gmp: Support of SHA-3 RSA signatures
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_plugin.c
1 /*
2 * Copyright (C) 2008-2013 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <library.h>
18 #include <utils/debug.h>
19 #include <threading/thread.h>
20 #include <threading/mutex.h>
21 #include <threading/thread_value.h>
22
23 #include <openssl/err.h>
24 #include <openssl/evp.h>
25 #include <openssl/conf.h>
26 #include <openssl/rand.h>
27 #include <openssl/crypto.h>
28 #ifndef OPENSSL_NO_ENGINE
29 #include <openssl/engine.h>
30 #endif
31
32 #include "openssl_plugin.h"
33 #include "openssl_util.h"
34 #include "openssl_crypter.h"
35 #include "openssl_hasher.h"
36 #include "openssl_sha1_prf.h"
37 #include "openssl_diffie_hellman.h"
38 #include "openssl_ec_diffie_hellman.h"
39 #include "openssl_rsa_private_key.h"
40 #include "openssl_rsa_public_key.h"
41 #include "openssl_ec_private_key.h"
42 #include "openssl_ec_public_key.h"
43 #include "openssl_x509.h"
44 #include "openssl_crl.h"
45 #include "openssl_pkcs7.h"
46 #include "openssl_pkcs12.h"
47 #include "openssl_rng.h"
48 #include "openssl_hmac.h"
49 #include "openssl_gcm.h"
50
51 #ifndef FIPS_MODE
52 #define FIPS_MODE 0
53 #endif
54
55 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
56
57 /**
58 * private data of openssl_plugin
59 */
60 struct private_openssl_plugin_t {
61
62 /**
63 * public functions
64 */
65 openssl_plugin_t public;
66 };
67
68 /**
69 * OpenSSL is thread-safe since 1.1.0
70 */
71 #if OPENSSL_VERSION_NUMBER < 0x10100000L
72
73 /**
74 * Array of static mutexs, with CRYPTO_num_locks() mutex
75 */
76 static mutex_t **mutex = NULL;
77
78 /**
79 * Locking callback for static locks
80 */
81 static void locking_function(int mode, int type, const char *file, int line)
82 {
83 if (mutex)
84 {
85 if (mode & CRYPTO_LOCK)
86 {
87 mutex[type]->lock(mutex[type]);
88 }
89 else
90 {
91 mutex[type]->unlock(mutex[type]);
92 }
93 }
94 }
95
96 /**
97 * Implementation of dynlock
98 */
99 struct CRYPTO_dynlock_value {
100 mutex_t *mutex;
101 };
102
103 /**
104 * Callback to create a dynamic lock
105 */
106 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
107 {
108 struct CRYPTO_dynlock_value *lock;
109
110 lock = malloc_thing(struct CRYPTO_dynlock_value);
111 lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
112 return lock;
113 }
114
115 /**
116 * Callback to (un-)lock a dynamic lock
117 */
118 static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
119 const char *file, int line)
120 {
121 if (mode & CRYPTO_LOCK)
122 {
123 lock->mutex->lock(lock->mutex);
124 }
125 else
126 {
127 lock->mutex->unlock(lock->mutex);
128 }
129 }
130
131 /**
132 * Callback to destroy a dynamic lock
133 */
134 static void destroy_function(struct CRYPTO_dynlock_value *lock,
135 const char *file, int line)
136 {
137 lock->mutex->destroy(lock->mutex);
138 free(lock);
139 }
140
141 /**
142 * Thread-local value used to cleanup thread-specific error buffers
143 */
144 static thread_value_t *cleanup;
145
146 /**
147 * Called when a thread is destroyed. Avoid recursion by setting the thread id
148 * explicitly.
