Diffstat (limited to 'src/charon/config')
-rw-r--r--src/charon/config/backends/sqlite_backend.c19
-rw-r--r--src/charon/config/credentials/local_credential_store.c4
-rw-r--r--src/charon/config/peer_cfg.c104
-rw-r--r--src/charon/config/peer_cfg.h53
4 files changed, 112 insertions, 68 deletions
diff --git a/src/charon/config/backends/sqlite_backend.c b/src/charon/config/backends/sqlite_backend.c
index 33093a735..e1c96c870 100644
--- a/src/charon/config/backends/sqlite_backend.c
+++ b/src/charon/config/backends/sqlite_backend.c
@@ -186,15 +186,15 @@ static peer_cfg_t *process_peer_cfg_row(private_sqlite_backend_t *this,
2, ike_cfg, local_id, remote_id, NULL, NULL, linked_list_create(),
sqlite3_column_int(stmt, 4), /* cert_policy */
sqlite3_column_int(stmt, 5), /* auth_method */
- sqlite3_column_int(stmt, 6), /* eap_type */
+ sqlite3_column_int(stmt, 6), 0 /* eap_type, vendor */
sqlite3_column_int(stmt, 7), /* keyingtries */
- sqlite3_column_int(stmt, 8), /* lifetime */
- sqlite3_column_int(stmt, 9), /* rekeytime */
- sqlite3_column_int(stmt, 10), /* jitter */
- sqlite3_column_int(stmt, 13), /* reauth */
+ sqlite3_column_int(stmt, 8), /* rekey_time */
+ sqlite3_column_int(stmt, 9), /* reauth_time */
+ sqlite3_column_int(stmt, 10), /* jitter_time */
+ sqlite3_column_int(stmt, 11), /* over_time */
sqlite3_column_int(stmt, 14), /* mobike */
- sqlite3_column_int(stmt, 11), /* dpd_delay */
- sqlite3_column_int(stmt, 12), /* dpd_action */
+ sqlite3_column_int(stmt, 12), /* dpd_delay */
+ sqlite3_column_int(stmt, 13), /* dpd_action */
local_vip, remote_vip, FALSE, NULL, NULL);
add_children(this, peer_cfg, sqlite3_column_int(stmt, 0));
return peer_cfg;
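Review bot: The new argument line `sqlite3_column_int(stmt, 6), 0 /* eap_type, vendor */` is missing the comma after the `0`, so the following argument `sqlite3_column_int(stmt, 7)` is juxtaposed with it and the call will not compile; it should read `sqlite3_column_int(stmt, 6), 0, /* eap_type, vendor */`. The peer_cfg_create call this belongs to begins before the hunk, so the earlier arguments are not visible here. The renumbered indices 8–14 do line up with the reordered SELECT list in the second hunk of this file.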
@@ -225,8 +225,9 @@ static peer_cfg_t *get_peer_cfg(private_sqlite_backend_t *this,
if (sqlite3_prepare_v2(this->db,
"SELECT peer_configs.oid, name, local_id, remote_id, cert_policy, "
- "auth_method, eap_type, keyingtries, lifetime, rekeytime, jitter, "
- "dpd_delay, dpd_action, reauth, mobike, local_vip, remote_vip, "
+ "auth_method, eap_type, keyingtries, "
+ "rekey_time, reauth_time, jitter_time, over_time, "
+ "dpd_delay, dpd_action, mobike, local_vip, remote_vip, "
"local, remote, certreq "
"FROM peer_configs, ike_configs "
"ON peer_configs.ike_cfg = ike_configs.oid "
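Review bot: The column indices passed to sqlite3_column_int() in process_peer_cfg_row are bound purely by position to this SELECT list, and the reorder here (rekey_time now at 8, dpd_delay at 12, mobike at 14) is only correct while both places are edited in lockstep. A comment on the query such as `/* column order must match the sqlite3_column_int() indices in process_peer_cfg_row */` would make that coupling visible to the next person touching either side. The sqlite3_prepare_v2 call continues past the end of the hunk.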
diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index b71e9e9e2..b838f032d 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -18,6 +18,8 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * RCSID $Id: local_credential_store.c 3346 2007-11-16 20:23:29Z andreas $
*/
#include <sys/stat.h>
@@ -1394,7 +1396,7 @@ static void load_secrets(private_local_credential_store_t *this, bool reload)
{
continue;
}
- if (!extract_token(&ids, ':', &line))
+ if (!extract_last_token(&ids, ':', &line))
{
DBG1(DBG_CFG, "line %d: missing ':' separator", line_nr);
goto error;
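Review bot: Switching from extract_token to extract_last_token moves the split from the first ':' to the last one, which changes which side of the line absorbs any additional ':' characters: a ':' appearing after the separator (for instance inside a quoted value, if the secrets format permits that) would now shift the split point rightwards. I cannot see extract_last_token's definition in this hunk, so this is inferred from the name; a short comment stating the intent, e.g. `/* ids may themselves contain ':' (IPv6 addresses), so split at the last separator */`, would document why the last separator is the right one. load_secrets begins and ends outside the hunk.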
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index d61ed9512..0b5d391c4 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -127,14 +127,14 @@ struct private_peer_cfg_t {
eap_type_t eap_type;
/**
- * number of tries after giving up if peer does not respond
+ * EAP vendor ID if vendor specific type is used
*/
- u_int32_t keyingtries;
+ u_int32_t eap_vendor;
/**
- * user reauthentication instead of rekeying
+ * number of tries after giving up if peer does not respond
*/
- bool use_reauth;
+ u_int32_t keyingtries;
/**
* enable support for MOBIKE
@@ -142,20 +142,24 @@ struct private_peer_cfg_t {
bool use_mobike;
/**
- * Time before an SA gets invalid
+ * Time before starting rekeying
+ */
+ u_int32_t rekey_time;
+
+ /**
+ * Time before starting reauthentication
*/
- u_int32_t lifetime;
+ u_int32_t reauth_time;
/**
- * Time before an SA gets rekeyed
+ * Time, which specifies the range of a random value substracted from above.
*/
- u_int32_t rekeytime;
+ u_int32_t jitter_time;
/**
- * Time, which specifies the range of a random value
- * substracted from lifetime.
+ * Delay before deleting a rekeying/reauthenticating SA
*/
- u_int32_t jitter;
+ u_int32_t over_time;
/**
* What to do with an SA when other peer seams to be dead?
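Review bot: The new doc comment on `jitter_time` ("range of a random value substracted from above") does not say which values it applies to, and it omits the clamp that peer_cfg_create applies later in this diff, which is the property readers of the struct need. I would write `* Range of a random value subtracted from rekey_time and reauth_time; peer_cfg_create clamps it so it never exceeds either non-zero base time.` and fix the spelling of "subtracted". The struct definition starts and ends outside this hunk.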
@@ -339,8 +343,9 @@ static auth_method_t get_auth_method(private_peer_cfg_t *this)
/**
* Implementation of connection_t.get_eap_type.
*/
-static eap_type_t get_eap_type(private_peer_cfg_t *this)
+static eap_type_t get_eap_type(private_peer_cfg_t *this, u_int32_t *vendor)
{
+ *vendor = this->eap_vendor;
return this->eap_type;
}
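Review bot: `*vendor = this->eap_vendor;` dereferences the new out-parameter unconditionally, so a caller that only wants the type and passes NULL for `vendor` will crash. Either make the write conditional, `if (vendor) { *vendor = this->eap_vendor; }`, or state in the header's @param text that `vendor` must not be NULL; the header hunk in peer_cfg.h currently says only that it "receives" the value. The doc comment above still names `connection_t.get_eap_type`, which looks like a stale reference to the old interface name and could be updated to `peer_cfg_t.get_eap_type`.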
@@ -353,29 +358,45 @@ static u_int32_t get_keyingtries(private_peer_cfg_t *this)
}
/**
- * Implementation of peer_cfg_t.get_soft_lifetime
+ * Implementation of peer_cfg_t.get_rekey_time.
*/
-static u_int32_t get_lifetime(private_peer_cfg_t *this, bool rekey)
+static u_int32_t get_rekey_time(private_peer_cfg_t *this)
{
- if (rekey)
+ if (this->rekey_time == 0)
{
- if (this->jitter == 0)
- {
- return this->rekeytime;
- }
- return this->rekeytime - (random() % this->jitter);
+ return 0;
+ }
+ if (this->jitter_time == 0)
+ {
+ return this->rekey_time;
}
- return this->lifetime;
+ return this->rekey_time - (random() % this->jitter_time);
}
-
+
+/**
+ * Implementation of peer_cfg_t.get_reauth_time.
+ */
+static u_int32_t get_reauth_time(private_peer_cfg_t *this)
+{
+ if (this->reauth_time == 0)
+ {
+ return 0;
+ }
+ if (this->jitter_time == 0)
+ {
+ return this->reauth_time;
+ }
+ return this->reauth_time - (random() % this->jitter_time);
+}
+
/**
- * Implementation of peer_cfg_t.use_reauth.
+ * Implementation of peer_cfg_t.get_over_time.
*/
-static bool use_reauth(private_peer_cfg_t *this)
+static u_int32_t get_over_time(private_peer_cfg_t *this)
{
- return this->use_reauth;
+ return this->over_time;
}
-
+
/**
* Implementation of peer_cfg_t.use_mobike.
*/
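Review bot: get_rekey_time and get_reauth_time are the same three-branch jitter computation on different fields, and the non-zero guarantee of their results (a randomized value of 0 would read as "disabled") depends silently on the clamp of jitter_time in peer_cfg_create, which nothing here mentions. I would factor the computation into one static helper with a comment naming that dependency, and have both getters call it; behaviour is identical, including returning 0 for a 0 base time and the unjittered base when jitter_time is 0. The rest of this hunk (get_over_time) is fine as is.
```c
/**
 * Subtract a random jitter from a base time; 0 (disabled) stays 0.
 */
static u_int32_t apply_jitter(private_peer_cfg_t *this, u_int32_t base)
{
	if (base == 0 || this->jitter_time == 0)
	{
		return base;
	}
	/* peer_cfg_create clamps jitter_time to the base times, so this stays > 0 */
	return base - (random() % this->jitter_time);
}

/**
 * Implementation of peer_cfg_t.get_rekey_time.
 */
static u_int32_t get_rekey_time(private_peer_cfg_t *this)
{
	return apply_jitter(this, this->rekey_time);
}

/**
 * Implementation of peer_cfg_t.get_reauth_time.
 */
static u_int32_t get_reauth_time(private_peer_cfg_t *this)
{
	return apply_jitter(this, this->reauth_time);
}

/* … unchanged: get_over_time … */
```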
@@ -503,9 +524,10 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
identification_t *my_ca, identification_t *other_ca,
linked_list_t *groups, cert_policy_t cert_policy,
auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t keyingtries, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- bool reauth, bool mobike,
+ u_int32_t eap_vendor,
+ u_int32_t keyingtries, u_int32_t rekey_time,
+ u_int32_t reauth_time, u_int32_t jitter_time,
+ u_int32_t over_time, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip,
bool p2p_mediation, peer_cfg_t *p2p_mediated_by,
@@ -527,10 +549,11 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->public.get_groups = (linked_list_t* (*)(peer_cfg_t *))get_groups;
this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
this->public.get_auth_method = (auth_method_t (*) (peer_cfg_t *))get_auth_method;
- this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *))get_eap_type;
+ this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *,u_int32_t*))get_eap_type;
this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
- this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime;
- this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth;
+ this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time;
+ this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time;
+ this->public.get_over_time = (u_int32_t(*)(peer_cfg_t*))get_over_time;
this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
@@ -558,11 +581,20 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->cert_policy = cert_policy;
this->auth_method = auth_method;
this->eap_type = eap_type;
+ this->eap_vendor = eap_vendor;
this->keyingtries = keyingtries;
- this->lifetime = lifetime;
- this->rekeytime = rekeytime;
- this->jitter = jitter;
- this->use_reauth = reauth;
+ this->rekey_time = rekey_time;
+ this->reauth_time = reauth_time;
+ if (rekey_time && jitter_time > rekey_time)
+ {
+ jitter_time = rekey_time;
+ }
+ if (reauth_time && jitter_time > reauth_time)
+ {
+ jitter_time = reauth_time;
+ }
+ this->jitter_time = jitter_time;
+ this->over_time = over_time;
this->use_mobike = mobike;
this->dpd_delay = dpd_delay;
this->dpd_action = dpd_action;
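Review bot: The two clamps on `jitter_time` silently override a configured value without saying why, and the reason is important: the getters compute `base - (random() % jitter_time)`, so a jitter larger than the base could wrap below zero or land on 0, which the getters document as "disabled". A comment above the first `if`, such as `/* keep jitter below both base times so the randomized result never reaches 0 (= disabled) or wraps */`, records that. Since this changes what the administrator configured, a DBG-level log line when the clamp fires would also help, assuming the logging macros are available in this file (they are not visible in the hunk). peer_cfg_create continues beyond the hunk.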
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 3d238e6aa..7f1dbcab6 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -229,11 +229,16 @@ struct peer_cfg_t {
/**
* @brief Get the EAP type to use for peer authentication.
+ *
+ * If vendor specific types are used, a vendor ID != 0 is returned to
+ * to vendor argument. Then the returned type is specific for that
+ * vendor ID.
*
* @param this calling object
+ * @param vendor receives vendor specifier, 0 for predefined EAP types
* @return authentication method
*/
- eap_type_t (*get_eap_type) (peer_cfg_t *this);
+ eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);
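Review bot: The new paragraph reads "a vendor ID != 0 is returned to to vendor argument", with a doubled "to"; I would write `* If vendor specific types are used, a vendor ID != 0 is returned via the vendor argument. The returned type is then specific to that vendor ID.` The @param line for `vendor` should also say whether NULL is accepted, since the implementation in peer_cfg.c writes through the pointer unconditionally: `* @param vendor receives the vendor ID (0 for predefined EAP types); must not be NULL`. The struct continues on both sides of the hunk.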
/**
* @brief Get the max number of retries after timeout.
@@ -244,27 +249,28 @@ struct peer_cfg_t {
u_int32_t (*get_keyingtries) (peer_cfg_t *this);
/**
- * @brief Get the lifetime of a IKE_SA.
+ * @brief Get a time to start rekeying (is randomized with jitter).
*
- * If "rekey" is set to TRUE, a lifetime is returned before the first
- * rekeying should be started. If it is FALSE, the actual lifetime is
- * returned when the IKE_SA must be deleted.
- * The rekey time automatically contains a jitter to avoid simlutaneous
- * rekeying.
- *
- * @param this child_config
- * @param rekey TRUE to get rekey time
- * @return lifetime in seconds
+ * @param this calling object
+ * @return time in s when to start rekeying, 0 disables rekeying
*/
- u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey);
+ u_int32_t (*get_rekey_time)(peer_cfg_t *this);
/**
- * @brief Should a full reauthentication be done instead of rekeying?
- *
+ * @brief Get a time to start reauthentication (is randomized with jitter).
+ *
* @param this calling object
- * @return TRUE to use full reauthentication
+ * @return time in s when to start reauthentication, 0 disables it
+ */
+ u_int32_t (*get_reauth_time)(peer_cfg_t *this);
+
+ /**
+ * @brief Get the timeout of a rekeying/reauthenticating SA.
+ *
+ * @param thsi calling object
+ * @return timeout in s
*/
- bool (*use_reauth) (peer_cfg_t *this);
+ u_int32_t (*get_over_time)(peer_cfg_t *this);
/**
* @brief Use MOBIKE (RFC4555) if peer supports it?
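Review bot: The doc block for `get_over_time` has a typo in its parameter name, `@param thsi calling object`, which Doxygen will flag as an undocumented parameter; it should be `* @param this calling object`. The same block could state what the timeout is measured from, e.g. `* @brief Get the timeout after which a rekeying/reauthenticating SA is closed.`, since "overtime" is not self-explanatory to a reader of the header alone. The struct definition extends beyond the hunk.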
@@ -392,10 +398,12 @@ struct peer_cfg_t {
* @param cert_policy should we send a certificate payload?
* @param auth_method auth method to use to authenticate us
* @param eap_type EAP type to use for peer authentication
+ * @param eap_vendor EAP vendor identifier, if vendor specific type is used
* @param keyingtries how many keying tries should be done before giving up
- * @param lifetime lifetime before deleting an SA
- * @param rekeytime lifetime before rekeying an SA
- * @param jitter range of random to substract from rekeytime
+ * @param rekey_time timeout before starting rekeying
+ * @param reauth_time timeout before starting reauthentication
+ * @param jitter_time timerange to randomly substract from rekey/reauth time
+ * @param over_time maximum overtime before closing a rekeying/reauth SA
* @param reauth sould be done reauthentication instead of rekeying?
* @param mobike use MOBIKE (RFC4555) if peer supports it
* @param dpd_delay after how many seconds of inactivity to check DPD
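Review bot: The `@param reauth sould be done reauthentication instead of rekeying?` line is now stale: the `bool reauth` parameter was removed from peer_cfg_create in this commit (see the signature hunks in peer_cfg.c and below), so the line documents a parameter that no longer exists and should be deleted. The new `@param jitter_time` and `@param over_time` lines also carry "substract" and "overtime"; `* @param jitter_time range to randomly subtract from rekey/reauth time` reads better. The doc block starts before the hunk.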
@@ -414,9 +422,10 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
identification_t *my_ca, identification_t *other_ca,
linked_list_t *groups, cert_policy_t cert_policy,
auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t keyingtries, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- bool reauth, bool mobike,
+ u_int32_t eap_vendor,
+ u_int32_t keyingtries, u_int32_t rekey_time,
+ u_int32_t reauth_time, u_int32_t jitter_time,
+ u_int32_t over_time, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip,
bool p2p_mediation, peer_cfg_t *p2p_mediated_by,