ike: Add an additional but separate AEAD proposal to IKE config, if supported
[strongswan.git] / src / conftest / config.c
index 1e70025..bd63df0 100644 (file)
@@ -101,9 +101,13 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
        proposal_t *proposal;
        char *token;
 
-       ike_cfg = ike_cfg_create(TRUE, FALSE,
-               settings->get_str(settings, "configs.%s.lhost", "%any", config), 500,
-               settings->get_str(settings, "configs.%s.rhost", "%any", config), 500);
+       ike_cfg = ike_cfg_create(IKEV2, TRUE,
+               settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
+               settings->get_str(settings, "configs.%s.lhost", "%any", config),
+               settings->get_int(settings, "configs.%s.lport", 500, config),
+               settings->get_str(settings, "configs.%s.rhost", "%any", config),
+               settings->get_int(settings, "configs.%s.rport", 500, config),
+               FRAGMENTATION_NO, 0);
        token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
        if (token)
        {
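Review bot: The `lport`/`rport` values read with `settings->get_int` on the new lines go straight into ike_cfg_create, whose port parameters are presumably 16-bit, so a value outside 0..65535 in the conf file is silently truncated instead of being reported. The same unchecked int-to-unsigned conversion appears in load_child_config further down, where `tfc` is a `u_int32_t` filled from `tfc_padding` via get_int and a negative setting wraps to a very large padding length. Holding the ports in `int` locals first and checking them, e.g. `if (lport < 0 || lport > 65535) { DBG1(DBG_CFG, "invalid lport in config %s", config); }` before treating the config as unusable, would make a misconfigured test case fail loudly rather than run with a mangled port. load_ike_config continues outside this hunk.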
@@ -125,6 +129,7 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
        else
        {
                ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+               ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
        }
        return ike_cfg;
 }
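Review bot: The added call passes the result of proposal_create_default_aead directly to add_proposal with no NULL check, while the commit title says the proposal is added only "if supported"; that presumably means proposal_create_default_aead returns NULL when no AEAD algorithm is registered, so correctness here depends on add_proposal tolerating a NULL proposal, which this hunk does not show. Please confirm that contract and document it at the call site, e.g. `/* NULL when no AEAD algorithm is available; add_proposal must ignore NULL */`, since a reader will otherwise assume the second proposal is always present. If add_proposal does not ignore NULL, guard the call with `proposal = proposal_create_default_aead(PROTO_IKE); if (proposal) { ... }` using the `proposal` local already declared in this function.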
@@ -139,14 +144,20 @@ static child_cfg_t *load_child_config(private_config_t *this,
        enumerator_t *enumerator;
        proposal_t *proposal;
        traffic_selector_t *ts;
-       host_t *net;
+       ipsec_mode_t mode = MODE_TUNNEL;
        char *token;
-       int bits;
+       u_int32_t tfc;
 
-       child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE,
-                                               settings->get_bool(settings, "configs.%s.%s.transport",
-                                                                                  FALSE, config, child),
-                                               ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL);
+       if (settings->get_bool(settings, "configs.%s.%s.transport",
+                                                  FALSE, config, child))
+       {
+               mode = MODE_TRANSPORT;
+       }
+       tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding",
+                                                       0, config, child);
+       child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE, mode,
+                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE,
+                                                                FALSE, 0, 0, NULL, NULL, tfc);
 
        token = settings->get_str(settings, "configs.%s.%s.proposal",
                                                          NULL, config, child);
@@ -172,16 +183,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
                child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        }
 
-       token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+       token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
        if (token)
        {
                enumerator = enumerator_create_token(token, ",", " ");
                while (enumerator->enumerate(enumerator, &token))
                {
-                       net = host_create_from_subnet(token, &bits);
-                       if (net)
+                       ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
+                       if (ts)
                        {
-                               ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
                                child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
                        }
                        else
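Review bot: The rewritten loop body for `lts` (`traffic_selector_create_from_cidr(token, 0, 0, 65535)` followed by the NULL check and add_traffic_selector) is duplicated verbatim for `rts` in the next hunk, differing only in the TRUE/FALSE argument to add_traffic_selector. Since both loops were touched anyway, a small static helper taking `child_cfg`, the token string and the local/remote flag would keep the two paths from drifting, and the literal `0, 0, 65535` (apparently any protocol and the full port range) would then be written once. The enumeration loop's else branch continues past the end of this hunk.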
@@ -197,16 +207,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
                child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
        }
 
-       token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+       token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config, child);
        if (token)
        {
                enumerator = enumerator_create_token(token, ",", " ");
                while (enumerator->enumerate(enumerator, &token))
                {
-                       net = host_create_from_subnet(token, &bits);
-                       if (net)
+                       ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
+                       if (ts)
                        {
-                               ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
                                child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
                        }
                        else
@@ -236,12 +245,13 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
        child_cfg_t *child_cfg;
        enumerator_t *enumerator;
        identification_t *lid, *rid;
-       char *child;
+       char *child, *policy, *pool;
+       uintptr_t strength;
 
        ike_cfg = load_ike_config(this, settings, config);
-       peer_cfg = peer_cfg_create(config, 2, ike_cfg, CERT_ALWAYS_SEND,
-                                                          UNIQUE_NO, 1, 0, 0, 0, 0, TRUE, 0,
-                                                          NULL, NULL, FALSE, NULL, NULL);
+       peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
+                                                          UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, TRUE,
+                                                          0, 0, FALSE, NULL, NULL);
 
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
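Review bot: The reworked peer_cfg_create call is a run of thirteen positional literals (`1, 0, 0, 0, 0, FALSE, FALSE, TRUE, 0, 0, FALSE, NULL, NULL`), and a reader cannot tell from this hunk which of the new FALSE/TRUE flags or zeros is which without opening the peer_cfg header. Annotating each literal with its parameter name as an inline comment, in the style `0, 0, /* dpd, dpd_timeout */` (names to be checked against the current peer_cfg_create prototype), would make later API changes reviewable here. The `uintptr_t strength` declared in this hunk is only used in the following hunk, where it is handed to auth->add; a one-line comment on the declaration explaining why the value is carried as a pointer-sized integer would help. load_peer_config continues outside this hunk.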
@@ -254,8 +264,28 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        rid = identification_create_from_string(
                                settings->get_str(settings, "configs.%s.rid", "%any", config));
+       strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);
+       if (strength)
+       {
+               auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
+       }
+       strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0, config);
+       if (strength)
+       {
+               auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
+       }
+       policy = settings->get_str(settings, "configs.%s.cert_policy", NULL, config);
+       if (policy)
+       {
+               auth->add(auth, AUTH_RULE_CERT_POLICY, strdup(policy));
+       }
        auth->add(auth, AUTH_RULE_IDENTITY, rid);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+       pool = settings->get_str(settings, "configs.%s.named_pool", NULL, config);
+       if (pool)
+       {
+               peer_cfg->add_pool(peer_cfg, pool);
+       }
 
        DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);