Diffstat (limited to 'src/charon/config')
-rw-r--r--src/charon/config/backend_manager.c183
-rw-r--r--src/charon/config/backend_manager.h7
-rw-r--r--src/charon/config/child_cfg.c24
-rw-r--r--src/charon/config/child_cfg.h27
-rw-r--r--src/charon/config/peer_cfg.c52
-rw-r--r--src/charon/config/peer_cfg.h44
-rw-r--r--src/charon/config/proposal.c139
-rw-r--r--src/charon/config/traffic_selector.c25
8 files changed, 250 insertions, 251 deletions
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index d77c05fd7..c2b408ca9 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: backend_manager.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: backend_manager.c 4134 2008-07-01 11:10:37Z martin $
*/
#include "backend_manager.h"
@@ -49,6 +49,16 @@ struct private_backend_manager_t {
};
/**
+ * match of an ike_cfg
+ */
+typedef enum ike_cfg_match_t {
+ MATCH_NONE = 0x00,
+ MATCH_ANY = 0x01,
+ MATCH_ME = 0x04,
+ MATCH_OTHER = 0x08,
+} ike_cfg_match_t;
+
+/**
* data to pass nested IKE enumerator
*/
typedef struct {
@@ -108,6 +118,48 @@ static enumerator_t *peer_enum_create_all(backend_t *backend)
}
/**
+ * get a match of a candidate ike_cfg for two hosts
+ */
+static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other)
+{
+ host_t *me_cand, *other_cand;
+ ike_cfg_match_t match = MATCH_NONE;
+
+ me_cand = host_create_from_dns(cand->get_my_addr(cand),
+ me->get_family(me), 0);
+ if (!me_cand)
+ {
+ return MATCH_NONE;
+ }
+ if (me_cand->ip_equals(me_cand, me))
+ {
+ match += MATCH_ME;
+ }
+ else if (me_cand->is_anyaddr(me_cand))
+ {
+ match += MATCH_ANY;
+ }
+ me_cand->destroy(me_cand);
+
+ other_cand = host_create_from_dns(cand->get_other_addr(cand),
+ other->get_family(other), 0);
+ if (!other_cand)
+ {
+ return MATCH_NONE;
+ }
+ if (other_cand->ip_equals(other_cand, other))
+ {
+ match += MATCH_OTHER;
+ }
+ else if (other_cand->is_anyaddr(other_cand))
+ {
+ match += MATCH_ANY;
+ }
+ other_cand->destroy(other_cand);
+ return match;
+}
+
+/**
* implements backend_manager_t.get_ike_cfg.
*/
static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
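Review bot: get_match still returns a non-zero rank when only one side matches: when me equals the candidate's own address but the candidate's other address neither equals the peer nor satisfies is_anyaddr, match stays MATCH_ME (0x04), which outranks a config that is any-address on both sides (0x02) and passes the `if (match)` gate in both callers. This is carried over from the old get_ike_cfg loop, but get_peer_cfg now relies on it too, so a peer config whose ike_cfg names a specific, wrong remote address can be selected unless the half-match is intentional; if it is not, add an `else` branch on each side that destroys the candidate host and returns MATCH_NONE. The header comment should also say that the value is a rank rather than a bitmask (MATCH_ANY can be added twice, giving 0x02) and that a candidate address that does not resolve yields MATCH_NONE. Note that host_create_from_dns is called for every candidate and may block on the resolver when configured addresses are hostnames, and the new get_peer_cfg caller repeats this per peer config on the lookup path.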
@@ -115,14 +167,8 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
{
ike_cfg_t *current, *found = NULL;
enumerator_t *enumerator;
- host_t *my_candidate, *other_candidate;
+ ike_cfg_match_t match, best = MATCH_ANY;
ike_data_t *data;
- enum {
- MATCH_NONE = 0x00,
- MATCH_ANY = 0x01,
- MATCH_ME = 0x04,
- MATCH_OTHER = 0x08,
- } prio, best = MATCH_ANY;
data = malloc_thing(ike_data_t);
data->this = this;
@@ -137,51 +183,20 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
(void*)ike_enum_create, data, (void*)ike_enum_destroy);
while (enumerator->enumerate(enumerator, (void**)&current))
{
- prio = MATCH_NONE;
-
- my_candidate = host_create_from_dns(current->get_my_addr(current),
- me->get_family(me), 0);
- if (!my_candidate)
- {
- continue;
- }
- if (my_candidate->ip_equals(my_candidate, me))
- {
- prio += MATCH_ME;
- }
- else if (my_candidate->is_anyaddr(my_candidate))
- {
- prio += MATCH_ANY;
- }
- my_candidate->destroy(my_candidate);
-
- other_candidate = host_create_from_dns(current->get_other_addr(current),
- other->get_family(other), 0);
- if (!other_candidate)
- {
- continue;
- }
- if (other_candidate->ip_equals(other_candidate, other))
- {
- prio += MATCH_OTHER;
- }
- else if (other_candidate->is_anyaddr(other_candidate))
- {
- prio += MATCH_ANY;
- }
- other_candidate->destroy(other_candidate);
-
- DBG2(DBG_CFG, " candidate: %s...%s, prio %d",
- current->get_my_addr(current), current->get_other_addr(current),
- prio);
-
- /* we require at least two MATCH_ANY */
- if (prio > best)
+ match = get_match(current, me, other);
+
+ if (match)
{
- best = prio;
- DESTROY_IF(found);
- found = current;
- found->get_ref(found);
+ DBG2(DBG_CFG, " candidate: %s...%s, prio %d",
+ current->get_my_addr(current), current->get_other_addr(current),
+ match);
+ if (match > best)
+ {
+ DESTROY_IF(found);
+ found = current;
+ found->get_ref(found);
+ best = match;
+ }
}
}
enumerator->destroy(enumerator);
@@ -202,22 +217,23 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this)
/**
* implements backend_manager_t.get_peer_cfg.
*/
-static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
- identification_t *me, identification_t *other,
- auth_info_t *auth)
+static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
+ host_t *other, identification_t *my_id,
+ identification_t *other_id, auth_info_t *auth)
{
peer_cfg_t *current, *found = NULL;
enumerator_t *enumerator;
- identification_t *my_candidate, *other_candidate;
- id_match_t best = ID_MATCH_NONE;
+ id_match_t best_peer = ID_MATCH_NONE;
+ ike_cfg_match_t best_ike = MATCH_NONE;
peer_data_t *data;
- DBG2(DBG_CFG, "looking for a config for %D...%D", me, other);
+ DBG2(DBG_CFG, "looking for a config for %H[%D]...%H[%D]",
+ me, my_id, other, other_id);
data = malloc_thing(peer_data_t);
data->this = this;
- data->me = me;
- data->other = other;
+ data->me = my_id;
+ data->other = other_id;
this->mutex->lock(this->mutex);
enumerator = enumerator_create_nested(
@@ -225,42 +241,45 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
(void*)peer_enum_create, data, (void*)peer_enum_destroy);
while (enumerator->enumerate(enumerator, &current))
{
- id_match_t m1, m2, sum;
+ identification_t *my_cand, *other_cand;
+ id_match_t m1, m2, match_peer;
+ ike_cfg_match_t match_ike;
- my_candidate = current->get_my_id(current);
- other_candidate = current->get_other_id(current);
+ my_cand = current->get_my_id(current);
+ other_cand = current->get_other_id(current);
/* own ID may have wildcards in both, config and request (missing IDr) */
- m1 = my_candidate->matches(my_candidate, me);
+ m1 = my_cand->matches(my_cand, my_id);
if (!m1)
{
- m1 = me->matches(me, my_candidate);
+ m1 = my_id->matches(my_id, my_cand);
}
- m2 = other->matches(other, other_candidate);
- sum = m1 + m2;
+ m2 = other_id->matches(other_id, other_cand);
+
+ match_peer = m1 + m2;
+ match_ike = get_match(current->get_ike_cfg(current), me, other);
- if (m1 && m2)
+ if (m1 && m2 && match_ike &&
+ auth->complies(auth, current->get_auth(current)))
{
- if (auth->complies(auth, current->get_auth(current)))
+ DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d.%d",
+ current->get_name(current), my_cand, other_cand,
+ match_peer, match_ike);
+ if (match_peer >= best_peer && match_ike > best_ike)
{
- DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d",
- current->get_name(current), my_candidate,
- other_candidate, sum);
- if (sum > best)
- {
- DESTROY_IF(found);
- found = current;
- found->get_ref(found);
- best = sum;
- }
+ DESTROY_IF(found);
+ found = current;
+ found->get_ref(found);
+ best_peer = match_peer;
+ best_ike = match_ike;
}
}
}
if (found)
{
- DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d",
+ DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d.%d",
found->get_name(found), found->get_my_id(found),
- found->get_other_id(found), best);
+ found->get_other_id(found), best_peer, best_ike);
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
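Review bot: The selection test `if (match_peer >= best_peer && match_ike > best_ike)` can never replace the first accepted candidate with one that has a better ID match but an equal IKE match: once best_ike is set, a later config whose ike_cfg ranks the same (for example two any-to-any IKE configs) is skipped regardless of match_peer, and a config with a better IKE match but a lower ID match is skipped as well. The chosen config therefore depends on enumeration order rather than on the best match. A lexicographic comparison fixes this; which key is primary is a design choice, and the `prio %d.%d` log format suggests peer first: `if (match_peer > best_peer || (match_peer == best_peer && match_ike > best_ike))`. get_peer_cfg's body continues past the end of the hunk.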
@@ -325,7 +344,7 @@ backend_manager_t *backend_manager_create()
private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
- this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
+ this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator;
this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 6400bd7fd..17df26dad 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: backend_manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: backend_manager.h 4132 2008-07-01 09:05:20Z martin $
*/
/**
@@ -66,12 +66,15 @@ struct backend_manager_t {
/**
* Get a peer_config identified by two IDs and authorization info.
*
+ * @param me own address
+ * @param other peer address
* @param my_id own ID
* @param other_id peer ID
* @param auth_info authorization info
* @return matching peer_config, or NULL if none found
*/
- peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, identification_t *my_id,
+ peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me,
+ host_t *other, identification_t *my_id,
identification_t *other_id, auth_info_t *auth);
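Review bot: The summary line `Get a peer_config identified by two IDs and authorization info.` no longer describes the signature, which now also takes the two addresses; change it to `Get a peer_config for two addresses and two IDs, checked against authorization info.` The new `@param me` and `@param other` entries could say what the addresses are for, e.g. `@param me own address, matched against the config's ike_cfg` and likewise for the peer address, since that is how backend_manager.c uses them. The pre-existing `@param auth_info` tag does not match the parameter name `auth`.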
/**
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index f929927ef..24242345b 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -14,25 +14,17 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: child_cfg.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: child_cfg.c 4358 2008-09-25 13:56:23Z tobias $
*/
#include "child_cfg.h"
#include <daemon.h>
-ENUM(mode_names, MODE_TRANSPORT, MODE_BEET,
- "TRANSPORT",
- "TUNNEL",
- "2",
- "3",
- "BEET",
-);
-
ENUM(action_names, ACTION_NONE, ACTION_RESTART,
- "ACTION_NONE",
- "ACTION_ROUTE",
- "ACTION_RESTART",
+ "clear",
+ "hold",
+ "restart",
);
ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
@@ -94,7 +86,7 @@ struct private_child_cfg_t {
/**
* Mode to propose for a initiated CHILD: tunnel/transport
*/
- mode_t mode;
+ ipsec_mode_t mode;
/**
* action to take on DPD
@@ -379,7 +371,7 @@ static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
/**
* Implementation of child_cfg_t.get_mode
*/
-static mode_t get_mode(private_child_cfg_t *this)
+static ipsec_mode_t get_mode(private_child_cfg_t *this)
{
return this->mode;
}
@@ -462,7 +454,7 @@ static void destroy(private_child_cfg_t *this)
*/
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, mode_t mode,
+ char *updown, bool hostaccess, ipsec_mode_t mode,
action_t dpd_action, action_t close_action, bool ipcomp)
{
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@@ -475,7 +467,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
- this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode;
+ this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 6d262c217..83d6cafe6 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: child_cfg.h 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_cfg.h 4358 2008-09-25 13:56:23Z tobias $
*/
/**
@@ -25,7 +25,6 @@
#ifndef CHILD_CFG_H_
#define CHILD_CFG_H_
-typedef enum mode_t mode_t;
typedef enum action_t action_t;
typedef enum ipcomp_transform_t ipcomp_transform_t;
typedef struct child_cfg_t child_cfg_t;
@@ -33,25 +32,7 @@ typedef struct child_cfg_t child_cfg_t;
#include <library.h>
#include <config/proposal.h>
#include <config/traffic_selector.h>
-
-/**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
- */
-enum mode_t {
- /** transport mode, no inner address */
- MODE_TRANSPORT = 0,
- /** tunnel mode, inner and outer addresses */
- MODE_TUNNEL = 1,
- /** BEET mode, tunnel mode but fixed, bound inner addresses */
- MODE_BEET = 4,
-};
-
-/**
- * enum names for mode_t.
- */
-extern enum_name_t *mode_names;
+#include <kernel/kernel_ipsec.h>
/**
* Action to take when DPD detected/connection gets closed by peer.
@@ -208,7 +189,7 @@ struct child_cfg_t {
*
* @return ipsec mode
*/
- mode_t (*get_mode) (child_cfg_t *this);
+ ipsec_mode_t (*get_mode) (child_cfg_t *this);
/**
* Action to take on DPD.
@@ -279,7 +260,7 @@ struct child_cfg_t {
*/
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, mode_t mode,
+ char *updown, bool hostaccess, ipsec_mode_t mode,
action_t dpd_action, action_t close_action,
bool ipcomp);
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 0e56759c2..04f323128 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: peer_cfg.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: peer_cfg.c 4276 2008-08-22 10:44:51Z martin $
*/
#include <string.h>
@@ -37,12 +37,6 @@ ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP,
"UNIQUE_KEEP",
);
-ENUM(config_auth_method_names, CONF_AUTH_PUBKEY, CONF_AUTH_EAP,
- "CONF_AUTH_PUBKEY",
- "CONF_AUTH_PSK",
- "CONF_AUTH_EAP",
-);
-
typedef struct private_peer_cfg_t private_peer_cfg_t;
/**
@@ -106,21 +100,6 @@ struct private_peer_cfg_t {
unique_policy_t unique;
/**
- * Method to use for own authentication data
- */
- config_auth_method_t auth_method;
-
- /**
- * EAP type to use for peer authentication
- */
- eap_type_t eap_type;
-
- /**
- * EAP vendor ID if vendor specific type is used
- */
- u_int32_t eap_vendor;
-
- /**
* number of tries after giving up if peer does not respond
*/
u_int32_t keyingtries;
@@ -319,23 +298,6 @@ static unique_policy_t get_unique_policy(private_peer_cfg_t *this)
}
/**
- * Implementation of peer_cfg_t.get_auth_method.
- */
-static config_auth_method_t get_auth_method(private_peer_cfg_t *this)
-{
- return this->auth_method;
-}
-
-/**
- * Implementation of peer_cfg_t.get_eap_type.
- */
-static eap_type_t get_eap_type(private_peer_cfg_t *this, u_int32_t *vendor)
-{
- *vendor = this->eap_vendor;
- return this->eap_type;
-}
-
-/**
* Implementation of peer_cfg_t.get_keyingtries.
*/
static u_int32_t get_keyingtries(private_peer_cfg_t *this)
@@ -469,9 +431,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
this->other_id->equals(this->other_id, other->other_id) &&
this->cert_policy == other->cert_policy &&
this->unique == other->unique &&
- this->auth_method == other->auth_method &&
- this->eap_type == other->eap_type &&
- this->eap_vendor == other->eap_vendor &&
this->keyingtries == other->keyingtries &&
this->use_mobike == other->use_mobike &&
this->rekey_time == other->rekey_time &&
@@ -533,8 +492,6 @@ static void destroy(private_peer_cfg_t *this)
peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
identification_t *my_id, identification_t *other_id,
cert_policy_t cert_policy, unique_policy_t unique,
- config_auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t eap_vendor,
u_int32_t keyingtries, u_int32_t rekey_time,
u_int32_t reauth_time, u_int32_t jitter_time,
u_int32_t over_time, bool mobike, u_int32_t dpd,
@@ -556,8 +513,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
- this->public.get_auth_method = (config_auth_method_t (*) (peer_cfg_t *))get_auth_method;
- this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *,u_int32_t*))get_eap_type;
this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time;
this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time;
@@ -586,9 +541,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->other_id = other_id;
this->cert_policy = cert_policy;
this->unique = unique;
- this->auth_method = auth_method;
- this->eap_type = eap_type;
- this->eap_vendor = eap_vendor;
this->keyingtries = keyingtries;
this->rekey_time = rekey_time;
this->reauth_time = reauth_time;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 5662b48df..473cdfd04 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: peer_cfg.h 4054 2008-06-10 20:31:53Z andreas $
+ * $Id: peer_cfg.h 4276 2008-08-22 10:44:51Z martin $
*/
/**
@@ -27,7 +27,6 @@
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
-typedef enum config_auth_method_t config_auth_method_t;
typedef struct peer_cfg_t peer_cfg_t;
#include <library.h>
@@ -82,23 +81,6 @@ enum unique_policy_t {
extern enum_name_t *unique_policy_names;
/**
- * Authentication method for this IKE_SA.
- */
-enum config_auth_method_t {
- /** authentication using public keys (RSA, ECDSA) */
- CONF_AUTH_PUBKEY = 1,
- /** authentication using a pre-shared secret */
- CONF_AUTH_PSK = 2,
- /** authentication using EAP */
- CONF_AUTH_EAP = 3,
-};
-
-/**
- * enum strings for config_auth_method_t
- */
-extern enum_name_t *config_auth_method_names;
-
-/**
* Configuration of a peer, specified by IDs.
*
* The peer config defines a connection between two given IDs. It contains
@@ -220,25 +202,6 @@ struct peer_cfg_t {
* @return unique policy
*/
unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
-
- /**
- * Get the authentication method to use to authenticate us.
- *
- * @return authentication method
- */
- config_auth_method_t (*get_auth_method) (peer_cfg_t *this);
-
- /**
- * Get the EAP type to use for peer authentication.
- *
- * If vendor specific types are used, a vendor ID != 0 is returned to
- * to vendor argument. Then the returned type is specific for that
- * vendor ID.
- *
- * @param vendor receives vendor specifier, 0 for predefined EAP types
- * @return authentication method
- */
- eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);
/**
* Get the max number of retries after timeout.
@@ -372,9 +335,6 @@ struct peer_cfg_t {
* @param other_id identification_t for the remote guy
* @param cert_policy should we send a certificate payload?
* @param unique uniqueness of an IKE_SA
- * @param auth_method auth method to use to authenticate us
- * @param eap_type EAP type to use for peer authentication
- * @param eap_vendor EAP vendor identifier, if vendor specific type is used
* @param keyingtries how many keying tries should be done before giving up
* @param rekey_time timeout before starting rekeying
* @param reauth_time timeout before starting reauthentication
@@ -393,8 +353,6 @@ struct peer_cfg_t {
peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
identification_t *my_id, identification_t *other_id,
cert_policy_t cert_policy, unique_policy_t unique,
- config_auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t eap_vendor,
u_int32_t keyingtries, u_int32_t rekey_time,
u_int32_t reauth_time, u_int32_t jitter_time,
u_int32_t over_time, bool mobike, u_int32_t dpd,
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 803cf8ae4..b1c049fe8 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: proposal.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: proposal.c 4390 2008-10-08 12:57:11Z martin $
*/
#include <string.h>
@@ -755,10 +755,18 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
{
add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
}
+ else if (strncmp(alg.ptr, "modp3072", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0);
+ }
else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
{
add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
}
+ else if (strncmp(alg.ptr, "modp6144", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0);
+ }
else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
{
add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
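Review bot: The new modp3072 and modp6144 branches inherit the `strncmp(alg.ptr, "modp3072", alg.len) == 0` idiom, which bounds the comparison by the token length and therefore accepts any token that is a strict prefix of the name; a token such as `modp` or `modp3` matches the first modp branch in the chain instead of being rejected. Since every branch in add_string_algo uses this pattern, the fix belongs in a shared comparison, but for the new lines it is `alg.len == strlen("modp3072") && strncmp(alg.ptr, "modp3072", alg.len) == 0` (and the same for modp6144). add_string_algo starts and ends outside the hunk.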
@@ -938,6 +946,112 @@ proposal_t *proposal_create(protocol_id_t protocol)
return &this->public;
}
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static void proposal_add_supported_ike(private_proposal_t *this)
+{
+ enumerator_t *enumerator;
+ encryption_algorithm_t encryption;
+ integrity_algorithm_t integrity;
+ pseudo_random_function_t prf;
+ diffie_hellman_group_t group;
+
+ enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &encryption))
+ {
+ switch (encryption)
+ {
+ case ENCR_AES_CBC:
+ /* we assume that we support all AES sizes */
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ break;
+ case ENCR_3DES:
+ case ENCR_AES_CTR:
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV16:
+ case ENCR_AES_GCM_ICV8:
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV16:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+ break;
+ case ENCR_DES:
+ /* no, thanks */
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &integrity))
+ {
+ switch (integrity)
+ {
+ case AUTH_HMAC_SHA1_96:
+ case AUTH_HMAC_SHA2_256_128:
+ case AUTH_HMAC_SHA2_384_192:
+ case AUTH_HMAC_SHA2_512_256:
+ case AUTH_HMAC_MD5_96:
+ case AUTH_AES_XCBC_96:
+ add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &prf))
+ {
+ switch (prf)
+ {
+ case PRF_HMAC_SHA1:
+ case PRF_HMAC_SHA2_256:
+ case PRF_HMAC_SHA2_384:
+ case PRF_HMAC_SHA2_512:
+ case PRF_HMAC_MD5:
+ case PRF_AES128_XCBC:
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &group))
+ {
+ switch (group)
+ {
+ case MODP_768_BIT:
+ /* weak */
+ break;
+ case MODP_1024_BIT:
+ case MODP_1536_BIT:
+ case MODP_2048_BIT:
+ case MODP_4096_BIT:
+ case MODP_8192_BIT:
+ case ECP_256_BIT:
+ case ECP_384_BIT:
+ case ECP_521_BIT:
+ case ECP_192_BIT:
+ case ECP_224_BIT:
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
/*
* Describtion in header-file
*/
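Review bot: The Diffie-Hellman switch in proposal_add_supported_ike omits MODP_3072_BIT and MODP_6144_BIT although this same commit teaches add_string_algo to parse `modp3072` and `modp6144`; if the crypto factory enumerates these groups they are silently dropped from the default IKE proposal, so add `case MODP_3072_BIT:` and `case MODP_6144_BIT:` next to MODP_4096_BIT. The default proposal's algorithm order now follows whatever order the four enumerators yield instead of the explicit preference the removed list expressed (AES before 3DES, MODP_2048 before MODP_1024), so the first-choice algorithm presumably depends on plugin registration order — confirm that this is acceptable, or order the collected algorithms before adding them. The header comment should also state that the default deliberately excludes DES and MODP_768 as weak but still advertises MODP_1024 and the MD5-based integrity and PRF algorithms, so deployments that need a stricter set must configure proposals explicitly.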
@@ -948,27 +1062,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
switch (protocol)
{
case PROTO_IKE:
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0);
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0);
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
+ proposal_add_supported_ike(this);
break;
case PROTO_ESP:
add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
@@ -990,7 +1084,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
default:
break;
}
-
return &this->public;
}
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index f41c39d30..63172f855 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: traffic_selector.c 3658 2008-03-26 10:06:45Z martin $
+ * $Id: traffic_selector.c 4199 2008-07-21 19:08:03Z andreas $
*/
#include <arpa/inet.h>
@@ -195,21 +195,22 @@ static int print(FILE *stream, const struct printf_info *info,
memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) &&
memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
{
- return fprintf(stream, "dynamic/%d",
- this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
- }
-
- if (this->type == TS_IPV4_ADDR_RANGE)
- {
- inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+ written += fprintf(stream, "dynamic/%d",
+ this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
}
else
{
- inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+ if (this->type == TS_IPV4_ADDR_RANGE)
+ {
+ inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+ }
+ else
+ {
+ inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+ }
+ mask = calc_netbits(this);
+ written += fprintf(stream, "%s/%d", addr_str, mask);
}
- mask = calc_netbits(this);
-
- written += fprintf(stream, "%s/%d", addr_str, mask);
/* check if we have protocol and/or port selectors */
has_proto = this->protocol != 0;
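Review bot: `mask` is now assigned only in the else branch (`mask = calc_netbits(this);`), whereas before the dynamic case returned early and mask was computed on every path that continued; if mask is read later in print, the dynamic path now reaches that read with mask uninitialized — the rest of the function is outside the hunk, so please confirm. If mask is not used afterwards, the remaining difference is the intended one: a dynamic selector now continues into the protocol and port output instead of returning after `dynamic/%d`. print starts and ends outside the hunk.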