summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/openssl
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-05-25 19:01:36 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-05-25 19:01:36 +0000
commit1ac70afcc1f7d6d2738a34308810719b0976d29f (patch)
tree805f6ce2a15d1a717781d7cbceac8408a74b6b0c /src/libstrongswan/plugins/openssl
parented7d79f96177044949744da10f4431c1d6242241 (diff)
downloadvyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.tar.gz
vyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.4.0)
Diffstat (limited to 'src/libstrongswan/plugins/openssl')
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.am8
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in61
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c78
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_private_key.c27
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_public_key.c25
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c15
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.h5
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c58
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c21
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_sha1_prf.c139
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_sha1_prf.h48
12 files changed, 367 insertions, 122 deletions
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 25cc5aa1d..a50799798 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -3,12 +3,18 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-openssl.la
+else
plugin_LTLIBRARIES = libstrongswan-openssl.la
+endif
-libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
+libstrongswan_openssl_la_SOURCES = \
+ openssl_plugin.h openssl_plugin.c \
openssl_util.c openssl_util.h \
openssl_crypter.c openssl_crypter.h \
openssl_hasher.c openssl_hasher.h \
+ openssl_sha1_prf.c openssl_sha1_prf.h \
openssl_diffie_hellman.c openssl_diffie_hellman.h \
openssl_rsa_private_key.c openssl_rsa_private_key.h \
openssl_rsa_public_key.c openssl_rsa_public_key.h \
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index aa8ecf06c..a2a931d42 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -72,18 +72,22 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_openssl_la_DEPENDENCIES =
am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
openssl_util.lo openssl_crypter.lo openssl_hasher.lo \
- openssl_diffie_hellman.lo openssl_rsa_private_key.lo \
- openssl_rsa_public_key.lo openssl_ec_diffie_hellman.lo \
- openssl_ec_private_key.lo openssl_ec_public_key.lo
+ openssl_sha1_prf.lo openssl_diffie_hellman.lo \
+ openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
+ openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
+ openssl_ec_public_key.lo
libstrongswan_openssl_la_OBJECTS = \
$(am_libstrongswan_openssl_la_OBJECTS)
libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(libstrongswan_openssl_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_openssl_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_openssl_la_rpath =
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -222,6 +226,7 @@ ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
libstrongswan_plugins = @libstrongswan_plugins@
linux_headers = @linux_headers@
localedir = @localedir@
@@ -258,11 +263,14 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-openssl.la
-libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la
+libstrongswan_openssl_la_SOURCES = \
+ openssl_plugin.h openssl_plugin.c \
openssl_util.c openssl_util.h \
openssl_crypter.c openssl_crypter.h \
openssl_hasher.c openssl_hasher.h \
+ openssl_sha1_prf.c openssl_sha1_prf.h \
openssl_diffie_hellman.c openssl_diffie_hellman.h \
openssl_rsa_private_key.c openssl_rsa_private_key.h \
openssl_rsa_public_key.c openssl_rsa_public_key.h \
@@ -306,6 +314,15 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -338,7 +355,7 @@ clean-pluginLTLIBRARIES:
rm -f "$${dir}/so_locations"; \
done
libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES)
- $(libstrongswan_openssl_la_LINK) -rpath $(plugindir) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
+ $(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -355,6 +372,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@
.c.o:
@@ -500,8 +518,8 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
- mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
@@ -572,18 +590,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
.MAKE: install-am install-strip
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
- clean-libtool clean-pluginLTLIBRARIES ctags distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-html \
- install-html-am install-info install-info-am install-man \
- install-pdf install-pdf-am install-pluginLTLIBRARIES \
- install-ps install-ps-am install-strip installcheck \
- installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 80a1ee878..9a032c54f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -20,47 +20,6 @@
#include <debug.h>
-typedef struct modulus_entry_t modulus_entry_t;
-
-/**
- * Entry of the modulus list.
- */
-struct modulus_entry_t {
- /**
- * Group number as it is defined in file transform_substructure.h.
- */
- diffie_hellman_group_t group;
-
- /**
- * Pointer to the function to get the modulus.
- */
- BIGNUM *(*get_prime)(BIGNUM *bn);
-
- /*
- * Optimum length of exponent in bits.
- */
- long opt_exponent_len;
-
- /*
- * Generator value.
- */
- u_int16_t generator;
-};
-
-/**
- * All supported modulus values - optimum exponent size according to RFC 3526.
