crypto.c revision 1.35
1/* $OpenBSD: crypto.c,v 1.35 2021/11/18 22:42:02 tobhe Exp $ */ 2 3/* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/param.h> /* roundup */ 20#include <sys/queue.h> 21#include <sys/socket.h> 22#include <sys/uio.h> 23 24#include <stdio.h> 25#include <stdlib.h> 26#include <unistd.h> 27#include <string.h> 28#include <errno.h> 29#include <fcntl.h> 30#include <event.h> 31 32#include <openssl/ecdsa.h> 33#include <openssl/hmac.h> 34#include <openssl/evp.h> 35#include <openssl/sha.h> 36#include <openssl/md5.h> 37#include <openssl/x509.h> 38#include <openssl/rsa.h> 39 40#include "iked.h" 41#include "ikev2.h" 42 43/* RFC 7427, A.1 RSA */ 44static const uint8_t sha256WithRSA[] = { 45 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 46 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 47}; 48static const uint8_t sha384WithRSA[] = { 49 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 50 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 51}; 52static const uint8_t sha512WithRSA[] = { 53 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 54 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 55}; 56/* RFC 7427, A.3 ECDSA */ 57static const uint8_t ecdsa_sha256[] = { 58 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 59 0x3d, 0x04, 0x03, 0x02 60}; 61static const uint8_t ecdsa_sha384[] = { 62 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 63 0x3d, 0x04, 0x03, 0x03 64}; 65static const uint8_t ecdsa_sha512[] = { 66 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 67 0x3d, 0x04, 0x03, 0x04 68}; 69/* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */ 70static const uint8_t rsapss_sha256[] = { 71 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 72 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0, 73 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 74 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 75 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 76 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 77 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 78 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 79 0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01 80}; 81/* RSASSA-PSS SHA-384 */ 82static const uint8_t rsapss_sha384[] = { 83 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 84 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 85 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 86 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 87 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 88 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 89 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 90 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 91 0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01 92}; 93/* RSASSA-PSS SHA-512 */ 94static const uint8_t rsapss_sha512[] = { 95 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 96 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 97 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 98 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 99 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 100 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 101 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 102 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 103 0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01 104}; 105/* RSASSA-PSS SHA-256, no trailer */ 106static const uint8_t rsapss_sha256nt[] = { 107 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 108 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 109 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 110 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 111 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 112 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 113 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 114 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 115 0x02, 0x01, 0x20 116}; 117/* RSASSA-PSS SHA-384, no trailer */ 118static const uint8_t rsapss_sha384nt[] = { 119 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 