diff options
Diffstat (limited to 'src/libstrongswan/plugins/openssl')
12 files changed, 367 insertions, 122 deletions
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index 25cc5aa1d..a50799798 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -3,12 +3,18 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-openssl.la +else plugin_LTLIBRARIES = libstrongswan-openssl.la +endif -libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ +libstrongswan_openssl_la_SOURCES = \ + openssl_plugin.h openssl_plugin.c \ openssl_util.c openssl_util.h \ openssl_crypter.c openssl_crypter.h \ openssl_hasher.c openssl_hasher.h \ + openssl_sha1_prf.c openssl_sha1_prf.h \ openssl_diffie_hellman.c openssl_diffie_hellman.h \ openssl_rsa_private_key.c openssl_rsa_private_key.h \ openssl_rsa_public_key.c openssl_rsa_public_key.h \ diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index aa8ecf06c..a2a931d42 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -72,18 +72,22 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(plugin_LTLIBRARIES) +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_openssl_la_DEPENDENCIES = am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \ openssl_util.lo openssl_crypter.lo openssl_hasher.lo \ - openssl_diffie_hellman.lo openssl_rsa_private_key.lo \ - openssl_rsa_public_key.lo openssl_ec_diffie_hellman.lo \ - openssl_ec_private_key.lo openssl_ec_public_key.lo + openssl_sha1_prf.lo openssl_diffie_hellman.lo \ + openssl_rsa_private_key.lo openssl_rsa_public_key.lo \ + openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \ + openssl_ec_public_key.lo libstrongswan_openssl_la_OBJECTS = \ $(am_libstrongswan_openssl_la_OBJECTS) libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libstrongswan_openssl_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_openssl_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_openssl_la_rpath = DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -222,6 +226,7 @@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ @@ -258,11 +263,14 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic -plugin_LTLIBRARIES = libstrongswan-openssl.la -libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la +libstrongswan_openssl_la_SOURCES = \ + openssl_plugin.h openssl_plugin.c \ openssl_util.c openssl_util.h \ openssl_crypter.c openssl_crypter.h \ openssl_hasher.c openssl_hasher.h \ + openssl_sha1_prf.c openssl_sha1_prf.h \ openssl_diffie_hellman.c openssl_diffie_hellman.h \ openssl_rsa_private_key.c openssl_rsa_private_key.h \ openssl_rsa_public_key.c openssl_rsa_public_key.h \ @@ -306,6 +314,15 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" @@ -338,7 +355,7 @@ clean-pluginLTLIBRARIES: rm -f "$${dir}/so_locations"; \ done libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) - $(libstrongswan_openssl_la_LINK) -rpath $(plugindir) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS) + $(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -355,6 +372,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@ .c.o: @@ -500,8 +518,8 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ - mostlyclean-am +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -572,18 +590,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-pluginLTLIBRARIES ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-pluginLTLIBRARIES \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-pluginLTLIBRARIES + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index 80a1ee878..9a032c54f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -20,47 +20,6 @@ #include <debug.h> -typedef struct modulus_entry_t modulus_entry_t; - -/** - * Entry of the modulus list. - */ -struct modulus_entry_t { - /** - * Group number as it is defined in file transform_substructure.h. - */ - diffie_hellman_group_t group; - - /** - * Pointer to the function to get the modulus. - */ - BIGNUM *(*get_prime)(BIGNUM *bn); - - /* - * Optimum length of exponent in bits. - */ - long opt_exponent_len; - - /* - * Generator value. - */ - u_int16_t generator; -}; - -/** - * All supported modulus values - optimum exponent size according to RFC 3526. - */ -static modulus_entry_t modulus_entries[] = { - {MODP_768_BIT, get_rfc2409_prime_768, 256, 2}, - {MODP_1024_BIT, get_rfc2409_prime_1024, 256, 2}, - {MODP_1536_BIT, get_rfc3526_prime_1536, 256, 