Return to medcli_config.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / medcli |
1.1 misho 1: /* 2: * Copyright (C) 2008 Martin Willi 3: * HSR Hochschule fuer Technik Rapperswil 4: * 5: * This program is free software; you can redistribute it and/or modify it 6: * under the terms of the GNU General Public License as published by the 7: * Free Software Foundation; either version 2 of the License, or (at your 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 9: * 10: * This program is distributed in the hope that it will be useful, but 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13: * for more details. 14: */ 15: 16: #define _GNU_SOURCE 17: #include <string.h> 18: 19: #include "medcli_config.h" 20: 21: #include <daemon.h> 22: #include <processing/jobs/callback_job.h> 23: 24: typedef struct private_medcli_config_t private_medcli_config_t; 25: 26: /** 27: * Name of the mediation connection 28: */ 29: #define MEDIATION_CONN_NAME "medcli-mediation" 30: 31: /** 32: * Private data of an medcli_config_t object 33: */ 34: struct private_medcli_config_t { 35: 36: /** 37: * Public part 38: */ 39: medcli_config_t public; 40: 41: /** 42: * database connection 43: */ 44: database_t *db; 45: 46: /** 47: * rekey time 48: */ 49: int rekey; 50: 51: /** 52: * dpd delay 53: */ 54: int dpd; 55: 56: /** 57: * default ike config 58: */ 59: ike_cfg_t *ike; 60: }; 61: 62: /** 63: * create a traffic selector from a CIDR notation string 64: */ 65: static traffic_selector_t *ts_from_string(char *str) 66: { 67: if (str) 68: { 69: traffic_selector_t *ts; 70: 71: ts = traffic_selector_create_from_cidr(str, 0, 0, 65535); 72: if (ts) 73: { 74: return ts; 75: } 76: } 77: return traffic_selector_create_dynamic(0, 0, 65535); 78: } 79: 80: /** 81: * Build a mediation config 82: */ 83: static peer_cfg_t *build_mediation_config(private_medcli_config_t *this, 84: peer_cfg_create_t *defaults) 85: { 86: enumerator_t *e; 87: auth_cfg_t *auth; 88: ike_cfg_t *ike_cfg; 89: peer_cfg_t *med_cfg; 90: ike_cfg_create_t ike = { 91: .version = IKEV2, 92: .local = "0.0.0.0", 93: .local_port = charon->socket->get_port(charon->socket, FALSE), 94: .remote_port = IKEV2_UDP_PORT, 95: .no_certreq = TRUE, 96: }; 97: peer_cfg_create_t peer = *defaults; 98: chunk_t me, other; 99: 100: /* query mediation server config: 101: * - build ike_cfg/peer_cfg for mediation connection on-the-fly 102: */ 103: e = this->db->query(this->db, 104: "SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId " 105: "FROM MediationServerConfig JOIN ClientConfig", 106: DB_TEXT, DB_BLOB, DB_BLOB); 107: if (!e || !e->enumerate(e, &ike.remote, &me, &other)) 108: { 109: DESTROY_IF(e); 110: return NULL; 111: } 112: ike_cfg = ike_cfg_create(&ike); 113: ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); 114: ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); 115: 116: peer.mediation = TRUE; 117: med_cfg = peer_cfg_create(MEDIATION_CONN_NAME, ike_cfg, &peer); 118: e->destroy(e); 119: 120: auth = auth_cfg_create(); 121: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 122: auth->add(auth, AUTH_RULE_IDENTITY, 123: identification_create_from_encoding(ID_KEY_ID, me)); 124: med_cfg->add_auth_cfg(med_cfg, auth, TRUE); 125: auth = auth_cfg_create(); 126: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 127: auth->add(auth, AUTH_RULE_IDENTITY, 128: identification_create_from_encoding(ID_KEY_ID, other)); 129: med_cfg->add_auth_cfg(med_cfg, auth, FALSE); 130: return med_cfg; 131: } 132: 133: METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, 134: private_medcli_config_t *this, char *name) 135: { 136: enumerator_t *e; 137: auth_cfg_t *auth; 138: peer_cfg_t *peer_cfg; 139: child_cfg_t *child_cfg; 140: chunk_t me, other; 141: char *local_net, *remote_net; 142: peer_cfg_create_t peer = { 143: .cert_policy = CERT_NEVER_SEND, 144: .unique = UNIQUE_REPLACE, 145: .keyingtries = 1, 146: .rekey_time = this->rekey * 60, 147: .jitter_time = this->rekey * 5, 148: .over_time = this->rekey * 3, 149: .dpd = this->dpd, 150: }; 151: child_cfg_create_t child = { 152: .lifetime = { 153: .time = { 154: .life = this->rekey * 60 + this->rekey, 155: .rekey = this->rekey, 156: .jitter = this->rekey 157: }, 158: }, 159: .mode = MODE_TUNNEL, 