From: Tobias Brunner Date: Fri, 29 Mar 2019 11:11:10 +0000 (+0100) Subject: ike-cfg: Pass arguments as struct X-Git-Tag: 5.8.0rc1~24^2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9486a2e5b0b5b1e133097c8c25491ca97a31d1db;p=thirdparty%2Fstrongswan.git ike-cfg: Pass arguments as struct --- diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 1cf431ff22..b91c89830a 100644 --- a/src/charon-cmd/cmd/cmd_connection.c +++ b/src/charon-cmd/cmd/cmd_connection.c @@ -142,9 +142,13 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) { ike_cfg_t *ike_cfg; peer_cfg_t *peer_cfg; - uint16_t local_port, remote_port = IKEV2_UDP_PORT; - ike_version_t version = IKE_ANY; proposal_t *proposal; + ike_cfg_create_t ike = { + .local = "0.0.0.0", + .remote = this->host, + .remote_port = IKEV2_UDP_PORT, + .fragmentation = FRAGMENTATION_YES, + }; peer_cfg_create_t peer = { .cert_policy = CERT_SEND_IF_ASKED, .unique = UNIQUE_REPLACE, @@ -161,7 +165,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) case PROF_V2_PUB: case PROF_V2_EAP: case PROF_V2_PUB_EAP: - version = IKEV2; + ike.version = IKEV2; break; case PROF_V1_PUB_AM: case PROF_V1_XAUTH_AM: @@ -173,17 +177,16 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) case PROF_V1_XAUTH: case PROF_V1_XAUTH_PSK: case PROF_V1_HYBRID: - version = IKEV1; + ike.version = IKEV1; break; } - local_port = charon->socket->get_port(charon->socket, FALSE); - if (local_port != IKEV2_UDP_PORT) + ike.local_port = charon->socket->get_port(charon->socket, FALSE); + if (ike.local_port != IKEV2_UDP_PORT) { - remote_port = IKEV2_NATT_PORT; + ike.remote_port = IKEV2_NATT_PORT; } - ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", local_port, - this->host, remote_port, FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); if (this->ike_proposals->get_count(this->ike_proposals)) { while (this->ike_proposals->remove_first(this->ike_proposals, diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index e207ac851c..1b07230fd3 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -381,8 +381,8 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, NMSettingVpn *vpn; enumerator_t *enumerator; identification_t *user = NULL, *gateway = NULL; - const char *address, *str; - bool virtual, encap, proposal; + const char *str; + bool virtual, proposal; proposal_t *prop; ike_cfg_t *ike_cfg; peer_cfg_t *peer_cfg; @@ -394,6 +394,13 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, certificate_t *cert = NULL; x509_t *x509; bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "%any", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote_port = IKEV2_UDP_PORT, + .fragmentation = FRAGMENTATION_YES, + }; peer_cfg_create_t peer = { .cert_policy = CERT_SEND_IF_ASKED, .unique = UNIQUE_REPLACE, @@ -430,8 +437,8 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, priv->name); DBG4(DBG_CFG, "%s", nm_setting_to_string(NM_SETTING(vpn))); - address = nm_setting_vpn_get_data_item(vpn, "address"); - if (!address || !*address) + ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address"); + if (!ike.remote || !*ike.remote) { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, "Gateway address missing."); @@ -440,7 +447,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, str = nm_setting_vpn_get_data_item(vpn, "virtual"); virtual = streq(str, "yes"); str = nm_setting_vpn_get_data_item(vpn, "encap"); - encap = streq(str, "yes"); + ike.force_encap = streq(str, "yes"); str = nm_setting_vpn_get_data_item(vpn, "ipcomp"); child.options |= streq(str, "yes") ? OPT_IPCOMP : 0; str = nm_setting_vpn_get_data_item(vpn, "method"); @@ -503,7 +510,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, * of the gateway as its identity. This identity will be used for * certificate lookup and requires the configured IP/DNS to be * included in the gateway certificate. */ - gateway = identification_create_from_string((char*)address); + gateway = identification_create_from_string(ike.remote); DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway); loose_gateway_id = TRUE; } @@ -634,10 +641,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, /** * Set up configurations */ - ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "%any", - charon->socket->get_port(charon->socket, FALSE), - (char*)address, IKEV2_UDP_PORT, - FRAGMENTATION_YES, 0); + ike_cfg = ike_cfg_create(&ike); str = nm_setting_vpn_get_data_item(vpn, "proposal"); proposal = streq(str, "yes"); diff --git a/src/conftest/config.c b/src/conftest/config.c index d926dfca25..ff47a77ee0 100644 --- a/src/conftest/config.c +++ b/src/conftest/config.c @@ -107,14 +107,21 @@ static ike_cfg_t *load_ike_config(private_config_t *this, ike_cfg_t *ike_cfg; proposal_t *proposal; char *token; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = settings->get_str(settings, "configs.%s.lhost", + "%any", config), + .local_port = settings->get_int(settings, "configs.%s.lport", + 500, config), + .remote = settings->get_str(settings, "configs.%s.rhost", + "%any", config), + .remote_port = settings->get_int(settings, "configs.%s.rport", + 500, config), + .force_encap = settings->get_bool(settings, "configs.%s.fake_nat", + FALSE, config), + }; - ike_cfg = ike_cfg_create(IKEV2, TRUE, - settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config), - settings->get_str(settings, "configs.%s.lhost", "%any", config), - settings->get_int(settings, "configs.%s.lport", 500, config), - settings->get_str(settings, "configs.%s.rhost", "%any", config), - settings->get_int(settings, "configs.%s.rport", 500, config), - FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); token = settings->get_str(settings, "configs.%s.proposal", NULL, config); if (token) { diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c index a6b45059eb..de634891cb 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c @@ -742,6 +742,13 @@ static job_requeue_t initiate(private_android_service_t *this) proposal_t *proposal; ike_sa_t *ike_sa; auth_cfg_t *auth; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .foce_encap = TRUE, + .fragmentation = FRAGMENTATION_YES, + }; peer_cfg_create_t peer = { .cert_policy = CERT_ALWAYS_SEND, .unique = UNIQUE_REPLACE, @@ -761,23 +768,20 @@ static job_requeue_t initiate(private_android_service_t *this) .dpd_action = ACTION_RESTART, .close_action = ACTION_RESTART, }; - char *type, *server, *remote_id; - int port; - bool certreq; + char *type, *remote_id; if (android_sdk_version >= ANDROID_LOLLIPOP) { /* only try once and notify the GUI on Android 5+ where we have a blocking TUN device */ peer.keyingtries = 1; } - server = this->settings->get_str(this->settings, "connection.server", NULL); - port = this->settings->get_int(this->settings, "connection.port", - IKEV2_UDP_PORT); - certreq = this->settings->get_bool(this->settings, "connection.certreq", - TRUE); - ike_cfg = ike_cfg_create(IKEV2, certreq, TRUE, "0.0.0.0", - charon->socket->get_port(charon->socket, FALSE), - server, port, FRAGMENTATION_YES, 0); + ike.remote = this->settings->get_str(this->settings, "connection.server", + NULL); + ike.remote_port = this->settings->get_int(this->settings, "connection.port", + IKEV2_UDP_PORT); + ike.no_certreq = !this->settings->get_bool(this->settings, + "connection.certreq", TRUE); + ike_cfg = ike_cfg_create(&ike); proposal = parse_proposal(this, PROTO_IKE, "connection.ike_proposal"); if (proposal) { diff --git a/src/frontends/osx/charon-xpc/xpc_dispatch.c b/src/frontends/osx/charon-xpc/xpc_dispatch.c index 0483199df5..51b2b5008a 100644 --- a/src/frontends/osx/charon-xpc/xpc_dispatch.c +++ b/src/frontends/osx/charon-xpc/xpc_dispatch.c @@ -78,6 +78,14 @@ static peer_cfg_t* create_peer_cfg(char *name, char *host) ike_cfg_t *ike_cfg; peer_cfg_t *peer_cfg; uint16_t local_port, remote_port = IKEV2_UDP_PORT; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .remote = host, + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + .fragmentation = FRAGMENTATION_YES, + }; peer_cfg_create_t peer = { .cert_policy = CERT_SEND_IF_ASKED, .unique = UNIQUE_REPLACE, @@ -88,13 +96,12 @@ static peer_cfg_t* create_peer_cfg(char *name, char *host) .dpd = 30, }; - local_port = charon->socket->get_port(charon->socket, FALSE); - if (local_port != IKEV2_UDP_PORT) + ike.local_port = charon->socket->get_port(charon->socket, FALSE); + if (ike.local_port != IKEV2_UDP_PORT) { - remote_port = IKEV2_NATT_PORT; + ike.remote_port = IKEV2_NATT_PORT; } - ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, "0.0.0.0", local_port, - host, remote_port, FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); peer_cfg = peer_cfg_create(name, ike_cfg, &peer); diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 357c4a73b7..cb75b70543 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2018 Tobias Brunner + * Copyright (C) 2012-2019 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -609,13 +609,10 @@ bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local) return found; } -/** - * Described in header. +/* + * Described in header */ -ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, - char *me, uint16_t my_port, - char *other, uint16_t other_port, - fragmentation_t fragmentation, uint8_t dscp) +ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data) { private_ike_cfg_t *this; @@ -644,24 +641,24 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, .destroy = _destroy, }, .refcount = 1, - .version = version, - .certreq = certreq, - .force_encap = force_encap, - .fragmentation = fragmentation, - .me = strdup(me), + .version = data->version, + .certreq = !data->no_certreq, + .force_encap = data->force_encap, + .fragmentation = data->fragmentation, + .me = strdup(data->local), .my_ranges = linked_list_create(), .my_hosts = linked_list_create(), - .other = strdup(other), + .other = strdup(data->remote), .other_ranges = linked_list_create(), .other_hosts = linked_list_create(), - .my_port = my_port, - .other_port = other_port, - .dscp = dscp, + .my_port = data->local_port, + .other_port = data->remote_port, + .dscp = data->dscp, .proposals = linked_list_create(), ); - parse_addresses(me, this->my_hosts, this->my_ranges); - parse_addresses(other, this->other_hosts, this->other_ranges); + parse_addresses(data->local, this->my_hosts, this->my_ranges); + parse_addresses(data->remote, this->other_hosts, this->other_ranges); return &this->public; } diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index 49690c8925..92a9915e0b 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2018 Tobias Brunner + * Copyright (C) 2012-2019 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -26,6 +26,7 @@ typedef enum ike_version_t ike_version_t; typedef enum fragmentation_t fragmentation_t; typedef struct ike_cfg_t ike_cfg_t; +typedef struct ike_cfg_create_t ike_cfg_create_t; #include #include @@ -241,30 +242,41 @@ struct ike_cfg_t { }; /** - * Creates a ike_cfg_t object. + * Data passed to the constructor of an ike_cfg_t object. * - * Supplied hosts become owned by ike_cfg, strings get cloned. - * - * me and other are comma separated lists of IP addresses, DNS names, IP ranges - * or subnets. When initiating, the first non-range/subnet address is used - * as address. When responding, a match is performed against all items in the - * list. + * local and remote are comma separated lists of IP addresses, DNS names, + * IP ranges or subnets. When initiating, the first non-range/subnet address is + * used as address. When responding, a match is performed against all items in + * the list. + */ +struct ike_cfg_create_t { + /** IKE major