1 /* $OpenBSD: crypto.c,v 1.34 2021/02/25 20:13:24 tobhe Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> /* roundup */ 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/uio.h> 23 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <unistd.h> 27 #include <string.h> 28 #include <errno.h> 29 #include <fcntl.h> 30 #include <event.h> 31 32 #include <openssl/ecdsa.h> 33 #include <openssl/hmac.h> 34 #include <openssl/evp.h> 35 #include <openssl/sha.h> 36 #include <openssl/md5.h> 37 #include <openssl/x509.h> 38 #include <openssl/rsa.h> 39 40 #include "iked.h" 41 #include "ikev2.h" 42 43 /* RFC 7427, A.1 RSA */ 44 static const uint8_t sha256WithRSA[] = { 45 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 46 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 47 }; 48 static const uint8_t sha384WithRSA[] = { 49 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 50 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 51 }; 52 static const uint8_t sha512WithRSA[] = { 53 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 54 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 55 }; 56 /* RFC 7427, A.3 ECDSA */ 57 static const uint8_t ecdsa_sha256[] = { 58 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 59 0x3d, 0x04, 0x03, 0x02 60 }; 61 static const uint8_t ecdsa_sha384[] = { 62 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 63 0x3d, 0x04, 0x03, 0x03 64 }; 65 static const uint8_t ecdsa_sha512[] = { 66 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 67 0x3d, 0x04, 0x03, 0x04 68 }; 69 /* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */ 70 static const uint8_t rsapss_sha256[] = { 71 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 72 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0, 73 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 74 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 75 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 76 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 77 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 78 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 79 0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01 80 }; 81 /* RSASSA-PSS SHA-384 */ 82 static const uint8_t rsapss_sha384[] = { 83 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 84 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 85 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 86 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 87 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 88 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 89 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 90 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 91 0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01 92 }; 93 /* RSASSA-PSS SHA-512 */ 94 static const uint8_t rsapss_sha512[] = { 95 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 96 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 97 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 98 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 99 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 100 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 101 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 102 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 103 0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01 104 }; 105 /* RSASSA-PSS SHA-256, no trailer */ 106 static const uint8_t rsapss_sha256nt[] = { 107 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 108 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 109 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 110 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 111 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 112 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 113 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 114 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 115 0x02, 0x01, 0x20 116 }; 117 /* RSASSA-PSS SHA-384, no trailer */ 118 static const uint8_t rsapss_sha384nt[] = { 119 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 120 