]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libstrongswan/plugins/openssl/openssl_plugin.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
openssl: Make sure to release the functional ENGINE reference
[thirdparty/strongswan.git] / src / libstrongswan / plugins / openssl / openssl_plugin.c
1 /*
2 * Copyright (C) 2008-2018 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <library.h>
18 #include <utils/debug.h>
19 #include <threading/thread.h>
20 #include <threading/mutex.h>
21 #include <threading/thread_value.h>
22
23 #include <openssl/err.h>
24 #include <openssl/evp.h>
25 #include <openssl/conf.h>
26 #include <openssl/rand.h>
27 #include <openssl/crypto.h>
28 #ifndef OPENSSL_NO_ENGINE
29 #include <openssl/engine.h>
30 #endif
31
32 #include "openssl_plugin.h"
33 #include "openssl_util.h"
34 #include "openssl_crypter.h"
35 #include "openssl_hasher.h"
36 #include "openssl_sha1_prf.h"
37 #include "openssl_diffie_hellman.h"
38 #include "openssl_ec_diffie_hellman.h"
39 #include "openssl_rsa_private_key.h"
40 #include "openssl_rsa_public_key.h"
41 #include "openssl_ec_private_key.h"
42 #include "openssl_ec_public_key.h"
43 #include "openssl_x509.h"
44 #include "openssl_crl.h"
45 #include "openssl_pkcs7.h"
46 #include "openssl_pkcs12.h"
47 #include "openssl_rng.h"
48 #include "openssl_hmac.h"
49 #include "openssl_gcm.h"
50 #include "openssl_x_diffie_hellman.h"
51 #include "openssl_ed_public_key.h"
52 #include "openssl_ed_private_key.h"
53
54 #ifndef FIPS_MODE
55 #define FIPS_MODE 0
56 #endif
57
58 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
59
60 /**
61 * private data of openssl_plugin
62 */
63 struct private_openssl_plugin_t {
64
65 /**
66 * public functions
67 */
68 openssl_plugin_t public;
69 };
70
71 /**
72 * OpenSSL is thread-safe since 1.1.0
73 */
74 #if OPENSSL_VERSION_NUMBER < 0x10100000L
75
76 /**
77 * Array of static mutexs, with CRYPTO_num_locks() mutex
78 */
79 static mutex_t **mutex = NULL;
80
81 /**
82 * Locking callback for static locks
83 */
84 static void locking_function(int mode, int type, const char *file, int line)
85 {
86 if (mutex)
87 {
88 if (mode & CRYPTO_LOCK)
89 {
90 mutex[type]->lock(mutex[type]);
91 }
92 else
93 {
94 mutex[type]->unlock(mutex[type]);
95 }
96 }
97 }
98
99 /**
100 * Implementation of dynlock
101 */
102 struct CRYPTO_dynlock_value {
103 mutex_t *mutex;
104 };
105
106 /**
107 * Callback to create a dynamic lock
108 */
109 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
110 {
111 struct CRYPTO_dynlock_value *lock;
112
113 lock = malloc_thing(struct CRYPTO_dynlock_value);
114 lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
115 return lock;
116 }
117
118 /**
119 * Callback to (un-)lock a dynamic lock
120 */
121 static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
122 const char *file, int line)
123 {
124 if (mode & CRYPTO_LOCK)
125 {
126 lock->mutex->lock(lock->mutex);
127 }
128 else
129 {
130 lock->mutex->unlock(lock->mutex);
131 }
132 }
133
134 /**
135 * Callback to destroy a dynamic lock
136 */
137 static void destroy_function(struct CRYPTO_dynlock_value *lock,
138 const char *file, int line)
139 {
140 lock->mutex->destroy(lock->mutex);
141 free(lock);
142 }
143
144 /**
145 * Thread-local value used to cleanup thread-specific error buffers
146 */
147 static thread_value_t *cleanup;
148
149 /**
150 * Called when a thread is destroyed. Avoid recursion by setting the thread id
151 * explicitly.
152 */
153 static void cleanup_thread(void *arg)
154 {
155 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
156 CRYPTO_THREADID tid;
157
158 CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
159 ERR_remove_thread_state(&tid);
160 #else
161 ERR_remove_state((u_long)(uintptr_t)arg);
162 #endif
163 }
164
165 /**
166 * Thread-ID callback function
167 */
168 static u_long id_function(void)
169 {
170 u_long id;
171
172 /* ensure the thread ID is never zero, otherwise OpenSSL might try to
173 * acquire locks recursively */
174 id = 1 + (u_long)thread_current_id();
175
176 /* cleanup a thread's state later if OpenSSL interacted with it */
177 cleanup->set(cleanup, (void*)(uintptr_t)id);
178 return id;
179 }
180
181 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
182 /**
183 * Callback for thread ID
184 */
185 static void threadid_function(CRYPTO_THREADID *threadid)
186 {
187 CRYPTO_THREADID_set_numeric(threadid, id_function());
188 }
189 #endif /* OPENSSL_VERSION_NUMBER */
190
191 /**
192 * initialize OpenSSL for multi-threaded use
193 */
194 static void threading_init()
195 {
196 int i, num_locks;
197
198 cleanup = thread_value_create(cleanup_thread);
199
200 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
201 CRYPTO_THREADID_set_callback(threadid_function);
202 #else
203 CRYPTO_set_id_callback(id_function);
204 #endif
205
206 CRYPTO_set_locking_callback(locking_function);
207
208 CRYPTO_set_dynlock_create_callback(create_function);
209 CRYPTO_set_dynlock_lock_callback(lock_function);
210 CRYPTO_set_dynlock_destroy_callback(destroy_function);
211
212 num_locks = CRYPTO_num_locks();
213 mutex = malloc(sizeof(mutex_t*) * num_locks);
214 for (i = 0; i < num_locks; i++)
215 {
216 mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
217 }
218 }
219
220 /**
221 * cleanup OpenSSL threading locks
222 */
223 static void threading_cleanup()
224 {
225 int i, num_locks;
226
227 num_locks = CRYPTO_num_locks();
228 for (i = 0; i < num_locks; i++)
229 {
230 mutex[i]->destroy(mutex[i]);
231 }
232 free(mutex);
233 mutex = NULL;
234
235 cleanup->destroy(cleanup);
236 }
237
238 #else /* OPENSSL_VERSION_NUMBER */
239
240 #define threading_init()
241
242 #define threading_cleanup()
243
244 #endif
245
246 /**
247 * Seed the OpenSSL RNG, if required
248 */
249 static bool seed_rng()
250 {
251 rng_t *rng = NULL;
252 char buf[32];
253
254 while (RAND_status() != 1)
255 {
256 if (!rng)
257 {
258 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
259 if (!rng)
260 {
261 return FALSE;
262 }
263 }
264 if (!rng->get_bytes(rng, sizeof(buf), buf))
265 {
266 rng->destroy(rng);
267 return FALSE;
268 }
269 RAND_seed(buf, sizeof(buf));
270 }
271 DESTROY_IF(rng);
272 return TRUE;
273 }
274
275 /**
276 * Generic key loader
277 */
278 static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
279 {
280 chunk_t blob = chunk_empty;
281 EVP_PKEY *key;
282
283 while (TRUE)
284 {
285 switch (va_arg(args, builder_part_t))
286 {
287 case BUILD_BLOB_ASN1_DER:
288 blob = va_arg(args, chunk_t);
289 continue;
290 case BUILD_END:
291 break;
292 default:
293 return NULL;
294 }
295 break;
296 }
297
298 if (blob.ptr)
299 {
300 key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
301 if (key)
302 {
303 switch (EVP_PKEY_base_id(key))
304 {
305 #ifndef OPENSSL_NO_RSA
306 case EVP_PKEY_RSA:
307 return openssl_rsa_private_key_create(key, FALSE);
308 #endif
309 #ifndef OPENSSL_NO_ECDSA
310 case EVP_PKEY_EC:
311 return openssl_ec_private_key_create(key, FALSE);
312 #endif
313 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
314 case EVP_PKEY_ED25519:
315 case EVP_PKEY_ED448:
316 return openssl_ed_private_key_create(key, FALSE);
317 #endif /* OPENSSL_VERSION_NUMBER */
318 default:
319 EVP_PKEY_free(key);
320 break;
321 }
322 }
323 }
324 return NULL;
325 }
326
327 #ifndef OPENSSL_NO_ENGINE
328 /**
329 * Login to engine with a PIN specified for a keyid
330 */
331 static bool login(ENGINE *engine, chunk_t keyid)
332 {
333 enumerator_t *enumerator;
334 shared_key_t *shared;
335 identification_t *id;
336 chunk_t key;
337 char pin[64];
338 bool found = FALSE, success = FALSE;
339
340 id = identification_create_from_encoding(ID_KEY_ID, keyid);
341 enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
342 SHARED_PIN, id, NULL);
343 while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
344 {
345 found = TRUE;
