Accepting request 514549 from network:vpn
1 OBS-URL: https://build.opensuse.org/request/show/514549 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=64
commit
ce390f0920
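--- /dev/null
+++ b/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
@@ -0,0 +1,27 @@
+From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jun 2016 18:19:48 +0200
+Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response
+
+These could theoretically be used for an amplified DDoS attack.
+---
+src/libcharon/sa/ikev1/task_manager_v1.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
+index 48ec3e7..0912555 100644
+--- a/src/libcharon/sa/ikev1/task_manager_v1.c
++++ b/src/libcharon/sa/ikev1/task_manager_v1.c
+@@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
+continue;
+case NEED_MORE:
+/* processed, but task needs another exchange */
+- if (task->get_type(task) == TASK_QUICK_MODE ||
+- task->get_type(task) == TASK_AGGRESSIVE_MODE)
++ if (task->get_type(task) == TASK_QUICK_MODE)
+{ /* we rely on initiator retransmission, except for
+* three-message exchanges */
+expect_request = TRUE;
+--
+2.13.2
+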
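Review bot: The comment kept as context under the new condition, `/* we rely on initiator retransmission, except for three-message exchanges */`, no longer matches the code: Aggressive Mode is itself a three-message exchange, and after this change only `TASK_QUICK_MODE` sets `expect_request`. Because the reason for the exclusion is a security one (the commit message cites amplified DDoS), the comment should record it, for example `/* we rely on initiator retransmission, except for Quick Mode; Aggressive Mode responses are not retransmitted because they could be used for amplification */`. Without that, a later reader may take the missing `TASK_AGGRESSIVE_MODE` check for an oversight and restore it. build_response's body starts and ends outside the hunk, so whether another path still queues a retransmit for this response cannot be checked from here.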
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350
|
||||
size 4415297
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJWVtUVAAoJEN9CwXCzTbp3dpUL/j5Dio8w6LbKtCf4QRItnG2/
|
||||
3U6apa56nxDWD3rpnN20OjSUzgulMIOjv/ZtRuruRPGWoFwrG6WzrsY/0ZrV929J
|
||||
hSmEVuu6qgt/2i/OJdBUHfNGbhJ9JbTXGMxnWUp38mr4SasZlzHZAxbiKmnKXKtO
|
||||
H5XebtVFR0/yNBPkv6wcJID/vFhJxfWpU2dblvVfSVo9VgV7lXkD0W+S++LJDTVo
|
||||
PgV/a8NZEFswLIZCPct4i3QBYCDkCiS5MGlGCa+xltPYdLpwQUqhEBUkvF8yur7K
|
||||
hnpT9cLk/gMSfFQmSOoN/31yx+ZSHTGR75QEh0pXRvo+oLJse7tw5/MJOHEJu+Hp
|
||||
c/0iVL7qSIXbX5DBF3c03nG3ZdWcVQW32VEp//mC5yEpqFz28dlNSpVwWHLMym/D
|
||||
kddiJjkZGCm7jBaPWTHSq2l8y9zdQzyHNNQ0HUpchUcpCn7B2nQO4tDSz3AFBECT
|
||||
32LKSXnpRb7BAnIW/TZhZqWs1WzbQHogUF+wx+Rl6w==
|
||||
=+fm3
|
||||
-----END PGP SIGNATURE-----
|
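--- /dev/null
+++ b/strongswan-5.5.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4
+size 4768820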
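--- /dev/null
+++ b/strongswan-5.5.3.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJZK+1/AAoJEN9CwXCzTbp3vvAMAJ6SQBu+q41eol6inaXmD1k2
+pwLgBYgMa/TG3dhvX2PxkpypratmYLY96GOy8WFP58/7z2gJL63SjCjN8MaNSZ7V
+UemJD5sEqu3lKGhR+q3Vsz/7xTBWYJSNoE1m/AdwftR6oF0CcIQLgrkjQa1OiU71
+SNqb2KFOafsSFicmhW44tdG9YFx56pzuoOgZhfDNEC9kMBKf7/rMpUeqAxsZah1I
+fETj26gYKPMZAzFdZJvcVLMT70WaHkDU3Oo3/UfIKrucLm+uvYjcrzQnP00laLvx
+LdgjuHXjXixrV92XzWCsa9Bbc39kmz2cBYlm6JPLfyON1x/DtUBdIoRcuO9y8nek
+HAiO8rLG0vyQsbhiaW5TJ6wfR/uyNGhKCIyabU90Nmo0dzVMlb5ro/1q0XcQM5Dl
+D4+FGErM3UdeDu0gj2klr1TyXwdOF6ZdlOtRBwRVH69mFz7o22Q6eGiw9o3Yf+9b
+cJCpzSQXEgZybV8XSYOzGnY9cVeD4Il4FxgYuxViXg==
+=9WTk
+-----END PGP SIGNATURE-----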
@ -1,3 +1,83 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 31 18:30:28 CEST 2017 - ndas@suse.de
|
||||
|
||||
- Updated to strongSwan 5.3.5 providing the following changes:
|
||||
*Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
|
||||
validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
|
||||
requirements regarding the passed exponent and modulus that the plugin did not
|
||||
enforce, if these are not met the calculation will result in a floating point exception
|
||||
that crashes the whole process.
|
||||
This vulnerability has been registered as CVE-2017-9022.
|
||||
Please refer to our blog for details.
|
||||
|
||||
*Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
|
||||
didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
|
||||
parsing X.509 extensions that use such types.
|
||||
This vulnerability has been registered as CVE-2017-9023.
|
||||
Please refer to our blog for details.
|
||||
|
||||
*The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
|
||||
traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
|
||||
the responder already has everything available to install and use the new CHILD_SA.
|
||||
However, this could lead to lost traffic as the initiator won't be able to process
|
||||
inbound packets until it processed the CREATE_CHILD_SA response and updated the
|
||||
inbound SA. To avoid this the responder now only installs the new inbound SA and
|
||||
delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.
|
||||
|
||||
*The messages transporting these DELETEs could reach the peer before packets sent
|
||||
with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
|
||||
to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
|
||||
amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.
|
||||
|
||||
*The code base has been ported to Apple's ARM64 iOS platform, which required several
|
||||
changes regarding the use of variadic functions. This was necessary because the calling
|
||||
conventions for variadic and regular functions are different there.
|
||||
This means that assigning a non-variadic function to a variadic function pointer, as we
|
||||
did with our enumerator_t::enumerate() implementations and several callbacks, will
|
||||
result in crashes as the called function accesses the arguments differently than the
|
||||
caller provided them. To avoid this issue the enumerator_t interface has been changed
|
||||
and the signature of the callback functions for enumerator_create_filter() and two
|
||||
methods on linked_list_t have been changed. Refer to the developer notes below
|
||||
for details.
|
||||
|
||||
*Adds support for fuzzing the certificate parser provided by the default plugins
|
||||
(x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with
|
||||
libFuzzer). Several issues found while fuzzing these plugins were fixed.
|
||||
|
||||
*Two new options have been added to charon's retransmission settings:
|
||||
retransmit_limit and retransmit_jitter. The former adds an upper limit to the
|
||||
calculated retransmission timeout, the latter randomly reduces it.
|
||||
Refer to Retransmission for details.
|
||||
|
||||
*A bug in swanctl's --load-creds command was fixed that caused unencrypted
|
||||
private keys to get unloaded if the command was called multiple times.
|
||||
The load-key VICI command now returns the key ID of the loaded key on success.
|
||||
|
||||
*The credential manager now enumerates local credential sets before global ones.
|
||||
This means certificates supplied by the peer will now be preferred over certificates
|
||||
with the same identity that may be locally stored (e.g. in the certificate cache).
|
||||
|
||||
*Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for
|
||||
specific hardware that supports this.
|
||||
|
||||
*The pki tool loads the curve25519 plugin by default.
|
||||
[- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch,
|
||||
- 0007-asn1-parser-Fix-CHOICE-parsing.patch]
|
||||
- libhydra is removed as all kernel plugins moved to libcharon
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 23 14:25:32 CEST 2017 - ndas@suse.de
|
||||
|
||||
- Applied patch for "Don't retransmit Aggressive Mode response"
|
||||
bsc#985012.
|
||||
- Applied upstream patch for "Insufficient Input Validation in gmp Plugin"
|
||||
bsc#1039514(CVE-2017-9022).
|
||||
- Applied upstream patch for "Incorrect x509 ASN.1 parser error handling"
|
||||
bsc#1039515(CVE-2017-9023).
|
||||
[+0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch,
|
||||
+0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch,
|
||||
+0007-asn1-parser-Fix-CHOICE-parsing.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package strongswan
|
||||
#
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.3.5
|
||||
Version: 5.5.3
|
||||
Release: 0
|
||||
%define upstream_version %{version}
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
@ -82,6 +82,7 @@ Patch2: %{name}_ipsec_service.patch
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
@ -289,9 +290,10 @@ and the load testing plugin for IKEv2 daemon.
|
||||
%patch1 -p0
|
||||
%patch2 -p0
|
||||
%if %{with fipscheck}
|
||||
%patch3 -p0
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
@ -566,13 +568,14 @@ fi
|
||||
%{_libexecdir}/ipsec/_fipscheck
|
||||
%{_libexecdir}/ipsec/.*.hmac
|
||||
%{_sbindir}/.ipsec.hmac
|
||||
|
||||
%endif
|
||||
|
||||
%files ipsec
|
||||
%defattr(-,root,root)
|
||||
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
|
||||
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
|
||||
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
|
||||
%dir %{_sysconfdir}/swanctl
|
||||
%dir %{_sysconfdir}/ipsec.d
|
||||
%dir %{_sysconfdir}/ipsec.d/crls
|
||||
%dir %{_sysconfdir}/ipsec.d/reqs
|
||||
@ -584,6 +587,7 @@ fi
|
||||
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
|
||||
%if %{with systemd}
|
||||
%{_unitdir}/strongswan.service
|
||||
%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
|
||||
%{_sbindir}/rcstrongswan
|
||||
%else
|
||||
%config %{_sysconfdir}/init.d/ipsec
|
||||
@ -591,6 +595,7 @@ fi
|
||||
%endif
|
||||
%{_bindir}/pki
|
||||
%{_sbindir}/ipsec
|
||||
%{_sbindir}/swanctl
|
||||
%{_mandir}/man1/pki*.1*
|
||||
%{_mandir}/man8/ipsec.8*
|
||||
%{_mandir}/man5/ipsec.conf.5*
|
||||
@ -626,6 +631,8 @@ fi
|
||||
%{strongswan_docdir}/AUTHORS
|
||||
%{strongswan_docdir}/ChangeLog
|
||||
%{_mandir}/man8/scepclient.8*
|
||||
%{_mandir}/man5/swanctl.conf.5.*
|
||||
%{_mandir}/man8/swanctl.8.*
|
||||
|
||||
%files libs0
|
||||
%defattr(-,root,root)
|
||||
@ -643,8 +650,11 @@ fi
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
|
||||
%if %{with afalg}
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
|
||||
%endif
|
||||
@ -739,7 +749,10 @@ fi
|
||||
%{strongswan_libdir}/libchecksum.so
|
||||
%endif
|
||||
%{strongswan_libdir}/libcharon.so.*
|
||||
%{strongswan_libdir}/libhydra.so.*
|
||||
%{strongswan_libdir}/libtpmtss.so.*
|
||||
%{strongswan_libdir}/libtpmtss.so
|
||||
%{strongswan_libdir}/libvici.so
|
||||
%{strongswan_libdir}/libvici.so.*
|
||||
%{strongswan_libdir}/libpttls.so.*
|
||||
%{strongswan_libdir}/libradius.so.*
|
||||
%{strongswan_libdir}/libsimaka.so.*
|
||||
@ -842,6 +855,8 @@ fi
|
||||
%{strongswan_plugins}/libstrongswan-xauth-generic.so
|
||||
%{strongswan_plugins}/libstrongswan-xauth-pam.so
|
||||
%{strongswan_plugins}/libstrongswan-xcbc.so
|
||||
%{strongswan_plugins}/libstrongswan-curve25519.so
|
||||
%{strongswan_plugins}/libstrongswan-vici.so
|
||||
%dir %{strongswan_datadir}
|
||||
%dir %{strongswan_templates}
|
||||
%dir %{strongswan_templates}/config
|
||||
@ -942,6 +957,8 @@ fi
|
||||
%{strongswan_templates}/config/plugins/xauth-generic.conf
|
||||
%{strongswan_templates}/config/plugins/xauth-pam.conf
|
||||
%{strongswan_templates}/config/plugins/xcbc.conf
|
||||
%{strongswan_templates}/config/plugins/curve25519.conf
|
||||
%{strongswan_templates}/config/plugins/vici.conf
|
||||
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
|
||||
%{strongswan_templates}/config/strongswan.d/charon.conf
|
||||
%{strongswan_templates}/config/strongswan.d/imcv.conf
|
||||
@ -950,6 +967,7 @@ fi
|
||||
%{strongswan_templates}/config/strongswan.d/scepclient.conf
|
||||
%{strongswan_templates}/config/strongswan.d/starter.conf
|
||||
%{strongswan_templates}/config/strongswan.d/tnc.conf
|
||||
%{strongswan_templates}/config/strongswan.d/swanctl.conf
|
||||
%{strongswan_templates}/database/imv/data.sql
|
||||
%{strongswan_templates}/database/imv/tables.sql
|
||||
|
||||
|
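Review bot: The two man-page entries added to the `%files` list, `%{_mandir}/man5/swanctl.conf.5.*` and `%{_mandir}/man8/swanctl.8.*`, use a different glob from their neighbours (`scepclient.8*`, `ipsec.conf.5*`). The extra dot makes them match only pages that carry a compression suffix, so the file list breaks if the pages are ever installed uncompressed. Writing them as `%{_mandir}/man5/swanctl.conf.5*` and `%{_mandir}/man8/swanctl.8*` keeps the list consistent. Separately, this section sets `Version: 5.5.3`, but the changelog entry shipped in the same commit reads "Updated to strongSwan 5.3.5", which is the old version. Since that entry is where the CVE-2017-9022 and CVE-2017-9023 fixes are recorded, it should name 5.5.3 so the fixed version can be traced.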
@ -1,8 +1,10 @@
|
||||
--- src/ipsec/_ipsec.in
|
||||
+++ src/ipsec/_ipsec.in
|
||||
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR
|
||||
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
|
||||
index ea399b8..ea8ed8a 100644
|
||||
--- a/src/ipsec/_ipsec.in
|
||||
+++ b/src/ipsec/_ipsec.in
|
||||
@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
|
||||
|
||||
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
|
||||
command_dir="$IPSEC_DIR"
|
||||
|
||||
+fipscheck()
|
||||
+{
|
||||
@ -27,7 +29,7 @@
|
||||
case "$1" in
|
||||
'')
|
||||
echo "$IPSEC_SCRIPT command [arguments]"
|
||||
@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
|
||||
@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
|
||||
shift
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -35,7 +37,7 @@
|
||||
$IPSEC_STROKE "$op" "$@"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts)
|
||||
@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -43,7 +45,7 @@
|
||||
$IPSEC_STROKE "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -197,6 +219,7 @@ route|unroute)
|
||||
@@ -195,6 +217,7 @@ route|unroute)
|
||||
fi
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -51,7 +53,7 @@
|
||||
$IPSEC_STROKE "$op" "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -206,6 +229,7 @@ secrets)
|
||||
@@ -204,6 +227,7 @@ secrets)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -59,7 +61,7 @@
|
||||
$IPSEC_STROKE rereadsecrets
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -213,6 +237,7 @@ secrets)
|
||||
@@ -211,6 +235,7 @@ secrets)
|
||||
;;
|
||||
start)
|
||||
shift
|
||||
@ -67,7 +69,7 @@
|
||||
if [ -d /var/lock/subsys ]; then
|
||||
touch /var/lock/subsys/ipsec
|
||||
fi
|
||||
@@ -286,6 +311,7 @@ up)
|
||||
@@ -289,6 +314,7 @@ up)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -75,7 +77,7 @@
|
||||
$IPSEC_STROKE up "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -325,6 +351,11 @@ esac
|
||||
@@ -338,6 +364,11 @@ esac
|
||||
cmd="$1"
|
||||
shift
|
||||
|
||||
@ -84,6 +86,6 @@
|
||||
+*) fipscheck || exit $? ;;
|
||||
+esac
|
||||
+
|
||||
path="$IPSEC_DIR/$cmd"
|
||||
path="$command_dir/$cmd"
|
||||
|
||||
if [ ! -x "$path" ]
|
||||
|
@ -5,11 +5,20 @@ Subject: [PATCH] strongswan: filter algorithms for fips mode
|
||||
|
||||
References: fate#316931,bnc#856322
|
||||
|
||||
From 818cd5f1b6455237a82f385b60a2513cdd9c5eef Mon Sep 17 00:00:00 2001
|
||||
From: Nirmoy Das <ndas@suse.de>
|
||||
Date: Mon, 17 Jul 2017 15:15:14 +0200
|
||||
Subject: [PATCH] strongswan_fipsfilter
|
||||
|
||||
---
|
||||
src/libcharon/config/proposal.c | 184 +++++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 165 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
|
||||
index e59dcd9..f07f4a2 100644
|
||||
index 6c71f78..0640140 100644
|
||||
--- a/src/libcharon/config/proposal.c
|
||||
+++ b/src/libcharon/config/proposal.c
|
||||
@@ -26,6 +26,11 @@
|
||||
@@ -27,6 +27,11 @@
|
||||
#include <crypto/prfs/prf.h>
|
||||
#include <crypto/crypters/crypter.h>
|
||||
#include <crypto/signers/signer.h>
|
||||
@ -21,7 +30,7 @@ index e59dcd9..f07f4a2 100644
|
||||
|
||||
ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
|
||||
"PROTO_NONE",
|
||||
@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void,
|
||||
@@ -190,6 +195,122 @@ METHOD(proposal_t, strip_dh, void,
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
@ -144,7 +153,7 @@ index e59dcd9..f07f4a2 100644
|
||||
/**
|
||||
* Select a matching proposal from this and other, insert into selected.
|
||||
*/
|
||||
@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
|
||||
@@ -611,6 +732,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -156,7 +165,7 @@ index e59dcd9..f07f4a2 100644
|
||||
add_algorithm(this, token->type, token->algorithm, token->keysize);
|
||||
|
||||
return TRUE;
|
||||
@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
@@ -753,6 +879,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
@ -165,8 +174,8 @@ index e59dcd9..f07f4a2 100644
|
||||
+
|
||||
switch (encryption)
|
||||
{
|
||||
case ENCR_AES_CCM_ICV8:
|
||||
@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
case ENCR_AES_GCM_ICV16:
|
||||
@@ -806,6 +935,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
@ -176,7 +185,7 @@ index e59dcd9..f07f4a2 100644
|
||||
switch (encryption)
|
||||
{
|
||||
case ENCR_AES_CBC:
|
||||
@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
@@ -850,6 +982,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
|
||||
{
|
||||
@ -185,8 +194,8 @@ index e59dcd9..f07f4a2 100644
|
||||
+
|
||||
switch (integrity)
|
||||
{
|
||||
case AUTH_HMAC_SHA1_96:
|
||||
@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
case AUTH_HMAC_SHA2_256_128:
|
||||
@@ -905,6 +1040,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &prf, &plugin_name))
|
||||
{
|
||||
@ -196,7 +205,7 @@ index e59dcd9..f07f4a2 100644
|
||||
switch (prf)
|
||||
{
|
||||
case PRF_HMAC_SHA1:
|
||||
@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
@@ -964,6 +1102,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &group, &plugin_name))
|
||||
{
|
||||
@ -206,7 +215,7 @@ index e59dcd9..f07f4a2 100644
|
||||
switch (group)
|
||||
{
|
||||
case MODP_NULL:
|
||||
@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
@@ -1004,6 +1145,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
{
|
||||
private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
|
||||
|
||||
@ -217,48 +226,58 @@ index e59dcd9..f07f4a2 100644
|
||||
switch (protocol)
|
||||
{
|
||||
case PROTO_IKE:
|
||||
@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
@@ -1014,31 +1159,32 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
}
|
||||
break;
|
||||
case PROTO_ESP:
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
break;
|
||||
case PROTO_AH:
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
+
|
||||
+#undef fips_add_algorithm
|
||||
+
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
--
|
||||
2.2.1
|
||||
2.13.2
|
||||
|
||||
|