Diffstat (limited to 'src/charon/config')
-rw-r--r-- | src/charon/config/backend_manager.c | 183 | ||||
-rw-r--r-- | src/charon/config/backend_manager.h | 7 | ||||
-rw-r--r-- | src/charon/config/child_cfg.c | 24 | ||||
-rw-r--r-- | src/charon/config/child_cfg.h | 27 | ||||
-rw-r--r-- | src/charon/config/peer_cfg.c | 52 | ||||
-rw-r--r-- | src/charon/config/peer_cfg.h | 44 | ||||
-rw-r--r-- | src/charon/config/proposal.c | 139 | ||||
-rw-r--r-- | src/charon/config/traffic_selector.c | 25 |
8 files changed, 250 insertions, 251 deletions
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index d77c05fd7..c2b408ca9 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -12,7 +12,7 @@
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 *
- * $Id: backend_manager.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: backend_manager.c 4134 2008-07-01 11:10:37Z martin $
 */
 
 #include "backend_manager.h"
@@ -49,6 +49,16 @@ struct private_backend_manager_t {
 };
 
 /**
+ * match of an ike_cfg
+ */
+typedef enum ike_cfg_match_t {
+ MATCH_NONE = 0x00,
+ MATCH_ANY = 0x01,
+ MATCH_ME = 0x04,
+ MATCH_OTHER = 0x08,
+} ike_cfg_match_t;
+
+/**
 * data to pass nested IKE enumerator
 */
 typedef struct {
@@ -108,6 +118,48 @@ static enumerator_t *peer_enum_create_all(backend_t *backend)
 }
 
 /**
+ * get a match of a candidate ike_cfg for two hosts
+ */
+static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other)
+{
+ host_t *me_cand, *other_cand;
+ ike_cfg_match_t match = MATCH_NONE;
+
+ me_cand = host_create_from_dns(cand->get_my_addr(cand),
+ me->get_family(me), 0);
+ if (!me_cand)
+ {
+ return MATCH_NONE;
+ }
+ if (me_cand->ip_equals(me_cand, me))
+ {
+ match += MATCH_ME;
+ }
+ else if (me_cand->is_anyaddr(me_cand))
+ {
+ match += MATCH_ANY;
+ }
+ me_cand->destroy(me_cand);
+
+ other_cand = host_create_from_dns(cand->get_other_addr(cand),
+ other->get_family(other), 0);
+ if (!other_cand)
+ {
+ return MATCH_NONE;
+ }
+ if (other_cand->ip_equals(other_cand, other))
+ {
+ match += MATCH_OTHER;
+ }
+ else if (other_cand->is_anyaddr(other_cand))
+ {
+ match += MATCH_ANY;
+ }
+ other_cand->destroy(other_cand);
+ return match;
+}
+
+/**
 * implements backend_manager_t.get_ike_cfg.
 */
 static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
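Review bot: The header comment of get_match() does not say how the returned ike_cfg_match_t is to be read, yet both callers compare it numerically, so the encoding belongs at the definition: suggest `/* Score how well a candidate ike_cfg fits the two hosts: per side MATCH_ME/MATCH_OTHER for an exact address match or MATCH_ANY for a wildcard entry, summed; MATCH_NONE if a side cannot be resolved. */`. It is also worth stating that the enum values (0x01 against 0x04/0x08) are chosen so that every possible sum is distinct, which is what makes `match += ...` on the enum and the callers' `>` comparisons meaningful. Note that a failed host_create_from_dns() for either side yields the same MATCH_NONE as a plain non-match, so, if that call really resolves names, a misspelt hostname in a config silently removes it from consideration and a debug message at the two early returns would make that visible. The hunk ends at the get_ike_cfg signature, whose body lies in the following hunks.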
@@ -115,14 +167,8 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 {
 ike_cfg_t *current, *found = NULL;
 enumerator_t *enumerator;
- host_t *my_candidate, *other_candidate;
+ ike_cfg_match_t match, best = MATCH_ANY;
 ike_data_t *data;
- enum {
- MATCH_NONE = 0x00,
- MATCH_ANY = 0x01,
- MATCH_ME = 0x04,
- MATCH_OTHER = 0x08,
- } prio, best = MATCH_ANY;
 
 data = malloc_thing(ike_data_t);
 data->this = this;
@@ -137,51 +183,20 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 (void*)ike_enum_create, data, (void*)ike_enum_destroy);
 while (enumerator->enumerate(enumerator, (void**)¤t))
 {
- prio = MATCH_NONE;
-
- my_candidate = host_create_from_dns(current->get_my_addr(current),
- me->get_family(me), 0);
- if (!my_candidate)
- {
- continue;
- }
- if (my_candidate->ip_equals(my_candidate, me))
- {
- prio += MATCH_ME;
- }
- else if (my_candidate->is_anyaddr(my_candidate))
- {
- prio += MATCH_ANY;
- }
- my_candidate->destroy(my_candidate);
-
- other_candidate = host_create_from_dns(current->get_other_addr(current),
- other->get_family(other), 0);
- if (!other_candidate)
- {
- continue;
- }
- if (other_candidate->ip_equals(other_candidate, other))
- {
- prio += MATCH_OTHER;
- }
- else if (other_candidate->is_anyaddr(other_candidate))
- {
- prio += MATCH_ANY;
- }
- other_candidate->destroy(other_candidate);
-
- DBG2(DBG_CFG, " candidate: %s...%s, prio %d",
- current->get_my_addr(current), current->get_other_addr(current),
- prio);
-
- /* we require at least two MATCH_ANY */
- if (prio > best)
+ match = get_match(current, me, other);
+
+ if (match)
 {
- best = prio;
- DESTROY_IF(found);
- found = current;
- found->get_ref(found);
+ DBG2(DBG_CFG, " candidate: %s...%s, prio %d",
+ current->get_my_addr(current), current->get_other_addr(current),
+ match);
+ if (match > best)
+ {
+ DESTROY_IF(found);
+ found = current;
+ found->get_ref(found);
+ best = match;
+ }
 }
 }
 enumerator->destroy(enumerator);
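Review bot: The removed comment `/* we require at least two MATCH_ANY */` was the only explanation of why `best` starts at MATCH_ANY rather than MATCH_NONE, and the new declaration keeps that initial value without it, so a reader of `if (match > best)` now has to work out that a config with one wildcard side and one non-matching side (score 0x01) is rejected on purpose. Suggest restoring it at the declaration in the first hunk: `ike_cfg_match_t match, best = MATCH_ANY; /* require at least two MATCH_ANY */`. The outer `if (match)` guard is redundant with that comparison, since MATCH_NONE can never exceed MATCH_ANY, so its only effect is to keep unresolvable or non-matching candidates out of the DBG2 output; a one-line comment saying so would stop the next reader from "simplifying" it away or, conversely, from assuming it filters something the comparison does not. get_ike_cfg's signature is in the first hunk on this line and its tail continues past the second.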
@@ -202,22 +217,23 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this) /** * implements backend_manager_t.get_peer_cfg. */ -static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, - identification_t *me, identification_t *other, - auth_info_t *auth) +static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me, + host_t *other, identification_t *my_id, + identification_t *other_id, auth_info_t *auth) { peer_cfg_t *current, *found = NULL; enumerator_t *enumerator; - identification_t *my_candidate, *other_candidate; - id_match_t best = ID_MATCH_NONE; + id_match_t best_peer = ID_MATCH_NONE; + ike_cfg_match_t best_ike = MATCH_NONE; peer_data_t *data; - DBG2(DBG_CFG, "looking for a config for %D...%D", me, other); + DBG2(DBG_CFG, "looking for a config for %H[%D]...%H[%D]", + me, my_id, other, other_id); data = malloc_thing(peer_data_t); data->this = this; - data->me = me; - data->other = other; + data->me = my_id; + data->other = other_id; this->mutex->lock(this->mutex); enumerator = enumerator_create_nested( 
@@ -225,42 +241,45 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
 (void*)peer_enum_create, data, (void*)peer_enum_destroy);
 while (enumerator->enumerate(enumerator, ¤t))
 {
- id_match_t m1, m2, sum;
+ identification_t *my_cand, *other_cand;
+ id_match_t m1, m2, match_peer;
+ ike_cfg_match_t match_ike;
- my_candidate = current->get_my_id(current);
- other_candidate = current->get_other_id(current);
+ my_cand = current->get_my_id(current);
+ other_cand = current->get_other_id(current);
 /* own ID may have wildcards in both, config and request (missing IDr) */
- m1 = my_candidate->matches(my_candidate, me);
+ m1 = my_cand->matches(my_cand, my_id);
 if (!m1)
 {
- m1 = me->matches(me, my_candidate);
+ m1 = my_id->matches(my_id, my_cand);
 }
- m2 = other->matches(other, other_candidate);
- sum = m1 + m2;
+ m2 = other_id->matches(other_id, other_cand);
+
+ match_peer = m1 + m2;
+ match_ike = get_match(current->get_ike_cfg(current), me, other);
- if (m1 && m2)
+ if (m1 && m2 && match_ike &&
+ auth->complies(auth, current->get_auth(current)))
 {
- if (auth->complies(auth, current->get_auth(current)))
+ DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d.%d",
+ current->get_name(current), my_cand, other_cand,
+ match_peer, match_ike);
+ if (match_peer >= best_peer && match_ike > best_ike)
 {
- DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d",
- current->get_name(current), my_candidate,
- other_candidate, sum);
- if (sum > best)
- {
- DESTROY_IF(found);
- found = current;
- found->get_ref(found);
- best = sum;
- }
+ DESTROY_IF(found);
+ found = current;
+ found->get_ref(found);
+ best_peer = match_peer;
+ best_ike = match_ike;
 }
 }
 }
 if (found)
 {
- DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d",
+ DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d.%d",
 found->get_name(found), found->get_my_id(found),
- found->get_other_id(found), best);
+ found->get_other_id(found), best_peer, best_ike);
 }
 enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex); @@ -325,7 +344,7 @@ backend_manager_t *backend_manager_create() private_backend_manager_t *this = malloc_thing(private_backend_manager_t); this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; - this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg; + this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg; this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name; this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator; this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend; diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h index 6400bd7fd..17df26dad 100644 --- a/src/charon/config/backend_manager.h +++ b/src/charon/config/backend_manager.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: backend_manager.h 3589 2008-03-13 14:14:44Z martin $ + * $Id: backend_manager.h 4132 2008-07-01 09:05:20Z martin $ */ /** @@ -66,12 +66,15 @@ struct backend_manager_t { /** * Get a peer_config identified by two IDs and authorization info. * + * @param me own address + * @param other peer address * @param my_id own ID * @param other_id peer ID * @param auth_info authorization info * @return matching peer_config, or NULL if none found */ - peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, identification_t *my_id, + peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me, + host_t *other, identification_t *my_id, identification_t *other_id, auth_info_t *auth); /** diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c index f929927ef..24242345b 100644 --- a/src/charon/config/child_cfg.c 
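Review bot: The selection test `if (match_peer >= best_peer && match_ike > best_ike)` in get_peer_cfg never replaces the current best with a candidate whose address score ties but whose ID score is strictly higher, because the second operand demands a strict gain on the IKE side; two peer configs sharing one ike_cfg, the second with a more specific other_id, will always yield the first. If the intended precedence is address first, then identity, the lexicographic test `if (match_ike > best_ike || (match_ike == best_ike && match_peer > best_peer))` expresses it; if a tie is meant to keep the first hit, the `>=` on match_peer is misleading and should be `>`. Either way a comment above the test stating which score wins a tie would help, since the old single-sum `prio` comparison needed none. The DBG2 line now runs only for candidates that already passed auth->complies(), so configs rejected on authentication no longer appear in the candidate log, which may be deliberate but makes an auth mismatch harder to diagnose. get_peer_cfg's signature is in the hunk before this one and its tail continues past it.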
+++ b/src/charon/config/child_cfg.c @@ -14,25 +14,17 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: child_cfg.c 4062 2008-06-12 11:42:19Z martin $ + * $Id: child_cfg.c 4358 2008-09-25 13:56:23Z tobias $ */ #include "child_cfg.h" #include <daemon.h> -ENUM(mode_names, MODE_TRANSPORT, MODE_BEET, - "TRANSPORT", - "TUNNEL", - "2", - "3", - "BEET", -); - ENUM(action_names, ACTION_NONE, ACTION_RESTART, - "ACTION_NONE", - "ACTION_ROUTE", - "ACTION_RESTART", + "clear", + "hold", + "restart", ); ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE, @@ -94,7 +86,7 @@ struct private_child_cfg_t { /** * Mode to propose for a initiated CHILD: tunnel/transport */ - mode_t mode; + ipsec_mode_t mode; /** * action to take on DPD @@ -379,7 +371,7 @@ static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey) /** * Implementation of child_cfg_t.get_mode */ -static mode_t get_mode(private_child_cfg_t *this) +static ipsec_mode_t get_mode(private_child_cfg_t *this) { return this->mode; } @@ -462,7 +454,7 @@ static void destroy(private_child_cfg_t *this) */ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, u_int32_t rekeytime, u_int32_t jitter, - char *updown, bool hostaccess, mode_t mode, + char *updown, bool hostaccess, ipsec_mode_t mode, action_t dpd_action, action_t close_action, bool ipcomp) { private_child_cfg_t *this = malloc_thing(private_child_cfg_t); 
@@ -475,7 +467,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal; this->public.get_updown = (char* (*) (child_cfg_t*))get_updown; this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess; - this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode; + this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode; this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action; this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action; this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime; diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h index 6d262c217..83d6cafe6 100644 --- a/src/charon/config/child_cfg.h +++ b/src/charon/config/child_cfg.h @@ -14,7 +14,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: child_cfg.h 3920 2008-05-08 16:19:11Z tobias $ + * $Id: child_cfg.h 4358 2008-09-25 13:56:23Z tobias $ */ /** @@ -25,7 +25,6 @@ #ifndef CHILD_CFG_H_ #define CHILD_CFG_H_ -typedef enum mode_t mode_t; typedef enum action_t action_t; typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct child_cfg_t child_cfg_t; @@ -33,25 +32,7 @@ typedef struct child_cfg_t child_cfg_t; #include <library.h> #include <config/proposal.h> #include <config/traffic_selector.h> - -/** - * Mode of an CHILD_SA. - * - * These are equal to those defined in XFRM, so don't change. - */ -enum mode_t { - /** transport mode, no inner address */ - MODE_TRANSPORT = 0, - /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL = 1, - /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET = 4, -}; - -/** - * enum names for mode_t. - */ -extern enum_name_t *mode_names; +#include <kernel/kernel_ipsec.h> /** * Action to take when DPD detected/connection gets closed by peer. 
@@ -208,7 +189,7 @@ struct child_cfg_t { * * @return ipsec mode */ - mode_t (*get_mode) (child_cfg_t *this); + ipsec_mode_t (*get_mode) (child_cfg_t *this); /** * Action to take on DPD. @@ -279,7 +260,7 @@ struct child_cfg_t { */ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, u_int32_t rekeytime, u_int32_t jitter, - char *updown, bool hostaccess, mode_t mode, + char *updown, bool hostaccess, ipsec_mode_t mode, action_t dpd_action, action_t close_action, bool ipcomp); diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index 0e56759c2..04f323128 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -14,7 +14,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: peer_cfg.c 4051 2008-06-10 09:08:27Z tobias $ + * $Id: peer_cfg.c 4276 2008-08-22 10:44:51Z martin $ */ #include <string.h> @@ -37,12 +37,6 @@ ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP, "UNIQUE_KEEP", ); -ENUM(config_auth_method_names, CONF_AUTH_PUBKEY, CONF_AUTH_EAP, - "CONF_AUTH_PUBKEY", - "CONF_AUTH_PSK", - "CONF_AUTH_EAP", -); - typedef struct private_peer_cfg_t private_peer_cfg_t; /** @@ -106,21 +100,6 @@ struct private_peer_cfg_t { unique_policy_t unique; /** - * Method to use for own authentication data - */ - config_auth_method_t auth_method; - - /** - * EAP type to use for peer authentication - */ - eap_type_t eap_type; - - /** - * EAP vendor ID if vendor specific type is used - */ - u_int32_t eap_vendor; - - /** * number of tries after giving up if peer does not respond */ u_int32_t keyingtries; 
@@ -319,23 +298,6 @@ static unique_policy_t get_unique_policy(private_peer_cfg_t *this) } /** - * Implementation of peer_cfg_t.get_auth_method. - */ -static config_auth_method_t get_auth_method(private_peer_cfg_t *this) -{ - return this->auth_method; -} - -/** - * Implementation of peer_cfg_t.get_eap_type. - */ -static eap_type_t get_eap_type(private_peer_cfg_t *this, u_int32_t *vendor) -{ - *vendor = this->eap_vendor; - return this->eap_type; -} - -/** * Implementation of peer_cfg_t.get_keyingtries. */ static u_int32_t get_keyingtries(private_peer_cfg_t *this) @@ -469,9 +431,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) this->other_id->equals(this->other_id, other->other_id) && this->cert_policy == other->cert_policy && this->unique == other->unique && - this->auth_method == other->auth_method && - this->eap_type == other->eap_type && - this->eap_vendor == other->eap_vendor && this->keyingtries == other->keyingtries && this->use_mobike == other->use_mobike && this->rekey_time == other->rekey_time && @@ -533,8 +492,6 @@ static void destroy(private_peer_cfg_t *this) peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, identification_t *my_id, identification_t *other_id, cert_policy_t cert_policy, unique_policy_t unique, - config_auth_method_t auth_method, eap_type_t eap_type, - u_int32_t eap_vendor, u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time, u_int32_t jitter_time, u_int32_t over_time, bool mobike, u_int32_t dpd, 
@@ -556,8 +513,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id; this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy; this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy; - this->public.get_auth_method = (config_auth_method_t (*) (peer_cfg_t *))get_auth_method; - this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *,u_int32_t*))get_eap_type; this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries; this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time; this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time; @@ -586,9 +541,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->other_id = other_id; this->cert_policy = cert_policy; this->unique = unique; - this->auth_method = auth_method; - this->eap_type = eap_type; - this->eap_vendor = eap_vendor; this->keyingtries = keyingtries; this->rekey_time = rekey_time; this->reauth_time = reauth_time; diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h index 5662b48df..473cdfd04 100644 --- a/src/charon/config/peer_cfg.h +++ b/src/charon/config/peer_cfg.h @@ -14,7 +14,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: peer_cfg.h 4054 2008-06-10 20:31:53Z andreas $ + * $Id: peer_cfg.h 4276 2008-08-22 10:44:51Z martin $ */ /** @@ -27,7 +27,6 @@ typedef enum cert_policy_t cert_policy_t; typedef enum unique_policy_t unique_policy_t; -typedef enum config_auth_method_t config_auth_method_t; typedef struct peer_cfg_t peer_cfg_t; #include <library.h> 
@@ -82,23 +81,6 @@ enum unique_policy_t { extern enum_name_t *unique_policy_names; /** - * Authentication method for this IKE_SA. - */ -enum config_auth_method_t { - /** authentication using public keys (RSA, ECDSA) */ - CONF_AUTH_PUBKEY = 1, - /** authentication using a pre-shared secret */ - CONF_AUTH_PSK = 2, - /** authentication using EAP */ - CONF_AUTH_EAP = 3, -}; - -/** - * enum strings for config_auth_method_t - */ -extern enum_name_t *config_auth_method_names; - -/** * Configuration of a peer, specified by IDs. * * The peer config defines a connection between two given IDs. It contains @@ -220,25 +202,6 @@ struct peer_cfg_t { * @return unique policy */ unique_policy_t (*get_unique_policy) (peer_cfg_t *this); - - /** - * Get the authentication method to use to authenticate us. - * - * @return authentication method - */ - config_auth_method_t (*get_auth_method) (peer_cfg_t *this); - - /** - * Get the EAP type to use for peer authentication. - * - * If vendor specific types are used, a vendor ID != 0 is returned to - * to vendor argument. Then the returned type is specific for that - * vendor ID. - * - * @param vendor receives vendor specifier, 0 for predefined EAP types - * @return authentication method - */ - eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor); /** * Get the max number of retries after timeout. @@ -372,9 +335,6 @@ struct peer_cfg_t { * @param other_id identification_t for the remote guy * @param cert_policy should we send a certificate payload? * @param unique uniqueness of an IKE_SA - * @param auth_method auth method to use to authenticate us - * @param eap_type EAP type to use for peer authentication - * @param eap_vendor EAP vendor identifier, if vendor specific type is used * @param keyingtries how many keying tries should be done before giving up * @param rekey_time timeout before starting rekeying * @param reauth_time timeout before starting reauthentication 
@@ -393,8 +353,6 @@ struct peer_cfg_t {
 peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
 identification_t *my_id, identification_t *other_id,
 cert_policy_t cert_policy, unique_policy_t unique,
- config_auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t eap_vendor,
 u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time,
 u_int32_t jitter_time, u_int32_t over_time, bool mobike, u_int32_t dpd,
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 803cf8ae4..b1c049fe8 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -13,7 +13,7 @@
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 *
- * $Id: proposal.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: proposal.c 4390 2008-10-08 12:57:11Z martin $
 */
 
 #include <string.h>
@@ -755,10 +755,18 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 {
 add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
 }
+ else if (strncmp(alg.ptr, "modp3072", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0);
+ }
 else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
 {
 add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
 }
+ else if (strncmp(alg.ptr, "modp6144", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0);
+ }
 else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
 {
 add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
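Review bot: The new `modp3072` and `modp6144` branches in add_string_algo copy the chain's `strncmp(alg.ptr, "modp3072", alg.len) == 0`, which bounds the comparison by the token length only, so a truncated token such as `modp30` also matches and a bare `modp` is claimed by whichever modp branch comes first in the chain. Since alg is a chunk_t whose data is not necessarily NUL-terminated, the length has to be compared explicitly, e.g. `else if (alg.len == strlen("modp3072") && strncmp(alg.ptr, "modp3072", alg.len) == 0)`, and likewise for modp6144. The older branches share the weakness, but the added lines are the natural place to start fixing it, and a short comment on the first branch stating that tokens are compared by exact length would keep future additions consistent. add_string_algo starts and ends outside this hunk.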
@@ -938,6 +946,112 @@ proposal_t *proposal_create(protocol_id_t protocol)
 return &this->public;
 }
 
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static void proposal_add_supported_ike(private_proposal_t *this)
+{
+ enumerator_t *enumerator;
+ encryption_algorithm_t encryption;
+ integrity_algorithm_t integrity;
+ pseudo_random_function_t prf;
+ diffie_hellman_group_t group;
+
+ enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &encryption))
+ {
+ switch (encryption)
+ {
+ case ENCR_AES_CBC:
+ /* we assume that we support all AES sizes */
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ case ENCR_3DES:
+ case ENCR_AES_CTR:
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV16:
+ case ENCR_AES_GCM_ICV8:
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV16:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+ break;
+ case ENCR_DES:
+ /* no, thanks */
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &integrity))
+ {
+ switch (integrity)
+ {
+ case AUTH_HMAC_SHA1_96:
+ case AUTH_HMAC_SHA2_256_128:
+ case AUTH_HMAC_SHA2_384_192:
+ case AUTH_HMAC_SHA2_512_256:
+ case AUTH_HMAC_MD5_96:
+ case AUTH_AES_XCBC_96:
+ add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &prf))
+ {
+ switch (prf)
+ {
+ case PRF_HMAC_SHA1:
+ case PRF_HMAC_SHA2_256:
+ case PRF_HMAC_SHA2_384:
+ case PRF_HMAC_SHA2_512:
+ case PRF_HMAC_MD5:
+ case PRF_AES128_XCBC:
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &group))
+ {
+ switch (group)
+ {
+ case MODP_768_BIT:
+ /* weak */
+ break;
+ case MODP_1024_BIT:
+ case MODP_1536_BIT:
+ case MODP_2048_BIT:
+ case MODP_4096_BIT:
+ case MODP_8192_BIT:
+ case ECP_256_BIT:
+ case ECP_384_BIT:
+ case ECP_521_BIT:
+ case ECP_192_BIT:
+ case ECP_224_BIT:
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
 /*
 * Describtion in header-file
 */
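Review bot: The Diffie-Hellman switch in proposal_add_supported_ike() lists MODP_1024 through MODP_8192 and the ECP groups but not MODP_3072_BIT or MODP_6144_BIT, which the same commit teaches add_string_algo() to parse, so those groups fall into `default: break;` and are never part of the default IKE proposal even when the plugin enumerator offers them; add `case MODP_3072_BIT:` and `case MODP_6144_BIT:` to that case list unless the omission is deliberate, and say so in a comment if it is. The order of the added transforms now follows the plugin enumerators instead of the explicit preference list proposal_create_default() carried before (MODP_2048 first, then 1536, 1024, 4096, 8192), so if the first-added transform is the one the peer is expected to prefer, the outgoing preference now depends on plugin registration order and the header comment should say so. The `/* weak */` on MODP_768_BIT and the inclusion of AUTH_HMAC_MD5_96 and PRF_HMAC_MD5 deserve one sentence in the header comment stating which legacy algorithms are offered purely for interoperability, so the trade-off is visible to whoever prunes this list later.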
@@ -948,27 +1062,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol) switch (protocol) { case PROTO_IKE: - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0); - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0); - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0); - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0); - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0); - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0); - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0); - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0); + proposal_add_supported_ike(this); break; case PROTO_ESP: add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); @@ -990,7 +1084,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol) default: break; } - return &this->public; } diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c index f41c39d30..63172f855 100644 --- a/src/charon/config/traffic_selector.c +++ b/src/charon/config/traffic_selector.c 
@@ -14,7 +14,7 @@
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 *
- * $Id: traffic_selector.c 3658 2008-03-26 10:06:45Z martin $
+ * $Id: traffic_selector.c 4199 2008-07-21 19:08:03Z andreas $
 */
 
 #include <arpa/inet.h>
@@ -195,21 +195,22 @@ static int print(FILE *stream, const struct printf_info *info,
 memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) &&
 memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 {
- return fprintf(stream, "dynamic/%d",
- this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
- }
-
- if (this->type == TS_IPV4_ADDR_RANGE)
- {
- inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+ written += fprintf(stream, "dynamic/%d",
+ this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 }
 else
 {
- inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+ if (this->type == TS_IPV4_ADDR_RANGE)
+ {
+ inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+ }
+ else
+ {
+ inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+ }
+ mask = calc_netbits(this);
+ written += fprintf(stream, "%s/%d", addr_str, mask);
 }
- mask = calc_netbits(this);
-
- written += fprintf(stream, "%s/%d", addr_str, mask);
 
 /* check if we have protocol and/or port selectors */
 has_proto = this->protocol != 0; |
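Review bot: Both new `written += fprintf(...)` lines in print() add the raw fprintf() result to `written`, and fprintf() returns a negative value on error, so a failed write now shrinks the count instead of reporting the failure; the old `return fprintf(...)` in the dynamic branch at least propagated the error for that case. Since `written` is what this printf hook returns, either check each result (`int n = fprintf(...); if (n < 0) return n; written += n;`) or state at the top of print() that output errors are folded into the count by design. The dynamic branch no longer returns early and so falls through to the protocol/port output below, which changes how a dynamic selector is rendered; that looks like the purpose of the change, but a one-line comment on the branch would make it explicit. print() starts and ends outside this hunk.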