Merge branch 'charon-cmd-pkcs12'

Adds support for PKCS#12 files in charon-cmd and ipsec.secrets. Also fixes the cleanup of the OpenSSL library in the openssl plugin.
author: Tobias Brunner <tobias@strongswan.org> 2013-05-08 15:19:38 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2013-05-08 15:19:38 +0200
commit: c1f1df4b40a27c7f8e5feb7422994be4e71c7d74 (patch)
tree: a5c3ac025d604519599814fdfc22d89cf73ddc2c /src/libstrongswan/plugins/openssl
parent: b715176ec4ae3882d7088fabaa03a98993a4e83d (diff)
parent: 6040eff9006940680a5668bbff5343b7b53cf9e5 (diff)
download: strongswan-c1f1df4b40a27c7f8e5feb7422994be4e71c7d74.tar.bz2
strongswan-c1f1df4b40a27c7f8e5feb7422994be4e71c7d74.tar.xz
4 files changed, 380 insertions, 22 deletions
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 0ca27983f..7ae5ea43e 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -24,6 +24,7 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_x509.c openssl_x509.h \
 	openssl_crl.c openssl_crl.h \
 	openssl_pkcs7.c openssl_pkcs7.h \
+	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
 	openssl_gcm.c openssl_gcm.h
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
new file mode 100644
index 000000000..d16b2cc05
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
@@ -0,0 +1,266 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE /* for asprintf() */
+#include <stdio.h>
+#include <openssl/pkcs12.h>
+
+#include "openssl_pkcs12.h"
+#include "openssl_util.h"
+
+#include <library.h>
+#include <credentials/sets/mem_cred.h>
+
+typedef struct private_pkcs12_t private_pkcs12_t;
+
+/**
+ * Private data of a pkcs12_t object.
+ */
+struct private_pkcs12_t {
+
+	/**
+	 * Public pkcs12_t interface.
+	 */
+	pkcs12_t public;
+
+	/**
+	 * OpenSSL PKCS#12 structure
+	 */
+	PKCS12 *p12;
+
+	/**
+	 * Credentials contained in container
+	 */
+	mem_cred_t *creds;
+};
+
+/**
+ * Decode certificate and add it to our credential set
+ */
+static bool add_cert(private_pkcs12_t *this, X509 *x509)
+{
+	certificate_t *cert = NULL;
+	chunk_t encoding;
+
+	if (!x509)
+	{	/* no certificate is ok */
+		return TRUE;
+	}
+	encoding = openssl_i2chunk(X509, x509);
+	if (encoding.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, encoding,
+								  BUILD_END);
+		if (cert)
+		{
+			this->creds->add_cert(this->creds, FALSE, cert);
+		}
+	}
+	chunk_free(&encoding);
+	X509_free(x509);
+	return cert != NULL;
+}
+
+/**
+ * Add CA certificates to our credential set
+ */
+static bool add_cas(private_pkcs12_t *this, STACK_OF(X509) *cas)
+{
+	bool success = TRUE;
+	int i;
+
+	if (!cas)
+	{	/* no CAs is ok */
+		return TRUE;
+	}
+	for (i = 0; i < sk_X509_num(cas); i++)
+	{
+		if (!add_cert(this, sk_X509_value(cas, i)))
+		{	/* continue to free all X509 objects */
+			success = FALSE;
+		}
+	}
+	sk_X509_free(cas);
+	return success;
+}
+
+/**
+ * Decode private key and add it to our credential set
+ */
+static bool add_key(private_pkcs12_t *this, EVP_PKEY *private)
+{
+	private_key_t *key = NULL;
+	chunk_t encoding;
+	key_type_t type;
+
+	if (!private)
+	{	/* no private key is ok */
+		return TRUE;
+	}
+	switch (EVP_PKEY_type(private->type))
+	{
+		case EVP_PKEY_RSA:
+			type = KEY_RSA;
