Diffstat (limited to 'src/libstrongswan/crypto')
-rw-r--r-- | src/libstrongswan/crypto/certinfo.c | 30 | ||||
-rw-r--r-- | src/libstrongswan/crypto/certinfo.h | 56 | ||||
-rwxr-xr-x | src/libstrongswan/crypto/crl.c | 137 | ||||
-rwxr-xr-x | src/libstrongswan/crypto/crl.h | 18 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypters/crypter.c | 38 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypters/crypter.h | 6 | ||||
-rw-r--r-- | src/libstrongswan/crypto/diffie_hellman.c | 33 | ||||
-rw-r--r-- | src/libstrongswan/crypto/diffie_hellman.h | 6 | ||||
-rw-r--r-- | src/libstrongswan/crypto/hashers/hasher.c | 21 | ||||
-rw-r--r-- | src/libstrongswan/crypto/hashers/hasher.h | 16 | ||||
-rw-r--r-- | src/libstrongswan/crypto/prfs/prf.c | 20 | ||||
-rw-r--r-- | src/libstrongswan/crypto/prfs/prf.h | 6 | ||||
-rw-r--r-- | src/libstrongswan/crypto/signers/signer.c | 22 | ||||
-rw-r--r-- | src/libstrongswan/crypto/signers/signer.h | 6 | ||||
-rwxr-xr-x | src/libstrongswan/crypto/x509.c | 284 | ||||
-rwxr-xr-x | src/libstrongswan/crypto/x509.h | 17 |
16 files changed, 359 insertions, 357 deletions
diff --git a/src/libstrongswan/crypto/certinfo.c b/src/libstrongswan/crypto/certinfo.c index a289d6562..20a695753 100644 --- a/src/libstrongswan/crypto/certinfo.c +++ b/src/libstrongswan/crypto/certinfo.c @@ -69,24 +69,15 @@ struct private_certinfo_t { crl_reason_t revocationReason; }; -/** - * RFC 2560 OCSP - certificate status - */ -static const char *const cert_status_name[] = { +ENUM(cert_status_names, CERT_GOOD, CERT_UNTRUSTED, "good", "revoked", "unknown", "unknown", - "untrusted" - }; - -enum_names cert_status_names = - { CERT_GOOD, CERT_UNTRUSTED, cert_status_name, NULL}; + "untrusted", +); -/** - * RFC 2459 CRL reason codes - */ -static const char *const crl_reason_name[] = { +ENUM(crl_reason_names, REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL, "unspecified", "key compromise", "ca compromise", @@ -95,11 +86,8 @@ static const char *const crl_reason_name[] = { "cessation of operation", "certificate hold", "reason #7", - "remove from crl" - }; - -enum_names crl_reason_names = - { REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL, crl_reason_name, NULL}; + "remove from crl", +); /** * Implements certinfo_t.get_serialNumber @@ -168,9 +156,9 @@ static void set_revocationReason(private_certinfo_t *this, crl_reason_t reason) /** * Implements certinfo_t.get_revocationReason */ -static const char *get_revocationReason(const private_certinfo_t *this) +static crl_reason_t get_revocationReason(const private_certinfo_t *this) { - return enum_name(&crl_reason_names, this->revocationReason); + return this->revocationReason; } /** 
@@ -205,7 +193,7 @@ certinfo_t *certinfo_create(chunk_t serial) this->public.set_revocationTime = (void (*) (certinfo_t*,time_t))set_revocationTime; this->public.get_revocationTime = (time_t (*) (const certinfo_t*))get_revocationTime; this->public.set_revocationReason = (void (*) (certinfo_t*, crl_reason_t))set_revocationReason; - this->public.get_revocationReason = (const char *(*) (const certinfo_t*))get_revocationReason; + this->public.get_revocationReason = (crl_reason_t(*) (const certinfo_t*))get_revocationReason; this->public.destroy = (void (*) (certinfo_t*))destroy; return &this->public; diff --git a/src/libstrongswan/crypto/certinfo.h b/src/libstrongswan/crypto/certinfo.h index 45090eafc..6561462a7 100644 --- a/src/libstrongswan/crypto/certinfo.h +++ b/src/libstrongswan/crypto/certinfo.h @@ -29,8 +29,6 @@ /** * RFC 2560 OCSP - certificate status */ -extern enum_names cert_status_names; - typedef enum { CERT_GOOD = 0, CERT_REVOKED = 1, @@ -39,12 +37,11 @@ typedef enum { CERT_UNTRUSTED = 4 /* private use */ } cert_status_t; +extern enum_name_t *cert_status_names; + /** * RFC 2459 CRL reason codes */ - -extern enum_names crl_reason_names; - typedef enum { REASON_UNSPECIFIED = 0, REASON_KEY_COMPROMISE = 1, @@ -56,6 +53,8 @@ typedef enum { REASON_REMOVE_FROM_CRL = 8 } crl_reason_t; +extern enum_name_t *crl_reason_names; + typedef struct certinfo_t certinfo_t; /** 
@@ -67,85 +66,76 @@ typedef struct certinfo_t certinfo_t; struct certinfo_t { /** - * @brief Get serial number - * - * + * @brief Get serial number. + * * @param this calling object * @return serialNumber */ chunk_t (*get_serialNumber) (const certinfo_t *this); /** - * @brief Set certificate status - * - * + * @brief Set certificate status. + * * @param this calling object * @param status status */ void (*set_status) (certinfo_t *this, cert_status_t status); /** - * @brief Get certificate status - * - * + * @brief Get certificate status. + * * @param this calling object * @return status */ cert_status_t (*get_status) (const certinfo_t *this); /** - * @brief Set nextUpdate - * - * + * @brief Set nextUpdate. + * * @param this calling object * @return nextUpdate */ void (*set_nextUpdate) (certinfo_t *this, time_t nextUpdate); /** - * @brief Get nextUpdate - * - * + * @brief Get nextUpdate. + * * @param this calling object * @return nextUpdate */ time_t (*get_nextUpdate) (const certinfo_t *this); /** - * @brief Set revocationTime - * - * + * @brief Set revocationTime. + * * @param this calling object * @param revocationTime revocationTime */ void (*set_revocationTime) (certinfo_t *this, time_t revocationTime); /** - * @brief Get revocationTime - * - * + * @brief Get revocationTime. + * * @param this calling object * @return revocationTime */ time_t (*get_revocationTime) (const certinfo_t *this); /** - * @brief Set revocationReason - * - * + * @brief Set revocationReason. + * * @param this calling object * @param reason revocationReason */ void (*set_revocationReason) (certinfo_t *this, crl_reason_t reason); /** - * @brief Get revocationReason - * - * + * @brief Get revocationReason. + * * @param this calling object * @return revocationReason */ - const char *(*get_revocationReason) (const certinfo_t *this); + crl_reason_t (*get_revocationReason) (const certinfo_t *this); /** * @brief Destroys the certinfo_t object. 
diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c index 1f41c0a76..b2c24b80b 100755 --- a/src/libstrongswan/crypto/crl.c +++ b/src/libstrongswan/crypto/crl.c @@ -23,13 +23,14 @@ #include <sys/stat.h> #include <unistd.h> #include <string.h> +#include <printf.h> #include <types.h> +#include <library.h> #include <definitions.h> #include <asn1/oid.h> #include <asn1/asn1.h> #include <asn1/pem.h> -#include <utils/logger_manager.h> #include <utils/linked_list.h> #include <utils/identification.h> @@ -39,7 +40,6 @@ #define CRL_WARNING_INTERVAL 7 /* days */ -static logger_t *logger; extern char* check_expiry(time_t expiration_date, int warning_interval, bool strict); extern time_t parse_time(chunk_t blob, int level0); extern void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber); @@ -206,9 +206,9 @@ static crl_reason_t parse_crl_reasonCode(chunk_t object) { reason = *object.ptr; } - logger->log(logger, CONTROL|LEVEL2, " '%s'", enum_name(&crl_reason_names, reason)); + DBG2(" '%N'", crl_reason_names, reason); - return reason; + return reason; } /** @@ -219,7 +219,7 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) asn1_ctx_t ctx; bool critical; chunk_t extnID; - chunk_t userCertificate; + chunk_t userCertificate = CHUNK_INITIALIZER; revokedCert_t *revokedCert = NULL; chunk_t object; u_int level; 
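Review bot: `#include <printf.h>` pulls in the GNU libc printf-hook API (`register_printf_function`, `struct printf_info`, `PA_INT`) without any guard, so crl.c no longer builds on a libc that lacks it; the first x509.c hunk adds the same unguarded include. If glibc is the only supported target, a one-line comment at the include such as `/* glibc-only: printf hooks via register_printf_function() */` makes the dependency explicit; otherwise the include and the constructor that registers the hook belong under `#ifdef __GLIBC__`.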
@@ -245,14 +245,14 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) break; case CRL_OBJ_VERSION: crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1; - logger->log(logger, CONTROL|LEVEL2, " v%d", crl->version); + DBG2(" v%d", crl->version); break; case CRL_OBJ_SIG_ALG: crl->sigAlg = parse_algorithmIdentifier(object, level, NULL); break; case CRL_OBJ_ISSUER: crl->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - logger->log(logger, CONTROL|LEVEL1, " '%D'", crl->issuer); + DBG2(" '%D'", crl->issuer); break; case CRL_OBJ_THIS_UPDATE: crl->thisUpdate = parse_time(object, level); @@ -277,7 +277,7 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) case CRL_OBJ_CRL_ENTRY_CRITICAL: case CRL_OBJ_CRITICAL: critical = object.len && *object.ptr; - logger->log(logger, CONTROL|LEVEL2, " %s",(critical)?"TRUE":"FALSE"); + DBG2(" %s",(critical)?"TRUE":"FALSE"); break; case CRL_OBJ_CRL_ENTRY_EXTN_VALUE: case CRL_OBJ_EXTN_VALUE: 
@@ -314,25 +314,22 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) */ static err_t is_valid(const private_crl_t *this, time_t *until, bool strict) { - char buf[TIMETOA_BUF]; - time_t current_time = time(NULL); - timetoa(buf, BUF_LEN, &this->thisUpdate, TRUE); - logger->log(logger, CONTROL|LEVEL1, " this update : %s", buf); - timetoa(buf, BUF_LEN, ¤t_time, TRUE); - logger->log(logger, CONTROL|LEVEL1, " current time: %s", buf); - timetoa(buf, BUF_LEN, &this->nextUpdate, TRUE); - logger->log(logger, CONTROL|LEVEL1, " next update: %s", buf); - - if (strict && until != NULL - && (*until == UNDEFINED_TIME || this->nextUpdate < *until)) + DBG2(" this update : %T", this->thisUpdate); + DBG2(" current time: %T", current_time); + DBG2(" next update: %T", this->nextUpdate); + + if (strict && until != NULL && + (*until == UNDEFINED_TIME || this->nextUpdate < *until)) { *until = this->nextUpdate; } if (current_time > this->nextUpdate) + { return "has expired"; - logger->log(logger, CONTROL|LEVEL1, " crl is valid", buf); + } + DBG2(" crl is valid"); return NULL; } 
@@ -437,38 +434,88 @@ static void destroy(private_crl_t *this) } /** - * log crl + * output handler in printf() */ -static void log_crl(const private_crl_t *this, logger_t *logger, bool utc, bool strict) +static int print(FILE *stream, const struct printf_info *info, + const void *const *args) { - identification_t *issuer = this->issuer; - linked_list_t *revokedCertificates = this->revokedCertificates; - - char buf[BUF_LEN]; - - timetoa(buf, BUF_LEN, &this->installed, utc); - logger->log(logger, CONTROL, "%s, revoked certs: %d", - buf, revokedCertificates->get_count(revokedCertificates)); - - logger->log(logger, CONTROL, " issuer: '%D'", issuer); + private_crl_t *this = *((private_crl_t**)(args[0])); + bool utc = TRUE; + int written = 0; + time_t now; - timetoa(buf, BUF_LEN, &this->thisUpdate, utc); - logger->log(logger, CONTROL, " updates: this %s", buf); + if (info->alt) + { + utc = *((bool*)(args[1])); + } - timetoa(buf, BUF_LEN, &this->nextUpdate, utc); - logger->log(logger, CONTROL, " next %s %s", buf, - check_expiry(this->nextUpdate, CRL_WARNING_INTERVAL, strict)); + if (this == NULL) + { + return fprintf(stream, "(null)"); + } + + now = time(NULL); + + written += fprintf(stream, " issuer: %D\n", this->issuer); + written += fprintf(stream, " installed: %#T, revoked certs: %d\n", this->installed, utc, + this->revokedCertificates->get_count(this->revokedCertificates)); + written += fprintf(stream, " updates: this %#T\n", this->thisUpdate, utc); + written += fprintf(stream, " next %#T "); + if (this->nextUpdate == UNDEFINED_TIME) + { + written += fprintf(stream, "ok (expires never)"); + } + else if (now > this->nextUpdate) + { + written += fprintf(stream, "expired (since %V)", now, this->nextUpdate); + } + else if (now > this->nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24) + { + written += fprintf(stream, "ok (expires in %V)", now, this->nextUpdate); + } + else + { + written += fprintf(stream, "ok"); + } + if (this->authKeyID.ptr) + { + written += 
fprintf(stream, "\n authkey: %#B", &this->authKeyID); + } + if (this->authKeySerialNumber.ptr) + { + written += fprintf(stream, "\n aserial: %#B", &this->authKeySerialNumber); + } + return written; +} - if (this->authKeyID.ptr != NULL) +/** + * arginfo handler in printf() + */ +static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes) +{ + if (info->alt) { - chunk_to_hex(buf, BUF_LEN, this->authKeyID); - logger->log(logger, CONTROL, " authkey: %s", buf); + if (n > 1) + { + argtypes[0] = PA_INT; + argtypes[1] = PA_INT; + } + return 2; } - if (this->authKeySerialNumber.ptr != NULL) + + if (n > 0) { - chunk_to_hex(buf, BUF_LEN, this->authKeySerialNumber); - logger->log(logger, CONTROL, " aserial: %s", buf); + argtypes[0] = PA_INT; } + return 1; +} + +/** + * register printf() handlers + */ +static void __attribute__ ((constructor))print_register() +{ + register_printf_function(CRL_PRINTF_SPEC, print, print_arginfo); } /* @@ -494,11 +541,7 @@ crl_t *crl_create_from_chunk(chunk_t chunk) this->public.is_newer = (bool (*) (const crl_t*,const crl_t*))is_newer; this->public.verify = (bool (*) (const crl_t*,const rsa_public_key_t*))verify; this->public.get_status = (void (*) (const crl_t*,certinfo_t*))get_status; - this->public.log_crl = (void (*) (const crl_t*,logger_t*,bool,bool))log_crl; this->public.destroy = (void (*) (crl_t*))destroy; - - /* we do not use a per-instance logger right now, since its not always accessible */ - logger = logger_manager->get_logger(logger_manager, ASN1); if (!parse_x509crl(chunk, 0, this)) { diff --git a/src/libstrongswan/crypto/crl.h b/src/libstrongswan/crypto/crl.h index e4739fc29..ee9292818 100755 --- a/src/libstrongswan/crypto/crl.h +++ b/src/libstrongswan/crypto/crl.h 
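Review bot: `written += fprintf(stream, " next %#T ");` passes no arguments for the `%#T` conversion, so the hook reads a time_t and a bool from variadic slots that were never set (undefined behaviour, and potentially a crash while merely printing a CRL); it should read `written += fprintf(stream, " next %#T ", this->nextUpdate, utc);` like the `installed` and `updates` lines above it. Separately, `print_arginfo` declares `args[0]` as `PA_INT` while `print` dereferences it as a `private_crl_t *`; if the printf machinery fetches the argument by the declared type, an int-sized fetch truncates the pointer on LP64 targets, so `PA_POINTER` looks like the intended type — confirm against the other printf hooks in the tree. The `print_arginfo` added in x509.c's large hunk carries the same declaration.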
@@ -29,7 +29,13 @@ #include <crypto/certinfo.h> #include <utils/identification.h> #include <utils/iterator.h> -#include <utils/logger.h> + +/** + * printf specifier for printing crls. When using the + * #-modifier, an additional bool argument defines if times + * are printed in UTC. + */ +#define CRL_PRINTF_SPEC 'U' typedef struct crl_t crl_t; @@ -115,16 +121,6 @@ struct crl_t { * @param this crl to destroy */ void (*destroy) (crl_t *this); - - /** - * @brief Log x509 crl info. - * - * @param this crl to log - * @param logger logger to be used - * @param utc log dates either in UTC or local time - * @param strict expiry of nextUpdate is fatal with strict == TRUE - */ - void (*log_crl) (const crl_t *this, logger_t *logger, bool utc, bool strict); }; /** diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c index 145138d49..7f62741a7 100644 --- a/src/libstrongswan/crypto/crypters/crypter.c +++ b/src/libstrongswan/crypto/crypters/crypter.c 
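Review bot: `CRL_PRINTF_SPEC 'U'` is registered process-wide from a constructor, and a later `register_printf_function` call for the same character replaces the earlier hook without any diagnostic, so a clash with another library or another hook in this tree would silently reroute every `%U`. The comment should state the constraint, e.g. `* The character must be unique among all printf hooks registered in the process.`; the same applies to `X509_PRINTF_SPEC 'Q'` in the x509.h hunk.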
@@ -28,27 +28,25 @@ #include <crypto/crypters/des_crypter.h> -/** - * String mappings for encryption_algorithm_t. - */ -mapping_t encryption_algorithm_m[] = { - {ENCR_UNDEFINED, "UNDEFINED"}, - {ENCR_DES_IV64, "DES_IV64"}, - {ENCR_DES, "DES"}, - {ENCR_3DES, "3DES"}, - {ENCR_RC5, "RC5"}, - {ENCR_IDEA, "IDEA"}, - {ENCR_CAST, "CAST"}, - {ENCR_BLOWFISH, "BLOWFISH"}, - {ENCR_3IDEA, "3IDEA"}, - {ENCR_DES_IV32, "DES_IV32"}, - {ENCR_NULL, "NULL"}, - {ENCR_AES_CBC, "AES_CBC"}, - {ENCR_AES_CTR, "AES_CTR"}, - {MAPPING_END, NULL} -}; +ENUM_BEGIN(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_UNDEFINED, + "UNDEFINED"); +ENUM_NEXT(encryption_algorithm_names, ENCR_DES_IV64, ENCR_DES_IV32, ENCR_UNDEFINED, + "DES_IV64", + "DES", + "3DES", + "RC5", + "IDEA", + "CAST", + "BLOWFISH", + "3IDEA", + "DES_IV32"); +ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CTR, ENCR_DES_IV32, + "NULL", + "AES_CBC", + "AES_CTR"); +ENUM_END(encryption_algorithm_names, ENCR_AES_CTR); -/* +/* * Described in header. */ crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t key_size) diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h index ea14157f9..cb7f9b139 100644 --- a/src/libstrongswan/crypto/crypters/crypter.h +++ b/src/libstrongswan/crypto/crypters/crypter.h @@ -57,10 +57,10 @@ enum encryption_algorithm_t { ENCR_AES_CTR = 13 }; -/** - * String mappings for encryption_algorithm_t. +/** + * enum name for encryption_algorithm_t. */ -extern mapping_t encryption_algorithm_m[]; +extern enum_name_t *encryption_algorithm_names; typedef struct crypter_t crypter_t; diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c index fdb508ee9..e4062066c 100644 --- a/src/libstrongswan/crypto/diffie_hellman.c +++ b/src/libstrongswan/crypto/diffie_hellman.c 
@@ -23,29 +23,26 @@ * for more details. */ -#include <gmp.h> -#include <stdio.h> +#include <gmp.h> +#include <stdio.h> #include "diffie_hellman.h" #include <utils/randomizer.h> - -/** - * String mappings for diffie_hellman_group_t. - */ -mapping_t diffie_hellman_group_m[] = { - {MODP_NONE, "MODP_NONE"}, - {MODP_768_BIT, "MODP_768_BIT"}, - {MODP_1024_BIT, "MODP_1024_BIT"}, - {MODP_1536_BIT, "MODP_1536_BIT"}, - {MODP_2048_BIT, "MODP_2048_BIT"}, - {MODP_3072_BIT, "MODP_3072_BIT"}, - {MODP_4096_BIT, "MODP_4096_BIT"}, - {MODP_6144_BIT, "MODP_6144_BIT"}, - {MODP_8192_BIT, "MODP_8192_BIT"}, - {MAPPING_END, NULL} -}; +ENUM_BEGIN(diffie_hellman_group_names, MODP_NONE, MODP_1024_BIT, + "MODP_NONE", + "MODP_768_BIT", + "MODP_1024_BIT"); +ENUM_NEXT(diffie_hellman_group_names, MODP_1536_BIT, MODP_1536_BIT, MODP_1024_BIT, + "MODP_1536_BIT"); +ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, MODP_8192_BIT, MODP_1536_BIT, + "MODP_2048_BIT", + "MODP_3072_BIT", + "MODP_4096_BIT", + "MODP_6144_BIT", + "MODP_8192_BIT"); +ENUM_END(diffie_hellman_group_names, MODP_8192_BIT); /** diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h index 8edf9e40a..4659c7fee 100644 --- a/src/libstrongswan/crypto/diffie_hellman.h +++ b/src/libstrongswan/crypto/diffie_hellman.h @@ -50,10 +50,10 @@ enum diffie_hellman_group_t { MODP_8192_BIT = 18 }; -/** - * String mappings for diffie_hellman_group_t. +/** + * enum name for diffie_hellman_group_t. */ -extern mapping_t diffie_hellman_group_m[]; +extern enum_name_t *diffie_hellman_group_names; typedef struct diffie_hellman_t diffie_hellman_t; diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 444486f9f..7fa6346d6 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c 
@@ -28,18 +28,15 @@ #include <crypto/hashers/sha2_hasher.h> #include <crypto/hashers/md5_hasher.h> -/** - * String mappings for hash_algorithm_t. - */ -mapping_t hash_algorithm_m[] = { - {HASH_MD2,"HASH_MD2"}, - {HASH_MD5,"HASH_MD5"}, - {HASH_SHA1,"HASH_SHA1"}, - {HASH_SHA256,"HASH_SHA256"}, - {HASH_SHA384,"HASH_SHA384"}, - {HASH_SHA512,"HASH_SHA512"}, - {MAPPING_END, NULL} -}; + +ENUM(hash_algorithm_names, HASH_MD2, HASH_SHA512, + "HASH_MD2", + "HASH_MD5", + "HASH_SHA1", + "HASH_SHA256", + "HASH_SHA384", + "HASH_SHA512" +); /* * Described in header. diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index ccc8d3eca..ed3defb05 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -43,17 +43,17 @@ typedef enum hash_algorithm_t hash_algorithm_t; * @ingroup hashers */ enum hash_algorithm_t { - HASH_MD2, + HASH_MD2 = 0, /** Implemented in class md5_hasher_t */ - HASH_MD5, + HASH_MD5 = 1, /** Implemented in class sha1_hasher_t */ - HASH_SHA1, + HASH_SHA1 = 2, /** Implemented in class sha2_hasher_t */ - HASH_SHA256, + HASH_SHA256 = 3, /** Implemented in class sha2_hasher_t */ - HASH_SHA384, + HASH_SHA384 = 4, /** Implemented in class sha2_hasher_t */ - HASH_SHA512, + HASH_SHA512 = 5, }; #define HASH_SIZE_MD2 16 @@ -65,9 +65,9 @@ enum hash_algorithm_t { #define HASH_SIZE_MAX 64 /** - * String mappings for hash_algorithm_t. + * enum names for hash_algorithm_t. */ -extern mapping_t hash_algorithm_m[]; +extern enum_name_t *hash_algorithm_names; typedef struct hasher_t hasher_t; diff --git a/src/libstrongswan/crypto/prfs/prf.c b/src/libstrongswan/crypto/prfs/prf.c index 31b220a84..aa5d1d2b7 100644 --- a/src/libstrongswan/crypto/prfs/prf.c +++ b/src/libstrongswan/crypto/prfs/prf.c 
@@ -27,18 +27,14 @@ #include <crypto/hashers/hasher.h> #include <crypto/prfs/hmac_prf.h> - -/** - * String mappings for encryption_algorithm_t. - */ -mapping_t pseudo_random_function_m[] = { - {PRF_UNDEFINED, "PRF_UNDEFINED"}, - {PRF_HMAC_MD5, "PRF_HMAC_MD5"}, - {PRF_HMAC_SHA1, "PRF_HMAC_SHA1"}, - {PRF_HMAC_TIGER, "PRF_HMAC_TIGER"}, - {PRF_AES128_CBC, "PRF_AES128_CBC"}, - {MAPPING_END, NULL} -}; +ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_UNDEFINED, + "PRF_UNDEFINED"); +ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CBC, PRF_UNDEFINED, + "PRF_HMAC_MD5", + "PRF_HMAC_SHA1", + "PRF_HMAC_TIGER", + "PRF_AES128_CBC"); +ENUM_END(pseudo_random_function_names, PRF_AES128_CBC); /* * Described in header. diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h index 2d30cc22e..0a0e0fa5c 100644 --- a/src/libstrongswan/crypto/prfs/prf.h +++ b/src/libstrongswan/crypto/prfs/prf.h @@ -47,10 +47,10 @@ enum pseudo_random_function_t { PRF_AES128_CBC = 4, }; -/** - * String mappings for encryption_algorithm_t. +/** + * enum name for encryption_algorithm_t. */ -extern mapping_t pseudo_random_function_m[]; +extern enum_name_t *pseudo_random_function_names; typedef struct prf_t prf_t; diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c index 67fbbd69a..d6037c545 100644 --- a/src/libstrongswan/crypto/signers/signer.c +++ b/src/libstrongswan/crypto/signers/signer.c 
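Review bot: The rewritten comment in the prf.h hunk still reads `enum name for encryption_algorithm_t.` although the declaration beneath it is `pseudo_random_function_names`, which names `pseudo_random_function_t`; the comment removed from prf.c carried the same copy-paste slip, so this is the moment to correct it. Suggested text: `* enum names for pseudo_random_function_t.`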
@@ -25,19 +25,15 @@ #include <crypto/signers/hmac_signer.h> -/** - * String mappings for integrity_algorithm_t. - */ -mapping_t integrity_algorithm_m[] = { - {AUTH_UNDEFINED, "UNDEFINED"}, - {AUTH_HMAC_MD5_96, "HMAC_MD5_96"}, - {AUTH_HMAC_SHA1_96, "HMAC_SHA1_96"}, - {AUTH_DES_MAC, "DES_MAC"}, - {AUTH_KPDK_MD5, "KPDK_MD5"}, - {AUTH_AES_XCBC_96, "AES_XCBC_96"}, - {MAPPING_END, NULL} -}; - +ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_UNDEFINED, + "UNDEFINED"); +ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_AES_XCBC_96, AUTH_UNDEFINED, + "HMAC_MD5_96", + "HMAC_SHA1_96", + "DES_MAC", + "KPDK_MD5", + "AES_XCBC_96"); +ENUM_END(integrity_algorithm_names, AUTH_AES_XCBC_96); /* * Described in header. diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h index 585183998..b7c7af55d 100644 --- a/src/libstrongswan/crypto/signers/signer.h +++ b/src/libstrongswan/crypto/signers/signer.h @@ -49,10 +49,10 @@ enum integrity_algorithm_t { AUTH_AES_XCBC_96 = 5 }; -/** - * String mappings for integrity_algorithm_t. +/** + * enum names for integrity_algorithm_t. */ -extern mapping_t integrity_algorithm_m[]; +extern enum_name_t *integrity_algorithm_names; typedef struct signer_t signer_t; diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c index dd82a493c..4c5e014c8 100755 --- a/src/libstrongswan/crypto/x509.c +++ b/src/libstrongswan/crypto/x509.c @@ -24,22 +24,21 @@ #include <sys/stat.h> #include <unistd.h> #include <string.h> +#include <printf.h> #include "x509.h" #include <types.h> +#include <library.h> #include <definitions.h> #include <asn1/oid.h> #include <asn1/asn1.h> #include <asn1/pem.h> -#include <utils/logger_manager.h> #include <utils/linked_list.h> #include <utils/identification.h> #define CERT_WARNING_INTERVAL 30 /* days */ -static logger_t *logger; - /** * Different kinds of generalNames */ 
@@ -422,7 +421,7 @@ static bool parse_basicConstraints(chunk_t blob, int level0) if (objectID == BASIC_CONSTRAINTS_CA) { isCA = object.len && *object.ptr; - logger->log(logger, CONTROL|LEVEL2, " %s", isCA ? "TRUE" : "FALSE"); + DBG2(" %s", isCA ? "TRUE" : "FALSE"); } objectID++; } @@ -519,7 +518,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0) if (id_type != ID_ANY) { identification_t *gn = identification_create_from_encoding(id_type, object); - logger->log(logger, CONTROL|LEVEL2, " '%D'", gn); + DBG2(" '%D'", gn); return gn; } objectID++; @@ -670,7 +669,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessL { if (asn1_length(&object) == ASN1_INVALID_LENGTH) return; - logger->log(logger, CONTROL|LEVEL2, " '%.*s'",(int)object.len, object.ptr); + DBG2(" '%.*s'",(int)object.len, object.ptr); /* only HTTP(S) URIs accepted */ if (strncasecmp(object.ptr, "http", 4) == 0) { @@ -678,7 +677,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessL return; } } - logger->log(logger, ERROR|LEVEL2, "ignoring OCSP InfoAccessLocation with unkown protocol"); + DBG2("ignoring OCSP InfoAccessLocation with unkown protocol"); break; default: /* unkown accessMethod, ignoring */ @@ -779,7 +778,7 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert) break; case X509_OBJ_VERSION: cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1; - logger->log(logger, CONTROL|LEVEL2, " v%d", cert->version); + DBG2(" v%d", cert->version); break; case X509_OBJ_SERIAL_NUMBER: cert->serialNumber = object; @@ -789,7 +788,7 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert) break; case X509_OBJ_ISSUER: cert->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - logger->log(logger, CONTROL|LEVEL1, " '%D'", cert->issuer); + DBG2(" '%D'", cert->issuer); break; case X509_OBJ_NOT_BEFORE: cert->notBefore = parse_time(object, level); 
@@ -799,12 +798,12 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert) break; case X509_OBJ_SUBJECT: cert->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object); - logger->log(logger, CONTROL|LEVEL1, " '%D'", cert->subject); + DBG2(" '%D'", cert->subject); break; case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM: if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION) { - logger->log(logger, ERROR|LEVEL1, " unsupported public key algorithm"); + DBG2(" unsupported public key algorithm"); return FALSE; } break; @@ -816,7 +815,7 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert) } else { - logger->log(logger, ERROR|LEVEL1, " invalid RSA public key format"); + DBG2(" invalid RSA public key format"); return FALSE; } break; @@ -828,7 +827,7 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert) break; case X509_OBJ_CRITICAL: critical = object.len && *object.ptr; - logger->log(logger, ERROR|LEVEL2, " %s", critical ? "TRUE" : "FALSE"); + DBG2(" %s", critical ? "TRUE" : "FALSE"); break; case X509_OBJ_EXTN_VALUE: { 
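Review bot: ` unsupported public key algorithm` and ` invalid RSA public key format` were logged at `ERROR|LEVEL1` and both are immediately followed by `return FALSE`, i.e. the certificate is rejected; converting them to `DBG2` puts a parse rejection at the same verbosity as the per-field trace output, so at a default log level a refused certificate leaves no trace. Logging them at the family's error level instead, e.g. `DBG1(" unsupported public key algorithm");` here and `DBG1(" invalid RSA public key format");` in the next hunk, keeps the rejection visible. The TRUE/FALSE line in the third hunk was `ERROR|LEVEL2` but is pure trace and is fine at `DBG2`.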
@@ -886,27 +885,26 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert) */ static err_t is_valid(const private_x509_t *this, time_t *until) { - char buf[TIMETOA_BUF]; - time_t current_time = time(NULL); - timetoa(buf, BUF_LEN, &this->notBefore, TRUE); - logger->log(logger, CONTROL|LEVEL1, " not before : %s", buf); - timetoa(buf, BUF_LEN, ¤t_time, TRUE); - logger->log(logger, CONTROL|LEVEL1, " current time: %s", buf); - timetoa(buf, BUF_LEN, &this->notAfter, TRUE); - logger->log(logger, CONTROL|LEVEL1, " not after : %s", buf); - - if (until != NULL - && (*until == UNDEFINED_TIME || this->notAfter < *until)) + DBG2(" not before : %T", this->notBefore); + DBG2(" current time: %T", current_time); + DBG2(" not after : %T", this->notAfter); + + if (until != NULL && + (*until == UNDEFINED_TIME || this->notAfter < *until)) { *until = this->notAfter; } if (current_time < this->notBefore) + { return "is not valid yet"; + } if (current_time > this->notAfter) + { return "has expired"; - logger->log(logger, CONTROL|LEVEL1, " certificate is valid", buf); + } + DBG2(" certificate is valid"); return NULL; } 
@@ -1049,153 +1047,165 @@ static bool verify(const private_x509_t *this, const rsa_public_key_t *signer) } /** - * destroy + * output handler in printf() */ -static void destroy(private_x509_t *this) +static int print(FILE *stream, const struct printf_info *info, + const void *const *args) { - identification_t *id; - while (this->subjectAltNames->remove_last(this->subjectAltNames, (void**)&id) == SUCCESS) + private_x509_t *this = *((private_x509_t**)(args[0])); + iterator_t *iterator; + identification_t *san; + chunk_t chunk; + bool utc = TRUE; + int written = 0; + + if (info->alt) { - id->destroy(id); + utc = *((bool*)(args[1])); } - this->subjectAltNames->destroy(this->subjectAltNames); - - while (this->crlDistributionPoints->remove_last(this->crlDistributionPoints, (void**)&id) == SUCCESS) + + if (this == NULL) { - id->destroy(id); + return fprintf(stream, "(null)"); } - this->crlDistributionPoints->destroy(this->crlDistributionPoints); - - if (this->issuer) - this->issuer->destroy(this->issuer); - - if (this->subject) - this->subject->destroy(this->subject); - - if (this->public_key) - this->public_key->destroy(this->public_key); - - free(this->certificate.ptr); - free(this); -} - -/** - * checks if the expiration date has been reached and warns during the - * warning_interval of the imminent expiration. - * strict=TRUE declares a fatal error, strict=FALSE issues a warning upon expiry. 
- */ -char* check_expiry(time_t expiration_date, int warning_interval, bool strict) -{ - int time_left; + + /* determine the current time */ + time_t now = time(NULL); - if (expiration_date == UNDEFINED_TIME) + written += fprintf(stream, " subject: %D\n", this->subject); + if (this->subjectAltNames->get_count(this->subjectAltNames) > 0) { - return "ok (expires never)"; + written += fprintf(stream, " altNames: "); + iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE); + while (iterator->iterate(iterator, (void**)&san)) + { + written += fprintf(stream, "%D, ", san); + } + iterator->destroy(iterator); + written += fprintf(stream, "\n"); + } + written += fprintf(stream, " issuer: '%D'\n", this->issuer); + written += fprintf(stream, " serial: '%#B'\n", &this->serialNumber); + written += fprintf(stream, " installed: %#T\n", this->installed, utc); + + written += fprintf(stream, " validity: not before %#T, ", + this->notBefore, utc); + if (now < this->notBefore) + { + written += fprintf(stream, "not valid yet (valid in %V)\n", + now, this->notBefore); } - time_left = (expiration_date - time(NULL)); - if (time_left < 0) + else { - return strict? 
"fatal (expired)" : "warning (expired)"; + written += fprintf(stream, "ok\n"); } + written += fprintf(stream, " not after %#T, ", + this->notAfter, utc); + if (now > this->notAfter) { - static char buf[35]; - const char* unit = "second"; - - if (time_left > 86400*warning_interval) - return "ok"; - - if (time_left > 172800) - { - time_left /= 86400; - unit = "day"; - } - else if (time_left > 7200) - { - time_left /= 3600; - unit = "hour"; - } - else if (time_left > 120) + written += fprintf(stream, "expired (since %V)\n", now, this->notAfter); + } + else + { + written += fprintf(stream, "ok"); + if (now > this->notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) { - time_left /= 60; - unit = "minute"; + written += fprintf(stream, " (expires in %V)", now, this->notAfter); } - snprintf(buf, sizeof(buf), "warning (expires in %d %s%s)", time_left, unit, (time_left == 1)?"":"s"); - - /* TODO: This is not thread save and may result in corrupted strings. Rewrite this! */ - return buf; + written += fprintf(stream, " \n"); } -} - -/** - * log certificate - */ -static void log_certificate(const private_x509_t *this, logger_t *logger, bool utc, bool has_key) -{ - identification_t *subject = this->subject; - identification_t *issuer = this->issuer; - rsa_public_key_t *pubkey = this->public_key; - - char buf[BUF_LEN]; - char time_buf[TIMETOA_BUF]; - - /* determine the current time */ - time_t now = time(NULL); - - timetoa(time_buf, TIMETOA_BUF, &this->installed, utc); - logger->log(logger, CONTROL, "%s", time_buf); - logger->log(logger, CONTROL, " subject: '%D'", subject); - logger->log(logger, CONTROL, " issuer: '%D'", issuer); - chunk_to_hex(buf, BUF_LEN, this->serialNumber); - logger->log(logger, CONTROL, " serial: %s", buf); + chunk = this->public_key->get_keyid(this->public_key); + written += fprintf(stream, " keyid: %#B\n", &chunk); + if (this->subjectKeyID.ptr) + { + written += fprintf(stream, " subjkey: %#B\n", &this->subjectKeyID); + } + if (this->authKeyID.ptr) + { + 
written += fprintf(stream, " authkey: %#B\n", &this->authKeyID); + } + if (this->authKeySerialNumber.ptr) + { + written += fprintf(stream, " aserial: %#B\n", &this->authKeySerialNumber); + } - timetoa(time_buf, TIMETOA_BUF, &this->notBefore, utc); - logger->log(logger, CONTROL, " validity: not before %s %s", time_buf, - (this->notBefore < now)? "ok":"fatal (not valid yet)"); + written += fprintf(stream, " pubkey: RSA %d bits", BITS_PER_BYTE * + this->public_key->get_keysize(this->public_key)); + written += fprintf(stream, ", status %N", + cert_status_names, this->status); - timetoa(time_buf, TIMETOA_BUF, &this->notAfter, utc); - logger->log(logger, CONTROL, " not after %s %s", time_buf, - check_expiry(this->notAfter, CERT_WARNING_INTERVAL, TRUE)); - - timetoa(time_buf, TIMETOA_BUF, &this->until, utc); switch (this->status) { case CERT_GOOD: - snprintf(buf, BUF_LEN, " until %s", time_buf); + written += fprintf(stream, " until %#T", this->until, utc); break; case CERT_REVOKED: - snprintf(buf, BUF_LEN, " on %s", time_buf); + written += fprintf(stream, " on %#T", this->until, utc); break; case CERT_UNKNOWN: case CERT_UNDEFINED: case CERT_UNTRUSTED: default: - *buf = '\0'; + break; } - logger->log(logger, CONTROL, " pubkey: RSA %d bits%s, status %s%s", - BITS_PER_BYTE * pubkey->get_keysize(pubkey), - has_key? 
", has private key":"", - enum_name(&cert_status_names, this->status), buf); - - chunk_to_hex(buf, BUF_LEN, pubkey->get_keyid(pubkey)); - logger->log(logger, CONTROL, " keyid: %s", buf); + return written; +} - if (this->subjectKeyID.ptr != NULL) +/** + * arginfo handler in printf() + */ +static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes) +{ + if (info->alt) + { + if (n > 1) + { + argtypes[0] = PA_INT; + argtypes[1] = PA_INT; + } + return 2; + } + + if (n > 0) { - chunk_to_hex(buf, BUF_LEN, this->subjectKeyID); - logger->log(logger, CONTROL, " subjkey: %s", buf); + argtypes[0] = PA_INT; } - if (this->authKeyID.ptr != NULL) + return 1; +} + +/** + * register printf() handlers + */ +static void __attribute__ ((constructor))print_register() +{ + register_printf_function(X509_PRINTF_SPEC, print, print_arginfo); +} + +/** + * Implements x509_t.destroy + */ +static void destroy(private_x509_t *this) +{ + identification_t *id; + while (this->subjectAltNames->remove_last(this->subjectAltNames, (void**)&id) == SUCCESS) { - chunk_to_hex(buf, BUF_LEN, this->authKeyID); - logger->log(logger, CONTROL, " authkey: %s", buf); + id->destroy(id); } - if (this->authKeySerialNumber.ptr != NULL) + this->subjectAltNames->destroy(this->subjectAltNames); + + while (this->crlDistributionPoints->remove_last(this->crlDistributionPoints, (void**)&id) == SUCCESS) { - chunk_to_hex(buf, BUF_LEN, this->authKeySerialNumber); - logger->log(logger, CONTROL, " aserial: %s", buf); + id->destroy(id); } + this->crlDistributionPoints->destroy(this->crlDistributionPoints); + + DESTROY_IF(this->issuer); + DESTROY_IF(this->subject); + DESTROY_IF(this->public_key); + free(this->certificate.ptr); + free(this); } /* 
@@ -1235,10 +1245,6 @@ x509_t *x509_create_from_chunk(chunk_t chunk) this->public.get_status = (cert_status_t (*) (const x509_t*))get_status; this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify; this->public.destroy = (void (*) (x509_t*))destroy; - this->public.log_certificate = (void (*) (const x509_t*,logger_t*,bool,bool))log_certificate; - - /* we do not use a per-instance logger right now, since its not always accessible */ - logger = logger_manager->get_logger(logger_manager, ASN1); if (!parse_x509cert(chunk, 0, this)) { diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h index 866659e3b..6c533215b 100755 --- a/src/libstrongswan/crypto/x509.h +++ b/src/libstrongswan/crypto/x509.h @@ -29,8 +29,13 @@ #include <crypto/certinfo.h> #include <utils/identification.h> #include <utils/iterator.h> -#include <utils/logger.h> +/** + * printf specifier for printing certificates. When using the + * #-modifier, an additional bool argument defines if times + * are printed in UTC. + */ +#define X509_PRINTF_SPEC 'Q' typedef struct x509_t x509_t; @@ -203,16 +208,6 @@ struct x509_t { * @param this certificate to destroy */ void (*destroy) (x509_t *this); - - /** - * @brief Log x509 certificate info. - * - * @param this certificate to log - * @param logger logger to be used - * @param utc log dates either in UTC or local time - * @param has_key a matching private key is available - */ - void (*log_certificate) (const x509_t *this, logger_t *logger, bool utc, bool has_key); }; /** |