Diffstat (limited to 'src/pluto/constants.h')
-rw-r--r--src/pluto/constants.h44
1 files changed, 39 insertions, 5 deletions
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index c8946be37..bbacd2f50 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -506,11 +506,18 @@ enum state_kind {
STATE_INFO,
STATE_INFO_PROTECTED,
- STATE_MODE_CFG_R0, /* these states are used on the responder */
+ /* XAUTH states */
+
+ STATE_XAUTH_R0, /* server state: sent request, awaiting reply */
+ STATE_XAUTH_R1, /* server state: sent success/fail, awaiting reply */
+
+ /* Mode Config states */
+
+ STATE_MODE_CFG_R0, /* responder states */
STATE_MODE_CFG_R1,
STATE_MODE_CFG_R2,
- STATE_MODE_CFG_I1, /* this is used on the initiator */
+ STATE_MODE_CFG_I1, /* initiator states */
STATE_MODE_CFG_I2,
STATE_MODE_CFG_I3,
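Review bot: Adding STATE_XAUTH_R0 and STATE_XAUTH_R1 ahead of STATE_MODE_CFG_R0 renumbers every enumerator that follows, so any table laid out in enum state_kind order needs two new entries at the same position. Such tables (a state name list or a state transition table, if the project has them) are not part of this diff, so this is worth confirming before merge. A missed table would report or dispatch an XAUTH or Mode Config state under its neighbour's entry, which is a poor failure mode for an authentication exchange. A comment above the new block such as `/* keep in step with the state name and transition tables */` would make the coupling visible. The enum starts and ends outside this hunk.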
@@ -640,7 +647,32 @@ extern enum_names attr_msg_type_names;
#define SUPPORTED_ATTRIBUTES 14
#define INTERNAL_IP6_SUBNET 15
+#define MODECFG_ROOF 16
+
extern enum_names modecfg_attr_names;
+/* XAUTH attribute values */
+#define XAUTH_TYPE 16520
+#define XAUTH_USER_NAME 16521
+#define XAUTH_USER_PASSWORD 16522
+#define XAUTH_PASSCODE 16523
+#define XAUTH_MESSAGE 16524
+#define XAUTH_CHALLENGE 16525
+#define XAUTH_DOMAIN 16526
+#define XAUTH_STATUS 16527
+#define XAUTH_NEXT_PIN 16528
+#define XAUTH_ANSWER 16529
+
+#define XAUTH_BASE XAUTH_TYPE
+
+extern enum_names xauth_attr_names;
+
+/* XAUTH authentication types */
+#define XAUTH_TYPE_GENERIC 0
+#define XAUTH_TYPE_CHAP 1
+#define XAUTH_TYPE_OTP 2
+#define XAUTH_TYPE_SKEY 3
+
+extern enum_names xauth_type_names;
/* Exchange types
* RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
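Review bot: MODECFG_ROOF and XAUTH_BASE are added without a comment, and together they split the attribute space into two disjoint ranges (0..15 and 16520..16529). A reader of a lookup against modecfg_attr_names or xauth_attr_names has to work out that values in between belong to neither table. I would add `/* one past the last Mode Config attribute */` on MODECFG_ROOF and `/* first XAUTH attribute; the range is private-use, taken from the XAUTH draft */` on XAUTH_BASE. XAUTH_USER_PASSWORD and XAUTH_PASSCODE carry credentials, so the block comment should also say that debug output driven by xauth_attr_names may print the attribute name but not its value. The dump code is not visible here, so that is a check to make rather than a confirmed leak.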
@@ -754,7 +786,7 @@ extern const char *prettypolicy(lset_t policy);
#define POLICY_RSASIG LELEM(1)
#define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */
-#define POLICY_ID_AUTH_MASK LRANGES(POLICY_PSK, POLICY_RSASIG)
+#define POLICY_ID_AUTH_MASK (POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
#define POLICY_ISAKMP_MASK POLICY_ID_AUTH_MASK /* all so far */
/* Quick Mode (IPSEC) attributes */
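Review bot: POLICY_ID_AUTH_MASK is no longer a contiguous low-order range, because it now includes LELEM(18) and LELEM(19) from the later hunk, while POLICY_ISAKMP_SHIFT and its `log2(POLICY_PSK)` comment are left unchanged. That pairing suggests the masked value is, or once was, shifted down and used as a small integer. If any caller outside this diff uses `(policy & POLICY_ISAKMP_MASK) >> POLICY_ISAKMP_SHIFT` as an array index, the index can now fall far outside a four-entry table. Those call sites should be audited, and the macro should carry a comment such as `/* bits are not contiguous: never use the masked value as a table index */`. Since POLICY_ISAKMP_MASK is still commented `all so far`, it is also worth stating whether POLICY_XAUTH_SERVER is left out of the mask on purpose.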
@@ -796,7 +828,9 @@ extern const char *prettypolicy(lset_t policy);
#define POLICY_GROUTED LELEM(15) /* do we want this group routed? */
#define POLICY_UP LELEM(16) /* do we want this up? */
#define POLICY_MODECFG_PUSH LELEM(17) /* is modecfg pushed by server? */
-
+#define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH????PreShared? */
+#define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */
+#define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
/* Any IPsec policy? If not, a connection description
* is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
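Review bot: The comments on POLICY_XAUTH_PSK and POLICY_XAUTH_RSASIG use `????` as a wildcard, which reads like a character-encoding fault. Spelling out the two auth methods would be clearer, e.g. `/* do we support XAUTHInitPreShared / XAUTHRespPreShared? */` and `/* do we support XAUTHInitRSA / XAUTHRespRSA? */`. The hunk also removes the blank line that separated the policy bits from the following block comment, and that separator is worth keeping. Separately, prettypolicy() is declared just above, and whatever name table it uses for policy bits must gain entries for bits 18 to 20. That table is not in this diff, so please confirm it was extended.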
@@ -806,7 +840,7 @@ extern const char *prettypolicy(lset_t policy);
#define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
/* Don't allow negotiation? */
-#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_PSK | POLICY_RSASIG))
+#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_ID_AUTH_MASK))
/* Oakley transform attributes