Hello community,
here is the log from the commit of package strongswan for openSUSE:Factory
checked in at 2017-08-24 18:45:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
and /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan"
Thu Aug 24 18:45:53 2017 rev:64 rq:514549 version:5.5.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2016-11-29
12:50:29.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes
2017-08-24 18:46:10.094058758 +0200
@@ -1,0 +2,80 @@
+Mon Jul 31 18:30:28 CEST 2017 - n...@suse.de
+
+- Updated to strongSwan 5.3.5 providing the following changes:
+ *Fixed a DoS vulnerability in the gmp plugin that was caused by
insufficient input
+ validation when verifying RSA signatures. More specifically,
mpz_powm_sec() has two
+ requirements regarding the passed exponent and modulus that the plugin did
not
+ enforce, if these are not met the calculation will result in a floating
point exception
+ that crashes the whole process.
+ This vulnerability has been registered as CVE-2017-9022.
+ Please refer to our blog for details.
+
+ *Fixed a DoS vulnerability in the x509 plugin that was caused because the
ASN.1 parser
+ didn't handle ASN.1 CHOICE types properly, which could result in an
infinite loop when
+ parsing X.509 extensions that use such types.
+ This vulnerability has been registered as CVE-2017-9023.
+ Please refer to our blog for details.
+
+ *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to
avoid
+ traffic loss. When responding to a CREATE_CHILD_SA request to rekey a
CHILD_SA
+ the responder already has everything available to install and use the new
CHILD_SA.
+ However, this could lead to lost traffic as the initiator won't be able to
process
+ inbound packets until it processed the CREATE_CHILD_SA response and
updated the
+ inbound SA. To avoid this the responder now only installs the new inbound
SA and
+ delays installing the outbound SA until it receives the DELETE for the
replaced CHILD_SA.
+
+ *The messages transporting these DELETEs could reach the peer before
packets sent
+ with the deleted outbound SAs reach it. To reduce the chance of traffic
loss due
+ to this the inbound SA of the replaced CHILD_SA is not removed for a
configurable
+ amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been
processed.
+
+ *The code base has been ported to Apple's ARM64 iOS platform, which
required several
+ changes regarding the use of variadic functions. This was necessary
because the calling
+ conventions for variadic and regular functions are different there.
+ This means that assigning a non-variadic function to a variadic function
pointer, as we
+ did with our enumerator_t::enumerate() implementations and several
callbacks, will
+ result in crashes as the called function accesses the arguments
differently than the
+ caller provided them. To avoid this issue the enumerator_t interface has
been changed
+ and the signature of the callback functions for enumerator_create_filter()
and two
+ methods on linked_list_t have been changed. Refer to the developer notes
below
+ for details.
+
+ *Adds support for fuzzing the certificate parser provided by the default
plugins
+ (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally
with
+ libFuzzer). Several issues found while fuzzing these plugins were fixed.
+
+ *Two new options have been added to charon's retransmission settings:
+ retransmit_limit and retransmit_jitter. The former adds an upper limit to
the
+ calculated retransmission timeout, the latter randomly reduces it.
+ Refer to Retransmission for details.
+
+ *A bug in swanctl's --load-creds command was fixed that caused unencrypted
+ private keys to get unloaded if the command was called multiple times.
+ The load-key VICI command now returns the key ID of the loaded key on
success.
+
+ *The credential manager now enumerates local credential sets before global
ones.
+ This means certificates supplied by the peer will now be preferred over
certificates
+ with the same identity that may be locally stored (e.g. in the certificate
cache).
+
+ *Adds support for hardware offload of IPsec SAs as introduced by Linux
4.11 for
+ specific hardware that supports this.
+
+ *The pki tool loads the curve25519 plugin by default.
+ [- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch,
+ - 0007-asn1-parser-Fix-CHOICE-parsing.patch]
+- libhydra is removed as all kernel plugins moved to libcharon
+
+-------------------------------------------------------------------
+Tue May 23 14:25:32 CEST 2017 - n...@suse.de
+
+- Applied patch for "Don't retransmit Aggressive Mode response"
+ bsc#985012.
+- Applied upstream patch for "Insufficient Input Validation in gmp Plugin"
+ bsc#1039514(CVE-2017-9022).
+- Applied upstream patch for "Incorrect x509 ASN.1 parser error handling"
+ bsc#1039515(CVE-2017-9023).
