Merge branch 'android-proposals'
[strongswan.git] / src / frontends / android / app / src / main / jni / libandroidbridge / backend / android_service.c
index cbf36da..986854c 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2016 Tobias Brunner
+ * Copyright (C) 2010-2017 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * HSR Hochschule fuer Technik Rapperswil
@@ -707,6 +707,27 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
        return TRUE;
 }
 
+static proposal_t *parse_proposal(private_android_service_t *this,
+                                                                 protocol_id_t proto, char *opt)
+{
+       proposal_t *proposal = NULL;
+       char *prop;
+
+       prop = this->settings->get_str(this->settings, opt, NULL);
+       if (!prop || !strlen(prop))
+       {
+               return NULL;
+       }
+
+       proposal = proposal_create_from_string(proto, prop);
+       if (!proposal)
+       {
+               DBG1(DBG_CFG, "invalid %N proposal '%s', falling back to defaults",
+                        protocol_id_names, proto, prop);
+       }
+       return proposal;
+}
+
 static job_requeue_t initiate(private_android_service_t *this)
 {
        identification_t *gateway = NULL;
@@ -714,6 +735,7 @@ static job_requeue_t initiate(private_android_service_t *this)
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
        traffic_selector_t *ts;
+       proposal_t *proposal;
        ike_sa_t *ike_sa;
        auth_cfg_t *auth;
        peer_cfg_create_t peer = {
@@ -747,8 +769,16 @@ static job_requeue_t initiate(private_android_service_t *this)
        ike_cfg = ike_cfg_create(IKEV2, certreq, TRUE, "0.0.0.0",
                                                         charon->socket->get_port(charon->socket, FALSE),
                                                         server, port, FRAGMENTATION_YES, 0);
-       ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-       ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
+       proposal = parse_proposal(this, PROTO_IKE, "connection.ike_proposal");
+       if (proposal)
+       {
+               ike_cfg->add_proposal(ike_cfg, proposal);
+       }
+       else
+       {
+               ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+               ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
+       }
 
        peer_cfg = peer_cfg_create("android", ike_cfg, &peer);
        peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
@@ -795,27 +825,34 @@ static job_requeue_t initiate(private_android_service_t *this)
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
        child_cfg = child_cfg_create("android", &child);
-       /* create ESP proposals with and without DH groups, let responder decide
-        * if PFS is used */
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes128gcm16-aes256gcm16-chacha20poly1305-"
-                                                       "curve25519-ecp256-modp3072"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes128-sha256-curve25519-ecp256-modp3072"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes256-sha384-ecp521-modp8192"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes128-aes192-aes256-sha1-sha256-sha384-sha512-"
-                                                       "curve25519-ecp256-ecp384-ecp521-"
-                                                       "modp2048-modp3072-modp4096"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes128gcm16-aes256gcm16-chacha20poly1305"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes128-sha256"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes256-sha384"));
-       child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
-                                                       "aes128-aes192-aes256-sha1-sha256-sha384-sha512"));
+       proposal = parse_proposal(this, PROTO_ESP, "connection.esp_proposal");
+       if (proposal)
+       {
+               child_cfg->add_proposal(child_cfg, proposal);
+       }
+       else
+       {       /* create ESP proposals with and without DH groups, let responder decide
+                * if PFS is used */
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes128gcm16-aes256gcm16-chacha20poly1305-"
+                                                               "curve25519-ecp256-modp3072"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes128-sha256-curve25519-ecp256-modp3072"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes256-sha384-ecp521-modp8192"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes128-aes192-aes256-sha1-sha256-sha384-sha512-"
+                                                               "curve25519-ecp256-ecp384-ecp521-"
+                                                               "modp2048-modp3072-modp4096"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes128gcm16-aes256gcm16-chacha20poly1305"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes128-sha256"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes256-sha384"));
+               child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+                                                               "aes128-aes192-aes256-sha1-sha256-sha384-sha512"));
+       }
        ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
        ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);