projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add uniqueids=never to ignore INITIAL_CONTACT notifies
[strongswan.git] / src / libcharon / plugins / stroke / stroke_config.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "stroke_config.h"
18
19 #include <hydra.h>
20 #include <daemon.h>
21 #include <threading/mutex.h>
22 #include <utils/lexparser.h>
23
24 typedef struct private_stroke_config_t private_stroke_config_t;
25
26 /**
27 * private data of stroke_config
28 */
29 struct private_stroke_config_t {
30
31 /**
32 * public functions
33 */
34 stroke_config_t public;
35
36 /**
37 * list of peer_cfg_t
38 */
39 linked_list_t *list;
40
41 /**
42 * mutex to lock config list
43 */
44 mutex_t *mutex;
45
46 /**
47 * ca sections
48 */
49 stroke_ca_t *ca;
50
51 /**
52 * credentials
53 */
54 stroke_cred_t *cred;
55
56 /**
57 * Virtual IP pool / DNS backend
58 */
59 stroke_attribute_t *attributes;
60 };
61
62 METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
63 private_stroke_config_t *this, identification_t *me, identification_t *other)
64 {
65 this->mutex->lock(this->mutex);
66 return enumerator_create_cleaner(this->list->create_enumerator(this->list),
67 (void*)this->mutex->unlock, this->mutex);
68 }
69
70 /**
71 * filter function for ike configs
72 */
73 static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
74 {
75 *out = (*in)->get_ike_cfg(*in);
76 return TRUE;
77 }
78
79 METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
80 private_stroke_config_t *this, host_t *me, host_t *other)
81 {
82 this->mutex->lock(this->mutex);
83 return enumerator_create_filter(this->list->create_enumerator(this->list),
84 (void*)ike_filter, this->mutex,
85 (void*)this->mutex->unlock);
86 }
87
88 METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
89 private_stroke_config_t *this, char *name)
90 {
91 enumerator_t *e1, *e2;
92 peer_cfg_t *current, *found = NULL;
93 child_cfg_t *child;
94
95 this->mutex->lock(this->mutex);
96 e1 = this->list->create_enumerator(this->list);
97 while (e1->enumerate(e1, &current))
98 {
99 /* compare peer_cfgs name first */
100 if (streq(current->get_name(current), name))
101 {
102 found = current;
103 found->get_ref(found);
104 break;
105 }
106 /* compare all child_cfg names otherwise */
107 e2 = current->create_child_cfg_enumerator(current);
108 while (e2->enumerate(e2, &child))
109 {
110 if (streq(child->get_name(child), name))
111 {
112 found = current;
113 found->get_ref(found);
114 break;
115 }
116 }
117 e2->destroy(e2);
118 if (found)
119 {
120 break;
121 }
122 }
123 e1->destroy(e1);
124 this->mutex->unlock(this->mutex);
125 return found;
126 }
127
128 /**
129 * parse a proposal string, either into ike_cfg or child_cfg
130 */
131 static void add_proposals(private_stroke_config_t *this, char *string,
132 ike_cfg_t *ike_cfg, child_cfg_t *child_cfg)
133 {
134 if (string)
135 {
136 char *single;
137 char *strict;
138 proposal_t *proposal;
139 protocol_id_t proto = PROTO_ESP;
140
141 if (ike_cfg)
142 {
143 proto = PROTO_IKE;
144 }
145 strict = string + strlen(string) - 1;
146 if (*strict == '!')
147 {
148 *strict = '\0';
149 }
150 else
151 {
152 strict = NULL;
153 }
154 while ((single = strsep(&string, ",")))
155 {
156 proposal = proposal_create_from_string(proto, single);
157 if (proposal)
158 {
159 if (ike_cfg)
160 {
161 ike_cfg->add_proposal(ike_cfg, proposal);
162 }
163 else
164 {
165 child_cfg->add_proposal(child_cfg, proposal);
166 }
167 continue;
168 }
169 DBG1(DBG_CFG, "skipped invalid proposal string: %s", single);
170 }
171 if (strict)
172 {
173 return;
174 }
175 /* add default porposal to the end if not strict */
176 }
177 if (ike_cfg)
178 {
179 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
180 }
181 else
182 {
183 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
184 }
185 }
186
187 /**
188 * Build an IKE config from a stroke message
189 */
190 static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg)
191 {
192 stroke_end_t tmp_end;
193 ike_cfg_t *ike_cfg;
194 char *interface;
195 host_t *host;
196 u_int16_t ikeport;
197
198 host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
199 if (host)
200 {
201 interface = hydra->kernel_interface->get_interface(
202 hydra->kernel_interface, host);
203 host->destroy(host);
204 if (interface)
205 {
206 DBG2(DBG_CFG, "left is other host, swapping ends");
207 tmp_end = msg->add_conn.me;
208 msg->add_conn.me = msg->add_conn.other;
209 msg->add_conn.other = tmp_end;
210 free(interface);
211 }
212 else
213 {
214 host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
215 if (host)
216 {
217 interface = hydra->kernel_interface->get_interface(
218 hydra->kernel_interface, host);
219 host->destroy(host);
220 if (!interface)
221 {
222 DBG1(DBG_CFG, "left nor right host is our side, "
223 "assuming left=local");
224 }
225 else
226 {
227 free(interface);
228 }
229
230 }
231 }
232 }
233 ikeport = msg->add_conn.me.ikeport;
234 ikeport = (ikeport == IKEV2_UDP_PORT) ?