+ [+0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch,
+ +0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch,
+ +0007-asn1-parser-Fix-CHOICE-parsing.patch]
+
+-------------------------------------------------------------------
Old:
----
strongswan-5.3.5-rpmlintrc
strongswan-5.3.5.tar.bz2
strongswan-5.3.5.tar.bz2.sig
New:
----
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
strongswan-5.5.3-rpmlintrc
strongswan-5.5.3.tar.bz2
strongswan-5.5.3.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.XrnW46/_old 2017-08-24 18:46:11.105916286 +0200
+++ /var/tmp/diff_new_pack.XrnW46/_new 2017-08-24 18:46:11.109915722 +0200
@@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: strongswan
-Version: 5.3.5
+Version: 5.5.3
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@@ -82,6 +82,7 @@
Patch3: %{name}_fipscheck.patch
Patch4: %{name}_fipsfilter.patch
%endif
+Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@@ -289,9 +290,10 @@
%patch1 -p0
%patch2 -p0
%if %{with fipscheck}
-%patch3 -p0
+%patch3 -p1
%patch4 -p1
%endif
+%patch5 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@@ -566,13 +568,14 @@
%{_libexecdir}/ipsec/_fipscheck
%{_libexecdir}/ipsec/.*.hmac
%{_sbindir}/.ipsec.hmac
-
%endif
%files ipsec
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
+%dir %{_sysconfdir}/swanctl
%dir %{_sysconfdir}/ipsec.d
%dir %{_sysconfdir}/ipsec.d/crls
%dir %{_sysconfdir}/ipsec.d/reqs
@@ -584,6 +587,7 @@
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%if %{with systemd}
%{_unitdir}/strongswan.service
+%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
%{_sbindir}/rcstrongswan
%else
%config %{_sysconfdir}/init.d/ipsec
@@ -591,6 +595,7 @@
%endif
%{_bindir}/pki
%{_sbindir}/ipsec
+%{_sbindir}/swanctl
%{_mandir}/man1/pki*.1*
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
@@ -626,6 +631,8 @@
%{strongswan_docdir}/AUTHORS
%{strongswan_docdir}/ChangeLog
%{_mandir}/man8/scepclient.8*
+%{_mandir}/man5/swanctl.conf.5.*
+%{_mandir}/man8/swanctl.8.*
%files libs0
%defattr(-,root,root)
@@ -643,8 +650,11 @@
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
%config(noreplace) %attr(600,root,root)
%{strongswan_configs}/charon/addrblock.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%config(noreplace) %attr(600,root,root)
%{strongswan_configs}/charon/curve25519.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
%if %{with afalg}
%config(noreplace) %attr(600,root,root)
%{strongswan_configs}/charon/af-alg.conf
%endif
@@ -739,7 +749,10 @@
%{strongswan_libdir}/libchecksum.so
%endif
%{strongswan_libdir}/libcharon.so.*
-%{strongswan_libdir}/libhydra.so.*
+%{strongswan_libdir}/libtpmtss.so.*
+%{strongswan_libdir}/libtpmtss.so
+%{strongswan_libdir}/libvici.so
+%{strongswan_libdir}/libvici.so.*
%{strongswan_libdir}/libpttls.so.*
%{strongswan_libdir}/libradius.so.*
%{strongswan_libdir}/libsimaka.so.*
@@ -842,6 +855,8 @@
%{strongswan_plugins}/libstrongswan-xauth-generic.so
%{strongswan_plugins}/libstrongswan-xauth-pam.so
%{strongswan_plugins}/libstrongswan-xcbc.so
+%{strongswan_plugins}/libstrongswan-curve25519.so
+%{strongswan_plugins}/libstrongswan-vici.so
%dir %{strongswan_datadir}
%dir %{strongswan_templates}
%dir %{strongswan_templates}/config
@@ -942,6 +957,8 @@
%{strongswan_templates}/config/plugins/xauth-generic.conf
%{strongswan_templates}/config/plugins/xauth-pam.conf
%{strongswan_templates}/config/plugins/xcbc.conf
+%{strongswan_templates}/config/plugins/curve25519.conf
+%{strongswan_templates}/config/plugins/vici.conf
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
%{strongswan_templates}/config/strongswan.d/charon.conf
%{strongswan_templates}/config/strongswan.d/imcv.conf
@@ -950,6 +967,7 @@
%{strongswan_templates}/config/strongswan.d/scepclient.conf
%{strongswan_templates}/config/strongswan.d/starter.conf
%{strongswan_templates}/config/strongswan.d/tnc.conf
+%{strongswan_templates}/config/strongswan.d/swanctl.conf
%{strongswan_templates}/database/imv/data.sql
%{strongswan_templates}/database/imv/tables.sql
++++++ 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch ++++++
>From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tob...@strongswan.org>
Date: Fri, 17 Jun 2016 18:19:48 +0200
Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response
These could theoretically be used for an amplified DDoS attack.
