added mediation server web frontend

updated charons medsrv plugin to updated database scheme
2008-06-11 14:13:24 +00:00 · 2008-06-11 14:13:24 +00:00 · 9529fb6836
parent 697678979e
commit 9529fb6836
29 changed files with 1991 additions and 18 deletions
--- a/configure.in
+++ b/configure.in
@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================

-AC_INIT(strongSwan,4.2.4)
+AC_INIT(strongSwan,4.2.4rc6)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
@ -315,7 +315,7 @@ AC_ARG_ENABLE(

 AC_ARG_ENABLE(
 	[medsrv],
-	AS_HELP_STRING([--enable-medsrv],[enable mediation server configuration database plugin (default is NO).]),
+	AS_HELP_STRING([--enable-medsrv],[enable mediation server web frontend and daemon plugin (default is NO).]),
 	[if test x$enableval = xyes; then
 		medsrv=true
 	fi]
@ -589,6 +589,7 @@ fi

 if test x$medsrv = xtrue; then
 	me=true
+	fast=true
 fi

 if test x$medcli = xtrue; then
@ -865,5 +866,6 @@ AC_OUTPUT(
 	src/dumm/Makefile
 	src/libfast/Makefile
 	src/manager/Makefile
+	src/medsrv/Makefile
 	testing/Makefile
 )
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -11,6 +11,7 @@ endif
 if USE_PLUTO
  SUBDIRS += libcrypto pluto whack
 endif
+
 if USE_CHARON
  SUBDIRS += charon
 endif
@ -39,6 +40,10 @@ if USE_MANAGER
  SUBDIRS += manager
 endif

+if USE_MEDSRV
+  SUBDIRS += medsrv
+endif
+
 EXTRA_DIST = strongswan.conf

 install-exec-local :	
--- a/src/charon/plugins/medsrv/medsrv_config.c
+++ b/src/charon/plugins/medsrv/medsrv_config.c
@ -85,9 +85,9 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 		return NULL;
 	}
 	e = this->db->query(this->db,
-			"SELECT CONCAT(Peer.Alias, CONCAT('@', User.Login)) FROM "
-			"Peer JOIN User ON Peer.IdUser = User.IdUser "
-			"WHERE Peer.KeyID = ?", DB_BLOB, other->get_encoding(other),
+			"SELECT CONCAT(peer.alias, CONCAT('@', user.login)) FROM "
+			"peer JOIN user ON peer.user = user.id "
+			"WHERE peer.keyid = ?", DB_BLOB, other->get_encoding(other),
 			DB_TEXT);
 	if (e)
 	{
@ -137,8 +137,8 @@ medsrv_config_t *medsrv_config_create(database_t *db)
 	
 	this->db = db;
 	this->rekey = lib->settings->get_int(lib->settings,
-										 "medmanager.rekey", 20) * 60;
-	this->dpd = lib->settings->get_int(lib->settings, "medmanager.dpd", 300);
+										 "medsrv.rekey", 20) * 60;
+	this->dpd = lib->settings->get_int(lib->settings, "medsrv.dpd", 300);
 	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 	
--- a/src/charon/plugins/medsrv/medsrv_creds.c
+++ b/src/charon/plugins/medsrv/medsrv_creds.c
@ -121,7 +121,7 @@ static enumerator_t* create_cert_enumerator(private_medsrv_creds_t *this,
 	e->public.enumerate = (void*)cert_enumerator_enumerate;
 	e->public.destroy = (void*)cert_enumerator_destroy;
 	e->inner = this->db->query(this->db,
-							   "SELECT PublicKey FROM Peer WHERE KeyId = ?",
+							   "SELECT public_key FROM peer WHERE keyid = ?",
 							   DB_BLOB, id->get_encoding(id),
 							   DB_BLOB);
 	if (!e->inner)
--- a/src/charon/plugins/medsrv/mysql.sql
+++ b/src/charon/plugins/medsrv/mysql.sql
@ -1,12 +1,21 @@

-CREATE TABLE IF NOT EXISTS `Peer` (
-  `IdPeer` int(10) unsigned NOT NULL auto_increment,
-  `IdUser` int(10) unsigned NOT NULL,
-  `Alias` varchar(30) collate utf8_unicode_ci NOT NULL,
-  `KeyId` varbinary(20) NOT NULL,
-  `PublicKey` blob NOT NULL,
-  PRIMARY KEY  (`IdPeer`),
-  KEY `KeyId` (`KeyId`),
-  KEY `IdUser` (`IdUser`)
-) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+CREATE TABLE IF NOT EXISTS `peer` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `user` int(10) unsigned NOT NULL,
+  `alias` varchar(30) NOT NULL,
+  `keyid` varbinary(20) NOT NULL,
+  `public_key` blob,
+  PRIMARY KEY  (`id`),
+  UNIQUE KEY (`user`,`alias`),
+  UNIQUE KEY (`keyid`),
+  KEY `user` (`user`)
+) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+CREATE TABLE IF NOT EXISTS `user` (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `login` varchar(30) NOT NULL,
+  `password` varbinary(20) NOT NULL,
+  PRIMARY KEY  (`id`),
+  UNIQUE KEY (`login`)
+) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@ -0,0 +1,42 @@
+medsrvdir = ${ipsecdir}/medsrv
+
+medsrv_PROGRAMS = medsrv.fcgi
+
+medsrv_fcgi_SOURCES = user.h user.c \
+main.c filter/auth_filter.c filter/auth_filter.h \
+controller/user_controller.c controller/user_controller.h \
+controller/peer_controller.c controller/peer_controller.h
+
+medsrv_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
+AM_CFLAGS = -rdynamic \
+  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+  -DIPSECDIR=\"${ipsecdir}\" \
+  -DIPSEC_PIDDIR=\"${piddir}\" \
+  -DIPSEC_PLUGINDIR=\"${plugindir}\"\
+  -DPLUGINS=\""${libstrongswan_plugins}\""
+
+# Don't forget to add templates to EXTRA_DIST !!! How to automate?
