diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java index 61535ffa2e..95c2ccd1f3 100644 --- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java +++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java @@ -261,6 +261,8 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe writer.setValue("connection.local_id", mCurrentProfile.getLocalId()); writer.setValue("connection.remote_id", mCurrentProfile.getRemoteId()); writer.setValue("connection.certreq", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0); + writer.setValue("connection.ike_proposal", mCurrentProfile.getIkeProposal()); + writer.setValue("connection.esp_proposal", mCurrentProfile.getEspProposal()); initiate(writer.serialize()); } else diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c index 809814b535..5c4a03842f 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2016 Tobias Brunner + * Copyright (C) 2010-2017 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * HSR Hochschule fuer Technik Rapperswil @@ -707,6 +707,27 @@ static bool add_auth_cfg_cert(private_android_service_t *this, return TRUE; } +static proposal_t *parse_proposal(private_android_service_t *this, + protocol_id_t proto, char *opt) +{ + proposal_t *proposal = NULL; + char *prop; + + prop = this->settings->get_str(this->settings, opt, NULL); + if (!prop || !strlen(prop)) + { + return NULL; + } + + proposal = proposal_create_from_string(proto, prop); + if (!proposal) + { + DBG1(DBG_CFG, "invalid %N proposal '%s', falling back to defaults", + protocol_id_names, proto, prop); + } + return proposal; +} + static job_requeue_t initiate(private_android_service_t *this) { identification_t *gateway = NULL; @@ -714,6 +735,7 @@ static job_requeue_t initiate(private_android_service_t *this) peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; traffic_selector_t *ts; + proposal_t *proposal; ike_sa_t *ike_sa; auth_cfg_t *auth; peer_cfg_create_t peer = { @@ -747,8 +769,16 @@ static job_requeue_t initiate(private_android_service_t *this) ike_cfg = ike_cfg_create(IKEV2, certreq, TRUE, "0.0.0.0", charon->socket->get_port(charon->socket, FALSE), server, port, FRAGMENTATION_YES, 0); - ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); + proposal = parse_proposal(this, PROTO_IKE, "connection.ike_proposal"); + if (proposal) + { + ike_cfg->add_proposal(ike_cfg, proposal); + } + else + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); + } peer_cfg = peer_cfg_create("android", ike_cfg, &peer); peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET)); @@ -795,27 +825,34 @@ static job_requeue_t initiate(private_android_service_t *this) peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create("android", &child); - /* create ESP proposals with and without DH groups, let responder decide - * if PFS is used */ - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes128gcm16-aes256gcm16-chacha20poly1305-" - "curve25519-ecp256-modp3072")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes128-sha256-curve25519-ecp256-modp3072")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes256-sha384-ecp521-modp8192")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes128-aes192-aes256-sha1-sha256-sha384-sha512-" - "curve25519-ecp256-ecp384-ecp521-" - "modp2048-modp3072-modp4096-modp1024")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes128gcm16-aes256gcm16-chacha20poly1305")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes128-sha256")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes256-sha384")); - child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, - "aes128-aes192-aes256-sha1-sha256-sha384-sha512")); + proposal = parse_proposal(this, PROTO_ESP, "connection.esp_proposal"); + if (proposal) + { + child_cfg->add_proposal(child_cfg, proposal); + } + else + { /* create ESP proposals with and without DH groups, let responder decide + * if PFS is used */ + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes128gcm16-aes256gcm16-chacha20poly1305-" + "curve25519-ecp256-modp3072")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes128-sha256-curve25519-ecp256-modp3072")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes256-sha384-ecp521-modp8192")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes128-aes192-aes256-sha1-sha256-sha384-sha512-" + "curve25519-ecp256-ecp384-ecp521-" + "modp2048-modp3072-modp4096-modp1024")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes128gcm16-aes256gcm16-chacha20poly1305")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes128-sha256")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes256-sha384")); + child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, + "aes128-aes192-aes256-sha1-sha256-sha384-sha512")); + } ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);