1 /*	$NetBSD: crypto_openssl.c,v 1.11.6.6 2009/04/29 10:50:25 tteras Exp $	*/
2 
3 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "config.h"
35 
36 #include <sys/types.h>
37 #include <sys/param.h>
38 
39 #include <stdlib.h>
40 #include <stdio.h>
41 #include <limits.h>
42 #include <string.h>
43 
44 /* get openssl/ssleay version number */
45 #include <openssl/opensslv.h>
46 
47 #if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090602fL)
48 #error OpenSSL version 0.9.6 or later required.
49 #endif
50 
51 #include <openssl/pem.h>
52 #include <openssl/evp.h>
53 #include <openssl/x509.h>
54 #include <openssl/x509v3.h>
55 #include <openssl/x509_vfy.h>
56 #include <openssl/bn.h>
57 #include <openssl/dh.h>
58 #include <openssl/md5.h>
59 #include <openssl/sha.h>
60 #include <openssl/hmac.h>
61 #include <openssl/des.h>
62 #include <openssl/crypto.h>
63 #ifdef HAVE_OPENSSL_ENGINE_H
64 #include <openssl/engine.h>
65 #endif
66 #ifndef ANDROID_CHANGES
67 #include <openssl/blowfish.h>
68 #include <openssl/cast.h>
69 #else
70 #define EVP_bf_cbc()    NULL
71 #define EVP_cast5_cbc() NULL
72 #endif
73 #include <openssl/err.h>
74 #ifdef HAVE_OPENSSL_RC5_H
75 #include <openssl/rc5.h>
76 #endif
77 #ifdef HAVE_OPENSSL_IDEA_H
78 #include <openssl/idea.h>
79 #endif
80 #if defined(HAVE_OPENSSL_AES_H)
81 #include <openssl/aes.h>
82 #elif defined(HAVE_OPENSSL_RIJNDAEL_H)
83 #include <openssl/rijndael.h>
84 #else
85 #include "crypto/rijndael/rijndael-api-fst.h"
86 #endif
87 #if defined(HAVE_OPENSSL_CAMELLIA_H)
88 #include <openssl/camellia.h>
89 #endif
90 #ifdef WITH_SHA2
91 #ifdef HAVE_OPENSSL_SHA2_H
92 #include <openssl/sha2.h>
93 #else
94 #include "crypto/sha2/sha2.h"
95 #endif
96 #endif
97 #include "plog.h"
98 
99 /* 0.9.7 stuff? */
100 #if OPENSSL_VERSION_NUMBER < 0x0090700fL
101 typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
102 #else
103 #define USE_NEW_DES_API
104 #endif
105 
106 #define OpenSSL_BUG()	do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0)
107 
108 #include "var.h"
109 #include "misc.h"
110 #include "vmbuf.h"
111 #include "plog.h"
112 #include "crypto_openssl.h"
113 #include "debug.h"
114 #include "gcmalloc.h"
115 
116 #if defined(OPENSSL_IS_BORINGSSL)
117 /* HMAC_cleanup is deprecated wrapper in OpenSSL and has been removed in
118  * BoringSSL. */
119 #define HMAC_cleanup(ctx) HMAC_CTX_cleanup(ctx)
120 #endif
121 
122 /*
123  * I hate to cast every parameter to des_xx into void *, but it is
124  * necessary for SSLeay/OpenSSL portability.  It sucks.
125  */
126 
127 static int cb_check_cert_local __P((int, X509_STORE_CTX *));
128 static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
129 static X509 *mem2x509 __P((vchar_t *));
130 
131 static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
132 
133 /* X509 Certificate */
134 /*
135  * convert the string of the subject name into DER
136  * e.g. str = "C=JP, ST=Kanagawa";
137  */
138 vchar_t *
eay_str2asn1dn(str,len)139 eay_str2asn1dn(str, len)
140 	const char *str;
141 	int len;
142 {
143 	X509_NAME *name;
144 	char *buf;
145 	char *field, *value;
146 	int i, j;
147 	vchar_t *ret = NULL;
148 	caddr_t p;
149 
150 	if (len == -1)
151 		len = strlen(str);
152 
153 	buf = racoon_malloc(len + 1);
154 	if (!buf) {
155 		plog(LLV_WARNING, LOCATION, NULL,"failed to allocate buffer\n");
156 		return NULL;
157 	}
158 	memcpy(buf, str, len);
159 
160 	name = X509_NAME_new();
161 
162 	field = &buf[0];
163 	value = NULL;
164 	for (i = 0; i < len; i++) {
165 		if (!value && buf[i] == '=') {
166 			buf[i] = '\0';
167 			value = &buf[i + 1];
168 			continue;
169 		} else if (buf[i] == ',' || buf[i] == '/') {
170 			buf[i] = '\0';
171 
172 			plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n",
173 			     field, value);
174 
175 			if (!value) goto err;
176 			if (!X509_NAME_add_entry_by_txt(name, field,
177 					(value[0] == '*' && value[1] == 0) ?
178 						V_ASN1_PRINTABLESTRING : MBSTRING_ASC,
179 					(unsigned char *) value, -1, -1, 0)) {
180 				plog(LLV_ERROR, LOCATION, NULL,
181 				     "Invalid DN field: %s=%s\n",
182 				     field, value);
183 				plog(LLV_ERROR, LOCATION, NULL,
184 				     "%s\n", eay_strerror());
185 				goto err;
186 			}
187 			for (j = i + 1; j < len; j++) {
188 				if (buf[j] != ' ')
189 					break;
190 			}
191 			field = &buf[j];
192 			value = NULL;
193 			continue;
194 		}
195 	}
196 	buf[len] = '\0';
197 
198 	plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n",
199 	     field, value);
200 
201 	if (!value) goto err;
202 	if (!X509_NAME_add_entry_by_txt(name, field,
203 			(value[0] == '*' && value[1] == 0) ?
204 				V_ASN1_PRINTABLESTRING : MBSTRING_ASC,
205 			(unsigned char *) value, -1, -1, 0)) {
206 		plog(LLV_ERROR, LOCATION, NULL,
207 		     "Invalid DN field: %s=%s\n",
208 		     field, value);
209 		plog(LLV_ERROR, LOCATION, NULL,
210 		     "%s\n", eay_strerror());
211 		goto err;
212 	}
213 
214 	i = i2d_X509_NAME(name, NULL);
215 	if (!i)
216 		goto err;
217 	ret = vmalloc(i);
218 	if (!ret)
219 		goto err;
220 	p = ret->v;
221 	i = i2d_X509_NAME(name, (void *)&p);
222 	if (!i)
223 		goto err;
224 
225 	return ret;
226 
227     err:
228 	if (buf)
229 		racoon_free(buf);
230 	if (name)
231 		X509_NAME_free(name);
232 	if (ret)
233 		vfree(ret);
234 	return NULL;
235 }
236 
237 /*
238  * convert the hex string of the subject name into DER
239  */
240 vchar_t *
eay_hex2asn1dn(const char * hex,int len)241 eay_hex2asn1dn(const char *hex, int len)
242 {
243 	BIGNUM *bn = BN_new();
244 	char *binbuf;
245 	size_t binlen;
246 	vchar_t *ret = NULL;
247 
248 	if (len == -1)
249 		len = strlen(hex);
250 
251 	if (BN_hex2bn(&bn, hex) != len) {
252 		plog(LLV_ERROR, LOCATION, NULL,
253 		     "conversion of Hex-encoded ASN1 string to binary failed: %s\n",
254 		     eay_strerror());
255 		goto out;
256 	}
257 
258 	binlen = BN_num_bytes(bn);
259 	ret = vmalloc(binlen);
260 	if (!ret) {
261 		plog(LLV_WARNING, LOCATION, NULL,"failed to allocate buffer\n");
262 		return NULL;
263 	}
264 	binbuf = ret->v;
265 
266 	BN_bn2bin(bn, (unsigned char *) binbuf);
267 
268 out:
269 	BN_free(bn);
270 
271 	return ret;
272 }
273 
274 /*
275  * The following are derived from code in crypto/x509/x509_cmp.c
276  * in OpenSSL0.9.7c:
277  * X509_NAME_wildcmp() adds wildcard matching to the original
278  * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
279  */
280 #include <ctype.h>
281 /* Case insensitive string comparision */
nocase_cmp(const ASN1_STRING * a,const ASN1_STRING * b)282 static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
283 {
284 	int i;
285 
286 	if (a->length != b->length)
287 		return (a->length - b->length);
288 
289 	for (i=0; i<a->length; i++)
290 	{
291 		int ca, cb;
292 
293 		ca = tolower(a->data[i]);
294 		cb = tolower(b->data[i]);
295 
296 		if (ca != cb)
297 			return(ca-cb);
298 	}
299 	return 0;
300 }
301 
302 /* Case insensitive string comparision with space normalization
303  * Space normalization - ignore leading, trailing spaces,
304  *       multiple spaces between characters are replaced by single space
305  */
nocase_spacenorm_cmp(const ASN1_STRING * a,const ASN1_STRING * b)306 static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
307 {
308 	unsigned char *pa = NULL, *pb = NULL;
309 	int la, lb;
310 
311 	la = a->length;
312 	lb = b->length;
313 	pa = a->data;
314 	pb = b->data;
315 
316 	/* skip leading spaces */
317 	while (la > 0 && isspace(*pa))
318 	{
319 		la--;
320 		pa++;
321 	}
322 	while (lb > 0 && isspace(*pb))
323 	{
324 		lb--;
325 		pb++;
326 	}
327 
328 	/* skip trailing spaces */
329 	while (la > 0 && isspace(pa[la-1]))
330 		la--;
331 	while (lb > 0 && isspace(pb[lb-1]))
332 		lb--;
333 
334 	/* compare strings with space normalization */
335 	while (la > 0 && lb > 0)
336 	{
337 		int ca, cb;
338 
339 		/* compare character */
340 		ca = tolower(*pa);
341 		cb = tolower(*pb);
342 		if (ca != cb)
343 			return (ca - cb);
344 
345 		pa++; pb++;
346 		la--; lb--;
347 
348 		if (la <= 0 || lb <= 0)
349 			break;
350 
351 		/* is white space next character ? */
352 		if (isspace(*pa) && isspace(*pb))
353 		{
354 			/* skip remaining white spaces */
355 			while (la > 0 && isspace(*pa))
356 			{
357 				la--;
358 				pa++;
359 			}
360 			while (lb > 0 && isspace(*pb))
361 			{
362 				lb--;
363 				pb++;
364 			}
365 		}
366 	}
367 	if (la > 0 || lb > 0)
368 		return la - lb;
369 
370 	return 0;
371 }
372 
X509_NAME_wildcmp(const X509_NAME * a,const X509_NAME * b)373 static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
374 {
375     int i,j;
376     X509_NAME_ENTRY *na,*nb;
377 
378     if (sk_X509_NAME_ENTRY_num(a->entries)
379 	!= sk_X509_NAME_ENTRY_num(b->entries))
380 	    return sk_X509_NAME_ENTRY_num(a->entries)
381 	      -sk_X509_NAME_ENTRY_num(b->entries);
382     for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
383     {
384 	    na=sk_X509_NAME_ENTRY_value(a->entries,i);
385 	    nb=sk_X509_NAME_ENTRY_value(b->entries,i);
386 	    j=OBJ_cmp(na->object,nb->object);
387 	    if (j) return(j);
388 	    if ((na->value->length == 1 && na->value->data[0] == '*')
389 	     || (nb->value->length == 1 && nb->value->data[0] == '*'))
390 		    continue;
391 	    j=na->value->type-nb->value->type;
392 	    if (j) return(j);
393 	    if (na->value->type == V_ASN1_PRINTABLESTRING)
394 		    j=nocase_spacenorm_cmp(na->value, nb->value);
395 	    else if (na->value->type == V_ASN1_IA5STRING
396 		    && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
397 		    j=nocase_cmp(na->value, nb->value);
398 	    else
399 		    {
400 		    j=na->value->length-nb->value->length;
401 		    if (j) return(j);
402 		    j=memcmp(na->value->data,nb->value->data,
403 			    na->value->length);
404 		    }
405 	    if (j) return(j);
406 	    j=na->set-nb->set;
407 	    if (j) return(j);
408     }
409 
410     return(0);
411 }
412 
413 /*
414  * compare two subjectNames.
