some improvements in signaling code
[strongswan.git] / src / charon / threads / stroke_interface.c
1 /**
2 * @file stroke.c
3 *
4 * @brief Implementation of stroke_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24 #include <sys/types.h>
25 #include <sys/stat.h>
26 #include <sys/socket.h>
27 #include <sys/un.h>
28 #include <sys/fcntl.h>
29 #include <unistd.h>
30 #include <dirent.h>
31 #include <errno.h>
32 #include <pthread.h>
33 #include <signal.h>
34
35 #include "stroke_interface.h"
36
37 #include <types.h>
38 #include <stroke.h>
39 #include <daemon.h>
40 #include <crypto/x509.h>
41 #include <crypto/crl.h>
42 #include <queues/jobs/initiate_job.h>
43 #include <queues/jobs/route_job.h>
44 #include <utils/leak_detective.h>
45
46 #define IKE_PORT 500
47 #define PATH_BUF 256
48
49
50 struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
51
52
53 typedef struct private_stroke_t private_stroke_t;
54
55 /**
56 * Private data of an stroke_t object.
57 */
58 struct private_stroke_t {
59
60 /**
61 * Public part of stroke_t object.
62 */
63 stroke_t public;
64
65 /**
66 * Output stream (stroke console)
67 */
68 FILE *out;
69
70 /**
71 * Unix socket to listen for strokes
72 */
73 int socket;
74
75 /**
76 * Thread which reads from the Socket
77 */
78 pthread_t assigned_thread;
79 };
80
81 /**
82 * Helper function which corrects the string pointers
83 * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
84 * contains RELATIVE addresses (relative to the beginning of the
85 * stroke_msg). They must be corrected if they reach our address
86 * space...
87 */
88 static void pop_string(stroke_msg_t *msg, char **string)
89 {
90 if (*string == NULL)
91 return;
92
93 /* check for sanity of string pointer and string */
94 if (string < (char**)msg
95 || string > (char**)msg + sizeof(stroke_msg_t)
96 || (u_int)*string < (u_int)((char*)msg->buffer - (char*)msg)
97 || (u_int)*string > msg->length)
98 {
99 *string = "(invalid pointer in stroke msg)";
100 }
101 else
102 {
103 *string = (char*)msg + (u_int)*string;
104 }
105 }
106
107 /**
108 * Load end entitity certificate
109 */
110 static x509_t* load_end_certificate(const char *filename, identification_t **idp)
111 {
112 char path[PATH_BUF];
113 x509_t *cert;
114
115 if (*filename == '/')
116 {
117 /* absolute path name */
118 snprintf(path, sizeof(path), "%s", filename);
119 }
120 else
121 {
122 /* relative path name */
123 snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
124 }
125
126 cert = x509_create_from_file(path, "end entity certificate");
127
128 if (cert)
129 {
130 identification_t *id = *idp;
131 identification_t *subject = cert->get_subject(cert);
132
133 err_t ugh = cert->is_valid(cert, NULL);
134
135 if (ugh != NULL)
136 {
137 DBG1(DBG_CFG, "warning: certificate %s", ugh);
138 }
139 if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id))
140 {
141 id->destroy(id);
142 id = subject;
143 *idp = id->clone(id);
144 }
145 return charon->credentials->add_end_certificate(charon->credentials, cert);
146 }
147 return NULL;
148 }
149
150 /**
151 * Add a connection to the configuration list
152 */
153 static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
154 {
155 connection_t *connection;
156 policy_t *policy;
157 identification_t *my_id, *other_id;
158 identification_t *my_ca = NULL;
159 identification_t *other_ca = NULL;
160 bool my_ca_same = FALSE;
161 bool other_ca_same =FALSE;
162 host_t *my_host, *other_host, *my_subnet, *other_subnet;
163 proposal_t *proposal;
164 traffic_selector_t *my_ts, *other_ts;
165
166 pop_string(msg, &msg->add_conn.name);
167 pop_string(msg, &msg->add_conn.me.address);
168 pop_string(msg, &msg->add_conn.other.address);
169 pop_string(msg, &msg->add_conn.me.subnet);
170 pop_string(msg, &msg->add_conn.other.subnet);
171 pop_string(msg, &msg->add_conn.me.id);
172 pop_string(msg, &msg->add_conn.other.id);
173 pop_string(msg, &msg->add_conn.me.cert);
174 pop_string(msg, &msg->add_conn.other.cert);
175 pop_string(msg, &msg->add_conn.me.ca);
176 pop_string(msg, &msg->add_conn.other.ca);
177 pop_string(msg, &msg->add_conn.me.updown);
178 pop_string(msg, &msg->add_conn.other.updown);
179 pop_string(msg, &msg->add_conn.algorithms.ike);
180 pop_string(msg, &msg->add_conn.algorithms.esp);
181
182 DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
183
184 DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
185 DBG2(DBG_CFG, " right=%s", msg->add_conn.me.address);
186 DBG2(DBG_CFG, " left=%s", msg->add_conn.other.address);
187 DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.me.subnet);
188 DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.other.subnet);
189 DBG2(DBG_CFG, " rightid=%s", msg->add_conn.me.id);
190 DBG2(DBG_CFG, " leftid=%s", msg->add_conn.other.id);
191 DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.me.cert);
192 DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.other.cert);
193 DBG2(DBG_CFG, " rightca=%s", msg->add_conn.me.ca);
194 DBG2(DBG_CFG, " leftca=%s", msg->add_conn.other.ca);
195 DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
196 DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
197
198 my_host = msg->add_conn.me.address?
199 host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL;
200 if (my_host == NULL)
201 {
202 DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
203 return;
204 }
205
206 other_host = msg->add_conn.other.address ?
207 host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL;
208 if (other_host == NULL)
209 {
210 DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
211 my_host->destroy(my_host);
212 return;
213 }
214
215 if (charon->socket->is_local_address(charon->socket, other_host, NULL))
216 {
217 stroke_end_t tmp_end;
218 host_t *tmp_host;
219
220 DBG2(DBG_CFG, "left is other host, swapping ends\n");
221
222 tmp_host = my_host;
223 my_host = other_host;
224 other_host = tmp_host;
225
226 tmp_end = msg->add_conn.me;
227 msg->add_conn.me = msg->add_conn.other;
228 msg->add_conn.other = tmp_end;
229 }
230 else if (!charon->socket->is_local_address(charon->socket, my_host, NULL))
231 {
232 DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
233 goto destroy_hosts;
234 }
235
236 my_id = identification_create_from_string(msg->add_conn.me.id ?
237 msg->add_conn.me.id : msg->add_conn.me.address);
238 if (my_id == NULL)
239 {
240 DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
241 goto destroy_hosts;
242 }
243
244 other_id = identification_create_from_string(msg->add_conn.other.id ?
245 msg->add_conn.other.id : msg->add_conn.other.address);
246 if (other_id == NULL)
247 {
248 DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
249 my_id->destroy(my_id);
250 goto destroy_hosts;
251 }
252
253 my_subnet = host_create_from_string(msg->add_conn.me.subnet ?
254 msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT);
255 if (my_subnet == NULL)
256 {
257 DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
258 goto destroy_ids;
259 }
260
261 other_subnet = host_create_from_string(msg->add_conn.other.subnet ?
