1/* $OpenBSD: crypto.c,v 1.46 2023/08/04 19:06:25 claudio Exp $ */ 2 3/* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/types.h> 20#include <sys/queue.h> 21#include <sys/socket.h> 22#include <sys/uio.h> 23 24#include <stdio.h> 25#include <stdlib.h> 26#include <unistd.h> 27#include <string.h> 28#include <errno.h> 29#include <fcntl.h> 30#include <event.h> 31 32#include <openssl/ecdsa.h> 33#include <openssl/hmac.h> 34#include <openssl/evp.h> 35#include <openssl/sha.h> 36#include <openssl/md5.h> 37#include <openssl/x509.h> 38#include <openssl/rsa.h> 39 40#include "iked.h" 41#include "ikev2.h" 42 43/* RFC 7427, A.1 RSA */ 44static const uint8_t sha256WithRSA[] = { 45 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 46 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 47}; 48static const uint8_t sha384WithRSA[] = { 49 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 50 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 51}; 52static const uint8_t sha512WithRSA[] = { 53 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 54 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 55}; 56/* RFC 7427, A.3 ECDSA */ 57static const uint8_t ecdsa_sha256[] = { 58 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 59 0x3d, 0x04, 0x03, 0x02 60}; 61static const uint8_t ecdsa_sha384[] = { 62 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 63 0x3d, 0x04, 0x03, 0x03 64}; 65static const uint8_t ecdsa_sha512[] = { 66 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 67 0x3d, 0x04, 0x03, 0x04 68}; 69/* RFC 7427, A.4.3 RSASSA-PSS with SHA-256 */ 70static const uint8_t rsapss_sha256[] = { 71 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 72 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x39, 0xa0, 73 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 74 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 75 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 76 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 77 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 78 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 79 0x02, 0x01, 0x20, 0xa3, 0x03, 0x02, 0x01, 0x01 80}; 81/* RSASSA-PSS SHA-384 */ 82static const uint8_t rsapss_sha384[] = { 83 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 84 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 85 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 86 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 87 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 88 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 89 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 90 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 91 0x02, 0x01, 0x30, 0xa3, 0x03, 0x02, 0x01, 0x01 92}; 93/* RSASSA-PSS SHA-512 */ 94static const uint8_t rsapss_sha512[] = { 95 0x30, 0x46, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 96 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 97 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 98 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 99 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 100 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 101 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 102 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 103 0x02, 0x01, 0x40, 0xa3, 0x03, 0x02, 0x01, 0x01 104}; 105/* RSASSA-PSS SHA-256, no trailer */ 106static const uint8_t rsapss_sha256nt[] = { 107 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 108 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 109 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 110 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 111 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 112 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 113 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 114 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 115 0x02, 0x01, 0x20 116}; 117/* RSASSA-PSS SHA-384, no trailer */ 118static const uint8_t rsapss_sha384nt[] = { 119 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 120 