415  * OUT:        0: equal
416  *	positive:
417  *	      -1: other error.
418  */
419 int
eay_cmp_asn1dn(n1,n2)420 eay_cmp_asn1dn(n1, n2)
421 	vchar_t *n1, *n2;
422 {
423 	X509_NAME *a = NULL, *b = NULL;
424 	caddr_t p;
425 	int i = -1;
426 
427 	p = n1->v;
428 	if (!d2i_X509_NAME(&a, (void *)&p, n1->l))
429 		goto end;
430 	p = n2->v;
431 	if (!d2i_X509_NAME(&b, (void *)&p, n2->l))
432 		goto end;
433 
434 	i = X509_NAME_wildcmp(a, b);
435 
436     end:
437 	if (a)
438 		X509_NAME_free(a);
439 	if (b)
440 		X509_NAME_free(b);
441 	return i;
442 }
443 
444 #ifdef ANDROID_CHANGES
445 
BIO_from_android(char * path)446 static BIO *BIO_from_android(char *path)
447 {
448 	void *data;
449 	if (sscanf(path, pname, &data) == 1) {
450 		return BIO_new_mem_buf(data, -1);
451 	}
452 	return NULL;
453 }
454 
455 #endif
456 
457 /*
458  * this functions is derived from apps/verify.c in OpenSSL0.9.5
459  */
460 int
eay_check_x509cert(cert,CApath,CAfile,local)461 eay_check_x509cert(cert, CApath, CAfile, local)
462 	vchar_t *cert;
463 	char *CApath;
464 	char *CAfile;
465 	int local;
466 {
467 	X509_STORE *cert_ctx = NULL;
468 	X509_LOOKUP *lookup = NULL;
469 	X509 *x509 = NULL;
470 	X509_STORE_CTX *csc;
471 	int error = -1;
472 
473 	cert_ctx = X509_STORE_new();
474 	if (cert_ctx == NULL)
475 		goto end;
476 
477 	if (local)
478 		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
479 	else
480 		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
481 
482 #ifdef ANDROID_CHANGES
483 	if (pname) {
484 		BIO *bio = BIO_from_android(CAfile);
485 		STACK_OF(X509_INFO) *stack;
486 		X509_INFO *info;
487 		int i;
488 
489 		if (!bio) {
490 			goto end;
491 		}
492 		stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
493 		BIO_free(bio);
494 		if (!stack) {
495 			goto end;
496 		}
497 		for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
498 			info = sk_X509_INFO_value(stack, i);
499 			if (info->x509) {
500 				X509_STORE_add_cert(cert_ctx, info->x509);
501 			}
502 			if (info->crl) {
503 				X509_STORE_add_crl(cert_ctx, info->crl);
504 			}
505 		}
506 		sk_X509_INFO_pop_free(stack, X509_INFO_free);
507 	} else {
508 #endif
509 	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
510 	if (lookup == NULL)
511 		goto end;
512 
513 	X509_LOOKUP_load_file(lookup, CAfile,
514 	    (CAfile == NULL) ? X509_FILETYPE_DEFAULT : X509_FILETYPE_PEM);
515 
516 	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
517 	if (lookup == NULL)
518 		goto end;
519 	error = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
520 	if(!error) {
521 		error = -1;
522 		goto end;
523 	}
524 	error = -1;	/* initialized */
525 #ifdef ANDROID_CHANGES
526 	}
527 #endif
528 
529 	/* read the certificate to be verified */
530 	x509 = mem2x509(cert);
531 	if (x509 == NULL)
532 		goto end;
533 
534 	csc = X509_STORE_CTX_new();
535 	if (csc == NULL)
536 		goto end;
537 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
538 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
539 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
540 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
541 #endif
542 	error = X509_verify_cert(csc);
543 	X509_STORE_CTX_free(csc);
544 
545 	/*
546 	 * if x509_verify_cert() is successful then the value of error is
547 	 * set non-zero.
548 	 */
549 	error = error ? 0 : -1;
550 
551 end:
552 	if (error)
553 		plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror());
554 	if (cert_ctx != NULL)
555 		X509_STORE_free(cert_ctx);
556 	if (x509 != NULL)
557 		X509_free(x509);
558 
559 	return(error);
560 }
561 
562 /*
563  * callback function for verifing certificate.
564  * this function is derived from cb() in openssl/apps/s_server.c
565  */
566 static int
cb_check_cert_local(ok,ctx)567 cb_check_cert_local(ok, ctx)
568 	int ok;
569 	X509_STORE_CTX *ctx;
570 {
571 	char buf[256];
572 	int log_tag;
573 
574 	if (!ok) {
575 		X509_NAME_oneline(
576 				X509_get_subject_name(ctx->current_cert),
577 				buf,
578 				256);
579 		/*
580 		 * since we are just checking the certificates, it is
581 		 * ok if they are self signed. But we should still warn
582 		 * the user.
583  		 */
584 		switch (ctx->error) {
585 		case X509_V_ERR_CERT_HAS_EXPIRED:
586 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
587 		case X509_V_ERR_INVALID_CA:
588 		case X509_V_ERR_PATH_LENGTH_EXCEEDED:
589 		case X509_V_ERR_INVALID_PURPOSE:
590 		case X509_V_ERR_UNABLE_TO_GET_CRL:
591 			ok = 1;
592 			log_tag = LLV_WARNING;
593 			break;
594 		default:
595 			log_tag = LLV_ERROR;
596 		}
597 		plog(log_tag, LOCATION, NULL,
598 			"%s(%d) at depth:%d SubjectName:%s\n",
599 			X509_verify_cert_error_string(ctx->error),
600 			ctx->error,
601 			ctx->error_depth,
602 			buf);
603 	}
604 	ERR_clear_error();
605 
606 	return ok;
607 }
608 
609 /*
610  * callback function for verifing remote certificates.
611  * this function is derived from cb() in openssl/apps/s_server.c
612  */
613 static int
cb_check_cert_remote(ok,ctx)614 cb_check_cert_remote(ok, ctx)
615 	int ok;
616 	X509_STORE_CTX *ctx;
617 {
618 	char buf[256];
619 	int log_tag;
620 
621 	if (!ok) {
622 		X509_NAME_oneline(
623 				X509_get_subject_name(ctx->current_cert),
624 				buf,
625 				256);
626 		switch (ctx->error) {
627 		case X509_V_ERR_UNABLE_TO_GET_CRL:
628 			ok = 1;
629 			log_tag = LLV_WARNING;
630 			break;
631 		default:
632 			log_tag = LLV_ERROR;
633 		}
634 		plog(log_tag, LOCATION, NULL,
635 			"%s(%d) at depth:%d SubjectName:%s\n",
636 			X509_verify_cert_error_string(ctx->error),
637 			ctx->error,
638 			ctx->error_depth,
639 			buf);
640 	}
641 	ERR_clear_error();
642 
643 	return ok;
644 }
645 
646 /*
647  * get a subjectAltName from X509 certificate.
648  */
649 vchar_t *
eay_get_x509asn1subjectname(cert)650 eay_get_x509asn1subjectname(cert)
651 	vchar_t *cert;
652 {
653 	X509 *x509 = NULL;
654 	u_char *bp;
655 	vchar_t *name = NULL;
656 	int len;
657 
658 	bp = (unsigned char *) cert->v;
659 
660 	x509 = mem2x509(cert);
661 	if (x509 == NULL)
662 		goto error;
663 
664 	/* get the length of the name */
665 	len = i2d_X509_NAME(x509->cert_info->subject, NULL);
666 	name = vmalloc(len);
667 	if (!name)
668 		goto error;
669 	/* get the name */
670 	bp = (unsigned char *) name->v;
671 	len = i2d_X509_NAME(x509->cert_info->subject, &bp);
672 
673 	X509_free(x509);
674 
675 	return name;
676 
677 error:
678 	plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
679 
680 	if (name != NULL)
681 		vfree(name);
682 
683 	if (x509 != NULL)
684 		X509_free(x509);
685 
686 	return NULL;
687 }
688 
689 /*
690  * get the subjectAltName from X509 certificate.
691  * the name must be terminated by '\0'.
692  */
693 int
eay_get_x509subjectaltname(cert,altname,type,pos)694 eay_get_x509subjectaltname(cert, altname, type, pos)
695 	vchar_t *cert;
696 	char **altname;
697 	int *type;
698 	int pos;
699 {
700 	X509 *x509 = NULL;
701 	GENERAL_NAMES *gens = NULL;
702 	GENERAL_NAME *gen;
703 	int len;
704 	int error = -1;
705 
706 	*altname = NULL;
707 	*type = GENT_OTHERNAME;
708 
709 	x509 = mem2x509(cert);
710 	if (x509 == NULL)
711 		goto end;
712 
713 	gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
714 	if (gens == NULL)
715 		goto end;
716 
717 	/* there is no data at "pos" */
718 	if (pos > sk_GENERAL_NAME_num(gens))
719 		goto end;
720 
721 	gen = sk_GENERAL_NAME_value(gens, pos - 1);
722 
723 	/* read DNSName / Email */
724 	if (gen->type == GEN_DNS	||
725 		gen->type == GEN_EMAIL	||
726 		gen->type == GEN_URI )
727 	{
728 		/* make sure if the data is terminated by '\0'. */
729 		if (gen->d.ia5->data[gen->d.ia5->length] != '\0')
730 		{
731 			plog(LLV_ERROR, LOCATION, NULL,
732 				 "data is not terminated by NUL.");
733 			racoon_hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
734 			goto end;
735 		}
736 
737 		len = gen->d.ia5->length + 1;
738 		*altname = racoon_malloc(len);
739 		if (!*altname)
740 			goto end;
741 
742 		strlcpy(*altname, (char *) gen->d.ia5->data, len);
743 		*type = gen->type;
744 		error = 0;
745 	}
746 	/* read IP address */
747 	else if (gen->type == GEN_IPADD)
748 	{
749 		unsigned char p[5], *ip;
750 		ip = p;
751 
752 		/* only support IPv4 */
753 		if (gen->d.ip->length != 4)
754 			goto end;
755 
756 		/* convert Octet String to String
757 		 * XXX ???????
