2 * Copyright (C) 2008-2018 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 #include <utils/debug.h>
19 #include <threading/thread.h>
20 #include <threading/mutex.h>
21 #include <threading/thread_value.h>
23 #include <openssl/err.h>
24 #include <openssl/evp.h>
25 #include <openssl/conf.h>
26 #include <openssl/rand.h>
27 #include <openssl/crypto.h>
28 #ifndef OPENSSL_NO_ENGINE
29 #include <openssl/engine.h>
32 #include "openssl_plugin.h"
33 #include "openssl_util.h"
34 #include "openssl_crypter.h"
35 #include "openssl_hasher.h"
36 #include "openssl_sha1_prf.h"
37 #include "openssl_diffie_hellman.h"
38 #include "openssl_ec_diffie_hellman.h"
39 #include "openssl_rsa_private_key.h"
40 #include "openssl_rsa_public_key.h"
41 #include "openssl_ec_private_key.h"
42 #include "openssl_ec_public_key.h"
43 #include "openssl_x509.h"
44 #include "openssl_crl.h"
45 #include "openssl_pkcs7.h"
46 #include "openssl_pkcs12.h"
47 #include "openssl_rng.h"
48 #include "openssl_hmac.h"
49 #include "openssl_gcm.h"
50 #include "openssl_x_diffie_hellman.h"
51 #include "openssl_ed_public_key.h"
52 #include "openssl_ed_private_key.h"
58 typedef struct private_openssl_plugin_t private_openssl_plugin_t
;
61 * private data of openssl_plugin
63 struct private_openssl_plugin_t
{
68 openssl_plugin_t
public;
72 * OpenSSL is thread-safe since 1.1.0
74 #if OPENSSL_VERSION_NUMBER < 0x10100000L
77 * Array of static mutexs, with CRYPTO_num_locks() mutex
79 static mutex_t
**mutex
= NULL
;
82 * Locking callback for static locks
84 static void locking_function(int mode
, int type
, const char *file
, int line
)
88 if (mode
& CRYPTO_LOCK
)
90 mutex
[type
]->lock(mutex
[type
]);
94 mutex
[type
]->unlock(mutex
[type
]);
100 * Implementation of dynlock
102 struct CRYPTO_dynlock_value
{
107 * Callback to create a dynamic lock
109 static struct CRYPTO_dynlock_value
*create_function(const char *file
, int line
)
111 struct CRYPTO_dynlock_value
*lock
;
113 lock
= malloc_thing(struct CRYPTO_dynlock_value
);
114 lock
->mutex
= mutex_create(MUTEX_TYPE_DEFAULT
);
119 * Callback to (un-)lock a dynamic lock
121 static void lock_function(int mode
, struct CRYPTO_dynlock_value
*lock
,
122 const char *file
, int line
)
124 if (mode
& CRYPTO_LOCK
)
126 lock
->mutex
->lock(lock
->mutex
);
130 lock
->mutex
->unlock(lock
->mutex
);
135 * Callback to destroy a dynamic lock
137 static void destroy_function(struct CRYPTO_dynlock_value
*lock
,
138 const char *file
, int line
)
140 lock
->mutex
->destroy(lock
->mutex
);
145 * Thread-local value used to cleanup thread-specific error buffers
147 static thread_value_t
*cleanup
;
150 * Called when a thread is destroyed. Avoid recursion by setting the thread id
153 static void cleanup_thread(void *arg
)
155 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
158 CRYPTO_THREADID_set_numeric(&tid
, (u_long
)(uintptr_t)arg
);
159 ERR_remove_thread_state(&tid
);
161 ERR_remove_state((u_long
)(uintptr_t)arg
);
166 * Thread-ID callback function
168 static u_long
id_function(void)
172 /* ensure the thread ID is never zero, otherwise OpenSSL might try to
