diff options
Diffstat (limited to 'src/libstrongswan')
103 files changed, 1990 insertions, 2427 deletions
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 212b9547d..ee6996558 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -1,14 +1,6 @@ lib_LTLIBRARIES = libstrongswan.la -if USE_INTEGRITY_TEST - libstrongswan_la_SOURCES = \ - fips/fips_canister_start.c \ - fips/fips.c fips/fips.h -else - libstrongswan_la_SOURCES = -endif - -libstrongswan_la_SOURCES += \ +libstrongswan_la_SOURCES = \ library.c library.h \ chunk.c chunk.h \ debug.c debug.h \ @@ -58,7 +50,7 @@ utils/mutex.c utils/mutex.h \ utils/backtrace.c utils/backtrace.h \ plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h -libstrongswan_la_LIBADD = -lpthread $(DLLIB) +libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ @@ -76,8 +68,9 @@ if USE_LOCK_PROFILER endif if USE_INTEGRITY_TEST + AM_CFLAGS += -DINTEGRITY_TEST libstrongswan_la_SOURCES += \ - fips/fips_canister_end.c + integrity_checker.c integrity_checker.h endif if USE_VSTR @@ -204,7 +197,3 @@ endif if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors endif - -if USE_INTEGRITY_TEST - SUBDIRS += fips -endif diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index dd25f0526..ae751c098 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -37,31 +37,34 @@ host_triplet = @host@ @USE_LEAK_DETECTIVE_TRUE@ utils/leak_detective.c utils/leak_detective.h @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER -@USE_VSTR_TRUE@am__append_4 = -lvstr -@USE_AES_TRUE@am__append_5 = plugins/aes -@USE_DES_TRUE@am__append_6 = plugins/des -@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish -@USE_MD4_TRUE@am__append_8 = plugins/md4 -@USE_MD5_TRUE@am__append_9 = plugins/md5 -@USE_SHA1_TRUE@am__append_10 = plugins/sha1 -@USE_SHA2_TRUE@am__append_11 = plugins/sha2 -@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf -@USE_GMP_TRUE@am__append_13 = plugins/gmp -@USE_RANDOM_TRUE@am__append_14 = plugins/random -@USE_HMAC_TRUE@am__append_15 = plugins/hmac -@USE_XCBC_TRUE@am__append_16 = plugins/xcbc -@USE_X509_TRUE@am__append_17 = plugins/x509 -@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey -@USE_CURL_TRUE@am__append_19 = plugins/curl -@USE_LDAP_TRUE@am__append_20 = plugins/ldap -@USE_MYSQL_TRUE@am__append_21 = plugins/mysql -@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite -@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock -@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl -@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt -@USE_AGENT_TRUE@am__append_26 = plugins/agent -@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors -@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips +@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST +@USE_INTEGRITY_TEST_TRUE@am__append_5 = \ +@USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h + +@USE_VSTR_TRUE@am__append_6 = -lvstr +@USE_AES_TRUE@am__append_7 = plugins/aes +@USE_DES_TRUE@am__append_8 = plugins/des +@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish +@USE_MD4_TRUE@am__append_10 = plugins/md4 +@USE_MD5_TRUE@am__append_11 = plugins/md5 +@USE_SHA1_TRUE@am__append_12 = plugins/sha1 +@USE_SHA2_TRUE@am__append_13 = plugins/sha2 +@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf +@USE_GMP_TRUE@am__append_15 = plugins/gmp +@USE_RANDOM_TRUE@am__append_16 = plugins/random +@USE_HMAC_TRUE@am__append_17 = plugins/hmac +@USE_XCBC_TRUE@am__append_18 = plugins/xcbc +@USE_X509_TRUE@am__append_19 = plugins/x509 +@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey +@USE_CURL_TRUE@am__append_21 = plugins/curl +@USE_LDAP_TRUE@am__append_22 = plugins/ldap +@USE_MYSQL_TRUE@am__append_23 = plugins/mysql +@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite +@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock +@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl +@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt +@USE_AGENT_TRUE@am__append_28 = plugins/agent +@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -81,6 +84,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ @@ -123,51 +127,20 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ utils/backtrace.h plugins/plugin_loader.c \ plugins/plugin_loader.h plugins/plugin.h \ utils/leak_detective.c utils/leak_detective.h \ - fips/fips_canister_start.c fips/fips.c fips/fips.h \ - fips/fips_canister_end.c + integrity_checker.c integrity_checker.h @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo -@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \ -@USE_INTEGRITY_TEST_FALSE@ chunk.lo debug.lo enum.lo \ -@USE_INTEGRITY_TEST_FALSE@ settings.lo printf_hook.lo asn1.lo \ -@USE_INTEGRITY_TEST_FALSE@ asn1_parser.lo oid.lo pem.lo \ -@USE_INTEGRITY_TEST_FALSE@ crypter.lo hasher.lo pkcs9.lo \ -@USE_INTEGRITY_TEST_FALSE@ proposal_keywords.lo prf.lo rng.lo \ -@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo signer.lo \ -@USE_INTEGRITY_TEST_FALSE@ crypto_factory.lo crypto_tester.lo \ -@USE_INTEGRITY_TEST_FALSE@ diffie_hellman.lo transform.lo \ -@USE_INTEGRITY_TEST_FALSE@ credential_factory.lo builder.lo \ -@USE_INTEGRITY_TEST_FALSE@ private_key.lo public_key.lo \ -@USE_INTEGRITY_TEST_FALSE@ shared_key.lo certificate.lo x509.lo \ -@USE_INTEGRITY_TEST_FALSE@ crl.lo ocsp_response.lo \ -@USE_INTEGRITY_TEST_FALSE@ database_factory.lo \ -@USE_INTEGRITY_TEST_FALSE@ fetcher_manager.lo pgp.lo utils.lo \ -@USE_INTEGRITY_TEST_FALSE@ host.lo identification.lo \ -@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_FALSE@ hashtable.lo enumerator.lo \ -@USE_INTEGRITY_TEST_FALSE@ optionsfrom.lo mutex.lo backtrace.lo \ -@USE_INTEGRITY_TEST_FALSE@ plugin_loader.lo $(am__objects_1) -@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \ -@USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \ -@USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \ -@USE_INTEGRITY_TEST_TRUE@ settings.lo printf_hook.lo asn1.lo \ -@USE_INTEGRITY_TEST_TRUE@ asn1_parser.lo oid.lo pem.lo \ -@USE_INTEGRITY_TEST_TRUE@ crypter.lo hasher.lo pkcs9.lo \ -@USE_INTEGRITY_TEST_TRUE@ proposal_keywords.lo prf.lo rng.lo \ -@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo signer.lo \ -@USE_INTEGRITY_TEST_TRUE@ crypto_factory.lo crypto_tester.lo \ -@USE_INTEGRITY_TEST_TRUE@ diffie_hellman.lo transform.lo \ -@USE_INTEGRITY_TEST_TRUE@ credential_factory.lo builder.lo \ -@USE_INTEGRITY_TEST_TRUE@ private_key.lo public_key.lo \ -@USE_INTEGRITY_TEST_TRUE@ shared_key.lo certificate.lo x509.lo \ -@USE_INTEGRITY_TEST_TRUE@ crl.lo ocsp_response.lo \ -@USE_INTEGRITY_TEST_TRUE@ database_factory.lo \ -@USE_INTEGRITY_TEST_TRUE@ fetcher_manager.lo pgp.lo utils.lo \ -@USE_INTEGRITY_TEST_TRUE@ host.lo identification.lo \ -@USE_INTEGRITY_TEST_TRUE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_TRUE@ hashtable.lo enumerator.lo \ -@USE_INTEGRITY_TEST_TRUE@ optionsfrom.lo mutex.lo backtrace.lo \ -@USE_INTEGRITY_TEST_TRUE@ plugin_loader.lo $(am__objects_1) \ -@USE_INTEGRITY_TEST_TRUE@ fips_canister_end.lo +@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo +am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ + settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \ + pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \ + prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \ + crypto_tester.lo diffie_hellman.lo transform.lo \ + credential_factory.lo builder.lo private_key.lo public_key.lo \ + shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \ + database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \ + identification.lo lexparser.lo linked_list.lo hashtable.lo \ + enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \ + plugin_loader.lo $(am__objects_1) $(am__objects_2) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -199,15 +172,17 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ plugins/gmp plugins/random plugins/hmac plugins/xcbc \ plugins/x509 plugins/pubkey plugins/curl plugins/ldap \ plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/agent plugins/test_vectors fips + plugins/gcrypt plugins/agent plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -272,6 +247,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -312,7 +288,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -347,154 +325,52 @@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ lib_LTLIBRARIES = libstrongswan.la -@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = library.c \ -@USE_INTEGRITY_TEST_FALSE@ library.h chunk.c chunk.h debug.c \ -@USE_INTEGRITY_TEST_FALSE@ debug.h enum.c enum.h settings.h \ -@USE_INTEGRITY_TEST_FALSE@ settings.c printf_hook.c \ -@USE_INTEGRITY_TEST_FALSE@ printf_hook.h asn1/asn1.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/asn1.h asn1/asn1_parser.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/asn1_parser.h asn1/oid.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/oid.h asn1/pem.c asn1/pem.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs9.c crypto/pkcs9.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/prf.c crypto/prfs/prf.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/rngs/rng.c crypto/rngs/rng.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/prf_plus.h crypto/prf_plus.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/transform.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/transform.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/builder.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/builder.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ac.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_request.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.c \ -@USE_INTEGRITY_TEST_FALSE@ database/database.h \ -@USE_INTEGRITY_TEST_FALSE@ database/database_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ database/database_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher.h \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.h \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.c pgp/pgp.c \ -@USE_INTEGRITY_TEST_FALSE@ pgp/pgp.h utils.h utils.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/host.c utils/host.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/identification.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/identification.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/iterator.h utils/lexparser.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/lexparser.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/hashtable.c utils/hashtable.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.h utils/mutex.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/mutex.h utils/backtrace.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/backtrace.h \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.c \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.h \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin.h $(am__append_2) -@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES = \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_start.c \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips.c fips/fips.h library.c \ -@USE_INTEGRITY_TEST_TRUE@ library.h chunk.c chunk.h debug.c \ -@USE_INTEGRITY_TEST_TRUE@ debug.h enum.c enum.h settings.h \ -@USE_INTEGRITY_TEST_TRUE@ settings.c printf_hook.c \ -@USE_INTEGRITY_TEST_TRUE@ printf_hook.h asn1/asn1.c asn1/asn1.h \ -@USE_INTEGRITY_TEST_TRUE@ asn1/asn1_parser.c asn1/asn1_parser.h \ -@USE_INTEGRITY_TEST_TRUE@ asn1/oid.c asn1/oid.h asn1/pem.c \ -@USE_INTEGRITY_TEST_TRUE@ asn1/pem.h crypto/crypters/crypter.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs9.c crypto/pkcs9.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/prf.c crypto/prfs/prf.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/rngs/rng.c crypto/rngs/rng.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/prf_plus.h crypto/prf_plus.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/transform.c crypto/transform.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/builder.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/builder.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ac.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_request.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.c \ -@USE_INTEGRITY_TEST_TRUE@ database/database.h \ -@USE_INTEGRITY_TEST_TRUE@ database/database_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ database/database_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher.h \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.h \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.c pgp/pgp.c \ -@USE_INTEGRITY_TEST_TRUE@ pgp/pgp.h utils.h utils.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/host.c utils/host.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/identification.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/identification.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/iterator.h utils/lexparser.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/lexparser.h utils/linked_list.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.h utils/hashtable.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/hashtable.h utils/enumerator.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/enumerator.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.h utils/mutex.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/mutex.h utils/backtrace.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/backtrace.h \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.c \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.h \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin.h $(am__append_2) \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_end.c -libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4) +libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ + debug.h enum.c enum.h settings.h settings.c printf_hook.c \ + printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \ + asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \ + crypto/crypters/crypter.c crypto/crypters/crypter.h \ + crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \ + crypto/pkcs9.h crypto/proposal/proposal_keywords.c \ + crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \ + crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \ + crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \ + crypto/signers/signer.h crypto/crypto_factory.c \ + crypto/crypto_factory.h crypto/crypto_tester.c \ + crypto/crypto_tester.h crypto/diffie_hellman.c \ + crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ + credentials/credential_factory.c \ + credentials/credential_factory.h credentials/builder.c \ + credentials/builder.h credentials/keys/private_key.c \ + credentials/keys/private_key.h credentials/keys/public_key.c \ + credentials/keys/public_key.h credentials/keys/shared_key.c \ + credentials/keys/shared_key.h \ + credentials/certificates/certificate.c \ + credentials/certificates/certificate.h \ + credentials/certificates/x509.h \ + credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/crl.h credentials/certificates/crl.c \ + credentials/certificates/ocsp_request.h \ + credentials/certificates/ocsp_response.h \ + credentials/certificates/ocsp_response.c database/database.h \ + database/database_factory.h database/database_factory.c \ + fetcher/fetcher.h fetcher/fetcher_manager.h \ + fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \ + utils/host.c utils/host.h utils/identification.c \ + utils/identification.h utils/iterator.h utils/lexparser.c \ + utils/lexparser.h utils/linked_list.c utils/linked_list.h \ + utils/hashtable.c utils/hashtable.h utils/enumerator.c \ + utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \ + utils/mutex.c utils/mutex.h utils/backtrace.c \ + utils/backtrace.h plugins/plugin_loader.c \ + plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \ + $(am__append_5) +libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \ + $(am__append_6) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \ - $(am__append_3) + $(am__append_3) $(am__append_4) EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords.txt @@ -510,14 +386,14 @@ $(srcdir)/crypto/proposal/proposal_keywords.c # build plugins with their own Makefile ####################################### -SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \ - $(am__append_8) $(am__append_9) $(am__append_10) \ - $(am__append_11) $(am__append_12) $(am__append_13) \ - $(am__append_14) $(am__append_15) $(am__append_16) \ - $(am__append_17) $(am__append_18) $(am__append_19) \ - $(am__append_20) $(am__append_21) $(am__append_22) \ - $(am__append_23) $(am__append_24) $(am__append_25) \ - $(am__append_26) $(am__append_27) $(am__append_28) +SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \ + $(am__append_10) $(am__append_11) $(am__append_12) \ + $(am__append_13) $(am__append_14) $(am__append_15) \ + $(am__append_16) $(am__append_17) $(am__append_18) \ + $(am__append_19) $(am__append_20) $(am__append_21) \ + $(am__append_22) $(am__append_23) $(am__append_24) \ + $(am__append_25) $(am__append_26) $(am__append_27) \ + $(am__append_28) $(am__append_29) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -605,13 +481,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @@ -932,27 +806,6 @@ leak_detective.lo: utils/leak_detective.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c -fips_canister_start.lo: fips/fips_canister_start.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c - -fips.lo: fips/fips.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c - -fips_canister_end.lo: fips/fips_canister_end.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c - mostlyclean-libtool: -rm -f *.lo diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index d2078cbbc..ec46b165b 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -260,25 +260,32 @@ size_t asn1_length(chunk_t *blob) u_char n; size_t len; - /* advance from tag field on to length field */ - blob->ptr++; - blob->len--; + if (blob->len < 2) + { + DBG2("insufficient number of octets to parse ASN.1 length"); + return ASN1_INVALID_LENGTH; + } - /* read first octet of length field */ - n = *blob->ptr++; - blob->len--; + /* read length field, skip tag and length */ + n = blob->ptr[1]; + *blob = chunk_skip(*blob, 2); if ((n & 0x80) == 0) - {/* single length octet */ + { /* single length octet */ + if (n > blob->len) + { + DBG2("length is larger than remaining blob size"); + return ASN1_INVALID_LENGTH; + } return n; } /* composite length, determine number of length octets */ n &= 0x7f; - if (n > blob->len) + if (n == 0 || n > blob->len) { - DBG2("number of length octets is larger than ASN.1 object"); + DBG2("number of length octets invalid"); return ASN1_INVALID_LENGTH; } @@ -304,6 +311,53 @@ size_t asn1_length(chunk_t *blob) return len; } +/* + * See header. + */ +int asn1_unwrap(chunk_t *blob, chunk_t *inner) +{ + chunk_t res; + u_char len; + int type; + + if (blob->len < 2) + { + return ASN1_INVALID; + } + type = blob->ptr[0]; + len = blob->ptr[1]; + *blob = chunk_skip(*blob, 2); + + if ((len & 0x80) == 0) + { /* single length octet */ + res.len = len; + } + else + { /* composite length, determine number of length octets */ + len &= 0x7f; + if (len == 0 || len > sizeof(res.len)) + { + return ASN1_INVALID; + } + res.len = 0; + while (len-- > 0) + { + res.len = 256 * res.len + blob->ptr[0]; + *blob = chunk_skip(*blob, 1); + } + } + if (res.len > blob->len) + { + return ASN1_INVALID; + } + res.ptr = blob->ptr; + *blob = chunk_skip(*blob, res.len); + /* updating inner not before we are finished allows a caller to pass + * blob = inner */ + *inner = res; + return type; +} + #define TIME_MAX 0x7fffffff static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 }; diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 6a2b594c0..8072d62d6 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -74,7 +74,9 @@ typedef enum { ASN1_CONTEXT_C_2 = 0xA2, ASN1_CONTEXT_C_3 = 0xA3, ASN1_CONTEXT_C_4 = 0xA4, - ASN1_CONTEXT_C_5 = 0xA5 + ASN1_CONTEXT_C_5 = 0xA5, + + ASN1_INVALID = 0x100, } asn1_t; #define ASN1_INVALID_LENGTH 0xffffffff @@ -123,6 +125,15 @@ chunk_t asn1_build_known_oid(int n); size_t asn1_length(chunk_t *blob); /** + * Unwrap the inner content of an ASN.1 type/length wrapped object. + * + * @param blob blob to parse header from, moved behind parsed content + * @param content inner content + * @return parsed type, ASN1_INVALID if length parsing failed + */ +int asn1_unwrap(chunk_t *blob, chunk_t *content); + +/** * Parses an ASN.1 algorithmIdentifier object * * @param blob ASN.1 coded blob diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 53657b514..391d65e89 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -62,7 +62,7 @@ const oid_t oid_names[] = { { 0x25, 50, 0, 2, "extendedKeyUsage" }, /* 49 */ { 0x37, 51, 0, 2, "targetInformation" }, /* 50 */ { 0x38, 0, 0, 2, "noRevAvail" }, /* 51 */ - {0x2A, 143, 1, 0, "" }, /* 52 */ + {0x2A, 149, 1, 0, "" }, /* 52 */ { 0x83, 65, 1, 1, "" }, /* 53 */ { 0x08, 0, 1, 2, "jp" }, /* 54 */ { 0x8C, 0, 1, 3, "" }, /* 55 */ @@ -77,7 +77,7 @@ const oid_t oid_names[] = { { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 64 */ { 0x86, 0, 1, 1, "" }, /* 65 */ { 0x48, 0, 1, 2, "us" }, /* 66 */ - { 0x86, 107, 1, 3, "" }, /* 67 */ + { 0x86, 108, 1, 3, "" }, /* 67 */ { 0xF6, 73, 1, 4, "" }, /* 68 */ { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 69 */ { 0x07, 0, 1, 6, "Entrust" }, /* 70 */ @@ -85,225 +85,231 @@ const oid_t oid_names[] = { { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 72 */ { 0xF7, 0, 1, 4, "" }, /* 73 */ { 0x0D, 0, 1, 5, "RSADSI" }, /* 74 */ - { 0x01, 102, 1, 6, "PKCS" }, /* 75 */ - { 0x01, 84, 1, 7, "PKCS-1" }, /* 76 */ + { 0x01, 103, 1, 6, "PKCS" }, /* 75 */ + { 0x01, 85, 1, 7, "PKCS-1" }, /* 76 */ { 0x01, 78, 0, 8, "rsaEncryption" }, /* 77 */ { 0x02, 79, 0, 8, "md2WithRSAEncryption" }, /* 78 */ { 0x04, 80, 0, 8, "md5WithRSAEncryption" }, /* 79 */ { 0x05, 81, 0, 8, "sha-1WithRSAEncryption" }, /* 80 */ { 0x0B, 82, 0, 8, "sha256WithRSAEncryption" }, /* 81 */ { 0x0C, 83, 0, 8, "sha384WithRSAEncryption" }, /* 82 */ - { 0x0D, 0, 0, 8, "sha512WithRSAEncryption" }, /* 83 */ - { 0x07, 91, 1, 7, "PKCS-7" }, /* 84 */ - { 0x01, 86, 0, 8, "data" }, /* 85 */ - { 0x02, 87, 0, 8, "signedData" }, /* 86 */ - { 0x03, 88, 0, 8, "envelopedData" }, /* 87 */ - { 0x04, 89, 0, 8, "signedAndEnvelopedData" }, /* 88 */ - { 0x05, 90, 0, 8, "digestedData" }, /* 89 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 90 */ - { 0x09, 0, 1, 7, "PKCS-9" }, /* 91 */ - { 0x01, 93, 0, 8, "E" }, /* 92 */ - { 0x02, 94, 0, 8, "unstructuredName" }, /* 93 */ - { 0x03, 95, 0, 8, "contentType" }, /* 94 */ - { 0x04, 96, 0, 8, "messageDigest" }, /* 95 */ - { 0x05, 97, 0, 8, "signingTime" }, /* 96 */ - { 0x06, 98, 0, 8, "counterSignature" }, /* 97 */ - { 0x07, 99, 0, 8, "challengePassword" }, /* 98 */ - { 0x08, 100, 0, 8, "unstructuredAddress" }, /* 99 */ - { 0x0E, 101, 0, 8, "extensionRequest" }, /* 100 */ - { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 101 */ - { 0x02, 105, 1, 6, "digestAlgorithm" }, /* 102 */ - { 0x02, 104, 0, 7, "md2" }, /* 103 */ - { 0x05, 0, 0, 7, "md5" }, /* 104 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 105 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 106 */ - { 0xCE, 0, 1, 3, "" }, /* 107 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 108 */ - { 0x02, 111, 1, 5, "id-publicKeyType" }, /* 109 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 110 */ - { 0x03, 141, 1, 5, "ellipticCurve" }, /* 111 */ - { 0x00, 133, 1, 6, "c-TwoCurve" }, /* 112 */ - { 0x01, 114, 0, 7, "c2pnb163v1" }, /* 113 */ - { 0x02, 115, 0, 7, "c2pnb163v2" }, /* 114 */ - { 0x03, 116, 0, 7, "c2pnb163v3" }, /* 115 */ - { 0x04, 117, 0, 7, "c2pnb176w1" }, /* 116 */ - { 0x05, 118, 0, 7, "c2tnb191v1" }, /* 117 */ - { 0x06, 119, 0, 7, "c2tnb191v2" }, /* 118 */ - { 0x07, 120, 0, 7, "c2tnb191v3" }, /* 119 */ - { 0x08, 121, 0, 7, "c2onb191v4" }, /* 120 */ - { 0x09, 122, 0, 7, "c2onb191v5" }, /* 121 */ - { 0x0A, 123, 0, 7, "c2pnb208w1" }, /* 122 */ - { 0x0B, 124, 0, 7, "c2tnb239v1" }, /* 123 */ - { 0x0C, 125, 0, 7, "c2tnb239v2" }, /* 124 */ - { 0x0D, 126, 0, 7, "c2tnb239v3" }, /* 125 */ - { 0x0E, 127, 0, 7, "c2onb239v4" }, /* 126 */ - { 0x0F, 128, 0, 7, "c2onb239v5" }, /* 127 */ - { 0x10, 129, 0, 7, "c2pnb272w1" }, /* 128 */ - { 0x11, 130, 0, 7, "c2pnb304w1" }, /* 129 */ - { 0x12, 131, 0, 7, "c2tnb359v1" }, /* 130 */ - { 0x13, 132, 0, 7, "c2pnb368w1" }, /* 131 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 132 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 133 */ - { 0x01, 135, 0, 7, "prime192v1" }, /* 134 */ - { 0x02, 136, 0, 7, "prime192v2" }, /* 135 */ - { 0x03, 137, 0, 7, "prime192v3" }, /* 136 */ - { 0x04, 138, 0, 7, "prime239v1" }, /* 137 */ - { 0x05, 139, 0, 7, "prime239v2" }, /* 138 */ - { 0x06, 140, 0, 7, "prime239v3" }, /* 139 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 140 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 141 */ - { 0x01, 0, 0, 6, "ecdsa-with-SHA1" }, /* 142 */ - {0x2B, 243, 1, 0, "" }, /* 143 */ - { 0x06, 196, 1, 1, "dod" }, /* 144 */ - { 0x01, 0, 1, 2, "internet" }, /* 145 */ - { 0x04, 164, 1, 3, "private" }, /* 146 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 147 */ - { 0x82, 157, 1, 5, "" }, /* 148 */ - { 0x37, 0, 1, 6, "Microsoft" }, /* 149 */ - { 0x0A, 154, 1, 7, "" }, /* 150 */ - { 0x03, 0, 1, 8, "" }, /* 151 */ - { 0x03, 153, 0, 9, "msSGC" }, /* 152 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 153 */ - { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 154 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 155 */ - { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 156 */ - { 0x89, 0, 1, 5, "" }, /* 157 */ - { 0x31, 0, 1, 6, "" }, /* 158 */ - { 0x01, 0, 1, 7, "" }, /* 159 */ - { 0x01, 0, 1, 8, "" }, /* 160 */ - { 0x02, 0, 1, 9, "" }, /* 161 */ - { 0x02, 163, 0, 10, "" }, /* 162 */ - { 0x4B, 0, 0, 10, "TCGID" }, /* 163 */ - { 0x05, 0, 1, 3, "security" }, /* 164 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 165 */ - { 0x07, 0, 1, 5, "id-pkix" }, /* 166 */ - { 0x01, 169, 1, 6, "id-pe" }, /* 167 */ - { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 168 */ - { 0x03, 179, 1, 6, "id-kp" }, /* 169 */ - { 0x01, 171, 0, 7, "serverAuth" }, /* 170 */ - { 0x02, 172, 0, 7, "clientAuth" }, /* 171 */ - { 0x03, 173, 0, 7, "codeSigning" }, /* 172 */ - { 0x04, 174, 0, 7, "emailProtection" }, /* 173 */ - { 0x05, 175, 0, 7, "ipsecEndSystem" }, /* 174 */ - { 0x06, 176, 0, 7, "ipsecTunnel" }, /* 175 */ - { 0x07, 177, 0, 7, "ipsecUser" }, /* 176 */ - { 0x08, 178, 0, 7, "timeStamping" }, /* 177 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 178 */ - { 0x08, 181, 1, 6, "id-otherNames" }, /* 179 */ - { 0x05, 0, 0, 7, "xmppAddr" }, /* 180 */ - { 0x0A, 186, 1, 6, "id-aca" }, /* 181 */ - { 0x01, 183, 0, 7, "authenticationInfo" }, /* 182 */ - { 0x02, 184, 0, 7, "accessIdentity" }, /* 183 */ - { 0x03, 185, 0, 7, "chargingIdentity" }, /* 184 */ - { 0x04, 0, 0, 7, "group" }, /* 185 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 186 */ - { 0x01, 195, 1, 7, "ocsp" }, /* 187 */ - { 0x01, 189, 0, 8, "basic" }, /* 188 */ - { 0x02, 190, 0, 8, "nonce" }, /* 189 */ - { 0x03, 191, 0, 8, "crl" }, /* 190 */ - { 0x04, 192, 0, 8, "response" }, /* 191 */ - { 0x05, 193, 0, 8, "noCheck" }, /* 192 */ - { 0x06, 194, 0, 8, "archiveCutoff" }, /* 193 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 194 */ - { 0x02, 0, 0, 7, "caIssuers" }, /* 195 */ - { 0x0E, 202, 1, 1, "oiw" }, /* 196 */ - { 0x03, 0, 1, 2, "secsig" }, /* 197 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 198 */ - { 0x07, 200, 0, 4, "des-cbc" }, /* 199 */ - { 0x1A, 201, 0, 4, "sha-1" }, /* 200 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 201 */ - { 0x24, 209, 1, 1, "TeleTrusT" }, /* 202 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 203 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 204 */ - { 0x01, 0, 1, 4, "rsaSignature" }, /* 205 */ - { 0x02, 207, 0, 5, "rsaSigWithripemd160" }, /* 206 */ - { 0x03, 208, 0, 5, "rsaSigWithripemd128" }, /* 207 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 208 */ - { 0x81, 0, 1, 1, "" }, /* 209 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 210 */ - { 0x00, 0, 1, 3, "curve" }, /* 211 */ - { 0x01, 213, 0, 4, "sect163k1" }, /* 212 */ - { 0x02, 214, 0, 4, "sect163r1" }, /* 213 */ - { 0x03, 215, 0, 4, "sect239k1" }, /* 214 */ - { 0x04, 216, 0, 4, "sect113r1" }, /* 215 */ - { 0x05, 217, 0, 4, "sect113r2" }, /* 216 */ - { 0x06, 218, 0, 4, "secp112r1" }, /* 217 */ - { 0x07, 219, 0, 4, "secp112r2" }, /* 218 */ - { 0x08, 220, 0, 4, "secp160r1" }, /* 219 */ - { 0x09, 221, 0, 4, "secp160k1" }, /* 220 */ - { 0x0A, 222, 0, 4, "secp256k1" }, /* 221 */ - { 0x0F, 223, 0, 4, "sect163r2" }, /* 222 */ - { 0x10, 224, 0, 4, "sect283k1" }, /* 223 */ - { 0x11, 225, 0, 4, "sect283r1" }, /* 224 */ - { 0x16, 226, 0, 4, "sect131r1" }, /* 225 */ - { 0x17, 227, 0, 4, "sect131r2" }, /* 226 */ - { 0x18, 228, 0, 4, "sect193r1" }, /* 227 */ - { 0x19, 229, 0, 4, "sect193r2" }, /* 228 */ - { 0x1A, 230, 0, 4, "sect233k1" }, /* 229 */ - { 0x1B, 231, 0, 4, "sect233r1" }, /* 230 */ - { 0x1C, 232, 0, 4, "secp128r1" }, /* 231 */ - { 0x1D, 233, 0, 4, "secp128r2" }, /* 232 */ - { 0x1E, 234, 0, 4, "secp160r2" }, /* 233 */ - { 0x1F, 235, 0, 4, "secp192k1" }, /* 234 */ - { 0x20, 236, 0, 4, "secp224k1" }, /* 235 */ - { 0x21, 237, 0, 4, "secp224r1" }, /* 236 */ - { 0x22, 238, 0, 4, "secp384r1" }, /* 237 */ - { 0x23, 239, 0, 4, "secp521r1" }, /* 238 */ - { 0x24, 240, 0, 4, "sect409k1" }, /* 239 */ - { 0x25, 241, 0, 4, "sect409r1" }, /* 240 */ - { 0x26, 242, 0, 4, "sect571k1" }, /* 241 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 242 */ - {0x60, 0, 1, 0, "" }, /* 243 */ - { 0x86, 0, 1, 1, "" }, /* 244 */ - { 0x48, 0, 1, 2, "" }, /* 245 */ - { 0x01, 289, 1, 3, "organization" }, /* 246 */ - { 0x65, 265, 1, 4, "gov" }, /* 247 */ - { 0x03, 0, 1, 5, "csor" }, /* 248 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 249 */ - { 0x01, 260, 1, 7, "aes" }, /* 250 */ - { 0x02, 252, 0, 8, "id-aes128-CBC" }, /* 251 */ - { 0x06, 253, 0, 8, "id-aes128-GCM" }, /* 252 */ - { 0x07, 254, 0, 8, "id-aes128-CCM" }, /* 253 */ - { 0x16, 255, 0, 8, "id-aes192-CBC" }, /* 254 */ - { 0x1A, 256, 0, 8, "id-aes192-GCM" }, /* 255 */ - { 0x1B, 257, 0, 8, "id-aes192-CCM" }, /* 256 */ - { 0x2A, 258, 0, 8, "id-aes256-CBC" }, /* 257 */ - { 0x2E, 259, 0, 8, "id-aes256-GCM" }, /* 258 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 259 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 260 */ - { 0x01, 262, 0, 8, "id-SHA-256" }, /* 261 */ - { 0x02, 263, 0, 8, "id-SHA-384" }, /* 262 */ - { 0x03, 264, 0, 8, "id-SHA-512" }, /* 263 */ - { 0x04, 0, 0, 8, "id-SHA-224" }, /* 264 */ - { 0x86, 0, 1, 4, "" }, /* 265 */ - { 0xf8, 0, 1, 5, "" }, /* 266 */ - { 0x42, 279, 1, 6, "netscape" }, /* 267 */ - { 0x01, 274, 1, 7, "" }, /* 268 */ - { 0x01, 270, 0, 8, "nsCertType" }, /* 269 */ - { 0x03, 271, 0, 8, "nsRevocationUrl" }, /* 270 */ - { 0x04, 272, 0, 8, "nsCaRevocationUrl" }, /* 271 */ - { 0x08, 273, 0, 8, "nsCaPolicyUrl" }, /* 272 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 273 */ - { 0x03, 277, 1, 7, "directory" }, /* 274 */ - { 0x01, 0, 1, 8, "" }, /* 275 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 276 */ - { 0x04, 0, 1, 7, "policy" }, /* 277 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 278 */ - { 0x45, 0, 1, 6, "verisign" }, /* 279 */ - { 0x01, 0, 1, 7, "pki" }, /* 280 */ - { 0x09, 0, 1, 8, "attributes" }, /* 281 */ - { 0x02, 283, 0, 9, "messageType" }, /* 282 */ - { 0x03, 284, 0, 9, "pkiStatus" }, /* 283 */ - { 0x04, 285, 0, 9, "failInfo" }, /* 284 */ - { 0x05, 286, 0, 9, "senderNonce" }, /* 285 */ - { 0x06, 287, 0, 9, "recipientNonce" }, /* 286 */ - { 0x07, 288, 0, 9, "transID" }, /* 287 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 288 */ - { 0x86, 0, 1, 3, "old-netscape" }, /* 289 */ - { 0xF7, 0, 1, 4, "" }, /* 290 */ - { 0x0D, 0, 1, 5, "" }, /* 291 */ - { 0x01, 0, 1, 6, "" }, /* 292 */ - { 0x09, 0, 1, 7, "" }, /* 293 */ - { 0x01, 295, 0, 8, "emailAddress" }, /* 294 */ - { 0x02, 0, 0, 8, "unstructuredName" } /* 295 */ + { 0x0D, 84, 0, 8, "sha512WithRSAEncryption" }, /* 83 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 84 */ + { 0x07, 92, 1, 7, "PKCS-7" }, /* 85 */ + { 0x01, 87, 0, 8, "data" }, /* 86 */ + { 0x02, 88, 0, 8, "signedData" }, /* 87 */ + { 0x03, 89, 0, 8, "envelopedData" }, /* 88 */ + { 0x04, 90, 0, 8, "signedAndEnvelopedData" }, /* 89 */ + { 0x05, 91, 0, 8, "digestedData" }, /* 90 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 91 */ + { 0x09, 0, 1, 7, "PKCS-9" }, /* 92 */ + { 0x01, 94, 0, 8, "E" }, /* 93 */ + { 0x02, 95, 0, 8, "unstructuredName" }, /* 94 */ + { 0x03, 96, 0, 8, "contentType" }, /* 95 */ + { 0x04, 97, 0, 8, "messageDigest" }, /* 96 */ + { 0x05, 98, 0, 8, "signingTime" }, /* 97 */ + { 0x06, 99, 0, 8, "counterSignature" }, /* 98 */ + { 0x07, 100, 0, 8, "challengePassword" }, /* 99 */ + { 0x08, 101, 0, 8, "unstructuredAddress" }, /* 100 */ + { 0x0E, 102, 0, 8, "extensionRequest" }, /* 101 */ + { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 102 */ + { 0x02, 106, 1, 6, "digestAlgorithm" }, /* 103 */ + { 0x02, 105, 0, 7, "md2" }, /* 104 */ + { 0x05, 0, 0, 7, "md5" }, /* 105 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 106 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 107 */ + { 0xCE, 0, 1, 3, "" }, /* 108 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 109 */ + { 0x02, 112, 1, 5, "id-publicKeyType" }, /* 110 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 111 */ + { 0x03, 142, 1, 5, "ellipticCurve" }, /* 112 */ + { 0x00, 134, 1, 6, "c-TwoCurve" }, /* 113 */ + { 0x01, 115, 0, 7, "c2pnb163v1" }, /* 114 */ + { 0x02, 116, 0, 7, "c2pnb163v2" }, /* 115 */ + { 0x03, 117, 0, 7, "c2pnb163v3" }, /* 116 */ + { 0x04, 118, 0, 7, "c2pnb176w1" }, /* 117 */ + { 0x05, 119, 0, 7, "c2tnb191v1" }, /* 118 */ + { 0x06, 120, 0, 7, "c2tnb191v2" }, /* 119 */ + { 0x07, 121, 0, 7, "c2tnb191v3" }, /* 120 */ + { 0x08, 122, 0, 7, "c2onb191v4" }, /* 121 */ + { 0x09, 123, 0, 7, "c2onb191v5" }, /* 122 */ + { 0x0A, 124, 0, 7, "c2pnb208w1" }, /* 123 */ + { 0x0B, 125, 0, 7, "c2tnb239v1" }, /* 124 */ + { 0x0C, 126, 0, 7, "c2tnb239v2" }, /* 125 */ + { 0x0D, 127, 0, 7, "c2tnb239v3" }, /* 126 */ + { 0x0E, 128, 0, 7, "c2onb239v4" }, /* 127 */ + { 0x0F, 129, 0, 7, "c2onb239v5" }, /* 128 */ + { 0x10, 130, 0, 7, "c2pnb272w1" }, /* 129 */ + { 0x11, 131, 0, 7, "c2pnb304w1" }, /* 130 */ + { 0x12, 132, 0, 7, "c2tnb359v1" }, /* 131 */ + { 0x13, 133, 0, 7, "c2pnb368w1" }, /* 132 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 133 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 134 */ + { 0x01, 136, 0, 7, "prime192v1" }, /* 135 */ + { 0x02, 137, 0, 7, "prime192v2" }, /* 136 */ + { 0x03, 138, 0, 7, "prime192v3" }, /* 137 */ + { 0x04, 139, 0, 7, "prime239v1" }, /* 138 */ + { 0x05, 140, 0, 7, "prime239v2" }, /* 139 */ + { 0x06, 141, 0, 7, "prime239v3" }, /* 140 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 141 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 142 */ + { 0x01, 144, 0, 6, "ecdsa-with-SHA1" }, /* 143 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 144 */ + { 0x01, 146, 0, 7, "ecdsa-with-SHA224" }, /* 145 */ + { 0x02, 147, 0, 7, "ecdsa-with-SHA256" }, /* 146 */ + { 0x03, 148, 0, 7, "ecdsa-with-SHA384" }, /* 147 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 148 */ + {0x2B, 249, 1, 0, "" }, /* 149 */ + { 0x06, 202, 1, 1, "dod" }, /* 150 */ + { 0x01, 0, 1, 2, "internet" }, /* 151 */ + { 0x04, 170, 1, 3, "private" }, /* 152 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 153 */ + { 0x82, 163, 1, 5, "" }, /* 154 */ + { 0x37, 0, 1, 6, "Microsoft" }, /* 155 */ + { 0x0A, 160, 1, 7, "" }, /* 156 */ + { 0x03, 0, 1, 8, "" }, /* 157 */ + { 0x03, 159, 0, 9, "msSGC" }, /* 158 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 159 */ + { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 160 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 161 */ + { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 162 */ + { 0x89, 0, 1, 5, "" }, /* 163 */ + { 0x31, 0, 1, 6, "" }, /* 164 */ + { 0x01, 0, 1, 7, "" }, /* 165 */ + { 0x01, 0, 1, 8, "" }, /* 166 */ + { 0x02, 0, 1, 9, "" }, /* 167 */ + { 0x02, 169, 0, 10, "" }, /* 168 */ + { 0x4B, 0, 0, 10, "TCGID" }, /* 169 */ + { 0x05, 0, 1, 3, "security" }, /* 170 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 171 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 172 */ + { 0x01, 175, 1, 6, "id-pe" }, /* 173 */ + { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 174 */ + { 0x03, 185, 1, 6, "id-kp" }, /* 175 */ + { 0x01, 177, 0, 7, "serverAuth" }, /* 176 */ + { 0x02, 178, 0, 7, "clientAuth" }, /* 177 */ + { 0x03, 179, 0, 7, "codeSigning" }, /* 178 */ + { 0x04, 180, 0, 7, "emailProtection" }, /* 179 */ + { 0x05, 181, 0, 7, "ipsecEndSystem" }, /* 180 */ + { 0x06, 182, 0, 7, "ipsecTunnel" }, /* 181 */ + { 0x07, 183, 0, 7, "ipsecUser" }, /* 182 */ + { 0x08, 184, 0, 7, "timeStamping" }, /* 183 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 184 */ + { 0x08, 187, 1, 6, "id-otherNames" }, /* 185 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 186 */ + { 0x0A, 192, 1, 6, "id-aca" }, /* 187 */ + { 0x01, 189, 0, 7, "authenticationInfo" }, /* 188 */ + { 0x02, 190, 0, 7, "accessIdentity" }, /* 189 */ + { 0x03, 191, 0, 7, "chargingIdentity" }, /* 190 */ + { 0x04, 0, 0, 7, "group" }, /* 191 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 192 */ + { 0x01, 201, 1, 7, "ocsp" }, /* 193 */ + { 0x01, 195, 0, 8, "basic" }, /* 194 */ + { 0x02, 196, 0, 8, "nonce" }, /* 195 */ + { 0x03, 197, 0, 8, "crl" }, /* 196 */ + { 0x04, 198, 0, 8, "response" }, /* 197 */ + { 0x05, 199, 0, 8, "noCheck" }, /* 198 */ + { 0x06, 200, 0, 8, "archiveCutoff" }, /* 199 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 200 */ + { 0x02, 0, 0, 7, "caIssuers" }, /* 201 */ + { 0x0E, 208, 1, 1, "oiw" }, /* 202 */ + { 0x03, 0, 1, 2, "secsig" }, /* 203 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 204 */ + { 0x07, 206, 0, 4, "des-cbc" }, /* 205 */ + { 0x1A, 207, 0, 4, "sha-1" }, /* 206 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 207 */ + { 0x24, 215, 1, 1, "TeleTrusT" }, /* 208 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 209 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 210 */ + { 0x01, 0, 1, 4, "rsaSignature" }, /* 211 */ + { 0x02, 213, 0, 5, "rsaSigWithripemd160" }, /* 212 */ + { 0x03, 214, 0, 