+medsrv_templatesdir = ${medsrvdir}/templates
+medsrv_templates_DATA = templates/header.cs templates/footer.cs
+
+medsrv_templates_userdir = ${medsrv_templatesdir}/user
+medsrv_templates_user_DATA = templates/user/add.cs templates/user/edit.cs \
+templates/user/login.cs templates/user/help.cs
+  
+medsrv_templates_peerdir = ${medsrv_templatesdir}/peer
+medsrv_templates_peer_DATA = templates/peer/add.cs templates/peer/edit.cs \
+templates/peer/list.cs 
+
+medsrv_templates_staticdir = ${medsrv_templatesdir}/static
+medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \
+templates/static/style.css templates/static/strongswan.png \
+templates/static/favicon.ico templates/static/mootools.js
+
+EXTRA_DIST = templates/header.cs templates/footer.cs \
+templates/static/style.css templates/static/strongswan.png \
+templates/static/favicon.ico templates/static/mootools.js \
+templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \
+templates/user/login.cs templates/user/add.cs templates/user/edit.cs \
+templates/user/help.cs
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@ -0,0 +1,377 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+
+#include "peer_controller.h"
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+typedef struct private_peer_controller_t private_peer_controller_t;
+
+/**
+ * private data of the peer_controller
+ */
+struct private_peer_controller_t {
+
+	/**
+	 * public functions
+	 */
+	peer_controller_t public;
+
+	/**
+	 * active user session
+	 */
+	user_t *user;
+	
+	/** 
+	 * underlying database
+	 */
+	database_t *db;
+};
+
+/**
+ * list the configured peer configs
+ */
+static void list(private_peer_controller_t *this, request_t *request)
+{
+	enumerator_t *query;
+	
+	query = this->db->query(this->db,
+			"SELECT id, alias, keyid FROM peer WHERE user = ? ORDER BY alias",
+			DB_UINT, this->user->get_user(this->user),
+			DB_UINT, DB_TEXT, DB_BLOB);
+	
+	if (query)
+	{
+		u_int id;
+		char *alias;
+		chunk_t keyid;
+		identification_t *identifier;
+	
+		while (query->enumerate(query, &id, &alias, &keyid))
+		{
+			request->setf(request, "peers.%d.alias=%s", id, alias);
+			identifier = identification_create_from_encoding(ID_KEY_ID, keyid);
+			request->setf(request, "peers.%d.identifier=%D", id, identifier);
+			identifier->destroy(identifier);
+		}
+		query->destroy(query);
+	}
+	request->render(request, "templates/peer/list.cs");
+}
+
+/**
+ * verify a peer alias
+ */
+static bool verify_alias(private_peer_controller_t *this, request_t *request,
+						 char *alias)
+{
+	if (!alias || *alias == '\0')
+	{
+		request->setf(request, "error=Alias is missing.");
+		return FALSE;	
+	}
+	while (*alias != '\0')
+	{
+		switch (*alias)
+		{
+			case 'a' ... 'z':
+			case 'A' ... 'Z':
+			case '0' ... '9':
+			case '-':
+			case '_':
+			case '@':
+			case '.':
+				alias++;
+				continue;
+			default:
+				request->setf(request, "error=Alias invalid, "
+							  "valid characters: A-Z a-z 0-9 - _ @ .");
+				return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * parse and verify a public key
+ */
+static bool parse_public_key(private_peer_controller_t *this,
+							 request_t *request, char *public_key,
+							 chunk_t *encoding, chunk_t *keyid)
+{
+	public_key_t *public;
+	identification_t *id;
+		
+	if (!public_key || *public_key == '\0')
+	{
+		request->setf(request, "error=Public key is missing.");
+		return FALSE;
+	}
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								BUILD_BLOB_ASN1_PEM, public_key,
+								BUILD_END);
+	if (!public)
+	{
+		request->setf(request, "error=Parsing public key failed.");
+		return FALSE;
+	}
+	/* TODO: use get_encoding() with an encoding type */
+	*encoding = asn1_wrap(ASN1_SEQUENCE, "cm",
+						  asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+						  asn1_bitstring("m", public->get_encoding(public)));
+	id = public->get_id(public, ID_PUBKEY_SHA1);
+	*keyid = chunk_clone(id->get_encoding(id));
+	public->destroy(public);
+	return TRUE;
+}
+
+/**
+ * register a new peer
+ */
+static void add(private_peer_controller_t *this, request_t *request)
+{
+	char *alias = "", *public_key = "";
