From: René Fischer Date: Fri, 22 Jan 2021 12:38:01 +0000 (+0100) Subject: botan: Use strongSwan's RNG interface in Botan plugin X-Git-Tag: 5.9.2rc1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4261fcedece37bf839623ed4c7967bf503bb6ed7;p=thirdparty%2Fstrongswan.git botan: Use strongSwan's RNG interface in Botan plugin This allows using rng_t implementations provided by other plugins to serve as RNG for Botan. Closes strongswan/strongswan#192. --- diff --git a/conf/Makefile.am b/conf/Makefile.am index 1c2b412363..74fb63680c 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -33,6 +33,7 @@ plugins = \ plugins/attr.opt \ plugins/attr-sql.opt \ plugins/bliss.opt \ + plugins/botan.opt \ plugins/bypass-lan.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ diff --git a/conf/plugins/botan.opt b/conf/plugins/botan.opt new file mode 100644 index 0000000000..dfda14ee1f --- /dev/null +++ b/conf/plugins/botan.opt @@ -0,0 +1,6 @@ +charon.plugins.botan.internal_rng_only = no + Force the use of Botan's internal RNG. + + If enabled, only Botan's internal RNG will be used throughout the plugin. + Otherwise, and if supported by Botan, rng_t implementations provided by + other loaded plugins will be used as RNG. diff --git a/configure.ac b/configure.ac index 520775c1c4..f9c643851b 100644 --- a/configure.ac +++ b/configure.ac @@ -1177,6 +1177,10 @@ if test x$botan = xtrue; then [PKG_CHECK_MODULES(botan, [botan-2])]) AC_SUBST(botan_CFLAGS) AC_SUBST(botan_LIBS) + saved_LIBS=$LIBS + LIBS="$botan_LIBS" + AC_CHECK_FUNCS(botan_rng_init_custom) + LIBS=$saved_LIBS fi if test x$uci = xtrue; then diff --git a/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c b/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c index 50234b2e02..18e9cb1c1b 100644 --- a/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c @@ -205,7 +205,7 @@ botan_ec_diffie_hellman_t *botan_ec_diffie_hellman_create( return NULL; } - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { free(this); return NULL; diff --git a/src/libstrongswan/plugins/botan/botan_ec_private_key.c b/src/libstrongswan/plugins/botan/botan_ec_private_key.c index d9469e916b..b6940907f8 100644 --- a/src/libstrongswan/plugins/botan/botan_ec_private_key.c +++ b/src/libstrongswan/plugins/botan/botan_ec_private_key.c @@ -329,7 +329,7 @@ botan_ec_private_key_t *botan_ec_private_key_gen(key_type_t type, va_list args) return NULL; } - if (botan_rng_init(&rng, "system")) + if (!botan_get_rng(&rng, RNG_TRUE)) { return NULL; } @@ -429,7 +429,7 @@ botan_ec_private_key_t *botan_ec_private_key_load(key_type_t type, va_list args) this = create_empty(oid); - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { chunk_clear(&pkcs8); free(this); diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.c b/src/libstrongswan/plugins/botan/botan_ed_private_key.c index 3f0f542224..5d901ac743 100644 --- a/src/libstrongswan/plugins/botan/botan_ed_private_key.c +++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.c @@ -216,7 +216,7 @@ private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args) break; } - if (botan_rng_init(&rng, "system")) + if (!botan_get_rng(&rng, RNG_TRUE)) { return NULL; } diff --git a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c index 06a9345624..b8bfa6484b 100644 --- a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c +++ b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c @@ -369,7 +369,7 @@ botan_rsa_private_key_t *botan_rsa_private_key_gen(key_type_t type, return NULL; } - if (botan_rng_init(&rng, "system")) + if (!botan_get_rng(&rng, RNG_TRUE)) { return NULL; } @@ -448,7 +448,7 @@ static bool calculate_pq(botan_mp_t *n, botan_mp_t *e, botan_mp_t *d, goto error; } - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { goto error; } diff --git a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c index af573b7c03..06560c393a 100644 --- a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c +++ b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c @@ -171,7 +171,7 @@ METHOD(public_key_t, encrypt, bool, return FALSE; } - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { return FALSE; } diff --git a/src/libstrongswan/plugins/botan/botan_util.c b/src/libstrongswan/plugins/botan/botan_util.c index 9414a2cc88..641384f025 100644 --- a/src/libstrongswan/plugins/botan/botan_util.c +++ b/src/libstrongswan/plugins/botan/botan_util.c @@ -238,7 +238,7 @@ bool botan_get_signature(botan_privkey_t key, const char *scheme, return FALSE; } - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { botan_pk_op_sign_destroy(sign_op); return FALSE; @@ -345,3 +345,63 @@ const char *botan_map_rng_quality(rng_quality_t quality) } return rng_name; } + +#ifdef HAVE_BOTAN_RNG_INIT_CUSTOM + +CALLBACK(get_random, int, + rng_t *rng, uint8_t *out, size_t out_len) +{ + if (!rng->get_bytes(rng, out_len, out)) + { + return -1; + } + return 0; +} + +CALLBACK(destroy_rng, void, + rng_t *rng) +{ + if (rng) + { + rng->destroy(rng); + } +} + +#endif /* HAVE_BOTAN_RNG_INIT_CUSTOM */ + +/* + * Described in header + */ +bool botan_get_rng(botan_rng_t *botan_rng, rng_quality_t quality) +{ +#ifdef HAVE_BOTAN_RNG_INIT_CUSTOM + if (!lib->settings->get_bool(lib->settings, + "%s.plugins.botan.internal_rng_only", FALSE, lib->ns)) + { + rng_t *rng = lib->crypto->create_rng(lib->crypto, quality); + + if (!rng) + { + DBG1(DBG_LIB, "no RNG found for quality %N", rng_quality_names, + quality); + return FALSE; + } + if (botan_rng_init_custom(botan_rng, "strongswan", rng, + get_random, NULL, destroy_rng)) + { + DBG1(DBG_LIB, "Botan RNG creation failed"); + return FALSE; + } + } + else +#endif /* HAVE_BOTAN_RNG_INIT_CUSTOM */ + { + const char *rng_name = botan_map_rng_quality(quality); + + if (!rng_name || botan_rng_init(botan_rng, rng_name)) + { + return FALSE; + } + } + return TRUE; +} diff --git a/src/libstrongswan/plugins/botan/botan_util.h b/src/libstrongswan/plugins/botan/botan_util.h index fe8a9a8ee0..2650292384 100644 --- a/src/libstrongswan/plugins/botan/botan_util.h +++ b/src/libstrongswan/plugins/botan/botan_util.h @@ -133,4 +133,13 @@ bool botan_dh_key_derivation(botan_privkey_t key, chunk_t pub, chunk_t *secret); */ const char *botan_map_rng_quality(rng_quality_t quality); +/** + * Get RNG for Botan API calls. + * + * @param botan_rng Botan RNG + * @param quality RNG quality requested + * @return TRUE if Botan RNG creation was successful + */ +bool botan_get_rng(botan_rng_t *botan_rng, rng_quality_t quality); + #endif /** BOTAN_UTIL_H_ @}*/ diff --git a/src/libstrongswan/plugins/botan/botan_util_keys.c b/src/libstrongswan/plugins/botan/botan_util_keys.c index dc40314911..4008098559 100644 --- a/src/libstrongswan/plugins/botan/botan_util_keys.c +++ b/src/libstrongswan/plugins/botan/botan_util_keys.c @@ -21,6 +21,7 @@ * THE SOFTWARE. */ +#include "botan_util.h" #include "botan_util_keys.h" #include "botan_ec_public_key.h" #include "botan_ec_private_key.h" @@ -81,7 +82,7 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args) break; } - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { return NULL; } @@ -183,7 +184,7 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args) break; } - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { return NULL; } diff --git a/src/libstrongswan/plugins/botan/botan_x25519.c b/src/libstrongswan/plugins/botan/botan_x25519.c index 8863f3fa63..e0cfd692f4 100644 --- a/src/libstrongswan/plugins/botan/botan_x25519.c +++ b/src/libstrongswan/plugins/botan/botan_x25519.c @@ -155,7 +155,7 @@ diffie_hellman_t *botan_x25519_create(diffie_hellman_group_t group) }, ); - if (botan_rng_init(&rng, "user")) + if (!botan_get_rng(&rng, RNG_STRONG)) { free(this); return NULL;