starter: Add an 'ah' keyword for Authentication Header Security Associations
[strongswan.git] / src / starter / starterstroke.c
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/un.h>
19 #include <stddef.h>
20 #include <unistd.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
26
27 #include <credentials/auth_cfg.h>
28
29 #include <library.h>
30 #include <utils/debug.h>
31
32 #include <stroke_msg.h>
33
34 #include "starterstroke.h"
35 #include "confread.h"
36 #include "files.h"
37
38 #define IPV4_LEN 4
39 #define IPV6_LEN 16
40
41 static char* push_string(stroke_msg_t *msg, char *string)
42 {
43 unsigned long string_start = msg->length;
44
45 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
46 {
47 return NULL;
48 }
49 else
50 {
51 msg->length += strlen(string) + 1;
52 strcpy((char*)msg + string_start, string);
53 return (char*)string_start;
54 }
55 }
56
57 static int send_stroke_msg (stroke_msg_t *msg)
58 {
59 struct sockaddr_un ctl_addr;
60 int byte_count;
61 char buffer[64];
62
63 ctl_addr.sun_family = AF_UNIX;
64 strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
65
66 /* starter is not called from commandline, and therefore absolutely silent */
67 msg->output_verbosity = -1;
68
69 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
70
71 if (sock < 0)
72 {
73 DBG1(DBG_APP, "socket() failed: %s", strerror(errno));
74 return -1;
75 }
76 if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
77 {
78 DBG1(DBG_APP, "connect(charon_ctl) failed: %s", strerror(errno));
79 close(sock);
80 return -1;
81 }
82
83 /* send message */
84 if (write(sock, msg, msg->length) != msg->length)
85 {
86 DBG1(DBG_APP, "write(charon_ctl) failed: %s", strerror(errno));
87 close(sock);
88 return -1;
89 }
90 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
91 {
92 buffer[byte_count] = '\0';
93 DBG1(DBG_APP, "%s", buffer);
94 }
95 if (byte_count < 0)
96 {
97 DBG1(DBG_APP, "read() failed: %s", strerror(errno));
98 }
99
100 close(sock);
101 return 0;
102 }
103
104 static char* connection_name(starter_conn_t *conn)
105 {
106 /* if connection name is '%auto', create a new name like conn_xxxxx */
107 static char buf[32];
108
109 if (streq(conn->name, "%auto"))
110 {
111 sprintf(buf, "conn_%lu", conn->id);
112 return buf;
113 }
114 return conn->name;
115 }
116
117 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
118 {
119 msg_end->auth = push_string(msg, conn_end->auth);
120 msg_end->auth2 = push_string(msg, conn_end->auth2);
121 msg_end->id = push_string(msg, conn_end->id);
122 msg_end->id2 = push_string(msg, conn_end->id2);
123 msg_end->rsakey = push_string(msg, conn_end->rsakey);
124 msg_end->cert = push_string(msg, conn_end->cert);
125 msg_end->cert2 = push_string(msg, conn_end->cert2);
126 msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
127 msg_end->ca = push_string(msg, conn_end->ca);
128 msg_end->ca2 = push_string(msg, conn_end->ca2);
129 msg_end->groups = push_string(msg, conn_end->groups);
130 msg_end->groups2 = push_string(msg, conn_end->groups2);
131 msg_end->updown = push_string(msg, conn_end->updown);
132 if (conn_end->host)
133 {
134 msg_end->address = push_string(msg, conn_end->host);
135 }
136 else
137 {
138 msg_end->address = push_string(msg, "%any");
139 }
140 msg_end->ikeport = conn_end->ikeport;
141 msg_end->subnets = push_string(msg, conn_end->subnet);
142 msg_end->sourceip = push_string(msg, conn_end->sourceip);
143 msg_end->dns = push_string(msg, conn_end->dns);
144 msg_end->sendcert = conn_end->sendcert;
145 msg_end->hostaccess = conn_end->hostaccess;
146 msg_end->tohost = !conn_end->subnet;
147 msg_end->allow_any = conn_end->allow_any;
148 msg_end->protocol = conn_end->protocol;
149 msg_end->from_port = conn_end->from_port;
150 msg_end->to_port = conn_end->to_port;
151 }
152
153 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
154 {
155 stroke_msg_t msg;
156
157 memset(&msg, 0, sizeof(msg));
158 msg.type = STR_ADD_CONN;
159 msg.length = offsetof(stroke_msg_t, buffer);
160 msg.add_conn.version = conn->keyexchange;
161 msg.add_conn.name = push_string(&msg, connection_name(conn));
162 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
163 msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
164 msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
165
166 msg.add_conn.mode = conn->mode;
167 msg.add_conn.proxy_mode = conn->proxy_mode;
168
169 if (!(conn->options & SA_OPTION_DONT_REKEY))
170 {
171 msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
172 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
173 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
174 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
175 msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
176 msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
177 msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
178 msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
179 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
180 }
181 msg.add_conn.rekey.tries = conn->sa_keying_tries;
182
183 msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
184 msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
185 msg.add_conn.fragmentation = conn->fragmentation;
186 msg.add_conn.ikedscp = conn->ikedscp;
187 msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
188 msg.add_conn.install_policy = conn->install_policy;
189 msg.add_conn.aggressive = conn->aggressive;
190 msg.add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH;
191 msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
192 msg.add_conn.unique = cfg->setup.uniqueids;
193 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
194 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
195 msg.add_conn.algorithms.ah = push_string(&msg, conn->ah);
196 msg.add_conn.dpd.delay = conn->dpd_delay;
197 msg.add_conn.dpd.timeout = conn->dpd_timeout;
198 msg.add_conn.dpd.action = conn->dpd_action;
199 msg.add_conn.close_action = conn->close_action;
200 msg.add_conn.inactivity = conn->inactivity;
201 msg.add_conn.ikeme.mediation = conn->me_mediation;
202 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
203 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
204 msg.add_conn.reqid = conn->reqid;
205 msg.add_conn.mark_in.value = conn->mark_in.value;
206 msg.add_conn.mark_in.mask = conn->mark_in.mask;
207 msg.add_conn.mark_out.value = conn->mark_out.value;
208 msg.add_conn.mark_out.mask = conn->mark_out.mask;
209 msg.add_conn.tfc = conn->tfc;
210
211 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
212 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
213
214 if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
215 conn->authby)
216 { /* leftauth/rightauth not set, use legacy options */
217 if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") ||
218 streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
219 streq(conn->authby, "pubkey"))
220 {
221 msg.add_conn.me.auth = push_string(&msg, "pubkey");
222 msg.add_conn.other.auth = push_string(&msg, "pubkey");
223 }
224 else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
225 {
226 msg.add_conn.me.auth = push_string(&msg, "psk");
227 msg.add_conn.other.auth = push_string(&msg, "psk");
228 }
229 else if (streq(conn->authby, "xauthrsasig"))
230 {
231 msg.add_conn.me.auth = push_string(&msg, "pubkey");
232 msg.add_conn.other.auth = push_string(&msg, "pubkey");
233 if (conn->options & SA_OPTION_XAUTH_SERVER)
234 {
235 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
236 }
237 else
238 {
239 msg.add_conn.me.auth2 = push_string(&msg, "xauth");
240 }
241 }
242 else if (streq(conn->authby, "xauthpsk"))
243 {
244 msg.add_conn.me.auth = push_string(&msg, "psk");
245 msg.add_conn.other.auth = push_string(&msg, "psk");
246 if (conn->options & SA_OPTION_XAUTH_SERVER)
247 {
248 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
249 }
250 else
251 {
252 msg.add_conn.me.auth2 = push_string(&msg, "xauth");
253 }
254 }
255 }
256 return send_stroke_msg(&msg);
257 }
258
259 int starter_stroke_del_conn(starter_conn_t *conn)
260 {
261 stroke_msg_t msg;
262
263 msg.type = STR_DEL_CONN;
264 msg.length = offsetof(stroke_msg_t, buffer);
265 msg.del_conn.name = push_string(&msg, connection_name(conn));
266 return send_stroke_msg(&msg);
267 }
268
269 int starter_stroke_route_conn(starter_conn_t *conn)
270 {
271 stroke_msg_t msg;
272
273 msg.type = STR_ROUTE;
274 msg.length = offsetof(stroke_msg_t, buffer);
275 msg.route.name = push_string(&msg, connection_name(conn));
276 return send_stroke_msg(&msg);
277 }
278
279 int starter_stroke_unroute_conn(starter_conn_t *conn)
280 {
281 stroke_msg_t msg;
282
283 msg.type = STR_UNROUTE;
284 msg.length = offsetof(stroke_msg_t, buffer);
285 msg.route.name = push_string(&msg, connection_name(conn));
286 return send_stroke_msg(&msg);
287 }
288
289 int starter_stroke_initiate_conn(starter_conn_t *conn)
290 {
291 stroke_msg_t msg;
292
293 msg.type = STR_INITIATE;
294 msg.length = offsetof(stroke_msg_t, buffer);
295 msg.initiate.name = push_string(&msg, connection_name(conn));
296 return send_stroke_msg(&msg);
297 }
298
299 int starter_stroke_add_ca(starter_ca_t *ca)
300 {
301 stroke_msg_t msg;
302
303 msg.type = STR_ADD_CA;
304 msg.length = offsetof(stroke_msg_t, buffer);
305 msg.add_ca.name = push_string(&msg, ca->name);
306 msg.add_ca.cacert = push_string(&msg, ca->cacert);
307 msg.add_ca.crluri = push_string(&msg, ca->crluri);
308 msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
309 msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
310 msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
311 msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
312 return send_stroke_msg(&msg);
313 }
314
315 int starter_stroke_del_ca(starter_ca_t *ca)
316 {
317 stroke_msg_t msg;
318
319 msg.type = STR_DEL_CA;
320 msg.length = offsetof(stroke_msg_t, buffer);
321 msg.del_ca.name = push_string(&msg, ca->name);
322 return send_stroke_msg(&msg);
323 }
324
325 int starter_stroke_configure(starter_config_t *cfg)
326 {
327 stroke_msg_t msg;
328
329 if (cfg->setup.cachecrls)
330 {
331 msg.type = STR_CONFIG;
332 msg.length = offsetof(stroke_msg_t, buffer);
333 msg.config.cachecrl = 1;
334 return send_stroke_msg(&msg);
335 }
336 return 0;
337 }