Adding OpenSSL HMAC signer functions to openssl plugin
authorAleksandr Grinberg <alex@cessp.it>
Wed, 20 Jun 2012 20:46:21 +0000 (13:46 -0700)
committerTobias Brunner <tobias@strongswan.org>
Mon, 25 Jun 2012 14:35:05 +0000 (16:35 +0200)
src/libstrongswan/plugins/openssl/Makefile.am
src/libstrongswan/plugins/openssl/openssl_hmac_signer.c [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_hmac_signer.h [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_plugin.c

index 22bc865..26443e3 100644 (file)
@@ -24,7 +24,8 @@ libstrongswan_openssl_la_SOURCES = \
        openssl_x509.c openssl_x509.h \
        openssl_crl.c openssl_crl.h \
        openssl_rng.c openssl_rng.h \
-       openssl_hmac_prf.c openssl_hmac_prf.h
+       openssl_hmac_prf.c openssl_hmac_prf.h \
+       openssl_hmac_signer.c openssl_hmac_signer.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac_signer.c b/src/libstrongswan/plugins/openssl/openssl_hmac_signer.c
new file mode 100644 (file)
index 0000000..e31047b
--- /dev/null
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) 2012 Aleksandr Grinberg
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+#include "openssl_hmac_signer.h"
+
+typedef struct private_openssl_hmac_signer_t private_openssl_hmac_signer_t;
+
+/**
+ * Private data of openssl_hmac_signer_t
+ */
+struct private_openssl_hmac_signer_t {
+
+       /**
+        * Public part of this class.
+        */
+       openssl_hmac_signer_t public;
+
+       /**
+        * Hasher to use
+        */
+       const EVP_MD *hasher;
+
+       /**
+        * Current HMAC context
+        */
+       HMAC_CTX hmac;
+
+       /**
+        * Key stored for reuse
+        */
+       chunk_t key;
+
+       /**
+        * Signature truncation length
+        */
+       size_t trunc;
+};
+
+METHOD(signer_t, get_block_size, size_t,
+       private_openssl_hmac_signer_t *this)
+{
+       return this->trunc;
+}
+
+METHOD(signer_t, get_key_size, size_t,
+       private_openssl_hmac_signer_t *this)
+{
+       return this->key.len;
+}
+
+/**
+ * Resets HMAC context
+ */
+static void reset(private_openssl_hmac_signer_t *this)
+{
+       HMAC_Init_ex(&this->hmac, this->key.ptr, this->key.len, this->hasher, NULL);
+}
+
+static void get_bytes(private_openssl_hmac_signer_t *this, chunk_t seed,
+                                         u_int8_t *out)
+{
+       if (out == NULL)
+       {
+               HMAC_Update(&this->hmac, seed.ptr, seed.len);
+       }
+       else
+       {
+               HMAC_Update(&this->hmac, seed.ptr, seed.len);
+               HMAC_Final(&this->hmac, out, NULL);
+               reset(this);
+       }
+}
+
+METHOD(signer_t, get_signature, void,
+       private_openssl_hmac_signer_t *this, chunk_t seed, u_int8_t *out)
+{
+       if (out == NULL)
+       {
+               get_bytes(this, seed, NULL);
+       }
+       else
+       {
+               u_int8_t mac[this->key.len];
+
+               get_bytes(this, seed, mac);
+               memcpy(out, mac, this->trunc);
+       }
+}
+
+METHOD(signer_t, allocate_signature,void,
+       private_openssl_hmac_signer_t *this, chunk_t seed, chunk_t *out)
+{
+       if (out == NULL)
+       {
+               get_bytes(this, seed, NULL);
+       }
+       else
+       {
+               u_int8_t mac[this->key.len];
+
+               get_bytes(this, seed, mac);
+               *out = chunk_alloc(this->trunc);
+               memcpy(out->ptr, mac, this->trunc);
+       }
+}
+
+METHOD(signer_t, verify_signature, bool,
+       private_openssl_hmac_signer_t *this, chunk_t seed, chunk_t signature)
+{
+       u_int8_t mac[this->key.len];
+
+       get_bytes(this, seed, mac);
+
+       if (signature.len != this->trunc)
+       {
+               return FALSE;
+       }
+       return memeq(signature.ptr, mac, this->trunc);
+}
+
+METHOD(signer_t, set_key, void,
+       private_openssl_hmac_signer_t *this, chunk_t key)
+{
+       chunk_clear(&this->key);
+       this->key = chunk_clone(key);
+       reset(this);
+}
+
+METHOD(signer_t, destroy, void,
+       private_openssl_hmac_signer_t *this)
+{
+       HMAC_CTX_cleanup(&this->hmac);
+       chunk_clear(&this->key);
+       free(this);
+}
+
+/*
+ * Described in header
+ */
+openssl_hmac_signer_t *openssl_hmac_signer_create(integrity_algorithm_t algo)
+{
+       private_openssl_hmac_signer_t *this;
+
+       INIT(this,
+               .public = {
+                       .signer = {
+                               .get_signature = _get_signature,
+                               .allocate_signature = _allocate_signature,
+                               .verify_signature = _verify_signature,
+                               .get_block_size = _get_block_size,
+                               .get_key_size = _get_key_size,
