Diffstat (limited to 'Source/charon/config')
-rw-r--r--Source/charon/config/configuration_manager.c13
-rw-r--r--Source/charon/config/sa_config.c71
2 files changed, 68 insertions, 16 deletions
diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c
index 73e5aab9a..f3c3cd4cc 100644
--- a/Source/charon/config/configuration_manager.c
+++ b/Source/charon/config/configuration_manager.c
@@ -152,7 +152,7 @@ static void load_default_config (private_configuration_manager_t *this)
init_config_t *init_config1, *init_config2, *init_config3;
ike_proposal_t proposals[2];
child_proposal_t child_proposals[1];
- sa_config_t *sa_config1, *sa_config2;
+ sa_config_t *sa_config1, *sa_config2, *sa_config3;
traffic_selector_t *ts;
init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
@@ -195,6 +195,13 @@ static void load_default_config (private_configuration_manager_t *this)
sa_config2->add_traffic_selector_initiator(sa_config2,ts);
sa_config2->add_traffic_selector_responder(sa_config2,ts);
+
+ sa_config3 = sa_config_create(ID_IPV4_ADDR, "127.0.0.1",
+ ID_IPV4_ADDR, "127.0.0.1",
+ SHARED_KEY_MESSAGE_INTEGRITY_CODE);
+
+ sa_config3->add_traffic_selector_initiator(sa_config3,ts);
+ sa_config3->add_traffic_selector_responder(sa_config3,ts);
ts->destroy(ts);
@@ -210,6 +217,7 @@ static void load_default_config (private_configuration_manager_t *this)
child_proposals[0].esp.encryption_algorithm = ENCR_AES_CBC;
child_proposals[0].esp.encryption_algorithm_key_size = 16;
child_proposals[0].esp.integrity_algorithm = AUTH_UNDEFINED;
+ child_proposals[0].esp.extended_sequence_numbers = NO_EXT_SEQ_NUMBERS;
child_proposals[0].esp.spi[0] = 2;
child_proposals[0].esp.spi[1] = 2;
child_proposals[0].esp.spi[2] = 2;
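Review bot: The new ESN assignment writes into `child_proposals`, an automatic array declared without an initializer in this file's first hunk, so every member this function does not assign explicitly stays indeterminate; unless `child_proposals[0].ah.is_set` is set somewhere outside the visible hunks, proposal_equals' read of `ah.is_set` operates on an uninitialised value. Zero-initialising at the declaration, `child_proposal_t child_proposals[1] = {{0}};`, makes any member left unset well-defined regardless of which fields are filled in later. Separately, the ESP proposal this hunk completes pairs ENCR_AES_CBC with AUTH_UNDEFINED, i.e. an ESP transform without integrity protection; a default configuration should combine a CBC cipher with an integrity algorithm, since unauthenticated CBC is malleable. load_default_config continues outside this hunk.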
@@ -217,10 +225,11 @@ static void load_default_config (private_configuration_manager_t *this)
sa_config1->add_proposal(sa_config1, &child_proposals[0]);
sa_config2->add_proposal(sa_config2, &child_proposals[0]);
+ sa_config3->add_proposal(sa_config3, &child_proposals[0]);
this->add_new_configuration(this,"pinflb31",init_config1,sa_config2);
this->add_new_configuration(this,"pinflb30",init_config2,sa_config1);
- this->add_new_configuration(this,"localhost",init_config3,sa_config1);
+ this->add_new_configuration(this,"localhost",init_config3,sa_config3);
}
diff --git a/Source/charon/config/sa_config.c b/Source/charon/config/sa_config.c
index 2d91f7bbe..623f8be87 100644
--- a/Source/charon/config/sa_config.c
+++ b/Source/charon/config/sa_config.c
@@ -260,31 +260,74 @@ static child_proposal_t *select_proposal(private_sa_config_t *this, u_int8_t ah_
*/
static bool proposal_equals(private_sa_config_t *this, child_proposal_t *first, child_proposal_t *second)
{
+ /*
+ * Proto ? Mandatory ? Optional
+ * -----------------------------------
+ * ESP ? ENCR ? INTEG, D-H, ESN
+ * AH ? INTEG ? D-H, ESN
+ */
+
+ /* equality defaults to false, so return is FALSE if ah and esp not set */
bool equal = FALSE;
+ /* check ah, if set */
if (first->ah.is_set && second->ah.is_set)
{
- if ((first->ah.integrity_algorithm != second->ah.integrity_algorithm) ||
- (first->ah.integrity_algorithm_key_size != second->ah.integrity_algorithm_key_size) ||
- (first->ah.diffie_hellman_group != second->ah.diffie_hellman_group) ||
- (first->ah.extended_sequence_numbers != second->ah.extended_sequence_numbers))
+ /* integrity alg is mandatory, with key size */
+ if ((first->ah.integrity_algorithm == second->ah.integrity_algorithm) &&
+ (first->ah.integrity_algorithm_key_size == second->ah.integrity_algorithm_key_size))
{
- return FALSE;
+ /* dh group is optional, but must be NOT_SET when not set */
+ if (first->ah.diffie_hellman_group != second->ah.diffie_hellman_group)
+ {
+ return FALSE;
+ }
+ /* sequence numbers is optional, but must be NOT_SET when not set */
+ if (first->ah.extended_sequence_numbers != second->ah.extended_sequence_numbers)
+ {
+ return FALSE;
+ }
+ /* all checked, ah seems ok */
+ equal = TRUE;
+ }
+ else
+ {
+ return FALSE;
}
- equal = TRUE;
}
+ /* check esp, if set */
if (first->esp.is_set && second->esp.is_set)
{
- if ((first->esp.encryption_algorithm != second->esp.encryption_algorithm) ||
- (first->esp.encryption_algorithm_key_size != second->esp.encryption_algorithm_key_size) ||
- (first->esp.integrity_algorithm != second->esp.integrity_algorithm) ||
- (first->esp.integrity_algorithm_key_size != second->esp.integrity_algorithm_key_size) ||
- (first->esp.diffie_hellman_group != second->esp.diffie_hellman_group) ||
- (first->esp.extended_sequence_numbers != second->esp.extended_sequence_numbers))
+ /* encryption alg is mandatory, with key size */
+ if ((first->esp.encryption_algorithm == second->esp.encryption_algorithm) &&
+ (first->esp.encryption_algorithm_key_size == second->esp.encryption_algorithm_key_size))
+ {
+ /* int alg is optional, check key only when not NOT_SET */
+ if (first->esp.integrity_algorithm != second->esp.integrity_algorithm)
+ {
+ return FALSE;
+ }
+ if ((first->esp.integrity_algorithm != AUTH_UNDEFINED) &&
+ (first->esp.integrity_algorithm_key_size != second->esp.integrity_algorithm_key_size))
+ {
+ return FALSE;
+ }
+ /* dh group is optional, but must be NOT_SET when not set */
+ if (first->esp.diffie_hellman_group != second->esp.diffie_hellman_group)
+ {
+ return FALSE;
+ }
+ if (first->esp.extended_sequence_numbers != second->esp.extended_sequence_numbers)
+ {
+ return FALSE;
+ }
+ /* all checked, esp seems ok */
+ equal = TRUE;
+ }
+ else
{
- return FALSE;
+ return FALSE;
}
- equal = TRUE;
}
return equal;
}
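Review bot: proposal_equals still reports two proposals as equal when only one of them carries AH (or only one carries ESP): each block is entered only when both `is_set` flags are true and contributes nothing otherwise, so an AH+ESP proposal compared with an ESP-only one returns TRUE as soon as the ESP halves match. If select_proposal (visible in the hunk header) uses this function to match a peer's proposal against the configured ones, a difference in which protocols are present should be rejected up front, e.g. `if ((first->ah.is_set != second->ah.is_set) || (first->esp.is_set != second->esp.is_set)) { return FALSE; }` placed before the first `is_set` check. The ESN comparison carries an explanatory comment in the AH block but none in the ESP block; `/* esn is optional, but must be NOT_SET when not set */` above the ESP comparison keeps the two blocks parallel. The protocol table at the top of the function shows `?` where column separators are presumably intended; if those are non-ASCII characters in the source file, plain `|` avoids the encoding dependence.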