+	
+	if (request->get_query_data(request, "back"))
+	{
+		return request->redirect(request, "peer/list");
+	}
+	while (request->get_query_data(request, "add"))
+	{
+		chunk_t encoding, keyid;
+	
+		alias = request->get_query_data(request, "alias");
+		public_key = request->get_query_data(request, "public_key");
+		
+		if (!verify_alias(this, request, alias))
+		{
+			break;
+		}
+		if (!parse_public_key(this, request, public_key, &encoding, &keyid))
+		{
+			break;
+		}
+		if (this->db->execute(this->db, NULL,
+						  "INSERT INTO peer (user, alias, public_key, keyid) "
+						  "VALUES (?, ?, ?, ?)",
+						  DB_UINT, this->user->get_user(this->user),
+						  DB_TEXT, alias, DB_BLOB, encoding,
+						  DB_BLOB, keyid) <= 0)
+		{
+			request->setf(request, "error=Peer already exists.");
+			free(keyid.ptr);
+			free(encoding.ptr);
+			break;
+		}
+		free(keyid.ptr);
+		free(encoding.ptr);
+		return request->redirect(request, "peer/list");
+	}
+	request->set(request, "alias", alias);
+	request->set(request, "public_key", public_key);
+	
+	return request->render(request, "templates/peer/add.cs");
+}
+
+/**
+ * pem encode a public key into an allocated string
+ */
+char* pem_encode(chunk_t der)
+{
+	static const char *begin = "-----BEGIN PUBLIC KEY-----\n";
+	static const char *end = "-----END PUBLIC KEY-----";
+	size_t len;
+	char *pem;
+	chunk_t base64;
+	int i = 0;
+	
+	base64 = chunk_to_base64(der, NULL);
+	len = strlen(begin) + base64.len + base64.len/64 + strlen(end) + 2;
+	pem = malloc(len + 1);
+
+	strcpy(pem, begin);
+	do
+	{
+		strncat(pem, base64.ptr + i, 64);
+		strcat(pem, "\n");
+		i += 64;
+	}
+	while (i < base64.len - 2);
+	strcat(pem, end);
+	
+	free(base64.ptr);
+	return pem;
+}
+
+/**
+ * edit a peer
+ */
+static void edit(private_peer_controller_t *this, request_t *request, int id)
+{
+	char *alias = "", *public_key = "", *pem;
+	chunk_t encoding, keyid;
+	
+	if (request->get_query_data(request, "back"))
+	{
+		return request->redirect(request, "peer/list");
+	}
+	if (request->get_query_data(request, "delete"))
+	{
+		this->db->execute(this->db, NULL,
+						  "DELETE FROM peer WHERE id = ? AND user = ?",
+						  DB_INT, id, DB_UINT, this->user->get_user(this->user));
+		return request->redirect(request, "peer/list");
+	}
+	if (request->get_query_data(request, "save"))
+	{
+		while (TRUE)
+		{
+			alias = request->get_query_data(request, "alias");
+			public_key = request->get_query_data(request, "public_key");
+		
+			if (!verify_alias(this, request, alias))
+			{
+				break;
+			}
+			if (!parse_public_key(this, request, public_key, &encoding, &keyid))
+			{
+				break;
+			}
+			if (this->db->execute(this->db, NULL,
+				  "UPDATE peer SET alias = ?, public_key = ?, keyid = ? "
+				  "WHERE id = ? AND user = ?",
+				  DB_TEXT, alias, DB_BLOB, encoding, DB_BLOB, keyid,
+				  DB_INT, id, DB_UINT, this->user->get_user(this->user)) < 0)
+			{
+				request->setf(request, "error=Peer already exists.");
+				free(keyid.ptr);
+				free(encoding.ptr);
+				break;
+			}
+			free(keyid.ptr);
+			free(encoding.ptr);
+			return request->redirect(request, "peer/list");
+		}
+	}
+	else
+	{
+		enumerator_t *query = this->db->query(this->db,
+				"SELECT alias, public_key FROM peer WHERE id = ? AND user = ?",
+				DB_INT, id, DB_UINT, this->user->get_user(this->user),
+				DB_TEXT, DB_BLOB);
+		if (query && query->enumerate(query, &alias, &encoding))
+		{
+			alias = strdupa(alias);
+			pem = pem_encode(encoding);
+			public_key = strdupa(pem);
+			free(pem);
+		}
+		else
+		{
+			return request->redirect(request, "peer/list");
+		}
+		DESTROY_IF(query);
+	}
+	request->set(request, "alias", alias);
+	request->set(request, "public_key", public_key);
+	return request->render(request, "templates/peer/edit.cs");
+}
+
+/**
+ * delete a peer from the database
+ */
+static void delete(private_peer_controller_t *this, request_t *request, int id)
+{
+	this->db->execute(this->db, NULL,
+					  "DELETE FROM peer WHERE id = ? AND user = ?",
+					  DB_INT, id, DB_UINT, this->user->get_user(this->user));
+}
+
+/**
+ * Implementation of controller_t.get_name
