peer-cfg: Use flags for boolean options

Makes it potentially easier to add new flags.

The mediation flag is not converted as the #ifdefs make it awkward.

diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index e220e33a62a265ea19cec92a2719cebd0fe54633..aa61642e9583950b2a317490469a52d3db2c379b 100644 (file)
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -170,7 +170,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
                case PROF_V1_XAUTH_AM:
                case PROF_V1_XAUTH_PSK_AM:
                case PROF_V1_HYBRID_AM:
-                       peer.aggressive = TRUE;
+                       peer.options |= OPT_IKEV1_AGGRESSIVE;
                        /* FALL */
                case PROF_V1_PUB:
                case PROF_V1_XAUTH:

diff --git a/src/conftest/config.c b/src/conftest/config.c
index a6dc61f7403ed49a26b7d5a923cde2936d2ba0b9..a0339798ca28e9c1bee85730465fc0dc55b7d5aa 100644 (file)
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -265,7 +265,7 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
                .cert_policy = CERT_ALWAYS_SEND,
                .unique = UNIQUE_NO,
                .keyingtries = 1,
-               .no_mobike = TRUE,
+               .options = OPT_NO_MOBIKE,
        };
 
        ike_cfg = load_ike_config(this, settings, config);

diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 4ccb5df1678534cb11fdc30204d6587ff6f25c7e..c44f87025a3e37387094d2472715ada489aecb1a 100644 (file)
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2019 Tobias Brunner
+ * Copyright (C) 2007-2025 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  *
@@ -68,6 +68,11 @@ struct private_peer_cfg_t {
         */
        char *name;
 
+       /**
+        * Options
+        */
+       peer_cfg_option_t options;
+
        /**
         * IKE config associated to this peer config
         */
@@ -103,21 +108,6 @@ struct private_peer_cfg_t {
         */
        uint32_t keyingtries;
 
-       /**
-        * enable support for MOBIKE
-        */
-       bool use_mobike;
-
-       /**
-        * Use aggressive mode?
-        */
-       bool aggressive;
-
-       /**
-        * Use pull or push in mode config?
-        */
-       bool pull_mode;
-
        /**
         * Time before starting rekeying
         */
@@ -183,11 +173,6 @@ struct private_peer_cfg_t {
         */
        identification_t *ppk_id;
 
-       /**
-        * Whether a PPK is required
-        */
-       bool ppk_required;
-
 #ifdef ME
        /**
         * Is this a mediation connection?
@@ -213,6 +198,12 @@ METHOD(peer_cfg_t, get_name, char*,
        return this->name;
 }
 
+METHOD(peer_cfg_t, has_option, bool,
+       private_peer_cfg_t *this, peer_cfg_option_t option)
+{
+       return this->options & option;
+}
+
 METHOD(peer_cfg_t, get_ike_version, ike_version_t,
        private_peer_cfg_t *this)
 {
@@ -559,24 +550,6 @@ METHOD(peer_cfg_t, get_over_time, uint32_t,
        return this->over_time;
 }
 
-METHOD(peer_cfg_t, use_mobike, bool,
-       private_peer_cfg_t *this)
-{
-       return this->use_mobike;
-}
-
-METHOD(peer_cfg_t, use_aggressive, bool,
-       private_peer_cfg_t *this)
-{
-       return this->aggressive;
-}
-
-METHOD(peer_cfg_t, use_pull_mode, bool,
-       private_peer_cfg_t *this)
-{
-       return this->pull_mode;
-}
-
 METHOD(peer_cfg_t, get_dpd, uint32_t,
        private_peer_cfg_t *this)
 {
@@ -648,12 +621,6 @@ METHOD(peer_cfg_t, get_ppk_id, identification_t*,
        return this->ppk_id;
 }
 
