summaryrefslogtreecommitdiff
path: root/src/libstrongswan/crypto
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
commit7585facf05d927eb6df3929ce09ed5e60d905437 (patch)
treee4d14b4dc180db20356b6b01ce0112f3a2d7897e /src/libstrongswan/crypto
parentc1343b3278cdf99533b7902744d15969f9d6fdc1 (diff)
downloadvyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz
vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip
Imported Upstream version 5.0.2
Diffstat (limited to 'src/libstrongswan/crypto')
-rw-r--r--src/libstrongswan/crypto/aead.c2
-rw-r--r--src/libstrongswan/crypto/crypto_factory.c4
-rw-r--r--src/libstrongswan/crypto/crypto_factory.h1
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c4
-rw-r--r--src/libstrongswan/crypto/nonce_gen.h4
-rw-r--r--src/libstrongswan/crypto/pkcs7.c1061
-rw-r--r--src/libstrongswan/crypto/pkcs7.h178
-rw-r--r--src/libstrongswan/crypto/pkcs9.c369
-rw-r--r--src/libstrongswan/crypto/pkcs9.h92
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.c2
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.c198
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.txt8
-rw-r--r--src/libstrongswan/crypto/transform.h2
13 files changed, 121 insertions, 1804 deletions
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index 02fb8d50a..32a0e6759 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -15,7 +15,7 @@
#include "aead.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_aead_t private_aead_t;
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 3736ae38f..5a363e9f0 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -15,9 +15,9 @@
#include "crypto_factory.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/crypto_tester.h>
const char *default_plugin_name = "default";
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 611ca0bbb..5d23c8977 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -24,6 +24,7 @@
typedef struct crypto_factory_t crypto_factory_t;
#include <library.h>
+#include <collections/enumerator.h>
#include <crypto/crypters/crypter.h>
#include <crypto/aead.h>
#include <crypto/signers/signer.h>
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 01e84a133..08b226468 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -20,8 +20,8 @@
#include "crypto_tester.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
typedef struct private_crypto_tester_t private_crypto_tester_t;
diff --git a/src/libstrongswan/crypto/nonce_gen.h b/src/libstrongswan/crypto/nonce_gen.h
index 50f3c0090..7dae4f776 100644
--- a/src/libstrongswan/crypto/nonce_gen.h
+++ b/src/libstrongswan/crypto/nonce_gen.h
@@ -35,7 +35,7 @@ struct nonce_gen_t {
*
* @param size size of nonce in bytes
* @param buffer pointer where the generated nonce will be written
- * @return TRUE if nonce allocation was succesful, FALSE otherwise
+ * @return TRUE if nonce allocation was successful, FALSE otherwise
*/
bool (*get_nonce)(nonce_gen_t *this, size_t size,
u_int8_t *buffer) __attribute__((warn_unused_result));
@@ -45,7 +45,7 @@ struct nonce_gen_t {
*
* @param size size of nonce in bytes
* @param chunk chunk which will hold the generated nonce
- * @return TRUE if nonce allocation was succesful, FALSE otherwise
+ * @return TRUE if nonce allocation was successful, FALSE otherwise
*/
bool (*allocate_nonce)(nonce_gen_t *this, size_t size,
chunk_t *chunk) __attribute__((warn_unused_result));
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
deleted file mode 100644
index 0ec19f2cd..000000000
--- a/src/libstrongswan/crypto/pkcs7.c
+++ /dev/null
@@ -1,1061 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2002-2008 Andreas Steffen
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/keys/public_key.h>
-#include <crypto/pkcs9.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-#include <utils/linked_list.h>
-
-#include "pkcs7.h"
-
-typedef struct private_pkcs7_t private_pkcs7_t;
-
-/**
- * Private data of a pkcs7_t object.
- */
-struct private_pkcs7_t {
- /**
- * Public interface for this certificate.
- */
- pkcs7_t public;
-
- /**
- * contentInfo type
- */
- int type;
-
- /**
- * ASN.1 encoded content
- */
- chunk_t content;
-
- /**
- * ASN.1 parsing start level
- */
- u_int level;
-
- /**
- * retrieved data
- */
- chunk_t data;
-
- /**
- * ASN.1 encoded attributes
- */
- pkcs9_t *attributes;
-
- /**
- * Linked list of X.509 certificates
- */
- linked_list_t *certs;
-};
-
-METHOD(pkcs7_t, is_data, bool,
- private_pkcs7_t *this)
-{
- return this->type == OID_PKCS7_DATA;
-}
-
-METHOD(pkcs7_t, is_signedData, bool,
- private_pkcs7_t *this)
-{
- return this->type == OID_PKCS7_SIGNED_DATA;
-}
-
-METHOD(pkcs7_t, is_envelopedData, bool,
- private_pkcs7_t *this)
-{
- return this->type == OID_PKCS7_ENVELOPED_DATA;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 ContentInfo type
- */
-static const asn1Object_t contentInfoObjects[] = {
- { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
- { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
- ASN1_BODY }, /* 2 */
- { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PKCS7_INFO_TYPE 1
-#define PKCS7_INFO_CONTENT 2
-
-/**
- * Parse PKCS#7 contentInfo object
- */
-static bool parse_contentInfo(private_pkcs7_t *this)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
- bool success = FALSE;
-
- if (!this->data.ptr)
- {
- return FALSE;
- }
-
- parser = asn1_parser_create(contentInfoObjects, this->data);
- parser->set_top_level(parser, this->level);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- if (objectID == PKCS7_INFO_TYPE)
- {
- this->type = asn1_known_oid(object);
- if (this->type < OID_PKCS7_DATA ||
- this->type > OID_PKCS7_ENCRYPTED_DATA)
- {
- DBG1(DBG_LIB, "unknown pkcs7 content type");
- goto end;
- }
- }
- else if (objectID == PKCS7_INFO_CONTENT && object.len > 0)
- {
- chunk_free(&this->content);
- this->content = chunk_clone(object);
- }
- }
- success = parser->success(parser);
-
- if (success)
- {
- this->level += 2;
- chunk_free(&this->data);
- }
-
-end:
- parser->destroy(parser);
- return success;
-}
-
-/**
- * Check whether to abort the requested parsing
