crypto.c revision 1.15
1/* $OpenBSD: crypto.c,v 1.15 2015/01/16 06:39:58 deraadt Exp $ */ 2 3/* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/param.h> /* roundup */ 20#include <sys/queue.h> 21#include <sys/socket.h> 22#include <sys/uio.h> 23 24#include <stdio.h> 25#include <stdlib.h> 26#include <unistd.h> 27#include <string.h> 28#include <errno.h> 29#include <fcntl.h> 30#include <event.h> 31 32#include <openssl/hmac.h> 33#include <openssl/evp.h> 34#include <openssl/sha.h> 35#include <openssl/md5.h> 36#include <openssl/x509.h> 37#include <openssl/rsa.h> 38 39#include "iked.h" 40#include "ikev2.h" 41 42struct iked_hash * 43hash_new(u_int8_t type, u_int16_t id) 44{ 45 struct iked_hash *hash; 46 const EVP_MD *md = NULL; 47 HMAC_CTX *ctx = NULL; 48 int length = 0, fixedkey = 0, trunc = 0; 49 50 switch (type) { 51 case IKEV2_XFORMTYPE_PRF: 52 switch (id) { 53 case IKEV2_XFORMPRF_HMAC_MD5: 54 md = EVP_md5(); 55 length = MD5_DIGEST_LENGTH; 56 break; 57 case IKEV2_XFORMPRF_HMAC_SHA1: 58 md = EVP_sha1(); 59 length = SHA_DIGEST_LENGTH; 60 break; 61 case IKEV2_XFORMPRF_HMAC_SHA2_256: 62 md = EVP_sha256(); 63 length = SHA256_DIGEST_LENGTH; 64 break; 65 case IKEV2_XFORMPRF_HMAC_SHA2_384: 66 md = EVP_sha384(); 67 length = SHA384_DIGEST_LENGTH; 68 break; 69 case IKEV2_XFORMPRF_HMAC_SHA2_512: 70 md = EVP_sha512(); 71 length = SHA512_DIGEST_LENGTH; 72 break; 73 case IKEV2_XFORMPRF_AES128_XCBC: 74 fixedkey = 128 / 8; 75 length = fixedkey; 76 /* FALLTHROUGH */ 77 case IKEV2_XFORMPRF_HMAC_TIGER: 78 case IKEV2_XFORMPRF_AES128_CMAC: 79 default: 80 log_debug("%s: prf %s not supported", __func__, 81 print_map(id, ikev2_xformprf_map)); 82 break; 83 } 84 break; 85 case IKEV2_XFORMTYPE_INTEGR: 86 switch (id) { 87 case IKEV2_XFORMAUTH_HMAC_MD5_96: 88 md = EVP_md5(); 89 length = MD5_DIGEST_LENGTH; 90 trunc = 12; 91 break; 92 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 93 md = EVP_sha1(); 94 length = SHA_DIGEST_LENGTH; 95 trunc = 12; 96 break; 97 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 98 md = EVP_sha256(); 99 length = SHA256_DIGEST_LENGTH; 100 trunc = 16; 101 break; 102 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 103 md = EVP_sha384(); 104 length = SHA384_DIGEST_LENGTH; 105 trunc = 24; 106 break; 107 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 108 md = EVP_sha512(); 109 length = SHA512_DIGEST_LENGTH; 110 trunc = 32; 111 break; 112 case IKEV2_XFORMAUTH_NONE: 113 case IKEV2_XFORMAUTH_DES_MAC: 114 case IKEV2_XFORMAUTH_KPDK_MD5: 115 case IKEV2_XFORMAUTH_AES_XCBC_96: 116 case IKEV2_XFORMAUTH_HMAC_MD5_128: 117 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 118 case IKEV2_XFORMAUTH_AES_CMAC_96: 119 case IKEV2_XFORMAUTH_AES_128_GMAC: 120 case IKEV2_XFORMAUTH_AES_192_GMAC: 121 case IKEV2_XFORMAUTH_AES_256_GMAC: 122 default: 123 log_debug("%s: auth %s not supported", __func__, 124 print_map(id, ikev2_xformauth_map)); 125 break; 126 } 127 break; 128 default: 129 log_debug("%s: hash type %s not supported", __func__, 130 print_map(id, ikev2_xformtype_map)); 131 break; 132 } 133 if (md == NULL) 134 return (NULL); 135 136 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 137 log_debug("%s: alloc hash", __func__); 