262 msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT);
263 if (other_subnet == NULL)
264 {
265 DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
266 my_subnet->destroy(my_subnet);
267 goto destroy_ids;
268 }
269
270 my_ts = traffic_selector_create_from_subnet(my_subnet,
271 msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0,
272 msg->add_conn.me.protocol, msg->add_conn.me.port);
273 my_subnet->destroy(my_subnet);
274
275 other_ts = traffic_selector_create_from_subnet(other_subnet,
276 msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 0,
277 msg->add_conn.other.protocol, msg->add_conn.other.port);
278 other_subnet->destroy(other_subnet);
279
280 if (msg->add_conn.me.ca)
281 {
282 if (streq(msg->add_conn.me.ca, "%same"))
283 {
284 my_ca_same = TRUE;
285 }
286 else
287 {
288 my_ca = identification_create_from_string(msg->add_conn.me.ca);
289 }
290 }
291 if (msg->add_conn.other.ca)
292 {
293 if (streq(msg->add_conn.other.ca, "%same"))
294 {
295 other_ca_same = TRUE;
296 }
297 else
298 {
299 other_ca = identification_create_from_string(msg->add_conn.other.ca);
300 }
301 }
302 if (msg->add_conn.me.cert)
303 {
304 x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id);
305
306 if (my_ca == NULL && !my_ca_same && cert)
307 {
308 identification_t *issuer = cert->get_issuer(cert);
309
310 my_ca = issuer->clone(issuer);
311 }
312 }
313 if (msg->add_conn.other.cert)
314 {
315 x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id);
316
317 if (other_ca == NULL && !other_ca_same && cert)
318 {
319 identification_t *issuer = cert->get_issuer(cert);
320
321 other_ca = issuer->clone(issuer);
322 }
323 }
324 if (other_ca_same && my_ca)
325 {
326 other_ca = my_ca->clone(my_ca);
327 }
328 else if (my_ca_same && other_ca)
329 {
330 my_ca = other_ca->clone(other_ca);
331 }
332 if (my_ca == NULL)
333 {
334 my_ca = identification_create_from_string("%any");
335 }
336 if (other_ca == NULL)
337 {
338 other_ca = identification_create_from_string("%any");
339 }
340 DBG2(DBG_CFG, " my ca: '%D'", my_ca);
341 DBG2(DBG_CFG, " other ca:'%D'", other_ca);
342 DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown);
343
344 connection = connection_create(msg->add_conn.name,
345 msg->add_conn.ikev2,
346 msg->add_conn.me.sendcert,
347 msg->add_conn.other.sendcert,
348 my_host, other_host,
349 msg->add_conn.dpd.delay,
350 msg->add_conn.rekey.tries,
351 msg->add_conn.rekey.ike_lifetime,
352 msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
353 msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100);
354
355 if (msg->add_conn.algorithms.ike)
356 {
357 char *proposal_string;
358 char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1;
359
360 if (*strict == '!')
361 *strict = '\0';
362 else
363 strict = NULL;
364
365 while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ",")))
366 {
367 proposal = proposal_create_from_string(PROTO_IKE, proposal_string);
368 if (proposal == NULL)
369 {
370 DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
371 my_id->destroy(my_id);
372 other_id->destroy(other_id);
373 my_ts->destroy(my_ts);
374 other_ts->destroy(other_ts);
375 my_ca->destroy(my_ca);
376 other_ca->destroy(other_ca);
377 connection->destroy(connection);
378 return;
379 }
380 connection->add_proposal(connection, proposal);
381 }
382 if (!strict)
383 {
384 proposal = proposal_create_default(PROTO_IKE);
385 connection->add_proposal(connection, proposal);
386 }
387 }
388 else
389 {
390 proposal = proposal_create_default(PROTO_IKE);
391 connection->add_proposal(connection, proposal);
392 }
393
394 policy = policy_create(msg->add_conn.name, my_id, other_id,
395 msg->add_conn.auth_method,
396 msg->add_conn.rekey.ipsec_lifetime,
397 msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
398 msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
399 msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
400 msg->add_conn.dpd.action);
401 policy->add_my_traffic_selector(policy, my_ts);
402 policy->add_other_traffic_selector(policy, other_ts);
403 policy->add_authorities(policy, my_ca, other_ca);
404
405 if (msg->add_conn.algorithms.esp)
406 {
407 char *proposal_string;
408 char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1;
409
410 if (*strict == '!')
