Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier
[strongswan.git] / src / stroke / stroke.c
1 /* Stroke for charon is the counterpart to whack from pluto
2 * Copyright (C) 2007-2012 Tobias Brunner
3 * Copyright (C) 2006 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdlib.h>
18 #include <sys/types.h>
19 #include <sys/stat.h>
20 #include <sys/socket.h>
21 #include <sys/un.h>
22 #include <unistd.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <stdio.h>
26 #include <stddef.h>
27 #include <string.h>
28
29 #include <library.h>
30
31 #include "stroke_msg.h"
32 #include "stroke_keywords.h"
33
34 struct stroke_token {
35 char *name;
36 stroke_keyword_t kw;
37 };
38
39 static char* push_string(stroke_msg_t *msg, char *string)
40 {
41 unsigned long string_start = msg->length;
42
43 if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
44 {
45 return NULL;
46 }
47 else
48 {
49 msg->length += strlen(string) + 1;
50 strcpy((char*)msg + string_start, string);
51 return (char*)string_start;
52 }
53 }
54
55 static int send_stroke_msg (stroke_msg_t *msg)
56 {
57 struct sockaddr_un ctl_addr;
58 int sock, byte_count;
59 char buffer[512], *pass;
60
61 ctl_addr.sun_family = AF_UNIX;
62 strcpy(ctl_addr.sun_path, STROKE_SOCKET);
63
64 msg->output_verbosity = 1; /* CONTROL */
65
66 sock = socket(AF_UNIX, SOCK_STREAM, 0);
67 if (sock < 0)
68 {
69 fprintf(stderr, "Opening unix socket %s: %s\n", STROKE_SOCKET, strerror(errno));
70 return -1;
71 }
72 if (connect(sock, (struct sockaddr *)&ctl_addr,
73 offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
74 {
75 fprintf(stderr, "Connect to socket failed: %s\n", strerror(errno));
76 close(sock);
77 return -1;
78 }
79
80 /* send message */
81 if (write(sock, msg, msg->length) != msg->length)
82 {
83 fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
84 close(sock);
85 return -1;
86 }
87
88 while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
89 {
90 buffer[byte_count] = '\0';
91
92 /* we prompt if we receive a magic keyword */
93 if ((byte_count >= 12 &&
94 strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) ||
95 (byte_count >= 10 &&
96 strcmp(buffer + byte_count - 10, "Password:\n") == 0) ||
97 (byte_count >= 5 &&
98 strcmp(buffer + byte_count - 5, "PIN:\n") == 0))
99 {
100 /* remove trailing newline */
101 pass = strrchr(buffer, '\n');
102 if (pass)
103 {
104 *pass = ' ';
105 }
106 #ifdef HAVE_GETPASS
107 pass = getpass(buffer);
108 #else
109 pass = "";
110 #endif
111 if (pass)
112 {
113 ignore_result(write(sock, pass, strlen(pass)));
114 ignore_result(write(sock, "\n", 1));
115 }
116 }
117 else
118 {
119 printf("%s", buffer);
120 }
121 }
122 if (byte_count < 0)
123 {
124 fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
125 }
126
127 close(sock);
128 return 0;
129 }
130
131 static int add_connection(char *name,
132 char *my_id, char *other_id,
133 char *my_addr, char *other_addr,
134 char *my_nets, char *other_nets)
135 {
136 stroke_msg_t msg;
137
138 memset(&msg, 0, sizeof(msg));
139 msg.length = offsetof(stroke_msg_t, buffer);
140 msg.type = STR_ADD_CONN;
141
142 msg.add_conn.name = push_string(&msg, name);
143 msg.add_conn.version = 2;
