started migration to encryption plugins
This commit is contained in:
parent
bf45d6dd3b
commit
d36ae9e305
48
configure.in
48
configure.in
|
@ -183,6 +183,30 @@ AC_ARG_ENABLE(
|
|||
des=true
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[blowfish],
|
||||
AS_HELP_STRING([--enable-blowfish],[enable Blowfish software implementation plugin (default is NO).]),
|
||||
[if test x$enableval = xyes; then
|
||||
blowfish=true
|
||||
fi]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[serpent],
|
||||
AS_HELP_STRING([--enable-serpent],[enable Serpent software implementation plugin (default is NO).]),
|
||||
[if test x$enableval = xyes; then
|
||||
serpent=true
|
||||
fi]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[twofish],
|
||||
AS_HELP_STRING([--enable-twofish],[enable Twofish software implementation plugin (default is NO).]),
|
||||
[if test x$enableval = xyes; then
|
||||
twofish=true
|
||||
fi]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[md4],
|
||||
AS_HELP_STRING([--enable-md4],[enable MD4 software implementation plugin (default is NO).]),
|
||||
|
@ -978,24 +1002,36 @@ if test x$ldap = xtrue; then
|
|||
fi
|
||||
if test x$aes = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" aes"
|
||||
pluto_plugins=${pluto_plugins}" aes"
|
||||
fi
|
||||
if test x$des = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" des"
|
||||
pluto_plugins=${pluto_plugins}" des"
|
||||
fi
|
||||
if test x$blowfish = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
|
||||
pluto_plugins=${pluto_plugins}" blowfish"
|
||||
fi
|
||||
if test x$serpent = xtrue; then
|
||||
pluto_plugins=${pluto_plugins}" serpent"
|
||||
fi
|
||||
if test x$twofish = xtrue; then
|
||||
pluto_plugins=${pluto_plugins}" twofish"
|
||||
fi
|
||||
if test x$sha1 = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" sha1"
|
||||
pluto_plugins=${pluto_plugins}" sha1"
|
||||
pluto_plugins=${pluto_plugins}" sha1"
|
||||
fi
|
||||
if test x$sha2 = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" sha2"
|
||||
pluto_plugins=${pluto_plugins}" sha2"
|
||||
pluto_plugins=${pluto_plugins}" sha2"
|
||||
fi
|
||||
if test x$md4 = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" md4"
|
||||
fi
|
||||
if test x$md5 = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" md5"
|
||||
pluto_plugins=${pluto_plugins}" md5"
|
||||
pluto_plugins=${pluto_plugins}" md5"
|
||||
fi
|
||||
if test x$fips_prf = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
|
||||
|
@ -1049,6 +1085,9 @@ AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
|
|||
AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
|
||||
AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
|
||||
AM_CONDITIONAL(USE_DES, test x$des = xtrue)
|
||||
AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
|
||||
AM_CONDITIONAL(USE_SERPENT, test x$serpent = xtrue)
|
||||
AM_CONDITIONAL(USE_TWOFISH, test x$twofish = xtrue)
|
||||
AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
|
||||
AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
|
||||
AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
|
||||
|
@ -1139,6 +1178,9 @@ AC_OUTPUT(
|
|||
src/libstrongswan/Makefile
|
||||
src/libstrongswan/plugins/aes/Makefile
|
||||
src/libstrongswan/plugins/des/Makefile
|
||||
src/libstrongswan/plugins/blowfish/Makefile
|
||||
src/libstrongswan/plugins/serpent/Makefile
|
||||
src/libstrongswan/plugins/twofish/Makefile
|
||||
src/libstrongswan/plugins/md4/Makefile
|
||||
src/libstrongswan/plugins/md5/Makefile
|
||||
src/libstrongswan/plugins/sha1/Makefile
|
||||
|
|
|
@ -104,6 +104,18 @@ if USE_DES
|
|||
SUBDIRS += plugins/des
|
||||
endif
|
||||
|
||||
if USE_BLOWFISH
|
||||
SUBDIRS += plugins/blowfish
|
||||
endif
|
||||
|
||||
if USE_SERPENT
|
||||
SUBDIRS += plugins/serpent
|
||||
endif
|
||||
|
||||
if USE_TWOFISH
|
||||
SUBDIRS += plugins/twofish
|
||||
endif
|
||||
|
||||
if USE_MD4
|
||||
SUBDIRS += plugins/md4
|
||||
endif
|
||||
|
|
|
@ -236,10 +236,21 @@
|
|||
0x65 "gov"
|
||||
0x03 "csor"
|
||||
0x04 "nistalgorithm"
|
||||
0x01 "aes"
|
||||
0x02 "id-aes128-CBC" OID_AES128_CBC
|
||||
0x06 "id-aes128-GCM" OID_AES128_GCM
|
||||
0x07 "id-aes128-CCM" OID_AES128_CCM
|
||||
0x16 "id-aes192-CBC" OID_AES192_CBC
|
||||
0x1A "id-aes192-GCM" OID_AES192_GCM
|
||||
0x1B "id-aes192-CCM" OID_AES192_CCM
|
||||
0x2A "id-aes256-CBC" OID_AES256_CBC
|
||||
0x2E "id-aes256-GCM" OID_AES256_GCM
|
||||
0x2F "id-aes256-CCM" OID_AES256_CCM
|
||||
0x02 "hashalgs"
|
||||
0x01 "id-SHA-256" OID_SHA256
|
||||
0x02 "id-SHA-384" OID_SHA384
|
||||
0x03 "id-SHA-512" OID_SHA512
|
||||
0x04 "id-SHA-224" OID_SHA224
|
||||
0x86 ""
|
||||
0xf8 ""
|
||||
0x42 "netscape"
|
||||
|
|
|
@ -14,6 +14,8 @@
|
|||
* for more details.
