2 * Copyright (C) 2007-2015 Tobias Brunner
3 * Copyright (C) 2006 Martin Willi
5 * Copyright (C) secunet Security Networks AG
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 #include "stroke_msg.h"
28 #include "stroke_keywords.h"
35 static char *daemon_name
= "charon";
36 static int output_verbosity
= 1; /* CONTROL */
38 static stroke_msg_t
*create_stroke_msg(int type
)
44 .length
= offsetof(stroke_msg_t
, buffer
),
49 #define push_string(msg, field, str) \
50 push_string_impl(msg, offsetof(stroke_msg_t, field), str)
52 static void push_string_impl(stroke_msg_t
**msg
, size_t offset
, char *string
)
54 size_t cur_len
= (*msg
)->length
, str_len
;
60 str_len
= strlen(string
) + 1;
61 if (cur_len
+ str_len
>= UINT16_MAX
)
63 (*msg
)->length
= UINT16_MAX
;
66 while (cur_len
+ str_len
> sizeof(stroke_msg_t
) + (*msg
)->buflen
)
68 *msg
= realloc(*msg
, sizeof(stroke_msg_t
) + (*msg
)->buflen
+
70 (*msg
)->buflen
+= STROKE_BUF_LEN_INC
;
72 (*msg
)->length
+= str_len
;
73 strcpy((char*)*msg
+ cur_len
, string
);
74 *(char**)((char*)*msg
+ offset
) = (char*)cur_len
;
77 static int send_stroke_msg(stroke_msg_t
*msg
)
80 char *uri
, buffer
[512], *pass
;
83 if (msg
->length
== UINT16_MAX
)
85 fprintf(stderr
, "stroke message exceeds maximum buffer size");
90 msg
->output_verbosity
= output_verbosity
;
92 uri
= lib
->settings
->get_str(lib
->settings
, "%s.plugins.stroke.socket",
93 "unix://" STROKE_SOCKET
, daemon_name
);
94 stream
= lib
->streams
->connect(lib
->streams
, uri
);
97 fprintf(stderr
, "failed to connect to stroke socket '%s'\n", uri
);
102 if (!stream
->write_all(stream
, msg
, msg
->length
))
104 fprintf(stderr
, "sending stroke message failed\n");
105 stream
->destroy(stream
);
110 while ((count
= stream
->read(stream
, buffer
, sizeof(buffer
)-1, TRUE
)) > 0)
112 buffer
[count
] = '\0';
114 /* we prompt if we receive a magic keyword */
115 if ((count
>= 12 && streq(buffer
+ count
- 12, "Passphrase:\n")) ||
116 (count
>= 10 && streq(buffer
+ count
- 10, "Password:\n")) ||
117 (count
>= 5 && streq(buffer
+ count
- 5, "PIN:\n")))
119 /* remove trailing newline */
120 pass
= strrchr(buffer
, '\n');
126 pass
= getpass(buffer
);
132 stream
->write_all(stream
, pass
, strlen(pass
));
133 memwipe(pass
, strlen(pass
));
134 stream
->write_all(stream
, "\n", 1);
139 printf("%s", buffer
);
144 fprintf(stderr
, "reading stroke response failed\n");
146 stream
->destroy(stream
);
151 static int add_connection(char *name
,
152 char *my_id
, char *other_id
,
153 char *my_addr
, char *other_addr
,
154 char *my_nets
, char *other_nets
)
158 msg
= create_stroke_msg(STR_ADD_CONN
);
160 push_string(&msg
, add_conn
.name
, name
);
161 msg
->add_conn
.version
= 2;
162 msg
->add_conn
.mode
= 1;
163 msg
->add_conn
.mobike
= 1;
164 msg
->add_conn
.dpd
.action
= 1;
165 msg
->add_conn
.install_policy
= 1;
167 push_string(&msg
, add_conn
.me
.id
, my_id
);
168 push_string(&msg
, add_conn
.me
.address
, my_addr
);
169 msg
->add_conn
.me
.ikeport
= 500;
170 push_string(&msg
, add_conn
.me
.subnets
, my_nets
);
171 msg
->add_conn
.me
.sendcert
= 1;
172 msg
->add_conn
.me
.to_port
= 65535;
174 push_string(&msg
, add_conn
.other
.id
, other_id
);
175 push_string(&msg
, add_conn
.other
.address
, other_addr
);
176 msg
->add_conn
.other
.ikeport
= 500;
177 push_string(&msg
, add_conn
.other
.subnets
, other_nets
);
178 msg
->add_conn
.other
.sendcert
= 1;
179 msg
->add_conn
.other
.to_port
= 65535;
181 return send_stroke_msg(msg
);
184 static int del_connection(char *name
)
188 msg
= create_stroke_msg(STR_DEL_CONN
);
189 push_string(&msg
, initiate
.name
, name
);
190 return send_stroke_msg(msg
);
193 static int initiate_connection(char *name
)
197 msg
= create_stroke_msg(STR_INITIATE
