ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

started migration to encryption plugins

This commit is contained in:
Andreas Steffen 2009-05-09 00:04:15 +02:00
parent bf45d6dd3b
commit d36ae9e305
24 changed files with 5630 additions and 253 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
configure.in
View File

@ -183,6 +183,30 @@ AC_ARG_ENABLE(
des=true
)
AC_ARG_ENABLE(
[blowfish],
AS_HELP_STRING([--enable-blowfish],[enable Blowfish software implementation plugin (default is NO).]),
[if test x$enableval = xyes; then
blowfish=true
fi]
)
AC_ARG_ENABLE(
[serpent],
AS_HELP_STRING([--enable-serpent],[enable Serpent software implementation plugin (default is NO).]),
[if test x$enableval = xyes; then
serpent=true
fi]
)
AC_ARG_ENABLE(
[twofish],
AS_HELP_STRING([--enable-twofish],[enable Twofish software implementation plugin (default is NO).]),
[if test x$enableval = xyes; then
twofish=true
fi]
)
AC_ARG_ENABLE(
[md4],
AS_HELP_STRING([--enable-md4],[enable MD4 software implementation plugin (default is NO).]),
@ -978,24 +1002,36 @@ if test x$ldap = xtrue; then
fi
if test x$aes = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" aes"
pluto_plugins=${pluto_plugins}" aes"
fi
if test x$des = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" des"
pluto_plugins=${pluto_plugins}" des"
fi
if test x$blowfish = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
pluto_plugins=${pluto_plugins}" blowfish"
fi
if test x$serpent = xtrue; then
pluto_plugins=${pluto_plugins}" serpent"
fi
if test x$twofish = xtrue; then
pluto_plugins=${pluto_plugins}" twofish"
fi
if test x$sha1 = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" sha1"
pluto_plugins=${pluto_plugins}" sha1"
pluto_plugins=${pluto_plugins}" sha1"
fi
if test x$sha2 = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" sha2"
pluto_plugins=${pluto_plugins}" sha2"
pluto_plugins=${pluto_plugins}" sha2"
fi
if test x$md4 = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" md4"
fi
if test x$md5 = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" md5"
pluto_plugins=${pluto_plugins}" md5"
pluto_plugins=${pluto_plugins}" md5"
fi
if test x$fips_prf = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
@ -1049,6 +1085,9 @@ AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
AM_CONDITIONAL(USE_DES, test x$des = xtrue)
AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
AM_CONDITIONAL(USE_SERPENT, test x$serpent = xtrue)
AM_CONDITIONAL(USE_TWOFISH, test x$twofish = xtrue)
AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
@ -1139,6 +1178,9 @@ AC_OUTPUT(
src/libstrongswan/Makefile
src/libstrongswan/plugins/aes/Makefile
src/libstrongswan/plugins/des/Makefile
src/libstrongswan/plugins/blowfish/Makefile
src/libstrongswan/plugins/serpent/Makefile
src/libstrongswan/plugins/twofish/Makefile
src/libstrongswan/plugins/md4/Makefile
src/libstrongswan/plugins/md5/Makefile
src/libstrongswan/plugins/sha1/Makefile

12
src/libstrongswan/Makefile.am
View File

@ -104,6 +104,18 @@ if USE_DES
SUBDIRS += plugins/des
endif
if USE_BLOWFISH
SUBDIRS += plugins/blowfish
endif
if USE_SERPENT
SUBDIRS += plugins/serpent
endif
if USE_TWOFISH
SUBDIRS += plugins/twofish
endif
if USE_MD4
SUBDIRS += plugins/md4
endif

11
src/libstrongswan/asn1/oid.txt
View File

@ -236,10 +236,21 @@
0x65 "gov"
0x03 "csor"
0x04 "nistalgorithm"
0x01 "aes"
0x02 "id-aes128-CBC" OID_AES128_CBC
0x06 "id-aes128-GCM" OID_AES128_GCM
0x07 "id-aes128-CCM" OID_AES128_CCM
0x16 "id-aes192-CBC" OID_AES192_CBC
0x1A "id-aes192-GCM" OID_AES192_GCM
0x1B "id-aes192-CCM" OID_AES192_CCM
0x2A "id-aes256-CBC" OID_AES256_CBC
0x2E "id-aes256-GCM" OID_AES256_GCM
0x2F "id-aes256-CCM" OID_AES256_CCM
0x02 "hashalgs"
0x01 "id-SHA-256" OID_SHA256
0x02 "id-SHA-384" OID_SHA384
0x03 "id-SHA-512" OID_SHA512
0x04 "id-SHA-224" OID_SHA224
0x86 ""
0xf8 ""
0x42 "netscape"