235 charon->socket->get_port(charon->socket, FALSE) : ikeport;
236 ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
237 msg->add_conn.force_encap,
238 msg->add_conn.me.address,
239 msg->add_conn.me.allow_any,
240 ikeport,
241 msg->add_conn.other.address,
242 msg->add_conn.other.allow_any,
243 msg->add_conn.other.ikeport);
244 add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
245 return ike_cfg;
246 }
247
248 /**
249 * Add CRL constraint to config
250 */
251 static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
252 {
253 /* CRL/OCSP policy, for remote config only */
254 if (!local)
255 {
256 switch (policy)
257 {
258 case CRL_STRICT_YES:
259 /* if yes, we require a GOOD validation */
260 cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
261 break;
262 case CRL_STRICT_IFURI:
263 /* for ifuri, a SKIPPED validation is sufficient */
264 cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
265 break;
266 default:
267 break;
268 }
269 }
270 }
271
272 /**
273 * Parse public key / signature strength constraints
274 */
275 static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
276 {
277 enumerator_t *enumerator;
278 bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE;
279 int strength;
280 char *token;
281
282 enumerator = enumerator_create_token(auth, "-", "");
283 while (enumerator->enumerate(enumerator, &token))
284 {
285 bool found = FALSE;
286 int i;
287 struct {
288 char *name;
289 signature_scheme_t scheme;
290 key_type_t key;
291 } schemes[] = {
292 { "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, },
293 { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, },
294 { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, },
295 { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, },
296 { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, },
297 { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, },
298 { "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, },
299 { "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, },
300 { "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, },
301 { "sha512", SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, },
302 { "sha256", SIGN_ECDSA_256, KEY_ECDSA, },
303 { "sha384", SIGN_ECDSA_384, KEY_ECDSA, },
304 { "sha512", SIGN_ECDSA_521, KEY_ECDSA, },
305 };
306
307 if (rsa_len || ecdsa_len)
308 { /* expecting a key strength token */
309 strength = atoi(token);
310 if (strength)
311 {
312 if (rsa_len)
313 {
314 cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
315 }
316 else if (ecdsa_len)
317 {
318 cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
319 }
320 }
321 rsa_len = ecdsa_len = FALSE;
322 if (strength)
323 {
324 continue;
325 }
326 }
327 if (streq(token, "rsa"))
328 {
329 rsa = rsa_len = TRUE;
330 continue;
331 }
332 if (streq(token, "ecdsa"))
333 {
334 ecdsa = ecdsa_len = TRUE;
335 continue;
336 }
337 if (streq(token, "pubkey"))
338 {
339 continue;
340 }
341
342 for (i = 0; i < countof(schemes); i++)
343 {
344 if (streq(schemes[i].name, token))
345 {
346 /* for each matching string, allow the scheme, if:
347 * - it is an RSA scheme, and we enforced RSA
348 * - it is an ECDSA scheme, and we enforced ECDSA
349 * - it is not a key type specific scheme
350 */
351 if ((rsa && schemes[i].key == KEY_RSA) ||
352 (ecdsa && schemes[i].key == KEY_ECDSA) ||
353 (!rsa && !ecdsa))
354 {
355 cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
356 (uintptr_t)schemes[i].scheme);
357 }
358 found = TRUE;
359 }
360 }
361 if (!found)
362 {
363 DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
364 }
365 }
366 enumerator->destroy(enumerator);
367 }
368
369 /**
370 * build authentication config
371 */
372 static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
373 stroke_msg_t *msg, bool local, bool primary)
374 {
375 identification_t *identity;
376 certificate_t *certificate;
377 char *auth, *id, *pubkey, *cert, *ca, *groups;
378 stroke_end_t *end, *other_end;
379 auth_cfg_t *cfg;
380
381 /* select strings */
382 if (local)
383 {
384 end = &msg->add_conn.me;