---
src/libcharon/sa/ikev1/task_manager_v1.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c
b/src/libcharon/sa/ikev1/task_manager_v1.c
index 48ec3e7..0912555 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t
*this, message_t *request)
continue;
case NEED_MORE:
/* processed, but task needs another exchange */
- if (task->get_type(task) == TASK_QUICK_MODE ||
- task->get_type(task) ==
TASK_AGGRESSIVE_MODE)
+ if (task->get_type(task) == TASK_QUICK_MODE)
{ /* we rely on initiator retransmission,
except for
* three-message exchanges */
expect_request = TRUE;
--
2.13.2
++++++ strongswan-5.3.5-rpmlintrc -> strongswan-5.5.3-rpmlintrc ++++++
++++++ strongswan-5.3.5.tar.bz2 -> strongswan-5.5.3.tar.bz2 ++++++
++++ 294371 lines of diff (skipped)
++++++ strongswan_fipscheck.patch ++++++
--- /var/tmp/diff_new_pack.XrnW46/_old 2017-08-24 18:46:20.660570967 +0200
+++ /var/tmp/diff_new_pack.XrnW46/_new 2017-08-24 18:46:20.660570967 +0200
@@ -1,8 +1,10 @@
---- src/ipsec/_ipsec.in
-+++ src/ipsec/_ipsec.in
-@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR
IPSEC_PIDDIR IPSEC_SCR
+diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
+index ea399b8..ea8ed8a 100644
+--- a/src/ipsec/_ipsec.in
++++ b/src/ipsec/_ipsec.in
+@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and
Applications\nUniversity o
- IPSEC_DISTRO="Institute for Internet Technologies and
Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
+ command_dir="$IPSEC_DIR"
+fipscheck()
+{
@@ -27,7 +29,7 @@
case "$1" in
'')
echo "$IPSEC_SCRIPT command [arguments]"
-@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
+@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
shift
if [ -e $IPSEC_CHARON_PID ]
then
@@ -35,7 +37,7 @@
$IPSEC_STROKE "$op" "$@"
rc="$?"
fi
-@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts)
+@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
@@ -43,7 +45,7 @@
$IPSEC_STROKE "$1"
rc="$?"
fi
-@@ -197,6 +219,7 @@ route|unroute)
+@@ -195,6 +217,7 @@ route|unroute)
fi
if [ -e $IPSEC_CHARON_PID ]
then
@@ -51,7 +53,7 @@
$IPSEC_STROKE "$op" "$1"
rc="$?"
fi
-@@ -206,6 +229,7 @@ secrets)
+@@ -204,6 +227,7 @@ secrets)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
@@ -59,7 +61,7 @@
$IPSEC_STROKE rereadsecrets
rc="$?"
fi
-@@ -213,6 +237,7 @@ secrets)
+@@ -211,6 +235,7 @@ secrets)
;;
start)
shift
@@ -67,7 +69,7 @@
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/ipsec
fi
-@@ -286,6 +311,7 @@ up)
+@@ -289,6 +314,7 @@ up)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
@@ -75,7 +77,7 @@
$IPSEC_STROKE up "$1"
rc="$?"
