diff options
Diffstat (limited to 'src/libipsec')
| -rw-r--r-- | src/libipsec/Makefile.am | 3 | ||||
| -rw-r--r-- | src/libipsec/Makefile.in | 65 | ||||
| -rw-r--r-- | src/libipsec/esp_context.c | 160 | ||||
| -rw-r--r-- | src/libipsec/esp_context.h | 18 | ||||
| -rw-r--r-- | src/libipsec/esp_packet.c | 67 | ||||
| -rw-r--r-- | src/libipsec/ipsec_event_relay.c | 1 | ||||
| -rw-r--r-- | src/libipsec/ipsec_sa_mgr.c | 7 | ||||
| -rw-r--r-- | src/libipsec/ipsec_sa_mgr.h | 6 |
8 files changed, 190 insertions, 137 deletions
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am index 35b8d7916..74379f1d5 100644 --- a/src/libipsec/Makefile.am +++ b/src/libipsec/Makefile.am @@ -15,7 +15,7 @@ ipsec_sa_mgr.c ipsec_sa_mgr.h libipsec_la_LIBADD = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = Android.mk @@ -28,4 +28,3 @@ SUBDIRS = else SUBDIRS = . endif - diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index 24940df7c..3dbf34ed2 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -104,19 +104,35 @@ am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \ ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \ ipsec_sa_mgr.lo libipsec_la_OBJECTS = $(am_libipsec_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; SOURCES = $(libipsec_la_SOURCES) DIST_SOURCES = $(libipsec_la_SOURCES) RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ @@ -168,6 +184,7 @@ am__relativize = \ ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ @@ -180,6 +197,8 @@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CHECK_CFLAGS = @CHECK_CFLAGS@ CHECK_LIBS = @CHECK_LIBS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -195,6 +214,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENHTML = @GENHTML@ GPERF = @GPERF@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ @@ -203,6 +223,7 @@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ @@ -249,6 +270,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ @@ -277,6 +299,7 @@ charon_natt_port = @charon_natt_port@ charon_plugins = @charon_plugins@ charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ @@ -369,7 +392,7 @@ ipsec_sa.c ipsec_sa.h \ ipsec_sa_mgr.c ipsec_sa_mgr.h libipsec_la_LIBADD = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = Android.mk @@ -445,7 +468,7 @@ clean-ipseclibLTLIBRARIES: rm -f "$${dir}/so_locations"; \ done libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) $(EXTRA_libipsec_la_DEPENDENCIES) - $(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -465,25 +488,25 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_sa_mgr.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index 44b1117d9..bbcb62add 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2013 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * Hochschule fuer Technik Rapperswil @@ -22,8 +22,6 @@ #include <library.h> #include <utils/debug.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> /** * Should be a multiple of 8 @@ -43,14 +41,9 @@ struct private_esp_context_t { esp_context_t public; /** - * Crypter used to encrypt/decrypt ESP packets + * AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets */ - crypter_t *crypter; - - /** - * Signer to authenticate ESP packets - */ - signer_t *signer; + aead_t *aead; /** * The highest sequence number that was successfully verified @@ -197,97 +190,150 @@ METHOD(esp_context_t, next_seqno, bool, return TRUE; } -METHOD(esp_context_t, get_signer, signer_t *, - private_esp_context_t *this) -{ - return this->signer; -} - -METHOD(esp_context_t, get_crypter, crypter_t *, - private_esp_context_t *this) +METHOD(esp_context_t, get_aead, aead_t*, + private_esp_context_t *this) { - return this->crypter; + return this->aead; } METHOD(esp_context_t, destroy, void, - private_esp_context_t *this) + private_esp_context_t *this) { chunk_free(&this->window); - DESTROY_IF(this->crypter); - DESTROY_IF(this->signer); + DESTROY_IF(this->aead); free(this); } /** - * Described in header. + * Create an AEAD algorithm */ -esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key, - int int_alg, chunk_t int_key, bool inbound) +static bool create_aead(private_esp_context_t *this, int alg, + chunk_t key) { - private_esp_context_t *this; + switch (alg) + { + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + /* the key includes a 4 byte salt */ + this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4); + break; + default: + break; + } + if (!this->aead) + { + DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD " + "algorithm"); + return FALSE; + } + if (!this->aead->set_key(this->aead, key)) + { + DBG1(DBG_ESP, "failed to create ESP context: setting AEAD key failed"); + return FALSE; + } + return TRUE; +} - INIT(this, - .public = { - .get_crypter = _get_crypter, - .get_signer = _get_signer, - .get_seqno = _get_seqno, - .next_seqno = _next_seqno, - .verify_seqno = _verify_seqno, - .set_authenticated_seqno = _set_authenticated_seqno, - .destroy = _destroy, - }, - .inbound = inbound, - .window_size = ESP_DEFAULT_WINDOW_SIZE, - ); +/** + * Create AEAD wrapper around traditional encryption/integrity algorithms + */ +static bool create_traditional(private_esp_context_t *this, int enc_alg, + chunk_t enc_key, int int_alg, chunk_t int_key) +{ + crypter_t *crypter = NULL; + signer_t *signer = NULL; - switch(enc_alg) + switch (enc_alg) { case ENCR_AES_CBC: - this->crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, - enc_key.len); + crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, + enc_key.len); break; default: break; } - if (!this->crypter) + if (!crypter) { DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption " "algorithm"); - destroy(this); - return NULL; + goto failed; } - if (!this->crypter->set_key(this->crypter, enc_key)) + if (!crypter->set_key(crypter, enc_key)) { DBG1(DBG_ESP, "failed to create ESP context: setting encryption key " "failed"); - destroy(this); - return NULL; + goto failed; } - switch(int_alg) + switch (int_alg) { case AUTH_HMAC_SHA1_96: case AUTH_HMAC_SHA2_256_128: case AUTH_HMAC_SHA2_384_192: case AUTH_HMAC_SHA2_512_256: - this->signer = lib->crypto->create_signer(lib->crypto, int_alg); + signer = lib->crypto->create_signer(lib->crypto, int_alg); break; default: break; } - if (!this->signer) + if (!signer) { DBG1(DBG_ESP, "failed to create ESP context: unsupported integrity " "algorithm"); - destroy(this); - return NULL; + goto failed; } - if (!this->signer->set_key(this->signer, int_key)) + if (!signer->set_key(signer, int_key)) { DBG1(DBG_ESP, "failed to create ESP context: setting signature key " "failed"); - destroy(this); - return NULL; + goto failed; + } + this->aead = aead_create(crypter, signer); + return TRUE; + +failed: + DESTROY_IF(crypter); + DESTROY_IF(signer); + return FALSE; +} + +/** + * Described in header. + */ +esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key, + int int_alg, chunk_t int_key, bool inbound) +{ + private_esp_context_t *this; + + INIT(this, + .public = { + .get_aead = _get_aead, + .get_seqno = _get_seqno, + .next_seqno = _next_seqno, + .verify_seqno = _verify_seqno, + .set_authenticated_seqno = _set_authenticated_seqno, + .destroy = _destroy, + }, + .inbound = inbound, + .window_size = ESP_DEFAULT_WINDOW_SIZE, + ); + + if (encryption_algorithm_is_aead(enc_alg)) + { + if (!create_aead(this, enc_alg, enc_key)) + { + destroy(this); + return NULL; + } + } + else + { + if (!create_traditional(this, enc_alg, enc_key, int_alg, int_key)) + { + destroy(this); + return NULL; + } } if (inbound) @@ -297,5 +343,3 @@ esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key, } return &this->public; } - - diff --git a/src/libipsec/esp_context.h b/src/libipsec/esp_context.h index db247dced..b33daf589 100644 --- a/src/libipsec/esp_context.h +++ b/src/libipsec/esp_context.