unity: Handle narrowing according to roles in the IKE_SA
[strongswan.git] / src / libcharon / plugins / unity / unity_narrow.c
1 /*
2 * Copyright (C) 2012 Martin Willi
3 * Copyright (C) 2012 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "unity_narrow.h"
17
18 #include <daemon.h>
19
20 typedef struct private_unity_narrow_t private_unity_narrow_t;
21
22 /**
23 * Private data of an unity_narrow_t object.
24 */
25 struct private_unity_narrow_t {
26
27 /**
28 * Public unity_narrow_t interface.
29 */
30 unity_narrow_t public;
31
32 /**
33 * Unity attribute handler
34 */
35 unity_handler_t *handler;
36 };
37
38 /**
39 * Narrow the given received traffic selector with the child configuration and
40 * put them into the given list of TS
41 */
42 static void narrow_ts(child_cfg_t *cfg, traffic_selector_t *ts,
43 linked_list_t *list)
44 {
45 linked_list_t *received, *selected;
46
47 received = linked_list_create();
48 received->insert_last(received, ts);
49 selected = cfg->get_traffic_selectors(cfg, FALSE, received, NULL);
50 while (selected->remove_first(selected, (void**)&ts) == SUCCESS)
51 {
52 list->insert_last(list, ts);
53 }
54 selected->destroy(selected);
55 received->destroy(received);
56 }
57
58 /**
59 * Narrow TS as initiator to Unity Split-Include/Local-LAN
60 */
61 static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
62 child_cfg_t *cfg, linked_list_t *remote)
63 {
64 traffic_selector_t *current, *orig = NULL;
65 enumerator_t *enumerator;
66
67 enumerator = this->handler->create_include_enumerator(this->handler,
68 ike_sa->get_unique_id(ike_sa));
69 while (enumerator->enumerate(enumerator, &current))
70 {
71 if (orig == NULL)
72 { /* got one, replace original TS */
73 if (remote->remove_first(remote, (void**)&orig) != SUCCESS)
74 {
75 break;
76 }
77 }
78 narrow_ts(cfg, current, remote);
79 }
80 enumerator->destroy(enumerator);
81 if (orig)
82 {
83 DBG1(DBG_CFG, "narrowed CHILD_SA to %N %#R",
84 configuration_attribute_type_names,
85 UNITY_SPLIT_INCLUDE, remote);
86 orig->destroy(orig);
87 }
88 else
89 { /* since we originally changed the traffic selector to 0.0.0.0/0 local
90 * narrowing is not applied if no Split-Include attrs are received */
91 if (remote->remove_first(remote, (void**)&orig) == SUCCESS)
92 {
93 narrow_ts(cfg, orig, remote);
94 orig->destroy(orig);
95 }
96 }
97 }
98
99 /**
100 * As initiator and responder, bump up TS to 0.0.0.0/0 for on-the-wire bits
101 */
102 static void narrow_pre(linked_list_t *list, char *side)
103 {
104 traffic_selector_t *ts;
105
106 while (list->remove_first(list, (void**)&ts) == SUCCESS)
107 {
108 ts->destroy(ts);
109 }
110 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
111 "0.0.0.0", 0,
112 "255.255.255.255", 65535);
113 if (ts)
114 {
115 DBG2(DBG_CFG, "changing proposed traffic selectors for %s:", side);
116 DBG2(DBG_CFG, " %R", ts);
117 list->insert_last(list, ts);
118 }
119 }
120
121 /**
122 * As responder, narrow down TS to configuration for installation
123 */
124 static void narrow_responder_post(child_cfg_t *child_cfg, linked_list_t *local)
125 {
126 traffic_selector_t *ts;
127 linked_list_t *configured;
128
129 while (local->remove_first(local, (void**)&ts) == SUCCESS)
130 {
131 ts->destroy(ts);
132 }
133 configured = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
134
135 while (configured->remove_first(configured, (void**)&ts) == SUCCESS)
136 {
137 local->insert_last(local, ts);
138 }
139 configured->destroy(configured);
140 }
141
142 METHOD(listener_t, narrow, bool,
143 private_unity_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
144 narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
145 {
146 if (ike_sa->get_version(ike_sa) == IKEV1 &&
147 ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
148 {
149 /* depending on who initiates a rekeying the hooks will not match the
150 * roles in the IKE_SA */
151 if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
152 {
153 switch (type)
154 {
155 case NARROW_INITIATOR_PRE_AUTH:
156 case NARROW_RESPONDER:
157 narrow_pre(remote, "other");
158 break;
159 case NARROW_INITIATOR_POST_AUTH:
160 case NARROW_RESPONDER_POST:
161 narrow_initiator(this, ike_sa,
162 child_sa->get_config(child_sa), remote);
163 break;
164 default:
165 break;
166 }
167 }
168 else
169 {
170 switch (type)
171 {
172 case NARROW_INITIATOR_PRE_AUTH:
173 case NARROW_RESPONDER:
174 narrow_pre(local, "us");
175 break;
176 case NARROW_INITIATOR_POST_AUTH:
177 case NARROW_RESPONDER_POST:
178 narrow_responder_post(child_sa->get_config(child_sa), local);
179 break;
180 default:
181 break;
182 }
183 }
184 }
185 return TRUE;
186 }
187
188 METHOD(unity_narrow_t, destroy, void,
189 private_unity_narrow_t *this)
190 {
191 free(this);
192 }
193
194 /**
195 * See header
196 */
197 unity_narrow_t *unity_narrow_create(unity_handler_t *handler)
198 {
199 private_unity_narrow_t *this;
200
201 INIT(this,
202 .public = {
203 .listener = {
204 .narrow = _narrow,
205 },
206 .destroy = _destroy,
207 },
208 .handler = handler,
209 );
210
211 return &this->public;
212 }