automatically establish a PSK authenticated SA between cluster nodes
[strongswan.git] / src / charon / plugins / ha_sync / ha_sync_socket.c
1 /*
2 * Copyright (C) 2008-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ha_sync_socket.h"
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <errno.h>
21 #include <unistd.h>
22 #include <pthread.h>
23
24 #include <daemon.h>
25 #include <utils/host.h>
26 #include <processing/jobs/callback_job.h>
27
28 typedef struct private_ha_sync_socket_t private_ha_sync_socket_t;
29 typedef struct ha_backend_t ha_backend_t;
30 typedef struct ha_creds_t ha_creds_t;
31
32 /**
33 * Serves credentials for the HA sync SA
34 */
35 struct ha_creds_t {
36
37 /**
38 * Implements credential_set_t
39 */
40 credential_set_t public;
41
42 /**
43 * own identity
44 */
45 identification_t *local;
46
47 /**
48 * peer identity
49 */
50 identification_t *remote;
51
52 /**
53 * Shared key to serve
54 */
55 shared_key_t *key;
56 };
57
58 /**
59 * Serves configurations for the HA sync SA
60 */
61 struct ha_backend_t {
62
63 /**
64 * Implements backend_t
65 */
66 backend_t public;
67
68 /**
69 * peer config we serve
70 */
71 peer_cfg_t *cfg;
72 };
73
74 /**
75 * Private data of an ha_sync_socket_t object.
76 */
77 struct private_ha_sync_socket_t {
78
79 /**
80 * Public ha_sync_socket_t interface.
81 */
82 ha_sync_socket_t public;
83
84 /**
85 * UDP communication socket fd
86 */
87 int fd;
88
89 /**
90 * remote host to receive/send to
91 */
92 host_t *remote;
93
94 /**
95 * Reqid of installed trap
96 */
97 u_int32_t trap;
98
99 /**
100 * backend for sync SA
101 */
102 ha_backend_t backend;
103
104 /**
105 * credential set for sync SA
106 */
107 ha_creds_t creds;
108 };
109
110 /**
111 * Data to pass to the send_message() callback job
112 */
113 typedef struct {
114 ha_sync_message_t *message;
115 private_ha_sync_socket_t *this;
116 } job_data_t;
117
118 /**
119 * Cleanup job data
120 */
121 static void job_data_destroy(job_data_t *this)
122 {
123 this->message->destroy(this->message);
124 free(this);
125 }
126
127 /**
128 * Callback to asynchronously send messages
129 */
130 static job_requeue_t send_message(job_data_t *data)
131 {
132 private_ha_sync_socket_t *this;
133 chunk_t chunk;
134
135 this = data->this;
136 chunk = data->message->get_encoding(data->message);
137 if (sendto(this->fd, chunk.ptr, chunk.len, 0,
138 this->remote->get_sockaddr(this->remote),
139 *this->remote->get_sockaddr_len(this->remote)) < chunk.len)
140 {
141 DBG1(DBG_CFG, "pushing HA sync message failed: %s", strerror(errno));
142 }
143 return JOB_REQUEUE_NONE;
144 }
145
146 /**
147 * Implementation of ha_sync_socket_t.push
148 */
149 static void push(private_ha_sync_socket_t *this, ha_sync_message_t *message)
150 {
151 if (this->trap)
152 {
153 callback_job_t *job;
154 job_data_t *data;
155
156 data = malloc_thing(job_data_t);
157 data->message = message;
158 data->this = this;
159
160 /* we send sync message asynchronously. This is required, as sendto()
161 * is a blocking call if it acquires a policy. Otherwise we could
162 * end up in a deadlock, as we own an IKE_SA. */
163 job = callback_job_create((callback_job_cb_t)send_message,
164 data, (void*)job_data_destroy, NULL);
165 charon->processor->queue_job(charon->processor, (job_t*)job);
166 }
167 else
168 {
169 job_data_t data;
170
171 data.message = message;
172 data.this = this;
173 send_message(&data);
174 message->destroy(message);
175 }
176 }
177
178 /**
179 * Implementation of ha_sync_socket_t.pull
180 */
181 static ha_sync_message_t *pull(private_ha_sync_socket_t *this)
182 {
183 while (TRUE)
184 {
185 ha_sync_message_t *message;
186 char buf[1024];
187 int oldstate;
188 ssize_t len;
189
190 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
191 len = recvfrom(this->fd, buf, sizeof(buf), 0,
192 this->remote->get_sockaddr(this->remote),
193 this->remote->get_sockaddr_len(this->remote));
194 pthread_setcancelstate(oldstate, NULL);
195 if (len <= 0)
196 {
197 if (errno != EINTR)
198 {
199 DBG1(DBG_CFG, "pulling HA sync message failed: %s",
200 strerror(errno));
201 sleep(1);
202 }
203 continue;
204 }
205 message = ha_sync_message_parse(chunk_create(buf, len));
