added hostaccess support; moved auth_method to policy
author: Andreas Steffen <andreas.steffen@strongswan.org>
Mon, 25 Sep 2006 05:51:16 +0000 (05:51 -0000)
committer: Andreas Steffen <andreas.steffen@strongswan.org>
Mon, 25 Sep 2006 05:51:16 +0000 (05:51 -0000)
src/charon/config/policies/local_policy_store.c
src/charon/config/policies/policy.c
src/charon/config/policies/policy.h

index 9ab8948..1ad0aaa 100644 (file)
@@ -179,7 +179,7 @@ static policy_t *get_policy(private_local_policy_store_t *this,
                identification_t *found_my_id = found->get_my_id(found);
                identification_t *found_other_id = found->get_other_id(found);
                
-               this->logger->log(this->logger, CONTROL|LEVEL1,
+               this->logger->log(this->logger, CONTROL,
                                                  "found matching policy '%s': %s...%s (prio=%d)",
                                                  found->get_name(found),
                                                  found_my_id->get_string(found_my_id),
index f64447a..e3a1100 100644 (file)
 #include <utils/identification.h>
 #include <utils/logger_manager.h>
 
-mapping_t dpd_action_m[] = {
-       {DPD_CLEAR, "DPD_CLEAR"},
-       {DPD_ROUTE, "DPD_ROUTE"},
-       {DPD_RESTART, "DPD_RESTART"},
-       {MAPPING_END, NULL},
+/** 
+ * String mappings for auth_method_t.
+ */
+static const char *const auth_method_name[] = {
+       "RSA signature",
+       "pre-shared key",
+       "DSS signature"
+};
+
+enum_names auth_method_names =
+    { RSA_DIGITAL_SIGNATURE, DSS_DIGITAL_SIGNATURE, auth_method_name, NULL };
+
+/** 
+ * String mappings for dpd_action_t.
+ */
+static const char *const dpd_action_name[] = {
+       "DPD_NONE",
+       "DPD_CLEAR",
+       "DPD_ROUTE",
+       "DPD_RESTART"
 };
 
+enum_names dpd_action_names =
+    { DPD_NONE, DPD_RESTART, dpd_action_name, NULL };
+
 typedef struct private_policy_t private_policy_t;
 
 /**
@@ -71,6 +89,11 @@ struct private_policy_t {
        identification_t *other_id;
        
        /**
+        * Method to use for own authentication data
+        */
+       auth_method_t auth_method;
+       
+       /**
         * we have a cert issued by this CA
         */
        identification_t *my_ca;
@@ -86,6 +109,11 @@ struct private_policy_t {
        char *updown;
        
        /**
+        * allow host access
+        */
+       bool hostaccess;
+       
+       /**
         * list for all proposals
         */
        linked_list_t *proposals;
@@ -152,6 +180,14 @@ static identification_t *get_other_id(private_policy_t *this)
 }
 
 /**
+ * Implementation of connection_t.auth_method_t.
+ */
+static auth_method_t get_auth_method(private_policy_t *this)
+{
+       return this->auth_method;
+}
+
+/**
  * Get traffic selectors, with wildcard-address update
  */
 static linked_list_t *get_traffic_selectors(private_policy_t *this, linked_list_t *list, host_t *host)
@@ -341,6 +377,14 @@ static char* get_updown(private_policy_t *this)
 }
 
 /**
+ * Implementation of policy_t.get_hostaccess
+ */
+static bool get_hostaccess(private_policy_t *this)
+{
+       return this->hostaccess;
+}
+
+/**
  * Implements policy_t.get_dpd_action
  */
 static dpd_action_t get_dpd_action(private_policy_t *this)
@@ -461,40 +505,46 @@ static void destroy(private_policy_t *this)
  * Described in header-file
  */
 policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id,
+                                               auth_method_t auth_method,
                                                u_int32_t hard_lifetime, u_int32_t soft_lifetime, 
-                                               u_int32_t jitter, char *updown, dpd_action_t dpd_action)
+                                               u_int32_t jitter, char *updown, bool hostaccess,
+                                               dpd_action_t dpd_action)
 {
        private_policy_t *this = malloc_thing(private_policy_t);
 
        /* public functions */
-       this->public.get_name = (char *(*)(policy_t*))get_name;
-       this->public.get_my_id = (identification_t*(*)(policy_t*))get_my_id;
-       this->public.get_other_id = (identification_t*(*)(policy_t*))get_other_id;
-       this->public.get_my_traffic_selectors = (linked_list_t*(*)(policy_t*,host_t*))get_my_traffic_selectors;
-       this->public.get_other_traffic_selectors = (linked_list_t*(*)(policy_t*,host_t*))get_other_traffic_selectors;
-       this->public.select_my_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
-       this->public.select_other_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
-       this->public.get_proposals = (linked_list_t*(*)(policy_t*))get_proposals;
-       this->public.select_proposal = (proposal_t*(*)(policy_t*,linked_list_t*))select_proposal;
-       this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
-       this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
-       this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
-       this->public.add_authorities = (void(*)(policy_t*,identification_t*, identification_t*))add_authorities;
-       this->public.get_updown = (char*(*)(policy_t*))get_updown;
-       this->public.get_dpd_action = (dpd_action_t(*)(policy_t*))get_dpd_action;
+       this->public.get_name = (char* (*) (policy_t*))get_name;
+       this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id;
+       this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id;
+       this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method;
+       this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors;
+       this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors;
+       this->public.select_my_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
+       this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
+       this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals;
+       this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal;
+       this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector;
+       this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector;
+       this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal;
+       this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities;
+       this->public.get_updown = (char* (*) (policy_t*))get_updown;
+       this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess;
+       this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action;
        this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
        this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
-       this->public.get_ref = (void(*)(policy_t*))get_ref;
-       this->public.destroy = (void(*)(policy_t*))destroy;
+       this->public.get_ref = (void (*) (policy_t*))get_ref;
+       this->public.destroy = (void (*) (policy_t*))destroy;
        
        /* apply init values */
        this->name = strdup(name);
        this->my_id = my_id;
        this->other_id = other_id;
+       this->auth_method = auth_method;
        this->hard_lifetime = hard_lifetime;
        this->soft_lifetime = soft_lifetime;
        this->jitter = jitter;
        this->updown = (updown == NULL) ? NULL : strdup(updown);
+       this->hostaccess = hostaccess;
        this->dpd_action = dpd_action;
        
        /* initialize private members*/
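Review bot: The header comment on the new accessor, `Implementation of connection_t.auth_method_t.`, names the wrong type and member; it should read `Implementation of policy_t.get_auth_method.` so it matches the neighbouring `get_hostaccess` and `get_dpd_action` comments. `policy_create` stores the new `auth_method` argument unchecked, and `auth_method_names` begins at `RSA_DIGITAL_SIGNATURE` (1), so a caller handing in 0 (a zero-initialised config, for instance) yields a policy whose method falls outside the name table and, presumably, later reaches the AUTH payload as an invalid method; either range-check it here or document on the constructor that the caller must validate it. The removed `dpd_action_m` table was an exported symbol, so any remaining user in other files (not visible here) now fails to link — worth a grep before merging. The body of `policy_create` continues past the end of the hunk.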
index 48d9f70..6d80319 100644 (file)
 #include <utils/identification.h>
 #include <config/traffic_selector.h>
 #include <config/proposal.h>
-#include <encoding/payloads/auth_payload.h>
+
+typedef enum auth_method_t auth_method_t;
+
+/**
+ * AUTH Method to use.
+ * 
+ * @ingroup config
+ */
+enum auth_method_t {
+       /**
+        * Computed as specified in section 2.15 of RFC using 
+        * an RSA private key over a PKCS#1 padded hash.
+        */
+       RSA_DIGITAL_SIGNATURE = 1,
+       
+       /** 
+        * Computed as specified in section 2.15 of RFC using the 
+        * shared key associated with the identity in the ID payload 
+        * and the negotiated prf function
+        */
+       SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,
+       
+       /**
+        * Computed as specified in section 2.15 of RFC using a 
+        * DSS private key over a SHA-1 hash.
+        */
+       DSS_DIGITAL_SIGNATURE = 3,
+};
+
+/**
+ * string mappings for auth_method_t.
+ * 
+ * @ingroup config
+ */
+extern enum_names auth_method_names;
 
 
 typedef enum dpd_action_t dpd_action_t;
@@ -41,18 +75,20 @@ typedef enum dpd_action_t dpd_action_t;
  * @ingroup config
  */
 enum dpd_action_t {
+       /** DPD disabled */
+       DPD_NONE,
        /** remove CHILD_SA without replacement */
-       DPD_CLEAR = 1,
+       DPD_CLEAR,
        /** route the CHILD_SA to resetup when needed */
-       DPD_ROUTE = 2,
+       DPD_ROUTE,
        /** restart CHILD_SA in a new IKE_SA, immediately */
-       DPD_RESTART = 3,
+       DPD_RESTART,
 };
 
 /**
- * String mappings for dpd_action_t
+ * String mappings for dpd_action_t.
  */
-extern mapping_t dpd_action_m[];
+extern enum_names dpd_action_names;
 
 
 typedef struct policy_t policy_t;
@@ -101,6 +137,14 @@ struct policy_t {
        identification_t *(*get_other_id) (policy_t *this);
        
        /**
+        * @brief Get the authentication method to use.
+        * 
+        * @param this          calling object
+        * @return                      authentication method
+        */
+       auth_method_t (*get_auth_method) (policy_t *this);
+       
+       /**
         * @brief Get configured traffic selectors for our site.
         * 
         * Returns a list with all traffic selectors for the local
@@ -228,6 +272,14 @@ struct policy_t {
        char* (*get_updown) (policy_t *this);
        
        /**
+        * @brief Get hostaccess flag
+        * 
+        * @param this                  calling object
+        * @return                              value of hostaccess flag
+        */
+       bool (*get_hostaccess) (policy_t *this);
+       
+       /**
         * @brief What should be done with a CHILD_SA, when other peer does not respond.
         *
         * @param this          calling object
@@ -292,10 +344,12 @@ struct policy_t {
  * @param name                         name of the policy
  * @param my_id                        identification_t for ourselves
  * @param other_id                     identification_t for the remote guy
+ * @param auth_method          Authentication method to use for our(!) auth data
  * @param hard_lifetime                lifetime before deleting an SA
  * @param soft_lifetime                lifetime before rekeying an SA
  * @param jitter                       range of randomization time
  * @param updown                       updown script to execute on up/down event
+ * @param hostaccess           allow access to the host itself (used by the updown script)
  * @param dpd_action           what to to with a CHILD_SA when other peer does not respond
  * @return                                     policy_t object
  * 
@@ -303,7 +357,10 @@ struct policy_t {
  */
 policy_t *policy_create(char *name, 
                                                identification_t *my_id, identification_t *other_id,
+                                               auth_method_t auth_method,
                                                u_int32_t hard_lifetime, u_int32_t soft_lifetime,
-                                               u_int32_t jitter, char *updown, dpd_action_t dpd_action);
+                                               u_int32_t jitter,
+                                               char *updown, bool hostaccess,
+                                               dpd_action_t dpd_action);
 
 #endif /* POLICY_H_ */
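Review bot: The comments on the new `auth_method_t` values say "section 2.15 of RFC" without naming the RFC; the values 1–3 match the Auth Method field of the IKEv2 AUTH payload (RFC 4306, section 3.8), and now that the enum lives in config code instead of coming through the removed `encoding/payloads/auth_payload.h` include, a maintainer could renumber it without noticing it is a wire value. I would write each as `Computed as specified in RFC 4306 section 2.15 ...` and put on the enum itself `/* values are the IKEv2 AUTH payload Auth Method codes (RFC 4306 section 3.8); do not renumber */`. If `auth_payload.h` still declares a typedef of the same name, a translation unit that includes both headers hits a typedef redefinition under C99, so confirm that header now includes this one instead. The `get_hostaccess` doc says only "Get hostaccess flag"; the meaning given at `policy_create` (`allow access to the host itself (used by the updown script)`) belongs on the accessor as well.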