Annotation of embedaddon/strongswan/src/libstrongswan/plugins/openssl/openssl_plugin.c, revision 1.1.1.2
1.1 misho 1: /*
2: * Copyright (C) 2008-2020 Tobias Brunner
3: * Copyright (C) 2008 Martin Willi
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: #include <library.h>
18: #include <utils/debug.h>
19: #include <threading/thread.h>
20: #include <threading/mutex.h>
21: #include <threading/thread_value.h>
22:
23: #include <openssl/err.h>
24: #include <openssl/evp.h>
25: #include <openssl/conf.h>
26: #include <openssl/rand.h>
27: #include <openssl/crypto.h>
28: #ifndef OPENSSL_NO_ENGINE
29: #include <openssl/engine.h>
30: #endif
31:
32: #include "openssl_plugin.h"
33: #include "openssl_util.h"
34: #include "openssl_crypter.h"
35: #include "openssl_hasher.h"
36: #include "openssl_sha1_prf.h"
37: #include "openssl_diffie_hellman.h"
38: #include "openssl_ec_diffie_hellman.h"
39: #include "openssl_rsa_private_key.h"
40: #include "openssl_rsa_public_key.h"
41: #include "openssl_ec_private_key.h"
42: #include "openssl_ec_public_key.h"
43: #include "openssl_x509.h"
44: #include "openssl_crl.h"
45: #include "openssl_pkcs7.h"
46: #include "openssl_pkcs12.h"
47: #include "openssl_rng.h"
48: #include "openssl_hmac.h"
49: #include "openssl_aead.h"
50: #include "openssl_x_diffie_hellman.h"
51: #include "openssl_ed_public_key.h"
52: #include "openssl_ed_private_key.h"
53: #include "openssl_xof.h"
54:
55: #ifndef FIPS_MODE
56: #define FIPS_MODE 0
57: #endif
58:
59: typedef struct private_openssl_plugin_t private_openssl_plugin_t;
60:
61: /**
62: * private data of openssl_plugin
63: */
64: struct private_openssl_plugin_t {
65:
66: /**
67: * public functions
68: */
69: openssl_plugin_t public;
70: };
71:
72: /**
73: * OpenSSL is thread-safe since 1.1.0
74: */
75: #if OPENSSL_VERSION_NUMBER < 0x10100000L
76:
77: /**
1.1.1.2 ! misho 78: * Array of static mutexes, with CRYPTO_num_locks() mutex
1.1 misho 79: */
80: static mutex_t **mutex = NULL;
81:
82: /**
83: * Locking callback for static locks
84: */
85: static void locking_function(int mode, int type, const char *file, int line)
86: {
87: if (mutex)
88: {
89: if (mode & CRYPTO_LOCK)
90: {
91: mutex[type]->lock(mutex[type]);
92: }
93: else
94: {
95: mutex[type]->unlock(mutex[type]);
96: }
97: }
98: }
99:
100: /**
101: * Implementation of dynlock
102: */
103: struct CRYPTO_dynlock_value {
104: mutex_t *mutex;
105: };
106:
107: /**
108: * Callback to create a dynamic lock
109: */
110: static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
111: {
112: struct CRYPTO_dynlock_value *lock;
113:
114: lock = malloc_thing(struct CRYPTO_dynlock_value);
115: lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
116: return lock;
117: }
118:
119: /**
120: * Callback to (un-)lock a dynamic lock
121: */
122: static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
123: const char *file, int line)
124: {
125: if (mode & CRYPTO_LOCK)
126: {
127: lock->mutex->lock(lock->mutex);
128: }
129: else
130: {
131: lock->mutex->unlock(lock->mutex);
132: }
133: }
134:
135: /**
136: * Callback to destroy a dynamic lock
137: */
138: static void destroy_function(struct CRYPTO_dynlock_value *lock,
139: const char *file, int line)
140: {
141: lock->mutex->destroy(lock->mutex);
142: free(lock);
143: }
144:
145: /**
146: * Thread-local value used to cleanup thread-specific error buffers
147: */
148: static thread_value_t *cleanup;
149:
150: /**
151: * Called when a thread is destroyed. Avoid recursion by setting the thread id
152: * explicitly.