385 other_end = &msg->add_conn.other;
386 }
387 else
388 {
389 end = &msg->add_conn.other;
390 other_end = &msg->add_conn.me;
391 }
392 if (primary)
393 {
394 auth = end->auth;
395 id = end->id;
396 if (!id)
397 { /* leftid/rightid fallback to address */
398 id = end->address;
399 }
400 cert = end->cert;
401 ca = end->ca;
402 if (ca && streq(ca, "%same"))
403 {
404 ca = other_end->ca;
405 }
406 }
407 else
408 {
409 auth = end->auth2;
410 id = end->id2;
411 if (local && !id)
412 { /* leftid2 falls back to leftid */
413 id = end->id;
414 }
415 cert = end->cert2;
416 ca = end->ca2;
417 if (ca && streq(ca, "%same"))
418 {
419 ca = other_end->ca2;
420 }
421 }
422
423 if (!auth)
424 {
425 if (primary)
426 {
427 auth = "pubkey";
428 }
429 else
430 { /* no second authentication round, fine. But load certificates
431 * for other purposes (EAP-TLS) */
432 if (cert)
433 {
434 certificate = this->cred->load_peer(this->cred, cert);
435 if (certificate)
436 {
437 certificate->destroy(certificate);
438 }
439 }
440 return NULL;
441 }
442 }
443
444 cfg = auth_cfg_create();
445
446 /* add identity and peer certifcate */
447 identity = identification_create_from_string(id);
448 if (cert)
449 {
450 certificate = this->cred->load_peer(this->cred, cert);
451 if (certificate)
452 {
453 if (local)
454 {
455 this->ca->check_for_hash_and_url(this->ca, certificate);
456 }
457 cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
458 if (identity->get_type(identity) == ID_ANY ||
459 !certificate->has_subject(certificate, identity))
460 {
461 DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, "
462 "defaulting to '%Y'", identity,
463 certificate->get_subject(certificate));
464 identity->destroy(identity);
465 identity = certificate->get_subject(certificate);
466 identity = identity->clone(identity);
467 }
468 }
469 }
470 if (identity->get_type(identity) != ID_ANY)
471 {
472 cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
473 }
474 else
475 {
476 identity->destroy(identity);
477 }
478
479 /* add raw RSA public key */
480 pubkey = end->rsakey;
481 if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
482 {
483 certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
484 identity);
485 if (certificate)
486 {
487 cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
488 }
489 }
490
491 /* CA constraint */
492 if (ca)
493 {
494 identity = identification_create_from_string(ca);
495 certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
496 KEY_ANY, identity, TRUE);
497 identity->destroy(identity);
498 if (certificate)
499 {
500 cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
501 }
502 else
503 {
504 DBG1(DBG_CFG, "CA certificate \"%s\" not found, discarding CA "
505 "constraint", ca);
506 }
507 }
508
509 /* groups */
510 groups = primary ? end->groups : end->groups2;
511 if (groups)
512 {
513 enumerator_t *enumerator;
514 char *group;
515
516 enumerator = enumerator_create_token(groups, ",", " ");
517 while (enumerator->enumerate(enumerator, &group))
518 {
519 cfg->add(cfg, AUTH_RULE_GROUP,
520 identification_create_from_string(group));
521 }
522 enumerator->destroy(enumerator);
523 }
524
525 /* certificatePolicies */
526 if (end->cert_policy)
527 {
528 enumerator_t *enumerator;
529 char *policy;
530
531 enumerator = enumerator_create_token(end->cert_policy, ",", " ");
532 while (enumerator->enumerate(enumerator, &policy))
533 {
534 cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
535 }
536 enumerator->destroy(enumerator);
537 }
538
539 /* authentication metod (class, actually) */
540 if (strneq(auth, "pubkey", strlen("pubkey")) ||
541 strneq(auth, "rsa", strlen("rsa")) ||
542 strneq(auth, "ecdsa", strlen("ecdsa")))
543 {
544 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
545 build_crl_policy(cfg, local, msg->add_conn.crl_policy);
546
547 parse_pubkey_constraints(auth, cfg);
548 }
549 else if (streq(auth, "psk") || streq(auth, "secret"))
550 {
551 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
552 }
553 else if (strneq(auth, "xauth", 5))
554 {
555 char *pos;
