/*
* Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "backend_manager.h"
#include <sys/types.h>
#include <daemon.h>
#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_backend_manager_t private_backend_manager_t;
/**
* Private data of an backend_manager_t object.
*/
struct private_backend_manager_t {
/**
* Public part of backend_manager_t object.
*/
backend_manager_t public;
/**
* list of registered backends
*/
linked_list_t *backends;
/**
* rwlock for backends
*/
rwlock_t *lock;
};
/**
* match of an ike_cfg
*/
typedef enum ike_cfg_match_t {
/* doesn't match at all */
MATCH_NONE = 0x00,
/* match for a %any host. For both hosts, hence skip 0x02 */
MATCH_ANY = 0x01,
/* IKE version matches exactly (config is not for any version) */
MATCH_VERSION = 0x04,
/* local identity matches */
MATCH_ME = 0x08,
/* remote identity matches */
MATCH_OTHER = 0x10,
} ike_cfg_match_t;
/**
* data to pass nested IKE enumerator
*/
typedef struct {
private_backend_manager_t *this;
host_t *me;
host_t *other;
} ike_data_t;
/**
* inner enumerator constructor for IKE cfgs
*/
static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
{
return backend->create_ike_cfg_enumerator(backend, data->me, data->other);
}
/**
* get a match of a candidate ike_cfg for two hosts
*/
static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other,
ike_version_t version)
{
ike_cfg_match_t match = MATCH_NONE;
int quality;
if (cand->get_version(cand) != IKE_ANY &&
version != cand->get_version(cand))
{
return MATCH_NONE;
}
if (me)
{
quality = cand->match_me(cand, me);
if (!quality)
{
return MATCH_NONE;
}
match += quality * MATCH_ME;
}
else
{
match += MATCH_ANY;
}
if (other)
{
quality = cand->match_other(cand, other);
if (!quality)
{
return MATCH_NONE;
}
match += quality * MATCH_OTHER;
}
else
{
match += MATCH_ANY;
}
if (match != MATCH_NONE &&
cand->get_version(cand) != IKE_ANY)
{ /* if we have a match, improve it if candidate version specified */
match += MATCH_VERSION;
}
return match;
}
/**
* list element to help sorting
*/
typedef struct {
ike_cfg_match_t match;
ike_cfg_t *cfg;
} ike_match_entry_t;
CALLBACK(ike_enum_filter, bool,
linked_list_t *configs, enumerator_t *orig, va_list args)
{
ike_match_entry_t *entry;
ike_cfg_t **out;
VA_ARGS_VGET(args, out);
if (orig->enumerate(orig, &entry))
{
*out = entry->cfg;
return TRUE;
}
return FALSE;
}
CALLBACK(ike_match_entry_list_destroy, void,
linked_list_t *configs)
{
ike_match_entry_t *entry;
while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
{
entry->cfg->destroy(entry->cfg);
free(entry);
}
configs->destroy(configs);
}
/**
* Insert entry into match-sorted list
*/
static void insert_sorted_ike(ike_match_entry_t *entry, linked_list_t *list)
{
enumerator_t *enumerator;
ike_match_entry_t *current;
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, ¤t))
{
if (entry->match > current->match)
{
break;
}
}
list->insert_before(list, enumerator, entry);
enumerator->destroy(enumerator);
}
/**
* Create a sorted list of all matching IKE configs
*/
static linked_list_t *get_matching_ike_cfgs(private_backend_manager_t *this,
host_t *me, host_t *other,
ike_version_t version)
{
ike_cfg_t *current;
char *my_addr, *other_addr;
enumerator_t *enumerator;
ike_data_t *data;
linked_list_t *configs;
ike_cfg_match_t match;
ike_match_entry_t *entry;
INIT(data,
.this = this,
.me = me,
.other = other,
);
configs = linked_list_create();
this->lock->read_lock(this->lock);
enumerator = enumerator_create_nested(
this->backends->create_enumerator(this->backends),
(void*)ike_enum_create, data, (void*)free);
while (enumerator->enumerate(enumerator, ¤t))
{
my_addr = current->get_my_addr(current);
other_addr = current->get_other_addr(current);
match = get_ike_match(current, me, other, version);
DBG3(DBG_CFG, "ike config match: %d (%s...%s %N)", match, my_addr,
other_addr, ike_version_names, current->get_version(current));
if (match)
{
DBG2(DBG_CFG, " candidate: %s...%s, prio %d",
my_addr, other_addr, match);
INIT(entry,
.match = match,
.cfg = current->get_ref(current),
);
insert_sorted_ike(entry, configs);
}
}
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
return configs;
}
METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
private_backend_manager_t *this, host_t *me, host_t *other,
ike_version_t version)
{
linked_list_t *configs;
ike_match_entry_t *entry;
ike_cfg_t *found = NULL;
char *my_addr, *other_addr;
DBG2(DBG_CFG, "looking for an %N config for %H...%H", ike_version_names,
version, me, other);
configs = get_matching_ike_cfgs(this, me, other, version);
if (configs->get_first(configs, (void**)&entry) == SUCCESS)
{
found = entry->cfg->get_ref(entry->cfg);
my_addr = found->get_my_addr(found);
other_addr = found->get_other_addr(found);
DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
my_addr, other_addr, entry->match);
}
ike_match_entry_list_destroy(configs);
return found;
}
METHOD(backend_manager_t, create_ike_cfg_enumerator, enumerator_t*,
private_backend_manager_t *this, host_t *me, host_t *other,
ike_version_t version)
{
linked_list_t *configs;
DBG2(DBG_CFG, "looking for %N configs for %H...%H", ike_version_names,
version, me, other);
configs = get_matching_ike_cfgs(this, me, other, version);
return enumerator_create_filter(configs->create_enumerator(configs),
ike_enum_filter, configs,
ike_match_entry_list_destroy);
}
/**
* Get the best ID match in one of the configs auth_cfg
*/
static id_match_t get_peer_match(identification_t *id,
peer_cfg_t *cfg, bool local)
{
enumerator_t *enumerator;
auth_cfg_t *auth;
identification_t *candidate;
id_match_t match = ID_MATCH_NONE;
char *where = local ? "local" : "remote";
chunk_t data;
if (!id)
{
DBG3(DBG_CFG, " %s id match: %d (%N)",
where, ID_MATCH_ANY, id_type_names, ID_ANY);
return ID_MATCH_ANY;
}
/* compare first auth config only */
enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
if (enumerator->enumerate(enumerator, &auth))
{
candidate = auth->get(auth, AUTH_RULE_IDENTITY);
if (candidate)
{
match = id->matches(id, candidate);
/* match vice-versa, as the proposed IDr might be ANY */
if (!match)
{
match = candidate->matches(candidate, id);
}
}
else
{
match = ID_MATCH_ANY;
}
}
enumerator->destroy(enumerator);
data = id->get_encoding(id);
DBG3(DBG_CFG, " %s id match: %d (%N: %#B)",
where, match, id_type_names, id->get_type(id), &data);
return match;
}
/**
* data to pass nested peer enumerator
*/
typedef struct {
rwlock_t *lock;
identification_t *me;
identification_t *other;
} peer_data_t;
/**
* list element to help sorting
*/
typedef struct {
id_match_t match_peer;
ike_cfg_match_t match_ike;
peer_cfg_t *cfg;
} match_entry_t;
/**
* inner enumerator constructor for peer cfgs
*/
static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
{
return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
}
/**
* unlock/cleanup peer enumerator
*/
static void peer_enum_destroy(peer_data_t *data)
{
data->lock->unlock(data->lock);
free(data);
}
CALLBACK(peer_enum_filter, bool,
linked_list_t *configs, enumerator_t *orig, va_list args)
{
match_entry_t *entry;
peer_cfg_t **out;
VA_ARGS_VGET(args, out);
if (orig->enumerate(orig, &entry))
{
*out = entry->cfg;
return TRUE;
}
return FALSE;
}
CALLBACK(peer_enum_filter_destroy, void,
linked_list_t *configs)
{
match_entry_t *entry;
while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
{
entry->cfg->destroy(entry->cfg);
free(entry);
}
configs->destroy(configs);
}
/**
* Insert entry into match-sorted list
*/
static void insert_sorted(match_entry_t *entry, linked_list_t *list)
{
enumerator_t *enumerator;
match_entry_t *current;
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, ¤t))
{
