crypto.c revision 1.27
1/* $OpenBSD: crypto.c,v 1.27 2020/05/14 15:08:30 tobhe Exp $ */ 2 3/* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/param.h> /* roundup */ 20#include <sys/queue.h> 21#include <sys/socket.h> 22#include <sys/uio.h> 23 24#include <stdio.h> 25#include <stdlib.h> 26#include <unistd.h> 27#include <string.h> 28#include <errno.h> 29#include <fcntl.h> 30#include <event.h> 31 32#include <openssl/hmac.h> 33#include <openssl/evp.h> 34#include <openssl/sha.h> 35#include <openssl/md5.h> 36#include <openssl/x509.h> 37#include <openssl/rsa.h> 38 39#include "iked.h" 40#include "ikev2.h" 41 42/* RFC 7427, A.1 RSA */ 43static const uint8_t sha256WithRSA[] = { 44 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 45 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 46}; 47static const uint8_t sha384WithRSA[] = { 48 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 49 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 50}; 51static const uint8_t sha512WithRSA[] = { 52 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 53 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 54}; 55/* RFC 7427, A.3 ECDSA */ 56static const uint8_t ecdsa_sha256[] = { 57 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 58 0x3d, 0x04, 0x03, 0x02 59}; 60static const uint8_t ecdsa_sha384[] = { 61 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 62 0x3d, 0x04, 0x03, 0x03 63}; 64static const uint8_t ecdsa_sha512[] = { 65 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 66 0x3d, 0x04, 0x03, 0x04 67}; 68 69static const struct { 70 int sc_keytype; 71 const EVP_MD *(*sc_md)(void); 72 uint8_t sc_len; 73 const uint8_t *sc_oid; 74} schemes[] = { 75 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA }, 76 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA }, 77 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA }, 78 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256 }, 79 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384 }, 80 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512 }, 81}; 82 83int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 84int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 85 uint8_t **); 86int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 87int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 88 89struct iked_hash * 90hash_new(uint8_t type, uint16_t id) 91{ 92 struct iked_hash *hash; 93 const EVP_MD *md = NULL; 94 HMAC_CTX *ctx = NULL; 95 int length = 0, fixedkey = 0, trunc = 0; 96 97 switch (type) { 98 case IKEV2_XFORMTYPE_PRF: 99 switch (id) { 100 case IKEV2_XFORMPRF_HMAC_MD5: 101 md = EVP_md5(); 102 length = MD5_DIGEST_LENGTH; 103 break; 104 case IKEV2_XFORMPRF_HMAC_SHA1: 105 md = EVP_sha1(); 106 length = SHA_DIGEST_LENGTH; 107 break; 108 case IKEV2_XFORMPRF_HMAC_SHA2_256: 109 md = EVP_sha256(); 110 length = SHA256_DIGEST_LENGTH; 111 break; 112 case IKEV2_XFORMPRF_HMAC_SHA2_384: 113 md = EVP_sha384(); 114 length = SHA384_DIGEST_LENGTH; 115 break; 116 case IKEV2_XFORMPRF_HMAC_SHA2_512: 117 md = EVP_sha512(); 118 length = SHA512_DIGEST_LENGTH; 119 break; 120 case IKEV2_XFORMPRF_AES128_XCBC: 121 fixedkey = 128 / 8; 122 length = fixedkey; 123 /* FALLTHROUGH */ 124 case IKEV2_XFORMPRF_HMAC_TIGER: 125 case IKEV2_XFORMPRF_AES128_CMAC: 126 default: 127 log_debug("%s: prf %s not supported", __func__, 128 print_map(id, ikev2_xformprf_map)); 129 break; 130 } 131 break; 132 case IKEV2_XFORMTYPE_INTEGR: 133 switch (id) { 134 case IKEV2_XFORMAUTH_HMAC_MD5_96: 135 md = EVP_md5(); 136 length = MD5_DIGEST_LENGTH; 137 trunc = 12; 138 