projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
*** HISTORICAL MOMENT: IKEv2 becomes the default! ***
[strongswan.git] / src / starter / starterstroke.c
1 /* Stroke for charon is the counterpart to whack from pluto
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/un.h>
19 #include <stddef.h>
20 #include <unistd.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
26
27 #include <freeswan.h>
28
29 #include <constants.h>
30 #include <defs.h>
31 #include <log.h>
32
33 #include <stroke_msg.h>
34
35 #include "starterstroke.h"
36 #include "confread.h"
37 #include "files.h"
38
39 #define IPV4_LEN 4
40 #define IPV6_LEN 16
41
42 /**
43 * Authentication methods, must be the same as in charons authenticator.h
44 */
45 enum auth_method_t {
46 AUTH_PUBKEY = 1,
47 AUTH_PSK = 2,
48 AUTH_EAP = 3
49 };
50
51 static char* push_string(stroke_msg_t *msg, char *string)
52 {
53 unsigned long string_start = msg->length;
54
55 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
56 {
57 return NULL;
58 }
59 else
60 {
61 msg->length += strlen(string) + 1;
62 strcpy((char*)msg + string_start, string);
63 return (char*)string_start;
64 }
65 }
66
67 static int send_stroke_msg (stroke_msg_t *msg)
68 {
69 struct sockaddr_un ctl_addr;
70 int byte_count;
71 char buffer[64];
72
73 ctl_addr.sun_family = AF_UNIX;
74 strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
75
76 /* starter is not called from commandline, and therefore absolutely silent */
77 msg->output_verbosity = -1;
78
79 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
80
81 if (sock < 0)
82 {
83 plog("socket() failed: %s", strerror(errno));
84 return -1;
85 }
86 if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
87 {
88 plog("connect(charon_ctl) failed: %s", strerror(errno));
89 close(sock);
90 return -1;
91 }
92
93 /* send message */
94 if (write(sock, msg, msg->length) != msg->length)
95 {
96 plog("write(charon_ctl) failed: %s", strerror(errno));
97 close(sock);
98 return -1;
99 }
100 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
101 {
102 buffer[byte_count] = '\0';
103 plog("%s", buffer);
104 }
105 if (byte_count < 0)
106 {
107 plog("read() failed: %s", strerror(errno));
108 }
109
110 close(sock);
111 return 0;
112 }
113
114 static char* connection_name(starter_conn_t *conn)
115 {
116 /* if connection name is '%auto', create a new name like conn_xxxxx */
117 static char buf[32];
118
119 if (streq(conn->name, "%auto"))
120 {
121 sprintf(buf, "conn_%ld", conn->id);
122 return buf;
123 }
124 return conn->name;
125 }
126
127 static void ip_address2string(ip_address *addr, char *buffer, size_t len)
128 {
129 switch (((struct sockaddr*)addr)->sa_family)
130 {
131 case AF_INET6:
132 {
133 struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
134 u_int8_t zeroes[IPV6_LEN];
135
136 memset(zeroes, 0, IPV6_LEN);
137 if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
138 inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
139 {
140 return;
141 }
142 snprintf(buffer, len, "%%any6");
143 break;
144 }
145 case AF_INET:
146 {
147 struct sockaddr_in* sin = (struct sockaddr_in*)addr;
148 u_int8_t zeroes[IPV4_LEN];
149
150 memset(zeroes, 0, IPV4_LEN);
151 if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
152 inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
153 {
154 return;
155 }
156 /* fall through to default */
157 }
158 default:
159 snprintf(buffer, len, "%%any");
160 break;
161 }
162 }
163
164 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
165 {
166 char buffer[INET6_ADDRSTRLEN];
167
168 msg_end->auth = push_string(msg, conn_end->auth);
169 msg_end->auth2 = push_string(msg, conn_end->auth2);
170 msg_end->id = push_string(msg, conn_end->id);
171 msg_end->id2 = push_string(msg, conn_end->id2);
172 msg_end->cert = push_string(msg, conn_end->cert);
173 msg_end->cert2 = push_string(msg, conn_end->cert2);
174 msg_end->ca = push_string(msg, conn_end->ca);
175 msg_end->ca2 = push_string(msg, conn_end->ca2);
176 msg_end->groups = push_string(msg, conn_end->groups);
177 msg_end->updown = push_string(msg, conn_end->updown);
178 ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
179 msg_end->address = push_string(msg, buffer);
180 msg_end->ikeport = conn_end->ikeport;
181 msg_end->subnets = push_string(msg, conn_end->subnet);
182 msg_end->sourceip = push_string(msg, conn_end->sourceip);
183 msg_end->sourceip_mask = conn_end->sourceip_mask;
184 msg_end->sendcert = conn_end->sendcert;
185 msg_end->hostaccess = conn_end->hostaccess;
186 msg_end->tohost = !conn_end->has_client;
187 msg_end->protocol = conn_end->protocol;
188 msg_end->port = conn_end->port;
189 }
190
191 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
192 {
193 stroke_msg_t msg;
194
195 memset(&msg, 0, sizeof(msg));
196 msg.type = STR_ADD_CONN;
197 msg.length = offsetof(stroke_msg_t, buffer);
