diff options
-rw-r--r-- | src/charon-cmd/cmd/cmd_connection.c | 20 | ||||
-rw-r--r-- | src/charon-nm/nm/nm_service.c | 17 | ||||
-rw-r--r-- | src/conftest/config.c | 10 | ||||
-rw-r--r-- | src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c | 15 | ||||
-rw-r--r-- | src/frontends/osx/charon-xpc/xpc_dispatch.c | 17 | ||||
-rw-r--r-- | src/libcharon/config/peer_cfg.c | 63 | ||||
-rw-r--r-- | src/libcharon/config/peer_cfg.h | 81 | ||||
-rw-r--r-- | src/libcharon/plugins/ha/ha_tunnel.c | 13 | ||||
-rw-r--r-- | src/libcharon/plugins/load_tester/load_tester_config.c | 20 | ||||
-rw-r--r-- | src/libcharon/plugins/maemo/maemo_service.c | 17 | ||||
-rw-r--r-- | src/libcharon/plugins/medcli/medcli_config.c | 50 | ||||
-rw-r--r-- | src/libcharon/plugins/medsrv/medsrv_config.c | 20 | ||||
-rw-r--r-- | src/libcharon/plugins/sql/sql_config.c | 30 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 53 | ||||
-rw-r--r-- | src/libcharon/plugins/uci/uci_config.c | 17 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 23 |
16 files changed, 266 insertions, 200 deletions
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 48e7dd309..71df92f7e 100644 --- a/src/charon-cmd/cmd/cmd_connection.c +++ b/src/charon-cmd/cmd/cmd_connection.c @@ -144,8 +144,16 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) peer_cfg_t *peer_cfg; uint16_t local_port, remote_port = IKEV2_UDP_PORT; ike_version_t version = IKE_ANY; - bool aggressive = FALSE; proposal_t *proposal; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = 36000, /* 10h */ + .jitter_time = 600, /* 10min */ + .over_time = 600, /* 10min */ + .dpd = 30, + }; switch (this->profile) { @@ -159,7 +167,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) case PROF_V1_XAUTH_AM: case PROF_V1_XAUTH_PSK_AM: case PROF_V1_HYBRID_AM: - aggressive = TRUE; + peer.aggressive = TRUE; /* FALL */ case PROF_V1_PUB: case PROF_V1_XAUTH: @@ -189,13 +197,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); } - peer_cfg = peer_cfg_create("cmd", ike_cfg, - CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, aggressive, TRUE, /* mobike, aggressive, pull */ - 30, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ + peer_cfg = peer_cfg_create("cmd", ike_cfg, &peer); return peer_cfg; } diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index f6ef9ecaf..5991c2465 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -300,6 +300,14 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, certificate_t *cert = NULL; x509_t *x509; bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = 36000, /* 10h */ + .jitter_time = 600, /* 10min */ + .over_time = 600, /* 10min */ + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -533,13 +541,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - peer_cfg = peer_cfg_create(priv->name, ike_cfg, - CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 0, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ + + peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer); if (virtual) { peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0)); diff --git a/src/conftest/config.c b/src/conftest/config.c index 46a21b3ab..06a685047 100644 --- a/src/conftest/config.c +++ b/src/conftest/config.c @@ -247,11 +247,15 @@ static peer_cfg_t *load_peer_config(private_config_t *this, identification_t *lid, *rid; char *child, *policy, *pool; uintptr_t strength; + peer_cfg_create_t peer = { + .cert_policy = CERT_ALWAYS_SEND, + .unique = UNIQUE_NO, + .keyingtries = 1, + .no_mobike = TRUE, + }; ike_cfg = load_ike_config(this, settings, config); - peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND, - UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, TRUE, - 0, 0, FALSE, NULL, NULL); + peer_cfg = peer_cfg_create(config, ike_cfg, &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c index ba5c9e28e..b3e91d808 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c @@ -673,6 +673,13 @@ static job_requeue_t initiate(private_android_service_t *this) traffic_selector_t *ts; ike_sa_t *ike_sa; auth_cfg_t *auth; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .rekey_time = 36000, /* 10h */ + .jitter_time = 600, /* 10min */ + .over_time = 600, /* 10min */ + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -697,13 +704,7 @@ static job_requeue_t initiate(private_android_service_t *this) ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED, - UNIQUE_REPLACE, 0, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 0, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ + peer_cfg = peer_cfg_create("android", ike_cfg, &peer); peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET)); peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6)); diff --git a/src/frontends/osx/charon-xpc/xpc_dispatch.c b/src/frontends/osx/charon-xpc/xpc_dispatch.c index c8079cce8..0483199df 100644 --- a/src/frontends/osx/charon-xpc/xpc_dispatch.c +++ b/src/frontends/osx/charon-xpc/xpc_dispatch.c @@ -78,6 +78,15 @@ static peer_cfg_t* create_peer_cfg(char *name, char *host) ike_cfg_t *ike_cfg; peer_cfg_t *peer_cfg; uint16_t local_port, remote_port = IKEV2_UDP_PORT; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = 36000, /* 10h */ + .jitter_time = 600, /* 10min */ + .over_time = 600, /* 10min */ + .dpd = 30, + }; local_port = charon->socket->get_port(charon->socket, FALSE); if (local_port != IKEV2_UDP_PORT) @@ -88,13 +97,7 @@ static peer_cfg_t* create_peer_cfg(char *name, char *host) host, remote_port, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - peer_cfg = peer_cfg_create(name, ike_cfg, - CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 30, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ + peer_cfg = peer_cfg_create(name, ike_cfg, &peer); peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0)); return peer_cfg; diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 4eebfb09d..6463c7a36 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2007-2015 Tobias Brunner + * Copyright (C) 2007-2016 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -724,29 +724,22 @@ METHOD(peer_cfg_t, destroy, void, /* * Described in header-file */ -peer_cfg_t *peer_cfg_create(char *name, - ike_cfg_t *ike_cfg, cert_policy_t cert_policy, - unique_policy_t unique, uint32_t keyingtries, - uint32_t rekey_time, uint32_t reauth_time, - uint32_t jitter_time, uint32_t over_time, - bool mobike, bool aggressive, bool pull_mode, - uint32_t dpd, uint32_t dpd_timeout, - bool mediation, peer_cfg_t *mediated_by, - identification_t *peer_id) +peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, + peer_cfg_create_t *data) { private_peer_cfg_t *this; - if (rekey_time && jitter_time > rekey_time) + if (data->rekey_time && data->jitter_time > data->rekey_time) { - jitter_time = rekey_time; + data->jitter_time = data->rekey_time; } - if (reauth_time && jitter_time > reauth_time) + if (data->reauth_time && data->jitter_time > data->reauth_time) { - jitter_time = reauth_time; + data->jitter_time = data->reauth_time; } - if (dpd && dpd_timeout && dpd > dpd_timeout) + if (data->dpd && data->dpd_timeout && data->dpd > data->dpd_timeout) { - dpd_timeout = dpd; + data->dpd_timeout = data->dpd; } INIT(this, @@ -789,33 +782,29 @@ peer_cfg_t *peer_cfg_create(char *name, .ike_cfg = ike_cfg, .child_cfgs = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .cert_policy = cert_policy, - .unique = unique, - .keyingtries = keyingtries, - .rekey_time = rekey_time, - .reauth_time = reauth_time, - .jitter_time = jitter_time, - .over_time = over_time, - .use_mobike = mobike, - .aggressive = aggressive, - .pull_mode = pull_mode, - .dpd = dpd, - .dpd_timeout = dpd_timeout, + .cert_policy = data->cert_policy, + .unique = data->unique, + .keyingtries = data->keyingtries, + .rekey_time = data->rekey_time, + .reauth_time = data->reauth_time, + .jitter_time = data->jitter_time, + .over_time = data->over_time, + .use_mobike = !data->no_mobike, + .aggressive = data->aggressive, + .pull_mode = !data->push_mode, + .dpd = data->dpd, + .dpd_timeout = data->dpd_timeout, .vips = linked_list_create(), .pools = linked_list_create(), .local_auth = linked_list_create(), .remote_auth = linked_list_create(), .refcount = 1, - ); - #ifdef ME - this->mediation = mediation; - this->mediated_by = mediated_by; - this->peer_id = peer_id; -#else /* ME */ - DESTROY_IF(mediated_by); - DESTROY_IF(peer_id); + .mediation = data->mediation, + .mediated_by = data->mediated_by, + .peer_id = data->peer_id, #endif /* ME */ + ); return &this->public; } diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index a4646af87..2e7959307 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2007-2015 Tobias Brunner + * Copyright (C) 2007-2016 