);
198 push_string(&msg
, initiate
.name
, name
);
199 return send_stroke_msg(msg
);
202 static int terminate_connection(char *name
)
206 msg
= create_stroke_msg(STR_TERMINATE
);
207 push_string(&msg
, initiate
.name
, name
);
208 return send_stroke_msg(msg
);
211 static int terminate_connection_srcip(char *start
, char *end
)
215 msg
= create_stroke_msg(STR_TERMINATE_SRCIP
);
216 push_string(&msg
, terminate_srcip
.start
, start
);
217 push_string(&msg
, terminate_srcip
.end
, end
);
218 return send_stroke_msg(msg
);
221 static int rekey_connection(char *name
)
225 msg
= create_stroke_msg(STR_REKEY
);
226 push_string(&msg
, rekey
.name
, name
);
227 return send_stroke_msg(msg
);
230 static int route_connection(char *name
)
234 msg
= create_stroke_msg(STR_ROUTE
);
235 push_string(&msg
, route
.name
, name
);
236 return send_stroke_msg(msg
);
239 static int unroute_connection(char *name
)
243 msg
= create_stroke_msg(STR_UNROUTE
);
244 push_string(&msg
, unroute
.name
, name
);
245 return send_stroke_msg(msg
);
248 static int show_status(stroke_keyword_t kw
, char *connection
)
254 case STROKE_STATUSALL
:
255 msg
= create_stroke_msg(STR_STATUS_ALL
);
257 case STROKE_STATUSALL_NOBLK
:
258 msg
= create_stroke_msg(STR_STATUS_ALL_NOBLK
);
261 msg
= create_stroke_msg(STR_STATUS
);
264 push_string(&msg
, status
.name
, connection
);
265 return send_stroke_msg(msg
);
268 static int list_flags
[] = {
284 static int list(stroke_keyword_t kw
, bool utc
)
288 msg
= create_stroke_msg(STR_LIST
);
290 msg
->list
.flags
= list_flags
[kw
- STROKE_LIST_FIRST
];
291 return send_stroke_msg(msg
);
294 static int reread_flags
[] = {
304 static int reread(stroke_keyword_t kw
)
308 msg
= create_stroke_msg(STR_REREAD
);
309 msg
->reread
.flags
= reread_flags
[kw
- STROKE_REREAD_FIRST
];
310 return send_stroke_msg(msg
);
313 static int purge_flags
[] = {
320 static int purge(stroke_keyword_t kw
)
324 msg
= create_stroke_msg(STR_PURGE
);
325 msg
->purge
.flags
= purge_flags
[kw
- STROKE_PURGE_FIRST
];
326 return send_stroke_msg(msg
);
329 static int export_flags
[] = {
335 static int export(stroke_keyword_t kw
, char *selector
)
339 msg
= create_stroke_msg(STR_EXPORT
);
340 push_string(&msg
, export
.selector
, selector
);
341 msg
->export
.flags
= export_flags
[kw
- STROKE_EXPORT_FIRST
];
342 return send_stroke_msg(msg
);
345 static int leases(stroke_keyword_t kw
, char *pool
, char *address
)
349 msg
= create_stroke_msg(STR_LEASES
);
350 push_string(&msg
, leases
.pool
, pool
);
351 push_string(&msg
, leases
.address
, address
);
352 return send_stroke_msg(msg
);
355 static int memusage()
359 msg
= create_stroke_msg(STR_MEMUSAGE
);
360 return send_stroke_msg(msg
);
363 static int user_credentials(char *name
, char *user
, char *pass
)
367 msg
= create_stroke_msg(STR_USER_CREDS
);
368 push_string(&msg
, user_creds
.name
, name
);
369 push_string(&msg
, user_creds
.username
, user
);
370 push_string(&msg
, user_creds
.password
, pass
);
371 return send_stroke_msg(msg
);
374 static int counters(int reset
, char *name
)
378 msg
= create_stroke_msg(STR_COUNTERS
);
379 push_string(&msg
, counters
.name
, name
);
380 msg
->counters
.reset
= reset
;
381 return send_stroke_msg(msg
);
384 static int set_loglevel(char *type
, u_int level
)
388 msg
= create_stroke_msg(STR_LOGLEVEL
);
389 push_string(&msg
, loglevel
.type
, type
);
390 msg
->loglevel
.level
= level
;
391 return send_stroke_msg(msg
);
394 static int usage(char *error
)
396 FILE *out
= error ? stderr
: stdout
;
398 fprintf(out
, "stroke [OPTIONS] command [ARGUMENTS]\n\n");
399 fprintf(out
, "Options:\n");
400 fprintf(out
, " -h, --help print this information.\n");
401 fprintf(out
, " -d, --daemon=NAME name of the daemon.\n");