758 		 */
759 		/*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
760 		ip = gen->d.ip->data;
761 
762 		/* XXX Magic, enough for an IPv4 address
763 		 */
764 		*altname = racoon_malloc(20);
765 		if (!*altname)
766 			goto end;
767 
768 		sprintf(*altname, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
769 		*type = gen->type;
770 		error = 0;
771 	}
772 	/* XXX other possible types ?
773 	 * For now, error will be -1 if unsupported type
774 	 */
775 
776 end:
777 	if (error) {
778 		if (*altname) {
779 			racoon_free(*altname);
780 			*altname = NULL;
781 		}
782 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
783 	}
784 	if (x509)
785 		X509_free(x509);
786 	if (gens)
787 		/* free the whole stack. */
788 		sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
789 
790 	return error;
791 }
792 
793 
794 /*
795  * decode a X509 certificate and make a readable text terminated '\n'.
796  * return the buffer allocated, so must free it later.
797  */
798 char *
eay_get_x509text(cert)799 eay_get_x509text(cert)
800 	vchar_t *cert;
801 {
802 	X509 *x509 = NULL;
803 	BIO *bio = NULL;
804 	char *text = NULL;
805 	u_char *bp = NULL;
806 	int len = 0;
807 	int error = -1;
808 
809 	x509 = mem2x509(cert);
810 	if (x509 == NULL)
811 		goto end;
812 
813 	bio = BIO_new(BIO_s_mem());
814 	if (bio == NULL)
815 		goto end;
816 
817 	error = X509_print(bio, x509);
818 	if (error != 1) {
819 		error = -1;
820 		goto end;
821 	}
822 
823 #if defined(ANDROID_CHANGES)
824 	len = BIO_get_mem_data(bio, (char**) &bp);
825 #else
826 	len = BIO_get_mem_data(bio, &bp);
827 #endif
828 	text = racoon_malloc(len + 1);
829 	if (text == NULL)
830 		goto end;
831 	memcpy(text, bp, len);
832 	text[len] = '\0';
833 
834 	error = 0;
835 
836     end:
837 	if (error) {
838 		if (text) {
839 			racoon_free(text);
840 			text = NULL;
841 		}
842 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
843 	}
844 	if (bio)
845 		BIO_free(bio);
846 	if (x509)
847 		X509_free(x509);
848 
849 	return text;
850 }
851 
852 /* get X509 structure from buffer. */
853 static X509 *
mem2x509(cert)854 mem2x509(cert)
855 	vchar_t *cert;
856 {
857 	X509 *x509;
858 
859 #ifndef EAYDEBUG
860     {
861 	u_char *bp;
862 
863 	bp = (unsigned char *) cert->v;
864 
865 	x509 = d2i_X509(NULL, (void *)&bp, cert->l);
866     }
867 #else
868     {
869 	BIO *bio;
870 	int len;
871 
872 	bio = BIO_new(BIO_s_mem());
873 	if (bio == NULL)
874 		return NULL;
875 	len = BIO_write(bio, cert->v, cert->l);
876 	if (len == -1)
877 		return NULL;
878 	x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
879 	BIO_free(bio);
880     }
881 #endif
882 	return x509;
883 }
884 
885 /*
886  * get a X509 certificate from local file.
887  * a certificate must be PEM format.
888  * Input:
889  *	path to a certificate.
890  * Output:
891  *	NULL if error occured
892  *	other is the cert.
893  */
894 vchar_t *
eay_get_x509cert(path)895 eay_get_x509cert(path)
896 	char *path;
897 {
898 	FILE *fp;
899 	X509 *x509;
900 	vchar_t *cert;
901 	u_char *bp;
902 	int len;
903 	int error;
904 
905 #ifdef ANDROID_CHANGES
906 	if (pname) {
907 		BIO *bio = BIO_from_android(path);
908 		if (!bio) {
909 			return NULL;
910 		}
911 		x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
912 		BIO_free(bio);
913 	} else {
914 #endif
915 	/* Read private key */
916 	fp = fopen(path, "r");
917 	if (fp == NULL)
918 		return NULL;
919 	x509 = PEM_read_X509(fp, NULL, NULL, NULL);
920 	fclose (fp);
921 #ifdef ANDROID_CHANGES
922 	}
923 #endif
924 
925 	if (x509 == NULL)
926 		return NULL;
927 
928 	len = i2d_X509(x509, NULL);
929 	cert = vmalloc(len);
930 	if (cert == NULL) {
931 		X509_free(x509);
932 		return NULL;
933 	}
934 	bp = (unsigned char *) cert->v;
935 	error = i2d_X509(x509, &bp);
936 	X509_free(x509);
937 
938 	if (error == 0) {
939 		vfree(cert);
940 		return NULL;
941 	}
942 
943 	return cert;
944 }
945 
946 /*
947  * check a X509 signature
948  *	XXX: to be get hash type from my cert ?
949  *		to be handled EVP_dss().
950  * OUT: return -1 when error.
951  *	0
952  */
953 int
eay_check_x509sign(source,sig,cert)954 eay_check_x509sign(source, sig, cert)
955 	vchar_t *source;
956 	vchar_t *sig;
957 	vchar_t *cert;
958 {
959 	X509 *x509;
960 	u_char *bp;
961 	EVP_PKEY *evp;
962 	int res;
963 
964 	bp = (unsigned char *) cert->v;
965 
966 	x509 = d2i_X509(NULL, (void *)&bp, cert->l);
967 	if (x509 == NULL) {
968 		plog(LLV_ERROR, LOCATION, NULL, "d2i_X509(): %s\n", eay_strerror());
969 		return -1;
970 	}
971 
972 	evp = X509_get_pubkey(x509);
973 	if (! evp) {
974 		plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
975 		X509_free(x509);
976 		return -1;
977 	}
978 
979 	res = eay_rsa_verify(source, sig, evp->pkey.rsa);
980 
981 	EVP_PKEY_free(evp);
982 	X509_free(x509);
983 
984 	return res;
985 }
986 
987 /*
988  * check RSA signature
989  * OUT: return -1 when error.
990  *	0 on success
991  */
992 int
eay_check_rsasign(source,sig,rsa)993 eay_check_rsasign(source, sig, rsa)
994 	vchar_t *source;
995 	vchar_t *sig;
996 	RSA *rsa;
997 {
998 	return eay_rsa_verify(source, sig, rsa);
999 }
1000 
1001 /*
1002  * get PKCS#1 Private Key of PEM format from local file.
1003  */
1004 vchar_t *
eay_get_pkcs1privkey(path)1005 eay_get_pkcs1privkey(path)
1006 	char *path;
1007 {
1008 	FILE *fp;
1009 	EVP_PKEY *evp = NULL;
1010 	vchar_t *pkey = NULL;
1011 	u_char *bp;
1012 	int pkeylen;
1013 	int error = -1;
1014 
1015 #ifdef ANDROID_CHANGES
1016 	if (pname) {
1017 		BIO *bio = BIO_from_android(path);
1018 		if (!bio) {
1019 			return NULL;
1020 		}
1021 		evp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
1022 		BIO_free(bio);
1023 	} else {
1024 #endif
1025 	/* Read private key */
1026 	fp = fopen(path, "r");
1027 	if (fp == NULL)
1028 		return NULL;
1029 
1030 	evp = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
1031 
1032 	fclose (fp);
1033 #ifdef ANDROID_CHANGES
1034 	}
1035 #endif
1036 
1037 	if (evp == NULL)
1038 		return NULL;
1039 
1040 	pkeylen = i2d_PrivateKey(evp, NULL);
1041 	if (pkeylen == 0)
1042 		goto end;
1043 	pkey = vmalloc(pkeylen);
1044 	if (pkey == NULL)
1045 		goto end;
1046 	bp = (unsigned char *) pkey->v;
1047 	pkeylen = i2d_PrivateKey(evp, &bp);
1048 	if (pkeylen == 0)
1049 		goto end;
1050 
1051 	error = 0;
1052 
1053 end:
1054 	if (evp != NULL)
1055 		EVP_PKEY_free(evp);
1056 	if (error != 0 && pkey != NULL) {
1057 		vfree(pkey);
1058 		pkey = NULL;
1059 	}
1060 
1061 	return pkey;
1062 }
1063 
1064 /*
1065  * get PKCS#1 Public Key of PEM format from local file.
1066  */
1067 vchar_t *
eay_get_pkcs1pubkey(path)1068 eay_get_pkcs1pubkey(path)
1069 	char *path;
1070 {
1071 	FILE *fp;
1072 	EVP_PKEY *evp = NULL;
1073 	vchar_t *pkey = NULL;
1074 	X509 *x509 = NULL;
1075 	u_char *bp;
1076 	int pkeylen;
1077 	int error = -1;
1078 
1079 	/* Read private key */
1080 	fp = fopen(path, "r");
1081 	if (fp == NULL)
1082 		return NULL;
1083 
1084 	x509 = PEM_read_X509(fp, NULL, NULL, NULL);
1085 
1086 	fclose (fp);
1087 
1088 	if (x509 == NULL)
1089 		return NULL;
1090 
1091 	/* Get public key - eay */
1092 	evp = X509_get_pubkey(x509);
1093 	if (evp == NULL)
1094 		return NULL;
1095 
1096 	pkeylen = i2d_PublicKey(evp, NULL);
1097 	if (pkeylen == 0)
1098 		goto end;
1099 	pkey = vmalloc(pkeylen);
1100 	if (pkey == NULL)
1101 		goto end;
1102 	bp = (unsigned char *) pkey->v;
1103 	pkeylen = i2d_PublicKey(evp, &bp);
1104 	if (pkeylen == 0)
1105 		goto end;
1106 
1107 	error = 0;
1108 end:
1109 	if (evp != NULL)
1110 		EVP_PKEY_free(evp);
1111 	if (error != 0 && pkey != NULL) {
1112 		vfree(pkey);
1113 		pkey = NULL;
1114 	}
1115 
1116 	return pkey;
1117 }
1118 
1119 vchar_t *
eay_get_x509sign(src,privkey)1120 eay_get_x509sign(src, privkey)
1121 	vchar_t *src, *privkey;
1122 {
1123 	EVP_PKEY *evp;
1124 	u_char *bp = (unsigned char *) privkey->v;
1125 	vchar_t *sig = NULL;
1126 	int len;
1127 	int pad = RSA_PKCS1_PADDING;
1128 
1129 	/* XXX to be handled EVP_PKEY_DSA */
1130 	evp = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (void *)&bp, privkey->l);
1131 	if (evp == NULL)
1132 		return NULL;
1133 
1134 	sig = eay_rsa_sign(src, evp->pkey.rsa);
1135 
1136 	EVP_PKEY_free(evp);
1137 
1138 	return sig;
1139 }
1140 
1141 vchar_t *
eay_get_rsasign(src,rsa)1142 eay_get_rsasign(src, rsa)
1143 	vchar_t *src;
1144 	RSA *rsa;
1145 {
1146 	return eay_rsa_sign(src, rsa);
1147 }
1148 
1149 vchar_t *
eay_rsa_sign(vchar_t * src,RSA * rsa)1150 eay_rsa_sign(vchar_t *src, RSA *rsa)
1151 {
1152 	int len;
1153 	vchar_t *sig = NULL;
1154 	int pad = RSA_PKCS1_PADDING;
1155 
1156 	len = RSA_size(rsa);
1157 
1158 	sig = vmalloc(len);
1159 	if (sig == NULL)
1160 		return NULL;
1161 
1162 	len = RSA_private_encrypt(src->l, (unsigned char *) src->v,
1163 			(unsigned char *) sig->v, rsa, pad);
1164 
1165 	if (len == 0 || len != sig->l) {
1166 		vfree(sig);
1167 		sig = NULL;
1168 	}
1169 
1170 	return sig;
1171 }
1172 
1173 int
eay_rsa_verify(src,sig,rsa)1174 eay_rsa_verify(src, sig, rsa)
1175 	vchar_t *src, *sig;
1176 	RSA *rsa;
1177 {
1178 	vchar_t *xbuf = NULL;
1179 	int pad = RSA_PKCS1_PADDING;
1180 	int len = 0;
1181 	int error;
1182 
1183 	len = RSA_size(rsa);
1184 	xbuf = vmalloc(len);
1185 	if (xbuf == NULL) {
1186 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
1187 		return -1;
1188 	}
1189 
1190 	len = RSA_public_decrypt(sig->l, (unsigned char *) sig->v,
1191 			(unsigned char *) xbuf->v, rsa, pad);
1192 	if (len == 0 || len != src->l) {
1193 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
1194 		vfree(xbuf);
1195 		return -1;
1196 	}
1197 
1198 	error = memcmp(src->v, xbuf->v, src->l);
1199 	vfree(xbuf);
1200 	if (error != 0)
1201 		return -1;
1202 
1203 	return 0;
1204 }
1205 
1206 /*
1207  * get error string
1208  * MUST load ERR_load_crypto_strings() first.
1209  */
1210 char *
eay_strerror()1211 eay_strerror()
1212 {
1213 	static char ebuf[512];
1214 	int len = 0, n;
1215 	unsigned long l;
1216 	char buf[200];
1217 	const char *file, *data;
1218 	int line, flags;
1219 	unsigned long es;
1220 
1221 #if defined(ANDROID_CHANGES)
1222 	es = 0;
1223 #else
1224 	es = CRYPTO_thread_id();
1225 #endif
1226 
1227 	while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
1228 		n = snprintf(ebuf + len, sizeof(ebuf) - len,
1229 				"%lu:%s:%s:%d:%s ",
1230 				es, ERR_error_string(l, buf), file, line,
1231 				(flags & ERR_TXT_STRING) ? data : "");
1232 		if (n < 0 || n >= sizeof(ebuf) - len)
1233 			break;
1234 		len += n;
1235 		if (sizeof(ebuf) < len)
1236 			break;
1237 	}
1238 
1239 	return ebuf;
1240 }
1241 
1242 vchar_t *
evp_crypt(vchar_t * data,vchar_t * key,vchar_t * iv,const EVP_CIPHER * e,int enc)1243 evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
1244 {
1245 	vchar_t *res;
1246 	EVP_CIPHER_CTX ctx;
1247 
1248 	if (!e)
1249 		return NULL;
1250 
1251 	if (data->l % EVP_CIPHER_block_size(e))
1252 		return NULL;
1253 
1254 	if ((res = vmalloc(data->l)) == NULL)
1255 		return NULL;
1256 
1257 	EVP_CIPHER_CTX_init(&ctx);
1258 
1259 #if !defined(OPENSSL_IS_BORINGSSL)
1260 	switch(EVP_CIPHER_nid(e)){
1261 	case NID_bf_cbc:
1262 	case NID_bf_ecb:
1263 	case NID_bf_cfb64:
1264 	case NID_bf_ofb64:
1265 	case NID_cast5_cbc:
1266 	case NID_cast5_ecb:
1267 	case NID_cast5_cfb64:
1268 	case NID_cast5_ofb64:
1269 		/* XXX: can we do that also for algos with a fixed key size ?
1270 		 */
1271 		/* init context without key/iv
1272          */
1273         if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
1274         {
1275             OpenSSL_BUG();
1276             vfree(res);
1277             return NULL;
1278         }
1279 
1280         /* update key size
1281          */
1282         if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
1283         {
1284             OpenSSL_BUG();
1285             vfree(res);
1286             return NULL;
1287         }
1288 
1289         /* finalize context init with desired key size
1290          */
1291         if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
1292 							(u_char *) iv->v, enc))
1293         {
1294             OpenSSL_BUG();
1295             vfree(res);
1296             return NULL;
1297 		}
1298 		break;
1299 	default:
1300 #endif  /* OPENSSL_IS_BORINGSSL */
1301 		if (!EVP_CipherInit(&ctx, e, (u_char *) key->v,
1302 							(u_char *) iv->v, enc)) {
1303 			OpenSSL_BUG();
1304 			vfree(res);
1305 			return NULL;
1306 		}
1307 #if !defined(OPENSSL_IS_BORINGSSL)
1308 	}
1309 #endif
1310 
1311 	/* disable openssl padding */
1312 	EVP_CIPHER_CTX_set_padding(&ctx, 0);
1313 
1314 	if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
1315 		OpenSSL_BUG();
1316 		vfree(res);
1317 		return NULL;
1318 	}
1319 
1320 	EVP_CIPHER_CTX_cleanup(&ctx);
1321 
1322 	return res;
1323 }
1324 
1325 int
evp_weakkey(vchar_t * key,const EVP_CIPHER * e)1326 evp_weakkey(vchar_t *key, const EVP_CIPHER *e)
1327 {
1328 	return 0;
1329 }
1330 
1331 int
evp_keylen(int len,const EVP_CIPHER * e)1332 evp_keylen(int len, const EVP_CIPHER *e)
1333 {
1334 	if (!e)
1335 		return -1;
1336 	/* EVP functions return lengths in bytes, ipsec-tools
1337 	 * uses lengths in bits, therefore conversion is required. --AK
1338 	 */
1339 	if (len != 0 && len != (EVP_CIPHER_key_length(e) << 3))
1340 		return -1;
1341 
1342 	return EVP_CIPHER_key_length(e) << 3;
1343 }
1344 
1345 /*
1346  * DES-CBC
1347  */
1348 vchar_t *
eay_des_encrypt(data,key,iv)1349 eay_des_encrypt(data, key, iv)
1350 	vchar_t *data, *key, *iv;
1351 {
1352 	return evp_crypt(data, key, iv, EVP_des_cbc(), 1);
1353 }
1354 
1355 vchar_t *
eay_des_decrypt(data,key,iv)1356 eay_des_decrypt(data, key, iv)
1357 	vchar_t *data, *key, *iv;
1358 {
1359 	return evp_crypt(data, key, iv, EVP_des_cbc(), 0);
1360 }
1361 
1362 #if defined(OPENSSL_IS_BORINGSSL)
1363 /* BoringSSL doesn't implement DES_is_weak_key because the concept is nonsense.