206 if (message)
207 {
208 return message;
209 }
210 }
211 }
212
213 /**
214 * Implementation of ha_sync_socket_t.is_sync_sa
215 */
216 static bool is_sync_sa(private_ha_sync_socket_t *this, ike_sa_t *ike_sa)
217 {
218 peer_cfg_t *cfg = this->backend.cfg;
219
220 return cfg && ike_sa->get_ike_cfg(ike_sa) == cfg->get_ike_cfg(cfg);
221 }
222
223 /**
224 * Enumerator over HA shared_key
225 */
226 typedef struct {
227 /** Implements enumerator_t */
228 enumerator_t public;
229 /** a single secret we serve */
230 shared_key_t *key;
231 } shared_enum_t;
232
233 /**
234 * Implementation of shared_enum_t.enumerate
235 */
236 static bool shared_enumerate(shared_enum_t *this, shared_key_t **key,
237 id_match_t *me, id_match_t *other)
238 {
239 if (this->key)
240 {
241 if (me)
242 {
243 *me = ID_MATCH_PERFECT;
244 }
245 if (other)
246 {
247 *other = ID_MATCH_PERFECT;
248 }
249 *key = this->key;
250 this->key = NULL;
251 return TRUE;
252 }
253 return FALSE;
254 }
255
256 /**
257 * Implements ha_creds_t.create_shared_enumerator
258 */
259 static enumerator_t* create_shared_enumerator(ha_creds_t *this,
260 shared_key_type_t type, identification_t *me,
261 identification_t *other)
262 {
263 shared_enum_t *enumerator;
264
265 if (type != SHARED_IKE && type != SHARED_ANY)
266 {
267 return NULL;
268 }
269 if (me && !me->equals(me, this->local))
270 {
271 return NULL;
272 }
273 if (other && !other->equals(other, this->remote))
274 {
275 return NULL;
276 }
277
278 enumerator = malloc_thing(shared_enum_t);
279 enumerator->public.enumerate = (void*)shared_enumerate;
280 enumerator->public.destroy = (void*)free;
281 enumerator->key = this->key;
282
283 return &enumerator->public;
284 }
285
286 /**
287 * Implementation of backend_t.create_peer_cfg_enumerator.
288 */
289 static enumerator_t* create_peer_cfg_enumerator(ha_backend_t *this,
290 identification_t *me, identification_t *other)
291 {
292 return enumerator_create_single(this->cfg, NULL);
293 }
294
295 /**
296 * Implementation of backend_t.create_ike_cfg_enumerator.
297 */
298 static enumerator_t* create_ike_cfg_enumerator(ha_backend_t *this,
299 host_t *me, host_t *other)
300 {
301 return enumerator_create_single(this->cfg->get_ike_cfg(this->cfg), NULL);
302 }
303
304 /**
305 * Install configs and a a trap for secured sync
306 */
307 static void setup_sync_tunnel(private_ha_sync_socket_t *this)
308 {
309 char *local, *remote, *secret;
310 peer_cfg_t *peer_cfg;
311 ike_cfg_t *ike_cfg;
312 auth_cfg_t *auth_cfg;
313 child_cfg_t *child_cfg;
314 traffic_selector_t *ts;
315
316 secret = lib->settings->get_str(lib->settings,
317 "charon.plugins.ha_sync.secret", NULL);
318 if (!secret)
319 {
320 DBG1(DBG_CFG, "no HA sync secret defined, using unencrypted sync");
321 return;
322 }
323 local = lib->settings->get_str(lib->settings,
324 "charon.plugins.ha_sync.local", NULL);
325 remote = lib->settings->get_str(lib->settings,
326 "charon.plugins.ha_sync.remote", NULL);
327
328 /* setup credentials */
329 this->creds.key = shared_key_create(SHARED_IKE,
330 chunk_clone(chunk_create(secret, strlen(secret))));
331 this->creds.local = identification_create_from_string(local);
332 this->creds.remote = identification_create_from_string(remote);
333 this->creds.public.create_private_enumerator = (void*)return_null;
334 this->creds.public.create_cert_enumerator = (void*)return_null;
335 this->creds.public.create_shared_enumerator = (void*)create_shared_enumerator;
336 this->creds.public.create_cdp_enumerator = (void*)return_null;
337 this->creds.public.cache_cert = (void*)nop;
338
339 charon->credentials->add_set(charon->credentials, &this->creds.public);
340
341 /* create config and backend */
342 ike_cfg = ike_cfg_create(FALSE, FALSE, local, remote);
343 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
344 peer_cfg = peer_cfg_create("ha-sync", 2, ike_cfg, CERT_NEVER_SEND,
345 UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, 30,
346 NULL, NULL, FALSE, NULL, NULL);
347
348 auth_cfg = auth_cfg_create();
349 auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
350 auth_cfg->add(auth_cfg, AUTH_RULE_IDENTITY,
351 identification_create_from_string(local));
