starter: Parse authby as string.
[strongswan.git] / src / starter / starterstroke.c
1 /* Stroke for charon is the counterpart to whack from pluto
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/un.h>
19 #include <stddef.h>
20 #include <unistd.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
26
27 #include <credentials/auth_cfg.h>
28
29 #include <library.h>
30 #include <debug.h>
31
32 #include <constants.h>
33 #include <defs.h>
34
35 #include <stroke_msg.h>
36
37 #include "starterstroke.h"
38 #include "confread.h"
39 #include "files.h"
40
41 #define IPV4_LEN 4
42 #define IPV6_LEN 16
43
44 static char* push_string(stroke_msg_t *msg, char *string)
45 {
46 unsigned long string_start = msg->length;
47
48 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
49 {
50 return NULL;
51 }
52 else
53 {
54 msg->length += strlen(string) + 1;
55 strcpy((char*)msg + string_start, string);
56 return (char*)string_start;
57 }
58 }
59
60 static int send_stroke_msg (stroke_msg_t *msg)
61 {
62 struct sockaddr_un ctl_addr;
63 int byte_count;
64 char buffer[64];
65
66 ctl_addr.sun_family = AF_UNIX;
67 strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
68
69 /* starter is not called from commandline, and therefore absolutely silent */
70 msg->output_verbosity = -1;
71
72 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
73
74 if (sock < 0)
75 {
76 DBG1(DBG_APP, "socket() failed: %s", strerror(errno));
77 return -1;
78 }
79 if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
80 {
81 DBG1(DBG_APP, "connect(charon_ctl) failed: %s", strerror(errno));
82 close(sock);
83 return -1;
84 }
85
86 /* send message */
87 if (write(sock, msg, msg->length) != msg->length)
88 {
89 DBG1(DBG_APP, "write(charon_ctl) failed: %s", strerror(errno));
90 close(sock);
91 return -1;
92 }
93 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
94 {
95 buffer[byte_count] = '\0';
96 DBG1(DBG_APP, "%s", buffer);
97 }
98 if (byte_count < 0)
99 {
100 DBG1(DBG_APP, "read() failed: %s", strerror(errno));
101 }
102
103 close(sock);
104 return 0;
105 }
106
107 static char* connection_name(starter_conn_t *conn)
108 {
109 /* if connection name is '%auto', create a new name like conn_xxxxx */
110 static char buf[32];
111
112 if (streq(conn->name, "%auto"))
113 {
114 sprintf(buf, "conn_%lu", conn->id);
115 return buf;
116 }
117 return conn->name;
118 }
119
120 static void ip_address2string(ip_address *addr, char *buffer, size_t len)
121 {
122 switch (((struct sockaddr*)addr)->sa_family)
123 {
124 case AF_INET6:
125 {
126 struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
127 u_int8_t zeroes[IPV6_LEN];
128
129 memset(zeroes, 0, IPV6_LEN);
130 if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
131 inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
132 {
133 return;
134 }
135 snprintf(buffer, len, "%%any6");
136 break;
137 }
138 case AF_INET:
139 {
140 struct sockaddr_in* sin = (struct sockaddr_in*)addr;
141 u_int8_t zeroes[IPV4_LEN];
142
143 memset(zeroes, 0, IPV4_LEN);
144 if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
145 inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
146 {
147 return;
148 }
149 /* fall through to default */
150 }
151 default:
152 snprintf(buffer, len, "%%any");
153 break;
154 }
155 }
156
157 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
158 {
159 char buffer[INET6_ADDRSTRLEN];
160
161 msg_end->auth = push_string(msg, conn_end->auth);
162 msg_end->auth2 = push_string(msg, conn_end->auth2);
163 msg_end->id = push_string(msg, conn_end->id);
164 msg_end->id2 = push_string(msg, conn_end->id2);
165 msg_end->rsakey = push_string(msg, conn_end->rsakey);
166 msg_end->cert = push_string(msg, conn_end->cert);
