1 /* $OpenBSD: crypto.c,v 1.19 2015/10/31 19:28:19 naddy Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> /* roundup */ 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/uio.h> 23 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <unistd.h> 27 #include <string.h> 28 #include <errno.h> 29 #include <fcntl.h> 30 #include <event.h> 31 32 #include <openssl/hmac.h> 33 #include <openssl/evp.h> 34 #include <openssl/sha.h> 35 #include <openssl/md5.h> 36 #include <openssl/x509.h> 37 #include <openssl/rsa.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 /* RFC 7427, A.1 */ 43 static const uint8_t sha256WithRSAEncryption[] = { 44 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 45 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 46 }; 47 static const uint8_t sha384WithRSAEncryption[] = { 48 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 49 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 50 }; 51 static const uint8_t sha512WithRSAEncryption[] = { 52 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 53 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 54 }; 55 56 struct { 57 uint8_t sc_len; 58 const uint8_t *sc_oid; 59 const EVP_MD *(*sc_md)(void); 60 } schemes[] = { 61 { sizeof(sha256WithRSAEncryption), 62 sha256WithRSAEncryption, EVP_sha256 }, 63 { sizeof(sha384WithRSAEncryption), 64 sha384WithRSAEncryption, EVP_sha384 }, 65 { sizeof(sha512WithRSAEncryption), 66 sha512WithRSAEncryption, EVP_sha512 }, 67 }; 68 69 int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 70 size_t _dsa_verify_offset(struct iked_dsa *, uint8_t *); 71 int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t *); 72 73 struct iked_hash * 74 hash_new(uint8_t type, uint16_t id) 75 { 76 struct iked_hash *hash; 77 const EVP_MD *md = NULL; 78 HMAC_CTX *ctx = NULL; 79 int length = 0, fixedkey = 0, trunc = 0; 80 81 switch (type) { 82 case IKEV2_XFORMTYPE_PRF: 83 switch (id) { 84 case IKEV2_XFORMPRF_HMAC_MD5: 85 md = EVP_md5(); 86 length = MD5_DIGEST_LENGTH; 87 break; 88 case IKEV2_XFORMPRF_HMAC_SHA1: 89 md = EVP_sha1(); 90 length = SHA_DIGEST_LENGTH; 91 break; 92 case IKEV2_XFORMPRF_HMAC_SHA2_256: 93 md = EVP_sha256(); 94 length = SHA256_DIGEST_LENGTH; 95 break; 96 case IKEV2_XFORMPRF_HMAC_SHA2_384: 97 md = EVP_sha384(); 98 length = SHA384_DIGEST_LENGTH; 99 break; 100 case IKEV2_XFORMPRF_HMAC_SHA2_512: 101 md = EVP_sha512(); 102 length = SHA512_DIGEST_LENGTH; 103 break; 104 case IKEV2_XFORMPRF_AES128_XCBC: 105 fixedkey = 128 / 8; 106 length = fixedkey; 107 /* FALLTHROUGH */ 108 case IKEV2_XFORMPRF_HMAC_TIGER: 109 case IKEV2_XFORMPRF_AES128_CMAC: 110 default: 111 log_debug("%s: prf %s not supported", __func__, 112 print_map(id, ikev2_xformprf_map)); 113 break; 114 } 115 break; 116 case IKEV2_XFORMTYPE_INTEGR: 117 switch (id) { 118 case IKEV2_XFORMAUTH_HMAC_MD5_96: 119 md = EVP_md5(); 120 length = MD5_DIGEST_LENGTH; 121 trunc = 12; 122 break; 123 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 124 md = EVP_sha1(); 125 length = SHA_DIGEST_LENGTH; 126 trunc = 12; 127 break; 128 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 129 md = EVP_sha256(); 130 length = SHA256_DIGEST_LENGTH; 131 trunc = 16; 132 break; 133 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 134 md = EVP_sha384(); 135 length = SHA384_DIGEST_LENGTH; 136 