[svn-upgrade] Integrating new upstream version, strongswan (4.2.9)

11 files changed, 274 insertions, 136 deletions

diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index a3b8eebf3..5e7d0839e 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -215,9 +215,13 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 	chunk_t blob = chunk_from_buf(buf), key, type, tmp;
 	
 	len = htonl(1);
-	write(this->socket, &len, sizeof(len));
 	buf[0] = SSH_AGENT_ID_REQUEST;
-	write(this->socket, &buf, 1);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, &buf, 1) != 1)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	blob.len = read(this->socket, blob.ptr, blob.len);
 	
@@ -275,20 +279,36 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	}
 	
 	len = htonl(1 + sizeof(u_int32_t) * 3 + this->key.len + data.len);
-	write(this->socket, &len, sizeof(len));
 	buf[0] = SSH_AGENT_SIGN_REQUEST;
-	write(this->socket, &buf, 1);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, &buf, 1) != 1)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	len = htonl(this->key.len);
-	write(this->socket, &len, sizeof(len));
-	write(this->socket, this->key.ptr, this->key.len);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, this->key.ptr, this->key.len) != this->key.len)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	len = htonl(data.len);
-	write(this->socket, &len, sizeof(len));
-	write(this->socket, data.ptr, data.len);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, data.ptr, data.len) != data.len)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	flags = htonl(0);
-	write(this->socket, &flags, sizeof(flags));
+	if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	blob.len = read(this->socket, blob.ptr, blob.len);
 	if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 4754d569e..cd54c76a3 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: curl_fetcher.c 3529 2008-03-05 15:26:24Z martin $
+ * $Id: curl_fetcher.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <curl/curl.h>
@@ -123,7 +123,7 @@ static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ..
 		case FETCH_REQUEST_DATA:
 		{
 			chunk_t data = va_arg(args, chunk_t);
-			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, data.ptr);
+			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr);
 			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len);
 			return TRUE;
 		}
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 40e83fc4c..294fb722f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_diffie_hellman.c 4346 2008-09-17 09:02:30Z martin $
+ * $Id: gmp_diffie_hellman.c 4566 2008-11-04 13:12:11Z martin $
  */
 
 #include <gmp.h>
@@ -304,23 +304,28 @@ struct modulus_entry_t {
 	size_t modulus_len;
 	
 	/* 
+	 * Optimum length of exponent in bytes.
+	 */	
+	size_t opt_exponent_len;
+
+	/* 
 	 * Generator value.
 	 */	
 	u_int16_t generator;
 };
 
 /**
- * All supported modulus values.
+ * All supported modulus values - optimum exponent size according to RFC 3526.
  */
 static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 2},
-	{MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 2},
-	{MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 2},
-	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 2},
-	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 2},
-	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 2},
-	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 2},
-	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 2},
+	{MODP_768_BIT,  group1_modulus,  sizeof(group1_modulus),  32, 2},
+	{MODP_1024_BIT, group2_modulus,  sizeof(group2_modulus),  32, 2},
+	{MODP_1536_BIT, group5_modulus,  sizeof(group5_modulus),  32, 2},
+	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 48, 2},
+	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 48, 2},
+	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 64, 2},
+	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 64, 2},
+	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 64, 2},
 };
 
 typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t;
@@ -375,6 +380,11 @@ struct private_gmp_diffie_hellman_t {
 	size_t p_len;
 	
 	/**
+	 * Optimal exponent length.
+	 */
+	size_t opt_exponent_len;
+
+	/**
 	 * True if shared secret is computed and stored in my_public_value.
 	 */
 	bool computed;
@@ -430,25 +440,6 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 }
 
