search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
adden new isakmpd
[anytun.git] / keyexchange / isakmpd-20041012 / ike_auth.c
blobdcacb0ed6f879096ec5b13ac1a9af38377bdff7d
1 /* $OpenBSD: ike_auth.c,v 1.95 2004/08/08 19:11:06 deraadt Exp $ */
2 /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
3
4 /*
5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
6 * Copyright (c) 1999 Niels Provos. All rights reserved.
7 * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
8 * Copyright (c) 2000, 2001, 2003 HÃ¥kan Olsson. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /*
32 * This code was written under funding by Ericsson Radio Systems.
33 */
34
35 #include <sys/types.h>
36 #include <sys/stat.h>
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39
40 #include <errno.h>
41 #include <fcntl.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <unistd.h>
45 #include <regex.h>
46 #if defined (USE_KEYNOTE)
47 #include <keynote.h>
48 #endif
49 #include <policy.h>
50
51 #include "sysdep.h"
52
53 #include "cert.h"
54 #include "conf.h"
55 #include "constants.h"
56 #if defined (USE_DNSSEC)
57 #include "dnssec.h"
58 #endif
59 #include "exchange.h"
60 #include "gmp_util.h"
61 #include "hash.h"
62 #include "ike_auth.h"
63 #include "ipsec.h"
64 #include "ipsec_doi.h"
65 #include "libcrypto.h"
66 #include "log.h"
67 #include "message.h"
68 #include "monitor.h"
69 #include "prf.h"
70 #include "transport.h"
71 #include "util.h"
72 #include "key.h"
73 #if defined (USE_X509)
74 #include "x509.h"
75 #endif
76
77 #ifdef notyet
78 static u_int8_t *enc_gen_skeyid(struct exchange *, size_t *);
79 #endif
80 static u_int8_t *pre_shared_gen_skeyid(struct exchange *, size_t *);
81
82 static int pre_shared_decode_hash(struct message *);
83 static int pre_shared_encode_hash(struct message *);
84
85 #if defined (USE_X509) || defined (USE_KEYNOTE)
86 static u_int8_t *sig_gen_skeyid(struct exchange *, size_t *);
87 static int rsa_sig_decode_hash(struct message *);
88 static int rsa_sig_encode_hash(struct message *);
89 #endif
90
91 #if defined (USE_RAWKEY)
92 static int get_raw_key_from_file(int, u_int8_t *, size_t, RSA **);
93 #endif
94
95 static int ike_auth_hash(struct exchange *, u_int8_t *);
96
97 static struct ike_auth ike_auth[] = {
98 {
99 IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid,
100 pre_shared_decode_hash,
101 pre_shared_encode_hash
102 },
103 #ifdef notdef
104 {
105 IKE_AUTH_DSS, sig_gen_skeyid,
106 pre_shared_decode_hash,
107 pre_shared_encode_hash
108 },
109 #endif
110 #if defined (USE_X509) || defined (USE_KEYNOTE)
111 {
112 IKE_AUTH_RSA_SIG, sig_gen_skeyid,
113 rsa_sig_decode_hash,
114 rsa_sig_encode_hash
115 },
116 #endif
117 #ifdef notdef
118 {
119 IKE_AUTH_RSA_ENC, enc_gen_skeyid,
120 pre_shared_decode_hash,
121 pre_shared_encode_hash
122 },
123 {
124 IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid,
125 pre_shared_decode_hash,
126 pre_shared_encode_hash
127 },
128 #endif
129 };
130
131 struct ike_auth *
132 ike_auth_get(u_int16_t id)
133 {
134 size_t i;
135
136 for (i = 0; i < sizeof ike_auth / sizeof ike_auth[0]; i++)
137 if (id == ike_auth[i].id)
138 return &ike_auth[i];
139 return 0;
140 }
141
142 /*
143 * Find and decode the configured key (pre-shared or public) for the
144 * peer denoted by ID. Stash the len in KEYLEN.
