Diffstat (limited to 'src/libstrongswan/plugins/openssl')
8 files changed, 252 insertions, 157 deletions
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index d1c8fce81..8994ff1b4 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -198,6 +198,9 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,6 +209,7 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+clearsilver_LIBS = @clearsilver_LIBS@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -222,11 +226,13 @@ host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
 htmldir = @htmldir@
+imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -270,6 +276,7 @@ sharedstatedir = @sharedstatedir@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
+starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 58401faa5..9a9efb2b6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -185,7 +185,7 @@ METHOD(crl_t, create_enumerator, enumerator_t*,
 free(enumerator);
 return enumerator_create_empty();
 }
- enumerator->num = sk_X509_EXTENSION_num(enumerator->stack);
+ enumerator->num = sk_X509_REVOKED_num(enumerator->stack);
 return &enumerator->public;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 78ed2811a..9e4067589 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -219,7 +219,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 return;
 }
 
- chunk_free(&this->shared_secret);
+ chunk_clear(&this->shared_secret);
 if (!compute_shared_key(this, &this->shared_secret))
 {
 DBG1(DBG_LIB, "ECDH shared secret computation failed");
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index f4c4759bf..950504573 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -1,6 +1,6 @@
 /*
+ * Copyright (C) 2008-2012 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -371,14 +371,17 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
 va_list args)
 {
 private_openssl_ec_private_key_t *this;
- chunk_t blob = chunk_empty;
+ chunk_t par = chunk_empty, key = chunk_empty;
 
 while (TRUE)
 {
 switch (va_arg(args, builder_part_t))
 {
+ case BUILD_BLOB_ALGID_PARAMS:
+ par = va_arg(args, chunk_t);
+ continue;
 case BUILD_BLOB_ASN1_DER:
- blob = va_arg(args, chunk_t);
+ key = va_arg(args, chunk_t);
 continue;
 case BUILD_END:
 break;
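Review bot: chunk_clear() on the replaced line now wipes the previous ECDH shared secret before it is recomputed, which is the right treatment for key material; the other release point for `this->shared_secret` — the destroy method — is outside this hunk and should use chunk_clear() for the same reason, otherwise the secret survives in freed heap memory at teardown. It is also worth confirming that compute_shared_key() leaves `this->shared_secret` empty (NULL ptr, zero len) when it fails, because the failure branch visible here only logs, and a later accessor would otherwise hand back a stale or partially written buffer. set_other_public_value starts and ends outside the hunk.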
@@ -389,18 +392,36 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
 }
 
 this = create_empty();
- this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
- if (!this->ec)
+
+ if (par.ptr)
 {
- destroy(this);
- return NULL;
+ this->ec = d2i_ECParameters(NULL, (const u_char**)&par.ptr, par.len);
+ if (!this->ec)
+ {
+ goto error;
+ }
+ if (!d2i_ECPrivateKey(&this->ec, (const u_char**)&key.ptr, key.len))
+ {
+ goto error;
+ }
+ }
+ else
+ {
+ this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&key.ptr, key.len);
+ if (!this->ec)
+ {
+ goto error;
+ }
 }
 if (!EC_KEY_check_key(this->ec))
 {
- destroy(this);
- return NULL;
+ goto error;
 }
 return &this->public;
+
+error:
+ destroy(this);
+ return NULL;
 }
 
 #endif /* OPENSSL_NO_EC */
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 96aa38bb6..c93ceacc9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
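Review bot: the in-place decode `d2i_ECPrivateKey(&this->ec, …)` in the `par.ptr` branch assumes OpenSSL leaves `this->ec` intact when decoding fails, but some OpenSSL releases free the caller-supplied EC_KEY on that error path, and destroy(this) at the error label would then free it a second time; check the linked version's behaviour and, if it does free, clear `this->ec` before jumping to error. Independently, when no BUILD_BLOB_ASN1_DER part was supplied both branches still pass a NULL key.ptr with key.len 0 to d2i_ECPrivateKey; an explicit `if (!key.ptr) { goto error; }` ahead of the decode makes the contract visible instead of relying on the ASN.1 decoder rejecting zero-length input. openssl_ec_private_key_load begins outside this hunk.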
@@ -199,40 +199,175 @@ METHOD(plugin_t, get_name, char*,
 return "openssl";
 }
 
+METHOD(plugin_t, get_features, int,
+ private_openssl_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ /* crypters */
+ PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
+#ifndef OPENSSL_NO_AES
+ PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
+ PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
+ PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+ PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
+ PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
+ PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
+#endif
+#ifndef OPENSSL_NO_RC5
+ PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
+#endif
+#ifndef OPENSSL_NO_CAST
+ PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
+#endif
+#ifndef OPENSSL_NO_BLOWFISH
+ PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
+#endif
+#ifndef OPENSSL_NO_IDEA
+ PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
+#endif
+#ifndef OPENSSL_NO_DES
+ PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
+ PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
+ PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
+#endif
+ PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
+ /* hashers */
+ PLUGIN_REGISTER(HASHER, openssl_hasher_create),
+#ifndef OPENSSL_NO_SHA1
+ PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+#endif
+#ifndef OPENSSL_NO_MD2
+ PLUGIN_PROVIDE(HASHER, HASH_MD2),
+#endif
+#ifndef OPENSSL_NO_MD4
+ PLUGIN_PROVIDE(HASHER, HASH_MD4),
+#endif
+#ifndef OPENSSL_NO_MD5
+ PLUGIN_PROVIDE(HASHER, HASH_MD5),
+#endif
+#ifndef OPENSSL_NO_SHA256
+ PLUGIN_PROVIDE(HASHER, HASH_SHA224),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA256),
+#endif
+#ifndef OPENSSL_NO_SHA512
+ PLUGIN_PROVIDE(HASHER, HASH_SHA384),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA512),
+#endif
+#ifndef OPENSSL_NO_SHA1
+ /* keyed sha1 hasher (aka prf) */
+ PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
+ PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
+#endif
+#ifndef OPENSSL_NO_DH
+ /* MODP DH groups */
+ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+ PLUGIN_PROVIDE(DH, MODP_2048_224),
+ PLUGIN_PROVIDE(DH, MODP_2048_256),
+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+ PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+ PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+ PLUGIN_PROVIDE(DH, MODP_6144_BIT),
+ PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+ PLUGIN_PROVIDE(DH, MODP_1024_BIT),
+ PLUGIN_PROVIDE(DH, MODP_1024_160),
+ PLUGIN_PROVIDE(DH, MODP_768_BIT),
+ PLUGIN_PROVIDE(DH, MODP_CUSTOM),
+#endif
+#ifndef OPENSSL_NO_RSA
+ /* RSA private/public key loading */
+ PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
+ PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+ PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
+ PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, FALSE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
+ PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+ /* signature/encryption schemes */
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
+#ifndef OPENSSL_NO_SHA1
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
+#endif
+#ifndef OPENSSL_NO_SHA256
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA224),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA256),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA224),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
+#endif
+#ifndef OPENSSL_NO_SHA512
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA384),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA512),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA384),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA512),
+#endif
+#ifndef OPENSSL_NO_MD5
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
+#endif
+ PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
+ PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
+#endif /* OPENSSL_NO_RSA */
+ /* certificate/CRL loading */
+ PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
+ PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
+ PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
+ PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#ifndef OPENSSL_NO_ECDH
+ /* EC DH groups */
+ PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
+ PLUGIN_PROVIDE(DH, ECP_256_BIT),
+ PLUGIN_PROVIDE(DH, ECP_384_BIT),
+ PLUGIN_PROVIDE(DH, ECP_521_BIT),
+ PLUGIN_PROVIDE(DH, ECP_224_BIT),
+ PLUGIN_PROVIDE(DH, ECP_192_BIT),
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ /* EC private/public key loading */
+ PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
+ PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
+ PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
+ /* signature encryption schemes */
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
+#ifndef OPENSSL_NO_SHA1
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
+#endif
+#ifndef OPENSSL_NO_SHA256
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
+#endif
+#ifndef OPENSSL_NO_SHA512
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
+#endif
+#endif /* OPENSSL_NO_ECDSA */
+ };
+ *features = f;
+ return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 private_openssl_plugin_t *this)
 {
- lib->crypto->remove_crypter(lib->crypto,
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->remove_hasher(lib->crypto,
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->remove_prf(lib->crypto,
- (prf_constructor_t)openssl_sha1_prf_create);
- lib->crypto->remove_dh(lib->crypto,
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_rsa_private_key_load);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_rsa_private_key_gen);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_rsa_private_key_connect);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_rsa_public_key_load);
-#ifndef OPENSSL_NO_EC
- lib->crypto->remove_dh(lib->crypto,
- (dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_ec_private_key_load);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_ec_private_key_gen);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_ec_public_key_load);
-#endif /* OPENSSL_NO_EC */
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_x509_load);
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)openssl_crl_load);
-
 #ifndef OPENSSL_NO_ENGINE
 ENGINE_cleanup();
 #endif /* OPENSSL_NO_ENGINE */
@@ -255,7 +390,7 @@ plugin_t *openssl_plugin_create()
 .public = {
 .plugin = {
 .get_name = _get_name,
- .reload = (void*)return_false,
+ .get_features = _get_features,
 .destroy = _destroy,
 },
 },
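Review bot: the two RSA public-key registrations in the new feature table swap the final flag relative to the add_builder calls they replace: the removed code registered KEY_RSA as final (TRUE) and KEY_ANY as not final (FALSE), while the table has `PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, FALSE)` for KEY_RSA and `TRUE` for KEY_ANY, whereas every private-key, EC and certificate entry keeps the flag it had before. Unless the flag's meaning changed with the feature framework this looks accidental and should read `PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE)` for KEY_RSA and `FALSE` for KEY_ANY. The table also keeps offering legacy primitives (MD2, MD4, MD5, single DES, DES-ECB, RC5, IDEA, Blowfish, MODP_768/1024, ECP_192) exactly as the removed code did; a one-line comment above `f[]` stating that these stay for interoperability and that proposal configuration, not this plugin, decides what gets negotiated would spare the next reader the same question. The destroy method at the end of the hunk continues past it.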
@@ -279,116 +414,6 @@ plugin_t *openssl_plugin_create()
 return NULL;
 }
 
- /* crypter */
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_RC5, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAST, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_NULL, get_name(this),
- (crypter_constructor_t)openssl_crypter_create);
-
- /* hasher */
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD2, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512, get_name(this),
- (hasher_constructor_t)openssl_hasher_create);
-
- /* prf */
- lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, get_name(this),
- (prf_constructor_t)openssl_sha1_prf_create);
-
- /* (ec) diffie hellman */
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
-#ifndef OPENSSL_NO_EC
- lib->crypto->add_dh(lib->crypto, ECP_256_BIT, get_name(this),
- (dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_384_BIT, get_name(this),
- (dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_521_BIT, get_name(this),
- (dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_224_BIT, get_name(this),
- (dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_192_BIT, get_name(this),
- (dh_constructor_t)openssl_ec_diffie_hellman_create);
-#endif /* OPENSSL_NO_EC */
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, get_name(this),
- (dh_constructor_t)openssl_diffie_hellman_create);
-
- /* rsa */
- lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
- (builder_function_t)openssl_rsa_private_key_load);
- lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
- (builder_function_t)openssl_rsa_private_key_gen);
- lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
- (builder_function_t)openssl_rsa_private_key_connect);
- lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
- (builder_function_t)openssl_rsa_public_key_load);
- lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
- (builder_function_t)openssl_rsa_public_key_load);
-
-#ifndef OPENSSL_NO_EC
- /* ecdsa */
- lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, TRUE,
- (builder_function_t)openssl_ec_private_key_load);
- lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
- (builder_function_t)openssl_ec_private_key_gen);
- lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, TRUE,
- (builder_function_t)openssl_ec_public_key_load);
-#endif /* OPENSSL_NO_EC */
-
- /* X509 certificates */
- lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
- (builder_function_t)openssl_x509_load);
- lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
- (builder_function_t)openssl_crl_load);
-
 return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 422e31521..a24bae5d6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -44,6 +44,8 @@ struct private_openssl_rsa_public_key_t {
 refcount_t ref;
 };
 
+
+
 /**
 * Verification of an EMPSA PKCS1 signature described in PKCS#1
 */
@@ -386,4 +388,3 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
 destroy(this);
 return NULL;
 }
-
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 99dca3631..1eb1c6723 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -130,7 +130,7 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1)
 {
 if (asn1)
 {
- return chunk_create(asn1->data, asn1->length);
+ return chunk_create((u_char*)asn1->data, asn1->length);
 }
 return chunk_empty;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index f7495b2ae..5caf5182c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
@@ -597,7 +600,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
 }
 if (constraints->pathlen)
 {
-
+
 pathlen = ASN1_INTEGER_get(constraints->pathlen);
 this->pathlen = (pathlen >= 0 && pathlen < 128) ? pathlen : X509_NO_CONSTRAINT;
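Review bot: the added `(u_char*)` cast in openssl_asn1_obj2chunk silences a const mismatch (presumably `data` is const-qualified in the OpenSSL headers being built against) but also hides that the returned chunk aliases the ASN1_OBJECT's own buffer, and nothing in the function tells a caller that the chunk must not be written to or freed. A comment on the return line, `/* aliases asn1's internal buffer: read-only, valid only while asn1 lives, never chunk_free/chunk_clear it */`, would make the ownership explicit now that the cast has removed the compiler's hint. The rsa_public_key and basicConstraints hunks sharing this line change whitespace only.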
@@ -609,6 +612,41 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
 }
 
 /**
+ * parse key usage
+ */
+static bool parse_keyUsage_ext(private_openssl_x509_t *this,
+ X509_EXTENSION *ext)
+{
+ ASN1_BIT_STRING *usage;
+
+ usage = X509V3_EXT_d2i(ext);
+ if (usage)
+ {
+ if (usage->length > 0)
+ {
+ int flags = usage->data[0];
+ if (usage->length > 1)
+ {
+ flags |= usage->data[1] << 8;
+ }
+ switch (flags)
+ {
+ case X509v3_KU_CRL_SIGN:
+ this->flags |= X509_CRL_SIGN;
+ break;
+ case X509v3_KU_KEY_CERT_SIGN:
+ /* we use the caBasicContraint, MUST be set */
+ default:
+ break;
+ }
+ }
+ ASN1_BIT_STRING_free(usage);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
 * Parse CRL distribution points
 */
 static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
@@ -713,7 +751,7 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this,
 {
 if (asprintf(&uri, "%Y", id) > 0)
 {
- this->ocsp_uris->insert_first(this->ocsp_uris, uri);
+ this->ocsp_uris->insert_last(this->ocsp_uris, uri);
 }
 id->destroy(id);
 }
@@ -804,6 +842,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
 case NID_basic_constraints:
 ok = parse_basicConstraints_ext(this, ext);
 break;
+ case NID_key_usage:
+ ok = parse_keyUsage_ext(this, ext);
+ break;
 case NID_crl_distribution_points:
 ok = parse_crlDistributionPoints_ext(this, ext);
 break;
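Review bot: `switch (flags)` in parse_keyUsage_ext compares the whole keyUsage bit mask for equality, so `X509_CRL_SIGN` is only recorded when cRLSign is the sole bit set; a CA certificate carrying the usual keyCertSign|cRLSign combination (often with digitalSignature as well) falls into `default` and is treated as not permitted to sign CRLs. Test the bit instead and drop the switch: `if (flags & X509v3_KU_CRL_SIGN) { this->flags |= X509_CRL_SIGN; }`. The byte assembly above it (data[0], then data[1] << 8) already matches the layout of the X509v3_KU_* constants, so only the comparison needs to change. The comment at the keyCertSign case also misspells the extension name (`caBasicContraint`) and would be clearer as `/* keyCertSign is not tracked here; the CA flag from basicConstraints is used instead and MUST be set */`.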