|
||||
*/
|
||||
|
||||
#include <asn1/oid.h>
|
||||
|
||||
#include "crypter.h"
|
||||
|
||||
ENUM_BEGIN(encryption_algorithm_names, ENCR_DES_IV64, ENCR_DES_IV32,
|
||||
|
@ -51,3 +53,82 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH, ENCR_CAMELLI
|
|||
"TWOFISH");
|
||||
ENUM_END(encryption_algorithm_names, ENCR_TWOFISH);
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size)
|
||||
{
|
||||
encryption_algorithm_t alg;
|
||||
size_t alg_key_size;
|
||||
|
||||
switch (oid)
|
||||
{
|
||||
case OID_DES_CBC:
|
||||
alg = ENCR_DES;
|
||||
alg_key_size = 0;
|
||||
break;
|
||||
case OID_3DES_EDE_CBC:
|
||||
alg = ENCR_3DES;
|
||||
alg_key_size = 0;
|
||||
break;
|
||||
case OID_AES128_CBC:
|
||||
alg = ENCR_AES_CBC;
|
||||
alg_key_size = 128;
|
||||
break;
|
||||
case OID_AES192_CBC:
|
||||
alg = ENCR_AES_CBC;
|
||||
alg_key_size = 192;
|
||||
break;
|
||||
case OID_AES256_CBC:
|
||||
alg = ENCR_AES_CBC;
|
||||
alg_key_size = 256;
|
||||
break;
|
||||
default:
|
||||
alg = ENCR_UNDEFINED;
|
||||
alg_key_size = 0;
|
||||
}
|
||||
if (key_size)
|
||||
{
|
||||
*key_size = alg_key_size;
|
||||
}
|
||||
return alg;
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
|
||||
{
|
||||
int oid;
|
||||
|
||||
switch(alg)
|
||||
{
|
||||
case ENCR_DES:
|
||||
oid = OID_DES_CBC;
|
||||
break;
|
||||
case ENCR_3DES:
|
||||
oid = OID_3DES_EDE_CBC;
|
||||
break;
|
||||
case ENCR_AES_CBC:
|
||||
switch (key_size)
|
||||
{
|
||||
case 128:
|
||||
oid = OID_AES128_CBC;
|
||||
break;
|
||||
case 192:
|
||||
oid = OID_AES192_CBC;
|
||||
break;
|
||||
case 256:
|
||||
oid = OID_AES256_CBC;
|
||||
break;
|
||||
default:
|
||||
oid = OID_UNKNOWN;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
oid = OID_UNKNOWN;
|
||||
}
|
||||
return oid;
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -128,4 +128,22 @@ struct crypter_t {
|
|||
void (*destroy) (crypter_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Conversion of ASN.1 OID to encryption algorithm.
|
||||
*
|
||||
* @param oid ASN.1 OID
|
||||
* @param key_size returns size of encryption key in bits
|
||||
* @return encryption algorithm, ENCR_UNDEFINED if OID unsupported
|
||||
*/
|
||||
encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
|
||||
|
||||
/**
|
||||
* Conversion of encryption algorithm to ASN.1 OID.
|
||||
*
|
||||
* @param alg encryption algorithm
|
||||
* @param key_size size of encryption key in bits
|
||||
* @return ASN.1 OID, OID_UNKNOWN if OID is unknown
|
||||
*/
|
||||
int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size);
|
||||
|
||||
#endif /** CRYPTER_H_ @}*/
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
|
||||
plugin_LTLIBRARIES = libstrongswan-blowfish.la
|
||||
|
||||
libstrongswan_blowfish_la_SOURCES = blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h
|
||||
libstrongswan_blowfish_la_LDFLAGS = -module
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,50 @@
|
|||
/*
|
||||
* Copyright (C) 2005-2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup blowfish_crypter blowfish_crypter
|
||||
* @{ @ingroup blowfish_p
|
||||
*/
|
||||
|
||||
#ifndef BLOWFISH_CRYPTER_H_
|
||||
#define BLOWFISH_CRYPTER_H_
|
||||
|
||||
typedef struct blowfish_crypter_t blowfish_crypter_t;
|
||||
|
||||
#include <crypto/crypters/crypter.h>
|
||||
|
||||
/**
|
||||
* Class implementing the Blowfish encryption algorithm.
|
||||
*/
|
||||
struct blowfish_crypter_t {
|
||||
|
||||
/**
|
||||
* The crypter_t interface.
|
||||
*/
|
||||
crypter_t crypter_interface;
|
||||
};
|
||||
|
||||
/**
|
||||
* Constructor to create blowfish_crypter_t objects.
|
||||
*
|
||||
* @param key_size key size in bytes
|
||||
* @param algo algorithm to implement
|
||||
* @return blowfish_crypter_t object, NULL if not supported
|
||||
*/
|
||||
blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo,
|
||||
size_t key_size);
|
||||
|
||||
#endif /** BLOWFISH_CRYPTER_H_ @}*/
|
|
@ -0,0 +1,59 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "blowfish_plugin.h"
|
||||
|
||||
#include <library.h>
|
||||
#include "blowfish_crypter.h"
|
||||
|
||||
typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
|
||||
|
||||
/**
|
||||
* private data of blowfish_plugin
|
||||
*/
|
||||
struct private_blowfish_plugin_t {
|
||||
|
||||
/**
|
||||
* public functions
|
||||
*/
|
||||
blowfish_plugin_t public;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of blowfish_plugin_t.destroy
|
||||
*/
|
||||
static void destroy(private_blowfish_plugin_t *this)
|
||||
{
|
||||
lib->crypto->remove_crypter(lib->crypto,
|
||||
(crypter_constructor_t)blowfish_crypter_create);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *plugin_create()
|
||||
{
|
||||
private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
|
||||
|
||||
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
|
||||
|
||||
lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
|
||||
(crypter_constructor_t)blowfish_crypter_create);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup blowfish_p blowfish
|
||||
* @ingroup plugins
|
||||
*
|
||||
* @defgroup blowfish_plugin blowfish_plugin
|
||||
* @{ @ingroup blowfish_p
|
||||
*/
|
||||
|
||||
#ifndef BLOWFISH_PLUGIN_H_
|
||||
#define BLOWFISH_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct blowfish_plugin_t blowfish_plugin_t;
|
||||
|
||||
/**
|
||||
* Plugin implementing Blowfish based algorithms in software.
