projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- config pkg
[strongswan.git] / Source / charon / config / configuration_manager.c
1 /**
2 * @file configuration.c
3 *
4 * @brief Configuration class used to store IKE_SA-configurations.
5 *
6 * Object of this type represents the configuration for all IKE_SA's and their child_sa's.
7 *
8 */
9
10 /*
11 * Copyright (C) 2005 Jan Hutter, Martin Willi
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <stdlib.h>
26
27 #include "configuration_manager.h"
28
29 #include <types.h>
30 #include <globals.h>
31 #include <utils/allocator.h>
32 #include <encoding/payloads/nonce_payload.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <encoding/payloads/ke_payload.h>
35 #include <encoding/payloads/transform_attribute.h>
36
37 /**
38 * Private data of an configuration_t object
39 */
40 typedef struct private_configuration_manager_s private_configuration_manager_t;
41
42 struct private_configuration_manager_s {
43
44 /**
45 * Public part
46 */
47 configuration_manager_t public;
48
49 /**
50 * Assigned logger object
51 */
52 logger_t *logger;
53 };
54
55 /**
56 * Implements function configuration_manager_t.get_remote_host.
57 */
58 static status_t get_remote_host(private_configuration_manager_t *this, char *name, host_t **host)
59 {
60 /*
61 * For testing purposes, hard coded host informations for two configurations are returned.
62 *
63 * Further improvements could store them in a linked list or hash table.
64 */
65
66 host_t *remote;
67 status_t status = SUCCESS;
68
69 if (strcmp(name, "pinflb30") == 0)
70 {
71 remote = host_create(AF_INET, "152.96.193.130", 500);
72 }
73 else if (strcmp(name, "pinflb31") == 0)
74 {
75 remote = host_create(AF_INET, "152.96.193.131", 500);
76 }
77 else
78 {
79 status = NOT_FOUND;
80 }
81 if ((status != NOT_FOUND) && (remote == NULL))
82 {
83 return OUT_OF_RES;
84 }
85
86 *host = remote;
87 return status;
88 }
89
90 /**
91 * Implements function configuration_manager_t.get_local_host.
92 */
93 static status_t get_local_host(private_configuration_manager_t *this, char *name, host_t **host)
94 {
95 /*
96 * For testing purposes, only the default route is returned for each configuration.
97 *
98 * Further improvements could store different local host informations in a linked list or hash table.
99 */
100 host_t *local;
101 local = host_create(AF_INET, "0.0.0.0", 0);
102 if (local == NULL)
103 {
104 return OUT_OF_RES;
105 }
106 *host = local;
107 return SUCCESS;
108 }
109
110 /**
111 * Implements function configuration_manager_t.get_dh_group_number.
112 */
113 static status_t get_dh_group_number(private_configuration_manager_t *this,char *name, u_int16_t *dh_group_number, u_int16_t priority)
114 {
115 /* Currently only two dh_group_numbers are supported for each configuration*/
116
117 if (priority == 1)
118 {
119 *dh_group_number = MODP_1024_BIT;
120 }
121 else
122 {
123 *dh_group_number = MODP_768_BIT;
124 }
125 return SUCCESS;
126 }
127
128 /**
129 * Implements function configuration_manager_t.get_proposals_for_host.