-METHOD(peer_cfg_t, ppk_required, bool,
-       private_peer_cfg_t *this)
-{
-       return this->ppk_required;
-}
-
 #ifdef ME
 METHOD(peer_cfg_t, is_mediation, bool,
        private_peer_cfg_t *this)
@@ -757,23 +724,20 @@ METHOD(peer_cfg_t, equals, bool,
                return FALSE;
        }
        return (
+               this->options == other->options &&
                get_ike_version(this) == get_ike_version(other) &&
                this->cert_policy == other->cert_policy &&
                this->ocsp_policy == other->ocsp_policy &&
                this->unique == other->unique &&
                this->keyingtries == other->keyingtries &&
-               this->use_mobike == other->use_mobike &&
                this->rekey_time == other->rekey_time &&
                this->reauth_time == other->reauth_time &&
                this->jitter_time == other->jitter_time &&
                this->over_time == other->over_time &&
                this->dpd == other->dpd &&
-               this->aggressive == other->aggressive &&
-               this->pull_mode == other->pull_mode &&
                auth_cfg_equal(this, other) &&
                this->if_id_in == other->if_id_in &&
                this->if_id_out == other->if_id_out &&
-               this->ppk_required == other->ppk_required &&
                id_equal(this->ppk_id, other->ppk_id)
 #ifdef ME
                && this->mediation == other->mediation &&
@@ -839,6 +803,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
        INIT(this,
                .public = {
                        .get_name = _get_name,
+                       .has_option = _has_option,
                        .get_ike_version = _get_ike_version,
                        .get_ike_cfg = _get_ike_cfg,
                        .add_child_cfg = _add_child_cfg,
@@ -853,9 +818,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
                        .get_rekey_time = _get_rekey_time,
                        .get_reauth_time = _get_reauth_time,
                        .get_over_time = _get_over_time,
-                       .use_mobike = _use_mobike,
-                       .use_aggressive = _use_aggressive,
-                       .use_pull_mode = _use_pull_mode,
                        .get_dpd = _get_dpd,
                        .get_dpd_timeout = _get_dpd_timeout,
                        .add_virtual_ip = _add_virtual_ip,
@@ -866,7 +828,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
                        .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
                        .get_if_id = _get_if_id,
                        .get_ppk_id = _get_ppk_id,
-                       .ppk_required = _ppk_required,
                        .equals = (void*)_equals,
                        .get_ref = _get_ref,
                        .destroy = _destroy,
@@ -877,6 +838,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 #endif /* ME */
                },
                .name = strdup(name),
+               .options = data->options,
                .ike_cfg = ike_cfg,
                .child_cfgs = linked_list_create(),
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
@@ -888,15 +850,11 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
                .reauth_time = data->reauth_time,
                .jitter_time = data->jitter_time,
                .over_time = data->over_time,
-               .use_mobike = !data->no_mobike,
-               .aggressive = data->aggressive,
-               .pull_mode = !data->push_mode,
                .dpd = data->dpd,
                .dpd_timeout = data->dpd_timeout,
                .if_id_in = data->if_id_in,
                .if_id_out = data->if_id_out,
                .ppk_id = data->ppk_id,
-               .ppk_required = data->ppk_required,
                .vips = linked_list_create(),
                .pools = linked_list_create(),
                .local_auth = linked_list_create(),

diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 69ea97e75b72b71c14a267b44814bf05b0516a46..54bef68d56de04be56bff1fa196b92be696332c6 100644 (file)
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2019 Tobias Brunner
+ * Copyright (C) 2007-2025 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  *
@@ -27,6 +27,7 @@
 typedef enum cert_policy_t cert_policy_t;
 typedef enum ocsp_policy_t ocsp_policy_t;
 typedef enum unique_policy_t unique_policy_t;
+typedef enum peer_cfg_option_t peer_cfg_option_t;
 typedef struct peer_cfg_t peer_cfg_t;
 typedef struct peer_cfg_create_t peer_cfg_create_t;
 
@@ -147,6 +148,14 @@ struct peer_cfg_t {
         */
        char* (*get_name) (peer_cfg_t *this);
 
+       /**
+        * Check if an option flag is set.
+        *
+        * @param option                option flag to check
+        * @return                              TRUE if option flag set, FALSE otherwise
+        */
+       bool (*has_option)(peer_cfg_t *this, peer_cfg_option_t option);
+
        /**
         * Get the IKE version to use for initiating.
         *
@@ -277,27 +286,6 @@ struct peer_cfg_t {
         */
        uint32_t (*get_over_time)(peer_cfg_t *this);
 
-       /**
-        * Use MOBIKE (RFC4555) if peer supports it?
-        *
-        * @return                      TRUE to enable MOBIKE support
-        */
-       bool (*use_mobike) (peer_cfg_t *this);
-
-       /**
-        * Use/Accept aggressive mode with IKEv1?.
-        *
-        * @return                      TRUE to use aggressive mode
-        */
-       bool (*use_aggressive)(peer_cfg_t *this);
-
-       /**
-        * Use pull or push mode for mode config?
-        *
-        * @return                      TRUE to use pull, FALSE to use push mode
-        */
-       bool (*use_pull_mode)(peer_cfg_t *this);
-
        /**
         * Get the DPD check interval.
         *
@@ -357,13 +345,6 @@ struct peer_cfg_t {
         */
        identification_t *(*get_ppk_id)(peer_cfg_t *this);
 
-       /**
-        * Whether a PPK is required with this peer.
-        *
-        * @return                              TRUE, if a PPK is required
-        */
-       bool (*ppk_required)(peer_cfg_t *this);
-
 #ifdef ME
        /**
         * Is this a mediation connection?
@@ -418,10 +399,30 @@ struct peer_cfg_t {
        void (*destroy) (peer_cfg_t *this);
 };
 