5, "rsaSigWithripemd128" }, /* 213 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 214 */ + { 0x81, 0, 1, 1, "" }, /* 215 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 216 */ + { 0x00, 0, 1, 3, "curve" }, /* 217 */ + { 0x01, 219, 0, 4, "sect163k1" }, /* 218 */ + { 0x02, 220, 0, 4, "sect163r1" }, /* 219 */ + { 0x03, 221, 0, 4, "sect239k1" }, /* 220 */ + { 0x04, 222, 0, 4, "sect113r1" }, /* 221 */ + { 0x05, 223, 0, 4, "sect113r2" }, /* 222 */ + { 0x06, 224, 0, 4, "secp112r1" }, /* 223 */ + { 0x07, 225, 0, 4, "secp112r2" }, /* 224 */ + { 0x08, 226, 0, 4, "secp160r1" }, /* 225 */ + { 0x09, 227, 0, 4, "secp160k1" }, /* 226 */ + { 0x0A, 228, 0, 4, "secp256k1" }, /* 227 */ + { 0x0F, 229, 0, 4, "sect163r2" }, /* 228 */ + { 0x10, 230, 0, 4, "sect283k1" }, /* 229 */ + { 0x11, 231, 0, 4, "sect283r1" }, /* 230 */ + { 0x16, 232, 0, 4, "sect131r1" }, /* 231 */ + { 0x17, 233, 0, 4, "sect131r2" }, /* 232 */ + { 0x18, 234, 0, 4, "sect193r1" }, /* 233 */ + { 0x19, 235, 0, 4, "sect193r2" }, /* 234 */ + { 0x1A, 236, 0, 4, "sect233k1" }, /* 235 */ + { 0x1B, 237, 0, 4, "sect233r1" }, /* 236 */ + { 0x1C, 238, 0, 4, "secp128r1" }, /* 237 */ + { 0x1D, 239, 0, 4, "secp128r2" }, /* 238 */ + { 0x1E, 240, 0, 4, "secp160r2" }, /* 239 */ + { 0x1F, 241, 0, 4, "secp192k1" }, /* 240 */ + { 0x20, 242, 0, 4, "secp224k1" }, /* 241 */ + { 0x21, 243, 0, 4, "secp224r1" }, /* 242 */ + { 0x22, 244, 0, 4, "secp384r1" }, /* 243 */ + { 0x23, 245, 0, 4, "secp521r1" }, /* 244 */ + { 0x24, 246, 0, 4, "sect409k1" }, /* 245 */ + { 0x25, 247, 0, 4, "sect409r1" }, /* 246 */ + { 0x26, 248, 0, 4, "sect571k1" }, /* 247 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 248 */ + {0x60, 0, 1, 0, "" }, /* 249 */ + { 0x86, 0, 1, 1, "" }, /* 250 */ + { 0x48, 0, 1, 2, "" }, /* 251 */ + { 0x01, 295, 1, 3, "organization" }, /* 252 */ + { 0x65, 271, 1, 4, "gov" }, /* 253 */ + { 0x03, 0, 1, 5, "csor" }, /* 254 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 255 */ + { 0x01, 266, 1, 7, "aes" }, /* 256 */ + { 0x02, 258, 0, 8, "id-aes128-CBC" }, /* 257 */ + { 0x06, 259, 0, 8, "id-aes128-GCM" }, /* 258 */ + { 0x07, 260, 0, 8, "id-aes128-CCM" }, /* 259 */ + { 0x16, 261, 0, 8, "id-aes192-CBC" }, /* 260 */ + { 0x1A, 262, 0, 8, "id-aes192-GCM" }, /* 261 */ + { 0x1B, 263, 0, 8, "id-aes192-CCM" }, /* 262 */ + { 0x2A, 264, 0, 8, "id-aes256-CBC" }, /* 263 */ + { 0x2E, 265, 0, 8, "id-aes256-GCM" }, /* 264 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 265 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 266 */ + { 0x01, 268, 0, 8, "id-SHA-256" }, /* 267 */ + { 0x02, 269, 0, 8, "id-SHA-384" }, /* 268 */ + { 0x03, 270, 0, 8, "id-SHA-512" }, /* 269 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 270 */ + { 0x86, 0, 1, 4, "" }, /* 271 */ + { 0xf8, 0, 1, 5, "" }, /* 272 */ + { 0x42, 285, 1, 6, "netscape" }, /* 273 */ + { 0x01, 280, 1, 7, "" }, /* 274 */ + { 0x01, 276, 0, 8, "nsCertType" }, /* 275 */ + { 0x03, 277, 0, 8, "nsRevocationUrl" }, /* 276 */ + { 0x04, 278, 0, 8, "nsCaRevocationUrl" }, /* 277 */ + { 0x08, 279, 0, 8, "nsCaPolicyUrl" }, /* 278 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 279 */ + { 0x03, 283, 1, 7, "directory" }, /* 280 */ + { 0x01, 0, 1, 8, "" }, /* 281 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 282 */ + { 0x04, 0, 1, 7, "policy" }, /* 283 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 284 */ + { 0x45, 0, 1, 6, "verisign" }, /* 285 */ + { 0x01, 0, 1, 7, "pki" }, /* 286 */ + { 0x09, 0, 1, 8, "attributes" }, /* 287 */ + { 0x02, 289, 0, 9, "messageType" }, /* 288 */ + { 0x03, 290, 0, 9, "pkiStatus" }, /* 289 */ + { 0x04, 291, 0, 9, "failInfo" }, /* 290 */ + { 0x05, 292, 0, 9, "senderNonce" }, /* 291 */ + { 0x06, 293, 0, 9, "recipientNonce" }, /* 292 */ + { 0x07, 294, 0, 9, "transID" }, /* 293 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 294 */ + { 0x86, 0, 1, 3, "old-netscape" }, /* 295 */ + { 0xF7, 0, 1, 4, "" }, /* 296 */ + { 0x0D, 0, 1, 5, "" }, /* 297 */ + { 0x01, 0, 1, 6, "" }, /* 298 */ + { 0x09, 0, 1, 7, "" }, /* 299 */ + { 0x01, 301, 0, 8, "emailAddress" }, /* 300 */ + { 0x02, 0, 0, 8, "unstructuredName" } /* 301 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 477789b62..b7241af8d 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -60,126 +60,131 @@ extern const oid_t oid_names[]; #define OID_SHA256_WITH_RSA 81 #define OID_SHA384_WITH_RSA 82 #define OID_SHA512_WITH_RSA 83 -#define OID_PKCS7_DATA 85 -#define OID_PKCS7_SIGNED_DATA 86 -#define OID_PKCS7_ENVELOPED_DATA 87 -#define OID_PKCS7_SIGNED_ENVELOPED_DATA 88 -#define OID_PKCS7_DIGESTED_DATA 89 -#define OID_PKCS7_ENCRYPTED_DATA 90 -#define OID_PKCS9_EMAIL 92 -#define OID_PKCS9_CONTENT_TYPE 94 -#define OID_PKCS9_MESSAGE_DIGEST 95 -#define OID_PKCS9_SIGNING_TIME 96 -#define OID_MD2 103 -#define OID_MD5 104 -#define OID_3DES_EDE_CBC 106 -#define OID_EC_PUBLICKEY 110 -#define OID_C2PNB163V1 113 -#define OID_C2PNB163V2 114 -#define OID_C2PNB163V3 115 -#define OID_C2PNB176W1 116 -#define OID_C2PNB191V1 117 -#define OID_C2PNB191V2 118 -#define OID_C2PNB191V3 119 -#define OID_C2PNB191V4 120 -#define OID_C2PNB191V5 121 -#define OID_C2PNB208W1 122 -#define OID_C2PNB239V1 123 -#define OID_C2PNB239V2 124 -#define OID_C2PNB239V3 125 -#define OID_C2PNB239V4 126 -#define OID_C2PNB239V5 127 -#define OID_C2PNB272W1 128 -#define OID_C2PNB304W1 129 -#define OID_C2PNB359V1 130 -#define OID_C2PNB368W1 131 -#define OID_C2PNB431R1 132 -#define OID_PRIME192V1 134 -#define OID_PRIME192V2 135 -#define OID_PRIME192V3 136 -#define OID_PRIME239V1 137 -#define OID_PRIME239V2 138 -#define OID_PRIME239V3 139 -#define OID_PRIME256V1 140 -#define OID_ECDSA_WITH_SHA1 142 -#define OID_TCGID 163 -#define OID_AUTHORITY_INFO_ACCESS 168 -#define OID_OCSP_SIGNING 178 -#define OID_XMPP_ADDR 180 -#define OID_AUTHENTICATION_INFO 182 -#define OID_ACCESS_IDENTITY 183 -#define OID_CHARGING_IDENTITY 184 -#define OID_GROUP 185 -#define OID_OCSP 187 -#define OID_BASIC 188 -#define OID_NONCE 189 -#define OID_CRL 190 -#define OID_RESPONSE 191 -#define OID_NO_CHECK 192 -#define OID_ARCHIVE_CUTOFF 193 -#define OID_SERVICE_LOCATOR 194 -#define OID_CA_ISSUERS 195 -#define OID_DES_CBC 199 -#define OID_SHA1 200 -#define OID_SHA1_WITH_RSA_OIW 201 -#define OID_SECT163K1 212 -#define OID_SECT163R1 213 -#define OID_SECT239K1 214 -#define OID_SECT113R1 215 -#define OID_SECT113R2 216 -#define OID_SECT112R1 217 -#define OID_SECT112R2 218 -#define OID_SECT160R1 219 -#define OID_SECT160K1 220 -#define OID_SECT256K1 221 -#define OID_SECT163R2 222 -#define OID_SECT283K1 223 -#define OID_SECT283R1 224 -#define OID_SECT131R1 225 -#define OID_SECT131R2 226 -#define OID_SECT193R1 227 -#define OID_SECT193R2 228 -#define OID_SECT233K1 229 -#define OID_SECT233R1 230 -#define OID_SECT128R1 231 -#define OID_SECT128R2 232 -#define OID_SECT160R2 233 -#define OID_SECT192K1 234 -#define OID_SECT224K1 235 -#define OID_SECT224R1 236 -#define OID_SECT384R1 237 -#define OID_SECT521R1 238 -#define OID_SECT409K1 239 -#define OID_SECT409R1 240 -#define OID_SECT571K1 241 -#define OID_SECT571R1 242 -#define OID_AES128_CBC 251 -#define OID_AES128_GCM 252 -#define OID_AES128_CCM 253 -#define OID_AES192_CBC 254 -#define OID_AES192_GCM 255 -#define OID_AES192_CCM 256 -#define OID_AES256_CBC 257 -#define OID_AES256_GCM 258 -#define OID_AES256_CCM 259 -#define OID_SHA256 261 -#define OID_SHA384 262 -#define OID_SHA512 263 -#define OID_SHA224 264 -#define OID_NS_REVOCATION_URL 270 -#define OID_NS_CA_REVOCATION_URL 271 -#define OID_NS_CA_POLICY_URL 272 -#define OID_NS_COMMENT 273 -#define OID_EMPLOYEE_NUMBER 276 -#define OID_PKI_MESSAGE_TYPE 282 -#define OID_PKI_STATUS 283 -#define OID_PKI_FAIL_INFO 284 -#define OID_PKI_SENDER_NONCE 285 -#define OID_PKI_RECIPIENT_NONCE 286 -#define OID_PKI_TRANS_ID 287 -#define OID_EMAIL_ADDRESS 294 -#define OID_UNSTRUCTURED_NAME 295 +#define OID_SHA224_WITH_RSA 84 +#define OID_PKCS7_DATA 86 +#define OID_PKCS7_SIGNED_DATA 87 +#define OID_PKCS7_ENVELOPED_DATA 88 +#define OID_PKCS7_SIGNED_ENVELOPED_DATA 89 +#define OID_PKCS7_DIGESTED_DATA 90 +#define OID_PKCS7_ENCRYPTED_DATA 91 +#define OID_PKCS9_EMAIL 93 +#define OID_PKCS9_CONTENT_TYPE 95 +#define OID_PKCS9_MESSAGE_DIGEST 96 +#define OID_PKCS9_SIGNING_TIME 97 +#define OID_MD2 104 +#define OID_MD5 105 +#define OID_3DES_EDE_CBC 107 +#define OID_EC_PUBLICKEY 111 +#define OID_C2PNB163V1 114 +#define OID_C2PNB163V2 115 +#define OID_C2PNB163V3 116 +#define OID_C2PNB176W1 117 +#define OID_C2PNB191V1 118 +#define OID_C2PNB191V2 119 +#define OID_C2PNB191V3 120 +#define OID_C2PNB191V4 121 +#define OID_C2PNB191V5 122 +#define OID_C2PNB208W1 123 +#define OID_C2PNB239V1 124 +#define OID_C2PNB239V2 125 +#define OID_C2PNB239V3 126 +#define OID_C2PNB239V4 127 +#define OID_C2PNB239V5 128 +#define OID_C2PNB272W1 129 +#define OID_C2PNB304W1 130 +#define OID_C2PNB359V1 131 +#define OID_C2PNB368W1 132 +#define OID_C2PNB431R1 133 +#define OID_PRIME192V1 135 +#define OID_PRIME192V2 136 +#define OID_PRIME192V3 137 +#define OID_PRIME239V1 138 +#define OID_PRIME239V2 139 +#define OID_PRIME239V3 140 +#define OID_PRIME256V1 141 +#define OID_ECDSA_WITH_SHA1 143 +#define OID_ECDSA_WITH_SHA224 145 +#define OID_ECDSA_WITH_SHA256 146 +#define OID_ECDSA_WITH_SHA384 147 +#define OID_ECDSA_WITH_SHA512 148 +#define OID_TCGID 169 +#define OID_AUTHORITY_INFO_ACCESS 174 +#define OID_OCSP_SIGNING 184 +#define OID_XMPP_ADDR 186 +#define OID_AUTHENTICATION_INFO 188 +#define OID_ACCESS_IDENTITY 189 +#define OID_CHARGING_IDENTITY 190 +#define OID_GROUP 191 +#define OID_OCSP 193 +#define OID_BASIC 194 +#define OID_NONCE 195 +#define OID_CRL 196 +#define OID_RESPONSE 197 +#define OID_NO_CHECK 198 +#define OID_ARCHIVE_CUTOFF 199 +#define OID_SERVICE_LOCATOR 200 +#define OID_CA_ISSUERS 201 +#define OID_DES_CBC 205 +#define OID_SHA1 206 +#define OID_SHA1_WITH_RSA_OIW 207 +#define OID_SECT163K1 218 +#define OID_SECT163R1 219 +#define OID_SECT239K1 220 +#define OID_SECT113R1 221 +#define OID_SECT113R2 222 +#define OID_SECT112R1 223 +#define OID_SECT112R2 224 +#define OID_SECT160R1 225 +#define OID_SECT160K1 226 +#define OID_SECT256K1 227 +#define OID_SECT163R2 228 +#define OID_SECT283K1 229 +#define OID_SECT283R1 230 +#define OID_SECT131R1 231 +#define OID_SECT131R2 232 +#define OID_SECT193R1 233 +#define OID_SECT193R2 234 +#define OID_SECT233K1 235 +#define OID_SECT233R1 236 +#define OID_SECT128R1 237 +#define OID_SECT128R2 238 +#define OID_SECT160R2 239 +#define OID_SECT192K1 240 +#define OID_SECT224K1 241 +#define OID_SECT224R1 242 +#define OID_SECT384R1 243 +#define OID_SECT521R1 244 +#define OID_SECT409K1 245 +#define OID_SECT409R1 246 +#define OID_SECT571K1 247 +#define OID_SECT571R1 248 +#define OID_AES128_CBC 257 +#define OID_AES128_GCM 258 +#define OID_AES128_CCM 259 +#define OID_AES192_CBC 260 +#define OID_AES192_GCM 261 +#define OID_AES192_CCM 262 +#define OID_AES256_CBC 263 +#define OID_AES256_GCM 264 +#define OID_AES256_CCM 265 +#define OID_SHA256 267 +#define OID_SHA384 268 +#define OID_SHA512 269 +#define OID_SHA224 270 +#define OID_NS_REVOCATION_URL 276 +#define OID_NS_CA_REVOCATION_URL 277 +#define OID_NS_CA_POLICY_URL 278 +#define OID_NS_COMMENT 279 +#define OID_EMPLOYEE_NUMBER 282 +#define OID_PKI_MESSAGE_TYPE 288 +#define OID_PKI_STATUS 289 +#define OID_PKI_FAIL_INFO 290 +#define OID_PKI_SENDER_NONCE 291 +#define OID_PKI_RECIPIENT_NONCE 292 +#define OID_PKI_TRANS_ID 293 +#define OID_EMAIL_ADDRESS 300 +#define OID_UNSTRUCTURED_NAME 301 -#define OID_MAX 296 +#define OID_MAX 302 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 1514f179f..5adca6289 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -82,6 +82,7 @@ 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA + 0x0E "sha224WithRSAEncryption" OID_SHA224_WITH_RSA 0x07 "PKCS-7" 0x01 "data" OID_PKCS7_DATA 0x02 "signedData" OID_PKCS7_SIGNED_DATA @@ -141,6 +142,11 @@ 0x07 "prime256v1" OID_PRIME256V1 0x04 "id-ecSigType" 0x01 "ecdsa-with-SHA1" OID_ECDSA_WITH_SHA1 + 0x03 "ecdsa-with-Specified" + 0x01 "ecdsa-with-SHA224" OID_ECDSA_WITH_SHA224 + 0x02 "ecdsa-with-SHA256" OID_ECDSA_WITH_SHA256 + 0x03 "ecdsa-with-SHA384" OID_ECDSA_WITH_SHA384 + 0x04 "ecdsa-with-SHA512" OID_ECDSA_WITH_SHA512 0x2B "" 0x06 "dod" 0x01 "internet" diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index c9c181f87..40a93e21a 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -19,6 +19,7 @@ #include <sys/stat.h> #include <unistd.h> #include <errno.h> +#include <ctype.h> #include "chunk.h" @@ -442,6 +443,32 @@ int chunk_compare(chunk_t a, chunk_t b) }; /** + * Remove non-printable characters from a chunk. + */ +bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace) +{ + bool printable = TRUE; + int i; + + if (sane) + { + *sane = chunk_clone(chunk); + } + for (i = 0; i < chunk.len; i++) + { + if (!isprint(chunk.ptr[i])) + { + if (sane) + { + sane->ptr[i] = replace; + } + printable = FALSE; + } + } + return printable; +} + +/** * Described in header. * * The implementation is based on Paul Hsieh's SuperFastHash: diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index 3d8c360c5..66c3f26a2 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h @@ -26,6 +26,9 @@ #include <string.h> #include <stdarg.h> #include <sys/types.h> +#ifdef HAVE_ALLOCA_H +#include <alloca.h> +#endif typedef struct chunk_t chunk_t; @@ -83,8 +86,9 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...); void chunk_split(chunk_t chunk, const char *mode, ...); /** - * Write the binary contents of a chunk_t to a file - * + * Write the binary contents of a chunk_t to a file + * + * @param chunk contents to write to file * @param path path where file is written to * @param label label specifying file type * @param mask file mode creation mask @@ -99,6 +103,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force * The resulting string is '\\0' terminated, but the chunk does not include * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1). * + * @param chunk data to convert to hex encoding * @param buf buffer to write to, NULL to malloc * @param uppercase TRUE to use uppercase letters * @return chunk of encoded data @@ -232,6 +237,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b) } /** + * Check if a chunk has printable characters only. + * + * If sane is given, chunk is cloned into sane and all non printable characters + * get replaced by "replace". + * + * @param chunk chunk to check for printability + * @param sane pointer where sane version is allocated, or NULL + * @param replace character to use for replaceing unprintable characters + * @return TRUE if all characters in chunk are printable + */ +bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace); + +/** * Computes a 32 bit hash of the given chunk. * Note: This hash is only intended for hash tables not for cryptographic purposes. */ diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c index 2e9a541d4..e55df0398 100644 --- a/src/libstrongswan/credentials/credential_factory.c +++ b/src/libstrongswan/credentials/credential_factory.c @@ -234,7 +234,7 @@ credential_factory_t *credential_factory_create() this->constructors = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index c94c27f0a..a5f547038 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -28,6 +28,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, "RSA_EMSA_PKCS1_NULL", "RSA_EMSA_PKCS1_MD5", "RSA_EMSA_PKCS1_SHA1", + "RSA_EMSA_PKCS1_SHA224", "RSA_EMSA_PKCS1_SHA256", "RSA_EMSA_PKCS1_SHA384", "RSA_EMSA_PKCS1_SHA512", @@ -51,6 +52,9 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_SHA1_WITH_RSA: case OID_SHA1: return SIGN_RSA_EMSA_PKCS1_SHA1; + case OID_SHA224_WITH_RSA: + case OID_SHA224: + return SIGN_RSA_EMSA_PKCS1_SHA224; case OID_SHA256_WITH_RSA: case OID_SHA256: return SIGN_RSA_EMSA_PKCS1_SHA256; @@ -63,6 +67,12 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_ECDSA_WITH_SHA1: case OID_EC_PUBLICKEY: return SIGN_ECDSA_WITH_SHA1; + case OID_ECDSA_WITH_SHA256: + return SIGN_ECDSA_256; + case OID_ECDSA_WITH_SHA384: + return SIGN_ECDSA_384; + case OID_ECDSA_WITH_SHA512: + return SIGN_ECDSA_521; default: return SIGN_UNKNOWN; } diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index c58531b73..be5f3bde6 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -66,6 +66,8 @@ enum signature_scheme_t { SIGN_RSA_EMSA_PKCS1_MD5, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1 */ SIGN_RSA_EMSA_PKCS1_SHA1, + /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224 */ + SIGN_RSA_EMSA_PKCS1_SHA224, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256 */ SIGN_RSA_EMSA_PKCS1_SHA256, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384 */ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index fea8d0793..e928e8cdf 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -746,7 +746,7 @@ crypto_factory_t *crypto_factory_create() this->prfs = linked_list_create(); this->rngs = linked_list_create(); this->dhs = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->tester = crypto_tester_create(); this->test_on_add = lib->settings->get_bool(lib->settings, "libstrongswan.crypto_test.on_add", FALSE); diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index b0b5aa969..4d13474a1 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this, crypter->destroy(crypter); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", encryption_algorithm_names, alg, tested); break; } @@ -151,7 +151,7 @@ static bool test_crypter(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", encryption_algorithm_names, alg, tested); } return !failed; @@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this, signer->destroy(signer); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", integrity_algorithm_names, alg, tested); break; } @@ -255,7 +255,7 @@ static bool test_signer(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", integrity_algorithm_names, alg, tested); } return !failed; @@ -330,8 +330,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, hasher->destroy(hasher); if (failed) { - DBG1("disabled %N: test vector %d failed", - hash_algorithm_names, alg), tested; + DBG1("disabled %N: test vector %u failed", + hash_algorithm_names, alg, tested); break; } } @@ -345,7 +345,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", hash_algorithm_names, alg, tested); } return !failed; @@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this, prf->destroy(prf); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", pseudo_random_function_names, alg, tested); break; } @@ -446,7 +446,7 @@ static bool test_prf(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", pseudo_random_function_names, alg, tested); } return !failed; @@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, rng->destroy(rng); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", rng_quality_names, quality, tested); break; } @@ -530,7 +530,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", rng_quality_names, quality, tested); } return !failed; diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index c58c2ad42..4d6904e47 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -26,6 +26,7 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512, "HASH_MD4", "HASH_MD5", "HASH_SHA1", + "HASH_SHA224", "HASH_SHA256", "HASH_SHA384", "HASH_SHA512" @@ -47,6 +48,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid) case