- New upstream release.

8 files changed, 250 insertions, 251 deletions

diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index d77c05fd7..c2b408ca9 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: backend_manager.c 4134 2008-07-01 11:10:37Z martin $
  */
 
 #include "backend_manager.h"
@@ -49,6 +49,16 @@ struct private_backend_manager_t {
 };
 
 /**
+ * match of an ike_cfg
+ */
+typedef enum ike_cfg_match_t {
+	MATCH_NONE  = 0x00,
+	MATCH_ANY   = 0x01,
+	MATCH_ME    = 0x04,
+	MATCH_OTHER = 0x08,
+} ike_cfg_match_t;
+
+/**
  * data to pass nested IKE enumerator
  */
 typedef struct {
@@ -108,6 +118,48 @@ static enumerator_t *peer_enum_create_all(backend_t *backend)
 }
 
 /**
+ * get a match of a candidate ike_cfg for two hosts
+ */
+static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other)
+{
+	host_t *me_cand, *other_cand;
+	ike_cfg_match_t match = MATCH_NONE;
+	
+	me_cand = host_create_from_dns(cand->get_my_addr(cand),
+								   me->get_family(me), 0);
+	if (!me_cand)
+	{
+		return MATCH_NONE;
+	}
+	if (me_cand->ip_equals(me_cand, me))
+	{
+		match += MATCH_ME;
+	}
+	else if (me_cand->is_anyaddr(me_cand))
+	{
+		match += MATCH_ANY;
+	}
+	me_cand->destroy(me_cand);
+	
+	other_cand = host_create_from_dns(cand->get_other_addr(cand),
+									  other->get_family(other), 0);
+	if (!other_cand)
+	{
+		return MATCH_NONE;
+	}
+	if (other_cand->ip_equals(other_cand, other))
+	{
+		match += MATCH_OTHER;
+	}
+	else if (other_cand->is_anyaddr(other_cand))
+	{
+		match += MATCH_ANY;
+	}
+	other_cand->destroy(other_cand);
+	return match;
+}
+
+/**
  * implements backend_manager_t.get_ike_cfg.
  */
 static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, 
@@ -115,14 +167,8 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 {
 	ike_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	host_t *my_candidate, *other_candidate;
+	ike_cfg_match_t match, best = MATCH_ANY;
 	ike_data_t *data;
-	enum {
-		MATCH_NONE  = 0x00,
-		MATCH_ANY   = 0x01,
-		MATCH_ME    = 0x04,
-		MATCH_OTHER = 0x08,
-	} prio, best = MATCH_ANY;
 	
 	data = malloc_thing(ike_data_t);
 	data->this = this;
@@ -137,51 +183,20 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 						(void*)ike_enum_create, data, (void*)ike_enum_destroy);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		prio = MATCH_NONE;
-		
-		my_candidate = host_create_from_dns(current->get_my_addr(current),
-											me->get_family(me), 0);
-		if (!my_candidate)
-		{
-			continue;
-		}
-		if (my_candidate->ip_equals(my_candidate, me))
-		{
-			prio += MATCH_ME;
-		}
-		else if (my_candidate->is_anyaddr(my_candidate))
-		{
-			prio += MATCH_ANY;
-		}
-		my_candidate->destroy(my_candidate);
-		
-		other_candidate = host_create_from_dns(current->get_other_addr(current),
-											   other->get_family(other), 0);
-		if (!other_candidate)
-		{
-			continue;
-		}
-		if (other_candidate->ip_equals(other_candidate, other))
-		{
-			prio += MATCH_OTHER;
-		}
-		else if (other_candidate->is_anyaddr(other_candidate))
-		{
-			prio += MATCH_ANY;
-		}
-		other_candidate->destroy(other_candidate);
-		
-		DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
-			 current->get_my_addr(current), current->get_other_addr(current),
-			 prio);
-		
-		/* we require at least two MATCH_ANY */
-		if (prio > best)
+		match = get_match(current, me, other);
+
+		if (match)
 		{
-			best = prio;
-			DESTROY_IF(found);
-			found = current;
-			found->get_ref(found);
+			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
+				 current->get_my_addr(current), current->get_other_addr(current),
+				 match);
+			if (match > best)
+			{
+				DESTROY_IF(found);
+				found = current;
+				found->get_ref(found);
+				best = match;
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -202,22 +217,23 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this)
 /**
  * implements backend_manager_t.get_peer_cfg.
  */			
-static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
-								identification_t *me, identification_t *other,
-								auth_info_t *auth)
+static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
+								host_t *other, identification_t *my_id,
+								identification_t *other_id, auth_info_t *auth)
 {
 	peer_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	identification_t *my_candidate, *other_candidate;
-	id_match_t best = ID_MATCH_NONE;
+	id_match_t best_peer = ID_MATCH_NONE;
+	ike_cfg_match_t best_ike = MATCH_NONE;
 	peer_data_t *data;
 	
