1 /* $OpenBSD: crypto.c,v 1.6 2011/08/27 16:29:20 mikeb Exp $ */ 2 /* $vantronix: crypto.c,v 1.18 2010/05/28 15:34:35 reyk Exp $ */ 3 4 /* 5 * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/param.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/uio.h> 24 25 #include <stdio.h> 26 #include <stdlib.h> 27 #include <unistd.h> 28 #include <string.h> 29 #include <errno.h> 30 #include <fcntl.h> 31 #include <event.h> 32 33 #include <openssl/hmac.h> 34 #include <openssl/evp.h> 35 #include <openssl/sha.h> 36 #include <openssl/md5.h> 37 #include <openssl/x509.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 struct iked_hash * 43 hash_new(u_int8_t type, u_int16_t id) 44 { 45 struct iked_hash *hash; 46 const EVP_MD *md = NULL; 47 HMAC_CTX *ctx = NULL; 48 int length = 0, fixedkey = 0, trunc = 0; 49 50 switch (type) { 51 case IKEV2_XFORMTYPE_PRF: 52 switch (id) { 53 case IKEV2_XFORMPRF_HMAC_MD5: 54 md = EVP_md5(); 55 length = MD5_DIGEST_LENGTH; 56 break; 57 case IKEV2_XFORMPRF_HMAC_SHA1: 58 md = EVP_sha1(); 59 length = SHA_DIGEST_LENGTH; 60 break; 61 case IKEV2_XFORMPRF_HMAC_SHA2_256: 62 md = EVP_sha256(); 63 length = SHA256_DIGEST_LENGTH; 64 break; 65 case IKEV2_XFORMPRF_HMAC_SHA2_384: 66 md = EVP_sha384(); 67 length = SHA384_DIGEST_LENGTH; 68 break; 69 case IKEV2_XFORMPRF_HMAC_SHA2_512: 70 md = EVP_sha512(); 71 length = SHA512_DIGEST_LENGTH; 72 break; 73 case IKEV2_XFORMPRF_AES128_XCBC: 74 fixedkey = 128 / 8; 75 length = fixedkey; 76 /* FALLTHROUGH */ 77 case IKEV2_XFORMPRF_HMAC_TIGER: 78 case IKEV2_XFORMPRF_AES128_CMAC: 79 default: 80 log_debug("%s: prf %s not supported", __func__, 81 print_map(id, ikev2_xformprf_map)); 82 break; 83 } 84 break; 85 case IKEV2_XFORMTYPE_INTEGR: 86 switch (id) { 87 case IKEV2_XFORMAUTH_HMAC_MD5_96: 88 md = EVP_md5(); 89 length = MD5_DIGEST_LENGTH; 90 trunc = 12; 91 break; 92 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 93 md = EVP_sha1(); 94 length = SHA_DIGEST_LENGTH; 95 trunc = 12; 96 break; 97 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 98 md = EVP_sha256(); 99 length = SHA256_DIGEST_LENGTH; 100 trunc = 16; 101 break; 102 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 103 md = EVP_sha384(); 104 length = SHA384_DIGEST_LENGTH; 105 trunc = 24; 106 break; 107 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 108 md = EVP_sha512(); 109 length = SHA512_DIGEST_LENGTH; 110 trunc = 32; 111 break; 112 case IKEV2_XFORMAUTH_NONE: 113 case IKEV2_XFORMAUTH_DES_MAC: 114 case IKEV2_XFORMAUTH_KPDK_MD5: 115 case IKEV2_XFORMAUTH_AES_XCBC_96: 116 case IKEV2_XFORMAUTH_HMAC_MD5_128: 117 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 118 case IKEV2_XFORMAUTH_AES_CMAC_96: 119 case IKEV2_XFORMAUTH_AES_128_GMAC: 120 case IKEV2_XFORMAUTH_AES_192_GMAC: 121 case IKEV2_XFORMAUTH_AES_256_GMAC: 122 default: 123 log_debug("%s: auth %s not supported", __func__, 124 print_map(id, ikev2_xformauth_map)); 125 break; 126 } 127 break; 128 default: 129 log_debug("%s: hash type %s not supported", __func__, 130 print_map(id, ikev2_xformtype_map)); 131 break; 132 } 133 if (md == NULL) 134 return (NULL); 135 136 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 137 log_debug("%s: alloc hash", __func__); 138 return (NULL); 139 } 140 141 hash->hash_type = type; 142 hash->hash_id = id; 143 hash->hash_priv = md; 144 hash->hash_ctx = NULL; 145 hash->hash_trunc = trunc; 146 hash->hash_length = length; 147 hash->hash_fixedkey = fixedkey; 148 149 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 150 log_debug("%s: alloc hash ctx", __func__); 151 hash_free(hash); 152 return (NULL); 153 } 154 155 HMAC_CTX_init(ctx); 156 hash->hash_ctx = ctx; 157 158 return (hash); 159 } 160 161 struct ibuf * 162 hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 163 { 164 ibuf_release(hash->hash_key); 165 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 166 log_debug("%s: alloc hash key", __func__); 167 return (NULL); 168 } 169 return (hash->hash_key); 170 } 171 172 void 173 hash_free(struct iked_hash *hash) 174 { 175 if (hash == NULL) 176 return; 177 if (hash->hash_ctx != NULL) { 178 HMAC_CTX_cleanup(hash->hash_ctx); 179 free(hash->hash_ctx); 180 } 181 ibuf_release(hash->hash_key); 182 free(hash); 183 } 184 185 void 186 hash_init(struct iked_hash *hash) 187 { 188 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 189 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 190 } 191 192 void 193 hash_update(struct iked_hash *hash, void *buf, size_t len) 194 { 195 HMAC_Update(hash->hash_ctx, buf, len); 196 } 197 198 void 199 hash_final(struct iked_hash *hash, void *buf, size_t *len) 200 { 201 u_int length = 0; 202 203 HMAC_Final(hash->hash_ctx, buf, &length); 204 *len = (size_t)length; 205 206 /* Truncate the result if required by the alg */ 207 if (hash->hash_trunc && *len > hash->hash_trunc) 208 *len = hash->hash_trunc; 209 } 210 211 size_t 212 hash_length(struct iked_hash *hash) 213 { 214 if (hash->hash_trunc) 215 return (hash->hash_trunc); 216 return (hash->hash_length); 217 } 218 219 size_t 220 hash_keylength(struct iked_hash *hash) 221 { 222 return (hash->hash_length); 223 } 224 225 struct iked_cipher * 226 cipher_new(u_int8_t type, u_int16_t id, u_int16_t id_length) 227 { 228 struct iked_cipher *encr; 229 const EVP_CIPHER *cipher = NULL; 230 EVP_CIPHER_CTX *ctx = NULL; 231 int length = 0, fixedkey = 0, ivlength = 0; 232 233 switch (type) { 234 case IKEV2_XFORMTYPE_ENCR: 235 switch (id) { 236 case IKEV2_XFORMENCR_3DES: 237 cipher = EVP_des_ede3_cbc(); 238 length = EVP_CIPHER_block_size(cipher); 239 fixedkey = EVP_CIPHER_key_length(cipher); 240 ivlength = EVP_CIPHER_iv_length(cipher); 241 break; 242 case IKEV2_XFORMENCR_AES_CBC: 243 switch (id_length) { 244 case 128: 245 cipher = EVP_aes_128_cbc(); 246 break; 247 case 192: 248 cipher = EVP_aes_192_cbc(); 249 break; 250 case 256: 251 cipher = EVP_aes_256_cbc(); 252 break; 253 default: 254 log_debug("%s: invalid key length %d" 255 " for cipher %s", __func__, id_length, 256 print_map(id, ikev2_xformencr_map)); 257 break; 258 } 259 if (cipher == NULL) 260 break; 261 length = EVP_CIPHER_block_size(cipher); 262 ivlength = EVP_CIPHER_iv_length(cipher); 263 fixedkey = EVP_CIPHER_key_length(cipher); 264 break; 265 case IKEV2_XFORMENCR_DES_IV64: 266 case IKEV2_XFORMENCR_DES: 267 case IKEV2_XFORMENCR_RC5: 268 case IKEV2_XFORMENCR_IDEA: 269 case IKEV2_XFORMENCR_CAST: 270 case IKEV2_XFORMENCR_BLOWFISH: 271 case IKEV2_XFORMENCR_3IDEA: 272 case IKEV2_XFORMENCR_DES_IV32: 273 case IKEV2_XFORMENCR_NULL: 