support of %any address string
[strongswan.git] / src / starter / starterstroke.c
1 /* Stroke for charon is the counterpart to whack from pluto
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id$
16 */
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <sys/un.h>
21 #include <stddef.h>
22 #include <unistd.h>
23 #include <stdlib.h>
24 #include <errno.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27
28 #include <freeswan.h>
29
30 #include <constants.h>
31 #include <defs.h>
32 #include <log.h>
33
34 #include <stroke_msg.h>
35
36 #include "starterstroke.h"
37 #include "confread.h"
38 #include "files.h"
39
40 #define IPV4_LEN 4
41 #define IPV6_LEN 16
42
43 /**
44 * Authentication methods, must be the same as in charons authenticator.h
45 */
46 enum auth_method_t {
47 AUTH_PUBKEY = 1,
48 AUTH_PSK = 2,
49 AUTH_EAP = 3
50 };
51
52 static char* push_string(stroke_msg_t *msg, char *string)
53 {
54 unsigned long string_start = msg->length;
55
56 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
57 {
58 return NULL;
59 }
60 else
61 {
62 msg->length += strlen(string) + 1;
63 strcpy((char*)msg + string_start, string);
64 return (char*)string_start;
65 }
66 }
67
68 static int send_stroke_msg (stroke_msg_t *msg)
69 {
70 struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
71 int byte_count;
72 char buffer[64];
73
74 /* starter is not called from commandline, and therefore absolutely silent */
75 msg->output_verbosity = -1;
76
77 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
78
79 if (sock < 0)
80 {
81 plog("socket() failed: %s", strerror(errno));
82 return -1;
83 }
84 if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
85 {
86 plog("connect(charon_ctl) failed: %s", strerror(errno));
87 close(sock);
88 return -1;
89 }
90
91 /* send message */
92 if (write(sock, msg, msg->length) != msg->length)
93 {
94 plog("write(charon_ctl) failed: %s", strerror(errno));
95 close(sock);
96 return -1;
97 }
98 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
99 {
100 buffer[byte_count] = '\0';
101 plog("%s", buffer);
102 }
103 if (byte_count < 0)
104 {
105 plog("read() failed: %s", strerror(errno));
106 }
107
108 close(sock);
109 return 0;
110 }
111
112 static char* connection_name(starter_conn_t *conn)
113 {
114 /* if connection name is '%auto', create a new name like conn_xxxxx */
115 static char buf[32];
116
117 if (streq(conn->name, "%auto"))
118 {
119 sprintf(buf, "conn_%ld", conn->id);
120 return buf;
121 }
122 return conn->name;
123 }
124
125 static void ip_address2string(ip_address *addr, char *buffer, size_t len)
126 {
127 switch (((struct sockaddr*)addr)->sa_family)
128 {
129 case AF_INET:
130 {
131 struct sockaddr_in* sin = (struct sockaddr_in*)addr;
132 u_int8_t zeroes[IPV4_LEN];
133
134 memset(zeroes, 0, IPV4_LEN);
135 if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
136 inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
137 {
138 return;
139 }
140 break;
141 }
142 case AF_INET6:
143 {
144 struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
145 u_int8_t zeroes[IPV6_LEN];
146
147 memset(zeroes, 0, IPV6_LEN);
148 if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
149 inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
150 {
151 return;
152 }
153 break;
154 }
155 default:
156 break;
157 }
158 /* default */
159 snprintf(buffer, len, "%%any");
160 }
161
162
163 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
164 {
165 char buffer[INET6_ADDRSTRLEN];
166
167 msg_end->id = push_string(msg, conn_end->id);
168 msg_end->cert = push_string(msg, conn_end->cert);
169 msg_end->ca = push_string(msg, conn_end->ca);
170 msg_end->groups = push_string(msg, conn_end->groups);
171 msg_end->updown = push_string(msg, conn_end->updown);
172 ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
173 msg_end->address = push_string(msg, buffer);
174 msg_end->subnets = push_string(msg, conn_end->subnet);
175 msg_end->sendcert = conn_end->sendcert;
176 msg_end->hostaccess = conn_end->hostaccess;
177 msg_end->tohost = !conn_end->has_client;
178 msg_end->protocol = conn_end->protocol;
179 msg_end->port = conn_end->port;
180 if (conn_end->srcip)
181 {
182 if (conn_end->srcip[0] == '%')
183 { /* %poolname, strip % */
184 msg_end->sourceip_size = 0;
185 msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
186 }
187 else
188 {
189 char *pos = strchr(conn_end->srcip, '/');
190 if (pos)
191 { /* CIDR subnet definition */
192 snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
193 msg_end->sourceip = push_string(msg, buffer);
194 msg_end->sourceip_size = atoi(pos + 1);
195 }
196 else
197 { /* a single address */
