diff options
Diffstat (limited to 'src/charon/config')
| -rw-r--r-- | src/charon/config/attributes/attribute_manager.c | 6 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_manager.h | 7 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_provider.h | 4 | ||||
| -rw-r--r-- | src/charon/config/auth_cfg.c | 770 | ||||
| -rw-r--r-- | src/charon/config/auth_cfg.h | 201 | ||||
| -rw-r--r-- | src/charon/config/backend.h | 16 | ||||
| -rw-r--r-- | src/charon/config/backend_manager.c | 312 | ||||
| -rw-r--r-- | src/charon/config/backend_manager.h | 30 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.c | 147 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.h | 76 | ||||
| -rw-r--r-- | src/charon/config/proposal.c | 240 | ||||
| -rw-r--r-- | src/charon/config/proposal_keywords.h | 26 | ||||
| -rw-r--r-- | src/charon/config/proposal_keywords.txt | 101 |
13 files changed, 1511 insertions, 425 deletions
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c index a069c954a..f0ae4ffa0 100644 --- a/src/charon/config/attributes/attribute_manager.c +++ b/src/charon/config/attributes/attribute_manager.c @@ -49,7 +49,7 @@ struct private_attribute_manager_t { */ static host_t* acquire_address(private_attribute_manager_t *this, char *pool, identification_t *id, - auth_info_t *auth, host_t *requested) + host_t *requested) { enumerator_t *enumerator; attribute_provider_t *current; @@ -59,7 +59,7 @@ static host_t* acquire_address(private_attribute_manager_t *this, enumerator = this->providers->create_enumerator(this->providers); while (enumerator->enumerate(enumerator, ¤t)) { - host = current->acquire_address(current, pool, id, auth, requested); + host = current->acquire_address(current, pool, id, requested); if (host) { break; @@ -143,7 +143,7 @@ attribute_manager_t *attribute_manager_create() { private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t); - this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address; + this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address; this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address; this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider; this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider; diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h index aef6e7b6e..0ac37e78a 100644 --- a/src/charon/config/attributes/attribute_manager.h +++ b/src/charon/config/attributes/attribute_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Martin Willi + * Copyright (C) 2008-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -36,14 +36,13 @@ struct attribute_manager_t { * Acquire a virtual IP address to assign to a peer. * * @param pool pool name to acquire address from - * @param id peer identity to get address for - * @param auth authorization infos of peer + * @param id peer identity to get address forua * @param requested IP in configuration request * @return allocated address, NULL to serve none */ host_t* (*acquire_address)(attribute_manager_t *this, char *pool, identification_t *id, - auth_info_t *auth, host_t *requested); + host_t *requested); /** * Release a previously acquired address. diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h index 5d563e86b..cbd0075ad 100644 --- a/src/charon/config/attributes/attribute_provider.h +++ b/src/charon/config/attributes/attribute_provider.h @@ -25,7 +25,6 @@ #include <library.h> #include <utils/host.h> -#include <credentials/auth_info.h> typedef struct attribute_provider_t attribute_provider_t; @@ -39,13 +38,12 @@ struct attribute_provider_t { * * @param pool name of the pool to acquire address from * @param id peer ID - * @param auth authorization infos * @param requested IP in configuration request * @return allocated address, NULL to serve none */ host_t* (*acquire_address)(attribute_provider_t *this, char *pool, identification_t *id, - auth_info_t *auth, host_t *requested); + host_t *requested); /** * Release a previously acquired address. * diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c new file mode 100644 index 000000000..90fe9877d --- /dev/null +++ b/src/charon/config/auth_cfg.c @@ -0,0 +1,770 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "auth_cfg.h" + +#include <daemon.h> +#include <utils/linked_list.h> +#include <utils/identification.h> +#include <credentials/certificates/certificate.h> + +ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, + "RULE_IDENTITY", + "RULE_AUTH_CLASS", + "RULE_EAP_IDENTITY", + "RULE_EAP_TYPE", + "RULE_EAP_VENDOR", + "RULE_CA_CERT", + "RULE_IM_CERT", + "RULE_SUBJECT_CERT", + "RULE_CRL_VALIDATION", + "RULE_OCSP_VALIDATION", + "RULE_AC_GROUP", + "HELPER_IM_CERT", + "HELPER_SUBJECT_CERT", + "HELPER_IM_HASH_URL", + "HELPER_SUBJECT_HASH_URL", +); + +typedef struct private_auth_cfg_t private_auth_cfg_t; + +/** + * private data of item_set + */ +struct private_auth_cfg_t { + + /** + * public functions + */ + auth_cfg_t public; + + /** + * list of entry_t + */ + linked_list_t *entries; +}; + +typedef struct entry_t entry_t; + +struct entry_t { + /** rule type */ + auth_rule_t type; + /** associated value */ + void *value; +}; + +/** + * enumerator for auth_cfg_t.create_enumerator() + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** inner enumerator from linked_list_t */ + enumerator_t *inner; + /** current entry */ + entry_t *current; +} entry_enumerator_t; + +/** + * enumerate function for item_enumerator_t + */ +static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value) +{ + entry_t *entry; + + if (this->inner->enumerate(this->inner, &entry)) + { + this->current = entry; + *type = entry->type; + *value = entry->value; + return TRUE; + } + return FALSE; +} + +/** + * destroy function for item_enumerator_t + */ +static void entry_enumerator_destroy(entry_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + +/** + * Implementation of auth_cfg_t.create_enumerator. + */ +static enumerator_t* create_enumerator(private_auth_cfg_t *this) +{ + entry_enumerator_t *enumerator; + + enumerator = malloc_thing(entry_enumerator_t); + enumerator->inner = this->entries->create_enumerator(this->entries); + enumerator->public.enumerate = (void*)enumerate; + enumerator->public.destroy = (void*)entry_enumerator_destroy; + enumerator->current = NULL; + return &enumerator->public; +} + +/** + * Destroy the value associated with an entry + */ +static void destroy_entry_value(entry_t *entry) +{ + switch (entry->type) + { + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id = (identification_t*)entry->value; + id->destroy(id); + break; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)entry->value; + cert->destroy(cert); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + free(entry->value); + break; + } + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + break; + } +} + +/** + * Implementation of auth_cfg_t.replace. + */ +static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, + auth_rule_t type, ...) +{ + if (enumerator->current) + { + va_list args; + + va_start(args, type); + + destroy_entry_value(enumerator->current); + enumerator->current->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + /* integer type */ + enumerator->current->value = (void*)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* pointer type */ + enumerator->current->value = va_arg(args, void*); + break; + } + va_end(args); + } +} + +/** + * Implementation of auth_cfg_t.get. + */ +static void* get(private_auth_cfg_t *this, auth_rule_t type) +{ + enumerator_t *enumerator; + void *current_value, *best_value = NULL; + auth_rule_t current_type; + bool found = FALSE; + + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, ¤t_type, ¤t_value)) + { + if (type == current_type) + { + if (type == AUTH_RULE_CRL_VALIDATION || + type == AUTH_RULE_OCSP_VALIDATION) + { /* for CRL/OCSP validation, always get() the highest value */ + if (!found || current_value > best_value) + { + best_value = current_value; + } + found = TRUE; + continue; + } + best_value = current_value; + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + if (found) + { + return best_value; + } + switch (type) + { + /* use some sane defaults if we don't find an entry */ + case AUTH_RULE_AUTH_CLASS: + return (void*)AUTH_CLASS_ANY; + case AUTH_RULE_EAP_TYPE: + return (void*)EAP_NAK; + case AUTH_RULE_EAP_VENDOR: + return (void*)0; + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + return (void*)VALIDATION_FAILED; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + default: + return NULL; + } +} + +/** + * Implementation of auth_cfg_t.add. + */ +static void add(private_auth_cfg_t *this, auth_rule_t type, ...) +{ + entry_t *entry = malloc_thing(entry_t); + va_list args; + + va_start(args, type); + entry->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + /* integer type */ + entry->value = (void*)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* pointer type */ + entry->value = va_arg(args, void*); + break; + } + va_end(args); + this->entries->insert_last(this->entries, entry); +} + +/** + * Implementation of auth_cfg_t.complies. + */ +static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, + bool log_error) +{ + enumerator_t *e1, *e2; + bool success = TRUE; + auth_rule_t t1, t2; + void *value; + + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + switch (t1) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)value; + + success = FALSE; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &c2)) + { + if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) && + c1->equals(c1, c2)) + { + success = TRUE; + } + } + e2->destroy(e2); + if (!success && log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated by CA '%D'.", c1->get_subject(c1)); + } + break; + } + case AUTH_RULE_SUBJECT_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)value; + c2 = get(this, AUTH_RULE_SUBJECT_CERT); + if (!c2 || !c1->equals(c1, c2)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated with peer cert '%D'.", + c1->get_subject(c1)); + } + } + break; + } + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + { + cert_validation_t validated, required; + + required = (uintptr_t)value; + validated = (uintptr_t)get(this, t1); + switch (required) + { + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %N is %N, " + "but requires at least %N", auth_rule_names, + t1, cert_validation_names, validated, + cert_validation_names, required); + } + break; + } + break; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + { + identification_t *id1, *id2; + + id1 = (identification_t*)value; + id2 = get(this, t1); + if (!id2 || !id2->matches(id2, id1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %sidentity '%D'" + " required ", t1 == AUTH_RULE_IDENTITY ? "" : + "EAP ", id1); + } + } + break; + } + case AUTH_RULE_AUTH_CLASS: + { + if ((uintptr_t)value != AUTH_CLASS_ANY && + (uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %N authentication, " + "but %N was used", auth_class_names, (uintptr_t)value, + auth_class_names, (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_EAP_TYPE: + { + if ((uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %N, " + "but %N was used", eap_type_names, (uintptr_t)value, + eap_type_names, (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_EAP_VENDOR: + { + if ((uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires EAP vendor %d, " + "but %d was used", (uintptr_t)value, + (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_AC_GROUP: + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check %N not implemented!", + auth_rule_names, t1); + } + break; + } + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* skip helpers */ + continue; + } + if (!success) + { + break; + } + } + e1->destroy(e1); + return success; +} + +/** + * Implementation of auth_cfg_t.merge. + */ +static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy) +{ + if (!other) + { /* nothing to merge */ + return; + } + if (copy) + { + enumerator_t *enumerator; + auth_rule_t type; + void *value; + + enumerator = create_enumerator(other); + while (enumerator->enumerate(enumerator, &type, &value)) + { + switch (type) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)value; + + add(this, type, cert->get_ref(cert)); + break; + } + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + { + add(this, type, (uintptr_t)value); + break; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id = (identification_t*)value; + + add(this, type, id->clone(id)); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + add(this, type, strdup((char*)value)); + break; + } + } + } + enumerator->destroy(enumerator); + } + else + { + entry_t *entry; + + while (other->entries->remove_first(other->entries, + (void**)&entry) == SUCCESS) + { + this->entries->insert_last(this->entries, entry); + } + } +} + +/** + * Implementation of auth_cfg_t.equals. + */ +static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) +{ + enumerator_t *e1, *e2; + entry_t *i1, *i2; + bool equal = TRUE, found; + + if (this->entries->get_count(this->entries) != + other->entries->get_count(other->entries)) + { + return FALSE; + } + e1 = this->entries->create_enumerator(this->entries); + while (e1->enumerate(e1, &i1)) + { + found = FALSE; + e2 = other->entries->create_enumerator(other->entries); + while (e2->enumerate(e2, &i2)) + { + if (i1->type == i2->type) + { + switch (i1->type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + { + if (i1->value == i2->value) + { + found = TRUE; + break; + } + continue; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)i1->value; + c2 = (certificate_t*)i2->value; + + if (c1->equals(c1, c2)) + { + found = TRUE; + break; + } + continue; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id1, *id2; + + id1 = (identification_t*)i1->value; + id2 = (identification_t*)i2->value; + + if (id1->equals(id1, id2)) + { + found = TRUE; + break; + } + continue; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + if (streq(i1->value, i2->value)) + { + found = TRUE; + break; + } + continue; + } + } + break; + } + } + e2->destroy(e2); + if (!found) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + return equal; +} + +/** + * Implementation of auth_cfg_t.purge + */ +static void purge(private_auth_cfg_t *this, bool keep_ca) +{ + entry_t *entry; + linked_list_t *cas; + + cas = linked_list_create(); + while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS) + { + if (keep_ca && entry->type == AUTH_RULE_CA_CERT) + { + cas->insert_first(cas, entry); + } + else + { + destroy_entry_value(entry); + free(entry); + } + } + while (cas->remove_last(cas, (void**)&entry) == SUCCESS) + { + this->entries->insert_first(this->entries, entry); + } + cas->destroy(cas); +} + +/** + * Implementation