openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_plugin.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <openssl/evp.h>
18 #include <openssl/conf.h>
19 #include <openssl/rand.h>
20 #include <openssl/crypto.h>
21 #ifndef OPENSSL_NO_ENGINE
22 #include <openssl/engine.h>
23 #endif
24
25 #include "openssl_plugin.h"
26
27 #include <library.h>
28 #include <utils/debug.h>
29 #include <threading/thread.h>
30 #include <threading/mutex.h>
31 #include "openssl_util.h"
32 #include "openssl_crypter.h"
33 #include "openssl_hasher.h"
34 #include "openssl_sha1_prf.h"
35 #include "openssl_diffie_hellman.h"
36 #include "openssl_ec_diffie_hellman.h"
37 #include "openssl_rsa_private_key.h"
38 #include "openssl_rsa_public_key.h"
39 #include "openssl_ec_private_key.h"
40 #include "openssl_ec_public_key.h"
41 #include "openssl_x509.h"
42 #include "openssl_crl.h"
43 #include "openssl_pkcs7.h"
44 #include "openssl_rng.h"
45 #include "openssl_hmac.h"
46
47 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
48
49 /**
50 * private data of openssl_plugin
51 */
52 struct private_openssl_plugin_t {
53
54 /**
55 * public functions
56 */
57 openssl_plugin_t public;
58 };
59
60 /**
61 * Array of static mutexs, with CRYPTO_num_locks() mutex
62 */
63 static mutex_t **mutex = NULL;
64
65 /**
66 * Locking callback for static locks
67 */
68 static void locking_function(int mode, int type, const char *file, int line)
69 {
70 if (mutex)
71 {
72 if (mode & CRYPTO_LOCK)
73 {
74 mutex[type]->lock(mutex[type]);
75 }
76 else
77 {
78 mutex[type]->unlock(mutex[type]);
79 }
80 }
81 }
82
83 /**
84 * Implementation of dynlock
85 */
86 struct CRYPTO_dynlock_value {
87 mutex_t *mutex;
88 };
89
90 /**
91 * Callback to create a dynamic lock
92 */
93 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
94 {
95 struct CRYPTO_dynlock_value *lock;
96
97 lock = malloc_thing(struct CRYPTO_dynlock_value);
98 lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
99 return lock;
100 }
101
102 /**
103 * Callback to (un-)lock a dynamic lock
104 */
105 static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
106 const char *file, int line)
107 {
108 if (mode & CRYPTO_LOCK)
109 {
110 lock->mutex->lock(lock->mutex);
111 }
112 else
113 {
114 lock->mutex->unlock(lock->mutex);
115 }
116 }
117
118 /**
119 * Callback to destroy a dynamic lock
120 */
121 static void destroy_function(struct CRYPTO_dynlock_value *lock,
122 const char *file, int line)
123 {
124 lock->mutex->destroy(lock->mutex);
125 free(lock);
126 }
127
128 /**
129 * Thread-ID callback function
130 */
131 static unsigned long id_function(void)
132 {
133 /* ensure the thread ID is never zero, otherwise OpenSSL might try to
134 * acquire locks recursively */
135 return 1 + (unsigned long)thread_current_id();
136 }
137
138 /**
139 * initialize OpenSSL for multi-threaded use
140 */
141 static void threading_init()
142 {
143 int i, num_locks;
144
145 CRYPTO_set_id_callback(id_function);
146 CRYPTO_set_locking_callback(locking_function);
147
148 CRYPTO_set_dynlock_create_callback(create_function);
149 CRYPTO_set_dynlock_lock_callback(lock_function);
150 CRYPTO_set_dynlock_destroy_callback(destroy_function);
151
152 num_locks = CRYPTO_num_locks();
153 mutex = malloc(sizeof(mutex_t*) * num_locks);
154 for (i = 0; i < num_locks; i++)
155 {
156 mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
157 }
158 }
159
160 /**
161 * Seed the OpenSSL RNG, if required
162 */
163 static bool seed_rng()
164 {
165 rng_t *rng = NULL;
166 char buf[32];
167
168 while (RAND_status() != 1)
169 {
170 if (!rng)
171 {
172 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
173 if (!rng)
174 {
175 return FALSE;
176 }
177 }
178 if (!rng->get_bytes(rng, sizeof(buf), buf))
179 {
180 rng->destroy(rng);
181 return FALSE;
182 }
183 RAND_seed(buf, sizeof(buf));
184 }
185 DESTROY_IF(rng);
186 return TRUE;
187 }
188
189 /**
190 * cleanup OpenSSL threading locks
191 */
192 static void threading_cleanup()
193 {
194 int i, num_locks;
195
196 num_locks = CRYPTO_num_locks();
197 for (i = 0; i < num_locks; i++)
198 {
199 mutex[i]->destroy(mutex[i]);
200 }
201 free(mutex);
202 mutex = NULL;
203 }
204
205 METHOD(plugin_t, get_name, char*,
206 private_openssl_plugin_t *this)
207 {
208 return "openssl";
209 }
210
211 METHOD(plugin_t, get_features, int,
212 private_openssl_plugin_t *this, plugin_feature_t *features[])
213 {
214 static plugin_feature_t f[] = {
215 /* crypters */
216 PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
217 #ifndef OPENSSL_NO_AES
218 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
219 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
220 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
