Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.in12
-rw-r--r--src/pluto/adns.c1
-rw-r--r--src/pluto/alg_info.c4
-rw-r--r--src/pluto/ca.c4
-rw-r--r--src/pluto/connections.c6
-rw-r--r--src/pluto/crl.c23
-rw-r--r--src/pluto/crypto.c233
-rw-r--r--src/pluto/demux.c17
-rw-r--r--src/pluto/fetch.c5
-rw-r--r--src/pluto/ike_alg.c67
-rw-r--r--src/pluto/ike_alg.h16
-rw-r--r--src/pluto/ipsec_doi.c185
-rw-r--r--src/pluto/kernel.c18
-rw-r--r--src/pluto/kernel_alg.c51
-rw-r--r--src/pluto/keys.c9
-rw-r--r--src/pluto/log.c17
-rw-r--r--src/pluto/modecfg.c25
-rw-r--r--src/pluto/ocsp.c7
-rw-r--r--src/pluto/plugins/xauth/Makefile.in12
-rw-r--r--src/pluto/plugins/xauth/xauth_plugin.c23
-rw-r--r--src/pluto/pluto.814
-rw-r--r--src/pluto/plutomain.c5
-rw-r--r--src/pluto/spdb.c4
-rw-r--r--src/pluto/state.c32
-rw-r--r--src/pluto/x509.c10
25 files changed, 211 insertions, 589 deletions
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index eb7f2c28a..92e66db17 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -304,13 +304,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-<<<<<<< HEAD
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-=======
-ipsecgroup = @ipsecgroup@
->>>>>>> upstream/4.5.1
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -331,6 +325,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -349,14 +345,12 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
-<<<<<<< HEAD
-=======
soup_CFLAGS = @soup_CFLAGS@
soup_LIBS = @soup_LIBS@
->>>>>>> upstream/4.5.1
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pluto/adns.c b/src/pluto/adns.c
index 95e22b96f..5d6979447 100644
--- a/src/pluto/adns.c
+++ b/src/pluto/adns.c
@@ -224,6 +224,7 @@ worker(int qfd, int afd)
a.amagic = ADNS_A_MAGIC;
a.serial = q.serial;
+ a.continuation = NULL;
a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
a.h_errno_val = h_errno;
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index d06e09007..fe27c10b2 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -539,7 +539,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
buflen -= np;
if (esp_info->esp_ealg_keylen)
{
- np = snprintf(ptr, buflen, "_%u", esp_info->esp_ealg_keylen);
+ np = snprintf(ptr, buflen, "_%zu", esp_info->esp_ealg_keylen);
ptr += np;
buflen -= np;
}
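Review bot: `%zu` fixes the format/type mismatch, but the `np` returned by snprintf on the changed line is still applied to `ptr` and `buflen` unchecked; snprintf returns the length that would have been written, so once the output is truncated `buflen` (declared `int` in the signature shown in the hunk header) goes negative and the next snprintf receives it converted to a very large `size_t`. Guarding it before the `ptr += np;` line, e.g. `if (np < 0 || np >= buflen)` and stopping the formatting there, closes that path; the same pattern is in the next hunk of this file at the `ike_eklen` line. alg_info_snprint's body continues outside both hunks.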
@@ -571,7 +571,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
buflen -= np;
if (ike_info->ike_eklen)
{
- np = snprintf(ptr, buflen, "_%u", ike_info->ike_eklen);
+ np = snprintf(ptr, buflen, "_%zu", ike_info->ike_eklen);
ptr += np;
buflen -= np;
}
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index 713d56ef1..add85def8 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -629,11 +629,7 @@ void add_ca_info(const whack_message_t *msg)
if (strncasecmp(msg->ocspuri, "http", 4) == 0)
ca->ocspuri = clone_str(msg->ocspuri);
else
-<<<<<<< HEAD
- plog(" ignoring ocspuri with unkown protocol");
-=======
plog(" ignoring ocspuri with unknown protocol");
->>>>>>> upstream/4.5.1
}
/* add crl uris */
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 9f277e135..2194362d2 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -673,7 +673,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
}
else if (subnetisnone(&this->client))
{
- strcpy(client, "?");
+ strncpy(client, "?", sizeof(client));
}
else
{
@@ -685,7 +685,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
/* we are mode config client, or a server with a pool */
client_sep = "===";
client[0] = '%';
- strcpy(client+1, this->pool ? this->pool : "modecfg");
+ strncpy(client+1, this->pool ?: "modecfg", sizeof(client)-1);
}
/* host */
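Review bot: The `strncpy` on the `client+1` line does not guarantee NUL-termination: when `this->pool` is at least `sizeof(client)-1` characters long the buffer is filled without a terminator and `client` is later consumed as a string. `snprintf(client+1, sizeof(client)-1, "%s", this->pool ? this->pool : "modecfg");` always terminates (and also avoids the GNU `?:` extension). format_end's body continues outside the hunk.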
@@ -1443,11 +1443,11 @@ static connection_t *instantiate(connection_t *c, const ip_address *him,
connect_to_host_pair(d);
- return d;
if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
{
d->spd.this.host_nexthop = *him;
}
+ return d;
}
connection_t *rw_instantiate(connection_t *c, const ip_address *him,
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index d8f962501..38db0f2fd 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -163,7 +163,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
{
/* keep any known CRL distribution points */
add_distribution_points(x509crl->distributionPoints,
- oldcrl->distributionPoints);
+ oldcrl->distributionPoints);
/* now delete the old CRL */
free_first_crl();
@@ -199,7 +199,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
chunk_t hex, encoding;
hex = chunk_to_hex(crl->get_authKeyIdentifier(crl), NULL, FALSE);
- snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
+ snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex.ptr);
free(hex.ptr);
if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
@@ -352,11 +352,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
x509crl_t *x509crl;
ca_info_t *ca;
enumerator_t *enumerator;
-<<<<<<< HEAD
- char *point;
-=======
x509_cdp_t *cdp;
->>>>>>> upstream/4.5.1
ca = get_ca_info(issuer, authKeyID);
@@ -380,15 +376,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
}
enumerator = x509->create_crl_uri_enumerator(x509);
-<<<<<<< HEAD
- while (enumerator->enumerate(enumerator, &point))
- {
- add_distribution_point(crluris, point);
-=======
while (enumerator->enumerate(enumerator, &cdp))
{
add_distribution_point(crluris, cdp->uri);
->>>>>>> upstream/4.5.1
}
enumerator->destroy(enumerator);
@@ -426,22 +416,17 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
}
enumerator = x509->create_crl_uri_enumerator(x509);
-<<<<<<< HEAD
- while (enumerator->enumerate(enumerator, &point))
- {
- add_distribution_point(x509crl->distributionPoints, point);
-=======
while (enumerator->enumerate(enumerator, &cdp))
{
add_distribution_point(x509crl->distributionPoints, cdp->uri);
->>>>>>> upstream/4.5.1
}
enumerator->destroy(enumerator);
lock_authcert_list("verify_by_crl");
issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
- trusted = cert_crl->issued_by(cert_crl, issuer_cert->cert);
+ trusted = issuer_cert ? cert_crl->issued_by(cert_crl, issuer_cert->cert)
+ : FALSE;
unlock_authcert_list("verify_by_crl");
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 695035ea1..f01966c72 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -26,16 +26,6 @@
static struct encrypt_desc encrypt_desc_3des =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_3DES_CBC,
- algo_next: NULL,
-
- enc_blocksize: DES_BLOCK_SIZE,
- keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
- keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
- keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_3DES_CBC,
plugin_name: NULL,
@@ -45,7 +35,6 @@ static struct encrypt_desc encrypt_desc_3des =
keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
->>>>>>> upstream/4.5.1
};
#define AES_KEY_MIN_LEN 128
@@ -54,16 +43,6 @@ static struct encrypt_desc encrypt_desc_3des =
static struct encrypt_desc encrypt_desc_aes =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_AES_CBC,
- algo_next: NULL,
-
- enc_blocksize: AES_BLOCK_SIZE,
- keyminlen: AES_KEY_MIN_LEN,
- keydeflen: AES_KEY_DEF_LEN,
- keymaxlen: AES_KEY_MAX_LEN,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_AES_CBC,
plugin_name: NULL,
@@ -73,7 +52,6 @@ static struct encrypt_desc encrypt_desc_aes =
keyminlen: AES_KEY_MIN_LEN,
keydeflen: AES_KEY_DEF_LEN,
keymaxlen: AES_KEY_MAX_LEN,
->>>>>>> upstream/4.5.1
};
#define CAMELLIA_KEY_MIN_LEN 128
@@ -82,16 +60,6 @@ static struct encrypt_desc encrypt_desc_aes =
static struct encrypt_desc encrypt_desc_camellia =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_CAMELLIA_CBC,
- algo_next: NULL,
-
- enc_blocksize: CAMELLIA_BLOCK_SIZE,
- keyminlen: CAMELLIA_KEY_MIN_LEN,
- keydeflen: CAMELLIA_KEY_DEF_LEN,
- keymaxlen: CAMELLIA_KEY_MAX_LEN,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_CAMELLIA_CBC,
plugin_name: NULL,
@@ -101,7 +69,6 @@ static struct encrypt_desc encrypt_desc_camellia =
keyminlen: CAMELLIA_KEY_MIN_LEN,
keydeflen: CAMELLIA_KEY_DEF_LEN,
keymaxlen: CAMELLIA_KEY_MAX_LEN,
->>>>>>> upstream/4.5.1
};
#define BLOWFISH_KEY_MIN_LEN 128
@@ -109,16 +76,6 @@ static struct encrypt_desc encrypt_desc_camellia =
static struct encrypt_desc encrypt_desc_blowfish =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_BLOWFISH_CBC,
- algo_next: NULL,
-
- enc_blocksize: BLOWFISH_BLOCK_SIZE,
- keyminlen: BLOWFISH_KEY_MIN_LEN,
- keydeflen: BLOWFISH_KEY_MIN_LEN,
- keymaxlen: BLOWFISH_KEY_MAX_LEN,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_BLOWFISH_CBC,
plugin_name: NULL,
@@ -128,7 +85,6 @@ static struct encrypt_desc encrypt_desc_blowfish =
keyminlen: BLOWFISH_KEY_MIN_LEN,
keydeflen: BLOWFISH_KEY_MIN_LEN,
keymaxlen: BLOWFISH_KEY_MAX_LEN,
->>>>>>> upstream/4.5.1
};
#define SERPENT_KEY_MIN_LEN 128
@@ -137,16 +93,6 @@ static struct encrypt_desc encrypt_desc_blowfish =
static struct encrypt_desc encrypt_desc_serpent =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_SERPENT_CBC,
- algo_next: NULL,
-
- enc_blocksize: SERPENT_BLOCK_SIZE,
- keyminlen: SERPENT_KEY_MIN_LEN,
- keydeflen: SERPENT_KEY_DEF_LEN,
- keymaxlen: SERPENT_KEY_MAX_LEN,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_SERPENT_CBC,
plugin_name: NULL,
@@ -156,7 +102,6 @@ static struct encrypt_desc encrypt_desc_serpent =
keyminlen: SERPENT_KEY_MIN_LEN,
keydeflen: SERPENT_KEY_DEF_LEN,
keymaxlen: SERPENT_KEY_MAX_LEN,
->>>>>>> upstream/4.5.1
};
#define TWOFISH_KEY_MIN_LEN 128
@@ -165,16 +110,6 @@ static struct encrypt_desc encrypt_desc_serpent =
static struct encrypt_desc encrypt_desc_twofish =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_TWOFISH_CBC,
- algo_next: NULL,
-
- enc_blocksize: TWOFISH_BLOCK_SIZE,
- keydeflen: TWOFISH_KEY_MIN_LEN,
- keyminlen: TWOFISH_KEY_DEF_LEN,
- keymaxlen: TWOFISH_KEY_MAX_LEN,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_TWOFISH_CBC,
plugin_name: NULL,
@@ -184,21 +119,10 @@ static struct encrypt_desc encrypt_desc_twofish =
keydeflen: TWOFISH_KEY_MIN_LEN,
keyminlen: TWOFISH_KEY_DEF_LEN,
keymaxlen: TWOFISH_KEY_MAX_LEN,
->>>>>>> upstream/4.5.1
};
static struct encrypt_desc encrypt_desc_twofish_ssh =
{
-<<<<<<< HEAD
- algo_type: IKE_ALG_ENCRYPT,
- algo_id: OAKLEY_TWOFISH_CBC_SSH,
- algo_next: NULL,
-
- enc_blocksize: TWOFISH_BLOCK_SIZE,
- keydeflen: TWOFISH_KEY_MIN_LEN,
- keyminlen: TWOFISH_KEY_DEF_LEN,
- keymaxlen: TWOFISH_KEY_MAX_LEN,
-=======
algo_type: IKE_ALG_ENCRYPT,
algo_id: OAKLEY_TWOFISH_CBC_SSH,
plugin_name: NULL,
@@ -208,17 +132,13 @@ static struct encrypt_desc encrypt_desc_twofish_ssh =
keydeflen: TWOFISH_KEY_MIN_LEN,
keyminlen: TWOFISH_KEY_DEF_LEN,
keymaxlen: TWOFISH_KEY_MAX_LEN,
->>>>>>> upstream/4.5.1
};
static struct hash_desc hash_desc_md5 =
{
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_MD5,
-<<<<<<< HEAD
-=======
plugin_name: NULL,
->>>>>>> upstream/4.5.1
algo_next: NULL,
hash_digest_size: HASH_SIZE_MD5,
};
@@ -227,10 +147,7 @@ static struct hash_desc hash_desc_sha1 =
{
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA,
-<<<<<<< HEAD
-=======
plugin_name: NULL,
->>>>>>> upstream/4.5.1
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA1,
};
@@ -238,10 +155,7 @@ static struct hash_desc hash_desc_sha1 =
static struct hash_desc hash_desc_sha2_256 = {
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA2_256,
-<<<<<<< HEAD
-=======
plugin_name: NULL,
->>>>>>> upstream/4.5.1
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA256,
};
@@ -249,10 +163,7 @@ static struct hash_desc hash_desc_sha2_256 = {
static struct hash_desc hash_desc_sha2_384 = {
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA2_384,
-<<<<<<< HEAD
-=======
plugin_name: NULL,
->>>>>>> upstream/4.5.1
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA384,
};
@@ -260,119 +171,12 @@ static struct hash_desc hash_desc_sha2_384 = {
static struct hash_desc hash_desc_sha2_512 = {
algo_type: IKE_ALG_HASH,
algo_id: OAKLEY_SHA2_512,
-<<<<<<< HEAD
-=======
plugin_name: NULL,
->>>>>>> upstream/4.5.1
algo_next: NULL,
hash_digest_size: HASH_SIZE_SHA512,
};
const struct dh_desc unset_group = {
-<<<<<<< HEAD
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_NONE,
- algo_next: NULL,
- ke_size: 0
-};
-
-static struct dh_desc dh_desc_modp_1024 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_1024_BIT,
- algo_next: NULL,
- ke_size: 1024 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_1536 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_1536_BIT,
- algo_next: NULL,
- ke_size: 1536 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_2048 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_2048_BIT,
- algo_next: NULL,
- ke_size: 2048 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_3072 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_3072_BIT,
- algo_next: NULL,
- ke_size: 3072 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_4096 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_4096_BIT,
- algo_next: NULL,
- ke_size: 4096 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_6144 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_6144_BIT,
- algo_next: NULL,
- ke_size: 6144 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_8192 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_8192_BIT,
- algo_next: NULL,
- ke_size: 8192 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_256 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: ECP_256_BIT,
- algo_next: NULL,
- ke_size: 2*256 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_384 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: ECP_384_BIT,
- algo_next: NULL,
- ke_size: 2*384 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_521 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: ECP_521_BIT,
- algo_next: NULL,
- ke_size: 2*528 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_1024_160 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_1024_160,
- algo_next: NULL,
- ke_size: 1024 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_2048_224 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_2048_224,
- algo_next: NULL,
- ke_size: 2048 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_2048_256 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: MODP_2048_256,
- algo_next: NULL,
- ke_size: 2048 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_192 = {
- algo_type: IKE_ALG_DH_GROUP,
- algo_id: ECP_192_BIT,
- algo_next: NULL,
- ke_size: 2*192 / BITS_PER_BYTE
-=======
algo_type: IKE_ALG_DH_GROUP,
algo_id: MODP_NONE,
plugin_name: NULL,
@@ -489,20 +293,14 @@ static struct dh_desc dh_desc_ecp_192 = {
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*192 / BITS_PER_BYTE
->>>>>>> upstream/4.5.1
};
static struct dh_desc dh_desc_ecp_224 = {
algo_type: IKE_ALG_DH_GROUP,
algo_id: ECP_224_BIT,
-<<<<<<< HEAD
- algo_next: NULL,
- ke_size: 2*224 / BITS_PER_BYTE
-=======
plugin_name: NULL,
algo_next: NULL,
ke_size: 2*224 / BITS_PER_BYTE
->>>>>>> upstream/4.5.1
};
bool init_crypto(void)
@@ -511,19 +309,12 @@ bool init_crypto(void)
encryption_algorithm_t encryption_alg;
hash_algorithm_t hash_alg;
diffie_hellman_group_t dh_group;
-<<<<<<< HEAD
-=======
const char *plugin_name;
->>>>>>> upstream/4.5.1
bool no_md5 = TRUE;
bool no_sha1 = TRUE;
enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-<<<<<<< HEAD
- while (enumerator->enumerate(enumerator, &hash_alg))
-=======
while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name))
->>>>>>> upstream/4.5.1
{
const struct hash_desc *desc;
@@ -549,11 +340,7 @@ bool init_crypto(void)
default:
continue;
}
-<<<<<<< HEAD
- ike_alg_add((struct ike_alg *)desc);
-=======
ike_alg_add((struct ike_alg *)desc, plugin_name);
->>>>>>> upstream/4.5.1
}
enumerator->destroy(enumerator);
@@ -567,11 +354,7 @@ bool init_crypto(void)
}
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-<<<<<<< HEAD
- while (enumerator->enumerate(enumerator, &encryption_alg))
-=======
while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name))
->>>>>>> upstream/4.5.1
{
const struct encrypt_desc *desc;
@@ -591,12 +374,8 @@ bool init_crypto(void)
break;
case ENCR_TWOFISH_CBC:
desc = &encrypt_desc_twofish;
-<<<<<<< HEAD
- ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh);
-=======
ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh,
plugin_name);
->>>>>>> upstream/4.5.1
break;
case ENCR_SERPENT_CBC:
desc = &encrypt_desc_serpent;
@@ -604,20 +383,12 @@ bool init_crypto(void)
default:
continue;
}
-<<<<<<< HEAD
- ike_alg_add((struct ike_alg *)desc);
-=======
ike_alg_add((struct ike_alg *)desc, plugin_name);
->>>>>>> upstream/4.5.1
}
enumerator->destroy(enumerator);
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-<<<<<<< HEAD
- while (enumerator->enumerate(enumerator, &dh_group))
-=======
while (enumerator->enumerate(enumerator, &dh_group, &plugin_name))
->>>>>>> upstream/4.5.1
{
const struct dh_desc *desc;
@@ -671,11 +442,7 @@ bool init_crypto(void)
default:
continue;
}
-<<<<<<< HEAD
- ike_alg_add((struct ike_alg *)desc);
-=======
ike_alg_add((struct ike_alg *)desc, plugin_name);
->>>>>>> upstream/4.5.1
}
enumerator->destroy(enumerator);
return TRUE;
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 22976fe9a..294601295 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -770,7 +770,7 @@ check_msg_errqueue(const struct iface *ifp, short interest)
/* note dirty trick to suppress ~ at start of format
* if we know what state to blame.
*/
- if ((packet_len == 1) && (buffer[0] = 0xff)
+ if ((packet_len == 1) && (buffer[0] == 0xff)
#ifdef DEBUG
&& ((cur_debugging & DBG_NATT) == 0)
#endif
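Review bot: `buffer[0] == 0xff` is the intended comparison, but it only holds if `buffer` is an array of unsigned bytes; with a plain `char` array on a platform where `char` is signed the element reads as -1 and the test is always false. The declaration is outside the hunk, so this is worth confirming; `(unsigned char)buffer[0] == 0xff` would make the intent independent of the declaration. check_msg_errqueue's body lies outside the hunk on both sides.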
@@ -966,7 +966,9 @@ malloc_md(void)
* - .note = NOTHING_WRONG
* - .encrypted = FALSE
*/
- static const struct msg_digest blank_md;
+ static const struct msg_digest blank_md = {
+ .next = NULL,
+ };
if (md == NULL)
{
@@ -1142,17 +1144,14 @@ read_packet(struct msg_digest *md)
, ifp->rname
, ip_str(&md->sender), (unsigned)md->sender_port));
}
-
+ free(buffer);
return FALSE;
}
else if (from_ugh != NULL)
{
-<<<<<<< HEAD
- plog("recvfrom on %s returned misformed source sockaddr: %s"
-=======
plog("recvfrom on %s returned malformed source sockaddr: %s"
->>>>>>> upstream/4.5.1
, ifp->rname, from_ugh);
+ free(buffer);
return FALSE;
}
cur_from = &md->sender;
@@ -1166,6 +1165,7 @@ read_packet(struct msg_digest *md)
{
plog("recvfrom %s:%u too small packet (%d)"
, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
+ free(buffer);
return FALSE;
}
memcpy(&non_esp, buffer, sizeof(u_int32_t));
@@ -1173,6 +1173,7 @@ read_packet(struct msg_digest *md)
{
plog("recvfrom %s:%u has no Non-ESP marker"
, ip_str(cur_from), (unsigned) cur_from_port);
+ free(buffer);
return FALSE;
}
packet_len -= sizeof(u_int32_t);
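Review bot: The leak fix repeats `free(buffer); return FALSE;` on four early-exit paths within this hunk; a single cleanup label that frees `buffer` and returns FALSE, with the error paths jumping to it, would keep a future early return from reintroducing the leak. This is a point of style only; the added lines themselves look right. read_packet starts and ends outside the hunk, so further return paths may exist that are not visible here.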
@@ -1665,7 +1666,7 @@ process_packet(struct msg_digest **mdp)
* Look up the appropriate microcode based on state and
* possibly Oakley Auth type.
*/
- passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
+ passert(STATE_IKE_FLOOR <= from_state && from_state < STATE_IKE_ROOF);
smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
if (st != NULL)
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index 1d2d13371..3dfc1386f 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -309,8 +309,9 @@ static char* complete_uri(char *distPoint, const char *ldaphost)
char uri[BUF_LEN];
/* insert the ldaphost into the uri */
- snprintf(uri, BUF_LEN, "%.*s%s%.*s", strlen(distPoint)-len,
- distPoint, ldaphost, len, symbol);
+ snprintf(uri, BUF_LEN, "%.*s%s%.*s",
+ (int)strlen(distPoint) - len, distPoint, ldaphost,
+ len, symbol);
return strdup(uri);
}
}
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index eabe6c86e..3061630e0 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -72,11 +72,7 @@ static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
/**
* "raw" ike_alg list adding function
*/
-<<<<<<< HEAD
-int ike_alg_add(struct ike_alg* a)
-=======
int ike_alg_add(struct ike_alg* a, const char *plugin_name)
->>>>>>> upstream/4.5.1
{
if (a->algo_type > IKE_ALG_MAX)
{
@@ -100,10 +96,7 @@ int ike_alg_add(struct ike_alg* a, const char *plugin_name)
e = *ep;
}
*ep = a;
-<<<<<<< HEAD
-=======
a->plugin_name = plugin_name;
->>>>>>> upstream/4.5.1
a->algo_next = e;
return 0;
}
@@ -156,7 +149,6 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
struct alg_info_ike *ai = c->alg_info_ike;
struct db_context *db_ctx = NULL;
struct ike_info *ike_info;
- struct encrypt_desc *enc_desc;
u_int ealg, halg, modp, eklen = 0;
int i;
@@ -198,7 +190,6 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
enum_show(&oakley_group_names, modp));
continue;
}
- enc_desc = ike_alg_get_crypter(ealg);
if (policy & POLICY_PUBKEY)
{
@@ -312,8 +303,6 @@ fail:
}
/**
-<<<<<<< HEAD
-=======
* Print the name of an algorithm plus the name of the plugin that registered it
*/
static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
@@ -321,7 +310,7 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type),
plugin_name);
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
@@ -334,74 +323,21 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
}
/**
->>>>>>> upstream/4.5.1
* Show registered IKE algorithms
*/
void ike_alg_list(void)
{
-<<<<<<< HEAD
- char buf[BUF_LEN];
- char *pos;
- int n, len;
-=======
rng_quality_t quality;
enumerator_t *enumerator;
const char *plugin_name;
char buf[BUF_LEN];
int len;
->>>>>>> upstream/4.5.1
struct ike_alg *a;
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:");
whack_log(RC_COMMENT, " ");
-<<<<<<< HEAD
- pos = buf;
- *pos = '\0';
- len = BUF_LEN;
- for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
- {
- n = snprintf(pos, len, " %s", enum_name(&oakley_enc_names, a->algo_id));
- pos += n;
- len -= n;
- if (len <= 0)
- {
- break;
- }
- }
- whack_log(RC_COMMENT, " encryption:%s", buf);
-
- pos = buf;
- *pos = '\0';
- len = BUF_LEN;
- for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
- {
- n = snprintf(pos, len, " %s", enum_name(&oakley_hash_names, a->algo_id));
- pos += n;
- len -= n;
- if (len <= 0)
- {
- break;
- }
- }
- whack_log(RC_COMMENT, " integrity: %s", buf);
-
- pos = buf;
- *pos = '\0';
- len = BUF_LEN;
- for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next)
- {
- n = snprintf(pos, len, " %s", enum_name(&oakley_group_names, a->algo_id));
- pos += n;
- len -= n;
- if (len <= 0)
- {
- break;
- }
- }
- whack_log(RC_COMMENT, " dh-group: %s", buf);
-=======
len = sprintf(buf, " encryption:");
for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
{
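Review bot: Resolving the conflict in favour of upstream drops the HEAD side's bounded `snprintf`/remaining-length accumulation and keeps `len = sprintf(buf, " encryption:");` into `buf[BUF_LEN]`; the bounding of the assembled line now rests on the `CRYPTO_MAX_ALG_LINE` check in `print_alg` from the previous hunk, which is not fully visible here, so it is worth confirming that `CRYPTO_MAX_ALG_LINE` plus the longest name `print_alg` appends stays below `BUF_LEN`. A comment on the `len = sprintf(...)` line such as `/* line length is bounded by print_alg() flushing at CRYPTO_MAX_ALG_LINE */` would record that invariant. ike_alg_list's body continues past this hunk.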
@@ -432,7 +368,6 @@ void ike_alg_list(void)
}
enumerator->destroy(enumerator);
whack_log(RC_COMMENT, "%s", buf);
->>>>>>> upstream/4.5.1
}
/**
diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h
index 7ee2ca808..c3ce8bb38 100644
--- a/src/pluto/ike_alg.h
+++ b/src/pluto/ike_alg.h
@@ -22,20 +22,14 @@
struct ike_alg {
u_int16_t algo_type;
u_int16_t algo_id;
-<<<<<<< HEAD
-=======
const char *plugin_name;
->>>>>>> upstream/4.5.1
struct ike_alg *algo_next;
};
struct encrypt_desc {
u_int16_t algo_type;
u_int16_t algo_id;
-<<<<<<< HEAD
-=======
const char *plugin_name;
->>>>>>> upstream/4.5.1
struct ike_alg *algo_next;
size_t enc_blocksize;
@@ -47,10 +41,7 @@ struct encrypt_desc {
struct hash_desc {
u_int16_t algo_type;
u_int16_t algo_id;
-<<<<<<< HEAD
-=======
const char *plugin_name;
->>>>>>> upstream/4.5.1
struct ike_alg *algo_next;
size_t hash_digest_size;
@@ -59,10 +50,7 @@ struct hash_desc {
struct dh_desc {
u_int16_t algo_type;
u_int16_t algo_id;
-<<<<<<< HEAD
-=======
const char *plugin_name;
->>>>>>> upstream/4.5.1
struct ike_alg *algo_next;
size_t ke_size;
@@ -73,11 +61,7 @@ struct dh_desc {
#define IKE_ALG_DH_GROUP 2
#define IKE_ALG_MAX IKE_ALG_DH_GROUP
-<<<<<<< HEAD
-extern int ike_alg_add(struct ike_alg *a);
-=======
extern int ike_alg_add(struct ike_alg *a, const char *plugin_name);
->>>>>>> upstream/4.5.1
extern struct hash_desc *ike_alg_get_hasher(u_int alg);
extern struct encrypt_desc *ike_alg_get_crypter(u_int alg);
extern struct dh_desc *ike_alg_get_dh_group(u_int alg);
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 7ec547b0c..c8a347b45 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -104,6 +104,14 @@
#define RETURN_STF_FAILURE(f) \
{ int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
+/* The endpoint(s) for which an SA is getting installed, so keying material
+ * can be properly wiped.
+ */
+enum endpoint {
+ EP_LOCAL = 1,
+ EP_REMOTE = 1 << 1,
+};
+
/* create output HDR as replica of input HDR */
void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
{
@@ -2196,9 +2204,9 @@ static void decode_cert(struct msg_digest *md)
cert_t x509cert = cert_empty;
x509cert.cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, blob,
- BUILD_END);
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, blob,
+ BUILD_END);
if (x509cert.cert)
{
if (verify_x509cert(&x509cert, strict_crl_policy, &valid_until))
@@ -2741,13 +2749,59 @@ static bool has_preloaded_public_key(struct state *st)
return FALSE;
}
+/* Compute keying material for an SA
+ */
+static void compute_keymat_internal(struct state *st, u_int8_t protoid,
+ ipsec_spi_t spi, size_t needed_len,
+ u_char **keymat_out)
+{
+ size_t i = 0, prf_block_size, needed_space;
+ chunk_t protoid_chunk = chunk_from_thing(protoid);
+ chunk_t spi_chunk = chunk_from_thing(spi);
+ pseudo_random_function_t prf_alg = oakley_to_prf(st->st_oakley.hash);
+ prf_t *prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+
+ prf->set_key(prf, st->st_skeyid_d);
+ prf_block_size = prf->get_block_size(prf);
+
+ /* Although only needed_len bytes are desired, we must round up to a
+ * multiple of prf_block_size so that the buffer isn't overrun */
+ needed_space = needed_len + pad_up(needed_len, prf_block_size);
+ replace(*keymat_out, malloc(needed_space));
+
+ for (;;)
+ {
+ char *keymat_i = (*keymat_out) + i;
+ chunk_t keymat = { keymat_i, prf_block_size };
+
+ if (st->st_shared.ptr != NULL)
+ { /* PFS: include the g^xy */
+ prf->get_bytes(prf, st->st_shared, NULL);
+ }
+ prf->get_bytes(prf, protoid_chunk, NULL);
+ prf->get_bytes(prf, spi_chunk, NULL);
+ prf->get_bytes(prf, st->st_ni, NULL);
+ prf->get_bytes(prf, st->st_nr, keymat_i);
+
+ i += prf_block_size;
+ if (i >= needed_space)
+ {
+ break;
+ }
+
+ /* more keying material needed: prepare to go around again */
+ prf->get_bytes(prf, keymat, NULL);
+ }
+ prf->destroy(prf);
+}
+
/*
* Produce the new key material of Quick Mode.
* RFC 2409 "IKE" section 5.5
* specifies how this is to be done.
*/
static void compute_proto_keymat(struct state *st, u_int8_t protoid,
- struct ipsec_proto_info *pi)
+ struct ipsec_proto_info *pi, enum endpoint ep)
{
size_t needed_len = 0; /* bytes of keying material needed */
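Review bot: The buffer compute_keymat_internal allocates is `needed_space` bytes (needed_len rounded up to a PRF block) and the loop fills every block, but the new wipe helpers later in this file clear only `pi->keymat_len` (= needed_len) bytes, so the PRF output in the final partial block beyond needed_len stays in memory after wipe_keymats. Adding `memwipe(*keymat_out + needed_len, needed_space - needed_len);` after the loop, before `prf->destroy(prf);`, clears the surplus at the one place where its size is known. The header comment should also state that `*keymat_out` is replaced (the previous buffer is released via `replace`) and sized to `needed_space`, and that `create_prf` and `malloc` are assumed to succeed here as in the code this replaces — a NULL from either is dereferenced on the next line. compute_proto_keymat's signature is in this hunk but its body continues in the next.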
@@ -2833,82 +2887,57 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
pi->keymat_len = needed_len;
- /* Allocate space for the keying material. Although only needed_len bytes
- * are desired, we must round up to a multiple of hash_size
- * so that our buffer isn't overrun.
- */
+ if (ep & EP_LOCAL)
{
- size_t needed_space; /* space needed for keying material (rounded up) */
- size_t i, prf_block_size;
- chunk_t protoid_chunk = chunk_from_thing(protoid);
- chunk_t spi_our = chunk_from_thing(pi->our_spi);
- chunk_t spi_peer = chunk_from_thing(pi->attrs.spi);
- pseudo_random_function_t prf_alg;
- prf_t *prf_our, *prf_peer;
-
- prf_alg = oakley_to_prf(st->st_oakley.hash);
- prf_our = lib->crypto->create_prf(lib->crypto, prf_alg);
- prf_peer = lib->crypto->create_prf(lib->crypto, prf_alg);
- prf_our->set_key(prf_our, st->st_skeyid_d);
- prf_peer->set_key(prf_peer, st->st_skeyid_d);
- prf_block_size = prf_our->get_block_size(prf_our);
-
- needed_space = needed_len + pad_up(needed_len, prf_block_size);
- replace(pi->our_keymat, malloc(needed_space));
- replace(pi->peer_keymat, malloc(needed_space));
-
- for (i = 0;; )
- {
- char *keymat_i_our = pi->our_keymat + i;
- char *keymat_i_peer = pi->peer_keymat + i;
- chunk_t keymat_our = { keymat_i_our, prf_block_size };
- chunk_t keymat_peer = { keymat_i_peer, prf_block_size };
-
- if (st->st_shared.ptr != NULL)
- {
- /* PFS: include the g^xy */
- prf_our->get_bytes(prf_our, st->st_shared, NULL);
- prf_peer->get_bytes(prf_peer, st->st_shared, NULL);
- }
- prf_our->get_bytes(prf_our, protoid_chunk, NULL);
- prf_peer->get_bytes(prf_peer, protoid_chunk, NULL);
-
- prf_our->get_bytes(prf_our, spi_our, NULL);
- prf_peer->get_bytes(prf_peer, spi_peer, NULL);
-
- prf_our->get_bytes(prf_our, st->st_ni, NULL);
- prf_peer->get_bytes(prf_peer, st->st_ni, NULL);
-
- prf_our->get_bytes(prf_our, st->st_nr, keymat_i_our);
- prf_peer->get_bytes(prf_peer, st->st_nr, keymat_i_peer);
+ compute_keymat_internal(st, protoid, pi->our_spi, needed_len,
+ &pi->our_keymat);
+ DBG(DBG_CRYPT,
+ DBG_dump("KEYMAT computed:\n", pi->our_keymat,
+ pi->keymat_len));
+ }
+ if (ep & EP_REMOTE)
+ {
+ compute_keymat_internal(st, protoid, pi->attrs.spi, needed_len,
+ &pi->peer_keymat);
+ DBG(DBG_CRYPT,
+ DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat,
+ pi->keymat_len));
+ }
+}
- i += prf_block_size;
- if (i >= needed_space)
- {
- break;
- }
+static void compute_keymats(struct state *st, enum endpoint ep)
+{
+ if (st->st_ah.present)
+ {
+ compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, ep);
+ }
+ if (st->st_esp.present)
+ {
+ compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, ep);
+ }
+}
- /* more keying material needed: prepare to go around again */
- prf_our->get_bytes(prf_our, keymat_our, NULL);
- prf_peer->get_bytes(prf_peer, keymat_peer, NULL);
- }
- prf_our->destroy(prf_our);
- prf_peer->destroy(prf_peer);
+static void wipe_proto_keymat(struct ipsec_proto_info *pi, enum endpoint ep)
+{
+ if (ep & EP_LOCAL)
+ {
+ memwipe(pi->our_keymat, pi->keymat_len);
+ }
+ if (ep & EP_REMOTE)
+ {
+ memwipe(pi->peer_keymat, pi->keymat_len);
}
- DBG(DBG_CRYPT,
- DBG_dump("KEYMAT computed:\n", pi->our_keymat, pi->keymat_len);
- DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat, pi->keymat_len));
}
-static void compute_keymats(struct state *st)
+static void wipe_keymats(struct state *st, enum endpoint ep)
{
if (st->st_ah.present)
{
- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
+ wipe_proto_keymat(&st->st_ah, ep);
}
if (st->st_esp.present)
{
- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
+ wipe_proto_keymat(&st->st_esp, ep);
}
}
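Review bot: wipe_proto_keymat has no header comment and its contract is implicit: it clears `pi->keymat_len` bytes of whichever buffers the `ep` mask names, so it must be called with the same mask that was passed to compute_keymats for that state — for an endpoint that was never computed, `pi->peer_keymat` (or `our_keymat`) is handed to memwipe without a NULL check in this function (whether memwipe tolerates NULL is not visible here). Suggested comment above it: `/* Clear the keying material of the endpoints in ep; ep must match the mask used with compute_keymats. The buffers stay allocated but zeroed. */`. The call sites visible in later hunks of this file do pass matching masks. compute_proto_keymat's body starts before this hunk.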
@@ -3824,7 +3853,7 @@ main_id_and_auth(struct msg_digest *md
case XAUTHInitRSA:
case XAUTHRespRSA:
r = check_signature(KEY_RSA, peer, st, hash,
- &md->chain[ISAKMP_NEXT_SIG]->pbs,
+ &md->chain[ISAKMP_NEXT_SIG]->pbs,
#ifdef USE_KEYRR
kc == NULL ? NULL : kc->ac.keys_from_dns,
#endif /* USE_KEYRR */
@@ -4975,6 +5004,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
/* now that we are sure of our connection, create our new state */
{
+ enum endpoint ep = EP_LOCAL;
struct state *const st = duplicate_state(p1st);
/* first: fill in missing bits of our new state object
@@ -5152,7 +5182,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
, st, &st->st_msgid, TRUE);
/* Derive new keying material */
- compute_keymats(st);
+ compute_keymats(st, ep);
/* Tell the kernel to establish the new inbound SA
* (unless the commit bit is set -- which we don't support).
@@ -5161,8 +5191,10 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
*/
if (!install_inbound_ipsec_sa(st))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
}
+ wipe_keymats(st, ep);
/* encrypt message, except for fixed part of header */
@@ -5206,6 +5238,7 @@ static void dpd_init(struct state *st)
*/
stf_status quick_inR1_outI2(struct msg_digest *md)
{
+ enum endpoint ep = EP_LOCAL | EP_REMOTE;
struct state *const st = md->st;
const connection_t *c = st->st_connection;
@@ -5325,7 +5358,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
}
/* Derive new keying material */
- compute_keymats(st);
+ compute_keymats(st, ep);
/* Tell the kernel to establish the inbound, outbound, and routing part
* of the new SA (unless the commit bit is set -- which we don't support).
@@ -5334,8 +5367,10 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
*/
if (!install_ipsec_sa(st, TRUE))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR;
}
+ wipe_keymats(st, ep);
/* encrypt message, except for fixed part of header */
@@ -5374,12 +5409,16 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
*/
stf_status quick_inI2(struct msg_digest *md)
{
+ enum endpoint ep = EP_REMOTE;
struct state *const st = md->st;
/* HASH(3) in */
CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
, "HASH(3)", "Quick I2");
+ /* Derive keying material */
+ compute_keymats(st, ep);
+
/* Tell the kernel to establish the outbound and routing part of the new SA
* (the previous state established inbound)
* (unless the commit bit is set -- which we don't support).
@@ -5388,8 +5427,11 @@ stf_status quick_inI2(struct msg_digest *md)
*/
if (!install_ipsec_sa(st, FALSE))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR;
}
+ wipe_keymats(st, ep);
+
DBG(DBG_CONTROLMORE,
DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
, st->st_connection->name
@@ -5851,6 +5893,7 @@ dpd_timeout(struct state *st)
/* caching the connection name before deletion */
strncpy(cname, c->name, BUF_LEN);
+ cname[BUF_LEN-1] = '\0';
if (c->kind == CK_INSTANCE)
{
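Review bot: The added terminator makes the strncpy copy into `cname` safe, but it still silently truncates `c->name` and zero-pads the whole BUF_LEN buffer on every DPD timeout; `snprintf(cname, sizeof(cname), "%s", c->name);` does the termination in one step and its return value tells you when the name was cut, which is worth a log line since the truncated name is used to look the connection up again after deletion. If the project's snprintf wrapper is preferred over the libc one here, use that instead. dpd_timeout's body starts and ends outside the hunk.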
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 7d54b9e8e..8bed1fcfc 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1183,13 +1183,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
-<<<<<<< HEAD
- mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
-=======
mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
->>>>>>> upstream/4.5.1
AUTH_UNDEFINED, chunk_empty, mode,
- st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
+ st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, FALSE,
inbound, NULL, NULL) != SUCCESS)
{
goto fail;
@@ -1296,13 +1292,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
host_dst, esp_spi, said_next->proto, c->spd.reqid,
-<<<<<<< HEAD
- mark, &lt_none, enc_alg, enc_key,
-=======
mark, 0, &lt_none, enc_alg, enc_key,
->>>>>>> upstream/4.5.1
auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- encap, inbound, NULL, NULL) != SUCCESS)
+ encap, FALSE, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
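Review bot: The new `FALSE` inserted before `inbound` in the ESP add_sa call is an undocumented positional boolean; the file's own convention two arguments earlier (`0 /* cpi */`) shows how to make it readable, so the new flag should carry the parameter name it corresponds to in the kernel_interface add_sa signature, e.g. `encap, FALSE /* <name> */, inbound, NULL, NULL)` — the signature itself is not visible in this diff, so take the name from the header rather than guessing. The same applies to the IPComp call in the hunk above and the AH call in the hunk below. setup_half_ipsec_sa starts and ends outside the hunk.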
@@ -1333,13 +1325,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
host_dst, ah_spi, said_next->proto, c->spd.reqid,
-<<<<<<< HEAD
- mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
-=======
mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
->>>>>>> upstream/4.5.1
auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- FALSE, inbound, NULL, NULL) != SUCCESS)
+ FALSE, FALSE, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 41155c619..eab2a8f06 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -397,13 +397,6 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id)
return sadb_alg;
}
-<<<<<<< HEAD
-void kernel_alg_list(void)
-{
- char buf[BUF_LEN];
- char *pos;
- int n, len;
-=======
/**
* Print the name of a kernel algorithm
*/
@@ -411,7 +404,7 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type)
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type));
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
{
@@ -426,71 +419,33 @@ void kernel_alg_list(void)
{
char buf[BUF_LEN];
int len;
->>>>>>> upstream/4.5.1
u_int sadb_id;
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of registered ESP Algorithms:");
whack_log(RC_COMMENT, " ");
-<<<<<<< HEAD
- pos = buf;
- *pos = '\0';
- len = BUF_LEN;
-=======
len = sprintf(buf, " encryption:");
->>>>>>> upstream/4.5.1
for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++)
{
if (ESP_EALG_PRESENT(sadb_id))
{
-<<<<<<< HEAD
- n = snprintf(pos, len, " %s",
- enum_name(&esp_transform_names, sadb_id));
- pos += n;
- len -= n;
- if (len <= 0)
- {
- break;
- }
- }
- }
- whack_log(RC_COMMENT, " encryption:%s", buf);
-
- pos = buf;
- *pos = '\0';
- len = BUF_LEN;
-=======
print_alg(buf, &len, &esp_transform_names, sadb_id);
}
}
whack_log(RC_COMMENT, "%s", buf);
len = sprintf(buf, " integrity: ");
->>>>>>> upstream/4.5.1
for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++)
{
if (ESP_AALG_PRESENT(sadb_id))
{
u_int aaid = alg_info_esp_sadb2aa(sadb_id);
-<<<<<<< HEAD
- n = snprintf(pos, len, " %s", enum_name(&auth_alg_names, aaid));
- pos += n;
- len -= n;
- if (len <= 0)
- {
- break;
- }
- }
- }
- whack_log(RC_COMMENT, " integrity: %s", buf);
-=======
print_alg(buf, &len, &auth_alg_names, aaid);
}
}
whack_log(RC_COMMENT, "%s", buf);
->>>>>>> upstream/4.5.1
}
void kernel_alg_show_connection(connection_t *c, const char *instance)
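Review bot: The resolved kernel_alg_list keeps the unbounded `sprintf(buf, ...)` writes into `buf[BUF_LEN]` and delegates all bounding to print_alg, whose check compares against CRYPTO_MAX_ALG_LINE rather than BUF_LEN (print_alg's body is only partly visible in the hunk above); the side the merge dropped tracked the remaining length with snprintf. Unless CRYPTO_MAX_ALG_LINE is known to be smaller than BUF_LEN, `len = snprintf(buf, sizeof(buf), " encryption:");` and the matching `" integrity: "` line keep the buffer bounded independently of that constant. The names come from internal enum tables and the output goes to whack, so the exposure is limited, but the daemon should not rely on a cross-file constant relation for memory safety.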
@@ -678,12 +633,11 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
* malloced pointer (this quirk allows easier spdb.c change)
*/
struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
- lset_t policy )
+ lset_t policy)
{
const struct esp_info *esp_info;
struct esp_info tmp_esp_info;
struct db_context *ctx_new = NULL;
- struct db_prop *prop;
u_int trans_cnt = esp_ealg_num * esp_aalg_num;
if (!(policy & POLICY_ENCRYPT)) /* not possible, I think */
@@ -704,7 +658,6 @@ struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
}
}
- prop = db_prop_get(ctx_new);
return ctx_new;
}
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index e2c52fab0..4b0e08791 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -494,7 +494,6 @@ static err_t process_rsa_secret(private_key_t **key)
if (ugh)
{
ugh = builddiag("RSA data malformed (%s): %s", ugh, tok);
- part++;
goto end;
}
rsa_chunk[part] = chunk_create(buf, sz);
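Review bot: Dropping `part++` on the malformed-data path changes what the cleanup at `end` sees: it will now stop one entry short of the failing part, which is correct only if nothing for that part has been allocated before the `ugh` check. If `buf` is already heap memory at that point (its allocation is outside the hunk), this change introduces a leak on every parse error of an ipsec.secrets RSA entry — confirm against the code above. A comment at the goto, `/* part not advanced: buf is not yet owned by rsa_chunk */`, would keep the next reader from reintroducing the increment. process_rsa_secret starts and ends outside the hunk.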
@@ -902,10 +901,7 @@ static void process_secret(secret_t *s, int whackfd)
{
loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s"
, flp->filename, flp->lino, ugh);
-<<<<<<< HEAD
-=======
s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy));
->>>>>>> upstream/4.5.1
free(s);
}
else if (flushline("expected record boundary in key"))
@@ -1014,16 +1010,11 @@ static void process_secret_records(int whackfd)
if (!shift())
{
/* unexpected Record Boundary or EOF */
-<<<<<<< HEAD
- loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list"
- , flp->filename, flp->lino);
-=======
loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end"
" of id list", flp->filename, flp->lino);
s->ids->destroy_offset(s->ids,
offsetof(identification_t, destroy));
free(s);
->>>>>>> upstream/4.5.1
break;
}
}
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 6e70898a5..c5f1776ec 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -337,16 +337,16 @@ open_peerlog(connection_t *c)
/* copy IP address, turning : and . into / */
{
- char c, *p, *q;
+ char ch, *p, *q;
p = peername;
q = dname;
do {
- c = *p++;
- if (c == '.' || c == ':')
- c = '/';
- *q++ = c;
- } while (c != '\0');
+ ch = *p++;
+ if (ch == '.' || ch == ':')
+ ch = '/';
+ *q++ = ch;
+ } while (ch != '\0');
}
lf_len = peernamelen * 2
@@ -834,7 +834,8 @@ DBG_dump(const char *label, const void *p, size_t len)
static void show_loaded_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
@@ -842,7 +843,7 @@ static void show_loaded_plugins()
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
whack_log(RC_COMMENT, "loaded plugins: %s", buf);
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index a2acce23a..8298ea601 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -120,9 +120,10 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
int family;
family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6;
+ DESTROY_IF(requested_vip);
requested_vip = (ca->value.len) ?
host_create_from_chunk(family, ca->value, 0) :
- host_create_any(family);
+ host_create_any(family);
plog("peer requested virtual IP %H", requested_vip);
break;
}
@@ -166,7 +167,7 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
requested_vip->destroy(requested_vip);
/* if we have a virtual IP address - send it */
- if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
+ if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
{
vip = c->spd.that.host_srcip;
plog("assigning virtual IP %H to peer", vip);
@@ -179,7 +180,7 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
/* set the remote client subnet to virtual IP */
c->spd.that.client.addr = *(ip_address*)vip->get_sockaddr(vip);
- c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
+ c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
c->spd.that.has_client = TRUE;
}
@@ -264,8 +265,8 @@ static bool set_attributes(connection_t *c, linked_list_t *ca_list)
setportof(0, &c->spd.this.client.addr);
c->spd.this.has_client = TRUE;
- vip_set = TRUE;
- }
+ vip_set = TRUE;
+ }
continue;
case APPLICATION_VERSION:
#ifdef CISCO_QUIRKS
@@ -420,7 +421,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
}
enumerator->destroy(enumerator);
close_output_pbs(&strattr);
-
+
modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
close_message(rbody);
encrypt_message(rbody, st);
@@ -653,7 +654,7 @@ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy);
return stat;
}
-
+
/* discard the parsed attributes and look for another payload */
while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {}
}
@@ -670,7 +671,7 @@ stf_status modecfg_send_request(struct state *st)
{
connection_t *c = st->st_connection;
stf_status stat;
- modecfg_attribute_t *ca;
+ modecfg_attribute_t *ca;
enumerator_t *enumerator;
int family;
chunk_t value;
@@ -685,7 +686,7 @@ stf_status modecfg_send_request(struct state *st)
value);
ca_list->insert_last(ca_list, ca);
- register_attribute_handlers(c);
+ register_attribute_handlers(c);
enumerator = c->requested->create_enumerator(c->requested);
while (enumerator->enumerate(enumerator, &ca))
{
@@ -800,7 +801,7 @@ stf_status modecfg_send_set(struct state *st)
* Used in ModeCfg push mode on the client (initiator)
* called in demux.c from STATE_MODE_CFG_I0
* client <- CFG_SET
- * client -> CFG_ACK
+ * client -> CFG_ACK
* STF_OK transitions to STATE_MODE_CFG_I3
*/
stf_status modecfg_inI0(struct msg_digest *md)
@@ -865,7 +866,7 @@ stf_status modecfg_inI0(struct msg_digest *md)
/**
* Used in ModeCfg push mode on the server (responder)
* called in demux.c from STATE_MODE_CFG_R3
- * server <- CFG_ACK
+ * server <- CFG_ACK
* STF_OK transitions to STATE_MODE_CFG_R4
*/
stf_status modecfg_inR3(struct msg_digest *md)
@@ -1140,7 +1141,7 @@ stf_status xauth_inR1(struct msg_digest *md)
xauth_user_name.ptr)
)
DESTROY_IF(c->xauth_identity);
- c->xauth_identity = identification_create_from_data(xauth_user_name);
+ c->xauth_identity = identification_create_from_data(xauth_user_name);
DBG(DBG_PRIVATE,
DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len,
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 14e5cbb96..f5ee07398 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -192,7 +192,7 @@ static const asn1Object_t basicResponseObjects[] = {
{ 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
ASN1_DEF }, /* 16 */
{ 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
- { 4, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
{ 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
{ 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
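Review bot: Changing the level of the `end loop` entry (index 18) from 4 to 3 alters how the ASN.1 parser closes the extension loop for every OCSP basic response pluto receives, and no parser test accompanies it; the loop's opening entry is outside the hunk, so whether 3 is the matching level cannot be checked from here. A comment on the entry naming the loop it closes, e.g. `/* 18: closes the extensions loop */`, plus a parse test with a BasicOCSPResponse carrying two or more responseExtensions, would show that the loop now terminates at the intended level instead of one level in. The basicResponseObjects table starts and ends outside the hunk.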
@@ -1045,13 +1045,8 @@ static bool valid_ocsp_response(response_t *res)
)
/* check path length constraint */
-<<<<<<< HEAD
- pathlen_constraint = x509->get_pathLenConstraint(x509);
- if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
-=======
pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
->>>>>>> upstream/4.5.1
pathlen > pathlen_constraint)
{
plog("path length of %d violates constraint of %d",
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
index 793a0e88d..3ae6ea12b 100644
--- a/src/pluto/plugins/xauth/Makefile.in
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -218,13 +218,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-<<<<<<< HEAD
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-=======
-ipsecgroup = @ipsecgroup@
->>>>>>> upstream/4.5.1
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -245,6 +239,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,14 +259,12 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
-<<<<<<< HEAD
-=======
soup_CFLAGS = @soup_CFLAGS@
soup_LIBS = @soup_LIBS@
->>>>>>> upstream/4.5.1
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c
index 74e16eacd..bfc4820ed 100644
--- a/src/pluto/plugins/xauth/xauth_plugin.c
+++ b/src/pluto/plugins/xauth/xauth_plugin.c
@@ -18,10 +18,15 @@
#include "xauth_plugin.h"
#include "xauth_default_provider.h"
#include "xauth_default_verifier.h"
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(xauth_plugin_t *this)
+
+METHOD(plugin_t, get_name, char*,
+ xauth_plugin_t *this)
+{
+ return "xauth";
+}
+
+METHOD(plugin_t, destroy, void,
+ xauth_plugin_t *this)
{
free(this);
}
@@ -31,9 +36,15 @@ static void destroy(xauth_plugin_t *this)
*/
plugin_t *xauth_plugin_create()
{
- xauth_plugin_t *this = malloc_thing(xauth_plugin_t);
+ xauth_plugin_t *this;
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create());
pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create());
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8
index 1efb1a6f7..9ac537bd9 100644
--- a/src/pluto/pluto.8
+++ b/src/pluto/pluto.8
@@ -1,14 +1,8 @@
.TH IPSEC_PLUTO 8 "28 March 1999"
.SH NAME
-<<<<<<< HEAD
-ipsec pluto \- IPsec IKE keying daemon
-.br
-ipsec whack \- control interface for IPSEC keying daemon
-=======
pluto \- IPsec IKE keying daemon and control interface
.PP
whack \- control interface for IKE keying daemon
->>>>>>> upstream/4.5.1
.SH SYNOPSIS
.na
.nh
@@ -1015,11 +1009,7 @@ specifies the name of the operation to be performed
\fBup-host\fP, \fBup-client\fP,
\fBdown-host\fP, or \fBdown-client\fP). If the address family for
security gateway to security gateway communications is IPv6, then
-<<<<<<< HEAD
-a suffix of -v6 is added to the verb.
-=======
a suffix of \-v6 is added to the verb.
->>>>>>> upstream/4.5.1
.TP
\fBPLUTO_CONNECTION\fP
is the name of the connection for which we are routing.
@@ -1581,11 +1571,7 @@ rejected with ECONNREFUSED (kernel supplied no details)''. John
Denker suggests that this command is useful for tracking down the
source of these problems:
.br
-<<<<<<< HEAD
- tcpdump -i eth0 icmp[0] != 8 and icmp[0] != 0
-=======
tcpdump \-i eth0 icmp[0] != 8 and icmp[0] != 0
->>>>>>> upstream/4.5.1
.br
Substitute your public interface for eth0 if it is different.
.LP
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 627176c1b..309bde649 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -239,7 +239,8 @@ options_t *options;
*/
static void print_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
@@ -247,7 +248,7 @@ static void print_plugins()
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
DBG1(DBG_DMN, "loaded plugins: %s", buf);
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 2ed07bdfc..48585432b 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -591,7 +591,7 @@ static u_int32_t decode_long_duration(pb_stream *pbs)
if (pbs_left(pbs) > sizeof(val))
{
/* "clamp" too large value to max representable value */
- val -= 1; /* portable way to get to maximum value */
+ val = UINT32_MAX;
DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
, (unsigned long)val));
}
@@ -881,7 +881,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
lset_t seen_attrs = 0;
lset_t seen_durations = 0;
u_int16_t life_type = 0;
- struct oakley_trans_attrs ta;
+ struct oakley_trans_attrs ta = { .encrypter = NULL };
err_t ugh = NULL; /* set to diagnostic when problem detected */
/* initialize only optional field in ta */
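Review bot: The comment `/* initialize only optional field in ta */` directly below the new initializer is now stale: `= { .encrypter = NULL }` zero-initialises every member of `ta`, not only the optional one, so whatever assignment follows (outside the hunk) duplicates what the initializer already did and the comment describes the previous state. Either drop the explicit assignment with its comment, or reword it to `/* ta is fully zero-initialised above; set the optional field explicitly for clarity */`. parse_isakmp_sa_body continues outside the hunk.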
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 3639f944d..e4234bc87 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -166,7 +166,10 @@ static struct state **state_hash(const u_char *icookie, const u_char *rcookie,
*/
struct state *new_state(void)
{
- static const struct state blank_state; /* initialized all to zero & NULL */
+ /* initialized all to zero & NULL */
+ static const struct state blank_state = {
+ .st_serialno = 0,
+ };
static so_serial_t next_so = SOS_FIRST;
struct state *st;
@@ -347,19 +350,20 @@ void delete_state(struct state *st)
DESTROY_IF(st->st_dh);
- free(st->st_tpacket.ptr);
- free(st->st_rpacket.ptr);
- free(st->st_p1isa.ptr);
- free(st->st_gi.ptr);
- free(st->st_gr.ptr);
- free(st->st_shared.ptr);
- free(st->st_ni.ptr);
- free(st->st_nr.ptr);
- free(st->st_skeyid.ptr);
- free(st->st_skeyid_d.ptr);
- free(st->st_skeyid_a.ptr);
- free(st->st_skeyid_e.ptr);
- free(st->st_enc_key.ptr);
+ chunk_clear(&st->st_tpacket);
+ chunk_clear(&st->st_rpacket);
+ chunk_clear(&st->st_p1isa);
+ chunk_clear(&st->st_gi);
+ chunk_clear(&st->st_gr);
+ chunk_clear(&st->st_shared);
+ chunk_clear(&st->st_ni);
+ chunk_clear(&st->st_nr);
+ chunk_clear(&st->st_skeyid);
+ chunk_clear(&st->st_skeyid_d);
+ chunk_clear(&st->st_skeyid_a);
+ chunk_clear(&st->st_skeyid_e);
+ chunk_clear(&st->st_enc_key);
+
free(st->st_ah.our_keymat);
free(st->st_ah.peer_keymat);
free(st->st_esp.our_keymat);
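Review bot: The keymat buffers at the end of the hunk are still released with plain `free()` while every other secret in delete_state now goes through chunk_clear; our_keymat/peer_keymat hold the IPsec SA keys and are only scrubbed if the quick-mode handler reached its wipe_keymats call, which this function cannot rely on for a state torn down mid-exchange. A `memwipe(st->st_ah.our_keymat, st->st_ah.keymat_len);` before each of the four frees would make delete_state self-sufficient, on the assumption that keymat_len is valid whenever the pointer is non-NULL — the allocation site is not visible here. delete_state continues outside the hunk.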
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index b76f02845..7e2aca862 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -255,13 +255,8 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
unlock_authcert_list("verify_x509cert");
/* check path length constraint */
-<<<<<<< HEAD
- pathlen_constraint = x509->get_pathLenConstraint(x509);
- if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
-=======
pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
->>>>>>> upstream/4.5.1
pathlen > pathlen_constraint)
{
plog("path length of %d violates constraint of %d",
@@ -455,13 +450,8 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
}
/* list optional pathLenConstraint */
-<<<<<<< HEAD
- pathlen = x509->get_pathLenConstraint(x509);
- if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
-=======
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen != X509_NO_CONSTRAINT)
->>>>>>> upstream/4.5.1
{
whack_log(RC_COMMENT, " pathlen: %d", pathlen);
}