173 * acquire locks recursively */
174 id
= 1 + (u_long
)thread_current_id();
176 /* cleanup a thread's state later if OpenSSL interacted with it */
177 cleanup
->set(cleanup
, (void*)(uintptr_t)id
);
181 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
183 * Callback for thread ID
185 static void threadid_function(CRYPTO_THREADID
*threadid
)
187 CRYPTO_THREADID_set_numeric(threadid
, id_function());
189 #endif /* OPENSSL_VERSION_NUMBER */
192 * initialize OpenSSL for multi-threaded use
194 static void threading_init()
198 cleanup
= thread_value_create(cleanup_thread
);
200 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
201 CRYPTO_THREADID_set_callback(threadid_function
);
203 CRYPTO_set_id_callback(id_function
);
206 CRYPTO_set_locking_callback(locking_function
);
208 CRYPTO_set_dynlock_create_callback(create_function
);
209 CRYPTO_set_dynlock_lock_callback(lock_function
);
210 CRYPTO_set_dynlock_destroy_callback(destroy_function
);
212 num_locks
= CRYPTO_num_locks();
213 mutex
= malloc(sizeof(mutex_t
*) * num_locks
);
214 for (i
= 0; i
< num_locks
; i
++)
216 mutex
[i
] = mutex_create(MUTEX_TYPE_DEFAULT
);
221 * cleanup OpenSSL threading locks
223 static void threading_cleanup()
227 num_locks
= CRYPTO_num_locks();
228 for (i
= 0; i
< num_locks
; i
++)
230 mutex
[i
]->destroy(mutex
[i
]);
235 cleanup
->destroy(cleanup
);
238 #else /* OPENSSL_VERSION_NUMBER */
240 #define threading_init()
242 #define threading_cleanup()
247 * Seed the OpenSSL RNG, if required
249 static bool seed_rng()
254 while (RAND_status() != 1)
258 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_STRONG
);
264 if (!rng
->get_bytes(rng
, sizeof(buf
), buf
))
269 RAND_seed(buf
, sizeof(buf
));
278 static private_key_t
*openssl_private_key_load(key_type_t type
, va_list args
)
280 chunk_t blob
= chunk_empty
;
285 switch (va_arg(args
, builder_part_t
))
287 case BUILD_BLOB_ASN1_DER
:
288 blob
= va_arg(args
, chunk_t
);
300 key
= d2i_AutoPrivateKey(NULL
, (const u_char
**)&blob
.ptr
, blob
.len
);
303 switch (EVP_PKEY_base_id(key
))
305 #ifndef OPENSSL_NO_RSA
307 return openssl_rsa_private_key_create(key
, FALSE
);
309 #ifndef OPENSSL_NO_ECDSA
311 return openssl_ec_private_key_create(key
, FALSE
);
313 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
314 case EVP_PKEY_ED25519
:
316 return openssl_ed_private_key_create(key
, FALSE
);
317 #endif /* OPENSSL_VERSION_NUMBER */
327 #ifndef OPENSSL_NO_ENGINE
329 * Login to engine with a PIN specified for a keyid
331 static bool login(ENGINE
*engine
, chunk_t keyid
)
333 enumerator_t
*enumerator
;
334 shared_key_t
*shared
;
335 identification_t
*id
;
338 bool found
= FALSE
, success
= FALSE
;
340 id
= identification_create_from_encoding(ID_KEY_ID
, keyid
);
341 enumerator
= lib
->credmgr
->create_shared_enumerator(lib
->credmgr
,
342 SHARED_PIN
, id
, NULL
);
343 while (enumerator
->enumerate(enumerator
, &shared
, NULL
, NULL
))
346 key
= shared
->get_key(shared
);
347 if (snprintf(pin
, sizeof(pin
),
348 "%.*s", (int)key
.len
, key