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 121 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 122 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 123 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 124 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 125 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 126 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 127 0x02, 0x01, 0x30 128 }; 129 /* RSASSA-PSS SHA-512, no trailer */ 130 static const uint8_t rsapss_sha512nt[] = { 131 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 132 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 133 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 134 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 135 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 136 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 137 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 138 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 139 0x02, 0x01, 0x40 140 }; 141 142 #define FLAG_RSA_PSS 0x00001 143 int force_rsa_pss = 0; /* XXX move to API */ 144 145 static const struct { 146 int sc_keytype; 147 const EVP_MD *(*sc_md)(void); 148 uint8_t sc_len; 149 const uint8_t *sc_oid; 150 uint32_t sc_flags; 151 } schemes[] = { 152 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 }, 153 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 }, 154 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 }, 155 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256, 0 }, 156 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384, 0 }, 157 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512, 0 }, 158 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256, 159 FLAG_RSA_PSS }, 160 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384, 161 FLAG_RSA_PSS }, 162 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512, 163 FLAG_RSA_PSS }, 164 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt, 165 FLAG_RSA_PSS }, 166 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt, 167 FLAG_RSA_PSS }, 168 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt, 169 FLAG_RSA_PSS }, 170 }; 171 172 int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 173 int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 174 uint8_t **); 175 int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 176 int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 177 178 struct iked_hash * 179 hash_new(uint8_t type, uint16_t id) 180 { 181 struct iked_hash *hash; 182 const EVP_MD *md = NULL; 183 int length = 0, fixedkey = 0, trunc = 0, isaead = 0; 184 185 switch (type) { 186 case IKEV2_XFORMTYPE_PRF: 187 switch (id) { 188 case IKEV2_XFORMPRF_HMAC_MD5: 189 md = EVP_md5(); 190 length = MD5_DIGEST_LENGTH; 191 break; 192 case IKEV2_XFORMPRF_HMAC_SHA1: 193 md = EVP_sha1(); 194 length = SHA_DIGEST_LENGTH; 195 break; 196 case IKEV2_XFORMPRF_HMAC_SHA2_256: 197 md = EVP_sha256(); 198 length = SHA256_DIGEST_LENGTH; 199 break; 200 case IKEV2_XFORMPRF_HMAC_SHA2_384: 201 md = EVP_sha384(); 202 length = SHA384_DIGEST_LENGTH; 203 break; 204 case IKEV2_XFORMPRF_HMAC_SHA2_512: 205 md = EVP_sha512(); 206 length = SHA512_DIGEST_LENGTH; 207 break; 208 case IKEV2_XFORMPRF_AES128_XCBC: 209 fixedkey = 128 / 8; 210 length = fixedkey; 211 /* FALLTHROUGH */ 212 case IKEV2_XFORMPRF_HMAC_TIGER: 213 case IKEV2_XFORMPRF_AES128_CMAC: 214 default: 215 log_debug("%s: prf %s not supported", __func__, 216 print_map(id, ikev2_xformprf_map)); 217 break; 218 } 219 break; 220 case IKEV2_XFORMTYPE_INTEGR: 221 switch (id) { 222 case IKEV2_XFORMAUTH_HMAC_MD5_96: 223 md = EVP_md5(); 224 length = MD5_DIGEST_LENGTH; 225 trunc = 12; 226 break; 227 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 228 md = EVP_sha1(); 229 length = SHA_DIGEST_LENGTH; 230 trunc = 12; 231 break; 232 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 233 md = EVP_sha256(); 234 length = SHA256_DIGEST_LENGTH; 235 trunc = 16; 236 break; 237 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 238 md = EVP_sha384(); 239 length = SHA384_DIGEST_LENGTH; 240 trunc = 24; 241 break; 242 