- */
-static bool abort_parsing(private_pkcs7_t *this, int type)
-{
- if (this->type != type)
- {
- DBG1(DBG_LIB, "pkcs7 content to be parsed is not of type '%s'",
- oid_names[type].name);
- return TRUE;
- }
- return FALSE;
-}
-
-METHOD(pkcs7_t, parse_data, bool,
- private_pkcs7_t *this)
-{
- chunk_t data;
-
- if (!parse_contentInfo(this) ||
- abort_parsing(this, OID_PKCS7_DATA))
- {
- return FALSE;
- }
- data = this->content;
- if (data.len == 0)
- {
- this->data = chunk_empty;
- return TRUE;
- }
- if (asn1_parse_simple_object(&data, ASN1_OCTET_STRING,
- this->level, "data"))
- {
- this->data = chunk_clone(data);
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 signedData type
- */
-static const asn1Object_t signedDataObjects[] = {
- { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
- { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
- { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
- { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
- { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
- ASN1_LOOP }, /* 6 */
- { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
- { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
- { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
- ASN1_LOOP }, /* 9 */
- { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
- { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
- { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
- { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
- { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
- { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
- { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
- { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
- { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
- { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
- ASN1_OBJ }, /* 19 */
- { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
- { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
- { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
- { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
- { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PKCS7_SIGNED_VERSION 1
-#define PKCS7_DIGEST_ALG 3
-#define PKCS7_SIGNED_CONTENT_INFO 5
-#define PKCS7_SIGNED_CERT 7
-#define PKCS7_SIGNER_INFO 13
-#define PKCS7_SIGNER_INFO_VERSION 14
-#define PKCS7_SIGNED_ISSUER 16
-#define PKCS7_SIGNED_SERIAL_NUMBER 17
-#define PKCS7_DIGEST_ALGORITHM 18
-#define PKCS7_AUTH_ATTRIBUTES 19
-#define PKCS7_DIGEST_ENC_ALGORITHM 21
-#define PKCS7_ENCRYPTED_DIGEST 22
-
-METHOD(pkcs7_t, parse_signedData, bool,
- private_pkcs7_t *this, certificate_t *cacert)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID, version;
- int digest_alg = OID_UNKNOWN;
- int enc_alg = OID_UNKNOWN;
- int signerInfos = 0;
- bool success = FALSE;
-
- chunk_t encrypted_digest = chunk_empty;
-
- if (!parse_contentInfo(this) ||
- abort_parsing(this, OID_PKCS7_SIGNED_DATA))
- {
- return FALSE;
- }
-
- parser = asn1_parser_create(signedDataObjects, this->content);
- parser->set_top_level(parser, this->level);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- u_int level = parser->get_level(parser);
-
- switch (objectID)
- {
- case PKCS7_SIGNED_VERSION:
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- break;
- case PKCS7_DIGEST_ALG:
- digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- break;
- case PKCS7_SIGNED_CONTENT_INFO:
- {
- pkcs7_t *data = pkcs7_create_from_chunk(object, level+1);
-
- if (!data || !data->parse_data(data))
- {
- DESTROY_IF(data);
- goto end;
- }
- this->data = chunk_clone(data->get_data(data));
- data->destroy(data);
- break;
- }
- case PKCS7_SIGNED_CERT:
- {
- certificate_t *cert;
-
- DBG2(DBG_LIB, " parsing pkcs7-wrapped certificate");
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, object,
- BUILD_END);
- if (cert)
- {
- this->certs->insert_last(this->certs, cert);
- }
- break;
- }
- case PKCS7_SIGNER_INFO:
- signerInfos++;
- DBG2(DBG_LIB, " signer #%d", signerInfos);
- break;
- case PKCS7_SIGNER_INFO_VERSION:
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- break;
- case PKCS7_SIGNED_ISSUER:
- {
- identification_t *issuer;
-
- issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(DBG_LIB, " '%Y'", issuer);
- issuer->destroy(issuer);
- break;
- }
- case PKCS7_AUTH_ATTRIBUTES:
- *object.ptr = ASN1_SET;
- this->attributes = pkcs9_create_from_chunk(object, level+1);
- *object.ptr = ASN1_CONTEXT_C_0;
- break;
- case PKCS7_DIGEST_ALGORITHM:
- digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- break;
- case PKCS7_DIGEST_ENC_ALGORITHM:
- enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- break;
- case PKCS7_ENCRYPTED_DIGEST:
- encrypted_digest = object;
- }
- }
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- if (!success)
- {
- return FALSE;
- }
-
- /* check the signature only if a cacert is available */
- if (cacert != NULL)
- {
- signature_scheme_t scheme;
- public_key_t *key;
-
- scheme = signature_scheme_from_oid(digest_alg);
- if (scheme == SIGN_UNKNOWN)
- {
- DBG1(DBG_LIB, "unsupported signature scheme");
- return FALSE;
- }
- if (signerInfos == 0)
- {
- DBG1(DBG_LIB, "no signerInfo object found");
- return FALSE;
- }
- else if (signerInfos > 1)
- {
- DBG1(DBG_LIB, "more than one signerInfo object found");
- return FALSE;
- }
- if (this->attributes == NULL)
- {
- DBG1(DBG_LIB, "no authenticatedAttributes object found");
- return FALSE;
- }
- if (enc_alg != OID_RSA_ENCRYPTION)
- {
- DBG1(DBG_LIB, "only RSA digest encryption supported");
- return FALSE;
- }
-
- /* verify the signature */
- key = cacert->get_public_key(cacert);
- if (key == NULL)
- {
- DBG1(DBG_LIB, "no public key found in CA certificate");
- return FALSE;
- }
- if (key->verify(key, scheme,
- this->attributes->get_encoding(this->attributes), encrypted_digest))
- {
- DBG2(DBG_LIB, "signature is valid");
- }
- else
- {
- DBG1(DBG_LIB, "invalid signature");
- key->destroy(key);
- return FALSE;
- }
- key->destroy(key);
-
- if (this->data.ptr != NULL)
- {
- chunk_t messageDigest;
-
- messageDigest = this->attributes->get_attribute(this->attributes,
- OID_PKCS9_MESSAGE_DIGEST);
- if (messageDigest.ptr == NULL)
- {
- DBG1(DBG_LIB, "messageDigest attribute not found");
- return FALSE;
- }
- else
- {
- hash_algorithm_t algorithm;
- hasher_t *hasher;
- chunk_t hash;
- bool valid;
-
- algorithm = hasher_algorithm_from_oid(digest_alg);
- hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
- if (!hasher || !hasher->allocate_hash(hasher, this->data, &hash))
- {
- DESTROY_IF(hasher);
- DBG1(DBG_LIB, "hash algorithm %N not supported",
- hash_algorithm_names, algorithm);
- return FALSE;
- }
- hasher->destroy(hasher);
- DBG3(DBG_LIB, "hash: %B", &hash);
-
- valid = chunk_equals(messageDigest, hash);
- free(hash.ptr);
- if (valid)
- {
- DBG2(DBG_LIB, "messageDigest is valid");
- }
- else
- {
- DBG1(DBG_LIB, "invalid messageDigest");
- return FALSE;
- }
- }
- }
- }
- return TRUE;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 envelopedData type
- */
-static const asn1Object_t envelopedDataObjects[] = {
- { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
- { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */
- { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */
- { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */
- { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
- { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
- { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */
- { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */
- { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */
- { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
- { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */
- { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */
- { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY }, /* 14 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PKCS7_ENVELOPED_VERSION 1
-#define PKCS7_RECIPIENT_INFO_VERSION 4
-#define PKCS7_ISSUER 6
-#define PKCS7_SERIAL_NUMBER 7
-#define PKCS7_ENCRYPTION_ALG 8
-#define PKCS7_ENCRYPTED_KEY 9
-#define PKCS7_CONTENT_TYPE 12
-#define PKCS7_CONTENT_ENC_ALGORITHM 13
-#define PKCS7_ENCRYPTED_CONTENT 14
-
-METHOD(pkcs7_t, parse_envelopedData, bool,
- private_pkcs7_t *this, chunk_t serialNumber, private_key_t *key)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID, version;
- bool success = FALSE;
-
- chunk_t iv = chunk_empty;
- chunk_t symmetric_key = chunk_empty;
- chunk_t encrypted_content = chunk_empty;
-
- crypter_t *crypter = NULL;
-
- if (!parse_contentInfo(this) ||
- abort_parsing(this, OID_PKCS7_ENVELOPED_DATA))
- {
- return FALSE;
- }
-
- parser = asn1_parser_create(envelopedDataObjects, this->content);
- parser->set_top_level(parser, this->level);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- u_int level = parser->get_level(parser);
-
- switch (objectID)
- {
- case PKCS7_ENVELOPED_VERSION:
- {
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- if (version != 0)
- {
- DBG1(DBG_LIB, "envelopedData version is not 0");
- goto end;
- }
- break;
- }
- case PKCS7_RECIPIENT_INFO_VERSION:
- {
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- if (version != 0)
- {
- DBG1(DBG_LIB, "recipient info version is not 0");
- goto end;
- }
- break;
- }
- case PKCS7_ISSUER:
- {
- identification_t *issuer;
-
- issuer = identification_create_from_encoding(ID_DER_ASN1_DN,
- object);
- DBG2(DBG_LIB, " '%Y'", issuer);
- issuer->destroy(issuer);
- break;
- }
- case PKCS7_SERIAL_NUMBER:
- {
- if (!chunk_equals(serialNumber, object))
- {
- DBG1(DBG_LIB, "serial numbers do not match");
- goto end;
- }
- break;
- }
- case PKCS7_ENCRYPTION_ALG:
- {
- int alg;
-
- alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- if (alg != OID_RSA_ENCRYPTION)
- {
- DBG1(DBG_LIB, "only rsa encryption supported");
- goto end;
- }
- break;
- }
- case PKCS7_ENCRYPTED_KEY:
- {
- if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
- {
- DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
- goto end;
- }
- DBG4(DBG_LIB, "symmetric key %B", &symmetric_key);
- break;
- }
- case PKCS7_CONTENT_TYPE:
- {
- if (asn1_known_oid(object) != OID_PKCS7_DATA)
- {
- DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
- goto end;
- }
- break;
- }
- case PKCS7_CONTENT_ENC_ALGORITHM:
- {
- encryption_algorithm_t enc_alg;
- size_t key_size;
- int alg;
-
- alg = asn1_parse_algorithmIdentifier(object, level, &iv);
- enc_alg = encryption_algorithm_from_oid(alg, &key_size);
- if (enc_alg == ENCR_UNDEFINED)
- {
- DBG1(DBG_LIB, "unsupported content encryption algorithm");
- goto end;
- }
- crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
- key_size);
- if (crypter == NULL)
- {
- DBG1(DBG_LIB, "crypter %N not available",
- encryption_algorithm_names, enc_alg);
- goto end;
- }
- if (symmetric_key.len != crypter->get_key_size(crypter))
- {
- DBG1(DBG_LIB, "symmetric key length %d is wrong",
- symmetric_key.len);
- goto end;
- }
- if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING,
- level + 1, "IV"))
- {
- DBG1(DBG_LIB, "IV could not be parsed");
- goto end;
- }
- if (iv.len != crypter->get_iv_size(crypter))
- {
- DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
- goto end;
- }
- break;
- }
- case PKCS7_ENCRYPTED_CONTENT:
- {
- encrypted_content = object;
- break;
- }
- }
- }
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- if (!success)
- {
- goto failed;
- }
- success = FALSE;
-
- /* decrypt the content */
- if (!crypter->set_key(crypter, symmetric_key) ||
- !crypter->decrypt(crypter, encrypted_content, iv, &this->data))
- {
- success = FALSE;
- goto failed;
- }
- DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data);
-
- /* remove the padding */
- {
- u_char *pos = this->data.ptr + this->data.len - 1;
- u_char pattern = *pos;
- size_t padding = pattern;
-
- if (padding > this->data.len)
- {
- DBG1(DBG_LIB, "padding greater than data length");
- goto failed;
- }
- this->data.len -= padding;
-
- while (padding-- > 0)
- {
- if (*pos-- != pattern)
- {
- DBG1(DBG_LIB, "wrong padding pattern");
- goto failed;
