crypto.c revision 1.12
1/* $OpenBSD: crypto.c,v 1.12 2014/01/24 07:29:17 markus Exp $ */ 2 3/* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/param.h> 20#include <sys/queue.h> 21#include <sys/socket.h> 22#include <sys/uio.h> 23 24#include <stdio.h> 25#include <stdlib.h> 26#include <unistd.h> 27#include <string.h> 28#include <errno.h> 29#include <fcntl.h> 30#include <event.h> 31 32#include <openssl/hmac.h> 33#include <openssl/evp.h> 34#include <openssl/sha.h> 35#include <openssl/md5.h> 36#include <openssl/x509.h> 37 38#include "iked.h" 39#include "ikev2.h" 40 41struct iked_hash * 42hash_new(u_int8_t type, u_int16_t id) 43{ 44 struct iked_hash *hash; 45 const EVP_MD *md = NULL; 46 HMAC_CTX *ctx = NULL; 47 int length = 0, fixedkey = 0, trunc = 0; 48 49 switch (type) { 50 case IKEV2_XFORMTYPE_PRF: 51 switch (id) { 52 case IKEV2_XFORMPRF_HMAC_MD5: 53 md = EVP_md5(); 54 length = MD5_DIGEST_LENGTH; 55 break; 56 case IKEV2_XFORMPRF_HMAC_SHA1: 57 md = EVP_sha1(); 58 length = SHA_DIGEST_LENGTH; 59 break; 60 case IKEV2_XFORMPRF_HMAC_SHA2_256: 61 md = EVP_sha256(); 62 length = SHA256_DIGEST_LENGTH; 63 break; 64 case IKEV2_XFORMPRF_HMAC_SHA2_384: 65 md = EVP_sha384(); 66 length = SHA384_DIGEST_LENGTH; 67 break; 68 case IKEV2_XFORMPRF_HMAC_SHA2_512: 69 md = EVP_sha512(); 70 length = SHA512_DIGEST_LENGTH; 71 break; 72 case IKEV2_XFORMPRF_AES128_XCBC: 73 fixedkey = 128 / 8; 74 length = fixedkey; 75 /* FALLTHROUGH */ 76 case IKEV2_XFORMPRF_HMAC_TIGER: 77 case IKEV2_XFORMPRF_AES128_CMAC: 78 default: 79 log_debug("%s: prf %s not supported", __func__, 80 print_map(id, ikev2_xformprf_map)); 81 break; 82 } 83 break; 84 case IKEV2_XFORMTYPE_INTEGR: 85 switch (id) { 86 case IKEV2_XFORMAUTH_HMAC_MD5_96: 87 md = EVP_md5(); 88 length = MD5_DIGEST_LENGTH; 89 trunc = 12; 90 break; 91 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 92 md = EVP_sha1(); 93 length = SHA_DIGEST_LENGTH; 94 trunc = 12; 95 break; 96 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 97 md = EVP_sha256(); 98 length = SHA256_DIGEST_LENGTH; 99 trunc = 16; 100 break; 101 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 102 md = EVP_sha384(); 103 length = SHA384_DIGEST_LENGTH; 104 trunc = 24; 105 break; 106 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 107 md = EVP_sha512(); 108 length = SHA512_DIGEST_LENGTH; 109 trunc = 32; 110 break; 111 case IKEV2_XFORMAUTH_NONE: 112 case IKEV2_XFORMAUTH_DES_MAC: 113 case IKEV2_XFORMAUTH_KPDK_MD5: 114 case IKEV2_XFORMAUTH_AES_XCBC_96: 115 case IKEV2_XFORMAUTH_HMAC_MD5_128: 116 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 117 case IKEV2_XFORMAUTH_AES_CMAC_96: 118 case IKEV2_XFORMAUTH_AES_128_GMAC: 119 case IKEV2_XFORMAUTH_AES_192_GMAC: 120 case IKEV2_XFORMAUTH_AES_256_GMAC: 121 default: 122 log_debug("%s: auth %s not supported", __func__, 123 print_map(id, ikev2_xformauth_map)); 124 break; 125 } 126 break; 127 default: 128 log_debug("%s: hash type %s not supported", __func__, 129 print_map(id, ikev2_xformtype_map)); 130 break; 131 } 132 if (md == NULL) 133 return (NULL); 134 135 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 136 log_debug("%s: alloc hash", __func__); 137 return (NULL); 138 } 139 