+/**
+ * Option flags that may be set on a peer_cfg_t object.
+ */
+enum peer_cfg_option_t {
+
+       /** Disable MOBIKE (RFC 4555) */
+       OPT_NO_MOBIKE = (1<<0),
+
+       /** Use/accept aggressive mode with IKEv1 */
+       OPT_IKEV1_AGGRESSIVE = (1<<1),
+
+       /** Use IKEv1 modeconfig in push mode (otherwise, pull mode is used) */
+       OPT_IKEV1_PUSH_MODE = (1<<2),
+
+       /** Require a PPK (otherwise, it's optional) */
+       OPT_PPK_REQUIRED = (1<<3),
+};
+
 /**
  * Data passed to the constructor of a peer_cfg_t object.
  */
 struct peer_cfg_create_t {
+       /** Options set for peer_cfg_t */
+       peer_cfg_option_t options;
        /** Whether to send a certificate payload */
        cert_policy_t cert_policy;
        /** Whether to send OCSP status request/response */
@@ -438,12 +439,6 @@ struct peer_cfg_create_t {
        uint32_t jitter_time;
        /** Maximum overtime in seconds before closing a rekeying/reauth SA */
        uint32_t over_time;
-       /** Disable MOBIKE (RFC4555) */
-       bool no_mobike;
-       /** Use/accept aggressive mode with IKEv1 */
-       bool aggressive;
-       /** TRUE to use modeconfig push, FALSE for pull */
-       bool push_mode;
        /** DPD check interval, 0 to disable */
        uint32_t dpd;
        /** DPD timeout interval (IKEv1 only), if 0 default applies */
@@ -454,8 +449,6 @@ struct peer_cfg_create_t {
        uint32_t if_id_out;
        /** Postquantum Preshared Key ID (adopted) */
        identification_t *ppk_id;
-       /** TRUE if a PPK is required, FALSE if it's optional */
-       bool ppk_required;
 #ifdef ME
        /** TRUE if this is a mediation connection */
        bool mediation;

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 5d05e2091c956fbdc7ef8afb052cd1fab8ce9fdf..634cba98fa62df9326981cb8c0c4a8e1e197f826 100644 (file)
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -2100,7 +2100,7 @@ static message_t *create_fragment(private_message_t *this, payload_type_t next,
                 * or transaction messages. */
                ike_sa = charon->bus->get_sa(charon->bus);
                if (ike_sa && (peer_cfg = ike_sa->get_peer_cfg(ike_sa)) &&
-                       peer_cfg->use_aggressive(peer_cfg))
+                       peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE))
                {
                        message->set_exchange_type(message, AGGRESSIVE);
                }

diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index d7e83a06b399199a1b6edd8951058e25da6e80a8..91e0cd899808fa9134ca14f8dddb69dc7428eb74 100644 (file)
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -205,7 +205,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
                .rekey_time = 86400, /* 24h */
                .jitter_time = 7200, /* 2h */
                .over_time = 3600, /* 1h */
-               .no_mobike = TRUE,
+               .options = OPT_NO_MOBIKE,
                .dpd = 30,
        };
        child_cfg_create_t child = {

diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index d36d76392c620c0e88a55a9ba3dab86befa6cf4b..2a440aa630ba1532f9550ad79a7aba8bd2049d9a 100644 (file)
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -709,7 +709,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, u_int num
                .keyingtries = 1,
                .rekey_time = this->ike_rekey,
                .over_time = this->ike_rekey,
-               .no_mobike = TRUE,
+               .options = OPT_NO_MOBIKE,
                .dpd = this->dpd_delay,
                .dpd_timeout = this->dpd_timeout,
        };

diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index aef1e1c347c023f1bda6d9413719765ab8821c95..f1f8ca1d502d18e980354b45246eedb95c33fa73 100644 (file)
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -415,7 +415,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
                                .reauth_time = reauthtime,
                                .jitter_time = jitter,
                                .over_time = overtime,
-                               .no_mobike = !mobike,
+                               .options = (mobike ? 0 : OPT_NO_MOBIKE),
                                .dpd = dpd_delay,
 #ifdef ME
                                .mediation = mediation,

