aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rwxr-xr-xsrc/libstrongswan/asn1/pem.c73
-rwxr-xr-xsrc/libstrongswan/asn1/pem.h4
-rwxr-xr-xsrc/libstrongswan/crypto/crl.c2
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_private_key.c2
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_private_key.h4
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_public_key.c2
-rwxr-xr-xsrc/libstrongswan/crypto/x509.c2
7 files changed, 61 insertions, 28 deletions
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
index 3a41c5ae4..6de340aaf 100755
--- a/src/libstrongswan/asn1/pem.c
+++ b/src/libstrongswan/asn1/pem.c
@@ -89,38 +89,47 @@ static bool find_boundary(const char* tag, chunk_t *line)
/*
* decrypts a DES-EDE-CBC encrypted data block
*/
-static err_t pem_decrypt(chunk_t *blob, chunk_t *iv, char *passphrase)
+static err_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
+ chunk_t *iv, chunk_t *passphrase)
{
hasher_t *hasher;
crypter_t *crypter;
chunk_t hash;
chunk_t decrypted;
- chunk_t pass = {(char*)passphrase, strlen(passphrase)};
- chunk_t key = {alloca(24), 24};
+ chunk_t key = {alloca(key_size), key_size};
u_int8_t padding, *last_padding_pos, *first_padding_pos;
+ if (passphrase == NULL || passphrase->len == 0)
+ return "missing passphrase";
+
/* build key from passphrase and IV */
hasher = hasher_create(HASH_MD5);
hash.len = hasher->get_hash_size(hasher);
hash.ptr = alloca(hash.len);
- hasher->get_hash(hasher, pass, NULL);
+ hasher->get_hash(hasher, *passphrase, NULL);
hasher->get_hash(hasher, *iv, hash.ptr);
-
memcpy(key.ptr, hash.ptr, hash.len);
-
- hasher->get_hash(hasher, hash, NULL);
- hasher->get_hash(hasher, pass, NULL);
- hasher->get_hash(hasher, *iv, hash.ptr);
-
- memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
-
+
+ printf("hash.len: %d, key.len: %d, iv.len: %d\n", hash.len, key.len, iv->len);
+ if (key.len > hash.len)
+ {
+ hasher->get_hash(hasher, hash, NULL);
+ hasher->get_hash(hasher, *passphrase, NULL);
+ hasher->get_hash(hasher, *iv, hash.ptr);
+ memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
+ }
hasher->destroy(hasher);
/* decrypt blob */
- crypter = crypter_create(ENCR_3DES, 0);
+ crypter = crypter_create(alg, key_size);
crypter->set_key(crypter, key);
- crypter->decrypt(crypter, *blob, *iv, &decrypted);
+ logger->log_chunk(logger, CONTROL, " cipher text:", *blob);
+ if (crypter->decrypt(crypter, *blob, *iv, &decrypted) != SUCCESS)
+ {
+ return "data size is not multiple of block size";
+ }
memcpy(blob->ptr, decrypted.ptr, blob->len);
+ logger->log_chunk(logger, CONTROL, " plain text:", *blob);
chunk_free(&decrypted);
/* determine amount of padding */
@@ -144,7 +153,7 @@ static err_t pem_decrypt(chunk_t *blob, chunk_t *iv, char *passphrase)
* RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
* RFC 934 Message Encapsulation, January 1985
*/
-err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
+err_t pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
{
typedef enum {
PEM_PRE = 0,
@@ -155,6 +164,9 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
PEM_ABORT = 5
} state_t;
+ encryption_algorithm_t alg = ENCR_UNDEFINED;
+ size_t key_size;
+
bool encrypted = FALSE;
state_t state = PEM_PRE;
@@ -198,6 +210,7 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
}
if (state == PEM_HEADER)
{
+ err_t ugh = NULL;
chunk_t name = CHUNK_INITIALIZER;
chunk_t value = CHUNK_INITIALIZER;
@@ -210,14 +223,14 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
/* we are looking for a parameter: value pair */
logger->log(logger, CONTROL|LEVEL2, " %.*s", (int)line.len, line.ptr);
- if (!extract_parameter_value(&name, &value, &line))
+ ugh = extract_parameter_value(&name, &value, &line);
+ if (ugh != NULL)
continue;
if (match("Proc-Type", &name) && *value.ptr == '4')
encrypted = TRUE;
else if (match("DEK-Info", &name))
{
- const char *ugh = NULL;
size_t len = 0;
chunk_t dek;
@@ -225,8 +238,25 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
dek = value;
/* we support DES-EDE3-CBC encrypted files, only */
- if (!match("DES-EDE3-CBC", &dek))
+ if (match("DES-EDE3-CBC", &dek))
+ {
+ alg = ENCR_3DES;
+ key_size = 24;
+ }
+ else if (match("AES-128-CBC", &dek))
+ {
+ alg = ENCR_AES_CBC;
+ key_size = 16;
+ }
+ else if (match("AES-256-CBC", &dek))
+ {
+ alg = ENCR_AES_CBC;
+ key_size = 32;
+ }
+ else
+ {
return "encryption algorithm not supported";
+ }
eat_whitespace(&value);
ugh = ttodata(value.ptr, value.len, 16, iv.ptr, 16, &len);
@@ -279,13 +309,13 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
