Diffstat (limited to 'src/libstrongswan/crypto')
-rw-r--r-- | src/libstrongswan/crypto/aead.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypto_factory.c | 4 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypto_factory.h | 1 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypto_tester.c | 4 | ||||
-rw-r--r-- | src/libstrongswan/crypto/nonce_gen.h | 4 | ||||
-rw-r--r-- | src/libstrongswan/crypto/pkcs7.c | 1061 | ||||
-rw-r--r-- | src/libstrongswan/crypto/pkcs7.h | 178 | ||||
-rw-r--r-- | src/libstrongswan/crypto/pkcs9.c | 369 | ||||
-rw-r--r-- | src/libstrongswan/crypto/pkcs9.h | 92 | ||||
-rw-r--r-- | src/libstrongswan/crypto/proposal/proposal_keywords.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/crypto/proposal/proposal_keywords_static.c | 198 | ||||
-rw-r--r-- | src/libstrongswan/crypto/proposal/proposal_keywords_static.txt | 8 | ||||
-rw-r--r-- | src/libstrongswan/crypto/transform.h | 2 |
13 files changed, 121 insertions, 1804 deletions
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index 02fb8d50a..32a0e6759 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -15,7 +15,7 @@
 #include "aead.h"
-#include <debug.h>
+#include <utils/debug.h>
 typedef struct private_aead_t private_aead_t;
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 3736ae38f..5a363e9f0 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -15,9 +15,9 @@
 #include "crypto_factory.h"
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/crypto_tester.h>
 const char *default_plugin_name = "default";
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 611ca0bbb..5d23c8977 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -24,6 +24,7 @@
 typedef struct crypto_factory_t crypto_factory_t;
 #include <library.h>
+#include <collections/enumerator.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/aead.h>
 #include <crypto/signers/signer.h>
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 01e84a133..08b226468 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -20,8 +20,8 @@
 #include "crypto_tester.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 typedef struct private_crypto_tester_t private_crypto_tester_t;
diff --git a/src/libstrongswan/crypto/nonce_gen.h b/src/libstrongswan/crypto/nonce_gen.h
index 50f3c0090..7dae4f776 100644
--- a/src/libstrongswan/crypto/nonce_gen.h
+++ b/src/libstrongswan/crypto/nonce_gen.h
@@ -35,7 +35,7 @@ struct nonce_gen_t { * * @param size size of nonce in bytes * @param buffer pointer where the generated nonce will be written - * @return TRUE if nonce allocation was succesful, FALSE otherwise + * @return TRUE if nonce allocation was successful, FALSE otherwise */ bool (*get_nonce)(nonce_gen_t *this, size_t size, u_int8_t *buffer) __attribute__((warn_unused_result)); @@ -45,7 +45,7 @@ struct nonce_gen_t { * * @param size size of nonce in bytes * @param chunk chunk which will hold the generated nonce - * @return TRUE if nonce allocation was succesful, FALSE otherwise + * @return TRUE if nonce allocation was successful, FALSE otherwise */ bool (*allocate_nonce)(nonce_gen_t *this, size_t size, chunk_t *chunk) __attribute__((warn_unused_result)); diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c deleted file mode 100644 index 0ec19f2cd..000000000 --- a/src/libstrongswan/crypto/pkcs7.c +++ /dev/null 
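Review bot: The `@return` line on `get_nonce` still speaks of "nonce allocation" after the spelling fix, although the `@param buffer` text two lines above it says the nonce is written to a caller-supplied buffer; only `allocate_nonce` in the second hunk hands back a chunk. I would reword the first one to `@return TRUE if the nonce was written to buffer, FALSE otherwise` and extend `@param buffer` to say it must provide room for at least `size` bytes. Both methods are marked `warn_unused_result`, so the comments could also state that the buffer or chunk must not be used as a nonce when FALSE is returned; its contents in that case are presumably unspecified, which should be confirmed against the implementations. The `struct nonce_gen_t` definition starts before and continues after these hunks.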
@@ -1,1061 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2002-2008 Andreas Steffen - * Copyright (C) 2005 Jan Hutter, Martin Willi - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <string.h> -#include <time.h> - -#include <library.h> -#include <debug.h> - -#include <asn1/oid.h> -#include <asn1/asn1.h> -#include <asn1/asn1_parser.h> -#include <credentials/certificates/x509.h> -#include <credentials/keys/public_key.h> -#include <crypto/pkcs9.h> -#include <crypto/hashers/hasher.h> -#include <crypto/crypters/crypter.h> -#include <utils/linked_list.h> - -#include "pkcs7.h" - -typedef struct private_pkcs7_t private_pkcs7_t; - -/** - * Private data of a pkcs7_t object. - */ -struct private_pkcs7_t { - /** - * Public interface for this certificate. 
- */ - pkcs7_t public; - - /** - * contentInfo type - */ - int type; - - /** - * ASN.1 encoded content - */ - chunk_t content; - - /** - * ASN.1 parsing start level - */ - u_int level; - - /** - * retrieved data - */ - chunk_t data; - - /** - * ASN.1 encoded attributes - */ - pkcs9_t *attributes; - - /** - * Linked list of X.509 certificates - */ - linked_list_t *certs; -}; - -METHOD(pkcs7_t, is_data, bool, - private_pkcs7_t *this) -{ - return this->type == OID_PKCS7_DATA; -} - -METHOD(pkcs7_t, is_signedData, bool, - private_pkcs7_t *this) -{ - return this->type == OID_PKCS7_SIGNED_DATA; -} - -METHOD(pkcs7_t, is_envelopedData, bool, - private_pkcs7_t *this) -{ - return this->type == OID_PKCS7_ENVELOPED_DATA; -} - -/** - * ASN.1 definition of the PKCS#7 ContentInfo type - */ -static const asn1Object_t contentInfoObjects[] = { - { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */ - { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT | - ASN1_BODY }, /* 2 */ - { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define PKCS7_INFO_TYPE 1 -#define PKCS7_INFO_CONTENT 2 - -/** - * Parse PKCS#7 contentInfo object - */ -static bool parse_contentInfo(private_pkcs7_t *this) -{ - asn1_parser_t *parser; - chunk_t object; - int objectID; - bool success = FALSE; - - if (!this->data.ptr) - { - return FALSE; - } - - parser = asn1_parser_create(contentInfoObjects, this->data); - parser->set_top_level(parser, this->level); - - while (parser->iterate(parser, &objectID, &object)) - { - if (objectID == PKCS7_INFO_TYPE) - { - this->type = asn1_known_oid(object); - if (this->type < OID_PKCS7_DATA || - this->type > OID_PKCS7_ENCRYPTED_DATA) - { - DBG1(DBG_LIB, "unknown pkcs7 content type"); - goto end; - } - } - else if (objectID == PKCS7_INFO_CONTENT && object.len > 0) - { - chunk_free(&this->content); - this->content = chunk_clone(object); - } - } - success = parser->success(parser); - - if (success) - { 
- this->level += 2; - chunk_free(&this->data); - } - -end: - parser->destroy(parser); - return success; -} - -/** - * Check whether to abort the requested parsing - */ -static bool abort_parsing(private_pkcs7_t *this, int type) -{ - if (this->type != type) - { - DBG1(DBG_LIB, "pkcs7 content to be parsed is not of type '%s'", - oid_names[type].name); - return TRUE; - } - return FALSE; -} - -METHOD(pkcs7_t, parse_data, bool, - private_pkcs7_t *this) -{ - chunk_t data; - - if (!parse_contentInfo(this) || - abort_parsing(this, OID_PKCS7_DATA)) - { - return FALSE; - } - data = this->content; - if (data.len == 0) - { - this->data = chunk_empty; - return TRUE; - } - if (asn1_parse_simple_object(&data, ASN1_OCTET_STRING, - this->level, "data")) - { - this->data = chunk_clone(data); - return TRUE; - } - return FALSE; -} - -/** - * ASN.1 definition of the PKCS#7 signedData type - */ -static const asn1Object_t signedDataObjects[] = { - { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */ - { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */ - { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */ - { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */ - { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */ - { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT | - ASN1_LOOP }, /* 6 */ - { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */ - { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */ - { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT | - ASN1_LOOP }, /* 9 */ - { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */ - { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */ - { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */ - { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */ - { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */ - { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */ - { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */ - { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */ - { 3, "digestAlgorithm", ASN1_EOC, 
ASN1_RAW }, /* 18 */ - { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT | - ASN1_OBJ }, /* 19 */ - { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ - { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */ - { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */ - { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */ - { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */ - { 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define PKCS7_SIGNED_VERSION 1 -#define PKCS7_DIGEST_ALG 3 -#define PKCS7_SIGNED_CONTENT_INFO 5 -#define PKCS7_SIGNED_CERT 7 -#define PKCS7_SIGNER_INFO 13 -#define PKCS7_SIGNER_INFO_VERSION 14 -#define PKCS7_SIGNED_ISSUER 16 -#define PKCS7_SIGNED_SERIAL_NUMBER 17 -#define PKCS7_DIGEST_ALGORITHM 18 -#define PKCS7_AUTH_ATTRIBUTES 19 -#define PKCS7_DIGEST_ENC_ALGORITHM 21 -#define PKCS7_ENCRYPTED_DIGEST 22 - -METHOD(pkcs7_t, parse_signedData, bool, - private_pkcs7_t *this, certificate_t *cacert) -{ - asn1_parser_t *parser; - chunk_t object; - int objectID, version; - int digest_alg = OID_UNKNOWN; - int enc_alg = OID_UNKNOWN; - int signerInfos = 0; - bool success = FALSE; - - chunk_t encrypted_digest = chunk_empty; - - if (!parse_contentInfo(this) || - abort_parsing(this, OID_PKCS7_SIGNED_DATA)) - { - return FALSE; - } - - parser = asn1_parser_create(signedDataObjects, this->content); - parser->set_top_level(parser, this->level); - - while (parser->iterate(parser, &objectID, &object)) - { - u_int level = parser->get_level(parser); - - switch (objectID) - { - case PKCS7_SIGNED_VERSION: - version = object.len ? 
(int)*object.ptr : 0; - DBG2(DBG_LIB, " v%d", version); - break; - case PKCS7_DIGEST_ALG: - digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL); - break; - case PKCS7_SIGNED_CONTENT_INFO: - { - pkcs7_t *data = pkcs7_create_from_chunk(object, level+1); - - if (!data || !data->parse_data(data)) - { - DESTROY_IF(data); - goto end; - } - this->data = chunk_clone(data->get_data(data)); - data->destroy(data); - break; - } - case PKCS7_SIGNED_CERT: - { - certificate_t *cert; - - DBG2(DBG_LIB, " parsing pkcs7-wrapped certificate"); - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, object, - BUILD_END); - if (cert) - { - this->certs->insert_last(this->certs, cert); - } - break; - } - case PKCS7_SIGNER_INFO: - signerInfos++; - DBG2(DBG_LIB, " signer #%d", signerInfos); - break; - case PKCS7_SIGNER_INFO_VERSION: - version = object.len ? (int)*object.ptr : 0; - DBG2(DBG_LIB, " v%d", version); - break; - case PKCS7_SIGNED_ISSUER: - { - identification_t *issuer; - - issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(DBG_LIB, " '%Y'", issuer); - issuer->destroy(issuer); - break; - } - case PKCS7_AUTH_ATTRIBUTES: - *object.ptr = ASN1_SET; - this->attributes = pkcs9_create_from_chunk(object, level+1); - *object.ptr = ASN1_CONTEXT_C_0; - break; - case PKCS7_DIGEST_ALGORITHM: - digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL); - break; - case PKCS7_DIGEST_ENC_ALGORITHM: - enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL); - break; - case PKCS7_ENCRYPTED_DIGEST: - encrypted_digest = object; - } - } - success = parser->success(parser); - -end: - parser->destroy(parser); - if (!success) - { - return FALSE; - } - - /* check the signature only if a cacert is available */ - if (cacert != NULL) - { - signature_scheme_t scheme; - public_key_t *key; - - scheme = signature_scheme_from_oid(digest_alg); - if (scheme == SIGN_UNKNOWN) - { - DBG1(DBG_LIB, "unsupported signature scheme"); - 
return FALSE; - } - if (signerInfos == 0) - { - DBG1(DBG_LIB, "no signerInfo object found"); - return FALSE; - } - else if (signerInfos > 1) - { - DBG1(DBG_LIB, "more than one signerInfo object found"); - return FALSE; - } - if (this->attributes == NULL) - { - DBG1(DBG_LIB, "no authenticatedAttributes object found"); - return FALSE; - } - if (enc_alg != OID_RSA_ENCRYPTION) - { - DBG1(DBG_LIB, "only RSA digest encryption supported"); - return FALSE; - } - - /* verify the signature */ - key = cacert->get_public_key(cacert); - if (key == NULL) - { - DBG1(DBG_LIB, "no public key found in CA certificate"); - return FALSE; - } - if (key->verify(key, scheme, - this->attributes->get_encoding(this->attributes), encrypted_digest)) - { - DBG2(DBG_LIB, "signature is valid"); - } - else - { - DBG1(DBG_LIB, "invalid signature"); - key->destroy(key); - return FALSE; - } - key->destroy(key); - - if (this->data.ptr != NULL) - { - chunk_t messageDigest; - - messageDigest = this->attributes->get_attribute(this->attributes, - OID_PKCS9_MESSAGE_DIGEST); - if (messageDigest.ptr == NULL) - { - DBG1(DBG_LIB, "messageDigest attribute not found"); - return FALSE; - } - else - { - hash_algorithm_t algorithm; - hasher_t *hasher; - chunk_t hash; - bool valid; - - algorithm = hasher_algorithm_from_oid(digest_alg); - hasher = lib->crypto->create_hasher(lib->crypto, algorithm); - if (!hasher || !hasher->allocate_hash(hasher, this->data, &hash)) - { - DESTROY_IF(hasher); - DBG1(DBG_LIB, "hash algorithm %N not supported", - hash_algorithm_names, algorithm); - return FALSE; - } - hasher->destroy(hasher); - DBG3(DBG_LIB, "hash: %B", &hash); - - valid = chunk_equals(messageDigest, hash); - free(hash.ptr); - if (valid) - { - DBG2(DBG_LIB, "messageDigest is valid"); - } - else - { - DBG1(DBG_LIB, "invalid messageDigest"); - return FALSE; - } - } - } - } - return TRUE; -} - -/** - * ASN.1 definition of the PKCS#7 envelopedData type - */ -static const asn1Object_t envelopedDataObjects[] = { - { 0, 
"envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */ - { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */ - { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */ - { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */ - { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */ - { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */ - { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */ - { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */ - { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */ - { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ - { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */ - { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */ - { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */ - { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY }, /* 14 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define PKCS7_ENVELOPED_VERSION 1 -#define PKCS7_RECIPIENT_INFO_VERSION 4 -#define PKCS7_ISSUER 6 -#define PKCS7_SERIAL_NUMBER 7 -#define PKCS7_ENCRYPTION_ALG 8 -#define PKCS7_ENCRYPTED_KEY 9 -#define PKCS7_CONTENT_TYPE 12 -#define PKCS7_CONTENT_ENC_ALGORITHM 13 -#define PKCS7_ENCRYPTED_CONTENT 14 - -METHOD(pkcs7_t, parse_envelopedData, bool, - private_pkcs7_t *this, chunk_t serialNumber, private_key_t *key) -{ - asn1_parser_t *parser; - chunk_t object; - int objectID, version; - bool success = FALSE; - - chunk_t iv = chunk_empty; - chunk_t symmetric_key = chunk_empty; - chunk_t encrypted_content = chunk_empty; - - crypter_t *crypter = NULL; - - if (!parse_contentInfo(this) || - abort_parsing(this, OID_PKCS7_ENVELOPED_DATA)) - { - return FALSE; - } - - parser = asn1_parser_create(envelopedDataObjects, this->content); - parser->set_top_level(parser, this->level); - - while (parser->iterate(parser, &objectID, &object)) - { - u_int level = parser->get_level(parser); - - switch (objectID) - { - case PKCS7_ENVELOPED_VERSION: - { - version = object.len ? 
(int)*object.ptr : 0; - DBG2(DBG_LIB, " v%d", version); - if (version != 0) - { - DBG1(DBG_LIB, "envelopedData version is not 0"); - goto end; - } - break; - } - case PKCS7_RECIPIENT_INFO_VERSION: - { - version = object.len ? (int)*object.ptr : 0; - DBG2(DBG_LIB, " v%d", version); - if (version != 0) - { - DBG1(DBG_LIB, "recipient info version is not 0"); - goto end; - } - break; - } - case PKCS7_ISSUER: - { - identification_t *issuer; - - issuer = identification_create_from_encoding(ID_DER_ASN1_DN, - object); - DBG2(DBG_LIB, " '%Y'", issuer); - issuer->destroy(issuer); - break; - } - case PKCS7_SERIAL_NUMBER: - { - if (!chunk_equals(serialNumber, object)) - { - DBG1(DBG_LIB, "serial numbers do not match"); - goto end; - } - break; - } - case PKCS7_ENCRYPTION_ALG: - { - int alg; - - alg = asn1_parse_algorithmIdentifier(object, level, NULL); - if (alg != OID_RSA_ENCRYPTION) - { - DBG1(DBG_LIB, "only rsa encryption supported"); - goto end; - } - break; - } - case PKCS7_ENCRYPTED_KEY: - { - if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key)) - { - DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa"); - goto end; - } - DBG4(DBG_LIB, "symmetric key %B", &symmetric_key); - break; - } - case PKCS7_CONTENT_TYPE: - { - if (asn1_known_oid(object) != OID_PKCS7_DATA) - { - DBG1(DBG_LIB, "encrypted content not of type pkcs7 data"); - goto end; - } - break; - } - case PKCS7_CONTENT_ENC_ALGORITHM: - { - encryption_algorithm_t enc_alg; - size_t key_size; - int alg; - - alg = asn1_parse_algorithmIdentifier(object, level, &iv); - enc_alg = encryption_algorithm_from_oid(alg, &key_size); - if (enc_alg == ENCR_UNDEFINED) - { - DBG1(DBG_LIB, "unsupported content encryption algorithm"); - goto end; - } - crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, - key_size); - if (crypter == NULL) - { - DBG1(DBG_LIB, "crypter %N not available", - encryption_algorithm_names, enc_alg); - goto end; - } - if (symmetric_key.len != crypter->get_key_size(crypter)) - { 
- DBG1(DBG_LIB, "symmetric key length %d is wrong", - symmetric_key.len); - goto end; - } - if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, - level + 1, "IV")) - { - DBG1(DBG_LIB, "IV could not be parsed"); - goto end; - } - if (iv.len != crypter->get_iv_size(crypter)) - { - DBG1(DBG_LIB, "IV length %d is wrong", iv.len); - goto end; - } - break; - } - case PKCS7_ENCRYPTED_CONTENT: - { - encrypted_content = object; - break; - } - } - } - success = parser->success(parser); - -end: - parser->destroy(parser); - if (!success) - { - goto failed; - } - success = FALSE; - - /* decrypt the content */ - if (!crypter->set_key(crypter, symmetric_key) || - !crypter->decrypt(crypter, encrypted_content, iv, &this->data)) - { - success = FALSE; - goto failed; - } - DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data); - - /* remove the padding */ - { - u_char *pos = this->data.ptr + this->data.len - 1; - u_char pattern = *pos; - size_t padding = pattern; - - if (padding > this->data.len) - { - DBG1(DBG_LIB, "padding greater than data length"); - goto failed; - } - this->data.len -= padding; - - while (padding-- > 0) - { - if (*pos-- != pattern) - { - DBG1(DBG_LIB, "wrong padding pattern"); - goto failed; - } - } - } - success = TRUE; - -failed: - DESTROY_IF(crypter); - chunk_clear(&symmetric_key); - if (!success) - { - chunk_free(&this->data); - } - return success; -} - -METHOD(pkcs7_t, get_data, chunk_t, - private_pkcs7_t *this) -{ - return this->data; -} - -METHOD(pkcs7_t, get_contentInfo, chunk_t, - private_pkcs7_t *this) -{ - chunk_t content_type; - - /* create DER-encoded OID for pkcs7_contentInfo type */ - switch(this->type) - { - case OID_PKCS7_DATA: - case OID_PKCS7_SIGNED_DATA: - case OID_PKCS7_ENVELOPED_DATA: - case OID_PKCS7_SIGNED_ENVELOPED_DATA: - case OID_PKCS7_DIGESTED_DATA: - case OID_PKCS7_ENCRYPTED_DATA: - content_type = asn1_build_known_oid(this->type); - break; - case OID_UNKNOWN: - default: - DBG1(DBG_LIB, "invalid pkcs7 contentInfo type"); 
- return chunk_empty; - } - - return this->content.ptr == NULL - ? asn1_wrap(ASN1_SEQUENCE, "m", content_type) - : asn1_wrap(ASN1_SEQUENCE, "mm", content_type, - asn1_simple_object(ASN1_CONTEXT_C_0, this->content)); -} - -METHOD(pkcs7_t, create_certificate_enumerator, enumerator_t*, - private_pkcs7_t *this) -{ - return this->certs->create_enumerator(this->certs); -} - -METHOD(pkcs7_t, set_certificate, void, - private_pkcs7_t *this, certificate_t *cert) -{ - if (cert) - { - this->certs->insert_last(this->certs, cert); - } -} - -METHOD(pkcs7_t, set_attributes, void, - private_pkcs7_t *this, pkcs9_t *attributes) -{ - this->attributes = attributes; -} - -METHOD(pkcs7_t, get_attributes, pkcs9_t*, - private_pkcs7_t *this) -{ - return this->attributes; -} - -/** - * build a DER-encoded issuerAndSerialNumber object - */ -chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert) -{ - identification_t *issuer = cert->get_issuer(cert); - chunk_t serial = chunk_empty; - - if (cert->get_type(cert) == CERT_X509) - { - x509_t *x509 = (x509_t*)cert; - serial = x509->get_serial(x509); - } - - return asn1_wrap(ASN1_SEQUENCE, "cm", - issuer->get_encoding(issuer), - asn1_integer("c", serial)); -} - -METHOD(pkcs7_t, build_envelopedData, bool, - private_pkcs7_t *this, certificate_t *cert, encryption_algorithm_t alg, - size_t key_size) -{ - chunk_t iv, symmetricKey, protectedKey, in, out; - crypter_t *crypter; - int alg_oid; - - /* select OID of symmetric encryption algorithm */ - alg_oid = encryption_algorithm_to_oid(alg, key_size); - if (alg_oid == OID_UNKNOWN) - { - DBG1(DBG_LIB, " encryption algorithm %N not supported", - encryption_algorithm_names, alg); - return FALSE; - } - crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); - if (crypter == NULL) - { - DBG1(DBG_LIB, " could not create crypter for algorithm %N", - encryption_algorithm_names, alg); - return FALSE; - } - - /* generate a true random symmetric encryption key - * and a pseudo-random iv - */ - { 
- rng_t *rng; - - rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE); - if (!rng || !rng->allocate_bytes(rng, crypter->get_key_size(crypter), - &symmetricKey)) - { - DBG1(DBG_LIB, " failed to allocate symmetric encryption key"); - DESTROY_IF(rng); - return FALSE; - } - DBG4(DBG_LIB, " symmetric encryption key: %B", &symmetricKey); - rng->destroy(rng); - - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng || !rng->allocate_bytes(rng, crypter->get_iv_size(crypter), - &iv)) - { - DBG1(DBG_LIB, " failed to allocate initialization vector"); - DESTROY_IF(rng); - return FALSE; - } - DBG4(DBG_LIB, " initialization vector: %B", &iv); - rng->destroy(rng); - } - - /* pad the data so that the total length becomes - * a multiple of the block size - */ - { - size_t block_size = crypter->get_block_size(crypter); - size_t padding = block_size - this->data.len % block_size; - - in.len = this->data.len + padding; - in.ptr = malloc(in.len); - - DBG2(DBG_LIB, " padding %d bytes of data to multiple block size of %d bytes", - (int)this->data.len, (int)in.len); - - /* copy data */ - memcpy(in.ptr, this->data.ptr, this->data.len); - /* append padding */ - memset(in.ptr + this->data.len, padding, padding); - } - DBG3(DBG_LIB, " padded unencrypted data: %B", &in); - - /* symmetric encryption of data object */ - if (!crypter->set_key(crypter, symmetricKey) || - !crypter->encrypt(crypter, in, iv, &out)) - { - crypter->destroy(crypter); - chunk_clear(&in); - chunk_clear(&symmetricKey); - chunk_free(&iv); - return FALSE; - } - crypter->destroy(crypter); - chunk_clear(&in); - DBG3(DBG_LIB, " encrypted data: %B", &out); - - /* protect symmetric key by public key encryption */ - { - public_key_t *key = cert->get_public_key(cert); - - if (key == NULL) - { - DBG1(DBG_LIB, " public key not found in encryption certificate"); - chunk_clear(&symmetricKey); - chunk_free(&iv); - chunk_free(&out); - return FALSE; - } - key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey); - 
key->destroy(key); - chunk_clear(&symmetricKey); - } - - /* build pkcs7 enveloped data object */ - { - chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(alg_oid), - asn1_wrap(ASN1_OCTET_STRING, "m", iv)); - - chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm", - asn1_build_known_oid(OID_PKCS7_DATA), - contentEncryptionAlgorithm, - asn1_wrap(ASN1_CONTEXT_S_0, "m", out)); - - chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey); - - chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm", - ASN1_INTEGER_0, - pkcs7_build_issuerAndSerialNumber(cert), - asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), - encryptedKey); - - this->content = asn1_wrap(ASN1_SEQUENCE, "cmm", - ASN1_INTEGER_0, - asn1_wrap(ASN1_SET, "m", recipientInfo), - encryptedContentInfo); - chunk_free(&this->data); - this->type = OID_PKCS7_ENVELOPED_DATA; - this->data = get_contentInfo(this); - } - return TRUE; -} - -METHOD(pkcs7_t, build_signedData, bool, - private_pkcs7_t *this, private_key_t *private_key, hash_algorithm_t alg) -{ - chunk_t authenticatedAttributes = chunk_empty; - chunk_t encryptedDigest = chunk_empty; - chunk_t signerInfo, encoding = chunk_empty; - signature_scheme_t scheme; - int digest_oid; - certificate_t *cert; - - if (this->certs->get_first(this->certs, (void**)&cert) != SUCCESS) - { - DBG1(DBG_LIB, " no pkcs7 signer certificate found"); - return FALSE; - } - digest_oid = hasher_algorithm_to_oid(alg); - scheme = signature_scheme_from_oid(digest_oid); - - if (this->attributes != NULL) - { - if (this->data.ptr != NULL) - { - chunk_t messageDigest, signingTime, attributes; - hasher_t *hasher; - time_t now; - - hasher = lib->crypto->create_hasher(lib->crypto, alg); - if (!hasher || - !hasher->allocate_hash(hasher, this->data, &messageDigest)) - { - DESTROY_IF(hasher); - DBG1(DBG_LIB, " hash algorithm %N not support", - hash_algorithm_names, alg); - return FALSE; - } - hasher->destroy(hasher); - 
this->attributes->set_attribute(this->attributes, - OID_PKCS9_MESSAGE_DIGEST, - messageDigest); - free(messageDigest.ptr); - - /* take the current time as signingTime */ - now = time(NULL); - signingTime = asn1_from_time(&now, ASN1_UTCTIME); - this->attributes->set_attribute_raw(this->attributes, - OID_PKCS9_SIGNING_TIME, signingTime); - this->attributes->set_attribute_raw(this->attributes, - OID_PKCS9_CONTENT_TYPE, - asn1_build_known_oid(OID_PKCS7_DATA)); - - attributes = this->attributes->get_encoding(this->attributes); - - private_key->sign(private_key, scheme, attributes, &encryptedDigest); - authenticatedAttributes = chunk_clone(attributes); - *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0; - } - } - else if (this->data.ptr != NULL) - { - private_key->sign(private_key, scheme, this->data, &encryptedDigest); - } - if (encryptedDigest.ptr) - { - encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest); - } - signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm", - ASN1_INTEGER_1, - pkcs7_build_issuerAndSerialNumber(cert), - asn1_algorithmIdentifier(digest_oid), - authenticatedAttributes, - asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), - encryptedDigest); - - if (this->data.ptr != NULL) - { - chunk_free(&this->content); - this->content = asn1_simple_object(ASN1_OCTET_STRING, this->data); - chunk_free(&this->data); - } - this->type = OID_PKCS7_DATA; - this->data = get_contentInfo(this); - chunk_free(&this->content); - - cert->get_encoding(cert, CERT_ASN1_DER, &encoding); - - this->content = asn1_wrap(ASN1_SEQUENCE, "cmcmm", - ASN1_INTEGER_1, - asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)), - this->data, - asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding), - asn1_wrap(ASN1_SET, "m", signerInfo)); - chunk_free(&this->data); - this->type = OID_PKCS7_SIGNED_DATA; - this->data = get_contentInfo(this); - - return TRUE; -} - -METHOD(pkcs7_t, destroy, void, - private_pkcs7_t *this) -{ - DESTROY_IF(this->attributes); - 
this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); - free(this->content.ptr); - free(this->data.ptr); - free(this); -} - -/** - * Generic private constructor - */ -static private_pkcs7_t *pkcs7_create_empty(void) -{ - private_pkcs7_t *this; - - INIT(this, - .public = { - .is_data = _is_data, - .is_signedData = _is_signedData, - .is_envelopedData = _is_envelopedData, - .parse_data = _parse_data, - .parse_signedData = _parse_signedData, - .parse_envelopedData = _parse_envelopedData, - .get_data = _get_data, - .get_contentInfo = _get_contentInfo, - .create_certificate_enumerator = _create_certificate_enumerator, - .set_certificate = _set_certificate, - .set_attributes = _set_attributes, - .get_attributes = _get_attributes, - .build_envelopedData = _build_envelopedData, - .build_signedData = _build_signedData, - .destroy = _destroy, - }, - .type = OID_UNKNOWN, - .certs = linked_list_create(), - ); - - return this; -} - -/* - * Described in header. - */ -pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) -{ - private_pkcs7_t *this = pkcs7_create_empty(); - - this->level = level; - this->data = chunk_clone(chunk); - - return &this->public; -} - -/* - * Described in header. - */ -pkcs7_t *pkcs7_create_from_data(chunk_t data) -{ - private_pkcs7_t *this = pkcs7_create_empty(); - - this->data = chunk_clone(data); - - return &this->public; -} - diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h deleted file mode 100644 index 7c9a6b037..000000000 --- a/src/libstrongswan/crypto/pkcs7.h +++ /dev/null 
@@ -1,178 +0,0 @@ -/* - * Copyright (C) 2005 Jan Hutter, Martin Willi - * Copyright (C) 2002-2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup pkcs7 pkcs7 - * @{ @ingroup crypto - */ - -#ifndef PKCS7_H_ -#define PKCS7_H_ - -typedef struct pkcs7_t pkcs7_t; - -#include <library.h> -#include <credentials/keys/private_key.h> -#include <crypto/pkcs9.h> -#include <crypto/crypters/crypter.h> -#include <utils/enumerator.h> - -/** - * PKCS#7 contentInfo object. - */ -struct pkcs7_t { - - /** - * Check if the PKCS#7 contentType is data - * - * @return TRUE if the contentType is data - */ - bool (*is_data) (pkcs7_t *this); - - /** - * Check if the PKCS#7 contentType is signedData - * - * @return TRUE if the contentType is signedData - */ - bool (*is_signedData) (pkcs7_t *this); - - /** - * Check if the PKCS#7 contentType is envelopedData - * - * @return TRUE if the contentType is envelopedData - */ - bool (*is_envelopedData) (pkcs7_t *this); - - /** - * Parse a PKCS#7 data content. - * - * @return TRUE if parsing was successful - */ - bool (*parse_data) (pkcs7_t *this); - - /** - * Parse a PKCS#7 signedData content. The contained PKCS#7 data is parsed - * and verified. 
- * - * @param cacert cacert used to verify the signature - * @return TRUE if parsing was successful - */ - bool (*parse_signedData) (pkcs7_t *this, certificate_t *cacert); - - /** - * Parse a PKCS#7 envelopedData content. - * - * @param serialNumber serialNumber of the request - * @param key private key used to decrypt the symmetric key - * @return TRUE if parsing was successful - */ - bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber, - private_key_t *key); - - /** - * Returns the parsed data object - * - * @return chunk containing the data object - */ - chunk_t (*get_data) (pkcs7_t *this); - - /** - * Returns the a DER-encoded contentInfo object - * - * @return chunk containing the contentInfo object - */ - chunk_t (*get_contentInfo) (pkcs7_t *this); - - /** - * Create an enumerator for the certificates. - * - * @return enumerator for the certificates - */ - enumerator_t *(*create_certificate_enumerator) (pkcs7_t *this); - - /** - * Add a certificate. - * - * @param cert certificate to be included (gets adopted) - */ - void (*set_certificate) (pkcs7_t *this, certificate_t *cert); - - /** - * Add authenticated attributes. - * - * @param attributes attributes to be included (gets adopted) - */ - void (*set_attributes) (pkcs7_t *this, pkcs9_t *attributes); - - /** - * Get attributes. 
- * - * @return attributes (internal data) - */ - pkcs9_t *(*get_attributes) (pkcs7_t *this); - - /** - * Build a data object - * - * @return TRUE if build was successful - */ - bool (*build_data) (pkcs7_t *this); - - /** - * Build an envelopedData object - * - * @param cert receivers's certificate - * @param alg encryption algorithm - * @param key_size key size to use - * @return TRUE if build was successful - */ - bool (*build_envelopedData) (pkcs7_t *this, certificate_t *cert, - encryption_algorithm_t alg, size_t key_size); - - /** - * Build an signedData object - * - * @param key signer's private key - * @param alg digest algorithm used for signature - * @return TRUE if build was successful - */ - bool (*build_signedData) (pkcs7_t *this, private_key_t *key, - hash_algorithm_t alg); - - /** - * Destroys the contentInfo object. - */ - void (*destroy) (pkcs7_t *this); -}; - -/** - * Read a PKCS#7 contentInfo object from a DER encoded chunk. - * - * @param chunk chunk containing DER encoded data - * @param level ASN.1 parsing start level - * @return created pkcs7_contentInfo object, or NULL if invalid. - */ -pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level); - -/** - * Create a PKCS#7 contentInfo object - * - * @param data chunk containing data - * @return created pkcs7_contentInfo object. - */ -pkcs7_t *pkcs7_create_from_data(chunk_t data); - -#endif /** PKCS7_H_ @}*/ diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c deleted file mode 100644 index d24ab1b80..000000000 --- a/src/libstrongswan/crypto/pkcs9.c +++ /dev/null 
@@ -1,369 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <library.h> -#include <debug.h> - -#include <asn1/oid.h> -#include <asn1/asn1.h> -#include <asn1/asn1_parser.h> -#include <utils/linked_list.h> - -#include "pkcs9.h" - -typedef struct private_pkcs9_t private_pkcs9_t; - -/** - * Private data of a pkcs9_t attribute list. - */ -struct private_pkcs9_t { - /** - * Public interface - */ - pkcs9_t public; - - /** - * DER encoding of PKCS#9 attributes - */ - chunk_t encoding; - - /** - * Linked list of PKCS#9 attributes - */ - linked_list_t *attributes; -}; - -typedef struct attribute_t attribute_t; - -/** - * Definition of an attribute_t object. - */ -struct attribute_t { - /** - * Object Identifier (OID) - */ - int oid; - - /** - * Attribute value - */ - chunk_t value; - - /** - * ASN.1 encoding - */ - chunk_t encoding; - - /** - * Destroys the attribute. 
- */ - void (*destroy) (attribute_t *this); - -}; - -/** - * return the ASN.1 encoding of a PKCS#9 attribute - */ -static asn1_t asn1_attributeType(int oid) -{ - asn1_t type; - - switch (oid) - { - case OID_PKCS9_CONTENT_TYPE: - type = ASN1_OID; - break; - case OID_PKCS9_SIGNING_TIME: - type = ASN1_UTCTIME; - break; - case OID_PKCS9_MESSAGE_DIGEST: - type = ASN1_OCTET_STRING; - break; - case OID_PKI_MESSAGE_TYPE: - type = ASN1_PRINTABLESTRING; - break; - case OID_PKI_STATUS: - type = ASN1_PRINTABLESTRING; - break; - case OID_PKI_FAIL_INFO: - type = ASN1_PRINTABLESTRING; - break; - case OID_PKI_SENDER_NONCE: - type = ASN1_OCTET_STRING; - break; - case OID_PKI_RECIPIENT_NONCE: - type = ASN1_OCTET_STRING; - break; - case OID_PKI_TRANS_ID: - type = ASN1_PRINTABLESTRING; - break; - default: - type = ASN1_EOC; - } - return type; -} - -/** - * Destroy an attribute_t object. - */ -static void attribute_destroy(attribute_t *this) -{ - free(this->value.ptr); - free(this->encoding.ptr); - free(this); -} - -/** - * Create an attribute_t object. 
- */ -static attribute_t *attribute_create(int oid, chunk_t value) -{ - attribute_t *this; - - INIT(this, - .destroy = attribute_destroy, - .oid = oid, - .value = chunk_clone(value), - .encoding = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(oid), - asn1_simple_object(ASN1_SET, value)), - ); - - return this; -} - -METHOD(pkcs9_t, build_encoding, void, - private_pkcs9_t *this) -{ - enumerator_t *enumerator; - attribute_t *attribute; - u_int attributes_len = 0; - - if (this->encoding.ptr) - { - chunk_free(&this->encoding); - } - if (this->attributes->get_count(this->attributes) == 0) - { - return; - } - - /* compute the total length of the encoded attributes */ - enumerator = this->attributes->create_enumerator(this->attributes); - - while (enumerator->enumerate(enumerator, (void**)&attribute)) - { - attributes_len += attribute->encoding.len; - } - enumerator->destroy(enumerator); - - /* allocate memory for the attributes and build the encoding */ - { - u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len); - - enumerator = this->attributes->create_enumerator(this->attributes); - - while (enumerator->enumerate(enumerator, (void**)&attribute)) - { - memcpy(pos, attribute->encoding.ptr, attribute->encoding.len); - pos += attribute->encoding.len; - } - enumerator->destroy(enumerator); - } -} - -METHOD(pkcs9_t, get_encoding, chunk_t, - private_pkcs9_t *this) -{ - if (this->encoding.ptr == NULL) - { - build_encoding(this); - } - return this->encoding; -} - -METHOD(pkcs9_t, get_attribute, chunk_t, - private_pkcs9_t *this, int oid) -{ - enumerator_t *enumerator; - chunk_t value = chunk_empty; - attribute_t *attribute; - - enumerator = this->attributes->create_enumerator(this->attributes); - while (enumerator->enumerate(enumerator, (void**)&attribute)) - { - if (attribute->oid == oid) - { - value = attribute->value; - break; - } - } - enumerator->destroy(enumerator); - if (value.ptr && - !asn1_parse_simple_object(&value, asn1_attributeType(oid), 
0, - oid_names[oid].name)) - { - return chunk_empty; - } - return value; -} - -METHOD(pkcs9_t, set_attribute_raw, void, - private_pkcs9_t *this, int oid, chunk_t value) -{ - attribute_t *attribute = attribute_create(oid, value); - - this->attributes->insert_last(this->attributes, attribute); - chunk_free(&value); -} - -METHOD(pkcs9_t, set_attribute, void, - private_pkcs9_t *this, int oid, chunk_t value) -{ - chunk_t attr = asn1_simple_object(asn1_attributeType(oid), value); - - set_attribute_raw(this, oid, attr); -} - -METHOD(pkcs9_t, destroy, void, - private_pkcs9_t *this) -{ - this->attributes->destroy_offset(this->attributes, offsetof(attribute_t, destroy)); - free(this->encoding.ptr); - free(this); -} - -/** - * Generic private constructor - */ -static private_pkcs9_t *pkcs9_create_empty(void) -{ - private_pkcs9_t *this; - - INIT(this, - .public = { - .build_encoding = _build_encoding, - .get_encoding = _get_encoding, - .get_attribute = _get_attribute, - .set_attribute = _set_attribute, - .set_attribute_raw = _set_attribute_raw, - .destroy = _destroy, - }, - .attributes = linked_list_create(), - ); - - return this; -} - -/* - * Described in header. 
- */ -pkcs9_t *pkcs9_create(void) -{ - private_pkcs9_t *this = pkcs9_create_empty(); - - return &this->public; -} - -/** - * ASN.1 definition of the X.501 atttribute type - */ -static const asn1Object_t attributesObjects[] = { - { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ - { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ - { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ - { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ - { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ - { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ - { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define ATTRIBUTE_OBJ_TYPE 2 -#define ATTRIBUTE_OBJ_VALUE 4 - -/** - * Parse a PKCS#9 attribute list - */ -static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this) -{ - asn1_parser_t *parser; - chunk_t object; - int objectID; - int oid = OID_UNKNOWN; - bool success = FALSE; - - parser = asn1_parser_create(attributesObjects, chunk); - parser->set_top_level(parser, level0); - - while (parser->iterate(parser, &objectID, &object)) - { - switch (objectID) - { - case ATTRIBUTE_OBJ_TYPE: - oid = asn1_known_oid(object); - break; - case ATTRIBUTE_OBJ_VALUE: - if (oid == OID_UNKNOWN) - { - break; - } - /* add the attribute to a linked list */ - { - attribute_t *attribute = attribute_create(oid, object); - - this->attributes->insert_last(this->attributes, - (void*)attribute); - } - /* parse known attributes */ - { - asn1_t type = asn1_attributeType(oid); - - if (type != ASN1_EOC) - { - if (!asn1_parse_simple_object(&object, type, - parser->get_level(parser)+1, - oid_names[oid].name)) - { - goto end; - } - } - } - } - } - success = parser->success(parser); - -end: - parser->destroy(parser); - return success; -} - - - /* - * Described in header. 
- */ -pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level) -{ - private_pkcs9_t *this = pkcs9_create_empty(); - - this->encoding = chunk_clone(chunk); - - if (!parse_attributes(chunk, level, this)) - { - destroy(this); - return NULL; - } - return &this->public; -} diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h deleted file mode 100644 index c442d4441..000000000 --- a/src/libstrongswan/crypto/pkcs9.h +++ /dev/null 
@@ -1,92 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup pkcs9 pkcs9 - * @{ @ingroup crypto - */ - -#ifndef PKCS9_H_ -#define PKCS9_H_ - -typedef struct pkcs9_t pkcs9_t; - -#include <library.h> - -/** - * PKCS#9 attributes. - */ -struct pkcs9_t { - - /** - * Generate ASN.1 encoding of attribute list - */ - void (*build_encoding) (pkcs9_t *this); - - /** - * Gets ASN.1 encoding of PKCS#9 attribute list - * - * @return ASN.1 encoded PKCSI#9 list - */ - chunk_t (*get_encoding) (pkcs9_t *this); - - /** - * Gets a PKCS#9 attribute - * - * @param oid OID of the attribute - * @return value of the attribute (internal data) - */ - chunk_t (*get_attribute) (pkcs9_t *this, int oid); - - /** - * Adds a PKCS#9 attribute - * - * @param oid OID of the attribute - * @param value value of the attribute (gets cloned) - */ - void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value); - - /** - * Adds a ASN.1 encoded PKCS#9 attribute - * - * @param oid OID of the attribute - * @param value ASN.1 encoded value of the attribute (gets adopted) - */ - void (*set_attribute_raw) (pkcs9_t *this, int oid, chunk_t value); - - /** - * Destroys the PKCS#9 attribute list. - */ - void (*destroy) (pkcs9_t *this); -}; - -/** - * Read a PKCS#9 attribute list from a DER encoded chunk. 
- * - * @param chunk chunk containing DER encoded data - * @param level ASN.1 parsing start level - * @return created pkcs9 attribute list, or NULL if invalid. - */ -pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level); - -/** - * Create an empty PKCS#9 attribute list - * - * @return created pkcs9 attribute list. - */ -pkcs9_t *pkcs9_create(void); - -#endif /** PKCS9_H_ @}*/ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c index 7356dc367..4db504eb0 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords.c +++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c @@ -38,7 +38,7 @@ #include "proposal_keywords.h" #include "proposal_keywords_static.h" -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <threading/rwlock.h> typedef struct private_proposal_keywords_t private_proposal_keywords_t; diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c index ce52bc2ce..d85bfebd0 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c @@ -59,11 +59,11 @@ struct proposal_token { u_int16_t keysize; }; -#define TOTAL_KEYWORDS 122 +#define TOTAL_KEYWORDS 130 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 9 -#define MAX_HASH_VALUE 213 +#define MIN_HASH_VALUE 12 +#define MAX_HASH_VALUE 216 /* maximum key range = 205, duplicates = 0 */ #ifdef __GNUC__ 
@@ -80,32 +80,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 14, 9, - 4, 34, 66, 19, 8, 4, 5, 3, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 131, 214, 3, 22, 21, - 3, 1, 101, 48, 3, 4, 214, 214, 3, 10, - 57, 4, 214, 214, 94, 6, 3, 32, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214, 214, 214, 214, - 214, 214, 214, 214, 214, 214, 214 + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 35, 10, + 5, 34, 68, 21, 9, 16, 6, 4, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 117, 217, 15, 22, 23, + 4, 29, 4, 51, 57, 4, 217, 217, 4, 16, + 58, 4, 217, 5, 81, 104, 6, 34, 217, 217, + 5, 217, 217, 217, 217, 217, 217, 
217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217, 217, 217, 217, + 217, 217, 217, 217, 217, 217, 217 }; register int hval = len; 
@@ -142,23 +142,21 @@ hash (str, len) static const struct proposal_token wordlist[] = { - {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, - {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, {"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0}, + {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0}, {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, - {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, - {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, + {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, + {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0}, {"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, - {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192}, - {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192}, {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128}, {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, - {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, - {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256}, + {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, + {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0}, {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192}, - {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, {"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, + {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0}, + {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, {"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, {"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192}, 
@@ -170,17 +168,18 @@ static const struct proposal_token wordlist[] = {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192}, {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128}, {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256}, - {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, - {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, + {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, {"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256}, + {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, + {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192}, {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256}, - {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192}, + {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256}, - {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, + {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0}, {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, + {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256}, {"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0}, - {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256}, {"aes192ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, {"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, {"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192}, 
@@ -191,18 +190,23 @@ static const struct proposal_token wordlist[] = {"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, {"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, {"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, - {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0}, {"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0}, - {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0}, {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0}, + {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0}, + {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0}, + {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0}, {"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, - {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0}, - {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, {"md5_128", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0}, + {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, + {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0}, {"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, + {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0}, {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, + {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0}, {"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, + {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0}, {"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, + {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0}, {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0}, {"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, {"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, 
@@ -216,80 +220,84 @@ static const struct proposal_token wordlist[] = {"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, - {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0}, - {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0}, + {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192}, + {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128}, + {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0}, + {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0}, + {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192}, {"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, + {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, {"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, + {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0}, {"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, - {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0}, + {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0}, {"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, - {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0}, + {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256}, {"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, - {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, - {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0}, - {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192}, - {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128}, {"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0}, + {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, + {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256}, + {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, + {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0}, + {"modpnull", 
DIFFIE_HELLMAN_GROUP, MODP_NULL, 0}, {"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192}, {"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128}, - {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0}, + {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, - {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0}, - {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256}, - {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, + {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192}, + {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128}, {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0}, - {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256}, + {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0}, {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0}, + {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256}, {"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192}, - {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, {"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, - {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192}, - {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128}, + {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, + {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256}, {"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0}, - {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, + {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, + {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, + {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, - {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0}, - {"sha1_160", 
INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0}, - {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256}, + {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256}, - {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, - {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, + {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0}, + {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0}, + {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0}, {"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, - {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, - {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0}, - {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0}, + {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, + {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, {"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0}, - {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0}, - {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0} + {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0} }; static const short lookup[] = { - -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, - 1, 2, -1, -1, -1, -1, 3, 4, -1, -1, - -1, 5, 6, -1, -1, 7, -1, 8, 9, 10, - 11, 12, -1, 13, -1, 14, 15, 16, 17, 18, - 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, - -1, -1, -1, -1, 29, 30, 31, 32, 33, 34, - 35, -1, 36, -1, 37, 38, 39, 40, 41, 42, - 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, - 53, 54, 55, 56, 57, -1, 58, -1, 59, -1, - 60, -1, 61, 62, 63, 64, 65, 66, 67, 68, - 69, 70, 71, 72, 73, 74, -1, 75, -1, 76, - -1, 77, -1, 78, 79, 80, 81, 82, -1, 83, - 84, 85, 86, 87, -1, 88, 89, -1, 90, -1, - -1, 91, 92, -1, 93, -1, -1, 94, -1, 95, - 96, 97, 98, -1, 99, -1, 100, 101, 102, 103, - 104, 105, -1, -1, -1, 106, -1, -1, 107, 108, - -1, 109, -1, -1, 110, 111, 112, -1, -1, 113, - 114, -1, -1, -1, 115, 116, -1, 117, 118, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
- -1, -1, -1, -1, -1, 119, -1, -1, -1, 120, - -1, -1, -1, 121 + -1, -1, 0, -1, -1, -1, -1, -1, -1, 1, + 2, -1, -1, -1, 3, 4, -1, 5, -1, -1, + -1, -1, 6, 7, 8, 9, 10, 11, -1, 12, + 13, -1, 14, 15, 16, 17, 18, 19, 20, 21, + 22, 23, 24, 25, 26, -1, -1, -1, 27, -1, + 28, 29, 30, 31, 32, 33, 34, -1, 35, 36, + 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, + 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, + 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, + 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, + 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, + 87, 88, 89, 90, 91, 92, 93, -1, 94, 95, + 96, -1, 97, 98, 99, -1, 100, 101, 102, 103, + 104, -1, -1, -1, -1, 105, 106, 107, -1, 108, + 109, 110, -1, 111, 112, -1, 113, 114, -1, 115, + -1, 116, 117, -1, -1, 118, 119, -1, 120, -1, + -1, -1, 121, 122, -1, 123, 124, -1, -1, -1, + -1, -1, 125, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, 126, -1, -1, -1, + -1, -1, -1, -1, -1, 127, -1, -1, -1, -1, + -1, 128, -1, -1, -1, -1, 129 }; #ifdef __GNUC__ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt index 7f8c95757..445438f03 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt 
@@ -132,6 +132,14 @@ md5_128, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0
 aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0
 camelliaxcbc, INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0
 aescmac, INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0
+prfsha1, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0
+prfsha256, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0
+prfsha384, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0
+prfsha512, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0
+prfmd5, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0
+prfaesxcbc, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0
+prfcamelliaxcbc, PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0
+prfaescmac, PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0
 modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0
 modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0
 modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 311df068f..4a98f81e9 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -23,7 +23,7 @@ typedef enum transform_type_t transform_type_t;
-#include <enum.h>
+#include <utils/enum.h>
 /**
 * Type of a transform, as in IKEv2 RFC 3.3.2. |
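Review bot: The eight `prf*` keywords added in the `proposal_keywords_static.txt` hunk list `prfmd5` (PRF_HMAC_MD5) and `prfsha1` on the same footing as `prfsha256`/`prfsha384`/`prfsha512`, with nothing in the table marking them as legacy choices. Once the PRF can be named explicitly, a proposal string can pair a strong integrity algorithm with a weak PRF. The code that consumes these tokens is not part of this diff, so whether it warns about or rejects such a pairing has to be confirmed there. The `prf` prefix also appears to be what keeps these entries from colliding with the integrity keywords for the same algorithms (`sha1`, `aesxcbc`, `aescmac`), and that convention is not written down. If the keyword file accepts comment lines (gperf input treats a leading `#` as one), I would add above the block `# PRF keywords use a "prf" prefix to stay distinct from the integrity keywords; prfmd5 and prfsha1 are legacy, avoid in new configurations`.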