153: */
154: static void cleanup_thread(void *arg)
155: {
156: #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
157: CRYPTO_THREADID tid;
158:
159: CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
160: ERR_remove_thread_state(&tid);
161: #else
162: ERR_remove_state((u_long)(uintptr_t)arg);
163: #endif
164: }
165:
166: /**
167: * Thread-ID callback function
168: */
169: static u_long id_function(void)
170: {
171: u_long id;
172:
173: /* ensure the thread ID is never zero, otherwise OpenSSL might try to
174: * acquire locks recursively */
175: id = 1 + (u_long)thread_current_id();
176:
177: /* cleanup a thread's state later if OpenSSL interacted with it */
178: cleanup->set(cleanup, (void*)(uintptr_t)id);
179: return id;
180: }
181:
182: #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
183: /**
184: * Callback for thread ID
185: */
186: static void threadid_function(CRYPTO_THREADID *threadid)
187: {
188: CRYPTO_THREADID_set_numeric(threadid, id_function());
189: }
190: #endif /* OPENSSL_VERSION_NUMBER */
191:
192: /**
193: * initialize OpenSSL for multi-threaded use
194: */
195: static void threading_init()
196: {
197: int i, num_locks;
198:
199: cleanup = thread_value_create(cleanup_thread);
200:
201: #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
202: CRYPTO_THREADID_set_callback(threadid_function);
203: #else
204: CRYPTO_set_id_callback(id_function);
205: #endif
206:
207: CRYPTO_set_locking_callback(locking_function);
208:
209: CRYPTO_set_dynlock_create_callback(create_function);
210: CRYPTO_set_dynlock_lock_callback(lock_function);
211: CRYPTO_set_dynlock_destroy_callback(destroy_function);
212:
213: num_locks = CRYPTO_num_locks();
214: mutex = malloc(sizeof(mutex_t*) * num_locks);
215: for (i = 0; i < num_locks; i++)
216: {
217: mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
218: }
219: }
220:
221: /**
222: * cleanup OpenSSL threading locks
223: */
224: static void threading_cleanup()
225: {
226: int i, num_locks;
227:
228: num_locks = CRYPTO_num_locks();
229: for (i = 0; i < num_locks; i++)
230: {
231: mutex[i]->destroy(mutex[i]);
232: }
233: free(mutex);
234: mutex = NULL;
235:
236: cleanup->destroy(cleanup);
237: }
238:
239: #else /* OPENSSL_VERSION_NUMBER */
240:
241: #define threading_init()
242:
243: #define threading_cleanup()
244:
245: #endif
246:
247: #if OPENSSL_VERSION_NUMBER < 0x1010100fL
248: /**
249: * Seed the OpenSSL RNG, if required
250: * Not necessary anymore with OpenSSL 1.1.1 (maybe wasn't already earlier, but
251: * it's now explicitly mentioned in the documentation).
252: */
253: static bool seed_rng()
254: {
255: rng_t *rng = NULL;
256: char buf[32];
257:
258: while (RAND_status() != 1)
259: {
260: if (!rng)
261: {
262: rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
263: if (!rng)
264: {
265: return FALSE;
266: }
267: }
268: if (!rng->get_bytes(rng, sizeof(buf), buf))
269: {
270: rng->destroy(rng);
271: return FALSE;
272: }
273: RAND_seed(buf, sizeof(buf));
274: }
275: DESTROY_IF(rng);
276: return TRUE;
277: }
278: #endif /* OPENSSL_VERSION_NUMBER */
279:
280: /**
281: * Generic key loader
282: */
283: static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
284: {
285: chunk_t blob = chunk_empty;
286: EVP_PKEY *key;
287:
288: while (TRUE)
289: {
290: switch (va_arg(args, builder_part_t))
291: {
292: case BUILD_BLOB_ASN1_DER:
293: blob = va_arg(args, chunk_t);
294: continue;
295: case BUILD_END:
296: break;
297: default:
298: return NULL;
299: }
300: break;
301: }
302:
303: if (blob.ptr)
304: {
305: key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
306: if (key)
307: {
308: switch (EVP_PKEY_base_id(key))
309: {
310: #ifndef OPENSSL_NO_RSA
311: case EVP_PKEY_RSA:
312: return openssl_rsa_private_key_create(key, FALSE);
313: #endif
314: #ifndef OPENSSL_NO_ECDSA
315: case EVP_PKEY_EC:
316: return openssl_ec_private_key_create(key, FALSE);
317: #endif
318: #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
319: case EVP_PKEY_ED25519:
320: case EVP_PKEY_ED448:
321: return openssl_ed_private_key_create(key, FALSE);
322: #endif /* OPENSSL_VERSION_NUMBER */
323: default:
324: EVP_PKEY_free(key);
325: break;
326: }
327: }
328: }
329: return NULL;
330: }
331:
332: #ifndef OPENSSL_NO_ENGINE
333: /**
334: * Login to engine with a PIN specified for a keyid
335: */
336: static bool login(ENGINE *engine, chunk_t keyid)
337: {
338: enumerator_t *enumerator;
339: shared_key_t *shared;
340: identification_t *id;
341: chunk_t key;
342: char pin[64];
343: bool found = FALSE, success = FALSE;
344:
345: id = identification_create_from_encoding(ID_KEY_ID, keyid);
346: enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
347: SHARED_PIN, id, NULL);
348: while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
349: {
350: found = TRUE;