|
||||
*/
|
||||
struct blowfish_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a blowfish_plugin instance.
|
||||
*/
|
||||
plugin_t *plugin_create();
|
||||
|
||||
#endif /** BLOWFISH_PLUGIN_H_ @}*/
|
|
@ -0,0 +1,10 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
|
||||
plugin_LTLIBRARIES = libstrongswan-serpent.la
|
||||
|
||||
libstrongswan_serpent_la_SOURCES = serpent_plugin.h serpent_plugin.c serpent_crypter.c serpent_crypter.h
|
||||
libstrongswan_serpent_la_LDFLAGS = -module
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,50 @@
|
|||
/*
|
||||
* Copyright (C) 2005-2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup serpent_crypter serpent_crypter
|
||||
* @{ @ingroup serpent_p
|
||||
*/
|
||||
|
||||
#ifndef SERPENT_CRYPTER_H_
|
||||
#define SERPENT_CRYPTER_H_
|
||||
|
||||
typedef struct serpent_crypter_t serpent_crypter_t;
|
||||
|
||||
#include <crypto/crypters/crypter.h>
|
||||
|
||||
/**
|
||||
* Class implementing the Serpent encryption algorithm.
|
||||
*/
|
||||
struct serpent_crypter_t {
|
||||
|
||||
/**
|
||||
* The crypter_t interface.
|
||||
*/
|
||||
crypter_t crypter_interface;
|
||||
};
|
||||
|
||||
/**
|
||||
* Constructor to create serpent_crypter_t objects.
|
||||
*
|
||||
* @param key_size key size in bytes
|
||||
* @param algo algorithm to implement
|
||||
* @return serpent_crypter_t object, NULL if not supported
|
||||
*/
|
||||
serpent_crypter_t *serpent_crypter_create(encryption_algorithm_t algo,
|
||||
size_t key_size);
|
||||
|
||||
#endif /** SERPENT_CRYPTER_H_ @}*/
|
|
@ -0,0 +1,59 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "serpent_plugin.h"
|
||||
|
||||
#include <library.h>
|
||||
#include "serpent_crypter.h"
|
||||
|
||||
typedef struct private_serpent_plugin_t private_serpent_plugin_t;
|
||||
|
||||
/**
|
||||
* private data of serpent_plugin
|
||||
*/
|
||||
struct private_serpent_plugin_t {
|
||||
|
||||
/**
|
||||
* public functions
|
||||
*/
|
||||
serpent_plugin_t public;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of serpent_plugin_t.destroy
|
||||
*/
|
||||
static void destroy(private_serpent_plugin_t *this)
|
||||
{
|
||||
lib->crypto->remove_crypter(lib->crypto,
|
||||
(crypter_constructor_t)serpent_crypter_create);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *plugin_create()
|
||||
{
|
||||
private_serpent_plugin_t *this = malloc_thing(private_serpent_plugin_t);
|
||||
|
||||
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
|
||||
|
||||
lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT,
|
||||
(crypter_constructor_t)serpent_crypter_create);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup serpent_p serpent
|
||||
* @ingroup plugins
|
||||
*
|
||||
* @defgroup serpent_plugin serpent_plugin
|
||||
* @{ @ingroup serpent_p
|
||||
*/
|
||||
|
||||
#ifndef SERPENT_PLUGIN_H_
|
||||
#define SERPENT_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct serpent_plugin_t serpent_plugin_t;
|
||||
|
||||
/**
|
||||
* Plugin implementing Serpent based algorithms in software.
|
||||
*/
|
||||
struct serpent_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a serpent_plugin instance.
|
||||
*/
|
||||
plugin_t *plugin_create();
|
||||
|
||||
#endif /** SERPENT_PLUGIN_H_ @}*/
|
|
@ -0,0 +1,10 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
|
||||
plugin_LTLIBRARIES = libstrongswan-twofish.la
|
||||
|
||||
libstrongswan_twofish_la_SOURCES = twofish_plugin.h twofish_plugin.c twofish_crypter.c twofish_crypter.h
|
||||
libstrongswan_twofish_la_LDFLAGS = -module
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,51 @@
|
|||
/*
|
||||
* Copyright (C) 2005-2008 Martin Willi
|
||||
* Copyright (C) 2005 Jan Hutter
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup twofish_crypter twofish_crypter
|
||||
* @{ @ingroup twofish_p
|
||||
*/
|
||||
|
||||
#ifndef TWOFISH_CRYPTER_H_
|
||||
#define TWOFISH_CRYPTER_H_
|
||||
|
||||
typedef struct twofish_crypter_t twofish_crypter_t;
|
||||
|
||||
#include <crypto/crypters/crypter.h>
|
||||
|
||||
/**
|
||||
* Class implementing the Twofish encryption algorithm.
|
||||
*/
|
||||
struct twofish_crypter_t {
|
||||
|
||||
/**
|
||||
* The crypter_t interface.
|
||||
*/
|
||||
crypter_t crypter_interface;
|
||||
};
|
||||
|
||||
/**
|
||||
* Constructor to create twofish_crypter_t objects.
