]>
Commit | Line | Data |
---|---|---|
0b14fdb9 | 1 | /* |
9f1b303a | 2 | * Copyright (C) 2012 Tobias Brunner |
0b14fdb9 MW |
3 | * Copyright (C) 2008 Martin Willi |
4 | * Hochschule fuer Technik Rapperswil | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify it | |
7 | * under the terms of the GNU General Public License as published by the | |
8 | * Free Software Foundation; either version 2 of the License, or (at your | |
9 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
10 | * | |
11 | * This program is distributed in the hope that it will be useful, but | |
12 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
13 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
14 | * for more details. | |
0b14fdb9 MW |
15 | */ |
16 | ||
17 | #include "stroke_config.h" | |
18 | ||
f6659688 | 19 | #include <hydra.h> |
0b14fdb9 | 20 | #include <daemon.h> |
eba64cef | 21 | #include <threading/mutex.h> |
a1db79b3 | 22 | #include <utils/lexparser.h> |
0b14fdb9 MW |
23 | |
24 | typedef struct private_stroke_config_t private_stroke_config_t; | |
25 | ||
26 | /** | |
27 | * private data of stroke_config | |
28 | */ | |
29 | struct private_stroke_config_t { | |
30 | ||
31 | /** | |
32 | * public functions | |
33 | */ | |
34 | stroke_config_t public; | |
7daf5226 | 35 | |
0b14fdb9 MW |
36 | /** |
37 | * list of peer_cfg_t | |
38 | */ | |
39 | linked_list_t *list; | |
7daf5226 | 40 | |
0b14fdb9 MW |
41 | /** |
42 | * mutex to lock config list | |
43 | */ | |
44 | mutex_t *mutex; | |
7daf5226 | 45 | |
6439267a TB |
46 | /** |
47 | * ca sections | |
48 | */ | |
49 | stroke_ca_t *ca; | |
7daf5226 | 50 | |
0b14fdb9 MW |
51 | /** |
52 | * credentials | |
53 | */ | |
54 | stroke_cred_t *cred; | |
96c2b3cf MW |
55 | |
56 | /** | |
57 | * Virtual IP pool / DNS backend | |
58 | */ | |
59 | stroke_attribute_t *attributes; | |
0b14fdb9 MW |
60 | }; |
61 | ||
a9ac8c51 AS |
62 | METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, |
63 | private_stroke_config_t *this, identification_t *me, identification_t *other) | |
0b14fdb9 | 64 | { |
0b14fdb9 | 65 | this->mutex->lock(this->mutex); |
a44bb934 MW |
66 | return enumerator_create_cleaner(this->list->create_enumerator(this->list), |
67 | (void*)this->mutex->unlock, this->mutex); | |
0b14fdb9 MW |
68 | } |
69 | ||
70 | /** | |
71 | * filter function for ike configs | |
72 | */ | |
a44bb934 | 73 | static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) |
0b14fdb9 | 74 | { |
5a22a021 MW |
75 | *out = (*in)->get_ike_cfg(*in); |
76 | return TRUE; | |
0b14fdb9 MW |
77 | } |
78 | ||
a9ac8c51 AS |
79 | METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, |
80 | private_stroke_config_t *this, host_t *me, host_t *other) | |
0b14fdb9 | 81 | { |
0b14fdb9 MW |
82 | this->mutex->lock(this->mutex); |
83 | return enumerator_create_filter(this->list->create_enumerator(this->list), | |
a44bb934 MW |
84 | (void*)ike_filter, this->mutex, |
85 | (void*)this->mutex->unlock); | |
0b14fdb9 MW |
86 | } |
87 | ||
a9ac8c51 AS |
88 | METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, |
89 | private_stroke_config_t *this, char *name) | |
0b14fdb9 MW |
90 | { |
91 | enumerator_t *e1, *e2; | |
92 | peer_cfg_t *current, *found = NULL; | |
93 | child_cfg_t *child; | |
7daf5226 | 94 | |
0b14fdb9 MW |
95 | this->mutex->lock(this->mutex); |
