Fixed some typos in comments
[strongswan.git] / src / libcharon / plugins / stroke / stroke_config.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "stroke_config.h"
18
19 #include <hydra.h>
20 #include <daemon.h>
21 #include <threading/mutex.h>
22 #include <utils/lexparser.h>
23
24 typedef struct private_stroke_config_t private_stroke_config_t;
25
26 /**
27 * private data of stroke_config
28 */
29 struct private_stroke_config_t {
30
31 /**
32 * public functions
33 */
34 stroke_config_t public;
35
36 /**
37 * list of peer_cfg_t
38 */
39 linked_list_t *list;
40
41 /**
42 * mutex to lock config list
43 */
44 mutex_t *mutex;
45
46 /**
47 * ca sections
48 */
49 stroke_ca_t *ca;
50
51 /**
52 * credentials
53 */
54 stroke_cred_t *cred;
55
56 /**
57 * Virtual IP pool / DNS backend
58 */
59 stroke_attribute_t *attributes;
60 };
61
62 METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
63 private_stroke_config_t *this, identification_t *me, identification_t *other)
64 {
65 this->mutex->lock(this->mutex);
66 return enumerator_create_cleaner(this->list->create_enumerator(this->list),
67 (void*)this->mutex->unlock, this->mutex);
68 }
69
70 /**
71 * filter function for ike configs
72 */
73 static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
74 {
75 *out = (*in)->get_ike_cfg(*in);
76 return TRUE;
77 }
78
79 METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
80 private_stroke_config_t *this, host_t *me, host_t *other)
81 {
82 this->mutex->lock(this->mutex);
83 return enumerator_create_filter(this->list->create_enumerator(this->list),
84 (void*)ike_filter, this->mutex,
85 (void*)this->mutex->unlock);
86 }
87
88 METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
89 private_stroke_config_t *this, char *name)
90 {
91 enumerator_t *e1, *e2;
92 peer_cfg_t *current, *found = NULL;
93 child_cfg_t *child;
94
95 this->mutex->lock(this->mutex);
96 e1 = this->list->create_enumerator(this->list);
97 while (e1->enumerate(e1, &current))
98 {
99 /* compare peer_cfgs name first */
100 if (streq(current->get_name(current), name))
101 {
102 found = current;
103 found->get_ref(found);
104 break;
105 }
106 /* compare all child_cfg names otherwise */
107 e2 = current->create_child_cfg_enumerator(current);
108 while (e2->enumerate(e2, &child))
109 {
110 if (streq(child->get_name(child), name))
111 {
112 found = current;
113 found->get_ref(found);
114 break;
115 }
116 }
117 e2->destroy(e2);
118 if (found)
119 {
120 break;
121 }
122 }
123 e1->destroy(e1);
124 this->mutex->unlock(this->mutex);
125 return found;
126 }
127
128 /**
129 * parse a proposal string, either into ike_cfg or child_cfg
130 */
131 static void add_proposals(private_stroke_config_t *this, char *string,
132 ike_cfg_t *ike_cfg, child_cfg_t *child_cfg)
133 {
134 if (string)
135 {
136 char *single;
137 char *strict;
138 proposal_t *proposal;
139 protocol_id_t proto = PROTO_ESP;
140
141 if (ike_cfg)
142 {
143 proto = PROTO_IKE;
144 }
145 strict = string + strlen(string) - 1;
146 if (*strict == '!')
147 {
148 *strict = '\0';
149 }
150 else
151 {
152 strict = NULL;
153 }
154 while ((single = strsep(&string, ",")))
155 {
156 proposal = proposal_create_from_string(proto, single);
157 if (proposal)
158 {
159 if (ike_cfg)
160 {
161 ike_cfg->add_proposal(ike_cfg, proposal);
162 }
163 else
164 {
165 child_cfg->add_proposal(child_cfg, proposal);
166 }
167 continue;
168 }
169 DBG1(DBG_CFG, "skipped invalid proposal string: %s", single);
170 }
171 if (strict)
172 {
173 return;
174 }
175 /* add default porposal to the end if not strict */
176 }
177 if (ike_cfg)
178 {
179 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
180 }
181 else
182 {
183 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
184 }
185 }
186
187 /**
188 * Build an IKE config from a stroke message
189 */
190 static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg)
191 {
192 stroke_end_t tmp_end;
193 ike_cfg_t *ike_cfg;
194 host_t *host;
195 u_int16_t ikeport;
196
197 host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
198 if (host)
199 {
200 if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
201 host, NULL))
202 {
203 DBG2(DBG_CFG, "left is other host, swapping ends");
204 tmp_end = msg->add_conn.me;
205 msg->add_conn.me = msg->add_conn.other;
206 msg->add_conn.other = tmp_end;
207 host->destroy(host);
208 }
209 else
210 {
211 host->destroy(host);
212 host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
213 if (host)
214 {
215 if (!hydra->kernel_interface->get_interface(
216 hydra->kernel_interface, host, NULL))
217 {
218 DBG1(DBG_CFG, "left nor right host is our side, "
219 "assuming left=local");
220 }
221 host->destroy(host);
222 }
223 }
224 }
225 ikeport = msg->add_conn.me.ikeport;
226 ikeport = (ikeport == IKEV2_UDP_PORT) ?
227 charon->socket->get_port(charon->socket, FALSE) : ikeport;
228 ike_cfg = ike_cfg_create(msg->add_conn.version,
229 msg->add_conn.other.sendcert != CERT_NEVER_SEND,
230 msg->add_conn.force_encap,
231 msg->add_conn.me.address,
232 msg->add_conn.me.allow_any,
233 ikeport,
234 msg->add_conn.other.address,
235 msg->add_conn.other.allow_any,
236 msg->add_conn.other.ikeport);
237 add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
238 return ike_cfg;
239 }
240
241 /**
242 * Add CRL constraint to config
243 */
244 static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
245 {
246 /* CRL/OCSP policy, for remote config only */
247 if (!local)
248 {
249 switch (policy)
250 {
251 case CRL_STRICT_YES:
252 /* if yes, we require a GOOD validation */
253 cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
254 break;
255 case CRL_STRICT_IFURI:
256 /* for ifuri, a SKIPPED validation is sufficient */
257 cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
258 break;
259 default:
260 break;
261 }
262 }
263 }
264
265 /**
266 * Parse public key / signature strength constraints
267 */
268 static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
269 {
270 enumerator_t *enumerator;
271 bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE;
272 int strength;
273 char *token;
274
275 enumerator = enumerator_create_token(auth, "-", "");
276 while (enumerator->enumerate(enumerator, &token))
277 {
278 bool found = FALSE;
279 int i;
280 struct {
281 char *name;
282 signature_scheme_t scheme;
283 key_type_t key;
284 } schemes[] = {
285 { "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, },
286 { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, },
287 { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, },
288 { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, },
289 { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, },
290 { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, },
291 { "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, },
292 { "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, },
293 { "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, },
294 { "sha512", SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, },
295 { "sha256", SIGN_ECDSA_256, KEY_ECDSA, },
296 { "sha384", SIGN_ECDSA_384, KEY_ECDSA, },
297 { "sha512", SIGN_ECDSA_521, KEY_ECDSA, },
298 };
299
300 if (rsa_len || ecdsa_len)
301 { /* expecting a key strength token */
302 strength = atoi(token);
303 if (strength)
304 {
305 if (rsa_len)
306 {
307 cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
308 }
309 else if (ecdsa_len)
310 {
311 cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
312 }
313 }
314 rsa_len = ecdsa_len = FALSE;
315 if (strength)
316 {
317 continue;
318 }
319 }
320 if (streq(token, "rsa"))
321 {
322 rsa = rsa_len = TRUE;
323 continue;
324 }
325 if (streq(token, "ecdsa"))
326 {
327 ecdsa = ecdsa_len = TRUE;
328 continue;
329 }
330 if (streq(token, "pubkey"))
331 {
332 continue;
333 }
334
335 for (i = 0; i < countof(schemes); i++)
336 {
337 if (streq(schemes[i].name, token))
338 {
339 /* for each matching string, allow the scheme, if:
340 * - it is an RSA scheme, and we enforced RSA
341 * - it is an ECDSA scheme, and we enforced ECDSA
342 * - it is not a key type specific scheme
343 */
344 if ((rsa && schemes[i].key == KEY_RSA) ||
345 (ecdsa && schemes[i].key == KEY_ECDSA) ||
346 (!rsa && !ecdsa))
347 {
348 cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
349 (uintptr_t)schemes[i].scheme);
350 }
351 found = TRUE;
352 }
353 }
354 if (!found)
355 {
356 DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
357 }
358 }
359 enumerator->destroy(enumerator);
360 }
361
362 /**
363 * build authentication config
364 */
365 static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
366 stroke_msg_t *msg, bool local, bool primary)
367 {
368 identification_t *identity;
369 certificate_t *certificate;
370 char *auth, *id, *pubkey, *cert, *ca, *groups;
371 stroke_end_t *end, *other_end;
372 auth_cfg_t *cfg;
373 bool loose = FALSE;
374
375 /* select strings */
376 if (local)
377 {
378 end = &msg->add_conn.me;
379 other_end = &msg->add_conn.other;
380 }
381 else
382 {
383 end = &msg->add_conn.other;
384 other_end = &msg->add_conn.me;
385 }
386 if (primary)
387 {
388 auth = end->auth;
389 id = end->id;
390 if (!id)
391 { /* leftid/rightid fallback to address */
392 id = end->address;
393 }
394 cert = end->cert;
395 ca = end->ca;
396 if (ca && streq(ca, "%same"))
397 {
398 ca = other_end->ca;
399 }
400 }
401 else
402 {
403 auth = end->auth2;
404 id = end->id2;
405 if (local && !id)
406 { /* leftid2 falls back to leftid */
407 id = end->id;
408 }
409 cert = end->cert2;
410 ca = end->ca2;
411 if (ca && streq(ca, "%same"))
412 {
413 ca = other_end->ca2;
414 }
415 }
416 if (id && *id == '%' && !streq(id, "%any"))
417 { /* has only an effect on rightid/2 */
418 loose = !local;
419 id++;
420 }
421
422 if (!auth)
423 {
424 if (primary)
425 {
426 auth = "pubkey";
427 }
428 else
429 { /* no second authentication round, fine. But load certificates
430 * for other purposes (EAP-TLS) */
431 if (cert)
432 {
433 certificate = this->cred->load_peer(this->cred, cert);
434 if (certificate)
435 {
436 certificate->destroy(certificate);
437 }
438 }
439 return NULL;
440 }
441 }
442
443 cfg = auth_cfg_create();
444
445 /* add identity and peer certificate */
446 identity = identification_create_from_string(id);
447 if (cert)
448 {
449 certificate = this->cred->load_peer(this->cred, cert);
450 if (certificate)
451 {
452 if (local)
453 {
454 this->ca->check_for_hash_and_url(this->ca, certificate);
455 }
456 cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
457 if (identity->get_type(identity) == ID_ANY ||
458 !certificate->has_subject(certificate, identity))
459 {
460 DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, "
461 "defaulting to '%Y'", identity,
462 certificate->get_subject(certificate));
463 identity->destroy(identity);
464 identity = certificate->get_subject(certificate);
465 identity = identity->clone(identity);
466 }
467 }
468 }
469 if (identity->get_type(identity) != ID_ANY)
470 {
471 cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
472 if (loose)
473 {
474 cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE);
475 }
476 }
477 else
478 {
479 identity->destroy(identity);
480 }
481
482 /* add raw RSA public key */
483 pubkey = end->rsakey;
484 if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
485 {
486 certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
487 identity);
488 if (certificate)
489 {
490 cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
491 }
492 }
493
494 /* CA constraint */
495 if (ca)
496 {
497 identity = identification_create_from_string(ca);
498 certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
499 KEY_ANY, identity, TRUE);
500 identity->destroy(identity);
501 if (certificate)
502 {
503 cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
504 }
505 else
506 {
507 DBG1(DBG_CFG, "CA certificate \"%s\" not found, discarding CA "
508 "constraint", ca);
509 }
510 }
511
512 /* groups */
513 groups = primary ? end->groups : end->groups2;
514 if (groups)
515 {
516 enumerator_t *enumerator;
517 char *group;
518
519 enumerator = enumerator_create_token(groups, ",", " ");
520 while (enumerator->enumerate(enumerator, &group))
521 {
522 cfg->add(cfg, AUTH_RULE_GROUP,
523 identification_create_from_string(group));
524 }
525 enumerator->destroy(enumerator);
526 }
527
528 /* certificatePolicies */
529 if (end->cert_policy)
530 {
531 enumerator_t *enumerator;
532 char *policy;
533
534 enumerator = enumerator_create_token(end->cert_policy, ",", " ");
535 while (enumerator->enumerate(enumerator, &policy))
536 {
537 cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
538 }
539 enumerator->destroy(enumerator);
540 }
541
542 /* authentication metod (class, actually) */
543 if (strneq(auth, "pubkey", strlen("pubkey")) ||
544 strneq(auth, "rsa", strlen("rsa")) ||
545 strneq(auth, "ecdsa", strlen("ecdsa")))
546 {
547 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
548 build_crl_policy(cfg, local, msg->add_conn.crl_policy);
549
550 parse_pubkey_constraints(auth, cfg);
551 }
552 else if (streq(auth, "psk") || streq(auth, "secret"))
553 {
554 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
555 }
556 else if (strneq(auth, "xauth", 5))
557 {
558 char *pos;
559
560 pos = strchr(auth, '-');
561 if (pos)
562 {
563 cfg->add(cfg, AUTH_RULE_XAUTH_BACKEND, strdup(++pos));
564 }
565 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
566 if (msg->add_conn.xauth_identity)
567 {
568 cfg->add(cfg, AUTH_RULE_XAUTH_IDENTITY,
569 identification_create_from_string(msg->add_conn.xauth_identity));
570 }
571 }
572 else if (strneq(auth, "eap", 3))
573 {
574 eap_vendor_type_t *type;
575
576 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
577
578 type = eap_vendor_type_from_string(auth);
579 if (type)
580 {
581 cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type);
582 if (type->vendor)
583 {
584 cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor);
585 }
586 free(type);
587 }
588
589 if (msg->add_conn.eap_identity)
590 {
591 if (streq(msg->add_conn.eap_identity, "%identity"))
592 {
593 identity = identification_create_from_encoding(ID_ANY,
594 chunk_empty);
595 }
596 else
597 {
598 identity = identification_create_from_string(
599 msg->add_conn.eap_identity);
600 }
601 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
602 }
603 if (msg->add_conn.aaa_identity)
604 {
605 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
606 identification_create_from_string(msg->add_conn.aaa_identity));
607 }
608 }
609 else
610 {
611 if (!streq(auth, "any"))
612 {
613 DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
614 auth);
615 }
616 build_crl_policy(cfg, local, msg->add_conn.crl_policy);
617 }
618 return cfg;
619 }
620
621 /**
622 * build a peer_cfg from a stroke msg
623 */
624 static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
625 stroke_msg_t *msg, ike_cfg_t *ike_cfg)
626 {
627 identification_t *peer_id = NULL;
628 peer_cfg_t *mediated_by = NULL;
629 unique_policy_t unique;
630 u_int32_t rekey = 0, reauth = 0, over, jitter;
631 peer_cfg_t *peer_cfg;
632 auth_cfg_t *auth_cfg;
633
634 #ifdef ME
635 if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
636 {
637 DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
638 "at the same time, aborting");
639 return NULL;
640 }
641
642 if (msg->add_conn.ikeme.mediation)
643 {
644 /* force unique connections for mediation connections */
645 msg->add_conn.unique = 1;
646 }
647
648 if (msg->add_conn.ikeme.mediated_by)
649 {
650 mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
651 msg->add_conn.ikeme.mediated_by);
652 if (!mediated_by)
653 {
654 DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
655 msg->add_conn.ikeme.mediated_by);
656 return NULL;
657 }
658 if (!mediated_by->is_mediation(mediated_by))
659 {
660 DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
661 "no mediation connection, aborting",
662 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
663 mediated_by->destroy(mediated_by);
664 return NULL;
665 }
666 if (msg->add_conn.ikeme.peerid)
667 {
668 peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
669 }
670 else if (msg->add_conn.other.id)
671 {
672 peer_id = identification_create_from_string(msg->add_conn.other.id);
673 }
674 }
675 #endif /* ME */
676
677 jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
678 over = msg->add_conn.rekey.margin;
679 if (msg->add_conn.rekey.reauth)
680 {
681 reauth = msg->add_conn.rekey.ike_lifetime - over;
682 }
683 else
684 {
685 rekey = msg->add_conn.rekey.ike_lifetime - over;
686 }
687 switch (msg->add_conn.unique)
688 {
689 case 1: /* yes */
690 case 2: /* replace */
691 unique = UNIQUE_REPLACE;
692 break;
693 case 3: /* keep */
694 unique = UNIQUE_KEEP;
695 break;
696 case 4: /* never */
697 unique = UNIQUE_NEVER;
698 break;
699 default: /* no */
700 unique = UNIQUE_NO;
701 break;
702 }
703 if (msg->add_conn.dpd.action == 0)
704 { /* dpdaction=none disables DPD */
705 msg->add_conn.dpd.delay = 0;
706 }
707
708 /* other.sourceip is managed in stroke_attributes. If it is set, we define
709 * the pool name as the connection name, which the attribute provider
710 * uses to serve pool addresses. */
711 peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg,
712 msg->add_conn.me.sendcert, unique,
713 msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
714 msg->add_conn.mobike, msg->add_conn.aggressive,
715 msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
716 msg->add_conn.ikeme.mediation, mediated_by, peer_id);
717
718 if (msg->add_conn.other.sourceip)
719 {
720 enumerator_t *enumerator;
721 char *token;
722
723 enumerator = enumerator_create_token(msg->add_conn.other.sourceip,
724 ",", " ");
725 while (enumerator->enumerate(enumerator, &token))
726 {
727 if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
728 streq(token, "%config") || streq(token, "%cfg") ||
729 streq(token, "%config4") || streq(token, "%config6"))
730 {
731 /* empty pool, uses connection name */
732 this->attributes->add_pool(this->attributes,
733 mem_pool_create(msg->add_conn.name, NULL, 0));
734 peer_cfg->add_pool(peer_cfg, msg->add_conn.name);
735 }
736 else if (*token == '%')
737 {
738 /* external named pool */
739 peer_cfg->add_pool(peer_cfg, token + 1);
740 }
741 else
742 {
743 /* in-memory pool, named using CIDR notation */
744 host_t *base;
745 int bits;
746
747 base = host_create_from_subnet(token, &bits);
748 if (base)
749 {
750 this->attributes->add_pool(this->attributes,
751 mem_pool_create(token, base, bits));
752 peer_cfg->add_pool(peer_cfg, token);
753 base->destroy(base);
754 }
755 else
756 {
757 DBG1(DBG_CFG, "IP pool %s invalid, ignored", token);
758 }
759 }
760 }
761 enumerator->destroy(enumerator);
762 }
763
764 if (msg->add_conn.me.sourceip)
765 {
766 enumerator_t *enumerator;
767 char *token;
768
769 enumerator = enumerator_create_token(msg->add_conn.me.sourceip, ",", " ");
770 while (enumerator->enumerate(enumerator, &token))
771 {
772 host_t *vip = NULL;
773
774 if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
775 streq(token, "%config") || streq(token, "%cfg"))
776 { /* try to deduce an address family */
777 if (msg->add_conn.me.subnets)
778 { /* use the same family as in local subnet, if any */
779 if (strchr(msg->add_conn.me.subnets, '.'))
780 {
781 vip = host_create_any(AF_INET);
782 }
783 else
784 {
785 vip = host_create_any(AF_INET6);
786 }
787 }
788 else if (msg->add_conn.other.subnets)
789 { /* use the same family as in remote subnet, if any */
790 if (strchr(msg->add_conn.other.subnets, '.'))
791 {
792 vip = host_create_any(AF_INET);
793 }
794 else
795 {
796 vip = host_create_any(AF_INET6);
797 }
798 }
799 else
800 {
801 if (strchr(ike_cfg->get_my_addr(ike_cfg, NULL), ':'))
802 {
803 vip = host_create_any(AF_INET6);
804 }
805 else
806 {
807 vip = host_create_any(AF_INET);
808 }
809 }
810 }
811 else if (streq(token, "%config4"))
812 {
813 vip = host_create_any(AF_INET);
814 }
815 else if (streq(token, "%config6"))
816 {
817 vip = host_create_any(AF_INET6);
818 }
819 else
820 {
821 vip = host_create_from_string(token, 0);
822 if (vip)
823 {
824 DBG1(DBG_CFG, "ignored invalid subnet token: %s", token);
825 }
826 }
827
828 if (vip)
829 {
830 peer_cfg->add_virtual_ip(peer_cfg, vip);
831 }
832 }
833 enumerator->destroy(enumerator);
834 }
835
836 /* build leftauth= */
837 auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
838 if (auth_cfg)
839 {
840 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
841 }
842 else
843 { /* we require at least one config on our side */
844 peer_cfg->destroy(peer_cfg);
845 return NULL;
846 }
847 /* build leftauth2= */
848 auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
849 if (auth_cfg)
850 {
851 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
852 }
853 /* build rightauth= */
854 auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
855 if (auth_cfg)
856 {
857 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
858 }
859 /* build rightauth2= */
860 auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
861 if (auth_cfg)
862 {
863 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