120 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 121 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 122 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 123 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 124 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 125 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 126 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 127 0x02, 0x01, 0x30 128}; 129/* RSASSA-PSS SHA-512, no trailer */ 130static const uint8_t rsapss_sha512nt[] = { 131 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 132 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 133 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 134 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 135 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 136 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 137 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 138 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 139 0x02, 0x01, 0x40 140}; 141 142#define FLAG_RSA_PSS 0x00001 143int force_rsa_pss = 0; /* XXX move to API */ 144 145static const struct { 146 int sc_keytype; 147 const EVP_MD *(*sc_md)(void); 148 uint8_t sc_len; 149 const uint8_t *sc_oid; 150 uint32_t sc_flags; 151} schemes[] = { 152 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 }, 153 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 }, 154 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 }, 155 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256, 0 }, 156 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384, 0 }, 157 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512, 0 }, 158 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256, 159 FLAG_RSA_PSS }, 160 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384, 161 FLAG_RSA_PSS }, 162 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512, 163 FLAG_RSA_PSS }, 164 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt, 165 FLAG_RSA_PSS }, 166 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt, 167 FLAG_RSA_PSS }, 168 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt, 169 FLAG_RSA_PSS }, 170}; 171 172int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 173int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 174 uint8_t **); 175int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 176int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 177 178struct iked_hash * 179hash_new(uint8_t type, uint16_t id) 180{ 181 struct iked_hash *hash; 182 const EVP_MD *md = NULL; 183 int length = 0, fixedkey = 0, trunc = 0, isaead = 0; 184 185 switch (type) { 186 case IKEV2_XFORMTYPE_PRF: 187 switch (id) { 188 case IKEV2_XFORMPRF_HMAC_MD5: 189 md = EVP_md5(); 190 length = MD5_DIGEST_LENGTH; 191 break; 192 case IKEV2_XFORMPRF_HMAC_SHA1: 193 md = EVP_sha1(); 194 length = SHA_DIGEST_LENGTH; 195 break; 196 case IKEV2_XFORMPRF_HMAC_SHA2_256: 197 md = EVP_sha256(); 198 length = SHA256_DIGEST_LENGTH; 199 break; 200 case IKEV2_XFORMPRF_HMAC_SHA2_384: 201 md = EVP_sha384(); 202 length = SHA384_DIGEST_LENGTH; 203 break; 204 case IKEV2_XFORMPRF_HMAC_SHA2_512: 205 md = EVP_sha512(); 206 length = SHA512_DIGEST_LENGTH; 207 break; 208 case IKEV2_XFORMPRF_AES128_XCBC: 209 fixedkey = 128 / 8; 210 length = fixedkey; 211 /* FALLTHROUGH */ 212 case IKEV2_XFORMPRF_HMAC_TIGER: 213 case IKEV2_XFORMPRF_AES128_CMAC: 214 default: 215 log_debug("%s: prf %s not supported", __func__, 216 print_map(id, ikev2_xformprf_map)); 217 break; 218 } 219 break; 220 case IKEV2_XFORMTYPE_INTEGR: 221 switch (id) { 222 case IKEV2_XFORMAUTH_HMAC_MD5_96: 223 md = EVP_md5(); 224 length = MD5_DIGEST_LENGTH; 225 trunc = 12; 226 break; 227 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 228 md = EVP_sha1(); 229 length = SHA_DIGEST_LENGTH; 230 trunc = 12; 231 break; 232 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 233 md = EVP_sha256(); 234 length = SHA256_DIGEST_LENGTH; 235 trunc = 16; 236 break; 237 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 238 md = EVP_sha384(); 239 length = SHA384_DIGEST_LENGTH; 240 trunc = 24; 241 break; 242 