fi
-@@ -325,6 +351,11 @@ esac
+@@ -338,6 +364,11 @@ esac
cmd="$1"
shift
@@ -84,6 +86,6 @@
+*) fipscheck || exit $? ;;
+esac
+
- path="$IPSEC_DIR/$cmd"
+ path="$command_dir/$cmd"
if [ ! -x "$path" ]
++++++ strongswan_fipsfilter.patch ++++++
--- /var/tmp/diff_new_pack.XrnW46/_old 2017-08-24 18:46:20.668569840 +0200
+++ /var/tmp/diff_new_pack.XrnW46/_new 2017-08-24 18:46:20.668569840 +0200
@@ -5,11 +5,20 @@
References: fate#316931,bnc#856322
+From 818cd5f1b6455237a82f385b60a2513cdd9c5eef Mon Sep 17 00:00:00 2001
+From: Nirmoy Das <n...@suse.de>
+Date: Mon, 17 Jul 2017 15:15:14 +0200
+Subject: [PATCH] strongswan_fipsfilter
+
+---
+ src/libcharon/config/proposal.c | 184 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 165 insertions(+), 19 deletions(-)
+
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
-index e59dcd9..f07f4a2 100644
+index 6c71f78..0640140 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
-@@ -26,6 +26,11 @@
+@@ -27,6 +27,11 @@
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
@@ -21,7 +30,7 @@
ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
"PROTO_NONE",
-@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void,
+@@ -190,6 +195,122 @@ METHOD(proposal_t, strip_dh, void,
enumerator->destroy(enumerator);
}
@@ -144,7 +153,7 @@
/**
* Select a matching proposal from this and other, insert into selected.
*/
-@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this,
const char *alg)
+@@ -611,6 +732,11 @@ static bool add_string_algo(private_proposal_t *this,
const char *alg)
return FALSE;
}
@@ -156,7 +165,7 @@
add_algorithm(this, token->type, token->algorithm, token->keysize);
return TRUE;
-@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
+@@ -753,6 +879,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &encryption,
&plugin_name))
{
@@ -165,8 +174,8 @@
+
switch (encryption)
{
- case ENCR_AES_CCM_ICV8:
-@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
+ case ENCR_AES_GCM_ICV16:
+@@ -806,6 +935,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
enumerator =
lib->crypto->create_crypter_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &encryption,
&plugin_name))
{
@@ -176,7 +185,7 @@
switch (encryption)
{
case ENCR_AES_CBC:
-@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
+@@ -850,6 +982,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &integrity,
&plugin_name))
{
@@ -185,8 +194,8 @@
+
switch (integrity)
{
- case AUTH_HMAC_SHA1_96:
-@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
+ case AUTH_HMAC_SHA2_256_128:
+@@ -905,6 +1040,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &prf, &plugin_name))
{
@@ -196,7 +205,7 @@
switch (prf)
{
case PRF_HMAC_SHA1:
-@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
+@@ -964,6 +1102,9 @@ static bool proposal_add_supported_ike(private_proposal_t
*this, bool aead)
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &group, &plugin_name))
{
@@ -206,7 +215,7 @@
switch (group)
{
case MODP_NULL:
-@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t
protocol)
+@@ -1004,6 +1145,10 @@ proposal_t *proposal_create_default(protocol_id_t
protocol)
{
private_proposal_t *this =
(private_proposal_t*)proposal_create(protocol, 0);
@@ -217,48 +226,58 @@
switch (protocol)
{
case PROTO_IKE:
-@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t
protocol)
+@@ -1014,31 +1159,32 @@ proposal_t *proposal_create_default(protocol_id_t
protocol)
}
break;
case PROTO_ESP:
-- add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 128);
-- add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 192);
-- add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 256);
-- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES,
0);
-- add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_BLOWFISH, 256);
-- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
-- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
-- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
-- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
-+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 128);
-+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 192);
-+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 256);
-+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_3DES, 0);
-+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_BLOWFISH, 256);
-+ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
-+ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
-+ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
-+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
+- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,
128);
+- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,
192);
+- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,
256);
+- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES,
0);
+- add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_BLOWFISH, 256);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_256_128, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_384_192, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_512_256, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
+- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 128);
++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 192);
++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_AES_CBC, 256);
++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_3DES, 0);
++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM,
ENCR_BLOWFISH, 256);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_256_128, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_384_192, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_512_256, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
++ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
break;
case PROTO_AH:
-- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
-- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
-- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
-- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
-+ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
-+ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
-+ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
-+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_256_128, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_384_192, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_512_256, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
+- add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
+- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_256_128, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_384_192, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA2_512_256, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_SHA1_96, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_AES_XCBC_96, 0);
++ fips_add_algorithm(this, INTEGRITY_ALGORITHM,
AUTH_HMAC_MD5_96, 0);
++ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
break;
default:
break;
}
-+
+#undef fips_add_algorithm
-+
return &this->public;
}
--
-2.2.1
+2.13.2