OID_SHA1: case OID_SHA1_WITH_RSA: return HASH_SHA1; + case OID_SHA224: + case OID_SHA224_WITH_RSA: + return HASH_SHA224; case OID_SHA256: case OID_SHA256_WITH_RSA: return HASH_SHA256; @@ -79,6 +83,9 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA1: oid = OID_SHA1; break; + case HASH_SHA224: + oid = OID_SHA224; + break; case HASH_SHA256: oid = OID_SHA256; break; @@ -112,6 +119,9 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA1: oid = OID_SHA1_WITH_RSA; break; + case HASH_SHA224: + oid = OID_SHA224_WITH_RSA; + break; case HASH_SHA256: oid = OID_SHA256_WITH_RSA; break; diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 098739fa3..6deed37ab 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -40,15 +40,17 @@ enum hash_algorithm_t { HASH_MD4 = 3, HASH_MD5 = 4, HASH_SHA1 = 5, - HASH_SHA256 = 6, - HASH_SHA384 = 7, - HASH_SHA512 = 8 + HASH_SHA224 = 6, + HASH_SHA256 = 7, + HASH_SHA384 = 8, + HASH_SHA512 = 9 }; #define HASH_SIZE_MD2 16 #define HASH_SIZE_MD4 16 #define HASH_SIZE_MD5 16 #define HASH_SIZE_SHA1 20 +#define HASH_SIZE_SHA224 28 #define HASH_SIZE_SHA256 32 #define HASH_SIZE_SHA384 48 #define HASH_SIZE_SHA512 64 diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c index 76e0a4e89..ef6927874 100644 --- a/src/libstrongswan/database/database_factory.c +++ b/src/libstrongswan/database/database_factory.c @@ -110,7 +110,7 @@ database_factory_t *database_factory_create() this->public.destroy = (void(*)(database_factory_t*))destroy; this->databases = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c index a30012bb1..1f87412c8 100644 --- a/src/libstrongswan/fetcher/fetcher_manager.c +++ b/src/libstrongswan/fetcher/fetcher_manager.c @@ -201,7 +201,7 @@ fetcher_manager_t *fetcher_manager_create() this->public.destroy = (void(*)(fetcher_manager_t*))destroy; this->fetchers = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am deleted file mode 100644 index 22a35701b..000000000 --- a/src/libstrongswan/fips/Makefile.am +++ /dev/null @@ -1,19 +0,0 @@ -noinst_PROGRAMS = fips_signer -fips_signer_SOURCES = fips_signer.c -fips_signer_LDADD = ../libstrongswan.la - -BUILT_SOURCES = fips_signature.h -CLEANFILES = fips_signature.h fips_signer -INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ - -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" -if USE_SHA1 - AM_CFLAGS += -DUSE_SHA1 -endif - -if USE_OPENSSL - AM_CFLAGS += -DUSE_OPENSSL -endif - -fips_signature.h : fips_signer - ./fips_signer diff --git a/src/libstrongswan/fips/Makefile.in b/src/libstrongswan/fips/Makefile.in deleted file mode 100644 index cdced9423..000000000 --- a/src/libstrongswan/fips/Makefile.in +++ /dev/null @@ -1,484 +0,0 @@ -# Makefile.in generated by automake 1.10.2 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -noinst_PROGRAMS = fips_signer$(EXEEXT) -@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1 -@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL -subdir = src/libstrongswan/fips -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_CLEAN_FILES = -PROGRAMS = $(noinst_PROGRAMS) -am_fips_signer_OBJECTS = fips_signer.$(OBJEXT) -fips_signer_OBJECTS = $(am_fips_signer_OBJECTS) -fips_signer_DEPENDENCIES = ../libstrongswan.la -DEFAULT_INCLUDES = -I.@am__isrc@ -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ -SOURCES = $(fips_signer_SOURCES) -DIST_SOURCES = $(fips_signer_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GPERF = @GPERF@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@ -IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ -LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ -LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LINUX_HEADERS = @LINUX_HEADERS@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MKDIR_P = @MKDIR_P@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -RANLIB = @RANLIB@ -RUBY = @RUBY@ -RUBYINCLUDE = @RUBYINCLUDE@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -confdir = @confdir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipsecuser = @ipsecuser@ -libdir = @libdir@ -libexecdir = @libexecdir@ -libstrongswan_plugins = @libstrongswan_plugins@ -linuxdir = @linuxdir@ -localedir = @localedir@ -localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -piddir = @piddir@ -plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -resolv_conf = @resolv_conf@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -simreader = @simreader@ -srcdir = @srcdir@ -strongswan_conf = @strongswan_conf@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -fips_signer_SOURCES = fips_signer.c -fips_signer_LDADD = ../libstrongswan.la -BUILT_SOURCES = fips_signature.h -CLEANFILES = fips_signature.h fips_signer -INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ - -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \ - $(am__append_1) $(am__append_2) -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) - @rm -f fips_signer$(EXEEXT) - $(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< - -.c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ - fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(PROGRAMS) -installdirs: -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -info: info-am - -info-am: - -install-data-am: - -install-dvi: install-dvi-am - -install-exec-am: - -install-html: install-html-am - -install-info: install-info-am - -install-man: - -install-pdf: install-pdf-am - -install-ps: install-ps-am - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am - - -fips_signature.h : fips_signer - ./fips_signer -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c deleted file mode 100644 index d2296e5e9..000000000 --- a/src/libstrongswan/fips/fips.c +++ /dev/null @@ -1,96 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> - -#include <debug.h> -#include <crypto/signers/signer.h> -#include "fips.h" - -extern const u_char FIPS_rodata_start[]; -extern const u_char FIPS_rodata_end[]; -extern const void *FIPS_text_start(); -extern const void *FIPS_text_end(); - -/** - * Described in header - */ -bool fips_compute_hmac_signature(const char *key, char *signature) -{ - u_char *text_start = (u_char *)FIPS_text_start(); - u_char *text_end = (u_char *)FIPS_text_end(); - size_t text_len, rodata_len; - signer_t *signer; - - if (text_start > text_end) - { - DBG1(" TEXT start (%p) > TEXT end (%p", - text_start, text_end); - return FALSE; - } - text_len = text_end - text_start; - DBG1(" TEXT: %p + %6d = %p", - text_start, (int)text_len, text_end); - - if (FIPS_rodata_start > FIPS_rodata_end) - { - DBG1(" RODATA start (%p) > RODATA end (%p", - FIPS_rodata_start, FIPS_rodata_end); - return FALSE; - } - rodata_len = FIPS_rodata_end - FIPS_rodata_start; - DBG1(" RODATA: %p + %6d = %p", - FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end); - - signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128); - if (signer == NULL) - { - DBG1(" SHA-1 HMAC signer could not be created"); - return FALSE; - } - else - { - chunk_t hmac_key = { (u_char *)key, strlen(key) }; - chunk_t text_chunk = { text_start, text_len }; - chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len }; - chunk_t signature_chunk = chunk_empty; - - signer->set_key(signer, hmac_key); - signer->allocate_signature(signer, text_chunk, NULL); - signer->allocate_signature(signer, rodata_chunk, &signature_chunk); - signer->destroy(signer); - - sprintf(signature, "%#B", &signature_chunk); - DBG1(" SHA-1 HMAC key: %s", key); - DBG1(" SHA-1 HMAC sig: %s", signature); - free(signature_chunk.ptr); - return TRUE; - } -} - -/** - * Described in header - */ -bool fips_verify_hmac_signature(const char *key, - const char *signature) -{ - char current_signature[BUF_LEN]; - - if (!fips_compute_hmac_signature(key, current_signature)) - { - return FALSE; - } - return streq(signature, current_signature); -} diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h deleted file mode 100644 index aae18e3b2..000000000 --- a/src/libstrongswan/fips/fips.h +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup fips1 fips - * @{ @ingroup fips - */ - -#ifndef FIPS_H_ -#define FIPS_H_ - -#include <library.h> - -/** - * compute HMAC signature over RODATA and TEXT sections of libstrongswan - * - * @param key key used for HMAC signature in ASCII string format - * @param signature HMAC signature in HEX string format - * @return TRUE if HMAC signature computation was successful - */ -bool fips_compute_hmac_signature(const char *key, char *signature); - -/** - * verify HMAC signature over RODATA and TEXT sections of libstrongswan - * - * @param key key used for HMAC signature in ASCII string format - * @param signature signature value from fips_signature.h in HEX string format - * @return TRUE if signatures agree - */ -bool fips_verify_hmac_signature(const char *key, const char *signature); - -#endif /** FIPS_H_ @}*/ diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c deleted file mode 100644 index 247d48927..000000000 --- a/src/libstrongswan/fips/fips_canister_end.c +++ /dev/null @@ -1,166 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - -#define FIPS_ref_point FIPS_text_end -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_end[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b }; - - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ - void *ret = NULL; - -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl .+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# undef INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c deleted file mode 100644 index 4a5528a94..000000000 --- a/src/libstrongswan/fips/fips_canister_start.c +++ /dev/null @@ -1,167 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - - -#define FIPS_ref_point FIPS_text_start -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_start[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 }; - - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ - void *ret = NULL; - -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl .+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# undef INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c deleted file mode 100644 index 6f5fdcecf..000000000 --- a/src/libstrongswan/fips/fips_signer.c +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> - -#include <crypto/hashers/hasher.h> -#include "fips.h" - -int main(int argc, char* argv[]) -{ - FILE *f; - char *hmac_key = "strongSwan Version " VERSION; - char hmac_signature[BUF_LEN]; - - /* initialize library */ - library_init(STRONGSWAN_CONF); -#ifdef USE_SHA1 - lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1"); -#endif -#ifdef USE_OPENSSL - lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl"); -#endif - lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac"); - - if (!fips_compute_hmac_signature(hmac_key, hmac_signature)) - { - exit(1); - } - - /** - * write computed HMAC signature to fips_signature.h - */ - f = fopen("fips_signature.h", "wt"); - - if (f == NULL) - { - exit(1); - } - fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n"); - fprintf(f, " *\n"); - fprintf(f, " * This file has been automatically generated by fips_signer\n"); - fprintf(f, " * Do not edit manually!\n"); - fprintf(f, " */\n"); - fprintf(f, "\n"); - fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n"); - fprintf(f, "#define FIPS_SIGNATURE_H_\n"); - fprintf(f, "\n"); - fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key); - fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature); - fprintf(f, "\n"); - fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n"); - fclose(f); - - library_deinit(); - exit(0); -} diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c new file mode 100644 index 000000000..32a296d79 --- /dev/null +++ b/src/libstrongswan/integrity_checker.c @@ -0,0 +1,332 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE + +#include "integrity_checker.h" + +#include <dlfcn.h> +#include <link.h> +#include <fcntl.h> +#include <errno.h> +#include <unistd.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <sys/types.h> + +#include <debug.h> +#include <library.h> + +typedef struct private_integrity_checker_t private_integrity_checker_t; + +/** + * Private data of an integrity_checker_t object. + */ +struct private_integrity_checker_t { + + /** + * Public integrity_checker_t interface. + */ + integrity_checker_t public; + + /** + * dlopen handle to checksum library + */ + void *handle; + + /** + * checksum array + */ + integrity_checksum_t *checksums; + + /** + * number of checksums in array + */ + int checksum_count; +}; + +/** + * Implementation of integrity_checker_t.build_file + */ +static u_int32_t build_file(private_integrity_checker_t *this, char *file, + size_t *len) +{ + u_int32_t checksum; + chunk_t contents; + struct stat sb; + void *addr; + int fd; + + fd = open(file, O_RDONLY); + if (fd == -1) + { + DBG1(" opening '%s' failed: %s", file, strerror(errno)); + return 0; + } + + if (fstat(fd, &sb) == -1) + { + DBG1(" getting file size of '%s' failed: %s", file, strerror(errno)); + close(fd); + return 0; + } + + addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(" mapping '%s' failed: %s", file, strerror(errno)); + close(fd); + return 0; + } + + *len = sb.st_size; + contents = chunk_create(addr, sb.st_size); + checksum = chunk_hash(contents); + + munmap(addr, sb.st_size); + close(fd); + + return checksum; +} + +/** + * dl_iterate_phdr callback function + */ +static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli) +{ + /* We are looking for the dlpi_addr matching the address of our dladdr(). + * dl_iterate_phdr() returns such an address for other (unknown) objects + * in very rare cases (e.g. in a chrooted gentoo, but only if + * the checksum_builder is invoked by 'make'). As a workaround, we filter + * objects by dlpi_name; valid objects have a library name. + */ + if (dli->dli_fbase == (void*)dlpi->dlpi_addr && + dlpi->dlpi_name && *dlpi->dlpi_name) + { + int i; + + for (i = 0; i < dlpi->dlpi_phnum; i++) + { + const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i]; + + /* we are interested in the executable LOAD segment */ + if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X)) + { + /* safe begin of segment in dli_fbase */ + dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr; + /* safe end of segment in dli_saddr */ + dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz; + return 1; + } + } + } + return 0; +} + +/** + * Implementation of integrity_checker_t.build_segment + */ +static u_int32_t build_segment(private_integrity_checker_t *this, void *sym, + size_t *len) +{ + chunk_t segment; + Dl_info dli; + + if (dladdr(sym, &dli) == 0) + { + DBG1(" unable to locate symbol: %s", dlerror()); + return 0; + } + /* we reuse the Dl_info struct as in/out parameter */ + if (!dl_iterate_phdr((void*)callback, &dli)) + { + DBG1(" executable section not found"); + return 0; + } + + segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase); + *len = segment.len; + return chunk_hash(segment); +} + +/** + * Find a checksum by its name + */ +static integrity_checksum_t *find_checksum(private_integrity_checker_t *this, + char *name) +{ + int i; + + for (i = 0; i < this->checksum_count; i++) + { + if (streq(this->checksums[i].name, name)) + { + return &this->checksums[i]; + } + } + return NULL; +} + +/** + * Implementation of integrity_checker_t.check_file + */ +static bool check_file(private_integrity_checker_t *this, + char *name, char *file) +{ + integrity_checksum_t *cs; + u_int32_t sum; + size_t len = 0; + + cs = find_checksum(this, name); + if (!cs) + { + DBG1(" '%s' file checksum not found", name); + return FALSE; + } + sum = build_file(this, file, &len); + if (!sum) + { + return FALSE; + } + if (cs->file_len != len) + { + DBG1(" invalid '%s' file size: %u bytes, expected %u bytes", + name, len, cs->file_len); + return FALSE; + } + if (cs->file != sum) + { + DBG1(" invalid '%s' file checksum: %08x, expected %08x", + name, sum, cs->file); + return FALSE; + } + DBG2(" valid '%s' file checksum: %08x", name, sum); + return TRUE; +} + +/** + * Implementation of integrity_checker_t.check_segment + */ +static bool check_segment(private_integrity_checker_t *this, + char *name, void *sym) +{ + integrity_checksum_t *cs; + u_int32_t sum; + size_t len = 0; + + cs = find_checksum(this, name); + if (!cs) + { + DBG1(" '%s' segment checksum not found", name); + return FALSE; + } + sum = build_segment(this, sym, &len); + if (!sum) + { + return FALSE; + } + if (cs->segment_len != len) + { + DBG1(" invalid '%s' segment size: %u bytes, expected %u bytes", + name, len, cs->segment_len); + return FALSE; + } + if (cs->segment != sum) + { + DBG1(" invalid '%s' segment checksum: %08x, expected %08x", + name, sum, cs->segment); + return FALSE; + } + DBG2(" valid '%s' segment checksum: %08x", name, sum); + return TRUE; +} + +/** + * Implementation of integrity_checker_t.check + */ +static bool check(private_integrity_checker_t *this, char *name, void *sym) +{ + Dl_info dli; + + if (dladdr(sym, &dli) == 0) + { + DBG1("unable to locate symbol: %s", dlerror()); + return FALSE; + } + if (!check_file(this, name, (char*)dli.dli_fname)) + { + return FALSE; + } + if (!check_segment(this, name, sym)) + { + return FALSE; + } + return TRUE; +} + +/** + * Implementation of integrity_checker_t.destroy. + */ +static void destroy(private_integrity_checker_t *this) +{ + if (this->handle) + { + dlclose(this->handle); + } + free(this); +} + +/** + * See header + */ +integrity_checker_t *integrity_checker_create(char *checksum_library) +{ + private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t); + + this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file; + this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file; + this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment; + this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment; + this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check; + this->public.destroy = (void(*)(integrity_checker_t*))destroy; + + this->checksum_count = 0; + this->handle = NULL; + if (checksum_library) + { + this->handle = dlopen(checksum_library, RTLD_LAZY); + if (this->handle) + { + int *checksum_count; + + this->checksums = dlsym(this->handle, "checksums"); + checksum_count = dlsym(this->handle, "checksum_count"); + if (this->checksums && checksum_count) + { + this->checksum_count = *checksum_count; + } + else + { + DBG1("checksum library '%s' invalid", checksum_library); + } + } + else + { + DBG1("loading checksum library '%s' failed", checksum_library); + } + } + return &this->public; +} + diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h new file mode 100644 index 000000000..d078dd6fb --- /dev/null +++ b/src/libstrongswan/integrity_checker.h @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup integrity_checker integrity_checker + * @{ @ingroup libstrongswan + */ + +#ifndef INTEGRITY_CHECKER_H_ +#define INTEGRITY_CHECKER_H_ + +#include <utils.h> +#include <plugins/plugin.h> + +typedef struct integrity_checker_t integrity_checker_t; +typedef struct integrity_checksum_t integrity_checksum_t; + +/** + * Struct to hold a precalculated checksum, implemented in the checksum library. + */ +struct integrity_checksum_t { + /* name of the checksum */ + char *name; + /* size in