diff -urNp openswan-2.6.32-patched/include/ietf_constants.h openswan-2.6.32-current/include/ietf_constants.h
--- openswan-2.6.32-patched/include/ietf_constants.h 2012-02-01 13:42:07.073535499 -0500
+++ openswan-2.6.32-current/include/ietf_constants.h 2012-02-01 13:42:07.448535921 -0500
@@ -508,6 +508,7 @@ extern const char *const sit_bit_names[]
/* Critical bit in each payload */
/* extern enum_names critical_names; */
+extern const char *const critical_names[];
#define ISAKMP_PAYLOAD_NONCRITICAL 0x00
#define ISAKMP_PAYLOAD_CRITICAL 0x80
diff -urNp openswan-2.6.32-patched/include/names_constant.h openswan-2.6.32-current/include/names_constant.h
--- openswan-2.6.32-patched/include/names_constant.h 2012-02-01 13:42:07.067535493 -0500
+++ openswan-2.6.32-current/include/names_constant.h 2012-02-01 13:42:07.447535920 -0500
@@ -61,7 +61,7 @@ extern enum_names notification_names;
extern enum_names ipsec_notification_names;
/* IKEv2 */
-extern enum_names critical_names;
+//extern enum_names critical_names;
extern enum_names ikev2_auth_names;
extern enum_names trans_type_names;
extern enum_names trans_type_encr_names;
diff -urNp openswan-2.6.32-patched/lib/libopenswan/constants.c openswan-2.6.32-current/lib/libopenswan/constants.c
--- openswan-2.6.32-patched/lib/libopenswan/constants.c 2012-02-01 13:42:06.725535107 -0500
+++ openswan-2.6.32-current/lib/libopenswan/constants.c 2012-02-01 13:42:07.419535889 -0500
@@ -1066,14 +1066,28 @@ enum_names attr_msg_type_names =
/*
* IKEv2 CRITICAL BYTE "enum"
*/
-const char *const critical_name[]= { "Payload-Critical", NULL };
-const char *const no_critical_name[]= { "Payload-Non-Critical", NULL };
-enum_names no_crit_names ={ ISAKMP_PAYLOAD_NONCRITICAL,
- ISAKMP_PAYLOAD_NONCRITICAL,
- no_critical_name, NULL};
-enum_names critical_names =
-{ ISAKMP_PAYLOAD_CRITICAL, ISAKMP_PAYLOAD_CRITICAL,
- critical_name, &no_crit_names};
+//const char *const critical_name[]= { "Payload-Critical", NULL };
+//const char *const no_critical_name[]= { "Payload-Non-Critical", NULL };
+//enum_names no_crit_names ={ ISAKMP_PAYLOAD_NONCRITICAL,
+// ISAKMP_PAYLOAD_NONCRITICAL,
+// no_critical_name, NULL};
+//enum_names critical_names =
+//{ ISAKMP_PAYLOAD_CRITICAL, ISAKMP_PAYLOAD_CRITICAL,
+// critical_name, &no_crit_names};
+
+
+/* IKEv2 Critical bit and RESERVED (7) bits*/
+const char *const critical_names[] = {
+ "RESERVED", /* bit 0 */
+ "RESERVED", /* bit 1 */
+ "RESERVED", /* bit 2 */
+ "RESERVED", /* bit 3 */
+ "RESERVED", /* bit 4 */
+ "RESERVED", /* bit 5 */
+ "RESERVED", /* bit 6 */
+ "PAYLOAD_CRITICAL", /* bit 7*/
+ };
+
/* Transform-type Encryption */
const char *const trans_type_encr_name[]={
diff -urNp openswan-2.6.32-patched/lib/libpluto/packet.c openswan-2.6.32-current/lib/libpluto/packet.c
--- openswan-2.6.32-patched/lib/libpluto/packet.c 2012-02-01 13:42:06.782535171 -0500
+++ openswan-2.6.32-current/lib/libpluto/packet.c 2012-02-01 23:04:32.333132215 -0500
@@ -610,7 +610,7 @@ struct_desc isakmp_nat_oa = { "ISAKMP NA
*/
static field_desc ikev2generic_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names},
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_end, 0, NULL, NULL }
};
@@ -752,7 +752,8 @@ struct_desc ikev2_trans_attr_desc = {
*/
static field_desc ikev2ke_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_nat, 16/BITS_PER_BYTE, "transform type", &oakley_group_names },
{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
@@ -795,7 +796,8 @@ struct_desc ikev2_ke_desc = { "IKEv2 Key
static field_desc ikev2id_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_enum, 8/BITS_PER_BYTE, "id_type", &ident_names },
{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
@@ -823,7 +825,8 @@ struct_desc ikev2_id_desc = { "IKEv2 Ide
*/
static field_desc ikev2_cert_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names },
+ //{ ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_enum, 8/BITS_PER_BYTE, "ikev2 cert encoding", &ikev2_cert_type_names },
{ ft_end, 0, NULL, NULL }
@@ -850,7 +853,8 @@ struct_desc ikev2_certificate_desc = { "
static field_desc ikev2_cert_req_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names },
+ //{ ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_enum, 8/BITS_PER_BYTE, "ikev2 cert encoding", &ikev2_cert_type_names },
{ ft_end, 0, NULL, NULL }
@@ -878,7 +882,8 @@ struct_desc ikev2_certificate_req_desc =
*/
static field_desc ikev2a_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_enum, 8/BITS_PER_BYTE, "auth method", &ikev2_auth_names },
{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
@@ -937,7 +942,8 @@ struct_desc ikev2_nonce_desc = { "IKEv2
*/
static field_desc ikev2_notify_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names },
+ //{ ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_enum, 8/BITS_PER_BYTE, "Protocol ID", &protocol_names },
/* names used are v1 names may be we should use 4306 3.3.1 names */
@@ -949,6 +955,37 @@ static field_desc ikev2_notify_fields[]
struct_desc ikev2_notify_desc = { "IKEv2 Notify Payload",
ikev2_notify_fields, sizeof(struct ikev2_notify) };
+
+/* IKEv2 Delete Payload
+ * layout from RFC 5996 Section 3.11
+ * This is followed by a variable length SPI.
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload !C| RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Protocol ID ! SPI Size ! Num of SPIs !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Security Parameter Index(es) (SPI) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+static field_desc ikev2_delete_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "number of SPIs", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc ikev2_delete_desc = { "IKEv2 Delete Payload",
+ ikev2_delete_fields, sizeof(struct ikev2_delete) };
+
/*
* 3.12. Vendor ID Payload
*
@@ -993,7 +1030,8 @@ struct_desc ikev2_vendor_id_desc = { "IK
*/
static field_desc ikev2ts_fields[] = {
{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
- { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names},
{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
{ ft_nat, 8/BITS_PER_BYTE, "number of TS", NULL},
{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
@@ -1107,7 +1145,7 @@ struct_desc *const payload_descs[ISAKMP_
&ikev2_a_desc, /* 39 */
&ikev2_nonce_desc, /* 40 */
&ikev2_notify_desc, /* 41 */
- NULL, /* 42 */
+ &ikev2_delete_desc, /* 42 */
&ikev2_vendor_id_desc, /* 43 */
&ikev2_ts_desc, &ikev2_ts_desc, /* 44, 45 */
&ikev2_e_desc, /* 46 */
diff -urNp openswan-2.6.32-patched/programs/pluto/demux.c openswan-2.6.32-current/programs/pluto/demux.c
--- openswan-2.6.32-patched/programs/pluto/demux.c 2012-02-01 13:42:06.206534523 -0500
+++ openswan-2.6.32-current/programs/pluto/demux.c 2012-02-01 13:42:07.269535719 -0500
@@ -135,9 +135,16 @@ process_packet(struct msg_digest **mdp)
SEND_NOTIFICATION(INVALID_MINOR_VERSION);
return;
}
- }
+ }
+ else {
+ /* Although the comments above says that all IKEv2 minor version are acceptable */
+ /* but it does not take of it, and in case a peer sends a different minor version */
+ /* other than 0, it still sends PAYLOAD_MALFORMED packet, so fixing it here */
+ /* it checks if the in_struct failure is due to minor version with ikev2 */
+ /* As per RFC 4306, ignore minor version numbers */
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
return;
+ }
}
if (md->packet_pbs.roof != md->message_pbs.roof)
diff -urNp openswan-2.6.32-patched/programs/pluto/hmac.c openswan-2.6.32-current/programs/pluto/hmac.c
--- openswan-2.6.32-patched/programs/pluto/hmac.c 2012-02-01 13:42:06.134534439 -0500
+++ openswan-2.6.32-current/programs/pluto/hmac.c 2012-02-09 14:32:41.612709357 -0500
@@ -158,9 +158,13 @@ hmac_update(struct hmac_ctx *ctx,
const u_char *data, size_t data_len)
{
#ifdef HAVE_LIBNSS
+ DBG(DBG_CRYPT, DBG_dump("hmac_update data value: ", data, data_len));
if(data_len > 0) {
+ DBG(DBG_CRYPT, DBG_log("hmac_update: inside if"));
SECStatus status = PK11_DigestOp(ctx->ctx_nss, data, data_len);
+ DBG(DBG_CRYPT, DBG_log("hmac_update: after digest"));
PR_ASSERT(status == SECSuccess);
+ DBG(DBG_CRYPT, DBG_log("hmac_update: after assert"));
}
#else
ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
e8916e5cb6487118130934db089d8fa5
>
files
>
29
