![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ike_config.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev2 / tasks|
Return to ike_config.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev2 / tasks |
1.1 misho 1: /*
2: * Copyright (C) 2007 Martin Willi
3: * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: #include "ike_config.h"
18:
19: #include <daemon.h>
20: #include <encoding/payloads/cp_payload.h>
21:
22: typedef struct private_ike_config_t private_ike_config_t;
23:
24: /**
25: * Private members of a ike_config_t task.
26: */
27: struct private_ike_config_t {
28:
29: /**
30: * Public methods and task_t interface.
31: */
32: ike_config_t public;
33:
34: /**
35: * Assigned IKE_SA.
36: */
37: ike_sa_t *ike_sa;
38:
39: /**
40: * Are we the initiator?
41: */
42: bool initiator;
43:
44: /**
45: * Did we request a virtual IP?
46: */
47: bool vip_requested;
48:
49: /**
50: * Received list of virtual IPs, host_t*
51: */
52: linked_list_t *vips;
53:
54: /**
55: * list of attributes requested and its handler, entry_t
56: */
57: linked_list_t *requested;
58: };
59:
60: /**
61: * Entry for a requested attribute and the requesting handler
62: */
63: typedef struct {
64: /** attribute requested */
65: configuration_attribute_type_t type;
66: /** handler requesting this attribute */
67: attribute_handler_t *handler;
68: } entry_t;
69:
70: /**
71: * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
72: */
73: static configuration_attribute_t *build_vip(host_t *vip)
74: {
75: configuration_attribute_type_t type;
76: chunk_t chunk, prefix;
77:
78: if (vip->get_family(vip) == AF_INET)
79: {
80: type = INTERNAL_IP4_ADDRESS;
81: if (vip->is_anyaddr(vip))
82: {
83: chunk = chunk_empty;
84: }
85: else
86: {
87: chunk = vip->get_address(vip);
88: }
89: }
90: else
91: {
92: type = INTERNAL_IP6_ADDRESS;
93: if (vip->is_anyaddr(vip))
94: {
95: chunk = chunk_empty;
96: }
97: else
98: {
99: prefix = chunk_alloca(1);
100: *prefix.ptr = 64;
101: chunk = vip->get_address(vip);
102: chunk = chunk_cata("cc", chunk, prefix);
103: }
104: }
105: return configuration_attribute_create_chunk(PLV2_CONFIGURATION_ATTRIBUTE,
106: type, chunk);
107: }
108:
109: /**
110: * Handle a received attribute as initiator
111: */
112: static void handle_attribute(private_ike_config_t *this,
113: configuration_attribute_t *ca)
114: {
115: attribute_handler_t *handler = NULL;
116: enumerator_t *enumerator;
117: entry_t *entry;
118:
119: /* find the handler which requested this attribute */
120: enumerator = this->requested->create_enumerator(this->requested);
121: while (enumerator->enumerate(enumerator, &entry))
122: {
123: if (entry->type == ca->get_type(ca))
124: {
125: handler = entry->handler;
126: this->requested->remove_at(this->requested, enumerator);
127: free(entry);
128: break;
129: }
130: }
131: enumerator->destroy(enumerator);
132:
133: /* and pass it to the handle function */
134: handler = charon->attributes->handle(charon->attributes,
135: this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca));
136: this->ike_sa->add_configuration_attribute(this->ike_sa,
137: handler, ca->get_type(ca), ca->get_chunk(ca));
138: }
139:
140: /**
141: * process a single configuration attribute
142: */
143: static void process_attribute(private_ike_config_t *this,
144: configuration_attribute_t *ca)
145: {
146: host_t *ip;
147: chunk_t addr;
148: int family = AF_INET6;
149:
150: switch (ca->get_type(ca))
151: {
152: case INTERNAL_IP4_ADDRESS:
153: family = AF_INET;
154: /* fall */
155: case INTERNAL_IP6_ADDRESS:
156: {
157: if (this->initiator && !this->vip_requested)
158: {
159: handle_attribute(this, ca);
160: return;
161: }
162:
163: addr = ca->get_chunk(ca);
164: if (addr.len == 0)
165: {
166: ip = host_create_any(family);
167: }
168: else
169: {
170: /* skip prefix byte in IPv6 payload*/
171: if (family == AF_INET6)
172: {
173: addr.len--;
174: }
175: ip = host_create_from_chunk(family, addr, 0);
176: }
177: if (ip)
178: {
179: this->vips->insert_last(this->vips, ip);
180: }
181: break;
182: }
183: case INTERNAL_IP4_SERVER:
184: case INTERNAL_IP6_SERVER:
185: /* assume it's a Windows client if we see proprietary attributes */
186: this->ike_sa->enable_extension(this->ike_sa, EXT_MS_WINDOWS);
187: /* fall */
188: default:
189: {
190: if (this->initiator)
191: {
192: handle_attribute(this, ca);
193: }
194: }
195: }
196: }
197:
198: /**
199: * Scan for configuration payloads and attributes
200: */
201: static void process_payloads(private_ike_config_t *this, message_t *message)
202: {
203: enumerator_t *enumerator, *attributes;
204: payload_t *payload;
205:
206: enumerator = message->create_payload_enumerator(message);
207: while (enumerator->enumerate(enumerator, &payload))
208: {
209: if (payload->get_type(payload) == PLV2_CONFIGURATION)
210: {
211: cp_payload_t *cp = (cp_payload_t*)payload;
212: configuration_attribute_t *ca;
213:
214: switch (cp->get_type(cp))
215: {
216: case CFG_REQUEST:
217: case CFG_REPLY:
218: {
219: attributes = cp->create_attribute_enumerator(cp);
220: while (attributes->enumerate(attributes, &ca))
221: {
222: DBG2(DBG_IKE, "processing %N attribute",
223: configuration_attribute_type_names, ca->get_type(ca));
224: process_attribute(this, ca);
225: }
226: attributes->destroy(attributes);
227: break;
228: }
229: default:
230: DBG1(DBG_IKE, "ignoring %N config payload",
231: config_type_names, cp->get_type(cp));
232: break;
233: }
234: }
235: }
236: enumerator->destroy(enumerator);
237: }
238:
239: METHOD(task_t, build_i, status_t,
240: private_ike_config_t *this, message_t *message)
241: {
242: if (message->get_message_id(message) == 1)
243: { /* in first IKE_AUTH only */
244: cp_payload_t *cp = NULL;
245: enumerator_t *enumerator;
246: attribute_handler_t *handler;
247: peer_cfg_t *config;
248: configuration_attribute_type_t type;
249: chunk_t data;
250: linked_list_t *vips;
251: host_t *host;
252:
253: vips = linked_list_create();
254:
255: /* reuse virtual IP if we already have one */
256: enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
257: TRUE);
258: while (enumerator->enumerate(enumerator, &host))
259: {
260: vips->insert_last(vips, host);
261: }
262: enumerator->destroy(enumerator);
263:
264: if (vips->get_count(vips) == 0)
265: {
266: config = this->ike_sa->get_peer_cfg(this->ike_sa);
267: enumerator = config->create_virtual_ip_enumerator(config);
268: while (enumerator->enumerate(enumerator, &host))
269: {
270: vips->insert_last(vips, host);
271: }
272: enumerator->destroy(enumerator);
273: }
274:
275: if (vips->get_count(vips))
276: {
277: cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REQUEST);
278: enumerator = vips->create_enumerator(vips);
279: while (enumerator->enumerate(enumerator, &host))
280: {
281: cp->add_attribute(cp, build_vip(host));
282: }
283: enumerator->destroy(enumerator);
284: this->vip_requested = TRUE;
285: }
286:
287: enumerator = charon->attributes->create_initiator_enumerator(
288: charon->attributes, this->ike_sa, vips);
289: while (enumerator->enumerate(enumerator, &handler, &type, &data))
290: {
291: configuration_attribute_t *ca;
292: entry_t *entry;
293:
294: /* create configuration attribute */
295: DBG2(DBG_IKE, "building %N attribute",
296: configuration_attribute_type_names, type);
297: ca = configuration_attribute_create_chunk(PLV2_CONFIGURATION_ATTRIBUTE,
298: type, data);
299: if (!cp)
300: {
301: cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REQUEST);
302: }
303: cp->add_attribute(cp, ca);
304:
305: /* save handler along with requested type */
306: entry = malloc_thing(entry_t);
307: entry->type = type;
308: entry->handler = handler;
309:
310: this->requested->insert_last(this->requested, entry);
311: }
312: enumerator->destroy(enumerator);
313:
314: vips->destroy(vips);
315:
316: if (cp)
317: {
318: message->add_payload(message, (payload_t*)cp);
319: }
320: else
321: { /* we don't expect a CFG_REPLY */
322: return SUCCESS;
323: }
324: }
325: return NEED_MORE;
326: }
327:
328: METHOD(task_t, process_r, status_t,
329: private_ike_config_t *this, message_t *message)
330: {
331: if (message->get_message_id(message) == 1)
332: { /* in first IKE_AUTH only */
333: process_payloads(this, message);
334: }
335: return NEED_MORE;
336: }
337:
338: METHOD(task_t, build_r, status_t,
339: private_ike_config_t *this, message_t *message)
340: {
341: if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
342: { /* in last IKE_AUTH exchange */
343: enumerator_t *enumerator;
344: configuration_attribute_type_t type;
345: chunk_t value;
346: cp_payload_t *cp = NULL;
347: peer_cfg_t *config;
348: identification_t *id;
349: linked_list_t *vips, *pools;
350: host_t *requested;
351:
352: if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
353: { /* don't assign attributes for redirected SAs */
354: return SUCCESS;
355: }
356:
357: id = this->ike_sa->get_other_eap_id(this->ike_sa);
358: config = this->ike_sa->get_peer_cfg(this->ike_sa);
359: vips = linked_list_create();
360: pools = linked_list_create_from_enumerator(
361: config->create_pool_enumerator(config));
362:
363: this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
364:
365: enumerator = this->vips->create_enumerator(this->vips);
366: while (enumerator->enumerate(enumerator, &requested))
367: {
368: host_t *found = NULL;
369:
370: /* query all pools until we get an address */
371: DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
372:
373: found = charon->attributes->acquire_address(charon->attributes,
374: pools, this->ike_sa, requested);
375: if (found)
376: {
377: DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
378: this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
379: if (!cp)
380: {
381: cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REPLY);
382: }
383: cp->add_attribute(cp, build_vip(found));
384: vips->insert_last(vips, found);
385: }
386: else
387: {
388: DBG1(DBG_IKE, "no virtual IP found for %H requested by '%Y'",
389: requested, id);
390: }
391: }
392: enumerator->destroy(enumerator);
393:
394: if (this->vips->get_count(this->vips) && !vips->get_count(vips))
395: {
396: DBG1(DBG_IKE, "no virtual IP found, sending %N",
397: notify_type_names, INTERNAL_ADDRESS_FAILURE);
398: charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
399: message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
400: chunk_empty);
401: vips->destroy_offset(vips, offsetof(host_t, destroy));
402: pools->destroy(pools);
403: return SUCCESS;
404: }
405: charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
406:
407: if (pools->get_count(pools) && !this->vips->get_count(this->vips))
408: {
409: DBG1(DBG_IKE, "expected a virtual IP request, sending %N",
410: notify_type_names, FAILED_CP_REQUIRED);
411: charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
412: message->add_notify(message, FALSE, FAILED_CP_REQUIRED, chunk_empty);
413: vips->destroy_offset(vips, offsetof(host_t, destroy));
414: pools->destroy(pools);
415: return SUCCESS;
416: }
417:
418: /* query registered providers for additional attributes to include */
419: enumerator = charon->attributes->create_responder_enumerator(
420: charon->attributes, pools, this->ike_sa, vips);
421: while (enumerator->enumerate(enumerator, &type, &value))
422: {
423: if (!cp)
424: {
425: cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REPLY);
426: }
427: DBG2(DBG_IKE, "building %N attribute",
428: configuration_attribute_type_names, type);
429: cp->add_attribute(cp,
430: configuration_attribute_create_chunk(PLV2_CONFIGURATION_ATTRIBUTE,
431: type, value));
432: }
433: enumerator->destroy(enumerator);
434: vips->destroy_offset(vips, offsetof(host_t, destroy));
435: pools->destroy(pools);
436:
437: if (cp)
438: {
439: message->add_payload(message, (payload_t*)cp);
440: }
441: return SUCCESS;
442: }
443: return NEED_MORE;
444: }
445:
446: METHOD(task_t, process_i, status_t,
447: private_ike_config_t *this, message_t *message)
448: {
449: if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
450: { /* in last IKE_AUTH exchange */
451: enumerator_t *enumerator;
452: host_t *host;
453:
454: process_payloads(this, message);
455:
456: this->ike_sa->clear_virtual_ips(this->ike_sa, TRUE);
457:
458: enumerator = this->vips->create_enumerator(this->vips);
459: while (enumerator->enumerate(enumerator, &host))
460: {
461: if (!host->is_anyaddr(host))
462: {
463: this->ike_sa->add_virtual_ip(this->ike_sa, TRUE, host);
464: }
465: }
466: enumerator->destroy(enumerator);
467:
468: charon->bus->handle_vips(charon->bus, this->ike_sa, TRUE);
469: return SUCCESS;
470: }
471: return NEED_MORE;
472: }
473:
474: METHOD(task_t, get_type, task_type_t,
475: private_ike_config_t *this)
476: {
477: return TASK_IKE_CONFIG;
478: }
479:
480: METHOD(task_t, migrate, void,
481: private_ike_config_t *this, ike_sa_t *ike_sa)
482: {
483: this->ike_sa = ike_sa;
484: this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
485: this->vips = linked_list_create();
486: this->requested->destroy_function(this->requested, free);
487: this->requested = linked_list_create();
488: }
489:
490: METHOD(task_t, destroy, void,
491: private_ike_config_t *this)
492: {
493: this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
494: this->requested->destroy_function(this->requested, free);
495: free(this);
496: }
497:
498: /*
499: * Described in header.
500: */
501: ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
502: {
503: private_ike_config_t *this;
504:
505: INIT(this,
506: .public = {
507: .task = {
508: .get_type = _get_type,
509: .migrate = _migrate,
510: .destroy = _destroy,
511: },
512: },
513: .initiator = initiator,
514: .ike_sa = ike_sa,
515: .vips = linked_list_create(),
516: .requested = linked_list_create(),
517: );
518:
519: if (initiator)
520: {
521: this->public.task.build = _build_i;
522: this->public.task.process = _process_i;
523: }
524: else
525: {
526: this->public.task.build = _build_r;
527: this->public.task.process = _process_r;
528: }
529:
530: return &this->public;
531: }