diff options
Diffstat (limited to 'src/pluto/ipsec_doi.c')
-rw-r--r-- | src/pluto/ipsec_doi.c | 122 |
1 files changed, 62 insertions, 60 deletions
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 929768ee9..57f4fb54b 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid, */ switch (protoid) { - case PROTO_IPSEC_ESP: + case PROTO_IPSEC_ESP: + { + needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid); + + if (needed_len && pi->attrs.key_len) + { + needed_len = pi->attrs.key_len / BITS_PER_BYTE; + } + switch (pi->attrs.transid) { - case ESP_NULL: - needed_len = 0; - break; - case ESP_DES: - needed_len = DES_CBC_BLOCK_SIZE; - break; - case ESP_3DES: - needed_len = DES_CBC_BLOCK_SIZE * 3; - break; - default: -#ifndef NO_KERNEL_ALG - if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) { - /* XXX: check key_len "coupling with kernel.c's */ - if (pi->attrs.key_len) { - needed_len=pi->attrs.key_len/8; - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "key_len=%d from peer", - (int)needed_len)); - } - break; - } -#endif - bad_case(pi->attrs.transid); + case ESP_NULL: + needed_len = 0; + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + needed_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + needed_len += 4; + break; + default: + if (needed_len == 0) + { + bad_case(pi->attrs.transid); + } } -#ifndef NO_KERNEL_ALG - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP enc)=%d", - (int)needed_len)); - if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) { + if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) + { needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth); - } else -#endif - switch (pi->attrs.auth) + } + else { - case AUTH_ALGORITHM_NONE: - break; - case AUTH_ALGORITHM_HMAC_MD5: - needed_len += HMAC_MD5_KEY_LEN; - break; - case AUTH_ALGORITHM_HMAC_SHA1: - needed_len += HMAC_SHA1_KEY_LEN; - break; - case AUTH_ALGORITHM_DES_MAC: - default: - bad_case(pi->attrs.auth); + switch (pi->attrs.auth) + { + case AUTH_ALGORITHM_NONE: + break; + case AUTH_ALGORITHM_HMAC_MD5: + needed_len += HMAC_MD5_KEY_LEN; + break; + case AUTH_ALGORITHM_HMAC_SHA1: + needed_len += HMAC_SHA1_KEY_LEN; + break; + case AUTH_ALGORITHM_DES_MAC: + default: + bad_case(pi->attrs.auth); + } } - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP auth)=%d", - (int)needed_len)); break; - - case PROTO_IPSEC_AH: + } + case PROTO_IPSEC_AH: + { switch (pi->attrs.transid) { - case AH_MD5: - needed_len = HMAC_MD5_KEY_LEN; - break; - case AH_SHA: - needed_len = HMAC_SHA1_KEY_LEN; - break; - default: - bad_case(pi->attrs.transid); + case AH_MD5: + needed_len = HMAC_MD5_KEY_LEN; + break; + case AH_SHA: + needed_len = HMAC_SHA1_KEY_LEN; + break; + default: + bad_case(pi->attrs.transid); } break; - - default: - bad_case(protoid); + } + default: + bad_case(protoid); } pi->keymat_len = needed_len; @@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno) { loglog(RC_LOG_SERIOUS - , "DPD: R_U_THERE_ACK has unexpected sequence number"); + , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)" + , seqno, st->st_dpd_expectseqno); return STF_FAIL + PAYLOAD_MALFORMED; } |