- }
- }
- }
- success = TRUE;
-
-failed:
- DESTROY_IF(crypter);
- chunk_clear(&symmetric_key);
- if (!success)
- {
- chunk_free(&this->data);
- }
- return success;
-}
-
-METHOD(pkcs7_t, get_data, chunk_t,
- private_pkcs7_t *this)
-{
- return this->data;
-}
-
-METHOD(pkcs7_t, get_contentInfo, chunk_t,
- private_pkcs7_t *this)
-{
- chunk_t content_type;
-
- /* create DER-encoded OID for pkcs7_contentInfo type */
- switch(this->type)
- {
- case OID_PKCS7_DATA:
- case OID_PKCS7_SIGNED_DATA:
- case OID_PKCS7_ENVELOPED_DATA:
- case OID_PKCS7_SIGNED_ENVELOPED_DATA:
- case OID_PKCS7_DIGESTED_DATA:
- case OID_PKCS7_ENCRYPTED_DATA:
- content_type = asn1_build_known_oid(this->type);
- break;
- case OID_UNKNOWN:
- default:
- DBG1(DBG_LIB, "invalid pkcs7 contentInfo type");
- return chunk_empty;
- }
-
- return this->content.ptr == NULL
- ? asn1_wrap(ASN1_SEQUENCE, "m", content_type)
- : asn1_wrap(ASN1_SEQUENCE, "mm", content_type,
- asn1_simple_object(ASN1_CONTEXT_C_0, this->content));
-}
-
-METHOD(pkcs7_t, create_certificate_enumerator, enumerator_t*,
- private_pkcs7_t *this)
-{
- return this->certs->create_enumerator(this->certs);
-}
-
-METHOD(pkcs7_t, set_certificate, void,
- private_pkcs7_t *this, certificate_t *cert)
-{
- if (cert)
- {
- this->certs->insert_last(this->certs, cert);
- }
-}
-
-METHOD(pkcs7_t, set_attributes, void,
- private_pkcs7_t *this, pkcs9_t *attributes)
-{
- this->attributes = attributes;
-}
-
-METHOD(pkcs7_t, get_attributes, pkcs9_t*,
- private_pkcs7_t *this)
-{
- return this->attributes;
-}
-
-/**
- * build a DER-encoded issuerAndSerialNumber object
- */
-chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert)
-{
- identification_t *issuer = cert->get_issuer(cert);
- chunk_t serial = chunk_empty;
-
- if (cert->get_type(cert) == CERT_X509)
- {
- x509_t *x509 = (x509_t*)cert;
- serial = x509->get_serial(x509);
- }
-
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- issuer->get_encoding(issuer),
- asn1_integer("c", serial));
-}
-
-METHOD(pkcs7_t, build_envelopedData, bool,
- private_pkcs7_t *this, certificate_t *cert, encryption_algorithm_t alg,
- size_t key_size)
-{
- chunk_t iv, symmetricKey, protectedKey, in, out;
- crypter_t *crypter;
- int alg_oid;
-
- /* select OID of symmetric encryption algorithm */
- alg_oid = encryption_algorithm_to_oid(alg, key_size);
- if (alg_oid == OID_UNKNOWN)
- {
- DBG1(DBG_LIB, " encryption algorithm %N not supported",
- encryption_algorithm_names, alg);
- return FALSE;
- }
- crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
- if (crypter == NULL)
- {
- DBG1(DBG_LIB, " could not create crypter for algorithm %N",
- encryption_algorithm_names, alg);
- return FALSE;
- }
-
- /* generate a true random symmetric encryption key
- * and a pseudo-random iv
- */
- {
- rng_t *rng;
-
- rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
- if (!rng || !rng->allocate_bytes(rng, crypter->get_key_size(crypter),
- &symmetricKey))
- {
- DBG1(DBG_LIB, " failed to allocate symmetric encryption key");
- DESTROY_IF(rng);
- return FALSE;
- }
- DBG4(DBG_LIB, " symmetric encryption key: %B", &symmetricKey);
- rng->destroy(rng);
-
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng || !rng->allocate_bytes(rng, crypter->get_iv_size(crypter),
- &iv))
- {
- DBG1(DBG_LIB, " failed to allocate initialization vector");
- DESTROY_IF(rng);
- return FALSE;
- }
- DBG4(DBG_LIB, " initialization vector: %B", &iv);
- rng->destroy(rng);
- }
-
- /* pad the data so that the total length becomes
- * a multiple of the block size
- */
- {
- size_t block_size = crypter->get_block_size(crypter);
- size_t padding = block_size - this->data.len % block_size;
-
- in.len = this->data.len + padding;
- in.ptr = malloc(in.len);
-
- DBG2(DBG_LIB, " padding %d bytes of data to multiple block size of %d bytes",
- (int)this->data.len, (int)in.len);
-
- /* copy data */
- memcpy(in.ptr, this->data.ptr, this->data.len);
- /* append padding */
- memset(in.ptr + this->data.len, padding, padding);
- }
- DBG3(DBG_LIB, " padded unencrypted data: %B", &in);
-
- /* symmetric encryption of data object */
- if (!crypter->set_key(crypter, symmetricKey) ||
- !crypter->encrypt(crypter, in, iv, &out))
- {
- crypter->destroy(crypter);
- chunk_clear(&in);
- chunk_clear(&symmetricKey);
- chunk_free(&iv);
- return FALSE;
- }
- crypter->destroy(crypter);
- chunk_clear(&in);
- DBG3(DBG_LIB, " encrypted data: %B", &out);
-
- /* protect symmetric key by public key encryption */
- {
- public_key_t *key = cert->get_public_key(cert);
-
- if (key == NULL)
- {
- DBG1(DBG_LIB, " public key not found in encryption certificate");
- chunk_clear(&symmetricKey);
- chunk_free(&iv);
- chunk_free(&out);
- return FALSE;
- }
- key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey);
- key->destroy(key);
- chunk_clear(&symmetricKey);
- }
-
- /* build pkcs7 enveloped data object */
- {
- chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(alg_oid),
- asn1_wrap(ASN1_OCTET_STRING, "m", iv));
-
- chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm",
- asn1_build_known_oid(OID_PKCS7_DATA),
- contentEncryptionAlgorithm,
- asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
-
- chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey);
-
- chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm",
- ASN1_INTEGER_0,
- pkcs7_build_issuerAndSerialNumber(cert),
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- encryptedKey);
-
- this->content = asn1_wrap(ASN1_SEQUENCE, "cmm",
- ASN1_INTEGER_0,
- asn1_wrap(ASN1_SET, "m", recipientInfo),
- encryptedContentInfo);
- chunk_free(&this->data);
- this->type = OID_PKCS7_ENVELOPED_DATA;
- this->data = get_contentInfo(this);
- }
- return TRUE;
-}
-
-METHOD(pkcs7_t, build_signedData, bool,
- private_pkcs7_t *this, private_key_t *private_key, hash_algorithm_t alg)
-{
- chunk_t authenticatedAttributes = chunk_empty;
- chunk_t encryptedDigest = chunk_empty;
- chunk_t signerInfo, encoding = chunk_empty;
- signature_scheme_t scheme;
- int digest_oid;
- certificate_t *cert;
-
