7 files changed, 119 insertions, 165 deletions

diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index 79f1d9fee..4f154df9b 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -265,20 +265,24 @@ static void peer_enum_destroy(peer_data_t *data)
 	free(data);
 }
 
-/**
- * convert enumerator value from match_entry to config
- */
-static bool peer_enum_filter(linked_list_t *configs,
-							 match_entry_t **in, peer_cfg_t **out)
+CALLBACK(peer_enum_filter, bool,
+	linked_list_t *configs, enumerator_t *orig, va_list args)
 {
-	*out = (*in)->cfg;
-	return TRUE;
+	match_entry_t *entry;
+	peer_cfg_t **out;
+
+	VA_ARGS_VGET(args, out);
+
+	if (orig->enumerate(orig, &entry))
+	{
+		*out = entry->cfg;
+		return TRUE;
+	}
+	return FALSE;
 }
 
-/**
- * Clean up temporary config list
- */
-static void peer_enum_filter_destroy(linked_list_t *configs)
+CALLBACK(peer_enum_filter_destroy, void,
+	linked_list_t *configs)
 {
 	match_entry_t *entry;
 
@@ -379,8 +383,8 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
 	helper->destroy(helper);
 
 	return enumerator_create_filter(configs->create_enumerator(configs),
-									(void*)peer_enum_filter, configs,
-									(void*)peer_enum_filter_destroy);
+									peer_enum_filter, configs,
+									peer_enum_filter_destroy);
 }
 
 METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*,
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 3c6dd5198..ec2a12431 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -1,6 +1,6 @@
 /*
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2016 Andreas Steffen
- * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -54,6 +54,11 @@ struct private_child_cfg_t {
 	char *name;
 
 	/**
+	 * Options
+	 */
+	child_cfg_option_t options;
+
+	/**
 	 * list for all proposals
 	 */
 	linked_list_t *proposals;
@@ -74,11 +79,6 @@ struct private_child_cfg_t {
 	char *updown;
 
 	/**
-	 * allow host access
-	 */
-	bool hostaccess;
-
-	/**
 	 * Mode to propose for a initiated CHILD: tunnel/transport
 	 */
 	ipsec_mode_t mode;
@@ -104,11 +104,6 @@ struct private_child_cfg_t {
 	lifetime_cfg_t lifetime;
 
 	/**
-	 * enable IPComp
-	 */
-	bool use_ipcomp;
-
-	/**
 	 * Inactivity timeout
 	 */
 	uint32_t inactivity;
@@ -144,21 +139,6 @@ struct private_child_cfg_t {
 	char *interface;
 
 	/**
-	 * set up IPsec transport SA in MIPv6 proxy mode
-	 */
-	bool proxy_mode;
-
-	/**
-	 * enable installation and removal of kernel IPsec policies
-	 */
-	bool install_policy;
-
-	/**
-	 * Install outbound FWD policies
-	 */
-	bool fwd_out_policy;
-
-	/**
 	 * anti-replay window size
 	 */
 	uint32_t replay_window;
@@ -170,6 +150,12 @@ METHOD(child_cfg_t, get_name, char*,
 	return this->name;
 }
 
+METHOD(child_cfg_t, has_option, bool,
+	private_child_cfg_t *this, child_cfg_option_t option)
+{
+	return this->options & option;
+}
+
 METHOD(child_cfg_t, add_proposal, void,
 	private_child_cfg_t *this, proposal_t *proposal)
 {
@@ -179,8 +165,12 @@ METHOD(child_cfg_t, add_proposal, void,
 	}
 }
 
-static bool match_proposal(proposal_t *item, proposal_t *proposal)
+CALLBACK(match_proposal, bool,
+	proposal_t *item, va_list args)
 {
+	proposal_t *proposal;
+
+	VA_ARGS_VGET(args, proposal);
 	return item->equals(item, proposal);
 }
 
