[svn-upgrade] new version strongswan (4.4.1)

7 files changed, 23 insertions, 120 deletions

diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
index 13586a23e..cd340e53e 100644
--- a/src/libcharon/sa/authenticators/authenticator.c
+++ b/src/libcharon/sa/authenticators/authenticator.c
@@ -34,13 +34,6 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
 	"ECDSA-521 signature");
 ENUM_END(auth_method_names, AUTH_ECDSA_521);
 
-ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
-	"any",
-	"public key",
-	"pre-shared key",
-	"EAP",
-);
-
 /**
  * Described in header.
  */
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
index fff91ed34..89178b5cf 100644
--- a/src/libcharon/sa/authenticators/authenticator.h
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -24,11 +24,10 @@
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
-typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
-#include <config/auth_cfg.h>
+#include <credentials/auth_cfg.h>
 #include <sa/ike_sa.h>
 
 /**
@@ -76,27 +75,6 @@ enum auth_method_t {
 extern enum_name_t *auth_method_names;
 
 /**
- * Class of authentication to use. This is different to auth_method_t in that
- * it does not specify a method, but a class of acceptable methods. The found
- * certificate finally dictates wich method is used.
- */
-enum auth_class_t {
-	/** any class acceptable */
-	AUTH_CLASS_ANY = 0,
-	/** authentication using public keys (RSA, ECDSA) */
-	AUTH_CLASS_PUBKEY = 1,
-	/** authentication using a pre-shared secrets */
-	AUTH_CLASS_PSK = 2,
-	/** authentication using EAP */
-	AUTH_CLASS_EAP = 3,
-};
-
-/**
- * enum strings for auth_class_t
- */
-extern enum_name_t *auth_class_names;
-
-/**
  * Authenticator interface implemented by the various authenticators.
  *
  * An authenticator implementation handles AUTH and EAP payloads. Received
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
index 91fa5305f..ad7b92cfa 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.c
+++ b/src/libcharon/sa/authenticators/eap/eap_method.c
@@ -15,44 +15,6 @@
 
 #include "eap_method.h"
 
-ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
-	"EAP_IDENTITY",
-	"EAP_NOTIFICATION",
-	"EAP_NAK",
-	"EAP_MD5",
-	"EAP_OTP",
-	"EAP_GTC");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"EAP_SIM");
-ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"EAP_RADIUS",
-	"EAP_EXPANDED",
-	"EAP_EXPERIMENTAL");
-ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
-
-ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
-	"ID",
-	"NTF",
-	"NAK",
-	"MD5",
-	"OTP",
-	"GTC");
-ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"SIM");
-ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"AKA");
-ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"MSCHAPV2");
-ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"RAD",
-	"EXP",
-	"XP");
-ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
-
 /*
  * See header
  */
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
index 4cab84535..df354edb4 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.h
+++ b/src/libcharon/sa/authenticators/eap/eap_method.h
@@ -23,7 +23,6 @@
 
 typedef struct eap_method_t eap_method_t;
 typedef enum eap_role_t eap_role_t;
-typedef enum eap_type_t eap_type_t;
 typedef enum eap_code_t eap_code_t;
 
 #include <library.h>
@@ -43,35 +42,6 @@ enum eap_role_t {
 extern enum_name_t *eap_role_names;
 
 /**
- * EAP types, defines the EAP method implementation
- */
-enum eap_type_t {
-	EAP_IDENTITY = 1,
-	EAP_NOTIFICATION = 2,
-	EAP_NAK = 3,
-	EAP_MD5 = 4,
-	EAP_OTP = 5,
-	EAP_GTC = 6,
-	EAP_SIM = 18,
-	EAP_AKA = 23,
-	EAP_MSCHAPV2 = 26,
-	/** not a method, but an implementation providing different methods */
-	EAP_RADIUS = 253,
-	EAP_EXPANDED = 254,
-	EAP_EXPERIMENTAL = 255,
-};
-
-/**
- * enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_names;
-
-/**
- * short string enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_short_names;
-
-/**
  * Lookup the EAP method type from a string.
  *
  * @param name		EAP method name (such as "md5", "aka")
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 4617c4d8d..3c0f3c358 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -140,17 +140,26 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
 		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
 		if (id)
 		{
-			this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
-			if (this->method)
+			if (id->get_type(id) == ID_ANY)
 			{
-				if (this->method->initiate(this->method, &out) == NEED_MORE)
+				this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
+				if (this->method)
 				{
-					DBG1(DBG_IKE, "initiating EAP-Identity request");
-					return out;
+					if (this->method->initiate(this->method, &out) == NEED_MORE)
+					{
+						DBG1(DBG_IKE, "initiating EAP-Identity request");
+						return out;
+					}
+					this->method->destroy(this->method);
 				}
-				this->method->destroy(this->method);
+				DBG1(DBG_IKE, "EAP-Identity request configured, "
+					 "but not supported");
+			}
+			else
+			{
+				DBG1(DBG_IKE, "using configured EAP-Identity %Y", id);
+				this->eap_identity = id->clone(id);
 			}
-			DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
 		}
 	}
 	/* invoke real EAP method */
@@ -220,7 +229,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 	eap_type_t type, received_type;
 	u_int32_t vendor, received_vendor;
 	eap_payload_t *out;
-	auth_cfg_t *cfg;
 
 	if (in->get_code(in) != EAP_RESPONSE)
 	{
@@ -283,12 +291,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			}
 			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
 										TRUE);
-			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-			if (vendor)
-			{
-				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-			}
 			this->eap_complete = TRUE;
 			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
 		case FAILED:
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c
index 67197d690..e69f30dcf 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/authenticators/psk_authenticator.c
@@ -63,8 +63,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_method_names, AUTH_PSK);
-	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
-										  my_id, other_id);
+	key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
 	if (key == NULL)
 	{
 		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
@@ -107,8 +106,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 	recv_auth_data = auth_payload->get_data(auth_payload);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	enumerator = charon->credentials->create_shared_enumerator(
-							charon->credentials, SHARED_IKE, my_id, other_id);
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_IKE, my_id, other_id);
 	while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
 	{
 		keys_found++;
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
index f1dca2702..3c67f6db6 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -65,8 +65,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 
 	id = this->ike_sa->get_my_id(this->ike_sa);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-	private = charon->credentials->get_private(charon->credentials, KEY_ANY,
-											   id, auth);
+	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
 	if (private == NULL)
 	{
 		DBG1(DBG_IKE, "no private key found for '%Y'", id);
@@ -178,8 +177,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
 									 this->nonce, id);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	enumerator = charon->credentials->create_public_enumerator(
-										charon->credentials, key_type, id, auth);
+	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+														key_type, id, auth);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, octets, auth_data))