- if (this->certs->get_first(this->certs, (void**)&cert) != SUCCESS)
- {
- DBG1(DBG_LIB, " no pkcs7 signer certificate found");
- return FALSE;
- }
- digest_oid = hasher_algorithm_to_oid(alg);
- scheme = signature_scheme_from_oid(digest_oid);
-
- if (this->attributes != NULL)
- {
- if (this->data.ptr != NULL)
- {
- chunk_t messageDigest, signingTime, attributes;
- hasher_t *hasher;
- time_t now;
-
- hasher = lib->crypto->create_hasher(lib->crypto, alg);
- if (!hasher ||
- !hasher->allocate_hash(hasher, this->data, &messageDigest))
- {
- DESTROY_IF(hasher);
- DBG1(DBG_LIB, " hash algorithm %N not support",
- hash_algorithm_names, alg);
- return FALSE;
- }
- hasher->destroy(hasher);
- this->attributes->set_attribute(this->attributes,
- OID_PKCS9_MESSAGE_DIGEST,
- messageDigest);
- free(messageDigest.ptr);
-
- /* take the current time as signingTime */
- now = time(NULL);
- signingTime = asn1_from_time(&now, ASN1_UTCTIME);
- this->attributes->set_attribute_raw(this->attributes,
- OID_PKCS9_SIGNING_TIME, signingTime);
- this->attributes->set_attribute_raw(this->attributes,
- OID_PKCS9_CONTENT_TYPE,
- asn1_build_known_oid(OID_PKCS7_DATA));
-
- attributes = this->attributes->get_encoding(this->attributes);
-
- private_key->sign(private_key, scheme, attributes, &encryptedDigest);
- authenticatedAttributes = chunk_clone(attributes);
- *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
- }
- }
- else if (this->data.ptr != NULL)
- {
- private_key->sign(private_key, scheme, this->data, &encryptedDigest);
- }
- if (encryptedDigest.ptr)
- {
- encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest);
- }
- signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm",
- ASN1_INTEGER_1,
- pkcs7_build_issuerAndSerialNumber(cert),
- asn1_algorithmIdentifier(digest_oid),
- authenticatedAttributes,
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- encryptedDigest);
-
- if (this->data.ptr != NULL)
- {
- chunk_free(&this->content);
- this->content = asn1_simple_object(ASN1_OCTET_STRING, this->data);
- chunk_free(&this->data);
- }
- this->type = OID_PKCS7_DATA;
- this->data = get_contentInfo(this);
- chunk_free(&this->content);
-
- cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
-
- this->content = asn1_wrap(ASN1_SEQUENCE, "cmcmm",
- ASN1_INTEGER_1,
- asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)),
- this->data,
- asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding),
- asn1_wrap(ASN1_SET, "m", signerInfo));
- chunk_free(&this->data);
- this->type = OID_PKCS7_SIGNED_DATA;
- this->data = get_contentInfo(this);
-
- return TRUE;
-}
-
-METHOD(pkcs7_t, destroy, void,
- private_pkcs7_t *this)
-{
- DESTROY_IF(this->attributes);
- this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
- free(this->content.ptr);
- free(this->data.ptr);
- free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs7_t *pkcs7_create_empty(void)
-{
- private_pkcs7_t *this;
-
- INIT(this,
- .public = {
- .is_data = _is_data,
- .is_signedData = _is_signedData,
- .is_envelopedData = _is_envelopedData,
- .parse_data = _parse_data,
- .parse_signedData = _parse_signedData,
- .parse_envelopedData = _parse_envelopedData,
- .get_data = _get_data,
- .get_contentInfo = _get_contentInfo,
- .create_certificate_enumerator = _create_certificate_enumerator,
- .set_certificate = _set_certificate,
- .set_attributes = _set_attributes,
- .get_attributes = _get_attributes,
- .build_envelopedData = _build_envelopedData,
- .build_signedData = _build_signedData,
- .destroy = _destroy,
- },
- .type = OID_UNKNOWN,
- .certs = linked_list_create(),
- );
-
- return this;
-}
-
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level)
-{
- private_pkcs7_t *this = pkcs7_create_empty();
-
- this->level = level;
- this->data = chunk_clone(chunk);
-
- return &this->public;
-}
-
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_data(chunk_t data)
-{
- private_pkcs7_t *this = pkcs7_create_empty();
-
- this->data = chunk_clone(data);
-
- return &this->public;
-}
-
diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h
deleted file mode 100644
index 7c9a6b037..000000000
--- a/src/libstrongswan/crypto/pkcs7.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pkcs7 pkcs7
- * @{ @ingroup crypto
- */
-
-#ifndef PKCS7_H_
-#define PKCS7_H_
-
-typedef struct pkcs7_t pkcs7_t;
-
-#include <library.h>
-#include <credentials/keys/private_key.h>
-#include <crypto/pkcs9.h>
-#include <crypto/crypters/crypter.h>
-#include <utils/enumerator.h>
-
-/**
- * PKCS#7 contentInfo object.
- */
-struct pkcs7_t {
-
- /**
- * Check if the PKCS#7 contentType is data
- *
- * @return TRUE if the contentType is data
- */
- bool (*is_data) (pkcs7_t *this);
-
- /**
- * Check if the PKCS#7 contentType is signedData
- *
- * @return TRUE if the contentType is signedData
- */
- bool (*is_signedData) (pkcs7_t *this);
-
- /**
- * Check if the PKCS#7 contentType is envelopedData
- *
- * @return TRUE if the contentType is envelopedData
- */
- bool (*is_envelopedData) (pkcs7_t *this);
-
- /**
- * Parse a PKCS#7 data content.
- *
- * @return TRUE if parsing was successful
- */
- bool (*parse_data) (pkcs7_t *this);
-
- /**
- * Parse a PKCS#7 signedData content. The contained PKCS#7 data is parsed
- * and verified.
- *
- * @param cacert cacert used to verify the signature
- * @return TRUE if parsing was successful
- */
- bool (*parse_signedData) (pkcs7_t *this, certificate_t *cacert);
-
- /**
- * Parse a PKCS#7 envelopedData content.
- *
- * @param serialNumber serialNumber of the request
- * @param key private key used to decrypt the symmetric key
- * @return TRUE if parsing was successful
- */
- bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber,
- private_key_t *key);
-
- /**
- * Returns the parsed data object
- *
- * @return chunk containing the data object
- */
- chunk_t (*get_data) (pkcs7_t *this);
-
- /**
- * Returns the a DER-encoded contentInfo object
- *
- * @return chunk containing the contentInfo object
- */
- chunk_t (*get_contentInfo) (pkcs7_t *this);
-
- /**
- * Create an enumerator for the certificates.
