Diffstat (limited to 'src/charon')
-rw-r--r--src/charon/config/backends/local_backend.c7
-rw-r--r--src/charon/config/peer_cfg.c32
-rw-r--r--src/charon/config/peer_cfg.h21
-rwxr-xr-xsrc/charon/control/interfaces/stroke_interface.c22
4 files changed, 70 insertions, 12 deletions
diff --git a/src/charon/config/backends/local_backend.c b/src/charon/config/backends/local_backend.c
index 2e80cc870..b5795098a 100644
--- a/src/charon/config/backends/local_backend.c
+++ b/src/charon/config/backends/local_backend.c
@@ -146,6 +146,13 @@ static peer_cfg_t *get_peer_cfg(private_local_backend_t *this,
int prio = (wc1 + wc2) * (MAX_CA_PATH_LEN + 1);
int pathlen = 0;
identification_t *other_candidate_ca = current->get_other_ca(current);
+ linked_list_t *groups = current->get_groups(current);
+
+ /* is a group membership required? */
+ if (groups->get_count(groups) > 0)
+ {
+ DBG1(DBG_CFG, " group membership required");
+ }
/* are there any ca constraints? */
if (other_candidate_ca->get_type(other_candidate_ca) != ID_ANY)
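Review bot: `groups->get_count(groups)` on the added line dereferences the list from `get_groups` with no NULL check, while peer_cfg_create stores whatever pointer a backend hands it, so a backend passing NULL for `groups` would crash here. Beyond the DBG1 line the requirement does not influence candidate selection or `prio` at all, so presumably membership is enforced later during peer authentication; a comment stating that would spare the next reader the question, e.g. `/* membership is verified at authentication time; only logged here */`. get_peer_cfg starts and ends outside the hunk.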
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 4a802d551..6733df08c 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -28,6 +28,7 @@
#include <utils/linked_list.h>
#include <utils/identification.h>
+#include <crypto/ietf_attr_list.h>
ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
"CERT_ALWAYS_SEND",
@@ -105,6 +106,11 @@ struct private_peer_cfg_t {
identification_t *other_ca;
/**
+ * we require the other end to belong to at least one group
+ */
+ linked_list_t *groups;
+
+ /**
* should we send a certificate
*/
cert_policy_t cert_policy;
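Review bot: The new field comment says what the list means but not who owns it; since destroy() releases it with ietfAttr_list_destroy, that belongs in the comment: `* list of groups the peer must belong to (at least one); owned and freed by this peer_cfg`. The private_peer_cfg_t struct continues outside the hunk.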
@@ -279,10 +285,21 @@ static identification_t *get_my_ca(private_peer_cfg_t *this)
return this->my_ca;
}
+/**
+ * Implementation of peer_cfg_t.get_other_ca
+ */
static identification_t *get_other_ca(private_peer_cfg_t *this)
{
return this->other_ca;
-}
+}
+
+/**
+ * Implementation of peer_cfg_t.get_groups
+ */
+static linked_list_t *get_groups(private_peer_cfg_t *this)
+{
+ return this->groups;
+}
/**
* Implementation of peer_cfg_t.get_cert_policy.
@@ -417,9 +434,9 @@ static void destroy(private_peer_cfg_t *this)
this->other_id->destroy(this->other_id);
DESTROY_IF(this->my_ca);
DESTROY_IF(this->other_ca);
-
DESTROY_IF(this->my_virtual_ip);
DESTROY_IF(this->other_virtual_ip);
+ ietfAttr_list_destroy(this->groups);
free(this->name);
free(this);
}
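Review bot: `ietfAttr_list_destroy(this->groups)` is called unconditionally while the neighbouring pointers go through DESTROY_IF; unless ietfAttr_list_destroy tolerates NULL (not visible in this diff), a config created with `groups == NULL` would crash on teardown. Either document in peer_cfg_create that `groups` must be a valid list, or guard the call: `if (this->groups) ietfAttr_list_destroy(this->groups);`. destroy() starts outside the hunk.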
@@ -431,10 +448,11 @@ static void destroy(private_peer_cfg_t *this)
peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
identification_t *my_id, identification_t *other_id,
identification_t *my_ca, identification_t *other_ca,
- cert_policy_t cert_policy, auth_method_t auth_method,
- eap_type_t eap_type, u_int32_t keyingtries,
- u_int32_t lifetime, u_int32_t rekeytime,
- u_int32_t jitter, bool reauth, bool mobike,
+ linked_list_t *groups, cert_policy_t cert_policy,
+ auth_method_t auth_method, eap_type_t eap_type,
+ u_int32_t keyingtries, u_int32_t lifetime,
+ u_int32_t rekeytime, u_int32_t jitter,
+ bool reauth, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip)
{
@@ -451,6 +469,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
this->public.get_my_ca = (identification_t* (*)(peer_cfg_t *))get_my_ca;
this->public.get_other_ca = (identification_t* (*)(peer_cfg_t *))get_other_ca;
+ this->public.get_groups = (linked_list_t* (*)(peer_cfg_t *))get_groups;
this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
this->public.get_auth_method = (auth_method_t (*) (peer_cfg_t *))get_auth_method;
this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *))get_eap_type;
@@ -475,6 +494,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->other_id = other_id;
this->my_ca = my_ca;
this->other_ca = other_ca;
+ this->groups = groups;
this->cert_policy = cert_policy;
this->auth_method = auth_method;
this->eap_type = eap_type;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index edbcd956c..1c6051f16 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -30,6 +30,7 @@ typedef struct peer_cfg_t peer_cfg_t;
#include <library.h>
#include <utils/identification.h>
+#include <utils/linked_list.h>
#include <config/traffic_selector.h>
#include <config/proposal.h>
#include <config/ike_cfg.h>
@@ -194,7 +195,7 @@ struct peer_cfg_t {
identification_t* (*get_my_ca)(peer_cfg_t *this);
/**
- * @brief Get peers CA.
+ * @brief Get peer CA.
*
* @param this calling object
* @return other ca
@@ -202,6 +203,14 @@ struct peer_cfg_t {
identification_t* (*get_other_ca)(peer_cfg_t *this);
/**
+ * @brief Get list of group attributes.
+ *
+ * @param this calling object
+ * @return linked list of group attributes
+ */
+ linked_list_t* (*get_groups)(peer_cfg_t *this);
+
+ /**
* @brief Should be sent a certificate for this connection?
*
* @param this calling object
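Review bot: The @return of get_groups should say that the list is the config's internal list, not a copy: destroy() frees it and the stroke reuse check only reads it, so a caller that modifies or destroys the returned list corrupts the config. Suggest `@return linked list of group attributes, owned by this peer_cfg; read-only for the caller`. The peer_cfg_t struct continues outside the hunk.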
@@ -347,6 +356,7 @@ struct peer_cfg_t {
* @param other_id identification_t for the remote guy
* @param my_ca CA to use for us
* @param other_ca CA to use for other
+ * @param groups list of group memberships
* @param cert_policy should we send a certificate payload?
* @param auth_method auth method to use to authenticate us
* @param eap_type EAP type to use for peer authentication
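Review bot: `@param groups list of group memberships` leaves ownership unstated, yet destroy() releases the list, so the caller must not free it after the call (stroke_add_conn hands other_groups over and never destroys it on the create path). Suggest `@param groups list of group memberships the peer must hold; ownership passes to the peer_cfg`. The doc comment continues outside the hunk.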
@@ -367,10 +377,11 @@ struct peer_cfg_t {
peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
identification_t *my_id, identification_t *other_id,
identification_t *my_ca, identification_t *other_ca,
- cert_policy_t cert_policy, auth_method_t auth_method,
- eap_type_t eap_type, u_int32_t keyingtries,
- u_int32_t lifetime, u_int32_t rekeytime,
- u_int32_t jitter, bool use_reauth, bool use_mobike,
+ linked_list_t *groups, cert_policy_t cert_policy,
+ auth_method_t auth_method, eap_type_t eap_type,
+ u_int32_t keyingtries, u_int32_t lifetime,
+ u_int32_t rekeytime, u_int32_t jitter,
+ bool reauth, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip);
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
index 7350c11d2..0da646532 100755
--- a/src/charon/control/interfaces/stroke_interface.c
+++ b/src/charon/control/interfaces/stroke_interface.c
@@ -38,6 +38,7 @@
#include <stroke.h>
#include <daemon.h>
#include <crypto/x509.h>
+#include <crypto/ietf_attr_list.h>
#include <crypto/ac.h>
#include <crypto/ca.h>
#include <crypto/crl.h>
@@ -238,6 +239,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
bool other_ca_same =FALSE;
host_t *my_host, *other_host, *my_subnet, *other_subnet;
host_t *my_vip = NULL, *other_vip = NULL;
+ linked_list_t *my_groups = linked_list_create();
+ linked_list_t *other_groups = linked_list_create();
proposal_t *proposal;
traffic_selector_t *my_ts, *other_ts;
char *interface;
@@ -475,6 +478,11 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
DBG2(DBG_CFG, " my ca: '%D'", my_ca);
DBG2(DBG_CFG, " other ca:'%D'", other_ca);
+ if (msg->add_conn.other.groups)
+ {
+ ietfAttr_list_create_from_string(msg->add_conn.other.groups, other_groups);
+ }
+
/* have a look for an (almost) identical peer config to reuse */
iterator = charon->backends->create_iterator(charon->backends);
while (iterator->iterate(iterator, (void**)&peer_cfg))
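Review bot: The result of `ietfAttr_list_create_from_string` is ignored; if that helper can fail on a malformed `groups` string from the stroke message, the connection is installed with an empty list, which the local_backend hunk treats as "no membership required", so a parse error would silently loosen policy. If the helper reports failure, reject the conn here; if it cannot, make the fallback explicit with `/* an empty or unparsable group string imposes no membership constraint */`. I cannot see the helper's signature in this diff. stroke_add_conn starts and ends outside the hunk.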
@@ -485,6 +493,7 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
&& my_host->equals(my_host, ike_cfg->get_my_host(ike_cfg))
&& other_host->equals(other_host, ike_cfg->get_other_host(ike_cfg))
&& other_ca->equals(other_ca, peer_cfg->get_other_ca(peer_cfg))
+ && ietfAttr_list_equals(other_groups, peer_cfg->get_groups(peer_cfg))
&& peer_cfg->get_ike_version(peer_cfg) == (msg->add_conn.ikev2 ? 2 : 1)
&& peer_cfg->get_auth_method(peer_cfg) == msg->add_conn.auth_method
&& peer_cfg->get_eap_type(peer_cfg) == msg->add_conn.eap_type)
@@ -507,6 +516,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
other_host->destroy(other_host);
other_id->destroy(other_id);
other_ca->destroy(other_ca);
+ ietfAttr_list_destroy(my_groups);
+ ietfAttr_list_destroy(other_groups);
}
else
{
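Review bot: `my_groups` is freed only in this reuse branch; in the else branch only other_groups is passed to peer_cfg_create and nothing visible releases `my_groups`, so it leaks on every newly created connection unless it is freed in code outside these hunks. No hunk ever populates `my_groups`, so the simplest fix is to drop it: remove `linked_list_t *my_groups = linked_list_create();` and the matching `ietfAttr_list_destroy(my_groups);`. Early returns between the allocation and this point may also leak both lists; they are outside the hunk.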
@@ -554,7 +565,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
peer_cfg = peer_cfg_create(msg->add_conn.name, msg->add_conn.ikev2 ? 2 : 1,
- ike_cfg, my_id, other_id, my_ca, other_ca, msg->add_conn.me.sendcert,
+ ike_cfg, my_id, other_id, my_ca, other_ca, other_groups,
+ msg->add_conn.me.sendcert,
msg->add_conn.auth_method, msg->add_conn.eap_type,
msg->add_conn.rekey.tries, msg->add_conn.rekey.ike_lifetime,
msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
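Review bot: After this call other_groups belongs to the new peer_cfg (destroy() frees it), and nothing at the call site says so; a comment would prevent a later double free when someone adds cleanup to this branch: `/* other_groups is now owned by peer_cfg; do not destroy it here */`. The call continues past the hunk.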
@@ -1251,6 +1263,7 @@ static void stroke_status(stroke_msg_t *msg, FILE *out, bool all)
{
identification_t *my_ca = peer_cfg->get_my_ca(peer_cfg);
identification_t *other_ca = peer_cfg->get_other_ca(peer_cfg);
+ linked_list_t *groups = peer_cfg->get_groups(peer_cfg);
if (my_ca->get_type(my_ca) != ID_ANY
|| other_ca->get_type(other_ca) != ID_ANY)
@@ -1258,6 +1271,13 @@ static void stroke_status(stroke_msg_t *msg, FILE *out, bool all)
fprintf(out, "%12s: CAs: '%D'...'%D'\n", peer_cfg->get_name(peer_cfg),
my_ca, other_ca);
}
+ if (groups->get_count(groups) > 0)
+ {
+ fprintf(out, "%12s: groups: ", peer_cfg->get_name(peer_cfg));
+ ietfAttr_list_list(groups, out);
+ fprintf(out, "\n");
+ }
+
}
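Review bot: The added block leaves a stray blank line before the closing brace (the `+` line after `fprintf(out, "\n");`); drop it to match the surrounding style. The enclosing loop starts and ends outside the hunk.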
children = peer_cfg->create_child_cfg_iterator(peer_cfg);
while (children->iterate(children, (void**)&child_cfg))