411 *strict = '\0';
412 else
413 strict = NULL;
414
415 while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ",")))
416 {
417 proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
418 if (proposal == NULL)
419 {
420 DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
421 policy->destroy(policy);
422 connection->destroy(connection);
423 return;
424 }
425 policy->add_proposal(policy, proposal);
426 }
427 if (!strict)
428 {
429 proposal = proposal_create_default(PROTO_ESP);
430 policy->add_proposal(policy, proposal);
431 }
432 }
433 else
434 {
435 proposal = proposal_create_default(PROTO_ESP);
436 policy->add_proposal(policy, proposal);
437 }
438
439 /* add to global connection list */
440 charon->connections->add_connection(charon->connections, connection);
441 DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]",
442 msg->add_conn.name, my_host, my_id, other_host, other_id);
443 /* add to global policy list */
444 charon->policies->add_policy(charon->policies, policy);
445
446 return;
447
448 /* mopping up after parsing errors */
449
450 destroy_ids:
451 my_id->destroy(my_id);
452 other_id->destroy(other_id);
453
454 destroy_hosts:
455 my_host->destroy(my_host);
456 other_host->destroy(other_host);
457 }
458
459 /**
460 * Delete a connection from the list
461 */
462 static void stroke_del_conn(private_stroke_t *this, stroke_msg_t *msg)
463 {
464 status_t status;
465
466 pop_string(msg, &(msg->del_conn.name));
467 DBG1(DBG_CFG, "received stroke: delete '%s'", msg->del_conn.name);
468
469 status = charon->connections->delete_connection(charon->connections,
470 msg->del_conn.name);
471 charon->policies->delete_policy(charon->policies, msg->del_conn.name);
472 if (status == SUCCESS)
473 {
474 fprintf(this->out, "deleted connection '%s'\n", msg->del_conn.name);
475 }
476 else
477 {
478 fprintf(this->out, "no connection named '%s'\n", msg->del_conn.name);
479 }
480 }
481
482 /**
483 * initiate a connection by name
484 */
485 static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
486 {
487 initiate_job_t *job;
488 connection_t *connection;
489 policy_t *policy;
490 ike_sa_t *init_ike_sa = NULL;
491 signal_t signal;
492
493 pop_string(msg, &(msg->initiate.name));
494 DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
495
496 connection = charon->connections->get_connection_by_name(charon->connections,
497 msg->initiate.name);
498 if (connection == NULL)
499 {
500 if (msg->output_verbosity >= 0)
501 {
502 fprintf(this->out, "no connection named '%s'\n", msg->initiate.name);
503 }
504 return;
505 }
506 if (!connection->is_ikev2(connection))
507 {
508 connection->destroy(connection);
509 return;
510 }
511
512 policy = charon->policies->get_policy_by_name(charon->policies,
513 msg->initiate.name);
514 if (policy == NULL)
515 {
516 if (msg->output_verbosity >= 0)
517 {
518 fprintf(this->out, "no policy named '%s'\n", msg->initiate.name);
519 }
520 connection->destroy(connection);
521 return;
522 }
523
524 job = initiate_job_create(connection, policy);
525 /*
526 if (msg->output_verbosity < 0)
527 {
528 TODO: detach immediately if verbosity is SILENT. Local credential store
529 is not threadsave yet, so this would cause crashes!!
