more concise listing of ESP algorithms
[strongswan.git] / src / pluto / rcv_whack.c
1 /* whack communicating routines
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <stddef.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <unistd.h>
21 #include <errno.h>
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/un.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27 #include <resolv.h>
28 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
29 #include <sys/queue.h>
30 #include <fcntl.h>
31
32 #include <freeswan.h>
33
34 #include "constants.h"
35 #include "defs.h"
36 #include "id.h"
37 #include "ca.h"
38 #include "certs.h"
39 #include "ac.h"
40 #include "smartcard.h"
41 #include "connections.h"
42 #include "foodgroups.h"
43 #include "whack.h" /* needs connections.h */
44 #include "packet.h"
45 #include "demux.h" /* needs packet.h */
46 #include "state.h"
47 #include "ipsec_doi.h" /* needs demux.h and state.h */
48 #include "kernel.h"
49 #include "rcv_whack.h"
50 #include "log.h"
51 #include "keys.h"
52 #include "adns.h" /* needs <resolv.h> */
53 #include "dnskey.h" /* needs keys.h and adns.h */
54 #include "server.h"
55 #include "fetch.h"
56 #include "ocsp.h"
57 #include "crl.h"
58
59 #include "kernel_alg.h"
60 #include "ike_alg.h"
61 /* helper variables and function to decode strings from whack message */
62
63 static char *next_str
64 , *str_roof;
65
66 static bool
67 unpack_str(char **p)
68 {
69 char *end = memchr(next_str, '\0', str_roof - next_str);
70
71 if (end == NULL)
72 {
73 return FALSE; /* fishy: no end found */
74 }
75 else
76 {
77 *p = next_str == end? NULL : next_str;
78 next_str = end + 1;
79 return TRUE;
80 }
81 }
82
83 /* bits loading keys from asynchronous DNS */
84
85 enum key_add_attempt {
86 ka_TXT,
87 #ifdef USE_KEYRR
88 ka_KEY,
89 #endif
90 ka_roof /* largest value + 1 */
91 };
92
93 struct key_add_common {
94 int refCount;
95 char *diag[ka_roof];
96 int whack_fd;
97 bool success;
98 };
99
100 struct key_add_continuation {
101 struct adns_continuation ac; /* common prefix */
102 struct key_add_common *common; /* common data */
103 enum key_add_attempt lookingfor;
104 };
105
106 static void
107 key_add_ugh(const struct id *keyid, err_t ugh)
108 {
109 char name[BUF_LEN]; /* longer IDs will be truncated in message */
110
111 (void)idtoa(keyid, name, sizeof(name));
112 loglog(RC_NOKEY
113 , "failure to fetch key for %s from DNS: %s", name, ugh);
114 }
115
116 /* last one out: turn out the lights */
117 static void
118 key_add_merge(struct key_add_common *oc, const struct id *keyid)
119 {
120 if (oc->refCount == 0)
121 {
122 enum key_add_attempt kaa;
123
124 /* if no success, print all diagnostics */
125 if (!oc->success)
126 for (kaa = ka_TXT; kaa != ka_roof; kaa++)
127 key_add_ugh(keyid, oc->diag[kaa]);
128
129 for (kaa = ka_TXT; kaa != ka_roof; kaa++)
130 {
131 free(oc->diag[kaa]);
132 }
133 close(oc->whack_fd);
134 free(oc);
135 }
136 }
137
138 static void
139 key_add_continue(struct adns_continuation *ac, err_t ugh)
140 {
141 struct key_add_continuation *kc = (void *) ac;
142 struct key_add_common *oc = kc->common;
143
144 passert(whack_log_fd == NULL_FD);
145 whack_log_fd = oc->whack_fd;
146
147 if (ugh != NULL)
148 {
149 oc->diag[kc->lookingfor] = clone_str(ugh);
150 }
151 else
152 {
153 oc->success = TRUE;
154 transfer_to_public_keys(kc->ac.gateways_from_dns
155 #ifdef USE_KEYRR
156 , &kc->ac.keys_from_dns
157 #endif /* USE_KEYRR */
158 );
159 }
160
161 oc->refCount--;
162 key_add_merge(oc, &ac->id);
163 whack_log_fd = NULL_FD;
164 }
165
166 static void
167 key_add_request(const whack_message_t *msg)
168 {
169 struct id keyid;
170 err_t ugh = atoid(msg->keyid, &keyid, FALSE);
171
172 if (ugh != NULL)
173 {
174 loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
175 }
176 else
177 {
178 if (!msg->whack_addkey)
179 delete_public_keys(&keyid, msg->pubkey_alg
180 , chunk_empty, chunk_empty);
181
182 if (msg->keyval.len == 0)
183 {
184 struct key_add_common *oc = malloc_thing(struct key_add_common);
185 enum key_add_attempt kaa;
186
187 /* initialize state shared by queries */
188 oc->refCount = 0;
189 oc->whack_fd = dup_any(whack_log_fd);
190 oc->success = FALSE;
191
192 for (kaa = ka_TXT; kaa != ka_roof; kaa++)
193 {
194 struct key_add_continuation *kc;
195
196 oc->diag[kaa] = NULL;
197 oc->refCount++;
198 kc = malloc_thing(struct key_add_continuation);
199 kc->common = oc;
200 kc->lookingfor = kaa;
201
202 switch (kaa)
203 {
204 case ka_TXT:
205 ugh = start_adns_query(&keyid
206 , &keyid /* same */
207 , T_TXT
208 , key_add_continue
209 , &kc->ac);
210 break;
211 #ifdef USE_KEYRR
212 case ka_KEY:
213 ugh = start_adns_query(&keyid
214 , NULL
215 , T_KEY
216 , key_add_continue
217 , &kc->ac);
218 break;
219 #endif /* USE_KEYRR */
220 default:
221 bad_case(kaa); /* suppress gcc warning */
222 }
223 if (ugh != NULL)
224 {
225 oc->diag[kaa] = clone_str(ugh);
226 oc->refCount--;
227 }
228 }
229
230 /* Done launching queries.
