summaryrefslogtreecommitdiff
path: root/src/libstrongswan
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
committerYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
commit7793611ee71b576dd9c66dee327349fa64e38740 (patch)
treef1379ec1aed52a3c772874d4ed690b90975b9623 /src/libstrongswan
parente1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (diff)
downloadvyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.tar.gz
vyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.zip
New upstream version 5.6.2
Diffstat (limited to 'src/libstrongswan')
-rw-r--r--src/libstrongswan/Android.mk2
-rw-r--r--src/libstrongswan/Makefile.am4
-rw-r--r--src/libstrongswan/Makefile.in13
-rw-r--r--src/libstrongswan/asn1/oid.c415
-rw-r--r--src/libstrongswan/asn1/oid.h208
-rw-r--r--src/libstrongswan/asn1/oid.txt1
-rw-r--r--src/libstrongswan/collections/linked_list.h2
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c10
-rw-r--r--src/libstrongswan/credentials/cred_encoding.c2
-rw-r--r--src/libstrongswan/credentials/keys/signature_params.c6
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c2
-rw-r--r--src/libstrongswan/crypto/proposal/proposal.c1134
-rw-r--r--src/libstrongswan/crypto/proposal/proposal.h246
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.h2
-rw-r--r--src/libstrongswan/eap/eap.c2
-rw-r--r--src/libstrongswan/ipsec/ipsec_types.c7
-rw-r--r--src/libstrongswan/library.c3
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_enc.c4
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_locl.h4
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_pi.h4
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_skey.c4
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish.h4
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish_crypter.c4
-rw-r--r--src/libstrongswan/plugins/des/des_crypter.c6
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c9
-rw-r--r--src/libstrongswan/plugins/newhope/newhope_ke.c2
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c2
-rw-r--r--src/libstrongswan/plugins/plugin_loader.h2
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c5
-rw-r--r--src/libstrongswan/processing/scheduler.h6
-rw-r--r--src/libstrongswan/tests/Makefile.am1
-rw-r--r--src/libstrongswan/tests/Makefile.in19
-rw-r--r--src/libstrongswan/tests/suites/test_proposal.c220
-rw-r--r--src/libstrongswan/tests/suites/test_utils.c19
-rw-r--r--src/libstrongswan/tests/tests.h1
-rw-r--r--src/libstrongswan/threading/semaphore.h2
-rw-r--r--src/libstrongswan/utils/chunk.c4
37 files changed, 2021 insertions, 360 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 0247add96..fb7c62a8a 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -8,7 +8,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
-crypto/hashers/hash_algorithm_set.c \
+crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index a9759aeee..66539a879 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -6,7 +6,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
-crypto/hashers/hash_algorithm_set.c \
+crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
@@ -69,7 +69,7 @@ asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
collections/linked_list.h collections/array.h collections/dictionary.h \
crypto/crypters/crypter.h crypto/hashers/hasher.h \
-crypto/hashers/hash_algorithm_set.h crypto/mac.h \
+crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \
crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 356670dad..a0eb8b6b5 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -335,7 +335,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
collections/enumerator.c collections/hashtable.c \
collections/array.c collections/linked_list.c \
crypto/crypters/crypter.c crypto/hashers/hasher.c \
- crypto/hashers/hash_algorithm_set.c \
+ crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \
crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
@@ -425,6 +425,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
collections/array.lo collections/linked_list.lo \
crypto/crypters/crypter.lo crypto/hashers/hasher.lo \
crypto/hashers/hash_algorithm_set.lo \
+ crypto/proposal/proposal.lo \
crypto/proposal/proposal_keywords.lo \
crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \
crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \
@@ -556,7 +557,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
collections/linked_list.h collections/array.h \
collections/dictionary.h crypto/crypters/crypter.h \
crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \
- crypto/mac.h crypto/proposal/proposal_keywords.h \
+ crypto/mac.h crypto/proposal/proposal.h \
+ crypto/proposal/proposal_keywords.h \
crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h \
@@ -942,7 +944,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
collections/hashtable.c collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c \
crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \
- crypto/proposal/proposal_keywords.c \
+ crypto/proposal/proposal.c crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
crypto/prf_plus.c crypto/signers/signer.c \
@@ -1005,7 +1007,7 @@ settings/settings_types.h
@USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
@USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \
@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \
-@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \
+@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \
@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
@USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
@USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
@@ -1302,6 +1304,8 @@ crypto/proposal/$(am__dirstamp):
crypto/proposal/$(DEPDIR)/$(am__dirstamp):
@$(MKDIR_P) crypto/proposal/$(DEPDIR)
@: > crypto/proposal/$(DEPDIR)/$(am__dirstamp)
+crypto/proposal/proposal.lo: crypto/proposal/$(am__dirstamp) \
+ crypto/proposal/$(DEPDIR)/$(am__dirstamp)
crypto/proposal/proposal_keywords.lo: crypto/proposal/$(am__dirstamp) \
crypto/proposal/$(DEPDIR)/$(am__dirstamp)
crypto/proposal/proposal_keywords_static.lo: \
@@ -1855,6 +1859,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords_static.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/rngs/$(DEPDIR)/rng.Plo@am__quote@
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 6d9f98ee4..a70aafdd9 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -205,8 +205,8 @@ const oid_t oid_names[] = {
{ 0x02, 193, 0, 7, "ecdsa-with-SHA256" }, /* 192 */
{ 0x03, 194, 0, 7, "ecdsa-with-SHA384" }, /* 193 */
{ 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 194 */
- {0x2B, 425, 1, 0, "" }, /* 195 */
- { 0x06, 336, 1, 1, "dod" }, /* 196 */
+ {0x2B, 426, 1, 0, "" }, /* 195 */
+ { 0x06, 337, 1, 1, "dod" }, /* 196 */
{ 0x01, 0, 1, 2, "internet" }, /* 197 */
{ 0x04, 287, 1, 3, "private" }, /* 198 */
{ 0x01, 0, 1, 4, "enterprise" }, /* 199 */
@@ -299,211 +299,212 @@ const oid_t oid_names[] = {
{ 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 286 */
{ 0x05, 0, 1, 3, "security" }, /* 287 */
{ 0x05, 0, 1, 4, "mechanisms" }, /* 288 */
- { 0x07, 333, 1, 5, "id-pkix" }, /* 289 */
- { 0x01, 294, 1, 6, "id-pe" }, /* 290 */
+ { 0x07, 334, 1, 5, "id-pkix" }, /* 289 */
+ { 0x01, 295, 1, 6, "id-pe" }, /* 290 */
{ 0x01, 292, 0, 7, "authorityInfoAccess" }, /* 291 */
{ 0x03, 293, 0, 7, "qcStatements" }, /* 292 */
- { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 293 */
- { 0x02, 297, 1, 6, "id-qt" }, /* 294 */
- { 0x01, 296, 0, 7, "cps" }, /* 295 */
- { 0x02, 0, 0, 7, "unotice" }, /* 296 */
- { 0x03, 307, 1, 6, "id-kp" }, /* 297 */
- { 0x01, 299, 0, 7, "serverAuth" }, /* 298 */
- { 0x02, 300, 0, 7, "clientAuth" }, /* 299 */
- { 0x03, 301, 0, 7, "codeSigning" }, /* 300 */
- { 0x04, 302, 0, 7, "emailProtection" }, /* 301 */
- { 0x05, 303, 0, 7, "ipsecEndSystem" }, /* 302 */
- { 0x06, 304, 0, 7, "ipsecTunnel" }, /* 303 */
- { 0x07, 305, 0, 7, "ipsecUser" }, /* 304 */
- { 0x08, 306, 0, 7, "timeStamping" }, /* 305 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 306 */
- { 0x08, 315, 1, 6, "id-otherNames" }, /* 307 */
- { 0x01, 309, 0, 7, "personalData" }, /* 308 */
- { 0x02, 310, 0, 7, "userGroup" }, /* 309 */
- { 0x03, 311, 0, 7, "id-on-permanentIdentifier" }, /* 310 */
- { 0x04, 312, 0, 7, "id-on-hardwareModuleName" }, /* 311 */
- { 0x05, 313, 0, 7, "xmppAddr" }, /* 312 */
- { 0x06, 314, 0, 7, "id-on-SIM" }, /* 313 */
- { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 314 */
- { 0x0A, 320, 1, 6, "id-aca" }, /* 315 */
- { 0x01, 317, 0, 7, "authenticationInfo" }, /* 316 */
- { 0x02, 318, 0, 7, "accessIdentity" }, /* 317 */
- { 0x03, 319, 0, 7, "chargingIdentity" }, /* 318 */
- { 0x04, 0, 0, 7, "group" }, /* 319 */
- { 0x0B, 321, 0, 6, "subjectInfoAccess" }, /* 320 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 321 */
- { 0x01, 330, 1, 7, "ocsp" }, /* 322 */
- { 0x01, 324, 0, 8, "basic" }, /* 323 */
- { 0x02, 325, 0, 8, "nonce" }, /* 324 */
- { 0x03, 326, 0, 8, "crl" }, /* 325 */
- { 0x04, 327, 0, 8, "response" }, /* 326 */
- { 0x05, 328, 0, 8, "noCheck" }, /* 327 */
- { 0x06, 329, 0, 8, "archiveCutoff" }, /* 328 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 329 */
- { 0x02, 331, 0, 7, "caIssuers" }, /* 330 */
- { 0x03, 332, 0, 7, "timeStamping" }, /* 331 */
- { 0x05, 0, 0, 7, "caRepository" }, /* 332 */
- { 0x08, 0, 1, 5, "ipsec" }, /* 333 */
- { 0x02, 0, 1, 6, "certificate" }, /* 334 */
- { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 335 */
- { 0x0E, 342, 1, 1, "oiw" }, /* 336 */
- { 0x03, 0, 1, 2, "secsig" }, /* 337 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 338 */
