-rw-r--r--src/libstrongswan/Makefile.am1
-rwxr-xr-xsrc/libstrongswan/asn1/pem.c393
-rwxr-xr-xsrc/libstrongswan/asn1/pem.h29
-rw-r--r--src/pluto/Makefile.am1
-rw-r--r--src/pluto/certs.c67
-rw-r--r--src/pluto/certs.h2
-rw-r--r--src/pluto/fetch.c2
-rw-r--r--src/pluto/pem.c127
-rw-r--r--src/pluto/pem.h18
-rw-r--r--src/scepclient/Makefile.am5
10 files changed, 1 insertions, 644 deletions
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 1777daa06..9dabcfa9b 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -10,7 +10,6 @@ printf_hook.c printf_hook.h \
asn1/asn1.c asn1/asn1.h \
asn1/asn1_parser.c asn1/asn1_parser.h \
asn1/oid.c asn1/oid.h \
-asn1/pem.c asn1/pem.h \
crypto/crypters/crypter.c crypto/crypters/crypter.h \
crypto/hashers/hasher.h crypto/hashers/hasher.c \
crypto/pkcs9.c crypto/pkcs9.h \
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
deleted file mode 100755
index 059795548..000000000
--- a/src/libstrongswan/asn1/pem.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * Copyright (C) 2001-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-
-#include "pem.h"
-
-#include <library.h>
-#include <debug.h>
-#include <asn1/asn1.h>
-
-#include <utils/lexparser.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-
-#define PKCS5_SALT_LEN 8 /* bytes */
-
-/**
- * check the presence of a pattern in a character string
- */
-static bool present(const char* pattern, chunk_t* ch)
-{
- u_int pattern_len = strlen(pattern);
-
- if (ch->len >= pattern_len && strneq(ch->ptr, pattern, pattern_len))
- {
- ch->ptr += pattern_len;
- ch->len -= pattern_len;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * find a boundary of the form -----tag name-----
- */
-static bool find_boundary(const char* tag, chunk_t *line)
-{
- chunk_t name = chunk_empty;
-
- if (!present("-----", line))
- return FALSE;
- if (!present(tag, line))
- return FALSE;
- if (*line->ptr != ' ')
- return FALSE;
- line->ptr++; line->len--;
-
- /* extract name */
- name.ptr = line->ptr;
- while (line->len > 0)
- {
- if (present("-----", line))
- {
- DBG2(" -----%s %.*s-----", tag, (int)name.len, name.ptr);
- return TRUE;
- }
- line->ptr++; line->len--; name.len++;
- }
- return FALSE;
-}
-
-/*
- * decrypts a passphrase protected encrypted data block
- */
-static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
- chunk_t *iv, chunk_t passphrase)
-{
- hasher_t *hasher;
- crypter_t *crypter;
- chunk_t salt = { iv->ptr, PKCS5_SALT_LEN };
- chunk_t hash;
- chunk_t decrypted;
- chunk_t key = {alloca(key_size), key_size};
- u_int8_t padding, *last_padding_pos, *first_padding_pos;
-
- if (passphrase.len == 0)
- {
- DBG1(" missing passphrase");
- return INVALID_ARG;
- }
-
- /* build key from passphrase and IV */
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
- if (hasher == NULL)
- {
- DBG1(" MD5 hash algorithm not available");
- return NOT_SUPPORTED;
- }
- hash.len = hasher->get_hash_size(hasher);
- hash.ptr = alloca(hash.len);
- hasher->get_hash(hasher, passphrase, NULL);
- hasher->get_hash(hasher, salt, hash.ptr);
- memcpy(key.ptr, hash.ptr, hash.len);
-
- if (key.len > hash.len)
- {
- hasher->get_hash(hasher, hash, NULL);
- hasher->get_hash(hasher, passphrase, NULL);
- hasher->get_hash(hasher, salt, hash.ptr);
- memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
- }
- hasher->destroy(hasher);
-
- /* decrypt blob */
- crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
- if (crypter == NULL)
- {
- DBG1(" %N encryption algorithm not available",
- encryption_algorithm_names, alg);
- return NOT_SUPPORTED;
- }
- crypter->set_key(crypter, key);
-
- if (iv->len != crypter->get_block_size(crypter) ||
- blob->len % iv->len)
- {
- crypter->destroy(crypter);
- DBG1(" data size is not multiple of block size");
- return PARSE_ERROR;
- }
- crypter->decrypt(crypter, *blob, *iv, &decrypted);
- crypter->destroy(crypter);
- memcpy(blob->ptr, decrypted.ptr, blob->len);
- chunk_free(&decrypted);
-
