diff options
author | Yves-Alexis Perez <corsac@corsac.net> | 2018-02-19 18:17:21 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2018-02-19 18:17:21 +0100 |
commit | 7793611ee71b576dd9c66dee327349fa64e38740 (patch) | |
tree | f1379ec1aed52a3c772874d4ed690b90975b9623 /src/libstrongswan | |
parent | e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (diff) | |
download | vyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.tar.gz vyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.zip |
New upstream version 5.6.2
Diffstat (limited to 'src/libstrongswan')
37 files changed, 2021 insertions, 360 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 0247add96..fb7c62a8a 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -8,7 +8,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \ collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \ collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \ -crypto/hashers/hash_algorithm_set.c \ +crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index a9759aeee..66539a879 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -6,7 +6,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \ collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \ collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \ -crypto/hashers/hash_algorithm_set.c \ +crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ @@ -69,7 +69,7 @@ asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \ collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \ collections/linked_list.h collections/array.h collections/dictionary.h \ crypto/crypters/crypter.h crypto/hashers/hasher.h \ -crypto/hashers/hash_algorithm_set.h crypto/mac.h \ +crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \ crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 356670dad..a0eb8b6b5 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -335,7 +335,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ collections/enumerator.c collections/hashtable.c \ collections/array.c collections/linked_list.c \ crypto/crypters/crypter.c crypto/hashers/hasher.c \ - crypto/hashers/hash_algorithm_set.c \ + crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \ crypto/proposal/proposal_keywords.c \ crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \ crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \ @@ -425,6 +425,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ collections/array.lo collections/linked_list.lo \ crypto/crypters/crypter.lo crypto/hashers/hasher.lo \ crypto/hashers/hash_algorithm_set.lo \ + crypto/proposal/proposal.lo \ crypto/proposal/proposal_keywords.lo \ crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \ crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \ @@ -556,7 +557,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ collections/linked_list.h collections/array.h \ collections/dictionary.h crypto/crypters/crypter.h \ crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \ - crypto/mac.h crypto/proposal/proposal_keywords.h \ + crypto/mac.h crypto/proposal/proposal.h \ + crypto/proposal/proposal_keywords.h \ crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \ crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h \ @@ -942,7 +944,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ collections/hashtable.c collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c \ crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \ - crypto/proposal/proposal_keywords.c \ + crypto/proposal/proposal.c crypto/proposal/proposal_keywords.c \ crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \ crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \ crypto/prf_plus.c crypto/signers/signer.c \ @@ -1005,7 +1007,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \ @USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \ @USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \ -@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \ +@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \ @USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \ @USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ @@ -1302,6 +1304,8 @@ crypto/proposal/$(am__dirstamp): crypto/proposal/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) crypto/proposal/$(DEPDIR) @: > crypto/proposal/$(DEPDIR)/$(am__dirstamp) +crypto/proposal/proposal.lo: crypto/proposal/$(am__dirstamp) \ + crypto/proposal/$(DEPDIR)/$(am__dirstamp) crypto/proposal/proposal_keywords.lo: crypto/proposal/$(am__dirstamp) \ crypto/proposal/$(DEPDIR)/$(am__dirstamp) crypto/proposal/proposal_keywords_static.lo: \ @@ -1855,6 +1859,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords_static.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/rngs/$(DEPDIR)/rng.Plo@am__quote@ diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 6d9f98ee4..a70aafdd9 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -205,8 +205,8 @@ const oid_t oid_names[] = { { 0x02, 193, 0, 7, "ecdsa-with-SHA256" }, /* 192 */ { 0x03, 194, 0, 7, "ecdsa-with-SHA384" }, /* 193 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 194 */ - {0x2B, 425, 1, 0, "" }, /* 195 */ - { 0x06, 336, 1, 1, "dod" }, /* 196 */ + {0x2B, 426, 1, 0, "" }, /* 195 */ + { 0x06, 337, 1, 1, "dod" }, /* 196 */ { 0x01, 0, 1, 2, "internet" }, /* 197 */ { 0x04, 287, 1, 3, "private" }, /* 198 */ { 0x01, 0, 1, 4, "enterprise" }, /* 199 */ @@ -299,211 +299,212 @@ const oid_t oid_names[] = { { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 286 */ { 0x05, 0, 1, 3, "security" }, /* 287 */ { 0x05, 0, 1, 4, "mechanisms" }, /* 288 */ - { 0x07, 333, 1, 5, "id-pkix" }, /* 289 */ - { 0x01, 294, 1, 6, "id-pe" }, /* 290 */ + { 0x07, 334, 1, 5, "id-pkix" }, /* 289 */ + { 0x01, 295, 1, 6, "id-pe" }, /* 290 */ { 0x01, 292, 0, 7, "authorityInfoAccess" }, /* 291 */ { 0x03, 293, 0, 7, "qcStatements" }, /* 292 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 293 */ - { 0x02, 297, 1, 6, "id-qt" }, /* 294 */ - { 0x01, 296, 0, 7, "cps" }, /* 295 */ - { 0x02, 0, 0, 7, "unotice" }, /* 296 */ - { 0x03, 307, 1, 6, "id-kp" }, /* 297 */ - { 0x01, 299, 0, 7, "serverAuth" }, /* 298 */ - { 0x02, 300, 0, 7, "clientAuth" }, /* 299 */ - { 0x03, 301, 0, 7, "codeSigning" }, /* 300 */ - { 0x04, 302, 0, 7, "emailProtection" }, /* 301 */ - { 0x05, 303, 0, 7, "ipsecEndSystem" }, /* 302 */ - { 0x06, 304, 0, 7, "ipsecTunnel" }, /* 303 */ - { 0x07, 305, 0, 7, "ipsecUser" }, /* 304 */ - { 0x08, 306, 0, 7, "timeStamping" }, /* 305 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 306 */ - { 0x08, 315, 1, 6, "id-otherNames" }, /* 307 */ - { 0x01, 309, 0, 7, "personalData" }, /* 308 */ - { 0x02, 310, 0, 7, "userGroup" }, /* 309 */ - { 0x03, 311, 0, 7, "id-on-permanentIdentifier" }, /* 310 */ - { 0x04, 312, 0, 7, "id-on-hardwareModuleName" }, /* 311 */ - { 0x05, 313, 0, 7, "xmppAddr" }, /* 312 */ - { 0x06, 314, 0, 7, "id-on-SIM" }, /* 313 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 314 */ - { 0x0A, 320, 1, 6, "id-aca" }, /* 315 */ - { 0x01, 317, 0, 7, "authenticationInfo" }, /* 316 */ - { 0x02, 318, 0, 7, "accessIdentity" }, /* 317 */ - { 0x03, 319, 0, 7, "chargingIdentity" }, /* 318 */ - { 0x04, 0, 0, 7, "group" }, /* 319 */ - { 0x0B, 321, 0, 6, "subjectInfoAccess" }, /* 320 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 321 */ - { 0x01, 330, 1, 7, "ocsp" }, /* 322 */ - { 0x01, 324, 0, 8, "basic" }, /* 323 */ - { 0x02, 325, 0, 8, "nonce" }, /* 324 */ - { 0x03, 326, 0, 8, "crl" }, /* 325 */ - { 0x04, 327, 0, 8, "response" }, /* 326 */ - { 0x05, 328, 0, 8, "noCheck" }, /* 327 */ - { 0x06, 329, 0, 8, "archiveCutoff" }, /* 328 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 329 */ - { 0x02, 331, 0, 7, "caIssuers" }, /* 330 */ - { 0x03, 332, 0, 7, "timeStamping" }, /* 331 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 332 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 333 */ - { 0x02, 0, 1, 6, "certificate" }, /* 334 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 335 */ - { 0x0E, 342, 1, 1, "oiw" }, /* 336 */ - { 0x03, 0, 1, 2, "secsig" }, /* 337 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 338 */ - { 0x07, 340, 0, 4, "des-cbc" }, /* 339 */ - { 0x1A, 341, 0, 4, "sha-1" }, /* 340 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 341 */ - { 0x24, 388, 1, 1, "TeleTrusT" }, /* 342 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 343 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 344 */ - { 0x01, 349, 1, 4, "rsaSignature" }, /* 345 */ - { 0x02, 347, 0, 5, "rsaSigWithripemd160" }, /* 346 */ - { 0x03, 348, 0, 5, "rsaSigWithripemd128" }, /* 347 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 348 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 349 */ - { 0x01, 351, 0, 5, "ecSignWithsha1" }, /* 350 */ - { 0x02, 352, 0, 5, "ecSignWithripemd160" }, /* 351 */ - { 0x03, 353, 0, 5, "ecSignWithmd2" }, /* 352 */ - { 0x04, 354, 0, 5, "ecSignWithmd5" }, /* 353 */ - { 0x05, 371, 1, 5, "ttt-ecg" }, /* 354 */ - { 0x01, 359, 1, 6, "fieldType" }, /* 355 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 356 */ - { 0x01, 0, 1, 8, "basisType" }, /* 357 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 358 */ - { 0x02, 361, 1, 6, "keyType" }, /* 359 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 360 */ - { 0x03, 362, 0, 6, "curve" }, /* 361 */ - { 0x04, 369, 1, 6, "signatures" }, /* 362 */ - { 0x01, 364, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 363 */ - { 0x02, 365, 0, 7, "ecgdsa-with-SHA1" }, /* 364 */ - { 0x03, 366, 0, 7, "ecgdsa-with-SHA224" }, /* 365 */ - { 0x04, 367, 0, 7, "ecgdsa-with-SHA256" }, /* 366 */ - { 0x05, 368, 0, 7, "ecgdsa-with-SHA384" }, /* 367 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 368 */ - { 0x05, 0, 1, 6, "module" }, /* 369 */ - { 0x01, 0, 0, 7, "1" }, /* 370 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 371 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 372 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 373 */ - { 0x01, 375, 0, 8, "brainpoolP160r1" }, /* 374 */ - { 0x02, 376, 0, 8, "brainpoolP160t1" }, /* 375 */ - { 0x03, 377, 0, 8, "brainpoolP192r1" }, /* 376 */ - { 0x04, 378, 0, 8, "brainpoolP192t1" }, /* 377 */ - { 0x05, 379, 0, 8, "brainpoolP224r1" }, /* 378 */ - { 0x06, 380, 0, 8, "brainpoolP224t1" }, /* 379 */ - { 0x07, 381, 0, 8, "brainpoolP256r1" }, /* 380 */ - { 0x08, 382, 0, 8, "brainpoolP256t1" }, /* 381 */ - { 0x09, 383, 0, 8, "brainpoolP320r1" }, /* 382 */ - { 0x0A, 384, 0, 8, "brainpoolP320t1" }, /* 383 */ - { 0x0B, 385, 0, 8, "brainpoolP384r1" }, /* 384 */ - { 0x0C, 386, 0, 8, "brainpoolP384t1" }, /* 385 */ - { 0x0D, 387, 0, 8, "brainpoolP512r1" }, /* 386 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 387 */ - { 0x65, 391, 1, 1, "Thawte" }, /* 388 */ - { 0x70, 390, 0, 2, "id-Ed25519" }, /* 389 */ - { 0x71, 0, 0, 2, "id-Ed448" }, /* 390 */ - { 0x81, 0, 1, 1, "" }, /* 391 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 392 */ - { 0x00, 0, 1, 3, "curve" }, /* 393 */ - { 0x01, 395, 0, 4, "sect163k1" }, /* 394 */ - { 0x02, 396, 0, 4, "sect163r1" }, /* 395 */ - { 0x03, 397, 0, 4, "sect239k1" }, /* 396 */ - { 0x04, 398, 0, 4, "sect113r1" }, /* 397 */ - { 0x05, 399, 0, 4, "sect113r2" }, /* 398 */ - { 0x06, 400, 0, 4, "secp112r1" }, /* 399 */ - { 0x07, 401, 0, 4, "secp112r2" }, /* 400 */ - { 0x08, 402, 0, 4, "secp160r1" }, /* 401 */ - { 0x09, 403, 0, 4, "secp160k1" }, /* 402 */ - { 0x0A, 404, 0, 4, "secp256k1" }, /* 403 */ - { 0x0F, 405, 0, 4, "sect163r2" }, /* 404 */ - { 0x10, 406, 0, 4, "sect283k1" }, /* 405 */ - { 0x11, 407, 0, 4, "sect283r1" }, /* 406 */ - { 0x16, 408, 0, 4, "sect131r1" }, /* 407 */ - { 0x17, 409, 0, 4, "sect131r2" }, /* 408 */ - { 0x18, 410, 0, 4, "sect193r1" }, /* 409 */ - { 0x19, 411, 0, 4, "sect193r2" }, /* 410 */ - { 0x1A, 412, 0, 4, "sect233k1" }, /* 411 */ - { 0x1B, 413, 0, 4, "sect233r1" }, /* 412 */ - { 0x1C, 414, 0, 4, "secp128r1" }, /* 413 */ - { 0x1D, 415, 0, 4, "secp128r2" }, /* 414 */ - { 0x1E, 416, 0, 4, "secp160r2" }, /* 415 */ - { 0x1F, 417, 0, 4, "secp192k1" }, /* 416 */ - { 0x20, 418, 0, 4, "secp224k1" }, /* 417 */ - { 0x21, 419, 0, 4, "secp224r1" }, /* 418 */ - { 0x22, 420, 0, 4, "secp384r1" }, /* 419 */ - { 0x23, 421, 0, 4, "secp521r1" }, /* 420 */ - { 0x24, 422, 0, 4, "sect409k1" }, /* 421 */ - { 0x25, 423, 0, 4, "sect409r1" }, /* 422 */ - { 0x26, 424, 0, 4, "sect571k1" }, /* 423 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 424 */ - {0x60, 488, 1, 0, "" }, /* 425 */ - { 0x86, 0, 1, 1, "" }, /* 426 */ - { 0x48, 0, 1, 2, "" }, /* 427 */ - { 0x01, 0, 1, 3, "organization" }, /* 428 */ - { 0x65, 464, 1, 4, "gov" }, /* 429 */ - { 0x03, 0, 1, 5, "csor" }, /* 430 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 431 */ - { 0x01, 442, 1, 7, "aes" }, /* 432 */ - { 0x02, 434, 0, 8, "id-aes128-CBC" }, /* 433 */ - { 0x06, 435, 0, 8, "id-aes128-GCM" }, /* 434 */ - { 0x07, 436, 0, 8, "id-aes128-CCM" }, /* 435 */ - { 0x16, 437, 0, 8, "id-aes192-CBC" }, /* 436 */ - { 0x1A, 438, 0, 8, "id-aes192-GCM" }, /* 437 */ - { 0x1B, 439, 0, 8, "id-aes192-CCM" }, /* 438 */ - { 0x2A, 440, 0, 8, "id-aes256-CBC" }, /* 439 */ - { 0x2E, 441, 0, 8, "id-aes256-GCM" }, /* 440 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 441 */ - { 0x02, 455, 1, 7, "hashAlgs" }, /* 442 */ - { 0x01, 444, 0, 8, "id-sha256" }, /* 443 */ - { 0x02, 445, 0, 8, "id-sha384" }, /* 444 */ - { 0x03, 446, 0, 8, "id-sha512" }, /* 445 */ - { 0x04, 447, 0, 8, "id-sha224" }, /* 446 */ - { 0x05, 448, 0, 8, "id-sha512-224" }, /* 447 */ - { 0x06, 449, 0, 8, "id-sha512-256" }, /* 448 */ - { 0x07, 450, 0, 8, "id-sha3-224" }, /* 449 */ - { 0x08, 451, 0, 8, "id-sha3-256" }, /* 450 */ - { 0x09, 452, 0, 8, "id-sha3-384" }, /* 451 */ - { 0x0A, 453, 0, 8, "id-sha3-512" }, /* 452 */ - { 0x0B, 454, 0, 8, "id-shake128" }, /* 453 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 454 */ - { 0x03, 0, 1, 7, "sigAlgs" }, /* 455 */ - { 0x09, 457, 0, 8, "id-ecdsa-with-sha3-224" }, /* 456 */ - { 0x0A, 458, 0, 8, "id-ecdsa-with-sha3-256" }, /* 457 */ - { 0x0B, 459, 0, 8, "id-ecdsa-with-sha3-384" }, /* 458 */ - { 0x0C, 460, 0, 8, "id-ecdsa-with-sha3-512" }, /* 459 */ - { 0x0D, 461, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 460 */ - { 0x0E, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 461 */ - { 0x0F, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 462 */ - { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 463 */ - { 0x86, 0, 1, 4, "" }, /* 464 */ - { 0xf8, 0, 1, 5, "" }, /* 465 */ - { 0x42, 478, 1, 6, "netscape" }, /* 466 */ - { 0x01, 473, 1, 7, "" }, /* 467 */ - { 0x01, 469, 0, 8, "nsCertType" }, /* 468 */ - { 0x03, 470, 0, 8, "nsRevocationUrl" }, /* 469 */ - { 0x04, 471, 0, 8, "nsCaRevocationUrl" }, /* 470 */ - { 0x08, 472, 0, 8, "nsCaPolicyUrl" }, /* 471 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 472 */ - { 0x03, 476, 1, 7, "directory" }, /* 473 */ - { 0x01, 0, 1, 8, "" }, /* 474 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 475 */ - { 0x04, 0, 1, 7, "policy" }, /* 476 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 477 */ - { 0x45, 0, 1, 6, "verisign" }, /* 478 */ - { 0x01, 0, 1, 7, "pki" }, /* 479 */ - { 0x09, 0, 1, 8, "attributes" }, /* 480 */ - { 0x02, 482, 0, 9, "messageType" }, /* 481 */ - { 0x03, 483, 0, 9, "pkiStatus" }, /* 482 */ - { 0x04, 484, 0, 9, "failInfo" }, /* 483 */ - { 0x05, 485, 0, 9, "senderNonce" }, /* 484 */ - { 0x06, 486, 0, 9, "recipientNonce" }, /* 485 */ - { 0x07, 487, 0, 9, "transID" }, /* 486 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 487 */ - {0x67, 0, 1, 0, "" }, /* 488 */ - { 0x81, 0, 1, 1, "" }, /* 489 */ - { 0x05, 0, 1, 2, "" }, /* 490 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 491 */ - { 0x01, 493, 0, 4, "tcg-at-tpmManufacturer" }, /* 492 */ - { 0x02, 494, 0, 4, "tcg-at-tpmModel" }, /* 493 */ - { 0x03, 495, 0, 4, "tcg-at-tpmVersion" }, /* 494 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 495 */ + { 0x07, 294, 0, 7, "ipAddrBlocks" }, /* 293 */ + { 0x18, 0, 0, 7, "tlsfeature" }, /* 294 */ + { 0x02, 298, 1, 6, "id-qt" }, /* 295 */ + { 0x01, 297, 0, 7, "cps" }, /* 296 */ + { 0x02, 0, 0, 7, "unotice" }, /* 297 */ + { 0x03, 308, 1, 6, "id-kp" }, /* 298 */ + { 0x01, 300, 0, 7, "serverAuth" }, /* 299 */ + { 0x02, 301, 0, 7, "clientAuth" }, /* 300 */ + { 0x03, 302, 0, 7, "codeSigning" }, /* 301 */ + { 0x04, 303, 0, 7, "emailProtection" }, /* 302 */ + { 0x05, 304, 0, 7, "ipsecEndSystem" }, /* 303 */ + { 0x06, 305, 0, 7, "ipsecTunnel" }, /* 304 */ + { 0x07, 306, 0, 7, "ipsecUser" }, /* 305 */ + { 0x08, 307, 0, 7, "timeStamping" }, /* 306 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 307 */ + { 0x08, 316, 1, 6, "id-otherNames" }, /* 308 */ + { 0x01, 310, 0, 7, "personalData" }, /* 309 */ + { 0x02, 311, 0, 7, "userGroup" }, /* 310 */ + { 0x03, 312, 0, 7, "id-on-permanentIdentifier" }, /* 311 */ + { 0x04, 313, 0, 7, "id-on-hardwareModuleName" }, /* 312 */ + { 0x05, 314, 0, 7, "xmppAddr" }, /* 313 */ + { 0x06, 315, 0, 7, "id-on-SIM" }, /* 314 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 315 */ + { 0x0A, 321, 1, 6, "id-aca" }, /* 316 */ + { 0x01, 318, 0, 7, "authenticationInfo" }, /* 317 */ + { 0x02, 319, 0, 7, "accessIdentity" }, /* 318 */ + { 0x03, 320, 0, 7, "chargingIdentity" }, /* 319 */ + { 0x04, 0, 0, 7, "group" }, /* 320 */ + { 0x0B, 322, 0, 6, "subjectInfoAccess" }, /* 321 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 322 */ + { 0x01, 331, 1, 7, "ocsp" }, /* 323 */ + { 0x01, 325, 0, 8, "basic" }, /* 324 */ + { 0x02, 326, 0, 8, "nonce" }, /* 325 */ + { 0x03, 327, 0, 8, "crl" }, /* 326 */ + { 0x04, 328, 0, 8, "response" }, /* 327 */ + { 0x05, 329, 0, 8, "noCheck" }, /* 328 */ + { 0x06, 330, 0, 8, "archiveCutoff" }, /* 329 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 330 */ + { 0x02, 332, 0, 7, "caIssuers" }, /* 331 */ + { 0x03, 333, 0, 7, "timeStamping" }, /* 332 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 333 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 334 */ + { 0x02, 0, 1, 6, "certificate" }, /* 335 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 336 */ + { 0x0E, 343, 1, 1, "oiw" }, /* 337 */ + { 0x03, 0, 1, 2, "secsig" }, /* 338 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 339 */ + { 0x07, 341, 0, 4, "des-cbc" }, /* 340 */ + { 0x1A, 342, 0, 4, "sha-1" }, /* 341 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 342 */ + { 0x24, 389, 1, 1, "TeleTrusT" }, /* 343 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 344 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 345 */ + { 0x01, 350, 1, 4, "rsaSignature" }, /* 346 */ + { 0x02, 348, 0, 5, "rsaSigWithripemd160" }, /* 347 */ + { 0x03, 349, 0, 5, "rsaSigWithripemd128" }, /* 348 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 349 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 350 */ + { 0x01, 352, 0, 5, "ecSignWithsha1" }, /* 351 */ + { 0x02, 353, 0, 5, "ecSignWithripemd160" }, /* 352 */ + { 0x03, 354, 0, 5, "ecSignWithmd2" }, /* 353 */ + { 0x04, 355, 0, 5, "ecSignWithmd5" }, /* 354 */ + { 0x05, 372, 1, 5, "ttt-ecg" }, /* 355 */ + { 0x01, 360, 1, 6, "fieldType" }, /* 356 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 357 */ + { 0x01, 0, 1, 8, "basisType" }, /* 358 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 359 */ + { 0x02, 362, 1, 6, "keyType" }, /* 360 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 361 */ + { 0x03, 363, 0, 6, "curve" }, /* 362 */ + { 0x04, 370, 1, 6, "signatures" }, /* 363 */ + { 0x01, 365, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 364 */ + { 0x02, 366, 0, 7, "ecgdsa-with-SHA1" }, /* 365 */ + { 0x03, 367, 0, 7, "ecgdsa-with-SHA224" }, /* 366 */ + { 0x04, 368, 0, 7, "ecgdsa-with-SHA256" }, /* 367 */ + { 0x05, 369, 0, 7, "ecgdsa-with-SHA384" }, /* 368 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 369 */ + { 0x05, 0, 1, 6, "module" }, /* 370 */ + { 0x01, 0, 0, 7, "1" }, /* 371 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 372 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 373 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 374 */ + { 0x01, 376, 0, 8, "brainpoolP160r1" }, /* 375 */ + { 0x02, 377, 0, 8, "brainpoolP160t1" }, /* 376 */ + { 0x03, 378, 0, 8, "brainpoolP192r1" }, /* 377 */ + { 0x04, 379, 0, 8, "brainpoolP192t1" }, /* 378 */ + { 0x05, 380, 0, 8, "brainpoolP224r1" }, /* 379 */ + { 0x06, 381, 0, 8, "brainpoolP224t1" }, /* 380 */ + { 0x07, 382, 0, 8, "brainpoolP256r1" }, /* 381 */ + { 0x08, 383, 0, 8, "brainpoolP256t1" }, /* 382 */ + { 0x09, 384, 0, 8, "brainpoolP320r1" }, /* 383 */ + { 0x0A, 385, 0, 8, "brainpoolP320t1" }, /* 384 */ + { 0x0B, 386, 0, 8, "brainpoolP384r1" }, /* 385 */ + { 0x0C, 387, 0, 8, "brainpoolP384t1" }, /* 386 */ + { 0x0D, 388, 0, 8, "brainpoolP512r1" }, /* 387 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 388 */ + { 0x65, 392, 1, 1, "Thawte" }, /* 389 */ + { 0x70, 391, 0, 2, "id-Ed25519" }, /* 390 */ + { 0x71, 0, 0, 2, "id-Ed448" }, /* 391 */ + { 0x81, 0, 1, 1, "" }, /* 392 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 393 */ + { 0x00, 0, 1, 3, "curve" }, /* 394 */ + { 0x01, 396, 0, 4, "sect163k1" }, /* 395 */ + { 0x02, 397, 0, 4, "sect163r1" }, /* 396 */ + { 0x03, 398, 0, 4, "sect239k1" }, /* 397 */ + { 0x04, 399, 0, 4, "sect113r1" }, /* 398 */ + { 0x05, 400, 0, 4, "sect113r2" }, /* 399 */ + { 0x06, 401, 0, 4, "secp112r1" }, /* 400 */ + { 0x07, 402, 0, 4, "secp112r2" }, /* 401 */ + { 0x08, 403, 0, 4, "secp160r1" }, /* 402 */ + { 0x09, 404, 0, 4, "secp160k1" }, /* 403 */ + { 0x0A, 405, 0, 4, "secp256k1" }, /* 404 */ + { 0x0F, 406, 0, 4, "sect163r2" }, /* 405 */ + { 0x10, 407, 0, 4, "sect283k1" }, /* 406 */ + { 0x11, 408, 0, 4, "sect283r1" }, /* 407 */ + { 0x16, 409, 0, 4, "sect131r1" }, /* 408 */ + { 0x17, 410, 0, 4, "sect131r2" }, /* 409 */ + { 0x18, 411, 0, 4, "sect193r1" }, /* 410 */ + { 0x19, 412, 0, 4, "sect193r2" }, /* 411 */ + { 0x1A, 413, 0, 4, "sect233k1" }, /* 412 */ + { 0x1B, 414, 0, 4, "sect233r1" }, /* 413 */ + { 0x1C, 415, 0, 4, "secp128r1" }, /* 414 */ + { 0x1D, 416, 0, 4, "secp128r2" }, /* 415 */ + { 0x1E, 417, 0, 4, "secp160r2" }, /* 416 */ + { 0x1F, 418, 0, 4, "secp192k1" }, /* 417 */ + { 0x20, 419, 0, 4, "secp224k1" }, /* 418 */ + { 0x21, 420, 0, 4, "secp224r1" }, /* 419 */ + { 0x22, 421, 0, 4, "secp384r1" }, /* 420 */ + { 0x23, 422, 0, 4, "secp521r1" }, /* 421 */ + { 0x24, 423, 0, 4, "sect409k1" }, /* 422 */ + { 0x25, 424, 0, 4, "sect409r1" }, /* 423 */ + { 0x26, 425, 0, 4, "sect571k1" }, /* 424 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 425 */ + {0x60, 489, 1, 0, "" }, /* 426 */ + { 0x86, 0, 1, 1, "" }, /* 427 */ + { 0x48, 0, 1, 2, "" }, /* 428 */ + { 0x01, 0, 1, 3, "organization" }, /* 429 */ + { 0x65, 465, 1, 4, "gov" }, /* 430 */ + { 0x03, 0, 1, 5, "csor" }, /* 431 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 432 */ + { 0x01, 443, 1, 7, "aes" }, /* 433 */ + { 0x02, 435, 0, 8, "id-aes128-CBC" }, /* 434 */ + { 0x06, 436, 0, 8, "id-aes128-GCM" }, /* 435 */ + { 0x07, 437, 0, 8, "id-aes128-CCM" }, /* 436 */ + { 0x16, 438, 0, 8, "id-aes192-CBC" }, /* 437 */ + { 0x1A, 439, 0, 8, "id-aes192-GCM" }, /* 438 */ + { 0x1B, 440, 0, 8, "id-aes192-CCM" }, /* 439 */ + { 0x2A, 441, 0, 8, "id-aes256-CBC" }, /* 440 */ + { 0x2E, 442, 0, 8, "id-aes256-GCM" }, /* 441 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 442 */ + { 0x02, 456, 1, 7, "hashAlgs" }, /* 443 */ + { 0x01, 445, 0, 8, "id-sha256" }, /* 444 */ + { 0x02, 446, 0, 8, "id-sha384" }, /* 445 */ + { 0x03, 447, 0, 8, "id-sha512" }, /* 446 */ + { 0x04, 448, 0, 8, "id-sha224" }, /* 447 */ + { 0x05, 449, 0, 8, "id-sha512-224" }, /* 448 */ + { 0x06, 450, 0, 8, "id-sha512-256" }, /* 449 */ + { 0x07, 451, 0, 8, "id-sha3-224" }, /* 450 */ + { 0x08, 452, 0, 8, "id-sha3-256" }, /* 451 */ + { 0x09, 453, 0, 8, "id-sha3-384" }, /* 452 */ + { 0x0A, 454, 0, 8, "id-sha3-512" }, /* 453 */ + { 0x0B, 455, 0, 8, "id-shake128" }, /* 454 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 455 */ + { 0x03, 0, 1, 7, "sigAlgs" }, /* 456 */ + { 0x09, 458, 0, 8, "id-ecdsa-with-sha3-224" }, /* 457 */ + { 0x0A, 459, 0, 8, "id-ecdsa-with-sha3-256" }, /* 458 */ + { 0x0B, 460, 0, 8, "id-ecdsa-with-sha3-384" }, /* 459 */ + { 0x0C, 461, 0, 8, "id-ecdsa-with-sha3-512" }, /* 460 */ + { 0x0D, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 461 */ + { 0x0E, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 462 */ + { 0x0F, 464, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 463 */ + { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 464 */ + { 0x86, 0, 1, 4, "" }, /* 465 */ + { 0xf8, 0, 1, 5, "" }, /* 466 */ + { 0x42, 479, 1, 6, "netscape" }, /* 467 */ + { 0x01, 474, 1, 7, "" }, /* 468 */ + { 0x01, 470, 0, 8, "nsCertType" }, /* 469 */ + { 0x03, 471, 0, 8, "nsRevocationUrl" }, /* 470 */ + { 0x04, 472, 0, 8, "nsCaRevocationUrl" }, /* 471 */ + { 0x08, 473, 0, 8, "nsCaPolicyUrl" }, /* 472 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 473 */ + { 0x03, 477, 1, 7, "directory" }, /* 474 */ + { 0x01, 0, 1, 8, "" }, /* 475 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 476 */ + { 0x04, 0, 1, 7, "policy" }, /* 477 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 478 */ + { 0x45, 0, 1, 6, "verisign" }, /* 479 */ + { 0x01, 0, 1, 7, "pki" }, /* 480 */ + { 0x09, 0, 1, 8, "attributes" }, /* 481 */ + { 0x02, 483, 0, 9, "messageType" }, /* 482 */ + { 0x03, 484, 0, 9, "pkiStatus" }, /* 483 */ + { 0x04, 485, 0, 9, "failInfo" }, /* 484 */ + { 0x05, 486, 0, 9, "senderNonce" }, /* 485 */ + { 0x06, 487, 0, 9, "recipientNonce" }, /* 486 */ + { 0x07, 488, 0, 9, "transID" }, /* 487 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 488 */ + {0x67, 0, 1, 0, "" }, /* 489 */ + { 0x81, 0, 1, 1, "" }, /* 490 */ + { 0x05, 0, 1, 2, "" }, /* 491 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 492 */ + { 0x01, 494, 0, 4, "tcg-at-tpmManufacturer" }, /* 493 */ + { 0x02, 495, 0, 4, "tcg-at-tpmModel" }, /* 494 */ + { 0x03, 496, 0, 4, "tcg-at-tpmVersion" }, /* 495 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 496 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 0e9b7ea24..230fe2f87 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -167,110 +167,110 @@ extern const oid_t oid_names[]; #define OID_BLOWFISH_CBC 247 #define OID_AUTHORITY_INFO_ACCESS 291 #define OID_IP_ADDR_BLOCKS 293 -#define OID_POLICY_QUALIFIER_CPS 295 -#define OID_POLICY_QUALIFIER_UNOTICE 296 -#define OID_SERVER_AUTH 298 -#define OID_CLIENT_AUTH 299 -#define OID_OCSP_SIGNING 306 -#define OID_XMPP_ADDR 312 -#define OID_AUTHENTICATION_INFO 316 -#define OID_ACCESS_IDENTITY 317 -#define OID_CHARGING_IDENTITY 318 -#define OID_GROUP 319 -#define OID_OCSP 322 -#define OID_BASIC 323 -#define OID_NONCE 324 -#define OID_CRL 325 -#define OID_RESPONSE 326 -#define OID_NO_CHECK 327 -#define OID_ARCHIVE_CUTOFF 328 -#define OID_SERVICE_LOCATOR 329 -#define OID_CA_ISSUERS 330 -#define OID_IKE_INTERMEDIATE 335 -#define OID_DES_CBC 339 -#define OID_SHA1 340 -#define OID_SHA1_WITH_RSA_OIW 341 -#define OID_ECGDSA_PUBKEY 360 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 363 -#define OID_ECGDSA_SIG_WITH_SHA1 364 -#define OID_ECGDSA_SIG_WITH_SHA224 365 -#define OID_ECGDSA_SIG_WITH_SHA256 366 -#define OID_ECGDSA_SIG_WITH_SHA384 367 -#define OID_ECGDSA_SIG_WITH_SHA512 368 -#define OID_ED25519 389 -#define OID_ED448 390 -#define OID_SECT163K1 394 -#define OID_SECT163R1 395 -#define OID_SECT239K1 396 -#define OID_SECT113R1 397 -#define OID_SECT113R2 398 -#define OID_SECT112R1 399 -#define OID_SECT112R2 400 -#define OID_SECT160R1 401 -#define OID_SECT160K1 402 -#define OID_SECT256K1 403 -#define OID_SECT163R2 404 -#define OID_SECT283K1 405 -#define OID_SECT283R1 406 -#define OID_SECT131R1 407 -#define OID_SECT131R2 408 -#define OID_SECT193R1 409 -#define OID_SECT193R2 410 -#define OID_SECT233K1 411 -#define OID_SECT233R1 412 -#define OID_SECT128R1 413 -#define OID_SECT128R2 414 -#define OID_SECT160R2 415 -#define OID_SECT192K1 416 -#define OID_SECT224K1 417 -#define OID_SECT224R1 418 -#define OID_SECT384R1 419 -#define OID_SECT521R1 420 -#define OID_SECT409K1 421 -#define OID_SECT409R1 422 -#define OID_SECT571K1 423 -#define OID_SECT571R1 424 -#define OID_AES128_CBC 433 -#define OID_AES128_GCM 434 -#define OID_AES128_CCM 435 -#define OID_AES192_CBC 436 -#define OID_AES192_GCM 437 -#define OID_AES192_CCM 438 -#define OID_AES256_CBC 439 -#define OID_AES256_GCM 440 -#define OID_AES256_CCM 441 -#define OID_SHA256 443 -#define OID_SHA384 444 -#define OID_SHA512 445 -#define OID_SHA224 446 -#define OID_SHA3_224 449 -#define OID_SHA3_256 450 -#define OID_SHA3_384 451 -#define OID_SHA3_512 452 -#define OID_ECDSA_WITH_SHA3_224 456 -#define OID_ECDSA_WITH_SHA3_256 457 -#define OID_ECDSA_WITH_SHA3_384 458 -#define OID_ECDSA_WITH_SHA3_512 459 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 460 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 461 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 462 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 463 -#define OID_NS_REVOCATION_URL 469 -#define OID_NS_CA_REVOCATION_URL 470 -#define OID_NS_CA_POLICY_URL 471 -#define OID_NS_COMMENT 472 -#define OID_EMPLOYEE_NUMBER 475 -#define OID_PKI_MESSAGE_TYPE 481 -#define OID_PKI_STATUS 482 -#define OID_PKI_FAIL_INFO 483 -#define OID_PKI_SENDER_NONCE 484 -#define OID_PKI_RECIPIENT_NONCE 485 -#define OID_PKI_TRANS_ID 486 -#define OID_TPM_MANUFACTURER 492 -#define OID_TPM_MODEL 493 -#define OID_TPM_VERSION 494 -#define OID_TPM_ID_LABEL 495 +#define OID_POLICY_QUALIFIER_CPS 296 +#define OID_POLICY_QUALIFIER_UNOTICE 297 +#define OID_SERVER_AUTH 299 +#define OID_CLIENT_AUTH 300 +#define OID_OCSP_SIGNING 307 +#define OID_XMPP_ADDR 313 +#define OID_AUTHENTICATION_INFO 317 +#define OID_ACCESS_IDENTITY 318 +#define OID_CHARGING_IDENTITY 319 +#define OID_GROUP 320 +#define OID_OCSP 323 +#define OID_BASIC 324 +#define OID_NONCE 325 +#define OID_CRL 326 +#define OID_RESPONSE 327 +#define OID_NO_CHECK 328 +#define OID_ARCHIVE_CUTOFF 329 +#define OID_SERVICE_LOCATOR 330 +#define OID_CA_ISSUERS 331 +#define OID_IKE_INTERMEDIATE 336 +#define OID_DES_CBC 340 +#define OID_SHA1 341 +#define OID_SHA1_WITH_RSA_OIW 342 +#define OID_ECGDSA_PUBKEY 361 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 364 +#define OID_ECGDSA_SIG_WITH_SHA1 365 +#define OID_ECGDSA_SIG_WITH_SHA224 366 +#define OID_ECGDSA_SIG_WITH_SHA256 367 +#define OID_ECGDSA_SIG_WITH_SHA384 368 +#define OID_ECGDSA_SIG_WITH_SHA512 369 +#define OID_ED25519 390 +#define OID_ED448 391 +#define OID_SECT163K1 395 +#define OID_SECT163R1 396 +#define OID_SECT239K1 397 +#define OID_SECT113R1 398 +#define OID_SECT113R2 399 +#define OID_SECT112R1 400 +#define OID_SECT112R2 401 +#define OID_SECT160R1 402 +#define OID_SECT160K1 403 +#define OID_SECT256K1 404 +#define OID_SECT163R2 405 +#define OID_SECT283K1 406 +#define OID_SECT283R1 407 +#define OID_SECT131R1 408 +#define OID_SECT131R2 409 +#define OID_SECT193R1 410 +#define OID_SECT193R2 411 +#define OID_SECT233K1 412 +#define OID_SECT233R1 413 +#define OID_SECT128R1 414 +#define OID_SECT128R2 415 +#define OID_SECT160R2 416 +#define OID_SECT192K1 417 +#define OID_SECT224K1 418 +#define OID_SECT224R1 419 +#define OID_SECT384R1 420 +#define OID_SECT521R1 421 +#define OID_SECT409K1 422 +#define OID_SECT409R1 423 +#define OID_SECT571K1 424 +#define OID_SECT571R1 425 +#define OID_AES128_CBC 434 +#define OID_AES128_GCM 435 +#define OID_AES128_CCM 436 +#define OID_AES192_CBC 437 +#define OID_AES192_GCM 438 +#define OID_AES192_CCM 439 +#define OID_AES256_CBC 440 +#define OID_AES256_GCM 441 +#define OID_AES256_CCM 442 +#define OID_SHA256 444 +#define OID_SHA384 445 +#define OID_SHA512 446 +#define OID_SHA224 447 +#define OID_SHA3_224 450 +#define OID_SHA3_256 451 +#define OID_SHA3_384 452 +#define OID_SHA3_512 453 +#define OID_ECDSA_WITH_SHA3_224 457 +#define OID_ECDSA_WITH_SHA3_256 458 +#define OID_ECDSA_WITH_SHA3_384 459 +#define OID_ECDSA_WITH_SHA3_512 460 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 461 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 462 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 463 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 464 +#define OID_NS_REVOCATION_URL 470 +#define OID_NS_CA_REVOCATION_URL 471 +#define OID_NS_CA_POLICY_URL 472 +#define OID_NS_COMMENT 473 +#define OID_EMPLOYEE_NUMBER 476 +#define OID_PKI_MESSAGE_TYPE 482 +#define OID_PKI_STATUS 483 +#define OID_PKI_FAIL_INFO 484 +#define OID_PKI_SENDER_NONCE 485 +#define OID_PKI_RECIPIENT_NONCE 486 +#define OID_PKI_TRANS_ID 487 +#define OID_TPM_MANUFACTURER 493 +#define OID_TPM_MODEL 494 +#define OID_TPM_VERSION 495 +#define OID_TPM_ID_LABEL 496 -#define OID_MAX 496 +#define OID_MAX 497 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 9583baa5e..369f6f899 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -292,6 +292,7 @@ 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS 0x03 "qcStatements" 0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS + 0x18 "tlsfeature" 0x02 "id-qt" 0x01 "cps" OID_POLICY_QUALIFIER_CPS 0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h index 246b9a5c5..c99cb836b 100644 --- a/src/libstrongswan/collections/linked_list.h +++ b/src/libstrongswan/collections/linked_list.h @@ -195,7 +195,7 @@ struct linked_list_t { * If a linked list contains objects with function pointers, * invoke() can call a method on each of the objects. The * method is specified by an offset of the function pointer, - * which can be evalutated at compile time using the offsetof + * which can be evaluated at compile time using the offsetof * macro, e.g.: list->invoke(list, offsetof(object_t, method)); * * @param offset offset of the method to invoke on objects diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index d1be7b401..278c67405 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -73,9 +73,6 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_RSA_STRENGTH: - case AUTH_RULE_ECDSA_STRENGTH: - case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_IDENTITY: case AUTH_RULE_IDENTITY_LOOSE: case AUTH_RULE_EAP_IDENTITY: @@ -94,6 +91,9 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: @@ -737,8 +737,8 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, } enumerator->destroy(enumerator); - /* if no explicit IKE signature contraints were added we add them for all - * configured signature contraints */ + /* if no explicit IKE signature constraints were added we add them for all + * configured signature constraints */ if (ike && !ike_added && lib->settings->get_bool(lib->settings, "%s.signature_authentication_constraints", TRUE, diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c index 303816391..d6523821e 100644 --- a/src/libstrongswan/credentials/cred_encoding.c +++ b/src/libstrongswan/credentials/cred_encoding.c @@ -39,7 +39,7 @@ struct private_cred_encoding_t { hashtable_t *cache[CRED_ENCODING_MAX]; /** - * Registered encoding fuctions, cred_encoder_t + * Registered encoding functions, cred_encoder_t */ linked_list_t *encoders; diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c index 6b4d22e7b..8f42fb940 100644 --- a/src/libstrongswan/credentials/keys/signature_params.c +++ b/src/libstrongswan/credentials/keys/signature_params.c @@ -280,13 +280,17 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) case RSASSA_PSS_PARAMS_MGF_ALG: if (object.len) { - chunk_t hash; + chunk_t hash = chunk_empty; alg = asn1_parse_algorithmIdentifier(object, level, &hash); if (alg != OID_MGF1) { goto end; } + if (!hash.len) + { + goto end; + } alg = asn1_parse_algorithmIdentifier(hash, level+1, NULL); params->mgf1_hash = hasher_algorithm_from_oid(alg); if (params->mgf1_hash == HASH_UNKNOWN) diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 0e64f0350..f1579c60a 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -239,7 +239,7 @@ METHOD(cert_cache_t, issued_by, bool, } /** - * certificate enumerator implemenation + * certificate enumerator implementation */ typedef struct { /** implements enumerator_t interface */ diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c new file mode 100644 index 000000000..bb0a02b59 --- /dev/null +++ b/src/libstrongswan/crypto/proposal/proposal.c @@ -0,0 +1,1134 @@ +/* + * Copyright (C) 2008-2018 Tobias Brunner + * Copyright (C) 2006-2010 Martin Willi + * Copyright (C) 2013-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> + +#include "proposal.h" + +#include <collections/array.h> +#include <utils/identification.h> + +#include <crypto/transform.h> +#include <crypto/prfs/prf.h> +#include <crypto/crypters/crypter.h> +#include <crypto/signers/signer.h> + +ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP, + "PROTO_NONE", + "IKE", + "AH", + "ESP", + "IPCOMP", +); + +typedef struct private_proposal_t private_proposal_t; + +/** + * Private data of an proposal_t object + */ +struct private_proposal_t { + + /** + * Public part + */ + proposal_t public; + + /** + * protocol (ESP or AH) + */ + protocol_id_t protocol; + + /** + * Priority ordered list of transforms, as entry_t + */ + array_t *transforms; + + /** + * senders SPI + */ + uint64_t spi; + + /** + * Proposal number + */ + u_int number; +}; + +/** + * Struct used to store different kinds of algorithms. + */ +typedef struct { + /** Type of the transform */ + transform_type_t type; + /** algorithm identifier */ + uint16_t alg; + /** key size in bits, or zero if not needed */ + uint16_t key_size; +} entry_t; + +METHOD(proposal_t, add_algorithm, void, + private_proposal_t *this, transform_type_t type, + uint16_t alg, uint16_t key_size) +{ + entry_t entry = { + .type = type, + .alg = alg, + .key_size = key_size, + }; + + array_insert(this->transforms, ARRAY_TAIL, &entry); +} + +CALLBACK(alg_filter, bool, + uintptr_t type, enumerator_t *orig, va_list args) +{ + entry_t *entry; + uint16_t *alg, *key_size; + + VA_ARGS_VGET(args, alg, key_size); + + while (orig->enumerate(orig, &entry)) + { + if (entry->type != type) + { + continue; + } + if (alg) + { + *alg = entry->alg; + } + if (key_size) + { + *key_size = entry->key_size; + } + return TRUE; + } + return FALSE; +} + +METHOD(proposal_t, create_enumerator, enumerator_t*, + private_proposal_t *this, transform_type_t type) +{ + return enumerator_create_filter( + array_create_enumerator(this->transforms), + alg_filter, (void*)(uintptr_t)type, NULL); +} + +METHOD(proposal_t, get_algorithm, bool, + private_proposal_t *this, transform_type_t type, + uint16_t *alg, uint16_t *key_size) +{ + enumerator_t *enumerator; + bool found = FALSE; + + enumerator = create_enumerator(this, type); + if (enumerator->enumerate(enumerator, alg, key_size)) + { + found = TRUE; + } + enumerator->destroy(enumerator); + + return found; +} + +METHOD(proposal_t, has_dh_group, bool, + private_proposal_t *this, diffie_hellman_group_t group) +{ + bool found = FALSE, any = FALSE; + enumerator_t *enumerator; + uint16_t current; + + enumerator = create_enumerator(this, DIFFIE_HELLMAN_GROUP); + while (enumerator->enumerate(enumerator, ¤t, NULL)) + { + any = TRUE; + if (current == group) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + if (!any && group == MODP_NONE) + { + found = TRUE; + } + return found; +} + +METHOD(proposal_t, promote_dh_group, bool, + private_proposal_t *this, diffie_hellman_group_t group) +{ + enumerator_t *enumerator; + entry_t *entry; + bool found = FALSE; + + enumerator = array_create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->type == DIFFIE_HELLMAN_GROUP && + entry->alg == group) + { + array_remove_at(this->transforms, enumerator); + found = TRUE; + } + } + enumerator->destroy(enumerator); + + if (found) + { + entry_t entry = { + .type = DIFFIE_HELLMAN_GROUP, + .alg = group, + }; + array_insert(this->transforms, ARRAY_HEAD, &entry); + } + return found; +} + +METHOD(proposal_t, strip_dh, void, + private_proposal_t *this, diffie_hellman_group_t keep) +{ + enumerator_t *enumerator; + entry_t *entry; + + enumerator = array_create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->type == DIFFIE_HELLMAN_GROUP && + entry->alg != keep) + { + array_remove_at(this->transforms, enumerator); + } + } + enumerator->destroy(enumerator); +} + +/** + * Select a matching proposal from this and other, insert into selected. + */ +static bool select_algo(private_proposal_t *this, proposal_t *other, + proposal_t *selected, transform_type_t type, bool priv) +{ + enumerator_t *e1, *e2; + uint16_t alg1, alg2, ks1, ks2; + bool found = FALSE, optional = FALSE; + + if (type == INTEGRITY_ALGORITHM && + selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) && + encryption_algorithm_is_aead(alg1)) + { + /* no integrity algorithm required, we have an AEAD */ + return TRUE; + } + if (type == DIFFIE_HELLMAN_GROUP) + { + optional = this->protocol == PROTO_ESP || this->protocol == PROTO_AH; + } + + e1 = create_enumerator(this, type); + e2 = other->create_enumerator(other, type); + if (!e1->enumerate(e1, &alg1, NULL)) + { + if (!e2->enumerate(e2, &alg2, NULL)) + { + found = TRUE; + } + else if (optional) + { + do + { /* if NONE is proposed, we accept the proposal */ + found = !alg2; + } + while (!found && e2->enumerate(e2, &alg2, NULL)); + } + } + else if (!e2->enumerate(e2, NULL, NULL)) + { + if (optional) + { + do + { /* if NONE is proposed, we accept the proposal */ + found = !alg1; + } + while (!found && e1->enumerate(e1, &alg1, NULL)); + } + } + + e1->destroy(e1); + e1 = create_enumerator(this, type); + /* compare algs, order of algs in "first" is preferred */ + while (!found && e1->enumerate(e1, &alg1, &ks1)) + { + e2->destroy(e2); + e2 = other->create_enumerator(other, type); + while (e2->enumerate(e2, &alg2, &ks2)) + { + if (alg1 == alg2 && ks1 == ks2) + { + if (!priv && alg1 >= 1024) + { + /* accept private use algorithms only if requested */ + DBG1(DBG_CFG, "an algorithm from private space would match, " + "but peer implementation is unknown, skipped"); + continue; + } + selected->add_algorithm(selected, type, alg1, ks1); + found = TRUE; + break; + } + } + } + /* no match in all comparisons */ + e1->destroy(e1); + e2->destroy(e2); + + if (!found) + { + DBG2(DBG_CFG, " no acceptable %N found", transform_type_names, type); + } + return found; +} + +METHOD(proposal_t, select_proposal, proposal_t*, + private_proposal_t *this, proposal_t *other, bool other_remote, + bool private) +{ + proposal_t *selected; + + DBG2(DBG_CFG, "selecting proposal:"); + + if (this->protocol != other->get_protocol(other)) + { + DBG2(DBG_CFG, " protocol mismatch, skipping"); + return NULL; + } + + if (other_remote) + { + selected = proposal_create(this->protocol, other->get_number(other)); + selected->set_spi(selected, other->get_spi(other)); + } + else + { + selected = proposal_create(this->protocol, this->number); + selected->set_spi(selected, this->spi); + + } + + if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) || + !select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) || + !select_algo(this, other, selected, INTEGRITY_ALGORITHM, private) || + !select_algo(this, other, selected, DIFFIE_HELLMAN_GROUP, private) || + !select_algo(this, other, selected, EXTENDED_SEQUENCE_NUMBERS, private)) + { + selected->destroy(selected); + return NULL; + } + + DBG2(DBG_CFG, " proposal matches"); + return selected; +} + +METHOD(proposal_t, get_protocol, protocol_id_t, + private_proposal_t *this) +{ + return this->protocol; +} + +METHOD(proposal_t, set_spi, void, + private_proposal_t *this, uint64_t spi) +{ + this->spi = spi; +} + +METHOD(proposal_t, get_spi, uint64_t, + private_proposal_t *this) +{ + return this->spi; +} + +/** + * Check if two proposals have the same algorithms for a given transform type + */ +static bool algo_list_equals(private_proposal_t *this, proposal_t *other, + transform_type_t type) +{ + enumerator_t *e1, *e2; + uint16_t alg1, alg2, ks1, ks2; + bool equals = TRUE; + + e1 = create_enumerator(this, type); + e2 = other->create_enumerator(other, type); + while (e1->enumerate(e1, &alg1, &ks1)) + { + if (!e2->enumerate(e2, &alg2, &ks2)) + { + /* this has more algs */ + equals = FALSE; + break; + } + if (alg1 != alg2 || ks1 != ks2) + { + equals = FALSE; + break; + } + } + if (e2->enumerate(e2, &alg2, &ks2)) + { + /* other has more algs */ + equals = FALSE; + } + e1->destroy(e1); + e2->destroy(e2); + + return equals; +} + +METHOD(proposal_t, get_number, u_int, + private_proposal_t *this) +{ + return this->number; +} + +METHOD(proposal_t, equals, bool, + private_proposal_t *this, proposal_t *other) +{ + if (&this->public == other) + { + return TRUE; + } + return ( + algo_list_equals(this, other, ENCRYPTION_ALGORITHM) && + algo_list_equals(this, other, INTEGRITY_ALGORITHM) && + algo_list_equals(this, other, PSEUDO_RANDOM_FUNCTION) && + algo_list_equals(this, other, DIFFIE_HELLMAN_GROUP) && + algo_list_equals(this, other, EXTENDED_SEQUENCE_NUMBERS)); +} + +METHOD(proposal_t, clone_, proposal_t*, + private_proposal_t *this) +{ + private_proposal_t *clone; + enumerator_t *enumerator; + entry_t *entry; + + clone = (private_proposal_t*)proposal_create(this->protocol, 0); + + enumerator = array_create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &entry)) + { + array_insert(clone->transforms, ARRAY_TAIL, entry); + } + enumerator->destroy(enumerator); + + clone->spi = this->spi; + clone->number = this->number; + + return &clone->public; +} + +/** + * Map integrity algorithms to the PRF functions using the same algorithm. + */ +static const struct { + integrity_algorithm_t integ; + pseudo_random_function_t prf; +} integ_prf_map[] = { + {AUTH_HMAC_SHA1_96, PRF_HMAC_SHA1 }, + {AUTH_HMAC_SHA1_160, PRF_HMAC_SHA1 }, + {AUTH_HMAC_SHA2_256_128, PRF_HMAC_SHA2_256 }, + {AUTH_HMAC_SHA2_384_192, PRF_HMAC_SHA2_384 }, + {AUTH_HMAC_SHA2_512_256, PRF_HMAC_SHA2_512 }, + {AUTH_HMAC_MD5_96, PRF_HMAC_MD5 }, + {AUTH_HMAC_MD5_128, PRF_HMAC_MD5 }, + {AUTH_AES_XCBC_96, PRF_AES128_XCBC }, + {AUTH_CAMELLIA_XCBC_96, PRF_CAMELLIA128_XCBC }, + {AUTH_AES_CMAC_96, PRF_AES128_CMAC }, +}; + +/** + * Remove all entries of the given transform type + */ +static void remove_transform(private_proposal_t *this, transform_type_t type) +{ + enumerator_t *e; + entry_t *entry; + + e = array_create_enumerator(this->transforms); + while (e->enumerate(e, &entry)) + { + if (entry->type == type) + { + array_remove_at(this->transforms, e); + } + } + e->destroy(e); +} + +/** + * Checks the proposal read from a string. + */ +static bool check_proposal(private_proposal_t *this) +{ + enumerator_t *e; + entry_t *entry; + uint16_t alg, ks; + bool all_aead = TRUE, any_aead = FALSE, any_enc = FALSE; + int i; + + if (this->protocol == PROTO_IKE) + { + if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL)) + { /* No explicit PRF found. We assume the same algorithm as used + * for integrity checking. */ + e = create_enumerator(this, INTEGRITY_ALGORITHM); + while (e->enumerate(e, &alg, &ks)) + { + for (i = 0; i < countof(integ_prf_map); i++) + { + if (alg == integ_prf_map[i].integ) + { + add_algorithm(this, PSEUDO_RANDOM_FUNCTION, + integ_prf_map[i].prf, 0); + break; + } + } + } + e->destroy(e); + } + if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL)) + { + DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals"); + return FALSE; + } + /* remove MODP_NONE from IKE proposal */ + e = array_create_enumerator(this->transforms); + while (e->enumerate(e, &entry)) + { + if (entry->type == DIFFIE_HELLMAN_GROUP && !entry->alg) + { + array_remove_at(this->transforms, e); + } + } + e->destroy(e); + if (!get_algorithm(this, DIFFIE_HELLMAN_GROUP, NULL, NULL)) + { + DBG1(DBG_CFG, "a DH group is mandatory in IKE proposals"); + return FALSE; + } + } + else + { /* remove PRFs from ESP/AH proposals */ + remove_transform(this, PSEUDO_RANDOM_FUNCTION); + } + + if (this->protocol == PROTO_IKE || this->protocol == PROTO_ESP) + { + e = create_enumerator(this, ENCRYPTION_ALGORITHM); + while (e->enumerate(e, &alg, &ks)) + { + any_enc = TRUE; + if (encryption_algorithm_is_aead(alg)) + { + any_aead = TRUE; + continue; + } + all_aead = FALSE; + } + e->destroy(e); + + if (!any_enc) + { + DBG1(DBG_CFG, "an encryption algorithm is mandatory in %N proposals", + protocol_id_names, this->protocol); + return FALSE; + } + else if (any_aead && !all_aead) + { + DBG1(DBG_CFG, "classic and combined-mode (AEAD) encryption " + "algorithms can't be contained in the same %N proposal", + protocol_id_names, this->protocol); + return FALSE; + } + else if (all_aead) + { /* if all encryption algorithms in the proposal are AEADs, + * we MUST NOT propose any integrity algorithms */ + remove_transform(this, INTEGRITY_ALGORITHM); + } + } + else + { /* AES-GMAC is parsed as encryption algorithm, so we map that to the + * proper integrity algorithm */ + e = array_create_enumerator(this->transforms); + while (e->enumerate(e, &entry)) + { + if (entry->type == ENCRYPTION_ALGORITHM) + { + if (entry->alg == ENCR_NULL_AUTH_AES_GMAC) + { + entry->type = INTEGRITY_ALGORITHM; + ks = entry->key_size; + entry->key_size = 0; + switch (ks) + { + case 128: + entry->alg = AUTH_AES_128_GMAC; + continue; + case 192: + entry->alg = AUTH_AES_192_GMAC; + continue; + case 256: + entry->alg = AUTH_AES_256_GMAC; + continue; + default: + break; + } + } + /* remove all other encryption algorithms */ + array_remove_at(this->transforms, e); + } + } + e->destroy(e); + + if (!get_algorithm(this, INTEGRITY_ALGORITHM, NULL, NULL)) + { + DBG1(DBG_CFG, "an integrity algorithm is mandatory in AH " + "proposals"); + return FALSE; + } + } + + if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP) + { + if (!get_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NULL, NULL)) + { /* ESN not specified, assume not supported */ + add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); + } + } + + array_compress(this->transforms); + return TRUE; +} + +/** + * add a algorithm identified by a string to the proposal. + */ +static bool add_string_algo(private_proposal_t *this, const char *alg) +{ + const proposal_token_t *token; + + token = lib->proposal->get_token(lib->proposal, alg); + if (token == NULL) + { + DBG1(DBG_CFG, "algorithm '%s' not recognized", alg); + return FALSE; + } + + add_algorithm(this, token->type, token->algorithm, token->keysize); + + return TRUE; +} + +/** + * print all algorithms of a kind to buffer + */ +static int print_alg(private_proposal_t *this, printf_hook_data_t *data, + u_int kind, void *names, bool *first) +{ + enumerator_t *enumerator; + size_t written = 0; + uint16_t alg, size; + + enumerator = create_enumerator(this, kind); + while (enumerator->enumerate(enumerator, &alg, &size)) + { + if (*first) + { + written += print_in_hook(data, "%N", names, alg); + *first = FALSE; + } + else + { + written += print_in_hook(data, "/%N", names, alg); + } + if (size) + { + written += print_in_hook(data, "_%u", size); + } + } + enumerator->destroy(enumerator); + return written; +} + +/** + * Described in header. + */ +int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args) +{ + private_proposal_t *this = *((private_proposal_t**)(args[0])); + linked_list_t *list = *((linked_list_t**)(args[0])); + enumerator_t *enumerator; + size_t written = 0; + bool first = TRUE; + + if (this == NULL) + { + return print_in_hook(data, "(null)"); + } + + if (spec->hash) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &this)) + { /* call recursively */ + if (first) + { + written += print_in_hook(data, "%P", this); + first = FALSE; + } + else + { + written += print_in_hook(data, ", %P", this); + } + } + enumerator->destroy(enumerator); + return written; + } + + written = print_in_hook(data, "%N:", protocol_id_names, this->protocol); + written += print_alg(this, data, ENCRYPTION_ALGORITHM, + encryption_algorithm_names, &first); + written += print_alg(this, data, INTEGRITY_ALGORITHM, + integrity_algorithm_names, &first); + written += print_alg(this, data, PSEUDO_RANDOM_FUNCTION, + pseudo_random_function_names, &first); + written += print_alg(this, data, DIFFIE_HELLMAN_GROUP, + diffie_hellman_group_names, &first); + written += print_alg(this, data, EXTENDED_SEQUENCE_NUMBERS, + extended_sequence_numbers_names, &first); + return written; +} + +METHOD(proposal_t, destroy, void, + private_proposal_t *this) +{ + array_destroy(this->transforms); + free(this); +} + +/* + * Described in header + */ +proposal_t *proposal_create(protocol_id_t protocol, u_int number) +{ + private_proposal_t *this; + + INIT(this, + .public = { + .add_algorithm = _add_algorithm, + .create_enumerator = _create_enumerator, + .get_algorithm = _get_algorithm, + .has_dh_group = _has_dh_group, + .promote_dh_group = _promote_dh_group, + .strip_dh = _strip_dh, + .select = _select_proposal, + .get_protocol = _get_protocol, + .set_spi = _set_spi, + .get_spi = _get_spi, + .get_number = _get_number, + .equals = _equals, + .clone = _clone_, + .destroy = _destroy, + }, + .protocol = protocol, + .number = number, + .transforms = array_create(sizeof(entry_t), 0), + ); + + return &this->public; +} + +/** + * Add supported IKE algorithms to proposal + */ +static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +{ + enumerator_t *enumerator; + encryption_algorithm_t encryption; + integrity_algorithm_t integrity; + pseudo_random_function_t prf; + diffie_hellman_group_t group; + const char *plugin_name; + + if (aead) + { + /* Round 1 adds algorithms with at least 128 bit security strength */ + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) + { + switch (encryption) + { + case ENCR_AES_GCM_ICV16: + case ENCR_AES_CCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV16: + /* we assume that we support all AES/Camellia sizes */ + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + case ENCR_CHACHA20_POLY1305: + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 2 adds algorithms with less than 128 bit security strength */ + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) + { + switch (encryption) + { + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV8: + /* we assume that we support all AES/Camellia sizes */ + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (!array_count(this->transforms)) + { + return FALSE; + } + } + else + { + /* Round 1 adds algorithms with at least 128 bit security strength */ + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) + { + switch (encryption) + { + case ENCR_AES_CBC: + case ENCR_AES_CTR: + case ENCR_CAMELLIA_CBC: + case ENCR_CAMELLIA_CTR: + /* we assume that we support all AES/Camellia sizes */ + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 2 adds algorithms with less than 128 bit security strength */ + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) + { + switch (encryption) + { + case ENCR_3DES: + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0); + break; + case ENCR_DES: + /* no, thanks */ + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (!array_count(this->transforms)) + { + return FALSE; + } + + /* Round 1 adds algorithms with at least 128 bit security strength */ + enumerator = lib->crypto->create_signer_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) + { + switch (integrity) + { + case AUTH_HMAC_SHA2_256_128: + case AUTH_HMAC_SHA2_384_192: + case AUTH_HMAC_SHA2_512_256: + add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 2 adds algorithms with less than 128 bit security strength */ + enumerator = lib->crypto->create_signer_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) + { + switch (integrity) + { + case AUTH_AES_XCBC_96: + case AUTH_AES_CMAC_96: + case AUTH_HMAC_SHA1_96: + add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); + break; + case AUTH_HMAC_MD5_96: + /* no, thanks */ + default: + break; + } + } + enumerator->destroy(enumerator); + } + + /* Round 1 adds algorithms with at least 128 bit security strength */ + enumerator = lib->crypto->create_prf_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &prf, &plugin_name)) + { + switch (prf) + { + case PRF_HMAC_SHA2_256: + case PRF_HMAC_SHA2_384: + case PRF_HMAC_SHA2_512: + case PRF_AES128_XCBC: + case PRF_AES128_CMAC: + add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 2 adds algorithms with less than 128 bit security strength */ + enumerator = lib->crypto->create_prf_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &prf, &plugin_name)) + { + switch (prf) + { + case PRF_HMAC_SHA1: + add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); + break; + case PRF_HMAC_MD5: + /* no, thanks */ + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 1 adds ECC and NTRU algorithms with at least 128 bit security strength */ + enumerator = lib->crypto->create_dh_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &group, &plugin_name)) + { + switch (group) + { + case ECP_256_BIT: + case ECP_384_BIT: + case ECP_521_BIT: + case ECP_256_BP: + case ECP_384_BP: + case ECP_512_BP: + case CURVE_25519: + case CURVE_448: + case NTRU_128_BIT: + case NTRU_192_BIT: + case NTRU_256_BIT: + case NH_128_BIT: + add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 2 adds other algorithms with at least 128 bit security strength */ + enumerator = lib->crypto->create_dh_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &group, &plugin_name)) + { + switch (group) + { + case MODP_3072_BIT: + case MODP_4096_BIT: + case MODP_6144_BIT: + case MODP_8192_BIT: + add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* Round 3 adds algorithms with less than 128 bit security strength */ + enumerator = lib->crypto->create_dh_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &group, &plugin_name)) + { + switch (group) + { + case MODP_NULL: + /* only for testing purposes */ + break; + case MODP_768_BIT: + case MODP_1024_BIT: + case MODP_1536_BIT: + /* weak */ + break; + case MODP_1024_160: + case MODP_2048_224: + case MODP_2048_256: + /* RFC 5114 primes are of questionable source */ + break; + case ECP_224_BIT: + case ECP_224_BP: + case ECP_192_BIT: + case NTRU_112_BIT: + /* rarely used */ + break; + case MODP_2048_BIT: + add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + return TRUE; +} + +/* + * Described in header + */ +proposal_t *proposal_create_default(protocol_id_t protocol) +{ + private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); + + switch (protocol) + { + case PROTO_IKE: + if (!proposal_add_supported_ike(this, FALSE)) + { + destroy(this); + return NULL; + } + break; + case PROTO_ESP: + add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); + add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); + break; + case PROTO_AH: + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); + add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); + break; + default: + break; + } + return &this->public; +} + +/* + * Described in header + */ +proposal_t *proposal_create_default_aead(protocol_id_t protocol) +{ + private_proposal_t *this; + + switch (protocol) + { + case PROTO_IKE: + this = (private_proposal_t*)proposal_create(protocol, 0); + if (!proposal_add_supported_ike(this, TRUE)) + { + destroy(this); + return NULL; + } + return &this->public; + case PROTO_ESP: + /* we currently don't include any AEAD proposal for ESP, as we + * don't know if our kernel backend actually supports it. */ + return NULL; + case PROTO_AH: + default: + return NULL; + } +} + +/* + * Described in header + */ +proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs) +{ + private_proposal_t *this; + enumerator_t *enumerator; + bool failed = TRUE; + char *alg; + + this = (private_proposal_t*)proposal_create(protocol, 0); + + /* get all tokens, separated by '-' */ + enumerator = enumerator_create_token(algs, "-", " "); + while (enumerator->enumerate(enumerator, &alg)) + { + if (!add_string_algo(this, alg)) + { + failed = TRUE; + break; + } + failed = FALSE; + } + enumerator->destroy(enumerator); + + if (failed || !check_proposal(this)) + { + destroy(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/crypto/proposal/proposal.h b/src/libstrongswan/crypto/proposal/proposal.h new file mode 100644 index 000000000..0052674b9 --- /dev/null +++ b/src/libstrongswan/crypto/proposal/proposal.h @@ -0,0 +1,246 @@ +/* + * Copyright (C) 2009-2018 Tobias Brunner + * Copyright (C) 2006 Martin Willi + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup proposal proposal + * @{ @ingroup crypto + */ + +#ifndef PROPOSAL_H_ +#define PROPOSAL_H_ + +typedef enum protocol_id_t protocol_id_t; +typedef enum extended_sequence_numbers_t extended_sequence_numbers_t; +typedef struct proposal_t proposal_t; + +#include <library.h> +#include <utils/identification.h> +#include <collections/linked_list.h> +#include <networking/host.h> +#include <crypto/transform.h> +#include <crypto/crypters/crypter.h> +#include <crypto/signers/signer.h> +#include <crypto/diffie_hellman.h> +#include <selectors/traffic_selector.h> + +/** + * Protocol ID of a proposal. + */ +enum protocol_id_t { + PROTO_NONE = 0, + PROTO_IKE = 1, + PROTO_AH = 2, + PROTO_ESP = 3, + PROTO_IPCOMP = 4, /* IKEv1 only */ +}; + +/** + * enum names for protocol_id_t + */ +extern enum_name_t *protocol_id_names; + +/** + * Stores a set of algorithms used for an SA. + * + * A proposal stores algorithms for a specific + * protocol. It can store algorithms for one protocol. + * Proposals with multiple protocols are not supported, + * as it's not specified in RFC4301 anymore. + */ +struct proposal_t { + + /** + * Add an algorithm to the proposal. + * + * The algorithms are stored by priority, first added + * is the most preferred. + * Key size is only needed for encryption algorithms + * with variable key size (such as AES). Must be set + * to zero if key size is not specified. + * The alg parameter accepts encryption_algorithm_t, + * integrity_algorithm_t, dh_group_number_t and + * extended_sequence_numbers_t. + * + * @param type kind of algorithm + * @param alg identifier for algorithm + * @param key_size key size to use + */ + void (*add_algorithm) (proposal_t *this, transform_type_t type, + uint16_t alg, uint16_t key_size); + + /** + * Get an enumerator over algorithms for a specific algo type. + * + * @param type kind of algorithm + * @return enumerator over uint16_t alg, uint16_t key_size + */ + enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type); + + /** + * Get the algorithm for a type to use. + * + * If there are multiple algorithms, only the first is returned. + * + * @param type kind of algorithm + * @param alg pointer which receives algorithm + * @param key_size pointer which receives the key size + * @return TRUE if algorithm of this kind available + */ + bool (*get_algorithm) (proposal_t *this, transform_type_t type, + uint16_t *alg, uint16_t *key_size); + + /** + * Check if the proposal has a specific DH group. + * + * @param group group to check for + * @return TRUE if algorithm included + */ + bool (*has_dh_group)(proposal_t *this, diffie_hellman_group_t group); + + /** + * Move the given DH group to the front of the list if it was contained in + * the proposal. + * + * @param group group to promote + * @return TRUE if algorithm included + */ + bool (*promote_dh_group)(proposal_t *this, diffie_hellman_group_t group); + + /** + * Strip DH groups from proposal to use it without PFS. + * + * @param keep group to keep (MODP_NONE to remove all) + */ + void (*strip_dh)(proposal_t *this, diffie_hellman_group_t keep); + + /** + * Compare two proposal, and select a matching subset. + * + * If the proposals are for the same protocols (AH/ESP), they are + * compared. If they have at least one algorithm of each type + * in common, a resulting proposal of this kind is created. + * + * @param other proposal to compare against + * @param other_remote whether other is the remote proposal from which to + * copy SPI and proposal number to the result, + * otherwise copy from this proposal + * @param private accepts algorithms allocated in a private range + * @return selected proposal, NULL if proposals don't match + */ + proposal_t *(*select)(proposal_t *this, proposal_t *other, + bool other_remote, bool private); + + /** + * Get the protocol ID of the proposal. + * + * @return protocol of the proposal + */ + protocol_id_t (*get_protocol) (proposal_t *this); + + /** + * Get the SPI of the proposal. + * + * @return spi for proto + */ + uint64_t (*get_spi) (proposal_t *this); + + /** + * Set the SPI of the proposal. + * + * @param spi spi to set for proto + */ + void (*set_spi) (proposal_t *this, uint64_t spi); + + /** + * Get the proposal number, as encoded in SA payload + * + * @return proposal number + */ + u_int (*get_number)(proposal_t *this); + + /** + * Check for the eqality of two proposals. + * + * @param other other proposal to check for equality + * @return TRUE if other equal to this + */ + bool (*equals)(proposal_t *this, proposal_t *other); + + /** + * Clone a proposal. + * + * @return clone of proposal + */ + proposal_t *(*clone) (proposal_t *this); + + /** + * Destroys the proposal object. + */ + void (*destroy) (proposal_t *this); +}; + +/** + * Create a child proposal for AH, ESP or IKE. + * + * @param protocol protocol, such as PROTO_ESP + * @param number proposal number, as encoded in SA payload + * @return proposal_t object + */ +proposal_t *proposal_create(protocol_id_t protocol, u_int number); + +/** + * Create a default proposal if nothing further specified. + * + * @param protocol protocol, such as PROTO_ESP + * @return proposal_t object + */ +proposal_t *proposal_create_default(protocol_id_t protocol); + +/** + * Create a default proposal for supported AEAD algorithms + * + * @param protocol protocol, such as PROTO_ESP + * @return proposal_t object, NULL if none supported + */ +proposal_t *proposal_create_default_aead(protocol_id_t protocol); + +/** + * Create a proposal from a string identifying the algorithms. + * + * The string is in the same form as a in the ipsec.conf file. + * E.g.: aes128-sha2_256-modp2048 + * 3des-md5 + * An additional '!' at the end of the string forces this proposal, + * without it the peer may choose another algorithm we support. + * + * @param protocol protocol, such as PROTO_ESP + * @param algs algorithms as string + * @return proposal_t