spdb.c

This a good VPN source

    };
#endif

/* In this table, either PSK or RSA sig is accepted.
 * The order matters, but I don't know what would be best.
 */
static struct db_trans oakley_trans_pskrsasig[] = {
#ifdef TEST_INDECENT_PROPOSAL
	{ KEY_IKE, AD(otpsk1024des3tiger) },
#endif
	{ KEY_IKE, AD(otrsasig1536des3md5) },
	{ KEY_IKE, AD(otpsk1536des3md5) },
	{ KEY_IKE, AD(otrsasig1536des3sha) },
	{ KEY_IKE, AD(otpsk1536des3sha) },
	{ KEY_IKE, AD(otrsasig1024des3sha) },
	{ KEY_IKE, AD(otpsk1024des3sha) },
	{ KEY_IKE, AD(otrsasig1024des3md5) },
	{ KEY_IKE, AD(otpsk1024des3md5) },
    };

#ifdef XAUTH
static struct db_trans oakley_trans_pskrsasig_xauthc[] = {
	{ KEY_IKE, AD(otrsasig1536des3md5_xauthc) },
	{ KEY_IKE, AD(otpsk1536des3md5_xauthc) },
	{ KEY_IKE, AD(otrsasig1536des3sha_xauthc) },
	{ KEY_IKE, AD(otpsk1536des3sha_xauthc) },
	{ KEY_IKE, AD(otrsasig1024des3sha_xauthc) },
	{ KEY_IKE, AD(otpsk1024des3sha_xauthc) },
	{ KEY_IKE, AD(otrsasig1024des3md5_xauthc) },
	{ KEY_IKE, AD(otpsk1024des3md5_xauthc) },
    };

static struct db_trans oakley_trans_pskrsasig_xauths[] = {
	{ KEY_IKE, AD(otrsasig1536des3md5_xauths) },
	{ KEY_IKE, AD(otpsk1536des3md5_xauths) },
	{ KEY_IKE, AD(otrsasig1536des3sha_xauths) },
	{ KEY_IKE, AD(otpsk1536des3sha_xauths) },
	{ KEY_IKE, AD(otrsasig1024des3sha_xauths) },
	{ KEY_IKE, AD(otpsk1024des3sha_xauths) },
	{ KEY_IKE, AD(otrsasig1024des3md5_xauths) },
	{ KEY_IKE, AD(otpsk1024des3md5_xauths) },
    };
#endif

/*
 * array of proposals to be conjoined (can only be one for Oakley)
 * AND of protocols.
 */
static struct db_prop oakley_pc_psk[] =
    { { PROTO_ISAKMP, AD(oakley_trans_psk) } };

static struct db_prop oakley_pc_rsasig[] =
    { { PROTO_ISAKMP, AD(oakley_trans_rsasig) } };

static struct db_prop oakley_pc_pskrsasig[] =
    { { PROTO_ISAKMP, AD(oakley_trans_pskrsasig) } };

#ifdef XAUTH
static struct db_prop oakley_pc_psk_xauths[] =
    { { PROTO_ISAKMP, AD(oakley_trans_psk_xauths) } };

static struct db_prop oakley_pc_rsasig_xauths[] =
    { { PROTO_ISAKMP, AD(oakley_trans_rsasig_xauths) } };

static struct db_prop oakley_pc_pskrsasig_xauths[] =
    { { PROTO_ISAKMP, AD(oakley_trans_pskrsasig_xauths) } };

static struct db_prop oakley_pc_psk_xauthc[] =
    { { PROTO_ISAKMP, AD(oakley_trans_psk_xauthc) } };

static struct db_prop oakley_pc_rsasig_xauthc[] =
    { { PROTO_ISAKMP, AD(oakley_trans_rsasig_xauthc) } };

static struct db_prop oakley_pc_pskrsasig_xauthc[] =
    { { PROTO_ISAKMP, AD(oakley_trans_pskrsasig_xauthc) } };
#endif

/* array of proposal conjuncts (can only be one) (OR of protocol) */
static struct db_prop_conj oakley_props_psk[] = { { AD(oakley_pc_psk) } };

static struct db_prop_conj oakley_props_rsasig[] = { { AD(oakley_pc_rsasig) } };

static struct db_prop_conj oakley_props_pskrsasig[] = { { AD(oakley_pc_pskrsasig) } };

#ifdef XAUTH
static struct db_prop_conj oakley_props_psk_xauthc[] = { { AD(oakley_pc_psk_xauthc) } };

static struct db_prop_conj oakley_props_rsasig_xauthc[] = { { AD(oakley_pc_rsasig_xauthc) } };

static struct db_prop_conj oakley_props_pskrsasig_xauthc[] = { { AD(oakley_pc_pskrsasig_xauthc) } };

static struct db_prop_conj oakley_props_psk_xauths[] = { { AD(oakley_pc_psk_xauths) } };

static struct db_prop_conj oakley_props_rsasig_xauths[] = { { AD(oakley_pc_rsasig_xauths) } };

static struct db_prop_conj oakley_props_pskrsasig_xauths[] = { { AD(oakley_pc_pskrsasig_xauths) } };
#endif

/* the sadb entry, subscripted by POLICY_PSK and POLICY_RSASIG bits */
struct db_sa oakley_sadb[] = {
    { AD_NULL },	                /* none */
    { AD(oakley_props_psk) },	        /* POLICY_PSK */
    { AD(oakley_props_rsasig) },	/* POLICY_RSASIG */
    { AD(oakley_props_pskrsasig) },	/* POLICY_PSK + POLICY_RSASIG */
#ifdef XAUTH
    { AD_NULL },                        /* POLICY_XAUTHSERVER + none */
    { AD(oakley_props_psk_xauths) },    /* POLICY_XAUTHSERVER + PSK */
    { AD(oakley_props_rsasig_xauths) }, /* POLICY_XAUTHSERVER + RSA */
    { AD(oakley_props_pskrsasig_xauths)},/* POLICY_XAUTHSERVER + RSA+PSK */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + none */
    { AD(oakley_props_psk_xauthc) },    /* POLICY_XAUTHCLIENT + PSK */
    { AD(oakley_props_rsasig_xauthc)},  /* POLICY_XAUTHCLIENT + RSA */
    { AD(oakley_props_pskrsasig_xauthc)},/* POLICY_XAUTHCLIENT + RSA+PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + none */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA+PSK */
#else /* XAUTH */
    { AD_NULL },                        /* POLICY_XAUTHSERVER + none */
    { AD_NULL },                        /* POLICY_XAUTHSERVER + PSK */
    { AD_NULL },                        /* POLICY_XAUTHSERVER + RSA */
    { AD_NULL },                        /* POLICY_XAUTHSERVER + RSA+PSK */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + none */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + PSK */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + RSA */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + RSA+PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + none */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA+PSK */
#endif /* XAUTH */
    };

#if defined(AGGRESSIVE)
/**************** Oakley (aggressive mode) SA database ****************/
/*
 * the Aggressive mode attributes must be seperate, because there
 * can be no choices --- since we must computer keying material,
 * we must actually just agree on what we are going to use.
 */

#if !defined(XAUTH) && defined(AGGRESSIVE)
#error there is no point in compiling aggressive mode without XAUTH
#endif

/* tables of transforms, in preference order (select based on AUTH) */
static struct db_trans oakley_am_trans_psk[] = {
	{ KEY_IKE, AD(otpsk1536des3sha) },
    };

static struct db_trans oakley_am_trans_psk_xauthc[] = {
	{ KEY_IKE, AD(otpsk1536des3sha_xauthc) },
    };
static struct db_trans oakley_am_trans_psk_xauths[] = {
	{ KEY_IKE, AD(otpsk1536des3sha_xauths) },
    };

static struct db_trans oakley_am_trans_rsasig[] = {
	{ KEY_IKE, AD(otrsasig1536des3sha) },
    };

static struct db_trans oakley_am_trans_rsasig_xauthc[] = {
	{ KEY_IKE, AD(otrsasig1536des3sha_xauthc) },
    };
static struct db_trans oakley_am_trans_rsasig_xauths[] = {
	{ KEY_IKE, AD(otrsasig1536des3sha_xauths) },
    };

/* array of proposals to be conjoined (can only be one for Oakley) */
static struct db_prop oakley_am_pc_psk[] =
    { { PROTO_ISAKMP, AD(oakley_am_trans_psk) } };

static struct db_prop oakley_am_pc_rsasig[] =
    { { PROTO_ISAKMP, AD(oakley_am_trans_rsasig) } };

static struct db_prop oakley_am_pc_psk_xauths[] =
    { { PROTO_ISAKMP, AD(oakley_am_trans_psk_xauths) } };

static struct db_prop oakley_am_pc_rsasig_xauths[] =
    { { PROTO_ISAKMP, AD(oakley_am_trans_rsasig_xauths) } };

static struct db_prop oakley_am_pc_psk_xauthc[] =
    { { PROTO_ISAKMP, AD(oakley_am_trans_psk_xauthc) } };

static struct db_prop oakley_am_pc_rsasig_xauthc[] =
    { { PROTO_ISAKMP, AD(oakley_am_trans_rsasig_xauthc) } };

/* array of proposal conjuncts (can only be one) */
static struct db_prop_conj oakley_am_props_psk[] =
    { { AD(oakley_am_pc_psk) } };

static struct db_prop_conj oakley_am_props_rsasig[] =
    { { AD(oakley_am_pc_rsasig) } };

static struct db_prop_conj oakley_am_props_psk_xauthc[] =
    { { AD(oakley_am_pc_psk_xauthc) } };

static struct db_prop_conj oakley_am_props_rsasig_xauthc[] =
    { { AD(oakley_am_pc_rsasig_xauthc) } };

static struct db_prop_conj oakley_am_props_psk_xauths[] =
    { { AD(oakley_am_pc_psk_xauths) } };

static struct db_prop_conj oakley_am_props_rsasig_xauths[] =
    { { AD(oakley_am_pc_rsasig_xauths) } };

