![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to stroke_config.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / stroke|
Return to stroke_config.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / stroke |
1.1 misho 1: /*
2: * Copyright (C) 2012-2014 Tobias Brunner
3: * Copyright (C) 2008 Martin Willi
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: #include "stroke_config.h"
18:
19: #include <daemon.h>
20: #include <threading/mutex.h>
21: #include <utils/lexparser.h>
22:
23: #include <netdb.h>
24:
25: typedef struct private_stroke_config_t private_stroke_config_t;
26:
27: /**
28: * private data of stroke_config
29: */
30: struct private_stroke_config_t {
31:
32: /**
33: * public functions
34: */
35: stroke_config_t public;
36:
37: /**
38: * list of peer_cfg_t
39: */
40: linked_list_t *list;
41:
42: /**
43: * mutex to lock config list
44: */
45: mutex_t *mutex;
46:
47: /**
48: * ca sections
49: */
50: stroke_ca_t *ca;
51:
52: /**
53: * credentials
54: */
55: stroke_cred_t *cred;
56:
57: /**
58: * Virtual IP pool / DNS backend
59: */
60: stroke_attribute_t *attributes;
61: };
62:
63: METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
64: private_stroke_config_t *this, identification_t *me, identification_t *other)
65: {
66: this->mutex->lock(this->mutex);
67: return enumerator_create_cleaner(this->list->create_enumerator(this->list),
68: (void*)this->mutex->unlock, this->mutex);
69: }
70:
71: CALLBACK(ike_filter, bool,
72: void *data, enumerator_t *orig, va_list args)
73: {
74: peer_cfg_t *cfg;
75: ike_cfg_t **out;
76:
77: VA_ARGS_VGET(args, out);
78:
79: if (orig->enumerate(orig, &cfg))
80: {
81: *out = cfg->get_ike_cfg(cfg);
82: return TRUE;
83: }
84: return FALSE;
85: }
86:
87: METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
88: private_stroke_config_t *this, host_t *me, host_t *other)
89: {
90: this->mutex->lock(this->mutex);
91: return enumerator_create_filter(this->list->create_enumerator(this->list),
92: ike_filter, this->mutex,
93: (void*)this->mutex->unlock);
94: }
95:
96: METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
97: private_stroke_config_t *this, char *name)
98: {
99: enumerator_t *e1, *e2;
100: peer_cfg_t *current, *found = NULL;
101: child_cfg_t *child;
102:
103: this->mutex->lock(this->mutex);
104: e1 = this->list->create_enumerator(this->list);
105: while (e1->enumerate(e1, ¤t))
106: {
107: /* compare peer_cfgs name first */
108: if (streq(current->get_name(current), name))
109: {
110: found = current;
111: found->get_ref(found);
112: break;
113: }
114: /* compare all child_cfg names otherwise */
115: e2 = current->create_child_cfg_enumerator(current);
116: while (e2->enumerate(e2, &child))
117: {
118: if (streq(child->get_name(child), name))
119: {
120: found = current;
121: found->get_ref(found);
122: break;
123: }
124: }
125: e2->destroy(e2);
126: if (found)
127: {
128: break;
129: }
130: }
131: e1->destroy(e1);
132: this->mutex->unlock(this->mutex);
133: return found;
134: }
135:
136: /**
137: * parse a proposal string, either into ike_cfg or child_cfg
138: */
139: static bool add_proposals(private_stroke_config_t *this, char *string,
140: ike_cfg_t *ike_cfg, child_cfg_t *child_cfg, protocol_id_t proto)
141: {
142: if (string)
143: {
144: char *single;
145: char *strict;
146: proposal_t *proposal;
147:
148: strict = string + strlen(string) - 1;
149: if (*strict == '!')
