diff options
Diffstat (limited to 'src/libcharon/config/proposal.c')
| -rw-r--r-- | src/libcharon/config/proposal.c | 170 |
1 files changed, 109 insertions, 61 deletions
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 2ecdb4f2e..4d881cd2f 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -627,7 +627,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number) /** * Add supported IKE algorithms to proposal */ -static void proposal_add_supported_ike(private_proposal_t *this) +static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) { enumerator_t *enumerator; encryption_algorithm_t encryption; @@ -636,76 +636,91 @@ static void proposal_add_supported_ike(private_proposal_t *this) diffie_hellman_group_t group; const char *plugin_name; - enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) + if (aead) { - switch (encryption) + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - case ENCR_AES_CBC: - case ENCR_AES_CTR: - case ENCR_CAMELLIA_CBC: - case ENCR_CAMELLIA_CTR: - /* we assume that we support all AES/Camellia sizes */ - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - case ENCR_3DES: - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0); - break; - case ENCR_DES: - /* no, thanks */ - break; - default: - break; + switch (encryption) + { + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + /* we assume that we support all AES/Camellia sizes */ + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + default: + break; + } } - } - enumerator->destroy(enumerator); + enumerator->destroy(enumerator); - enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { - switch (encryption) + if (!array_count(this->transforms)) { - case ENCR_AES_CCM_ICV8: - case ENCR_AES_CCM_ICV12: - case ENCR_AES_CCM_ICV16: - case ENCR_AES_GCM_ICV8: - case ENCR_AES_GCM_ICV12: - case ENCR_AES_GCM_ICV16: - case ENCR_CAMELLIA_CCM_ICV8: - case ENCR_CAMELLIA_CCM_ICV12: - case ENCR_CAMELLIA_CCM_ICV16: - /* we assume that we support all AES/Camellia sizes */ - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - default: - break; + return FALSE; } } - enumerator->destroy(enumerator); - - enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) + else { - switch (integrity) + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - case AUTH_HMAC_SHA1_96: - case AUTH_HMAC_SHA2_256_128: - case AUTH_HMAC_SHA2_384_192: - case AUTH_HMAC_SHA2_512_256: - case AUTH_HMAC_MD5_96: - case AUTH_AES_XCBC_96: - case AUTH_AES_CMAC_96: - add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); - break; - default: - break; + switch (encryption) + { + case ENCR_AES_CBC: + case ENCR_AES_CTR: + case ENCR_CAMELLIA_CBC: + case ENCR_CAMELLIA_CTR: + /* we assume that we support all AES/Camellia sizes */ + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + case ENCR_3DES: + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0); + break; + case ENCR_DES: + /* no, thanks */ + break; + default: + break; + } } + enumerator->destroy(enumerator); + + if (!array_count(this->transforms)) + { + return FALSE; + } + + enumerator = lib->crypto->create_signer_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) + { + switch (integrity) + { + case AUTH_HMAC_SHA1_96: + case AUTH_HMAC_SHA2_256_128: + case AUTH_HMAC_SHA2_384_192: + case AUTH_HMAC_SHA2_512_256: + case AUTH_HMAC_MD5_96: + case AUTH_AES_XCBC_96: + case AUTH_AES_CMAC_96: + add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); + break; + default: + break; + } + } + enumerator->destroy(enumerator); } - enumerator->destroy(enumerator); enumerator = lib->crypto->create_prf_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &prf, &plugin_name)) @@ -767,6 +782,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) } } enumerator->destroy(enumerator); + + return TRUE; } /* @@ -779,7 +796,11 @@ proposal_t *proposal_create_default(protocol_id_t protocol) switch (protocol) { case PROTO_IKE: - proposal_add_supported_ike(this); + if (!proposal_add_supported_ike(this, FALSE)) + { + destroy(this); + return NULL; + } break; case PROTO_ESP: add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); @@ -807,6 +828,33 @@ proposal_t *proposal_create_default(protocol_id_t protocol) /* * Describtion in header-file */ +proposal_t *proposal_create_default_aead(protocol_id_t protocol) +{ + private_proposal_t *this; + + switch (protocol) + { + case PROTO_IKE: + this = (private_proposal_t*)proposal_create(protocol, 0); + if (!proposal_add_supported_ike(this, TRUE)) + { + destroy(this); + return NULL; + } + return &this->public; + case PROTO_ESP: + /* we currently don't include any AEAD proposal for ESP, as we + * don't know if our kernel backend actually supports it. */ + return NULL; + case PROTO_AH: + default: + return NULL; + } +} + +/* + * Describtion in header-file + */ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs) { private_proposal_t *this; |