.ptr
) >= sizeof(pin
))
352 if (ENGINE_ctrl_cmd_string(engine
, "PIN", pin
, 0))
359 DBG1(DBG_CFG
, "setting PIN on engine failed");
362 enumerator
->destroy(enumerator
);
366 DBG1(DBG_CFG
, "no PIN found for %#B", &keyid
);
370 #endif /* OPENSSL_NO_ENGINE */
373 * Load private key via engine
375 static private_key_t
*openssl_private_key_connect(key_type_t type
,
378 #ifndef OPENSSL_NO_ENGINE
379 char *engine_id
= NULL
;
380 char keyname
[BUF_LEN
];
381 chunk_t keyid
= chunk_empty
;
388 switch (va_arg(args
, builder_part_t
))
390 case BUILD_PKCS11_KEYID
:
391 keyid
= va_arg(args
, chunk_t
);
393 case BUILD_PKCS11_SLOT
:
394 slot
= va_arg(args
, int);
396 case BUILD_PKCS11_MODULE
:
397 engine_id
= va_arg(args
, char*);
411 memset(keyname
, 0, sizeof(keyname
));
414 snprintf(keyname
, sizeof(keyname
), "%d:", slot
);
416 if (sizeof(keyname
) - strlen(keyname
) <= keyid
.len
* 2 + 1)
420 chunk_to_hex(keyid
, keyname
+ strlen(keyname
), FALSE
);
424 engine_id
= lib
->settings
->get_str(lib
->settings
,
425 "%s.plugins.openssl.engine_id", "pkcs11", lib
->ns
);
427 engine
= ENGINE_by_id(engine_id
);
430 DBG2(DBG_LIB
, "engine '%s' is not available", engine_id
);
433 if (!ENGINE_init(engine
))
435 DBG1(DBG_LIB
, "failed to initialize engine '%s'", engine_id
);
440 if (!login(engine
, keyid
))
442 DBG1(DBG_LIB
, "login to engine '%s' failed", engine_id
);
443 ENGINE_finish(engine
);
446 key
= ENGINE_load_private_key(engine
, keyname
, NULL
, NULL
);
447 ENGINE_finish(engine
);
450 DBG1(DBG_LIB
, "failed to load private key with ID '%s' from "
451 "engine '%s'", keyname
, engine_id
);
455 switch (EVP_PKEY_base_id(key
))
457 #ifndef OPENSSL_NO_RSA
459 return openssl_rsa_private_key_create(key
, TRUE
);
461 #ifndef OPENSSL_NO_ECDSA
463 return openssl_ec_private_key_create(key
, TRUE
);
465 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
466 case EVP_PKEY_ED25519
:
468 return openssl_ed_private_key_create(key
, TRUE
);
469 #endif /* OPENSSL_VERSION_NUMBER */
474 #endif /* OPENSSL_NO_ENGINE */
478 METHOD(plugin_t
, get_name
, char*,
479 private_openssl_plugin_t
*this)
484 METHOD(plugin_t
, get_features
, int,
485 private_openssl_plugin_t
*this, plugin_feature_t
*features
[])
487 static plugin_feature_t f
[] = {
488 /* we provide OpenSSL threading callbacks */
489 PLUGIN_PROVIDE(CUSTOM
, "openssl-threading"),
491 PLUGIN_REGISTER(CRYPTER
, openssl_crypter_create
),
492 #ifndef OPENSSL_NO_AES
493 PLUGIN_PROVIDE(CRYPTER
, ENCR_AES_CBC
, 16),
494 PLUGIN_PROVIDE(CRYPTER
, ENCR_AES_CBC
, 24),
495 PLUGIN_PROVIDE(CRYPTER
, ENCR_AES_CBC
, 32),
497 #ifndef OPENSSL_NO_CAMELLIA
498 PLUGIN_PROVIDE(CRYPTER
, ENCR_CAMELLIA_CBC
, 16),
499 PLUGIN_PROVIDE(CRYPTER
, ENCR_CAMELLIA_CBC
, 24),
500 PLUGIN_PROVIDE(CRYPTER
, ENCR_CAMELLIA_CBC
, 32),
502 #ifndef OPENSSL_NO_RC5
503 PLUGIN_PROVIDE(CRYPTER
, ENCR_RC5
, 0),
505 #ifndef OPENSSL_NO_CAST
506 PLUGIN_PROVIDE(CRYPTER
, ENCR_CAST
, 0),
508 #ifndef OPENSSL_NO_BLOWFISH
509 PLUGIN_PROVIDE(CRYPTER
, ENCR_BLOWFISH
, 0),
511 #ifndef OPENSSL_NO_IDEA
512 PLUGIN_PROVIDE(CRYPTER