+ */
+static char* get_name(private_peer_controller_t *this)
+{
+	return "peer";
+}
+
+/**
+ * Implementation of controller_t.handle
+ */
+static void handle(private_peer_controller_t *this, request_t *request,
+				   char *action, char *idstr)
+{
+	if (action)
+	{
+		int id = 0;
+		if (idstr)
+		{
+			id = atoi(idstr);
+		}
+		
+		if (streq(action, "list"))
+		{
+			return list(this, request);
+		}
+		else if (streq(action, "add"))
+		{
+			return add(this, request);
+		}
+		else if (streq(action, "edit") && id)
+		{
+			return edit(this, request, id);
+		}
+		else if (streq(action, "delete") && id)
+		{
+			delete(this, request, id);
+		}
+	}
+	request->redirect(request, "peer/list");
+}
+
+/**
+ * Implementation of controller_t.destroy
+ */
+static void destroy(private_peer_controller_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+controller_t *peer_controller_create(user_t *user, database_t *db)
+{
+	private_peer_controller_t *this= malloc_thing(private_peer_controller_t);
+
+	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
+	this->public.controller.handle = (void(*)(controller_t*, request_t*, char*, char*, char*, char*, char*))handle;
+	this->public.controller.destroy = (void(*)(controller_t*))destroy;
+
+	this->user = user;
+	this->db = db;
+
+	return &this->public.controller;
+}
+
--- a/src/medsrv/controller/peer_controller.h
+++ b/src/medsrv/controller/peer_controller.h
@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup peer_controller_server peer_controller
+ * @{ @ingroup controller_server
+ */
+
+#ifndef PEER_CONTROLLER_H_
+#define PEER_CONTROLLER_H_
+
+#include <user.h>
+
+#include <controller.h>
+#include <database/database.h>
+
+typedef struct peer_controller_t peer_controller_t;
+
+/**
+ * Peer controller. Manages peers associated to a user.
+ */
+struct peer_controller_t {
+
+	/**
+	 * Implements controller_t interface.
+	 */
+	controller_t controller;
+};
+
+/**
+ * Create a peer_controller controller instance.
+ */
+controller_t *peer_controller_create(user_t *user, database_t *db);
+
+#endif /* PEER_CONTROLLER_H_ @} */
--- a/src/medsrv/controller/user_controller.c
+++ b/src/medsrv/controller/user_controller.c
@ -0,0 +1,363 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+
+#include "user_controller.h"
+
+#include <library.h>
+
+typedef struct private_user_controller_t private_user_controller_t;
+
+/**
+ * private data of the user_controller
+ */
+struct private_user_controller_t {
+
+	/**
+	 * public functions
+	 */
+	user_controller_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+	
+	/**
+	 * user session
+	 */
+	user_t *user;
+	
+	/**
+	 * minimum required password lenght
+	 */
+	u_int password_length;
+};
+
+/**
+ * hash the password for database storage
+ */
+static chunk_t hash_password(char *login, char *password)
+{
+	hasher_t *hasher;
+	chunk_t hash, data;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		return chunk_empty;
+	}
+	data = chunk_cata("cc",	chunk_create(login, strlen(login)),
+							chunk_create(password, strlen(password)));
+	hasher->allocate_hash(hasher, data, &hash);
+	hasher->destroy(hasher);
+	return hash;
+}
+
+/**
+ * Login a user.
+ */
+static void login(private_user_controller_t *this, request_t *request)
+{
+	if (request->get_query_data(request, "submit"))
+	{
+		char *login, *password;
+		
+		login = request->get_query_data(request, "login");
+		password = request->get_query_data(request, "password");
+		
+		if (login && password)
+		{
+			enumerator_t *query;
+			u_int id = 0;
+			chunk_t hash;
+			
+			hash = hash_password(login, password);
+			query = this->db->query(this->db,
+						"SELECT id FROM user WHERE login = ? AND password = ?",
+						DB_TEXT, login, DB_BLOB, hash, DB_UINT);
+			if (query)
+			{
+				query->enumerate(query, &id);
+				query->destroy(query);
+			}
+			free(hash.ptr);
+			if (id)
+			{
+				this->user->set_user(this->user, id);
+				return request->redirect(request, "peer/list");
+			}
+		}
+		request->setf(request, "error=Invalid username or password.");
+	}
+	request->render(request, "templates/user/login.cs");
+}
+
+/**
+ * Logout a user.
