projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Handling of new lifetime limits added to stroke.
[strongswan.git] / src / starter / starterstroke.c
1 /* Stroke for charon is the counterpart to whack from pluto
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/un.h>
19 #include <stddef.h>
20 #include <unistd.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
26
27 #include <freeswan.h>
28
29 #include <constants.h>
30 #include <defs.h>
31 #include <log.h>
32
33 #include <stroke_msg.h>
34
35 #include "starterstroke.h"
36 #include "confread.h"
37 #include "files.h"
38
39 #define IPV4_LEN 4
40 #define IPV6_LEN 16
41
42 /**
43 * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h
44 */
45 enum ipsec_mode_t {
46 MODE_TRANSPORT = 1,
47 MODE_TUNNEL,
48 MODE_BEET
49 };
50
51 /**
52 * Authentication methods, must be the same as in charons authenticator.h
53 */
54 enum auth_method_t {
55 AUTH_PUBKEY = 1,
56 AUTH_PSK = 2,
57 AUTH_EAP = 3
58 };
59
60 static char* push_string(stroke_msg_t *msg, char *string)
61 {
62 unsigned long string_start = msg->length;
63
64 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
65 {
66 return NULL;
67 }
68 else
69 {
70 msg->length += strlen(string) + 1;
71 strcpy((char*)msg + string_start, string);
72 return (char*)string_start;
73 }
74 }
75
76 static int send_stroke_msg (stroke_msg_t *msg)
77 {
78 struct sockaddr_un ctl_addr;
79 int byte_count;
80 char buffer[64];
81
82 ctl_addr.sun_family = AF_UNIX;
83 strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
84
85 /* starter is not called from commandline, and therefore absolutely silent */
86 msg->output_verbosity = -1;
87
88 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
89
90 if (sock < 0)
91 {
92 plog("socket() failed: %s", strerror(errno));
93 return -1;
94 }
95 if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
96 {
97 plog("connect(charon_ctl) failed: %s", strerror(errno));
98 close(sock);
99 return -1;
100 }
101
102 /* send message */
103 if (write(sock, msg, msg->length) != msg->length)
104 {
105 plog("write(charon_ctl) failed: %s", strerror(errno));
106 close(sock);
107 return -1;
108 }
109 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
110 {
111 buffer[byte_count] = '\0';
112 plog("%s", buffer);
113 }
114 if (byte_count < 0)
115 {
116 plog("read() failed: %s", strerror(errno));
117 }
118
119 close(sock);
120 return 0;
121 }
122
123 static char* connection_name(starter_conn_t *conn)
124 {
125 /* if connection name is '%auto', create a new name like conn_xxxxx */
126 static char buf[32];
127
128 if (streq(conn->name, "%auto"))
129 {
130 sprintf(buf, "conn_%ld", conn->id);
131 return buf;
132 }
133 return conn->name;
134 }
135
136 static void ip_address2string(ip_address *addr, char *buffer, size_t len)
137 {
138 switch (((struct sockaddr*)addr)->sa_family)
139 {
140 case AF_INET6:
141 {
142 struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
143 u_int8_t zeroes[IPV6_LEN];
144
145 memset(zeroes, 0, IPV6_LEN);
146 if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
147 inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
148 {
149 return;
150 }
151 snprintf(buffer, len, "%%any6");
152 break;
153 }
154 case AF_INET:
155 {
156 struct sockaddr_in* sin = (struct sockaddr_in*)addr;
157 u_int8_t zeroes[IPV4_LEN];
158
159 memset(zeroes, 0, IPV4_LEN);
160 if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
161 inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
162 {
163 return;
164 }
165 /* fall through to default */
166 }
167 default:
168 snprintf(buffer, len, "%%any");
169 break;
170 }
171 }
172
173 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
174 {
175 char buffer[INET6_ADDRSTRLEN];
176
177 msg_end->auth = push_string(msg, conn_end->auth);
178 msg_end->auth2 = push_string(msg, conn_end->auth2);
179 msg_end->id = push_string(msg, conn_end->id);
180 msg_end->id2 = push_string(msg, conn_end->id2);
181 msg_end->cert = push_string(msg, conn_end->cert);
182 msg_end->cert2 = push_string(msg, conn_end->cert2);
183 msg_end->ca = push_string(msg, conn_end->ca);
184 msg_end->ca2 = push_string(msg, conn_end->ca2);
185 msg_end->groups = push_string(msg, conn_end->groups);
186 msg_end->updown = push_string(msg, conn_end->updown);
187 ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
188 msg_end->address = push_string(msg, buffer);
189 msg_end->subnets = push_string(msg, conn_end->subnet);
190 msg_end->sendcert = conn_end->sendcert;
191 msg_end->hostaccess = conn_end->hostaccess;
192 msg_end->tohost = !conn_end->has_client;
193 msg_end->protocol = conn_end->protocol;
194 msg_end->port = conn_end->port;
195 if (conn_end->srcip)
196 {
197 if (conn_end->srcip[0] == '%')
198 { /* %poolname, strip % */
199 msg_end->sourceip_size = 0;
200 msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
201 }
202 else
203 {
204 char *pos = strchr(conn_end->srcip, '/');
205 if (pos)
206 { /* CIDR subnet definition */
207 snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
208 msg_end->sourceip = push_string(msg, buffer);
