authorMartin Willi <martin@revosec.ch>2010-09-06 16:37:45 +0200
committerMartin Willi <martin@revosec.ch>2010-09-06 16:51:04 +0200
commit24a5b935e7d00eb917deb6b92fe1706a4fb96ce8 (patch)
treeb81c007715a077e7e3bb53ad643a1fc4477039dc /src/libtls/tls_crypto.c
parenta92a34809223bbf88d2d368a5990843c56508c54 (diff)
Added strongswan.conf options to filter cipher suites by specific algorithms
Diffstat (limited to 'src/libtls/tls_crypto.c')
-rw-r--r--src/libtls/tls_crypto.c173
1 files changed, 173 insertions, 0 deletions
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 495b8cb85..7c70cb405 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -687,6 +687,174 @@ static void filter_key_suites(private_tls_crypto_t *this,
}
/**
+ * Filter suites by key exchange user config
+ */
+static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
+ suite_algs_t suites[], int *count)
+{
+ enumerator_t *enumerator;
+ int i, remaining = 0;
+ char *token, *config;
+
+ config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
+ if (config)
+ {
+ for (i = 0; i < *count; i++)
+ {
+ enumerator = enumerator_create_token(config, ",", " ");
+ while (enumerator->enumerate(enumerator, &token))
+ {
+ if (strcaseeq(token, "ecdhe-ecdsa") &&
+ diffie_hellman_group_is_ec(suites[i].dh) &&
+ suites[i].key == KEY_ECDSA)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "ecdhe-rsa") &&
+ diffie_hellman_group_is_ec(suites[i].dh) &&
+ suites[i].key == KEY_RSA)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "dhe-rsa") &&
+ !diffie_hellman_group_is_ec(suites[i].dh) &&
+ suites[i].dh != MODP_NONE &&
+ suites[i].key == KEY_RSA)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "rsa") &&
+ suites[i].dh == MODP_NONE &&
+ suites[i].key == KEY_RSA)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ *count = remaining;
+ }
+}
+
+/**
+ * Filter suites by cipher user config
+ */
+static void filter_cipher_config_suites(private_tls_crypto_t *this,
+ suite_algs_t suites[], int *count)
+{
+ enumerator_t *enumerator;
+ int i, remaining = 0;
+ char *token, *config;
+
+ config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
+ if (config)
+ {
+ for (i = 0; i < *count; i++)
+ {
+ enumerator = enumerator_create_token(config, ",", " ");
+ while (enumerator->enumerate(enumerator, &token))
+ {
+ if (strcaseeq(token, "aes128") &&
+ suites[i].encr == ENCR_AES_CBC &&
+ suites[i].encr_size == 16)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "aes256") &&
+ suites[i].encr == ENCR_AES_CBC &&
+ suites[i].encr_size == 32)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "camellia128") &&
+ suites[i].encr == ENCR_CAMELLIA_CBC &&
+ suites[i].encr_size == 16)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "camellia256") &&
+ suites[i].encr == ENCR_CAMELLIA_CBC &&
+ suites[i].encr_size == 32)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "3des") &&
+ suites[i].encr == ENCR_3DES)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "null") &&
+ suites[i].encr == ENCR_NULL)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ *count = remaining;
+ }
+}
+
+/**
+ * Filter suites by mac user config
+ */
+static void filter_mac_config_suites(private_tls_crypto_t *this,
+ suite_algs_t suites[], int *count)
+{
+ enumerator_t *enumerator;
+ int i, remaining = 0;
+ char *token, *config;
+
+ config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
+ if (config)
+ {
+ for (i = 0; i < *count; i++)
+ {
+ enumerator = enumerator_create_token(config, ",", " ");
+ while (enumerator->enumerate(enumerator, &token))
+ {
+ if (strcaseeq(token, "md5") &&
+ suites[i].hash == HASH_MD5)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "sha1") &&
+ suites[i].hash == HASH_SHA1)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "sha256") &&
+ suites[i].hash == HASH_SHA256)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ if (strcaseeq(token, "sha384") &&
+ suites[i].hash == HASH_SHA384)
+ {
+ suites[remaining++] = suites[i];
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ *count = remaining;
+ }
+}
+
+/**
* Initialize the cipher suite list
*/
static void build_cipher_suite_list(private_tls_crypto_t *this,
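Review bot: A token that matches none of the recognized names leaves every suite unmatched, so `*count = remaining` at the end of filter_key_exchange_config_suites, filter_cipher_config_suites and filter_mac_config_suites sets the count to 0 without any diagnostic — a typo such as `aes-128` in `libtls.cipher` silently empties the suite list and every later handshake fails with no hint why. Before the `*count = remaining;` assignment in each of the three functions, report the fail-closed result, e.g. `if (remaining == 0) { DBG1(DBG_TLS, "libtls.cipher filter rejected all cipher suites"); }` with the matching option name in the key_exchange and mac variants. The accepted tokens are only discoverable from the strcaseeq calls, so each header comment should list them: `ecdhe-ecdsa, ecdhe-rsa, dhe-rsa, rsa` for key_exchange, `aes128, aes256, camellia128, camellia256, 3des, null` for cipher and `md5, sha1, sha256, sha384` for mac. The `this` parameter is unused in all three new functions; it may be kept to mirror filter_key_suites, but otherwise could be dropped since the functions are static.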
@@ -725,6 +893,11 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
lib->crypto->create_dh_enumerator);
+ /* filter suites with strongswan.conf options */
+ filter_key_exchange_config_suites(this, suites, &count);
+ filter_cipher_config_suites(this, suites, &count);
+ filter_mac_config_suites(this, suites, &count);
+
free(this->suites);
this->suite_count = count;
this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
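Review bot: The comment `/* filter suites with strongswan.conf options */` does not name the options, which is the first thing an operator debugging an unexpectedly empty suite list will look for; suggest `/* filter suites with strongswan.conf options libtls.key_exchange, libtls.cipher and libtls.mac */`. After these three calls `count` may be 0, and the malloc on the last line then allocates a zero-length list; build_cipher_suite_list continues outside the hunk, so whether that case is reported elsewhere is not visible here.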