bytes of the file on disk */ + size_t file_len; + /* checksum of the file on disk */ + u_int32_t file; + /* size in bytes of executable segment in memory */ + size_t segment_len; + /* checksum of the executable segment in memory */ + u_int32_t segment; +}; + +/** + * Code integrity checker to detect non-malicious file manipulation. + * + * The integrity checker reads the checksums from a separate library + * libchecksum.so to compare the checksums. + */ +struct integrity_checker_t { + + /** + * Check the integrity of a file on disk. + * + * @param name name to lookup checksum + * @param file path to file + * @return TRUE if integrity tested successfully + */ + bool (*check_file)(integrity_checker_t *this, char *name, char *file); + + /** + * Build the integrity checksum of a file on disk. + * + * @param file path to file + * @param len return length in bytes of file + * @return checksum, 0 on error + */ + u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len); + + /** + * Check the integrity of the code segment in memory. + * + * @param name name to lookup checksum + * @param sym a symbol in the segment to check + * @return TRUE if integrity tested successfully + */ + bool (*check_segment)(integrity_checker_t *this, char *name, void *sym); + /** + * Build the integrity checksum of a code segment in memory. + * + * @param sym a symbol in the segment to check + * @param len return length in bytes of code segment in memory + * @return checksum, 0 on error + */ + u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len); + + /** + * Check both, on disk file integrity and loaded segment. + * + * @param name name to lookup checksum + * @param sym a symbol to look up library and segment + * @return TRUE if integrity tested successfully + */ + bool (*check)(integrity_checker_t *this, char *name, void *sym); + + /** + * Destroy a integrity_checker_t. + */ + void (*destroy)(integrity_checker_t *this); +}; + +/** + * Create a integrity_checker instance. + * + * @param checksum_library library containing checksums + */ +integrity_checker_t *integrity_checker_create(char *checksum_library); + +#endif /* INTEGRITY_CHECKER_H_ @}*/ diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 8e5a8a611..832c8b607 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -20,12 +20,15 @@ #include <utils.h> #include <chunk.h> +#include <debug.h> #include <utils/identification.h> #include <utils/host.h> #ifdef LEAK_DETECTIVE #include <utils/leak_detective.h> #endif +#define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so" + typedef struct private_library_t private_library_t; /** @@ -65,6 +68,10 @@ void library_deinit() this->public.fetcher->destroy(this->public.fetcher); this->public.db->destroy(this->public.db); this->public.printf_hook->destroy(this->public.printf_hook); + if (this->public.integrity) + { + this->public.integrity->destroy(this->public.integrity); + } #ifdef LEAK_DETECTIVE if (this->detective) @@ -79,7 +86,7 @@ void library_deinit() /* * see header file */ -void library_init(char *settings) +bool library_init(char *settings) { printf_hook_t *pfh; private_library_t *this = malloc_thing(private_library_t); @@ -119,5 +126,23 @@ void library_init(char *settings) this->public.fetcher = fetcher_manager_create(); this->public.db = database_factory_create(); this->public.plugins = plugin_loader_create(); + this->public.integrity = NULL; + + if (lib->settings->get_bool(lib->settings, + "libstrongswan.integrity_test", FALSE)) + { +#ifdef INTEGRITY_TEST + this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY); + if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init)) + { + DBG1("integrity check of libstrongswan failed"); + return FALSE; + } +#else /* !INTEGRITY_TEST */ + DBG1("integrity test enabled, but not supported"); + return FALSE; +#endif /* INTEGRITY_TEST */ + } + return TRUE; } diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 35c6b686a..df4121803 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -19,6 +19,9 @@ * @defgroup asn1 asn1 * @ingroup libstrongswan * + * @defgroup pgp pgp + * @ingroup libstrongswan + * * @defgroup credentials credentials * @ingroup libstrongswan * @@ -30,19 +33,16 @@ * * @defgroup crypto crypto * @ingroup libstrongswan - + * * @defgroup database database * @ingroup libstrongswan - + * * @defgroup fetcher fetcher * @ingroup libstrongswan - - * @defgroup fips fips - * @ingroup libstrongswan - + * * @defgroup plugins plugins * @ingroup libstrongswan - + * * @defgroup utils utils * @ingroup libstrongswan */ @@ -59,6 +59,7 @@ #include <utils.h> #include <chunk.h> #include <settings.h> +#include <integrity_checker.h> #include <plugins/plugin_loader.h> #include <crypto/crypto_factory.h> #include <fetcher/fetcher_manager.h> @@ -108,6 +109,11 @@ struct library_t { settings_t *settings; /** + * integrity checker to verify code integrity + */ + integrity_checker_t *integrity; + + /** * is leak detective running? */ bool leak_detective; @@ -117,8 +123,9 @@ struct library_t { * Initialize library, creates "lib" instance. * * @param settings file to read settings from, may be NULL for none + * @return FALSE if integrity check failed */ -void library_init(char *settings); +bool library_init(char *settings); /** * Deinitialize library, destroys "lib" instance. diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am index e73040f27..a3101172f 100644 --- a/src/libstrongswan/plugins/aes/Makefile.am +++ b/src/libstrongswan/plugins/aes/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-aes.la libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h -libstrongswan_aes_la_LDFLAGS = -module +libstrongswan_aes_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 19d3249b5..4414b2ede 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-aes.la libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h -libstrongswan_aes_la_LDFLAGS = -module +libstrongswan_aes_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am index bc022aa26..e1000e562 100644 --- a/src/libstrongswan/plugins/agent/Makefile.am +++ b/src/libstrongswan/plugins/agent/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \ agent_private_key.c agent_private_key.h -libstrongswan_agent_la_LDFLAGS = -module +libstrongswan_agent_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 5a5202262..a73edb362 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \ agent_private_key.c agent_private_key.h -libstrongswan_agent_la_LDFLAGS = -module +libstrongswan_agent_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am index 6bb82169e..3fbc5893b 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.am +++ b/src/libstrongswan/plugins/blowfish/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la libstrongswan_blowfish_la_SOURCES = \ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c -libstrongswan_blowfish_la_LDFLAGS = -module +libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 25cea73df..e536b5fc6 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_blowfish_la_SOURCES = \ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c -libstrongswan_blowfish_la_LDFLAGS = -module +libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am index 1b44516b2..f0a41e4ad 100644 --- a/src/libstrongswan/plugins/curl/Makefile.am +++ b/src/libstrongswan/plugins/curl/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-curl.la libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h -libstrongswan_curl_la_LDFLAGS = -module +libstrongswan_curl_la_LDFLAGS = -module -avoid-version libstrongswan_curl_la_LIBADD = -lcurl diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index b413e035e..21d77ac8f 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-curl.la libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h -libstrongswan_curl_la_LDFLAGS = -module +libstrongswan_curl_la_LDFLAGS = -module -avoid-version libstrongswan_curl_la_LIBADD = -lcurl all: all-am diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am index ea94eda8a..76cfbc419 100644 --- a/src/libstrongswan/plugins/des/Makefile.am +++ b/src/libstrongswan/plugins/des/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-des.la libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h -libstrongswan_des_la_LDFLAGS = -module +libstrongswan_des_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index bbca6a032..19da339fe 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-des.la libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h -libstrongswan_des_la_LDFLAGS = -module +libstrongswan_des_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am index 73f28825a..d9431947e 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.am +++ b/src/libstrongswan/plugins/fips_prf/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-fips-prf.la libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h -libstrongswan_fips_prf_la_LDFLAGS = -module +libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 881d7a36e..5dcae7f27 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-fips-prf.la libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h -libstrongswan_fips_prf_la_LDFLAGS = -module +libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am index 72cc409fc..7394676e2 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.am +++ b/src/libstrongswan/plugins/gcrypt/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 49994c593..e3d27f7f8 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) all: all-am diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c index 785ebda90..41e17c897 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c @@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo) case HASH_SHA1: gcrypt_alg = GCRY_MD_SHA1; break; + case HASH_SHA224: + gcrypt_alg = GCRY_MD_SHA224; + break; case HASH_SHA256: gcrypt_alg = GCRY_MD_SHA256; break; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 547329dde..939e0886c 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t { */ static int mutex_init(void **lock) { - *lock = mutex_create(MUTEX_DEFAULT); + *lock = mutex_create(MUTEX_TYPE_DEFAULT); return 0; } @@ -148,6 +148,8 @@ plugin_t *plugin_create() (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 611ab2467..e0e8015db 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t { public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key); /** - * find a token in a S-expression + * find a token in a S-expression. If a key is given, its length is used to + * pad the output to a given length. */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key) { gcry_sexp_t token; - chunk_t data = chunk_empty; + chunk_t data = chunk_empty, tmp; + size_t len = 0; token = gcry_sexp_find_token(sexp, name, 1); if (token) @@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) { data.len = 0; } - data = chunk_clone(data); + else + { + if (key) + { + /* gcrypt might return more bytes than necessary. Truncate + * to key lenght if key given, or prepend zeros if needed */ + len = gcry_pk_get_nbits(key); + len = len / 8 + (len % 8 ? 1 : 0); + if (len > data.len) + { + tmp = chunk_alloc(len); + len -= data.len; + memset(tmp.ptr, 0, tmp.len - len); + memcpy(tmp.ptr + len, data.ptr, data.len); + data = tmp; + } + else if (len < data.len) + { + data = chunk_clone(chunk_skip(data, data.len - len)); + } + else + { + data = chunk_clone(data); + } + } + else + { + data = chunk_clone(data); + } + } gcry_sexp_release(token); } return data; @@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche return sign_raw(this, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA1: return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA256: return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) gcry_error_t err; /* p and q are swapped, gcrypt expects p < q */ - cp = gcrypt_rsa_find_token(this->key, "q"); - cq = gcrypt_rsa_find_token(this->key, "p"); - cd = gcrypt_rsa_find_token(this->key, "d"); + cp = gcrypt_rsa_find_token(this->key, "q", NULL); + cq = gcrypt_rsa_find_token(this->key, "p", NULL); + cd = gcrypt_rsa_find_token(this->key, "d", NULL); err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL) | gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL) @@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) } return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0, - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)), asn1_integer("m", cd), asn1_integer("m", cp), asn1_integer("m", cq), asn1_integer("m", cexp1), asn1_integer("m", cexp2), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "u"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL))); } /** @@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, return FALSE; } publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL))); hasher->allocate_hash(hasher, publicKey, &hash); *keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash); chunk_free(&hash); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 8024f58a7..4d9c88c6d 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t { /** * Implemented in gcrypt_rsa_private_key.c */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name); +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key); bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, identification_t **keyid_info); @@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this, return verify_pkcs1(this, HASH_MD5, "md5", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain, DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err)); return FALSE; } - *encrypted = gcrypt_rsa_find_token(out, "a"); + *encrypted = gcrypt_rsa_find_token(out, "a", this->key); gcry_sexp_release(out); return !!encrypted->len; } @@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this, static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this) { return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL))); } /** @@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key) chunk_t n, e; this = gcrypt_rsa_public_key_create_empty(); - n = gcrypt_rsa_find_token(key, "n"); - e = gcrypt_rsa_find_token(key, "e"); + n = gcrypt_rsa_find_token(key, "n", NULL); + e = gcrypt_rsa_find_token(key, "e", NULL); err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))", n.len, n.ptr, e.len, e.ptr); diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am index f073b5d48..1ab358328 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.am +++ b/src/libstrongswan/plugins/gmp/Makefile.am @@ -10,6 +10,6 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \ gmp_rsa_private_key.c gmp_rsa_private_key.h \ gmp_rsa_public_key.c gmp_rsa_public_key.h -libstrongswan_gmp_la_LDFLAGS = -module +libstrongswan_gmp_la_LDFLAGS = -module -avoid-version libstrongswan_gmp_la_LIBADD = -lgmp diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index a60cd998c..8d5dff34b 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \ gmp_rsa_private_key.c gmp_rsa_private_key.h \ gmp_rsa_public_key.c gmp_rsa_public_key.h -libstrongswan_gmp_la_LDFLAGS = -module +libstrongswan_gmp_la_LDFLAGS = -module -avoid-version libstrongswan_gmp_la_LIBADD = -lgmp all: all-am diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index cbc112762..259c8e9ad 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -301,6 +301,8 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 1f3e3072f..c26187c64 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -301,6 +301,8 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -417,7 +419,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this) /** * Build the PGP version 3 RSA key identifier from n and e using - * MD5 hashed modulus and exponent. Also used in rsa_private_key.c. + * MD5 hashed modulus and exponent. */ static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e) { diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am index 89e0638f3..1856cad2d 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.am +++ b/src/libstrongswan/plugins/hmac/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c -libstrongswan_hmac_la_LDFLAGS = -module +libstrongswan_hmac_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index fc36bd9fa..389bde8f9 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c -libstrongswan_hmac_la_LDFLAGS = -module +libstrongswan_hmac_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am index ac6b4be00..6ad073d97 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.am +++ b/src/libstrongswan/plugins/ldap/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-ldap.la libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c -libstrongswan_ldap_la_LDFLAGS = -module +libstrongswan_ldap_la_LDFLAGS = -module -avoid-version libstrongswan_ldap_la_LIBADD = -lldap -llber diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 6eefc8546..93fc9a0c1 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-ldap.la libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c -libstrongswan_ldap_la_LDFLAGS = -module +libstrongswan_ldap_la_LDFLAGS = -module -avoid-version libstrongswan_ldap_la_LIBADD = -lldap -llber all: all-am diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am index f984322a6..a47da2e8e 100644 --- a/src/libstrongswan/plugins/md4/Makefile.am +++ b/src/libstrongswan/plugins/md4/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md4.la libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h -libstrongswan_md4_la_LDFLAGS = -module +libstrongswan_md4_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index efdb64e90..7ca6a20cc 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md4.la libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h -libstrongswan_md4_la_LDFLAGS = -module +libstrongswan_md4_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am index 0a9c5cbf4..ce0611c13 100644 --- a/src/libstrongswan/plugins/md5/Makefile.am +++ b/src/libstrongswan/plugins/md5/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md5.la libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h -libstrongswan_md5_la_LDFLAGS = -module +libstrongswan_md5_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 15c98aba4..fb9bc4b4d 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md5.la libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h -libstrongswan_md5_la_LDFLAGS = -module +libstrongswan_md5_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am index ec94b8fda..0daf7655b 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.am +++ b/src/libstrongswan/plugins/mysql/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \ mysql_database.h mysql_database.c -libstrongswan_mysql_la_LDFLAGS = -module +libstrongswan_mysql_la_LDFLAGS = -module -avoid-version libstrongswan_mysql_la_LIBADD = -lmysqlclient_r diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 26b514ad6..21fe61923 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \ mysql_database.h mysql_database.c -libstrongswan_mysql_la_LDFLAGS = -module +libstrongswan_mysql_la_LDFLAGS = -module -avoid-version libstrongswan_mysql_la_LIBADD = -lmysqlclient_r all: all-am diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index d0d5a3d15..341217dd4 100644 --- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -686,7 +686,7 @@ mysql_database_t *mysql_database_create(char *uri) free(this); return NULL; } - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->pool = linked_list_create(); /* check connectivity */ diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index f331a78eb..25cc5aa1d 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -16,6 +16,6 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ openssl_ec_private_key.c openssl_ec_private_key.h \ openssl_ec_public_key.c openssl_ec_public_key.h -libstrongswan_openssl_la_LDFLAGS = -module +libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index 0ebb5acf0..e6d7b479b 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -78,12 +78,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -188,7 +191,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -236,7 +241,7 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ openssl_ec_private_key.c openssl_ec_private_key.h \ openssl_ec_public_key.c openssl_ec_public_key.h -libstrongswan_openssl_la_LDFLAGS = -module +libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto all: all-am diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index 7f48f1009..424fec60a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -83,6 +83,7 @@ static openssl_algorithm_t encryption_algs[] = { /* {ENCR_DES_IV32, "***", 0, 0}, */ /* {ENCR_NULL, "***", 0, 0}, */ /* handled separately */ /* {ENCR_AES_CBC, "***", 0, 0}, */ /* handled separately */ +/* {ENCR_CAMELLIA_CBC, "***", 0, 0}, */ /* handled separately */ /* {ENCR_AES_CTR, "***", 0, 0}, */ /* disabled in evp.h */ {END_OF_LIST, NULL, 0, 0}, }; @@ -224,6 +225,23 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, return NULL; } break; + case ENCR_CAMELLIA_CBC: + switch (key_size) + { + case 16: /* CAMELLIA 128 */ + this->cipher = EVP_get_cipherbyname("camellia128"); + break; + case 24: /* CAMELLIA 192 */ + this->cipher = EVP_get_cipherbyname("camellia192"); + break; + case 32: /* CAMELLIA 256 */ + this->cipher = EVP_get_cipherbyname("camellia256"); + break; + default: + free(this); + return NULL; + } + break; case ENCR_DES_ECB: this->cipher = EVP_des_ecb(); break; diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index c93acb75c..082aed9ca 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -108,7 +108,8 @@ error: * Convert an EC_POINT to a chunk by concatenating the x and y coordinates of * the point. This function allocates memory for the chunk. */ -static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk) +static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, + chunk_t *chunk, bool x_coordinate_only) { BN_CTX *ctx; BIGNUM *x, *y; @@ -133,6 +134,10 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chu goto error; } + if (x_coordinate_only) + { + y = NULL; + } if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk)) { goto error; @@ -160,7 +165,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_ { const BIGNUM *priv_key; EC_POINT *secret = NULL; - bool ret = FALSE; + bool x_coordinate_only, ret = FALSE; priv_key = EC_KEY_get0_private_key(this->key); if (!priv_key) @@ -179,7 +184,14 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_ goto error; } - if (!ecp2chunk(this->ec_group, secret, shared_secret)) + /* + * The default setting ecp_x_coordinate_only = TRUE + * applies the following errata for RFC 4753: + * http://www.rfc-editor.org/errata_search.php?eid=9 + */ + x_coordinate_only = lib->settings->get_bool(lib->settings, + "libstrongswan.ecp_x_coordinate_only", TRUE); + if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only)) { goto error; } @@ -219,7 +231,7 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch */ static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value) { - ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value); + ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE); } /** diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c index ed3e57957..90a5229d5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.c +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c @@ -65,6 +65,7 @@ static openssl_algorithm_t integrity_algs[] = { {HASH_MD2, "md2"}, {HASH_MD5, "md5"}, {HASH_SHA1, "sha1"}, + {HASH_SHA224, "sha224"}, {HASH_SHA256, "sha256"}, {HASH_SHA384, "sha384"}, {HASH_SHA512, "sha512"}, diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index a90dff7f1..ce6716f5a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -84,7 +84,7 @@ static struct CRYPTO_dynlock_value *create_function(const char *file, int line) struct CRYPTO_dynlock_value *lock; lock = malloc_thing(struct CRYPTO_dynlock_value); - lock->mutex = mutex_create(MUTEX_DEFAULT); + lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return lock; } @@ -140,7 +140,7 @@ static void threading_init() mutex = malloc(sizeof(mutex_t*) * num_locks); for (i = 0; i < num_locks; i++) { - mutex[i] = mutex_create(MUTEX_DEFAULT); + mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT); } } @@ -212,6 +212,8 @@ plugin_t *plugin_create() /* crypter */ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_3DES, (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_RC5, @@ -238,6 +240,8 @@ plugin_t *plugin_create() (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index c5d4142da..95c0ffdc8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -165,6 +165,8 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch return build_emsa_pkcs1_signature(this, NID_undef, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return build_emsa_pkcs1_signature(this, NID_sha1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return build_emsa_pkcs1_signature(this, NID_sha224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return build_emsa_pkcs1_signature(this, NID_sha256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 89912f24c..bc1ba35b6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -143,6 +143,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc return verify_emsa_pkcs1_signature(this, NID_undef, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index bb0c296e1..c8c453f64 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -71,21 +71,26 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk) { int offset; - chunk->len = len * 2; + chunk->len = len + (b ? len : 0); chunk->ptr = malloc(chunk->len); memset(chunk->ptr, 0, chunk->len); + /* convert a */ offset = len - BN_num_bytes(a); if (!BN_bn2bin(a, chunk->ptr + offset)) { goto error; } - offset = len - BN_num_bytes(b); - if (!BN_bn2bin(b, chunk->ptr + len + offset)) + /* optionally convert and concatenate b */ + if (b) { - goto error; - } + offset = len - BN_num_bytes(b); + if (!BN_bn2bin(b, chunk->ptr + len + offset)) + { + goto error; + } + } return TRUE; error: diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am index e7c3ba486..b2b1f9d85 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.am +++ b/src/libstrongswan/plugins/padlock/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \ padlock_aes_crypter.c padlock_aes_crypter.h \ padlock_sha1_hasher.c padlock_sha1_hasher.h \ padlock_rng.c padlock_rng.h -libstrongswan_padlock_la_LDFLAGS = -module +libstrongswan_padlock_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 7fe0cc198..44f533744 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \ padlock_sha1_hasher.c padlock_sha1_hasher.h \ padlock_rng.c padlock_rng.h -libstrongswan_padlock_la_LDFLAGS = -module +libstrongswan_padlock_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index dddb73551..e241b59be 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features() return d; } } - DBG1("Padlock not found, CPU is %s\n", vendor); + DBG1("Padlock not found, CPU is %s", vendor); return 0; } diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index ad5a9e240..459ba9ba9 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -22,6 +22,7 @@ #include <stdio.h> #include <debug.h> +#include <integrity_checker.h> #include <utils/linked_list.h> #include <plugins/plugin.h> @@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name); + if (lib->integrity) + { + if (!lib->integrity->check_file(lib->integrity, name, file)) + { + DBG1("plugin '%s': failed file integrity test of '%s'", name, file); + return NULL; + } + } handle = dlopen(file, RTLD_LAZY); if (handle == NULL) { - DBG1("loading plugin '%s' failed: %s", name, dlerror()); + DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror()); return NULL; } constructor = dlsym(handle, "plugin_create"); if (constructor == NULL) { - DBG1("loading plugin '%s' failed: no plugin_create() function", name); + DBG1("plugin '%s': failed to load - no plugin_create() function", name); dlclose(handle); return NULL; } + if (lib->integrity) + { + if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + { + DBG1("plugin '%s': failed segment integrity test", name); + dlclose(handle); + return NULL; + } + DBG1("plugin '%s': passed file and segment integrity tests", name); + } plugin = constructor(); if (plugin == NULL) { - DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name); + DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name); dlclose(handle); return NULL; } - DBG2("plugin '%s' loaded successfully", name); + DBG2("plugin '%s': loaded successfully", name); /* we do not store or free dlopen() handles, leak_detective requires * the modules to keep loaded until leak report */ diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am index 3b512614f..9423e6689 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.am +++ b/src/libstrongswan/plugins/pubkey/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \ pubkey_cert.h pubkey_cert.c\ pubkey_public_key.h pubkey_public_key.c -libstrongswan_pubkey_la_LDFLAGS = -module +libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 4514424f2..a672e2ea8 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \ pubkey_cert.h pubkey_cert.c\ pubkey_public_key.h pubkey_public_key.c -libstrongswan_pubkey_la_LDFLAGS = -module +libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am index 8b61d7094..9a11b8567 100644 --- a/src/libstrongswan/plugins/random/Makefile.am +++ b/src/libstrongswan/plugins/random/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-random.la libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \ random_rng.c random_rng.h -libstrongswan_random_la_LDFLAGS = -module +libstrongswan_random_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 0bed27468..a2869fb51 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-random.la libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \ random_rng.c random_rng.h -libstrongswan_random_la_LDFLAGS = -module +libstrongswan_random_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am index 5de45e4e8..ead51a45a 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.am +++ b/src/libstrongswan/plugins/sha1/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h -libstrongswan_sha1_la_LDFLAGS = -module +libstrongswan_sha1_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index c8b8905bb..f1f5807ab 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h -libstrongswan_sha1_la_LDFLAGS = -module +libstrongswan_sha1_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am index 066e49476..5422e1d4e 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.am +++ b/src/libstrongswan/plugins/sha2/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-sha2.la libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h -libstrongswan_sha2_la_LDFLAGS = -module +libstrongswan_sha2_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index f37c93502..b34286813 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-sha2.la libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h -libstrongswan_sha2_la_LDFLAGS = -module +libstrongswan_sha2_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c index 0e8811cca..645f4d786 100644 --- a/src/libstrongswan/plugins/sha2/sha2_hasher.c +++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c @@ -58,6 +58,11 @@ struct private_sha256_hasher_t { }; +static const u_int32_t sha224_hashInit[8] = { + 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, + 0x64f98fa7, 0xbefa4fa4 +}; + static const u_int32_t sha256_hashInit[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 @@ -422,6 +427,21 @@ static void sha512_final(private_sha512_hasher_t *ctx) } /** + * Implementation of hasher_t.get_hash for SHA224. + */ +static void get_hash224(private_sha256_hasher_t *this, + chunk_t chunk, u_int8_t *buffer) +{ + sha256_write(this, chunk.ptr, chunk.len); + if (buffer != NULL) + { + sha256_final(this); + memcpy(buffer, this->sha_out, HASH_SIZE_SHA224); + this->public.hasher_interface.reset(&(this->public.hasher_interface)); + } +} + +/** * Implementation of hasher_t.get_hash for SHA256. */ static void get_hash256(private_sha256_hasher_t *this, @@ -467,6 +487,25 @@ static void get_hash512(private_sha512_hasher_t *this, } /** + * Implementation of hasher_t.allocate_hash for SHA224. + */ +static void allocate_hash224(private_sha256_hasher_t *this, + chunk_t chunk, chunk_t *hash) +{ + chunk_t allocated_hash; + + sha256_write(this, chunk.ptr, chunk.len); + if (hash != NULL) + { + sha256_final(this); + allocated_hash = chunk_alloc(HASH_SIZE_SHA224); + memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA224); + this->public.hasher_interface.reset(&(this->public.hasher_interface)); + *hash = allocated_hash; + } +} + +/** * Implementation of hasher_t.allocate_hash for SHA256. */ static void allocate_hash256(private_sha256_hasher_t *this, @@ -524,6 +563,14 @@ static void allocate_hash512(private_sha512_hasher_t *this, } /** + * Implementation of hasher_t.get_hash_size for SHA224. + */ +static size_t get_hash_size224(private_sha256_hasher_t *this) +{ + return HASH_SIZE_SHA224; +} + +/** * Implementation of hasher_t.get_hash_size for SHA256. */ static size_t get_hash_size256(private_sha256_hasher_t *this) @@ -548,6 +595,16 @@ static size_t get_hash_size512(private_sha512_hasher_t *this) } /** + * Implementation of hasher_t.reset for SHA224 + */ +static void reset224(private_sha256_hasher_t *ctx) +{ + memcpy(&ctx->sha_H[0], &sha224_hashInit[0], sizeof(ctx->sha_H)); + ctx->sha_blocks = 0; + ctx->sha_bufCnt = 0; +} + +/** * Implementation of hasher_t.reset for SHA256 */ static void reset256(private_sha256_hasher_t *ctx) @@ -596,6 +653,13 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm) switch (algorithm) { + case HASH_SHA224: + this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t); + this->hasher_interface.reset = (void(*)(hasher_t*))reset224; + this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size224; + this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash224; + this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash224; + break; case HASH_SHA256: this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t); this->hasher_interface.reset = (void(*)(hasher_t*))reset256; diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c index 21bc592dc..0743f7b1a 100644 --- a/src/libstrongswan/plugins/sha2/sha2_plugin.c +++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c @@ -50,6 +50,8 @@ plugin_t *plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am index 7c3017abf..f26e31294 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.am +++ b/src/libstrongswan/plugins/sqlite/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \ sqlite_database.h sqlite_database.c -libstrongswan_sqlite_la_LDFLAGS = -module +libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version libstrongswan_sqlite_la_LIBADD = -lsqlite3 diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 547548bd7..b59a1c343 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -225,7 +230,7 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \ sqlite_database.h sqlite_database.c -libstrongswan_sqlite_la_LDFLAGS = -module +libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version libstrongswan_sqlite_la_LIBADD = -lsqlite3 all: all-am diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index ce873b714..6e4951f2d 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -333,7 +333,7 @@ sqlite_database_t *sqlite_database_create(char *uri) this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; this->public.db.destroy = (void(*)(database_t*))destroy; - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); if (sqlite3_open(file, &this->db) != SQLITE_OK) { diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index 27d17c084..6028805c4 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -29,5 +29,5 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha2_hmac.c \ test_vectors/fips_prf.c \ test_vectors/rng.c -libstrongswan_test_vectors_la_LDFLAGS = -module +libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index bb877620c..0e408ba7e 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -251,7 +256,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/fips_prf.c \ test_vectors/rng.c -libstrongswan_test_vectors_la_LDFLAGS = -module +libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index df5a9c9a8..b182dd829 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -98,6 +98,9 @@ TEST_VECTOR_HASHER(md5_7) TEST_VECTOR_HASHER(sha1_1) TEST_VECTOR_HASHER(sha1_2) TEST_VECTOR_HASHER(sha1_3) +TEST_VECTOR_HASHER(sha224_1) +TEST_VECTOR_HASHER(sha224_2) +TEST_VECTOR_HASHER(sha224_3) TEST_VECTOR_HASHER(sha256_1) TEST_VECTOR_HASHER(sha256_2) TEST_VECTOR_HASHER(sha256_3) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c index e2bd42240..4679c26b3 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c @@ -16,6 +16,41 @@ #include <crypto/crypto_tester.h> /** + * SHA-224 vectors from "The Secure Hash Algorithm Validation System (SHAVS)" + */ +hasher_test_vector_t sha224_1 = { + .alg = HASH_SHA224, .len = 1, + .data = "\x07", + .hash = "\x00\xec\xd5\xf1\x38\x42\x2b\x8a\xd7\x4c\x97\x99\xfd\x82\x6c\x53" + "\x1b\xad\x2f\xca\xbc\x74\x50\xbe\xe2\xaa\x8c\x2a" + +}; + +hasher_test_vector_t sha224_2 = { + .alg = HASH_SHA224, .len = 16, + .data = "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62", + .hash = "\xdf\x90\xd7\x8a\xa7\x88\x21\xc9\x9b\x40\xba\x4c\x96\x69\x21\xac" + "\xcd\x8f\xfb\x1e\x98\xac\x38\x8e\x56\x19\x1d\xb1" +}; + +hasher_test_vector_t sha224_3 = { + .alg = HASH_SHA224, .len = 163, + .data = "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" + "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" + "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" + "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" + "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" + "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" + "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" + "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" + "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" + "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" + "\x87\x82\x73", + .hash = "\x0b\x31\x89\x4e\xc8\x93\x7a\xd9\xb9\x1b\xdf\xbc\xba\x29\x4d\x9a" + "\xde\xfa\xa1\x8e\x09\x30\x5e\x9f\x20\xd5\xc3\xa4" +}; + +/** * SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)" */ hasher_test_vector_t sha256_1 = { diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am index 3f9f85c36..e9668b4e4 100644 --- a/src/libstrongswan/plugins/x509/Makefile.am +++ b/src/libstrongswan/plugins/x509/Makefile.am @@ -12,5 +12,5 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \ x509_ocsp_request.h x509_ocsp_request.c \ x509_ocsp_response.h x509_ocsp_response.c \ ietf_attr_list.h ietf_attr_list.c -libstrongswan_x509_la_LDFLAGS = -module +libstrongswan_x509_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 0c62ad3b3..56cb04769 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -230,7 +235,7 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \ x509_ocsp_response.h x509_ocsp_response.c \ ietf_attr_list.h ietf_attr_list.c -libstrongswan_x509_la_LDFLAGS = -module +libstrongswan_x509_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am index 1b10d21f8..515b75031 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.am +++ b/src/libstrongswan/plugins/xcbc/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c -libstrongswan_xcbc_la_LDFLAGS = -module +libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 82ef55bd5..1d4e39586 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c -libstrongswan_xcbc_la_LDFLAGS = -module +libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index 4a0eff45f..305841172 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -20,6 +20,7 @@ #include <string.h> #include <stdio.h> #include <unistd.h> +#include <stdint.h> #include <limits.h> #include <dirent.h> #include <time.h> @@ -58,20 +59,43 @@ void *clalloc(void * pointer, size_t size) /** * Described in header. */ -void memxor(u_int8_t dest[], u_int8_t src[], size_t n) +void memxor(u_int8_t dst[], u_int8_t src[], size_t n) { - int i = 0, m; + int m, i; - m = n - sizeof(long); - while (i < m) + /* byte wise XOR until dst aligned */ + for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++) { - *(long*)(dest + i) ^= *(long*)(src + i); - i += sizeof(long); + dst[i] ^= src[i]; } - while (i < n) + /* try to use words if src shares an aligment with dst */ + switch (((uintptr_t)&src[i] % sizeof(long))) { - dest[i] ^= src[i]; - i++; + case 0: + for (m = n - sizeof(long); i <= m; i += sizeof(long)) + { + *(long*)&dst[i] ^= *(long*)&src[i]; + } + break; + case sizeof(int): + for (m = n - sizeof(int); i <= m; i += sizeof(int)) + { + *(int*)&dst[i] ^= *(int*)&src[i]; + } + break; + case sizeof(short): + for (m = n - sizeof(short); i <= m; i += sizeof(short)) + { + *(short*)&dst[i] ^= *(short*)&src[i]; + } + break; + default: + break; + } + /* byte wise XOR of the rest */ + for (; i < n; i++) + { + dst[i] ^= src[i]; } } diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index debd0145b..5d273d272 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -29,6 +29,16 @@ #include <enum.h> /** + * strongSwan program return codes + */ +#define SS_RC_LIBSTRONGSWAN_INTEGRITY 64 +#define SS_RC_DAEMON_INTEGRITY 65 +#define SS_RC_INITIALIZATION_FAILED 66 + +#define SS_RC_FIRST SS_RC_LIBSTRONGSWAN_INTEGRITY +#define SS_RC_LAST SS_RC_INITIALIZATION_FAILED + +/** * Number of bits in a byte */ #define BITS_PER_BYTE 8 @@ -134,6 +144,19 @@ # define TRUE true #endif /* TRUE */ +/** + * define some missing fixed width int types on OpenSolaris. + * TODO: since the uintXX_t types are defined by the C99 standard we should + * probably use those anyway + */ +#ifdef __sun + #include <stdint.h> + typedef uint8_t u_int8_t; + typedef uint16_t u_int16_t; + typedef uint32_t u_int32_t; + typedef uint64_t u_int64_t; +#endif + typedef enum status_t status_t; /** diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c index 24bafe66a..08522b8d5 100644 --- a/src/libstrongswan/utils/enumerator.c +++ b/src/libstrongswan/utils/enumerator.c @@ -408,7 +408,7 @@ typedef struct { /** * Implementation of enumerator_create_filter().destroy */ -void destroy_filter(filter_enumerator_t *this) +static void destroy_filter(filter_enumerator_t *this) { if (this->destructor) { @@ -421,8 +421,8 @@ void destroy_filter(filter_enumerator_t *this) /** * Implementation of enumerator_create_filter().enumerate */ -bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2, - void *o3, void *o4, void *o5) +static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2, + void *o3, void *o4, void *o5) { void *i1, *i2, *i3, *i4, *i5; diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index 484de5e54..661bec315 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -17,6 +17,7 @@ */ #define _GNU_SOURCE +#include <sys/socket.h> #include <netdb.h> #include <string.h> @@ -433,16 +434,40 @@ host_t *host_create_from_string(char *string, u_int16_t port) /* * Described in header. */ +host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) +{ + private_host_t *this = host_create_empty(); + + switch (sockaddr->sa_family) + { + case AF_INET: + { + memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); + this->socklen = sizeof(struct sockaddr_in); + return &this->public; + } + case AF_INET6: + { + memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); + this->socklen = sizeof(struct sockaddr_in6); + return &this->public; + } + default: + break; + } + free(this); + return NULL; +} + +/* + * Described in header. + */ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { private_host_t *this; - struct hostent *ptr; - int ret = 0, err; -#ifdef HAVE_GETHOSTBYNAME_R - struct hostent host; - char buf[512]; -#endif - + struct addrinfo hints, *result; + int error; + if (streq(string, "%any")) { return host_create_any_port(af ? af : AF_INET, port); @@ -451,62 +476,32 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { return host_create_any_port(af ? af : AF_INET6, port); } - else if (strchr(string, ':')) - { - /* gethostbyname does not like IPv6 addresses - fallback */ - return host_create_from_string(string, port); - } - -#ifdef HAVE_GETHOSTBYNAME_R - if (af) - { - ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err); - } - else - { - ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err); - } -#else - /* Some systems (e.g. Mac OS X) do not support gethostbyname_r */ - if (af) - { - ptr = gethostbyname2(string, af); - } - else - { - ptr = gethostbyname(string); - } - if (ptr == NULL) - { - err = h_errno; - } -#endif - if (ret != 0 || ptr == NULL) + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = af; + error = getaddrinfo(string, NULL, &hints, &result); + if (error != 0) { - DBG1("resolving '%s' failed: %s", string, hstrerror(err)); + DBG1("resolving '%s' failed: %s", string, gai_strerror(error)); return NULL; } - this = host_create_empty(); - this->address.sa_family = ptr->h_addrtype; - switch (this->address.sa_family) + /* result is a linked list, but we use only the first address */ + this = (private_host_t*)host_create_from_sockaddr(result->ai_addr); + freeaddrinfo(result); + if (this) { - case AF_INET: - memcpy(&this->address4.sin_addr.s_addr, - ptr->h_addr_list[0], ptr->h_length); - this->address4.sin_port = htons(port); - this->socklen = sizeof(struct sockaddr_in); - break; - case AF_INET6: - memcpy(&this->address6.sin6_addr.s6_addr, - ptr->h_addr_list[0], ptr->h_length); - this->address6.sin6_port = htons(port); - this->socklen = sizeof(struct sockaddr_in6); - break; - default: - free(this); - return NULL; + switch (this->address.sa_family) + { + case AF_INET: + this->address4.sin_port = htons(port); + break; + case AF_INET6: + this->address6.sin6_port = htons(port); + break; + } + return &this->public; } - return &this->public; + return NULL; } /* @@ -569,34 +564,6 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) /* * Described in header. */ -host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) -{ - private_host_t *this = host_create_empty(); - - switch (sockaddr->sa_family) - { - case AF_INET: - { - memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); - this->socklen = sizeof(struct sockaddr_in); - return &this->public; - } - case AF_INET6: - { - memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); - this->socklen = sizeof(struct sockaddr_in6); - return &this->public; - } - default: - break; - } - free(this); - return NULL; -} - -/* - * Described in header. - */ host_t *host_create_any(int family) { private_host_t *this = host_create_empty(); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 1c04c97ef..10daf4679 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -21,7 +21,6 @@ #include <arpa/inet.h> #include <string.h> #include <stdio.h> -#include <ctype.h> #include "identification.h" @@ -122,365 +121,216 @@ struct private_identification_t { id_type_t type; }; -static private_identification_t *identification_create(void); - /** - * updates a chunk (!????) - * TODO: We should reconsider this stuff, its not really clear + * Enumerator over RDNs */ -static void update_chunk(chunk_t *ch, int n) -{ - n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1; - ch->ptr += n; ch->len -= n; -} +typedef struct { + /* implements enumerator interface */ + enumerator_t public; + /* next set to parse, if any */ + chunk_t sets; + /* next sequence in set, if any */ + chunk_t seqs; +} rdn_enumerator_t; /** - * Remove any malicious characters from a chunk. We are very restrictive, but - * whe use these strings only to present it to the user. + * Implementation of rdn_enumerator_t.enumerate */ -static bool sanitize_chunk(chunk_t chunk, chunk_t *clone) +static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid, + u_char *type, chunk_t *data) { - char *pos; - bool all_printable = TRUE; - - *clone = chunk_clone(chunk); + chunk_t rdn; - for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++) + /* a DN contains one or more SET, each containing one or more SEQUENCES, + * each containing a OID/value RDN */ + if (!this->seqs.len) { - if (!isprint(*pos)) + /* no SEQUENCEs in current SET, parse next SET */ + if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET) { - *pos = '?'; - all_printable = FALSE; + return FALSE; + } + } + if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE && + asn1_unwrap(&rdn, oid) == ASN1_OID) + { + int t = asn1_unwrap(&rdn, data); + + if (t != ASN1_INVALID) + { + *type = t; + return TRUE; } } - return all_printable; + return FALSE; } /** - * Pointer is set to the first RDN in a DN + * Create an enumerator over all RDNs (oid, string type, data) of a DN */ -static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next) +static enumerator_t* create_rdn_enumerator(chunk_t dn) { - *rdn = chunk_empty; - *attribute = chunk_empty; + rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t); - /* a DN is a SEQUENCE OF RDNs */ - if (*dn.ptr != ASN1_SEQUENCE) - { - /* DN is not a SEQUENCE */ - return FALSE; - } + e->public.enumerate = (void*)rdn_enumerate; + e->public.destroy = (void*)free; - rdn->len = asn1_length(&dn); - - if (rdn->len == ASN1_INVALID_LENGTH) + /* a DN is a SEQUENCE, get the first SET of it */ + if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE) { - /* Invalid RDN length */ - return FALSE; + e->seqs = chunk_empty; + return &e->public; } - - rdn->ptr = dn.ptr; - - /* are there any RDNs ? */ - *next = rdn->len > 0; - - return TRUE; + free(e); + return enumerator_create_empty(); } /** - * Fetches the next RDN in a DN + * Part enumerator over RDNs + */ +typedef struct { + /* implements enumerator interface */ + enumerator_t public; + /* inner RDN enumerator */ + enumerator_t *inner; +} rdn_part_enumerator_t; + +/** + * Implementation of rdn_part_enumerator_t.enumerate(). */ -static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, - chunk_t *value, asn1_t *type, bool *next) +static bool rdn_part_enumerate(rdn_part_enumerator_t *this, + id_part_t *type, chunk_t *data) { - chunk_t body; + int i, known_oid, strtype; + chunk_t oid, inner_data; + static const struct { + int oid; + id_part_t type; + } oid2part[] = { + {OID_COMMON_NAME, ID_PART_RDN_CN}, + {OID_SURNAME, ID_PART_RDN_S}, + {OID_SERIAL_NUMBER, ID_PART_RDN_SN}, + {OID_COUNTRY, ID_PART_RDN_C}, + {OID_LOCALITY, ID_PART_RDN_L}, + {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST}, + {OID_ORGANIZATION, ID_PART_RDN_O}, + {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU}, + {OID_TITLE, ID_PART_RDN_T}, + {OID_DESCRIPTION, ID_PART_RDN_D}, + {OID_NAME, ID_PART_RDN_N}, + {OID_GIVEN_NAME, ID_PART_RDN_G}, + {OID_INITIALS, ID_PART_RDN_I}, + {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID}, + {OID_EMAIL_ADDRESS, ID_PART_RDN_E}, + {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN}, + }; - /* initialize return values */ - *oid = chunk_empty; - *value = chunk_empty; - - /* if all attributes have been parsed, get next rdn */ - if (attribute->len <= 0) + while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data)) { - /* an RDN is a SET OF attributeTypeAndValue */ - if (*rdn->ptr != ASN1_SET) + known_oid = asn1_known_oid(oid); + for (i = 0; i < countof(oid2part); i++) { - /* RDN is not a SET */ - return FALSE; - } - attribute->len = asn1_length(rdn); - if (attribute->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute length */ - return FALSE; + if (oid2part[i].oid == known_oid) + { + *type = oid2part[i].type; + *data = inner_data; + return TRUE; + } } - attribute->ptr = rdn->ptr; - /* advance to start of next RDN */ - rdn->ptr += attribute->len; - rdn->len -= attribute->len; - } - - /* an attributeTypeAndValue is a SEQUENCE */ - if (*attribute->ptr != ASN1_SEQUENCE) - { - /* attributeTypeAndValue is not a SEQUENCE */ - return FALSE; } - - /* extract the attribute body */ - body.len = asn1_length(attribute); - - if (body.len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute body length */ - return FALSE; - } - - body.ptr = attribute->ptr; - - /* advance to start of next attribute */ - attribute->ptr += body.len; - attribute->len -= body.len; - - /* attribute type is an OID */ - if (*body.ptr != ASN1_OID) - { - /* attributeType is not an OID */ - return FALSE; - } - /* extract OID */ - oid->len = asn1_length(&body); - - if (oid->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute OID length */ - return FALSE; - } - oid->ptr = body.ptr; - - /* advance to the attribute value */ - body.ptr += oid->len; - body.len -= oid->len; - - /* extract string type */ - *type = *body.ptr; - - /* extract string value */ - value->len = asn1_length(&body); - - if (value->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute string length */ - return FALSE; - } - value->ptr = body.ptr; - - /* are there any RDNs left? */ - *next = rdn->len > 0 || attribute->len > 0; - return TRUE; + return FALSE; } /** - * Parses an ASN.1 distinguished name int its OID/value pairs + * Implementation of rdn_part_enumerator_t.destroy(). */ -static bool dntoa(chunk_t dn, chunk_t *str) +static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this) { - chunk_t rdn, oid, attribute, value, proper; - asn1_t type; - int oid_code; - bool next; - bool first = TRUE; - - if (!init_rdn(dn, &rdn, &attribute, &next)) - { - return FALSE; - } - - while (next) - { - if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next)) - { - return FALSE; - } - - if (first) - { /* first OID/value pair */ - first = FALSE; - } - else - { /* separate OID/value pair by a comma */ - update_chunk(str, snprintf(str->ptr,str->len,", ")); - } - - /* print OID */ - oid_code = asn1_known_oid(oid); - if (oid_code == OID_UNKNOWN) - { - update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid)); - } - else - { - update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name)); - } - /* print value */ - sanitize_chunk(value, &proper); - update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr)); - chunk_free(&proper); - } - return TRUE; + this->inner->destroy(this->inner); + free(this); } /** - * compare two distinguished names by - * comparing the individual RDNs + * Implementation of identification_t.create_part_enumerator */ -static bool same_dn(chunk_t a, chunk_t b) +static enumerator_t* create_part_enumerator(private_identification_t *this) { - chunk_t rdn_a, rdn_b, attribute_a, attribute_b; - chunk_t oid_a, oid_b, value_a, value_b; - asn1_t type_a, type_b; - bool next_a, next_b; - - /* same lengths for the DNs */ - if (a.len != b.len) - { - return FALSE; - } - /* try a binary comparison first */ - if (memeq(a.ptr, b.ptr, b.len)) - { - return TRUE; - } - /* initialize DN parsing */ - if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) || - !init_rdn(b, &rdn_b, &attribute_b, &next_b)) - { - return FALSE; - } - - /* fetch next RDN pair */ - while (next_a && next_b) + switch (this->type) { - /* parse next RDNs and check for errors */ - if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || - !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b)) - { - return FALSE; - } - - /* OIDs must agree */ - if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len)) - { - return FALSE; - } - - /* same lengths for values */ - if (value_a.len != value_b.len) - { - return FALSE; - } - - /* printableStrings and email RDNs require uppercase comparison */ - if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING || - (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL))) - { - if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - { - return FALSE; - } - } - else + case ID_DER_ASN1_DN: { - if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) - { - return FALSE; - } + rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t); + + e->inner = create_rdn_enumerator(this->encoded); + e->public.enumerate = (void*)rdn_part_enumerate; + e->public.destroy = (void*)rdn_part_enumerator_destroy; + + return &e->public; } + case ID_RFC822_ADDR: + /* TODO */ + case ID_FQDN: + /* TODO */ + default: + return enumerator_create_empty(); } - /* both DNs must have same number of RDNs */ - if (next_a || next_b) - { - return FALSE; - } - /* the two DNs are equal! */ - return TRUE; } - /** - * compare two distinguished names by comparing the individual RDNs. - * A single'*' character designates a wildcard RDN in DN b. - * TODO: Add support for different RDN order in DN !! + * Print a DN with all its RDN in a buffer to present it to the user */ -bool match_dn(chunk_t a, chunk_t b, int *wildcards) +static void dntoa(chunk_t dn, char *buf, size_t len) { - chunk_t rdn_a, rdn_b, attribute_a, attribute_b; - chunk_t oid_a, oid_b, value_a, value_b; - asn1_t type_a, type_b; - bool next_a, next_b; - - /* initialize wildcard counter */ - *wildcards = 0; - - /* initialize DN parsing */ - if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) || - !init_rdn(b, &rdn_b, &attribute_b, &next_b)) - { - return FALSE; - } + enumerator_t *e; + chunk_t oid_data, data; + u_char type; + int oid, written; + bool finished = FALSE; - /* fetch next RDN pair */ - while (next_a && next_b) + e = create_rdn_enumerator(dn); + while (e->enumerate(e, &oid_data, &type, &data)) { - /* parse next RDNs and check for errors */ - if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || - !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b)) + oid = asn1_known_oid(oid_data); + + if (oid == OID_UNKNOWN) { - return FALSE; + written = snprintf(buf, len, "%#B=", &oid_data); } - /* OIDs must agree */ - if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0) + else { - return FALSE; + written = snprintf(buf, len,"%s=", oid_names[oid].name); } + buf += written; + len -= written; - /* does rdn_b contain a wildcard? */ - if (value_b.len == 1 && *value_b.ptr == '*') + if (chunk_printable(data, NULL, '?')) { - (*wildcards)++; - continue; + written = snprintf(buf, len, "%.