From: Tobias Brunner Date: Fri, 28 Mar 2025 13:06:16 +0000 (+0100) Subject: peer-cfg: Use flags for boolean options X-Git-Tag: 6.0.2dr1~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ed63be6125ba7a7c23e95a0a4e39e2a26b9b8b8;p=thirdparty%2Fstrongswan.git peer-cfg: Use flags for boolean options Makes it potentially easier to add new flags. The mediation flag is not converted as the #ifdefs make it awkward. --- diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index e220e33a62..aa61642e95 100644 --- a/src/charon-cmd/cmd/cmd_connection.c +++ b/src/charon-cmd/cmd/cmd_connection.c @@ -170,7 +170,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) case PROF_V1_XAUTH_AM: case PROF_V1_XAUTH_PSK_AM: case PROF_V1_HYBRID_AM: - peer.aggressive = TRUE; + peer.options |= OPT_IKEV1_AGGRESSIVE; /* FALL */ case PROF_V1_PUB: case PROF_V1_XAUTH: diff --git a/src/conftest/config.c b/src/conftest/config.c index a6dc61f740..a0339798ca 100644 --- a/src/conftest/config.c +++ b/src/conftest/config.c @@ -265,7 +265,7 @@ static peer_cfg_t *load_peer_config(private_config_t *this, .cert_policy = CERT_ALWAYS_SEND, .unique = UNIQUE_NO, .keyingtries = 1, - .no_mobike = TRUE, + .options = OPT_NO_MOBIKE, }; ike_cfg = load_ike_config(this, settings, config); diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 4ccb5df167..c44f87025a 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2019 Tobias Brunner + * Copyright (C) 2007-2025 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * @@ -68,6 +68,11 @@ struct private_peer_cfg_t { */ char *name; + /** + * Options + */ + peer_cfg_option_t options; + /** * IKE config associated to this peer config */ @@ -103,21 +108,6 @@ struct private_peer_cfg_t { */ uint32_t keyingtries; - /** - * enable support for MOBIKE - */ - bool use_mobike; - - /** - * Use aggressive mode? - */ - bool aggressive; - - /** - * Use pull or push in mode config? - */ - bool pull_mode; - /** * Time before starting rekeying */ @@ -183,11 +173,6 @@ struct private_peer_cfg_t { */ identification_t *ppk_id; - /** - * Whether a PPK is required - */ - bool ppk_required; - #ifdef ME /** * Is this a mediation connection? @@ -213,6 +198,12 @@ METHOD(peer_cfg_t, get_name, char*, return this->name; } +METHOD(peer_cfg_t, has_option, bool, + private_peer_cfg_t *this, peer_cfg_option_t option) +{ + return this->options & option; +} + METHOD(peer_cfg_t, get_ike_version, ike_version_t, private_peer_cfg_t *this) { @@ -559,24 +550,6 @@ METHOD(peer_cfg_t, get_over_time, uint32_t, return this->over_time; } -METHOD(peer_cfg_t, use_mobike, bool, - private_peer_cfg_t *this) -{ - return this->use_mobike; -} - -METHOD(peer_cfg_t, use_aggressive, bool, - private_peer_cfg_t *this) -{ - return this->aggressive; -} - -METHOD(peer_cfg_t, use_pull_mode, bool, - private_peer_cfg_t *this) -{ - return this->pull_mode; -} - METHOD(peer_cfg_t, get_dpd, uint32_t, private_peer_cfg_t *this) { @@ -648,12 +621,6 @@ METHOD(peer_cfg_t, get_ppk_id, identification_t*, return this->ppk_id; } -METHOD(peer_cfg_t, ppk_required, bool, - private_peer_cfg_t *this) -{ - return this->ppk_required; -} - #ifdef ME METHOD(peer_cfg_t, is_mediation, bool, private_peer_cfg_t *this) @@ -757,23 +724,20 @@ METHOD(peer_cfg_t, equals, bool, return FALSE; } return ( + this->options == other->options && get_ike_version(this) == get_ike_version(other) && this->cert_policy == other->cert_policy && this->ocsp_policy == other->ocsp_policy && this->unique == other->unique && this->keyingtries == other->keyingtries && - this->use_mobike == other->use_mobike && this->rekey_time == other->rekey_time && this->reauth_time == other->reauth_time && this->jitter_time == other->jitter_time && this->over_time == other->over_time && this->dpd == other->dpd && - this->aggressive == other->aggressive && - this->pull_mode == other->pull_mode && auth_cfg_equal(this, other) && this->if_id_in == other->if_id_in && this->if_id_out == other->if_id_out && - this->ppk_required == other->ppk_required && id_equal(this->ppk_id, other->ppk_id) #ifdef ME && this->mediation == other->mediation && @@ -839,6 +803,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, INIT(this, .public = { .get_name = _get_name, + .has_option = _has_option, .get_ike_version = _get_ike_version, .get_ike_cfg = _get_ike_cfg, .add_child_cfg = _add_child_cfg, @@ -853,9 +818,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, .get_rekey_time = _get_rekey_time, .get_reauth_time = _get_reauth_time, .get_over_time = _get_over_time, - .use_mobike = _use_mobike, - .use_aggressive = _use_aggressive, - .use_pull_mode = _use_pull_mode, .get_dpd = _get_dpd, .get_dpd_timeout = _get_dpd_timeout, .add_virtual_ip = _add_virtual_ip, @@ -866,7 +828,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, .get_if_id = _get_if_id, .get_ppk_id = _get_ppk_id, - .ppk_required = _ppk_required, .equals = (void*)_equals, .get_ref = _get_ref, .destroy = _destroy, @@ -877,6 +838,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, #endif /* ME */ }, .name = strdup(name), + .options = data->options, .ike_cfg = ike_cfg, .child_cfgs = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), @@ -888,15 +850,11 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, .reauth_time = data->reauth_time, .jitter_time = data->jitter_time, .over_time = data->over_time, - .use_mobike = !data->no_mobike, - .aggressive = data->aggressive, - .pull_mode = !data->push_mode, .dpd = data->dpd, .dpd_timeout = data->dpd_timeout, .if_id_in = data->if_id_in, .if_id_out = data->if_id_out, .ppk_id = data->ppk_id, - .ppk_required = data->ppk_required, .vips = linked_list_create(), .pools = linked_list_create(), .local_auth = linked_list_create(), diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index 69ea97e75b..54bef68d56 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2019 Tobias Brunner + * Copyright (C) 2007-2025 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * @@ -27,6 +27,7 @@ typedef enum cert_policy_t cert_policy_t; typedef enum ocsp_policy_t ocsp_policy_t; typedef enum unique_policy_t unique_policy_t; +typedef enum peer_cfg_option_t peer_cfg_option_t; typedef struct peer_cfg_t peer_cfg_t; typedef struct peer_cfg_create_t peer_cfg_create_t; @@ -147,6 +148,14 @@ struct peer_cfg_t { */ char* (*get_name) (peer_cfg_t *this); + /** + * Check if an option flag is set. + * + * @param option option flag to check + * @return TRUE if option flag set, FALSE otherwise + */ + bool (*has_option)(peer_cfg_t *this, peer_cfg_option_t option); + /** * Get the IKE version to use for initiating. * @@ -277,27 +286,6 @@ struct peer_cfg_t { */ uint32_t (*get_over_time)(peer_cfg_t *this); - /** - * Use MOBIKE (RFC4555) if peer supports it? - * - * @return TRUE to enable MOBIKE support - */ - bool (*use_mobike) (peer_cfg_t *this); - - /** - * Use/Accept aggressive mode with IKEv1?. - * - * @return TRUE to use aggressive mode - */ - bool (*use_aggressive)(peer_cfg_t *this); - - /** - * Use pull or push mode for mode config? - * - * @return TRUE to use pull, FALSE to use push mode - */ - bool (*use_pull_mode)(peer_cfg_t *this); - /** * Get the DPD check interval. * @@ -357,13 +345,6 @@ struct peer_cfg_t { */ identification_t *(*get_ppk_id)(peer_cfg_t *this); - /** - * Whether a PPK is required with this peer. - * - * @return