-rw-r--r-- | src/charon/config/policies/local_policy_store.c | 2 | ||||
-rw-r--r-- | src/charon/config/policies/policy.c | 96 | ||||
-rw-r--r-- | src/charon/config/policies/policy.h | 71 |
3 files changed, 138 insertions, 31 deletions
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
index 9ab894818..1ad0aaa9d 100644
--- a/src/charon/config/policies/local_policy_store.c
+++ b/src/charon/config/policies/local_policy_store.c
@@ -179,7 +179,7 @@ static policy_t *get_policy(private_local_policy_store_t *this,
 identification_t *found_my_id = found->get_my_id(found);
 identification_t *found_other_id = found->get_other_id(found);
- this->logger->log(this->logger, CONTROL|LEVEL1,
+ this->logger->log(this->logger, CONTROL,
 "found matching policy '%s': %s...%s (prio=%d)", found->get_name(found), found_my_id->get_string(found_my_id),
diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c
index f64447a52..e3a1100b9 100644
--- a/src/charon/config/policies/policy.c
+++ b/src/charon/config/policies/policy.c
@@ -31,13 +31,31 @@
 #include <utils/identification.h>
 #include <utils/logger_manager.h>
-mapping_t dpd_action_m[] = {
- {DPD_CLEAR, "DPD_CLEAR"},
- {DPD_ROUTE, "DPD_ROUTE"},
- {DPD_RESTART, "DPD_RESTART"},
- {MAPPING_END, NULL},
+/**
+ * String mappings for auth_method_t.
+ */
+static const char *const auth_method_name[] = {
+ "RSA signature",
+ "pre-shared key",
+ "DSS signature"
+};
+
+enum_names auth_method_names =
+ { RSA_DIGITAL_SIGNATURE, DSS_DIGITAL_SIGNATURE, auth_method_name, NULL };
+
+/**
+ * String mappings for dpd_action_t.
+ */
+static const char *const dpd_action_name[] = {
+ "DPD_NONE",
+ "DPD_CLEAR",
+ "DPD_ROUTE",
+ "DPD_RESTART"
 };
+enum_names dpd_action_names =
+ { DPD_NONE, DPD_RESTART, dpd_action_name, NULL };
+
 typedef struct private_policy_t private_policy_t;
 /**
@@ -71,6 +89,11 @@ struct private_policy_t {
 identification_t *other_id;
 /**
+ * Method to use for own authentication data
+ */
+ auth_method_t auth_method;
+
+ /**
 * we have a cert issued by this CA
 */
 identification_t *my_ca;
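Review bot: The new `auth_method_name[]` and `dpd_action_name[]` tables are positional, so they label values correctly only while the enums stay contiguous and start where the `enum_names` initializers say (RSA_DIGITAL_SIGNATURE = 1 through DSS_DIGITAL_SIGNATURE = 3 in policy.h; DPD_NONE through DPD_RESTART), and the first/last bounds are repeated by hand in each initializer. A constant inserted into either enum later would silently shift every label after it, which matters when the authentication method printed in a log line is what an operator relies on to diagnose a failed IKE_SA. Suggest a one-line comment on each table, e.g. `/* positional: index = value - RSA_DIGITAL_SIGNATURE; keep in sync with auth_method_t in policy.h */`, or a compile-time size check if the project has one. Note also that `"pre-shared key"` is the only entry that does not echo its constant name (SHARED_KEY_MESSAGE_INTEGRITY_CODE), so anyone grepping logs for the enum name will miss it.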
@@ -86,6 +109,11 @@ struct private_policy_t {
 char *updown;
 /**
+ * allow host access
+ */
+ bool hostaccess;
+
+ /**
 * list for all proposals
 */
 linked_list_t *proposals;
@@ -152,6 +180,14 @@ static identification_t *get_other_id(private_policy_t *this)
 }
 /**
+ * Implementation of connection_t.auth_method_t.
+ */
+static auth_method_t get_auth_method(private_policy_t *this)
+{
+ return this->auth_method;
+}
+
+/**
 * Get traffic selectors, with wildcard-address update
 */
 static linked_list_t *get_traffic_selectors(private_policy_t *this, linked_list_t *list, host_t *host)
@@ -341,6 +377,14 @@ static char* get_updown(private_policy_t *this)
 }
 /**
+ * Implementation of policy_t.get_hostaccess
+ */
+static bool get_hostaccess(private_policy_t *this)
+{
+ return this->hostaccess;
+}
+
+/**
 * Implements policy_t.get_dpd_action
 */
 static dpd_action_t get_dpd_action(private_policy_t *this)
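Review bot: The doc comment on the new `get_auth_method` in the @@ -152 hunk reads `Implementation of connection_t.auth_method_t.`, but the function implements the `policy_t.get_auth_method` member added in policy.h; suggest `Implementation of policy_t.get_auth_method.`, which also matches the sibling comment on `get_hostaccess` in the @@ -341 hunk. The new `hostaccess` field in the @@ -86 hunk carries only `allow host access`, whereas the header documents the parameter as allowing access to the host itself for the updown script; repeating that here, e.g. `allow access to the host itself (consumed by the updown script)`, tells the reader that this flag widens what the updown script permits rather than being an internal bookkeeping bit. Both accessors just return the stored field, so no further check is needed in them.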
@@ -461,40 +505,46 @@ static void destroy(private_policy_t *this)
 * Described in header-file
 */
 policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id,
+ auth_method_t auth_method,
 u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter, char *updown, dpd_action_t dpd_action)
+ u_int32_t jitter, char *updown, bool hostaccess,
+ dpd_action_t dpd_action)
 {
 private_policy_t *this = malloc_thing(private_policy_t);
 /* public functions */
- this->public.get_name = (char *(*)(policy_t*))get_name;
- this->public.get_my_id = (identification_t*(*)(policy_t*))get_my_id;
- this->public.get_other_id = (identification_t*(*)(policy_t*))get_other_id;
- this->public.get_my_traffic_selectors = (linked_list_t*(*)(policy_t*,host_t*))get_my_traffic_selectors;
- this->public.get_other_traffic_selectors = (linked_list_t*(*)(policy_t*,host_t*))get_other_traffic_selectors;
- this->public.select_my_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
- this->public.select_other_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
- this->public.get_proposals = (linked_list_t*(*)(policy_t*))get_proposals;
- this->public.select_proposal = (proposal_t*(*)(policy_t*,linked_list_t*))select_proposal;
- this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
- this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
- this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
- this->public.add_authorities = (void(*)(policy_t*,identification_t*, identification_t*))add_authorities;
- this->public.get_updown = (char*(*)(policy_t*))get_updown;
- this->public.get_dpd_action = (dpd_action_t(*)(policy_t*))get_dpd_action;
+ this->public.get_name = (char* (*) (policy_t*))get_name;
+ this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id;
+ this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id;
+ this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method;
+ this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors;
+ this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors;
+ this->public.select_my_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
+ this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
+ this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals;
+ this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal;
+ this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector;
+ this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector;
+ this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal;
+ this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities;
+ this->public.get_updown = (char* (*) (policy_t*))get_updown;
+ this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess;
+ this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action;
 this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
 this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
- this->public.get_ref = (void(*)(policy_t*))get_ref;
- this->public.destroy = (void(*)(policy_t*))destroy;
+ this->public.get_ref = (void (*) (policy_t*))get_ref;
+ this->public.destroy = (void (*) (policy_t*))destroy;
 /* apply init values */
 this->name = strdup(name);
 this->my_id = my_id;
 this->other_id = other_id;
+ this->auth_method = auth_method;
 this->hard_lifetime = hard_lifetime;
 this->soft_lifetime = soft_lifetime;
 this->jitter = jitter;
 this->updown = (updown == NULL) ? NULL : strdup(updown);
+ this->hostaccess = hostaccess;
 this->dpd_action = dpd_action;
 /* initialize private members*/
diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h
index 48d9f70e7..6d80319b4 100644
--- a/src/charon/config/policies/policy.h
+++ b/src/charon/config/policies/policy.h
@@ -28,7 +28,41 @@
 #include <utils/identification.h>
 #include <config/traffic_selector.h>
 #include <config/proposal.h>
-#include <encoding/payloads/auth_payload.h>
+
+typedef enum auth_method_t auth_method_t;
+
+/**
+ * AUTH Method to use.
+ *
+ * @ingroup config
+ */
+enum auth_method_t {
+ /**
+ * Computed as specified in section 2.15 of RFC using
+ * an RSA private key over a PKCS#1 padded hash.
+ */
+ RSA_DIGITAL_SIGNATURE = 1,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using the
+ * shared key associated with the identity in the ID payload
+ * and the negotiated prf function
+ */
+ SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using a
+ * DSS private key over a SHA-1 hash.
+ */
+ DSS_DIGITAL_SIGNATURE = 3,
+};
+
+/**
+ * string mappings for auth_method_t.
+ *
+ * @ingroup config
+ */
+extern enum_names auth_method_names;
 typedef enum dpd_action_t dpd_action_t;
@@ -41,18 +75,20 @@ typedef enum dpd_action_t dpd_action_t;
 * @ingroup config
 */
 enum dpd_action_t {
+ /** DPD disabled */
+ DPD_NONE,
 /** remove CHILD_SA without replacement */
- DPD_CLEAR = 1,
+ DPD_CLEAR,
 /** route the CHILD_SA to resetup when needed */
- DPD_ROUTE = 2,
+ DPD_ROUTE,
 /** restart CHILD_SA in a new IKE_SA, immediately */
- DPD_RESTART = 3,
+ DPD_RESTART,
 };
 /**
- * String mappings for dpd_action_t
+ * String mappings for dpd_action_t.
 */
-extern mapping_t dpd_action_m[];
+extern enum_names dpd_action_names;
 typedef struct policy_t policy_t;
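Review bot: `this->auth_method = auth_method;` and `this->hostaccess = hostaccess;` store the new arguments without any range check, and policy_create is also where `name` and `updown` are duplicated, so it is the natural choke point for values coming from configuration; the name table in this file only covers RSA_DIGITAL_SIGNATURE..DSS_DIGITAL_SIGNATURE, so an out-of-range `auth_method` would presumably surface only later, when the method is used or logged. If the caller is expected to validate, say so above the assignment (`/* auth_method is assumed to be validated by the config parser */`); otherwise a guard here is cheap. Separately, most of this hunk is whitespace-only rewriting of the fifteen existing function-pointer casts (`(char *(*)(policy_t*))` → `(char* (*) (policy_t*))`), which buries the two functional additions; keeping the reformat in its own commit would make the change reviewable. The function body continues past the end of the hunk.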
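Review bot: `enum auth_method_t` is now defined in policy.h with explicit values 1..3 while the include of `encoding/payloads/auth_payload.h` is dropped; these numbers look like the codes carried in the IKEv2 AUTH payload's Auth Method field, and the three member comments cite `section 2.15 of RFC` without naming the RFC (presumably RFC 4306). Because the value ends up on the wire, a mismatch between this enum and whatever the payload code encodes would be a protocol bug rather than a cosmetic one; if auth_payload.h keeps its own definition, a comment on the enum such as `/* values are the IKEv2 AUTH payload Auth Method codes; keep in sync with auth_payload.h */`, and the RFC number in the member comments, would make the coupling visible. In the following @@ -41 hunk, inserting `DPD_NONE` first and dropping the explicit `= 1..3` leaves DPD_CLEAR..DPD_RESTART at 1..3, so existing numeric configuration values are unaffected; stating that in the `DPD disabled` comment would save the next reader the same arithmetic.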
@@ -101,6 +137,14 @@ struct policy_t {
 identification_t *(*get_other_id) (policy_t *this);
 /**
+ * @brief Get the authentication method to use.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ auth_method_t (*get_auth_method) (policy_t *this);
+
+ /**
 * @brief Get configured traffic selectors for our site.
 *
 * Returns a list with all traffic selectors for the local
@@ -228,6 +272,14 @@ struct policy_t {
 char* (*get_updown) (policy_t *this);
 /**
+ * @brief Get hostaccess flag
+ *
+ * @param this calling object
+ * @return value of hostaccess flag
+ */
+ bool (*get_hostaccess) (policy_t *this);
+
+ /**
 * @brief What should be done with a CHILD_SA, when other peer does not respond.
 *
 * @param this calling object
@@ -292,10 +344,12 @@ struct policy_t {
 * @param name name of the policy
 * @param my_id identification_t for ourselves
 * @param other_id identification_t for the remote guy
+ * @param auth_method Authentication method to use for our(!) auth data
 * @param hard_lifetime lifetime before deleting an SA
 * @param soft_lifetime lifetime before rekeying an SA
 * @param jitter range of randomization time
 * @param updown updown script to execute on up/down event
+ * @param hostaccess allow access to the host itself (used by the updown script)
 * @param dpd_action what to to with a CHILD_SA when other peer does not respond
 * @return policy_t object
 *
@@ -303,7 +357,10 @@ struct policy_t {
 */
 policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id,
+ auth_method_t auth_method,
 u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter, char *updown, dpd_action_t dpd_action);
+ u_int32_t jitter,
+ char *updown, bool hostaccess,
+ dpd_action_t dpd_action);
 #endif /* POLICY_H_ */
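Review bot: The header doc for the new `get_auth_method` member says only `Get the authentication method to use.`, while the policy_create documentation in the @@ -292 hunk qualifies it as `Authentication method to use for our(!) auth data`; since a policy also has a peer side, the accessor's @brief should carry the same qualification, e.g. `@brief Get the authentication method to use for our own authentication data.` The `get_hostaccess` @brief in the @@ -228 hunk (`Get hostaccess flag`) would likewise benefit from the meaning already given in the @param text, `allow access to the host itself (used by the updown script)`, so a reader of the interface does not have to find the constructor to learn what the flag permits. The enclosing `struct policy_t` starts and ends outside these hunks.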