150: {
151: *strict = '\0';
152: }
153: else
154: {
155: strict = NULL;
156: }
157: while ((single = strsep(&string, ",")))
158: {
159: proposal = proposal_create_from_string(proto, single);
160: if (proposal)
161: {
162: if (ike_cfg)
163: {
164: ike_cfg->add_proposal(ike_cfg, proposal);
165: }
166: else
167: {
168: child_cfg->add_proposal(child_cfg, proposal);
169: }
170: continue;
171: }
172: DBG1(DBG_CFG, "skipped invalid proposal string: %s", single);
173: return FALSE;
174: }
175: if (strict)
176: {
177: return TRUE;
178: }
179: /* add default proposal to the end if not strict */
180: }
181: if (ike_cfg)
182: {
183: ike_cfg->add_proposal(ike_cfg, proposal_create_default(proto));
184: ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(proto));
185: }
186: else
187: {
188: child_cfg->add_proposal(child_cfg, proposal_create_default(proto));
189: child_cfg->add_proposal(child_cfg, proposal_create_default_aead(proto));
190: }
191: return TRUE;
192: }
193:
194: /**
195: * Check if any addresses in the given string are local
196: */
197: static bool is_local(char *address, bool any_allowed)
198: {
199: enumerator_t *enumerator;
200: host_t *host;
201: char *token;
202: bool found = FALSE;
203:
204: enumerator = enumerator_create_token(address, ",", " ");
205: while (enumerator->enumerate(enumerator, &token))
206: {
207: if (!strchr(token, '/'))
208: {
209: host = host_create_from_dns(token, 0, 0);
210: if (host)
211: {
212: if (charon->kernel->get_interface(charon->kernel, host, NULL))
213: {
214: found = TRUE;
215: }
216: else if (any_allowed && host->is_anyaddr(host))
217: {
218: found = TRUE;
219: }
220: host->destroy(host);
221: if (found)
222: {
223: break;
224: }
225: }
226: }
227: }
228: enumerator->destroy(enumerator);
229: return found;
230: }
231:
232: /**
233: * Swap ends if indicated by left|right
234: */
235: static void swap_ends(stroke_msg_t *msg)
236: {
237: if (!lib->settings->get_bool(lib->settings, "%s.plugins.stroke.allow_swap",
238: TRUE, lib->ns))
239: {
240: return;
241: }
242:
243: if (is_local(msg->add_conn.other.address, FALSE))
244: {
245: stroke_end_t tmp_end;
246:
247: DBG2(DBG_CFG, "left is other host, swapping ends");
248: tmp_end = msg->add_conn.me;
249: msg->add_conn.me = msg->add_conn.other;
250: msg->add_conn.other = tmp_end;
251: }
252: else if (!is_local(msg->add_conn.me.address, TRUE))
253: {
254: DBG1(DBG_CFG, "left nor right host is our side, assuming left=local");
255: }
256: }
257:
258: /**
259: * Build an IKE config from a stroke message
260: */
261: static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg)
262: {
263: ike_cfg_create_t ike;
264: ike_cfg_t *ike_cfg;
265: char me[256], other[256];
266:
267: swap_ends(msg);
268:
269: ike = (ike_cfg_create_t){
270: .version = msg->add_conn.version,
271: .local = msg->add_conn.me.address,
272: .local_port = msg->add_conn.me.ikeport,
273: .remote = msg->add_conn.other.address,
274: .remote_port = msg->add_conn.other.ikeport,
275: .no_certreq = msg->add_conn.other.sendcert == CERT_NEVER_SEND,
276: .force_encap = msg->add_conn.force_encap,
277: .fragmentation = msg->add_conn.fragmentation,
278: .dscp = msg->add_conn.ikedscp,
279: };
280: if (msg->add_conn.me.allow_any)
281: {
282: snprintf(me, sizeof(me), "%s,0.0.0.0/0,::/0",
283: msg->add_conn.me.address);
284: ike.local = me;
285: }
286: if (msg->add_conn.other.allow_any)
287: {
288: snprintf(other, sizeof(other), "%s,0.0.0.0/0,::/0",
289: msg->add_conn.other.address);
290: ike.remote = other;
291: }
292: if (ike.local_port == IKEV2_UDP_PORT)
293: {
294: ike.local_port = charon->socket->get_port(charon->socket, FALSE);
295: }
296: ike_cfg = ike_cfg_create(&ike);
297:
298: if (!add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg,
299: NULL, PROTO_IKE))
300: {
301: ike_cfg->destroy(ike_cfg);
302: return NULL;
303: }
304: return ike_cfg;
305: }
306:
307: /**
308: * Add CRL constraint to config
309: */
310: static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
311: {
312: /* CRL/OCSP policy, for remote config only */
313: if (!local)
314: {
315: switch (policy)
316: {
317: case CRL_STRICT_YES:
318: /* if yes, we require a GOOD validation */
319: cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
320: break;
321: case CRL_STRICT_IFURI:
322: /* for ifuri, a SKIPPED validation is sufficient */
323: cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
324: break;
325: default:
326: break;
327: }
328: }
329: }
330:
331: /**
332: * build authentication config
333: */
334: static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
335: stroke_msg_t *msg, bool local, bool primary)
336: {
337: identification_t *identity;
338: certificate_t *certificate;
339: char *auth, *id, *pubkey, *cert, *ca, *groups;
340: stroke_end_t *end, *other_end;
341: auth_cfg_t *cfg;
342: bool loose = FALSE;
343:
344: /* select strings */
345: if (local)
346: {
347: end = &msg->add_conn.me;
348: other_end = &msg->add_conn.other;
349: }
350: else
351: {
352: end = &msg->add_conn.other;
353: other_end = &msg->add_conn.me;
354: }
355: if (primary)
356: {
357: auth = end->auth;
358: id = end->id;
359: if (!id)
360: { /* leftid/rightid fallback to address */
361: id = end->address;
362: }
363: cert = end->cert;
364: ca = end->ca;
365: if (ca && streq(ca, "%same"))
366: {
367: ca = other_end->ca;
368: }
369: }
370: else
371: {
372: auth = end->auth2;
373: id = end->id2;
374: if (local && !id)
375: { /* leftid2 falls back to leftid */
376: id = end->id;
377: }
378: cert = end->cert2;
379: ca = end->ca2;
380: if (ca && streq(ca, "%same"))
381: {
382: ca = other_end->ca2;
383: }
384: }
385: if (id && *id == '%' && !streq(id, "%any") && !streq(id, "%any6"))
386: { /* has only an effect on rightid/2 */
387: loose = !local;
388: id++;
389: }
390:
391: if (!auth)
392: {
393: if (primary)
394: {
395: auth = "pubkey";
396: }
397: else
398: { /* no second authentication round, fine. But load certificates
399: * for other purposes (EAP-TLS) */
400: if (cert)
401: {
402: certificate = this->cred->load_peer(this->cred, cert);
403: if (certificate)
404: {
405: certificate->destroy(certificate);
406: }
407: }
408: return NULL;
409: }
410: }
411:
412: cfg = auth_cfg_create();
413:
414: /* add identity and peer certificate */
415: identity = identification_create_from_string(id);
416: if (cert)
417: {
418: enumerator_t *enumerator;
419: bool has_subject = FALSE;
420: certificate_t *first = NULL;
421:
422: enumerator = enumerator_create_token(cert, ",", " ");
423: while (enumerator->enumerate(enumerator, &cert))
424: {
425: certificate = this->cred->load_peer(this->cred, cert);
426: if (certificate)
427: {
428: cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
429: if (!first)
430: {
431: first = certificate;
432: }
433: if (identity->get_type(identity) != ID_ANY &&
434: certificate->has_subject(certificate, identity))
435: {
436: has_subject = TRUE;
437: }
438: }
439: }
440: enumerator->destroy(enumerator);
441:
442: if (first && !has_subject)
443: {
444: DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, "
445: "defaulting to '%Y'", identity, first->get_subject(first));
446: identity->destroy(identity);
447: identity = first->get_subject(first);
448: identity = identity->clone(identity);
449: }
450: }
451: /* add raw RSA public key */
452: pubkey = end->rsakey;
453: if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
454: {
455: certificate = this->cred->load_pubkey(this->cred, pubkey, identity);
456: if (certificate)
457: {
458: cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
459: }
460: }
461: if (identity->get_type(identity) != ID_ANY)
462: {
463: cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
464: if (loose)
465: {
466: cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE);
467: }
468: }
469: else
470: {
471: identity->destroy(identity);
472: }
473:
474: /* CA constraint */
475: if (ca)
476: {
477: identity = identification_create_from_string(ca);
478: certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
479: KEY_ANY, identity, TRUE);
480: identity->destroy(identity);
481: if (certificate)
482: {
483: cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
484: }
485: else
486: {
487: DBG1(DBG_CFG, "CA certificate \"%s\" not found, discarding CA "
488: "constraint", ca);
489: }
490: }
491:
492: /* groups */
493: groups = primary ? end->groups : end->groups2;
494: if (groups)
495: {
496: enumerator_t *enumerator;
497: char *group;
498:
499: enumerator = enumerator_create_token(groups, ",", " ");
500: while (enumerator->enumerate(enumerator, &group))
501: {
502: cfg->add(cfg, AUTH_RULE_GROUP,
503: identification_create_from_string(group));
504: }
505: enumerator->destroy(enumerator);
506: }
507:
508: /* certificatePolicies */
509: if (end->cert_policy)
510: {
511: enumerator_t *enumerator;
512: char *policy;
513:
514: enumerator = enumerator_create_token(end->cert_policy, ",", " ");
515: while (enumerator->enumerate(enumerator, &policy))
516: {
517: cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
518: }
519: enumerator->destroy(enumerator);
520: }
521:
522: /* authentication method (class, actually) */
523: if (strpfx(auth, "ike:") ||
524: strpfx(auth, "pubkey") ||
525: strpfx(auth, "rsa") ||
526: strpfx(auth, "ecdsa") ||
527: strpfx(auth, "bliss"))
528: {
529: cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
530: build_crl_policy(cfg, local, msg->add_conn.crl_policy);
531: cfg->add_pubkey_constraints(cfg, auth, TRUE);
532: }
533: else if (streq(auth, "psk") || streq(auth, "secret"))
534: {
535: cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
536: }
537: else if (strpfx(auth, "xauth"))
538: {
539: char *pos;
540:
541: pos = strchr(auth, '-');
542: if (pos)
543: {
544: cfg->add(cfg, AUTH_RULE_XAUTH_BACKEND, strdup(++pos));
545: }
546: cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
547: if (msg->add_conn.xauth_identity)
548: {
549: cfg->add(cfg, AUTH_RULE_XAUTH_IDENTITY,
550: identification_create_from_string(msg->add_conn.xauth_identity));
551: }
552: }
553: else if (strpfx(auth, "eap"))
554: {
555: eap_vendor_type_t *type;
556: char *pos;
557:
558: cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
559: /* check for public key constraints for EAP-TLS etc. */
560: pos = strchr(auth, ':');
561: if (pos)
562: {
563: *pos = 0;
564: cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
565: }
566: type = eap_vendor_type_from_string(auth);
567: if (type)
568: {
569: cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type);
570: if (type->vendor)
571: {
572: cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor);
573: }
574: free(type);
575: }
576:
577: if (msg->add_conn.eap_identity)
578: {
579: if (streq(msg->add_conn.eap_identity, "%identity"))
580: {
581: identity = identification_create_from_encoding(ID_ANY,
582: chunk_empty);
583: }
584: else
585: {
586: identity = identification_create_from_string(
587: msg->add_conn.eap_identity);
588: }
589: cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
