Diffstat (limited to 'src/charon-cmd')
-rw-r--r-- | src/charon-cmd/Makefile.in | 12 | ||||
-rw-r--r-- | src/charon-cmd/charon-cmd.8.in | 18 | ||||
-rw-r--r-- | src/charon-cmd/charon-cmd.c | 7 | ||||
-rw-r--r-- | src/charon-cmd/cmd/cmd_connection.c | 97 | ||||
-rw-r--r-- | src/charon-cmd/cmd/cmd_options.c | 6 | ||||
-rw-r--r-- | src/charon-cmd/cmd/cmd_options.h | 3 |
6 files changed, 132 insertions, 11 deletions
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index d484f6463..62d6cd725 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -221,8 +221,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -290,6 +288,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,12 +381,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -398,6 +405,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
index 25d706995..a2d424e9a 100644
--- a/src/charon-cmd/charon-cmd.8.in
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -116,6 +116,24 @@ address will always be proposed.
 .BI "\-\-remote\-ts " subnet
 Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
 .TP
+.BI "\-\-ike\-proposal " proposal
+IKE proposal to offer instead of default. For IKEv1, a single proposal consists
+of one encryption algorithm, an integrity/PRF algorithm and a DH group. IKEv2
+can propose multiple algorithms of the same kind. To specify multiple proposals,
+repeat the option.
+.TP
+.BI "\-\-esp\-proposal " proposal
+ESP proposal to offer instead of default. For IKEv1, a single proposal consists
+of one encryption algorithm, an integrity algorithm and an optional DH group for
+Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the
+same kind. To specify multiple proposals, repeat the option.
+.TP
+.BI "\-\-ah\-proposal " proposal
+AH proposal to offer instead of ESP. For IKEv1, a single proposal consists
+of an integrity algorithm and an optional DH group for Perfect Forward Secrecy
+rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify
+multiple proposals, repeat the option.
+.TP
 .BI "\-\-profile " name
 Authentication profile to use, the list of supported profiles can be found in the
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 5f4787b58..a70d314af 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -322,7 +322,7 @@ int main(int argc, char *argv[])
 dbg = dbg_stderr;
 atexit(library_deinit);
- if (!library_init(NULL))
+ if (!library_init(NULL, "charon-cmd"))
 {
 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 }
@@ -334,12 +334,12 @@ int main(int argc, char *argv[])
 }
 }
 atexit(libhydra_deinit);
- if (!libhydra_init("charon-cmd"))
+ if (!libhydra_init())
 {
 exit(SS_RC_INITIALIZATION_FAILED);
 }
 atexit(libcharon_deinit);
- if (!libcharon_init("charon-cmd"))
+ if (!libcharon_init())
 {
 exit(SS_RC_INITIALIZATION_FAILED);
 }
@@ -389,6 +389,7 @@ int main(int argc, char *argv[])
 sigaddset(&action.sa_mask, SIGINT);
 sigaddset(&action.sa_mask, SIGTERM);
 sigaddset(&action.sa_mask, SIGHUP);
+ sigaddset(&action.sa_mask, SIGUSR1);
 sigaction(SIGSEGV, &action, NULL);
 sigaction(SIGILL, &action, NULL);
 sigaction(SIGBUS, &action, NULL);
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 180e8da98..ac085e131 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -87,6 +87,16 @@ struct private_cmd_connection_t {
 linked_list_t *remote_ts;
 /**
+ * List of IKE proposals
+ */
+ linked_list_t *ike_proposals;
+
+ /**
+ * List of CHILD proposals
+ */
+ linked_list_t *child_proposals;
+
+ /**
 * Hostname to connect to
 */
 char *host;
@@ -135,6 +145,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
 ike_version_t version = IKE_ANY;
 bool aggressive = FALSE;
+ proposal_t *proposal;
 switch (this->profile)
 {
@@ -165,7 +176,18 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 }
 ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", local_port,
 this->host, remote_port, FRAGMENTATION_NO, 0);
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ if (this->ike_proposals->get_count(this->ike_proposals))
+ {
+ while (this->ike_proposals->remove_first(this->ike_proposals,
+ (void**)&proposal) == SUCCESS)
+ {
+ ike_cfg->add_proposal(ike_cfg, proposal);
+ }
+ }
+ else
+ {
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ }
 peer_cfg = peer_cfg_create("cmd", ike_cfg, CERT_SEND_IF_ASKED,
 UNIQUE_REPLACE, 1, /* keyingtries */
 36000, 0, /* rekey 10h, reauth none */
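Review bot: The added `sigaddset(&action.sa_mask, SIGUSR1);` is the only change to the fault-handler mask and gives no hint of who raises SIGUSR1; a one-line comment would save the next reader a search, e.g. `/* SIGUSR1 is raised from cmd_connection to stop the daemon; keep it blocked while a fault handler runs */`, if that is indeed the sender (cmd_connection.c stores `.pid = getpid()` in this commit, which suggests so). Whether the signal set the main loop waits on, outside this hunk, also contains SIGUSR1 cannot be seen here; if it does not, a SIGUSR1 delivered outside a fault handler would still take its default action and terminate the process without cleanup. The body of main() continues on both sides of the hunk.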
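Review bot: The `while (this->ike_proposals->remove_first(...) == SUCCESS)` loop moves every configured proposal out of `this->ike_proposals`, so a second call to create_peer_cfg would find the list empty and silently fall back to `proposal_create_default(PROTO_IKE)`; the same holds for `this->child_proposals` in the create_child_cfg hunk at -322,7. Whether create_peer_cfg can run more than once per process is not visible here, but the ownership transfer deserves a comment above the `if`, e.g. `/* configured proposals are moved into ike_cfg; the list is empty afterwards */`. create_peer_cfg starts before this hunk.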
@@ -173,7 +195,6 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 TRUE, aggressive, TRUE, /* mobike, aggressive, pull */
 30, 0, /* DPD delay, timeout */
 FALSE, NULL, NULL); /* mediation */
- peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
 return peer_cfg;
 }
@@ -306,10 +327,13 @@ static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
 /**
 * Attach child config to peer config
 */
-static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
+static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
+ peer_cfg_t *peer_cfg)
 {
 child_cfg_t *child_cfg;
 traffic_selector_t *ts;
+ proposal_t *proposal;
+ bool has_v4 = FALSE, has_v6 = FALSE;
 lifetime_cfg_t lifetime = {
 .time = {
 .life = 10800 /* 3h */,
@@ -322,7 +346,18 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
 NULL, NULL, 0);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ if (this->child_proposals->get_count(this->child_proposals))
+ {
+ while (this->child_proposals->remove_first(this->child_proposals,
+ (void**)&proposal) == SUCCESS)
+ {
+ child_cfg->add_proposal(child_cfg, proposal);
+ }
+ }
+ else
+ {
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ }
 while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
 {
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
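Review bot: The new `peer_cfg_t *peer_cfg` parameter turns create_child_cfg into a function that mutates its peer_cfg argument, but the header comment `Attach child config to peer config` still reads as the old contract and says nothing about the parameter. A short Doxygen-style line above the signature, e.g. `@param peer_cfg  peer config that receives the child config and any virtual IP requests`, would make the ownership clear, since the later hunk in this file (-333,12) shows both `add_virtual_ip` and `add_child_cfg` now happening inside this function. The function body continues beyond this hunk.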
@@ -333,12 +368,31 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
 "0.0.0.0", 0, "255.255.255.255", 65535);
 this->remote_ts->insert_last(this->remote_ts, ts);
+ has_v4 = TRUE;
 }
 while (this->remote_ts->remove_first(this->remote_ts, (void**)&ts) == SUCCESS)
 {
+ switch (ts->get_type(ts))
+ {
+ case TS_IPV4_ADDR_RANGE:
+ has_v4 = TRUE;
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ has_v6 = TRUE;
+ break;
+ }
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 }
+ if (has_v4)
+ {
+ peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+ }
+ if (has_v6)
+ {
+ peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("::", 0));
+ }
+ peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
 return child_cfg;
 }
@@ -374,8 +428,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
 return JOB_REQUEUE_NONE;
 }
- child_cfg = create_child_cfg(this);
- peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+ child_cfg = create_child_cfg(this, peer_cfg);
 if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
 controller_cb_empty, NULL, 0) != SUCCESS)
@@ -421,6 +474,8 @@ static void set_profile(private_cmd_connection_t *this, char *name)
 METHOD(cmd_connection_t, handle, bool,
 private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
 {
+ proposal_t *proposal;
+
 switch (opt)
 {
 case CMD_OPT_HOST:
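Review bot: The `has_v4 = TRUE;` added after `this->remote_ts->insert_last(this->remote_ts, ts);` is redundant, because the inserted default selector is consumed by the `remove_first` loop right below, whose `switch` sets `has_v4` for `TS_IPV4_ADDR_RANGE` anyway; dropping the line leaves one place that decides the address families. The `switch (ts->get_type(ts))` also has no `default:`; adding `default: break;` states that any other selector type is deliberately ignored and keeps `-Wswitch-default` builds quiet. create_child_cfg starts before this hunk.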
@@ -447,6 +502,30 @@ METHOD(cmd_connection_t, handle, bool,
 case CMD_OPT_REMOTE_TS:
 add_ts(this, this->remote_ts, arg);
 break;
+ case CMD_OPT_IKE_PROPOSAL:
+ proposal = proposal_create_from_string(PROTO_IKE, arg);
+ if (!proposal)
+ {
+ exit(1);
+ }
+ this->ike_proposals->insert_last(this->ike_proposals, proposal);
+ break;
+ case CMD_OPT_ESP_PROPOSAL:
+ proposal = proposal_create_from_string(PROTO_ESP, arg);
+ if (!proposal)
+ {
+ exit(1);
+ }
+ this->child_proposals->insert_last(this->child_proposals, proposal);
+ break;
+ case CMD_OPT_AH_PROPOSAL:
+ proposal = proposal_create_from_string(PROTO_AH, arg);
+ if (!proposal)
+ {
+ exit(1);
+ }
+ this->child_proposals->insert_last(this->child_proposals, proposal);
+ break;
 case CMD_OPT_PROFILE:
 set_profile(this, arg);
 break;
@@ -459,6 +538,10 @@ METHOD(cmd_connection_t, handle, bool,
 METHOD(cmd_connection_t, destroy, void,
 private_cmd_connection_t *this)
 {
+ this->ike_proposals->destroy_offset(this->ike_proposals,
+ offsetof(proposal_t, destroy));
+ this->child_proposals->destroy_offset(this->child_proposals,
+ offsetof(proposal_t, destroy));
 this->local_ts->destroy_offset(this->local_ts,
 offsetof(traffic_selector_t, destroy));
 this->remote_ts->destroy_offset(this->remote_ts,
@@ -481,6 +564,8 @@ cmd_connection_t *cmd_connection_create()
 .pid = getpid(),
 .local_ts = linked_list_create(),
 .remote_ts = linked_list_create(),
+ .ike_proposals = linked_list_create(),
+ .child_proposals = linked_list_create(),
 .profile = PROF_UNDEF,
 );
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
index 597ccda1f..5428941ff 100644
--- a/src/charon-cmd/cmd/cmd_options.c
+++ b/src/charon-cmd/cmd/cmd_options.c
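Review bot: On a malformed `--ike-proposal`, `--esp-proposal` or `--ah-proposal` argument each new case calls `exit(1)` without a diagnostic, so the operator only sees a non-zero exit and has to guess which option was rejected; logging the offending string before exiting fixes that, and failing closed on an unparsable proposal is the right outcome to keep. The three cases are otherwise identical apart from the protocol and the target list, the same shape `add_ts(this, this->remote_ts, arg)` already factors out for traffic selectors, so a small static helper removes the duplication and gives the message one place to live. handle's switch continues outside the hunk on both sides.
```c
/* Parse a proposal string for proto and queue it on list; exits on error */
static void add_proposal(linked_list_t *list, protocol_id_t proto, char *arg)
{
	proposal_t *proposal;

	proposal = proposal_create_from_string(proto, arg);
	if (!proposal)
	{
		DBG1(DBG_CFG, "parsing proposal '%s' failed", arg);
		exit(1);
	}
	list->insert_last(list, proposal);
}

/* … unchanged: earlier cases of the handle() switch … */
		case CMD_OPT_IKE_PROPOSAL:
			add_proposal(this->ike_proposals, PROTO_IKE, arg);
			break;
		case CMD_OPT_ESP_PROPOSAL:
			add_proposal(this->child_proposals, PROTO_ESP, arg);
			break;
		case CMD_OPT_AH_PROPOSAL:
			add_proposal(this->child_proposals, PROTO_AH, arg);
			break;
/* … unchanged: CMD_OPT_PROFILE and later cases … */
```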
@@ -56,6 +56,12 @@ cmd_option_t cmd_options[CMD_OPT_COUNT] = {
 "additional traffic selector to propose for our side", {}},
 { CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
 "traffic selector to propose for remote side", {}},
+ { CMD_OPT_IKE_PROPOSAL, "ike-proposal", required_argument, "proposal",
+ "a single IKE proposal to offer instead of the default", {}},
+ { CMD_OPT_ESP_PROPOSAL, "esp-proposal", required_argument, "proposal",
+ "a single ESP proposal to offer instead of the default", {}},
+ { CMD_OPT_AH_PROPOSAL, "ah-proposal", required_argument, "proposal",
+ "a single AH proposal to offer instead of the default", {}},
 { CMD_OPT_PROFILE, "profile", required_argument, "name",
 "authentication profile to use, where name is one of:", {
 " ikev2-pub, ikev2-eap, ikev2-pub-eap",
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
index 6b8b04cdf..c7441e795 100644
--- a/src/charon-cmd/cmd/cmd_options.h
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -45,6 +45,9 @@ enum cmd_option_type_t {
 CMD_OPT_AGENT,
 CMD_OPT_LOCAL_TS,
 CMD_OPT_REMOTE_TS,
+ CMD_OPT_IKE_PROPOSAL,
+ CMD_OPT_AH_PROPOSAL,
+ CMD_OPT_ESP_PROPOSAL,
 CMD_OPT_PROFILE,
 CMD_OPT_COUNT
|
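Review bot: The new table entries are ordered IKE, ESP, AH while the enum additions in cmd_options.h (`CMD_OPT_IKE_PROPOSAL, CMD_OPT_AH_PROPOSAL, CMD_OPT_ESP_PROPOSAL`) put AH before ESP. Each entry carries its own `CMD_OPT_*` id, so this is presumably harmless for lookup, but should anything index `cmd_options[]` by enum value the mismatch would pair the wrong help text with an option; reordering the enum to `CMD_OPT_IKE_PROPOSAL, CMD_OPT_ESP_PROPOSAL, CMD_OPT_AH_PROPOSAL` to match the table and the man page removes the doubt. The help text `a single IKE proposal to offer instead of the default` could also say that the option may be repeated, as the man page does. The table continues outside the hunk.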