if ((entry->match_ike > current->match_ike &&
entry->match_peer >= current->match_peer) ||
(entry->match_ike >= current->match_ike &&
entry->match_peer > current->match_peer))
{
break;
}
}
list->insert_before(list, enumerator, entry);
enumerator->destroy(enumerator);
}
METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
private_backend_manager_t *this, host_t *me, host_t *other,
identification_t *my_id, identification_t *other_id, ike_version_t version)
{
enumerator_t *enumerator;
peer_data_t *data;
peer_cfg_t *cfg;
linked_list_t *configs;
INIT(data,
.lock = this->lock,
.me = my_id,
.other = other_id,
);
/* create a sorted list with all matches */
this->lock->read_lock(this->lock);
enumerator = enumerator_create_nested(
this->backends->create_enumerator(this->backends),
(void*)peer_enum_create, data, (void*)peer_enum_destroy);
if (!me && !other && !my_id && !other_id)
{ /* shortcut if we are doing a "listall" */
return enumerator;
}
configs = linked_list_create();
while (enumerator->enumerate(enumerator, &cfg))
{
ike_cfg_t *ike_cfg = cfg->get_ike_cfg(cfg);
ike_cfg_match_t match_ike;
id_match_t match_peer_me, match_peer_other;
match_entry_t *entry;
char *my_addr, *other_addr;
match_ike = get_ike_match(ike_cfg, me, other, version);
my_addr = ike_cfg->get_my_addr(ike_cfg);
other_addr = ike_cfg->get_other_addr(ike_cfg);
DBG3(DBG_CFG, "peer config \"%s\", ike match: %d (%s...%s %N)",
cfg->get_name(cfg), match_ike, my_addr, other_addr,
ike_version_names, ike_cfg->get_version(ike_cfg));
if (!match_ike)
{
continue;
}
match_peer_me = get_peer_match(my_id, cfg, TRUE);
if (!match_peer_me)
{
continue;
}
match_peer_other = get_peer_match(other_id, cfg, FALSE);
if (match_peer_other)
{
DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)",
cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
INIT(entry,
.match_peer = match_peer_me + match_peer_other,
.match_ike = match_ike,
.cfg = cfg->get_ref(cfg),
);
insert_sorted(entry, configs);
}
}
enumerator->destroy(enumerator);
return enumerator_create_filter(configs->create_enumerator(configs),
peer_enum_filter, configs,
peer_enum_filter_destroy);
}
METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*,
private_backend_manager_t *this, char *name)
{
backend_t *backend;
peer_cfg_t *config = NULL;
enumerator_t *enumerator;
this->lock->read_lock(this->lock);
enumerator = this->backends->create_enumerator(this->backends);
while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
{
config = backend->get_peer_cfg_by_name(backend, name);
}
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
return config;
}
METHOD(backend_manager_t, remove_backend, void,
private_backend_manager_t *this, backend_t *backend)
{
this->lock->write_lock(this->lock);
this->backends->remove(this->backends, backend, NULL);
this->lock->unlock(this->lock);
}
METHOD(backend_manager_t, add_backend, void,
private_backend_manager_t *this, backend_t *backend)
{
this->lock->write_lock(this->lock);
this->backends->insert_last(this->backends, backend);
this->lock->unlock(this->lock);
}
METHOD(backend_manager_t, destroy, void,
private_backend_manager_t *this)
{
this->backends->destroy(this->backends);
this->lock->destroy(this->lock);
free(this);
}
/*
* Described in header
*/
backend_manager_t *backend_manager_create()
{
private_backend_manager_t *this;
INIT(this,
.public = {
.get_ike_cfg = _get_ike_cfg,
.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
.get_peer_cfg_by_name = _get_peer_cfg_by_name,
.create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
.add_backend = _add_backend,
.remove_backend = _remove_backend,
.destroy = _destroy,
},
.backends = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
return &this->public;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to backend_manager.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / config