summaryrefslogtreecommitdiff
path: root/src/pluto
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
commita9b7f8d4a4a4202facd9690580b38542e7933f00 (patch)
treed82a9d506c62cff257e5292845b68df3ca5c60dc /src/pluto
parent12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff)
downloadvyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.tar.gz
vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.zip
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in some cases. - Enable integrity checking.
Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am5
-rw-r--r--src/pluto/Makefile.in17
-rw-r--r--src/pluto/alg_info.c32
-rw-r--r--src/pluto/connections.c1
-rw-r--r--src/pluto/constants.c3
-rw-r--r--src/pluto/crypto.c15
-rw-r--r--src/pluto/crypto.h2
-rw-r--r--src/pluto/ipsec_doi.c122
-rw-r--r--src/pluto/kernel.c187
-rw-r--r--src/pluto/kernel_alg.c54
-rw-r--r--src/pluto/kernel_netlink.c357
-rw-r--r--src/pluto/keys.c3
-rw-r--r--src/pluto/ocsp.c2
-rw-r--r--src/pluto/pem.c1
-rw-r--r--src/pluto/pgpcert.c62
-rw-r--r--src/pluto/plutomain.c41
-rw-r--r--src/pluto/spdb.c88
-rw-r--r--src/pluto/state.c1
-rw-r--r--src/pluto/timer.c10
-rw-r--r--src/pluto/timer.h2
-rw-r--r--src/pluto/vendor.c8
-rw-r--r--src/pluto/vendor.h10
22 files changed, 603 insertions, 420 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 01237305b..c9cb6651f 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -110,11 +110,6 @@ if USE_SMARTCARD
AM_CFLAGS += -DSMARTCARD
endif
-# This compile option activates the integrity test of libstrongswan
-if USE_INTEGRITY_TEST
- AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
if USE_CAPABILITIES
pluto_LDADD += -lcap
endif
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 01bda8540..871f0c905 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -52,11 +52,8 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
# This compile option activates smartcard support
@USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD
-
-# This compile option activates the integrity test of libstrongswan
-@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST
-@USE_CAPABILITIES_TRUE@am__append_7 = -lcap
-@USE_THREADS_TRUE@am__append_8 = -DTHREADS
+@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
+@USE_THREADS_TRUE@am__append_7 = -DTHREADS
subdir = src/pluto
DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in
@@ -116,12 +113,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -186,6 +185,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -226,7 +226,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -325,11 +327,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \
-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
$(am__append_1) $(am__append_2) $(am__append_3) \
- $(am__append_4) $(am__append_5) $(am__append_6) \
- $(am__append_8)
+ $(am__append_4) $(am__append_5) $(am__append_7)
pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
$(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \
- $(am__append_7)
+ $(am__append_6)
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv $(DLLIB)
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index a85a18905..c25418fc1 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -139,6 +139,24 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
)
}
+/**
+ * Returns true if the given alg is an authenticated encryption algorithm
+ */
+static bool is_authenticated_encryption(int ealg_id)
+{
+ switch (ealg_id)
+ {
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ return TRUE;
+ }
+ return FALSE;
+}
+
/*
* Add ESP alg info _with_ logic (policy):
*/
@@ -152,7 +170,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
}
if (ealg_id > 0)
{
- if (aalg_id > 0)
+ if (is_authenticated_encryption(ealg_id))
+ {
+ __alg_info_esp_add((struct alg_info_esp *)alg_info,
+ ealg_id, ek_bits,
+ AUTH_ALGORITHM_NONE, 0);
+ }
+ else if (aalg_id > 0)
{
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
@@ -160,13 +184,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
}
else
{
- /* Policy: default to MD5 and SHA1 */
+ /* Policy: default to SHA-1 and MD5 */
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
- AUTH_ALGORITHM_HMAC_MD5, ak_bits);
+ AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
- AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
+ AUTH_ALGORITHM_HMAC_MD5, ak_bits);
}
}
}
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 4deb722f7..b800b1665 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -1,5 +1,6 @@
/* information about connections between hosts and clients
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index adcd77131..e46728d84 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -663,6 +663,7 @@ enum_names enc_mode_names =
/* Auth Algorithm attribute */
static const char *const auth_alg_name[] = {
+ "AUTH_NONE",
"HMAC_MD5",
"HMAC_SHA1",
"DES_MAC",
@@ -683,7 +684,7 @@ enum_names extended_auth_alg_names =
{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
enum_names auth_alg_names =
- { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
+ { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
, &extended_auth_alg_names };
/* From draft-beaulieu-ike-xauth */
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 1adccc74e..f47ad1eeb 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -235,7 +235,7 @@ static struct dh_desc dh_desc_ecp_224 = {
ke_size: 2*224 / BITS_PER_BYTE
};
-void init_crypto(void)
+bool init_crypto(void)
{
enumerator_t *enumerator;
encryption_algorithm_t encryption_alg;
@@ -275,13 +275,13 @@ void init_crypto(void)
}
enumerator->destroy(enumerator);
- if (no_sha1)
+ if (no_sha1 || no_md5)
{
- exit_log("pluto cannot run without a SHA-1 hasher");
- }
- if (no_md5)
- {
- exit_log("pluto cannot run without an MD5 hasher");
+ plog("pluto cannot run without a %s%s%s hasher",
+ (no_sha1) ? "SHA-1" : "",
+ (no_sha1 && no_md5) ? " and " : "",
+ (no_md5) ? "MD5" : "");
+ return FALSE;
}
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
@@ -363,6 +363,7 @@ void init_crypto(void)
ike_alg_add((struct ike_alg *)desc);
}
enumerator->destroy(enumerator);
+ return TRUE;
}
void free_crypto(void)
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
index 06c4e1d1a..019ba5764 100644
--- a/src/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -20,7 +20,7 @@
#include "ike_alg.h"
-extern void init_crypto(void);
+extern bool init_crypto(void);
extern void free_crypto(void);
extern const struct dh_desc unset_group; /* magic signifier */
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 929768ee9..57f4fb54b 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