1364  * Thankfully, ipsec-tools never actually uses the result of this function. */
1365 static int
DES_is_weak_key(const DES_cblock * key)1366 DES_is_weak_key(const DES_cblock *key)
1367 {
1368 	return 0;
1369 }
1370 #endif  /* OPENSSL_IS_BORINGSSL */
1371 
1372 int
eay_des_weakkey(key)1373 eay_des_weakkey(key)
1374 	vchar_t *key;
1375 {
1376 #ifdef USE_NEW_DES_API
1377 	return DES_is_weak_key((void *)key->v);
1378 #else
1379 	return des_is_weak_key((void *)key->v);
1380 #endif
1381 }
1382 
1383 int
eay_des_keylen(len)1384 eay_des_keylen(len)
1385 	int len;
1386 {
1387 	return evp_keylen(len, EVP_des_cbc());
1388 }
1389 
1390 #ifdef HAVE_OPENSSL_IDEA_H
1391 /*
1392  * IDEA-CBC
1393  */
1394 vchar_t *
eay_idea_encrypt(data,key,iv)1395 eay_idea_encrypt(data, key, iv)
1396 	vchar_t *data, *key, *iv;
1397 {
1398 	vchar_t *res;
1399 	IDEA_KEY_SCHEDULE ks;
1400 
1401 	idea_set_encrypt_key((unsigned char *)key->v, &ks);
1402 
1403 	/* allocate buffer for result */
1404 	if ((res = vmalloc(data->l)) == NULL)
1405 		return NULL;
1406 
1407 	/* decryption data */
1408 	idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
1409 			&ks, (unsigned char *)iv->v, IDEA_ENCRYPT);
1410 
1411 	return res;
1412 }
1413 
1414 vchar_t *
eay_idea_decrypt(data,key,iv)1415 eay_idea_decrypt(data, key, iv)
1416 	vchar_t *data, *key, *iv;
1417 {
1418 	vchar_t *res;
1419 	IDEA_KEY_SCHEDULE ks, dks;
1420 
1421 	idea_set_encrypt_key((unsigned char *)key->v, &ks);
1422 	idea_set_decrypt_key(&ks, &dks);
1423 
1424 	/* allocate buffer for result */
1425 	if ((res = vmalloc(data->l)) == NULL)
1426 		return NULL;
1427 
1428 	/* decryption data */
1429 	idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
1430 			&dks, (unsigned char *)iv->v, IDEA_DECRYPT);
1431 
1432 	return res;
1433 }
1434 
1435 int
eay_idea_weakkey(key)1436 eay_idea_weakkey(key)
1437 	vchar_t *key;
1438 {
1439 	return 0;       /* XXX */
1440 }
1441 
1442 int
eay_idea_keylen(len)1443 eay_idea_keylen(len)
1444 	int len;
1445 {
1446 	if (len != 0 && len != 128)
1447 		return -1;
1448 	return 128;
1449 }
1450 #endif
1451 
1452 /*
1453  * BLOWFISH-CBC
1454  */
1455 vchar_t *
eay_bf_encrypt(data,key,iv)1456 eay_bf_encrypt(data, key, iv)
1457 	vchar_t *data, *key, *iv;
1458 {
1459 	return evp_crypt(data, key, iv, EVP_bf_cbc(), 1);
1460 }
1461 
1462 vchar_t *
eay_bf_decrypt(data,key,iv)1463 eay_bf_decrypt(data, key, iv)
1464 	vchar_t *data, *key, *iv;
1465 {
1466 	return evp_crypt(data, key, iv, EVP_bf_cbc(), 0);
1467 }
1468 
1469 int
eay_bf_weakkey(key)1470 eay_bf_weakkey(key)
1471 	vchar_t *key;
1472 {
1473 	return 0;	/* XXX to be done. refer to RFC 2451 */
1474 }
1475 
1476 int
eay_bf_keylen(len)1477 eay_bf_keylen(len)
1478 	int len;
1479 {
1480 	if (len == 0)
1481 		return 448;
1482 	if (len < 40 || len > 448)
1483 		return -1;
1484 	return len;
1485 }
1486 
1487 #ifdef HAVE_OPENSSL_RC5_H
1488 /*
1489  * RC5-CBC
1490  */
1491 vchar_t *
eay_rc5_encrypt(data,key,iv)1492 eay_rc5_encrypt(data, key, iv)
1493 	vchar_t *data, *key, *iv;
1494 {
1495 	vchar_t *res;
1496 	RC5_32_KEY ks;
1497 
1498 	/* in RFC 2451, there is information about the number of round. */
1499 	RC5_32_set_key(&ks, key->l, (unsigned char *)key->v, 16);
1500 
1501 	/* allocate buffer for result */
1502 	if ((res = vmalloc(data->l)) == NULL)
1503 		return NULL;
1504 
1505 	/* decryption data */
1506 	RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
1507 		&ks, (unsigned char *)iv->v, RC5_ENCRYPT);
1508 
1509 	return res;
1510 }
1511 
1512 vchar_t *
eay_rc5_decrypt(data,key,iv)1513 eay_rc5_decrypt(data, key, iv)
1514 	vchar_t *data, *key, *iv;
1515 {
1516 	vchar_t *res;
1517 	RC5_32_KEY ks;
1518 
1519 	/* in RFC 2451, there is information about the number of round. */
1520 	RC5_32_set_key(&ks, key->l, (unsigned char *)key->v, 16);
1521 
1522 	/* allocate buffer for result */
1523 	if ((res = vmalloc(data->l)) == NULL)
1524 		return NULL;
1525 
1526 	/* decryption data */
1527 	RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
1528 		&ks, (unsigned char *)iv->v, RC5_DECRYPT);
1529 
1530 	return res;
1531 }
1532 
1533 int
eay_rc5_weakkey(key)1534 eay_rc5_weakkey(key)
1535 	vchar_t *key;
1536 {
1537 	return 0;       /* No known weak keys when used with 16 rounds. */
1538 
1539 }
1540 
1541 int
eay_rc5_keylen(len)1542 eay_rc5_keylen(len)
1543 	int len;
1544 {
1545 	if (len == 0)
1546 		return 128;
1547 	if (len < 40 || len > 2040)
1548 		return -1;
1549 	return len;
1550 }
1551 #endif
1552 
1553 /*
1554  * 3DES-CBC
1555  */
1556 vchar_t *
eay_3des_encrypt(data,key,iv)1557 eay_3des_encrypt(data, key, iv)
1558 	vchar_t *data, *key, *iv;
1559 {
1560 	return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 1);
1561 }
1562 
1563 vchar_t *
eay_3des_decrypt(data,key,iv)1564 eay_3des_decrypt(data, key, iv)
1565 	vchar_t *data, *key, *iv;
1566 {
1567 	return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 0);
1568 }
1569 
1570 int
eay_3des_weakkey(key)1571 eay_3des_weakkey(key)
1572 	vchar_t *key;
1573 {
1574 #ifdef USE_NEW_DES_API
1575 	return (DES_is_weak_key((void *)key->v) ||
1576 	    DES_is_weak_key((void *)(key->v + 8)) ||
1577 	    DES_is_weak_key((void *)(key->v + 16)));
1578 #else
1579 	if (key->l < 24)
1580 		return 0;
1581 
1582 	return (des_is_weak_key((void *)key->v) ||
1583 	    des_is_weak_key((void *)(key->v + 8)) ||
1584 	    des_is_weak_key((void *)(key->v + 16)));
1585 #endif
1586 }
1587 
1588 int
eay_3des_keylen(len)1589 eay_3des_keylen(len)
1590 	int len;
1591 {
1592 	if (len != 0 && len != 192)
1593 		return -1;
1594 	return 192;
1595 }
1596 
1597 /*
1598  * CAST-CBC
1599  */
1600 vchar_t *
eay_cast_encrypt(data,key,iv)1601 eay_cast_encrypt(data, key, iv)
1602 	vchar_t *data, *key, *iv;
1603 {
1604 	return evp_crypt(data, key, iv, EVP_cast5_cbc(), 1);
1605 }
1606 
1607 vchar_t *
eay_cast_decrypt(data,key,iv)1608 eay_cast_decrypt(data, key, iv)
1609 	vchar_t *data, *key, *iv;
1610 {
1611 	return evp_crypt(data, key, iv, EVP_cast5_cbc(), 0);
1612 }
1613 
1614 int
eay_cast_weakkey(key)1615 eay_cast_weakkey(key)
1616 	vchar_t *key;
1617 {
1618 	return 0;	/* No known weak keys. */
1619 }
1620 
1621 int
eay_cast_keylen(len)1622 eay_cast_keylen(len)
1623 	int len;
1624 {
1625 	if (len == 0)
1626 		return 128;
1627 	if (len < 40 || len > 128)
1628 		return -1;
1629 	return len;
1630 }
1631 
1632 /*
1633  * AES(RIJNDAEL)-CBC
1634  */
1635 #ifndef HAVE_OPENSSL_AES_H
1636 vchar_t *
eay_aes_encrypt(data,key,iv)1637 eay_aes_encrypt(data, key, iv)
1638 	vchar_t *data, *key, *iv;
1639 {
1640 	vchar_t *res;
1641 	keyInstance k;
1642 	cipherInstance c;
1643 
1644 	memset(&k, 0, sizeof(k));
1645 	if (rijndael_makeKey(&k, DIR_ENCRYPT, key->l << 3, key->v) < 0)
1646 		return NULL;
1647 
1648 	/* allocate buffer for result */
1649 	if ((res = vmalloc(data->l)) == NULL)
1650 		return NULL;
1651 
1652 	/* encryption data */
1653 	memset(&c, 0, sizeof(c));
1654 	if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){
1655 		vfree(res);
1656 		return NULL;
1657 	}
1658 	if (rijndael_blockEncrypt(&c, &k, data->v, data->l << 3, res->v) < 0){
1659 		vfree(res);
1660 		return NULL;
1661 	}
1662 
1663 	return res;
1664 }
1665 
1666 vchar_t *
eay_aes_decrypt(data,key,iv)1667 eay_aes_decrypt(data, key, iv)
1668 	vchar_t *data, *key, *iv;
1669 {
1670 	vchar_t *res;
1671 	keyInstance k;
1672 	cipherInstance c;
1673 
1674 	memset(&k, 0, sizeof(k));
1675 	if (rijndael_makeKey(&k, DIR_DECRYPT, key->l << 3, key->v) < 0)
1676 		return NULL;
1677 
1678 	/* allocate buffer for result */
1679 	if ((res = vmalloc(data->l)) == NULL)
1680 		return NULL;
1681 
1682 	/* decryption data */
1683 	memset(&c, 0, sizeof(c));
1684 	if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){
1685 		vfree(res);
1686 		return NULL;
1687 	}
1688 	if (rijndael_blockDecrypt(&c, &k, data->v, data->l << 3, res->v) < 0){
1689 		vfree(res);
1690 		return NULL;
1691 	}
1692 
1693 	return res;
1694 }
1695 #else
1696 static inline const EVP_CIPHER *
aes_evp_by_keylen(int keylen)1697 aes_evp_by_keylen(int keylen)
1698 {
1699 	switch(keylen) {
1700 		case 16:
1701 		case 128:
1702 			return EVP_aes_128_cbc();
1703 #if !defined(ANDROID_CHANGES)
1704 		case 24:
1705 		case 192:
1706 			return EVP_aes_192_cbc();
1707 #endif
1708 		case 32:
1709 		case 256:
1710 			return EVP_aes_256_cbc();
1711 		default:
1712 			return NULL;
1713 	}
1714 }
1715 
1716 vchar_t *
eay_aes_encrypt(data,key,iv)1717 eay_aes_encrypt(data, key, iv)
1718        vchar_t *data, *key, *iv;
1719 {
1720 	return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 1);
1721 }
1722 
1723 vchar_t *
eay_aes_decrypt(data,key,iv)1724 eay_aes_decrypt(data, key, iv)
1725        vchar_t *data, *key, *iv;
1726 {
1727 	return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 0);
1728 }
1729 #endif
1730 
1731 int
eay_aes_weakkey(key)1732 eay_aes_weakkey(key)