break; 139 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 140 md = EVP_sha1(); 141 length = SHA_DIGEST_LENGTH; 142 trunc = 12; 143 break; 144 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 145 md = EVP_sha256(); 146 length = SHA256_DIGEST_LENGTH; 147 trunc = 16; 148 break; 149 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 150 md = EVP_sha384(); 151 length = SHA384_DIGEST_LENGTH; 152 trunc = 24; 153 break; 154 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 155 md = EVP_sha512(); 156 length = SHA512_DIGEST_LENGTH; 157 trunc = 32; 158 break; 159 case IKEV2_XFORMAUTH_NONE: 160 case IKEV2_XFORMAUTH_DES_MAC: 161 case IKEV2_XFORMAUTH_KPDK_MD5: 162 case IKEV2_XFORMAUTH_AES_XCBC_96: 163 case IKEV2_XFORMAUTH_HMAC_MD5_128: 164 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 165 case IKEV2_XFORMAUTH_AES_CMAC_96: 166 case IKEV2_XFORMAUTH_AES_128_GMAC: 167 case IKEV2_XFORMAUTH_AES_192_GMAC: 168 case IKEV2_XFORMAUTH_AES_256_GMAC: 169 default: 170 log_debug("%s: auth %s not supported", __func__, 171 print_map(id, ikev2_xformauth_map)); 172 break; 173 } 174 break; 175 default: 176 log_debug("%s: hash type %s not supported", __func__, 177 print_map(id, ikev2_xformtype_map)); 178 break; 179 } 180 if (md == NULL) 181 return (NULL); 182 183 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 184 log_debug("%s: alloc hash", __func__); 185 return (NULL); 186 } 187 188 hash->hash_type = type; 189 hash->hash_id = id; 190 hash->hash_priv = md; 191 hash->hash_ctx = NULL; 192 hash->hash_trunc = trunc; 193 hash->hash_length = length; 194 hash->hash_fixedkey = fixedkey; 195 196 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 197 log_debug("%s: alloc hash ctx", __func__); 198 hash_free(hash); 199 return (NULL); 200 } 201 202 HMAC_CTX_init(ctx); 203 hash->hash_ctx = ctx; 204 205 return (hash); 206} 207 208struct ibuf * 209hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 210{ 211 ibuf_release(hash->hash_key); 212 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 213 log_debug("%s: alloc hash key", __func__); 214 return (NULL); 215 } 216 return (hash->hash_key); 217} 218 219void 220hash_free(struct iked_hash *hash) 221{ 222 if (hash == NULL) 223 return; 224 if (hash->hash_ctx != NULL) { 225 HMAC_CTX_cleanup(hash->hash_ctx); 226 free(hash->hash_ctx); 227 } 228 ibuf_release(hash->hash_key); 229 free(hash); 230} 231 232void 233hash_init(struct iked_hash *hash) 234{ 235 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 236 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 237} 238 239void 240hash_update(struct iked_hash *hash, void *buf, size_t len) 241{ 242 HMAC_Update(hash->hash_ctx, buf, len); 243} 244 245void 246hash_final(struct iked_hash *hash, void *buf, size_t *len) 247{ 248 unsigned int length = 0; 249 250 HMAC_Final(hash->hash_ctx, buf, &length); 251 *len = (size_t)length; 252 253 /* Truncate the result if required by the alg */ 254 if (hash->hash_trunc && *len > hash->hash_trunc) 255 *len = hash->hash_trunc; 256} 257 258size_t 259hash_length(struct iked_hash *hash) 260{ 261 if (hash->hash_trunc) 262 return (hash->hash_trunc); 263 return (hash->hash_length); 264} 265 266size_t 267hash_keylength(struct iked_hash *hash) 268{ 269 return (hash->hash_length); 270} 271 272struct iked_cipher * 273cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 274{ 275 struct iked_cipher *encr; 276 const EVP_CIPHER *cipher = NULL; 277 EVP_CIPHER_CTX *ctx = NULL; 278 int length = 0, fixedkey = 0, ivlength = 0; 279 280 switch (type) { 281 case IKEV2_XFORMTYPE_ENCR: 282 switch (id) { 283 case