diff options
author | Yves-Alexis Perez <corsac@corsac.net> | 2017-04-01 16:26:44 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-04-01 16:26:44 +0200 |
commit | dc9380af81fbce8e1a9532b07bc671b9d346101b (patch) | |
tree | 219f7df0b01243ac1c41c7f679d1b4c6aef36b27 /src/libipsec | |
parent | 212c0ba74c0e453497b840f9cd131ec99f73754a (diff) | |
parent | 05ddd767992d68bb38c7f16ece142e8c2e9ae016 (diff) | |
download | vyos-strongswan-dc9380af81fbce8e1a9532b07bc671b9d346101b.tar.gz vyos-strongswan-dc9380af81fbce8e1a9532b07bc671b9d346101b.zip |
Merge tag 'upstream/5.5.2'
Upstream version 5.5.2
Diffstat (limited to 'src/libipsec')
-rw-r--r-- | src/libipsec/Makefile.am | 4 | ||||
-rw-r--r-- | src/libipsec/Makefile.in | 13 | ||||
-rw-r--r-- | src/libipsec/esp_context.c | 19 | ||||
-rw-r--r-- | src/libipsec/esp_packet.c | 2 | ||||
-rw-r--r-- | src/libipsec/ip_packet.c | 29 | ||||
-rw-r--r-- | src/libipsec/ipsec_policy.c | 22 | ||||
-rw-r--r-- | src/libipsec/ipsec_processor.c | 12 | ||||
-rw-r--r-- | src/libipsec/ipsec_sa_mgr.c | 21 | ||||
-rw-r--r-- | src/libipsec/tests/Makefile.in | 2 |
9 files changed, 105 insertions, 19 deletions
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am index 90b456114..a35aba2e5 100644 --- a/src/libipsec/Makefile.am +++ b/src/libipsec/Makefile.am @@ -16,6 +16,10 @@ ipsec_sa_mgr.c ipsec_sa_mgr.h libipsec_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +if USE_WINDOWS + libipsec_la_LIBADD += -lws2_32 +endif + AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index ea73c6036..7d514fd6e 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -88,6 +88,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@USE_WINDOWS_TRUE@am__append_1 = -lws2_32 subdir = src/libipsec ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -136,8 +137,10 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(ipseclibdir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) +am__DEPENDENCIES_1 = libipsec_la_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \ ip_packet.lo ipsec_event_relay.lo ipsec_policy.lo \ ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \ @@ -397,7 +400,6 @@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -432,6 +434,7 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -495,9 +498,9 @@ ipsec_processor.c ipsec_processor.h \ ipsec_sa.c ipsec_sa.h \ ipsec_sa_mgr.c ipsec_sa_mgr.h -libipsec_la_LIBADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la - +libipsec_la_LIBADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__append_1) AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index 6c7e9a1c9..c014e683a 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -210,19 +210,32 @@ METHOD(esp_context_t, destroy, void, static bool create_aead(private_esp_context_t *this, int alg, chunk_t key) { + size_t salt = 0; + switch (alg) { case ENCR_AES_GCM_ICV8: case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: case ENCR_CHACHA20_POLY1305: - /* the key includes a 4 byte salt */ - this->aead = lib->crypto->create_aead(lib->crypto, alg, - key.len - 4, 4); + salt = 4; + break; + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + salt = 3; break; default: break; } + if (salt) + { + this->aead = lib->crypto->create_aead(lib->crypto, alg, + key.len - salt, salt); + } if (!this->aead) { DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD " diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c index 50bc8b4f7..2c521775c 100644 --- a/src/libipsec/esp_packet.c +++ b/src/libipsec/esp_packet.c @@ -25,7 +25,9 @@ #include <bio/bio_reader.h> #include <bio/bio_writer.h> +#ifndef WIN32 #include <netinet/in.h> +#endif typedef struct private_esp_packet_t private_esp_packet_t; diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c index 0fdd5d340..78b4c407a 100644 --- a/src/libipsec/ip_packet.c +++ b/src/libipsec/ip_packet.c @@ -20,11 +20,40 @@ #include <utils/debug.h> #include <sys/types.h> + +#ifndef WIN32 #include <netinet/in.h> #include <netinet/ip.h> #ifdef HAVE_NETINET_IP6_H #include <netinet/ip6.h> #endif +#else +struct ip { +#if BYTE_ORDER == LITTLE_ENDIAN + uint8_t ip_hl: 4; + uint8_t ip_v: 4; +#elif BYTE_ORDER == BIG_ENDIAN + uint8_t ip_v: 4; + uint8_t ip_hl: 4; +#endif + uint8_t ip_tos; + uint16_t ip_len; + uint16_t ip_id; + uint16_t