Hi,

On Mon, Jul 26, 2010 at 09:45:05AM +0200, Martin Willi wrote:
> > However, strongSwan automatically uses any integrity algorithm
> > specified in a ike= proposal definition 
> 
> This is a limitation inherited from the configuration syntax for IKEv1.
> 
> I don't know if it makes sense for real setups

Me neither. I don't know if you want to do this just for the sake
of passing ipv6ready one day. Why not...

>, but extending the syntax should be no problem. The question
> would be how we distinguish PRF and integrity algorithms in our
> proposal string (psha1,psha256?).

For testing purposes, I applied the following patch to
strongSwan. Any algorithm prefixed with "integrity_" will not
be automatically used for PRF and any algorithm prefixed with
"prf_" will not be used for integrity.

Thus, "ike=3des-integrity_sha1-prf_sha1-modp1024" is equivalent
to "ike=3des-sha1-modp1024".
"ike=3des,integrity_md5-prf-sha1-modp1024" will create a proposal
which you cannot specify with the current syntax.

The patch (with appropriately tweaked TAHI remote scripts)
allowed quite a few of the failing tests to pass.

This could be more cleanly implemented by defining
new AUTH_ONLY_ALGORITHM_TYPE and PRF_ALGORITHM constants and
adding the new prefixed keywords to the hash table in
src/libstrongswan/crypto/proposal/proposal_keywords.txt.
I used this patch to avoid having to re-run gperf after patching.


Index: strongswan-4.4.0/src/libcharon/config/proposal.c
===================================================================
--- strongswan-4.4.0.orig/src/libcharon/config/proposal.c       2010-07-26 
12:32:46.000000000 +0200
+++ strongswan-4.4.0/src/libcharon/config/proposal.c    2010-07-26 
13:58:24.000000000 +0200
@@ -588,18 +588,44 @@ static void check_proposal(private_propo
 /**
  * add a algorithm identified by a string to the proposal.
  */
+
+#define INTEGRITY_ONLY_PREFIX "integrity_"
+#define INTEGRITY_ONLY_PREFIX_LEN (sizeof(INTEGRITY_ONLY_PREFIX) - 1)
+#define PRF_ONLY_PREFIX "prf_"
+#define PRF_ONLY_PREFIX_LEN (sizeof(PRF_ONLY_PREFIX) - 1)
+
 static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 {
-       const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
+       const proposal_token_t *token;
+       int integrity_only = 0, prf_only = 0;
+
+       /* algorithms prefixed with "integrity_" / "prf_" will not be 
automatically added as
+          both integrity and PRF algorithms */
+       if (INTEGRITY_ONLY_PREFIX_LEN < alg.len &&
+               !strncmp(alg.ptr, INTEGRITY_ONLY_PREFIX, 
INTEGRITY_ONLY_PREFIX_LEN)) {
+               integrity_only = 1;
+               alg.ptr += INTEGRITY_ONLY_PREFIX_LEN;
+               alg.len -= INTEGRITY_ONLY_PREFIX_LEN;
+       }
+       else if (PRF_ONLY_PREFIX_LEN < alg.len &&
+               !strncmp(alg.ptr, PRF_ONLY_PREFIX, PRF_ONLY_PREFIX_LEN)) {
+               prf_only = 1;
+               alg.ptr += PRF_ONLY_PREFIX_LEN;
+               alg.len -= PRF_ONLY_PREFIX_LEN;
+       }
+
+       token = proposal_get_token(alg.ptr, alg.len);
 
        if (token == NULL)
        {
                return FAILED;
        }
 
-       add_algorithm(this, token->type, token->algorithm, token->keysize);
+       if (!prf_only)
+               add_algorithm(this, token->type, token->algorithm, 
token->keysize);
 
-       if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
+       if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM &&
+               !integrity_only)
        {
                pseudo_random_function_t prf;
 
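Review bot: in add_string_algo() the "integrity_" / "prf_" prefix is stripped before the token type is known, and nothing after proposal_get_token() checks that the resolved token is an INTEGRITY_ALGORITHM. With prf_only set, the add_algorithm() call is skipped for every token type, so a prefixed keyword that resolves to an encryption algorithm or DH group is dropped from the proposal without FAILED being returned at that point; an "integrity_" prefix on such a keyword is accepted and ignored. The same applies when this->protocol is not PROTO_IKE: a "prf_" keyword then adds nothing, because the PRF branch is gated on PROTO_IKE. Suggest returning FAILED right after the token == NULL check when (integrity_only || prf_only) and token->type != INTEGRITY_ALGORITHM or this->protocol != PROTO_IKE. Style: the new #define lines sit between the doc comment and the function it documents, so they should move above the comment, and the added if / else if blocks use "{" on the condition line while the surrounding code puts braces on their own line.
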
Regards,

-- 
Jiri Bohac <jbo...@suse.cz>
SUSE Labs, SUSE CZ

