implemented RFC3110 key builder in a plugin, added generic DNSKEY RR parsing
This commit is contained in:
parent
3addf4e937
commit
5ef478aaee
17
configure.in
17
configure.in
|
@ -309,6 +309,17 @@ AC_ARG_ENABLE(
|
|||
pgp=true
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[dnskey],
|
||||
AS_HELP_STRING([--disable-dnskey],[disable DNS RR key decoding plugin. (default is NO).]),
|
||||
[if test x$enableval = xyes; then
|
||||
dnskey=true
|
||||
else
|
||||
dnskey=false
|
||||
fi],
|
||||
dnskey=true
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[pem],
|
||||
AS_HELP_STRING([--disable-pem],[disable PEM decoding plugin. (default is NO).]),
|
||||
|
@ -1222,6 +1233,10 @@ if test x$pgp = xtrue; then
|
|||
libstrongswan_plugins=${libstrongswan_plugins}" pgp"
|
||||
pluto_plugins=${pluto_plugins}" pgp"
|
||||
fi
|
||||
if test x$dnskey = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
|
||||
pluto_plugins=${pluto_plugins}" dnskey"
|
||||
fi
|
||||
if test x$pem = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" pem"
|
||||
pluto_plugins=${pluto_plugins}" pem"
|
||||
|
@ -1284,6 +1299,7 @@ AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
|
|||
AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
|
||||
AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
|
||||
AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
|
||||
AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
|
||||
AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
|
||||
AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
|
||||
AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
|
||||
|
@ -1381,6 +1397,7 @@ AC_OUTPUT(
|
|||
src/libstrongswan/plugins/pubkey/Makefile
|
||||
src/libstrongswan/plugins/pkcs1/Makefile
|
||||
src/libstrongswan/plugins/pgp/Makefile
|
||||
src/libstrongswan/plugins/dnskey/Makefile
|
||||
src/libstrongswan/plugins/pem/Makefile
|
||||
src/libstrongswan/plugins/curl/Makefile
|
||||
src/libstrongswan/plugins/ldap/Makefile
|
||||
|
|
|
@ -169,6 +169,10 @@ if USE_PGP
|
|||
SUBDIRS += plugins/pgp
|
||||
endif
|
||||
|
||||
if USE_DNSKEY
|
||||
SUBDIRS += plugins/dnskey
|
||||
endif
|
||||
|
||||
if USE_PEM
|
||||
SUBDIRS += plugins/pem
|
||||
endif
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
|
||||
plugin_LTLIBRARIES = libstrongswan-dnskey.la
|
||||
|
||||
libstrongswan_dnskey_la_SOURCES = dnskey_plugin.h dnskey_plugin.c \
|
||||
dnskey_builder.h dnskey_builder.c
|
||||
|
||||
libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
|
||||
|
|
@ -0,0 +1,186 @@
|
|||
/*
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "dnskey_builder.h"
|
||||
|
||||
#include <debug.h>
|
||||
#include <credentials/keys/private_key.h>
|
||||
|
||||
|
||||
typedef struct dnskey_rr_t dnskey_rr_t;
|
||||
typedef enum dnskey_algorithm_t dnskey_algorithm_t;
|
||||
|
||||
/**
|
||||
* Header of a DNSKEY resource record
|
||||
*/
|
||||
struct dnskey_rr_t {
|
||||
u_int16_t flags;
|
||||
u_int8_t protocol;
|
||||
u_int8_t algorithm;
|
||||
u_int8_t data[];
|
||||
} __attribute__((__packed__));
|
||||
|
||||
/**
|
||||
* DNSSEC algorithms, RFC4034 Appendix A.1.
|
||||
*/
|
||||
enum dnskey_algorithm_t {
|
||||
DNSKEY_ALG_RSA_MD5 = 1,
|
||||
DNSKEY_ALG_DH = 2,
|
||||
DNSKEY_ALG_DSA = 3,
|
||||
DNSKEY_ALG_ECC = 4,
|
||||
DNSKEY_ALG_RSA_SHA1 = 5,
|
||||
};
|
||||
|
||||
/**
|
||||
* Load a generic public key from a DNSKEY RR blob
|
||||
*/
|
||||
static public_key_t *parse_public_key(chunk_t blob)
|
||||
{
|
||||
dnskey_rr_t *rr = (dnskey_rr_t*)blob.ptr;
|
||||
|
||||
if (blob.len < sizeof(dnskey_rr_t))
|
||||
{
|
||||
DBG1("DNSKEY too short");
|
||||
return NULL;
|
||||
}
|
||||
blob = chunk_skip(blob, sizeof(dnskey_rr_t));
|
||||
|
||||
switch (rr->algorithm)
|
||||
{
|
||||
case DNSKEY_ALG_RSA_SHA1:
|
||||
return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
|
||||
BUILD_BLOB_DNSKEY, blob, BUILD_END);
|
||||
default:
|
||||
DBG1("DNSKEY public key algorithm %d not supported", rr->algorithm);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Load a RSA public key from DNSKEY RR data
|
||||
*/
|
||||
static public_key_t *parse_rsa_public_key(chunk_t blob)
|
||||
{
|
||||
chunk_t n, e;
|
||||
|
||||
if (blob.len < 3)
|
||||
{
|
||||
DBG1("RFC 3110 public key blob too short for exponent length");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (blob.ptr[0])
|
||||
{
|
||||
e.len = blob.ptr[0];
|
||||
blob = chunk_skip(blob, 1);
|
||||
}
|
||||
else
|
||||
{
|
||||
e.len = blob.ptr[1] * 256 + blob.ptr[2];
|
||||
blob = chunk_skip(blob, 3);
|
||||
}
|
||||
e.ptr = blob.ptr;
|
||||
if (e.len >= blob.len)
|
||||
{
|
||||
