authorYves-Alexis Perez <corsac@corsac.net>2017-04-01 16:26:44 +0200
committerYves-Alexis Perez <corsac@corsac.net>2017-04-01 16:26:44 +0200
commitdc9380af81fbce8e1a9532b07bc671b9d346101b (patch)
tree219f7df0b01243ac1c41c7f679d1b4c6aef36b27 /src/libipsec
parent212c0ba74c0e453497b840f9cd131ec99f73754a (diff)
parent05ddd767992d68bb38c7f16ece142e8c2e9ae016 (diff)
downloadvyos-strongswan-dc9380af81fbce8e1a9532b07bc671b9d346101b.tar.gz
vyos-strongswan-dc9380af81fbce8e1a9532b07bc671b9d346101b.zip
Merge tag 'upstream/5.5.2'
Upstream version 5.5.2
Diffstat (limited to 'src/libipsec')
-rw-r--r--src/libipsec/Makefile.am4
-rw-r--r--src/libipsec/Makefile.in13
-rw-r--r--src/libipsec/esp_context.c19
-rw-r--r--src/libipsec/esp_packet.c2
-rw-r--r--src/libipsec/ip_packet.c29
-rw-r--r--src/libipsec/ipsec_policy.c22
-rw-r--r--src/libipsec/ipsec_processor.c12
-rw-r--r--src/libipsec/ipsec_sa_mgr.c21
-rw-r--r--src/libipsec/tests/Makefile.in2
9 files changed, 105 insertions, 19 deletions
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
index 90b456114..a35aba2e5 100644
--- a/src/libipsec/Makefile.am
+++ b/src/libipsec/Makefile.am
@@ -16,6 +16,10 @@ ipsec_sa_mgr.c ipsec_sa_mgr.h
libipsec_la_LIBADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la
+if USE_WINDOWS
+ libipsec_la_LIBADD += -lws2_32
+endif
+
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index ea73c6036..7d514fd6e 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -88,6 +88,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
+@USE_WINDOWS_TRUE@am__append_1 = -lws2_32
subdir = src/libipsec
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -136,8 +137,10 @@ am__uninstall_files_from_dir = { \
}
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
libipsec_la_DEPENDENCIES = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__DEPENDENCIES_1)
am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \
ip_packet.lo ipsec_event_relay.lo ipsec_policy.lo \
ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \
@@ -397,7 +400,6 @@ exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -432,6 +434,7 @@ nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
@@ -495,9 +498,9 @@ ipsec_processor.c ipsec_processor.h \
ipsec_sa.c ipsec_sa.h \
ipsec_sa_mgr.c ipsec_sa_mgr.h
-libipsec_la_LIBADD = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
-
+libipsec_la_LIBADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__append_1)
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 6c7e9a1c9..c014e683a 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -210,19 +210,32 @@ METHOD(esp_context_t, destroy, void,
static bool create_aead(private_esp_context_t *this, int alg,
chunk_t key)
{
+ size_t salt = 0;
+
switch (alg)
{
case ENCR_AES_GCM_ICV8:
case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
case ENCR_CHACHA20_POLY1305:
- /* the key includes a 4 byte salt */
- this->aead = lib->crypto->create_aead(lib->crypto, alg,
- key.len - 4, 4);
+ salt = 4;
+ break;
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV16:
+ salt = 3;
break;
default:
break;
}
+ if (salt)
+ {
+ this->aead = lib->crypto->create_aead(lib->crypto, alg,
+ key.len - salt, salt);
+ }
if (!this->aead)
{
DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD "
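Review bot: `key.len - salt` in the new create_aead call is an unsigned subtraction with no check that the key actually carries a salt, so a key shorter than `salt` bytes (an empty chunk, for instance) becomes an enormous key length handed to create_aead; the original `key.len - 4` had the same gap and the added CCM cases extend it to six more algorithms. Guarding the call, `if (salt && key.len > salt)`, leaves `this->aead` NULL for such a key and routes it into the existing error path below, although that "unsupported AEAD" message would then be slightly misleading for a bad key length. The body of create_aead continues past the end of the hunk.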
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 50bc8b4f7..2c521775c 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -25,7 +25,9 @@
#include <bio/bio_reader.h>
#include <bio/bio_writer.h>
+#ifndef WIN32
#include <netinet/in.h>
+#endif
typedef struct private_esp_packet_t private_esp_packet_t;
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 0fdd5d340..78b4c407a 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -20,11 +20,40 @@
#include <utils/debug.h>
#include <sys/types.h>
+
+#ifndef WIN32
#include <netinet/in.h>
#include <netinet/ip.h>
#ifdef HAVE_NETINET_IP6_H
#include <netinet/ip6.h>
#endif
+#else
+struct ip {
+#if BYTE_ORDER == LITTLE_ENDIAN
+ uint8_t ip_hl: 4;
+ uint8_t ip_v: 4;
+#elif BYTE_ORDER == BIG_ENDIAN
+ uint8_t ip_v: 4;
+ uint8_t ip_hl: 4;
+#endif
+ uint8_t ip_tos;
+ uint16_t ip_len;
+ uint16_t ip_id;
+ uint16_t ip_off;
+ uint8_t ip_ttl;
+ uint8_t ip_p;
+ uint16_t ip_sum;
+ struct in_addr ip_src, ip_dst;
+} __attribute__((packed));
+struct ip6_hdr {
+ uint32_t ip6_flow; /* 4 bit version, 8 bit TC, 20 bit flow label */
+ uint16_t ip6_plen;
+ uint8_t ip6_nxt;
+ uint8_t ip6_hlim;
+ struct in6_addr ip6_src, ip6_dst;
+} __attribute__((packed));
+#define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */
+#endif
/**
* TCP header, defined here because platforms disagree regarding member names
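Review bot: The `#if BYTE_ORDER == LITTLE_ENDIAN` / `#elif BYTE_ORDER == BIG_ENDIAN` chain inside the WIN32 `struct ip` has no `#else`, so if neither comparison holds the `ip_hl`/`ip_v` bit-fields are silently omitted and the packed struct is one byte short, shifting every later field of a parsed IPv4 header. Because the preprocessor evaluates undefined identifiers as 0, an undefined `BYTE_ORDER` together with an undefined `LITTLE_ENDIAN` takes the first branch regardless of the host, which is just as silent. Adding `#else` / `#error "BYTE_ORDER must be LITTLE_ENDIAN or BIG_ENDIAN"` turns either misconfiguration into a build failure instead of a mis-parsed header. Which header is expected to provide `BYTE_ORDER` on Windows is not visible in this hunk.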
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index 8077d3c8d..98201b843 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -101,6 +101,24 @@ METHOD(ipsec_policy_t, match, bool,
this->dst_ts->equals(this->dst_ts, dst_ts));
}
+/**
+ * Match the port of the given host against the given traffic selector.
+ */
+static inline bool match_port(traffic_selector_t *ts, host_t *host)
+{
+ uint16_t from, to, port;
+
+ from = ts->get_from_port(ts);
+ to = ts->get_to_port(ts);
+ if ((from == 0 && to == 0xffff) ||
+ (from == 0xffff && to == 0))
+ {
+ return TRUE;
+ }
+ port = host->get_port(host);
+ return from <= port && port <= to;
+}
+
METHOD(ipsec_policy_t, match_packet, bool,
private_ipsec_policy_t *this, ip_packet_t *packet)
{
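Review bot: The two special ranges accepted by match_port are not explained by its one-line comment, and a reader of `(from == 0 && to == 0xffff) || (from == 0xffff && to == 0)` has to already know the selector encoding to see why both mean "any port". A comment on that condition would help, e.g. `/* 0-65535 is the any-port selector; 65535-0 appears to be the inverted encoding used for opaque ports, treated as match-all here */`. Note also that match_packet applies this check for every protocol, so for a protocol without ports the outcome depends on what host->get_port() was set to when the packet was parsed — presumably 0, which passes an any-port selector but not a narrow one; worth confirming against ip_packet.c.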
@@ -110,7 +128,9 @@ METHOD(ipsec_policy_t, match_packet, bool,
return (!this->protocol || this->protocol == proto) &&
this->src_ts->includes(this->src_ts, src) &&
- this->dst_ts->includes(this->dst_ts, dst);
+ match_port(this->src_ts, src) &&
+ this->dst_ts->includes(this->dst_ts, dst) &&
+ match_port(this->dst_ts, dst);
}
METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*,
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index af79707d1..23b8ad21e 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -148,9 +148,10 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
policy->destroy(policy);
break;
}
- DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to "
- "policy", ip_packet->get_source(ip_packet),
- ip_packet->get_destination(ip_packet));
+ DBG1(DBG_ESP, "discarding inbound IP packet %#H == %#H [%hhu] due "
+ "to policy", ip_packet->get_source(ip_packet),
+ ip_packet->get_destination(ip_packet),
+ ip_packet->get_next_header(ip_packet));
/* no matching policy found, fall-through */
}
case IPPROTO_NONE:
@@ -198,8 +199,9 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE, 0);
if (!policy)
{
- DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
- packet->get_source(packet), packet->get_destination(packet));
+ DBG2(DBG_ESP, "no matching outbound IPsec policy for %#H == %#H [%hhu]",
+ packet->get_source(packet), packet->get_destination(packet),
+ packet->get_next_header(packet));
packet->destroy(packet);
return JOB_REQUEUE_DIRECT;
}
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index ec35c6ea3..a1fa23e28 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
* Copyright (C) 2012 Giuliano Grassi
* Copyright (C) 2012 Ralf Sager
* Hochschule fuer Technik Rapperswil
@@ -398,7 +398,21 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol,
uint32_t *spi)
{
- uint32_t spi_new;
+ uint32_t spi_min, spi_max, spi_new;
+
+ spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+ 0x00000100, lib->ns);
+ spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+ 0xffffffff, lib->ns);
+ if (spi_min > spi_max)
+ {
+ spi_new = spi_min;
+ spi_min = spi_max;
+ spi_max = spi_new;
+ }
+ /* make sure the SPI is valid (not in range 0-255) */
+ spi_min = max(spi_min, 0x00000100);
+ spi_max = max(spi_max, 0x00000100);
this->mutex->lock(this->mutex);
if (!this->rng)
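Review bot: The default `0xffffffff` for `%s.spi_max` is passed to `get_int`, which (if it takes an `int` default, as its name suggests) receives a value outside `int`'s range, converts it implementation-defined to -1, and only then is the result widened back into the `uint32_t` spi_max; the round trip works on two's-complement targets, but a configured spi_max above INT_MAX goes through the same narrow type. Either reading the bounds with a wider accessor or documenting that the configurable range is limited to what `get_int` accepts would make this explicit. Separately, the modulo mapping in the third hunk of this file, `spi_new = spi_min + spi_new % (spi_max - spi_min + 1)`, avoids a zero divisor only because both bounds are clamped to at least 0x100 here; stating that in the `/* make sure the SPI is valid */` comment would keep the two halves of the invariant visible together, since they sit in different hunks. get_spi continues past the end of this hunk.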
@@ -421,8 +435,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
DBG1(DBG_ESP, "failed to allocate SPI");
return FAILED;
}
- /* make sure the SPI is valid (not in range 0-255) */
- spi_new |= 0x00000100;
+ spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
spi_new = htonl(spi_new);
}
while (!allocate_spi(this, spi_new));
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
index 0c1d858ce..e81d6fc9f 100644
--- a/src/libipsec/tests/Makefile.in
+++ b/src/libipsec/tests/Makefile.in
@@ -353,7 +353,6 @@ exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -388,6 +387,7 @@ nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@