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 243 md = EVP_sha512(); 244 length = SHA512_DIGEST_LENGTH; 245 trunc = 32; 246 break; 247 case IKEV2_XFORMAUTH_AES_GCM_12: 248 length = 12; 249 isaead = 1; 250 break; 251 case IKEV2_XFORMAUTH_AES_GCM_16: 252 length = 16; 253 isaead = 1; 254 break; 255 case IKEV2_XFORMAUTH_NONE: 256 case IKEV2_XFORMAUTH_DES_MAC: 257 case IKEV2_XFORMAUTH_KPDK_MD5: 258 case IKEV2_XFORMAUTH_AES_XCBC_96: 259 case IKEV2_XFORMAUTH_HMAC_MD5_128: 260 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 261 case IKEV2_XFORMAUTH_AES_CMAC_96: 262 case IKEV2_XFORMAUTH_AES_128_GMAC: 263 case IKEV2_XFORMAUTH_AES_192_GMAC: 264 case IKEV2_XFORMAUTH_AES_256_GMAC: 265 default: 266 log_debug("%s: auth %s not supported", __func__, 267 print_map(id, ikev2_xformauth_map)); 268 break; 269 } 270 break; 271 default: 272 log_debug("%s: hash type %s not supported", __func__, 273 print_map(id, ikev2_xformtype_map)); 274 break; 275 } 276 if (!isaead && md == NULL) 277 return (NULL); 278 279 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 280 log_debug("%s: alloc hash", __func__); 281 return (NULL); 282 } 283 284 hash->hash_type = type; 285 hash->hash_id = id; 286 hash->hash_priv = md; 287 hash->hash_ctx = NULL; 288 hash->hash_trunc = trunc; 289 hash->hash_length = length; 290 hash->hash_fixedkey = fixedkey; 291 hash->hash_isaead = isaead; 292 293 if (isaead) 294 return (hash); 295 296 hash->hash_ctx = HMAC_CTX_new(); 297 if (hash->hash_ctx == NULL) { 298 log_debug("%s: alloc hash ctx", __func__); 299 hash_free(hash); 300 return (NULL); 301 } 302 303 return (hash); 304 } 305 306 struct ibuf * 307 hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 308 { 309 ibuf_release(hash->hash_key); 310 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 311 log_debug("%s: alloc hash key", __func__); 312 return (NULL); 313 } 314 return (hash->hash_key); 315 } 316 317 void 318 hash_free(struct iked_hash *hash) 319 { 320 if (hash == NULL) 321 return; 322 if (hash->hash_ctx != NULL) 323 HMAC_CTX_free(hash->hash_ctx); 324 ibuf_release(hash->hash_key); 325 free(hash); 326 } 327 328 void 329 hash_init(struct iked_hash *hash) 330 { 331 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 332 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 333 } 334 335 void 336 hash_update(struct iked_hash *hash, void *buf, size_t len) 337 { 338 HMAC_Update(hash->hash_ctx, buf, len); 339 } 340 341 void 342 hash_final(struct iked_hash *hash, void *buf, size_t *len) 343 { 344 unsigned int length = 0; 345 346 HMAC_Final(hash->hash_ctx, buf, &length); 347 *len = (size_t)length; 348 349 /* Truncate the result if required by the alg */ 350 if (hash->hash_trunc && *len > hash->hash_trunc) 351 *len = hash->hash_trunc; 352 } 353 354 size_t 355 hash_length(struct iked_hash *hash) 356 { 357 if (hash->hash_trunc) 358 return (hash->hash_trunc); 359 return (hash->hash_length); 360 } 361 362 size_t 363 hash_keylength(struct iked_hash *hash) 364 { 365 return (hash->hash_length); 366 } 367 368 struct iked_cipher * 369 cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 370 { 371 struct iked_cipher *encr; 372 const EVP_CIPHER *cipher = NULL; 373 int length = 0, fixedkey = 0, ivlength = 0; 374 int saltlength = 0, authid = 0; 375 376 switch (type) { 377 case IKEV2_XFORMTYPE_ENCR: 378 switch (id) { 379 case IKEV2_XFORMENCR_3DES: 380 cipher = EVP_des_ede3_cbc(); 381 length = EVP_CIPHER_block_size(cipher); 382 fixedkey = EVP_CIPHER_key_length(cipher); 383 ivlength = EVP_CIPHER_iv_length(cipher); 384 break; 385 case IKEV2_XFORMENCR_AES_CBC: 386 switch (id_length) { 387 case 128: 388 cipher = EVP_aes_128_cbc(); 389 break; 390 case 192: 391 cipher = EVP_aes_192_cbc(); 392 break; 393 case 256: 394 cipher = EVP_aes_256_cbc(); 395 break; 396 default: 397 log_debug("%s: invalid key length %d" 398 " for cipher %s", __func__, id_length, 399 print_map(id, ikev2_xformencr_map)); 400 break; 401 } 402 if (cipher == NULL) 403 break; 404 length = EVP_CIPHER_block_size(cipher); 405 ivlength = EVP_CIPHER_iv_length(cipher); 406 fixedkey = EVP_CIPHER_key_length(cipher); 407 break; 408 case