231 * Handle total failure case.
232 */
233 key_add_merge(oc, &keyid);
234 }
235 else
236 {
237 if (!add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
238 &pubkeys))
239 {
240 loglog(RC_LOG_SERIOUS, "failed to add public key");
241 }
242 }
243 }
244 }
245
246 /* Handle a kernel request. Supposedly, there's a message in
247 * the kernelsock socket.
248 */
249 void
250 whack_handle(int whackctlfd)
251 {
252 whack_message_t msg;
253 struct sockaddr_un whackaddr;
254 int whackaddrlen = sizeof(whackaddr);
255 int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
256 /* Note: actual value in n should fit in int. To print, cast to int. */
257 ssize_t n;
258
259 if (whackfd < 0)
260 {
261 log_errno((e, "accept() failed in whack_handle()"));
262 return;
263 }
264 if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0)
265 {
266 log_errno((e, "failed to set CLOEXEC in whack_handle()"));
267 close(whackfd);
268 return;
269 }
270
271 n = read(whackfd, &msg, sizeof(msg));
272
273 if (n == -1)
274 {
275 log_errno((e, "read() failed in whack_handle()"));
276 close(whackfd);
277 return;
278 }
279
280 whack_log_fd = whackfd;
281
282 /* sanity check message */
283 {
284 err_t ugh = NULL;
285
286 next_str = msg.string;
287 str_roof = (char *)&msg + n;
288
289 if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown))
290 {
291 ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n);
292 }
293 else if (msg.magic != WHACK_MAGIC)
294 {
295 if (msg.magic == WHACK_BASIC_MAGIC)
296 {
297 /* Only shutdown command. Simpler inter-version compatability. */
298 if (msg.whack_shutdown)
299 {
300 plog("shutting down");
301 exit_pluto(0); /* delete lock and leave, with 0 status */
302 }
303 ugh = ""; /* bail early, but without complaint */
304 }
305 else
306 {
307 ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version"
308 , msg.magic, WHACK_MAGIC);
309 }
310 }
311 else if (next_str > str_roof)
312 {
313 ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u"
314 , (int) n, (unsigned) sizeof(msg));
315 }
316 else if (!unpack_str(&msg.name) /* string 1 */
317 || !unpack_str(&msg.left.id) /* string 2 */
318 || !unpack_str(&msg.left.cert) /* string 3 */
319 || !unpack_str(&msg.left.ca) /* string 4 */
320 || !unpack_str(&msg.left.groups) /* string 5 */
321 || !unpack_str(&msg.left.updown) /* string 6 */
322 || !unpack_str(&msg.left.virt) /* string 7 */
323 || !unpack_str(&msg.right.id) /* string 8 */
324 || !unpack_str(&msg.right.cert) /* string 9 */
325 || !unpack_str(&msg.right.ca) /* string 10 */
326 || !unpack_str(&msg.right.groups) /* string 11 */
327 || !unpack_str(&msg.right.updown) /* string 12 */
328 || !unpack_str(&msg.right.virt) /* string 13 */
329 || !unpack_str(&msg.keyid) /* string 14 */
330 || !unpack_str(&msg.myid) /* string 15 */
331 || !unpack_str(&msg.cacert) /* string 16 */
332 || !unpack_str(&msg.ldaphost) /* string 17 */
333 || !unpack_str(&msg.ldapbase) /* string 18 */
334 || !unpack_str(&msg.crluri) /* string 19 */
335 || !unpack_str(&msg.crluri2) /* string 20 */
336 || !unpack_str(&msg.ocspuri) /* string 21 */
337 || !unpack_str(&msg.ike) /* string 22 */
338 || !unpack_str(&msg.esp) /* string 23 */
339 || !unpack_str(&msg.sc_data) /* string 24 */
340 || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
341 {
342 ugh = "message from whack contains bad string";
343 }
344 else
345 {
346 msg.keyval.ptr = next_str; /* grab chunk */
347 }
348
349 if (ugh != NULL)
350 {
351 if (*ugh != '\0')
352 loglog(RC_BADWHACKMESSAGE, "%s", ugh);
353 whack_log_fd = NULL_FD;
354 close(whackfd);
355 return;
356 }
357 }
358
359 if (msg.whack_options)
360 {
361 #ifdef DEBUG
362 if (msg.name == NULL)
363 {
364 /* we do a two-step so that if either old or new would
365 * cause the message to print, it will be printed.