145 */
146 static void *
147 ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
148 {
149 char *key, *buf;
150 #if defined (USE_X509) || defined (USE_KEYNOTE)
151 int fd;
152 char *keyfile;
153 #if defined (USE_X509)
154 FILE *keyfp;
155 RSA *rsakey;
156 size_t fsize;
157 #endif
158 #endif
159
160 switch (type) {
161 case IKE_AUTH_PRE_SHARED:
162 /* Get the pre-shared key for our peer. */
163 key = conf_get_str(id, "Authentication");
164 if (!key && local_id)
165 key = conf_get_str(local_id, "Authentication");
166
167 if (!key) {
168 log_print("ike_auth_get_key: "
169 "no key found for peer \"%s\" or local ID \"%s\"",
170 id, local_id);
171 return 0;
172 }
173 /* If the key starts with 0x it is in hex format. */
174 if (strncasecmp(key, "0x", 2) == 0) {
175 *keylen = (strlen(key) - 1) / 2;
176 buf = malloc(*keylen);
177 if (!buf) {
178 log_error("ike_auth_get_key: malloc (%lu) "
179 "failed", (unsigned long)*keylen);
180 return 0;
181 }
182 if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) {
183 free(buf);
184 log_print("ike_auth_get_key: invalid hex key "
185 "%s", key);
186 return 0;
187 }
188 key = buf;
189 } else {
190 buf = key;
191 key = strdup(buf);
192 if (!key) {
193 log_error("ike_auth_get_key: strdup() failed");
194 return 0;
195 }
196 *keylen = strlen(key);
197 }
198 break;
199
200 case IKE_AUTH_RSA_SIG:
201 #if defined (USE_X509) || defined (USE_KEYNOTE)
202 #if defined (USE_KEYNOTE)
203 if (local_id && (keyfile = conf_get_str("KeyNote",
204 "Credential-directory")) != 0) {
205 struct stat sb;
206 struct keynote_deckey dc;
207 char *privkeyfile, *buf2;
208 int pkflen;
209 size_t size;
210
211 pkflen = strlen(keyfile) + strlen(local_id) +
212 sizeof PRIVATE_KEY_FILE + sizeof "//" - 1;
213 privkeyfile = calloc(pkflen, sizeof(char));
214 if (!privkeyfile) {
215 log_print("ike_auth_get_key: failed to "
216 "allocate %d bytes", pkflen);
217 return 0;
218 }
219 snprintf(privkeyfile, pkflen, "%s/%s/%s", keyfile,
220 local_id, PRIVATE_KEY_FILE);
221 keyfile = privkeyfile;
222
223 fd = monitor_open(keyfile, O_RDONLY, 0);
224 if (fd < 0) {
225 free(keyfile);
226 goto ignorekeynote;
227 }
228
229 if (fstat(fd, &sb) < 0) {
230 log_print("ike_auth_get_key: fstat failed");
231 free(keyfile);
232 close(fd);
233 return 0;
234 }
235 size = (size_t)sb.st_size;
236
237 buf = calloc(size + 1, sizeof(char));
238 if (!buf) {
239 log_print("ike_auth_get_key: failed allocating"
240 " %lu bytes", (unsigned long)size + 1);
241 free(keyfile);
242 close(fd);
243 return 0;
244 }
245 if (read(fd, buf, size) != (ssize_t)size) {
246 free(buf);
247 log_print("ike_auth_get_key: "
248 "failed reading %lu bytes from \"%s\"",
249 (unsigned long)size, keyfile);
250 free(keyfile);
251 close(fd);
252 return 0;
253 }
254 close(fd);
255
256 /* Parse private key string */
257 buf2 = kn_get_string(buf);
258 free(buf);
259
260 if (!buf2 || kn_decode_key(&dc, buf2,
261 KEYNOTE_PRIVATE_KEY) == -1) {
262 if (buf2)
263 free(buf2);
264 log_print("ike_auth_get_key: failed decoding "
265 "key in \"%s\"", keyfile);
266 free(keyfile);
267 return 0;
268 }
269 free(buf2);
270
271 if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) {
272 log_print("ike_auth_get_key: wrong algorithm "
273 "type %d in \"%s\"", dc.dec_algorithm,
274 keyfile);
275 free(keyfile);
276 kn_free_key(&dc);
277 return 0;
278 }
279 free(keyfile);
280 return dc.dec_key;
281 }
282 ignorekeynote:
283 #endif /* USE_KEYNOTE */
284 #ifdef USE_X509
285 /* Otherwise, try X.509 */
286 keyfile = conf_get_str("X509-certificates", "Private-key");
287
288 fd = monitor_open(keyfile, O_RDONLY, 0);
289 if (fd < 0) {
290 log_print("ike_auth_get_key: failed opening \"%s\"",
291 keyfile);
292 return 0;
293 }
294
295 if (check_file_secrecy_fd(fd, keyfile, &fsize) < 0) {
296 close(fd);
297 return 0;
298 }
299
300 if ((keyfp = fdopen(fd, "r")) == NULL) {
301 log_print("ike_auth_get_key: fdopen failed");
302 close(fd);
303 return 0;
304 }
305 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
306 rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL, NULL);
307 #else
308 rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL);
309 #endif
310 fclose(keyfp);
311
312 if (!rsakey) {
313 log_print("ike_auth_get_key: "
314 "PEM_read_bio_RSAPrivateKey failed");
315 return 0;
316 }
317 return rsakey;
318 #endif /* USE_X509 */
319 #endif /* USE_X509 || USE_KEYNOTE */
320
321 default:
322 log_print("ike_auth_get_key: unknown key type %d", type);
323 return 0;
324 }
325
326 return key;
327 }
328
329 static u_int8_t *
330 pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
331 {
332 struct prf *prf;
333 struct ipsec_exch *ie = exchange->data;
334 u_int8_t *skeyid, *buf = 0;
335 unsigned char *key;
336 size_t keylen;
337
338 /*
339 * If we're the responder and have the initiator's ID (which is the
340 * case in Aggressive mode), try to find the preshared key in the
341 * section of the initiator's Phase 1 ID. This allows us to do
342 * mobile user support with preshared keys.