346 key = shared->get_key(shared);
347 if (snprintf(pin, sizeof(pin),
348 "%.*s", (int)key.len, key.ptr) >= sizeof(pin))
349 {
350 continue;
351 }
352 if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
353 {
354 success = TRUE;
355 break;
356 }
357 else
358 {
359 DBG1(DBG_CFG, "setting PIN on engine failed");
360 }
361 }
362 enumerator->destroy(enumerator);
363 id->destroy(id);
364 if (!found)
365 {
366 DBG1(DBG_CFG, "no PIN found for %#B", &keyid);
367 }
368 return success;
369 }
370 #endif /* OPENSSL_NO_ENGINE */
371
372 /**
373 * Load private key via engine
374 */
375 static private_key_t *openssl_private_key_connect(key_type_t type,
376 va_list args)
377 {
378 #ifndef OPENSSL_NO_ENGINE
379 char *engine_id = NULL;
380 char keyname[BUF_LEN];
381 chunk_t keyid = chunk_empty;
382 EVP_PKEY *key;
383 ENGINE *engine;
384 int slot = -1;
385
386 while (TRUE)
387 {
388 switch (va_arg(args, builder_part_t))
389 {
390 case BUILD_PKCS11_KEYID:
391 keyid = va_arg(args, chunk_t);
392 continue;
393 case BUILD_PKCS11_SLOT:
394 slot = va_arg(args, int);
395 continue;
396 case BUILD_PKCS11_MODULE:
397 engine_id = va_arg(args, char*);
398 continue;
399 case BUILD_END:
400 break;
401 default:
402 return NULL;
403 }
404 break;
405 }
406 if (!keyid.len)
407 {
408 return NULL;
409 }
410
411 memset(keyname, 0, sizeof(keyname));
412 if (slot != -1)
413 {
414 snprintf(keyname, sizeof(keyname), "%d:", slot);
415 }
416 if (sizeof(keyname) - strlen(keyname) <= keyid.len * 2 + 1)
417 {
418 return NULL;
419 }
420 chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
421
422 if (!engine_id)
423 {
424 engine_id = lib->settings->get_str(lib->settings,
425 "%s.plugins.openssl.engine_id", "pkcs11", lib->ns);
426 }
427 engine = ENGINE_by_id(engine_id);
428 if (!engine)
429 {
430 DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
431 return NULL;
432 }
433 if (!ENGINE_init(engine))
434 {
435 DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id);
436 ENGINE_free(engine);
437 return NULL;
438 }
439 ENGINE_free(engine);
440 if (!login(engine, keyid))
441 {
442 DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
443 ENGINE_finish(engine);
444 return NULL;
445 }
446 key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
447 ENGINE_finish(engine);
448 if (!key)
449 {
450 DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
451 "engine '%s'", keyname, engine_id);
452 return NULL;
453 }
454
455 switch (EVP_PKEY_base_id(key))
456 {
457 #ifndef OPENSSL_NO_RSA
458 case EVP_PKEY_RSA:
459 return openssl_rsa_private_key_create(key, TRUE);
460 #endif
461 #ifndef OPENSSL_NO_ECDSA
462 case EVP_PKEY_EC:
463 return openssl_ec_private_key_create(key, TRUE);
464 #endif
465 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
466 case EVP_PKEY_ED25519:
467 case EVP_PKEY_ED448:
468 return openssl_ed_private_key_create(key, TRUE);
469 #endif /* OPENSSL_VERSION_NUMBER */
470 default:
471 EVP_PKEY_free(key);
472 break;
473 }
474 #endif /* OPENSSL_NO_ENGINE */
475 return NULL;
476 }
477
478 METHOD(plugin_t, get_name, char*,
479 private_openssl_plugin_t *this)
480 {
481 return "openssl";
482 }
483
484 METHOD(plugin_t, get_features, int,
485 private_openssl_plugin_t *this, plugin_feature_t *features[])
486 {
487 static plugin_feature_t f[] = {
488 /* we provide OpenSSL threading callbacks */
489 PLUGIN_PROVIDE(CUSTOM, "openssl-threading"),
490 /* crypters */
491 PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
492 #ifndef OPENSSL_NO_AES
493 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
494 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
495 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
496 #endif
497 #ifndef OPENSSL_NO_CAMELLIA
498 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
499 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
500 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
501 #endif
502 #ifndef OPENSSL_NO_RC5
503 PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
504 #endif
505 #ifndef OPENSSL_NO_CAST
506 PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
507 #endif
508 #ifndef OPENSSL_NO_BLOWFISH
509 PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
510 #endif
511 #ifndef OPENSSL_NO_IDEA
512 PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
513 #endif
514 #ifndef OPENSSL_NO_DES
515 PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
