starter: Use stream abstraction to communicate with stroke plugin
[strongswan.git] / src / starter / starterstroke.c
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <unistd.h>
17 #include <stdlib.h>
18 #include <string.h>
19
20 #include <credentials/auth_cfg.h>
21
22 #include <library.h>
23 #include <utils/debug.h>
24
25 #include <stroke_msg.h>
26
27 #include "starterstroke.h"
28 #include "confread.h"
29 #include "files.h"
30
31 #define IPV4_LEN 4
32 #define IPV6_LEN 16
33
34 static char* push_string(stroke_msg_t *msg, char *string)
35 {
36 unsigned long string_start = msg->length;
37
38 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
39 {
40 return NULL;
41 }
42 else
43 {
44 msg->length += strlen(string) + 1;
45 strcpy((char*)msg + string_start, string);
46 return (char*)string_start;
47 }
48 }
49
50 static int send_stroke_msg (stroke_msg_t *msg)
51 {
52 stream_t *stream;
53 char *uri, buffer[64];
54 int count;
55
56 /* starter is not called from commandline, and therefore absolutely silent */
57 msg->output_verbosity = -1;
58
59 uri = lib->settings->get_str(lib->settings, "%s.plugins.stroke.socket",
60 "unix://" CHARON_CTL_FILE, daemon_name);
61 stream = lib->streams->connect(lib->streams, uri);
62 if (!stream)
63 {
64 DBG1(DBG_APP, "failed to connect to stroke socket '%s'", uri);
65 return -1;
66 }
67
68 if (!stream->write_all(stream, msg, msg->length))
69 {
70 DBG1(DBG_APP, "sending stroke message failed");
71 stream->destroy(stream);
72 return -1;
73 }
74 while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0)
75 {
76 buffer[count] = '\0';
77 DBG1(DBG_APP, "%s", buffer);
78 }
79 if (count < 0)
80 {
81 DBG1(DBG_APP, "reading stroke response failed");
82 }
83 stream->destroy(stream);
84 return 0;
85 }
86
87 static char* connection_name(starter_conn_t *conn)
88 {
89 /* if connection name is '%auto', create a new name like conn_xxxxx */
90 static char buf[32];
91
92 if (streq(conn->name, "%auto"))
93 {
94 sprintf(buf, "conn_%lu", conn->id);
95 return buf;
96 }
97 return conn->name;
98 }
99
100 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
101 {
102 msg_end->auth = push_string(msg, conn_end->auth);
103 msg_end->auth2 = push_string(msg, conn_end->auth2);
104 msg_end->id = push_string(msg, conn_end->id);
105 msg_end->id2 = push_string(msg, conn_end->id2);
106 msg_end->rsakey = push_string(msg, conn_end->rsakey);
107 msg_end->cert = push_string(msg, conn_end->cert);
108 msg_end->cert2 = push_string(msg, conn_end->cert2);
109 msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
110 msg_end->ca = push_string(msg, conn_end->ca);
111 msg_end->ca2 = push_string(msg, conn_end->ca2);
112 msg_end->groups = push_string(msg, conn_end->groups);
113 msg_end->groups2 = push_string(msg, conn_end->groups2);
114 msg_end->updown = push_string(msg, conn_end->updown);
115 if (conn_end->host)
116 {
117 msg_end->address = push_string(msg, conn_end->host);
118 }
119 else
120 {
121 msg_end->address = push_string(msg, "%any");
122 }
123 msg_end->ikeport = conn_end->ikeport;
124 msg_end->subnets = push_string(msg, conn_end->subnet);
125 msg_end->sourceip = push_string(msg, conn_end->sourceip);
126 msg_end->dns = push_string(msg, conn_end->dns);
127 msg_end->sendcert = conn_end->sendcert;
128 msg_end->hostaccess = conn_end->hostaccess;
129 msg_end->tohost = !conn_end->subnet;
130 msg_end->allow_any = conn_end->allow_any;
131 msg_end->protocol = conn_end->protocol;
132 msg_end->from_port = conn_end->from_port;
133 msg_end->to_port = conn_end->to_port;
134 }
135
136 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
137 {
138 stroke_msg_t msg;
139
140 memset(&msg, 0, sizeof(msg));
141 msg.type = STR_ADD_CONN;
142 msg.length = offsetof(stroke_msg_t, buffer);
143 msg.add_conn.version = conn->keyexchange;
144 msg.add_conn.name = push_string(&msg, connection_name(conn));
145 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
146 msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
147 msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
148
149 msg.add_conn.mode = conn->mode;
150 msg.add_conn.proxy_mode = conn->proxy_mode;
151
152 if (!(conn->options & SA_OPTION_DONT_REKEY))
153 {
154 msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
155 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
156 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
157 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
158 msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
159 msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
160 msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
161 msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
162 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
163 }
164 msg.add_conn.rekey.tries = conn->sa_keying_tries;
165
166 msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
167 msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
168 msg.add_conn.fragmentation = conn->fragmentation;
169 msg.add_conn.ikedscp = conn->ikedscp;