|
||||
*
|
||||
* @param key_size key size in bytes
|
||||
* @param algo algorithm to implement
|
||||
* @return twofish_crypter_t object, NULL if not supported
|
||||
*/
|
||||
twofish_crypter_t *twofish_crypter_create(encryption_algorithm_t algo,
|
||||
size_t key_size);
|
||||
|
||||
#endif /** TWOFISH_CRYPTER_H_ @}*/
|
|
@ -0,0 +1,59 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "twofish_plugin.h"
|
||||
|
||||
#include <library.h>
|
||||
#include "twofish_crypter.h"
|
||||
|
||||
typedef struct private_twofish_plugin_t private_twofish_plugin_t;
|
||||
|
||||
/**
|
||||
* private data of twofish_plugin
|
||||
*/
|
||||
struct private_twofish_plugin_t {
|
||||
|
||||
/**
|
||||
* public functions
|
||||
*/
|
||||
twofish_plugin_t public;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of twofish_plugin_t.destroy
|
||||
*/
|
||||
static void destroy(private_twofish_plugin_t *this)
|
||||
{
|
||||
lib->crypto->remove_crypter(lib->crypto,
|
||||
(crypter_constructor_t)twofish_crypter_create);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *plugin_create()
|
||||
{
|
||||
private_twofish_plugin_t *this = malloc_thing(private_twofish_plugin_t);
|
||||
|
||||
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
|
||||
|
||||
lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH,
|
||||
(crypter_constructor_t)twofish_crypter_create);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup twofish_p twofish
|
||||
* @ingroup plugins
|
||||
*
|
||||
* @defgroup twofish_plugin twofish_plugin
|
||||
* @{ @ingroup twofish_p
|
||||
*/
|
||||
|
||||
#ifndef TWOFISH_PLUGIN_H_
|
||||
#define TWOFISH_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct twofish_plugin_t twofish_plugin_t;
|
||||
|
||||
/**
|
||||
* Plugin implementing Twofish based algorithms in software.
|
||||
*/
|
||||
struct twofish_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a twofish_plugin instance.
|
||||
*/
|
||||
plugin_t *plugin_create();
|
||||
|
||||
#endif /** TWOFISH_PLUGIN_H_ @}*/
|
|
@ -16,19 +16,19 @@
|
|||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <libdes/des.h>
|
||||
|
||||
#include <freeswan.h>
|
||||
|
||||
#include <library.h>
|
||||
#include <debug.h>
|
||||
#include <asn1/asn1.h>
|
||||
#include <asn1/asn1_parser.h>
|
||||
#include <asn1/oid.h>
|
||||
#include <crypto/rngs/rng.h>
|
||||
#include <crypto/crypters/crypter.h>
|
||||
|
||||
#include "constants.h"
|
||||
#include "defs.h"
|
||||
#include "log.h"
|
||||
#include "x509.h"
|
||||
#include "certs.h"
|
||||
#include "pkcs7.h"
|
||||
|
@ -42,12 +42,11 @@ const contentInfo_t empty_contentInfo = {
|
|||
* ASN.1 definition of the PKCS#7 ContentInfo type
|
||||
*/
|
||||
static const asn1Object_t contentInfoObjects[] = {
|
||||
{ 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
|
||||
{ 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
|
||||
{ 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
|
||||
ASN1_BODY }, /* 2 */
|
||||
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
|
||||
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
||||
{ 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
|
||||
{ 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
|
||||
{ 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 2 */
|
||||
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
|
||||
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
||||
};
|
||||
#define PKCS7_INFO_TYPE 1
|
||||
#define PKCS7_INFO_CONTENT 2
|
||||
|
@ -56,36 +55,33 @@ static const asn1Object_t contentInfoObjects[] = {
|
|||
* ASN.1 definition of the PKCS#7 signedData type
|
||||
*/
|
||||
static const asn1Object_t signedDataObjects[] = {
|
||||
{ 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
|
||||
{ 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
|
||||
{ 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
|
||||
{ 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
|
||||
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
|
||||
{ 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
|
||||
{ 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
|
||||
ASN1_LOOP }, /* 6 */
|
||||
{ 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
|
||||
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
|
||||
{ 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
|
||||
ASN1_LOOP }, /* 9 */
|
||||
{ 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
|
||||
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
|
||||
{ 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
|
||||
{ 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
|
||||
{ 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
|
||||
{ 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
|
||||
{ 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
|
||||
{ 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
|
||||
{ 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
|
||||
{ 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
|
||||
ASN1_OBJ }, /* 19 */
|
||||
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
|
||||
{ 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
|
||||
{ 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
|
||||
{ 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
|
||||
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
|
||||
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
|
||||
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