530 charon->job_queue->add(charon->job_queue, (job_t*)job);
531 return;
532 }*/
533
534 charon->bus->set_listen_state(charon->bus, TRUE);
535 charon->job_queue->add(charon->job_queue, (job_t*)job);
536 while (TRUE)
537 {
538 level_t level;
539 int thread;
540 ike_sa_t *ike_sa;
541 char* format;
542 va_list args;
543
544 signal = charon->bus->listen(charon->bus, &level, &thread, &ike_sa, &format, &args);
545
546 if ((init_ike_sa == NULL || ike_sa == init_ike_sa) &&
547 level <= msg->output_verbosity)
548 {
549 if (vfprintf(this->out, format, args) < 0 ||
550 fprintf(this->out, "\n") < 0 ||
551 fflush(this->out))
552 {
553 charon->bus->set_listen_state(charon->bus, FALSE);
554 break;
555 }
556 }
557
558 switch (signal)
559 {
560 case CHILD_UP_SUCCESS:
561 case CHILD_UP_FAILED:
562 if (ike_sa == init_ike_sa)
563 {
564 charon->bus->set_listen_state(charon->bus, FALSE);
565 return;
566 }
567 continue;
568 case CHILD_UP_START:
569 case IKE_UP_START:
570 if (init_ike_sa == NULL)
571 {
572 init_ike_sa = ike_sa;
573 }
574 continue;
575 default:
576 continue;
577 }
578 }
579 }
580
581 /**
582 * route/unroute a policy (install SPD entries)
583 */
584 static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route)
585 {
586 route_job_t *job;
587 connection_t *connection;
588 policy_t *policy;
589
590 pop_string(msg, &(msg->route.name));
591 DBG1(DBG_CFG, "received stroke: %s '%s'",
592 route ? "route" : "unroute", msg->route.name);
593
594 /* we wouldn't need a connection, but we only want to route policies
595 * whose connections are keyexchange=ikev2. */
596 connection = charon->connections->get_connection_by_name(charon->connections,
597 msg->route.name);
598 if (connection == NULL)
599 {
600 fprintf(this->out, "no connection named '%s'\n", msg->route.name);
601 return;
602 }
603 if (!connection->is_ikev2(connection))
604 {
605 connection->destroy(connection);
606 return;
607 }
608
609 policy = charon->policies->get_policy_by_name(charon->policies,
610 msg->route.name);
611 if (policy == NULL)
612 {
613 fprintf(this->out, "no policy named '%s'\n", msg->route.name);
614 connection->destroy(connection);
615 return;
616 }
617 fprintf(this->out, "%s policy '%s'\n",
618 route ? "routing" : "unrouting", msg->route.name);
619 job = route_job_create(connection, policy, route);
620 charon->job_queue->add(charon->job_queue, (job_t*)job);
621 }
622
623 /**
624 * terminate a connection by name
625 */
626 static void stroke_terminate(private_stroke_t *this, stroke_msg_t *msg)
627 {
628 pop_string(msg, &(msg->terminate.name));
629 DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
630
631 charon->ike_sa_manager->delete_by_name(charon->ike_sa_manager, msg->terminate.name);
632 }
633
634 /**
635 * show status of daemon
636 */
637 static void stroke_statusall(private_stroke_t *this, stroke_msg_t *msg)
638 {
639 iterator_t *iterator;
640 linked_list_t *list;
641 host_t *host;
642 connection_t *connection;
643 policy_t *policy;
644 ike_sa_t *ike_sa;
645
646 leak_detective_status(this->out);
647
648 fprintf(this->out, "worker threads idle: %d of %d\n",
649 charon->thread_pool->get_idle_threads(charon->thread_pool),
650 charon->thread_pool->get_pool_size(charon->thread_pool));
651 fprintf(this->out, "job queue load: %d\n",
652 charon->job_queue->get_count(charon->job_queue));
653 fprintf(this->out, "scheduled events: %d\n",