1733 	vchar_t *key;
1734 {
1735 	return 0;
1736 }
1737 
1738 int
eay_aes_keylen(len)1739 eay_aes_keylen(len)
1740 	int len;
1741 {
1742 	if (len == 0)
1743 		return 128;
1744 	if (len != 128 && len != 192 && len != 256)
1745 		return -1;
1746 	return len;
1747 }
1748 
1749 #if defined(HAVE_OPENSSL_CAMELLIA_H)
1750 /*
1751  * CAMELLIA-CBC
1752  */
1753 static inline const EVP_CIPHER *
camellia_evp_by_keylen(int keylen)1754 camellia_evp_by_keylen(int keylen)
1755 {
1756 	switch(keylen) {
1757 		case 16:
1758 		case 128:
1759 			return EVP_camellia_128_cbc();
1760 		case 24:
1761 		case 192:
1762 			return EVP_camellia_192_cbc();
1763 		case 32:
1764 		case 256:
1765 			return EVP_camellia_256_cbc();
1766 		default:
1767 			return NULL;
1768 	}
1769 }
1770 
1771 vchar_t *
eay_camellia_encrypt(data,key,iv)1772 eay_camellia_encrypt(data, key, iv)
1773        vchar_t *data, *key, *iv;
1774 {
1775 	return evp_crypt(data, key, iv, camellia_evp_by_keylen(key->l), 1);
1776 }
1777 
1778 vchar_t *
eay_camellia_decrypt(data,key,iv)1779 eay_camellia_decrypt(data, key, iv)
1780        vchar_t *data, *key, *iv;
1781 {
1782 	return evp_crypt(data, key, iv, camellia_evp_by_keylen(key->l), 0);
1783 }
1784 
1785 int
eay_camellia_weakkey(key)1786 eay_camellia_weakkey(key)
1787 	vchar_t *key;
1788 {
1789 	return 0;
1790 }
1791 
1792 int
eay_camellia_keylen(len)1793 eay_camellia_keylen(len)
1794 	int len;
1795 {
1796 	if (len == 0)
1797 		return 128;
1798 	if (len != 128 && len != 192 && len != 256)
1799 		return -1;
1800 	return len;
1801 }
1802 
1803 #endif
1804 
1805 /* for ipsec part */
1806 int
eay_null_hashlen()1807 eay_null_hashlen()
1808 {
1809 	return 0;
1810 }
1811 
1812 int
eay_kpdk_hashlen()1813 eay_kpdk_hashlen()
1814 {
1815 	return 0;
1816 }
1817 
1818 int
eay_twofish_keylen(len)1819 eay_twofish_keylen(len)
1820 	int len;
1821 {
1822 	if (len < 0 || len > 256)
1823 		return -1;
1824 	return len;
1825 }
1826 
1827 int
eay_null_keylen(len)1828 eay_null_keylen(len)
1829 	int len;
1830 {
1831 	return 0;
1832 }
1833 
1834 /*
1835  * HMAC functions
1836  */
1837 static caddr_t
eay_hmac_init(key,md)1838 eay_hmac_init(key, md)
1839 	vchar_t *key;
1840 	const EVP_MD *md;
1841 {
1842 	HMAC_CTX *c = racoon_malloc(sizeof(*c));
1843 
1844 	HMAC_Init(c, key->v, key->l, md);
1845 
1846 	return (caddr_t)c;
1847 }
1848 
1849 #ifdef WITH_SHA2
1850 /*
1851  * HMAC SHA2-512
1852  */
1853 vchar_t *
eay_hmacsha2_512_one(key,data)1854 eay_hmacsha2_512_one(key, data)
1855 	vchar_t *key, *data;
1856 {
1857 	vchar_t *res;
1858 	caddr_t ctx;
1859 
1860 	ctx = eay_hmacsha2_512_init(key);
1861 	eay_hmacsha2_512_update(ctx, data);
1862 	res = eay_hmacsha2_512_final(ctx);
1863 
1864 	return(res);
1865 }
1866 
1867 caddr_t
eay_hmacsha2_512_init(key)1868 eay_hmacsha2_512_init(key)
1869 	vchar_t *key;
1870 {
1871 	return eay_hmac_init(key, EVP_sha2_512());
1872 }
1873 
1874 void
eay_hmacsha2_512_update(c,data)1875 eay_hmacsha2_512_update(c, data)
1876 	caddr_t c;
1877 	vchar_t *data;
1878 {
1879 	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
1880 }
1881 
1882 vchar_t *
eay_hmacsha2_512_final(c)1883 eay_hmacsha2_512_final(c)
1884 	caddr_t c;
1885 {
1886 	vchar_t *res;
1887 	unsigned int l;
1888 
1889 	if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
1890 		return NULL;
1891 
1892 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
1893 	res->l = l;
1894 	HMAC_cleanup((HMAC_CTX *)c);
1895 	(void)racoon_free(c);
1896 
1897 	if (SHA512_DIGEST_LENGTH != res->l) {
1898 		plog(LLV_ERROR, LOCATION, NULL,
1899 			"hmac sha2_512 length mismatch %zd.\n", res->l);
1900 		vfree(res);
1901 		return NULL;
1902 	}
1903 
1904 	return(res);
1905 }
1906 
1907 /*
1908  * HMAC SHA2-384
1909  */
1910 vchar_t *
eay_hmacsha2_384_one(key,data)1911 eay_hmacsha2_384_one(key, data)
1912 	vchar_t *key, *data;
1913 {
1914 	vchar_t *res;
1915 	caddr_t ctx;
1916 
1917 	ctx = eay_hmacsha2_384_init(key);
1918 	eay_hmacsha2_384_update(ctx, data);
1919 	res = eay_hmacsha2_384_final(ctx);
1920 
1921 	return(res);
1922 }
1923 
1924 caddr_t
eay_hmacsha2_384_init(key)1925 eay_hmacsha2_384_init(key)
1926 	vchar_t *key;
1927 {
1928 	return eay_hmac_init(key, EVP_sha2_384());
1929 }
1930 
1931 void
eay_hmacsha2_384_update(c,data)1932 eay_hmacsha2_384_update(c, data)
1933 	caddr_t c;
1934 	vchar_t *data;
1935 {
1936 	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
1937 }
1938 
1939 vchar_t *
eay_hmacsha2_384_final(c)1940 eay_hmacsha2_384_final(c)
1941 	caddr_t c;
1942 {
1943 	vchar_t *res;
1944 	unsigned int l;
1945 
1946 	if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
1947 		return NULL;
1948 
1949 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
1950 	res->l = l;
1951 	HMAC_cleanup((HMAC_CTX *)c);
1952 	(void)racoon_free(c);
1953 
1954 	if (SHA384_DIGEST_LENGTH != res->l) {
1955 		plog(LLV_ERROR, LOCATION, NULL,
1956 			"hmac sha2_384 length mismatch %zd.\n", res->l);
1957 		vfree(res);
1958 		return NULL;
1959 	}
1960 
1961 	return(res);
1962 }
1963 
1964 /*
1965  * HMAC SHA2-256
1966  */
1967 vchar_t *
eay_hmacsha2_256_one(key,data)1968 eay_hmacsha2_256_one(key, data)
1969 	vchar_t *key, *data;
1970 {
1971 	vchar_t *res;
1972 	caddr_t ctx;
1973 
1974 	ctx = eay_hmacsha2_256_init(key);
1975 	eay_hmacsha2_256_update(ctx, data);
1976 	res = eay_hmacsha2_256_final(ctx);
1977 
1978 	return(res);
1979 }
1980 
1981 caddr_t
eay_hmacsha2_256_init(key)1982 eay_hmacsha2_256_init(key)
1983 	vchar_t *key;
1984 {
1985 	return eay_hmac_init(key, EVP_sha2_256());
1986 }
1987 
1988 void
eay_hmacsha2_256_update(c,data)1989 eay_hmacsha2_256_update(c, data)
1990 	caddr_t c;
1991 	vchar_t *data;
1992 {
1993 	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
1994 }
1995 
1996 vchar_t *
eay_hmacsha2_256_final(c)1997 eay_hmacsha2_256_final(c)
1998 	caddr_t c;
1999 {
2000 	vchar_t *res;
2001 	unsigned int l;
2002 
2003 	if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
2004 		return NULL;
2005 
2006 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
2007 	res->l = l;
2008 	HMAC_cleanup((HMAC_CTX *)c);
2009 	(void)racoon_free(c);
2010 
2011 	if (SHA256_DIGEST_LENGTH != res->l) {
2012 		plog(LLV_ERROR, LOCATION, NULL,
2013 			"hmac sha2_256 length mismatch %zd.\n", res->l);
2014 		vfree(res);
2015 		return NULL;
2016 	}
2017 
2018 	return(res);
2019 }
2020 #endif	/* WITH_SHA2 */
2021 
2022 /*
2023  * HMAC SHA1
2024  */
2025 vchar_t *
eay_hmacsha1_one(key,data)2026 eay_hmacsha1_one(key, data)
2027 	vchar_t *key, *data;
2028 {
2029 	vchar_t *res;
2030 	caddr_t ctx;
2031 
2032 	ctx = eay_hmacsha1_init(key);
2033 	eay_hmacsha1_update(ctx, data);
2034 	res = eay_hmacsha1_final(ctx);
2035 
2036 	return(res);
2037 }
2038 
2039 caddr_t
eay_hmacsha1_init(key)2040 eay_hmacsha1_init(key)
2041 	vchar_t *key;
2042 {
2043 	return eay_hmac_init(key, EVP_sha1());
2044 }
2045 
2046 void
eay_hmacsha1_update(c,data)2047 eay_hmacsha1_update(c, data)
2048 	caddr_t c;
2049 	vchar_t *data;
2050 {
2051 	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
2052 }
2053 
2054 vchar_t *
eay_hmacsha1_final(c)2055 eay_hmacsha1_final(c)
2056 	caddr_t c;
2057 {
2058 	vchar_t *res;
2059 	unsigned int l;
2060 
2061 	if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
2062 		return NULL;
2063 
2064 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
2065 	res->l = l;
2066 	HMAC_cleanup((HMAC_CTX *)c);
2067 	(void)racoon_free(c);
2068 
2069 	if (SHA_DIGEST_LENGTH != res->l) {
2070 		plog(LLV_ERROR, LOCATION, NULL,
2071 			"hmac sha1 length mismatch %zd.\n", res->l);
2072 		vfree(res);
2073 		return NULL;
2074 	}
2075 
2076 	return(res);
2077 }
2078 
2079 /*
2080  * HMAC MD5
2081  */
2082 vchar_t *
eay_hmacmd5_one(key,data)2083 eay_hmacmd5_one(key, data)
2084 	vchar_t *key, *data;
2085 {
2086 	vchar_t *res;
2087 	caddr_t ctx;
2088 
2089 	ctx = eay_hmacmd5_init(key);
2090 	eay_hmacmd5_update(ctx, data);
2091 	res = eay_hmacmd5_final(ctx);
2092 
2093 	return(res);
2094 }
2095 
2096 caddr_t
eay_hmacmd5_init(key)2097 eay_hmacmd5_init(key)
2098 	vchar_t *key;
2099 {
2100 	return eay_hmac_init(key, EVP_md5());
2101 }
2102 
2103 void
eay_hmacmd5_update(c,data)2104 eay_hmacmd5_update(c, data)
2105 	caddr_t c;
2106 	vchar_t *data;
2107 {
2108 	HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
2109 }
2110 
2111 vchar_t *
eay_hmacmd5_final(c)2112 eay_hmacmd5_final(c)
2113 	caddr_t c;
2114 {
2115 	vchar_t *res;
2116 	unsigned int l;
2117 
2118 	if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
2119 		return NULL;
2120 
2121 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
2122 	res->l = l;
2123 	HMAC_cleanup((HMAC_CTX *)c);
2124 	(void)racoon_free(c);
2125 
2126 	if (MD5_DIGEST_LENGTH != res->l) {
2127 		plog(LLV_ERROR, LOCATION, NULL,
2128 			"hmac md5 length mismatch %zd.\n", res->l);
2129 		vfree(res);
2130 		return NULL;
2131 	}
2132 
2133 	return(res);
2134 }
2135 