590: }
591: if (msg->add_conn.aaa_identity)
592: {
593: cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
594: identification_create_from_string(msg->add_conn.aaa_identity));
595: }
596: }
597: else
598: {
599: if (!streq(auth, "any"))
600: {
601: DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
602: auth);
603: }
604: build_crl_policy(cfg, local, msg->add_conn.crl_policy);
605: }
606: return cfg;
607: }
608:
609: /**
610: * build a mem_pool_t from an address range
611: */
612: static mem_pool_t *create_pool_range(char *str)
613: {
614: mem_pool_t *pool;
615: host_t *from, *to;
616:
617: if (!host_create_from_range(str, &from, &to))
618: {
619: return NULL;
620: }
621: pool = mem_pool_create_range(str, from, to);
622: from->destroy(from);
623: to->destroy(to);
624: return pool;
625: }
626:
627: /**
628: * build a peer_cfg from a stroke msg
629: */
630: static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
631: stroke_msg_t *msg, ike_cfg_t *ike_cfg)
632: {
633: peer_cfg_t *peer_cfg;
634: auth_cfg_t *auth_cfg;
635: peer_cfg_create_t peer = {
636: .cert_policy = msg->add_conn.me.sendcert,
637: .keyingtries = msg->add_conn.rekey.tries,
638: .no_mobike = !msg->add_conn.mobike,
639: .aggressive = msg->add_conn.aggressive,
640: .push_mode = msg->add_conn.pushmode,
641: .dpd = msg->add_conn.dpd.delay,
642: .dpd_timeout = msg->add_conn.dpd.timeout,
643: };
644:
645: #ifdef ME
646: if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
647: {
648: DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
649: "at the same time, aborting");
650: return NULL;
651: }
652:
653: if (msg->add_conn.ikeme.mediation)
654: {
655: peer.mediation = TRUE;
656: /* force unique connections for mediation connections */
657: msg->add_conn.unique = 1;
658: }
659: else if (msg->add_conn.ikeme.mediated_by)
660: {
661: peer.mediated_by = msg->add_conn.ikeme.mediated_by;
662: if (msg->add_conn.ikeme.peerid)
663: {
664: peer.peer_id = identification_create_from_string(
665: msg->add_conn.ikeme.peerid);
666: }
667: else if (msg->add_conn.other.id)
668: {
669: peer.peer_id = identification_create_from_string(
670: msg->add_conn.other.id);
671: }
672: }
673: #endif /* ME */
674:
675: peer.jitter_time = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
676: peer.over_time = msg->add_conn.rekey.margin;
677: if (msg->add_conn.rekey.reauth)
678: {
679: peer.reauth_time = msg->add_conn.rekey.ike_lifetime - peer.over_time;
680: }
681: else
682: {
683: peer.rekey_time = msg->add_conn.rekey.ike_lifetime - peer.over_time;
684: }
685: switch (msg->add_conn.unique)
686: {
687: case 1: /* yes */
688: case 2: /* replace */
689: peer.unique = UNIQUE_REPLACE;
690: break;
691: case 3: /* keep */
692: peer.unique = UNIQUE_KEEP;
693: break;
694: case 4: /* never */
695: peer.unique = UNIQUE_NEVER;
696: break;
697: default: /* no */
698: peer.unique = UNIQUE_NO;
699: break;
700: }
701: if (msg->add_conn.dpd.action == 0)
702: { /* dpdaction=none disables DPD */
703: peer.dpd = 0;
704: }
705:
706: /* other.sourceip is managed in stroke_attributes. If it is set, we define
707: * the pool name as the connection name, which the attribute provider
708: * uses to serve pool addresses. */
709: peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, &peer);
710:
711: if (msg->add_conn.other.sourceip)
712: {
713: enumerator_t *enumerator;
714: char *token;
715:
716: enumerator = enumerator_create_token(msg->add_conn.other.sourceip,
717: ",", " ");
718: while (enumerator->enumerate(enumerator, &token))
719: {
720: if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
721: streq(token, "%config") || streq(token, "%cfg") ||
722: streq(token, "%config4") || streq(token, "%config6"))
723: {
724: /* empty pool, uses connection name */
725: this->attributes->add_pool(this->attributes,
726: mem_pool_create(msg->add_conn.name, NULL, 0));
727: peer_cfg->add_pool(peer_cfg, msg->add_conn.name);
728: }
729: else if (*token == '%')
730: {
731: /* external named pool */
732: peer_cfg->add_pool(peer_cfg, token + 1);
733: }
734: else
735: {
736: /* in-memory pool, using range or CIDR notation */
737: mem_pool_t *pool;
738: host_t *base;
739: int bits;
740:
741: pool = create_pool_range(token);
742: if (!pool)
743: {
744: base = host_create_from_subnet(token, &bits);
745: if (base)
746: {
747: pool = mem_pool_create(token, base, bits);
748: base->destroy(base);
749: }
750: }
751: if (pool)
752: {
753: this->attributes->add_pool(this->attributes, pool);
754: peer_cfg->add_pool(peer_cfg, token);
755: }
756: else
757: {
758: DBG1(DBG_CFG, "IP pool %s invalid, ignored", token);
759: }
760: }
761: }
762: enumerator->destroy(enumerator);
763: }
764:
765: if (msg->add_conn.me.sourceip && msg->add_conn.other.sourceip)
766: {
767: DBG1(DBG_CFG, "'%s' has both left- and rightsourceip, but IKE can "
768: "negotiate one virtual IP only, ignoring local virtual IP",
769: msg->add_conn.name);
770: }
771: else if (msg->add_conn.me.sourceip)
772: {
773: enumerator_t *enumerator;
774: char *token;
775:
776: enumerator = enumerator_create_token(msg->add_conn.me.sourceip, ",", " ");
777: while (enumerator->enumerate(enumerator, &token))
778: {
779: host_t *vip = NULL;
780:
781: if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
782: streq(token, "%config") || streq(token, "%cfg"))
783: { /* try to deduce an address family */
784: if (msg->add_conn.me.subnets)
785: { /* use the same family as in local subnet, if any */
786: if (strchr(msg->add_conn.me.subnets, '.'))