81
src/libstrongswan/crypto/crypters/crypter.c
View File

@ -14,6 +14,8 @@
* for more details.
*/
#include <asn1/oid.h>
#include "crypter.h"
ENUM_BEGIN(encryption_algorithm_names, ENCR_DES_IV64, ENCR_DES_IV32,
@ -51,3 +53,82 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH, ENCR_CAMELLI
"TWOFISH");
ENUM_END(encryption_algorithm_names, ENCR_TWOFISH);
/*
* Described in header.
*/
encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size)
{
encryption_algorithm_t alg;
size_t alg_key_size;
switch (oid)
{
case OID_DES_CBC:
alg = ENCR_DES;
alg_key_size = 0;
break;
case OID_3DES_EDE_CBC:
alg = ENCR_3DES;
alg_key_size = 0;
break;
case OID_AES128_CBC:
alg = ENCR_AES_CBC;
alg_key_size = 128;
break;
case OID_AES192_CBC:
alg = ENCR_AES_CBC;
alg_key_size = 192;
break;
case OID_AES256_CBC:
alg = ENCR_AES_CBC;
alg_key_size = 256;
break;
default:
alg = ENCR_UNDEFINED;
alg_key_size = 0;
}
if (key_size)
{
*key_size = alg_key_size;
}
return alg;
}
/*
* Described in header.
*/
int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
{
int oid;
switch(alg)
{
case ENCR_DES:
oid = OID_DES_CBC;
break;
case ENCR_3DES:
oid = OID_3DES_EDE_CBC;
break;
case ENCR_AES_CBC:
switch (key_size)
{
case 128:
oid = OID_AES128_CBC;
break;
case 192:
oid = OID_AES192_CBC;
break;
case 256:
oid = OID_AES256_CBC;
break;
default:
oid = OID_UNKNOWN;
}
break;
default:
oid = OID_UNKNOWN;
}
return oid;
}

18
src/libstrongswan/crypto/crypters/crypter.h
View File

@ -128,4 +128,22 @@ struct crypter_t {
void (*destroy) (crypter_t *this);
};
/**
* Conversion of ASN.1 OID to encryption algorithm.
*
* @param oid ASN.1 OID
* @param key_size returns size of encryption key in bits
* @return encryption algorithm, ENCR_UNDEFINED if OID unsupported
*/
encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
/**
* Conversion of encryption algorithm to ASN.1 OID.
*
* @param alg encryption algorithm
* @param key_size size of encryption key in bits
* @return ASN.1 OID, OID_UNKNOWN if OID is unknown
*/
int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size);
#endif /** CRYPTER_H_ @}*/

10
src/libstrongswan/plugins/blowfish/Makefile.am Normal file
View File

@ -0,0 +1,10 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-blowfish.la
libstrongswan_blowfish_la_SOURCES = blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h
libstrongswan_blowfish_la_LDFLAGS = -module

1612
src/libstrongswan/plugins/blowfish/blowfish_crypter.c Normal file
View File

File diff suppressed because it is too large Load Diff

50
src/libstrongswan/plugins/blowfish/blowfish_crypter.h Normal file
View File

@ -0,0 +1,50 @@
/*
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup blowfish_crypter blowfish_crypter
* @{ @ingroup blowfish_p
*/
#ifndef BLOWFISH_CRYPTER_H_
#define BLOWFISH_CRYPTER_H_
typedef struct blowfish_crypter_t blowfish_crypter_t;
#include <crypto/crypters/crypter.h>
/**
* Class implementing the Blowfish encryption algorithm.
*/
struct blowfish_crypter_t {
/**
* The crypter_t interface.
*/
crypter_t crypter_interface;
};
/**
* Constructor to create blowfish_crypter_t objects.
*
* @param key_size key size in bytes
* @param algo algorithm to implement
* @return blowfish_crypter_t object, NULL if not supported
*/
blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo,
size_t key_size);
#endif /** BLOWFISH_CRYPTER_H_ @}*/