||||
{ 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
|
||||
{ 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
|
||||
{ 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
|
||||
{ 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
|
||||
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
|
||||
{ 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
|
||||
{ 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 6 */
|
||||
{ 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
|
||||
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
|
||||
{ 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 9 */
|
||||
{ 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
|
||||
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
|
||||
{ 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
|
||||
{ 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
|
||||
{ 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
|
||||
{ 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
|
||||
{ 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
|
||||
{ 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
|
||||
{ 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
|
||||
{ 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 19 */
|
||||
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
|
||||
{ 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
|
||||
{ 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
|
||||
{ 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
|
||||
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
|
||||
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
|
||||
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
||||
};
|
||||
#define PKCS7_DIGEST_ALG 3
|
||||
#define PKCS7_SIGNED_CONTENT_INFO 5
|
||||
|
@ -226,7 +222,7 @@ bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
|
|||
if (cInfo->type < OID_PKCS7_DATA
|
||||
|| cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
|
||||
{
|
||||
plog("unknown pkcs7 content type");
|
||||
DBG1("unknown pkcs7 content type");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
@ -266,7 +262,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
|
|||
}
|
||||
if (cInfo.type != OID_PKCS7_SIGNED_DATA)
|
||||
{
|
||||
plog("pkcs7 content type is not signedData");
|
||||
DBG1("pkcs7 content type is not signedData");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -296,9 +292,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
|
|||
|
||||
*newcert = empty_x509cert;
|
||||
|
||||
DBG(DBG_CONTROL | DBG_PARSING,
|
||||
DBG_log("parsing pkcs7-wrapped certificate")
|
||||
)
|
||||
DBG2(" parsing pkcs7-wrapped certificate");
|
||||
if (parse_x509cert(cert_blob, level+1, newcert))
|
||||
{
|
||||
newcert->next = *cert;
|
||||
|
@ -312,15 +306,11 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
|
|||
break;
|
||||
case PKCS7_SIGNER_INFO:
|
||||
signerInfos++;
|
||||
DBG(DBG_PARSING,
|
||||
DBG_log(" signer #%d", signerInfos)
|
||||
)
|
||||
DBG2(" signer #%d", signerInfos);
|
||||
break;
|
||||
case PKCS7_SIGNED_ISSUER:
|
||||
DBG(DBG_PARSING,
|
||||
dntoa(buf, BUF_LEN, object);
|
||||
DBG_log(" '%s'",buf)
|
||||
)
|
||||
dntoa(buf, BUF_LEN, object);
|
||||
DBG2(" '%s'",buf);
|
||||
break;
|
||||
case PKCS7_AUTH_ATTRIBUTES:
|
||||
if (attributes != NULL)
|
||||
|
@ -351,30 +341,28 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
|
|||
{
|
||||
if (signerInfos == 0)
|
||||
{
|
||||
plog("no signerInfo object found");
|
||||
DBG1("no signerInfo object found");
|
||||
return FALSE;
|
||||
}
|
||||
else if (signerInfos > 1)
|
||||
{
|
||||
plog("more than one signerInfo object found");
|
||||
DBG1("more than one signerInfo object found");
|
||||
return FALSE;
|
||||
}
|
||||
if (attributes->ptr == NULL)
|
||||
{
|
||||
plog("no authenticatedAttributes object found");
|
||||
DBG1("no authenticatedAttributes object found");
|
||||
return FALSE;
|
||||
}
|
||||
if (!check_signature(*attributes, encrypted_digest, digest_alg
|
||||
, enc_alg, cacert))
|
||||
if (!check_signature(*attributes, encrypted_digest, digest_alg,
|
||||
enc_alg, cacert))
|
||||
{
|
||||
plog("invalid signature");
|
||||
DBG1("invalid signature");
|
||||
return FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("signature is valid")
|
||||
)
|
||||
DBG2("signature is valid");
|
||||
}
|
||||
}
|
||||
return TRUE;
|
||||
|
@ -393,8 +381,9 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
chunk_t symmetric_key = chunk_empty;
|
||||
chunk_t encrypted_content = chunk_empty;
|
||||
|
||||
crypter_t *crypter = NULL;
|
||||
|
||||
u_char buf[BUF_LEN];
|
||||
u_int total_keys = 3;
|
||||
int enc_alg = OID_UNKNOWN;
|
||||
int content_enc_alg = OID_UNKNOWN;
|
||||
int objectID;
|
||||
|
@ -405,12 +394,12 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
|
||||
if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
|
||||
{
|
||||
goto end;
|
||||
goto failed;
|
||||
}
|
||||
if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
|
||||
{
|
||||
plog("pkcs7 content type is not envelopedData");
|
||||
goto end;
|
||||
DBG1("pkcs7 content type is not envelopedData");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
parser = asn1_parser_create(envelopedDataObjects, cInfo.content);
|
||||
|
@ -425,7 +414,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
case PKCS7_ENVELOPED_VERSION:
|
||||
if (*object.ptr != 0)
|
||||
{
|
||||