- /* determine amount of padding */
- last_padding_pos = blob->ptr + blob->len - 1;
- padding = *last_padding_pos;
- first_padding_pos = (padding > blob->len) ? blob->ptr : last_padding_pos - padding;
-
- /* check the padding pattern */
- while (--last_padding_pos > first_padding_pos)
- {
- if (*last_padding_pos != padding)
- {
- DBG1(" invalid passphrase");
- return INVALID_ARG;
- }
- }
- /* remove padding */
- blob->len -= padding;
- return SUCCESS;
-}
-
-/* Converts a PEM encoded file into its binary form
- *
- * RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
- * RFC 934 Message Encapsulation, January 1985
- */
-status_t pem_to_bin(chunk_t *blob, chunk_t passphrase, bool *pgp)
-{
- typedef enum {
- PEM_PRE = 0,
- PEM_MSG = 1,
- PEM_HEADER = 2,
- PEM_BODY = 3,
- PEM_POST = 4,
- PEM_ABORT = 5
- } state_t;
-
- encryption_algorithm_t alg = ENCR_UNDEFINED;
- size_t key_size = 0;
-
- bool encrypted = FALSE;
-
- state_t state = PEM_PRE;
-
- chunk_t src = *blob;
- chunk_t dst = *blob;
- chunk_t line = chunk_empty;
- chunk_t iv = chunk_empty;
-
- u_char iv_buf[16]; /* MD5 digest size */
-
- /* zero size of converted blob */
- dst.len = 0;
-
- /* zero size of IV */
- iv.ptr = iv_buf;
- iv.len = 0;
-
- while (fetchline(&src, &line))
- {
- if (state == PEM_PRE)
- {
- if (find_boundary("BEGIN", &line))
- {
- state = PEM_MSG;
- }
- continue;
- }
- else
- {
- if (find_boundary("END", &line))
- {
- state = PEM_POST;
- break;
- }
- if (state == PEM_MSG)
- {
- state = (memchr(line.ptr, ':', line.len) == NULL) ? PEM_BODY : PEM_HEADER;
- }
- if (state == PEM_HEADER)
- {
- err_t ugh = NULL;
- chunk_t name = chunk_empty;
- chunk_t value = chunk_empty;
-
- /* an empty line separates HEADER and BODY */
- if (line.len == 0)
- {
- state = PEM_BODY;
- continue;
- }
-
- /* we are looking for a parameter: value pair */
- DBG2(" %.*s", (int)line.len, line.ptr);
- ugh = extract_parameter_value(&name, &value, &line);
- if (ugh != NULL)
- {
- continue;
- }
- if (match("Proc-Type", &name) && *value.ptr == '4')
- {
- encrypted = TRUE;
- }
- else if (match("DEK-Info", &name))
- {
- chunk_t dek;
-
- if (!extract_token(&dek, ',', &value))
- {
- dek = value;
- }
- if (match("DES-EDE3-CBC", &dek))
- {
- alg = ENCR_3DES;
- key_size = 24;
- }
- else if (match("AES-128-CBC", &dek))
- {
- alg = ENCR_AES_CBC;
- key_size = 16;
- }
- else if (match("AES-192-CBC", &dek))
- {
- alg = ENCR_AES_CBC;
- key_size = 24;
- }
- else if (match("AES-256-CBC", &dek))
- {
- alg = ENCR_AES_CBC;
- key_size = 32;
- }
- else
- {
- DBG1(" encryption algorithm '%.s' not supported",
- dek.len, dek.ptr);
- return NOT_SUPPORTED;
- }
- eat_whitespace(&value);
- iv = chunk_from_hex(value, iv.ptr);
- }
- }
- else /* state is PEM_BODY */
- {
- chunk_t data;
-
- /* remove any trailing whitespace */
- if (!extract_token(&data ,' ', &line))
- {
- data = line;
- }
-
- /* check for PGP armor checksum */
- if (*data.ptr == '=')
- {
- *pgp = TRUE;
- data.ptr++;
- data.len--;
- DBG2(" armor checksum: %.*s", (int)data.len, data.ptr);
- continue;
- }
-
- if (blob->len - dst.len < data.len / 4 * 3)
- {
- state = PEM_ABORT;
- }
- data = chunk_from_base64(data, dst.ptr);
-
- dst.ptr += data.len;
- dst.len += data.len;
- }
- }
- }
- /* set length to size of binary blob */
- blob->len = dst.len;
-
- if (state != PEM_POST)
- {
- DBG1(" file coded in unknown format, discarded");
- return PARSE_ERROR;
- }
- if (!encrypted)
- {
- return SUCCESS;
- }
- return pem_decrypt(blob, alg, key_size, &iv, passphrase);
-
-}
-
-/* load a coded key or certificate file with autodetection
- * of binary DER or base64 PEM ASN.1 formats and armored PGP format
- */
-bool pem_asn1_load_file(char *filename, chunk_t *passphrase,
- chunk_t *blob, bool *pgp)
-{
- FILE *fd = fopen(filename, "r");
-
- if (fd)
- {
- chunk_t pass = chunk_empty;
- int bytes;
-
- fseek(fd, 0, SEEK_END );
- blob->len = ftell(fd);
- rewind(fd);
- blob->ptr = malloc(blob->len);
- bytes = fread(blob->ptr, 1, blob->len, fd);
- fclose(fd);
- DBG2(" loading '%s' (%d bytes)", filename, bytes);
-
- *pgp = FALSE;
-
- /* try DER format */
- if (is_asn1(*blob))
- {
- DBG2(" file coded in DER format");
- return TRUE;
- }
-
- if (passphrase != NULL)
- {
- pass = *passphrase;
- DBG4(" passphrase: %#B", passphrase);
- }
-
- /* try PEM format */
- if (pem_to_bin(blob, pass, pgp) == SUCCESS)
- {
- if (*pgp)
- {
- DBG2(" file coded in armored PGP format");
- return TRUE;
- }
- if (is_asn1(*blob))
- {
- DBG2(" file coded in PEM format");
- return TRUE;
- }
- DBG1(" file coded in unknown format, discarded");
- }
-
- /* a conversion error has occured */
- chunk_free(blob);
- }
- else
- {
- DBG1(" reading file '%s' failed", filename);
- }
- return FALSE;
-}
-
diff --git a/src/libstrongswan/asn1/pem.h b/src/libstrongswan/asn1/pem.h
deleted file mode 100755
index 7385330d7..000000000
--- a/src/libstrongswan/asn1/pem.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2001-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef PEM_H_
-#define PEM_H_
-
-#include <stdio.h>
-
-#include <library.h>
-
-status_t pem_to_bin(chunk_t *blob, chunk_t passphrase, bool *pgp);
-
-bool pem_asn1_load_file(char *filename, chunk_t *passphrase, chunk_t *blob,
- bool *pgp);
-
-#endif /*PEM_H_ @} */
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index e5d897ec3..81677b314 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -36,7 +36,6 @@ modecfg.c modecfg.h \
nat_traversal.c nat_traversal.h \
ocsp.c ocsp.h \
packet.c packet.h \
-pem.c pem.h \
pgpcert.c pgpcert.h \
pkcs7.c pkcs7.h \
plutomain.c \
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
index f7ad8ad4a..902a1f5df 100644
--- a/src/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -28,7 +28,6 @@
#include "defs.h"
#include "log.h"
#include "id.h"
-#include "pem.h"
#include "certs.h"
#include "whack.h"
#include "builder.h"
@@ -69,72 +68,6 @@ public_key_t* cert_get_public_key(const cert_t cert)
}
}
-/* load a coded key or certificate file with autodetection
- * of binary DER or base64 PEM ASN.1 formats and armored PGP format
- */
-bool load_coded_file(char *filename, prompt_pass_t *pass, const char *type,
- chunk_t *blob, bool *pgp)
-{
- err_t ugh = NULL;
-
- FILE *fd = fopen(filename, "r");
-
- if (fd)
- {
- int bytes;
- fseek(fd, 0, SEEK_END );
- blob->len = ftell(fd);
- rewind(fd);
- blob->ptr = malloc(blob->len);
- bytes = fread(blob->ptr, 1, blob->len, fd);
- fclose(fd);
- plog(" loaded %s file '%s' (%d bytes)", type, filename, bytes);
-
- *pgp = FALSE;
-
- /* try DER format */
- if (is_asn1(*blob))
- {
- DBG(DBG_PARSING,
- DBG_log(" file coded in DER format");
- )
- return TRUE;
- }
-
- /* try PEM format */
- ugh = pemtobin(blob, pass, filename, pgp);
-
- if (ugh == NULL)
- {
- if (*pgp)
- {
- DBG(DBG_PARSING,
- DBG_log(" file coded in armored PGP format");
- )
- return TRUE;
- }
- if (is_asn1(*blob))
- {
- DBG(DBG_PARSING,
- DBG_log(" file coded in PEM format");
- )
- return TRUE;
- }
- ugh = "file coded in unknown format, discarded";
- }
-
- /* a conversion error has occured */
- plog(" %s", ugh);
- free(blob->ptr);
- *blob = chunk_empty;
- }
- else
- {
- plog(" could not open %s file '%s'", type, filename);
- }
- return FALSE;
-}
-
/**
* Passphrase callback to read from whack fd
*/
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
index 0810c52fa..1bd03edcd 100644
--- a/src/pluto/certs.h
+++ b/src/pluto/certs.h
@@ -66,8 +66,6 @@ extern public_key_t* cert_get_public_key(const cert_t cert);
extern chunk_t cert_get_encoding(cert_t cert);
extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
key_type_t type);
-extern bool load_coded_file(char *filename, prompt_pass_t *pass,
- const char *type, chunk_t *blob, bool *pgp);
extern bool load_cert(char *filename, const char *label, cert_t *cert);
extern bool load_host_cert(char *filename, cert_t *cert);
extern bool load_ca_cert(char *filename, cert_t *cert);