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 243 md = EVP_sha512(); 244 length = SHA512_DIGEST_LENGTH; 245 trunc = 32; 246 break; 247 case IKEV2_XFORMAUTH_AES_GCM_12: 248 length = 12; 249 isaead = 1; 250 break; 251 case IKEV2_XFORMAUTH_AES_GCM_16: 252 length = 16; 253 isaead = 1; 254 break; 255 case IKEV2_XFORMAUTH_NONE: 256 case IKEV2_XFORMAUTH_DES_MAC: 257 case IKEV2_XFORMAUTH_KPDK_MD5: 258 case IKEV2_XFORMAUTH_AES_XCBC_96: 259 case IKEV2_XFORMAUTH_HMAC_MD5_128: 260 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 261 case IKEV2_XFORMAUTH_AES_CMAC_96: 262 case IKEV2_XFORMAUTH_AES_128_GMAC: 263 case IKEV2_XFORMAUTH_AES_192_GMAC: 264 case IKEV2_XFORMAUTH_AES_256_GMAC: 265 default: 266 log_debug("%s: auth %s not supported", __func__, 267 print_map(id, ikev2_xformauth_map)); 268 break; 269 } 270 break; 271 default: 272 log_debug("%s: hash type %s not supported", __func__, 273 print_map(id, ikev2_xformtype_map)); 274 break; 275 } 276 if (!isaead && md == NULL) 277 return (NULL); 278 279 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 280 log_debug("%s: alloc hash", __func__); 281 return (NULL); 282 } 283 284 hash->hash_type = type; 285 hash->hash_id = id; 286 hash->hash_priv = md; 287 hash->hash_ctx = NULL; 288 hash->hash_trunc = trunc; 289 hash->hash_length = length; 290 hash->hash_fixedkey = fixedkey; 291 hash->hash_isaead = isaead; 292 293 if (isaead) 294 return (hash); 295 296 hash->hash_ctx = HMAC_CTX_new(); 297 if (hash->hash_ctx == NULL) { 298 log_debug("%s: alloc hash ctx", __func__); 299 hash_free(hash); 300 return (NULL); 301 } 302 303 return (hash); 304} 305 306struct ibuf * 307hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 308{ 309 ibuf_release(hash->hash_key); 310 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 311 log_debug("%s: alloc hash key", __func__); 312 return (NULL); 313 } 314 return (hash->hash_key); 315} 316 317void 318hash_free(struct iked_hash *hash) 319{ 320 if (hash == NULL) 321 return; 322 if (hash->hash_ctx != NULL) 323 HMAC_CTX_free(hash->hash_ctx); 324 ibuf_release(hash->hash_key); 325 free(hash); 326} 327 328void 329hash_init(struct iked_hash *hash) 330{ 331 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 332 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 333} 334 335void 336hash_update(struct iked_hash *hash, void *buf, size_t len) 337{ 338 HMAC_Update(hash->hash_ctx, buf, len); 339} 340 341void 342hash_final(struct iked_hash *hash, void *buf, size_t *len) 343{ 344 unsigned int length = 0; 345 346 HMAC_Final(hash->hash_ctx, buf, &length); 347 *len = (size_t)length; 348 349 /* Truncate the result if required by the alg */ 350 if (hash->hash_trunc && *len > hash->hash_trunc) 351 *len = hash->hash_trunc; 352} 353 354size_t 355hash_length(struct iked_hash *hash) 356{ 357 if (hash->hash_trunc) 358 return (hash->hash_trunc); 359 return (hash->hash_length); 360} 361 362size_t 363hash_keylength(struct iked_hash *hash) 364{ 365 return (hash->hash_length); 366} 367 368struct iked_cipher * 369cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 370{ 371 struct iked_cipher *encr; 372 const EVP_CIPHER *cipher = NULL; 373 int length = 0, fixedkey = 0, ivlength = 0; 374 int saltlength = 0, authid = 0; 375 376 switch (type) { 377 case IKEV2_XFORMTYPE_ENCR: 378 switch (id) { 379 case IKEV2_XFORMENCR_3DES: 380 cipher = EVP_des_ede3_cbc(); 381 length = EVP_CIPHER_block_size(cipher); 382 fixedkey = EVP_CIPHER_key_length(cipher); 383 ivlength = EVP_CIPHER_iv_length(cipher); 384 break; 385 case IKEV2_XFORMENCR_AES_CBC: 386 switch (id_length) { 387 case 128: 388 cipher = EVP_aes_128_cbc(); 389 break; 390 case 192: 391 cipher = EVP_aes_192_cbc(); 392 break; 393 case 256: 394 cipher = EVP_aes_256_cbc(); 395 break; 396 default: 397 log_debug("%s: invalid key length %d" 398 " for cipher %s", __func__, id_length, 399 print_map(id, ikev2_xformencr_map)); 400 break; 401 } 402 if (cipher == NULL) 403 break; 404 length = EVP_CIPHER_block_size(cipher); 405 ivlength = EVP_CIPHER_iv_length(cipher); 406 fixedkey = EVP_CIPHER_key_length(cipher); 407 break; 408 case IKEV2_XFORMENCR_AES_GCM_16: 