160: }; 161: 162: if (streq(name, "medcli-mediation")) 163: { 164: return build_mediation_config(this, &peer); 165: } 166: 167: /* query mediated config: 168: * - use any-any ike_cfg 169: * - build peer_cfg on-the-fly using med_cfg 170: * - add a child_cfg 171: */ 172: e = this->db->query(this->db, 173: "SELECT ClientConfig.KeyId, Connection.KeyId, " 174: "Connection.LocalSubnet, Connection.RemoteSubnet " 175: "FROM ClientConfig JOIN Connection " 176: "WHERE Active AND Alias = ?", DB_TEXT, name, 177: DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT); 178: if (!e || !e->enumerate(e, &me, &other, &local_net, &remote_net)) 179: { 180: DESTROY_IF(e); 181: return NULL; 182: } 183: peer.mediated_by = MEDIATION_CONN_NAME; 184: peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other); 185: peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer); 186: 187: auth = auth_cfg_create(); 188: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 189: auth->add(auth, AUTH_RULE_IDENTITY, 190: identification_create_from_encoding(ID_KEY_ID, me)); 191: peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); 192: auth = auth_cfg_create(); 193: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 194: auth->add(auth, AUTH_RULE_IDENTITY, 195: identification_create_from_encoding(ID_KEY_ID, other)); 196: peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); 197: 198: child_cfg = child_cfg_create(name, &child); 199: child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); 1.1.1.2 ! misho 200: child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); 1.1 misho 201: child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); 202: child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); 203: peer_cfg->add_child_cfg(peer_cfg, child_cfg); 204: e->destroy(e); 205: return peer_cfg; 206: } 207: 208: METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, 209: private_medcli_config_t *this, host_t *me, host_t *other) 210: { 211: return enumerator_create_single(this->ike, NULL); 212: } 213: 214: typedef struct { 215: /** implements enumerator */ 216: enumerator_t public; 217: /** inner SQL enumerator */ 218: enumerator_t *inner; 219: /** currently enumerated peer config */ 220: peer_cfg_t *current; 221: /** ike cfg to use in peer cfg */ 222: ike_cfg_t *ike; 223: /** rekey time */ 224: int rekey; 225: /** dpd time */ 226: int dpd; 227: } peer_enumerator_t; 228: 229: METHOD(enumerator_t, peer_enumerator_enumerate, bool, 230: peer_enumerator_t *this, va_list args) 231: { 232: char *name, *local_net, *remote_net; 233: chunk_t me, other; 234: peer_cfg_t **cfg; 235: child_cfg_t *child_cfg; 236: auth_cfg_t *auth; 237: peer_cfg_create_t peer = { 238: .cert_policy = CERT_NEVER_SEND, 239: .unique = UNIQUE_REPLACE, 240: .keyingtries = 1, 241: .rekey_time = this->rekey * 60, 242: .jitter_time = this->rekey * 5, 243: .over_time = this->rekey * 3, 244: .dpd = this->dpd, 245: }; 246: child_cfg_create_t child = { 247: .lifetime = { 248: .time = { 249: .life = this->rekey * 60 + this->rekey, 250: .rekey = this->rekey, 251: .jitter = this->rekey 252: }, 253: }, 254: .mode = MODE_TUNNEL, 255: }; 256: 257: VA_ARGS_VGET(args, cfg); 258: 259: DESTROY_IF(this->current); 260: if (!this->inner->enumerate(this->inner, &name, &me, &other, 261: &local_net, &remote_net)) 262: { 263: this->current = NULL; 264: return FALSE; 265: } 266: this->current = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer); 267: 268: auth = auth_cfg_create(); 269: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 270: auth->add(auth, AUTH_RULE_IDENTITY, 271: identification_create_from_encoding(ID_KEY_ID, me)); 272: this->current->add_auth_cfg(this->current, auth, TRUE); 273: auth = auth_cfg_create(); 274: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 275: auth->add(auth, AUTH_RULE_IDENTITY, 276: identification_create_from_encoding(ID_KEY_ID, other)); 277: this->current->add_auth_cfg(this->current, auth, FALSE); 278: 279: child_cfg = child_cfg_create(name, &child); 280: child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); 1.1.1.2 ! misho 281: child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); 1.1 misho 282: child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); 283: child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); 284: this->current->add_child_cfg(this->current, child_cfg); 285: *cfg = this->current; 286: return TRUE; 287: } 288: 289: METHOD(enumerator_t, peer_enumerator_destroy, void, 290: peer_enumerator_t *this) 291: { 292: DESTROY_IF(this->current); 293: this->inner->destroy(this->inner); 294: free(this); 295: } 296: 297: METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, 298: private_medcli_config_t *this, identification_t *me, 299: identification_t *other) 300: { 301: peer_enumerator_t *e; 302: 303: INIT(e, 304: .public = { 305: .enumerate = enumerator_enumerate_default, 306: .venumerate = _peer_enumerator_enumerate, 307: .destroy = _peer_enumerator_destroy, 308: }, 309: .ike = this->ike, 310: .rekey = this->rekey, 311: .dpd = this->dpd, 312: ); 313: 314: /* filter on IDs: NULL or ANY or matching KEY_ID */ 315: e->inner = this->db->query(this->db, 316: "SELECT Alias, ClientConfig.KeyId, Connection.KeyId, " 317: "Connection.LocalSubnet, Connection.RemoteSubnet " 318: "FROM ClientConfig JOIN Connection " 319: "WHERE Active AND " 320: "(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)", 321: DB_INT, me == NULL || me->get_type(me) == ID_ANY, 322: DB_BLOB, me && me->get_type(me) == ID_KEY_ID ? 323: me->get_encoding(me) : chunk_empty, 324: DB_INT, other == NULL || other->get_type(other) == ID_ANY, 325: DB_BLOB, other && other->get_type(other) == ID_KEY_ID ? 326: other->get_encoding(other) : chunk_empty, 327: DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT); 328: if (!e->inner) 329: { 330: free(e); 331: return NULL; 332: } 333: return &e->public; 334: } 335: 336: /** 337: * initiate a peer config 338: */ 339: static job_requeue_t initiate_config(peer_cfg_t *peer_cfg) 340: { 341: enumerator_t *enumerator; 342: child_cfg_t *child_cfg = NULL;; 343: 344: enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); 345: enumerator->enumerate(enumerator, &child_cfg); 346: if (child_cfg) 347: { 348: child_cfg->get_ref(child_cfg); 349: peer_cfg->get_ref(peer_cfg); 350: enumerator->destroy(enumerator); 351: charon->controller->initiate(charon->controller, 352: peer_cfg, child_cfg, NULL, NULL, 0, FALSE); 353: } 354: else 355: { 356: enumerator->destroy(enumerator); 357: } 358: return JOB_REQUEUE_NONE; 359: } 360: 361: /** 362: * schedule initiation of all "active" connections 363: */ 364: static void schedule_autoinit(private_medcli_config_t *this) 365: { 366: enumerator_t *e; 367: char *name; 368: 369: e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active", 370: DB_TEXT); 371: if (e) 372: { 373: while (e->enumerate(e, &name)) 374: { 375: peer_cfg_t *peer_cfg; 376: 377: peer_cfg = get_peer_cfg_by_name(this, name); 378: if (peer_cfg) 379: { 380: /* schedule asynchronous initiation job */ 381: lib->processor->queue_job(lib->processor, 382: (job_t*)callback_job_create( 383: (callback_job_cb_t)initiate_config, 384: peer_cfg, (void*)peer_cfg->destroy, NULL)); 385: } 386: } 387: e->destroy(e); 388: } 389: } 390: 391: METHOD(medcli_config_t, destroy, void, 392: private_medcli_config_t *this) 393: { 394: this->ike->destroy(this->ike); 395: free(this); 396: } 397: 398: /** 399: * Described in header. 400: */ 401: medcli_config_t *medcli_config_create(database_t *db) 402: { 403: private_medcli_config_t *this; 404: ike_cfg_create_t ike = { 405: .version = IKEV2, 406: .local = "0.0.0.0", 407: .local_port = charon->socket->get_port(charon->socket, FALSE), 408: .remote = "0.0.0.0", 409: .remote_port = IKEV2_UDP_PORT, 410: .no_certreq = TRUE, 411: }; 412: 413: INIT(this, 414: .public = { 415: .backend = { 416: .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, 417: .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, 418: .get_peer_cfg_by_name = _get_peer_cfg_by_name, 419: }, 420: .destroy = _destroy, 421: }, 422: .db = db, 423: .rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200), 424: .dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300), 425: .ike = ike_cfg_create(&ike), 426: ); 427: this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE)); 428: this->ike->add_proposal(this->ike, proposal_create_default_aead(PROTO_IKE)); 429: 430: schedule_autoinit(this); 431: 432: return &this->public; 433: }