of auth_cfg_t.clone + */ +static auth_cfg_t* clone_(private_auth_cfg_t *this) +{ + enumerator_t *enumerator; + auth_cfg_t *clone; + entry_t *entry; + + clone = auth_cfg_create(); + enumerator = this->entries->create_enumerator(this->entries); + while (enumerator->enumerate(enumerator, &entry)) + { + switch (entry->type) + { + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id = (identification_t*)entry->value; + clone->add(clone, entry->type, id->clone(id)); + break; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)entry->value; + clone->add(clone, entry->type, cert->get_ref(cert)); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + clone->add(clone, entry->type, strdup(entry->value)); + break; + } + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + clone->add(clone, entry->type, (uintptr_t)entry->value); + break; + } + } + enumerator->destroy(enumerator); + return clone; +} + +/** + * Implementation of auth_cfg_t.destroy + */ +static void destroy(private_auth_cfg_t *this) +{ + purge(this, FALSE); + this->entries->destroy(this->entries); + free(this); +} + +/* + * see header file + */ +auth_cfg_t *auth_cfg_create() +{ + private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t); + + this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add; + this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get; + this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator; + this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace; + this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies; + this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge; + this->public.purge = (void(*)(auth_cfg_t*,bool))purge; + this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals; + this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_; + this->public.destroy = (void(*)(auth_cfg_t*))destroy; + + this->entries = linked_list_create(); + + return &this->public; +} + diff --git a/src/charon/config/auth_cfg.h b/src/charon/config/auth_cfg.h new file mode 100644 index 000000000..c6bc1959b --- /dev/null +++ b/src/charon/config/auth_cfg.h @@ -0,0 +1,201 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup auth_cfg auth_cfg + * @{ @ingroup config + */ + +#ifndef AUTH_CFG_H_ +#define AUTH_CFG_H_ + +#include <utils/enumerator.h> + +typedef struct auth_cfg_t auth_cfg_t; +typedef enum auth_rule_t auth_rule_t; + +/** + * Authentication config to use during authentication process. + * + * Each authentication config contains a set of rules. These rule-sets are used + * in two ways: + * - For configs specifying local authentication behavior, the rules define + * which authentication method in which way. + * - For configs specifying remote peer authentication, the rules define + * constraints the peer has to fullfill. + * + * Additionally to the rules, there is a set of helper items. These are used + * to transport credentials during the authentication process. + */ +enum auth_rule_t { + + /** identity to use for IKEv2 authentication exchange, identification_t* */ + AUTH_RULE_IDENTITY, + /** authentication class, auth_class_t */ + AUTH_RULE_AUTH_CLASS, + /** EAP identity to use within EAP-Identity exchange, identification_t* */ + AUTH_RULE_EAP_IDENTITY, + /** EAP type to propose for peer authentication, eap_type_t */ + AUTH_RULE_EAP_TYPE, + /** EAP vendor for vendor specific type, u_int32_t */ + AUTH_RULE_EAP_VENDOR, + /** certificate authority, certificate_t* */ + AUTH_RULE_CA_CERT, + /** intermediate certificate in trustchain, certificate_t* */ + AUTH_RULE_IM_CERT, + /** subject certificate, certificate_t* */ + AUTH_RULE_SUBJECT_CERT, + /** result of a CRL validation, cert_validation_t */ + AUTH_RULE_CRL_VALIDATION, + /** result of a OCSP validation, cert_validation_t */ + AUTH_RULE_OCSP_VALIDATION, + /** subject is in attribute certificate group, identification_t* */ + AUTH_RULE_AC_GROUP, + + /** intermediate certificate, certificate_t* */ + AUTH_HELPER_IM_CERT, + /** subject certificate, certificate_t* */ + AUTH_HELPER_SUBJECT_CERT, + /** Hash and URL of a intermediate certificate, char* */ + AUTH_HELPER_IM_HASH_URL, + /** Hash and URL of a end-entity certificate, char* */ + AUTH_HELPER_SUBJECT_HASH_URL, +}; + +/** + * enum name for auth_rule_t. + */ +extern enum_name_t *auth_rule_names; + +/** + * Authentication/Authorization round. + * + * RFC4739 defines multiple authentication rounds. This class defines such + * a round from a configuration perspective, either for the local or the remote + * peer. Local config are called "rulesets", as they define how we authenticate. + * Remote peer configs are called "constraits", they define what is needed to + * complete the authentication round successfully. + * + * @verbatim + + [Repeat for each configuration] + +--------------------------------------------------+ + | | + | | + | +----------+ IKE_AUTH +--------- + | + | | config | -----------> | | | + | | ruleset | | | | + | +----------+ [ <----------- ] | | | + | [ optional EAP ] | Peer | | + | +----------+ [ -----------> ] | | | + | | config | | | | + | | constr. | <----------- | | | + | +----------+ IKE_AUTH +--------- + | + | | + | | + +--------------------------------------------------+ + + @endverbatim + * + * Values for each items are either pointers (casted to void*) or short + * integers (use uintptr_t cast). + */ +struct auth_cfg_t { + + /** + * Add an rule to the set. + * + * @param rule rule type + * @param ... associated value to rule + */ + void (*add)(auth_cfg_t *this, auth_rule_t rule, ...); + + /** + * Get an rule value. + * + * @param rule rule type + * @return bool if item has been found + */ + void* (*get)(auth_cfg_t *this, auth_rule_t rule); + + /** + * Create an enumerator over added rules. + * + * @return enumerator over (auth_rule_t, union{void*,uintpr_t}) + */ + enumerator_t* (*create_enumerator)(auth_cfg_t *this); + + /** + * Replace an rule at enumerator position. + * + * @param pos enumerator position position + * @param rule rule type + * @param ... associated value to rule + */ + void (*replace)(auth_cfg_t *this, enumerator_t *pos, + auth_rule_t rule, ...); + + /** + * Check if a used config fulfills a set of configured constraints. + * + * @param constraints required authorization rules + * @param log_error wheter to log compliance errors + * @return TRUE if this complies with constraints + */ + bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error); + + /** + * Merge items from other into this. + * + * @param other items to read for merge + * @param copy TRUE to copy items, FALSE to move them + */ + void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy); + + /** + * Purge all rules in a config. + * + * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries + */ + void (*purge)(auth_cfg_t *this, bool keep_ca); + + /** + * Check two configs for equality. + * + * @param other other config to compaire against this + * @return TRUE if auth infos identical + */ + bool (*equals)(auth_cfg_t *this, auth_cfg_t *other); + + /** + * Clone a authentication config, including all rules. + * + * @return cloned configuration + */ + auth_cfg_t* (*clone)(auth_cfg_t *this); + + /** + * Destroy a config with all associated rules/values. + */ + void (*destroy)(auth_cfg_t *this); +}; + +/** + * Create a authentication config. + */ +auth_cfg_t *auth_cfg_create(); + +#endif /** AUTH_CFG_H_ @}*/ diff --git a/src/charon/config/backend.h b/src/charon/config/backend.h index 4673d3984..42633f73b 100644 --- a/src/charon/config/backend.h +++ b/src/charon/config/backend.h @@ -28,7 +28,6 @@ typedef struct backend_t backend_t; #include <library.h> #include <config/ike_cfg.h> #include <config/peer_cfg.h> -#include <credentials/auth_info.h> #include <utils/linked_list.h> /** @@ -45,6 +44,10 @@ struct backend_t { * * Hosts may be NULL to get all. * + * There is no requirement for the backend to filter the configurations + * using the supplied hosts; but it may do so if it increases lookup times + * (e.g. include hosts in SQL query). + * * @param me address of local host * @param other address of remote host * @return enumerator over ike_cfg_t's @@ -52,10 +55,17 @@ struct backend_t { enumerator_t* (*create_ike_cfg_enumerator)(backend_t *this, host_t *me, host_t *other); /** - * Create an enumerator over all Peer configs matching two IDs. + * Create an enumerator over all peer configs matching two identities. * * IDs may be NULL to get all. * + * As configurations are looked up in the first authentication round (when + * multiple authentication), the backend implementation should compare + * the identities to the first auth_cfgs only. + * There is no requirement for the backend to filter the configurations + * using the supplied identities; but it may do so if it increases lookup + * times (e.g. include hosts in SQL query). + * * @param me identity of ourself * @param other identity of remote host * @return enumerator over peer_cfg_t @@ -64,7 +74,7 @@ struct backend_t { identification_t *me, identification_t *other); /** - * Get a peer_cfg identified by it's name, or a name of its child. + * Get a peer_cfg identified by it's name, or a name of its children. * * @param name name of peer/child cfg * @return matching peer_config, or NULL if none found diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c index c31df8d04..28e50ef0a 100644 --- a/src/charon/config/backend_manager.c +++ b/src/charon/config/backend_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2007-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -68,15 +68,6 @@ typedef struct { } ike_data_t; /** - * data to pass nested peer enumerator - */ -typedef struct { - private_backend_manager_t *this; - identification_t *me; - identification_t *other; -} peer_data_t; - -/** * inner enumerator constructor for IKE cfgs */ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data) @@ -85,59 +76,58 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data) } /** - * inner enumerator constructor for Peer cfgs - */ -static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data) -{ - return backend->create_peer_cfg_enumerator(backend, data->me, data->other); -} -/** - * inner enumerator constructor for all Peer cfgs - */ -static enumerator_t *peer_enum_create_all(backend_t *backend) -{ - return backend->create_peer_cfg_enumerator(backend, NULL, NULL); -} - -/** * get a match of a candidate ike_cfg for two hosts */ -static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other) +static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { host_t *me_cand, *other_cand; ike_cfg_match_t match = MATCH_NONE; - me_cand = host_create_from_dns(cand->get_my_addr(cand), - me->get_family(me), 0); - if (!me_cand) - { - return MATCH_NONE; - } - if (me_cand->ip_equals(me_cand, me)) + if (me) { - match += MATCH_ME; + me_cand = host_create_from_dns(cand->get_my_addr(cand), + me->get_family(me), 0); + if (!me_cand) + { + return MATCH_NONE; + } + if (me_cand->ip_equals(me_cand, me)) + { + match += MATCH_ME; + } + else if (me_cand->is_anyaddr(me_cand)) + { + match += MATCH_ANY; + } + me_cand->destroy(me_cand); } - else if (me_cand->is_anyaddr(me_cand)) + else { match += MATCH_ANY; } - me_cand->destroy(me_cand); - other_cand = host_create_from_dns(cand->get_other_addr(cand), - other->get_family(other), 0); - if (!other_cand) - { - return MATCH_NONE; - } - if (other_cand->ip_equals(other_cand, other)) + if (other) { - match += MATCH_OTHER; + other_cand = host_create_from_dns(cand->get_other_addr(cand), + other->get_family(other), 0); + if (!other_cand) + { + return MATCH_NONE; + } + if (other_cand->ip_equals(other_cand, other)) + { + match += MATCH_OTHER; + } + else if (other_cand->is_anyaddr(other_cand)) + { + match += MATCH_ANY; + } + other_cand->destroy(other_cand); } - else if (other_cand->is_anyaddr(other_cand)) + else { match += MATCH_ANY; } - other_cand->destroy(other_cand); return match; } @@ -165,7 +155,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, (void*)ike_enum_create, data, (void*)free); while (enumerator->enumerate(enumerator, (void**)¤t)) { - match = get_match(current, me, other); + match = get_ike_match(current, me, other); if (match) { @@ -191,87 +181,198 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, return found; } +/** + * Get the best ID match in one of the configs auth_cfg + */ +static id_match_t get_peer_match(identification_t *id, + peer_cfg_t *cfg, bool local) +{ + enumerator_t *enumerator; + auth_cfg_t *auth; + identification_t *candidate; + id_match_t match = ID_MATCH_NONE; + + if (!id) + { + return ID_MATCH_ANY; + } + + /* compare first auth config only */ + enumerator = cfg->create_auth_cfg_enumerator(cfg, local); + if (enumerator->enumerate(enumerator, &auth)) + { + candidate = auth->get(auth, AUTH_RULE_IDENTITY); + if (candidate) + { + match = id->matches(id, candidate); + /* match vice-versa, as the proposed IDr might be ANY */ + if (!match) + { + match = candidate->matches(candidate, id); + } + } + else + { + match = ID_MATCH_ANY; + } + } + enumerator->destroy(enumerator); + return match; +} + +/** + * data to pass nested peer enumerator + */ +typedef struct { + rwlock_t *lock; + identification_t *me; + identification_t *other; +} peer_data_t; -static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this) +/** + * list element to help sorting + */ +typedef struct { + id_match_t match_peer; + ike_cfg_match_t match_ike; + peer_cfg_t *cfg; +} match_entry_t; + +/** + * inner enumerator constructor for peer cfgs + */ +static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data) { - this->lock->read_lock(this->lock); - return enumerator_create_nested( - this->backends->create_enumerator(this->backends), - (void*)peer_enum_create_all, this->lock, - (void*)this->lock->unlock); + return backend->create_peer_cfg_enumerator(backend, data->me, data->other); +} + +/** + * unlock/cleanup peer enumerator + */ +static void peer_enum_destroy(peer_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * convert enumerator value from match_entry to config + */ +static bool peer_enum_filter(linked_list_t *configs, + match_entry_t **in, peer_cfg_t **out) +{ + *out = (*in)->cfg; + return TRUE; +} + +/** + * Clean up temporary config list + */ +static void peer_enum_filter_destroy(linked_list_t *configs) +{ + match_entry_t *entry; + + while (configs->remove_last(configs, (void**)&entry) == SUCCESS) + { + entry->cfg->destroy(entry->cfg); + free(entry); + } + configs->destroy(configs); +} + +/** + * Insert entry into match-sorted list, using helper + */ +static void