From a9b7f8d4a4a4202facd9690580b38542e7933f00 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Wed, 21 Oct 2009 11:18:20 +0000 Subject: - New upstream release. - Don't disable internal crypto plugins, pluto expects to find them in some cases. - Enable integrity checking. --- src/libstrongswan/plugins/gcrypt/Makefile.am | 2 +- src/libstrongswan/plugins/gcrypt/Makefile.in | 7 ++- src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c | 3 ++ src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 4 +- .../plugins/gcrypt/gcrypt_rsa_private_key.c | 61 +++++++++++++++++----- .../plugins/gcrypt/gcrypt_rsa_public_key.c | 14 ++--- 6 files changed, 68 insertions(+), 23 deletions(-) (limited to 'src/libstrongswan/plugins/gcrypt') diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am index 72cc409fc..7394676e2 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.am +++ b/src/libstrongswan/plugins/gcrypt/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 49994c593..e3d27f7f8 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ 
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) all: all-am diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c index 785ebda90..41e17c897 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c @@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo) case HASH_SHA1: gcrypt_alg = GCRY_MD_SHA1; break; + case HASH_SHA224: + gcrypt_alg = GCRY_MD_SHA224; + break; case HASH_SHA256: gcrypt_alg = GCRY_MD_SHA256; break; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 547329dde..939e0886c 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t { */ static int mutex_init(void **lock) { - *lock = mutex_create(MUTEX_DEFAULT); + *lock = mutex_create(MUTEX_TYPE_DEFAULT); return 0; } 
@@ -148,6 +148,8 @@ plugin_t *plugin_create() (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 611ab2467..e0e8015db 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t { public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key); /** - * find a token in a S-expression + * find a token in a S-expression. If a key is given, its length is used to + * pad the output to a given length. */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key) { gcry_sexp_t token; - chunk_t data = chunk_empty; + chunk_t data = chunk_empty, tmp; + size_t len = 0; token = gcry_sexp_find_token(sexp, name, 1); if (token) 
@@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) { data.len = 0; } - data = chunk_clone(data); + else + { + if (key) + { + /* gcrypt might return more bytes than necessary. Truncate + * to key lenght if key given, or prepend zeros if needed */ + len = gcry_pk_get_nbits(key); + len = len / 8 + (len % 8 ? 1 : 0); + if (len > data.len) + { + tmp = chunk_alloc(len); + len -= data.len; + memset(tmp.ptr, 0, tmp.len - len); + memcpy(tmp.ptr + len, data.ptr, data.len); + data = tmp; + } + else if (len < data.len) + { + data = chunk_clone(chunk_skip(data, data.len - len)); + } + else + { + data = chunk_clone(data); + } + } + else + { + data = chunk_clone(data); + } + } gcry_sexp_release(token); } return data; @@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche return sign_raw(this, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA1: return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA256: return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA384: 
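Review bot: In the zero-padding branch of gcrypt_rsa_find_token (`if (len > data.len)`), the memset clears the wrong number of bytes. After `len -= data.len;` the variable holds the pad count, so `memset(tmp.ptr, 0, tmp.len - len)` zeroes `data.len` bytes rather than the pad. Whenever the pad is longer than the value, the bytes between offset `data.len` and the pad offset keep whatever `chunk_alloc` returned (presumably uninitialized heap memory) and end up in the output handed back by sign_raw, sign_pkcs1 and encrypt_. The line should read `memset(tmp.ptr, 0, len);`. Separately, the truncation branch drops the leading `data.len - len` bytes without checking that they are zero, which deserves a one-line comment stating the assumption; the function's opening lines are in the previous hunk.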
@@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) gcry_error_t err; /* p and q are swapped, gcrypt expects p < q */ - cp = gcrypt_rsa_find_token(this->key, "q"); - cq = gcrypt_rsa_find_token(this->key, "p"); - cd = gcrypt_rsa_find_token(this->key, "d"); + cp = gcrypt_rsa_find_token(this->key, "q", NULL); + cq = gcrypt_rsa_find_token(this->key, "p", NULL); + cd = gcrypt_rsa_find_token(this->key, "d", NULL); err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL) | gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL) @@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) } return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0, - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)), asn1_integer("m", cd), asn1_integer("m", cp), asn1_integer("m", cq), asn1_integer("m", cexp1), asn1_integer("m", cexp2), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "u"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL))); } /** @@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, return FALSE; } publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL))); hasher->allocate_hash(hasher, publicKey, &hash); *keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash); chunk_free(&hash); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 8024f58a7..4d9c88c6d 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c 
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t { /** * Implemented in gcrypt_rsa_private_key.c */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name); +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key); bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, identification_t **keyid_info); @@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this, return verify_pkcs1(this, HASH_MD5, "md5", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain, DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err)); return FALSE; } - *encrypted = gcrypt_rsa_find_token(out, "a"); + *encrypted = gcrypt_rsa_find_token(out, "a", this->key); gcry_sexp_release(out); return !!encrypted->len; } @@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this, static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this) { return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL))); } /** 
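Review bot: The prototype of gcrypt_rsa_find_token under the "Implemented in gcrypt_rsa_private_key.c" comment is a hand-maintained copy, and this commit had to change it in step with the definition. Nothing makes the compiler compare the two, so a later signature change that misses this file would still build and then call the function with mismatched arguments. Moving this declaration, and gcrypt_rsa_build_keyids next to it, into a shared private header included by both files would turn such drift into a compile error. In the same file, encrypt_ now passes `this->key` and so relies on the length-adjusting branch of gcrypt_rsa_find_token for the size of its output.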
@@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key) chunk_t n, e; this = gcrypt_rsa_public_key_create_empty(); - n = gcrypt_rsa_find_token(key, "n"); - e = gcrypt_rsa_find_token(key, "e"); + n = gcrypt_rsa_find_token(key, "n", NULL); + e = gcrypt_rsa_find_token(key, "e", NULL); err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))", n.len, n.ptr, e.len, e.ptr); -- cgit v1.2.3