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2013 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * Hochschule fuer Technik Rapperswil @@ -24,8 +24,7 @@ #define ESP_CONTEXT_H_ #include <library.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> +#include <crypto/aead.h> typedef struct esp_context_t esp_context_t; @@ -35,18 +34,11 @@ typedef struct esp_context_t esp_context_t; struct esp_context_t { /** - * Get the crypter. + * Get AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets. * - * @return crypter + * @return AEAD wrapper of method */ - crypter_t *(*get_crypter)(esp_context_t *this); - - /** - * Get the signer. - * - * @return signer - */ - signer_t *(*get_signer)(esp_context_t *this); + aead_t *(*get_aead)(esp_context_t *this); /** * Get the current outbound ESP sequence number or the highest authenticated diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c index 43a3c2a97..61389daa4 100644 --- a/src/libipsec/esp_packet.c +++ b/src/libipsec/esp_packet.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2013 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * Hochschule fuer Technik Rapperswil @@ -212,28 +212,27 @@ METHOD(esp_packet_t, decrypt, status_t, { bio_reader_t *reader; u_int32_t spi, seq; - chunk_t data, iv, icv, ciphertext, plaintext; - crypter_t *crypter; - signer_t *signer; + chunk_t data, iv, icv, aad, ciphertext, plaintext; + aead_t *aead; DESTROY_IF(this->payload); this->payload = NULL; data = this->packet->get_data(this->packet); - crypter = esp_context->get_crypter(esp_context); - signer = esp_context->get_signer(esp_context); + aead = esp_context->get_aead(esp_context); reader = bio_reader_create(data); if (!reader->read_uint32(reader, &spi) || !reader->read_uint32(reader, &seq) || - !reader->read_data(reader, crypter->get_iv_size(crypter), &iv) || - !reader->read_data_end(reader, signer->get_block_size(signer), &icv) || - reader->remaining(reader) % crypter->get_block_size(crypter)) + !reader->read_data(reader, aead->get_iv_size(aead), &iv) || + !reader->read_data_end(reader, aead->get_icv_size(aead), &icv) || + reader->remaining(reader) % aead->get_block_size(aead)) { DBG1(DBG_ESP, "ESP decryption failed: invalid length"); return PARSE_ERROR; } ciphertext = reader->peek(reader); + ciphertext.len += icv.len; reader->destroy(reader); if (!esp_context->verify_seqno(esp_context, seq)) @@ -246,20 +245,15 @@ METHOD(esp_packet_t, decrypt, status_t, DBG3(DBG_ESP, "ESP decryption:\n SPI %.8x [seq %u]\n IV %B\n " "encrypted %B\n ICV %B", spi, seq, &iv, &ciphertext, &icv); - if (!signer->get_signature(signer, chunk_create(data.ptr, 8), NULL) || - !signer->get_signature(signer, iv, NULL) || - !signer->verify_signature(signer, ciphertext, icv)) - { - DBG1(DBG_ESP, "ICV verification failed!"); - return FAILED; - } - esp_context->set_authenticated_seqno(esp_context, seq); + /* aad = spi + seq */ + aad = chunk_create(data.ptr, 8); - if (!crypter->decrypt(crypter, ciphertext, iv, &plaintext)) + if (!aead->decrypt(aead, ciphertext, aad, iv, &plaintext)) { - DBG1(DBG_ESP, "ESP decryption failed"); + DBG1(DBG_ESP, "ESP decryption or ICV verification failed"); return FAILED; } + esp_context->set_authenticated_seqno(esp_context, seq); if (!remove_padding(this, plaintext)) { @@ -284,12 +278,11 @@ static void generate_padding(chunk_t padding) METHOD(esp_packet_t, encrypt, status_t, private_esp_packet_t *this, esp_context_t *esp_context, u_int32_t spi) { - chunk_t iv, icv, padding, payload, ciphertext, auth_data; + chunk_t