insert_sorted(match_entry_t *entry, linked_list_t *list, + linked_list_t *helper) +{ + match_entry_t *current; + + while (list->remove_first(list, (void**)¤t) == SUCCESS) + { + helper->insert_last(helper, current); + } + while (helper->remove_first(helper, (void**)¤t) == SUCCESS) + { + if (entry && ( + (entry->match_ike > current->match_ike && + entry->match_peer >= current->match_peer) || + (entry->match_ike >= current->match_ike && + entry->match_peer > current->match_peer))) + { + list->insert_last(list, entry); + entry = NULL; + } + list->insert_last(list, current); + } + if (entry) + { + list->insert_last(list, entry); + } } /** - * implements backend_manager_t.get_peer_cfg. + * Implements backend_manager_t.create_peer_cfg_enumerator. */ -static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me, - host_t *other, identification_t *my_id, - identification_t *other_id, auth_info_t *auth) +static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, + host_t *me, host_t *other, identification_t *my_id, + identification_t *other_id) { - peer_cfg_t *current, *found = NULL; enumerator_t *enumerator; - id_match_t best_peer = ID_MATCH_NONE; - ike_cfg_match_t best_ike = MATCH_NONE; peer_data_t *data; - - DBG2(DBG_CFG, "looking for a peer config for %H[%D]...%H[%D]", - me, my_id, other, other_id); + peer_cfg_t *cfg; + linked_list_t *configs, *helper; data = malloc_thing(peer_data_t); - data->this = this; + data->lock = this->lock; data->me = my_id; data->other = other_id; + /* create a sorted list with all matches */ this->lock->read_lock(this->lock); enumerator = enumerator_create_nested( - this->backends->create_enumerator(this->backends), - (void*)peer_enum_create, data, (void*)free); - while (enumerator->enumerate(enumerator, ¤t)) + this->backends->create_enumerator(this->backends), + (void*)peer_enum_create, data, (void*)peer_enum_destroy); + + if (!me && !other && !my_id && !other_id) + { /* shortcut if we are doing a "listall" */ + return enumerator; + } + + DBG1(DBG_CFG, "looking for peer configs matching %H[%D]...%H[%D]", + me, my_id, other, other_id); + + configs = linked_list_create(); + /* only once allocated helper list for sorting */ + helper = linked_list_create(); + while (enumerator->enumerate(enumerator, &cfg)) { - identification_t *my_cand, *other_cand; - id_match_t m1, m2, match_peer; + id_match_t match_peer_me, match_peer_other; ike_cfg_match_t match_ike; + match_entry_t *entry; - my_cand = current->get_my_id(current); - other_cand = current->get_other_id(current); - - /* own ID may have wildcards in both, config and request (missing IDr) */ - m1 = my_cand->matches(my_cand, my_id); - if (!m1) - { - m1 = my_id->matches(my_id, my_cand); - } - m2 = other_id->matches(other_id, other_cand); - - match_peer = m1 + m2; - match_ike = get_match(current->get_ike_cfg(current), me, other); + match_peer_me = get_peer_match(my_id, cfg, TRUE); + match_peer_other = get_peer_match(other_id, cfg, FALSE); + match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other); - if (m1 && m2 && match_ike && - auth->complies(auth, current->get_auth(current))) + if (match_peer_me && match_peer_other && match_ike) { - DBG2(DBG_CFG, " candidate \"%s\": %D...%D with prio %d.%d", - current->get_name(current), my_cand, other_cand, - match_peer, match_ike); - if ((match_peer > best_peer && match_ike >= best_ike) || - (match_peer >= best_peer && match_ike > best_ike)) - { - DESTROY_IF(found); - found = current; - found->get_ref(found); - best_peer = match_peer; - best_ike = match_ike; - } + DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)", + cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike); + + entry = malloc_thing(match_entry_t); + entry->match_peer = match_peer_me + match_peer_other; + entry->match_ike = match_ike; + entry->cfg = cfg->get_ref(cfg); + insert_sorted(entry, configs, helper); } } - if (found) - { - DBG1(DBG_CFG, "found matching peer config \"%s\": %D...%D with prio %d.%d", - found->get_name(found), found->get_my_id(found), - found->get_other_id(found), best_peer, best_ike); - } enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - return found; + helper->destroy(helper); + + return enumerator_create_filter(configs->create_enumerator(configs), + (void*)peer_enum_filter, configs, + (void*)peer_enum_filter_destroy); } /** @@ -332,9 +433,8 @@ backend_manager_t *backend_manager_create() private_backend_manager_t *this = malloc_thing(private_backend_manager_t); this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; - this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg; this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name; - this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator; + this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator; this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend; this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend; this->public.destroy = (void (*)(backend_manager_t*))destroy; diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h index 1fd921c48..b3c74fb7b 100644 --- a/src/charon/config/backend_manager.h +++ b/src/charon/config/backend_manager.h @@ -64,20 +64,6 @@ struct backend_manager_t { host_t *my_host, host_t *other_host); /** - * Get a peer_config identified by two IDs and authorization info. - * - * @param me own address - * @param other peer address - * @param my_id own ID - * @param other_id peer ID - * @param auth_info authorization info - * @return matching peer_config, or NULL if none found - */ - peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me, - host_t *other, identification_t *my_id, - identification_t *other_id, auth_info_t *auth); - - /** * Get a peer_config identified by it's name. * * @param name name of the peer_config @@ -86,12 +72,20 @@ struct backend_manager_t { peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name); /** - * Create an enumerator over all peer configs. + * Create an enumerator over all matching peer configs. + * + * Pass NULL as parameters to match any. The enumerator enumerates over + * peer_cfgs, ordered by priority (best match first). * - * @return enumerator over peer configs + * @param me local address + * @param other remote address + * @param my_id IDr in first authentication round + * @param other_id IDi in first authentication round + * @return enumerator over peer_cfg_t */ - enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this); - + enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this, + host_t *me, host_t *other, identification_t *my_id, + identification_t *other_id); /** * Register a backend on the manager. * diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index 398244f6d..5d9db1b22 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -82,16 +82,6 @@ struct private_peer_cfg_t { mutex_t *mutex; /** - * id to use to identify us - */ - identification_t *my_id; - - /** - * allowed id for other - */ - identification_t *other_id; - - /** * should we send a certificate */ cert_policy_t cert_policy; @@ -147,10 +137,15 @@ struct private_peer_cfg_t { char *pool; /** - * required authorization constraints + * local authentication configs (rulesets) */ - auth_info_t *auth; - + linked_list_t *local_auth; + + /** + * remote authentication configs (constraints) + */ + linked_list_t *remote_auth; + #ifdef