static int openssl_engine_set_default(lua_State*L){
ENGINE* eng = CHECK_OBJECT(1,ENGINE,"openssl.engine");
int ret = 0;
int first = 3;
int top = lua_gettop(L);
if(top==2){
if(lua_isnumber(L, 2))
{
int methods = luaL_checkint(L, 2);
ret = ENGINE_set_default(eng, methods);
}else if(lua_isstring(L,2)){
const char* s = luaL_checkstring(L, 2);
ret = ENGINE_set_default_string(eng, s);
}else
luaL_error(L, "#2 must be a number or string");
lua_pushboolean(L, ret);
return 1;
}
while(first<=top){
int c = luaL_checkoption(L, first, "RSA",list);
switch(c){
case 0:
ret = ENGINE_set_default_RSA(eng);
break;
case 1:
ret = ENGINE_set_default_DSA(eng);
break;
case 2:
ret = ENGINE_set_default_ECDH(eng);
break;
case 3:
ret = ENGINE_set_default_ECDSA(eng);
break;
case 4:
ret = ENGINE_set_default_DH(eng);
break;
case 5:
ret = ENGINE_set_default_RAND(eng);
break;
case 7:
ret = ENGINE_set_default_ciphers(eng);
break;
case 8:
ret = ENGINE_set_default_digests(eng);
break;
case 6:
default:
luaL_error(L,"not support %d for %s",c, list[c]);
break;
}
first++;
if(ret!=1){
lua_pushboolean(L, 0);
return 1;
}
}
lua_pushboolean(L, ret);
return 1;
};
int ENGINE_set_default(ENGINE *e, unsigned int flags)
{
if((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e))
return 0;
if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
return 0;
#ifndef OPENSSL_NO_RSA
if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
return 0;
#endif
#ifndef OPENSSL_NO_DSA
if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
return 0;
#endif
#ifndef OPENSSL_NO_DH
if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
return 0;
#endif
#ifndef OPENSSL_NO_ECDH
if((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
return 0;
#endif
#ifndef OPENSSL_NO_ECDSA
if((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
return 0;
#endif
if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
return 0;
return 1;
}
CryptoDevEngine::CryptoDevEngine( int /* dummy */ )
{
DEBUG( "cryptodev: ctor: loading and configuring" );
ENGINE_load_cryptodev();
ENGINE * cde = ENGINE_by_id( "cryptodev" );
if ( ! cde )
throw Exception( "cryptodev: load failed" );
m_pEngine = cde;
DEBUG( "cryptodev: ctor: initializing " << m_pEngine );
if ( 1 != ENGINE_init( cde ) )
throw Exception( "cryptodev: init failed" );
#if USE_CRYPTODEV_RSA
DEBUG( "cryptodev: ctor: setting as rsa default" );
if ( 1 != ENGINE_set_default_RSA( cde ) )
throw Exception( "cryptodev: could not use for RSA" );
#endif // USE_CRYPTODEV_RSA
#if USE_CRYPTODEV_CIPHERS
DEBUG( "cryptodev: ctor: setting as cipher default" );
if ( 1 != ENGINE_set_default_ciphers( cde ) )
throw Exception( "cryptodev: could not use for ciphers" );
#endif // USE_CRYPTODEV_CIPHERS
#if USE_CRYPTODEV_DIGESTS
DEBUG( "cryptodev: ctor: setting as digest default" );
if ( 1 != ENGINE_set_default_digests( cde ) )
throw Exception( "cryptodev: could not use for digests" );
#endif // USE_CRYPTODEV_DIGESTS
DEBUG( "cryptodev: ctor: done" );
}
static int load_tpm_certificate(struct openconnect_info *vpninfo)
{
ENGINE *e;
EVP_PKEY *key;
UI_METHOD *meth = NULL;
int ret = 0;
ENGINE_load_builtin_engines();
e = ENGINE_by_id("tpm");
if (!e) {
vpn_progress(vpninfo, PRG_ERR, _("Can't load TPM engine.\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
if (!ENGINE_init(e) || !ENGINE_set_default_RSA(e) ||
!ENGINE_set_default_RAND(e)) {
vpn_progress(vpninfo, PRG_ERR, _("Failed to init TPM engine\n"));
openconnect_report_ssl_errors(vpninfo);
ENGINE_free(e);
return -EINVAL;
}
if (vpninfo->cert_password) {
if (!ENGINE_ctrl_cmd(e, "PIN", strlen(vpninfo->cert_password),
vpninfo->cert_password, NULL, 0)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set TPM SRK password\n"));
openconnect_report_ssl_errors(vpninfo);
}
vpninfo->cert_password = NULL;
free(vpninfo->cert_password);
} else {
/* Provide our own UI method to handle the PIN callback. */
meth = create_openssl_ui(vpninfo);
}
key = ENGINE_load_private_key(e, vpninfo->sslkey, meth, NULL);
if (meth)
UI_destroy_method(meth);
if (!key) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load TPM private key\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EINVAL;
goto out;
}
if (!SSL_CTX_use_PrivateKey(vpninfo->https_ctx, key)) {