130 */
131 static status_t get_proposals_for_host(private_configuration_manager_t *this, host_t *host, linked_list_iterator_t *iterator)
132 {
133 /*
134 * Currently the following hard coded proposal is created and returned for all hosts:
135 * - ENCR_AES_CBC 128Bit
136 * - PRF_HMAC_MD5 128Bit
137 * - AUTH_HMAC_MD5_96 128Bit
138 * - MODP_1024_BIT
139 */
140 proposal_substructure_t *proposal;
141 transform_substructure_t *transform;
142 transform_attribute_t *attribute;
143 status_t status;
144
145 proposal = proposal_substructure_create();
146 if (proposal == NULL)
147 {
148 return OUT_OF_RES;
149 }
150
151 proposal->set_proposal_number(proposal, 1);
152 proposal->set_protocol_id(proposal, 1);
153
154 /*
155 * Encryption Algorithm
156 */
157 transform = transform_substructure_create();
158 if (transform == NULL)
159 {
160 proposal->destroy(proposal);
161 return OUT_OF_RES;
162 }
163 status = proposal->add_transform_substructure(proposal, transform);
164 if (status != SUCCESS)
165 {
166 proposal->destroy(proposal);
167 return OUT_OF_RES;
168 }
169 transform->set_transform_type(transform, ENCRYPTION_ALGORITHM);
170 transform->set_transform_id(transform, ENCR_AES_CBC);
171
172 attribute = transform_attribute_create();
173 if (attribute == NULL)
174 {
175 proposal->destroy(proposal);
176 return OUT_OF_RES;
177 }
178 status = transform->add_transform_attribute(transform, attribute);
179 if (status != SUCCESS)
180 {
181 proposal->destroy(proposal);
182 return OUT_OF_RES;
183 }
184 attribute->set_attribute_type(attribute, KEY_LENGTH);
185 attribute->set_value(attribute, 16);
186
187 /*
188 * Pseudo-random Function
189 */
190 transform = transform_substructure_create();
191 if (transform == NULL)
192 {
193 proposal->destroy(proposal);
194 return OUT_OF_RES;
195 }
196 status = proposal->add_transform_substructure(proposal, transform);
197 if (status != SUCCESS)
198 {
199 proposal->destroy(proposal);
200 return OUT_OF_RES;
201 }
202 transform->set_transform_type(transform, PSEUDO_RANDOM_FUNCTION);
203 transform->set_transform_id(transform, PRF_HMAC_MD5);
204
205 attribute = transform_attribute_create();
206 if (attribute == NULL)
207 {
208 proposal->destroy(proposal);
209 return OUT_OF_RES;
210 }
211 status = transform->add_transform_attribute(transform, attribute);
212 if (status != SUCCESS)
213 {
214 proposal->destroy(proposal);
215 return OUT_OF_RES;
216 }
217 attribute->set_attribute_type(attribute, KEY_LENGTH);
218 attribute->set_value(attribute, 16);
219
220
221 /*
222 * Integrity Algorithm
223 */
224 transform = transform_substructure_create();
225 if (transform == NULL)
226 {
227 proposal->destroy(proposal);
228 return OUT_OF_RES;
229 }
230 status = proposal->add_transform_substructure(proposal, transform);
231 if (status != SUCCESS)
232 {
233 proposal->destroy(proposal);
234 return OUT_OF_RES;
235 }
236 transform->set_transform_type(transform, INTEGRITIY_ALGORITHM);
237 transform->set_transform_id(transform, AUTH_HMAC_MD5_96);
238
239 attribute = transform_attribute_create();
240 if (attribute == NULL)
241 {
242 proposal->destroy(proposal);
243 return OUT_OF_RES;
244 }
245 status = transform->add_transform_attribute(transform, attribute);
246 if (status != SUCCESS)
247 {
248 proposal->destroy(proposal);
249 return OUT_OF_RES;
250 }
251 attribute->set_attribute_type(attribute, KEY_LENGTH);
252 attribute->set_value(attribute, 16);
253
254
255 /*
256 * Diffie-Hellman Group
257 */
258 transform = transform_substructure_create();
259 if (transform == NULL)
260 {
261 proposal->destroy(proposal);
262 return OUT_OF_RES;
263 }
264 status = proposal->add_transform_substructure(proposal, transform);
265 if (status != SUCCESS)
266 {
267 proposal->destroy(proposal);
268 return OUT_OF_RES;
269 }
270 transform->set_transform_type(transform, DIFFIE_HELLMAN_GROUP);
271 transform->set_transform_id(transform, MODP_1024_BIT);
272
273 iterator->insert_after(iterator, (void*)proposal);
274
275 return SUCCESS;
276 }
277
278 /**
279 * Implements function configuration_manager_t.select_proposals_for_host.
280 */
281 static status_t select_proposals_for_host(private_configuration_manager_t *this, host_t *host, linked_list_iterator_t *in, linked_list_iterator_t *out)
282 {
283 /* Currently the first suggested proposal is selected, cloned and then returned*/
284 status_t status;
285 proposal_substructure_t *first_suggested_proposal;
286 proposal_substructure_t *selected_proposal;
287
288 this->logger->log(this->logger,CONTROL | MORE, "Going to select first suggested proposal");
289 if (!in->has_next(in))
290 {
291 this->logger->log(this->logger,ERROR | MORE, "No proposal suggested");
292 /* no suggested proposal! */
293 return FAILED;
294 }
295
296 status = in->current(in,(void **) &first_suggested_proposal);
297 if (status != SUCCESS)
298 {
299 this->logger->log(this->logger,ERROR, "Fatal error: could not get first proposal from iterator");
300 return status;
301 }
302 status = first_suggested_proposal->clone(first_suggested_proposal,&selected_proposal);
303 if (status != SUCCESS)
304 {
305 this->logger->log(this->logger,ERROR, "Fatal error: could not clone proposal");
306 /* could not clone proposal */
307 return status;
308 }
309
310 status = out->insert_after(out,selected_proposal);
311 if (status != SUCCESS)
312 {
313 this->logger->log(this->logger,ERROR, "Fatal error: could not insert selected proposal in out iterator");
314 }
315 return status;
316 }
317
318 /**
319 * Implements function configuration_manager_t.get_transforms_for_host_and_proposals.
320 */
321 static status_t get_transforms_for_host_and_proposals (private_configuration_manager_t *this, host_t *host, linked_list_iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm)
322 {
323 /*
324 * Currently the given proposals are not checked if they are valid for specific host!
325 *
326 * The first proposal is taken and the appropriate transform objects are created (only if they are supported)
327 */
328
329 encryption_algorithm_t selected_encryption_algorithm = ENCR_UNDEFINED;
330 pseudo_random_function_t selected_pseudo_random_function = PRF_UNDEFINED;
331 integrity_algorithm_t selected_integrity_algorithm = AUTH_UNDEFINED;
332 proposal_substructure_t *proposal;
333 linked_list_iterator_t *transforms;
334 status_t status;
335
336 this->logger->log(this->logger,ERROR, "Going to get transforms for given proposal");
337
338 if (!proposals->has_next(proposals))
339 {
340 this->logger->log(this->logger,ERROR | MORE, "No proposal available");
341 return FAILED;
342 }
343
344 status = proposals->current(proposals,(void **) &(proposal));
345 if (status != SUCCESS)
346 {
347 this->logger->log(this->logger,ERROR, "Fatal error: could not get first proposal from iterator");
348 return status;
349 }
350
351 status = proposal->create_transform_substructure_iterator(proposal,&transforms,TRUE);
352 if (status != SUCCESS)
353 {
354 this->logger->log(this->logger,ERROR, "Fatal error: could not create iterator of transforms");
355 return status;
356 }
357
358 while (transforms->has_next(transforms))
359 {
360 transform_substructure_t *current_transform;
361 transform_type_t transform_type;
362 u_int16_t transform_id;
363
364 status = transforms->current(transforms,(void **) &(current_transform));
365 if (status != SUCCESS)
366 {
367 this->logger->log(this->logger,ERROR, "Fatal error: could not get current transform substructure object");
368 transforms->destroy(transforms);
369 return status;
370 }
371
372 transform_type = current_transform->get_transform_type(current_transform);
373 transform_id = current_transform->get_transform_id(current_transform);
374
375 this->logger->log(this->logger,CONTROL | MOST, "Going to process transform of type %s",mapping_find(transform_type_m,transform_type));
376 switch (transform_type)
377 {
378 case ENCRYPTION_ALGORITHM:
379 {
380 this->logger->log(this->logger,CONTROL | MORE, "Encryption algorithm: %s",mapping_find(encryption_algorithm_m,transform_id));
381 selected_encryption_algorithm = transform_id;
382 break;
383 }
384 case PSEUDO_RANDOM_FUNCTION:
385 {
386 this->logger->log(this->logger,CONTROL | MORE, "Create transform object for PRF of type %s",mapping_find(pseudo_random_function_m,transform_id));
387 selected_pseudo_random_function = transform_id;
388 break;
389 }
390 case INTEGRITIY_ALGORITHM:
391 {
392 this->logger->log(this->logger,CONTROL | MORE, "Integrity algorithm: %s",mapping_find(integrity_algorithm_m,transform_id));
393 selected_integrity_algorithm = transform_id;
394 break;
395 }
396 case DIFFIE_HELLMAN_GROUP:
397 {
398 this->logger->log(this->logger,CONTROL | MORE, "DH Group: %s",mapping_find(diffie_hellman_group_m,transform_id));
399 break;
400 }
401 default:
402 {
403 this->logger->log(this->logger,ERROR | MORE, "Transform type not supported!");
404 transforms->destroy(transforms);
405 return FAILED;
406 }
407 }
408 }
409
410 transforms->destroy(transforms);
411
412 *encryption_algorithm = selected_encryption_algorithm;
413 *pseudo_random_function = selected_pseudo_random_function;
414 *integrity_algorithm = selected_integrity_algorithm;
415 return SUCCESS;
416 }
417
418 /**
419 * Implements function configuration_manager_t.is_dh_group_allowed_for_host.
420 */
421 static status_t is_dh_group_allowed_for_host(private_configuration_manager_t *this, host_t *host, diffie_hellman_group_t group, bool *allowed)
422 {
423 /*
424 * Only the two DH groups 768 and 1024 are supported for each configuration
425 */
426
427 if (group == MODP_768_BIT || group == MODP_1024_BIT)
428 {
429 *allowed = TRUE;
430 }
431 *allowed = FALSE;
432
433 this->logger->log(this->logger,CONTROL | MORE, "DH group %s is %s",mapping_find(diffie_hellman_group_m, group),(allowed)? "allowed" : "not allowed");
434 return SUCCESS;
435 }
436
437
438 /**
439 * Implements function destroy of configuration_t.
440 * See #configuration_s.destroy for description.
441 */
442 static status_t destroy(private_configuration_manager_t *this)
443 {
444 this->logger->log(this->logger,CONTROL | MORE, "Going to destroy configuration manager ");
445
446 this->logger->log(this->logger,CONTROL | MOST, "Destroy assigned logger");
447 global_logger_manager->destroy_logger(global_logger_manager,this->logger);
448 allocator_free(this);
449 return SUCCESS;
450 }
451
452 /*
453 * Described in header-file
454 */
455 configuration_manager_t *configuration_manager_create()
456 {
457 private_configuration_manager_t *this = allocator_alloc_thing(private_configuration_manager_t);
458
459 if (this == NULL)
460 {
461 return NULL;
462 }
463
464 /* public functions */
465 this->public.destroy = (status_t(*)(configuration_manager_t*))destroy;
466 this->public.get_remote_host = (status_t(*)(configuration_manager_t*,char*,host_t**))get_remote_host;
467 this->public.get_local_host = (status_t(*)(configuration_manager_t*,char*,host_t**))get_local_host;
468 this->public.get_dh_group_number = (status_t(*)(configuration_manager_t*,char*,u_int16_t *, u_int16_t))get_dh_group_number;
469 this->public.get_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,linked_list_iterator_t*))get_proposals_for_host;
470 this->public.select_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,linked_list_iterator_t*,linked_list_iterator_t*))select_proposals_for_host;
471 this->public.get_transforms_for_host_and_proposals = (status_t (*) (configuration_manager_t *, host_t *, linked_list_iterator_t *,encryption_algorithm_t *,pseudo_random_function_t *, integrity_algorithm_t *)) get_transforms_for_host_and_proposals;
472 this->public.is_dh_group_allowed_for_host = (status_t(*)(configuration_manager_t*,host_t*,diffie_hellman_group_t,bool*)) is_dh_group_allowed_for_host;
473
474 /* private variables */
475 this->logger = global_logger_manager->create_logger(global_logger_manager,CONFIGURATION_MANAGER,NULL);
476
477 if (this->logger == NULL)
478 {
479 allocator_free(this);
480 return NULL;
481 }
482
483 return (&this->public);
484 }
strongSwan - IPsec VPN