ME /** * Is this a mediation connection? @@ -287,22 +282,6 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this, } /** - * Implementation of peer_cfg_t.get_my_id - */ -static identification_t *get_my_id(private_peer_cfg_t *this) -{ - return this->my_id; -} - -/** - * Implementation of peer_cfg_t.get_other_id - */ -static identification_t *get_other_id(private_peer_cfg_t *this) -{ - return this->other_id; -} - -/** * Implementation of peer_cfg_t.get_cert_policy. */ static cert_policy_t get_cert_policy(private_peer_cfg_t *this) @@ -397,13 +376,34 @@ static char* get_pool(private_peer_cfg_t *this) { return this->pool; } - + /** - * Implementation of peer_cfg_t.get_auth. + * Implementation of peer_cfg_t.add_auth_cfg */ -static auth_info_t* get_auth(private_peer_cfg_t *this) +static void add_auth_cfg(private_peer_cfg_t *this, + auth_cfg_t *cfg, bool local) { - return this->auth; + if (local) + { + this->local_auth->insert_last(this->local_auth, cfg); + } + else + { + this->remote_auth->insert_last(this->remote_auth, cfg); + } +} + +/** + * Implementation of peer_cfg_t.create_auth_cfg_enumerator + */ +static enumerator_t* create_auth_cfg_enumerator(private_peer_cfg_t *this, + bool local) +{ + if (local) + { + return this->local_auth->create_enumerator(this->local_auth); + } + return this->remote_auth->create_enumerator(this->remote_auth); } #ifdef ME @@ -433,6 +433,60 @@ static identification_t* get_peer_id(private_peer_cfg_t *this) #endif /* ME */ /** + * check auth configs for equality + */ +static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other) +{ + enumerator_t *e1, *e2; + auth_cfg_t *cfg1, *cfg2; + bool equal = TRUE; + + if (this->local_auth->get_count(this->local_auth) != + other->local_auth->get_count(other->local_auth)) + { + return FALSE; + } + if (this->remote_auth->get_count(this->remote_auth) != + other->remote_auth->get_count(other->remote_auth)) + { + return FALSE; + } + + e1 = this->local_auth->create_enumerator(this->local_auth); + e2 = other->local_auth->create_enumerator(other->local_auth); + while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2)) + { + if (!cfg1->equals(cfg1, cfg2)) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + e2->destroy(e2); + + if (!equal) + { + return FALSE; + } + + e1 = this->remote_auth->create_enumerator(this->remote_auth); + e2 = other->remote_auth->create_enumerator(other->remote_auth); + while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2)) + { + if (!cfg1->equals(cfg1, cfg2)) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + e2->destroy(e2); + + return equal; +} + +/** * Implementation of peer_cfg_t.equals. */ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) @@ -448,8 +502,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) return ( this->ike_version == other->ike_version && - this->my_id->equals(this->my_id, other->my_id) && - this->other_id->equals(this->other_id, other->other_id) && this->cert_policy == other->cert_policy && this->unique == other->unique && this->keyingtries == other->keyingtries && @@ -464,7 +516,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) && (this->pool == other->pool || (this->pool && other->pool && streq(this->pool, other->pool))) && - this->auth->equals(this->auth, other->auth) + auth_cfg_equal(this, other) #ifdef ME && this->mediation == other->mediation && this->mediated_by == other->mediated_by && @@ -492,11 +544,13 @@ static void destroy(private_peer_cfg_t *this) if (ref_put(&this->refcount)) { this->ike_cfg->destroy(this->ike_cfg); - this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy)); - this->my_id->destroy(this->my_id); - this->other_id->destroy(this->other_id); + this->child_cfgs->destroy_offset(this->child_cfgs, + offsetof(child_cfg_t, destroy)); DESTROY_IF(this->virtual_ip); - this->auth->destroy(this->auth); + this->local_auth->destroy_offset(this->local_auth, + offsetof(auth_cfg_t, destroy)); + this->remote_auth->destroy_offset(this->remote_auth, + offsetof(auth_cfg_t, destroy)); #ifdef ME DESTROY_IF(this->mediated_by); DESTROY_IF(this->peer_id); @@ -512,7 +566,6 @@ static void destroy(private_peer_cfg_t *this) * Described in header-file */ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, - identification_t *my_id, identification_t *other_id, cert_policy_t cert_policy, unique_policy_t unique, u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time, u_int32_t jitter_time, @@ -531,8 +584,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg; this->public.create_child_cfg_enumerator = (enumerator_t* (*) (peer_cfg_t *))create_child_cfg_enumerator; this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg; - this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id; - this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id; this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy; this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy; this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries; @@ -543,7 +594,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.get_dpd = (u_int32_t (*) (peer_cfg_t *))get_dpd; this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip; this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool; - this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth; + this->public.add_auth_cfg = (void(*)(peer_cfg_t*, auth_cfg_t *cfg, bool local))add_auth_cfg; + this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(peer_cfg_t*, bool local))create_auth_cfg_enumerator; this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals; this->public.get_ref = (peer_cfg_t*(*)(peer_cfg_t *))get_ref; this->public.destroy = (void(*)(peer_cfg_t *))destroy; @@ -559,8 +611,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->ike_cfg = ike_cfg; this->child_cfgs = linked_list_create(); this->mutex = mutex_create(MUTEX_DEFAULT); - this->my_id = my_id; - this->other_id = other_id; this->cert_policy = cert_policy; this->unique = unique; this->keyingtries = keyingtries; @@ -580,7 +630,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->dpd = dpd; this->virtual_ip = virtual_ip; this->pool = pool ? strdup(pool) : NULL; - this->auth = auth_info_create(); + this->local_auth = linked_list_create(); + this->remote_auth = linked_list_create(); this->refcount = 1; #ifdef ME this->mediation = mediation; diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h index 3a776927e..7cfe61207 100644 --- a/src/charon/config/peer_cfg.h +++ b/src/charon/config/peer_cfg.