221 #endif
222 #ifndef OPENSSL_NO_CAMELLIA
223 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
224 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
225 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
226 #endif
227 #ifndef OPENSSL_NO_RC5
228 PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
229 #endif
230 #ifndef OPENSSL_NO_CAST
231 PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
232 #endif
233 #ifndef OPENSSL_NO_BLOWFISH
234 PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
235 #endif
236 #ifndef OPENSSL_NO_IDEA
237 PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
238 #endif
239 #ifndef OPENSSL_NO_DES
240 PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
241 PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
242 PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
243 #endif
244 PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
245 /* hashers */
246 PLUGIN_REGISTER(HASHER, openssl_hasher_create),
247 #ifndef OPENSSL_NO_SHA1
248 PLUGIN_PROVIDE(HASHER, HASH_SHA1),
249 #endif
250 #ifndef OPENSSL_NO_MD2
251 PLUGIN_PROVIDE(HASHER, HASH_MD2),
252 #endif
253 #ifndef OPENSSL_NO_MD4
254 PLUGIN_PROVIDE(HASHER, HASH_MD4),
255 #endif
256 #ifndef OPENSSL_NO_MD5
257 PLUGIN_PROVIDE(HASHER, HASH_MD5),
258 #endif
259 #ifndef OPENSSL_NO_SHA256
260 PLUGIN_PROVIDE(HASHER, HASH_SHA224),
261 PLUGIN_PROVIDE(HASHER, HASH_SHA256),
262 #endif
263 #ifndef OPENSSL_NO_SHA512
264 PLUGIN_PROVIDE(HASHER, HASH_SHA384),
265 PLUGIN_PROVIDE(HASHER, HASH_SHA512),
266 #endif
267 #ifndef OPENSSL_NO_SHA1
268 /* keyed sha1 hasher (aka prf) */
269 PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
270 PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
271 #endif
272 #ifndef OPENSSL_NO_HMAC
273 PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
274 #ifndef OPENSSL_NO_MD5
275 PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
276 #endif
277 #ifndef OPENSSL_NO_SHA1
278 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
279 #endif
280 #ifndef OPENSSL_NO_SHA256
281 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
282 #endif
283 #ifndef OPENSSL_NO_SHA512
284 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
285 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
286 #endif
287 PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
288 #ifndef OPENSSL_NO_MD5
289 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
290 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
291 #endif
292 #ifndef OPENSSL_NO_SHA1
293 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
294 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
295 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
296 #endif
297 #ifndef OPENSSL_NO_SHA256
298 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
299 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
300 #endif
301 #ifndef OPENSSL_NO_SHA512
302 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
303 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
304 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
305 #endif
306 #endif /* OPENSSL_NO_HMAC */
307 #ifndef OPENSSL_NO_DH
308 /* MODP DH groups */
309 PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
310 PLUGIN_PROVIDE(DH, MODP_2048_BIT),
311 PLUGIN_PROVIDE(DH, MODP_2048_224),
312 PLUGIN_PROVIDE(DH, MODP_2048_256),
313 PLUGIN_PROVIDE(DH, MODP_1536_BIT),
314 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
315 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
316 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
317 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
318 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
319 PLUGIN_PROVIDE(DH, MODP_1024_160),
320 PLUGIN_PROVIDE(DH, MODP_768_BIT),
321 PLUGIN_PROVIDE(DH, MODP_CUSTOM),
322 #endif
323 #ifndef OPENSSL_NO_RSA
324 /* RSA private/public key loading */
325 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
326 PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
327 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE),
328 PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
329 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
330 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
331 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
332 PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
333 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
334 PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
335 /* signature/encryption schemes */
336 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
337 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
338 #ifndef OPENSSL_NO_SHA1
339 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