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index f42b2619302c0463489fd0857c3cecea6d4968b6..b6e700fa9c70da33733704f6004aa05222b03b14 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -635,9 +635,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
        peer_cfg_create_t peer = {
                .cert_policy = msg->add_conn.me.sendcert,
                .keyingtries = msg->add_conn.rekey.tries,
-               .no_mobike = !msg->add_conn.mobike,
-               .aggressive = msg->add_conn.aggressive,
-               .push_mode = msg->add_conn.pushmode,
+               .options = (msg->add_conn.mobike ? 0 : OPT_NO_MOBIKE) |
+                                  (msg->add_conn.aggressive ? OPT_IKEV1_AGGRESSIVE : 0) |
+                                  (msg->add_conn.pushmode ? OPT_IKEV1_PUSH_MODE : 0),
                .dpd = msg->add_conn.dpd.delay,
                .dpd_timeout = msg->add_conn.dpd.timeout,
        };

diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 4c9f75cf761e8f77a6138d1a039410f9ceabb306..34d840f75a24888260b682620b873204443b4958 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -566,7 +566,8 @@ METHOD(stroke_list_t, status, void,
                        fprintf(out, "%12s:  %s...%s  %N", peer_cfg->get_name(peer_cfg),
                                        my_addr, other_addr, ike_version_names, ike_version);
 
-                       if (ike_version == IKEV1 && peer_cfg->use_aggressive(peer_cfg))
+                       if (ike_version == IKEV1 &&
+                               peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE))
                        {
                                fprintf(out, " Aggressive");
                        }

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 1a00424d63cdabda2a9f617bd1465ffdbecf0f70..c0acd6d3596a9083306a47f359a389dd367eb0e9 100644 (file)
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -314,14 +314,11 @@ static void free_auth_data(auth_data_t *data)
  */
 typedef struct {
        request_data_t *request;
+       peer_cfg_option_t options;
        uint32_t version;
-       bool aggressive;
        bool encap;
-       bool mobike;
        bool send_certreq;
-       bool pull;
        identification_t *ppk_id;
-       bool ppk_required;
        cert_policy_t send_cert;
        ocsp_policy_t ocsp;
        uint64_t dpd_delay;
@@ -419,6 +416,11 @@ static void log_auth(auth_cfg_t *auth)
        enumerator->destroy(enumerator);
 }
 
+/**
+ * Helper macro to check if an option flag is set
+ */
+#define has_opt(cfg, opt) ({ ((cfg)->options & (opt)) == (opt); })
+
 /**
  * Log parsed peer data
  */
@@ -437,9 +439,10 @@ static void log_peer_data(peer_data_t *data)
        DBG2(DBG_CFG, "  send_cert = %N", cert_policy_names, data->send_cert);
        DBG2(DBG_CFG, "  ocsp = %N", ocsp_policy_names, data->ocsp);
        DBG2(DBG_CFG, "  ppk_id = %Y",  data->ppk_id);
-       DBG2(DBG_CFG, "  ppk_required = %u",  data->ppk_required);
-       DBG2(DBG_CFG, "  mobike = %u", data->mobike);
-       DBG2(DBG_CFG, "  aggressive = %u", data->aggressive);
+       DBG2(DBG_CFG, "  ppk_required = %u", has_opt(data, OPT_PPK_REQUIRED));
+       DBG2(DBG_CFG, "  mobike = %u", !has_opt(data, OPT_NO_MOBIKE));
+       DBG2(DBG_CFG, "  aggressive = %u", has_opt(data, OPT_IKEV1_AGGRESSIVE));
+       DBG2(DBG_CFG, "  pull = %u", !has_opt(data, OPT_IKEV1_PUSH_MODE));
        DBG2(DBG_CFG, "  dscp = 0x%.2x", data->dscp);
        DBG2(DBG_CFG, "  encap = %u", data->encap);
        DBG2(DBG_CFG, "  dpd_delay = %llu", data->dpd_delay);
@@ -533,7 +536,6 @@ static void log_child_data(child_data_t *data, char *name)
 {
        child_cfg_create_t *cfg DBG_UNUSED = &data->cfg;
 