864 }
865 return peer_cfg;
866 }
867
868 /**
869 * build a traffic selector from a stroke_end
870 */
871 static void add_ts(private_stroke_config_t *this,
872 stroke_end_t *end, child_cfg_t *child_cfg, bool local)
873 {
874 traffic_selector_t *ts;
875
876 if (end->tohost)
877 {
878 ts = traffic_selector_create_dynamic(end->protocol,
879 end->port ? end->port : 0, end->port ? end->port : 65535);
880 child_cfg->add_traffic_selector(child_cfg, local, ts);
881 }
882 else
883 {
884 if (!end->subnets)
885 {
886 host_t *net;
887
888 net = host_create_from_string(end->address, 0);
889 if (net)
890 {
891 ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
892 end->port);
893 child_cfg->add_traffic_selector(child_cfg, local, ts);
894 }
895 }
896 else
897 {
898 enumerator_t *enumerator;
899 char *subnet;
900
901 enumerator = enumerator_create_token(end->subnets, ",", " ");
902 while (enumerator->enumerate(enumerator, &subnet))
903 {
904 ts = traffic_selector_create_from_cidr(subnet,
905 end->protocol, end->port);
906 if (ts)
907 {
908 child_cfg->add_traffic_selector(child_cfg, local, ts);
909 }
910 else
911 {
912 DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
913 }
914 }
915 enumerator->destroy(enumerator);
916 }
917 }
918 }
919
920 /**
921 * map starter magic values to our action type
922 */
923 static action_t map_action(int starter_action)
924 {
925 switch (starter_action)
926 {
927 case 2: /* =hold */
928 return ACTION_ROUTE;
929 case 3: /* =restart */
930 return ACTION_RESTART;
931 default:
932 return ACTION_NONE;
933 }
934 }
935
936 /**
937 * build a child config from the stroke message
938 */
939 static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
940 stroke_msg_t *msg)
941 {
942 child_cfg_t *child_cfg;
943 lifetime_cfg_t lifetime = {
944 .time = {
945 .life = msg->add_conn.rekey.ipsec_lifetime,
946 .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
947 .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
948 },
949 .bytes = {
950 .life = msg->add_conn.rekey.life_bytes,
951 .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
952 .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
953 },
954 .packets = {
955 .life = msg->add_conn.rekey.life_packets,
956 .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
957 .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
958 }
959 };
960 mark_t mark_in = {
961 .value = msg->add_conn.mark_in.value,
962 .mask = msg->add_conn.mark_in.mask
963 };
964 mark_t mark_out = {
965 .value = msg->add_conn.mark_out.value,
966 .mask = msg->add_conn.mark_out.mask
967 };
968
969 child_cfg = child_cfg_create(
970 msg->add_conn.name, &lifetime, msg->add_conn.me.updown,
971 msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE,
972 map_action(msg->add_conn.dpd.action),
973 map_action(msg->add_conn.close_action), msg->add_conn.ipcomp,
974 msg->add_conn.inactivity, msg->add_conn.reqid,
975 &mark_in, &mark_out, msg->add_conn.tfc);
976 child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
977 msg->add_conn.install_policy);
978 add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
979 add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
980
981 add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
982
983 return child_cfg;
984 }
985
986 METHOD(stroke_config_t, add, void,
987 private_stroke_config_t *this, stroke_msg_t *msg)
988 {
989 ike_cfg_t *ike_cfg, *existing_ike;
990 peer_cfg_t *peer_cfg, *existing;
991 child_cfg_t *child_cfg;
992 enumerator_t *enumerator;
993 bool use_existing = FALSE;
994
995 ike_cfg = build_ike_cfg(this, msg);
996 if (!ike_cfg)
997 {
998 return;
999 }
1000 peer_cfg = build_peer_cfg(this, msg, ike_cfg);
1001 if (!peer_cfg)
1002 {
1003 ike_cfg->destroy(ike_cfg);
1004 return;
1005 }
1006
1007 enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
1008 while (enumerator->enumerate(enumerator, &existing))
1009 {
1010 existing_ike = existing->get_ike_cfg(existing);
1011 if (existing->equals(existing, peer_cfg) &&
1012 existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg)))
1013 {