351: key = shared->get_key(shared);
352: if (snprintf(pin, sizeof(pin),
353: "%.*s", (int)key.len, key.ptr) >= sizeof(pin))
354: {
355: continue;
356: }
357: if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
358: {
359: success = TRUE;
360: break;
361: }
362: else
363: {
364: DBG1(DBG_CFG, "setting PIN on engine failed");
365: }
366: }
367: enumerator->destroy(enumerator);
368: id->destroy(id);
369: if (!found)
370: {
371: DBG1(DBG_CFG, "no PIN found for %#B", &keyid);
372: }
373: return success;
374: }
375: #endif /* OPENSSL_NO_ENGINE */
376:
377: /**
378: * Load private key via engine
379: */
380: static private_key_t *openssl_private_key_connect(key_type_t type,
381: va_list args)
382: {
383: #ifndef OPENSSL_NO_ENGINE
384: char *engine_id = NULL;
385: char keyname[BUF_LEN];
386: chunk_t keyid = chunk_empty;
387: EVP_PKEY *key;
388: ENGINE *engine;
389: int slot = -1;
390:
391: while (TRUE)
392: {
393: switch (va_arg(args, builder_part_t))
394: {
395: case BUILD_PKCS11_KEYID:
396: keyid = va_arg(args, chunk_t);
397: continue;
398: case BUILD_PKCS11_SLOT:
399: slot = va_arg(args, int);
400: continue;
401: case BUILD_PKCS11_MODULE:
402: engine_id = va_arg(args, char*);
403: continue;
404: case BUILD_END:
405: break;
406: default:
407: return NULL;
408: }
409: break;
410: }
411: if (!keyid.len)
412: {
413: return NULL;
414: }
415:
416: memset(keyname, 0, sizeof(keyname));
417: if (slot != -1)
418: {
419: snprintf(keyname, sizeof(keyname), "%d:", slot);
420: }
421: if (sizeof(keyname) - strlen(keyname) <= keyid.len * 2 + 1)
422: {
423: return NULL;
424: }
425: chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
426:
427: if (!engine_id)
428: {
429: engine_id = lib->settings->get_str(lib->settings,
430: "%s.plugins.openssl.engine_id", "pkcs11", lib->ns);
431: }
432: engine = ENGINE_by_id(engine_id);
433: if (!engine)
434: {
435: DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
436: return NULL;
437: }
438: if (!ENGINE_init(engine))
439: {
440: DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id);
441: ENGINE_free(engine);
442: return NULL;
443: }
444: ENGINE_free(engine);
445: if (!login(engine, keyid))
446: {
447: DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
448: ENGINE_finish(engine);
449: return NULL;
450: }
451: key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
452: ENGINE_finish(engine);
453: if (!key)
454: {
455: DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
456: "engine '%s'", keyname, engine_id);
457: return NULL;
458: }
459:
460: switch (EVP_PKEY_base_id(key))
461: {
462: #ifndef OPENSSL_NO_RSA
463: case EVP_PKEY_RSA:
464: return openssl_rsa_private_key_create(key, TRUE);
465: #endif
466: #ifndef OPENSSL_NO_ECDSA
467: case EVP_PKEY_EC:
468: return openssl_ec_private_key_create(key, TRUE);
469: #endif
470: #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
471: case EVP_PKEY_ED25519:
472: case EVP_PKEY_ED448:
473: return openssl_ed_private_key_create(key, TRUE);
474: #endif /* OPENSSL_VERSION_NUMBER */
475: default:
476: EVP_PKEY_free(key);
477: break;
478: }
479: #endif /* OPENSSL_NO_ENGINE */
480: return NULL;
481: }
482:
483: METHOD(plugin_t, get_name, char*,
484: private_openssl_plugin_t *this)
485: {
486: return "openssl";
487: }
488:
489: METHOD(plugin_t, get_features, int,
490: private_openssl_plugin_t *this, plugin_feature_t *features[])
491: {
492: static plugin_feature_t f[] = {
493: /* we provide OpenSSL threading callbacks */
494: PLUGIN_PROVIDE(CUSTOM, "openssl-threading"),
495: /* crypters */
496: PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
497: #ifndef OPENSSL_NO_AES
498: PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
499: PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
500: PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
501: PLUGIN_PROVIDE(CRYPTER, ENCR_AES_ECB, 16),
502: PLUGIN_PROVIDE(CRYPTER, ENCR_AES_ECB, 24),
503: PLUGIN_PROVIDE(CRYPTER, ENCR_AES_ECB, 32),
504: #endif
505: #ifndef OPENSSL_NO_CAMELLIA
506: PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
507: PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
508: PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
509: #endif
510: #ifndef OPENSSL_NO_RC5
511: PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
512: #endif
513: #ifndef OPENSSL_NO_CAST
514: PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
515: #endif
516: #ifndef OPENSSL_NO_BLOWFISH
517: PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
518: #endif
519: #ifndef OPENSSL_NO_IDEA
520: PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
521: #endif
522: #ifndef OPENSSL_NO_DES
523: PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
524: PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
525: PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
526: #endif
527: PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
528: /* hashers */
529: PLUGIN_REGISTER(HASHER, openssl_hasher_create),
530: #ifndef OPENSSL_NO_MD2
531: PLUGIN_PROVIDE(HASHER, HASH_MD2),
532: #endif
533: #ifndef OPENSSL_NO_MD4
534: PLUGIN_PROVIDE(HASHER, HASH_MD4),
535: #endif
536: #ifndef OPENSSL_NO_MD5
537: PLUGIN_PROVIDE(HASHER, HASH_MD5),
538: #endif
539: #ifndef OPENSSL_NO_SHA1
540: PLUGIN_PROVIDE(HASHER, HASH_SHA1),
541: #endif
542: #ifndef OPENSSL_NO_SHA256
543: PLUGIN_PROVIDE(HASHER, HASH_SHA224),
544: PLUGIN_PROVIDE(HASHER, HASH_SHA256),
545: #endif
546: #ifndef OPENSSL_NO_SHA512
547: PLUGIN_PROVIDE(HASHER, HASH_SHA384),
548: PLUGIN_PROVIDE(HASHER, HASH_SHA512),
549: #endif
550: /* SHA3/SHAKE was added with OpenSSL 1.1.1, it doesn't seem to be possible to
551: * disable it, defining the checked var prevents registration, though */
552: #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3)
553: PLUGIN_PROVIDE(HASHER, HASH_SHA3_224),
554: PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
555: PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
556: PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
557: #endif
558: #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHAKE)
559: PLUGIN_REGISTER(XOF, openssl_xof_create),
560: PLUGIN_PROVIDE(XOF, XOF_SHAKE_128),
561: PLUGIN_PROVIDE(XOF, XOF_SHAKE_256),
562: #endif
563: #ifndef OPENSSL_NO_SHA1
564: /* keyed sha1 hasher (aka prf) */
565: PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
566: PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
567: #endif
568: #ifndef OPENSSL_NO_HMAC
569: PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
570: #ifndef OPENSSL_NO_MD5
571: PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
572: #endif
573: #ifndef OPENSSL_NO_SHA1
574: PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
575: #endif
576: #ifndef OPENSSL_NO_SHA256
577: PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
578: #endif
579: #ifndef OPENSSL_NO_SHA512
580: PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
581: PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
582: #endif
583: PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
584: #ifndef OPENSSL_NO_MD5
585: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
586: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
587: #endif
588: #ifndef OPENSSL_NO_SHA1
589: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
590: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
591: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
592: #endif
593: #ifndef OPENSSL_NO_SHA256
594: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
595: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
596: #endif
597: #ifndef OPENSSL_NO_SHA512
598: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
599: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
600: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
601: PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
602: #endif
603: #endif /* OPENSSL_NO_HMAC */
604: #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_AES)) || \
605: (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_CHACHA))
606: /* AEAD (AES GCM since 1.0.1, ChaCha20-Poly1305 since 1.1.0) */
607: PLUGIN_REGISTER(AEAD, openssl_aead_create),
608: #ifndef OPENSSL_NO_AES
609: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
610: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
611: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
612: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
613: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
614: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
615: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
616: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
617: PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
618: #endif /* OPENSSL_NO_AES */
619: #if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_CHACHA)
620: PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32),
621: #endif /* OPENSSL_NO_CHACHA */
622: #endif /* OPENSSL_VERSION_NUMBER */
623: #ifndef OPENSSL_NO_ECDH
624: /* EC DH groups */
625: PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
626: PLUGIN_PROVIDE(DH, ECP_256_BIT),
627: PLUGIN_PROVIDE(DH, ECP_384_BIT),
628: PLUGIN_PROVIDE(DH, ECP_521_BIT),
629: PLUGIN_PROVIDE(DH, ECP_224_BIT),
630: PLUGIN_PROVIDE(DH, ECP_192_BIT),
631: PLUGIN_PROVIDE(DH, ECP_256_BP),
632: PLUGIN_PROVIDE(DH, ECP_384_BP),
633: PLUGIN_PROVIDE(DH, ECP_512_BP),
634: PLUGIN_PROVIDE(DH, ECP_224_BP),
635: #endif /* OPENSSL_NO_ECDH */
636: #ifndef OPENSSL_NO_DH
637: /* MODP DH groups */
638: PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
639: PLUGIN_PROVIDE(DH, MODP_3072_BIT),
640: PLUGIN_PROVIDE(DH, MODP_4096_BIT),
641: PLUGIN_PROVIDE(DH, MODP_6144_BIT),