iv, icv, aad, padding, payload, ciphertext; bio_writer_t *writer; u_int32_t next_seqno; size_t blocksize, plainlen; - crypter_t *crypter; - signer_t *signer; + aead_t *aead; rng_t *rng; this->packet->set_data(this->packet, chunk_empty); @@ -306,12 +299,11 @@ METHOD(esp_packet_t, encrypt, status_t, DBG1(DBG_ESP, "ESP encryption failed: could not find RNG"); return NOT_FOUND; } - crypter = esp_context->get_crypter(esp_context); - signer = esp_context->get_signer(esp_context); + aead = esp_context->get_aead(esp_context); - blocksize = crypter->get_block_size(crypter); - iv.len = crypter->get_iv_size(crypter); - icv.len = signer->get_block_size(signer); + blocksize = aead->get_block_size(aead); + iv.len = aead->get_iv_size(aead); + icv.len = aead->get_icv_size(aead); /* plaintext = payload, padding, pad_length, next_header */ payload = this->payload ? this->payload->get_encoding(this->payload) @@ -349,24 +341,19 @@ METHOD(esp_packet_t, encrypt, status_t, writer->write_uint8(writer, padding.len); writer->write_uint8(writer, this->next_header); + /* aad = spi + seq */ + aad = writer->get_buf(writer); + aad.len = 8; + icv = writer->skip(writer, icv.len); + DBG3(DBG_ESP, "ESP before encryption:\n payload = %B\n padding = %B\n " "padding length = %hhu, next header = %hhu", &payload, &padding, (u_int8_t)padding.len, this->next_header); - /* encrypt the content inline */ - if (!crypter->encrypt(crypter, ciphertext, iv, NULL)) - { - DBG1(DBG_ESP, "ESP encryption failed"); - writer->destroy(writer); - return FAILED; - } - - /* calculate signature */ - auth_data = writer->get_buf(writer); - icv = writer->skip(writer, icv.len); - if (!signer->get_signature(signer, auth_data, icv.ptr)) + /* encrypt/authenticate the content inline */ + if (!aead->encrypt(aead, ciphertext, aad, iv, NULL)) { - DBG1(DBG_ESP, "ESP encryption failed: signature generation failed"); + DBG1(DBG_ESP, "ESP encryption or ICV generation failed"); writer->destroy(writer); return FAILED; } diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c index d7d7e8276..c6b2a550d 100644 --- a/src/libipsec/ipsec_event_relay.c +++ b/src/libipsec/ipsec_event_relay.c @@ -118,6 +118,7 @@ static job_requeue_t handle_events(private_ipsec_event_relay_t *this) } enumerator->destroy(enumerator); this->lock->unlock(this->lock); + free(event); return JOB_REQUEUE_DIRECT; } diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 28748971d..928a53d50 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -332,6 +332,11 @@ static void schedule_expiration(private_ipsec_sa_mgr_t *this, callback_job_t *job; u_int32_t timeout; + if (!lifetime->time.life) + { /* no expiration at all */ + return; + } + INIT(expired, .manager = this, .entry = entry, @@ -438,7 +443,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool esn, bool inbound, + u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { ipsec_sa_entry_t *entry; diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h index 3ff092038..e9ce5ee8f 100644 --- a/src/libipsec/ipsec_sa_mgr.h +++ b/src/libipsec/ipsec_sa_mgr.h @@ -70,6 +70,7 @@ struct ipsec_sa_mgr_t { * @param mode mode for this SA (only tunnel mode is supported) * @param ipcomp IPcomp transform (not supported, use IPCOMP_NONE) * @param cpi CPI for IPcomp (ignored) + * @param initiator TRUE if initiator of the exchange creating this SA * @param encap enable UDP encapsulation (must be TRUE) * @param esn Extended Sequence Numbers (currently not supported) * @param inbound TRUE if this is an inbound SA, FALSE otherwise @@ -82,8 +83,9 @@ struct ipsec_sa_mgr_t { mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts); + u_int16_t cpi, bool initiator, bool encap, bool esn, + bool inbound, traffic_selector_t *src_ts, + traffic_selector_t *dst_ts); /** * Update the hosts on an installed SA. |