144 msg.add_conn.mode = 1;
145 msg.add_conn.mobike = 1;
146 msg.add_conn.dpd.action = 1;
147
148 msg.add_conn.me.id = push_string(&msg, my_id);
149 msg.add_conn.me.address = push_string(&msg, my_addr);
150 msg.add_conn.me.ikeport = 500;
151 msg.add_conn.me.subnets = push_string(&msg, my_nets);
152 msg.add_conn.me.sendcert = 1;
153
154 msg.add_conn.other.id = push_string(&msg, other_id);
155 msg.add_conn.other.address = push_string(&msg, other_addr);
156 msg.add_conn.other.ikeport = 500;
157 msg.add_conn.other.subnets = push_string(&msg, other_nets);
158 msg.add_conn.other.sendcert = 1;
159
160 return send_stroke_msg(&msg);
161 }
162
163 static int del_connection(char *name)
164 {
165 stroke_msg_t msg;
166
167 msg.length = offsetof(stroke_msg_t, buffer);
168 msg.type = STR_DEL_CONN;
169 msg.initiate.name = push_string(&msg, name);
170 return send_stroke_msg(&msg);
171 }
172
173 static int initiate_connection(char *name)
174 {
175 stroke_msg_t msg;
176
177 msg.length = offsetof(stroke_msg_t, buffer);
178 msg.type = STR_INITIATE;
179 msg.initiate.name = push_string(&msg, name);
180 return send_stroke_msg(&msg);
181 }
182
183 static int terminate_connection(char *name)
184 {
185 stroke_msg_t msg;
186
187 msg.type = STR_TERMINATE;
188 msg.length = offsetof(stroke_msg_t, buffer);
189 msg.initiate.name = push_string(&msg, name);
190 return send_stroke_msg(&msg);
191 }
192
193 static int terminate_connection_srcip(char *start, char *end)
194 {
195 stroke_msg_t msg;
196
197 msg.type = STR_TERMINATE_SRCIP;
198 msg.length = offsetof(stroke_msg_t, buffer);
199 msg.terminate_srcip.start = push_string(&msg, start);
200 msg.terminate_srcip.end = push_string(&msg, end);
201 return send_stroke_msg(&msg);
202 }
203
204 static int rekey_connection(char *name)
205 {
206 stroke_msg_t msg;
207
208 msg.type = STR_REKEY;
209 msg.length = offsetof(stroke_msg_t, buffer);
210 msg.rekey.name = push_string(&msg, name);
211 return send_stroke_msg(&msg);
212 }
213
214 static int route_connection(char *name)
215 {
216 stroke_msg_t msg;
217
218 msg.type = STR_ROUTE;
219 msg.length = offsetof(stroke_msg_t, buffer);
220 msg.route.name = push_string(&msg, name);
221 return send_stroke_msg(&msg);
222 }
223
224 static int unroute_connection(char *name)
225 {
226 stroke_msg_t msg;
227
228 msg.type = STR_UNROUTE;
229 msg.length = offsetof(stroke_msg_t, buffer);
230 msg.unroute.name = push_string(&msg, name);
231 return send_stroke_msg(&msg);
232 }
233
234 static int show_status(stroke_keyword_t kw, char *connection)
235 {
236 stroke_msg_t msg;
237
238 switch (kw)
239 {
240 case STROKE_STATUSALL:
241 msg.type = STR_STATUS_ALL;
242 break;
243 case STROKE_STATUSALL_NOBLK:
244 msg.type = STR_STATUS_ALL_NOBLK;
245 break;
246 default:
247 msg.type = STR_STATUS;
248 break;
249 }
250 msg.length = offsetof(stroke_msg_t, buffer);
251 msg.status.name = push_string(&msg, connection);
252 return send_stroke_msg(&msg);
253 }
254
255 static int list_flags[] = {
256 LIST_PUBKEYS,
257 LIST_CERTS,
258 LIST_CACERTS,
259 LIST_OCSPCERTS,
260 LIST_AACERTS,
261 LIST_ACERTS,
262 LIST_GROUPS,
263 LIST_CAINFOS,
264 LIST_CRLS,
265 LIST_OCSP,
266 LIST_ALGS,
267 LIST_PLUGINS,
268 LIST_COUNTERS,