2136 #ifdef WITH_SHA2
2137 /*
2138  * SHA2-512 functions
2139  */
2140 caddr_t
eay_sha2_512_init()2141 eay_sha2_512_init()
2142 {
2143 	SHA512_CTX *c = racoon_malloc(sizeof(*c));
2144 
2145 	SHA512_Init(c);
2146 
2147 	return((caddr_t)c);
2148 }
2149 
2150 void
eay_sha2_512_update(c,data)2151 eay_sha2_512_update(c, data)
2152 	caddr_t c;
2153 	vchar_t *data;
2154 {
2155 	SHA512_Update((SHA512_CTX *)c, (unsigned char *) data->v, data->l);
2156 
2157 	return;
2158 }
2159 
2160 vchar_t *
eay_sha2_512_final(c)2161 eay_sha2_512_final(c)
2162 	caddr_t c;
2163 {
2164 	vchar_t *res;
2165 
2166 	if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
2167 		return(0);
2168 
2169 	SHA512_Final((unsigned char *) res->v, (SHA512_CTX *)c);
2170 	(void)racoon_free(c);
2171 
2172 	return(res);
2173 }
2174 
2175 vchar_t *
eay_sha2_512_one(data)2176 eay_sha2_512_one(data)
2177 	vchar_t *data;
2178 {
2179 	caddr_t ctx;
2180 	vchar_t *res;
2181 
2182 	ctx = eay_sha2_512_init();
2183 	eay_sha2_512_update(ctx, data);
2184 	res = eay_sha2_512_final(ctx);
2185 
2186 	return(res);
2187 }
2188 
2189 int
eay_sha2_512_hashlen()2190 eay_sha2_512_hashlen()
2191 {
2192 	return SHA512_DIGEST_LENGTH << 3;
2193 }
2194 #endif
2195 
2196 #ifdef WITH_SHA2
2197 /*
2198  * SHA2-384 functions
2199  */
2200 caddr_t
eay_sha2_384_init()2201 eay_sha2_384_init()
2202 {
2203 	SHA384_CTX *c = racoon_malloc(sizeof(*c));
2204 
2205 	SHA384_Init(c);
2206 
2207 	return((caddr_t)c);
2208 }
2209 
2210 void
eay_sha2_384_update(c,data)2211 eay_sha2_384_update(c, data)
2212 	caddr_t c;
2213 	vchar_t *data;
2214 {
2215 	SHA384_Update((SHA384_CTX *)c, (unsigned char *) data->v, data->l);
2216 
2217 	return;
2218 }
2219 
2220 vchar_t *
eay_sha2_384_final(c)2221 eay_sha2_384_final(c)
2222 	caddr_t c;
2223 {
2224 	vchar_t *res;
2225 
2226 	if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
2227 		return(0);
2228 
2229 	SHA384_Final((unsigned char *) res->v, (SHA384_CTX *)c);
2230 	(void)racoon_free(c);
2231 
2232 	return(res);
2233 }
2234 
2235 vchar_t *
eay_sha2_384_one(data)2236 eay_sha2_384_one(data)
2237 	vchar_t *data;
2238 {
2239 	caddr_t ctx;
2240 	vchar_t *res;
2241 
2242 	ctx = eay_sha2_384_init();
2243 	eay_sha2_384_update(ctx, data);
2244 	res = eay_sha2_384_final(ctx);
2245 
2246 	return(res);
2247 }
2248 
2249 int
eay_sha2_384_hashlen()2250 eay_sha2_384_hashlen()
2251 {
2252 	return SHA384_DIGEST_LENGTH << 3;
2253 }
2254 #endif
2255 
2256 #ifdef WITH_SHA2
2257 /*
2258  * SHA2-256 functions
2259  */
2260 caddr_t
eay_sha2_256_init()2261 eay_sha2_256_init()
2262 {
2263 	SHA256_CTX *c = racoon_malloc(sizeof(*c));
2264 
2265 	SHA256_Init(c);
2266 
2267 	return((caddr_t)c);
2268 }
2269 
2270 void
eay_sha2_256_update(c,data)2271 eay_sha2_256_update(c, data)
2272 	caddr_t c;
2273 	vchar_t *data;
2274 {
2275 	SHA256_Update((SHA256_CTX *)c, (unsigned char *) data->v, data->l);
2276 
2277 	return;
2278 }
2279 
2280 vchar_t *
eay_sha2_256_final(c)2281 eay_sha2_256_final(c)
2282 	caddr_t c;
2283 {
2284 	vchar_t *res;
2285 
2286 	if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
2287 		return(0);
2288 
2289 	SHA256_Final((unsigned char *) res->v, (SHA256_CTX *)c);
2290 	(void)racoon_free(c);
2291 
2292 	return(res);
2293 }
2294 
2295 vchar_t *
eay_sha2_256_one(data)2296 eay_sha2_256_one(data)
2297 	vchar_t *data;
2298 {
2299 	caddr_t ctx;
2300 	vchar_t *res;
2301 
2302 	ctx = eay_sha2_256_init();
2303 	eay_sha2_256_update(ctx, data);
2304 	res = eay_sha2_256_final(ctx);
2305 
2306 	return(res);
2307 }
2308 
2309 int
eay_sha2_256_hashlen()2310 eay_sha2_256_hashlen()
2311 {
2312 	return SHA256_DIGEST_LENGTH << 3;
2313 }
2314 #endif
2315 
2316 /*
2317  * SHA functions
2318  */
2319 caddr_t
eay_sha1_init()2320 eay_sha1_init()
2321 {
2322 	SHA_CTX *c = racoon_malloc(sizeof(*c));
2323 
2324 	SHA1_Init(c);
2325 
2326 	return((caddr_t)c);
2327 }
2328 
2329 void
eay_sha1_update(c,data)2330 eay_sha1_update(c, data)
2331 	caddr_t c;
2332 	vchar_t *data;
2333 {
2334 	SHA1_Update((SHA_CTX *)c, data->v, data->l);
2335 
2336 	return;
2337 }
2338 
2339 vchar_t *
eay_sha1_final(c)2340 eay_sha1_final(c)
2341 	caddr_t c;
2342 {
2343 	vchar_t *res;
2344 
2345 	if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
2346 		return(0);
2347 
2348 	SHA1_Final((unsigned char *) res->v, (SHA_CTX *)c);
2349 	(void)racoon_free(c);
2350 
2351 	return(res);
2352 }
2353 
2354 vchar_t *
eay_sha1_one(data)2355 eay_sha1_one(data)
2356 	vchar_t *data;
2357 {
2358 	caddr_t ctx;
2359 	vchar_t *res;
2360 
2361 	ctx = eay_sha1_init();
2362 	eay_sha1_update(ctx, data);
2363 	res = eay_sha1_final(ctx);
2364 
2365 	return(res);
2366 }
2367 
2368 int
eay_sha1_hashlen()2369 eay_sha1_hashlen()
2370 {
2371 	return SHA_DIGEST_LENGTH << 3;
2372 }
2373 
2374 /*
2375  * MD5 functions
2376  */
2377 caddr_t
eay_md5_init()2378 eay_md5_init()
2379 {
2380 	MD5_CTX *c = racoon_malloc(sizeof(*c));
2381 
2382 	MD5_Init(c);
2383 
2384 	return((caddr_t)c);
2385 }
2386 
2387 void
eay_md5_update(c,data)2388 eay_md5_update(c, data)
2389 	caddr_t c;
2390 	vchar_t *data;
2391 {
2392 	MD5_Update((MD5_CTX *)c, data->v, data->l);
2393 
2394 	return;
2395 }
2396 
2397 vchar_t *
eay_md5_final(c)2398 eay_md5_final(c)
2399 	caddr_t c;
2400 {
2401 	vchar_t *res;
2402 
2403 	if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
2404 		return(0);
2405 
2406 	MD5_Final((unsigned char *) res->v, (MD5_CTX *)c);
2407 	(void)racoon_free(c);
2408 
2409 	return(res);
2410 }
2411 
2412 vchar_t *
eay_md5_one(data)2413 eay_md5_one(data)
2414 	vchar_t *data;
2415 {
2416 	caddr_t ctx;
2417 	vchar_t *res;
2418 
2419 	ctx = eay_md5_init();
2420 	eay_md5_update(ctx, data);
2421 	res = eay_md5_final(ctx);
2422 
2423 	return(res);
2424 }
2425 
2426 int
eay_md5_hashlen()2427 eay_md5_hashlen()
2428 {
2429 	return MD5_DIGEST_LENGTH << 3;
2430 }
2431 
2432 /*
2433  * eay_set_random
2434  *   size: number of bytes.
2435  */
2436 vchar_t *
eay_set_random(size)2437 eay_set_random(size)
2438 	u_int32_t size;
2439 {
2440 	BIGNUM *r = NULL;
2441 	vchar_t *res = 0;
2442 
2443 	if ((r = BN_new()) == NULL)
2444 		goto end;
2445 	BN_rand(r, size * 8, 0, 0);
2446 	eay_bn2v(&res, r);
2447 
2448 end:
2449 	if (r)
2450 		BN_free(r);
2451 	return(res);
2452 }
2453 
2454 /* DH */
2455 int
eay_dh_generate(prime,g,publen,pub,priv)2456 eay_dh_generate(prime, g, publen, pub, priv)
2457 	vchar_t *prime, **pub, **priv;
2458 	u_int publen;
2459 	u_int32_t g;
2460 {
2461 	BIGNUM *p = NULL;
2462 	DH *dh = NULL;
2463 	int error = -1;
2464 
2465 	/* initialize */
2466 	/* pre-process to generate number */
2467 	if (eay_v2bn(&p, prime) < 0)
2468 		goto end;
2469 
2470 	if ((dh = DH_new()) == NULL)
2471 		goto end;
2472 	dh->p = p;
2473 	p = NULL;	/* p is now part of dh structure */
2474 	dh->g = NULL;
2475 	if ((dh->g = BN_new()) == NULL)
2476 		goto end;
2477 	if (!BN_set_word(dh->g, g))
2478 		goto end;
2479 
2480 	if (publen != 0) {
2481 #if defined(OPENSSL_IS_BORINGSSL)
2482 		dh->priv_length = publen;
2483 #else
2484 		dh->length = publen;
2485 #endif
2486 	}
2487 
2488 	/* generate public and private number */
2489 	if (!DH_generate_key(dh))
2490 		goto end;
2491 
2492 	/* copy results to buffers */
2493 	if (eay_bn2v(pub, dh->pub_key) < 0)
2494 		goto end;
2495 	if (eay_bn2v(priv, dh->priv_key) < 0) {
2496 		vfree(*pub);
2497 		goto end;
2498 	}
2499 
2500 	error = 0;
2501 
2502 end:
2503 	if (dh != NULL)
2504 		DH_free(dh);
2505 	if (p != 0)
2506 		BN_free(p);
2507 	return(error);
2508 }
2509 
2510 int
eay_dh_compute(prime,g,pub,priv,pub2,key)2511 eay_dh_compute(prime, g, pub, priv, pub2, key)
2512 	vchar_t *prime, *pub, *priv, *pub2, **key;
2513 	u_int32_t g;
2514 {
2515 	BIGNUM *dh_pub = NULL;
2516 	DH *dh = NULL;
2517 	int l;
2518 	unsigned char *v = NULL;
2519 	int error = -1;
2520 
2521 	/* make public number to compute */
2522 	if (eay_v2bn(&dh_pub, pub2) < 0)
2523 		goto end;
2524 
2525 	/* make DH structure */
2526 	if ((dh = DH_new()) == NULL)
2527 		goto end;
2528 	if (eay_v2bn(&dh->p, prime) < 0)
2529 		goto end;
2530 	if (eay_v2bn(&dh->pub_key, pub) < 0)
2531 		goto end;
2532 	if (eay_v2bn(&dh->priv_key, priv) < 0)
2533 		goto end;
2534 #if defined(OPENSSL_IS_BORINGSSL)
2535 	dh->priv_length = pub2->l * 8;
2536 #else
2537 	dh->length = pub2->l * 8;
2538 #endif
2539 
2540 	dh->g = NULL;
2541 	if ((dh->g = BN_new()) == NULL)
2542 		goto end;
2543 	if (!BN_set_word(dh->g, g))
2544 		goto end;
2545 
2546 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
2547 		goto end;
2548 	if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
2549 		goto end;
2550 	memcpy((*key)->v + (prime->l - l), v, l);
2551 
2552 	error = 0;
2553 
2554 end:
2555 	if (dh_pub != NULL)
2556 		BN_free(dh_pub);
2557 	if (dh != NULL)
2558 		DH_free(dh);
2559 	if (v != NULL)
2560 		racoon_free(v);
2561 	return(error);
2562 }
2563 
2564 /*
2565  * convert vchar_t <-> BIGNUM.