343 */
344 if (!exchange->initiator && exchange->id_i) {
345 switch (exchange->id_i[0]) {
346 case IPSEC_ID_IPV4_ADDR:
347 case IPSEC_ID_IPV6_ADDR:
348 util_ntoa((char **) &buf,
349 exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET :
350 AF_INET6, exchange->id_i + ISAKMP_ID_DATA_OFF -
351 ISAKMP_GEN_SZ);
352 if (!buf)
353 return 0;
354 break;
355
356 case IPSEC_ID_FQDN:
357 case IPSEC_ID_USER_FQDN:
358 buf = calloc(exchange->id_i_len - ISAKMP_ID_DATA_OFF +
359 ISAKMP_GEN_SZ + 1, sizeof(char));
360 if (!buf) {
361 log_print("pre_shared_gen_skeyid: malloc (%lu"
362 ") failed",
363 (unsigned long)exchange->id_i_len -
364 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1);
365 return 0;
366 }
367 memcpy(buf,
368 exchange->id_i + ISAKMP_ID_DATA_OFF -
369 ISAKMP_GEN_SZ,
370 exchange->id_i_len - ISAKMP_ID_DATA_OFF +
371 ISAKMP_GEN_SZ);
372 break;
373
374 /* XXX Support more ID types ? */
375 default:
376 break;
377 }
378 }
379 /*
380 * Get the pre-shared key for our peer. This will work even if the key
381 * has been passed to us through a mechanism like PFKEYv2.
382 */
383 key = ike_auth_get_key(IKE_AUTH_PRE_SHARED, exchange->name,
384 (char *) buf, &keylen);
385 if (buf)
386 free(buf);
387
388 /* Fail if no key could be found. */
389 if (!key)
390 return 0;
391
392 /* Store the secret key for later policy processing. */
393 exchange->recv_key = calloc(keylen + 1, sizeof(char));
394 exchange->recv_keytype = ISAKMP_KEY_PASSPHRASE;
395 if (!exchange->recv_key) {
396 log_error("pre_shared_gen_skeyid: malloc (%lu) failed",
397 (unsigned long)keylen);
398 free(key);
399 return 0;
400 }
401 memcpy(exchange->recv_key, key, keylen);
402 exchange->recv_certtype = ISAKMP_CERTENC_NONE;
403 free(key);
404
405 prf = prf_alloc(ie->prf_type, ie->hash->type, exchange->recv_key,
406 keylen);
407 if (!prf)
408 return 0;
409
410 *sz = prf->blocksize;
411 skeyid = malloc(*sz);
412 if (!skeyid) {
413 log_error("pre_shared_gen_skeyid: malloc (%lu) failed",
414 (unsigned long)*sz);
415 prf_free(prf);
416 return 0;
417 }
418 prf->Init(prf->prfctx);
419 prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
420 prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
421 prf->Final(skeyid, prf->prfctx);
422 prf_free(prf);
423 return skeyid;
424 }
425
426 #if defined (USE_X509) || defined (USE_KEYNOTE)
427 /* Both DSS & RSA signature authentication use this algorithm. */
428 static u_int8_t *
429 sig_gen_skeyid(struct exchange *exchange, size_t *sz)
430 {
431 struct prf *prf;
432 struct ipsec_exch *ie = exchange->data;
433 u_int8_t *skeyid;
434 unsigned char *key;
435
436 key = malloc(exchange->nonce_i_len + exchange->nonce_r_len);
437 if (!key)
438 return 0;
439 memcpy(key, exchange->nonce_i, exchange->nonce_i_len);
440 memcpy(key + exchange->nonce_i_len, exchange->nonce_r,
441 exchange->nonce_r_len);
442
443 LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: PRF type %d, hash %d",
444 ie->prf_type, ie->hash->type));
445 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
446 "sig_gen_skeyid: SKEYID initialized with",
447 (u_int8_t *)key, exchange->nonce_i_len + exchange->nonce_r_len));
448
449 prf = prf_alloc(ie->prf_type, ie->hash->type, key,
450 exchange->nonce_i_len + exchange->nonce_r_len);
451 free(key);
452 if (!prf)
453 return 0;
454
455 *sz = prf->blocksize;
456 skeyid = malloc(*sz);
457 if (!skeyid) {
458 log_error("sig_gen_skeyid: malloc (%lu) failed",
459 (unsigned long)*sz);
460 prf_free(prf);
461 return 0;
462 }
463 LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: g^xy length %lu",
464 (unsigned long) ie->g_x_len));
465 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
466 "sig_gen_skeyid: SKEYID fed with g^xy", ie->g_xy, ie->g_x_len));
467
468 prf->Init(prf->prfctx);
469 prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len);
470 prf->Final(skeyid, prf->prfctx);
471 prf_free(prf);
472 return skeyid;
473 }
474 #endif /* USE_X509 || USE_KEYNOTE */
475
476 #ifdef notdef
477 /*
478 * Both standard and revised RSA encryption authentication use this SKEYID
479 * computation.