trunc = 24; 137 break; 138 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 139 md = EVP_sha512(); 140 length = SHA512_DIGEST_LENGTH; 141 trunc = 32; 142 break; 143 case IKEV2_XFORMAUTH_NONE: 144 case IKEV2_XFORMAUTH_DES_MAC: 145 case IKEV2_XFORMAUTH_KPDK_MD5: 146 case IKEV2_XFORMAUTH_AES_XCBC_96: 147 case IKEV2_XFORMAUTH_HMAC_MD5_128: 148 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 149 case IKEV2_XFORMAUTH_AES_CMAC_96: 150 case IKEV2_XFORMAUTH_AES_128_GMAC: 151 case IKEV2_XFORMAUTH_AES_192_GMAC: 152 case IKEV2_XFORMAUTH_AES_256_GMAC: 153 default: 154 log_debug("%s: auth %s not supported", __func__, 155 print_map(id, ikev2_xformauth_map)); 156 break; 157 } 158 break; 159 default: 160 log_debug("%s: hash type %s not supported", __func__, 161 print_map(id, ikev2_xformtype_map)); 162 break; 163 } 164 if (md == NULL) 165 return (NULL); 166 167 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 168 log_debug("%s: alloc hash", __func__); 169 return (NULL); 170 } 171 172 hash->hash_type = type; 173 hash->hash_id = id; 174 hash->hash_priv = md; 175 hash->hash_ctx = NULL; 176 hash->hash_trunc = trunc; 177 hash->hash_length = length; 178 hash->hash_fixedkey = fixedkey; 179 180 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 181 log_debug("%s: alloc hash ctx", __func__); 182 hash_free(hash); 183 return (NULL); 184 } 185 186 HMAC_CTX_init(ctx); 187 hash->hash_ctx = ctx; 188 189 return (hash); 190 } 191 192 struct ibuf * 193 hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 194 { 195 ibuf_release(hash->hash_key); 196 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 197 log_debug("%s: alloc hash key", __func__); 198 return (NULL); 199 } 200 return (hash->hash_key); 201 } 202 203 void 204 hash_free(struct iked_hash *hash) 205 { 206 if (hash == NULL) 207 return; 208 if (hash->hash_ctx != NULL) { 209 HMAC_CTX_cleanup(hash->hash_ctx); 210 free(hash->hash_ctx); 211 } 212 ibuf_release(hash->hash_key); 213 free(hash); 214 } 215 216 void 217 hash_init(struct iked_hash *hash) 218 { 219 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 220 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 221 } 222 223 void 224 hash_update(struct iked_hash *hash, void *buf, size_t len) 225 { 226 HMAC_Update(hash->hash_ctx, buf, len); 227 } 228 229 void 230 hash_final(struct iked_hash *hash, void *buf, size_t *len) 231 { 232 unsigned int length = 0; 233 234 HMAC_Final(hash->hash_ctx, buf, &length); 235 *len = (size_t)length; 236 237 /* Truncate the result if required by the alg */ 238 if (hash->hash_trunc && *len > hash->hash_trunc) 239 *len = hash->hash_trunc; 240 } 241 242 size_t 243 hash_length(struct iked_hash *hash) 244 { 245 if (hash->hash_trunc) 246 return (hash->hash_trunc); 247 return (hash->hash_length); 248 } 249 250 size_t 251 hash_keylength(struct iked_hash *hash) 252 { 253 return (hash->hash_length); 254 } 255 256 struct iked_cipher * 257 cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 258 { 259 struct iked_cipher *encr; 260 const EVP_CIPHER *cipher = NULL; 261 EVP_CIPHER_CTX *ctx = NULL; 262 int length = 0, fixedkey = 0, ivlength = 0; 263 264 switch (type) { 265 case IKEV2_XFORMTYPE_ENCR: 266 switch (id) { 267 case IKEV2_XFORMENCR_3DES: 268 cipher = EVP_des_ede3_cbc(); 269 length = EVP_CIPHER_block_size(cipher); 270 