pluto supports ECDSA authentication

author: Andreas Steffen <andreas.steffen@strongswan.org> 2009-06-12 19:59:35 +0200
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2009-06-12 19:59:49 +0200
commit: 11e6d28533221ed829fd0369b52c1c3957ca5219 (patch)
tree: af08ca2df8dc9d25e66e725fa0c2c769731a2c6f /src/libstrongswan/plugins
parent: eca36f44de3344805707bf126f348ba3b6a290b1 (diff)
download: strongswan-11e6d28533221ed829fd0369b52c1c3957ca5219.tar.bz2
strongswan-11e6d28533221ed829fd0369b52c1c3957ca5219.tar.xz
9 files changed, 64 insertions, 64 deletions
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 97ca9dcb5..ffdc6d778 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -269,7 +269,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	char buf[2048];
 	chunk_t blob = chunk_from_buf(buf);
 	
-	if (scheme != SIGN_DEFAULT && scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
+	if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
 	{
 		DBG1("signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 4ee431a83..d622a1fe1 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -144,8 +144,6 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
-			/* default is EMSA-PKCS1 using SHA1 */
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index bdb5d7feb..ad02d3a28 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -138,8 +138,6 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 			return verify_pkcs1(this, HASH_SHA384, "sha384", data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA512:
 			return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature);
-		case SIGN_DEFAULT:
-			/* parsing hash OID currently not supported by gcrypt, fall */
 		default:
 			DBG1("signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index b395a8005..dec4e46a5 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -292,7 +292,6 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
-		case SIGN_DEFAULT:
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 725e1f991..e241dbaf7 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -299,7 +299,6 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_MD5:
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index de9733a0c..d6b442ae9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -128,36 +128,18 @@ static bool sig2chunk(const EC_GROUP *group, ECDSA_SIG *sig, chunk_t *chunk)
  * Build the signature
  */
 static bool build_signature(private_openssl_ec_private_key_t *this,
-							int hash_type, chunk_t data, chunk_t *signature)
+							chunk_t hash, chunk_t *signature)
 {
-	chunk_t hash = chunk_empty;
-	ECDSA_SIG *sig;
-	bool ret = FALSE;
-	
-	if (!openssl_hash_chunk(hash_type, data, &hash))
-	{
-		return FALSE;
-	}
-	
-	sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	ECDSA_SIG *sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	bool success;
+
 	if (!sig)
 	{
-		goto error;
-	}
-	
-	if (!sig2chunk(EC_KEY_get0_group(this->ec), sig, signature))
-	{
-		goto error;
-	}
-	
-	ret = TRUE;
-error:
-	chunk_free(&hash);
-	if (sig)
-	{
-		ECDSA_SIG_free(sig);
+		return FALSE;
 	}
-	return ret;
+	success = sig2chunk(EC_KEY_get0_group(this->ec), sig, signature);
+	ECDSA_SIG_free(sig);
+	return success;
 }
 
 /**
@@ -174,36 +156,51 @@ static key_type_t get_type(private_openssl_ec_private_key_t *this)
 static bool sign(private_openssl_ec_private_key_t *this, signature_scheme_t scheme, 
 				 chunk_t data, chunk_t *signature)
 {
-	EC_GROUP *req_group;
-	const EC_GROUP *my_group;
-	int hash, curve;
-	
-	if (!lookup_scheme(scheme, &hash, &curve))
-	{
-		DBG1("signature scheme %N not supported in EC",
-				 signature_scheme_names, scheme);
-		return FALSE;
-	}
-	
-	req_group = EC_GROUP_new_by_curve_name(curve);
-	if (!req_group)
+	bool success;
+
+	if (scheme == SIGN_ECDSA_WITH_NULL)
 	{
-		DBG1("signature scheme %N not supported in EC (required curve not supported)",
-				 signature_scheme_names, scheme);
-		return FALSE;
+		success = build_signature(this, data, signature);
 	}
-	
-	my_group = EC_KEY_get0_group(this->ec);
-	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+	else
 	{
-		DBG1("signature scheme %N not supported by private key",
-				 signature_scheme_names, scheme);
-		return FALSE;
-	}
+		EC_GROUP *req_group;
+		const EC_GROUP *my_group;
+		chunk_t hash = chunk_empty;
+		int hash_type, curve;
+
+		if (!lookup_scheme(scheme, &hash_type, &curve))
+		{
+			DBG1("signature scheme %N not supported in EC",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
 	
-	EC_GROUP_free(req_group);
+		req_group = EC_GROUP_new_by_curve_name(curve);
+		if (!req_group)
+		{
+			DBG1("signature scheme %N not supported in EC (required curve not supported)",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
 	
-	return build_signature(this, hash, data, signature);
+		my_group = EC_KEY_get0_group(this->ec);
+		if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+		{
+			DBG1("signature scheme %N not supported by private key",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
+		EC_GROUP_free(req_group);
+
+		if (!openssl_hash_chunk(hash_type, data, &hash))
+		{
+			return FALSE;
+		}
+		success = build_signature(this, hash, signature);
+		chunk_free(&hash);
+	}	
+	return success;
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 780e67529..635a106dd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -73,9 +73,16 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 	ECDSA_SIG *sig;
 	bool valid = FALSE;
 	
-	if (!openssl_hash_chunk(hash_type, data, &hash))
+	if (hash_type == NID_undef)
 	{
-		return FALSE;
+		hash = data;
+	}
+	else
+	{
+		if (!openssl_hash_chunk(hash_type, data, &hash))
+		{
+			return FALSE;
+		}
 	}
 	
 	sig = ECDSA_SIG_new();
@@ -88,7 +95,6 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 	{
 		goto error;
 	}
-	
 	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
 	
 error:
@@ -96,7 +102,10 @@ error:
 	{
 		ECDSA_SIG_free(sig);
 	}
-	chunk_free(&hash);
+	if (hash_type != NID_undef)
+	{
+		chunk_free(&hash);
+	}
 	return valid;
 }
 
@@ -158,6 +167,8 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch
 {
 	switch (scheme)
 	{
+		case SIGN_ECDSA_WITH_NULL:
+			return verify_signature(this, NID_undef, data, signature);
 		case SIGN_ECDSA_WITH_SHA1:
 			return verify_default_signature(this, data, signature);
 		case SIGN_ECDSA_256:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 6ed999f68..695913097 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -162,7 +162,6 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
-		case SIGN_DEFAULT:
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index f891802b3..89912f24c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -139,7 +139,6 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
author	Andreas Steffen <andreas.steffen@strongswan.org>	2009-06-12 19:59:35 +0200
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2009-06-12 19:59:49 +0200
commit	11e6d28533221ed829fd0369b52c1c3957ca5219 (patch)
tree	af08ca2df8dc9d25e66e725fa0c2c769731a2c6f /src/libstrongswan/plugins
parent	eca36f44de3344805707bf126f348ba3b6a290b1 (diff)
download	strongswan-11e6d28533221ed829fd0369b52c1c3957ca5219.tar.bz2 strongswan-11e6d28533221ed829fd0369b52c1c3957ca5219.tar.xz