diff -urNp openswan-2.6.32-patched/include/ietf_constants.h openswan-2.6.32-current/include/ietf_constants.h --- openswan-2.6.32-patched/include/ietf_constants.h 2012-02-01 13:42:07.073535499 -0500 +++ openswan-2.6.32-current/include/ietf_constants.h 2012-02-01 13:42:07.448535921 -0500 @@ -508,6 +508,7 @@ extern const char *const sit_bit_names[] /* Critical bit in each payload */ /* extern enum_names critical_names; */ +extern const char *const critical_names[]; #define ISAKMP_PAYLOAD_NONCRITICAL 0x00 #define ISAKMP_PAYLOAD_CRITICAL 0x80 diff -urNp openswan-2.6.32-patched/include/names_constant.h openswan-2.6.32-current/include/names_constant.h --- openswan-2.6.32-patched/include/names_constant.h 2012-02-01 13:42:07.067535493 -0500 +++ openswan-2.6.32-current/include/names_constant.h 2012-02-01 13:42:07.447535920 -0500 @@ -61,7 +61,7 @@ extern enum_names notification_names; extern enum_names ipsec_notification_names; /* IKEv2 */ -extern enum_names critical_names; +//extern enum_names critical_names; extern enum_names ikev2_auth_names; extern enum_names trans_type_names; extern enum_names trans_type_encr_names; diff -urNp openswan-2.6.32-patched/lib/libopenswan/constants.c openswan-2.6.32-current/lib/libopenswan/constants.c --- openswan-2.6.32-patched/lib/libopenswan/constants.c 2012-02-01 13:42:06.725535107 -0500 +++ openswan-2.6.32-current/lib/libopenswan/constants.c 2012-02-01 13:42:07.419535889 -0500 
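Review bot: The old declaration is commented out with `//` instead of being removed (`//extern enum_names critical_names;`), and the same pattern recurs in constants.c (the eight `//const char ...` / `//enum_names ...` lines) and in every packet.c field table touched below (`//{ ft_mbz, ... }`, `//{ ft_enum, ... &critical_names }`). Dead code in comments stays with the file, and since `critical_names` now has a different type in ietf_constants.h, anyone who later uncomments either declaration gets a conflicting one. Delete the old lines outright; version control keeps the history, and the ietf_constants.h hunk already carries the only declaration that should survive, `extern const char *const critical_names[];`.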
@@ -1066,14 +1066,28 @@ enum_names attr_msg_type_names = /* * IKEv2 CRITICAL BYTE "enum" */ -const char *const critical_name[]= { "Payload-Critical", NULL }; -const char *const no_critical_name[]= { "Payload-Non-Critical", NULL }; -enum_names no_crit_names ={ ISAKMP_PAYLOAD_NONCRITICAL, - ISAKMP_PAYLOAD_NONCRITICAL, - no_critical_name, NULL}; -enum_names critical_names = -{ ISAKMP_PAYLOAD_CRITICAL, ISAKMP_PAYLOAD_CRITICAL, - critical_name, &no_crit_names}; +//const char *const critical_name[]= { "Payload-Critical", NULL }; +//const char *const no_critical_name[]= { "Payload-Non-Critical", NULL }; +//enum_names no_crit_names ={ ISAKMP_PAYLOAD_NONCRITICAL, +// ISAKMP_PAYLOAD_NONCRITICAL, +// no_critical_name, NULL}; +//enum_names critical_names = +//{ ISAKMP_PAYLOAD_CRITICAL, ISAKMP_PAYLOAD_CRITICAL, +// critical_name, &no_crit_names}; + + +/* IKEv2 Critical bit and RESERVED (7) bits*/ +const char *const critical_names[] = { + "RESERVED", /* bit 0 */ + "RESERVED", /* bit 1 */ + "RESERVED", /* bit 2 */ + "RESERVED", /* bit 3 */ + "RESERVED", /* bit 4 */ + "RESERVED", /* bit 5 */ + "RESERVED", /* bit 6 */ + "PAYLOAD_CRITICAL", /* bit 7*/ + }; + /* Transform-type Encryption */ const char *const trans_type_encr_name[]={ diff -urNp openswan-2.6.32-patched/lib/libpluto/packet.c openswan-2.6.32-current/lib/libpluto/packet.c --- openswan-2.6.32-patched/lib/libpluto/packet.c 2012-02-01 13:42:06.782535171 -0500 +++ openswan-2.6.32-current/lib/libpluto/packet.c 2012-02-01 23:04:32.333132215 -0500 @@ -610,7 +610,7 @@ struct_desc isakmp_nat_oa = { "ISAKMP NA */ static field_desc ikev2generic_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names}, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_end, 0, NULL, NULL } }; 
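Review bot: The new `critical_names[]` table has no terminating `NULL`, so its end is only implied by the 8-bit width of the fields it annotates, and nothing next to the table says so. If the bit-name helpers walk the table until a `NULL` entry (I cannot see `bitnamesof`/`testset` from this diff), any caller passing a value with a bit above index 7 would read past the end. Add a trailing entry and fix the comment spacing: `"PAYLOAD_CRITICAL", /* bit 7 */` followed by `NULL,` before the closing brace. The logged name also changes from `Payload-Critical` to `PAYLOAD_CRITICAL`, which anyone grepping logs for the old string should be told.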
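Review bot: Switching `critical bit` in `ikev2generic_fields` from `ft_enum` to `ft_set` makes the parser accept every value of the byte (the 8-entry table names all bits), whereas the enum form only admitted 0x00 and 0x80. Ignoring the seven reserved bits is what RFC 5996 asks of a receiver, but nothing in this diff reads the parsed byte afterwards, so the critical flag is accepted and then dropped; RFC 5996 §2.5 requires an unrecognized payload whose C bit is set to be rejected with UNSUPPORTED_CRITICAL_PAYLOAD. If that check lives in whichever caller uses this generic descriptor, it is not visible here and deserves a pointer on this line, e.g. `/* C bit (0x80) is only parsed here; rejecting unknown critical payloads (RFC 5996 2.5) is the caller's job */`.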
@@ -752,7 +752,8 @@ struct_desc ikev2_trans_attr_desc = { */ static field_desc ikev2ke_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_nat, 16/BITS_PER_BYTE, "transform type", &oakley_group_names }, { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL }, @@ -795,7 +796,8 @@ struct_desc ikev2_ke_desc = { "IKEv2 Key static field_desc ikev2id_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_enum, 8/BITS_PER_BYTE, "id_type", &ident_names }, { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, @@ -823,7 +825,8 @@ struct_desc ikev2_id_desc = { "IKEv2 Ide */ static field_desc ikev2_cert_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names }, + //{ ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_enum, 8/BITS_PER_BYTE, "ikev2 cert encoding", &ikev2_cert_type_names }, { ft_end, 0, NULL, NULL } @@ -850,7 +853,8 @@ struct_desc ikev2_certificate_desc = { " static field_desc ikev2_cert_req_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names }, + //{ ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_enum, 8/BITS_PER_BYTE, "ikev2 cert encoding", &ikev2_cert_type_names }, { ft_end, 0, NULL, NULL } 
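Review bot: Replacing `ft_mbz` with `ft_set` on the second header byte of `ikev2ke_fields` means a peer that sets a reserved bit no longer has the payload rejected, which matches RFC 5996's rule that RESERVED fields are ignored on receipt, but the same table keeps `{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL }` for the KE payload's 16-bit RESERVED field, and `ikev2id_fields` keeps an 8-bit `ft_mbz` after `id_type`, so one payload is now half tolerant and half strict. Either those fields should follow the same rule or the decision to keep rejecting non-zero there should be stated in a comment on the remaining `ft_mbz` lines. The same header-byte change is made in `ikev2id_fields`, `ikev2_cert_fields` and `ikev2_cert_req_fields` on this line, in `ikev2a_fields` and `ikev2_notify_fields` in the next hunks, and in `ikev2ts_fields` further down; for cert and cert_req the old form was `ft_enum` with `&critical_names`, so there the only behavioural change is that reserved bits are now tolerated.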
@@ -878,7 +882,8 @@ struct_desc ikev2_certificate_req_desc = */ static field_desc ikev2a_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_enum, 8/BITS_PER_BYTE, "auth method", &ikev2_auth_names }, { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, @@ -937,7 +942,8 @@ struct_desc ikev2_nonce_desc = { "IKEv2 */ static field_desc ikev2_notify_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names }, + //{ ft_enum, 8/BITS_PER_BYTE, "critical bit", &critical_names }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_enum, 8/BITS_PER_BYTE, "Protocol ID", &protocol_names }, /* names used are v1 names may be we should use 4306 3.3.1 names */ 
@@ -949,6 +955,37 @@ static field_desc ikev2_notify_fields[] struct_desc ikev2_notify_desc = { "IKEv2 Notify Payload", ikev2_notify_fields, sizeof(struct ikev2_notify) }; + +/* IKEv2 Delete Payload + * layout from RFC 5996 Section 3.11 + * This is followed by a variable length SPI. + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * ! Next Payload !C| RESERVED ! Payload Length ! + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * ! Protocol ID ! SPI Size ! Num of SPIs ! + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * ! ! + * ~ Security Parameter Index(es) (SPI) ~ + * ! ! + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +static field_desc ikev2_delete_fields[] = { + { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, + { ft_len, 16/BITS_PER_BYTE, "length", NULL }, + { ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL }, + { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL }, + { ft_nat, 16/BITS_PER_BYTE, "number of SPIs", NULL }, + { ft_end, 0, NULL, NULL } +}; + +struct_desc ikev2_delete_desc = { "IKEv2 Delete Payload", + ikev2_delete_fields, sizeof(struct ikev2_delete) }; + /* * 3.12. Vendor ID Payload * @@ -993,7 +1030,8 @@ struct_desc ikev2_vendor_id_desc = { "IK */ static field_desc ikev2ts_fields[] = { { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names }, - { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + //{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, + { ft_set, 8/BITS_PER_BYTE, "critical bit", critical_names}, { ft_len, 16/BITS_PER_BYTE, "length", NULL }, { ft_nat, 8/BITS_PER_BYTE, "number of TS", NULL}, { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL }, 
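Review bot: `ikev2_delete_fields` covers only the fixed 8-byte header, so the two values it parses, `SPI size` and `number of SPIs`, bound a variable-length SPI list that no code in this diff reads; whatever consumes `ikev2_delete_desc` must check `SPI size * number of SPIs` against the remaining payload length before walking the SPIs, and per RFC 5996 §3.11 the SPI size is 0 for protocol IKE and 4 for AH/ESP. `protocol ID` is parsed as `ft_nat` with no name table while `ikev2_notify_fields` just above uses `{ ft_enum, 8/BITS_PER_BYTE, "Protocol ID", &protocol_names }`; the same form here would reject unknown protocol IDs at parse time and log them by name. `struct ikev2_delete` is not defined anywhere in this diff, so confirm its definition is the packed 8-byte layout the table describes, since `sizeof` feeds the header size. Registering the descriptor at slot 42 of `payload_descs` (next hunk) turns a payload that was presumably rejected as unknown into an accepted one, so the consumer that validates the SPI list needs to land in the same change.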
@@ -1107,7 +1145,7 @@ struct_desc *const payload_descs[ISAKMP_ &ikev2_a_desc, /* 39 */ &ikev2_nonce_desc, /* 40 */ &ikev2_notify_desc, /* 41 */ - NULL, /* 42 */ + &ikev2_delete_desc, /* 42 */ &ikev2_vendor_id_desc, /* 43 */ &ikev2_ts_desc, &ikev2_ts_desc, /* 44, 45 */ &ikev2_e_desc, /* 46 */ diff -urNp openswan-2.6.32-patched/programs/pluto/demux.c openswan-2.6.32-current/programs/pluto/demux.c --- openswan-2.6.32-patched/programs/pluto/demux.c 2012-02-01 13:42:06.206534523 -0500 +++ openswan-2.6.32-current/programs/pluto/demux.c 2012-02-01 13:42:07.269535719 -0500 @@ -135,9 +135,16 @@ process_packet(struct msg_digest **mdp) SEND_NOTIFICATION(INVALID_MINOR_VERSION); return; } - } + } + else { + /* Although the comments above says that all IKEv2 minor version are acceptable */ + /* but it does not take of it, and in case a peer sends a different minor version */ + /* other than 0, it still sends PAYLOAD_MALFORMED packet, so fixing it here */ + /* it checks if the in_struct failure is due to minor version with ikev2 */ + /* As per RFC 4306, ignore minor version numbers */ SEND_NOTIFICATION(PAYLOAD_MALFORMED); return; + } } if (md->packet_pbs.roof != md->message_pbs.roof) diff -urNp openswan-2.6.32-patched/programs/pluto/hmac.c openswan-2.6.32-current/programs/pluto/hmac.c --- openswan-2.6.32-patched/programs/pluto/hmac.c 2012-02-01 13:42:06.134534439 -0500 +++ openswan-2.6.32-current/programs/pluto/hmac.c 2012-02-09 14:32:41.612709357 -0500 @@ -158,9 +158,13 @@ hmac_update(struct hmac_ctx *ctx, const u_char *data, size_t data_len) { #ifdef HAVE_LIBNSS + DBG(DBG_CRYPT, DBG_dump("hmac_update data value: ", data, data_len)); if(data_len > 0) { + DBG(DBG_CRYPT, DBG_log("hmac_update: inside if")); SECStatus status = PK11_DigestOp(ctx->ctx_nss, data, data_len); + DBG(DBG_CRYPT, DBG_log("hmac_update: after digest")); PR_ASSERT(status == SECSuccess); + DBG(DBG_CRYPT, DBG_log("hmac_update: after assert")); } #else ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
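Review bot: Wrapping `SEND_NOTIFICATION(PAYLOAD_MALFORMED)` in an `else` means that when the preceding `if` holds but neither version notification fires, `process_packet` now continues past a failed `in_struct` of the header; that `if` condition and the `in_struct` call are above the hunk, so I cannot confirm `md->hdr` is fully populated in that case, and continuing on a partially parsed header is the risky side of this change. The four-line comment is also attached to the branch it does not describe: it explains why the minor version is tolerated, directly above the line that still sends PAYLOAD_MALFORMED. Move it onto the `if`, fix the typo `does not take of it`, and shorten it to `/* RFC 4306: a differing IKEv2 minor version is not an error; only a real parse failure is PAYLOAD_MALFORMED */`. A more robust fix is to mask the minor version before the header is checked rather than to forgive a parse failure after the fact.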
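Review bot: `DBG_dump("hmac_update data value: ", data, data_len)` writes every byte fed into the HMAC to the debug log; depending on the caller that input can be keying material or other secret-derived data, so a node running with DBG_CRYPT enabled would copy it to wherever pluto logs. The three `DBG_log` lines (`inside if`, `after digest`, `after assert`) carry nothing beyond control flow and read as leftovers from a debugging session. Drop all four before merging, or keep at most a length-only line such as `DBG(DBG_CRYPT, DBG_log("hmac_update: %lu bytes", (unsigned long)data_len));`. While here, note that `PR_ASSERT(status == SECSuccess)` on the context line is a no-op outside debug builds, so a failing `PK11_DigestOp` goes unreported; that is pre-existing, but a real status check would be worth adding.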