projects / strongswan.git / blob
? search:


0e1200d1061521043d33df81dd0899e543a11d7b
[strongswan.git] / src / charon / threads / stroke_interface.c
1 /**
2 * @file stroke.c
3 *
4 * @brief Implementation of stroke_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24 #include <sys/types.h>
25 #include <sys/stat.h>
26 #include <sys/socket.h>
27 #include <sys/un.h>
28 #include <sys/fcntl.h>
29 #include <unistd.h>
30 #include <dirent.h>
31 #include <errno.h>
32 #include <pthread.h>
33 #include <signal.h>
34
35 #include "stroke_interface.h"
36
37 #include <library.h>
38 #include <stroke.h>
39 #include <daemon.h>
40 #include <crypto/x509.h>
41 #include <crypto/crl.h>
42 #include <queues/jobs/initiate_job.h>
43 #include <queues/jobs/route_job.h>
44 #include <utils/leak_detective.h>
45
46 #define IKE_PORT 500
47 #define PATH_BUF 256
48
49
50 struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
51
52
53 typedef struct private_stroke_t private_stroke_t;
54
55 /**
56 * Private data of an stroke_t object.
57 */
58 struct private_stroke_t {
59
60 /**
61 * Public part of stroke_t object.
62 */
63 stroke_t public;
64
65 /**
66 * Output stream (stroke console)
67 */
68 FILE *out;
69
70 /**
71 * Unix socket to listen for strokes
72 */
73 int socket;
74
75 /**
76 * Thread which reads from the Socket
77 */
78 pthread_t assigned_thread;
79 };
80
81 /**
82 * Helper function which corrects the string pointers
83 * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
84 * contains RELATIVE addresses (relative to the beginning of the
85 * stroke_msg). They must be corrected if they reach our address
86 * space...
87 */
88 static void pop_string(stroke_msg_t *msg, char **string)
89 {
90 if (*string == NULL)
91 return;
92
93 /* check for sanity of string pointer and string */
94 if (string < (char**)msg
95 || string > (char**)msg + sizeof(stroke_msg_t)
96 || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg)
97 || (unsigned long)*string > msg->length)
98 {
99 *string = "(invalid pointer in stroke msg)";
100 }
101 else
102 {
103 *string = (char*)msg + (unsigned long)*string;
104 }
105 }
106
107 /**
108 * Load end entitity certificate
109 */
110 static x509_t* load_end_certificate(const char *filename, identification_t **idp)
111 {
112 char path[PATH_BUF];
113 x509_t *cert;
114
115 if (*filename == '/')
116 {
117 /* absolute path name */
118 snprintf(path, sizeof(path), "%s", filename);
119 }
120 else
121 {
122 /* relative path name */
123 snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
124 }
125
126 cert = x509_create_from_file(path, "end entity certificate");
127
128 if (cert)
129 {
130 identification_t *id = *idp;
131 identification_t *subject = cert->get_subject(cert);
132
133 err_t ugh = cert->is_valid(cert, NULL);
134
135 if (ugh != NULL)
136 {
137 DBG1(DBG_CFG, "warning: certificate %s", ugh);
138 }
139 if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id))
140 {
141 id->destroy(id);
142 id = subject;
143 *idp = id->clone(id);
144 }
145 return charon->credentials->add_end_certificate(charon->credentials, cert);
146 }
147 return NULL;
148 }
149
150 /**
151 * Add a connection to the configuration list
152 */
153 static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
154 {
155 connection_t *connection;
156 policy_t *policy;
157 identification_t *my_id, *other_id;
158 identification_t *my_ca = NULL;
159 identification_t *other_ca = NULL;
160 bool my_ca_same = FALSE;
161 bool other_ca_same =FALSE;
162 host_t *my_host, *other_host, *my_subnet, *other_subnet;
163 proposal_t *proposal;