138 return (NULL); 139 } 140 141 hash->hash_type = type; 142 hash->hash_id = id; 143 hash->hash_priv = md; 144 hash->hash_ctx = NULL; 145 hash->hash_trunc = trunc; 146 hash->hash_length = length; 147 hash->hash_fixedkey = fixedkey; 148 149 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 150 log_debug("%s: alloc hash ctx", __func__); 151 hash_free(hash); 152 return (NULL); 153 } 154 155 HMAC_CTX_init(ctx); 156 hash->hash_ctx = ctx; 157 158 return (hash); 159} 160 161struct ibuf * 162hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 163{ 164 ibuf_release(hash->hash_key); 165 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 166 log_debug("%s: alloc hash key", __func__); 167 return (NULL); 168 } 169 return (hash->hash_key); 170} 171 172void 173hash_free(struct iked_hash *hash) 174{ 175 if (hash == NULL) 176 return; 177 if (hash->hash_ctx != NULL) { 178 HMAC_CTX_cleanup(hash->hash_ctx); 179 free(hash->hash_ctx); 180 } 181 ibuf_release(hash->hash_key); 182 free(hash); 183} 184 185void 186hash_init(struct iked_hash *hash) 187{ 188 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 189 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 190} 191 192void 193hash_update(struct iked_hash *hash, void *buf, size_t len) 194{ 195 HMAC_Update(hash->hash_ctx, buf, len); 196} 197 198void 199hash_final(struct iked_hash *hash, void *buf, size_t *len) 200{ 201 u_int length = 0; 202 203 HMAC_Final(hash->hash_ctx, buf, &length); 204 *len = (size_t)length; 205 206 /* Truncate the result if required by the alg */ 207 if (hash->hash_trunc && *len > hash->hash_trunc) 208 *len = hash->hash_trunc; 209} 210 211size_t 212hash_length(struct iked_hash *hash) 213{ 214 if (hash->hash_trunc) 215 return (hash->hash_trunc); 216 return (hash->hash_length); 217} 218 219size_t 220hash_keylength(struct iked_hash *hash) 221{ 222 return (hash->hash_length); 223} 224 225struct iked_cipher * 226cipher_new(u_int8_t type, u_int16_t id, u_int16_t id_length) 227{ 228 struct iked_cipher *encr; 229 const EVP_CIPHER *cipher = NULL; 230 EVP_CIPHER_CTX *ctx = NULL; 231 int length = 0, fixedkey = 0, ivlength = 0; 232 233 switch (type) { 234 case IKEV2_XFORMTYPE_ENCR: 235 switch (id) { 236 case IKEV2_XFORMENCR_3DES: 237 cipher = EVP_des_ede3_cbc(); 238 length = EVP_CIPHER_block_size(cipher); 239 fixedkey = EVP_CIPHER_key_length(cipher); 240 ivlength = EVP_CIPHER_iv_length(cipher); 241 break; 242 case IKEV2_XFORMENCR_AES_CBC: 243 switch (id_length) { 244 case 128: 245 cipher = EVP_aes_128_cbc(); 246 break; 247 case 192: 248 cipher = EVP_aes_192_cbc(); 249 break; 250 case 256: 251 cipher = EVP_aes_256_cbc(); 252 break; 253 default: 254 log_debug("%s: invalid key length %d" 255 " for cipher %s", __func__, id_length, 256 print_map(id, ikev2_xformencr_map)); 257 break; 258 } 259 if (cipher == NULL) 260 break; 261 length = EVP_CIPHER_block_size(cipher); 262 ivlength = EVP_CIPHER_iv_length(cipher); 263 fixedkey = EVP_CIPHER_key_length(cipher); 264 break; 265 case IKEV2_XFORMENCR_DES_IV64: 266 case IKEV2_XFORMENCR_DES: 267 case IKEV2_XFORMENCR_RC5: 268 case IKEV2_XFORMENCR_IDEA: 269 case IKEV2_XFORMENCR_CAST: 270 case IKEV2_XFORMENCR_BLOWFISH: 271 case