480 */
481 static u_int8_t *
482 enc_gen_skeyid(struct exchange *exchange, size_t *sz)
483 {
484 struct prf *prf;
485 struct ipsec_exch *ie = exchange->data;
486 struct hash *hash = ie->hash;
487 u_int8_t *skeyid;
488
489 hash->Init(hash->ctx);
490 hash->Update(hash->ctx, exchange->nonce_i, exchange->nonce_i_len);
491 hash->Update(hash->ctx, exchange->nonce_r, exchange->nonce_r_len);
492 hash->Final(hash->digest, hash->ctx);
493 prf = prf_alloc(ie->prf_type, hash->type, hash->digest, *sz);
494 if (!prf)
495 return 0;
496
497 *sz = prf->blocksize;
498 skeyid = malloc(*sz);
499 if (!skeyid) {
500 log_error("enc_gen_skeyid: malloc (%d) failed", *sz);
501 prf_free(prf);
502 return 0;
503 }
504 prf->Init(prf->prfctx);
505 prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
506 prf->Final(skeyid, prf->prfctx);
507 prf_free(prf);
508 return skeyid;
509 }
510 #endif /* notdef */
511
512 static int
513 pre_shared_decode_hash(struct message *msg)
514 {
515 struct exchange *exchange = msg->exchange;
516 struct ipsec_exch *ie = exchange->data;
517 struct payload *payload;
518 size_t hashsize = ie->hash->hashsize;
519 char header[80];
520 int initiator = exchange->initiator;
521 u_int8_t **hash_p;
522
523 /* Choose the right fields to fill-in. */
524 hash_p = initiator ? &ie->hash_r : &ie->hash_i;
525
526 payload = payload_first(msg, ISAKMP_PAYLOAD_HASH);
527 if (!payload) {
528 log_print("pre_shared_decode_hash: no HASH payload found");
529 return -1;
530 }
531 /* Check that the hash is of the correct size. */
532 if (GET_ISAKMP_GEN_LENGTH(payload->p) - ISAKMP_GEN_SZ != hashsize)
533 return -1;
534
535 /* XXX Need this hash be in the SA? */
536 *hash_p = malloc(hashsize);
537 if (!*hash_p) {
538 log_error("pre_shared_decode_hash: malloc (%lu) failed",
539 (unsigned long)hashsize);
540 return -1;
541 }
542 memcpy(*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize);
543 snprintf(header, sizeof header, "pre_shared_decode_hash: HASH_%c",
544 initiator ? 'R' : 'I');
545 LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize));
546
547 payload->flags |= PL_MARK;
548 return 0;
549 }
550
551 #if defined (USE_X509) || defined (USE_KEYNOTE)
552 /* Decrypt the HASH in SIG, we already need a parsed ID payload. */
553 static int
554 rsa_sig_decode_hash(struct message *msg)
555 {
556 struct cert_handler *handler;
557 struct exchange *exchange = msg->exchange;
558 struct ipsec_exch *ie = exchange->data;
559 struct payload *p;
560 void *cert = 0;
561 u_int8_t *rawcert = 0, **hash_p, **id_cert, *id;
562 u_int32_t rawcertlen, *id_cert_len;
563 RSA *key = 0;
564 size_t hashsize = ie->hash->hashsize, id_len;
565 char header[80];
566 int len, initiator = exchange->initiator;
567 int found = 0, n, i, id_found;
568 #if defined (USE_DNSSEC)
569 u_int8_t *rawkey = 0;
570 u_int32_t rawkeylen;
571 #endif
572
573 /* Choose the right fields to fill-in. */
574 hash_p = initiator ? &ie->hash_r : &ie->hash_i;
575 id = initiator ? exchange->id_r : exchange->id_i;
576 id_len = initiator ? exchange->id_r_len : exchange->id_i_len;
577
578 if (!id || id_len == 0) {
579 log_print("rsa_sig_decode_hash: ID is missing");
580 return -1;
581 }
582 /*
583 * XXX Assume we should use the same kind of certification as the
584 * remote... moreover, just use the first CERT payload to decide what
585 * to use.
586 */
587 p = payload_first(msg, ISAKMP_PAYLOAD_CERT);
588 if (!p)
589 handler = cert_get(ISAKMP_CERTENC_KEYNOTE);
590 else
591 handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p));
592 if (!handler) {
593 log_print("rsa_sig_decode_hash: cert_get (%d) failed",
594 p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1);
595 return -1;
596 }
597 #if defined (USE_POLICY) || defined (USE_KEYNOTE)
598 /*
599 * We need the policy session initialized now, so we can add
600 * credentials etc.