164 traffic_selector_t *my_ts, *other_ts;
165
166 pop_string(msg, &msg->add_conn.name);
167 pop_string(msg, &msg->add_conn.me.address);
168 pop_string(msg, &msg->add_conn.other.address);
169 pop_string(msg, &msg->add_conn.me.subnet);
170 pop_string(msg, &msg->add_conn.other.subnet);
171 pop_string(msg, &msg->add_conn.me.id);
172 pop_string(msg, &msg->add_conn.other.id);
173 pop_string(msg, &msg->add_conn.me.cert);
174 pop_string(msg, &msg->add_conn.other.cert);
175 pop_string(msg, &msg->add_conn.me.ca);
176 pop_string(msg, &msg->add_conn.other.ca);
177 pop_string(msg, &msg->add_conn.me.updown);
178 pop_string(msg, &msg->add_conn.other.updown);
179 pop_string(msg, &msg->add_conn.algorithms.ike);
180 pop_string(msg, &msg->add_conn.algorithms.esp);
181
182 DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
183
184 DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
185 DBG2(DBG_CFG, " right=%s", msg->add_conn.me.address);
186 DBG2(DBG_CFG, " left=%s", msg->add_conn.other.address);
187 DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.me.subnet);
188 DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.other.subnet);
189 DBG2(DBG_CFG, " rightid=%s", msg->add_conn.me.id);
190 DBG2(DBG_CFG, " leftid=%s", msg->add_conn.other.id);
191 DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.me.cert);
192 DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.other.cert);
193 DBG2(DBG_CFG, " rightca=%s", msg->add_conn.me.ca);
194 DBG2(DBG_CFG, " leftca=%s", msg->add_conn.other.ca);
195 DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
196 DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
197
198 my_host = msg->add_conn.me.address?
199 host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL;
200 if (my_host == NULL)
201 {
202 DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
203 return;
204 }
205
206 other_host = msg->add_conn.other.address ?
207 host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL;
208 if (other_host == NULL)
209 {
210 DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
211 my_host->destroy(my_host);
212 return;
213 }
214
215 if (charon->socket->is_local_address(charon->socket, other_host, NULL))
216 {
217 stroke_end_t tmp_end;
218 host_t *tmp_host;
219
220 DBG2(DBG_CFG, "left is other host, swapping ends\n");
221
222 tmp_host = my_host;
223 my_host = other_host;
224 other_host = tmp_host;
225
226 tmp_end = msg->add_conn.me;
227 msg->add_conn.me = msg->add_conn.other;
228 msg->add_conn.other = tmp_end;
229 }
230 else if (!charon->socket->is_local_address(charon->socket, my_host, NULL))
231 {
232 DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
233 goto destroy_hosts;
234 }
235
236 my_id = identification_create_from_string(msg->add_conn.me.id ?
237 msg->add_conn.me.id : msg->add_conn.me.address);
238 if (my_id == NULL)
239 {
240 DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
241 goto destroy_hosts;
242 }
243
244 other_id = identification_create_from_string(msg->add_conn.other.id ?
245 msg->add_conn.other.id : msg->add_conn.other.address);
246 if (other_id == NULL)
247 {
248 DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
249 my_id->destroy(my_id);
250 goto destroy_hosts;
251 }
252
253 my_subnet = host_create_from_string(msg->add_conn.me.subnet ?
254 msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT);
255 if (my_subnet == NULL)
256 {
257 DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
258 goto destroy_ids;
259 }
260
261 other_subnet = host_create_from_string(msg->add_conn.other.subnet ?