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -38,7 +38,7 @@ typedef struct peer_cfg_t peer_cfg_t; #include <config/child_cfg.h> #include <sa/authenticators/authenticator.h> #include <sa/authenticators/eap/eap_method.h> -#include <credentials/auth_info.h> +#include <config/auth_cfg.h> /** * Certificate sending policy. This is also used for certificate @@ -87,27 +87,33 @@ extern enum_name_t *unique_policy_names; * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer. * @verbatim - - +-------------------+ +---------------+ - +---------------+ | peer_cfg | +---------------+ | - | ike_cfg | +-------------------+ | child_cfg | | - +---------------+ | - ids | +---------------+ | - | - hosts | 1 1 | - cas | 1 n | - proposals | | - | - proposals |<------| - auth info |-------->| - traffic sel | | - | - ... | | - dpd config | | - ... |-+ - +---------------+ | - ... | +---------------+ - +-------------------+ - ^ - | - +-------------------+ - | auth_info | - +-------------------+ - | auth_items | - +-------------------+ + +-------------------+ +---------------+ + +---------------+ | peer_cfg | +---------------+ | + | ike_cfg | +-------------------+ | child_cfg | | + +---------------+ | - ids | +---------------+ | + | - hosts | 1 1 | - cas | 1 n | - proposals | | + | - proposals |<-----| - auth info |----->| - traffic sel | | + | - ... | | - dpd config | | - ... |-+ + +---------------+ | - ... | +---------------+ + +-------------------+ + | 1 0 | + | | + v n n V + +-------------------+ +-------------------+ + +-------------------+ | +-------------------+ | + | auth_cfg | | | auth_cfg | | + +-------------------+ | +-------------------+ | + | - local rules |-+ | - remote constr. |-+ + +-------------------+ +-------------------+ @endverbatim - * The auth_info_t object associated to the peer_cfg holds additional - * authorization constraints. A peer who wants to use a config needs to fullfil - * the requirements defined in auth_info. + * + * Each peer_cfg has two lists of authentication config attached. Local + * authentication configs define how to authenticate ourself against the remote + * peer. Each config is enforced using the multiple authentication extension + * (RFC4739). + * The remote authentication configs are handled as constraints. The peer has + * to fullfill each of these rules (using multiple authentication, in any order) + * to gain access to the configuration. */ struct peer_cfg_t { @@ -169,25 +175,20 @@ struct peer_cfg_t { host_t *other_host); /** - * Get the authentication constraint items. + * Add an authentication config to the peer configuration. * - * @return auth_info object to manipulate requirements + * @param config config to add + * @param local TRUE for local rules, FALSE for remote constraints */ - auth_info_t* (*get_auth)(peer_cfg_t *this); - - /** - * Get own ID. - * - * @return own id - */ - identification_t* (*get_my_id)(peer_cfg_t *this); + void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local); /** - * Get peers ID. - * - * @return other id + * Create an enumerator over registered authentication configs. + * + * @param local TRUE for local rules, FALSE for remote constraints + * @return enumerator over auth_cfg_t* */ - identification_t* (*get_other_id)(peer_cfg_t *this); + enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local); /** * Should be sent a certificate for this connection? @@ -331,8 +332,6 @@ struct peer_cfg_t { * @param name name of the peer_cfg * @param ike_version which IKE version we sould use for this peer * @param ike_cfg IKE config to use when acting as initiator - * @param my_id identification_t for ourselves - * @param other_id identification_t for the remote guy * @param cert_policy should we send a certificate payload? * @param unique uniqueness of an IKE_SA * @param keyingtries how many keying tries should be done before giving up @@ -350,7 +349,6 @@ struct peer_cfg_t { * @return peer_cfg_t object */ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, - identification_t *my_id, identification_t *other_id, cert_policy_t cert_policy, unique_policy_t unique, u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time, u_int32_t jitter_time, diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index da6973925..7bddff174 100644 --- a/src/charon/config/proposal.c +++ b/src/charon/config/proposal.c @@ -19,6 +19,7 @@ #include <string.h> #include "proposal.h" +#include "proposal_keywords.h" #include <daemon.h> #include <utils/linked_list.h> @@ -583,222 +584,59 @@ static void check_proposal(private_proposal_t *this) } } +struct proposal_token { + char *name; + transform_type_t type; + u_int16_t algorithm; + u_int16_t keysize; +}; + /** * add a algorithm identified by a string to the proposal. - * TODO: we could use gperf here. */ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) { - if (strncmp(alg.ptr, "null", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_NULL, 0); - } - else if (strncmp(alg.ptr, "aes128", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); - } - else if (strncmp(alg.ptr, "aes192", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); - } - else if (strncmp(alg.ptr, "aes256", alg.len) == 0) + const proposal_token_t *token = in_word_set(alg.ptr, alg.len); + + if (token == NULL) { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); + return FAILED; } - else if (strstr(alg.ptr, "ccm")) - { - u_int16_t key_size, icv_size; - if (sscanf(alg.ptr, "aes%huccm%hu", &key_size, &icv_size) == 2) - { - if (key_size == 128 || key_size == 192 || key_size == 256) - { - switch (icv_size) - { - case 8: /* octets */ - case 64: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_CCM_ICV8, key_size); - break; - case 12: /* octets */ - case 96: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_CCM_ICV12, key_size); - break; - case 16: /* octets */ - case 128: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_CCM_ICV16, key_size); - break; - default: - /* invalid ICV size */ - break; - } - } - } - } - else if (strstr(alg.ptr, "gcm")) - { - u_int16_t key_size, icv_size; + add_algorithm(this, token->type, token->algorithm, token->keysize); - if (sscanf(alg.ptr, "aes%hugcm%hu", &key_size, &icv_size) == 2) - { - if (key_size == 128 || key_size == 192 || key_size == 256) - { - switch (icv_size) - { - case 8: /* octets */ - case 64: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_GCM_ICV8, key_size); - break; - case 12: /* octets */ - case 96: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_GCM_ICV12, key_size); - break; - case 16: /* octets */ - case 128: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_GCM_ICV16, key_size); - break; - default: - /* invalid ICV size */ - break; - } - } - } - } - else if (strncmp(alg.ptr, "3des", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); - } - /* blowfish only uses some predefined key sizes yet */ - else if (strncmp(alg.ptr, "blowfish128", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128); - } - else if (strncmp(alg.ptr, "blowfish192", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192); - } - else if (strncmp(alg.ptr, "blowfish256", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); - } - else if (strncmp(alg.ptr, "sha", alg.len) == 0 || - strncmp(alg.ptr, "sha1", alg.len) == 0) - { - /* sha means we use SHA for both, PRF and AUTH */ - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); - } - } - else if (strncmp(alg.ptr, "sha256", alg.len) == 0 || - strncmp(alg.ptr, "sha2_256", alg.len) == 0) + if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM) { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0); - } - } - else if (strncmp(alg.ptr, "sha384", alg.len) == 0 || - strncmp(alg.ptr, "sha2_384", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0); - } - } - else if (strncmp(alg.ptr, "sha512", alg.len) == 0 || - strncmp(alg.ptr, "sha2_512", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0); - } - } - else if (strncmp(alg.ptr, "md5", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); - if (this->protocol == PROTO_IKE) + pseudo_random_function_t prf; + + switch (token->algorithm) { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0); + case AUTH_HMAC_SHA1_96: + prf = PRF_HMAC_SHA1; + break; + case AUTH_HMAC_SHA2_256_128: + prf = PRF_HMAC_SHA2_256; + break; + case AUTH_HMAC_SHA2_384_192: + prf = PRF_HMAC_SHA2_384; + break; + case AUTH_HMAC_SHA2_512_256: + prf = PRF_HMAC_SHA2_512; + break; + case AUTH_HMAC_MD5_96: + prf = PRF_HMAC_MD5; + break; + case AUTH_AES_XCBC_96: + prf = PRF_AES128_XCBC; + break; + default: + prf = PRF_UNDEFINED; } - } - else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - if (this->protocol == PROTO_IKE) + if (prf != PRF_UNDEFINED) { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0); + add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); } } - else if (strncmp(alg.ptr, "modpnull", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0); - } - else if (strncmp(alg.ptr, "modp768", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); - } - else if (strncmp(alg.ptr, "modp1024", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - } - else if (strncmp(alg.ptr, "modp1536", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0); - } - else if (strncmp(alg.ptr, "modp2048", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - } - else if (strncmp(alg.ptr, "modp3072", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0); - } - else if (strncmp(alg.ptr, "modp4096", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0); - } - else if (strncmp(alg.ptr, "modp6144", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0); - } - else if (strncmp(alg.ptr, "modp8192", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp192", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp224", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp256", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp384", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp521", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0); - } - else - { - return FAILED; - } return SUCCESS; } diff --git a/src/charon/config/proposal_keywords.h b/src/charon/config/proposal_keywords.h new file mode 100644 index 000000000..ae10d3464 --- /dev/null +++ b/src/charon/config/proposal_keywords.h @@ -0,0 +1,26 @@ +/* proposal keywords + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id:$ + */ + +#ifndef _PROPOSAL_KEYWORDS_H_ +#define _PROPOSAL_KEYWORDS_H_ + +typedef struct proposal_token proposal_token_t; + +extern const proposal_token_t* in_word_set(register const char *str, register unsigned int len); + +#endif /* _PROPOSAL_KEYWORDS_H_ */ + diff --git a/src/charon/config/proposal_keywords.txt b/src/charon/config/proposal_keywords.txt new file mode 100644 index 000000000..e195b1f72 --- /dev/null +++ b/src/charon/config/proposal_keywords.txt @@ -0,0 +1,101 @@ +%{ +/* proposal keywords + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id:$ + */ + +#include <string.h> + +#include "proposal.h" + +#include <crypto/crypters/crypter.h> +#include <crypto/signers/signer.h> + +%} +struct proposal_token { + char *name; + transform_type_t type; + u_int16_t algorithm; + u_int16_t keysize; +}; +%% +null, ENCRYPTION_ALGORITHM, ENCR_NULL, 0 +aes128, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128 +aes192, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192 +aes256, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256 +aes128ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128 +aes128ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128 +aes128ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128 +aes128ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128 +aes128ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128 +aes128ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128 +aes192ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192 +aes192ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192 +aes192ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192 +aes192ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192 +aes192ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192 +aes192ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192 +aes256ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256 +aes256ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256 +aes256ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256 +aes256ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256 +aes256ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256 +aes256ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256 +aes128gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128 +aes128gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128 +aes128gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128 +aes128gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128 +aes128gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128 +aes128gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128 +aes192gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192 +aes192gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192 +aes192gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192 +aes192gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192 +aes192gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192 +aes192gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192 +aes256gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256 +aes256gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256 +aes256gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256 +aes256gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256 +aes256gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256 +aes256gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256 +3des, ENCRYPTION_ALGORITHM, ENCR_3DES, 0 +blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128 +blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192 +blowfish256, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256 +sha, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0 +sha1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0 +sha256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0 +sha2_256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0 +sha384, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0 +sha2_384, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0 +sha512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0 +sha2_512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0 +md5, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0 +aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0 +modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0 +modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0 +modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0 +modp1536, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0 +modp2048, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0 +modp3072, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0 +modp4096, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0 +modp6144, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0 +modp8192, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0 +ecp192, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0 +ecp224, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0 +ecp256, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0 +ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0 +ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0 |