- { 0x07, 340, 0, 4, "des-cbc" }, /* 339 */
- { 0x1A, 341, 0, 4, "sha-1" }, /* 340 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 341 */
- { 0x24, 388, 1, 1, "TeleTrusT" }, /* 342 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 343 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 344 */
- { 0x01, 349, 1, 4, "rsaSignature" }, /* 345 */
- { 0x02, 347, 0, 5, "rsaSigWithripemd160" }, /* 346 */
- { 0x03, 348, 0, 5, "rsaSigWithripemd128" }, /* 347 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 348 */
- { 0x02, 0, 1, 4, "ecSign" }, /* 349 */
- { 0x01, 351, 0, 5, "ecSignWithsha1" }, /* 350 */
- { 0x02, 352, 0, 5, "ecSignWithripemd160" }, /* 351 */
- { 0x03, 353, 0, 5, "ecSignWithmd2" }, /* 352 */
- { 0x04, 354, 0, 5, "ecSignWithmd5" }, /* 353 */
- { 0x05, 371, 1, 5, "ttt-ecg" }, /* 354 */
- { 0x01, 359, 1, 6, "fieldType" }, /* 355 */
- { 0x01, 0, 1, 7, "characteristictwoField" }, /* 356 */
- { 0x01, 0, 1, 8, "basisType" }, /* 357 */
- { 0x01, 0, 0, 9, "ipBasis" }, /* 358 */
- { 0x02, 361, 1, 6, "keyType" }, /* 359 */
- { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 360 */
- { 0x03, 362, 0, 6, "curve" }, /* 361 */
- { 0x04, 369, 1, 6, "signatures" }, /* 362 */
- { 0x01, 364, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 363 */
- { 0x02, 365, 0, 7, "ecgdsa-with-SHA1" }, /* 364 */
- { 0x03, 366, 0, 7, "ecgdsa-with-SHA224" }, /* 365 */
- { 0x04, 367, 0, 7, "ecgdsa-with-SHA256" }, /* 366 */
- { 0x05, 368, 0, 7, "ecgdsa-with-SHA384" }, /* 367 */
- { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 368 */
- { 0x05, 0, 1, 6, "module" }, /* 369 */
- { 0x01, 0, 0, 7, "1" }, /* 370 */
- { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 371 */
- { 0x01, 0, 1, 6, "ellipticCurve" }, /* 372 */
- { 0x01, 0, 1, 7, "versionOne" }, /* 373 */
- { 0x01, 375, 0, 8, "brainpoolP160r1" }, /* 374 */
- { 0x02, 376, 0, 8, "brainpoolP160t1" }, /* 375 */
- { 0x03, 377, 0, 8, "brainpoolP192r1" }, /* 376 */
- { 0x04, 378, 0, 8, "brainpoolP192t1" }, /* 377 */
- { 0x05, 379, 0, 8, "brainpoolP224r1" }, /* 378 */
- { 0x06, 380, 0, 8, "brainpoolP224t1" }, /* 379 */
- { 0x07, 381, 0, 8, "brainpoolP256r1" }, /* 380 */
- { 0x08, 382, 0, 8, "brainpoolP256t1" }, /* 381 */
- { 0x09, 383, 0, 8, "brainpoolP320r1" }, /* 382 */
- { 0x0A, 384, 0, 8, "brainpoolP320t1" }, /* 383 */
- { 0x0B, 385, 0, 8, "brainpoolP384r1" }, /* 384 */
- { 0x0C, 386, 0, 8, "brainpoolP384t1" }, /* 385 */
- { 0x0D, 387, 0, 8, "brainpoolP512r1" }, /* 386 */
- { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 387 */
- { 0x65, 391, 1, 1, "Thawte" }, /* 388 */
- { 0x70, 390, 0, 2, "id-Ed25519" }, /* 389 */
- { 0x71, 0, 0, 2, "id-Ed448" }, /* 390 */
- { 0x81, 0, 1, 1, "" }, /* 391 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 392 */
- { 0x00, 0, 1, 3, "curve" }, /* 393 */
- { 0x01, 395, 0, 4, "sect163k1" }, /* 394 */
- { 0x02, 396, 0, 4, "sect163r1" }, /* 395 */
- { 0x03, 397, 0, 4, "sect239k1" }, /* 396 */
- { 0x04, 398, 0, 4, "sect113r1" }, /* 397 */
- { 0x05, 399, 0, 4, "sect113r2" }, /* 398 */
- { 0x06, 400, 0, 4, "secp112r1" }, /* 399 */
- { 0x07, 401, 0, 4, "secp112r2" }, /* 400 */
- { 0x08, 402, 0, 4, "secp160r1" }, /* 401 */
- { 0x09, 403, 0, 4, "secp160k1" }, /* 402 */
- { 0x0A, 404, 0, 4, "secp256k1" }, /* 403 */
- { 0x0F, 405, 0, 4, "sect163r2" }, /* 404 */
- { 0x10, 406, 0, 4, "sect283k1" }, /* 405 */
- { 0x11, 407, 0, 4, "sect283r1" }, /* 406 */
- { 0x16, 408, 0, 4, "sect131r1" }, /* 407 */
- { 0x17, 409, 0, 4, "sect131r2" }, /* 408 */
- { 0x18, 410, 0, 4, "sect193r1" }, /* 409 */
- { 0x19, 411, 0, 4, "sect193r2" }, /* 410 */
- { 0x1A, 412, 0, 4, "sect233k1" }, /* 411 */
- { 0x1B, 413, 0, 4, "sect233r1" }, /* 412 */
- { 0x1C, 414, 0, 4, "secp128r1" }, /* 413 */
- { 0x1D, 415, 0, 4, "secp128r2" }, /* 414 */
- { 0x1E, 416, 0, 4, "secp160r2" }, /* 415 */
- { 0x1F, 417, 0, 4, "secp192k1" }, /* 416 */
- { 0x20, 418, 0, 4, "secp224k1" }, /* 417 */
- { 0x21, 419, 0, 4, "secp224r1" }, /* 418 */
- { 0x22, 420, 0, 4, "secp384r1" }, /* 419 */
- { 0x23, 421, 0, 4, "secp521r1" }, /* 420 */
- { 0x24, 422, 0, 4, "sect409k1" }, /* 421 */
- { 0x25, 423, 0, 4, "sect409r1" }, /* 422 */
- { 0x26, 424, 0, 4, "sect571k1" }, /* 423 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 424 */
- {0x60, 488, 1, 0, "" }, /* 425 */
- { 0x86, 0, 1, 1, "" }, /* 426 */
- { 0x48, 0, 1, 2, "" }, /* 427 */
- { 0x01, 0, 1, 3, "organization" }, /* 428 */
- { 0x65, 464, 1, 4, "gov" }, /* 429 */
- { 0x03, 0, 1, 5, "csor" }, /* 430 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 431 */
- { 0x01, 442, 1, 7, "aes" }, /* 432 */
- { 0x02, 434, 0, 8, "id-aes128-CBC" }, /* 433 */
- { 0x06, 435, 0, 8, "id-aes128-GCM" }, /* 434 */
- { 0x07, 436, 0, 8, "id-aes128-CCM" }, /* 435 */
- { 0x16, 437, 0, 8, "id-aes192-CBC" }, /* 436 */
- { 0x1A, 438, 0, 8, "id-aes192-GCM" }, /* 437 */
- { 0x1B, 439, 0, 8, "id-aes192-CCM" }, /* 438 */
- { 0x2A, 440, 0, 8, "id-aes256-CBC" }, /* 439 */
- { 0x2E, 441, 0, 8, "id-aes256-GCM" }, /* 440 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 441 */
- { 0x02, 455, 1, 7, "hashAlgs" }, /* 442 */
- { 0x01, 444, 0, 8, "id-sha256" }, /* 443 */
- { 0x02, 445, 0, 8, "id-sha384" }, /* 444 */
- { 0x03, 446, 0, 8, "id-sha512" }, /* 445 */
- { 0x04, 447, 0, 8, "id-sha224" }, /* 446 */
- { 0x05, 448, 0, 8, "id-sha512-224" }, /* 447 */
- { 0x06, 449, 0, 8, "id-sha512-256" }, /* 448 */
- { 0x07, 450, 0, 8, "id-sha3-224" }, /* 449 */
- { 0x08, 451, 0, 8, "id-sha3-256" }, /* 450 */
- { 0x09, 452, 0, 8, "id-sha3-384" }, /* 451 */
- { 0x0A, 453, 0, 8, "id-sha3-512" }, /* 452 */
- { 0x0B, 454, 0, 8, "id-shake128" }, /* 453 */
- { 0x0C, 0, 0, 8, "id-shake256" }, /* 454 */
- { 0x03, 0, 1, 7, "sigAlgs" }, /* 455 */
- { 0x09, 457, 0, 8, "id-ecdsa-with-sha3-224" }, /* 456 */
- { 0x0A, 458, 0, 8, "id-ecdsa-with-sha3-256" }, /* 457 */
- { 0x0B, 459, 0, 8, "id-ecdsa-with-sha3-384" }, /* 458 */
- { 0x0C, 460, 0, 8, "id-ecdsa-with-sha3-512" }, /* 459 */
- { 0x0D, 461, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 460 */
- { 0x0E, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 461 */
- { 0x0F, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 462 */
- { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 463 */
- { 0x86, 0, 1, 4, "" }, /* 464 */
- { 0xf8, 0, 1, 5, "" }, /* 465 */
- { 0x42, 478, 1, 6, "netscape" }, /* 466 */
- { 0x01, 473, 1, 7, "" }, /* 467 */
- { 0x01, 469, 0, 8, "nsCertType" }, /* 468 */
- { 0x03, 470, 0, 8, "nsRevocationUrl" }, /* 469 */
- { 0x04, 471, 0, 8, "nsCaRevocationUrl" }, /* 470 */
- { 0x08, 472, 0, 8, "nsCaPolicyUrl" }, /* 471 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 472 */
- { 0x03, 476, 1, 7, "directory" }, /* 473 */
- { 0x01, 0, 1, 8, "" }, /* 474 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 475 */
- { 0x04, 0, 1, 7, "policy" }, /* 476 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 477 */
- { 0x45, 0, 1, 6, "verisign" }, /* 478 */
- { 0x01, 0, 1, 7, "pki" }, /* 479 */
- { 0x09, 0, 1, 8, "attributes" }, /* 480 */
- { 0x02, 482, 0, 9, "messageType" }, /* 481 */
- { 0x03, 483, 0, 9, "pkiStatus" }, /* 482 */
- { 0x04, 484, 0, 9, "failInfo" }, /* 483 */
- { 0x05, 485, 0, 9, "senderNonce" }, /* 484 */
- { 0x06, 486, 0, 9, "recipientNonce" }, /* 485 */
- { 0x07, 487, 0, 9, "transID" }, /* 486 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 487 */
- {0x67, 0, 1, 0, "" }, /* 488 */
- { 0x81, 0, 1, 1, "" }, /* 489 */
- { 0x05, 0, 1, 2, "" }, /* 490 */
- { 0x02, 0, 1, 3, "tcg-attribute" }, /* 491 */
- { 0x01, 493, 0, 4, "tcg-at-tpmManufacturer" }, /* 492 */
- { 0x02, 494, 0, 4, "tcg-at-tpmModel" }, /* 493 */
- { 0x03, 495, 0, 4, "tcg-at-tpmVersion" }, /* 494 */
- { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 495 */
+ { 0x07, 294, 0, 7, "ipAddrBlocks" }, /* 293 */
+ { 0x18, 0, 0, 7, "tlsfeature" }, /* 294 */
+ { 0x02, 298, 1, 6, "id-qt" }, /* 295 */
+ { 0x01, 297, 0, 7, "cps" }, /* 296 */
+ { 0x02, 0, 0, 7, "unotice" }, /* 297 */
+ { 0x03, 308, 1, 6, "id-kp" }, /* 298 */
+ { 0x01, 300, 0, 7, "serverAuth" }, /* 299 */
+ { 0x02, 301, 0, 7, "clientAuth" }, /* 300 */
+ { 0x03, 302, 0, 7, "codeSigning" }, /* 301 */
+ { 0x04, 303, 0, 7, "emailProtection" }, /* 302 */
+ { 0x05, 304, 0, 7, "ipsecEndSystem" }, /* 303 */
+ { 0x06, 305, 0, 7, "ipsecTunnel" }, /* 304 */
+ { 0x07, 306, 0, 7, "ipsecUser" }, /* 305 */
+ { 0x08, 307, 0, 7, "timeStamping" }, /* 306 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 307 */
+ { 0x08, 316, 1, 6, "id-otherNames" }, /* 308 */
+ { 0x01, 310, 0, 7, "personalData" }, /* 309 */
+ { 0x02, 311, 0, 7, "userGroup" }, /* 310 */
+ { 0x03, 312, 0, 7, "id-on-permanentIdentifier" }, /* 311 */
+ { 0x04, 313, 0, 7, "id-on-hardwareModuleName" }, /* 312 */
+ { 0x05, 314, 0, 7, "xmppAddr" }, /* 313 */
+ { 0x06, 315, 0, 7, "id-on-SIM" }, /* 314 */
+ { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 315 */
+ { 0x0A, 321, 1, 6, "id-aca" }, /* 316 */
+ { 0x01, 318, 0, 7, "authenticationInfo" }, /* 317 */
+ { 0x02, 319, 0, 7, "accessIdentity" }, /* 318 */
+ { 0x03, 320, 0, 7, "chargingIdentity" }, /* 319 */
+ { 0x04, 0, 0, 7, "group" }, /* 320 */
+ { 0x0B, 322, 0, 6, "subjectInfoAccess" }, /* 321 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 322 */
+ { 0x01, 331, 1, 7, "ocsp" }, /* 323 */
+ { 0x01, 325, 0, 8, "basic" }, /* 324 */
+ { 0x02, 326, 0, 8, "nonce" }, /* 325 */
+ { 0x03, 327, 0, 8, "crl" }, /* 326 */
+ { 0x04, 328, 0, 8, "response" }, /* 327 */
+ { 0x05, 329, 0, 8, "noCheck" }, /* 328 */
+ { 0x06, 330, 0, 8, "archiveCutoff" }, /* 329 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 330 */
+ { 0x02, 332, 0, 7, "caIssuers" }, /* 331 */
