ca25051897d1ba3c181c16d68a2fffc958649862
[strongswan.git] / src / libcharon / config / backend_manager.c
1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "backend_manager.h"
17
18 #include <sys/types.h>
19
20 #include <daemon.h>
21 #include <collections/linked_list.h>
22 #include <threading/rwlock.h>
23
24
25 typedef struct private_backend_manager_t private_backend_manager_t;
26
27 /**
28 * Private data of an backend_manager_t object.
29 */
30 struct private_backend_manager_t {
31
32 /**
33 * Public part of backend_manager_t object.
34 */
35 backend_manager_t public;
36
37 /**
38 * list of registered backends
39 */
40 linked_list_t *backends;
41
42 /**
43 * rwlock for backends
44 */
45 rwlock_t *lock;
46 };
47
48 /**
49 * match of an ike_cfg
50 */
51 typedef enum ike_cfg_match_t {
52 /* doesn't match at all */
53 MATCH_NONE = 0x00,
54 /* match for a %any host. For both hosts, hence skip 0x02 */
55 MATCH_ANY = 0x01,
56 /* IKE version matches exactly (config is not for any version) */
57 MATCH_VERSION = 0x04,
58 /* local identity matches */
59 MATCH_ME = 0x08,
60 /* remote identity matches */
61 MATCH_OTHER = 0x10,
62 } ike_cfg_match_t;
63
64 /**
65 * data to pass nested IKE enumerator
66 */
67 typedef struct {
68 private_backend_manager_t *this;
69 host_t *me;
70 host_t *other;
71 } ike_data_t;
72
73 /**
74 * inner enumerator constructor for IKE cfgs
75 */
76 static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
77 {
78 return backend->create_ike_cfg_enumerator(backend, data->me, data->other);
79 }
80
81 /**
82 * get a match of a candidate ike_cfg for two hosts
83 */
84 static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other,
85 ike_version_t version)
86 {
87 ike_cfg_match_t match = MATCH_NONE;
88 int quality;
89
90 if (cand->get_version(cand) != IKE_ANY &&
91 version != cand->get_version(cand))
92 {
93 return MATCH_NONE;
94 }
95
96 if (me)
97 {
98 quality = cand->match_me(cand, me);
99 if (!quality)
100 {
101 return MATCH_NONE;
102 }
103 match += quality * MATCH_ME;
104 }
105 else
106 {
107 match += MATCH_ANY;
108 }
109
110 if (other)
111 {
112 quality = cand->match_other(cand, other);
113 if (!quality)
114 {
115 return MATCH_NONE;
116 }
117 match += quality * MATCH_OTHER;
118 }
119 else
120 {
121 match += MATCH_ANY;
122 }
123
124 if (match != MATCH_NONE &&
125 cand->get_version(cand) != IKE_ANY)
126 { /* if we have a match, improve it if candidate version specified */
127 match += MATCH_VERSION;
128 }
129 return match;
130 }
131
132 METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
133 private_backend_manager_t *this, host_t *me, host_t *other,
134 ike_version_t version)
135 {
136 ike_cfg_t *current, *found = NULL;
137 char *my_addr, *other_addr;
138 bool my_allow_any, other_allow_any;
139 enumerator_t *enumerator;
140 ike_cfg_match_t match, best = MATCH_ANY;
141 ike_data_t *data;
142
143 INIT(data,
144 .this = this,
145 .me = me,
146 .other = other,
147 );
148
149 DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
150
151 this->lock->read_lock(this->lock);
152 enumerator = enumerator_create_nested(
153 this->backends->create_enumerator(this->backends),
154 (void*)ike_enum_create, data, (void*)free);
155 while (enumerator->enumerate(enumerator, (void**)&current))
156 {
157 match = get_ike_match(current, me, other, version);
158 DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
159 match, me, other, ike_version_names, version);
160 if (match)
161 {
162 my_addr = current->get_my_addr(current, &my_allow_any);
163 other_addr = current->get_other_addr(current, &other_allow_any);
164 DBG2(DBG_CFG, " candidate: %s%s...%s%s, prio %d",
165 my_allow_any ? "%":"", my_addr,
166 other_allow_any ? "%":"", other_addr, match);
167 if (match > best)
168 {
169 DESTROY_IF(found);
170 found = current;
171 found->get_ref(found);
172 best = match;
173 }
174 }
175 }
176 enumerator->destroy(enumerator);
177 this->lock->unlock(this->lock);
178 if (found)
179 {
180 my_addr = found->get_my_addr(found, &my_allow_any);
181 other_addr = found->get_other_addr(found, &other_allow_any);
182 DBG2(DBG_CFG, "found matching ike config: %s%s...%s%s with prio %d",
183 my_allow_any ? "%":"", my_addr,
184 other_allow_any ? "%":"", other_addr, best);
185 }
186 return found;
187 }
188
189 /**
190 * Get the best ID match in one of the configs auth_cfg
191 */
192 static id_match_t get_peer_match(identification_t *id,
193 peer_cfg_t *cfg, bool local)
194 {
195 enumerator_t *enumerator;
196 auth_cfg_t *auth;
197 identification_t *candidate;
198 id_match_t match = ID_MATCH_NONE;
199 char *where = local ? "local" : "remote";
200 chunk_t data;
201
202 if (!id)
203 {
204 DBG3(DBG_CFG, "peer config match %s: %d (%N)",
205 where, ID_MATCH_ANY, id_type_names, ID_ANY);
206 return ID_MATCH_ANY;
207 }
208
209 /* compare first auth config only */
210 enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
211 if (enumerator->enumerate(enumerator, &auth))
212 {
213 candidate = auth->get(auth, AUTH_RULE_IDENTITY);
214 if (candidate)
215 {
216 match = id->matches(id, candidate);
217 /* match vice-versa, as the proposed IDr might be ANY */
218 if (!match)
219 {
220 match = candidate->matches(candidate, id);
221 }
222 }
223 else
224 {
225 match = ID_MATCH_ANY;
226 }
227 }
228 enumerator->destroy(enumerator);
229
230 data = id->get_encoding(id);
231 DBG3(DBG_CFG, "peer config match %s: %d (%N -> %#B)",
232 where, match, id_type_names, id->get_type(id), &data);
233 return match;
234 }
235
236 /**
237 * data to pass nested peer enumerator
238 */
239 typedef struct {
240 rwlock_t *lock;
241 identification_t *me;
242 identification_t *other;
243 } peer_data_t;
244
245 /**
246 * list element to help sorting
247 */
248 typedef struct {
249 id_match_t match_peer;
250 ike_cfg_match_t match_ike;
251 peer_cfg_t *cfg;
252 } match_entry_t;
253
254 /**
255 * inner enumerator constructor for peer cfgs
256 */
257 static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
258 {
259 return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
260 }
261
262 /**
263 * unlock/cleanup peer enumerator
264 */
265 static void peer_enum_destroy(peer_data_t *data)
266 {
267 data->lock->unlock(data->lock);
268 free(data);
269 }
270
271 /**
272 * convert enumerator value from match_entry to config
273 */
274 static bool peer_enum_filter(linked_list_t *configs,
275 match_entry_t **in, peer_cfg_t **out)
276 {
277 *out = (*in)->cfg;
278 return TRUE;
279 }
280
281 /**
282 * Clean up temporary config list
283 */
284 static void peer_enum_filter_destroy(linked_list_t *configs)
285 {
286 match_entry_t *entry;
287
288 while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
289 {
290 entry->cfg->destroy(entry->cfg);
291 free(entry);
292 }
293 configs->destroy(configs);
294 }
295
296 /**
297 * Insert entry into match-sorted list, using helper
298 */
299 static void insert_sorted(match_entry_t *entry, linked_list_t *list,
300 linked_list_t *helper)
301 {
302 match_entry_t *current;
303
304 while (list->remove_first(list, (void**)&current) == SUCCESS)
305 {
306 helper->insert_last(helper, current);
307 }
308 while (helper->remove_first(helper, (void**)&current) == SUCCESS)
309 {
310 if (entry && (
311 (entry->match_ike > current->match_ike &&
312 entry->match_peer >= current->match_peer) ||
313 (entry->match_ike >= current->match_ike &&
314 entry->match_peer > current->match_peer)))
315 {
316 list->insert_last(list, entry);
317 entry = NULL;
318 }
319 list->insert_last(list, current);
320 }
321 if (entry)
322 {
323 list->insert_last(list, entry);
324 }
325 }
326
327 METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