object + */ +proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs); + +/** + * printf hook function for proposal_t. + * + * Arguments are: + * proposal_t *proposal + * With the #-specifier, arguments are: + * linked_list_t *list containing proposal_t* + */ +int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args); + +#endif /** PROPOSAL_H_ @}*/ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h index 856abdce6..b062221e5 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords.h +++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h @@ -37,7 +37,7 @@ /** * @defgroup proposal_keywords proposal_keywords - * @{ @ingroup crypto + * @{ @ingroup proposal */ #ifndef PROPOSAL_KEYWORDS_H_ diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c index 64b5dbe51..2b7295e3d 100644 --- a/src/libstrongswan/eap/eap.c +++ b/src/libstrongswan/eap/eap.c @@ -157,6 +157,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str) type = eap_type_from_string(part); if (!type) { + errno = 0; type = strtoul(part, &end, 0); if (*end != '\0' || errno) { @@ -166,6 +167,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str) } continue; } + errno = 0; vendor = strtoul(part, &end, 0); if (*end != '\0' || errno) { diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c index 68c3935b9..c992eb5ad 100644 --- a/src/libstrongswan/ipsec/ipsec_types.c +++ b/src/libstrongswan/ipsec/ipsec_types.c @@ -104,7 +104,10 @@ bool mark_from_string(const char *value, mark_t *mark) { mark->mask = 0xffffffff; } - /* apply the mask to ensure the value is in range */ - mark->value &= mark->mask; + if (!MARK_IS_UNIQUE(mark->value)) + { + /* apply the mask to ensure the value is in range */ + mark->value &= mark->mask; + } return TRUE; } diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 7944b9356..dbdf5cfe9 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -26,6 +26,7 @@ #include <collections/hashtable.h> #include <utils/backtrace.h> #include <selectors/traffic_selector.h> +#include <crypto/proposal/proposal.h> #define CHECKSUM_LIBRARY IPSEC_LIB_DIR"/libchecksum.so" @@ -369,6 +370,8 @@ bool library_init(char *settings, const char *namespace) PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'R', traffic_selector_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); + pfh->add_handler(pfh, 'P', proposal_printf_hook, + PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); this->objects = hashtable_create((hashtable_hash_t)hash, (hashtable_equals_t)equals, 4); diff --git a/src/libstrongswan/plugins/blowfish/bf_enc.c b/src/libstrongswan/plugins/blowfish/bf_enc.c index ebcc5dbdf..f9591c1a4 100644 --- a/src/libstrongswan/plugins/blowfish/bf_enc.c +++ b/src/libstrongswan/plugins/blowfish/bf_enc.c @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/bf_locl.h b/src/libstrongswan/plugins/blowfish/bf_locl.h index 1375a0aa9..e5f49280b 100644 --- a/src/libstrongswan/plugins/blowfish/bf_locl.h +++ b/src/libstrongswan/plugins/blowfish/bf_locl.h @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/bf_pi.h b/src/libstrongswan/plugins/blowfish/bf_pi.h index 79d23db6c..86c2ef366 100644 --- a/src/libstrongswan/plugins/blowfish/bf_pi.h +++ b/src/libstrongswan/plugins/blowfish/bf_pi.h @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/bf_skey.c b/src/libstrongswan/plugins/blowfish/bf_skey.c index ceec3b8d4..52a051890 100644 --- a/src/libstrongswan/plugins/blowfish/bf_skey.c +++ b/src/libstrongswan/plugins/blowfish/bf_skey.c @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/blowfish.h b/src/libstrongswan/plugins/blowfish/blowfish.h index 9aa30df4b..3c8f77a0f 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish.h +++ b/src/libstrongswan/plugins/blowfish/blowfish.h @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c index 1708e078d..6d8d1d709 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c @@ -6,7 +6,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -31,7 +31,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c index d236bd429..cb5064d90 100644 --- a/src/libstrongswan/plugins/des/des_crypter.c +++ b/src/libstrongswan/plugins/des/des_crypter.c @@ -13,7 +13,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. + * the following conditions are adhered to. * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. @@ -34,7 +34,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: @@ -309,7 +309,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! #endif /* The changes to this macro may help or hinder, depending on the - * compiler and the achitecture. gcc2 always seems to do well :-). + * compiler and the architecture. gcc2 always seems to do well :-). * Inspired by Dana How <how@isl.stanford.edu> * DO NOT use the alternative version on machines with 8 byte longs. * It does not seem to work on the Alpha, even when DES_LONG is 4 diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index aca232c86..241ef7d3b 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -936,7 +936,12 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this) bool success = FALSE; gmp_randinit_default(rstate); - mpz_inits(k, r, g, y, n1, x, NULL); + mpz_init(k); + mpz_init(r); + mpz_init(g); + mpz_init(y); + mpz_init(n1); + mpz_init(x); /* k = (d * e) - 1 */ mpz_mul(k, *this->d, this->e); mpz_sub_ui(k, k, 1); @@ -956,7 +961,7 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this) { /* generate random integer g in [0, n-1] */ mpz_urandomm(g, rstate, this->n); /* y = g^r mod n */ - mpz_powm_sec(y, g, r, this->n); + mpz_powm(y, g, r, this->n); /* try again if y == 1 or y == n-1 */ if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, n1) == 0) { diff --git a/src/libstrongswan/plugins/newhope/newhope_ke.c b/src/libstrongswan/plugins/newhope/newhope_ke.c index 28956d5fb..72b7e034c 100644 --- a/src/libstrongswan/plugins/newhope/newhope_ke.c +++ b/src/libstrongswan/plugins/newhope/newhope_ke.c @@ -246,7 +246,7 @@ static uint32_t* multiply_ntt_inv_poly(private_newhope_ke_t *this, uint32_t *b) } /** - * Pack four 2-bit coefficents into one byte + * Pack four 2-bit coefficients into one byte */ static void pack_rec(private_newhope_ke_t *this, uint8_t *x, uint8_t *r) { diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c index ca6899786..efcd2b30a 100644 --- a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c +++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c @@ -202,7 +202,7 @@ pkcs7_attributes_t *pkcs7_attributes_create(void) } /** - * ASN.1 definition of the X.501 atttribute type + * ASN.1 definition of the X.501 attribute type */ static const asn1Object_t attributesObjects[] = { { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h index 92a860615..156bd8656 100644 --- a/src/libstrongswan/plugins/plugin_loader.h +++ b/src/libstrongswan/plugins/plugin_loader.h @@ -76,7 +76,7 @@ struct plugin_loader_t { * If \<ns>.load_modular is enabled (where \<ns> is lib->ns) the plugins to * load are determined via a load option in their respective plugin config * section e.g. \<ns>.plugins.\<plugin>.load = <priority|bool>. - * The oder is determined by the configured priority. If two plugins have + * The order is determined by the configured priority. If two plugins have * the same priority the order as seen in list is preserved. Plugins not * found in list are loaded first, in alphabetical order. * diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 16ee0ecc7..1b68320df 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -444,7 +444,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, enumerator_t *enumerator; time_t revocation; crl_reason_t reason; - chunk_t serial; + chunk_t subject_serial, serial; crl_t *crl = (crl_t*)cand; if (base) @@ -473,10 +473,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, return best; } + subject_serial = chunk_skip_zero(subject->get_serial(subject)); enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { - if (chunk_equals(serial, subject->get_serial(subject))) + if (chunk_equals(subject_serial, chunk_skip_zero(serial))) { if (reason != CRL_REASON_CERTIFICATE_HOLD) { diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h index 1cd96d976..239487dae 100644 --- a/src/libstrongswan/processing/scheduler.h +++ b/src/libstrongswan/processing/scheduler.h @@ -45,7 +45,7 @@ typedef struct scheduler_t scheduler_t; * in-between got slower, as the number of events grew larger (O(n)). * For each connection there could be several events: IKE-rekey, NAT-keepalive, * retransmissions, expire (half-open), and others. So a gateway that probably - * has to handle thousands of concurrent connnections has to be able to queue a + * has to handle thousands of concurrent connections has to be able to queue a * large number of events as fast as possible. Locking makes this even worse, to * provide thread-safety, no events can be processed, while an event is queued, * so making the insertion fast is even more important. @@ -97,13 +97,13 @@ struct scheduler_t { void (*schedule_job_ms) (scheduler_t *this, job_t *job, uint32_t ms); /** - * Adds a event to the queue, using an absolut time. + * Adds a event to the queue, using an absolute time. * * The passed timeval should be calculated based on the time_monotonic() * function. * * @param job job to schedule - * @param time absolut time to schedule job + * @param time absolute time to schedule job */ void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv); diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 07f5eb5f2..5737e7a17 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -47,6 +47,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_auth_cfg.c \ suites/test_hasher.c \ suites/test_crypter.c \ + suites/test_proposal.c \ suites/test_crypto_factory.c \ suites/test_iv_gen.c \ suites/test_pen.c \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index f8f8ce83e..20cb27cf3 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -152,6 +152,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \ suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \ suites/libstrongswan_tests-test_hasher.$(OBJEXT) \ suites/libstrongswan_tests-test_crypter.$(OBJEXT) \ + suites/libstrongswan_tests-test_proposal.$(OBJEXT) \ suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT) \ suites/libstrongswan_tests-test_iv_gen.$(OBJEXT) \ suites/libstrongswan_tests-test_pen.$(OBJEXT) \ @@ -535,6 +536,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_auth_cfg.c \ suites/test_hasher.c \ suites/test_crypter.c \ + suites/test_proposal.c \ suites/test_crypto_factory.c \ suites/test_iv_gen.c \ suites/test_pen.c \ @@ -683,6 +685,8 @@ suites/libstrongswan_tests-test_hasher.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_crypter.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_proposal.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_iv_gen.$(OBJEXT): \ @@ -750,6 +754,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@ @@ -1199,6 +1204,20 @@ suites/libstrongswan_tests-test_crypter.obj: suites/test_crypter.