269 LIST_ALL
270 };
271
272 static int list(stroke_keyword_t kw, int utc)
273 {
274 stroke_msg_t msg;
275
276 msg.type = STR_LIST;
277 msg.length = offsetof(stroke_msg_t, buffer);
278 msg.list.utc = utc;
279 msg.list.flags = list_flags[kw - STROKE_LIST_FIRST];
280 return send_stroke_msg(&msg);
281 }
282
283 static int reread_flags[] = {
284 REREAD_SECRETS,
285 REREAD_CACERTS,
286 REREAD_OCSPCERTS,
287 REREAD_AACERTS,
288 REREAD_ACERTS,
289 REREAD_CRLS,
290 REREAD_ALL
291 };
292
293 static int reread(stroke_keyword_t kw)
294 {
295 stroke_msg_t msg;
296
297 msg.type = STR_REREAD;
298 msg.length = offsetof(stroke_msg_t, buffer);
299 msg.reread.flags = reread_flags[kw - STROKE_REREAD_FIRST];
300 return send_stroke_msg(&msg);
301 }
302
303 static int purge_flags[] = {
304 PURGE_OCSP,
305 PURGE_CRLS,
306 PURGE_CERTS,
307 PURGE_IKE,
308 };
309
310 static int purge(stroke_keyword_t kw)
311 {
312 stroke_msg_t msg;
313
314 msg.type = STR_PURGE;
315 msg.length = offsetof(stroke_msg_t, buffer);
316 msg.purge.flags = purge_flags[kw - STROKE_PURGE_FIRST];
317 return send_stroke_msg(&msg);
318 }
319
320 static int export_flags[] = {
321 EXPORT_X509,
322 };
323
324 static int export(stroke_keyword_t kw, char *selector)
325 {
326 stroke_msg_t msg;
327
328 msg.type = STR_EXPORT;
329 msg.length = offsetof(stroke_msg_t, buffer);
330 msg.export.selector = push_string(&msg, selector);
331 msg.export.flags = export_flags[kw - STROKE_EXPORT_FIRST];
332 return send_stroke_msg(&msg);
333 }
334
335 static int leases(stroke_keyword_t kw, char *pool, char *address)
336 {
337 stroke_msg_t msg;
338
339 msg.type = STR_LEASES;
340 msg.length = offsetof(stroke_msg_t, buffer);
341 msg.leases.pool = push_string(&msg, pool);
342 msg.leases.address = push_string(&msg, address);
343 return send_stroke_msg(&msg);
344 }
345
346 static int memusage()
347 {
348 stroke_msg_t msg;
349
350 msg.type = STR_MEMUSAGE;
351 msg.length = offsetof(stroke_msg_t, buffer);
352 return send_stroke_msg(&msg);
353 }
354
355 static int user_credentials(char *name, char *user, char *pass)
356 {
357 stroke_msg_t msg;
358
359 msg.type = STR_USER_CREDS;
360 msg.length = offsetof(stroke_msg_t, buffer);
361 msg.user_creds.name = push_string(&msg, name);
362 msg.user_creds.username = push_string(&msg, user);
363 msg.user_creds.password = push_string(&msg, pass);
364 return send_stroke_msg(&msg);
365 }
366
367 static int set_loglevel(char *type, u_int level)
368 {
369 stroke_msg_t msg;
370
371 msg.type = STR_LOGLEVEL;
372 msg.length = offsetof(stroke_msg_t, buffer);
373 msg.loglevel.type = push_string(&msg, type);
374 msg.loglevel.level = level;
375 return send_stroke_msg(&msg);
376 }
377
378 static void exit_error(char *error)
379 {
380 if (error)
381 {
382 fprintf(stderr, "%s\n", error);
383 }
384 exit(-1);
385 }
386
387 static void exit_usage(char *error)
388 {
389 printf("Usage:\n");
390 printf(" Add a connection:\n");
391 printf(" stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\\\n");
392 printf(" MY_NET OTHER_NET MY_NETBITS OTHER_NETBITS\n");
393 printf(" where: ID is any IKEv2 ID \n");
394 printf(" ADDR is a IPv4 address\n");
395 printf(" NET is a IPv4 subnet in CIDR notation\n");