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 121 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 122 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 123 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 124 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 125 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 126 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 127 0x02, 0x01, 0x30 128}; 129/* RSASSA-PSS SHA-512, no trailer */ 130static const uint8_t rsapss_sha512nt[] = { 131 0x30, 0x41, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 132 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x34, 0xa0, 133 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 134 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 135 0xa1, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 136 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08, 0x30, 137 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 138 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 139 0x02, 0x01, 0x40 140}; 141 142#define FLAG_RSA_PSS 0x00001 143int force_rsa_pss = 0; /* XXX move to API */ 144 145static const struct { 146 int sc_keytype; 147 const EVP_MD *(*sc_md)(void); 148 uint8_t sc_len; 149 const uint8_t *sc_oid; 150 uint32_t sc_flags; 151} schemes[] = { 152 { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA, 0 }, 153 { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA, 0 }, 154 { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA, 0 }, 155 { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256, 0 }, 156 { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384, 0 }, 157 { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512, 0 }, 158 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256), rsapss_sha256, 159 FLAG_RSA_PSS }, 160 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384), rsapss_sha384, 161 FLAG_RSA_PSS }, 162 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512), rsapss_sha512, 163 FLAG_RSA_PSS }, 164 { EVP_PKEY_RSA, EVP_sha256, sizeof(rsapss_sha256nt), rsapss_sha256nt, 165 FLAG_RSA_PSS }, 166 { EVP_PKEY_RSA, EVP_sha384, sizeof(rsapss_sha384nt), rsapss_sha384nt, 167 FLAG_RSA_PSS }, 168 { EVP_PKEY_RSA, EVP_sha512, sizeof(rsapss_sha512nt), rsapss_sha512nt, 169 FLAG_RSA_PSS }, 170}; 171 172int _dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); 173int _dsa_verify_prepare(struct iked_dsa *, uint8_t **, size_t *, 174 uint8_t **); 175int _dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t, size_t *); 176int _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); 177 178struct iked_hash * 179hash_new(uint8_t type, uint16_t id) 180{ 181 struct iked_hash *hash; 182 const EVP_MD *md = NULL; 183 int length = 0, fixedkey = 0, trunc = 0, isaead = 0; 184 185 switch (type) { 186 case IKEV2_XFORMTYPE_PRF: 187 switch (id) { 188 case IKEV2_XFORMPRF_HMAC_MD5: 189 md = EVP_md5(); 190 length = MD5_DIGEST_LENGTH; 191 break; 192 case IKEV2_XFORMPRF_HMAC_SHA1: 193 md = EVP_sha1(); 194 length = SHA_DIGEST_LENGTH; 195 break; 196 case IKEV2_XFORMPRF_HMAC_SHA2_256: 197 md = EVP_sha256(); 198 length = SHA256_DIGEST_LENGTH; 199 break; 200 case IKEV2_XFORMPRF_HMAC_SHA2_384: 201 md = EVP_sha384(); 202 length = SHA384_DIGEST_LENGTH; 203 break; 204 case IKEV2_XFORMPRF_HMAC_SHA2_512: 205 md = EVP_sha512(); 206 length = SHA512_DIGEST_LENGTH; 207 break; 208 case IKEV2_XFORMPRF_AES128_XCBC: 209 fixedkey = 128 / 8; 210 length = fixedkey; 211 /* FALLTHROUGH */ 212 case IKEV2_XFORMPRF_HMAC_TIGER: 213 case IKEV2_XFORMPRF_AES128_CMAC: 214 default: 215 log_debug("%s: prf %s not supported", __func__, 216 print_map(id, ikev2_xformprf_map)); 217 break; 218 } 219 break; 220 case IKEV2_XFORMTYPE_INTEGR: 221 switch (id) { 222 case IKEV2_XFORMAUTH_HMAC_MD5_96: 223 md = EVP_md5(); 224 length = MD5_DIGEST_LENGTH; 225 trunc = 12; 226 break; 227 case IKEV2_XFORMAUTH_HMAC_SHA1_96: 228 md = EVP_sha1(); 229 length = SHA_DIGEST_LENGTH; 230 trunc = 12; 231 break; 232 case IKEV2_XFORMAUTH_HMAC_SHA2_256_128: 233 md = EVP_sha256(); 234 length = SHA256_DIGEST_LENGTH; 235 trunc = 16; 236 break; 237 