authorAndreas Steffen <andreas.steffen@strongswan.org>2006-09-25 05:51:16 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2006-09-25 05:51:16 +0000
commit54c6c4711f46cd9ccd6cf59f1b71eae18eaf5f2a (patch)
tree28823cf74377004a13786cdb970324979c699c7a /src
parent380d91b9bee098fc8115786cb9d73a8f3cf82181 (diff)
downloadstrongswan-54c6c4711f46cd9ccd6cf59f1b71eae18eaf5f2a.tar.bz2
strongswan-54c6c4711f46cd9ccd6cf59f1b71eae18eaf5f2a.tar.xz
added hostaccess support; moved auth_method to policy
Diffstat (limited to 'src')
-rw-r--r--src/charon/config/policies/local_policy_store.c2
-rw-r--r--src/charon/config/policies/policy.c96
-rw-r--r--src/charon/config/policies/policy.h71
3 files changed, 138 insertions, 31 deletions
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
index 9ab894818..1ad0aaa9d 100644
--- a/src/charon/config/policies/local_policy_store.c
+++ b/src/charon/config/policies/local_policy_store.c
@@ -179,7 +179,7 @@ static policy_t *get_policy(private_local_policy_store_t *this,
identification_t *found_my_id = found->get_my_id(found);
identification_t *found_other_id = found->get_other_id(found);
- this->logger->log(this->logger, CONTROL|LEVEL1,
+ this->logger->log(this->logger, CONTROL,
"found matching policy '%s': %s...%s (prio=%d)",
found->get_name(found),
found_my_id->get_string(found_my_id),
diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c
index f64447a52..e3a1100b9 100644
--- a/src/charon/config/policies/policy.c
+++ b/src/charon/config/policies/policy.c
@@ -31,13 +31,31 @@
#include <utils/identification.h>
#include <utils/logger_manager.h>
-mapping_t dpd_action_m[] = {
- {DPD_CLEAR, "DPD_CLEAR"},
- {DPD_ROUTE, "DPD_ROUTE"},
- {DPD_RESTART, "DPD_RESTART"},
- {MAPPING_END, NULL},
+/**
+ * String mappings for auth_method_t.
+ */
+static const char *const auth_method_name[] = {
+ "RSA signature",
+ "pre-shared key",
+ "DSS signature"
+};
+
+enum_names auth_method_names =
+ { RSA_DIGITAL_SIGNATURE, DSS_DIGITAL_SIGNATURE, auth_method_name, NULL };
+
+/**
+ * String mappings for dpd_action_t.
+ */
+static const char *const dpd_action_name[] = {
+ "DPD_NONE",
+ "DPD_CLEAR",
+ "DPD_ROUTE",
+ "DPD_RESTART"
};
+enum_names dpd_action_names =
+ { DPD_NONE, DPD_RESTART, dpd_action_name, NULL };
+
typedef struct private_policy_t private_policy_t;
/**
@@ -71,6 +89,11 @@ struct private_policy_t {
identification_t *other_id;
/**
+ * Method to use for own authentication data
+ */
+ auth_method_t auth_method;
+
+ /**
* we have a cert issued by this CA
*/
identification_t *my_ca;
@@ -86,6 +109,11 @@ struct private_policy_t {
char *updown;
/**
+ * allow host access
+ */
+ bool hostaccess;
+
+ /**
* list for all proposals
*/
linked_list_t *proposals;
@@ -152,6 +180,14 @@ static identification_t *get_other_id(private_policy_t *this)
}
/**
+ * Implementation of connection_t.auth_method_t.
+ */
+static auth_method_t get_auth_method(private_policy_t *this)
+{
+ return this->auth_method;
+}
+
+/**
* Get traffic selectors, with wildcard-address update
*/
static linked_list_t *get_traffic_selectors(private_policy_t *this, linked_list_t *list, host_t *host)
@@ -341,6 +377,14 @@ static char* get_updown(private_policy_t *this)
}
/**
+ * Implementation of policy_t.get_hostaccess
+ */
+static bool get_hostaccess(private_policy_t *this)
+{
+ return this->hostaccess;
+}
+
+/**
* Implements policy_t.get_dpd_action
*/
static dpd_action_t get_dpd_action(private_policy_t *this)
@@ -461,40 +505,46 @@ static void destroy(private_policy_t *this)
* Described in header-file
*/
policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id,
+ auth_method_t auth_method,
u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter, char *updown, dpd_action_t dpd_action)
+ u_int32_t jitter, char *updown, bool hostaccess,
+ dpd_action_t dpd_action)
{
private_policy_t *this = malloc_thing(private_policy_t);
/* public functions */
- this->public.get_name = (char *(*)(policy_t*))get_name;
- this->public.get_my_id = (identification_t*(*)(policy_t*))get_my_id;
- this->public.get_other_id = (identification_t*(*)(policy_t*))get_other_id;
- this->public.get_my_traffic_selectors = (linked_list_t*(*)(policy_t*,host_t*))get_my_traffic_selectors;
- this->public.get_other_traffic_selectors = (linked_list_t*(*)(policy_t*,host_t*))get_other_traffic_selectors;
- this->public.select_my_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
- this->public.select_other_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
- this->public.get_proposals = (linked_list_t*(*)(policy_t*))get_proposals;
- this->public.select_proposal = (proposal_t*(*)(policy_t*,linked_list_t*))select_proposal;
- this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
- this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
- this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
- this->public.add_authorities = (void(*)(policy_t*,identification_t*, identification_t*))add_authorities;
- this->public.get_updown = (char*(*)(policy_t*))get_updown;
- this->public.get_dpd_action = (dpd_action_t(*)(policy_t*))get_dpd_action;
+ this->public.get_name = (char* (*) (policy_t*))get_name;
+ this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id;
+ this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id;
+ this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method;
+ this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors;
+ this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors;
+ this->public.select_my_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
+ this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
+ this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals;
+ this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal;
+ this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector;
+ this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector;
+ this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal;
+ this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities;
+ this->public.get_updown = (char* (*) (policy_t*))get_updown;
+ this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess;
+ this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action;
this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
- this->public.get_ref = (void(*)(policy_t*))get_ref;
- this->public.destroy = (void(*)(policy_t*))destroy;
+ this->public.get_ref = (void (*) (policy_t*))get_ref;
+ this->public.destroy = (void (*) (policy_t*))destroy;
/* apply init values */
this->name = strdup(name);
this->my_id = my_id;
this->other_id = other_id;
+ this->auth_method = auth_method;
this->hard_lifetime = hard_lifetime;
this->soft_lifetime = soft_lifetime;
this->jitter = jitter;
this->updown = (updown == NULL) ? NULL : strdup(updown);
+ this->hostaccess = hostaccess;
this->dpd_action = dpd_action;
/* initialize private members*/
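Review bot: The comment above the new get_auth_method (hunk `@@ -152,6 +180,14 @@`) reads `Implementation of connection_t.auth_method_t.`, but the function implements the policy_t.get_auth_method callback that this same commit adds to policy_t, so the comment should be `* Implementation of policy_t.get_auth_method.` to match the sibling comments on get_hostaccess and get_dpd_action. It looks like a copy-paste remnant from the connection_t code the commit message says auth_method was moved out of. In policy_create the new auth_method and hostaccess values are stored without any check, consistent with the other init values, but auth_method_names only spans RSA_DIGITAL_SIGNATURE..DSS_DIGITAL_SIGNATURE, so an out-of-range value would print a misleading name through enum_names; if the value is not validated where policies are parsed, a one-line assertion here or a range note in the header would make that explicit. policy_create's body continues past the end of the hunk.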
diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h
index 48d9f70e7..6d80319b4 100644
--- a/src/charon/config/policies/policy.h
+++ b/src/charon/config/policies/policy.h
@@ -28,7 +28,41 @@
#include <utils/identification.h>
#include <config/traffic_selector.h>
#include <config/proposal.h>
-#include <encoding/payloads/auth_payload.h>
+
+typedef enum auth_method_t auth_method_t;
+
+/**
+ * AUTH Method to use.
+ *
+ * @ingroup config
+ */
+enum auth_method_t {
+ /**
+ * Computed as specified in section 2.15 of RFC using
+ * an RSA private key over a PKCS#1 padded hash.
+ */
+ RSA_DIGITAL_SIGNATURE = 1,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using the
+ * shared key associated with the identity in the ID payload
+ * and the negotiated prf function
+ */
+ SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using a
+ * DSS private key over a SHA-1 hash.
+ */
+ DSS_DIGITAL_SIGNATURE = 3,
+};
+
+/**
+ * string mappings for auth_method_t.
+ *
+ * @ingroup config
+ */
+extern enum_names auth_method_names;
typedef enum dpd_action_t dpd_action_t;
@@ -41,18 +75,20 @@ typedef enum dpd_action_t dpd_action_t;
* @ingroup config
*/
enum dpd_action_t {
+ /** DPD disabled */
+ DPD_NONE,
/** remove CHILD_SA without replacement */
- DPD_CLEAR = 1,
+ DPD_CLEAR,
/** route the CHILD_SA to resetup when needed */
- DPD_ROUTE = 2,
+ DPD_ROUTE,
/** restart CHILD_SA in a new IKE_SA, immediately */
- DPD_RESTART = 3,
+ DPD_RESTART,
};
/**
- * String mappings for dpd_action_t
+ * String mappings for dpd_action_t.
*/
-extern mapping_t dpd_action_m[];
+extern enum_names dpd_action_names;
typedef struct policy_t policy_t;
@@ -101,6 +137,14 @@ struct policy_t {
identification_t *(*get_other_id) (policy_t *this);
/**
+ * @brief Get the authentication method to use.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ auth_method_t (*get_auth_method) (policy_t *this);
+
+ /**
* @brief Get configured traffic selectors for our site.
*
* Returns a list with all traffic selectors for the local
@@ -228,6 +272,14 @@ struct policy_t {
char* (*get_updown) (policy_t *this);
/**
+ * @brief Get hostaccess flag
+ *
+ * @param this calling object
+ * @return value of hostaccess flag
+ */
+ bool (*get_hostaccess) (policy_t *this);
+
+ /**
* @brief What should be done with a CHILD_SA, when other peer does not respond.
*
* @param this calling object
@@ -292,10 +344,12 @@ struct policy_t {
* @param name name of the policy
* @param my_id identification_t for ourselves
* @param other_id identification_t for the remote guy
+ * @param auth_method Authentication method to use for our(!) auth data
* @param hard_lifetime lifetime before deleting an SA
* @param soft_lifetime lifetime before rekeying an SA
* @param jitter range of randomization time
* @param updown updown script to execute on up/down event
+ * @param hostaccess allow access to the host itself (used by the updown script)
* @param dpd_action what to to with a CHILD_SA when other peer does not respond
* @return policy_t object
*
@@ -303,7 +357,10 @@ struct policy_t {
*/
policy_t *policy_create(char *name,
identification_t *my_id, identification_t *other_id,
+ auth_method_t auth_method,
u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter, char *updown, dpd_action_t dpd_action);
+ u_int32_t jitter,
+ char *updown, bool hostaccess,
+ dpd_action_t dpd_action);
#endif /* POLICY_H_ */
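Review bot: The three doc comments on the new auth_method_t enum (hunk `@@ -28,7 +28,41 @@`) say "as specified in section 2.15 of RFC" without naming the RFC; since this is the IKEv2 authentication method, it is presumably RFC 4306, and the comments should cite it, e.g. `* Computed as specified in section 2.15 of RFC 4306 using`. The enum replaces the removed `#include <encoding/payloads/auth_payload.h>`; if that header still declares auth_method_t, a translation unit including both will hit a conflicting typedef — worth confirming that auth_payload.h now includes policy.h (or that the old definition is gone). The new `@brief Get hostaccess flag` on get_hostaccess does not say what the flag controls, while the policy_create parameter doc does; suggest `* @brief Get hostaccess flag (allow access to the host itself, used by the updown script).` so readers of the accessor see the security-relevant meaning. policy.h also uses `bool` here; the page does not show the include that provides it, so check that it is in scope via an earlier include.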