1 /* $OpenBSD: crypto.c,v 1.31 2020/12/06 19:46:42 tobhe Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> /* roundup */ 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/uio.h> 23 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <unistd.h> 27 #include <string.h> 28 #include <errno.h> 29 #include <fcntl.h> 30 #include <event.h> 31 32 #include <openssl/hmac.h> 33 #include <openssl/evp.h> 34 #include <openssl/sha.h> 35 #include <openssl/md5.h> 36 #include <openssl/x509.h> 37 #include <openssl/rsa.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 /* RFC 7427, A.1 RSA */ 43 static const uint8_t sha256WithRSA[] = { 44 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 45 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 46 }; 47 static const uint8_t sha384WithRSA[] = { 48 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 49 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 50 }; 51 static const uint8_t sha512WithRSA[] = { 52 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 53 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 54 }; 55 /* RFC 7427, A.3 ECDSA */ 56 static const uint8_t ecdsa_sha256[] = { 57 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 58 0x3d, 0x04, 0x03, 0x02 59 }; 60 static const uint8_t ecdsa_sha384[] = { 61 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 62 0x3d, 0x04, 0x03, 0x03 63 }; 64 static const uint8_t ecdsa_sha512[] = { 65 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 66 0x3d, 0x04, 0x03, 0x04 67 }; 68 /* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */ 69 static const uint8_t rsapss_sha256[] = { 70 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 71 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0, 72 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 73 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 74 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 75 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 76 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 77 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 78 0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01 79 }; 80 /* RSASSA-PSS SHA-384 */ 81 static const uint8_t rsapss_sha384[] = { 82 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 83 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 84 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 85 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 86 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 87 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 88 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 89 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 90 0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01 91 }; 92 /* RSASSA-PSS SHA-512 */ 93 static const uint8_t rsapss_sha512[] = { 94 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 95 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 96 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 97 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 98 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 99 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 100 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 101 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 102 0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01 103 }; 104 /* RSASSA-PSS SHA-256, no trailer */ 105 static const uint8_t rsapss_sha256nt[] = { 106 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 107 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 108 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 109 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 110 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 111 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 112 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 113 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 114 0x02, 0x01, 0x20 115 }; 116 /* RSASSA-PSS SHA-384, no trailer */ 117 static const uint8_t rsapss_sha384nt[] = { 118 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 119 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 