Imported Upstream version 5.0.4

author: Yves-Alexis Perez <corsac@debian.org> 2013-04-30 17:51:33 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2013-04-30 17:51:33 +0200
commit: c83921a2b566aa9d55d8ccc7258f04fca6292ee6 (patch)
tree: 44039788fc816c84d5788df847d1555413ebe55a /src/libstrongswan/plugins/openssl
parent: 10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (diff)
download: vyos-strongswan-c83921a2b566aa9d55d8ccc7258f04fca6292ee6.tar.gz
vyos-strongswan-c83921a2b566aa9d55d8ccc7258f04fca6292ee6.zip
8 files changed, 50 insertions, 13 deletions
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index e71567311..0ca27983f 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -1,7 +1,7 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-openssl.la
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 5eca47a1c..ba45e4bbc 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -256,6 +256,7 @@ dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -326,7 +327,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la
 libstrongswan_openssl_la_SOURCES = \
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index c8a45f79a..38cc8bedf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 	if (openssl_hash_chunk(nid_hash, data, &hash))
 	{
 		valid = ECDSA_verify(0, hash.ptr, hash.len,
-							 signature.ptr, signature.len, this->ec);
+							 signature.ptr, signature.len, this->ec) == 1;
 		free(hash.ptr);
 	}
 	return valid;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 915082234..ce6610ad6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void,
 plugin_t *openssl_plugin_create()
 {
 	private_openssl_plugin_t *this;
+	int fips_mode;
+
+	fips_mode = lib->settings->get_int(lib->settings,
+						"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode_set(fips_mode))
+	{
+		DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
+				   fips_mode ? "en" : "dis");
+#else
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+	if (fips_mode)
+	{
+		return NULL;
+	}
+#endif
 
 	INIT(this,
 		.public = {
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index d3d64f5e8..10db6293a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -57,7 +57,7 @@ METHOD(rng_t, get_bytes, bool,
 	{
 		ret = RAND_pseudo_bytes((char*)buffer, bytes);
 	}
-	return ret != 0;
+	return ret == 1;
 }
 
 METHOD(rng_t, allocate_bytes, bool,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index fb86a6bf1..036f53d23 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -428,7 +428,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 	if (blob.ptr)
 	{
 		this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
-		if (this->rsa && RSA_check_key(this->rsa))
+		if (this->rsa && RSA_check_key(this->rsa) == 1)
 		{
 			return &this->public;
 		}
@@ -450,7 +450,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 			this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);
 		}
 		this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);
-		if (RSA_check_key(this->rsa))
+		if (RSA_check_key(this->rsa) == 1)
 		{
 			return &this->public;
 		}
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index bf71d7901..48beedef6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -48,8 +48,6 @@ struct private_openssl_rsa_public_key_t {
 	refcount_t ref;
 };
 
-
-
 /**
  * Verification of an EMPSA PKCS1 signature described in PKCS#1
  */
@@ -67,12 +65,17 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 
 	if (type == NID_undef)
 	{
-		chunk_t hash = chunk_alloc(rsa_size);
+		char *buf;
+		int len;
 
-		hash.len = RSA_public_decrypt(signature.len, signature.ptr, hash.ptr,
-									  this->rsa, RSA_PKCS1_PADDING);
-		valid = chunk_equals(data, hash);
-		free(hash.ptr);
+		buf = malloc(rsa_size);
+		len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,
+								 RSA_PKCS1_PADDING);
+		if (len != -1)
+		{
+			valid = chunk_equals(data, chunk_create(buf, len));
+		}
+		free(buf);
 	}
 	else
 	{
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index 8c00e6a57..446c93e2b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -42,7 +42,14 @@ struct private_openssl_sha1_prf_t {
 METHOD(prf_t, get_bytes, bool,
 	private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!SHA1_Update(&this->ctx, seed.ptr, seed.len))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
 	SHA1_Update(&this->ctx, seed.ptr, seed.len);
+#endif
 
 	if (bytes)
 	{
@@ -84,7 +91,14 @@ METHOD(prf_t, get_key_size, size_t,
 METHOD(prf_t, set_key, bool,
 	private_openssl_sha1_prf_t *this, chunk_t key)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!SHA1_Init(&this->ctx))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
 	SHA1_Init(&this->ctx);
+#endif
 
 	if (key.len % 4)
 	{
author	Yves-Alexis Perez <corsac@debian.org>	2013-04-30 17:51:33 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2013-04-30 17:51:33 +0200
commit	c83921a2b566aa9d55d8ccc7258f04fca6292ee6 (patch)
tree	44039788fc816c84d5788df847d1555413ebe55a /src/libstrongswan/plugins/openssl
parent	10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (diff)
download	vyos-strongswan-c83921a2b566aa9d55d8ccc7258f04fca6292ee6.tar.gz vyos-strongswan-c83921a2b566aa9d55d8ccc7258f04fca6292ee6.zip