5 files changed, 71 insertions, 28 deletions

diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index 7e2a1da6b..b5313a37d 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -375,6 +375,7 @@ docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 host = @host@
@@ -397,6 +398,7 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
 libiptc_CFLAGS = @libiptc_CFLAGS@
 libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 848d8512c..d8541061e 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2017 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -34,8 +34,6 @@
 
 #include <vici_cert_info.h>
 
-#define HASH_SIZE_SHA1_HEX (2 * HASH_SIZE_SHA1)
-
 /**
  * Context used to track loaded secrets
  */
@@ -144,6 +142,7 @@ static bool load_key(load_ctx_t *ctx, char *dir, char *type, chunk_t data)
 	vici_req_t *req;
 	vici_res_t *res;
 	bool ret = TRUE;
+	char *id;
 
 	req = vici_begin("load-key");
 
@@ -178,6 +177,8 @@ static bool load_key(load_ctx_t *ctx, char *dir, char *type, chunk_t data)
 	else
 	{
 		printf("loaded %s key from '%s'\n", type, dir);
+		id = vici_find_str(res, "", "id");
+		free(ctx->keys->remove(ctx->keys, id));
 	}
 	vici_free_res(res);
 	return ret;
@@ -190,8 +191,7 @@ static bool load_key_anytype(load_ctx_t *ctx, char *path,
 							 private_key_t *private)
 {
 	bool loaded = FALSE;
-	chunk_t encoding, keyid;
-	char hex[HASH_SIZE_SHA1_HEX + 1];
+	chunk_t encoding;
 
 	if (!private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
 	{
@@ -213,13 +213,6 @@ static bool load_key_anytype(load_ctx_t *ctx, char *path,
 			fprintf(stderr, "unsupported key type in '%s'\n", path);
 			break;
 	}
-
-	if (loaded &&
-		private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &keyid) &&
-		snprintf(hex, sizeof(hex), "%+B", &keyid) == HASH_SIZE_SHA1_HEX)
-	{
-		free(ctx->keys->remove(ctx->keys, hex));
-	}
 	chunk_clear(&encoding);
 	return loaded;
 }
@@ -408,7 +401,7 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type,
 /**
  * Try to decrypt and load a private key
  */
-static bool load_encrypted_key(load_ctx_t *ctx,  char *rel, char *path,
+static bool load_encrypted_key(load_ctx_t *ctx, char *rel, char *path,
 							   char *type, chunk_t data)
 {
 	private_key_t *private;
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 789b128fd..b2045a3d8 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -47,7 +47,7 @@
         # Timeout for DPD checks (IKEV1 only).
         # dpd_timeout = 0s
 
-        # Use IKE UDP datagram fragmentation.  (yes, no or force).
+        # Use IKE UDP datagram fragmentation.  (yes, accept, no or force).
         # fragmentation = yes
 
         # Send certificate requests payloads (yes or no).
@@ -227,6 +227,9 @@
                 # ESP proposals to offer for the CHILD_SA.
                 # esp_proposals = default
 
+                # Use incorrect 96-bit truncation for HMAC-SHA-256.
+                # sha256_96 = no
+
                 # Local traffic selectors to include in CHILD_SA.
                 # local_ts = dynamic
 
@@ -308,6 +311,10 @@
                 # IPsec replay window to configure for this CHILD_SA.
                 # replay_window = 32
 
+                # Enable hardware offload for this CHILD_SA, if supported by the
+                # IPsec implementation.
+                # hw_offload = no
+
                 # Action to perform after loading the configuration (none, trap,
                 # start).
                 # start_action = none
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 6e1e9adfb..9f4044d7e 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -168,18 +168,29 @@ Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
 fragmentation).  Acceptable  values  are
 .RI "" "yes" ""
 (the        default),
+.RI "" "accept" ","
 .RI "" "force" ""
 and
 .RI "" "no" "."
-Fragmented IKE messages sent by a peer are always accepted irrespective of
-the  value  of  this option. If set to
+If set to
 .RI "" "yes" ","
-and the peer supports it,
-oversized IKE messages will be sent in fragments.  If set  to
+and the peer     supports it, oversized IKE
+messages will be sent in fragments. If set to
+.RI "" "accept" ","
+support for
+fragmentation is announced to the peer but the daemon does not send its own
+messages in fragments.  If set to
 .RI "" "force" ""
-(only
-supported  for IKEv1) the initial IKE message will already be fragmented if
-required.
+(only supported for IKEv1) the initial
+IKE message will already be fragmented if required. Finally, setting the option
+to
+.RI "" "no" ""
+will disable announcing support for this feature.
+
+Note that fragmented IKE messages sent by a peer are always accepted
+irrespective of the value of this option (even when set to
+.RI "" "no" ")."
+
 
 .TP
 .BR connections.<conn>.send_certreq " [yes]"
@@ -786,6 +797,14 @@ interoperability. If no algorithms are specified for AH nor ESP, the
 set of algorithms for ESP is included.
 
 .TP
+.BR connections.<conn>.children.<child>.sha256_96 " [no]"
+HMAC\-SHA\-256 is used with 128\-bit truncation with IPsec. For compatibility with
+implementations that incorrectly use 96\-bit truncation this option may be
+enabled to configure the shorter truncation length in the kernel.  This is not
+negotiated, so this only works with peers that use the incorrect truncation
+length (or have this option enabled).
+
+.TP
 .BR connections.<conn>.children.<child>.local_ts " [dynamic]"
 Comma separated list of local traffic selectors to include in CHILD_SA. Each
 selector is a CIDR subnet definition, followed by an optional proto/port
@@ -1065,6 +1084,11 @@ default of 32 are supported using the Netlink backend only, a value of 0
 disables IPsec replay protection.
 
 .TP
+.BR connections.<conn>.children.<child>.hw_offload " [no]"
+Enable hardware offload for this CHILD_SA, if supported by the IPsec
+implementation.
+
+.TP
 .BR connections.<conn>.children.<child>.start_action " [none]"
 Action to perform after loading the configuration. The default of
 .RI "" "none" ""
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index bdd92177f..7e204db61 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -154,15 +154,19 @@ connections.<conn>.dpd_timeout = 0s
 	specified; this option has no effect on connections using IKE2.
 
 connections.<conn>.fragmentation = yes
-	Use IKE UDP datagram fragmentation.  (_yes_, _no_ or _force_).
+	Use IKE UDP datagram fragmentation.  (_yes_, _accept_, _no_ or _force_).
 
 	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
-	fragmentation).  Acceptable  values  are _yes_ (the	default), _force_ and
-	_no_. Fragmented IKE messages sent by a peer are always accepted
-	irrespective of  the  value  of  this option. If set to _yes_, and the peer
-	supports it, oversized IKE messages will be sent in fragments.  If set  to
-	_force_  (only  supported  for IKEv1) the initial IKE message will already
-	be fragmented if required.
+	fragmentation).  Acceptable  values  are _yes_ (the	default), _accept_,
+	_force_ and _no_. If set to _yes_, and the peer	supports it, oversized IKE
+	messages will be sent in fragments. If set to _accept_, support for
+	fragmentation is announced to the peer but the daemon does not send its own
+	messages in fragments.  If set to _force_ (only supported for IKEv1) the
+	initial IKE message will already be fragmented if required. Finally, setting
+	the option to _no_ will disable announcing support for this feature.
+
+	Note that fragmented IKE messages sent by a peer are always accepted
+	irrespective of the value of this option (even when set to _no_).
 
 connections.<conn>.send_certreq = yes
 	Send certificate requests payloads (_yes_ or _no_).
@@ -647,6 +651,15 @@ connections.<conn>.children.<child>.esp_proposals = default
 	for interoperability. If no algorithms are specified for AH nor ESP,
 	the _default_ set of algorithms for ESP is included.
 
+connections.<conn>.children.<child>.sha256_96 = no
+	Use incorrect 96-bit truncation for HMAC-SHA-256.
+
+	HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility
+	with implementations that incorrectly use 96-bit truncation this option may
+	be enabled to configure the shorter truncation length in the kernel.  This
+	is not negotiated, so this only works with peers that use the incorrect
+	truncation length (or have this option enabled).
+
 connections.<conn>.children.<child>.local_ts = dynamic
 	Local traffic selectors to include in CHILD_SA.
 
@@ -884,6 +897,10 @@ connections.<conn>.children.<child>.replay_window = 32
 	default of 32 are supported using the Netlink backend only, a value of 0
 	disables IPsec replay protection.
 
+connections.<conn>.children.<child>.hw_offload = no
+	Enable hardware offload for this CHILD_SA, if supported by the IPsec
+	implementation.
+
 connections.<conn>.children.<child>.start_action = none
 	Action to perform after loading the configuration (_none_, _trap_, _start_).