556
557 pos = strchr(auth, '-');
558 if (pos)
559 {
560 cfg->add(cfg, AUTH_RULE_XAUTH_BACKEND, strdup(++pos));
561 }
562 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
563 if (msg->add_conn.xauth_identity)
564 {
565 cfg->add(cfg, AUTH_RULE_XAUTH_IDENTITY,
566 identification_create_from_string(msg->add_conn.xauth_identity));
567 }
568 }
569 else if (strneq(auth, "eap", 3))
570 {
571 eap_vendor_type_t *type;
572
573 cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
574
575 type = eap_vendor_type_from_string(auth);
576 if (type)
577 {
578 cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type);
579 if (type->vendor)
580 {
581 cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor);
582 }
583 free(type);
584 }
585
586 if (msg->add_conn.eap_identity)
587 {
588 if (streq(msg->add_conn.eap_identity, "%identity"))
589 {
590 identity = identification_create_from_encoding(ID_ANY,
591 chunk_empty);
592 }
593 else
594 {
595 identity = identification_create_from_string(
596 msg->add_conn.eap_identity);
597 }
598 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
599 }
600 if (msg->add_conn.aaa_identity)
601 {
602 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
603 identification_create_from_string(msg->add_conn.aaa_identity));
604 }
605 }
606 else
607 {
608 if (!streq(auth, "any"))
609 {
610 DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
611 auth);
612 }
613 build_crl_policy(cfg, local, msg->add_conn.crl_policy);
614 }
615 return cfg;
616 }
617
618 /**
619 * build a peer_cfg from a stroke msg
620 */
621 static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
622 stroke_msg_t *msg, ike_cfg_t *ike_cfg)
623 {
624 identification_t *peer_id = NULL;
625 peer_cfg_t *mediated_by = NULL;
626 unique_policy_t unique;
627 u_int32_t rekey = 0, reauth = 0, over, jitter;
628 peer_cfg_t *peer_cfg;
629 auth_cfg_t *auth_cfg;
630
631 #ifdef ME
632 if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
633 {
634 DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
635 "at the same time, aborting");
636 return NULL;
637 }
638
639 if (msg->add_conn.ikeme.mediation)
640 {
641 /* force unique connections for mediation connections */
642 msg->add_conn.unique = 1;
643 }
644
645 if (msg->add_conn.ikeme.mediated_by)
646 {
647 mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
648 msg->add_conn.ikeme.mediated_by);
649 if (!mediated_by)
650 {
651 DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
652 msg->add_conn.ikeme.mediated_by);
653 return NULL;
654 }
655 if (!mediated_by->is_mediation(mediated_by))
656 {
657 DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
658 "no mediation connection, aborting",
659 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
660 mediated_by->destroy(mediated_by);
661 return NULL;
662 }
663 if (msg->add_conn.ikeme.peerid)
664 {
665 peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
666 }
667 else if (msg->add_conn.other.id)
668 {
669 peer_id = identification_create_from_string(msg->add_conn.other.id);
670 }
671 }
672 #endif /* ME */
673
674 jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
675 over = msg->add_conn.rekey.margin;
676 if (msg->add_conn.rekey.reauth)
677 {
678 reauth = msg->add_conn.rekey.ike_lifetime - over;
679 }
680 else
681 {
682 rekey = msg->add_conn.rekey.ike_lifetime - over;
683 }
684 switch (msg->add_conn.unique)
685 {
686 case 1: /* yes */
687 case 2: /* replace */
688 unique = UNIQUE_REPLACE;
689 break;
690 case 3: /* keep */
691 unique = UNIQUE_KEEP;
692 break;
693 case 4: /* never */
694 unique = UNIQUE_NEVER;
695 break;
696 default: /* no */
697 unique = UNIQUE_NO;
698 break;
699 }
700 if (msg->add_conn.dpd.action == 0)
701 { /* dpdaction=none disables DPD */
702 msg->add_conn.dpd.delay = 0;
703 }
704
705 /* other.sourceip is managed in stroke_attributes. If it is set, we define
706 * the pool name as the connection name, which the attribute provider
707 * uses to serve pool addresses. */
708 peer_cfg = peer_cfg_create(msg->add_conn.name,
709 msg->add_conn.version, ike_cfg,