516 PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
517 PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
518 #endif
519 PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
520 /* hashers */
521 PLUGIN_REGISTER(HASHER, openssl_hasher_create),
522 #ifndef OPENSSL_NO_MD2
523 PLUGIN_PROVIDE(HASHER, HASH_MD2),
524 #endif
525 #ifndef OPENSSL_NO_MD4
526 PLUGIN_PROVIDE(HASHER, HASH_MD4),
527 #endif
528 #ifndef OPENSSL_NO_MD5
529 PLUGIN_PROVIDE(HASHER, HASH_MD5),
530 #endif
531 #ifndef OPENSSL_NO_SHA1
532 PLUGIN_PROVIDE(HASHER, HASH_SHA1),
533 #endif
534 #ifndef OPENSSL_NO_SHA256
535 PLUGIN_PROVIDE(HASHER, HASH_SHA224),
536 PLUGIN_PROVIDE(HASHER, HASH_SHA256),
537 #endif
538 #ifndef OPENSSL_NO_SHA512
539 PLUGIN_PROVIDE(HASHER, HASH_SHA384),
540 PLUGIN_PROVIDE(HASHER, HASH_SHA512),
541 #endif
542 #ifndef OPENSSL_NO_SHA1
543 /* keyed sha1 hasher (aka prf) */
544 PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
545 PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
546 #endif
547 #ifndef OPENSSL_NO_HMAC
548 PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
549 #ifndef OPENSSL_NO_MD5
550 PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
551 #endif
552 #ifndef OPENSSL_NO_SHA1
553 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
554 #endif
555 #ifndef OPENSSL_NO_SHA256
556 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
557 #endif
558 #ifndef OPENSSL_NO_SHA512
559 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
560 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
561 #endif
562 PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
563 #ifndef OPENSSL_NO_MD5
564 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
565 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
566 #endif
567 #ifndef OPENSSL_NO_SHA1
568 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
569 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
570 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
571 #endif
572 #ifndef OPENSSL_NO_SHA256
573 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
574 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
575 #endif
576 #ifndef OPENSSL_NO_SHA512
577 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
578 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
579 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
580 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
581 #endif
582 #endif /* OPENSSL_NO_HMAC */
583 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
584 #ifndef OPENSSL_NO_AES
585 /* AES GCM */
586 PLUGIN_REGISTER(AEAD, openssl_gcm_create),
587 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
588 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
589 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
590 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
591 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
592 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
593 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
594 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
595 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
596 #endif /* OPENSSL_NO_AES */
597 #endif /* OPENSSL_VERSION_NUMBER */
598 #ifndef OPENSSL_NO_ECDH
599 /* EC DH groups */
600 PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
601 PLUGIN_PROVIDE(DH, ECP_256_BIT),
602 PLUGIN_PROVIDE(DH, ECP_384_BIT),
603 PLUGIN_PROVIDE(DH, ECP_521_BIT),
604 PLUGIN_PROVIDE(DH, ECP_224_BIT),
605 PLUGIN_PROVIDE(DH, ECP_192_BIT),
606 PLUGIN_PROVIDE(DH, ECP_256_BP),
607 PLUGIN_PROVIDE(DH, ECP_384_BP),
608 PLUGIN_PROVIDE(DH, ECP_512_BP),
609 PLUGIN_PROVIDE(DH, ECP_224_BP),
610 #endif /* OPENSSL_NO_ECDH */
611 #ifndef OPENSSL_NO_DH
612 /* MODP DH groups */
613 PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
614 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
615 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
616 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
617 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
618 PLUGIN_PROVIDE(DH, MODP_2048_BIT),
619 PLUGIN_PROVIDE(DH, MODP_2048_224),
620 PLUGIN_PROVIDE(DH, MODP_2048_256),
621 PLUGIN_PROVIDE(DH, MODP_1536_BIT),
622 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
623 PLUGIN_PROVIDE(DH, MODP_1024_160),
624 PLUGIN_PROVIDE(DH, MODP_768_BIT),
625 PLUGIN_PROVIDE(DH, MODP_CUSTOM),
626 #endif
627 #ifndef OPENSSL_NO_RSA
