pluto supports ECDSA authentication

4 files changed, 63 insertions, 57 deletions

diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index de9733a0c..d6b442ae9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -128,36 +128,18 @@ static bool sig2chunk(const EC_GROUP *group, ECDSA_SIG *sig, chunk_t *chunk)
  * Build the signature
  */
 static bool build_signature(private_openssl_ec_private_key_t *this,
-							int hash_type, chunk_t data, chunk_t *signature)
+							chunk_t hash, chunk_t *signature)
 {
-	chunk_t hash = chunk_empty;
-	ECDSA_SIG *sig;
-	bool ret = FALSE;
-	
-	if (!openssl_hash_chunk(hash_type, data, &hash))
-	{
-		return FALSE;
-	}
-	
-	sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	ECDSA_SIG *sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	bool success;
+
 	if (!sig)
 	{
-		goto error;
-	}
-	
-	if (!sig2chunk(EC_KEY_get0_group(this->ec), sig, signature))
-	{
-		goto error;
-	}
-	
-	ret = TRUE;
-error:
-	chunk_free(&hash);
-	if (sig)
-	{
-		ECDSA_SIG_free(sig);
+		return FALSE;
 	}
-	return ret;
+	success = sig2chunk(EC_KEY_get0_group(this->ec), sig, signature);
+	ECDSA_SIG_free(sig);
+	return success;
 }
 
 /**
@@ -174,36 +156,51 @@ static key_type_t get_type(private_openssl_ec_private_key_t *this)
 static bool sign(private_openssl_ec_private_key_t *this, signature_scheme_t scheme, 
 				 chunk_t data, chunk_t *signature)
 {
-	EC_GROUP *req_group;
-	const EC_GROUP *my_group;
-	int hash, curve;
-	
-	if (!lookup_scheme(scheme, &hash, &curve))
-	{
-		DBG1("signature scheme %N not supported in EC",
-				 signature_scheme_names, scheme);
-		return FALSE;
-	}
-	
-	req_group = EC_GROUP_new_by_curve_name(curve);
-	if (!req_group)
+	bool success;
+
+	if (scheme == SIGN_ECDSA_WITH_NULL)
 	{
-		DBG1("signature scheme %N not supported in EC (required curve not supported)",
-				 signature_scheme_names, scheme);
-		return FALSE;
+		success = build_signature(this, data, signature);
 	}
-	
-	my_group = EC_KEY_get0_group(this->ec);
-	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+	else
 	{
-		DBG1("signature scheme %N not supported by private key",
-				 signature_scheme_names, scheme);
-		return FALSE;
-	}
+		EC_GROUP *req_group;
+		const EC_GROUP *my_group;
+		chunk_t hash = chunk_empty;
+		int hash_type, curve;
+
+		if (!lookup_scheme(scheme, &hash_type, &curve))
+		{
+			DBG1("signature scheme %N not supported in EC",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
 	
-	EC_GROUP_free(req_group);
+		req_group = EC_GROUP_new_by_curve_name(curve);
+		if (!req_group)
+		{
+			DBG1("signature scheme %N not supported in EC (required curve not supported)",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
 	
-	return build_signature(this, hash, data, signature);
+		my_group = EC_KEY_get0_group(this->ec);
+		if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+		{
+			DBG1("signature scheme %N not supported by private key",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
+		EC_GROUP_free(req_group);
+
+		if (!openssl_hash_chunk(hash_type, data, &hash))
+		{
+			return FALSE;
+		}
+		success = build_signature(this, hash, signature);
+		chunk_free(&hash);
+	}	
+	return success;
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 780e67529..635a106dd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -73,9 +73,16 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 	ECDSA_SIG *sig;
 	bool valid = FALSE;
 	
-	if (!openssl_hash_chunk(hash_type, data, &hash))
+	if (hash_type == NID_undef)
 	{
-		return FALSE;
+		hash = data;
+	}
+	else
+	{
+		if (!openssl_hash_chunk(hash_type, data, &hash))
+		{
+			return FALSE;
+		}
 	}
 	
 	sig = ECDSA_SIG_new();
@@ -88,7 +95,6 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 	{
 		goto error;
 	}
-	
 	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
 	
 error:
@@ -96,7 +102,10 @@ error:
 	{
 		ECDSA_SIG_free(sig);
 	}
-	chunk_free(&hash);
+	if (hash_type != NID_undef)
+	{
+		chunk_free(&hash);
+	}
 	return valid;
 }
 
@@ -158,6 +167,8 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch
 {
 	switch (scheme)
 	{
+		case SIGN_ECDSA_WITH_NULL:
+			return verify_signature(this, NID_undef, data, signature);
 		case SIGN_ECDSA_WITH_SHA1:
 			return verify_default_signature(this, data, signature);
 		case SIGN_ECDSA_256:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 6ed999f68..695913097 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -162,7 +162,6 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
-		case SIGN_DEFAULT:
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index f891802b3..89912f24c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -139,7 +139,6 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1: