[NetworkManager-libreswan/fg/fix_conn_import-rh1633174: 1/3] shared: remove useless XAUTH tracking boolean
- From: Francesco Giudici <fgiudici src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [NetworkManager-libreswan/fg/fix_conn_import-rh1633174: 1/3] shared: remove useless XAUTH tracking boolean
- Date: Fri, 28 Sep 2018 10:11:51 +0000 (UTC)
commit a0cb1f5a3f2dbd267222b41d3654c4d47681a150
Author: Francesco Giudici <fgiudici redhat com>
Date: Thu Sep 27 10:56:10 2018 +0200
shared: remove useless XAUTH tracking boolean
During recent reworks to extend the configuration options to allow IKEv2
we used a dedicated boolean to track if XAUTH was enabled or not: the
plan was to extend support to IKEv1 connections without XAUTH.
This however never happened: moreover, IKEv1 is old and we will probably
want to focus on improving IKEv2 scenarios support more than IKEv1 ones
(XAUTH is a IKEv1 thing).
So, remove the XAUTH bool var and just assume that it is always enabled
on IKEv1 connections as we already do in all the other part of the code.
shared/utils.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
---
diff --git a/shared/utils.c b/shared/utils.c
index 047ce8e..0119221 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -118,7 +118,6 @@ nm_libreswan_config_write (gint fd,
const char *mobike;
const char *pfs;
gboolean is_ikev2 = FALSE;
- gboolean xauth_enabled = TRUE;
g_return_val_if_fail (fd > 0, FALSE);
g_return_val_if_fail (NM_IS_CONNECTION (connection), FALSE);
@@ -129,10 +128,9 @@ nm_libreswan_config_write (gint fd,
g_return_val_if_fail (NM_IS_SETTING_VPN (s_vpn), FALSE);
is_ikev2 = nm_libreswan_utils_setting_is_ikev2 (s_vpn, &ikev2);
- /* When IKEv1 is in place, we enforce XAUTH */
- xauth_enabled = !is_ikev2;
+
/* When using IKEv1 (default in our plugin), we should ensure that we make
- * it explicit to Libreswan (which defaults to IKEv2): when crypto algorithms
+ * it explicit to Libreswan (which now defaults to IKEv2): when crypto algorithms
* are not specified ("esp" & "ike") Libreswan will use system-wide crypto
* policies based on the IKE version in place.
*/
@@ -150,7 +148,7 @@ nm_libreswan_config_write (gint fd,
WRITE_CHECK (fd, debug_write_fcn, error, "conn %s", con_name);
if (leftid && strlen (leftid)) {
- if (xauth_enabled)
+ if (!is_ikev2)
WRITE_CHECK (fd, debug_write_fcn, error, " aggrmode=yes");
if ( leftid[0] == '%'
@@ -210,7 +208,11 @@ nm_libreswan_config_write (gint fd,
else
WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=%s",
remote_network);
- if (xauth_enabled) {
+
+ if (!is_ikev2) {
+ /* When IKEv1 is in place, we enforce XAUTH: so, use IKE version
+ * also to check if XAUTH conf options should be passed to Libreswan.
+ */
WRITE_CHECK (fd, debug_write_fcn, error, " leftxauthclient=yes");
default_username = nm_setting_vpn_get_user_name (s_vpn);
@@ -236,13 +238,13 @@ nm_libreswan_config_write (gint fd,
*/
if (phase1_alg_str && strlen (phase1_alg_str))
WRITE_CHECK (fd, debug_write_fcn, error, " ike=%s", phase1_alg_str);
- else if (xauth_enabled && leftid)
+ else if (!is_ikev2 && leftid)
WRITE_CHECK (fd, debug_write_fcn, error, " ike=aes256-sha1;modp1536");
phase2_alg_str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_ESP);
if (phase2_alg_str && strlen (phase2_alg_str))
WRITE_CHECK (fd, debug_write_fcn, error, " phase2alg=%s", phase2_alg_str);
- else if (xauth_enabled && leftid)
+ else if (!is_ikev2 && leftid)
WRITE_CHECK (fd, debug_write_fcn, error, " phase2alg=aes256-sha1");
pfs = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_PFS);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]