1 /* 2 * Redistribution and use in source and binary forms, with or without 3 * modification, are permitted provided that: (1) source code 4 * distributions retain the above copyright notice and this paragraph 5 * in its entirety, and (2) distributions including binary code include 6 * the above copyright notice and this paragraph in its entirety in 7 * the documentation or other materials provided with the distribution. 8 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND 9 * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT 10 * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 11 * FOR A PARTICULAR PURPOSE. 12 * 13 * Functions for signature and digest verification. 14 * 15 * Original code by Hannes Gredler (hannes@gredler.at) 16 */ 17 18 #include <sys/cdefs.h> 19 #ifndef lint 20 __RCSID("$NetBSD: signature.c,v 1.9 2019/10/01 16:06:16 christos Exp $"); 21 #endif 22 23 #ifdef HAVE_CONFIG_H 24 #include "config.h" 25 #endif 26 27 #include <netdissect-stdinc.h> 28 29 #include <string.h> 30 #include <stdlib.h> 31 32 #include "netdissect.h" 33 #include "signature.h" 34 35 #ifdef HAVE_LIBCRYPTO 36 #include <openssl/md5.h> 37 #endif 38 39 const struct tok signature_check_values[] = { 40 { SIGNATURE_VALID, "valid"}, 41 { SIGNATURE_INVALID, "invalid"}, 42 { CANT_ALLOCATE_COPY, "can't allocate memory"}, 43 { CANT_CHECK_SIGNATURE, "unchecked"}, 44 { 0, NULL } 45 }; 46 47 48 #ifdef HAVE_LIBCRYPTO 49 /* 50 * Compute a HMAC MD5 sum. 51 * Taken from rfc2104, Appendix. 52 */ 53 USES_APPLE_DEPRECATED_API 54 static void 55 signature_compute_hmac_md5(const uint8_t *text, int text_len, unsigned char *key, 56 unsigned int key_len, uint8_t *digest) 57 { 58 MD5_CTX context; 59 unsigned char k_ipad[65]; /* inner padding - key XORd with ipad */ 60 unsigned char k_opad[65]; /* outer padding - key XORd with opad */ 61 unsigned char tk[16]; 62 int i; 63 64 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 65 if (key_len > 64) { 66 67 MD5_CTX tctx; 68 69 MD5_Init(&tctx); 70 MD5_Update(&tctx, key, key_len); 71 MD5_Final(tk, &tctx); 72 73 key = tk; 74 key_len = 16; 75 } 76 77 /* 78 * the HMAC_MD5 transform looks like: 79 * 80 * MD5(K XOR opad, MD5(K XOR ipad, text)) 81 * 82 * where K is an n byte key 83 * ipad is the byte 0x36 repeated 64 times 84 * opad is the byte 0x5c repeated 64 times 85 * and text is the data being protected 86 */ 87 88 /* start out by storing key in pads */ 89 memset(k_ipad, 0, sizeof k_ipad); 90 memset(k_opad, 0, sizeof k_opad); 91 memcpy(k_ipad, key, key_len); 92 memcpy(k_opad, key, key_len); 93 94 /* XOR key with ipad and opad values */ 95 for (i=0; i<64; i++) { 96 k_ipad[i] ^= 0x36; 97 k_opad[i] ^= 0x5c; 98 } 99 100 /* 101 * perform inner MD5 102 */ 103 MD5_Init(&context); /* init context for 1st pass */ 104 MD5_Update(&context, k_ipad, 64); /* start with inner pad */ 105 MD5_Update(&context, text, text_len); /* then text of datagram */ 106 MD5_Final(digest, &context); /* finish up 1st pass */ 107 108 /* 109 * perform outer MD5 110 */ 111 MD5_Init(&context); /* init context for 2nd pass */ 112 MD5_Update(&context, k_opad, 64); /* start with outer pad */ 113 MD5_Update(&context, digest, 16); /* then results of 1st hash */ 114 MD5_Final(digest, &context); /* finish up 2nd pass */ 115 } 116 USES_APPLE_RST 117 118 /* 119 * Verify a cryptographic signature of the packet. 120 * Currently only MD5 is supported. 121 */ 122 int 123 signature_verify(netdissect_options *ndo, const u_char *pptr, u_int plen, 124 const u_char *sig_ptr, void (*clear_rtn)(void *), 125 const void *clear_arg) 126 { 127 uint8_t *packet_copy, *sig_copy; 128 uint8_t sig[16]; 129 unsigned int i; 130 131 if (!ndo->ndo_sigsecret) { 132 return (CANT_CHECK_SIGNATURE); 133 } 134 135 /* 136 * Do we have all the packet data to be checked? 137 */ 138 if (!ND_TTEST2(*pptr, plen)) { 139 /* No. */ 140 return (CANT_CHECK_SIGNATURE); 141 } 142 143 /* 144 * Do we have the entire signature to check? 145 */ 146 if (!ND_TTEST2(*sig_ptr, sizeof(sig))) { 147 /* No. */ 148 return (CANT_CHECK_SIGNATURE); 149 } 150 if (sig_ptr + sizeof(sig) > pptr + plen) { 151 /* No. */ 152 return (CANT_CHECK_SIGNATURE); 153 } 154 155 /* 156 * Make a copy of the packet, so we don't overwrite the original. 157 */ 158 packet_copy = malloc(plen); 159 if (packet_copy == NULL) { 160 return (CANT_ALLOCATE_COPY); 161 } 162 163 memcpy(packet_copy, pptr, plen); 164 165 /* 166 * Clear the signature in the copy. 167 */ 168 sig_copy = packet_copy + (sig_ptr - pptr); 169 memset(sig_copy, 0, sizeof(sig)); 170 171 /* 172 * Clear anything else that needs to be cleared in the copy. 173 * Our caller is assumed to have vetted the clear_arg pointer. 174 */ 175 (*clear_rtn)((void *)(packet_copy + ((const uint8_t *)clear_arg - pptr))); 176 177 /* 178 * Compute the signature. 179 */ 180 signature_compute_hmac_md5(packet_copy, plen, 181 (unsigned char *)ndo->ndo_sigsecret, 182 strlen(ndo->ndo_sigsecret), sig); 183 184 /* 185 * Free the copy. 186 */ 187 free(packet_copy); 188 189 /* 190 * Does the computed signature match the signature in the packet? 191 */ 192 if (memcmp(sig_ptr, sig, sizeof(sig)) == 0) { 193 /* Yes. */ 194 return (SIGNATURE_VALID); 195 } else { 196 /* No - print the computed signature. */ 197 for (i = 0; i < sizeof(sig); ++i) { 198 ND_PRINT((ndo, "%02x", sig[i])); 199 } 200 201 return (SIGNATURE_INVALID); 202 } 203 } 204 #else 205 int 206 signature_verify(netdissect_options *ndo _U_, const u_char *pptr _U_, 207 u_int plen _U_, const u_char *sig_ptr _U_, 208 void (*clear_rtn)(void *) _U_, const void *clear_arg _U_) 209 { 210 return (CANT_CHECK_SIGNATURE); 211 } 212 #endif 213 214 /* 215 * Local Variables: 216 * c-style: whitesmith 217 * c-basic-offset: 4 218 * End: 219 */ 220