author | Yves-Alexis Perez <corsac@debian.org> | 2013-08-25 15:37:27 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-08-25 15:37:27 +0200 |
commit | c7307e752d8f47c68f834e22ee2ce0a14a70e695 (patch) | |
tree | fbb442a20ab54aad511b46a070e65b8d09c22791 /src/libstrongswan/plugins/agent | |
parent | f74c6d77c3efb529e7403eeef0613c061eb895b3 (diff) | |
parent | 6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 (diff) | |
download | vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.tar.gz vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.zip |
Merge tag 'upstream/5.1.0'
Upstream version 5.1.0
Diffstat (limited to 'src/libstrongswan/plugins/agent')
-rw-r--r-- | src/libstrongswan/plugins/agent/Makefile.am | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/agent/Makefile.in | 78 | ||||
-rw-r--r-- | src/libstrongswan/plugins/agent/agent_plugin.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/agent/agent_private_key.c | 120 |
4 files changed, 123 insertions, 84 deletions
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am index ffa6e8b7f..e60d19363 100644 --- a/src/libstrongswan/plugins/agent/Makefile.am +++ b/src/libstrongswan/plugins/agent/Makefile.am @@ -1,7 +1,8 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan -INCLUDES = -I$(top_srcdir)/src/libstrongswan - -AM_CFLAGS = -rdynamic +AM_CFLAGS = \ + -rdynamic if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-agent.la diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index b17a69a76..b1e343c8d 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -102,9 +102,13 @@ libstrongswan_agent_la_LIBADD = am_libstrongswan_agent_la_OBJECTS = agent_plugin.lo \ agent_private_key.lo libstrongswan_agent_la_OBJECTS = $(am_libstrongswan_agent_la_OBJECTS) -libstrongswan_agent_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_agent_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +libstrongswan_agent_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_agent_la_LDFLAGS) \ + $(LDFLAGS) -o $@ @MONOLITHIC_FALSE@am_libstrongswan_agent_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_agent_la_rpath = 
@@ -114,13 +118,26 @@ am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; SOURCES = $(libstrongswan_agent_la_SOURCES) DIST_SOURCES = $(libstrongswan_agent_la_SOURCES) am__can_run_installinfo = \ @@ -134,6 +151,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ @@ -146,6 +164,8 @@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CHECK_CFLAGS = @CHECK_CFLAGS@ CHECK_LIBS = @CHECK_LIBS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -161,6 +181,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENHTML = @GENHTML@ GPERF = @GPERF@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ @@ -169,6 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ @@ -215,6 +237,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ @@ -243,6 +266,7 @@ charon_natt_port = @charon_natt_port@ charon_plugins = @charon_plugins@ charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ @@ -320,8 +344,12 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -rdynamic +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + -rdynamic + @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-agent.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = \ @@ -405,7 +433,7 @@ clean-pluginLTLIBRARIES: rm -f "$${dir}/so_locations"; \ done libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) $(EXTRA_libstrongswan_agent_la_DEPENDENCIES) - $(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -417,25 +445,25 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/agent_private_key.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c index 980a140b9..322ded48c 100644 --- a/src/libstrongswan/plugins/agent/agent_plugin.c +++ b/src/libstrongswan/plugins/agent/agent_plugin.c @@ -42,7 +42,9 @@ METHOD(plugin_t, get_features, int, { static plugin_feature_t f[] = { PLUGIN_REGISTER(PRIVKEY, agent_private_key_open, FALSE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), + PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA), }; *features = f; return countof(f); diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index 42c78c172..8a3fb150a 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -49,11 +49,16 @@ struct private_agent_private_key_t { int socket; /** - * key identity blob in ssh format + * public key encoded in SSH format */ chunk_t key; /** + * public key + */ + public_key_t *pubkey; + + /** * keysize in bytes */ size_t key_size; @@ -163,7 +168,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey) { int len; char buf[2048]; - chunk_t blob, key, type, n; + chunk_t blob, key; len = htonl(1); buf[0] = SSH_AGENT_ID_REQUEST; 
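Review bot: The struct hunk of agent_private_key.c keeps `size_t key_size;` with its `/** keysize in bytes */` comment, but as far as this diff shows the field is now dead: its only write (`this->key_size = n.len` in read_key) and its only read (`return this->key_size * 8` in get_keysize) are both removed in later hunks of this file. Drop the field, or if a reader outside this diff remains, say so in its comment. The new `pubkey` member should state its ownership, since read_key creates it and destroy releases it: `/** public key parsed from the SSH blob in key; owned by this object, released in destroy() */`. The struct definition continues beyond the hunk.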
@@ -193,34 +198,40 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 {
 break;
 }
- this->key = key;
- type = read_string(&key);
- if (!type.len || !strneq("ssh-rsa", type.ptr, type.len))
- {
- break;
- }
- read_string(&key);
- n = read_string(&key);
- if (n.len <= 512/8)
+ this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+ BUILD_BLOB_SSHKEY, key, BUILD_END);
+ if (!this->pubkey)
 {
- break;;
+ continue;
 }
 if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
 {
+ this->pubkey->destroy(this->pubkey);
+ this->pubkey = NULL;
 continue;
 }
- this->key_size = n.len;
- if (n.ptr[0] == 0)
- {
- this->key_size--;
- }
- this->key = chunk_clone(this->key);
+ this->key = chunk_clone(key);
 return TRUE;
 }
- this->key = chunk_empty;
 return FALSE;
 }
 
+static bool scheme_supported(private_agent_private_key_t *this,
+ signature_scheme_t scheme)
+{
+ switch (this->pubkey->get_type(this->pubkey))
+ {
+ case KEY_RSA:
+ return scheme == SIGN_RSA_EMSA_PKCS1_SHA1;
+ case KEY_ECDSA:
+ return scheme == SIGN_ECDSA_256 ||
+ scheme == SIGN_ECDSA_384 ||
+ scheme == SIGN_ECDSA_521;
+ default:
+ return FALSE;
+ }
+}
+
 METHOD(private_key_t, sign, bool,
 private_agent_private_key_t *this, signature_scheme_t scheme,
 chunk_t data, chunk_t *signature)
@@ -229,7 +240,7 @@ METHOD(private_key_t, sign, bool,
 char buf[2048];
 chunk_t blob;
 
- if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
+ if (!scheme_supported(this, scheme))
 {
 DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
 signature_scheme_names, scheme);
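Review bot: The removed `if (n.len <= 512/8)` test was the only minimum RSA modulus size check in read_key, and the new code accepts whatever `lib->creds->create(..., BUILD_BLOB_SSHKEY, ...)` returns; unless the SSH blob builder enforces a floor (not visible here), an agent holding a small RSA key is now loaded and used without complaint. If it does not, keep the floor after the create call, `if (this->pubkey->get_type(this->pubkey) == KEY_RSA && this->pubkey->get_keysize(this->pubkey) <= 512)` followed by the same destroy/NULL/continue sequence the hunk already uses for a non-matching key. Likewise, with `KEY_ANY` any key type the builder understands is accepted here while scheme_supported only ever returns TRUE for KEY_RSA and KEY_ECDSA, so an unsupported key type would fail only later in sign; rejecting it in read_key keeps the failure next to its cause. scheme_supported also lacks a header comment; `/** Whether ssh-agent can produce a signature of this scheme for the loaded key type */` would do. read_key starts outside the hunk.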
@@ -279,23 +290,40 @@ METHOD(private_key_t, sign, bool,
 }
 /* parse length */
 blob = read_string(&blob);
- /* skip sig type */
- read_string(&blob);
- /* parse length */
- blob = read_string(&blob);
- if (!blob.len)
- {
- DBG1(DBG_LIB, "received invalid ssh-agent signature response");
- return FALSE;
+ /* check sig type */
+ if (chunk_equals(read_string(&blob), chunk_from_str("ssh-rsa")))
+ { /* for RSA the signature has no special encoding */
+ blob = read_string(&blob);
+ if (blob.len)
+ {
+ *signature = chunk_clone(blob);
+ return TRUE;
+ }
+ }
+ else
+ { /* anything else is treated as ECSDA for now */
+ blob = read_string(&blob);
+ if (blob.len)
+ {
+ chunk_t r, s;
+
+ r = read_string(&blob);
+ s = read_string(&blob);
+ if (r.len && s.len)
+ {
+ *signature = chunk_cat("cc", r, s);
+ return TRUE;
+ }
+ }
 }
- *signature = chunk_clone(blob);
- return TRUE;
+ DBG1(DBG_LIB, "received invalid ssh-agent signature response");
+ return FALSE;
 }
 
 METHOD(private_key_t, get_type, key_type_t,
 private_agent_private_key_t *this)
 {
- return KEY_RSA;
+ return this->pubkey->get_type(this->pubkey);
 }
 
 METHOD(private_key_t, decrypt, bool,
@@ -309,21 +337,13 @@ METHOD(private_key_t, decrypt, bool,
 METHOD(private_key_t, get_keysize, int,
 private_agent_private_key_t *this)
 {
- return this->key_size * 8;
+ return this->pubkey->get_keysize(this->pubkey);
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
 private_agent_private_key_t *this)
 {
- chunk_t key, n, e;
-
- key = this->key;
- read_string(&key);
- e = read_string(&key);
- n = read_string(&key);
-
- return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
- BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+ return this->pubkey->get_ref(this->pubkey);
 }
 
 METHOD(private_key_t, get_encoding, bool,
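Review bot: The ECDSA branch of the first hunk builds the signature as `chunk_cat("cc", r, s)` straight from the two SSH mpints, but mpints (RFC 4251) are minimal-length and carry a leading 0x00 byte when the top bit is set, so r and s can each be one byte longer or several bytes shorter than the curve's coordinate size. If SIGN_ECDSA_256/384/521 denote the fixed-width r||s encoding of RFC 4754, which is what I understand the other ECDSA backends to produce, a fraction of agent signatures will then fail verification with nothing logged here. Strip leading zero bytes and left-pad each half to the width the scheme implies (32, 48 or 66 bytes), as below; `scheme` is already in scope from the check in the earlier hunk. The body of sign starts outside this hunk.
```c
	else
	{	/* anything else is treated as ECDSA for now */
		size_t len = 0;

		/* fixed r||s width implied by the scheme; 0 means not an ECDSA scheme */
		switch (scheme)
		{
			case SIGN_ECDSA_256:
				len = 32;
				break;
			case SIGN_ECDSA_384:
				len = 48;
				break;
			case SIGN_ECDSA_521:
				len = 66;
				break;
			default:
				break;
		}
		blob = read_string(&blob);
		if (blob.len && len)
		{
			chunk_t r, s;

			r = read_string(&blob);
			s = read_string(&blob);
			/* r and s are SSH mpints: minimal length plus a leading 0x00
			 * when the top bit is set, so normalize to exactly len bytes */
			while (r.len && r.ptr[0] == 0)
			{
				r.ptr++;
				r.len--;
			}
			while (s.len && s.ptr[0] == 0)
			{
				s.ptr++;
				s.len--;
			}
			if (r.len && s.len && r.len <= len && s.len <= len)
			{
				*signature = chunk_alloc(2 * len);
				memset(signature->ptr, 0, 2 * len);
				memcpy(signature->ptr + len - r.len, r.ptr, r.len);
				memcpy(signature->ptr + 2 * len - s.len, s.ptr, s.len);
				return TRUE;
			}
		}
	}
	/* … unchanged: DBG1 "received invalid ssh-agent signature response" and return FALSE … */
```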
@@ -336,19 +356,7 @@ METHOD(private_key_t, get_encoding, bool,
 METHOD(private_key_t, get_fingerprint, bool,
 private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
- chunk_t n, e, key;
-
- if (lib->encoding->get_cache(lib->encoding, type, this, fp))
- {
- return TRUE;
- }
- key = this->key;
- read_string(&key);
- e = read_string(&key);
- n = read_string(&key);
-
- return lib->encoding->encode(lib->encoding, type, this, fp,
- CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+ return this->pubkey->get_fingerprint(this->pubkey, type, fp);
 }
 
 METHOD(private_key_t, get_ref, private_key_t*,
@@ -364,8 +372,8 @@ METHOD(private_key_t, destroy, void,
 if (ref_put(&this->ref))
 {
 close(this->socket);
- free(this->key.ptr);
- lib->encoding->clear_cache(lib->encoding, this);
+ chunk_free(&this->key);
+ DESTROY_IF(this->pubkey);
 free(this);
 }
 }
|