59
src/libstrongswan/plugins/blowfish/blowfish_plugin.c Normal file
View File

@ -0,0 +1,59 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "blowfish_plugin.h"
#include <library.h>
#include "blowfish_crypter.h"
typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
/**
* private data of blowfish_plugin
*/
struct private_blowfish_plugin_t {
/**
* public functions
*/
blowfish_plugin_t public;
};
/**
* Implementation of blowfish_plugin_t.destroy
*/
static void destroy(private_blowfish_plugin_t *this)
{
lib->crypto->remove_crypter(lib->crypto,
(crypter_constructor_t)blowfish_crypter_create);
free(this);
}
/*
* see header file
*/
plugin_t *plugin_create()
{
private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
(crypter_constructor_t)blowfish_crypter_create);
return &this->public.plugin;
}

48
src/libstrongswan/plugins/blowfish/blowfish_plugin.h Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup blowfish_p blowfish
* @ingroup plugins
*
* @defgroup blowfish_plugin blowfish_plugin
* @{ @ingroup blowfish_p
*/
#ifndef BLOWFISH_PLUGIN_H_
#define BLOWFISH_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct blowfish_plugin_t blowfish_plugin_t;
/**
* Plugin implementing Blowfish based algorithms in software.
*/
struct blowfish_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
/**
* Create a blowfish_plugin instance.
*/
plugin_t *plugin_create();
#endif /** BLOWFISH_PLUGIN_H_ @}*/

10
src/libstrongswan/plugins/serpent/Makefile.am Normal file
View File

@ -0,0 +1,10 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-serpent.la
libstrongswan_serpent_la_SOURCES = serpent_plugin.h serpent_plugin.c serpent_crypter.c serpent_crypter.h
libstrongswan_serpent_la_LDFLAGS = -module

1578
src/libstrongswan/plugins/serpent/serpent_crypter.c Normal file
View File

File diff suppressed because it is too large Load Diff

50
src/libstrongswan/plugins/serpent/serpent_crypter.h Normal file
View File

@ -0,0 +1,50 @@
/*
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup serpent_crypter serpent_crypter
* @{ @ingroup serpent_p
*/
#ifndef SERPENT_CRYPTER_H_
#define SERPENT_CRYPTER_H_
typedef struct serpent_crypter_t serpent_crypter_t;
#include <crypto/crypters/crypter.h>
/**
* Class implementing the Serpent encryption algorithm.
*/
struct serpent_crypter_t {
/**
* The crypter_t interface.
*/
crypter_t crypter_interface;
};
/**
* Constructor to create serpent_crypter_t objects.
*
* @param key_size key size in bytes
* @param algo algorithm to implement
* @return serpent_crypter_t object, NULL if not supported
*/
serpent_crypter_t *serpent_crypter_create(encryption_algorithm_t algo,
size_t key_size);
#endif /** SERPENT_CRYPTER_H_ @}*/

59
src/libstrongswan/plugins/serpent/serpent_plugin.c Normal file
View File

@ -0,0 +1,59 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "serpent_plugin.h"
#include <library.h>
#include "serpent_crypter.h"
typedef struct private_serpent_plugin_t private_serpent_plugin_t;
/**
* private data of serpent_plugin
*/
struct private_serpent_plugin_t {
/**
* public functions
*/
serpent_plugin_t public;
};
/**
* Implementation of serpent_plugin_t.destroy
*/
static void destroy(private_serpent_plugin_t *this)
{
lib->crypto->remove_crypter(lib->crypto,
(crypter_constructor_t)serpent_crypter_create);
free(this);
}
/*
* see header file
*/
plugin_t *plugin_create()
{
private_serpent_plugin_t *this = malloc_thing(private_serpent_plugin_t);
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT,
(crypter_constructor_t)serpent_crypter_create);
return &this->public.plugin;
}

48
src/libstrongswan/plugins/serpent/serpent_plugin.h Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup serpent_p serpent
* @ingroup plugins
*
* @defgroup serpent_plugin serpent_plugin
* @{ @ingroup serpent_p
*/
#ifndef SERPENT_PLUGIN_H_
#define SERPENT_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct serpent_plugin_t serpent_plugin_t;
/**
* Plugin implementing Serpent based algorithms in software.
*/
struct serpent_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
/**
* Create a serpent_plugin instance.
*/
plugin_t *plugin_create();
#endif /** SERPENT_PLUGIN_H_ @}*/

10
src/libstrongswan/plugins/twofish/Makefile.am Normal file
View File

@ -0,0 +1,10 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-twofish.la
libstrongswan_twofish_la_SOURCES = twofish_plugin.h twofish_plugin.c twofish_crypter.c twofish_crypter.h
libstrongswan_twofish_la_LDFLAGS = -module

