof(oidlen)) { 810 log_debug("%s: signature (%zu) too small for oid length", 811 __func__, len); 812 return (-1); 813 } 814 memcpy(&oidlen, sig, sizeof(oidlen)); 815 if (len < (size_t)oidlen + sizeof(oidlen)) { 816 log_debug("%s: signature (%zu) too small for oid (%u)", 817 __func__, len, oidlen); 818 return (-1); 819 } 820 for (i = 0; i < nitems(schemes); i++) { 821 if (keytype == schemes[i].sc_keytype && 822 oidlen == schemes[i].sc_len && 823 memcmp(sig + 1, schemes[i].sc_oid, 824 schemes[i].sc_len) == 0) { 825 dsa->dsa_priv = (*schemes[i].sc_md)(); 826 log_debug("%s: signature scheme %zd selected", 827 __func__, i); 828 return (0); 829 } 830 } 831 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 832 return (-1); 833 } 834 835 int 836 dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 837 { 838 int ret; 839 840 if (dsa->dsa_hmac) { 841 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 842 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 843 return (-1); 844 return (0); 845 } 846 847 if (dsa->dsa_sign) 848 ret = EVP_DigestSignInit(dsa->dsa_ctx, NULL, dsa->dsa_priv, 849 NULL, dsa->dsa_key); 850 else { 851 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 852 return (ret); 853 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, NULL, dsa->dsa_priv, 854 NULL, dsa->dsa_key); 855 } 856 857 return (ret == 1 ? 0 : -1); 858 } 859 860 int 861 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 862 { 863 int ret; 864 865 if (dsa->dsa_hmac) 866 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 867 else if (dsa->dsa_sign) 868 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 869 else 870 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 871 872 return (ret == 1 ? 0 : -1); 873 } 874 875 /* Prefix signature hash with encoded type */ 876 int 877 _dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 878 { 879 int keytype; 880 size_t i, need; 881 882 if (offp) 883 *offp = 0; 884 if (dsa->dsa_method != IKEV2_AUTH_SIG) 885 return (0); 886 if (dsa->dsa_key == NULL) 887 return (-1); 888 keytype = EVP_PKEY_type(((EVP_PKEY *)dsa->dsa_key)->type); 889 for (i = 0; i < nitems(schemes); i++) { 890 /* XXX should avoid calling sc_md() each time... */ 891 if (keytype == schemes[i].sc_keytype && 892 (dsa->dsa_priv == (*schemes[i].sc_md)())) 893 break; 894 } 895 if (i >= nitems(schemes)) 896 return (-1); 897 log_debug("%s: signature scheme %zd selected", __func__, i); 898 need = sizeof(ptr[0]) + schemes[i].sc_len; 899 if (ptr) { 900 if (len < need) 901 return (-1); 902 ptr[0] = schemes[i].sc_len; 903 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 904 schemes[i].sc_len); 905 } 906 if (offp) 907 *offp = need; 908 return (0); 909 } 910 911 /* Export size of encoded signature hash type */ 912 size_t 913 dsa_prefix(struct iked_dsa *dsa) 914 { 915 size_t off = 0; 916 917 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 918 fatal("dsa_prefix: internal error"); 919 return off; 920 } 921 922 size_t 923 dsa_length(struct iked_dsa *dsa) 924 { 925 if (dsa->dsa_hmac) 926 return (EVP_MD_size(dsa->dsa_priv)); 927 switch (dsa->dsa_method) { 928 case IKEV2_AUTH_ECDSA_256: 929 case IKEV2_AUTH_ECDSA_384: 930 case IKEV2_AUTH_ECDSA_521: 931 /* size of concat(r|s) */ 932 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 933 } 934 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 935 } 936 937 int 938 _dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 939 { 940 ECDSA_SIG *obj = NULL; 941 uint8_t *tmp = NULL; 942 const uint8_t *p; 943 size_t tmplen; 944 int ret = -1; 945 int bnlen, off; 946 947 if (len % 2) 948 goto done; /* must be even */ 949 bnlen = len/2; 950 /* 951 * (a) create DER signature into 'tmp' buffer 952 * (b) convert buffer to ECDSA_SIG object 953 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 954 */ 