352 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
353
354 auth_cfg = auth_cfg_create();
355 auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
356 auth_cfg->add(auth_cfg, AUTH_RULE_IDENTITY,
357 identification_create_from_string(remote));
358 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
359
360 child_cfg = child_cfg_create("ha-sync", 0, 21600, 1200, FALSE, TRUE,
361 MODE_TRANSPORT, ACTION_NONE, ACTION_NONE, FALSE);
362 ts = traffic_selector_create_dynamic(0, HA_SYNC_PORT, HA_SYNC_PORT);
363 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
364 ts = traffic_selector_create_dynamic(0, HA_SYNC_PORT, HA_SYNC_PORT);
365 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
366 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
367 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
368
369 this->backend.cfg = peer_cfg;
370 this->backend.public.create_peer_cfg_enumerator = (void*)create_peer_cfg_enumerator;
371 this->backend.public.create_ike_cfg_enumerator = (void*)create_ike_cfg_enumerator;
372 this->backend.public.get_peer_cfg_by_name = (void*)return_null;
373
374 charon->backends->add_backend(charon->backends, &this->backend.public);
375
376 /* install an acquiring trap */
377 this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg);
378 }
379
380 /**
381 * read local/remote node address from config
382 */
383 static host_t *get_host_config(char *key)
384 {
385 char *value;
386 host_t *host;
387
388 value = lib->settings->get_str(lib->settings,
389 "charon.plugins.ha_sync.%s", NULL, key);
390 if (!value)
391 {
392 DBG1(DBG_CFG, "no %s node specified for HA sync", key);
393 return NULL;
394 }
395 host = host_create_from_dns(value, 0, HA_SYNC_PORT);
396 if (!host)
397 {
398 DBG1(DBG_CFG, "%s node '%s' is invalid", key, value);
399 }
400 return host;
401 }
402
403 /**
404 * Open and connect the HA sync socket
405 */
406 static bool open_socket(private_ha_sync_socket_t *this)
407 {
408 host_t *local;
409
410 local = get_host_config("local");
411 if (!local)
412 {
413 return FALSE;
414 }
415
416 this->fd = socket(local->get_family(local), SOCK_DGRAM, 0);
417 if (!this->fd)
418 {
419 local->destroy(local);
420 DBG1(DBG_CFG, "opening HA sync socket failed: %s", strerror(errno));
421 return FALSE;
422 }
423
424 if (bind(this->fd, local->get_sockaddr(local),
425 *local->get_sockaddr_len(local)) == -1)
426 {
427 DBG1(DBG_CFG, "binding HA sync socket failed: %s", strerror(errno));
428 close(this->fd);
429 local->destroy(local);
430 return FALSE;
431 }
432 local->destroy(local);
433 return TRUE;
434 }
435
436 /**
437 * Implementation of ha_sync_socket_t.destroy.
438 */
439 static void destroy(private_ha_sync_socket_t *this)
440 {
441 close(this->fd);
442 if (this->backend.cfg)
443 {
444 charon->backends->remove_backend(charon->backends, &this->backend.public);
445 this->backend.cfg->destroy(this->backend.cfg);
446 }
447 if (this->creds.key)
448 {
449 charon->credentials->remove_set(charon->credentials, &this->creds.public);
450 this->creds.key->destroy(this->creds.key);
451 }
452 DESTROY_IF(this->creds.local);
453 DESTROY_IF(this->creds.remote);
454 DESTROY_IF(this->remote);
455 if (this->trap)
456 {
457 charon->traps->uninstall(charon->traps, this->trap);
458 }
459 free(this);
460 }
461
462 /**
463 * See header
464 */
465 ha_sync_socket_t *ha_sync_socket_create()
466 {
467 private_ha_sync_socket_t *this = malloc_thing(private_ha_sync_socket_t);
468
469 this->public.push = (void(*)(ha_sync_socket_t*, ha_sync_message_t*))push;
470 this->public.pull = (ha_sync_message_t*(*)(ha_sync_socket_t*))pull;
471 this->public.is_sync_sa = (bool(*)(ha_sync_socket_t*, ike_sa_t *ike_sa))is_sync_sa;
472 this->public.destroy = (void(*)(ha_sync_socket_t*))destroy;
473
474 this->remote = get_host_config("remote");
475 if (!this->remote)
476 {
477 free(this);
478 return NULL;
479 }
480 this->trap = 0;
481 this->creds.key = NULL;
482 this->creds.local = NULL;
483 this->creds.remote = NULL;
484 this->backend.cfg = NULL;
485
486 setup_sync_tunnel(this);
487
488 if (!open_socket(this))
489 {
490 free(this);
491 return NULL;
492 }
493
494 return &this->public;
495 }
496