IKEV2_XFORMENCR_3IDEA: 272 case IKEV2_XFORMENCR_DES_IV32: 273 case IKEV2_XFORMENCR_NULL: 274 case IKEV2_XFORMENCR_AES_CTR: 275 /* FALLTHROUGH */ 276 default: 277 log_debug("%s: cipher %s not supported", __func__, 278 print_map(id, ikev2_xformencr_map)); 279 cipher = NULL; 280 break; 281 } 282 break; 283 default: 284 log_debug("%s: cipher type %s not supported", __func__, 285 print_map(id, ikev2_xformtype_map)); 286 break; 287 } 288 if (cipher == NULL) 289 return (NULL); 290 291 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 292 log_debug("%s: alloc cipher", __func__); 293 return (NULL); 294 } 295 296 encr->encr_id = id; 297 encr->encr_priv = cipher; 298 encr->encr_ctx = NULL; 299 encr->encr_length = length; 300 encr->encr_fixedkey = fixedkey; 301 encr->encr_ivlength = ivlength ? ivlength : length; 302 303 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 304 log_debug("%s: alloc cipher ctx", __func__); 305 cipher_free(encr); 306 return (NULL); 307 } 308 309 EVP_CIPHER_CTX_init(ctx); 310 encr->encr_ctx = ctx; 311 312 return (encr); 313} 314 315struct ibuf * 316cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 317{ 318 ibuf_release(encr->encr_key); 319 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 320 log_debug("%s: alloc cipher key", __func__); 321 return (NULL); 322 } 323 return (encr->encr_key); 324} 325 326struct ibuf * 327cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 328{ 329 ibuf_release(encr->encr_iv); 330 if (iv != NULL) { 331 if (len < encr->encr_ivlength) { 332 log_debug("%s: invalid IV length %zu", __func__, len); 333 return (NULL); 334 } 335 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 336 } else { 337 /* Get new random IV */ 338 encr->encr_iv = ibuf_random(encr->encr_ivlength); 339 } 340 if (encr->encr_iv == NULL) { 341 log_debug("%s: failed to set IV", __func__); 342 return (NULL); 343 } 344 return (encr->encr_iv); 345} 346 347void 348cipher_free(struct iked_cipher *encr) 349{ 350 if (encr == NULL) 351 return; 352 if (encr->encr_ctx != NULL) { 353 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 354 free(encr->encr_ctx); 355 } 356 ibuf_release(encr->encr_key); 357 free(encr); 358} 359 360void 361cipher_init(struct iked_cipher *encr, int enc) 362{ 363 EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 364 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc); 365 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 366} 367 368void 369cipher_init_encrypt(struct iked_cipher *encr) 370{ 371 cipher_init(encr, 1); 372} 373 374void 375cipher_init_decrypt(struct iked_cipher *encr) 376{ 377 cipher_init(encr, 0); 378} 379 380void 381cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 382 void *out, size_t *outlen) 383{ 384 int olen; 385 386 olen = 0; 387 if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) { 388 ca_sslerror(__func__); 389 *outlen = 0; 390 return; 391 } 392 *outlen = (size_t)olen; 393} 394 395void 396cipher_final(struct iked_cipher *encr, void *out, size_t *outlen) 397{ 398 int olen; 399 400 olen = 0; 401 if (!EVP_CipherFinal_ex(encr->encr_ctx, out, &olen)) { 402 ca_sslerror(__func__); 403 *outlen = 0; 404 return; 405 } 406 *outlen = (size_t)olen; 407} 408 