2}, - {MODP_2048_BIT, get_rfc3526_prime_2048, 384, 2}, - {MODP_3072_BIT, get_rfc3526_prime_3072, 384, 2}, - {MODP_4096_BIT, get_rfc3526_prime_4096, 512, 2}, - {MODP_6144_BIT, get_rfc3526_prime_6144, 512, 2}, - {MODP_8192_BIT, get_rfc3526_prime_8192, 512, 2}, -}; - typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t; /** @@ -125,7 +84,6 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this, memset(secret->ptr, 0, secret->len); memcpy(secret->ptr + secret->len - this->shared_secret.len, this->shared_secret.ptr, this->shared_secret.len); - return SUCCESS; } @@ -145,7 +103,7 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this, len = DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh); if (len < 0) { - DBG1("DH shared secret computation failed"); + DBG1(DBG_LIB, "DH shared secret computation failed"); return; } this->shared_secret.len = len; @@ -165,27 +123,18 @@ static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *thi */ static status_t set_modulus(private_openssl_diffie_hellman_t *this) { - int i; - bool ansi_x9_42; - - ansi_x9_42 = lib->settings->get_bool(lib->settings, - "libstrongswan.dh_exponent_ansi_x9_42", TRUE); - - for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++) + diffie_hellman_params_t *params = diffie_hellman_get_params(this->group); + if (!params) { - if (modulus_entries[i].group == this->group) - { - this->dh->p = modulus_entries[i].get_prime(NULL); - this->dh->g = BN_new(); - BN_set_word(this->dh->g, modulus_entries[i].generator); - if (!ansi_x9_42) - { - this->dh->length = modulus_entries[i].opt_exponent_len; - } - return SUCCESS; - } + return NOT_FOUND; } - return NOT_FOUND; + this->dh->p = BN_bin2bn(params->prime.ptr, params->prime.len, NULL); + this->dh->g = BN_bin2bn(params->generator.ptr, params->generator.len, NULL); + if (params->exp_len != params->prime.len) + { + this->dh->length = params->exp_len * 8; + } + return SUCCESS; } /** @@ -237,7 +186,8 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g destroy(this); return NULL; } - DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key)); + DBG2(DBG_LIB, "size of DH secret exponent: %d bits", + BN_num_bits(this->dh->priv_key)); return &this->public; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index 671fa41e2..faec411cd 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -212,14 +212,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch { if (!chunk2ecp(this->ec_group, value, this->pub_key)) { - DBG1("ECDH public value is malformed"); + DBG1(DBG_LIB, "ECDH public value is malformed"); return; } chunk_free(&this->shared_secret); if (!compute_shared_key(this, &this->shared_secret)) { - DBG1("ECDH shared secret computation failed"); + DBG1(DBG_LIB, "ECDH shared secret computation failed"); return; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index 89ced5a9a..bdcfda974 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -84,14 +84,14 @@ static bool build_curve_signature(private_openssl_ec_private_key_t *this, req_group = EC_GROUP_new_by_curve_name(nid_curve); if (!req_group) { - DBG1("signature scheme %N not supported in EC (required curve " + DBG1(DBG_LIB, "signature scheme %N not supported in EC (required curve " "not supported)", signature_scheme_names, scheme); return FALSE; } my_group = EC_KEY_get0_group(this->ec); if (EC_GROUP_cmp(my_group, req_group, NULL) != 0) { - DBG1("signature scheme %N not supported by private key", + DBG1(DBG_LIB, "signature scheme %N not supported by private key", signature_scheme_names, scheme); return FALSE; } @@ -162,7 +162,7 @@ static bool sign(private_openssl_ec_private_key_t *this, return build_curve_signature(this, scheme, NID_sha512, NID_secp521r1, data, signature); default: - DBG1("signature scheme %N not supported", + DBG1(DBG_LIB, "signature scheme %N not supported", signature_scheme_names, scheme); return FALSE; } @@ -174,7 +174,7 @@ static bool sign(private_openssl_ec_private_key_t *this, static bool decrypt(private_openssl_ec_private_key_t *this, chunk_t crypto, chunk_t *plain) { - DBG1("EC private key decryption not implemented"); + DBG1(DBG_LIB, "EC private key decryption not implemented"); return FALSE; } @@ -233,11 +233,24 @@ static bool get_encoding(private_openssl_ec_private_key_t *this, switch (type) { case KEY_PRIV_ASN1_DER: + case KEY_PRIV_PEM: { + bool success = TRUE; + *encoding = chunk_alloc(i2d_ECPrivateKey(this->ec, NULL)); p = encoding->ptr; i2d_ECPrivateKey(this->ec, &p); - return TRUE; + + if (type == KEY_PRIV_PEM) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, + NULL, encoding, KEY_PART_ECDSA_PRIV_ASN1_DER, + asn1_encoding, KEY_PART_END); + chunk_clear(&asn1_encoding); + } + return success; } default: return FALSE; @@ -335,13 +348,13 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type, this->ec = EC_KEY_new_by_curve_name(NID_secp521r1); break; default: - DBG1("EC private key size %d not supported", key_size); + DBG1(DBG_LIB, "EC private key size %d not supported", key_size); destroy(this); return NULL; } if (EC_KEY_generate_key(this->ec) != 1) { - DBG1("EC private key generation failed", key_size); + DBG1(DBG_LIB, "EC private key generation failed", key_size); destroy(this); return NULL; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index f37c736b1..790a8487d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -82,14 +82,14 @@ static bool verify_curve_signature(private_openssl_ec_public_key_t *this, req_group = EC_GROUP_new_by_curve_name(nid_curve); if (!req_group) { - DBG1("signature scheme %N not supported in EC (required curve " + DBG1(DBG_LIB, "signature scheme %N not supported in EC (required curve " "not supported)", signature_scheme_names, scheme); return FALSE; } my_group = EC_KEY_get0_group(this->ec); if (EC_GROUP_cmp(my_group, req_group, NULL) != 0) { - DBG1("signature scheme %N not supported by private key", + DBG1(DBG_LIB, "signature scheme %N not supported by private key", signature_scheme_names, scheme); return FALSE; } @@ -162,7 +162,7 @@ static bool verify(private_openssl_ec_public_key_t *this, return verify_curve_signature(this, scheme, NID_sha512, NID_secp521r1, data, signature); default: - DBG1("signature scheme %N not supported in EC", + DBG1(DBG_LIB, "signature scheme %N not supported in EC", signature_scheme_names, scheme); return FALSE; } @@ -174,7 +174,7 @@ static bool verify(private_openssl_ec_public_key_t *this, static bool encrypt_(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain) { - DBG1("EC public key encryption not implemented"); + DBG1(DBG_LIB, "EC public key encryption not implemented"); return FALSE; } @@ -217,7 +217,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (!hasher) { - DBG1("SHA1 hash algorithm not supported, fingerprinting failed"); + DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed"); free(key.ptr); return FALSE; } @@ -248,11 +248,24 @@ static bool get_encoding(private_openssl_ec_public_key_t *this, switch (type) { case KEY_PUB_SPKI_ASN1_DER: + case KEY_PUB_PEM: { + bool success = TRUE; + *encoding = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL)); p = encoding->ptr; i2d_EC_PUBKEY(this->ec, &p); - return TRUE; + + if (type == KEY_PUB_PEM) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM, + NULL, encoding, KEY_PART_ECDSA_PUB_ASN1_DER, + asn1_encoding, KEY_PART_END); + chunk_clear(&asn1_encoding); + } + return success; } default: return FALSE; diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 548a76bb4..c1545ffb8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -27,6 +27,7 @@ #include "openssl_util.h" #include "openssl_crypter.h" #include "openssl_hasher.h" +#include "openssl_sha1_prf.h" #include "openssl_diffie_hellman.h" #include "openssl_ec_diffie_hellman.h" #include "openssl_rsa_private_key.h" @@ -170,6 +171,8 @@ static void destroy(private_openssl_plugin_t *this) (crypter_constructor_t)openssl_crypter_create); lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)openssl_hasher_create); + lib->crypto->remove_prf(lib->crypto, + (prf_constructor_t)openssl_sha1_prf_create); lib->crypto->remove_dh(lib->crypto, (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->remove_dh(lib->crypto, @@ -201,7 +204,7 @@ static void destroy(private_openssl_plugin_t *this) /* * see header file */ -plugin_t *plugin_create() +plugin_t *openssl_plugin_create() { private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t); @@ -256,9 +259,17 @@ plugin_t *plugin_create() lib->crypto->add_hasher(lib->crypto, HASH_SHA512, (hasher_constructor_t)openssl_hasher_create); + /* prf */ + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, + (prf_constructor_t)openssl_sha1_prf_create); + /* (ec) diffie hellman */ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_224, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_256, + (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, ECP_256_BIT, @@ -281,6 +292,8 @@ plugin_t *plugin_create() (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_160, + (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_768_BIT, (dh_constructor_t)openssl_diffie_hellman_create); diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.h b/src/libstrongswan/plugins/openssl/openssl_plugin.h index 9f422c9d0..0762c37b9 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.h +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.h @@ -39,9 +39,4 @@ struct openssl_plugin_t { plugin_t plugin; }; -/** - * Create a openssl_plugin instance. - */ -plugin_t *plugin_create(); - #endif /** OPENSSL_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 078f889a6..de751fe89 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -160,7 +160,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch case SIGN_RSA_EMSA_PKCS1_MD5: return build_emsa_pkcs1_signature(this, NID_md5, data, signature); default: - DBG1("signature scheme %N not supported in RSA", + DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); return FALSE; } @@ -172,7 +172,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch static bool decrypt(private_openssl_rsa_private_key_t *this, chunk_t crypto, chunk_t *plain) { - DBG1("RSA private key decryption not implemented"); + DBG1(DBG_LIB, "RSA private key decryption not implemented"); return FALSE; } @@ -226,11 +226,24 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this, switch (type) { case KEY_PRIV_ASN1_DER: + case KEY_PRIV_PEM: { + bool success = TRUE; + *encoding = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL)); p = encoding->ptr; i2d_RSAPrivateKey(this->rsa, &p); - return TRUE; + + if (type == KEY_PRIV_PEM) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, + NULL, encoding, KEY_PART_RSA_PRIV_ASN1_DER, + asn1_encoding, KEY_PART_END); + chunk_clear(&asn1_encoding); + } + return success; } default: return FALSE; @@ -296,6 +309,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type, { private_openssl_rsa_private_key_t *this; u_int key_size = 0; + RSA *rsa = NULL; + BIGNUM *e = NULL; while (TRUE) { @@ -315,10 +330,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type, { return NULL; } + e = BN_new(); + if (!e || !BN_set_word(e, PUBLIC_EXPONENT)) + { + goto error; + } + rsa = RSA_new(); + if (!rsa || !RSA_generate_key_ex(rsa, key_size, e, NULL)) + { + goto error; + } this = create_empty(); - this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL); - + this->rsa = rsa; + BN_free(e); return &this->public; + +error: + if (e) + { + BN_free(e); + } + if (rsa) + { + RSA_free(rsa); + } + return NULL; } /** @@ -440,22 +476,22 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, } engine_id = lib->settings->get_str(lib->settings, - "library.plugins.openssl.engine_id", "pkcs11"); + "libstrongswan.plugins.openssl.engine_id", "pkcs11"); engine = ENGINE_by_id(engine_id); if (!engine) { - DBG1("engine '%s' is not available", engine_id); + DBG1(DBG_LIB, "engine '%s' is not available", engine_id); return NULL; } if (!ENGINE_init(engine)) { - DBG1("failed to initialize engine '%s'", engine_id); + DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id); ENGINE_free(engine); return NULL; } if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) { - DBG1("failed to set PIN on engine '%s'", engine_id); + DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id); ENGINE_free(engine); return NULL; } @@ -463,8 +499,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, key = ENGINE_load_private_key(engine, keyid, NULL, NULL); if (!key) { - DBG1("failed to load private key with ID '%s' from engine '%s'", - keyid, engine_id); + DBG1(DBG_LIB, "failed to load private key with ID '%s' from " + "engine '%s'", keyid, engine_id); ENGINE_free(engine); return NULL; } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 422262b19..ffa575a97 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -145,7 +145,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc case SIGN_RSA_EMSA_PKCS1_MD5: return verify_emsa_pkcs1_signature(this, NID_md5, data, signature); default: - DBG1("signature scheme %N not supported in