crypto.c revision 1.5
1/* $OpenBSD: crypto.c,v 1.5 2010/12/21 13:24:11 mikeb Exp $ */ 2/* $vantronix: crypto.c,v 1.18 2010/05/28 15:34:35 reyk Exp $ */ 3 4/* 5 * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/param.h> 21#include <sys/queue.h> 22#include <sys/socket.h> 23#include <sys/uio.h> 24 25#include <stdio.h> 26#include <stdlib.h> 27#include <unistd.h> 28#include <string.h> 29#include <errno.h> 30#include <fcntl.h> 31#include <event.h> 32 33#include <openssl/hmac.h> 34#include <openssl/evp.h> 35#include <openssl/sha.h> 36#include <openssl/md5.h> 37#include <openssl/x509.h> 38 39#include "iked.h" 40#include "ikev2.h" 41 42struct iked_hash * 43hash_new(u_int8_t type, u_int16_t id) 44{ 45 struct iked_hash *hash; 46 const EVP_MD *md = NULL; 47 HMAC_CTX *ctx = NULL; 48 int length = 0, fixedkey = 0, trunc = 0; 49 50 switch (type) { 51 case IKEV2_XFORMTYPE_PRF: 52 switch (id) { 53 case IKEV2_XFORMPRF_HMAC_MD5: 54 md = EVP_md5(); 55 length = MD5_DIGEST_LENGTH; 56 break; 57 case IKEV2_XFORMPRF_HMAC_SHA1: 58 md = EVP_sha1(); 59 length = SHA_DIGEST_LENGTH; 60 break; 61 case IKEV2_XFORMPRF_HMAC_SHA2_256: 62 md = EVP_sha256(); 63 length = SHA256_DIGEST_LENGTH; 64 break; 65 case IKEV2_XFORMPRF_HMAC_SHA2_384: 66 md = EVP_sha384(); 67 length = SHA384_DIGEST_LENGTH; 68 break; 69 case IKEV2_XFORMPRF_HMAC_SHA2_512: 70 md = EVP_sha512(); 71 length = SHA512_DIGEST_LENGTH; 72 break; 73 case IKEV2_XFORMPRF_AES128_XCBC: 74 fixedkey = 128 / 8; 75 length = fixedkey; 76 /* FALLTHROUGH */ 77 case IKEV2_XFORMPRF_HMAC_TIGER: 78 case IKEV2_XFORMPRF_AES128_CMAC: 79 default: 80 log_debug("%s: prf %s not supported", __func__, 81 print_map(id, ikev2_xformprf_map)); 82 break; 83 } 84 break; 85 case IKEV2_XFORMTYPE_INTEGR: 86 switch (id) { 87 case IKEV2_XFORMAUTH_HMAC_MD5_96: 88 md = EVP_md5(); 89 length = MD5_DIGEST_LENGTH; 90 trunc = 12; 91 break; 92 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 93 md = EVP_sha1(); 94 length = SHA_DIGEST_LENGTH; 95 trunc = 12; 96 break; 97 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 98 md = EVP_sha256(); 99 length = SHA256_DIGEST_LENGTH; 100 trunc = 16; 101 break; 102 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 103 md = EVP_sha384(); 104 length = SHA384_DIGEST_LENGTH; 105 trunc = 24; 106 break; 107 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 108 md = EVP_sha512(); 109 length = SHA512_DIGEST_LENGTH; 110 trunc = 32; 111 break; 112 case IKEV2_XFORMAUTH_NONE: 113 case IKEV2_XFORMAUTH_DES_MAC: 114 case IKEV2_XFORMAUTH_KPDK_MD5: 115 case IKEV2_XFORMAUTH_AES_XCBC_96: 116 case IKEV2_XFORMAUTH_HMAC_MD5_128: 117 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 118 case IKEV2_XFORMAUTH_AES_CMAC_96: 119 case IKEV2_XFORMAUTH_AES_128_GMAC: 120 case IKEV2_XFORMAUTH_AES_192_GMAC: 121 case IKEV2_XFORMAUTH_AES_256_GMAC: 122 default: 123 log_debug("%s: auth %s not supported", __func__, 124 print_map(id, ikev2_xformauth_map)); 125 break; 126 } 127 break; 128 default: 129 log_debug("%s: hash type %s not supported", __func__, 130 print_map(id, ikev2_xformtype_map)); 131 break; 132 } 133 if (md == NULL) 134 return (NULL); 135 136 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 137 log_debug("%s: alloc hash", __func__); 138 return (NULL); 139 } 140 141 hash->hash_type = type; 142 hash->hash_id = id; 143 hash->hash_priv = md; 144 hash->hash_ctx = NULL; 145 hash->hash_trunc = trunc; 146 hash->hash_length = length; 147 hash->hash_fixedkey = fixedkey; 148 149 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 150 log_debug("%s: alloc hash ctx", __func__); 151 hash_free(hash); 152 return (NULL); 153 } 154 155 HMAC_CTX_init(ctx); 156 hash->hash_ctx = ctx; 157 158 return (hash); 159} 160 161struct ibuf * 162hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 163{ 164 ibuf_release(hash->hash_key); 165 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 166 log_debug("%s: alloc hash key", __func__); 167 return (NULL); 168 } 169 return (hash->hash_key); 170} 171 172void 173hash_free(struct iked_hash *hash) 174{ 175 if (hash == NULL) 176 return; 177 if (hash->hash_ctx != NULL) { 178 HMAC_CTX_cleanup(hash->hash_ctx); 179 free(hash->hash_ctx); 180 } 181 ibuf_release(hash->hash_key); 182 free(hash); 183} 184 185void 186hash_init(struct iked_hash *hash) 187{ 188 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 189 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 190} 191 192void 193hash_update(struct iked_hash *hash, void *buf, size_t len) 194{ 195 HMAC_Update(hash->hash_ctx, buf, len); 196} 197 198void 199hash_final(struct iked_hash *hash, void *buf, size_t *len) 200{ 201 u_int length = 0; 202 203 HMAC_Final(hash->hash_ctx, buf, &length); 204 *len = (size_t)length; 205 206 /* Truncate the result if required by the alg */ 207 if (hash->hash_trunc && *len > hash->hash_trunc) 208 *len = hash->hash_trunc; 209} 210 211size_t 212hash_length(struct iked_hash *hash) 213{ 214 if (hash->hash_trunc) 215 return (hash->hash_trunc); 216 return (hash->hash_length); 217} 218 219size_t 220hash_keylength(struct iked_hash *hash) 221{ 222 return (hash->hash_length); 223} 224 225struct iked_cipher * 226cipher_new(u_int8_t type, u_int16_t id, u_int16_t id_length) 227{ 228 struct iked_cipher *encr; 229 const EVP_CIPHER *cipher = NULL; 230 EVP_CIPHER_CTX *ctx = NULL; 231 int length = 0, fixedkey = 0, ivlength = 0; 232 233 switch (type) { 234 case IKEV2_XFORMTYPE_ENCR: 235 switch (id) { 236 case IKEV2_XFORMENCR_3DES: 237 cipher = EVP_des_ede3_cbc(); 238 length = EVP_CIPHER_block_size(cipher); 239 fixedkey = EVP_CIPHER_key_length(cipher); 240 ivlength = EVP_CIPHER_iv_length(cipher); 241 break; 242 case IKEV2_XFORMENCR_AES_CBC: 243 switch (id_length) { 244 case 128: 245 cipher = EVP_aes_128_cbc(); 246 break; 247 case 192: 248 cipher = EVP_aes_192_cbc(); 249 break; 250 case 256: 251 cipher = EVP_aes_256_cbc(); 252 break; 253 default: 254 log_debug("%s: invalid key length %d" 255 " for cipher %s", __func__, id_length, 256 print_map(id, ikev2_xformencr_map)); 257 break; 258 } 259 if (cipher == NULL) 260 break; 261 length = EVP_CIPHER_block_size(cipher); 262 ivlength = EVP_CIPHER_iv_length(cipher); 263 fixedkey = EVP_CIPHER_key_length(cipher); 264 break; 265 case IKEV2_XFORMENCR_DES_IV64: 266 case IKEV2_XFORMENCR_DES: 267 case IKEV2_XFORMENCR_RC5: 268 case IKEV2_XFORMENCR_IDEA: 269 case IKEV2_XFORMENCR_CAST: 270 case IKEV2_XFORMENCR_BLOWFISH: 271 case IKEV2_XFORMENCR_3IDEA: 