removed DES-EDE3-CBC only comment
[strongswan.git] / src / libstrongswan / asn1 / pem.c
index dbd8d25..f1c6a42 100755 (executable)
 #include <stddef.h>
 #include <sys/types.h>
 
-#include "asn1.h"
 #include "pem.h"
-#include "ttodata.h"
+
+#include <library.h>
+#include <asn1/asn1.h>
+#include <asn1/ttodata.h>
 
 #include <utils/lexparser.h>
-#include <utils/logger_manager.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/crypters/crypter.h>
 
-static logger_t *logger = NULL;
-
-/**
- * initializes the PEM logger
- */
-static void pem_init_logger(void)
-{
-       if (logger == NULL)
-               logger = logger_manager->get_logger(logger_manager, ASN1);
-}
+#define PKCS5_SALT_LEN 8       /* bytes */
 
 /**
  * check the presence of a pattern in a character string
@@ -77,8 +69,7 @@ static bool find_boundary(const char* tag, chunk_t *line)
        {
                if (present("-----", line))
                {
-                       logger->log(logger, CONTROL|LEVEL2,
-                               "  -----%s %.*s-----", tag, (int)name.len, name.ptr);
+                       DBG2("  -----%s %.*s-----", tag, (int)name.len, name.ptr);
                        return TRUE;
                }
                line->ptr++;  line->len--;  name.len++;
@@ -87,39 +78,46 @@ static bool find_boundary(const char* tag, chunk_t *line)
 }
 
 /*
- * decrypts a DES-EDE-CBC encrypted data block
+ * decrypts a passphrase protected encrypted data block
  */
-static err_t pem_decrypt(chunk_t *blob, chunk_t *iv, char *passphrase)
+static err_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
+                                                chunk_t *iv, chunk_t *passphrase)
 {
        hasher_t *hasher;
        crypter_t *crypter;
+       chunk_t salt = { iv->ptr, PKCS5_SALT_LEN };
        chunk_t hash;
        chunk_t decrypted;
-       chunk_t pass = {(char*)passphrase, strlen(passphrase)};
-       chunk_t key = {alloca(24), 24};
+       chunk_t key = {alloca(key_size), key_size};
        u_int8_t padding, *last_padding_pos, *first_padding_pos;
        
+       if (passphrase == NULL || passphrase->len == 0)
+               return "missing passphrase";
+
        /* build key from passphrase and IV */
        hasher = hasher_create(HASH_MD5);
        hash.len = hasher->get_hash_size(hasher);
        hash.ptr = alloca(hash.len);
-       hasher->get_hash(hasher, pass, NULL);
-       hasher->get_hash(hasher, *iv, hash.ptr);
-       
+       hasher->get_hash(hasher, *passphrase, NULL);
+       hasher->get_hash(hasher, salt, hash.ptr);
        memcpy(key.ptr, hash.ptr, hash.len);
-       
-       hasher->get_hash(hasher, hash, NULL);
-       hasher->get_hash(hasher, pass, NULL);
-       hasher->get_hash(hasher, *iv, hash.ptr);
-       
-       memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
-       
+
+       if (key.len > hash.len)
+       {
+               hasher->get_hash(hasher, hash, NULL);
+               hasher->get_hash(hasher, *passphrase, NULL);
+               hasher->get_hash(hasher, salt, hash.ptr);       
+               memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
+       }       
        hasher->destroy(hasher);
        
        /* decrypt blob */
-       crypter = crypter_create(ENCR_3DES, 0);
+       crypter = crypter_create(alg, key_size);
        crypter->set_key(crypter, key);
-       crypter->decrypt(crypter, *blob, *iv, &decrypted);
+       if (crypter->decrypt(crypter, *blob, *iv, &decrypted) != SUCCESS)
+       {
+               return "data size is not multiple of block size";
+       }
        memcpy(blob->ptr, decrypted.ptr, blob->len);
        chunk_free(&decrypted);
        
@@ -144,7 +142,7 @@ static err_t pem_decrypt(chunk_t *blob, chunk_t *iv, char *passphrase)
  *  RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
  *  RFC 934 Message Encapsulation, January 1985
  */
-err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
+err_t pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
 {
        typedef enum {
                PEM_PRE    = 0,
@@ -155,6 +153,9 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
                PEM_ABORT  = 5
        } state_t;
 
+       encryption_algorithm_t alg = ENCR_UNDEFINED;
+       size_t key_size = 0;
+
        bool encrypted = FALSE;
 
        state_t state  = PEM_PRE;
@@ -173,8 +174,6 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
        iv.ptr = iv_buf;
        iv.len = 0;
 
-       pem_init_logger();
-
        while (fetchline(&src, &line))
        {
                if (state == PEM_PRE)
@@ -198,6 +197,7 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
                        }
                        if (state == PEM_HEADER)
                        {
+                               err_t ugh = NULL;
                                chunk_t name  = CHUNK_INITIALIZER;
                                chunk_t value = CHUNK_INITIALIZER;
 
@@ -209,24 +209,45 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
                                }
 