-	DBG2(DBG_CFG, "looking for a config for %D...%D", me, other);
+	DBG2(DBG_CFG, "looking for a config for %H[%D]...%H[%D]",
+		 me, my_id, other, other_id);
 	
 	data = malloc_thing(peer_data_t);
 	data->this = this;
-	data->me = me;
-	data->other = other;
+	data->me = my_id;
+	data->other = other_id;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = enumerator_create_nested(
@@ -225,42 +241,45 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
 						(void*)peer_enum_create, data, (void*)peer_enum_destroy);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		id_match_t m1, m2, sum;
+		identification_t *my_cand, *other_cand;
+		id_match_t m1, m2, match_peer;
+		ike_cfg_match_t match_ike;
 
-		my_candidate = current->get_my_id(current);
-		other_candidate = current->get_other_id(current);
+		my_cand = current->get_my_id(current);
+		other_cand = current->get_other_id(current);
 		
 		/* own ID may have wildcards in both, config and request (missing IDr) */
-		m1 = my_candidate->matches(my_candidate, me);
+		m1 = my_cand->matches(my_cand, my_id);
 		if (!m1)
 		{
-			m1 = me->matches(me, my_candidate);
+			m1 = my_id->matches(my_id, my_cand);
 		}
-		m2 = other->matches(other, other_candidate);
-		sum = m1 + m2;
+		m2 = other_id->matches(other_id, other_cand);
+		
+		match_peer = m1 + m2;
+		match_ike = get_match(current->get_ike_cfg(current), me, other);
 		
-		if (m1 && m2)
+		if (m1 && m2 && match_ike && 
+			auth->complies(auth, current->get_auth(current)))
 		{
-			if (auth->complies(auth, current->get_auth(current)))
+			DBG2(DBG_CFG, "  candidate '%s': %D...%D, prio %d.%d",
+			 	 current->get_name(current), my_cand, other_cand,
+			 	 match_peer, match_ike);
+			if (match_peer >= best_peer && match_ike > best_ike)
 			{
-				DBG2(DBG_CFG, "  candidate '%s': %D...%D, prio %d",
-				 	 current->get_name(current), my_candidate,
-				 	 other_candidate, sum);
-				if (sum > best)
-				{
-					DESTROY_IF(found);
-					found = current;
-					found->get_ref(found);
-					best = sum;
-				}
+				DESTROY_IF(found);
+				found = current;
+				found->get_ref(found);
+				best_peer = match_peer;
+				best_ike = match_ike;
 			}
 		}
 	}
 	if (found)
 	{
-		DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d",
+		DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d.%d",
 			 found->get_name(found), found->get_my_id(found),
-			 found->get_other_id(found), best);
+			 found->get_other_id(found), best_peer, best_ike);
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
@@ -325,7 +344,7 @@ backend_manager_t *backend_manager_create()
 	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
 	
 	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
-	this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
+	this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
 	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
 	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator;
 	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 6400bd7fd..17df26dad 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: backend_manager.h 4132 2008-07-01 09:05:20Z martin $
  */
 
 /**
@@ -66,12 +66,15 @@ struct backend_manager_t {
 	/**
 	 * Get a peer_config identified by two IDs and authorization info.
 	 *
+	 * @param me				own address
+	 * @param other				peer address
 	 * @param my_id				own ID
 	 * @param other_id			peer ID
 	 * @param auth_info			authorization info
 	 * @return					matching peer_config, or NULL if none found
 	 */
-	peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, identification_t *my_id,
+	peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me,
+								host_t *other, identification_t *my_id,
 								identification_t *other_id, auth_info_t *auth);
 	
 	/**
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index f929927ef..24242345b 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -14,25 +14,17 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: child_cfg.c 4358 2008-09-25 13:56:23Z tobias $
  */
 
 #include "child_cfg.h"
 