149 */
150 static void cleanup_thread(void *arg)
151 {
152 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
153 CRYPTO_THREADID tid;
154
155 CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
156 ERR_remove_thread_state(&tid);
157 #else
158 ERR_remove_state((u_long)(uintptr_t)arg);
159 #endif
160 }
161
162 /**
163 * Thread-ID callback function
164 */
165 static u_long id_function(void)
166 {
167 u_long id;
168
169 /* ensure the thread ID is never zero, otherwise OpenSSL might try to
170 * acquire locks recursively */
171 id = 1 + (u_long)thread_current_id();
172
173 /* cleanup a thread's state later if OpenSSL interacted with it */
174 cleanup->set(cleanup, (void*)(uintptr_t)id);
175 return id;
176 }
177
178 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
179 /**
180 * Callback for thread ID
181 */
182 static void threadid_function(CRYPTO_THREADID *threadid)
183 {
184 CRYPTO_THREADID_set_numeric(threadid, id_function());
185 }
186 #endif /* OPENSSL_VERSION_NUMBER */
187
188 /**
189 * initialize OpenSSL for multi-threaded use
190 */
191 static void threading_init()
192 {
193 int i, num_locks;
194
195 cleanup = thread_value_create(cleanup_thread);
196
197 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
198 CRYPTO_THREADID_set_callback(threadid_function);
199 #else
200 CRYPTO_set_id_callback(id_function);
201 #endif
202
203 CRYPTO_set_locking_callback(locking_function);
204
205 CRYPTO_set_dynlock_create_callback(create_function);
206 CRYPTO_set_dynlock_lock_callback(lock_function);
207 CRYPTO_set_dynlock_destroy_callback(destroy_function);
208
209 num_locks = CRYPTO_num_locks();
210 mutex = malloc(sizeof(mutex_t*) * num_locks);
211 for (i = 0; i < num_locks; i++)
212 {
213 mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
214 }
215 }
216
217 /**
218 * cleanup OpenSSL threading locks
219 */
220 static void threading_cleanup()
221 {
222 int i, num_locks;
223
224 num_locks = CRYPTO_num_locks();
225 for (i = 0; i < num_locks; i++)
226 {
227 mutex[i]->destroy(mutex[i]);
228 }
229 free(mutex);
230 mutex = NULL;
231
232 cleanup->destroy(cleanup);
233 }
234
235 #else /* OPENSSL_VERSION_NUMBER */
236
237 #define threading_init()
238
239 #define threading_cleanup()
240
241 #endif
242
243 /**
244 * Seed the OpenSSL RNG, if required
245 */
246 static bool seed_rng()
247 {
248 rng_t *rng = NULL;
249 char buf[32];
250
251 while (RAND_status() != 1)
252 {
253 if (!rng)
254 {
255 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
256 if (!rng)
257 {
258 return FALSE;
259 }
260 }
261 if (!rng->get_bytes(rng, sizeof(buf), buf))
262 {
263 rng->destroy(rng);
264 return FALSE;
265 }
266 RAND_seed(buf, sizeof(buf));
267 }
268 DESTROY_IF(rng);
269 return TRUE;
270 }
271
272 METHOD(plugin_t, get_name, char*,
273 private_openssl_plugin_t *this)
274 {
275 return "openssl";
276 }
277
278 METHOD(plugin_t, get_features, int,
279 private_openssl_plugin_t *this, plugin_feature_t *features[])
280 {
281 static plugin_feature_t f[] = {
282 /* we provide OpenSSL threading callbacks */
283 PLUGIN_PROVIDE(CUSTOM, "openssl-threading"),
284 /* crypters */
285 PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
286 #ifndef OPENSSL_NO_AES
287 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
288 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
289 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
290 #endif
291 #ifndef OPENSSL_NO_CAMELLIA
292 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
293 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
294 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
295 #endif
296 #ifndef OPENSSL_NO_RC5
297 PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
298 #endif
299 #ifndef OPENSSL_NO_CAST
300 PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
301 #endif
302 #ifndef OPENSSL_NO_BLOWFISH
303 PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
304 #endif
305 #ifndef OPENSSL_NO_IDEA
306 PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
307 #endif
308 #ifndef OPENSSL_NO_DES
309 PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
310 PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
311 PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
312 #endif
313 PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
314 /* hashers */
315 PLUGIN_REGISTER(HASHER, openssl_hasher_create),
316 #ifndef OPENSSL_NO_MD2
317 PLUGIN_PROVIDE(HASHER, HASH_MD2),
318 #endif
319 #ifndef OPENSSL_NO_MD4
320 PLUGIN_PROVIDE(HASHER, HASH_MD4),
321 #endif
322 #ifndef OPENSSL_NO_MD5
323 PLUGIN_PROVIDE(HASHER, HASH_MD5),
324 #endif
325 #ifndef OPENSSL_NO_SHA1
326 PLUGIN_PROVIDE(HASHER, HASH_SHA1),
327 #endif
328 #ifndef OPENSSL_NO_SHA256
329 PLUGIN_PROVIDE(HASHER, HASH_SHA224),
330 PLUGIN_PROVIDE(HASHER, HASH_SHA256),
331 #endif
332 #ifndef OPENSSL_NO_SHA512
333 PLUGIN_PROVIDE(HASHER, HASH_SHA384),
334 PLUGIN_PROVIDE(HASHER, HASH_SHA512),
335 #endif
336 #ifndef OPENSSL_NO_SHA1
337 /* keyed sha1 hasher (aka prf) */
338 PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
339 PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
340 #endif
341 #ifndef OPENSSL_NO_HMAC