RSA", + DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); return FALSE; } @@ -157,7 +157,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc static bool encrypt_(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain) { - DBG1("RSA public key encryption not implemented"); + DBG1(DBG_LIB, "RSA public key encryption not implemented"); return FALSE; } @@ -200,7 +200,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (!hasher) { - DBG1("SHA1 hash algorithm not supported, fingerprinting failed"); + DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed"); free(key.ptr); return FALSE; } @@ -231,11 +231,24 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this, switch (type) { case KEY_PUB_SPKI_ASN1_DER: + case KEY_PUB_PEM: { + bool success = TRUE; + *encoding = chunk_alloc(i2d_RSA_PUBKEY(this->rsa, NULL)); p = encoding->ptr; i2d_RSA_PUBKEY(this->rsa, &p); - return TRUE; + + if (type == KEY_PUB_PEM) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM, + NULL, encoding, KEY_PART_RSA_PUB_ASN1_DER, + asn1_encoding, KEY_PART_END); + chunk_clear(&asn1_encoding); + } + return success; } case KEY_PUB_ASN1_DER: { diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c new file mode 100644 index 000000000..b65388010 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c @@ -0,0 +1,139 @@ +/* + * Copyright (C) 2010 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "openssl_sha1_prf.h" + +#include <openssl/sha.h> + +typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t; + +/** + * Private data of an openssl_sha1_prf_t object. + */ +struct private_openssl_sha1_prf_t { + + /** + * Public openssl_sha1_prf_t interface. + */ + openssl_sha1_prf_t public; + + /** + * SHA1 context + */ + SHA_CTX ctx; +}; + +METHOD(prf_t, get_bytes, void, + private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes) +{ + SHA1_Update(&this->ctx, seed.ptr, seed.len); + + if (bytes) + { + u_int32_t *hash = (u_int32_t*)bytes; + + hash[0] = htonl(this->ctx.h0); + hash[1] = htonl(this->ctx.h1); + hash[2] = htonl(this->ctx.h2); + hash[3] = htonl(this->ctx.h3); + hash[4] = htonl(this->ctx.h4); + } +} + +METHOD(prf_t, get_block_size, size_t, + private_openssl_sha1_prf_t *this) +{ + return HASH_SIZE_SHA1; +} + +METHOD(prf_t, allocate_bytes, void, + private_openssl_sha1_prf_t *this, chunk_t seed, chunk_t *chunk) +{ + if (chunk) + { + *chunk = chunk_alloc(HASH_SIZE_SHA1); + get_bytes(this, seed, chunk->ptr); + } + else + { + get_bytes(this, seed, NULL); + } +} + +METHOD(prf_t, get_key_size, size_t, + private_openssl_sha1_prf_t *this) +{ + return HASH_SIZE_SHA1; +} + +METHOD(prf_t, set_key, void, + private_openssl_sha1_prf_t *this, chunk_t key) +{ + SHA1_Init(&this->ctx); + + if (key.len >= 4) + { + this->ctx.h0 ^= untoh32(key.ptr); + } + if (key.len >= 8) + { + this->ctx.h1 ^= untoh32(key.ptr + 4); + } + if (key.len >= 12) + { + this->ctx.h2 ^= untoh32(key.ptr + 8); + } + if (key.len >= 16) + { + this->ctx.h3 ^= untoh32(key.ptr + 12); + } + if (key.len >= 20) + { + this->ctx.h4 ^= untoh32(key.ptr + 16); + } +} + +METHOD(prf_t, destroy, void, + private_openssl_sha1_prf_t *this) +{ + free(this); +} + +/** + * See header + */ +openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo) +{ + private_openssl_sha1_prf_t *this; + + if (algo != PRF_KEYED_SHA1) + { + return NULL; + } + + INIT(this, + .public.prf = { + .get_block_size = _get_block_size, + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); + + return &this->public; +} + diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h new file mode 100644 index 000000000..9a24e7ee1 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2010 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup openssl_sha1_prf openssl_sha1_prf + * @{ @ingroup sha1_p + */ + +#ifndef OPENSSL_SHA1_PRF_H_ +#define OPENSSL_SHA1_PRF_H_ + +typedef struct openssl_sha1_prf_t openssl_sha1_prf_t; + +#include <crypto/prfs/prf.h> + +/** + * Implementation of prf_t interface using keyed SHA1 algorithm as used + * in EAP-AKA/FIPS_PRF. + */ +struct openssl_sha1_prf_t { + + /** + * Implements prf_t interface. + */ + prf_t prf; +}; + +/** + * Creates a new openssl_sha1_prf_t. + * + * @param algo algorithm, must be PRF_KEYED_SHA1 + * @return sha1_keyed_prf_tobject + */ +openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo); + +#endif /** OPENSSL_SHA1_PRF_H_ @}*/ |