167 msg_end->cert2 = push_string(msg, conn_end->cert2);
168 msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
169 msg_end->ca = push_string(msg, conn_end->ca);
170 msg_end->ca2 = push_string(msg, conn_end->ca2);
171 msg_end->groups = push_string(msg, conn_end->groups);
172 msg_end->updown = push_string(msg, conn_end->updown);
173 if (conn_end->host)
174 {
175 msg_end->address = push_string(msg, conn_end->host);
176 }
177 else
178 {
179 ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
180 msg_end->address = push_string(msg, buffer);
181 }
182 msg_end->ikeport = conn_end->ikeport;
183 msg_end->subnets = push_string(msg, conn_end->subnet);
184 msg_end->sourceip = push_string(msg, conn_end->sourceip);
185 msg_end->sourceip_mask = conn_end->sourceip_mask;
186 msg_end->sendcert = conn_end->sendcert;
187 msg_end->hostaccess = conn_end->hostaccess;
188 msg_end->tohost = !conn_end->has_client;
189 msg_end->allow_any = conn_end->allow_any;
190 msg_end->protocol = conn_end->protocol;
191 msg_end->port = conn_end->port;
192 }
193
194 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
195 {
196 stroke_msg_t msg;
197
198 memset(&msg, 0, sizeof(msg));
199 msg.type = STR_ADD_CONN;
200 msg.length = offsetof(stroke_msg_t, buffer);
201 msg.add_conn.version = conn->keyexchange;
202 msg.add_conn.name = push_string(&msg, connection_name(conn));
203 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
204 msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
205 msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
206
207 if (conn->policy & POLICY_TUNNEL)
208 {
209 msg.add_conn.mode = MODE_TUNNEL;
210 }
211 else if (conn->policy & POLICY_BEET)
212 {
213 msg.add_conn.mode = MODE_BEET;
214 }
215 else if (conn->policy & POLICY_PROXY)
216 {
217 msg.add_conn.mode = MODE_TRANSPORT;
218 msg.add_conn.proxy_mode = TRUE;
219 }
220 else if (conn->policy & POLICY_SHUNT_PASS)
221 {
222 msg.add_conn.mode = MODE_PASS;
223 }
224 else if (conn->policy & (POLICY_SHUNT_DROP | POLICY_SHUNT_REJECT))
225 {
226 msg.add_conn.mode = MODE_DROP;
227 }
228 else
229 {
230 msg.add_conn.mode = MODE_TRANSPORT;
231 }
232
233 if (!(conn->policy & POLICY_DONT_REKEY))
234 {
235 msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
236 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
237 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
238 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
239 msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
240 msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
241 msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
242 msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
243 msg.add_conn.rekey.tries = conn->sa_keying_tries;
244 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
245 }
246 msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
247 msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
248 msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
249 msg.add_conn.install_policy = conn->install_policy;
250 msg.add_conn.aggressive = conn->aggressive;
251 msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
252 msg.add_conn.unique = cfg->setup.uniqueids;
253 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
254 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
255 msg.add_conn.dpd.delay = conn->dpd_delay;
256 msg.add_conn.dpd.timeout = conn->dpd_timeout;
257 msg.add_conn.dpd.action = conn->dpd_action;
258 msg.add_conn.close_action = conn->close_action;
259 msg.add_conn.inactivity = conn->inactivity;
260 msg.add_conn.ikeme.mediation = conn->me_mediation;
261 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
262 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
263 msg.add_conn.reqid = conn->reqid;