601 */
602 exchange->policy_id = kn_init();
603 if (exchange->policy_id == -1) {
604 log_print("rsa_sig_decode_hash: failed to initialize policy "
605 "session");
606 return -1;
607 }
608 #endif /* USE_POLICY || USE_KEYNOTE */
609
610 /* Obtain a certificate from our certificate storage. */
611 if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) {
612 if (handler->id == ISAKMP_CERTENC_X509_SIG) {
613 cert = handler->cert_get(rawcert, rawcertlen);
614 if (!cert)
615 LOG_DBG((LOG_CRYPTO, 50, "rsa_sig_decode_hash:"
616 " certificate malformed"));
617 else {
618 if (!handler->cert_get_key(cert, &key)) {
619 log_print("rsa_sig_decode_hash: "
620 "decoding certificate failed");
621 handler->cert_free(cert);
622 } else {
623 found++;
624 LOG_DBG((LOG_CRYPTO, 40,
625 "rsa_sig_decode_hash: using cert "
626 "of type %d", handler->id));
627 exchange->recv_cert = cert;
628 exchange->recv_certtype = handler->id;
629 #if defined (USE_POLICY)
630 x509_generate_kn(exchange->policy_id,
631 cert);
632 #endif /* USE_POLICY */
633 }
634 }
635 } else if (handler->id == ISAKMP_CERTENC_KEYNOTE)
636 handler->cert_insert(exchange->policy_id, rawcert);
637 free(rawcert);
638 }
639 /*
640 * Walk over potential CERT payloads in this message.
641 * XXX I believe this is the wrong spot for this. CERTs can appear
642 * anytime.
643 */
644 for (p = payload_first(msg, ISAKMP_PAYLOAD_CERT); p;
645 p = TAILQ_NEXT(p, link)) {
646 p->flags |= PL_MARK;
647
648 /*
649 * When we have found a key, just walk over the rest, marking
650 * them.
651 */
652 if (found)
653 continue;
654
655 handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p));
656 if (!handler) {
657 LOG_DBG((LOG_MISC, 30, "rsa_sig_decode_hash: "
658 "no handler for %s CERT encoding",
659 constant_name(isakmp_certenc_cst,
660 GET_ISAKMP_CERT_ENCODING(p->p))));
661 continue;
662 }
663 cert = handler->cert_get(p->p + ISAKMP_CERT_DATA_OFF,
664 GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERT_DATA_OFF);
665 if (!cert) {
666 log_print("rsa_sig_decode_hash: "
667 "can not get data from CERT");
668 continue;
669 }
670 if (!handler->cert_validate(cert)) {
671 handler->cert_free(cert);
672 log_print("rsa_sig_decode_hash: received CERT can't "
673 "be validated");
674 continue;
675 }
676 if (GET_ISAKMP_CERT_ENCODING(p->p) ==
677 ISAKMP_CERTENC_X509_SIG) {
678 if (!handler->cert_get_subjects(cert, &n, &id_cert,
679 &id_cert_len)) {
680 handler->cert_free(cert);
681 log_print("rsa_sig_decode_hash: can not get "
682 "subject from CERT");
683 continue;
684 }
685 id_found = 0;
686 for (i = 0; i < n; i++)
687 if (id_cert_len[i] == id_len &&
688 id[0] == id_cert[i][0] &&
689 memcmp(id + 4, id_cert[i] + 4, id_len - 4)
690 == 0) {
691 id_found++;
692 break;
693 }
694 if (!id_found) {
695 handler->cert_free(cert);
696 log_print("rsa_sig_decode_hash: no CERT "
697 "subject match the ID");
698 free(id_cert);
699 continue;
700 }
701 cert_free_subjects(n, id_cert, id_cert_len);
702 }
703 if (!handler->cert_get_key(cert, &key)) {
704 handler->cert_free(cert);
705 log_print("rsa_sig_decode_hash: decoding payload CERT "
706 "failed");
707 continue;
708 }
709 /* We validated the cert, cache it for later use. */
710 handler->cert_insert(exchange->policy_id, cert);
711
712 exchange->recv_cert = cert;
713 exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p);
714
715 #if defined (USE_POLICY) || defined (USE_KEYNOTE)
716 if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) {
717 struct keynote_deckey dc;
718 char *pp;
719 int dclen;
720
721 dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
722 dc.dec_key = key;
723
724 pp = kn_encode_key(&dc, INTERNAL_ENC_PKCS1,
725 ENCODING_HEX, KEYNOTE_PUBLIC_KEY);
726 if (pp == NULL) {
727 kn_free_key(&dc);
728 log_print("rsa_sig_decode_hash: failed to "
729 "ASCII-encode key");
730 return -1;
731 }
732 dclen = strlen(pp) + sizeof "rsa-hex:";
733 exchange->keynote_key = calloc(dclen, sizeof(char));
734 if (!exchange->keynote_key) {
735 free(pp);
736 kn_free_key(&dc);
737 log_print("rsa_sig_decode_hash: failed to "
738 "allocate %d bytes", dclen);
739 return -1;
740 }
741 snprintf(exchange->keynote_key, dclen, "rsa-hex:%s",
742 pp);
743 free(pp);
744 }
745 #endif
746
747 found++;
748 }
749
750 #if defined (USE_DNSSEC)
751 /*
752 * If no certificate provided a key, try to find a validated DNSSEC
753 * KEY.