 #include <daemon.h>
 
-ENUM(mode_names, MODE_TRANSPORT, MODE_BEET,
-	"TRANSPORT",
-	"TUNNEL",
-	"2",
-	"3",
-	"BEET",
-);
-
 ENUM(action_names, ACTION_NONE, ACTION_RESTART,
-	"ACTION_NONE",
-	"ACTION_ROUTE",
-	"ACTION_RESTART",
+	"clear",
+	"hold",
+	"restart",
 );
 
 ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE, 
@@ -94,7 +86,7 @@ struct private_child_cfg_t {
 	/**
 	 * Mode to propose for a initiated CHILD: tunnel/transport
 	 */
-	mode_t mode;
+	ipsec_mode_t mode;
 	
 	/**
 	 * action to take on DPD
@@ -379,7 +371,7 @@ static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
 /**
  * Implementation of child_cfg_t.get_mode
  */
-static mode_t get_mode(private_child_cfg_t *this)
+static ipsec_mode_t get_mode(private_child_cfg_t *this)
 {
 	return this->mode;
 }
@@ -462,7 +454,7 @@ static void destroy(private_child_cfg_t *this)
  */
 child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, mode_t mode,
+							  char *updown, bool hostaccess, ipsec_mode_t mode,
 							  action_t dpd_action, action_t close_action, bool ipcomp)
 {
 	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@@ -475,7 +467,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
 	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
 	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
-	this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode;
+	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
 	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
 	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
 	this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 6d262c217..83d6cafe6 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.h 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_cfg.h 4358 2008-09-25 13:56:23Z tobias $
  */
 
 /**
@@ -25,7 +25,6 @@
 #ifndef CHILD_CFG_H_
 #define CHILD_CFG_H_
 
-typedef enum mode_t mode_t;
 typedef enum action_t action_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct child_cfg_t child_cfg_t;
@@ -33,25 +32,7 @@ typedef struct child_cfg_t child_cfg_t;
 #include <library.h>
 #include <config/proposal.h>
 #include <config/traffic_selector.h>
-
-/**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
- */
-enum mode_t {
-	/** transport mode, no inner address */
-	MODE_TRANSPORT = 0,
-	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL = 1,
-	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET = 4,
-};
-
-/**
- * enum names for mode_t.
- */
-extern enum_name_t *mode_names;
+#include <kernel/kernel_ipsec.h>
 
 /**
  * Action to take when DPD detected/connection gets closed by peer.
@@ -208,7 +189,7 @@ struct child_cfg_t {
 	 * 
 	 * @return				ipsec mode
 	 */
-	mode_t (*get_mode) (child_cfg_t *this);
+	ipsec_mode_t (*get_mode) (child_cfg_t *this);
 	
 	/**
 	 * Action to take on DPD.
@@ -279,7 +260,7 @@ struct child_cfg_t {
  */
 child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, mode_t mode,
+							  char *updown, bool hostaccess, ipsec_mode_t mode,
 							  action_t dpd_action, action_t close_action,
 							  bool ipcomp);
 
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 0e56759c2..04f323128 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: peer_cfg.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: peer_cfg.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -37,12 +37,6 @@ ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP,
 	"UNIQUE_KEEP",
 );
 
-ENUM(config_auth_method_names, CONF_AUTH_PUBKEY, CONF_AUTH_EAP,
-	"CONF_AUTH_PUBKEY",
-	"CONF_AUTH_PSK",
-	"CONF_AUTH_EAP",
-);
-
 typedef struct private_peer_cfg_t private_peer_cfg_t;
 
 /**
@@ -106,21 +100,6 @@ struct private_peer_cfg_t {
 	unique_policy_t unique;
 	
 	/**
-	 * Method to use for own authentication data
-	 */
-	config_auth_method_t auth_method;
-	
-	/**
-	 * EAP type to use for peer authentication
-	 */
-	eap_type_t eap_type;
-	
-	/**
-	 * EAP vendor ID if vendor specific type is used
-	 */
-	u_int32_t eap_vendor;
-	
-	/**
 	 * number of tries after giving up if peer does not respond
 	 */
 	u_int32_t keyingtries;
@@ -319,23 +298,6 @@ static unique_policy_t get_unique_policy(private_peer_cfg_t *this)
 }
 
