dd6a379d26b72a49d2ec22612d1f126f1ff2d025
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_plugin.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <openssl/evp.h>
18 #include <openssl/conf.h>
19 #include <openssl/rand.h>
20 #include <openssl/crypto.h>
21 #ifndef OPENSSL_NO_ENGINE
22 #include <openssl/engine.h>
23 #endif
24
25 #include "openssl_plugin.h"
26
27 #include <library.h>
28 #include <utils/debug.h>
29 #include <threading/thread.h>
30 #include <threading/mutex.h>
31 #include "openssl_util.h"
32 #include "openssl_crypter.h"
33 #include "openssl_hasher.h"
34 #include "openssl_sha1_prf.h"
35 #include "openssl_diffie_hellman.h"
36 #include "openssl_ec_diffie_hellman.h"
37 #include "openssl_rsa_private_key.h"
38 #include "openssl_rsa_public_key.h"
39 #include "openssl_ec_private_key.h"
40 #include "openssl_ec_public_key.h"
41 #include "openssl_x509.h"
42 #include "openssl_crl.h"
43 #include "openssl_pkcs7.h"
44 #include "openssl_rng.h"
45 #include "openssl_hmac.h"
46
47 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
48
49 /**
50 * private data of openssl_plugin
51 */
52 struct private_openssl_plugin_t {
53
54 /**
55 * public functions
56 */
57 openssl_plugin_t public;
58 };
59
60 /**
61 * Array of static mutexs, with CRYPTO_num_locks() mutex
62 */
63 static mutex_t **mutex = NULL;
64
65 /**
66 * Locking callback for static locks
67 */
68 static void locking_function(int mode, int type, const char *file, int line)
69 {
70 if (mutex)
71 {
72 if (mode & CRYPTO_LOCK)
73 {
74 mutex[type]->lock(mutex[type]);
75 }
76 else
77 {
78 mutex[type]->unlock(mutex[type]);
79 }
80 }
81 }
82
83 /**
84 * Implementation of dynlock
85 */
86 struct CRYPTO_dynlock_value {
87 mutex_t *mutex;
88 };
89
90 /**
91 * Callback to create a dynamic lock
92 */
93 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
94 {
95 struct CRYPTO_dynlock_value *lock;
96
97 lock = malloc_thing(struct CRYPTO_dynlock_value);
98 lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
99 return lock;
100 }
101
102 /**
103 * Callback to (un-)lock a dynamic lock
104 */
105 static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
106 const char *file, int line)
107 {
108 if (mode & CRYPTO_LOCK)
109 {
110 lock->mutex->lock(lock->mutex);
111 }
112 else
113 {
114 lock->mutex->unlock(lock->mutex);
115 }
116 }
117
118 /**
119 * Callback to destroy a dynamic lock
120 */
121 static void destroy_function(struct CRYPTO_dynlock_value *lock,
122 const char *file, int line)
123 {
124 lock->mutex->destroy(lock->mutex);
125 free(lock);
126 }
127
128 /**
129 * Thread-ID callback function
130 */
131 static unsigned long id_function(void)
132 {
133 /* ensure the thread ID is never zero, otherwise OpenSSL might try to
134 * acquire locks recursively */
135 return 1 + (unsigned long)thread_current_id();
136 }
137
138 /**
139 * initialize OpenSSL for multi-threaded use
140 */
141 static void threading_init()
142 {
143 int i, num_locks;
144
145 CRYPTO_set_id_callback(id_function);
146 CRYPTO_set_locking_callback(locking_function);
147
148 CRYPTO_set_dynlock_create_callback(create_function);
149 CRYPTO_set_dynlock_lock_callback(lock_function);
150 CRYPTO_set_dynlock_destroy_callback(destroy_function);
151
152 num_locks = CRYPTO_num_locks();
153 mutex = malloc(sizeof(mutex_t*) * num_locks);
154 for (i = 0; i < num_locks; i++)
155 {
156 mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
157 }
158 }
159
160 /**
161 * Seed the OpenSSL RNG, if required
162 */
163 static bool seed_rng()
164 {
165 rng_t *rng = NULL;
166 char buf[32];
167
168 while (RAND_status() != 1)
169 {
170 if (!rng)
171 {
172 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
173 if (!rng)
174 {
175 return FALSE;
176 }
177 }
178 if (!rng->get_bytes(rng, sizeof(buf), buf))
179 {
180 rng->destroy(rng);
181 return FALSE;
182 }
183 RAND_seed(buf, sizeof(buf));
184 }
185 DESTROY_IF(rng);
186 return TRUE;
187 }
188
189 /**
190 * cleanup OpenSSL threading locks
191 */
192 static void threading_cleanup()
193 {
194 int i, num_locks;
195
196 num_locks = CRYPTO_num_locks();
197 for (i = 0; i < num_locks; i++)
198 {
199 mutex[i]->destroy(mutex[i]);
200 }
201 free(mutex);
202 mutex = NULL;
203 }
204
205 METHOD(plugin_t, get_name, char*,
206 private_openssl_plugin_t *this)
207 {
208 return "openssl";
209 }
210
211 METHOD(plugin_t, get_features, int,
212 private_openssl_plugin_t *this, plugin_feature_t *features[])
213 {
214 static plugin_feature_t f[] = {
215 /* crypters */
216 PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
217 #ifndef OPENSSL_NO_AES
218 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
219 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
220 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
221 #endif
222 #ifndef OPENSSL_NO_CAMELLIA
223 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
224 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
225 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
226 #endif
227 #ifndef OPENSSL_NO_RC5
228 PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
229 #endif
230 #ifndef OPENSSL_NO_CAST
231 PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
232 #endif
233 #ifndef OPENSSL_NO_BLOWFISH
234 PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
235 #endif
236 #ifndef OPENSSL_NO_IDEA
237 PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
238 #endif
239 #ifndef OPENSSL_NO_DES
240 PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
241 PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
242 PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
243 #endif
244 PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
245 /* hashers */
246 PLUGIN_REGISTER(HASHER, openssl_hasher_create),
247 #ifndef OPENSSL_NO_SHA1
248 PLUGIN_PROVIDE(HASHER, HASH_SHA1),
249 #endif
250 #ifndef OPENSSL_NO_MD2
251 PLUGIN_PROVIDE(HASHER, HASH_MD2),
252 #endif
253 #ifndef OPENSSL_NO_MD4
254 PLUGIN_PROVIDE(HASHER, HASH_MD4),
255 #endif
256 #ifndef OPENSSL_NO_MD5
257 PLUGIN_PROVIDE(HASHER, HASH_MD5),
258 #endif
259 #ifndef OPENSSL_NO_SHA256
260 PLUGIN_PROVIDE(HASHER, HASH_SHA224),
261 PLUGIN_PROVIDE(HASHER, HASH_SHA256),
262 #endif
263 #ifndef OPENSSL_NO_SHA512
264 PLUGIN_PROVIDE(HASHER, HASH_SHA384),
265 PLUGIN_PROVIDE(HASHER, HASH_SHA512),
266 #endif
267 #ifndef OPENSSL_NO_SHA1
268 /* keyed sha1 hasher (aka prf) */
269 PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
270 PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
271 #endif
272 #ifndef OPENSSL_NO_HMAC
273 PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
274 #ifndef OPENSSL_NO_MD5
275 PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
276 #endif
277 #ifndef OPENSSL_NO_SHA1
278 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
279 #endif
280 #ifndef OPENSSL_NO_SHA256
281 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
282 #endif
283 #ifndef OPENSSL_NO_SHA512
284 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
285 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
286 #endif
287 PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
288 #ifndef OPENSSL_NO_MD5
289 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
290 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
291 #endif
292 #ifndef OPENSSL_NO_SHA1
293 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
294 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
295 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
296 #endif
297 #ifndef OPENSSL_NO_SHA256
298 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
299 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
300 #endif
301 #ifndef OPENSSL_NO_SHA512
302 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
303 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
304 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
305 #endif
306 #endif /* OPENSSL_NO_HMAC */
307 #ifndef OPENSSL_NO_DH
308 /* MODP DH groups */
309 PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
310 PLUGIN_PROVIDE(DH, MODP_2048_BIT),
311 PLUGIN_PROVIDE(DH, MODP_2048_224),
312 PLUGIN_PROVIDE(DH, MODP_2048_256),
313 PLUGIN_PROVIDE(DH, MODP_1536_BIT),
314 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
315 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
316 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
317 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
318 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
319 PLUGIN_PROVIDE(DH, MODP_1024_160),
320 PLUGIN_PROVIDE(DH, MODP_768_BIT),
321 PLUGIN_PROVIDE(DH, MODP_CUSTOM),
322 #endif
323 #ifndef OPENSSL_NO_RSA
324 /* RSA private/public key loading */
325 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
326 PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
327 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE),
328 PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
329 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
330 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
331 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
332 PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
333 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
334 PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
335 /* signature/encryption schemes */
336 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
337 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
338 #ifndef OPENSSL_NO_SHA1