+ */
+static void logout(private_user_controller_t *this, request_t *request)
+{
+	request->redirect(request, "user/login");
+	request->close_session(request);
+}
+
+/**
+ * verify a user entered username for validity
+ */
+static bool verify_login(private_user_controller_t *this, request_t *request,
+						 char *login)
+{
+	if (!login || *login == '\0')
+	{
+		request->setf(request, "error=Username is missing.");
+		return FALSE;	
+	}
+	while (*login != '\0')
+	{
+		switch (*login)
+		{
+			case 'a' ... 'z':
+			case 'A' ... 'Z':
+			case '0' ... '9':
+			case '-':
+			case '_':
+			case '@':
+			case '.':
+				login++;
+				continue;
+			default:
+				request->setf(request, "error=Username invalid, "
+							  "valid characters: A-Z a-z 0-9 - _ @ .");
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * verify a user entered password for validity
+ */
+static bool verify_password(private_user_controller_t *this, request_t *request,
+							char *password, char *confirm)
+{
+	if (!password || *password == '\0')
+	{
+		request->setf(request, "error=Password is missing.");
+		return FALSE;
+	}
+	if (strlen(password) < this->password_length)
+	{
+		request->setf(request, "error=Password requires at least %d characters.",
+					  this->password_length);
+		return FALSE;
+	}
+	if (!confirm || !streq(password, confirm))
+	{
+		request->setf(request, "error=Password not confirmed.");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Register a user.
+ */
+static void add(private_user_controller_t *this, request_t *request)
+{
+	char *login = "";
+
+	while (request->get_query_data(request, "register"))
+	{
+		char *password, *confirm;
+		chunk_t hash;
+		u_int id;
+
+		login = request->get_query_data(request, "new_login");
+		password = request->get_query_data(request, "new_password");
+		confirm = request->get_query_data(request, "confirm_password");
+		
+		if (!verify_login(this, request, login) ||
+			!verify_password(this, request, password, confirm))
+		{
+			break;
+		}
+		
+		hash = hash_password(login, password);
+		if (!hash.ptr || this->db->execute(this->db, &id,
+							"INSERT INTO user (login, password) VALUES (?, ?)",
+							DB_TEXT, login, DB_BLOB, hash) < 0)
+		{
+			request->setf(request, "error=Username already exists.");
+			free(hash.ptr);
+			break;
+		}
+		free(hash.ptr);
+		this->user->set_user(this->user, id);
+		return request->redirect(request, "peer/list");
+	}
+	request->set(request, "new_login", login);
+	request->setf(request, "password_length=%d", this->password_length);
+	request->render(request, "templates/user/add.cs");
+}
+
+/**
+ * Edit the logged in user
+ */
+static void edit(private_user_controller_t *this, request_t *request)
+{
+	enumerator_t *query;
+	char *old_login;
+	
+	/* lookup old login */
+	query = this->db->query(this->db, "SELECT login FROM user WHERE id = ?",
+							DB_INT, this->user->get_user(this->user),
+							DB_TEXT);
+	if (!query || !query->enumerate(query, &old_login))
+	{
+		DESTROY_IF(query);
+		request->close_session(request);
+		return request->redirect(request, "user/login");
+	}
+	old_login = strdupa(old_login);
+	query->destroy(query);
+
+	/* back pressed */
+	if (request->get_query_data(request, "back"))
+	{
+		return request->redirect(request, "peer/list");
+	}
+	/* delete pressed */
+	if (request->get_query_data(request, "delete"))
+	{
+		this->db->execute(this->db, NULL, "DELETE FROM user WHERE id = ?",
+						  DB_UINT, this->user->get_user(this->user));
+		this->db->execute(this->db, NULL,
+						  "DELETE FROM peer WHERE user = ?",
+						  DB_UINT, this->user->get_user(this->user));
+		return logout(this, request);
+	}
+	/* save pressed */
+	while (request->get_query_data(request, "save"))
+	{
+		char *new_login, *old_pass, *new_pass, *confirm;
+		chunk_t old_hash, new_hash;
+		
+		new_login = request->get_query_data(request, "old_login");
+		old_pass = request->get_query_data(request, "old_password");
+		new_pass = request->get_query_data(request, "new_password");
+		confirm = request->get_query_data(request, "confirm_password");
+		
+		if (!verify_login(this, request, new_login) ||
+			!verify_password(this, request, new_pass, confirm))
+		{
+			old_login = new_login;
+			break;
+		}
+		old_hash = hash_password(old_login, old_pass);
+		new_hash = hash_password(new_login, new_pass);
+		
+		if (this->db->execute(this->db, NULL,
+			"UPDATE user SET login = ?, password = ? "
+			"WHERE id = ? AND password = ?",
+			DB_TEXT, new_login, DB_BLOB, new_hash,
+			DB_UINT, this->user->get_user(this->user), DB_BLOB, old_hash) <= 0)
+		{
+			free(new_hash.ptr);
+			free(old_hash.ptr);
+			old_login = new_login;
+			request->setf(request, "error=Password verification failed.");
+			break;
+		}
+		free(new_hash.ptr);
+		free(old_hash.ptr);
+		return request->redirect(request, "peer/list");
+	}
+	/* on error/template rendering */
+	request->set(request, "old_login", old_login);
+	request->setf(request, "password_length=%d", this->password_length);
+	request->render(request, "templates/user/edit.cs");
+}
+
+/**
+ * Implementation of controller_t.get_name
+ */
+static char* get_name(private_user_controller_t *this)
+{
+	return "user";
+}
+
+/**
+ * Implementation of controller_t.handle
+ */
+static void handle(private_user_controller_t *this, request_t *request, char *action)
+{
+	if (action)
+	{
+		if (streq(action, "add"))
+		{
+			return add(this, request);
+		}
+		if (streq(action, "login"))
+		{
+			return login(this, request);
+		}
+		else if (streq(action, "logout"))
+		{
+			return logout(this, request);
+		}
+		else if (streq(action, "edit"))
+		{
+			return edit(this, request);
+		}
+		else if (streq(action, "help"))
+		{
+			return request->render(request, "templates/user/help.cs");
+		}
+	}
+	request->redirect(request, "user/login");
+}
+
+/**
+ * Implementation of controller_t.destroy
+ */
+static void destroy(private_user_controller_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+controller_t *user_controller_create(user_t *user, database_t *db)
+{
+	private_user_controller_t *this= malloc_thing(private_user_controller_t);
+
+	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
+	this->public.controller.handle = (void(*)(controller_t*, request_t*, char*, char*, char*, char*, char*))handle;
+	this->public.controller.destroy = (void(*)(controller_t*))destroy;
+
+	this->user = user;
+	this->db = db;
+	this->password_length = lib->settings->get_int(lib->settings,
+												   "medsrv.password_length", 6);
+
+	return &this->public.controller;
+}
+
--- a/src/medsrv/controller/user_controller.h
+++ b/src/medsrv/controller/user_controller.h
@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup user_controller_server user_controller
+ * @{ @ingroup controller_server
+ */
+
+#ifndef USER_CONTROLLER_H_
+#define USER_CONTROLLER_H_
+
+#include <user.h>
+
+#include <controller.h>
+#include <database/database.h>
+
+typedef struct user_controller_t user_controller_t;
+
+/**
+ * User controller. Register, Login and user management.
+ */
+struct user_controller_t {
+
+	/**
+	 * Implements controller_t interface.
+	 */
+	controller_t controller;
+};
+
+/**
+ * Create a user_controller controller instance.
+ */
+controller_t *user_controller_create(user_t *user, database_t *db);
+
+#endif /* USER_CONTROLLER_H_ @} */
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "auth_filter.h"
+
+#include <debug.h>
+
+typedef struct private_auth_filter_t private_auth_filter_t;
+
+/**
+ * private data of auth_filter
+ */
+struct private_auth_filter_t {
+	/**
+	 * public functions
+	 */
+	auth_filter_t public;
+
+	/**
+	 * user session
+	 */
+	user_t *user;
+	
+	/**
+	 * database connection
+	 */
+	database_t *db;
+};
+
+/**
+ * Implementation of filter_t.run
+ */
+static bool run(private_auth_filter_t *this, request_t *request,
+				char *controller, char *action)
+{
+	if (this->user->get_user(this->user))
+	{
+		enumerator_t *query;
+		char *login;
+	
+		query = this->db->query(this->db, "SELECT login FROM user WHERE id = ?",
+								DB_INT, this->user->get_user(this->user),
+								DB_TEXT);
+		if (query && query->enumerate(query, &login))
+		{
+			request->set(request, "login", login);
+			query->destroy(query);
+			return TRUE;
+		}
+		DESTROY_IF(query);
+		this->user->set_user(this->user, 0);
+	}
+	if (controller && streq(controller, "user") && action &&
+		(streq(action, "add") || streq(action, "login") || streq(action, "help")))
+	{	/* add/login allowed */
+		return TRUE;
+	}
+	request->redirect(request, "user/login");
+	return FALSE;
+}
+
+/**
+ * Implementation of filter_t.destroy
+ */
+static void destroy(private_auth_filter_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+filter_t *auth_filter_create(user_t *user, database_t *db)
+{
+	private_auth_filter_t *this= malloc_thing(private_auth_filter_t);
+
+	this->public.filter.destroy = (void(*)(filter_t*))destroy;
+	this->public.filter.run = (bool(*)(filter_t*, request_t*,char*,char*,char*,char*,char*,char*))run;
+
+	this->user = user;
+	this->db = db;
+
+	return &this->public.filter;
+}
+
--- a/src/medsrv/filter/auth_filter.h
+++ b/src/medsrv/filter/auth_filter.h
@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup auth_filter_server auth_filter
+ * @{ @ingroup filter_server
+ */
+
+#ifndef AUTH_FILTER_H_
+#define AUTH_FILTER_H_
+
+#include <library.h>
+#include <filter.h>
+
+#include "user.h"
+
+typedef struct auth_filter_t auth_filter_t;
+
+/**
+ * Authentication/Authorization filter.
+ */
+struct auth_filter_t {
+
+	/**
+	 * Implements filter_t interface.
+	 */
+	filter_t filter;
+};
+
+/**
+ * Create a auth_filter instance.
+ */
+filter_t *auth_filter_create(user_t *user, database_t *db);
+
+#endif /* AUTH_FILTER_H_  @}*/
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Philip Boetschi, Adrian Doerig
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+
+#include <dispatcher.h>
+#include <debug.h>
+#include <database/database.h>
+
+#include "filter/auth_filter.h"
+#include "controller/user_controller.h"
+#include "controller/peer_controller.h"
+
+int main(int arc, char *argv[])
+{
+	dispatcher_t *dispatcher;
+	database_t *db;
+	char *socket;
+	bool debug;
+	char *uri;
+	int timeout, threads;
+	
+	library_init(STRONGSWAN_CONF);
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
+	    lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS));
+	
+	socket = lib->settings->get_str(lib->settings, "medsrv.socket", NULL);
+	debug = lib->settings->get_bool(lib->settings, "medsrv.debug", FALSE);
+	timeout = lib->settings->get_int(lib->settings, "medsrv.timeout", 900);
+	threads = lib->settings->get_int(lib->settings, "medsrv.threads", 5);
+	uri = lib->settings->get_str(lib->settings, "medsrv.database", NULL);
+	if (uri == NULL)
+	{
+		fprintf(stderr, "database URI medsrv.database not defined.\n");
+		return 1;
+	}
+	
+	db = lib->db->create(lib->db, uri);
+	if (db == NULL)
+	{
+		fprintf(stderr, "opening database failed.\n");
+		return 1;
+	}
+	
+	dispatcher = dispatcher_create(socket, debug, timeout,
+								   (context_constructor_t)user_create, db);
+	dispatcher->add_filter(dispatcher,
+						(filter_constructor_t)auth_filter_create, db);
+	dispatcher->add_controller(dispatcher,
+						(controller_constructor_t)user_controller_create, db);
+	dispatcher->add_controller(dispatcher,
+						(controller_constructor_t)peer_controller_create, db);
+	
+	dispatcher->run(dispatcher, threads);
+	
+	dispatcher->waitsignal(dispatcher);
+	dispatcher->destroy(dispatcher);
+	db->destroy(db);
+	
+	library_deinit();
+	return 0;
+}
+
--- a/src/medsrv/templates/footer.cs
+++ b/src/medsrv/templates/footer.cs
@ -0,0 +1,4 @@
+      </div>    
+    </div>
+  </body>
+</html>
--- a/src/medsrv/templates/header.cs
+++ b/src/medsrv/templates/header.cs
@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>strongSwan Mediation Service</title>
+    <link rel="stylesheet" type="text/css" href="<?cs var:base ?>/static/style.css"/>
+    <link rel="icon" href="<?cs var:base ?>/static/favicon.ico" type="image/x-icon" />
+    <script type="text/javascript" src="<?cs var:base ?>/static/mootools.js"></script>
+    <script type="text/javascript" src="<?cs var:base ?>/static/script.js"></script>
+  </head>
+  <body>
+  	<div class="fleft">
+      <a href="<?cs var:base ?>/peer/list">
+        <img class="fleft" src="<?cs var:base ?>/static/strongswan.png"/>
+      </a>
+      <h1>Mediation Service</h1>
+    </div>
+    <div class="menu">
+	     <?cs if:?login ?>
+	      Logged in as <i><?cs var:login ?></i> 
+	      | <a href="<?cs var:base ?>/user/edit">Edit</a>
+	      | <a href="<?cs var:base ?>/user/logout">Logout</a>
+	      | <a href="<?cs var:base ?>/user/help">Help</a>
+	     <?cs else ?>
+	      | <a href="<?cs var:base ?>/user/help">Help</a>
+	      | <a href="<?cs var:base ?>/user/login">Login</a>
+	      | <a href="<?cs var:base ?>/user/add">Register</a>
+	     <?cs /if ?>
+    </div>
+    <hr class="cleft"/>
+    <div class="center">
+      <div class="content">
--- a/src/medsrv/templates/peer/add.cs
+++ b/src/medsrv/templates/peer/add.cs
@ -0,0 +1,24 @@
+<?cs include:"templates/header.cs" ?>
+<form method="post">
+<?cs if:?error ?>
+  <div class="error"><?cs var:error ?></div>
+<?cs /if ?>
+  <table class="peer">
+    <tr>
+      <td><label for="alias">Alias</label></td>
