proposal: correctly enumerate registered AEADs to build default IKE proposal
[strongswan.git] / src / libcharon / config / backend_manager.c
1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "backend_manager.h"
17
18 #include <sys/types.h>
19
20 #include <daemon.h>
21 #include <collections/linked_list.h>
22 #include <threading/rwlock.h>
23
24
25 typedef struct private_backend_manager_t private_backend_manager_t;
26
27 /**
28 * Private data of an backend_manager_t object.
29 */
30 struct private_backend_manager_t {
31
32 /**
33 * Public part of backend_manager_t object.
34 */
35 backend_manager_t public;
36
37 /**
38 * list of registered backends
39 */
40 linked_list_t *backends;
41
42 /**
43 * rwlock for backends
44 */
45 rwlock_t *lock;
46 };
47
48 /**
49 * match of an ike_cfg
50 */
51 typedef enum ike_cfg_match_t {
52 /* doesn't match at all */
53 MATCH_NONE = 0x00,
54 /* match for a %any host. For both hosts, hence skip 0x02 */
55 MATCH_ANY = 0x01,
56 /* IKE version matches exactly (config is not for any version) */
57 MATCH_VERSION = 0x04,
58 /* local identity matches */
59 MATCH_ME = 0x08,
60 /* remote identity matches */
61 MATCH_OTHER = 0x10,
62 } ike_cfg_match_t;
63
64 /**
65 * data to pass nested IKE enumerator
66 */
67 typedef struct {
68 private_backend_manager_t *this;
69 host_t *me;
70 host_t *other;
71 } ike_data_t;
72
73 /**
74 * inner enumerator constructor for IKE cfgs
75 */
76 static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
77 {
78 return backend->create_ike_cfg_enumerator(backend, data->me, data->other);
79 }
80
81 /**
82 * get a match of a candidate ike_cfg for two hosts
83 */
84 static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other,
85 ike_version_t version)
86 {
87 host_t *me_cand, *other_cand;
88 char *my_addr, *other_addr;
89 bool my_allow_any, other_allow_any;
90 ike_cfg_match_t match = MATCH_NONE;
91
92 if (cand->get_version(cand) != IKE_ANY &&
93 version != cand->get_version(cand))
94 {
95 return MATCH_NONE;
96 }
97
98 if (me)
99 {
100 my_addr = cand->get_my_addr(cand, &my_allow_any);
101 me_cand = host_create_from_dns(my_addr, me->get_family(me), 0);
102 if (!me_cand)
103 {
104 return MATCH_NONE;
105 }
106 if (me_cand->ip_equals(me_cand, me))
107 {
108 match += MATCH_ME;
109 }
110 else if (my_allow_any || me_cand->is_anyaddr(me_cand))
111 {
112 match += MATCH_ANY;
113 }
114 else
115 {
116 me_cand->destroy(me_cand);
117 return MATCH_NONE;
118 }
119 me_cand->destroy(me_cand);
120 }
121 else
122 {
123 match += MATCH_ANY;
124 }
125
126 if (other)
127 {
128 other_addr = cand->get_other_addr(cand, &other_allow_any);
129 other_cand = host_create_from_dns(other_addr, other->get_family(other), 0);
130 if (!other_cand)
131 {
132 return MATCH_NONE;
133 }
134 if (other_cand->ip_equals(other_cand, other))
135 {
136 match += MATCH_OTHER;
137 }
138 else if (other_allow_any || other_cand->is_anyaddr(other_cand))
139 {
140 match += MATCH_ANY;
141 }
142 else
143 {
144 other_cand->destroy(other_cand);
145 return MATCH_NONE;
146 }
147 other_cand->destroy(other_cand);
148 }
149 else
150 {
151 match += MATCH_ANY;
152 }
153
154 if (match != MATCH_NONE &&
155 cand->get_version(cand) != IKE_ANY)
156 { /* if we have a match, improve it if candidate version specified */
157 match += MATCH_VERSION;
158 }
159 return match;
160 }
161
162 METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
163 private_backend_manager_t *this, host_t *me, host_t *other,
164 ike_version_t version)
165 {
166 ike_cfg_t *current, *found = NULL;
167 char *my_addr, *other_addr;
168 bool my_allow_any, other_allow_any;
169 enumerator_t *enumerator;
170 ike_cfg_match_t match, best = MATCH_ANY;
171 ike_data_t *data;
172
173 INIT(data,
174 .this = this,
175 .me = me,
176 .other = other,
177 );
178
179 DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
180
181 this->lock->read_lock(this->lock);
182 enumerator = enumerator_create_nested(
183 this->backends->create_enumerator(this->backends),
184 (void*)ike_enum_create, data, (void*)free);
185 while (enumerator->enumerate(enumerator, (void**)&current))
