Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2017-08-24 18:45:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and      /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Thu Aug 24 18:45:53 2017 rev:64 rq:514549 version:5.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2016-11-29 12:50:29.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2017-08-24 18:46:10.094058758 +0200 
@@ -1,0 +2,80 @@ +Mon Jul 31 18:30:28 CEST 2017 - n...@suse.de + +- Updated to strongSwan 5.3.5 providing the following changes: + *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input + validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two + requirements regarding the passed exponent and modulus that the plugin did not + enforce, if these are not met the calculation will result in a floating point exception + that crashes the whole process. + This vulnerability has been registered as CVE-2017-9022. + Please refer to our blog for details. + + *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser + didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when + parsing X.509 extensions that use such types. + This vulnerability has been registered as CVE-2017-9023. + Please refer to our blog for details. + + *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid + traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA + the responder already has everything available to install and use the new CHILD_SA. + However, this could lead to lost traffic as the initiator won't be able to process + inbound packets until it processed the CREATE_CHILD_SA response and updated the + inbound SA. To avoid this the responder now only installs the new inbound SA and + delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. + + *The messages transporting these DELETEs could reach the peer before packets sent + with the deleted outbound SAs reach it. To reduce the chance of traffic loss due + to this the inbound SA of the replaced CHILD_SA is not removed for a configurable + amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed. 
+ + *The code base has been ported to Apple's ARM64 iOS platform, which required several + changes regarding the use of variadic functions. This was necessary because the calling + conventions for variadic and regular functions are different there. + This means that assigning a non-variadic function to a variadic function pointer, as we + did with our enumerator_t::enumerate() implementations and several callbacks, will + result in crashes as the called function accesses the arguments differently than the + caller provided them. To avoid this issue the enumerator_t interface has been changed + and the signature of the callback functions for enumerator_create_filter() and two + methods on linked_list_t have been changed. Refer to the developer notes below + for details. + + *Adds support for fuzzing the certificate parser provided by the default plugins + (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with + libFuzzer). Several issues found while fuzzing these plugins were fixed. + + *Two new options have been added to charon's retransmission settings: + retransmit_limit and retransmit_jitter. The former adds an upper limit to the + calculated retransmission timeout, the latter randomly reduces it. + Refer to Retransmission for details. + + *A bug in swanctl's --load-creds command was fixed that caused unencrypted + private keys to get unloaded if the command was called multiple times. + The load-key VICI command now returns the key ID of the loaded key on success. + + *The credential manager now enumerates local credential sets before global ones. + This means certificates supplied by the peer will now be preferred over certificates + with the same identity that may be locally stored (e.g. in the certificate cache). + + *Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for + specific hardware that supports this. + + *The pki tool loads the curve25519 plugin by default. 
+ [- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, + - 0007-asn1-parser-Fix-CHOICE-parsing.patch] +- libhydra is removed as all kernel plugins moved to libcharon + +------------------------------------------------------------------- +Tue May 23 14:25:32 CEST 2017 - n...@suse.de + +- Applied patch for "Don't retransmit Aggressive Mode response" + bsc#985012. +- Applied upstream patch for "Insufficient Input Validation in gmp Plugin" + bsc#1039514(CVE-2017-9022). +- Applied upstream patch for "Incorrect x509 ASN.1 parser error handling" + bsc#1039515(CVE-2017-9023). + [+0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch, + +0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, + +0007-asn1-parser-Fix-CHOICE-parsing.patch] + +------------------------------------------------------------------- Old: ---- strongswan-5.3.5-rpmlintrc strongswan-5.3.5.tar.bz2 strongswan-5.3.5.tar.bz2.sig New: ---- 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch strongswan-5.5.3-rpmlintrc strongswan-5.5.3.tar.bz2 strongswan-5.5.3.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.XrnW46/_old 2017-08-24 18:46:11.105916286 +0200 +++ /var/tmp/diff_new_pack.XrnW46/_new 2017-08-24 18:46:11.109915722 +0200 @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.3.5 +Version: 5.5.3 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} 
@@ -82,6 +82,7 @@ Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif +Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -289,9 +290,10 @@ %patch1 -p0 %patch2 -p0 %if %{with fipscheck} -%patch3 -p0 +%patch3 -p1 %patch4 -p1 %endif +%patch5 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -566,13 +568,14 @@ %{_libexecdir}/ipsec/_fipscheck %{_libexecdir}/ipsec/.*.hmac %{_sbindir}/.ipsec.hmac - %endif %files ipsec %defattr(-,root,root) %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets +%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf +%dir %{_sysconfdir}/swanctl %dir %{_sysconfdir}/ipsec.d %dir %{_sysconfdir}/ipsec.d/crls %dir %{_sysconfdir}/ipsec.d/reqs @@ -584,6 +587,7 @@ %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} %{_unitdir}/strongswan.service +%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf %{_sbindir}/rcstrongswan %else %config %{_sysconfdir}/init.d/ipsec @@ -591,6 +595,7 @@ %endif %{_bindir}/pki %{_sbindir}/ipsec +%{_sbindir}/swanctl %{_mandir}/man1/pki*.1* %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* @@ -626,6 +631,8 @@ %{strongswan_docdir}/AUTHORS %{strongswan_docdir}/ChangeLog %{_mandir}/man8/scepclient.8* +%{_mandir}/man5/swanctl.conf.5.* +%{_mandir}/man8/swanctl.8.* %files libs0 %defattr(-,root,root) 
@@ -643,8 +650,11 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf %endif @@ -739,7 +749,10 @@ %{strongswan_libdir}/libchecksum.so %endif %{strongswan_libdir}/libcharon.so.* -%{strongswan_libdir}/libhydra.so.* +%{strongswan_libdir}/libtpmtss.so.* +%{strongswan_libdir}/libtpmtss.so +%{strongswan_libdir}/libvici.so +%{strongswan_libdir}/libvici.so.* %{strongswan_libdir}/libpttls.so.* %{strongswan_libdir}/libradius.so.* %{strongswan_libdir}/libsimaka.so.* @@ -842,6 +855,8 @@ %{strongswan_plugins}/libstrongswan-xauth-generic.so %{strongswan_plugins}/libstrongswan-xauth-pam.so %{strongswan_plugins}/libstrongswan-xcbc.so +%{strongswan_plugins}/libstrongswan-curve25519.so +%{strongswan_plugins}/libstrongswan-vici.so %dir %{strongswan_datadir} %dir %{strongswan_templates} %dir %{strongswan_templates}/config @@ -942,6 +957,8 @@ %{strongswan_templates}/config/plugins/xauth-generic.conf %{strongswan_templates}/config/plugins/xauth-pam.conf %{strongswan_templates}/config/plugins/xcbc.conf +%{strongswan_templates}/config/plugins/curve25519.conf +%{strongswan_templates}/config/plugins/vici.conf %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf 
@@ -950,6 +967,7 @@ %{strongswan_templates}/config/strongswan.d/scepclient.conf %{strongswan_templates}/config/strongswan.d/starter.conf %{strongswan_templates}/config/strongswan.d/tnc.conf +%{strongswan_templates}/config/strongswan.d/swanctl.conf %{strongswan_templates}/database/imv/data.sql %{strongswan_templates}/database/imv/tables.sql ++++++ 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch ++++++ >From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tob...@strongswan.org> Date: Fri, 17 Jun 2016 18:19:48 +0200 Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response These could theoretically be used for an amplified DDoS attack. --- src/libcharon/sa/ikev1/task_manager_v1.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 48ec3e7..0912555 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request) continue; case NEED_MORE: /* processed, but task needs another exchange */ - if (task->get_type(task) == TASK_QUICK_MODE || - task->get_type(task) == TASK_AGGRESSIVE_MODE) + if (task->get_type(task) == TASK_QUICK_MODE) { /* we rely on initiator retransmission, except for * three-message exchanges */ expect_request = TRUE; -- 2.13.2 ++++++ strongswan-5.3.5-rpmlintrc -> strongswan-5.5.3-rpmlintrc ++++++ ++++++ strongswan-5.3.5.tar.bz2 -> strongswan-5.5.3.tar.bz2 ++++++ ++++ 294371 lines of diff (skipped) ++++++ strongswan_fipscheck.patch ++++++ --- /var/tmp/diff_new_pack.XrnW46/_old 2017-08-24 18:46:20.660570967 +0200 +++ /var/tmp/diff_new_pack.XrnW46/_new 2017-08-24 18:46:20.660570967 +0200 
@@ -1,8 +1,10 @@ ---- src/ipsec/_ipsec.in -+++ src/ipsec/_ipsec.in -@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR +diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in +index ea399b8..ea8ed8a 100644 +--- a/src/ipsec/_ipsec.in ++++ b/src/ipsec/_ipsec.in +@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o - IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland" + command_dir="$IPSEC_DIR" +fipscheck() +{ @@ -27,7 +29,7 @@ case "$1" in '') echo "$IPSEC_SCRIPT command [arguments]" -@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters) +@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters) shift if [ -e $IPSEC_CHARON_PID ] then @@ -35,7 +37,7 @@ $IPSEC_STROKE "$op" "$@" rc="$?" fi -@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts) +@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -43,7 +45,7 @@ $IPSEC_STROKE "$1" rc="$?" fi -@@ -197,6 +219,7 @@ route|unroute) +@@ -195,6 +217,7 @@ route|unroute) fi if [ -e $IPSEC_CHARON_PID ] then @@ -51,7 +53,7 @@ $IPSEC_STROKE "$op" "$1" rc="$?" fi -@@ -206,6 +229,7 @@ secrets) +@@ -204,6 +227,7 @@ secrets) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -59,7 +61,7 @@ $IPSEC_STROKE rereadsecrets rc="$?" fi -@@ -213,6 +237,7 @@ secrets) +@@ -211,6 +235,7 @@ secrets) ;; start) shift @@ -67,7 +69,7 @@ if [ -d /var/lock/subsys ]; then touch /var/lock/subsys/ipsec fi -@@ -286,6 +311,7 @@ up) +@@ -289,6 +314,7 @@ up) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -75,7 +77,7 @@ $IPSEC_STROKE up "$1" rc="$?" fi -@@ -325,6 +351,11 @@ esac +@@ -338,6 +364,11 @@ esac cmd="$1" shift 
@@ -84,6 +86,6 @@ +*) fipscheck || exit $? ;; +esac + - path="$IPSEC_DIR/$cmd" + path="$command_dir/$cmd" if [ ! -x "$path" ] ++++++ strongswan_fipsfilter.patch ++++++ --- /var/tmp/diff_new_pack.XrnW46/_old 2017-08-24 18:46:20.668569840 +0200 +++ /var/tmp/diff_new_pack.XrnW46/_new 2017-08-24 18:46:20.668569840 +0200 @@ -5,11 +5,20 @@ References: fate#316931,bnc#856322 +From 818cd5f1b6455237a82f385b60a2513cdd9c5eef Mon Sep 17 00:00:00 2001 +From: Nirmoy Das <n...@suse.de> +Date: Mon, 17 Jul 2017 15:15:14 +0200 +Subject: [PATCH] strongswan_fipsfilter + +--- + src/libcharon/config/proposal.c | 184 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 165 insertions(+), 19 deletions(-) + diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c -index e59dcd9..f07f4a2 100644 +index 6c71f78..0640140 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c -@@ -26,6 +26,11 @@ +@@ -27,6 +27,11 @@ #include <crypto/prfs/prf.h> #include <crypto/crypters/crypter.h> #include <crypto/signers/signer.h> @@ -21,7 +30,7 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP, "PROTO_NONE", -@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void, +@@ -190,6 +195,122 @@ METHOD(proposal_t, strip_dh, void, enumerator->destroy(enumerator); } @@ -144,7 +153,7 @@ /** * Select a matching proposal from this and other, insert into selected. */ -@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) +@@ -611,6 +732,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) return FALSE; } 
@@ -156,7 +165,7 @@ add_algorithm(this, token->type, token->algorithm, token->keysize); return TRUE; -@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +@@ -753,6 +879,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_aead_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { @@ -165,8 +174,8 @@ + switch (encryption) { - case ENCR_AES_CCM_ICV8: -@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + case ENCR_AES_GCM_ICV16: +@@ -806,6 +935,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { @@ -176,7 +185,7 @@ switch (encryption) { case ENCR_AES_CBC: -@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +@@ -850,6 +982,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_signer_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { @@ -185,8 +194,8 @@ + switch (integrity) { - case AUTH_HMAC_SHA1_96: -@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + case AUTH_HMAC_SHA2_256_128: +@@ -905,6 +1040,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_prf_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { 
@@ -196,7 +205,7 @@ switch (prf) { case PRF_HMAC_SHA1: -@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +@@ -964,6 +1102,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_dh_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &group, &plugin_name)) { @@ -206,7 +215,7 @@ switch (group) { case MODP_NULL: -@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -1004,6 +1145,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol) { private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); 
@@ -217,48 +226,58 @@ switch (protocol) { case PROTO_IKE: -@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -1014,31 +1159,32 @@ proposal_t *proposal_create_default(protocol_id_t protocol) } break; case PROTO_ESP: -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, 
AUTH_HMAC_SHA2_512_256, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); +- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); ++ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; case PROTO_AH: -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); +- add_algorithm(this, 
INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); +- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); ++ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; default: break; } -+ +#undef fips_add_algorithm -+ return &this->public; } -- -2.2.1 +2.13.2
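
Review bot: The Jul 31 entry in the strongswan.changes hunk (@@ -1,0 +2,80 @@) reads "Updated to strongSwan 5.3.5", but the spec hunk changes Version from 5.3.5 to 5.5.3 and the commit header gives version:5.5.3, so the entry should say 5.5.3. The same entry carries "Refer to the developer notes below for details", "Refer to Retransmission for details" and "Please refer to our blog for details", none of which resolve to anything inside a .changes file; replace them with something the reader can follow or drop them. The vulnerability fixes for CVE-2017-9022 and CVE-2017-9023 are also listed here without the bsc# numbers that the May 23 entry uses (bsc#1039514, bsc#1039515); repeating them would keep the two entries consistent.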
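
Review bot: In the strongswan.spec hunk @@ -584,6 +587,7 @@, %{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf is added inside the %if %{with systemd} branch and without a %config marker, although every other /etc file in the surrounding lists is tagged %config or %config(noreplace). The file name suggests it belongs to the NetworkManager integration rather than to the systemd unit, so it should be conditioned on whatever switch builds that plugin; as written, a systemd build without it would fail on a missing file, and a non-systemd build with it would leave the file unpackaged.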
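
Review bot: The two man page globs added in the strongswan.spec hunk @@ -626,6 +631,8 @@, %{_mandir}/man5/swanctl.conf.5.* and %{_mandir}/man8/swanctl.8.*, require a dot after the section number, while the existing entries in the same spec use the form %{_mandir}/man5/ipsec.conf.5* and %{_mandir}/man8/scepclient.8*. The new patterns only match a page that has a compression suffix; use swanctl.conf.5* and swanctl.8* to match the established style. They are also added next to the scepclient man page and the doc files, whereas %{_sbindir}/swanctl itself is added in the hunk at @@ -591,6 +595,7 @@ beside %{_sbindir}/ipsec and its man pages; keeping the binary and its man pages in the same file list would be more consistent.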
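
Review bot: The strongswan.spec hunk @@ -739,7 +749,10 @@ adds the unversioned %{strongswan_libdir}/libtpmtss.so and %{strongswan_libdir}/libvici.so to the same file list as the versioned libtpmtss.so.* and libvici.so.*. Unversioned .so symlinks are normally only needed for linking and belong in a devel subpackage; if they are shipped here on purpose (for example because something opens them by that name at runtime), a short spec comment saying so would save the next reviewer the question. The removal of libhydra.so.* in the same hunk matches the "libhydra is removed" changelog line.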
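
Review bot: In 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch (task_manager_v1.c, @@ -770,8 +770,7 @@), the retained comment "we rely on initiator retransmission, except for three-message exchanges" no longer describes the condition: Aggressive Mode is itself a three-message exchange and is now deliberately left out. Update the comment to state that only Quick Mode responses are retransmitted and why Aggressive Mode is excluded; the reason currently lives only in the commit message ("could theoretically be used for an amplified DDoS attack") and will not be visible to someone reading the code. The changelog ties this patch to bsc#985012, which would be worth repeating in the patch header.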
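
Review bot: In strongswan_fipsfilter.patch, the proposal_create_default() hunk (@@ -1014,31 +1159,32 @@) renames every add_algorithm() call to fips_add_algorithm() and closes with #undef fips_add_algorithm, so the filtering depends on a function-local macro and on each default entry being renamed by hand. This update shows the cost: the hunk had to be regenerated only because upstream added the AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192 and AUTH_HMAC_SHA2_512_256 lines, and any add_algorithm() line a later upstream release adds here will bypass the filter until someone renames it. Applying the check in one place, as the add_string_algo() hunk appears to do just before its add_algorithm() call, would make the patch smaller and fail safe. The default ESP and AH lists also still name ENCR_3DES, ENCR_BLOWFISH and AUTH_HMAC_MD5_96, and the new patch header has an empty description under "Subject: [PATCH] strongswan_fipsfilter"; a sentence stating what the filter is expected to drop in FIPS mode would make that reviewable.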