955 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 956 goto done; 957 if ((tmp = calloc(1, tmplen)) == NULL) 958 goto done; 959 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 960 goto done; 961 p = tmp; 962 if (d2i_ECDSA_SIG(&obj, &p, tmplen) == NULL) 963 goto done; 964 if (BN_num_bytes(obj->r) > bnlen || BN_num_bytes(obj->s) > bnlen) 965 goto done; 966 memset(ptr, 0, len); 967 off = bnlen - BN_num_bytes(obj->r); 968 BN_bn2bin(obj->r, ptr + off); 969 off = 2 * bnlen - BN_num_bytes(obj->s); 970 BN_bn2bin(obj->s, ptr + off); 971 ret = 0; 972 done: 973 free(tmp); 974 if (obj) 975 ECDSA_SIG_free(obj); 976 return (ret); 977 } 978 979 ssize_t 980 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 981 { 982 unsigned int hmaclen; 983 size_t off = 0; 984 uint8_t *ptr = buf; 985 986 if (len < dsa_length(dsa)) 987 return (-1); 988 989 if (dsa->dsa_hmac) { 990 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 991 return (-1); 992 if (hmaclen > INT_MAX) 993 return (-1); 994 return (ssize_t)hmaclen; 995 } else { 996 switch (dsa->dsa_method) { 997 case IKEV2_AUTH_ECDSA_256: 998 case IKEV2_AUTH_ECDSA_384: 999 case IKEV2_AUTH_ECDSA_521: 1000 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 1001 return (-1); 1002 return (len); 1003 default: 1004 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 1005 return (-1); 1006 if (off > len) 1007 return (-1); 1008 len -= off; 1009 ptr += off; 1010 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 1011 return (-1); 1012 return (len + off); 1013 } 1014 } 1015 return (-1); 1016 } 1017 1018 int 1019 _dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 1020 uint8_t **freemep) 1021 { 1022 ECDSA_SIG *obj = NULL; 1023 uint8_t *ptr = NULL; 1024 size_t bnlen, len, off; 1025 int ret = -1; 1026 1027 *freemep = NULL; /* don't return garbage in case of an error */ 1028 1029 switch (dsa->dsa_method) { 1030 case IKEV2_AUTH_SIG: 1031 /* 1032 * The first byte of the signature encodes the OID 1033 * prefix length which we need to skip. 1034 */ 1035 off = (*sigp)[0] + 1; 1036 *sigp = *sigp + off; 1037 *lenp = *lenp - off; 1038 *freemep = NULL; 1039 ret = 0; 1040 break; 1041 case IKEV2_AUTH_ECDSA_256: 1042 case IKEV2_AUTH_ECDSA_384: 1043 case IKEV2_AUTH_ECDSA_521: 1044 /* 1045 * sigp points to concatenation r|s, while EVP_VerifyFinal() 1046 * expects the signature as a DER-encoded blob (of the two 1047 * values), so we need to convert the signature in a new 1048 * buffer (we cannot override the given buffer) and the caller 1049 * has to free this buffer ('freeme'). 1050 */ 1051 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 1052 goto done; 1053 bnlen = (*lenp)/2; 1054 /* sigp points to concatenation: r|s */ 1055 if ((obj = ECDSA_SIG_new()) == NULL || 1056 BN_bin2bn(*sigp, bnlen, obj->r) == NULL || 1057 BN_bin2bn(*sigp+bnlen, bnlen, obj->s) == NULL || 1058 (len = i2d_ECDSA_SIG(obj, &ptr)) == 0) 1059 goto done; 1060 *lenp = len; 1061 *sigp = ptr; 1062 *freemep = ptr; 1063 ptr = NULL; 1064 ret = 0; 1065 break; 1066 default: 1067 return (0); 1068 } 1069 done: 1070 free(ptr); 1071 if (obj) 1072 ECDSA_SIG_free(obj); 1073 return (ret); 1074 } 1075 1076 ssize_t 1077 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 1078 { 1079 uint8_t sig[EVP_MAX_MD_SIZE]; 1080 uint8_t *ptr = buf, *freeme = NULL; 1081 unsigned int siglen = sizeof(sig); 1082 1083 if (dsa->dsa_hmac) { 1084 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 1085 return (-1); 1086 if (siglen != len || memcmp(buf, sig, siglen) != 0) 1087 return (-1); 1088 } else { 1089 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 1090 return (-1); 1091 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 1092 free(freeme); 1093 ca_sslerror(__func__); 1094 return (-1); 1095 } 1096 free(freeme); 1097 } 1098 1099 return (0); 1100 } 1101