140 hash->hash_type = type; 141 hash->hash_id = id; 142 hash->hash_priv = md; 143 hash->hash_ctx = NULL; 144 hash->hash_trunc = trunc; 145 hash->hash_length = length; 146 hash->hash_fixedkey = fixedkey; 147 148 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 149 log_debug("%s: alloc hash ctx", __func__); 150 hash_free(hash); 151 return (NULL); 152 } 153 154 HMAC_CTX_init(ctx); 155 hash->hash_ctx = ctx; 156 157 return (hash); 158} 159 160struct ibuf * 161hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 162{ 163 ibuf_release(hash->hash_key); 164 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 165 log_debug("%s: alloc hash key", __func__); 166 return (NULL); 167 } 168 return (hash->hash_key); 169} 170 171void 172hash_free(struct iked_hash *hash) 173{ 174 if (hash == NULL) 175 return; 176 if (hash->hash_ctx != NULL) { 177 HMAC_CTX_cleanup(hash->hash_ctx); 178 free(hash->hash_ctx); 179 } 180 ibuf_release(hash->hash_key); 181 free(hash); 182} 183 184void 185hash_init(struct iked_hash *hash) 186{ 187 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 188 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 189} 190 191void 192hash_update(struct iked_hash *hash, void *buf, size_t len) 193{ 194 HMAC_Update(hash->hash_ctx, buf, len); 195} 196 197void 198hash_final(struct iked_hash *hash, void *buf, size_t *len) 199{ 200 u_int length = 0; 201 202 HMAC_Final(hash->hash_ctx, buf, &length); 203 *len = (size_t)length; 204 205 /* Truncate the result if required by the alg */ 206 if (hash->hash_trunc && *len > hash->hash_trunc) 207 *len = hash->hash_trunc; 208} 209 210size_t 211hash_length(struct iked_hash *hash) 212{ 213 if (hash->hash_trunc) 214 return (hash->hash_trunc); 215 return (hash->hash_length); 216} 217 218size_t 219hash_keylength(struct iked_hash *hash) 220{ 221 return (hash->hash_length); 222} 223 224struct iked_cipher * 225cipher_new(u_int8_t type, u_int16_t id, u_int16_t id_length) 226{ 227 struct iked_cipher *encr; 228 const EVP_CIPHER *cipher = NULL; 229 EVP_CIPHER_CTX *ctx = NULL; 230 int length = 0, fixedkey = 0, ivlength = 0; 231 232 switch (type) { 233 case IKEV2_XFORMTYPE_ENCR: 234 switch (id) { 235 case IKEV2_XFORMENCR_3DES: 236 cipher = EVP_des_ede3_cbc(); 237 length = EVP_CIPHER_block_size(cipher); 238 fixedkey = EVP_CIPHER_key_length(cipher); 239 ivlength = EVP_CIPHER_iv_length(cipher); 240 break; 241 case IKEV2_XFORMENCR_AES_CBC: 242 switch (id_length) { 243 case 128: 244 cipher = EVP_aes_128_cbc(); 245 break; 246 case 192: 247 cipher = EVP_aes_192_cbc(); 248 break; 249 case 256: 250 cipher = EVP_aes_256_cbc(); 251 break; 252 default: 253 log_debug("%s: invalid key length %d" 254 " for cipher %s", __func__, id_length, 255 print_map(id, ikev2_xformencr_map)); 256 break; 257 } 258 if (cipher == NULL) 259 break; 260 length = EVP_CIPHER_block_size(cipher); 261 ivlength = EVP_CIPHER_iv_length(cipher); 262 fixedkey = EVP_CIPHER_key_length(cipher); 263 break; 264 case IKEV2_XFORMENCR_DES_IV64: 265 case IKEV2_XFORMENCR_DES: 266 case IKEV2_XFORMENCR_RC5: 267 case IKEV2_XFORMENCR_IDEA: 268 case IKEV2_XFORMENCR_CAST: 269 case IKEV2_XFORMENCR_BLOWFISH: 270 case IKEV2_XFORMENCR_3IDEA: 271 case