+ { 0x03, 333, 0, 7, "timeStamping" }, /* 332 */
+ { 0x05, 0, 0, 7, "caRepository" }, /* 333 */
+ { 0x08, 0, 1, 5, "ipsec" }, /* 334 */
+ { 0x02, 0, 1, 6, "certificate" }, /* 335 */
+ { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 336 */
+ { 0x0E, 343, 1, 1, "oiw" }, /* 337 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 338 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 339 */
+ { 0x07, 341, 0, 4, "des-cbc" }, /* 340 */
+ { 0x1A, 342, 0, 4, "sha-1" }, /* 341 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 342 */
+ { 0x24, 389, 1, 1, "TeleTrusT" }, /* 343 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 344 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 345 */
+ { 0x01, 350, 1, 4, "rsaSignature" }, /* 346 */
+ { 0x02, 348, 0, 5, "rsaSigWithripemd160" }, /* 347 */
+ { 0x03, 349, 0, 5, "rsaSigWithripemd128" }, /* 348 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 349 */
+ { 0x02, 0, 1, 4, "ecSign" }, /* 350 */
+ { 0x01, 352, 0, 5, "ecSignWithsha1" }, /* 351 */
+ { 0x02, 353, 0, 5, "ecSignWithripemd160" }, /* 352 */
+ { 0x03, 354, 0, 5, "ecSignWithmd2" }, /* 353 */
+ { 0x04, 355, 0, 5, "ecSignWithmd5" }, /* 354 */
+ { 0x05, 372, 1, 5, "ttt-ecg" }, /* 355 */
+ { 0x01, 360, 1, 6, "fieldType" }, /* 356 */
+ { 0x01, 0, 1, 7, "characteristictwoField" }, /* 357 */
+ { 0x01, 0, 1, 8, "basisType" }, /* 358 */
+ { 0x01, 0, 0, 9, "ipBasis" }, /* 359 */
+ { 0x02, 362, 1, 6, "keyType" }, /* 360 */
+ { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 361 */
+ { 0x03, 363, 0, 6, "curve" }, /* 362 */
+ { 0x04, 370, 1, 6, "signatures" }, /* 363 */
+ { 0x01, 365, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 364 */
+ { 0x02, 366, 0, 7, "ecgdsa-with-SHA1" }, /* 365 */
+ { 0x03, 367, 0, 7, "ecgdsa-with-SHA224" }, /* 366 */
+ { 0x04, 368, 0, 7, "ecgdsa-with-SHA256" }, /* 367 */
+ { 0x05, 369, 0, 7, "ecgdsa-with-SHA384" }, /* 368 */
+ { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 369 */
+ { 0x05, 0, 1, 6, "module" }, /* 370 */
+ { 0x01, 0, 0, 7, "1" }, /* 371 */
+ { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 372 */
+ { 0x01, 0, 1, 6, "ellipticCurve" }, /* 373 */
+ { 0x01, 0, 1, 7, "versionOne" }, /* 374 */
+ { 0x01, 376, 0, 8, "brainpoolP160r1" }, /* 375 */
+ { 0x02, 377, 0, 8, "brainpoolP160t1" }, /* 376 */
+ { 0x03, 378, 0, 8, "brainpoolP192r1" }, /* 377 */
+ { 0x04, 379, 0, 8, "brainpoolP192t1" }, /* 378 */
+ { 0x05, 380, 0, 8, "brainpoolP224r1" }, /* 379 */
+ { 0x06, 381, 0, 8, "brainpoolP224t1" }, /* 380 */
+ { 0x07, 382, 0, 8, "brainpoolP256r1" }, /* 381 */
+ { 0x08, 383, 0, 8, "brainpoolP256t1" }, /* 382 */
+ { 0x09, 384, 0, 8, "brainpoolP320r1" }, /* 383 */
+ { 0x0A, 385, 0, 8, "brainpoolP320t1" }, /* 384 */
+ { 0x0B, 386, 0, 8, "brainpoolP384r1" }, /* 385 */
+ { 0x0C, 387, 0, 8, "brainpoolP384t1" }, /* 386 */
+ { 0x0D, 388, 0, 8, "brainpoolP512r1" }, /* 387 */
+ { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 388 */
+ { 0x65, 392, 1, 1, "Thawte" }, /* 389 */
+ { 0x70, 391, 0, 2, "id-Ed25519" }, /* 390 */
+ { 0x71, 0, 0, 2, "id-Ed448" }, /* 391 */
+ { 0x81, 0, 1, 1, "" }, /* 392 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 393 */
+ { 0x00, 0, 1, 3, "curve" }, /* 394 */
+ { 0x01, 396, 0, 4, "sect163k1" }, /* 395 */
+ { 0x02, 397, 0, 4, "sect163r1" }, /* 396 */
+ { 0x03, 398, 0, 4, "sect239k1" }, /* 397 */
+ { 0x04, 399, 0, 4, "sect113r1" }, /* 398 */
+ { 0x05, 400, 0, 4, "sect113r2" }, /* 399 */
+ { 0x06, 401, 0, 4, "secp112r1" }, /* 400 */
+ { 0x07, 402, 0, 4, "secp112r2" }, /* 401 */
+ { 0x08, 403, 0, 4, "secp160r1" }, /* 402 */
+ { 0x09, 404, 0, 4, "secp160k1" }, /* 403 */
+ { 0x0A, 405, 0, 4, "secp256k1" }, /* 404 */
+ { 0x0F, 406, 0, 4, "sect163r2" }, /* 405 */
+ { 0x10, 407, 0, 4, "sect283k1" }, /* 406 */
+ { 0x11, 408, 0, 4, "sect283r1" }, /* 407 */
+ { 0x16, 409, 0, 4, "sect131r1" }, /* 408 */
+ { 0x17, 410, 0, 4, "sect131r2" }, /* 409 */
+ { 0x18, 411, 0, 4, "sect193r1" }, /* 410 */
+ { 0x19, 412, 0, 4, "sect193r2" }, /* 411 */
+ { 0x1A, 413, 0, 4, "sect233k1" }, /* 412 */
+ { 0x1B, 414, 0, 4, "sect233r1" }, /* 413 */
+ { 0x1C, 415, 0, 4, "secp128r1" }, /* 414 */
+ { 0x1D, 416, 0, 4, "secp128r2" }, /* 415 */
+ { 0x1E, 417, 0, 4, "secp160r2" }, /* 416 */
+ { 0x1F, 418, 0, 4, "secp192k1" }, /* 417 */
+ { 0x20, 419, 0, 4, "secp224k1" }, /* 418 */
+ { 0x21, 420, 0, 4, "secp224r1" }, /* 419 */
+ { 0x22, 421, 0, 4, "secp384r1" }, /* 420 */
+ { 0x23, 422, 0, 4, "secp521r1" }, /* 421 */
+ { 0x24, 423, 0, 4, "sect409k1" }, /* 422 */
+ { 0x25, 424, 0, 4, "sect409r1" }, /* 423 */
+ { 0x26, 425, 0, 4, "sect571k1" }, /* 424 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 425 */
+ {0x60, 489, 1, 0, "" }, /* 426 */
+ { 0x86, 0, 1, 1, "" }, /* 427 */
+ { 0x48, 0, 1, 2, "" }, /* 428 */
+ { 0x01, 0, 1, 3, "organization" }, /* 429 */
+ { 0x65, 465, 1, 4, "gov" }, /* 430 */
+ { 0x03, 0, 1, 5, "csor" }, /* 431 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 432 */
+ { 0x01, 443, 1, 7, "aes" }, /* 433 */
+ { 0x02, 435, 0, 8, "id-aes128-CBC" }, /* 434 */
+ { 0x06, 436, 0, 8, "id-aes128-GCM" }, /* 435 */
+ { 0x07, 437, 0, 8, "id-aes128-CCM" }, /* 436 */
+ { 0x16, 438, 0, 8, "id-aes192-CBC" }, /* 437 */
+ { 0x1A, 439, 0, 8, "id-aes192-GCM" }, /* 438 */
+ { 0x1B, 440, 0, 8, "id-aes192-CCM" }, /* 439 */
+ { 0x2A, 441, 0, 8, "id-aes256-CBC" }, /* 440 */
+ { 0x2E, 442, 0, 8, "id-aes256-GCM" }, /* 441 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 442 */
+ { 0x02, 456, 1, 7, "hashAlgs" }, /* 443 */
+ { 0x01, 445, 0, 8, "id-sha256" }, /* 444 */
+ { 0x02, 446, 0, 8, "id-sha384" }, /* 445 */
+ { 0x03, 447, 0, 8, "id-sha512" }, /* 446 */
+ { 0x04, 448, 0, 8, "id-sha224" }, /* 447 */
+ { 0x05, 449, 0, 8, "id-sha512-224" }, /* 448 */
+ { 0x06, 450, 0, 8, "id-sha512-256" }, /* 449 */
+ { 0x07, 451, 0, 8, "id-sha3-224" }, /* 450 */
+ { 0x08, 452, 0, 8, "id-sha3-256" }, /* 451 */
+ { 0x09, 453, 0, 8, "id-sha3-384" }, /* 452 */
+ { 0x0A, 454, 0, 8, "id-sha3-512" }, /* 453 */
+ { 0x0B, 455, 0, 8, "id-shake128" }, /* 454 */
+ { 0x0C, 0, 0, 8, "id-shake256" }, /* 455 */
+ { 0x03, 0, 1, 7, "sigAlgs" }, /* 456 */
+ { 0x09, 458, 0, 8, "id-ecdsa-with-sha3-224" }, /* 457 */
+ { 0x0A, 459, 0, 8, "id-ecdsa-with-sha3-256" }, /* 458 */
+ { 0x0B, 460, 0, 8, "id-ecdsa-with-sha3-384" }, /* 459 */
+ { 0x0C, 461, 0, 8, "id-ecdsa-with-sha3-512" }, /* 460 */
+ { 0x0D, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 461 */
+ { 0x0E, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 462 */
+ { 0x0F, 464, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 463 */
+ { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 464 */
+ { 0x86, 0, 1, 4, "" }, /* 465 */
+ { 0xf8, 0, 1, 5, "" }, /* 466 */
+ { 0x42, 479, 1, 6, "netscape" }, /* 467 */
+ { 0x01, 474, 1, 7, "" }, /* 468 */
+ { 0x01, 470, 0, 8, "nsCertType" }, /* 469 */
+ { 0x03, 471, 0, 8, "nsRevocationUrl" }, /* 470 */
+ { 0x04, 472, 0, 8, "nsCaRevocationUrl" }, /* 471 */
+ { 0x08, 473, 0, 8, "nsCaPolicyUrl" }, /* 472 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 473 */
+ { 0x03, 477, 1, 7, "directory" }, /* 474 */
+ { 0x01, 0, 1, 8, "" }, /* 475 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 476 */
+ { 0x04, 0, 1, 7, "policy" }, /* 477 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 478 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 479 */
+ { 0x01, 0, 1, 7, "pki" }, /* 480 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 481 */
+ { 0x02, 483, 0, 9, "messageType" }, /* 482 */
+ { 0x03, 484, 0, 9, "pkiStatus" }, /* 483 */
+ { 0x04, 485, 0, 9, "failInfo" }, /* 484 */
+ { 0x05, 486, 0, 9, "senderNonce" }, /* 485 */
+ { 0x06, 487, 0, 9, "recipientNonce" }, /* 486 */
+ { 0x07, 488, 0, 9, "transID" }, /* 487 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 488 */
+ {0x67, 0, 1, 0, "" }, /* 489 */
+ { 0x81, 0, 1, 1, "" }, /* 490 */
+ { 0x05, 0, 1, 2, "" }, /* 491 */
+ { 0x02, 0, 1, 3, "tcg-attribute" }, /* 492 */
+ { 0x01, 494, 0, 4, "tcg-at-tpmManufacturer" }, /* 493 */
+ { 0x02, 495, 0, 4, "tcg-at-tpmModel" }, /* 494 */
+ { 0x03, 496, 0, 4, "tcg-at-tpmVersion" }, /* 495 */
+ { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 496 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 0e9b7ea24..230fe2f87 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -167,110 +167,110 @@ extern const oid_t oid_names[];
#define OID_BLOWFISH_CBC 247
#define OID_AUTHORITY_INFO_ACCESS 291
#define OID_IP_ADDR_BLOCKS 293
-#define OID_POLICY_QUALIFIER_CPS 295
-#define OID_POLICY_QUALIFIER_UNOTICE 296
-#define OID_SERVER_AUTH 298
-#define OID_CLIENT_AUTH 299
-#define OID_OCSP_SIGNING 306
-#define OID_XMPP_ADDR 312
-#define OID_AUTHENTICATION_INFO 316
-#define OID_ACCESS_IDENTITY 317
-#define OID_CHARGING_IDENTITY 318
-#define OID_GROUP 319
-#define OID_OCSP 322
-#define OID_BASIC 323
-#define OID_NONCE 324
-#define OID_CRL 325
-#define OID_RESPONSE 326
-#define OID_NO_CHECK 327
-#define OID_ARCHIVE_CUTOFF 328
-#define OID_SERVICE_LOCATOR 329
-#define OID_CA_ISSUERS 330
-#define OID_IKE_INTERMEDIATE 335
-#define OID_DES_CBC 339
-#define OID_SHA1 340
-#define OID_SHA1_WITH_RSA_OIW 341
-#define OID_ECGDSA_PUBKEY 360
-#define OID_ECGDSA_SIG_WITH_RIPEMD160 363
-#define OID_ECGDSA_SIG_WITH_SHA1 364
-#define OID_ECGDSA_SIG_WITH_SHA224 365
-#define OID_ECGDSA_SIG_WITH_SHA256 366
-#define OID_ECGDSA_SIG_WITH_SHA384 367
-#define OID_ECGDSA_SIG_WITH_SHA512 368
-#define OID_ED25519 389
-#define OID_ED448 390
-#define OID_SECT163K1 394
-#define OID_SECT163R1 395
-#define OID_SECT239K1 396
-#define OID_SECT113R1 397
-#define OID_SECT113R2 398
-#define OID_SECT112R1 399