fixedkey = EVP_CIPHER_key_length(cipher); 271 ivlength = EVP_CIPHER_iv_length(cipher); 272 break; 273 case IKEV2_XFORMENCR_AES_CBC: 274 switch (id_length) { 275 case 128: 276 cipher = EVP_aes_128_cbc(); 277 break; 278 case 192: 279 cipher = EVP_aes_192_cbc(); 280 break; 281 case 256: 282 cipher = EVP_aes_256_cbc(); 283 break; 284 default: 285 log_debug("%s: invalid key length %d" 286 " for cipher %s", __func__, id_length, 287 print_map(id, ikev2_xformencr_map)); 288 break; 289 } 290 if (cipher == NULL) 291 break; 292 length = EVP_CIPHER_block_size(cipher); 293 ivlength = EVP_CIPHER_iv_length(cipher); 294 fixedkey = EVP_CIPHER_key_length(cipher); 295 break; 296 case IKEV2_XFORMENCR_DES_IV64: 297 case IKEV2_XFORMENCR_DES: 298 case IKEV2_XFORMENCR_RC5: 299 case IKEV2_XFORMENCR_IDEA: 300 case IKEV2_XFORMENCR_CAST: 301 case IKEV2_XFORMENCR_BLOWFISH: 302 case IKEV2_XFORMENCR_3IDEA: 303 case IKEV2_XFORMENCR_DES_IV32: 304 case IKEV2_XFORMENCR_NULL: 305 case IKEV2_XFORMENCR_AES_CTR: 306 /* FALLTHROUGH */ 307 default: 308 log_debug("%s: cipher %s not supported", __func__, 309 print_map(id, ikev2_xformencr_map)); 310 cipher = NULL; 311 break; 312 } 313 break; 314 default: 315 log_debug("%s: cipher type %s not supported", __func__, 316 print_map(id, ikev2_xformtype_map)); 317 break; 318 } 319 if (cipher == NULL) 320 return (NULL); 321 322 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 323 log_debug("%s: alloc cipher", __func__); 324 return (NULL); 325 } 326 327 encr->encr_id = id; 328 encr->encr_priv = cipher; 329 encr->encr_ctx = NULL; 330 encr->encr_length = length; 331 encr->encr_fixedkey = fixedkey; 332 encr->encr_ivlength = ivlength ? ivlength : length; 333 334 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 335 log_debug("%s: alloc cipher ctx", __func__); 336 cipher_free(encr); 337 return (NULL); 338 } 339 340 EVP_CIPHER_CTX_init(ctx); 341 encr->encr_ctx = ctx; 342 343 return (encr); 344 } 345 346 struct ibuf * 347 cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 348 { 349 ibuf_release(encr->encr_key); 350 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 351 log_debug("%s: alloc cipher key", __func__); 352 return (NULL); 353 } 354 return (encr->encr_key); 355 } 356 357 struct ibuf * 358 cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 359 { 360 ibuf_release(encr->encr_iv); 361 if (iv != NULL) { 362 if (len < encr->encr_ivlength) { 363 log_debug("%s: invalid IV length %zu", __func__, len); 364 return (NULL); 365 } 366 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 367 } else { 368 /* Get new random IV */ 369 encr->encr_iv = ibuf_random(encr->encr_ivlength); 370 } 371 if (encr->encr_iv == NULL) { 372 log_debug("%s: failed to set IV", __func__); 373 return (NULL); 374 } 375 return (encr->encr_iv); 376 } 377 378 void 379 cipher_free(struct iked_cipher *encr) 380 { 381 if (encr == NULL) 382 return; 383 if (encr->encr_ctx != NULL) { 384 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 385 free(encr->encr_ctx); 386 } 387 ibuf_release(encr->encr_key); 388 free(encr); 389 } 390 391 void 392 cipher_init(struct iked_cipher *encr, int enc) 393 { 394 EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 395 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc); 396 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 