case IKEV2_XFORMAUTH_HMAC_SHA2_384_192: 238 md = EVP_sha384(); 239 length = SHA384_DIGEST_LENGTH; 240 trunc = 24; 241 break; 242 case IKEV2_XFORMAUTH_HMAC_SHA2_512_256: 243 md = EVP_sha512(); 244 length = SHA512_DIGEST_LENGTH; 245 trunc = 32; 246 break; 247 case IKEV2_XFORMAUTH_AES_GCM_12: 248 length = 12; 249 isaead = 1; 250 break; 251 case IKEV2_XFORMAUTH_AES_GCM_16: 252 length = 16; 253 isaead = 1; 254 break; 255 case IKEV2_XFORMAUTH_NONE: 256 case IKEV2_XFORMAUTH_DES_MAC: 257 case IKEV2_XFORMAUTH_KPDK_MD5: 258 case IKEV2_XFORMAUTH_AES_XCBC_96: 259 case IKEV2_XFORMAUTH_HMAC_MD5_128: 260 case IKEV2_XFORMAUTH_HMAC_SHA1_160: 261 case IKEV2_XFORMAUTH_AES_CMAC_96: 262 case IKEV2_XFORMAUTH_AES_128_GMAC: 263 case IKEV2_XFORMAUTH_AES_192_GMAC: 264 case IKEV2_XFORMAUTH_AES_256_GMAC: 265 default: 266 log_debug("%s: auth %s not supported", __func__, 267 print_map(id, ikev2_xformauth_map)); 268 break; 269 } 270 break; 271 default: 272 log_debug("%s: hash type %s not supported", __func__, 273 print_map(id, ikev2_xformtype_map)); 274 break; 275 } 276 if (!isaead && md == NULL) 277 return (NULL); 278 279 if ((hash = calloc(1, sizeof(*hash))) == NULL) { 280 log_debug("%s: alloc hash", __func__); 281 return (NULL); 282 } 283 284 hash->hash_type = type; 285 hash->hash_id = id; 286 hash->hash_priv = md; 287 hash->hash_ctx = NULL; 288 hash->hash_trunc = trunc; 289 hash->hash_length = length; 290 hash->hash_fixedkey = fixedkey; 291 hash->hash_isaead = isaead; 292 293 if (isaead) 294 return (hash); 295 296 hash->hash_ctx = HMAC_CTX_new(); 297 if (hash->hash_ctx == NULL) { 298 log_debug("%s: alloc hash ctx", __func__); 299 hash_free(hash); 300 return (NULL); 301 } 302 303 return (hash); 304} 305 306struct ibuf * 307hash_setkey(struct iked_hash *hash, void *key, size_t keylen) 308{ 309 ibuf_free(hash->hash_key); 310 if ((hash->hash_key = ibuf_new(key, keylen)) == NULL) { 311 log_debug("%s: alloc hash key", __func__); 312 return (NULL); 313 } 314 return (hash->hash_key); 315} 316 317void 318hash_free(struct iked_hash *hash) 319{ 320 if (hash == NULL) 321 return; 322 HMAC_CTX_free(hash->hash_ctx); 323 ibuf_free(hash->hash_key); 324 free(hash); 325} 326 327void 328hash_init(struct iked_hash *hash) 329{ 330 HMAC_Init_ex(hash->hash_ctx, ibuf_data(hash->hash_key), 331 ibuf_size(hash->hash_key), hash->hash_priv, NULL); 332} 333 334void 335hash_update(struct iked_hash *hash, void *buf, size_t len) 336{ 337 HMAC_Update(hash->hash_ctx, buf, len); 338} 339 340void 341hash_final(struct iked_hash *hash, void *buf, size_t *len) 342{ 343 unsigned int length = 0; 344 345 HMAC_Final(hash->hash_ctx, buf, &length); 346 *len = (size_t)length; 347 348 /* Truncate the result if required by the alg */ 349 if (hash->hash_trunc && *len > hash->hash_trunc) 350 *len = hash->hash_trunc; 351} 352 353size_t 354hash_length(struct iked_hash *hash) 355{ 356 if (hash->hash_trunc) 357 return (hash->hash_trunc); 358 return (hash->hash_length); 359} 360 361size_t 362hash_keylength(struct iked_hash *hash) 363{ 364 return (hash->hash_length); 365} 366 367struct iked_cipher * 368cipher_new(uint8_t type, uint16_t id, uint16_t id_length) 369{ 370 struct iked_cipher *encr; 371 const EVP_CIPHER *cipher = NULL; 372 int length = 0, fixedkey = 0, ivlength = 0; 373 int saltlength = 0, authid = 0; 374 375 switch (type) { 376 case IKEV2_XFORMTYPE_ENCR: 377 switch (id) { 378 case IKEV2_XFORMENCR_3DES: 379 cipher = EVP_des_ede3_cbc(); 380 length = EVP_CIPHER_block_size(cipher); 381 fixedkey = EVP_CIPHER_key_length(cipher); 382 ivlength = EVP_CIPHER_iv_length(cipher); 383 break; 384 case IKEV2_XFORMENCR_AES_CBC: 385 switch (id_length) { 386 case 128: 387 cipher = EVP_aes_128_cbc(); 388 break; 389 case 192: 390 cipher = EVP_aes_192_cbc(); 391 break; 392 case 256: 393 cipher = EVP_aes_256_cbc(); 394 break; 395 default: 396 log_debug("%s: invalid key length %d" 397 " for cipher %s", __func__, id_length, 398 print_map(id, ikev2_xformencr_map)); 399 break; 400 } 401 if (cipher == NULL) 402 break; 403 length = EVP_CIPHER_block_size(cipher); 404 ivlength = EVP_CIPHER_iv_length(cipher); 