- *
- * @return enumerator for the certificates
- */
- enumerator_t *(*create_certificate_enumerator) (pkcs7_t *this);
-
- /**
- * Add a certificate.
- *
- * @param cert certificate to be included (gets adopted)
- */
- void (*set_certificate) (pkcs7_t *this, certificate_t *cert);
-
- /**
- * Add authenticated attributes.
- *
- * @param attributes attributes to be included (gets adopted)
- */
- void (*set_attributes) (pkcs7_t *this, pkcs9_t *attributes);
-
- /**
- * Get attributes.
- *
- * @return attributes (internal data)
- */
- pkcs9_t *(*get_attributes) (pkcs7_t *this);
-
- /**
- * Build a data object
- *
- * @return TRUE if build was successful
- */
- bool (*build_data) (pkcs7_t *this);
-
- /**
- * Build an envelopedData object
- *
- * @param cert receivers's certificate
- * @param alg encryption algorithm
- * @param key_size key size to use
- * @return TRUE if build was successful
- */
- bool (*build_envelopedData) (pkcs7_t *this, certificate_t *cert,
- encryption_algorithm_t alg, size_t key_size);
-
- /**
- * Build an signedData object
- *
- * @param key signer's private key
- * @param alg digest algorithm used for signature
- * @return TRUE if build was successful
- */
- bool (*build_signedData) (pkcs7_t *this, private_key_t *key,
- hash_algorithm_t alg);
-
- /**
- * Destroys the contentInfo object.
- */
- void (*destroy) (pkcs7_t *this);
-};
-
-/**
- * Read a PKCS#7 contentInfo object from a DER encoded chunk.
- *
- * @param chunk chunk containing DER encoded data
- * @param level ASN.1 parsing start level
- * @return created pkcs7_contentInfo object, or NULL if invalid.
- */
-pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
-
-/**
- * Create a PKCS#7 contentInfo object
- *
- * @param data chunk containing data
- * @return created pkcs7_contentInfo object.
- */
-pkcs7_t *pkcs7_create_from_data(chunk_t data);
-
-#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c
deleted file mode 100644
index d24ab1b80..000000000
--- a/src/libstrongswan/crypto/pkcs9.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
-
-#include "pkcs9.h"
-
-typedef struct private_pkcs9_t private_pkcs9_t;
-
-/**
- * Private data of a pkcs9_t attribute list.
- */
-struct private_pkcs9_t {
- /**
- * Public interface
- */
- pkcs9_t public;
-
- /**
- * DER encoding of PKCS#9 attributes
- */
- chunk_t encoding;
-
- /**
- * Linked list of PKCS#9 attributes
- */
- linked_list_t *attributes;
-};
-
-typedef struct attribute_t attribute_t;
-
-/**
- * Definition of an attribute_t object.
- */
-struct attribute_t {
- /**
- * Object Identifier (OID)
- */
- int oid;
-
- /**
- * Attribute value
- */
- chunk_t value;
-
- /**
- * ASN.1 encoding
- */
- chunk_t encoding;
-
- /**
- * Destroys the attribute.
- */
- void (*destroy) (attribute_t *this);
-
-};
-
-/**
- * return the ASN.1 encoding of a PKCS#9 attribute
- */
-static asn1_t asn1_attributeType(int oid)
-{
- asn1_t type;
-
- switch (oid)
- {
- case OID_PKCS9_CONTENT_TYPE:
- type = ASN1_OID;
- break;
- case OID_PKCS9_SIGNING_TIME:
- type = ASN1_UTCTIME;
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- type = ASN1_OCTET_STRING;
- break;
- case OID_PKI_MESSAGE_TYPE:
- type = ASN1_PRINTABLESTRING;
- break;
- case OID_PKI_STATUS:
- type = ASN1_PRINTABLESTRING;
- break;
- case OID_PKI_FAIL_INFO:
- type = ASN1_PRINTABLESTRING;
- break;
- case OID_PKI_SENDER_NONCE:
- type = ASN1_OCTET_STRING;
- break;
- case OID_PKI_RECIPIENT_NONCE:
- type = ASN1_OCTET_STRING;
- break;
- case OID_PKI_TRANS_ID:
- type = ASN1_PRINTABLESTRING;
- break;
- default:
- type = ASN1_EOC;
- }
- return type;
-}
-
-/**
- * Destroy an attribute_t object.
- */
-static void attribute_destroy(attribute_t *this)
-{
- free(this->value.ptr);
- free(this->encoding.ptr);
- free(this);
-}
-
-/**
- * Create an attribute_t object.