628 /* RSA private/public key loading */
629 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
630 PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
631 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
632 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
633 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
634 PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
635 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
636 PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
637 /* signature/encryption schemes */
638 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
639 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
640 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
641 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS),
642 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS),
643 #endif
644 #ifndef OPENSSL_NO_SHA1
645 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
646 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
647 #endif
648 #ifndef OPENSSL_NO_SHA256
649 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224),
650 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256),
651 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224),
652 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256),
653 #endif
654 #ifndef OPENSSL_NO_SHA512
655 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384),
656 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512),
657 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
658 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
659 #endif
660 #ifndef OPENSSL_NO_MD5
661 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
662 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
663 #endif
664 PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
665 PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
666 #endif /* OPENSSL_NO_RSA */
667 /* certificate/CRL loading */
668 PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
669 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
670 PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
671 PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
672 PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
673 PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
674 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
675 #if OPENSSL_VERSION_NUMBER >= 0x0090807fL
676 #ifndef OPENSSL_NO_CMS
677 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
678 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
679 #endif /* OPENSSL_NO_CMS */
680 #endif /* OPENSSL_VERSION_NUMBER */
681 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
682 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
683 #ifndef OPENSSL_NO_ECDSA
684 /* EC private/public key loading */
685 PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
686 PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
687 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
688 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
689 PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
690 PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
691 /* signature encryption schemes */
692 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
693 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
694 #ifndef OPENSSL_NO_SHA1
695 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
696 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
697 #endif
698 #ifndef OPENSSL_NO_SHA256
699 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
700 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
701 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
702 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
703 #endif
704 #ifndef OPENSSL_NO_SHA512
705 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
706 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
707 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
708 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
709 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
710 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
711 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
712 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
713 #endif
714 #endif /* OPENSSL_NO_ECDSA */
715 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
716 PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create),
