authorMartin Willi <martin@strongswan.org>2009-08-24 14:19:51 +0200
committerMartin Willi <martin@strongswan.org>2009-08-26 11:23:52 +0200
commitb4b68b64b83c784ba6fac71b6acda1edfd4a5a62 (patch)
tree782696bbb57cb95330d7f389416209ece4c8209a /src
parent5bceb90c8660d7e6f33b1c9d3996d836918945e3 (diff)
downloadstrongswan-b4b68b64b83c784ba6fac71b6acda1edfd4a5a62.tar.bz2
strongswan-b4b68b64b83c784ba6fac71b6acda1edfd4a5a62.tar.xz
updated pluto to new fingerprinting API
Diffstat (limited to 'src')
-rw-r--r--src/pluto/dnskey.c14
-rw-r--r--src/pluto/ipsec_doi.c18
-rw-r--r--src/pluto/keys.c7
-rw-r--r--src/pluto/pgpcert.c16
-rw-r--r--src/pluto/x509.c25
5 files changed, 44 insertions, 36 deletions
diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c
index ea8419825..998a10c35 100644
--- a/src/pluto/dnskey.c
+++ b/src/pluto/dnskey.c
@@ -464,18 +464,18 @@ process_txt_rr_body(u_char *str
{
char cidb[BUF_LEN];
char gwidb[BUF_LEN];
- identification_t *keyid;
- public_key_t *pub_key;
+ chunk_t keyid;
+ public_key_t *key;
idtoa(client_id, cidb, sizeof(cidb));
idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
- pub_key = gi.key->public_key;
- keyid = pub_key->get_id(pub_key, ID_PUBKEY_SHA1);
+ key = gi.key->public_key;
- if (gi.gw_key_present)
+ if (gi.gw_key_present &&
+ key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid))
{
- DBG_log("gateway for %s is %s with key %Y"
- , cidb, gwidb, keyid);
+ DBG_log("gateway for %s is %s with key %#B"
+ , cidb, gwidb, &keyid);
}
else
{
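Review bot: Folding the fingerprint call into the condition at `if (gi.gw_key_present &&` merges two different outcomes: a gateway without a key and a gateway whose key is present but whose fingerprint could not be derived both take the `else` branch, whose body lies outside the hunk and presumably reports the gateway as keyless. If operators need to tell those apart in the log, keep `if (gi.gw_key_present)` as the outer test and log a separate message when `key->get_fingerprint()` returns false. The `keyid` chunk is not released here, which is correct only if get_fingerprint() hands out a chunk owned and cached by the key object — worth confirming against the public_key_t contract. process_txt_rr_body continues outside the hunk.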
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 57f4fb54b..d293037dd 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -1495,17 +1495,18 @@ struct tac_state {
static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
{
public_key_t *pub_key = kr->public_key;
- identification_t *keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
+ chunk_t keyid = chunk_empty;
signature_scheme_t scheme;
s->tried_cnt++;
scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
+ pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid);
if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
{
DBG(DBG_CRYPT | DBG_CONTROL,
- DBG_log("%s check passed with keyid %Y",
- enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
+ DBG_log("%s check passed with keyid %#B",
+ enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
)
unreference_key(&s->st->st_peer_pubkey);
s->st->st_peer_pubkey = reference_key(kr);
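Review bot: The return value of `pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid);` is discarded, so when no fingerprint can be derived both the "check passed" and "check failed" lines (the latter in the next hunk of take_a_crack) print an empty `%#B` with no hint why. Because `keyid` is initialised to `chunk_empty` this is memory-safe, but either log the failure explicitly or add a comment such as `/* keyid stays empty if no fingerprint is available; only used for logging */` so the empty field is not mistaken for a formatting bug. take_a_crack continues outside the hunk.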
@@ -1514,8 +1515,8 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
else
{
DBG(DBG_CRYPT,
- DBG_log("%s check failed with keyid %Y",
- enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
+ DBG_log("%s check failed with keyid %#B",
+ enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
)
return FALSE;
}
@@ -4491,14 +4492,12 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
next_step = vos_done;
{
public_key_t *pub_key;
- identification_t *p1st_keyid;
struct gw_info *gwp;
/* check that the public key that authenticated
* the ISAKMP SA (p1st) will do for this gateway.
*/
pub_key = p1st->st_peer_pubkey->public_key;
- p1st_keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
ugh = "peer's client does not delegate to peer";
for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
@@ -4510,9 +4509,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
* it implies fetching a KEY from the same
* place we must have gotten it.
*/
- if (!gwp->gw_key_present || p1st_keyid->equals(p1st_keyid,
- gwp->key->public_key->get_id(gwp->key->public_key,
- ID_PUBKEY_INFO_SHA1))
+ if (!gwp->gw_key_present ||
+ pub_key->equals(pub_key, gwp->key->public_key)
)
{
ugh = NULL; /* good! */
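Review bot: The new test `pub_key->equals(pub_key, gwp->key->public_key)` replaces a comparison of SHA-1 fingerprints over the SubjectPublicKeyInfo with a direct key comparison, a semantic change the commit message does not mention; a one-line comment such as `/* compare the keys themselves rather than their SHA1 fingerprints */` would keep the intent visible to the next reader. The old form would have dereferenced a NULL result from get_id() before this hunk, so the rewrite also removes that hazard. quick_inI1_outR1_process_answer starts and ends outside the hunk.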
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 31190340d..249d89100 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -1433,7 +1433,7 @@ void list_public_keys(bool utc)
{
pubkey_t *key = p->key;
public_key_t *public = key->public_key;
- identification_t *keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+ chunk_t keyid;
char buf[BUF_LEN];
idtoa(&key->id, buf, BUF_LEN);
@@ -1443,7 +1443,10 @@ void list_public_keys(bool utc)
public->get_keysize(public) * BITS_PER_BYTE,
&key->until_time, utc,
check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
- whack_log(RC_COMMENT," keyid: %Y", keyid);
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ whack_log(RC_COMMENT," keyid: %#B", &keyid);
+ }
if (key->issuer.len > 0)
{
dntoa(buf, BUF_LEN, key->issuer);
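Review bot: When `public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)` fails, the `keyid:` line is silently dropped from the whack listing, so an operator cannot distinguish a key whose fingerprint is unavailable from an output glitch; the same pattern appears in list_pgp_end_certs (pgpcert.c) and list_x509cert_chain (x509.c) in this commit. Either add an `else` that emits `whack_log(RC_COMMENT, " keyid: (unavailable)");` or note next to the `if` that the omission is intentional. list_public_keys continues outside the hunk.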
diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c
index 5f58aab1a..3cbfeb717 100644
--- a/src/pluto/pgpcert.c
+++ b/src/pluto/pgpcert.c
@@ -282,12 +282,15 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
}
else
{
+ chunk_t fp;
+
/* V3 fingerprint is computed by public_key_t class */
- cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID);
- if (cert->fingerprint == NULL)
+ if (!cert->public_key->get_fingerprint(cert->public_key, KEY_ID_PGPV3,
+ &fp))
{
return FALSE;
}
+ cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, fp);
}
return TRUE;
}
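Review bot: `cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, fp);` changes who owns the fingerprint object: the former `get_id()` result was presumably owned by the key, whereas this call returns a fresh identification_t that the certificate now holds. Confirm that the pgpcert_t teardown destroys `cert->fingerprint` (and did not previously skip it because the key owned it); otherwise every parsed V3 key leaks an identification_t. A short comment at the assignment, `/* cert owns this identification_t; released with the cert */`, would document the contract, and whether `fp` itself must be released depends on whether get_fingerprint() returns a cached chunk — verify against the public_key_t interface.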
@@ -484,6 +487,7 @@ void list_pgp_end_certs(bool utc)
while (cert != NULL)
{
public_key_t *key = cert->public_key;
+ chunk_t keyid;
cert_t c;
c.type = CERT_PGP;
@@ -496,10 +500,12 @@ void list_pgp_end_certs(bool utc)
check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
whack_log(RC_COMMENT, " pubkey: %N %4d bits%s",
key_type_names, key->get_type(key),
- key->get_keysize(key) * BITS_PER_BYTE,
+ key->get_keysize(key) * BITS_PER_BYTE,
has_private_key(c)? ", has private key" : "");
- whack_log(RC_COMMENT, " keyid: %Y",
- key->get_id(key, ID_PUBKEY_INFO_SHA1));
+ if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ whack_log(RC_COMMENT, " keyid: %#B", &keyid);
+ }
cert = cert->next;
}
}
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index b019f42c3..889c22e57 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -1121,14 +1121,14 @@ static chunk_t build_tbs_x509cert(x509cert_t *cert, public_key_t *rsa)
{
/* version is always X.509v3 */
chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
-
+ chunk_t key = chunk_empty;
chunk_t extensions = chunk_empty;
- chunk_t key = rsa->get_encoding(rsa);
+ rsa->get_encoding(rsa, KEY_PUB_ASN1_DER, &key);
chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- asn1_bitstring("m", key));
+ asn1_bitstring("m", key));
if (cert->subjectAltName != NULL)
{
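Review bot: The result of `rsa->get_encoding(rsa, KEY_PUB_ASN1_DER, &key);` is ignored, so if the encoding fails `key` stays `chunk_empty` and an empty BIT STRING is wrapped into `keyInfo`, yielding a certificate body with no public key and no error raised. Check the return value before building keyInfo, e.g. `if (!rsa->get_encoding(rsa, KEY_PUB_ASN1_DER, &key)) { return chunk_empty; }`; how callers react to an empty return is outside the hunk and should be checked alongside. build_tbs_x509cert continues outside the hunk.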
@@ -1398,17 +1398,15 @@ void gntoid(struct id *id, const generalName_t *gn)
*/
bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
{
- identification_t *keyid;
- chunk_t encoding;
-
- keyid = cert->public_key->get_id(cert->public_key, ID_PUBKEY_SHA1);
- if (keyid == NULL)
+ chunk_t fingerprint;
+
+ if (!cert->public_key->get_fingerprint(cert->public_key, KEY_ID_PUBKEY_SHA1,
+ &fingerprint))
{
plog(" unable to compute subjectKeyID");
return FALSE;
}
- encoding = keyid->get_encoding(keyid);
- memcpy(subjectKeyID.ptr, encoding.ptr, subjectKeyID.len);
+ memcpy(subjectKeyID.ptr, fingerprint.ptr, subjectKeyID.len);
return TRUE;
}
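Review bot: `memcpy(subjectKeyID.ptr, fingerprint.ptr, subjectKeyID.len);` copies `subjectKeyID.len` bytes out of `fingerprint` without checking `fingerprint.len`, so a fingerprint shorter than the caller's buffer reads past the chunk; the removed code had the same gap, but the line is rewritten here. Add `if (fingerprint.len < subjectKeyID.len) { return FALSE; }` before the memcpy (or copy the smaller of the two lengths) and route that case through the existing `plog` message so the failure is visible.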
@@ -2070,6 +2068,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
{
u_char buf[BUF_LEN];
public_key_t *key = cert->public_key;
+ chunk_t keyid;
cert_t c;
c.type = CERT_X509_SIGNATURE;
@@ -2103,8 +2102,10 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
key->get_keysize(key) * BITS_PER_BYTE,
cert->smartcard ? ", on smartcard" :
(has_private_key(c)? ", has private key" : ""));
- whack_log(RC_COMMENT, " keyid: %Y",
- key->get_id(key, ID_PUBKEY_INFO_SHA1));
+ if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ whack_log(RC_COMMENT, " keyid: %#B", &keyid);
+ }
if (cert->subjectKeyID.ptr != NULL)
{
datatot(cert->subjectKeyID.ptr, cert->subjectKeyID.len, ':',