supporting multiple comma seperated subnets in left/rightsubnet definition
[strongswan.git] / src / starter / starterstroke.c
1 /* Stroke for charon is the counterpart to whack from pluto
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id$
16 */
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <sys/un.h>
21 #include <stddef.h>
22 #include <unistd.h>
23 #include <stdlib.h>
24 #include <errno.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27
28 #include <freeswan.h>
29
30 #include <constants.h>
31 #include <defs.h>
32 #include <log.h>
33
34 #include <stroke_msg.h>
35
36 #include "starterstroke.h"
37 #include "confread.h"
38 #include "files.h"
39
40 /**
41 * Authentication mehtods, must be the same values as in charon
42 */
43 enum auth_method_t {
44 AUTH_RSA = 1,
45 AUTH_PSK = 2,
46 AUTH_DSS = 3,
47 AUTH_EAP = 201,
48 };
49
50 static char* push_string(stroke_msg_t *msg, char *string)
51 {
52 unsigned long string_start = msg->length;
53
54 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
55 {
56 return NULL;
57 }
58 else
59 {
60 msg->length += strlen(string) + 1;
61 strcpy((char*)msg + string_start, string);
62 return (char*)string_start;
63 }
64 }
65
66 static int send_stroke_msg (stroke_msg_t *msg)
67 {
68 struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
69 int byte_count;
70 char buffer[64];
71
72 /* starter is not called from commandline, and therefore absolutely silent */
73 msg->output_verbosity = -1;
74
75 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
76
77 if (sock < 0)
78 {
79 plog("socket() failed: %s", strerror(errno));
80 return -1;
81 }
82 if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
83 {
84 plog("connect(charon_ctl) failed: %s", strerror(errno));
85 close(sock);
86 return -1;
87 }
88
89 /* send message */
90 if (write(sock, msg, msg->length) != msg->length)
91 {
92 plog("write(charon_ctl) failed: %s", strerror(errno));
93 close(sock);
94 return -1;
95 }
96 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
97 {
98 buffer[byte_count] = '\0';
99 plog("%s", buffer);
100 }
101 if (byte_count < 0)
102 {
103 plog("read() failed: %s", strerror(errno));
104 }
105
106 close(sock);
107 return 0;
108 }
109
110 static char* connection_name(starter_conn_t *conn)
111 {
112 /* if connection name is '%auto', create a new name like conn_xxxxx */
113 static char buf[32];
114
115 if (streq(conn->name, "%auto"))
116 {
117 sprintf(buf, "conn_%ld", conn->id);
118 return buf;
119 }
120 return conn->name;
121 }
122
123 static void ip_address2string(ip_address *addr, char *buffer, size_t len)
124 {
125 switch (((struct sockaddr*)addr)->sa_family)
126 {
127 case AF_INET:
128 {
129 struct sockaddr_in* sin = (struct sockaddr_in*)addr;
130 if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
131 {
132 return;
133 }
134 break;
135 }
136 case AF_INET6:
137 {
138 struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
139 if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
140 {
141 return;
142 }
143 break;
144 }
145 default:
146 break;
147 }
148 /* failed */
149 snprintf(buffer, len, "0.0.0.0");
150 }
151
152
153 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
154 {
155 char buffer[INET6_ADDRSTRLEN];
156
157 msg_end->id = push_string(msg, conn_end->id);
158 msg_end->cert = push_string(msg, conn_end->cert);
159 msg_end->ca = push_string(msg, conn_end->ca);
160 msg_end->groups = push_string(msg, conn_end->groups);
161 msg_end->updown = push_string(msg, conn_end->updown);
162 ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
163 msg_end->address = push_string(msg, buffer);
164 msg_end->subnets = push_string(msg, conn_end->subnet);
165 msg_end->sendcert = conn_end->sendcert;
166 msg_end->hostaccess = conn_end->hostaccess;
167 msg_end->tohost = !conn_end->has_client;
168 msg_end->protocol = conn_end->protocol;
169 msg_end->port = conn_end->port;
170 if (conn_end->srcip)
171 {
172 if (conn_end->srcip[0] == '%')
173 { /* %poolname, strip % */
174 msg_end->sourceip_size = 0;
175 msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
176 }
177 else
178 {
179 char *pos = strchr(conn_end->srcip, '/');
180 if (pos)
181 { /* CIDR subnet definition */
182 snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
183 msg_end->sourceip = push_string(msg, buffer);
184 msg_end->sourceip_size = atoi(pos + 1);
185 }
186 else
187 { /* a sigle address */
188 msg_end->sourceip = push_string(msg, conn_end->srcip);