+			break;
+		case EVP_PKEY_EC:
+			type = KEY_ECDSA;
+			break;
+		default:
+			EVP_PKEY_free(private);
+			return FALSE;
+	}
+	encoding = openssl_i2chunk(PrivateKey, private);
+	if (encoding.ptr)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_BLOB_ASN1_DER, encoding,
+								 BUILD_END);
+		if (key)
+		{
+			this->creds->add_key(this->creds, key);
+		}
+	}
+	chunk_clear(&encoding);
+	EVP_PKEY_free(private);
+	return key != NULL;
+}
+
+/**
+ * Decrypt PKCS#12 file and unpack credentials
+ */
+static bool decrypt_and_unpack(private_pkcs12_t *this)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	STACK_OF(X509) *cas = NULL;
+	EVP_PKEY *private;
+	X509 *cert;
+	chunk_t key;
+	char *password;
+	bool success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		key = shared->get_key(shared);
+		if (!key.ptr || asprintf(&password, "%.*s", (int)key.len, key.ptr) < 0)
+		{
+			password = NULL;
+		}
+		if (PKCS12_parse(this->p12, password, &private, &cert, &cas))
+		{
+			success = add_key(this, private);
+			success &= add_cert(this, cert);
+			success &= add_cas(this, cas);
+			free(password);
+			break;
+		}
+		free(password);
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs12_t *this)
+{
+	return CONTAINER_PKCS12;
+}
+
+METHOD(pkcs12_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set, CERT_ANY,
+												   KEY_ANY, NULL, FALSE);
+}
+
+METHOD(pkcs12_t, create_key_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  KEY_ANY, NULL);
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs12_t *this)
+{
+	if (this->p12)
+	{
+		PKCS12_free(this->p12);
+	}
+	this->creds->destroy(this->creds);
+	free(this);
+}
+
+/**
+ * Parse a PKCS#12 container
+ */
+static pkcs12_t *parse(chunk_t blob)
+{
+	private_pkcs12_t *this;
+	BIO *bio;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = (void*)return_false,
+				.get_encoding = (void*)return_false,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = _create_cert_enumerator,
+			.create_key_enumerator = _create_key_enumerator,
+		},
+		.creds = mem_cred_create(),
+	);
+
+	bio = BIO_new_mem_buf(blob.ptr, blob.len);
+	this->p12 = d2i_PKCS12_bio(bio, NULL);
+	BIO_free(bio);
+
+	if (!this->p12 || !decrypt_and_unpack(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/*
+ * Defined in header
+ */
+pkcs12_t *openssl_pkcs12_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	return blob.len ? parse(blob) : NULL;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.h b/src/libstrongswan/plugins/openssl/openssl_pkcs12.h
new file mode 100644
index 000000000..5c3e5933d
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_pkcs12 openssl_pkcs12
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PKCS12_H_
+#define OPENSSL_PKCS12_H_
+
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Load a PKCS#12 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS12
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs12_t *openssl_pkcs12_load(container_type_t type, va_list args);
+
+#endif /** OPENSSL_PKCS12_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index fb7a6d587..5d2074144 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,6 +14,7 @@
  * for more details.
  */
 
