Merge "Add null checking to two protectFromVpn calls"
am: 335d482d9d
Change-Id: I89afe81145a933a668503ca275308ff668fee169
diff --git a/setup.c b/setup.c
index 9056b63..58e86f1 100644
--- a/setup.c
+++ b/setup.c
@@ -85,6 +85,26 @@
}
}
+static void add_sainfo() {
+ if (pk_checkalg(algclass_ipsec_auth, algtype_hmac_sha2_512, 0) == 0) {
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_512, 0);
+ } else {
+ do_plog(LLV_WARNING, "Kernel does not support SHA512, not enabling\n");
+ }
+ if (pk_checkalg(algclass_ipsec_auth, algtype_hmac_sha2_384, 0) == 0) {
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_384, 0);
+ } else {
+ do_plog(LLV_WARNING, "Kernel does not support SHA384, not enabling\n");
+ }
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_256, 0);
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 256);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);
+}
+
static void set_globals(char *server)
{
struct addrinfo hints = {
@@ -146,13 +166,6 @@
sainfo.lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
sainfo.lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_256, 0);
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 256);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);
memset(script_names, 0, sizeof(script_names));
}
@@ -381,7 +394,8 @@
xauth->login = strtovchar(username);
xauth->login->l += 1;
xauth->pass = strtovchar(password);
- xauth->pass->l += 1;
+ // Unlike the code that reads login, the code that reads pass does not
+ // strip trailing nulls, so don't add one here.
remoteconf->xauth = xauth;
remoteconf->mode_cfg = TRUE;
remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar(phase1_up);
@@ -418,8 +432,10 @@
if (pfkey_init() < 0 || isakmp_init() < 0) {
exit(1);
}
+ add_sainfo();
monitor_fd(localconf.sock_pfkey, (void *)pfkey_handler);
add_isakmp_handler(myaddrs[0].sock, argv[1]);
+
#ifdef ENABLE_NATT
add_isakmp_handler(myaddrs[1].sock, argv[1]);
natt_keepalive_init();
@@ -489,12 +505,23 @@
/* Add proposals. */
add_proposal(remoteconf, auth,
+ OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 256);
+ add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 256);
+ // VPNs to openswan breaks when SHA2_512 is used as the first proposal.
+ // openswan supports SHA2_256 or lower hash alg. With this add_proposal
+ // order, openswan picks SHA2_256 and others pick SHA2_384
+ add_proposal(remoteconf, auth,
+ OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256);
add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 256);
add_proposal(remoteconf, auth,
+ OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 128);
+ add_proposal(remoteconf, auth,
+ OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 128);
+ add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 128);
add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 128);