plog("envelopedData version is not 0");
|
||||
DBG1("envelopedData version is not 0");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
@ -437,15 +426,13 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
}
|
||||
break;
|
||||
case PKCS7_ISSUER:
|
||||
DBG(DBG_PARSING,
|
||||
dntoa(buf, BUF_LEN, object);
|
||||
DBG_log(" '%s'", buf)
|
||||
)
|
||||
dntoa(buf, BUF_LEN, object);
|
||||
DBG2(" '%s'", buf);
|
||||
break;
|
||||
case PKCS7_SERIAL_NUMBER:
|
||||
if (!chunk_equals(serialNumber, object))
|
||||
{
|
||||
plog("serial numbers do not match");
|
||||
DBG1("serial numbers do not match");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
@ -453,55 +440,36 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
|
||||
if (enc_alg != OID_RSA_ENCRYPTION)
|
||||
{
|
||||
plog("only rsa encryption supported");
|
||||
DBG1("only rsa encryption supported");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
case PKCS7_ENCRYPTED_KEY:
|
||||
if (!RSA_decrypt(key, object, &symmetric_key))
|
||||
{
|
||||
plog("symmetric key could not be decrypted with rsa");
|
||||
DBG1("symmetric key could not be decrypted with rsa");
|
||||
goto end;
|
||||
}
|
||||
DBG(DBG_PRIVATE,
|
||||
DBG_dump_chunk("symmetric key :", symmetric_key)
|
||||
)
|
||||
DBG4("symmetric key %B", &symmetric_key);
|
||||
break;
|
||||
case PKCS7_CONTENT_TYPE:
|
||||
if (asn1_known_oid(object) != OID_PKCS7_DATA)
|
||||
{
|
||||
plog("encrypted content not of type pkcs7 data");
|
||||
DBG1("encrypted content not of type pkcs7 data");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
case PKCS7_CONTENT_ENC_ALGORITHM:
|
||||
content_enc_alg = asn1_parse_algorithmIdentifier(object, level, &iv);
|
||||
|
||||
switch (content_enc_alg)
|
||||
|
||||
if (content_enc_alg == OID_UNKNOWN)
|
||||
{
|
||||
case OID_DES_CBC:
|
||||
total_keys = 1;
|
||||
break;
|
||||
case OID_3DES_EDE_CBC:
|
||||
total_keys = 3;
|
||||
break;
|
||||
default:
|
||||
plog("Only DES and 3DES supported for symmetric encryption");
|
||||
goto end;
|
||||
}
|
||||
if (symmetric_key.len != (total_keys * DES_CBC_BLOCK_SIZE))
|
||||
{
|
||||
plog("key length is not %d",(total_keys * DES_CBC_BLOCK_SIZE));
|
||||
DBG1("unknown content encryption algorithm");
|
||||
goto end;
|
||||
}
|
||||
if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
|
||||
{
|
||||
plog("IV could not be parsed");
|
||||
goto end;
|
||||
}
|
||||
if (iv.len != DES_CBC_BLOCK_SIZE)
|
||||
{
|
||||
plog("IV has wrong length");
|
||||
DBG1("IV could not be parsed");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
@ -510,49 +478,47 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
break;
|
||||
}
|
||||
}
|
||||
;
|
||||
if (!parser->success(parser))
|
||||
success = parser->success(parser);
|
||||
|
||||
end:
|
||||
parser->destroy(parser);
|
||||
if (!success)
|
||||
{
|
||||
goto end;
|
||||
goto failed;
|
||||
}
|
||||
success = FALSE;
|
||||
|
||||
/* decrypt the content */
|
||||
{
|
||||
u_int i;
|
||||
des_cblock des_key[3], des_iv;
|
||||
des_key_schedule key_s[3];
|
||||
encryption_algorithm_t alg;
|
||||
size_t key_size;
|
||||
crypter_t *crypter;
|
||||
|
||||
memcpy((char *)des_key, symmetric_key.ptr, symmetric_key.len);
|
||||
memcpy((char *)des_iv, iv.ptr, iv.len);
|
||||
|
||||
for (i = 0; i < total_keys; i++)
|
||||
alg = encryption_algorithm_from_oid(content_enc_alg, &key_size);
|
||||
if (alg == ENCR_UNDEFINED)
|
||||
{
|
||||
if (des_set_key(&des_key[i], key_s[i]))
|
||||
{
|
||||
plog("des key schedule failed");
|
||||
goto end;
|
||||
}
|
||||
DBG1("unsupported content encryption algorithm");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
data->len = encrypted_content.len;
|
||||
data->ptr = malloc(data->len);
|
||||
|
||||
switch (content_enc_alg)
|
||||
crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
|
||||
if (crypter == NULL)
|
||||
{
|
||||
case OID_DES_CBC:
|
||||
des_cbc_encrypt((des_cblock*)encrypted_content.ptr
|
||||
, (des_cblock*)data->ptr, data->len
|
||||
, key_s[0], &des_iv, DES_DECRYPT);
|
||||
break;
|
||||
case OID_3DES_EDE_CBC:
|
||||
des_ede3_cbc_encrypt( (des_cblock*)encrypted_content.ptr
|
||||
, (des_cblock*)data->ptr, data->len
|
||||
, key_s[0], key_s[1], key_s[2]
|
||||
, &des_iv, DES_DECRYPT);
|
||||
DBG1("crypter %N not available", encryption_algorithm_names, alg);
|
||||
goto failed;
|
||||
}
|
||||
DBG(DBG_PRIVATE,
|
||||
DBG_dump_chunk("decrypted content with padding:\n", *data)
|
||||
)
|
||||
if (symmetric_key.len != crypter->get_key_size(crypter))
|
||||
{
|
||||
DBG1("symmetric key length %d is wrong", symmetric_key.len);
|
||||
goto failed;
|
||||
}
|
||||
if (iv.len != crypter->get_block_size(crypter))
|
||||
{
|
||||
DBG1("IV length %d is wrong", iv.len);
|
||||
goto failed;
|
||||
}
|
||||
crypter->set_key(crypter, symmetric_key);
|
||||
crypter->decrypt(crypter, encrypted_content, iv, data);
|
||||
DBG4("decrypted content with padding: %B", data);
|
||||
}
|
||||
|
||||
/* remove the padding */
|
||||
|
@ -563,8 +529,8 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
|
||||
if (padding > data->len)
|
||||
{
|
||||
plog("padding greater than data length");
|
||||
goto end;
|
||||
DBG1("padding greater than data length");
|
||||
goto failed;
|
||||
}
|
||||
data->len -= padding;
|
||||
|
||||
|
@ -572,14 +538,15 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
|||
{
|
||||
if (*pos-- != pattern)
|
||||
{
|
||||
plog("wrong padding pattern");