198 msg_end->sourceip = push_string(msg, conn_end->srcip);
199 if (strchr(conn_end->srcip, ':'))
200 { /* IPv6 */
201 msg_end->sourceip_size = 128;
202 }
203 else
204 { /* IPv4 */
205 msg_end->sourceip_size = 32;
206 }
207 }
208 }
209 }
210 else if (conn_end->modecfg)
211 {
212 msg_end->sourceip_size = 1;
213 }
214 }
215
216 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
217 {
218 stroke_msg_t msg;
219
220 memset(&msg, 0, sizeof(msg));
221 msg.type = STR_ADD_CONN;
222 msg.length = offsetof(stroke_msg_t, buffer);
223 msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
224 msg.add_conn.name = push_string(&msg, connection_name(conn));
225
226 /* PUBKEY is preferred to PSK and EAP */
227 if (conn->policy & POLICY_RSASIG || conn->policy & POLICY_ECDSASIG)
228 {
229 msg.add_conn.auth_method = AUTH_PUBKEY;
230 }
231 else if (conn->policy & POLICY_PSK)
232 {
233 msg.add_conn.auth_method = AUTH_PSK;
234 }
235 else
236 {
237 msg.add_conn.auth_method = AUTH_EAP;
238 }
239 msg.add_conn.eap_type = conn->eap_type;
240 msg.add_conn.eap_vendor = conn->eap_vendor;
241 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
242
243 if (conn->policy & POLICY_TUNNEL)
244 {
245 msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
246 }
247 else if (conn->policy & POLICY_BEET)
248 {
249 msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
250 }
251 else
252 {
253 msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
254 }
255
256 if (!(conn->policy & POLICY_DONT_REKEY))
257 {
258 msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
259 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
260 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
261 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
262 msg.add_conn.rekey.tries = conn->sa_keying_tries;
263 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
264 }
265 msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
266 msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
267 msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
268 msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
269 msg.add_conn.unique = cfg->setup.uniqueids;
270 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
271 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
272 msg.add_conn.dpd.delay = conn->dpd_delay;
273 msg.add_conn.dpd.action = conn->dpd_action;
274 msg.add_conn.ikeme.mediation = conn->me_mediation;
275 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
276 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
277
278 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
279 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
280
281 return send_stroke_msg(&msg);
282 }
283
284 int starter_stroke_del_conn(starter_conn_t *conn)
285 {
286 stroke_msg_t msg;
287
288 msg.type = STR_DEL_CONN;
289 msg.length = offsetof(stroke_msg_t, buffer);
290 msg.del_conn.name = push_string(&msg, connection_name(conn));
291 return send_stroke_msg(&msg);
292 }
293
294 int starter_stroke_route_conn(starter_conn_t *conn)
295 {
296 stroke_msg_t msg;
297
298 msg.type = STR_ROUTE;
299 msg.length = offsetof(stroke_msg_t, buffer);
300 msg.route.name = push_string(&msg, connection_name(conn));
301 return send_stroke_msg(&msg);
302 }
303
304 int starter_stroke_initiate_conn(starter_conn_t *conn)
305 {
306 stroke_msg_t msg;
307
308 msg.type = STR_INITIATE;
309 msg.length = offsetof(stroke_msg_t, buffer);
310 msg.initiate.name = push_string(&msg, connection_name(conn));
311 return send_stroke_msg(&msg);
312 }
313
314 int starter_stroke_add_ca(starter_ca_t *ca)
315 {
316 stroke_msg_t msg;
317
318 msg.type = STR_ADD_CA;
319 msg.length = offsetof(stroke_msg_t, buffer);
320 msg.add_ca.name = push_string(&msg, ca->name);
321 msg.add_ca.cacert = push_string(&msg, ca->cacert);
322 msg.add_ca.crluri = push_string(&msg, ca->crluri);
323 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
324 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
325 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
326 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
327 return send_stroke_msg(&msg);
328 }
329
330 int starter_stroke_del_ca(starter_ca_t *ca)
331 {
332 stroke_msg_t msg;
333
334 msg.type = STR_DEL_CA;
335 msg.length = offsetof(stroke_msg_t, buffer);
336 msg.del_ca.name = push_string(&msg, ca->name);
337 return send_stroke_msg(&msg);
338 }
339
340 int starter_stroke_configure(starter_config_t *cfg)
341 {
342 stroke_msg_t msg;
343
344 if (cfg->setup.cachecrls)
345 {
346 msg.type = STR_CONFIG;
347 msg.length = offsetof(stroke_msg_t, buffer);
348 msg.config.cachecrl = 1;
349 return send_stroke_msg(&msg);
350 }
351 return 0;
352 }
353