@@ -199,8 +189,7 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
 		{
 			current->strip_dh(current, MODP_NONE);
 		}
-		if (proposals->find_first(proposals, (linked_list_match_t)match_proposal,
-								  NULL, current) == SUCCESS)
+		if (proposals->find_first(proposals, match_proposal, NULL, current))
 		{
 			current->destroy(current);
 			continue;
@@ -311,8 +300,9 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 	{
 		if (hosts && hosts->get_count(hosts))
 		{	/* set hosts if TS is dynamic or as initiator in transport mode */
-			bool dynamic = ts1->is_dynamic(ts1);
-			if (dynamic || (this->mode == MODE_TRANSPORT && !this->proxy_mode &&
+			bool dynamic = ts1->is_dynamic(ts1),
+				 proxy_mode = has_option(this, OPT_PROXY_MODE);
+			if (dynamic || (this->mode == MODE_TRANSPORT && !proxy_mode &&
 							!supplied))
 			{
 				e2 = hosts->create_enumerator(hosts);
@@ -428,12 +418,6 @@ METHOD(child_cfg_t, get_updown, char*,
 	return this->updown;
 }
 
-METHOD(child_cfg_t, get_hostaccess, bool,
-	private_child_cfg_t *this)
-{
-	return this->hostaccess;
-}
-
 /**
  * Applies jitter to the rekey value. Returns the new rekey value.
  * Note: The distribution of random values is not perfect, but it
@@ -508,12 +492,6 @@ METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t,
 	return dh_group;
 }
 
-METHOD(child_cfg_t, use_ipcomp, bool,
-	private_child_cfg_t *this)
-{
-	return this->use_ipcomp;
-}
-
 METHOD(child_cfg_t, get_inactivity, uint32_t,
 	private_child_cfg_t *this)
 {
@@ -562,24 +540,6 @@ METHOD(child_cfg_t, set_replay_window, void,
 	this->replay_window = replay_window;
 }
 
-METHOD(child_cfg_t, use_proxy_mode, bool,
-	private_child_cfg_t *this)
-{
-	return this->proxy_mode;
-}
-
-METHOD(child_cfg_t, install_policy, bool,
-	private_child_cfg_t *this)
-{
-	return this->install_policy;
-}
-
-METHOD(child_cfg_t, install_fwd_out_policy, bool,
-	private_child_cfg_t *this)
-{
-	return this->fwd_out_policy;
-}
-
 #define LT_PART_EQUALS(a, b) ({ a.life == b.life && a.rekey == b.rekey && a.jitter == b.jitter; })
 #define LIFETIME_EQUALS(a, b) ({ LT_PART_EQUALS(a.time, b.time) && LT_PART_EQUALS(a.bytes, b.bytes) && LT_PART_EQUALS(a.packets, b.packets); })
 
