crypto.c revision 1.38
11573Srgrimes/* $OpenBSD: crypto.c,v 1.38 2021/12/01 16:42:12 deraadt Exp $ */ 21573Srgrimes 31573Srgrimes/* 41573Srgrimes * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 51573Srgrimes * 61573Srgrimes * Permission to use, copy, modify, and distribute this software for any 71573Srgrimes * purpose with or without fee is hereby granted, provided that the above 81573Srgrimes * copyright notice and this permission notice appear in all copies. 91573Srgrimes * 101573Srgrimes * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 111573Srgrimes * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 121573Srgrimes * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 131573Srgrimes * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 141573Srgrimes * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 151573Srgrimes * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 161573Srgrimes * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 171573Srgrimes */ 181573Srgrimes 191573Srgrimes#include <sys/types.h> 201573Srgrimes#include <sys/queue.h> 211573Srgrimes#include <sys/socket.h> 221573Srgrimes#include <sys/uio.h> 231573Srgrimes 241573Srgrimes#include <stdio.h> 251573Srgrimes#include <stdlib.h> 261573Srgrimes#include <unistd.h> 271573Srgrimes#include <string.h> 281573Srgrimes#include <errno.h> 291573Srgrimes#include <fcntl.h> 301573Srgrimes#include <event.h> 311573Srgrimes 321573Srgrimes#include <openssl/ecdsa.h> 331573Srgrimes#include <openssl/hmac.h> 341573Srgrimes#include <openssl/evp.h> 351573Srgrimes#include <openssl/sha.h> 3692986Sobrien#include <openssl/md5.h> 3792986Sobrien#include <openssl/x509.h> 381573Srgrimes#include <openssl/rsa.h> 391573Srgrimes 40180104Sdas#include "iked.h" 41180104Sdas#include "ikev2.h" 421573Srgrimes 431573Srgrimes/* RFC 7427, A.1 RSA */ 4471579Sdeischenstatic const uint8_t sha256WithRSA[] = { 451573Srgrimes 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 461573Srgrimes 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 47180106Sdas}; 4887113Sfennerstatic const uint8_t sha384WithRSA[] = { 4987113Sfenner 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 501573Srgrimes 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 511573Srgrimes}; 521573Srgrimesstatic const uint8_t sha512WithRSA[] = { 53103633Stjr 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 541573Srgrimes 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 5571579Sdeischen}; 56180104Sdas/* RFC 7427, A.3 ECDSA */ 571573Srgrimesstatic const uint8_t ecdsa_sha256[] = { 5887113Sfenner 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 5987113Sfenner 0x3d, 0x04, 0x03, 0x02 6087113Sfenner}; 6187113Sfennerstatic const uint8_t ecdsa_sha384[] = { 6287113Sfenner 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 6387113Sfenner 0x3d, 0x04, 0x03, 0x03 64189268Sdas}; 6587113Sfennerstatic const uint8_t ecdsa_sha512[] = { 66103633Stjr 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 6787113Sfenner 0x3d, 0x04, 0x03, 0x04 6887113Sfenner}; 69180102Sdas/* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */ 70180102Sdasstatic const uint8_t rsapss_sha256[] = { 71180102Sdas 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 72180102Sdas 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0, 73180102Sdas 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 74180102Sdas 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 75180102Sdas 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 76180102Sdas 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 77180102Sdas 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 78180106Sdas 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 79180105Sdas 0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01 8016586Sjraynard}; 811573Srgrimes/* RSASSA-PSS SHA-384 */ 82180104Sdasstatic const uint8_t rsapss_sha384[] = { 831573Srgrimes 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 84180104Sdas 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 85180104Sdas 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 861573Srgrimes 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 87180104Sdas 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 881573Srgrimes 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 89180104Sdas 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 90180104Sdas 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 91180104Sdas 0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01 92180104Sdas}; 93180104Sdas/* RSASSA-PSS SHA-512 */ 94180104Sdasstatic const uint8_t rsapss_sha512[] = { 951573Srgrimes 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 961573Srgrimes 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 971573Srgrimes 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 98180104Sdas 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 99180104Sdas 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 100180104Sdas 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 101180104Sdas 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 1021573Srgrimes 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 1031573Srgrimes 0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01 104180104Sdas}; 105180104Sdas/* RSASSA-PSS SHA-256, no trailer */ 1061573Srgrimesstatic const uint8_t rsapss_sha256nt[] = { 1071573Srgrimes 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 1081573Srgrimes 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 109180106Sdas 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 110180106Sdas 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 111180106Sdas 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 112180106Sdas 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 113180106Sdas 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 114180106Sdas 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 115180106Sdas 0x02, 0x01, 0x20 116180106Sdas}; 117180106Sdas/* RSASSA-PSS SHA-384, no trailer */ 118180106Sdasstatic const uint8_t rsapss_sha384nt[] = { 119180106Sdas 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 120180106Sdas 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 121180106Sdas 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 122180106Sdas 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 123180106Sdas 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 124180106Sdas 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 125180106Sdas 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 126180104Sdas 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 127180106Sdas 0x02, 0x01, 0x30 1281573Srgrimes}; 129180106Sdas/* RSASSA-PSS SHA-512, no trailer */ 130180104Sdasstatic const uint8_t rsapss_sha512nt[] = { 1311573Srgrimes 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 1321573Srgrimes 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 133180107Sdas 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 134180107Sdas 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 135180104Sdas 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 136180106Sdas 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 137180104Sdas 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 1381573Srgrimes 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 139180106Sdas 0x02, 0x01, 0x40 140180104Sdas}; 141180104Sdas 1421573Srgrimes#define FLAG_RSA_PSS 0x00001 143180106Sdasint force_rsa_pss = 0; /* XXX move to API */ 144180106Sdas 145180104Sdasstatic const struct { 146180106Sdas int sc_keytype; 147180104Sdas const EVP_MD *(*sc_md)(void); 148189131Sdas uint8_t sc_len; 149180104Sdas const uint8_t *sc_oid; 150180106Sdas uint32_t sc_flags; 151180104Sdas} schemes[] = { 152180106Sdas { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 }, 153180104Sdas { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 }, 154180106Sdas { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 }, 155180104Sdas { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256, 0 }, 156180106Sdas { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384, 0 }, 157180106Sdas { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512, 0 }, 1581573Srgrimes { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256, 1591573Srgrimes FLAG_RSA_PSS }, 160180106Sdas { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384, 161180104Sdas FLAG_RSA_PSS }, 1621573Srgrimes { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512, 1631573Srgrimes FLAG_RSA_PSS }, 164180106Sdas { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt, 165180106Sdas FLAG_RSA_PSS }, 166180104Sdas { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt, 167180106Sdas FLAG_RSA_PSS }, 168180104Sdas { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt, 169180106Sdas FLAG_RSA_PSS }, 170180104Sdas}; 171189131Sdas 172180104Sdasint _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 173180106Sdasint _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 174180104Sdas uint8_t **); 175180106Sdasint _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 176180104Sdasint _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 177180106Sdas 178180106Sdasstruct iked_hash * 1791573Srgrimeshash_new(uint8_t type, uint16_t id) 1801573Srgrimes{ 18171579Sdeischen struct iked_hash *hash; 182180104Sdas const EVP_MD *md = NULL; 183103633Stjr int length = 0, fixedkey = 0, trunc = 0, isaead = 0; 184180106Sdas 185180104Sdas switch (type) { 186103633Stjr case IKEV2_XFORMTYPE_PRF: 187180104Sdas switch (id) { 188180104Sdas case IKEV2_XFORMPRF_HMAC_MD5: 189103633Stjr md = EVP_md5(); 190180104Sdas length = MD5_DIGEST_LENGTH; 191180104Sdas break; 192180104Sdas case IKEV2_XFORMPRF_HMAC_SHA1: 193180104Sdas md = EVP_sha1(); 194180104Sdas length = SHA_DIGEST_LENGTH; 195180104Sdas break; 196180104Sdas case IKEV2_XFORMPRF_HMAC_SHA2_256: 197180104Sdas md = EVP_sha256(); 198180104Sdas length = SHA256_DIGEST_LENGTH; 199180107Sdas break; 200180107Sdas case IKEV2_XFORMPRF_HMAC_SHA2_384: 201180104Sdas md = EVP_sha384(); 202180104Sdas length = SHA384_DIGEST_LENGTH; 203148363Stjr break; 204180107Sdas case IKEV2_XFORMPRF_HMAC_SHA2_512: 205180107Sdas md = EVP_sha512(); 206103633Stjr length = SHA512_DIGEST_LENGTH; 207180106Sdas break; 208103633Stjr case IKEV2_XFORMPRF_AES128_XCBC: 209103633Stjr fixedkey = 128 / 8; 210180106Sdas length = fixedkey; 211180104Sdas /* FALLTHROUGH */ 21271579Sdeischen case IKEV2_XFORMPRF_HMAC_TIGER: 213180104Sdas case IKEV2_XFORMPRF_AES128_CMAC: 214180104Sdas default: 21571579Sdeischen log_debug("%s: prf %s not supported", __func__, 216180104Sdas print_map(id, ikev2_xformprf_map)); 217180104Sdas break; 218180104Sdas } 219180104Sdas break; 220180104Sdas case IKEV2_XFORMTYPE_INTEGR: 221180104Sdas switch (id) { 222180104Sdas case IKEV2_XFORMAUTH_HMAC_MD5_96: 223180104Sdas md = EVP_md5(); 224180104Sdas length = MD5_DIGEST_LENGTH; 225180107Sdas trunc = 12; 226180107Sdas break; 227180104Sdas case IKEV2_XFORMAUTH_HMAC_SHA1_96: 228180104Sdas md = EVP_sha1(); 229180104Sdas length = SHA_DIGEST_LENGTH; 230180107Sdas trunc = 12; 231180107Sdas break; 232180104Sdas case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 233180106Sdas md = EVP_sha256(); 23471579Sdeischen length = SHA256_DIGEST_LENGTH; 23571579Sdeischen trunc = 16; 236113142Sdas break; 237180104Sdas case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 238180104Sdas md = EVP_sha384(); 239180104Sdas length = SHA384_DIGEST_LENGTH; 240180104Sdas trunc = 24; 241180106Sdas break; 242180104Sdas case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 243180106Sdas md = EVP_sha512(); 244180104Sdas length = SHA512_DIGEST_LENGTH; 2451573Srgrimes trunc = 32; 24671579Sdeischen break; 24771579Sdeischen case IKEV2_XFORMAUTH_AES_GCM_12: 248180104Sdas length = 12; 249180106Sdas isaead = 1; 25071579Sdeischen break; 2511573Srgrimes case IKEV2_XFORMAUTH_AES_GCM_16: 252180104Sdas length = 16; 253153486Sphk isaead = 1; 2541573Srgrimes break; 255180104Sdas case IKEV2_XFORMAUTH_NONE: 256180106Sdas case IKEV2_XFORMAUTH_DES_MAC: 2571573Srgrimes case IKEV2_XFORMAUTH_KPDK_MD5: 2581573Srgrimes case IKEV2_XFORMAUTH_AES_XCBC_96: 2591573Srgrimes case IKEV2_XFORMAUTH_HMAC_MD5_128: 2601573Srgrimes case IKEV2_XFORMAUTH_HMAC_SHA1_160: 2611573Srgrimes case IKEV2_XFORMAUTH_AES_CMAC_96: 262180104Sdas case IKEV2_XFORMAUTH_AES_128_GMAC: 263180104Sdas case IKEV2_XFORMAUTH_AES_192_GMAC: 2641573Srgrimes case IKEV2_XFORMAUTH_AES_256_GMAC: 2651573Srgrimes default: 2661573Srgrimes log_debug("%s: auth %s not supported", __func__, 2671573Srgrimes print_map(id, ikev2_xformauth_map)); 2681573Srgrimes break; 2691573Srgrimes } 2701573Srgrimes break; 2711573Srgrimes default: 2721573Srgrimes log_debug("%s: hash type %s not supported", __func__, 2731573Srgrimes print_map(id, ikev2_xformtype_map)); 2741573Srgrimes break; 2751573Srgrimes } 2761573Srgrimes if (!isaead && md == NULL) 277180106Sdas return (NULL); 278180106Sdas 279180104Sdas if ((hash = calloc(1, sizeof(*hash))) == NULL) { 2801573Srgrimes log_debug("%s: alloc hash", __func__); 2811573Srgrimes return (NULL); 28287113Sfenner } 28387113Sfenner 2841573Srgrimes hash->hash_type = type; 2851573Srgrimes hash->hash_id = id; 286180106Sdas hash->hash_priv = md; 287180106Sdas hash->hash_ctx = NULL; 2881573Srgrimes hash->hash_trunc = trunc; 2891573Srgrimes hash->hash_length = length; 2901573Srgrimes hash->hash_fixedkey = fixedkey; 2911573Srgrimes hash->hash_isaead = isaead; 2921573Srgrimes 2931573Srgrimes if (isaead) 2941573Srgrimes return (hash); 2951573Srgrimes 2961573Srgrimes hash->hash_ctx = HMAC_CTX_new(); 2971573Srgrimes if (hash->hash_ctx == NULL) { 2981573Srgrimes log_debug("%s: alloc hash ctx", __func__); 2991573Srgrimes hash_free(hash); 3001573Srgrimes return (NULL); 3011573Srgrimes } 3021573Srgrimes 30321674Sjkh return (hash); 304180104Sdas} 30521674Sjkh 306103399Stjrstruct ibuf * 3071573Srgrimeshash_setkey(struct iked_hash *hash, void *key, size_t keylen) 3081573Srgrimes{ 309128819Sdas ibuf_release(hash->hash_key); 3101573Srgrimes if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 3111573Srgrimes log_debug("%s: alloc hash key", __func__); 3121573Srgrimes return (NULL); 3131573Srgrimes } 3141573Srgrimes return (hash->hash_key); 31587113Sfenner} 31687113Sfenner 31787113Sfennervoid 31887113Sfennerhash_free(struct iked_hash *hash) 31987113Sfenner{ 3201573Srgrimes if (hash == NULL) 32187113Sfenner return; 32287113Sfenner if (hash->hash_ctx != NULL) 32387113Sfenner HMAC_CTX_free(hash->hash_ctx); 3241573Srgrimes ibuf_release(hash->hash_key); 32587113Sfenner free(hash); 32687113Sfenner} 32787113Sfenner 32887113Sfennervoid 32944674Sdfrhash_init(struct iked_hash *hash) 3301573Srgrimes{ 3311573Srgrimes HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 33287113Sfenner ibuf_length(hash->hash_key), hash->hash_priv, NULL); 3331573Srgrimes} 33487113Sfenner 33587113Sfennervoid 33687113Sfennerhash_update(struct iked_hash *hash, void *buf, size_t len) 33787113Sfenner{ 33887113Sfenner HMAC_Update(hash->hash_ctx, buf, len); 33987113Sfenner} 340105204Stjr 341105204Stjrvoid 342105204Stjrhash_final(struct iked_hash *hash, void *buf, size_t *len) 3431573Srgrimes{ 344180106Sdas unsigned int length = 0; 345180106Sdas 346180106Sdas HMAC_Final(hash->hash_ctx, buf, &length); 347180106Sdas *len = (size_t)length; 3481573Srgrimes 3491573Srgrimes /* Truncate the result if required by the alg */ 3501573Srgrimes if (hash->hash_trunc && *len > hash->hash_trunc) 3511573Srgrimes *len = hash->hash_trunc; 3521573Srgrimes} 3531573Srgrimes 354180106Sdassize_t 