*/
switch (protoid)
{
- case PROTO_IPSEC_ESP:
+ case PROTO_IPSEC_ESP:
+ {
+ needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid);
+
+ if (needed_len && pi->attrs.key_len)
+ {
+ needed_len = pi->attrs.key_len / BITS_PER_BYTE;
+ }
+
switch (pi->attrs.transid)
{
- case ESP_NULL:
- needed_len = 0;
- break;
- case ESP_DES:
- needed_len = DES_CBC_BLOCK_SIZE;
- break;
- case ESP_3DES:
- needed_len = DES_CBC_BLOCK_SIZE * 3;
- break;
- default:
-#ifndef NO_KERNEL_ALG
- if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
- /* XXX: check key_len "coupling with kernel.c's */
- if (pi->attrs.key_len) {
- needed_len=pi->attrs.key_len/8;
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "key_len=%d from peer",
- (int)needed_len));
- }
- break;
- }
-#endif
- bad_case(pi->attrs.transid);
+ case ESP_NULL:
+ needed_len = 0;
+ break;
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ needed_len += 3;
+ break;
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ case ESP_AES_CTR:
+ needed_len += 4;
+ break;
+ default:
+ if (needed_len == 0)
+ {
+ bad_case(pi->attrs.transid);
+ }
}
-#ifndef NO_KERNEL_ALG
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "needed_len (after ESP enc)=%d",
- (int)needed_len));
- if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
+ if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL))
+ {
needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
- } else
-#endif
- switch (pi->attrs.auth)
+ }
+ else
{
- case AUTH_ALGORITHM_NONE:
- break;
- case AUTH_ALGORITHM_HMAC_MD5:
- needed_len += HMAC_MD5_KEY_LEN;
- break;
- case AUTH_ALGORITHM_HMAC_SHA1:
- needed_len += HMAC_SHA1_KEY_LEN;
- break;
- case AUTH_ALGORITHM_DES_MAC:
- default:
- bad_case(pi->attrs.auth);
+ switch (pi->attrs.auth)
+ {
+ case AUTH_ALGORITHM_NONE:
+ break;
+ case AUTH_ALGORITHM_HMAC_MD5:
+ needed_len += HMAC_MD5_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ needed_len += HMAC_SHA1_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_DES_MAC:
+ default:
+ bad_case(pi->attrs.auth);
+ }
}
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "needed_len (after ESP auth)=%d",
- (int)needed_len));
break;
-
- case PROTO_IPSEC_AH:
+ }
+ case PROTO_IPSEC_AH:
+ {
switch (pi->attrs.transid)
{
- case AH_MD5:
- needed_len = HMAC_MD5_KEY_LEN;
- break;
- case AH_SHA:
- needed_len = HMAC_SHA1_KEY_LEN;
- break;
- default:
- bad_case(pi->attrs.transid);
+ case AH_MD5:
+ needed_len = HMAC_MD5_KEY_LEN;
+ break;
+ case AH_SHA:
+ needed_len = HMAC_SHA1_KEY_LEN;
+ break;
+ default:
+ bad_case(pi->attrs.transid);
}
break;
-
- default:
- bad_case(protoid);
+ }
+ default:
+ bad_case(protoid);
}
pi->keymat_len = needed_len;
@@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
{
loglog(RC_LOG_SERIOUS
- , "DPD: R_U_THERE_ACK has unexpected sequence number");
+ , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
+ , seqno, st->st_dpd_expectseqno);
return STF_FAIL + PAYLOAD_MALFORMED;
}
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index f698de2c8..46edac1cd 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1,6 +1,7 @@
/* routines that interface with the kernel's IPsec mechanism
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -1849,7 +1850,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (st->nat_traversal & NAT_T_DETECTED)
{
natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
- ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
+ ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
natt_oa = st->nat_oa;
@@ -1860,12 +1861,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (ei == &esp_info[countof(esp_info)])
{
/* Check for additional kernel alg */
-#ifndef NO_KERNEL_ALG
if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
- st->st_esp.attrs.auth))!=NULL) {
- break;
+ st->st_esp.attrs.auth))!=NULL)
+ {
+ break;
}
-#endif
/* note: enum_show may use a static buffer, so two
* calls in one printf would be a mistake.
@@ -1878,9 +1878,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
goto fail;
}
- if (st->st_esp.attrs.transid == ei->transid
- && st->st_esp.attrs.auth == ei->auth)
+ if (st->st_esp.attrs.transid == ei->transid &&
+ st->st_esp.attrs.auth == ei->auth)
+ {
break;
+ }
}
key_len = st->st_esp.attrs.key_len/8;
@@ -1899,40 +1901,52 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
{
key_len = ei->enckeylen;
}
- /* Grrrrr.... f*cking 7 bits jurassic algos */
-
- /* 168 bits in kernel, need 192 bits for keymat_len */
- if (ei->transid == ESP_3DES && key_len == 21)
- key_len = 24;
- /* 56 bits in kernel, need 64 bits for keymat_len */
- if (ei->transid == ESP_DES && key_len == 7)
- key_len = 8;
+ switch (ei->transid)
+ {
+ case ESP_3DES:
+ /* 168 bits in kernel, need 192 bits for keymat_len */
+ if (key_len == 21)
+ {
+ key_len = 24;
+ }
+ break;
+ case ESP_DES:
+ /* 56 bits in kernel, need 64 bits for keymat_len */
+ if (key_len == 7)
+ {
+ key_len = 8;
+ }
+ break;
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ key_len += 3;
+ break;
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ case ESP_AES_CTR:
+ key_len += 4;
+ break;
+ default:
+ break;
+ }
/* divide up keying material */
- /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
- DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING,
- if(st->st_esp.keymat_len != key_len + ei->authkeylen)
- DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
- st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
- )
- passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
-
set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
-
said_next->src = &src.addr;
said_next->dst = &dst.addr;
said_next->src_client = &src_client;
said_next->dst_client = &dst_client;
said_next->spi = esp_spi;
said_next->satype = SADB_SATYPE_ESP;
- said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+ said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
+ REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
said_next->authalg = ei->authalg;
said_next->authkeylen = ei->authkeylen;
- /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
said_next->authkey = esp_dst_keymat + key_len;
said_next->encalg = ei->encryptalg;
- /* said_next->enckeylen = ei->enckeylen; */
said_next->enckeylen = key_len;
said_next->enckey = esp_dst_keymat;
said_next->encapsulation = encapsulation;
@@ -1945,10 +1959,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
said_next->text_said = text_said;
if (!kernel_ops->add_sa(said_next, replace))
+ {
goto fail;
-
+ }
said_next++;
-
encapsulation = ENCAPSULATION_MODE_TRANSPORT;
}
@@ -1963,29 +1977,27 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
switch (st->st_ah.attrs.auth)
{
- case AUTH_ALGORITHM_HMAC_MD5:
- authalg = SADB_AALG_MD5HMAC;
- break;
-
- case AUTH_ALGORITHM_HMAC_SHA1:
- authalg = SADB_AALG_SHA1HMAC;
- break;
-
- default:
- loglog(RC_LOG_SERIOUS, "%s not implemented yet"
- , enum_show(&auth_alg_names, st->st_ah.attrs.auth));
+ case AUTH_ALGORITHM_HMAC_MD5:
+ authalg = SADB_AALG_MD5HMAC;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ authalg = SADB_AALG_SHA1HMAC;
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "%s not implemented yet",
+ enum_show(&auth_alg_names, st->st_ah.attrs.auth));
goto fail;
}
set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
-
said_next->src = &src.addr;
said_next->dst = &dst.addr;
said_next->src_client = &src_client;
said_next->dst_client = &dst_client;
said_next->spi = ah_spi;
said_next->satype = SADB_SATYPE_AH;
- said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+ said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
+ REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
said_next->authalg = authalg;
said_next->authkeylen = st->st_ah.keymat_len;
said_next->authkey = ah_dst_keymat;
@@ -1994,10 +2006,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
said_next->text_said = text_said;
if (!kernel_ops->add_sa(said_next, replace))
+ {
goto fail;
-
+ }
said_next++;
-
encapsulation = ENCAPSULATION_MODE_TRANSPORT;
}
@@ -2093,7 +2105,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
s[1].text_said = text_said1;
if (!kernel_ops->grp_sa(s + 1, s))
+ {
goto fail;
+ }
}
/* could update said, but it will not be used */
}
@@ -2104,8 +2118,10 @@ fail:
{
/* undo the done SPIs */
while (said_next-- != said)
- (void) del_spi(said_next->spi, said_next->proto
- , &src.addr, said_next->dst);
+ {
+ (void) del_spi(said_next->spi, said_next->proto, &src.addr,
+ said_next->dst);
+ }
return FALSE;
}
}
@@ -2216,8 +2232,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
*use_time = UNDEFINED_TIME;
if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+ {
return FALSE;
-
+ }
memset(&sa, 0, sizeof(sa));
sa.proto = SA_ESP;
@@ -2241,7 +2258,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
DBG_log("get %s", text_said)
)
if (!kernel_ops->get_sa(&sa, bytes))
+ {
return FALSE;
+ }
DBG(DBG_KLIPS,
DBG_log(" current: %d bytes", *bytes)
)
@@ -2266,7 +2285,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
sa.dst_client = &c->spd.that.client;
}
if (!kernel_ops->get_policy(&sa, inbound, use_time))
+ {
return FALSE;
+ }
DBG(DBG_KLIPS,
DBG_log(" use_time: %T", use_time, FALSE)
)
@@ -2349,15 +2370,21 @@ bool install_inbound_ipsec_sa(struct state *st)
struct connection *o = route_owner(c, &esr, NULL, NULL);
if (o == NULL)
+ {
break; /* nobody has a route */
+ }
/* note: we ignore the client addresses at this end */
- if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
- && o->interface == c->interface)
+ if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) &&
+ o->interface == c->interface)
+ {
break; /* existing route is compatible */
+ }
if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
+ {
break; /* ??? is this good enough?? */
+ }
loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
, o->name, ip_str(&o->spd.that.host_addr));
@@ -2369,12 +2396,11 @@ bool install_inbound_ipsec_sa(struct state *st)
/* check that we will be able to route and eroute */
switch (could_route(c))
{
- case route_easy:
- case route_nearconflict:
- break;
-
- default:
- return FALSE;
+ case route_easy:
+ case route_nearconflict:
+ break;
+ default:
+ return FALSE;
}
#ifdef KLIPS
@@ -2471,10 +2497,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
/* if no state provided, then install a shunt for later */
if (st == NULL)
+ {
eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
, ERO_ADD, "add");
+ }
else
+ {
eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
+ }
}
/* notify the firewall of a new tunnel */
@@ -2507,8 +2537,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
(void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
route_installed = do_command(c, sr, "route");
}
- else if (routed(sr->routing)
- || routes_agree(ro, c))
+ else if (routed(sr->routing) || routes_agree(ro, c))
{
route_installed = TRUE; /* nothing to be done */
}
@@ -2658,11 +2687,13 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
{
/* there was no previous eroute: delete whatever we installed */
if (st == NULL)
- (void) shunt_eroute(c, sr
- , sr->routing, ERO_DELETE, "delete");
+ {
+ (void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete");
+ }
else
- (void) sag_eroute(st, sr
- , ERO_DELETE, "delete");
+ {
+ (void) sag_eroute(st, sr, ERO_DELETE, "delete");
+ }
}
}
@@ -2685,18 +2716,19 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
switch (could_route(st->st_connection))
{
- case route_easy:
- case route_nearconflict:
- break;
-
- default:
- return FALSE;
+ case route_easy:
+ case route_nearconflict:
+ break;
+ default:
+ return FALSE;
}
/* (attempt to) actually set up the SA group */
- if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
- || !setup_half_ipsec_sa(st, FALSE))
+ if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) ||
+ !setup_half_ipsec_sa(st, FALSE))
+ {
return FALSE;
+ }
for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
{
@@ -2730,12 +2762,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
switch (could_route(st->st_connection))
{
- case route_easy:
- case route_nearconflict:
- break;
-
- default:
- return FALSE;
+ case route_easy:
+ case route_nearconflict:
+ break;
+ default:
+ return FALSE;
}
@@ -2778,8 +2809,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
(void) do_command(c, sr, "down");
- if ((c->policy & POLICY_DONT_REKEY)
- && c->kind == CK_INSTANCE)
+ if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
{
/* in this special case, even if the connection
* is still alive (due to an ISAKMP SA),
@@ -2888,8 +2918,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
/* Can't open the file, perhaps were are on 26sec? */
time_t use_time;
- if (get_sa_info(st, TRUE, &bytes, &use_time)
- && use_time != UNDEFINED_TIME)
+ if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
{
*idle_time = time(NULL) - use_time;
ret = *idle_time >= idle_max;
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 1590bdf02..7e7d25872 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -341,7 +341,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
sadb.msg++;
- while(msglen)
+ while (msglen)
{
int supp_exttype = sadb.supported->sadb_supported_exttype;