@@ -611,13 +571,12 @@ METHOD(child_cfg_t, equals, bool,
 	{
 		return FALSE;
 	}
-	return this->hostaccess == other->hostaccess &&
+	return this->options == other->options &&
 		this->mode == other->mode &&
 		this->start_action == other->start_action &&
 		this->dpd_action == other->dpd_action &&
 		this->close_action == other->close_action &&
 		LIFETIME_EQUALS(this->lifetime, other->lifetime) &&
-		this->use_ipcomp == other->use_ipcomp &&
 		this->inactivity == other->inactivity &&
 		this->reqid == other->reqid &&
 		this->mark_in.value == other->mark_in.value &&
@@ -627,9 +586,6 @@ METHOD(child_cfg_t, equals, bool,
 		this->tfc == other->tfc &&
 		this->manual_prio == other->manual_prio &&
 		this->replay_window == other->replay_window &&
-		this->proxy_mode == other->proxy_mode &&
-		this->install_policy == other->install_policy &&
-		this->fwd_out_policy == other->fwd_out_policy &&
 		streq(this->updown, other->updown) &&
 		streq(this->interface, other->interface);
 }
@@ -672,14 +628,12 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 			.get_proposals = _get_proposals,
 			.select_proposal = _select_proposal,
 			.get_updown = _get_updown,
-			.get_hostaccess = _get_hostaccess,
 			.get_mode = _get_mode,
 			.get_start_action = _get_start_action,
 			.get_dpd_action = _get_dpd_action,
 			.get_close_action = _get_close_action,
 			.get_lifetime = _get_lifetime,
 			.get_dh_group = _get_dh_group,
-			.use_ipcomp = _use_ipcomp,
 			.get_inactivity = _get_inactivity,
 			.get_reqid = _get_reqid,
 			.get_mark = _get_mark,
@@ -688,19 +642,16 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 			.get_interface = _get_interface,
 			.get_replay_window = _get_replay_window,
 			.set_replay_window = _set_replay_window,
-			.use_proxy_mode = _use_proxy_mode,
-			.install_policy = _install_policy,
-			.install_fwd_out_policy = _install_fwd_out_policy,
+			.has_option = _has_option,
 			.equals = _equals,
 			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
 		.name = strdup(name),
+		.options = data->options,
 		.updown = strdupnull(data->updown),
-		.hostaccess = data->hostaccess,
 		.reqid = data->reqid,
 		.mode = data->mode,
-		.proxy_mode = data->proxy_mode,
 		.start_action = data->start_action,
 		.dpd_action = data->dpd_action,
 		.close_action = data->close_action,
@@ -708,12 +659,9 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 		.mark_out = data->mark_out,
 		.lifetime = data->lifetime,
 		.inactivity = data->inactivity,
-		.use_ipcomp = data->ipcomp,
 		.tfc = data->tfc,
 		.manual_prio = data->priority,
 		.interface = strdupnull(data->interface),
-		.install_policy = !data->suppress_policies,
-		.fwd_out_policy = data->fwd_out_policies,
 		.refcount = 1,
 		.proposals = linked_list_create(),
 		.my_ts = linked_list_create(),
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index b85bfd9bc..a102c459c 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -1,6 +1,6 @@
 /*
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2016 Andreas Steffen
- * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -25,6 +25,7 @@
 #define CHILD_CFG_H_
 
 typedef enum action_t action_t;
+typedef enum child_cfg_option_t child_cfg_option_t;
 typedef struct child_cfg_t child_cfg_t;
 typedef struct child_cfg_create_t child_cfg_create_t;
 
@@ -147,13 +148,6 @@ struct child_cfg_t {
 	char* (*get_updown)(child_cfg_t *this);
 
 	/**
-	 * Should we allow access to the local host (gateway)?
-	 *
-	 * @return				value of hostaccess flag
-	 */
-	bool (*get_hostaccess) (child_cfg_t *this);
-
-	/**
 	 * Get the lifetime configuration of a CHILD_SA.
 	 *
 	 * The rekey limits automatically contain a jitter to avoid simultaneous
@@ -203,14 +197,6 @@ struct child_cfg_t {
 	diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
 
 	/**
-	 * Check whether IPComp should be used, if the other peer supports it.
-	 *
-	 * @return				TRUE, if IPComp should be used
-	 *						FALSE, otherwise
-	 */
-	bool (*use_ipcomp)(child_cfg_t *this);
-
-	/**
 	 * Get the inactivity timeout value.
 	 *
 	 * @return				inactivity timeout in s
@@ -263,33 +249,17 @@ struct child_cfg_t {
 	/**
 	 * Set anti-replay window size
 	 *
-	 * @param window		anti-replay window size
+	 * @param window        anti-replay window size
 	 */
 	void (*set_replay_window)(child_cfg_t *this, uint32_t window);
 
 	/**
-	 * Check whether IPsec transport SA should be set up in proxy mode.
-	 *
-	 * @return				TRUE, if proxy mode should be used
-	 *						FALSE, otherwise
-	 */
-	bool (*use_proxy_mode)(child_cfg_t *this);
-
-	/**
-	 * Check whether IPsec policies should be installed in the kernel.
-	 *
-	 * @return				TRUE, if IPsec kernel policies should be installed
-	 *						FALSE, otherwise
-	 */
-	bool (*install_policy)(child_cfg_t *this);
-
-	/**
-	 * Check whether outbound FWD IPsec policies should be installed.
+	 * Check if an option flag is set.
 	 *
-	 * @return				TRUE, if outbound FWD policies should be installed
-	 *						FALSE, otherwise
+	 * @param option		option flag to check
+	 * @return				TRUE if option flag set, FALSE otherwise
 	 */
-	bool (*install_fwd_out_policy)(child_cfg_t *this);
+	bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
 