if (state != PEM_POST)
return "file coded in unknown format, discarded";
- return (encrypted)? pem_decrypt(blob, &iv, passphrase) : NULL;
+ return (encrypted)? pem_decrypt(blob, alg, key_size, &iv, passphrase) : NULL;
}
/* load a coded key or certificate file with autodetection
* of binary DER or base64 PEM ASN.1 formats and armored PGP format
*/
-bool pem_asn1_load_file(const char *filename, char *passphrase,
+bool pem_asn1_load_file(const char *filename, chunk_t *passphrase,
const char *type, chunk_t *blob, bool *pgp)
{
err_t ugh = NULL;
@@ -314,6 +344,9 @@ bool pem_asn1_load_file(const char *filename, char *passphrase,
return TRUE;
}
+ if (passphrase != NULL)
+ logger->log_bytes(logger, PRIVATE, " passphrase:", passphrase->ptr, passphrase->len);
+
/* try PEM format */
ugh = pem_to_bin(blob, passphrase, pgp);
diff --git a/src/libstrongswan/asn1/pem.h b/src/libstrongswan/asn1/pem.h
index 9edb3dc20..2c0b45748 100755
--- a/src/libstrongswan/asn1/pem.h
+++ b/src/libstrongswan/asn1/pem.h
@@ -19,9 +19,9 @@
#include <types.h>
-err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp);
+err_t pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp);
-bool pem_asn1_load_file(const char *filename, char *passphrase,
+bool pem_asn1_load_file(const char *filename, chunk_t *passphrase,
const char *type, chunk_t *blob, bool *pgp);
#endif /*PEM_H_*/
diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c
index 43f616fb0..513dfc885 100755
--- a/src/libstrongswan/crypto/crl.c
+++ b/src/libstrongswan/crypto/crl.c
@@ -518,7 +518,7 @@ crl_t *crl_create_from_file(const char *filename)
chunk_t chunk = CHUNK_INITIALIZER;
crl_t *crl = NULL;
- if (!pem_asn1_load_file(filename, "", "crl", &chunk, &pgp))
+ if (!pem_asn1_load_file(filename, NULL, "crl", &chunk, &pgp))
return NULL;
crl = crl_create_from_chunk(chunk);
diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.c b/src/libstrongswan/crypto/rsa/rsa_private_key.c
index 13e593bf2..244c78c46 100644
--- a/src/libstrongswan/crypto/rsa/rsa_private_key.c
+++ b/src/libstrongswan/crypto/rsa/rsa_private_key.c
@@ -759,7 +759,7 @@ rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t blob)
/*
* see header
*/
-rsa_private_key_t *rsa_private_key_create_from_file(char *filename, char *passphrase)
+rsa_private_key_t *rsa_private_key_create_from_file(char *filename, chunk_t *passphrase)
{
bool pgp = FALSE;
chunk_t chunk = CHUNK_INITIALIZER;
diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.h b/src/libstrongswan/crypto/rsa/rsa_private_key.h
index b2fff8c1d..da5cb4359 100644
--- a/src/libstrongswan/crypto/rsa/rsa_private_key.h
+++ b/src/libstrongswan/crypto/rsa/rsa_private_key.h
@@ -173,7 +173,7 @@ rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t chunk);
* passphrase is used to decrypt an ecrypted key.
*
* @param filename filename which holds the key
- * @param passphrase optional passphase for decryption
+ * @param passphrase optional passphase for decryption, can be NULL
* @return loaded rsa_private_key_t, or NULL
*
* @todo Implement PEM file loading
@@ -181,6 +181,6 @@ rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t chunk);
*
* @ingroup rsa
*/
-rsa_private_key_t *rsa_private_key_create_from_file(char *filename, char *passphrase);
+rsa_private_key_t *rsa_private_key_create_from_file(char *filename, chunk_t *passphrase);
#endif /*RSA_PRIVATE_KEY_H_*/
diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.c b/src/libstrongswan/crypto/rsa/rsa_public_key.c
index 469f9ea4f..4aa529dfe 100644
--- a/src/libstrongswan/crypto/rsa/rsa_public_key.c
+++ b/src/libstrongswan/crypto/rsa/rsa_public_key.c
@@ -488,7 +488,7 @@ rsa_public_key_t *rsa_public_key_create_from_file(char *filename)
chunk_t chunk = CHUNK_INITIALIZER;
rsa_public_key_t *pubkey = NULL;
- if (!pem_asn1_load_file(filename, "", "public key", &chunk, &pgp))
+ if (!pem_asn1_load_file(filename, NULL, "public key", &chunk, &pgp))
return NULL;
pubkey = rsa_public_key_create_from_chunk(chunk);
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
index 60d2a6e0a..07745ba00 100755
--- a/src/libstrongswan/crypto/x509.c
+++ b/src/libstrongswan/crypto/x509.c
@@ -1268,7 +1268,7 @@ x509_t *x509_create_from_file(const char *filename, const char *label)
chunk_t chunk = CHUNK_INITIALIZER;
x509_t *cert = NULL;
- if (!pem_asn1_load_file(filename, "", label, &chunk, &pgp))
+ if (!pem_asn1_load_file(filename, NULL, label, &chunk, &pgp))
return NULL;
cert = x509_create_from_chunk(chunk);
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-22 13:38:31 +0000