1578
src/libstrongswan/plugins/twofish/twofish_crypter.c Normal file
View File

File diff suppressed because it is too large Load Diff

51
src/libstrongswan/plugins/twofish/twofish_crypter.h Normal file
View File

@ -0,0 +1,51 @@
/*
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup twofish_crypter twofish_crypter
* @{ @ingroup twofish_p
*/
#ifndef TWOFISH_CRYPTER_H_
#define TWOFISH_CRYPTER_H_
typedef struct twofish_crypter_t twofish_crypter_t;
#include <crypto/crypters/crypter.h>
/**
* Class implementing the Twofish encryption algorithm.
*/
struct twofish_crypter_t {
/**
* The crypter_t interface.
*/
crypter_t crypter_interface;
};
/**
* Constructor to create twofish_crypter_t objects.
*
* @param key_size key size in bytes
* @param algo algorithm to implement
* @return twofish_crypter_t object, NULL if not supported
*/
twofish_crypter_t *twofish_crypter_create(encryption_algorithm_t algo,
size_t key_size);
#endif /** TWOFISH_CRYPTER_H_ @}*/

59
src/libstrongswan/plugins/twofish/twofish_plugin.c Normal file
View File

@ -0,0 +1,59 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "twofish_plugin.h"
#include <library.h>
#include "twofish_crypter.h"
typedef struct private_twofish_plugin_t private_twofish_plugin_t;
/**
* private data of twofish_plugin
*/
struct private_twofish_plugin_t {
/**
* public functions
*/
twofish_plugin_t public;
};
/**
* Implementation of twofish_plugin_t.destroy
*/
static void destroy(private_twofish_plugin_t *this)
{
lib->crypto->remove_crypter(lib->crypto,
(crypter_constructor_t)twofish_crypter_create);
free(this);
}
/*
* see header file
*/
plugin_t *plugin_create()
{
private_twofish_plugin_t *this = malloc_thing(private_twofish_plugin_t);
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH,
(crypter_constructor_t)twofish_crypter_create);
return &this->public.plugin;
}

48
src/libstrongswan/plugins/twofish/twofish_plugin.h Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup twofish_p twofish
* @ingroup plugins
*
* @defgroup twofish_plugin twofish_plugin
* @{ @ingroup twofish_p
*/
#ifndef TWOFISH_PLUGIN_H_
#define TWOFISH_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct twofish_plugin_t twofish_plugin_t;
/**
* Plugin implementing Twofish based algorithms in software.
*/
struct twofish_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
/**
* Create a twofish_plugin instance.
*/
plugin_t *plugin_create();
#endif /** TWOFISH_PLUGIN_H_ @}*/

398
src/pluto/pkcs7.c
View File

@ -16,19 +16,19 @@
#include <stdlib.h>
#include <string.h>
#include <libdes/des.h>
#include <freeswan.h>
#include <library.h>
#include <debug.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <asn1/oid.h>
#include <crypto/rngs/rng.h>
#include <crypto/crypters/crypter.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "x509.h"
#include "certs.h"
#include "pkcs7.h"
@ -42,12 +42,11 @@ const contentInfo_t empty_contentInfo = {
* ASN.1 definition of the PKCS#7 ContentInfo type
*/
static const asn1Object_t contentInfoObjects[] = {
{ 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
{ 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
{ 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
ASN1_BODY }, /* 2 */
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
{ 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
{ 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
{ 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 2 */
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
#define PKCS7_INFO_TYPE 1
#define PKCS7_INFO_CONTENT 2
@ -56,36 +55,33 @@ static const asn1Object_t contentInfoObjects[] = {
* ASN.1 definition of the PKCS#7 signedData type
*/
static const asn1Object_t signedDataObjects[] = {
{ 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
{ 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
{ 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
{ 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
{ 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
{ 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
ASN1_LOOP }, /* 6 */
{ 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
{ 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
ASN1_LOOP }, /* 9 */
{ 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
{ 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
{ 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
{ 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
{ 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
{ 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
{ 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
{ 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
{ 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
ASN1_OBJ }, /* 19 */
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
{ 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
{ 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
{ 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
{ 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
{ 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
{ 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
{ 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
{ 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
{ 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 6 */
{ 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
{ 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 9 */
{ 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
{ 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
{ 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
{ 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
{ 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
{ 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
{ 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
{ 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
{ 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
{ 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 19 */
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
{ 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
{ 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
{ 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
{ 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
{ 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
#define PKCS7_DIGEST_ALG 3
#define PKCS7_SIGNED_CONTENT_INFO 5
@ -226,7 +222,7 @@ bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
if (cInfo->type < OID_PKCS7_DATA
|| cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
{
plog("unknown pkcs7 content type");
DBG1("unknown pkcs7 content type");
goto end;
}
}
@ -266,7 +262,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
}
if (cInfo.type != OID_PKCS7_SIGNED_DATA)
{
plog("pkcs7 content type is not signedData");
DBG1("pkcs7 content type is not signedData");
return FALSE;
}
@ -296,9 +292,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
*newcert = empty_x509cert;
DBG(DBG_CONTROL | DBG_PARSING,
DBG_log("parsing pkcs7-wrapped certificate")
)
DBG2(" parsing pkcs7-wrapped certificate");
if (parse_x509cert(cert_blob, level+1, newcert))
{
newcert->next = *cert;
@ -312,15 +306,11 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
break;
case PKCS7_SIGNER_INFO:
signerInfos++;
DBG(DBG_PARSING,
DBG_log(" signer #%d", signerInfos)
)
DBG2(" signer #%d", signerInfos);
break;
case PKCS7_SIGNED_ISSUER:
DBG(DBG_PARSING,
dntoa(buf, BUF_LEN, object);
DBG_log(" '%s'",buf)
)
dntoa(buf, BUF_LEN, object);
DBG2(" '%s'",buf);
break;
case PKCS7_AUTH_ATTRIBUTES:
if (attributes != NULL)
@ -351,30 +341,28 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
{
if (signerInfos == 0)
{
plog("no signerInfo object found");
DBG1("no signerInfo object found");
return FALSE;
}
else if (signerInfos > 1)
{
plog("more than one signerInfo object found");
DBG1("more than one signerInfo object found");
return FALSE;
}
if (attributes->ptr == NULL)
{
