From 1d86d1d65af61f123269f0c09bfd5039af7b63ab Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Tue, 8 Mar 2016 22:27:30 +0100 Subject: [PATCH 1/3] Implemented IPv4/IPv6 subnet and range identities The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and IPV6_ADDR_RANGE identities have been fully implemented and can be used as owners of shared secrets (PSKs). --- .../tests/suites/test_identification.c | 255 +++++++++--- src/libstrongswan/utils/identification.c | 387 ++++++++++++++++-- 2 files changed, 563 insertions(+), 79 deletions(-) diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c index b5afa00fe..c0a21fe34 100644 --- a/src/libstrongswan/tests/suites/test_identification.c +++ b/src/libstrongswan/tests/suites/test_identification.c @@ -1,7 +1,8 @@ /* * Copyright (C) 2013-2015 Tobias Brunner + * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -122,67 +123,122 @@ static struct { } data; } result; } string_data[] = { - {NULL, ID_ANY, { .type = ENC_CHUNK }}, - {"", ID_ANY, { .type = ENC_CHUNK }}, - {"%any", ID_ANY, { .type = ENC_CHUNK }}, - {"%any6", ID_ANY, { .type = ENC_CHUNK }}, - {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }}, - {"0::0", ID_ANY, { .type = ENC_CHUNK }}, - {"::", ID_ANY, { .type = ENC_CHUNK }}, - {"*", ID_ANY, { .type = ENC_CHUNK }}, - {"any", ID_FQDN, { .type = ENC_SIMPLE }}, - {"any6", ID_FQDN, { .type = ENC_SIMPLE }}, - {"0", ID_FQDN, { .type = ENC_SIMPLE }}, - {"**", ID_FQDN, { .type = ENC_SIMPLE }}, - {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK, + {NULL, ID_ANY, { .type = ENC_CHUNK }}, + {"", ID_ANY, { .type = ENC_CHUNK }}, + {"%any", ID_ANY, { .type = ENC_CHUNK }}, + {"%any6", ID_ANY, { .type = ENC_CHUNK }}, + {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }}, + {"0::0", ID_ANY, { .type = ENC_CHUNK }}, + {"::", ID_ANY, { .type = ENC_CHUNK }}, + {"*", ID_ANY, { .type = ENC_CHUNK }}, + {"any", ID_FQDN, { .type = ENC_SIMPLE }}, + {"any6", ID_FQDN, { .type = ENC_SIMPLE }}, + {"0", ID_FQDN, { .type = ENC_SIMPLE }}, + {"**", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, - {"192.168.", ID_FQDN, { .type = ENC_SIMPLE }}, - {".", ID_FQDN, { .type = ENC_SIMPLE }}, - {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK, + {"192.168.", ID_FQDN, { .type = ENC_SIMPLE }}, + {".", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1/33", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1/32", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff) }}, + {"192.168.1.1/31", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe) }}, + {"192.168.1.8/30", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc) }}, + {"192.168.1.128/25", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80) }}, + {"192.168.1.0/24", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00) }}, + {"192.168.1.0/23", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00) }}, + {"192.168.4.0/22", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00) }}, + {"0.0.0.0/0", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, + {"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28) }}, + {"0.0.0.0-255.255.255.255", ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff) }}, + {"192.168.1.40-192.168.1.0",ID_FQDN, { .type = ENC_SIMPLE }}, + {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }}, - {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }}, + {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, - {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {":", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice", ID_FQDN, { .type = ENC_SIMPLE }}, - {"@", ID_FQDN, { .type = ENC_CHUNK }}, - {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"@strongswan.org", ID_FQDN, { .type = ENC_STRING, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, + {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {":", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"fec0::1/129", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"fec0::1/128", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }}, + {"fec0::1/127", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }}, + {"fec0::4/126", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }}, + {"fec0::100/120", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }}, + {"::/0", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }}, + {"fec0::1-fec0::4fff", ID_IPV6_ADDR_RANGE, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, + 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }}, + {"fec0::4fff-fec0::1", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"fec0::1-", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice", ID_FQDN, { .type = ENC_SIMPLE }}, + {"@", ID_FQDN, { .type = ENC_CHUNK }}, + {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"@strongswan.org", ID_FQDN, { .type = ENC_STRING, .data.s = "strongswan.org" }}, - {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK, + {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }}, - {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK, + {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }}, - {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06, 0x03,0x55,0x04,0x06,0x13,0x00) }}, - {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, - {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, - {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, - {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, + {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, - { "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING, + { "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING, .data.s = "tester" }}, - { "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, + { "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, - { "{0x02}:tester", ID_FQDN, { .type = ENC_STRING, + { "{0x02}:tester", ID_FQDN, { .type = ENC_STRING, .data.s = "tester" }}, - { "{99}:somedata", 99, { .type = ENC_STRING, + { "{99}:somedata", 99, { .type = ENC_STRING, .data.s = "somedata" }}, }; @@ -264,14 +320,33 @@ START_TEST(test_printf_hook) string_equals("192.168.1.1", "192.168.1.1"); string_equals_id("(invalid ID_IPV4_ADDR)", - identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty)); + identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty)); + string_equals("192.168.1.1/32", "192.168.1.1/32"); + string_equals("192.168.1.2/31", "192.168.1.2/31"); + string_equals("192.168.1.0/24", "192.168.1.0/24"); + string_equals("192.168.2.0/23", "192.168.2.0/23"); + string_equals("0.0.0.0/0", "0.0.0.0/0"); + string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)", + identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty)); + string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254"); + string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255"); + string_equals_id("(invalid ID_IPV4_ADDR_RANGE)", + identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty)); string_equals("fec0::1", "fec0::1"); string_equals("fec0::1", "fec0:0:0::1"); string_equals_id("(invalid ID_IPV6_ADDR)", - identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty)); - + identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty)); + string_equals("fec0::1/128", "fec0::1/128"); + string_equals("fec0::2/127", "fec0::2/127"); + string_equals("fec0::100/120", "fec0::100/120"); + string_equals("::/0", "::/0"); + string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)", + identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty)); + string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff"); + string_equals_id("(invalid ID_IPV6_ADDR_RANGE)", + identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty)); string_equals_id("(unknown ID type: 255)", - identification_create_from_encoding(255, chunk_empty)); + identification_create_from_encoding(255, chunk_empty)); string_equals("moon@strongswan.org", "moon@strongswan.org"); string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG"); @@ -595,6 +670,89 @@ START_TEST(test_matches_binary) } END_TEST +START_TEST(test_matches_range) +{ + identification_t *a, *b; + + /* IPv4 addresses */ + a = identification_create_from_string("192.168.1.1"); + ck_assert(a->get_type(a) == ID_IPV4_ADDR); + ck_assert(id_matches(a, "%any", ID_MATCH_ANY)); + ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS)); + ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE)); + + /* Malformed IPv4 subnet and range encoding */ + b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, + chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00)); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + + a->destroy(a); + + /* IPv6 addresses */ + a = identification_create_from_string("fec0::1"); + ck_assert(a->get_type(a) == ID_IPV6_ADDR); + ck_assert(id_matches(a, "%any", ID_MATCH_ANY)); + ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS)); + ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE)); + ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE)); + ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE)); + ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE)); + ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE)); + + /* Malformed IPv6 subnet and range encoding */ + b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, + chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff, + 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 )); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + + a->destroy(a); + + /* Malformed IPv4 address encoding */ + a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty); + ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE)); + a->destroy(a); + + /* Malformed IPv6 address encoding */ + a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty); + ck_assert(id_matches(a, "::/0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE)); + a->destroy(a); +} +END_TEST + START_TEST(test_matches_string) { identification_t *a; @@ -929,6 +1087,7 @@ Suite *identification_suite_create() tcase_add_test(tc, test_matches); tcase_add_test(tc, test_matches_any); tcase_add_test(tc, test_matches_binary); + tcase_add_test(tc, test_matches_range); tcase_add_test(tc, test_matches_string); tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1); tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 1b0d05517..98424586f 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -1,8 +1,9 @@ /* + * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -823,6 +824,154 @@ METHOD(identification_t, matches_dn, id_match_t, return ID_MATCH_NONE; } +/** + * Transform netmask to CIDR bits + */ +static int netmask_to_cidr(char *netmask, size_t address_size) +{ + uint8_t byte; + int i, netbits = 0; + + for (i = 0; i < address_size; i++) + { + byte = netmask[i]; + + if (byte == 0x00) + { + break; + } + if (byte == 0xff) + { + netbits += 8; + } + else + { + while (byte & 0x80) + { + netbits++; + byte <<= 1; + } + } + } + return netbits; +} + +METHOD(identification_t, matches_range, id_match_t, + private_identification_t *this, identification_t *other) +{ + chunk_t other_encoding; + uint8_t *address, *from, *to, *network, *netmask; + size_t address_size = 0; + int netbits, range_sign, i; + + if (other->get_type(other) == ID_ANY) + { + return ID_MATCH_ANY; + } + if (this->type == other->get_type(other) && + chunk_equals(this->encoded, other->get_encoding(other))) + { + return ID_MATCH_PERFECT; + } + if ((this->type == ID_IPV4_ADDR && + other->get_type(other) == ID_IPV4_ADDR_SUBNET)) + { + address_size = sizeof(struct in_addr); + } + else if ((this->type == ID_IPV6_ADDR && + other->get_type(other) == ID_IPV6_ADDR_SUBNET)) + { + address_size = sizeof(struct in6_addr); + } + if (address_size) + { + other_encoding = other->get_encoding(other); + if (this->encoded.len != address_size || + other_encoding.len != 2 * address_size) + { + return ID_MATCH_NONE; + } + address = this->encoded.ptr; + network = other_encoding.ptr; + netmask = other_encoding.ptr + address_size; + netbits = netmask_to_cidr(netmask, address_size); + + if (netbits == 0) + { + return ID_MATCH_MAX_WILDCARDS; + } + if (netbits == 8 * address_size) + { + return memeq(address, network, address_size) ? + ID_MATCH_PERFECT : ID_MATCH_NONE; + } + for (i = 0; i < (netbits + 7)/8; i++) + { + if ((address[i] ^ network[i]) & netmask[i]) + { + return ID_MATCH_NONE; + } + } + return ID_MATCH_ONE_WILDCARD; + } + if ((this->type == ID_IPV4_ADDR && + other->get_type(other) == ID_IPV4_ADDR_RANGE)) + { + address_size = sizeof(struct in_addr); + } + else if ((this->type == ID_IPV6_ADDR && + other->get_type(other) == ID_IPV6_ADDR_RANGE)) + { + address_size = sizeof(struct in6_addr); + } + if (address_size) + { + other_encoding = other->get_encoding(other); + if (this->encoded.len != address_size || + other_encoding.len != 2 * address_size) + { + return ID_MATCH_NONE; + } + address = this->encoded.ptr; + from = other_encoding.ptr; + to = other_encoding.ptr + address_size; + + range_sign = memcmp(to, from, address_size); + if (range_sign < 0) + { /* to is smaller than from */ + return ID_MATCH_NONE; + } + + /* check lower bound */ + for (i = 0; i < address_size; i++) + { + if (address[i] != from[i]) + { + if (address[i] < from[i]) + { + return ID_MATCH_NONE; + } + break; + } + } + + /* check upper bound */ + for (i = 0; i < address_size; i++) + { + if (address[i] != to[i]) + { + if (address[i] > to[i]) + { + return ID_MATCH_NONE; + } + break; + } + } + return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT; + } + return ID_MATCH_NONE; +} + /** * Described in header. */ @@ -831,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data, { private_identification_t *this = *((private_identification_t**)(args[0])); chunk_t proper; - char buf[512]; + char buf[BUF_LEN]; + char *pos; + size_t written, len, address_size; if (this == NULL) { @@ -841,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data, switch (this->type) { case ID_ANY: - snprintf(buf, sizeof(buf), "%%any"); + snprintf(buf, BUF_LEN, "%%any"); break; case ID_IPV4_ADDR: if (this->encoded.len < sizeof(struct in_addr) || - inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL) + inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL) { - snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)"); + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)"); + } + break; + case ID_IPV4_ADDR_SUBNET: + address_size = sizeof(struct in_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)"); + break; + } + written = strlen(buf); + snprintf(buf + written, BUF_LEN - written, "/%d", + netmask_to_cidr(this->encoded.ptr + address_size, + address_size)); + break; + case ID_IPV4_ADDR_RANGE: + address_size = sizeof(struct in_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)"); + break; + } + written = strlen(buf); + pos = buf + written; + len = BUF_LEN - written; + written = snprintf(pos, len, "-"); + if (written < 0 || written >= len || + inet_ntop(AF_INET, this->encoded.ptr + address_size, + pos + written, len - written) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)"); } break; case ID_IPV6_ADDR: if (this->encoded.len < sizeof(struct in6_addr) || - inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL) + inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL) { - snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)"); + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)"); + } + break; + case ID_IPV6_ADDR_SUBNET: + address_size = sizeof(struct in6_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)"); + } + else + { + written = strlen(buf); + snprintf(buf + written, BUF_LEN - written, "/%d", + netmask_to_cidr(this->encoded.ptr + address_size, + address_size)); + } + break; + case ID_IPV6_ADDR_RANGE: + address_size = sizeof(struct in6_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)"); + break; + } + written = strlen(buf); + pos = buf + written; + len = BUF_LEN - written; + written = snprintf(pos, len, "-"); + if (written < 0 || written >= len || + inet_ntop(AF_INET6, this->encoded.ptr + address_size, + pos + written, len - written) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)"); } break; case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: chunk_printable(this->encoded, &proper, '?'); - snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr); + snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr); chunk_free(&proper); break; case ID_DER_ASN1_DN: - dntoa(this->encoded, buf, sizeof(buf)); + dntoa(this->encoded, buf, BUF_LEN); break; case ID_DER_ASN1_GN: - snprintf(buf, sizeof(buf), "(ASN.1 general name)"); + snprintf(buf, BUF_LEN, "(ASN.1 general name)"); break; case ID_KEY_ID: if (chunk_printable(this->encoded, NULL, '?') && this->encoded.len != HASH_SIZE_SHA1) { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len, + snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len, this->encoded.ptr); } else { /* not printable, hex dump */ - snprintf(buf, sizeof(buf), "%#B", &this->encoded); + snprintf(buf, BUF_LEN, "%#B", &this->encoded); } break; default: - snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type); + snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type); break; } if (spec->minus) @@ -952,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type) this->public.matches = _matches_dn; this->public.contains_wildcards = _contains_wildcards_dn; break; + case ID_IPV4_ADDR: + case ID_IPV6_ADDR: + this->public.hash = _hash_binary; + this->public.equals = _equals_binary; + this->public.matches = _matches_range; + this->public.contains_wildcards = return_false; + break; default: this->public.hash = _hash_binary; this->public.equals = _equals_binary; @@ -973,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str) } prefixes[] = { { "ipv4:", ID_IPV4_ADDR }, { "ipv6:", ID_IPV6_ADDR }, + { "ipv4net:", ID_IPV4_ADDR_SUBNET }, + { "ipv6net:", ID_IPV6_ADDR_SUBNET }, + { "ipv4range:", ID_IPV4_ADDR_RANGE }, + { "ipv6range:", ID_IPV6_ADDR_RANGE }, { "rfc822:", ID_RFC822_ADDR }, { "email:", ID_RFC822_ADDR }, { "userfqdn:", ID_USER_FQDN }, @@ -1038,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str) return this; } +/** + * Convert to an IPv4/IPv6 host address, subnet or address range + */ +static private_identification_t* create_ip_address_from_string(char *string, + bool is_ipv4) +{ + private_identification_t *this; + uint8_t encoding[32]; + uint8_t *str, *pos, *address, *to_address, *netmask; + size_t address_size; + int bits, bytes, i; + bool has_subnet = FALSE, has_range = FALSE; + + address = encoding; + address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr); + + str = strdup(string); + pos = strchr(str, '/'); + if (pos) + { /* separate IP address from optional netmask */ + + *pos = '\0'; + has_subnet = TRUE; + } + else + { + pos = strchr(str, '-'); + if (pos) + { /* separate lower address from upper address of IP range */ + *pos = '\0'; + has_range = TRUE; + } + } + + if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1) + { + free(str); + return NULL; + } + + if (has_subnet) + { /* is IP subnet */ + bits = atoi(pos + 1); + if (bits > 8 * address_size) + { + free(str); + return NULL; + } + bytes = bits / 8; + bits -= 8 * bytes; + netmask = encoding + address_size; + + for (i = 0; i < address_size; i++) + { + if (bytes) + { + *netmask = 0xff; + bytes--; + } + else if (bits) + { + *netmask = 0xff << (8 - bits); + bits = 0; + } + else + { + *netmask = 0x00; + } + *address++ &= *netmask++; + } + this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET : + ID_IPV6_ADDR_SUBNET); + this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size)); + } + else if (has_range) + { /* is IP range */ + to_address = encoding + address_size; + + if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1) + { + free(str); + return NULL; + } + for (i = 0; i < address_size; i++) + { + if (address[i] != to_address[i]) + { + if (address[i] > to_address[i]) + { + free(str); + return NULL; + } + break; + } + } + this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE : + ID_IPV6_ADDR_RANGE); + this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size)); + } + else + { /* is IP host address */ + this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR); + this->encoded = chunk_clone(chunk_create(encoding, address_size)); + } + free(str); + + return this; +} + /* * Described in header. */ @@ -1095,15 +1432,9 @@ identification_t *identification_create_from_string(char *string) { if (strchr(string, ':') == NULL) { - struct in_addr address; - chunk_t chunk = {(void*)&address, sizeof(address)}; - - if (inet_pton(AF_INET, string, &address) > 0) - { /* is IPv4 */ - this = identification_create(ID_IPV4_ADDR); - this->encoded = chunk_clone(chunk); - } - else + /* IPv4 address or subnet */ + this = create_ip_address_from_string(string, TRUE); + if (!this) { /* not IPv4, mostly FQDN */ this = identification_create(ID_FQDN); this->encoded = chunk_from_str(strdup(string)); @@ -1112,15 +1443,9 @@ identification_t *identification_create_from_string(char *string) } else { - struct in6_addr address; - chunk_t chunk = {(void*)&address, sizeof(address)}; - - if (inet_pton(AF_INET6, string, &address) > 0) - { /* is IPv6 */ - this = identification_create(ID_IPV6_ADDR); - this->encoded = chunk_clone(chunk); - } - else + /* IPv6 address or subnet */ + this = create_ip_address_from_string(string, FALSE); + if (!this) { /* not IPv4/6 fallback to KEY_ID */ this = identification_create(ID_KEY_ID); this->encoded = chunk_from_str(strdup(string)); From 90ef7e8af61ca85a3c02cae086f1f110e3088fbb Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Thu, 10 Mar 2016 08:02:44 +0100 Subject: [PATCH 2/3] Updated swanctl/rw-psk-ikev1 scenario --- .../swanctl/rw-psk-ikev1/description.txt | 17 +++++++++----- .../tests/swanctl/rw-psk-ikev1/evaltest.dat | 10 +++++---- .../hosts/carol/etc/swanctl/swanctl.conf | 7 ++---- .../hosts/dave/etc/swanctl/swanctl.conf | 8 +++---- .../hosts/moon/etc/swanctl/swanctl.conf | 22 ++++++++++++------- 5 files changed, 36 insertions(+), 28 deletions(-) diff --git a/testing/tests/swanctl/rw-psk-ikev1/description.txt b/testing/tests/swanctl/rw-psk-ikev1/description.txt index 438a2f338..73aac6fe6 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/description.txt +++ b/testing/tests/swanctl/rw-psk-ikev1/description.txt @@ -1,10 +1,15 @@ The roadwarriors carol and dave set up a connection each -to gateway moon. The authentication is based on two pre-shared keys -bound to the two distinct gateway identities moon1.strongswan.org and -moon2.strongswan.org. On the gateway these two identities are bound to -two disjoint sets of client IP address ranges which allows IKEv1 Main Mode -to select the correct connection definition and via the gateway identity the -correct PSK. +to gateway moon. The IKEv1 main mode authentication is based on +pre-shared keys and IPv4 address identities. +On the gateway two connections with differing parameters are defined: +One for peers from the 192.168.0.96/28 subnet and one for peers from +the range 192.168.0.150-192.168.0.200. +

+On the gateway for different shared keys are defined for the following +hierarchcal peer address ranges: 0.0.0.0/0 0::0/0, +192.168.0.96/28, 192.168.0.150-192.168.0.200 and +192.168.0.200. Client carol uses the first and client dave +the fourth PSK.

Upon the successful establishment of the IPsec tunnels, carol pings the client alice and dave the client venus lying in two different diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat index 0fcf54241..96d74c877 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat @@ -1,11 +1,13 @@ +dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES +moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon1.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon2.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon1.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon2.