+      <td><input type="text" id="alias" name="alias" class="focus" maxlength="30" value="<?cs var:alias ?>";"/></td>
+    </tr>
+    <tr>
+      <td valign="top"><label for="public_key">Public Key</label></td>
+      <td><textarea id="public_key" name="public_key"><?cs var:public_key ?></textarea></td>
+    </tr>
+    <tr>
+      <td></td>
+      <td class="right">
+        <input type="submit" value="Back" name="back"/> 
+        <input type="submit" value="Add" name="add"/>
+      </td>
+    </tr>
+</table>
+</form>
+<?cs include:"templates/footer.cs" ?>
--- a/src/medsrv/templates/peer/edit.cs
+++ b/src/medsrv/templates/peer/edit.cs
@ -0,0 +1,25 @@
+<?cs include:"templates/header.cs" ?>
+<form method="post" name="form">
+<?cs if:?error ?>
+  <div class="error"><?cs var:error ?></div>
+<?cs /if ?>
+  <table class="peer">
+    <tr>
+      <td><label for="alias">Alias</label></td>
+      <td><input type="text" id="alias" name="alias" maxlength="30" class="focus" value="<?cs var:alias ?>"/></td>
+    </tr>
+    <tr>
+      <td valign="top"><label for="public_key">Public Key</label></td>
+      <td><textarea id="public_key" name="public_key"><?cs var:public_key ?></textarea></td>
+    </tr>
+    <tr>
+      <td></td>
+      <td align="right">
+        <input type="submit" value="Back" name="back"/>
+        <input type="submit" value="Delete" name="delete" onclick="return confirm('Permanently delete this peer?')"/> 
+      	<input type="submit" value="Save" name="save"/>
+      </td>
+    </tr>
+</table>
+</form>
+<?cs include:"templates/footer.cs" ?>
--- a/src/medsrv/templates/peer/list.cs
+++ b/src/medsrv/templates/peer/list.cs
@ -0,0 +1,28 @@
+<?cs include:"templates/header.cs" ?>
+<div>
+<?cs if subcount(peers) > 0 ?>
+<table class="list">
+  <tr>
+    <th>Alias</th>
+    <th>Key Identifier</th>
+  </tr>
+<?cs each:peer = peers ?>
+  <tr>
+    <td>
+      <a href="<?cs var:base ?>/peer/edit/<?cs name:peer?>"><?cs var:peer.alias ?></a>
+    </td>
+    <td>
+      <a href="<?cs var:base ?>/peer/edit/<?cs name:peer?>"><?cs var:peer.identifier ?></a>
+    </td>
+  </tr>
+<?cs /each ?>
+</table>
+<?cs else ?>
+No peers defined.
+<?cs /if ?>
+<div class="right">
+<form action="<?cs var:base ?>/peer/add" method="get">
+    <input type="submit" value="Add Peer"/></td>
+</form>
+</div>
+<?cs include:"templates/footer.cs" ?>
--- a/src/medsrv/templates/static/favicon.ico
+++ b/src/medsrv/templates/static/favicon.ico
--- a/src/medsrv/templates/static/mootools.js
+++ b/src/medsrv/templates/static/mootools.js
@ -0,0 +1,341 @@
+//MooTools, <http://mootools.net>, My Object Oriented (JavaScript) Tools. Copyright (c) 2006-2008 Valerio Proietti, <http://mad4milk.net>, MIT Style License.
+
+var MooTools={version:"1.2dev",build:""};var Native=function(J){J=J||{};var F=J.afterImplement||function(){};var G=J.generics;G=(G!==false);var H=J.legacy;
+var E=J.initialize;var B=J.protect;var A=J.name;var C=E||H;C.constructor=Native;C.$family={name:"native"};if(H&&E){C.prototype=H.prototype;}C.prototype.constructor=C;
+if(A){var D=A.toLowerCase();C.prototype.$family={name:D};Native.typize(C,D);}var I=function(M,K,N,L){if(!B||L||!M.prototype[K]){M.prototype[K]=N;}if(G){Native.genericize(M,K,B);
+}F.call(M,K,N);return M;};C.implement=function(L,K,N){if(typeof L=="string"){return I(this,L,K,N);}for(var M in L){I(this,M,L[M],K);}return this;};C.alias=function(M,K,N){if(typeof M=="string"){M=this.prototype[M];
+if(M){I(this,K,M,N);}}else{for(var L in M){this.alias(L,M[L],K);}}return this;};return C;};Native.implement=function(D,C){for(var B=0,A=D.length;B<A;B++){D[B].implement(C);
+}};Native.genericize=function(B,C,A){if((!A||!B[C])&&typeof B.prototype[C]=="function"){B[C]=function(){var D=Array.prototype.slice.call(arguments);return B.prototype[C].apply(D.shift(),D);
+};}};Native.typize=function(A,B){if(!A.type){A.type=function(C){return($type(C)===B);};}};Native.alias=function(E,B,A,F){for(var D=0,C=E.