IKEV2_XFORMENCR_DES_IV32: 272 case IKEV2_XFORMENCR_NULL: 273 case IKEV2_XFORMENCR_AES_CTR: 274 /* FALLTHROUGH */ 275 default: 276 log_debug("%s: cipher %s not supported", __func__, 277 print_map(id, ikev2_xformencr_map)); 278 cipher = NULL; 279 break; 280 } 281 break; 282 default: 283 log_debug("%s: cipher type %s not supported", __func__, 284 print_map(id, ikev2_xformtype_map)); 285 break; 286 } 287 if (cipher == NULL) 288 return (NULL); 289 290 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 291 log_debug("%s: alloc cipher", __func__); 292 return (NULL); 293 } 294 295 encr->encr_id = id; 296 encr->encr_priv = cipher; 297 encr->encr_ctx = NULL; 298 encr->encr_length = length; 299 encr->encr_fixedkey = fixedkey; 300 encr->encr_ivlength = ivlength ? ivlength : length; 301 302 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 303 log_debug("%s: alloc cipher ctx", __func__); 304 cipher_free(encr); 305 return (NULL); 306 } 307 308 EVP_CIPHER_CTX_init(ctx); 309 encr->encr_ctx = ctx; 310 311 return (encr); 312} 313 314struct ibuf * 315cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 316{ 317 ibuf_release(encr->encr_key); 318 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 319 log_debug("%s: alloc cipher key", __func__); 320 return (NULL); 321 } 322 return (encr->encr_key); 323} 324 325struct ibuf * 326cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 327{ 328 ibuf_release(encr->encr_iv); 329 if (iv != NULL) { 330 if (len < encr->encr_ivlength) { 331 log_debug("%s: invalid IV length %d", __func__, len); 332 return (NULL); 333 } 334 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 335 } else { 336 /* Get new random IV */ 337 encr->encr_iv = ibuf_random(encr->encr_ivlength); 338 } 339 if (encr->encr_iv == NULL) { 340 log_debug("%s: failed to set IV", __func__); 341 return (NULL); 342 } 343 return (encr->encr_iv); 344} 345 346void 347cipher_free(struct iked_cipher *encr) 348{ 349 if (encr == NULL) 350 return; 351 if (encr->encr_ctx != NULL) { 352 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 353 free(encr->encr_ctx); 354 } 355 ibuf_release(encr->encr_key); 356 free(encr); 357} 358 359void 360cipher_init(struct iked_cipher *encr, int enc) 361{ 362 EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 363 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc); 364 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 365} 366 367void 368cipher_init_encrypt(struct iked_cipher *encr) 369{ 370 cipher_init(encr, 1); 371} 372 373void 374cipher_init_decrypt(struct iked_cipher *encr) 375{ 376 cipher_init(encr, 0); 377} 378 379void 380cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 381 void *out, size_t *outlen) 382{ 383 int olen; 384 385 olen = 0; 386 if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) { 387 ca_sslerror(__func__); 388 *outlen = 0; 389 return; 390 } 391 *outlen = (size_t)olen; 392} 393 394void 395cipher_final(struct iked_cipher *encr, void *out, size_t *outlen) 396{ 397 int olen; 398 399 olen = 0; 400 if (!EVP_CipherFinal_ex(encr->encr_ctx, out, &olen)) { 401 ca_sslerror(__func__); 402 *outlen = 0; 403 return; 404 } 405 *outlen = (size_t)olen; 406} 407 408size_t 