- */
-static attribute_t *attribute_create(int oid, chunk_t value)
-{
- attribute_t *this;
-
- INIT(this,
- .destroy = attribute_destroy,
- .oid = oid,
- .value = chunk_clone(value),
- .encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(oid),
- asn1_simple_object(ASN1_SET, value)),
- );
-
- return this;
-}
-
-METHOD(pkcs9_t, build_encoding, void,
- private_pkcs9_t *this)
-{
- enumerator_t *enumerator;
- attribute_t *attribute;
- u_int attributes_len = 0;
-
- if (this->encoding.ptr)
- {
- chunk_free(&this->encoding);
- }
- if (this->attributes->get_count(this->attributes) == 0)
- {
- return;
- }
-
- /* compute the total length of the encoded attributes */
- enumerator = this->attributes->create_enumerator(this->attributes);
-
- while (enumerator->enumerate(enumerator, (void**)&attribute))
- {
- attributes_len += attribute->encoding.len;
- }
- enumerator->destroy(enumerator);
-
- /* allocate memory for the attributes and build the encoding */
- {
- u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len);
-
- enumerator = this->attributes->create_enumerator(this->attributes);
-
- while (enumerator->enumerate(enumerator, (void**)&attribute))
- {
- memcpy(pos, attribute->encoding.ptr, attribute->encoding.len);
- pos += attribute->encoding.len;
- }
- enumerator->destroy(enumerator);
- }
-}
-
-METHOD(pkcs9_t, get_encoding, chunk_t,
- private_pkcs9_t *this)
-{
- if (this->encoding.ptr == NULL)
- {
- build_encoding(this);
- }
- return this->encoding;
-}
-
-METHOD(pkcs9_t, get_attribute, chunk_t,
- private_pkcs9_t *this, int oid)
-{
- enumerator_t *enumerator;
- chunk_t value = chunk_empty;
- attribute_t *attribute;
-
- enumerator = this->attributes->create_enumerator(this->attributes);
- while (enumerator->enumerate(enumerator, (void**)&attribute))
- {
- if (attribute->oid == oid)
- {
- value = attribute->value;
- break;
- }
- }
- enumerator->destroy(enumerator);
- if (value.ptr &&
- !asn1_parse_simple_object(&value, asn1_attributeType(oid), 0,
- oid_names[oid].name))
- {
- return chunk_empty;
- }
- return value;
-}
-
-METHOD(pkcs9_t, set_attribute_raw, void,
- private_pkcs9_t *this, int oid, chunk_t value)
-{
- attribute_t *attribute = attribute_create(oid, value);
-
- this->attributes->insert_last(this->attributes, attribute);
- chunk_free(&value);
-}
-
-METHOD(pkcs9_t, set_attribute, void,
- private_pkcs9_t *this, int oid, chunk_t value)
-{
- chunk_t attr = asn1_simple_object(asn1_attributeType(oid), value);
-
- set_attribute_raw(this, oid, attr);
-}
-
-METHOD(pkcs9_t, destroy, void,
- private_pkcs9_t *this)
-{
- this->attributes->destroy_offset(this->attributes, offsetof(attribute_t, destroy));
- free(this->encoding.ptr);
- free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs9_t *pkcs9_create_empty(void)
-{
- private_pkcs9_t *this;
-
- INIT(this,
- .public = {
- .build_encoding = _build_encoding,
- .get_encoding = _get_encoding,
- .get_attribute = _get_attribute,
- .set_attribute = _set_attribute,
- .set_attribute_raw = _set_attribute_raw,
- .destroy = _destroy,
- },
- .attributes = linked_list_create(),
- );
-
- return this;
-}
-
-/*
- * Described in header.
- */
-pkcs9_t *pkcs9_create(void)
-{
- private_pkcs9_t *this = pkcs9_create_empty();
-
- return &this->public;
-}
-
-/**
- * ASN.1 definition of the X.501 atttribute type
- */
-static const asn1Object_t attributesObjects[] = {
- { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
- { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
- { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
- { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE 2
-#define ATTRIBUTE_OBJ_VALUE 4
-
-/**
- * Parse a PKCS#9 attribute list
- */
-static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
- int oid = OID_UNKNOWN;
- bool success = FALSE;
-
- parser = asn1_parser_create(attributesObjects, chunk);
- parser->set_top_level(parser, level0);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
- {
- case ATTRIBUTE_OBJ_TYPE:
- oid = asn1_known_oid(object);
- break;
- case ATTRIBUTE_OBJ_VALUE:
- if (oid == OID_UNKNOWN)
- {
- break;
- }
- /* add the attribute to a linked list */
- {
- attribute_t *attribute = attribute_create(oid, object);
-
- this->attributes->insert_last(this->attributes,
- (void*)attribute);
- }
- /* parse known attributes */
- {
- asn1_t type = asn1_attributeType(oid);
-
- if (type != ASN1_EOC)
- {
- if (!asn1_parse_simple_object(&object, type,
- parser->get_level(parser)+1,
- oid_names[oid].name))
- {
- goto end;
- }
- }
- }
- }
- }
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- return success;
-}
-
-
- /*
- * Described in header.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level)
-{
- private_pkcs9_t *this = pkcs9_create_empty();
-
- this->encoding = chunk_clone(chunk);
-
- if (!parse_attributes(chunk, level, this))
- {
- destroy(this);
- return NULL;
- }
- return &this->public;
-}
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h
deleted file mode 100644
index c442d4441..000000000
--- a/src/libstrongswan/crypto/pkcs9.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pkcs9 pkcs9
- * @{ @ingroup crypto
- */
-
-#ifndef PKCS9_H_
-#define PKCS9_H_
-
-typedef struct pkcs9_t pkcs9_t;
-
-#include <library.h>
-
-/**
- * PKCS#9 attributes.
- */
-struct pkcs9_t {
-
- /**
- * Generate ASN.1 encoding of attribute list
- */
- void (*build_encoding) (pkcs9_t *this);
-
- /**
- * Gets ASN.1 encoding of PKCS#9 attribute list
- *
- * @return ASN.1 encoded PKCSI#9 list
- */
- chunk_t (*get_encoding) (pkcs9_t *this);
-
- /**
- * Gets a PKCS#9 attribute
- *
- * @param oid OID of the attribute
- * @return value of the attribute (internal data)
- */
- chunk_t (*get_attribute) (pkcs9_t *this, int oid);
-
- /**
- * Adds a PKCS#9 attribute
- *
- * @param oid OID of the attribute
- * @param value value of the attribute (gets cloned)
- */
- void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value);
-
- /**
- * Adds a ASN.1 encoded PKCS#9 attribute
- *
- * @param oid OID of the attribute
- * @param value ASN.1 encoded value of the attribute (gets adopted)
- */
- void (*set_attribute_raw) (pkcs9_t *this, int oid, chunk_t value);
-
- /**
- * Destroys the PKCS#9 attribute list.
- */
- void (*destroy) (pkcs9_t *this);
-};
-
-/**
- * Read a PKCS#9 attribute list from a DER encoded chunk.
- *
- * @param chunk chunk containing DER encoded data
- * @param level ASN.1 parsing start level
- * @return created pkcs9 attribute list, or NULL if invalid.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
-
-/**
- * Create an empty PKCS#9 attribute list
- *
- * @return created pkcs9 attribute list.