                                /* we are looking for a parameter: value pair */
-                               logger->log(logger, CONTROL|LEVEL2, "  %.*s", (int)line.len, line.ptr);
-                               if (!extract_parameter_value(&name, &value, &line))
+                               DBG2("  %.*s", (int)line.len, line.ptr);
+                               ugh = extract_parameter_value(&name, &value, &line);
+                               if (ugh != NULL)
                                        continue;
 
                                if (match("Proc-Type", &name) && *value.ptr == '4')
                                        encrypted = TRUE;
                                else if (match("DEK-Info", &name))
                                {
-                                       const char *ugh = NULL;
                                        size_t len = 0;
                                        chunk_t dek;
 
                                        if (!extract_token(&dek, ',', &value))
                                                dek = value;
 
-                                       /* we support DES-EDE3-CBC encrypted files, only */
-                                       if (!match("DES-EDE3-CBC", &dek))
+                                       if (match("DES-EDE3-CBC", &dek))
+                                       {
+                                               alg = ENCR_3DES;
+                                               key_size = 24;
+                                       }
+                                       else if (match("AES-128-CBC", &dek))
+                                       {
+                                               alg = ENCR_AES_CBC;
+                                               key_size = 16;
+                                       }
+                                       else if (match("AES-192-CBC", &dek))
+                                       {
+                                               alg = ENCR_AES_CBC;
+                                               key_size = 24;
+                                       }
+                                       else if (match("AES-256-CBC", &dek))
+                                       {
+                                               alg = ENCR_AES_CBC;
+                                               key_size = 32;
+                                       }
+                                       else
+                                       {
                                                return "encryption algorithm not supported";
+                                       }
 
                                        eat_whitespace(&value);
                                        ugh = ttodata(value.ptr, value.len, 16, iv.ptr, 16, &len);
@@ -254,8 +275,7 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
                                        *pgp = TRUE;
                                        data.ptr++;
                                        data.len--;
-                                       logger->log(logger, CONTROL|LEVEL2, "  Armor checksum: %.*s",
-                                                               (int)data.len, data.ptr);
+                                       DBG2("  Armor checksum: %.*s", (int)data.len, data.ptr);
                                continue;
                                }
 
@@ -279,21 +299,19 @@ err_t pem_to_bin(chunk_t *blob, char *passphrase, bool *pgp)
        if (state != PEM_POST)
                return "file coded in unknown format, discarded";
 
-       return (encrypted)? pem_decrypt(blob, &iv, passphrase) : NULL;
+       return (encrypted)? pem_decrypt(blob, alg, key_size, &iv, passphrase) : NULL;
 }
 
 /* load a coded key or certificate file with autodetection
  * of binary DER or base64 PEM ASN.1 formats and armored PGP format
  */
-bool pem_asn1_load_file(const char *filename, char *passphrase,
+bool pem_asn1_load_file(const char *filename, chunk_t *passphrase,
                                                const char *type, chunk_t *blob, bool *pgp)
 {
        err_t ugh = NULL;
 
        FILE *fd = fopen(filename, "r");
 
-       pem_init_logger();
-
        if (fd)
        {
                int bytes;
@@ -303,17 +321,20 @@ bool pem_asn1_load_file(const char *filename, char *passphrase,
                blob->ptr = malloc(blob->len);
                bytes = fread(blob->ptr, 1, blob->len, fd);
                fclose(fd);
-               logger->log(logger, CONTROL, "  loaded %s file '%s' (%d bytes)", type, filename, bytes);
+               DBG1("  loading %s file '%s' (%d bytes)", type, filename, bytes);
 
                *pgp = FALSE;
 
                /* try DER format */
                if (is_asn1(*blob))
                {
-                       logger->log(logger, CONTROL|LEVEL1, "  file coded in DER format");
+                       DBG2("  file coded in DER format");
                        return TRUE;
                }
 
+               if (passphrase != NULL)
+                       DBG4("  passphrase:", passphrase->ptr, passphrase->len);
+
                /* try PEM format */
                ugh = pem_to_bin(blob, passphrase, pgp);
 
@@ -321,24 +342,24 @@ bool pem_asn1_load_file(const char *filename, char *passphrase,
                {
                        if (*pgp)
                        {
-                               logger->log(logger, CONTROL|LEVEL1, "  file coded in armored PGP format");
+                               DBG2("  file coded in armored PGP format");
                                return TRUE;
                        }
                        if (is_asn1(*blob))
                        {
-                               logger->log(logger, CONTROL|LEVEL1, "  file coded in PEM format");
+                               DBG2("  file coded in PEM format");
                                return TRUE;
                        }
                        ugh = "file coded in unknown format, discarded";
                }
 
                /* a conversion error has occured */
-               logger->log(logger, ERROR, "  %s", ugh);
+               DBG1("  %s", ugh);
                chunk_free(blob);
        }
        else
        {
-               logger->log(logger, ERROR, "could not open %s file '%s'", type, filename);
+               DBG1("  could not open %s file '%s'", type, filename);
        }
        return FALSE;
 }