397 } 398 399 void 400 cipher_init_encrypt(struct iked_cipher *encr) 401 { 402 cipher_init(encr, 1); 403 } 404 405 void 406 cipher_init_decrypt(struct iked_cipher *encr) 407 { 408 cipher_init(encr, 0); 409 } 410 411 void 412 cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 413 void *out, size_t *outlen) 414 { 415 int olen; 416 417 olen = 0; 418 if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) { 419 ca_sslerror(__func__); 420 *outlen = 0; 421 return; 422 } 423 *outlen = (size_t)olen; 424 } 425 426 void 427 cipher_final(struct iked_cipher *encr, void *out, size_t *outlen) 428 { 429 int olen; 430 431 olen = 0; 432 if (!EVP_CipherFinal_ex(encr->encr_ctx, out, &olen)) { 433 ca_sslerror(__func__); 434 *outlen = 0; 435 return; 436 } 437 *outlen = (size_t)olen; 438 } 439 440 size_t 441 cipher_length(struct iked_cipher *encr) 442 { 443 return (encr->encr_length); 444 } 445 446 size_t 447 cipher_keylength(struct iked_cipher *encr) 448 { 449 if (encr->encr_fixedkey) 450 return (encr->encr_fixedkey); 451 452 /* Might return zero */ 453 return (ibuf_length(encr->encr_key)); 454 } 455 456 size_t 457 cipher_ivlength(struct iked_cipher *encr) 458 { 459 return (encr->encr_ivlength); 460 } 461 462 size_t 463 cipher_outlength(struct iked_cipher *encr, size_t inlen) 464 { 465 return (roundup(inlen, encr->encr_length)); 466 } 467 468 struct iked_dsa * 469 dsa_new(uint16_t id, struct iked_hash *prf, int sign) 470 { 471 struct iked_dsa *dsap = NULL, dsa; 472 473 bzero(&dsa, sizeof(dsa)); 474 475 switch (id) { 476 case IKEV2_AUTH_SIG: 477 if (sign) 478 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 479 else 480 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 481 break; 482 case IKEV2_AUTH_RSA_SIG: 483 /* RFC5996 says we SHOULD use SHA1 here */ 484 dsa.dsa_priv = EVP_sha1(); 485 break; 486 case IKEV2_AUTH_SHARED_KEY_MIC: 487 if (prf == NULL || prf->hash_priv == NULL) 488 fatalx("dsa_new: invalid PRF"); 489 dsa.dsa_priv = prf->hash_priv; 490 dsa.dsa_hmac = 1; 491 break; 492 case IKEV2_AUTH_DSS_SIG: 493 dsa.dsa_priv = EVP_dss1(); 494 break; 495 case IKEV2_AUTH_ECDSA_256: 496 dsa.dsa_priv = EVP_sha256(); 497 break; 498 case IKEV2_AUTH_ECDSA_384: 499 dsa.dsa_priv = EVP_sha384(); 500 break; 501 case IKEV2_AUTH_ECDSA_521: 502 dsa.dsa_priv = EVP_sha512(); 503 break; 504 default: 505 log_debug("%s: auth method %s not supported", __func__, 506 print_map(id, ikev2_auth_map)); 507 break; 508 } 509 510 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 511 log_debug("%s: alloc dsa ctx", __func__); 512 513 return (NULL); 514 } 515 memcpy(dsap, &dsa, sizeof(*dsap)); 516 517 dsap->dsa_method = id; 518 dsap->dsa_sign = sign; 519 520 if (dsap->dsa_hmac) { 521 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 522 log_debug("%s: alloc hash ctx", __func__); 523 dsa_free(dsap); 524 return (NULL); 525 } 526 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 527 } else { 528 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 529 log_debug("%s: alloc digest ctx", __func__); 530 dsa_free(dsap); 531 return (NULL); 532 } 533 } 534 535 return (dsap); 536 } 537 538 struct iked_dsa * 539 dsa_sign_new(uint16_t id, struct iked_hash *prf) 540 { 541 return (dsa_new(id, prf, 1)); 542 } 543 544 struct iked_dsa * 545 dsa_verify_new(uint16_t id, struct iked_hash *prf) 546 { 547 return (dsa_new(id, prf, 0)); 548 } 549 550 void 551 dsa_free(struct iked_dsa *dsa) 552 { 553 if (dsa == NULL) 554 return; 555 if (dsa->dsa_hmac) { 556 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 557 free(dsa->dsa_ctx); 558 } else { 559 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 560 if (dsa->dsa_key) 561 EVP_PKEY_free(dsa->dsa_key); 562 if (dsa->dsa_cert) 563 X509_free(dsa->dsa_cert); 564 } 565 566 ibuf_release(dsa->dsa_keydata); 567 free(dsa); 568 } 569 570 struct ibuf * 571 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 572 { 573 BIO *rawcert = NULL; 574 X509 *cert = NULL; 575 RSA *rsa = NULL; 576 EVP_PKEY *pkey = NULL; 577 578 ibuf_release(dsa->dsa_keydata); 579 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 580 log_debug("%s: alloc signature key", __func__); 581 return (NULL); 582 } 583 584 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 585 goto err; 586 587 switch (type) { 588 case IKEV2_CERT_X509_CERT: 589 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 590 goto sslerr; 591 if ((pkey = X509_get_pubkey(cert)) == NULL) 592 goto sslerr; 593 dsa->dsa_cert = cert; 594 dsa->dsa_key = pkey; 595 break; 596 case IKEV2_CERT_RSA_KEY: 597 if (dsa->dsa_sign) { 598 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 599 NULL)) == NULL) 600 goto sslerr; 601 } else { 602 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 603 NULL)) == NULL) 604 goto sslerr; 605 } 606 607 if ((pkey = EVP_PKEY_new()) == NULL) 608 goto sslerr; 609 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 610 goto sslerr; 611 612 RSA_free(rsa); /* pkey now has the reference */ 613 dsa->dsa_cert = NULL; 614 dsa->dsa_key = pkey; 615 break; 616 default: 617 if (dsa->dsa_hmac) 618 break; 619 log_debug("%s: unsupported key type", __func__); 620 goto err; 621 } 622 623 return (dsa->dsa_keydata); 624 625 sslerr: 626 ca_sslerror(__func__); 627 err: 628 log_debug("%s: error", __func__); 629 630 if (rsa != NULL) 631 RSA_free(rsa); 632 if (pkey != NULL) 633 EVP_PKEY_free(pkey); 634 if (cert != NULL) 635 X509_free(cert); 636 if (rawcert != NULL) 637 BIO_free(rawcert); 638 ibuf_release(dsa->dsa_keydata); 639 return (NULL); 640 } 641 642 int 643 _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 644 { 645 uint8_t oidlen; 646 size_t i; 647 648 if (dsa->dsa_priv != NULL) 649 return (0); 650 /* 651 * For IKEV2_AUTH_SIG the oid of the authentication signature 652 * is encoded in the first bytes of the auth message. 653 */ 654 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 655 log_debug("%s: dsa_priv not set for %s", __func__, 656 print_map(dsa->dsa_method, ikev2_auth_map)); 657 return (-1); 658 } 659 if (sig == NULL) { 660 log_debug("%s: signature missing", __func__); 661 return (-1); 662 } 663 if (len < 1) { 664 log_debug("%s: signature (%zu) too small for oid length", 665 __func__, len); 666 return (-1); 667 } 668 memcpy(&oidlen, sig, sizeof(oidlen)); 669 if (len < (size_t)oidlen + 1) { 670 log_debug("%s: signature (%zu) too small for oid (%u)", 671 __func__, len, oidlen); 672 return (-1); 673 } 674 for (i = 0; i < nitems(schemes); i++) { 675 if (oidlen == schemes[i].sc_len && 676 memcmp(sig + 1, schemes[i].sc_oid, 677 schemes[i].sc_len) == 0) { 678 dsa->dsa_priv = (*schemes[i].sc_md)(); 679 log_debug("%s: signature