787: {
788: vip = host_create_any(AF_INET);
789: }
790: else
791: {
792: vip = host_create_any(AF_INET6);
793: }
794: }
795: else if (msg->add_conn.other.subnets)
796: { /* use the same family as in remote subnet, if any */
797: if (strchr(msg->add_conn.other.subnets, '.'))
798: {
799: vip = host_create_any(AF_INET);
800: }
801: else
802: {
803: vip = host_create_any(AF_INET6);
804: }
805: }
806: else
807: {
808: char *addr, *next, *hit;
809:
810: /* guess virtual IP family based on local address. If
811: * multiple addresses are specified, we look at the first
812: * only, as with leftallowany a ::/0 is always appended. */
813: addr = ike_cfg->get_my_addr(ike_cfg);
814: next = strchr(addr, ',');
815: hit = strchr(addr, ':');
816: if (hit && (!next || hit < next))
817: {
818: vip = host_create_any(AF_INET6);
819: }
820: else
821: {
822: vip = host_create_any(AF_INET);
823: }
824: }
825: }
826: else if (streq(token, "%config4"))
827: {
828: vip = host_create_any(AF_INET);
829: }
830: else if (streq(token, "%config6"))
831: {
832: vip = host_create_any(AF_INET6);
833: }
834: else
835: {
836: vip = host_create_from_string(token, 0);
837: if (!vip)
838: {
839: DBG1(DBG_CFG, "ignored invalid subnet token: %s", token);
840: }
841: }
842:
843: if (vip)
844: {
845: peer_cfg->add_virtual_ip(peer_cfg, vip);
846: }
847: }
848: enumerator->destroy(enumerator);
849: }
850:
851: /* build leftauth= */
852: auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
853: if (auth_cfg)
854: {
855: peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
856: }
857: else
858: { /* we require at least one config on our side */
859: peer_cfg->destroy(peer_cfg);
860: return NULL;
861: }
862: /* build leftauth2= */
863: auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
864: if (auth_cfg)
865: {
866: peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
867: }
868: /* build rightauth= */
869: auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
870: if (auth_cfg)
871: {
872: peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
873: }
874: /* build rightauth2= */
875: auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
876: if (auth_cfg)
877: {
878: peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
879: }
880: return peer_cfg;
881: }
882:
883: /**
884: * Parse a protoport specifier
885: */
886: static bool parse_protoport(char *token, uint16_t *from_port,
887: uint16_t *to_port, uint8_t *protocol)
888: {
889: char *sep, *port = "", *endptr;
890: struct protoent *proto;
891: struct servent *svc;
892: long int p;
893:
894: sep = strrchr(token, ']');
895: if (!sep)
896: {
897: return FALSE;
898: }
899: *sep = '\0';
900:
901: sep = strchr(token, '/');
902: if (sep)
903: { /* protocol/port */
904: *sep = '\0';
905: port = sep + 1;
906: }
907:
908: if (streq(token, "%any"))
909: {
910: *protocol = 0;
911: }
912: else
913: {
914: proto = getprotobyname(token);
915: if (proto)
916: {
917: *protocol = proto->p_proto;
918: }
919: else
920: {
921: p = strtol(token, &endptr, 0);
922: if ((*token && *endptr) || p < 0 || p > 0xff)
923: {
924: return FALSE;
925: }
926: *protocol = (uint8_t)p;
927: }
928: }
929: if (streq(port, "%any"))
930: {
931: *from_port = 0;
932: *to_port = 0xffff;
933: }
934: else if (streq(port, "%opaque"))
935: {
936: *from_port = 0xffff;
937: *to_port = 0;
938: }
939: else if (*port)
940: {
941: svc = getservbyname(port, NULL);
942: if (svc)
943: {
944: *from_port = *to_port = ntohs(svc->s_port);
945: }
946: else
947: {
948: p = strtol(port, &endptr, 0);
949: if (p < 0 || p > 0xffff)
950: {
951: return FALSE;
952: }
953: *from_port = p;
954: if (*endptr == '-')
955: {
956: port = endptr + 1;
957: p = strtol(port, &endptr, 0);
958: if (p < 0 || p > 0xffff)
959: {
960: return FALSE;
961: }
962: }
963: *to_port = p;
964: if (*endptr)
965: {
966: return FALSE;
967: }
968: }
969: }
970: return TRUE;
971: }
972:
973: /**
974: * build a traffic selector from a stroke_end
975: */
976: static void add_ts(private_stroke_config_t *this,
977: stroke_end_t *end, child_cfg_t *child_cfg, bool local)
978: {
979: traffic_selector_t *ts;
980: bool ts_added = FALSE;
981:
982: if (end->subnets)
983: {
984: enumerator_t *enumerator;
985: char *subnet, *pos;
986: uint16_t from_port, to_port;
987: uint8_t proto;
988:
989: enumerator = enumerator_create_token(end->subnets, ",", " ");
990: while (enumerator->enumerate(enumerator, &subnet))
991: {
992: from_port = end->from_port;
993: to_port = end->to_port;
994: proto = end->protocol;
995:
996: pos = strchr(subnet, '[');
997: if (pos)
998: {
999: *(pos++) = '\0';
1000: if (!parse_protoport(pos, &from_port, &to_port, &proto))
1001: {
1002: DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
1003: pos);
1004: continue;
1005: }
1006: }
1007: if (streq(subnet, "%dynamic"))
1008: {
1009: ts = traffic_selector_create_dynamic(proto,
1010: from_port, to_port);
1011: }
1012: else
1013: {
1014: ts = traffic_selector_create_from_cidr(subnet, proto,
1015: from_port, to_port);
1016: }
1017: if (ts)
1018: {
1019: child_cfg->add_traffic_selector(child_cfg, local, ts);
1020: ts_added = TRUE;
1021: }
1022: else
1023: {
1024: DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
1025: }
1026: }
1027: enumerator->destroy(enumerator);
1028: }
1029: if (!ts_added)
1030: {
1031: ts = traffic_selector_create_dynamic(end->protocol,
1032: end->from_port, end->to_port);
1033: child_cfg->add_traffic_selector(child_cfg, local, ts);
1034: }
1035: }
1036:
1037: /**
1038: * map starter magic values to our action type
1039: */
1040: static action_t map_action(int starter_action)
1041: {
1042: switch (starter_action)
1043: {
1044: case 2: /* =hold */
1045: return ACTION_ROUTE;
1046: case 3: /* =restart */
1047: return ACTION_RESTART;
1048: default:
1049: return ACTION_NONE;
1050: }
1051: }
1052:
1053: /**
1054: * build a child config from the stroke message
1055: */
1056: static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
1057: stroke_msg_t *msg)
1058: {
1059: child_cfg_t *child_cfg;
1060: bool success;
1061: child_cfg_create_t child = {
1062: .lifetime = {
1063: .time = {
1064: .life = msg->add_conn.rekey.ipsec_lifetime,
1065: .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
1066: .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
1067: },
1068: .bytes = {
1069: .life = msg->add_conn.rekey.life_bytes,
1070: .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
1071: .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
1072: },
1073: .packets = {
1074: .life = msg->add_conn.rekey.life_packets,
1075: .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
1076: .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
1077: },
1078: },
1079: .mark_in = {
1080: .value = msg->add_conn.mark_in.value,
1081: .mask = msg->add_conn.mark_in.mask
1082: },
1083: .mark_out = {
1084: .value = msg->add_conn.mark_out.value,
1085: .mask = msg->add_conn.mark_out.mask
1086: },
1087: .reqid = msg->add_conn.reqid,
1088: .mode = msg->add_conn.mode,
1089: .options = (msg->add_conn.proxy_mode ? OPT_PROXY_MODE : 0) |
1090: (msg->add_conn.ipcomp ? OPT_IPCOMP : 0) |
1091: (msg->add_conn.me.hostaccess ? OPT_HOSTACCESS : 0) |
1092: (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES) |
1093: (msg->add_conn.sha256_96 ? OPT_SHA256_96 : 0),
1094: .tfc = msg->add_conn.tfc,
1095: .inactivity = msg->add_conn.inactivity,
1096: .dpd_action = map_action(msg->add_conn.dpd.action),
1097: .close_action = map_action(msg->add_conn.close_action),
1098: .updown = msg->add_conn.me.updown,
1099: };
1100:
1101: child_cfg = child_cfg_create(msg->add_conn.name, &child);
1102: if (msg->add_conn.replay_window != -1)
1103: {
1104: child_cfg->set_replay_window(child_cfg, msg->add_conn.replay_window);
1105: }
1106: add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
1107: add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
1108:
1109: if (msg->add_conn.algorithms.ah)
1110: {
1111: success = add_proposals(this, msg->add_conn.algorithms.ah,
1112: NULL, child_cfg, PROTO_AH);
1113: }
1114: else
1115: {
1116: success = add_proposals(this, msg->add_conn.algorithms.esp,
1117: NULL, child_cfg, PROTO_ESP);
1118: }
1119: if (!success)
1120: {
1121: child_cfg->destroy(child_cfg);
1122: return NULL;
1123: }
1124: return child_cfg;
1125: }
1126:
1127: METHOD(stroke_config_t, add, void,
1128: private_stroke_config_t *this, stroke_msg_t *msg)
1129: {
1130: ike_cfg_t *ike_cfg, *existing_ike;
1131: peer_cfg_t *peer_cfg, *existing;
1132: child_cfg_t *child_cfg;
1133: enumerator_t *enumerator;
1134: bool use_existing = FALSE;
1135:
1136: ike_cfg = build_ike_cfg(this, msg);
1137: if (!ike_cfg)
1138: {
1139: return;
1140: }
1141: peer_cfg = build_peer_cfg(this, msg, ike_cfg);
1142: if (!peer_cfg)
1143: {
1144: ike_cfg->destroy(ike_cfg);
1145: return;
1146: }
1147:
1148: enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
1149: while (enumerator->enumerate(enumerator, &existing))
1150: {
1151: existing_ike = existing->get_ike_cfg(existing);
1152: if (existing->equals(existing, peer_cfg) &&
1153: existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg)))
1154: {
1155: use_existing = TRUE;
1156: peer_cfg->destroy(peer_cfg);
1157: peer_cfg = existing;
1158: peer_cfg->get_ref(peer_cfg);
1159: DBG1(DBG_CFG, "added child to existing configuration '%s'",
1160: peer_cfg->get_name(peer_cfg));
1161: break;
1162: }
1163: }
1164: enumerator->destroy(enumerator);
1165:
1166: child_cfg = build_child_cfg(this, msg);
1167: if (!child_cfg)
1168: {
1169: peer_cfg->destroy(peer_cfg);
1170: return;
1171: }
1172: peer_cfg->add_child_cfg(peer_cfg, child_cfg);
1173:
1174: if (use_existing)
1175: {
1176: peer_cfg->destroy(peer_cfg);
1177: }
1178: else
1179: {
1180: /* add config to backend */
1181: DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
1182: this->mutex->lock(this->mutex);
1183: this->list->insert_last(this->list, peer_cfg);
1184: this->mutex->unlock(this->mutex);
1185: }
1186: }
1187:
1188: METHOD(stroke_config_t, del, void,
1189: private_stroke_config_t *this, stroke_msg_t *msg)
1190: {
1191: enumerator_t *enumerator, *children;
1192: peer_cfg_t *peer;
1193: child_cfg_t *child;
1194: bool deleted = FALSE;
1195:
1196: this->mutex->lock(this->mutex);
1197: enumerator = this->list->create_enumerator(this->list);
1198: while (enumerator->enumerate(enumerator, &peer))
1199: {
1200: bool keep = FALSE;
1201:
1202: /* remove any child with such a name */
1203: children = peer->create_child_cfg_enumerator(peer);
1204: while (children->enumerate(children, &child))
1205: {
1206: if (streq(child->get_name(child), msg->del_conn.name))
1207: {
1208: peer->remove_child_cfg(peer, children);
1209: child->destroy(child);
1210: deleted = TRUE;
1211: }
1212: else
1213: {
1214: keep = TRUE;
1215: }
1216: }
1217: children->destroy(children);
1218:
1219: /* if peer config has no children anymore, remove it */
1220: if (!keep)
1221: {
1222: this->list->remove_at(this->list, enumerator);
1223: peer->destroy(peer);
1224: }
1225: }
1226: enumerator->destroy(enumerator);
1227: this->mutex->unlock(this->mutex);
1228:
1229: if (deleted)
1230: {
1231: DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
1232: }
1233: else
1234: {
1235: DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
1236: }
1237: }
1238:
1239: METHOD(stroke_config_t, set_user_credentials, void,
1240: private_stroke_config_t *this, stroke_msg_t *msg, FILE *prompt)
1241: {
1242: enumerator_t *enumerator, *children, *remote_auth;
1243: peer_cfg_t *peer, *found = NULL;
1244: auth_cfg_t *auth_cfg, *remote_cfg;
1245: auth_class_t auth_class;
1246: child_cfg_t *child;
1247: identification_t *id, *identity, *gw = NULL;
1248: shared_key_type_t type = SHARED_ANY;
1249: chunk_t password = chunk_empty;
1250:
1251: this->mutex->lock(this->mutex);
1252: enumerator = this->list->create_enumerator(this->list);
1253: while (enumerator->enumerate(enumerator, (void**)&peer))
1254: { /* find the peer (or child) config with the given name */
1255: if (streq(peer->get_name(peer), msg->user_creds.name))
1256: {
1257: found = peer;
1258: }
1259: else
1260: {
1261: children = peer->create_child_cfg_enumerator(peer);
1262: while (children->enumerate(children, &child))
1263: {
1264: if (streq(child->get_name(child), msg->user_creds.name))
1265: {
1266: found = peer;
1267: break;
1268: }
1269: }
1270: children->destroy(children);
1271: }
1272:
1273: if (found)
1274: {
1275: break;
1276: }
1277: }
1278: enumerator->destroy(enumerator);
1279:
1280: if (!found)
1281: {
1282: DBG1(DBG_CFG, " no config named '%s'", msg->user_creds.name);
1283: fprintf(prompt, "no config named '%s'\n", msg->user_creds.name);
1284: this->mutex->unlock(this->mutex);
1285: return;
1286: }
1287:
1288: id = identification_create_from_string(msg->user_creds.username);
1289: if (strlen(msg->user_creds.username) == 0 ||
1290: !id || id->get_type(id) == ID_ANY)
1291: {
1292: DBG1(DBG_CFG, " invalid username '%s'", msg->user_creds.username);
1293: fprintf(prompt, "invalid username '%s'\n", msg->user_creds.username);
1294: this->mutex->unlock(this->mutex);
1295: DESTROY_IF(id);
1296: return;
1297: }
1298:
1299: /* replace/set the username in the first EAP/XAuth auth_cfg, also look for
1300: * a suitable remote ID.
1301: * note that adding the identity here is not fully thread-safe as the
1302: * peer_cfg and in turn the auth_cfg could be in use. for the default use
1303: * case (setting user credentials before upping the connection) this will
1304: * not be a problem, though. */
1305: enumerator = found->create_auth_cfg_enumerator(found, TRUE);
1306: remote_auth = found->create_auth_cfg_enumerator(found, FALSE);
1307: while (enumerator->enumerate(enumerator, (void**)&auth_cfg))
1308: {
1309: if (remote_auth->enumerate(remote_auth, (void**)&remote_cfg))
1310: { /* fall back on rightid, in case aaa_identity is not specified */
1311: identity = remote_cfg->get(remote_cfg, AUTH_RULE_IDENTITY);
1312: if (identity && identity->get_type(identity) != ID_ANY)
1313: {
1314: gw = identity;
1315: }
1316: }
1317:
1318: auth_class = (uintptr_t)auth_cfg->get(auth_cfg, AUTH_RULE_AUTH_CLASS);
1319: if (auth_class == AUTH_CLASS_EAP || auth_class == AUTH_CLASS_XAUTH)
1320: {
1321: if (auth_class == AUTH_CLASS_EAP)
1322: {
1323: auth_cfg->add(auth_cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
1324: /* if aaa_identity is specified use that as remote ID */
1325: identity = auth_cfg->get(auth_cfg, AUTH_RULE_AAA_IDENTITY);
1326: if (identity && identity->get_type(identity) != ID_ANY)
1327: {
1328: gw = identity;
1329: }
1330: DBG1(DBG_CFG, " configured EAP-Identity %Y", id);
1331: }
1332: else
1333: {
1334: auth_cfg->add(auth_cfg, AUTH_RULE_XAUTH_IDENTITY,
1335: id->clone(id));
1336: DBG1(DBG_CFG, " configured XAuth username %Y", id);
1337: }
1338: type = SHARED_EAP;
1339: break;
1340: }
1341: }
1342: enumerator->destroy(enumerator);
1343: remote_auth->destroy(remote_auth);
1344: /* clone the gw ID before unlocking the mutex */
1345: if (gw)
1346: {
1347: gw = gw->clone(gw);
1348: }
1349: this->mutex->unlock(this->mutex);
1350:
1351: if (type == SHARED_ANY)
1352: {
1353: DBG1(DBG_CFG, " config '%s' unsuitable for user credentials",
1354: msg->user_creds.name);
1355: fprintf(prompt, "config '%s' unsuitable for user credentials\n",
1356: msg->user_creds.name);
1357: id->destroy(id);
1358: DESTROY_IF(gw);
1359: return;
1360: }
1361:
1362: if (msg->user_creds.password)
1363: {
1364: char *pass;
1365:
1366: pass = msg->user_creds.password;
1367: password = chunk_clone(chunk_create(pass, strlen(pass)));
1368: memwipe(pass, strlen(pass));
1369: }
1370: else
1371: { /* prompt the user for the password */
1372: char buf[256];
1373:
1374: fprintf(prompt, "Password:\n");
1375: if (fgets(buf, sizeof(buf), prompt))
1376: {
1377: password = chunk_clone(chunk_create(buf, strlen(buf)));
1378: if (password.len > 0)
1379: { /* trim trailing \n */
1380: password.len--;
1381: }
1382: memwipe(buf, sizeof(buf));
1383: }
1384: }
1385:
1386: if (password.len)
1387: {
1388: shared_key_t *shared;
1389: linked_list_t *owners;
1390:
1391: shared = shared_key_create(type, password);
1392:
1393: owners = linked_list_create();
1394: owners->insert_last(owners, id->clone(id));
1395: if (gw && gw->get_type(gw) != ID_ANY)
1396: {
1397: owners->insert_last(owners, gw->clone(gw));
1398: DBG1(DBG_CFG, " added %N secret for %Y %Y", shared_key_type_names,
1399: type, id, gw);
1400: }
1401: else
1402: {
1403: DBG1(DBG_CFG, " added %N secret for %Y", shared_key_type_names,
1404: type, id);
1405: }
1406: this->cred->add_shared(this->cred, shared, owners);
1407: DBG4(DBG_CFG, " secret: %#B", &password);
1408: }
1409: else
1410: { /* in case a user answers the password prompt by just pressing enter */
1411: chunk_clear(&password);
1412: }
1413: id->destroy(id);
1414: DESTROY_IF(gw);
1415: }
1416:
1417: METHOD(stroke_config_t, destroy, void,
1418: private_stroke_config_t *this)
1419: {
1420: this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy));
1421: this->mutex->destroy(this->mutex);
1422: free(this);
1423: }
1424:
1425: /*
1426: * see header file
1427: */
1428: stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
1429: stroke_attribute_t *attributes)
1430: {
1431: private_stroke_config_t *this;
1432:
1433: INIT(this,
1434: .public = {
1435: .backend = {
1436: .create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
1437: .create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
1438: .get_peer_cfg_by_name = _get_peer_cfg_by_name,
1439: },
1440: .add = _add,
1441: .del = _del,
1442: .set_user_credentials = _set_user_credentials,
1443: .destroy = _destroy,
1444: },
1445: .list = linked_list_create(),
1446: .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
1447: .ca = ca,
1448: .cred = cred,
1449: .attributes = attributes,
1450: );
1451:
1452: return &this->public;
1453: }