plog("no authenticatedAttributes object found");
DBG1("no authenticatedAttributes object found");
return FALSE;
}
if (!check_signature(*attributes, encrypted_digest, digest_alg
, enc_alg, cacert))
if (!check_signature(*attributes, encrypted_digest, digest_alg,
enc_alg, cacert))
{
plog("invalid signature");
DBG1("invalid signature");
return FALSE;
}
else
{
DBG(DBG_CONTROL,
DBG_log("signature is valid")
)
DBG2("signature is valid");
}
}
return TRUE;
@ -393,8 +381,9 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
chunk_t symmetric_key = chunk_empty;
chunk_t encrypted_content = chunk_empty;
crypter_t *crypter = NULL;
u_char buf[BUF_LEN];
u_int total_keys = 3;
int enc_alg = OID_UNKNOWN;
int content_enc_alg = OID_UNKNOWN;
int objectID;
@ -405,12 +394,12 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
{
goto end;
goto failed;
}
if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
{
plog("pkcs7 content type is not envelopedData");
goto end;
DBG1("pkcs7 content type is not envelopedData");
goto failed;
}
parser = asn1_parser_create(envelopedDataObjects, cInfo.content);
@ -425,7 +414,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
case PKCS7_ENVELOPED_VERSION:
if (*object.ptr != 0)
{
plog("envelopedData version is not 0");
DBG1("envelopedData version is not 0");
goto end;
}
break;
@ -437,15 +426,13 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
}
break;
case PKCS7_ISSUER:
DBG(DBG_PARSING,
dntoa(buf, BUF_LEN, object);
DBG_log(" '%s'", buf)
)
dntoa(buf, BUF_LEN, object);
DBG2(" '%s'", buf);
break;
case PKCS7_SERIAL_NUMBER:
if (!chunk_equals(serialNumber, object))
{
plog("serial numbers do not match");
DBG1("serial numbers do not match");
goto end;
}
break;
@ -453,55 +440,36 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
if (enc_alg != OID_RSA_ENCRYPTION)
{
plog("only rsa encryption supported");
DBG1("only rsa encryption supported");
goto end;
}
break;
case PKCS7_ENCRYPTED_KEY:
if (!RSA_decrypt(key, object, &symmetric_key))
{
plog("symmetric key could not be decrypted with rsa");
DBG1("symmetric key could not be decrypted with rsa");
goto end;
}
DBG(DBG_PRIVATE,
DBG_dump_chunk("symmetric key :", symmetric_key)
)
DBG4("symmetric key %B", &symmetric_key);
break;
case PKCS7_CONTENT_TYPE:
if (asn1_known_oid(object) != OID_PKCS7_DATA)
{
plog("encrypted content not of type pkcs7 data");
DBG1("encrypted content not of type pkcs7 data");
goto end;
}
break;
case PKCS7_CONTENT_ENC_ALGORITHM:
content_enc_alg = asn1_parse_algorithmIdentifier(object, level, &iv);
switch (content_enc_alg)
if (content_enc_alg == OID_UNKNOWN)
{
case OID_DES_CBC:
total_keys = 1;
break;
case OID_3DES_EDE_CBC:
total_keys = 3;
break;
default:
plog("Only DES and 3DES supported for symmetric encryption");
goto end;
}
if (symmetric_key.len != (total_keys * DES_CBC_BLOCK_SIZE))
{
plog("key length is not %d",(total_keys * DES_CBC_BLOCK_SIZE));
DBG1("unknown content encryption algorithm");
goto end;
}
if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
{
plog("IV could not be parsed");
goto end;
}
if (iv.len != DES_CBC_BLOCK_SIZE)
{
plog("IV has wrong length");
DBG1("IV could not be parsed");
goto end;
}
break;
@ -510,49 +478,47 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
break;
}
}
;
if (!parser->success(parser))
success = parser->success(parser);
end:
parser->destroy(parser);
if (!success)
{
goto end;
goto failed;
}
success = FALSE;
/* decrypt the content */
{
u_int i;
des_cblock des_key[3], des_iv;
des_key_schedule key_s[3];
encryption_algorithm_t alg;
size_t key_size;
crypter_t *crypter;
memcpy((char *)des_key, symmetric_key.ptr, symmetric_key.len);
memcpy((char *)des_iv, iv.ptr, iv.len);
for (i = 0; i < total_keys; i++)
alg = encryption_algorithm_from_oid(content_enc_alg, &key_size);
if (alg == ENCR_UNDEFINED)
{
if (des_set_key(&des_key[i], key_s[i]))
{
plog("des key schedule failed");
goto end;
}
DBG1("unsupported content encryption algorithm");
goto failed;
}
data->len = encrypted_content.len;
data->ptr = malloc(data->len);
switch (content_enc_alg)
crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
if (crypter == NULL)
{
case OID_DES_CBC:
des_cbc_encrypt((des_cblock*)encrypted_content.ptr
, (des_cblock*)data->ptr, data->len
, key_s[0], &des_iv, DES_DECRYPT);
break;
case OID_3DES_EDE_CBC:
des_ede3_cbc_encrypt( (des_cblock*)encrypted_content.ptr
, (des_cblock*)data->ptr, data->len
, key_s[0], key_s[1], key_s[2]
, &des_iv, DES_DECRYPT);
DBG1("crypter %N not available", encryption_algorithm_names, alg);
goto failed;
}
DBG(DBG_PRIVATE,
DBG_dump_chunk("decrypted content with padding:\n", *data)
)
if (symmetric_key.len != crypter->get_key_size(crypter))
{
DBG1("symmetric key length %d is wrong", symmetric_key.len);
goto failed;
}
if (iv.len != crypter->get_block_size(crypter))
{
DBG1("IV length %d is wrong", iv.len);
goto failed;
}
crypter->set_key(crypter, symmetric_key);
crypter->decrypt(crypter, encrypted_content, iv, data);
DBG4("decrypted content with padding: %B", data);
}
/* remove the padding */
@ -563,8 +529,8 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
if (padding > data->len)
{
plog("padding greater than data length");
goto end;
DBG1("padding greater than data length");
goto failed;
}
data->len -= padding;
@ -572,14 +538,15 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
{
if (*pos-- != pattern)
{
plog("wrong padding pattern");
goto end;
DBG1("wrong padding pattern");
goto failed;
}
}
}
success = TRUE;
end:
failed:
DESTROY_IF(crypter);
chunk_clear(&symmetric_key);
if (!success)