405 fixedkey = EVP_CIPHER_key_length(cipher); 406 break; 407 case IKEV2_XFORMENCR_AES_GCM_16: 408 case IKEV2_XFORMENCR_AES_GCM_12: 409 switch (id_length) { 410 case 128: 411 cipher = EVP_aes_128_gcm(); 412 break; 413 case 256: 414 cipher = EVP_aes_256_gcm(); 415 break; 416 default: 417 log_debug("%s: invalid key length %d" 418 " for cipher %s", __func__, id_length, 419 print_map(id, ikev2_xformencr_map)); 420 break; 421 } 422 if (cipher == NULL) 423 break; 424 switch(id) { 425 case IKEV2_XFORMENCR_AES_GCM_16: 426 authid = IKEV2_XFORMAUTH_AES_GCM_16; 427 break; 428 case IKEV2_XFORMENCR_AES_GCM_12: 429 authid = IKEV2_XFORMAUTH_AES_GCM_12; 430 break; 431 } 432 length = EVP_CIPHER_block_size(cipher); 433 ivlength = 8; 434 saltlength = 4; 435 fixedkey = EVP_CIPHER_key_length(cipher) + saltlength; 436 break; 437 case IKEV2_XFORMENCR_DES_IV64: 438 case IKEV2_XFORMENCR_DES: 439 case IKEV2_XFORMENCR_RC5: 440 case IKEV2_XFORMENCR_IDEA: 441 case IKEV2_XFORMENCR_CAST: 442 case IKEV2_XFORMENCR_BLOWFISH: 443 case IKEV2_XFORMENCR_3IDEA: 444 case IKEV2_XFORMENCR_DES_IV32: 445 case IKEV2_XFORMENCR_NULL: 446 case IKEV2_XFORMENCR_AES_CTR: 447 /* FALLTHROUGH */ 448 default: 449 log_debug("%s: cipher %s not supported", __func__, 450 print_map(id, ikev2_xformencr_map)); 451 cipher = NULL; 452 break; 453 } 454 break; 455 default: 456 log_debug("%s: cipher type %s not supported", __func__, 457 print_map(id, ikev2_xformtype_map)); 458 break; 459 } 460 if (cipher == NULL) 461 return (NULL); 462 463 if ((encr = calloc(1, sizeof(*encr))) == NULL) { 464 log_debug("%s: alloc cipher", __func__); 465 return (NULL); 466 } 467 468 encr->encr_id = id; 469 encr->encr_priv = cipher; 470 encr->encr_ctx = NULL; 471 encr->encr_length = length; 472 encr->encr_fixedkey = fixedkey; 473 encr->encr_ivlength = ivlength ? ivlength : length; 474 encr->encr_saltlength = saltlength; 475 encr->encr_authid = authid; 476 477 encr->encr_ctx = EVP_CIPHER_CTX_new(); 478 if (encr->encr_ctx == NULL) { 479 log_debug("%s: alloc cipher ctx", __func__); 480 cipher_free(encr); 481 return (NULL); 482 } 483 484 return (encr); 485} 486 487struct ibuf * 488cipher_setkey(struct iked_cipher *encr, const void *key, size_t keylen) 489{ 490 ibuf_free(encr->encr_key); 491 if ((encr->encr_key = ibuf_new(key, keylen)) == NULL) { 492 log_debug("%s: alloc cipher key", __func__); 493 return (NULL); 494 } 495 return (encr->encr_key); 496} 497 498struct ibuf * 499cipher_setiv(struct iked_cipher *encr, const void *iv, size_t len) 500{ 501 ibuf_free(encr->encr_iv); 502 encr->encr_iv = NULL; 503 if (iv != NULL) { 504 if (len < encr->encr_ivlength) { 505 log_debug("%s: invalid IV length %zu", __func__, len); 506 return (NULL); 507 } 508 encr->encr_iv = ibuf_new(iv, encr->encr_ivlength); 509 } else { 510 switch (encr->encr_id) { 511 case IKEV2_XFORMENCR_AES_GCM_16: 512 case IKEV2_XFORMENCR_AES_GCM_12: 513 if (encr->encr_ivlength != sizeof(encr->encr_civ)) { 514 log_info("%s: ivlen does not match %zu != %zu", 515 __func__, encr->encr_ivlength, 516 sizeof(encr->encr_civ)); 517 return (NULL); 518 } 519 encr->encr_iv = ibuf_new(&encr->encr_civ, sizeof(encr->encr_civ)); 520 encr->encr_civ++; 521 break; 522 default: 523 /* Get new random IV */ 524 encr->encr_iv = ibuf_random(encr->encr_ivlength); 525 } 526 } 527 if (encr->encr_iv == NULL) { 528 log_debug("%s: failed to set IV", __func__); 529 return (NULL); 530 } 531 return (encr->encr_iv); 532} 533 534int 535cipher_settag(struct iked_cipher *encr, uint8_t *data, size_t len) 536{ 537 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 538 EVP_CTRL_GCM_SET_TAG, len, data) != 1); 539} 540 541int 542cipher_gettag(struct iked_cipher *encr, uint8_t *data, size_t len) 543{ 544 return (EVP_CIPHER_CTX_ctrl(encr->encr_ctx, 545 EVP_CTRL_GCM_GET_TAG, len, data) != 1); 546} 547 548void 549cipher_free(struct iked_cipher *encr) 550{ 551 if (encr == NULL) 552 return; 553 EVP_CIPHER_CTX_free(encr->encr_ctx); 554 ibuf_free(encr->encr_iv); 555 ibuf_free(encr->encr_key); 556 free(encr); 557} 558 559int 560cipher_init(struct iked_cipher *encr, int enc) 561{ 562 struct ibuf *nonce = NULL; 563 int ret = -1; 564 565 if (EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, 566 NULL, NULL, enc) != 1) 567 return (-1); 568 if (encr->encr_saltlength > 0) { 569 /* For AEADs the nonce is salt + IV (see RFC5282) */ 570 nonce = ibuf_new(ibuf_seek(encr->encr_key, 571 ibuf_size(encr->encr_key) - encr->encr_saltlength, 572 encr->encr_saltlength), encr->encr_saltlength); 573 if (nonce == NULL) 574 return (-1); 575 if (ibuf_add_buf(nonce, encr->encr_iv) != 0) 576 goto done; 577 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 578 ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) 579 goto done; 580 } else 581 if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, 582 ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc) != 1) 583 return (-1); 584 EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0); 585 ret = 0; 586 done: 587 ibuf_free(nonce); 588 return (ret); 589} 590 591int 592cipher_init_encrypt(struct iked_cipher *encr) 593{ 594 return (cipher_init(encr, 1)); 595} 596 597int 598cipher_init_decrypt(struct iked_cipher *encr) 599{ 600 return (cipher_init(encr, 0)); 601} 602 603void 604cipher_aad(struct iked_cipher *encr, const void *in, size_t inlen, 605 size_t *outlen) 606{ 607 int olen = 0; 608 609 if (EVP_CipherUpdate(encr->encr_ctx, NULL, &olen, in, inlen) != 1) { 610 ca_sslerror(__func__); 611 *outlen = 0; 612 return; 613 } 614 *outlen = (size_t)olen; 615} 616 617int 618cipher_update(struct iked_cipher *encr, const void *in, size_t inlen, 619 void *out, size_t *outlen) 620{ 621 int olen; 622 623 olen = 0; 624 if (EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen) != 1) { 625 ca_sslerror(__func__); 626 *outlen = 0; 627 return (-1); 628 } 629 *outlen = (size_t)olen; 630 return (0); 631} 632 633int 634cipher_final(struct iked_cipher *encr) 635{ 636 int olen; 637 638 /* 639 * We always have EVP_CIPH_NO_PADDING set. This means arg 640 * out is not used and olen should always be 0. 641 */ 642 if (EVP_CipherFinal_ex(encr->encr_ctx, NULL, &olen) != 1) { 643 ca_sslerror(__func__); 644 return (-1); 645 } 646 return (0); 647} 648 649size_t 650cipher_length(struct iked_cipher *encr) 651{ 652 return (encr->encr_length); 653} 654 655size_t 656cipher_keylength(struct iked_cipher *encr) 657{ 658 if (encr->encr_fixedkey) 659 return (encr->encr_fixedkey); 660 661 /* Might return zero */ 662 return (ibuf_length(encr->encr_key)); 663} 664 665size_t 666cipher_ivlength(struct iked_cipher *encr) 667{ 668 return (encr->encr_ivlength); 669} 670 671size_t 672cipher_outlength(struct iked_cipher *encr, size_t inlen) 673{ 674 return (roundup(inlen, encr->encr_length)); 675} 676 677struct iked_dsa * 678dsa_new(uint8_t id, struct iked_hash *prf, int sign) 679{ 680 struct iked_dsa *dsap = NULL, dsa; 681 682 bzero(&dsa, sizeof(dsa)); 683 684 switch (id) { 685 case IKEV2_AUTH_SIG: 686 if (sign) 687 dsa.dsa_priv = EVP_sha256(); /* XXX should be passed */ 688 else 689 dsa.dsa_priv = NULL; /* set later by dsa_init() */ 690 break; 691 case IKEV2_AUTH_RSA_SIG: 692 /* RFC5996 says we SHOULD use SHA1 here */ 693 dsa.dsa_priv = EVP_sha1(); 694 break; 695 case IKEV2_AUTH_SHARED_KEY_MIC: 696 if (prf == NULL || prf->hash_priv == NULL) 697 fatalx("dsa_new: invalid PRF"); 698 dsa.dsa_priv = prf->hash_priv; 699 dsa.dsa_hmac = 1; 700 break; 701 case IKEV2_AUTH_DSS_SIG: 702 dsa.dsa_priv = EVP_sha1(); 703 break; 704 case IKEV2_AUTH_ECDSA_256: 705 dsa.dsa_priv = EVP_sha256(); 706 break; 707 case IKEV2_AUTH_ECDSA_384: 708 dsa.dsa_priv = EVP_sha384(); 709 break; 710 case IKEV2_AUTH_ECDSA_521: 711 dsa.dsa_priv = EVP_sha512(); 712 break; 713 default: 714 log_debug("%s: auth method %s not supported", __func__, 715 print_map(id, ikev2_auth_map)); 716 break; 717 } 718 719 if ((dsap = calloc(1, sizeof(*dsap))) == NULL) { 720 log_debug("%s: alloc dsa ctx", __func__); 721 722 return (NULL); 723 } 724 memcpy(dsap, &dsa, sizeof(*dsap)); 725 726 dsap->dsa_method = id; 727 dsap->dsa_sign = sign; 728 729 if (dsap->dsa_hmac) { 730 if ((dsap->dsa_ctx = HMAC_CTX_new()) == NULL) { 