262 msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT);
263 if (other_subnet == NULL)
264 {
265 DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
266 my_subnet->destroy(my_subnet);
267 goto destroy_ids;
268 }
269
270 my_ts = traffic_selector_create_from_subnet(my_subnet,
271 msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0,
272 msg->add_conn.me.protocol, msg->add_conn.me.port);
273 my_subnet->destroy(my_subnet);
274
275 other_ts = traffic_selector_create_from_subnet(other_subnet,
276 msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 0,
277 msg->add_conn.other.protocol, msg->add_conn.other.port);
278 other_subnet->destroy(other_subnet);
279
280 if (msg->add_conn.me.ca)
281 {
282 if (streq(msg->add_conn.me.ca, "%same"))
283 {
284 my_ca_same = TRUE;
285 }
286 else
287 {
288 my_ca = identification_create_from_string(msg->add_conn.me.ca);
289 }
290 }
291 if (msg->add_conn.other.ca)
292 {
293 if (streq(msg->add_conn.other.ca, "%same"))
294 {
295 other_ca_same = TRUE;
296 }
297 else
298 {
299 other_ca = identification_create_from_string(msg->add_conn.other.ca);
300 }
301 }
302 if (msg->add_conn.me.cert)
303 {
304 x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id);
305
306 if (my_ca == NULL && !my_ca_same && cert)
307 {
308 identification_t *issuer = cert->get_issuer(cert);
309
310 my_ca = issuer->clone(issuer);
311 }
312 }
313 if (msg->add_conn.other.cert)
314 {
315 x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id);
316
317 if (other_ca == NULL && !other_ca_same && cert)
318 {
319 identification_t *issuer = cert->get_issuer(cert);
320
321 other_ca = issuer->clone(issuer);
322 }
323 }
324 if (other_ca_same && my_ca)
325 {
326 other_ca = my_ca->clone(my_ca);
327 }
328 else if (my_ca_same && other_ca)
329 {
330 my_ca = other_ca->clone(other_ca);
331 }
332 if (my_ca == NULL)
333 {
334 my_ca = identification_create_from_string("%any");
335 }
336 if (other_ca == NULL)
337 {
338 other_ca = identification_create_from_string("%any");
339 }
340 DBG2(DBG_CFG, " my ca: '%D'", my_ca);
341 DBG2(DBG_CFG, " other ca:'%D'", other_ca);
342 DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown);
343
344 connection = connection_create(msg->add_conn.name,
345 msg->add_conn.ikev2,
346 msg->add_conn.me.sendcert,
347 msg->add_conn.other.sendcert,
348 my_host, other_host,
349 msg->add_conn.dpd.delay,
350 msg->add_conn.rekey.tries,
351 msg->add_conn.rekey.ike_lifetime,
352 msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
353 msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100);
354
355 if (msg->add_conn.algorithms.ike)
356 {
357 char *proposal_string;
358 char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1;
359
360 if (*strict == '!')
361 *strict = '\0';
362 else
363 strict = NULL;
364
365 while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ",")))
366 {
367 proposal = proposal_create_from_string(PROTO_IKE, proposal_string);
368 if (proposal == NULL)
369 {
370 DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
371 my_id->destroy(my_id);
372 other_id->destroy(other_id);
373 my_ts->destroy(my_ts);
374 other_ts->destroy(other_ts);
375 my_ca->destroy(my_ca);
376 other_ca->destroy(other_ca);
377 connection->destroy(connection);
378 return;
379 }
380 connection->add_proposal(connection, proposal);
381 }
382 if (!strict)
383 {
384 proposal = proposal_create_default(PROTO_IKE);
385 connection->add_proposal(connection, proposal);
386 }
387 }
388 else
389 {
390 proposal = proposal_create_default(PROTO_IKE);
391 connection->add_proposal(connection, proposal);
392 }
393
394 policy = policy_create(msg->add_conn.name, my_id, other_id,
395 msg->add_conn.auth_method,
396 msg->add_conn.rekey.ipsec_lifetime,
397 msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
398 msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
399 msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
400 msg->add_conn.dpd.action);
401 policy->add_my_traffic_selector(policy, my_ts);
402 policy->add_other_traffic_selector(policy, other_ts);
403 policy->add_authorities(policy, my_ca, other_ca);
404
405 if (msg->add_conn.algorithms.esp)
406 {
407 char *proposal_string;
408 char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1;
409
410 if (*strict == '!')