642: PLUGIN_PROVIDE(DH, MODP_8192_BIT),
643: PLUGIN_PROVIDE(DH, MODP_2048_BIT),
644: PLUGIN_PROVIDE(DH, MODP_2048_224),
645: PLUGIN_PROVIDE(DH, MODP_2048_256),
646: PLUGIN_PROVIDE(DH, MODP_1536_BIT),
647: PLUGIN_PROVIDE(DH, MODP_1024_BIT),
648: PLUGIN_PROVIDE(DH, MODP_1024_160),
649: PLUGIN_PROVIDE(DH, MODP_768_BIT),
650: PLUGIN_PROVIDE(DH, MODP_CUSTOM),
651: #endif
652: #ifndef OPENSSL_NO_RSA
653: /* RSA private/public key loading */
654: PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
655: PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
656: PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
657: PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
658: PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
659: PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
660: PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
661: PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
662: /* signature/encryption schemes */
663: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
664: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
665: #if OPENSSL_VERSION_NUMBER >= 0x10000000L
666: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS),
667: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS),
668: #endif
669: #ifndef OPENSSL_NO_SHA1
670: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
671: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
672: #endif
673: #ifndef OPENSSL_NO_SHA256
674: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224),
675: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256),
676: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224),
677: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256),
678: #endif
679: #ifndef OPENSSL_NO_SHA512
680: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384),
681: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512),
682: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
683: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
684: #endif
685: #ifndef OPENSSL_NO_MD5
686: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
687: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
688: #endif
689: PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
690: PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
691: #endif /* OPENSSL_NO_RSA */
692: /* certificate/CRL loading */
693: PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
694: PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
695: PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
696: PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
697: PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
698: PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
699: PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
700: #if OPENSSL_VERSION_NUMBER >= 0x0090807fL
701: #ifndef OPENSSL_NO_CMS
702: PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
703: PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
704: #endif /* OPENSSL_NO_CMS */
705: #endif /* OPENSSL_VERSION_NUMBER */
706: PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
707: PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
708: #ifndef OPENSSL_NO_ECDSA
709: /* EC private/public key loading */
710: PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
711: PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
712: PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
713: PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
714: PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
715: PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
716: /* signature encryption schemes */
717: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
718: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
719: #ifndef OPENSSL_NO_SHA1
720: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
721: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
722: #endif
723: #ifndef OPENSSL_NO_SHA256
724: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
725: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
726: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
727: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
728: #endif
729: #ifndef OPENSSL_NO_SHA512
730: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
731: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
732: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
733: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
734: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
735: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
736: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
737: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
738: #endif
739: #endif /* OPENSSL_NO_ECDSA */
1.1.1.2 ! misho 740: #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH)
1.1 misho 741: PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create),
742: /* available since 1.1.0a, but we require 1.1.1 features */
743: PLUGIN_PROVIDE(DH, CURVE_25519),
744: /* available since 1.1.1 */
745: PLUGIN_PROVIDE(DH, CURVE_448),
1.1.1.2 ! misho 746: #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_ECDH */
! 747: #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
1.1 misho 748: /* EdDSA private/public key loading */
749: PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
750: PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
751: PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
752: PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
753: PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
754: PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
755: PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
756: PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
757: PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
758: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
759: PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
760: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
761: PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
762: /* register a pro forma identity hasher, never instantiated */
763: PLUGIN_REGISTER(HASHER, return_null),
764: PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
765: #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
766: /* generic key loader */
767: PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
768: PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
769: PLUGIN_REGISTER(PRIVKEY, openssl_private_key_connect, FALSE),
770: PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
771: PLUGIN_REGISTER(RNG, openssl_rng_create),
772: PLUGIN_PROVIDE(RNG, RNG_STRONG),
773: PLUGIN_PROVIDE(RNG, RNG_WEAK),
774: };
775: *features = f;
776: return countof(f);
777: }
778:
779: METHOD(plugin_t, destroy, void,
780: private_openssl_plugin_t *this)
781: {
782: /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
783: * can't call it as we couldn't re-initialize the library (as required by the
784: * unit tests and the Android app) */
785: #if OPENSSL_VERSION_NUMBER < 0x10100000L
786: #ifndef OPENSSL_IS_BORINGSSL
787: CONF_modules_free();
788: OBJ_cleanup();
789: #endif
790: EVP_cleanup();
791: #ifndef OPENSSL_NO_ENGINE
792: ENGINE_cleanup();
793: #endif /* OPENSSL_NO_ENGINE */
794: CRYPTO_cleanup_all_ex_data();
795: threading_cleanup();
796: ERR_free_strings();
797: #endif /* OPENSSL_VERSION_NUMBER */
798:
799: free(this);
800: }
801:
802: /*
803: * see header file
804: */
805: plugin_t *openssl_plugin_create()
806: {
807: private_openssl_plugin_t *this;
808: int fips_mode;
809:
810: fips_mode = lib->settings->get_int(lib->settings,
811: "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
812: #ifdef OPENSSL_FIPS
813: if (fips_mode)
814: {
815: if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
816: {
817: DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d) from (%d)",
818: fips_mode, FIPS_mode());
819: return NULL;
820: }
821: }
822: #else
823: if (fips_mode)
824: {
825: DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
826: return NULL;
827: }
828: #endif
829:
830: INIT(this,
831: .public = {
832: .plugin = {
833: .get_name = _get_name,
834: .get_features = _get_features,
835: .destroy = _destroy,
836: },
837: },
838: );
839:
840: #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
841: /* note that we can't call OPENSSL_cleanup() when the plugin is destroyed
842: * as we couldn't initialize the library again afterwards */
843: OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG |
844: OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
845: #else /* OPENSSL_VERSION_NUMBER */
846: threading_init();
847: #ifndef OPENSSL_IS_BORINGSSL
848: OPENSSL_config(NULL);
849: #endif
850: OpenSSL_add_all_algorithms();
851: #ifndef OPENSSL_NO_ENGINE
852: /* activate support for hardware accelerators */
853: ENGINE_load_builtin_engines();
854: ENGINE_register_all_complete();
855: #endif /* OPENSSL_NO_ENGINE */
856: #endif /* OPENSSL_VERSION_NUMBER */
857:
858: #ifdef OPENSSL_FIPS
859: /* we do this here as it may have been enabled via openssl.conf */
860: fips_mode = FIPS_mode();
861: dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
862: "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
863: #endif /* OPENSSL_FIPS */
864:
865: #if OPENSSL_VERSION_NUMBER < 0x1010100fL
866: if (!seed_rng())
867: {
868: DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
869: destroy(this);
870: return NULL;
871: }
872: #endif /* OPENSSL_VERSION_NUMBER */
873:
874: return &this->public.plugin;
875: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to openssl_plugin.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / openssl