Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Sources/OpenVPN3/openvpn/openssl/sign/pkcs7verify.hpp

@@ -0,0 +1,87 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// Verify a PKCS7 signature
+
+#ifndef OPENVPN_OPENSSL_SIGN_PKCS7VERIFY_H
+#define OPENVPN_OPENSSL_SIGN_PKCS7VERIFY_H
+
+#include <string>
+
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+#include <openssl/pkcs7.h>
+
+#include <openvpn/common/cleanup.hpp>
+#include <openvpn/openssl/pki/x509.hpp>
+#include <openvpn/openssl/util/error.hpp>
+
+namespace openvpn {
+  namespace OpenSSLSign {
+    /*
+     * Verify PKCS7 signature.
+     * On success, return.
+     * On fail, throw exception.
+     */
+    inline void verify_pkcs7(const OpenSSLPKI::X509& cert,
+			     const std::string& sig,
+			     const std::string& data)
+    {
+      STACK_OF(X509) *x509_stack = nullptr;
+      BIO *in = nullptr;
+      PKCS7 *p7 = nullptr;
+
+      auto clean = Cleanup([&]() {
+	  if (x509_stack)
+	    sk_X509_free(x509_stack);
+	  if (in)
+	    BIO_free(in);
+	  if (p7)
+	    PKCS7_free(p7);
+	});
+
+      /* create x509_stack from cert */
+      x509_stack = sk_X509_new_null();
+      sk_X509_push(x509_stack, cert.obj());
+
+      /* get signature */
+      in = BIO_new_mem_buf(sig.c_str(), sig.length());
+      p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+      if (!p7)
+	throw OpenSSLException("OpenSSLSign::verify_pkcs7: failed to parse pkcs7 signature");
+      BIO_free(in);
+      in = nullptr;
+
+      /* get data */
+      in = BIO_new_mem_buf(data.c_str(), data.length());
+
+      /* OpenSSL 1.0.2e and higher no longer allows calling PKCS7_verify
+	 with both data and content.  Empty out the content. */
+      p7->d.sign->contents->d.ptr = 0;
+
+      /* do the verify */
+      if (PKCS7_verify(p7, x509_stack, NULL, in, NULL, PKCS7_NOVERIFY) != 1)
+	throw OpenSSLException("OpenSSLSign::verify_pkcs7: verification failed");
+    }
+  }
+}
+
+#endif

Sources/OpenVPN3/openvpn/openssl/sign/verify.hpp

@@ -0,0 +1,99 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// Verify a signature using OpenSSL EVP interface
+
+#ifndef OPENVPN_OPENSSL_SIGN_VERIFY_H
+#define OPENVPN_OPENSSL_SIGN_VERIFY_H
+
+#include <string>
+
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+
+#include <openvpn/common/cleanup.hpp>
+#include <openvpn/common/base64.hpp>
+#include <openvpn/openssl/pki/x509.hpp>
+#include <openvpn/openssl/util/error.hpp>
+
+#include <openvpn/openssl/compat.hpp>
+
+namespace openvpn {
+  namespace OpenSSLSign {
+    /*
+     * Verify signature.
+     * On success, return.
+     * On fail, throw exception.
+     */
+    inline void verify(const OpenSSLPKI::X509& cert,
+		       const std::string& sig,
+		       const std::string& data,
+		       const std::string& digest)
+    {
+      const EVP_MD *dig;
+      EVP_MD_CTX* md_ctx = nullptr;
+      EVP_PKEY *pkey = nullptr;
+
+      auto clean = Cleanup([&]() {
+	  if (pkey)
+	    EVP_PKEY_free(pkey);
+	  if (md_ctx)
+	    {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	      EVP_MD_CTX_cleanup(md_ctx);
+#endif
+	      EVP_MD_CTX_free(md_ctx);
+	    }
+	});
+
+      // get digest
+      dig = EVP_get_digestbyname(digest.c_str());
+      if (!dig)
+	throw Exception("OpenSSLSign::verify: unknown digest: " + digest);
+
+      // get public key
+      pkey = X509_get_pubkey(cert.obj());
+      if (!pkey)
+	throw Exception("OpenSSLSign::verify: no public key");
+
+      // convert signature from base64 to binary
+      BufferAllocated binsig(1024, 0);
+      try {
+	base64->decode(binsig, sig);
+      }
+      catch (const std::exception& e)
+	{
+	  throw Exception(std::string("OpenSSLSign::verify: base64 decode error on signature: ") + e.what());
+	}
+
+      // initialize digest context
+      md_ctx = EVP_MD_CTX_new();
+
+      // verify signature
+      EVP_VerifyInit (md_ctx, dig);
+      EVP_VerifyUpdate(md_ctx, data.c_str(), data.length());
+      if (EVP_VerifyFinal(md_ctx, binsig.c_data(), binsig.length(), pkey) != 1)
+	throw OpenSSLException("OpenSSLSign::verify: verification failed");
+    }
+  }
+}
+
+#endif