DBG1("RFC 3110 public key blob too short for exponent");
|
||||
return NULL;
|
||||
}
|
||||
n = chunk_skip(blob, e.len);
|
||||
|
||||
return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
|
||||
BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e,
|
||||
BUILD_END);
|
||||
}
|
||||
|
||||
typedef struct private_builder_t private_builder_t;
|
||||
|
||||
/**
|
||||
* Builder implementation for private/public key loading
|
||||
*/
|
||||
struct private_builder_t {
|
||||
/** implements the builder interface */
|
||||
builder_t public;
|
||||
/** dnskey packet data */
|
||||
chunk_t blob;
|
||||
/** type of key to build */
|
||||
key_type_t type;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of builder_t.build for public keys
|
||||
*/
|
||||
static public_key_t *build_public(private_builder_t *this)
|
||||
{
|
||||
public_key_t *key = NULL;
|
||||
|
||||
switch (this->type)
|
||||
{
|
||||
case KEY_ANY:
|
||||
key = parse_public_key(this->blob);
|
||||
break;
|
||||
case KEY_RSA:
|
||||
key = parse_rsa_public_key(this->blob);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
free(this);
|
||||
return key;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of builder_t.add for public keys
|
||||
*/
|
||||
static void add_public(private_builder_t *this, builder_part_t part, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
switch (part)
|
||||
{
|
||||
case BUILD_BLOB_DNSKEY:
|
||||
{
|
||||
va_start(args, part);
|
||||
this->blob = va_arg(args, chunk_t);
|
||||
va_end(args);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
builder_cancel(&this->public);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Builder construction function for public keys
|
||||
*/
|
||||
builder_t *dnskey_public_key_builder(key_type_t type)
|
||||
{
|
||||
private_builder_t *this;
|
||||
|
||||
if (type != KEY_ANY && type != KEY_RSA)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
this = malloc_thing(private_builder_t);
|
||||
|
||||
this->blob = chunk_empty;
|
||||
this->type = type;
|
||||
this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add_public;
|
||||
this->public.build = (void*(*)(builder_t *this))build_public;
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
/*
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup dnskey_public_key dnskey_public_key
|
||||
* @{ @ingroup dnskey_p
|
||||
*/
|
||||
|
||||
#ifndef DNSKEY_BUILDER_H_
|
||||
#define DNSKEY_BUILDER_H_
|
||||
|
||||
#include <credentials/keys/public_key.h>
|
||||
|
||||
/**
|
||||
* Create the builder for a generic or an RSA public key.
|
||||
*
|
||||
* @param type type of the key, either KEY_ANY or KEY_RSA
|
||||
* @return builder instance
|
||||
*/
|
||||
builder_t *dnskey_public_key_builder(key_type_t type);
|
||||
|
||||
#endif /** DNSKEY_BUILDER_H_ @}*/
|
|
@ -0,0 +1,60 @@
|
|||
/*
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "dnskey_plugin.h"
|
||||
|
||||
#include <library.h>
|
||||
#include "dnskey_builder.h"
|
||||
|
||||
typedef struct private_dnskey_plugin_t private_dnskey_plugin_t;
|
||||
|
||||
/**
|
||||
* private data of dnskey_plugin
|
||||
*/
|
||||
struct private_dnskey_plugin_t {
|
||||
|
||||
/**
|
||||
* public functions
|
||||
*/
|
||||
dnskey_plugin_t public;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of dnskey_plugin_t.dnskeytroy
|
||||
*/
|
||||
static void destroy(private_dnskey_plugin_t *this)
|
||||
{
|
||||
lib->creds->remove_builder(lib->creds,
|
||||
(builder_constructor_t)dnskey_public_key_builder);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *plugin_create()
|
||||
{
|
||||
private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
|
||||
|
||||
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
|
||||
|
||||
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
|
||||
(builder_constructor_t)dnskey_public_key_builder);
|
||||
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
|
||||
(builder_constructor_t)dnskey_public_key_builder);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
/*
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup dnskey_p dnskey
|
||||
* @ingroup plugins
|
||||
*
|
||||
* @defgroup dnskey_plugin dnskey_plugin
|
||||
* @{ @ingroup dnskey_p
|
||||
*/
|
||||
|
||||
#ifndef DNSKEY_PLUGIN_H_
|
||||
#define DNSKEY_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct dnskey_plugin_t dnskey_plugin_t;
|
||||
|
||||
/**
|
||||
* Plugin providing RFC4034 public key decoding functions.
|
||||
*/
|
||||
struct dnskey_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a dnskey_plugin instance.
|
||||
*/
|
||||
plugin_t *plugin_create();
|
||||
|
||||
#endif /** DNSKEY_PLUGIN_H_ @}*/
|
Loading…
Reference in New Issue