authorMartin Willi <martin@revosec.ch>2012-05-02 11:12:31 +0200
committerMartin Willi <martin@revosec.ch>2012-05-02 11:12:31 +0200
commitb24be29646442210f43b100d2282b6c0a0e52e09 (patch)
tree5cdc2dbda7cb5881c2c2fa7a90ab6729112fd4c4 /src/starter
parentf99d8b10c9f5b5024b4b1e5f5d1e56e2519cdadc (diff)
parent8c35f5d460baf0ee7f25669620ee234a0176681f (diff)
Merge branch 'ikev1'
Conflicts: configure.in man/ipsec.conf.5.in src/libcharon/encoding/generator.c src/libcharon/encoding/payloads/notify_payload.c src/libcharon/encoding/payloads/notify_payload.h src/libcharon/encoding/payloads/payload.c src/libcharon/network/receiver.c src/libcharon/sa/authenticator.c src/libcharon/sa/authenticator.h src/libcharon/sa/ikev2/tasks/ike_init.c src/libcharon/sa/task_manager.c src/libstrongswan/credentials/auth_cfg.c
Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/args.c2
-rw-r--r--src/starter/confread.c36
-rw-r--r--src/starter/confread.h10
-rw-r--r--src/starter/keywords.h2
-rw-r--r--src/starter/keywords.txt2
-rw-r--r--src/starter/starter.c18
-rw-r--r--src/starter/starterstroke.c63
7 files changed, 58 insertions, 75 deletions
diff --git a/src/starter/args.c b/src/starter/args.c
index 65d0a753c..0699eb058 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -204,9 +204,9 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_PFS */ },
{ ARG_MISC, 0, NULL /* KW_COMPRESS */ },
{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool },
+ { ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
- { ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
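Review bot: The `token_info` table is indexed by KW_* enum position, so the inserted `aggressive` row and the removed `KW_EAP` row must sit in exactly the same relative positions as the enumerators in keywords.h; nothing in the code checks this, and a single slip makes every later keyword read the wrong `starter_conn_t` field. A one-line comment at the array definition (before this hunk), `/* order must match the KW_* enum in keywords.h */`, is cheap insurance for the next edit of this kind. The `token_info` definition starts outside this hunk.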
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 627601e88..2fb329c85 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -22,8 +22,6 @@
#include <freeswan.h>
-#include <eap/eap.h>
-
#include "../pluto/constants.h"
#include "../pluto/defs.h"
#include "../pluto/log.h"
@@ -466,7 +464,7 @@ static void handle_dns_failure(const char *label, starter_end_t *end,
plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
label, label);
}
- else if (!end->host || conn->keyexchange == KEY_EXCHANGE_IKEV1)
+ else if (!end->host)
{
/* declare an error */
cfg->err++;
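Review bot: Dropping `conn->keyexchange == KEY_EXCHANGE_IKEV1` from the condition means an IKEv1 connection whose peer name does not resolve is no longer a configuration error; it now takes whatever path the code after this hunk takes for a host that may resolve later, presumably the same deferred handling IKEv2 already got. If that is intentional because charon now owns IKEv1 as well, a comment on the else-if would stop someone from re-adding the check: `/* charon resolves at initiation for both IKE versions; only a missing host is fatal */`. handle_dns_failure starts and ends outside this hunk.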
@@ -668,7 +666,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
{
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
}
- else if (streq(value, "xauthpsk") || streq(value, "eap"))
+ else if (streq(value, "xauthpsk"))
{
conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
}
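Review bot: Removing `streq(value, "eap")` changes what an existing `authby=eap` does: it falls through to the remaining branches, which are outside this hunk, so from here it is unclear whether it becomes a reported error or is silently ignored. Keeping the old mapping would have been wrong now that starterstroke.c renders POLICY_XAUTH_PSK as psk plus xauth, but a silent fall-through would leave the connection with no authentication method derived from authby. An explicit branch makes the migration visible: `else if (streq(value, "eap")) { plog("# authby=eap is obsolete, use leftauth/rightauth=eap"); cfg->err++; }`. load_conn continues outside the hunk.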
@@ -687,36 +685,6 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
}
}
break;
- case KW_EAP:
- {
- char *sep;
-
- /* check for vendor-type format */
- sep = strchr(kw->value, '-');
- if (sep)
- {
- *(sep++) = '\0';
- conn->eap_type = atoi(kw->value);
- conn->eap_vendor = atoi(sep);
- if (conn->eap_type == 0 || conn->eap_vendor == 0)
- {
- plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- break;
- }
- conn->eap_type = eap_type_from_string(kw->value);
- if (conn->eap_type == 0)
- {
- conn->eap_type = atoi(kw->value);
- if (conn->eap_type == 0)
- {
- plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- }
- break;
- }
case KW_MARK:
if (!handle_mark(kw->value, &conn->mark_in))
{
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 9cb919ce5..655c97084 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -39,9 +39,10 @@ typedef enum {
} starter_state_t;
typedef enum {
- KEY_EXCHANGE_IKE,
- KEY_EXCHANGE_IKEV1,
- KEY_EXCHANGE_IKEV2
+ /* shared with ike_version_t */
+ KEY_EXCHANGE_IKE = 0,
+ KEY_EXCHANGE_IKEV1 = 1,
+ KEY_EXCHANGE_IKEV2 = 2,
} keyexchange_t;
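Review bot: The explicit values document that keyexchange_t must match ike_version_t, but nothing enforces it, and `msg.add_conn.version = conn->keyexchange;` in starterstroke.c depends on the numbers being equal. If the header defining ike_version_t can be included from confread.h, a C89-compatible compile-time check after the enum, e.g. `typedef char keyexchange_matches_ike_version[(KEY_EXCHANGE_IKEV1 == IKEV1 && KEY_EXCHANGE_IKEV2 == IKEV2) ? 1 : -1];` (assuming those are the enumerator names), turns future drift into a build error instead of a silently wrong IKE version on the wire. The trailing comma after the last enumerator is C99-only, which is fine if the project already builds as C99.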
typedef enum {
@@ -109,8 +110,6 @@ struct starter_conn {
starter_state_t state;
keyexchange_t keyexchange;
- u_int32_t eap_type;
- u_int32_t eap_vendor;
char *eap_identity;
char *aaa_identity;
char *xauth_identity;
@@ -131,6 +130,7 @@ struct starter_conn {
sa_family_t addr_family;
sa_family_t tunnel_addr_family;
bool install_policy;
+ bool aggressive;
starter_end_t left, right;
unsigned long id;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 02be919ea..3374fa8c7 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -67,9 +67,9 @@ typedef enum {
KW_PFS,
KW_COMPRESS,
KW_INSTALLPOLICY,
+ KW_AGGRESSIVE,
KW_AUTH,
KW_AUTHBY,
- KW_EAP,
KW_EAP_IDENTITY,
KW_AAA_IDENTITY,
KW_MOBIKE,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 548fa2f70..d31fd2461 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -47,7 +47,6 @@ nat_traversal, KW_NAT_TRAVERSAL
keep_alive, KW_KEEP_ALIVE
force_keepalive, KW_FORCE_KEEPALIVE
virtual_private, KW_VIRTUAL_PRIVATE
-eap, KW_EAP
eap_identity, KW_EAP_IDENTITY
aaa_identity, KW_AAA_IDENTITY
mobike, KW_MOBIKE
@@ -61,6 +60,7 @@ type, KW_TYPE
pfs, KW_PFS
compress, KW_COMPRESS
installpolicy, KW_INSTALLPOLICY
+aggressive, KW_AGGRESSIVE
auth, KW_AUTH
authby, KW_AUTHBY
keylife, KW_KEYLIFE
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 44e21431c..15c50c44b 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -764,14 +764,11 @@ int main (int argc, char **argv)
if (conn->startup == STARTUP_START)
{
- if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
+ if (starter_charon_pid())
{
- if (starter_charon_pid())
- {
- starter_stroke_initiate_conn(conn);
- }
+ starter_stroke_initiate_conn(conn);
}
- else
+ if (conn->keyexchange == KEY_EXCHANGE_IKEV1)
{
if (starter_pluto_pid())
{
@@ -781,14 +778,11 @@ int main (int argc, char **argv)
}
else if (conn->startup == STARTUP_ROUTE)
{
- if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
+ if (starter_charon_pid())
{
- if (starter_charon_pid())
- {
- starter_stroke_route_conn(conn);
- }
+ starter_stroke_route_conn(conn);
}
- else
+ if (conn->keyexchange == KEY_EXCHANGE_IKEV1)
{
if (starter_pluto_pid())
{
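Review bot: The same double dispatch applies to `auto=route`: with charon and pluto both running, an IKEv1 connection is routed via stroke and then again via pluto, because the pluto branch is no longer the else of the charon check. Two daemons installing trap policies for the same selectors is at best redundant and at worst conflicting in the kernel. Either `else if (conn->keyexchange == KEY_EXCHANGE_IKEV1)` or a comment stating that dual installation is intended. main continues past this hunk.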
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index ae04c20dd..2b6f55bc8 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -197,30 +197,11 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
memset(&msg, 0, sizeof(msg));
msg.type = STR_ADD_CONN;
msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
+ msg.add_conn.version = conn->keyexchange;
msg.add_conn.name = push_string(&msg, connection_name(conn));
-
- /* PUBKEY is preferred to PSK and EAP */
- if (conn->policy & POLICY_PUBKEY)
- {
- msg.add_conn.auth_method = AUTH_CLASS_PUBKEY;
- }
- else if (conn->policy & POLICY_PSK)
- {
- msg.add_conn.auth_method = AUTH_CLASS_PSK;
- }
- else if (conn->policy & POLICY_XAUTH_PSK)
- {
- msg.add_conn.auth_method = AUTH_CLASS_EAP;
- }
- else
- {
- msg.add_conn.auth_method = AUTH_CLASS_ANY;
- }
- msg.add_conn.eap_type = conn->eap_type;
- msg.add_conn.eap_vendor = conn->eap_vendor;
msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
+ msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
if (conn->policy & POLICY_TUNNEL)
{
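Review bot: `msg.add_conn.version = conn->keyexchange;` assigns across two enum types with no cast or comment, so a reader of this file gets no hint that the numeric values are deliberately shared; `msg.add_conn.version = conn->keyexchange; /* keyexchange_t values are defined to match ike_version_t */` would do. The removed `auth_method = AUTH_CLASS_ANY` default also has no counterpart here: when neither leftauth/rightauth nor a legacy authby policy bit is set, `me.auth` and `other.auth` stay NULL and whatever charon does with an unset auth applies, which is worth a comment if that default is relied on. starter_stroke_add_conn starts before this hunk.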
@@ -265,6 +246,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
msg.add_conn.install_policy = conn->install_policy;
+ msg.add_conn.aggressive = conn->aggressive;
msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
msg.add_conn.unique = cfg->setup.uniqueids;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
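Review bot: `msg.add_conn.aggressive = conn->aggressive;` forwards the new flag with no diagnostic. It is widely documented that IKEv1 aggressive mode with a pre-shared key exposes the PSK-derived hash before the exchange is encrypted, so a captured handshake can be brute-forced offline; this is the one combination an operator most needs to be told about at load time. Consider a single warning when `conn->aggressive && (conn->policy & (POLICY_PSK | POLICY_XAUTH_PSK))`, e.g. `plog("# conn %s: aggressive mode with PSK is open to offline dictionary attacks", connection_name(conn));`, here or in load_conn where the policy bits are set, assuming plog is reachable from this file as it is from confread.c. starter_stroke_add_conn starts before this hunk.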
@@ -286,6 +268,45 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
+ if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)
+ { /* leftauth/rightauth not set, use legacy options */
+ if (conn->policy & POLICY_PUBKEY)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "pubkey");
+ msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ }
+ else if (conn->policy & POLICY_PSK)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "psk");
+ msg.add_conn.other.auth = push_string(&msg, "psk");
+ }
+ else if (conn->policy & POLICY_XAUTH_RSASIG)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "pubkey");
+ msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ if (conn->policy & POLICY_XAUTH_SERVER)
+ {
+ msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ }
+ else
+ {
+ msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ }
+ }
+ else if (conn->policy & POLICY_XAUTH_PSK)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "psk");
+ msg.add_conn.other.auth = push_string(&msg, "psk");
+ if (conn->policy & POLICY_XAUTH_SERVER)
+ {
+ msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ }
+ else
+ {
+ msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ }
+ }
+ }
return send_stroke_msg(&msg);
}