- */
-static modulus_entry_t modulus_entries[] = {
- {MODP_768_BIT, get_rfc2409_prime_768, 256, 2},
- {MODP_1024_BIT, get_rfc2409_prime_1024, 256, 2},
- {MODP_1536_BIT, get_rfc3526_prime_1536, 256, 2},
- {MODP_2048_BIT, get_rfc3526_prime_2048, 384, 2},
- {MODP_3072_BIT, get_rfc3526_prime_3072, 384, 2},
- {MODP_4096_BIT, get_rfc3526_prime_4096, 512, 2},
- {MODP_6144_BIT, get_rfc3526_prime_6144, 512, 2},
- {MODP_8192_BIT, get_rfc3526_prime_8192, 512, 2},
-};
-
typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
/**
@@ -125,7 +84,6 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
memset(secret->ptr, 0, secret->len);
memcpy(secret->ptr + secret->len - this->shared_secret.len,
this->shared_secret.ptr, this->shared_secret.len);
-
return SUCCESS;
}
@@ -145,7 +103,7 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
len = DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh);
if (len < 0)
{
- DBG1("DH shared secret computation failed");
+ DBG1(DBG_LIB, "DH shared secret computation failed");
return;
}
this->shared_secret.len = len;
@@ -165,27 +123,18 @@ static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *thi
*/
static status_t set_modulus(private_openssl_diffie_hellman_t *this)
{
- int i;
- bool ansi_x9_42;
-
- ansi_x9_42 = lib->settings->get_bool(lib->settings,
- "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-
- for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
+ diffie_hellman_params_t *params = diffie_hellman_get_params(this->group);
+ if (!params)
{
- if (modulus_entries[i].group == this->group)
- {
- this->dh->p = modulus_entries[i].get_prime(NULL);
- this->dh->g = BN_new();
- BN_set_word(this->dh->g, modulus_entries[i].generator);
- if (!ansi_x9_42)
- {
- this->dh->length = modulus_entries[i].opt_exponent_len;
- }
- return SUCCESS;
- }
+ return NOT_FOUND;
}
- return NOT_FOUND;
+ this->dh->p = BN_bin2bn(params->prime.ptr, params->prime.len, NULL);
+ this->dh->g = BN_bin2bn(params->generator.ptr, params->generator.len, NULL);
+ if (params->exp_len != params->prime.len)
+ {
+ this->dh->length = params->exp_len * 8;
+ }
+ return SUCCESS;
}
/**
@@ -237,7 +186,8 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
destroy(this);
return NULL;
}
- DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key));
+ DBG2(DBG_LIB, "size of DH secret exponent: %d bits",
+ BN_num_bits(this->dh->priv_key));
return &this->public;
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 671fa41e2..faec411cd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -212,14 +212,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
{
if (!chunk2ecp(this->ec_group, value, this->pub_key))
{
- DBG1("ECDH public value is malformed");
+ DBG1(DBG_LIB, "ECDH public value is malformed");
return;
}
chunk_free(&this->shared_secret);
if (!compute_shared_key(this, &this->shared_secret)) {
- DBG1("ECDH shared secret computation failed");
+ DBG1(DBG_LIB, "ECDH shared secret computation failed");
return;
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 89ced5a9a..bdcfda974 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -84,14 +84,14 @@ static bool build_curve_signature(private_openssl_ec_private_key_t *this,
req_group = EC_GROUP_new_by_curve_name(nid_curve);
if (!req_group)
{
- DBG1("signature scheme %N not supported in EC (required curve "
+ DBG1(DBG_LIB, "signature scheme %N not supported in EC (required curve "
"not supported)", signature_scheme_names, scheme);
return FALSE;
}
my_group = EC_KEY_get0_group(this->ec);
if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
{
- DBG1("signature scheme %N not supported by private key",
+ DBG1(DBG_LIB, "signature scheme %N not supported by private key",
signature_scheme_names, scheme);
return FALSE;
}
@@ -162,7 +162,7 @@ static bool sign(private_openssl_ec_private_key_t *this,
return build_curve_signature(this, scheme, NID_sha512,
NID_secp521r1, data, signature);
default:
- DBG1("signature scheme %N not supported",
+ DBG1(DBG_LIB, "signature scheme %N not supported",
signature_scheme_names, scheme);
return FALSE;
}
@@ -174,7 +174,7 @@ static bool sign(private_openssl_ec_private_key_t *this,
static bool decrypt(private_openssl_ec_private_key_t *this,
chunk_t crypto, chunk_t *plain)
{
- DBG1("EC private key decryption not implemented");
+ DBG1(DBG_LIB, "EC private key decryption not implemented");
return FALSE;
}
@@ -233,11 +233,24 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
switch (type)
{
case KEY_PRIV_ASN1_DER:
+ case KEY_PRIV_PEM:
{
+ bool success = TRUE;
+
*encoding = chunk_alloc(i2d_ECPrivateKey(this->ec, NULL));
p = encoding->ptr;
i2d_ECPrivateKey(this->ec, &p);
- return TRUE;
+
+ if (type == KEY_PRIV_PEM)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM,
+ NULL, encoding, KEY_PART_ECDSA_PRIV_ASN1_DER,
+ asn1_encoding, KEY_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
}
default:
return FALSE;
@@ -335,13 +348,13 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
this->ec = EC_KEY_new_by_curve_name(NID_secp521r1);
break;
default:
- DBG1("EC private key size %d not supported", key_size);
+ DBG1(DBG_LIB, "EC private key size %d not supported", key_size);
destroy(this);
return NULL;
}
if (EC_KEY_generate_key(this->ec) != 1)
{
- DBG1("EC private key generation failed", key_size);
+ DBG1(DBG_LIB, "EC private key generation failed", key_size);
destroy(this);
return NULL;
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index f37c736b1..790a8487d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -82,14 +82,14 @@ static bool verify_curve_signature(private_openssl_ec_public_key_t *this,
req_group = EC_GROUP_new_by_curve_name(nid_curve);
if (!req_group)
{
- DBG1("signature scheme %N not supported in EC (required curve "
+ DBG1(DBG_LIB, "signature scheme %N not supported in EC (required curve "
"not supported)", signature_scheme_names, scheme);
return FALSE;
}
my_group = EC_KEY_get0_group(this->ec);
if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
{
- DBG1("signature scheme %N not supported by private key",
+ DBG1(DBG_LIB, "signature scheme %N not supported by private key",
signature_scheme_names, scheme);
return FALSE;
}
@@ -162,7 +162,7 @@ static bool verify(private_openssl_ec_public_key_t *this,
return verify_curve_signature(this, scheme, NID_sha512,
NID_secp521r1, data, signature);
default:
- DBG1("signature scheme %N not supported in EC",
+ DBG1(DBG_LIB, "signature scheme %N not supported in EC",
signature_scheme_names, scheme);
return FALSE;
}
@@ -174,7 +174,7 @@ static bool verify(private_openssl_ec_public_key_t *this,
static bool encrypt_(private_openssl_ec_public_key_t *this,
chunk_t crypto, chunk_t *plain)
{
- DBG1("EC public key encryption not implemented");
+ DBG1(DBG_LIB, "EC public key encryption not implemented");
return FALSE;
}
@@ -217,7 +217,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!hasher)
{
- DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+ DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
free(key.ptr);
return FALSE;
}
@@ -248,11 +248,24 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
switch (type)
{
case KEY_PUB_SPKI_ASN1_DER:
+ case KEY_PUB_PEM:
{
+ bool success = TRUE;
+
*encoding = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL));
p = encoding->ptr;
i2d_EC_PUBKEY(this->ec, &p);
- return TRUE;
+
+ if (type == KEY_PUB_PEM)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM,
+ NULL, encoding, KEY_PART_ECDSA_PUB_ASN1_DER,
+ asn1_encoding, KEY_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
}
default:
return FALSE;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 548a76bb4..c1545ffb8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -27,6 +27,7 @@
#include "openssl_util.h"
#include "openssl_crypter.h"
#include "openssl_hasher.h"
+#include "openssl_sha1_prf.h"
#include "openssl_diffie_hellman.h"
#include "openssl_ec_diffie_hellman.h"
#include "openssl_rsa_private_key.h"
@@ -170,6 +171,8 @@ static void destroy(private_openssl_plugin_t *this)
(crypter_constructor_t)openssl_crypter_create);
lib->crypto->remove_hasher(lib->crypto,
(hasher_constructor_t)openssl_hasher_create);
+ lib->crypto->remove_prf(lib->crypto,
+ (prf_constructor_t)openssl_sha1_prf_create);
lib->crypto->remove_dh(lib->crypto,
(dh_constructor_t)openssl_diffie_hellman_create);
lib->crypto->remove_dh(lib->crypto,
@@ -201,7 +204,7 @@ static void destroy(private_openssl_plugin_t *this)
/*
* see header file
*/
-plugin_t *plugin_create()
+plugin_t *openssl_plugin_create()
{
private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
@@ -256,9 +259,17 @@ plugin_t *plugin_create()
lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
(hasher_constructor_t)openssl_hasher_create);
+ /* prf */
+ lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+ (prf_constructor_t)openssl_sha1_prf_create);
+
/* (ec) diffie hellman */
lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
(dh_constructor_t)openssl_diffie_hellman_create);
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+ (dh_constructor_t)openssl_diffie_hellman_create);
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+ (dh_constructor_t)openssl_diffie_hellman_create);
lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
(dh_constructor_t)openssl_diffie_hellman_create);
lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
@@ -281,6 +292,8 @@ plugin_t *plugin_create()
(dh_constructor_t)openssl_diffie_hellman_create);
lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
(dh_constructor_t)openssl_diffie_hellman_create);
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+ (dh_constructor_t)openssl_diffie_hellman_create);
lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
(dh_constructor_t)openssl_diffie_hellman_create);
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.h b/src/libstrongswan/plugins/openssl/openssl_plugin.h
index 9f422c9d0..0762c37b9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.h
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.h
@@ -39,9 +39,4 @@ struct openssl_plugin_t {
plugin_t plugin;
};
-/**
- * Create a openssl_plugin instance.