IKEV2_XFORMENCR_AES_GCM_16: 409 case IKEV2_XFORMENCR_AES_GCM_12: 410 switch (id_length) { 411 case 128: 412 cipher = EVP_aes_128_gcm(); 413 break; 414 case 256: 415 cipher = EVP_aes_256_gcm(); 416 break; 417 default: 418 log_debug("%s: invalid key length %d" 419 " for cipher %s", __func__, id_length, 420 print_map(id, ikev2_xformencr_map)); 421 break; 422 } 423 if (cipher == NULL) 424 break; 425 switch(id) { 426 case IKEV2_XFORMENCR_AES_GCM_16: 427 authid = IKEV2_XFORMAUTH_AES_GCM_16; 428 break; 429 case IKEV2_XFORMENCR_AES_GCM_12: 430 authid = IKEV2_XFORMAUTH_AES_GCM_12; 431 break; 432 } 433 length = EVP_CIPHER_block_size(cipher); 434 ivlength = 8; 435 saltlength = 4; 436 fixedkey = EVP_CIPHER_key_length(cipher) + saltlength; 437 break; 438 case IKEV2_XFORMENCR_DES_IV64: 439 case IKEV2_XFORMENCR_DES: 440 case IKEV2_XFORMENCR_RC5: 441 case IKEV2_XFORMENCR_IDEA: 442 case IKEV2_XFORMENCR_CAST: 443 case IKEV2_XFORMENCR_BLOWFISH: 444 case IKEV2_XFORMENCR_3IDEA: 445 case IKEV2_XFORMENCR_DES_IV32: 446 case IKEV2_XFORMENCR_NULL: 447 case IKEV2_XFORMENCR_AES_CTR: 448 /* FALLTHROUGH */ 449 default: 450 log_debug("%s: cipher %s not supported", __func__, 451 print_map(id, ikev2_xformencr_map)); 452 cipher = NULL; 453 break; 454 } 455 break; 456 default: 457 log_debug("%s: cipher type %s not supported", __func__, 458 print_map(id, ikev2_xformtype_map)); 459 break; 460 } 461 if (cipher == NULL) 462 return (NULL); 463 464 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 465 log_debug("%s: alloc cipher", __func__); 466 return (NULL); 467 } 468 469 encr->encr_id = id; 470 encr->encr_priv = cipher; 471 encr->encr_ctx = NULL; 472 encr->encr_length = length; 473 encr->encr_fixedkey = fixedkey; 474 encr->encr_ivlength = ivlength ? ivlength : length; 475 encr->encr_saltlength = saltlength; 476 encr->encr_authid = authid; 477 478 encr->encr_ctx = EVP_CIPHER_CTX_new(); 479 if (encr->encr_ctx == NULL) { 480 log_debug("%s: alloc cipher ctx", __func__); 481 cipher_free(encr); 482 return (NULL); 483 } 484 485 return (encr); 486 } 487 488 struct ibuf * 489 cipher_setkey(struct iked_cipher *encr, const void *key, size_t keylen) 490 { 491 ibuf_release(encr->encr_key); 492 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 493 log_debug("%s: alloc cipher key", __func__); 494 return (NULL); 495 } 496 return (encr->encr_key); 497 } 498 499 struct ibuf * 500 cipher_setiv(struct iked_cipher *encr, const void *iv, size_t len) 501 { 502 ibuf_release(encr->encr_iv); 503 encr->encr_iv = NULL; 504 if (iv != NULL) { 505 if (len < encr->encr_ivlength) { 506 log_debug("%s: invalid IV length %zu", __func__, len); 507 return (NULL); 508 } 509 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 510 } else { 511 switch (encr->encr_id) { 512 case IKEV2_XFORMENCR_AES_GCM_16: 513 case IKEV2_XFORMENCR_AES_GCM_12: 514 if (encr->encr_ivlength != sizeof(encr->encr_civ)) { 515 log_info("%s: ivlen does not match %zu != %zu", 516 __func__, encr->encr_ivlength, 517 sizeof(encr->encr_civ)); 518 return (NULL); 519 } 520 encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ)); 521 encr->encr_civ++; 522 break; 523 default: 524 /* Get new random IV */ 525 encr->encr_iv = ibuf_random(encr->encr_ivlength); 526 } 527 } 528 if (encr->encr_iv == NULL) { 529 log_debug("%s: failed to set IV", __func__); 530 return (NULL); 531 } 532 return (encr->encr_iv); 533 } 534 535 int 536 cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len) 537 { 538 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 539 EVP_CTRL_GCM_SET_TAG, len, data) != 1); 540 } 541 542 int 543 cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len) 544 { 545 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 546 EVP_CTRL_GCM_GET_TAG, len, data) != 1); 547 } 548 549 void 550 cipher_free(struct iked_cipher *encr) 551 { 552 if (encr == NULL) 553 return; 554 if (encr->encr_ctx != NULL) { 555 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 556 free(encr->encr_ctx); 557 } 558 ibuf_release(encr->encr_iv); 559 ibuf_release(encr->encr_key); 560 free(encr); 561 } 562 563 int 564 cipher_init(struct iked_cipher *encr, int enc) 565 { 566 struct ibuf *nonce = NULL; 567 int ret = -1; 568 569 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 570 NULL, NULL, enc) != 1) 571 return (-1); 572 if (encr->encr_saltlength > 0) { 573 /* For AEADs the nonce is salt + IV (see RFC5282) */ 574 nonce = ibuf_new(ibuf_data(encr->encr_key) + 575 ibuf_size(encr->encr_key) - encr->encr_saltlength, 576 encr->encr_saltlength); 577 if (nonce == NULL) 578 return (-1); 579 if (ibuf_add(nonce, ibuf_data(encr->encr_iv) , ibuf_size(encr->encr_iv)) != 0) 580 goto done; 581 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 582 ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) 583 goto done; 584 } else 585 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 586 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 587 return (-1); 588 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 589 ret = 0; 590 done: 591 ibuf_free(nonce); 592 return (ret); 593 } 594 595 int 596 cipher_init_encrypt(struct iked_cipher *encr) 597 { 598 return (cipher_init(encr, 1)); 599 } 600 601 int 602 cipher_init_decrypt(struct iked_cipher *encr) 603 { 604 return (cipher_init(encr, 0)); 605 } 606 607 void 608 cipher_aad(struct iked_cipher *encr, const void *in, size_t inlen, 609 size_t *outlen) 610 { 611 int olen = 0; 612 613 if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) { 614 ca_sslerror(__func__); 615 *outlen = 0; 616 return; 617 } 618 *outlen = (size_t)olen; 619 } 620 621 int 622 cipher_update(struct iked_cipher *encr, const void *in, size_t inlen, 623 void *out, size_t *outlen) 624 { 625 int olen; 626 627 olen = 0; 628 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 629 ca_sslerror(__func__); 630 *outlen = 0; 631 return (-1); 632 } 633 *outlen = (size_t)olen; 634 return (0); 635 } 636 637 int 638 cipher_final(struct iked_cipher *encr) 639 { 640 int olen; 641 642 /* 643 * We always have EVP_CIPH_NO_PADDING set. This means arg 644 * out is not used and olen should always be 0. 645 */ 646 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 647 ca_sslerror(__func__); 648 return (-1); 649 } 650 return (0); 651 } 652 653 size_t 654 cipher_length(struct iked_cipher *encr) 655 { 656 return (encr->encr_length); 657 } 658 659 size_t 660 cipher_keylength(struct iked_cipher *encr) 661 { 662 if (encr->encr_fixedkey) 663 return (encr->encr_fixedkey); 664 665 /* Might return zero */ 666 return (ibuf_length(encr->encr_key)); 667 } 668 669 size_t 670 cipher_ivlength(struct iked_cipher *encr) 671 { 672 return (encr->encr_ivlength); 673 } 674 675 size_t 676 cipher_outlength(struct iked_cipher *encr, size_t inlen) 677 { 678 return (roundup(inlen, encr->encr_length)); 679 } 680 681 struct iked_dsa * 682 dsa_new(uint8_t id, struct iked_hash *prf, int sign) 683 { 684 struct iked_dsa *dsap = NULL, dsa; 685 686 bzero(&dsa, sizeof(dsa)); 687 688 switch (id) { 689 case IKEV2_AUTH_SIG: 690 if (sign) 691 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 692 else 693 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 694 break; 695 case IKEV2_AUTH_RSA_SIG: 696 /* RFC5996 says we SHOULD use SHA1 here */ 697 dsa.dsa_priv = EVP_sha1(); 698 break; 699 case IKEV2_AUTH_SHARED_KEY_MIC: 700 if (prf == NULL || prf->hash_priv == NULL) 701 fatalx("dsa_new: invalid PRF"); 702 dsa.dsa_priv = prf->hash_priv; 703 dsa.dsa_hmac = 1; 704 break; 705 case IKEV2_AUTH_DSS_SIG: 706 dsa.dsa_priv = EVP_sha1(); 707 break; 708 case IKEV2_AUTH_ECDSA_256: 709 dsa.dsa_priv = EVP_sha256(); 710 break; 711 case IKEV2_AUTH_ECDSA_384: 712 dsa.dsa_priv = EVP_sha384(); 713 break; 714 case IKEV2_AUTH_ECDSA_521: 715 dsa.dsa_priv = EVP_sha512(); 716 break; 717 default: 718 log_debug("%s: auth method %s not supported", __func__, 719 print_map(id, ikev2_auth_map)); 720 break; 721 } 722 723 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 724 log_debug("%s: alloc dsa ctx", __func__); 725 726 return (NULL); 727 } 728 memcpy(dsap, &dsa, sizeof(*dsap)); 729 730 dsap->dsa_method = id; 731 dsap->dsa_sign = sign; 732 733 if (dsap->dsa_hmac) { 734 if ((dsap->dsa_ctx = HMAC_CTX_new()) == NULL) { 735 log_debug("%s: alloc hash ctx", __func__); 