 /**
- * Implementation of peer_cfg_t.get_auth_method.
- */
-static config_auth_method_t get_auth_method(private_peer_cfg_t *this)
-{
-	return this->auth_method;
-}
-
-/**
- * Implementation of peer_cfg_t.get_eap_type.
- */
-static eap_type_t get_eap_type(private_peer_cfg_t *this, u_int32_t *vendor)
-{
-	*vendor = this->eap_vendor;
-	return this->eap_type;
-}
-
-/**
  * Implementation of peer_cfg_t.get_keyingtries.
  */
 static u_int32_t get_keyingtries(private_peer_cfg_t *this)
@@ -469,9 +431,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 		this->other_id->equals(this->other_id, other->other_id) &&
 		this->cert_policy == other->cert_policy &&
 		this->unique == other->unique &&
-		this->auth_method == other->auth_method &&
-		this->eap_type == other->eap_type &&
-		this->eap_vendor == other->eap_vendor &&
 		this->keyingtries == other->keyingtries &&
 		this->use_mobike == other->use_mobike &&
 		this->rekey_time == other->rekey_time &&
@@ -533,8 +492,6 @@ static void destroy(private_peer_cfg_t *this)
 peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
-							config_auth_method_t auth_method, eap_type_t eap_type,
-							u_int32_t eap_vendor,
 							u_int32_t keyingtries, u_int32_t rekey_time,
 							u_int32_t reauth_time, u_int32_t jitter_time,
 							u_int32_t over_time, bool mobike, u_int32_t dpd,
@@ -556,8 +513,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
 	this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
 	this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
-	this->public.get_auth_method = (config_auth_method_t (*) (peer_cfg_t *))get_auth_method;
-	this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *,u_int32_t*))get_eap_type;
 	this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
 	this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time;
 	this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time;
@@ -586,9 +541,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->other_id = other_id;
 	this->cert_policy = cert_policy;
 	this->unique = unique;
-	this->auth_method = auth_method;
-	this->eap_type = eap_type;
-	this->eap_vendor = eap_vendor;
 	this->keyingtries = keyingtries;
 	this->rekey_time = rekey_time;
 	this->reauth_time = reauth_time;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 5662b48df..473cdfd04 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: peer_cfg.h 4054 2008-06-10 20:31:53Z andreas $
+ * $Id: peer_cfg.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -27,7 +27,6 @@
 
 typedef enum cert_policy_t cert_policy_t;
 typedef enum unique_policy_t unique_policy_t;
-typedef enum config_auth_method_t config_auth_method_t;
 typedef struct peer_cfg_t peer_cfg_t;
 
 #include <library.h>
@@ -82,23 +81,6 @@ enum unique_policy_t {
 extern enum_name_t *unique_policy_names;
 
 /**
- * Authentication method for this IKE_SA.
- */
-enum config_auth_method_t {
-	/** authentication using public keys (RSA, ECDSA) */
-	CONF_AUTH_PUBKEY =	1,
-	/** authentication using a pre-shared secret */
-	CONF_AUTH_PSK = 	2,
-	/** authentication using EAP */
-	CONF_AUTH_EAP = 	3,
-};
-
-/**
- * enum strings for config_auth_method_t
- */
-extern enum_name_t *config_auth_method_names;
-
-/**
  * Configuration of a peer, specified by IDs.
  *
  * The peer config defines a connection between two given IDs. It contains
@@ -220,25 +202,6 @@ struct peer_cfg_t {
 	 * @return			unique policy
 	 */
 	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
-
-	/**
-	 * Get the authentication method to use to authenticate us.
-	 * 
-	 * @return			authentication method
-	 */
-	config_auth_method_t (*get_auth_method) (peer_cfg_t *this);
-	
-	/**
-	 * Get the EAP type to use for peer authentication.
-	 *
-	 * If vendor specific types are used, a vendor ID != 0 is returned to
-	 * to vendor argument. Then the returned type is specific for that 
-	 * vendor ID.
-	 * 
-	 * @param vendor	receives vendor specifier, 0 for predefined EAP types
-	 * @return			authentication method
-	 */
-	eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);
 	