IKEV2_XFORMENCR_3DES: 284 cipher = EVP_des_ede3_cbc(); 285 length = EVP_CIPHER_block_size(cipher); 286 fixedkey = EVP_CIPHER_key_length(cipher); 287 ivlength = EVP_CIPHER_iv_length(cipher); 288 break; 289 case IKEV2_XFORMENCR_AES_CBC: 290 switch (id_length) { 291 case 128: 292 cipher = EVP_aes_128_cbc(); 293 break; 294 case 192: 295 cipher = EVP_aes_192_cbc(); 296 break; 297 case 256: 298 cipher = EVP_aes_256_cbc(); 299 break; 300 default: 301 log_debug("%s: invalid key length %d" 302 " for cipher %s", __func__, id_length, 303 print_map(id, ikev2_xformencr_map)); 304 break; 305 } 306 if (cipher == NULL) 307 break; 308 length = EVP_CIPHER_block_size(cipher); 309 ivlength = EVP_CIPHER_iv_length(cipher); 310 fixedkey = EVP_CIPHER_key_length(cipher); 311 break; 312 case IKEV2_XFORMENCR_DES_IV64: 313 case IKEV2_XFORMENCR_DES: 314 case IKEV2_XFORMENCR_RC5: 315 case IKEV2_XFORMENCR_IDEA: 316 case IKEV2_XFORMENCR_CAST: 317 case IKEV2_XFORMENCR_BLOWFISH: 318 case IKEV2_XFORMENCR_3IDEA: 319 case IKEV2_XFORMENCR_DES_IV32: 320 case IKEV2_XFORMENCR_NULL: 321 case IKEV2_XFORMENCR_AES_CTR: 322 /* FALLTHROUGH */ 323 default: 324 log_debug("%s: cipher %s not supported", __func__, 325 print_map(id, ikev2_xformencr_map)); 326 cipher = NULL; 327 break; 328 } 329 break; 330 default: 331 log_debug("%s: cipher type %s not supported", __func__, 332 print_map(id, ikev2_xformtype_map)); 333 break; 334 } 335 if (cipher == NULL) 336 return (NULL); 337 338 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 339 log_debug("%s: alloc cipher", __func__); 340 return (NULL); 341 } 342 343 encr->encr_id = id; 344 encr->encr_priv = cipher; 345 encr->encr_ctx = NULL; 346 encr->encr_length = length; 347 encr->encr_fixedkey = fixedkey; 348 encr->encr_ivlength = ivlength ? ivlength : length; 349 350 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 351 log_debug("%s: alloc cipher ctx", __func__); 352 cipher_free(encr); 353 return (NULL); 354 } 355 356 EVP_CIPHER_CTX_init(ctx); 357 encr->encr_ctx = ctx; 358 359 return (encr); 360} 361 362struct ibuf * 363cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 364{ 365 ibuf_release(encr->encr_key); 366 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 367 log_debug("%s: alloc cipher key", __func__); 368 return (NULL); 369 } 370 return (encr->encr_key); 371} 372 373struct ibuf * 374cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 375{ 376 ibuf_release(encr->encr_iv); 377 encr->encr_iv = NULL; 378 if (iv != NULL) { 379 if (len < encr->encr_ivlength) { 380 log_debug("%s: invalid IV length %zu", __func__, len); 381 return (NULL); 382 } 383 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 384 } else { 385 /* Get new random IV */ 386 encr->encr_iv = ibuf_random(encr->encr_ivlength); 387 } 388 if (encr->encr_iv == NULL) { 389 log_debug("%s: failed to set IV", __func__); 390 return (NULL); 391 } 392 return (encr->encr_iv); 393} 394 395void 396cipher_free(struct iked_cipher *encr) 397{ 398 if (encr == NULL) 399 return; 400 if (encr->encr_ctx != NULL) { 401 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 402 free(encr->encr_ctx); 403 } 404 ibuf_release(encr->encr_iv); 405 ibuf_release(encr->encr_key); 406 free(encr); 407} 408 409int 410cipher_init(struct iked_cipher *encr, int enc) 411{ 412 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 413 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 414 return (-1); 415 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 416 return (0); 417} 418 419int 420cipher_init_encrypt(struct iked_cipher *encr) 421{ 422 return (cipher_init(encr, 