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index c636266de..827c83d55 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -28,13 +28,11 @@
#include <library.h>
#include <debug.h>
#include <asn1/asn1.h>
-#include <asn1/pem.h>
#include "constants.h"
#include "defs.h"
#include "log.h"
#include "id.h"
-#include "pem.h"
#include "x509.h"
#include "ca.h"
#include "whack.h"
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
deleted file mode 100644
index 1a4a99af7..000000000
--- a/src/pluto/pem.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* Loading of PEM encoded files with optional encryption
- * Copyright (C) 2001-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/* decrypt a PEM encoded data block using DES-EDE3-CBC
- * see RFC 1423 PEM: Algorithms, Modes and Identifiers
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <asn1/pem.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "whack.h"
-#include "pem.h"
-
-/**
- * Converts a PEM encoded file into its binary form
- * RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
- * RFC 934 Message Encapsulation, January 1985
- */
-err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label, bool *pgp)
-{
- chunk_t password = chunk_empty;
-
- /* do we prompt for the passphrase? */
- if (pass && pass->prompt && pass->fd != NULL_FD)
- {
- int i;
- chunk_t blob_copy;
- err_t ugh = "invalid passphrase, too many trials";
- status_t status;
-
- whack_log(RC_ENTERSECRET, "need passphrase for '%s'", label);
-
- for (i = 0; i < MAX_PROMPT_PASS_TRIALS; i++)
- {
- int n;
-
- if (i > 0)
- {
- whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
- }
- n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-
- if (n == -1)
- {
- err_t ugh = "read(whackfd) failed";
-
- whack_log(RC_LOG_SERIOUS,ugh);
- return ugh;
- }
-
- pass->secret[n-1] = '\0';
-
- if (strlen(pass->secret) == 0)
- {
- err_t ugh = "no passphrase entered, aborted";
-
- whack_log(RC_LOG_SERIOUS, ugh);
- return ugh;
- }
-
- blob_copy = chunk_clone(*blob);
- password = chunk_create(pass->secret, strlen(pass->secret));
-
- status = pem_to_bin(blob, password, pgp);
- if (status != INVALID_ARG)
- {
- if (status == SUCCESS)
- {
- whack_log(RC_SUCCESS, "valid passphrase");
- }
- else
- {
- whack_log(RC_LOG_SERIOUS, "%N, aborted", status_names, status);
- }
- free(blob_copy.ptr);
- return NULL;
- }
-
- /* blob is useless after wrong decryption, restore the original */
- free(blob->ptr);
- *blob = blob_copy;
- }
- whack_log(RC_LOG_SERIOUS, ugh);
- return ugh;
- }
- else
- {
- if (pass)
- {
- password = chunk_create(pass->secret, strlen(pass->secret));
- }
- if (pem_to_bin(blob, password, pgp) == SUCCESS)
- {
- return NULL;
- }
- else
- {
- return "pem to bin conversion failed";
- }
- }
-}
diff --git a/src/pluto/pem.h b/src/pluto/pem.h
deleted file mode 100644
index 5e97b99ed..000000000
--- a/src/pluto/pem.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* Loading of PEM encoded files with optional encryption
- * Copyright (C) 2001-2009 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-extern err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label,
- bool *pgp);
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 20bf76065..68dddb244 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -27,7 +27,7 @@ LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
scepclient_LDADD = \
ca.o crl.o certs.o constants.o defs.o fetch.o id.o keys.o lex.o \
-ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \
+ocsp.o pgpcert.o pkcs7.o smartcard.o x509.o \
$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
$(LIBFREESWANBUILDDIR)/libfreeswan.a
@@ -69,9 +69,6 @@ lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
$(COMPILE) $(INCLUDES) -c -o $@ $<
-pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
- $(COMPILE) $(INCLUDES) -c -o $@ $<
-
pgpcert.o : $(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h
$(COMPILE) $(INCLUDES) -c -o $@ $<