710 msg->add_conn.me.sendcert, unique,
711 msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
712 msg->add_conn.mobike, msg->add_conn.aggressive,
713 msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
714 msg->add_conn.ikeme.mediation, mediated_by, peer_id);
715
716 if (msg->add_conn.other.sourceip)
717 {
718 enumerator_t *enumerator;
719 char *token;
720
721 enumerator = enumerator_create_token(msg->add_conn.other.sourceip,
722 ",", " ");
723 while (enumerator->enumerate(enumerator, &token))
724 {
725 if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
726 streq(token, "%config") || streq(token, "%cfg") ||
727 streq(token, "%config4") || streq(token, "%config6"))
728 {
729 /* empty pool, uses connection name */
730 this->attributes->add_pool(this->attributes,
731 mem_pool_create(msg->add_conn.name, NULL, 0));
732 peer_cfg->add_pool(peer_cfg, msg->add_conn.name);
733 }
734 else if (*token == '%')
735 {
736 /* external named pool */
737 peer_cfg->add_pool(peer_cfg, token + 1);
738 }
739 else
740 {
741 /* in-memory pool, named using CIDR notation */
742 host_t *base;
743 int bits;
744
745 base = host_create_from_subnet(token, &bits);
746 if (base)
747 {
748 this->attributes->add_pool(this->attributes,
749 mem_pool_create(token, base, bits));
750 peer_cfg->add_pool(peer_cfg, token);
751 base->destroy(base);
752 }
753 else
754 {
755 DBG1(DBG_CFG, "IP pool %s invalid, ignored", token);
756 }
757 }
758 }
759 enumerator->destroy(enumerator);
760 }
761
762 if (msg->add_conn.me.sourceip)
763 {
764 enumerator_t *enumerator;
765 char *token;
766
767 enumerator = enumerator_create_token(msg->add_conn.me.sourceip, ",", " ");
768 while (enumerator->enumerate(enumerator, &token))
769 {
770 host_t *vip = NULL;
771
772 if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
773 streq(token, "%config") || streq(token, "%cfg"))
774 { /* try to deduce an address family */
775 if (msg->add_conn.me.subnets)
776 { /* use the same family as in local subnet, if any */
777 if (strchr(msg->add_conn.me.subnets, '.'))
778 {
779 vip = host_create_any(AF_INET);
780 }
781 else
782 {
783 vip = host_create_any(AF_INET6);
784 }
785 }
786 else if (msg->add_conn.other.subnets)
787 { /* use the same family as in remote subnet, if any */
788 if (strchr(msg->add_conn.other.subnets, '.'))
789 {
790 vip = host_create_any(AF_INET);
791 }
792 else
793 {
794 vip = host_create_any(AF_INET6);
795 }
796 }
797 else
798 {
799 if (strchr(ike_cfg->get_my_addr(ike_cfg, NULL), ':'))
800 {
801 vip = host_create_any(AF_INET6);
802 }
803 else
804 {
805 vip = host_create_any(AF_INET);
806 }
807 }
808 }
809 else if (streq(token, "%config4"))
810 {
811 vip = host_create_any(AF_INET);
812 }
813 else if (streq(token, "%config6"))
814 {
815 vip = host_create_any(AF_INET6);
816 }
817 else
818 {
819 vip = host_create_from_string(token, 0);
820 if (vip)
821 {
822 DBG1(DBG_CFG, "ignored invalid subnet token: %s", token);
823 }
824 }
825
826 if (vip)
827 {
828 peer_cfg->add_virtual_ip(peer_cfg, vip);
829 }
830 }
831 enumerator->destroy(enumerator);
832 }
833
834 /* build leftauth= */
835 auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
836 if (auth_cfg)
837 {
838 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
839 }
840 else
841 { /* we require at least one config on our side */
842 peer_cfg->destroy(peer_cfg);
843 return NULL;
844 }
845 /* build leftauth2= */
846 auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
847 if (auth_cfg)
848 {
849 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
850 }
851 /* build rightauth= */
852 auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
853 if (auth_cfg)
854 {
855 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
856 }
857 /* build rightauth2= */
858 auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
859 if (auth_cfg)
860 {
861 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
862 }
863 return peer_cfg;
864 }
865
866 /**
867 * build a traffic selector from a stroke_end
868 */
869 static void add_ts(private_stroke_config_t *this,
870 stroke_end_t *end, child_cfg_t *child_cfg, bool local)
871 {
872 traffic_selector_t *ts;
873
874 if (end->tohost)
875 {
876 ts = traffic_selector_create_dynamic(end->protocol,
877 end->port ? end->port : 0, end->port ? end->port : 65535);
878 child_cfg->add_traffic_selector(child_cfg, local, ts);
879 }
880 else
881 {
882 host_t *net;
883
884 if (!end->subnets)
885 {
886 net = host_create_from_string(end->address, 0);
887 if (net)
888 {
889 ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
890 end->port);
891 child_cfg->add_traffic_selector(child_cfg, local, ts);
892 }
893 }
894 else
895 {
896 char *del, *start, *bits;
897
898 start = end->subnets;
899 do
900 {
901 int intbits = 0;
902
903 del = strchr(start, ',');
904 if (del)
905 {
906 *del = '\0';
907 }
908 bits = strchr(start, '/');
909 if (bits)
910 {
911 *bits = '\0';
912 intbits = atoi(bits + 1);
913 }
914
915 net = host_create_from_string(start, 0);
916 if (net)
917 {
918 ts = traffic_selector_create_from_subnet(net, intbits,
919 end->protocol, end->port);
920 child_cfg->add_traffic_selector(child_cfg, local, ts);
921 }
922 else
923 {
924 DBG1(DBG_CFG, "invalid subnet: %s, skipped", start);
925 }
926 start = del + 1;
927 }
928 while (del);
929 }
930 }
931 }
932
933 /**
934 * map starter magic values to our action type
935 */
936 static action_t map_action(int starter_action)
937 {
938 switch (starter_action)
939 {
940 case 2: /* =hold */
941 return ACTION_ROUTE;
942 case 3: /* =restart */
943 return ACTION_RESTART;
944 default:
945 return ACTION_NONE;
946 }
947 }
948
949 /**
950 * build a child config from the stroke message
951 */
952 static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
953 stroke_msg_t *msg)
954 {
955 child_cfg_t *child_cfg;
956 lifetime_cfg_t lifetime = {
957 .time = {
958 .life = msg->add_conn.rekey.ipsec_lifetime,
959 .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
960 .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
961 },
962 .bytes = {
963 .life = msg->add_conn.rekey.life_bytes,
964 .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
965 .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
966 },
967 .packets = {
968 .life = msg->add_conn.rekey.life_packets,
969 .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
970 .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
971 }
972 };
973 mark_t mark_in = {
974 .value = msg->add_conn.mark_in.value,
975 .mask = msg->add_conn.mark_in.mask
976 };
977 mark_t mark_out = {
978 .value = msg->add_conn.mark_out.value,
979 .mask = msg->add_conn.mark_out.mask
980 };
981
982 child_cfg = child_cfg_create(
983 msg->add_conn.name, &lifetime, msg->add_conn.me.updown,
984 msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE,
985 map_action(msg->add_conn.dpd.action),
986 map_action(msg->add_conn.close_action), msg->add_conn.ipcomp,
987 msg->add_conn.inactivity, msg->add_conn.reqid,
988 &mark_in, &mark_out, msg->add_conn.tfc);
989 child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
990 msg->add_conn.install_policy);
991 add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
992 add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
993
994 add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
995
996 return child_cfg;
997 }
998
999 METHOD(stroke_config_t, add, void,
1000 private_stroke_config_t *this, stroke_msg_t *msg)
1001 {
1002 ike_cfg_t *ike_cfg, *existing_ike;
1003 peer_cfg_t *peer_cfg, *existing;
1004 child_cfg_t *child_cfg;
1005 enumerator_t *enumerator;
1006 bool use_existing = FALSE;
1007
1008 ike_cfg = build_ike_cfg(this, msg);
1009 if (!ike_cfg)
1010 {
1011 return;
1012 }
1013 peer_cfg = build_peer_cfg(this, msg, ike_cfg);
1014 if (!peer_cfg)
1015 {
1016 ike_cfg->destroy(ike_cfg);
1017 return;
1018 }
1019
1020 enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
1021 while (enumerator->enumerate(enumerator, &existing))
1022 {
1023 existing_ike = existing->get_ike_cfg(existing);
1024 if (existing->equals(existing, peer_cfg) &&
1025 existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg)))
1026 {