1)); 423} 424 425int 426cipher_init_decrypt(struct iked_cipher *encr) 427{ 428 return (cipher_init(encr, 0)); 429} 430 431int 432cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 433 void *out, size_t *outlen) 434{ 435 int olen; 436 437 olen = 0; 438 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 439 ca_sslerror(__func__); 440 *outlen = 0; 441 return (-1); 442 } 443 *outlen = (size_t)olen; 444 return (0); 445} 446 447int 448cipher_final(struct iked_cipher *encr) 449{ 450 int olen; 451 452 /* 453 * We always have EVP_CIPH_NO_PADDING set. This means arg 454 * out is not used and olen should always be 0. 455 */ 456 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 457 ca_sslerror(__func__); 458 return (-1); 459 } 460 return (0); 461} 462 463size_t 464cipher_length(struct iked_cipher *encr) 465{ 466 return (encr->encr_length); 467} 468 469size_t 470cipher_keylength(struct iked_cipher *encr) 471{ 472 if (encr->encr_fixedkey) 473 return (encr->encr_fixedkey); 474 475 /* Might return zero */ 476 return (ibuf_length(encr->encr_key)); 477} 478 479size_t 480cipher_ivlength(struct iked_cipher *encr) 481{ 482 return (encr->encr_ivlength); 483} 484 485size_t 486cipher_outlength(struct iked_cipher *encr, size_t inlen) 487{ 488 return (roundup(inlen, encr->encr_length)); 489} 490 491struct iked_dsa * 492dsa_new(uint16_t id, struct iked_hash *prf, int sign) 493{ 494 struct iked_dsa *dsap = NULL, dsa; 495 496 bzero(&dsa, sizeof(dsa)); 497 498 switch (id) { 499 case IKEV2_AUTH_SIG: 500 if (sign) 501 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 502 else 503 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 504 break; 505 case IKEV2_AUTH_RSA_SIG: 506 /* RFC5996 says we SHOULD use SHA1 here */ 507 dsa.dsa_priv = EVP_sha1(); 508 break; 509 case IKEV2_AUTH_SHARED_KEY_MIC: 510 if (prf == NULL || prf->hash_priv == NULL) 511 fatalx("dsa_new: invalid PRF"); 512 dsa.dsa_priv = prf->hash_priv; 513 dsa.dsa_hmac = 1; 514 break; 515 case IKEV2_AUTH_DSS_SIG: 516 dsa.dsa_priv = EVP_dss1(); 517 break; 518 case IKEV2_AUTH_ECDSA_256: 519 dsa.dsa_priv = EVP_sha256(); 520 break; 521 case IKEV2_AUTH_ECDSA_384: 522 dsa.dsa_priv = EVP_sha384(); 523 break; 524 case IKEV2_AUTH_ECDSA_521: 525 dsa.dsa_priv = EVP_sha512(); 526 break; 527 default: 528 log_debug("%s: auth method %s not supported", __func__, 529 print_map(id, ikev2_auth_map)); 530 break; 531 } 532 533 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 534 log_debug("%s: alloc dsa ctx", __func__); 535 536 return (NULL); 537 } 538 memcpy(dsap, &dsa, sizeof(*dsap)); 539 540 dsap->dsa_method = id; 541 dsap->dsa_sign = sign; 542 543 if (dsap->dsa_hmac) { 544 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 545 log_debug("%s: alloc hash ctx", __func__); 546 dsa_free(dsap); 547 return (NULL); 548 } 549 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 550 } else { 551 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 552 log_debug("%s: alloc digest ctx", __func__); 553 dsa_free(dsap); 554 return (NULL); 555 } 556 } 557 558 return (dsap); 559} 560 561struct iked_dsa * 562dsa_sign_new(uint16_t id, struct iked_hash *prf) 563{ 564 return (dsa_new(id, prf, 1)); 565} 566 567struct iked_dsa * 568dsa_verify_new(uint16_t id, struct iked_hash *prf) 569{ 570 return (dsa_new(id, prf, 0)); 571} 572 573void 574dsa_free(struct iked_dsa *dsa) 575{ 576 if (dsa == NULL) 577 return; 578 if (dsa->dsa_hmac) { 579 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 580 free(dsa->dsa_ctx); 581 } else { 582 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 583 