{
@ -654,7 +621,7 @@ static chunk_t pkcs7_build_contentInfo(contentInfo_t *cInfo)
break;
case OID_UNKNOWN:
default:
fprintf(stderr, "invalid pkcs7 contentInfo type");
DBG1("invalid pkcs7 contentInfo type");
return chunk_empty;
}
@ -723,9 +690,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
, asn1_wrap(ASN1_SET, "m", signerInfo));
cInfo = pkcs7_build_contentInfo(&signedData);
DBG(DBG_RAW,
DBG_dump_chunk("signedData:\n", cInfo)
)
DBG3("signedData %B", &cInfo);
free(pkcs7Data.content.ptr);
free(signedData.content.ptr);
@ -735,110 +700,70 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
/**
* create a symmetrically encrypted pkcs7 contentInfo object
*/
chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int cipher)
chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_alg)
{
bool des_check_key_save;
des_key_schedule ks[3];
des_cblock key[3], des_iv, des_iv_buf;
chunk_t iv = { (u_char *)des_iv_buf, DES_CBC_BLOCK_SIZE };
chunk_t out;
chunk_t cipher_oid;
rng_t *rng;
u_int total_keys, i;
size_t padding = pad_up(data.len, DES_CBC_BLOCK_SIZE);
encryption_algorithm_t alg;
size_t alg_key_size;
RSA_public_key_t public_key;
chunk_t symmetricKey, iv, in, out;
crypter_t *crypter;
init_RSA_public_key(&public_key, cert->publicExponent
, cert->modulus);
if (padding == 0)
padding += DES_CBC_BLOCK_SIZE;
out.len = data.len + padding;
out.ptr = malloc(out.len);
DBG(DBG_CONTROL,
DBG_log("padding %d bytes of data to multiple DES block size of %d bytes"
, (int)data.len, (int)out.len)
)
/* copy data */
memcpy(out.ptr, data.ptr, data.len);
/* append padding */
memset(out.ptr + data.len, padding, padding);
DBG(DBG_RAW,
DBG_dump_chunk("Padded unencrypted data:\n", out)
)
/* select OID and keylength for specified cipher */
switch (cipher)
alg = encryption_algorithm_from_oid(enc_alg, &alg_key_size);
crypter = lib->crypto->create_crypter(lib->crypto, alg,
alg_key_size/BITS_PER_BYTE);
if (crypter == NULL)
{
case OID_DES_CBC:
total_keys = 1;
cipher_oid = ASN1_des_cbc_oid;
break;
case OID_3DES_EDE_CBC:
default:
total_keys = 3;
cipher_oid = ASN1_3des_ede_cbc_oid;
DBG1("crypter for %N not available", encryption_algorithm_names, alg);
return chunk_empty;
}
DBG(DBG_CONTROLMORE,
DBG_log("pkcs7 encryption cipher: %s", oid_names[cipher].name)
)
/* generate a strong random key for DES/3DES */
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
des_check_key_save = des_check_key;
des_check_key = TRUE;
for (i = 0; i < total_keys;i++)
/* generate a true random symmetric encryption key and a pseudo-random iv */
{
for (;;)
{
rng->get_bytes(rng, DES_CBC_BLOCK_SIZE, (char*)key[i]);
des_set_odd_parity(&key[i]);
if (!des_set_key(&key[i], ks[i]))
{
break;
}
plog("weak DES key discarded - we try again");
}
DBG(DBG_PRIVATE,
DBG_dump("DES key:", key[i], 8)
)
}
des_check_key = des_check_key_save;
/* generate an iv for DES/3DES CBC */
rng->get_bytes(rng, DES_CBC_BLOCK_SIZE, des_iv);
memcpy(iv.ptr, des_iv, DES_CBC_BLOCK_SIZE);
DBG(DBG_RAW,
DBG_dump_chunk("DES IV :", iv)
)
rng->destroy(rng);
/* encryption using specified cipher */
switch (cipher)
{
case OID_DES_CBC:
des_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
, ks[0], &des_iv, DES_ENCRYPT);
break;
case OID_3DES_EDE_CBC:
default:
des_ede3_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
, ks[0], ks[1], ks[2], &des_iv, DES_ENCRYPT);
}
DBG(DBG_RAW,
DBG_dump_chunk("Encrypted data:\n", out));
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
DBG4("symmetric encryption key %B", &symmetricKey);
rng->destroy(rng);
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv);
DBG4("initialization vector: %B", &iv);
rng->destroy(rng);
}
/* pad the data to a multiple of the block size */
{
size_t block_size = crypter->get_block_size(crypter);
size_t padding = block_size - data.len % block_size;
in.len = data.len + padding;
in.ptr = malloc(in.len);
DBG2("padding %u bytes of data to multiple block size of %u bytes",
data.len, in.len);
/* copy data */
memcpy(in.ptr, data.ptr, data.len);
/* append padding */
memset(in.ptr + data.len, padding, padding);
}
DBG3("padded unencrypted data %B", &in);
/* symmetric encryption of data object */
crypter->set_key(crypter, symmetricKey);
crypter->encrypt(crypter, in, iv, &out);
crypter->destroy(crypter);
DBG3("encrypted data %B", &out);
free(in.ptr);
free(iv.ptr);
init_RSA_public_key(&public_key, cert->publicExponent, cert->modulus);
/* build pkcs7 enveloped data object */
{
chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm"
, cipher_oid
chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm"
, asn1_build_known_oid(enc_alg)
, asn1_simple_object(ASN1_OCTET_STRING, iv));
chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
@ -846,10 +771,8 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int ciph
, contentEncryptionAlgorithm
, asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
chunk_t plainKey = { (u_char *)key, DES_CBC_BLOCK_SIZE * total_keys };
chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
, RSA_encrypt(&public_key, plainKey));
, RSA_encrypt(&public_key, symmetricKey));
chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
, ASN1_INTEGER_0
@ -867,12 +790,11 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int ciph
, encryptedContentInfo);
cInfo = pkcs7_build_contentInfo(&envelopedData);
DBG(DBG_RAW,
DBG_dump_chunk("envelopedData:\n", cInfo)
)
DBG3("envelopedData %B", &cInfo);
free_RSA_public_content(&public_key);
free(envelopedData.content.ptr);
free(symmetricKey.ptr);
return cInfo;
}
}

22
src/pluto/pkcs7.h
View File

@ -17,6 +17,8 @@
#ifndef _PKCS7_H
#define _PKCS7_H
#include <crypto/crypters/crypter.h>
#include "defs.h"
#include "pkcs1.h"
#include "x509.h"
@ -32,18 +34,18 @@ struct contentInfo {
extern const contentInfo_t empty_contentInfo;
extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0
, contentInfo_t *cInfo);
extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data
, x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
, chunk_t serialNumber, const RSA_private_key_t *key);
extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0,
contentInfo_t *cInfo);
extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
chunk_t serialNumber, const RSA_private_key_t *key);
extern chunk_t pkcs7_contentType_attribute(void);
extern chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg);
extern chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert);
extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes
,const x509cert_t *cert, int digest_alg, const RSA_private_key_t *key);
extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert
, int cipher);
extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
const x509cert_t *cert, int digest_alg, const RSA_private_key_t *key);
extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert,
int enc_alg);
#endif /* _PKCS7_H */

8
src/scepclient/scepclient.8
View File

@ -152,7 +152,13 @@ Supported values for \fIalgo\fP:
.IP "\fBdes\-cbc\fP" 12
DES CBC encryption (key size = 56 bit).
.IP "\fB3des\-cbc\fP" 12
Triple DES CBC encryption (key size = 168 bit).
Triple DES-EDE-CBC encryption (key size = 168 bit).
.IP "\fBaes128\-cbc\fP" 12
AES-CBC encryption (key size = 128 bit).
.IP "\fBaes192\-cbc\fP" 12
AES-CBC encryption (key size = 192 bit).
.IP "\fBaes256\-cbc\fP" 12
AES-CBC encryption (key size = 256 bit).
.RE
.PP
.B \-o, \-\-out \fItype\fP[=\fIfilename\fP]

15
src/scepclient/scepclient.c
View File

@ -249,7 +249,8 @@ usage(const char *message)
" --password (-p) <pw> challenge password\n"
" - if pw is '%%prompt', password gets prompted for\n"
" --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
" <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n"
" <algo> = des-cbc | 3des-cbc | aes128-cbc |\n"
" aes192-cbc | aes256-cbc (default: 3des-cbc)\n"
"\n"
"Options for enrollment (cert):\n"
" --url (-u) <url> url of the SCEP server\n"
@ -707,6 +708,18 @@ int main(int argc, char **argv)
{
pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
}
else if (strcaseeq("aes128-cbc", optarg))
{
pkcs7_symmetric_cipher = OID_AES128_CBC;
}
else if (strcaseeq("aes192-cbc", optarg))
{
pkcs7_symmetric_cipher = OID_AES192_CBC;
}
else if (strcaseeq("aes256-cbc", optarg))
{
pkcs7_symmetric_cipher = OID_AES256_CBC;
}
else
{
usage("invalid encryption algorithm specified");