409cipher_length(struct iked_cipher *encr) 410{ 411 return (encr->encr_length); 412} 413 414size_t 415cipher_keylength(struct iked_cipher *encr) 416{ 417 if (encr->encr_fixedkey) 418 return (encr->encr_fixedkey); 419 420 /* Might return zero */ 421 return (ibuf_length(encr->encr_key)); 422} 423 424size_t 425cipher_ivlength(struct iked_cipher *encr) 426{ 427 return (encr->encr_ivlength); 428} 429 430size_t 431cipher_outlength(struct iked_cipher *encr, size_t inlen) 432{ 433 return (roundup(inlen, encr->encr_length)); 434} 435 436struct iked_dsa * 437dsa_new(u_int16_t id, struct iked_hash *prf, int sign) 438{ 439 struct iked_dsa *dsap = NULL, dsa; 440 441 bzero(&dsa, sizeof(dsa)); 442 443 switch (id) { 444 case IKEV2_AUTH_RSA_SIG: 445 /* RFC5996 says we SHOULD use SHA1 here */ 446 dsa.dsa_priv = EVP_sha1(); 447 break; 448 case IKEV2_AUTH_SHARED_KEY_MIC: 449 if (prf == NULL || prf->hash_priv == NULL) 450 fatalx("dsa_new: invalid PRF"); 451 dsa.dsa_priv = prf->hash_priv; 452 dsa.dsa_hmac = 1; 453 break; 454 case IKEV2_AUTH_DSS_SIG: 455 dsa.dsa_priv = EVP_dss1(); 456 break; 457 case IKEV2_AUTH_ECDSA_256: 458 dsa.dsa_priv = EVP_sha256(); 459 break; 460 case IKEV2_AUTH_ECDSA_384: 461 dsa.dsa_priv = EVP_sha384(); 462 break; 463 case IKEV2_AUTH_ECDSA_512: 464 dsa.dsa_priv = EVP_sha512(); 465 break; 466 default: 467 log_debug("%s: auth method %s not supported", __func__, 468 print_map(id, ikev2_auth_map)); 469 break; 470 } 471 472 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 473 log_debug("%s: alloc dsa ctx", __func__); 474 475 return (NULL); 476 } 477 memcpy(dsap, &dsa, sizeof(*dsap)); 478 479 dsap->dsa_method = id; 480 dsap->dsa_sign = sign; 481 482 if (dsap->dsa_hmac) { 483 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 484 log_debug("%s: alloc hash ctx", __func__); 485 dsa_free(dsap); 486 return (NULL); 487 } 488 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 489 } else { 490 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 491 log_debug("%s: alloc digest ctx", __func__); 492 dsa_free(dsap); 493 return (NULL); 494 } 495 } 496 497 return (dsap); 498} 499 500struct iked_dsa * 501dsa_sign_new(u_int16_t id, struct iked_hash *prf) 502{ 503 return (dsa_new(id, prf, 1)); 504} 505 506struct iked_dsa * 507dsa_verify_new(u_int16_t id, struct iked_hash *prf) 508{ 509 return (dsa_new(id, prf, 0)); 510} 511 512void 513dsa_free(struct iked_dsa *dsa) 514{ 515 if (dsa == NULL) 516 return; 517 if (dsa->dsa_hmac) { 518 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 519 free(dsa->dsa_ctx); 520 } else { 521 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 522 if (dsa->dsa_key) 523 EVP_PKEY_free(dsa->dsa_key); 524 if (dsa->dsa_cert) 525 X509_free(dsa->dsa_cert); 526 } 527 528 ibuf_release(dsa->dsa_keydata); 529 free(dsa); 530} 531 532struct ibuf * 533dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, u_int8_t type) 534{ 535 BIO *rawcert = NULL; 536 X509 *cert = NULL; 537 RSA *rsa = NULL; 538 EVP_PKEY *pkey = NULL; 539 540 ibuf_release(dsa->dsa_keydata); 541 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 542 log_debug("%s: alloc signature key", __func__); 543 return (NULL); 544 } 545 546 