 	/**
 	 * Check if two child_cfg objects are equal.
@@ -315,11 +285,39 @@ struct child_cfg_t {
 	void (*destroy) (child_cfg_t *this);
 };
 
+/**
+ * Option flags that may be set on a child_cfg_t object
+ */
+enum child_cfg_option_t {
+
+	/** Use IPsec transport proxy mode */
+	OPT_PROXY_MODE = (1<<0),
+
+	/** Use IPComp, if peer supports it */
+	OPT_IPCOMP = (1<<1),
+
+	/** Allow access to the local host */
+	OPT_HOSTACCESS = (1<<2),
+
+	/** Don't install any IPsec policies */
+	OPT_NO_POLICIES = (1<<3),
+
+	/** Install outbound FWD IPsec policies to bypass drop policies */
+	OPT_FWD_OUT_POLICIES = (1<<4),
+
+	/** Enable hardware offload, if supported by the IPsec backend */
+	OPT_HW_OFFLOAD = (1<<5),
+
+	/** Force 96-bit truncation for SHA-256 */
+	OPT_SHA256_96 = (1<<6),
+};
 
 /**
  * Data passed to the constructor of a child_cfg_t object.
  */
 struct child_cfg_create_t {
+	/** Options set for CHILD_SA */
+	child_cfg_option_t options;
 	/** Specific reqid to use for CHILD_SA, 0 for auto assignment */
 	uint32_t reqid;
 	/** Optional inbound mark */
@@ -328,10 +326,6 @@ struct child_cfg_create_t {
 	mark_t mark_out;
 	/** Mode to propose for CHILD_SA */
 	ipsec_mode_t mode;
-	/** Use IPsec transport proxy mode */
-	bool proxy_mode;
-	/** Use IPComp, if peer supports it */
-	bool ipcomp;
 	/** TFC padding size, 0 to disable, -1 to pad to PMTU */
 	uint32_t tfc;
 	/** Optional manually-set IPsec policy priority */
@@ -350,12 +344,6 @@ struct child_cfg_create_t {
 	action_t close_action;
 	/** updown script to execute on up/down event (cloned) */
 	char *updown;
-	/** TRUE to allow access to the local host */
-	bool hostaccess;
-	/** Don't install IPsec policies */
-	bool suppress_policies;
-	/** Install outbound FWD IPsec policies to bypass drop policies */
-	bool fwd_out_policies;
 };
 
 /**
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 480dd3720..93300781d 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -224,12 +224,12 @@ static u_int match(linked_list_t *hosts, linked_list_t *ranges, host_t *cand)
 			if (ts->to_subnet(ts, &host, &mask))
 			{
 				quality = max(quality, mask + 1);
-				host->destroy(host);
 			}
 			else
 			{
 				quality = max(quality, 1);
 			}
+			host->destroy(host);
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 4d37264f6..034996f60 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -47,14 +47,16 @@ enum ike_version_t {
 };
 
 /**
- * Proprietary IKEv1 fragmentation
+ * Proprietary IKEv1 fragmentation and IKEv2 fragmentation
  */
 enum fragmentation_t {
 	/** disable fragmentation */
 	FRAGMENTATION_NO,
-	/** enable fragmentation if supported by peer */
+	/** announce support, but don't send any fragments */
+	FRAGMENTATION_ACCEPT,
+	/** enable fragmentation, if supported by peer */
 	FRAGMENTATION_YES,
-	/** force use of fragmentation (even for the first message) */
+	/** force use of fragmentation (even for the first message for IKEv1) */
 	FRAGMENTATION_FORCE,
 };
 
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 5d7ab076e..fcdd6fdeb 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -209,9 +209,12 @@ typedef struct {
 } child_cfgs_replace_enumerator_t;
 
 METHOD(enumerator_t, child_cfgs_replace_enumerate, bool,
-	child_cfgs_replace_enumerator_t *this, child_cfg_t **chd, bool *added)
+	child_cfgs_replace_enumerator_t *this, va_list args)
 {
-	child_cfg_t *child_cfg;
+	child_cfg_t *child_cfg, **chd;
+	bool *added;
+
+	VA_ARGS_VGET(args, chd, added);
 
 	if (!this->wrapped)
 	{
@@ -303,8 +306,9 @@ METHOD(peer_cfg_t, replace_child_cfgs, enumerator_t*,
 
 	INIT(enumerator,
 		.public = {
-			.enumerate = (void*)_child_cfgs_replace_enumerate,
-			.destroy = (void*)_child_cfgs_replace_enumerator_destroy,
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _child_cfgs_replace_enumerate,
+			.destroy = _child_cfgs_replace_enumerator_destroy,
 		},
 		.removed = removed,
 		.added = added,
@@ -336,8 +340,11 @@ METHOD(enumerator_t, child_cfg_enumerator_destroy, void,
 }
 
 METHOD(enumerator_t, child_cfg_enumerate, bool,
-	child_cfg_enumerator_t *this, child_cfg_t **chd)
+	child_cfg_enumerator_t *this, va_list args)
 {
+	child_cfg_t **chd;
+
+	VA_ARGS_VGET(args, chd);
 	return this->wrapped->enumerate(this->wrapped, chd);
 }
 
@@ -348,8 +355,9 @@ METHOD(peer_cfg_t, create_child_cfg_enumerator, enumerator_t*,
 
 	INIT(enumerator,
 		.public = {
-			.enumerate = (void*)_child_cfg_enumerate,
-			.destroy = (void*)_child_cfg_enumerator_destroy,
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _child_cfg_enumerate,
+			.destroy = _child_cfg_enumerator_destroy,
 		},
 		.mutex = this->mutex,
 		.wrapped = this->child_cfgs->create_enumerator(this->child_cfgs),
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index a2dc113a5..6c71f78d3 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -94,27 +94,31 @@ METHOD(proposal_t, add_algorithm, void,
 	array_insert(this->transforms, ARRAY_TAIL, &entry);
 }
 
-/**
- * filter function for peer configs
- */
-static bool alg_filter(uintptr_t type, entry_t **in, uint16_t *alg,
-					   void **unused, uint16_t *key_size)
+CALLBACK(alg_filter, bool,
+	uintptr_t type, enumerator_t *orig, va_list args)
 {
-	entry_t *entry = *in;
+	entry_t *entry;
+	uint16_t *alg, *key_size;
 
-	if (entry->type != type)
-	{
-		return FALSE;
-	}
-	if (alg)
-	{
-		*alg = entry->alg;
-	}
-	if (key_size)
+	VA_ARGS_VGET(args, alg, key_size);
+
+	while (orig->enumerate(orig, &entry))
 	{
-		*key_size = entry->key_size;
+		if (entry->type != type)
+		{
+			continue;
+		}
+		if (alg)
+		{
+			*alg = entry->alg;
+		}
+		if (key_size)
+		{
+			*key_size = entry->key_size;
+		}
+		return TRUE;
 	}
-	return TRUE;
+	return FALSE;
 }
 
 METHOD(proposal_t, create_enumerator, enumerator_t*,
@@ -122,7 +126,7 @@ METHOD(proposal_t, create_enumerator, enumerator_t*,
 {
 	return enumerator_create_filter(
 						array_create_enumerator(this->transforms),
-						(void*)alg_filter, (void*)(uintptr_t)type, NULL);
+						alg_filter, (void*)(uintptr_t)type, NULL);
 }
 
 METHOD(proposal_t, get_algorithm, bool,