authorMartin Willi <martin@strongswan.org>2006-06-15 11:09:11 +0000
committerMartin Willi <martin@strongswan.org>2006-06-15 11:09:11 +0000
commitc095388f7f04930171eca643f29db972ec7d9ed5 (patch)
tree07acc62917bfd4a95a3a7fca76afa6431587c974 /src/charon/config
parent3efbf983124b6cd89087a3967bdfdfe0ccc607e3 (diff)
added support for "ike" and "esp" keywords
fixed bugs in proposal code algorithm selection; charon now works with ipsec.conf; a lot of other fixes
Diffstat (limited to 'src/charon/config')
-rw-r--r--src/charon/config/connections/connection.c10
-rw-r--r--src/charon/config/proposal.c158
-rw-r--r--src/charon/config/proposal.h33
3 files changed, 192 insertions, 9 deletions
diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c
index 9a90f765a..a938d8b64 100644
--- a/src/charon/config/connections/connection.c
+++ b/src/charon/config/connections/connection.c
@@ -200,20 +200,20 @@ static diffie_hellman_group_t get_dh_group(private_connection_t *this)
iterator_t *iterator;
proposal_t *proposal;
algorithm_t *algo;
+ diffie_hellman_group_t dh_group = MODP_NONE;
iterator = this->proposals->create_iterator(this->proposals, TRUE);
while (iterator->has_next(iterator))
{
iterator->current(iterator, (void**)&proposal);
- proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo);
- if (algo)
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo))
{
- iterator->destroy(iterator);
- return algo->algorithm;
+ dh_group = algo->algorithm;
+ break;
}
}
iterator->destroy(iterator);
- return MODP_NONE;
+ return dh_group;
}
/**
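Review bot: `algo` is still left uninitialized at the top of get_dh_group while the new `dh_group` is initialised to MODP_NONE; the rewritten loop only reads `algo` after get_algorithm() returns TRUE, so this is correct, but `algorithm_t *algo = NULL;` keeps the declarations consistent and makes the reliance on the return value explicit. A one-line comment on the new `break`, `/* the first proposal that carries a DH group wins */`, would document the selection rule the loop now implements. The function's opening line is outside the hunk (only the signature is visible in the hunk header).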
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index ef2ec94cb..3eb081544 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -27,6 +27,10 @@
#include <utils/linked_list.h>
#include <utils/identification.h>
#include <utils/logger.h>
+#include <utils/lexparser.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
/**
@@ -115,8 +119,9 @@ struct private_proposal_t {
*/
static void add_algo(linked_list_t *list, u_int8_t algo, size_t key_size)
{
- algorithm_t *algo_key = malloc_thing(algorithm_t);
+ algorithm_t *algo_key;
+ algo_key = malloc_thing(algorithm_t);
algo_key->algorithm = algo;
algo_key->key_size = key_size;
list->insert_last(list, (void*)algo_key);
@@ -414,6 +419,83 @@ static void free_algo_list(linked_list_t *list)
list->destroy(list);
}
+static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
+{
+ if (strncmp(alg.ptr, "aes128", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ }
+ else if (strncmp(alg.ptr, "aes192", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ }
+ else if (strncmp(alg.ptr, "aes256", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ }
+ else if (strncmp(alg.ptr, "3des", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+ }
+ /* blowfish only uses some predefined key sizes yet */
+ else if (strncmp(alg.ptr, "blowfish128", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128);
+ }
+ else if (strncmp(alg.ptr, "blowfish192", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192);
+ }
+ else if (strncmp(alg.ptr, "blowfish256", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
+ }
+ else if (strncmp(alg.ptr, "sha", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha1", alg.len) == 0)
+ {
+ /* sha means we use SHA for both, PRF and AUTH */
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "md5", alg.len) == 0)
+ {
+ /* same for MD5 */
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "modp1024", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp1536", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp2048", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
+ }
+ else
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
/**
* Implements proposal_t.destroy.
*/
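Review bot: Every branch of add_string_algo compares with `strncmp(alg.ptr, "aes128", alg.len)`, which only checks `alg.len` characters, so any token that is a prefix of a keyword is accepted as that keyword: `aes`, `a`, `blow` or `modp` all match their first branch, and an empty token (from `aes128--sha`) matches `aes128` because strncmp with a length of zero returns 0. Since this function turns ipsec.conf text into the cipher suite actually negotiated, a typo in the config should be rejected rather than silently mapped to the first matching entry; the comparison needs the token length to equal the keyword length as well. A small helper makes this a one-word change per branch, shown below; the remaining branches are mechanical. Independently, `sha`/`sha1` and `md5` only add a PRF for PROTO_IKE, which is worth stating in the existing comment, e.g. `/* sha means SHA for both AUTH and (for IKE only) PRF */`.
```c
/* exact keyword match: a token that is only a prefix of a keyword must not match */
static bool alg_is(chunk_t alg, const char *name)
{
	size_t len = strlen(name);
	return alg.len == len && strncmp(alg.ptr, name, len) == 0;
}

static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
{
	if (alg_is(alg, "aes128"))
	{
		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
	}
	/* … unchanged: remaining keyword branches, each strncmp(alg.ptr, X, alg.len) == 0 replaced by alg_is(alg, X) … */
	else
	{
		return FAILED;
	}
	return SUCCESS;
}
```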
@@ -455,3 +537,77 @@ proposal_t *proposal_create(protocol_id_t protocol)
return &this->public;
}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol)
+{
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+
+ switch (protocol)
+ {
+ case PROTO_IKE:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
+ break;
+ case PROTO_ESP:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ break;
+ case PROTO_AH:
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ break;
+ }
+
+ return &this->public;
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
+{
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+ chunk_t string = {(void*)algs, strlen(algs)};
+ chunk_t alg;
+ status_t status = SUCCESS;
+
+ eat_whitespace(&string);
+ if (string.len < 1)
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ /* get all tokens, separated by '-' */
+ while (extract_token(&alg, '-', &string))
+ {
+ status |= add_string_algo(this, alg);
+ }
+ if (string.len)
+ {
+ status |= add_string_algo(this, string);
+ }
+ if (status != SUCCESS)
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
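Review bot: The header added by this same commit (proposal.h) documents a trailing `!` that "forces this proposal", but proposal_create_from_string never consumes it, so a string such as `aes128-sha!` hands the token `sha!` to add_string_algo, which returns FAILED, and the whole proposal is dropped with NULL; either strip the suffix before tokenizing (`if (string.len && string.ptr[string.len - 1] == '!') { string.len--; }`) or correct the header so it does not promise the flag. The accumulation `status |= add_string_algo(this, alg);` relies on SUCCESS being zero and FAILED surviving a bitwise OR of enum values; an explicit `if (add_string_algo(this, alg) != SUCCESS) { destroy(this); return NULL; }` inside the loop is clearer and stops parsing at the first bad token. `strlen(algs)` also dereferences `algs` unconditionally, so a NULL pointer from the config layer would crash here; a guard at the top returning NULL is cheap. Whitespace is only eaten at the front of the string, so a trailing blank makes the last token fail as well.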
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index 9cb8f04aa..ab58ed3bf 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -1,6 +1,6 @@
/**
* @file proposal.h
- *
+ *
* @brief Interface of proposal_t.
*
*/
@@ -232,12 +232,39 @@ struct proposal_t {
/**
* @brief Create a child proposal for AH, ESP or IKE.
- *
+ *
* @param protocol protocol, such as PROTO_ESP
* @return proposal_t object
- *
+ *
* @ingroup config
*/
proposal_t *proposal_create(protocol_id_t protocol);
+/**
+ * @brief Create a default proposal if nothing further specified.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @return proposal_t object
+ *
+ * @ingroup config
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol);
+
+/**
+ * @brief Create a proposal from a string identifying the algorithms.
+ *
+ * The string is in the same form as a in the ipsec.conf file.
+ * E.g.: aes128-sha2_256-modp2048
+ * 3des-md5
+ * An additional '!' at the end of the string forces this proposal,
+ * without it the peer may choose another algorithm we support.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @param algs algorithms as string
+ * @return proposal_t object
+ *
+ * @ingroup config
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
+
#endif /* PROPOSAL_H_ */
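Review bot: The documentation for proposal_create_from_string uses `aes128-sha2_256-modp2048` as its example, but `sha2_256` is not among the keywords add_string_algo in proposal.c (this commit) accepts, so the documented example would make the function return NULL; the examples should be limited to supported keywords such as `aes128-sha1-modp2048`, or the comment should list the accepted keyword set explicitly. The `!` suffix described here is likewise not parsed by the implementation in this commit (raised on the proposal.c hunk), so its paragraph should either be removed or marked as not yet implemented. The `@return` for both new functions should also say that NULL is returned on an empty or unparsable string, since callers have to check for it.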