1014 use_existing = TRUE;
1015 peer_cfg->destroy(peer_cfg);
1016 peer_cfg = existing;
1017 peer_cfg->get_ref(peer_cfg);
1018 DBG1(DBG_CFG, "added child to existing configuration '%s'",
1019 peer_cfg->get_name(peer_cfg));
1020 break;
1021 }
1022 }
1023 enumerator->destroy(enumerator);
1024
1025 child_cfg = build_child_cfg(this, msg);
1026 if (!child_cfg)
1027 {
1028 peer_cfg->destroy(peer_cfg);
1029 return;
1030 }
1031 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
1032
1033 if (use_existing)
1034 {
1035 peer_cfg->destroy(peer_cfg);
1036 }
1037 else
1038 {
1039 /* add config to backend */
1040 DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
1041 this->mutex->lock(this->mutex);
1042 this->list->insert_last(this->list, peer_cfg);
1043 this->mutex->unlock(this->mutex);
1044 }
1045 }
1046
1047 METHOD(stroke_config_t, del, void,
1048 private_stroke_config_t *this, stroke_msg_t *msg)
1049 {
1050 enumerator_t *enumerator, *children;
1051 peer_cfg_t *peer;
1052 child_cfg_t *child;
1053 bool deleted = FALSE;
1054
1055 this->mutex->lock(this->mutex);
1056 enumerator = this->list->create_enumerator(this->list);
1057 while (enumerator->enumerate(enumerator, (void**)&peer))
1058 {
1059 bool keep = FALSE;
1060
1061 /* remove any child with such a name */
1062 children = peer->create_child_cfg_enumerator(peer);
1063 while (children->enumerate(children, &child))
1064 {
1065 if (streq(child->get_name(child), msg->del_conn.name))
1066 {
1067 peer->remove_child_cfg(peer, children);
1068 child->destroy(child);
1069 deleted = TRUE;
1070 }
1071 else
1072 {
1073 keep = TRUE;
1074 }
1075 }
1076 children->destroy(children);
1077
1078 /* if peer config matches, or has no children anymore, remove it */
1079 if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
1080 {
1081 this->list->remove_at(this->list, enumerator);
1082 peer->destroy(peer);
1083 deleted = TRUE;
1084 }
1085 }
1086 enumerator->destroy(enumerator);
1087 this->mutex->unlock(this->mutex);
1088
1089 if (deleted)
1090 {
1091 DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
1092 }
1093 else
1094 {
1095 DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
1096 }
1097 }
1098
1099 METHOD(stroke_config_t, set_user_credentials, void,
1100 private_stroke_config_t *this, stroke_msg_t *msg, FILE *prompt)
1101 {
1102 enumerator_t *enumerator, *children, *remote_auth;
1103 peer_cfg_t *peer, *found = NULL;
1104 auth_cfg_t *auth_cfg, *remote_cfg;
1105 auth_class_t auth_class;
1106 child_cfg_t *child;
1107 identification_t *id, *identity, *gw = NULL;
1108 shared_key_type_t type = SHARED_ANY;
1109 chunk_t password = chunk_empty;
1110
1111 this->mutex->lock(this->mutex);
1112 enumerator = this->list->create_enumerator(this->list);
1113 while (enumerator->enumerate(enumerator, (void**)&peer))
1114 { /* find the peer (or child) config with the given name */
1115 if (streq(peer->get_name(peer), msg->user_creds.name))
1116 {
1117 found = peer;
1118 }
1119 else
1120 {
1121 children = peer->create_child_cfg_enumerator(peer);
1122 while (children->enumerate(children, &child))
1123 {
1124 if (streq(child->get_name(child), msg->user_creds.name))
1125 {
1126 found = peer;
1127 break;
1128 }
1129 }
1130 children->destroy(children);
1131 }
1132
1133 if (found)
1134 {
1135 break;
1136 }
1137 }
1138 enumerator->destroy(enumerator);
1139
1140 if (!found)
1141 {
1142 DBG1(DBG_CFG, " no config named '%s'", msg->user_creds.name);
1143 fprintf(prompt, "no config named '%s'\n", msg->user_creds.name);
1144 this->mutex->unlock(this->mutex);
1145 return;
1146 }
1147
1148 id = identification_create_from_string(msg->user_creds.username);
1149 if (strlen(msg->user_creds.username) == 0 ||
1150 !id || id->get_type(id) == ID_ANY)
1151 {
1152 DBG1(DBG_CFG, " invalid username '%s'", msg->user_creds.username);
1153 fprintf(prompt, "invalid username '%s'\n", msg->user_creds.username);
1154 this->mutex->unlock(this->mutex);
1155 DESTROY_IF(id);
1156 return;
1157 }
1158
1159 /* replace/set the username in the first EAP/XAuth auth_cfg, also look for
1160 * a suitable remote ID.
