charon-cmd: add --local/remote-ts options to set traffic selectors
[strongswan.git] / src / charon-cmd / cmd / cmd_connection.c
1 /*
2 * Copyright (C) 2013 Martin Willi
3 * Copyright (C) 2013 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "cmd_connection.h"
17
18 #include <signal.h>
19 #include <unistd.h>
20
21 #include <utils/debug.h>
22 #include <processing/jobs/callback_job.h>
23 #include <daemon.h>
24
25 typedef struct private_cmd_connection_t private_cmd_connection_t;
26
27 /**
28 * Private data of an cmd_connection_t object.
29 */
30 struct private_cmd_connection_t {
31
32 /**
33 * Public cmd_connection_t interface.
34 */
35 cmd_connection_t public;
36
37 /**
38 * Process ID to terminate on failure
39 */
40 pid_t pid;
41
42 /**
43 * List of local traffic selectors
44 */
45 linked_list_t *local_ts;
46
47 /**
48 * List of remote traffic selectors
49 */
50 linked_list_t *remote_ts;
51
52 /**
53 * Hostname to connect to
54 */
55 char *host;
56
57 /**
58 * Local identity
59 */
60 char *identity;
61
62 /**
63 * Is a private key configured
64 */
65 bool key_seen;
66 };
67
68 /**
69 * Shut down application
70 */
71 static void terminate(private_cmd_connection_t *this)
72 {
73 kill(this->pid, SIGUSR1);
74 }
75
76 /**
77 * Create peer config with associated ike config
78 */
79 static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
80 {
81 ike_cfg_t *ike_cfg;
82 peer_cfg_t *peer_cfg;
83 u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
84
85 local_port = charon->socket->get_port(charon->socket, FALSE);
86 if (local_port != IKEV2_UDP_PORT)
87 {
88 remote_port = IKEV2_NATT_PORT;
89 }
90 ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE, local_port,
91 this->host, FALSE, remote_port, FRAGMENTATION_NO, 0);
92 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
93 peer_cfg = peer_cfg_create("cmd", ike_cfg,
94 CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
95 36000, 0, /* rekey 10h, reauth none */
96 600, 600, /* jitter, over 10min */
97 TRUE, FALSE, /* mobike, aggressive */
98 30, 0, /* DPD delay, timeout */
99 FALSE, NULL, NULL); /* mediation */
100 peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
101
102 return peer_cfg;
103 }
104
105 /**
106 * Attach authentication configs to peer config
107 */
108 static void add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
109 {
110 auth_cfg_t *auth;
111 auth_class_t class;
112
113 if (this->key_seen)
114 {
115 class = AUTH_CLASS_PUBKEY;
116 }
117 else
118 {
119 class = AUTH_CLASS_EAP;
120 }
121 auth = auth_cfg_create();
122 auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
123 auth->add(auth, AUTH_RULE_IDENTITY,
124 identification_create_from_string(this->identity));
125 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
126
127 auth = auth_cfg_create();
128
129 auth->add(auth, AUTH_RULE_IDENTITY,
130 identification_create_from_string(this->host));
131 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
132 }
133
134 /**
135 * Attach child config to peer config
136 */
137 static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
138 {
139 child_cfg_t *child_cfg;
140 traffic_selector_t *ts;
141 lifetime_cfg_t lifetime = {
142 .time = {
143 .life = 10800 /* 3h */,
144 .rekey = 10200 /* 2h50min */,
145 .jitter = 300 /* 5min */
146 }
147 };
148
149 child_cfg = child_cfg_create("cmd", &lifetime,
150 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
151 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
152 0, 0, NULL, NULL, 0);
153 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
154 while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
155 {
156 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
157 }
158 if (this->remote_ts->get_count(this->remote_ts) == 0)
159 {
160 /* add a 0.0.0.0/0 TS for remote side if none given */
161 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
162 "0.0.0.0", 0, "255.255.255.255", 65535);
163 this->remote_ts->insert_last(this->remote_ts, ts);
164 }
165 while (this->remote_ts->remove_first(this->remote_ts,
166 (void**)&ts) == SUCCESS)
167 {
168 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
169 }
170
171 return child_cfg;
172 }
173
174 /**
175 * Initiate the configured connection
176 */
177 static job_requeue_t initiate(private_cmd_connection_t *this)
178 {
179 peer_cfg_t *peer_cfg;
180 child_cfg_t *child_cfg;
181
182 if (!this->host)
183 {
184 DBG1(DBG_CFG, "unable to initiate, missing --host option");
185 terminate(this);
186 return JOB_REQUEUE_NONE;
187 }
188 if (!this->identity)
189 {
190 DBG1(DBG_CFG, "unable to initiate, missing --identity option");
191 terminate(this);
192 return JOB_REQUEUE_NONE;
193 }
194
195 peer_cfg = create_peer_cfg(this);
196
197 add_auth_cfgs(this, peer_cfg);
198
199 child_cfg = create_child_cfg(this);
200 peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
201
202 if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
203 controller_cb_empty, NULL, 0) != SUCCESS)
204 {
205 terminate(this);
206 }
207 return JOB_REQUEUE_NONE;
208 }
209
210 /**
211 * Create a traffic selector from string, add to list
212 */
213 static void add_ts(private_cmd_connection_t *this,
214 linked_list_t *list, char *string)
215 {
216 traffic_selector_t *ts;
217
218 ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
219 if (!ts)
220 {
221 DBG1(DBG_CFG, "invalid traffic selector: %s", string);
222 exit(1);
223 }
224 list->insert_last(list, ts);
225 }
226
227 METHOD(cmd_connection_t, handle, bool,
228 private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
229 {
230 switch (opt)
231 {
232 case CMD_OPT_HOST:
233 this->host = arg;
234 break;
235 case CMD_OPT_IDENTITY:
236 this->identity = arg;
237 break;
238 case CMD_OPT_RSA:
239 this->key_seen = TRUE;
240 break;
241 case CMD_OPT_LOCAL_TS:
242 add_ts(this, this->local_ts, arg);
243 break;
244 case CMD_OPT_REMOTE_TS:
245 add_ts(this, this->remote_ts, arg);
246 break;
247 default:
248 return FALSE;
249 }
250 return TRUE;
251 }
252
253 METHOD(cmd_connection_t, destroy, void,
254 private_cmd_connection_t *this)
255 {
256 this->local_ts->destroy_offset(this->local_ts,
257 offsetof(traffic_selector_t, destroy));
258 this->remote_ts->destroy_offset(this->remote_ts,
259 offsetof(traffic_selector_t, destroy));
260 free(this);
261 }
262
263 /**
264 * See header
265 */
266 cmd_connection_t *cmd_connection_create()
267 {
268 private_cmd_connection_t *this;
269
270 INIT(this,
271 .public = {
272 .handle = _handle,
273 .destroy = _destroy,
274 },
275 .pid = getpid(),
276 .local_ts = linked_list_create(),
277 .remote_ts = linked_list_create(),
278 );
279
280 /* always include the virtual IP in traffic selector list */
281 this->local_ts->insert_last(this->local_ts,
282 traffic_selector_create_dynamic(0, 0, 65535));
283
284 /* queue job, gets initiated as soon as we are up and running */
285 lib->processor->queue_job(lib->processor,
286 (job_t*)callback_job_create_with_prio(
287 (callback_job_cb_t)initiate, this, NULL,
288 (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
289
290 return &this->public;
291 }