 	/**
 	 * Get the max number of retries after timeout.
@@ -372,9 +335,6 @@ struct peer_cfg_t {
  * @param other_id 			identification_t for the remote guy
  * @param cert_policy		should we send a certificate payload?
  * @param unique			uniqueness of an IKE_SA
- * @param auth_method		auth method to use to authenticate us
- * @param eap_type			EAP type to use for peer authentication
- * @param eap_vendor		EAP vendor identifier, if vendor specific type is used
  * @param keyingtries		how many keying tries should be done before giving up
  * @param rekey_time		timeout before starting rekeying
  * @param reauth_time		timeout before starting reauthentication
@@ -393,8 +353,6 @@ struct peer_cfg_t {
 peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
 							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
-							config_auth_method_t auth_method, eap_type_t eap_type,
-							u_int32_t eap_vendor,
 							u_int32_t keyingtries, u_int32_t rekey_time,
 							u_int32_t reauth_time, u_int32_t jitter_time,
 							u_int32_t over_time, bool mobike, u_int32_t dpd,
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 803cf8ae4..b1c049fe8 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: proposal.c 4390 2008-10-08 12:57:11Z martin $
  */
 
 #include <string.h>
@@ -755,10 +755,18 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
 	}
+	else if (strncmp(alg.ptr, "modp3072", alg.len) == 0)
+	{
+		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0);
+	}
 	else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
 	}
+	else if (strncmp(alg.ptr, "modp6144", alg.len) == 0)
+	{
+		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0);
+	}
 	else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
@@ -938,6 +946,112 @@ proposal_t *proposal_create(protocol_id_t protocol)
 	return &this->public;
 }
 
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static void proposal_add_supported_ike(private_proposal_t *this)
+{
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+	
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		switch (encryption)
+		{
+			case ENCR_AES_CBC:
+				/* we assume that we support all AES sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
+			case ENCR_AES_CTR:
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+				break;
+			case ENCR_DES:
+				/* no, thanks */
+				break;
+			default:
+				break;
+		}	
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity))
+	{
+		switch (integrity)
+		{
+			case AUTH_HMAC_SHA1_96:
+			case AUTH_HMAC_SHA2_256_128:
+			case AUTH_HMAC_SHA2_384_192:
+			case AUTH_HMAC_SHA2_512_256:
+			case AUTH_HMAC_MD5_96:
+			case AUTH_AES_XCBC_96:
+				add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+				break;
+			default:
+				break;
+		}	
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf))
+	{
+		switch (prf)
+		{
+			case PRF_HMAC_SHA1:
+			case PRF_HMAC_SHA2_256:
+			case PRF_HMAC_SHA2_384:
+			case PRF_HMAC_SHA2_512:
+			case PRF_HMAC_MD5:
+			case PRF_AES128_XCBC:
+				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		switch (group)
+		{
+			case MODP_768_BIT:
+				/* weak */
+				break;
+			case MODP_1024_BIT:
+			case MODP_1536_BIT:
+			case MODP_2048_BIT:
+			case MODP_4096_BIT:
+			case MODP_8192_BIT:
+			case ECP_256_BIT:
+			case ECP_384_BIT:
+			case ECP_521_BIT:
+			case ECP_192_BIT:
+			case ECP_224_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
 /*
  * Describtion in header-file
  */
@@ -948,27 +1062,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 	switch (protocol)
 	{
 		case PROTO_IKE:
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_256_128, 0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_384_192, 0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_512_256, 0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,        0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,      0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,          0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,           0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,      0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,      0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_2048_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_1536_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_1024_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_4096_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_8192_BIT,          0);
+			proposal_add_supported_ike(this);
 			break;
 		case PROTO_ESP:
 			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
@@ -990,7 +1084,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 		default:
 			break;
 	}
-	
 	return &this->public;
 }
 
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index f41c39d30..63172f855 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.c 3658 2008-03-26 10:06:45Z martin $
+ * $Id: traffic_selector.c 4199 2008-07-21 19:08:03Z andreas $
  */
 
 #include <arpa/inet.h>
@@ -195,21 +195,22 @@ static int print(FILE *stream, const struct printf_info *info,
 		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
 		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 	{
-		return fprintf(stream, "dynamic/%d",
-					   this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
-	}
-	
-	if (this->type == TS_IPV4_ADDR_RANGE)
-	{
-		inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+		written += fprintf(stream, "dynamic/%d",
+						   this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 	}
 	else
 	{
-		inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+		if (this->type == TS_IPV4_ADDR_RANGE)
+		{
+			inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+		}
+		else
+		{
+			inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+		}
+		mask = calc_netbits(this);
+		written += fprintf(stream, "%s/%d", addr_str, mask);
 	}
-	mask = calc_netbits(this);
-	
-	written += fprintf(stream, "%s/%d", addr_str, mask);
 	
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;