author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 11:42:20 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 11:42:20 +0000 |
commit | f73fba54dc8b30c6482e1e8abf15bbf455592fcd (patch) | |
tree | a449515607c5e51a5c703d7a9b1149c9e4a11560 /src/libcharon/config | |
parent | b8064f4099997a9e2179f3ad4ace605f5ccac3a1 (diff) | |
download | vyos-strongswan-f73fba54dc8b30c6482e1e8abf15bbf455592fcd.tar.gz vyos-strongswan-f73fba54dc8b30c6482e1e8abf15bbf455592fcd.zip |
[svn-upgrade] new version strongswan (4.5.0)
Diffstat (limited to 'src/libcharon/config')
-rw-r--r-- | src/libcharon/config/child_cfg.c | 9 | ||||
-rw-r--r-- | src/libcharon/config/child_cfg.h | 53 | ||||
-rw-r--r-- | src/libcharon/config/proposal.c | 205 | ||||
-rw-r--r-- | src/libcharon/config/proposal.h | 10 |
4 files changed, 103 insertions, 174 deletions
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 70f38b285..1cdfd5949 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -27,15 +27,6 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART,
 "restart",
 );
 
-ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
- "IPCOMP_NONE");
-ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
- "IPCOMP_OUI",
- "IPCOMP_DEFLATE",
- "IPCOMP_LZS",
- "IPCOMP_LZJH");
-ENUM_END(ipcomp_transform_names, IPCOMP_LZJH);
-
 typedef struct private_child_cfg_t private_child_cfg_t;
 
 /**
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index d34835ead..1e6fe3fe9 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -24,9 +24,6 @@
 #define CHILD_CFG_H_
 
 typedef enum action_t action_t;
-typedef enum ipcomp_transform_t ipcomp_transform_t;
-typedef struct lifetime_cfg_t lifetime_cfg_t;
-typedef struct mark_t mark_t;
 typedef struct child_cfg_t child_cfg_t;
 
 #include <library.h>
@@ -52,48 +49,6 @@ enum action_t {
 extern enum_name_t *action_names;
 
 /**
- * IPComp transform IDs, as in RFC 4306
- */
-enum ipcomp_transform_t {
- IPCOMP_NONE = 241,
- IPCOMP_OUI = 1,
- IPCOMP_DEFLATE = 2,
- IPCOMP_LZS = 3,
- IPCOMP_LZJH = 4,
-};
-
-/**
- * enum strings for ipcomp_transform_t.
- */
-extern enum_name_t *ipcomp_transform_names;
-
-/**
- * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
- *
- * Set any of these values to 0 to ignore.
- */
-struct lifetime_cfg_t {
- struct {
- /** Limit before the CHILD_SA gets invalid. */
- u_int64_t life;
- /** Limit before the CHILD_SA gets rekeyed. */
- u_int64_t rekey;
- /** The range of a random value subtracted from rekey. */
- u_int64_t jitter;
- } time, bytes, packets;
-};
-
-/**
- * A mark_t defines an optional mark in a CHILD_SA.
- */
-struct mark_t {
- /** Mark value */
- u_int32_t value;
- /** Mark mask */
- u_int32_t mask;
-};
-
-/**
 * A child_cfg_t defines the config template for a CHILD_SA.
 *
 * After creation, proposals and traffic selectors may be added to the config.
@@ -238,7 +193,7 @@ struct child_cfg_t {
 * Check whether IPComp should be used, if the other peer supports it.
 *
 * @return TRUE, if IPComp should be used
- * FALSE, otherwise
+ * FALSE, otherwise
 */
 bool (*use_ipcomp)(child_cfg_t *this);
 
@@ -259,7 +214,7 @@ struct child_cfg_t {
 /**
 * Optional mark for CHILD_SA
 *
- * @param inbound TRUE for inbound, FALSE for outbound
+ * @param inbound TRUE for inbound, FALSE for outbound
 * @return mark
 */
 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
@@ -277,7 +232,7 @@ struct child_cfg_t {
 * Check whether IPsec transport SA should be set up in proxy mode
 *
 * @return TRUE, if proxy mode should be used
- * FALSE, otherwise
+ * FALSE, otherwise
 */
 bool (*use_proxy_mode)(child_cfg_t *this);
 
@@ -285,7 +240,7 @@ struct child_cfg_t {
 * Check whether IPsec policies should be installed in the kernel
 *
 * @return TRUE, if IPsec kernel policies should be installed
- * FALSE, otherwise
+ * FALSE, otherwise
 */
 bool (*install_policy)(child_cfg_t *this);
 
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index e86393028..5b8294599 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,6 +1,6 @@
 /*
 * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2010 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -87,6 +87,11 @@ struct private_proposal_t {
 * senders SPI
 */
 u_int64_t spi;
+
+ /**
+ * Proposal number
+ */
+ u_int number;
 };
 
 /**
@@ -117,11 +122,9 @@ static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
 list->insert_last(list, (void*)algo_key);
 }
 
-/**
- * Implements proposal_t.add_algorithm
- */
-static void add_algorithm(private_proposal_t *this, transform_type_t type,
- u_int16_t algo, u_int16_t key_size)
+METHOD(proposal_t, add_algorithm, void,
+ private_proposal_t *this, transform_type_t type,
+ u_int16_t algo, u_int16_t key_size)
 {
 switch (type)
 {
@@ -160,11 +163,8 @@ static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
 return TRUE;
 }
 
-/**
- * Implements proposal_t.create_enumerator.
- */
-static enumerator_t *create_enumerator(private_proposal_t *this,
- transform_type_t type)
+METHOD(proposal_t, create_enumerator, enumerator_t*,
+ private_proposal_t *this, transform_type_t type)
 {
 linked_list_t *list;
 
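Review bot: The new `number` member added to struct private_proposal_t is documented only as "Proposal number", which tells a reader neither where the value comes from nor what locally built proposals carry. Elsewhere in this commit proposal_create_default, proposal_create_from_string and clone_ pass 0 to proposal_create while select_proposal copies the peer's number, so 0 evidently means "not assigned yet". I would write the field comment as `/** Proposal number, as encoded in the SA payload; 0 for proposals built locally */`. The struct definition begins before this hunk.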
@@ -192,11 +192,9 @@ static enumerator_t *create_enumerator(private_proposal_t *this,
 (void*)alg_filter, NULL, NULL);
 }
 
-/**
- * Implements proposal_t.get_algorithm.
- */
-static bool get_algorithm(private_proposal_t *this, transform_type_t type,
- u_int16_t *alg, u_int16_t *key_size)
+METHOD(proposal_t, get_algorithm, bool,
+ private_proposal_t *this, transform_type_t type,
+ u_int16_t *alg, u_int16_t *key_size)
 {
 enumerator_t *enumerator;
 bool found = FALSE;
@@ -210,10 +208,8 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 return found;
 }
 
-/**
- * Implements proposal_t.has_dh_group
- */
-static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
+METHOD(proposal_t, has_dh_group, bool,
+ private_proposal_t *this, diffie_hellman_group_t group)
 {
 bool result = FALSE;
 
@@ -240,10 +236,8 @@ static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 return result;
 }
 
-/**
- * Implementation of proposal_t.strip_dh.
- */
-static void strip_dh(private_proposal_t *this)
+METHOD(proposal_t, strip_dh, void,
+ private_proposal_t *this)
 {
 algorithm_t *alg;
 
@@ -254,28 +248,6 @@ static void strip_dh(private_proposal_t *this)
 }
 
 /**
- * Returns true if the given alg is an authenticated encryption algorithm
- */
-static bool is_authenticated_encryption(u_int16_t alg)
-{
- switch(alg)
- {
- case ENCR_AES_CCM_ICV8:
- case ENCR_AES_CCM_ICV12:
- case ENCR_AES_CCM_ICV16:
- case ENCR_AES_GCM_ICV8:
- case ENCR_AES_GCM_ICV12:
- case ENCR_AES_GCM_ICV16:
- case ENCR_CAMELLIA_CCM_ICV8:
- case ENCR_CAMELLIA_CCM_ICV12:
- case ENCR_CAMELLIA_CCM_ICV16:
- case ENCR_NULL_AUTH_AES_GMAC:
- return TRUE;
- }
- return FALSE;
-}
-
-/**
 * Find a matching alg/keysize in two linked lists
 */
 static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
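Review bot: The removed helper is_authenticated_encryption() enumerated ten AEAD identifiers, including the three ENCR_CAMELLIA_CCM_* variants and ENCR_NULL_AUTH_AES_GMAC, and its two callers in select_proposal and check_proposal now depend on encryption_algorithm_is_aead(), whose definition is outside this diff. Nothing here shows the replacement covers exactly that set; if one identifier is missing, select_proposal would again demand an integrity algorithm for a cipher that carries its own authentication, and check_proposal's all-AEAD detection would be off for it. Worth confirming against the definition, and a comment at the first caller such as `/* AEAD membership is decided by encryption_algorithm_is_aead(); keep it in sync when adding ENCR_* IDs */` would record where the list now lives.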
@@ -326,12 +298,10 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
 return FALSE;
 }
 
-/**
- * Implements proposal_t.select.
- */
-static proposal_t *select_proposal(private_proposal_t *this,
- private_proposal_t *other, bool private)
+METHOD(proposal_t, select_proposal, proposal_t*,
+ private_proposal_t *this, proposal_t *other_pub, bool private)
 {
+ private_proposal_t *other = (private_proposal_t*)other_pub;
 proposal_t *selected;
 u_int16_t algo;
 size_t key_size;
@@ -346,7 +316,7 @@ static proposal_t *select_proposal(private_proposal_t *this,
 return NULL;
 }
 
- selected = proposal_create(this->protocol);
+ selected = proposal_create(this->protocol, other->number);
 
 /* select encryption algorithm */
 if (select_algo(this->encryption_algos, other->encryption_algos, private,
@@ -366,7 +336,7 @@ static proposal_t *select_proposal(private_proposal_t *this,
 return NULL;
 }
 /* select integrity algorithm */
- if (!is_authenticated_encryption(algo))
+ if (!encryption_algorithm_is_aead(algo))
 {
 if (select_algo(this->integrity_algos, other->integrity_algos, private,
 &add, &algo, &key_size))
@@ -442,26 +412,20 @@ static proposal_t *select_proposal(private_proposal_t *this,
 return selected;
 }
 
-/**
- * Implements proposal_t.get_protocols.
- */
-static protocol_id_t get_protocol(private_proposal_t *this)
+METHOD(proposal_t, get_protocol, protocol_id_t,
+ private_proposal_t *this)
 {
 return this->protocol;
 }
 
-/**
- * Implements proposal_t.set_spi.
- */
-static void set_spi(private_proposal_t *this, u_int64_t spi)
+METHOD(proposal_t, set_spi, void,
+ private_proposal_t *this, u_int64_t spi)
 {
 this->spi = spi;
 }
 
-/**
- * Implements proposal_t.get_spi.
- */
-static u_int64_t get_spi(private_proposal_t *this)
+METHOD(proposal_t, get_spi, u_int64_t,
+ private_proposal_t *this)
 {
 return this->spi;
 }
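Review bot: select_proposal now downcasts `other_pub` to private_proposal_t on its first line and then reads `other->number` and the peer's algorithm lists, with nothing establishing that the object was built by proposal_create; the equals hunk on the next physical line does the same downcast and additionally drops the `this->public.equals != other->public.equals` guard that used to reject a foreign proposal_t implementation before its private fields were touched. If proposal_t has a single implementation in this tree, a one-line comment at the cast, `/* proposal_t has a single implementation; the downcast to private_proposal_t is safe */`, would record that contract; otherwise the guard should be reinstated in both methods ahead of the cast. The remainder of select_proposal, including the uses of `selected` between these hunks, is outside the visible lines.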
@@ -514,19 +478,21 @@ static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
 return equals;
 }
 
-/**
- * Implementation of proposal_t.equals.
- */
-static bool equals(private_proposal_t *this, private_proposal_t *other)
+METHOD(proposal_t, get_number, u_int,
+ private_proposal_t *this)
+{
+ return this->number;
+}
+
+METHOD(proposal_t, equals, bool,
+ private_proposal_t *this, proposal_t *other_pub)
 {
+ private_proposal_t *other = (private_proposal_t*)other_pub;
+
 if (this == other)
 {
 return TRUE;
 }
- if (this->public.equals != other->public.equals)
- {
- return FALSE;
- }
 return (
 algo_list_equals(this->encryption_algos, other->encryption_algos) &&
 algo_list_equals(this->integrity_algos, other->integrity_algos) &&
@@ -535,13 +501,12 @@ static bool equals(private_proposal_t *this, private_proposal_t *other)
 algo_list_equals(this->esns, other->esns));
 }
 
-/**
- * Implements proposal_t.clone
- */
-static proposal_t *clone_(private_proposal_t *this)
+METHOD(proposal_t, clone_, proposal_t*,
+ private_proposal_t *this)
 {
- private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
+ private_proposal_t *clone;
+ clone = (private_proposal_t*)proposal_create(this->protocol, 0);
 
 clone_algo_list(this->encryption_algos, clone->encryption_algos);
 clone_algo_list(this->integrity_algos, clone->integrity_algos);
 clone_algo_list(this->prf_algos, clone->prf_algos);
@@ -549,6 +514,7 @@ static proposal_t *clone_(private_proposal_t *this)
 clone_algo_list(this->esns, clone->esns);
 
 clone->spi = this->spi;
+ clone->number = this->number;
 
 return &clone->public;
 }
@@ -565,7 +531,7 @@ static void check_proposal(private_proposal_t *this)
 e = this->encryption_algos->create_enumerator(this->encryption_algos);
 while (e->enumerate(e, &alg))
 {
- if (!is_authenticated_encryption(alg->algorithm))
+ if (!encryption_algorithm_is_aead(alg->algorithm))
 {
 all_aead = FALSE;
 break;
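Review bot: equals compares algorithm lists only (encryption, integrity and esns are visible; the middle of the expression lies between the hunks) and says nothing about the `number` field this commit introduces and copies in clone_, so a reader cannot tell whether two proposals differing only in number are meant to be equal. Treating number as wire position rather than content is plausible, but it should be stated above the return: `/* number is the position in the SA payload, not content; intentionally not compared */`. If the omission is instead an oversight, `this->number == other->number` belongs in the conjunction.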
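Review bot: clone_ builds the copy with `proposal_create(this->protocol, 0)` and only patches `clone->number = this->number;` in the @@ -549 hunk further down, so the clone carries a wrong number for part of the function and the two-step construction is easy to break when another constructor argument is added. Passing the value at creation, `clone = (private_proposal_t*)proposal_create(this->protocol, this->number);`, removes the need for the later assignment. The same split would also let the `clone` declaration and its initializer be one line again, as they were before this change.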
@@ -623,6 +589,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 case AUTH_AES_XCBC_96:
 prf = PRF_AES128_XCBC;
 break;
+ case AUTH_CAMELLIA_XCBC_96:
+ prf = PRF_CAMELLIA128_XCBC;
+ break;
 default:
 prf = PRF_UNDEFINED;
 }
@@ -715,10 +684,8 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 return written;
 }
 
-/**
- * Implements proposal_t.destroy.
- */
-static void destroy(private_proposal_t *this)
+METHOD(proposal_t, destroy, void,
+ private_proposal_t *this)
 {
 this->encryption_algos->destroy_function(this->encryption_algos, free);
 this->integrity_algos->destroy_function(this->integrity_algos, free);
@@ -731,31 +698,34 @@ static void destroy(private_proposal_t *this)
 /*
 * Describtion in header-file
 */
-proposal_t *proposal_create(protocol_id_t protocol)
+proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 {
- private_proposal_t *this = malloc_thing(private_proposal_t);
-
- this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
- this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
- this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
- this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
- this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
- this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
- this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
- this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
- this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
- this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
- this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
- this->public.destroy = (void(*)(proposal_t*))destroy;
-
- this->spi = 0;
- this->protocol = protocol;
-
- this->encryption_algos = linked_list_create();
- this->integrity_algos = linked_list_create();
- this->prf_algos = linked_list_create();
- this->dh_groups = linked_list_create();
- this->esns = linked_list_create();
+ private_proposal_t *this;
+
+ INIT(this,
+ .public = {
+ .add_algorithm = _add_algorithm,
+ .create_enumerator = _create_enumerator,
+ .get_algorithm = _get_algorithm,
+ .has_dh_group = _has_dh_group,
+ .strip_dh = _strip_dh,
+ .select = _select_proposal,
+ .get_protocol = _get_protocol,
+ .set_spi = _set_spi,
+ .get_spi = _get_spi,
+ .get_number = _get_number,
+ .equals = _equals,
+ .clone = _clone_,
+ .destroy = _destroy,
+ },
+ .protocol = protocol,
+ .number = number,
+ .encryption_algos = linked_list_create(),
+ .integrity_algos = linked_list_create(),
+ .prf_algos = linked_list_create(),
+ .dh_groups = linked_list_create(),
+ .esns = linked_list_create(),
+ );
 
 return &this->public;
 }
@@ -777,19 +747,24 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 switch (encryption)
 {
 case ENCR_AES_CBC:
- /* we assume that we support all AES sizes */
- add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
- add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
- add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
- break;
- case ENCR_3DES:
 case ENCR_AES_CTR:
+ case ENCR_CAMELLIA_CBC:
+ case ENCR_CAMELLIA_CTR:
 case ENCR_AES_CCM_ICV8:
 case ENCR_AES_CCM_ICV12:
 case ENCR_AES_CCM_ICV16:
 case ENCR_AES_GCM_ICV8:
 case ENCR_AES_GCM_ICV12:
 case ENCR_AES_GCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV16:
+ /* we assume that we support all AES/Camellia sizes */
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ case ENCR_3DES:
 add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 break;
 case ENCR_DES:
@@ -877,7 +852,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 */
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
- private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
 
 switch (protocol)
 {
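Review bot: The enlarged case group in proposal_add_supported_ike now advertises 128-, 192- and 256-bit variants for every AES-CTR, Camellia and CCM/GCM identifier that reaches the switch, under the comment "we assume that we support all AES/Camellia sizes", but nothing in the hunk checks that the registered implementation accepts all three sizes. If a plugin registers an identifier for a single key size, the default IKE proposal offers transforms that cannot be instantiated once selected, and the peer may pick exactly those. If the registry cannot be queried per key size here, the comment should at least state the obligation it places on plugins, e.g. `/* plugins registering these ENCR_* IDs must accept 128/192/256-bit keys */`. proposal_add_supported_ike starts before this hunk, so where `encryption` is enumerated from is not visible.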
@@ -912,7 +887,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
- private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
 chunk_t string = {(void*)algs, strlen(algs)};
 chunk_t alg;
 status_t status = SUCCESS;
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 30f63b80d..97af5b60b 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -161,6 +161,13 @@ struct proposal_t {
 void (*set_spi) (proposal_t *this, u_int64_t spi);
 
 /**
+ * Get the proposal number, as encoded in SA payload
+ *
+ * @return proposal number
+ */
+ u_int (*get_number)(proposal_t *this);
+
+ /**
 * Check for the eqality of two proposals.
 *
 * @param other other proposal to check for equality
@@ -185,9 +192,10 @@ struct proposal_t {
 * Create a child proposal for AH, ESP or IKE.
 *
 * @param protocol protocol, such as PROTO_ESP
+ * @param number proposal number, as encoded in SA payload
 * @return proposal_t object
 */
-proposal_t *proposal_create(protocol_id_t protocol);
+proposal_t *proposal_create(protocol_id_t protocol, u_int number);
 
 /**
 * Create a default proposal if nothing further specified. |
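Review bot: The new `@param number` on proposal_create describes the value only as "proposal number, as encoded in SA payload", yet every local constructor in this commit (proposal_create_default, proposal_create_from_string, clone_) passes 0, so 0 evidently stands for "no number assigned" and a reader of the header has no way to learn that. I would extend the line to `@param number proposal number, as encoded in SA payload (0 if not assigned yet)` and give get_number's `@return` in the earlier hunk the same qualification. Whether the value is restricted to the width of the on-wire field is not stated either; if the encoder relies on that, this is the place to say so.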