creating default IKE proposals dynamically using algorithm enumeration API
authorMartin Willi <martin@strongswan.org>
Thu, 28 Aug 2008 11:07:57 +0000 (11:07 -0000)
committerMartin Willi <martin@strongswan.org>
Thu, 28 Aug 2008 11:07:57 +0000 (11:07 -0000)
configure.in
src/charon/config/proposal.c
src/libstrongswan/plugins/des/des_plugin.c
src/libstrongswan/plugins/gmp/gmp_plugin.c
src/libstrongswan/plugins/hmac/hmac_plugin.c
src/libstrongswan/plugins/openssl/openssl_plugin.c

index 3cb3c58..289e627 100644 (file)
@@ -750,21 +750,18 @@ fi
 if test x$des = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" des"
 fi
-if test x$md5 = xtrue; then
-       libstrongswan_plugins=${libstrongswan_plugins}" md5"
-fi
 if test x$sha1 = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" sha1"
 fi
 if test x$sha2 = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" sha2"
 fi
+if test x$md5 = xtrue; then
+       libstrongswan_plugins=${libstrongswan_plugins}" md5"
+fi
 if test x$fips_prf = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
 fi
-if test x$gmp = xtrue; then
-       libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-fi
 if test x$random = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" random"
 fi
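Review bot: The order of the `libstrongswan_plugins` entries appears to have become security-relevant, and nothing in the file says so. With default IKE proposals now built from the crypto enumerators, the plugin load order (and the order of the `add_*` calls inside each `plugin_create()`) presumably decides which algorithm is offered to a peer first. A later cleanup that re-sorts this list would then silently change negotiation preference. I would add a comment above the list, e.g. `dnl plugin order defines algorithm preference in default proposals; do not re-sort`, and a matching one-line comment in the des, gmp, hmac and openssl `plugin_create()` hunks. The same applies to the two later configure.in hunks that move `hmac` and `gmp`.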
@@ -774,12 +771,12 @@ fi
 if test x$pubkey = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
 fi
-if test x$hmac = xtrue; then
-       libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-fi
 if test x$xcbc = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
 fi
+if test x$hmac = xtrue; then
+       libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+fi
 if test x$mysql = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" mysql"
 fi
@@ -792,6 +789,9 @@ fi
 if test x$openssl = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" openssl"
 fi
+if test x$gmp = xtrue; then
+       libstrongswan_plugins=${libstrongswan_plugins}" gmp"
+fi
 
 AC_SUBST(libstrongswan_plugins)
 
index 043bbba..75d75f2 100644 (file)
@@ -938,6 +938,112 @@ proposal_t *proposal_create(protocol_id_t protocol)
        return &this->public;
 }
 
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static void proposal_add_supported_ike(private_proposal_t *this)
+{
+       enumerator_t *enumerator;
+       encryption_algorithm_t encryption;
+       integrity_algorithm_t integrity;
+       pseudo_random_function_t prf;
+       diffie_hellman_group_t group;
+       
+       enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+       while (enumerator->enumerate(enumerator, &encryption))
+       {
+               switch (encryption)
+               {
+                       case ENCR_AES_CBC:
+                               /* we assume that we support all AES sizes */
+                               add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+                               add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+                               add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+                               break;
+                       case ENCR_3DES:
+                       case ENCR_AES_CTR:
+                       case ENCR_AES_CCM_ICV8:
+                       case ENCR_AES_CCM_ICV12:
+                       case ENCR_AES_CCM_ICV16:
+                       case ENCR_AES_GCM_ICV8:
+                       case ENCR_AES_GCM_ICV12:
+                       case ENCR_AES_GCM_ICV16:
+                               add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+                               break;
+                       case ENCR_DES:
+                               /* no, thanks */
+                               break;
+                       default:
+                               break;
+               }       
+       }
+       enumerator->destroy(enumerator);
+       
+       enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+       while (enumerator->enumerate(enumerator, &integrity))
+       {
+               switch (integrity)
+               {
+                       case AUTH_HMAC_SHA1_96:
+                       case AUTH_HMAC_SHA2_256_128:
+                       case AUTH_HMAC_SHA2_384_192:
+                       case AUTH_HMAC_SHA2_512_256:
+                       case AUTH_HMAC_MD5_96:
+                       case AUTH_AES_XCBC_96:
+                               add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+                               break;
+                       default:
+                               break;
+               }       
+       }
+       enumerator->destroy(enumerator);
+       
+       enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+       while (enumerator->enumerate(enumerator, &prf))
+       {
+               switch (prf)
+               {
+                       case PRF_HMAC_SHA1:
+                       case PRF_HMAC_SHA2_256:
+                       case PRF_HMAC_SHA2_384:
+                       case PRF_HMAC_SHA2_512:
+                       case PRF_HMAC_MD5:
+                       case PRF_AES128_XCBC:
+                               add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+                               break;
+                       default:
+                               break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       
+       enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+       while (enumerator->enumerate(enumerator, &group))
+       {
+               switch (group)
+               {
+                       case MODP_768_BIT:
+                               /* weak */
+                               break;
+                       case MODP_1024_BIT:
+                       case MODP_1536_BIT:
+                       case MODP_2048_BIT:
+                       case MODP_4096_BIT:
+                       case MODP_8192_BIT:
+                       case ECP_256_BIT:
+                       case ECP_384_BIT:
+                       case ECP_521_BIT:
+                       case ECP_192_BIT:
+                       case ECP_224_BIT:
+                               add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+                               break;
+                       default:
+                               break;
+               }
+       }
+       enumerator->destroy(enumerator);
+}
+
 /*
  * Describtion in header-file
  */
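Review bot: `ENCR_AES_CTR` and the `ENCR_AES_CCM_ICV*`/`ENCR_AES_GCM_ICV*` cases share the `ENCR_3DES` branch and are added with key size 0, while `ENCR_AES_CBC` just above gets explicit 128/192/256 entries. These AES modes are variable-key-length as well, so offering them without a key length leaves the key size ambiguous to the peer; how `add_algorithm` treats 0 is not visible in this hunk, so confirm before changing. I would move those `case` labels up next to `case ENCR_AES_CBC:` so they get the same three sizes. The doc comment could also state that preference follows enumerator order, and that `ENCR_DES` and `MODP_768_BIT` are excluded as weak while MD5, 3DES, `MODP_1024_BIT` and `ECP_192_BIT` are still offered.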
@@ -948,27 +1054,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
        switch (protocol)
        {
                case PROTO_IKE:
-                       add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
-                       add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
-                       add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
-                       add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
-                       add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-                       add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_256_128, 0);
-                       add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-                       add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-                       add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_384_192, 0);
-                       add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_512_256, 0);
-                       add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,        0);
-                       add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,      0);
-                       add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,          0);
-                       add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,           0);
-                       add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,      0);
-                       add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,      0);
-                       add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_2048_BIT,          0);
-                       add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_1536_BIT,          0);
-                       add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_1024_BIT,          0);
-                       add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_4096_BIT,          0);
-                       add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_8192_BIT,          0);
+                       proposal_add_supported_ike(this);
                        break;
                case PROTO_ESP:
                        add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
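Review bot: With the static list gone, the `PROTO_IKE` branch can return a proposal that is missing a whole transform type. If no loaded plugin registers, say, a DH group or a PRF, `proposal_add_supported_ike(this)` adds nothing for it, and since it returns void the caller cannot tell. Previously the default IKE proposal was always complete regardless of which plugins were built. At minimum I would document this at the call, e.g. `/* algorithms come from loaded plugins; proposal may be incomplete if a transform type has no provider */`, and consider logging when a category ends up empty. `proposal_create_default` starts and ends outside this hunk, and the `PROTO_ESP` branch still uses the hard-coded list.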
@@ -990,7 +1076,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
                default:
                        break;
        }
-       
        return &this->public;
 }
 
index 4fb98c1..0dd6c1d 100644 (file)
@@ -52,10 +52,10 @@ plugin_t *plugin_create()
        
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
        
-       lib->crypto->add_crypter(lib->crypto, ENCR_DES,
-                                                        (crypter_constructor_t)des_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
                                                         (crypter_constructor_t)des_crypter_create);
+       lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+                                                        (crypter_constructor_t)des_crypter_create);
        
        return &this->public.plugin;
 }
index ffae669..c153d86 100644 (file)
@@ -58,14 +58,10 @@ plugin_t *plugin_create()
        
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
        
-       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
-                                               (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
                                                (dh_constructor_t)gmp_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
-                                               (dh_constructor_t)gmp_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
                                                (dh_constructor_t)gmp_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
@@ -74,6 +70,10 @@ plugin_t *plugin_create()
                                                (dh_constructor_t)gmp_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
                                                (dh_constructor_t)gmp_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+                                               (dh_constructor_t)gmp_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+                                               (dh_constructor_t)gmp_diffie_hellman_create);
        
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                (builder_constructor_t)gmp_rsa_private_key_builder);
index 246fbb0..bf9626b 100644 (file)
@@ -55,25 +55,25 @@ plugin_t *plugin_create()
        
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
        
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256
                                                 (prf_constructor_t)hmac_prf_create);
        lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, 
                                                 (prf_constructor_t)hmac_prf_create);
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5
                                                 (prf_constructor_t)hmac_prf_create);
        lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, 
                                                 (prf_constructor_t)hmac_prf_create);
        lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, 
                                                 (prf_constructor_t)hmac_prf_create);
        
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
-                                                       (signer_constructor_t)hmac_signer_create);
        lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, 
                                                        (signer_constructor_t)hmac_signer_create);
        lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, 
                                                        (signer_constructor_t)hmac_signer_create);
        lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, 
                                                        (signer_constructor_t)hmac_signer_create);
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
+                                                       (signer_constructor_t)hmac_signer_create);
        lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, 
                                                        (signer_constructor_t)hmac_signer_create);
        lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, 
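Review bot: The new signer order registers `AUTH_HMAC_SHA1_96` ahead of `AUTH_HMAC_SHA2_256_128`, whereas the PRF block in the same hunk moves `PRF_HMAC_SHA2_256` to the front, and the removed static IKE list in proposal.c preferred `AUTH_HMAC_SHA2_256_128` over `AUTH_HMAC_SHA1_96`. If enumeration follows registration order, default IKE proposals now prefer SHA-1 over SHA-256 for integrity, which looks like an unintended downgrade in preference. I would register `AUTH_HMAC_SHA2_256_128` first so the signer order mirrors the PRF order. The `add_prf` lines for `PRF_HMAC_SHA2_256` and `PRF_HMAC_MD5` are shown without a trailing comma, which is probably a rendering artifact of this page but is worth checking against the real patch.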
index a45e46a..d4e0f6f 100644 (file)
@@ -87,7 +87,7 @@ plugin_t *plugin_create()
        ENGINE_register_all_complete();
        
        /* crypter */
-       lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+       lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
                                        (crypter_constructor_t)openssl_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
                                        (crypter_constructor_t)openssl_crypter_create);
@@ -99,9 +99,9 @@ plugin_t *plugin_create()
                                        (crypter_constructor_t)openssl_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
                                        (crypter_constructor_t)openssl_crypter_create);
-       lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
+       lib->crypto->add_crypter(lib->crypto, ENCR_DES,
                                        (crypter_constructor_t)openssl_crypter_create);
-       lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+       lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
                                        (crypter_constructor_t)openssl_crypter_create);
        
        /* hasher */
@@ -118,15 +118,23 @@ plugin_t *plugin_create()
        lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
                                        (hasher_constructor_t)openssl_hasher_create);
        
+       /* ec diffie hellman */
+       lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
+                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
+                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
+                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
+       
        /* diffie hellman */
-       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
-                                               (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
                                                (dh_constructor_t)openssl_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
-                                               (dh_constructor_t)openssl_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
                                                (dh_constructor_t)openssl_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
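Review bot: The EC groups are now registered ahead of the MODP groups, still in ascending size, so `ECP_192_BIT` is the first DH group this plugin registers. `proposal_add_supported_ike` accepts `ECP_192_BIT` and `ECP_224_BIT`, so if enumeration follows registration order the smallest curve becomes the most preferred group in the default IKE proposal, ahead of `ECP_256_BIT` and `MODP_2048_BIT`. The MODP block in this same commit was reordered to put `MODP_2048_BIT` first and `MODP_1024_BIT`/`MODP_768_BIT` last; the EC block should get the same treatment, e.g. `ECP_256_BIT`, `ECP_384_BIT`, `ECP_521_BIT`, then `ECP_224_BIT`, `ECP_192_BIT`. `plugin_create` starts and ends outside this hunk.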
@@ -135,18 +143,10 @@ plugin_t *plugin_create()
                                                (dh_constructor_t)openssl_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       
-       /* ec diffie hellman */
-       lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
-                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
-                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
-                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
-                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
-                                               (dh_constructor_t)openssl_ec_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+                                               (dh_constructor_t)openssl_diffie_hellman_create);
+       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+                                               (dh_constructor_t)openssl_diffie_hellman_create);
        
        /* rsa */
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,