355180106Sdashash_length(struct iked_hash *hash) 356180104Sdas{ 357128819Sdas if (hash->hash_trunc) 35887113Sfenner return (hash->hash_trunc); 35987113Sfenner return (hash->hash_length); 3607033Sbde} 3611573Srgrimes 3627033Sbdesize_t 3631573Srgrimeshash_keylength(struct iked_hash *hash) 3641573Srgrimes{ 365180106Sdas return (hash->hash_length); 366180106Sdas} 367180106Sdas 368180106Sdasstruct iked_cipher * 3691573Srgrimescipher_new(uint8_t type, uint16_t id, uint16_t id_length) 370128819Sdas{ 3711573Srgrimes struct iked_cipher *encr; 372180104Sdas const EVP_CIPHER *cipher = NULL; 373180106Sdas int length = 0, fixedkey = 0, ivlength = 0; 374180104Sdas int saltlength = 0, authid = 0; 375180106Sdas 37687113Sfenner switch (type) { 377189268Sdas case IKEV2_XFORMTYPE_ENCR: 378180104Sdas switch (id) { 379180106Sdas case IKEV2_XFORMENCR_3DES: 3801573Srgrimes cipher = EVP_des_ede3_cbc(); 381180106Sdas length = EVP_CIPHER_block_size(cipher); 3821573Srgrimes fixedkey = EVP_CIPHER_key_length(cipher); 383180106Sdas ivlength = EVP_CIPHER_iv_length(cipher); 38487113Sfenner break; 385180106Sdas case IKEV2_XFORMENCR_AES_CBC: 3861573Srgrimes switch (id_length) { 387180106Sdas case 128: 388180106Sdas cipher = EVP_aes_128_cbc(); 389180106Sdas break; 3901573Srgrimes case 192: 3911573Srgrimes cipher = EVP_aes_192_cbc(); 3921573Srgrimes break; 3931573Srgrimes case 256: 3941573Srgrimes cipher = EVP_aes_256_cbc(); 395180106Sdas break; 396180106Sdas default: 397180104Sdas log_debug("%s: invalid key length %d" 3981573Srgrimes " for cipher %s", __func__, id_length, 399180106Sdas print_map(id, ikev2_xformencr_map)); 400180106Sdas break; 401180104Sdas } 402105204Stjr if (cipher == NULL) 403105204Stjr break; 404105204Stjr length = EVP_CIPHER_block_size(cipher); 4051573Srgrimes ivlength = EVP_CIPHER_iv_length(cipher); 406180106Sdas fixedkey = EVP_CIPHER_key_length(cipher); 407180106Sdas break; 408180106Sdas case IKEV2_XFORMENCR_AES_GCM_16: 409180106Sdas case IKEV2_XFORMENCR_AES_GCM_12: 4101573Srgrimes switch (id_length) { 4111573Srgrimes case 128: 4121573Srgrimes cipher = EVP_aes_128_gcm(); 4131573Srgrimes break; 4141573Srgrimes case 256: 4151573Srgrimes cipher = EVP_aes_256_gcm(); 4161573Srgrimes break; 417180106Sdas default: 418180106Sdas log_debug("%s: invalid key length %d" 4191573Srgrimes " for cipher %s", __func__, id_length, 4201573Srgrimes print_map(id, ikev2_xformencr_map)); 4211573Srgrimes break; 4221573Srgrimes } 4231573Srgrimes if (cipher == NULL) 4241573Srgrimes break; 425180104Sdas switch(id) { 426180104Sdas case IKEV2_XFORMENCR_AES_GCM_16: 427180105Sdas authid = IKEV2_XFORMAUTH_AES_GCM_16; 428180106Sdas break; 429180104Sdas case IKEV2_XFORMENCR_AES_GCM_12: 430180106Sdas authid = IKEV2_XFORMAUTH_AES_GCM_12; 431180102Sdas break; 432180102Sdas } 433180104Sdas length = EVP_CIPHER_block_size(cipher); 434180106Sdas ivlength = 8; 435180104Sdas saltlength = 4; 436180102Sdas fixedkey = EVP_CIPHER_key_length(cipher) + saltlength; 437180104Sdas break; 438180104Sdas case IKEV2_XFORMENCR_DES_IV64: 439180102Sdas case IKEV2_XFORMENCR_DES: 440180106Sdas case IKEV2_XFORMENCR_RC5: 44171579Sdeischen case IKEV2_XFORMENCR_IDEA: 44221674Sjkh case IKEV2_XFORMENCR_CAST: 443180102Sdas case IKEV2_XFORMENCR_BLOWFISH: 44421674Sjkh case IKEV2_XFORMENCR_3IDEA: 445180104Sdas case IKEV2_XFORMENCR_DES_IV32: 446180102Sdas case IKEV2_XFORMENCR_NULL: 447180106Sdas case IKEV2_XFORMENCR_AES_CTR: 44821674Sjkh /* FALLTHROUGH */ 44921674Sjkh default: 45021674Sjkh log_debug("%s: cipher %s not supported", __func__, 45121674Sjkh print_map(id, ikev2_xformencr_map)); 45221674Sjkh cipher = NULL; 453180102Sdas break; 454180102Sdas } 45521674Sjkh break; 45621674Sjkh default: 45721674Sjkh log_debug("%s: cipher type %s not supported", __func__, 45821674Sjkh print_map(id, ikev2_xformtype_map)); 45921674Sjkh break; 46021674Sjkh } 46121674Sjkh if (cipher == NULL) 46221674Sjkh return (NULL); 46321674Sjkh 46421674Sjkh if ((encr = calloc(1, sizeof(*encr))) == NULL) { 46521674Sjkh log_debug("%s: alloc cipher", __func__); 46621674Sjkh return (NULL); 46721674Sjkh } 468180106Sdas 469180106Sdas encr->encr_id = id; 47021674Sjkh encr->encr_priv = cipher; 47121674Sjkh encr->encr_ctx = NULL; 47221674Sjkh encr->encr_length = length; 47387113Sfenner encr->encr_fixedkey = fixedkey; 47421674Sjkh encr->encr_ivlength = ivlength ? ivlength : length; 47521674Sjkh encr->encr_saltlength = saltlength; 47621674Sjkh encr->encr_authid = authid; 477180106Sdas 478180106Sdas encr->encr_ctx = EVP_CIPHER_CTX_new(); 47921674Sjkh if (encr->encr_ctx == NULL) { 48021674Sjkh log_debug("%s: alloc cipher ctx", __func__); 48121674Sjkh cipher_free(encr); 48221674Sjkh return (NULL); 48321674Sjkh } 48421674Sjkh 48521674Sjkh return (encr); 48621674Sjkh} 48721674Sjkh 48821674Sjkhstruct ibuf * 48921674Sjkhcipher_setkey(struct iked_cipher *encr, const void *key, size_t keylen) 49021674Sjkh{ 49121674Sjkh ibuf_release(encr->encr_key); 49221674Sjkh if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 49321674Sjkh log_debug("%s: alloc cipher key", __func__); 49421674Sjkh return (NULL); 495180102Sdas } 49621674Sjkh return (encr->encr_key); 49721674Sjkh} 49821674Sjkh 49921674Sjkhstruct ibuf * 500128819Sdascipher_setiv(struct iked_cipher *encr, const void *iv, size_t len) 50121674Sjkh{ 50221674Sjkh ibuf_release(encr->encr_iv); 50321674Sjkh encr->encr_iv = NULL; 50421674Sjkh if (iv != NULL) { 50521674Sjkh if (len < encr->encr_ivlength) { 50687113Sfenner log_debug("%s: invalid IV length %zu", __func__, len); 50787113Sfenner return (NULL); 50887113Sfenner } 50987113Sfenner encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 51087113Sfenner } else { 51121674Sjkh switch (encr->encr_id) { 51287113Sfenner case IKEV2_XFORMENCR_AES_GCM_16: 51387113Sfenner case IKEV2_XFORMENCR_AES_GCM_12: 51487113Sfenner if (encr->encr_ivlength != sizeof(encr->encr_civ)) { 51521674Sjkh log_info("%s: ivlen does not match %zu != %zu", 51687113Sfenner __func__, encr->encr_ivlength, 51787113Sfenner sizeof(encr->encr_civ)); 51887113Sfenner return (NULL); 51987113Sfenner } 52044674Sdfr encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ)); 52121674Sjkh encr->encr_civ++; 52221674Sjkh break; 52387113Sfenner default: 52421674Sjkh /* Get new random IV */ 52587113Sfenner encr->encr_iv = ibuf_random(encr->encr_ivlength); 52687113Sfenner } 52787113Sfenner } 52887113Sfenner if (encr->encr_iv == NULL) { 52987113Sfenner log_debug("%s: failed to set IV", __func__); 53087113Sfenner return (NULL); 531105204Stjr } 532105204Stjr return (encr->encr_iv); 533105204Stjr} 53421674Sjkh 535180106Sdasint 536180106Sdascipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len) 537180106Sdas{ 538180106Sdas return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 53921674Sjkh EVP_CTRL_GCM_SET_TAG, len, data) != 1); 54021674Sjkh} 54121674Sjkh 54221674Sjkhint 54321674Sjkhcipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len) 54421674Sjkh{ 545180106Sdas return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 546180106Sdas EVP_CTRL_GCM_GET_TAG, len, data) != 1); 54721674Sjkh} 548128819Sdas 54987113Sfennervoid 55087113Sfennercipher_free(struct iked_cipher *encr) 55121674Sjkh{ 55221674Sjkh if (encr == NULL) 55321674Sjkh return; 55421674Sjkh EVP_CIPHER_CTX_free(encr->encr_ctx); 55521674Sjkh ibuf_release(encr->encr_iv); 556180106Sdas ibuf_release(encr->encr_key); 557180106Sdas free(encr); 558180106Sdas} 559180106Sdas 56021674Sjkhint 561128819Sdascipher_init(struct iked_cipher *encr, int enc) 56221674Sjkh{ 56387113Sfenner struct ibuf *nonce = NULL; 564180106Sdas int ret = -1; 56587113Sfenner 566180106Sdas if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 56787113Sfenner NULL, NULL, enc) != 1) 568189268Sdas return (-1); 56987113Sfenner if (encr->encr_saltlength > 0) { 570180106Sdas /* For AEADs the nonce is salt + IV (see RFC5282) */ 57121674Sjkh nonce = ibuf_new(ibuf_data(encr->encr_key) + 572180106Sdas ibuf_size(encr->encr_key) - encr->encr_saltlength, 57321674Sjkh encr->encr_saltlength); 574180106Sdas if (nonce == NULL) 57587113Sfenner return (-1); 576180106Sdas if (ibuf_add(nonce, ibuf_data(encr->encr_iv) , ibuf_size(encr->encr_iv)) != 0) 57721674Sjkh goto done; 578180106Sdas if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 579180107Sdas ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) 580180107Sdas goto done; 58121674Sjkh } else 58221674Sjkh if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 58321674Sjkh ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 58421674Sjkh return (-1); 58521674Sjkh EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 586180106Sdas ret = 0; 587180106Sdas done: 58821674Sjkh ibuf_free(nonce); 58921674Sjkh return (ret); 590180106Sdas} 591180106Sdas 59221674Sjkhint 593105204Stjrcipher_init_encrypt(struct iked_cipher *encr) 594105204Stjr{ 595105204Stjr return (cipher_init(encr, 1)); 59621674Sjkh} 597180106Sdas 598180106Sdasint 599180106Sdascipher_init_decrypt(struct iked_cipher *encr) 600180106Sdas{ 60121674Sjkh return (cipher_init(encr, 0)); 60221674Sjkh} 60321674Sjkh 60421674Sjkhvoid 60521674Sjkhcipher_aad(struct iked_cipher *encr, const void *in, size_t inlen, 60621674Sjkh size_t *outlen) 60721674Sjkh{ 608180106Sdas int olen = 0; 609180106Sdas 61021674Sjkh if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) { 61121674Sjkh ca_sslerror(__func__); 61221674Sjkh *outlen = 0; 61321674Sjkh return; 61421674Sjkh } 61521674Sjkh *outlen = (size_t)olen; 61621674Sjkh} 61721674Sjkh 618180105Sdasint 619180106Sdascipher_update(struct iked_cipher *encr, const void *in, size_t inlen, 620180105Sdas void *out, size_t *outlen) 621180106Sdas{ 622180105Sdas int olen; 623180105Sdas 624180105Sdas olen = 0; 625180106Sdas if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 626180105Sdas ca_sslerror(__func__); 627180106Sdas *outlen = 0; 628180105Sdas return (-1); 629180105Sdas } 630180105Sdas *outlen = (size_t)olen; 631180105Sdas return (0); 632180105Sdas} 633180105Sdas 634180105Sdasint 635180105Sdascipher_final(struct iked_cipher *encr) 636180105Sdas{ 637180105Sdas int olen; 638180105Sdas 639180106Sdas /* 640180105Sdas * We always have EVP_CIPH_NO_PADDING set. This means arg 641180105Sdas * out is not used and olen should always be 0. 642180106Sdas */ 643180105Sdas if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 644180106Sdas ca_sslerror(__func__); 645180105Sdas return (-1); 646180105Sdas } 647180105Sdas return (0); 648180105Sdas} 649180105Sdas 650180105Sdassize_t 651180106Sdascipher_length(struct iked_cipher *encr) 652180106Sdas{ 653180105Sdas return (encr->encr_length); 654180105Sdas} 655180105Sdas 656180105Sdassize_t 657180106Sdascipher_keylength(struct iked_cipher *encr) 658180105Sdas{ 659180105Sdas if (encr->encr_fixedkey) 660180105Sdas return (encr->encr_fixedkey); 661180105Sdas 662180105Sdas /* Might return zero */ 663180105Sdas return (ibuf_length(encr->encr_key)); 664180105Sdas} 66584922Sdfr 666180105Sdassize_t 667180106Sdascipher_ivlength(struct iked_cipher *encr) 668180106Sdas{ 66921674Sjkh return (encr->encr_ivlength); 6701573Srgrimes} 67184922Sdfr 672180105Sdassize_t 673180105Sdascipher_outlength(struct iked_cipher *encr, size_t inlen) 67487113Sfenner{ 67584922Sdfr return (roundup(inlen, encr->encr_length)); 67621674Sjkh} 67787113Sfenner 67887113Sfennerstruct iked_dsa * 67921674Sjkhdsa_new(uint8_t id, struct iked_hash *prf, int sign) 68021674Sjkh{ 68184922Sdfr struct iked_dsa *dsap = NULL, dsa; 68221674Sjkh 68321674Sjkh bzero(&dsa, sizeof(dsa)); 68484922Sdfr 68521674Sjkh switch (id) { 68621674Sjkh case IKEV2_AUTH_SIG: 68784922Sdfr if (sign) 68821674Sjkh dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 68921674Sjkh else 69084922Sdfr dsa.dsa_priv = NULL; /* set later by dsa_init() */ 69121674Sjkh break; 69221674Sjkh case IKEV2_AUTH_RSA_SIG: 69384922Sdfr /* RFC5996 says we SHOULD use SHA1 here */ 69421674Sjkh dsa.dsa_priv = EVP_sha1(); 69521674Sjkh break; 69684922Sdfr case IKEV2_AUTH_SHARED_KEY_MIC: 69721674Sjkh if (prf == NULL || prf->hash_priv == NULL) 69821674Sjkh fatalx("dsa_new: invalid PRF"); 69984922Sdfr dsa.dsa_priv = prf->hash_priv; 70021674Sjkh dsa.dsa_hmac = 1; 70187113Sfenner break; 70287113Sfenner case IKEV2_AUTH_DSS_SIG: 70321674Sjkh dsa.dsa_priv = EVP_sha1(); 70487113Sfenner break; 70587113Sfenner case IKEV2_AUTH_ECDSA_256: 70621674Sjkh dsa.dsa_priv = EVP_sha256(); 70787113Sfenner break; 70887113Sfenner case IKEV2_AUTH_ECDSA_384: 70921674Sjkh dsa.dsa_priv = EVP_sha384(); 71087113Sfenner break; 71187113Sfenner case IKEV2_AUTH_ECDSA_521: 71287113Sfenner dsa.dsa_priv = EVP_sha512(); 71387113Sfenner break; 71487113Sfenner default: 71587113Sfenner log_debug("%s: auth method %s not supported", __func__, 71687113Sfenner print_map(id, ikev2_auth_map)); 71787113Sfenner break; 71887113Sfenner } 719189131Sdas 720189131Sdas if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 721189131Sdas log_debug("%s: alloc dsa ctx", __func__); 722189268Sdas 723189268Sdas return (NULL); 72487113Sfenner } 72587113Sfenner memcpy(dsap, &dsa, sizeof(*dsap)); 72687113Sfenner 72787113Sfenner dsap->dsa_method = id; 72887113Sfenner dsap->dsa_sign = sign; 72987113Sfenner 73087113Sfenner if (dsap->dsa_hmac) { 73187113Sfenner if ((dsap->dsa_ctx = HMAC_CTX_new()) == NULL) { 73287113Sfenner log_debug("%s: alloc hash ctx", __func__); 73387113Sfenner dsa_free(dsap); 734157381Sphk return (NULL); 735128819Sdas } 73684922Sdfr } else { 737157381Sphk if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 73821674Sjkh log_debug("%s: alloc digest ctx", __func__); 73921674Sjkh dsa_free(dsap); 740157381Sphk return (NULL); 74184922Sdfr } 742157381Sphk } 74321674Sjkh 74421674Sjkh return (dsap); 74584922Sdfr} 74621674Sjkh 74721674Sjkhstruct iked_dsa * 74884922Sdfrdsa_sign_new(uint8_t id, struct iked_hash *prf) 74921674Sjkh{ 750103633Stjr return (dsa_new(id, prf, 1)); 751103633Stjr} 752103633Stjr 753103633Stjrstruct iked_dsa * 754103633Stjrdsa_verify_new(uint8_t id, struct iked_hash *prf) 755103633Stjr{ 75621674Sjkh return (dsa_new(id, prf, 0)); 75721674Sjkh} 75821674Sjkh 759void 760dsa_free(struct iked_dsa *dsa) 761{ 762 if (dsa == NULL) 763 return; 764 if (dsa->dsa_hmac) { 765 HMAC_CTX_free((HMAC_CTX *)dsa->dsa_ctx); 766 } else { 767 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 768 if (dsa->dsa_key) 769 EVP_PKEY_free(dsa->dsa_key); 770 } 771 772 ibuf_release(dsa->dsa_keydata); 773 free(dsa); 774} 775 776struct ibuf * 777dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 778{ 779 BIO *rawcert = NULL; 780 X509 *cert = NULL; 781 RSA *rsa = NULL; 782 EC_KEY *ec = NULL; 783 EVP_PKEY *pkey = NULL; 784 785 ibuf_release(dsa->dsa_keydata); 786 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 787 log_debug("%s: alloc signature key", __func__); 788 return (NULL); 789 } 790 791 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 792 goto err; 793 794 switch (type) { 795 case IKEV2_CERT_X509_CERT: 796 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 797 goto sslerr; 798 if ((pkey = X509_get_pubkey(cert)) == NULL) 799 goto sslerr; 800 dsa->dsa_key = pkey; 801 break; 802 case IKEV2_CERT_RSA_KEY: 803 if (dsa->dsa_sign) { 804 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 805 NULL)) == NULL) 806 goto sslerr; 807 } else { 808 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 809 NULL)) == NULL) 810 goto sslerr; 811 } 812 813 if ((pkey = EVP_PKEY_new()) == NULL) 814 goto sslerr; 815 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 816 goto sslerr; 817 818 RSA_free(rsa); /* pkey now has the reference */ 819 dsa->dsa_key = pkey; 820 break; 821 case IKEV2_CERT_ECDSA: 822 if (dsa->dsa_sign) { 823 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 824 goto sslerr; 825 } else { 826 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 827 goto sslerr; 828 } 829 830 if ((pkey = EVP_PKEY_new()) == NULL) 831 goto sslerr; 832 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 833 goto sslerr; 834 835 EC_KEY_free(ec); /* pkey now has the reference */ 836 dsa->dsa_key = pkey; 837 break; 838 default: 839 if (dsa->dsa_hmac) 840 break; 841 log_debug("%s: unsupported key type", __func__); 842 goto err; 843 } 844 845 if (cert != NULL) 846 X509_free(cert); 847 BIO_free(rawcert); /* temporary for parsing */ 848 849 return (dsa->dsa_keydata); 850 851 sslerr: 852 ca_sslerror(__func__); 853 err: 854 log_debug("%s: error", __func__); 855 856 if (rsa != NULL) 857 RSA_free(rsa); 858 if (ec != NULL) 859 EC_KEY_free(ec); 860 if (pkey != NULL) 861 EVP_PKEY_free(pkey); 862 if (cert != NULL) 863 X509_free(cert); 864 if (rawcert != NULL) 865 BIO_free(rawcert); 866 ibuf_release(dsa->dsa_keydata); 867 dsa->dsa_keydata = NULL; 868 return (NULL); 869} 870 871int 872_dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 873{ 874 uint8_t oidlen; 875 size_t i; 876 int keytype; 877 878 if (dsa->dsa_priv != NULL) 879 return (0); 880 /* 881 * For IKEV2_AUTH_SIG the oid of the authentication signature 882 * is encoded in the first bytes of the auth message. 883 */ 884 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 885 log_debug("%s: dsa_priv not set for %s", __func__, 886 print_map(dsa->dsa_method, ikev2_auth_map)); 887 return (-1); 888 } 889 if (dsa->dsa_key == NULL) { 890 log_debug("%s: dsa_key not set for %s", __func__, 891 print_map(dsa->dsa_method, ikev2_auth_map)); 892 return (-1); 893 } 894 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 895 if (sig == NULL) { 896 log_debug("%s: signature missing", __func__); 897 return (-1); 898 } 899 if (len < sizeof(oidlen)) { 900 log_debug("%s: signature (%zu) too small for oid length", 901 __func__, len); 902 return (-1); 903 } 904 memcpy(&oidlen, sig, sizeof(oidlen)); 905 if (len < (size_t)oidlen + sizeof(oidlen)) { 906 log_debug("%s: signature (%zu) too small for oid (%u)", 907 __func__, len, oidlen); 908 return (-1); 909 } 910 for (i = 0; i < nitems(schemes); i++) { 911 if (keytype == schemes[i].sc_keytype && 912 oidlen == schemes[i].sc_len && 913 memcmp(sig + 1, schemes[i].sc_oid, 914 schemes[i].sc_len) == 0) { 915 dsa->dsa_priv = (*schemes[i].sc_md)(); 916 dsa->dsa_flags = schemes[i].sc_flags; 917 log_debug("%s: signature scheme %zd selected", 918 __func__, i); 919 return (0); 920 } 921 } 922 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 923 return (-1); 924} 925 926int 927dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 928{ 929 int ret; 930 EVP_PKEY_CTX *pctx = NULL; 931 932 if (dsa->dsa_hmac) { 933 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 934 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 935 return (-1); 936 return (0); 937 } 938 939 if (dsa->dsa_sign) { 940 if (force_rsa_pss && 941 EVP_PKEY_base_id(dsa->dsa_key) == EVP_PKEY_RSA) 942 dsa->dsa_flags = FLAG_RSA_PSS; 943 ret = EVP_DigestSignInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 944 NULL, dsa->dsa_key); 945 } else { 946 /* sets dsa_priv, dsa_flags */ 947 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 948 return (ret); 949 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 950 NULL, dsa->dsa_key); 951 } 952 if (ret == 1 && dsa->dsa_flags == FLAG_RSA_PSS) { 953 if (EVP_PKEY_CTX_set_rsa_padding(pctx, 954 RSA_PKCS1_PSS_PADDING) <= 0 || 955 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) 956 return (-1); 957 } 958 if (_dsa_sign_encode(dsa, NULL, 0, NULL) < 0) 959 return (-1); 960 961 return (ret == 1 ? 0 : -1); 962} 963 964int 965dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 966{ 967 int ret; 968 969 if (dsa->dsa_hmac) 970 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 971 else if (dsa->dsa_sign) 972 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 973 else 974 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 975 976 return (ret == 1 ? 0 : -1); 977} 978 979/* Prefix signature hash with encoded type */ 980int 981_dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 982{ 983 int keytype; 984 size_t i, need; 985 986 if (offp) 987 *offp = 0; 988 if (dsa->dsa_method != IKEV2_AUTH_SIG) 989 return (0); 990 if (dsa->dsa_key == NULL) 991 return (-1); 992 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 993 for (i = 0; i < nitems(schemes); i++) { 994 /* XXX should avoid calling sc_md() each time... */ 995 if (keytype == schemes[i].sc_keytype && 996 dsa->dsa_flags == schemes[i].sc_flags && 997 (dsa->dsa_priv == (*schemes[i].sc_md)())) 998 break; 999 } 1000 if (i >= nitems(schemes)) 1001 return (-1); 1002 log_debug("%s: signature scheme %zd selected", __func__, i); 1003 need = sizeof(ptr[0]) + schemes[i].sc_len; 1004 if (ptr) { 1005 if (len < need) 1006 return (-1); 1007 ptr[0] = schemes[i].sc_len; 1008 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 1009 schemes[i].sc_len); 1010 } 1011 if (offp) 1012 *offp = need; 1013 return (0); 1014} 1015 1016/* Export size of encoded signature hash type */ 1017size_t 1018dsa_prefix(struct iked_dsa *dsa) 1019{ 1020 size_t off = 0; 1021 1022 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 1023 fatal("dsa_prefix: internal error"); 1024 return off; 1025} 1026 1027size_t 1028dsa_length(struct iked_dsa *dsa) 1029{ 1030 if (dsa->dsa_hmac) 1031 return (EVP_MD_size(dsa->dsa_priv)); 1032 switch (dsa->dsa_method) { 1033 case IKEV2_AUTH_ECDSA_256: 1034 case IKEV2_AUTH_ECDSA_384: 1035 case IKEV2_AUTH_ECDSA_521: 1036 /* size of concat(r|s) */ 1037 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 1038 } 1039 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 1040} 1041 1042int 1043_dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 1044{ 1045 ECDSA_SIG *obj = NULL; 1046 uint8_t *tmp = NULL; 1047 const uint8_t *p; 1048 size_t tmplen; 1049 int ret = -1; 1050 int bnlen, off; 1051 const BIGNUM *r, *s; 1052 1053 if (len % 2) 1054 goto done; /* must be even */ 1055 bnlen = len/2; 1056 /* 1057 * (a) create DER signature into 'tmp' buffer 1058 * (b) convert buffer to ECDSA_SIG object 1059 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 1060 */ 1061 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 1062 goto done; 1063 if ((tmp = calloc(1, tmplen)) == NULL) 1064 goto done; 1065 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 1066 goto done; 1067 p = tmp; 1068 if (d2i_ECDSA_SIG(&obj, &p, tmplen) == NULL) 1069 goto done; 1070 ECDSA_SIG_get0(obj, &r, &s); 1071 if (BN_num_bytes(r) > bnlen || BN_num_bytes(s) > bnlen) 1072 goto done; 1073 memset(ptr, 0, len); 1074 off = bnlen - BN_num_bytes(r); 1075 BN_bn2bin(r, ptr + off); 1076 off = 2 * bnlen - BN_num_bytes(s); 1077 BN_bn2bin(s, ptr + off); 1078 ret = 0; 1079 done: 1080 free(tmp); 1081 if (obj) 1082 ECDSA_SIG_free(obj); 1083 return (ret); 1084} 1085 1086ssize_t 1087dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 1088{ 1089 unsigned int hmaclen; 1090 size_t off = 0; 1091 uint8_t *ptr = buf; 1092 1093 if (len < dsa_length(dsa)) 1094 return (-1); 1095 1096 if (dsa->dsa_hmac) { 1097 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 1098 return (-1); 1099 if (hmaclen > INT_MAX) 1100 return (-1); 1101 return (ssize_t)hmaclen; 1102 } else { 1103 switch (dsa->dsa_method) { 1104 case IKEV2_AUTH_ECDSA_256: 1105 case IKEV2_AUTH_ECDSA_384: 1106 case IKEV2_AUTH_ECDSA_521: 1107 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 1108 return (-1); 1109 return (len); 1110 default: 1111 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 1112 return (-1); 1113 if (off > len) 1114 return (-1); 1115 len -= off; 1116 ptr += off; 1117 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 1118 return (-1); 1119 return (len + off); 1120 } 1121 } 1122 return (-1); 1123} 1124 1125int 1126_dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 1127 uint8_t **freemep) 1128{ 1129 ECDSA_SIG *obj = NULL; 1130 uint8_t *ptr = NULL; 1131 size_t bnlen, len, off; 1132 int ret = -1; 1133 BIGNUM *r = NULL, *s = NULL; 1134 1135 *freemep = NULL; /* don't return garbage in case of an error */ 1136 1137 switch (dsa->dsa_method) { 1138 case IKEV2_AUTH_SIG: 1139 /* 1140 * The first byte of the signature encodes the OID 1141 * prefix length which we need to skip. 1142 */ 1143 off = (*sigp)[0] + 1; 1144 *sigp = *sigp + off; 1145 *lenp = *lenp - off; 1146 *freemep = NULL; 1147 ret = 0; 1148 break; 1149 case IKEV2_AUTH_ECDSA_256: 1150 case IKEV2_AUTH_ECDSA_384: 1151 case IKEV2_AUTH_ECDSA_521: 1152 /* 1153 * sigp points to concatenation r|s, while EVP_VerifyFinal() 1154 * expects the signature as a DER-encoded blob (of the two 1155 * values), so we need to convert the signature in a new 1156 * buffer (we cannot override the given buffer) and the caller 1157 * has to free this buffer ('freeme'). 1158 */ 1159 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 1160 goto done; 1161 bnlen = (*lenp)/2; 1162 /* sigp points to concatenation: r|s */ 1163 if ((obj = ECDSA_SIG_new()) == NULL || 1164 (r = BN_bin2bn(*sigp, bnlen, NULL)) == NULL || 1165 (s = BN_bin2bn(*sigp+bnlen, bnlen, NULL)) == NULL || 1166 ECDSA_SIG_set0(obj, r, s) == 0 || 1167 (len = i2d_ECDSA_SIG(obj, &ptr)) == 0) 1168 goto done; 1169 r = s = NULL; 1170 *lenp = len; 1171 *sigp = ptr; 1172 *freemep = ptr; 1173 ptr = NULL; 1174 ret = 0; 1175 break; 1176 default: 1177 return (0); 1178 } 1179 done: 1180 BN_clear_free(r); 1181 BN_clear_free(s); 1182 free(ptr); 1183 if (obj) 1184 ECDSA_SIG_free(obj); 1185 return (ret); 1186} 1187 1188ssize_t 1189dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 1190{ 1191 uint8_t sig[EVP_MAX_MD_SIZE]; 1192 uint8_t *ptr = buf, *freeme = NULL; 1193 unsigned int siglen = sizeof(sig); 1194 1195 if (dsa->dsa_hmac) { 1196 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 1197 return (-1); 1198 if (siglen != len || memcmp(buf, sig, siglen) != 0) 1199 return (-1); 1200 } else { 1201 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 1202 return (-1); 1203 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 1204 free(freeme); 1205 ca_sslerror(__func__); 1206 return (-1); 1207 } 1208 free(freeme); 1209 } 1210 1211 return (0); 1212} 1213