396 printf(" Delete a connection:\n");
397 printf(" stroke delete NAME\n");
398 printf(" where: NAME is a connection name added with \"stroke add\"\n");
399 printf(" Initiate a connection:\n");
400 printf(" stroke up NAME\n");
401 printf(" where: NAME is a connection name added with \"stroke add\"\n");
402 printf(" Terminate a connection:\n");
403 printf(" stroke down NAME\n");
404 printf(" where: NAME is a connection name added with \"stroke add\"\n");
405 printf(" Terminate a connection by remote srcip:\n");
406 printf(" stroke down-srcip START [END]\n");
407 printf(" where: START and optional END define the clients source IP\n");
408 printf(" Set loglevel for a logging type:\n");
409 printf(" stroke loglevel TYPE LEVEL\n");
410 printf(" where: TYPE is any|dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|esp|lib\n");
411 printf(" LEVEL is -1|0|1|2|3|4\n");
412 printf(" Show connection status:\n");
413 printf(" stroke status\n");
414 printf(" Show extended status information:\n");
415 printf(" stroke statusall\n");
416 printf(" Show extended status information without blocking:\n");
417 printf(" stroke statusallnb\n");
418 printf(" Show list of authority and attribute certificates:\n");
419 printf(" stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
420 printf(" Show list of end entity certificates, ca info records and crls:\n");
421 printf(" stroke listcerts|listcainfos|listcrls|listcounters|listall\n");
422 printf(" Show list of supported algorithms:\n");
423 printf(" stroke listalgs\n");
424 printf(" Reload authority and attribute certificates:\n");
425 printf(" stroke rereadcacerts|rereadocspcerts|rereadaacerts|rereadacerts\n");
426 printf(" Reload secrets and crls:\n");
427 printf(" stroke rereadsecrets|rereadcrls|rereadall\n");
428 printf(" Purge ocsp cache entries:\n");
429 printf(" stroke purgeocsp\n");
430 printf(" Purge CRL cache entries:\n");
431 printf(" stroke purgecrls\n");
432 printf(" Purge X509 cache entries:\n");
433 printf(" stroke purgecerts\n");
434 printf(" Purge IKE_SAs without a CHILD_SA:\n");
435 printf(" stroke purgeike\n");
436 printf(" Export credentials to the console:\n");
437 printf(" stroke exportx509 DN\n");
438 printf(" Show current memory usage:\n");
439 printf(" stroke memusage\n");
440 printf(" Show leases of a pool:\n");
441 printf(" stroke leases [POOL [ADDRESS]]\n");
442 printf(" Set username and password for a connection:\n");
443 printf(" stroke user-creds NAME USERNAME [PASSWORD]\n");
444 printf(" where: NAME is a connection name added with \"stroke add\"\n");
445 printf(" USERNAME is the username\n");
446 printf(" PASSWORD is the optional password, you'll be asked to enter it if not given\n");
447 exit_error(error);
448 }
449
450 int main(int argc, char *argv[])
451 {
452 const stroke_token_t *token;
453 int res = 0;
454
455 library_init(NULL);
456 atexit(library_deinit);
457
458 if (argc < 2)
459 {
460 exit_usage(NULL);
461 }
462
463 token = in_word_set(argv[1], strlen(argv[1]));
464
465 if (token == NULL)
466 {
467 exit_usage("unknown keyword");
468 }
469
470 switch (token->kw)
471 {
472 case STROKE_ADD:
473 if (argc < 11)
474 {