654 charon->event_queue->get_count(charon->event_queue));
655 list = charon->socket->create_local_address_list(charon->socket);
656 fprintf(this->out, "listening on %d addresses:\n", list->get_count(list));
657 while (list->remove_first(list, (void**)&host) == SUCCESS)
658 {
659 fprintf(this->out, " %H\n", host);
660 host->destroy(host);
661 }
662 list->destroy(list);
663
664 if (msg->status.name)
665 {
666 pop_string(msg, &(msg->status.name));
667 }
668
669 fprintf(this->out, "connections:\n");
670 iterator = charon->connections->create_iterator(charon->connections);
671 while (iterator->iterate(iterator, (void**)&connection))
672 {
673 if (connection->is_ikev2(connection) && (msg->status.name == NULL ||
674 streq(msg->status.name, connection->get_name(connection))))
675 {
676 fprintf(this->out, "%10s: %H...%H\n",
677 connection->get_name(connection),
678 connection->get_my_host(connection),
679 connection->get_other_host(connection));
680 }
681 }
682 iterator->destroy(iterator);
683
684 fprintf(this->out, "policies:\n");
685 iterator = charon->policies->create_iterator(charon->policies);
686 while (iterator->iterate(iterator, (void**)&policy))
687 {
688 if (msg->status.name == NULL ||
689 streq(msg->status.name, policy->get_name(policy)))
690 {
691 fprintf(this->out, "%10s: %D...%D\n",
692 policy->get_name(policy),
693 policy->get_my_id(policy),
694 policy->get_other_id(policy));
695 }
696 }
697 iterator->destroy(iterator);
698
699 fprintf(this->out, "IKE_SAs:\n");
700 iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
701 while (iterator->iterate(iterator, (void**)&ike_sa))
702 {
703 bool ike_sa_printed = FALSE;
704 child_sa_t *child_sa;
705 iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
706 while (children->iterate(children, (void**)&child_sa))
707 {
708 if (!ike_sa_printed &&
709 (msg->status.name == NULL ||
710 streq(msg->status.name, child_sa->get_name(child_sa)) ||
711 streq(msg->status.name, ike_sa->get_name(ike_sa))))
712 {
713 fprintf(this->out, "%#K\n", ike_sa);
714 ike_sa_printed = TRUE;
715 }
716 if (ike_sa_printed)
717 {
718 fprintf(this->out, "%#P\n", child_sa);
719 }
720 }
721 children->destroy(children);
722 }
723 iterator->destroy(iterator);
724 }
725
726 /**
727 * show status of daemon
728 */
729 static void stroke_status(private_stroke_t *this, stroke_msg_t *msg)
730 {
731 iterator_t *iterator;
732 ike_sa_t *ike_sa;
733
734 if (msg->status.name)
735 {
736 pop_string(msg, &(msg->status.name));
737 }
738
739 iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
740 while (iterator->iterate(iterator, (void**)&ike_sa))
741 {
742 bool ike_sa_printed = FALSE;
743 child_sa_t *child_sa;
744 iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
745 while (children->iterate(children, (void**)&child_sa))
746 {
747 if (!ike_sa_printed &&
748 (msg->status.name == NULL ||
749 streq(msg->status.name, child_sa->get_name(child_sa)) ||
750 streq(msg->status.name, ike_sa->get_name(ike_sa))))
751 {
752 fprintf(this->out, "%K\n", ike_sa);
753 ike_sa_printed = TRUE;
754 }
755 if (ike_sa_printed)
756 {
757 fprintf(this->out, "%P\n", child_sa);
758 }
759 }
760 children->destroy(children);
761 }
762 iterator->destroy(iterator);
763 }
764
765 /**
766 * list various information
767 */
768 static void stroke_list(private_stroke_t *this, stroke_msg_t *msg)
769 {
770 iterator_t *iterator;
771
772 if (msg->list.flags & LIST_CERTS)
773 {
774 x509_t *cert;
775
776 iterator = charon->credentials->create_cert_iterator(charon->credentials);
777 if (iterator->get_count(iterator))
778 {
779 fprintf(this->out, "\n");
780 fprintf(this->out, "List of X.509 End Entity Certificates:\n");
781 fprintf(this->out, "\n");
782 }
783 while (iterator->iterate(iterator, (void**)&cert))
784 {
785 fprintf(this->out, "%#Q", cert, msg->list.utc);
786 if (charon->credentials->has_rsa_private_key(
787 charon->credentials, cert->get_public_key(cert)))
788 {
789 fprintf(this->out, ", has private key");
790 }
791 fprintf(this->out, "\n");
792
793 }
794 iterator->destroy(iterator);
795 }
796 if (msg->list.flags & LIST_CACERTS)
797 {
798 x509_t *cert;
799
800 iterator = charon->credentials->create_cacert_iterator(charon->credentials);
801 if (iterator->get_count(iterator))
802 {
803 fprintf(this->out, "\n");
804 fprintf(this->out, "List of X.509 CA Certificates:\n");
805 fprintf(this->out, "\n");
806 }
807 while (iterator->iterate(iterator, (void**)&cert))
808 {
809 fprintf(this->out, "%#Q\n", cert, msg->list.utc);
810 }
811 iterator->destroy(iterator);
812 }
813 if (msg->list.flags & LIST_CRLS)
814 {
815 crl_t *crl;
816
817 iterator = charon->credentials->create_crl_iterator(charon->credentials);
818 if (iterator->get_count(iterator))
819 {
820 fprintf(this->out, "\n");
821 fprintf(this->out, "List of X.509 CRLs:\n");
822 fprintf(this->out, "\n");
823 }
824 while (iterator->iterate(iterator, (void**)&crl))
825 {
826 fprintf(this->out, "%#U\n", crl, msg->list.utc);
827 }
828 iterator->destroy(iterator);
829 }
830 }
831
832 /**
833 * reread various information
834 */
835 static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg)
836 {
837 if (msg->reread.flags & REREAD_CACERTS)
838 {
839 charon->credentials->load_ca_certificates(charon->credentials);
840 }
841 if (msg->reread.flags & REREAD_CRLS)
842 {
843 charon->credentials->load_crls(charon->credentials);
844 }
845 }
846
847 signal_t get_signal_from_logtype(char *type)
848 {
849 if (strcasecmp(type, "any") == 0) return SIG_ANY;
850 else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
851 else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
852 else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
853 else if (strcasecmp(type, "job") == 0) return DBG_JOB;
854 else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
855 else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
856 else if (strcasecmp(type, "net") == 0) return DBG_NET;
857 else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
858 else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
859 else return -1;
860 }
861
862 /**
863 * set the verbosity debug output
864 */
865 static void stroke_loglevel(private_stroke_t *this, stroke_msg_t *msg)
866 {
867 signal_t signal;
868
869 pop_string(msg, &(msg->loglevel.type));
870 DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
871 msg->loglevel.level, msg->loglevel.type);
872
873 signal = get_signal_from_logtype(msg->loglevel.type);
874 if (signal < 0)
875 {
876 fprintf(this->out, "invalid type (%s)!\n", msg->loglevel.type);
877 return;
878 }
879
880 charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
881 charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
882 }
883
884 /**
885 * Implementation of private_stroke_t.stroke_receive.
