author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
commit | a9b7f8d4a4a4202facd9690580b38542e7933f00 (patch) | |
tree | d82a9d506c62cff257e5292845b68df3ca5c60dc /src/pluto | |
parent | 12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff) | |
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in
some cases.
- Enable integrity checking.
Diffstat (limited to 'src/pluto')
-rw-r--r-- | src/pluto/Makefile.am | 5 | ||||
-rw-r--r-- | src/pluto/Makefile.in | 17 | ||||
-rw-r--r-- | src/pluto/alg_info.c | 32 | ||||
-rw-r--r-- | src/pluto/connections.c | 1 | ||||
-rw-r--r-- | src/pluto/constants.c | 3 | ||||
-rw-r--r-- | src/pluto/crypto.c | 15 | ||||
-rw-r--r-- | src/pluto/crypto.h | 2 | ||||
-rw-r--r-- | src/pluto/ipsec_doi.c | 122 | ||||
-rw-r--r-- | src/pluto/kernel.c | 187 | ||||
-rw-r--r-- | src/pluto/kernel_alg.c | 54 | ||||
-rw-r--r-- | src/pluto/kernel_netlink.c | 357 | ||||
-rw-r--r-- | src/pluto/keys.c | 3 | ||||
-rw-r--r-- | src/pluto/ocsp.c | 2 | ||||
-rw-r--r-- | src/pluto/pem.c | 1 | ||||
-rw-r--r-- | src/pluto/pgpcert.c | 62 | ||||
-rw-r--r-- | src/pluto/plutomain.c | 41 | ||||
-rw-r--r-- | src/pluto/spdb.c | 88 | ||||
-rw-r--r-- | src/pluto/state.c | 1 | ||||
-rw-r--r-- | src/pluto/timer.c | 10 | ||||
-rw-r--r-- | src/pluto/timer.h | 2 | ||||
-rw-r--r-- | src/pluto/vendor.c | 8 | ||||
-rw-r--r-- | src/pluto/vendor.h | 10 |
22 files changed, 603 insertions, 420 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index 01237305b..c9cb6651f 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -110,11 +110,6 @@ if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD endif -# This compile option activates the integrity test of libstrongswan -if USE_INTEGRITY_TEST - AM_CFLAGS += -DINTEGRITY_TEST -endif - if USE_CAPABILITIES pluto_LDADD += -lcap endif diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 01bda8540..871f0c905 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -52,11 +52,8 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD - -# This compile option activates the integrity test of libstrongswan -@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST -@USE_CAPABILITIES_TRUE@am__append_7 = -lcap -@USE_THREADS_TRUE@am__append_8 = -DTHREADS +@USE_CAPABILITIES_TRUE@am__append_6 = -lcap +@USE_THREADS_TRUE@am__append_7 = -DTHREADS subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -116,12 +113,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -186,6 +185,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -226,7 +226,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ 
@@ -325,11 +327,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \ -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \ $(am__append_1) $(am__append_2) $(am__append_3) \ - $(am__append_4) $(am__append_5) $(am__append_6) \ - $(am__append_8) + $(am__append_4) $(am__append_5) $(am__append_7) pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \ - $(am__append_7) + $(am__append_6) _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c index a85a18905..c25418fc1 100644 --- a/src/pluto/alg_info.c +++ b/src/pluto/alg_info.c @@ -139,6 +139,24 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id, ) } +/** + * Returns true if the given alg is an authenticated encryption algorithm + */ +static bool is_authenticated_encryption(int ealg_id) +{ + switch (ealg_id) + { + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + return TRUE; + } + return FALSE; +} + /* * Add ESP alg info _with_ logic (policy): */ @@ -152,7 +170,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id, } if (ealg_id > 0) { - if (aalg_id > 0) + if (is_authenticated_encryption(ealg_id)) + { + __alg_info_esp_add((struct alg_info_esp *)alg_info, + ealg_id, ek_bits, + AUTH_ALGORITHM_NONE, 0); + } + else if (aalg_id > 0) { __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, 
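Review bot: In the `alg_info_esp_add` hunk, a caller-supplied `aalg_id` is silently replaced by `AUTH_ALGORITHM_NONE` whenever `is_authenticated_encryption(ealg_id)` is true, so a configuration that names an integrity algorithm next to CCM/GCM yields a different proposal than the one written, and nothing in the log says so. A one-line log in that branch when `aalg_id > 0` would make the override visible to whoever audits the negotiated suite. The comment on `is_authenticated_encryption` could also state that `ealg_id` is an ESP transform id and that the case list must be extended when further combined-mode transforms are added, since any id not listed falls through to `return FALSE`. The body of alg_info_esp_add continues in the following hunk.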
@@ -160,13 +184,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id, } else { - /* Policy: default to MD5 and SHA1 */ + /* Policy: default to SHA-1 and MD5 */ __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, - AUTH_ALGORITHM_HMAC_MD5, ak_bits); + AUTH_ALGORITHM_HMAC_SHA1, ak_bits); __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, - AUTH_ALGORITHM_HMAC_SHA1, ak_bits); + AUTH_ALGORITHM_HMAC_MD5, ak_bits); } } } diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 4deb722f7..b800b1665 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -1,5 +1,6 @@ /* information about connections between hosts and clients * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/constants.c b/src/pluto/constants.c index adcd77131..e46728d84 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -663,6 +663,7 @@ enum_names enc_mode_names = /* Auth Algorithm attribute */ static const char *const auth_alg_name[] = { + "AUTH_NONE", "HMAC_MD5", "HMAC_SHA1", "DES_MAC", @@ -683,7 +684,7 @@ enum_names extended_auth_alg_names = { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL }; enum_names auth_alg_names = - { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name + { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name , &extended_auth_alg_names }; /* From draft-beaulieu-ike-xauth */ diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index 1adccc74e..f47ad1eeb 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c 
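Review bot: The default branch of `alg_info_esp_add` still appends `AUTH_ALGORITHM_HMAC_MD5` whenever no integrity algorithm is configured, so MD5-based ESP authentication remains part of the default policy without the administrator having asked for it; the reorder only changes preference. If the entry is kept for interoperability, the comment should say so, e.g. `/* Policy: default to SHA-1; MD5 kept as fallback for legacy peers */`, otherwise consider dropping the second `__alg_info_esp_add` call. How the peer's choice is matched against this list is outside the hunk.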
@@ -235,7 +235,7 @@ static struct dh_desc dh_desc_ecp_224 = { ke_size: 2*224 / BITS_PER_BYTE }; -void init_crypto(void) +bool init_crypto(void) { enumerator_t *enumerator; encryption_algorithm_t encryption_alg; @@ -275,13 +275,13 @@ void init_crypto(void) } enumerator->destroy(enumerator); - if (no_sha1) + if (no_sha1 || no_md5) { - exit_log("pluto cannot run without a SHA-1 hasher"); - } - if (no_md5) - { - exit_log("pluto cannot run without an MD5 hasher"); + plog("pluto cannot run without a %s%s%s hasher", + (no_sha1) ? "SHA-1" : "", + (no_sha1 && no_md5) ? " and " : "", + (no_md5) ? "MD5" : ""); + return FALSE; } enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); @@ -363,6 +363,7 @@ void init_crypto(void) ike_alg_add((struct ike_alg *)desc); } enumerator->destroy(enumerator); + return TRUE; } void free_crypto(void) diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h index 06c4e1d1a..019ba5764 100644 --- a/src/pluto/crypto.h +++ b/src/pluto/crypto.h @@ -20,7 +20,7 @@ #include "ike_alg.h" -extern void init_crypto(void); +extern bool init_crypto(void); extern void free_crypto(void); extern const struct dh_desc unset_group; /* magic signifier */ diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 929768ee9..57f4fb54b 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c 
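Review bot: With `exit_log()` replaced by `plog()` plus `return FALSE`, a missing SHA-1 or MD5 hasher no longer stops the daemon by itself; every caller of `init_crypto()` now has to test the result, and the call site is not visible in these hunks. If a caller ignores the return value, pluto would continue without the hashers it says it cannot run without. Marking the prototype in crypto.h makes the compiler enforce this: `extern bool init_crypto(void) __attribute__((warn_unused_result));`. A short comment above the definition stating that FALSE means "required hasher missing, caller must abort startup" would document the new contract.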
@@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid, */ switch (protoid) { - case PROTO_IPSEC_ESP: + case PROTO_IPSEC_ESP: + { + needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid); + + if (needed_len && pi->attrs.key_len) + { + needed_len = pi->attrs.key_len / BITS_PER_BYTE; + } + switch (pi->attrs.transid) { - case ESP_NULL: - needed_len = 0; - break; - case ESP_DES: - needed_len = DES_CBC_BLOCK_SIZE; - break; - case ESP_3DES: - needed_len = DES_CBC_BLOCK_SIZE * 3; - break; - default: -#ifndef NO_KERNEL_ALG - if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) { - /* XXX: check key_len "coupling with kernel.c's */ - if (pi->attrs.key_len) { - needed_len=pi->attrs.key_len/8; - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "key_len=%d from peer", - (int)needed_len)); - } - break; - } -#endif - bad_case(pi->attrs.transid); + case ESP_NULL: + needed_len = 0; + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + needed_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + needed_len += 4; + break; + default: + if (needed_len == 0) + { + bad_case(pi->attrs.transid); + } } -#ifndef NO_KERNEL_ALG - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP enc)=%d", - (int)needed_len)); - if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) { + if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) + { needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth); - } else -#endif - switch (pi->attrs.auth) + } + else { - case AUTH_ALGORITHM_NONE: - break; - case AUTH_ALGORITHM_HMAC_MD5: - needed_len += HMAC_MD5_KEY_LEN; - break; - case AUTH_ALGORITHM_HMAC_SHA1: - needed_len += HMAC_SHA1_KEY_LEN; - break; - case AUTH_ALGORITHM_DES_MAC: - default: - bad_case(pi->attrs.auth); + switch (pi->attrs.auth) + { + case AUTH_ALGORITHM_NONE: + break; + case AUTH_ALGORITHM_HMAC_MD5: + needed_len += HMAC_MD5_KEY_LEN; + break; + case 
AUTH_ALGORITHM_HMAC_SHA1: + needed_len += HMAC_SHA1_KEY_LEN; + break; + case AUTH_ALGORITHM_DES_MAC: + default: + bad_case(pi->attrs.auth); + } } - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP auth)=%d", - (int)needed_len)); break; - - case PROTO_IPSEC_AH: + } + case PROTO_IPSEC_AH: + { switch (pi->attrs.transid) { - case AH_MD5: - needed_len = HMAC_MD5_KEY_LEN; - break; - case AH_SHA: - needed_len = HMAC_SHA1_KEY_LEN; - break; - default: - bad_case(pi->attrs.transid); + case AH_MD5: + needed_len = HMAC_MD5_KEY_LEN; + break; + case AH_SHA: + needed_len = HMAC_SHA1_KEY_LEN; + break; + default: + bad_case(pi->attrs.transid); } break; - - default: - bad_case(protoid); + } + default: + bad_case(protoid); } pi->keymat_len = needed_len; @@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno) { loglog(RC_LOG_SERIOUS - , "DPD: R_U_THERE_ACK has unexpected sequence number"); + , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)" + , seqno, st->st_dpd_expectseqno); return STF_FAIL + PAYLOAD_MALFORMED; } diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index f698de2c8..46edac1cd 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1,6 +1,7 @@ /* routines that interface with the kernel's IPsec mechanism * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
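Review bot: In the ESP branch, a non-zero `pi->attrs.key_len` replaces the length returned by `kernel_alg_esp_enc_keylen()` with no range or multiple-of-8 check in this block, so the amount of keying material derived follows whatever value was negotiated; if the attribute is not already validated against the algorithm's minimum and maximum bits when the proposal is parsed (not visible here), that check belongs before the division. The salt sizes `3` (CCM) and `4` (GCM/CTR) are also repeated as bare literals in the `setup_half_ipsec_sa` hunk of kernel.c, and the two must stay equal for the keymat split to line up; a shared named constant with a comment citing RFC 4309, RFC 4106 and RFC 3686 would make that coupling explicit. compute_proto_keymat starts and ends outside the hunk.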
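Review bot: The guard `!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno` is true only when no sequence number is expected, so the extended message will always print `expected 0`, and an R_U_THERE_ACK whose number differs from a non-zero expected value is not rejected by this test. If the intent is to reject mismatching acknowledgements, the first operand probably should not be negated, e.g. `if (seqno != st->st_dpd_expectseqno)` with the nothing-outstanding case handled separately. The rest of the function is outside the hunk, so please confirm against the code that follows before changing the condition.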
@@ -1849,7 +1850,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (st->nat_traversal & NAT_T_DETECTED) { natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? - ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; + ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port; natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; natt_oa = st->nat_oa; @@ -1860,12 +1861,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (ei == &esp_info[countof(esp_info)]) { /* Check for additional kernel alg */ -#ifndef NO_KERNEL_ALG if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, - st->st_esp.attrs.auth))!=NULL) { - break; + st->st_esp.attrs.auth))!=NULL) + { + break; } -#endif /* note: enum_show may use a static buffer, so two * calls in one printf would be a mistake. @@ -1878,9 +1878,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) goto fail; } - if (st->st_esp.attrs.transid == ei->transid - && st->st_esp.attrs.auth == ei->auth) + if (st->st_esp.attrs.transid == ei->transid && + st->st_esp.attrs.auth == ei->auth) + { break; + } } key_len = st->st_esp.attrs.key_len/8; 
@@ -1899,40 +1901,52 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) { key_len = ei->enckeylen; } - /* Grrrrr.... f*cking 7 bits jurassic algos */ - - /* 168 bits in kernel, need 192 bits for keymat_len */ - if (ei->transid == ESP_3DES && key_len == 21) - key_len = 24; - /* 56 bits in kernel, need 64 bits for keymat_len */ - if (ei->transid == ESP_DES && key_len == 7) - key_len = 8; + switch (ei->transid) + { + case ESP_3DES: + /* 168 bits in kernel, need 192 bits for keymat_len */ + if (key_len == 21) + { + key_len = 24; + } + break; + case ESP_DES: + /* 56 bits in kernel, need 64 bits for keymat_len */ + if (key_len == 7) + { + key_len = 8; + } + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + key_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + key_len += 4; + break; + default: + break; + } /* divide up keying material */ - /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */ - DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, - if(st->st_esp.keymat_len != key_len + ei->authkeylen) - DBG_log("keymat_len=%d key_len=%d authkeylen=%d", - st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen); - ) - passert(st->st_esp.keymat_len == key_len + ei->authkeylen); - set_text_said(text_said, &dst.addr, esp_spi, SA_ESP); - said_next->src = &src.addr; said_next->dst = &dst.addr; said_next->src_client = &src_client; said_next->dst_client = &dst_client; said_next->spi = esp_spi; said_next->satype = SADB_SATYPE_ESP; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; + said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? 
+ REPLAY_WINDOW : REPLAY_WINDOW_XFRM; said_next->authalg = ei->authalg; said_next->authkeylen = ei->authkeylen; - /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */ said_next->authkey = esp_dst_keymat + key_len; said_next->encalg = ei->encryptalg; - /* said_next->enckeylen = ei->enckeylen; */ said_next->enckeylen = key_len; said_next->enckey = esp_dst_keymat; said_next->encapsulation = encapsulation; @@ -1945,10 +1959,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) said_next->text_said = text_said; if (!kernel_ops->add_sa(said_next, replace)) + { goto fail; - + } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; } @@ -1963,29 +1977,27 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) switch (st->st_ah.attrs.auth) { - case AUTH_ALGORITHM_HMAC_MD5: - authalg = SADB_AALG_MD5HMAC; - break; - - case AUTH_ALGORITHM_HMAC_SHA1: - authalg = SADB_AALG_SHA1HMAC; - break; - - default: - loglog(RC_LOG_SERIOUS, "%s not implemented yet" - , enum_show(&auth_alg_names, st->st_ah.attrs.auth)); + case AUTH_ALGORITHM_HMAC_MD5: + authalg = SADB_AALG_MD5HMAC; + break; + case AUTH_ALGORITHM_HMAC_SHA1: + authalg = SADB_AALG_SHA1HMAC; + break; + default: + loglog(RC_LOG_SERIOUS, "%s not implemented yet", + enum_show(&auth_alg_names, st->st_ah.attrs.auth)); goto fail; } set_text_said(text_said, &dst.addr, ah_spi, SA_AH); - said_next->src = &src.addr; said_next->dst = &dst.addr; said_next->src_client = &src_client; said_next->dst_client = &dst_client; said_next->spi = ah_spi; said_next->satype = SADB_SATYPE_AH; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; + said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? + REPLAY_WINDOW : REPLAY_WINDOW_XFRM; said_next->authalg = authalg; said_next->authkeylen = st->st_ah.keymat_len; said_next->authkey = ah_dst_keymat; 
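Review bot: After the salt bytes are added to `key_len`, `said_next->authkey` is taken at `esp_dst_keymat + key_len` and `enckeylen` is set to `key_len`, while the `passert(st->st_esp.keymat_len == key_len + ei->authkeylen)` that tied these lengths to the derived keying material appears to be removed together with the debug block. Without it, a mismatch between this switch and the lengths computed in `compute_proto_keymat` would hand the kernel key pointers that run past the keymat instead of failing. A runtime check that fails the SA keeps the invariant without aborting the daemon: `if (st->st_esp.keymat_len != key_len + ei->authkeylen) { loglog(RC_LOG_SERIOUS, "ESP keymat length mismatch"); goto fail; }`. setup_half_ipsec_sa starts and ends outside the hunk.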
@@ -1994,10 +2006,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) said_next->text_said = text_said; if (!kernel_ops->add_sa(said_next, replace)) + { goto fail; - + } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; } @@ -2093,7 +2105,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) s[1].text_said = text_said1; if (!kernel_ops->grp_sa(s + 1, s)) + { goto fail; + } } /* could update said, but it will not be used */ } @@ -2104,8 +2118,10 @@ fail: { /* undo the done SPIs */ while (said_next-- != said) - (void) del_spi(said_next->spi, said_next->proto - , &src.addr, said_next->dst); + { + (void) del_spi(said_next->spi, said_next->proto, &src.addr, + said_next->dst); + } return FALSE; } } @@ -2216,8 +2232,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) *use_time = UNDEFINED_TIME; if (kernel_ops->get_sa == NULL || !st->st_esp.present) + { return FALSE; - + } memset(&sa, 0, sizeof(sa)); sa.proto = SA_ESP; @@ -2241,7 +2258,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) DBG_log("get %s", text_said) ) if (!kernel_ops->get_sa(&sa, bytes)) + { return FALSE; + } DBG(DBG_KLIPS, DBG_log(" current: %d bytes", *bytes) ) @@ -2266,7 +2285,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) sa.dst_client = &c->spd.that.client; } if (!kernel_ops->get_policy(&sa, inbound, use_time)) + { return FALSE; + } DBG(DBG_KLIPS, DBG_log(" use_time: %T", use_time, FALSE) ) 
@@ -2349,15 +2370,21 @@ bool install_inbound_ipsec_sa(struct state *st) struct connection *o = route_owner(c, &esr, NULL, NULL); if (o == NULL) + { break; /* nobody has a route */ + } /* note: we ignore the client addresses at this end */ - if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) - && o->interface == c->interface) + if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) && + o->interface == c->interface) + { break; /* existing route is compatible */ + } if (o->kind == CK_TEMPLATE && streq(o->name, c->name)) + { break; /* ??? is this good enough?? */ + } loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route" , o->name, ip_str(&o->spd.that.host_addr)); @@ -2369,12 +2396,11 @@ bool install_inbound_ipsec_sa(struct state *st) /* check that we will be able to route and eroute */ switch (could_route(c)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } #ifdef KLIPS @@ -2471,10 +2497,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, /* if no state provided, then install a shunt for later */ if (st == NULL) + { eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE , ERO_ADD, "add"); + } else + { eroute_installed = sag_eroute(st, sr, ERO_ADD, "add"); + } } /* notify the firewall of a new tunnel */ @@ -2507,8 +2537,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */ route_installed = do_command(c, sr, "route"); } - else if (routed(sr->routing) - || routes_agree(ro, c)) + else if (routed(sr->routing) || routes_agree(ro, c)) { route_installed = TRUE; /* nothing to be done */ } 
@@ -2658,11 +2687,13 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, { /* there was no previous eroute: delete whatever we installed */ if (st == NULL) - (void) shunt_eroute(c, sr - , sr->routing, ERO_DELETE, "delete"); + { + (void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete"); + } else - (void) sag_eroute(st, sr - , ERO_DELETE, "delete"); + { + (void) sag_eroute(st, sr, ERO_DELETE, "delete"); + } } } @@ -2685,18 +2716,19 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) switch (could_route(st->st_connection)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } /* (attempt to) actually set up the SA group */ - if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) - || !setup_half_ipsec_sa(st, FALSE)) + if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) || + !setup_half_ipsec_sa(st, FALSE)) + { return FALSE; + } for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next) { @@ -2730,12 +2762,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) switch (could_route(st->st_connection)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } @@ -2778,8 +2809,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS, ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE; (void) do_command(c, sr, "down"); - if ((c->policy & POLICY_DONT_REKEY) - && c->kind == CK_INSTANCE) + if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE) { /* in this special case, even if the connection * is still alive (due to an ISAKMP SA), 
@@ -2888,8 +2918,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time) /* Can't open the file, perhaps were are on 26sec? */ time_t use_time; - if (get_sa_info(st, TRUE, &bytes, &use_time) - && use_time != UNDEFINED_TIME) + if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME) { *idle_time = time(NULL) - use_time; ret = *idle_time >= idle_max; diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index 1590bdf02..7e7d25872 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -341,7 +341,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) sadb.msg++; - while(msglen) + while (msglen) { int supp_exttype = sadb.supported->sadb_supported_exttype; int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN; @@ -361,14 +361,14 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) supp_len; supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++) { - int ret = kernel_alg_add(satype, supp_exttype, sadb.alg); + kernel_alg_add(satype, supp_exttype, sadb.alg); DBG(DBG_KLIPS, DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: " "alg[%d], exttype=%d, satype=%d, alg_id=%d, " "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, " - "res=%d, ret=%d" - , satype==SADB_SATYPE_ESP? "ESP" : "AH" + "res=%d" + , satype == SADB_SATYPE_ESP? "ESP" : "AH" , i , supp_exttype , satype 
@@ -376,9 +376,25 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) , sadb.alg->sadb_alg_ivlen , sadb.alg->sadb_alg_minbits , sadb.alg->sadb_alg_maxbits - , sadb.alg->sadb_alg_reserved - , ret) + , sadb.alg->sadb_alg_reserved) ) + /* if AES_CBC is registered then also register AES_CCM and AES_GCM */ + if (satype == SADB_SATYPE_ESP && + sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC) + { + struct sadb_alg alg = *sadb.alg; + int alg_id; + + for (alg_id = SADB_X_EALG_AES_CCM_ICV8; + alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++) + { + if (alg_id != ESP_UNASSIGNED_17) + { + alg.sadb_alg_id = alg_id; + kernel_alg_add(satype, supp_exttype, &alg); + } + } + } } } } @@ -388,8 +404,9 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) u_int keylen = 0; if (!ESP_EALG_PRESENT(alg_id)) + { goto none; - + } keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE; switch (alg_id) @@ -407,8 +424,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) none: DBG(DBG_KLIPS, - DBG_log("kernel_alg_esp_enc_keylen():" - "alg_id=%d, keylen=%d", + DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d", alg_id, keylen) ) return keylen; @@ -515,7 +531,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance) } bool kernel_alg_esp_auth_ok(u_int auth, - struct alg_info_esp *alg_info __attribute__((unused))) + struct alg_info_esp *alg_info __attribute__((unused))) { return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth)); } 
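Review bot: The added block registers every id from `SADB_X_EALG_AES_CCM_ICV8` to `SADB_X_EALG_AES_GCM_ICV16` as soon as the kernel reports AES-CBC, using a copy of the CBC entry (`struct sadb_alg alg = *sadb.alg;`) in which only `sadb_alg_id` is changed, so the CCM/GCM entries inherit CBC's `sadb_alg_ivlen`, `sadb_alg_minbits` and `sadb_alg_maxbits` and are advertised even if the running kernel lacks those modes. The result of `kernel_alg_add()` is discarded here and, after the previous hunk dropped `ret`, in the main loop as well, so a failed registration is invisible. Consider setting the IV length explicitly for the combined modes and logging a non-success return, and add a comment that the loop relies on the ids being contiguous apart from `ESP_UNASSIGNED_17`.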
@@ -619,14 +635,15 @@ static bool kernel_alg_db_add(struct db_context *db_ctx, return FALSE; } - if (!(policy & POLICY_AUTHENTICATE)) /* skip ESP auth attrs for AH */ + if (!(policy & POLICY_AUTHENTICATE) && /* skip ESP auth attrs for AH */ + esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE) { aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id); if (!ESP_AALG_PRESENT(aalg_id)) { - DBG_log("kernel_alg_db_add() kernel auth " - "aalg_id=%d not present", aalg_id); + DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present", + aalg_id); return FALSE; } } @@ -637,13 +654,18 @@ static bool kernel_alg_db_add(struct db_context *db_ctx, /* open new transformation */ db_trans_add(db_ctx, ealg_id); - /* add ESP auth attr */ - if (!(policy & POLICY_AUTHENTICATE)) + /* add ESP auth attr if not AH or AEAD */ + if (!(policy & POLICY_AUTHENTICATE) && + esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE) + { db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id); + } - /* add keylegth if specified in esp= string */ + /* add keylength if specified in esp= string */ if (esp_info->esp_ealg_keylen) + { db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen); + } return TRUE; } diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c index b4b4774c7..0376e817b 100644 --- a/src/pluto/kernel_netlink.c +++ b/src/pluto/kernel_netlink.c 
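Review bot: Both new conditions in `kernel_alg_db_add` skip the integrity check and the `AUTH_ALGORITHM` attribute for any `esp_info` whose `esp_aalg_id` is `AUTH_ALGORITHM_NONE`, without looking at whether `ealg_id` is a combined-mode cipher. The alg_info.c hunks suggest only CCM/GCM entries are created with that value, but this function does not enforce it, so an entry pairing a non-AEAD cipher with `AUTH_ALGORITHM_NONE` would be proposed as encryption without integrity. A guard here that rejects `AUTH_ALGORITHM_NONE` unless the transform is one of the CCM/GCM ids, or at least a comment stating the assumption, would keep the two files from drifting apart. The function starts outside the hunk.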
@@ -49,69 +49,76 @@ static int netlink_bcast_fd = NULL_FD; #define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */ static sparse_names xfrm_type_names = { - NE(NLMSG_NOOP), - NE(NLMSG_ERROR), - NE(NLMSG_DONE), - NE(NLMSG_OVERRUN), + NE(NLMSG_NOOP), + NE(NLMSG_ERROR), + NE(NLMSG_DONE), + NE(NLMSG_OVERRUN), - NE(XFRM_MSG_NEWSA), - NE(XFRM_MSG_DELSA), - NE(XFRM_MSG_GETSA), + NE(XFRM_MSG_NEWSA), + NE(XFRM_MSG_DELSA), + NE(XFRM_MSG_GETSA), - NE(XFRM_MSG_NEWPOLICY), - NE(XFRM_MSG_DELPOLICY), - NE(XFRM_MSG_GETPOLICY), + NE(XFRM_MSG_NEWPOLICY), + NE(XFRM_MSG_DELPOLICY), + NE(XFRM_MSG_GETPOLICY), - NE(XFRM_MSG_ALLOCSPI), - NE(XFRM_MSG_ACQUIRE), - NE(XFRM_MSG_EXPIRE), + NE(XFRM_MSG_ALLOCSPI), + NE(XFRM_MSG_ACQUIRE), + NE(XFRM_MSG_EXPIRE), - NE(XFRM_MSG_UPDPOLICY), - NE(XFRM_MSG_UPDSA), + NE(XFRM_MSG_UPDPOLICY), + NE(XFRM_MSG_UPDSA), - NE(XFRM_MSG_POLEXPIRE), + NE(XFRM_MSG_POLEXPIRE), - NE(XFRM_MSG_MAX), + NE(XFRM_MSG_MAX), - { 0, sparse_end } + { 0, sparse_end } }; #undef NE /* Authentication algorithms */ static sparse_names aalg_list = { - { SADB_X_AALG_NULL, "digest_null" }, - { SADB_AALG_MD5HMAC, "md5" }, - { SADB_AALG_SHA1HMAC, "sha1" }, - { SADB_X_AALG_SHA2_256HMAC, "sha256" }, - { SADB_X_AALG_SHA2_384HMAC, "sha384" }, - { SADB_X_AALG_SHA2_512HMAC, "sha512" }, - { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, - { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, - { SADB_X_AALG_NULL, "null" }, - { 0, sparse_end } + { SADB_X_AALG_NULL, "digest_null" }, + { SADB_AALG_MD5HMAC, "md5" }, + { SADB_AALG_SHA1HMAC, "sha1" }, + { SADB_X_AALG_SHA2_256HMAC, "sha256" }, + { SADB_X_AALG_SHA2_384HMAC, "sha384" }, + { SADB_X_AALG_SHA2_512HMAC, "sha512" }, + { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, + { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, + { SADB_X_AALG_NULL, "null" }, + { 0, sparse_end } }; /* Encryption algorithms */ static sparse_names ealg_list = { - { SADB_EALG_NULL, "cipher_null" }, - { SADB_EALG_DESCBC, "des" }, - { SADB_EALG_3DESCBC, "des3_ede" }, - { 
SADB_X_EALG_CASTCBC, "cast128" }, - { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, - { SADB_X_EALG_AESCBC, "aes" }, - { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, - { SADB_X_EALG_SERPENTCBC, "serpent" }, - { SADB_X_EALG_TWOFISHCBC, "twofish" }, - { 0, sparse_end } + { SADB_EALG_NULL, "cipher_null" }, + { SADB_EALG_DESCBC, "des" }, + { SADB_EALG_3DESCBC, "des3_ede" }, + { SADB_X_EALG_CASTCBC, "cast128" }, + { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, + { SADB_X_EALG_AESCBC, "aes" }, + { SADB_X_EALG_AESCTR, "rfc3686(ctr(aes))" }, + { SADB_X_EALG_AES_CCM_ICV8, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, + { SADB_X_EALG_SERPENTCBC, "serpent" }, + { SADB_X_EALG_TWOFISHCBC, "twofish" }, + { 0, sparse_end } }; /* Compression algorithms */ static sparse_names calg_list = { - { SADB_X_CALG_DEFLATE, "deflate" }, - { SADB_X_CALG_LZS, "lzs" }, - { SADB_X_CALG_LZJH, "lzjh" }, - { 0, sparse_end } + { SADB_X_CALG_DEFLATE, "deflate" }, + { SADB_X_CALG_LZS, "lzs" }, + { SADB_X_CALG_LZJH, "lzjh" }, + { 0, sparse_end } }; /** ip2xfrm - Take an IP address and convert to an xfrm. @@ -119,8 +126,7 @@ static sparse_names calg_list = { * @param addr ip_address * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here. */ -static void -ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) +static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) { if (addr->u.v4.sin_family == AF_INET) { 
@@ -135,35 +141,41 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) /** init_netlink - Initialize the netlink inferface. Opens the sockets and * then binds to the broadcast socket. */ -static void -init_netlink(void) +static void init_netlink(void) { struct sockaddr_nl addr; netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (netlinkfd < 0) + { exit_log_errno((e, "socket() in init_netlink()")); - + } if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0) + { exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()")); - + } netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (netlink_bcast_fd < 0) + { exit_log_errno((e, "socket() for bcast in init_netlink()")); - + } if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0) + { exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()")); - + } if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0) + { exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()")); - + } addr.nl_family = AF_NETLINK; addr.nl_pid = getpid(); addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE; if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) + { exit_log_errno((e, "Failed to bind bcast socket in init_netlink()")); + } } /** send_netlink_msg @@ -176,9 +188,9 @@ init_netlink(void) * @param text_said - String * @return bool True if the message was succesfully sent. */ -static bool -send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len -, const char *description, const char *text_said) +static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, + size_t rbuf_len, const char *description, + const char *text_said) { struct { struct nlmsghdr n; @@ -200,7 +212,9 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len len = hdr->nlmsg_len; do { r = write(netlinkfd, hdr, len); - } while (r < 0 && errno == EINTR); + } + while (r < 0 && errno == EINTR); + if (r < 0) { log_errno((e 
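Review bot: In `init_netlink`, `struct sockaddr_nl addr` is passed to `bind()` after only `nl_family`, `nl_pid` and `nl_groups` are assigned, so the remaining padding field holds whatever was on the stack; the hunk reformats the function but leaves this as is. Clearing the structure first is the usual form: `memset(&addr, 0, sizeof(addr));` before the three assignments. The brace-only changes in the rest of the hunk look behaviour-neutral.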
@@ -221,7 +235,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len return FALSE; } - for (;;) { + for (;;) + { socklen_t alen; alen = sizeof(addr); @@ -322,8 +337,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len * @param text_said - String * @return boolean */ -static bool -netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said) +static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, + const char *text_said) { struct { struct nlmsghdr n; @@ -372,18 +387,17 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said) * @param ip int * @return boolean True if successful */ -static bool -netlink_raw_eroute(const ip_address *this_host - , const ip_subnet *this_client - , const ip_address *that_host - , const ip_subnet *that_client - , ipsec_spi_t spi - , unsigned int satype - , unsigned int transport_proto - , const struct pfkey_proto_info *proto_info - , time_t use_lifetime UNUSED - , unsigned int op - , const char *text_said) +static bool netlink_raw_eroute(const ip_address *this_host + , const ip_subnet *this_client + , const ip_address *that_host + , const ip_subnet *that_client + , ipsec_spi_t spi + , unsigned int satype + , unsigned int transport_proto + , const struct pfkey_proto_info *proto_info + , time_t use_lifetime UNUSED + , unsigned int op + , const char *text_said) { struct { struct nlmsghdr n; @@ -568,8 +582,7 @@ netlink_raw_eroute(const ip_address *this_host * @param replace boolean - true if this replaces an existing SA * @return bool True if successfull */ -static bool -netlink_add_sa(const struct kernel_sa *sa, bool replace) +static bool netlink_add_sa(const struct kernel_sa *sa, bool replace) { struct { struct nlmsghdr n; 
@@ -577,6 +590,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) char data[1024]; } req; struct rtattr *attr; + u_int16_t icv_size = 64; memset(&req, 0, sizeof(req)); req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -606,11 +620,17 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) const char *name; name = sparse_name(aalg_list, sa->authalg); - if (!name) { + if (!name) + { loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u" , sa->authalg); return FALSE; } + DBG(DBG_CRYPT, + DBG_log("configured authentication algorithm %s with key size %d", + enum_show(&auth_alg_names, sa->authalg), + sa->authkeylen * BITS_PER_BYTE) + ) strcpy(algo.alg_name, name); algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE; 
@@ -626,30 +646,78 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) attr = (struct rtattr *)((char *)attr + attr->rta_len); } - if (sa->encalg) + switch (sa->encalg) { - struct xfrm_algo algo; - const char *name; + case SADB_EALG_NONE: + /* no encryption */ + break; + case SADB_X_EALG_AES_CCM_ICV16: + case SADB_X_EALG_AES_GCM_ICV16: + icv_size += 32; + /* FALL */ + case SADB_X_EALG_AES_CCM_ICV12: + case SADB_X_EALG_AES_GCM_ICV12: + icv_size += 32; + /* FALL */ + case SADB_X_EALG_AES_CCM_ICV8: + case SADB_X_EALG_AES_GCM_ICV8: + { + struct xfrm_algo_aead *algo; + const char *name; - name = sparse_name(ealg_list, sa->encalg); - if (!name) { - loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u" - , sa->encalg); - return FALSE; + name = sparse_name(ealg_list, sa->encalg); + if (!name) + { + loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", + sa->encalg); + return FALSE; + } + DBG(DBG_CRYPT, + DBG_log("configured esp encryption algorithm %s with key size %d", + enum_show(&esp_transformid_names, sa->encalg), + sa->enckeylen * BITS_PER_BYTE) + ) + attr->rta_type = XFRMA_ALG_AEAD; + attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen); + req.n.nlmsg_len += attr->rta_len; + + algo = (struct xfrm_algo_aead*)RTA_DATA(attr); + algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; + algo->alg_icv_len = icv_size; + strcpy(algo->alg_name, name); + memcpy(algo->alg_key, sa->enckey, sa->enckeylen); + + attr = (struct rtattr *)((char *)attr + attr->rta_len); + break; } + default: + { + struct xfrm_algo *algo; + const char *name; - strcpy(algo.alg_name, name); - algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE; - - attr->rta_type = XFRMA_ALG_CRYPT; - attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen); - - memcpy(RTA_DATA(attr), &algo, sizeof(algo)); - memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey - , sa->enckeylen); - - req.n.nlmsg_len += attr->rta_len; - attr = (struct rtattr *)((char *)attr + attr->rta_len); + name = 
sparse_name(ealg_list, sa->encalg); + if (!name) + { + loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", + sa->encalg); + return FALSE; + } + DBG(DBG_CRYPT, + DBG_log("configured esp encryption algorithm %s with key size %d", + enum_show(&esp_transformid_names, sa->encalg), + sa->enckeylen * BITS_PER_BYTE) + ) + attr->rta_type = XFRMA_ALG_CRYPT; + attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen); + req.n.nlmsg_len += attr->rta_len; + + algo = (struct xfrm_algo*)RTA_DATA(attr); + algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; + strcpy(algo->alg_name, name); + memcpy(algo->alg_key, sa->enckey, sa->enckeylen); + + attr = (struct rtattr *)((char *)attr + attr->rta_len); + } } if (sa->compalg) @@ -658,7 +726,8 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) const char *name; name = sparse_name(calg_list, sa->compalg); - if (!name) { + if (!name) + { loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u" , sa->compalg); return FALSE; @@ -702,8 +771,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) * @param sa Kernel SA to be deleted * @return bool True if successfull */ -static bool -netlink_del_sa(const struct kernel_sa *sa) +static bool netlink_del_sa(const struct kernel_sa *sa) { struct { struct nlmsghdr n; @@ -726,9 +794,8 @@ netlink_del_sa(const struct kernel_sa *sa) return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said); } -static bool -netlink_error(const char *req_type, const struct nlmsghdr *n -, const struct nlmsgerr *e, int rsp_size) +static bool netlink_error(const char *req_type, const struct nlmsghdr *n, + const struct nlmsgerr *e, int rsp_size) { if (n->nlmsg_type == NLMSG_ERROR) { 
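Review bot: In netlink_add_sa, both new branches of `switch (sa->encalg)` copy `sa->enckeylen` key bytes to `algo->alg_key` without checking that the attribute still fits in `req`, whose payload is the fixed `char data[1024]` declared at the top of the function. The key length comes from the SA being installed, so a guard before the attribute is filled would make the bound explicit, for example `if ((char *)attr + RTA_LENGTH(sizeof(*algo) + sa->enckeylen) > (char *)&req + sizeof(req)) return FALSE;` (this assumes `attr` always points into `req`, which is set up outside the hunk). The `strcpy(algo->alg_name, name)` calls rely on every `ealg_list` name being shorter than `alg_name`; `snprintf(algo->alg_name, sizeof(algo->alg_name), "%s", name)` states that bound in the code. The function starts before and continues after this hunk.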
@@ -751,8 +818,8 @@ netlink_error(const char *req_type, const struct nlmsghdr *n return FALSE; } -static bool -netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) +static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound, + time_t *use_time) { struct { struct nlmsghdr n; @@ -789,11 +856,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } *use_time = (time_t)rsp.u.info.curlft.use_time; if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL) @@ -803,11 +872,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) req.id.dir = XFRM_POLICY_FWD; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } use_time_fwd = (time_t)rsp.u.info.curlft.use_time; *use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd; } @@ -820,8 +891,7 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) * @param sa Kernel SA to be queried * @return bool True if successfull */ -static bool -netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) +static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) { struct { struct nlmsghdr n; 
@@ -851,18 +921,18 @@ netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) rsp.n.nlmsg_type = XFRM_MSG_NEWSA; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said)) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } *bytes = (u_int) rsp.u.info.curlft.bytes; - return TRUE; } -static void -linux_pfkey_register_response(const struct sadb_msg *msg) +static void linux_pfkey_register_response(const struct sadb_msg *msg) { switch (msg->sadb_msg_satype) { @@ -882,8 +952,7 @@ linux_pfkey_register_response(const struct sadb_msg *msg) /** linux_pfkey_register - Register via PFKEY our capabilities * */ -static void -linux_pfkey_register(void) +static void linux_pfkey_register(void) { pfkey_register_proto(SADB_SATYPE_AH, "AH"); pfkey_register_proto(SADB_SATYPE_ESP, "ESP"); @@ -898,8 +967,8 @@ linux_pfkey_register(void) * @param dst ip_address formatted destination * @return err_t NULL if okay, otherwise an error */ -static err_t -xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst) +static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, + ip_address *dst) { switch (family) { @@ -922,10 +991,8 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst) * @param dst ip_address formatted destination * @return err_t NULL if okay, otherwise an error */ -static err_t -xfrm_sel_to_ip_pair(const struct xfrm_selector *sel - , ip_address *src - , ip_address *dst) +static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel, + ip_address *src, ip_address *dst) { int family; err_t ugh; @@ -934,7 +1001,9 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src)) || (ugh = xfrm_to_ip_address(family, &sel->daddr, dst))) + { return ugh; + } /* family has been verified in xfrm_to_ip_address. */ if (family == AF_INET) 
@@ -951,8 +1020,7 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel return NULL; } -static void -netlink_acquire(struct nlmsghdr *n) +static void netlink_acquire(struct nlmsghdr *n) { struct xfrm_user_acquire *acquire; ip_address src, dst; @@ -978,15 +1046,17 @@ netlink_acquire(struct nlmsghdr *n) if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst)) && !(ugh = addrtosubnet(&src, &ours)) && !(ugh = addrtosubnet(&dst, &his))) + { record_and_initiate_opportunistic(&ours, &his, transport_proto , "%acquire-netlink"); - + } if (ugh != NULL) + { plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh); + } } -static void -netlink_shunt_expire(struct xfrm_userpolicy_info *pol) +static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol) { ip_address src, dst; unsigned transport_proto; @@ -1004,8 +1074,7 @@ netlink_shunt_expire(struct xfrm_userpolicy_info *pol) , "delete expired bare shunt"); } -static void -netlink_policy_expire(struct nlmsghdr *n) +static void netlink_policy_expire(struct nlmsghdr *n) { struct xfrm_user_polexpire *upe; struct { @@ -1040,11 +1109,13 @@ netlink_policy_expire(struct nlmsghdr *n) rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol))) + { return; - + } if (req.id.index != rsp.u.pol.index) { DBG(DBG_KLIPS, @@ -1072,8 +1143,7 @@ netlink_policy_expire(struct nlmsghdr *n) } } -static bool -netlink_get(void) +static bool netlink_get(void) { struct { struct nlmsghdr n; 
@@ -1137,22 +1207,15 @@ netlink_get(void) return TRUE; } -static void -netlink_process_msg(void) +static void netlink_process_msg(void) { - while (netlink_get()) - ; + while (netlink_get()); } -static ipsec_spi_t -netlink_get_spi(const ip_address *src -, const ip_address *dst -, int proto -, bool tunnel_mode -, unsigned reqid -, ipsec_spi_t min -, ipsec_spi_t max -, const char *text_said) +static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst, + int proto, bool tunnel_mode, unsigned reqid, + ipsec_spi_t min, ipsec_spi_t max, + const char *text_said) { struct { struct nlmsghdr n; @@ -1185,11 +1248,13 @@ netlink_get_spi(const ip_address *src rsp.n.nlmsg_type = XFRM_MSG_NEWSA; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said)) + { return 0; - + } if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa))) + { return 0; - + } DBG(DBG_KLIPS, DBG_log("netlink_get_spi: allocated 0x%x for %s" , ntohl(rsp.u.sa.id.spi), text_said)); diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 6dfbd6732..516872e8e 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -1,5 +1,6 @@ /* mechanisms for preshared keys (public, private, and preshared secrets) * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -551,7 +552,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd) } *key = load_private_key(filename, &pass, type); - return key ? NULL : "Private key file -- could not be loaded"; + return *key ? NULL : "Private key file -- could not be loaded"; } /** diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index 80164fa1d..8e428a759 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c 
@@ -1,6 +1,6 @@ /* Support of the Online Certificate Status Protocol (OCSP) * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen - * Zuercher Hochschule Winterthur + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/pem.c b/src/pluto/pem.c index 646447c1a..1a4a99af7 100644 --- a/src/pluto/pem.c +++ b/src/pluto/pem.c @@ -1,5 +1,6 @@ /* Loading of PEM encoded files with optional encryption * Copyright (C) 2001-2009 Andreas Steffen + * * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c index 7fb8232d5..1d5b14b26 100644 --- a/src/pluto/pgpcert.c +++ b/src/pluto/pgpcert.c @@ -85,7 +85,7 @@ static u_char pgp_version(chunk_t *blob) } /** - * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440 + * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880 */ static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert) { @@ -171,8 +171,8 @@ static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert) */ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert) { - pgp_pubkey_alg_t pubkey_alg; - public_key_t *key; + chunk_t pubkey_packet = *packet; + pgp_pubkey_alg_t pubkey_alg; if (!parse_pgp_pubkey_version_validity(packet, cert)) { 
@@ -190,33 +190,51 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert) { case PGP_PUBKEY_ALG_RSA: case PGP_PUBKEY_ALG_RSA_SIGN_ONLY: - key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, - BUILD_BLOB_PGP, *packet, - BUILD_END); - if (key == NULL) + cert->public_key = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_RSA, + BUILD_BLOB_PGP, *packet, + BUILD_END); + if (cert->public_key == NULL) { return FALSE; } - cert->public_key = key; - - if (cert->version == 3) - { - cert->fingerprint = key->get_id(key, ID_KEY_ID); - if (cert->fingerprint == NULL) - { - return FALSE; - } - } - else - { - plog(" computation of V4 key ID not implemented yet"); - return FALSE; - } break; default: plog(" non RSA public keys not supported"); return FALSE; } + + /* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */ + if (cert->version == 4) + { + char pubkey_packet_header_buf[] = { + 0x99, pubkey_packet.len / 256, pubkey_packet.len % 256 + }; + chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf); + chunk_t hash; + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + plog("no SHA-1 hasher available"); + return FALSE; + } + hasher->allocate_hash(hasher, pubkey_packet_header, NULL); + hasher->allocate_hash(hasher, pubkey_packet, &hash); + hasher->destroy(hasher); + cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash); + free(hash.ptr); + } + else + { + /* V3 fingerprint is computed by public_key_t class */ + cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID); + if (cert->fingerprint == NULL) + { + return FALSE; + } + } return TRUE; } diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index 39367cafa..5d0e008f3 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c 
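Review bot: The V4 fingerprint branch added to parse_pgp_pubkey_packet builds the hashed header as `char pubkey_packet_header_buf[] = { 0x99, pubkey_packet.len / 256, pubkey_packet.len % 256 }`, which stores 0x99 in a possibly signed `char` and silently truncates the length when the packet is larger than 65535 bytes, so the fingerprint would then be computed over a header that does not match the data. Declaring the buffer as `u_char` and rejecting oversized packets first, `if (pubkey_packet.len > 0xffff) return FALSE;`, keeps the key ID well defined. The result of `identification_create_from_encoding(ID_KEY_ID, hash)` is also stored without the NULL check that the V3 branch applies to `get_id()`. The function begins outside the hunk.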
@@ -43,11 +43,6 @@ #include <utils/enumerator.h> #include <utils/optionsfrom.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips/fips_signature.h> -#endif /* INTEGRITY_TEST */ - #include <pfkeyv2.h> #include <pfkey.h> @@ -265,7 +260,18 @@ int main(int argc, char **argv) #endif /* CAPABILITIES */ /* initialize library and optionsfrom */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pluto", argv[0])) + { + fprintf(stderr, "integrity check of pluto failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } options = options_create(); /* handle arguments */ @@ -637,31 +643,28 @@ int main(int argc, char **argv) plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s", compile_time_interop_options); + if (lib->integrity) + { + plog("integrity tests enabled:"); + plog("lib 'libstrongswan': passed file and segment integrity tests"); + plog("daemon 'pluto': passed file integrity test"); + } + /* load plugins, further infrastructure may need it */ lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)); print_plugins(); -#ifdef INTEGRITY_TEST - DBG1("integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(" integrity test passed"); - } - else + if (!init_secret() || !init_crypto()) { - DBG1(" integrity test failed"); - abort(); + plog("initialization failed - aborting pluto"); + exit_pluto(SS_RC_INITIALIZATION_FAILED); } -#endif /* INTEGRITY_TEST */ - init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf); init_virtual_ip(virtual_private); scx_init(pkcs11_module_path, pkcs11_init_args); xauth_init(); - init_secret(); init_states(); - init_crypto(); init_demux(); init_kernel(); init_adns(); 
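Review bot: The daemon integrity check added after `library_init()` in main() passes `argv[0]` to `lib->integrity->check_file()`, and `argv[0]` is chosen by whoever starts the process, so it may be a bare or relative name that does not resolve to the binary actually running. As written the check then covers whatever file that string names, or fails for a legitimate start from another directory, rather than the executing image. Checking a path that is fixed at build time, or on Linux the target of `/proc/self/exe`, would tie the check to the running binary. The first new branch also exits on a failed `library_init()` without any message; a line such as `fprintf(stderr, "initialization of libstrongswan failed\n");` would match the second branch. main() extends beyond this hunk.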
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c index b8f4a3c23..a86c9f215 100644 --- a/src/pluto/spdb.c +++ b/src/pluto/spdb.c @@ -473,14 +473,13 @@ out_sa(pb_stream *outs if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs)) return_on(ret, FALSE); - /* Within tranform: Attributes. */ + /* Within transform: Attributes. */ /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is * automatically generated because it must be the same * in every transform. Except IPCOMP. */ - if (p->protoid != PROTO_IPCOMP - && st->st_pfs_group != NULL) + if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL) { passert(!oakley_mode); passert(st->st_pfs_group != &unset_group); @@ -582,8 +581,7 @@ return_out: * The code is can only handle values that can fit in unsigned long. * "Clamping" is probably an acceptable way to impose this limitation. */ -static u_int32_t -decode_long_duration(pb_stream *pbs) +static u_int32_t decode_long_duration(pb_stream *pbs) { u_int32_t val = 0; @@ -631,8 +629,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa /* Situation */ if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL)) + { return SITUATION_NOT_SUPPORTED; - + } if (*ipsecdoisit != SIT_IDENTITY_ONLY) { loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)" @@ -647,8 +646,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa * There may well be multiple transforms. */ if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs)) + { return PAYLOAD_MALFORMED; - + } if (proposal->isap_np != ISAKMP_NEXT_NONE) { loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal" 
@@ -711,35 +711,31 @@ static struct { u_int8_t *roof; } backup; -/* - * backup the pointer into a pb_stream +/** + * Backup the pointer into a pb_stream */ -void -backup_pbs(pb_stream *pbs) +void backup_pbs(pb_stream *pbs) { backup.start = pbs->start; backup.cur = pbs->cur; backup.roof = pbs->roof; } -/* - * restore the pointer into a pb_stream +/** + * Restore the pointer into a pb_stream */ -void -restore_pbs(pb_stream *pbs) +void restore_pbs(pb_stream *pbs) { pbs->start = backup.start; pbs->cur = backup.cur; pbs->roof = backup.roof; } -/* +/** * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies */ -notification_t -parse_isakmp_policy(pb_stream *proposal_pbs - , u_int notrans - , lset_t *policy) +notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, + lset_t *policy) { int last_transnum = -1; @@ -753,8 +749,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs struct isakmp_transform trans; if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs)) + { return BAD_PROPOSAL_SYNTAX; - + } if (trans.isat_transnum <= last_transnum) { /* picky, picky, picky */ @@ -781,8 +778,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs pb_stream attr_pbs; if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs)) + { return BAD_PROPOSAL_SYNTAX; - + } passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32); switch (a.isaat_af_type) @@ -827,11 +825,10 @@ parse_isakmp_policy(pb_stream *proposal_pbs return NOTHING_WRONG; } -/* - * check that we can find a preshared secret +/** + * Check that we can find a preshared secret */ -static err_t -find_preshared_key(struct state* st) +static err_t find_preshared_key(struct state* st) { err_t ugh = NULL; struct connection *c = st->st_connection; 
@@ -842,9 +839,13 @@ find_preshared_key(struct state* st) idtoa(&c->spd.this.id, my_id, sizeof(my_id)); if (his_id_was_instantiated(c)) + { strcpy(his_id, "%any"); + } else + { idtoa(&c->spd.that.id, his_id, sizeof(his_id)); + } ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'" , my_id, his_id); } @@ -860,13 +861,12 @@ find_preshared_key(struct state* st) * * This routine is used by main_inI1_outR1() and main_inR1_outI2(). */ -notification_t -parse_isakmp_sa_body(u_int32_t ipsecdoisit - , pb_stream *proposal_pbs - , struct isakmp_proposal *proposal - , pb_stream *r_sa_pbs - , struct state *st - , bool initiator) +notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, + pb_stream *proposal_pbs, + struct isakmp_proposal *proposal, + pb_stream *r_sa_pbs, + struct state *st, + bool initiator) { struct connection *c = st->st_connection; unsigned no_trans_left; @@ -1326,17 +1326,14 @@ static const struct ipsec_trans_attrs null_ipsec_trans_attrs = { 0, /* key_rounds */ }; -static bool -parse_ipsec_transform(struct isakmp_transform *trans -, struct ipsec_trans_attrs *attrs -, pb_stream *prop_pbs -, pb_stream *trans_pbs -, struct_desc *trans_desc -, int previous_transnum /* or -1 if none */ -, bool selection -, bool is_last -, bool is_ipcomp -, struct state *st) /* current state object */ +static bool parse_ipsec_transform(struct isakmp_transform *trans, + struct ipsec_trans_attrs *attrs, + pb_stream *prop_pbs, + pb_stream *trans_pbs, + struct_desc *trans_desc, + int previous_transnum, /* or -1 if none */ + bool selection, bool is_last, bool is_ipcomp, + struct state *st) /* current state object */ { lset_t seen_attrs = 0; lset_t seen_durations = 0; 
@@ -1344,8 +1341,9 @@ parse_ipsec_transform(struct isakmp_transform *trans const struct dh_desc *pfs_group = NULL; if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs)) + { return FALSE; - + } if (trans->isat_transnum <= previous_transnum) { loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing"); diff --git a/src/pluto/state.c b/src/pluto/state.c index 6ce0d50e5..5bef36c5c 100644 --- a/src/pluto/state.c +++ b/src/pluto/state.c @@ -1,6 +1,7 @@ /* routines for state objects * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/timer.c b/src/pluto/timer.c index ecbee740f..89082f88e 100644 --- a/src/pluto/timer.c +++ b/src/pluto/timer.c @@ -1,6 +1,7 @@ /* timer event handling * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -139,14 +140,21 @@ void event_schedule(enum event_type type, time_t tm, struct state *st) * Generate the secret value for responder cookies, and * schedule an event for refresh. */ -void init_secret(void) +bool init_secret(void) { rng_t *rng; rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + + if (rng == NULL) + { + plog("secret initialization failed, no RNG supported"); + return FALSE; + } rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day); rng->destroy(rng); event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL); + return true; } /** diff --git a/src/pluto/timer.h b/src/pluto/timer.h index 322aeba6a..c8e9b727c 100644 
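Review bot: In the timer.c hunk, init_secret() now returns `FALSE` on the error path but lowercase `true` on success; the other changed code on this page uses the `TRUE`/`FALSE` macros, so `return TRUE;` would keep it consistent. The comment above the function still describes only the side effects; adding a line such as `@return TRUE if the responder cookie secret was generated` would document the new contract that main() now depends on.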
--- a/src/pluto/timer.h +++ b/src/pluto/timer.h @@ -31,4 +31,4 @@ extern void delete_event(struct state *st); extern void delete_dpd_event(struct state *st); extern void daily_log_event(void); extern void free_events(void); -extern void init_secret(void); +extern bool init_secret(void); diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c index ff145eb38..a532e50f2 100644 --- a/src/pluto/vendor.c +++ b/src/pluto/vendor.c @@ -197,9 +197,13 @@ static struct vid_struct _vid_tab[] = { /* * strongSwan */ - DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.2") + DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.4") + DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3") + DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2") DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1") DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0") + DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17") + DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16") DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15") DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14") DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13") @@ -237,6 +241,8 @@ static struct vid_struct _vid_tab[] = { DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1") DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0") + DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11") + DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10") DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9") DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8") DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7") diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h index 164c1aa6d..8aa2f6348 100644 --- a/src/pluto/vendor.h +++ b/src/pluto/vendor.h @@ -92,6 +92,8 @@ enum known_vendorid { VID_STRONGSWAN_2_8_7 = 73, VID_STRONGSWAN_2_8_8 = 74, VID_STRONGSWAN_2_8_9 = 75, + VID_STRONGSWAN_2_8_10 = 76, + VID_STRONGSWAN_2_8_11 = 77, VID_STRONGSWAN_4_0_0 = 80, VID_STRONGSWAN_4_0_1 = 81, 
@@ -130,8 +132,12 @@ enum known_vendorid { VID_STRONGSWAN_4_2_13 =113, VID_STRONGSWAN_4_2_14 =114, VID_STRONGSWAN_4_2_15 =115, - VID_STRONGSWAN_4_3_0 =116, - VID_STRONGSWAN_4_3_1 =117, + VID_STRONGSWAN_4_2_16 =116, + VID_STRONGSWAN_4_2_17 =117, + VID_STRONGSWAN_4_3_0 =118, + VID_STRONGSWAN_4_3_1 =119, + VID_STRONGSWAN_4_3_2 =120, + VID_STRONGSWAN_4_3_3 =121, /* 101 - 200 : NAT-Traversal */ VID_NATT_STENBERG_01 =151, |