-#define OID_SECT112R2 400
-#define OID_SECT160R1 401
-#define OID_SECT160K1 402
-#define OID_SECT256K1 403
-#define OID_SECT163R2 404
-#define OID_SECT283K1 405
-#define OID_SECT283R1 406
-#define OID_SECT131R1 407
-#define OID_SECT131R2 408
-#define OID_SECT193R1 409
-#define OID_SECT193R2 410
-#define OID_SECT233K1 411
-#define OID_SECT233R1 412
-#define OID_SECT128R1 413
-#define OID_SECT128R2 414
-#define OID_SECT160R2 415
-#define OID_SECT192K1 416
-#define OID_SECT224K1 417
-#define OID_SECT224R1 418
-#define OID_SECT384R1 419
-#define OID_SECT521R1 420
-#define OID_SECT409K1 421
-#define OID_SECT409R1 422
-#define OID_SECT571K1 423
-#define OID_SECT571R1 424
-#define OID_AES128_CBC 433
-#define OID_AES128_GCM 434
-#define OID_AES128_CCM 435
-#define OID_AES192_CBC 436
-#define OID_AES192_GCM 437
-#define OID_AES192_CCM 438
-#define OID_AES256_CBC 439
-#define OID_AES256_GCM 440
-#define OID_AES256_CCM 441
-#define OID_SHA256 443
-#define OID_SHA384 444
-#define OID_SHA512 445
-#define OID_SHA224 446
-#define OID_SHA3_224 449
-#define OID_SHA3_256 450
-#define OID_SHA3_384 451
-#define OID_SHA3_512 452
-#define OID_ECDSA_WITH_SHA3_224 456
-#define OID_ECDSA_WITH_SHA3_256 457
-#define OID_ECDSA_WITH_SHA3_384 458
-#define OID_ECDSA_WITH_SHA3_512 459
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 460
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 461
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 462
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 463
-#define OID_NS_REVOCATION_URL 469
-#define OID_NS_CA_REVOCATION_URL 470
-#define OID_NS_CA_POLICY_URL 471
-#define OID_NS_COMMENT 472
-#define OID_EMPLOYEE_NUMBER 475
-#define OID_PKI_MESSAGE_TYPE 481
-#define OID_PKI_STATUS 482
-#define OID_PKI_FAIL_INFO 483
-#define OID_PKI_SENDER_NONCE 484
-#define OID_PKI_RECIPIENT_NONCE 485
-#define OID_PKI_TRANS_ID 486
-#define OID_TPM_MANUFACTURER 492
-#define OID_TPM_MODEL 493
-#define OID_TPM_VERSION 494
-#define OID_TPM_ID_LABEL 495
+#define OID_POLICY_QUALIFIER_CPS 296
+#define OID_POLICY_QUALIFIER_UNOTICE 297
+#define OID_SERVER_AUTH 299
+#define OID_CLIENT_AUTH 300
+#define OID_OCSP_SIGNING 307
+#define OID_XMPP_ADDR 313
+#define OID_AUTHENTICATION_INFO 317
+#define OID_ACCESS_IDENTITY 318
+#define OID_CHARGING_IDENTITY 319
+#define OID_GROUP 320
+#define OID_OCSP 323
+#define OID_BASIC 324
+#define OID_NONCE 325
+#define OID_CRL 326
+#define OID_RESPONSE 327
+#define OID_NO_CHECK 328
+#define OID_ARCHIVE_CUTOFF 329
+#define OID_SERVICE_LOCATOR 330
+#define OID_CA_ISSUERS 331
+#define OID_IKE_INTERMEDIATE 336
+#define OID_DES_CBC 340
+#define OID_SHA1 341
+#define OID_SHA1_WITH_RSA_OIW 342
+#define OID_ECGDSA_PUBKEY 361
+#define OID_ECGDSA_SIG_WITH_RIPEMD160 364
+#define OID_ECGDSA_SIG_WITH_SHA1 365
+#define OID_ECGDSA_SIG_WITH_SHA224 366
+#define OID_ECGDSA_SIG_WITH_SHA256 367
+#define OID_ECGDSA_SIG_WITH_SHA384 368
+#define OID_ECGDSA_SIG_WITH_SHA512 369
+#define OID_ED25519 390
+#define OID_ED448 391
+#define OID_SECT163K1 395
+#define OID_SECT163R1 396
+#define OID_SECT239K1 397
+#define OID_SECT113R1 398
+#define OID_SECT113R2 399
+#define OID_SECT112R1 400
+#define OID_SECT112R2 401
+#define OID_SECT160R1 402
+#define OID_SECT160K1 403
+#define OID_SECT256K1 404
+#define OID_SECT163R2 405
+#define OID_SECT283K1 406
+#define OID_SECT283R1 407
+#define OID_SECT131R1 408
+#define OID_SECT131R2 409
+#define OID_SECT193R1 410
+#define OID_SECT193R2 411
+#define OID_SECT233K1 412
+#define OID_SECT233R1 413
+#define OID_SECT128R1 414
+#define OID_SECT128R2 415
+#define OID_SECT160R2 416
+#define OID_SECT192K1 417
+#define OID_SECT224K1 418
+#define OID_SECT224R1 419
+#define OID_SECT384R1 420
+#define OID_SECT521R1 421
+#define OID_SECT409K1 422
+#define OID_SECT409R1 423
+#define OID_SECT571K1 424
+#define OID_SECT571R1 425
+#define OID_AES128_CBC 434
+#define OID_AES128_GCM 435
+#define OID_AES128_CCM 436
+#define OID_AES192_CBC 437
+#define OID_AES192_GCM 438
+#define OID_AES192_CCM 439
+#define OID_AES256_CBC 440
+#define OID_AES256_GCM 441
+#define OID_AES256_CCM 442
+#define OID_SHA256 444
+#define OID_SHA384 445
+#define OID_SHA512 446
+#define OID_SHA224 447
+#define OID_SHA3_224 450
+#define OID_SHA3_256 451
+#define OID_SHA3_384 452
+#define OID_SHA3_512 453
+#define OID_ECDSA_WITH_SHA3_224 457
+#define OID_ECDSA_WITH_SHA3_256 458
+#define OID_ECDSA_WITH_SHA3_384 459
+#define OID_ECDSA_WITH_SHA3_512 460
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 461
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 462
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 463
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 464
+#define OID_NS_REVOCATION_URL 470
+#define OID_NS_CA_REVOCATION_URL 471
+#define OID_NS_CA_POLICY_URL 472
+#define OID_NS_COMMENT 473
+#define OID_EMPLOYEE_NUMBER 476
+#define OID_PKI_MESSAGE_TYPE 482
+#define OID_PKI_STATUS 483
+#define OID_PKI_FAIL_INFO 484
+#define OID_PKI_SENDER_NONCE 485
+#define OID_PKI_RECIPIENT_NONCE 486
+#define OID_PKI_TRANS_ID 487
+#define OID_TPM_MANUFACTURER 493
+#define OID_TPM_MODEL 494
+#define OID_TPM_VERSION 495
+#define OID_TPM_ID_LABEL 496
-#define OID_MAX 496
+#define OID_MAX 497
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 9583baa5e..369f6f899 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -292,6 +292,7 @@
0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS
0x03 "qcStatements"
0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS
+ 0x18 "tlsfeature"
0x02 "id-qt"
0x01 "cps" OID_POLICY_QUALIFIER_CPS
0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index 246b9a5c5..c99cb836b 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -195,7 +195,7 @@ struct linked_list_t {
* If a linked list contains objects with function pointers,
* invoke() can call a method on each of the objects. The
* method is specified by an offset of the function pointer,
- * which can be evalutated at compile time using the offsetof
+ * which can be evaluated at compile time using the offsetof
* macro, e.g.: list->invoke(list, offsetof(object_t, method));
*
* @param offset offset of the method to invoke on objects
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index d1be7b401..278c67405 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -73,9 +73,6 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
- case AUTH_RULE_RSA_STRENGTH:
- case AUTH_RULE_ECDSA_STRENGTH:
- case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_IDENTITY:
case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_EAP_IDENTITY:
@@ -94,6 +91,9 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_CERT_POLICY:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
case AUTH_RULE_IKE_SIGNATURE_SCHEME:
case AUTH_HELPER_IM_CERT:
@@ -737,8 +737,8 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
}
enumerator->destroy(enumerator);
- /* if no explicit IKE signature contraints were added we add them for all
- * configured signature contraints */
+ /* if no explicit IKE signature constraints were added we add them for all
+ * configured signature constraints */
if (ike && !ike_added &&
lib->settings->get_bool(lib->settings,
"%s.signature_authentication_constraints", TRUE,
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 303816391..d6523821e 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -39,7 +39,7 @@ struct private_cred_encoding_t {
hashtable_t *cache[CRED_ENCODING_MAX];
/**
- * Registered encoding fuctions, cred_encoder_t
+ * Registered encoding functions, cred_encoder_t
*/
linked_list_t *encoders;
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index 6b4d22e7b..8f42fb940 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -280,13 +280,17 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
case RSASSA_PSS_PARAMS_MGF_ALG:
if (object.len)
{
- chunk_t hash;
+ chunk_t hash = chunk_empty;
alg = asn1_parse_algorithmIdentifier(object, level, &hash);
if (alg != OID_MGF1)
{
goto end;
}
+ if (!hash.len)
+ {
+ goto end;
+ }
alg = asn1_parse_algorithmIdentifier(hash, level+1, NULL);
params->mgf1_hash = hasher_algorithm_from_oid(alg);
if (params->mgf1_hash == HASH_UNKNOWN)
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 0e64f0350..f1579c60a 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -239,7 +239,7 @@ METHOD(cert_cache_t, issued_by, bool,
}
/**
- * certificate enumerator implemenation
+ * certificate enumerator implementation
*/
typedef struct {
/** implements enumerator_t interface */
diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c
new file mode 100644
index 000000000..bb0a02b59
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal.c
@@ -0,0 +1,1134 @@
+/*
+ * Copyright (C) 2008-2018 Tobias Brunner
+ * Copyright (C) 2006-2010 Martin Willi
+ * Copyright (C) 2013-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "proposal.h"
+
+#include <collections/array.h>
+#include <utils/identification.h>
+
+#include <crypto/transform.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+
+ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
+ "PROTO_NONE",
+ "IKE",
+ "AH",
+ "ESP",
+ "IPCOMP",
+);
+
+typedef struct private_proposal_t private_proposal_t;
+
+/**
+ * Private data of an proposal_t object
+ */
+struct private_proposal_t {
+
+ /**
+ * Public part
+ */
+ proposal_t public;
+
+ /**
+ * protocol (ESP or AH)
+ */
+ protocol_id_t protocol;
+
+ /**
+ * Priority ordered list of transforms, as entry_t
+ */
+ array_t *transforms;
+
+ /**
+ * senders SPI
+ */
+ uint64_t spi;
+
+ /**
+ * Proposal number
+ */
+ u_int number;
+};
+
+/**
+ * Struct used to store different kinds of algorithms.