TRUE, if a PPK is required - */ - bool (*ppk_required)(peer_cfg_t *this); - #ifdef ME /** * Is this a mediation connection? @@ -418,10 +399,30 @@ struct peer_cfg_t { void (*destroy) (peer_cfg_t *this); }; +/** + * Option flags that may be set on a peer_cfg_t object. + */ +enum peer_cfg_option_t { + + /** Disable MOBIKE (RFC 4555) */ + OPT_NO_MOBIKE = (1<<0), + + /** Use/accept aggressive mode with IKEv1 */ + OPT_IKEV1_AGGRESSIVE = (1<<1), + + /** Use IKEv1 modeconfig in push mode (otherwise, pull mode is used) */ + OPT_IKEV1_PUSH_MODE = (1<<2), + + /** Require a PPK (otherwise, it's optional) */ + OPT_PPK_REQUIRED = (1<<3), +}; + /** * Data passed to the constructor of a peer_cfg_t object. */ struct peer_cfg_create_t { + /** Options set for peer_cfg_t */ + peer_cfg_option_t options; /** Whether to send a certificate payload */ cert_policy_t cert_policy; /** Whether to send OCSP status request/response */ @@ -438,12 +439,6 @@ struct peer_cfg_create_t { uint32_t jitter_time; /** Maximum overtime in seconds before closing a rekeying/reauth SA */ uint32_t over_time; - /** Disable MOBIKE (RFC4555) */ - bool no_mobike; - /** Use/accept aggressive mode with IKEv1 */ - bool aggressive; - /** TRUE to use modeconfig push, FALSE for pull */ - bool push_mode; /** DPD check interval, 0 to disable */ uint32_t dpd; /** DPD timeout interval (IKEv1 only), if 0 default applies */ @@ -454,8 +449,6 @@ struct peer_cfg_create_t { uint32_t if_id_out; /** Postquantum Preshared Key ID (adopted) */ identification_t *ppk_id; - /** TRUE if a PPK is required, FALSE if it's optional */ - bool ppk_required; #ifdef ME /** TRUE if this is a mediation connection */ bool mediation; diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index 5d05e2091c..634cba98fa 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -2100,7 +2100,7 @@ static message_t *create_fragment(private_message_t *this, payload_type_t next, * or transaction messages. */ ike_sa = charon->bus->get_sa(charon->bus); if (ike_sa && (peer_cfg = ike_sa->get_peer_cfg(ike_sa)) && - peer_cfg->use_aggressive(peer_cfg)) + peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE)) { message->set_exchange_type(message, AGGRESSIVE); } diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index d7e83a06b3..91e0cd8998 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -205,7 +205,7 @@ static void setup_tunnel(private_ha_tunnel_t *this, .rekey_time = 86400, /* 24h */ .jitter_time = 7200, /* 2h */ .over_time = 3600, /* 1h */ - .no_mobike = TRUE, + .options = OPT_NO_MOBIKE, .dpd = 30, }; child_cfg_create_t child = { diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index d36d76392c..2a440aa630 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -709,7 +709,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, u_int num .keyingtries = 1, .rekey_time = this->ike_rekey, .over_time = this->ike_rekey, - .no_mobike = TRUE, + .options = OPT_NO_MOBIKE, .dpd = this->dpd_delay, .dpd_timeout = this->dpd_timeout, }; diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index aef1e1c347..f1f8ca1d50 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -415,7 +415,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, .reauth_time = reauthtime, .jitter_time = jitter, .over_time = overtime, - .no_mobike = !mobike, + .options = (mobike ? 0 : OPT_NO_MOBIKE), .dpd = dpd_delay, #ifdef ME .mediation = mediation, diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index f42b261930..b6e700fa9c 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -635,9 +635,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, peer_cfg_create_t peer = { .cert_policy = msg->add_conn.me.sendcert, .keyingtries = msg->add_conn.rekey.tries, - .no_mobike = !msg->add_conn.mobike, - .aggressive = msg->add_conn.aggressive, - .push_mode = msg->add_conn.pushmode, + .options = (msg->add_conn.mobike ? 