411 *strict = '\0';
412 else
413 strict = NULL;
414
415 while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ",")))
416 {
417 proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
418 if (proposal == NULL)
419 {
420 DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
421 policy->destroy(policy);
422 connection->destroy(connection);
423 return;
424 }
425 policy->add_proposal(policy, proposal);
426 }
427 if (!strict)
428 {
429 proposal = proposal_create_default(PROTO_ESP);
430 policy->add_proposal(policy, proposal);
431 }
432 }
433 else
434 {
435 proposal = proposal_create_default(PROTO_ESP);
436 policy->add_proposal(policy, proposal);
437 }
438
439 /* add to global connection list */
440 charon->connections->add_connection(charon->connections, connection);
441 DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]",
442 msg->add_conn.name, my_host, my_id, other_host, other_id);
443 /* add to global policy list */
444 charon->policies->add_policy(charon->policies, policy);
445
446 return;
447
448 /* mopping up after parsing errors */
449
450 destroy_ids:
451 my_id->destroy(my_id);
452 other_id->destroy(other_id);
453
454 destroy_hosts:
455 my_host->destroy(my_host);
456 other_host->destroy(other_host);
457 }
458
459 /**
460 * Delete a connection from the list
461 */
462 static void stroke_del_conn(private_stroke_t *this, stroke_msg_t *msg)
463 {
464 status_t status;
465
466 pop_string(msg, &(msg->del_conn.name));
467 DBG1(DBG_CFG, "received stroke: delete '%s'", msg->del_conn.name);
468
469 status = charon->connections->delete_connection(charon->connections,
470 msg->del_conn.name);
471 charon->policies->delete_policy(charon->policies, msg->del_conn.name);
472 if (status == SUCCESS)
473 {
474 fprintf(this->out, "deleted connection '%s'\n", msg->del_conn.name);
475 }
476 else
477 {
478 fprintf(this->out, "no connection named '%s'\n", msg->del_conn.name);
479 }
480 }
481
482 /**
483 * initiate a connection by name
484 */
485 static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
486 {
487 initiate_job_t *job;
488 connection_t *connection;
489 policy_t *policy;
490 ike_sa_t *init_ike_sa = NULL;
491 signal_t signal;
492
493 pop_string(msg, &(msg->initiate.name));
494 DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
495
496 connection = charon->connections->get_connection_by_name(charon->connections,
497 msg->initiate.name);
498 if (connection == NULL)
499 {
500 if (msg->output_verbosity >= 0)
501 {
502 fprintf(this->out, "no connection named '%s'\n", msg->initiate.name);
503 }
504 return;
505 }
506 if (!connection->is_ikev2(connection))
507 {
508 connection->destroy(connection);
509 return;
510 }
511
512 policy = charon->policies->get_policy_by_name(charon->policies,
513 msg->initiate.name);
514 if (policy == NULL)
515 {
516 if (msg->output_verbosity >= 0)
517 {
518 fprintf(this->out, "no policy named '%s'\n", msg->initiate.name);
519 }
520 connection->destroy(connection);
521 return;
522 }
523
524 job = initiate_job_create(connection, policy);
525 /*
526 if (msg->output_verbosity < 0)
527 {
528 TODO: detach immediately if verbosity is SILENT. Local credential store
529 is not threadsave yet, so this would cause crashes!!
530 charon->job_queue->add(charon->job_queue, (job_t*)job);
531 return;
532 }*/
533
534 charon->bus->set_listen_state(charon->bus, TRUE);
535 charon->job_queue->add(charon->job_queue, (job_t*)job);
536 while (TRUE)
537 {
538 level_t level;
539 int thread;
540 ike_sa_t *ike_sa;
541 char* format;
542 va_list args;
543
544 signal = charon->bus->listen(charon->bus, &level, &thread, &ike_sa, &format, &args);
545
546 if ((init_ike_sa == NULL || ike_sa == init_ike_sa) &&
547 level <= msg->output_verbosity)
548 {
549 if (vfprintf(this->out, format, args) < 0 ||
550 fprintf(this->out, "\n") < 0 ||
551 fflush(this->out))
552 {
553 charon->bus->set_listen_state(charon->bus, FALSE);
554 break;
555 }
556 }
557
558 switch (signal)
559 {
560 case CHILD_UP_SUCCESS:
561 case CHILD_UP_FAILED:
562 if (ike_sa == init_ike_sa)
563 {
564 charon->bus->set_listen_state(charon->bus, FALSE);
565 return;
566 }
567 continue;
568 case CHILD_UP_START:
569 case IKE_UP_START:
570 if (init_ike_sa == NULL)
571 {
572 init_ike_sa = ike_sa;
573 }
574 continue;
575 default:
576 continue;
577 }
578 }
579 }
580
581 /**
582 * route/unroute a policy (install SPD entries)
583 */
584 static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route)
585 {
586 route_job_t *job;
587 connection_t *connection;
588 policy_t *policy;
589
590 pop_string(msg, &(msg->route.name));
591 DBG1(DBG_CFG, "received stroke: %s '%s'",
592 route ? "route" : "unroute", msg->route.name);
593
594 /* we wouldn't need a connection, but we only want to route policies
595 * whose connections are keyexchange=ikev2. */
596 connection = charon->connections->get_connection_by_name(charon->connections,
597 msg->route.name);
598 if (connection == NULL)
599 {
600 fprintf(this->out, "no connection named '%s'\n", msg->route.name);
601 return;
602 }
603 if (!connection->is_ikev2(connection))
604 {
605 connection->destroy(connection);
606 return;
607 }
608
609 policy = charon->policies->get_policy_by_name(charon->policies,
610 msg->route.name);
611 if (policy == NULL)
612 {
613 fprintf(this->out, "no policy named '%s'\n", msg->route.name);
614 connection->destroy(connection);
615 return;
616 }
617 fprintf(this->out, "%s policy '%s'\n",
618 route ? "routing" : "unrouting", msg->route.name);
619 job = route_job_create(connection, policy, route);
620 charon->job_queue->add(charon->job_queue, (job_t*)job);
621 }
622
623 /**
624 * terminate a connection by name
625 */
626 static void stroke_terminate(private_stroke_t *this, stroke_msg_t *msg)
627 {
628 pop_string(msg, &(msg->terminate.name));
629 DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
630
631 charon->ike_sa_manager->delete_by_name(charon->ike_sa_manager, msg->terminate.name);
632 }
633
634 /**
635 * show status of daemon
636 */
637 static void stroke_statusall(private_stroke_t *this, stroke_msg_t *msg)
638 {
639 iterator_t *iterator;
640 linked_list_t *list;
641 host_t *host;
642 connection_t *connection;
643 policy_t *policy;
644 ike_sa_t *ike_sa;
645
646 leak_detective_status(this->out);
647
648 fprintf(this->out, "Performance:\n");
649 fprintf(this->out, " worker threads: %d idle of %d,",
650 charon->thread_pool->get_idle_threads(charon->thread_pool),
651 charon->thread_pool->get_pool_size(charon->thread_pool));
652 fprintf(this->out, " job queue load: %d,",
653 charon->job_queue->get_count(charon->job_queue));
654 fprintf(this->out, " scheduled events: %d\n",
655 charon->event_queue->get_count(charon->event_queue));
656 list = charon->socket->create_local_address_list(charon->socket);
657
658 fprintf(this->out, "Listening on %d IP addresses:\n", list->get_count(list));
659 while (list->remove_first(list, (void**)&host) == SUCCESS)
660 {
661 fprintf(this->out, " %H\n", host);
662 host->destroy(host);
663 }
664 list->destroy(list);
665
666 if (msg->status.name)
667 {
668 pop_string(msg, &(msg->status.name));
669 }
670
671 iterator = charon->connections->create_iterator(charon->connections);
672 if (iterator->get_count(iterator) > 0)
673 {
674 fprintf(this->out, "Connections:\n");
675 }
676 while (iterator->iterate(iterator, (void**)&connection))
677 {
678 if (connection->is_ikev2(connection) && (msg->status.name == NULL
679 || streq(msg->status.name, connection->get_name(connection))))
680 {
681 fprintf(this->out, "%12s: %H...%H\n",
682 connection->get_name(connection),
683 connection->get_my_host(connection),
684 connection->get_other_host(connection));
685 }
686 }
687 iterator->destroy(iterator);
688
689 iterator = charon->policies->create_iterator(charon->policies);
690 if (iterator->get_count(iterator) > 0)
691 {
692 fprintf(this->out, "Policies:\n");
693 }
694 while (iterator->iterate(iterator, (void**)&policy))
695 {
696 if (msg->status.name == NULL
697 || streq(msg->status.name, policy->get_name(policy)))
698 {
699 fprintf(this->out, "%12s: '%D'...'%D'\n",
700 policy->get_name(policy),
701 policy->get_my_id(policy),
702 policy->get_other_id(policy));
703 }
704 }
705 iterator->destroy(iterator);
706
707 iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
708 if (iterator->get_count(iterator) > 0)
709 {
710 fprintf(this->out, "Security Associations:\n");
711 }
712 while (iterator->iterate(iterator, (void**)&ike_sa))
713 {
714 bool ike_sa_printed = FALSE;
715 child_sa_t *child_sa;
716 iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
717
718 while (children->iterate(children, (void**)&child_sa))
719 {
720 if (!ike_sa_printed
721 && (msg->status.name == NULL
722 || streq(msg->status.name, child_sa->get_name(child_sa))
723 || streq(msg->status.name, ike_sa->get_name(ike_sa))))
724 {
725 fprintf(this->out, "%#K\n", ike_sa);
726 ike_sa_printed = TRUE;
727 }
728 if (ike_sa_printed)
729 {
730 fprintf(this->out, "%#P\n", child_sa);
731 }
732 }
733 children->destroy(children);
734 }
735 iterator->destroy(iterator);
736 }
737
738 /**
739 * show status of daemon
740 */
741 static void stroke_status(private_stroke_t *this, stroke_msg_t *msg)
742 {
743 iterator_t *iterator;
744 ike_sa_t *ike_sa;
745
746 if (msg->status.name)
747 {
748 pop_string(msg, &(msg->status.name));
749 }
750
751 iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
752 while (iterator->iterate(iterator, (void**)&ike_sa))
753 {
754 bool ike_sa_printed = FALSE;
755 child_sa_t *child_sa;
756 iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
757
758 while (children->iterate(children, (void**)&child_sa))
759 {
760 if (!ike_sa_printed
761 && (msg->status.name == NULL
762 || streq(msg->status.name, child_sa->get_name(child_sa))
763 || streq(msg->status.name, ike_sa->get_name(ike_sa))))
764 {
765 fprintf(this->out, "%K\n", ike_sa);
766 ike_sa_printed = TRUE;
767 }
768 if (ike_sa_printed)
769 {
770 fprintf(this->out, "%P\n", child_sa);
771 }
772 }
773 children->destroy(children);
774 }
775 iterator->destroy(iterator);
776 }
777
778 /**
779 * list various information
780 */
781 static void stroke_list(private_stroke_t *this, stroke_msg_t *msg)
782 {
783 iterator_t *iterator;
784
785 if (msg->list.flags & LIST_CERTS)
786 {
787 x509_t *cert;
788
789 iterator = charon->credentials->create_cert_iterator(charon->credentials);
790 if (iterator->get_count(iterator))
791 {
792 fprintf(this->out, "\n");
793 fprintf(this->out, "List of X.509 End Entity Certificates:\n");
794 fprintf(this->out, "\n");
795 }
796 while (iterator->iterate(iterator, (void**)&cert))
797 {
798 fprintf(this->out, "%#Q", cert, msg->list.utc);
799 if (charon->credentials->has_rsa_private_key(
800 charon->credentials, cert->get_public_key(cert)))
801 {
802 fprintf(this->out, ", has private key");
803 }
804 fprintf(this->out, "\n");
805
806 }
807 iterator->destroy(iterator);
808 }
809 if (msg->list.flags & LIST_CACERTS)
810 {
811 x509_t *cert;
812
813 iterator = charon->credentials->create_cacert_iterator(charon->credentials);
814 if (iterator->get_count(iterator))
815 {
816 fprintf(this->out, "\n");
817 fprintf(this->out, "List of X.509 CA Certificates:\n");
818 fprintf(this->out, "\n");
819 }
820 while (iterator->iterate(iterator, (void**)&cert))
821 {
822 fprintf(this->out, "%#Q\n", cert, msg->list.utc);
823 }
824 iterator->destroy(iterator);
825 }
826 if (msg->list.flags & LIST_CRLS)
827 {
828 crl_t *crl;
829
830 iterator = charon->credentials->create_crl_iterator(charon->credentials);
831 if (iterator->get_count(iterator))
832 {
833 fprintf(this->out, "\n");
834 fprintf(this->out, "List of X.509 CRLs:\n");
835 fprintf(this->out, "\n");
836 }
837 while (iterator->iterate(iterator, (void**)&crl))
838 {
839 fprintf(this->out, "%#U\n", crl, msg->list.utc);
840 }
841 iterator->destroy(iterator);
842 }
843 }
844
845 /**
846 * reread various information
847 */
848 static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg)
849 {
850 if (msg->reread.flags & REREAD_CACERTS)
851 {
852 charon->credentials->load_ca_certificates(charon->credentials);
853 }
854 if (msg->reread.flags & REREAD_CRLS)
855 {
856 charon->credentials->load_crls(charon->credentials);
857 }
858 }
859
860 signal_t get_signal_from_logtype(char *type)
861 {
862 if (strcasecmp(type, "any") == 0) return SIG_ANY;
863 else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
864 else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
865 else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
866 else if (strcasecmp(type, "job") == 0) return DBG_JOB;
867 else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
868 else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
869 else if (strcasecmp(type, "net") == 0) return DBG_NET;
870 else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
871 else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
872 else return -1;
873 }
874
875 /**
876 * set the verbosity debug output
877 */
878 static void stroke_loglevel(private_stroke_t *this, stroke_msg_t *msg)
879 {
880 signal_t signal;
881
882 pop_string(msg, &(msg->loglevel.type));
883 DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
884 msg->loglevel.level, msg->loglevel.type);
885
886 signal = get_signal_from_logtype(msg->loglevel.type);
887 if (signal < 0)
888 {
889 fprintf(this->out, "invalid type (%s)!\n", msg->loglevel.type);
890 return;
891 }
892
893 charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
894 charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
895 }
896
897 /**
898 * Implementation of private_stroke_t.stroke_receive.