*s", data.len, data.ptr); } - /* same lengths for values */ - if (value_a.len != value_b.len) + else { - return FALSE; + written = snprintf(buf, len, "%#B", &data); } + buf += written; + len -= written; - /* printableStrings and email RDNs require uppercase comparison */ - if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING || - (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL))) + if (data.ptr + data.len != dn.ptr + dn.len) { - if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - { - return FALSE; - } + written = snprintf(buf, len, ", "); + buf += written; + len -= written; } else { - if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) - { - return FALSE; - } + finished = TRUE; + break; } } - /* both DNs must have same number of RDNs */ - if (next_a || next_b) + if (!finished) { - return FALSE; + snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); } - /* the two DNs match! */ - *wildcards = min(*wildcards, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); - return TRUE; + e->destroy(e); } /** @@ -648,53 +498,34 @@ static id_type_t get_type(private_identification_t *this) } /** - * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN. + * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN. */ static bool contains_wildcards_dn(private_identification_t *this) { - chunk_t rdn, attribute; - chunk_t oid, value; - asn1_t type; - bool next; + enumerator_t *enumerator; + bool contains = FALSE; + id_part_t type; + chunk_t data; - if (!init_rdn(this->encoded, &rdn, &attribute, &next)) - { - return FALSE; - } - /* fetch next RDN */ - while (next) + enumerator = create_part_enumerator(this); + while (enumerator->enumerate(enumerator, &type, &data)) { - /* parse next RDN and check for errors */ - if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next)) - { - return FALSE; - } - /* check if RDN is a wildcard */ - if (value.len == 1 && *value.ptr == '*') + if (data.len == 1 && data.ptr[0] == '*') { - return TRUE; + contains = TRUE; + break; } } - return FALSE; + enumerator->destroy(enumerator); + return contains; } /** - * Implementation of identification_t.contains_wildcards. + * Implementation of identification_t.contains_wildcards using memchr(*). */ -static bool contains_wildcards(private_identification_t *this) +static bool contains_wildcards_memchr(private_identification_t *this) { - switch (this->type) - { - case ID_ANY: - return TRUE; - case ID_FQDN: - case ID_RFC822_ADDR: - return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; - case ID_DER_ASN1_DN: - return contains_wildcards_dn(this); - default: - return FALSE; - } + return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; } /** @@ -711,7 +542,96 @@ static bool equals_binary(private_identification_t *this, private_identification } return chunk_equals(this->encoded, other->encoded); } - return FALSE; + return FALSE; +} + +/** + * Compare to DNs, for equality if wc == NULL, for match otherwise + */ +static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc) +{ + enumerator_t *t, *o; + chunk_t t_oid, o_oid, t_data, o_data; + u_char t_type, o_type; + bool t_next, o_next, finished = FALSE; + + if (wc) + { + *wc = 0; + } + else + { + if (t_dn.len != o_dn.len) + { + return FALSE; + } + } + /* try a binary compare */ + if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len)) + { + return TRUE; + } + + t = create_rdn_enumerator(t_dn); + o = create_rdn_enumerator(o_dn); + while (TRUE) + { + t_next = t->enumerate(t, &t_oid, &t_type, &t_data); + o_next = o->enumerate(o, &o_oid, &o_type, &o_data); + + if (!o_next && !t_next) + { + break; + } + finished = FALSE; + if (o_next != t_next) + { + break; + } + if (!chunk_equals(t_oid, o_oid)) + { + break; + } + if (wc && o_data.len == 1 && o_data.ptr[0] == '*') + { + (*wc)++; + } + else + { + if (t_data.len != o_data.len) + { + break; + } + if (t_type == o_type && + (t_type == ASN1_PRINTABLESTRING || + (t_type == ASN1_IA5STRING && + (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL || + asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS)))) + { /* ignore case for printableStrings and email RDNs */ + if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0) + { + break; + } + } + else + { /* respect case and length for everything else */ + if (!memeq(t_data.ptr, o_data.ptr, t_data.len)) + { + break; + } + } + } + /* the enumerator returns FALSE on parse error, we are finished + * if we have reached the end of the DN only */ + if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) && + (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len)) + { + finished = TRUE; + } + } + t->destroy(t); + o->destroy(o); + return finished; } /** @@ -720,7 +640,7 @@ static bool equals_binary(private_identification_t *this, private_identification static bool equals_dn(private_identification_t *this, private_identification_t *other) { - return same_dn(this->encoded, other->encoded); + return compare_dn(this->encoded, other->encoded, NULL); } /** @@ -764,7 +684,7 @@ static id_match_t matches_binary(private_identification_t *this, * Checks for a wildcard in other-string, and compares it against this-string. */ static id_match_t matches_string(private_identification_t *this, - private_identification_t *other) + private_identification_t *other) { u_int len = other->encoded.len; @@ -824,7 +744,7 @@ static id_match_t matches_dn(private_identification_t *this, private_identification_t *other) { int wc; - + if (other->type == ID_ANY) { return ID_MATCH_ANY; @@ -832,8 +752,9 @@ static id_match_t matches_dn(private_identification_t *this, if (this->type == other->type) { - if (match_dn(this->encoded, other->encoded, &wc)) + if (compare_dn(this->encoded, other->encoded, &wc)) { + wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); return ID_MATCH_PERFECT - wc; } } @@ -847,8 +768,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, const void *const *args) { private_identification_t *this = *((private_identification_t**)(args[0])); - char buf[BUF_LEN]; - chunk_t proper, buf_chunk = chunk_from_buf(buf); + chunk_t proper; + char buf[512]; if (this == NULL) { @@ -878,29 +799,26 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: case ID_IETF_ATTR_STRING: - sanitize_chunk(this->encoded, &proper); + chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); chunk_free(&proper); break; case ID_DER_ASN1_DN: - if (!dntoa(this->encoded, &buf_chunk)) - { - snprintf(buf, sizeof(buf), "(invalid ID_DER_ASN1_DN)"); - } + dntoa(this->encoded, buf, sizeof(buf)); break; case ID_DER_ASN1_GN: snprintf(buf, sizeof(buf), "(ASN.1 general Name"); break; case ID_KEY_ID: - if (sanitize_chunk(this->encoded, &proper)) + if (chunk_printable(this->encoded, NULL, '?')) { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); + snprintf(buf, sizeof(buf), "%.*s", + this->encoded.len, this->encoded.ptr); } else { /* not printable, hex dump */ snprintf(buf, sizeof(buf), "%#B", &this->encoded); } - chunk_free(&proper); break; case ID_PUBKEY_INFO_SHA1: case ID_PUBKEY_SHA1: @@ -917,140 +835,18 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, } return print_in_hook(dst, len, "%*s", spec->width, buf); } - -/** - * Enumerator over RDNs - */ -typedef struct { - /* implements enumerator interface */ - enumerator_t public; - /* current RDN */ - chunk_t rdn; - /* current attribute */ - chunk_t attr; - /** have another RDN? */ - bool next; -} rdn_enumerator_t; - -/** - * Implementation of rdn_enumerator_t.enumerate - */ -static bool rdn_enumerate(rdn_enumerator_t *this, - id_part_t *type, chunk_t *data) -{ - chunk_t oid, value; - asn1_t asn1_type; - - while (this->next) - { - if (!get_next_rdn(&this->rdn, &this->attr, &oid, - &value, &asn1_type, &this->next)) - { - return FALSE; - } - switch (asn1_known_oid(oid)) - { - case OID_COMMON_NAME: - *type = ID_PART_RDN_CN; - break; - case OID_SURNAME: - *type = ID_PART_RDN_S; - break; - case OID_SERIAL_NUMBER: - *type = ID_PART_RDN_SN; - break; - case OID_COUNTRY: - *type = ID_PART_RDN_C; - break; - case OID_LOCALITY: - *type = ID_PART_RDN_L; - break; - case OID_STATE_OR_PROVINCE: - *type = ID_PART_RDN_ST; - break; - case OID_ORGANIZATION: - *type = ID_PART_RDN_O; - break; - case OID_ORGANIZATION_UNIT: - *type = ID_PART_RDN_OU; - break; - case OID_TITLE: - *type = ID_PART_RDN_T; - break; - case OID_DESCRIPTION: - *type = ID_PART_RDN_D; - break; - case OID_NAME: - *type = ID_PART_RDN_N; - break; - case OID_GIVEN_NAME: - *type = ID_PART_RDN_G; - break; - case OID_INITIALS: - *type = ID_PART_RDN_I; - break; - case OID_UNIQUE_IDENTIFIER: - *type = ID_PART_RDN_ID; - break; - case OID_EMAIL_ADDRESS: - *type = ID_PART_RDN_E; - break; - case OID_EMPLOYEE_NUMBER: - *type = ID_PART_RDN_EN; - break; - default: - continue; - } - *data = value; - return TRUE; - } - return FALSE; -} - -/** - * Implementation of identification_t.create_part_enumerator - */ -static enumerator_t* create_part_enumerator(private_identification_t *this) -{ - switch (this->type) - { - case ID_DER_ASN1_DN: - { - rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t); - - e->public.enumerate = (void*)rdn_enumerate; - e->public.destroy = (void*)free; - if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next)) - { - return &e->public; - } - free(e); - /* FALL */ - } - case ID_RFC822_ADDR: - /* TODO */ - case ID_FQDN: - /* TODO */ - default: - return enumerator_create_empty(); - } -} - /** * Implementation of identification_t.clone. */ static identification_t *clone_(private_identification_t *this) { - private_identification_t *clone = identification_create(); + private_identification_t *clone = malloc_thing(private_identification_t); - clone->type = this->type; + memcpy(clone, this, sizeof(private_identification_t)); if (this->encoded.len) { clone->encoded = chunk_clone(this->encoded); } - clone->public.equals = this->public.equals; - clone->public.matches = this->public.matches; - return &clone->public; } @@ -1066,20 +862,42 @@ static void destroy(private_identification_t *this) /** * Generic constructor used for the other constructors. */ -static private_identification_t *identification_create(void) +static private_identification_t *identification_create(id_type_t type) { private_identification_t *this = malloc_thing(private_identification_t); this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding; this->public.get_type = (id_type_t (*) (identification_t*))get_type; - this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards; this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator; this->public.clone = (identification_t* (*) (identification_t*))clone_; this->public.destroy = (void (*) (identification_t*))destroy; - /* we use these as defaults, the may be overloaded for special ID types */ - this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; - this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary; + switch (type) + { + case ID_ANY: + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any; + this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; + this->public.contains_wildcards = (bool (*) (identification_t *this))return_true; + break; + case ID_FQDN: + case ID_RFC822_ADDR: + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string; + this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp; + this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr; + break; + case ID_DER_ASN1_DN: + this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn; + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn; + this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn; + break; + default: + this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; + this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary; + this->public.contains_wildcards = (bool (*) (identification_t *this))return_false; + break; + } + + this->type = type; this->encoded = chunk_empty; return this; @@ -1090,8 +908,9 @@ static private_identification_t *identification_create(void) */ identification_t *identification_create_from_string(char *string) { - private_identification_t *this = identification_create(); - + private_identification_t *this; + chunk_t encoded; + if (string == NULL) { string = "%any"; @@ -1101,15 +920,16 @@ identification_t *identification_create_from_string(char *string) /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN. * convert from LDAP style or openssl x509 -subject style to ASN.1 DN */ - if (atodn(string, &this->encoded) != SUCCESS) + if (atodn(string, &encoded) == SUCCESS) + { + this = identification_create(ID_DER_ASN1_DN); + this->encoded = encoded; + } + else { - this->type = ID_KEY_ID; + this = identification_create(ID_KEY_ID); this->encoded = chunk_clone(chunk_create(string, strlen(string))); - return &this->public; } - this->type = ID_DER_ASN1_DN; - this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn; - this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_dn; return &this->public; } else if (strchr(string, '@') == NULL) @@ -1122,50 +942,43 @@ identification_t *identification_create_from_string(char *string) || streq(string, "0::0")) { /* any ID will be accepted */ - this->type = ID_ANY; - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_any; + this = identification_create(ID_ANY); return &this->public; } else { if (strchr(string, ':') == NULL) { - /* try IPv4 */ struct in_addr address; chunk_t chunk = {(void*)&address, sizeof(address)}; - if (inet_pton(AF_INET, string, &address) <= 0) - { - /* not IPv4, mostly FQDN */ - this->type = ID_FQDN; - this->encoded.ptr = strdup(string); - this->encoded.len = strlen(string); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; - return &this->public; + if (inet_pton(AF_INET, string, &address) > 0) + { /* is IPv4 */ + this = identification_create(ID_IPV4_ADDR); + this->encoded = chunk_clone(chunk); + } + else + { /* not IPv4, mostly FQDN */ + this = identification_create(ID_FQDN); + this->encoded = chunk_create(strdup(string), strlen(string)); } - this->encoded = chunk_clone(chunk); - this->type = ID_IPV4_ADDR; return &this->public; } else { - /* try IPv6 */ struct in6_addr address; chunk_t chunk = {(void*)&address, sizeof(address)}; - if (inet_pton(AF_INET6, string, &address) <= 0) - { - this->type = ID_KEY_ID; - this->encoded = chunk_clone(chunk_create(string, - strlen(string))); - return &this->public; + if (inet_pton(AF_INET6, string, &address) > 0) + { /* is IPv6 */ + this = identification_create(ID_IPV6_ADDR); + this->encoded = chunk_clone(chunk); + } + else + { /* not IPv4/6 fallback to KEY_ID */ + this = identification_create(ID_KEY_ID); + this->encoded = chunk_create(strdup(string), strlen(string)); } - this->encoded = chunk_clone(chunk); - this->type = ID_IPV6_ADDR; return &this->public; } } @@ -1176,33 +989,24 @@ identification_t *identification_create_from_string(char *string) { if (*(string + 1) == '#') { + this = identification_create(ID_KEY_ID); string += 2; - this->type = ID_KEY_ID; this->encoded = chunk_from_hex( chunk_create(string, strlen(string)), NULL); return &this->public; } else { - this->type = ID_FQDN; - this->encoded.ptr = strdup(string + 1); - this->encoded.len = strlen(string + 1); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; + this = identification_create(ID_FQDN); + string += 1; + this->encoded = chunk_create(strdup(string), strlen(string)); return &this->public; } } else { - this->type = ID_RFC822_ADDR; - this->encoded.ptr = strdup(string); - this->encoded.len = strlen(string); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; + this = identification_create(ID_RFC822_ADDR); + this->encoded = chunk_create(strdup(string), strlen(string)); return &this->public; } } @@ -1211,42 +1015,10 @@ identification_t *identification_create_from_string(char *string) /* * Described in header. */ -identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded) +identification_t *identification_create_from_encoding(id_type_t type, + chunk_t encoded) { - private_identification_t *this = identification_create(); - - this->type = type; - switch (type) - { - case ID_ANY: - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_any; - break; - case ID_FQDN: - case ID_RFC822_ADDR: - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; - break; - case ID_DER_ASN1_DN: - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_dn; - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_dn; - break; - case ID_IPV4_ADDR: - case ID_IPV6_ADDR: - case ID_DER_ASN1_GN: - case ID_KEY_ID: - case ID_DER_ASN1_GN_URI: - case ID_PUBKEY_INFO_SHA1: - case ID_PUBKEY_SHA1: - case ID_CERT_DER_SHA1: - case ID_IETF_ATTR_STRING: - default: - break; - } + private_identification_t *this = identification_create(type); /* apply encoded chunk */ if (type != ID_ANY) diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c index 8b3a25201..a6c39e94c 100644 --- a/src/libstrongswan/utils/mutex.c +++ b/src/libstrongswan/utils/mutex.c @@ -276,7 +276,7 @@ mutex_t *mutex_create(mutex_type_t type) { switch (type) { - case MUTEX_RECURSIVE: + case MUTEX_TYPE_RECURSIVE: { private_r_mutex_t *this = malloc_thing(private_r_mutex_t); @@ -292,7 +292,7 @@ mutex_t *mutex_create(mutex_type_t type) return &this->generic.public; } - case MUTEX_DEFAULT: + case MUTEX_TYPE_DEFAULT: default: { private_mutex_t *this = malloc_thing(private_mutex_t); @@ -416,7 +416,7 @@ condvar_t *condvar_create(condvar_type_t type) { switch (type) { - case CONDVAR_DEFAULT: + case CONDVAR_TYPE_DEFAULT: default: { private_condvar_t *this = malloc_thing(private_condvar_t); @@ -488,7 +488,7 @@ rwlock_t *rwlock_create(rwlock_type_t type) { switch (type) { - case RWLOCK_DEFAULT: + case RWLOCK_TYPE_DEFAULT: default: { private_rwlock_t *this = malloc_thing(private_rwlock_t); diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h index c5c667992..273f56b47 100644 --- a/src/libstrongswan/utils/mutex.h +++ b/src/libstrongswan/utils/mutex.h @@ -31,14 +31,41 @@ typedef enum rwlock_type_t rwlock_type_t; #include <library.h> +#ifdef __APPLE__ +/* on Mac OS X 10.5 several system calls we use are no cancellation points. + * fortunately, select isn't one of them, so we wrap some of the others with + * calls to select(2). + */ +#include <sys/socket.h> +#include <sys/select.h> + +#define WRAP_WITH_SELECT(func, socket, ...)\ + fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\ + if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\ + return func(socket, __VA_ARGS__) + +static inline int cancellable_accept(int socket, struct sockaddr *address, + socklen_t *address_len) +{ + WRAP_WITH_SELECT(accept, socket, address, address_len); +} +#define accept cancellable_accept +static inline int cancellable_recvfrom(int socket, void *buffer, size_t length, + int flags, struct sockaddr *address, socklen_t *address_len) +{ + WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len); +} +#define recvfrom cancellable_recvfrom +#endif /* __APPLE__ */ + /** * Type of mutex. */ enum mutex_type_t { /** default mutex */ - MUTEX_DEFAULT = 0, + MUTEX_TYPE_DEFAULT = 0, /** allow recursive locking of the mutex */ - MUTEX_RECURSIVE = 1, + MUTEX_TYPE_RECURSIVE = 1, }; /** @@ -46,7 +73,7 @@ enum mutex_type_t { */ enum condvar_type_t { /** default condvar */ - CONDVAR_DEFAULT = 0, + CONDVAR_TYPE_DEFAULT = 0, }; /** @@ -54,7 +81,7 @@ enum condvar_type_t { */ enum rwlock_type_t { /** default condvar */ - RWLOCK_DEFAULT = 0, + RWLOCK_TYPE_DEFAULT = 0, }; /** |