328 private_backend_manager_t *this, host_t *me, host_t *other,
329 identification_t *my_id, identification_t *other_id, ike_version_t version)
330 {
331 enumerator_t *enumerator;
332 peer_data_t *data;
333 peer_cfg_t *cfg;
334 linked_list_t *configs, *helper;
335
336 INIT(data,
337 .lock = this->lock,
338 .me = my_id,
339 .other = other_id,
340 );
341
342 /* create a sorted list with all matches */
343 this->lock->read_lock(this->lock);
344 enumerator = enumerator_create_nested(
345 this->backends->create_enumerator(this->backends),
346 (void*)peer_enum_create, data, (void*)peer_enum_destroy);
347
348 if (!me && !other && !my_id && !other_id)
349 { /* shortcut if we are doing a "listall" */
350 return enumerator;
351 }
352
353 configs = linked_list_create();
354 /* only once allocated helper list for sorting */
355 helper = linked_list_create();
356 while (enumerator->enumerate(enumerator, &cfg))
357 {
358 id_match_t match_peer_me, match_peer_other;
359 ike_cfg_match_t match_ike;
360 match_entry_t *entry;
361
362 match_peer_me = get_peer_match(my_id, cfg, TRUE);
363 match_peer_other = get_peer_match(other_id, cfg, FALSE);
364 match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other, version);
365 DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
366 match_ike, me, other, ike_version_names, version);
367
368 if (match_peer_me && match_peer_other && match_ike)
369 {
370 DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)",
371 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
372
373 INIT(entry,
374 .match_peer = match_peer_me + match_peer_other,
375 .match_ike = match_ike,
376 .cfg = cfg->get_ref(cfg),
377 );
378 insert_sorted(entry, configs, helper);
379 }
380 }
381 enumerator->destroy(enumerator);
382 helper->destroy(helper);
383
384 return enumerator_create_filter(configs->create_enumerator(configs),
385 (void*)peer_enum_filter, configs,
386 (void*)peer_enum_filter_destroy);
387 }
388
389 METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*,
390 private_backend_manager_t *this, char *name)
391 {
392 backend_t *backend;
393 peer_cfg_t *config = NULL;
394 enumerator_t *enumerator;
395
396 this->lock->read_lock(this->lock);
397 enumerator = this->backends->create_enumerator(this->backends);
398 while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
399 {
400 config = backend->get_peer_cfg_by_name(backend, name);
401 }
402 enumerator->destroy(enumerator);
403 this->lock->unlock(this->lock);
404 return config;
405 }
406
407 METHOD(backend_manager_t, remove_backend, void,
408 private_backend_manager_t *this, backend_t *backend)
409 {
410 this->lock->write_lock(this->lock);
411 this->backends->remove(this->backends, backend, NULL);
412 this->lock->unlock(this->lock);
413 }
414
415 METHOD(backend_manager_t, add_backend, void,
416 private_backend_manager_t *this, backend_t *backend)
417 {
418 this->lock->write_lock(this->lock);
419 this->backends->insert_last(this->backends, backend);
420 this->lock->unlock(this->lock);
421 }
422
423 METHOD(backend_manager_t, destroy, void,
424 private_backend_manager_t *this)
425 {
426 this->backends->destroy(this->backends);
427 this->lock->destroy(this->lock);
428 free(this);
429 }
430
431 /*
432 * Described in header-file
433
434 */
435 backend_manager_t *backend_manager_create()
436 {
437 private_backend_manager_t *this;
438
439 INIT(this,
440 .public = {
441 .get_ike_cfg = _get_ike_cfg,
442 .get_peer_cfg_by_name = _get_peer_cfg_by_name,
443 .create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
444 .add_backend = _add_backend,
445 .remove_backend = _remove_backend,
446 .destroy = _destroy,
447 },
448 .backends = linked_list_create(),
449 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
450 );
451
452 return &this->public;
453 }