, ENCR_IDEA
, 16),
514 #ifndef OPENSSL_NO_DES
515 PLUGIN_PROVIDE(CRYPTER
, ENCR_3DES
, 24),
516 PLUGIN_PROVIDE(CRYPTER
, ENCR_DES
, 8),
517 PLUGIN_PROVIDE(CRYPTER
, ENCR_DES_ECB
, 8),
519 PLUGIN_PROVIDE(CRYPTER
, ENCR_NULL
, 0),
521 PLUGIN_REGISTER(HASHER
, openssl_hasher_create
),
522 #ifndef OPENSSL_NO_MD2
523 PLUGIN_PROVIDE(HASHER
, HASH_MD2
),
525 #ifndef OPENSSL_NO_MD4
526 PLUGIN_PROVIDE(HASHER
, HASH_MD4
),
528 #ifndef OPENSSL_NO_MD5
529 PLUGIN_PROVIDE(HASHER
, HASH_MD5
),
531 #ifndef OPENSSL_NO_SHA1
532 PLUGIN_PROVIDE(HASHER
, HASH_SHA1
),
534 #ifndef OPENSSL_NO_SHA256
535 PLUGIN_PROVIDE(HASHER
, HASH_SHA224
),
536 PLUGIN_PROVIDE(HASHER
, HASH_SHA256
),
538 #ifndef OPENSSL_NO_SHA512
539 PLUGIN_PROVIDE(HASHER
, HASH_SHA384
),
540 PLUGIN_PROVIDE(HASHER
, HASH_SHA512
),
542 #ifndef OPENSSL_NO_SHA1
543 /* keyed sha1 hasher (aka prf) */
544 PLUGIN_REGISTER(PRF
, openssl_sha1_prf_create
),
545 PLUGIN_PROVIDE(PRF
, PRF_KEYED_SHA1
),
547 #ifndef OPENSSL_NO_HMAC
548 PLUGIN_REGISTER(PRF
, openssl_hmac_prf_create
),
549 #ifndef OPENSSL_NO_MD5
550 PLUGIN_PROVIDE(PRF
, PRF_HMAC_MD5
),
552 #ifndef OPENSSL_NO_SHA1
553 PLUGIN_PROVIDE(PRF
, PRF_HMAC_SHA1
),
555 #ifndef OPENSSL_NO_SHA256
556 PLUGIN_PROVIDE(PRF
, PRF_HMAC_SHA2_256
),
558 #ifndef OPENSSL_NO_SHA512
559 PLUGIN_PROVIDE(PRF
, PRF_HMAC_SHA2_384
),
560 PLUGIN_PROVIDE(PRF
, PRF_HMAC_SHA2_512
),
562 PLUGIN_REGISTER(SIGNER
, openssl_hmac_signer_create
),
563 #ifndef OPENSSL_NO_MD5
564 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_MD5_96
),
565 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_MD5_128
),
567 #ifndef OPENSSL_NO_SHA1
568 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA1_96
),
569 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA1_128
),
570 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA1_160
),
572 #ifndef OPENSSL_NO_SHA256
573 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA2_256_128
),
574 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA2_256_256
),
576 #ifndef OPENSSL_NO_SHA512
577 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA2_384_192
),
578 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA2_384_384
),
579 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA2_512_256
),
580 PLUGIN_PROVIDE(SIGNER
, AUTH_HMAC_SHA2_512_512
),
582 #endif /* OPENSSL_NO_HMAC */
583 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
584 #ifndef OPENSSL_NO_AES
586 PLUGIN_REGISTER(AEAD
, openssl_gcm_create
),
587 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV16
, 16),
588 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV16
, 24),
589 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV16
, 32),
590 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV12
, 16),
591 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV12
, 24),
592 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV12
, 32),
593 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV8
, 16),
594 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV8
, 24),
595 PLUGIN_PROVIDE(AEAD
, ENCR_AES_GCM_ICV8
, 32),