366 */
367 cur_debugging |= msg.debugging;
368 DBG(DBG_CONTROL
369 , DBG_log("base debugging = %s"
370 , bitnamesof(debug_bit_names, msg.debugging)));
371 cur_debugging = base_debugging = msg.debugging;
372 }
373 else if (!msg.whack_connection)
374 {
375 struct connection *c = con_by_name(msg.name, TRUE);
376
377 if (c != NULL)
378 {
379 c->extra_debugging = msg.debugging;
380 DBG(DBG_CONTROL
381 , DBG_log("\"%s\" extra_debugging = %s"
382 , c->name
383 , bitnamesof(debug_bit_names, c->extra_debugging)));
384 }
385 }
386 #endif
387 }
388
389 if (msg.whack_myid)
390 set_myid(MYID_SPECIFIED, msg.myid);
391
392 /* Deleting combined with adding a connection works as replace.
393 * To make this more useful, in only this combination,
394 * delete will silently ignore the lack of the connection.
395 */
396 if (msg.whack_delete)
397 {
398 if (msg.whack_ca)
399 find_ca_info_by_name(msg.name, TRUE);
400 else
401 delete_connections_by_name(msg.name, !msg.whack_connection);
402 }
403
404 if (msg.whack_deletestate)
405 {
406 struct state *st = state_with_serialno(msg.whack_deletestateno);
407
408 if (st == NULL)
409 {
410 loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
411 , msg.whack_deletestateno);
412 }
413 else
414 {
415 delete_state(st);
416 }
417 }
418
419 if (msg.whack_crash)
420 delete_states_by_peer(&msg.whack_crash_peer);
421
422 if (msg.whack_connection)
423 add_connection(&msg);
424
425 if (msg.whack_ca && msg.cacert != NULL)
426 add_ca_info(&msg);
427
428 /* process "listen" before any operation that could require it */
429 if (msg.whack_listen)
430 {
431 close_peerlog(); /* close any open per-peer logs */
432 plog("listening for IKE messages");
433 listening = TRUE;
434 daily_log_reset();
435 reset_adns_restart_count();
436 set_myFQDN();
437 find_ifaces();
438 load_preshared_secrets(NULL_FD);
439 load_groups();
440 }
441 if (msg.whack_unlisten)
442 {
443 plog("no longer listening for IKE messages");
444 listening = FALSE;
445 }
446
447 if (msg.whack_reread & REREAD_SECRETS)
448 {
449 load_preshared_secrets(whackfd);
450 }
451
452 if (msg.whack_reread & REREAD_CACERTS)
453 {
454 load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
455 }
456
457 if (msg.whack_reread & REREAD_AACERTS)
458 {
459 load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
460 }
461
462 if (msg.whack_reread & REREAD_OCSPCERTS)
463 {
464 load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
465 }
466
467 if (msg.whack_reread & REREAD_ACERTS)
468 {
469 load_acerts();
470 }
471
472 if (msg.whack_reread & REREAD_CRLS)
473 {
474 load_crls();
475 }
476
477 if (msg.whack_purgeocsp)
478 {
479 free_ocsp_fetch();
480 free_ocsp_cache();
481 }
482
483 if (msg.whack_list & LIST_PUBKEYS)
484 {
485 list_public_keys(msg.whack_utc);
486 }
487
488 if (msg.whack_list & LIST_CERTS)
489 {
490 list_certs(msg.whack_utc);
491 }
492
493 if (msg.whack_list & LIST_CACERTS)
494 {
495 list_authcerts("CA", AUTH_CA, msg.whack_utc);
496 }
497
498 if (msg.whack_list & LIST_AACERTS)
499 {
500 list_authcerts("AA", AUTH_AA, msg.whack_utc);
501 }
502
503 if (msg.whack_list & LIST_OCSPCERTS)
504 {
505 list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc);
506 }
507
508 if (msg.whack_list & LIST_ACERTS)
509 {
510 list_acerts(msg.whack_utc);
511 }
512
513 if (msg.whack_list & LIST_GROUPS)
514 {
515 list_groups(msg.whack_utc);
516 }
517
518 if (msg.whack_list & LIST_CAINFOS)
519 {
520 list_ca_infos(msg.whack_utc);