|
||||
goto end;
|
||||
DBG1("wrong padding pattern");
|
||||
goto failed;
|
||||
}
|
||||
}
|
||||
}
|
||||
success = TRUE;
|
||||
|
||||
end:
|
||||
failed:
|
||||
DESTROY_IF(crypter);
|
||||
chunk_clear(&symmetric_key);
|
||||
if (!success)
|
||||
{
|
||||
|
@ -654,7 +621,7 @@ static chunk_t pkcs7_build_contentInfo(contentInfo_t *cInfo)
|
|||
break;
|
||||
case OID_UNKNOWN:
|
||||
default:
|
||||
fprintf(stderr, "invalid pkcs7 contentInfo type");
|
||||
DBG1("invalid pkcs7 contentInfo type");
|
||||
return chunk_empty;
|
||||
}
|
||||
|
||||
|
@ -723,9 +690,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
|
|||
, asn1_wrap(ASN1_SET, "m", signerInfo));
|
||||
|
||||
cInfo = pkcs7_build_contentInfo(&signedData);
|
||||
DBG(DBG_RAW,
|
||||
DBG_dump_chunk("signedData:\n", cInfo)
|
||||
)
|
||||
DBG3("signedData %B", &cInfo);
|
||||
|
||||
free(pkcs7Data.content.ptr);
|
||||
free(signedData.content.ptr);
|
||||
|
@ -735,110 +700,70 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
|
|||
/**
|
||||
* create a symmetrically encrypted pkcs7 contentInfo object
|
||||
*/
|
||||
chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int cipher)
|
||||
chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_alg)
|
||||
{
|
||||
bool des_check_key_save;
|
||||
des_key_schedule ks[3];
|
||||
des_cblock key[3], des_iv, des_iv_buf;
|
||||
|
||||
chunk_t iv = { (u_char *)des_iv_buf, DES_CBC_BLOCK_SIZE };
|
||||
chunk_t out;
|
||||
chunk_t cipher_oid;
|
||||
|
||||
rng_t *rng;
|
||||
u_int total_keys, i;
|
||||
size_t padding = pad_up(data.len, DES_CBC_BLOCK_SIZE);
|
||||
|
||||
encryption_algorithm_t alg;
|
||||
size_t alg_key_size;
|
||||
RSA_public_key_t public_key;
|
||||
chunk_t symmetricKey, iv, in, out;
|
||||
crypter_t *crypter;
|
||||
|
||||
init_RSA_public_key(&public_key, cert->publicExponent
|
||||
, cert->modulus);
|
||||
|
||||
if (padding == 0)
|
||||
padding += DES_CBC_BLOCK_SIZE;
|
||||
|
||||
out.len = data.len + padding;
|
||||
out.ptr = malloc(out.len);
|
||||
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("padding %d bytes of data to multiple DES block size of %d bytes"
|
||||
, (int)data.len, (int)out.len)
|
||||
)
|
||||
|
||||
/* copy data */
|
||||
memcpy(out.ptr, data.ptr, data.len);
|
||||
/* append padding */
|
||||
memset(out.ptr + data.len, padding, padding);
|
||||
|
||||
DBG(DBG_RAW,
|
||||
DBG_dump_chunk("Padded unencrypted data:\n", out)
|
||||
)
|
||||
|
||||
/* select OID and keylength for specified cipher */
|
||||
switch (cipher)
|
||||
alg = encryption_algorithm_from_oid(enc_alg, &alg_key_size);
|
||||
crypter = lib->crypto->create_crypter(lib->crypto, alg,
|
||||
alg_key_size/BITS_PER_BYTE);
|
||||
if (crypter == NULL)
|
||||
{
|
||||
case OID_DES_CBC:
|
||||
total_keys = 1;
|
||||
cipher_oid = ASN1_des_cbc_oid;
|
||||
break;
|
||||
case OID_3DES_EDE_CBC:
|
||||
default:
|
||||
total_keys = 3;
|
||||
cipher_oid = ASN1_3des_ede_cbc_oid;
|
||||
DBG1("crypter for %N not available", encryption_algorithm_names, alg);
|
||||
return chunk_empty;
|
||||
}
|
||||
DBG(DBG_CONTROLMORE,
|
||||
DBG_log("pkcs7 encryption cipher: %s", oid_names[cipher].name)
|
||||
)
|
||||
|
||||
/* generate a strong random key for DES/3DES */
|
||||
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
|
||||
des_check_key_save = des_check_key;
|
||||
des_check_key = TRUE;
|
||||
for (i = 0; i < total_keys;i++)
|
||||
/* generate a true random symmetric encryption key and a pseudo-random iv */
|
||||
{
|
||||
for (;;)
|
||||
{
|
||||
rng->get_bytes(rng, DES_CBC_BLOCK_SIZE, (char*)key[i]);
|
||||
des_set_odd_parity(&key[i]);
|
||||
if (!des_set_key(&key[i], ks[i]))
|
||||
{
|
||||
break;
|
||||
}
|
||||
plog("weak DES key discarded - we try again");
|
||||
}
|
||||
DBG(DBG_PRIVATE,
|
||||
DBG_dump("DES key:", key[i], 8)
|
||||
)
|
||||
}
|
||||
des_check_key = des_check_key_save;
|
||||
|
||||
/* generate an iv for DES/3DES CBC */
|
||||
rng->get_bytes(rng, DES_CBC_BLOCK_SIZE, des_iv);
|
||||
memcpy(iv.ptr, des_iv, DES_CBC_BLOCK_SIZE);
|
||||
DBG(DBG_RAW,
|
||||
DBG_dump_chunk("DES IV :", iv)
|
||||
)
|
||||
rng->destroy(rng);
|
||||
|
||||
/* encryption using specified cipher */
|
||||
switch (cipher)
|
||||
{
|
||||
case OID_DES_CBC:
|
||||
des_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
|
||||
, ks[0], &des_iv, DES_ENCRYPT);
|
||||
break;
|
||||
case OID_3DES_EDE_CBC:
|
||||
default:
|
||||
des_ede3_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
|
||||
, ks[0], ks[1], ks[2], &des_iv, DES_ENCRYPT);
|
||||
}
|
||||
DBG(DBG_RAW,
|
||||
DBG_dump_chunk("Encrypted data:\n", out));
|
||||
rng_t *rng;
|
||||
|
||||
rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
|
||||
rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
|
||||
DBG4("symmetric encryption key %B", &symmetricKey);
|
||||
rng->destroy(rng);
|
||||
|
||||
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
|
||||
rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv);
|
||||
DBG4("initialization vector: %B", &iv);
|
||||
rng->destroy(rng);
|
||||
}
|
||||
|
||||
/* pad the data to a multiple of the block size */
|
||||
{
|
||||
size_t block_size = crypter->get_block_size(crypter);
|
||||
size_t padding = block_size - data.len % block_size;
|
||||
|
||||
in.len = data.len + padding;
|
||||
in.ptr = malloc(in.len);
|
||||
|
||||
DBG2("padding %u bytes of data to multiple block size of %u bytes",
|
||||
data.len, in.len);
