specifying keysize in bits, as it is required in IKEv2
added generic kernel SA algorithm handling, which brings us: aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
This commit is contained in:
parent
b7f9ca5837
commit
5c131a016b
|
@ -112,7 +112,7 @@ struct algorithm_t {
|
|||
u_int16_t algorithm;
|
||||
|
||||
/**
|
||||
* the associated key size, or zero if not needed
|
||||
* the associated key size in bits, or zero if not needed
|
||||
*/
|
||||
u_int16_t key_size;
|
||||
};
|
||||
|
|
|
@ -473,12 +473,15 @@ transform_substructure_t *transform_substructure_create_type(transform_type_t tr
|
|||
transform->set_transform_type(transform,transform_type);
|
||||
transform->set_transform_id(transform,transform_id);
|
||||
|
||||
/* a keylength attribute is only created for AES encryption */
|
||||
/* a keylength attribute is only created for variable length algos */
|
||||
if (transform_type == ENCRYPTION_ALGORITHM &&
|
||||
transform_id == ENCR_AES_CBC)
|
||||
(transform_id == ENCR_AES_CBC ||
|
||||
transform_id == ENCR_IDEA ||
|
||||
transform_id == ENCR_CAST ||
|
||||
transform_id == ENCR_BLOWFISH))
|
||||
{
|
||||
transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
|
||||
transform->add_transform_attribute(transform,attribute);
|
||||
transform->add_transform_attribute(transform,attribute);
|
||||
}
|
||||
|
||||
return transform;
|
||||
|
|
|
@ -164,13 +164,9 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
|
|||
static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine)
|
||||
{
|
||||
u_int32_t spi;
|
||||
encryption_algorithm_t enc_algo;
|
||||
integrity_algorithm_t int_algo;
|
||||
chunk_t enc_key, int_key;
|
||||
algorithm_t *algo;
|
||||
crypter_t *crypter;
|
||||
signer_t *signer;
|
||||
size_t key_size;
|
||||
algorithm_t *enc_algo, *int_algo;
|
||||
algorithm_t enc_algo_none = {ENCR_UNDEFINED, 0};
|
||||
algorithm_t int_algo_none = {AUTH_UNDEFINED, 0};
|
||||
host_t *src;
|
||||
host_t *dst;
|
||||
status_t status;
|
||||
|
@ -201,75 +197,44 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
|
|||
this->other.spi = spi;
|
||||
}
|
||||
|
||||
/* derive encryption key first */
|
||||
if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Adding %s %s SA",
|
||||
mine ? "inbound" : "outbound",
|
||||
mapping_find(protocol_id_m, this->protocol));
|
||||
|
||||
/* select encryption algo */
|
||||
if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_algo))
|
||||
{
|
||||
enc_algo = algo->algorithm;
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ",
|
||||
mapping_find(protocol_id_m, this->protocol),
|
||||
mine ? "me" : "other",
|
||||
mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
|
||||
mapping_find(encryption_algorithm_m, enc_algo));
|
||||
|
||||
/* we must create a (unused) crypter, since its the only way to get the size
|
||||
* of the key. This is not so nice, since charon must support all algorithms
|
||||
* the kernel supports...