- */
-pkcs9_t *pkcs9_create(void);
-
-#endif /** PKCS9_H_ @}*/
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 7356dc367..4db504eb0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -38,7 +38,7 @@
#include "proposal_keywords.h"
#include "proposal_keywords_static.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_proposal_keywords_t private_proposal_keywords_t;
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index ce52bc2ce..d85bfebd0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -59,11 +59,11 @@ struct proposal_token {
u_int16_t keysize;
};
-#define TOTAL_KEYWORDS 122
+#define TOTAL_KEYWORDS 130
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 213
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 216
/* maximum key range = 205, duplicates = 0 */
#ifdef __GNUC__
@@ -80,32 +80,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 14, 9,
- 4, 34, 66, 19, 8, 4, 5, 3, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 131, 214, 3, 22, 21,
- 3, 1, 101, 48, 3, 4, 214, 214, 3, 10,
- 57, 4, 214, 214, 94, 6, 3, 32, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 35, 10,
+ 5, 34, 68, 21, 9, 16, 6, 4, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 117, 217, 15, 22, 23,
+ 4, 29, 4, 51, 57, 4, 217, 217, 4, 16,
+ 58, 4, 217, 5, 81, 104, 6, 34, 217, 217,
+ 5, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217
};
register int hval = len;
@@ -142,23 +142,21 @@ hash (str, len)
static const struct proposal_token wordlist[] =
{
- {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
- {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0},
+ {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
{"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
- {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
- {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
+ {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
+ {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
{"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
- {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
- {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192},
{"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128},
{"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
- {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
- {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
+ {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
+ {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0},
{"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192},
- {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
{"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
+ {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
+ {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
{"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
{"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
{"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
@@ -170,17 +168,18 @@ static const struct proposal_token wordlist[] =
{"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
{"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
{"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256},
- {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
- {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256},
+ {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
{"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
- {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192},
+ {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
- {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
+ {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0},
{"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
{"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+ {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
{"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0},
- {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256},
{"aes192ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
{"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
{"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192},
@@ -191,18 +190,23 @@ static const struct proposal_token wordlist[] =
{"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128},
{"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192},
{"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128},
- {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0},
{"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0},
- {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0},
{"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0},
+ {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
+ {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0},
+ {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0},
{"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
- {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0},
- {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"md5_128", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0},
+ {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
+ {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0},
{"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
+ {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0},
{"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
+ {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0},
{"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256},
+ {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0},
{"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256},
+ {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0},
{"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0},
{"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
{"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
@@ -216,80 +220,84 @@ static const struct proposal_token wordlist[] =
{"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128},
{"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
{"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
- {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
- {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
+ {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
+ {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
+ {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0},
+ {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0},
+ {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192},
{"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
+ {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
{"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
+ {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
{"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
- {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
+ {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
{"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
- {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
+ {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256},
{"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
- {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
- {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
- {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
- {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
{"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0},
+ {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
+ {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
+ {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
+ {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
{"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
{"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
- {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
+ {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
{"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
- {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
- {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
- {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
+ {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
+ {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
{"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0},
- {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+ {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
{"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0},
{"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0},
+ {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
{"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192},
- {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
- {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
- {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
+ {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
+ {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
{"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0},
- {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
+ {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
+ {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
+ {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
{"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
- {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0},
- {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0},
- {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
+ {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256},
- {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
- {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
+ {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0},
+ {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0},
+ {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0},
{"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
- {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
- {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
- {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0},
+ {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
+ {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
{"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0},
- {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0},
- {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}
+ {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0}
};
static const short lookup[] =
{
- -1, -1, -1, -1, -1, -1, -1, -1, -1, 0,
- 1, 2, -1, -1, -1, -1, 3, 4, -1, -1,
- -1, 5, 6, -1, -1, 7, -1, 8, 9, 10,
- 11, 12, -1, 13, -1, 14, 15, 16, 17, 18,
- 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,
- -1, -1, -1, -1, 29, 30, 31, 32, 33, 34,
- 35, -1, 36, -1, 37, 38, 39, 40, 41, 42,
- 43, 44, 45, 46, 47, 48, 49, 50, 51, 52,
- 53, 54, 55, 56, 57, -1, 58, -1, 59, -1,
- 60, -1, 61, 62, 63, 64, 65, 66, 67, 68,
- 69, 70, 71, 72, 73, 74, -1, 75, -1, 76,
- -1, 77, -1, 78, 79, 80, 81, 82, -1, 83,
- 84, 85, 86, 87, -1, 88, 89, -1, 90, -1,
- -1, 91, 92, -1, 93, -1, -1, 94, -1, 95,
- 96, 97, 98, -1, 99, -1, 100, 101, 102, 103,
- 104, 105, -1, -1, -1, 106, -1, -1, 107, 108,
- -1, 109, -1, -1, 110, 111, 112, -1, -1, 113,
- 114, -1, -1, -1, 115, 116, -1, 117, 118, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, 119, -1, -1, -1, 120,
- -1, -1, -1, 121
+ -1, -1, 0, -1, -1, -1, -1, -1, -1, 1,
+ 2, -1, -1, -1, 3, 4, -1, 5, -1, -1,
+ -1, -1, 6, 7, 8, 9, 10, 11, -1, 12,
+ 13, -1, 14, 15, 16, 17, 18, 19, 20, 21,
+ 22, 23, 24, 25, 26, -1, -1, -1, 27, -1,
+ 28, 29, 30, 31, 32, 33, 34, -1, 35, 36,
+ 37, 38, 39, 40, 41, 42, 43, 44, 45, 46,
+ 47, 48, 49, 50, 51, 52, 53, 54, 55, 56,
+ 57, 58, 59, 60, 61, 62, 63, 64, 65, 66,
+ 67, 68, 69, 70, 71, 72, 73, 74, 75, 76,
+ 77, 78, 79, 80, 81, 82, 83, 84, 85, 86,
+ 87, 88, 89, 90, 91, 92, 93, -1, 94, 95,
+ 96, -1, 97, 98, 99, -1, 100, 101, 102, 103,
+ 104, -1, -1, -1, -1, 105, 106, 107, -1, 108,
+ 109, 110, -1, 111, 112, -1, 113, 114, -1, 115,
+ -1, 116, 117, -1, -1, 118, 119, -1, 120, -1,
+ -1, -1, 121, 122, -1, 123, 124, -1, -1, -1,
+ -1, -1, 125, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, 126, -1, -1, -1,
+ -1, -1, -1, -1, -1, 127, -1, -1, -1, -1,
+ -1, 128, -1, -1, -1, -1, 129
};
#ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 7f8c95757..445438f03 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -132,6 +132,14 @@ md5_128, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0
aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0
camelliaxcbc, INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0
aescmac, INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0
+prfsha1, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0
+prfsha256, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0
+prfsha384, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0
+prfsha512, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0
+prfmd5, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0
+prfaesxcbc, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0
+prfcamelliaxcbc, PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0
+prfaescmac, PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0
modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0
modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0
modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 311df068f..4a98f81e9 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -23,7 +23,7 @@
typedef enum transform_type_t transform_type_t;
-#include <enum.h>
+#include <utils/enum.h>
/**
* Type of a transform, as in IKEv2 RFC 3.3.2.
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 22:40:01 +0000