198 msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
199 msg.add_conn.name = push_string(&msg, connection_name(conn));
200
201 /* PUBKEY is preferred to PSK and EAP */
202 if (conn->policy & POLICY_PUBKEY)
203 {
204 msg.add_conn.auth_method = AUTH_PUBKEY;
205 }
206 else if (conn->policy & POLICY_PSK)
207 {
208 msg.add_conn.auth_method = AUTH_PSK;
209 }
210 else
211 {
212 msg.add_conn.auth_method = AUTH_EAP;
213 }
214 msg.add_conn.eap_type = conn->eap_type;
215 msg.add_conn.eap_vendor = conn->eap_vendor;
216 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
217 msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
218
219 if (conn->policy & POLICY_TUNNEL)
220 {
221 msg.add_conn.mode = MODE_TUNNEL;
222 }
223 else if (conn->policy & POLICY_BEET)
224 {
225 msg.add_conn.mode = MODE_BEET;
226 }
227 else if (conn->policy & POLICY_PROXY)
228 {
229 msg.add_conn.mode = MODE_TRANSPORT;
230 msg.add_conn.proxy_mode = TRUE;
231 }
232 else
233 {
234 msg.add_conn.mode = MODE_TRANSPORT;
235 }
236
237 if (!(conn->policy & POLICY_DONT_REKEY))
238 {
239 msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
240 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
241 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
242 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
243 msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
244 msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
245 msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
246 msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
247 msg.add_conn.rekey.tries = conn->sa_keying_tries;
248 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
249 }
250 msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
251 msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
252 msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
253 msg.add_conn.install_policy = conn->install_policy;
254 msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
255 msg.add_conn.unique = cfg->setup.uniqueids;
256 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
257 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
258 msg.add_conn.dpd.delay = conn->dpd_delay;
259 msg.add_conn.dpd.action = conn->dpd_action;
260 msg.add_conn.inactivity = conn->inactivity;
261 msg.add_conn.ikeme.mediation = conn->me_mediation;
262 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
263 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
264 msg.add_conn.reqid = conn->reqid;
265 msg.add_conn.mark_in.value = conn->mark_in.value;
266 msg.add_conn.mark_in.mask = conn->mark_in.mask;
267 msg.add_conn.mark_out.value = conn->mark_out.value;
268 msg.add_conn.mark_out.mask = conn->mark_out.mask;
269
270 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
271 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
272
273 return send_stroke_msg(&msg);
274 }
275
276 int starter_stroke_del_conn(starter_conn_t *conn)
277 {
278 stroke_msg_t msg;
279
280 msg.type = STR_DEL_CONN;
281 msg.length = offsetof(stroke_msg_t, buffer);
282 msg.del_conn.name = push_string(&msg, connection_name(conn));
283 return send_stroke_msg(&msg);
284 }
285
286 int starter_stroke_route_conn(starter_conn_t *conn)
287 {
288 stroke_msg_t msg;
289
290 msg.type = STR_ROUTE;
291 msg.length = offsetof(stroke_msg_t, buffer);
292 msg.route.name = push_string(&msg, connection_name(conn));
293 return send_stroke_msg(&msg);
294 }
295
296 int starter_stroke_initiate_conn(starter_conn_t *conn)
297 {
298 stroke_msg_t msg;
299
300 msg.type = STR_INITIATE;
301 msg.length = offsetof(stroke_msg_t, buffer);
302 msg.initiate.name = push_string(&msg, connection_name(conn));
303 return send_stroke_msg(&msg);
304 }
305
306 int starter_stroke_add_ca(starter_ca_t *ca)
307 {
308 stroke_msg_t msg;
309
310 msg.type = STR_ADD_CA;
311 msg.length = offsetof(stroke_msg_t, buffer);
312 msg.add_ca.name = push_string(&msg, ca->name);
313 msg.add_ca.cacert = push_string(&msg, ca->cacert);
314 msg.add_ca.crluri = push_string(&msg, ca->crluri);
315 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
316 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
317 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
318 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
319 return send_stroke_msg(&msg);
320 }
321
322 int starter_stroke_del_ca(starter_ca_t *ca)
323 {
324 stroke_msg_t msg;
325
326 msg.type = STR_DEL_CA;
327 msg.length = offsetof(stroke_msg_t, buffer);
328 msg.del_ca.name = push_string(&msg, ca->name);
329 return send_stroke_msg(&msg);
330 }
331
332 int starter_stroke_configure(starter_config_t *cfg)
333 {
334 stroke_msg_t msg;
335
336 if (cfg->setup.cachecrls)
337 {
338 msg.type = STR_CONFIG;
339 msg.length = offsetof(stroke_msg_t, buffer);
340 msg.config.cachecrl = 1;
341 return send_stroke_msg(&msg);
342 }
343 return 0;
344 }
345
strongSwan - IPsec VPN