+ */
+typedef struct {
+ /** Type of the transform */
+ transform_type_t type;
+ /** algorithm identifier */
+ uint16_t alg;
+ /** key size in bits, or zero if not needed */
+ uint16_t key_size;
+} entry_t;
+
+METHOD(proposal_t, add_algorithm, void,
+ private_proposal_t *this, transform_type_t type,
+ uint16_t alg, uint16_t key_size)
+{
+ entry_t entry = {
+ .type = type,
+ .alg = alg,
+ .key_size = key_size,
+ };
+
+ array_insert(this->transforms, ARRAY_TAIL, &entry);
+}
+
+CALLBACK(alg_filter, bool,
+ uintptr_t type, enumerator_t *orig, va_list args)
+{
+ entry_t *entry;
+ uint16_t *alg, *key_size;
+
+ VA_ARGS_VGET(args, alg, key_size);
+
+ while (orig->enumerate(orig, &entry))
+ {
+ if (entry->type != type)
+ {
+ continue;
+ }
+ if (alg)
+ {
+ *alg = entry->alg;
+ }
+ if (key_size)
+ {
+ *key_size = entry->key_size;
+ }
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(proposal_t, create_enumerator, enumerator_t*,
+ private_proposal_t *this, transform_type_t type)
+{
+ return enumerator_create_filter(
+ array_create_enumerator(this->transforms),
+ alg_filter, (void*)(uintptr_t)type, NULL);
+}
+
+METHOD(proposal_t, get_algorithm, bool,
+ private_proposal_t *this, transform_type_t type,
+ uint16_t *alg, uint16_t *key_size)
+{
+ enumerator_t *enumerator;
+ bool found = FALSE;
+
+ enumerator = create_enumerator(this, type);
+ if (enumerator->enumerate(enumerator, alg, key_size))
+ {
+ found = TRUE;
+ }
+ enumerator->destroy(enumerator);
+
+ return found;
+}
+
+METHOD(proposal_t, has_dh_group, bool,
+ private_proposal_t *this, diffie_hellman_group_t group)
+{
+ bool found = FALSE, any = FALSE;
+ enumerator_t *enumerator;
+ uint16_t current;
+
+ enumerator = create_enumerator(this, DIFFIE_HELLMAN_GROUP);
+ while (enumerator->enumerate(enumerator, &current, NULL))
+ {
+ any = TRUE;
+ if (current == group)
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!any && group == MODP_NONE)
+ {
+ found = TRUE;
+ }
+ return found;
+}
+
+METHOD(proposal_t, promote_dh_group, bool,
+ private_proposal_t *this, diffie_hellman_group_t group)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool found = FALSE;
+
+ enumerator = array_create_enumerator(this->transforms);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->type == DIFFIE_HELLMAN_GROUP &&
+ entry->alg == group)
+ {
+ array_remove_at(this->transforms, enumerator);
+ found = TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (found)
+ {
+ entry_t entry = {
+ .type = DIFFIE_HELLMAN_GROUP,
+ .alg = group,
+ };
+ array_insert(this->transforms, ARRAY_HEAD, &entry);
+ }
+ return found;
+}
+
+METHOD(proposal_t, strip_dh, void,
+ private_proposal_t *this, diffie_hellman_group_t keep)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+
+ enumerator = array_create_enumerator(this->transforms);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->type == DIFFIE_HELLMAN_GROUP &&
+ entry->alg != keep)
+ {
+ array_remove_at(this->transforms, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Select a matching proposal from this and other, insert into selected.
+ */
+static bool select_algo(private_proposal_t *this, proposal_t *other,
+ proposal_t *selected, transform_type_t type, bool priv)
+{
+ enumerator_t *e1, *e2;
+ uint16_t alg1, alg2, ks1, ks2;
+ bool found = FALSE, optional = FALSE;
+
+ if (type == INTEGRITY_ALGORITHM &&
+ selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) &&
+ encryption_algorithm_is_aead(alg1))
+ {
+ /* no integrity algorithm required, we have an AEAD */
+ return TRUE;
+ }
+ if (type == DIFFIE_HELLMAN_GROUP)
+ {
+ optional = this->protocol == PROTO_ESP || this->protocol == PROTO_AH;
+ }
+
+ e1 = create_enumerator(this, type);
+ e2 = other->create_enumerator(other, type);
+ if (!e1->enumerate(e1, &alg1, NULL))
+ {
+ if (!e2->enumerate(e2, &alg2, NULL))
+ {
+ found = TRUE;
+ }
+ else if (optional)
+ {
+ do
+ { /* if NONE is proposed, we accept the proposal */
+ found = !alg2;
+ }
+ while (!found && e2->enumerate(e2, &alg2, NULL));
+ }
+ }
+ else if (!e2->enumerate(e2, NULL, NULL))
+ {
+ if (optional)
+ {
+ do
+ { /* if NONE is proposed, we accept the proposal */
+ found = !alg1;
+ }
+ while (!found && e1->enumerate(e1, &alg1, NULL));
+ }
+ }
+
+ e1->destroy(e1);
+ e1 = create_enumerator(this, type);
+ /* compare algs, order of algs in "first" is preferred */
+ while (!found && e1->enumerate(e1, &alg1, &ks1))
+ {
+ e2->destroy(e2);
+ e2 = other->create_enumerator(other, type);
+ while (e2->enumerate(e2, &alg2, &ks2))
+ {
+ if (alg1 == alg2 && ks1 == ks2)
+ {
+ if (!priv && alg1 >= 1024)
+ {
+ /* accept private use algorithms only if requested */
+ DBG1(DBG_CFG, "an algorithm from private space would match, "
+ "but peer implementation is unknown, skipped");
+ continue;
+ }
+ selected->add_algorithm(selected, type, alg1, ks1);
+ found = TRUE;
+ break;
+ }
+ }
+ }
+ /* no match in all comparisons */
+ e1->destroy(e1);
+ e2->destroy(e2);
+
+ if (!found)
+ {
+ DBG2(DBG_CFG, " no acceptable %N found", transform_type_names, type);
+ }
+ return found;
+}
+
+METHOD(proposal_t, select_proposal, proposal_t*,
+ private_proposal_t *this, proposal_t *other, bool other_remote,
+ bool private)
+{
+ proposal_t *selected;
+
+ DBG2(DBG_CFG, "selecting proposal:");
+
+ if (this->protocol != other->get_protocol(other))
+ {
+ DBG2(DBG_CFG, " protocol mismatch, skipping");
+ return NULL;
+ }
+
+ if (other_remote)
+ {
+ selected = proposal_create(this->protocol, other->get_number(other));
+ selected->set_spi(selected, other->get_spi(other));
+ }
+ else
+ {
+ selected = proposal_create(this->protocol, this->number);
+ selected->set_spi(selected, this->spi);
+
+ }
+
+ if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) ||
+ !select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) ||
+ !select_algo(this, other, selected, INTEGRITY_ALGORITHM, private) ||
+ !select_algo(this, other, selected, DIFFIE_HELLMAN_GROUP, private) ||
+ !select_algo(this, other, selected, EXTENDED_SEQUENCE_NUMBERS, private))
+ {
+ selected->destroy(selected);
+ return NULL;
+ }
+
+ DBG2(DBG_CFG, " proposal matches");
+ return selected;
+}
+
+METHOD(proposal_t, get_protocol, protocol_id_t,
+ private_proposal_t *this)
+{
+ return this->protocol;
+}
+
+METHOD(proposal_t, set_spi, void,
+ private_proposal_t *this, uint64_t spi)
+{
+ this->spi = spi;
+}
+
+METHOD(proposal_t, get_spi, uint64_t,
+ private_proposal_t *this)
+{
+ return this->spi;
+}
+
+/**
+ * Check if two proposals have the same algorithms for a given transform type
+ */
+static bool algo_list_equals(private_proposal_t *this, proposal_t *other,
+ transform_type_t type)
+{
+ enumerator_t *e1, *e2;
+ uint16_t alg1, alg2, ks1, ks2;
+ bool equals = TRUE;
+
+ e1 = create_enumerator(this, type);
+ e2 = other->create_enumerator(other, type);
+ while (e1->enumerate(e1, &alg1, &ks1))
+ {
+ if (!e2->enumerate(e2, &alg2, &ks2))
+ {
+ /* this has more algs */
+ equals = FALSE;
+ break;
+ }
+ if (alg1 != alg2 || ks1 != ks2)
+ {
+ equals = FALSE;
+ break;
+ }
+ }
+ if (e2->enumerate(e2, &alg2, &ks2))
+ {
+ /* other has more algs */
+ equals = FALSE;
+ }
+ e1->destroy(e1);
+ e2->destroy(e2);
+
+ return equals;
+}
+
+METHOD(proposal_t, get_number, u_int,
+ private_proposal_t *this)
+{
+ return this->number;
+}
+
+METHOD(proposal_t, equals, bool,
+ private_proposal_t *this, proposal_t *other)
+{
+ if (&this->public == other)
+ {
+ return TRUE;
+ }
+ return (
+ algo_list_equals(this, other, ENCRYPTION_ALGORITHM) &&
+ algo_list_equals(this, other, INTEGRITY_ALGORITHM) &&
+ algo_list_equals(this, other, PSEUDO_RANDOM_FUNCTION) &&
+ algo_list_equals(this, other, DIFFIE_HELLMAN_GROUP) &&
+ algo_list_equals(this, other, EXTENDED_SEQUENCE_NUMBERS));
+}
+
+METHOD(proposal_t, clone_, proposal_t*,
+ private_proposal_t *this)
+{
+ private_proposal_t *clone;
+ enumerator_t *enumerator;
+ entry_t *entry;
+
+ clone = (private_proposal_t*)proposal_create(this->protocol, 0);
+
+ enumerator = array_create_enumerator(this->transforms);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ array_insert(clone->transforms, ARRAY_TAIL, entry);
+ }
+ enumerator->destroy(enumerator);
+
+ clone->spi = this->spi;
+ clone->number = this->number;
+
+ return &clone->public;
+}
+
+/**
+ * Map integrity algorithms to the PRF functions using the same algorithm.
+ */
+static const struct {
+ integrity_algorithm_t integ;
+ pseudo_random_function_t prf;
+} integ_prf_map[] = {
+ {AUTH_HMAC_SHA1_96, PRF_HMAC_SHA1 },
+ {AUTH_HMAC_SHA1_160, PRF_HMAC_SHA1 },
+ {AUTH_HMAC_SHA2_256_128, PRF_HMAC_SHA2_256 },
+ {AUTH_HMAC_SHA2_384_192, PRF_HMAC_SHA2_384 },
+ {AUTH_HMAC_SHA2_512_256, PRF_HMAC_SHA2_512 },
+ {AUTH_HMAC_MD5_96, PRF_HMAC_MD5 },
+ {AUTH_HMAC_MD5_128, PRF_HMAC_MD5 },
+ {AUTH_AES_XCBC_96, PRF_AES128_XCBC },
+ {AUTH_CAMELLIA_XCBC_96, PRF_CAMELLIA128_XCBC },
+ {AUTH_AES_CMAC_96, PRF_AES128_CMAC },
+};
+
+/**
+ * Remove all entries of the given transform type
+ */
+static void remove_transform(private_proposal_t *this, transform_type_t type)
+{
+ enumerator_t *e;
+ entry_t *entry;
+
+ e = array_create_enumerator(this->transforms);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->type == type)
+ {
+ array_remove_at(this->transforms, e);
+ }
+ }
+ e->destroy(e);
+}
+
+/**
+ * Checks the proposal read from a string.
+ */
+static bool check_proposal(private_proposal_t *this)
+{
+ enumerator_t *e;
+ entry_t *entry;
+ uint16_t alg, ks;
+ bool all_aead = TRUE, any_aead = FALSE, any_enc = FALSE;
+ int i;
+
+ if (this->protocol == PROTO_IKE)
+ {
+ if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL))
+ { /* No explicit PRF found. We assume the same algorithm as used
+ * for integrity checking. */
+ e = create_enumerator(this, INTEGRITY_ALGORITHM);
+ while (e->enumerate(e, &alg, &ks))
+ {
+ for (i = 0; i < countof(integ_prf_map); i++)
+ {
+ if (alg == integ_prf_map[i].integ)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION,
+ integ_prf_map[i].prf, 0);
+ break;
+ }
+ }
+ }
+ e->destroy(e);
+ }
+ if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL))
+ {
+ DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals");
+ return FALSE;
+ }
+ /* remove MODP_NONE from IKE proposal */
+ e = array_create_enumerator(this->transforms);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->type == DIFFIE_HELLMAN_GROUP && !entry->alg)
+ {
+ array_remove_at(this->transforms, e);
+ }
+ }
+ e->destroy(e);
+ if (!get_algorithm(this, DIFFIE_HELLMAN_GROUP, NULL, NULL))
+ {
+ DBG1(DBG_CFG, "a DH group is mandatory in IKE proposals");
+ return FALSE;
+ }
+ }
+ else
+ { /* remove PRFs from ESP/AH proposals */
+ remove_transform(this, PSEUDO_RANDOM_FUNCTION);
+ }
+
+ if (this->protocol == PROTO_IKE || this->protocol == PROTO_ESP)
+ {
+ e = create_enumerator(this, ENCRYPTION_ALGORITHM);
+ while (e->enumerate(e, &alg, &ks))
+ {
+ any_enc = TRUE;
+ if (encryption_algorithm_is_aead(alg))
+ {
+ any_aead = TRUE;
+ continue;
+ }
+ all_aead = FALSE;
+ }
+ e->destroy(e);
+
+ if (!any_enc)
+ {
+ DBG1(DBG_CFG, "an encryption algorithm is mandatory in %N proposals",
+ protocol_id_names, this->protocol);
+ return FALSE;
+ }
+ else if (any_aead && !all_aead)
+ {
+ DBG1(DBG_CFG, "classic and combined-mode (AEAD) encryption "
+ "algorithms can't be contained in the same %N proposal",
+ protocol_id_names, this->protocol);
+ return FALSE;
+ }
+ else if (all_aead)
+ { /* if all encryption algorithms in the proposal are AEADs,
+ * we MUST NOT propose any integrity algorithms */
+ remove_transform(this, INTEGRITY_ALGORITHM);
+ }
+ }
+ else
+ { /* AES-GMAC is parsed as encryption algorithm, so we map that to the
+ * proper integrity algorithm */
+ e = array_create_enumerator(this->transforms);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->type == ENCRYPTION_ALGORITHM)
+ {
+ if (entry->alg == ENCR_NULL_AUTH_AES_GMAC)
+ {
+ entry->type = INTEGRITY_ALGORITHM;
+ ks = entry->key_size;
+ entry->key_size = 0;
+ switch (ks)
+ {
+ case 128:
+ entry->alg = AUTH_AES_128_GMAC;
+ continue;
+ case 192:
+ entry->alg = AUTH_AES_192_GMAC;
+ continue;
+ case 256:
+ entry->alg = AUTH_AES_256_GMAC;
+ continue;
+ default:
+ break;
+ }
+ }
+ /* remove all other encryption algorithms */
+ array_remove_at(this->transforms, e);
+ }
+ }
+ e->destroy(e);
+
+ if (!get_algorithm(this, INTEGRITY_ALGORITHM, NULL, NULL))
+ {
+ DBG1(DBG_CFG, "an integrity algorithm is mandatory in AH "
+ "proposals");
+ return FALSE;
+ }
+ }
+
+ if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
+ {
+ if (!get_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NULL, NULL))
+ { /* ESN not specified, assume not supported */
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ }
+ }
+
+ array_compress(this->transforms);
+ return TRUE;
+}
+
+/**
+ * add a algorithm identified by a string to the proposal.