1161 * note that adding the identity here is not fully thread-safe as the
1162 * peer_cfg and in turn the auth_cfg could be in use. for the default use
1163 * case (setting user credentials before upping the connection) this will
1164 * not be a problem, though. */
1165 enumerator = found->create_auth_cfg_enumerator(found, TRUE);
1166 remote_auth = found->create_auth_cfg_enumerator(found, FALSE);
1167 while (enumerator->enumerate(enumerator, (void**)&auth_cfg))
1168 {
1169 if (remote_auth->enumerate(remote_auth, (void**)&remote_cfg))
1170 { /* fall back on rightid, in case aaa_identity is not specified */
1171 identity = remote_cfg->get(remote_cfg, AUTH_RULE_IDENTITY);
1172 if (identity && identity->get_type(identity) != ID_ANY)
1173 {
1174 gw = identity;
1175 }
1176 }
1177
1178 auth_class = (uintptr_t)auth_cfg->get(auth_cfg, AUTH_RULE_AUTH_CLASS);
1179 if (auth_class == AUTH_CLASS_EAP || auth_class == AUTH_CLASS_XAUTH)
1180 {
1181 if (auth_class == AUTH_CLASS_EAP)
1182 {
1183 auth_cfg->add(auth_cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
1184 /* if aaa_identity is specified use that as remote ID */
1185 identity = auth_cfg->get(auth_cfg, AUTH_RULE_AAA_IDENTITY);
1186 if (identity && identity->get_type(identity) != ID_ANY)
1187 {
1188 gw = identity;
1189 }
1190 DBG1(DBG_CFG, " configured EAP-Identity %Y", id);
1191 }
1192 else
1193 {
1194 auth_cfg->add(auth_cfg, AUTH_RULE_XAUTH_IDENTITY,
1195 id->clone(id));
1196 DBG1(DBG_CFG, " configured XAuth username %Y", id);
1197 }
1198 type = SHARED_EAP;
1199 break;
1200 }
1201 }
1202 enumerator->destroy(enumerator);
1203 remote_auth->destroy(remote_auth);
1204 /* clone the gw ID before unlocking the mutex */
1205 if (gw)
1206 {
1207 gw = gw->clone(gw);
1208 }
1209 this->mutex->unlock(this->mutex);
1210
1211 if (type == SHARED_ANY)
1212 {
1213 DBG1(DBG_CFG, " config '%s' unsuitable for user credentials",
1214 msg->user_creds.name);
1215 fprintf(prompt, "config '%s' unsuitable for user credentials\n",
1216 msg->user_creds.name);
1217 id->destroy(id);
1218 DESTROY_IF(gw);
1219 return;
1220 }
1221
1222 if (msg->user_creds.password)
1223 {
1224 char *pass;
1225
1226 pass = msg->user_creds.password;
1227 password = chunk_clone(chunk_create(pass, strlen(pass)));
1228 memwipe(pass, strlen(pass));
1229 }
1230 else
1231 { /* prompt the user for the password */
1232 char buf[256];
1233
1234 fprintf(prompt, "Password:\n");
1235 if (fgets(buf, sizeof(buf), prompt))
1236 {
1237 password = chunk_clone(chunk_create(buf, strlen(buf)));
1238 if (password.len > 0)
1239 { /* trim trailing \n */
1240 password.len--;
1241 }
1242 memwipe(buf, sizeof(buf));
1243 }
1244 }
1245
1246 if (password.len)
1247 {
1248 shared_key_t *shared;
1249 linked_list_t *owners;
1250
1251 shared = shared_key_create(type, password);
1252
1253 owners = linked_list_create();
1254 owners->insert_last(owners, id->clone(id));
1255 if (gw && gw->get_type(gw) != ID_ANY)
1256 {
1257 owners->insert_last(owners, gw->clone(gw));
1258 DBG1(DBG_CFG, " added %N secret for %Y %Y", shared_key_type_names,
1259 type, id, gw);
1260 }
1261 else
1262 {
1263 DBG1(DBG_CFG, " added %N secret for %Y", shared_key_type_names,
1264 type, id);
1265 }
1266 this->cred->add_shared(this->cred, shared, owners);
1267 DBG4(DBG_CFG, " secret: %#B", &password);
1268 }
1269 else
1270 { /* in case a user answers the password prompt by just pressing enter */
1271 chunk_clear(&password);
1272 }
1273 id->destroy(id);
1274 DESTROY_IF(gw);
1275 }
1276
1277 METHOD(stroke_config_t, destroy, void,
1278 private_stroke_config_t *this)
1279 {
1280 this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy));
1281 this->mutex->destroy(this->mutex);
1282 free(this);
1283 }
1284
1285 /*
1286 * see header file
1287 */
1288 stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
1289 stroke_attribute_t *attributes)
1290 {
1291 private_stroke_config_t *this;
1292
1293 INIT(this,
1294 .public = {
1295 .backend = {
1296 .create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
1297 .create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
1298 .get_peer_cfg_by_name = _get_peer_cfg_by_name,
1299 },
1300 .add = _add,
1301 .del = _del,
1302 .set_user_credentials = _set_user_credentials,
1303 .destroy = _destroy,
1304 },
1305 .list = linked_list_create(),
1306 .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
1307 .ca = ca,
1308 .cred = cred,
1309 .attributes = attributes,
1310 );
1311
1312 return &this->public;
1313 }
1314