int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
@@ -361,14 +361,14 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
supp_len;
supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
{
- int ret = kernel_alg_add(satype, supp_exttype, sadb.alg);
+ kernel_alg_add(satype, supp_exttype, sadb.alg);
DBG(DBG_KLIPS,
DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
- "res=%d, ret=%d"
- , satype==SADB_SATYPE_ESP? "ESP" : "AH"
+ "res=%d"
+ , satype == SADB_SATYPE_ESP? "ESP" : "AH"
, i
, supp_exttype
, satype
@@ -376,9 +376,25 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
, sadb.alg->sadb_alg_ivlen
, sadb.alg->sadb_alg_minbits
, sadb.alg->sadb_alg_maxbits
- , sadb.alg->sadb_alg_reserved
- , ret)
+ , sadb.alg->sadb_alg_reserved)
)
+ /* if AES_CBC is registered then also register AES_CCM and AES_GCM */
+ if (satype == SADB_SATYPE_ESP &&
+ sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC)
+ {
+ struct sadb_alg alg = *sadb.alg;
+ int alg_id;
+
+ for (alg_id = SADB_X_EALG_AES_CCM_ICV8;
+ alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++)
+ {
+ if (alg_id != ESP_UNASSIGNED_17)
+ {
+ alg.sadb_alg_id = alg_id;
+ kernel_alg_add(satype, supp_exttype, &alg);
+ }
+ }
+ }
}
}
}
@@ -388,8 +404,9 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
u_int keylen = 0;
if (!ESP_EALG_PRESENT(alg_id))
+ {
goto none;
-
+ }
keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
switch (alg_id)
@@ -407,8 +424,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
none:
DBG(DBG_KLIPS,
- DBG_log("kernel_alg_esp_enc_keylen():"
- "alg_id=%d, keylen=%d",
+ DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
alg_id, keylen)
)
return keylen;
@@ -515,7 +531,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
}
bool kernel_alg_esp_auth_ok(u_int auth,
- struct alg_info_esp *alg_info __attribute__((unused)))
+ struct alg_info_esp *alg_info __attribute__((unused)))
{
return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
}
@@ -619,14 +635,15 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
return FALSE;
}
- if (!(policy & POLICY_AUTHENTICATE)) /* skip ESP auth attrs for AH */
+ if (!(policy & POLICY_AUTHENTICATE) && /* skip ESP auth attrs for AH */
+ esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
{
aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
if (!ESP_AALG_PRESENT(aalg_id))
{
- DBG_log("kernel_alg_db_add() kernel auth "
- "aalg_id=%d not present", aalg_id);
+ DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present",
+ aalg_id);
return FALSE;
}
}
@@ -637,13 +654,18 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
/* open new transformation */
db_trans_add(db_ctx, ealg_id);
- /* add ESP auth attr */
- if (!(policy & POLICY_AUTHENTICATE))
+ /* add ESP auth attr if not AH or AEAD */
+ if (!(policy & POLICY_AUTHENTICATE) &&
+ esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
+ {
db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
+ }
- /* add keylegth if specified in esp= string */
+ /* add keylength if specified in esp= string */
if (esp_info->esp_ealg_keylen)
+ {
db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
+ }
return TRUE;
}
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index b4b4774c7..0376e817b 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -49,69 +49,76 @@ static int netlink_bcast_fd = NULL_FD;
#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
static sparse_names xfrm_type_names = {
- NE(NLMSG_NOOP),
- NE(NLMSG_ERROR),
- NE(NLMSG_DONE),
- NE(NLMSG_OVERRUN),
+ NE(NLMSG_NOOP),
+ NE(NLMSG_ERROR),
+ NE(NLMSG_DONE),
+ NE(NLMSG_OVERRUN),
- NE(XFRM_MSG_NEWSA),
- NE(XFRM_MSG_DELSA),
- NE(XFRM_MSG_GETSA),
+ NE(XFRM_MSG_NEWSA),
+ NE(XFRM_MSG_DELSA),
+ NE(XFRM_MSG_GETSA),
- NE(XFRM_MSG_NEWPOLICY),
- NE(XFRM_MSG_DELPOLICY),
- NE(XFRM_MSG_GETPOLICY),
+ NE(XFRM_MSG_NEWPOLICY),
+ NE(XFRM_MSG_DELPOLICY),
+ NE(XFRM_MSG_GETPOLICY),
- NE(XFRM_MSG_ALLOCSPI),
- NE(XFRM_MSG_ACQUIRE),
- NE(XFRM_MSG_EXPIRE),
+ NE(XFRM_MSG_ALLOCSPI),
+ NE(XFRM_MSG_ACQUIRE),
+ NE(XFRM_MSG_EXPIRE),
- NE(XFRM_MSG_UPDPOLICY),
- NE(XFRM_MSG_UPDSA),
+ NE(XFRM_MSG_UPDPOLICY),
+ NE(XFRM_MSG_UPDSA),
- NE(XFRM_MSG_POLEXPIRE),
+ NE(XFRM_MSG_POLEXPIRE),
- NE(XFRM_MSG_MAX),
+ NE(XFRM_MSG_MAX),
- { 0, sparse_end }
+ { 0, sparse_end }
};
#undef NE
/* Authentication algorithms */
static sparse_names aalg_list = {
- { SADB_X_AALG_NULL, "digest_null" },
- { SADB_AALG_MD5HMAC, "md5" },
- { SADB_AALG_SHA1HMAC, "sha1" },
- { SADB_X_AALG_SHA2_256HMAC, "sha256" },
- { SADB_X_AALG_SHA2_384HMAC, "sha384" },
- { SADB_X_AALG_SHA2_512HMAC, "sha512" },
- { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
- { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
- { SADB_X_AALG_NULL, "null" },
- { 0, sparse_end }
+ { SADB_X_AALG_NULL, "digest_null" },
+ { SADB_AALG_MD5HMAC, "md5" },
+ { SADB_AALG_SHA1HMAC, "sha1" },
+ { SADB_X_AALG_SHA2_256HMAC, "sha256" },
+ { SADB_X_AALG_SHA2_384HMAC, "sha384" },
+ { SADB_X_AALG_SHA2_512HMAC, "sha512" },
+ { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+ { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
+ { SADB_X_AALG_NULL, "null" },
+ { 0, sparse_end }
};
/* Encryption algorithms */
static sparse_names ealg_list = {
- { SADB_EALG_NULL, "cipher_null" },
- { SADB_EALG_DESCBC, "des" },
- { SADB_EALG_3DESCBC, "des3_ede" },
- { SADB_X_EALG_CASTCBC, "cast128" },
- { SADB_X_EALG_BLOWFISHCBC, "blowfish" },
- { SADB_X_EALG_AESCBC, "aes" },
- { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
- { SADB_X_EALG_SERPENTCBC, "serpent" },
- { SADB_X_EALG_TWOFISHCBC, "twofish" },
- { 0, sparse_end }
+ { SADB_EALG_NULL, "cipher_null" },
+ { SADB_EALG_DESCBC, "des" },
+ { SADB_EALG_3DESCBC, "des3_ede" },
+ { SADB_X_EALG_CASTCBC, "cast128" },
+ { SADB_X_EALG_BLOWFISHCBC, "blowfish" },
+ { SADB_X_EALG_AESCBC, "aes" },
+ { SADB_X_EALG_AESCTR, "rfc3686(ctr(aes))" },
+ { SADB_X_EALG_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
+ { SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
+ { SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
+ { SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
+ { SADB_X_EALG_SERPENTCBC, "serpent" },
+ { SADB_X_EALG_TWOFISHCBC, "twofish" },
+ { 0, sparse_end }
};
/* Compression algorithms */
static sparse_names calg_list = {
- { SADB_X_CALG_DEFLATE, "deflate" },
- { SADB_X_CALG_LZS, "lzs" },
- { SADB_X_CALG_LZJH, "lzjh" },
- { 0, sparse_end }
+ { SADB_X_CALG_DEFLATE, "deflate" },
+ { SADB_X_CALG_LZS, "lzs" },
+ { SADB_X_CALG_LZJH, "lzjh" },
+ { 0, sparse_end }
};
/** ip2xfrm - Take an IP address and convert to an xfrm.
@@ -119,8 +126,7 @@ static sparse_names calg_list = {
* @param addr ip_address
* @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here.
*/
-static void
-ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
+static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
{
if (addr->u.v4.sin_family == AF_INET)
{
@@ -135,35 +141,41 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
/** init_netlink - Initialize the netlink inferface. Opens the sockets and
* then binds to the broadcast socket.
*/
-static void
-init_netlink(void)
+static void init_netlink(void)
{
struct sockaddr_nl addr;
netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
if (netlinkfd < 0)
+ {
exit_log_errno((e, "socket() in init_netlink()"));
-
+ }
if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
+ {
exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
-
+ }
netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
if (netlink_bcast_fd < 0)
+ {
exit_log_errno((e, "socket() for bcast in init_netlink()"));
-
+ }
if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
+ {
exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
-
+ }
if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
+ {
exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
-
+ }
addr.nl_family = AF_NETLINK;
addr.nl_pid = getpid();
addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
+ {
exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
+ }
}
/** send_netlink_msg
@@ -176,9 +188,9 @@ init_netlink(void)
* @param text_said - String
* @return bool True if the message was succesfully sent.
*/
-static bool
-send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
-, const char *description, const char *text_said)
+static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf,
+ size_t rbuf_len, const char *description,
+ const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -200,7 +212,9 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
len = hdr->nlmsg_len;
do {
r = write(netlinkfd, hdr, len);
- } while (r < 0 && errno == EINTR);
+ }
+ while (r < 0 && errno == EINTR);
+
if (r < 0)
{
log_errno((e
@@ -221,7 +235,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
return FALSE;
}
- for (;;) {
+ for (;;)
+ {
socklen_t alen;
alen = sizeof(addr);
@@ -322,8 +337,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
* @param text_said - String
* @return boolean
*/
-static bool
-netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
+static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
+ const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -372,18 +387,17 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
* @param ip int
* @return boolean True if successful
*/
-static bool
-netlink_raw_eroute(const ip_address *this_host
- , const ip_subnet *this_client
- , const ip_address *that_host
- , const ip_subnet *that_client
- , ipsec_spi_t spi
- , unsigned int satype
- , unsigned int transport_proto
- , const struct pfkey_proto_info *proto_info
- , time_t use_lifetime UNUSED
- , unsigned int op
- , const char *text_said)
+static bool netlink_raw_eroute(const ip_address *this_host
+ , const ip_subnet *this_client
+ , const ip_address *that_host
+ , const ip_subnet *that_client
+ , ipsec_spi_t spi
+ , unsigned int satype
+ , unsigned int transport_proto
+ , const struct pfkey_proto_info *proto_info
+ , time_t use_lifetime UNUSED
+ , unsigned int op
+ , const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -568,8 +582,7 @@ netlink_raw_eroute(const ip_address *this_host
* @param replace boolean - true if this replaces an existing SA
* @return bool True if successfull
*/
-static bool
-netlink_add_sa(const struct kernel_sa *sa, bool replace)
+static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
{
struct {
struct nlmsghdr n;
@@ -577,6 +590,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
char data[1024];
} req;
struct rtattr *attr;
+ u_int16_t icv_size = 64;
memset(&req, 0, sizeof(req));
req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -606,11 +620,17 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
const char *name;
name = sparse_name(aalg_list, sa->authalg);
- if (!name) {
+ if (!name)
+ {
loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
, sa->authalg);
return FALSE;
}
+ DBG(DBG_CRYPT,
+ DBG_log("configured authentication algorithm %s with key size %d",
+ enum_show(&auth_alg_names, sa->authalg),
+ sa->authkeylen * BITS_PER_BYTE)
+ )
strcpy(algo.alg_name, name);
algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
@@ -626,30 +646,78 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
attr = (struct rtattr *)((char *)attr + attr->rta_len);
}
- if (sa->encalg)
+ switch (sa->encalg)
{
- struct xfrm_algo algo;
- const char *name;
+ case SADB_EALG_NONE:
+ /* no encryption */
+ break;
+ case SADB_X_EALG_AES_CCM_ICV16:
+ case SADB_X_EALG_AES_GCM_ICV16:
+ icv_size += 32;
+ /* FALL */
+ case SADB_X_EALG_AES_CCM_ICV12:
+ case SADB_X_EALG_AES_GCM_ICV12:
+ icv_size += 32;
+ /* FALL */
+ case SADB_X_EALG_AES_CCM_ICV8:
+ case SADB_X_EALG_AES_GCM_ICV8:
+ {
+ struct xfrm_algo_aead *algo;
+ const char *name;
- name = sparse_name(ealg_list, sa->encalg);
- if (!name) {
- loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
- , sa->encalg);
- return FALSE;
+ name = sparse_name(ealg_list, sa->encalg);
+ if (!name)
+ {
+ loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
+ sa->encalg);
+ return FALSE;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("configured esp encryption algorithm %s with key size %d",
+ enum_show(&esp_transformid_names, sa->encalg),
+ sa->enckeylen * BITS_PER_BYTE)
+ )
+ attr->rta_type = XFRMA_ALG_AEAD;
+ attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
+ req.n.nlmsg_len += attr->rta_len;
+
+ algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
+ algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+ algo->alg_icv_len = icv_size;
+ strcpy(algo->alg_name, name);
+ memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
+
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ break;
}
+ default:
+ {
+ struct xfrm_algo *algo;
+ const char *name;
- strcpy(algo.alg_name, name);
- algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-
- attr->rta_type = XFRMA_ALG_CRYPT;
- attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
-
- memcpy(RTA_DATA(attr), &algo, sizeof(algo));
- memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey
- , sa->enckeylen);
-
- req.n.nlmsg_len += attr->rta_len;
- attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ name = sparse_name(ealg_list, sa->encalg);
+ if (!name)
+ {
+ loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
+ sa->encalg);