+ */
+static bool add_string_algo(private_proposal_t *this, const char *alg)
+{
+ const proposal_token_t *token;
+
+ token = lib->proposal->get_token(lib->proposal, alg);
+ if (token == NULL)
+ {
+ DBG1(DBG_CFG, "algorithm '%s' not recognized", alg);
+ return FALSE;
+ }
+
+ add_algorithm(this, token->type, token->algorithm, token->keysize);
+
+ return TRUE;
+}
+
+/**
+ * print all algorithms of a kind to buffer
+ */
+static int print_alg(private_proposal_t *this, printf_hook_data_t *data,
+ u_int kind, void *names, bool *first)
+{
+ enumerator_t *enumerator;
+ size_t written = 0;
+ uint16_t alg, size;
+
+ enumerator = create_enumerator(this, kind);
+ while (enumerator->enumerate(enumerator, &alg, &size))
+ {
+ if (*first)
+ {
+ written += print_in_hook(data, "%N", names, alg);
+ *first = FALSE;
+ }
+ else
+ {
+ written += print_in_hook(data, "/%N", names, alg);
+ }
+ if (size)
+ {
+ written += print_in_hook(data, "_%u", size);
+ }
+ }
+ enumerator->destroy(enumerator);
+ return written;
+}
+
+/**
+ * Described in header.
+ */
+int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+ const void *const *args)
+{
+ private_proposal_t *this = *((private_proposal_t**)(args[0]));
+ linked_list_t *list = *((linked_list_t**)(args[0]));
+ enumerator_t *enumerator;
+ size_t written = 0;
+ bool first = TRUE;
+
+ if (this == NULL)
+ {
+ return print_in_hook(data, "(null)");
+ }
+
+ if (spec->hash)
+ {
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &this))
+ { /* call recursively */
+ if (first)
+ {
+ written += print_in_hook(data, "%P", this);
+ first = FALSE;
+ }
+ else
+ {
+ written += print_in_hook(data, ", %P", this);
+ }
+ }
+ enumerator->destroy(enumerator);
+ return written;
+ }
+
+ written = print_in_hook(data, "%N:", protocol_id_names, this->protocol);
+ written += print_alg(this, data, ENCRYPTION_ALGORITHM,
+ encryption_algorithm_names, &first);
+ written += print_alg(this, data, INTEGRITY_ALGORITHM,
+ integrity_algorithm_names, &first);
+ written += print_alg(this, data, PSEUDO_RANDOM_FUNCTION,
+ pseudo_random_function_names, &first);
+ written += print_alg(this, data, DIFFIE_HELLMAN_GROUP,
+ diffie_hellman_group_names, &first);
+ written += print_alg(this, data, EXTENDED_SEQUENCE_NUMBERS,
+ extended_sequence_numbers_names, &first);
+ return written;
+}
+
+METHOD(proposal_t, destroy, void,
+ private_proposal_t *this)
+{
+ array_destroy(this->transforms);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+proposal_t *proposal_create(protocol_id_t protocol, u_int number)
+{
+ private_proposal_t *this;
+
+ INIT(this,
+ .public = {
+ .add_algorithm = _add_algorithm,
+ .create_enumerator = _create_enumerator,
+ .get_algorithm = _get_algorithm,
+ .has_dh_group = _has_dh_group,
+ .promote_dh_group = _promote_dh_group,
+ .strip_dh = _strip_dh,
+ .select = _select_proposal,
+ .get_protocol = _get_protocol,
+ .set_spi = _set_spi,
+ .get_spi = _get_spi,
+ .get_number = _get_number,
+ .equals = _equals,
+ .clone = _clone_,
+ .destroy = _destroy,
+ },
+ .protocol = protocol,
+ .number = number,
+ .transforms = array_create(sizeof(entry_t), 0),
+ );
+
+ return &this->public;
+}
+
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
+{
+ enumerator_t *enumerator;
+ encryption_algorithm_t encryption;
+ integrity_algorithm_t integrity;
+ pseudo_random_function_t prf;
+ diffie_hellman_group_t group;
+ const char *plugin_name;
+
+ if (aead)
+ {
+ /* Round 1 adds algorithms with at least 128 bit security strength */
+ enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+ {
+ switch (encryption)
+ {
+ case ENCR_AES_GCM_ICV16:
+ case ENCR_AES_CCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV16:
+ /* we assume that we support all AES/Camellia sizes */
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ case ENCR_CHACHA20_POLY1305:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 2 adds algorithms with less than 128 bit security strength */
+ enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+ {
+ switch (encryption)
+ {
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV8:
+ /* we assume that we support all AES/Camellia sizes */
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!array_count(this->transforms))
+ {
+ return FALSE;
+ }
+ }
+ else
+ {
+ /* Round 1 adds algorithms with at least 128 bit security strength */
+ enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+ {
+ switch (encryption)
+ {
+ case ENCR_AES_CBC:
+ case ENCR_AES_CTR:
+ case ENCR_CAMELLIA_CBC:
+ case ENCR_CAMELLIA_CTR:
+ /* we assume that we support all AES/Camellia sizes */
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 2 adds algorithms with less than 128 bit security strength */
+ enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+ {
+ switch (encryption)
+ {
+ case ENCR_3DES:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+ break;
+ case ENCR_DES:
+ /* no, thanks */
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!array_count(this->transforms))
+ {
+ return FALSE;
+ }
+
+ /* Round 1 adds algorithms with at least 128 bit security strength */
+ enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+ {
+ switch (integrity)
+ {
+ case AUTH_HMAC_SHA2_256_128:
+ case AUTH_HMAC_SHA2_384_192:
+ case AUTH_HMAC_SHA2_512_256:
+ add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 2 adds algorithms with less than 128 bit security strength */
+ enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+ {
+ switch (integrity)
+ {
+ case AUTH_AES_XCBC_96:
+ case AUTH_AES_CMAC_96:
+ case AUTH_HMAC_SHA1_96:
+ add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+ break;
+ case AUTH_HMAC_MD5_96:
+ /* no, thanks */
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ /* Round 1 adds algorithms with at least 128 bit security strength */
+ enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &prf, &plugin_name))
+ {
+ switch (prf)
+ {
+ case PRF_HMAC_SHA2_256:
+ case PRF_HMAC_SHA2_384:
+ case PRF_HMAC_SHA2_512:
+ case PRF_AES128_XCBC:
+ case PRF_AES128_CMAC:
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 2 adds algorithms with less than 128 bit security strength */
+ enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &prf, &plugin_name))
+ {
+ switch (prf)
+ {
+ case PRF_HMAC_SHA1:
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+ break;
+ case PRF_HMAC_MD5:
+ /* no, thanks */
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 1 adds ECC and NTRU algorithms with at least 128 bit security strength */
+ enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &group, &plugin_name))
+ {
+ switch (group)
+ {
+ case ECP_256_BIT:
+ case ECP_384_BIT:
+ case ECP_521_BIT:
+ case ECP_256_BP:
+ case ECP_384_BP:
+ case ECP_512_BP:
+ case CURVE_25519:
+ case CURVE_448:
+ case NTRU_128_BIT:
+ case NTRU_192_BIT:
+ case NTRU_256_BIT:
+ case NH_128_BIT:
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 2 adds other algorithms with at least 128 bit security strength */
+ enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &group, &plugin_name))
+ {
+ switch (group)
+ {
+ case MODP_3072_BIT:
+ case MODP_4096_BIT:
+ case MODP_6144_BIT:
+ case MODP_8192_BIT:
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* Round 3 adds algorithms with less than 128 bit security strength */
+ enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &group, &plugin_name))
+ {
+ switch (group)
+ {
+ case MODP_NULL:
+ /* only for testing purposes */
+ break;
+ case MODP_768_BIT:
+ case MODP_1024_BIT:
+ case MODP_1536_BIT:
+ /* weak */
+ break;
+ case MODP_1024_160:
+ case MODP_2048_224:
+ case MODP_2048_256:
+ /* RFC 5114 primes are of questionable source */
+ break;
+ case ECP_224_BIT:
+ case ECP_224_BP:
+ case ECP_192_BIT:
+ case NTRU_112_BIT:
+ /* rarely used */
+ break;
+ case MODP_2048_BIT:
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return TRUE;
+}
+
+/*
+ * Described in header
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol)
+{
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
+
+ switch (protocol)
+ {
+ case PROTO_IKE:
+ if (!proposal_add_supported_ike(this, FALSE))
+ {
+ destroy(this);
+ return NULL;
+ }
+ break;
+ case PROTO_ESP:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ break;
+ case PROTO_AH:
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ break;
+ default:
+ break;
+ }
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+proposal_t *proposal_create_default_aead(protocol_id_t protocol)
+{
+ private_proposal_t *this;
+
+ switch (protocol)
+ {
+ case PROTO_IKE:
+ this = (private_proposal_t*)proposal_create(protocol, 0);
+ if (!proposal_add_supported_ike(this, TRUE))
+ {
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+ case PROTO_ESP:
+ /* we currently don't include any AEAD proposal for ESP, as we
+ * don't know if our kernel backend actually supports it. */
+ return NULL;
+ case PROTO_AH:
+ default:
+ return NULL;
+ }
+}
+
+/*
+ * Described in header
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
+{
+ private_proposal_t *this;
+ enumerator_t *enumerator;
+ bool failed = TRUE;
+ char *alg;
+
+ this = (private_proposal_t*)proposal_create(protocol, 0);
+
+ /* get all tokens, separated by '-' */
+ enumerator = enumerator_create_token(algs, "-", " ");
+ while (enumerator->enumerate(enumerator, &alg))
+ {
+ if (!add_string_algo(this, alg))
+ {
+ failed = TRUE;
+ break;
+ }
+ failed = FALSE;
+ }
+ enumerator->destroy(enumerator);
+
+ if (failed || !check_proposal(this))
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/crypto/proposal/proposal.h b/src/libstrongswan/crypto/proposal/proposal.h
new file mode 100644
index 000000000..0052674b9
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal.h
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) 2009-2018 Tobias Brunner
+ * Copyright (C) 2006 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup proposal proposal
+ * @{ @ingroup crypto
+ */
+
+#ifndef PROPOSAL_H_
+#define PROPOSAL_H_
+
+typedef enum protocol_id_t protocol_id_t;
+typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
+typedef struct proposal_t proposal_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <collections/linked_list.h>
+#include <networking/host.h>
+#include <crypto/transform.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+#include <selectors/traffic_selector.h>
+
+/**
+ * Protocol ID of a proposal.
+ */
+enum protocol_id_t {
+ PROTO_NONE = 0,
+ PROTO_IKE = 1,
+ PROTO_AH = 2,
+ PROTO_ESP = 3,
+ PROTO_IPCOMP = 4, /* IKEv1 only */
+};
+
+/**
+ * enum names for protocol_id_t
+ */
+extern enum_name_t *protocol_id_names;
+
+/**
+ * Stores a set of algorithms used for an SA.
+ *
+ * A proposal stores algorithms for a specific
+ * protocol. It can store algorithms for one protocol.
+ * Proposals with multiple protocols are not supported,
+ * as it's not specified in RFC4301 anymore.
+ */
+struct proposal_t {
+
+ /**
+ * Add an algorithm to the proposal.
+ *
+ * The algorithms are stored by priority, first added
+ * is the most preferred.
+ * Key size is only needed for encryption algorithms
+ * with variable key size (such as AES). Must be set
+ * to zero if key size is not specified.
+ * The alg parameter accepts encryption_algorithm_t,
+ * integrity_algorithm_t, dh_group_number_t and
+ * extended_sequence_numbers_t.
+ *
+ * @param type kind of algorithm
+ * @param alg identifier for algorithm
+ * @param key_size key size to use
+ */
+ void (*add_algorithm) (proposal_t *this, transform_type_t type,
+ uint16_t alg, uint16_t key_size);
+
+ /**
+ * Get an enumerator over algorithms for a specific algo type.
+ *
+ * @param type kind of algorithm
+ * @return enumerator over uint16_t alg, uint16_t key_size
+ */
+ enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type);
+
+ /**
+ * Get the algorithm for a type to use.
+ *
+ * If there are multiple algorithms, only the first is returned.
+ *
+ * @param type kind of algorithm
+ * @param alg pointer which receives algorithm
+ * @param key_size pointer which receives the key size
+ * @return TRUE if algorithm of this kind available
+ */
+ bool (*get_algorithm) (proposal_t *this, transform_type_t type,
+ uint16_t *alg, uint16_t *key_size);
+
+ /**
+ * Check if the proposal has a specific DH group.
+ *
+ * @param group group to check for
+ * @return TRUE if algorithm included
+ */
+ bool (*has_dh_group)(proposal_t *this, diffie_hellman_group_t group);
+
+ /**
+ * Move the given DH group to the front of the list if it was contained in
+ * the proposal.
+ *
+ * @param group group to promote
+ * @return TRUE if algorithm included
+ */
+ bool (*promote_dh_group)(proposal_t *this, diffie_hellman_group_t group);
+
+ /**
+ * Strip DH groups from proposal to use it without PFS.
+ *
+ * @param keep group to keep (MODP_NONE to remove all)
+ */
+ void (*strip_dh)(proposal_t *this, diffie_hellman_group_t keep);
+
+ /**
+ * Compare two proposal, and select a matching subset.
+ *
+ * If the proposals are for the same protocols (AH/ESP), they are
+ * compared. If they have at least one algorithm of each type
+ * in common, a resulting proposal of this kind is created.
+ *
+ * @param other proposal to compare against
+ * @param other_remote whether other is the remote proposal from which to
+ * copy SPI and proposal number to the result,
+ * otherwise copy from this proposal
+ * @param private accepts algorithms allocated in a private range
+ * @return selected proposal, NULL if proposals don't match
+ */
+ proposal_t *(*select)(proposal_t *this, proposal_t *other,
+ bool other_remote, bool private);
+
+ /**
+ * Get the protocol ID of the proposal.
+ *
+ * @return protocol of the proposal
+ */
+ protocol_id_t (*get_protocol) (proposal_t *this);
+
+ /**
+ * Get the SPI of the proposal.
+ *
+ * @return spi for proto
+ */
+ uint64_t (*get_spi) (proposal_t *this);
+
+ /**
+ * Set the SPI of the proposal.
+ *
+ * @param spi spi to set for proto
+ */
+ void (*set_spi) (proposal_t *this, uint64_t spi);
+
+ /**
+ * Get the proposal number, as encoded in SA payload
+ *
+ * @return proposal number
+ */
+ u_int (*get_number)(proposal_t *this);
+
+ /**
+ * Check for the eqality of two proposals.
+ *
+ * @param other other proposal to check for equality
+ * @return TRUE if other equal to this
+ */
+ bool (*equals)(proposal_t *this, proposal_t *other);
+
+ /**
+ * Clone a proposal.
+ *
+ * @return clone of proposal
+ */
+ proposal_t *(*clone) (proposal_t *this);
+
+ /**
+ * Destroys the proposal object.
+ */
+ void (*destroy) (proposal_t *this);
+};
+
+/**
+ * Create a child proposal for AH, ESP or IKE.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @param number proposal number, as encoded in SA payload
+ * @return proposal_t object
+ */
+proposal_t *proposal_create(protocol_id_t protocol, u_int number);
+
+/**
+ * Create a default proposal if nothing further specified.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @return proposal_t object
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol);
+
+/**
+ * Create a default proposal for supported AEAD algorithms
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @return proposal_t object, NULL if none supported
+ */
+proposal_t *proposal_create_default_aead(protocol_id_t protocol);
+
+/**
+ * Create a proposal from a string identifying the algorithms.
+ *
+ * The string is in the same form as a in the ipsec.conf file.
+ * E.g.: aes128-sha2_256-modp2048
+ * 3des-md5
+ * An additional '!' at the end of the string forces this proposal,
+ * without it the peer may choose another algorithm we support.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @param algs algorithms as string
+ * @return proposal_t object
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
+
+/**
+ * printf hook function for proposal_t.
+ *
+ * Arguments are:
+ * proposal_t *proposal
+ * With the #-specifier, arguments are:
+ * linked_list_t *list containing proposal_t*
+ */
+int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+ const void *const *args);
+
+#endif /** PROPOSAL_H_ @}*/
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
index 856abdce6..b062221e5 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -37,7 +37,7 @@
/**
* @defgroup proposal_keywords proposal_keywords
- * @{ @ingroup crypto
+ * @{ @ingroup proposal
*/
#ifndef PROPOSAL_KEYWORDS_H_
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
index 64b5dbe51..2b7295e3d 100644
--- a/src/libstrongswan/eap/eap.c
+++ b/src/libstrongswan/eap/eap.c
@@ -157,6 +157,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str)
type = eap_type_from_string(part);
if (!type)
{
+ errno = 0;
type = strtoul(part, &end, 0);
if (*end != '\0' || errno)
{
@@ -166,6 +167,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str)
}
continue;
}
+ errno = 0;
vendor = strtoul(part, &end, 0);
if (*end != '\0' || errno)
{
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 68c3935b9..c992eb5ad 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -104,7 +104,10 @@ bool mark_from_string(const char *value, mark_t *mark)
{
mark->mask = 0xffffffff;
}
- /* apply the mask to ensure the value is in range */
- mark->value &= mark->mask;
+ if (!MARK_IS_UNIQUE(mark->value))
+ {
+ /* apply the mask to ensure the value is in range */
+ mark->value &= mark->mask;
+ }
return TRUE;
}
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 7944b9356..dbdf5cfe9 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -26,6 +26,7 @@
#include <collections/hashtable.h>
#include <utils/backtrace.h>
#include <selectors/traffic_selector.h>
+#include <crypto/proposal/proposal.h>
#define CHECKSUM_LIBRARY IPSEC_LIB_DIR"/libchecksum.so"
@@ -369,6 +370,8 @@ bool library_init(char *settings, const char *namespace)
PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
pfh->add_handler(pfh, 'R', traffic_selector_printf_hook,
PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
+ pfh->add_handler(pfh, 'P', proposal_printf_hook,
+ PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
this->objects = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 4);
diff --git a/src/libstrongswan/plugins/blowfish/bf_enc.c b/src/libstrongswan/plugins/blowfish/bf_enc.c
index ebcc5dbdf..f9591c1a4 100644
--- a/src/libstrongswan/plugins/blowfish/bf_enc.c
+++ b/src/libstrongswan/plugins/blowfish/bf_enc.c
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/bf_locl.h b/src/libstrongswan/plugins/blowfish/bf_locl.h
index 1375a0aa9..e5f49280b 100644
--- a/src/libstrongswan/plugins/blowfish/bf_locl.h
+++ b/src/libstrongswan/plugins/blowfish/bf_locl.h
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/bf_pi.h b/src/libstrongswan/plugins/blowfish/bf_pi.h
index 79d23db6c..86c2ef366 100644
--- a/src/libstrongswan/plugins/blowfish/bf_pi.h
+++ b/src/libstrongswan/plugins/blowfish/bf_pi.h
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/bf_skey.c b/src/libstrongswan/plugins/blowfish/bf_skey.c
index ceec3b8d4..52a051890 100644
--- a/src/libstrongswan/plugins/blowfish/bf_skey.c
+++ b/src/libstrongswan/plugins/blowfish/bf_skey.c
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/blowfish.h b/src/libstrongswan/plugins/blowfish/blowfish.h
index 9aa30df4b..3c8f77a0f 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish.h
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index 1708e078d..6d8d1d709 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -6,7 +6,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -31,7 +31,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index d236bd429..cb5064d90 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -13,7 +13,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.
+ * the following conditions are adhered to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
@@ -34,7 +34,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
@@ -309,7 +309,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
#endif
/* The changes to this macro may help or hinder, depending on the
- * compiler and the achitecture. gcc2 always seems to do well :-).
+ * compiler and the architecture. gcc2 always seems to do well :-).
* Inspired by Dana How <how@isl.stanford.edu>
* DO NOT use the alternative version on machines with 8 byte longs.
* It does not seem to work on the Alpha, even when DES_LONG is 4
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index aca232c86..241ef7d3b 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -936,7 +936,12 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this)
bool success = FALSE;
gmp_randinit_default(rstate);
- mpz_inits(k, r, g, y, n1, x, NULL);
+ mpz_init(k);
+ mpz_init(r);
+ mpz_init(g);
+ mpz_init(y);
+ mpz_init(n1);
+ mpz_init(x);
/* k = (d * e) - 1 */
mpz_mul(k, *this->d, this->e);
mpz_sub_ui(k, k, 1);
@@ -956,7 +961,7 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this)
{ /* generate random integer g in [0, n-1] */
mpz_urandomm(g, rstate, this->n);
/* y = g^r mod n */
- mpz_powm_sec(y, g, r, this->n);
+ mpz_powm(y, g, r, this->n);
/* try again if y == 1 or y == n-1 */
if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, n1) == 0)
{
diff --git a/src/libstrongswan/plugins/newhope/newhope_ke.c b/src/libstrongswan/plugins/newhope/newhope_ke.c
index 28956d5fb..72b7e034c 100644
--- a/src/libstrongswan/plugins/newhope/newhope_ke.c
+++ b/src/libstrongswan/plugins/newhope/newhope_ke.c
@@ -246,7 +246,7 @@ static uint32_t* multiply_ntt_inv_poly(private_newhope_ke_t *this, uint32_t *b)
}
/**
- * Pack four 2-bit coefficents into one byte
+ * Pack four 2-bit coefficients into one byte
*/
static void pack_rec(private_newhope_ke_t *this, uint8_t *x, uint8_t *r)
{
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
index ca6899786..efcd2b30a 100644
--- a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
@@ -202,7 +202,7 @@ pkcs7_attributes_t *pkcs7_attributes_create(void)
}
/**
- * ASN.1 definition of the X.501 atttribute type
+ * ASN.1 definition of the X.501 attribute type
*/
static const asn1Object_t attributesObjects[] = {
{ 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 92a860615..156bd8656 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -76,7 +76,7 @@ struct plugin_loader_t {
* If \<ns>.load_modular is enabled (where \<ns> is lib->ns) the plugins to
* load are determined via a load option in their respective plugin config
* section e.g. \<ns>.plugins.\<plugin>.load = <priority|bool>.
- * The oder is determined by the configured priority. If two plugins have
+ * The order is determined by the configured priority. If two plugins have
* the same priority the order as seen in list is preserved. Plugins not
* found in list are loaded first, in alphabetical order.
*
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 16ee0ecc7..1b68320df 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -444,7 +444,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
enumerator_t *enumerator;
time_t revocation;
crl_reason_t reason;
- chunk_t serial;
+ chunk_t subject_serial, serial;
crl_t *crl = (crl_t*)cand;
if (base)
@@ -473,10 +473,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
return best;
}
+ subject_serial = chunk_skip_zero(subject->get_serial(subject));
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
{
- if (chunk_equals(serial, subject->get_serial(subject)))
+ if (chunk_equals(subject_serial, chunk_skip_zero(serial)))
{
if (reason != CRL_REASON_CERTIFICATE_HOLD)
{
diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h
index 1cd96d976..239487dae 100644
--- a/src/libstrongswan/processing/scheduler.h
+++ b/src/libstrongswan/processing/scheduler.h
@@ -45,7 +45,7 @@ typedef struct scheduler_t scheduler_t;
* in-between got slower, as the number of events grew larger (O(n)).
* For each connection there could be several events: IKE-rekey, NAT-keepalive,
* retransmissions, expire (half-open), and others. So a gateway that probably
- * has to handle thousands of concurrent connnections has to be able to queue a
+ * has to handle thousands of concurrent connections has to be able to queue a
* large number of events as fast as possible. Locking makes this even worse, to
* provide thread-safety, no events can be processed, while an event is queued,
* so making the insertion fast is even more important.
@@ -97,13 +97,13 @@ struct scheduler_t {
void (*schedule_job_ms) (scheduler_t *this, job_t *job, uint32_t ms);
/**
- * Adds a event to the queue, using an absolut time.
+ * Adds a event to the queue, using an absolute time.
*
* The passed timeval should be calculated based on the time_monotonic()
* function.
*
* @param job job to schedule
- * @param time absolut time to schedule job
+ * @param time absolute time to schedule job
*/
void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 07f5eb5f2..5737e7a17 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -47,6 +47,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
suites/test_auth_cfg.c \
suites/test_hasher.c \
suites/test_crypter.c \
+ suites/test_proposal.c \
suites/test_crypto_factory.c \
suites/test_iv_gen.c \
suites/test_pen.c \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index f8f8ce83e..20cb27cf3 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -152,6 +152,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \
suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \
suites/libstrongswan_tests-test_hasher.$(OBJEXT) \
suites/libstrongswan_tests-test_crypter.$(OBJEXT) \
+ suites/libstrongswan_tests-test_proposal.$(OBJEXT) \
suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT) \
suites/libstrongswan_tests-test_iv_gen.$(OBJEXT) \
suites/libstrongswan_tests-test_pen.$(OBJEXT) \
@@ -535,6 +536,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
suites/test_auth_cfg.c \
suites/test_hasher.c \
suites/test_crypter.c \
+ suites/test_proposal.c \
suites/test_crypto_factory.c \
suites/test_iv_gen.c \
suites/test_pen.c \
@@ -683,6 +685,8 @@ suites/libstrongswan_tests-test_hasher.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_crypter.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/libstrongswan_tests-test_proposal.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_iv_gen.$(OBJEXT): \
@@ -750,6 +754,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_process.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@
@@ -1199,6 +1204,20 @@ suites/libstrongswan_tests-test_crypter.obj: suites/test_crypter.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi`
+suites/libstrongswan_tests-test_proposal.o: suites/test_proposal.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c
+
+suites/libstrongswan_tests-test_proposal.obj: suites/test_proposal.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi`
+
suites/libstrongswan_tests-test_crypto_factory.o: suites/test_crypto_factory.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po
diff --git a/src/libstrongswan/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c
new file mode 100644
index 000000000..1a2f97d5f
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_proposal.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2016-2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/proposal/proposal.h>
+
+static struct {
+ protocol_id_t proto;
+ char *proposal;
+ char *expected;
+} create_data[] = {
+ { PROTO_IKE, "", NULL },
+ { PROTO_IKE, "sha256", NULL },
+ { PROTO_IKE, "sha256-modp3072", NULL },
+ { PROTO_IKE, "null-sha256-modp3072", "IKE:NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" },
+ { PROTO_IKE, "aes128", NULL },
+ { PROTO_IKE, "aes128-sha256", NULL },
+ { PROTO_IKE, "aes128-sha256-modpnone", NULL },
+ { PROTO_IKE, "aes128-sha256-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" },
+ { PROTO_IKE, "aes128-sha256-prfsha384-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_384/MODP_3072" },
+ { PROTO_IKE, "aes128gcm16-modp3072", NULL },
+ { PROTO_IKE, "aes128gcm16-prfsha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" },
+ { PROTO_IKE, "aes128gcm16-sha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" },
+ { PROTO_IKE, "aes128gcm16-aes128-modp3072", NULL },
+ { PROTO_IKE, "aes128gcm16-aes128-sha256-modp3072", NULL },
+ { PROTO_ESP, "", NULL },
+ { PROTO_ESP, "sha256", NULL },
+ { PROTO_ESP, "aes128-sha256", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_ESP, "aes128-sha256-esn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ" },
+ { PROTO_ESP, "aes128-sha256-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_ESP, "aes128-sha256-esn-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" },
+ { PROTO_ESP, "aes128-sha256-prfsha256-modp3072", "ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ" },
+ { PROTO_ESP, "aes128gcm16-aes128-sha256-modp3072", NULL },
+ { PROTO_ESP, "aes128gmac", "ESP:NULL_AES_GMAC_128/NO_EXT_SEQ" },
+ { PROTO_AH, "", NULL },
+ { PROTO_AH, "aes128", NULL },
+ { PROTO_AH, "aes128-sha256", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_AH, "sha256-sha1", "AH:HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ" },
+ { PROTO_AH, "aes128gmac-sha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_AH, "aes128gmac-sha256-prfsha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_AH, "aes128gmac-aes256gmac-aes128-sha256", "AH:AES_128_GMAC/AES_256_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_AH, "sha256-esn", "AH:HMAC_SHA2_256_128/EXT_SEQ" },
+ { PROTO_AH, "sha256-noesn", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" },
+ { PROTO_AH, "sha256-esn-noesn", "AH:HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" },
+};
+
+static void assert_proposal_eq(proposal_t *proposal, char *expected)
+{
+ char str[BUF_LEN];
+
+ if (!expected)
+ {
+ ck_assert(!proposal);
+ return;
+ }
+ snprintf(str, sizeof(str), "%P", proposal);
+ ck_assert_str_eq(expected, str);
+}
+
+START_TEST(test_create_from_string)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(create_data[_i].proto,
+ create_data[_i].proposal);
+ assert_proposal_eq(proposal, create_data[_i].expected);
+ DESTROY_IF(proposal);
+}
+END_TEST
+
+static struct {
+ protocol_id_t proto;
+ char *self;
+ char *other;
+ char *expected;
+} select_data[] = {
+ { PROTO_ESP, "aes128", "aes128", "aes128" },
+ { PROTO_ESP, "aes128", "aes256", NULL },
+ { PROTO_ESP, "aes128-aes256", "aes256-aes128", "aes128" },
+ { PROTO_ESP, "aes256-aes128", "aes128-aes256", "aes256" },
+ { PROTO_ESP, "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" },
+ { PROTO_ESP, "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" },
+ { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", NULL },
+ { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", NULL },
+ { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL },
+ { PROTO_ESP, "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL },
+ { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" },
+ { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072-modpnone", "aes128-sha256" },
+ { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072" },
+ { PROTO_ESP, "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone" },
+ { PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072", "aes128-sha256-modp3072" },
+ { PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072" },
+ { PROTO_IKE, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072", "aes128-sha256-modp3072" },
+};
+
+START_TEST(test_select)
+{
+ proposal_t *self, *other, *selected, *expected;
+
+ self = proposal_create_from_string(select_data[_i].proto,
+ select_data[_i].self);
+ other = proposal_create_from_string(select_data[_i].proto,
+ select_data[_i].other);
+ selected = self->select(self, other, TRUE, FALSE);
+ if (select_data[_i].expected)
+ {
+ expected = proposal_create_from_string(select_data[_i].proto,
+ select_data[_i].expected);
+ ck_assert(selected);
+ ck_assert_msg(expected->equals(expected, selected), "proposal %P does "
+ "not match expected %P", selected, expected);
+ expected->destroy(expected);
+ }
+ else
+ {
+ ck_assert(!selected);
+ }
+ DESTROY_IF(selected);
+ other->destroy(other);
+ self->destroy(self);
+}
+END_TEST
+
+START_TEST(test_select_spi)
+{
+ proposal_t *self, *other, *selected;
+
+ self = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
+ other = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
+ other->set_spi(other, 0x12345678);
+
+ selected = self->select(self, other, TRUE, FALSE);
+ ck_assert(selected);
+ ck_assert_int_eq(selected->get_spi(selected), other->get_spi(other));
+ selected->destroy(selected);
+
+ selected = self->select(self, other, FALSE, FALSE);
+ ck_assert(selected);
+ ck_assert_int_eq(selected->get_spi(selected), self->get_spi(self));
+ selected->destroy(selected);
+
+ other->destroy(other);
+ self->destroy(self);
+}
+END_TEST
+
+START_TEST(test_promote_dh_group)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(PROTO_IKE,
+ "aes128-sha256-modp3072-ecp256");
+ ck_assert(proposal->promote_dh_group(proposal, ECP_256_BIT));
+ assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_3072");
+ proposal->destroy(proposal);
+}
+END_TEST
+
+START_TEST(test_promote_dh_group_already_front)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(PROTO_IKE,
+ "aes128-sha256-modp3072-ecp256");
+ ck_assert(proposal->promote_dh_group(proposal, MODP_3072_BIT));
+ assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256");
+ proposal->destroy(proposal);
+}
+END_TEST
+
+START_TEST(test_promote_dh_group_not_contained)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(PROTO_IKE,
+ "aes128-sha256-modp3072-ecp256");
+
+ ck_assert(!proposal->promote_dh_group(proposal, MODP_2048_BIT));
+ assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256");
+ proposal->destroy(proposal);
+}
+END_TEST
+
+Suite *proposal_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("proposal");
+
+ tc = tcase_create("create_from_string");
+ tcase_add_loop_test(tc, test_create_from_string, 0, countof(create_data));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("select");
+ tcase_add_loop_test(tc, test_select, 0, countof(select_data));
+ tcase_add_test(tc, test_select_spi);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("promote_dh_group");
+ tcase_add_test(tc, test_promote_dh_group);
+ tcase_add_test(tc, test_promote_dh_group_already_front);
+ tcase_add_test(tc, test_promote_dh_group_not_contained);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index 353010aaf..b423d7d2d 100644
--- a/src/libstrongswan/tests/suites/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -877,8 +877,23 @@ static struct {
{"/0xff", TRUE, { 0, 0xff }},
{"/x", FALSE, { 0 }},
{"x/x", FALSE, { 0 }},
- {"0xffffffff/0x0000ffff", TRUE, { 0x0000ffff, 0x0000ffff }},
- {"0xffffffff/0xffffffff", TRUE, { 0xffffffff, 0xffffffff }},
+ {"0xfffffff0/0x0000ffff", TRUE, { 0x0000fff0, 0x0000ffff }},
+ {"%unique", TRUE, { MARK_UNIQUE, 0xffffffff }},
+ {"%unique/", TRUE, { MARK_UNIQUE, 0 }},
+ {"%unique/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }},
+ {"%unique/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }},
+ {"%unique0xffffffffff", FALSE, { 0, 0 }},
+ {"0xffffffff/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }},
+ {"0xffffffff/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }},
+ {"%unique-dir", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }},
+ {"%unique-dir/", TRUE, { MARK_UNIQUE_DIR, 0 }},
+ {"%unique-dir/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }},
+ {"%unique-dir/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }},
+ {"%unique-dir0xffffffff", FALSE, { 0, 0 }},
+ {"0xfffffffe/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }},
+ {"0xfffffffe/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }},
+ {"%unique-/0xffffffff", FALSE, { 0, 0 }},
+ {"%unique-foo/0xffffffff", FALSE, { 0, 0 }},
};
START_TEST(test_mark_from_string)
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 525bdeb94..5fab227f2 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create)
TEST_SUITE(auth_cfg_suite_create)
TEST_SUITE(hasher_suite_create)
TEST_SUITE(crypter_suite_create)
+TEST_SUITE(proposal_suite_create)
TEST_SUITE(crypto_factory_suite_create)
TEST_SUITE_DEPEND(iv_gen_suite_create, RNG, RNG_STRONG)
TEST_SUITE(pen_suite_create)
diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h
index d3ab0f3d9..bb384e669 100644
--- a/src/libstrongswan/threading/semaphore.h
+++ b/src/libstrongswan/threading/semaphore.h
@@ -29,7 +29,7 @@ typedef struct semaphore_t semaphore_t;
* A semaphore is basically an integer whose value is never allowed to be
* lower than 0. Two operations can be performed on it: increment the
* value by one, and decrement the value by one. If the value is currently
- * zero, then the decrement operation will blcok until the value becomes
+ * zero, then the decrement operation will block until the value becomes
* greater than zero.
*/
struct semaphore_t {
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 8f4b7efff..3a7984098 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -478,7 +478,7 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
}
/**
- * convert a signle hex character to its binary value
+ * convert a single hex character to its binary value
*/
static char hex2bin(char hex)
{
@@ -859,7 +859,7 @@ static inline uint64_t siplast(size_t len, u_char *pos)
}
/**
- * Caculate SipHash-2-4 with an optional first block given as argument.
+ * Calculate SipHash-2-4 with an optional first block given as argument.
*/
static uint64_t chunk_mac_inc(chunk_t chunk, u_char *key, uint64_t m)
{