596 #endif /* OPENSSL_NO_AES */
597 #endif /* OPENSSL_VERSION_NUMBER */
598 #ifndef OPENSSL_NO_ECDH
600 PLUGIN_REGISTER(DH
, openssl_ec_diffie_hellman_create
),
601 PLUGIN_PROVIDE(DH
, ECP_256_BIT
),
602 PLUGIN_PROVIDE(DH
, ECP_384_BIT
),
603 PLUGIN_PROVIDE(DH
, ECP_521_BIT
),
604 PLUGIN_PROVIDE(DH
, ECP_224_BIT
),
605 PLUGIN_PROVIDE(DH
, ECP_192_BIT
),
606 PLUGIN_PROVIDE(DH
, ECP_256_BP
),
607 PLUGIN_PROVIDE(DH
, ECP_384_BP
),
608 PLUGIN_PROVIDE(DH
, ECP_512_BP
),
609 PLUGIN_PROVIDE(DH
, ECP_224_BP
),
610 #endif /* OPENSSL_NO_ECDH */
611 #ifndef OPENSSL_NO_DH
613 PLUGIN_REGISTER(DH
, openssl_diffie_hellman_create
),
614 PLUGIN_PROVIDE(DH
, MODP_3072_BIT
),
615 PLUGIN_PROVIDE(DH
, MODP_4096_BIT
),
616 PLUGIN_PROVIDE(DH
, MODP_6144_BIT
),
617 PLUGIN_PROVIDE(DH
, MODP_8192_BIT
),
618 PLUGIN_PROVIDE(DH
, MODP_2048_BIT
),
619 PLUGIN_PROVIDE(DH
, MODP_2048_224
),
620 PLUGIN_PROVIDE(DH
, MODP_2048_256
),
621 PLUGIN_PROVIDE(DH
, MODP_1536_BIT
),
622 PLUGIN_PROVIDE(DH
, MODP_1024_BIT
),
623 PLUGIN_PROVIDE(DH
, MODP_1024_160
),
624 PLUGIN_PROVIDE(DH
, MODP_768_BIT
),
625 PLUGIN_PROVIDE(DH
, MODP_CUSTOM
),
627 #ifndef OPENSSL_NO_RSA
628 /* RSA private/public key loading */
629 PLUGIN_REGISTER(PRIVKEY
, openssl_rsa_private_key_load
, TRUE
),
630 PLUGIN_PROVIDE(PRIVKEY
, KEY_RSA
),
631 PLUGIN_REGISTER(PRIVKEY_GEN
, openssl_rsa_private_key_gen
, FALSE
),
632 PLUGIN_PROVIDE(PRIVKEY_GEN
, KEY_RSA
),
633 PLUGIN_REGISTER(PUBKEY
, openssl_rsa_public_key_load
, TRUE
),
634 PLUGIN_PROVIDE(PUBKEY
, KEY_RSA
),
635 PLUGIN_REGISTER(PUBKEY
, openssl_rsa_public_key_load
, TRUE
),
636 PLUGIN_PROVIDE(PUBKEY
, KEY_ANY
),
637 /* signature/encryption schemes */
638 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_NULL
),
639 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_NULL
),
640 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
641 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PSS
),
642 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PSS
),
644 #ifndef OPENSSL_NO_SHA1
645 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_SHA1
),
646 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_SHA1
),
648 #ifndef OPENSSL_NO_SHA256
649 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_SHA2_224
),
650 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_SHA2_256
),
651 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_SHA2_224
),
652 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_SHA2_256
),
654 #ifndef OPENSSL_NO_SHA512
655 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_SHA2_384
),
656 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_SHA2_512
),
657 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_SHA2_384
),
658 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_SHA2_512
),
660 #ifndef OPENSSL_NO_MD5
661 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_RSA_EMSA_PKCS1_MD5
),
662 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_RSA_EMSA_PKCS1_MD5
),
664 PLUGIN_PROVIDE(PRIVKEY_DECRYPT
, ENCRYPT_RSA_PKCS1
),
665 PLUGIN_PROVIDE(PUBKEY_ENCRYPT
, ENCRYPT_RSA_PKCS1
),