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 547 goto err; 548 549 switch (type) { 550 case IKEV2_CERT_X509_CERT: 551 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 552 goto sslerr; 553 if ((pkey = X509_get_pubkey(cert)) == NULL) 554 goto sslerr; 555 dsa->dsa_cert = cert; 556 dsa->dsa_key = pkey; 557 break; 558 case IKEV2_CERT_RSA_KEY: 559 if (dsa->dsa_sign) { 560 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 561 NULL)) == NULL) 562 goto sslerr; 563 } else { 564 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 565 NULL)) == NULL) 566 goto sslerr; 567 } 568 569 if ((pkey = EVP_PKEY_new()) == NULL) 570 goto sslerr; 571 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 572 goto sslerr; 573 574 RSA_free(rsa); /* pkey now has the reference */ 575 dsa->dsa_cert = NULL; 576 dsa->dsa_key = pkey; 577 break; 578 default: 579 if (dsa->dsa_hmac) 580 break; 581 log_debug("%s: unsupported key type", __func__); 582 goto err; 583 } 584 585 return (dsa->dsa_keydata); 586 587 sslerr: 588 ca_sslerror(__func__); 589 err: 590 log_debug("%s: error", __func__); 591 592 if (rsa != NULL) 593 RSA_free(rsa); 594 if (pkey != NULL) 595 EVP_PKEY_free(pkey); 596 if (cert != NULL) 597 X509_free(cert); 598 if (rawcert != NULL) 599 BIO_free(rawcert); 600 ibuf_release(dsa->dsa_keydata); 601 return (NULL); 602} 603 604int 605dsa_init(struct iked_dsa *dsa) 606{ 607 int ret; 608 609 if (dsa->dsa_hmac) { 610 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 611 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 612 return (-1); 613 return (0); 614 } 615 616 if (dsa->dsa_sign) 617 ret = EVP_SignInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 618 else 619 ret = EVP_VerifyInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 620 621 return (ret ? 0 : -1); 622} 623 624int 625dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 626{ 627 int ret = 1; 628 629 if (dsa->dsa_hmac) 630 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 631 else if (dsa->dsa_sign) 632 ret = EVP_SignUpdate(dsa->dsa_ctx, buf, len); 633 else 634 ret = EVP_VerifyUpdate(dsa->dsa_ctx, buf, len); 635 636 return (ret ? 0 : -1); 637} 638 639size_t 640dsa_length(struct iked_dsa *dsa) 641{ 642 if (dsa->dsa_hmac) 643 return (EVP_MD_size(dsa->dsa_priv)); 644 return (EVP_PKEY_size(dsa->dsa_key)); 645} 646 647ssize_t 648dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 649{ 650 u_int siglen; 651 652 if (len < dsa_length(dsa)) 653 return (-1); 654 655 if (dsa->dsa_hmac) { 656 if (!HMAC_Final(dsa->dsa_ctx, buf, &siglen)) 657 return (-1); 658 } else { 659 if (!EVP_SignFinal(dsa->dsa_ctx, buf, &siglen, 660 dsa->dsa_key)) 661 return (-1); 662 } 663 664 return (siglen); 665} 666 667ssize_t 668dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 669{ 670 u_int8_t sig[EVP_MAX_MD_SIZE]; 671 u_int siglen = sizeof(sig); 672 673 if (dsa->dsa_hmac) { 674 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 675 return (-1); 676 if (siglen != len || memcmp(buf, sig, siglen) != 0) 677 return (-1); 678 } else { 679 if (EVP_VerifyFinal(dsa->dsa_ctx, buf, len, 680 dsa->dsa_key) != 1) { 681 ca_sslerror(__func__); 682 return (-1); 683 } 684 } 685 686 return (0); 687} 688