Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.in3
-rw-r--r--src/pluto/adns.c1
-rw-r--r--src/pluto/alg_info.c4
-rw-r--r--src/pluto/connections.c6
-rw-r--r--src/pluto/crl.c7
-rw-r--r--src/pluto/demux.c13
-rw-r--r--src/pluto/fetch.c5
-rw-r--r--src/pluto/ike_alg.c4
-rw-r--r--src/pluto/ipsec_doi.c185
-rw-r--r--src/pluto/kernel.c6
-rw-r--r--src/pluto/kernel_alg.c6
-rw-r--r--src/pluto/keys.c1
-rw-r--r--src/pluto/log.c17
-rw-r--r--src/pluto/modecfg.c25
-rw-r--r--src/pluto/ocsp.c2
-rw-r--r--src/pluto/plugins/xauth/Makefile.in3
-rw-r--r--src/pluto/plugins/xauth/xauth_plugin.c23
-rw-r--r--src/pluto/plutomain.c5
-rw-r--r--src/pluto/spdb.c4
-rw-r--r--src/pluto/state.c32
20 files changed, 211 insertions, 141 deletions
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 1428854ee..92e66db17 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -325,6 +325,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -348,6 +350,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pluto/adns.c b/src/pluto/adns.c
index 95e22b96f..5d6979447 100644
--- a/src/pluto/adns.c
+++ b/src/pluto/adns.c
@@ -224,6 +224,7 @@ worker(int qfd, int afd)
a.amagic = ADNS_A_MAGIC;
a.serial = q.serial;
+ a.continuation = NULL;
a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
a.h_errno_val = h_errno;
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index d06e09007..fe27c10b2 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -539,7 +539,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
buflen -= np;
if (esp_info->esp_ealg_keylen)
{
- np = snprintf(ptr, buflen, "_%u", esp_info->esp_ealg_keylen);
+ np = snprintf(ptr, buflen, "_%zu", esp_info->esp_ealg_keylen);
ptr += np;
buflen -= np;
}
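Review bot: The `ptr += np; buflen -= np;` bookkeeping after each snprintf() in alg_info_snprint does not handle truncation. snprintf() returns the length it would have written, so once the output no longer fits, `ptr` moves past the end of `buf` and `buflen` (an `int`) goes negative, which the next call converts to a very large size. Stop appending as soon as `np < 0 || np >= buflen`, ideally in one small helper that every append goes through. The same pattern is in the ike_info hunk that follows; any bounds checks elsewhere in the function are outside these hunks.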
@@ -571,7 +571,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
buflen -= np;
if (ike_info->ike_eklen)
{
- np = snprintf(ptr, buflen, "_%u", ike_info->ike_eklen);
+ np = snprintf(ptr, buflen, "_%zu", ike_info->ike_eklen);
ptr += np;
buflen -= np;
}
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 9f277e135..2194362d2 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -673,7 +673,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
}
else if (subnetisnone(&this->client))
{
- strcpy(client, "?");
+ strncpy(client, "?", sizeof(client));
}
else
{
@@ -685,7 +685,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
/* we are mode config client, or a server with a pool */
client_sep = "===";
client[0] = '%';
- strcpy(client+1, this->pool ? this->pool : "modecfg");
+ strncpy(client+1, this->pool ?: "modecfg", sizeof(client)-1);
}
/* host */
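Review bot: `strncpy(client+1, this->pool ?: "modecfg", sizeof(client)-1);` leaves `client` without a terminating NUL when the pool name is `sizeof(client)-1` bytes or longer, because strncpy() does not terminate on truncation. Either add `client[sizeof(client)-1] = '\0';` after the copy, as this commit does for `cname` in dpd_timeout, or use `snprintf(client+1, sizeof(client)-1, "%s", this->pool ?: "modecfg");`. The `?:` form is a GNU extension, which deserves a comment if the file is expected to build with other compilers. format_end starts and ends outside the hunk.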
@@ -1443,11 +1443,11 @@ static connection_t *instantiate(connection_t *c, const ip_address *him,
connect_to_host_pair(d);
- return d;
if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
{
d->spd.this.host_nexthop = *him;
}
+ return d;
}
connection_t *rw_instantiate(connection_t *c, const ip_address *him,
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 1c9c9a8cc..38db0f2fd 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -163,7 +163,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
{
/* keep any known CRL distribution points */
add_distribution_points(x509crl->distributionPoints,
- oldcrl->distributionPoints);
+ oldcrl->distributionPoints);
/* now delete the old CRL */
free_first_crl();
@@ -199,7 +199,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
chunk_t hex, encoding;
hex = chunk_to_hex(crl->get_authKeyIdentifier(crl), NULL, FALSE);
- snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
+ snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex.ptr);
free(hex.ptr);
if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
@@ -425,7 +425,8 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
lock_authcert_list("verify_by_crl");
issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
- trusted = cert_crl->issued_by(cert_crl, issuer_cert->cert);
+ trusted = issuer_cert ? cert_crl->issued_by(cert_crl, issuer_cert->cert)
+ : FALSE;
unlock_authcert_list("verify_by_crl");
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 249e645ed..294601295 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -770,7 +770,7 @@ check_msg_errqueue(const struct iface *ifp, short interest)
/* note dirty trick to suppress ~ at start of format
* if we know what state to blame.
*/
- if ((packet_len == 1) && (buffer[0] = 0xff)
+ if ((packet_len == 1) && (buffer[0] == 0xff)
#ifdef DEBUG
&& ((cur_debugging & DBG_NATT) == 0)
#endif
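Review bot: With the test corrected to `buffer[0] == 0xff`, the result depends on the element type of `buffer`, which is declared outside this hunk. If it is plain `char` on a platform where char is signed, the byte promotes to -1 and never equals 0xff, so the branch would be dead. In that case compare through a cast, `(unsigned char)buffer[0] == 0xff`. If the buffer is already an unsigned byte array, a short comment saying what the single 0xff byte represents (presumably a NAT-T keepalive, given the DBG_NATT test) would help the reader.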
@@ -966,7 +966,9 @@ malloc_md(void)
* - .note = NOTHING_WRONG
* - .encrypted = FALSE
*/
- static const struct msg_digest blank_md;
+ static const struct msg_digest blank_md = {
+ .next = NULL,
+ };
if (md == NULL)
{
@@ -1142,13 +1144,14 @@ read_packet(struct msg_digest *md)
, ifp->rname
, ip_str(&md->sender), (unsigned)md->sender_port));
}
-
+ free(buffer);
return FALSE;
}
else if (from_ugh != NULL)
{
plog("recvfrom on %s returned malformed source sockaddr: %s"
, ifp->rname, from_ugh);
+ free(buffer);
return FALSE;
}
cur_from = &md->sender;
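Review bot: Freeing `buffer` by hand before each `return FALSE` in read_packet is easy to miss on the next early return that gets added; the same line is repeated in this hunk and in the two that follow. A single exit path would keep ownership in one place, e.g. `goto fail;` at each error site and `fail: free(buffer); return FALSE;` at the end of the function. The function starts and ends outside these hunks, so whether other early returns still leak the buffer cannot be checked from here.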
@@ -1162,6 +1165,7 @@ read_packet(struct msg_digest *md)
{
plog("recvfrom %s:%u too small packet (%d)"
, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
+ free(buffer);
return FALSE;
}
memcpy(&non_esp, buffer, sizeof(u_int32_t));
@@ -1169,6 +1173,7 @@ read_packet(struct msg_digest *md)
{
plog("recvfrom %s:%u has no Non-ESP marker"
, ip_str(cur_from), (unsigned) cur_from_port);
+ free(buffer);
return FALSE;
}
packet_len -= sizeof(u_int32_t);
@@ -1661,7 +1666,7 @@ process_packet(struct msg_digest **mdp)
* Look up the appropriate microcode based on state and
* possibly Oakley Auth type.
*/
- passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
+ passert(STATE_IKE_FLOOR <= from_state && from_state < STATE_IKE_ROOF);
smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
if (st != NULL)
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index 1d2d13371..3dfc1386f 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -309,8 +309,9 @@ static char* complete_uri(char *distPoint, const char *ldaphost)
char uri[BUF_LEN];
/* insert the ldaphost into the uri */
- snprintf(uri, BUF_LEN, "%.*s%s%.*s", strlen(distPoint)-len,
- distPoint, ldaphost, len, symbol);
+ snprintf(uri, BUF_LEN, "%.*s%s%.*s",
+ (int)strlen(distPoint) - len, distPoint, ldaphost,
+ len, symbol);
return strdup(uri);
}
}
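Review bot: The return value of `snprintf(uri, BUF_LEN, ...)` in complete_uri is ignored, so a distribution point plus `ldaphost` that does not fit in BUF_LEN is silently cut and the truncated URI is still returned via `strdup(uri)`. Since the distribution point presumably originates from a certificate or CRL, a cut URI should be rejected rather than handed to the fetcher: keep the result in an `int n` and bail out when `n < 0 || n >= BUF_LEN`. `(int)strlen(distPoint) - len` also becomes negative if `len` ever exceeds the string length, which printf treats as if no precision was given; the code that derives `len` is outside the hunk.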
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index a36b5ce4e..3061630e0 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -149,7 +149,6 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
struct alg_info_ike *ai = c->alg_info_ike;
struct db_context *db_ctx = NULL;
struct ike_info *ike_info;
- struct encrypt_desc *enc_desc;
u_int ealg, halg, modp, eklen = 0;
int i;
@@ -191,7 +190,6 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
enum_show(&oakley_group_names, modp));
continue;
}
- enc_desc = ike_alg_get_crypter(ealg);
if (policy & POLICY_PUBKEY)
{
@@ -312,7 +310,7 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type),
plugin_name);
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 7ec547b0c..c8a347b45 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -104,6 +104,14 @@
#define RETURN_STF_FAILURE(f) \
{ int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
+/* The endpoint(s) for which an SA is getting installed, so keying material
+ * can be properly wiped.
+ */
+enum endpoint {
+ EP_LOCAL = 1,
+ EP_REMOTE = 1 << 1,
+};
+
/* create output HDR as replica of input HDR */
void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
{
@@ -2196,9 +2204,9 @@ static void decode_cert(struct msg_digest *md)
cert_t x509cert = cert_empty;
x509cert.cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, blob,
- BUILD_END);
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, blob,
+ BUILD_END);
if (x509cert.cert)
{
if (verify_x509cert(&x509cert, strict_crl_policy, &valid_until))
@@ -2741,13 +2749,59 @@ static bool has_preloaded_public_key(struct state *st)
return FALSE;
}
+/* Compute keying material for an SA
+ */
+static void compute_keymat_internal(struct state *st, u_int8_t protoid,
+ ipsec_spi_t spi, size_t needed_len,
+ u_char **keymat_out)
+{
+ size_t i = 0, prf_block_size, needed_space;
+ chunk_t protoid_chunk = chunk_from_thing(protoid);
+ chunk_t spi_chunk = chunk_from_thing(spi);
+ pseudo_random_function_t prf_alg = oakley_to_prf(st->st_oakley.hash);
+ prf_t *prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+
+ prf->set_key(prf, st->st_skeyid_d);
+ prf_block_size = prf->get_block_size(prf);
+
+ /* Although only needed_len bytes are desired, we must round up to a
+ * multiple of prf_block_size so that the buffer isn't overrun */
+ needed_space = needed_len + pad_up(needed_len, prf_block_size);
+ replace(*keymat_out, malloc(needed_space));
+
+ for (;;)
+ {
+ char *keymat_i = (*keymat_out) + i;
+ chunk_t keymat = { keymat_i, prf_block_size };
+
+ if (st->st_shared.ptr != NULL)
+ { /* PFS: include the g^xy */
+ prf->get_bytes(prf, st->st_shared, NULL);
+ }
+ prf->get_bytes(prf, protoid_chunk, NULL);
+ prf->get_bytes(prf, spi_chunk, NULL);
+ prf->get_bytes(prf, st->st_ni, NULL);
+ prf->get_bytes(prf, st->st_nr, keymat_i);
+
+ i += prf_block_size;
+ if (i >= needed_space)
+ {
+ break;
+ }
+
+ /* more keying material needed: prepare to go around again */
+ prf->get_bytes(prf, keymat, NULL);
+ }
+ prf->destroy(prf);
+}
+
/*
* Produce the new key material of Quick Mode.
* RFC 2409 "IKE" section 5.5
* specifies how this is to be done.
*/
static void compute_proto_keymat(struct state *st, u_int8_t protoid,
- struct ipsec_proto_info *pi)
+ struct ipsec_proto_info *pi, enum endpoint ep)
{
size_t needed_len = 0; /* bytes of keying material needed */
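Review bot: compute_keymat_internal uses the results of `create_prf()` and `malloc()` without checking them: `prf->set_key(prf, st->st_skeyid_d)` dereferences `prf` directly and the loop writes through `*keymat_out`. If no PRF is available for the negotiated hash, or the allocation fails, the daemon dereferences NULL while processing a Quick Mode exchange. Because the helper returns void, the fix needs a `bool` result that compute_proto_keymat and its callers turn into a failure status. Separately, `replace(*keymat_out, ...)` appears to release the previous buffer without wiping it, which sits oddly with the memwipe() calls this commit adds; wipe the old buffer before it is replaced. The header comment should also state that the buffer is rounded up to a multiple of the PRF block size and who owns it.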
@@ -2833,82 +2887,57 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
pi->keymat_len = needed_len;
- /* Allocate space for the keying material. Although only needed_len bytes
- * are desired, we must round up to a multiple of hash_size
- * so that our buffer isn't overrun.
- */
+ if (ep & EP_LOCAL)
{
- size_t needed_space; /* space needed for keying material (rounded up) */
- size_t i, prf_block_size;
- chunk_t protoid_chunk = chunk_from_thing(protoid);
- chunk_t spi_our = chunk_from_thing(pi->our_spi);
- chunk_t spi_peer = chunk_from_thing(pi->attrs.spi);
- pseudo_random_function_t prf_alg;
- prf_t *prf_our, *prf_peer;
-
- prf_alg = oakley_to_prf(st->st_oakley.hash);
- prf_our = lib->crypto->create_prf(lib->crypto, prf_alg);
- prf_peer = lib->crypto->create_prf(lib->crypto, prf_alg);
- prf_our->set_key(prf_our, st->st_skeyid_d);
- prf_peer->set_key(prf_peer, st->st_skeyid_d);
- prf_block_size = prf_our->get_block_size(prf_our);
-
- needed_space = needed_len + pad_up(needed_len, prf_block_size);
- replace(pi->our_keymat, malloc(needed_space));
- replace(pi->peer_keymat, malloc(needed_space));
-
- for (i = 0;; )
- {
- char *keymat_i_our = pi->our_keymat + i;
- char *keymat_i_peer = pi->peer_keymat + i;
- chunk_t keymat_our = { keymat_i_our, prf_block_size };
- chunk_t keymat_peer = { keymat_i_peer, prf_block_size };
-
- if (st->st_shared.ptr != NULL)
- {
- /* PFS: include the g^xy */
- prf_our->get_bytes(prf_our, st->st_shared, NULL);
- prf_peer->get_bytes(prf_peer, st->st_shared, NULL);
- }
- prf_our->get_bytes(prf_our, protoid_chunk, NULL);
- prf_peer->get_bytes(prf_peer, protoid_chunk, NULL);
-
- prf_our->get_bytes(prf_our, spi_our, NULL);
- prf_peer->get_bytes(prf_peer, spi_peer, NULL);
-
- prf_our->get_bytes(prf_our, st->st_ni, NULL);
- prf_peer->get_bytes(prf_peer, st->st_ni, NULL);
-
- prf_our->get_bytes(prf_our, st->st_nr, keymat_i_our);
- prf_peer->get_bytes(prf_peer, st->st_nr, keymat_i_peer);
+ compute_keymat_internal(st, protoid, pi->our_spi, needed_len,
+ &pi->our_keymat);
+ DBG(DBG_CRYPT,
+ DBG_dump("KEYMAT computed:\n", pi->our_keymat,
+ pi->keymat_len));
+ }
+ if (ep & EP_REMOTE)
+ {
+ compute_keymat_internal(st, protoid, pi->attrs.spi, needed_len,
+ &pi->peer_keymat);
+ DBG(DBG_CRYPT,
+ DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat,
+ pi->keymat_len));
+ }
+}
- i += prf_block_size;
- if (i >= needed_space)
- {
- break;
- }
+static void compute_keymats(struct state *st, enum endpoint ep)
+{
+ if (st->st_ah.present)
+ {
+ compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, ep);
+ }
+ if (st->st_esp.present)
+ {
+ compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, ep);
+ }
+}
- /* more keying material needed: prepare to go around again */
- prf_our->get_bytes(prf_our, keymat_our, NULL);
- prf_peer->get_bytes(prf_peer, keymat_peer, NULL);
- }
- prf_our->destroy(prf_our);
- prf_peer->destroy(prf_peer);
+static void wipe_proto_keymat(struct ipsec_proto_info *pi, enum endpoint ep)
+{
+ if (ep & EP_LOCAL)
+ {
+ memwipe(pi->our_keymat, pi->keymat_len);
+ }
+ if (ep & EP_REMOTE)
+ {
+ memwipe(pi->peer_keymat, pi->keymat_len);
}
- DBG(DBG_CRYPT,
- DBG_dump("KEYMAT computed:\n", pi->our_keymat, pi->keymat_len);
- DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat, pi->keymat_len));
}
-static void compute_keymats(struct state *st)
+static void wipe_keymats(struct state *st, enum endpoint ep)
{
if (st->st_ah.present)
{
- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
+ wipe_proto_keymat(&st->st_ah, ep);
}
if (st->st_esp.present)
{
- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
+ wipe_proto_keymat(&st->st_esp, ep);
}
}
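Review bot: `wipe_proto_keymat` clears only `pi->keymat_len` bytes, but compute_keymat_internal allocates and fills the buffer up to the next PRF block multiple, so the PRF output beyond `keymat_len` stays in memory until the buffer is freed. Recording the allocated size next to `keymat_len` and wiping that many bytes would cover the whole derivation. The function also hands `pi->our_keymat` and `pi->peer_keymat` to `memwipe()` without a NULL check, which is only safe if memwipe tolerates NULL or the matching compute call always ran first. Neither `wipe_proto_keymat` nor `wipe_keymats` has a comment; something like `/* Zero the derived keying material for the given endpoint(s) once the kernel has the SA */` would record the intent.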
@@ -3824,7 +3853,7 @@ main_id_and_auth(struct msg_digest *md
case XAUTHInitRSA:
case XAUTHRespRSA:
r = check_signature(KEY_RSA, peer, st, hash,
- &md->chain[ISAKMP_NEXT_SIG]->pbs,
+ &md->chain[ISAKMP_NEXT_SIG]->pbs,
#ifdef USE_KEYRR
kc == NULL ? NULL : kc->ac.keys_from_dns,
#endif /* USE_KEYRR */
@@ -4975,6 +5004,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
/* now that we are sure of our connection, create our new state */
{
+ enum endpoint ep = EP_LOCAL;
struct state *const st = duplicate_state(p1st);
/* first: fill in missing bits of our new state object
@@ -5152,7 +5182,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
, st, &st->st_msgid, TRUE);
/* Derive new keying material */
- compute_keymats(st);
+ compute_keymats(st, ep);
/* Tell the kernel to establish the new inbound SA
* (unless the commit bit is set -- which we don't support).
@@ -5161,8 +5191,10 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
*/
if (!install_inbound_ipsec_sa(st))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
}
+ wipe_keymats(st, ep);
/* encrypt message, except for fixed part of header */
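Review bot: `wipe_keymats(st, ep)` is written twice here, once before the failure return and once after the `if`, and the same pair is repeated in quick_inR1_outI2 and quick_inI2. Capturing the result first leaves a single wipe that a later edit cannot skip: `bool ok = install_inbound_ipsec_sa(st); wipe_keymats(st, ep); if (!ok) return STF_INTERNAL_ERROR;`. The existing `/* ??? we may be partly committed */` remark should stay on the return. The functions start and end outside these hunks.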
@@ -5206,6 +5238,7 @@ static void dpd_init(struct state *st)
*/
stf_status quick_inR1_outI2(struct msg_digest *md)
{
+ enum endpoint ep = EP_LOCAL | EP_REMOTE;
struct state *const st = md->st;
const connection_t *c = st->st_connection;
@@ -5325,7 +5358,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
}
/* Derive new keying material */
- compute_keymats(st);
+ compute_keymats(st, ep);
/* Tell the kernel to establish the inbound, outbound, and routing part
* of the new SA (unless the commit bit is set -- which we don't support).
@@ -5334,8 +5367,10 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
*/
if (!install_ipsec_sa(st, TRUE))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR;
}
+ wipe_keymats(st, ep);
/* encrypt message, except for fixed part of header */
@@ -5374,12 +5409,16 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
*/
stf_status quick_inI2(struct msg_digest *md)
{
+ enum endpoint ep = EP_REMOTE;
struct state *const st = md->st;
/* HASH(3) in */
CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
, "HASH(3)", "Quick I2");
+ /* Derive keying material */
+ compute_keymats(st, ep);
+
/* Tell the kernel to establish the outbound and routing part of the new SA
* (the previous state established inbound)
* (unless the commit bit is set -- which we don't support).
@@ -5388,8 +5427,11 @@ stf_status quick_inI2(struct msg_digest *md)
*/
if (!install_ipsec_sa(st, FALSE))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR;
}
+ wipe_keymats(st, ep);
+
DBG(DBG_CONTROLMORE,
DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
, st->st_connection->name
@@ -5851,6 +5893,7 @@ dpd_timeout(struct state *st)
/* caching the connection name before deletion */
strncpy(cname, c->name, BUF_LEN);
+ cname[BUF_LEN-1] = '\0';
if (c->kind == CK_INSTANCE)
{
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 104b6c2d4..8bed1fcfc 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1185,7 +1185,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
AUTH_UNDEFINED, chunk_empty, mode,
- st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
+ st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, FALSE,
inbound, NULL, NULL) != SUCCESS)
{
goto fail;
@@ -1294,7 +1294,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
host_dst, esp_spi, said_next->proto, c->spd.reqid,
mark, 0, &lt_none, enc_alg, enc_key,
auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- encap, inbound, NULL, NULL) != SUCCESS)
+ encap, FALSE, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
@@ -1327,7 +1327,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
host_dst, ah_spi, said_next->proto, c->spd.reqid,
mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- FALSE, inbound, NULL, NULL) != SUCCESS)
+ FALSE, FALSE, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index c82c376f8..eab2a8f06 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -404,7 +404,7 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type)
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type));
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
{
@@ -633,12 +633,11 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
* malloced pointer (this quirk allows easier spdb.c change)
*/
struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
- lset_t policy )
+ lset_t policy)
{
const struct esp_info *esp_info;
struct esp_info tmp_esp_info;
struct db_context *ctx_new = NULL;
- struct db_prop *prop;
u_int trans_cnt = esp_ealg_num * esp_aalg_num;
if (!(policy & POLICY_ENCRYPT)) /* not possible, I think */
@@ -659,7 +658,6 @@ struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
}
}
- prop = db_prop_get(ctx_new);
return ctx_new;
}
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 86b46c6c1..4b0e08791 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -494,7 +494,6 @@ static err_t process_rsa_secret(private_key_t **key)
if (ugh)
{
ugh = builddiag("RSA data malformed (%s): %s", ugh, tok);
- part++;
goto end;
}
rsa_chunk[part] = chunk_create(buf, sz);
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 6e70898a5..c5f1776ec 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -337,16 +337,16 @@ open_peerlog(connection_t *c)
/* copy IP address, turning : and . into / */
{
- char c, *p, *q;
+ char ch, *p, *q;
p = peername;
q = dname;
do {
- c = *p++;
- if (c == '.' || c == ':')
- c = '/';
- *q++ = c;
- } while (c != '\0');
+ ch = *p++;
+ if (ch == '.' || ch == ':')
+ ch = '/';
+ *q++ = ch;
+ } while (ch != '\0');
}
lf_len = peernamelen * 2
@@ -834,7 +834,8 @@ DBG_dump(const char *label, const void *p, size_t len)
static void show_loaded_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
@@ -842,7 +843,7 @@ static void show_loaded_plugins()
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
whack_log(RC_COMMENT, "loaded plugins: %s", buf);
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index a2acce23a..8298ea601 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -120,9 +120,10 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
int family;
family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6;
+ DESTROY_IF(requested_vip);
requested_vip = (ca->value.len) ?
host_create_from_chunk(family, ca->value, 0) :
- host_create_any(family);
+ host_create_any(family);
plog("peer requested virtual IP %H", requested_vip);
break;
}
@@ -166,7 +167,7 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
requested_vip->destroy(requested_vip);
/* if we have a virtual IP address - send it */
- if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
+ if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
{
vip = c->spd.that.host_srcip;
plog("assigning virtual IP %H to peer", vip);
@@ -179,7 +180,7 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
/* set the remote client subnet to virtual IP */
c->spd.that.client.addr = *(ip_address*)vip->get_sockaddr(vip);
- c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
+ c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
c->spd.that.has_client = TRUE;
}
@@ -264,8 +265,8 @@ static bool set_attributes(connection_t *c, linked_list_t *ca_list)
setportof(0, &c->spd.this.client.addr);
c->spd.this.has_client = TRUE;
- vip_set = TRUE;
- }
+ vip_set = TRUE;
+ }
continue;
case APPLICATION_VERSION:
#ifdef CISCO_QUIRKS
@@ -420,7 +421,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
}
enumerator->destroy(enumerator);
close_output_pbs(&strattr);
-
+
modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
close_message(rbody);
encrypt_message(rbody, st);
@@ -653,7 +654,7 @@ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy);
return stat;
}
-
+
/* discard the parsed attributes and look for another payload */
while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {}
}
@@ -670,7 +671,7 @@ stf_status modecfg_send_request(struct state *st)
{
connection_t *c = st->st_connection;
stf_status stat;
- modecfg_attribute_t *ca;
+ modecfg_attribute_t *ca;
enumerator_t *enumerator;
int family;
chunk_t value;
@@ -685,7 +686,7 @@ stf_status modecfg_send_request(struct state *st)
value);
ca_list->insert_last(ca_list, ca);
- register_attribute_handlers(c);
+ register_attribute_handlers(c);
enumerator = c->requested->create_enumerator(c->requested);
while (enumerator->enumerate(enumerator, &ca))
{
@@ -800,7 +801,7 @@ stf_status modecfg_send_set(struct state *st)
* Used in ModeCfg push mode on the client (initiator)
* called in demux.c from STATE_MODE_CFG_I0
* client <- CFG_SET
- * client -> CFG_ACK
+ * client -> CFG_ACK
* STF_OK transitions to STATE_MODE_CFG_I3
*/
stf_status modecfg_inI0(struct msg_digest *md)
@@ -865,7 +866,7 @@ stf_status modecfg_inI0(struct msg_digest *md)
/**
* Used in ModeCfg push mode on the server (responder)
* called in demux.c from STATE_MODE_CFG_R3
- * server <- CFG_ACK
+ * server <- CFG_ACK
* STF_OK transitions to STATE_MODE_CFG_R4
*/
stf_status modecfg_inR3(struct msg_digest *md)
@@ -1140,7 +1141,7 @@ stf_status xauth_inR1(struct msg_digest *md)
xauth_user_name.ptr)
)
DESTROY_IF(c->xauth_identity);
- c->xauth_identity = identification_create_from_data(xauth_user_name);
+ c->xauth_identity = identification_create_from_data(xauth_user_name);
DBG(DBG_PRIVATE,
DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len,
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index a3694b7b5..f5ee07398 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -192,7 +192,7 @@ static const asn1Object_t basicResponseObjects[] = {
{ 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
ASN1_DEF }, /* 16 */
{ 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
- { 4, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
{ 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
{ 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
index 358805cc4..3ae6ea12b 100644
--- a/src/pluto/plugins/xauth/Makefile.in
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -239,6 +239,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -262,6 +264,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c
index 74e16eacd..bfc4820ed 100644
--- a/src/pluto/plugins/xauth/xauth_plugin.c
+++ b/src/pluto/plugins/xauth/xauth_plugin.c
@@ -18,10 +18,15 @@
#include "xauth_plugin.h"
#include "xauth_default_provider.h"
#include "xauth_default_verifier.h"
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(xauth_plugin_t *this)
+
+METHOD(plugin_t, get_name, char*,
+ xauth_plugin_t *this)
+{
+ return "xauth";
+}
+
+METHOD(plugin_t, destroy, void,
+ xauth_plugin_t *this)
{
free(this);
}
@@ -31,9 +36,15 @@ static void destroy(xauth_plugin_t *this)
*/
plugin_t *xauth_plugin_create()
{
- xauth_plugin_t *this = malloc_thing(xauth_plugin_t);
+ xauth_plugin_t *this;
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create());
pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create());
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 627176c1b..309bde649 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -239,7 +239,8 @@ options_t *options;
*/
static void print_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
@@ -247,7 +248,7 @@ static void print_plugins()
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
DBG1(DBG_DMN, "loaded plugins: %s", buf);
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 2ed07bdfc..48585432b 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -591,7 +591,7 @@ static u_int32_t decode_long_duration(pb_stream *pbs)
if (pbs_left(pbs) > sizeof(val))
{
/* "clamp" too large value to max representable value */
- val -= 1; /* portable way to get to maximum value */
+ val = UINT32_MAX;
DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
, (unsigned long)val));
}
@@ -881,7 +881,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
lset_t seen_attrs = 0;
lset_t seen_durations = 0;
u_int16_t life_type = 0;
- struct oakley_trans_attrs ta;
+ struct oakley_trans_attrs ta = { .encrypter = NULL };
err_t ugh = NULL; /* set to diagnostic when problem detected */
/* initialize only optional field in ta */
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 3639f944d..e4234bc87 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -166,7 +166,10 @@ static struct state **state_hash(const u_char *icookie, const u_char *rcookie,
*/
struct state *new_state(void)
{
- static const struct state blank_state; /* initialized all to zero & NULL */
+ /* initialized all to zero & NULL */
+ static const struct state blank_state = {
+ .st_serialno = 0,
+ };
static so_serial_t next_so = SOS_FIRST;
struct state *st;
@@ -347,19 +350,20 @@ void delete_state(struct state *st)
DESTROY_IF(st->st_dh);
- free(st->st_tpacket.ptr);
- free(st->st_rpacket.ptr);
- free(st->st_p1isa.ptr);
- free(st->st_gi.ptr);
- free(st->st_gr.ptr);
- free(st->st_shared.ptr);
- free(st->st_ni.ptr);
- free(st->st_nr.ptr);
- free(st->st_skeyid.ptr);
- free(st->st_skeyid_d.ptr);
- free(st->st_skeyid_a.ptr);
- free(st->st_skeyid_e.ptr);
- free(st->st_enc_key.ptr);
+ chunk_clear(&st->st_tpacket);
+ chunk_clear(&st->st_rpacket);
+ chunk_clear(&st->st_p1isa);
+ chunk_clear(&st->st_gi);
+ chunk_clear(&st->st_gr);
+ chunk_clear(&st->st_shared);
+ chunk_clear(&st->st_ni);
+ chunk_clear(&st->st_nr);
+ chunk_clear(&st->st_skeyid);
+ chunk_clear(&st->st_skeyid_d);
+ chunk_clear(&st->st_skeyid_a);
+ chunk_clear(&st->st_skeyid_e);
+ chunk_clear(&st->st_enc_key);
+
free(st->st_ah.our_keymat);
free(st->st_ah.peer_keymat);
free(st->st_esp.our_keymat);