src/starter/starterstroke.c

   1 /* Stroke for charon is the counterpart to whack from pluto
   2  * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
   3  *
   4  * This program is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License as published by the
   6  * Free Software Foundation; either version 2 of the License, or (at your
   7  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   8  *
   9  * This program is distributed in the hope that it will be useful, but
  10  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  11  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * for more details.
  13  *
  14  * RCSID $Id: starterstroke.c $
  15  */
  16
  17 #include <sys/types.h>
  18 #include <sys/socket.h>
  19 #include <sys/un.h>
  20 #include <stddef.h>
  21 #include <unistd.h>
  22 #include <stdlib.h>
  23 #include <errno.h>
  24 #include <netinet/in.h>
  25 #include <arpa/inet.h>
  26
  27 #include <freeswan.h>
  28
  29 #include <constants.h>
  30 #include <defs.h>
  31 #include <log.h>
  32
  33 #include <stroke.h>
  34
  35 #include "starterstroke.h"
  36 #include "confread.h"
  37 #include "files.h"
  38
  39 /**
  40  * Authentication mehtods, must be the same values as in charon
  41  */
  42 enum auth_method_t {
  43         AUTH_RSA = 1,
  44         AUTH_PSK = 2,
  45         AUTH_DSS = 3,
  46         AUTH_EAP = 201,
  47 };
  48
  49 static char* push_string(stroke_msg_t *msg, char *string)
  50 {
  51         unsigned long string_start = msg->length;
  52
  53         if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
  54         {
  55                 return NULL;
  56         }
  57         else
  58         {
  59                 msg->length += strlen(string) + 1;
  60                 strcpy((char*)msg + string_start, string);
  61                 return (char*)string_start;
  62         }
  63 }
  64
  65 static int send_stroke_msg (stroke_msg_t *msg)
  66 {
  67         struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
  68         int byte_count;
  69         char buffer[64];
  70
  71         /* starter is not called from commandline, and therefore absolutely silent */
  72         msg->output_verbosity = -1;
  73
  74         int sock = socket(AF_UNIX, SOCK_STREAM, 0);
  75
  76         if (sock < 0)
  77         {
  78                 plog("socket() failed: %s", strerror(errno));
  79                 return -1;
  80         }
  81         if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
  82         {
  83                 plog("connect(charon_ctl) failed: %s", strerror(errno));
  84                 close(sock);
  85                 return -1;
  86         }
  87
  88         /* send message */
  89         if (write(sock, msg, msg->length) != msg->length)
  90         {
  91                 plog("write(charon_ctl) failed: %s", strerror(errno));
  92                 close(sock);
  93                 return -1;
  94         }
  95         while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
  96         {
  97                 buffer[byte_count] = '\0';
  98                 plog("%s", buffer);
  99         }
 100         if (byte_count < 0)
 101         {
 102                 plog("read() failed: %s", strerror(errno));
 103         }
 104
 105         close(sock);
 106         return 0;
 107 }
 108
 109 static char* connection_name(starter_conn_t *conn)
 110 {
 111          /* if connection name is '%auto', create a new name like conn_xxxxx */
 112         static char buf[32];
 113
 114         if (streq(conn->name, "%auto"))
 115         {
 116                 sprintf(buf, "conn_%ld", conn->id);
 117                 return buf;
 118         }
 119         return conn->name;
 120 }
 121
 122 static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 123 {
 124         switch (((struct sockaddr*)addr)->sa_family)
 125         {
 126                 case AF_INET:
 127                 {
 128                         struct sockaddr_in* sin = (struct sockaddr_in*)addr;
 129                         if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
 130                         {
 131                                 return;
 132                         }
 133                         break;
 134                 }
 135                 case AF_INET6:
 136                 {
 137                         struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
 138                         if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
 139                         {
 140                                 return;
 141                         }
 142                         break;
 143                 }
 144                 default:
 145                         break;
 146         }
 147         /* failed */
 148         snprintf(buffer, len, "0.0.0.0");
 149 }
 150
 151
 152 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
 153 {
 154         char buffer[INET6_ADDRSTRLEN];
 155
 156         msg_end->id = push_string(msg, conn_end->id);
 157         msg_end->cert = push_string(msg, conn_end->cert);
 158         msg_end->ca = push_string(msg, conn_end->ca);
 159         msg_end->groups = push_string(msg, conn_end->groups);
 160         msg_end->updown = push_string(msg, conn_end->updown);
