From ddb083c164ffb150ab914238ffb82a55a16b9dab Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 29 Mar 2019 15:06:20 +0100
Subject: [PATCH] ike-cfg: Add setting for childless IKE_SAs
---
 src/libcharon/config/ike_cfg.c | 16 +++++++++++++++-
 src/libcharon/config/ike_cfg.h | 24 +++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index cb75b7054..d99abbced 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -101,10 +101,15 @@ struct private_ike_cfg_t {
 bool force_encap;
 /**
- * use IKEv1 fragmentation
+ * use IKE fragmentation
 */
 fragmentation_t fragmentation;
+ /**
+ * childless IKE_SAs
+ */
+ childless_t childless;
+
 /**
 * DSCP value to use on sent IKE packets
 */
@@ -140,6 +145,12 @@ METHOD(ike_cfg_t, fragmentation, fragmentation_t,
 return this->fragmentation;
 }
+METHOD(ike_cfg_t, childless, childless_t,
+ private_ike_cfg_t *this)
+{
+ return this->childless;
+}
+
 /**
 * Common function for resolve_me/other
 */
@@ -424,6 +435,7 @@ METHOD(ike_cfg_t, equals, bool,
 this->certreq == other->certreq &&
 this->force_encap == other->force_encap &&
 this->fragmentation == other->fragmentation &&
+ this->childless == other->childless &&
 streq(this->me, other->me) &&
 streq(this->other, other->other) &&
 this->my_port == other->my_port &&
@@ -622,6 +634,7 @@ ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data)
 .send_certreq = _send_certreq,
 .force_encap = _force_encap_,
 .fragmentation = _fragmentation,
+ .childless = _childless,
 .resolve_me = _resolve_me,
 .resolve_other = _resolve_other,
 .match_me = _match_me,
@@ -645,6 +658,7 @@ ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data)
 .certreq = !data->no_certreq,
 .force_encap = data->force_encap,
 .fragmentation = data->fragmentation,
+ .childless = data->childless,
 .me = strdup(data->local),
 .my_ranges = linked_list_create(),
 .my_hosts = linked_list_create(),
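Review bot: In the last hunk of ike_cfg.c, `.childless = data->childless` is stored exactly as passed in, with no check against the IKE version of the config. RFC 6023 describes childless initiation for IKEv2, so an IKEv1 config carrying CHILDLESS_FORCE would hold a policy that presumably cannot be honoured; whether the code that later calls `childless()` ignores the value for IKEv1 is not visible in this patch. Either say so where the setting is declared, e.g. `/** Childless IKE_SA configuration (IKEv2 only) */` on the ike_cfg_create_t member, or normalise or reject the combination in ike_cfg_create(). The body of ike_cfg_create() starts and ends outside the hunk.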
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 92a9915e0..9c697dadc 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -25,6 +25,7 @@
 typedef enum ike_version_t ike_version_t;
 typedef enum fragmentation_t fragmentation_t;
+typedef enum childless_t childless_t;
 typedef struct ike_cfg_t ike_cfg_t;
 typedef struct ike_cfg_create_t ike_cfg_create_t;
@@ -61,6 +62,18 @@ enum fragmentation_t {
 FRAGMENTATION_FORCE,
 };
+/**
+ * Childless IKE_SAs (RFC 6023)
+ */
+enum childless_t {
+ /** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */
+ CHILDLESS_ALLOW,
+ /** Don't accept childless IKE_SAs as responder, don't initiate them */
+ CHILDLESS_NEVER,
+ /** Only accept the creation of childless IKE_SAs (also as responder) */
+ CHILDLESS_FORCE,
+};
+
 /**
 * enum strings for ike_version_t
 */
@@ -204,12 +217,19 @@ struct ike_cfg_t {
 bool (*force_encap) (ike_cfg_t *this);
 /**
- * Use proprietary IKEv1 fragmentation
+ * Use IKE fragmentation
 *
 * @return TRUE to use fragmentation
 */
 fragmentation_t (*fragmentation) (ike_cfg_t *this);
+ /**
+ * Whether to initiate/accept childless IKE_SAs
+ *
+ * @return initiate/accept childless IKE_SAs
+ */
+ childless_t (*childless)(ike_cfg_t *this);
+
 /**
 * Get the DH group to use for IKE_SA setup.
 *
@@ -266,6 +286,8 @@ struct ike_cfg_create_t {
 bool force_encap;
 /** Use IKE fragmentation */
 fragmentation_t fragmentation;
+ /** Childless IKE_SA configuration */
+ childless_t childless;
 /** DSCP value to send IKE packets with */
 uint8_t dscp;
 };
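Review bot: CHILDLESS_ALLOW is the first enumerator of childless_t, so it has the value 0 and is what a zero-initialised ike_cfg_create_t yields, yet neither the enum comment nor the `childless` member comment in the last hunk says that this permissive value is the intended default. If callers fill the struct with designated initialisers (not visible here), every existing configuration starts accepting childless IKE_SAs as responder after this change without setting anything. I would record that on the enumerator, e.g. `/** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs (default, value 0) */`, and repeat the default on the struct member as `/** Childless IKE_SA configuration, defaults to CHILDLESS_ALLOW */`, so that a later reordering of the enum cannot change the policy unnoticed.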
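Review bot: The `@return` line of the new `childless` method, `initiate/accept childless IKE_SAs`, reads like a yes/no answer although the method returns a three-valued childless_t policy. The `@return TRUE to use fragmentation` line directly above has the same problem, and this hunk leaves it unchanged while rewording that comment's first line. Suggest `@return childless IKE_SA policy (RFC 6023), see childless_t` and `@return fragmentation setting`, so a caller does not test the result as a boolean and treat CHILDLESS_ALLOW (0) as "off". The body of struct ike_cfg_t starts and ends outside the hunk.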