731 log_debug("%s: alloc hash ctx", __func__); 732 dsa_free(dsap); 733 return (NULL); 734 } 735 } else { 736 if ((dsap->dsa_ctx = EVP_MD_CTX_create()) == NULL) { 737 log_debug("%s: alloc digest ctx", __func__); 738 dsa_free(dsap); 739 return (NULL); 740 } 741 } 742 743 return (dsap); 744} 745 746struct iked_dsa * 747dsa_sign_new(uint8_t id, struct iked_hash *prf) 748{ 749 return (dsa_new(id, prf, 1)); 750} 751 752struct iked_dsa * 753dsa_verify_new(uint8_t id, struct iked_hash *prf) 754{ 755 return (dsa_new(id, prf, 0)); 756} 757 758void 759dsa_free(struct iked_dsa *dsa) 760{ 761 if (dsa == NULL) 762 return; 763 if (dsa->dsa_hmac) { 764 HMAC_CTX_free((HMAC_CTX *)dsa->dsa_ctx); 765 } else { 766 EVP_MD_CTX_free((EVP_MD_CTX *)dsa->dsa_ctx); 767 EVP_PKEY_free(dsa->dsa_key); 768 } 769 770 ibuf_free(dsa->dsa_keydata); 771 free(dsa); 772} 773 774struct ibuf * 775dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) 776{ 777 BIO *rawcert = NULL; 778 X509 *cert = NULL; 779 RSA *rsa = NULL; 780 EC_KEY *ec = NULL; 781 EVP_PKEY *pkey = NULL; 782 783 ibuf_free(dsa->dsa_keydata); 784 if ((dsa->dsa_keydata = ibuf_new(key, keylen)) == NULL) { 785 log_debug("%s: alloc signature key", __func__); 786 return (NULL); 787 } 788 789 if ((rawcert = BIO_new_mem_buf(key, keylen)) == NULL) 790 goto err; 791 792 switch (type) { 793 case IKEV2_CERT_X509_CERT: 794 if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL) 795 goto sslerr; 796 if ((pkey = X509_get_pubkey(cert)) == NULL) 797 goto sslerr; 798 dsa->dsa_key = pkey; 799 break; 800 case IKEV2_CERT_RSA_KEY: 801 if (dsa->dsa_sign) { 802 if ((rsa = d2i_RSAPrivateKey_bio(rawcert, 803 NULL)) == NULL) 804 goto sslerr; 805 } else { 806 if ((rsa = d2i_RSAPublicKey_bio(rawcert, 807 NULL)) == NULL) 808 goto sslerr; 809 } 810 811 if ((pkey = EVP_PKEY_new()) == NULL) 812 goto sslerr; 813 if (!EVP_PKEY_set1_RSA(pkey, rsa)) 814 goto sslerr; 815 816 RSA_free(rsa); /* pkey now has the reference */ 817 dsa->dsa_key = pkey; 818 break; 819 case IKEV2_CERT_ECDSA: 820 if (dsa->dsa_sign) { 821 if ((ec = d2i_ECPrivateKey_bio(rawcert, NULL)) == NULL) 822 goto sslerr; 823 } else { 824 if ((ec = d2i_EC_PUBKEY_bio(rawcert, NULL)) == NULL) 825 goto sslerr; 826 } 827 828 if ((pkey = EVP_PKEY_new()) == NULL) 829 goto sslerr; 830 if (!EVP_PKEY_set1_EC_KEY(pkey, ec)) 831 goto sslerr; 832 833 EC_KEY_free(ec); /* pkey now has the reference */ 834 dsa->dsa_key = pkey; 835 break; 836 default: 837 if (dsa->dsa_hmac) 838 break; 839 log_debug("%s: unsupported key type", __func__); 840 goto err; 841 } 842 843 X509_free(cert); 844 BIO_free(rawcert); /* temporary for parsing */ 845 846 return (dsa->dsa_keydata); 847 848 sslerr: 849 ca_sslerror(__func__); 850 err: 851 log_debug("%s: error", __func__); 852 853 RSA_free(rsa); 854 EC_KEY_free(ec); 855 EVP_PKEY_free(pkey); 856 X509_free(cert); 857 BIO_free(rawcert); 858 ibuf_free(dsa->dsa_keydata); 859 dsa->dsa_keydata = NULL; 860 return (NULL); 861} 862 863int 864_dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) 865{ 866 uint8_t oidlen; 867 size_t i; 868 int keytype; 869 870 if (dsa->dsa_priv != NULL) 871 return (0); 872 /* 873 * For IKEV2_AUTH_SIG the oid of the authentication signature 874 * is encoded in the first bytes of the auth message. 875 */ 876 if (dsa->dsa_method != IKEV2_AUTH_SIG) { 877 log_debug("%s: dsa_priv not set for %s", __func__, 878 print_map(dsa->dsa_method, ikev2_auth_map)); 879 return (-1); 880 } 881 if (dsa->dsa_key == NULL) { 882 log_debug("%s: dsa_key not set for %s", __func__, 883 print_map(dsa->dsa_method, ikev2_auth_map)); 884 return (-1); 885 } 886 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 887 if (sig == NULL) { 888 log_debug("%s: signature missing", __func__); 889 return (-1); 890 } 891 if (len < sizeof(oidlen)) { 892 log_debug("%s: signature (%zu) too small for oid length", 893 __func__, len); 894 return (-1); 895 } 896 memcpy(&oidlen, sig, sizeof(oidlen)); 897 if (len < (size_t)oidlen + sizeof(oidlen)) { 898 log_debug("%s: signature (%zu) too small for oid (%u)", 899 __func__, len, oidlen); 900 return (-1); 901 } 902 for (i = 0; i < nitems(schemes); i++) { 903 if (keytype == schemes[i].sc_keytype && 904 oidlen == schemes[i].sc_len && 905 memcmp(sig + 1, schemes[i].sc_oid, 906 schemes[i].sc_len) == 0) { 907 dsa->dsa_priv = (*schemes[i].sc_md)(); 908 dsa->dsa_flags = schemes[i].sc_flags; 909 log_debug("%s: signature scheme %zd selected", 910 __func__, i); 911 return (0); 912 } 913 } 914 log_debug("%s: unsupported signature (%d)", __func__, oidlen); 915 return (-1); 916} 917 918int 919dsa_init(struct iked_dsa *dsa, const void *buf, size_t len) 920{ 921 int ret; 922 EVP_PKEY_CTX *pctx = NULL; 923 924 if (dsa->dsa_hmac) { 925 if (!HMAC_Init_ex(dsa->dsa_ctx, ibuf_data(dsa->dsa_keydata), 926 ibuf_size(dsa->dsa_keydata), dsa->dsa_priv, NULL)) 927 return (-1); 928 return (0); 929 } 930 931 if (dsa->dsa_sign) { 932 if (force_rsa_pss && 933 EVP_PKEY_base_id(dsa->dsa_key) == EVP_PKEY_RSA) 934 dsa->dsa_flags = FLAG_RSA_PSS; 935 ret = EVP_DigestSignInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 936 NULL, dsa->dsa_key); 937 } else { 938 /* sets dsa_priv, dsa_flags */ 939 if ((ret = _dsa_verify_init(dsa, buf, len)) != 0) 940 return (ret); 941 ret = EVP_DigestVerifyInit(dsa->dsa_ctx, &pctx, dsa->dsa_priv, 942 NULL, dsa->dsa_key); 943 } 944 if (ret == 1 && dsa->dsa_flags == FLAG_RSA_PSS) { 945 if (EVP_PKEY_CTX_set_rsa_padding(pctx, 946 RSA_PKCS1_PSS_PADDING) <= 0 || 947 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) 948 return (-1); 949 } 950 if (_dsa_sign_encode(dsa, NULL, 0, NULL) < 0) 951 return (-1); 952 953 return (ret == 1 ? 0 : -1); 954} 955 956int 957dsa_update(struct iked_dsa *dsa, const void *buf, size_t len) 958{ 959 int ret; 960 961 if (dsa->dsa_hmac) 962 ret = HMAC_Update(dsa->dsa_ctx, buf, len); 963 else if (dsa->dsa_sign) 964 ret = EVP_DigestSignUpdate(dsa->dsa_ctx, buf, len); 965 else 966 ret = EVP_DigestVerifyUpdate(dsa->dsa_ctx, buf, len); 967 968 return (ret == 1 ? 0 : -1); 969} 970 971/* Prefix signature hash with encoded type */ 972int 973_dsa_sign_encode(struct iked_dsa *dsa, uint8_t *ptr, size_t len, size_t *offp) 974{ 975 int keytype; 976 size_t i, need; 977 978 if (offp) 979 *offp = 0; 980 if (dsa->dsa_method != IKEV2_AUTH_SIG) 981 return (0); 982 if (dsa->dsa_key == NULL) 983 return (-1); 984 keytype = EVP_PKEY_type(EVP_PKEY_id(((EVP_PKEY *)dsa->dsa_key))); 985 for (i = 0; i < nitems(schemes); i++) { 986 /* XXX should avoid calling sc_md() each time... */ 987 if (keytype == schemes[i].sc_keytype && 988 dsa->dsa_flags == schemes[i].sc_flags && 989 (dsa->dsa_priv == (*schemes[i].sc_md)())) 990 break; 991 } 992 if (i >= nitems(schemes)) 993 return (-1); 994 log_debug("%s: signature scheme %zd selected", __func__, i); 995 need = sizeof(ptr[0]) + schemes[i].sc_len; 996 if (ptr) { 997 if (len < need) 998 return (-1); 999 ptr[0] = schemes[i].sc_len; 1000 memcpy(ptr + sizeof(ptr[0]), schemes[i].sc_oid, 1001 schemes[i].sc_len); 1002 } 1003 if (offp) 1004 *offp = need; 1005 return (0); 1006} 1007 1008/* Export size of encoded signature hash type */ 1009size_t 1010dsa_prefix(struct iked_dsa *dsa) 1011{ 1012 size_t off = 0; 1013 1014 if (_dsa_sign_encode(dsa, NULL, 0, &off) < 0) 1015 fatal("dsa_prefix: internal error"); 1016 return off; 1017} 1018 1019size_t 1020dsa_length(struct iked_dsa *dsa) 1021{ 1022 if (dsa->dsa_hmac) 1023 return (EVP_MD_size(dsa->dsa_priv)); 1024 switch (dsa->dsa_method) { 1025 case IKEV2_AUTH_ECDSA_256: 1026 case IKEV2_AUTH_ECDSA_384: 1027 case IKEV2_AUTH_ECDSA_521: 1028 /* size of concat(r|s) */ 1029 return (2 * ((EVP_PKEY_bits(dsa->dsa_key) + 7) / 8)); 1030 } 1031 return (dsa_prefix(dsa) + EVP_PKEY_size(dsa->dsa_key)); 1032} 1033 1034int 1035_dsa_sign_ecdsa(struct iked_dsa *dsa, uint8_t *ptr, size_t len) 1036{ 1037 ECDSA_SIG *obj = NULL; 1038 uint8_t *tmp = NULL; 1039 const uint8_t *p; 1040 size_t tmplen; 1041 int ret = -1; 1042 int bnlen, off; 1043 const BIGNUM *r, *s; 1044 1045 if (len % 2) 1046 goto done; /* must be even */ 1047 bnlen = len/2; 1048 /* 1049 * (a) create DER signature into 'tmp' buffer 1050 * (b) convert buffer to ECDSA_SIG