-#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); })
        DBG2(DBG_CFG, "  child %s:", name);
        DBG2(DBG_CFG, "   rekey_time = %llu", cfg->lifetime.time.rekey);
        DBG2(DBG_CFG, "   life_time = %llu", cfg->lifetime.time.life);
@@ -545,12 +547,13 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   life_packets = %llu", cfg->lifetime.packets.life);
        DBG2(DBG_CFG, "   rand_packets = %llu", cfg->lifetime.packets.jitter);
        DBG2(DBG_CFG, "   updown = %s", cfg->updown);
-       DBG2(DBG_CFG, "   hostaccess = %u", has_opt(OPT_HOSTACCESS));
-       DBG2(DBG_CFG, "   ipcomp = %u", has_opt(OPT_IPCOMP));
+       DBG2(DBG_CFG, "   hostaccess = %u", has_opt(cfg, OPT_HOSTACCESS));
+       DBG2(DBG_CFG, "   ipcomp = %u", has_opt(cfg, OPT_IPCOMP));
        DBG2(DBG_CFG, "   mode = %N%s", ipsec_mode_names, cfg->mode,
-                has_opt(OPT_PROXY_MODE) ? "_PROXY" : "");
-       DBG2(DBG_CFG, "   policies = %u", !has_opt(OPT_NO_POLICIES));
-       DBG2(DBG_CFG, "   policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES));
+                has_opt(cfg, OPT_PROXY_MODE) ? "_PROXY" : "");
+       DBG2(DBG_CFG, "   policies = %u", !has_opt(cfg, OPT_NO_POLICIES));
+       DBG2(DBG_CFG, "   policies_fwd_out = %u",
+                has_opt(cfg, OPT_FWD_OUT_POLICIES));
        if (data->replay_window != REPLAY_UNDEFINED)
        {
                DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
@@ -566,7 +569,7 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   if_id_out = %u", cfg->if_id_out);
        DBG2(DBG_CFG, "   mark_in = %u/%u",
                 cfg->mark_in.value, cfg->mark_in.mask);
-       DBG2(DBG_CFG, "   mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
+       DBG2(DBG_CFG, "   mark_in_sa = %u", has_opt(cfg, OPT_MARK_IN_SA));
        DBG2(DBG_CFG, "   mark_out = %u/%u",
                 cfg->mark_out.value, cfg->mark_out.mask);
        DBG2(DBG_CFG, "   set_mark_in = %u/%u",
@@ -581,9 +584,9 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   local_ts = %#R", data->local_ts);
        DBG2(DBG_CFG, "   remote_ts = %#R", data->remote_ts);
        DBG2(DBG_CFG, "   hw_offload = %N", hw_offload_names, cfg->hw_offload);
-       DBG2(DBG_CFG, "   sha256_96 = %u", has_opt(OPT_SHA256_96));
-       DBG2(DBG_CFG, "   copy_df = %u", !has_opt(OPT_NO_COPY_DF));
-       DBG2(DBG_CFG, "   copy_ecn = %u", !has_opt(OPT_NO_COPY_ECN));
+       DBG2(DBG_CFG, "   sha256_96 = %u", has_opt(cfg, OPT_SHA256_96));
+       DBG2(DBG_CFG, "   copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
+       DBG2(DBG_CFG, "   copy_ecn = %u", !has_opt(cfg, OPT_NO_COPY_ECN));
        DBG2(DBG_CFG, "   copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
 }
 
@@ -916,6 +919,65 @@ CALLBACK(parse_mode, bool,
        return FALSE;
 }
 
+/**
+ * Macro to parse an option flag, add it if parsed value is either TRUE or FALSE.
+ */
+#define PARSE_OPTION(out, opt, v, add_if_true) \
+       bool val; \
+       if (parse_bool(&val, v)) { \
+               if (val == add_if_true) { \
+                       *out |= opt; \
+               } \
+               return TRUE; \
+       } \
+       return FALSE;
+
+/**
+ * Enable a peer_cfg_option_t, the flag controls whether the option is enabled
+ * if the parsed value is TRUE or FALSE.
+ */
+static bool parse_peer_option(peer_cfg_option_t *out, peer_cfg_option_t opt,
+                                                         chunk_t v, bool add_if_true)
+{
+       PARSE_OPTION(out, opt, v, add_if_true)
+}
+
+/**
+ * Parse OPT_NO_MOBIKE option
+ */
+CALLBACK(parse_opt_mobike, bool,
+       peer_cfg_option_t *out, chunk_t v)
+{
+       return parse_peer_option(out, OPT_NO_MOBIKE, v, FALSE);
+}
+
+/**
+ * Parse OPT_IKEV1_AGGRESSIVE option
+ */
+CALLBACK(parse_opt_aggr, bool,
+       peer_cfg_option_t *out, chunk_t v)
+{
+       return parse_peer_option(out, OPT_IKEV1_AGGRESSIVE, v, TRUE);
+}
+
+/**
+ * Parse OPT_IKEV1_PUSH_MODE option
+ */
+CALLBACK(parse_opt_pull, bool,
+       peer_cfg_option_t *out, chunk_t v)
+{
+       return parse_peer_option(out, OPT_IKEV1_PUSH_MODE, v, FALSE);
+}
+
+/**
+ * Parse OPT_PPK_REQUIRED option
+ */
+CALLBACK(parse_opt_ppk_req, bool,
+       peer_cfg_option_t *out, chunk_t v)
+{
+       return parse_peer_option(out, OPT_PPK_REQUIRED, v, TRUE);
+}
+
 /**
  * Enable a child_cfg_option_t, the flag controls whether the option is enabled
  * if the parsed value is TRUE or FALSE.
@@ -923,17 +985,7 @@ CALLBACK(parse_mode, bool,
 static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt,
                                                 chunk_t v, bool add_if_true)
 {
-       bool val;
-
-       if (parse_bool(&val, v))
-       {
-               if (val == add_if_true)
-               {
-                       *out |= opt;
-               }
-               return TRUE;
-       }
-       return FALSE;
+       PARSE_OPTION(out, opt, v, add_if_true)
 }
 