+                               .set_key = _set_key,
+                               .destroy = _destroy,
+                       },
+               },
+       );
+
+       switch (algo)
+       {
+               case AUTH_HMAC_MD5_96:
+                       this->hasher = EVP_get_digestbyname("md5");
+                       this->key.len = 16;
+                       this->trunc = 12;
+                       break;
+               case AUTH_HMAC_MD5_128:
+                       this->hasher = EVP_get_digestbyname("md5");
+                       this->key.len = 16;
+                       this->trunc = 16;
+                       break;
+               case AUTH_HMAC_SHA1_96:
+                       this->hasher = EVP_get_digestbyname("sha1");
+                       this->key.len = 20;
+                       this->trunc = 12;
+                       break;
+               case AUTH_HMAC_SHA1_128:
+                       this->hasher = EVP_get_digestbyname("sha1");
+                       this->key.len = 20;
+                       this->trunc = 16;
+                       break;
+               case AUTH_HMAC_SHA1_160:
+                       this->hasher = EVP_get_digestbyname("sha1");
+                       this->key.len = 20;
+                       this->trunc = 20;
+                       break;
+               case AUTH_HMAC_SHA2_256_128:
+                       this->hasher = EVP_get_digestbyname("sha256");
+                       this->key.len = 32;
+                       this->trunc = 16;
+                       break;
+               case AUTH_HMAC_SHA2_256_256:
+                       this->hasher = EVP_get_digestbyname("sha256");
+                       this->key.len = 32;
+                       this->trunc = 32;
+                       break;
+               case AUTH_HMAC_SHA2_384_192:
+                       this->hasher = EVP_get_digestbyname("sha384");
+                       this->key.len = 48;
+                       this->trunc = 24;
+                       break;
+               case AUTH_HMAC_SHA2_384_384:
+                       this->hasher = EVP_get_digestbyname("sha384");
+                       this->key.len = 48;
+                       this->trunc = 48;
+                       break;
+               case AUTH_HMAC_SHA2_512_256:
+                       this->hasher = EVP_get_digestbyname("sha512");
+                       this->key.len = 64;
+                       this->trunc = 32;
+                       break;
+               default:
+                       break;
+       }
+
+       if (!this->hasher)
+       {
+               /* hash is not available */
+               free(this);
+               return NULL;
+       }
+
+       HMAC_CTX_init(&this->hmac);
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac_signer.h b/src/libstrongswan/plugins/openssl/openssl_hmac_signer.h
new file mode 100644 (file)
index 0000000..fe97b30
--- /dev/null
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2012 Aleksandr Grinberg
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup openssl_hmac_signer openssl_hmac_signer
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_HMAC_SIGNER_H_
+#define OPENSSL_HMAC_SIGNER_H_
+
+typedef struct openssl_hmac_signer_t openssl_hmac_signer_t;
+
+#include <crypto/signers/signer.h>
+
+/**
+ * Implementation of HMAC signature functions using OpenSSL.
+ */
+struct openssl_hmac_signer_t {
+
+       /**
+        * Implements signer_t interface.
+        */
+       signer_t signer;
+};
+
+/**
+ * Constructor to create openssl_hmac_signer_t.
+ *
+ * @param algo         algorithm
+ * @return                     openssl_hmac_signer_t, NULL if not supported
+ */
+openssl_hmac_signer_t *openssl_hmac_signer_create(integrity_algorithm_t algo);
+
+#endif /** OPENSSL_HMAC_SIGNER_H_ @}*/
index 5ba00d4..625ad0a 100644 (file)
@@ -42,6 +42,7 @@
 #include "openssl_crl.h"
 #include "openssl_rng.h"
 #include "openssl_hmac_prf.h"
+#include "openssl_hmac_signer.h"
 
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
@@ -277,6 +278,25 @@ METHOD(plugin_t, get_features, int,
                        PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
                        PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
 #endif
+               PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
+#ifndef OPENSSL_NO_MD5
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
+#endif
+#ifndef OPENSSL_NO_SHA1
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
+#endif
+#ifndef OPENSSL_NO_SHA256
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
+#endif
+#ifndef OPENSSL_NO_SHA512
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
+#endif
 #endif /* OPENSSL_NO_HMAC */
 #ifndef OPENSSL_NO_DH
                /* MODP DH groups */