diff options
Diffstat (limited to 'src/libstrongswan')
50 files changed, 4491 insertions, 1448 deletions
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 292abc0a4..e8859ad4c 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -1,6 +1,14 @@ lib_LTLIBRARIES = libstrongswan.la -libstrongswan_la_SOURCES = \ +if USE_INTEGRITY_TEST + libstrongswan_la_SOURCES = \ + fips/fips_canister_start.c \ + fips/fips.c fips/fips.h +else + libstrongswan_la_SOURCES = +endif + +libstrongswan_la_SOURCES += \ credential_store.h \ library.c library.h \ chunk.c chunk.h \ @@ -16,15 +24,17 @@ crypto/ca.c crypto/ca.h \ crypto/certinfo.c crypto/certinfo.h \ crypto/crl.c crypto/crl.h \ crypto/crypters/crypter.c crypto/crypters/crypter.h \ -crypto/crypters/aes_cbc_crypter.c crypto/crypters/aes_cbc_crypter.h\ -crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h\ +crypto/crypters/aes_cbc_crypter.c crypto/crypters/aes_cbc_crypter.h \ +crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h \ crypto/diffie_hellman.c crypto/diffie_hellman.h \ crypto/hashers/hasher.h crypto/hashers/hasher.c \ crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \ crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \ crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \ crypto/hmac.c crypto/hmac.h \ +crypto/ietf_attr_list.c crypto/ietf_attr_list.h \ crypto/ocsp.c crypto/ocsp.h \ +crypto/pkcs7.c crypto/pkcs7.h \ crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \ crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \ crypto/prfs/prf.c crypto/prfs/prf.h \ @@ -41,14 +51,18 @@ utils/iterator.h \ utils/leak_detective.c utils/leak_detective.h \ utils/lexparser.c utils/lexparser.h \ utils/linked_list.c utils/linked_list.h \ +utils/enumerator.c utils/enumerator.h \ +utils/optionsfrom.c utils/optionsfrom.h \ utils/randomizer.c utils/randomizer.h +if USE_INTEGRITY_TEST + libstrongswan_la_SOURCES += \ + fips/fips_canister_end.c +endif + libstrongswan_la_LIBADD = -lgmp -lpthread INCLUDES = -I$(top_srcdir)/src/libstrongswan -EXTRA_DIST = asn1/oid.txt asn1/oid.pl -BUILT_SOURCES = asn1/oid.c asn1/oid.h -MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h if USE_LEAK_DETECTIVE libstrongswan_la_LIBADD += -ldl @@ -63,8 +77,26 @@ if USE_LIBLDAP libstrongswan_la_LIBADD += -lldap -llber endif +EXTRA_DIST = asn1/oid.txt asn1/oid.pl +BUILT_SOURCES = asn1/oid.c asn1/oid.h +MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h + asn1/oid.c : asn1/oid.txt asn1/oid.pl cd asn1 && $(PERL) oid.pl asn1/oid.h : asn1/oid.txt asn1/oid.pl cd asn1 && $(PERL) oid.pl + +if USE_INTEGRITY_TEST +# build fips_signer which in turn builds fips_signature.h +######################################################### +noinst_PROGRAMS = fips_signer +fips_signer_SOURCES = fips/fips_signer.c +fips_signer_LDADD = libstrongswan.la + +BUILT_SOURCES += fips_signature.h +CLEANFILES = fips_signature.h fips_signer + +fips_signature.h : fips_signer + ./fips_signer +endif diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index f1144144e..75d3dddd4 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.9.6 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -14,15 +14,12 @@ @SET_MAKE@ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c @@ -39,6 +36,8 @@ host_triplet = @host@ @USE_LEAK_DETECTIVE_TRUE@am__append_1 = -ldl @USE_LIBCURL_TRUE@am__append_2 = -lcurl @USE_LIBLDAP_TRUE@am__append_3 = -lldap -llber +@USE_INTEGRITY_TEST_TRUE@noinst_PROGRAMS = fips_signer$(EXEEXT) +@USE_INTEGRITY_TEST_TRUE@am__append_4 = fips_signature.h subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -59,43 +58,106 @@ LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ - printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ac.lo ca.lo \ - certinfo.lo crl.lo crypter.lo aes_cbc_crypter.lo \ - des_crypter.lo diffie_hellman.lo hasher.lo sha1_hasher.lo \ - sha2_hasher.lo md5_hasher.lo hmac.lo ocsp.lo fips_prf.lo \ - hmac_prf.lo prf.lo prf_plus.lo rsa_private_key.lo \ - rsa_public_key.lo hmac_signer.lo signer.lo x509.lo fetcher.lo \ - host.lo identification.lo leak_detective.lo lexparser.lo \ - linked_list.lo randomizer.lo +am__libstrongswan_la_SOURCES_DIST = credential_store.h library.c \ + library.h chunk.c chunk.h debug.c debug.h enum.c enum.h \ + printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h asn1/oid.c \ + asn1/oid.h asn1/pem.c asn1/pem.h asn1/ttodata.c asn1/ttodata.h \ + crypto/ac.c crypto/ac.h crypto/ca.c crypto/ca.h \ + crypto/certinfo.c crypto/certinfo.h crypto/crl.c crypto/crl.h \ + crypto/crypters/crypter.c crypto/crypters/crypter.h \ + crypto/crypters/aes_cbc_crypter.c \ + crypto/crypters/aes_cbc_crypter.h \ + crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h \ + crypto/diffie_hellman.c crypto/diffie_hellman.h \ + crypto/hashers/hasher.h crypto/hashers/hasher.c \ + crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \ + crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \ + crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \ + crypto/hmac.c crypto/hmac.h crypto/ietf_attr_list.c \ + crypto/ietf_attr_list.h crypto/ocsp.c crypto/ocsp.h \ + crypto/pkcs7.c crypto/pkcs7.h crypto/prfs/fips_prf.c \ + crypto/prfs/fips_prf.h crypto/prfs/hmac_prf.c \ + crypto/prfs/hmac_prf.h crypto/prfs/prf.c crypto/prfs/prf.h \ + crypto/prf_plus.h crypto/prf_plus.c \ + crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \ + crypto/rsa/rsa_public_key.h crypto/rsa/rsa_public_key.c \ + crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \ + crypto/signers/signer.c crypto/signers/signer.h crypto/x509.c \ + crypto/x509.h utils/fetcher.c utils/fetcher.h utils/host.c \ + utils/host.h utils/identification.c utils/identification.h \ + utils/iterator.h utils/leak_detective.c utils/leak_detective.h \ + utils/lexparser.c utils/lexparser.h utils/linked_list.c \ + utils/linked_list.h utils/enumerator.c utils/enumerator.h \ + utils/optionsfrom.c utils/optionsfrom.h utils/randomizer.c \ + utils/randomizer.h fips/fips_canister_start.c fips/fips.c \ + fips/fips.h fips/fips_canister_end.c +@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \ +@USE_INTEGRITY_TEST_FALSE@ chunk.lo debug.lo enum.lo \ +@USE_INTEGRITY_TEST_FALSE@ printf_hook.lo asn1.lo oid.lo pem.lo \ +@USE_INTEGRITY_TEST_FALSE@ ttodata.lo ac.lo ca.lo certinfo.lo \ +@USE_INTEGRITY_TEST_FALSE@ crl.lo crypter.lo aes_cbc_crypter.lo \ +@USE_INTEGRITY_TEST_FALSE@ des_crypter.lo diffie_hellman.lo \ +@USE_INTEGRITY_TEST_FALSE@ hasher.lo sha1_hasher.lo \ +@USE_INTEGRITY_TEST_FALSE@ sha2_hasher.lo md5_hasher.lo hmac.lo \ +@USE_INTEGRITY_TEST_FALSE@ ietf_attr_list.lo ocsp.lo pkcs7.lo \ +@USE_INTEGRITY_TEST_FALSE@ fips_prf.lo hmac_prf.lo prf.lo \ +@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo rsa_private_key.lo \ +@USE_INTEGRITY_TEST_FALSE@ rsa_public_key.lo hmac_signer.lo \ +@USE_INTEGRITY_TEST_FALSE@ signer.lo x509.lo fetcher.lo host.lo \ +@USE_INTEGRITY_TEST_FALSE@ identification.lo leak_detective.lo \ +@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \ +@USE_INTEGRITY_TEST_FALSE@ enumerator.lo optionsfrom.lo \ +@USE_INTEGRITY_TEST_FALSE@ randomizer.lo +@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \ +@USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \ +@USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \ +@USE_INTEGRITY_TEST_TRUE@ printf_hook.lo asn1.lo oid.lo pem.lo \ +@USE_INTEGRITY_TEST_TRUE@ ttodata.lo ac.lo ca.lo certinfo.lo \ +@USE_INTEGRITY_TEST_TRUE@ crl.lo crypter.lo aes_cbc_crypter.lo \ +@USE_INTEGRITY_TEST_TRUE@ des_crypter.lo diffie_hellman.lo \ +@USE_INTEGRITY_TEST_TRUE@ hasher.lo sha1_hasher.lo \ +@USE_INTEGRITY_TEST_TRUE@ sha2_hasher.lo md5_hasher.lo hmac.lo \ +@USE_INTEGRITY_TEST_TRUE@ ietf_attr_list.lo ocsp.lo pkcs7.lo \ +@USE_INTEGRITY_TEST_TRUE@ fips_prf.lo hmac_prf.lo prf.lo \ +@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo rsa_private_key.lo \ +@USE_INTEGRITY_TEST_TRUE@ rsa_public_key.lo hmac_signer.lo \ +@USE_INTEGRITY_TEST_TRUE@ signer.lo x509.lo fetcher.lo host.lo \ +@USE_INTEGRITY_TEST_TRUE@ identification.lo leak_detective.lo \ +@USE_INTEGRITY_TEST_TRUE@ lexparser.lo linked_list.lo \ +@USE_INTEGRITY_TEST_TRUE@ enumerator.lo optionsfrom.lo \ +@USE_INTEGRITY_TEST_TRUE@ randomizer.lo fips_canister_end.lo libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(srcdir) +PROGRAMS = $(noinst_PROGRAMS) +am__fips_signer_SOURCES_DIST = fips/fips_signer.c +@USE_INTEGRITY_TEST_TRUE@am_fips_signer_OBJECTS = \ +@USE_INTEGRITY_TEST_TRUE@ fips_signer.$(OBJEXT) +fips_signer_OBJECTS = $(am_fips_signer_OBJECTS) +@USE_INTEGRITY_TEST_TRUE@fips_signer_DEPENDENCIES = libstrongswan.la +DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_la_SOURCES) -DIST_SOURCES = $(libstrongswan_la_SOURCES) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_la_SOURCES) $(fips_signer_SOURCES) +DIST_SOURCES = $(am__libstrongswan_la_SOURCES_DIST) \ + $(am__fips_signer_SOURCES_DIST) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ -AMDEP_FALSE = @AMDEP_FALSE@ -AMDEP_TRUE = @AMDEP_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ -BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@ -BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -118,10 +180,13 @@ F77 = @F77@ FFLAGS = @FFLAGS@ GPERF = @GPERF@ GREP = @GREP@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@ +IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ @@ -133,6 +198,7 @@ LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ @@ -148,34 +214,16 @@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ -USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@ -USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@ -USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ -USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ -USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ -USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ -USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ -USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ -USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ -USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ -USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ -USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ -USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ -USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ -USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ -USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@ -USE_VENDORID_FALSE = @USE_VENDORID_FALSE@ -USE_VENDORID_TRUE = @USE_VENDORID_TRUE@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_CXX = @ac_ct_CXX@ ac_ct_F77 = @ac_ct_F77@ -am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ -am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ -am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@ -am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -188,6 +236,7 @@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ @@ -225,61 +274,149 @@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ lib_LTLIBRARIES = libstrongswan.la -libstrongswan_la_SOURCES = \ -credential_store.h \ -library.c library.h \ -chunk.c chunk.h \ -debug.c debug.h \ -enum.c enum.h \ -printf_hook.c printf_hook.h \ -asn1/asn1.c asn1/asn1.h \ -asn1/oid.c asn1/oid.h \ -asn1/pem.c asn1/pem.h \ -asn1/ttodata.c asn1/ttodata.h \ -crypto/ac.c crypto/ac.h \ -crypto/ca.c crypto/ca.h \ -crypto/certinfo.c crypto/certinfo.h \ -crypto/crl.c crypto/crl.h \ -crypto/crypters/crypter.c crypto/crypters/crypter.h \ -crypto/crypters/aes_cbc_crypter.c crypto/crypters/aes_cbc_crypter.h\ -crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h\ -crypto/diffie_hellman.c crypto/diffie_hellman.h \ -crypto/hashers/hasher.h crypto/hashers/hasher.c \ -crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \ -crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \ -crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \ -crypto/hmac.c crypto/hmac.h \ -crypto/ocsp.c crypto/ocsp.h \ -crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \ -crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \ -crypto/prfs/prf.c crypto/prfs/prf.h \ -crypto/prf_plus.h crypto/prf_plus.c \ -crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \ -crypto/rsa/rsa_public_key.h crypto/rsa/rsa_public_key.c \ -crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \ -crypto/signers/signer.c crypto/signers/signer.h \ -crypto/x509.c crypto/x509.h \ -utils/fetcher.c utils/fetcher.h \ -utils/host.c utils/host.h \ -utils/identification.c utils/identification.h \ -utils/iterator.h \ -utils/leak_detective.c utils/leak_detective.h \ -utils/lexparser.c utils/lexparser.h \ -utils/linked_list.c utils/linked_list.h \ -utils/randomizer.c utils/randomizer.h - +@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = \ +@USE_INTEGRITY_TEST_FALSE@ credential_store.h library.c \ +@USE_INTEGRITY_TEST_FALSE@ library.h chunk.c chunk.h debug.c \ +@USE_INTEGRITY_TEST_FALSE@ debug.h enum.c enum.h printf_hook.c \ +@USE_INTEGRITY_TEST_FALSE@ printf_hook.h asn1/asn1.c \ +@USE_INTEGRITY_TEST_FALSE@ asn1/asn1.h asn1/oid.c asn1/oid.h \ +@USE_INTEGRITY_TEST_FALSE@ asn1/pem.c asn1/pem.h asn1/ttodata.c \ +@USE_INTEGRITY_TEST_FALSE@ asn1/ttodata.h crypto/ac.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/ac.h crypto/ca.c crypto/ca.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/certinfo.c crypto/certinfo.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crl.c crypto/crl.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/aes_cbc_crypter.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/aes_cbc_crypter.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/des_crypter.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/des_crypter.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/sha1_hasher.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/sha1_hasher.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/sha2_hasher.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/sha2_hasher.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/md5_hasher.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/md5_hasher.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/hmac.c crypto/hmac.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/ietf_attr_list.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/ietf_attr_list.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/ocsp.c crypto/ocsp.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs7.c crypto/pkcs7.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/fips_prf.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/fips_prf.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/hmac_prf.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/hmac_prf.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/prf.c crypto/prfs/prf.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/prf_plus.h crypto/prf_plus.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/rsa/rsa_private_key.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/rsa/rsa_private_key.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/rsa/rsa_public_key.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/rsa/rsa_public_key.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/signers/hmac_signer.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/signers/hmac_signer.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.c \ +@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/x509.c crypto/x509.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/fetcher.c utils/fetcher.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/host.c utils/host.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/identification.c \ +@USE_INTEGRITY_TEST_FALSE@ utils/identification.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/iterator.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/leak_detective.c \ +@USE_INTEGRITY_TEST_FALSE@ utils/leak_detective.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/lexparser.c utils/lexparser.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.c \ +@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.c \ +@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.c \ +@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.h \ +@USE_INTEGRITY_TEST_FALSE@ utils/randomizer.c \ +@USE_INTEGRITY_TEST_FALSE@ utils/randomizer.h +@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES = \ +@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_start.c \ +@USE_INTEGRITY_TEST_TRUE@ fips/fips.c fips/fips.h \ +@USE_INTEGRITY_TEST_TRUE@ credential_store.h library.c \ +@USE_INTEGRITY_TEST_TRUE@ library.h chunk.c chunk.h debug.c \ +@USE_INTEGRITY_TEST_TRUE@ debug.h enum.c enum.h printf_hook.c \ +@USE_INTEGRITY_TEST_TRUE@ printf_hook.h asn1/asn1.c asn1/asn1.h \ +@USE_INTEGRITY_TEST_TRUE@ asn1/oid.c asn1/oid.h asn1/pem.c \ +@USE_INTEGRITY_TEST_TRUE@ asn1/pem.h asn1/ttodata.c \ +@USE_INTEGRITY_TEST_TRUE@ asn1/ttodata.h crypto/ac.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/ac.h crypto/ca.c crypto/ca.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/certinfo.c crypto/certinfo.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crl.c crypto/crl.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/aes_cbc_crypter.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/aes_cbc_crypter.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/des_crypter.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/des_crypter.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/sha1_hasher.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/sha1_hasher.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/sha2_hasher.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/sha2_hasher.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/md5_hasher.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/md5_hasher.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/hmac.c crypto/hmac.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/ietf_attr_list.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/ietf_attr_list.h crypto/ocsp.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/ocsp.h crypto/pkcs7.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs7.h crypto/prfs/fips_prf.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/fips_prf.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/hmac_prf.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/hmac_prf.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/prf.c crypto/prfs/prf.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/prf_plus.h crypto/prf_plus.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/rsa/rsa_private_key.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/rsa/rsa_private_key.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/rsa/rsa_public_key.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/rsa/rsa_public_key.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/signers/hmac_signer.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/signers/hmac_signer.h \ +@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.h crypto/x509.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/x509.h utils/fetcher.c \ +@USE_INTEGRITY_TEST_TRUE@ utils/fetcher.h utils/host.c \ +@USE_INTEGRITY_TEST_TRUE@ utils/host.h utils/identification.c \ +@USE_INTEGRITY_TEST_TRUE@ utils/identification.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/iterator.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/leak_detective.c \ +@USE_INTEGRITY_TEST_TRUE@ utils/leak_detective.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/lexparser.c utils/lexparser.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.c \ +@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/enumerator.c utils/enumerator.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.c \ +@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.h \ +@USE_INTEGRITY_TEST_TRUE@ utils/randomizer.c utils/randomizer.h \ +@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_end.c libstrongswan_la_LIBADD = -lgmp -lpthread $(am__append_1) \ $(am__append_2) $(am__append_3) INCLUDES = -I$(top_srcdir)/src/libstrongswan +@USE_LEAK_DETECTIVE_TRUE@AM_CFLAGS = -DLEAK_DETECTIVE EXTRA_DIST = asn1/oid.txt asn1/oid.pl -BUILT_SOURCES = asn1/oid.c asn1/oid.h +BUILT_SOURCES = asn1/oid.c asn1/oid.h $(am__append_4) MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h -@USE_LEAK_DETECTIVE_TRUE@AM_CFLAGS = -DLEAK_DETECTIVE +@USE_INTEGRITY_TEST_TRUE@fips_signer_SOURCES = fips/fips_signer.c +@USE_INTEGRITY_TEST_TRUE@fips_signer_LDADD = libstrongswan.la +@USE_INTEGRITY_TEST_TRUE@CLEANFILES = fips_signature.h fips_signer all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am @@ -316,7 +453,7 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ if test -f $$p; then \ f=$(am__strip_dir) \ @@ -327,7 +464,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @set -x; list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ p=$(am__strip_dir) \ echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ @@ -342,7 +479,17 @@ clean-libLTLIBRARIES: rm -f "$${dir}/so_locations"; \ done libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libstrongswan_la_LDFLAGS) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS) + $(LINK) -rpath $(libdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS) + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) + @rm -f fips_signer$(EXEEXT) + $(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -362,14 +509,20 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_signer.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_list.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @@ -377,7 +530,9 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@ @@ -391,263 +546,326 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< asn1.lo: asn1/asn1.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF "$(DEPDIR)/asn1.Tpo" -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/asn1.Tpo" "$(DEPDIR)/asn1.Plo"; else rm -f "$(DEPDIR)/asn1.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c oid.lo: asn1/oid.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF "$(DEPDIR)/oid.Tpo" -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/oid.Tpo" "$(DEPDIR)/oid.Plo"; else rm -f "$(DEPDIR)/oid.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c pem.lo: asn1/pem.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pem.lo -MD -MP -MF "$(DEPDIR)/pem.Tpo" -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/pem.Tpo" "$(DEPDIR)/pem.Plo"; else rm -f "$(DEPDIR)/pem.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pem.lo -MD -MP -MF $(DEPDIR)/pem.Tpo -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pem.Tpo $(DEPDIR)/pem.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/pem.c' object='pem.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c ttodata.lo: asn1/ttodata.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ttodata.lo -MD -MP -MF "$(DEPDIR)/ttodata.Tpo" -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ttodata.Tpo" "$(DEPDIR)/ttodata.Plo"; else rm -f "$(DEPDIR)/ttodata.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ttodata.lo -MD -MP -MF $(DEPDIR)/ttodata.Tpo -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/ttodata.Tpo $(DEPDIR)/ttodata.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/ttodata.c' object='ttodata.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c ac.lo: crypto/ac.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ac.lo -MD -MP -MF "$(DEPDIR)/ac.Tpo" -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ac.Tpo" "$(DEPDIR)/ac.Plo"; else rm -f "$(DEPDIR)/ac.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ac.lo -MD -MP -MF $(DEPDIR)/ac.Tpo -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/ac.Tpo $(DEPDIR)/ac.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ac.c' object='ac.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c ca.lo: crypto/ca.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF "$(DEPDIR)/ca.Tpo" -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ca.Tpo" "$(DEPDIR)/ca.Plo"; else rm -f "$(DEPDIR)/ca.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF $(DEPDIR)/ca.Tpo -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/ca.Tpo $(DEPDIR)/ca.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ca.c' object='ca.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c certinfo.lo: crypto/certinfo.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certinfo.lo -MD -MP -MF "$(DEPDIR)/certinfo.Tpo" -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certinfo.Tpo" "$(DEPDIR)/certinfo.Plo"; else rm -f "$(DEPDIR)/certinfo.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certinfo.lo -MD -MP -MF $(DEPDIR)/certinfo.Tpo -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/certinfo.Tpo $(DEPDIR)/certinfo.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/certinfo.c' object='certinfo.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c crl.lo: crypto/crl.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF "$(DEPDIR)/crl.Tpo" -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/crl.Tpo" "$(DEPDIR)/crl.Plo"; else rm -f "$(DEPDIR)/crl.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c crypter.lo: crypto/crypters/crypter.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF "$(DEPDIR)/crypter.Tpo" -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/crypter.Tpo" "$(DEPDIR)/crypter.Plo"; else rm -f "$(DEPDIR)/crypter.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c aes_cbc_crypter.lo: crypto/crypters/aes_cbc_crypter.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc_crypter.lo -MD -MP -MF "$(DEPDIR)/aes_cbc_crypter.Tpo" -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes_cbc_crypter.Tpo" "$(DEPDIR)/aes_cbc_crypter.Plo"; else rm -f "$(DEPDIR)/aes_cbc_crypter.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc_crypter.lo -MD -MP -MF $(DEPDIR)/aes_cbc_crypter.Tpo -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/aes_cbc_crypter.Tpo $(DEPDIR)/aes_cbc_crypter.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crypters/aes_cbc_crypter.c' object='aes_cbc_crypter.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c des_crypter.lo: crypto/crypters/des_crypter.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_crypter.lo -MD -MP -MF "$(DEPDIR)/des_crypter.Tpo" -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_crypter.Tpo" "$(DEPDIR)/des_crypter.Plo"; else rm -f "$(DEPDIR)/des_crypter.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_crypter.lo -MD -MP -MF $(DEPDIR)/des_crypter.Tpo -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/des_crypter.Tpo $(DEPDIR)/des_crypter.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crypters/des_crypter.c' object='des_crypter.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c diffie_hellman.lo: crypto/diffie_hellman.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF "$(DEPDIR)/diffie_hellman.Tpo" -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/diffie_hellman.Tpo" "$(DEPDIR)/diffie_hellman.Plo"; else rm -f "$(DEPDIR)/diffie_hellman.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c hasher.lo: crypto/hashers/hasher.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF "$(DEPDIR)/hasher.Tpo" -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hasher.Tpo" "$(DEPDIR)/hasher.Plo"; else rm -f "$(DEPDIR)/hasher.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c sha1_hasher.lo: crypto/hashers/sha1_hasher.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hasher.lo -MD -MP -MF "$(DEPDIR)/sha1_hasher.Tpo" -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sha1_hasher.Tpo" "$(DEPDIR)/sha1_hasher.Plo"; else rm -f "$(DEPDIR)/sha1_hasher.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hasher.lo -MD -MP -MF $(DEPDIR)/sha1_hasher.Tpo -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/sha1_hasher.Tpo $(DEPDIR)/sha1_hasher.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/sha1_hasher.c' object='sha1_hasher.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c sha2_hasher.lo: crypto/hashers/sha2_hasher.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hasher.lo -MD -MP -MF "$(DEPDIR)/sha2_hasher.Tpo" -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sha2_hasher.Tpo" "$(DEPDIR)/sha2_hasher.Plo"; else rm -f "$(DEPDIR)/sha2_hasher.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hasher.lo -MD -MP -MF $(DEPDIR)/sha2_hasher.Tpo -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/sha2_hasher.Tpo $(DEPDIR)/sha2_hasher.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/sha2_hasher.c' object='sha2_hasher.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c md5_hasher.lo: crypto/hashers/md5_hasher.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hasher.lo -MD -MP -MF "$(DEPDIR)/md5_hasher.Tpo" -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/md5_hasher.Tpo" "$(DEPDIR)/md5_hasher.Plo"; else rm -f "$(DEPDIR)/md5_hasher.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hasher.lo -MD -MP -MF $(DEPDIR)/md5_hasher.Tpo -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/md5_hasher.Tpo $(DEPDIR)/md5_hasher.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/md5_hasher.c' object='md5_hasher.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c hmac.lo: crypto/hmac.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac.lo -MD -MP -MF "$(DEPDIR)/hmac.Tpo" -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac.Tpo" "$(DEPDIR)/hmac.Plo"; else rm -f "$(DEPDIR)/hmac.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac.lo -MD -MP -MF $(DEPDIR)/hmac.Tpo -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/hmac.Tpo $(DEPDIR)/hmac.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hmac.c' object='hmac.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c + +ietf_attr_list.lo: crypto/ietf_attr_list.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_list.lo -MD -MP -MF $(DEPDIR)/ietf_attr_list.Tpo -c -o ietf_attr_list.lo `test -f 'crypto/ietf_attr_list.c' || echo '$(srcdir)/'`crypto/ietf_attr_list.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/ietf_attr_list.Tpo $(DEPDIR)/ietf_attr_list.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ietf_attr_list.c' object='ietf_attr_list.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_list.lo `test -f 'crypto/ietf_attr_list.c' || echo '$(srcdir)/'`crypto/ietf_attr_list.c ocsp.lo: crypto/ocsp.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp.lo -MD -MP -MF "$(DEPDIR)/ocsp.Tpo" -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ocsp.Tpo" "$(DEPDIR)/ocsp.Plo"; else rm -f "$(DEPDIR)/ocsp.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp.lo -MD -MP -MF $(DEPDIR)/ocsp.Tpo -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/ocsp.Tpo $(DEPDIR)/ocsp.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ocsp.c' object='ocsp.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c + +pkcs7.lo: crypto/pkcs7.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.lo -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/pkcs7.c' object='pkcs7.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c fips_prf.lo: crypto/prfs/fips_prf.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF "$(DEPDIR)/fips_prf.Tpo" -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fips_prf.Tpo" "$(DEPDIR)/fips_prf.Plo"; else rm -f "$(DEPDIR)/fips_prf.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prfs/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c hmac_prf.lo: crypto/prfs/hmac_prf.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_prf.lo -MD -MP -MF "$(DEPDIR)/hmac_prf.Tpo" -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac_prf.Tpo" "$(DEPDIR)/hmac_prf.Plo"; else rm -f "$(DEPDIR)/hmac_prf.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_prf.lo -MD -MP -MF $(DEPDIR)/hmac_prf.Tpo -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/hmac_prf.Tpo $(DEPDIR)/hmac_prf.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prfs/hmac_prf.c' object='hmac_prf.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c prf.lo: crypto/prfs/prf.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF "$(DEPDIR)/prf.Tpo" -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/prf.Tpo" "$(DEPDIR)/prf.Plo"; else rm -f "$(DEPDIR)/prf.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c prf_plus.lo: crypto/prf_plus.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF "$(DEPDIR)/prf_plus.Tpo" -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/prf_plus.Tpo" "$(DEPDIR)/prf_plus.Plo"; else rm -f "$(DEPDIR)/prf_plus.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c rsa_private_key.lo: crypto/rsa/rsa_private_key.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_private_key.lo -MD -MP -MF "$(DEPDIR)/rsa_private_key.Tpo" -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_private_key.Tpo" "$(DEPDIR)/rsa_private_key.Plo"; else rm -f "$(DEPDIR)/rsa_private_key.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_private_key.lo -MD -MP -MF $(DEPDIR)/rsa_private_key.Tpo -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/rsa_private_key.Tpo $(DEPDIR)/rsa_private_key.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/rsa/rsa_private_key.c' object='rsa_private_key.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c rsa_public_key.lo: crypto/rsa/rsa_public_key.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_public_key.lo -MD -MP -MF "$(DEPDIR)/rsa_public_key.Tpo" -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_public_key.Tpo" "$(DEPDIR)/rsa_public_key.Plo"; else rm -f "$(DEPDIR)/rsa_public_key.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_public_key.lo -MD -MP -MF $(DEPDIR)/rsa_public_key.Tpo -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/rsa_public_key.Tpo $(DEPDIR)/rsa_public_key.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/rsa/rsa_public_key.c' object='rsa_public_key.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c hmac_signer.lo: crypto/signers/hmac_signer.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_signer.lo -MD -MP -MF "$(DEPDIR)/hmac_signer.Tpo" -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac_signer.Tpo" "$(DEPDIR)/hmac_signer.Plo"; else rm -f "$(DEPDIR)/hmac_signer.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_signer.lo -MD -MP -MF $(DEPDIR)/hmac_signer.Tpo -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/hmac_signer.Tpo $(DEPDIR)/hmac_signer.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/signers/hmac_signer.c' object='hmac_signer.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c signer.lo: crypto/signers/signer.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF "$(DEPDIR)/signer.Tpo" -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/signer.Tpo" "$(DEPDIR)/signer.Plo"; else rm -f "$(DEPDIR)/signer.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c x509.lo: crypto/x509.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF "$(DEPDIR)/x509.Tpo" -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/x509.Tpo" "$(DEPDIR)/x509.Plo"; else rm -f "$(DEPDIR)/x509.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c fetcher.lo: utils/fetcher.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF "$(DEPDIR)/fetcher.Tpo" -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fetcher.Tpo" "$(DEPDIR)/fetcher.Plo"; else rm -f "$(DEPDIR)/fetcher.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c host.lo: utils/host.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF "$(DEPDIR)/host.Tpo" -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/host.Tpo" "$(DEPDIR)/host.Plo"; else rm -f "$(DEPDIR)/host.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c identification.lo: utils/identification.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF "$(DEPDIR)/identification.Tpo" -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/identification.Tpo" "$(DEPDIR)/identification.Plo"; else rm -f "$(DEPDIR)/identification.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c leak_detective.lo: utils/leak_detective.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF "$(DEPDIR)/leak_detective.Tpo" -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/leak_detective.Tpo" "$(DEPDIR)/leak_detective.Plo"; else rm -f "$(DEPDIR)/leak_detective.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c lexparser.lo: utils/lexparser.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF "$(DEPDIR)/lexparser.Tpo" -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/lexparser.Tpo" "$(DEPDIR)/lexparser.Plo"; else rm -f "$(DEPDIR)/lexparser.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c linked_list.lo: utils/linked_list.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF "$(DEPDIR)/linked_list.Tpo" -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/linked_list.Tpo" "$(DEPDIR)/linked_list.Plo"; else rm -f "$(DEPDIR)/linked_list.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c + +enumerator.lo: utils/enumerator.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c + +optionsfrom.lo: utils/optionsfrom.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c randomizer.lo: utils/randomizer.c -@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT randomizer.lo -MD -MP -MF "$(DEPDIR)/randomizer.Tpo" -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/randomizer.Tpo" "$(DEPDIR)/randomizer.Plo"; else rm -f "$(DEPDIR)/randomizer.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT randomizer.lo -MD -MP -MF $(DEPDIR)/randomizer.Tpo -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/randomizer.Tpo $(DEPDIR)/randomizer.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/randomizer.c' object='randomizer.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c + +fips_canister_start.lo: fips/fips_canister_start.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c + +fips.lo: fips/fips.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c + +fips_canister_end.lo: fips/fips_canister_end.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c + +fips_signer.o: fips/fips_signer.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_signer.o -MD -MP -MF $(DEPDIR)/fips_signer.Tpo -c -o fips_signer.o `test -f 'fips/fips_signer.c' || echo '$(srcdir)/'`fips/fips_signer.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_signer.Tpo $(DEPDIR)/fips_signer.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_signer.c' object='fips_signer.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_signer.o `test -f 'fips/fips_signer.c' || echo '$(srcdir)/'`fips/fips_signer.c + +fips_signer.obj: fips/fips_signer.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_signer.obj -MD -MP -MF $(DEPDIR)/fips_signer.Tpo -c -o fips_signer.obj `if test -f 'fips/fips_signer.c'; then $(CYGPATH_W) 'fips/fips_signer.c'; else $(CYGPATH_W) '$(srcdir)/fips/fips_signer.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_signer.Tpo $(DEPDIR)/fips_signer.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_signer.c' object='fips_signer.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_signer.obj `if test -f 'fips/fips_signer.c'; then $(CYGPATH_W) 'fips/fips_signer.c'; else $(CYGPATH_W) '$(srcdir)/fips/fips_signer.c'; fi` mostlyclean-libtool: -rm -f *.lo @@ -655,10 +873,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -distclean-libtool: - -rm -f libtool -uninstall-info-am: - ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -708,23 +922,21 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/asn1 - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ fi; \ @@ -738,10 +950,10 @@ distdir: $(DISTFILES) check-am: all-am check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(LTLIBRARIES) +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am @@ -761,6 +973,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -773,13 +986,13 @@ maintainer-clean-generic: clean: clean-am clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am + clean-noinstPROGRAMS mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags + distclean-tags dvi: dvi-am @@ -793,12 +1006,20 @@ info-am: install-data-am: +install-dvi: install-dvi-am + install-exec-am: install-libLTLIBRARIES +install-html: install-html-am + install-info: install-info-am install-man: +install-pdf: install-pdf-am + +install-ps: install-ps-am + installcheck-am: maintainer-clean: maintainer-clean-am @@ -819,20 +1040,23 @@ ps: ps-am ps-am: -uninstall-am: uninstall-info-am uninstall-libLTLIBRARIES +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libLTLIBRARIES clean-libtool ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ + clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libLTLIBRARIES + tags uninstall uninstall-am uninstall-libLTLIBRARIES asn1/oid.c : asn1/oid.txt asn1/oid.pl @@ -840,6 +1064,9 @@ asn1/oid.c : asn1/oid.txt asn1/oid.pl asn1/oid.h : asn1/oid.txt asn1/oid.pl cd asn1 && $(PERL) oid.pl + +@USE_INTEGRITY_TEST_TRUE@fips_signature.h : fips_signer +@USE_INTEGRITY_TEST_TRUE@ ./fips_signer # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 2a0aa4ff6..3191c89bd 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -11,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: asn1.c 3299 2007-10-12 19:29:00Z andreas $ */ #include <stdio.h> @@ -33,6 +35,13 @@ const chunk_t ASN1_INTEGER_2 = chunk_from_buf(ASN1_INTEGER_2_str); /* some popular algorithmIdentifiers */ +static u_char ASN1_md2_id_str[] = { + 0x30, 0x0c, + 0x06, 0x08, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x02, + 0x05,0x00, +}; + static u_char ASN1_md5_id_str[] = { 0x30, 0x0C, 0x06, 0x08, @@ -47,6 +56,27 @@ static u_char ASN1_sha1_id_str[] = { 0x05, 0x00 }; +static u_char ASN1_sha256_id_str[] = { + 0x30, 0x0d, + 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, + 0x05, 0x00 +}; + +static u_char ASN1_sha384_id_str[] = { + 0x30, 0x0d, + 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, + 0x05, 0x00 +}; + +static u_char ASN1_sha512_id_str[] = { + 0x30, 0x0d, + 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, + 0x05,0x00 +}; + static u_char ASN1_md5WithRSA_id_str[] = { 0x30, 0x0D, 0x06, 0x09, @@ -68,8 +98,12 @@ static u_char ASN1_rsaEncryption_id_str[] = { 0x05, 0x00 }; -const chunk_t ASN1_md5_id = chunk_from_buf(ASN1_md5_id_str); -const chunk_t ASN1_sha1_id = chunk_from_buf(ASN1_sha1_id_str); +const chunk_t ASN1_md2_id = chunk_from_buf(ASN1_md2_id_str); +const chunk_t ASN1_md5_id = chunk_from_buf(ASN1_md5_id_str); +const chunk_t ASN1_sha1_id = chunk_from_buf(ASN1_sha1_id_str); +const chunk_t ASN1_sha256_id = chunk_from_buf(ASN1_sha256_id_str); +const chunk_t ASN1_sha384_id = chunk_from_buf(ASN1_sha384_id_str); +const chunk_t ASN1_sha512_id = chunk_from_buf(ASN1_sha512_id_str); const chunk_t ASN1_rsaEncryption_id = chunk_from_buf(ASN1_rsaEncryption_id_str); const chunk_t ASN1_md5WithRSA_id = chunk_from_buf(ASN1_md5WithRSA_id_str); const chunk_t ASN1_sha1WithRSA_id = chunk_from_buf(ASN1_sha1WithRSA_id_str); @@ -279,6 +313,35 @@ time_t asn1totime(const chunk_t *utctime, asn1_t type) } /** + * Convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format + */ +chunk_t timetoasn1(const time_t *time, asn1_t type) +{ + int offset; + const char *format; + char buf[BUF_LEN]; + chunk_t formatted_time; + struct tm *t = gmtime(time); + + if (type == ASN1_GENERALIZEDTIME) + { + format = "%04d%02d%02d%02d%02d%02dZ"; + offset = 1900; + } + else /* ASN1_UTCTIME */ + { + format = "%02d%02d%02d%02d%02d%02dZ"; + offset = (t->tm_year < 100)? 0 : -100; + } + snprintf(buf, BUF_LEN, format, t->tm_year + offset, + t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); + formatted_time.ptr = buf; + formatted_time.len = strlen(buf); + return asn1_simple_object(type, formatted_time); +} + + +/** * Initializes the internal context of the ASN.1 parser */ void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0, @@ -396,7 +459,7 @@ bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *objec if (blob->len < 2) { - DBG2("L%d - %s: ASN.1 object smaller than 2 octets", + DBG1("L%d - %s: ASN.1 object smaller than 2 octets", *level, obj.name); return FALSE; } @@ -405,7 +468,7 @@ bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *objec if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len) { - DBG2("L%d - %s: length of ASN.1 object invalid or too large", + DBG1("L%d - %s: length of ASN.1 object invalid or too large", *level, obj.name); return FALSE; } @@ -698,38 +761,11 @@ chunk_t asn1_integer_from_mpz(const mpz_t value) { size_t bits = mpz_sizeinbase(value, 2); /* size in bits */ chunk_t n; + n.len = 1 + bits / 8; /* size in bytes */ n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value); - - return asn1_wrap(ASN1_INTEGER, "m", n); -} -/** - * convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format - */ -chunk_t timetoasn1(const time_t *time, asn1_t type) -{ - int offset; - const char *format; - char buf[32]; - chunk_t formatted_time; - struct tm *t = gmtime(time); - - if (type == ASN1_GENERALIZEDTIME) - { - format = "%04d%02d%02d%02d%02d%02dZ"; - offset = 1900; - } - else /* ASN1_UTCTIME */ - { - format = "%02d%02d%02d%02d%02d%02dZ"; - offset = (t->tm_year < 100)? 0 : -100; - } - snprintf(buf, sizeof(buf), format, t->tm_year + offset, - t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); - formatted_time.ptr = buf; - formatted_time.len = strlen(buf); - return asn1_simple_object(type, formatted_time); + return asn1_wrap(ASN1_INTEGER, "m", n); } /** diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 365ccb438..18742d18d 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -11,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: asn1.h 3299 2007-10-12 19:29:00Z andreas $ */ #ifndef _ASN1_H @@ -23,7 +25,11 @@ #include <asn1/oid.h> -/* Defines some primitive ASN1 types */ +/** + * @brief Definition of some primitive ASN1 types + * + * @ingroup asn1 + */ typedef enum { ASN1_EOC = 0x00, ASN1_BOOLEAN = 0x01, @@ -109,8 +115,13 @@ extern const chunk_t ASN1_INTEGER_1; extern const chunk_t ASN1_INTEGER_2; /* some popular algorithmIdentifiers */ +extern const chunk_t ASN1_md2_id; extern const chunk_t ASN1_md5_id; extern const chunk_t ASN1_sha1_id; +extern const chunk_t ASN1_sha256_id; +extern const chunk_t ASN1_sha384_id; +extern const chunk_t ASN1_sha512_id; + extern const chunk_t ASN1_rsaEncryption_id; extern const chunk_t ASN1_md5WithRSA_id; extern const chunk_t ASN1_sha1WithRSA_id; @@ -120,6 +131,7 @@ extern int known_oid(chunk_t object); extern u_int asn1_length(chunk_t *blob); extern bool is_printablestring(chunk_t str); extern time_t asn1totime(const chunk_t *utctime, asn1_t type); +extern chunk_t timetoasn1(const time_t *time, asn1_t type); extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0, bool implicit, bool private); extern bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx); extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name); diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 6b16d5a64..28a915433 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -10,194 +10,199 @@ #include "oid.h" const oid_t oid_names[] = { - {0x02, 7, 1, "ITU-T Administration" }, /* 0 */ - { 0x82, 0, 1, "" }, /* 1 */ - { 0x06, 0, 1, "Germany ITU-T member" }, /* 2 */ - { 0x01, 0, 1, "Deutsche Telekom AG" }, /* 3 */ - { 0x0A, 0, 1, "" }, /* 4 */ - { 0x07, 0, 1, "" }, /* 5 */ - { 0x14, 0, 0, "ND" }, /* 6 */ - {0x09, 18, 1, "data" }, /* 7 */ - { 0x92, 0, 1, "" }, /* 8 */ - { 0x26, 0, 1, "" }, /* 9 */ - { 0x89, 0, 1, "" }, /* 10 */ - { 0x93, 0, 1, "" }, /* 11 */ - { 0xF2, 0, 1, "" }, /* 12 */ - { 0x2C, 0, 1, "" }, /* 13 */ - { 0x64, 0, 1, "pilot" }, /* 14 */ - { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */ - { 0x01, 17, 0, "UID" }, /* 16 */ - { 0x19, 0, 0, "DC" }, /* 17 */ - {0x55, 52, 1, "X.500" }, /* 18 */ - { 0x04, 36, 1, "X.509" }, /* 19 */ - { 0x03, 21, 0, "CN" }, /* 20 */ - { 0x04, 22, 0, "S" }, /* 21 */ - { 0x05, 23, 0, "SN" }, /* 22 */ - { 0x06, 24, 0, "C" }, /* 23 */ - { 0x07, 25, 0, "L" }, /* 24 */ - { 0x08, 26, 0, "ST" }, /* 25 */ - { 0x0A, 27, 0, "O" }, /* 26 */ - { 0x0B, 28, 0, "OU" }, /* 27 */ - { 0x0C, 29, 0, "T" }, /* 28 */ - { 0x0D, 30, 0, "D" }, /* 29 */ - { 0x24, 31, 0, "userCertificate" }, /* 30 */ - { 0x29, 32, 0, "N" }, /* 31 */ - { 0x2A, 33, 0, "G" }, /* 32 */ - { 0x2B, 34, 0, "I" }, /* 33 */ - { 0x2D, 35, 0, "ID" }, /* 34 */ - { 0x48, 0, 0, "role" }, /* 35 */ - { 0x1D, 0, 1, "id-ce" }, /* 36 */ - { 0x09, 38, 0, "subjectDirectoryAttrs" }, /* 37 */ - { 0x0E, 39, 0, "subjectKeyIdentifier" }, /* 38 */ - { 0x0F, 40, 0, "keyUsage" }, /* 39 */ - { 0x10, 41, 0, "privateKeyUsagePeriod" }, /* 40 */ - { 0x11, 42, 0, "subjectAltName" }, /* 41 */ - { 0x12, 43, 0, "issuerAltName" }, /* 42 */ - { 0x13, 44, 0, "basicConstraints" }, /* 43 */ - { 0x14, 45, 0, "crlNumber" }, /* 44 */ - { 0x15, 46, 0, "reasonCode" }, /* 45 */ - { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */ - { 0x20, 48, 0, "certificatePolicies" }, /* 47 */ - { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */ - { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */ - { 0x37, 51, 0, "targetInformation" }, /* 50 */ - { 0x38, 0, 0, "noRevAvail" }, /* 51 */ - {0x2A, 94, 1, "" }, /* 52 */ - { 0x86, 0, 1, "" }, /* 53 */ - { 0x48, 0, 1, "" }, /* 54 */ - { 0x86, 0, 1, "" }, /* 55 */ - { 0xF6, 61, 1, "" }, /* 56 */ - { 0x7D, 0, 1, "NortelNetworks" }, /* 57 */ - { 0x07, 0, 1, "Entrust" }, /* 58 */ - { 0x41, 0, 1, "nsn-ce" }, /* 59 */ - { 0x00, 0, 0, "entrustVersInfo" }, /* 60 */ - { 0xF7, 0, 1, "" }, /* 61 */ - { 0x0D, 0, 1, "RSADSI" }, /* 62 */ - { 0x01, 89, 1, "PKCS" }, /* 63 */ - { 0x01, 72, 1, "PKCS-1" }, /* 64 */ - { 0x01, 66, 0, "rsaEncryption" }, /* 65 */ - { 0x02, 67, 0, "md2WithRSAEncryption" }, /* 66 */ - { 0x04, 68, 0, "md5WithRSAEncryption" }, /* 67 */ - { 0x05, 69, 0, "sha-1WithRSAEncryption" }, /* 68 */ - { 0x0B, 70, 0, "sha256WithRSAEncryption"}, /* 69 */ - { 0x0C, 71, 0, "sha384WithRSAEncryption"}, /* 70 */ - { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 71 */ - { 0x07, 79, 1, "PKCS-7" }, /* 72 */ - { 0x01, 74, 0, "data" }, /* 73 */ - { 0x02, 75, 0, "signedData" }, /* 74 */ - { 0x03, 76, 0, "envelopedData" }, /* 75 */ - { 0x04, 77, 0, "signedAndEnvelopedData" }, /* 76 */ - { 0x05, 78, 0, "digestedData" }, /* 77 */ - { 0x06, 0, 0, "encryptedData" }, /* 78 */ - { 0x09, 0, 1, "PKCS-9" }, /* 79 */ - { 0x01, 81, 0, "E" }, /* 80 */ - { 0x02, 82, 0, "unstructuredName" }, /* 81 */ - { 0x03, 83, 0, "contentType" }, /* 82 */ - { 0x04, 84, 0, "messageDigest" }, /* 83 */ - { 0x05, 85, 0, "signingTime" }, /* 84 */ - { 0x06, 86, 0, "counterSignature" }, /* 85 */ - { 0x07, 87, 0, "challengePassword" }, /* 86 */ - { 0x08, 88, 0, "unstructuredAddress" }, /* 87 */ - { 0x0E, 0, 0, "extensionRequest" }, /* 88 */ - { 0x02, 92, 1, "digestAlgorithm" }, /* 89 */ - { 0x02, 91, 0, "md2" }, /* 90 */ - { 0x05, 0, 0, "md5" }, /* 91 */ - { 0x03, 0, 1, "encryptionAlgorithm" }, /* 92 */ - { 0x07, 0, 0, "3des-ede-cbc" }, /* 93 */ - {0x2B, 155, 1, "" }, /* 94 */ - { 0x06, 142, 1, "dod" }, /* 95 */ - { 0x01, 0, 1, "internet" }, /* 96 */ - { 0x04, 111, 1, "private" }, /* 97 */ - { 0x01, 0, 1, "enterprise" }, /* 98 */ - { 0x82, 104, 1, "" }, /* 99 */ - { 0x37, 0, 1, "Microsoft" }, /* 100 */ - { 0x0A, 0, 1, "" }, /* 101 */ - { 0x03, 0, 1, "" }, /* 102 */ - { 0x03, 0, 0, "msSGC" }, /* 103 */ - { 0x89, 0, 1, "" }, /* 104 */ - { 0x31, 0, 1, "" }, /* 105 */ - { 0x01, 0, 1, "" }, /* 106 */ - { 0x01, 0, 1, "" }, /* 107 */ - { 0x02, 0, 1, "" }, /* 108 */ - { 0x02, 110, 0, "" }, /* 109 */ - { 0x4B, 0, 0, "TCGID" }, /* 110 */ - { 0x05, 0, 1, "security" }, /* 111 */ - { 0x05, 0, 1, "mechanisms" }, /* 112 */ - { 0x07, 0, 1, "id-pkix" }, /* 113 */ - { 0x01, 116, 1, "id-pe" }, /* 114 */ - { 0x01, 0, 0, "authorityInfoAccess" }, /* 115 */ - { 0x03, 126, 1, "id-kp" }, /* 116 */ - { 0x01, 118, 0, "serverAuth" }, /* 117 */ - { 0x02, 119, 0, "clientAuth" }, /* 118 */ - { 0x03, 120, 0, "codeSigning" }, /* 119 */ - { 0x04, 121, 0, "emailProtection" }, /* 120 */ - { 0x05, 122, 0, "ipsecEndSystem" }, /* 121 */ - { 0x06, 123, 0, "ipsecTunnel" }, /* 122 */ - { 0x07, 124, 0, "ipsecUser" }, /* 123 */ - { 0x08, 125, 0, "timeStamping" }, /* 124 */ - { 0x09, 0, 0, "ocspSigning" }, /* 125 */ - { 0x08, 128, 1, "id-otherNames" }, /* 126 */ - { 0x05, 0, 0, "xmppAddr" }, /* 127 */ - { 0x0A, 133, 1, "id-aca" }, /* 128 */ - { 0x01, 130, 0, "authenticationInfo" }, /* 129 */ - { 0x02, 131, 0, "accessIdentity" }, /* 130 */ - { 0x03, 132, 0, "chargingIdentity" }, /* 131 */ - { 0x04, 0, 0, "group" }, /* 132 */ - { 0x30, 0, 1, "id-ad" }, /* 133 */ - { 0x01, 0, 1, "ocsp" }, /* 134 */ - { 0x01, 136, 0, "basic" }, /* 135 */ - { 0x02, 137, 0, "nonce" }, /* 136 */ - { 0x03, 138, 0, "crl" }, /* 137 */ - { 0x04, 139, 0, "response" }, /* 138 */ - { 0x05, 140, 0, "noCheck" }, /* 139 */ - { 0x06, 141, 0, "archiveCutoff" }, /* 140 */ - { 0x07, 0, 0, "serviceLocator" }, /* 141 */ - { 0x0E, 148, 1, "oiw" }, /* 142 */ - { 0x03, 0, 1, "secsig" }, /* 143 */ - { 0x02, 0, 1, "algorithms" }, /* 144 */ - { 0x07, 146, 0, "des-cbc" }, /* 145 */ - { 0x1A, 147, 0, "sha-1" }, /* 146 */ - { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 147 */ - { 0x24, 0, 1, "TeleTrusT" }, /* 148 */ - { 0x03, 0, 1, "algorithm" }, /* 149 */ - { 0x03, 0, 1, "signatureAlgorithm" }, /* 150 */ - { 0x01, 0, 1, "rsaSignature" }, /* 151 */ - { 0x02, 153, 0, "rsaSigWithripemd160" }, /* 152 */ - { 0x03, 154, 0, "rsaSigWithripemd128" }, /* 153 */ - { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 154 */ - {0x60, 0, 1, "" }, /* 155 */ - { 0x86, 0, 1, "" }, /* 156 */ - { 0x48, 0, 1, "" }, /* 157 */ - { 0x01, 0, 1, "organization" }, /* 158 */ - { 0x65, 166, 1, "gov" }, /* 159 */ - { 0x03, 0, 1, "csor" }, /* 160 */ - { 0x04, 0, 1, "nistalgorithm" }, /* 161 */ - { 0x02, 0, 1, "hashalgs" }, /* 162 */ - { 0x01, 164, 0, "id-SHA-256" }, /* 163 */ - { 0x02, 165, 0, "id-SHA-384" }, /* 164 */ - { 0x03, 0, 0, "id-SHA-512" }, /* 165 */ - { 0x86, 0, 1, "" }, /* 166 */ - { 0xf8, 0, 1, "" }, /* 167 */ - { 0x42, 180, 1, "netscape" }, /* 168 */ - { 0x01, 175, 1, "" }, /* 169 */ - { 0x01, 171, 0, "nsCertType" }, /* 170 */ - { 0x03, 172, 0, "nsRevocationUrl" }, /* 171 */ - { 0x04, 173, 0, "nsCaRevocationUrl" }, /* 172 */ - { 0x08, 174, 0, "nsCaPolicyUrl" }, /* 173 */ - { 0x0d, 0, 0, "nsComment" }, /* 174 */ - { 0x03, 178, 1, "directory" }, /* 175 */ - { 0x01, 0, 1, "" }, /* 176 */ - { 0x03, 0, 0, "employeeNumber" }, /* 177 */ - { 0x04, 0, 1, "policy" }, /* 178 */ - { 0x01, 0, 0, "nsSGC" }, /* 179 */ - { 0x45, 0, 1, "verisign" }, /* 180 */ - { 0x01, 0, 1, "pki" }, /* 181 */ - { 0x09, 0, 1, "attributes" }, /* 182 */ - { 0x02, 184, 0, "messageType" }, /* 183 */ - { 0x03, 185, 0, "pkiStatus" }, /* 184 */ - { 0x04, 186, 0, "failInfo" }, /* 185 */ - { 0x05, 187, 0, "senderNonce" }, /* 186 */ - { 0x06, 188, 0, "recipientNonce" }, /* 187 */ - { 0x07, 189, 0, "transID" }, /* 188 */ - { 0x08, 0, 0, "extensionReq" } /* 189 */ + {0x02, 7, 1, "ITU-T Administration" }, /* 0 */ + { 0x82, 0, 1, "" }, /* 1 */ + { 0x06, 0, 1, "Germany ITU-T member" }, /* 2 */ + { 0x01, 0, 1, "Deutsche Telekom AG" }, /* 3 */ + { 0x0A, 0, 1, "" }, /* 4 */ + { 0x07, 0, 1, "" }, /* 5 */ + { 0x14, 0, 0, "ND" }, /* 6 */ + {0x09, 18, 1, "data" }, /* 7 */ + { 0x92, 0, 1, "" }, /* 8 */ + { 0x26, 0, 1, "" }, /* 9 */ + { 0x89, 0, 1, "" }, /* 10 */ + { 0x93, 0, 1, "" }, /* 11 */ + { 0xF2, 0, 1, "" }, /* 12 */ + { 0x2C, 0, 1, "" }, /* 13 */ + { 0x64, 0, 1, "pilot" }, /* 14 */ + { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */ + { 0x01, 17, 0, "UID" }, /* 16 */ + { 0x19, 0, 0, "DC" }, /* 17 */ + {0x55, 52, 1, "X.500" }, /* 18 */ + { 0x04, 36, 1, "X.509" }, /* 19 */ + { 0x03, 21, 0, "CN" }, /* 20 */ + { 0x04, 22, 0, "S" }, /* 21 */ + { 0x05, 23, 0, "SN" }, /* 22 */ + { 0x06, 24, 0, "C" }, /* 23 */ + { 0x07, 25, 0, "L" }, /* 24 */ + { 0x08, 26, 0, "ST" }, /* 25 */ + { 0x0A, 27, 0, "O" }, /* 26 */ + { 0x0B, 28, 0, "OU" }, /* 27 */ + { 0x0C, 29, 0, "T" }, /* 28 */ + { 0x0D, 30, 0, "D" }, /* 29 */ + { 0x24, 31, 0, "userCertificate" }, /* 30 */ + { 0x29, 32, 0, "N" }, /* 31 */ + { 0x2A, 33, 0, "G" }, /* 32 */ + { 0x2B, 34, 0, "I" }, /* 33 */ + { 0x2D, 35, 0, "ID" }, /* 34 */ + { 0x48, 0, 0, "role" }, /* 35 */ + { 0x1D, 0, 1, "id-ce" }, /* 36 */ + { 0x09, 38, 0, "subjectDirectoryAttrs" }, /* 37 */ + { 0x0E, 39, 0, "subjectKeyIdentifier" }, /* 38 */ + { 0x0F, 40, 0, "keyUsage" }, /* 39 */ + { 0x10, 41, 0, "privateKeyUsagePeriod" }, /* 40 */ + { 0x11, 42, 0, "subjectAltName" }, /* 41 */ + { 0x12, 43, 0, "issuerAltName" }, /* 42 */ + { 0x13, 44, 0, "basicConstraints" }, /* 43 */ + { 0x14, 45, 0, "crlNumber" }, /* 44 */ + { 0x15, 46, 0, "reasonCode" }, /* 45 */ + { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */ + { 0x20, 48, 0, "certificatePolicies" }, /* 47 */ + { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */ + { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */ + { 0x37, 51, 0, "targetInformation" }, /* 50 */ + { 0x38, 0, 0, "noRevAvail" }, /* 51 */ + {0x2A, 94, 1, "" }, /* 52 */ + { 0x86, 0, 1, "" }, /* 53 */ + { 0x48, 0, 1, "" }, /* 54 */ + { 0x86, 0, 1, "" }, /* 55 */ + { 0xF6, 61, 1, "" }, /* 56 */ + { 0x7D, 0, 1, "NortelNetworks" }, /* 57 */ + { 0x07, 0, 1, "Entrust" }, /* 58 */ + { 0x41, 0, 1, "nsn-ce" }, /* 59 */ + { 0x00, 0, 0, "entrustVersInfo" }, /* 60 */ + { 0xF7, 0, 1, "" }, /* 61 */ + { 0x0D, 0, 1, "RSADSI" }, /* 62 */ + { 0x01, 89, 1, "PKCS" }, /* 63 */ + { 0x01, 72, 1, "PKCS-1" }, /* 64 */ + { 0x01, 66, 0, "rsaEncryption" }, /* 65 */ + { 0x02, 67, 0, "md2WithRSAEncryption" }, /* 66 */ + { 0x04, 68, 0, "md5WithRSAEncryption" }, /* 67 */ + { 0x05, 69, 0, "sha-1WithRSAEncryption" }, /* 68 */ + { 0x0B, 70, 0, "sha256WithRSAEncryption" }, /* 69 */ + { 0x0C, 71, 0, "sha384WithRSAEncryption" }, /* 70 */ + { 0x0D, 0, 0, "sha512WithRSAEncryption" }, /* 71 */ + { 0x07, 79, 1, "PKCS-7" }, /* 72 */ + { 0x01, 74, 0, "data" }, /* 73 */ + { 0x02, 75, 0, "signedData" }, /* 74 */ + { 0x03, 76, 0, "envelopedData" }, /* 75 */ + { 0x04, 77, 0, "signedAndEnvelopedData" }, /* 76 */ + { 0x05, 78, 0, "digestedData" }, /* 77 */ + { 0x06, 0, 0, "encryptedData" }, /* 78 */ + { 0x09, 0, 1, "PKCS-9" }, /* 79 */ + { 0x01, 81, 0, "E" }, /* 80 */ + { 0x02, 82, 0, "unstructuredName" }, /* 81 */ + { 0x03, 83, 0, "contentType" }, /* 82 */ + { 0x04, 84, 0, "messageDigest" }, /* 83 */ + { 0x05, 85, 0, "signingTime" }, /* 84 */ + { 0x06, 86, 0, "counterSignature" }, /* 85 */ + { 0x07, 87, 0, "challengePassword" }, /* 86 */ + { 0x08, 88, 0, "unstructuredAddress" }, /* 87 */ + { 0x0E, 0, 0, "extensionRequest" }, /* 88 */ + { 0x02, 92, 1, "digestAlgorithm" }, /* 89 */ + { 0x02, 91, 0, "md2" }, /* 90 */ + { 0x05, 0, 0, "md5" }, /* 91 */ + { 0x03, 0, 1, "encryptionAlgorithm" }, /* 92 */ + { 0x07, 0, 0, "3des-ede-cbc" }, /* 93 */ + {0x2B, 160, 1, "" }, /* 94 */ + { 0x06, 147, 1, "dod" }, /* 95 */ + { 0x01, 0, 1, "internet" }, /* 96 */ + { 0x04, 115, 1, "private" }, /* 97 */ + { 0x01, 0, 1, "enterprise" }, /* 98 */ + { 0x82, 108, 1, "" }, /* 99 */ + { 0x37, 0, 1, "Microsoft" }, /* 100 */ + { 0x0A, 105, 1, "" }, /* 101 */ + { 0x03, 0, 1, "" }, /* 102 */ + { 0x03, 104, 0, "msSGC" }, /* 103 */ + { 0x04, 0, 0, "msEncryptingFileSystem" }, /* 104 */ + { 0x14, 0, 1, "msEnrollmentInfrastructure"}, /* 105 */ + { 0x02, 0, 1, "msCertificateTypeExtension"}, /* 106 */ + { 0x02, 0, 0, "msSmartcardLogon" }, /* 107 */ + { 0x89, 0, 1, "" }, /* 108 */ + { 0x31, 0, 1, "" }, /* 109 */ + { 0x01, 0, 1, "" }, /* 110 */ + { 0x01, 0, 1, "" }, /* 111 */ + { 0x02, 0, 1, "" }, /* 112 */ + { 0x02, 114, 0, "" }, /* 113 */ + { 0x4B, 0, 0, "TCGID" }, /* 114 */ + { 0x05, 0, 1, "security" }, /* 115 */ + { 0x05, 0, 1, "mechanisms" }, /* 116 */ + { 0x07, 0, 1, "id-pkix" }, /* 117 */ + { 0x01, 120, 1, "id-pe" }, /* 118 */ + { 0x01, 0, 0, "authorityInfoAccess" }, /* 119 */ + { 0x03, 130, 1, "id-kp" }, /* 120 */ + { 0x01, 122, 0, "serverAuth" }, /* 121 */ + { 0x02, 123, 0, "clientAuth" }, /* 122 */ + { 0x03, 124, 0, "codeSigning" }, /* 123 */ + { 0x04, 125, 0, "emailProtection" }, /* 124 */ + { 0x05, 126, 0, "ipsecEndSystem" }, /* 125 */ + { 0x06, 127, 0, "ipsecTunnel" }, /* 126 */ + { 0x07, 128, 0, "ipsecUser" }, /* 127 */ + { 0x08, 129, 0, "timeStamping" }, /* 128 */ + { 0x09, 0, 0, "ocspSigning" }, /* 129 */ + { 0x08, 132, 1, "id-otherNames" }, /* 130 */ + { 0x05, 0, 0, "xmppAddr" }, /* 131 */ + { 0x0A, 137, 1, "id-aca" }, /* 132 */ + { 0x01, 134, 0, "authenticationInfo" }, /* 133 */ + { 0x02, 135, 0, "accessIdentity" }, /* 134 */ + { 0x03, 136, 0, "chargingIdentity" }, /* 135 */ + { 0x04, 0, 0, "group" }, /* 136 */ + { 0x30, 0, 1, "id-ad" }, /* 137 */ + { 0x01, 146, 1, "ocsp" }, /* 138 */ + { 0x01, 140, 0, "basic" }, /* 139 */ + { 0x02, 141, 0, "nonce" }, /* 140 */ + { 0x03, 142, 0, "crl" }, /* 141 */ + { 0x04, 143, 0, "response" }, /* 142 */ + { 0x05, 144, 0, "noCheck" }, /* 143 */ + { 0x06, 145, 0, "archiveCutoff" }, /* 144 */ + { 0x07, 0, 0, "serviceLocator" }, /* 145 */ + { 0x02, 0, 0, "caIssuers" }, /* 146 */ + { 0x0E, 153, 1, "oiw" }, /* 147 */ + { 0x03, 0, 1, "secsig" }, /* 148 */ + { 0x02, 0, 1, "algorithms" }, /* 149 */ + { 0x07, 151, 0, "des-cbc" }, /* 150 */ + { 0x1A, 152, 0, "sha-1" }, /* 151 */ + { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 152 */ + { 0x24, 0, 1, "TeleTrusT" }, /* 153 */ + { 0x03, 0, 1, "algorithm" }, /* 154 */ + { 0x03, 0, 1, "signatureAlgorithm" }, /* 155 */ + { 0x01, 0, 1, "rsaSignature" }, /* 156 */ + { 0x02, 158, 0, "rsaSigWithripemd160" }, /* 157 */ + { 0x03, 159, 0, "rsaSigWithripemd128" }, /* 158 */ + { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 159 */ + {0x60, 0, 1, "" }, /* 160 */ + { 0x86, 0, 1, "" }, /* 161 */ + { 0x48, 0, 1, "" }, /* 162 */ + { 0x01, 0, 1, "organization" }, /* 163 */ + { 0x65, 171, 1, "gov" }, /* 164 */ + { 0x03, 0, 1, "csor" }, /* 165 */ + { 0x04, 0, 1, "nistalgorithm" }, /* 166 */ + { 0x02, 0, 1, "hashalgs" }, /* 167 */ + { 0x01, 169, 0, "id-SHA-256" }, /* 168 */ + { 0x02, 170, 0, "id-SHA-384" }, /* 169 */ + { 0x03, 0, 0, "id-SHA-512" }, /* 170 */ + { 0x86, 0, 1, "" }, /* 171 */ + { 0xf8, 0, 1, "" }, /* 172 */ + { 0x42, 185, 1, "netscape" }, /* 173 */ + { 0x01, 180, 1, "" }, /* 174 */ + { 0x01, 176, 0, "nsCertType" }, /* 175 */ + { 0x03, 177, 0, "nsRevocationUrl" }, /* 176 */ + { 0x04, 178, 0, "nsCaRevocationUrl" }, /* 177 */ + { 0x08, 179, 0, "nsCaPolicyUrl" }, /* 178 */ + { 0x0d, 0, 0, "nsComment" }, /* 179 */ + { 0x03, 183, 1, "directory" }, /* 180 */ + { 0x01, 0, 1, "" }, /* 181 */ + { 0x03, 0, 0, "employeeNumber" }, /* 182 */ + { 0x04, 0, 1, "policy" }, /* 183 */ + { 0x01, 0, 0, "nsSGC" }, /* 184 */ + { 0x45, 0, 1, "verisign" }, /* 185 */ + { 0x01, 0, 1, "pki" }, /* 186 */ + { 0x09, 0, 1, "attributes" }, /* 187 */ + { 0x02, 189, 0, "messageType" }, /* 188 */ + { 0x03, 190, 0, "pkiStatus" }, /* 189 */ + { 0x04, 191, 0, "failInfo" }, /* 190 */ + { 0x05, 192, 0, "senderNonce" }, /* 191 */ + { 0x06, 193, 0, "recipientNonce" }, /* 192 */ + { 0x07, 194, 0, "transID" }, /* 193 */ + { 0x08, 0, 0, "extensionReq" } /* 194 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index a29b1f0a1..5814a3ba0 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -49,36 +49,37 @@ extern const oid_t oid_names[]; #define OID_MD2 90 #define OID_MD5 91 #define OID_3DES_EDE_CBC 93 -#define OID_AUTHORITY_INFO_ACCESS 115 -#define OID_OCSP_SIGNING 125 -#define OID_XMPP_ADDR 127 -#define OID_AUTHENTICATION_INFO 129 -#define OID_ACCESS_IDENTITY 130 -#define OID_CHARGING_IDENTITY 131 -#define OID_GROUP 132 -#define OID_OCSP 134 -#define OID_BASIC 135 -#define OID_NONCE 136 -#define OID_CRL 137 -#define OID_RESPONSE 138 -#define OID_NO_CHECK 139 -#define OID_ARCHIVE_CUTOFF 140 -#define OID_SERVICE_LOCATOR 141 -#define OID_DES_CBC 145 -#define OID_SHA1 146 -#define OID_SHA1_WITH_RSA_OIW 147 -#define OID_SHA256 163 -#define OID_SHA384 164 -#define OID_SHA512 165 -#define OID_NS_REVOCATION_URL 171 -#define OID_NS_CA_REVOCATION_URL 172 -#define OID_NS_CA_POLICY_URL 173 -#define OID_NS_COMMENT 174 -#define OID_PKI_MESSAGE_TYPE 183 -#define OID_PKI_STATUS 184 -#define OID_PKI_FAIL_INFO 185 -#define OID_PKI_SENDER_NONCE 186 -#define OID_PKI_RECIPIENT_NONCE 187 -#define OID_PKI_TRANS_ID 188 +#define OID_AUTHORITY_INFO_ACCESS 119 +#define OID_OCSP_SIGNING 129 +#define OID_XMPP_ADDR 131 +#define OID_AUTHENTICATION_INFO 133 +#define OID_ACCESS_IDENTITY 134 +#define OID_CHARGING_IDENTITY 135 +#define OID_GROUP 136 +#define OID_OCSP 138 +#define OID_BASIC 139 +#define OID_NONCE 140 +#define OID_CRL 141 +#define OID_RESPONSE 142 +#define OID_NO_CHECK 143 +#define OID_ARCHIVE_CUTOFF 144 +#define OID_SERVICE_LOCATOR 145 +#define OID_CA_ISSUERS 146 +#define OID_DES_CBC 150 +#define OID_SHA1 151 +#define OID_SHA1_WITH_RSA_OIW 152 +#define OID_SHA256 168 +#define OID_SHA384 169 +#define OID_SHA512 170 +#define OID_NS_REVOCATION_URL 176 +#define OID_NS_CA_REVOCATION_URL 177 +#define OID_NS_CA_POLICY_URL 178 +#define OID_NS_COMMENT 179 +#define OID_PKI_MESSAGE_TYPE 188 +#define OID_PKI_STATUS 189 +#define OID_PKI_FAIL_INFO 190 +#define OID_PKI_SENDER_NONCE 191 +#define OID_PKI_RECIPIENT_NONCE 192 +#define OID_PKI_TRANS_ID 193 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index bd5a26e43..6ae2dc29a 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -102,6 +102,10 @@ 0x0A "" 0x03 "" 0x03 "msSGC" + 0x04 "msEncryptingFileSystem" + 0x14 "msEnrollmentInfrastructure" + 0x02 "msCertificateTypeExtension" + 0x02 "msSmartcardLogon" 0x89 "" 0x31 "" 0x01 "" @@ -140,6 +144,7 @@ 0x05 "noCheck" OID_NO_CHECK 0x06 "archiveCutoff" OID_ARCHIVE_CUTOFF 0x07 "serviceLocator" OID_SERVICE_LOCATOR + 0x02 "caIssuers" OID_CA_ISSUERS 0x0E "oiw" 0x03 "secsig" 0x02 "algorithms" diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c index 641805869..b752a97ab 100755 --- a/src/libstrongswan/asn1/pem.c +++ b/src/libstrongswan/asn1/pem.c @@ -10,6 +10,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: pem.c 3256 2007-10-07 13:42:43Z andreas $ */ #include <stdio.h> @@ -40,7 +42,7 @@ static bool present(const char* pattern, chunk_t* ch) { u_int pattern_len = strlen(pattern); - if (ch->len >= pattern_len && strncmp(ch->ptr, pattern, pattern_len) == 0) + if (ch->len >= pattern_len && strneq(ch->ptr, pattern, pattern_len)) { ch->ptr += pattern_len; ch->len -= pattern_len; diff --git a/src/libstrongswan/asn1/ttodata.c b/src/libstrongswan/asn1/ttodata.c index 8114b12c5..125313c2a 100644 --- a/src/libstrongswan/asn1/ttodata.c +++ b/src/libstrongswan/asn1/ttodata.c @@ -62,98 +62,123 @@ const char *ttodatav(const char *src, size_t srclen, int base, char *dst, size_t int skipSpace = 0; if (srclen == 0) + { srclen = strlen(src); + } if (dstlen == 0) + { dst = buf; /* point it somewhere valid */ + } stop = dst + dstlen; - if (base == 0) { + if (base == 0) + { if (srclen < 2) + { return "input too short to be valid"; + } if (*src++ != '0') + { return "input does not begin with format prefix"; - switch (*src++) { - case 'x': - case 'X': - base = 16; + } + switch (*src++) + { + case 'x': + case 'X': + base = 16; + break; + case 's': + case 'S': + base = 64; + break; + case 't': + case 'T': + base = 256; + break; + default: + return "unknown format prefix"; + } + srclen -= 2; + } + switch (base) + { + case 16: + decode = unhex; + underscoreok = 1; + ingroup = 2; break; - case 's': - case 'S': - base = 64; + case 64: + decode = unb64; + underscoreok = 0; + ingroup = 4; + if(flags & TTODATAV_IGNORESPACE) + { + skipSpace = 1; + } break; - case 't': - case 'T': - base = 256; + case 256: + decode = untext; + ingroup = 1; + underscoreok = 0; break; default: - return "unknown format prefix"; - } - srclen -= 2; - } - switch (base) { - case 16: - decode = unhex; - underscoreok = 1; - ingroup = 2; - break; - case 64: - decode = unb64; - underscoreok = 0; - ingroup = 4; - if(flags & TTODATAV_IGNORESPACE) { - skipSpace = 1; - } - break; - - case 256: - decode = untext; - ingroup = 1; - underscoreok = 0; - break; - default: - return "unknown base"; + return "unknown base"; } /* proceed */ ndone = 0; - while (srclen > 0) { + while (srclen > 0) + { char stage[4]; /* staging area for group */ size_t sl = 0; /* Grab ingroup characters into stage, * squeezing out blanks if we are supposed to ignore them. */ - for (sl = 0; sl < ingroup; src++, srclen--) { + for (sl = 0; sl < ingroup; src++, srclen--) + { if (srclen == 0) + { return "input ends in mid-byte, perhaps truncated"; + } else if (!(skipSpace && (*src == ' ' || *src == '\t'))) + { stage[sl++] = *src; + } } nbytes = (*decode)(stage, buf, sizeof(buf)); - switch (nbytes) { - case BADCH0: - case BADCH1: - case BADCH2: - case BADCH3: - return badch(stage, nbytes, errp, errlen); - case SHORT: - return "internal buffer too short (\"can't happen\")"; - case BADPAD: - return "bad (non-zero) padding at end of base64 input"; + switch (nbytes) + { + case BADCH0: + case BADCH1: + case BADCH2: + case BADCH3: + return badch(stage, nbytes, errp, errlen); + case SHORT: + return "internal buffer too short (\"can't happen\")"; + case BADPAD: + return "bad (non-zero) padding at end of base64 input"; } if (nbytes <= 0) + { return "unknown internal error"; - for (i = 0; i < nbytes; i++) { + } + for (i = 0; i < nbytes; i++) + { if (dst < stop) + { *dst++ = buf[i]; + } ndone++; } - while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t')){ + while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t')) + { src++; srclen--; } - if (underscoreok && srclen > 1 && *src == '_') { + if (underscoreok && srclen > 1 && (*src == '_' || *src == ':')) + { /* srclen > 1 means not last character */ src++; srclen--; @@ -161,9 +186,13 @@ const char *ttodatav(const char *src, size_t srclen, int base, char *dst, size_t } if (ndone == 0) + { return "no data bytes specified by input"; + } if (lenp != NULL) + { *lenp = ndone; + } return NULL; } @@ -201,9 +230,7 @@ size_t atodata(const char *src, size_t srclen, char *dst, size_t dstlen) const char *err; err = ttodata(src, srclen, 0, dst, dstlen, &len); - if (err != NULL) - return 0; - return len; + return (err)? 0:len; } /** @@ -231,21 +258,31 @@ static int unhex(const char *src, char *dst, size_t dstlen) static char hex[] = "0123456789abcdef"; if (dstlen < 1) + { return SHORT; - + } + p = strchr(hex, *src); if (p == NULL) + { p = strchr(hex, tolower(*src)); + } if (p == NULL) + { return BADCH0; + } byte = (p - hex) << 4; src++; p = strchr(hex, *src); if (p == NULL) + { p = strchr(hex, tolower(*src)); + } if (p == NULL) + { return BADCH1; + } byte |= (p - hex); *dst = byte; @@ -272,16 +309,20 @@ static int unb64(const char *src, char *dst, size_t dstlen) "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; if (dstlen < 3) + { return SHORT; - + } p = strchr(base64, *src++); if (p == NULL) + { return BADCH0; + } byte1 = (p - base64) << 2; /* first six bits */ p = strchr(base64, *src++); - if (p == NULL) { + if (p == NULL) + { return BADCH1; } @@ -290,10 +331,14 @@ static int unb64(const char *src, char *dst, size_t dstlen) byte1 = (byte2 & 0xf) << 4; p = strchr(base64, *src++); - if (p == NULL) { - if (*(src-1) == '=' && *src == '=') { + if (p == NULL) + { + if (*(src-1) == '=' && *src == '=') + { if (byte1 != 0) /* bad padding */ + { return BADPAD; + } return 1; } return BADCH2; @@ -304,10 +349,14 @@ static int unb64(const char *src, char *dst, size_t dstlen) byte1 = (byte2 & 0x3) << 6; p = strchr(base64, *src++); - if (p == NULL) { - if (*(src-1) == '=') { + if (p == NULL) + { + if (*(src-1) == '=') + { if (byte1 != 0) /* bad padding */ + { return BADPAD; + } return 2; } return BADCH3; @@ -329,8 +378,9 @@ static int unb64(const char *src, char *dst, size_t dstlen) static int untext(const char *src, char *dst, size_t dstlen) { if (dstlen < 1) + { return SHORT; - + } *dst = *src; return 1; } @@ -359,13 +409,18 @@ static const char *badch(const char *src, int errcode, char *errp, size_t errlen char ch; if (errp == NULL || errlen < REQD) + { return "unknown character in input"; + } strcpy(errp, pre); ch = *(src + BADOFF(errcode)); - if (isprint(ch)) { + if (isprint(ch)) + { buf[0] = ch; buf[1] = '\0'; - } else { + } + else + { buf[0] = '\\'; buf[1] = ((ch & 0700) >> 6) + '0'; buf[2] = ((ch & 0070) >> 3) + '0'; diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index d70e1723f..0d7841641 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -28,6 +28,7 @@ #include <debug.h> #include <printf_hook.h> +#include <utils/randomizer.h> /** * Empty chunk. @@ -247,6 +248,35 @@ bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask } } +/** hex conversion digits */ +static char hexdig_upper[] = "0123456789ABCDEF"; +static char hexdig_lower[] = "0123456789abcdef"; + +/** + * Described in header. + */ +char *chunk_to_hex(chunk_t chunk, bool uppercase) +{ + int i; + char *str; + char *hexdig = hexdig_lower; + + if (uppercase) + { + hexdig = hexdig_upper; + } + + str = malloc(chunk.len * 2 + 1); + str[chunk.len * 2] = '\0'; + + for (i = 0; i < chunk.len; i ++) + { + str[i*2] = hexdig[(chunk.ptr[i] >> 4) & 0xF]; + str[i*2+1] = hexdig[(chunk.ptr[i] ) & 0xF]; + } + return str; +} + /** * Described in header. */ @@ -260,6 +290,27 @@ void chunk_free(chunk_t *chunk) /** * Described in header. */ +void chunk_free_randomized(chunk_t *chunk) +{ + if (chunk->ptr) + { + if (chunk->len > 0) + { + randomizer_t *randomizer = randomizer_create(); + + randomizer->get_pseudo_random_bytes(randomizer, + chunk->len, chunk->ptr); + randomizer->destroy(randomizer); + }; + free(chunk->ptr); + chunk->ptr = NULL; + } + chunk->len = 0; +} + +/** + * Described in header. + */ chunk_t chunk_skip(chunk_t chunk, size_t bytes) { if (chunk.len > bytes) @@ -332,10 +383,8 @@ static int print_bytes(FILE *stream, const struct printf_info *info, while (bytes_pos < bytes_roof) { - static char hexdig[] = "0123456789ABCDEF"; - - *buffer_pos++ = hexdig[(*bytes_pos >> 4) & 0xF]; - *buffer_pos++ = hexdig[ *bytes_pos & 0xF]; + *buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF]; + *buffer_pos++ = hexdig_upper[ *bytes_pos & 0xF]; ascii_buffer[i++] = (*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.'; diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index a13ccfc22..9c0aabba1 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h @@ -84,11 +84,21 @@ void chunk_split(chunk_t chunk, const char *mode, ...); bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask, bool force); /** + * convert a chunk to an allocated hex string + */ +char *chunk_to_hex(chunk_t chunk, bool uppercase); + +/** * Free contents of a chunk */ void chunk_free(chunk_t *chunk); /** + * Overwrite the contents of a chunk with pseudo-random bytes and free them + */ +void chunk_free_randomized(chunk_t *chunk); + +/** * Initialize a chunk to point to buffer inspectable by sizeof() */ #define chunk_from_buf(str) { str, sizeof(str) } diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h index dcbe43f52..62b6ad2d5 100755 --- a/src/libstrongswan/credential_store.h +++ b/src/libstrongswan/credential_store.h @@ -88,17 +88,6 @@ struct credential_store_t { rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id); /** - * @brief Returns the RSA private key belonging to an RSA public key - * - * The returned rsa_private_key_t must be destroyed by the caller after usage. - * - * @param this calling object - * @param pubkey public key - * @return private key, or NULL if not found - */ - rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey); - - /** * @brief Is there a matching RSA private key belonging to an RSA public key? * * @param this calling object @@ -145,6 +134,20 @@ struct credential_store_t { ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert); /** + * @brief RSA private key belonging to an RSA public key + * + * + * @param this calling object + * @param pubkey public key used to find the matching private key + * @param hash_algorithm hash algorithm to be used for signature + * @param data data block to be signed + * @param signature signature to be returned + * @return status of the signature process - SUCCESS if successful + */ + status_t (*rsa_signature) (credential_store_t *this, rsa_public_key_t *pubkey, hash_algorithm_t hash_algorithm, + chunk_t data, chunk_t *signature); + + /** * @brief Verify an RSA signature given the ID of the signer * * @param this calling object @@ -154,7 +157,8 @@ struct credential_store_t { * @param issuer_p issuer of the signer's certificate (if not self-signed). * @return status of the verification - SUCCESS if successful */ - status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p); + status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, + ca_info_t **issuer_p); /** * @brief Verify an X.509 certificate up to trust anchor without any status checks @@ -240,6 +244,14 @@ struct credential_store_t { iterator_t* (*create_cainfo_iterator) (credential_store_t *this); /** + * @brief Create an iterator over all attribute certificates. + * + * @param this calling object + * @return iterator + */ + iterator_t* (*create_acert_iterator) (credential_store_t *this); + + /** * @brief Loads ca certificates from a default directory. * * Certificates in both DER and PEM format are accepted @@ -288,12 +300,13 @@ struct credential_store_t { /** * @brief Loads secrets in ipsec.secrets * - * Currently, all RSA private key files must be in unencrypted form - * either in DER or PEM format. + * RSA private key files can be either in DER or PEM format + * Optional encryption with a passphrase supported * * @param this calling object + * @param reload are the secrets to be reloaded */ - void (*load_secrets) (credential_store_t *this); + void (*load_secrets) (credential_store_t *this, bool reload); /** * @brief Destroys a credential_store_t object. diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c index 47605e9e1..1367494f8 100644 --- a/src/libstrongswan/crypto/ac.c +++ b/src/libstrongswan/crypto/ac.c @@ -19,17 +19,28 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: ac.c 3300 2007-10-12 21:53:18Z andreas $ */ +#include <string.h> +#include <stdio.h> + #include <library.h> #include <debug.h> #include <asn1/asn1.h> +#include <asn1/pem.h> +#include <crypto/x509.h> +#include <crypto/ietf_attr_list.h> #include <utils/identification.h> #include <utils/linked_list.h> +#include <utils/lexparser.h> #include "ac.h" +#define ACERT_WARNING_INTERVAL 1 /* day */ + typedef struct private_x509ac_t private_x509ac_t; /** @@ -138,92 +149,6 @@ struct private_x509ac_t { }; /** - * definition of ietfAttribute kinds - */ -typedef enum { - IETF_ATTRIBUTE_OCTETS = 0, - IETF_ATTRIBUTE_OID = 1, - IETF_ATTRIBUTE_STRING = 2 -} ietfAttribute_t; - -/** - * access structure for an ietfAttribute - */ -typedef struct ietfAttr_t ietfAttr_t; - -struct ietfAttr_t { - /** - * IETF attribute kind - */ - ietfAttribute_t kind; - - /** - * IETF attribute valuse - */ - chunk_t value; - - /** - * Destroys the ietfAttr_t object. - * - * @param this ietfAttr_t to destroy - */ - void (*destroy) (ietfAttr_t *this); -}; - -/** - * Destroys an ietfAttr_t object - */ -static void ietfAttr_destroy(ietfAttr_t *this) -{ - free(this->value.ptr); - free(this); -} - -/** - * Creates an ietfAttr_t object. - */ -ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value) -{ - ietfAttr_t *this = malloc_thing(ietfAttr_t); - - /* initialize */ - this->kind = kind; - this->value = chunk_clone(value); - - /* function */ - this->destroy = ietfAttr_destroy; - - return this; -} - -/** - * ASN.1 definition of ietfAttrSyntax - */ -static const asn1Object_t ietfAttrSyntaxObjects[] = -{ - { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | - ASN1_BODY }, /* 1 */ - { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ - { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ - { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | - ASN1_BODY }, /* 4 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ - { 2, "oid", ASN1_OID, ASN1_OPT | - ASN1_BODY }, /* 6 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ - { 2, "string", ASN1_UTF8STRING, ASN1_OPT | - ASN1_BODY }, /* 8 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ - { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */ -}; - -#define IETF_ATTR_OCTETS 4 -#define IETF_ATTR_OID 6 -#define IETF_ATTR_STRING 8 -#define IETF_ATTR_ROOF 11 - -/** * ASN.1 definition of roleSyntax */ static const asn1Object_t roleSyntaxObjects[] = @@ -357,6 +282,23 @@ static err_t is_valid(const private_x509ac_t *this, time_t *until) } /** + * Implements x509ac_t.is_newer + */ +static bool is_newer(const private_x509ac_t *this, const private_x509ac_t *other) +{ + return this->notBefore > other->notBefore; +} + +/** + * Implements x509ac_t.equals_holder. + */ +static bool equals_holder(const private_x509ac_t *this, const private_x509ac_t *other) +{ + return this->holderIssuer->equals(this->holderIssuer, other->holderIssuer) + && chunk_equals(this->holderSerial, other->holderSerial); +} + +/** * parses a directoryName */ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name) @@ -364,7 +306,7 @@ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identifi bool has_directoryName; linked_list_t *list = linked_list_create(); - parse_generalNames(blob, level, implicit, list); + x509_parse_generalNames(blob, level, implicit, list); has_directoryName = list->get_count(list) > 0; if (has_directoryName) @@ -398,43 +340,6 @@ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identifi } /** - * parses ietfAttrSyntax - */ -static void parse_ietfAttrSyntax(chunk_t blob, int level0, linked_list_t *list) -{ - asn1_ctx_t ctx; - chunk_t object; - u_int level; - int objectID = 0; - - asn1_init(&ctx, blob, level0, FALSE, FALSE); - - while (objectID < IETF_ATTR_ROOF) - { - if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx)) - { - return; - } - - switch (objectID) - { - case IETF_ATTR_OCTETS: - case IETF_ATTR_OID: - case IETF_ATTR_STRING: - { - ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2; - ietfAttr_t *attr = ietfAttr_create(kind, object); - list->insert_last(list, (void *)attr); - } - break; - default: - break; - } - objectID++; - } -} - -/** * parses roleSyntax */ static void parse_roleSyntax(chunk_t blob, int level0) @@ -470,9 +375,9 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this) bool critical; chunk_t object; u_int level; - u_int type = OID_UNKNOWN; - u_int extn_oid = OID_UNKNOWN; int objectID = 0; + int type = OID_UNKNOWN; + int extn_oid = OID_UNKNOWN; asn1_init(&ctx, blob, 0, FALSE, FALSE); while (objectID < AC_OBJ_ROOF) @@ -549,10 +454,10 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this) DBG2(" need to parse accessIdentity"); break; case OID_CHARGING_IDENTITY: - parse_ietfAttrSyntax(object, level, this->charging); + ietfAttr_list_create_from_chunk(object, this->charging, level); break; case OID_GROUP: - parse_ietfAttrSyntax(object, level, this->groups); + ietfAttr_list_create_from_chunk(object, this->groups, level); break; case OID_ROLE: parse_roleSyntax(object, level); @@ -577,7 +482,7 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this) DBG2(" need to parse crlDistributionPoints"); break; case OID_AUTHORITY_KEY_ID: - parse_authorityKeyIdentifier(object, level, + x509_parse_authorityKeyIdentifier(object, level, &this->authKeyID, &this->authKeySerialNumber); break; case OID_TARGET_INFORMATION: @@ -603,7 +508,72 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this) objectID++; } this->installed = time(NULL); - return FALSE; + return TRUE; +} + +/** + * Implementation of x509ac_t.list. + */ +static void list(const private_x509ac_t *this, FILE *out, bool utc) +{ + time_t now = time(NULL); + + fprintf(out, "%#T\n", &this->installed, utc); + + if (this->entityName) + { + fprintf(out, " holder: '%D'\n", this->entityName); + } + if (this->holderIssuer) + { + fprintf(out, " hissuer: '%D'\n", this->holderIssuer); + } + if (this->holderSerial.ptr) + { + fprintf(out, " hserial: %#B\n", &this->holderSerial); + } + + /* list all group attributes on a single line */ + fprintf(out, " groups: "); + ietfAttr_list_list(this->groups, out); + fprintf(out, "\n"); + + fprintf(out, " issuer: '%D'\n", this->issuerName); + fprintf(out, " serial: %#B\n", &this->serialNumber); + + fprintf(out, " validity: not before %#T, ", &this->notBefore, utc); + if (now < this->notBefore) + { + fprintf(out, "not valid yet (valid in %V)\n", &now, &this->notBefore); + } + else + { + fprintf(out, "ok\n"); + } + + fprintf(out, " not after %#T, ", &this->notAfter, utc); + if (now > this->notAfter) + { + fprintf(out, "expired (%V ago)\n", &now, &this->notAfter); + } + else + { + fprintf(out, "ok"); + if (now > this->notAfter - ACERT_WARNING_INTERVAL * 60 * 60 * 24) + { + fprintf(out, " (expires in %V)", &now, &this->notAfter); + } + fprintf(out, " \n"); + } + + if (this->authKeyID.ptr) + { + fprintf(out, " authkey: %#B\n", &this->authKeyID); + } + if (this->authKeySerialNumber.ptr) + { + fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber); + } } /** @@ -614,10 +584,8 @@ static void destroy(private_x509ac_t *this) DESTROY_IF(this->holderIssuer); DESTROY_IF(this->entityName); DESTROY_IF(this->issuerName); - this->charging->destroy_offset(this->charging, - offsetof(ietfAttr_t, destroy)); - this->groups->destroy_offset(this->groups, - offsetof(ietfAttr_t, destroy)); + ietfAttr_list_destroy(this->charging); + ietfAttr_list_destroy(this->groups); free(this->certificate.ptr); free(this); } @@ -638,6 +606,9 @@ x509ac_t *x509ac_create_from_chunk(chunk_t chunk) /* public functions */ this->public.is_valid = (err_t (*) (const x509ac_t*,time_t*))is_valid; + this->public.is_newer = (bool (*) (const x509ac_t*,const x509ac_t*))is_newer; + this->public.equals_holder = (bool (*) (const x509ac_t*,const x509ac_t*))equals_holder; + this->public.list = (void (*) (const x509ac_t*,FILE*,bool))list; this->public.destroy = (void (*) (x509ac_t*))destroy; if (!parse_certificate(chunk, this)) diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h index b7fd26c94..8a4ccbd4c 100644 --- a/src/libstrongswan/crypto/ac.h +++ b/src/libstrongswan/crypto/ac.h @@ -21,11 +21,15 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: ac.h 3300 2007-10-12 21:53:18Z andreas $ */ #ifndef AC_H_ #define AC_H_ +#include <library.h> + typedef struct x509ac_t x509ac_t; /** @@ -48,6 +52,32 @@ struct x509ac_t { */ err_t (*is_valid) (const x509ac_t *this, time_t *until); + /** @brief Checks if this attr cert is newer than the other attr cert + * + * @param this calling object + * @param other other attr cert object + * @return TRUE if this was issued more recently than other + */ + bool (*is_newer) (const x509ac_t *this, const x509ac_t *other); + + /** + * @brief Checks if two attribute certificates belong to the same holder + * + * @param this calling attribute certificate + * @param that other attribute certificate + * @return TRUE if same holder + */ + bool (*equals_holder) (const x509ac_t *this, const x509ac_t *other); + + /** + * @brief Log the attribute certificate info to out. + * + * @param this calling object + * @param out stream to write to + * @param utc TRUE for UTC times, FALSE for local time + */ + void (*list)(const x509ac_t *this, FILE *out, bool utc); + /** * @brief Destroys the attribute certificate. * @@ -68,14 +98,13 @@ x509ac_t *x509ac_create_from_chunk(chunk_t chunk); /** * @brief Read a x509 attribute certificate from a DER encoded file. - * + * * @param filename file containing DER encoded data - * @return created x509ac_t certificate, or NULL if invalid. - * + * @return created x509ac_t certificate, or NULL if invalid. + * * @ingroup crypto */ x509ac_t *x509ac_create_from_file(const char *filename); - #endif /* AC_H_ */ diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c index b4ae37b2e..d52078ea9 100755 --- a/src/libstrongswan/crypto/crl.c +++ b/src/libstrongswan/crypto/crl.c @@ -18,6 +18,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: crl.c 3300 2007-10-12 21:53:18Z andreas $ */ #include <sys/stat.h> @@ -290,7 +292,8 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) } else if (extn_oid == OID_AUTHORITY_KEY_ID) { - parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber); + x509_parse_authorityKeyIdentifier(object, level, + &crl->authKeyID, &crl->authKeySerialNumber); } else if (extn_oid == OID_CRL_NUMBER) { @@ -304,6 +307,11 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) break; case CRL_OBJ_ALGORITHM: crl->algorithm = parse_algorithmIdentifier(object, level, NULL); + if (crl->algorithm != crl->sigAlg) + { + DBG1(" signature algorithms do not agree"); + return FALSE; + } break; case CRL_OBJ_SIGNATURE: crl->signature = object; @@ -374,7 +382,14 @@ static bool is_newer(const private_crl_t *this, const private_crl_t *other) */ static bool verify(const private_crl_t *this, const rsa_public_key_t *signer) { - return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertList, this->signature) == SUCCESS; + hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->algorithm); + + if (algorithm == HASH_UNKNOWN) + { + DBG1(" unknown signature algorithm"); + return FALSE; + } + return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertList, this->signature) == SUCCESS; } /** diff --git a/src/libstrongswan/crypto/crl.h b/src/libstrongswan/crypto/crl.h index a367c3aff..bcf031dd4 100755 --- a/src/libstrongswan/crypto/crl.h +++ b/src/libstrongswan/crypto/crl.h @@ -18,6 +18,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: crl.h 3300 2007-10-12 21:53:18Z andreas $ */ #ifndef CRL_H_ diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c index e4062066c..605892e87 100644 --- a/src/libstrongswan/crypto/diffie_hellman.c +++ b/src/libstrongswan/crypto/diffie_hellman.c @@ -8,7 +8,7 @@ /* * Copyright (C) 1998-2002 D. Hugh Redelmeier. * Copyright (C) 1999, 2000, 2001 Henry Spencer. - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -24,11 +24,11 @@ */ #include <gmp.h> -#include <stdio.h> #include "diffie_hellman.h" #include <utils/randomizer.h> +#include <debug.h> ENUM_BEGIN(diffie_hellman_group_names, MODP_NONE, MODP_1024_BIT, "MODP_NONE", @@ -302,12 +302,12 @@ static u_int8_t group18_modulus[] = { 0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, }; -typedef struct modulus_info_entry_t modulus_info_entry_t; +typedef struct modulus_entry_t modulus_entry_t; /** * Entry of the modulus list. */ -struct modulus_info_entry_t { +struct modulus_entry_t { /** * Group number as it is defined in file transform_substructure.h. */ @@ -321,7 +321,7 @@ struct modulus_info_entry_t { /* * Length of modulus in bytes. */ - size_t modulus_length; + size_t modulus_len; /* * Generator value. @@ -329,19 +329,18 @@ struct modulus_info_entry_t { u_int16_t generator; }; - /** * All supported modulus values. */ -static modulus_info_entry_t modulus_info_entries[] = { - {MODP_768_BIT,group1_modulus,sizeof(group1_modulus),2}, - {MODP_1024_BIT,group2_modulus,sizeof(group2_modulus),2}, - {MODP_1536_BIT,group5_modulus,sizeof(group5_modulus),2}, - {MODP_2048_BIT,group14_modulus,sizeof(group14_modulus),2}, - {MODP_3072_BIT,group15_modulus,sizeof(group15_modulus),2}, - {MODP_4096_BIT,group16_modulus,sizeof(group16_modulus),2}, - {MODP_6144_BIT,group17_modulus,sizeof(group17_modulus),2}, - {MODP_8192_BIT,group18_modulus,sizeof(group18_modulus),2}, +static modulus_entry_t modulus_entries[] = { + {MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 2}, + {MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 2}, + {MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 2}, + {MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 2}, + {MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 2}, + {MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 2}, + {MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 2}, + {MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 2}, }; typedef struct private_diffie_hellman_t private_diffie_hellman_t; @@ -359,170 +358,133 @@ struct private_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t dh_group_number; - - /** - * Modulus. - */ - mpz_t modulus; - - /** - * Modulus length. - */ - size_t modulus_length; + u_int16_t group; /* * Generator value. */ - u_int16_t generator; + mpz_t g; /** - * My private value . + * My private value. */ - mpz_t my_private_value; + mpz_t xa; /** * My public value. */ - mpz_t my_public_value; + mpz_t ya; /** * Other public value. */ - mpz_t other_public_value; + mpz_t yb; /** * Shared secret. */ - mpz_t shared_secret; + mpz_t zz; /** - * True if shared secret is computed and stored in my_public_value. - */ - bool shared_secret_is_computed; - - /** - * Sets the modulus for a specific diffie hellman group. - * - * @param this calling object - * @return - * SUCCESS if modulus could be found - * NOT_FOUND if modulus not supported + * Modulus. */ - status_t (*set_modulus) (private_diffie_hellman_t *this); + mpz_t p; /** - * Makes sure my public value is computed. - * - * @param this calling object + * Modulus length. */ - void (*compute_public_value) (private_diffie_hellman_t *this); + size_t p_len; /** - * Computes shared secret (other public value must be available). - * - * @param this calling object + * True if shared secret is computed and stored in my_public_value. */ - void (*compute_shared_secret) (private_diffie_hellman_t *this); + bool computed; }; /** - * Implementation of private_diffie_hellman_t.set_modulus. + * Implementation of diffie_hellman_t.set_other_public_value. */ -static status_t set_modulus(private_diffie_hellman_t *this) +static void set_other_public_value(private_diffie_hellman_t *this, chunk_t value) { - int i; - status_t status = NOT_FOUND; + mpz_t p_min_1; + + mpz_init(p_min_1); + mpz_sub_ui(p_min_1, this->p, 1); + + mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr); - for (i = 0; i < (sizeof(modulus_info_entries) / sizeof(modulus_info_entry_t)); i++) + /* check public value: + * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1 + * 2. a public value larger or equal the modulus is invalid */ + if (mpz_cmp_ui(this->yb, 1) > 0 || + mpz_cmp(this->yb, p_min_1) < 0) { - if (modulus_info_entries[i].group == this->dh_group_number) +#ifdef EXTENDED_DH_TEST + /* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */ + mpz_t q, one; + + mpz_init(q); + mpz_init(one); + mpz_fdiv_q_2exp(q, p_min_1, 1); + mpz_powm(one, this->yb, q, this->p); + mpz_clear(q); + if (mpz_cmp_ui(one, 1) == 0) { - chunk_t modulus_chunk; - modulus_chunk.ptr = modulus_info_entries[i].modulus; - modulus_chunk.len = modulus_info_entries[i].modulus_length; - mpz_import(this->modulus, modulus_chunk.len, 1, 1, 1, 0, modulus_chunk.ptr); - this->modulus_length = modulus_chunk.len; - this->generator = modulus_info_entries[i].generator; - status = SUCCESS; - break; + mpz_powm(this->zz, this->yb, this->xa, this->p); + this->computed = TRUE; + } + else + { + DBG1("public DH value verification failed: y ^ q mod p != 1"); } + mpz_clear(one); +#else + mpz_powm(this->zz, this->yb, this->xa, this->p); + this->computed = TRUE; +#endif } - return status; -} - -/** - * Implementation of diffie_hellman_t.set_other_public_value. - */ -static void set_other_public_value(private_diffie_hellman_t *this,chunk_t public_value) -{ - mpz_import(this->other_public_value, public_value.len, 1, 1, 1, 0, public_value.ptr); - this->compute_shared_secret(this); + else + { + DBG1("public DH value verification failed: y < 2 || y > p - 1 "); + } + mpz_clear(p_min_1); } /** * Implementation of diffie_hellman_t.get_other_public_value. */ -static status_t get_other_public_value(private_diffie_hellman_t *this,chunk_t *public_value) +static status_t get_other_public_value(private_diffie_hellman_t *this, + chunk_t *value) { - if (!this->shared_secret_is_computed) + if (!this->computed) { return FAILED; } - public_value->len = this->modulus_length; - public_value->ptr = mpz_export(NULL, NULL, 1, public_value->len, 1, 0, this->other_public_value); + value->len = this->p_len; + value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb); return SUCCESS; } /** - * Implementation of private_diffie_hellman_t.compute_shared_secret. - */ -static void compute_shared_secret (private_diffie_hellman_t *this) -{ - /* initialize my public value */ - mpz_init(this->shared_secret); - /* calculate my public value */ - mpz_powm(this->shared_secret,this->other_public_value,this->my_private_value,this->modulus); - - this->shared_secret_is_computed = TRUE; -} - -/** - * Implementation of private_diffie_hellman_t.compute_public_value. - */ -static void compute_public_value (private_diffie_hellman_t *this) -{ - mpz_t generator; - /* initialize generator and set it*/ - mpz_init_set_ui (generator,this->generator); - /* initialize my public value */ - mpz_init(this->my_public_value); - /* calculate my public value */ - mpz_powm(this->my_public_value,generator,this->my_private_value,this->modulus); - /* generator not used anymore */ - mpz_clear(generator); -} - -/** * Implementation of diffie_hellman_t.get_my_public_value. */ -static void get_my_public_value(private_diffie_hellman_t *this,chunk_t *public_value) +static void get_my_public_value(private_diffie_hellman_t *this,chunk_t *value) { - public_value->len = this->modulus_length; - public_value->ptr = mpz_export(NULL, NULL, 1, public_value->len, 1, 0, this->my_public_value); + value->len = this->p_len; + value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya); } /** * Implementation of diffie_hellman_t.get_shared_secret. */ -static status_t get_shared_secret(private_diffie_hellman_t *this,chunk_t *secret) +static status_t get_shared_secret(private_diffie_hellman_t *this, chunk_t *secret) { - if (!this->shared_secret_is_computed) + if (!this->computed) { return FAILED; } - secret->len = this->modulus_length; - secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->shared_secret); + secret->len = this->p_len; + secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz); return SUCCESS; } @@ -531,35 +493,57 @@ static status_t get_shared_secret(private_diffie_hellman_t *this,chunk_t *secret */ static diffie_hellman_group_t get_dh_group(private_diffie_hellman_t *this) { - return this->dh_group_number; + return this->group; } /** - * Implementation of diffie_hellman_t.destroy. + * Lookup the modulus in modulo table */ -static void destroy(private_diffie_hellman_t *this) +static status_t set_modulus(private_diffie_hellman_t *this) { - mpz_clear(this->modulus); - mpz_clear(this->my_private_value); - mpz_clear(this->my_public_value); - mpz_clear(this->other_public_value); - - if (this->shared_secret_is_computed) + int i; + status_t status = NOT_FOUND; + + for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++) { - /* other public value gets initialized together with shared secret */ - mpz_clear(this->shared_secret); + if (modulus_entries[i].group == this->group) + { + chunk_t chunk; + chunk.ptr = modulus_entries[i].modulus; + chunk.len = modulus_entries[i].modulus_len; + mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr); + this->p_len = chunk.len; + mpz_set_ui(this->g, modulus_entries[i].generator); + status = SUCCESS; + break; + } } + return status; +} + +/** + * Implementation of diffie_hellman_t.destroy. + */ +static void destroy(private_diffie_hellman_t *this) +{ + mpz_clear(this->p); + mpz_clear(this->xa); + mpz_clear(this->ya); + mpz_clear(this->yb); + mpz_clear(this->zz); + mpz_clear(this->g); free(this); } /* * Described in header. */ -diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number) +diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t group) { private_diffie_hellman_t *this = malloc_thing(private_diffie_hellman_t); randomizer_t *randomizer; - chunk_t random_bytes; + chunk_t random; + status_t status; /* public functions */ this->public.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; @@ -569,44 +553,37 @@ diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number) this->public.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group; this->public.destroy = (void (*)(diffie_hellman_t *)) destroy; - /* private functions */ - this->set_modulus = set_modulus; - this->compute_public_value = compute_public_value; - this->compute_shared_secret = compute_shared_secret; - /* private variables */ - this->dh_group_number = dh_group_number; - mpz_init(this->modulus); - mpz_init(this->other_public_value); - mpz_init(this->my_private_value); + this->group = group; + mpz_init(this->p); + mpz_init(this->yb); + mpz_init(this->ya); + mpz_init(this->xa); + mpz_init(this->zz); + mpz_init(this->g); + + this->computed = FALSE; - /* set this->modulus */ - if (this->set_modulus(this) != SUCCESS) + /* find a modulus according to group */ + if (set_modulus(this) != SUCCESS) { - free(this); + destroy(this); return NULL; } randomizer = randomizer_create(); - if (randomizer == NULL) - { - free(this); - return NULL; - } - if (randomizer->allocate_pseudo_random_bytes(randomizer, this->modulus_length, &random_bytes) != SUCCESS) + status = randomizer->allocate_pseudo_random_bytes( + randomizer, this->p_len, &random); + randomizer->destroy(randomizer); + if (status != SUCCESS) { - randomizer->destroy(randomizer); - free(this); + destroy(this); return NULL; } + mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr); + chunk_free(&random); - mpz_import(this->my_private_value, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr); - chunk_free(&random_bytes); + mpz_powm(this->ya, this->g, this->xa, this->p); - randomizer->destroy(randomizer); - - this->compute_public_value(this); - - this->shared_secret_is_computed = FALSE; - - return &(this->public); + return &this->public; } + diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h index 29a2ab45b..8cd06d60e 100644 --- a/src/libstrongswan/crypto/diffie_hellman.h +++ b/src/libstrongswan/crypto/diffie_hellman.h @@ -6,7 +6,7 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -36,7 +36,7 @@ typedef struct diffie_hellman_t diffie_hellman_t; * * See IKEv2 RFC 3.3.2 and RFC 3526. * - * @ingroup transforms + * @ingroup crypto */ enum diffie_hellman_group_t { MODP_NONE = 0, @@ -56,76 +56,74 @@ enum diffie_hellman_group_t { extern enum_name_t *diffie_hellman_group_names; /** - * @brief Implementation of the widely used Diffie-Hellman algorithm. + * @brief Implementation of the Diffie-Hellman algorithm, as in RFC2631. * * @b Constructors: * - diffie_hellman_create() * - * @ingroup transforms + * @ingroup crypto */ struct diffie_hellman_t { /** * @brief Returns the shared secret of this diffie hellman exchange. * - * @warning Space for returned secret is allocated and must be + * Space for returned secret is allocated and must be * freed by the caller. * - * @param this calling diffie_hellman_t object - * @param[out] secret shared secret will be written into this chunk + * @param this calling object + * @param secret shared secret will be written into this chunk * @return - * - SUCCESS - * - FAILED if not both DH values are set + * - SUCCESS + * - FAILED if not both DH values are set */ status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret); /** * @brief Sets the public value of partner. * - * chunk gets cloned and can be destroyed afterwards. + * Chunk gets cloned and can be destroyed afterwards. * - * @param this calling diffie_hellman_t object - * @param public_value public value of partner + * @param this calling object + * @param value public value of partner */ - void (*set_other_public_value) (diffie_hellman_t *this, chunk_t public_value); + void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value); /** * @brief Gets the public value of partner. * - * @warning Space for returned chunk is allocated and must be - * freed by the caller. + * Space for returned chunk is allocated and must be freed by the caller. * - * @param this calling diffie_hellman_t object - * @param[out] public_value public value of partner is stored at this location + * @param this calling object + * @param value public value of partner is stored at this location * @return - * - SUCCESS - * - FAILED if other public value not set + * - SUCCESS + * - FAILED if other public value not set */ - status_t (*get_other_public_value) (diffie_hellman_t *this, chunk_t *public_value); + status_t (*get_other_public_value) (diffie_hellman_t *this, chunk_t *value); /** - * @brief Gets the public value of caller + * @brief Gets the own public value to transmit. * - * @warning Space for returned chunk is allocated and must be - * freed by the caller. + * Space for returned chunk is allocated and must be freed by the caller. * - * @param this calling diffie_hellman_t object - * @param[out] public_value public value of caller is stored at this location + * @param this calling object + * @param value public value of caller is stored at this location */ - void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *public_value); + void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value); /** * @brief Get the DH group used. * - * @param this calling diffie_hellman_t object - * @return DH group set in construction + * @param this calling object + * @return DH group set in construction */ diffie_hellman_group_t (*get_dh_group) (diffie_hellman_t *this); /** * @brief Destroys an diffie_hellman_t object. * - * @param this diffie_hellman_t object to destroy + * @param this diffie_hellman_t object to destroy */ void (*destroy) (diffie_hellman_t *this); }; @@ -133,15 +131,14 @@ struct diffie_hellman_t { /** * @brief Creates a new diffie_hellman_t object. * - * The first diffie hellman public value gets automatically created. - * - * @param dh_group_number Diffie Hellman group number to use + * @param group Diffie Hellman group number to use * @return - * - diffie_hellman_t object - * - NULL if dh group not supported + * - diffie_hellman_t object + * - NULL if dh group not supported * - * @ingroup transforms + * @ingroup crypto */ -diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number); +diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t group); #endif /*DIFFIE_HELLMAN_H_*/ + diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 7fa6346d6..14bfb022f 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -19,17 +19,21 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: hasher.c 3304 2007-10-12 23:18:42Z andreas $ */ #include "hasher.h" +#include <asn1/oid.h> #include <crypto/hashers/sha1_hasher.h> #include <crypto/hashers/sha2_hasher.h> #include <crypto/hashers/md5_hasher.h> -ENUM(hash_algorithm_names, HASH_MD2, HASH_SHA512, +ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512, + "HASH_UNKNOWN", "HASH_MD2", "HASH_MD5", "HASH_SHA1", @@ -63,3 +67,76 @@ hasher_t *hasher_create(hash_algorithm_t hash_algorithm) return NULL; } } + +/* + * Described in header. + */ +hash_algorithm_t hasher_algorithm_from_oid(int oid) +{ + hash_algorithm_t algorithm; + + switch (oid) + { + case OID_MD2: + case OID_MD2_WITH_RSA: + algorithm = HASH_MD2; + break; + case OID_MD5: + case OID_MD5_WITH_RSA: + algorithm = HASH_MD5; + break; + case OID_SHA1: + case OID_SHA1_WITH_RSA: + algorithm = HASH_SHA1; + break; + case OID_SHA256: + case OID_SHA256_WITH_RSA: + algorithm = HASH_SHA256; + break; + case OID_SHA384: + case OID_SHA384_WITH_RSA: + algorithm = HASH_SHA384; + break; + case OID_SHA512: + case OID_SHA512_WITH_RSA: + algorithm = HASH_SHA512; + break; + default: + algorithm = HASH_UNKNOWN; + } + return algorithm; +} + +/* + * Described in header. + */ +int hasher_signature_algorithm_to_oid(hash_algorithm_t alg) +{ + int oid; + + switch (alg) + { + case HASH_MD2: + oid = OID_MD2_WITH_RSA; + break; + case HASH_MD5: + oid = OID_MD5_WITH_RSA; + break; + case HASH_SHA1: + oid = OID_SHA1_WITH_RSA; + break; + case HASH_SHA256: + oid = OID_SHA256_WITH_RSA; + break; + case HASH_SHA384: + oid = OID_SHA384_WITH_RSA; + break; + case HASH_SHA512: + oid = OID_SHA512_WITH_RSA; + break; + default: + oid = OID_UNKNOWN; + } + return oid; +} + diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 6c17f892d..48b904576 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -19,6 +19,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: hasher.h 3307 2007-10-17 02:56:24Z andreas $ */ #ifndef HASHER_H_ @@ -42,17 +44,18 @@ typedef struct hasher_t hasher_t; * @ingroup hashers */ enum hash_algorithm_t { - HASH_MD2 = 0, + HASH_UNKNOWN = 0, + HASH_MD2 = 1, /** Implemented in class md5_hasher_t */ - HASH_MD5 = 1, + HASH_MD5 = 2, /** Implemented in class sha1_hasher_t */ - HASH_SHA1 = 2, + HASH_SHA1 = 3, /** Implemented in class sha2_hasher_t */ - HASH_SHA256 = 3, + HASH_SHA256 = 4, /** Implemented in class sha2_hasher_t */ - HASH_SHA384 = 4, + HASH_SHA384 = 5, /** Implemented in class sha2_hasher_t */ - HASH_SHA512 = 5, + HASH_SHA512 = 6, }; #define HASH_SIZE_MD2 16 @@ -68,7 +71,6 @@ enum hash_algorithm_t { */ extern enum_name_t *hash_algorithm_names; - /** * @brief Generic interface for all hash functions. * @@ -82,7 +84,7 @@ struct hasher_t { * @brief Hash data and write it in the buffer. * * If the parameter hash is NULL, no result is written back - * an more data can be appended to already hashed data. + * and more data can be appended to already hashed data. * If not, the result is written back and the hasher is reset. * * The hash output parameter must hold at least @@ -98,7 +100,7 @@ struct hasher_t { * @brief Hash data and allocate space for the hash. * * If the parameter hash is NULL, no result is written back - * an more data can be appended to already hashed data. + * and more data can be appended to already hashed data. * If not, the result is written back and the hasher is reset. * * @param this calling object @@ -156,4 +158,28 @@ struct hasher_t { */ hasher_t *hasher_create(hash_algorithm_t hash_algorithm); +/** + * @brief Conversion of ASN.1 OID to hash algorithm. + * + * @param oid ASN.1 OID + * @return + * - hash algorithm + * - HASH_UNKNOWN if OID unsuported + * + * @ingroup hashers + */ +hash_algorithm_t hasher_algorithm_from_oid(int oid); + +/** + * @brief Conversion of hash signature algorithm ASN.1 OID. + * + * @param alg hash algorithm + * @return + * - ASN.1 OID if known hash algorithm + * - OID_UNKNOW + * + * @ingroup hashers + */ +int hasher_signature_algorithm_to_oid(hash_algorithm_t alg); + #endif /* HASHER_H_ */ diff --git a/src/libstrongswan/crypto/hmac.h b/src/libstrongswan/crypto/hmac.h index d320bc5aa..06b75aaf9 100644 --- a/src/libstrongswan/crypto/hmac.h +++ b/src/libstrongswan/crypto/hmac.h @@ -42,7 +42,7 @@ typedef struct hmac_t hmac_t; * @b Constructors: * - hmac_create() * - * @ingroup transforms + * @ingroup crypto */ struct hmac_t { /** diff --git a/src/libstrongswan/crypto/ietf_attr_list.c b/src/libstrongswan/crypto/ietf_attr_list.c new file mode 100644 index 000000000..1ecadf679 --- /dev/null +++ b/src/libstrongswan/crypto/ietf_attr_list.c @@ -0,0 +1,405 @@ +/** + * @file ietf_attr.c + * + * @brief Implementation of ietfAttr_t. + * + */ + +/* + * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> +#include <stdio.h> + +#include <debug.h> +#include <asn1/asn1.h> +#include <utils/lexparser.h> + +#include "ietf_attr_list.h" + +/** + * Private definition of ietfAttribute kinds + */ +typedef enum { + IETF_ATTRIBUTE_OCTETS = 0, + IETF_ATTRIBUTE_OID = 1, + IETF_ATTRIBUTE_STRING = 2 +} ietfAttribute_t; + +typedef struct ietfAttr_t ietfAttr_t; + +/** + * Private definition of an ietfAttribute + */ +struct ietfAttr_t { + /** + * IETF attribute kind + */ + ietfAttribute_t kind; + + /** + * IETF attribute valuse + */ + chunk_t value; + + /** + * Compares two ietfAttributes + * + * return -1 if this is earlier in the alphabet than other + * return 0 if this equals other + * return +1 if this is later in the alphabet than other + * + * @param this calling object + * @param other other object + */ + int (*compare) (const ietfAttr_t *this ,const ietfAttr_t *other); + + /** + * Destroys the ietfAttr_t object. + * + * @param this ietfAttr_t to destroy + */ + void (*destroy) (ietfAttr_t *this); +}; + +/** + * Implements ietfAttr_t.compare. + */ +static int ietfAttr_compare(const ietfAttr_t *this ,const ietfAttr_t *other) +{ + int cmp_len, len, cmp_value; + + /* OID attributes are appended after STRING and OCTETS attributes */ + if (this->kind != IETF_ATTRIBUTE_OID && other->kind == IETF_ATTRIBUTE_OID) + { + return -1; + } + if (this->kind == IETF_ATTRIBUTE_OID && other->kind != IETF_ATTRIBUTE_OID) + { + return 1; + } + + cmp_len = this->value.len - other->value.len; + len = (cmp_len < 0)? this->value.len : other->value.len; + cmp_value = memcmp(this->value.ptr, other->value.ptr, len); + + return (cmp_value == 0)? cmp_len : cmp_value; +} + +/** + * Implements ietfAttr_t.destroy. + */ +static void ietfAttr_destroy(ietfAttr_t *this) +{ + free(this->value.ptr); + free(this); +} + +/** + * Creates an ietfAttr_t object. + */ +static ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value) +{ + ietfAttr_t *this = malloc_thing(ietfAttr_t); + + /* initialize */ + this->kind = kind; + this->value = chunk_clone(value); + + /* function */ + this->compare = ietfAttr_compare; + this->destroy = ietfAttr_destroy; + + return this; +} + +/** + * Adds an ietfAttr_t object to a sorted linked list + */ +static void ietfAttr_add(linked_list_t *list, ietfAttr_t *attr) +{ + iterator_t *iterator = list->create_iterator(list, TRUE); + ietfAttr_t *current_attr; + bool found = FALSE; + + while (iterator->iterate(iterator, (void **)¤t_attr)) + { + int cmp = attr->compare(attr, current_attr); + + if (cmp > 0) + { + continue; + } + if (cmp == 0) + { + attr->destroy(attr); + } + else + { + iterator->insert_before(iterator, attr); + } + found = TRUE; + break; + } + iterator->destroy(iterator); + if (!found) + { + list->insert_last(list, attr); + } +} + +/* + * Described in header. + */ +bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b) +{ + bool result = TRUE; + + /* lists must have the same number of attributes */ + if (list_a->get_count(list_a) != list_b->get_count(list_b)) + { + return FALSE; + } + /* empty lists - no attributes */ + if (list_a->get_count(list_a) == 0) + { + return TRUE; + } + + /* compare two alphabetically-sorted lists */ + { + iterator_t *iterator_a = list_a->create_iterator(list_a, TRUE); + iterator_t *iterator_b = list_b->create_iterator(list_b, TRUE); + ietfAttr_t *attr_a, *attr_b; + + while (iterator_a->iterate(iterator_a, (void **)&attr_a) && + iterator_b->iterate(iterator_b, (void **)&attr_b)) + { + if (attr_a->compare(attr_a, attr_b) != 0) + { + /* we have a mismatch */ + result = FALSE; + break; + } + } + iterator_a->destroy(iterator_a); + iterator_b->destroy(iterator_b); + } + return result; +} + +/* + * Described in header. + */ +void ietfAttr_list_list(linked_list_t *list, FILE *out) +{ + iterator_t *iterator = list->create_iterator(list, TRUE); + ietfAttr_t *attr; + bool first = TRUE; + + while (iterator->iterate(iterator, (void **)&attr)) + { + if (first) + { + first = FALSE; + } + else + { + fprintf(out, ", "); + } + + switch (attr->kind) + { + case IETF_ATTRIBUTE_OCTETS: + case IETF_ATTRIBUTE_STRING: + fprintf(out, "%.*s", (int)attr->value.len, attr->value.ptr); + break; + case IETF_ATTRIBUTE_OID: + { + int oid = known_oid(attr->value); + + if (oid == OID_UNKNOWN) + { + fprintf(out, "0x#B", &attr->value); + } + else + { + fprintf(out, "%s", oid_names[oid]); + } + } + break; + default: + break; + } + } + iterator->destroy(iterator); +} + +/* + * Described in header. + */ +void ietfAttr_list_create_from_string(char *msg, linked_list_t *list) +{ + chunk_t line = { msg, strlen(msg) }; + + while (eat_whitespace(&line)) + { + chunk_t group; + + /* extract the next comma-separated group attribute */ + if (!extract_token(&group, ',', &line)) + { + group = line; + line.len = 0; + } + + /* remove any trailing spaces */ + while (group.len > 0 && *(group.ptr + group.len - 1) == ' ') + { + group.len--; + } + + /* add the group attribute to the list */ + if (group.len > 0) + { + ietfAttr_t *attr = ietfAttr_create(IETF_ATTRIBUTE_STRING, group); + + ietfAttr_add(list, attr); + } + } +} + +/** + * ASN.1 definition of ietfAttrSyntax + */ +static const asn1Object_t ietfAttrSyntaxObjects[] = +{ + { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_BODY }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ + { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | + ASN1_BODY }, /* 4 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ + { 2, "oid", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 6 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 2, "string", ASN1_UTF8STRING, ASN1_OPT | + ASN1_BODY }, /* 8 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ + { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */ +}; + +#define IETF_ATTR_OCTETS 4 +#define IETF_ATTR_OID 6 +#define IETF_ATTR_STRING 8 +#define IETF_ATTR_ROOF 11 + +/* + * Described in header. + */ +void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 0; + + asn1_init(&ctx, chunk, level0, FALSE, FALSE); + + while (objectID < IETF_ATTR_ROOF) + { + if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx)) + { + return; + } + + switch (objectID) + { + case IETF_ATTR_OCTETS: + case IETF_ATTR_OID: + case IETF_ATTR_STRING: + { + ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2; + ietfAttr_t *attr = ietfAttr_create(kind, object); + ietfAttr_add(list, attr); + } + break; + default: + break; + } + objectID++; + } +} + +/* + * Described in header. + */ +chunk_t ietfAttr_list_encode(linked_list_t *list) +{ + chunk_t ietfAttributes; + size_t size = 0; + u_char *pos; + iterator_t *iterator = list->create_iterator(list, TRUE); + ietfAttr_t *attr; + + /* precalculate the total size of all values */ + while (iterator->iterate(iterator, (void **)&attr)) + { + size_t len = attr->value.len; + + size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; + } + iterator->destroy(iterator); + + pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size); + + iterator = list->create_iterator(list, TRUE); + while (iterator->iterate(iterator, (void **)&attr)) + { + chunk_t ietfAttribute; + asn1_t type = ASN1_NULL; + + switch (attr->kind) + { + case IETF_ATTRIBUTE_OCTETS: + type = ASN1_OCTET_STRING; + break; + case IETF_ATTRIBUTE_STRING: + type = ASN1_UTF8STRING; + break; + case IETF_ATTRIBUTE_OID: + type = ASN1_OID; + break; + } + ietfAttribute = asn1_simple_object(type, attr->value); + + /* copy ietfAttribute into ietfAttributes chunk */ + memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); + pos += ietfAttribute.len; + free(ietfAttribute.ptr); + } + iterator->destroy(iterator); + + return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes); +} + +/* + * Described in header. + */ +void ietfAttr_list_destroy(linked_list_t *list) +{ + list->destroy_offset(list, offsetof(ietfAttr_t, destroy)); +} diff --git a/src/libstrongswan/crypto/ietf_attr_list.h b/src/libstrongswan/crypto/ietf_attr_list.h new file mode 100644 index 000000000..75407bbf6 --- /dev/null +++ b/src/libstrongswan/crypto/ietf_attr_list.h @@ -0,0 +1,89 @@ +/** + * @file ietf_attr_list.h + * + * @brief Handling of ietfAttr_t linked lists + * + */ + +/* + * Copyright (C) 2007 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef IETF_ATTR_LIST_H_ +#define IETF_ATTR_LIST_H_ + +#include <library.h> +#include <utils/linked_list.h> + + +/** + * @brief Compare two linked lists of ietfAttr_t objects for equality + * + * @param list_a first alphabetically-sorted list + * @param list_b second alphabetically-sorted list + * @return TRUE if equal + * + * @ingroup crypto + */ +bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b); + +/** + * @brief Lists a linked list of ietfAttr_t objects + * + * @param list alphabetically-sorted linked list of attributes + @param out output file + * + * @ingroup crypto + */ +void ietfAttr_list_list(linked_list_t *list, FILE *out); + +/** + * @brief Create a linked list of ietfAttr_t objects from a string + * + * @param msg string with comma-separated group names + * @param list alphabetically-sorted linked list of attributes + * + * @ingroup crypto + */ +void ietfAttr_list_create_from_string(char *msg, linked_list_t *list); + +/** + * @brief Create a linked list of ietfAttr_t objects from an ASN.1-coded chunk + * + * @param chunk chunk containing ASN.1-coded attributes + * @param list alphabetically-sorted linked list of attributes + * @param level0 parsing level + */ +void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0); + +/** + * @brief Encode a linked list of ietfAttr_t objects into an ASN.1-coded chunk + * + * @param list alphabetically-sorted linked list of attributes + * @return chunk containing ASN.1-coded attributes + */ +chunk_t ietfAttr_list_encode(linked_list_t *list); + +/** + * @brief Destroys a linked list of ietfAttr_t objects + * + * @param list list to be destroyed + * + * @ingroup crypto + */ +void ietfAttr_list_destroy(linked_list_t *list); + +#endif /* IETF_ATTR_LIST_H_ */ + diff --git a/src/libstrongswan/crypto/ocsp.c b/src/libstrongswan/crypto/ocsp.c index 0d8093e4a..e4d907188 100644 --- a/src/libstrongswan/crypto/ocsp.c +++ b/src/libstrongswan/crypto/ocsp.c @@ -466,11 +466,11 @@ static chunk_t ocsp_build_request(private_ocsp_t *this) static bool ocsp_parse_basic_response(chunk_t blob, int level0, response_t *res) { u_int level, version; - u_int extn_oid = OID_UNKNOWN; asn1_ctx_t ctx; bool critical; chunk_t object; int objectID = 0; + int extn_oid = OID_UNKNOWN; asn1_init(&ctx, blob, level0, FALSE, FALSE); @@ -546,9 +546,8 @@ static response_status ocsp_parse_response(response_t *res) chunk_t object; u_int level; int objectID = 0; - + int ocspResponseType = OID_UNKNOWN; response_status rStatus = STATUS_INTERNALERROR; - u_int ocspResponseType = OID_UNKNOWN; asn1_init(&ctx, res->chunk, 0, FALSE, FALSE); @@ -615,6 +614,13 @@ static bool ocsp_valid_response(response_t *res, x509_t *ocsp_cert) rsa_public_key_t *public_key; time_t until = UNDEFINED_TIME; err_t ugh; + hash_algorithm_t algorithm = hasher_algorithm_from_oid(res->algorithm); + + if (algorithm == HASH_UNKNOWN) + { + DBG1("unknown signature algorithm"); + return FALSE; + } DBG2("verifying ocsp response signature:"); DBG2("signer: '%D'", ocsp_cert->get_subject(ocsp_cert)); @@ -627,8 +633,8 @@ static bool ocsp_valid_response(response_t *res, x509_t *ocsp_cert) return FALSE; } public_key = ocsp_cert->get_public_key(ocsp_cert); - - return public_key->verify_emsa_pkcs1_signature(public_key, res->tbs, res->signature) == SUCCESS; + + return public_key->verify_emsa_pkcs1_signature(public_key, algorithm, res->tbs, res->signature) == SUCCESS; } /** diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c new file mode 100644 index 000000000..70510471a --- /dev/null +++ b/src/libstrongswan/crypto/pkcs7.c @@ -0,0 +1,710 @@ +/** + * @file pkcs7.c + * + * @brief Implementation of pkcs7_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Copyright (C) 2002-2005 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: pkcs7.c 3302 2007-10-12 21:57:20Z andreas $ + */ + +#include <stdlib.h> +#include <string.h> + +#include <library.h> +#include "debug.h" + +#include <asn1/asn1.h> +#include <asn1/oid.h> +#include <crypto/x509.h> +#include <crypto/hashers/hasher.h> +#include <crypto/crypters/crypter.h> +#include <utils/linked_list.h> + +#include "pkcs7.h" + +typedef struct private_pkcs7_t private_pkcs7_t; + +/** + * Private data of a pkcs7_t object. + */ +struct private_pkcs7_t { + /** + * Public interface for this certificate. + */ + pkcs7_t public; + + /** + * contentInfo type + */ + int type; + + /** + * ASN.1 encoded content + */ + chunk_t content; + + /** + * Has the content already been parsed? + */ + bool parsed; + + /** + * ASN.1 parsing start level + */ + u_int level; + + /** + * retrieved data + */ + chunk_t data; + + /** + * ASN.1 encoded attributes + */ + chunk_t attributes; + + /** + * Linked list of X.509 certificates + */ + linked_list_t *certs; +}; + +/** + * ASN.1 definition of the PKCS#7 ContentInfo type + */ +static const asn1Object_t contentInfoObjects[] = { + { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */ + { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_BODY }, /* 2 */ + { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */ +}; + +#define PKCS7_INFO_TYPE 1 +#define PKCS7_INFO_CONTENT 2 +#define PKCS7_INFO_ROOF 4 + +/** + * ASN.1 definition of the PKCS#7 signedData type + */ +static const asn1Object_t signedDataObjects[] = { + { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */ + { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */ + { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */ + { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */ + { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_LOOP }, /* 6 */ + { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */ + { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */ + { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT | + ASN1_LOOP }, /* 9 */ + { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */ + { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */ + { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */ + { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */ + { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */ + { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */ + { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */ + { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */ + { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */ + { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_OBJ }, /* 19 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ + { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */ + { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */ + { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */ + { 1, "end loop", ASN1_EOC, ASN1_END } /* 25 */ +}; + +#define PKCS7_DIGEST_ALG 3 +#define PKCS7_SIGNED_CONTENT_INFO 5 +#define PKCS7_SIGNED_CERT 7 +#define PKCS7_SIGNER_INFO 13 +#define PKCS7_SIGNED_ISSUER 16 +#define PKCS7_SIGNED_SERIAL_NUMBER 17 +#define PKCS7_DIGEST_ALGORITHM 18 +#define PKCS7_AUTH_ATTRIBUTES 19 +#define PKCS7_DIGEST_ENC_ALGORITHM 21 +#define PKCS7_ENCRYPTED_DIGEST 22 +#define PKCS7_SIGNED_ROOF 26 + +/** + * ASN.1 definition of the PKCS#7 envelopedData type + */ +static const asn1Object_t envelopedDataObjects[] = { + { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */ + { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */ + { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */ + { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */ + { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */ + { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */ + { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */ + { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */ + { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ + { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */ + { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */ + { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */ + { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY } /* 14 */ +}; + +#define PKCS7_ENVELOPED_VERSION 1 +#define PKCS7_RECIPIENT_INFO_VERSION 4 +#define PKCS7_ISSUER 6 +#define PKCS7_SERIAL_NUMBER 7 +#define PKCS7_ENCRYPTION_ALG 8 +#define PKCS7_ENCRYPTED_KEY 9 +#define PKCS7_CONTENT_TYPE 12 +#define PKCS7_CONTENT_ENC_ALGORITHM 13 +#define PKCS7_ENCRYPTED_CONTENT 14 +#define PKCS7_ENVELOPED_ROOF 15 + +/** + * PKCS7 contentInfo OIDs + */ +static u_char ASN1_pkcs7_data_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01 +}; + +static u_char ASN1_pkcs7_signed_data_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 +}; + +static u_char ASN1_pkcs7_enveloped_data_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03 +}; + +static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04 +}; + +static u_char ASN1_pkcs7_digested_data_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05 +}; + +static char ASN1_pkcs7_encrypted_data_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06 +}; + +static const chunk_t ASN1_pkcs7_data_oid = + chunk_from_buf(ASN1_pkcs7_data_oid_str); +static const chunk_t ASN1_pkcs7_signed_data_oid = + chunk_from_buf(ASN1_pkcs7_signed_data_oid_str); +static const chunk_t ASN1_pkcs7_enveloped_data_oid = + chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str); +static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid = + chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str); +static const chunk_t ASN1_pkcs7_digested_data_oid = + chunk_from_buf(ASN1_pkcs7_digested_data_oid_str); +static const chunk_t ASN1_pkcs7_encrypted_data_oid = + chunk_from_buf(ASN1_pkcs7_encrypted_data_oid_str); + +/** + * 3DES and DES encryption OIDs + */ +static u_char ASN1_3des_ede_cbc_oid_str[] = { + 0x06, 0x08, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07 +}; + +static u_char ASN1_des_cbc_oid_str[] = { + 0x06, 0x05, + 0x2B, 0x0E, 0x03, 0x02, 0x07 +}; + +static const chunk_t ASN1_3des_ede_cbc_oid = + chunk_from_buf(ASN1_3des_ede_cbc_oid_str); +static const chunk_t ASN1_des_cbc_oid = + chunk_from_buf(ASN1_des_cbc_oid_str); + +/** + * PKCS#7 attribute type OIDs + */ +static u_char ASN1_contentType_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03 +}; + +static u_char ASN1_messageDigest_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04 +}; + +static const chunk_t ASN1_contentType_oid = + chunk_from_buf(ASN1_contentType_oid_str); +static const chunk_t ASN1_messageDigest_oid = + chunk_from_buf(ASN1_messageDigest_oid_str); + +/** + * Implements pkcs7_t.is_signedData. + */ +static bool is_data(private_pkcs7_t *this) +{ + return this->type == OID_PKCS7_DATA; +} + +/** + * Implements pkcs7_t.is_signedData. + */ +static bool is_signedData(private_pkcs7_t *this) +{ + return this->type == OID_PKCS7_SIGNED_DATA; +} + +/** + * Implements pkcs7_t.is_signedData. + */ +static bool is_envelopedData(private_pkcs7_t *this) +{ + return this->type == OID_PKCS7_ENVELOPED_DATA; +} + +/** + * Check whether to abort the requested parsing + */ +static bool abort_parsing(private_pkcs7_t *this, int type) +{ + if (this->type != type) + { + DBG1("pkcs7 content to be parsed is not of type '%s'", + oid_names[type]); + return TRUE; + } + if (this->parsed) + { + DBG1("pkcs7 content has already been parsed"); + return TRUE; + } + this->parsed = TRUE; + return FALSE; +} + +/** + * Implements pkcs7_t.parse_data. + */ +static bool parse_data(private_pkcs7_t *this) +{ + chunk_t data = this->content; + + if (abort_parsing(this, OID_PKCS7_DATA)) + { + return FALSE; + } + if (parse_asn1_simple_object(&data, ASN1_OCTET_STRING, this->level, "data")) + { + this->data = chunk_clone(data); + return TRUE; + } + else + { + return FALSE; + } +} + +/** + * Parse PKCS#7 signedData content + */ +static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 0; + + int digest_alg = OID_UNKNOWN; + int enc_alg = OID_UNKNOWN; + int signerInfos = 0; + + chunk_t encrypted_digest = chunk_empty; + + if (abort_parsing(this, OID_PKCS7_SIGNED_DATA)) + { + return FALSE; + } + + asn1_init(&ctx, this->content, this->level, FALSE, FALSE); + + while (objectID < PKCS7_SIGNED_ROOF) + { + if (!extract_object(signedDataObjects, &objectID, &object, &level, &ctx)) + { + return FALSE; + } + + switch (objectID) + { + case PKCS7_DIGEST_ALG: + digest_alg = parse_algorithmIdentifier(object, level, NULL); + break; + case PKCS7_SIGNED_CONTENT_INFO: + this->data = chunk_clone(object); + break; + case PKCS7_SIGNED_CERT: + { + x509_t *cert = x509_create_from_chunk(object, level+1); + + if (cert) + { + this->certs->insert_last(this->certs, (void*)cert); + } + } + break; + case PKCS7_SIGNER_INFO: + signerInfos++; + DBG2(" signer #%d", signerInfos); + break; + case PKCS7_SIGNED_ISSUER: + { + identification_t *issuer; + + issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); + DBG2(" '%D'", issuer); + issuer->destroy(issuer); + } + break; + case PKCS7_AUTH_ATTRIBUTES: + this->attributes = object; + *this->attributes.ptr = ASN1_SET; + break; + case PKCS7_DIGEST_ALGORITHM: + digest_alg = parse_algorithmIdentifier(object, level, NULL); + break; + case PKCS7_DIGEST_ENC_ALGORITHM: + enc_alg = parse_algorithmIdentifier(object, level, NULL); + break; + case PKCS7_ENCRYPTED_DIGEST: + encrypted_digest = object; + } + objectID++; + } + + /* check the signature only if a cacert is available */ + if (cacert != NULL) + { + rsa_public_key_t *signer = cacert->get_public_key(cacert); + hash_algorithm_t algorithm = hasher_algorithm_from_oid(digest_alg); + + if (signerInfos == 0) + { + DBG1("no signerInfo object found"); + return FALSE; + } + else if (signerInfos > 1) + { + DBG1("more than one signerInfo object found"); + return FALSE; + } + if (this->attributes.ptr == NULL) + { + DBG1("no authenticatedAttributes object found"); + return FALSE; + } + if (enc_alg != OID_RSA_ENCRYPTION) + { + DBG1("only RSA digest encryption supported"); + return FALSE; + } + if (signer->verify_emsa_pkcs1_signature(signer, algorithm, + this->attributes, encrypted_digest) != SUCCESS) + { + DBG1("invalid digest signature"); + return FALSE; + } + else + { + DBG2("digest signature is valid"); + } + } + return TRUE; +} + +/** + * Parse PKCS#7 envelopedData content + */ +static bool parse_envelopedData(private_pkcs7_t *this, chunk_t serialNumber, + rsa_private_key_t *key) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 0; + + chunk_t iv = chunk_empty; + chunk_t symmetric_key = chunk_empty; + chunk_t encrypted_content = chunk_empty; + + crypter_t *crypter = NULL; + + if (abort_parsing(this, OID_PKCS7_ENVELOPED_DATA)) + { + return FALSE; + } + + asn1_init(&ctx, this->content, this->level, FALSE, FALSE); + + while (objectID < PKCS7_ENVELOPED_ROOF) + { + if (!extract_object(envelopedDataObjects, &objectID, &object, &level, &ctx)) + { + goto failed; + } + + switch (objectID) + { + case PKCS7_ENVELOPED_VERSION: + if (*object.ptr != 0) + { + DBG1("envelopedData version is not 0"); + goto failed; + } + break; + case PKCS7_RECIPIENT_INFO_VERSION: + if (*object.ptr != 0) + { + DBG1("recipient info version is not 0"); + goto failed; + } + break; + case PKCS7_ISSUER: + { + identification_t *issuer; + + issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); + DBG2(" '%D'", issuer); + issuer->destroy(issuer); + } + break; + case PKCS7_SERIAL_NUMBER: + if (!chunk_equals(serialNumber, object)) + { + DBG1("serial numbers do not match"); + goto failed; + } + break; + case PKCS7_ENCRYPTION_ALG: + { + int alg = parse_algorithmIdentifier(object, level, NULL); + + if (alg != OID_RSA_ENCRYPTION) + { + DBG1("only rsa encryption supported"); + goto failed; + } + } + break; + case PKCS7_ENCRYPTED_KEY: + if (key->pkcs1_decrypt(key, object, &symmetric_key) != SUCCESS) + { + DBG1("symmetric key could not be decrypted with rsa"); + goto failed; + } + DBG4("symmetric key : %B", &symmetric_key); + break; + case PKCS7_CONTENT_TYPE: + if (known_oid(object) != OID_PKCS7_DATA) + { + DBG1("encrypted content not of type pkcs7 data"); + goto failed; + } + break; + case PKCS7_CONTENT_ENC_ALGORITHM: + { + int alg = parse_algorithmIdentifier(object, level, &iv); + + switch (alg) + { + case OID_DES_CBC: + crypter = crypter_create(ENCR_DES, 0); + break; + case OID_3DES_EDE_CBC: + crypter = crypter_create(ENCR_3DES, 0); + break; + default: + DBG1("Only DES and 3DES supported for symmetric encryption"); + goto failed; + } + if (symmetric_key.len != crypter->get_key_size(crypter)) + { + DBG1("symmetric key has wrong length"); + goto failed; + } + if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV")) + { + DBG1("IV could not be parsed"); + goto failed; + } + if (iv.len != crypter->get_block_size(crypter)) + { + DBG1("IV has wrong length"); + goto failed; + } + } + break; + case PKCS7_ENCRYPTED_CONTENT: + encrypted_content = object; + break; + } + objectID++; + } + + /* decrypt the content */ + crypter->decrypt(crypter, encrypted_content, iv, &this->data); + DBG4("decrypted content with padding: %B", &this->data); + + /* remove the padding */ + { + u_char *pos = this->data.ptr + this->data.len - 1; + u_char pattern = *pos; + size_t padding = pattern; + + if (padding > this->data.len) + { + DBG1("padding greater than data length"); + goto failed; + } + this->data.len -= padding; + + while (padding-- > 0) + { + if (*pos-- != pattern) + { + DBG1("wrong padding pattern"); + goto failed; + } + } + } + crypter->destroy(crypter); + free(symmetric_key.ptr); + return TRUE; + +failed: + DESTROY_IF(crypter); + free(symmetric_key.ptr); + chunk_free(&this->data); + return FALSE; +} + +/** + * Implements pkcs7_t.get_data + */ +static chunk_t get_data(private_pkcs7_t *this) +{ + return this->data; +} + +/** + * Implements pkcs_t.create_crluri_iterator + */ +static iterator_t *create_certificate_iterator(const private_pkcs7_t *this) +{ + return this->certs->create_iterator(this->certs, TRUE); +} + +/** + * Implements pkcs7_t.destroy + */ +static void destroy(private_pkcs7_t *this) +{ + this->certs->destroy_offset(this->certs, offsetof(x509_t, destroy)); + free(this->data.ptr); + free(this); +} + +/** + * Parse PKCS#7 contentInfo object + */ +static bool parse_contentInfo(chunk_t blob, u_int level0, private_pkcs7_t *cInfo) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 0; + + asn1_init(&ctx, blob, level0, FALSE, FALSE); + + while (objectID < PKCS7_INFO_ROOF) + { + if (!extract_object(contentInfoObjects, &objectID, &object, &level, &ctx)) + { + return FALSE; + } + + if (objectID == PKCS7_INFO_TYPE) + { + cInfo->type = known_oid(object); + if (cInfo->type < OID_PKCS7_DATA + || cInfo->type > OID_PKCS7_ENCRYPTED_DATA) + { + DBG1("unknown pkcs7 content type"); + return FALSE; + } + } + else if (objectID == PKCS7_INFO_CONTENT) + { + cInfo->content = object; + } + objectID++; + } + return TRUE; +} + +/* + * Described in header. + */ +pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) +{ + private_pkcs7_t *this = malloc_thing(private_pkcs7_t); + + /* initialize */ + this->type = OID_UNKNOWN; + this->content = chunk_empty; + this->parsed = FALSE; + this->level = level + 2; + this->data = chunk_empty; + this->attributes = chunk_empty; + this->certs = linked_list_create(); + + /*public functions */ + this->public.is_data = (bool (*) (pkcs7_t*))is_data; + this->public.is_signedData = (bool (*) (pkcs7_t*))is_signedData; + this->public.is_envelopedData = (bool (*) (pkcs7_t*))is_envelopedData; + this->public.parse_data = (bool (*) (pkcs7_t*))parse_data; + this->public.parse_signedData = (bool (*) (pkcs7_t*,x509_t*))parse_signedData; + this->public.parse_envelopedData = (bool (*) (pkcs7_t*,chunk_t,rsa_private_key_t*))parse_envelopedData; + this->public.get_data = (chunk_t (*) (pkcs7_t*))get_data; + this->public.create_certificate_iterator = (iterator_t* (*) (pkcs7_t*))create_certificate_iterator; + this->public.destroy = (void (*) (pkcs7_t*))destroy; + + if (!parse_contentInfo(chunk, level, this)) + { + destroy(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h new file mode 100644 index 000000000..c8434225a --- /dev/null +++ b/src/libstrongswan/crypto/pkcs7.h @@ -0,0 +1,132 @@ +/** + * @file pkcs7.h + * + * @brief Interface of pkcs7_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Copyright (C) 2002-2007 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: pkcs7.h 3302 2007-10-12 21:57:20Z andreas $ + */ + +#ifndef _PKCS7_H +#define _PKCS7_H + +typedef struct pkcs7_t pkcs7_t; + +#include <library.h> +#include <crypto/x509.h> +#include <crypto/rsa/rsa_private_key.h> +#include <utils/iterator.h> + +/** + * @brief PKCS#7 contentInfo object. + * + * @b Constructors: + * -pkcs7_create_from_chunk() + * + * @ingroup crypto + */ +struct pkcs7_t { + /** + * @brief Check if the PKCS#7 contentType is data + * + * @param this calling object + * @return TRUE if the contentType is data + */ + bool (*is_data) (pkcs7_t *this); + + /** + * @brief Check if the PKCS#7 contentType is signedData + * + * @param this calling object + * @return TRUE if the contentType is signedData + */ + bool (*is_signedData) (pkcs7_t *this); + + /** + * @brief Check if the PKCS#7 contentType is envelopedData + * + * @param this calling object + * @return TRUE if the contentType is envelopedData + */ + bool (*is_envelopedData) (pkcs7_t *this); + + /** + * @brief Parse a PKCS#7 data content. + * + * @param this calling object + * @return TRUE if parsing was successful + */ + bool (*parse_data) (pkcs7_t *this); + + /** + * @brief Parse a PKCS#7 signedData content. + * + * @param this calling object + * @param cacert cacert used to verify the signature + * @return TRUE if parsing was successful + */ + bool (*parse_signedData) (pkcs7_t *this, x509_t *cacert); + + /** + * @brief Parse a PKCS#7 envelopedData content. + * + * @param this calling object + * @param serialNumber serialNumber of the request + * @param key RSA private key used to decrypt the symmetric key + * @return TRUE if parsing was successful + */ + bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber, rsa_private_key_t *key); + + /** + * @brief Returns the parsed data object + * + * @param this calling object + * @return chunk containing the data object + */ + chunk_t (*get_data) (pkcs7_t *this); + + /** + * @brief Create an iterator for the certificates. + * + * @param this calling object + * @return iterator for the certificates + */ + iterator_t *(*create_certificate_iterator) (pkcs7_t *this); + + /** + * @brief Destroys the contentInfo object. + * + * @param this PKCS#7 contentInfo object to destroy + */ + void (*destroy) (pkcs7_t *this); +}; + +/** + * @brief Read a PKCS#7 contentInfo object from