vpn_progress(vpninfo, PRG_ERR, _("Add key from TPM failed\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EINVAL;
}
EVP_PKEY_free(key);
out:
ENGINE_finish(e);
ENGINE_free(e);
return ret;
}
void
ca_engine_init(void)
{
ENGINE *e;
const char *errstr, *name;
if ((e = ENGINE_get_default_RSA()) == NULL) {
if ((e = ENGINE_new()) == NULL) {
errstr = "ENGINE_new";
goto fail;
}
if (!ENGINE_set_name(e, rsae_method.name)) {
errstr = "ENGINE_set_name";
goto fail;
}
if ((rsa_default = RSA_get_default_method()) == NULL) {
errstr = "RSA_get_default_method";
goto fail;
}
} else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {
errstr = "ENGINE_get_RSA";
goto fail;
}
if ((name = ENGINE_get_name(e)) == NULL)
name = "unknown RSA engine";
log_debug("debug: %s: using %s", __func__, name);
if (rsa_default->flags & RSA_FLAG_SIGN_VER)
fatalx("unsupported RSA engine");
if (rsa_default->rsa_mod_exp == NULL)
rsae_method.rsa_mod_exp = NULL;
if (rsa_default->bn_mod_exp == NULL)
rsae_method.bn_mod_exp = NULL;
if (rsa_default->rsa_keygen == NULL)
rsae_method.rsa_keygen = NULL;
rsae_method.flags = rsa_default->flags |
RSA_METHOD_FLAG_NO_CHECK;
rsae_method.app_data = rsa_default->app_data;
if (!ENGINE_set_RSA(e, &rsae_method)) {
errstr = "ENGINE_set_RSA";
goto fail;
}
if (!ENGINE_set_default_RSA(e)) {
errstr = "ENGINE_set_default_RSA";
goto fail;
}
return;
fail:
ssl_error(errstr);
fatalx("%s", errstr);
}
int main(int argc, char *argv[])
{
int err=0;
int v;
RSA *key;
unsigned char ptext[256];
unsigned char ctext[256];
static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
unsigned char ctext_ex[256];
int plen;
int clen = 0;
int num;
int n;
ENGINE *e;
const char *engine_id = "remote";
ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id);
if(!e)
/* the engine isn't available */
return 1;
if(!ENGINE_init(e)) {
/* the engine couldn't initialise, release 'e' */
ERR_print_errors_fp(stderr);
ENGINE_free(e);
return 1;
}
if(!ENGINE_set_default_RSA(e))
/* This should only happen when 'e' can't initialise, but the previous
* statement suggests it did. */
abort();
ENGINE_ctrl_cmd_string(e, "ADD_WORKER", "local1,127.0.0.1:1234", 0);
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed); /* or OAEP may fail */
plen = sizeof(ptext_ex) - 1;
for (v = 0; v < 6; v++)
{
key = RSA_new();
switch (v%3) {
case 0:
clen = key1(key, ctext_ex);
break;
case 1:
clen = key2(key, ctext_ex);
break;
case 2:
clen = key3(key, ctext_ex);
break;
}
if (v/3 >= 1) key->flags |= RSA_FLAG_NO_CONSTTIME;
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_PADDING);
if (num != clen)
{
printf("PKCS#1 v1.5 encryption failed!\n");
err=1;
goto oaep;
}
num = RSA_private_decrypt(num, ctext, ptext, key,
RSA_PKCS1_PADDING);
if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
{
printf("PKCS#1 v1.5 decryption failed!\n");
err=1;
}
else
printf("PKCS #1 v1.5 encryption/decryption ok\n");
oaep:
ERR_clear_error();
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_OAEP_PADDING);
if (num == -1 && pad_unknown())
{
printf("No OAEP support\n");
goto next;
}
if (num != clen)
{
printf("OAEP encryption failed!\n");
err=1;
goto next;
}
num = RSA_private_decrypt(num, ctext, ptext, key,
RSA_PKCS1_OAEP_PADDING);
if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
{
printf("OAEP decryption (encrypted data) failed!\n");
err=1;
}
else if (memcmp(ctext, ctext_ex, num) == 0)
printf("OAEP test vector %d passed!\n", v);
/* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
Try decrypting ctext_ex */
num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
RSA_PKCS1_OAEP_PADDING);
if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
{
printf("OAEP decryption (test vector data) failed!\n");
err=1;
}
else
printf("OAEP encryption/decryption ok\n");
/* Try decrypting corrupted ciphertexts */
for(n = 0 ; n < clen ; ++n)
{
int b;
unsigned char saved = ctext[n];
for(b = 0 ; b < 256 ; ++b)
{
if(b == saved)
continue;
ctext[n] = b;
num = RSA_private_decrypt(num, ctext, ptext, key,
RSA_PKCS1_OAEP_PADDING);
if(num > 0)
{
printf("Corrupt data decrypted!\n");
err = 1;
}
}
}
next:
RSA_free(key);
}
ENGINE_finish(e);
ENGINE_free(e);
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
CRYPTO_mem_leaks_fp(stderr);
#ifdef OPENSSL_SYS_NETWARE
if (err) printf("ERROR: %d\n", err);
#endif
return err;
}