754 */
755 if (!found) {
756 rawkey = dns_get_key(IKE_AUTH_RSA_SIG, msg, &rawkeylen);
757
758 /* We need to convert 'void *rawkey' into 'RSA *key'. */
759 if (dns_RSA_dns_to_x509(rawkey, rawkeylen, &key) == 0)
760 found++;
761 else
762 log_print("rsa_sig_decode_hash: KEY to RSA key "
763 "conversion failed");
764
765 if (rawkey)
766 free(rawkey);
767 }
768 #endif /* USE_DNSSEC */
769
770 #if defined (USE_RAWKEY)
771 /* If we still have not found a key, try to read it from a file. */
772 if (!found)
773 if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key)
774 != -1)
775 found++;
776 #endif
777
778 if (!found) {
779 log_print("rsa_sig_decode_hash: no public key found");
780 return -1;
781 }
782 p = payload_first(msg, ISAKMP_PAYLOAD_SIG);
783 if (!p) {
784 log_print("rsa_sig_decode_hash: missing signature payload");
785 RSA_free(key);
786 return -1;
787 }
788 /* Check that the sig is of the correct size. */
789 len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SIG_SZ;
790 if (len != RSA_size(key)) {
791 RSA_free(key);
792 log_print("rsa_sig_decode_hash: "
793 "SIG payload length does not match public key");
794 return -1;
795 }
796 *hash_p = malloc(len);
797 if (!*hash_p) {
798 RSA_free(key);
799 log_error("rsa_sig_decode_hash: malloc (%d) failed", len);
800 return -1;
801 }
802 len = RSA_public_decrypt(len, p->p + ISAKMP_SIG_DATA_OFF, *hash_p, key,
803 RSA_PKCS1_PADDING);
804 if (len == -1) {
805 RSA_free(key);
806 log_print("rsa_sig_decode_hash: RSA_public_decrypt () failed");
807 return -1;
808 }
809 /* Store key for later use */
810 exchange->recv_key = key;
811 exchange->recv_keytype = ISAKMP_KEY_RSA;
812
813 if (len != (int) hashsize) {
814 free(*hash_p);
815 *hash_p = 0;
816 log_print("rsa_sig_decode_hash: len %lu != hashsize %lu",
817 (unsigned long)len, (unsigned long)hashsize);
818 return -1;
819 }
820 snprintf(header, sizeof header, "rsa_sig_decode_hash: HASH_%c",
821 initiator ? 'R' : 'I');
822 LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize));
823
824 p->flags |= PL_MARK;
825 return 0;
826 }
827 #endif /* USE_X509 || USE_KEYNOTE */
828
829 static int
830 pre_shared_encode_hash(struct message *msg)
831 {
832 struct exchange *exchange = msg->exchange;
833 struct ipsec_exch *ie = exchange->data;
834 size_t hashsize = ie->hash->hashsize;
835 char header[80];
836 int initiator = exchange->initiator;
837 u_int8_t *buf;
838
839 buf = ipsec_add_hash_payload(msg, hashsize);
840 if (!buf)
841 return -1;
842
843 if (ike_auth_hash(exchange, buf + ISAKMP_HASH_DATA_OFF) == -1)
844 return -1;
845
846 snprintf(header, sizeof header, "pre_shared_encode_hash: HASH_%c",
847 initiator ? 'I' : 'R');
848 LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF,
849 hashsize));
850 return 0;
851 }
852
853 #if defined (USE_X509) || defined (USE_KEYNOTE)
854 /* Encrypt the HASH into a SIG type. */
855 static int
856 rsa_sig_encode_hash(struct message *msg)
857 {
858 struct exchange *exchange = msg->exchange;
859 struct ipsec_exch *ie = exchange->data;
860 size_t hashsize = ie->hash->hashsize, id_len;
861 struct cert_handler *handler;
862 char header[80];
863 int initiator = exchange->initiator, idtype;
864 u_int8_t *buf, *data, *buf2, *id;
865 u_int32_t datalen;
866 int32_t sigsize;
867 void *sent_key;
868
869 id = initiator ? exchange->id_i : exchange->id_r;
870 id_len = initiator ? exchange->id_i_len : exchange->id_r_len;
871
872 /* We may have been provided these by the kernel */
873 buf = (u_int8_t *) conf_get_str(exchange->name, "Credentials");
874 if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type",
875 -1) != -1)) {
876 exchange->sent_certtype = idtype;
877 handler = cert_get(idtype);
878 if (!handler) {
879 log_print("rsa_sig_encode_hash: cert_get (%d) failed",
880 idtype);
881 return -1;
882 }
883 exchange->sent_cert =
884 handler->cert_from_printable((char *)buf);
885 if (!exchange->sent_cert) {
886 log_print("rsa_sig_encode_hash: failed to retrieve "
887 "certificate");
888 return -1;
889 }
890 handler->cert_serialize(exchange->sent_cert, &data, &datalen);
891 if (!data) {
892 log_print("rsa_sig_encode_hash: cert serialization "