version to use for this config */ + ike_version_t version; + /** Address/DNS name of local peer (cloned) */ + char *local; + /** IKE port to use as source, 500 uses IKEv2 port floating */ + uint16_t local_port; + /** Address/DNS name of remote peer (cloned) */ + char *remote; + /** IKE port to use as dest, 500 uses IKEv2 port floating */ + uint16_t remote_port; + /** TRUE to not send any certificate requests */ + bool no_certreq; + /** Enforce UDP encapsulation by faking NATD notify */ + bool force_encap; + /** Use IKE fragmentation */ + fragmentation_t fragmentation; + /** DSCP value to send IKE packets with */ + uint8_t dscp; +}; + +/** + * Creates an ike_cfg_t object. * - * @param version IKE major version to use for this config - * @param certreq TRUE to send a certificate request - * @param force_encap enforce UDP encapsulation by faking NATD notify - * @param me address/DNS name of local peer - * @param my_port IKE port to use as source, 500 uses IKEv2 port floating - * @param other address/DNS name of remote peer - * @param other_port IKE port to use as dest, 500 uses IKEv2 port floating - * @param fragmentation use IKEv1 fragmentation - * @param dscp DSCP value to send IKE packets with + * @param data data for this ike_cfg * @return ike_cfg_t object. */ -ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, - char *me, uint16_t my_port, - char *other, uint16_t other_port, - fragmentation_t fragmentation, uint8_t dscp); +ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data); /** * Determine the address family of the local or remote address(es). If multiple diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index cfa896e934..f942915054 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -190,6 +190,14 @@ static void setup_tunnel(private_ha_tunnel_t *this, auth_cfg_t *auth_cfg; child_cfg_t *child_cfg; traffic_selector_t *ts; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = local, + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote = remote, + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + }; peer_cfg_create_t peer = { .cert_policy = CERT_NEVER_SEND, .unique = UNIQUE_KEEP, @@ -222,9 +230,7 @@ static void setup_tunnel(private_ha_tunnel_t *this, lib->credmgr->add_set(lib->credmgr, &this->creds.public); /* create config and backend */ - ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, - charon->socket->get_port(charon->socket, FALSE), - remote, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); peer_cfg = peer_cfg_create(HA_CFG_NAME, ike_cfg, &peer); diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index 78be45f68d..6fb6673751 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -686,8 +686,12 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) ike_cfg_t *ike_cfg; child_cfg_t *child_cfg; peer_cfg_t *peer_cfg; - char local[32], *remote; + char local[32]; host_t *addr; + ike_cfg_create_t ike = { + .version = this->version, + .remote_port = IKEV2_UDP_PORT, + }; peer_cfg_create_t peer = { .cert_policy = CERT_SEND_IF_ASKED, .unique = UNIQUE_NO, @@ -726,28 +730,25 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) { snprintf(local, sizeof(local), "%s", this->initiator); } - remote = this->responder; + ike.remote = this->responder; } else { snprintf(local, sizeof(local), "%s", this->responder); - remote = this->initiator; + ike.remote = this->initiator; } + ike.local = local; if (this->port && num) { - ike_cfg = ike_cfg_create(this->version, TRUE, FALSE, - local, this->port + num - 1, - remote, IKEV2_NATT_PORT, - FRAGMENTATION_NO, 0); + ike.local_port = this->port + num - 1; + ike.remote_port = IKEV2_NATT_PORT; } else { - ike_cfg = ike_cfg_create(this->version, TRUE, FALSE, local, - charon->socket->get_port(charon->socket, FALSE), - remote, IKEV2_UDP_PORT, - FRAGMENTATION_NO, 0); + ike.local_port = charon->socket->get_port(charon->socket, FALSE); } + ike_cfg = ike_cfg_create(&ike); ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal)); peer_cfg = peer_cfg_create("load-test", ike_cfg, &peer); diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 789c01bae9..be42d7d7d0 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -87,9 +87,15 @@ static peer_cfg_t *build_mediation_config(private_medcli_config_t *this, auth_cfg_t *auth; ike_cfg_t *ike_cfg; peer_cfg_t *med_cfg; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + }; peer_cfg_create_t peer = *defaults; chunk_t me, other; - char *address; /* query mediation server config: * - build ike_cfg/peer_cfg for mediation connection on-the-fly @@ -98,14 +104,12 @@ static peer_cfg_t *build_mediation_config(private_medcli_config_t *this, "SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId " "FROM MediationServerConfig JOIN ClientConfig", DB_TEXT, DB_BLOB, DB_BLOB); - if (!e || !e->enumerate(e, &address, &me, &other)) + if (!e || !e->enumerate(e, &ike.remote, &me, &other)) { DESTROY_IF(e); return NULL; } - ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, "0.0.0.0", - charon->socket->get_port(charon->socket, FALSE), - address, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); @@ -397,6 +401,14 @@ METHOD(medcli_config_t, destroy, void, medcli_config_t *medcli_config_create(database_t *db) { private_medcli_config_t *this; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote = "0.0.0.0", + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + }; INIT(this, .public = { @@ -410,10 +422,7 @@ medcli_config_t *medcli_config_create(database_t *db) .db = db, .rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200), .dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300), - .ike = ike_cfg_create(IKEV2, FALSE, FALSE, "0.0.0.0", - charon->socket->get_port(charon->socket, FALSE), - "0.0.0.0", IKEV2_UDP_PORT, - FRAGMENTATION_NO, 0), + .ike = ike_cfg_create(&ike), ); this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE)); this->ike->add_proposal(this->ike, proposal_create_default_aead(PROTO_IKE)); diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c index 6068022b11..b9dce8c0d7 100644 --- a/src/libcharon/plugins/medsrv/medsrv_config.c +++ b/src/libcharon/plugins/medsrv/medsrv_config.c @@ -130,6 +130,14 @@ METHOD(medsrv_config_t, destroy, void, medsrv_config_t *medsrv_config_create(database_t *db) { private_medsrv_config_t *this; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote = "0.0.0.0", + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + }; INIT(this, .public = { @@ -143,10 +151,7 @@ medsrv_config_t *medsrv_config_create(database_t *db) .db = db, .rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200), .dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300), - .ike = ike_cfg_create(IKEV2, FALSE, FALSE, "0.0.0.0", - charon->socket->get_port(charon->socket, FALSE), - "0.0.0.0", IKEV2_UDP_PORT, - FRAGMENTATION_NO, 0), + .ike = ike_cfg_create(&ike), ); this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE)); this->ike->add_proposal(this->ike, proposal_create_default_aead(PROTO_IKE)); diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index bb1ba71db8..fb8ea8c5ef 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -272,10 +272,18 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e, while (e->enumerate(e, &id, &certreq, &force_encap, &local, &remote)) { ike_cfg_t *ike_cfg; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = local, + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote = remote, + .remote_port = IKEV2_UDP_PORT, + .no_certreq = !certreq, + .force_encap = force_encap, + .fragmentation = FRAGMENTATION_YES, + }; - ike_cfg = ike_cfg_create(IKEV2, certreq, force_encap, local, - charon->socket->get_port(charon->socket, FALSE), - remote, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); add_ike_proposals(this, ike_cfg, id); return