120 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 121 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 122 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 123 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 124 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 125 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 126 0x02, 0x01, 0x30 127 }; 128 /* RSASSA-PSS SHA-512, no trailer */ 129 static const uint8_t rsapss_sha512nt[] = { 130 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 131 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 132 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 133 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 134 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 135 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 136 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 137 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 138 0x02, 0x01, 0x40 139 }; 140 141 #define FLAG_RSA_PSS 0x00001 142 143 static const struct { 144 int sc_keytype; 145 const EVP_MD *(*sc_md)(void); 146 uint8_t sc_len; 147 const uint8_t *sc_oid; 148 uint32_t sc_flags; 149 } schemes[] = { 150 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 }, 151 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 }, 152 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 }, 153 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256, 0 }, 154 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384, 0 }, 155 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512, 0 }, 156 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256, 157 FLAG_RSA_PSS }, 158 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384, 159 FLAG_RSA_PSS }, 160 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512, 161 FLAG_RSA_PSS }, 162 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt, 163 FLAG_RSA_PSS }, 164 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt, 165 FLAG_RSA_PSS }, 166 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt, 167 FLAG_RSA_PSS }, 168 }; 169 170 int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t, int *); 171 int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 172 uint8_t **); 173 int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 174 int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 175 176 struct iked_hash * 177 hash_new(uint8_t type, uint16_t id) 178 { 179 struct iked_hash *hash; 180 const EVP_MD *md = NULL; 181 HMAC_CTX *ctx = NULL; 182 int length = 0, fixedkey = 0, trunc = 0, isaead = 0; 183 184 switch (type) { 185 case IKEV2_XFORMTYPE_PRF: 186 switch (id) { 187 case IKEV2_XFORMPRF_HMAC_MD5: 188 md = EVP_md5(); 189 length = MD5_DIGEST_LENGTH; 190 break; 191 case IKEV2_XFORMPRF_HMAC_SHA1: 192 md = EVP_sha1(); 193 length = SHA_DIGEST_LENGTH; 194 break; 195 case IKEV2_XFORMPRF_HMAC_SHA2_256: 196 md = EVP_sha256(); 197 length = SHA256_DIGEST_LENGTH; 198 break; 199 case IKEV2_XFORMPRF_HMAC_SHA2_384: 200 md = EVP_sha384(); 201 length = SHA384_DIGEST_LENGTH; 202 break; 203 case IKEV2_XFORMPRF_HMAC_SHA2_512: 204 md = EVP_sha512(); 205 length = SHA512_DIGEST_LENGTH; 206 break; 207 case IKEV2_XFORMPRF_AES128_XCBC: 208 fixedkey = 128 / 8; 209 length = fixedkey; 210 /* FALLTHROUGH */ 211 case IKEV2_XFORMPRF_HMAC_TIGER: 212 case IKEV2_XFORMPRF_AES128_CMAC: 213 default: 214 log_debug("%s: prf %s not supported", __func__, 215 print_map(id, ikev2_xformprf_map)); 216 break; 217 } 218 break; 219 case IKEV2_XFORMTYPE_INTEGR: 220 switch (id) { 221 case IKEV2_XFORMAUTH_HMAC_MD5_96: 222 md = EVP_md5(); 223 length = MD5_DIGEST_LENGTH; 224 trunc = 12; 225 break; 226 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 227 md = EVP_sha1(); 228 length = SHA_DIGEST_LENGTH; 229 trunc = 12; 230 break; 231 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 232 md = EVP_sha256(); 233 length = SHA256_DIGEST_LENGTH; 234 trunc = 16; 235 break; 236 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 237 md = EVP_sha384(); 238 length = SHA384_DIGEST_LENGTH; 239 trunc = 24; 240 break; 241 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 