521 }
522
523 if (msg.whack_list & LIST_CRLS)
524 {
525 list_crls(msg.whack_utc, strict_crl_policy);
526 list_crl_fetch_requests(msg.whack_utc);
527 }
528
529 if (msg.whack_list & LIST_OCSP)
530 {
531 list_ocsp_cache(msg.whack_utc, strict_crl_policy);
532 list_ocsp_fetch_requests(msg.whack_utc);
533 }
534
535 if (msg.whack_list & LIST_CARDS)
536 {
537 scx_list(msg.whack_utc);
538 }
539
540 if (msg.whack_list & LIST_ALGS)
541 {
542 ike_alg_list();
543 kernel_alg_list();
544 }
545
546 if (msg.whack_key)
547 {
548 /* add a public key */
549 key_add_request(&msg);
550 }
551
552 if (msg.whack_route)
553 {
554 if (!listening)
555 {
556 whack_log(RC_DEAF, "need --listen before --route");
557 }
558 if (msg.name == NULL)
559 {
560 whack_log(RC_UNKNOWN_NAME
561 , "whack --route requires a connection name");
562 }
563 else
564 {
565 struct connection *c = con_by_name(msg.name, TRUE);
566
567 if (c != NULL && c->ikev1)
568 {
569 set_cur_connection(c);
570 if (!oriented(*c))
571 whack_log(RC_ORIENT
572 , "we have no ipsecN interface for either end of this connection");
573 else if (c->policy & POLICY_GROUP)
574 route_group(c);
575 else if (!trap_connection(c))
576 whack_log(RC_ROUTE, "could not route");
577 reset_cur_connection();
578 }
579 }
580 }
581
582 if (msg.whack_unroute)
583 {
584 if (msg.name == NULL)
585 {
586 whack_log(RC_UNKNOWN_NAME
587 , "whack --unroute requires a connection name");
588 }
589 else
590 {
591 struct connection *c = con_by_name(msg.name, TRUE);
592
593 if (c != NULL && c->ikev1)
594 {
595 struct spd_route *sr;
596 int fail = 0;
597
598 set_cur_connection(c);
599
600 for (sr = &c->spd; sr != NULL; sr = sr->next)
601 {
602 if (sr->routing >= RT_ROUTED_TUNNEL)
603 fail++;
604 }
605 if (fail > 0)
606 whack_log(RC_RTBUSY, "cannot unroute: route busy");
607 else if (c->policy & POLICY_GROUP)
608 unroute_group(c);
609 else
610 unroute_connection(c);
611 reset_cur_connection();
612 }
613 }
614 }
615
616 if (msg.whack_initiate)
617 {
618 if (!listening)
619 {
620 whack_log(RC_DEAF, "need --listen before --initiate");
621 }
622 else if (msg.name == NULL)
623 {
624 whack_log(RC_UNKNOWN_NAME
625 , "whack --initiate requires a connection name");
626 }
627 else
628 {
629 initiate_connection(msg.name
630 , msg.whack_async? NULL_FD : dup_any(whackfd));
631 }
632 }
633
634 if (msg.whack_oppo_initiate)
635 {
636 if (!listening)
637 whack_log(RC_DEAF, "need --listen before opportunistic initiation");
638 else
639 initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0
640 , FALSE
641 , msg.whack_async? NULL_FD : dup_any(whackfd));
642 }
643
644 if (msg.whack_terminate)
645 {
646 if (msg.name == NULL)
647 {
648 whack_log(RC_UNKNOWN_NAME
649 , "whack --terminate requires a connection name");
650 }
651 else
652 {
653 terminate_connection(msg.name);
654 }
655 }
656
657 if (msg.whack_status)
658 show_status(msg.whack_statusall, msg.name);
659
660 if (msg.whack_shutdown)
661 {
662 plog("shutting down");
663 exit_pluto(0); /* delete lock and leave, with 0 status */
664 }
665
666 if (msg.whack_sc_op != SC_OP_NONE)
667 {
668 if (pkcs11_proxy)
669 scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase
670 , msg.whack_sc_op, msg.keyid, whackfd);
671 else
672 plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)");
673 }
674
675 whack_log_fd = NULL_FD;
676 close(whackfd);
677 }
678
679 /*
680 * Local Variables:
681 * c-basic-offset:4
682 * c-style: pluto
683 * End:
684 */