736 dsa_free(dsap); 737 return (NULL); 738 } 739 } else { 740 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 741 log_debug("%s: alloc digest ctx", __func__); 742 dsa_free(dsap); 743 return (NULL); 744 } 745 } 746 747 return (dsap); 748 } 749 750 struct iked_dsa * 751 dsa_sign_new(uint8_t id, struct iked_hash *prf) 752 { 753 return (dsa_new(id, prf, 1)); 754 } 755 756 struct iked_dsa * 757 dsa_verify_new(uint8_t id, struct iked_hash *prf) 758 { 759 return (dsa_new(id, prf, 0)); 760 } 761 762 void 763 dsa_free(struct iked_dsa *dsa) 764 { 765 if (dsa == NULL) 766 return; 767 if (dsa->dsa_hmac) { 768 HMAC_CTX_free((HMAC_CTX *)dsa->dsa_ctx); 769 } else { 770 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 771 if (dsa->dsa_key) 772 EVP_PKEY_free(dsa->dsa_key); 773 } 774 775 ibuf_release(dsa->dsa_keydata); 776 free(dsa); 777 } 778 779 struct ibuf * 780 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 781 { 782 BIO *rawcert = NULL; 783 X509 *cert = NULL; 784 RSA *rsa = NULL; 785 EC_KEY *ec = NULL; 786 EVP_PKEY *pkey = NULL; 787 788 ibuf_release(dsa->dsa_keydata); 789 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 790 log_debug("%s: alloc signature key", __func__); 791 return (NULL); 792 } 793 794 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 795 goto err; 796 797 switch (type) { 798 case IKEV2_CERT_X509_CERT: 799 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 800 goto sslerr; 801 if ((pkey = X509_get_pubkey(cert)) == NULL) 802 goto sslerr; 803 dsa->dsa_key = pkey; 804 break; 805 case IKEV2_CERT_RSA_KEY: 806 if (dsa->dsa_sign) { 807 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 808 NULL)) == NULL) 809 goto sslerr; 810 } else { 811 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 812 NULL)) == NULL) 813 goto sslerr; 814 } 815 816 if ((pkey = EVP_PKEY_new()) == NULL) 817 goto sslerr; 818 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 819 goto sslerr; 820 821 RSA_free(rsa); /* pkey now has the reference */ 822 dsa->dsa_key = pkey; 823 break; 824 case IKEV2_CERT_ECDSA: 825 if (dsa->dsa_sign) { 826 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 827 goto sslerr; 828 } else { 829 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 830 goto sslerr; 831 } 832 833 if ((pkey = EVP_PKEY_new()) == NULL) 834 goto sslerr; 835 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 836 goto sslerr; 837 838 EC_KEY_free(ec); /* pkey now has the reference */ 839 dsa->dsa_key = pkey; 840 break; 841 default: 842 if (dsa->dsa_hmac) 843 break; 844 log_debug("%s: unsupported key type", __func__); 845 goto err; 846 } 847 848 if (cert != NULL) 849 X509_free(cert); 850 BIO_free(rawcert); /* temporary for parsing */ 851 852 return (dsa->dsa_keydata); 853 854 sslerr: 855 ca_sslerror(__func__); 856 err: 857 log_debug("%s: error", __func__); 858 859 if (rsa != NULL) 860 RSA_free(rsa); 861 if (ec != NULL) 862 EC_KEY_free(ec); 863 if (pkey != NULL) 864 EVP_PKEY_free(pkey); 865 if (cert != NULL) 866 X509_free(cert); 867 if (rawcert != NULL) 868 BIO_free(rawcert); 869 ibuf_release(dsa->dsa_keydata); 870 dsa->dsa_keydata = NULL; 871 return (NULL); 872 } 873 874 int 875 _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 876 { 877 uint8_t oidlen; 878 size_t i; 879 int keytype; 880 881 if (dsa->dsa_priv != NULL) 882 return (0); 883 /* 884 * For IKEV2_AUTH_SIG the oid of the authentication signature 885 * is encoded in the first bytes of the auth message. 886 */ 887 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 888 log_debug("%s: dsa_priv not set for %s", __func__, 889 print_map(dsa->dsa_method, ikev2_auth_map)); 890 return (-1); 891 } 892 if (dsa->dsa_key == NULL) { 893 log_debug("%s: dsa_key not set for %s", __func__, 894 print_map(dsa->dsa_method, ikev2_auth_map)); 895 return (-1); 896 } 897 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 898 if (sig == NULL) { 899 log_debug("%s: signature missing", __func__); 900 return (-1); 901 } 902 if (len < sizeof(oidlen)) { 903 log_debug("%s: signature (%zu) too small for oid length", 904 __func__, len); 905 return (-1); 906 } 907 memcpy(&oidlen, sig, sizeof(oidlen)); 