242 md = EVP_sha512(); 243 length = SHA512_DIGEST_LENGTH; 244 trunc = 32; 245 break; 246 case IKEV2_XFORMAUTH_AES_GCM_12: 247 length = 12; 248 isaead = 1; 249 break; 250 case IKEV2_XFORMAUTH_AES_GCM_16: 251 length = 16; 252 isaead = 1; 253 break; 254 case IKEV2_XFORMAUTH_NONE: 255 case IKEV2_XFORMAUTH_DES_MAC: 256 case IKEV2_XFORMAUTH_KPDK_MD5: 257 case IKEV2_XFORMAUTH_AES_XCBC_96: 258 case IKEV2_XFORMAUTH_HMAC_MD5_128: 259 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 260 case IKEV2_XFORMAUTH_AES_CMAC_96: 261 case IKEV2_XFORMAUTH_AES_128_GMAC: 262 case IKEV2_XFORMAUTH_AES_192_GMAC: 263 case IKEV2_XFORMAUTH_AES_256_GMAC: 264 default: 265 log_debug("%s: auth %s not supported", __func__, 266 print_map(id, ikev2_xformauth_map)); 267 break; 268 } 269 break; 270 default: 271 log_debug("%s: hash type %s not supported", __func__, 272 print_map(id, ikev2_xformtype_map)); 273 break; 274 } 275 if (!isaead && md == NULL) 276 return (NULL); 277 278 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 279 log_debug("%s: alloc hash", __func__); 280 return (NULL); 281 } 282 283 hash->hash_type = type; 284 hash->hash_id = id; 285 hash->hash_priv = md; 286 hash->hash_ctx = NULL; 287 hash->hash_trunc = trunc; 288 hash->hash_length = length; 289 hash->hash_fixedkey = fixedkey; 290 hash->hash_isaead = isaead; 291 292 if (isaead) 293 return (hash); 294 295 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 296 log_debug("%s: alloc hash ctx", __func__); 297 hash_free(hash); 298 return (NULL); 299 } 300 301 HMAC_CTX_init(ctx); 302 hash->hash_ctx = ctx; 303 304 return (hash); 305 } 306 307 struct ibuf * 308 hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 309 { 310 ibuf_release(hash->hash_key); 311 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 312 log_debug("%s: alloc hash key", __func__); 313 return (NULL); 314 } 315 return (hash->hash_key); 316 } 317 318 void 319 hash_free(struct iked_hash *hash) 320 { 321 if (hash == NULL) 322 return; 323 if (hash->hash_ctx != NULL) { 324 HMAC_CTX_cleanup(hash->hash_ctx); 325 free(hash->hash_ctx); 326 } 327 ibuf_release(hash->hash_key); 328 free(hash); 329 } 330 331 void 332 hash_init(struct iked_hash *hash) 333 { 334 HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, 335 ibuf_length(hash->hash_key), hash->hash_priv, NULL); 336 } 337 338 void 339 hash_update(struct iked_hash *hash, void *buf, size_t len) 340 { 341 HMAC_Update(hash->hash_ctx, buf, len); 342 } 343 344 void 345 hash_final(struct iked_hash *hash, void *buf, size_t *len) 346 { 347 unsigned int length = 0; 348 349 HMAC_Final(hash->hash_ctx, buf, &length); 350 *len = (size_t)length; 351 352 /* Truncate the result if required by the alg */ 353 if (hash->hash_trunc && *len > hash->hash_trunc) 354 *len = hash->hash_trunc; 355 } 356 357 size_t 358 hash_length(struct iked_hash *hash) 359 { 360 if (hash->hash_trunc) 361 return (hash->hash_trunc); 362 return (hash->hash_length); 363 } 364 365 size_t 366 hash_keylength(struct iked_hash *hash) 367 { 368 return (hash->hash_length); 369 } 370 371 struct iked_cipher * 372 cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 373 { 374 struct iked_cipher *encr; 375 const EVP_CIPHER *cipher = NULL; 376 EVP_CIPHER_CTX *ctx = NULL; 377 int length = 0, fixedkey = 0, ivlength = 0; 378 int saltlength = 0, authid = 0; 379 380 switch (type) { 381 case IKEV2_XFORMTYPE_ENCR: 382 switch (id) { 383 case IKEV2_XFORMENCR_3DES: 384 cipher = EVP_des_ede3_cbc(); 385 length = EVP_CIPHER_block_size(cipher); 386 fixedkey = EVP_CIPHER_key_length(cipher); 387 ivlength = EVP_CIPHER_iv_length(cipher); 388 break; 389 case IKEV2_XFORMENCR_AES_CBC: 390 switch (id_length) { 391 case 128: 392 cipher = EVP_aes_128_cbc(); 393 break; 394 case 192: 395 cipher = EVP_aes_192_cbc(); 396 break; 397 case 256: 398 cipher = EVP_aes_256_cbc(); 399 break; 400 default: 401 log_debug("%s: invalid key length %d" 402 " for cipher %s", __func__, id_length, 403 print_map(id, ikev2_xformencr_map)); 404 break; 405 } 406 if (cipher == NULL) 407 break; 408 length = EVP_CIPHER_block_size(cipher); 