ip_off; + uint8_t ip_ttl; + uint8_t ip_p; + uint16_t ip_sum; + struct in_addr ip_src, ip_dst; +} __attribute__((packed)); +struct ip6_hdr { + uint32_t ip6_flow; /* 4 bit version, 8 bit TC, 20 bit flow label */ + uint16_t ip6_plen; + uint8_t ip6_nxt; + uint8_t ip6_hlim; + struct in6_addr ip6_src, ip6_dst; +} __attribute__((packed)); +#define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */ +#endif /** * TCP header, defined here because platforms disagree regarding member names diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c index 8077d3c8d..98201b843 100644 --- a/src/libipsec/ipsec_policy.c +++ b/src/libipsec/ipsec_policy.c @@ -101,6 +101,24 @@ METHOD(ipsec_policy_t, match, bool, this->dst_ts->equals(this->dst_ts, dst_ts)); } +/** + * Match the port of the given host against the given traffic selector. + */ +static inline bool match_port(traffic_selector_t *ts, host_t *host) +{ + uint16_t from, to, port; + + from = ts->get_from_port(ts); + to = ts->get_to_port(ts); + if ((from == 0 && to == 0xffff) || + (from == 0xffff && to == 0)) + { + return TRUE; + } + port = host->get_port(host); + return from <= port && port <= to; +} + METHOD(ipsec_policy_t, match_packet, bool, private_ipsec_policy_t *this, ip_packet_t *packet) { @@ -110,7 +128,9 @@ METHOD(ipsec_policy_t, match_packet, bool, return (!this->protocol || this->protocol == proto) && this->src_ts->includes(this->src_ts, src) && - this->dst_ts->includes(this->dst_ts, dst); + match_port(this->src_ts, src) && + this->dst_ts->includes(this->dst_ts, dst) && + match_port(this->dst_ts, dst); } METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*, diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c index af79707d1..23b8ad21e 100644 --- a/src/libipsec/ipsec_processor.c +++ b/src/libipsec/ipsec_processor.c @@ -148,9 +148,10 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this) policy->destroy(policy); break; } - DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to " - "policy", ip_packet->get_source(ip_packet), - ip_packet->get_destination(ip_packet)); + DBG1(DBG_ESP, "discarding inbound IP packet %#H == %#H [%hhu] due " + "to policy", ip_packet->get_source(ip_packet), + ip_packet->get_destination(ip_packet), + ip_packet->get_next_header(ip_packet)); /* no matching policy found, fall-through */ } case IPPROTO_NONE: @@ -198,8 +199,9 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this) policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE, 0); if (!policy) { - DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H", - packet->get_source(packet), packet->get_destination(packet)); + DBG2(DBG_ESP, "no matching outbound IPsec policy for %#H == %#H [%hhu]", + packet->get_source(packet), packet->get_destination(packet), + packet->get_next_header(packet)); packet->destroy(packet); return JOB_REQUEUE_DIRECT; } diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index ec35c6ea3..a1fa23e28 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * Hochschule fuer Technik Rapperswil @@ -398,7 +398,21 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) { - uint32_t spi_new; + uint32_t spi_min, spi_max, spi_new; + + spi_min = lib->settings->get_int(lib->settings, "%s.spi_min", + 0x00000100, lib->ns); + spi_max = lib->settings->get_int(lib->settings, "%s.spi_max", + 0xffffffff, lib->ns); + if (spi_min > spi_max) + { + spi_new = spi_min; + spi_min = spi_max; + spi_max = spi_new; + } + /* make sure the SPI is valid (not in range 0-255) */ + spi_min = max(spi_min, 0x00000100); + spi_max = max(spi_max, 0x00000100); this->mutex->lock(this->mutex); if (!this->rng) @@ -421,8 +435,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, DBG1(DBG_ESP, "failed to allocate SPI"); return FAILED; } - /* make sure the SPI is valid (not in range 0-255) */ - spi_new |= 0x00000100; + spi_new = spi_min + spi_new % (spi_max - spi_min + 1); spi_new = htonl(spi_new); } while (!allocate_spi(this, spi_new)); diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in index 0c1d858ce..e81d6fc9f 100644 --- a/src/libipsec/tests/Makefile.in +++ b/src/libipsec/tests/Makefile.in @@ -353,7 +353,6 @@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -388,6 +387,7 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ |