Hi, On Mon, Jul 26, 2010 at 09:45:05AM +0200, Martin Willi wrote: > > However, strongSwan automatically uses any integrity algorithm > > specified in a ike= proposal definition > > This is a limitation inherited from the configuration syntax for IKEv1. > > I don't know if it makes sense for real setups
me neither. I don't know it you want to do this just for the sake of passing ipv6ready one day. Why not... >, but extending the syntax should be no problem. The question > would be how we distinguish PRF and integrity algorithms in our > proposal string (psha1,psha256?). For testing purposes, I applied the following patch to strongSwan. Any algorithm prefixed with "integrity_" will not be automatically used for PRF and any algorithm prefixed with "prf_" will not be used for integrity. Thus, "ike=3des-integrity_sha1-prf_sha1-modp1024" is equivalent to "ike=3des-sha1-modp1024". "ike=3des,integrity_md5-prf-sha1-modp1024" will create a proposal which you can not cpecify with the current syntax. The patch (with appropriately tweaked TAHI remote scripts) allowed quite a few of the failing tests to pass. This could be more cleanly implemented defining new new AUTH_ONLY_ALGORITHM_TYPE and PRF_ALGORITHM constants and adding the new prefixed keywords to the hash table in src/libstrongswan/crypto/proposal/proposal_keywords.txt I used this patch to avoid having to re-run gperf after patching. Index: strongswan-4.4.0/src/libcharon/config/proposal.c =================================================================== --- strongswan-4.4.0.orig/src/libcharon/config/proposal.c 2010-07-26 12:32:46.000000000 +0200 +++ strongswan-4.4.0/src/libcharon/config/proposal.c 2010-07-26 13:58:24.000000000 +0200 @@ -588,18 +588,44 @@ static void check_proposal(private_propo /** * add a algorithm identified by a string to the proposal. */ + +#define INTEGRITY_ONLY_PREFIX "integrity_" +#define INTEGRITY_ONLY_PREFIX_LEN (sizeof(INTEGRITY_ONLY_PREFIX) - 1) +#define PRF_ONLY_PREFIX "prf_" +#define PRF_ONLY_PREFIX_LEN (sizeof(PRF_ONLY_PREFIX) - 1) + static status_t add_string_algo(private_proposal_t *this, chunk_t alg) { - const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len); + const proposal_token_t *token; + int integrity_only = 0, prf_only = 0; + + /* algorithms prefixed with "integrity_" / "prf_" will not be automatically added as + both integrity and PRF algorithms */ + if (INTEGRITY_ONLY_PREFIX_LEN < alg.len && + !strncmp(alg.ptr, INTEGRITY_ONLY_PREFIX, INTEGRITY_ONLY_PREFIX_LEN)) { + integrity_only = 1; + alg.ptr += INTEGRITY_ONLY_PREFIX_LEN; + alg.len -= INTEGRITY_ONLY_PREFIX_LEN; + } + else if (PRF_ONLY_PREFIX_LEN < alg.len && + !strncmp(alg.ptr, PRF_ONLY_PREFIX, PRF_ONLY_PREFIX_LEN)) { + prf_only = 1; + alg.ptr += PRF_ONLY_PREFIX_LEN; + alg.len -= PRF_ONLY_PREFIX_LEN; + } + + token = proposal_get_token(alg.ptr, alg.len); if (token == NULL) { return FAILED; } - add_algorithm(this, token->type, token->algorithm, token->keysize); + if (!prf_only) + add_algorithm(this, token->type, token->algorithm, token->keysize); - if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM) + if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM && + !integrity_only) { pseudo_random_function_t prf; Rgards, -- Jiri Bohac <jbo...@suse.cz> SUSE Labs, SUSE CZ _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users