666 #endif /* OPENSSL_NO_RSA */
667 /* certificate/CRL loading */
668 PLUGIN_REGISTER(CERT_DECODE
, openssl_x509_load
, TRUE
),
669 PLUGIN_PROVIDE(CERT_DECODE
, CERT_X509
),
670 PLUGIN_SDEPEND(PUBKEY
, KEY_RSA
),
671 PLUGIN_SDEPEND(PUBKEY
, KEY_ECDSA
),
672 PLUGIN_SDEPEND(PUBKEY
, KEY_DSA
),
673 PLUGIN_REGISTER(CERT_DECODE
, openssl_crl_load
, TRUE
),
674 PLUGIN_PROVIDE(CERT_DECODE
, CERT_X509_CRL
),
675 #if OPENSSL_VERSION_NUMBER >= 0x0090807fL
676 #ifndef OPENSSL_NO_CMS
677 PLUGIN_REGISTER(CONTAINER_DECODE
, openssl_pkcs7_load
, TRUE
),
678 PLUGIN_PROVIDE(CONTAINER_DECODE
, CONTAINER_PKCS7
),
679 #endif /* OPENSSL_NO_CMS */
680 #endif /* OPENSSL_VERSION_NUMBER */
681 PLUGIN_REGISTER(CONTAINER_DECODE
, openssl_pkcs12_load
, TRUE
),
682 PLUGIN_PROVIDE(CONTAINER_DECODE
, CONTAINER_PKCS12
),
683 #ifndef OPENSSL_NO_ECDSA
684 /* EC private/public key loading */
685 PLUGIN_REGISTER(PRIVKEY
, openssl_ec_private_key_load
, TRUE
),
686 PLUGIN_PROVIDE(PRIVKEY
, KEY_ECDSA
),
687 PLUGIN_REGISTER(PRIVKEY_GEN
, openssl_ec_private_key_gen
, FALSE
),
688 PLUGIN_PROVIDE(PRIVKEY_GEN
, KEY_ECDSA
),
689 PLUGIN_REGISTER(PUBKEY
, openssl_ec_public_key_load
, TRUE
),
690 PLUGIN_PROVIDE(PUBKEY
, KEY_ECDSA
),
691 /* signature encryption schemes */
692 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_WITH_NULL
),
693 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_WITH_NULL
),
694 #ifndef OPENSSL_NO_SHA1
695 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_WITH_SHA1_DER
),
696 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_WITH_SHA1_DER
),
698 #ifndef OPENSSL_NO_SHA256
699 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_WITH_SHA256_DER
),
700 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_WITH_SHA256_DER
),
701 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_256
),
702 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_256
),
704 #ifndef OPENSSL_NO_SHA512
705 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_WITH_SHA384_DER
),
706 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_WITH_SHA512_DER
),
707 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_WITH_SHA384_DER
),
708 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_WITH_SHA512_DER
),
709 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_384
),
710 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ECDSA_521
),
711 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_384
),
712 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ECDSA_521
),
714 #endif /* OPENSSL_NO_ECDSA */
715 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
716 PLUGIN_REGISTER(DH
, openssl_x_diffie_hellman_create
),
717 /* available since 1.1.0a, but we require 1.1.1 features */
718 PLUGIN_PROVIDE(DH
, CURVE_25519
),
719 /* available since 1.1.1 */
720 PLUGIN_PROVIDE(DH
, CURVE_448
),
721 /* EdDSA private/public key loading */
722 PLUGIN_REGISTER(PUBKEY
, openssl_ed_public_key_load
, TRUE
),
723 PLUGIN_PROVIDE(PUBKEY
, KEY_ED25519
),
724 PLUGIN_PROVIDE(PUBKEY
, KEY_ED448
),
725 PLUGIN_REGISTER(PRIVKEY
, openssl_ed_private_key_load