340 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
341 #endif
342 #ifndef OPENSSL_NO_SHA256
343 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA224),
344 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA256),
345 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA224),
346 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
347 #endif
348 #ifndef OPENSSL_NO_SHA512
349 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA384),
350 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA512),
351 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA384),
352 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA512),
353 #endif
354 #ifndef OPENSSL_NO_MD5
355 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
356 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
357 #endif
358 PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
359 PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
360 #endif /* OPENSSL_NO_RSA */
361 /* certificate/CRL loading */
362 PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
363 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
364 PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
365 PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
366 PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
367 PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
368 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
369 #if OPENSSL_VERSION_NUMBER >= 0x0090807fL
370 #ifndef OPENSSL_NO_CMS
371 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
372 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
373 #endif /* OPENSSL_NO_CMS */
374 #endif /* OPENSSL_VERSION_NUMBER */
375 #ifndef OPENSSL_NO_ECDH
376 /* EC DH groups */
377 PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
378 PLUGIN_PROVIDE(DH, ECP_256_BIT),
379 PLUGIN_PROVIDE(DH, ECP_384_BIT),
380 PLUGIN_PROVIDE(DH, ECP_521_BIT),
381 PLUGIN_PROVIDE(DH, ECP_224_BIT),
382 PLUGIN_PROVIDE(DH, ECP_192_BIT),
383 #endif
384 #ifndef OPENSSL_NO_ECDSA
385 /* EC private/public key loading */
386 PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
387 PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
388 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
389 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
390 PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
391 PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
392 /* signature encryption schemes */
393 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
394 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
395 #ifndef OPENSSL_NO_SHA1
396 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
397 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
398 #endif
399 #ifndef OPENSSL_NO_SHA256
400 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
401 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
402 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
403 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
404 #endif
405 #ifndef OPENSSL_NO_SHA512
406 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
407 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
408 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
409 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
410 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
411 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
412 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
413 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
414 #endif
415 #endif /* OPENSSL_NO_ECDSA */
416 PLUGIN_REGISTER(RNG, openssl_rng_create),
417 PLUGIN_PROVIDE(RNG, RNG_STRONG),
418 PLUGIN_PROVIDE(RNG, RNG_WEAK),
419 };
420 *features = f;
421 return countof(f);
422 }
423
424 METHOD(plugin_t, destroy, void,
425 private_openssl_plugin_t *this)
426 {
427 #ifndef OPENSSL_NO_ENGINE
428 ENGINE_cleanup();
429 #endif /* OPENSSL_NO_ENGINE */
430 EVP_cleanup();
431 CONF_modules_free();
432
433 threading_cleanup();
434
435 free(this);
436 }
437
438 /*
439 * see header file
440 */
441 plugin_t *openssl_plugin_create()
442 {
443 private_openssl_plugin_t *this;
444
445 INIT(this,
446 .public = {
447 .plugin = {
448 .get_name = _get_name,
449 .get_features = _get_features,
450 .destroy = _destroy,
451 },
452 },
453 );
454
455 threading_init();
456
457 OPENSSL_config(NULL);
458 OpenSSL_add_all_algorithms();
459
460 #ifndef OPENSSL_NO_ENGINE
461 /* activate support for hardware accelerators */
462 ENGINE_load_builtin_engines();
463 ENGINE_register_all_complete();
464 #endif /* OPENSSL_NO_ENGINE */
465
466 if (!seed_rng())
467 {
468 DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
469 destroy(this);
470 return NULL;
471 }
472
473 return &this->public.plugin;
474 }