475 exit_usage("\"add\" needs more parameters...");
476 }
477 res = add_connection(argv[2],
478 argv[3], argv[4],
479 argv[5], argv[6],
480 argv[7], argv[8]);
481 break;
482 case STROKE_DELETE:
483 case STROKE_DEL:
484 if (argc < 3)
485 {
486 exit_usage("\"delete\" needs a connection name");
487 }
488 res = del_connection(argv[2]);
489 break;
490 case STROKE_UP:
491 if (argc < 3)
492 {
493 exit_usage("\"up\" needs a connection name");
494 }
495 res = initiate_connection(argv[2]);
496 break;
497 case STROKE_DOWN:
498 if (argc < 3)
499 {
500 exit_usage("\"down\" needs a connection name");
501 }
502 res = terminate_connection(argv[2]);
503 break;
504 case STROKE_DOWN_SRCIP:
505 if (argc < 3)
506 {
507 exit_usage("\"down-srcip\" needs start and optional end address");
508 }
509 res = terminate_connection_srcip(argv[2], argc > 3 ? argv[3] : NULL);
510 break;
511 case STROKE_REKEY:
512 if (argc < 3)
513 {
514 exit_usage("\"rekey\" needs a connection name");
515 }
516 res = rekey_connection(argv[2]);
517 break;
518 case STROKE_ROUTE:
519 if (argc < 3)
520 {
521 exit_usage("\"route\" needs a connection name");
522 }
523 res = route_connection(argv[2]);
524 break;
525 case STROKE_UNROUTE:
526 if (argc < 3)
527 {
528 exit_usage("\"unroute\" needs a connection name");
529 }
530 res = unroute_connection(argv[2]);
531 break;
532 case STROKE_LOGLEVEL:
533 if (argc < 4)
534 {
535 exit_usage("\"logtype\" needs more parameters...");
536 }
537 res = set_loglevel(argv[2], atoi(argv[3]));
538 break;
539 case STROKE_STATUS:
540 case STROKE_STATUSALL:
541 case STROKE_STATUSALL_NOBLK:
542 res = show_status(token->kw, argc > 2 ? argv[2] : NULL);
543 break;
544 case STROKE_LIST_PUBKEYS:
545 case STROKE_LIST_CERTS:
546 case STROKE_LIST_CACERTS:
547 case STROKE_LIST_OCSPCERTS:
548 case STROKE_LIST_AACERTS:
549 case STROKE_LIST_ACERTS:
550 case STROKE_LIST_CAINFOS:
551 case STROKE_LIST_CRLS:
552 case STROKE_LIST_OCSP:
553 case STROKE_LIST_ALGS:
554 case STROKE_LIST_PLUGINS:
555 case STROKE_LIST_COUNTERS:
556 case STROKE_LIST_ALL:
557 res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
558 break;
559 case STROKE_REREAD_SECRETS:
560 case STROKE_REREAD_CACERTS:
561 case STROKE_REREAD_OCSPCERTS:
562 case STROKE_REREAD_AACERTS:
563 case STROKE_REREAD_ACERTS:
564 case STROKE_REREAD_CRLS:
565 case STROKE_REREAD_ALL:
566 res = reread(token->kw);
567 break;
568 case STROKE_PURGE_OCSP:
569 case STROKE_PURGE_CRLS:
570 case STROKE_PURGE_CERTS:
571 case STROKE_PURGE_IKE:
572 res = purge(token->kw);
573 break;
574 case STROKE_EXPORT_X509:
575 if (argc != 3)
576 {
577 exit_usage("\"exportx509\" needs a distinguished name");
578 }
579 res = export(token->kw, argv[2]);
580 break;
581 case STROKE_LEASES:
582 res = leases(token->kw, argc > 2 ? argv[2] : NULL,
583 argc > 3 ? argv[3] : NULL);
584 break;
585 case STROKE_MEMUSAGE:
586 res = memusage();
587 break;
588 case STROKE_USER_CREDS:
589 if (argc < 4)
590 {
591 exit_usage("\"user-creds\" needs a connection name, "
592 "username and optionally a password");
593 }
594 res = user_credentials(argv[2], argv[3], argc > 4 ? argv[4] : NULL);
595 break;
596 default:
597 exit_usage(NULL);
598 }
599 return res;
600 }