886 */
887 static void stroke_receive(private_stroke_t *this)
888 {
889 stroke_msg_t *msg;
890 u_int16_t msg_length;
891 struct sockaddr_un strokeaddr;
892 int strokeaddrlen = sizeof(strokeaddr);
893 ssize_t bytes_read;
894 int strokefd;
895 int oldstate;
896
897 /* ignore sigpipe. writing over the pipe back to the console
898 * only fails if SIGPIPE is ignored. */
899 signal(SIGPIPE, SIG_IGN);
900
901 /* disable cancellation by default */
902 pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
903
904 while (1)
905 {
906 /* wait for connections, but allow thread to terminate */
907 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
908 strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
909 pthread_setcancelstate(oldstate, NULL);
910
911 if (strokefd < 0)
912 {
913 DBG1(DBG_CFG, "accepting stroke connection failed: %m");
914 continue;
915 }
916
917 /* peek the length */
918 bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
919 if (bytes_read != sizeof(msg_length))
920 {
921 DBG1(DBG_CFG, "reading lenght of stroke message failed");
922 close(strokefd);
923 continue;
924 }
925
926 /* read message */
927 msg = malloc(msg_length);
928 bytes_read = recv(strokefd, msg, msg_length, 0);
929 if (bytes_read != msg_length)
930 {
931 DBG1(DBG_CFG, "reading stroke message failed: %m");
932 close(strokefd);
933 continue;
934 }
935
936 this->out = fdopen(dup(strokefd), "w");
937 if (this->out == NULL)
938 {
939 DBG1(DBG_CFG, "opening stroke output channel failed: %m");
940 close(strokefd);
941 free(msg);
942 continue;
943 }
944
945 DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
946
947 switch (msg->type)
948 {
949 case STR_INITIATE:
950 stroke_initiate(this, msg);
951 break;
952 case STR_ROUTE:
953 stroke_route(this, msg, TRUE);
954 break;
955 case STR_UNROUTE:
956 stroke_route(this, msg, FALSE);
957 break;
958 case STR_TERMINATE:
959 stroke_terminate(this, msg);
960 break;
961 case STR_STATUS:
962 stroke_status(this, msg);
963 break;
964 case STR_STATUS_ALL:
965 stroke_statusall(this, msg);
966 break;
967 case STR_ADD_CONN:
968 stroke_add_conn(this, msg);
969 break;
970 case STR_DEL_CONN:
971 stroke_del_conn(this, msg);
972 break;
973 case STR_LOGLEVEL:
974 stroke_loglevel(this, msg);
975 break;
976 case STR_LIST:
977 stroke_list(this, msg);
978 break;
979 case STR_REREAD:
980 stroke_reread(this, msg);
981 break;
982 default:
983 DBG1(DBG_CFG, "received unknown stroke");
984 }
985 fclose(this->out);
986 close(strokefd);
987 free(msg);
988 }
989 }
990
991 /**
992 * Implementation of stroke_t.destroy.
993 */
994 static void destroy(private_stroke_t *this)
995 {
996 pthread_cancel(this->assigned_thread);
997 pthread_join(this->assigned_thread, NULL);
998
999 close(this->socket);
1000 unlink(socket_addr.sun_path);
1001 free(this);
1002 }
1003
1004 /*
1005 * Described in header-file
1006 */
1007 stroke_t *stroke_create()
1008 {
1009 private_stroke_t *this = malloc_thing(private_stroke_t);
1010 mode_t old;
1011
1012 /* public functions */
1013 this->public.destroy = (void (*)(stroke_t*))destroy;
1014
1015 /* set up unix socket */
1016 this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
1017 if (this->socket == -1)
1018 {
1019 DBG1(DBG_CFG, "could not create whack socket");
1020 free(this);
1021 return NULL;
1022 }
1023
1024 old = umask(~S_IRWXU);
1025 if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
1026 {
1027 DBG1(DBG_CFG, "could not bind stroke socket: %m");
1028 close(this->socket);
1029 free(this);
1030 return NULL;
1031 }
1032 umask(old);
1033
1034 if (listen(this->socket, 0) < 0)
1035 {
1036 DBG1(DBG_CFG, "could not listen on stroke socket: %m");
1037 close(this->socket);
1038 unlink(socket_addr.sun_path);
1039 free(this);
1040 return NULL;
1041 }
1042
1043 /* start a thread reading from the socket */
1044 if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0)
1045 {
1046 DBG1(DBG_CFG, "could not spawn stroke thread");
1047 close(this->socket);
1048 unlink(socket_addr.sun_path);
1049 free(this);
1050 return NULL;
1051 }
1052
1053 return (&this->public);
1054 }