899 */
900 static void stroke_receive(private_stroke_t *this)
901 {
902 stroke_msg_t *msg;
903 u_int16_t msg_length;
904 struct sockaddr_un strokeaddr;
905 int strokeaddrlen = sizeof(strokeaddr);
906 ssize_t bytes_read;
907 int strokefd;
908 int oldstate;
909
910 /* ignore sigpipe. writing over the pipe back to the console
911 * only fails if SIGPIPE is ignored. */
912 signal(SIGPIPE, SIG_IGN);
913
914 /* disable cancellation by default */
915 pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
916
917 while (1)
918 {
919 /* wait for connections, but allow thread to terminate */
920 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
921 strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
922 pthread_setcancelstate(oldstate, NULL);
923
924 if (strokefd < 0)
925 {
926 DBG1(DBG_CFG, "accepting stroke connection failed: %m");
927 continue;
928 }
929
930 /* peek the length */
931 bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
932 if (bytes_read != sizeof(msg_length))
933 {
934 DBG1(DBG_CFG, "reading lenght of stroke message failed");
935 close(strokefd);
936 continue;
937 }
938
939 /* read message */
940 msg = malloc(msg_length);
941 bytes_read = recv(strokefd, msg, msg_length, 0);
942 if (bytes_read != msg_length)
943 {
944 DBG1(DBG_CFG, "reading stroke message failed: %m");
945 close(strokefd);
946 continue;
947 }
948
949 this->out = fdopen(dup(strokefd), "w");
950 if (this->out == NULL)
951 {
952 DBG1(DBG_CFG, "opening stroke output channel failed: %m");
953 close(strokefd);
954 free(msg);
955 continue;
956 }
957
958 DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
959
960 switch (msg->type)
961 {
962 case STR_INITIATE:
963 stroke_initiate(this, msg);
964 break;
965 case STR_ROUTE:
966 stroke_route(this, msg, TRUE);
967 break;
968 case STR_UNROUTE:
969 stroke_route(this, msg, FALSE);
970 break;
971 case STR_TERMINATE:
972 stroke_terminate(this, msg);
973 break;
974 case STR_STATUS:
975 stroke_status(this, msg);
976 break;
977 case STR_STATUS_ALL:
978 stroke_statusall(this, msg);
979 break;
980 case STR_ADD_CONN:
981 stroke_add_conn(this, msg);
982 break;
983 case STR_DEL_CONN:
984 stroke_del_conn(this, msg);
985 break;
986 case STR_LOGLEVEL:
987 stroke_loglevel(this, msg);
988 break;
989 case STR_LIST:
990 stroke_list(this, msg);
991 break;
992 case STR_REREAD:
993 stroke_reread(this, msg);
994 break;
995 default:
996 DBG1(DBG_CFG, "received unknown stroke");
997 }
998 fclose(this->out);
999 close(strokefd);
1000 free(msg);
1001 }
1002 }
1003
1004 /**
1005 * Implementation of stroke_t.destroy.
1006 */
1007 static void destroy(private_stroke_t *this)
1008 {
1009 pthread_cancel(this->assigned_thread);
1010 pthread_join(this->assigned_thread, NULL);
1011
1012 close(this->socket);
1013 unlink(socket_addr.sun_path);
1014 free(this);
1015 }
1016
1017 /*
1018 * Described in header-file
1019 */
1020 stroke_t *stroke_create()
1021 {
1022 private_stroke_t *this = malloc_thing(private_stroke_t);
1023 mode_t old;
1024
1025 /* public functions */
1026 this->public.destroy = (void (*)(stroke_t*))destroy;
1027
1028 /* set up unix socket */
1029 this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
1030 if (this->socket == -1)
1031 {
1032 DBG1(DBG_CFG, "could not create whack socket");
1033 free(this);
1034 return NULL;
1035 }
1036
1037 old = umask(~S_IRWXU);
1038 if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
1039 {
1040 DBG1(DBG_CFG, "could not bind stroke socket: %m");
1041 close(this->socket);
1042 free(this);
1043 return NULL;
1044 }
1045 umask(old);
1046
1047 if (listen(this->socket, 0) < 0)
1048 {
1049 DBG1(DBG_CFG, "could not listen on stroke socket: %m");
1050 close(this->socket);
1051 unlink(socket_addr.sun_path);
1052 free(this);
1053 return NULL;
1054 }
1055
1056 /* start a thread reading from the socket */
1057 if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0)
1058 {
1059 DBG1(DBG_CFG, "could not spawn stroke thread");
1060 close(this->socket);
1061 unlink(socket_addr.sun_path);
1062 free(this);
1063 return NULL;
1064 }
1065
1066 return (&this->public);
1067 }
strongSwan - IPsec VPN