 161         ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
 162         msg_end->address = push_string(msg, buffer);
 163         ip_address2string(&conn_end->subnet.addr, buffer, sizeof(buffer));
 164         msg_end->subnet = push_string(msg, buffer);
 165         msg_end->subnet_mask = conn_end->subnet.maskbits;
 166         msg_end->sendcert = conn_end->sendcert;
 167         msg_end->hostaccess = conn_end->hostaccess;
 168         msg_end->tohost = !conn_end->has_client;
 169         msg_end->protocol = conn_end->protocol;
 170         msg_end->port = conn_end->port;
 171         msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
 172         ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
 173         msg_end->sourceip = push_string(msg, buffer);
 174 }
 175
 176 int starter_stroke_add_conn(starter_conn_t *conn)
 177 {
 178         stroke_msg_t msg;
 179
 180         msg.type = STR_ADD_CONN;
 181         msg.length = offsetof(stroke_msg_t, buffer);
 182         msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
 183         msg.add_conn.name = push_string(&msg, connection_name(conn));
 184
 185         /* RSA is preferred before PSK and EAP */
 186         if (conn->policy & POLICY_RSASIG)
 187         {
 188                 msg.add_conn.auth_method = AUTH_RSA;
 189         }
 190         else if (conn->policy & POLICY_PSK)
 191         {
 192                 msg.add_conn.auth_method = AUTH_PSK;
 193         }
 194         else
 195         {
 196                 msg.add_conn.auth_method = AUTH_EAP;
 197         }
 198         msg.add_conn.eap_type = conn->eap;
 199
 200         if (conn->policy & POLICY_TUNNEL)
 201         {
 202                 msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
 203         }
 204         else if (conn->policy & POLICY_BEET)
 205         {
 206                 msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
 207         }
 208         else
 209         {
 210                 msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
 211         }
 212
 213         if (conn->policy & POLICY_DONT_REKEY)
 214         {
 215                 msg.add_conn.rekey.ipsec_lifetime = 0;
 216                 msg.add_conn.rekey.ike_lifetime = 0;
 217                 msg.add_conn.rekey.margin = 0;
 218                 msg.add_conn.rekey.tries = 0;
 219                 msg.add_conn.rekey.fuzz = 0;
 220         }
 221         else
 222         {
 223                 msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
 224                 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
 225                 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
 226                 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
 227                 msg.add_conn.rekey.tries = conn->sa_keying_tries;
 228                 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
 229         }
 230         msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
 231         msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
 232         msg.add_conn.dpd.delay = conn->dpd_delay;
 233         msg.add_conn.dpd.action = conn->dpd_action;
 234
 235         starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
 236         starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
 237
 238         return send_stroke_msg(&msg);
 239 }
 240
 241 int starter_stroke_del_conn(starter_conn_t *conn)
 242 {
 243         stroke_msg_t msg;
 244
 245         msg.type = STR_DEL_CONN;
 246         msg.length = offsetof(stroke_msg_t, buffer);
 247         msg.del_conn.name = push_string(&msg, connection_name(conn));
 248         return send_stroke_msg(&msg);
 249 }
 250
 251 int starter_stroke_route_conn(starter_conn_t *conn)
 252 {
 253         stroke_msg_t msg;
 254
 255         msg.type = STR_ROUTE;
 256         msg.length = offsetof(stroke_msg_t, buffer);
 257         msg.route.name = push_string(&msg, connection_name(conn));
 258         return send_stroke_msg(&msg);
 259 }
 260
 261 int starter_stroke_initiate_conn(starter_conn_t *conn)
 262 {
 263         stroke_msg_t msg;
 264
 265         msg.type = STR_INITIATE;
 266         msg.length = offsetof(stroke_msg_t, buffer);
 267         msg.initiate.name = push_string(&msg, connection_name(conn));
 268         return send_stroke_msg(&msg);
 269 }
 270
 271 int starter_stroke_add_ca(starter_ca_t *ca)
 272 {
 273         stroke_msg_t msg;
 274
 275         msg.type = STR_ADD_CA;
 276         msg.length = offsetof(stroke_msg_t, buffer);
 277         msg.add_ca.name =     push_string(&msg, ca->name);
 278         msg.add_ca.cacert =   push_string(&msg, ca->cacert);
 279         msg.add_ca.crluri =   push_string(&msg, ca->crluri);
 280         msg.add_ca.crluri2 =  push_string(&msg, ca->crluri2);
 281         msg.add_ca.ocspuri =  push_string(&msg, ca->ocspuri);
 282         msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
 283         return send_stroke_msg(&msg);
 284 }
 285
 286 int starter_stroke_del_ca(starter_ca_t *ca)
 287 {
 288         stroke_msg_t msg;
 289
 290         msg.type = STR_DEL_CA;
 291         msg.length = offsetof(stroke_msg_t, buffer);
 292         msg.del_ca.name = push_string(&msg, ca->name);
 293         return send_stroke_msg(&msg);
 294 }
 295
 296