ike_cfg; } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 8cdb5ef484..1514b74dd3 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -260,36 +260,40 @@ static void swap_ends(stroke_msg_t *msg) */ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) { + ike_cfg_create_t ike; ike_cfg_t *ike_cfg; - uint16_t ikeport; char me[256], other[256]; swap_ends(msg); + ike = (ike_cfg_create_t){ + .version = msg->add_conn.version, + .local = msg->add_conn.me.address, + .local_port = msg->add_conn.me.ikeport, + .remote = msg->add_conn.other.address, + .remote_port = msg->add_conn.other.ikeport, + .no_certreq = msg->add_conn.other.sendcert == CERT_NEVER_SEND, + .force_encap = msg->add_conn.force_encap, + .fragmentation = msg->add_conn.fragmentation, + .dscp = msg->add_conn.ikedscp, + }; if (msg->add_conn.me.allow_any) { snprintf(me, sizeof(me), "%s,0.0.0.0/0,::/0", msg->add_conn.me.address); + ike.local = me; } if (msg->add_conn.other.allow_any) { snprintf(other, sizeof(other), "%s,0.0.0.0/0,::/0", msg->add_conn.other.address); + ike.remote = other; + } + if (ike.local_port == IKEV2_UDP_PORT) + { + ike.local_port = charon->socket->get_port(charon->socket, FALSE); } - ikeport = msg->add_conn.me.ikeport; - ikeport = (ikeport == IKEV2_UDP_PORT) ? - charon->socket->get_port(charon->socket, FALSE) : ikeport; - ike_cfg = ike_cfg_create(msg->add_conn.version, - msg->add_conn.other.sendcert != CERT_NEVER_SEND, - msg->add_conn.force_encap, - msg->add_conn.me.allow_any ? - me : msg->add_conn.me.address, - ikeport, - msg->add_conn.other.allow_any ? - other : msg->add_conn.other.address, - msg->add_conn.other.ikeport, - msg->add_conn.fragmentation, - msg->add_conn.ikedscp); + ike_cfg = ike_cfg_create(&ike); if (!add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL, PROTO_IKE)) diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index 5654fc51ef..a66bb58cb6 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -121,12 +121,19 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, peer_enumerator_t *this, va_list args) { char *name, *ike_proposal, *esp_proposal, *ike_rekey, *esp_rekey; - char *local_id, *local_addr, *local_net; - char *remote_id, *remote_addr, *remote_net; + char *local_id, *local_net, *remote_id, *remote_net; peer_cfg_t **cfg; child_cfg_t *child_cfg; ike_cfg_t *ike_cfg; auth_cfg_t *auth; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote = "0.0.0.0", + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + }; peer_cfg_create_t peer = { .cert_policy = CERT_SEND_IF_ASKED, .unique = UNIQUE_NO, @@ -152,8 +159,6 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, name = "unnamed"; local_id = NULL; remote_id = NULL; - local_addr = "0.0.0.0"; - remote_addr = "0.0.0.0"; local_net = NULL; remote_net = NULL; ike_proposal = NULL; @@ -162,14 +167,12 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, esp_rekey = NULL; if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id, - &local_addr, &remote_addr, &local_net, &remote_net, + &ike.local, &ike.remote, &local_net, &remote_net, &ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey)) { + DESTROY_IF(this->peer_cfg); - ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local_addr, - charon->socket->get_port(charon->socket, FALSE), - remote_addr, IKEV2_UDP_PORT, - FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE)); peer.rekey_time = create_rekey(ike_rekey); this->peer_cfg = peer_cfg_create(name, ike_cfg, &peer); @@ -248,23 +251,26 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool, ike_enumerator_t *this, va_list args) { ike_cfg_t **cfg; - char *local_addr, *remote_addr, *ike_proposal; + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "0.0.0.0", + .local_port = charon->socket->get_port(charon->socket, FALSE), + .remote = "0.0.0.0", + .remote_port = IKEV2_UDP_PORT, + .no_certreq = TRUE, + }; + char *ike_proposal; VA_ARGS_VGET(args, cfg); /* defaults */ - local_addr = "0.0.0.0"; - remote_addr = "0.0.0.0"; ike_proposal = NULL; if (this->inner->enumerate(this->inner, NULL, - &local_addr, &remote_addr, &ike_proposal)) + &ike.local, &ike.remote, &ike_proposal)) { DESTROY_IF(this->ike_cfg); - this->ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local_addr, - charon->socket->get_port(charon->socket, FALSE), - remote_addr, IKEV2_UDP_PORT, - FRAGMENTATION_NO, 0); + this->ike_cfg = ike_cfg_create(&ike); this->ike_cfg->add_proposal(this->ike_cfg, create_proposal(ike_proposal, PROTO_IKE)); diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index f86d5c9cd2..59aadfd915 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -2382,6 +2382,7 @@ CALLBACK(config_sn, bool, enumerator_t *enumerator; peer_cfg_create_t cfg; peer_cfg_t *peer_cfg; + ike_cfg_create_t ike; ike_cfg_t *ike_cfg; child_cfg_t *child_cfg; auth_data_t *auth; @@ -2509,10 +2510,18 @@ CALLBACK(config_sn, bool, log_peer_data(&peer); - ike_cfg = ike_cfg_create(peer.version, peer.send_certreq, peer.encap, - peer.local_addrs, peer.local_port, - peer.remote_addrs, peer.remote_port, - peer.fragmentation, peer.dscp); + ike = (ike_cfg_create_t){ + .version = peer.version, + .local = peer.local_addrs, + .local_port = peer.local_port, + .remote = peer.remote_addrs, + .remote_port = peer.remote_port, + .no_certreq = !peer.send_certreq, + .force_encap = peer.encap, + .fragmentation = peer.fragmentation, + .dscp = peer.dscp, + }; + ike_cfg = ike_cfg_create(&ike); cfg = (peer_cfg_create_t){ .cert_policy = peer.send_cert, diff --git a/src/libcharon/tests/suites/test_ike_cfg.c b/src/libcharon/tests/suites/test_ike_cfg.c index 9bbc064f73..ded0462b30 100644 --- a/src/libcharon/tests/suites/test_ike_cfg.c +++ b/src/libcharon/tests/suites/test_ike_cfg.c @@ -19,11 +19,17 @@ static void assert_family(int expected, char *addr, bool local) { + ike_cfg_create_t ike = { + .version = IKEV2, + .local = local ? addr : "%any", + .local_port = 500, + .remote = local ? "%any" : addr, + .remote_port = 500, + }; ike_cfg_t *cfg; int family; - cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local ? addr : "%any", 500, - local ? "%any" : addr, 500, FRAGMENTATION_NO, 0); + cfg = ike_cfg_create(&ike); family = ike_cfg_get_family(cfg, local); ck_assert_msg(expected == family, "expected family %d != %d (addr: '%s')", expected, family, addr); diff --git a/src/libcharon/tests/suites/test_peer_cfg.c b/src/libcharon/tests/suites/test_peer_cfg.c index 02e38a3145..94337e2585 100644 --- a/src/libcharon/tests/suites/test_peer_cfg.c +++ b/src/libcharon/tests/suites/test_peer_cfg.c @@ -23,8 +23,14 @@ */ static ike_cfg_t *create_ike_cfg() { - return ike_cfg_create(IKEV2, TRUE, FALSE, "127.0.0.1", 500, - "127.0.0.1", 500, FRAGMENTATION_NO, 0); + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "127.0.0.1", + .local_port = 500, + .remote = "127.0.0.1", + .remote_port = 500, + }; + return ike_cfg_create(&ike); } /** diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c index bebf334638..39f0d16472 100644 --- a/src/libcharon/tests/utils/exchange_test_helper.c +++ b/src/libcharon/tests/utils/exchange_test_helper.c @@ -85,11 +85,17 @@ exchange_test_helper_t *exchange_test_helper; static ike_cfg_t *create_ike_cfg(bool initiator, exchange_test_sa_conf_t *conf) { + ike_cfg_create_t ike = { + .version = IKEV2, + .local = "127.0.0.1", + .local_port = IKEV2_UDP_PORT, + .remote = "127.0.0.1", + .remote_port = IKEV2_UDP_PORT, + }; ike_cfg_t *ike_cfg; char *proposal = NULL; - ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "127.0.0.1", IKEV2_UDP_PORT, - "127.0.0.1", IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); + ike_cfg = ike_cfg_create(&ike); if (conf) { proposal = initiator ? conf->initiator.ike : conf->responder.ike;