409size_t 410cipher_length(struct iked_cipher *encr) 411{ 412 return (encr->encr_length); 413} 414 415size_t 416cipher_keylength(struct iked_cipher *encr) 417{ 418 if (encr->encr_fixedkey) 419 return (encr->encr_fixedkey); 420 421 /* Might return zero */ 422 return (ibuf_length(encr->encr_key)); 423} 424 425size_t 426cipher_ivlength(struct iked_cipher *encr) 427{ 428 return (encr->encr_ivlength); 429} 430 431size_t 432cipher_outlength(struct iked_cipher *encr, size_t inlen) 433{ 434 return (roundup(inlen, encr->encr_length)); 435} 436 437struct iked_dsa * 438dsa_new(u_int16_t id, struct iked_hash *prf, int sign) 439{ 440 struct iked_dsa *dsap = NULL, dsa; 441 442 bzero(&dsa, sizeof(dsa)); 443 444 switch (id) { 445 case IKEV2_AUTH_RSA_SIG: 446 /* RFC5996 says we SHOULD use SHA1 here */ 447 dsa.dsa_priv = EVP_sha1(); 448 break; 449 case IKEV2_AUTH_SHARED_KEY_MIC: 450 if (prf == NULL || prf->hash_priv == NULL) 451 fatalx("dsa_new: invalid PRF"); 452 dsa.dsa_priv = prf->hash_priv; 453 dsa.dsa_hmac = 1; 454 break; 455 case IKEV2_AUTH_DSS_SIG: 456 dsa.dsa_priv = EVP_dss1(); 457 break; 458 case IKEV2_AUTH_ECDSA_256: 459 dsa.dsa_priv = EVP_sha256(); 460 break; 461 case IKEV2_AUTH_ECDSA_384: 462 dsa.dsa_priv = EVP_sha384(); 463 break; 464 case IKEV2_AUTH_ECDSA_512: 465 dsa.dsa_priv = EVP_sha512(); 466 break; 467 default: 468 log_debug("%s: auth method %s not supported", __func__, 469 print_map(id, ikev2_auth_map)); 470 break; 471 } 472 473 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 474 log_debug("%s: alloc dsa ctx", __func__); 475 476 return (NULL); 477 } 478 memcpy(dsap, &dsa, sizeof(*dsap)); 479 480 dsap->dsa_method = id; 481 dsap->dsa_sign = sign; 482 483 if (dsap->dsa_hmac) { 484 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 485 log_debug("%s: alloc hash ctx", __func__); 486 dsa_free(dsap); 487 return (NULL); 488 } 489 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 490 } else { 491 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 492 log_debug("%s: alloc digest ctx", __func__); 493 dsa_free(dsap); 494 return (NULL); 495 } 496 } 497 498 return (dsap); 499} 500 501struct iked_dsa * 502dsa_sign_new(u_int16_t id, struct iked_hash *prf) 503{ 504 return (dsa_new(id, prf, 1)); 505} 506 507struct iked_dsa * 508dsa_verify_new(u_int16_t id, struct iked_hash *prf) 509{ 510 return (dsa_new(id, prf, 0)); 511} 512 513void 514dsa_free(struct iked_dsa *dsa) 515{ 516 if (dsa == NULL) 517 return; 518 if (dsa->dsa_hmac) { 519 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 520 free(dsa->dsa_ctx); 521 } else { 522 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 523 if (dsa->dsa_key) 524 EVP_PKEY_free(dsa->dsa_key); 525 if (dsa->dsa_cert) 526 X509_free(dsa->dsa_cert); 527 } 528 529 ibuf_release(dsa->dsa_keydata); 530 free(dsa); 531} 532 533struct ibuf * 534dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, u_int8_t type) 535{ 536 BIO *rawcert = NULL; 537 X509 *cert = NULL; 538 RSA *rsa = NULL; 539 EVP_PKEY *pkey = NULL; 540 541 ibuf_release(dsa->dsa_keydata); 542 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 543 log_debug("%s: alloc signature key", __func__); 544 return (NULL); 545 } 546 547 