908 if (len < (size_t)oidlen + sizeof(oidlen)) { 909 log_debug("%s: signature (%zu) too small for oid (%u)", 910 __func__, len, oidlen); 911 return (-1); 912 } 913 for (i = 0; i < nitems(schemes); i++) { 914 if (keytype == schemes[i].sc_keytype && 915 oidlen == schemes[i].sc_len && 916 memcmp(sig + 1, schemes[i].sc_oid, 917 schemes[i].sc_len) == 0) { 918 dsa->dsa_priv = (*schemes[i].sc_md)(); 919 dsa->dsa_flags = schemes[i].sc_flags; 920 log_debug("%s: signature scheme %zd selected", 921 __func__, i); 922 return (0); 923 } 924 } 925 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 926 return (-1); 927 } 928 929 int 930 dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 931 { 932 int ret; 933 EVP_PKEY_CTX *pctx = NULL; 934 935 if (dsa->dsa_hmac) { 936 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 937 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 938 return (-1); 939 return (0); 940 } 941 942 if (dsa->dsa_sign) { 943 if (force_rsa_pss && 944 EVP_PKEY_base_id(dsa->dsa_key) == EVP_PKEY_RSA) 945 dsa->dsa_flags = FLAG_RSA_PSS; 946 ret = EVP_DigestSignInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 947 NULL, dsa->dsa_key); 948 } else { 949 /* sets dsa_priv, dsa_flags */ 950 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 951 return (ret); 952 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 953 NULL, dsa->dsa_key); 954 } 955 if (ret == 1 && dsa->dsa_flags == FLAG_RSA_PSS) { 956 if (EVP_PKEY_CTX_set_rsa_padding(pctx, 957 RSA_PKCS1_PSS_PADDING) <= 0 || 958 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) 959 return (-1); 960 } 961 962 return (ret == 1 ? 0 : -1); 963 } 964 965 int 966 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 967 { 968 int ret; 969 970 if (dsa->dsa_hmac) 971 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 972 else if (dsa->dsa_sign) 973 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 974 else 975 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 976 977 return (ret == 1 ? 0 : -1); 978 } 979 980 /* Prefix signature hash with encoded type */ 981 int 982 _dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 983 { 984 int keytype; 985 size_t i, need; 986 987 if (offp) 988 *offp = 0; 989 if (dsa->dsa_method != IKEV2_AUTH_SIG) 990 return (0); 991 if (dsa->dsa_key == NULL) 992 return (-1); 993 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 994 for (i = 0; i < nitems(schemes); i++) { 995 /* XXX should avoid calling sc_md() each time... */ 996 if (keytype == schemes[i].sc_keytype && 997 dsa->dsa_flags == schemes[i].sc_flags && 998 (dsa->dsa_priv == (*schemes[i].sc_md)())) 999 break; 1000 } 1001 if (i >= nitems(schemes)) 1002 return (-1); 1003 log_debug("%s: signature scheme %zd selected", __func__, i); 1004 need = sizeof(ptr[0]) + schemes[i].sc_len; 1005 if (ptr) { 1006 if (len < need) 1007 return (-1); 1008 ptr[0] = schemes[i].sc_len; 1009 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 1010 schemes[i].sc_len); 1011 } 1012 if (offp) 1013 *offp = need; 1014 return (0); 1015 } 1016 1017 /* Export size of encoded signature hash type */ 1018 size_t 1019 dsa_prefix(struct iked_dsa *dsa) 1020 { 1021 size_t off = 0; 1022 1023 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 1024 fatal("dsa_prefix: internal error"); 1025 return off; 1026 } 1027 1028 size_t 1029 dsa_length(struct iked_dsa *dsa) 1030 { 1031 if (dsa->dsa_hmac) 1032 return (EVP_MD_size(dsa->dsa_priv)); 1033 switch (dsa->dsa_method) { 1034 case IKEV2_AUTH_ECDSA_256: 1035 case IKEV2_AUTH_ECDSA_384: 1036 case IKEV2_AUTH_ECDSA_521: 1037 /* size of concat(r|s) */ 1038 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 1039 } 1040 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 1041 } 1042 1043 int 1044 _dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 1045 { 1046 ECDSA_SIG *obj = NULL; 1047 uint8_t *tmp = NULL; 1048 const uint8_t *p; 1049 size_t tmplen; 1050 int ret = -1; 1051 int bnlen, off; 1052 const BIGNUM *r, *s; 1053 1054 if (len % 2) 1055 goto done; /* must be even */ 1056 bnlen = len/2; 1057 /* 1058 * (a) create DER signature into 'tmp' buffer 1059 * (b) convert buffer to ECDSA_SIG object 1060 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 1061 */ 1062 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 1063 goto done; 1064 if ((tmp = calloc(1, tmplen)) == NULL) 1065 goto done; 1066 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 1067 goto done; 1068 p = tmp; 1069 if (d2i_ECDSA_SIG(&obj, &p, tmplen) == NULL) 1070 goto done; 1071 ECDSA_SIG_get0(obj, &r, &s); 1072 if (BN_num_bytes(r) > bnlen || BN_num_bytes(s) > bnlen) 1073 goto done; 1074 memset(ptr, 0, len); 1075 off = bnlen - BN_num_bytes(r); 1076 BN_bn2bin(r, ptr + off); 1077 off = 2 * bnlen - BN_num_bytes(s); 1078 BN_bn2bin(s, ptr + off); 1079 ret = 0; 1080 done: 1081 free(tmp); 1082 if (obj) 1083 ECDSA_SIG_free(obj); 1084 return (ret); 1085 } 1086 1087 ssize_t 1088 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 1089 { 1090 unsigned int hmaclen; 1091 size_t off = 0; 1092 uint8_t *ptr = buf; 1093 1094 if (len < dsa_length(dsa)) 1095 return (-1); 1096 1097 if (dsa->dsa_hmac) { 1098 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 1099 return (-1); 1100 if (hmaclen > INT_MAX) 1101 return (-1); 1102 return (ssize_t)hmaclen; 1103 } else { 1104 switch (dsa->dsa_method) { 1105 case IKEV2_AUTH_ECDSA_256: 1106 case IKEV2_AUTH_ECDSA_384: 1107 case IKEV2_AUTH_ECDSA_521: 1108 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 1109 return (-1); 1110 return (len); 1111 default: 1112 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 1113 return (-1); 1114 if (off > len) 1115 return (-1); 1116 len -= off; 1117 ptr += off; 1118 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 1119 return (-1); 1120 return (len + off); 1121 } 1122 } 1123 return (-1); 1124 } 1125 1126 int 1127 _dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 1128 uint8_t **freemep) 1129 { 1130 ECDSA_SIG *obj = NULL; 1131 uint8_t *ptr = NULL; 1132 size_t bnlen, len, off; 1133 int ret = -1; 1134 BIGNUM *r = NULL, *s = NULL; 1135 1136 *freemep = NULL; /* don't return garbage in case of an error */ 1137 1138 switch (dsa->dsa_method) { 1139 case IKEV2_AUTH_SIG: 1140 /* 1141 * The first byte of the signature encodes the OID 1142 * prefix length which we need to skip. 1143 */ 1144 off = (*sigp)[0] + 1; 1145 *sigp = *sigp + off; 1146 *lenp = *lenp - off; 1147 *freemep = NULL; 1148 ret = 0; 1149 break; 1150 case IKEV2_AUTH_ECDSA_256: 1151 case IKEV2_AUTH_ECDSA_384: 1152 case IKEV2_AUTH_ECDSA_521: 1153 /* 1154 * sigp points to concatenation r|s, while EVP_VerifyFinal() 1155 * expects the signature as a DER-encoded blob (of the two 1156 * values), so we need to convert the signature in a new 1157 * buffer (we cannot override the given buffer) and the caller 1158 * has to free this buffer ('freeme'). 1159 */ 1160 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 1161 goto done; 1162 bnlen = (*lenp)/2; 1163 /* sigp points to concatenation: r|s */ 1164 if ((obj = ECDSA_SIG_new()) == NULL || 1165 (r = BN_bin2bn(*sigp, bnlen, NULL)) == NULL || 1166 (s = BN_bin2bn(*sigp+bnlen, bnlen, NULL)) == NULL || 1167 ECDSA_SIG_set0(obj, r, s) == 0 || 1168 (len = i2d_ECDSA_SIG(obj, &ptr)) == 0) 1169 goto done; 1170 r = s = NULL; 1171 *lenp = len; 1172 *sigp = ptr; 1173 *freemep = ptr; 1174 ptr = NULL; 1175 ret = 0; 1176 break; 1177 default: 1178 return (0); 1179 } 1180 done: 1181 BN_clear_free(r); 1182 BN_clear_free(s); 1183 free(ptr); 1184 if (obj) 1185 ECDSA_SIG_free(obj); 1186 return (ret); 1187 } 1188 1189 ssize_t 1190 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 1191 { 1192 uint8_t sig[EVP_MAX_MD_SIZE]; 1193 uint8_t *ptr = buf, *freeme = NULL; 1194 unsigned int siglen = sizeof(sig); 1195 1196 if (dsa->dsa_hmac) { 1197 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 1198 return (-1); 1199 if (siglen != len || memcmp(buf, sig, siglen) != 0) 1200 return (-1); 1201 } else { 1202 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 1203 return (-1); 1204 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 1205 free(freeme); 1206 ca_sslerror(__func__); 1207 return (-1); 1208 } 1209 free(freeme); 1210 } 1211 1212 return (0); 1213 } 1214