+ return FALSE;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("configured esp encryption algorithm %s with key size %d",
+ enum_show(&esp_transformid_names, sa->encalg),
+ sa->enckeylen * BITS_PER_BYTE)
+ )
+ attr->rta_type = XFRMA_ALG_CRYPT;
+ attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen);
+ req.n.nlmsg_len += attr->rta_len;
+
+ algo = (struct xfrm_algo*)RTA_DATA(attr);
+ algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+ strcpy(algo->alg_name, name);
+ memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
+
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ }
}
if (sa->compalg)
@@ -658,7 +726,8 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
const char *name;
name = sparse_name(calg_list, sa->compalg);
- if (!name) {
+ if (!name)
+ {
loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
, sa->compalg);
return FALSE;
@@ -702,8 +771,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
* @param sa Kernel SA to be deleted
* @return bool True if successfull
*/
-static bool
-netlink_del_sa(const struct kernel_sa *sa)
+static bool netlink_del_sa(const struct kernel_sa *sa)
{
struct {
struct nlmsghdr n;
@@ -726,9 +794,8 @@ netlink_del_sa(const struct kernel_sa *sa)
return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
}
-static bool
-netlink_error(const char *req_type, const struct nlmsghdr *n
-, const struct nlmsgerr *e, int rsp_size)
+static bool netlink_error(const char *req_type, const struct nlmsghdr *n,
+ const struct nlmsgerr *e, int rsp_size)
{
if (n->nlmsg_type == NLMSG_ERROR)
{
@@ -751,8 +818,8 @@ netlink_error(const char *req_type, const struct nlmsghdr *n
return FALSE;
}
-static bool
-netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
+static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound,
+ time_t *use_time)
{
struct {
struct nlmsghdr n;
@@ -789,11 +856,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ {
return FALSE;
-
+ }
if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ {
return FALSE;
-
+ }
*use_time = (time_t)rsp.u.info.curlft.use_time;
if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
@@ -803,11 +872,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
req.id.dir = XFRM_POLICY_FWD;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ {
return FALSE;
-
+ }
if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ {
return FALSE;
-
+ }
use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
}
@@ -820,8 +891,7 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
* @param sa Kernel SA to be queried
* @return bool True if successfull
*/
-static bool
-netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
+static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
{
struct {
struct nlmsghdr n;
@@ -851,18 +921,18 @@ netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
+ {
return FALSE;
-
+ }
if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ {
return FALSE;
-
+ }
*bytes = (u_int) rsp.u.info.curlft.bytes;
-
return TRUE;
}
-static void
-linux_pfkey_register_response(const struct sadb_msg *msg)
+static void linux_pfkey_register_response(const struct sadb_msg *msg)
{
switch (msg->sadb_msg_satype)
{
@@ -882,8 +952,7 @@ linux_pfkey_register_response(const struct sadb_msg *msg)
/** linux_pfkey_register - Register via PFKEY our capabilities
*
*/
-static void
-linux_pfkey_register(void)
+static void linux_pfkey_register(void)
{
pfkey_register_proto(SADB_SATYPE_AH, "AH");
pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
@@ -898,8 +967,8 @@ linux_pfkey_register(void)
* @param dst ip_address formatted destination
* @return err_t NULL if okay, otherwise an error
*/
-static err_t
-xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
+static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src,
+ ip_address *dst)
{
switch (family)
{
@@ -922,10 +991,8 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
* @param dst ip_address formatted destination
* @return err_t NULL if okay, otherwise an error
*/
-static err_t
-xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
- , ip_address *src
- , ip_address *dst)
+static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
+ ip_address *src, ip_address *dst)
{
int family;
err_t ugh;
@@ -934,7 +1001,9 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
+ {
return ugh;
+ }
/* family has been verified in xfrm_to_ip_address. */
if (family == AF_INET)
@@ -951,8 +1020,7 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
return NULL;
}
-static void
-netlink_acquire(struct nlmsghdr *n)
+static void netlink_acquire(struct nlmsghdr *n)
{
struct xfrm_user_acquire *acquire;
ip_address src, dst;
@@ -978,15 +1046,17 @@ netlink_acquire(struct nlmsghdr *n)
if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
&& !(ugh = addrtosubnet(&src, &ours))
&& !(ugh = addrtosubnet(&dst, &his)))
+ {
record_and_initiate_opportunistic(&ours, &his, transport_proto
, "%acquire-netlink");
-
+ }
if (ugh != NULL)
+ {
plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
+ }
}
-static void
-netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
+static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
{
ip_address src, dst;
unsigned transport_proto;
@@ -1004,8 +1074,7 @@ netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
, "delete expired bare shunt");
}
-static void
-netlink_policy_expire(struct nlmsghdr *n)
+static void netlink_policy_expire(struct nlmsghdr *n)
{
struct xfrm_user_polexpire *upe;
struct {
@@ -1040,11 +1109,13 @@ netlink_policy_expire(struct nlmsghdr *n)
rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ {
return;
-
+ }
if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
+ {
return;
-
+ }
if (req.id.index != rsp.u.pol.index)
{
DBG(DBG_KLIPS,
@@ -1072,8 +1143,7 @@ netlink_policy_expire(struct nlmsghdr *n)
}
}
-static bool
-netlink_get(void)
+static bool netlink_get(void)
{
struct {
struct nlmsghdr n;
@@ -1137,22 +1207,15 @@ netlink_get(void)
return TRUE;
}
-static void
-netlink_process_msg(void)
+static void netlink_process_msg(void)
{
- while (netlink_get())
- ;
+ while (netlink_get());
}
-static ipsec_spi_t
-netlink_get_spi(const ip_address *src
-, const ip_address *dst
-, int proto
-, bool tunnel_mode
-, unsigned reqid
-, ipsec_spi_t min
-, ipsec_spi_t max
-, const char *text_said)
+static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst,
+ int proto, bool tunnel_mode, unsigned reqid,
+ ipsec_spi_t min, ipsec_spi_t max,
+ const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -1185,11 +1248,13 @@ netlink_get_spi(const ip_address *src
rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
+ {
return 0;
-
+ }
if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
+ {
return 0;
-
+ }
DBG(DBG_KLIPS,
DBG_log("netlink_get_spi: allocated 0x%x for %s"
, ntohl(rsp.u.sa.id.spi), text_said));
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 6dfbd6732..516872e8e 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -1,5 +1,6 @@
/* mechanisms for preshared keys (public, private, and preshared secrets)
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -551,7 +552,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
}
*key = load_private_key(filename, &pass, type);
- return key ? NULL : "Private key file -- could not be loaded";
+ return *key ? NULL : "Private key file -- could not be loaded";
}
/**
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 80164fa1d..8e428a759 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -1,6 +1,6 @@
/* Support of the Online Certificate Status Protocol (OCSP)
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Zuercher Hochschule Winterthur
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
index 646447c1a..1a4a99af7 100644
--- a/src/pluto/pem.c
+++ b/src/pluto/pem.c
@@ -1,5 +1,6 @@
/* Loading of PEM encoded files with optional encryption
* Copyright (C) 2001-2009 Andreas Steffen
+ *
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c
index 7fb8232d5..1d5b14b26 100644
--- a/src/pluto/pgpcert.c
+++ b/src/pluto/pgpcert.c
@@ -85,7 +85,7 @@ static u_char pgp_version(chunk_t *blob)
}
/**
- * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
+ * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880
*/
static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
{
@@ -171,8 +171,8 @@ static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert)
*/
static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
{
- pgp_pubkey_alg_t pubkey_alg;
- public_key_t *key;
+ chunk_t pubkey_packet = *packet;
+ pgp_pubkey_alg_t pubkey_alg;
if (!parse_pgp_pubkey_version_validity(packet, cert))
{
@@ -190,33 +190,51 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
{
case PGP_PUBKEY_ALG_RSA:
case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
- key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
- BUILD_BLOB_PGP, *packet,
- BUILD_END);
- if (key == NULL)
+ cert->public_key = lib->creds->create(lib->creds,
+ CRED_PUBLIC_KEY, KEY_RSA,
+ BUILD_BLOB_PGP, *packet,
+ BUILD_END);
+ if (cert->public_key == NULL)
{
return FALSE;
}
- cert->public_key = key;
-
- if (cert->version == 3)
- {
- cert->fingerprint = key->get_id(key, ID_KEY_ID);
- if (cert->fingerprint == NULL)
- {
- return FALSE;
- }
- }
- else
- {
- plog(" computation of V4 key ID not implemented yet");
- return FALSE;
- }
break;
default:
plog(" non RSA public keys not supported");
return FALSE;
}
+
+ /* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */
+ if (cert->version == 4)
+ {
+ char pubkey_packet_header_buf[] = {
+ 0x99, pubkey_packet.len / 256, pubkey_packet.len % 256
+ };
+ chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf);
+ chunk_t hash;
+ hasher_t *hasher;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (hasher == NULL)
+ {
+ plog("no SHA-1 hasher available");
+ return FALSE;
+ }
+ hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
+ hasher->allocate_hash(hasher, pubkey_packet, &hash);
+ hasher->destroy(hasher);
+ cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash);
+ free(hash.ptr);
+ }
+ else
+ {
+ /* V3 fingerprint is computed by public_key_t class */
+ cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID);
+ if (cert->fingerprint == NULL)
+ {
+ return FALSE;
+ }
+ }
return TRUE;
}
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 39367cafa..5d0e008f3 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -43,11 +43,6 @@
#include <utils/enumerator.h>
#include <utils/optionsfrom.h>
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
#include <pfkeyv2.h>
#include <pfkey.h>
@@ -265,7 +260,18 @@ int main(int argc, char **argv)
#endif /* CAPABILITIES */
/* initialize library and optionsfrom */
- library_init(STRONGSWAN_CONF);
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
+ {
+ fprintf(stderr, "integrity check of pluto failed\n");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
options = options_create();
/* handle arguments */
@@ -637,31 +643,28 @@ int main(int argc, char **argv)
plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
compile_time_interop_options);
+ if (lib->integrity)
+ {
+ plog("integrity tests enabled:");
+ plog("lib 'libstrongswan': passed file and segment integrity tests");
+ plog("daemon 'pluto': passed file integrity test");
+ }
+
/* load plugins, further infrastructure may need it */
lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
print_plugins();
-#ifdef INTEGRITY_TEST
- DBG1("integrity test of libstrongswan code");
- if (fips_verify_hmac_signature(hmac_key, hmac_signature))
- {
- DBG1(" integrity test passed");
- }
- else
+ if (!init_secret() || !init_crypto())
{
- DBG1(" integrity test failed");
- abort();
+ plog("initialization failed - aborting pluto");
+ exit_pluto(SS_RC_INITIALIZATION_FAILED);
}
-#endif /* INTEGRITY_TEST */
-
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
init_virtual_ip(virtual_private);
scx_init(pkcs11_module_path, pkcs11_init_args);
xauth_init();
- init_secret();
init_states();
- init_crypto();
init_demux();
init_kernel();
init_adns();
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index b8f4a3c23..a86c9f215 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -473,14 +473,13 @@ out_sa(pb_stream *outs
if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
return_on(ret, FALSE);
- /* Within tranform: Attributes. */
+ /* Within transform: Attributes. */
/* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
* automatically generated because it must be the same
* in every transform. Except IPCOMP.
*/
- if (p->protoid != PROTO_IPCOMP
- && st->st_pfs_group != NULL)
+ if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL)
{
passert(!oakley_mode);
passert(st->st_pfs_group != &unset_group);
@@ -582,8 +581,7 @@ return_out:
* The code is can only handle values that can fit in unsigned long.
* "Clamping" is probably an acceptable way to impose this limitation.
*/
-static u_int32_t
-decode_long_duration(pb_stream *pbs)
+static u_int32_t decode_long_duration(pb_stream *pbs)
{
u_int32_t val = 0;
@@ -631,8 +629,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
/* Situation */
if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+ {
return SITUATION_NOT_SUPPORTED;
-
+ }
if (*ipsecdoisit != SIT_IDENTITY_ONLY)
{
loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
@@ -647,8 +646,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
* There may well be multiple transforms.