, TRUE
),
726 PLUGIN_PROVIDE(PRIVKEY
, KEY_ED25519
),
727 PLUGIN_PROVIDE(PRIVKEY
, KEY_ED448
),
728 PLUGIN_REGISTER(PRIVKEY_GEN
, openssl_ed_private_key_gen
, FALSE
),
729 PLUGIN_PROVIDE(PRIVKEY_GEN
, KEY_ED25519
),
730 PLUGIN_PROVIDE(PRIVKEY_GEN
, KEY_ED448
),
731 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ED25519
),
732 PLUGIN_PROVIDE(PRIVKEY_SIGN
, SIGN_ED448
),
733 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ED25519
),
734 PLUGIN_PROVIDE(PUBKEY_VERIFY
, SIGN_ED448
),
735 /* register a pro forma identity hasher, never instantiated */
736 PLUGIN_REGISTER(HASHER
, return_null
),
737 PLUGIN_PROVIDE(HASHER
, HASH_IDENTITY
),
738 #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
739 /* generic key loader */
740 PLUGIN_REGISTER(PRIVKEY
, openssl_private_key_load
, TRUE
),
741 PLUGIN_PROVIDE(PRIVKEY
, KEY_ANY
),
742 PLUGIN_REGISTER(PRIVKEY
, openssl_private_key_connect
, FALSE
),
743 PLUGIN_PROVIDE(PRIVKEY
, KEY_ANY
),
744 PLUGIN_REGISTER(RNG
, openssl_rng_create
),
745 PLUGIN_PROVIDE(RNG
, RNG_STRONG
),
746 PLUGIN_PROVIDE(RNG
, RNG_WEAK
),
752 METHOD(plugin_t
, destroy
, void,
753 private_openssl_plugin_t
*this)
755 /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
756 * can't call it as we couldn't re-initialize the library (as required by the
757 * unit tests and the Android app) */
758 #if OPENSSL_VERSION_NUMBER < 0x10100000L
759 #ifndef OPENSSL_IS_BORINGSSL
764 #ifndef OPENSSL_NO_ENGINE
766 #endif /* OPENSSL_NO_ENGINE */
767 CRYPTO_cleanup_all_ex_data();
770 #endif /* OPENSSL_VERSION_NUMBER */
778 plugin_t
*openssl_plugin_create()
780 private_openssl_plugin_t
*this;
783 fips_mode
= lib
->settings
->get_int(lib
->settings
,
784 "%s.plugins.openssl.fips_mode", FIPS_MODE
, lib
->ns
);
788 if (FIPS_mode() != fips_mode
&& !FIPS_mode_set(fips_mode
))
790 DBG1(DBG_LIB
, "unable to set openssl FIPS mode(%d) from (%d)",
791 fips_mode
, FIPS_mode());
798 DBG1(DBG_LIB
, "openssl FIPS mode(%d) unavailable", fips_mode
);
806 .get_name
= _get_name
,
807 .get_features
= _get_features
,
813 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
814 /* note that we can't call OPENSSL_cleanup() when the plugin is destroyed
815 * as we couldn't initialize the library again afterwards */
816 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG
|
817 OPENSSL_INIT_ENGINE_ALL_BUILTIN
, NULL
);
818 #else /* OPENSSL_VERSION_NUMBER */
820 #ifndef OPENSSL_IS_BORINGSSL
821 OPENSSL_config(NULL
);
823 OpenSSL_add_all_algorithms();
824 #ifndef OPENSSL_NO_ENGINE
825 /* activate support for hardware accelerators */
826 ENGINE_load_builtin_engines();
827 ENGINE_register_all_complete();
828 #endif /* OPENSSL_NO_ENGINE */
829 #endif /* OPENSSL_VERSION_NUMBER */
832 /* we do this here as it may have been enabled via openssl.conf */
833 fips_mode
= FIPS_mode();
834 dbg(DBG_LIB
, strpfx(lib
->ns
, "charon") ? 1 : 2,
835 "openssl FIPS mode(%d) - %sabled ", fips_mode
, fips_mode
? "en" : "dis");
836 #endif /* OPENSSL_FIPS */
840 DBG1(DBG_CFG
, "no RNG found to seed OpenSSL");
845 return &this->public.plugin
;