 /**
- * Implementation of gmp_diffie_hellman_t.get_other_public_value.
- */
-static status_t get_other_public_value(private_gmp_diffie_hellman_t *this, 
-									   chunk_t *value)
-{
-	if (!this->computed)
-	{
-		return FAILED;
-	}
-	value->len = this->p_len;
-	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
-	if (value->ptr == NULL)
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
  * Implementation of gmp_diffie_hellman_t.get_my_public_value.
  */
 static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
@@ -504,6 +495,7 @@ static status_t set_modulus(private_gmp_diffie_hellman_t *this)
 			chunk.len = modulus_entries[i].modulus_len;
 			mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr);
 			this->p_len = chunk.len;
+			this->opt_exponent_len = modulus_entries[i].opt_exponent_len;
 			mpz_set_ui(this->g, modulus_entries[i].generator);
 			status = SUCCESS;
 			break;
@@ -534,11 +526,12 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	private_gmp_diffie_hellman_t *this = malloc_thing(private_gmp_diffie_hellman_t);
 	rng_t *rng;
 	chunk_t random;
+	bool ansi_x9_42;
+	size_t exponent_len;
 
 	/* public functions */
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
@@ -567,11 +560,22 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 		destroy(this);
 		return NULL;
 	}
-	rng->allocate_bytes(rng, this->p_len, &random);
+
+	ansi_x9_42 = lib->settings->get_int(lib->settings,
+					 "charon.dh_exponent_ansi_x9_42", TRUE);
+	exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;	
+	rng->allocate_bytes(rng, exponent_len, &random);
 	rng->destroy(rng);
+
+	if (ansi_x9_42)
+	{
+		/* achieve bitsof(p)-1 by setting MSB to 0 */
+		*random.ptr &= 0x7F;
+	}
 	mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
 	chunk_free(&random);
-	
+	DBG2("size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2));
+
 	mpz_powm(this->ya, this->g, this->xa, this->p);
 	
 	return &this->public;
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 95c079b0b..7c83b3dea 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_diffie_hellman.c 3896 2008-04-29 15:42:34Z tobias $
+ * $Id: openssl_diffie_hellman.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #include <openssl/dh.h>
@@ -38,23 +39,28 @@ struct modulus_entry_t {
 	BIGNUM *(*get_prime)(BIGNUM *bn);
 	
 	/* 
+	 * Optimum length of exponent in bits.
+	 */	
+	long opt_exponent_len;
+	
+	/* 
 	 * Generator value.
 	 */	
 	u_int16_t generator;
 };
 
 /**
- * All supported modulus values.
+ * All supported modulus values - optimum exponent size according to RFC 3526.
  */
 static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT,  get_rfc2409_prime_768,  2},
-	{MODP_1024_BIT, get_rfc2409_prime_1024, 2},
-	{MODP_1536_BIT, get_rfc3526_prime_1536, 2},
-	{MODP_2048_BIT, get_rfc3526_prime_2048, 2},
-	{MODP_3072_BIT, get_rfc3526_prime_3072, 2},
-	{MODP_4096_BIT, get_rfc3526_prime_4096, 2},
-	{MODP_6144_BIT, get_rfc3526_prime_6144, 2},
-	{MODP_8192_BIT, get_rfc3526_prime_8192, 2},
+	{MODP_768_BIT,  get_rfc2409_prime_768,  256, 2},
+	{MODP_1024_BIT, get_rfc2409_prime_1024, 256, 2},
+	{MODP_1536_BIT, get_rfc3526_prime_1536, 256, 2},
+	{MODP_2048_BIT, get_rfc3526_prime_2048, 384, 2},
+	{MODP_3072_BIT, get_rfc3526_prime_3072, 384, 2},
+	{MODP_4096_BIT, get_rfc3526_prime_4096, 512, 2},
+	{MODP_6144_BIT, get_rfc3526_prime_6144, 512, 2},
+	{MODP_8192_BIT, get_rfc3526_prime_8192, 512, 2},
 };
 
 typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
@@ -87,7 +93,7 @@ struct private_openssl_diffie_hellman_t {
 	 * Shared secret
 	 */
 	chunk_t shared_secret;
-
+	
 	/**
 	 * True if shared secret is computed
 	 */
@@ -95,68 +101,57 @@ struct private_openssl_diffie_hellman_t {
 };
 