274 case IKEV2_XFORMENCR_AES_CTR: 275 /* FALLTHROUGH */ 276 default: 277 log_debug("%s: cipher %s not supported", __func__, 278 print_map(id, ikev2_xformencr_map)); 279 cipher = NULL; 280 break; 281 } 282 break; 283 default: 284 log_debug("%s: cipher type %s not supported", __func__, 285 print_map(id, ikev2_xformtype_map)); 286 break; 287 } 288 if (cipher == NULL) 289 return (NULL); 290 291 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 292 log_debug("%s: alloc cipher", __func__); 293 return (NULL); 294 } 295 296 encr->encr_id = id; 297 encr->encr_priv = cipher; 298 encr->encr_ctx = NULL; 299 encr->encr_length = length; 300 encr->encr_fixedkey = fixedkey; 301 encr->encr_ivlength = ivlength ? ivlength : length; 302 303 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 304 log_debug("%s: alloc cipher ctx", __func__); 305 cipher_free(encr); 306 return (NULL); 307 } 308 309 EVP_CIPHER_CTX_init(ctx); 310 encr->encr_ctx = ctx; 311 312 return (encr); 313 } 314 315 struct ibuf * 316 cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 317 { 318 ibuf_release(encr->encr_key); 319 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 320 log_debug("%s: alloc cipher key", __func__); 321 return (NULL); 322 } 323 return (encr->encr_key); 324 } 325 326 struct ibuf * 327 cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 328 { 329 ibuf_release(encr->encr_iv); 330 if (iv != NULL) { 331 if (len < encr->encr_ivlength) { 332 log_debug("%s: invalid IV length %d", __func__, len); 333 return (NULL); 334 } 335 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 336 } else { 337 /* Get new random IV */ 338 encr->encr_iv = ibuf_random(encr->encr_ivlength); 339 } 340 if (encr->encr_iv == NULL) { 341 log_debug("%s: failed to set IV", __func__); 342 return (NULL); 343 } 344 return (encr->encr_iv); 345 } 346 347 void 348 cipher_free(struct iked_cipher *encr) 349 { 350 if (encr == NULL) 351 return; 352 if (encr->encr_ctx != NULL) { 353 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 354 free(encr->encr_ctx); 355 } 356 ibuf_release(encr->encr_key); 357 free(encr); 358 } 359 360 void 361 cipher_init(struct iked_cipher *encr, int enc) 362 { 363 EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 364 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc); 365 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 366 } 367 368 void 369 cipher_init_encrypt(struct iked_cipher *encr) 370 { 371 cipher_init(encr, 1); 372 } 373 374 void 375 cipher_init_decrypt(struct iked_cipher *encr) 376 { 377 cipher_init(encr, 0); 378 } 379 380 void 381 cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 382 void *out, size_t *outlen) 383 { 384 int olen; 385 386 olen = 0; 387 if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) { 388 ca_sslerror(); 389 *outlen = 0; 390 return; 391 } 392 *outlen = (size_t)olen; 393 } 394 395 void 396 cipher_final(struct iked_cipher *encr, void *out, size_t *outlen) 397 { 398 int olen; 399 400 olen = 0; 401 if (!EVP_CipherFinal_ex(encr->encr_ctx, out, &olen)) { 402 ca_sslerror(); 403 *outlen = 0; 404 return; 405 } 406 *outlen = (size_t)olen; 407 } 408 409 size_t 410 cipher_length(struct iked_cipher *encr) 411 { 412 return (encr->encr_length); 413 } 414 415 size_t 416 