409 ivlength = EVP_CIPHER_iv_length(cipher); 410 fixedkey = EVP_CIPHER_key_length(cipher); 411 break; 412 case IKEV2_XFORMENCR_AES_GCM_16: 413 case IKEV2_XFORMENCR_AES_GCM_12: 414 switch (id_length) { 415 case 128: 416 cipher = EVP_aes_128_gcm(); 417 break; 418 case 256: 419 cipher = EVP_aes_256_gcm(); 420 break; 421 default: 422 log_debug("%s: invalid key length %d" 423 " for cipher %s", __func__, id_length, 424 print_map(id, ikev2_xformencr_map)); 425 break; 426 } 427 if (cipher == NULL) 428 break; 429 switch(id) { 430 case IKEV2_XFORMENCR_AES_GCM_16: 431 authid = IKEV2_XFORMAUTH_AES_GCM_16; 432 break; 433 case IKEV2_XFORMENCR_AES_GCM_12: 434 authid = IKEV2_XFORMAUTH_AES_GCM_12; 435 break; 436 } 437 length = EVP_CIPHER_block_size(cipher); 438 ivlength = 8; 439 saltlength = 4; 440 fixedkey = EVP_CIPHER_key_length(cipher) + saltlength; 441 break; 442 case IKEV2_XFORMENCR_DES_IV64: 443 case IKEV2_XFORMENCR_DES: 444 case IKEV2_XFORMENCR_RC5: 445 case IKEV2_XFORMENCR_IDEA: 446 case IKEV2_XFORMENCR_CAST: 447 case IKEV2_XFORMENCR_BLOWFISH: 448 case IKEV2_XFORMENCR_3IDEA: 449 case IKEV2_XFORMENCR_DES_IV32: 450 case IKEV2_XFORMENCR_NULL: 451 case IKEV2_XFORMENCR_AES_CTR: 452 /* FALLTHROUGH */ 453 default: 454 log_debug("%s: cipher %s not supported", __func__, 455 print_map(id, ikev2_xformencr_map)); 456 cipher = NULL; 457 break; 458 } 459 break; 460 default: 461 log_debug("%s: cipher type %s not supported", __func__, 462 print_map(id, ikev2_xformtype_map)); 463 break; 464 } 465 if (cipher == NULL) 466 return (NULL); 467 468 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 469 log_debug("%s: alloc cipher", __func__); 470 return (NULL); 471 } 472 473 encr->encr_id = id; 474 encr->encr_priv = cipher; 475 encr->encr_ctx = NULL; 476 encr->encr_length = length; 477 encr->encr_fixedkey = fixedkey; 478 encr->encr_ivlength = ivlength ? ivlength : length; 479 encr->encr_saltlength = saltlength; 480 encr->encr_authid = authid; 481 482 if ((ctx = calloc(1, sizeof(*ctx))) == NULL) { 483 log_debug("%s: alloc cipher ctx", __func__); 484 cipher_free(encr); 485 return (NULL); 486 } 487 488 EVP_CIPHER_CTX_init(ctx); 489 encr->encr_ctx = ctx; 490 491 return (encr); 492 } 493 494 struct ibuf * 495 cipher_setkey(struct iked_cipher *encr, void *key, size_t keylen) 496 { 497 ibuf_release(encr->encr_key); 498 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 499 log_debug("%s: alloc cipher key", __func__); 500 return (NULL); 501 } 502 return (encr->encr_key); 503 } 504 505 struct ibuf * 506 cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) 507 { 508 ibuf_release(encr->encr_iv); 509 encr->encr_iv = NULL; 510 if (iv != NULL) { 511 if (len < encr->encr_ivlength) { 512 log_debug("%s: invalid IV length %zu", __func__, len); 513 return (NULL); 514 } 515 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 516 } else { 517 switch (encr->encr_id) { 518 case IKEV2_XFORMENCR_AES_GCM_16: 519 case IKEV2_XFORMENCR_AES_GCM_12: 520 if (encr->encr_ivlength != sizeof(encr->encr_civ)) { 521 log_info("%s: ivlen does not match %zu != %zu", 522 __func__, encr->encr_ivlength, 523 sizeof(encr->encr_civ)); 524 return (NULL); 525 } 526 encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ)); 527 encr->encr_civ++; 528 break; 529 default: 530 /* Get new random IV */ 531 encr->encr_iv = ibuf_random(encr->encr_ivlength); 532 } 533 } 534 if (encr->encr_iv == NULL) { 535 log_debug("%s: failed to set IV", __func__); 536 return (NULL); 537 } 538 return (encr->encr_iv); 539 } 540 541 int 542 cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len) 543 { 544 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 545 EVP_CTRL_GCM_SET_TAG, len, data) != 1); 546 } 547 548 int 549 cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len) 550 { 551 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 552 EVP_CTRL_GCM_GET_TAG, len, data) != 1); 553 } 554 555 void 556 cipher_free(struct iked_cipher *encr) 557 { 558 if (encr == NULL) 559 return; 560 if (encr->encr_ctx != NULL) { 561 EVP_CIPHER_CTX_cleanup(encr->encr_ctx); 562 free(encr->encr_ctx); 563 } 564 ibuf_release(encr->encr_iv); 565 ibuf_release(encr->encr_key); 566 free(encr); 567 } 568 569 int 570 cipher_init(struct iked_cipher *encr, int enc) 571 { 572 struct ibuf *nonce = NULL; 573 int ret = -1; 574 575 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 576 NULL, NULL, enc) != 1) 577 return (-1); 578 if (encr->encr_saltlength > 0) { 579 /* For AEADs the nonce is salt + IV (see RFC5282) */ 580 nonce = ibuf_new(ibuf_data(encr->encr_key) + 581 ibuf_size(encr->encr_key) - encr->encr_saltlength, 582 encr->encr_saltlength); 583 if (nonce == NULL) 584 return (-1); 585 if (ibuf_add(nonce, ibuf_data(encr->encr_iv) , ibuf_size(encr->encr_iv)) != 0) 586 goto done; 587 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 588 ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) 589 goto done; 590 } else 591 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 592 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 593 return (-1); 594 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 595 ret = 0; 596 done: 597 ibuf_free(nonce); 598 return (ret); 599 } 600 601 int 602 cipher_init_encrypt(struct iked_cipher *encr) 603 { 604 return (cipher_init(encr, 1)); 605 } 606 607 int 608 cipher_init_decrypt(struct iked_cipher *encr) 609 { 610 return (cipher_init(encr, 0)); 611 } 612 613 void 614 cipher_aad(struct iked_cipher *encr, void *in, size_t inlen, 615 size_t *outlen) 616 { 617 int olen = 0; 618 619 if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) { 620 ca_sslerror(__func__); 621 *outlen = 0; 622 return; 623 } 624 *outlen = (size_t)olen; 625 } 626 627 int 628 cipher_update(struct iked_cipher *encr, void *in, size_t inlen, 629 void *out, size_t *outlen) 630 { 631 int olen; 632 633 olen = 0; 634 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 635 ca_sslerror(__func__); 636 *outlen = 0; 637 return (-1); 638 } 639 *outlen = (size_t)olen; 640 return (0); 641 } 642 643 int 644 cipher_final(struct iked_cipher *encr) 645 { 646 int olen; 647 648 /* 649 * We always have EVP_CIPH_NO_PADDING set. This means arg 650 * out is not used and olen should always be 0. 651 */ 652 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 653 ca_sslerror(__func__); 654 return (-1); 655 } 656 return (0); 657 } 658 659 size_t 660 cipher_length(struct iked_cipher *encr) 661 { 662 return (encr->encr_length); 663 } 664 665 size_t 666 cipher_keylength(struct iked_cipher *encr) 667 { 668 if (encr->encr_fixedkey) 669 return (encr->encr_fixedkey); 670 671 /* Might return zero */ 672 return (ibuf_length(encr->encr_key)); 673 } 674 675 size_t 676 cipher_ivlength(struct iked_cipher *encr) 677 { 678 return (encr->encr_ivlength); 679 } 680 681 size_t 682 cipher_outlength(struct iked_cipher *encr, size_t inlen) 683 { 684 return (roundup(inlen, encr->encr_length)); 685 } 686 687 struct iked_dsa * 688 dsa_new(uint8_t id, struct iked_hash *prf, int sign) 689 { 690 struct iked_dsa *dsap = NULL, dsa; 691 692 bzero(&dsa, sizeof(dsa)); 693 694 switch (id) { 695 case IKEV2_AUTH_SIG: 696 if (sign) 697 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 698 else 699 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 700 break; 701 case IKEV2_AUTH_RSA_SIG: 702 /* RFC5996 says we SHOULD use SHA1 here */ 703 dsa.dsa_priv = EVP_sha1(); 704 break; 705 case IKEV2_AUTH_SHARED_KEY_MIC: 706 if (prf == NULL || prf->hash_priv == NULL) 707 fatalx("dsa_new: invalid PRF"); 708 dsa.dsa_priv = prf->hash_priv; 709 dsa.dsa_hmac = 1; 710 break; 711 case IKEV2_AUTH_DSS_SIG: 712 dsa.dsa_priv = EVP_dss1(); 713 break; 714 case IKEV2_AUTH_ECDSA_256: 715 dsa.dsa_priv = EVP_sha256(); 716 break; 717 case IKEV2_AUTH_ECDSA_384: 718 dsa.dsa_priv = EVP_sha384(); 719 break; 720 case IKEV2_AUTH_ECDSA_521: 721 dsa.dsa_priv = EVP_sha512(); 722 break; 723 default: 724 log_debug("%s: auth method %s not supported", __func__, 725 print_map(id, ikev2_auth_map)); 726 break; 727 } 728 729 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 730 log_debug("%s: alloc dsa ctx", __func__); 731 732 return (NULL); 733 } 734 memcpy(dsap, &dsa, sizeof(*dsap)); 735 736 dsap->dsa_method = id; 