 /**
@@ -1939,11 +1991,11 @@ CALLBACK(peer_kv, bool,
 {
        parse_rule_t rules[] = {
                { "version",            parse_uint32,           &peer->version                          },
-               { "aggressive",         parse_bool,                     &peer->aggressive                       },
-               { "pull",                       parse_bool,                     &peer->pull                                     },
+               { "aggressive",         parse_opt_aggr,         &peer->options                          },
+               { "pull",                       parse_opt_pull,         &peer->options                          },
                { "dscp",                       parse_dscp,                     &peer->dscp                                     },
                { "encap",                      parse_bool,                     &peer->encap                            },
-               { "mobike",                     parse_bool,                     &peer->mobike                           },
+               { "mobike",                     parse_opt_mobike,       &peer->options                          },
                { "dpd_delay",          parse_time,                     &peer->dpd_delay                        },
                { "dpd_timeout",        parse_time,                     &peer->dpd_timeout                      },
                { "fragmentation",      parse_frag,                     &peer->fragmentation            },
@@ -1960,7 +2012,7 @@ CALLBACK(peer_kv, bool,
                { "over_time",          parse_time,                     &peer->over_time                        },
                { "rand_time",          parse_time,                     &peer->rand_time                        },
                { "ppk_id",                     parse_peer_id,          &peer->ppk_id                           },
-               { "ppk_required",       parse_bool,                     &peer->ppk_required                     },
+               { "ppk_required",       parse_opt_ppk_req,      &peer->options                          },
                { "if_id_in",           parse_if_id,            &peer->if_id_in                         },
                { "if_id_out",          parse_if_id,            &peer->if_id_out                        },
 #ifdef ME
@@ -2712,9 +2764,7 @@ CALLBACK(config_sn, bool,
                .vips = linked_list_create(),
                .children = linked_list_create(),
                .proposals = linked_list_create(),
-               .mobike = TRUE,
                .send_certreq = TRUE,
-               .pull = TRUE,
                .send_cert = CERT_SEND_IF_ASKED,
                .ocsp = OCSP_SEND_REPLY,
                .version = IKE_ANY,
@@ -2866,6 +2916,7 @@ CALLBACK(config_sn, bool,
        ike_cfg = ike_cfg_create(&ike);
 
        cfg = (peer_cfg_create_t){
+               .options = peer.options,
                .cert_policy = peer.send_cert,
                .ocsp_policy = peer.ocsp,
                .unique = peer.unique,
@@ -2874,13 +2925,9 @@ CALLBACK(config_sn, bool,
                .reauth_time = peer.reauth_time,
                .jitter_time = peer.rand_time,
                .over_time = peer.over_time,
-               .no_mobike = !peer.mobike,
-               .aggressive = peer.aggressive,
-               .push_mode = !peer.pull,
                .dpd = peer.dpd_delay,
                .dpd_timeout = peer.dpd_timeout,
                .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
-               .ppk_required = peer.ppk_required,
                .if_id_in = peer.if_id_in,
                .if_id_out = peer.if_id_out,
        };

diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 8ba614fb6b7d8329c87c06238c6effc7c67dd7e1..628763e19183860dc7439b8114509922e3000635 100644 (file)
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -972,7 +972,7 @@ CALLBACK(list_conns, vici_message_t*,
                {
                        b->add_kv(b, "ppk_id", "%Y", ppk_id);
                }
-               if (peer_cfg->ppk_required(peer_cfg))
+               if (peer_cfg->has_option(peer_cfg, OPT_PPK_REQUIRED))
                {
                        b->add_kv(b, "ppk_required", "yes");
                }

diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index 61c400580b0b0eba48d2848d628e6f7c041ad1ec..ee3a5c8f2bde3011d9527c747b9a9ed1690fb9e2 100644 (file)
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -146,7 +146,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
                if (other_auth)
                {
                        my_id = this->ike_sa->get_my_id(this->ike_sa);
-                       if (peer_cfg->use_aggressive(peer_cfg))
+                       if (peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE))
                        {
                                other_id = this->ike_sa->get_other_id(this->ike_sa);
                        }
@@ -573,7 +573,7 @@ METHOD(phase1_t, select_config, peer_cfg_t*,
        while (enumerator->enumerate(enumerator, &current))
        {
                if (check_auth_method(this, current, method) &&
-                       current->use_aggressive(current) == aggressive)
+                       current->has_option(current, OPT_IKEV1_AGGRESSIVE) == aggressive)
                {
                        current->get_ref(current);
                        if (!this->peer_cfg)

diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 293a8c22636c8d7f7d5924f9c882e462075d384f..c5a8e9a4579318379a78451ff3777810fc2373d5 100644 (file)
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -402,7 +402,7 @@ static bool mode_config_expected(private_task_manager_t *this)
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        if (peer_cfg)
        {
-               if (peer_cfg->use_pull_mode(peer_cfg))
+               if (!peer_cfg->has_option(peer_cfg, OPT_IKEV1_PUSH_MODE))
                {
                        enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
                        if (!enumerator->enumerate(enumerator, &pool))
@@ -1563,7 +1563,7 @@ METHOD(task_manager_t, queue_ike, void,
                queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
        }
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-       if (peer_cfg->use_aggressive(peer_cfg))
+       if (peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE))
        {
                if (!has_queued(this, TASK_AGGRESSIVE_MODE))
                {

diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 6dbaabe9cb803b4d15c2e559bfddece0c2118353..8e8b42f8ad9e73de01d3fff73a0a5706a40d8836 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -329,7 +329,8 @@ METHOD(task_t, build_i, status_t,
                        /* check for and prepare mode config push/pull */
                        if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
                        {
-                               if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (!this->peer_cfg->has_option(this->peer_cfg,
+                                                                                               OPT_IKEV1_PUSH_MODE))
                                {
                                        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
@@ -341,7 +342,8 @@ METHOD(task_t, build_i, status_t,
                        }
                        else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
                        {
-                               if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (!this->peer_cfg->has_option(this->peer_cfg,
+                                                                                               OPT_IKEV1_PUSH_MODE))
                                {
                                        schedule_timeout(this->ike_sa);
                                }
@@ -540,7 +542,8 @@ METHOD(task_t, process_r, status_t,
                        /* check for and prepare mode config push/pull */
                        if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
                        {
-                               if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (!this->peer_cfg->has_option(this->peer_cfg,
+                                                                                               OPT_IKEV1_PUSH_MODE))
                                {
                                        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
@@ -548,7 +551,8 @@ METHOD(task_t, process_r, status_t,
                        }
                        else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
                        {
-                               if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (this->peer_cfg->has_option(this->peer_cfg,
+                                                                                          OPT_IKEV1_PUSH_MODE))
                                {
                                        if (job)
                                        {

diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 4248700d5e02e2fb00b0c9565ac39664b5e69a35..18a13c50047de5ca757eb86a296b7e346af06f32 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -575,7 +575,8 @@ METHOD(task_t, build_r, status_t,
                        }
                        if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
                        {
-                               if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (!this->peer_cfg->has_option(this->peer_cfg,
+                                                                                               OPT_IKEV1_PUSH_MODE))
                                {
                                        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
@@ -583,7 +584,8 @@ METHOD(task_t, build_r, status_t,
                        }
                        else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
                        {
-                               if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (this->peer_cfg->has_option(this->peer_cfg,
+                                                                                          OPT_IKEV1_PUSH_MODE))
                                {
                                        if (job)
                                        {
@@ -758,7 +760,8 @@ METHOD(task_t, process_i, status_t,
                        /* check for and prepare mode config push/pull */
                        if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
                        {
-                               if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (!this->peer_cfg->has_option(this->peer_cfg,
+                                                                                               OPT_IKEV1_PUSH_MODE))
                                {
                                        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
@@ -770,7 +773,8 @@ METHOD(task_t, process_i, status_t,
                        }
                        else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
                        {
-                               if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+                               if (!this->peer_cfg->has_option(this->peer_cfg,
+                                                                                               OPT_IKEV1_PUSH_MODE))
                                {
                                        schedule_timeout(this->ike_sa);
                                }

diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index b718042ea73bbb037c695ec384968d5d137755f5..4730758714d5dcbd246a47df5e696703e9da525e 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -189,7 +189,7 @@ static bool accept_push(private_mode_config_t *this)
        vip = enumerator->enumerate(enumerator, &host);
        enumerator->destroy(enumerator);
 
-       return vip && !config->use_pull_mode(config);
+       return vip && config->has_option(config, OPT_IKEV1_PUSH_MODE);
 }
 