cipher_keylength(struct iked_cipher *encr) 417 { 418 if (encr->encr_fixedkey) 419 return (encr->encr_fixedkey); 420 421 /* Might return zero */ 422 return (ibuf_length(encr->encr_key)); 423 } 424 425 size_t 426 cipher_ivlength(struct iked_cipher *encr) 427 { 428 return (encr->encr_ivlength); 429 } 430 431 size_t 432 cipher_outlength(struct iked_cipher *encr, size_t inlen) 433 { 434 return (roundup(inlen, encr->encr_length)); 435 } 436 437 struct iked_dsa * 438 dsa_new(u_int16_t id, struct iked_hash *prf, int sign) 439 { 440 struct iked_dsa *dsap = NULL, dsa; 441 442 bzero(&dsa, sizeof(dsa)); 443 444 switch (id) { 445 case IKEV2_AUTH_RSA_SIG: 446 /* 447 * XXX RFC4306 is not very clear about this and the 448 * XXX informational RFC4718 says that we should use 449 * XXX SHA1 here, but shouldn't we use the negotiated PRF 450 * XXX alg instead? 451 */ 452 if ((dsa.dsa_priv = 453 EVP_get_digestbyname("sha1WithRSAEncryption")) == NULL) 454 fatalx("dsa_new: cipher not available"); 455 break; 456 case IKEV2_AUTH_SHARED_KEY_MIC: 457 if (prf == NULL || prf->hash_priv == NULL) 458 fatalx("dsa_new: invalid PRF"); 459 dsa.dsa_priv = prf->hash_priv; 460 dsa.dsa_hmac = 1; 461 break; 462 case IKEV2_AUTH_DSS_SIG: 463 dsa.dsa_priv = EVP_dss1(); 464 break; 465 case IKEV2_AUTH_ECDSA_256: 466 dsa.dsa_priv = EVP_sha256(); 467 break; 468 case IKEV2_AUTH_ECDSA_384: 469 dsa.dsa_priv = EVP_sha384(); 470 break; 471 case IKEV2_AUTH_ECDSA_512: 472 dsa.dsa_priv = EVP_sha512(); 473 break; 474 default: 475 log_debug("%s: auth method %s not supported", __func__, 476 print_map(id, ikev2_auth_map)); 477 break; 478 } 479 480 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 481 log_debug("%s: alloc dsa ctx", __func__); 482 483 return (NULL); 484 } 485 memcpy(dsap, &dsa, sizeof(*dsap)); 486 487 dsap->dsa_method = id; 488 dsap->dsa_sign = sign; 489 490 if (dsap->dsa_hmac) { 491 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 492 log_debug("%s: alloc hash ctx", __func__); 493 dsa_free(dsap); 494 return (NULL); 495 } 496 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 497 } else { 498 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 499 log_debug("%s: alloc digest ctx", __func__); 500 dsa_free(dsap); 501 return (NULL); 502 } 503 } 504 505 return (dsap); 506 } 507 508 struct iked_dsa * 509 dsa_sign_new(u_int16_t id, struct iked_hash *prf) 510 { 511 return (dsa_new(id, prf, 1)); 512 } 513 514 struct iked_dsa * 515 dsa_verify_new(u_int16_t id, struct iked_hash *prf) 516 { 517 return (dsa_new(id, prf, 0)); 518 } 519 520 void 521 dsa_free(struct iked_dsa *dsa) 522 { 523 if (dsa == NULL) 524 return; 525 if (dsa->dsa_hmac) { 526 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 527 free(dsa->dsa_ctx); 528 } else { 529 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 530 if (dsa->dsa_key) 531 EVP_PKEY_free(dsa->dsa_key); 532 if (dsa->dsa_cert) 533 X509_free(dsa->dsa_cert); 534 } 535 536 ibuf_release(dsa->dsa_keydata); 537 } 538 539 struct ibuf * 540 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, u_int8_t type) 541 { 542 BIO *rawcert = NULL; 543 X509 *cert = NULL; 544 RSA *rsa = NULL; 545 EVP_PKEY *pkey = NULL; 546 547 ibuf_release(dsa->dsa_keydata); 548 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 