Red Hat Bugzilla – Attachment 303896 Details for
Bug 439771
[IPv6-DoD] openswan and strongswan fail to interoperate with IKEv2
[patch]
Receive IKEv2 key length attribute
openswan-rcv-ikev2-keylen.patch (text/plain), 8.14 KB, created by
Herbert Xu
on 2008-04-27 07:29:03 UTC
Description:
Receive IKEv2 key length attribute
Filename:
MIME Type:
Creator:
Herbert Xu
Created:
2008-04-27 07:29:03 UTC
Size:
8.14 KB
patch
obsolete
>Only in openswan-2.6.12: OBJ.linux.x86_64
>diff -ur openswan-2.6.12.orig/programs/pluto/spdb_v2_struct.c openswan-2.6.12/programs/pluto/spdb_v2_struct.c
>--- openswan-2.6.12.orig/programs/pluto/spdb_v2_struct.c 2008-04-26 15:37:42.000000000 +0800
>+++ openswan-2.6.12/programs/pluto/spdb_v2_struct.c 2008-04-26 18:23:17.000000000 +0800
>@@ -508,8 +508,11 @@
> spdb_v2_match_parent(struct db_sa *sadb
> , unsigned propnum
> , unsigned encr_transform
>+ , int encr_keylen
> , unsigned integ_transform
>+ , int integ_keylen
> , unsigned prf_transform
>+ , int prf_keylen
> , unsigned dh_transform)
> {
> struct db_v2_prop *pd;
>@@ -534,27 +537,38 @@
> if(pj->protoid != PROTO_ISAKMP) continue;
>
> for(tr_cnt=0; tr_cnt < pj->trans_cnt; tr_cnt++) {
>+ int keylen = -1;
>+ unsigned int attr_cnt;
>
> tr = &pj->trans[tr_cnt];
>
>+ for (attr_cnt=0; attr_cnt < tr->attr_cnt; attr_cnt++) {
>+ struct db_attr *attr = &tr->attrs[attr_cnt];
>+
>+ if (attr->type.ikev2 == IKEv2_KEY_LENGTH)
>+ keylen = attr->val;
>+ }
>+
> /* shouldn't these assignments of tr->transid be inside their if statements? */
> switch(tr->transform_type) {
> case IKEv2_TRANS_TYPE_ENCR:
> encrid = tr->transid;
>- if(tr->transid == encr_transform)
>+ if(tr->transid == encr_transform && keylen == encr_keylen)
> encr_matched=TRUE;
> break;
>
> case IKEv2_TRANS_TYPE_INTEG:
> integid = tr->transid;
>- if(tr->transid == integ_transform)
>+ if(tr->transid == integ_transform && keylen == integ_keylen)
> integ_matched=TRUE;
>+ keylen = integ_keylen;
> break;
>
> case IKEv2_TRANS_TYPE_PRF:
> prfid = tr->transid;
>- if(tr->transid == prf_transform)
>+ if(tr->transid == prf_transform && keylen == prf_keylen)
> prf_matched=TRUE;
>+ keylen = prf_keylen;
> break;
>
> case IKEv2_TRANS_TYPE_DH:
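Review bot: The added `keylen = integ_keylen;` and `keylen = prf_keylen;` lines in the INTEG and PRF cases of the second hunk are dead stores: `keylen` is declared at the top of the per-transform loop body, so the next iteration starts again from -1, and nothing visible after the switch reads the assigned value (the rest of the loop body and of spdb_v2_match_parent lies outside the hunk, so confirm nothing there depends on it). They also make this function diverge from the otherwise parallel spdb_v2_match_child hunk later in the patch, which has no such assignments. Drop both lines, or if a carry-over between cases is intended, say so in a comment.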
>@@ -602,10 +616,13 @@
>
> struct ikev2_transform_list {
> unsigned int encr_transforms[MAX_TRANS_LIST];
>+ int encr_keylens[MAX_TRANS_LIST];
> unsigned int encr_trans_next, encr_i;
> unsigned int integ_transforms[MAX_TRANS_LIST];
>+ int integ_keylens[MAX_TRANS_LIST];
> unsigned int integ_trans_next, integ_i;
> unsigned int prf_transforms[MAX_TRANS_LIST];
>+ int prf_keylens[MAX_TRANS_LIST];
> unsigned int prf_trans_next, prf_i;
> unsigned int dh_transforms[MAX_TRANS_LIST];
> unsigned int dh_trans_next, dh_i;
>@@ -644,9 +661,6 @@
> /*
> * now that we have a list of all the possibilities, see if any
> * of them fit.
>- *
>- * XXX - have to deal with attributes.
>- *
> */
> for(itl->encr_i=0; itl->encr_i < itl->encr_trans_next; itl->encr_i++) {
> for(itl->integ_i=0; itl->integ_i < itl->integ_trans_next; itl->integ_i++) {
>@@ -654,8 +668,11 @@
> for(itl->dh_i=0; itl->dh_i < itl->dh_trans_next; itl->dh_i++) {
> if(spdb_v2_match_parent(sadb, propnum,
> itl->encr_transforms[itl->encr_i],
>+ itl->encr_keylens[itl->encr_i],
> itl->integ_transforms[itl->integ_i],
>+ itl->integ_keylens[itl->integ_i],
> itl->prf_transforms[itl->prf_i],
>+ itl->prf_keylens[itl->prf_i],
> itl->dh_transforms[itl->dh_i])) {
> return TRUE;
> }
>@@ -673,32 +690,48 @@
> {
> while(prop->isap_numtrans-- > 0) {
> pb_stream trans_pbs;
>+ pb_stream attr_pbs;
> //u_char *attr_start;
> //size_t attr_len;
> struct ikev2_trans trans;
>+ struct isakmp_attribute a;
>+ int keylen = -1;
> //err_t ugh = NULL; /* set to diagnostic when problem detected */
>
> if (!in_struct(&trans, &ikev2_trans_desc
> , prop_pbs, &trans_pbs))
> return BAD_PROPOSAL_SYNTAX;
>+
>+ while (pbs_left(&trans_pbs) != 0) {
>+ if (!in_struct(&a, &isakmp_ikev2_attribute_desc, &trans_pbs
>+ , &attr_pbs))
>+ return BAD_PROPOSAL_SYNTAX;
>+ switch (a.isaat_af_type) {
>+ case IKEv2_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
>+ keylen = a.isaat_lv;
>+ break;
>+ }
>+ }
>
> /* we read the attributes if we need to see details. */
>- /* XXX deal with different sizes AES keys */
> switch(trans.isat_type) {
> case IKEv2_TRANS_TYPE_ENCR:
> if(itl->encr_trans_next < MAX_TRANS_LIST) {
>+ itl->encr_keylens[itl->encr_trans_next]=keylen;
> itl->encr_transforms[itl->encr_trans_next++]=trans.isat_transid;
> } /* show failure with else */
> break;
>
> case IKEv2_TRANS_TYPE_INTEG:
> if(itl->integ_trans_next < MAX_TRANS_LIST) {
>+ itl->integ_keylens[itl->integ_trans_next]=keylen;
> itl->integ_transforms[itl->integ_trans_next++]=trans.isat_transid;
> }
> break;
>
> case IKEv2_TRANS_TYPE_PRF:
> if(itl->prf_trans_next < MAX_TRANS_LIST) {
>+ itl->prf_keylens[itl->prf_trans_next]=keylen;
> itl->prf_transforms[itl->prf_trans_next++]=trans.isat_transid;
> }
> break;
>@@ -770,6 +803,9 @@
> if(!out_struct(&r_trans, &ikev2_trans_desc
> , &r_proposal_pbs, &r_trans_pbs))
> impossible();
>+ if (ta.encrypter->keyminlen != ta.encrypter->keymaxlen)
>+ out_attr(IKEv2_KEY_LENGTH, ta.enckeylen
>+ , &isakmp_ikev2_attribute_desc, NULL, &r_trans_pbs);
> close_output_pbs(&r_trans_pbs);
>
> /* Transform - integrity check */
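Review bot: The new attribute loop in the first hunk only recognises the TV form of KEY_LENGTH; an attribute whose `isaat_af_type` lacks `ISAKMP_ATTR_AF_TV` carries `isaat_lv` bytes of value after its header, and nothing in the loop skips them unless `in_struct` itself consumes them through `attr_pbs` and advances `trans_pbs` (not visible in this hunk). If it does not, those value bytes are re-read as attribute headers, so a peer-built transform can yield a wrong `keylen` or a spurious BAD_PROPOSAL_SYNTAX. Add a `default:` arm that either advances past `a.isaat_lv` bytes for TLV attributes or rejects the transform, so the parse position is always well defined; as written `attr_pbs` is filled by `in_struct` and never read. The enclosing function's header lies outside the hunk.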
>@@ -965,11 +1001,13 @@
> * winning value.
> */
> ta.encrypt = itl->encr_transforms[itl->encr_i];
>+ ta.enckeylen = itl->encr_keylens[itl->encr_i];
> ta.encrypter = (struct encrypt_desc *)ike_alg_ikev2_find(IKE_ALG_ENCRYPT
> , ta.encrypt
>- , /*keysize*/0);
>+ , ta.enckeylen);
> passert(ta.encrypter != NULL);
>- ta.enckeylen = ta.encrypter->keydeflen;
>+ if (!ta.enckeylen)
>+ ta.enckeylen = ta.encrypter->keydeflen;
>
> ta.integ_hash = itl->integ_transforms[itl->integ_i];
> ta.integ_hasher= (struct hash_desc *)ike_alg_ikev2_find(IKE_ALG_INTEG,ta.integ_hash, 0);
>@@ -998,7 +1036,9 @@
> spdb_v2_match_child(struct db_sa *sadb
> , unsigned propnum
> , unsigned encr_transform
>+ , int encr_keylen
> , unsigned integ_transform
>+ , int integ_keylen
> , unsigned esn_transform)
> {
> struct db_v2_prop *pd;
>@@ -1024,19 +1064,28 @@
> if(pj->protoid == PROTO_ISAKMP) continue;
>
> for(tr_cnt=0; tr_cnt < pj->trans_cnt; tr_cnt++) {
>+ int keylen = -1;
>+ unsigned int attr_cnt;
>
> tr = &pj->trans[tr_cnt];
>+
>+ for (attr_cnt=0; attr_cnt < tr->attr_cnt; attr_cnt++) {
>+ struct db_attr *attr = &tr->attrs[attr_cnt];
>+
>+ if (attr->type.ikev2 == IKEv2_KEY_LENGTH)
>+ keylen = attr->val;
>+ }
>
> switch(tr->transform_type) {
> case IKEv2_TRANS_TYPE_ENCR:
> encrid = tr->transid;
>- if(tr->transid == encr_transform)
>+ if(tr->transid == encr_transform && keylen == encr_keylen)
> encr_matched=TRUE;
> break;
>
> case IKEv2_TRANS_TYPE_INTEG:
> integid = tr->transid;
>- if(tr->transid == integ_transform)
>+ if(tr->transid == integ_transform && keylen == integ_keylen)
> integ_matched=TRUE;
> break;
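Review bot: In the first hunk the fallback `if (!ta.enckeylen)` cannot fire for a transform that carried no KEY_LENGTH attribute, because the parser earlier in this patch records that case as -1 (`int keylen = -1;` stored into `encr_keylens`), not 0; `ta.enckeylen` therefore stays -1, is handed to `ike_alg_ikev2_find` as the key size where the old code passed 0, and later reaches `out_attr(IKEv2_KEY_LENGTH, ta.enckeylen, ...)`. Unless `ike_alg_ikev2_find` treats a negative size as "any" (not visible here), the lookup can fail and the following `passert` then aborts pluto on a peer-chosen proposal. Keep one sentinel: pass `ta.enckeylen > 0 ? ta.enckeylen : 0` to the lookup and write the fallback as `if (ta.enckeylen <= 0) ta.enckeylen = ta.encrypter->keydeflen;`. The child-SA hunk at @@ -1255 has the same pattern and needs the same change.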
>
>@@ -1097,16 +1146,15 @@
> /*
> * now that we have a list of all the possibilities, see if any
> * of them fit.
>- *
>- * XXX - have to deal with attributes.
>- *
> */
> for(itl->encr_i=0; itl->encr_i < itl->encr_trans_next; itl->encr_i++) {
> for(itl->integ_i=0; itl->integ_i < itl->integ_trans_next; itl->integ_i++) {
> for(itl->esn_i=0; itl->esn_i<itl->esn_trans_next; itl->esn_i++) {
> if(spdb_v2_match_child(sadb, propnum,
> itl->encr_transforms[itl->encr_i],
>+ itl->encr_keylens[itl->encr_i],
> itl->integ_transforms[itl->integ_i],
>+ itl->integ_keylens[itl->integ_i],
> itl->esn_transforms[itl->esn_i])) {
> return TRUE;
> }
>@@ -1255,14 +1303,16 @@
> * winning value.
> */
> ta.encrypt = itl->encr_transforms[itl->encr_i];
>+ ta.enckeylen = itl->encr_keylens[itl->encr_i];
>
> /* this is REALLY not correct, because this is not an IKE algorithm */
> /* XXX maybe we can leave this to ikev2 child key derivation */
> ta.encrypter = (struct encrypt_desc *)ike_alg_ikev2_find(IKE_ALG_ENCRYPT
> , ta.encrypt
>- , /*keysize*/0);
>+ , ta.enckeylen);
> passert(ta.encrypter != NULL);
>- ta.enckeylen = ta.encrypter->keydeflen;
>+ if (!ta.enckeylen)
>+ ta.enckeylen = ta.encrypter->keydeflen;
>
> /* this is really a mess having so many different numbers for auth
> * algorithms.