893 "failed");
894 return -1;
895 }
896 goto aftercert; /* Skip all the certificate discovery */
897 }
898 /* XXX This needs to be configurable. */
899 idtype = ISAKMP_CERTENC_KEYNOTE;
900
901 /* Find a certificate with subjectAltName = id. */
902 handler = cert_get(idtype);
903 if (!handler) {
904 idtype = ISAKMP_CERTENC_X509_SIG;
905 handler = cert_get(idtype);
906 if (!handler) {
907 log_print("rsa_sig_encode_hash: cert_get(%d) failed",
908 idtype);
909 return -1;
910 }
911 }
912 if (handler->cert_obtain(id, id_len, 0, &data, &datalen) == 0) {
913 if (idtype == ISAKMP_CERTENC_KEYNOTE) {
914 idtype = ISAKMP_CERTENC_X509_SIG;
915 handler = cert_get(idtype);
916 if (!handler) {
917 log_print("rsa_sig_encode_hash: cert_get(%d) "
918 "failed", idtype);
919 return -1;
920 }
921 if (handler->cert_obtain(id, id_len, 0, &data,
922 &datalen) == 0) {
923 LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: "
924 "no certificate to send"));
925 goto skipcert;
926 }
927 } else {
928 LOG_DBG((LOG_MISC, 10,
929 "rsa_sig_encode_hash: no certificate to send"));
930 goto skipcert;
931 }
932 }
933 /* Let's store the certificate we are going to use */
934 exchange->sent_certtype = idtype;
935 exchange->sent_cert = handler->cert_get(data, datalen);
936 if (!exchange->sent_cert) {
937 free(data);
938 log_print("rsa_sig_encode_hash: failed to get certificate "
939 "from wire encoding");
940 return -1;
941 }
942 aftercert:
943
944 buf = realloc(data, ISAKMP_CERT_SZ + datalen);
945 if (!buf) {
946 log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data,
947 ISAKMP_CERT_SZ + datalen);
948 free(data);
949 return -1;
950 }
951 memmove(buf + ISAKMP_CERT_SZ, buf, datalen);
952 SET_ISAKMP_CERT_ENCODING(buf, idtype);
953 if (message_add_payload(msg, ISAKMP_PAYLOAD_CERT, buf,
954 ISAKMP_CERT_SZ + datalen, 1)) {
955 free(buf);
956 return -1;
957 }
958 skipcert:
959
960 /* Again, we may have these from the kernel */
961 buf = (u_int8_t *) conf_get_str(exchange->name, "PKAuthentication");
962 if (buf) {
963 key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE,
964 (char *)buf, &data, &datalen);
965 if (!data) {
966 log_print("rsa_sig_encode_hash: badly formatted RSA "
967 "private key");
968 return 0;
969 }
970 sent_key = key_internalize(ISAKMP_KEY_RSA,
971 ISAKMP_KEYTYPE_PRIVATE, data, datalen);
972 if (!sent_key) {
973 log_print("rsa_sig_encode_hash: bad RSA private key "
974 "from dynamic SA acquisition subsystem");
975 return 0;
976 }
977 } else {
978 /* Try through the regular means. */
979 switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) {
980 case IPSEC_ID_IPV4_ADDR:
981 case IPSEC_ID_IPV6_ADDR:
982 util_ntoa((char **)&buf2,
983 id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] ==
984 IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6,
985 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
986 if (!buf2)
987 return 0;
988 break;
989
990 case IPSEC_ID_FQDN:
991 case IPSEC_ID_USER_FQDN:
992 buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF +
993 ISAKMP_GEN_SZ + 1, sizeof(char));
994 if (!buf2) {
995 log_print("rsa_sig_encode_hash: malloc (%lu) "
996 "failed", (unsigned long)id_len -
997 ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1);
998 return 0;
999 }
1000 memcpy(buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
1001 id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
1002 break;
1003
1004 /* XXX Support more ID types? */
1005 default:
1006 buf2 = 0;
1007 return 0;
1008 }
1009
1010 sent_key = ike_auth_get_key(IKE_AUTH_RSA_SIG, exchange->name,
1011 (char *)buf2, 0);
1012 free(buf2);
1013
1014 /* Did we find a key? */
1015 if (!sent_key) {
1016 log_print("rsa_sig_encode_hash: "
1017 "could not get private key");
1018 return -1;
1019 }
1020 }
1021
1022 /* Enable RSA blinding. */
1023 if (RSA_blinding_on(sent_key, NULL) != 1) {
1024 log_error("rsa_sig_encode_hash: RSA_blinding_on () failed.");
1025 return -1;
1026 }
1027 /* XXX hashsize is not necessarily prf->blocksize. */
1028 buf = malloc(hashsize);
1029 if (!buf) {
1030 log_error("rsa_sig_encode_hash: malloc (%lu) failed",
1031 (unsigned long)hashsize);
1032 return -1;
1033 }
1034 if (ike_auth_hash(exchange, buf) == -1) {
1035 free(buf);
1036 return -1;
1037 }
1038 snprintf(header, sizeof header, "rsa_sig_encode_hash: HASH_%c",
1039 initiator ? 'I' : 'R');
1040 LOG_DBG_BUF((LOG_MISC, 80, header, buf, hashsize));
1041
1042 data = malloc(RSA_size(sent_key));
1043 if (!data) {
1044 log_error("rsa_sig_encode_hash: malloc (%d) failed",
1045 RSA_size(sent_key));
1046 return -1;
1047 }
1048 sigsize = RSA_private_encrypt(hashsize, buf, data, sent_key,
1049 RSA_PKCS1_PADDING);
1050 if (sigsize == -1) {
1051 log_print("rsa_sig_encode_hash: "
1052 "RSA_private_encrypt () failed");
1053 if (data)
1054 free(data);
1055 free(buf);
1056 RSA_free(sent_key);
1057 return -1;
1058 }
1059 datalen = (u_int32_t) sigsize;
1060
1061 free(buf);
1062
1063 buf = realloc(data, ISAKMP_SIG_SZ + datalen);
1064 if (!buf) {
1065 log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data,
1066 ISAKMP_SIG_SZ + datalen);
1067 free(data);
1068 return -1;
1069 }
1070 memmove(buf + ISAKMP_SIG_SZ, buf, datalen);
1071
1072 snprintf(header, sizeof header, "rsa_sig_encode_hash: SIG_%c",
1073 initiator ? 'I' : 'R');
1074 LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF,
1075 datalen));
1076 if (message_add_payload(msg, ISAKMP_PAYLOAD_SIG, buf,
1077 ISAKMP_SIG_SZ + datalen, 1)) {
1078 free(buf);
1079 return -1;
1080 }
1081 return 0;
1082 }
1083 #endif /* USE_X509 || USE_KEYNOTE */
1084
1085 int
1086 ike_auth_hash(struct exchange *exchange, u_int8_t *buf)
1087 {
1088 struct ipsec_exch *ie = exchange->data;
1089 struct prf *prf;
1090 struct hash *hash = ie->hash;
1091 int initiator = exchange->initiator;
1092 u_int8_t *id;
1093 size_t id_len;
1094
1095 /* Choose the right fields to fill-in. */
1096 id = initiator ? exchange->id_i : exchange->id_r;
1097 id_len = initiator ? exchange->id_i_len : exchange->id_r_len;
1098
1099 /* Allocate the prf and start calculating our HASH. */
1100 prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len);
1101 if (!prf)
1102 return -1;
1103
1104 prf->Init(prf->prfctx);
1105 prf->Update(prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len);
1106 prf->Update(prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len);
1107 prf->Update(prf->prfctx, exchange->cookies +
1108 (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF),
1109 ISAKMP_HDR_ICOOKIE_LEN);
1110 prf->Update(prf->prfctx, exchange->cookies +
1111 (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF),
1112 ISAKMP_HDR_ICOOKIE_LEN);
1113 prf->Update(prf->prfctx, ie->sa_i_b, ie->sa_i_b_len);
1114 prf->Update(prf->prfctx, id, id_len);
1115 prf->Final(buf, prf->prfctx);
1116 prf_free(prf);
1117 return 0;
1118 }
1119
1120 #if defined (USE_RAWKEY)
1121 static int
1122 get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa)
1123 {
1124 char filename[FILENAME_MAX];
1125 char *fstr;
1126 FILE *keyfp;
1127
1128 if (type != IKE_AUTH_RSA_SIG) { /* XXX More types? */
1129 LOG_DBG((LOG_NEGOTIATION, 20, "get_raw_key_from_file: "
1130 "invalid auth type %d\n", type));
1131 return -1;
1132 }
1133 *rsa = 0;
1134
1135 fstr = conf_get_str("General", "Pubkey-directory");
1136 if (!fstr)
1137 fstr = CONF_DFLT_PUBKEY_DIR;
1138
1139 if (snprintf(filename, sizeof filename, "%s/", fstr) >
1140 (int)sizeof filename - 1)
1141 return -1;
1142
1143 fstr = ipsec_id_string(id, id_len);
1144 if (!fstr) {
1145 LOG_DBG((LOG_NEGOTIATION, 50, "get_raw_key_from_file: "
1146 "ipsec_id_string failed"));
1147 return -1;
1148 }
1149 strlcat(filename, fstr, sizeof filename - strlen(filename));
1150 free(fstr);
1151
1152 /* If the file does not exist, fail silently. */
1153 keyfp = monitor_fopen(filename, "r");
1154 if (keyfp) {
1155 *rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL);
1156 fclose(keyfp);
1157 } else if (errno != ENOENT) {
1158 log_error("get_raw_key_from_file: monitor_fopen "
1159 "(\"%s\", \"r\") failed", filename);
1160 return -1;
1161 } else
1162 LOG_DBG((LOG_NEGOTIATION, 50,
1163 "get_raw_key_from_file: file %s not found", filename));
1164
1165 return (*rsa ? 0 : -1);
1166 }
1167 #endif /* USE_RAWKEY */
Implementation of SATP