|
||||
* TODO: build something of a encryption algorithm lookup function
|
||||
*/
|
||||
crypter = crypter_create(enc_algo, algo->key_size);
|
||||
key_size = crypter->get_key_size(crypter);
|
||||
crypter->destroy(crypter);
|
||||
prf_plus->allocate_bytes(prf_plus, key_size, &enc_key);
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "key:", enc_key);
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, " using %s for encryption",
|
||||
mapping_find(encryption_algorithm_m, enc_algo->algorithm));
|
||||
}
|
||||
else
|
||||
{
|
||||
enc_algo = ENCR_UNDEFINED;
|
||||
enc_algo = &enc_algo_none;
|
||||
}
|
||||
|
||||
/* derive integrity key */
|
||||
if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
|
||||
/* select integrity algo */
|
||||
if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_algo))
|
||||
{
|
||||
int_algo = algo->algorithm;
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,",
|
||||
mapping_find(protocol_id_m, this->protocol),
|
||||
mine ? "me" : "other",
|
||||
mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
|
||||
mapping_find(integrity_algorithm_m, algo->algorithm));
|
||||
|
||||
signer = signer_create(int_algo);
|
||||
key_size = signer->get_key_size(signer);
|
||||
signer->destroy(signer);
|
||||
prf_plus->allocate_bytes(prf_plus, key_size, &int_key);
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "key:", int_key);
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, " using %s for integrity",
|
||||
mapping_find(integrity_algorithm_m, int_algo->algorithm));
|
||||
}
|
||||
else
|
||||
{
|
||||
int_algo = AUTH_UNDEFINED;
|
||||
int_algo = &int_algo_none;
|
||||
}
|
||||
|
||||
/* send keys down to kernel */
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1,
|
||||
"installing 0x%.8x for %s, src %s dst %s",
|
||||
ntohl(spi), mapping_find(protocol_id_m, this->protocol),
|
||||
src->get_address(src), dst->get_address(dst));
|
||||
/* send SA down to the kernel */
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2,
|
||||
" SPI 0x%.8x, src %s dst %s",
|
||||
ntohl(spi), src->get_address(src), dst->get_address(dst));
|
||||
status = charon->kernel_interface->add_sa(charon->kernel_interface,
|
||||
src, dst,
|
||||
spi, this->protocol,
|
||||
this->reqid,
|
||||
mine ? 0 : this->soft_lifetime,
|
||||
this->hard_lifetime,
|
||||
enc_algo, enc_key,
|
||||
int_algo, int_key, mine);
|
||||
/* clean up */
|
||||
if (enc_algo != ENCR_UNDEFINED)
|
||||
{
|
||||
chunk_free(&enc_key);
|
||||
}
|
||||
if (int_algo != AUTH_UNDEFINED)
|
||||
{
|
||||
chunk_free(&int_key);
|
||||
}
|
||||
enc_algo, int_algo, prf_plus, mine);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
|
|
|
@ -486,8 +486,8 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
|
|||
this->crypter_responder->destroy(this->crypter_responder);
|
||||
}
|
||||
|
||||
this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size);
|
||||
this->crypter_responder = crypter_create(algo->algorithm, algo->key_size);
|
||||
this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size / 8);
|
||||
this->crypter_responder = crypter_create(algo->algorithm, algo->key_size / 8);
|
||||
if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1,
|
||||
|
|
|
@ -39,24 +39,18 @@ void test_kernel_interface(protected_tester_t *tester)
|
|||
u_int32_t spi;
|
||||
host_t *me, *other, *left, *right;
|
||||
status_t status;
|
||||
|
||||
u_int8_t enc_key_bytes[] = {
|
||||
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
|
||||
prf_plus_t *prf_plus;
|
||||
prf_t *prf;
|
||||
u_int8_t key_bytes[] = {
|
||||
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
|
||||
};
|
||||
chunk_t key = chunk_from_buf(key_bytes);
|
||||
algorithm_t int_alg = {AUTH_HMAC_MD5_96, 0};
|
||||
algorithm_t enc_alg = {ENCR_AES_CBC, 128};
|
||||
|
||||
u_int8_t inc_key_bytes[] = {
|
||||
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
|
||||
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
|
||||
};
|
||||
|
||||