*/
if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
+ {
return PAYLOAD_MALFORMED;
-
+ }
if (proposal->isap_np != ISAKMP_NEXT_NONE)
{
loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
@@ -711,35 +711,31 @@ static struct {
u_int8_t *roof;
} backup;
-/*
- * backup the pointer into a pb_stream
+/**
+ * Backup the pointer into a pb_stream
*/
-void
-backup_pbs(pb_stream *pbs)
+void backup_pbs(pb_stream *pbs)
{
backup.start = pbs->start;
backup.cur = pbs->cur;
backup.roof = pbs->roof;
}
-/*
- * restore the pointer into a pb_stream
+/**
+ * Restore the pointer into a pb_stream
*/
-void
-restore_pbs(pb_stream *pbs)
+void restore_pbs(pb_stream *pbs)
{
pbs->start = backup.start;
pbs->cur = backup.cur;
pbs->roof = backup.roof;
}
-/*
+/**
* Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
*/
-notification_t
-parse_isakmp_policy(pb_stream *proposal_pbs
- , u_int notrans
- , lset_t *policy)
+notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
+ lset_t *policy)
{
int last_transnum = -1;
@@ -753,8 +749,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs
struct isakmp_transform trans;
if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
+ {
return BAD_PROPOSAL_SYNTAX;
-
+ }
if (trans.isat_transnum <= last_transnum)
{
/* picky, picky, picky */
@@ -781,8 +778,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs
pb_stream attr_pbs;
if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+ {
return BAD_PROPOSAL_SYNTAX;
-
+ }
passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
switch (a.isaat_af_type)
@@ -827,11 +825,10 @@ parse_isakmp_policy(pb_stream *proposal_pbs
return NOTHING_WRONG;
}
-/*
- * check that we can find a preshared secret
+/**
+ * Check that we can find a preshared secret
*/
-static err_t
-find_preshared_key(struct state* st)
+static err_t find_preshared_key(struct state* st)
{
err_t ugh = NULL;
struct connection *c = st->st_connection;
@@ -842,9 +839,13 @@ find_preshared_key(struct state* st)
idtoa(&c->spd.this.id, my_id, sizeof(my_id));
if (his_id_was_instantiated(c))
+ {
strcpy(his_id, "%any");
+ }
else
+ {
idtoa(&c->spd.that.id, his_id, sizeof(his_id));
+ }
ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
, my_id, his_id);
}
@@ -860,13 +861,12 @@ find_preshared_key(struct state* st)
*
* This routine is used by main_inI1_outR1() and main_inR1_outI2().
*/
-notification_t
-parse_isakmp_sa_body(u_int32_t ipsecdoisit
- , pb_stream *proposal_pbs
- , struct isakmp_proposal *proposal
- , pb_stream *r_sa_pbs
- , struct state *st
- , bool initiator)
+notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
+ pb_stream *proposal_pbs,
+ struct isakmp_proposal *proposal,
+ pb_stream *r_sa_pbs,
+ struct state *st,
+ bool initiator)
{
struct connection *c = st->st_connection;
unsigned no_trans_left;
@@ -1326,17 +1326,14 @@ static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
0, /* key_rounds */
};
-static bool
-parse_ipsec_transform(struct isakmp_transform *trans
-, struct ipsec_trans_attrs *attrs
-, pb_stream *prop_pbs
-, pb_stream *trans_pbs
-, struct_desc *trans_desc
-, int previous_transnum /* or -1 if none */
-, bool selection
-, bool is_last
-, bool is_ipcomp
-, struct state *st) /* current state object */
+static bool parse_ipsec_transform(struct isakmp_transform *trans,
+ struct ipsec_trans_attrs *attrs,
+ pb_stream *prop_pbs,
+ pb_stream *trans_pbs,
+ struct_desc *trans_desc,
+ int previous_transnum, /* or -1 if none */
+ bool selection, bool is_last, bool is_ipcomp,
+ struct state *st) /* current state object */
{
lset_t seen_attrs = 0;
lset_t seen_durations = 0;
@@ -1344,8 +1341,9 @@ parse_ipsec_transform(struct isakmp_transform *trans
const struct dh_desc *pfs_group = NULL;
if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
+ {
return FALSE;
-
+ }
if (trans->isat_transnum <= previous_transnum)
{
loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 6ce0d50e5..5bef36c5c 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -1,6 +1,7 @@
/* routines for state objects
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index ecbee740f..89082f88e 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -1,6 +1,7 @@
/* timer event handling
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -139,14 +140,21 @@ void event_schedule(enum event_type type, time_t tm, struct state *st)
* Generate the secret value for responder cookies, and
* schedule an event for refresh.
*/
-void init_secret(void)
+bool init_secret(void)
{
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+
+ if (rng == NULL)
+ {
+ plog("secret initialization failed, no RNG supported");
+ return FALSE;
+ }
rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day);
rng->destroy(rng);
event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
+ return true;
}
/**
diff --git a/src/pluto/timer.h b/src/pluto/timer.h
index 322aeba6a..c8e9b727c 100644
--- a/src/pluto/timer.h
+++ b/src/pluto/timer.h
@@ -31,4 +31,4 @@ extern void delete_event(struct state *st);
extern void delete_dpd_event(struct state *st);
extern void daily_log_event(void);
extern void free_events(void);
-extern void init_secret(void);
+extern bool init_secret(void);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index ff145eb38..a532e50f2 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -197,9 +197,13 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.2")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.4")
+ DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3")
+ DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2")
DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1")
DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0")
+ DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17")
+ DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16")
DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15")
DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14")
DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
@@ -237,6 +241,8 @@ static struct vid_struct _vid_tab[] = {
DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+ DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11")
+ DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10")
DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")
DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 164c1aa6d..8aa2f6348 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -92,6 +92,8 @@ enum known_vendorid {
VID_STRONGSWAN_2_8_7 = 73,
VID_STRONGSWAN_2_8_8 = 74,
VID_STRONGSWAN_2_8_9 = 75,
+ VID_STRONGSWAN_2_8_10 = 76,
+ VID_STRONGSWAN_2_8_11 = 77,
VID_STRONGSWAN_4_0_0 = 80,
VID_STRONGSWAN_4_0_1 = 81,
@@ -130,8 +132,12 @@ enum known_vendorid {
VID_STRONGSWAN_4_2_13 =113,
VID_STRONGSWAN_4_2_14 =114,
VID_STRONGSWAN_4_2_15 =115,
- VID_STRONGSWAN_4_3_0 =116,
- VID_STRONGSWAN_4_3_1 =117,
+ VID_STRONGSWAN_4_2_16 =116,
+ VID_STRONGSWAN_4_2_17 =117,
+ VID_STRONGSWAN_4_3_0 =118,
+ VID_STRONGSWAN_4_3_1 =119,
+ VID_STRONGSWAN_4_3_2 =120,
+ VID_STRONGSWAN_4_3_3 =121,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =151,