diff options
Diffstat (limited to 'src/charon/config')
| -rw-r--r-- | src/charon/config/backends/local_backend.c | 7 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.c | 32 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.h | 21 |
3 files changed, 49 insertions, 11 deletions
diff --git a/src/charon/config/backends/local_backend.c b/src/charon/config/backends/local_backend.c index 2e80cc870..b5795098a 100644 --- a/src/charon/config/backends/local_backend.c +++ b/src/charon/config/backends/local_backend.c @@ -146,6 +146,13 @@ static peer_cfg_t *get_peer_cfg(private_local_backend_t *this, int prio = (wc1 + wc2) * (MAX_CA_PATH_LEN + 1); int pathlen = 0; identification_t *other_candidate_ca = current->get_other_ca(current); + linked_list_t *groups = current->get_groups(current); + + /* is a group membership required? */ + if (groups->get_count(groups) > 0) + { + DBG1(DBG_CFG, " group membership required"); + } /* are there any ca constraints? */ if (other_candidate_ca->get_type(other_candidate_ca) != ID_ANY) diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index 4a802d551..6733df08c 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -28,6 +28,7 @@ #include <utils/linked_list.h> #include <utils/identification.h> +#include <crypto/ietf_attr_list.h> ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND, "CERT_ALWAYS_SEND", @@ -105,6 +106,11 @@ struct private_peer_cfg_t { identification_t *other_ca; /** + * we require the other end to belong to at least one group + */ + linked_list_t *groups; + + /** * should we send a certificate */ cert_policy_t cert_policy; @@ -279,10 +285,21 @@ static identification_t *get_my_ca(private_peer_cfg_t *this) return this->my_ca; } +/** + * Implementation of peer_cfg_t.get_other_ca + */ static identification_t *get_other_ca(private_peer_cfg_t *this) { return this->other_ca; -} +} + +/** + * Implementation of peer_cfg_t.get_groups + */ +static linked_list_t *get_groups(private_peer_cfg_t *this) +{ + return this->groups; +} /** * Implementation of peer_cfg_t.get_cert_policy. @@ -417,9 +434,9 @@ static void destroy(private_peer_cfg_t *this) this->other_id->destroy(this->other_id); DESTROY_IF(this->my_ca); DESTROY_IF(this->other_ca); - DESTROY_IF(this->my_virtual_ip); DESTROY_IF(this->other_virtual_ip); + ietfAttr_list_destroy(this->groups); free(this->name); free(this); } @@ -431,10 +448,11 @@ static void destroy(private_peer_cfg_t *this) peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, identification_t *my_id, identification_t *other_id, identification_t *my_ca, identification_t *other_ca, - cert_policy_t cert_policy, auth_method_t auth_method, - eap_type_t eap_type, u_int32_t keyingtries, - u_int32_t lifetime, u_int32_t rekeytime, - u_int32_t jitter, bool reauth, bool mobike, + linked_list_t *groups, cert_policy_t cert_policy, + auth_method_t auth_method, eap_type_t eap_type, + u_int32_t keyingtries, u_int32_t lifetime, + u_int32_t rekeytime, u_int32_t jitter, + bool reauth, bool mobike, u_int32_t dpd_delay, dpd_action_t dpd_action, host_t *my_virtual_ip, host_t *other_virtual_ip) { @@ -451,6 +469,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id; this->public.get_my_ca = (identification_t* (*)(peer_cfg_t *))get_my_ca; this->public.get_other_ca = (identification_t* (*)(peer_cfg_t *))get_other_ca; + this->public.get_groups = (linked_list_t* (*)(peer_cfg_t *))get_groups; this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy; this->public.get_auth_method = (auth_method_t (*) (peer_cfg_t *))get_auth_method; this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *))get_eap_type; @@ -475,6 +494,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->other_id = other_id; this->my_ca = my_ca; this->other_ca = other_ca; + this->groups = groups; this->cert_policy = cert_policy; this->auth_method = auth_method; this->eap_type = eap_type; diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h index edbcd956c..1c6051f16 100644 --- a/src/charon/config/peer_cfg.h +++ b/src/charon/config/peer_cfg.h @@ -30,6 +30,7 @@ typedef struct peer_cfg_t peer_cfg_t; #include <library.h> #include <utils/identification.h> +#include <utils/linked_list.h> #include <config/traffic_selector.h> #include <config/proposal.h> #include <config/ike_cfg.h> @@ -194,7 +195,7 @@ struct peer_cfg_t { identification_t* (*get_my_ca)(peer_cfg_t *this); /** - * @brief Get peers CA. + * @brief Get peer CA. * * @param this calling object * @return other ca @@ -202,6 +203,14 @@ struct peer_cfg_t { identification_t* (*get_other_ca)(peer_cfg_t *this); /** + * @brief Get list of group attributes. + * + * @param this calling object + * @return linked list of group attributes + */ + linked_list_t* (*get_groups)(peer_cfg_t *this); + + /** * @brief Should be sent a certificate for this connection? * * @param this calling object @@ -347,6 +356,7 @@ struct peer_cfg_t { * @param other_id identification_t for the remote guy * @param my_ca CA to use for us * @param other_ca CA to use for other + * @param groups list of group memberships * @param cert_policy should we send a certificate payload? * @param auth_method auth method to use to authenticate us * @param eap_type EAP type to use for peer authentication @@ -367,10 +377,11 @@ struct peer_cfg_t { peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg, identification_t *my_id, identification_t *other_id, identification_t *my_ca, identification_t *other_ca, - cert_policy_t cert_policy, auth_method_t auth_method, - eap_type_t eap_type, u_int32_t keyingtries, - u_int32_t lifetime, u_int32_t rekeytime, - u_int32_t jitter, bool use_reauth, bool use_mobike, + linked_list_t *groups, cert_policy_t cert_policy, + auth_method_t auth_method, eap_type_t eap_type, + u_int32_t keyingtries, u_int32_t lifetime, + u_int32_t rekeytime, u_int32_t jitter, + bool reauth, bool mobike, u_int32_t dpd_delay, dpd_action_t dpd_action, host_t *my_virtual_ip, host_t *other_virtual_ip); |