chunk_t enc_key,inc_key;
|
||||
enc_key.ptr = enc_key_bytes;
|
||||
enc_key.len = sizeof(enc_key_bytes);
|
||||
inc_key.ptr = inc_key_bytes;
|
||||
inc_key.len = sizeof(inc_key_bytes);
|
||||
|
||||
|
||||
prf = prf_create(PRF_HMAC_MD5);
|
||||
prf->set_key(prf, key);
|
||||
prf_plus = prf_plus_create(prf, key);
|
||||
|
||||
kernel_interface = kernel_interface_create();
|
||||
|
||||
|
@ -66,7 +60,7 @@ void test_kernel_interface(protected_tester_t *tester)
|
|||
status = kernel_interface->get_spi(kernel_interface, me, other, 50, 1234, &spi);
|
||||
tester->assert_true(tester, status == SUCCESS, "spi get");
|
||||
|
||||
status = kernel_interface->add_sa(kernel_interface, me, other, spi, 50, 1234, 5, 10, ENCR_AES_CBC, enc_key,AUTH_UNDEFINED,inc_key,TRUE);
|
||||
status = kernel_interface->add_sa(kernel_interface, me, other, spi, 50, 1234, 5, 10, &enc_alg, &int_alg, prf_plus, TRUE);
|
||||
tester->assert_true(tester, status == SUCCESS, "add sa");
|
||||
|
||||
left = host_create(AF_INET, "10.1.0.0", 0);
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
|
||||
#define SPD_PRIORITY 1024
|
||||
|
||||
#define XFRM_DATA_LENGTH 512
|
||||
#define XFRM_DATA_LENGTH 1024
|
||||
|
||||
|
||||
typedef struct xfrm_data_t xfrm_data_t;
|
||||
|
@ -109,6 +109,85 @@ struct netlink_message_t {
|
|||
u_int8_t data[XFRM_DATA_LENGTH];
|
||||
};
|
||||
|
||||
typedef struct kernel_algorithm_t kernel_algorithm_t;
|
||||
|
||||
/**
|
||||
* Mapping from the algorithms defined in IKEv2 to
|
||||
* kernel level algorithm names and their key length
|
||||
*/
|
||||
struct kernel_algorithm_t {
|
||||
/**
|
||||
* Identifier specified in IKEv2
|
||||
*/
|
||||
int ikev2_id;
|
||||
|
||||
/**
|
||||
* Name of the algorithm, as used as kernel identifier
|
||||
*/
|
||||
char *name;
|
||||
|
||||
/**
|
||||
* Key length in bits, if fixed size
|
||||
*/
|
||||
u_int key_size;
|
||||
};
|
||||
#define END_OF_LIST -1
|
||||
|
||||
/**
|
||||
* Algorithms for encryption
|
||||
*/
|
||||
kernel_algorithm_t encryption_algs[] = {
|
||||
/* {ENCR_DES_IV64, "***", 0}, */
|
||||
{ENCR_DES, "des", 64},
|
||||
{ENCR_3DES, "des3_ede", 192},
|
||||
/* {ENCR_RC5, "***", 0}, */
|
||||
/* {ENCR_IDEA, "***", 0}, */
|
||||
{ENCR_CAST, "cast128", 0},
|
||||
{ENCR_BLOWFISH, "blowfish", 0},
|
||||
/* {ENCR_3IDEA, "***", 0}, */
|
||||
/* {ENCR_DES_IV32, "***", 0}, */
|
||||
{ENCR_NULL, "cipher_null", 0},
|
||||
{ENCR_AES_CBC, "aes", 0},
|
||||
/* {ENCR_AES_CTR, "***", 0}, */
|
||||
{END_OF_LIST, NULL, 0},
|
||||
};
|
||||
|
||||
/**
|
||||
* Algorithms for integrity protection
|
||||
*/
|
||||
kernel_algorithm_t integrity_algs[] = {
|
||||
{AUTH_HMAC_MD5_96, "md5", 128},
|
||||
{AUTH_HMAC_SHA1_96, "sha1", 160},
|
||||
/* {AUTH_DES_MAC, "***", 0}, */
|
||||
/* {AUTH_KPDK_MD5, "***", 0}, */
|
||||
/* {AUTH_AES_XCBC_96, "***", 0}, */
|
||||
{END_OF_LIST, NULL, 0},
|
||||
};
|
||||
|
||||
/**
|
||||
* Look up a kernel algorithm name and its key size
|
||||
*/
|
||||
char* lookup_algorithm(kernel_algorithm_t *kernel_algo, algorithm_t *ikev2_algo, u_int *key_size)
|
||||
{
|
||||
while (kernel_algo->ikev2_id != END_OF_LIST)
|
||||
{
|
||||
if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
|
||||
{
|
||||
/* match, evaluate key length */
|
||||
if (ikev2_algo->key_size)
|
||||
{ /* variable length */
|
||||
*key_size = ikev2_algo->key_size;
|
||||
}
|
||||
else
|
||||
{ /* fixed length */
|
||||
*key_size = kernel_algo->key_size;
|
||||
}
|
||||
return kernel_algo->name;
|
||||
}
|
||||
kernel_algo++;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
typedef struct private_kernel_interface_t private_kernel_interface_t;
|
||||
|
||||
|
@ -173,42 +252,6 @@ struct private_kernel_interface_t {
|
|||
status_t (*send_message) (private_kernel_interface_t *this, netlink_message_t *request, netlink_message_t **response);
|
||||
};
|
||||
|
||||
/**
|
||||
* In the kernel, algorithms are identified as strings, we use our
|
||||
* mapping functions...
|
||||
* Algorithms for encryption.