342 PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
343 #ifndef OPENSSL_NO_MD5
344 PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
345 #endif
346 #ifndef OPENSSL_NO_SHA1
347 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
348 #endif
349 #ifndef OPENSSL_NO_SHA256
350 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
351 #endif
352 #ifndef OPENSSL_NO_SHA512
353 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
354 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
355 #endif
356 PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
357 #ifndef OPENSSL_NO_MD5
358 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
359 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
360 #endif
361 #ifndef OPENSSL_NO_SHA1
362 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
363 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
364 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
365 #endif
366 #ifndef OPENSSL_NO_SHA256
367 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
368 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
369 #endif
370 #ifndef OPENSSL_NO_SHA512
371 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
372 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
373 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
374 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
375 #endif
376 #endif /* OPENSSL_NO_HMAC */
377 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
378 #ifndef OPENSSL_NO_AES
379 /* AES GCM */
380 PLUGIN_REGISTER(AEAD, openssl_gcm_create),
381 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
382 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
383 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
384 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
385 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
386 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
387 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
388 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
389 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
390 #endif /* OPENSSL_NO_AES */
391 #endif /* OPENSSL_VERSION_NUMBER */
392 #ifndef OPENSSL_NO_ECDH
393 /* EC DH groups */
394 PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
395 PLUGIN_PROVIDE(DH, ECP_256_BIT),
396 PLUGIN_PROVIDE(DH, ECP_384_BIT),
397 PLUGIN_PROVIDE(DH, ECP_521_BIT),
398 PLUGIN_PROVIDE(DH, ECP_224_BIT),
399 PLUGIN_PROVIDE(DH, ECP_192_BIT),
400 PLUGIN_PROVIDE(DH, ECP_256_BP),
401 PLUGIN_PROVIDE(DH, ECP_384_BP),
402 PLUGIN_PROVIDE(DH, ECP_512_BP),
403 PLUGIN_PROVIDE(DH, ECP_224_BP),
404 #endif
405 #ifndef OPENSSL_NO_DH
406 /* MODP DH groups */
407 PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
408 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
409 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
410 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
411 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
412 PLUGIN_PROVIDE(DH, MODP_2048_BIT),
413 PLUGIN_PROVIDE(DH, MODP_2048_224),
414 PLUGIN_PROVIDE(DH, MODP_2048_256),
415 PLUGIN_PROVIDE(DH, MODP_1536_BIT),
416 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
417 PLUGIN_PROVIDE(DH, MODP_1024_160),
418 PLUGIN_PROVIDE(DH, MODP_768_BIT),
419 PLUGIN_PROVIDE(DH, MODP_CUSTOM),
420 #endif
421 #ifndef OPENSSL_NO_RSA
422 /* RSA private/public key loading */
423 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
424 PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
425 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE),
426 PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
427 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
428 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
429 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
430 PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
431 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
432 PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
433 /* signature/encryption schemes */
434 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
435 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
436 #ifndef OPENSSL_NO_SHA1
437 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
438 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
439 #endif
440 #ifndef OPENSSL_NO_SHA256
441 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224),
442 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256),
443 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224),
444 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256),
445 #endif
446 #ifndef OPENSSL_NO_SHA512
447 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384),
448 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512),
449 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
450 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
451 #endif
452 #ifndef OPENSSL_NO_MD5
453 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
454 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
455 #endif
456 PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
457 PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
458 #endif /* OPENSSL_NO_RSA */
459 /* certificate/CRL loading */