717 /* available since 1.1.0a, but we require 1.1.1 features */
718 PLUGIN_PROVIDE(DH, CURVE_25519),
719 /* available since 1.1.1 */
720 PLUGIN_PROVIDE(DH, CURVE_448),
721 /* EdDSA private/public key loading */
722 PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
723 PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
724 PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
725 PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
726 PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
727 PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
728 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
729 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
730 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
731 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
732 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
733 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
734 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
735 /* register a pro forma identity hasher, never instantiated */
736 PLUGIN_REGISTER(HASHER, return_null),
737 PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
738 #endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
739 /* generic key loader */
740 PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
741 PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
742 PLUGIN_REGISTER(PRIVKEY, openssl_private_key_connect, FALSE),
743 PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
744 PLUGIN_REGISTER(RNG, openssl_rng_create),
745 PLUGIN_PROVIDE(RNG, RNG_STRONG),
746 PLUGIN_PROVIDE(RNG, RNG_WEAK),
747 };
748 *features = f;
749 return countof(f);
750 }
751
752 METHOD(plugin_t, destroy, void,
753 private_openssl_plugin_t *this)
754 {
755 /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
756 * can't call it as we couldn't re-initialize the library (as required by the
757 * unit tests and the Android app) */
758 #if OPENSSL_VERSION_NUMBER < 0x10100000L
759 #ifndef OPENSSL_IS_BORINGSSL
760 CONF_modules_free();
761 OBJ_cleanup();
762 #endif
763 EVP_cleanup();
764 #ifndef OPENSSL_NO_ENGINE
765 ENGINE_cleanup();
766 #endif /* OPENSSL_NO_ENGINE */
767 CRYPTO_cleanup_all_ex_data();
768 threading_cleanup();
769 ERR_free_strings();
770 #endif /* OPENSSL_VERSION_NUMBER */
771
772 free(this);
773 }
774
775 /*
776 * see header file
777 */
778 plugin_t *openssl_plugin_create()
779 {
780 private_openssl_plugin_t *this;
781 int fips_mode;
782
783 fips_mode = lib->settings->get_int(lib->settings,
784 "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
785 #ifdef OPENSSL_FIPS
786 if (fips_mode)
787 {
788 if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
789 {
790 DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d) from (%d)",
791 fips_mode, FIPS_mode());
792 return NULL;
793 }
794 }
795 #else
796 if (fips_mode)
797 {
798 DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
799 return NULL;
800 }
801 #endif
802
803 INIT(this,
804 .public = {
805 .plugin = {
806 .get_name = _get_name,
807 .get_features = _get_features,
808 .destroy = _destroy,
809 },
810 },
811 );
812
813 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
814 /* note that we can't call OPENSSL_cleanup() when the plugin is destroyed
815 * as we couldn't initialize the library again afterwards */
816 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG |
817 OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
818 #else /* OPENSSL_VERSION_NUMBER */
819 threading_init();
820 #ifndef OPENSSL_IS_BORINGSSL
821 OPENSSL_config(NULL);
822 #endif
823 OpenSSL_add_all_algorithms();
824 #ifndef OPENSSL_NO_ENGINE
825 /* activate support for hardware accelerators */
826 ENGINE_load_builtin_engines();
827 ENGINE_register_all_complete();
828 #endif /* OPENSSL_NO_ENGINE */
829 #endif /* OPENSSL_VERSION_NUMBER */
830
831 #ifdef OPENSSL_FIPS
832 /* we do this here as it may have been enabled via openssl.conf */
833 fips_mode = FIPS_mode();
834 dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
835 "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
836 #endif /* OPENSSL_FIPS */
837
838 if (!seed_rng())
839 {
840 DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
841 destroy(this);
842 return NULL;
843 }
844
845 return &this->public.plugin;
846 }
Unnamed repository; edit this file 'description' to name the repository.