402 fprintf(out
, "Commands:\n");
403 fprintf(out
, " Add a connection:\n");
404 fprintf(out
, " stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\\\n");
405 fprintf(out
, " MY_NET OTHER_NET\n");
406 fprintf(out
, " where: ID is any IKEv2 ID \n");
407 fprintf(out
, " ADDR is a IPv4 address\n");
408 fprintf(out
, " NET is a IPv4 subnet in CIDR notation\n");
409 fprintf(out
, " Delete a connection:\n");
410 fprintf(out
, " stroke delete NAME\n");
411 fprintf(out
, " where: NAME is a connection name added with \"stroke add\"\n");
412 fprintf(out
, " Initiate a connection:\n");
413 fprintf(out
, " stroke up NAME\n");
414 fprintf(out
, " where: NAME is a connection name added with \"stroke add\"\n");
415 fprintf(out
, " Initiate a connection without blocking:\n");
416 fprintf(out
, " stroke up-nb NAME\n");
417 fprintf(out
, " where: NAME is a connection name added with \"stroke add\"\n");
418 fprintf(out
, " Terminate a connection:\n");
419 fprintf(out
, " stroke down NAME\n");
420 fprintf(out
, " where: NAME is a connection name added with \"stroke add\"\n");
421 fprintf(out
, " Terminate a connection without blocking:\n");
422 fprintf(out
, " stroke down-nb NAME\n");
423 fprintf(out
, " where: NAME is a connection name added with \"stroke add\"\n");
424 fprintf(out
, " Terminate a connection by remote srcip:\n");
425 fprintf(out
, " stroke down-srcip START [END]\n");
426 fprintf(out
, " where: START and optional END define the clients source IP\n");
427 fprintf(out
, " Set loglevel for a logging type:\n");
428 fprintf(out
, " stroke loglevel TYPE LEVEL\n");
429 fprintf(out
, " where: TYPE is any|dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|esp|lib\n");
430 fprintf(out
, " LEVEL is -1|0|1|2|3|4\n");
431 fprintf(out
, " Show connection status:\n");
432 fprintf(out
, " stroke status\n");
433 fprintf(out
, " Show extended status information:\n");
434 fprintf(out
, " stroke statusall\n");
435 fprintf(out
, " Show extended status information without blocking:\n");
436 fprintf(out
, " stroke statusall-nb\n");
437 fprintf(out
, " Show list of authority and attribute certificates:\n");
438 fprintf(out
, " stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
439 fprintf(out
, " Show list of end entity certificates, ca info records and crls:\n");
440 fprintf(out
, " stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
441 fprintf(out
, " Show list of supported algorithms:\n");
442 fprintf(out
, " stroke listalgs\n");
443 fprintf(out
, " Reload authority and attribute certificates:\n");
444 fprintf(out
, " stroke rereadcacerts|rereadocspcerts|rereadaacerts|rereadacerts\n");
445 fprintf(out
, " Reload secrets and crls:\n");
446 fprintf(out
, " stroke rereadsecrets|rereadcrls|rereadall\n");
447 fprintf(out
, " Purge ocsp cache entries:\n");
448 fprintf(out
, " stroke purgeocsp\n");
449 fprintf(out
, " Purge CRL cache entries:\n");
450 fprintf(out
, " stroke purgecrls\n");
451 fprintf(out
, " Purge X509 cache entries:\n");
452 fprintf(out
, " stroke purgecerts\n");
453 fprintf(out
, " Purge IKE_SAs without a CHILD_SA:\n");
454 fprintf(out
, " stroke purgeike\n");
455 fprintf(out
, " Export credentials to the console:\n");
456 fprintf(out
, " stroke exportx509 DN\n");
457 fprintf(out
, " stroke exportconncert connname\n");
458 fprintf(out
, " stroke exportconnchain connname\n");
459 fprintf(out
, " Show current memory usage:\n");
460 fprintf(out
, " stroke memusage\n");
461 fprintf(out
, " Show leases of a pool:\n");
462 fprintf(out
, " stroke leases [POOL [ADDRESS]]\n");
463 fprintf(out
, " Set username and password for a connection:\n");
464 fprintf(out
, " stroke user-creds NAME USERNAME [PASSWORD]\n");
465 fprintf(out