object 1051 * (c) concatenate the padded r|s BIGNUMS into 'ptr' 1052 */ 1053 if (EVP_DigestSignFinal(dsa->dsa_ctx, NULL, &tmplen) != 1) 1054 goto done; 1055 if ((tmp = calloc(1, tmplen)) == NULL) 1056 goto done; 1057 if (EVP_DigestSignFinal(dsa->dsa_ctx, tmp, &tmplen) != 1) 1058 goto done; 1059 p = tmp; 1060 if ((obj = d2i_ECDSA_SIG(NULL, &p, tmplen)) == NULL) 1061 goto done; 1062 ECDSA_SIG_get0(obj, &r, &s); 1063 if (BN_num_bytes(r) > bnlen || BN_num_bytes(s) > bnlen) 1064 goto done; 1065 memset(ptr, 0, len); 1066 off = bnlen - BN_num_bytes(r); 1067 BN_bn2bin(r, ptr + off); 1068 off = 2 * bnlen - BN_num_bytes(s); 1069 BN_bn2bin(s, ptr + off); 1070 ret = 0; 1071 done: 1072 free(tmp); 1073 ECDSA_SIG_free(obj); 1074 1075 return (ret); 1076} 1077 1078ssize_t 1079dsa_sign_final(struct iked_dsa *dsa, void *buf, size_t len) 1080{ 1081 unsigned int hmaclen; 1082 size_t off = 0; 1083 uint8_t *ptr = buf; 1084 1085 if (len < dsa_length(dsa)) 1086 return (-1); 1087 1088 if (dsa->dsa_hmac) { 1089 if (!HMAC_Final(dsa->dsa_ctx, buf, &hmaclen)) 1090 return (-1); 1091 if (hmaclen > INT_MAX) 1092 return (-1); 1093 return (ssize_t)hmaclen; 1094 } else { 1095 switch (dsa->dsa_method) { 1096 case IKEV2_AUTH_ECDSA_256: 1097 case IKEV2_AUTH_ECDSA_384: 1098 case IKEV2_AUTH_ECDSA_521: 1099 if (_dsa_sign_ecdsa(dsa, buf, len) < 0) 1100 return (-1); 1101 return (len); 1102 default: 1103 if (_dsa_sign_encode(dsa, ptr, len, &off) < 0) 1104 return (-1); 1105 if (off > len) 1106 return (-1); 1107 len -= off; 1108 ptr += off; 1109 if (EVP_DigestSignFinal(dsa->dsa_ctx, ptr, &len) != 1) 1110 return (-1); 1111 return (len + off); 1112 } 1113 } 1114 return (-1); 1115} 1116 1117int 1118_dsa_verify_prepare(struct iked_dsa *dsa, uint8_t **sigp, size_t *lenp, 1119 uint8_t **freemep) 1120{ 1121 ECDSA_SIG *obj = NULL; 1122 uint8_t *ptr = NULL; 1123 size_t bnlen, off; 1124 ssize_t len; 1125 int ret = -1; 1126 BIGNUM *r = NULL, *s = NULL; 1127 1128 *freemep = NULL; /* don't return garbage in case of an error */ 1129 1130 switch (dsa->dsa_method) { 1131 case IKEV2_AUTH_SIG: 1132 /* 1133 * The first byte of the signature encodes the OID 1134 * prefix length which we need to skip. 1135 */ 1136 off = (*sigp)[0] + 1; 1137 *sigp = *sigp + off; 1138 *lenp = *lenp - off; 1139 *freemep = NULL; 1140 ret = 0; 1141 break; 1142 case IKEV2_AUTH_ECDSA_256: 1143 case IKEV2_AUTH_ECDSA_384: 1144 case IKEV2_AUTH_ECDSA_521: 1145 /* 1146 * sigp points to concatenation r|s, while EVP_VerifyFinal() 1147 * expects the signature as a DER-encoded blob (of the two 1148 * values), so we need to convert the signature in a new 1149 * buffer (we cannot override the given buffer) and the caller 1150 * has to free this buffer ('freeme'). 1151 */ 1152 if (*lenp < 64 || *lenp > 132 || *lenp % 2) 1153 goto done; 1154 bnlen = (*lenp)/2; 1155 /* sigp points to concatenation: r|s */ 1156 if ((obj = ECDSA_SIG_new()) == NULL || 1157 (r = BN_bin2bn(*sigp, bnlen, NULL)) == NULL || 1158 (s = BN_bin2bn(*sigp+bnlen, bnlen, NULL)) == NULL || 1159 ECDSA_SIG_set0(obj, r, s) == 0 || 1160 (len = i2d_ECDSA_SIG(obj, &ptr)) <= 0) 1161 goto done; 1162 r = s = NULL; 1163 *lenp = len; 1164 *sigp = ptr; 1165 *freemep = ptr; 1166 ptr = NULL; 1167 ret = 0; 1168 break; 1169 default: 1170 return (0); 1171 } 1172 done: 1173 BN_clear_free(r); 1174 BN_clear_free(s); 1175 free(ptr); 1176 ECDSA_SIG_free(obj); 1177 1178 return (ret); 1179} 1180 1181ssize_t 1182dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len) 1183{ 1184 uint8_t sig[EVP_MAX_MD_SIZE]; 1185 uint8_t *ptr = buf, *freeme = NULL; 1186 unsigned int siglen = sizeof(sig); 1187 1188 if (dsa->dsa_hmac) { 1189 if (!HMAC_Final(dsa->dsa_ctx, sig, &siglen)) 1190 return (-1); 1191 if (siglen != len || memcmp(buf, sig, siglen) != 0) 1192 return (-1); 1193 } else { 1194 if (_dsa_verify_prepare(dsa, &ptr, &len, &freeme) < 0) 1195 return (-1); 1196 if (EVP_DigestVerifyFinal(dsa->dsa_ctx, ptr, len) != 1) { 1197 OPENSSL_free(freeme); 1198 ca_sslerror(__func__); 1199 return (-1); 1200 } 1201 OPENSSL_free(freeme); 1202 } 1203 1204 return (0); 1205} 1206