a DER encoded chunk. + * + * @param chunk chunk containing DER encoded data + * @param level ASN.1 parsing start level + * @return created pkcs7_contentInfo object, or NULL if invalid. + * + * @ingroup crypto + */ +pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level); + +#endif /* _PKCS7_H */ diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.c b/src/libstrongswan/crypto/rsa/rsa_private_key.c index 5b1647965..ec2f2fc74 100644 --- a/src/libstrongswan/crypto/rsa/rsa_private_key.c +++ b/src/libstrongswan/crypto/rsa/rsa_private_key.c @@ -19,6 +19,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: rsa_private_key.c 3306 2007-10-17 02:55:53Z andreas $ */ #include <gmp.h> @@ -29,33 +31,21 @@ #include "rsa_public_key.h" #include "rsa_private_key.h" +#include <debug.h> #include <asn1/asn1.h> #include <asn1/pem.h> #include <utils/randomizer.h> /** - * OIDs for hash algorithms are defined in rsa_public_key.c. - */ -extern u_int8_t md2_oid[18]; -extern u_int8_t md5_oid[18]; -extern u_int8_t sha1_oid[15]; -extern u_int8_t sha256_oid[19]; -extern u_int8_t sha384_oid[19]; -extern u_int8_t sha512_oid[19]; - - -/** * defined in rsa_public_key.c */ extern chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e); - /** * Public exponent to use for key generation. */ #define PUBLIC_EXPONENT 0x10001 - typedef struct private_rsa_private_key_t private_rsa_private_key_t; /** @@ -153,23 +143,23 @@ struct private_rsa_private_key_t { /* ASN.1 definition of a PKCS#1 RSA private key */ static const asn1Object_t privkey_objects[] = { - { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */ - { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */ - { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */ - { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */ - { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */ - { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */ - { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */ - { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */ - { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */ - { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT | - ASN1_LOOP }, /* 10 */ - { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */ - { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */ - { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */ - { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */ - { 1, "end opt or loop", ASN1_EOC, ASN1_END } /* 15 */ + { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */ + { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */ + { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */ + { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */ + { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */ + { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */ + { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */ + { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */ + { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */ + { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT | + ASN1_LOOP }, /* 10 */ + { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */ + { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */ + { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */ + { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */ + { 1, "end opt or loop", ASN1_EOC, ASN1_END } /* 15 */ }; #define PRIV_KEY_VERSION 1 @@ -186,6 +176,26 @@ static const asn1Object_t privkey_objects[] = { static private_rsa_private_key_t *rsa_private_key_create_empty(void); /** + * Auxiliary function overwriting private key material with + * pseudo-random bytes before releasing it + */ +static void mpz_clear_randomized(mpz_t z) +{ + size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE; + u_int8_t *random_bytes = alloca(len); + + randomizer_t *randomizer = randomizer_create(); + + randomizer->get_pseudo_random_bytes(randomizer, len, random_bytes); + + /* overwrite mpz_t with pseudo-random bytes before clearing it */ + mpz_import(z, len, 1, 1, 1, 0, random_bytes); + mpz_clear(z); + + randomizer->destroy(randomizer); +} + +/** * Implementation of private_rsa_private_key_t.compute_prime. */ static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime) @@ -216,7 +226,8 @@ static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size /* get next prime */ mpz_nextprime (*prime, *prime); - free(random_bytes.ptr); + /* free the random_bytes after overwriting them with a pseudo-random sequence */ + chunk_free_randomized(&random_bytes); } /* check if it isnt too large */ while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size); @@ -251,59 +262,96 @@ static chunk_t rsadp(private_rsa_private_key_t *this, chunk_t data) decrypted.len = this->k; decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1); - mpz_clear(t1); - mpz_clear(t2); + mpz_clear_randomized(t1); + mpz_clear_randomized(t2); return decrypted; } /** - * Implementation of rsa_private_key.build_emsa_signature. + * Implementation of rsa_private_key_t.eme_pkcs1_decrypt. */ -static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature) +static status_t pkcs1_decrypt(private_rsa_private_key_t *this, + chunk_t in, chunk_t *out) +{ + status_t status = FAILED; + chunk_t em, em_ori; + + /* decrypt the input data */ + em = em_ori = this->rsadp(this, in); + + /* PKCS#1 v1.5 EME encryption formatting + * EM = 00 || 02 || PS || 00 || M + * PS = pseudo-random nonzero octets + */ + + /* check for magic bytes */ + if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x02) + { + DBG1("incorrect padding - probably wrong RSA key"); + goto end; + } + em.ptr += 2; + em.len -= 2; + + /* the plaintext data starts after first 0x00 byte */ + while (em.len-- > 0 && *em.ptr++ != 0x00); + + if (em.len == 0) + { + DBG1("no plaintext data found"); + goto end; + } + + *out = chunk_clone(em); + status = SUCCESS; + +end: + free(em_ori.ptr); + return status; +} + +/** + * Implementation of rsa_private_key_t.build_emsa_pkcs1_signature. + */ +static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, + hash_algorithm_t hash_algorithm, + chunk_t data, chunk_t *signature) { hasher_t *hasher; - chunk_t hash; - chunk_t em; - chunk_t oid; + chunk_t em, digestInfo, hash_id, hash; /* get oid string prepended to hash */ switch (hash_algorithm) { case HASH_MD2: { - oid.ptr = md2_oid; - oid.len = sizeof(md2_oid); + hash_id =ASN1_md2_id; break; } case HASH_MD5: { - oid.ptr = md5_oid; - oid.len = sizeof(md5_oid); + hash_id = ASN1_md5_id; break; } case HASH_SHA1: { - oid.ptr = sha1_oid; - oid.len = sizeof(sha1_oid); + hash_id = ASN1_sha1_id; break; } case HASH_SHA256: { - oid.ptr = sha256_oid; - oid.len = sizeof(sha256_oid); + hash_id = ASN1_sha256_id; break; } case HASH_SHA384: { - oid.ptr = sha384_oid; - oid.len = sizeof(sha384_oid); + hash_id = ASN1_sha384_id; break; } case HASH_SHA512: { - oid.ptr = sha512_oid; - oid.len = sizeof(sha512_oid); + hash_id = ASN1_sha512_id; break; } default: @@ -323,10 +371,17 @@ static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash hasher->allocate_hash(hasher, data, &hash); hasher->destroy(hasher); + /* build DER-encoded digestInfo */ + digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm", + hash_id, + asn1_simple_object(ASN1_OCTET_STRING, hash) + ); + chunk_free(&hash); + /* build chunk to rsa-decrypt: * EM = 0x00 || 0x01 || PS || 0x00 || T. * PS = 0xFF padding, with length to fill em - * T = oid || hash + * T = encoded_hash */ em.len = this->k; em.ptr = malloc(em.len); @@ -336,78 +391,44 @@ static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash /* set magic bytes */ *(em.ptr) = 0x00; *(em.ptr+1) = 0x01; - *(em.ptr + em.len - hash.len - oid.len - 1) = 0x00; - /* set hash */ - memcpy(em.ptr + em.len - hash.len, hash.ptr, hash.len); - /* set oid */ - memcpy(em.ptr + em.len - hash.len - oid.len, oid.ptr, oid.len); - + *(em.ptr + em.len - digestInfo.len - 1) = 0x00; + /* set DER-encoded hash */ + memcpy(em.ptr + em.len - digestInfo.len, digestInfo.ptr, digestInfo.len); + /* build signature */ *signature = this->rsasp1(this, em); - free(hash.ptr); + free(digestInfo.ptr); free(em.ptr); return SUCCESS; } /** - * Implementation of rsa_private_key.get_key. + * Implementation of rsa_private_key_t.pkcs1_write. */ -static status_t get_key(private_rsa_private_key_t *this, chunk_t *key) -{ - chunk_t n, e, p, q, d, exp1, exp2, coeff; - - n.len = this->k; - n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n); - e.len = this->k; - e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e); - p.len = this->k; - p.ptr = mpz_export(NULL, NULL, 1, p.len, 1, 0, this->p); - q.len = this->k; - q.ptr = mpz_export(NULL, NULL, 1, q.len, 1, 0, this->q); - d.len = this->k; - d.ptr = mpz_export(NULL, NULL, 1, d.len, 1, 0, this->d); - exp1.len = this->k; - exp1.ptr = mpz_export(NULL, NULL, 1, exp1.len, 1, 0, this->exp1); - exp2.len = this->k; - exp2.ptr = mpz_export(NULL, NULL, 1, exp2.len, 1, 0, this->exp2); - coeff.len = this->k; - coeff.ptr = mpz_export(NULL, NULL, 1, coeff.len, 1, 0, this->coeff); - - key->len = this->k * 8; - key->ptr = malloc(key->len); - memcpy(key->ptr + this->k * 0, n.ptr , n.len); - memcpy(key->ptr + this->k * 1, e.ptr, e.len); - memcpy(key->ptr + this->k * 2, p.ptr, p.len); - memcpy(key->ptr + this->k * 3, q.ptr, q.len); - memcpy(key->ptr + this->k * 4, d.ptr, d.len); - memcpy(key->ptr + this->k * 5, exp1.ptr, exp1.len); - memcpy(key->ptr + this->k * 6, exp2.ptr, exp2.len); - memcpy(key->ptr + this->k * 7, coeff.ptr, coeff.len); - - free(n.ptr); - free(e.ptr); - free(p.ptr); - free(q.ptr); - free(d.ptr); - free(exp1.ptr); - free(exp2.ptr); - free(coeff.ptr); - - return SUCCESS; -} - -/** - * Implementation of rsa_private_key.save_key. - */ -static status_t save_key(private_rsa_private_key_t *this, char *file) +static bool pkcs1_write(private_rsa_private_key_t *this, const char *filename, bool force) { - return NOT_SUPPORTED; + bool status; + + chunk_t pkcs1 = asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", + ASN1_INTEGER_0, + asn1_integer_from_mpz(this->n), + asn1_integer_from_mpz(this->e), + asn1_integer_from_mpz(this->d), + asn1_integer_from_mpz(this->p), + asn1_integer_from_mpz(this->q), + asn1_integer_from_mpz(this->exp1), + asn1_integer_from_mpz(this->exp2), + asn1_integer_from_mpz(this->coeff)); + + status = chunk_write(pkcs1, filename, "pkcs1", 0066, force); + chunk_free_randomized(&pkcs1); + return status; } /** - * Implementation of rsa_private_key.get_public_key. + * Implementation of rsa_private_key_t.get_public_key. */ rsa_public_key_t *get_public_key(private_rsa_private_key_t *this) { @@ -510,47 +531,26 @@ static status_t check(private_rsa_private_key_t *this) status = FAILED; } - mpz_clear(t); - mpz_clear(u); - mpz_clear(q1); + mpz_clear_randomized(t); + mpz_clear_randomized(u); + mpz_clear_randomized(q1); return status; } /** - * Implementation of rsa_private_key.clone. - */ -static rsa_private_key_t* _clone(private_rsa_private_key_t *this) -{ - private_rsa_private_key_t *clone = rsa_private_key_create_empty(); - - mpz_init_set(clone->n, this->n); - mpz_init_set(clone->e, this->e); - mpz_init_set(clone->p, this->p); - mpz_init_set(clone->q, this->q); - mpz_init_set(clone->d, this->d); - mpz_init_set(clone->exp1, this->exp1); - mpz_init_set(clone->exp2, this->exp2); - mpz_init_set(clone->coeff, this->coeff); - clone->keyid = chunk_clone(this->keyid); - clone->k = this->k; - - return &clone->public; -} - -/** * Implementation of rsa_private_key.destroy. */ static void destroy(private_rsa_private_key_t *this) { - mpz_clear(this->n); - mpz_clear(this->e); - mpz_clear(this->p); - mpz_clear(this->q); - mpz_clear(this->d); - mpz_clear(this->exp1); - mpz_clear(this->exp2); - mpz_clear(this->coeff); - free(this->keyid.ptr); + mpz_clear_randomized(this->n); + mpz_clear_randomized(this->e); + mpz_clear_randomized(this->p); + mpz_clear_randomized(this->q); + mpz_clear_randomized(this->d); + mpz_clear_randomized(this->exp1); + mpz_clear_randomized(this->exp2); + mpz_clear_randomized(this->coeff); + chunk_free_randomized(&this->keyid); free(this); } @@ -562,12 +562,11 @@ static private_rsa_private_key_t *rsa_private_key_create_empty(void) private_rsa_private_key_t *this = malloc_thing(private_rsa_private_key_t); /* public functions */ + this->public.pkcs1_decrypt = (status_t (*) (rsa_private_key_t*,chunk_t,chunk_t*))pkcs1_decrypt; this->public.build_emsa_pkcs1_signature = (status_t (*) (rsa_private_key_t*,hash_algorithm_t,chunk_t,chunk_t*))build_emsa_pkcs1_signature; - this->public.get_key = (status_t (*) (rsa_private_key_t*,chunk_t*))get_key; - this->public.save_key = (status_t (*) (rsa_private_key_t*,char*))save_key; - this->public.get_public_key = (rsa_public_key_t *(*) (rsa_private_key_t*))get_public_key; + this->public.pkcs1_write = (bool (*) (rsa_private_key_t*,const char*,bool))pkcs1_write; + this->public.get_public_key = (rsa_public_key_t* (*) (rsa_private_key_t*))get_public_key; this->public.belongs_to = (bool (*) (rsa_private_key_t*,rsa_public_key_t*))belongs_to; - this->public.clone = (rsa_private_key_t*(*)(rsa_private_key_t*))_clone; this->public.destroy = (void (*) (rsa_private_key_t*))destroy; /* private functions */ @@ -575,6 +574,8 @@ static private_rsa_private_key_t *rsa_private_key_create_empty(void) this->rsasp1 = rsadp; /* same algorithm */ this->compute_prime = compute_prime; + this->keyid = chunk_empty; + return this; } @@ -613,9 +614,7 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size) /* Swapping Primes so p is larger then q */ if (mpz_cmp(p, q) < 0) { - mpz_set(t, p); - mpz_set(p, q); - mpz_set(q, t); + mpz_swap(p, q); } mpz_mul(n, p, q); /* n = p*q */ @@ -645,9 +644,9 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size) mpz_add(coeff, coeff, p); } - mpz_clear(q1); - mpz_clear(m); - mpz_clear(t); + mpz_clear_randomized(q1); + mpz_clear_randomized(m); + mpz_clear_randomized(t); /* apply values */ *(this->p) = *p; @@ -733,7 +732,7 @@ rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t blob) objectID++; } - this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8; + this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; /* form the keyid as a SHA-1 hash of a publicKeyInfo object */ { @@ -769,6 +768,6 @@ rsa_private_key_t *rsa_private_key_create_from_file(char *filename, chunk_t *pas return NULL; key = rsa_private_key_create_from_chunk(chunk); - free(chunk.ptr); + chunk_free_randomized(&chunk); return key; } diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.h b/src/libstrongswan/crypto/rsa/rsa_private_key.h index 9ec07704e..e5cf49810 100644 --- a/src/libstrongswan/crypto/rsa/rsa_private_key.h +++ b/src/libstrongswan/crypto/rsa/rsa_private_key.h @@ -19,6 +19,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: rsa_private_key.h 3296 2007-10-12 15:23:29Z andreas $ */ #ifndef RSA_PRIVATE_KEY_H_ @@ -42,13 +44,24 @@ typedef struct rsa_private_key_t rsa_private_key_t; * * @see rsa_public_key_t * - * @todo Implement get_key(), save_key(), get_public_key() - * * @ingroup rsa */ struct rsa_private_key_t { /** + * @brief Decrypt a data block based on EME-PKCS1 encoding. + * + * + * @param this calling object + * @param data encrypted input data + * @param out decrypted output data + * @return + * - SUCCESS + * - FAILED if padding is not correct + */ + status_t (*pkcs1_decrypt) (rsa_private_key_t *this, chunk_t in, chunk_t *out); + + /** * @brief Build a signature over a chunk using EMSA-PKCS1 encoding. * * This signature creates a hash using the specified hash algorithm, concatenates @@ -67,45 +80,17 @@ struct rsa_private_key_t { status_t (*build_emsa_pkcs1_signature) (rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature); /** - * @brief Gets the key. - * - * UNIMPLEMENTED! - * + * @brief Writes an RSA private key to a file in PKCS#1 format. + * * @param this calling object - * @param key key (in a propriarity format) - * @return - * - SUCCESS - * - INVALID_STATE, if key not set + * @param filename file to which the key should be written. + * @param force if TRUE overwrite existing file + * @return TRUE if successful - FALSE otherwise */ - status_t (*get_key) (rsa_private_key_t *this, chunk_t *key); + bool (*pkcs1_write) (rsa_private_key_t *this, const char *filename, bool force); /** - * @brief Saves a key to a file. - * - * Not implemented! - * - * @param this calling object - * @param file file to which the key should be written. - * @return NOT_SUPPORTED - */ - status_t (*save_key) (rsa_private_key_t *this, char *file); - - /** - * @brief Generate a new key. - * - * Generates a new private_key with specified key size - * - * @param this calling object - * @param key_size size of the key in bits - * @return - * - SUCCESS - * - INVALID_ARG if key_size invalid - */ - status_t (*generate_key) (rsa_private_key_t *this, size_t key_size); - - /** - * @brief Create a rsa_public_key_t with the public - * parts of the key. + * @brief Create a rsa_public_key_t with the public part of the key. * * @param this calling object * @return public_key @@ -125,14 +110,6 @@ struct rsa_private_key_t { bool (*belongs_to) (rsa_private_key_t *this, rsa_public_key_t *public); /** - * @brief Clone the private key. - * - * @param this private key to clone - * @return clone of this - */ - rsa_private_key_t *(*clone) (rsa_private_key_t *this); - - /** * @brief Destroys the private key. * * @param this private key to destroy diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.c b/src/libstrongswan/crypto/rsa/rsa_public_key.c index 38899670f..6f2158d2b 100644 --- a/src/libstrongswan/crypto/rsa/rsa_public_key.c +++ b/src/libstrongswan/crypto/rsa/rsa_public_key.c @@ -19,6 +19,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: rsa_public_key.c 3303 2007-10-12 22:49:39Z andreas $ */ #include <gmp.h> @@ -29,74 +31,13 @@ #include "rsa_public_key.h" +#include <debug.h> #include <crypto/hashers/hasher.h> #include <asn1/asn1.h> #include <asn1/pem.h> -/* - * For simplicity, we use these predefined values for hash algorithm OIDs - * These also contain the length of the appended hash - * These values are also used in rsa_private_key.c. - */ - -const u_int8_t md2_oid[] = { - 0x30,0x20, - 0x30,0x0c, - 0x06,0x08, - 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x02, - 0x05,0x00, - 0x04,0x10 -}; - -const u_int8_t md5_oid[] = { - 0x30,0x20, - 0x30,0x0c, - 0x06,0x08, - 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x05, - 0x05,0x00, - 0x04,0x10 -}; - -const u_int8_t sha1_oid[] = { - 0x30,0x21, - 0x30,0x09, - 0x06,0x05, - 0x2b,0x0e,0x03,0x02,0x1a, - 0x05,0x00, - 0x04,0x14 -}; - -const u_int8_t sha256_oid[] = { - 0x30,0x31, - 0x30,0x0d, - 0x06,0x09, - 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, - 0x05,0x00, - 0x04,0x20 -}; - -const u_int8_t sha384_oid[] = { - 0x30,0x41, - 0x30,0x0d, - 0x06,0x09, - 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02, - 0x05,0x00, - 0x04,0x30 -}; - -const u_int8_t sha512_oid[] = { - 0x30,0x51, - 0x30,0x0d, - 0x06,0x09, - 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03, - 0x05,0x00, - 0x04,0x40 -}; - -#define LARGEST_HASH_OID_SIZE sizeof(sha512_oid) - -/* ASN.1 definition public key */ -static const asn1Object_t pubkey_objects[] = { +/* ASN.1 definition of RSApublicKey */ +static const asn1Object_t pubkeyObjects[] = { { 0, "RSAPublicKey", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 1 */ { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 2 */ @@ -107,6 +48,18 @@ static const asn1Object_t pubkey_objects[] = { #define PUB_KEY_EXPONENT 2 #define PUB_KEY_ROOF 3 +/* ASN.1 definition of digestInfo */ +static const asn1Object_t digestInfoObjects[] = { + { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ + { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */ + { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ +}; + +#define DIGEST_INFO 0 +#define DIGEST_INFO_ALGORITHM 1 +#define DIGEST_INFO_DIGEST 2 +#define DIGEST_INFO_ROOF 3 + typedef struct private_rsa_public_key_t private_rsa_public_key_t; /** @@ -186,12 +139,11 @@ static chunk_t rsaep(const private_rsa_public_key_t *this, chunk_t data) /** * Implementation of rsa_public_key.verify_emsa_pkcs1_signature. */ -static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this, chunk_t data, chunk_t signature) +static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this, + hash_algorithm_t algorithm, + chunk_t data, chunk_t signature) { - hasher_t *hasher = NULL; - chunk_t hash; - chunk_t em; - u_int8_t *pos; + chunk_t em_ori, em; status_t res = FAILED; /* remove any preceding 0-bytes from signature */ @@ -207,7 +159,7 @@ static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this } /* unpack signature */ - em = this->rsavp1(this, signature); + em_ori = em = this->rsavp1(this, signature); /* result should look like this: * EM = 0x00 || 0x01 || PS || 0x00 || T. @@ -216,141 +168,160 @@ static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this */ /* check magic bytes */ - if ((*(em.ptr) != 0x00) || (*(em.ptr+1) != 0x01)) + if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) { + DBG2("incorrect padding - probably wrong RSA key"); goto end; } + em.ptr += 2; + em.len -= 2; /* find magic 0x00 */ - pos = em.ptr + 2; - while (pos <= em.ptr + em.len) + while (em.len > 0) { - if (*pos == 0x00) + if (*em.ptr == 0x00) { /* found magic byte, stop */ - pos++; + em.ptr++; + em.len--; break; } - else if (*pos != 0xFF) + else if (*em.ptr != 0xFF) { /* bad padding, decryption failed ?!*/ goto end; } - pos++; + em.ptr++; + em.len--; } - if (pos + LARGEST_HASH_OID_SIZE > em.ptr + em.len) - { - /* not enought room for oid compare */ - goto end; - } - - if (memeq(md2_oid, pos, sizeof(md2_oid))) - { - hasher = hasher_create(HASH_MD2); - pos += sizeof(md2_oid); - } - else if (memeq(md5_oid, pos, sizeof(md5_oid))) + if (em.len == 0) { - hasher = hasher_create(HASH_MD5); - pos += sizeof(md5_oid); - } - else if (memeq(sha1_oid, pos, sizeof(sha1_oid))) - { - hasher = hasher_create(HASH_SHA1); - pos += sizeof(sha1_oid); - } - else if (memeq(sha256_oid, pos, sizeof(sha256_oid))) - { - hasher = hasher_create(HASH_SHA256); - pos += sizeof(sha256_oid); - } - else if (memeq(sha384_oid, pos, sizeof(sha384_oid))) - { - hasher = hasher_create(HASH_SHA384); - pos += sizeof(sha384_oid); - } - else if (memeq(sha512_oid, pos, sizeof(sha512_oid))) - { - hasher = hasher_create(HASH_SHA512); - pos += sizeof(sha512_oid); - } - - if (hasher == NULL) - { - /* unsupported hash algorithm */ - res = NOT_SUPPORTED;; + /* no digestInfo found */ goto end; } - - if (pos + hasher->get_hash_size(hasher) != em.ptr + em.len) + + /* parse ASN.1-based digestInfo */ { - /* bad length */ - hasher->destroy(hasher); - goto end; + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 0; + hash_algorithm_t hash_algorithm = HASH_UNKNOWN; + + asn1_init(&ctx, em, 0, FALSE, FALSE); + + while (objectID < DIGEST_INFO_ROOF) + { + if (!extract_object(digestInfoObjects, &objectID, &object, &level, &ctx)) + { + goto end; + } + switch (objectID) + { + case DIGEST_INFO: + if (em.len > object.len) + { + DBG1("digestInfo field in signature is followed by %u surplus bytes", + em.len - object.len); + goto end; + } + break; + case DIGEST_INFO_ALGORITHM: + { + int hash_oid = parse_algorithmIdentifier(object, level+1, NULL); + + hash_algorithm = hasher_algorithm_from_oid(hash_oid); + if (hash_algorithm == HASH_UNKNOWN + || (algorithm != HASH_UNKNOWN && hash_algorithm != algorithm)) + { + DBG1("wrong hash algorithm used in signature"); + goto end; + } + } + break; + case DIGEST_INFO_DIGEST: + { + chunk_t hash; + hasher_t *hasher = hasher_create(hash_algorithm); + + if (object.len != hasher->get_hash_size(hasher)) + { + DBG1("hash size in signature is %u bytes instead of %u bytes", + object.len, hasher->get_hash_size(hasher)); + hasher->destroy(hasher); + goto end; + } + + /* build our own hash */ + hasher->allocate_hash(hasher, data, &hash); + hasher->destroy(hasher); + + /* compare the hashes */ + res = memeq(object.ptr, hash.ptr, hash.len) ? SUCCESS : FAILED; + free(hash.ptr); + } + break; + default: + break; + } + objectID++; + } } - - /* build our own hash */ - hasher->allocate_hash(hasher, data, &hash); - hasher->destroy(hasher); - - /* compare the hashes */ - res = memeq(hash.ptr, pos, hash.len) ? SUCCESS : FAILED; - free(hash.ptr); end: - free(em.ptr); + free(em_ori.ptr); return res; } - + + /** - * Implementation of rsa_public_key.get_key. + * Implementation of rsa_public_key_t.get_modulus. */ -static status_t get_key(const private_rsa_public_key_t *this, chunk_t *key) -{ - chunk_t n, e; - - n.len = this->k; - n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n); - e.len = this->k; - e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e); - - key->len = this->k * 2; - key->ptr = malloc(key->len); - memcpy(key->ptr, n.ptr, n.len); - memcpy(key->ptr + n.len, e.ptr, e.len); - free(n.ptr); - free(e.ptr); - - return SUCCESS; +static mpz_t *get_modulus(const private_rsa_public_key_t *this) +{ + return (mpz_t*)&this->n; } /** - * Implementation of rsa_public_key.save_key. + * Implementation of rsa_public_key_t.get_keysize. */ -static status_t save_key(const private_rsa_public_key_t *this, char *file) +static size_t get_keysize(const private_rsa_public_key_t *this) { - return NOT_SUPPORTED; + return this->k; } /** - * Implementation of rsa_public_key.get_modulus. + * Build a DER-encoded publicKeyInfo object from an RSA public key. + * Also used in rsa_private_key.c. */ -static mpz_t *get_modulus(const private_rsa_public_key_t *this) +chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e) { - return (mpz_t*)&this->n; + chunk_t rawKey = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_integer_from_mpz(n), + asn1_integer_from_mpz(e)); + chunk_t publicKey; + + u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING, 1 + rawKey.len); + + *pos++ = 0x00; + memcpy(pos, rawKey.ptr, rawKey.len); + free(rawKey.ptr); + + return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_rsaEncryption_id, + publicKey); } /** - * Implementation of rsa_public_key.get_keysize. + * Implementation of rsa_public_key_t.get_publicKeyInfo. */ -static size_t get_keysize(const private_rsa_public_key_t *this) +static chunk_t get_publicKeyInfo(const private_rsa_public_key_t *this) { - return this->k; + return rsa_public_key_info_to_asn1(this->n, this->e); } /** - * Implementation of rsa_public_key.get_keyid. + * Implementation of rsa_public_key_t.get_keyid. */ static chunk_t get_keyid(const private_rsa_public_key_t *this) { @@ -358,7 +329,7 @@ static chunk_t get_keyid(const private_rsa_public_key_t *this) } /** - * Implementation of rsa_public_key.clone. + * Implementation of rsa_public_key_t.clone. */ static rsa_public_key_t* _clone(const private_rsa_public_key_t *this) { @@ -373,7 +344,7 @@ static rsa_public_key_t* _clone(const private_rsa_public_key_t *this) } /** - * Implementation of rsa_public_key.destroy. + * Implementation of rsa_public_key_t.destroy. */ static void destroy(private_rsa_public_key_t *this) { @@ -391,11 +362,10 @@ private_rsa_public_key_t *rsa_public_key_create_empty(void) private_rsa_public_key_t *this = malloc_thing(private_rsa_public_key_t); /* public functions */ - this->public.verify_emsa_pkcs1_signature = (status_t (*) (const rsa_public_key_t*,chunk_t,chunk_t))verify_emsa_pkcs1_signature; - this->public.get_key = (status_t (*) (const rsa_public_key_t*,chunk_t*))get_key; - this->public.save_key = (status_t (*) (const rsa_public_key_t*,char*))save_key; + this->public.verify_emsa_pkcs1_signature = (status_t (*) (const rsa_public_key_t*,hash_algorithm_t,chunk_t,chunk_t))verify_emsa_pkcs1_signature; this->public.get_modulus = (mpz_t *(*) (const rsa_public_key_t*))get_modulus; this->public.get_keysize = (size_t (*) (const rsa_public_key_t*))get_keysize; + this->public.get_publicKeyInfo = (chunk_t (*) (const rsa_public_key_t*))get_publicKeyInfo; this->public.get_keyid = (chunk_t (*) (const rsa_public_key_t*))get_keyid; this->public.clone = (rsa_public_key_t* (*) (const rsa_public_key_t*))_clone; this->public.destroy = (void (*) (rsa_public_key_t*))destroy; @@ -407,27 +377,6 @@ private_rsa_public_key_t *rsa_public_key_create_empty(void) return this; } -/** - * Build a DER-encoded publicKeyInfo object from an