- */
-plugin_t *plugin_create();
-
#endif /** OPENSSL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 078f889a6..de751fe89 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -160,7 +160,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
case SIGN_RSA_EMSA_PKCS1_MD5:
return build_emsa_pkcs1_signature(this, NID_md5, data, signature);
default:
- DBG1("signature scheme %N not supported in RSA",
+ DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
signature_scheme_names, scheme);
return FALSE;
}
@@ -172,7 +172,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
static bool decrypt(private_openssl_rsa_private_key_t *this,
chunk_t crypto, chunk_t *plain)
{
- DBG1("RSA private key decryption not implemented");
+ DBG1(DBG_LIB, "RSA private key decryption not implemented");
return FALSE;
}
@@ -226,11 +226,24 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
switch (type)
{
case KEY_PRIV_ASN1_DER:
+ case KEY_PRIV_PEM:
{
+ bool success = TRUE;
+
*encoding = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
p = encoding->ptr;
i2d_RSAPrivateKey(this->rsa, &p);
- return TRUE;
+
+ if (type == KEY_PRIV_PEM)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM,
+ NULL, encoding, KEY_PART_RSA_PRIV_ASN1_DER,
+ asn1_encoding, KEY_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
}
default:
return FALSE;
@@ -296,6 +309,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
{
private_openssl_rsa_private_key_t *this;
u_int key_size = 0;
+ RSA *rsa = NULL;
+ BIGNUM *e = NULL;
while (TRUE)
{
@@ -315,10 +330,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
{
return NULL;
}
+ e = BN_new();
+ if (!e || !BN_set_word(e, PUBLIC_EXPONENT))
+ {
+ goto error;
+ }
+ rsa = RSA_new();
+ if (!rsa || !RSA_generate_key_ex(rsa, key_size, e, NULL))
+ {
+ goto error;
+ }
this = create_empty();
- this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
-
+ this->rsa = rsa;
+ BN_free(e);
return &this->public;
+
+error:
+ if (e)
+ {
+ BN_free(e);
+ }
+ if (rsa)
+ {
+ RSA_free(rsa);
+ }
+ return NULL;
}
/**
@@ -440,22 +476,22 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
}
engine_id = lib->settings->get_str(lib->settings,
- "library.plugins.openssl.engine_id", "pkcs11");
+ "libstrongswan.plugins.openssl.engine_id", "pkcs11");
engine = ENGINE_by_id(engine_id);
if (!engine)
{
- DBG1("engine '%s' is not available", engine_id);
+ DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
return NULL;
}
if (!ENGINE_init(engine))
{
- DBG1("failed to initialize engine '%s'", engine_id);
+ DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id);
ENGINE_free(engine);
return NULL;
}
if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
{
- DBG1("failed to set PIN on engine '%s'", engine_id);
+ DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id);
ENGINE_free(engine);
return NULL;
}
@@ -463,8 +499,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
if (!key)
{
- DBG1("failed to load private key with ID '%s' from engine '%s'",
- keyid, engine_id);
+ DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
+ "engine '%s'", keyid, engine_id);
ENGINE_free(engine);
return NULL;
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 422262b19..ffa575a97 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -145,7 +145,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
case SIGN_RSA_EMSA_PKCS1_MD5:
return verify_emsa_pkcs1_signature(this, NID_md5, data, signature);
default:
- DBG1("signature scheme %N not supported in RSA",
+ DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
signature_scheme_names, scheme);
return FALSE;
}
@@ -157,7 +157,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
static bool encrypt_(private_openssl_rsa_public_key_t *this,
chunk_t crypto, chunk_t *plain)
{
- DBG1("RSA public key encryption not implemented");
+ DBG1(DBG_LIB, "RSA public key encryption not implemented");
return FALSE;
}
@@ -200,7 +200,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!hasher)
{
- DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+ DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
free(key.ptr);
return FALSE;
}
@@ -231,11 +231,24 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
switch (type)
{
case KEY_PUB_SPKI_ASN1_DER:
+ case KEY_PUB_PEM:
{
+ bool success = TRUE;
+
*encoding = chunk_alloc(i2d_RSA_PUBKEY(this->rsa, NULL));
p = encoding->ptr;
i2d_RSA_PUBKEY(this->rsa, &p);
- return TRUE;
+
+ if (type == KEY_PUB_PEM)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM,
+ NULL, encoding, KEY_PART_RSA_PUB_ASN1_DER,
+ asn1_encoding, KEY_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
}
case KEY_PUB_ASN1_DER:
{
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
new file mode 100644
index 000000000..b65388010
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "openssl_sha1_prf.h"
+
+#include <openssl/sha.h>
+
+typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t;
+
+/**
+ * Private data of an openssl_sha1_prf_t object.
+ */
+struct private_openssl_sha1_prf_t {
+
+ /**
+ * Public openssl_sha1_prf_t interface.
+ */
+ openssl_sha1_prf_t public;
+
+ /**
+ * SHA1 context
+ */
+ SHA_CTX ctx;
+};
+
+METHOD(prf_t, get_bytes, void,
+ private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
+{
+ SHA1_Update(&this->ctx, seed.ptr, seed.len);
+
+ if (bytes)
+ {
+ u_int32_t *hash = (u_int32_t*)bytes;
+
+ hash[0] = htonl(this->ctx.h0);
+ hash[1] = htonl(this->ctx.h1);
+ hash[2] = htonl(this->ctx.h2);
+ hash[3] = htonl(this->ctx.h3);
+ hash[4] = htonl(this->ctx.h4);
+ }
+}
+
+METHOD(prf_t, get_block_size, size_t,
+ private_openssl_sha1_prf_t *this)
+{
+ return HASH_SIZE_SHA1;
+}
+
+METHOD(prf_t, allocate_bytes, void,
+ private_openssl_sha1_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+ if (chunk)
+ {
+ *chunk = chunk_alloc(HASH_SIZE_SHA1);
+ get_bytes(this, seed, chunk->ptr);
+ }
+ else
+ {
+ get_bytes(this, seed, NULL);
+ }
+}
+
+METHOD(prf_t, get_key_size, size_t,
+ private_openssl_sha1_prf_t *this)
+{
+ return HASH_SIZE_SHA1;
+}
+
+METHOD(prf_t, set_key, void,
+ private_openssl_sha1_prf_t *this, chunk_t key)
+{
+ SHA1_Init(&this->ctx);
+
+ if (key.len >= 4)
+ {
+ this->ctx.h0 ^= untoh32(key.ptr);
+ }
+ if (key.len >= 8)
+ {
+ this->ctx.h1 ^= untoh32(key.ptr + 4);
+ }
+ if (key.len >= 12)
+ {
+ this->ctx.h2 ^= untoh32(key.ptr + 8);
+ }
+ if (key.len >= 16)
+ {
+ this->ctx.h3 ^= untoh32(key.ptr + 12);
+ }
+ if (key.len >= 20)
+ {
+ this->ctx.h4 ^= untoh32(key.ptr + 16);
+ }
+}
+
+METHOD(prf_t, destroy, void,
+ private_openssl_sha1_prf_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
+{
+ private_openssl_sha1_prf_t *this;
+
+ if (algo != PRF_KEYED_SHA1)
+ {
+ return NULL;
+ }
+
+ INIT(this,
+ .public.prf = {
+ .get_block_size = _get_block_size,
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .get_key_size = _get_key_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
new file mode 100644
index 000000000..9a24e7ee1
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_sha1_prf openssl_sha1_prf
+ * @{ @ingroup sha1_p
+ */
+
+#ifndef OPENSSL_SHA1_PRF_H_
+#define OPENSSL_SHA1_PRF_H_
+
+typedef struct openssl_sha1_prf_t openssl_sha1_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of prf_t interface using keyed SHA1 algorithm as used
+ * in EAP-AKA/FIPS_PRF.
+ */
+struct openssl_sha1_prf_t {
+
+ /**
+ * Implements prf_t interface.
+ */
+ prf_t prf;
+};
+
+/**
+ * Creates a new openssl_sha1_prf_t.
+ *
+ * @param algo algorithm, must be PRF_KEYED_SHA1
+ * @return sha1_keyed_prf_tobject
+ */
+openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo);
+
+#endif /** OPENSSL_SHA1_PRF_H_ @}*/