, " where: NAME is a connection name added with \"stroke add\"\n");
466 fprintf(out
, " USERNAME is the username\n");
467 fprintf(out
, " PASSWORD is the optional password, you'll be asked to enter it if not given\n");
468 fprintf(out
, " Show IKE counters:\n");
469 fprintf(out
, " stroke listcounters [connection-name]\n");
473 fprintf(out
, "\nError: %s\n", error
);
479 int main(int argc
, char *argv
[])
481 const stroke_token_t
*token
;
486 library_init(NULL
, "stroke");
487 atexit(library_deinit
);
491 struct option long_opts
[] = {
492 {"help", no_argument
, NULL
, 'h' },
493 {"utc", no_argument
, NULL
, 'u' },
494 {"daemon", required_argument
, NULL
, 'd' },
497 switch (getopt_long(argc
, argv
, "hd:", long_opts
, NULL
))
504 daemon_name
= optarg
;
510 return usage("invalid option");
517 return usage("command missing");
520 cmd
= argv
[optind
++];
521 token
= in_word_set(cmd
, strlen(cmd
));
524 return usage("unknown command");
527 /* make argv/argc only cover positional arguments */
528 argv
= &argv
[optind
];
529 argc
= argc
- optind
;
536 return usage("\"add\" needs more arguments...");
538 res
= add_connection(argv
[0], argv
[1], argv
[2], argv
[3], argv
[4],
545 return usage("\"delete\" needs a connection name");
547 res
= del_connection(argv
[0]);
549 case STROKE_UP_NOBLK
:
550 output_verbosity
= -1;
555 return usage("\"up\" needs a connection name");
557 res
= initiate_connection(argv
[0]);
559 case STROKE_DOWN_NOBLK
:
560 output_verbosity
= -1;
565 return usage("\"down\" needs a connection name");
567 res
= terminate_connection(argv
[0]);
569 case STROKE_DOWN_SRCIP
:
572 return usage("\"down-srcip\" needs start and optional end address");
574 res
= terminate_connection_srcip(argv
[0], argc
> 1 ? argv
[1] : NULL
);
579 return usage("\"rekey\" needs a connection name");
581 res
= rekey_connection(argv
[0]);
586 return usage("\"route\" needs a connection name");
588 res
= route_connection(argv
[0]);
593 return usage("\"unroute\" needs a connection name");
595 res
= unroute_connection(argv
[0]);
597 case STROKE_LOGLEVEL
:
600 return usage("\"logtype\" needs more parameters...");
602 res
= set_loglevel(argv
[0], atoi(argv
[1]));
605 case STROKE_STATUSALL
:
606 case STROKE_STATUSALL_NOBLK
:
607 res
= show_status(token
->kw
, argc ? argv
[0] : NULL
);
609 case STROKE_LIST_PUBKEYS
:
610 case STROKE_LIST_CERTS
:
611 case STROKE_LIST_CACERTS
:
612 case STROKE_LIST_OCSPCERTS
:
613 case STROKE_LIST_AACERTS
:
614 case STROKE_LIST_ACERTS
:
615 case STROKE_LIST_CAINFOS
:
616 case STROKE_LIST_CRLS
:
617 case STROKE_LIST_OCSP
:
618 case STROKE_LIST_ALGS
:
619 case STROKE_LIST_PLUGINS
:
620 case STROKE_LIST_ALL
:
621 res
= list(token
->kw
, utc
);
623 case STROKE_REREAD_SECRETS
:
624 case STROKE_REREAD_CACERTS
:
625 case STROKE_REREAD_OCSPCERTS
:
626 case STROKE_REREAD_AACERTS
:
627 case STROKE_REREAD_ACERTS
:
628 case STROKE_REREAD_CRLS
:
629 case STROKE_REREAD_ALL
:
630 res
= reread(token
->kw
);
632 case STROKE_PURGE_OCSP
:
633 case STROKE_PURGE_CRLS
:
634 case STROKE_PURGE_CERTS
:
635 case STROKE_PURGE_IKE
:
636 res
= purge(token
->kw
);
638 case STROKE_EXPORT_X509
:
639 case STROKE_EXPORT_CONN_CERT
:
640 case STROKE_EXPORT_CONN_CHAIN
:
643 return usage("\"export\" needs a name");
645 res
= export(token
->kw
, argv
[0]);
648 res
= leases(token
->kw
, argc ? argv
[0] : NULL
,
649 argc
> 1 ? argv
[1] : NULL
);
651 case STROKE_MEMUSAGE
:
654 case STROKE_USER_CREDS
:
657 return usage("\"user-creds\" needs a connection name, "
658 "username and optionally a password");
660 res
= user_credentials(argv
[0], argv
[1], argc
> 2 ? argv
[2] : NULL
);
662 case STROKE_COUNTERS
:
663 case STROKE_COUNTERS_RESET
:
664 res
= counters(token
->kw
== STROKE_COUNTERS_RESET
,
665 argc ? argv
[0] : NULL
);