1027 use_existing = TRUE;
1028 peer_cfg->destroy(peer_cfg);
1029 peer_cfg = existing;
1030 peer_cfg->get_ref(peer_cfg);
1031 DBG1(DBG_CFG, "added child to existing configuration '%s'",
1032 peer_cfg->get_name(peer_cfg));
1033 break;
1034 }
1035 }
1036 enumerator->destroy(enumerator);
1037
1038 child_cfg = build_child_cfg(this, msg);
1039 if (!child_cfg)
1040 {
1041 peer_cfg->destroy(peer_cfg);
1042 return;
1043 }
1044 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
1045
1046 if (use_existing)
1047 {
1048 peer_cfg->destroy(peer_cfg);
1049 }
1050 else
1051 {
1052 /* add config to backend */
1053 DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
1054 this->mutex->lock(this->mutex);
1055 this->list->insert_last(this->list, peer_cfg);
1056 this->mutex->unlock(this->mutex);
1057 }
1058 }
1059
1060 METHOD(stroke_config_t, del, void,
1061 private_stroke_config_t *this, stroke_msg_t *msg)
1062 {
1063 enumerator_t *enumerator, *children;
1064 peer_cfg_t *peer;
1065 child_cfg_t *child;
1066 bool deleted = FALSE;
1067
1068 this->mutex->lock(this->mutex);
1069 enumerator = this->list->create_enumerator(this->list);
1070 while (enumerator->enumerate(enumerator, (void**)&peer))
1071 {
1072 bool keep = FALSE;
1073
1074 /* remove any child with such a name */
1075 children = peer->create_child_cfg_enumerator(peer);
1076 while (children->enumerate(children, &child))
1077 {
1078 if (streq(child->get_name(child), msg->del_conn.name))
1079 {
1080 peer->remove_child_cfg(peer, children);
1081 child->destroy(child);
1082 deleted = TRUE;
1083 }
1084 else
1085 {
1086 keep = TRUE;
1087 }
1088 }
1089 children->destroy(children);
1090
1091 /* if peer config matches, or has no children anymore, remove it */
1092 if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
1093 {
1094 this->list->remove_at(this->list, enumerator);
1095 peer->destroy(peer);
1096 deleted = TRUE;
1097 }
1098 }
1099 enumerator->destroy(enumerator);
1100 this->mutex->unlock(this->mutex);
1101
1102 if (deleted)
1103 {
1104 DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
1105 }
1106 else
1107 {
1108 DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
1109 }
1110 }
1111
1112 METHOD(stroke_config_t, set_user_credentials, void,
1113 private_stroke_config_t *this, stroke_msg_t *msg, FILE *prompt)
1114 {
1115 enumerator_t *enumerator, *children, *remote_auth;
1116 peer_cfg_t *peer, *found = NULL;
1117 auth_cfg_t *auth_cfg, *remote_cfg;
1118 auth_class_t auth_class;
1119 child_cfg_t *child;
1120 identification_t *id, *identity, *gw = NULL;
1121 shared_key_type_t type = SHARED_ANY;
1122 chunk_t password = chunk_empty;
1123
1124 this->mutex->lock(this->mutex);
1125 enumerator = this->list->create_enumerator(this->list);
1126 while (enumerator->enumerate(enumerator, (void**)&peer))
1127 { /* find the peer (or child) config with the given name */
1128 if (streq(peer->get_name(peer), msg->user_creds.name))
1129 {
1130 found = peer;
1131 }
1132 else
1133 {
1134 children = peer->create_child_cfg_enumerator(peer);
1135 while (children->enumerate(children, &child))
1136 {
1137 if (streq(child->get_name(child), msg->user_creds.name))
1138 {
1139 found = peer;
1140 break;
1141 }
1142 }
1143 children->destroy(children);
1144 }
1145
1146 if (found)
1147 {
1148 break;
1149 }
1150 }
1151 enumerator->destroy(enumerator);
1152
1153 if (!found)
1154 {
1155 DBG1(DBG_CFG, " no config named '%s'", msg->user_creds.name);
1156 fprintf(prompt, "no config named '%s'\n", msg->user_creds.name);
1157 this->mutex->unlock(this->mutex);
1158 return;
1159 }
1160
1161 id = identification_create_from_string(msg->user_creds.username);
1162 if (strlen(msg->user_creds.username) == 0 ||
1163 !id || id->get_type(id) == ID_ANY)
1164 {
1165 DBG1(DBG_CFG, " invalid username '%s'", msg->user_creds.username);
1166 fprintf(prompt, "invalid username '%s'\n", msg->user_creds.username);
1167 this->mutex->unlock(this->mutex);
1168 DESTROY_IF(id);
1169 return;
1170 }
1171
1172 /* replace/set the username in the first EAP auth_cfg, also look for a
1173 * suitable remote ID.
