projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
some NEWS
[strongswan.git] / src / charon / plugins / medcli / medcli_config.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #define _GNU_SOURCE
19 #include <string.h>
20
21 #include "medcli_config.h"
22
23 #include <daemon.h>
24 #include <processing/jobs/callback_job.h>
25
26 typedef struct private_medcli_config_t private_medcli_config_t;
27
28 /**
29 * Private data of an medcli_config_t object
30 */
31 struct private_medcli_config_t {
32
33 /**
34 * Public part
35 */
36 medcli_config_t public;
37
38 /**
39 * database connection
40 */
41 database_t *db;
42
43 /**
44 * rekey time
45 */
46 int rekey;
47
48 /**
49 * dpd delay
50 */
51 int dpd;
52
53 /**
54 * default ike config
55 */
56 ike_cfg_t *ike;
57 };
58
59 /**
60 * create a traffic selector from a CIDR notation string
61 */
62 static traffic_selector_t *ts_from_string(char *str)
63 {
64 if (str)
65 {
66 int netbits = 32;
67 host_t *net;
68 char *pos;
69
70 str = strdupa(str);
71 pos = strchr(str, '/');
72 if (pos)
73 {
74 *pos++ = '\0';
75 netbits = atoi(pos);
76 }
77 else
78 {
79 if (strchr(str, ':'))
80 {
81 netbits = 128;
82 }
83 }
84 net = host_create_from_string(str, 0);
85 if (net)
86 {
87 return traffic_selector_create_from_subnet(net, netbits, 0, 0);
88 }
89 }
90 return traffic_selector_create_dynamic(0, 0, 65535);
91 }
92
93 /**
94 * implements backend_t.get_peer_cfg_by_name.
95 */
96 static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *name)
97 {
98 enumerator_t *e;
99 peer_cfg_t *peer_cfg, *med_cfg;
100 ike_cfg_t *ike_cfg;
101 child_cfg_t *child_cfg;
102 chunk_t me, other;
103 char *address, *local_net, *remote_net;
104
105 /* query mediation server config:
106 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
107 */
108 e = this->db->query(this->db,
109 "SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId "
110 "FROM MediationServerConfig JOIN ClientConfig",
111 DB_TEXT, DB_BLOB, DB_BLOB);
112 if (!e || !e->enumerate(e, &address, &me, &other))
113 {
114 DESTROY_IF(e);
115 return NULL;
116 }
117 ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", address);
118 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
119 med_cfg = peer_cfg_create(
120 "mediation", 2, ike_cfg,
121 identification_create_from_encoding(ID_KEY_ID, me),
122 identification_create_from_encoding(ID_KEY_ID, other),
123 CERT_NEVER_SEND, UNIQUE_REPLACE,
124 1, this->rekey*60, 0, /* keytries, rekey, reauth */
125 this->rekey*5, this->rekey*3, /* jitter, overtime */
126 TRUE, this->dpd, /* mobike, dpddelay */
127 NULL, NULL, /* vip, pool */
128 TRUE, NULL, NULL); /* mediation, med by, peer id */
129 e->destroy(e);
130
131 /* query mediated config:
132 * - use any-any ike_cfg
133 * - build peer_cfg on-the-fly using med_cfg
134 * - add a child_cfg
135 */
136 e = this->db->query(this->db,
137 "SELECT ClientConfig.KeyId, Connection.KeyId, "
138 "Connection.LocalSubnet, Connection.RemoteSubnet "
139 "FROM ClientConfig JOIN Connection "
140 "WHERE Active AND Alias = ?", DB_TEXT, name,
141 DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
142 if (!e || !e->enumerate(e, &me, &other, &local_net, &remote_net))
143 {
144 DESTROY_IF(e);
145 return NULL;
146 }
147 peer_cfg = peer_cfg_create(
148 name, 2, this->ike->get_ref(this->ike),
149 identification_create_from_encoding(ID_KEY_ID, me),
150 identification_create_from_encoding(ID_KEY_ID, other),
151 CERT_NEVER_SEND, UNIQUE_REPLACE,
152 1, this->rekey*60, 0, /* keytries, rekey, reauth */
153 this->rekey*5, this->rekey*3, /* jitter, overtime */
154 TRUE, this->dpd, /* mobike, dpddelay */
155 NULL, NULL, /* vip, pool */
156 FALSE, med_cfg, /* mediation, med by */
157 identification_create_from_encoding(ID_KEY_ID, other));
158
159 child_cfg = child_cfg_create(name, this->rekey*60 + this->rekey,
160 this->rekey*60, this->rekey, NULL, TRUE,
161 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
162 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
163 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
164 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
165 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
166 e->destroy(e);
167 return peer_cfg;
168 }
169
170 /**
171 * Implementation of backend_t.create_ike_cfg_enumerator.