189 if (strchr(conn_end->srcip, ':'))
190 { /* IPv6 */
191 msg_end->sourceip_size = 128;
192 }
193 else
194 { /* IPv4 */
195 msg_end->sourceip_size = 32;
196 }
197 }
198 }
199 }
200 else if (conn_end->modecfg)
201 {
202 msg_end->sourceip_size = 1;
203 }
204 }
205
206 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
207 {
208 stroke_msg_t msg;
209
210 memset(&msg, 0, sizeof(msg));
211 msg.type = STR_ADD_CONN;
212 msg.length = offsetof(stroke_msg_t, buffer);
213 msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
214 msg.add_conn.name = push_string(&msg, connection_name(conn));
215
216 /* RSA is preferred before PSK and EAP */
217 if (conn->policy & POLICY_RSASIG)
218 {
219 msg.add_conn.auth_method = AUTH_RSA;
220 }
221 else if (conn->policy & POLICY_PSK)
222 {
223 msg.add_conn.auth_method = AUTH_PSK;
224 }
225 else
226 {
227 msg.add_conn.auth_method = AUTH_EAP;
228 }
229 msg.add_conn.eap_type = conn->eap_type;
230 msg.add_conn.eap_vendor = conn->eap_vendor;
231
232 if (conn->policy & POLICY_TUNNEL)
233 {
234 msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
235 }
236 else if (conn->policy & POLICY_BEET)
237 {
238 msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
239 }
240 else
241 {
242 msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
243 }
244
245 if (!(conn->policy & POLICY_DONT_REKEY))
246 {
247 msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
248 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
249 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
250 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
251 msg.add_conn.rekey.tries = conn->sa_keying_tries;
252 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
253 }
254 msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
255 msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
256 msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
257 msg.add_conn.unique = cfg->setup.uniqueids;
258 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
259 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
260 msg.add_conn.dpd.delay = conn->dpd_delay;
261 msg.add_conn.dpd.action = conn->dpd_action;
262 msg.add_conn.ikeme.mediation = conn->me_mediation;
263 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
264 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
265
266 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
267 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
268
269 return send_stroke_msg(&msg);
270 }
271
272 int starter_stroke_del_conn(starter_conn_t *conn)
273 {
274 stroke_msg_t msg;
275
276 msg.type = STR_DEL_CONN;
277 msg.length = offsetof(stroke_msg_t, buffer);
278 msg.del_conn.name = push_string(&msg, connection_name(conn));
279 return send_stroke_msg(&msg);
280 }
281
282 int starter_stroke_route_conn(starter_conn_t *conn)
283 {
284 stroke_msg_t msg;
285
286 msg.type = STR_ROUTE;
287 msg.length = offsetof(stroke_msg_t, buffer);
288 msg.route.name = push_string(&msg, connection_name(conn));
289 return send_stroke_msg(&msg);
290 }
291
292 int starter_stroke_initiate_conn(starter_conn_t *conn)
293 {
294 stroke_msg_t msg;
295
296 msg.type = STR_INITIATE;
297 msg.length = offsetof(stroke_msg_t, buffer);
298 msg.initiate.name = push_string(&msg, connection_name(conn));
299 return send_stroke_msg(&msg);
300 }
301
302 int starter_stroke_add_ca(starter_ca_t *ca)
303 {
304 stroke_msg_t msg;
305
306 msg.type = STR_ADD_CA;
307 msg.length = offsetof(stroke_msg_t, buffer);
308 msg.add_ca.name = push_string(&msg, ca->name);
309 msg.add_ca.cacert = push_string(&msg, ca->cacert);
310 msg.add_ca.crluri = push_string(&msg, ca->crluri);
311 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
312 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
313 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
314 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
315 return send_stroke_msg(&msg);
316 }
317
318 int starter_stroke_del_ca(starter_ca_t *ca)
319 {
320 stroke_msg_t msg;
321
322 msg.type = STR_DEL_CA;
323 msg.length = offsetof(stroke_msg_t, buffer);
324 msg.del_ca.name = push_string(&msg, ca->name);
325 return send_stroke_msg(&msg);
326 }
327
328 int starter_stroke_configure(starter_config_t *cfg)
329 {
330 stroke_msg_t msg;
331
332 if (cfg->setup.cachecrls)
333 {
334 msg.type = STR_CONFIG;
335 msg.length = offsetof(stroke_msg_t, buffer);
336 msg.config.cachecrl = 1;
337 return send_stroke_msg(&msg);
338 }
339 return 0;
340 }
341