|
||||
|
||||
/* copy data */
|
||||
memcpy(in.ptr, data.ptr, data.len);
|
||||
/* append padding */
|
||||
memset(in.ptr + data.len, padding, padding);
|
||||
}
|
||||
DBG3("padded unencrypted data %B", &in);
|
||||
|
||||
/* symmetric encryption of data object */
|
||||
crypter->set_key(crypter, symmetricKey);
|
||||
crypter->encrypt(crypter, in, iv, &out);
|
||||
crypter->destroy(crypter);
|
||||
DBG3("encrypted data %B", &out);
|
||||
free(in.ptr);
|
||||
free(iv.ptr);
|
||||
|
||||
init_RSA_public_key(&public_key, cert->publicExponent, cert->modulus);
|
||||
|
||||
/* build pkcs7 enveloped data object */
|
||||
{
|
||||
chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm"
|
||||
, cipher_oid
|
||||
chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm"
|
||||
, asn1_build_known_oid(enc_alg)
|
||||
, asn1_simple_object(ASN1_OCTET_STRING, iv));
|
||||
|
||||
chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
|
||||
|
@ -846,10 +771,8 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int ciph
|
|||
, contentEncryptionAlgorithm
|
||||
, asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
|
||||
|
||||
chunk_t plainKey = { (u_char *)key, DES_CBC_BLOCK_SIZE * total_keys };
|
||||
|
||||
chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
|
||||
, RSA_encrypt(&public_key, plainKey));
|
||||
, RSA_encrypt(&public_key, symmetricKey));
|
||||
|
||||
chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
|
||||
, ASN1_INTEGER_0
|
||||
|
@ -867,12 +790,11 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int ciph
|
|||
, encryptedContentInfo);
|
||||
|
||||
cInfo = pkcs7_build_contentInfo(&envelopedData);
|
||||
DBG(DBG_RAW,
|
||||
DBG_dump_chunk("envelopedData:\n", cInfo)
|
||||
)
|
||||
DBG3("envelopedData %B", &cInfo);
|
||||
|
||||
free_RSA_public_content(&public_key);
|
||||
free(envelopedData.content.ptr);
|
||||
free(symmetricKey.ptr);
|
||||
return cInfo;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,6 +17,8 @@
|
|||
#ifndef _PKCS7_H
|
||||
#define _PKCS7_H
|
||||
|
||||
#include <crypto/crypters/crypter.h>
|
||||
|
||||
#include "defs.h"
|
||||
#include "pkcs1.h"
|
||||
#include "x509.h"
|
||||
|
@ -32,18 +34,18 @@ struct contentInfo {
|
|||
|
||||
extern const contentInfo_t empty_contentInfo;
|
||||
|
||||
extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0
|
||||
, contentInfo_t *cInfo);
|
||||
extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data
|
||||
, x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
|
||||
extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
|
||||
, chunk_t serialNumber, const RSA_private_key_t *key);
|
||||
extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0,
|
||||
contentInfo_t *cInfo);
|
||||
extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
|
||||
x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
|
||||
extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
|
||||
chunk_t serialNumber, const RSA_private_key_t *key);
|
||||
extern chunk_t pkcs7_contentType_attribute(void);
|
||||
extern chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg);
|
||||
extern chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert);
|
||||
extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes
|
||||
,const x509cert_t *cert, int digest_alg, const RSA_private_key_t *key);
|
||||
extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert
|
||||
, int cipher);
|
||||
extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
|
||||
const x509cert_t *cert, int digest_alg, const RSA_private_key_t *key);
|
||||
extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert,
|
||||
int enc_alg);
|
||||
|
||||
#endif /* _PKCS7_H */
|
||||
|
|
|
@ -152,7 +152,13 @@ Supported values for \fIalgo\fP:
|
|||
.IP "\fBdes\-cbc\fP" 12
|
||||
DES CBC encryption (key size = 56 bit).
|
||||
.IP "\fB3des\-cbc\fP" 12
|
||||
Triple DES CBC encryption (key size = 168 bit).
|
||||
Triple DES-EDE-CBC encryption (key size = 168 bit).
|
||||
.IP "\fBaes128\-cbc\fP" 12
|
||||
AES-CBC encryption (key size = 128 bit).
|
||||
.IP "\fBaes192\-cbc\fP" 12
|
||||
AES-CBC encryption (key size = 192 bit).
|
||||
.IP "\fBaes256\-cbc\fP" 12
|
||||
AES-CBC encryption (key size = 256 bit).
|
||||
.RE
|
||||
.PP
|
||||
.B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
|
||||
|
|
|
@ -249,7 +249,8 @@ usage(const char *message)
|
|||
" --password (-p) <pw> challenge password\n"
|
||||
" - if pw is '%%prompt', password gets prompted for\n"
|
||||
" --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
|
||||
" <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n"
|
||||
" <algo> = des-cbc | 3des-cbc | aes128-cbc |\n"
|
||||
" aes192-cbc | aes256-cbc (default: 3des-cbc)\n"
|
||||
"\n"
|
||||
"Options for enrollment (cert):\n"
|
||||
" --url (-u) <url> url of the SCEP server\n"
|
||||
|
@ -707,6 +708,18 @@ int main(int argc, char **argv)
|
|||
{
|
||||
pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
|
||||
}
|
||||
else if (strcaseeq("aes128-cbc", optarg))
|
||||
{
|
||||
pkcs7_symmetric_cipher = OID_AES128_CBC;
|
||||
}
|
||||
else if (strcaseeq("aes192-cbc", optarg))
|
||||
{
|
||||
pkcs7_symmetric_cipher = OID_AES192_CBC;
|
||||
}
|
||||
else if (strcaseeq("aes256-cbc", optarg))
|
||||
{
|
||||
pkcs7_symmetric_cipher = OID_AES256_CBC;
|
||||
}
|
||||
else
|
||||
{
|
||||
usage("invalid encryption algorithm specified");
|
||||
|
|
Loading…
Reference in New Issue