 /**
- * Convert a BIGNUM to a chunk
- */
-static void bn2chunk(BIGNUM *bn, chunk_t *chunk)
-{
-	chunk->len = BN_num_bytes(bn);
-	chunk->ptr = malloc(chunk->len);
-	BN_bn2bin(bn, chunk->ptr);
-}
-
-/**
- * Implementation of openssl_diffie_hellman_t.set_other_public_value.
+ * Implementation of openssl_diffie_hellman_t.get_my_public_value.
  */
-static void set_other_public_value(private_openssl_diffie_hellman_t *this, chunk_t value)
+static void get_my_public_value(private_openssl_diffie_hellman_t *this,
+								chunk_t *value)
 {
-	int len;
-	BN_bin2bn(value.ptr, value.len, this->pub_key);
-
-	len = DH_size(this->dh);
-	chunk_free(&this->shared_secret);
-	this->shared_secret = chunk_alloc(len);
-	
-	if (DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh) < 0) {
-    	DBG1("DH shared secret computation failed");
-    	return;
-    }
-	
-    this->computed = TRUE;
+	*value = chunk_alloc(DH_size(this->dh));
+	memset(value->ptr, 0, value->len);
+	BN_bn2bin(this->dh->pub_key,
+			  value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
 }
 
 /**
- * Implementation of openssl_diffie_hellman_t.get_other_public_value.
+ * Implementation of openssl_diffie_hellman_t.get_shared_secret.
  */
-static status_t get_other_public_value(private_openssl_diffie_hellman_t *this, 
-									   chunk_t *value)
+static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
+								  chunk_t *secret)
 {
 	if (!this->computed)
 	{
 		return FAILED;
 	}
-	bn2chunk(this->pub_key, value);
+	/* shared secret should requires a len according the DH group */
+	*secret = chunk_alloc(DH_size(this->dh));
+	memset(secret->ptr, 0, secret->len);
+	memcpy(secret->ptr + secret->len - this->shared_secret.len, 
+		   this->shared_secret.ptr, this->shared_secret.len);
+
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_diffie_hellman_t *this,chunk_t *value)
-{
-	bn2chunk(this->dh->pub_key, value);
-}
 
 /**
- * Implementation of openssl_diffie_hellman_t.get_shared_secret.
+ * Implementation of openssl_diffie_hellman_t.set_other_public_value.
  */
-static status_t get_shared_secret(private_openssl_diffie_hellman_t *this, chunk_t *secret)
+static void set_other_public_value(private_openssl_diffie_hellman_t *this,
+								   chunk_t value)
 {
-	if (!this->computed)
+	int len;
+	
+	BN_bin2bn(value.ptr, value.len, this->pub_key);
+	chunk_clear(&this->shared_secret);
+	this->shared_secret.ptr = malloc(DH_size(this->dh));
+	memset(this->shared_secret.ptr, 0xFF, this->shared_secret.len);
+	len = DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh);
+	if (len < 0)
 	{
-		return FAILED;
+		DBG1("DH shared secret computation failed");
+		return;
 	}
-	*secret = chunk_clone(this->shared_secret);
-	return SUCCESS;
+	this->shared_secret.len = len;
+	this->computed = TRUE;
 }
 
 /**
@@ -173,6 +168,11 @@ static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *thi
 static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 {
 	int i;
+	bool ansi_x9_42;
+	
+	ansi_x9_42 = lib->settings->get_bool(lib->settings,
+										 "charon.dh_exponent_ansi_x9_42", TRUE);
+	
 	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
 	{
 		if (modulus_entries[i].group == this->group)
@@ -180,6 +180,10 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 			this->dh->p = modulus_entries[i].get_prime(NULL);
 			this->dh->g = BN_new();
 			BN_set_word(this->dh->g, modulus_entries[i].generator);
+			if (!ansi_x9_42)
+			{
+				this->dh->length = modulus_entries[i].opt_exponent_len;
+			}
 			return SUCCESS;
 		}
 	}
@@ -193,7 +197,7 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 {
 	BN_clear_free(this->pub_key);
 	DH_free(this->dh);
-	chunk_free(&this->shared_secret);
+	chunk_clear(&this->shared_secret);
 	free(this);
 }
 