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32] moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf index cedb76619..dcfcd0b4e 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -6,11 +6,9 @@ connections { local { auth = psk - id = carol@strongswan.org } remote { auth = psk - id = moon1.strongswan.org } children { home { @@ -27,10 +25,9 @@ connections { secrets { - ike-moon1 { - id = moon1.strongswan.org + ike-moon { + id = 192.168.0.1 # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx secret = 0x16964066a10de938bdb2ab7864fe4459cab1 } } - diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf index 6ea10576f..8cd79ea20 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -6,15 +6,13 @@ connections { local { auth = psk - id = dave@strongswan.org } remote { auth = psk - id = moon2.strongswan.org } children { home { - remote_ts = 10.1.0.16/28 + remote_ts = 10.1.0.17-10.1.0.20 updown = /usr/local/libexec/ipsec/_updown iptables esp_proposals = aes192gcm128-modp3072 @@ -27,8 +25,8 @@ connections { secrets { - ike-moon2 { - id = moon2.strongswan.org + ike-moon { + id = 192.168.0.1 secret = 0sjVzONCF02ncsgiSlmIXeqhGN } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf index 30870be31..be1bf8afe 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -6,7 +6,6 @@ connections { local { auth = psk - id = moon1.strongswan.org } remote { auth = psk @@ -25,18 +24,17 @@ connections { rw-2 { local_addrs = 192.168.0.1 - remote_addrs = 192.168.0.192/28 + remote_addrs = 192.168.0.150-192.168.0.200 local { auth = psk - id = moon2.strongswan.org } remote { auth = psk } children { net-2 { - local_ts = 10.1.0.16/28 + local_ts = 10.1.0.17-10.1.0.20 updown = /usr/local/libexec/ipsec/_updown iptables esp_proposals = aes192gcm128-modp3072 @@ -50,12 +48,20 @@ connections { secrets { - ike-moon1 { - id = moon1.strongswan.org + ike-any { + id = 0.0.0.0/0 0::0/0 + secret = 0soBAJZLI7Bwwi61Rl113FqD/3 + } + ike-rw-1 { + id = 192.168.0.96/28 secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx } - ike-moon2 { - id = moon2.strongswan.org + ike-rw-2 { + id = 192.168.0.150-192.168.0.200 + secret = 0s8qPdxyhDeGfk1l211cS8urXc + } + ike-dave { + id = 192.168.0.200 secret = 0sjVzONCF02ncsgiSlmIXeqhGN } } From 3f1de98678c4d0fc880a425248f907bc2366434f Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Thu, 10 Mar 2016 12:00:56 +0100 Subject: [PATCH 3/3] Support of IP address ranges in traffic selectors --- src/libcharon/plugins/updown/updown_listener.c | 16 ++++++++++------ src/libcharon/plugins/vici/vici_config.c | 18 +++++++++++++++++- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index e472a178e..e51caab10 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -311,11 +311,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, ike_sa->get_unique_id(ike_sa)); push_env(envp, countof(envp), "PLUTO_ME=%H", me); push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa)); - if (my_ts->to_subnet(my_ts, &host, &mask)) + if (!my_ts->to_subnet(my_ts, &host, &mask)) { - push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask); - host->destroy(host); + DBG1(DBG_CHD, "updown approximates local TS %R " + "by next larger subnet", my_ts); } + push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask); + host->destroy(host); push_env(envp, countof(envp), "PLUTO_MY_PORT=%s", get_port(my_ts, other_ts, port_buf, TRUE)); push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u", @@ -323,11 +325,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, push_env(envp, countof(envp), "PLUTO_PEER=%H", other); push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y", ike_sa->get_other_id(ike_sa)); - if (other_ts->to_subnet(other_ts, &host, &mask)) + if (!other_ts->to_subnet(other_ts, &host, &mask)) { - push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask); - host->destroy(host); + DBG1(DBG_CHD, "updown approximates remote TS %R " + "by next larger subnet", other_ts); } + push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask); + host->destroy(host); push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s", get_port(my_ts, other_ts, port_buf, FALSE)); push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u", diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 27268a512..6da663b83 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -3,7 +3,7 @@ * Copyright (C) 2014 revosec AG * * Copyright (C) 2015-2016 Tobias Brunner - * Copyright (C) 2015 Andreas Steffen + * Copyright (C) 2015-2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -646,6 +646,22 @@ CALLBACK(parse_ts, bool, { ts = traffic_selector_create_dynamic(proto, from, to); } + else if (strchr(buf, '-')) + { + host_t *lower, *upper; + ts_type_t type; + + if (host_create_from_range(buf, &lower, &upper)) + { + type = (lower->get_family(lower) == AF_INET) ? + TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE; + ts = traffic_selector_create_from_bytes(proto, type, + lower->get_address(lower), from, + upper->get_address(upper), to); + lower->destroy(lower); + upper->destroy(upper); + } + } else { ts = traffic_selector_create_from_cidr(buf, proto, from, to);