charon-cmd: authenticate with EAP if no private key is given
[strongswan.git] / src / charon-cmd / cmd / cmd_connection.c
1 /*
2 * Copyright (C) 2013 Martin Willi
3 * Copyright (C) 2013 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "cmd_connection.h"
17
18 #include <signal.h>
19 #include <unistd.h>
20
21 #include <utils/debug.h>
22 #include <processing/jobs/callback_job.h>
23 #include <daemon.h>
24
25 typedef struct private_cmd_connection_t private_cmd_connection_t;
26
27 /**
28 * Private data of an cmd_connection_t object.
29 */
30 struct private_cmd_connection_t {
31
32 /**
33 * Public cmd_connection_t interface.
34 */
35 cmd_connection_t public;
36
37 /**
38 * Process ID to terminate on failure
39 */
40 pid_t pid;
41
42 /**
43 * Hostname to connect to
44 */
45 char *host;
46
47 /**
48 * Local identity
49 */
50 char *identity;
51
52 /**
53 * Is a private key configured
54 */
55 bool key_seen;
56 };
57
58 /**
59 * Shut down application
60 */
61 static void terminate(private_cmd_connection_t *this)
62 {
63 kill(this->pid, SIGUSR1);
64 }
65
66 /**
67 * Create peer config with associated ike config
68 */
69 static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
70 {
71 ike_cfg_t *ike_cfg;
72 peer_cfg_t *peer_cfg;
73 u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
74
75 local_port = charon->socket->get_port(charon->socket, FALSE);
76 if (local_port != IKEV2_UDP_PORT)
77 {
78 remote_port = IKEV2_NATT_PORT;
79 }
80 ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE, local_port,
81 this->host, FALSE, remote_port, FRAGMENTATION_NO, 0);
82 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
83 peer_cfg = peer_cfg_create("cmd", ike_cfg,
84 CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
85 36000, 0, /* rekey 10h, reauth none */
86 600, 600, /* jitter, over 10min */
87 TRUE, FALSE, /* mobike, aggressive */
88 30, 0, /* DPD delay, timeout */
89 FALSE, NULL, NULL); /* mediation */
90 peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
91
92 return peer_cfg;
93 }
94
95 /**
96 * Attach authentication configs to peer config
97 */
98 static void add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
99 {
100 auth_cfg_t *auth;
101 auth_class_t class;
102
103 if (this->key_seen)
104 {
105 class = AUTH_CLASS_PUBKEY;
106 }
107 else
108 {
109 class = AUTH_CLASS_EAP;
110 }
111 auth = auth_cfg_create();
112 auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
113 auth->add(auth, AUTH_RULE_IDENTITY,
114 identification_create_from_string(this->identity));
115 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
116
117 auth = auth_cfg_create();
118
119 auth->add(auth, AUTH_RULE_IDENTITY,
120 identification_create_from_string(this->host));
121 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
122 }
123
124 /**
125 * Attach child config to peer config
126 */
127 static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
128 {
129 child_cfg_t *child_cfg;
130 traffic_selector_t *ts;
131 lifetime_cfg_t lifetime = {
132 .time = {
133 .life = 10800 /* 3h */,
134 .rekey = 10200 /* 2h50min */,
135 .jitter = 300 /* 5min */
136 }
137 };
138
139 child_cfg = child_cfg_create("cmd", &lifetime,
140 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
141 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
142 0, 0, NULL, NULL, 0);
143 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
144 ts = traffic_selector_create_dynamic(0, 0, 65535);
145 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
146 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
147 "0.0.0.0", 0, "255.255.255.255", 65535);
148 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
149
150 return child_cfg;
151 }
152
153 /**
154 * Initiate the configured connection
155 */
156 static job_requeue_t initiate(private_cmd_connection_t *this)
157 {
158 peer_cfg_t *peer_cfg;
159 child_cfg_t *child_cfg;
160
161 if (!this->host)
162 {
163 DBG1(DBG_CFG, "unable to initiate, missing --host option");
164 terminate(this);
165 return JOB_REQUEUE_NONE;
166 }
167 if (!this->identity)
168 {
169 DBG1(DBG_CFG, "unable to initiate, missing --identity option");
170 terminate(this);
171 return JOB_REQUEUE_NONE;
172 }
173
174 peer_cfg = create_peer_cfg(this);
175
176 add_auth_cfgs(this, peer_cfg);
177
178 child_cfg = create_child_cfg(this);
179 peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
180
181 if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
182 controller_cb_empty, NULL, 0) != SUCCESS)
183 {
184 terminate(this);
185 }
186 return JOB_REQUEUE_NONE;
187 }
188
189 METHOD(cmd_connection_t, handle, bool,
190 private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
191 {
192 switch (opt)
193 {
194 case CMD_OPT_HOST:
195 this->host = arg;
196 break;
197 case CMD_OPT_IDENTITY:
198 this->identity = arg;
199 break;
200 case CMD_OPT_RSA:
201 this->key_seen = TRUE;
202 break;
203 default:
204 return FALSE;
205 }
206 return TRUE;
207 }
208
209 METHOD(cmd_connection_t, destroy, void,
210 private_cmd_connection_t *this)
211 {
212 free(this);
213 }
214
215 /**
216 * See header
217 */
218 cmd_connection_t *cmd_connection_create()
219 {
220 private_cmd_connection_t *this;
221
222 INIT(this,
223 .public = {
224 .handle = _handle,
225 .destroy = _destroy,
226 },
227 .pid = getpid(),
228 );
229
230 /* queue job, gets initiated as soon as we are up and running */
231 lib->processor->queue_job(lib->processor,
232 (job_t*)callback_job_create_with_prio(
233 (callback_job_cb_t)initiate, this, NULL,
234 (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
235
236 return &this->public;
237 }