scheme %zd selected", 680 __func__, i); 681 return (0); 682 } 683 } 684 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 685 return (-1); 686 } 687 688 int 689 dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 690 { 691 int ret; 692 693 if (dsa->dsa_hmac) { 694 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 695 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 696 return (-1); 697 return (0); 698 } 699 700 if (dsa->dsa_sign) 701 ret = EVP_SignInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 702 else { 703 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 704 return (ret); 705 ret = EVP_VerifyInit_ex(dsa->dsa_ctx, dsa->dsa_priv, NULL); 706 } 707 708 return (ret ? 0 : -1); 709 } 710 711 int 712 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 713 { 714 int ret = 1; 715 716 if (dsa->dsa_hmac) 717 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 718 else if (dsa->dsa_sign) 719 ret = EVP_SignUpdate(dsa->dsa_ctx, buf, len); 720 else 721 ret = EVP_VerifyUpdate(dsa->dsa_ctx, buf, len); 722 723 return (ret ? 0 : -1); 724 } 725 726 /* Prefix signature hash with encoded type */ 727 int 728 _dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t *offp) 729 { 730 if (offp) 731 *offp = 0; 732 if (dsa->dsa_method != IKEV2_AUTH_SIG) 733 return (0); 734 if (dsa->dsa_priv != EVP_sha256()) 735 return (-1); 736 if (ptr) { 737 ptr[0] = sizeof(sha256WithRSAEncryption); 738 memcpy(ptr + 1, sha256WithRSAEncryption, 739 sizeof(sha256WithRSAEncryption)); 740 } 741 if (offp) 742 *offp = 1 + sizeof(sha256WithRSAEncryption); 743 return (0); 744 } 745 746 size_t 747 dsa_length(struct iked_dsa *dsa) 748 { 749 size_t off = 0; 750 751 if (dsa->dsa_hmac) 752 return (EVP_MD_size(dsa->dsa_priv)); 753 if (_dsa_sign_encode(dsa, NULL, &off) < 0) 754 fatal("dsa_length: internal error"); 755 return (EVP_PKEY_size(dsa->dsa_key) + off); 756 } 757 758 ssize_t 759 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 760 { 761 unsigned int siglen; 762 size_t off = 0; 763 uint8_t *ptr = buf; 764 765 if (len < dsa_length(dsa)) 766 return (-1); 767 768 if (dsa->dsa_hmac) { 769 if (!HMAC_Final(dsa->dsa_ctx, buf, &siglen)) 770 return (-1); 771 } else { 772 if (_dsa_sign_encode(dsa, ptr, &off) < 0) 773 return (-1); 774 if (!EVP_SignFinal(dsa->dsa_ctx, ptr + off, &siglen, 775 dsa->dsa_key)) 776 return (-1); 777 siglen += off; 778 } 779 780 return (siglen); 781 } 782 783 size_t 784 _dsa_verify_offset(struct iked_dsa *dsa, uint8_t *ptr) 785 { 786 /* 787 * XXX assumes that _dsa_verify_init() has already checked 788 * the encoded method. 789 */ 790 if (dsa->dsa_method == IKEV2_AUTH_SIG) 791 return (ptr[0] + 1); 792 return (0); 793 } 794 795 ssize_t 796 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 797 { 798 uint8_t sig[EVP_MAX_MD_SIZE]; 799 unsigned int siglen = sizeof(sig); 800 uint8_t *ptr = buf; 801 size_t off = 0; 802 803 if (dsa->dsa_hmac) { 804 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 805 return (-1); 806 if (siglen != len || memcmp(buf, sig, siglen) != 0) 807 return (-1); 808 } else { 809 if ((off = _dsa_verify_offset(dsa, ptr)) >= len) 810 return (-1); 811 if (EVP_VerifyFinal(dsa->dsa_ctx, ptr + off, len - off, 812 dsa->dsa_key) != 1) { 813 ca_sslerror(__func__); 814 return (-1); 815 } 816 } 817 818 return (0); 819 } 820