409 case IKEV2_XFORMENCR_AES_GCM_12: 410 switch (id_length) { 411 case 128: 412 cipher = EVP_aes_128_gcm(); 413 break; 414 case 256: 415 cipher = EVP_aes_256_gcm(); 416 break; 417 default: 418 log_debug("%s: invalid key length %d" 419 " for cipher %s", __func__, id_length, 420 print_map(id, ikev2_xformencr_map)); 421 break; 422 } 423 if (cipher == NULL) 424 break; 425 switch(id) { 426 case IKEV2_XFORMENCR_AES_GCM_16: 427 authid = IKEV2_XFORMAUTH_AES_GCM_16; 428 break; 429 case IKEV2_XFORMENCR_AES_GCM_12: 430 authid = IKEV2_XFORMAUTH_AES_GCM_12; 431 break; 432 } 433 length = EVP_CIPHER_block_size(cipher); 434 ivlength = 8; 435 saltlength = 4; 436 fixedkey = EVP_CIPHER_key_length(cipher) + saltlength; 437 break; 438 case IKEV2_XFORMENCR_DES_IV64: 439 case IKEV2_XFORMENCR_DES: 440 case IKEV2_XFORMENCR_RC5: 441 case IKEV2_XFORMENCR_IDEA: 442 case IKEV2_XFORMENCR_CAST: 443 case IKEV2_XFORMENCR_BLOWFISH: 444 case IKEV2_XFORMENCR_3IDEA: 445 case IKEV2_XFORMENCR_DES_IV32: 446 case IKEV2_XFORMENCR_NULL: 447 case IKEV2_XFORMENCR_AES_CTR: 448 /* FALLTHROUGH */ 449 default: 450 log_debug("%s: cipher %s not supported", __func__, 451 print_map(id, ikev2_xformencr_map)); 452 cipher = NULL; 453 break; 454 } 455 break; 456 default: 457 log_debug("%s: cipher type %s not supported", __func__, 458 print_map(id, ikev2_xformtype_map)); 459 break; 460 } 461 if (cipher == NULL) 462 return (NULL); 463 464 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 465 log_debug("%s: alloc cipher", __func__); 466 return (NULL); 467 } 468 469 encr->encr_id = id; 470 encr->encr_priv = cipher; 471 encr->encr_ctx = NULL; 472 encr->encr_length = length; 473 encr->encr_fixedkey = fixedkey; 474 encr->encr_ivlength = ivlength ? ivlength : length; 475 encr->encr_saltlength = saltlength; 476 encr->encr_authid = authid; 477 478 encr->encr_ctx = EVP_CIPHER_CTX_new(); 479 if (encr->encr_ctx == NULL) { 480 log_debug("%s: alloc cipher ctx", __func__); 481 cipher_free(encr); 482 return (NULL); 483 } 484 485 return (encr); 486} 487 488struct ibuf * 489cipher_setkey(struct iked_cipher *encr, const void *key, size_t keylen) 490{ 491 ibuf_release(encr->encr_key); 492 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 493 log_debug("%s: alloc cipher key", __func__); 494 return (NULL); 495 } 496 return (encr->encr_key); 497} 498 499struct ibuf * 500cipher_setiv(struct iked_cipher *encr, const void *iv, size_t len) 501{ 502 ibuf_release(encr->encr_iv); 503 encr->encr_iv = NULL; 504 if (iv != NULL) { 505 if (len < encr->encr_ivlength) { 506 log_debug("%s: invalid IV length %zu", __func__, len); 507 return (NULL); 508 } 509 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 510 } else { 511 switch (encr->encr_id) { 512 case IKEV2_XFORMENCR_AES_GCM_16: 513 case IKEV2_XFORMENCR_AES_GCM_12: 514 if (encr->encr_ivlength != sizeof(encr->encr_civ)) { 515 log_info("%s: ivlen does not match %zu != %zu", 516 __func__, encr->encr_ivlength, 517 sizeof(encr->encr_civ)); 518 return (NULL); 519 } 520 encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ)); 521 encr->encr_civ++; 522 break; 523 default: 524 /* Get new random IV */ 525 encr->encr_iv = ibuf_random(encr->encr_ivlength); 526 } 527 } 528 if (encr->encr_iv == NULL) { 529 log_debug("%s: failed to set IV", __func__); 530 return (NULL); 531 } 532 return (encr->encr_iv); 533} 534 535int 536cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len) 537{ 538 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 539 EVP_CTRL_GCM_SET_TAG, len, data) != 1); 540} 541 542int 543cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len) 544{ 545 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 546 EVP_CTRL_GCM_GET_TAG, len, data) != 1); 547} 548 549void 550cipher_free(struct iked_cipher *encr) 551{ 552 if (encr == NULL) 553 return; 554 if (encr->encr_ctx != NULL) { 555 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 556 free(encr->encr_ctx); 557 } 558 ibuf_release(encr->encr_iv); 559 ibuf_release(encr->encr_key); 560 free(encr); 561} 562 563int 564cipher_init(struct iked_cipher *encr, int enc) 565{ 566 struct