264 msg.add_conn.mark_in.value = conn->mark_in.value;
265 msg.add_conn.mark_in.mask = conn->mark_in.mask;
266 msg.add_conn.mark_out.value = conn->mark_out.value;
267 msg.add_conn.mark_out.mask = conn->mark_out.mask;
268 msg.add_conn.tfc = conn->tfc;
269
270 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
271 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
272
273 if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
274 conn->authby)
275 { /* leftauth/rightauth not set, use legacy options */
276 if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") ||
277 streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
278 streq(conn->authby, "pubkey"))
279 {
280 msg.add_conn.me.auth = push_string(&msg, "pubkey");
281 msg.add_conn.other.auth = push_string(&msg, "pubkey");
282 }
283 else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
284 {
285 msg.add_conn.me.auth = push_string(&msg, "psk");
286 msg.add_conn.other.auth = push_string(&msg, "psk");
287 }
288 else if (streq(conn->authby, "xauthrsasig"))
289 {
290 msg.add_conn.me.auth = push_string(&msg, "pubkey");
291 msg.add_conn.other.auth = push_string(&msg, "pubkey");
292 if (conn->policy & POLICY_XAUTH_SERVER)
293 {
294 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
295 }
296 else
297 {
298 msg.add_conn.me.auth2 = push_string(&msg, "xauth");
299 }
300 }
301 else if (streq(conn->authby, "xauthpsk"))
302 {
303 msg.add_conn.me.auth = push_string(&msg, "psk");
304 msg.add_conn.other.auth = push_string(&msg, "psk");
305 if (conn->policy & POLICY_XAUTH_SERVER)
306 {
307 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
308 }
309 else
310 {
311 msg.add_conn.me.auth2 = push_string(&msg, "xauth");
312 }
313 }
314 }
315 return send_stroke_msg(&msg);
316 }
317
318 int starter_stroke_del_conn(starter_conn_t *conn)
319 {
320 stroke_msg_t msg;
321
322 msg.type = STR_DEL_CONN;
323 msg.length = offsetof(stroke_msg_t, buffer);
324 msg.del_conn.name = push_string(&msg, connection_name(conn));
325 return send_stroke_msg(&msg);
326 }
327
328 int starter_stroke_route_conn(starter_conn_t *conn)
329 {
330 stroke_msg_t msg;
331
332 msg.type = STR_ROUTE;
333 msg.length = offsetof(stroke_msg_t, buffer);
334 msg.route.name = push_string(&msg, connection_name(conn));
335 return send_stroke_msg(&msg);
336 }
337
338 int starter_stroke_initiate_conn(starter_conn_t *conn)
339 {
340 stroke_msg_t msg;
341
342 msg.type = STR_INITIATE;
343 msg.length = offsetof(stroke_msg_t, buffer);
344 msg.initiate.name = push_string(&msg, connection_name(conn));
345 return send_stroke_msg(&msg);
346 }
347
348 int starter_stroke_add_ca(starter_ca_t *ca)
349 {
350 stroke_msg_t msg;
351
352 msg.type = STR_ADD_CA;
353 msg.length = offsetof(stroke_msg_t, buffer);
354 msg.add_ca.name = push_string(&msg, ca->name);
355 msg.add_ca.cacert = push_string(&msg, ca->cacert);
356 msg.add_ca.crluri = push_string(&msg, ca->crluri);
357 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
358 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
359 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
360 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
361 return send_stroke_msg(&msg);
362 }
363
364 int starter_stroke_del_ca(starter_ca_t *ca)
365 {
366 stroke_msg_t msg;
367
368 msg.type = STR_DEL_CA;
369 msg.length = offsetof(stroke_msg_t, buffer);
370 msg.del_ca.name = push_string(&msg, ca->name);
371 return send_stroke_msg(&msg);
372 }
373
374 int starter_stroke_configure(starter_config_t *cfg)
375 {
376 stroke_msg_t msg;
377
378 if (cfg->setup.cachecrls)
379 {
380 msg.type = STR_CONFIG;
381 msg.length = offsetof(stroke_msg_t, buffer);
382 msg.config.cachecrl = 1;
383 return send_stroke_msg(&msg);
384 }
385 return 0;
386 }
387