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 548 goto err; 549 550 switch (type) { 551 case IKEV2_CERT_X509_CERT: 552 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 553 goto sslerr; 554 if ((pkey = X509_get_pubkey(cert)) == NULL) 555 goto sslerr; 556 dsa->dsa_cert = cert; 557 dsa->dsa_key = pkey; 558 break; 559 case IKEV2_CERT_RSA_KEY: 560 if (dsa->dsa_sign) { 561 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 562 NULL)) == NULL) 563 goto sslerr; 564 } else { 565 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 566 NULL)) == NULL) 567 goto sslerr; 568 } 569 570 if ((pkey = EVP_PKEY_new()) == NULL) 571 goto sslerr; 572 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 573 goto sslerr; 574 575 RSA_free(rsa); /* pkey now has the reference */ 576 dsa->dsa_cert = NULL; 577 dsa->dsa_key = pkey; 578 break; 579 default: 580 if (dsa->dsa_hmac) 581 break; 582 log_debug("%s: unsupported key type", __func__); 583 goto err; 584 } 585 586 return (dsa->dsa_keydata); 587 588 sslerr: 589 ca_sslerror(__func__); 590 err: 591 log_debug("%s: error", __func__); 592 593 if (rsa != NULL) 594 RSA_free(rsa); 595 if (pkey != NULL) 596 EVP_PKEY_free(pkey); 597 if (cert != NULL) 598 X509_free(cert); 599 if (rawcert != NULL) 600 BIO_free(rawcert); 601 ibuf_release(dsa->dsa_keydata); 602 return (NULL); 603} 604 605int 606dsa_init(struct iked_dsa *dsa) 607{ 608 int ret; 609 610 if (dsa->dsa_hmac) { 611 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 612 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 613 return (-1); 614 return (0); 615 } 616 617 if (dsa->dsa_sign) 618 ret = EVP_SignInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 619 else 620 ret = EVP_VerifyInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 621 622 return (ret ? 0 : -1); 623} 624 625int 626dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 627{ 628 int ret = 1; 629 630 if (dsa->dsa_hmac) 631 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 632 else if (dsa->dsa_sign) 633 ret = EVP_SignUpdate(dsa->dsa_ctx, buf, len); 634 else 635 ret = EVP_VerifyUpdate(dsa->dsa_ctx, buf, len); 636 637 return (ret ? 0 : -1); 638} 639 640size_t 641dsa_length(struct iked_dsa *dsa) 642{ 643 if (dsa->dsa_hmac) 644 return (EVP_MD_size(dsa->dsa_priv)); 645 return (EVP_PKEY_size(dsa->dsa_key)); 646} 647 648ssize_t 649dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 650{ 651 u_int siglen; 652 653 if (len < dsa_length(dsa)) 654 return (-1); 655 656 if (dsa->dsa_hmac) { 657 if (!HMAC_Final(dsa->dsa_ctx, buf, &siglen)) 658 return (-1); 659 } else { 660 if (!EVP_SignFinal(dsa->dsa_ctx, buf, &siglen, 661 dsa->dsa_key)) 662 return (-1); 663 } 664 665 return (siglen); 666} 667 668ssize_t 669dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 670{ 671 u_int8_t sig[EVP_MAX_MD_SIZE]; 672 u_int siglen = sizeof(sig); 673 674 if (dsa->dsa_hmac) { 675 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 676 return (-1); 677 if (siglen != len || memcmp(buf, sig, siglen) != 0) 678 return (-1); 679 } else { 680 if (EVP_VerifyFinal(dsa->dsa_ctx, buf, len, 681 dsa->dsa_key) != 1) { 682 ca_sslerror(__func__); 683 return (-1); 684 } 685 } 686 687 return (0); 688} 689