summaryrefslogtreecommitdiff
path: root/src/pluto/ipsec_doi.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/pluto/ipsec_doi.c')
-rw-r--r--src/pluto/ipsec_doi.c122
1 files changed, 62 insertions, 60 deletions
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 929768ee9..57f4fb54b 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
*/
switch (protoid)
{
- case PROTO_IPSEC_ESP:
+ case PROTO_IPSEC_ESP:
+ {
+ needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid);
+
+ if (needed_len && pi->attrs.key_len)
+ {
+ needed_len = pi->attrs.key_len / BITS_PER_BYTE;
+ }
+
switch (pi->attrs.transid)
{
- case ESP_NULL:
- needed_len = 0;
- break;
- case ESP_DES:
- needed_len = DES_CBC_BLOCK_SIZE;
- break;
- case ESP_3DES:
- needed_len = DES_CBC_BLOCK_SIZE * 3;
- break;
- default:
-#ifndef NO_KERNEL_ALG
- if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
- /* XXX: check key_len "coupling with kernel.c's */
- if (pi->attrs.key_len) {
- needed_len=pi->attrs.key_len/8;
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "key_len=%d from peer",
- (int)needed_len));
- }
- break;
- }
-#endif
- bad_case(pi->attrs.transid);
+ case ESP_NULL:
+ needed_len = 0;
+ break;
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ needed_len += 3;
+ break;
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ case ESP_AES_CTR:
+ needed_len += 4;
+ break;
+ default:
+ if (needed_len == 0)
+ {
+ bad_case(pi->attrs.transid);
+ }
}
-#ifndef NO_KERNEL_ALG
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "needed_len (after ESP enc)=%d",
- (int)needed_len));
- if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
+ if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL))
+ {
needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
- } else
-#endif
- switch (pi->attrs.auth)
+ }
+ else
{
- case AUTH_ALGORITHM_NONE:
- break;
- case AUTH_ALGORITHM_HMAC_MD5:
- needed_len += HMAC_MD5_KEY_LEN;
- break;
- case AUTH_ALGORITHM_HMAC_SHA1:
- needed_len += HMAC_SHA1_KEY_LEN;
- break;
- case AUTH_ALGORITHM_DES_MAC:
- default:
- bad_case(pi->attrs.auth);
+ switch (pi->attrs.auth)
+ {
+ case AUTH_ALGORITHM_NONE:
+ break;
+ case AUTH_ALGORITHM_HMAC_MD5:
+ needed_len += HMAC_MD5_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ needed_len += HMAC_SHA1_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_DES_MAC:
+ default:
+ bad_case(pi->attrs.auth);
+ }
}
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "needed_len (after ESP auth)=%d",
- (int)needed_len));
break;
-
- case PROTO_IPSEC_AH:
+ }
+ case PROTO_IPSEC_AH:
+ {
switch (pi->attrs.transid)
{
- case AH_MD5:
- needed_len = HMAC_MD5_KEY_LEN;
- break;
- case AH_SHA:
- needed_len = HMAC_SHA1_KEY_LEN;
- break;
- default:
- bad_case(pi->attrs.transid);
+ case AH_MD5:
+ needed_len = HMAC_MD5_KEY_LEN;
+ break;
+ case AH_SHA:
+ needed_len = HMAC_SHA1_KEY_LEN;
+ break;
+ default:
+ bad_case(pi->attrs.transid);
}
break;
-
- default:
- bad_case(protoid);
+ }
+ default:
+ bad_case(protoid);
}
pi->keymat_len = needed_len;
@@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
{
loglog(RC_LOG_SERIOUS
- , "DPD: R_U_THERE_ACK has unexpected sequence number");
+ , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
+ , seqno, st->st_dpd_expectseqno);
return STF_FAIL + PAYLOAD_MALFORMED;
}