272 case IKEV2_XFORMENCR_DES_IV32: 273 case IKEV2_XFORMENCR_NULL: 274 case IKEV2_XFORMENCR_AES_CTR: 275 /* FALLTHROUGH */ 276 default: 277 log_debug("%s: cipher %s not supported", __func__, 278 print_map(id, ikev2_xformencr_map)); 279 cipher = NULL; 280 break; 281 } 282 break; 283 default: 284 log_debug("%s: cipher type %s not supported", __func__, 285 print_map(id, ikev2_xformtype_map)); 286 break; 287 } 288 if (cipher == NULL) 289 return (NULL); 290 291 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 292 log_debug("%s: alloc cipher", __func__); 293 return (NULL); 294 } 295 296 encr->encr_id = id; 297 encr->encr_priv = cipher; 298 encr->encr_ctx = NULL; 299 encr->encr_length = length; 300 encr->encr_fixedkey = fixedkey; 301 encr->encr_ivlength = ivlength ? ivlength : length; 302 303 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 304 log_debug("%s: alloc cipher ctx", __func__); 305 cipher_free(encr); 306 return (NULL); 307 } 308 309 EVP_CIPHER_CTX_init(ctx); 310 encr->encr_ctx = ctx; 311 312 return (encr); 313} 314 315struct ibuf * 316cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 317{ 318 ibuf_release(encr->encr_key); 319 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 320 log_debug("%s: alloc cipher key", __func__); 321 return (NULL); 322 } 323 return (encr->encr_key); 324} 325 326struct ibuf * 327cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 328{ 329 ibuf_release(encr->encr_iv); 330 if (iv != NULL) { 331 if (len < encr->encr_ivlength) { 332 log_debug("%s: invalid IV length %d", __func__, len); 333 return (NULL); 334 } 335 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 336 } else { 337 /* Get new random IV */ 338 encr->encr_iv = ibuf_random(encr->encr_ivlength); 339 } 340 if (encr->encr_iv == NULL) { 341 log_debug("%s: failed to set IV", __func__); 342 return (NULL); 343 } 344 return (encr->encr_iv); 345} 346 347void 348cipher_free(struct iked_cipher *encr) 349{ 350 if (encr == NULL) 351 return; 352 if (encr->encr_ctx != NULL) { 353 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 354 free(encr->encr_ctx); 355 } 356 ibuf_release(encr->encr_key); 357 free(encr); 358} 359 360void 361cipher_init(struct iked_cipher *encr, int enc) 362{ 363 EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 364 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc); 365 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 366} 367 368void 369cipher_init_encrypt(struct iked_cipher *encr) 370{ 371 cipher_init(encr, 1); 372} 373 374void 375cipher_init_decrypt(struct iked_cipher *encr) 376{ 377 cipher_init(encr, 0); 378} 379 380void 381cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 382 void *out, size_t *outlen) 383{ 384 int olen; 385 386 olen = 0; 387 if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) { 388 ca_sslerror(); 389 *outlen = 0; 390 return; 391 } 392 *outlen = (size_t)olen; 393} 394 395void 396cipher_final(struct iked_cipher *encr, void *out, size_t *outlen) 397{ 398 int olen; 399 400 olen = 0; 401 if (!EVP_CipherFinal_ex(encr->encr_ctx, out, &olen)) { 402 ca_sslerror(); 403 *outlen = 0; 404 return; 405 } 406 *outlen = (size_t)olen; 407} 408 409size_t 410cipher_length(struct iked_cipher *encr) 411{ 412 return (encr->encr_length); 413} 414 415size_t 416cipher_keylength(struct iked_cipher *encr) 417{ 418 if (encr->encr_fixedkey) 419 return (encr->encr_fixedkey); 420 421 /* Might return zero */ 422 return (ibuf_length(encr->encr_key)); 423} 424 425size_t 426cipher_ivlength(struct iked_cipher *encr) 427{ 428 return (encr->encr_ivlength); 429} 430 431size_t 432cipher_outlength(struct iked_cipher *encr, size_t inlen) 433{ 434 return (roundup(inlen, encr->encr_length)); 435} 436 437struct iked_dsa * 438dsa_new(u_int16_t id, struct iked_hash *prf, int sign) 439{ 440 struct iked_dsa *dsap = NULL, dsa; 441 442 bzero(&dsa, sizeof(dsa)); 443 444 switch (id) { 445 case IKEV2_AUTH_RSA_SIG: 446 /* 447 * XXX RFC4306 is not very clear about this and the 448 * XXX informational RFC4718 says that we should use 449 * XXX SHA1 here, but shouldn't we use the negotiated PRF 450 * XXX alg instead? 451 */ 452 if ((dsa.dsa_priv = 453 EVP_get_digestbyname("sha1WithRSAEncryption")) == NULL) 454 fatalx("dsa_new: cipher not available"); 455 break; 456 case IKEV2_AUTH_SHARED_KEY_MIC: 457 if (prf == NULL || prf->hash_priv == NULL) 458 fatalx("dsa_new: invalid PRF"); 459 dsa.dsa_priv = prf->hash_priv; 460 dsa.dsa_hmac = 1; 461 break; 462 case IKEV2_AUTH_DSS_SIG: 463 dsa.dsa_priv = EVP_dss1(); 464 break; 465 case IKEV2_AUTH_ECDSA_256: 466 dsa.dsa_priv = EVP_sha256(); 467 break; 468 case IKEV2_AUTH_ECDSA_384: 469 dsa.dsa_priv = EVP_sha384(); 470 break; 471 case IKEV2_AUTH_ECDSA_512: 472 dsa.dsa_priv = EVP_sha512(); 473 break; 474 default: 475 log_debug("%s: auth method %s not supported", __func__, 476 print_map(id, ikev2_auth_map)); 477 break; 478 } 479 480 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 481 log_debug("%s: alloc dsa ctx", __func__); 482 483 return (NULL); 484 } 485 memcpy(dsap, &dsa, sizeof(*dsap)); 486 487 dsap->dsa_method = id; 488 dsap->dsa_sign = sign; 489 490 if (dsap->dsa_hmac) { 491 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 492 log_debug("%s: alloc hash ctx", __func__); 493 dsa_free(dsap); 494 return (NULL); 495 } 496 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 497 } else { 498 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 499 log_debug("%s: alloc digest ctx", __func__); 500 dsa_free(dsap); 501 return (NULL); 502 } 503 } 504 505 return (dsap); 506} 507 508struct iked_dsa * 509dsa_sign_new(u_int16_t id, struct iked_hash *prf) 510{ 511 return (dsa_new(id, prf, 1)); 512} 513 514struct iked_dsa * 515dsa_verify_new(u_int16_t id, struct iked_hash *prf) 516{ 517 return (dsa_new(id, prf, 0)); 518} 519 520void 521dsa_free(struct iked_dsa *dsa) 522{ 523 if (dsa == NULL) 524 return; 525 if (dsa->dsa_hmac) { 526 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 527 free(dsa->dsa_ctx); 528 } else { 529 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 530 if (dsa->dsa_key) 531 EVP_PKEY_free(dsa->dsa_key); 532 if (dsa->dsa_cert) 533 X509_free(dsa->dsa_cert); 534 } 535 536 ibuf_release(dsa->dsa_keydata); 537} 538 539struct ibuf * 540dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, u_int8_t type) 541{ 542 BIO *rawcert = NULL; 543 X509 *cert = NULL; 544 RSA *rsa = NULL; 545 EVP_PKEY *pkey = NULL; 546 547 