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -26,6 +26,7 @@ typedef enum cert_policy_t cert_policy_t; typedef enum unique_policy_t unique_policy_t; typedef struct peer_cfg_t peer_cfg_t; +typedef struct peer_cfg_create_t peer_cfg_create_t; #include <library.h> #include <utils/identification.h> @@ -367,42 +368,52 @@ struct peer_cfg_t { }; /** + * Data passed to the constructor of a peer_cfg_t object. + */ +struct peer_cfg_create_t { + /** Whether to send a certificate payload */ + cert_policy_t cert_policy; + /** Uniqueness of an IKE_SA */ + unique_policy_t unique; + /** How many keying tries should be done before giving up */ + uint32_t keyingtries; + /** Timeout in seconds before starting rekeying */ + uint32_t rekey_time; + /** Timeout in seconds before starting reauthentication */ + uint32_t reauth_time; + /** Time range in seconds to randomly subtract from rekey/reauth time */ + uint32_t jitter_time; + /** Maximum overtime in seconds before closing a rekeying/reauth SA */ + uint32_t over_time; + /** Disable MOBIKE (RFC4555) */ + bool no_mobike; + /** Use/accept aggressive mode with IKEv1 */ + bool aggressive; + /** TRUE to use modeconfig push, FALSE for pull */ + bool push_mode; + /** DPD check interval, 0 to disable */ + uint32_t dpd; + /** DPD timeout interval (IKEv1 only), if 0 default applies */ + uint32_t dpd_timeout; +#ifdef ME + /** TRUE if this is a mediation connection */ + bool mediation; + /** peer_cfg_t of the mediation connection to mediate through (adopted) */ + peer_cfg_t *mediated_by; + /** ID that identifies our peer at the mediation server (adopted) */ + identification_t *peer_id; +#endif /* ME */ +}; + +/** * Create a configuration object for IKE_AUTH and later. * - * name-string gets cloned, ID's not. - * Virtual IPs are used if they are != NULL. A %any host means the virtual - * IP should be obtained from the other peer. - * Lifetimes are in seconds. To prevent to peers to start rekeying at the - * same time, a jitter may be specified. Rekeying of an SA starts at - * (rekeylifetime - random(0, jitter)). - * - * @param name name of the peer_cfg - * @param ike_cfg IKE config to use when acting as initiator - * @param cert_policy should we send a certificate payload? - * @param unique uniqueness of an IKE_SA - * @param keyingtries how many keying tries should be done before giving up - * @param rekey_time timeout before starting rekeying - * @param reauth_time timeout before starting reauthentication - * @param jitter_time timerange to randomly subtract from rekey/reauth time - * @param over_time maximum overtime before closing a rekeying/reauth SA - * @param mobike use MOBIKE (RFC4555) if peer supports it - * @param aggressive use/accept aggressive mode with IKEv1 - * @param pull_mode TRUE to use modeconfig pull, FALSE for push - * @param dpd DPD check interval, 0 to disable - * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies - * @param mediation TRUE if this is a mediation connection - * @param mediated_by peer_cfg_t of the mediation connection to mediate through - * @param peer_id ID that identifies our peer at the mediation server + * @param name name of the peer_cfg (cloned) + * @param ike_cfg IKE config to use when acting as initiator (adopted) + * @param data data for this peer_cfg * @return peer_cfg_t object */ -peer_cfg_t *peer_cfg_create(char *name, - ike_cfg_t *ike_cfg, cert_policy_t cert_policy, - unique_policy_t unique, uint32_t keyingtries, - uint32_t rekey_time, uint32_t reauth_time, - uint32_t jitter_time, uint32_t over_time, - bool mobike, bool aggressive, bool pull_mode, - uint32_t dpd, uint32_t dpd_timeout, - bool mediation, peer_cfg_t *mediated_by, - identification_t *peer_id); +peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, + peer_cfg_create_t *data); #endif /** PEER_CFG_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index fc956ac94..a0e514614 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -183,6 +183,15 @@ static void setup_tunnel(private_ha_tunnel_t *this, auth_cfg_t *auth_cfg; child_cfg_t *child_cfg; traffic_selector_t *ts; + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_KEEP, + .rekey_time = 86400, /* 24h */ + .jitter_time = 7200, /* 2h */ + .over_time = 3600, /* 1h */ + .no_mobike = TRUE, + .dpd = 30, + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -211,9 +220,7 @@ static void setup_tunnel(private_ha_tunnel_t *this, remote, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND, - UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, - TRUE, 30, 0, FALSE, NULL, NULL); + peer_cfg = peer_cfg_create("ha", ike_cfg, &peer); auth_cfg = auth_cfg_create(); auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index efef3fbde..28421c212 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -688,6 +688,16 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) peer_cfg_t *peer_cfg; char local[32], *remote; host_t *addr; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_NO, + .keyingtries = 1, + .rekey_time = this->ike_rekey, + .over_time = this->ike_rekey, + .no_mobike = TRUE, + .dpd = this->dpd_delay, + .dpd_timeout = this->dpd_timeout, + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -739,14 +749,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) FRAGMENTATION_NO, 0); } ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal)); - peer_cfg = peer_cfg_create("load-test", ike_cfg, - CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */ - this->ike_rekey, 0, /* rekey, reauth */ - 0, this->ike_rekey, /* jitter, overtime */ - FALSE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd_delay, /* dpd_delay */ - this->dpd_timeout, /* dpd_timeout */ - FALSE, NULL, NULL); + peer_cfg = peer_cfg_create("load-test", ike_cfg, &peer); + if (this->vip) { peer_cfg->add_virtual_ip(peer_cfg, this->vip->clone(this->vip)); diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c index db0ce2cf7..3e5861b87 100644 --- a/src/libcharon/plugins/maemo/maemo_service.c +++ b/src/libcharon/plugins/maemo/maemo_service.c @@ -236,6 +236,14 @@ static gboolean initiate_connection(private_maemo_service_t *this, traffic_selector_t *ts; auth_cfg_t *auth; certificate_t *cert; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = 36000, /* 10h */ + .jitter_time = 600, /* 10min */ + .over_time = 600, /* 10min */ + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -332,14 +340,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - peer_cfg = peer_cfg_create(this->current, ike_cfg, - CERT_SEND_IF_ASKED, - UNIQUE_REPLACE, 1, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 0, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ + peer_cfg = peer_cfg_create(this->current, ike_cfg, &peer); peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0)); auth = auth_cfg_create(); diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index d3476e90f..4452739c1 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -82,6 +82,16 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, child_cfg_t *child_cfg; chunk_t me, other; char *address, *local_net, *remote_net; + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = this->rekey * 60, + .jitter_time = this->rekey * 5, + .over_time = this->rekey * 3, + .dpd = this->dpd, + .mediation = TRUE, + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -110,14 +120,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, address, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - med_cfg = peer_cfg_create( - "mediation", ike_cfg, - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - TRUE, NULL, NULL); /* mediation, med by, peer id */ + med_cfg = peer_cfg_create("mediation", ike_cfg, &peer); e->destroy(e); auth = auth_cfg_create(); @@ -147,15 +150,10 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, DESTROY_IF(e); return NULL; } - peer_cfg = peer_cfg_create( - name, this->ike->get_ref(this->ike), - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - FALSE, med_cfg, /* mediation, med by */ - identification_create_from_encoding(ID_KEY_ID, other)); + peer.mediation = FALSE; + peer.mediated_by = med_cfg; + peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other); + peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); @@ -206,6 +204,15 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, chunk_t me, other; child_cfg_t *child_cfg; auth_cfg_t *auth; + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = this->rekey * 60, + .jitter_time = this->rekey * 5, + .over_time = this->rekey * 3, + .dpd = this->dpd, + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -224,14 +231,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, this->current = NULL; return FALSE; } - this->current = peer_cfg_create( - name, this->ike->get_ref(this->ike), - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation, med by, peer id */ + this->current = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c index 02d805e06..be7f481b6 100644 --- a/src/libcharon/plugins/medsrv/medsrv_config.c +++ b/src/libcharon/plugins/medsrv/medsrv_config.c @@ -87,14 +87,18 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, if (e->enumerate(e, &name)) { - peer_cfg = peer_cfg_create( - name, this->ike->get_ref(this->ike), - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - TRUE, NULL, NULL); /* mediation, med by, peer id */ + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = this->rekey * 60, + .jitter_time = this->rekey * 5, + .over_time = this->rekey * 3, + .dpd = this->dpd, + .mediation = TRUE, + }; + peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), + &peer); e->destroy(e); auth = auth_cfg_create(); diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index 25704b0de..bbc20dca7 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -300,6 +300,7 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) return ike_cfg; } +#ifdef ME /** * Query a peer config by its id */ @@ -332,6 +333,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id) } return peer_cfg; } +#endif /* ME */ /** * Check if the two IDs match (the first one is optional) @@ -363,7 +365,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, &mediation, &mediated_by, &p_type, &p_data)) { identification_t *local_id, *remote_id, *peer_id = NULL; - peer_cfg_t *peer_cfg, *mediated_cfg; + peer_cfg_t *peer_cfg, *mediated_cfg = NULL; ike_cfg_t *ike; host_t *vip = NULL; auth_cfg_t *auth; @@ -377,22 +379,38 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, continue; } ike = get_ike_cfg_by_id(this, ike_cfg); + +#ifdef ME mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL; if (p_type) { peer_id = identification_create_from_encoding(p_type, p_data); } +#endif if (virtual) { vip = host_create_from_string(virtual, 0); } if (ike) { - peer_cfg = peer_cfg_create( - name, ike, cert_policy, uniqueid, - keyingtries, rekeytime, reauthtime, jitter, overtime, - mobike, FALSE, TRUE, dpd_delay, 0, - mediation, mediated_cfg, peer_id); + peer_cfg_create_t peer = { + .cert_policy = cert_policy, + .unique = uniqueid, + .keyingtries = keyingtries, + .rekey_time = rekeytime, + .reauth_time = reauthtime, + .jitter_time = jitter, + .over_time = overtime, + .no_mobike = !mobike, + .dpd = dpd_delay, +#ifdef ME + .mediation = mediation, + .mediated_by = mediated_cfg, + .peer_id = peer_id, +#endif /* ME */ + }; + + peer_cfg = peer_cfg_create(name, ike, &peer); if (vip) { peer_cfg->add_virtual_ip(peer_cfg, vip); diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 9789163b7..f2d110434 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -616,12 +616,17 @@ static mem_pool_t *create_pool_range(char *str) static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, stroke_msg_t *msg, ike_cfg_t *ike_cfg) { - identification_t *peer_id = NULL; - peer_cfg_t *mediated_by = NULL; - unique_policy_t unique; - uint32_t rekey = 0, reauth = 0, over, jitter; peer_cfg_t *peer_cfg; auth_cfg_t *auth_cfg; + peer_cfg_create_t peer = { + .cert_policy = msg->add_conn.me.sendcert, + .keyingtries = msg->add_conn.rekey.tries, + .no_mobike = !msg->add_conn.mobike, + .aggressive = msg->add_conn.aggressive, + .push_mode = msg->add_conn.pushmode, + .dpd = msg->add_conn.dpd.delay, + .dpd_timeout = msg->add_conn.dpd.timeout, + }; #ifdef ME if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by) @@ -633,14 +638,17 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, if (msg->add_conn.ikeme.mediation) { + peer.mediation = TRUE; /* force unique connections for mediation connections */ msg->add_conn.unique = 1; } if (msg->add_conn.ikeme.mediated_by) { - mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->add_conn.ikeme.mediated_by); + peer_cfg_t *mediated_by; + + mediated_by = charon->backends->get_peer_cfg_by_name( + charon->backends, msg->add_conn.ikeme.mediated_by); if (!mediated_by) { DBG1(DBG_CFG, "mediation connection '%s' not found, aborting", @@ -655,58 +663,55 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, mediated_by->destroy(mediated_by); return NULL; } + peer.mediated_by = mediated_by; if (msg->add_conn.ikeme.peerid) { - peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid); + peer.peer_id = identification_create_from_string( + msg->add_conn.ikeme.peerid); } else if (msg->add_conn.other.id) { - peer_id = identification_create_from_string(msg->add_conn.other.id); + peer.peer_id = identification_create_from_string( + msg->add_conn.other.id); } } #endif /* ME */ - jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; - over = msg->add_conn.rekey.margin; + peer.jitter_time = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; + peer.over_time = msg->add_conn.rekey.margin; if (msg->add_conn.rekey.reauth) { - reauth = msg->add_conn.rekey.ike_lifetime - over; + peer.reauth_time = msg->add_conn.rekey.ike_lifetime - peer.over_time; } else { - rekey = msg->add_conn.rekey.ike_lifetime - over; + peer.rekey_time = msg->add_conn.rekey.ike_lifetime - peer.over_time; } switch (msg->add_conn.unique) { case 1: /* yes */ case 2: /* replace */ - unique = UNIQUE_REPLACE; + peer.unique = UNIQUE_REPLACE; break; case 3: /* keep */ - unique = UNIQUE_KEEP; + peer.unique = UNIQUE_KEEP; break; case 4: /* never */ - unique = UNIQUE_NEVER; + peer.unique = UNIQUE_NEVER; break; default: /* no */ - unique = UNIQUE_NO; + peer.unique = UNIQUE_NO; break; } if (msg->add_conn.dpd.action == 0) { /* dpdaction=none disables DPD */ - msg->add_conn.dpd.delay = 0; + peer.dpd = 0; } /* other.sourceip is managed in stroke_attributes. If it is set, we define * the pool name as the connection name, which the attribute provider * uses to serve pool addresses. */ - peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, - msg->add_conn.me.sendcert, unique, - msg->add_conn.rekey.tries, rekey, reauth, jitter, over, - msg->add_conn.mobike, msg->add_conn.aggressive, - msg->add_conn.pushmode == 0, - msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout, - msg->add_conn.ikeme.mediation, mediated_by, peer_id); + peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, &peer); if (msg->add_conn.other.sourceip) { diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index 8d76bb454..e0578fe9b 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -126,6 +126,14 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, child_cfg_t *child_cfg; ike_cfg_t *ike_cfg; auth_cfg_t *auth; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_NO, + .keyingtries = 1, + .jitter_time = 1800, + .over_time = 900, + .dpd = 60, + }; child_cfg_create_t child = { .lifetime = { .time = { @@ -160,13 +168,8 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, remote_addr, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE)); - this->peer_cfg = peer_cfg_create( - name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO, - 1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */ - 1800, 900, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 60, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation, med by, peer id */ + peer.rekey_time = create_rekey(ike_rekey); + this->peer_cfg = peer_cfg_create(name, ike_cfg, &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); auth->add(auth, AUTH_RULE_IDENTITY, diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index f1c2fa860..e3fd9e9e3 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -1979,6 +1979,7 @@ CALLBACK(config_sn, bool, .rand_time = LFT_UNDEFINED, }; enumerator_t *enumerator; + peer_cfg_create_t cfg; peer_cfg_t *peer_cfg; ike_cfg_t *ike_cfg; child_cfg_t *child_cfg; @@ -2075,12 +2076,22 @@ CALLBACK(config_sn, bool, peer.local_addrs, peer.local_port, peer.remote_addrs, peer.remote_port, peer.fragmentation, 0); - peer_cfg = peer_cfg_create(name, ike_cfg, peer.send_cert, peer.unique, - peer.keyingtries, peer.rekey_time, peer.reauth_time, - peer.rand_time, peer.over_time, peer.mobike, - peer.aggressive, peer.pull, - peer.dpd_delay, peer.dpd_timeout, - FALSE, NULL, NULL); + + cfg = (peer_cfg_create_t){ + .cert_policy = peer.send_cert, + .unique = peer.unique, + .keyingtries = peer.keyingtries, + .rekey_time = peer.rekey_time, + .reauth_time = peer.reauth_time, + .jitter_time = peer.rand_time, + .over_time = peer.over_time, + .no_mobike = !peer.mobike, + .aggressive = peer.aggressive, + .push_mode = !peer.pull, + .dpd = peer.dpd_delay, + .dpd_timeout = peer.dpd_timeout, + }; + peer_cfg = peer_cfg_create(name, ike_cfg, &cfg); while (peer.local->remove_first(peer.local, (void**)&auth) == SUCCESS) |