📄 plutoalg.c
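/*
 * NOTE(review): this excerpt begins in the middle of a function (presumably
 * kernel_alg_policy_algorithms(), the helper kernel_alg_db_add() calls
 * below); the switch head and the signature lie before this excerpt.  The
 * fragment is reproduced unchanged.
 */
case ESP_3DES:
case ESP_NULL:
case ESP_CAST:
    break;
default:
    if (!esp_info->esp_ealg_keylen) {
        /*
         * Algorithms that need a KEY_LENGTH attribute: when the esp=
         * string gave none, default to the largest key size the kernel
         * reported for this algorithm.
         *
         * Note: this is a very dirty hack ;-)
         *
         * XXX:jjo
         * Idea: Add a key_length_needed attribute to esp_ealg ??
         */
        esp_info->esp_ealg_keylen= esp_ealg[ealg_i].sadb_alg_maxbits;
    }
}
}

/*
 * Add one ESP transform to the proposal being built in db_ctx: the
 * encryption algorithm, plus (unless POLICY_AUTHENTICATE is set) an
 * AUTH_ALGORITHM attribute and, when a key length is known, a KEY_LENGTH
 * attribute.
 *
 * esp_info is modified in place by kernel_alg_policy_algorithms() (it may
 * fill in esp_ealg_keylen), which is why callers hand in a copy - see
 * kernel_alg_db_new().
 *
 * Returns FALSE, adding nothing, when the kernel did not report the
 * encryption algorithm or (when checked) the authentication algorithm.
 */
static bool
kernel_alg_db_add(struct db_context *db_ctx, struct esp_info *esp_info, lset_t policy)
{
    int ealg_i, aalg_i;

    ealg_i = esp_info->esp_ealg_id;
    if (!ESP_EALG_PRESENT(ealg_i)) {
        DBG_log("kernel_alg_db_add() "
                "kernel enc ealg_id=%d not present", ealg_i);
        return FALSE;
    }

    if (!(policy & POLICY_AUTHENTICATE)) {
        /* skip ESP auth attrs for AH */
        aalg_i = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
        if (!ESP_AALG_PRESENT(aalg_i)) {
            DBG_log("kernel_alg_db_add() kernel auth "
                    "aalg_id=%d not present", aalg_i);
            return FALSE;
        }
    }

    /* apply per-algorithm policy (may set a default esp_ealg_keylen) */
    kernel_alg_policy_algorithms(esp_info);

    /* open new transformation */
    db_trans_add(db_ctx, ealg_i);

    /* add ESP auth attr */
    if (!(policy & POLICY_AUTHENTICATE))
        db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);

    /* add key length if specified in the esp= string (or defaulted above) */
    if (esp_info->esp_ealg_keylen) {
        db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
    }

    return TRUE;
}

/*
 * Create a PROTO_IPSEC_ESP proposal from the algorithms the kernel
 * reported, restricted to the entries of alg_info when it is non-NULL;
 * with a NULL alg_info every kernel enc/auth combination is proposed.
 *
 * Returns NULL when policy lacks POLICY_ENCRYPT (AH-only modes) or when
 * the proposal context / proposal could not be obtained.  The caller owns
 * the returned context and releases it with db_destroy() (see
 * kernel_alg_makedb()).
 *
 * NOTE(review): an older comment here claimed this function free()s the
 * pointer returned by its previous call; no such code is present in this
 * function.
 */
struct db_context *
kernel_alg_db_new(struct alg_info_esp *alg_info, lset_t policy)
{
    int ealg_i, aalg_i, tn = 0;
    int i;
    const struct esp_info *esp_info;
    /* zeroed: the "propose everything" path below only sets four fields */
    struct esp_info tmp_esp_info = { 0 };
    struct db_context *ctx_new = NULL;
    struct db_trans *t;
    struct db_prop *prop;
    int trans_cnt;

    if (!(policy & POLICY_ENCRYPT)) {
        /* possible for AH-only modes */
        DBG(DBG_CONTROL, DBG_log("algo code only works for encryption modes"));
        return NULL;
    }

    trans_cnt = (esp_ealg_num * esp_aalg_num);
    DBG(DBG_EMITTING, DBG_log("kernel_alg_db_new() "
                              "initial trans_cnt=%d", trans_cnt));

    /* pass approx. number of transforms and attributes */
    ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2);
    if (ctx_new == NULL) {
        /* defensive: nothing below can run without a context */
        DBG(DBG_CONTROL, DBG_log("kernel_alg_db_new() failed to create proposal context"));
        return NULL;
    }

    /*
     * Loop: for each element (struct esp_info) of alg_info, if kernel
     * support is present then build the transform (and attrs).
     * If alg_info is NULL, propose everything.
     *
     * kernel_alg_db_add() may modify its esp_info, so it always gets a
     * copy.
     */
    if (alg_info) {
        ALG_INFO_ESP_FOREACH(alg_info, esp_info, i) {
            tmp_esp_info = *esp_info;
            kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
        }
    } else {
        ESP_EALG_FOR_EACH_UPDOWN(ealg_i) {
            tmp_esp_info.esp_ealg_id = ealg_i;
            tmp_esp_info.esp_ealg_keylen = 0;
            ESP_AALG_FOR_EACH(aalg_i) {
                tmp_esp_info.esp_aalg_id = alg_info_esp_sadb2aa(aalg_i);
                tmp_esp_info.esp_aalg_keylen = 0;
                kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
            }
        }
    }

    prop = db_prop_get(ctx_new);
    if (prop == NULL) {
        /* same failure handling as kernel_alg_makedb(); avoids the NULL deref below */
        DBG(DBG_CONTROL, DBG_log("kernel_alg_db_new() failed to get proposal from context"));
        db_destroy(ctx_new);
        return NULL;
    }

    DBG(DBG_CONTROL|DBG_EMITTING, DBG_log("kernel_alg_db_new() "
        "will return p_new->protoid=%d, p_new->trans_cnt=%d",
        prop->protoid, prop->trans_cnt));

    /*
     * Count the transforms actually emitted, stopping at the first slot
     * whose transid is 0.  The bound check is evaluated before the
     * transid read so a fully used trans[] is never read one past its end.
     */
    for (t = prop->trans, tn = 0;
         t != NULL && tn < prop->trans_cnt && t[tn].transid != 0;
         tn++) {
        DBG(DBG_CONTROL|DBG_EMITTING, DBG_log("kernel_alg_db_new() "
            " trans[%d]: transid=%d, attr_cnt=%d, "
            "attrs[0].type=%d, attrs[0].val=%d",
            tn, t[tn].transid, t[tn].attr_cnt,
            t[tn].attrs ? t[tn].attrs[0].type : -1,
            t[tn].attrs ? t[tn].attrs[0].val : -1));
    }
    prop->trans_cnt = tn;

    return ctx_new;
}

/*
 * Final acceptance check of an ESP transform negotiated with the peer
 * (ML: make F_STRICT logic consider enc,auth algorithms).
 *
 * ealg, key_len and aalg come from the peer's ESP attributes.  A key_len
 * of 0 (fixed-key algorithms such as 3DES are sent that way) is replaced
 * by the kernel's default key length for ealg.
 *
 * A key shorter than 128 bits is treated as insecure and is accepted only
 * if the esp= string lists that enc/auth combination; with
 * ALG_INFO_F_STRICT every transform must be listed.  Caveat: an esp=
 * entry without an explicit key length (esp_ealg_keylen == 0) matches
 * any peer key length for that algorithm, short ones included - they are
 * then accepted with only a warning logged.  Everything else is logged
 * and refused.
 *
 * Returns TRUE to accept the transform, FALSE to refuse it.
 */
bool
kernel_alg_esp_ok_final(int ealg, unsigned int key_len, int aalg, struct alg_info_esp *alg_info)
{
    int ealg_insecure;

    /*
     * key_len passed comes from esp_attrs read from peer.  For many older
     * algorithms (eg 3DES) this key_len is fixed and gets passed as 0
     * ... then get the default key_len.
     */
    if (key_len == 0)
        key_len = kernel_alg_esp_enc_keylen(ealg) * BITS_PER_BYTE;

    /*
     * simple test to toss low key_len, will accept it only if specified
     * in "esp" string
     */
    ealg_insecure = (key_len < 128);

    if (ealg_insecure || (alg_info && (alg_info->alg_info_flags & ALG_INFO_F_STRICT))) {
        int i;
        struct esp_info *esp_info;

        if (alg_info) {
            ALG_INFO_ESP_FOREACH(alg_info, esp_info, i) {
                /*
                 * key_len == 0 here means the kernel reported no default
                 * for ealg; any listed key length then matches.
                 */
                if ((esp_info->esp_ealg_id == ealg)
                    && ((esp_info->esp_ealg_keylen == 0)
                        || (key_len == 0)
                        || (esp_info->esp_ealg_keylen == key_len))
                    && (esp_info->esp_aalg_id == aalg)) {
                    if (ealg_insecure)
                        loglog(RC_LOG_SERIOUS,
                               "You should NOT use insecure ESP algorithms [%s (%d)]!",
                               enum_name(&esp_transformid_names, ealg), key_len);
                    return TRUE;
                }
            }
        }
        openswan_log("IPsec Transform [%s (%d), %s] refused due to %s",
                     enum_name(&esp_transformid_names, ealg), key_len,
                     enum_name(&auth_alg_names, aalg),
                     ealg_insecure
                         ? "insecure key_len and enc. alg. not listed in \"esp\" string"
                         : "strict flag");
        return FALSE;
    }

    return TRUE;
}

/*
 * Report (via whack) every ESP encryption and authentication algorithm
 * the kernel registered, with its IV length / key size range.
 */
void
kernel_alg_show_status(void)
{
    unsigned sadb_id, id;
    struct sadb_alg *alg_p;

    ESP_EALG_FOR_EACH(sadb_id) {
        id = sadb_id;
        alg_p = &esp_ealg[sadb_id];
        whack_log(RC_COMMENT, "algorithm ESP encrypt: id=%d, name=%s, "
                  "ivlen=%d, keysizemin=%d, keysizemax=%d",
                  id,
                  enum_name(&esp_transformid_names, id),
                  alg_p->sadb_alg_ivlen,
                  alg_p->sadb_alg_minbits,
                  alg_p->sadb_alg_maxbits);
    }
    ESP_AALG_FOR_EACH(sadb_id) {
        /* auth algs are indexed by SADB id; the id shown is translated with alg_info_esp_sadb2aa() */
        id = alg_info_esp_sadb2aa(sadb_id);
        alg_p = &esp_aalg[sadb_id];
        whack_log(RC_COMMENT, "algorithm ESP auth attr: id=%d, name=%s, "
                  "keysizemin=%d, keysizemax=%d",
                  id,
                  enum_name(&auth_alg_names, id),
                  alg_p->sadb_alg_minbits,
                  alg_p->sadb_alg_maxbits);
    }
}

/*
 * Report (via whack) the ESP algorithms configured for connection c, both
 * as parsed ("wanted") and as loaded, plus the algorithm of its newest
 * IPsec SA when one exists.  Connections without an esp= string are
 * silently skipped.
 */
void
kernel_alg_show_connection(struct connection *c, const char *instance)
{
    char buf[256];
    struct state *st;

    if (c->alg_info_esp == NULL)
        return;

    alg_info_snprint(buf, sizeof(buf), (struct alg_info *)c->alg_info_esp, TRUE);
    whack_log(RC_COMMENT,
              "\"%s\"%s: ESP algorithms wanted: %s",
              c->name, instance, buf);

    alg_info_snprint_esp(buf, sizeof(buf), c->alg_info_esp);
    whack_log(RC_COMMENT,
              "\"%s\"%s: ESP algorithms loaded: %s",
              c->name, instance, buf);

    st = state_with_serialno(c->newest_ipsec_sa);
    if (st && st->st_esp.present) {
        /*
         * The enum_show() results are printed without their "ESP_",
         * "AUTH_ALGORITHM_" and "OAKLEY_GROUP_" prefixes by skipping that
         * many bytes.  NOTE(review): this assumes enum_show() returns a
         * string at least that long for these ids - confirm what it
         * returns for an id missing from the table.
         */
        whack_log(RC_COMMENT,
                  "\"%s\"%s: ESP algorithm newest: %s_%d-%s; pfsgroup=%s",
                  c->name, instance,
                  enum_show(&esp_transformid_names, st->st_esp.attrs.transid) + 4, /* strlen("ESP_") */
                  st->st_esp.attrs.key_len,
                  enum_show(&auth_alg_names, st->st_esp.attrs.auth) + 15, /* strlen("AUTH_ALGORITHM_") */
                  (c->policy & POLICY_PFS)
                      ? (c->alg_info_esp->esp_pfsgroup
                         ? enum_show(&oakley_group_names, c->alg_info_esp->esp_pfsgroup) + 13 /* strlen("OAKLEY_GROUP_") */
                         : "<Phase1>")
                      : "<N/A>");
    }
}

/*
 * Build a db_sa holding a single conjunction of the single ESP proposal
 * derived from ei (POLICY_ENCRYPT only, for now).
 *
 * Returns a freshly allocated copy made by sa_copy_sa() that the caller
 * owns, or NULL when ei is NULL or the proposal could not be built.  The
 * temporary db_context is always released before returning.
 */
struct db_sa *
kernel_alg_makedb(struct alg_info_esp *ei)
{
    struct db_context *dbnew;
    struct db_prop *p;
    /* zero-initialised so sa_copy_sa() never sees indeterminate fields */
    struct db_prop_conj pc = { 0 };
    struct db_sa t = { 0 };
    struct db_sa *n;
    lset_t policy = POLICY_ENCRYPT; /* hack for now */

    if (ei == NULL) {
        DBG(DBG_CONTROL, DBG_log("empty esp_info, returning empty"));
        return NULL;
    }

    dbnew = kernel_alg_db_new(ei, policy);
    if (!dbnew) {
        DBG(DBG_CONTROL, DBG_log("failed to translate esp_info to proposal, returning empty"));
        return NULL;
    }

    p = db_prop_get(dbnew);
    if (!p) {
        DBG(DBG_CONTROL, DBG_log("failed to get proposal from context, returning empty"));
        db_destroy(dbnew);
        return NULL;
    }

    pc.prop_cnt = 1;
    pc.props = p;
    t.prop_conj_cnt = 1;
    t.prop_conjs = &pc;

    /* make a fresh copy: t and pc live only on this stack frame */
    n = sa_copy_sa(&t, 0);
    db_destroy(dbnew);

    DBG(DBG_CONTROL, DBG_log("returning new proposal from esp_info"));
    return n;
}

/*
 * Local Variables:
 * c-basic-offset:4
 * c-style: pluto
 * End:
 */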