172 */
173 static enumerator_t* create_ike_cfg_enumerator(private_medcli_config_t *this,
174 host_t *me, host_t *other)
175 {
176 return enumerator_create_single(this->ike, NULL);
177 }
178
179 typedef struct {
180 /** implements enumerator */
181 enumerator_t public;
182 /** inner SQL enumerator */
183 enumerator_t *inner;
184 /** currently enumerated peer config */
185 peer_cfg_t *current;
186 /** ike cfg to use in peer cfg */
187 ike_cfg_t *ike;
188 /** rekey time */
189 int rekey;
190 /** dpd time */
191 int dpd;
192 } peer_enumerator_t;
193
194 /**
195 * Implementation of peer_enumerator_t.public.enumerate
196 */
197 static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
198 {
199 char *name, *local_net, *remote_net;
200 chunk_t me, other;
201 child_cfg_t *child_cfg;
202
203 DESTROY_IF(this->current);
204 if (!this->inner->enumerate(this->inner, &name, &me, &other,
205 &local_net, &remote_net))
206 {
207 this->current = NULL;
208 return FALSE;
209 }
210 this->current = peer_cfg_create(
211 name, 2, this->ike->get_ref(this->ike),
212 identification_create_from_encoding(ID_KEY_ID, me),
213 identification_create_from_encoding(ID_KEY_ID, other),
214 CERT_NEVER_SEND, UNIQUE_REPLACE,
215 1, this->rekey*60, 0, /* keytries, rekey, reauth */
216 this->rekey*5, this->rekey*3, /* jitter, overtime */
217 TRUE, this->dpd, /* mobike, dpddelay */
218 NULL, NULL, /* vip, pool */
219 FALSE, NULL, NULL); /* mediation, med by, peer id */
220 child_cfg = child_cfg_create(
221 name, this->rekey*60 + this->rekey,
222 this->rekey*60, this->rekey, NULL, TRUE,
223 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
224 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
225 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
226 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
227 this->current->add_child_cfg(this->current, child_cfg);
228 *cfg = this->current;
229 return TRUE;
230 }
231
232 /**
233 * Implementation of peer_enumerator_t.public.destroy
234 */
235 static void peer_enumerator_destroy(peer_enumerator_t *this)
236 {
237 DESTROY_IF(this->current);
238 this->inner->destroy(this->inner);
239 free(this);
240 }
241
242 /**
243 * Implementation of backend_t.create_peer_cfg_enumerator.
244 */
245 static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
246 identification_t *me,
247 identification_t *other)
248 {
249 peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
250
251 e->current = NULL;
252 e->ike = this->ike;
253 e->rekey = this->rekey;
254 e->dpd = this->dpd;
255 e->public.enumerate = (void*)peer_enumerator_enumerate;
256 e->public.destroy = (void*)peer_enumerator_destroy;
257
258 /* filter on IDs: NULL or ANY or matching KEY_ID */
259 e->inner = this->db->query(this->db,
260 "SELECT Alias, ClientConfig.KeyId, Connection.KeyId, "
261 "Connection.LocalSubnet, Connection.RemoteSubnet "
262 "FROM ClientConfig JOIN Connection "
263 "WHERE Active AND "
264 "(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)",
265 DB_INT, me == NULL || me->get_type(me) == ID_ANY,
266 DB_BLOB, me && me->get_type(me) == ID_KEY_ID ?
267 me->get_encoding(me) : chunk_empty,
268 DB_INT, other == NULL || other->get_type(other) == ID_ANY,
269 DB_BLOB, other && other->get_type(other) == ID_KEY_ID ?
270 other->get_encoding(other) : chunk_empty,
271 DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
272 if (!e->inner)
273 {
274 free(e);
275 return NULL;
276 }
277 return &e->public;
278 }
279
280 /**
281 * initiate a peer config
282 */
283 static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
284 {
285 enumerator_t *enumerator;
286 child_cfg_t *child_cfg = NULL;;
287
288 enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
289 enumerator->enumerate(enumerator, &child_cfg);
290 if (child_cfg)
291 {
292 child_cfg->get_ref(child_cfg);
293 peer_cfg->get_ref(peer_cfg);
294 enumerator->destroy(enumerator);
295 charon->controller->initiate(charon->controller,
296 peer_cfg, child_cfg, NULL, NULL);
297 }
298 else
299 {
300 enumerator->destroy(enumerator);
301 }
302 return JOB_REQUEUE_NONE;
303 }
304
305 /**
306 * schedule initation of all "active" connections
307 */
308 static void schedule_autoinit(private_medcli_config_t *this)
309 {
310 enumerator_t *e;
311 char *name;
312
313 e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active",
314 DB_TEXT);
315 if (e)
316 {
317 while (e->enumerate(e, &name))
318 {
319 peer_cfg_t *peer_cfg;
320
321 peer_cfg = get_peer_cfg_by_name(this, name);
322 if (peer_cfg)
323 {
324 /* schedule asynchronous initiation job */
325 charon->processor->queue_job(charon->processor,
326 (job_t*)callback_job_create(
327 (callback_job_cb_t)initiate_config,
328 peer_cfg, (void*)peer_cfg->destroy, NULL));
329 }
330 }
331 e->destroy(e);
332 }
333 }
334
335 /**
336 * Implementation of medcli_config_t.destroy.
337 */
338 static void destroy(private_medcli_config_t *this)
339 {
340 this->ike->destroy(this->ike);
341 free(this);
342 }
343
344 /**
345 * Described in header.
346 */
347 medcli_config_t *medcli_config_create(database_t *db)
348 {
349 private_medcli_config_t *this = malloc_thing(private_medcli_config_t);
350
351 this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
352 this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
353 this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
354 this->public.destroy = (void(*)(medcli_config_t*))destroy;
355
356 this->db = db;
357 this->rekey = lib->settings->get_int(lib->settings,
358 "medcli.rekey", 20) * 60;
359 this->dpd = lib->settings->get_int(lib->settings, "medcli.dpd", 300);
360 this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
361 this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
362
363 schedule_autoinit(this);
364
365 return &this->public;
366 }
367
strongSwan - IPsec VPN