if (dsa->dsa_key) 584 EVP_PKEY_free(dsa->dsa_key); 585 } 586 587 ibuf_release(dsa->dsa_keydata); 588 free(dsa); 589} 590 591struct ibuf * 592dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 593{ 594 BIO *rawcert = NULL; 595 X509 *cert = NULL; 596 RSA *rsa = NULL; 597 EC_KEY *ec = NULL; 598 EVP_PKEY *pkey = NULL; 599 600 ibuf_release(dsa->dsa_keydata); 601 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 602 log_debug("%s: alloc signature key", __func__); 603 return (NULL); 604 } 605 606 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 607 goto err; 608 609 switch (type) { 610 case IKEV2_CERT_X509_CERT: 611 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 612 goto sslerr; 613 if ((pkey = X509_get_pubkey(cert)) == NULL) 614 goto sslerr; 615 dsa->dsa_key = pkey; 616 break; 617 case IKEV2_CERT_RSA_KEY: 618 if (dsa->dsa_sign) { 619 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 620 NULL)) == NULL) 621 goto sslerr; 622 } else { 623 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 624 NULL)) == NULL) 625 goto sslerr; 626 } 627 628 if ((pkey = EVP_PKEY_new()) == NULL) 629 goto sslerr; 630 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 631 goto sslerr; 632 633 RSA_free(rsa); /* pkey now has the reference */ 634 dsa->dsa_key = pkey; 635 break; 636 case IKEV2_CERT_ECDSA: 637 if (dsa->dsa_sign) { 638 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 639 goto sslerr; 640 } else { 641 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 642 goto sslerr; 643 } 644 645 if ((pkey = EVP_PKEY_new()) == NULL) 646 goto sslerr; 647 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 648 goto sslerr; 649 650 EC_KEY_free(ec); /* pkey now has the reference */ 651 dsa->dsa_key = pkey; 652 break; 653 default: 654 if (dsa->dsa_hmac) 655 break; 656 log_debug("%s: unsupported key type", __func__); 657 goto err; 658 } 659 660 if (cert != NULL) 661 X509_free(cert); 662 BIO_free(rawcert); /* temporary for parsing */ 663 664 return (dsa->dsa_keydata); 665 666 sslerr: 667 ca_sslerror(__func__); 668 err: 669 log_debug("%s: error", __func__); 670 671 if (rsa != NULL) 672 RSA_free(rsa); 673 if (ec != NULL) 674 EC_KEY_free(ec); 675 if (pkey != NULL) 676 EVP_PKEY_free(pkey); 677 if (cert != NULL) 678 X509_free(cert); 679 if (rawcert != NULL) 680 BIO_free(rawcert); 681 ibuf_release(dsa->dsa_keydata); 682 dsa->dsa_keydata = NULL; 683 return (NULL); 684} 685 686int 687_dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 688{ 689 uint8_t oidlen; 690 size_t i; 691 int keytype; 692 693 if (dsa->dsa_priv != NULL) 694 return (0); 695 /* 696 * For IKEV2_AUTH_SIG the oid of the authentication signature 697 * is encoded in the first bytes of the auth message. 698 */ 699 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 700 log_debug("%s: dsa_priv not set for %s", __func__, 701 print_map(dsa->dsa_method, ikev2_auth_map)); 702 return (-1); 703 } 704 if (dsa->dsa_key == NULL) { 705 log_debug("%s: dsa_key not set for %s", __func__, 706 print_map(dsa->dsa_method, ikev2_auth_map)); 707 return (-1); 708 } 709 keytype = EVP_PKEY_type(((EVP_PKEY *)dsa->dsa_key)->type); 710 if (sig == NULL) { 711 log_debug("%s: signature missing", __func__); 712 return (-1); 713 } 714 if (len < sizeof(oidlen)) { 715 log_debug("%s: signature (%zu) too small for oid length", 716 __func__, len); 717 return (-1); 718 } 719 memcpy(&oidlen, sig, sizeof(oidlen)); 720 if (len < (size_t)oidlen + sizeof(oidlen)) { 721 log_debug("%s: signature (%zu) too small for oid (%u)", 722 __func__, len, oidlen); 723 return (-1); 724 } 725 for (i = 0; i < nitems(schemes); i++) { 726 if (keytype == schemes[i].sc_keytype && 727 oidlen == schemes[i].sc_len && 728 memcmp(sig + 1, schemes[i].sc_oid, 729 schemes[i].sc_len) == 0) { 730 dsa->dsa_priv = (*schemes[i].sc_md)(); 731 log_debug("%s: signature scheme %zd selected", 732 __func__, i); 733 return (0); 734 } 735 } 736 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 737 return (-1); 738} 739 740int 741dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 742{ 743 int ret; 744 745 if (dsa->dsa_hmac) { 746 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 747 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 748 return (-1); 749 return (0); 750 } 751 752 if (dsa->dsa_sign) 753 ret = EVP_DigestSignInit(dsa->dsa_ctx, NULL, dsa->dsa_priv, 754 NULL, dsa->dsa_key); 755 else { 756 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 757 return (ret); 758 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, NULL, dsa->dsa_priv, 759 NULL, dsa->dsa_key); 760 } 761 762 return (ret == 1 ? 0 : -1); 763} 764 765int 766dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 767{ 768 int ret; 769 770 if (dsa->dsa_hmac) 771 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 772 else if (dsa->dsa_sign) 773 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 774 else 775 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 776 777 return (ret == 1 ? 0 : -1); 778} 779 780/* Prefix signature hash with encoded type */ 781int 782_dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 783{ 784 int keytype; 785 size_t i, need; 786 787 if (offp) 788 *offp = 0; 789 if (dsa->dsa_method != IKEV2_AUTH_SIG) 790 return (0); 791 if (dsa->dsa_key == NULL) 792 return (-1); 793 keytype = EVP_PKEY_type(((EVP_PKEY *)dsa->dsa_key)->type); 794 for (i = 0; i < nitems(schemes); i++) { 795 /* XXX should avoid calling sc_md() each time... */ 796 if (keytype == schemes[i].sc_keytype && 797 (dsa->dsa_priv == (*schemes[i].sc_md)())) 798 break; 799 } 800 if (i >= nitems(schemes)) 801 return (-1); 802 log_debug("%s: signature scheme %zd selected", __func__, i); 803 need = sizeof(ptr[0]) + schemes[i].sc_len; 804 if (ptr) { 805 if (len < need) 806 return (-1); 807 ptr[0] = schemes[i].sc_len; 808 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 809 schemes[i].sc_len); 810 } 811 if (offp) 812 *offp = need; 813 return (0); 814} 815 816/* Export size of encoded signature hash type */ 817size_t 818dsa_prefix(struct iked_dsa *dsa) 819{ 820 size_t off = 0; 821 822 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 823 fatal("dsa_prefix: internal error"); 824 return off; 825} 826 827size_t 828dsa_length(struct iked_dsa *dsa) 829{ 830 if (dsa->dsa_hmac) 831 return (EVP_MD_size(dsa->dsa_priv)); 832 switch (dsa->dsa_method) { 833 case IKEV2_AUTH_ECDSA_256: 834 case IKEV2_AUTH_ECDSA_384: 835 case IKEV2_AUTH_ECDSA_521: 836 /* size of concat(r|s) */ 837 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 838 } 839 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 840} 841 842int 843_dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 844{ 845 ECDSA_SIG *obj = NULL; 846 uint8_t *tmp = NULL; 847 const uint8_t *p; 848 size_t tmplen; 849 int ret = -1; 850 int bnlen, off; 851 852 if (len % 2) 853 goto done; /* must be even */ 854 bnlen = len/2; 855 /* 856 * (a) create DER signature into 'tmp' buffer 857 * (b) convert buffer to ECDSA_SIG object 858 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 859 */ 860 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 861 goto done; 862 if ((tmp = calloc(1, tmplen)) == NULL) 863 goto done; 864 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 865 goto done; 866 p = tmp; 867 if (d2i_ECDSA_SIG(&obj, &p, tmplen) == NULL) 868 goto done; 869 if (BN_num_bytes(obj->r) > bnlen || BN_num_bytes(obj->s) > bnlen) 870 goto done; 871 memset(ptr, 0, len); 872 off = bnlen - BN_num_bytes(obj->r); 873 BN_bn2bin(obj->r, ptr + off); 874 off = 2 * bnlen - BN_num_bytes(obj->s); 875 BN_bn2bin(obj->s, ptr + off); 876 ret = 0; 877 done: 878 free(tmp); 879 if (obj) 880 ECDSA_SIG_free(obj); 881 return (ret); 882} 883 884ssize_t 885dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 886{ 887 unsigned int hmaclen; 888 size_t off = 0; 889 uint8_t *ptr = buf; 890 891 if (len < dsa_length(dsa)) 892 return (-1); 893 894 if (dsa->dsa_hmac) { 895 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 896 return (-1); 897 if (hmaclen > INT_MAX) 898 return (-1); 899 return (ssize_t)hmaclen; 900 } else { 901 switch (dsa->dsa_method) { 902 case IKEV2_AUTH_ECDSA_256: 903 case IKEV2_AUTH_ECDSA_384: 904 case IKEV2_AUTH_ECDSA_521: 905 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 906 return (-1); 907 return (len); 908 default: 909 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 910 return (-1); 911 if (off > len) 912 return (-1); 913 len -= off; 914 ptr += off; 915 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 916 return (-1); 917 return (len + off); 918 } 919 } 920 return (-1); 921} 922 923int 924_dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 925 uint8_t **freemep) 926{ 927 ECDSA_SIG *obj = NULL; 928 uint8_t *ptr = NULL; 929 size_t bnlen, len, off; 930 int ret = -1; 931 932 *freemep = NULL; /* don't return garbage in case of an error */ 933 934 switch (dsa->dsa_method) { 935 case IKEV2_AUTH_SIG: 936 /* 937 * The first byte of the signature encodes the OID 938 * prefix length which we need to skip. 939 */ 940 off = (*sigp)[0] + 1; 941 *sigp = *sigp + off; 942 *lenp = *lenp - off; 943 *freemep = NULL; 944 ret = 0; 945 break; 946 case IKEV2_AUTH_ECDSA_256: 947 case IKEV2_AUTH_ECDSA_384: 948 case IKEV2_AUTH_ECDSA_521: 949 /* 950 * sigp points to concatenation r|s, while EVP_VerifyFinal() 951 * expects the signature as a DER-encoded blob (of the two 952 * values), so we need to convert the signature in a new 953 * buffer (we cannot override the given buffer) and the caller 954 * has to free this buffer ('freeme'). 955 */ 956 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 957 goto done; 958 bnlen = (*lenp)/2; 959 /* sigp points to concatenation: r|s */ 960 if ((obj = ECDSA_SIG_new()) == NULL || 961 BN_bin2bn(*sigp, bnlen, obj->r) == NULL || 962 BN_bin2bn(*sigp+bnlen, bnlen, obj->s) == NULL || 963 (len = i2d_ECDSA_SIG(obj, &ptr)) == 0) 964 goto done; 965 *lenp = len; 966 *sigp = ptr; 967 *freemep = ptr; 968 ptr = NULL; 969 ret = 0; 970 break; 971 default: 972 return (0); 973 } 974 done: 975 free(ptr); 976 if (obj) 977 ECDSA_SIG_free(obj); 978 return (ret); 979} 980 981ssize_t 982dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 983{ 984 uint8_t sig[EVP_MAX_MD_SIZE]; 985 uint8_t *ptr = buf, *freeme = NULL; 986 unsigned int siglen = sizeof(sig); 987 988 if (dsa->dsa_hmac) { 989 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 990 return (-1); 991 if (siglen != len || memcmp(buf, sig, siglen) != 0) 992 return (-1); 993 } else { 994 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 995 return (-1); 996 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 997 free(freeme); 998 ca_sslerror(__func__); 999 return (-1); 1000 } 1001 free(freeme); 1002 } 1003 1004 return (0); 1005} 1006