 /**

diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 3bf2175e0c097aa1d63b520567803edf5ea4e92b..08e32a76dc3c97f1dccdeaaea646fc9fc6356012 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -229,7 +229,7 @@ static bool select_compliant_config(private_xauth_t *this)
        }
        DBG1(DBG_CFG, "selected peer config '%s' unacceptable",
                 old->get_name(old));
-       aggressive = old->use_aggressive(old);
+       aggressive = old->has_option(old, OPT_IKEV1_AGGRESSIVE);
 
        my_host = this->ike_sa->get_my_host(this->ike_sa);
        other_host = this->ike_sa->get_other_host(this->ike_sa);
@@ -240,7 +240,7 @@ static bool select_compliant_config(private_xauth_t *this)
        while (enumerator->enumerate(enumerator, &current))
        {
                if (!current->equals(current, old) &&
-                       current->use_aggressive(current) == aggressive &&
+                       current->has_option(current, OPT_IKEV1_AGGRESSIVE) == aggressive &&
                        is_compliant(this, current, FALSE))
                {
                        peer_cfg = current;

diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 86f9f8b49be8e9522c81b7bbc168987d6a68b4a7..1e213aaaf579fc42a313eebf9de0ffc5de4d790b 100644 (file)
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -2121,7 +2121,7 @@ METHOD(task_manager_t, queue_ike, void,
                peer_cfg_t *peer_cfg;
 
                peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-               if (peer_cfg->use_mobike(peer_cfg))
+               if (!peer_cfg->has_option(peer_cfg, OPT_NO_MOBIKE))
                {
                        queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
                }

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 493cd5b8378a2736d74d6f844dc7cabeee9efd34..80c0f47d3d6496ccc55093f2c604b85f917313af 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -564,7 +564,7 @@ static bool get_ppk(private_ike_auth_t *this, identification_t *ppk_id)
        key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL);
        if (!key)
        {
-               if (this->peer_cfg->ppk_required(this->peer_cfg))
+               if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED))
                {
                        DBG1(DBG_CFG, "PPK required but no PPK found for '%Y'", ppk_id);
                        return FALSE;
@@ -589,7 +589,7 @@ static bool get_ppk_i(private_ike_auth_t *this)
 
        if (!this->ike_sa->supports_extension(this->ike_sa, EXT_PPK))
        {
-               if (this->peer_cfg->ppk_required(this->peer_cfg))
+               if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED))
                {
                        DBG1(DBG_CFG, "PPK required but peer does not support PPK");
                        return FALSE;
@@ -600,7 +600,7 @@ static bool get_ppk_i(private_ike_auth_t *this)
        ppk_id = this->peer_cfg->get_ppk_id(this->peer_cfg);
        if (!ppk_id)
        {
-               if (this->peer_cfg->ppk_required(this->peer_cfg))
+               if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED))
                {
                        DBG1(DBG_CFG, "PPK required but no PPK_ID configured");
                        return FALSE;
@@ -622,7 +622,7 @@ static bool get_ppk_r(private_ike_auth_t *this, message_t *msg)
 
        if (!this->ike_sa->supports_extension(this->ike_sa, EXT_PPK))
        {
-               if (this->peer_cfg->ppk_required(this->peer_cfg))
+               if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED))
                {
                        DBG1(DBG_CFG, "PPK required but peer does not support PPK");
                        return FALSE;
@@ -633,7 +633,7 @@ static bool get_ppk_r(private_ike_auth_t *this, message_t *msg)
        notify = msg->get_notify(msg, PPK_IDENTITY);
        if (!notify || !parse_ppk_identity(notify, &ppk_id))
        {
-               if (this->peer_cfg->ppk_required(this->peer_cfg))
+               if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED))
                {
                        DBG1(DBG_CFG, "PPK required but no PPK_IDENTITY received");
                        return FALSE;
@@ -816,7 +816,7 @@ METHOD(task_t, build_i, status_t,
        if (this->ppk.ptr && this->my_auth->use_ppk)
        {
                this->my_auth->use_ppk(this->my_auth, this->ppk,
-                                                       !this->peer_cfg->ppk_required(this->peer_cfg));
+                               !this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED));
        }
        switch (this->my_auth->build(this->my_auth, message))
        {

diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index 0040d43bc642f9dc2a6647f28f6376fa04ddc8bf..0ff2be8eb632887eba378e955bd00ce9d2ebfcf1 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -136,7 +136,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 
                                peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
                                if (!this->initiator &&
-                                       peer_cfg && !peer_cfg->use_mobike(peer_cfg))
+                                       peer_cfg && peer_cfg->has_option(peer_cfg, OPT_NO_MOBIKE))
                                {
                                        DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
                                }

diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index a9cce2efb42dd609282878bfac681613c669ef9e..a442786399bde6962ed9ef158ee1b29212aec59f 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -304,7 +304,7 @@ METHOD(task_t, process_i, status_t,
 
                peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
                if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-                       (peer_cfg->use_mobike(peer_cfg) &&
+                       (!peer_cfg->has_option(peer_cfg, OPT_NO_MOBIKE) &&
                         this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
                {       /* if the peer supports NAT-T, we switch to port 4500 even if no
                         * NAT is detected. can't be done later (when we would know