NULL
};
+static const char *LST_authby[] = {
+ "psk",
+ "secret",
+ "pubkey",
+ "rsa",
+ "rsasig",
+ "ecdsa",
+ "ecdsasig",
+ "xauthpsk",
+ "xauthrsasig",
+ "never",
+ NULL
+};
+
typedef struct {
arg_t type;
size_t offset;
{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool },
{ ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
- { ARG_MISC, 0, NULL /* KW_AUTHBY */ },
+ { ARG_STR, offsetof(starter_conn_t, authby), LST_authby },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
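Review bot: Nothing visible here shows that the generic ARG_STR path checks the value against `LST_authby`; the neighbouring ARG_STR rows all pass NULL, so the KW_AUTHBY row is the only one in this part of the table relying on a list. The removed `case KW_AUTHBY` rejected unknown values with `cfg->err++` and also accepted the two-value form (`secret|rsasig`), which the list does not contain. If the list is not enforced for ARG_STR, a misspelled authby would be stored unchanged and matched by none of the later `streq()` branches, leaving the auth method unset without any error. If it is enforced, existing configs that use the `|` form will stop loading. Once confirmed, I would record the behaviour on the row, e.g. `/* KW_AUTHBY: checked against LST_authby, "a|b" form no longer accepted */`; the table itself starts and ends outside this hunk.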
case KW_AUTH:
KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
break;
- case KW_AUTHBY:
- conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
-
- if (!streq(kw->value, "never"))
- {
- char *value = kw->value;
- char *second = strchr(kw->value, '|');
-
- if (second != NULL)
- {
- *second = '\0';
- }
-
- /* also handles the cases secret|rsasig and rsasig|secret */
- for (;;)
- {
- if (streq(value, "rsa") || streq(value, "rsasig") ||
- streq(value, "ecdsa") || streq(value, "ecdsasig") ||
- streq(value, "pubkey"))
- {
- conn->policy |= POLICY_PUBKEY | POLICY_ENCRYPT;
- }
- else if (streq(value, "secret") || streq(value, "psk"))
- {
- conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
- }
- else if (streq(value, "xauthrsasig"))
- {
- conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
- }
- else if (streq(value, "xauthpsk"))
- {
- conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
- }
- else
- {
- DBG1(DBG_APP, "# bad policy value: %s=%s",
- kw->entry->name, kw->value);
- cfg->err++;
- break;
- }
- if (second == NULL)
- {
- break;
- }
- value = second;
- second = NULL; /* traverse the loop no more than twice */
- }
- }
- break;
case KW_MARK:
if (!handle_mark(kw->value, &conn->mark_in))
{
char *eap_identity;
char *aaa_identity;
char *xauth_identity;
+ char *authby;
lset_t policy;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
time_t sa_rekey_margin;
- u_int64_t sa_ipsec_life_bytes;
- u_int64_t sa_ipsec_margin_bytes;
- u_int64_t sa_ipsec_life_packets;
- u_int64_t sa_ipsec_margin_packets;
+ u_int64_t sa_ipsec_life_bytes;
+ u_int64_t sa_ipsec_margin_bytes;
+ u_int64_t sa_ipsec_life_packets;
+ u_int64_t sa_ipsec_margin_packets;
unsigned long sa_keying_tries;
unsigned long sa_rekey_fuzz;
u_int32_t reqid;
char *crluri2;
char *ocspuri;
char *ocspuri2;
- char *certuribase;
+ char *certuribase;
bool strict;
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
- if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)
+ if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
+ conn->authby)
{ /* leftauth/rightauth not set, use legacy options */
- if (conn->policy & POLICY_PUBKEY)
+ if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") ||
+ streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
+ streq(conn->authby, "pubkey"))
{
msg.add_conn.me.auth = push_string(&msg, "pubkey");
msg.add_conn.other.auth = push_string(&msg, "pubkey");
}
- else if (conn->policy & POLICY_PSK)
+ else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
{
msg.add_conn.me.auth = push_string(&msg, "psk");
msg.add_conn.other.auth = push_string(&msg, "psk");
}
- else if (conn->policy & POLICY_XAUTH_RSASIG)
+ else if (streq(conn->authby, "xauthrsasig"))
{
msg.add_conn.me.auth = push_string(&msg, "pubkey");
msg.add_conn.other.auth = push_string(&msg, "pubkey");
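Review bot: `never` is listed in `LST_authby` but is matched by none of the `streq()` branches here or in the following hunk, so with `authby=never` both `msg.add_conn.me.auth` and `msg.add_conn.other.auth` appear to stay unset. The removed parser treated `never` explicitly, clearing `POLICY_ID_AUTH_MASK | POLICY_ENCRYPT` and selecting no method, whereas the result now depends on whatever default the receiver of this message applies to an unset auth field, which is not visible here. I would make the case explicit at the end of the chain, either with a comment such as `/* "never": leave auth unset on purpose, receiver default applies */` or with a final `else` that logs the unhandled value. The chain continues past this hunk, so a closing branch may already exist outside the visible lines.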
msg.add_conn.me.auth2 = push_string(&msg, "xauth");
}
}
- else if (conn->policy & POLICY_XAUTH_PSK)
+ else if (streq(conn->authby, "xauthpsk"))
{
msg.add_conn.me.auth = push_string(&msg, "psk");
msg.add_conn.other.auth = push_string(&msg, "psk");