/*
 * the sadb entry, subscripted
 *   by [ WEAK, XAUTHSERVER, XAUTHCLIENT, POLICY_RSASIG, POLICY_PSK ] bits
 */
struct db_sa oakley_am_sadb[] = {
    /* STRONG ALGORITHMS */
    { AD_NULL },	                /* none */
    { AD(oakley_am_props_psk) },	/* POLICY_PSK */
    { AD(oakley_am_props_rsasig) },	/* POLICY_RSASIG */
    { AD_NULL }, 	                /* PSK + RSASIG => invalid in AM */
    { AD_NULL },                        /* POLICY_XAUTHSERVER + none */
    { AD(oakley_am_props_psk_xauths) },    /* POLICY_XAUTHSERVER + PSK */
    { AD(oakley_am_props_rsasig_xauths) }, /* POLICY_XAUTHSERVER + RSA */
    { AD_NULL },                        /* XAUTHSERVER + RSA+PSK=>invalid */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + none */
    { AD(oakley_am_props_psk_xauthc) },    /* POLICY_XAUTHCLIENT + PSK */
    { AD(oakley_am_props_rsasig_xauthc)},  /* POLICY_XAUTHCLIENT + RSA */
    { AD_NULL },                        /* XAUTHCLIENT + RSA+PSK=>invalid */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + none */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA+PSK */
#if 0
    /* weaker ALGORITHMS */
    { AD_NULL },	                /* none */
    { AD(oakley_am_props_psk) },	/* POLICY_PSK */
    { AD(oakley_am_props_rsasig) },	/* POLICY_RSASIG */
    { AD(oakley_am_props_pskrsasig) },	/* POLICY_PSK + POLICY_RSASIG */
    { AD_NULL },                        /* POLICY_XAUTHSERVER + none */
    { AD(oakley_am_props_psk_xauths) },    /* POLICY_XAUTHSERVER + PSK */
    { AD(oakley_am_props_rsasig_xauths) }, /* POLICY_XAUTHSERVER + RSA */
    { AD(oakley_am_props_pskrsasig_xauths)},/* POLICY_XAUTHSERVER + RSA+PSK */
    { AD_NULL },                        /* POLICY_XAUTHCLIENT + none */
    { AD(oakley_am_props_psk_xauthc) },    /* POLICY_XAUTHCLIENT + PSK */
    { AD(oakley_am_props_rsasig_xauthc)},  /* POLICY_XAUTHCLIENT + RSA */
    { AD(oakley_am_props_pskrsasig_xauthc)},/* POLICY_XAUTHCLIENT + RSA+PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + none */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + PSK */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA */
    { AD_NULL },                        /* XAUTHCLIENT+XAUTHSERVER + RSA+PSK */
#endif
    };

#endif /* AGGRESSIVE */

/**************** IPsec (quick mode) SA database ****************/

/* arrays of attributes for transforms */

static struct db_attr espmd5_attr[] = {
    { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_MD5 },
    };

static struct db_attr espsha1_attr[] = {
    { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
    };

static struct db_attr ah_HMAC_MD5_attr[] = {
    { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_MD5 },
    };

static struct db_attr ah_HMAC_SHA1_attr[] = {
    { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
    };

/* arrays of transforms, each in in preference order */

static struct db_trans espa_trans[] = {
    { ESP_AES,  AD(espsha1_attr) },
    { ESP_AES,  AD(espmd5_attr) },
    { ESP_3DES,    AD(espsha1_attr) },
    { ESP_3DES,    AD(espmd5_attr) },
    };

static struct db_trans esp_trans[] = {
    { ESP_3DES, AD_NULL },
    };

#ifdef SUPPORT_ESP_NULL
static struct db_trans espnull_trans[] = {
    { ESP_NULL, AD(espsha1_attr) },
    { ESP_NULL, AD(espmd5_attr) },
    };
#endif /* SUPPORT_ESP_NULL */

static struct db_trans ah_trans[] = {
    { AH_SHA, AD(ah_HMAC_SHA1_attr) },
    { AH_MD5, AD(ah_HMAC_MD5_attr) },
    };

static struct db_trans ipcomp_trans[] = {
    { IPCOMP_DEFLATE, AD_NULL },
    };

/* arrays of proposals to be conjoined */

static struct db_prop ah_pc[] = {
    { PROTO_IPSEC_AH, AD(ah_trans) },
    };

#ifdef SUPPORT_ESP_NULL
static struct db_prop espnull_pc[] = {
    { PROTO_IPSEC_ESP, AD(espnull_trans) },
    };
#endif /* SUPPORT_ESP_NULL */

static struct db_prop esp_pc[] = {
    { PROTO_IPSEC_ESP, AD(espa_trans) },
    };

static struct db_prop ah_esp_pc[] = {
    { PROTO_IPSEC_AH, AD(ah_trans) },
    { PROTO_IPSEC_ESP, AD(esp_trans) },
    };

static struct db_prop compress_pc[] = {
    { PROTO_IPCOMP, AD(ipcomp_trans) },
    };

static struct db_prop ah_compress_pc[] = {
    { PROTO_IPSEC_AH, AD(ah_trans) },
    { PROTO_IPCOMP, AD(ipcomp_trans) },
    };

#ifdef SUPPORT_ESP_NULL