@@ -206,7 +210,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
@@ -220,7 +223,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	
 	this->group = group;
 	this->computed = FALSE;
-	
 	this->pub_key = BN_new();
 	this->shared_secret = chunk_empty;
 	
@@ -237,6 +239,7 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 		destroy(this);
 		return NULL;
 	}
+	DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key));
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 9d2bd44cd..9a89ad045 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_ec_diffie_hellman.c 4052 2008-06-10 09:19:18Z tobias $
+ * $Id: openssl_ec_diffie_hellman.c 4566 2008-11-04 13:12:11Z martin $
  */
 
 #include <openssl/ec.h>
@@ -217,24 +217,6 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 }
 
 /**
- * Implementation of openssl_ec_diffie_hellman_t.get_other_public_value.
- */
-static status_t get_other_public_value(private_openssl_ec_diffie_hellman_t *this, 
-									   chunk_t *value)
-{
-	if (!this->computed)
-	{
-		return FAILED;
-	}
-	
-	if (!ecp2chunk(this->ec_group, this->pub_key, value))
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
  * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value.
  */
 static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
@@ -283,7 +265,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 	
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 82c54a95e..dcc78aed6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,15 +13,18 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_plugin.c 4309 2008-08-28 11:07:57Z martin $
+ * $Id: openssl_plugin.c 4583 2008-11-05 12:37:37Z martin $
  */
 
 #include <openssl/evp.h>
 #include <openssl/engine.h>
+#include <openssl/crypto.h>
+#include <pthread.h>
 
 #include "openssl_plugin.h"
 
 #include <library.h>
+#include <utils/mutex.h>
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
 #include "openssl_diffie_hellman.h"
@@ -44,6 +48,120 @@ struct private_openssl_plugin_t {
 };
 
 /**
+ * Array of static mutexs, with CRYPTO_num_locks() mutex
+ */
+static mutex_t **mutex = NULL;
+
+/**
+ * Locking callback for static locks
+ */
+static void locking_function(int mode, int type, const char *file, int line)
+{
+	if (mutex)
+	{
+		if (mode & CRYPTO_LOCK)
+		{
+			mutex[type]->lock(mutex[type]);
+		}
+		else
+		{
+			mutex[type]->unlock(mutex[type]);
+		}
+	}
+}
+
+/**
+ * Implementation of dynlock
+ */
+struct CRYPTO_dynlock_value {
+	mutex_t *mutex;
+};
+
+/**
+ * Callback to create a dynamic lock
+ */
+static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
+{
+	struct CRYPTO_dynlock_value *lock;
+	
+	lock = malloc_thing(struct CRYPTO_dynlock_value);
+	lock->mutex = mutex_create(MUTEX_DEFAULT);
+	return lock;
+}
+
+/**
+ * Callback to (un-)lock a dynamic lock
+ */
+static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
+						  const char *file, int line)
+{
+	if (mode & CRYPTO_LOCK)
+	{
+		lock->mutex->lock(lock->mutex);
+	}
+	else
+	{
+		lock->mutex->unlock(lock->mutex);
+	}
+}
+
+/**
+ * Callback to destroy a dynamic lock
+ */
+static void destroy_function(struct CRYPTO_dynlock_value *lock,
+							 const char *file, int line)
+{
+	lock->mutex->destroy(lock->mutex);
+	free(lock);
+}
+
+/**
+ * Thread-ID callback function
+ */
+static unsigned long id_function(void)
+{
+	return pthread_self();
+}
+
+/**
+ * initialize OpenSSL for multi-threaded use
+ */
+static void threading_init()
+{
+	int i, num_locks;
+
+	CRYPTO_set_id_callback(id_function);
+ 	CRYPTO_set_locking_callback(locking_function);
+	
+	CRYPTO_set_dynlock_create_callback(create_function);
+	CRYPTO_set_dynlock_lock_callback(lock_function);
+	CRYPTO_set_dynlock_destroy_callback(destroy_function);
+	
+	num_locks = CRYPTO_num_locks();
+	mutex = malloc(sizeof(mutex_t*) * num_locks);
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i] = mutex_create(MUTEX_DEFAULT);
+	}
+}
+
+/**
+ * cleanup OpenSSL threading locks
+ */
+static void threading_cleanup()
+{
+	int i, num_locks;
+	
+	num_locks = CRYPTO_num_locks();
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i]->destroy(mutex[i]);
+	}
+	free(mutex);
+	mutex = NULL;
+}
+
+/**
  * Implementation of openssl_plugin_t.destroy
  */
 static void destroy(private_openssl_plugin_t *this)
@@ -68,6 +186,8 @@ static void destroy(private_openssl_plugin_t *this)
 	ENGINE_cleanup();
 	EVP_cleanup();
 	
+	threading_cleanup();
+	
 	free(this);
 }
 
@@ -80,6 +200,8 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
+	threading_init();
+	
 	OpenSSL_add_all_algorithms();
 	
 	/* activate support for hardware accelerators */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 8ad75215a..a815ce622 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_private_key.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: openssl_rsa_private_key.c 4564 2008-11-04 13:01:36Z martin $
  */
 
 #include "openssl_rsa_private_key.h"
@@ -74,9 +74,11 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGN
  * Build an EMPSA PKCS1 signature described in PKCS#1
  */
 static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
-									   int type, chunk_t data, chunk_t *signature)
+									   int type, chunk_t data, chunk_t *out)
 {
 	bool success = FALSE;
+	u_char *sig = NULL;
+	u_int len;
 	const EVP_MD *hasher = EVP_get_digestbynid(type);
 	if (!hasher)
 	{
@@ -105,14 +107,17 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
 		goto error;
 	}
 	
-	*signature = chunk_alloc(RSA_size(this->rsa));
-	
-	if (!EVP_SignFinal(ctx, signature->ptr, &signature->len, key))
+	sig = malloc(EVP_PKEY_size(key));
+	if (EVP_SignFinal(ctx, sig, &len, key))
 	{
-		goto error;
+		out->ptr = sig;
+		out->len = len;
+		success = TRUE;
+	}
+	else
+	{
+		free(sig);
 	}
-	
-	success = TRUE;
 	
 error:
 	if (key)
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 61b5b9b64..794fa8123 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_public_key.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: openssl_rsa_public_key.c 4567 2008-11-04 14:05:42Z martin $
  */
 
 #include "openssl_rsa_public_key.h"
@@ -90,13 +90,11 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 		goto error;
 	}
 	
-	/* remove any preceding 0-bytes from signature */
-	while (signature.len && *(signature.ptr) == 0x00)
+	/* VerifyFinal expects a signature of exactly RSA size (no leading 0x00) */
+	if (signature.len > RSA_size(this->rsa))
 	{
-		signature.len -= 1;
-		signature.ptr++;
+		signature = chunk_skip(signature, signature.len - RSA_size(this->rsa));
 	}
-	
 	valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
 	
 error:
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index caae5e08d..257a903e4 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -21,6 +21,8 @@
 #include "x509_ac.h"
 #include "ietf_attr_list.h"
 
+#include <time.h>
+
 #include <library.h>
 #include <debug.h>
 #include <asn1/oid.h>
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index c82d14a17..9f76c3486 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_cert.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: x509_cert.c 4576 2008-11-05 08:32:38Z martin $
  */
 
 #define _GNU_SOURCE
@@ -25,6 +25,7 @@
 #include "x509_cert.h"
 
 #include <sys/stat.h>
+#include <time.h>
 #include <unistd.h>
 #include <string.h>
 #include <stdio.h>
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index eb9bfe903..8375d88ef 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_crl.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: x509_crl.c 4576 2008-11-05 08:32:38Z martin $
  */
 
 #include "x509_crl.h"
@@ -20,6 +20,8 @@
 typedef struct private_x509_crl_t private_x509_crl_t;
 typedef struct revoked_t revoked_t;
 
+#include <time.h>
+
 #include <debug.h>
 #include <library.h>
 #include <asn1/oid.h>