209 msg_end->sourceip_size = atoi(pos + 1);
210 }
211 else
212 { /* a single address */
213 msg_end->sourceip = push_string(msg, conn_end->srcip);
214 if (strchr(conn_end->srcip, ':'))
215 { /* IPv6 */
216 msg_end->sourceip_size = 128;
217 }
218 else
219 { /* IPv4 */
220 msg_end->sourceip_size = 32;
221 }
222 }
223 }
224 }
225 else if (conn_end->modecfg)
226 {
227 msg_end->sourceip_size = 1;
228 }
229 }
230
231 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
232 {
233 stroke_msg_t msg;
234
235 memset(&msg, 0, sizeof(msg));
236 msg.type = STR_ADD_CONN;
237 msg.length = offsetof(stroke_msg_t, buffer);
238 msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
239 msg.add_conn.name = push_string(&msg, connection_name(conn));
240
241 /* PUBKEY is preferred to PSK and EAP */
242 if (conn->policy & POLICY_PUBKEY)
243 {
244 msg.add_conn.auth_method = AUTH_PUBKEY;
245 }
246 else if (conn->policy & POLICY_PSK)
247 {
248 msg.add_conn.auth_method = AUTH_PSK;
249 }
250 else
251 {
252 msg.add_conn.auth_method = AUTH_EAP;
253 }
254 msg.add_conn.eap_type = conn->eap_type;
255 msg.add_conn.eap_vendor = conn->eap_vendor;
256 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
257
258 if (conn->policy & POLICY_TUNNEL)
259 {
260 msg.add_conn.mode = MODE_TUNNEL;
261 }
262 else if (conn->policy & POLICY_BEET)
263 {
264 msg.add_conn.mode = MODE_BEET;
265 }
266 else if (conn->policy & POLICY_PROXY)
267 {
268 msg.add_conn.mode = MODE_TRANSPORT;
269 msg.add_conn.proxy_mode = TRUE;
270 }
271 else
272 {
273 msg.add_conn.mode = MODE_TRANSPORT;
274 }
275
276 if (!(conn->policy & POLICY_DONT_REKEY))
277 {
278 msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
279 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
280 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
281 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
282 msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
283 msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
284 msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
285 msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
286 msg.add_conn.rekey.tries = conn->sa_keying_tries;
287 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
288 }
289 msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
290 msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
291 msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
292 msg.add_conn.install_policy = conn->install_policy;
293 msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
294 msg.add_conn.unique = cfg->setup.uniqueids;
295 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
296 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
297 msg.add_conn.dpd.delay = conn->dpd_delay;
298 msg.add_conn.dpd.action = conn->dpd_action;
299 msg.add_conn.ikeme.mediation = conn->me_mediation;
300 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
301 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
302
303 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
304 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
305
306 return send_stroke_msg(&msg);
307 }
308
309 int starter_stroke_del_conn(starter_conn_t *conn)
310 {
311 stroke_msg_t msg;
312
313 msg.type = STR_DEL_CONN;
314 msg.length = offsetof(stroke_msg_t, buffer);
315 msg.del_conn.name = push_string(&msg, connection_name(conn));
316 return send_stroke_msg(&msg);
317 }
318
319 int starter_stroke_route_conn(starter_conn_t *conn)
320 {
321 stroke_msg_t msg;
322
323 msg.type = STR_ROUTE;
324 msg.length = offsetof(stroke_msg_t, buffer);
325 msg.route.name = push_string(&msg, connection_name(conn));
326 return send_stroke_msg(&msg);
327 }
328
329 int starter_stroke_initiate_conn(starter_conn_t *conn)
330 {
331 stroke_msg_t msg;
332
333 msg.type = STR_INITIATE;
334 msg.length = offsetof(stroke_msg_t, buffer);
335 msg.initiate.name = push_string(&msg, connection_name(conn));
336 return send_stroke_msg(&msg);
337 }
338
339 int starter_stroke_add_ca(starter_ca_t *ca)
340 {
341 stroke_msg_t msg;
342
343 msg.type = STR_ADD_CA;
344 msg.length = offsetof(stroke_msg_t, buffer);
345 msg.add_ca.name = push_string(&msg, ca->name);
346 msg.add_ca.cacert = push_string(&msg, ca->cacert);
347 msg.add_ca.crluri = push_string(&msg, ca->crluri);
348 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
349 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
350 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
351 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
352 return send_stroke_msg(&msg);
353 }
354
355 int starter_stroke_del_ca(starter_ca_t *ca)
356 {
357 stroke_msg_t msg;
358
359 msg.type = STR_DEL_CA;
360 msg.length = offsetof(stroke_msg_t, buffer);
361 msg.del_ca.name = push_string(&msg, ca->name);
362 return send_stroke_msg(&msg);
363 }
364
365 int starter_stroke_configure(starter_config_t *cfg)
366 {
367 stroke_msg_t msg;
368
369 if (cfg->setup.cachecrls)
370 {
371 msg.type = STR_CONFIG;
372 msg.length = offsetof(stroke_msg_t, buffer);
373 msg.config.cachecrl = 1;
374 return send_stroke_msg(&msg);
375 }
376 return 0;
377 }
378
strongSwan - IPsec VPN