737 dsap->dsa_sign = sign; 738 739 if (dsap->dsa_hmac) { 740 if ((dsap->dsa_ctx = calloc(1, sizeof(HMAC_CTX))) == NULL) { 741 log_debug("%s: alloc hash ctx", __func__); 742 dsa_free(dsap); 743 return (NULL); 744 } 745 HMAC_CTX_init((HMAC_CTX *)dsap->dsa_ctx); 746 } else { 747 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 748 log_debug("%s: alloc digest ctx", __func__); 749 dsa_free(dsap); 750 return (NULL); 751 } 752 } 753 754 return (dsap); 755 } 756 757 struct iked_dsa * 758 dsa_sign_new(uint8_t id, struct iked_hash *prf) 759 { 760 return (dsa_new(id, prf, 1)); 761 } 762 763 struct iked_dsa * 764 dsa_verify_new(uint8_t id, struct iked_hash *prf) 765 { 766 return (dsa_new(id, prf, 0)); 767 } 768 769 void 770 dsa_free(struct iked_dsa *dsa) 771 { 772 if (dsa == NULL) 773 return; 774 if (dsa->dsa_hmac) { 775 HMAC_CTX_cleanup((HMAC_CTX *)dsa->dsa_ctx); 776 free(dsa->dsa_ctx); 777 } else { 778 EVP_MD_CTX_destroy((EVP_MD_CTX *)dsa->dsa_ctx); 779 if (dsa->dsa_key) 780 EVP_PKEY_free(dsa->dsa_key); 781 } 782 783 ibuf_release(dsa->dsa_keydata); 784 free(dsa); 785 } 786 787 struct ibuf * 788 dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 789 { 790 BIO *rawcert = NULL; 791 X509 *cert = NULL; 792 RSA *rsa = NULL; 793 EC_KEY *ec = NULL; 794 EVP_PKEY *pkey = NULL; 795 796 ibuf_release(dsa->dsa_keydata); 797 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 798 log_debug("%s: alloc signature key", __func__); 799 return (NULL); 800 } 801 802 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 803 goto err; 804 805 switch (type) { 806 case IKEV2_CERT_X509_CERT: 807 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 808 goto sslerr; 809 if ((pkey = X509_get_pubkey(cert)) == NULL) 810 goto sslerr; 811 dsa->dsa_key = pkey; 812 break; 813 case IKEV2_CERT_RSA_KEY: 814 if (dsa->dsa_sign) { 815 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 816 NULL)) == NULL) 817 goto sslerr; 818 } else { 819 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 820 NULL)) == NULL) 821 goto sslerr; 822 } 823 824 if ((pkey = EVP_PKEY_new()) == NULL) 825 goto sslerr; 826 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 827 goto sslerr; 828 829 RSA_free(rsa); /* pkey now has the reference */ 830 dsa->dsa_key = pkey; 831 break; 832 case IKEV2_CERT_ECDSA: 833 if (dsa->dsa_sign) { 834 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 835 goto sslerr; 836 } else { 837 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 838 goto sslerr; 839 } 840 841 if ((pkey = EVP_PKEY_new()) == NULL) 842 goto sslerr; 843 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 844 goto sslerr; 845 846 EC_KEY_free(ec); /* pkey now has the reference */ 847 dsa->dsa_key = pkey; 848 break; 849 default: 850 if (dsa->dsa_hmac) 851 break; 852 log_debug("%s: unsupported key type", __func__); 853 goto err; 854 } 855 856 if (cert != NULL) 857 X509_free(cert); 858 BIO_free(rawcert); /* temporary for parsing */ 859 860 return (dsa->dsa_keydata); 861 862 sslerr: 863 ca_sslerror(__func__); 864 err: 865 log_debug("%s: error", __func__); 866 867 if (rsa != NULL) 868 RSA_free(rsa); 869 if (ec != NULL) 870 EC_KEY_free(ec); 871 if (pkey != NULL) 872 EVP_PKEY_free(pkey); 873 if (cert != NULL) 874 X509_free(cert); 875 if (rawcert != NULL) 876 BIO_free(rawcert); 877 ibuf_release(dsa->dsa_keydata); 878 dsa->dsa_keydata = NULL; 879 return (NULL); 880 } 881 882 int 883 _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len, 884 int *flags) 885 { 886 uint8_t oidlen; 887 size_t i; 888 int keytype; 889 890 *flags = 0; 891 if (dsa->dsa_priv != NULL) 892 return (0); 893 /* 894 * For IKEV2_AUTH_SIG the oid of the authentication signature 895 * is encoded in the first bytes of the auth message. 896 */ 897 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 898 log_debug("%s: dsa_priv not set for %s", __func__, 899 print_map(dsa->dsa_method, ikev2_auth_map)); 900 return (-1); 901 } 902 if (dsa->dsa_key == NULL) { 903 log_debug("%s: dsa_key not set for %s", __func__, 904 print_map(dsa->dsa_method, ikev2_auth_map)); 905 return (-1); 906 } 907 keytype = EVP_PKEY_type(((EVP_PKEY *)dsa->dsa_key)->type); 908 if (sig == NULL) { 909 log_debug("%s: signature missing", __func__); 910 return (-1); 911 } 912 if (len < sizeof(oidlen)) { 913 log_debug("%s: signature (%zu) too small for oid length", 914 __func__, len); 915 return (-1); 916 } 917 memcpy(&oidlen, sig, sizeof(oidlen)); 918 if (len < (size_t)oidlen + sizeof(oidlen)) { 919 log_debug("%s: signature (%zu) too small for oid (%u)", 920 __func__, len, oidlen); 921 return (-1); 922 } 923 for (i = 0; i < nitems(schemes); i++) { 924 if (keytype == schemes[i].sc_keytype && 925 oidlen == schemes[i].sc_len && 926 memcmp(sig + 1, schemes[i].sc_oid, 927 schemes[i].sc_len) == 0) { 928 dsa->dsa_priv = (*schemes[i].sc_md)(); 929 *flags = schemes[i].sc_flags; 930 log_debug("%s: signature scheme %zd selected", 931 __func__, i); 932 return (0); 933 } 934 } 935 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 936 return (-1); 937 } 938 939 int 940 dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 941 { 942 int ret, flags = 0; 943 EVP_PKEY_CTX *pctx = NULL; 944 945 if (dsa->dsa_hmac) { 946 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 947 ibuf_length(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 948 return (-1); 949 return (0); 950 } 951 952 if (dsa->dsa_sign) 953 ret = EVP_DigestSignInit(dsa->dsa_ctx, NULL, dsa->dsa_priv, 954 NULL, dsa->dsa_key); 955 else { 956 /* set dsa_priv */ 957 if ((ret = _dsa_verify_init(dsa, buf, len, &flags)) != 0) 958 return (ret); 959 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 960 NULL, dsa->dsa_key); 961 if (ret == 1 && flags == FLAG_RSA_PSS) { 962 if (EVP_PKEY_CTX_set_rsa_padding(pctx, 963 RSA_PKCS1_PSS_PADDING) <= 0 || 964 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) 965 return (-1); 966 } 967 } 968 969 return (ret == 1 ? 0 : -1); 970 } 971 972 int 973 dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 974 { 975 int ret; 976 977 if (dsa->dsa_hmac) 978 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 979 else if (dsa->dsa_sign) 980 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 981 else 982 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 983 984 return (ret == 1 ? 0 : -1); 985 } 986 987 /* Prefix signature hash with encoded type */ 988 int 989 _dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 990 { 991 int keytype; 992 size_t i, need; 993 994 if (offp) 995 *offp = 0; 996 if (dsa->dsa_method != IKEV2_AUTH_SIG) 997 return (0); 998 if (dsa->dsa_key == NULL) 999 return (-1); 1000 keytype = EVP_PKEY_type(((EVP_PKEY *)dsa->dsa_key)->type); 1001 for (i = 0; i < nitems(schemes); i++) { 1002 /* XXX should avoid calling sc_md() each time... */ 1003 if (keytype == schemes[i].sc_keytype && 1004 (dsa->dsa_priv == (*schemes[i].sc_md)())) 1005 break; 1006 } 1007 if (i >= nitems(schemes)) 1008 return (-1); 1009 log_debug("%s: signature scheme %zd selected", __func__, i); 1010 need = sizeof(ptr[0]) + schemes[i].sc_len; 1011 if (ptr) { 1012 if (len < need) 1013 return (-1); 1014 ptr[0] = schemes[i].sc_len; 1015 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 1016 schemes[i].sc_len); 1017 } 1018 if (offp) 1019 *offp = need; 1020 return (0); 1021 } 1022 1023 /* Export size of encoded signature hash type */ 1024 size_t 1025 dsa_prefix(struct iked_dsa *dsa) 1026 { 1027 size_t off = 0; 1028 1029 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 1030 fatal("dsa_prefix: internal error"); 1031 return off; 1032 } 1033 1034 size_t 1035 dsa_length(struct iked_dsa *dsa) 1036 { 1037 if (dsa->dsa_hmac) 1038 return (EVP_MD_size(dsa->dsa_priv)); 1039 switch (dsa->dsa_method) { 1040 case IKEV2_AUTH_ECDSA_256: 1041 case IKEV2_AUTH_ECDSA_384: 1042 case IKEV2_AUTH_ECDSA_521: 1043 /* size of concat(r|s) */ 1044 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 1045 } 1046 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 1047 } 1048 1049 int 1050 _dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 1051 { 1052 ECDSA_SIG *obj = NULL; 1053 uint8_t *tmp = NULL; 1054 const uint8_t *p; 1055 size_t tmplen; 1056 int ret = -1; 1057 int bnlen, off; 1058 1059 if (len % 2) 1060 goto done; /* must be even */ 1061 bnlen = len/2; 1062 /* 1063 * (a) create DER signature into 'tmp' buffer 1064 * (b) convert buffer to ECDSA_SIG object 1065 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 1066 */ 1067 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 1068 goto done; 1069 if ((tmp = calloc(1, tmplen)) == NULL) 1070 goto done; 1071 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 1072 goto done; 1073 p = tmp; 1074 if (d2i_ECDSA_SIG(&obj, &p, tmplen) == NULL) 1075 goto done; 1076 if (BN_num_bytes(obj->r) > bnlen || BN_num_bytes(obj->s) > bnlen) 1077 goto done; 1078 memset(ptr, 0, len); 1079 off = bnlen - BN_num_bytes(obj->r); 1080 BN_bn2bin(obj->r, ptr + off); 1081 off = 2 * bnlen - BN_num_bytes(obj->s); 1082 BN_bn2bin(obj->s, ptr + off); 1083 ret = 0; 1084 done: 1085 free(tmp); 1086 if (obj) 1087 ECDSA_SIG_free(obj); 1088 return (ret); 1089 } 1090 1091 ssize_t 1092 dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 1093 { 1094 unsigned int hmaclen; 1095 size_t off = 0; 1096 uint8_t *ptr = buf; 1097 1098 if (len < dsa_length(dsa)) 1099 return (-1); 1100 1101 if (dsa->dsa_hmac) { 1102 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 1103 return (-1); 1104 if (hmaclen > INT_MAX) 1105 return (-1); 1106 return (ssize_t)hmaclen; 1107 } else { 1108 switch (dsa->dsa_method) { 1109 case IKEV2_AUTH_ECDSA_256: 1110 case IKEV2_AUTH_ECDSA_384: 1111 case IKEV2_AUTH_ECDSA_521: 1112 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 1113 return (-1); 1114 return (len); 1115 default: 1116 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 1117 return (-1); 1118 if (off > len) 1119 return (-1); 1120 len -= off; 1121 ptr += off; 1122 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 1123 return (-1); 1124 return (len + off); 1125 } 1126 } 1127 return (-1); 1128 } 1129 1130 int 1131 _dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 1132 uint8_t **freemep) 1133 { 1134 ECDSA_SIG *obj = NULL; 1135 uint8_t *ptr = NULL; 1136 size_t bnlen, len, off; 1137 int ret = -1; 1138 1139 *freemep = NULL; /* don't return garbage in case of an error */ 1140 1141 switch (dsa->dsa_method) { 1142 case IKEV2_AUTH_SIG: 1143 /* 1144 * The first byte of the signature encodes the OID 1145 * prefix length which we need to skip. 1146 */ 1147 off = (*sigp)[0] + 1; 1148 *sigp = *sigp + off; 1149 *lenp = *lenp - off; 1150 *freemep = NULL; 1151 ret = 0; 1152 break; 1153 case IKEV2_AUTH_ECDSA_256: 1154 case IKEV2_AUTH_ECDSA_384: 1155 case IKEV2_AUTH_ECDSA_521: 1156 /* 1157 * sigp points to concatenation r|s, while EVP_VerifyFinal() 1158 * expects the signature as a DER-encoded blob (of the two 1159 * values), so we need to convert the signature in a new 1160 * buffer (we cannot override the given buffer) and the caller 1161 * has to free this buffer ('freeme'). 1162 */ 1163 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 1164 goto done; 1165 bnlen = (*lenp)/2; 1166 /* sigp points to concatenation: r|s */ 1167 if ((obj = ECDSA_SIG_new()) == NULL || 1168 BN_bin2bn(*sigp, bnlen, obj->r) == NULL || 1169 BN_bin2bn(*sigp+bnlen, bnlen, obj->s) == NULL || 1170 (len = i2d_ECDSA_SIG(obj, &ptr)) == 0) 1171 goto done; 1172 *lenp = len; 1173 *sigp = ptr; 1174 *freemep = ptr; 1175 ptr = NULL; 1176 ret = 0; 1177 break; 1178 default: 1179 return (0); 1180 } 1181 done: 1182 free(ptr); 1183 if (obj) 1184 ECDSA_SIG_free(obj); 1185 return (ret); 1186 } 1187 1188 ssize_t 1189 dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 1190 { 1191 uint8_t sig[EVP_MAX_MD_SIZE]; 1192 uint8_t *ptr = buf, *freeme = NULL; 1193 unsigned int siglen = sizeof(sig); 1194 1195 if (dsa->dsa_hmac) { 1196 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 1197 return (-1); 1198 if (siglen != len || memcmp(buf, sig, siglen) != 0) 1199 return (-1); 1200 } else { 1201 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 1202 return (-1); 1203 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 1204 free(freeme); 1205 ca_sslerror(__func__); 1206 return (-1); 1207 } 1208 free(freeme); 1209 } 1210 1211 return (0); 1212 } 1213