186 {
187 match = get_ike_match(current, me, other, version);
188 DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
189 match, me, other, ike_version_names, version);
190 if (match)
191 {
192 my_addr = current->get_my_addr(current, &my_allow_any);
193 other_addr = current->get_other_addr(current, &other_allow_any);
194 DBG2(DBG_CFG, " candidate: %s%s...%s%s, prio %d",
195 my_allow_any ? "%":"", my_addr,
196 other_allow_any ? "%":"", other_addr, match);
197 if (match > best)
198 {
199 DESTROY_IF(found);
200 found = current;
201 found->get_ref(found);
202 best = match;
203 }
204 }
205 }
206 enumerator->destroy(enumerator);
207 this->lock->unlock(this->lock);
208 if (found)
209 {
210 my_addr = found->get_my_addr(found, &my_allow_any);
211 other_addr = found->get_other_addr(found, &other_allow_any);
212 DBG2(DBG_CFG, "found matching ike config: %s%s...%s%s with prio %d",
213 my_allow_any ? "%":"", my_addr,
214 other_allow_any ? "%":"", other_addr, best);
215 }
216 return found;
217 }
218
219 /**
220 * Get the best ID match in one of the configs auth_cfg
221 */
222 static id_match_t get_peer_match(identification_t *id,
223 peer_cfg_t *cfg, bool local)
224 {
225 enumerator_t *enumerator;
226 auth_cfg_t *auth;
227 identification_t *candidate;
228 id_match_t match = ID_MATCH_NONE;
229 char *where = local ? "local" : "remote";
230 chunk_t data;
231
232 if (!id)
233 {
234 DBG3(DBG_CFG, "peer config match %s: %d (%N)",
235 where, ID_MATCH_ANY, id_type_names, ID_ANY);
236 return ID_MATCH_ANY;
237 }
238
239 /* compare first auth config only */
240 enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
241 if (enumerator->enumerate(enumerator, &auth))
242 {
243 candidate = auth->get(auth, AUTH_RULE_IDENTITY);
244 if (candidate)
245 {
246 match = id->matches(id, candidate);
247 /* match vice-versa, as the proposed IDr might be ANY */
248 if (!match)
249 {
250 match = candidate->matches(candidate, id);
251 }
252 }
253 else
254 {
255 match = ID_MATCH_ANY;
256 }
257 }
258 enumerator->destroy(enumerator);
259
260 data = id->get_encoding(id);
261 DBG3(DBG_CFG, "peer config match %s: %d (%N -> %#B)",
262 where, match, id_type_names, id->get_type(id), &data);
263 return match;
264 }
265
266 /**
267 * data to pass nested peer enumerator
268 */
269 typedef struct {
270 rwlock_t *lock;
271 identification_t *me;
272 identification_t *other;
273 } peer_data_t;
274
275 /**
276 * list element to help sorting
277 */
278 typedef struct {
279 id_match_t match_peer;
280 ike_cfg_match_t match_ike;
281 peer_cfg_t *cfg;
282 } match_entry_t;
283
284 /**
285 * inner enumerator constructor for peer cfgs
286 */
287 static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
288 {
289 return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
290 }
291
292 /**
293 * unlock/cleanup peer enumerator
294 */
295 static void peer_enum_destroy(peer_data_t *data)
296 {
297 data->lock->unlock(data->lock);
298 free(data);
299 }
300
301 /**
302 * convert enumerator value from match_entry to config
303 */
304 static bool peer_enum_filter(linked_list_t *configs,
305 match_entry_t **in, peer_cfg_t **out)
306 {
307 *out = (*in)->cfg;
308 return TRUE;
309 }
310
311 /**
312 * Clean up temporary config list
313 */
314 static void peer_enum_filter_destroy(linked_list_t *configs)
315 {
316 match_entry_t *entry;
317
318 while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
319 {
320 entry->cfg->destroy(entry->cfg);
321 free(entry);
322 }
323 configs->destroy(configs);
324 }
325
326 /**
327 * Insert entry into match-sorted list, using helper
328 */
329 static void insert_sorted(match_entry_t *entry, linked_list_t *list,
330 linked_list_t *helper)
331 {
332 match_entry_t *current;
333
334 while (list->remove_first(list, (void**)&current) == SUCCESS)
335 {
336 helper->insert_last(helper, current);
337 }
338 while (helper->remove_first(helper, (void**)&current) == SUCCESS)
339 {
340 if (entry && (
341 (entry->match_ike > current->match_ike &&
342 entry->match_peer >= current->match_peer) ||
343 (entry->match_ike >= current->match_ike &&