1174 * note that adding the identity here is not fully thread-safe as the
1175 * peer_cfg and in turn the auth_cfg could be in use. for the default use
1176 * case (setting user credentials before upping the connection) this will
1177 * not be a problem, though. */
1178 enumerator = found->create_auth_cfg_enumerator(found, TRUE);
1179 remote_auth = found->create_auth_cfg_enumerator(found, FALSE);
1180 while (enumerator->enumerate(enumerator, (void**)&auth_cfg))
1181 {
1182 if (remote_auth->enumerate(remote_auth, (void**)&remote_cfg))
1183 { /* fall back on rightid, in case aaa_identity is not specified */
1184 identity = remote_cfg->get(remote_cfg, AUTH_RULE_IDENTITY);
1185 if (identity && identity->get_type(identity) != ID_ANY)
1186 {
1187 gw = identity;
1188 }
1189 }
1190
1191 auth_class = (uintptr_t)auth_cfg->get(auth_cfg, AUTH_RULE_AUTH_CLASS);
1192 if (auth_class == AUTH_CLASS_EAP)
1193 {
1194 auth_cfg->add(auth_cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
1195 /* if aaa_identity is specified use that as remote ID */
1196 identity = auth_cfg->get(auth_cfg, AUTH_RULE_AAA_IDENTITY);
1197 if (identity && identity->get_type(identity) != ID_ANY)
1198 {
1199 gw = identity;
1200 }
1201 DBG1(DBG_CFG, " configured EAP-Identity %Y", id);
1202 type = SHARED_EAP;
1203 break;
1204 }
1205 }
1206 enumerator->destroy(enumerator);
1207 remote_auth->destroy(remote_auth);
1208 /* clone the gw ID before unlocking the mutex */
1209 if (gw)
1210 {
1211 gw = gw->clone(gw);
1212 }
1213 this->mutex->unlock(this->mutex);
1214
1215 if (type == SHARED_ANY)
1216 {
1217 DBG1(DBG_CFG, " config '%s' unsuitable for user credentials",
1218 msg->user_creds.name);
1219 fprintf(prompt, "config '%s' unsuitable for user credentials\n",
1220 msg->user_creds.name);
1221 id->destroy(id);
1222 DESTROY_IF(gw);
1223 return;
1224 }
1225
1226 if (msg->user_creds.password)
1227 {
1228 char *pass;
1229
1230 pass = msg->user_creds.password;
1231 password = chunk_clone(chunk_create(pass, strlen(pass)));
1232 memwipe(pass, strlen(pass));
1233 }
1234 else
1235 { /* prompt the user for the password */
1236 char buf[256];
1237
1238 fprintf(prompt, "Password:\n");
1239 if (fgets(buf, sizeof(buf), prompt))
1240 {
1241 password = chunk_clone(chunk_create(buf, strlen(buf)));
1242 if (password.len > 0)
1243 { /* trim trailing \n */
1244 password.len--;
1245 }
1246 memwipe(buf, sizeof(buf));
1247 }
1248 }
1249
1250 if (password.len)
1251 {
1252 shared_key_t *shared;
1253 linked_list_t *owners;
1254
1255 shared = shared_key_create(type, password);
1256
1257 owners = linked_list_create();
1258 owners->insert_last(owners, id->clone(id));
1259 if (gw && gw->get_type(gw) != ID_ANY)
1260 {
1261 owners->insert_last(owners, gw->clone(gw));
1262 DBG1(DBG_CFG, " added %N secret for %Y %Y", shared_key_type_names,
1263 type, id, gw);
1264 }
1265 else
1266 {
1267 DBG1(DBG_CFG, " added %N secret for %Y", shared_key_type_names,
1268 type, id);
1269 }
1270 this->cred->add_shared(this->cred, shared, owners);
1271 DBG4(DBG_CFG, " secret: %#B", &password);
1272 }
1273 else
1274 { /* in case a user answers the password prompt by just pressing enter */
1275 chunk_clear(&password);
1276 }
1277 id->destroy(id);
1278 DESTROY_IF(gw);
1279 }
1280
1281 METHOD(stroke_config_t, destroy, void,
1282 private_stroke_config_t *this)
1283 {
1284 this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy));
1285 this->mutex->destroy(this->mutex);
1286 free(this);
1287 }
1288
1289 /*
1290 * see header file
1291 */
1292 stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
1293 stroke_attribute_t *attributes)
1294 {
1295 private_stroke_config_t *this;
1296
1297 INIT(this,
1298 .public = {
1299 .backend = {
1300 .create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
1301 .create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
1302 .get_peer_cfg_by_name = _get_peer_cfg_by_name,
1303 },
1304 .add = _add,
1305 .del = _del,
1306 .set_user_credentials = _set_user_credentials,
1307 .destroy = _destroy,
1308 },
1309 .list = linked_list_create(),
1310 .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
1311 .ca = ca,
1312 .cred = cred,
1313 .attributes = attributes,
1314 );
1315
1316 return &this->public;
1317 }
1318
strongSwan - IPsec VPN