ibuf *nonce = NULL; 567 int ret = -1; 568 569 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 570 NULL, NULL, enc) != 1) 571 return (-1); 572 if (encr->encr_saltlength > 0) { 573 /* For AEADs the nonce is salt + IV (see RFC5282) */ 574 nonce = ibuf_new(ibuf_data(encr->encr_key) + 575 ibuf_size(encr->encr_key) - encr->encr_saltlength, 576 encr->encr_saltlength); 577 if (nonce == NULL) 578 return (-1); 579 if (ibuf_add(nonce, ibuf_data(encr->encr_iv) , ibuf_size(encr->encr_iv)) != 0) 580 goto done; 581 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 582 ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) 583 goto done; 584 } else 585 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 586 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 587 return (-1); 588 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 589 ret = 0; 590 done: 591 ibuf_free(nonce); 592 return (ret); 593} 594 595int 596cipher_init_encrypt(struct iked_cipher *encr) 597{ 598 return (cipher_init(encr, 1)); 599} 600 601int 602cipher_init_decrypt(struct iked_cipher *encr) 603{ 604 return (cipher_init(encr, 0)); 605} 606 607void 608cipher_aad(struct iked_cipher *encr, const void *in, size_t inlen, 609 size_t *outlen) 610{ 611 int olen = 0; 612 613 if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) { 614 ca_sslerror(__func__); 615 *outlen = 0; 616 return; 617 } 618 *outlen = (size_t)olen; 619} 620 621int 622cipher_update(struct iked_cipher *encr, const void *in, size_t inlen, 623 void *out, size_t *outlen) 624{ 625 int olen; 626 627 olen = 0; 628 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 629 ca_sslerror(__func__); 630 *outlen = 0; 631 return (-1); 632 } 633 *outlen = (size_t)olen; 634 return (0); 635} 636 637int 638cipher_final(struct iked_cipher *encr) 639{ 640 int olen; 641 642 /* 643 * We always have EVP_CIPH_NO_PADDING set. This means arg 644 * out is not used and olen should always be 0. 645 */ 646 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 647 ca_sslerror(__func__); 648 return (-1); 649 } 650 return (0); 651} 652 653size_t 654cipher_length(struct iked_cipher *encr) 655{ 656 return (encr->encr_length); 657} 658 659size_t 660cipher_keylength(struct iked_cipher *encr) 661{ 662 if (encr->encr_fixedkey) 663 return (encr->encr_fixedkey); 664 665 /* Might return zero */ 666 return (ibuf_length(encr->encr_key)); 667} 668 669size_t 670cipher_ivlength(struct iked_cipher *encr) 671{ 672 return (encr->encr_ivlength); 673} 674 675size_t 676cipher_outlength(struct iked_cipher *encr, size_t inlen) 677{ 678 return (roundup(inlen, encr->encr_length)); 679} 680 681struct iked_dsa * 682dsa_new(uint8_t id, struct iked_hash *prf, int sign) 683{ 684 struct iked_dsa *dsap = NULL, dsa; 685 686 bzero(&dsa, sizeof(dsa)); 687 688 switch (id) { 689 case IKEV2_AUTH_SIG: 690 if (sign) 691 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 692 else 693 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 694 break; 695 case IKEV2_AUTH_RSA_SIG: 696 /* RFC5996 says we SHOULD use SHA1 here */ 697 dsa.dsa_priv = EVP_sha1(); 698 break; 699 case IKEV2_AUTH_SHARED_KEY_MIC: 700 if (prf == NULL || prf->hash_priv == NULL) 701 fatalx("dsa_new: invalid PRF"); 702 dsa.dsa_priv = prf->hash_priv; 703 dsa.dsa_hmac = 1; 704 break; 705 case IKEV2_AUTH_DSS_SIG: 706 dsa.dsa_priv = EVP_sha1(); 707 break; 708 case IKEV2_AUTH_ECDSA_256: 709 dsa.dsa_priv = EVP_sha256(); 710 break; 711 case IKEV2_AUTH_ECDSA_384: 712 dsa.dsa_priv = EVP_sha384(); 713 break; 714 case IKEV2_AUTH_ECDSA_521: 715 dsa.dsa_priv = EVP_sha512(); 716 break; 717 default: 718 log_debug("%s: auth method %s not supported", __func__, 719 print_map(id, ikev2_auth_map)); 720 break; 721 } 722 723 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 724 log_debug("%s: alloc dsa ctx", __func__); 725 726 return (NULL); 727 } 728 memcpy(dsap, &dsa, sizeof(*dsap)); 729 730 dsap->dsa_method = id; 731 dsap->dsa_sign = sign; 732 733 if (dsap->dsa_hmac) { 734 if ((dsap->dsa_ctx = HMAC_CTX_new()) == NULL) { 735 log_debug("%s: alloc hash ctx", __func__); 736 dsa_free(dsap); 737 return (NULL); 738 } 