344 entry->match_peer > current->match_peer)))
345 {
346 list->insert_last(list, entry);
347 entry = NULL;
348 }
349 list->insert_last(list, current);
350 }
351 if (entry)
352 {
353 list->insert_last(list, entry);
354 }
355 }
356
357 METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
358 private_backend_manager_t *this, host_t *me, host_t *other,
359 identification_t *my_id, identification_t *other_id, ike_version_t version)
360 {
361 enumerator_t *enumerator;
362 peer_data_t *data;
363 peer_cfg_t *cfg;
364 linked_list_t *configs, *helper;
365
366 INIT(data,
367 .lock = this->lock,
368 .me = my_id,
369 .other = other_id,
370 );
371
372 /* create a sorted list with all matches */
373 this->lock->read_lock(this->lock);
374 enumerator = enumerator_create_nested(
375 this->backends->create_enumerator(this->backends),
376 (void*)peer_enum_create, data, (void*)peer_enum_destroy);
377
378 if (!me && !other && !my_id && !other_id)
379 { /* shortcut if we are doing a "listall" */
380 return enumerator;
381 }
382
383 configs = linked_list_create();
384 /* only once allocated helper list for sorting */
385 helper = linked_list_create();
386 while (enumerator->enumerate(enumerator, &cfg))
387 {
388 id_match_t match_peer_me, match_peer_other;
389 ike_cfg_match_t match_ike;
390 match_entry_t *entry;
391
392 match_peer_me = get_peer_match(my_id, cfg, TRUE);
393 match_peer_other = get_peer_match(other_id, cfg, FALSE);
394 match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other, version);
395 DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
396 match_ike, me, other, ike_version_names, version);
397
398 if (match_peer_me && match_peer_other && match_ike)
399 {
400 DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)",
401 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
402
403 INIT(entry,
404 .match_peer = match_peer_me + match_peer_other,
405 .match_ike = match_ike,
406 .cfg = cfg->get_ref(cfg),
407 );
408 insert_sorted(entry, configs, helper);
409 }
410 }
411 enumerator->destroy(enumerator);
412 helper->destroy(helper);
413
414 return enumerator_create_filter(configs->create_enumerator(configs),
415 (void*)peer_enum_filter, configs,
416 (void*)peer_enum_filter_destroy);
417 }
418
419 METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*,
420 private_backend_manager_t *this, char *name)
421 {
422 backend_t *backend;
423 peer_cfg_t *config = NULL;
424 enumerator_t *enumerator;
425
426 this->lock->read_lock(this->lock);
427 enumerator = this->backends->create_enumerator(this->backends);
428 while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
429 {
430 config = backend->get_peer_cfg_by_name(backend, name);
431 }
432 enumerator->destroy(enumerator);
433 this->lock->unlock(this->lock);
434 return config;
435 }
436
437 METHOD(backend_manager_t, remove_backend, void,
438 private_backend_manager_t *this, backend_t *backend)
439 {
440 this->lock->write_lock(this->lock);
441 this->backends->remove(this->backends, backend, NULL);
442 this->lock->unlock(this->lock);
443 }
444
445 METHOD(backend_manager_t, add_backend, void,
446 private_backend_manager_t *this, backend_t *backend)
447 {
448 this->lock->write_lock(this->lock);
449 this->backends->insert_last(this->backends, backend);
450 this->lock->unlock(this->lock);
451 }
452
453 METHOD(backend_manager_t, destroy, void,
454 private_backend_manager_t *this)
455 {
456 this->backends->destroy(this->backends);
457 this->lock->destroy(this->lock);
458 free(this);
459 }
460
461 /*
462 * Described in header-file
463
464 */
465 backend_manager_t *backend_manager_create()
466 {
467 private_backend_manager_t *this;
468
469 INIT(this,
470 .public = {
471 .get_ike_cfg = _get_ike_cfg,
472 .get_peer_cfg_by_name = _get_peer_cfg_by_name,
473 .create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
474 .add_backend = _add_backend,
475 .remove_backend = _remove_backend,
476 .destroy = _destroy,
477 },
478 .backends = linked_list_create(),
479 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
480 );
481
482 return &this->public;
483 }
484