549 log_debug("%s: alloc signature key", __func__); 550 return (NULL); 551 } 552 553 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 554 goto err; 555 556 switch (type) { 557 case IKEV2_CERT_X509_CERT: 558 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 559 goto sslerr; 560 if ((pkey = X509_get_pubkey(cert)) == NULL) 561 goto sslerr; 562 dsa->dsa_cert = cert; 563 dsa->dsa_key = pkey; 564 break; 565 case IKEV2_CERT_RSA_KEY: 566 if (dsa->dsa_sign) { 567 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 568 NULL)) == NULL) 569 goto sslerr; 570 } else { 571 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 572 NULL)) == NULL) 573 goto sslerr; 574 } 575 576 if ((pkey = EVP_PKEY_new()) == NULL) 577 goto sslerr; 578 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 579 goto sslerr; 580 581 dsa->dsa_cert = NULL; 582 dsa->dsa_key = pkey; 583 break; 584 default: 585 if (dsa->dsa_hmac) 586 break; 587 log_debug("%s: unsupported key type", __func__); 588 goto err; 589 } 590 591 return (dsa->dsa_keydata); 592 593 sslerr: 594 ca_sslerror(); 595 err: 596 log_debug("%s: error", __func__); 597 598 if (rsa != NULL) 599 RSA_free(rsa); 600 if (pkey != NULL) 601 EVP_PKEY_free(pkey); 602 if (cert != NULL) 603 X509_free(cert); 604 if (rawcert != NULL) 605 BIO_free(rawcert); 606 ibuf_release(dsa->dsa_keydata); 607 return (NULL); 608 } 609 610 int 611 dsa_init(struct iked_dsa *dsa) 612 { 613 int ret; 614 615 if (dsa->dsa_hmac) { 616 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 617 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 618 return (-1); 619 return (0); 620 } 621 622 if (dsa->dsa_sign) 623 ret = EVP_SignInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 624 else 625 ret = EVP_VerifyInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 626 627 return (ret ? 0 : -1); 628 } 629 630 int 631 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 632 { 633 int ret = 1; 634 635 if (dsa->dsa_hmac) 636 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 637 else if (dsa->dsa_sign) 638 ret = EVP_SignUpdate(dsa->dsa_ctx, buf, len); 639 else 640 ret = EVP_VerifyUpdate(dsa->dsa_ctx, buf, len); 641 642 return (ret ? 0 : -1); 643 } 644 645 size_t 646 dsa_length(struct iked_dsa *dsa) 647 { 648 if (dsa->dsa_hmac) 649 return (EVP_MD_size(dsa->dsa_priv)); 650 return (EVP_PKEY_size(dsa->dsa_key)); 651 } 652 653 ssize_t 654 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 655 { 656 u_int siglen; 657 658 if (len < dsa_length(dsa)) 659 return (-1); 660 661 if (dsa->dsa_hmac) { 662 if (!HMAC_Final(dsa->dsa_ctx, buf, &siglen)) 663 return (-1); 664 } else { 665 if (!EVP_SignFinal(dsa->dsa_ctx, buf, &siglen, 666 dsa->dsa_key)) 667 return (-1); 668 } 669 670 return (siglen); 671 } 672 673 ssize_t 674 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 675 { 676 u_int8_t sig[EVP_MAX_MD_SIZE]; 677 u_int siglen = sizeof(sig); 678 679 if (dsa->dsa_hmac) { 680 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 681 return (-1); 682 if (siglen != len || memcmp(buf, sig, siglen) != 0) 683 return (-1); 684 } else { 685 if (EVP_VerifyFinal(dsa->dsa_ctx, buf, len, 686 dsa->dsa_key) != 1) { 687 ca_sslerror(); 688 return (-1); 689 } 690 } 691 692 return (0); 693 } 694