339 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
340 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
341 #endif
342 #ifndef OPENSSL_NO_SHA256
343 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA224),
344 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA256),
345 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA224),
346 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
347 #endif
348 #ifndef OPENSSL_NO_SHA512
349 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA384),
350 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA512),
351 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA384),
352 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA512),
353 #endif
354 #ifndef OPENSSL_NO_MD5
355 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
356 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
357 #endif
358 PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
359 PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
360 #endif /* OPENSSL_NO_RSA */
361 /* certificate/CRL loading */
362 PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
363 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
364 PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
365 PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
366 PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
367 PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
368 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
369 #ifndef OPENSSL_NO_CMS
370 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
371 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
372 #endif /* OPENSSL_NO_CMS */
373 #ifndef OPENSSL_NO_ECDH
374 /* EC DH groups */
375 PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
376 PLUGIN_PROVIDE(DH, ECP_256_BIT),
377 PLUGIN_PROVIDE(DH, ECP_384_BIT),
378 PLUGIN_PROVIDE(DH, ECP_521_BIT),
379 PLUGIN_PROVIDE(DH, ECP_224_BIT),
380 PLUGIN_PROVIDE(DH, ECP_192_BIT),
381 #endif
382 #ifndef OPENSSL_NO_ECDSA
383 /* EC private/public key loading */
384 PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
385 PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
386 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
387 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
388 PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
389 PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
390 /* signature encryption schemes */
391 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
392 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
393 #ifndef OPENSSL_NO_SHA1
394 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
395 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
396 #endif
397 #ifndef OPENSSL_NO_SHA256
398 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
399 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
400 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
401 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
402 #endif
403 #ifndef OPENSSL_NO_SHA512
404 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
405 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
406 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
407 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
408 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
409 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
410 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
411 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
412 #endif
413 #endif /* OPENSSL_NO_ECDSA */
414 PLUGIN_REGISTER(RNG, openssl_rng_create),
415 PLUGIN_PROVIDE(RNG, RNG_STRONG),
416 PLUGIN_PROVIDE(RNG, RNG_WEAK),
417 };
418 *features = f;
419 return countof(f);
420 }
421
422 METHOD(plugin_t, destroy, void,
423 private_openssl_plugin_t *this)
424 {
425 #ifndef OPENSSL_NO_ENGINE
426 ENGINE_cleanup();
427 #endif /* OPENSSL_NO_ENGINE */
428 EVP_cleanup();
429 CONF_modules_free();
430
431 threading_cleanup();
432
433 free(this);
434 }
435
436 /*
437 * see header file
438 */
439 plugin_t *openssl_plugin_create()
440 {
441 private_openssl_plugin_t *this;
442
443 INIT(this,
444 .public = {
445 .plugin = {
446 .get_name = _get_name,
447 .get_features = _get_features,
448 .destroy = _destroy,
449 },
450 },
451 );
452
453 threading_init();
454
455 OPENSSL_config(NULL);
456 OpenSSL_add_all_algorithms();
457
458 #ifndef OPENSSL_NO_ENGINE
459 /* activate support for hardware accelerators */
460 ENGINE_load_builtin_engines();
461 ENGINE_register_all_complete();
462 #endif /* OPENSSL_NO_ENGINE */
463
464 if (!seed_rng())
465 {
466 DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
467 destroy(this);
468 return NULL;
469 }
470
471 return &this->public.plugin;
472 }
473