ibuf_release(dsa->dsa_keydata); 548 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 549 log_debug("%s: alloc signature key", __func__); 550 return (NULL); 551 } 552 553 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 554 goto err; 555 556 switch (type) { 557 case IKEV2_CERT_X509_CERT: 558 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 559 goto sslerr; 560 if ((pkey = X509_get_pubkey(cert)) == NULL) 561 goto sslerr; 562 dsa->dsa_cert = cert; 563 dsa->dsa_key = pkey; 564 break; 565 case IKEV2_CERT_RSA_KEY: 566 if (dsa->dsa_sign) { 567 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 568 NULL)) == NULL) 569 goto sslerr; 570 } else { 571 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 572 NULL)) == NULL) 573 goto sslerr; 574 } 575 576 if ((pkey = EVP_PKEY_new()) == NULL) 577 goto sslerr; 578 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 579 goto sslerr; 580 581 dsa->dsa_cert = NULL; 582 dsa->dsa_key = pkey; 583 break; 584 default: 585 if (dsa->dsa_hmac) 586 break; 587 log_debug("%s: unsupported key type", __func__); 588 goto err; 589 } 590 591 return (dsa->dsa_keydata); 592 593 sslerr: 594 ca_sslerror(); 595 err: 596 log_debug("%s: error", __func__); 597 598 if (rsa != NULL) 599 RSA_free(rsa); 600 if (pkey != NULL) 601 EVP_PKEY_free(pkey); 602 if (cert != NULL) 603 X509_free(cert); 604 if (rawcert != NULL) 605 BIO_free(rawcert); 606 ibuf_release(dsa->dsa_keydata); 607 return (NULL); 608} 609 610int 611dsa_init(struct iked_dsa *dsa) 612{ 613 int ret; 614 615 if (dsa->dsa_hmac) { 616 HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 617 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL); 618 return (0); 619 } 620 621 if (dsa->dsa_sign) 622 ret = EVP_SignInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 623 else 624 ret = EVP_VerifyInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 625 626 return (ret ? 0 : -1); 627} 628 629int 630dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 631{ 632 int ret = 1; 633 634 if (dsa->dsa_hmac) 635 HMAC_Update(dsa->dsa_ctx, buf, len); 636 else if (dsa->dsa_sign) 637 ret = EVP_SignUpdate(dsa->dsa_ctx, buf, len); 638 else 639 ret = EVP_VerifyUpdate(dsa->dsa_ctx, buf, len); 640 641 return (ret ? 0 : -1); 642} 643 644size_t 645dsa_length(struct iked_dsa *dsa) 646{ 647 if (dsa->dsa_hmac) 648 return (EVP_MD_size(dsa->dsa_priv)); 649 return (EVP_PKEY_size(dsa->dsa_key)); 650} 651 652ssize_t 653dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 654{ 655 u_int siglen; 656 657 if (len < dsa_length(dsa)) 658 return (-1); 659 660 if (dsa->dsa_hmac) 661 HMAC_Final(dsa->dsa_ctx, buf, &siglen); 662 else { 663 if (!EVP_SignFinal(dsa->dsa_ctx, buf, &siglen, 664 dsa->dsa_key)) 665 return (-1); 666 } 667 668 return (siglen); 669} 670 671ssize_t 672dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 673{ 674 u_int8_t sig[EVP_MAX_MD_SIZE]; 675 u_int siglen = sizeof(sig); 676 677 if (dsa->dsa_hmac) { 678 HMAC_Final(dsa->dsa_ctx, sig, &siglen); 679 if (siglen != len || memcmp(buf, sig, siglen) != 0) 680 return (-1); 681 } else { 682 if (!EVP_VerifyFinal(dsa->dsa_ctx, buf, len, 683 dsa->dsa_key)) { 684 ca_sslerror(); 685 return (-1); 686 } 687 } 688 689 return (0); 690} 691