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` +suites/libstrongswan_tests-test_proposal.o: suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c + +suites/libstrongswan_tests-test_proposal.obj: suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` + suites/libstrongswan_tests-test_crypto_factory.o: suites/test_crypto_factory.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po diff --git a/src/libstrongswan/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c new file mode 100644 index 000000000..1a2f97d5f --- /dev/null +++ b/src/libstrongswan/tests/suites/test_proposal.c @@ -0,0 +1,220 @@ +/* + * Copyright (C) 2016-2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include <crypto/proposal/proposal.h> + +static struct { + protocol_id_t proto; + char *proposal; + char *expected; +} create_data[] = { + { PROTO_IKE, "", NULL }, + { PROTO_IKE, "sha256", NULL }, + { PROTO_IKE, "sha256-modp3072", NULL }, + { PROTO_IKE, "null-sha256-modp3072", "IKE:NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" }, + { PROTO_IKE, "aes128", NULL }, + { PROTO_IKE, "aes128-sha256", NULL }, + { PROTO_IKE, "aes128-sha256-modpnone", NULL }, + { PROTO_IKE, "aes128-sha256-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" }, + { PROTO_IKE, "aes128-sha256-prfsha384-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_384/MODP_3072" }, + { PROTO_IKE, "aes128gcm16-modp3072", NULL }, + { PROTO_IKE, "aes128gcm16-prfsha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" }, + { PROTO_IKE, "aes128gcm16-sha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" }, + { PROTO_IKE, "aes128gcm16-aes128-modp3072", NULL }, + { PROTO_IKE, "aes128gcm16-aes128-sha256-modp3072", NULL }, + { PROTO_ESP, "", NULL }, + { PROTO_ESP, "sha256", NULL }, + { PROTO_ESP, "aes128-sha256", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_ESP, "aes128-sha256-esn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ" }, + { PROTO_ESP, "aes128-sha256-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_ESP, "aes128-sha256-esn-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" }, + { PROTO_ESP, "aes128-sha256-prfsha256-modp3072", "ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ" }, + { PROTO_ESP, "aes128gcm16-aes128-sha256-modp3072", NULL }, + { PROTO_ESP, "aes128gmac", "ESP:NULL_AES_GMAC_128/NO_EXT_SEQ" }, + { PROTO_AH, "", NULL }, + { PROTO_AH, "aes128", NULL }, + { PROTO_AH, "aes128-sha256", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_AH, "sha256-sha1", "AH:HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ" }, + { PROTO_AH, "aes128gmac-sha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_AH, "aes128gmac-sha256-prfsha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_AH, "aes128gmac-aes256gmac-aes128-sha256", "AH:AES_128_GMAC/AES_256_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_AH, "sha256-esn", "AH:HMAC_SHA2_256_128/EXT_SEQ" }, + { PROTO_AH, "sha256-noesn", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" }, + { PROTO_AH, "sha256-esn-noesn", "AH:HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" }, +}; + +static void assert_proposal_eq(proposal_t *proposal, char *expected) +{ + char str[BUF_LEN]; + + if (!expected) + { + ck_assert(!proposal); + return; + } + snprintf(str, sizeof(str), "%P", proposal); + ck_assert_str_eq(expected, str); +} + +START_TEST(test_create_from_string) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(create_data[_i].proto, + create_data[_i].proposal); + assert_proposal_eq(proposal, create_data[_i].expected); + DESTROY_IF(proposal); +} +END_TEST + +static struct { + protocol_id_t proto; + char *self; + char *other; + char *expected; +} select_data[] = { + { PROTO_ESP, "aes128", "aes128", "aes128" }, + { PROTO_ESP, "aes128", "aes256", NULL }, + { PROTO_ESP, "aes128-aes256", "aes256-aes128", "aes128" }, + { PROTO_ESP, "aes256-aes128", "aes128-aes256", "aes256" }, + { PROTO_ESP, "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" }, + { PROTO_ESP, "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" }, + { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", NULL }, + { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", NULL }, + { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL }, + { PROTO_ESP, "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL }, + { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" }, + { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072-modpnone", "aes128-sha256" }, + { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072" }, + { PROTO_ESP, "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone" }, + { PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072", "aes128-sha256-modp3072" }, + { PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072" }, + { PROTO_IKE, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072", "aes128-sha256-modp3072" }, +}; + +START_TEST(test_select) +{ + proposal_t *self, *other, *selected, *expected; + + self = proposal_create_from_string(select_data[_i].proto, + select_data[_i].self); + other = proposal_create_from_string(select_data[_i].proto, + select_data[_i].other); + selected = self->select(self, other, TRUE, FALSE); + if (select_data[_i].expected) + { + expected = proposal_create_from_string(select_data[_i].proto, + select_data[_i].expected); + ck_assert(selected); + ck_assert_msg(expected->equals(expected, selected), "proposal %P does " + "not match expected %P", selected, expected); + expected->destroy(expected); + } + else + { + ck_assert(!selected); + } + DESTROY_IF(selected); + other->destroy(other); + self->destroy(self); +} +END_TEST + +START_TEST(test_select_spi) +{ + proposal_t *self, *other, *selected; + + self = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072"); + other = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072"); + other->set_spi(other, 0x12345678); + + selected = self->select(self, other, TRUE, FALSE); + ck_assert(selected); + ck_assert_int_eq(selected->get_spi(selected), other->get_spi(other)); + selected->destroy(selected); + + selected = self->select(self, other, FALSE, FALSE); + ck_assert(selected); + ck_assert_int_eq(selected->get_spi(selected), self->get_spi(self)); + selected->destroy(selected); + + other->destroy(other); + self->destroy(self); +} +END_TEST + +START_TEST(test_promote_dh_group) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(PROTO_IKE, + "aes128-sha256-modp3072-ecp256"); + ck_assert(proposal->promote_dh_group(proposal, ECP_256_BIT)); + assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_3072"); + proposal->destroy(proposal); +} +END_TEST + +START_TEST(test_promote_dh_group_already_front) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(PROTO_IKE, + "aes128-sha256-modp3072-ecp256"); + ck_assert(proposal->promote_dh_group(proposal, MODP_3072_BIT)); + assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256"); + proposal->destroy(proposal); +} +END_TEST + +START_TEST(test_promote_dh_group_not_contained) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(PROTO_IKE, + "aes128-sha256-modp3072-ecp256"); + + ck_assert(!proposal->promote_dh_group(proposal, MODP_2048_BIT)); + assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256"); + proposal->destroy(proposal); +} +END_TEST + +Suite *proposal_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("proposal"); + + tc = tcase_create("create_from_string"); + tcase_add_loop_test(tc, test_create_from_string, 0, countof(create_data)); + suite_add_tcase(s, tc); + + tc = tcase_create("select"); + tcase_add_loop_test(tc, test_select, 0, countof(select_data)); + tcase_add_test(tc, test_select_spi); + suite_add_tcase(s, tc); + + tc = tcase_create("promote_dh_group"); + tcase_add_test(tc, test_promote_dh_group); + tcase_add_test(tc, test_promote_dh_group_already_front); + tcase_add_test(tc, test_promote_dh_group_not_contained); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index 353010aaf..b423d7d2d 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -877,8 +877,23 @@ static struct { {"/0xff", TRUE, { 0, 0xff }}, {"/x", FALSE, { 0 }}, {"x/x", FALSE, { 0 }}, - {"0xffffffff/0x0000ffff", TRUE, { 0x0000ffff, 0x0000ffff }}, - {"0xffffffff/0xffffffff", TRUE, { 0xffffffff, 0xffffffff }}, + {"0xfffffff0/0x0000ffff", TRUE, { 0x0000fff0, 0x0000ffff }}, + {"%unique", TRUE, { MARK_UNIQUE, 0xffffffff }}, + {"%unique/", TRUE, { MARK_UNIQUE, 0 }}, + {"%unique/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }}, + {"%unique/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }}, + {"%unique0xffffffffff", FALSE, { 0, 0 }}, + {"0xffffffff/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }}, + {"0xffffffff/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }}, + {"%unique-dir", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }}, + {"%unique-dir/", TRUE, { MARK_UNIQUE_DIR, 0 }}, + {"%unique-dir/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }}, + {"%unique-dir/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }}, + {"%unique-dir0xffffffff", FALSE, { 0, 0 }}, + {"0xfffffffe/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }}, + {"0xfffffffe/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }}, + {"%unique-/0xffffffff", FALSE, { 0, 0 }}, + {"%unique-foo/0xffffffff", FALSE, { 0, 0 }}, }; START_TEST(test_mark_from_string) diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index 525bdeb94..5fab227f2 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create) TEST_SUITE(auth_cfg_suite_create) TEST_SUITE(hasher_suite_create) TEST_SUITE(crypter_suite_create) +TEST_SUITE(proposal_suite_create) TEST_SUITE(crypto_factory_suite_create) TEST_SUITE_DEPEND(iv_gen_suite_create, RNG, RNG_STRONG) TEST_SUITE(pen_suite_create) diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h index d3ab0f3d9..bb384e669 100644 --- a/src/libstrongswan/threading/semaphore.h +++ b/src/libstrongswan/threading/semaphore.h @@ -29,7 +29,7 @@ typedef struct semaphore_t semaphore_t; * A semaphore is basically an integer whose value is never allowed to be * lower than 0. Two operations can be performed on it: increment the * value by one, and decrement the value by one. If the value is currently - * zero, then the decrement operation will blcok until the value becomes + * zero, then the decrement operation will block until the value becomes * greater than zero. */ struct semaphore_t { diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c index 8f4b7efff..3a7984098 100644 --- a/src/libstrongswan/utils/chunk.c +++ b/src/libstrongswan/utils/chunk.c @@ -478,7 +478,7 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase) } /** - * convert a signle hex character to its binary value + * convert a single hex character to its binary value */ static char hex2bin(char hex) { @@ -859,7 +859,7 @@ static inline uint64_t siplast(size_t len, u_char *pos) } /** - * Caculate SipHash-2-4 with an optional first block given as argument. + * Calculate SipHash-2-4 with an optional first block given as argument. */ static uint64_t chunk_mac_inc(chunk_t chunk, u_char *key, uint64_t m) { |