739 } else { 740 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 741 log_debug("%s: alloc digest ctx", __func__); 742 dsa_free(dsap); 743 return (NULL); 744 } 745 } 746 747 return (dsap); 748} 749 750struct iked_dsa * 751dsa_sign_new(uint8_t id, struct iked_hash *prf) 752{ 753 return (dsa_new(id, prf, 1)); 754} 755 756struct iked_dsa * 757dsa_verify_new(uint8_t id, struct iked_hash *prf) 758{ 759 return (dsa_new(id, prf, 0)); 760} 761 762void 763dsa_free(struct iked_dsa *dsa) 764{ 765 if (dsa == NULL) 766 return; 767 if (dsa->dsa_hmac) { 768 HMAC_CTX_free((HMAC_CTX *)dsa->dsa_ctx); 769 } else { 770 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 771 if (dsa->dsa_key) 772 EVP_PKEY_free(dsa->dsa_key); 773 } 774 775 ibuf_release(dsa->dsa_keydata); 776 free(dsa); 777} 778 779struct ibuf * 780dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 781{ 782 BIO *rawcert = NULL; 783 X509 *cert = NULL; 784 RSA *rsa = NULL; 785 EC_KEY *ec = NULL; 786 EVP_PKEY *pkey = NULL; 787 788 ibuf_release(dsa->dsa_keydata); 789 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 790 log_debug("%s: alloc signature key", __func__); 791 return (NULL); 792 } 793 794 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 795 goto err; 796 797 switch (type) { 798 case IKEV2_CERT_X509_CERT: 799 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 800 goto sslerr; 801 if ((pkey = X509_get_pubkey(cert)) == NULL) 802 goto sslerr; 803 dsa->dsa_key = pkey; 804 break; 805 case IKEV2_CERT_RSA_KEY: 806 if (dsa->dsa_sign) { 807 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 808 NULL)) == NULL) 809 goto sslerr; 810 } else { 811 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 812 NULL)) == NULL) 813 goto sslerr; 814 } 815 816 if ((pkey = EVP_PKEY_new()) == NULL) 817 goto sslerr; 818 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 819 goto sslerr; 820 821 RSA_free(rsa); /* pkey now has the reference */ 822 dsa->dsa_key = pkey; 823 break; 824 case IKEV2_CERT_ECDSA: 825 if (dsa->dsa_sign) { 826 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 827 goto sslerr; 828 } else { 829 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 830 goto sslerr; 831 } 832 833 if ((pkey = EVP_PKEY_new()) == NULL) 834 goto sslerr; 835 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 836 goto sslerr; 837 838 EC_KEY_free(ec); /* pkey now has the reference */ 839 dsa->dsa_key = pkey; 840 break; 841 default: 842 if (dsa->dsa_hmac) 843 break; 844 log_debug("%s: unsupported key type", __func__); 845 goto err; 846 } 847 848 if (cert != NULL) 849 X509_free(cert); 850 BIO_free(rawcert); /* temporary for parsing */ 851 852 return (dsa->dsa_keydata); 853 854 sslerr: 855 ca_sslerror(__func__); 856 err: 857 log_debug("%s: error", __func__); 858 859 if (rsa != NULL) 860 RSA_free(rsa); 861 if (ec != NULL) 862 EC_KEY_free(ec); 863 if (pkey != NULL) 864 EVP_PKEY_free(pkey); 865 if (cert != NULL) 866 X509_free(cert); 867 if (rawcert != NULL) 868 BIO_free(rawcert); 869 ibuf_release(dsa->dsa_keydata); 870 dsa->dsa_keydata = NULL; 871 return (NULL); 872} 873 874int 875_dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 876{ 877 uint8_t oidlen; 878 size_t i; 879 int keytype; 880 881 if (dsa->dsa_priv != NULL) 882 return (0); 883 /* 884 * For IKEV2_AUTH_SIG the oid of the authentication signature 885 * is encoded in the first bytes of the auth message. 886 */ 887 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 888 log_debug("%s: dsa_priv not set for %s", __func__, 889 print_map(dsa->dsa_method, ikev2_auth_map)); 890 return (-1); 891 } 892 if (dsa->dsa_key == NULL) { 893 log_debug("%s: dsa_key not set for %s", __func__, 894 print_map(dsa->dsa_method, ikev2_auth_map)); 895 return (-1); 896 } 897 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 898 if (sig == NULL) { 899 log_debug("%s: signature missing", __func__); 900 return (-1); 901 } 902 if (len < sizeof(oidlen)) { 903 log_debug("%s: signature (%zu) too small for oid length", 904 __func__, len); 905 return (-1); 906 } 907 memcpy(&oidlen, sig, sizeof(oidlen)); 908 if (len < (size_t)oidlen + sizeof(oidlen)) { 909 log_debug("%s: signature (%zu) too small for oid (%u)", 910 __func__, len, oidlen); 911 return (-1); 912 } 913 for (i = 0; i < nitems(schemes); i++) { 914 if (keytype == schemes[i].sc_keytype && 915 oidlen == schemes[i].sc_len && 916 memcmp(sig + 1, schemes[i].sc_oid, 917 schemes[i].sc_len) == 0) { 918 dsa->dsa_priv = (*schemes[i].sc_md)(); 919 dsa->dsa_flags = schemes[i].sc_flags; 920 log_debug("%s: signature scheme %zd selected", 921 __func__, i); 922 return (0); 923 } 924 } 925 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 926 return (-1); 927} 928 929int 930dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 931{ 932 int ret; 933 EVP_PKEY_CTX *pctx = NULL; 934 935 if (dsa->dsa_hmac) { 936 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 937 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 938 return (-1); 939 return (0); 940 } 941 942 if (dsa->dsa_sign) { 943 if (force_rsa_pss && 944 EVP_PKEY_base_id(dsa->dsa_key) == EVP_PKEY_RSA) 945 dsa->dsa_flags = FLAG_RSA_PSS; 946 ret = EVP_DigestSignInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 947 NULL, dsa->dsa_key); 948 } else { 949 /* sets dsa_priv, dsa_flags */ 950 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 951 return (ret); 952 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 953 NULL, dsa->dsa_key); 954 } 955 if (ret == 1 && dsa->dsa_flags == FLAG_RSA_PSS) { 956 if (EVP_PKEY_CTX_set_rsa_padding(pctx, 957 RSA_PKCS1_PSS_PADDING) <= 0 || 958 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) 959 return (-1); 960 } 961 if (_dsa_sign_encode(dsa, NULL, 0, NULL) < 0) 962 return (-1); 963 964 return (ret == 1 ? 0 : -1); 965} 966 967int 968dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 969{ 970 int ret; 971 972 if (dsa->dsa_hmac) 973 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 974 else if (dsa->dsa_sign) 975 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 976 else 977 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 978 979 return (ret == 1 ? 0 : -1); 980} 981 982/* Prefix signature hash with encoded type */ 983int 984_dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 985{ 986 int keytype; 987 size_t i, need; 988 989 if (offp) 990 *offp = 0; 991 if (dsa->dsa_method != IKEV2_AUTH_SIG) 992 return (0); 993 if (dsa->dsa_key == NULL) 994 return (-1); 995 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 996 for (i = 0; i < nitems(schemes); i++) { 997 /* XXX should avoid calling sc_md() each time... */ 998 if (keytype == schemes[i].sc_keytype && 999 dsa->dsa_flags == schemes[i].sc_flags && 1000 (dsa->dsa_priv == (*schemes[i].sc_md)())) 1001 break; 1002 } 1003 if (i >= nitems(schemes)) 1004 return (-1); 1005 log_debug("%s: signature scheme %zd selected", __func__, i); 1006 need = sizeof(ptr[0]) + schemes[i].sc_len; 1007 if (ptr) { 1008 if (len < need) 1009 return (-1); 1010 ptr[0] = schemes[i].sc_len; 1011 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 1012 schemes[i].sc_len); 1013 } 1014 if (offp) 1015 *offp = need; 1016 return (0); 1017} 1018 1019/* Export size of encoded signature hash type */ 1020size_t 1021dsa_prefix(struct iked_dsa *dsa) 1022{ 1023 size_t off = 0; 1024 1025 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 1026 fatal("dsa_prefix: internal error"); 1027 return off; 1028} 1029 1030size_t 1031dsa_length(struct iked_dsa *dsa) 1032{ 1033 if (dsa->dsa_hmac) 1034 return (EVP_MD_size(dsa->dsa_priv)); 1035 switch (dsa->dsa_method) { 1036 case IKEV2_AUTH_ECDSA_256: 1037 case IKEV2_AUTH_ECDSA_384: 1038 case IKEV2_AUTH_ECDSA_521: 1039 /* size of concat(r|s) */ 1040 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 1041 } 1042 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 1043} 1044 1045int 1046_dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 1047{ 1048 ECDSA_SIG *obj = NULL; 1049 uint8_t *tmp = NULL; 1050 const uint8_t *p; 1051 size_t tmplen; 1052 int ret = -1; 1053 int bnlen, off; 1054 const BIGNUM *r, *s; 1055 1056 if (len % 2) 1057 goto done; /* must be even */ 1058 bnlen = len/2; 1059 /* 1060 * (a) create DER signature into 'tmp' buffer 1061 * (b) convert buffer to ECDSA_SIG object 1062 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 1063 */ 1064 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 1065 goto done; 1066 if ((tmp = calloc(1, tmplen)) == NULL) 1067 goto done; 1068 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 1069 goto done; 1070 p = tmp; 1071 if (d2i_ECDSA_SIG(&obj, &p, tmplen) == NULL) 1072 goto done; 1073 ECDSA_SIG_get0(obj, &r, &s); 1074 if (BN_num_bytes(r) > bnlen || BN_num_bytes(s) > bnlen) 1075 goto done; 1076 memset(ptr, 0, len); 1077 off = bnlen - BN_num_bytes(r); 1078 BN_bn2bin(r, ptr + off); 1079 off = 2 * bnlen - BN_num_bytes(s); 1080 BN_bn2bin(s, ptr + off); 1081 ret = 0; 1082 done: 1083 free(tmp); 1084 if (obj) 1085 ECDSA_SIG_free(obj); 1086 return (ret); 1087} 1088 1089ssize_t 1090dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 1091{ 1092 unsigned int hmaclen; 1093 size_t off = 0; 1094 uint8_t *ptr = buf; 1095 1096 if (len < dsa_length(dsa)) 1097 return (-1); 1098 1099 if (dsa->dsa_hmac) { 1100 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 1101 return (-1); 1102 if (hmaclen > INT_MAX) 1103 return (-1); 1104 return (ssize_t)hmaclen; 1105 } else { 1106 switch (dsa->dsa_method) { 1107 case IKEV2_AUTH_ECDSA_256: 1108 case IKEV2_AUTH_ECDSA_384: 1109 case IKEV2_AUTH_ECDSA_521: 1110 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 1111 return (-1); 1112 return (len); 1113 default: 1114 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 1115 return (-1); 1116 if (off > len) 1117 return (-1); 1118 len -= off; 1119 ptr += off; 1120 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 1121 return (-1); 1122 return (len + off); 1123 } 1124 } 1125 return (-1); 1126} 1127 1128int 1129_dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 1130 uint8_t **freemep) 1131{ 1132 ECDSA_SIG *obj = NULL; 1133 uint8_t *ptr = NULL; 1134 size_t bnlen, len, off; 1135 int ret = -1; 1136 BIGNUM *r = NULL, *s = NULL; 1137 1138 *freemep = NULL; /* don't return garbage in case of an error */ 1139 1140 switch (dsa->dsa_method) { 1141 case IKEV2_AUTH_SIG: 1142 /* 1143 * The first byte of the signature encodes the OID 1144 * prefix length which we need to skip. 1145 */ 1146 off = (*sigp)[0] + 1; 1147 *sigp = *sigp + off; 1148 *lenp = *lenp - off; 1149 *freemep = NULL; 1150 ret = 0; 1151 break; 1152 case IKEV2_AUTH_ECDSA_256: 1153 case IKEV2_AUTH_ECDSA_384: 1154 case IKEV2_AUTH_ECDSA_521: 1155 /* 1156 * sigp points to concatenation r|s, while EVP_VerifyFinal() 1157 * expects the signature as a DER-encoded blob (of the two 1158 * values), so we need to convert the signature in a new 1159 * buffer (we cannot override the given buffer) and the caller 1160 * has to free this buffer ('freeme'). 1161 */ 1162 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 1163 goto done; 1164 bnlen = (*lenp)/2; 1165 /* sigp points to concatenation: r|s */ 1166 if ((obj = ECDSA_SIG_new()) == NULL || 1167 (r = BN_bin2bn(*sigp, bnlen, NULL)) == NULL || 1168 (s = BN_bin2bn(*sigp+bnlen, bnlen, NULL)) == NULL || 1169 ECDSA_SIG_set0(obj, r, s) == 0 || 1170 (len = i2d_ECDSA_SIG(obj, &ptr)) == 0) 1171 goto done; 1172 r = s = NULL; 1173 *lenp = len; 1174 *sigp = ptr; 1175 *freemep = ptr; 1176 ptr = NULL; 1177 ret = 0; 1178 break; 1179 default: 1180 return (0); 1181 } 1182 done: 1183 BN_clear_free(r); 1184 BN_clear_free(s); 1185 free(ptr); 1186 if (obj) 1187 ECDSA_SIG_free(obj); 1188 return (ret); 1189} 1190 1191ssize_t 1192dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 1193{ 1194 uint8_t sig[EVP_MAX_MD_SIZE]; 1195 uint8_t *ptr = buf, *freeme = NULL; 1196 unsigned int siglen = sizeof(sig); 1197 1198 if (dsa->dsa_hmac) { 1199 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 1200 return (-1); 1201 if (siglen != len || memcmp(buf, sig, siglen) != 0) 1202 return (-1); 1203 } else { 1204 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 1205 return (-1); 1206 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 1207 free(freeme); 1208 ca_sslerror(__func__); 1209 return (-1); 1210 } 1211 free(freeme); 1212 } 1213 1214 return (0); 1215} 1216