170 msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
171 msg.add_conn.install_policy = conn->install_policy;
172 msg.add_conn.aggressive = conn->aggressive;
173 msg.add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH;
174 msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
175 msg.add_conn.unique = cfg->setup.uniqueids;
176 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
177 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
178 msg.add_conn.algorithms.ah = push_string(&msg, conn->ah);
179 msg.add_conn.dpd.delay = conn->dpd_delay;
180 msg.add_conn.dpd.timeout = conn->dpd_timeout;
181 msg.add_conn.dpd.action = conn->dpd_action;
182 msg.add_conn.close_action = conn->close_action;
183 msg.add_conn.inactivity = conn->inactivity;
184 msg.add_conn.ikeme.mediation = conn->me_mediation;
185 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
186 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
187 msg.add_conn.reqid = conn->reqid;
188 msg.add_conn.replay_window = conn->replay_window;
189 msg.add_conn.mark_in.value = conn->mark_in.value;
190 msg.add_conn.mark_in.mask = conn->mark_in.mask;
191 msg.add_conn.mark_out.value = conn->mark_out.value;
192 msg.add_conn.mark_out.mask = conn->mark_out.mask;
193 msg.add_conn.tfc = conn->tfc;
194
195 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
196 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
197
198 if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
199 conn->authby)
200 { /* leftauth/rightauth not set, use legacy options */
201 if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") ||
202 streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
203 streq(conn->authby, "pubkey"))
204 {
205 msg.add_conn.me.auth = push_string(&msg, "pubkey");
206 msg.add_conn.other.auth = push_string(&msg, "pubkey");
207 }
208 else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
209 {
210 msg.add_conn.me.auth = push_string(&msg, "psk");
211 msg.add_conn.other.auth = push_string(&msg, "psk");
212 }
213 else if (streq(conn->authby, "xauthrsasig"))
214 {
215 msg.add_conn.me.auth = push_string(&msg, "pubkey");
216 msg.add_conn.other.auth = push_string(&msg, "pubkey");
217 if (conn->options & SA_OPTION_XAUTH_SERVER)
218 {
219 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
220 }
221 else
222 {
223 msg.add_conn.me.auth2 = push_string(&msg, "xauth");
224 }
225 }
226 else if (streq(conn->authby, "xauthpsk"))
227 {
228 msg.add_conn.me.auth = push_string(&msg, "psk");
229 msg.add_conn.other.auth = push_string(&msg, "psk");
230 if (conn->options & SA_OPTION_XAUTH_SERVER)
231 {
232 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
233 }
234 else
235 {
236 msg.add_conn.me.auth2 = push_string(&msg, "xauth");
237 }
238 }
239 }
240 return send_stroke_msg(&msg);
241 }
242
243 int starter_stroke_del_conn(starter_conn_t *conn)
244 {
245 stroke_msg_t msg;
246
247 msg.type = STR_DEL_CONN;
248 msg.length = offsetof(stroke_msg_t, buffer);
249 msg.del_conn.name = push_string(&msg, connection_name(conn));
250 return send_stroke_msg(&msg);
251 }
252
253 int starter_stroke_route_conn(starter_conn_t *conn)
254 {
255 stroke_msg_t msg;
256
257 msg.type = STR_ROUTE;
258 msg.length = offsetof(stroke_msg_t, buffer);
259 msg.route.name = push_string(&msg, connection_name(conn));
260 return send_stroke_msg(&msg);
261 }
262
263 int starter_stroke_unroute_conn(starter_conn_t *conn)
264 {
265 stroke_msg_t msg;
266
267 msg.type = STR_UNROUTE;
268 msg.length = offsetof(stroke_msg_t, buffer);
269 msg.route.name = push_string(&msg, connection_name(conn));
270 return send_stroke_msg(&msg);
271 }
272
273 int starter_stroke_initiate_conn(starter_conn_t *conn)
274 {
275 stroke_msg_t msg;
276
277 msg.type = STR_INITIATE;
278 msg.length = offsetof(stroke_msg_t, buffer);
279 msg.initiate.name = push_string(&msg, connection_name(conn));
280 return send_stroke_msg(&msg);
281 }
282
283 int starter_stroke_add_ca(starter_ca_t *ca)
284 {
285 stroke_msg_t msg;
286
287 msg.type = STR_ADD_CA;
288 msg.length = offsetof(stroke_msg_t, buffer);
289 msg.add_ca.name = push_string(&msg, ca->name);
290 msg.add_ca.cacert = push_string(&msg, ca->cacert);
291 msg.add_ca.crluri = push_string(&msg, ca->crluri);
292 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
293 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
294 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
295 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
296 return send_stroke_msg(&msg);
297 }
298
299 int starter_stroke_del_ca(starter_ca_t *ca)
300 {
301 stroke_msg_t msg;
302
303 msg.type = STR_DEL_CA;
304 msg.length = offsetof(stroke_msg_t, buffer);
305 msg.del_ca.name = push_string(&msg, ca->name);
306 return send_stroke_msg(&msg);
307 }
308
309 int starter_stroke_configure(starter_config_t *cfg)
310 {
311 stroke_msg_t msg;
312
313 if (cfg->setup.cachecrls)
314 {
315 msg.type = STR_CONFIG;
316 msg.length = offsetof(stroke_msg_t, buffer);
317 msg.config.cachecrl = 1;
318 return send_stroke_msg(&msg);
319 }
320 return 0;
321 }