int main(void) { struct db_context *ctx=db_prop_new(PROTO_ISAKMP, 0, 0); db_trans_add(ctx, KEY_IKE); db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC); db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5); db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG); db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024); db_trans_add(ctx, KEY_IKE); db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC); db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5); db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG); db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024); db_trans_add(ctx, KEY_IKE); db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC); db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5); db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY); db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536); db_trans_add(ctx, ESP_3DES); db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1); db_trans_add(ctx, ESP_DES); db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1); db_print(ctx); db_destroy(ctx); return 0; }
/* * Create proposal with runtime kernel algos, merging * with passed proposal if not NULL * * for now this function does free() previous returned * malloced pointer (this quirk allows easier spdb.c change) */ struct db_context * kernel_alg_db_new(struct alg_info_esp *alg_info, lset_t policy, bool logit) { int ealg_i, aalg_i; unsigned int tn=0; int i; const struct esp_info *esp_info; struct esp_info tmp_esp_info; struct db_context *ctx_new=NULL; struct db_trans *t; struct db_prop *prop; unsigned int trans_cnt; bool success = TRUE; int protoid; if(policy & POLICY_ENCRYPT) { trans_cnt=(esp_ealg_num*esp_aalg_num); protoid = PROTO_IPSEC_ESP; } else if(policy & POLICY_AUTHENTICATE) { trans_cnt=esp_aalg_num; protoid = PROTO_IPSEC_AH; } DBG(DBG_EMITTING, DBG_log("kernel_alg_db_new() " "initial trans_cnt=%d", trans_cnt)); /* pass aprox. number of transforms and attributes */ ctx_new = db_prop_new(protoid, trans_cnt, trans_cnt * 2); /* * Loop: for each element (struct esp_info) of * alg_info, if kernel support is present then * build the transform (and attrs) * * if NULL alg_info, propose everything ... */ /* passert(alg_info!=0); */ if (alg_info) { ALG_INFO_ESP_FOREACH(alg_info, esp_info, i) { bool thistime; tmp_esp_info = *esp_info; thistime = kernel_alg_db_add(ctx_new , &tmp_esp_info , policy, logit); if(thistime == FALSE) { success=FALSE; } } } else {
/* * Create proposal with runtime kernel algos, merging * with passed proposal if not NULL * * for now this function does free() previous returned * malloced pointer (this quirk allows easier spdb.c change) */ struct db_context * kernel_alg_db_new(struct alg_info_esp *alg_info, lset_t policy, bool logit) { int ealg_i, aalg_i, tn=0; int i; const struct esp_info *esp_info; struct esp_info tmp_esp_info; struct db_context *ctx_new=NULL; struct db_trans *t; struct db_prop *prop; int trans_cnt; bool success = TRUE; if (!(policy & POLICY_ENCRYPT)) { /* possible for AH-only modes */ DBG(DBG_CONTROL , DBG_log("algo code only works for encryption modes")); return NULL; } trans_cnt=(esp_ealg_num*esp_aalg_num); DBG(DBG_EMITTING, DBG_log("kernel_alg_db_new() " "initial trans_cnt=%d", trans_cnt)); /* pass aprox. number of transforms and attributes */ ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2); /* * Loop: for each element (struct esp_info) of * alg_info, if kernel support is present then * build the transform (and attrs) * * if NULL alg_info, propose everything ... */ /* passert(alg_info!=0); */ if (alg_info) { ALG_INFO_ESP_FOREACH(alg_info, esp_info, i) { bool thistime; tmp_esp_info = *esp_info; thistime = kernel_alg_db_add(ctx_new , &tmp_esp_info , policy, logit); if(thistime == FALSE) { success=FALSE; } } } else {
/* * Create an OAKLEY proposal based on alg_info and policy */ struct db_context * ike_alg_db_new(struct alg_info_ike *ai , lset_t policy) { struct db_context *db_ctx = NULL; struct ike_info *ike_info; unsigned ealg, halg, modp, eklen=0; struct encrypt_desc *enc_desc; int i; if (!ai) { whack_log(RC_LOG_SERIOUS, "no IKE algorithms " "for this connection " "(check ike algorithm string)"); goto fail; } policy &= POLICY_ID_AUTH_MASK; db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5); /* for each group */ ALG_INFO_IKE_FOREACH(ai, ike_info, i) { ealg = ike_info->ike_ealg; halg = ike_info->ike_halg; modp = ike_info->ike_modp; eklen= ike_info->ike_eklen; if (!ike_alg_enc_present(ealg)) { DBG_log(__FUNCTION__ "() " "ike enc ealg=%d not present", ealg); continue; } if (!ike_alg_hash_present(halg)) { DBG_log(__FUNCTION__ "() " "ike hash halg=%d not present", halg); continue; } enc_desc = ike_alg_get_encrypter(ealg); passert(enc_desc != NULL); if (eklen /* && eklen != enc_desc->keydeflen) */ && (eklen < enc_desc->keyminlen || eklen > enc_desc->keymaxlen)) { DBG_log(__FUNCTION__ "() " "ealg=%d (specified) keylen:%d, " "not valid " /* "keylen != %d" */ "min=%d, max=%d" , ealg , eklen /* , enc_desc->keydeflen */ , enc_desc->keyminlen , enc_desc->keymaxlen ); continue; } if (policy & POLICY_RSASIG) { db_trans_add(db_ctx, KEY_IKE); db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg); db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg); if (eklen) db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen); db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG); db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp); } if (policy & POLICY_PSK) { db_trans_add(db_ctx, KEY_IKE); db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg); db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg); if (ike_info->ike_eklen) db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, ike_info->ike_eklen); db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY); db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp); } }