Red Hat Bugzilla – Attachment 307268 Details for
Bug 441383
IPV6DOD: openswan should negotiate CCM algorithm.
[patch]
Resync 14rc5 with my patches
openswan-14rc5.patch (text/plain), 16.06 KB, created by
Herbert Xu
on 2008-05-31 11:38:49 UTC
Description:
Resync 14rc5 with my patches
Filename:
MIME Type:
Creator:
Herbert Xu
Created:
2008-05-31 11:38:49 UTC
Size:
16.06 KB
patch
obsolete
>Only in openswan-2.6.14rc5: OBJ.linux.x86_64
>diff -ur openswan-2.6.14rc5.orig/include/ietf_constants.h openswan-2.6.14rc5/include/ietf_constants.h
>--- openswan-2.6.14rc5.orig/include/ietf_constants.h 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/include/ietf_constants.h 2008-05-31 19:25:49.000000000 +0800
>@@ -684,7 +684,6 @@
> AUTH_ALGORITHM_HMAC_SHA2_512=7,
> AUTH_ALGORITHM_HMAC_RIPEMD=8,
> AUTH_ALGORITHM_AES_CBC=9,
>- AUTH_ALGORITHM_NULL=251,
> };
> 
> typedef u_int16_t ipsec_auth_t;
>diff -ur openswan-2.6.14rc5.orig/lib/libipsecconf/confread.c openswan-2.6.14rc5/lib/libipsecconf/confread.c
>--- openswan-2.6.14rc5.orig/lib/libipsecconf/confread.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/lib/libipsecconf/confread.c 2008-05-31 13:41:43.000000000 +0800
>@@ -63,6 +63,7 @@
> cfg->setup.options[KBF_UNIQUEIDS]= FALSE;
> cfg->conn_default.options[KBF_TYPE] = KS_TUNNEL;
> 
>+ cfg->conn_default.policy |= POLICY_IKEV2_ALLOW;
> cfg->conn_default.policy = POLICY_RSASIG|POLICY_TUNNEL|POLICY_ENCRYPT|POLICY_PFS;
> 
> cfg->conn_default.options[KBF_IKELIFETIME] = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; 
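Review bot: In the confread.c hunk the new `cfg->conn_default.policy |= POLICY_IKEV2_ALLOW;` sits before the existing `cfg->conn_default.policy = POLICY_RSASIG|POLICY_TUNNEL|POLICY_ENCRYPT|POLICY_PFS;`, which assigns rather than ORs, so the ALLOW bit is discarded on the next line and the default policy is unchanged. Because the confwrite.c hunk treats POLICY_IKEV2_ALLOW alone as the unprinted default and the @@ -984 hunk only sets it when an ikev2= line is present, a conn without ikev2= would be written back as `ikev2=never`. Fold the bit into the assignment, `cfg->conn_default.policy = POLICY_RSASIG|POLICY_TUNNEL|POLICY_ENCRYPT|POLICY_PFS|POLICY_IKEV2_ALLOW;`, and drop the `|=` line. The enclosing function starts and ends outside the hunk.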
>@@ -984,6 +985,28 @@
> conn->policy |= conn->options[KBF_PHASE2];
> }
> 
>+ if(conn->options_set[KBF_IKEv2]) {
>+ switch(conn->options[KBF_IKEv2]) {
>+ case fo_never:
>+ conn->policy &= ~POLICY_IKEV2_ALLOW;
>+ break;
>+ 
>+ case fo_permit:
>+ /* this is the default for now */
>+ conn->policy |= POLICY_IKEV2_ALLOW;
>+ break;
>+ 
>+ case fo_propose:
>+ conn->policy |= POLICY_IKEV2_ALLOW|POLICY_IKEV2_PROPOSE;
>+ break;
>+ 
>+ case fo_insist:
>+ conn->policy |= POLICY_IKEV1_DISABLE;
>+ conn->policy |= POLICY_IKEV2_ALLOW|POLICY_IKEV2_PROPOSE;
>+ break;
>+ }
>+ }
>+ 
> err += validate_end(conn, &conn->left, TRUE, resolvip, perr);
> err += validate_end(conn, &conn->right, FALSE, resolvip, perr);
> 
>diff -ur openswan-2.6.14rc5.orig/lib/libipsecconf/confwrite.c openswan-2.6.14rc5/lib/libipsecconf/confwrite.c
>--- openswan-2.6.14rc5.orig/lib/libipsecconf/confwrite.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/lib/libipsecconf/confwrite.c 2008-05-31 13:46:52.000000000 +0800
>@@ -456,10 +456,12 @@
> 
> if(conn->policy) {
> int auth_policy, phase2_policy, shunt_policy, failure_policy;
>+ int ikev2_policy;
> 
> phase2_policy = (conn->policy & (POLICY_AUTHENTICATE|POLICY_ENCRYPT));
> failure_policy = (conn->policy & POLICY_FAIL_MASK);
> shunt_policy=(conn->policy & POLICY_SHUNT_MASK);
>+ ikev2_policy = conn->policy & POLICY_IKEV2_MASK;
> 
> switch(shunt_policy) {
> case POLICY_SHUNT_TRAP: 
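Review bot: The new switch on `conn->options[KBF_IKEv2]` only ORs bits in (except `fo_never`, which clears just POLICY_IKEV2_ALLOW), so the result depends on whatever IKEv2 bits `conn->policy` already carried: `ikev2=permit` on a conn that inherited propose keeps POLICY_IKEV2_PROPOSE, and `ikev2=never` after insist leaves POLICY_IKEV1_DISABLE|POLICY_IKEV2_PROPOSE set, a combination the confwrite.c switch cannot print. Clear the field first with `conn->policy &= ~POLICY_IKEV2_MASK;` before the switch (the confwrite.c hunk extracts these bits with that mask, and its insist case implies it covers all three), then keep the `|=` arms. A `default:` arm for an unexpected enum value would also be worth adding. The enclosing function starts and ends outside the hunk.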
>@@ -541,6 +543,25 @@
> fprintf(out, "\tfailureshunt=reject\n");
> break;
> }
>+ 
>+ switch(ikev2_policy) {
>+ case 0:
>+ fprintf(out, "\tikev2=never\n");
>+ break;
>+ 
>+ case POLICY_IKEV2_ALLOW:
>+ /* it's the default, do not print anything */
>+ /* fprintf(out, "\tikev2=permit\n"); */
>+ break;
>+ 
>+ case POLICY_IKEV2_ALLOW|POLICY_IKEV2_PROPOSE:
>+ fprintf(out, "\tikev2=propose\n");
>+ break;
>+ 
>+ case POLICY_IKEV1_DISABLE|POLICY_IKEV2_ALLOW|POLICY_IKEV2_PROPOSE:
>+ fprintf(out, "\tikev2=insist\n");
>+ break;
>+ }
> break;
> 
> case POLICY_SHUNT_PASS:
>diff -ur openswan-2.6.14rc5.orig/lib/libipsecconf/keywords.c openswan-2.6.14rc5/lib/libipsecconf/keywords.c
>--- openswan-2.6.14rc5.orig/lib/libipsecconf/keywords.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/lib/libipsecconf/keywords.c 2008-05-31 13:48:45.000000000 +0800
>@@ -57,6 +57,20 @@
> struct keyword_enum_values kw_keyexchange_list=
> { kw_keyexchange_values, sizeof(kw_keyexchange_values)/sizeof(struct keyword_enum_value)};
> 
>+/*
>+ * Values for Four-State options, such as ikev2
>+ */
>+struct keyword_enum_value kw_fourvalued_values[]={
>+ { "never", fo_never },
>+ { "permit", fo_permit },
>+ { "propose", fo_propose},
>+ { "insist", fo_insist },
>+ { "yes", fo_propose},
>+ { "always", fo_insist },
>+ { "no", fo_never }
>+};
>+struct keyword_enum_values kw_fourvalued_list=
>+{ kw_fourvalued_values, sizeof(kw_fourvalued_values)/sizeof(struct keyword_enum_value)};
> 
> /*
> * Values for authby={rsasig, secret} 
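Review bot: The ikev2_policy switch is inserted just before the `break;` that appears to end the `case POLICY_SHUNT_TRAP:` arm of the shunt_policy switch (the next context line is `case POLICY_SHUNT_PASS:`), so ikev2= would only be written for trap-shunt connections and pass/drop/reject conns would lose their ikev2 setting on a write/read round trip. If that is the structure (the enclosing switch begins outside the hunk), move the new switch to after the shunt_policy switch closes, alongside the other unconditional policy output. The switch also has no `default:`, so any bit combination other than the four listed is silently written as nothing and read back as permit; add a `default:` arm that writes at least a comment line naming the unrepresentable value.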
>@@ -308,6 +322,7 @@
> {"type", kv_conn, kt_enum, KBF_TYPE, &kw_type_list},
> {"authby", kv_conn|kv_auto, kt_enum, KBF_AUTHBY, &kw_authby_list},
> {"keyexchange", kv_conn|kv_auto, kt_enum, KBF_KEYEXCHANGE, &kw_keyexchange_list},
>+ {"ikev2", kv_conn|kv_auto|kv_processed,kt_enum,KBF_IKEv2,&kw_fourvalued_list},
> {"pfs", kv_conn|kv_auto, kt_bool, KBF_PFS, NOT_ENUM},
> {"keylife", kv_conn|kv_auto|kv_alias, kt_time, KBF_SALIFETIME,NOT_ENUM},
> {"lifetime", kv_conn|kv_auto|kv_alias, kt_time, KBF_SALIFETIME,NOT_ENUM},
>diff -ur openswan-2.6.14rc5.orig/lib/libipsecconf/oeconns.c openswan-2.6.14rc5/lib/libipsecconf/oeconns.c
>--- openswan-2.6.14rc5.orig/lib/libipsecconf/oeconns.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/lib/libipsecconf/oeconns.c 2008-05-31 13:51:56.000000000 +0800
>@@ -63,7 +63,7 @@
> .oe_cn = "packetdefault",
> .oe_sc = {
> .policy = POLICY_TUNNEL|POLICY_RSASIG|POLICY_ENCRYPT|POLICY_PFS|
>- POLICY_OPPO|POLICY_FAIL_PASS,
>+ POLICY_OPPO|POLICY_FAIL_PASS|POLICY_IKEV2_ALLOW,
> 
> .options[KBF_REKEY]=FALSE,
> .options_set[KBF_REKEY]=TRUE,
>@@ -195,7 +195,7 @@
> .oe_sc = {
> .policy = POLICY_RSASIG|POLICY_ENCRYPT|POLICY_TUNNEL|POLICY_PFS|
> POLICY_DONT_REKEY|POLICY_OPPO|POLICY_GROUP|POLICY_GROUTED|
>- POLICY_SHUNT_PASS|POLICY_FAIL_PASS,
>+ POLICY_SHUNT_PASS|POLICY_FAIL_PASS|POLICY_IKEV2_ALLOW,
> 
> .options[KBF_KEYINGTRIES]=3,
> .options_set[KBF_KEYINGTRIES]=TRUE,
>@@ -268,7 +268,7 @@
> .oe_sc = {
> .policy = POLICY_RSASIG|POLICY_ENCRYPT|POLICY_TUNNEL|POLICY_PFS|
> POLICY_DONT_REKEY|POLICY_OPPO|POLICY_GROUP|POLICY_GROUTED|
>- POLICY_FAIL_PASS,
>+ POLICY_FAIL_PASS|POLICY_IKEV2_ALLOW,
> 
> .desired_state = STARTUP_ROUTE,
> 
>@@ -341,7 +341,7 @@
> .oe_sc = {
> .policy = POLICY_RSASIG|POLICY_ENCRYPT|POLICY_TUNNEL|POLICY_PFS|
> POLICY_OPPO|POLICY_GROUP|POLICY_GROUTED|
>- POLICY_FAIL_DROP,
>+ POLICY_FAIL_DROP|POLICY_IKEV2_ALLOW,
> 
> .options[KBF_REKEY]=FALSE, /* really want REKEY if used */
> .options_set[KBF_REKEY]=TRUE, 
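Review bot: The new keyword entry `{"ikev2", kv_conn|kv_auto|kv_processed,kt_enum,KBF_IKEv2,&kw_fourvalued_list},` drops the spaces after commas that every neighbouring entry uses; `{"ikev2", kv_conn|kv_auto|kv_processed, kt_enum, KBF_IKEv2, &kw_fourvalued_list},` keeps the table readable. It is also the only enum keyword in this stretch carrying `kv_processed`, presumably because the value is turned into policy bits in confread.c rather than consumed from options[] alone; a one-line comment saying so would spare the next reader a search. The oeconns.c hunks on this line only add the ALLOW bit and need nothing.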
>@@ -414,7 +414,8 @@
> .oe_cn = "block",
> .oe_sc = {
> .policy = POLICY_TUNNEL|POLICY_PFS|
>- POLICY_GROUP|POLICY_GROUTED|POLICY_SHUNT_REJECT,
>+ POLICY_GROUP|POLICY_GROUTED|POLICY_SHUNT_REJECT|
>+ POLICY_IKEV2_ALLOW,
> 
> .desired_state = STARTUP_ROUTE,
> 
>diff -ur openswan-2.6.14rc5.orig/lib/libopenswan/alg_info.c openswan-2.6.14rc5/lib/libopenswan/alg_info.c
>--- openswan-2.6.14rc5.orig/lib/libopenswan/alg_info.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/lib/libopenswan/alg_info.c 2008-05-31 19:25:33.000000000 +0800
>@@ -57,8 +57,6 @@
> return AH_SHA2_512;
> case AUTH_ALGORITHM_HMAC_RIPEMD:
> return AH_RIPEMD;
>- /* XXX should we distinguish these two? */
>- case AUTH_ALGORITHM_NULL:
> case AUTH_ALGORITHM_NONE:
> return AH_NONE;
> 
>diff -ur openswan-2.6.14rc5.orig/lib/libopenswan/constants.c openswan-2.6.14rc5/lib/libopenswan/constants.c
>--- openswan-2.6.14rc5.orig/lib/libopenswan/constants.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/lib/libopenswan/constants.c 2008-05-31 19:27:52.000000000 +0800
>@@ -570,15 +570,9 @@
> "AUTH_ALGORITHM_AES_CBC",
> };
> 
>-static const char *const null_auth_alg_name[] = {
>- "AUTH_ALGORITHM_NULL", /* 251 */
>- };
>-
> enum_names
>- null_auth_alg_names =
>- { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, null_auth_alg_name, NULL },
> auth_alg_names =
>- { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_AES_CBC , auth_alg_name, &null_auth_alg_names };
>+ { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_AES_CBC , auth_alg_name, NULL };
> 
> /* From draft-beaulieu-ike-xauth */
> const char *const xauth_attr_name[] = {
>diff -ur openswan-2.6.14rc5.orig/programs/_updown.bsdkame/_updown.bsdkame.8 openswan-2.6.14rc5/programs/_updown.bsdkame/_updown.bsdkame.8
>--- openswan-2.6.14rc5.orig/programs/_updown.bsdkame/_updown.bsdkame.8 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/programs/_updown.bsdkame/_updown.bsdkame.8 2008-05-29 19:23:25.000000000 +0800 
>@@ -1,30 +1,122 @@
>-.TH _UPDOWN 8 "25 Apr 2002"
>-.\"
>-.\" RCSID $Id: _updown.8,v 1.2 2002/04/29 22:39:31 mcr Exp $
>-.\"
>+.\"Generated by db2man.xsl. Don't modify this, modify the source.
>+.de Sh \" Subsection
>+.br
>+.if t .Sp
>+.ne 5
>+.PP
>+\fB\\$1\fR
>+.PP
>+..
>+.de Sp \" Vertical space (when we can't use .PP)
>+.if t .sp .5v
>+.if n .sp
>+..
>+.de Ip \" List item
>+.br
>+.ie \\n(.$>=3 .ne \\$3
>+.el .ne 3
>+.IP "\\$1" \\$2
>+..
>+.TH "_UPDOWN" 8 "" "" ""
> .SH NAME
>-ipsec _updown \- klips manipulation script
>-.SH SYNOPSIS
>-.I _updown
>-is invoked by pluto when it has brought up a new connection. This script
>-is used to insert the appropriate routing entries for IPsec operation.
>-The interface to the script is documented in the pluto man page.
>+ipsec _updown \- kernel and routing manipulation script
>+.SH "SYNOPSIS"
>+
>+.PP
>+\fI_updown\fR is invoked by pluto when it has brought up a new connection\&. This script is used to insert the appropriate routing entries for IPsec operation on some kernel IPsec stacks, such as KLIPS and MAST, and may do other neccessary work that is kernel or user specific, such as defining custom firewall rules\&. The interface to the script is documented in the pluto man page\&.
>+
>+.SH "VARIABLES"
>+
>+.PP
>+The \fI_updown\fR is passed along a number of variables which can be used to act differently based on the information:
>+
>+.TP
>+\fIPLUTO_VERSION\fR
>+indicates what version of this interface is being used\&. This document describes version 1\&.1\&. This is upwardly compatible with version 1\&.0\&.
>+
>+.TP
>+\fIPLUTO_VERB\fR
>+specifies the name of the operation to be performed, which can be one of \fBprepare\-host\fR, \fBprepare\-client\fR, \fBup\-host\fR, \fBup\-client\fR, \fBdown\-host\fR or \fBdown\-client\fR\&. If the address family for security gateway to security gateway communications is IPv6, then a suffix of \-v6 is added to this verb\&. 
>+
>+.TP
>+\fIPLUTO_CONNECTION\fR
>+is the name of the connection for which we are routing\&.
>+
>+.TP
>+\fIPLUTO_NEXT_HOP\fR
>+is the next hop to which packets bound for the peer must be sent\&.
>+
>+.TP
>+\fIPLUTO_INTERFACE\fR
>+is the name of the ipsec interface to be used\&.
>+
>+.TP
>+\fIPLUTO_ME\fR
>+is the IP address of our host\&.
>+
>+.TP
>+\fIPLUTO_MY_CLIENT\fR
>+is the IP address / count of our client subnet\&. If the client is just the host, this will be the hostâÂÂs own IP address / max (where max is 32 for IPv4 and 128 for IPv6)\&.
>+
>+.TP
>+\fIPLUTO_MY_CLIENT_NET\fR
>+is the IP address of our client net\&. If the client is just the host, this will be the hostâÂÂs own IP address\&.
>+
>+.TP
>+\fIPLUTO_MY_CLIENT_MASK\fR
>+is the mask for our client net\&. If the client is just the host, this will be 255\&.255\&.255\&.255\&.
>+
>+.TP
>+\fIPLUTO_PEER\fR
>+is the IP address of our peer\&.
>+
>+.TP
>+\fIPLUTO_PEER_CLIENT\fR
>+is the IP address / count of the peerâÂÂs client subnet\&. If the client is just the peer, this will be the peerâÂÂs own IP address / max (where max is 32 for IPv4 and 128 for IPv6)\&.
>+
>+.TP
>+\fIPLUTO_PEER_CLIENT_NET\fR
>+is the IP address of the peerâÂÂs client net\&. If the client is just the peer, this will be the peerâÂÂs own IP address\&.
>+
>+.TP
>+\fIPLUTO_PEER_CLIENT_MASK\fR
>+is the mask for the peerâÂÂs client net\&. If the client is just the peer, this will be 255\&.255\&.255\&.255\&.
>+
>+.TP
>+\fIPLUTO_MY_PROTOCOL\fR
>+lists the protocols allowed over this IPsec SA\&.
>+
>+.TP
>+\fIPLUTO_PEER_PROTOCOL\fR
>+lists the protocols the peer allows over this IPsec SA\&.
>+
>+.TP
>+\fIPLUTO_MY_PORT\fR
>+lists the ports allowed over this IPsec SA\&.
>+
>+.TP
>+\fIPLUTO_PEER_PORT\fR
>+lists the ports the peer allows over this IPsec SA\&.
>+
>+.TP
>+\fIPLUTO_MY_ID\fR
>+lists our id\&.
>+
>+.TP
>+\fIPLUTO_PEER_ID\fR
>+lists our peer's id\&.
>+
>+.TP
>+\fIPLUTO_PEER_CA\fR
>+lists the peer's CA\&. 
>+
> .SH "SEE ALSO"
>-ipsec(8), ipsec_pluto(8).
>-.SH HISTORY
>-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
>-by Michael Richardson. Original program written by Henry Spencer.
>-.\"
>-.\" $Log: _updown.8,v $
>-.\" Revision 1.2 2002/04/29 22:39:31 mcr
>-.\" added basic man page for all internal commands.
>-.\"
>-.\" Revision 1.1 2002/04/26 01:21:43 mcr
>-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
>-.\" MCR has decided that it is not okay for each program subdir to have
>-.\" some subset (determined with -f) of possible files.
>-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
>-.\" Optional PROGRAM.5 files have been added to the makefiles.
>-.\"
>-.\"
>-.\"
>+
>+.PP
>+\fBipsec\fR(8), \fBipsec_pluto\fR(8)\&.
>+
>+.SH "HISTORY"
>+
>+.PP
>+Man page written for the Linux FreeS/WAN project <http://www\&.freeswan\&.org/: \fIhttp://www.freeswan.org/\fR> by Michael Richardson\&. Original program written by Henry Spencer\&.
>+
>diff -ur openswan-2.6.14rc5.orig/programs/pluto/kernel_netlink.c openswan-2.6.14rc5/programs/pluto/kernel_netlink.c
>--- openswan-2.6.14rc5.orig/programs/pluto/kernel_netlink.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/programs/pluto/kernel_netlink.c 2008-05-31 13:59:16.000000000 +0800
>@@ -697,22 +697,16 @@
> attr = (struct rtattr *)((char *)attr + attr->rta_len);
> }
> 
>- if (sa->enckeylen)
>+ aead = get_aead_alg(sa->encalg);
>+ if (aead)
> {
>- struct xfrm_algo algo;
>- const char *name;
>-
>- name = sparse_name(ealg_list, sa->encalg);
>- if (!name) {
>- loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
>- , sa->encalg);
>- return FALSE;
>- }
>+ struct xfrm_algo_aead algo;
> 
>- strcpy(algo.alg_name, name);
>+ strcpy(algo.alg_name, aead->name);
> algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
>+ algo.alg_icv_len = aead->icvlen * BITS_PER_BYTE;
> 
>- attr->rta_type = XFRMA_ALG_CRYPT;
>+ attr->rta_type = XFRMA_ALG_AEAD;
> attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
> 
> memcpy(RTA_DATA(attr), &algo, sizeof(algo));
>@@ -722,17 +716,22 @@
> req.n.nlmsg_len += attr->rta_len;
> attr = (struct rtattr *)((char *)attr + attr->rta_len);
> }
>-
>- aead = get_aead_alg(sa->encalg);
>- if (aead)
>+ else
> {
>- struct xfrm_algo_aead algo;
>+ struct xfrm_algo algo;
>+ const char *name;
> 
>- strcpy(algo.alg_name, aead->name);
>+ name = sparse_name(ealg_list, sa->encalg);
>+ if (!name) {
>+ loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
>+ , sa->encalg);
>+ return FALSE;
>+ }
>+
>+ strcpy(algo.alg_name, name);
> algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
>- algo.alg_icv_len = aead->icvlen * BITS_PER_BYTE;
> 
>- attr->rta_type = XFRMA_ALG_AEAD;
>+ attr->rta_type = XFRMA_ALG_CRYPT;
> attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
> 
> memcpy(RTA_DATA(attr), &algo, sizeof(algo)); 
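Review bot: `struct xfrm_algo_aead algo;` is never zeroed, yet `memcpy(RTA_DATA(attr), &algo, sizeof(algo))` copies the whole struct into the netlink request, so the bytes of `alg_name` beyond the NUL written by `strcpy` (and any struct padding) are uninitialized stack contents handed to the kernel. Initialize it, `struct xfrm_algo_aead algo = {0};`, and prefer a bounded copy over `strcpy`: `snprintf(algo.alg_name, sizeof algo.alg_name, "%s", aead->name);`. The same applies to `struct xfrm_algo algo;` in the else branch of the following @@ -722 hunk. The enclosing function starts and ends outside the hunk.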
>@@ -742,7 +741,7 @@
> req.n.nlmsg_len += attr->rta_len;
> attr = (struct rtattr *)((char *)attr + attr->rta_len);
> }
>- else
>+
> if (sa->satype == SADB_X_SATYPE_IPCOMP)
> {
> struct xfrm_algo algo;
>Only in openswan-2.6.14rc5/programs/pluto: kernel_netlink.c.orig
>diff -ur openswan-2.6.14rc5.orig/programs/pluto/spdb_v2_struct.c openswan-2.6.14rc5/programs/pluto/spdb_v2_struct.c
>--- openswan-2.6.14rc5.orig/programs/pluto/spdb_v2_struct.c 2008-05-29 04:13:42.000000000 +0800
>+++ openswan-2.6.14rc5/programs/pluto/spdb_v2_struct.c 2008-05-31 13:57:56.000000000 +0800
>@@ -846,7 +846,7 @@
> if(!out_struct(&r_trans, &ikev2_trans_desc
> , &r_proposal_pbs, &r_trans_pbs))
> impossible();
>- if (ta.encrypter->keyminlen != ta.encrypter->keymaxlen)
>+ if (ta.encrypter && ta.encrypter->keyminlen != ta.encrypter->keymaxlen)
> ikev2_out_attr(IKEv2_KEY_LENGTH, ta.enckeylen
> , &ikev2_trans_attr_desc, ikev2_trans_attr_val_descs
> , &r_trans_pbs);
>@@ -1356,9 +1356,12 @@
> ta.encrypter = (struct encrypt_desc *)ike_alg_ikev2_find(IKE_ALG_ENCRYPT
> , ta.encrypt
> , ta.enckeylen);
>- passert(ta.encrypter != NULL);
>- if (!ta.enckeylen)
>- ta.enckeylen = ta.encrypter->keydeflen;
>+ if (ta.encrypter)
>+ {
>+ if (!ta.enckeylen)
>+ ta.enckeylen = ta.encrypter->keydeflen;
>+ } else
>+ passert(ta.encrypt == IKEv2_ENCR_NULL);
> 
> /* this is really a mess having so many different numbers for auth
> * algorithms.
>Only in openswan-2.6.14rc5/programs/pluto: spdb_v2_struct.c.orig
>Only in openswan-2.6.14rc5/programs/pluto: spdb_v2_struct.c.rej
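Review bot: In the @@ -722 hunk the new `else` branch now runs for every non-AEAD SA, whereas the removed code only built an XFRMA_ALG_CRYPT attribute under `if (sa->enckeylen)`. For an SA that carries no encryption key (AH, or the IPCOMP case that the @@ -742 hunk now reaches unconditionally) this path calls `sparse_name(ealg_list, sa->encalg)` on a presumably zero encalg and then either fails the whole add with "unknown encryption algorithm" or emits a crypt attribute with a zero-length key, depending on what the table returns for that value. Restore the guard on the new side, `else if (sa->enckeylen)`, so keyless SAs skip the attribute as before. The enclosing function starts and ends outside the hunk.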
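Review bot: The new `passert(ta.encrypt == IKEv2_ENCR_NULL)` in the @@ -1356 hunk aborts pluto whenever `ike_alg_ikev2_find` returns NULL for any other transform id; if `ta.encrypt` here was parsed from the peer's proposal (the enclosing function starts and ends outside the hunk), that turns an unsupported but well-formed transform into a daemon crash, and `ta.enckeylen` is also left undefaulted. Reject instead of asserting: when `ta.encrypter` is NULL and `ta.encrypt != IKEv2_ENCR_NULL`, log the transform with `loglog(RC_LOG_SERIOUS, ...)` and return the function's failure status, keeping the NULL-encrypter path only for IKEv2_ENCR_NULL. The @@ -846 hunk guards its own `ta.encrypter` dereference, but any other dereference of it outside these hunks now needs the same check.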