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/conf.h>
 #include <openssl/rand.h>
@@ -28,6 +29,7 @@
 #include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
+#include <threading/thread_value.h>
 #include "openssl_util.h"
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
@@ -41,6 +43,7 @@
 #include "openssl_x509.h"
 #include "openssl_crl.h"
 #include "openssl_pkcs7.h"
+#include "openssl_pkcs12.h"
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
 #include "openssl_gcm.h"
@@ -131,15 +134,52 @@ static void destroy_function(struct CRYPTO_dynlock_value *lock,
 }
 
 /**
+ * Thread-local value used to cleanup thread-specific error buffers
+ */
+static thread_value_t *cleanup;
+
+/**
+ * Called when a thread is destroyed. Avoid recursion by setting the thread id
+ * explicitly.
+ */
+static void cleanup_thread(void *arg)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+	CRYPTO_THREADID tid;
+
+	CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
+	ERR_remove_thread_state(&tid);
+#else
+	ERR_remove_state((u_long)(uintptr_t)arg);
+#endif
+}
+
+/**
  * Thread-ID callback function
  */
-static unsigned long id_function(void)
+static u_long id_function(void)
 {
+	u_long id;
+
 	/* ensure the thread ID is never zero, otherwise OpenSSL might try to
 	 * acquire locks recursively */
-	return 1 + (unsigned long)thread_current_id();
+	id = 1 + (u_long)thread_current_id();
+
+	/* cleanup a thread's state later if OpenSSL interacted with it */
+	cleanup->set(cleanup, (void*)(uintptr_t)id);
+	return id;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+/**
+ * Callback for thread ID
+ */
+static void threadid_function(CRYPTO_THREADID *threadid)
+{
+	CRYPTO_THREADID_set_numeric(threadid, id_function());
+}
+#endif /* OPENSSL_VERSION_NUMBER */
+
 /**
  * initialize OpenSSL for multi-threaded use
  */
@@ -147,7 +187,14 @@ static void threading_init()
 {
 	int i, num_locks;
 
+	cleanup = thread_value_create(cleanup_thread);
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+	CRYPTO_THREADID_set_callback(threadid_function);
+#else
 	CRYPTO_set_id_callback(id_function);
+#endif
+
 	CRYPTO_set_locking_callback(locking_function);
 
 	CRYPTO_set_dynlock_create_callback(create_function);
@@ -163,6 +210,24 @@ static void threading_init()
 }
 
 /**
+ * cleanup OpenSSL threading locks
+ */
+static void threading_cleanup()
+{
+	int i, num_locks;
+
+	num_locks = CRYPTO_num_locks();
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i]->destroy(mutex[i]);
+	}
+	free(mutex);
+	mutex = NULL;
+
+	cleanup->destroy(cleanup);
+}
+
+/**
  * Seed the OpenSSL RNG, if required
  */
 static bool seed_rng()
@@ -191,22 +256,6 @@ static bool seed_rng()
 	return TRUE;
 }
 
-/**
- * cleanup OpenSSL threading locks
- */
-static void threading_cleanup()
-{
-	int i, num_locks;
-
-	num_locks = CRYPTO_num_locks();
-	for (i = 0; i < num_locks; i++)
-	{
-		mutex[i]->destroy(mutex[i]);
-	}
-	free(mutex);
-	mutex = NULL;
-}
-
 METHOD(plugin_t, get_name, char*,
 	private_openssl_plugin_t *this)
 {
@@ -307,6 +356,7 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
 #endif
 #endif /* OPENSSL_NO_HMAC */
 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
@@ -392,6 +442,8 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
 #endif /* OPENSSL_NO_CMS */
 #endif /* OPENSSL_VERSION_NUMBER */
+		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */
 		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
@@ -444,13 +496,15 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_openssl_plugin_t *this)
 {
+	CONF_modules_free();
+	OBJ_cleanup();
+	EVP_cleanup();
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
 #endif /* OPENSSL_NO_ENGINE */
-	EVP_cleanup();
-	CONF_modules_free();
-
+	CRYPTO_cleanup_all_ex_data();
 	threading_cleanup();
+	ERR_free_strings();
 
 	free(this);
 }
author	Tobias Brunner <tobias@strongswan.org>	2013-05-08 15:19:38 +0200
committer	Tobias Brunner <tobias@strongswan.org>	2013-05-08 15:19:38 +0200
commit	c1f1df4b40a27c7f8e5feb7422994be4e71c7d74 (patch)
tree	a5c3ac025d604519599814fdfc22d89cf73ddc2c /src/libstrongswan/plugins/openssl
parent	b715176ec4ae3882d7088fabaa03a98993a4e83d (diff)
parent	6040eff9006940680a5668bbff5343b7b53cf9e5 (diff)
download	strongswan-c1f1df4b40a27c7f8e5feb7422994be4e71c7d74.tar.bz2 strongswan-c1f1df4b40a27c7f8e5feb7422994be4e71c7d74.tar.xz