sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-06 00:00:47 -04:00
Code Issues Projects Releases Wiki Activity

android: Use optional custom proposals for IKE and ESP

Browse Source 
If the proposal is invalid we fall back to the defaults.
This commit is contained in:
Tobias Brunner 2017-11-14 09:49:24 +01:00
parent 24c22a3fa8
commit a7c43544dd
2 changed files with 63 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
View File

@ -261,6 +261,8 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
writer.setValue("connection.local_id", mCurrentProfile.getLocalId()); writer.setValue("connection.local_id", mCurrentProfile.getLocalId());
writer.setValue("connection.remote_id", mCurrentProfile.getRemoteId()); writer.setValue("connection.remote_id", mCurrentProfile.getRemoteId());
writer.setValue("connection.certreq", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0); writer.setValue("connection.certreq", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0);
writer.setValue("connection.ike_proposal", mCurrentProfile.getIkeProposal());
writer.setValue("connection.esp_proposal", mCurrentProfile.getEspProposal());
initiate(writer.serialize()); initiate(writer.serialize());
} }
else else

85
src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (C) 2010-2016 Tobias Brunner * Copyright (C) 2010-2017 Tobias Brunner
* Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Giuliano Grassi
* Copyright (C) 2012 Ralf Sager * Copyright (C) 2012 Ralf Sager
* HSR Hochschule fuer Technik Rapperswil * HSR Hochschule fuer Technik Rapperswil
@ -707,6 +707,27 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
return TRUE; return TRUE;
} }
static proposal_t *parse_proposal(private_android_service_t *this,
protocol_id_t proto, char *opt)
{
proposal_t *proposal = NULL;
char *prop;
prop = this->settings->get_str(this->settings, opt, NULL);
if (!prop || !strlen(prop))
{
return NULL;
}
proposal = proposal_create_from_string(proto, prop);
if (!proposal)
{
DBG1(DBG_CFG, "invalid %N proposal '%s', falling back to defaults",
protocol_id_names, proto, prop);
}
return proposal;
}
static job_requeue_t initiate(private_android_service_t *this) static job_requeue_t initiate(private_android_service_t *this)
{ {
identification_t *gateway = NULL; identification_t *gateway = NULL;
@ -714,6 +735,7 @@ static job_requeue_t initiate(private_android_service_t *this)
peer_cfg_t *peer_cfg; peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg; child_cfg_t *child_cfg;
traffic_selector_t *ts; traffic_selector_t *ts;
proposal_t *proposal;
ike_sa_t *ike_sa; ike_sa_t *ike_sa;
auth_cfg_t *auth; auth_cfg_t *auth;
peer_cfg_create_t peer = { peer_cfg_create_t peer = {
@ -747,8 +769,16 @@ static job_requeue_t initiate(private_android_service_t *this)
ike_cfg = ike_cfg_create(IKEV2, certreq, TRUE, "0.0.0.0", ike_cfg = ike_cfg_create(IKEV2, certreq, TRUE, "0.0.0.0",
charon->socket->get_port(charon->socket, FALSE), charon->socket->get_port(charon->socket, FALSE),
server, port, FRAGMENTATION_YES, 0); server, port, FRAGMENTATION_YES, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); proposal = parse_proposal(this, PROTO_IKE, "connection.ike_proposal");
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); if (proposal)
{
ike_cfg->add_proposal(ike_cfg, proposal);
}
else
{
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
}
peer_cfg = peer_cfg_create("android", ike_cfg, &peer); peer_cfg = peer_cfg_create("android", ike_cfg, &peer);
peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET)); peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
@ -795,27 +825,34 @@ static job_requeue_t initiate(private_android_service_t *this)
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create("android", &child); child_cfg = child_cfg_create("android", &child);
/* create ESP proposals with and without DH groups, let responder decide proposal = parse_proposal(this, PROTO_ESP, "connection.esp_proposal");
* if PFS is used */ if (proposal)
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, {
"aes128gcm16-aes256gcm16-chacha20poly1305-" child_cfg->add_proposal(child_cfg, proposal);
"curve25519-ecp256-modp3072")); }
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, else
"aes128-sha256-curve25519-ecp256-modp3072")); { /* create ESP proposals with and without DH groups, let responder decide
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, * if PFS is used */
"aes256-sha384-ecp521-modp8192")); child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, "aes128gcm16-aes256gcm16-chacha20poly1305-"
"aes128-aes192-aes256-sha1-sha256-sha384-sha512-" "curve25519-ecp256-modp3072"));
"curve25519-ecp256-ecp384-ecp521-" child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"modp2048-modp3072-modp4096-modp1024")); "aes128-sha256-curve25519-ecp256-modp3072"));
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes128gcm16-aes256gcm16-chacha20poly1305")); "aes256-sha384-ecp521-modp8192"));
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes128-sha256")); "aes128-aes192-aes256-sha1-sha256-sha384-sha512-"
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, "curve25519-ecp256-ecp384-ecp521-"
"aes256-sha384")); "modp2048-modp3072-modp4096-modp1024"));
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP, child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes128-aes192-aes256-sha1-sha256-sha384-sha512")); "aes128gcm16-aes256gcm16-chacha20poly1305"));
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes128-sha256"));
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes256-sha384"));
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes128-aes192-aes256-sha1-sha256-sha384-sha512"));
}
ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts); child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);