RSA public key. - * Also used in rsa_private_key.c. - */ -chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e) -{ - chunk_t rawKey = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer_from_mpz(n), - asn1_integer_from_mpz(e)); - chunk_t publicKey; - - u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING, 1 + rawKey.len); - - *pos++ = 0x00; - memcpy(pos, rawKey.ptr, rawKey.len); - free(rawKey.ptr); - - return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_rsaEncryption_id, - publicKey); -} - /* * See header */ @@ -447,7 +396,7 @@ rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t blob) while (objectID < PUB_KEY_ROOF) { - if (!extract_object(pubkey_objects, &objectID, &object, &level, &ctx)) + if (!extract_object(pubkeyObjects, &objectID, &object, &level, &ctx)) { destroy(this); return FALSE; @@ -489,8 +438,9 @@ rsa_public_key_t *rsa_public_key_create_from_file(char *filename) rsa_public_key_t *pubkey = NULL; if (!pem_asn1_load_file(filename, NULL, "public key", &chunk, &pgp)) + { return NULL; - + } pubkey = rsa_public_key_create_from_chunk(chunk); free(chunk.ptr); return pubkey; diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.h b/src/libstrongswan/crypto/rsa/rsa_public_key.h index 1ee54dcc3..0a40c2204 100644 --- a/src/libstrongswan/crypto/rsa/rsa_public_key.h +++ b/src/libstrongswan/crypto/rsa/rsa_public_key.h @@ -19,6 +19,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: rsa_public_key.h 3303 2007-10-12 22:49:39Z andreas $ */ #ifndef RSA_PUBLIC_KEY_H_ @@ -29,6 +31,7 @@ typedef struct rsa_public_key_t rsa_public_key_t; #include <gmp.h> #include <library.h> +#include <crypto/hashers/hasher.h> /** * @brief RSA public key with associated functions. @@ -58,6 +61,7 @@ struct rsa_public_key_t { * * @param this rsa_public_key to use * @param data data to sign + # @param algorithm hash algorithm the signature is based on * @param signature signature to verify * @return * - SUCCESS, if signature ok @@ -66,34 +70,9 @@ struct rsa_public_key_t { * - INVALID_ARG, if signature is not a signature * - FAILED if signature invalid or unable to verify */ - status_t (*verify_emsa_pkcs1_signature) (const rsa_public_key_t *this, chunk_t data, chunk_t signature); - - /** - * @brief Gets the key. - * - * Currently uses a proprietary format which is only inteded - * for testing. This should be replaced with a proper - * ASN1 encoded key format, when charon gets the ASN1 - * capabilities. - * - * @param this calling object - * @param key key (in a propriarity format) - * @return - * - SUCCESS - * - INVALID_STATE, if key not set - */ - status_t (*get_key) (const rsa_public_key_t *this, chunk_t *key); - - /** - * @brief Saves a key to a file. - * - * Not implemented! - * - * @param this calling object - * @param file file to which the key should be written. - * @return NOT_SUPPORTED - */ - status_t (*save_key) (const rsa_public_key_t *this, char *file); + status_t (*verify_emsa_pkcs1_signature) (const rsa_public_key_t *this, + hash_algorithm_t algorithm, + chunk_t data, chunk_t signature); /** * @brief Get the modulus of the key. @@ -112,6 +91,14 @@ struct rsa_public_key_t { size_t (*get_keysize) (const rsa_public_key_t *this); /** + * @brief Get the DER encoded publicKeyInfo object. + * + * @param this calling object + * @return DER encoded publicKeyInfo object + */ + chunk_t (*get_publicKeyInfo) (const rsa_public_key_t *this); + + /** * @brief Get the keyid formed as the SHA-1 hash of a publicKeyInfo object. * * @param this calling object diff --git a/src/libstrongswan/crypto/signers/hmac_signer.c b/src/libstrongswan/crypto/signers/hmac_signer.c index 76e1ce50e..ad5b882a6 100644 --- a/src/libstrongswan/crypto/signers/hmac_signer.c +++ b/src/libstrongswan/crypto/signers/hmac_signer.c @@ -52,14 +52,19 @@ struct private_hmac_signer_t { /** * Implementation of signer_t.get_signature. */ -static void get_signature (private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer) +static void get_signature(private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer) { - u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)]; - - this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac); - - /* copy MAC depending on truncation */ - memcpy(buffer, full_mac, this->block_size); + if (buffer == NULL) + { /* append mode */ + this->hmac_prf->get_bytes(this->hmac_prf, data, NULL); + } + else + { + u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)]; + + this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac); + memcpy(buffer, full_mac, this->block_size); + } } /** @@ -67,18 +72,24 @@ static void get_signature (private_hmac_signer_t *this, chunk_t data, u_int8_t * */ static void allocate_signature (private_hmac_signer_t *this, chunk_t data, chunk_t *chunk) { - chunk_t signature; - u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)]; - - this->hmac_prf->get_bytes(this->hmac_prf,data,full_mac); + if (chunk == NULL) + { /* append mode */ + this->hmac_prf->get_bytes(this->hmac_prf, data, NULL); + } + else + { + chunk_t signature; + u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)]; + + this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac); - signature.ptr = malloc(this->block_size); - signature.len = this->block_size; - - /* copy signature */ - memcpy(signature.ptr, full_mac, this->block_size); + signature.ptr = malloc(this->block_size); + signature.len = this->block_size; + + memcpy(signature.ptr, full_mac, this->block_size); - *chunk = signature; + *chunk = signature; + } } /** diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h index 0f3709712..4218e4146 100644 --- a/src/libstrongswan/crypto/signers/signer.h +++ b/src/libstrongswan/crypto/signers/signer.h @@ -74,6 +74,9 @@ extern enum_name_t *integrity_algorithm_names; struct signer_t { /** * @brief Generate a signature. + * + * If buffer is NULL, data is processed and prepended to a next call until + * buffer is a valid pointer. * * @param this calling object * @param data a chunk containing the data to sign @@ -83,6 +86,9 @@ struct signer_t { /** * @brief Generate a signature and allocate space for it. + * + * If chunk is NULL, data is processed and prepended to a next call until + * chunk is a valid chunk pointer. * * @param this calling object * @param data a chunk containing the data to sign diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c index 5bf3f26d7..d9093fc62 100755 --- a/src/libstrongswan/crypto/x509.c +++ b/src/libstrongswan/crypto/x509.c @@ -23,6 +23,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: x509.c 3301 2007-10-12 21:56:30Z andreas $ */ #include <gmp.h> @@ -114,7 +116,7 @@ struct private_x509_t { /** * Signature algorithm */ - int sigAlg; + int signatureAlgorithm; /** * ID representing the certificate issuer @@ -197,11 +199,6 @@ struct private_x509_t { bool isOcspSigner; /** - * Signature algorithm (must be identical to sigAlg) - */ - int algorithm; - - /** * Signature */ chunk_t signature; @@ -445,16 +442,15 @@ static bool parse_basicConstraints(chunk_t blob, int level0) return isCA; } -/* +/** * extracts an otherName */ -static bool -parse_otherName(chunk_t blob, int level0) +static bool parse_otherName(chunk_t blob, int level0) { asn1_ctx_t ctx; chunk_t object; - int objectID = 0; u_int level; + int objectID = 0; int oid = OID_UNKNOWN; asn1_init(&ctx, blob, level0, FALSE, FALSE); @@ -484,7 +480,7 @@ parse_otherName(chunk_t blob, int level0) return TRUE; } -/* +/** * extracts a generalName */ static identification_t *parse_generalName(chunk_t blob, int level0) @@ -544,10 +540,10 @@ static identification_t *parse_generalName(chunk_t blob, int level0) } -/** - * extracts one or several GNs and puts them into a chained list +/* + * Defined in header. */ -void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list) +void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list) { asn1_ctx_t ctx; chunk_t object; @@ -589,10 +585,10 @@ static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit) return object; } -/** - * extracts an authoritykeyIdentifier +/* + * Defined in header. */ -void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber) +void x509_parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber) { asn1_ctx_t ctx; chunk_t object; @@ -639,8 +635,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *l chunk_t object; u_int level; int objectID = 0; - - u_int accessMethod = OID_UNKNOWN; + int accessMethod = OID_UNKNOWN; asn1_init(&ctx, blob, level0, FALSE, FALSE); while (objectID < AUTH_INFO_ACCESS_ROOF) @@ -659,15 +654,26 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *l switch (accessMethod) { case OID_OCSP: - if (*object.ptr == ASN1_CONTEXT_S_6) + case OID_CA_ISSUERS: { identification_t *accessLocation; - if (asn1_length(&object) == ASN1_INVALID_LENGTH) + accessLocation = parse_generalName(object, level+1); + if (accessLocation == NULL) + { + /* parsing went wrong - abort */ return; - DBG2(" '%.*s'",(int)object.len, object.ptr); - accessLocation = identification_create_from_encoding(ID_DER_ASN1_GN_URI, object); - list->insert_last(list, (void *)accessLocation); + } + DBG2(" '%D'", accessLocation); + if (accessMethod == OID_OCSP) + { + list->insert_last(list, (void *)accessLocation); + } + else + { + /* caIsssuer accessLocation is not used yet */ + accessLocation->destroy(accessLocation); + } } break; default: @@ -731,7 +737,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t if (objectID == CRL_DIST_POINTS_FULLNAME) { /* append extracted generalNames to existing chained list */ - parse_generalNames(object, level+1, TRUE, list); + x509_parse_generalNames(object, level+1, TRUE, list); } objectID++; @@ -748,8 +754,8 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) bool critical; chunk_t object; u_int level; - u_int extn_oid = OID_UNKNOWN; int objectID = 0; + int extn_oid = OID_UNKNOWN; asn1_init(&ctx, blob, level0, FALSE, FALSE); while (objectID < X509_OBJ_ROOF) @@ -778,7 +784,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) this->serialNumber = object; break; case X509_OBJ_SIG_ALG: - this->sigAlg = parse_algorithmIdentifier(object, level, NULL); + this->signatureAlgorithm = parse_algorithmIdentifier(object, level, NULL); break; case X509_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); @@ -797,7 +803,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM: if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION) { - DBG2(" unsupported public key algorithm"); + DBG1(" unsupported public key algorithm"); return FALSE; } break; @@ -809,7 +815,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) } else { - DBG2(" invalid RSA public key format"); + DBG1(" invalid RSA public key format"); return FALSE; } break; @@ -831,7 +837,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) this->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE)); break; case OID_SUBJECT_ALT_NAME: - parse_generalNames(object, level, FALSE, this->subjectAltNames); + x509_parse_generalNames(object, level, FALSE, this->subjectAltNames); break; case OID_BASIC_CONSTRAINTS: this->isCA = parse_basicConstraints(object, level); @@ -840,7 +846,8 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) parse_crlDistributionPoints(object, level, this->crlDistributionPoints); break; case OID_AUTHORITY_KEY_ID: - parse_authorityKeyIdentifier(object, level , &this->authKeyID, &this->authKeySerialNumber); + x509_parse_authorityKeyIdentifier(object, level, + &this->authKeyID, &this->authKeySerialNumber); break; case OID_AUTHORITY_INFO_ACCESS: parse_authorityInfoAccess(object, level, this->ocspAccessLocations); @@ -861,7 +868,15 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) break; } case X509_OBJ_ALGORITHM: - this->algorithm = parse_algorithmIdentifier(object, level, NULL); + { + int alg = parse_algorithmIdentifier(object, level, NULL); + + if (alg != this->signatureAlgorithm) + { + DBG1(" signature algorithms do not agree"); + return FALSE; + } + } break; case X509_OBJ_SIGNATURE: this->signature = object; @@ -1119,7 +1134,14 @@ static iterator_t *create_ocspuri_iterator(const private_x509_t *this) */ static bool verify(const private_x509_t *this, const rsa_public_key_t *signer) { - return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertificate, this->signature) == SUCCESS; + hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm); + + if (algorithm == HASH_UNKNOWN) + { + DBG1(" unknown signature algorithm"); + return FALSE; + } + return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertificate, this->signature) == SUCCESS; } /** @@ -1221,6 +1243,101 @@ static void list(private_x509_t *this, FILE *out, bool utc) } } +/* + * Defined in header. + */ +chunk_t x509_build_generalNames(linked_list_t *list) +{ + linked_list_t *generalNames = linked_list_create(); + iterator_t *iterator = list->create_iterator(list, TRUE); + identification_t *name; + size_t len = 0; + + while (iterator->iterate(iterator, (void**)&name)) + { + asn1_t asn1_type = ASN1_EOC; + chunk_t *generalName = malloc_thing(chunk_t); + + switch (name->get_type(name)) + { + case ID_RFC822_ADDR: + asn1_type = ASN1_CONTEXT_S_1; + break; + case ID_FQDN: + asn1_type = ASN1_CONTEXT_S_2; + break; + case ID_DER_ASN1_DN: + asn1_type = ASN1_CONTEXT_C_4; + break; + case ID_DER_ASN1_GN_URI: + asn1_type = ASN1_CONTEXT_S_6; + break; + case ID_IPV4_ADDR: + asn1_type = ASN1_CONTEXT_S_7; + break; + default: + continue; + } + + *generalName = asn1_simple_object(asn1_type, name->get_encoding(name)); + len += generalName->len; + generalNames->insert_last(generalNames, generalName); + } + iterator->destroy(iterator); + + if (len > 0) + { + iterator_t *iterator = generalNames->create_iterator(generalNames, TRUE); + chunk_t names, *generalName; + u_char *pos = build_asn1_object(&names, ASN1_SEQUENCE, len); + + while (iterator->iterate(iterator, (void**)&generalName)) + { + memcpy(pos, generalName->ptr, generalName->len); + pos += generalName->len; + free(generalName->ptr); + free(generalName); + } + iterator->destroy(iterator); + generalNames->destroy(generalNames); + + return asn1_wrap(ASN1_OCTET_STRING, "m", names); + } + else + { + return chunk_empty; + } +} + +/* + * Defined in header. + */ +chunk_t x509_build_subjectAltNames(linked_list_t *list) +{ + chunk_t generalNames = x509_build_generalNames(list); + + if (generalNames.len) + { + return asn1_wrap(ASN1_SEQUENCE, "cm", + ASN1_subjectAltName_oid, + asn1_wrap(ASN1_OCTET_STRING, "m", generalNames) + ); + } + else + { + return chunk_empty; + } +} + +/** + * Implementation of x509_t.build_encoding. + */ +static void build_encoding(private_x509_t *this, hash_algorithm_t alg, + rsa_private_key_t *private_key) +{ + +} + /** * Implements x509_t.destroy */ @@ -1240,10 +1357,10 @@ static void destroy(private_x509_t *this) free(this); } -/* - * Described in header. +/** + * Internal generic constructor */ -x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) +static private_x509_t *x509_create_empty(void) { private_x509_t *this = malloc_thing(private_x509_t); @@ -1290,9 +1407,34 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator; this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator; this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify; - this->public.list = (void(*)(x509_t*, FILE *out, bool utc))list; + this->public.list = (void (*) (x509_t*, FILE *out, bool utc))list; + this->public.build_encoding = (void (*) (x509_t*,hash_algorithm_t,rsa_private_key_t*))build_encoding; this->public.destroy = (void (*) (x509_t*))destroy; + return this; +} + +/* + * Described in header. + */ +x509_t *x509_create_(chunk_t serialNumber, identification_t *issuer, identification_t *subject) +{ + private_x509_t *this = x509_create_empty(); + + this->serialNumber = serialNumber; + this->issuer = issuer->clone(issuer); + this->subject = subject->clone(subject); + + return &this->public; +} + +/* + * Described in header. + */ +x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) +{ + private_x509_t *this = x509_create_empty(); + if (!parse_certificate(chunk, level, this)) { destroy(this); @@ -1314,8 +1456,15 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) this->isSelfSigned = FALSE; if (this->subject->equals(this->subject, this->issuer)) { + hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm); + + if (algorithm == HASH_UNKNOWN) + { + destroy(this); + return NULL; + } this->isSelfSigned = this->public_key->verify_emsa_pkcs1_signature(this->public_key, - this->tbsCertificate, this->signature) == SUCCESS; + algorithm, this->tbsCertificate, this->signature) == SUCCESS; } if (this->isSelfSigned) { diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h index c6fe148d4..1ab267dac 100755 --- a/src/libstrongswan/crypto/x509.h +++ b/src/libstrongswan/crypto/x509.h @@ -23,6 +23,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: x509.h 3301 2007-10-12 21:56:30Z andreas $ */ #ifndef X509_H_ @@ -31,7 +33,8 @@ typedef struct x509_t x509_t; #include <library.h> -#include <crypto/rsa/rsa_public_key.h> +#include <crypto/rsa/rsa_private_key.h> +#include <crypto/hashers/hasher.h> #include <crypto/certinfo.h> #include <crypto/ca.h> #include <utils/identification.h> @@ -49,6 +52,7 @@ typedef struct x509_t x509_t; * @brief X.509 certificate. * * @b Constructors: + * - x509_create() * - x509_create_from_chunk() * - x509_create_from_file() * @@ -288,9 +292,26 @@ struct x509_t { * @param out stream to write to * @param utc TRUE for UTC times, FALSE for local time */ - void (*list)(x509_t *this, FILE *out, bool utc); + void (*list) (x509_t *this, FILE *out, bool utc); /** + * @brief Adds a list of subjectAltNames + * + * @param this calling object + * @param subjectAltNames list of subjectAltNames to be added + */ + void (*add_subjectAltNames) (x509_t *this, linked_list_t *subjectAltNames); + + /** + * @brief Builds a DER-encoded signed X.509 certificate + * + * @param this calling object + * @param alg hash algorithm used to compute the certificate digest + * @param private_key RSA private key used to sign the certificate digest + */ + void (*build_encoding) (x509_t *this, hash_algorithm_t alg, rsa_private_key_t *private_key); + + /** * @brief Destroys the certificate. * * @param this certificate to destroy @@ -299,17 +320,34 @@ struct x509_t { }; /** - * @brief Read a x509 certificate from a DER encoded blob. - * + * @brief Create a X.509 certificate from its components + * + * @param serialNumber chunk containing the serialNumber + * @param issuer issuer distinguished name + * @param notBefore start date of validity + * @param notAfter end date of validity + * @param subject subject distinguished name + * + * @return created x509_t certificate, or NULL if invalid. + * + * @ingroup crypto + */ +x509_t *x509_create(chunk_t serialNumber, identification_t *issuer, + time_t notBefore, time_t notAfter, + identification_t *subject); + +/** + * @brief Read a X.509 certificate from a DER encoded blob. + * * @param chunk chunk containing DER encoded data - * @return created x509_t certificate, or NULL if invlid. + * @return created x509_t certificate, or NULL if invalid. * * @ingroup crypto */ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level); /** - * @brief Read a x509 certificate from a DER encoded file. + * @brief Read a X.509 certificate from a DER encoded file. * * @param filename file containing DER encoded data * @param label label describing kind of certificate @@ -329,7 +367,7 @@ x509_t *x509_create_from_file(const char *filename, const char *label); * * @ingroup crypto */ -void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber); +void x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber); /** * @brief Parses DER encoded generalNames @@ -337,10 +375,30 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, * @param blob blob containing DER encoded data * @param level0 indicates the current parsing level * @param implicit implicit coding is used - * @param list linked list of decoded generalNames + * @param list list of decoded generalNames + * + * @ingroup crypto + */ +void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list); + +/** + * @brief Builds a DER encoded list of generalNames + * + * @param list list of generalNames to be encoded + * @return DER encoded list of generalNames + * + * @ingroup crypto + */ +chunk_t x509_build_generalNames(linked_list_t *list); + +/** + * @brief Builds a DER encoded list of subjectAltNames + * + * @param list list of subjectAltNames to be encoded + * @return DER encoded list of subjectAltNames * * @ingroup crypto */ -void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list); +chunk_t x509_build_subjectAltNames(linked_list_t *list); #endif /* X509_H_ */ diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c index 996cae502..a71e978b8 100644 --- a/src/libstrongswan/debug.c +++ b/src/libstrongswan/debug.c @@ -28,7 +28,7 @@ /** * default dbg function which printf all to stderr */ -static void dbg_stderr(int level, char *fmt, ...) +void dbg_default(int level, char *fmt, ...) { va_list args; @@ -38,4 +38,4 @@ static void dbg_stderr(int level, char *fmt, ...) va_end(args); } -void (*dbg) (int level, char *fmt, ...) = dbg_stderr; +void (*dbg) (int level, char *fmt, ...) = dbg_default; diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h index c424a1c11..71f2c7dfd 100644 --- a/src/libstrongswan/debug.h +++ b/src/libstrongswan/debug.h @@ -57,4 +57,7 @@ /** dbg function hook, uses stderr logger by default */ extern void (*dbg) (int level, char *fmt, ...); +/** default logging function, prints to stderr */ +void dbg_default(int level, char *fmt, ...); + #endif /* DEBUG_H_ */ diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c new file mode 100644 index 000000000..aba292d81 --- /dev/null +++ b/src/libstrongswan/fips/fips.c @@ -0,0 +1,103 @@ +/** + * @file fips.c + * + * @brief Implementation of the libstrongswan integrity test. + * + */ + +/* + * Copyright (C) 2007 Bruno Krieg, Daniel Wydler + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdio.h> + +#include <debug.h> +#include <crypto/signers/hmac_signer.h> +#include "fips.h" + +extern const u_char FIPS_rodata_start[]; +extern const u_char FIPS_rodata_end[]; +extern const void *FIPS_text_start(); +extern const void *FIPS_text_end(); + +/** + * Described in header + */ +bool fips_compute_hmac_signature(const char *key, char *signature) +{ + u_char *text_start = (u_char *)FIPS_text_start(); + u_char *text_end = (u_char *)FIPS_text_end(); + size_t text_len, rodata_len; + signer_t *signer; + + if (text_start > text_end) + { + DBG1(" TEXT start (%p) > TEXT end (%p", + text_start, text_end); + return FALSE; + } + text_len = text_end - text_start; + DBG1(" TEXT: %p + %6d = %p", + text_start, (int)text_len, text_end); + + if (FIPS_rodata_start > FIPS_rodata_end) + { + DBG1(" RODATA start (%p) > RODATA end (%p", + FIPS_rodata_start, FIPS_rodata_end); + return FALSE; + } + rodata_len = FIPS_rodata_end - FIPS_rodata_start; + DBG1(" RODATA: %p + %6d = %p", + FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end); + + signer = (signer_t *)hmac_signer_create(HASH_SHA1, HASH_SIZE_SHA1); + if (signer == NULL) + { + DBG1(" SHA-1 HMAC signer could not be created"); + return FALSE; + } + else + { + chunk_t hmac_key = { key, strlen(key) }; + chunk_t text_chunk = { text_start, text_len }; + chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len }; + chunk_t signature_chunk = chunk_empty; + + signer->set_key(signer, hmac_key); + signer->allocate_signature(signer, text_chunk, NULL); + signer->allocate_signature(signer, rodata_chunk, &signature_chunk); + signer->destroy(signer); + + sprintf(signature, "%#B", &signature_chunk); + DBG1(" SHA-1 HMAC key: %s", key); + DBG1(" SHA-1 HMAC sig: %s", signature); + free(signature_chunk.ptr); + return TRUE; + } +} + +/** + * Described in header + */ +bool fips_verify_hmac_signature(const char *key, + const char *signature) +{ + char current_signature[BUF_LEN]; + + if (!fips_compute_hmac_signature(key, current_signature)) + { + return FALSE; + } + return streq(signature, current_signature); +} diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h new file mode 100644 index 000000000..decf73bfd --- /dev/null +++ b/src/libstrongswan/fips/fips.h @@ -0,0 +1,47 @@ +/** + * @file fips.h + * + * @brief Interface of the libstrongswan integrity test + * + * @ingroup fips + */ + +/* + * Copyright (C) 2007 Bruno Krieg, Daniel Wydler + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef FIPS_H_ +#define FIPS_H_ + +#include <library.h> + +/** + * @brief compute HMAC signature over RODATA and TEXT sections of libstrongswan + * + * @param key key used for HMAC signature in ASCII string format + * @param signature HMAC signature in HEX string format + * @return TRUE if HMAC signature computation was successful + */ +bool fips_compute_hmac_signature(const char *key, char *signature); + +/** + * @brief verify HMAC signature over RODATA and TEXT sections of libstrongswan + * + * @param key key used for HMAC signature in ASCII string format + * @param signature signature value from fips_signature.h in HEX string format + * @return TRUE if signatures agree + */ +bool fips_verify_hmac_signature(const char *key, const char *signature); + +#endif /*FIPS_H_*/ diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c new file mode 100644 index 000000000..46d41a664 --- /dev/null +++ b/src/libstrongswan/fips/fips_canister_end.c @@ -0,0 +1,173 @@ +/** + * @file fips_canister_end.c + * + * @brief Marks the end of TEXT and RODATA. + * + */ + +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution + * and usage in source and binary forms are granted according to the + * OpenSSL license. + */ + +#include <stdio.h> +#if defined(__DECC) +# include <c_asm.h> +# pragma __nostandard +#endif + +#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) +# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ + (defined(__sgi) && (defined(__mips) || defined(mips))) || \ + (defined(__osf__) && defined(__alpha)) || \ + (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ + (defined(__i386) || defined(__i386__)) || \ + (defined(__x86_64) || defined(__x86_64__)) || \ + (defined(vax) || defined(__vax__)) +# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION +# endif +#endif + +#define FIPS_ref_point FIPS_text_end +/* Some compilers put string literals into a separate segment. As we + * are mostly interested to hash AES tables in .rodata, we declare + * reference points accordingly. In case you wonder, the values are + * big-endian encoded variable names, just to prevent these arrays + * from being merged by linker. */ +const unsigned int FIPS_rodata_end[]= + { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b }; + + +/* + * I declare reference function as static in order to avoid certain + * pitfalls in -dynamic linker behaviour... + */ +static void *instruction_pointer(void) +{ + void *ret = NULL; + +/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means + * that they are designed to work under any OS running on particular + * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in + * this function. */ +#if defined(INSTRUCTION_POINTER_IMPLEMENTED) + INSTRUCTION_POINTER_IMPLEMENTED(ret); +#elif defined(__GNUC__) && __GNUC__>=2 +# if defined(__alpha) || defined(__alpha__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); +# elif defined(__i386) || defined(__i386__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); + ret = (void *)((size_t)ret&~3UL); /* align for better performance */ +# elif defined(__ia64) || defined(__ia64__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "mov %0=ip" : "=r"(ret) ); +# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); + ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ +# elif defined(__mips) || defined(__mips__) +# define INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + __asm __volatile ( "move %1,$31\n\t" /* save ra */ + "bal .+8; nop\n\t" + "move %0,$31\n\t" + "move $31,%1" /* restore ra */ + : "=r"(ret),"=r"(scratch) ); +# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ + defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ + defined(__PPC64__) || defined(__powerpc64__) +# define INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ + "bl .+4\n\t" + "mfspr %0,8\n\t" /* mflr ret */ + "mtspr 8,%1" /* restore lr */ + : "=r"(ret),"=r"(scratch) ); +# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) +# define INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + __asm __volatile ( "mov %%o7,%1\n\t" + "call .+8; nop\n\t" + "mov %%o7,%0\n\t" + "mov %1,%%o7" + : "=r"(ret),"=r"(scratch) ); +# elif defined(__x86_64) || defined(__x86_64__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); + ret = (void *)((size_t)ret&~3UL); /* align for better performance */ +# endif +#elif defined(__DECC) && defined(__alpha) +# define INSTRUCTION_POINTER_IMPLEMENTED + ret = (void *)(size_t)asm("br %v0,1f\n1:"); +#elif defined(_MSC_VER) && defined(_M_IX86) +# undef INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + _asm { + call self + self: pop eax + mov scratch,eax + } + ret = (void *)((size_t)scratch&~3UL); +#endif + return ret; +} + +/* + * This function returns pointer to an instruction in the vicinity of + * its entry point, but not outside this object module. This guarantees + * that sequestered code is covered... + */ +void *FIPS_ref_point() +{ +#if defined(INSTRUCTION_POINTER_IMPLEMENTED) + return instruction_pointer(); +/* Below we essentially cover vendor compilers which do not support + * inline assembler... */ +#elif defined(_AIX) + struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; + return p->ip; +#elif defined(_HPUX_SOURCE) +# if defined(__hppa) || defined(__hppa__) + struct { void *i[4]; } *p = (void *)FIPS_ref_point; + + if (sizeof(p) == 8) /* 64-bit */ + return p->i[2]; + else if ((size_t)p & 2) + { p = (void *)((size_t)p&~3UL); + return p->i[0]; + } + else + return (void *)p; +# elif defined(__ia64) || defined(__ia64__) + struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; + return (void *)(size_t)p->ip; +# endif +#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) + /* applies to both alpha and ia64 */ + struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; + return (void *)(size_t)p->ip; +#elif defined(__VOS__) + /* applies to both pa-risc and ia32 */ + struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; + return p->ip; +#elif defined(_WIN32) +# if defined(_WIN64) && defined(_M_IA64) + struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; + return p->ip; +# else + return (void *)FIPS_ref_point; +# endif +/* + * In case you wonder why there is no #ifdef __linux. All Linux targets + * are GCC-based and therefore are covered by instruction_pointer above + * [well, some are covered by by the one below]... + */ +#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) + return (void *)instruction_pointer; +#else + return NULL; +#endif +} diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c new file mode 100644 index 000000000..eaf2571f8 --- /dev/null +++ b/src/libstrongswan/fips/fips_canister_start.c @@ -0,0 +1,174 @@ +/** + * @file fips_canister_start.c + * + * @brief Marks the start of TEXT and RODATA. + * + */ + +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution + * and usage in source and binary forms are granted according to the + * OpenSSL license. + */ + +#include <stdio.h> +#if defined(__DECC) +# include <c_asm.h> +# pragma __nostandard +#endif + +#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) +# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ + (defined(__sgi) && (defined(__mips) || defined(mips))) || \ + (defined(__osf__) && defined(__alpha)) || \ + (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ + (defined(__i386) || defined(__i386__)) || \ + (defined(__x86_64) || defined(__x86_64__)) || \ + (defined(vax) || defined(__vax__)) +# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION +# endif +#endif + + +#define FIPS_ref_point FIPS_text_start +/* Some compilers put string literals into a separate segment. As we + * are mostly interested to hash AES tables in .rodata, we declare + * reference points accordingly. In case you wonder, the values are + * big-endian encoded variable names, just to prevent these arrays + * from being merged by linker. */ +const unsigned int FIPS_rodata_start[]= + { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 }; + + +/* + * I declare reference function as static in order to avoid certain + * pitfalls in -dynamic linker behaviour... + */ +static void *instruction_pointer(void) +{ + void *ret = NULL; + +/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means + * that they are designed to work under any OS running on particular + * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in + * this function. */ +#if defined(INSTRUCTION_POINTER_IMPLEMENTED) + INSTRUCTION_POINTER_IMPLEMENTED(ret); +#elif defined(__GNUC__) && __GNUC__>=2 +# if defined(__alpha) || defined(__alpha__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); +# elif defined(__i386) || defined(__i386__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); + ret = (void *)((size_t)ret&~3UL); /* align for better performance */ +# elif defined(__ia64) || defined(__ia64__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "mov %0=ip" : "=r"(ret) ); +# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); + ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ +# elif defined(__mips) || defined(__mips__) +# define INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + __asm __volatile ( "move %1,$31\n\t" /* save ra */ + "bal .+8; nop\n\t" + "move %0,$31\n\t" + "move $31,%1" /* restore ra */ + : "=r"(ret),"=r"(scratch) ); +# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ + defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ + defined(__PPC64__) || defined(__powerpc64__) +# define INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ + "bl .+4\n\t" + "mfspr %0,8\n\t" /* mflr ret */ + "mtspr 8,%1" /* restore lr */ + : "=r"(ret),"=r"(scratch) ); +# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) +# define INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + __asm __volatile ( "mov %%o7,%1\n\t" + "call .+8; nop\n\t" + "mov %%o7,%0\n\t" + "mov %1,%%o7" + : "=r"(ret),"=r"(scratch) ); +# elif defined(__x86_64) || defined(__x86_64__) +# define INSTRUCTION_POINTER_IMPLEMENTED + __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); + ret = (void *)((size_t)ret&~3UL); /* align for better performance */ +# endif +#elif defined(__DECC) && defined(__alpha) +# define INSTRUCTION_POINTER_IMPLEMENTED + ret = (void *)(size_t)asm("br %v0,1f\n1:"); +#elif defined(_MSC_VER) && defined(_M_IX86) +# undef INSTRUCTION_POINTER_IMPLEMENTED + void *scratch; + _asm { + call self + self: pop eax + mov scratch,eax + } + ret = (void *)((size_t)scratch&~3UL); +#endif + return ret; +} + +/* + * This function returns pointer to an instruction in the vicinity of + * its entry point, but not outside this object module. This guarantees + * that sequestered code is covered... + */ +void *FIPS_ref_point() +{ +#if defined(INSTRUCTION_POINTER_IMPLEMENTED) + return instruction_pointer(); +/* Below we essentially cover vendor compilers which do not support + * inline assembler... */ +#elif defined(_AIX) + struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; + return p->ip; +#elif defined(_HPUX_SOURCE) +# if defined(__hppa) || defined(__hppa__) + struct { void *i[4]; } *p = (void *)FIPS_ref_point; + + if (sizeof(p) == 8) /* 64-bit */ + return p->i[2]; + else if ((size_t)p & 2) + { p = (void *)((size_t)p&~3UL); + return p->i[0]; + } + else + return (void *)p; +# elif defined(__ia64) || defined(__ia64__) + struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; + return (void *)(size_t)p->ip; +# endif +#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) + /* applies to both alpha and ia64 */ + struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; + return (void *)(size_t)p->ip; +#elif defined(__VOS__) + /* applies to both pa-risc and ia32 */ + struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; + return p->ip; +#elif defined(_WIN32) +# if defined(_WIN64) && defined(_M_IA64) + struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; + return p->ip; +# else + return (void *)FIPS_ref_point; +# endif +/* + * In case you wonder why there is no #ifdef __linux. All Linux targets + * are GCC-based and therefore are covered by instruction_pointer above + * [well, some are covered by by the one below]... + */ +#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) + return (void *)instruction_pointer; +#else + return NULL; +#endif +} diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c new file mode 100644 index 000000000..7fb61d5b7 --- /dev/null +++ b/src/libstrongswan/fips/fips_signer.c @@ -0,0 +1,63 @@ +/** + * @file fips_signer.c + * + * @brief Computes a HMAC signature and stores it in fips_signature.h. + * + */ + +/* + * Copyright (C) 2007 Bruno Krieg, Daniel Wydler + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdio.h> + +#include <crypto/hashers/hasher.h> +#include "fips.h" + +int main(int argc, char* argv[]) +{ + FILE *f; + char *hmac_key = "strongSwan Version " VERSION; + char hmac_signature[BUF_LEN]; + + if (!fips_compute_hmac_signature(hmac_key, hmac_signature)) + { + exit(1); + } + + /** + * write computed HMAC signature to fips_signature.h + */ + f = fopen("fips_signature.h", "wt"); + + if (f == NULL) + { + exit(1); + } + fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n"); + fprintf(f, " *\n"); + fprintf(f, " * This file has been automatically generated by fips_signer\n"); + fprintf(f, " * Do not edit manually!\n"); + fprintf(f, " */\n"); + fprintf(f, "\n"); + fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n"); + fprintf(f, "#define FIPS_SIGNATURE_H_\n"); + fprintf(f, "\n"); + fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key); + fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature); + fprintf(f, "\n"); + fprintf(f, "#endif /* FIPS_SIGNATURE_H_ */\n"); + fclose(f); + exit(0); +} diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 67a05f118..51b72bfce 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -18,6 +18,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: library.h 3255 2007-10-07 13:35:42Z andreas $ */ #ifndef LIBRARY_H_ @@ -26,13 +28,14 @@ /** * @defgroup libstrongswan libstrongswan * - * libstrongswan: library with various crypto related things. + * libstrongswan: library with various cryptographic, X.509 trust chain and + * identity management functions. */ /** * @defgroup asn1 asn1 * - * ASN1 definitions, parser and generator functions. + * ASN.1 definitions, parser and generator functions. * * @ingroup libstrongswan */ @@ -40,7 +43,7 @@ /** * @defgroup crypto crypto * - * Crypto algorithms of different kind. + * Various cryptographic algorithms. * * @ingroup libstrongswan */ @@ -89,6 +92,14 @@ */ /** + * @defgroup fips fips + * + * Code integrity check of libstrongswan + * + * @ingroup libstrongswan + */ + +/** * @defgroup utils utils * * Generic helper classes. @@ -120,6 +131,11 @@ #define streq(x,y) (strcmp(x, y) == 0) /** + * Macro compares two strings for equality + */ +#define strneq(x,y,len) (strncmp(x, y, len) == 0) + +/** * Macro compares two binary blobs for equality */ #define memeq(x,y,len) (memcmp(x, y, len) == 0) @@ -135,11 +151,21 @@ #define min(x,y) ((x) < (y) ? (x):(y)) /** - * Call destructor of a object if object != NULL + * Call destructor of an object, if object != NULL */ #define DESTROY_IF(obj) if (obj) obj->destroy(obj) /** + * Call offset destructor of an object, if object != NULL + */ +#define DESTROY_OFFSET_IF(obj, offset) if (obj) obj->destroy_offset(obj, offset); + +/** + * Call function destructor of an object, if object != NULL + */ +#define DESTROY_FUNCTION_IF(obj, fn) if (obj) obj->destroy_function(obj, fn); + +/** * Debug macro to follow control flow */ #define POS printf("%s, line %d\n", __FILE__, __LINE__) diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c new file mode 100644 index 000000000..842a2e997 --- /dev/null +++ b/src/libstrongswan/utils/enumerator.c @@ -0,0 +1,44 @@ +/** + * @file enumerator.c + * + * @brief Implementation of enumerator_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "enumerator.h" + + +/** + * Implementation of enumerator_create_empty().enumerate + */ +static bool enumerate_empty(enumerator_t *enumerator, ...) +{ + return FALSE; +} + +/** + * See header + */ +enumerator_t* enumerator_create_empty() +{ + enumerator_t *this = malloc_thing(enumerator_t); + this->enumerate = enumerate_empty; + this->destroy = (void*)free; + return this; +} + diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h new file mode 100644 index 000000000..df1d78206 --- /dev/null +++ b/src/libstrongswan/utils/enumerator.h @@ -0,0 +1,57 @@ +/** + * @file enumerator.h + * + * @brief Interface of enumerator_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef ENUMERATOR_H_ +#define ENUMERATOR_H_ + +#include <library.h> + +typedef struct enumerator_t enumerator_t; + +/** + * @brief Enumerate is simpler, but more flexible than iterator. + */ +struct enumerator_t { + + /** + * @brief Enumerate collection. + * + * The enumerate function takes a variable argument list containing + * pointers where the enumerated values get written. + * + * @param ... variable list of enumerated items, implementation dependant + * @return TRUE if pointers returned + */ + bool (*enumerate)(enumerator_t *this, ...); + + /** + * @brief Destroy a enumerator instance. + */ + void (*destroy)(enumerator_t *this); +}; + +/** + * @brief Create an enumerator which enumerates over nothing + */ +enumerator_t* enumerator_create_empty(); + +#endif /* ENUMERATOR_H_ */ diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index ba0a76893..18f6d6824 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -19,6 +19,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id: identification.c 3256 2007-10-07 13:42:43Z andreas $ */ #define _GNU_SOURCE @@ -199,19 +201,6 @@ static void update_chunk(chunk_t *ch, int n) } /** - * Prints a binary string in hexadecimal form - */ -void hex_str(chunk_t bin, chunk_t *str) -{ - u_int i; - update_chunk(str, snprintf(str->ptr,str->len,"0x")); - for (i = 0; i < bin.len; i++) - { - update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++)); - } -} - -/** * Remove any malicious characters from a chunk. We are very restrictive, but * whe use these strings only to present it to the user. */ @@ -402,9 +391,9 @@ static status_t dntoa(chunk_t dn, chunk_t *str) /* print OID */ oid_code = known_oid(oid); - if (oid_code == OID_UNKNOWN) - { /* OID not found in list */ - hex_str(oid, str); + if (oid_code == OID_UNKNOWN) + { + update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid)); } else { @@ -467,12 +456,16 @@ static bool same_dn(chunk_t a, chunk_t b) || (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL))) { if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) + { return FALSE; + } } else { - if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - return FALSE; + if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) + { + return FALSE; + } } } /* both DNs must have same number of RDNs */ @@ -540,12 +533,16 @@ bool match_dn(chunk_t a, chunk_t b, int *wildcards) || (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL))) { if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) + { return FALSE; + } } else { - if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0) + if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) + { return FALSE; + } } } /* both DNs must have same number of RDNs */ @@ -931,7 +928,7 @@ static int print(FILE *stream, const struct printf_info *info, case ID_FQDN: { proper = sanitize_chunk(this->encoded); - written = fprintf(stream, "@%.*s", proper.len, proper.ptr); + written = fprintf(stream, "%.*s", proper.len, proper.ptr); chunk_free(&proper); return written; } @@ -1071,8 +1068,15 @@ identification_t *identification_create_from_string(char *string) if (inet_pton(AF_INET, string, &address) <= 0) { - free(this); - return NULL; + /* not IPv4, mostly FQDN */ + this->type = ID_FQDN; + this->encoded.ptr = strdup(string); + this->encoded.len = strlen(string); + this->public.matches = (bool (*) + (identification_t*,identification_t*,int*))matches_string; + this->public.equals = (bool (*) + (identification_t*,identification_t*))equals_strcasecmp; + return &(this->public); } this->encoded = chunk_clone(chunk); this->type = ID_IPV4_ADDR; @@ -1137,6 +1141,7 @@ identification_t *identification_create_from_string(char *string) identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded) { private_identification_t *this = identification_create(); + this->type = type; switch (type) { diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index a28ebba51..dab18fd5c 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -190,7 +190,8 @@ whitelist_t whitelist[] = { {getprotobynumber, 291}, {getservbyport, 311}, {register_printf_function, 159}, - {syslog, 45}, + {syslog, 44}, + {vsyslog, 41}, {dlopen, 109}, # ifdef LIBCURL /* from /usr/lib/libcurl.so.3 */ diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c index de52ea46a..5cd8ffd7a 100644 --- a/src/libstrongswan/utils/linked_list.c +++ b/src/libstrongswan/utils/linked_list.c @@ -6,6 +6,7 @@ */ /* + * Copyright (C) 2007 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -140,6 +141,52 @@ struct private_iterator_t { void *hook_param; }; +typedef struct private_enumerator_t private_enumerator_t; + +/** + * linked lists enumerator implementation + */ +struct private_enumerator_t { + + /** + * implements enumerator interface + */ + enumerator_t enumerator; + + /** + * next item to enumerate + */ + element_t *next; +}; + +/** + * Implementation of private_enumerator_t.enumerator.enumerate. + */ +static bool enumerate(private_enumerator_t *this, void **item) +{ + if (this->next == NULL) + { + return FALSE; + } + *item = this->next->value; + this->next = this->next->next; + return TRUE; +} + +/** + * Implementation of linked_list_t.create_enumerator. + */ +static enumerator_t* create_enumerator(private_linked_list_t *this) +{ + private_enumerator_t *enumerator = malloc_thing(private_enumerator_t); + + enumerator->enumerator.enumerate = (void*)enumerate; + enumerator->enumerator.destroy = (void*)free; + enumerator->next = this->first; + + return &enumerator->enumerator; +} + /** * Implementation of iterator_t.get_count. */ @@ -630,9 +677,9 @@ static status_t get_last(private_linked_list_t *this, void **item) } /** - * Implementation of linked_list_t.invoke. + * Implementation of linked_list_t.invoke_offset. */ -static void invoke(private_linked_list_t *this, size_t offset) +static void invoke_offset(private_linked_list_t *this, size_t offset) { element_t *current = this->first; @@ -645,13 +692,62 @@ static void invoke(private_linked_list_t *this, size_t offset) } /** + * Implementation of linked_list_t.invoke_function. + */ +static void invoke_function(private_linked_list_t *this, void(*fn)(void*)) +{ + element_t *current = this->first; + + while (current) + { + fn(current->value); + current = current->next; + } +} + +/** + * Implementation of linked_list_t.clone_offset + */ +static linked_list_t *clone_offset(private_linked_list_t *this, size_t offset) +{ + linked_list_t *clone = linked_list_create(); + element_t *current = this->first; + + while (current) + { + void* (**method)(void*) = current->value + offset; + clone->insert_last(clone, (*method)(current->value)); + current = current->next; + } + + return clone; +} + +/** + * Implementation of linked_list_t.clone_function + */ +static linked_list_t *clone_function(private_linked_list_t *this, void* (*fn)(void*)) +{ + linked_list_t *clone = linked_list_create(); + element_t *current = this->first; + + while (current) + { + clone->insert_last(clone, fn(current->value)); + current = current->next; + } + + return clone; +} + +/** * Implementation of linked_list_t.destroy. */ static void destroy(private_linked_list_t *this) { void *value; /* Remove all list items before destroying list */ - while (this->public.remove_first(&(this->public), &value) == SUCCESS) + while (remove_first(this, &value) == SUCCESS) { /* values are not destroyed so memory leaks are possible * if list is not empty when deleting */ @@ -744,6 +840,7 @@ linked_list_t *linked_list_create() this->public.get_count = (int (*) (linked_list_t *)) get_count; this->public.create_iterator = (iterator_t * (*) (linked_list_t *,bool))create_iterator; this->public.create_iterator_locked = (iterator_t * (*) (linked_list_t *,pthread_mutex_t*))create_iterator_locked; + this->public.create_enumerator = (enumerator_t*(*)(linked_list_t*))create_enumerator; this->public.get_first = (status_t (*) (linked_list_t *, void **item))get_first; this->public.get_last = (status_t (*) (linked_list_t *, void **item))get_last; this->public.insert_first = (void (*) (linked_list_t *, void *item))insert_first; @@ -753,7 +850,10 @@ linked_list_t *linked_list_create() this->public.insert_at_position = (status_t (*) (linked_list_t *,size_t, void *))insert_at_position; this->public.remove_at_position = (status_t (*) (linked_list_t *,size_t, void **))remove_at_position; this->public.get_at_position = (status_t (*) (linked_list_t *,size_t, void **))get_at_position; - this->public.invoke = (void (*)(linked_list_t*,size_t))invoke; + this->public.invoke_offset = (void (*)(linked_list_t*,size_t))invoke_offset; + this->public.invoke_function = (void (*)(linked_list_t*,void(*)(void*)))invoke_function; + this->public.clone_offset = (linked_list_t * (*)(linked_list_t*,size_t))clone_offset; + this->public.clone_function = (linked_list_t * (*)(linked_list_t*,void*(*)(void*)))clone_function; this->public.destroy = (void (*) (linked_list_t *))destroy; this->public.destroy_offset = (void (*) (linked_list_t *,size_t))destroy_offset; this->public.destroy_function = (void (*)(linked_list_t*,void(*)(void*)))destroy_function; diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h index 58bcbbdaa..ebe5c187c 100644 --- a/src/libstrongswan/utils/linked_list.h +++ b/src/libstrongswan/utils/linked_list.h @@ -6,6 +6,7 @@ */ /* + * Copyright (C) 2007 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -30,6 +31,7 @@ typedef struct linked_list_t linked_list_t; #include <library.h> #include <utils/iterator.h> +#include <utils/enumerator.h> /** * @brief Class implementing a double linked list. @@ -55,6 +57,9 @@ struct linked_list_t { * @brief Creates a iterator for the given list. * * @warning Created iterator_t object has to get destroyed by the caller. + * + * @deprecated Iterator is obsolete and will disappear, it is too + * complicated to implement. Use enumerator instead. * * @param this calling object * @param forward iterator direction (TRUE: front to end) @@ -74,7 +79,18 @@ struct linked_list_t { */ iterator_t *(*create_iterator_locked) (linked_list_t *this, pthread_mutex_t *mutex); - + + /** + * @brief Create an enumerator over the list. + * + * The enumerator is a "lightweight" iterator. It only has two methods + * and should therefore be much easier to implement. + * + * @param this calling object + * @return enumerator over list items + */ + enumerator_t* (*create_enumerator)(linked_list_t *this); + /** * @brief Inserts a new item at the beginning of the list. * @@ -183,7 +199,33 @@ struct linked_list_t { * @param this calling object * @param offset offset of the method to invoke on objects */ - void (*invoke) (linked_list_t *this, size_t offset); + void (*invoke_offset) (linked_list_t *this, size_t offset); + + /** + * @brief Invoke a function on all of the contained objects. + * + * @param this calling object + * @param offset offset of the method to invoke on objects + */ + void (*invoke_function) (linked_list_t *this, void (*)(void*)); + + /** + * @brief Clones a list and its objects using the objects' clone method. + * + * @param this calling object + * @param offset offset ot the objects clone function + * @return cloned list + */ + linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset); + + /** + * @brief Clones a list and its objects using a given function. + * + * @param this calling object + * @param function function that clones an object + * @return cloned list + */ + linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*)); /** * @brief Destroys a linked_list object. diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c new file mode 100644 index 000000000..ffa571b05 --- /dev/null +++ b/src/libstrongswan/utils/optionsfrom.c @@ -0,0 +1,148 @@ +/** + * @file optionsfrom.c + * + * @brief read command line options from a file + * + */ + +/* + * Copyright (C) 1998, 1999 Henry Spencer. + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * + */ + +#include <stdio.h> +#include <errno.h> + +#include <library.h> +#include <debug.h> +#include <utils/lexparser.h> + +#include "optionsfrom.h" + +#define MAX_USES 20 /* loop-detection limit */ +#define SOME_ARGS 10 /* first guess at how many arguments we'll need */ + +/* + * Defined in header. + */ +bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind) +{ + static int nuses = 0; + char **newargv; + int newargc; + int next; /* place for next argument */ + int room; /* how many more new arguments we can hold */ + size_t bytes; + chunk_t chunk, src, line, token; + bool good = TRUE; + int linepos = 0; + FILE *fd; + + /* avoid endless loops with recursive --optionsfrom arguments */ + nuses++; + if (nuses >= MAX_USES) + { + DBG1("optionsfrom called %d times - looping?", (*argvp)[0], nuses); + return FALSE; + } + + fd = fopen(filename, "r"); + if (fd == NULL) + { + DBG1("optionsfrom: unable to open file '%s': %s", + filename, strerror(errno)); + return FALSE; + } + + /* determine the file size */ + fseek(fd, 0, SEEK_END); + chunk.len = ftell(fd); + rewind(fd); + + /* allocate one byte more just in case of a missing final newline */ + chunk.ptr = malloc(chunk.len + 1); + + /* read the whole file into a chunk */ + bytes = fread(chunk.ptr, 1, chunk.len, fd); + fclose(fd); + + newargc = *argcp + SOME_ARGS; + newargv = malloc((newargc + 1) * sizeof(char *)); + memcpy(newargv, *argvp, optind * sizeof(char *)); + room = SOME_ARGS; + next = optind; + newargv[next] = NULL; + + /* we keep the chunk pointer so that we can still free it */ + src = chunk; + + while (fetchline(&src, &line) && good) + { + linepos++; + while (eat_whitespace(&line)) + { + if (*line.ptr == '"'|| *line.ptr == '\'') + { + char delimiter = *line.ptr; + + line.ptr++; + line.len--; + if (!extract_token(&token, delimiter, &line)) + { + DBG1("optionsfrom: missing terminator at %s:%d", + filename, linepos); + good = FALSE; + break; + } + } + else + { + if (!extract_token(&token, ' ', &line)) + { + /* last token in a line */ + token = line; + line.len = 0; + } + } + + /* do we have to allocate more memory for additional arguments? */ + if (room == 0) + { + newargc += SOME_ARGS; + newargv = realloc(newargv, (newargc+1) * sizeof(char *)); + room = SOME_ARGS; + } + + /* terminate the token by replacing the delimiter with a null character */ + *(token.ptr + token.len) = '\0'; + + /* assign the token to the next argument */ + newargv[next] = token.ptr; + next++; + room--; + } + } + + if (!good) /* error of some kind */ + { + free(chunk.ptr); + free(newargv); + return FALSE; + } + + memcpy(newargv + next, *argvp + optind, (*argcp + 1 - optind) * sizeof(char *)); + *argcp += next - optind; + *argvp = newargv; + return TRUE; +} + diff --git a/src/libstrongswan/utils/optionsfrom.h b/src/libstrongswan/utils/optionsfrom.h new file mode 100644 index 000000000..d6b9efde5 --- /dev/null +++ b/src/libstrongswan/utils/optionsfrom.h @@ -0,0 +1,37 @@ +/** + * @file optionsfrom.h + * + * @brief Read command line options from a file + * + */ + +/* + * Copyright (C) 1998, 1999 Henry Spencer. + * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef OPTIONSFROM_H_ +#define OPTIONSFROM_H_ + +/** + * @brief Pick up more options from a file, in the middle of an option scan + * + * @param filename file containing the options + * @param argcp pointer to argc + * @param argvp pointer to argv[] + * @param optind current optind, number of next argument + * @return TRUE if optionsfrom parsing successful + */ +bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind); + +#endif /*OPTIONSFROM_H_*/ |