2006-04-28 07:17:32 +00:00
|
|
|
/* Stroke for charon is the counterpart to whack from pluto
|
2007-10-03 15:10:41 +00:00
|
|
|
* Copyright (C) 2007 Tobias Brunner
|
|
|
|
|
* Copyright (C) 2006 Martin Willi
|
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
2006-04-28 07:17:32 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
|
* for more details.
|
|
|
|
|
*
|
2007-10-08 19:57:54 +00:00
|
|
|
* RCSID $Id$
|
2006-04-28 07:17:32 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <sys/un.h>
|
2006-12-14 15:58:32 +00:00
|
|
|
#include <stddef.h>
|
2006-04-28 07:17:32 +00:00
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
|
|
|
|
|
|
#include <freeswan.h>
|
|
|
|
|
|
2006-05-16 14:24:03 +00:00
|
|
|
#include <constants.h>
|
|
|
|
|
#include <defs.h>
|
|
|
|
|
#include <log.h>
|
2006-04-28 07:17:32 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
#include <stroke_msg.h>
|
2006-04-28 07:17:32 +00:00
|
|
|
|
|
|
|
|
#include "starterstroke.h"
|
|
|
|
|
#include "confread.h"
|
|
|
|
|
#include "files.h"
|
|
|
|
|
|
2006-09-18 07:46:16 +00:00
|
|
|
/**
|
2007-02-12 15:56:47 +00:00
|
|
|
* Authentication mehtods, must be the same values as in charon
|
2006-09-18 07:46:16 +00:00
|
|
|
*/
|
|
|
|
|
enum auth_method_t {
|
2007-02-12 15:56:47 +00:00
|
|
|
AUTH_RSA = 1,
|
|
|
|
|
AUTH_PSK = 2,
|
|
|
|
|
AUTH_DSS = 3,
|
|
|
|
|
AUTH_EAP = 201,
|
2006-09-18 07:46:16 +00:00
|
|
|
};
|
|
|
|
|
|
2006-05-29 07:14:57 +00:00
|
|
|
static char* push_string(stroke_msg_t *msg, char *string)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-10-31 23:17:21 +00:00
|
|
|
unsigned long string_start = msg->length;
|
2006-05-29 07:14:57 +00:00
|
|
|
|
|
|
|
|
if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
msg->length += strlen(string) + 1;
|
|
|
|
|
strcpy((char*)msg + string_start, string);
|
|
|
|
|
return (char*)string_start;
|
|
|
|
|
}
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
|
|
|
|
|
2006-05-29 07:14:57 +00:00
|
|
|
static int send_stroke_msg (stroke_msg_t *msg)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-05-29 07:14:57 +00:00
|
|
|
struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
|
|
|
|
|
int byte_count;
|
|
|
|
|
char buffer[64];
|
2006-10-24 08:44:47 +00:00
|
|
|
|
|
|
|
|
/* starter is not called from commandline, and therefore absolutely silent */
|
|
|
|
|
msg->output_verbosity = -1;
|
2006-05-29 07:14:57 +00:00
|
|
|
|
|
|
|
|
int sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
|
|
|
|
|
|
|
|
|
if (sock < 0)
|
|
|
|
|
{
|
|
|
|
|
plog("socket() failed: %s", strerror(errno));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
|
|
|
|
|
{
|
|
|
|
|
plog("connect(charon_ctl) failed: %s", strerror(errno));
|
|
|
|
|
close(sock);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* send message */
|
|
|
|
|
if (write(sock, msg, msg->length) != msg->length)
|
|
|
|
|
{
|
|
|
|
|
plog("write(charon_ctl) failed: %s", strerror(errno));
|
|
|
|
|
close(sock);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
|
|
|
|
|
{
|
|
|
|
|
buffer[byte_count] = '\0';
|
|
|
|
|
plog("%s", buffer);
|
|
|
|
|
}
|
|
|
|
|
if (byte_count < 0)
|
|
|
|
|
{
|
|
|
|
|
plog("read() failed: %s", strerror(errno));
|
|
|
|
|
}
|
2006-05-18 06:02:28 +00:00
|
|
|
|
2006-04-28 07:17:32 +00:00
|
|
|
close(sock);
|
2006-05-29 07:14:57 +00:00
|
|
|
return 0;
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
|
|
|
|
|
2006-05-29 07:14:57 +00:00
|
|
|
static char* connection_name(starter_conn_t *conn)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-05-29 07:14:57 +00:00
|
|
|
/* if connection name is '%auto', create a new name like conn_xxxxx */
|
|
|
|
|
static char buf[32];
|
|
|
|
|
|
|
|
|
|
if (streq(conn->name, "%auto"))
|
|
|
|
|
{
|
|
|
|
|
sprintf(buf, "conn_%ld", conn->id);
|
|
|
|
|
return buf;
|
|
|
|
|
}
|
|
|
|
|
return conn->name;
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
|
|
|
|
|
2006-08-30 17:12:56 +00:00
|
|
|
static void ip_address2string(ip_address *addr, char *buffer, size_t len)
|
|
|
|
|
{
|
|
|
|
|
switch (((struct sockaddr*)addr)->sa_family)
|
|
|
|
|
{
|
|
|
|
|
case AF_INET:
|
|
|
|
|
{
|
|
|
|
|
struct sockaddr_in* sin = (struct sockaddr_in*)addr;
|
|
|
|
|
if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
|
|
|
|
|
{
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
case AF_INET6:
|
|
|
|
|
{
|
|
|
|
|
struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
|
|
|
|
|
if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
|
|
|
|
|
{
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
/* failed */
|
|
|
|
|
snprintf(buffer, len, "0.0.0.0");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2006-06-09 05:50:41 +00:00
|
|
|
static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
|
|
|
|
|
{
|
2006-08-30 17:12:56 +00:00
|
|
|
char buffer[INET6_ADDRSTRLEN];
|
|
|
|
|
|
2006-06-09 05:50:41 +00:00
|
|
|
msg_end->id = push_string(msg, conn_end->id);
|
|
|
|
|
msg_end->cert = push_string(msg, conn_end->cert);
|
2006-06-12 08:43:46 +00:00
|
|
|
msg_end->ca = push_string(msg, conn_end->ca);
|
2007-05-20 15:38:36 +00:00
|
|
|
msg_end->groups = push_string(msg, conn_end->groups);
|
2006-07-03 06:21:14 +00:00
|
|
|
msg_end->updown = push_string(msg, conn_end->updown);
|
2006-08-30 17:12:56 +00:00
|
|
|
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
|
|
|
|
|
msg_end->address = push_string(msg, buffer);
|
|
|
|
|
ip_address2string(&conn_end->subnet.addr, buffer, sizeof(buffer));
|
|
|
|
|
msg_end->subnet = push_string(msg, buffer);
|
2006-06-09 05:50:41 +00:00
|
|
|
msg_end->subnet_mask = conn_end->subnet.maskbits;
|
|
|
|
|
msg_end->sendcert = conn_end->sendcert;
|
2006-09-25 05:46:56 +00:00
|
|
|
msg_end->hostaccess = conn_end->hostaccess;
|
2007-03-01 11:42:08 +00:00
|
|
|
msg_end->tohost = !conn_end->has_client;
|
2006-07-05 13:13:07 +00:00
|
|
|
msg_end->protocol = conn_end->protocol;
|
|
|
|
|
msg_end->port = conn_end->port;
|
2008-04-09 12:54:47 +00:00
|
|
|
if (conn_end->srcip)
|
|
|
|
|
{
|
|
|
|
|
if (conn_end->srcip[0] == '%')
|
|
|
|
|
{ /* %poolname, strip % */
|
|
|
|
|
msg_end->sourceip_size = 0;
|
|
|
|
|
msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
char *pos = strchr(conn_end->srcip, '/');
|
|
|
|
|
if (pos)
|
|
|
|
|
{ /* CIDR subnet definition */
|
|
|
|
|
snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
|
|
|
|
|
msg_end->sourceip = push_string(msg, buffer);
|
|
|
|
|
msg_end->sourceip_size = atoi(pos + 1);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{ /* a sigle address */
|
|
|
|
|
msg_end->sourceip = push_string(msg, conn_end->srcip);
|
|
|
|
|
if (strchr(conn_end->srcip, ':'))
|
|
|
|
|
{ /* IPv6 */
|
|
|
|
|
msg_end->sourceip_size = 128;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{ /* IPv4 */
|
|
|
|
|
msg_end->sourceip_size = 32;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else if (conn_end->modecfg)
|
|
|
|
|
{
|
|
|
|
|
msg_end->sourceip_size = 1;
|
|
|
|
|
}
|
2006-06-09 05:50:41 +00:00
|
|
|
}
|
|
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-05-29 07:14:57 +00:00
|
|
|
stroke_msg_t msg;
|
|
|
|
|
|
2008-04-09 12:54:47 +00:00
|
|
|
memset(&msg, 0, sizeof(msg));
|
2006-05-29 07:14:57 +00:00
|
|
|
msg.type = STR_ADD_CONN;
|
|
|
|
|
msg.length = offsetof(stroke_msg_t, buffer);
|
|
|
|
|
msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
|
|
|
|
|
msg.add_conn.name = push_string(&msg, connection_name(conn));
|
2007-02-12 15:56:47 +00:00
|
|
|
|
|
|
|
|
/* RSA is preferred before PSK and EAP */
|
|
|
|
|
if (conn->policy & POLICY_RSASIG)
|
|
|
|
|
{
|
|
|
|
|
msg.add_conn.auth_method = AUTH_RSA;
|
|
|
|
|
}
|
|
|
|
|
else if (conn->policy & POLICY_PSK)
|
|
|
|
|
{
|
|
|
|
|
msg.add_conn.auth_method = AUTH_PSK;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
msg.add_conn.auth_method = AUTH_EAP;
|
|
|
|
|
}
|
2007-12-13 17:31:21 +00:00
|
|
|
msg.add_conn.eap_type = conn->eap_type;
|
|
|
|
|
msg.add_conn.eap_vendor = conn->eap_vendor;
|
2007-02-12 15:56:47 +00:00
|
|
|
|
2007-01-03 13:16:21 +00:00
|
|
|
if (conn->policy & POLICY_TUNNEL)
|
|
|
|
|
{
|
|
|
|
|
msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
|
|
|
|
|
}
|
|
|
|
|
else if (conn->policy & POLICY_BEET)
|
|
|
|
|
{
|
|
|
|
|
msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
|
|
|
|
|
}
|
2006-09-18 07:46:16 +00:00
|
|
|
|
2008-04-09 12:54:47 +00:00
|
|
|
if (!(conn->policy & POLICY_DONT_REKEY))
|
2006-06-15 11:02:15 +00:00
|
|
|
{
|
2006-12-21 20:05:08 +00:00
|
|
|
msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
|
2006-06-15 11:02:15 +00:00
|
|
|
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
|
|
|
|
|
msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
|
|
|
|
|
msg.add_conn.rekey.margin = conn->sa_rekey_margin;
|
|
|
|
|
msg.add_conn.rekey.tries = conn->sa_keying_tries;
|
|
|
|
|
msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
|
|
|
|
|
}
|
2007-08-29 12:11:25 +00:00
|
|
|
msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
|
2007-10-01 16:41:34 +00:00
|
|
|
msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
|
2008-03-13 14:14:44 +00:00
|
|
|
msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
|
2008-04-14 13:23:24 +00:00
|
|
|
msg.add_conn.unique = cfg->setup.uniqueids;
|
2006-06-15 11:02:15 +00:00
|
|
|
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
|
|
|
|
|
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
|
2006-09-05 14:07:25 +00:00
|
|
|
msg.add_conn.dpd.delay = conn->dpd_delay;
|
2006-09-08 06:12:02 +00:00
|
|
|
msg.add_conn.dpd.action = conn->dpd_action;
|
2008-03-26 18:40:19 +00:00
|
|
|
msg.add_conn.ikeme.mediation = conn->me_mediation;
|
|
|
|
|
msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
|
|
|
|
|
msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
|
2006-05-29 07:14:57 +00:00
|
|
|
|
2007-02-15 12:13:18 +00:00
|
|
|
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
|
|
|
|
|
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
|
2006-05-29 07:14:57 +00:00
|
|
|
|
|
|
|
|
return send_stroke_msg(&msg);
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
|
|
|
|
|
2006-05-29 07:14:57 +00:00
|
|
|
int starter_stroke_del_conn(starter_conn_t *conn)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-05-29 11:09:45 +00:00
|
|
|
stroke_msg_t msg;
|
|
|
|
|
|
|
|
|
|
msg.type = STR_DEL_CONN;
|
|
|
|
|
msg.length = offsetof(stroke_msg_t, buffer);
|
2006-07-21 13:31:53 +00:00
|
|
|
msg.del_conn.name = push_string(&msg, connection_name(conn));
|
2006-05-29 11:09:45 +00:00
|
|
|
return send_stroke_msg(&msg);
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
2006-05-18 06:02:28 +00:00
|
|
|
|
2006-05-29 07:14:57 +00:00
|
|
|
int starter_stroke_route_conn(starter_conn_t *conn)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-05-29 07:14:57 +00:00
|
|
|
stroke_msg_t msg;
|
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
msg.type = STR_ROUTE;
|
2006-05-29 07:14:57 +00:00
|
|
|
msg.length = offsetof(stroke_msg_t, buffer);
|
2006-07-21 13:31:53 +00:00
|
|
|
msg.route.name = push_string(&msg, connection_name(conn));
|
2006-05-29 07:14:57 +00:00
|
|
|
return send_stroke_msg(&msg);
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
|
|
|
|
|
2006-05-29 07:14:57 +00:00
|
|
|
int starter_stroke_initiate_conn(starter_conn_t *conn)
|
2006-04-28 07:17:32 +00:00
|
|
|
{
|
2006-05-29 07:14:57 +00:00
|
|
|
stroke_msg_t msg;
|
|
|
|
|
|
|
|
|
|
msg.type = STR_INITIATE;
|
|
|
|
|
msg.length = offsetof(stroke_msg_t, buffer);
|
|
|
|
|
msg.initiate.name = push_string(&msg, connection_name(conn));
|
|
|
|
|
return send_stroke_msg(&msg);
|
2006-04-28 07:17:32 +00:00
|
|
|
}
|
2007-02-14 01:02:09 +00:00
|
|
|
|
|
|
|
|
int starter_stroke_add_ca(starter_ca_t *ca)
|
|
|
|
|
{
|
|
|
|
|
stroke_msg_t msg;
|
|
|
|
|
|
|
|
|
|
msg.type = STR_ADD_CA;
|
|
|
|
|
msg.length = offsetof(stroke_msg_t, buffer);
|
2007-02-23 15:13:21 +00:00
|
|
|
msg.add_ca.name = push_string(&msg, ca->name);
|
|
|
|
|
msg.add_ca.cacert = push_string(&msg, ca->cacert);
|
|
|
|
|
msg.add_ca.crluri = push_string(&msg, ca->crluri);
|
|
|
|
|
msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
|
|
|
|
|
msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
|
|
|
|
|
msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
|
2007-02-14 01:02:09 +00:00
|
|
|
return send_stroke_msg(&msg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int starter_stroke_del_ca(starter_ca_t *ca)
|
|
|
|
|
{
|
|
|
|
|
stroke_msg_t msg;
|
|
|
|
|
|
|
|
|
|
msg.type = STR_DEL_CA;
|
|
|
|
|
msg.length = offsetof(stroke_msg_t, buffer);
|
|
|
|
|
msg.del_ca.name = push_string(&msg, ca->name);
|
|
|
|
|
return send_stroke_msg(&msg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