460 PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
461 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
462 PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
463 PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
464 PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
465 PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
466 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
467 #if OPENSSL_VERSION_NUMBER >= 0x0090807fL
468 #ifndef OPENSSL_NO_CMS
469 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
470 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
471 #endif /* OPENSSL_NO_CMS */
472 #endif /* OPENSSL_VERSION_NUMBER */
473 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
474 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
475 #ifndef OPENSSL_NO_ECDSA
476 /* EC private/public key loading */
477 PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
478 PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
479 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
480 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
481 PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
482 PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
483 /* signature encryption schemes */
484 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
485 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
486 #ifndef OPENSSL_NO_SHA1
487 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
488 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
489 #endif
490 #ifndef OPENSSL_NO_SHA256
491 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
492 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
493 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
494 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
495 #endif
496 #ifndef OPENSSL_NO_SHA512
497 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
498 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
499 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
500 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
501 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
502 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
503 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
504 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
505 #endif
506 #endif /* OPENSSL_NO_ECDSA */
507 PLUGIN_REGISTER(RNG, openssl_rng_create),
508 PLUGIN_PROVIDE(RNG, RNG_STRONG),
509 PLUGIN_PROVIDE(RNG, RNG_WEAK),
510 };
511 *features = f;
512 return countof(f);
513 }
514
515 METHOD(plugin_t, destroy, void,
516 private_openssl_plugin_t *this)
517 {
518 /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
519 * can't call it as we couldn't re-initialize the library (as required by the
520 * unit tests and the Android app) */
521 #if OPENSSL_VERSION_NUMBER < 0x10100000L
522 #ifndef OPENSSL_IS_BORINGSSL
523 CONF_modules_free();
524 OBJ_cleanup();
525 #endif
526 EVP_cleanup();
527 #ifndef OPENSSL_NO_ENGINE
528 ENGINE_cleanup();
529 #endif /* OPENSSL_NO_ENGINE */
530 CRYPTO_cleanup_all_ex_data();
531 threading_cleanup();
532 ERR_free_strings();
533 #endif /* OPENSSL_VERSION_NUMBER */
534
535 free(this);
536 }
537
538 /*
539 * see header file
540 */
541 plugin_t *openssl_plugin_create()
542 {
543 private_openssl_plugin_t *this;
544 int fips_mode;
545
546 fips_mode = lib->settings->get_int(lib->settings,
547 "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
548 #ifdef OPENSSL_FIPS
549 if (fips_mode)
550 {
551 if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
552 {
553 DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d) from (%d)",
554 fips_mode, FIPS_mode());
555 return NULL;
556 }
557 }
558 #else
559 if (fips_mode)
560 {
561 DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
562 return NULL;
563 }
564 #endif
565
566 INIT(this,
567 .public = {
568 .plugin = {
569 .get_name = _get_name,
570 .get_features = _get_features,
571 .destroy = _destroy,
572 },
573 },
574 );
575
576 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
577 /* note that we can't call OPENSSL_cleanup() when the plugin is destroyed
578 * as we couldn't initialize the library again afterwards */
579 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG |
580 OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
581 #else /* OPENSSL_VERSION_NUMBER */
582 threading_init();
583 #ifndef OPENSSL_IS_BORINGSSL
584 OPENSSL_config(NULL);
585 #endif
586 OpenSSL_add_all_algorithms();
587 #ifndef OPENSSL_NO_ENGINE
588 /* activate support for hardware accelerators */
589 ENGINE_load_builtin_engines();
590 ENGINE_register_all_complete();
591 #endif /* OPENSSL_NO_ENGINE */
592 #endif /* OPENSSL_VERSION_NUMBER */
593
594 #ifdef OPENSSL_FIPS
595 /* we do this here as it may have been enabled via openssl.conf */
596 fips_mode = FIPS_mode();
597 dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
598 "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
599 #endif /* OPENSSL_FIPS */
600
601 if (!seed_rng())
602 {
603 DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
604 destroy(this);
605 return NULL;
606 }
607
608 return &this->public.plugin;
609 }