|
||||
* TODO: Add missing algorithm strings
|
||||
*/
|
||||
mapping_t kernel_encryption_algs_m[] = {
|
||||
{ENCR_DES_IV64, ""},
|
||||
{ENCR_DES, "des"},
|
||||
{ENCR_3DES, "des3_ede"},
|
||||
{ENCR_RC5, ""},
|
||||
{ENCR_IDEA, "idea"},
|
||||
{ENCR_CAST, "cast128"},
|
||||
{ENCR_BLOWFISH, "blowfish"},
|
||||
{ENCR_3IDEA, ""},
|
||||
{ENCR_DES_IV32, ""},
|
||||
{ENCR_NULL, ""},
|
||||
{ENCR_AES_CBC, "aes"},
|
||||
{ENCR_AES_CTR, ""},
|
||||
{MAPPING_END, NULL}
|
||||
};
|
||||
/**
|
||||
* In the kernel, algorithms are identified as strings, we use our
|
||||
* mapping functions...
|
||||
* Algorithms for integrity protection.
|
||||
* TODO: Add missing algorithm strings
|
||||
*/
|
||||
mapping_t kernel_integrity_algs_m[] = {
|
||||
{AUTH_HMAC_MD5_96, "md5"},
|
||||
{AUTH_HMAC_SHA1_96, "sha1"},
|
||||
{AUTH_DES_MAC, ""},
|
||||
{AUTH_KPDK_MD5, ""},
|
||||
{AUTH_AES_XCBC_96, ""},
|
||||
{MAPPING_END, NULL}
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of kernel_interface_t.get_spi.
|
||||
*/
|
||||
|
@ -277,15 +320,17 @@ static status_t add_sa( private_kernel_interface_t *this,
|
|||
u_int32_t reqid,
|
||||
u_int64_t expire_soft,
|
||||
u_int64_t expire_hard,
|
||||
encryption_algorithm_t enc_alg,
|
||||
chunk_t encryption_key,
|
||||
integrity_algorithm_t int_alg,
|
||||
chunk_t integrity_key,
|
||||
algorithm_t *enc_alg,
|
||||
algorithm_t *int_alg,
|
||||
prf_plus_t *prf_plus,
|
||||
bool replace)
|
||||
{
|
||||
netlink_message_t request, *response;
|
||||
memset(&request, 0, sizeof(request));
|
||||
status_t status = SUCCESS;
|
||||
int key_size;
|
||||
char *alg_name;
|
||||
|
||||
memset(&request, 0, sizeof(request));
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "adding SA");
|
||||
|
||||
|
@ -314,36 +359,52 @@ static status_t add_sa( private_kernel_interface_t *this,
|
|||
|
||||
request.hdr.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(request.sa)));
|
||||
|
||||
if (enc_alg != ENCR_UNDEFINED)
|
||||
if (enc_alg->algorithm != ENCR_UNDEFINED)
|
||||
{
|
||||
xfrm_data_t *data = (xfrm_data_t*)(((u_int8_t*)&request) + request.hdr.nlmsg_len);
|
||||
|
||||
data->type = XFRMA_ALG_CRYPT;
|
||||
data->length = 4 + sizeof(data->algo) + encryption_key.len;
|
||||
data->algo.alg_key_len = encryption_key.len * 8;
|
||||
alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
|
||||
if (alg_name == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Algorithm %s not supported by kernel!",
|
||||
mapping_find(encryption_algorithm_m, enc_alg->algorithm));
|
||||
return FAILED;
|
||||
}
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "using key size %d", key_size);
|
||||
data->length = 4 + sizeof(data->algo) + key_size;
|
||||
data->algo.alg_key_len = key_size;
|
||||
request.hdr.nlmsg_len += data->length;
|
||||
if (request.hdr.nlmsg_len > sizeof(request))
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
strcpy(data->algo.alg_name, mapping_find(kernel_encryption_algs_m, enc_alg));
|
||||
memcpy(data->algo.alg_key, encryption_key.ptr, encryption_key.len);
|
||||
strcpy(data->algo.alg_name, alg_name);
|
||||
prf_plus->get_bytes(prf_plus, key_size / 8, data->algo.alg_key);
|
||||
}
|
||||
|
||||
if (int_alg != AUTH_UNDEFINED)
|
||||
if (int_alg->algorithm != AUTH_UNDEFINED)
|
||||
{
|
||||
xfrm_data_t *data = (xfrm_data_t*)(((u_int8_t*)&request) + request.hdr.nlmsg_len);
|
||||
|
||||
data->type = XFRMA_ALG_AUTH;
|
||||
data->length = 4 + sizeof(data->algo) + integrity_key.len;
|
||||
data->algo.alg_key_len = integrity_key.len * 8;
|
||||
alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
|
||||
if (alg_name == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Algorithm %s not supported by kernel!",
|
||||
mapping_find(integrity_algorithm_m, int_alg->algorithm));
|
||||
return FAILED;
|
||||
}
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "using key size %d", key_size);
|
||||
data->length = 4 + sizeof(data->algo) + key_size;
|
||||
data->algo.alg_key_len = key_size;
|
||||
request.hdr.nlmsg_len += data->length;
|
||||
if (request.hdr.nlmsg_len > sizeof(request))
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
strcpy(data->algo.alg_name, mapping_find(kernel_integrity_algs_m, int_alg));
|
||||
memcpy(data->algo.alg_key, integrity_key.ptr, integrity_key.len);
|
||||
strcpy(data->algo.alg_name, alg_name);
|
||||
prf_plus->get_bytes(prf_plus, key_size / 8, data->algo.alg_key);
|
||||
}
|
||||
|
||||
/* TODO: add IPComp here*/
|
||||
|
@ -739,7 +800,7 @@ kernel_interface_t *kernel_interface_create()
|
|||
|
||||
/* public functions */
|
||||
this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
|
||||
this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,encryption_algorithm_t,chunk_t,integrity_algorithm_t,chunk_t,bool))add_sa;
|
||||
this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,bool))add_sa;
|
||||
this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*, host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int,bool,bool,u_int32_t))add_policy;
|
||||
this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
|
||||
this->public.del_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int))del_policy;
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
#include <linux/xfrm.h>
|
||||
|
||||
#include <utils/host.h>
|
||||
#include <crypto/prf_plus.h>
|
||||
#include <encoding/payloads/proposal_substructure.h>
|
||||
|
||||
typedef struct kernel_interface_t kernel_interface_t;
|
||||
|
@ -70,7 +71,9 @@ struct kernel_interface_t {
|
|||
* SPI (via get_spi). In this case, the replace
|
||||
* flag must be set.
|
||||
* This function does install a single SA for a
|
||||
* single protocol in one direction.
|
||||
* single protocol in one direction. The kernel-interface
|
||||
* gets the keys itself from the PRF, as we don't know
|
||||
* his algorithms and key sizes.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param src source address for this SA
|
||||
|
@ -81,9 +84,8 @@ struct kernel_interface_t {
|
|||
* @param expire_soft lifetime in seconds before rekeying
|
||||
* @param expire_hard lieftime in seconds before delete
|
||||
* @param enc_alg Algorithm to use for encryption (ESP only)
|
||||
* @param enc_key Key to use for encryption
|
||||
* @param int_alg Algorithm to use for integrity protection
|
||||
* @param int_key Key for integrity protection
|
||||
* @param prf_plus PRF to derive keys
|
||||
* @param replace Should an already installed SA be updated?
|
||||
* @return
|
||||
* - SUCCESS
|
||||
|
@ -96,10 +98,9 @@ struct kernel_interface_t {
|
|||
u_int32_t reqid,
|
||||
u_int64_t expire_soft,
|
||||
u_int64_t expire_hard,
|
||||
encryption_algorithm_t enc_alg,
|
||||
chunk_t enc_key,
|
||||
integrity_algorithm_t int_alg,
|
||||
chunk_t int_key,
|
||||
algorithm_t *enc_alg,
|
||||
algorithm_t *int_alg,
|
||||
prf_plus_t *prf_plus,
|
||||
bool replace);
|
||||
/**
|
||||
* @brief Delete a previusly installed SA from the SAD.
|
||||
|
|
|
@ -311,7 +311,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
|
|||
my_host, other_host,
|
||||
RSA_DIGITAL_SIGNATURE);
|
||||
proposal = proposal_create(PROTO_IKE);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
|
||||
|
@ -334,8 +334,12 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
|
|||
|
||||
policy = policy_create(msg->add_conn.name, my_id, other_id);
|
||||
proposal = proposal_create(PROTO_ESP);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
policy->add_proposal(policy, proposal);
|
||||
policy->add_my_traffic_selector(policy, my_ts);
|
||||
policy->add_other_traffic_selector(policy, other_ts);
|
||||
|
@ -514,6 +518,7 @@ logger_context_t get_context(char *context)
|
|||
else if (strcasecmp(context, "CONFG") == 0) return CONFIG;
|
||||
else if (strcasecmp(context, "ENCPL") == 0) return ENCRYPTION_PAYLOAD;
|
||||
else if (strcasecmp(context, "PAYLD") == 0) return PAYLOAD;
|
||||
else if (strcasecmp(context, "XFRM") == 0) return XFRM;
|
||||
else return -2;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue