src/charon-cmd/cmd/cmd_connection.c

   1 /*
   2  * Copyright (C) 2013 Martin Willi
   3  * Copyright (C) 2013 revosec AG
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 #include "cmd_connection.h"
  17
  18 #include <signal.h>
  19 #include <unistd.h>
  20
  21 #include <utils/debug.h>
  22 #include <processing/jobs/callback_job.h>
  23 #include <daemon.h>
  24
  25 typedef struct private_cmd_connection_t private_cmd_connection_t;
  26
  27 /**
  28  * Private data of an cmd_connection_t object.
  29  */
  30 struct private_cmd_connection_t {
  31
  32         /**
  33          * Public cmd_connection_t interface.
  34          */
  35         cmd_connection_t public;
  36
  37         /**
  38          * Process ID to terminate on failure
  39          */
  40         pid_t pid;
  41
  42         /**
  43          * Hostname to connect to
  44          */
  45         char *host;
  46
  47         /**
  48          * Local identity
  49          */
  50         char *identity;
  51
  52         /**
  53          * Is a private key configured
  54          */
  55         bool key_seen;
  56 };
  57
  58 /**
  59  * Shut down application
  60  */
  61 static void terminate(private_cmd_connection_t *this)
  62 {
  63         kill(this->pid, SIGUSR1);
  64 }
  65
  66 /**
  67  * Create peer config with associated ike config
  68  */
  69 static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
  70 {
  71         ike_cfg_t *ike_cfg;
  72         peer_cfg_t *peer_cfg;
  73         u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
  74
  75         local_port = charon->socket->get_port(charon->socket, FALSE);
  76         if (local_port != IKEV2_UDP_PORT)
  77         {
  78                 remote_port = IKEV2_NATT_PORT;
  79         }
  80         ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE, local_port,
  81                                         this->host, FALSE, remote_port, FRAGMENTATION_NO, 0);
  82         ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
  83         peer_cfg = peer_cfg_create("cmd", ike_cfg,
  84                                         CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
  85                                         36000, 0, /* rekey 10h, reauth none */
  86                                         600, 600, /* jitter, over 10min */
  87                                         TRUE, FALSE, /* mobike, aggressive */
  88                                         30, 0, /* DPD delay, timeout */
  89                                         FALSE, NULL, NULL); /* mediation */
  90         peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
  91
  92         return peer_cfg;
  93 }
  94
  95 /**
  96  * Attach authentication configs to peer config
  97  */
  98 static void add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
  99 {
 100         auth_cfg_t *auth;
 101         auth_class_t class;
 102
 103         if (this->key_seen)
 104         {
 105                 class = AUTH_CLASS_PUBKEY;
 106         }
 107         else
 108         {
 109                 class = AUTH_CLASS_EAP;
 110         }
 111         auth = auth_cfg_create();
 112         auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
 113         auth->add(auth, AUTH_RULE_IDENTITY,
 114                           identification_create_from_string(this->identity));
 115         peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
 116
 117         auth = auth_cfg_create();
 118
 119         auth->add(auth, AUTH_RULE_IDENTITY,
 120                           identification_create_from_string(this->host));
 121         peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 122 }
 123
 124 /**
 125  * Attach child config to peer config
 126  */
 127 static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
 128 {
 129         child_cfg_t *child_cfg;
 130         traffic_selector_t *ts;
 131         lifetime_cfg_t lifetime = {
 132                 .time = {
 133                         .life = 10800 /* 3h */,
 134                         .rekey = 10200 /* 2h50min */,
 135                         .jitter = 300 /* 5min */
 136                 }
 137         };
 138
 139         child_cfg = child_cfg_create("cmd", &lifetime,
 140                                                                  NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
 141                                                                  ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
 142                                                                  0, 0, NULL, NULL, 0);
 143         child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 144         ts = traffic_selector_create_dynamic(0, 0, 65535);
 145         child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 146         ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
 147                                                                         "0.0.0.0", 0, "255.255.255.255", 65535);
 148         child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 149
 150         return child_cfg;
 151 }
 152
 153 /**
 154  * Initiate the configured connection
 155  */
 156 static job_requeue_t initiate(private_cmd_connection_t *this)
 157 {
 158         peer_cfg_t *peer_cfg;
 159         child_cfg_t *child_cfg;
 160
 161         if (!this->host)
 162         {
 163                 DBG1(DBG_CFG, "unable to initiate, missing --host option");
 164                 terminate(this);
 165                 return JOB_REQUEUE_NONE;
 166         }
 167         if (!this->identity)
 168         {
 169                 DBG1(DBG_CFG, "unable to initiate, missing --identity option");
 170                 terminate(this);
 171                 return JOB_REQUEUE_NONE;
 172         }
 173
 174         peer_cfg = create_peer_cfg(this);
 175
 176         add_auth_cfgs(this, peer_cfg);
 177
 178         child_cfg = create_child_cfg(this);
 179         peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
 180
 181         if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
 182                                                                          controller_cb_empty, NULL, 0) != SUCCESS)
 183         {
 184                 terminate(this);
 185         }
 186         return JOB_REQUEUE_NONE;
 187 }
 188
 189 METHOD(cmd_connection_t, handle, bool,
 190         private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
 191 {
 192         switch (opt)
 193         {
 194                 case CMD_OPT_HOST:
 195                         this->host = arg;
 196                         break;
 197                 case CMD_OPT_IDENTITY:
 198                         this->identity = arg;
 199                         break;
 200                 case CMD_OPT_RSA:
 201                         this->key_seen = TRUE;
 202                         break;
 203                 default:
 204                         return FALSE;
 205         }
 206         return TRUE;
 207 }
 208
 209 METHOD(cmd_connection_t, destroy, void,
 210         private_cmd_connection_t *this)
 211 {
 212         free(this);
 213 }
 214
 215 /**
 216  * See header
 217  */
 218 cmd_connection_t *cmd_connection_create()
 219 {
 220         private_cmd_connection_t *this;
 221
 222         INIT(this,
 223                 .public = {
 224                         .handle = _handle,
 225                         .destroy = _destroy,
 226                 },
 227                 .pid = getpid(),
 228         );
 229
 230         /* queue job, gets initiated as soon as we are up and running */
 231         lib->processor->queue_job(lib->processor,
 232                 (job_t*)callback_job_create_with_prio(
 233                         (callback_job_cb_t)initiate, this, NULL,
 234                         (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 235
 236         return &this->public;
 237 }