2566  *
2567  * vchar_t: unit is u_char, network endian, most significant byte first.
2568  * BIGNUM: unit is BN_ULONG, each of BN_ULONG is in host endian,
2569  *	least significant BN_ULONG must come first.
2570  *
2571  * hex value of "0x3ffe050104" is represented as follows:
2572  *	vchar_t: 3f fe 05 01 04
2573  *	BIGNUM (BN_ULONG = u_int8_t): 04 01 05 fe 3f
2574  *	BIGNUM (BN_ULONG = u_int16_t): 0x0104 0xfe05 0x003f
2575  *	BIGNUM (BN_ULONG = u_int32_t_t): 0xfe050104 0x0000003f
2576  */
2577 int
eay_v2bn(bn,var)2578 eay_v2bn(bn, var)
2579 	BIGNUM **bn;
2580 	vchar_t *var;
2581 {
2582 	if ((*bn = BN_bin2bn((unsigned char *) var->v, var->l, NULL)) == NULL)
2583 		return -1;
2584 
2585 	return 0;
2586 }
2587 
2588 int
eay_bn2v(var,bn)2589 eay_bn2v(var, bn)
2590 	vchar_t **var;
2591 	BIGNUM *bn;
2592 {
2593 #if defined(ANDROID_CHANGES)
2594 	*var = vmalloc(bn->top * sizeof(BN_ULONG));
2595 #else
2596 	*var = vmalloc(bn->top * BN_BYTES);
2597 #endif
2598 	if (*var == NULL)
2599 		return(-1);
2600 
2601 	(*var)->l = BN_bn2bin(bn, (unsigned char *) (*var)->v);
2602 
2603 	return 0;
2604 }
2605 
2606 void
eay_init()2607 eay_init()
2608 {
2609 	OpenSSL_add_all_algorithms();
2610 	ERR_load_crypto_strings();
2611 #ifdef HAVE_OPENSSL_ENGINE_H
2612 	ENGINE_load_builtin_engines();
2613 	ENGINE_register_all_complete();
2614 #endif
2615 }
2616 
2617 vchar_t *
base64_decode(char * in,long inlen)2618 base64_decode(char *in, long inlen)
2619 {
2620 #if defined(OPENSSL_IS_BORINGSSL)
2621 	vchar_t *res;
2622 	size_t decoded_size;
2623 
2624 	if (!EVP_DecodedLength(&decoded_size, inlen)) {
2625 		return NULL;
2626 	}
2627 	res = vmalloc(decoded_size);
2628 	if (res == NULL) {
2629 		return NULL;
2630 	}
2631 	if (!EVP_DecodeBase64((uint8_t*) res->v, &res->l, decoded_size, (uint8_t*) in, inlen)) {
2632 		vfree(res);
2633 		return NULL;
2634 	}
2635 	return res;
2636 #else
2637 	BIO *bio=NULL, *b64=NULL;
2638 	vchar_t *res = NULL;
2639 	char *outb;
2640 	long outlen;
2641 
2642 	outb = malloc(inlen * 2);
2643 	if (outb == NULL)
2644 		goto out;
2645 	bio = BIO_new_mem_buf(in, inlen);
2646 	b64 = BIO_new(BIO_f_base64());
2647 	BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
2648 	bio = BIO_push(b64, bio);
2649 
2650 	outlen = BIO_read(bio, outb, inlen * 2);
2651 	if (outlen <= 0) {
2652 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
2653 		goto out;
2654 	}
2655 
2656 	res = vmalloc(outlen);
2657 	if (!res)
2658 		goto out;
2659 
2660 	memcpy(res->v, outb, outlen);
2661 
2662 out:
2663 	if (outb)
2664 		free(outb);
2665 	if (bio)
2666 		BIO_free_all(bio);
2667 
2668 	return res;
2669 #endif
2670 }
2671 
2672 vchar_t *
base64_encode(char * in,long inlen)2673 base64_encode(char *in, long inlen)
2674 {
2675 #if defined(OPENSSL_IS_BORINGSSL)
2676 	vchar_t *res;
2677 	size_t encoded_size;
2678 
2679 	if (!EVP_EncodedLength(&encoded_size, inlen)) {
2680 		return NULL;
2681 	}
2682 	res = vmalloc(encoded_size+1);
2683 	if (res == NULL) {
2684 		return NULL;
2685 	}
2686 	EVP_EncodeBlock((uint8_t*) res->v, (uint8_t*) in, inlen);
2687 	res->v[encoded_size] = 0;
2688 	return res;
2689 #else
2690 	BIO *bio=NULL, *b64=NULL;
2691 	char *ptr;
2692 	long plen = -1;
2693 	vchar_t *res = NULL;
2694 
2695 	bio = BIO_new(BIO_s_mem());
2696 	b64 = BIO_new(BIO_f_base64());
2697 	BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
2698 	bio = BIO_push(b64, bio);
2699 
2700 	BIO_write(bio, in, inlen);
2701 	BIO_flush(bio);
2702 
2703 	plen = BIO_get_mem_data(bio, &ptr);
2704 	res = vmalloc(plen+1);
2705 	if (!res)
2706 		goto out;
2707 
2708 	memcpy (res->v, ptr, plen);
2709 	res->v[plen] = '\0';
2710 
2711 out:
2712 	if (bio)
2713 		BIO_free_all(bio);
2714 
2715 	return res;
2716 #endif
2717 }
2718 
2719 static RSA *
binbuf_pubkey2rsa(vchar_t * binbuf)2720 binbuf_pubkey2rsa(vchar_t *binbuf)
2721 {
2722 	BIGNUM *exp, *mod;
2723 	RSA *rsa_pub = NULL;
2724 
2725 	if (binbuf->v[0] > binbuf->l - 1) {
2726 		plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: decoded string doesn't make sense.\n");
2727 		goto out;
2728 	}
2729 
2730 	exp = BN_bin2bn((unsigned char *) (binbuf->v + 1), binbuf->v[0], NULL);
2731 	mod = BN_bin2bn((unsigned char *) (binbuf->v + binbuf->v[0] + 1),
2732 			binbuf->l - binbuf->v[0] - 1, NULL);
2733 	rsa_pub = RSA_new();
2734 
2735 	if (!exp || !mod || !rsa_pub) {
2736 		plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey parsing error: %s\n", eay_strerror());
2737 		if (exp)
2738 			BN_free(exp);
2739 		if (mod)
2740 			BN_free(exp);
2741 		if (rsa_pub)
2742 			RSA_free(rsa_pub);
2743 		rsa_pub = NULL;
2744 		goto out;
2745 	}
2746 
2747 	rsa_pub->n = mod;
2748 	rsa_pub->e = exp;
2749 
2750 out:
2751 	return rsa_pub;
2752 }
2753 
2754 RSA *
base64_pubkey2rsa(char * in)2755 base64_pubkey2rsa(char *in)
2756 {
2757 	BIGNUM *exp, *mod;
2758 	RSA *rsa_pub = NULL;
2759 	vchar_t *binbuf;
2760 
2761 	if (strncmp(in, "0s", 2) != 0) {
2762 		plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: doesn't start with '0s'\n");
2763 		return NULL;
2764 	}
2765 
2766 	binbuf = base64_decode(in + 2, strlen(in + 2));
2767 	if (!binbuf) {
2768 		plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: Base64 decoding failed.\n");
2769 		return NULL;
2770 	}
2771 
2772 	if (binbuf->v[0] > binbuf->l - 1) {
2773 		plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: decoded string doesn't make sense.\n");
2774 		goto out;
2775 	}
2776 
2777 	rsa_pub = binbuf_pubkey2rsa(binbuf);
2778 
2779 out:
2780 	if (binbuf)
2781 		vfree(binbuf);
2782 
2783 	return rsa_pub;
2784 }
2785 
2786 RSA *
bignum_pubkey2rsa(BIGNUM * in)2787 bignum_pubkey2rsa(BIGNUM *in)
2788 {
2789 	RSA *rsa_pub = NULL;
2790 	vchar_t *binbuf;
2791 
2792 	binbuf = vmalloc(BN_num_bytes(in));
2793 	if (!binbuf) {
2794 		plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey conversion: memory allocation failed..\n");
2795 		return NULL;
2796 	}
2797 
2798 	BN_bn2bin(in, (unsigned char *) binbuf->v);
2799 
2800 	rsa_pub = binbuf_pubkey2rsa(binbuf);
2801 
2802 out:
2803 	if (binbuf)
2804 		vfree(binbuf);
2805 
2806 	return rsa_pub;
2807 }
2808 
2809 u_int32_t
eay_random()2810 eay_random()
2811 {
2812 	u_int32_t result;
2813 	vchar_t *vrand;
2814 
2815 	vrand = eay_set_random(sizeof(result));
2816 	memcpy(&result, vrand->v, sizeof(result));
2817 	vfree(vrand);
2818 
2819 	return result;
2820 }
2821 
2822 const char *
eay_version()2823 eay_version()
2824 {
2825 #if defined(OPENSSL_IS_BORINGSSL)
2826 	return "(BoringSSL)";
2827 #else
2828 	return SSLeay_version(SSLEAY_VERSION);
2829 #endif
2830 }
2831