0 : OPT_NO_MOBIKE) | + (msg->add_conn.aggressive ? OPT_IKEV1_AGGRESSIVE : 0) | + (msg->add_conn.pushmode ? OPT_IKEV1_PUSH_MODE : 0), .dpd = msg->add_conn.dpd.delay, .dpd_timeout = msg->add_conn.dpd.timeout, }; diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 4c9f75cf76..34d840f75a 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -566,7 +566,8 @@ METHOD(stroke_list_t, status, void, fprintf(out, "%12s: %s...%s %N", peer_cfg->get_name(peer_cfg), my_addr, other_addr, ike_version_names, ike_version); - if (ike_version == IKEV1 && peer_cfg->use_aggressive(peer_cfg)) + if (ike_version == IKEV1 && + peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE)) { fprintf(out, " Aggressive"); } diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 1a00424d63..c0acd6d359 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -314,14 +314,11 @@ static void free_auth_data(auth_data_t *data) */ typedef struct { request_data_t *request; + peer_cfg_option_t options; uint32_t version; - bool aggressive; bool encap; - bool mobike; bool send_certreq; - bool pull; identification_t *ppk_id; - bool ppk_required; cert_policy_t send_cert; ocsp_policy_t ocsp; uint64_t dpd_delay; @@ -419,6 +416,11 @@ static void log_auth(auth_cfg_t *auth) enumerator->destroy(enumerator); } +/** + * Helper macro to check if an option flag is set + */ +#define has_opt(cfg, opt) ({ ((cfg)->options & (opt)) == (opt); }) + /** * Log parsed peer data */ @@ -437,9 +439,10 @@ static void log_peer_data(peer_data_t *data) DBG2(DBG_CFG, " send_cert = %N", cert_policy_names, data->send_cert); DBG2(DBG_CFG, " ocsp = %N", ocsp_policy_names, data->ocsp); DBG2(DBG_CFG, " ppk_id = %Y", data->ppk_id); - DBG2(DBG_CFG, " ppk_required = %u", data->ppk_required); - DBG2(DBG_CFG, " mobike = %u", data->mobike); - DBG2(DBG_CFG, " aggressive = %u", data->aggressive); + DBG2(DBG_CFG, " ppk_required = %u", has_opt(data, OPT_PPK_REQUIRED)); + DBG2(DBG_CFG, " mobike = %u", !has_opt(data, OPT_NO_MOBIKE)); + DBG2(DBG_CFG, " aggressive = %u", has_opt(data, OPT_IKEV1_AGGRESSIVE)); + DBG2(DBG_CFG, " pull = %u", !has_opt(data, OPT_IKEV1_PUSH_MODE)); DBG2(DBG_CFG, " dscp = 0x%.2x", data->dscp); DBG2(DBG_CFG, " encap = %u", data->encap); DBG2(DBG_CFG, " dpd_delay = %llu", data->dpd_delay); @@ -533,7 +536,6 @@ static void log_child_data(child_data_t *data, char *name) { child_cfg_create_t *cfg DBG_UNUSED = &data->cfg; -#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); }) DBG2(DBG_CFG, " child %s:", name); DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey); DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life); @@ -545,12 +547,13 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life); DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter); DBG2(DBG_CFG, " updown = %s", cfg->updown); - DBG2(DBG_CFG, " hostaccess = %u", has_opt(OPT_HOSTACCESS)); - DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP)); + DBG2(DBG_CFG, " hostaccess = %u", has_opt(cfg, OPT_HOSTACCESS)); + DBG2(DBG_CFG, " ipcomp = %u", has_opt(cfg, OPT_IPCOMP)); DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode, - has_opt(OPT_PROXY_MODE) ? "_PROXY" : ""); - DBG2(DBG_CFG, " policies = %u", !has_opt(OPT_NO_POLICIES)); - DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES)); + has_opt(cfg, OPT_PROXY_MODE) ? "_PROXY" : ""); + DBG2(DBG_CFG, " policies = %u", !has_opt(cfg, OPT_NO_POLICIES)); + DBG2(DBG_CFG, " policies_fwd_out = %u", + has_opt(cfg, OPT_FWD_OUT_POLICIES)); if (data->replay_window != REPLAY_UNDEFINED) { DBG2(DBG_CFG, " replay_window = %u", data->replay_window); @@ -566,7 +569,7 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " if_id_out = %u", cfg->if_id_out); DBG2(DBG_CFG, " mark_in = %u/%u", cfg->mark_in.value, cfg->mark_in.mask); - DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA)); + DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(cfg, OPT_MARK_IN_SA)); DBG2(DBG_CFG, " mark_out = %u/%u", cfg->mark_out.value, cfg->mark_out.mask); DBG2(DBG_CFG, " set_mark_in = %u/%u", @@ -581,9 +584,9 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " local_ts = %#R", data->local_ts); DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts); DBG2(DBG_CFG, " hw_offload = %N", hw_offload_names, cfg->hw_offload); - DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96)); - DBG2(DBG_CFG, " copy_df = %u", !has_opt(OPT_NO_COPY_DF)); - DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(OPT_NO_COPY_ECN)); + DBG2(DBG_CFG, " sha256_96 = %u", has_opt(cfg, OPT_SHA256_96)); + DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF)); + DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(cfg, OPT_NO_COPY_ECN)); DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp); } @@ -916,6 +919,65 @@ CALLBACK(parse_mode, bool, return FALSE; } +/** + * Macro to parse an option flag, add it if parsed value is either TRUE or FALSE. + */ +#define PARSE_OPTION(out, opt, v, add_if_true) \ + bool val; \ + if (parse_bool(&val, v)) { \ + if (val == add_if_true) { \ + *out |= opt; \ + } \ + return TRUE; \ + } \ + return FALSE; + +/** + * Enable a peer_cfg_option_t, the flag controls whether the option is enabled + * if the parsed value is TRUE or FALSE. + */ +static bool parse_peer_option(peer_cfg_option_t *out, peer_cfg_option_t opt, + chunk_t v, bool add_if_true) +{ + PARSE_OPTION(out, opt, v, add_if_true) +} + +/** + * Parse OPT_NO_MOBIKE option + */ +CALLBACK(parse_opt_mobike, bool, + peer_cfg_option_t *out, chunk_t v) +{ + return parse_peer_option(out, OPT_NO_MOBIKE, v, FALSE); +} + +/** + * Parse OPT_IKEV1_AGGRESSIVE option + */ +CALLBACK(parse_opt_aggr, bool, + peer_cfg_option_t *out, chunk_t v) +{ + return parse_peer_option(out, OPT_IKEV1_AGGRESSIVE, v, TRUE); +} + +/** + * Parse OPT_IKEV1_PUSH_MODE option + */ +CALLBACK(parse_opt_pull, bool, + peer_cfg_option_t *out, chunk_t v) +{ + return parse_peer_option(out, OPT_IKEV1_PUSH_MODE, v, FALSE); +} + +/** + * Parse OPT_PPK_REQUIRED option + */ +CALLBACK(parse_opt_ppk_req, bool, + peer_cfg_option_t *out, chunk_t v) +{ + return parse_peer_option(out, OPT_PPK_REQUIRED, v, TRUE); +} + /** * Enable a child_cfg_option_t, the flag controls whether the option is enabled * if the parsed value is TRUE or FALSE. @@ -923,17 +985,7 @@ CALLBACK(parse_mode, bool, static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt, chunk_t v, bool add_if_true) { - bool val; - - if (parse_bool(&val, v)) - { - if (val == add_if_true) - { - *out |= opt; - } - return TRUE; - } - return FALSE; + PARSE_OPTION(out, opt, v, add_if_true) } /** @@ -1939,11 +1991,11 @@ CALLBACK(peer_kv, bool, { parse_rule_t rules[] = { { "version", parse_uint32, &peer->version }, - { "aggressive", parse_bool, &peer->aggressive }, - { "pull", parse_bool, &peer->pull }, + { "aggressive", parse_opt_aggr, &peer->options }, + { "pull", parse_opt_pull, &peer->options }, { "dscp", parse_dscp, &peer->dscp }, { "encap", parse_bool, &peer->encap }, - { "mobike", parse_bool, &peer->mobike }, + { "mobike", parse_opt_mobike, &peer->options }, { "dpd_delay", parse_time, &peer->dpd_delay }, { "dpd_timeout", parse_time, &peer->dpd_timeout }, { "fragmentation", parse_frag, &peer->fragmentation }, @@ -1960,7 +2012,7 @@ CALLBACK(peer_kv, bool, { "over_time", parse_time, &peer->over_time }, { "rand_time", parse_time, &peer->rand_time }, { "ppk_id", parse_peer_id, &peer->ppk_id }, - { "ppk_required", parse_bool, &peer->ppk_required }, + { "ppk_required", parse_opt_ppk_req, &peer->options }, { "if_id_in", parse_if_id, &peer->if_id_in }, { "if_id_out", parse_if_id, &peer->if_id_out }, #ifdef ME @@ -2712,9 +2764,7 @@ CALLBACK(config_sn, bool, .vips = linked_list_create(), .children = linked_list_create(), .proposals = linked_list_create(), - .mobike = TRUE, .send_certreq = TRUE, - .pull = TRUE, .send_cert = CERT_SEND_IF_ASKED, .ocsp = OCSP_SEND_REPLY, .version = IKE_ANY, @@ -2866,6 +2916,7 @@ CALLBACK(config_sn, bool, ike_cfg = ike_cfg_create(&ike); cfg = (peer_cfg_create_t){ + .options = peer.options, .cert_policy = peer.send_cert, .ocsp_policy = peer.ocsp, .unique = peer.unique, @@ -2874,13 +2925,9 @@ CALLBACK(config_sn, bool, .reauth_time = peer.reauth_time, .jitter_time = peer.rand_time, .over_time = peer.over_time, - .no_mobike = !peer.mobike, - .aggressive = peer.aggressive, - .push_mode = !peer.pull, .dpd = peer.dpd_delay, .dpd_timeout = peer.dpd_timeout, .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL, - .ppk_required = peer.ppk_required, .if_id_in = peer.if_id_in, .if_id_out = peer.if_id_out, }; diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 8ba614fb6b..628763e191 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -972,7 +972,7 @@ CALLBACK(list_conns, vici_message_t*, { b->add_kv(b, "ppk_id", "%Y", ppk_id); } - if (peer_cfg->ppk_required(peer_cfg)) + if (peer_cfg->has_option(peer_cfg, OPT_PPK_REQUIRED)) { b->add_kv(b, "ppk_required", "yes"); } diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index 61c400580b..ee3a5c8f2b 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -146,7 +146,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, if (other_auth) { my_id = this->ike_sa->get_my_id(this->ike_sa); - if (peer_cfg->use_aggressive(peer_cfg)) + if (peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE)) { other_id = this->ike_sa->get_other_id(this->ike_sa); } @@ -573,7 +573,7 @@ METHOD(phase1_t, select_config, peer_cfg_t*, while (enumerator->enumerate(enumerator, ¤t)) { if (check_auth_method(this, current, method) && - current->use_aggressive(current) == aggressive) + current->has_option(current, OPT_IKEV1_AGGRESSIVE) == aggressive) { current->get_ref(current); if (!this->peer_cfg) diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 293a8c2263..c5a8e9a457 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -402,7 +402,7 @@ static bool mode_config_expected(private_task_manager_t *this) peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); if (peer_cfg) { - if (peer_cfg->use_pull_mode(peer_cfg)) + if (!peer_cfg->has_option(peer_cfg, OPT_IKEV1_PUSH_MODE)) { enumerator = peer_cfg->create_pool_enumerator(peer_cfg); if (!enumerator->enumerate(enumerator, &pool)) @@ -1563,7 +1563,7 @@ METHOD(task_manager_t, queue_ike, void, queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE)); } peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (peer_cfg->use_aggressive(peer_cfg)) + if (peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE)) { if (!has_queued(this, TASK_AGGRESSIVE_MODE)) { diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 6dbaabe9cb..8e8b42f8ad 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -329,7 +329,8 @@ METHOD(task_t, build_i, status_t, /* check for and prepare mode config push/pull */ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg)) { - if (this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (!this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { this->ike_sa->queue_task(this->ike_sa, (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE)); @@ -341,7 +342,8 @@ METHOD(task_t, build_i, status_t, } else if (this->ph1->has_pool(this->ph1, this->peer_cfg)) { - if (this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (!this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { schedule_timeout(this->ike_sa); } @@ -540,7 +542,8 @@ METHOD(task_t, process_r, status_t, /* check for and prepare mode config push/pull */ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg)) { - if (this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (!this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { this->ike_sa->queue_task(this->ike_sa, (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE)); @@ -548,7 +551,8 @@ METHOD(task_t, process_r, status_t, } else if (this->ph1->has_pool(this->ph1, this->peer_cfg)) { - if (!this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { if (job) { diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 4248700d5e..18a13c5004 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -575,7 +575,8 @@ METHOD(task_t, build_r, status_t, } if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg)) { - if (this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (!this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { this->ike_sa->queue_task(this->ike_sa, (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE)); @@ -583,7 +584,8 @@ METHOD(task_t, build_r, status_t, } else if (this->ph1->has_pool(this->ph1, this->peer_cfg)) { - if (!this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { if (job) { @@ -758,7 +760,8 @@ METHOD(task_t, process_i, status_t, /* check for and prepare mode config push/pull */ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg)) { - if (this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (!this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { this->ike_sa->queue_task(this->ike_sa, (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE)); @@ -770,7 +773,8 @@ METHOD(task_t, process_i, status_t, } else if (this->ph1->has_pool(this->ph1, this->peer_cfg)) { - if (this->peer_cfg->use_pull_mode(this->peer_cfg)) + if (!this->peer_cfg->has_option(this->peer_cfg, + OPT_IKEV1_PUSH_MODE)) { schedule_timeout(this->ike_sa); } diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index b718042ea7..4730758714 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -189,7 +189,7 @@ static bool accept_push(private_mode_config_t *this) vip = enumerator->enumerate(enumerator, &host); enumerator->destroy(enumerator); - return vip && !config->use_pull_mode(config); + return vip && config->has_option(config, OPT_IKEV1_PUSH_MODE); } /** diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c index 3bf2175e0c..08e32a76dc 100644 --- a/src/libcharon/sa/ikev1/tasks/xauth.c +++ b/src/libcharon/sa/ikev1/tasks/xauth.c @@ -229,7 +229,7 @@ static bool select_compliant_config(private_xauth_t *this) } DBG1(DBG_CFG, "selected peer config '%s' unacceptable", old->get_name(old)); - aggressive = old->use_aggressive(old); + aggressive = old->has_option(old, OPT_IKEV1_AGGRESSIVE); my_host = this->ike_sa->get_my_host(this->ike_sa); other_host = this->ike_sa->get_other_host(this->ike_sa); @@ -240,7 +240,7 @@ static bool select_compliant_config(private_xauth_t *this) while (enumerator->enumerate(enumerator, ¤t)) { if (!current->equals(current, old) && - current->use_aggressive(current) == aggressive && + current->has_option(current, OPT_IKEV1_AGGRESSIVE) == aggressive && is_compliant(this, current, FALSE)) { peer_cfg = current; diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 86f9f8b49b..1e213aaaf5 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -2121,7 +2121,7 @@ METHOD(task_manager_t, queue_ike, void, peer_cfg_t *peer_cfg; peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (peer_cfg->use_mobike(peer_cfg)) + if (!peer_cfg->has_option(peer_cfg, OPT_NO_MOBIKE)) { queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE)); } diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 493cd5b837..80c0f47d3d 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -564,7 +564,7 @@ static bool get_ppk(private_ike_auth_t *this, identification_t *ppk_id) key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL); if (!key) { - if (this->peer_cfg->ppk_required(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED)) { DBG1(DBG_CFG, "PPK required but no PPK found for '%Y'", ppk_id); return FALSE; @@ -589,7 +589,7 @@ static bool get_ppk_i(private_ike_auth_t *this) if (!this->ike_sa->supports_extension(this->ike_sa, EXT_PPK)) { - if (this->peer_cfg->ppk_required(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED)) { DBG1(DBG_CFG, "PPK required but peer does not support PPK"); return FALSE; @@ -600,7 +600,7 @@ static bool get_ppk_i(private_ike_auth_t *this) ppk_id = this->peer_cfg->get_ppk_id(this->peer_cfg); if (!ppk_id) { - if (this->peer_cfg->ppk_required(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED)) { DBG1(DBG_CFG, "PPK required but no PPK_ID configured"); return FALSE; @@ -622,7 +622,7 @@ static bool get_ppk_r(private_ike_auth_t *this, message_t *msg) if (!this->ike_sa->supports_extension(this->ike_sa, EXT_PPK)) { - if (this->peer_cfg->ppk_required(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED)) { DBG1(DBG_CFG, "PPK required but peer does not support PPK"); return FALSE; @@ -633,7 +633,7 @@ static bool get_ppk_r(private_ike_auth_t *this, message_t *msg) notify = msg->get_notify(msg, PPK_IDENTITY); if (!notify || !parse_ppk_identity(notify, &ppk_id)) { - if (this->peer_cfg->ppk_required(this->peer_cfg)) + if (this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED)) { DBG1(DBG_CFG, "PPK required but no PPK_IDENTITY received"); return FALSE; @@ -816,7 +816,7 @@ METHOD(task_t, build_i, status_t, if (this->ppk.ptr && this->my_auth->use_ppk) { this->my_auth->use_ppk(this->my_auth, this->ppk, - !this->peer_cfg->ppk_required(this->peer_cfg)); + !this->peer_cfg->has_option(this->peer_cfg, OPT_PPK_REQUIRED)); } switch (this->my_auth->build(this->my_auth, message)) { diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index 0040d43bc6..0ff2be8eb6 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -136,7 +136,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message) peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); if (!this->initiator && - peer_cfg && !peer_cfg->use_mobike(peer_cfg)) + peer_cfg && peer_cfg->has_option(peer_cfg, OPT_NO_MOBIKE)) { DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config"); } diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c index a9cce2efb4..a442786399 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_natd.c +++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c @@ -304,7 +304,7 @@ METHOD(task_t, process_i, status_t, peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) || - (peer_cfg->use_mobike(peer_cfg) && + (!peer_cfg->has_option(peer_cfg, OPT_NO_MOBIKE) && this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))) { /* if the peer supports NAT-T, we switch to port 4500 even if no * NAT is detected. can't be done later (when we would know