96 | e1 = this->list->create_enumerator(this->list); | |
97 | while (e1->enumerate(e1, ¤t)) | |
98 | { | |
a44bb934 MW |
99 | /* compare peer_cfgs name first */ |
100 | if (streq(current->get_name(current), name)) | |
101 | { | |
102 | found = current; | |
103 | found->get_ref(found); | |
104 | break; | |
105 | } | |
106 | /* compare all child_cfg names otherwise */ | |
107 | e2 = current->create_child_cfg_enumerator(current); | |
108 | while (e2->enumerate(e2, &child)) | |
109 | { | |
110 | if (streq(child->get_name(child), name)) | |
111 | { | |
112 | found = current; | |
113 | found->get_ref(found); | |
114 | break; | |
115 | } | |
116 | } | |
117 | e2->destroy(e2); | |
118 | if (found) | |
119 | { | |
120 | break; | |
121 | } | |
0b14fdb9 MW |
122 | } |
123 | e1->destroy(e1); | |
124 | this->mutex->unlock(this->mutex); | |
125 | return found; | |
126 | } | |
127 | ||
0b14fdb9 MW |
128 | /** |
129 | * parse a proposal string, either into ike_cfg or child_cfg | |
130 | */ | |
131 | static void add_proposals(private_stroke_config_t *this, char *string, | |
132 | ike_cfg_t *ike_cfg, child_cfg_t *child_cfg) | |
133 | { | |
134 | if (string) | |
135 | { | |
136 | char *single; | |
137 | char *strict; | |
138 | proposal_t *proposal; | |
139 | protocol_id_t proto = PROTO_ESP; | |
7daf5226 | 140 | |
0b14fdb9 MW |
141 | if (ike_cfg) |
142 | { | |
143 | proto = PROTO_IKE; | |
144 | } | |
145 | strict = string + strlen(string) - 1; | |
146 | if (*strict == '!') | |
147 | { | |
148 | *strict = '\0'; | |
149 | } | |
150 | else | |
151 | { | |
152 | strict = NULL; | |
153 | } | |
154 | while ((single = strsep(&string, ","))) | |
155 | { | |
156 | proposal = proposal_create_from_string(proto, single); | |
157 | if (proposal) | |
158 | { | |
159 | if (ike_cfg) | |
160 | { | |
161 | ike_cfg->add_proposal(ike_cfg, proposal); | |
162 | } | |
163 | else | |
164 | { | |
165 | child_cfg->add_proposal(child_cfg, proposal); | |
166 | } | |
167 | continue; | |
168 | } | |
169 | DBG1(DBG_CFG, "skipped invalid proposal string: %s", single); | |
170 | } | |
171 | if (strict) | |
172 | { | |
173 | return; | |
174 | } | |
175 | /* add default porposal to the end if not strict */ | |
176 | } | |
177 | if (ike_cfg) | |
178 | { | |
179 | ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); | |
180 | } | |
181 | else | |
182 | { | |
183 | child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); | |
184 | } | |
185 | } | |
186 | ||
187 | /** | |
188 | * Build an IKE config from a stroke message | |
189 | */ | |
190 | static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) | |
191 | { | |
0b14fdb9 MW |
192 | stroke_end_t tmp_end; |
193 | ike_cfg_t *ike_cfg; | |
5a22a021 | 194 | host_t *host; |
e7ea057f | 195 | u_int16_t ikeport; |
7daf5226 | 196 | |
5a22a021 MW |
197 | host = host_create_from_dns(msg->add_conn.other.address, 0, 0); |
198 | if (host) | |
0b14fdb9 | 199 | { |
9ba36c0f TB |
200 | if (hydra->kernel_interface->get_interface(hydra->kernel_interface, |
201 | host, NULL)) | |
0b14fdb9 | 202 | { |
5a22a021 MW |
203 | DBG2(DBG_CFG, "left is other host, swapping ends"); |
204 | tmp_end = msg->add_conn.me; | |
205 | msg->add_conn.me = msg->add_conn.other; | |
206 | msg->add_conn.other = tmp_end; | |
9ba36c0f | 207 | host->destroy(host); |
0b14fdb9 MW |
208 | } |
209 | else | |
210 | { | |
9ba36c0f | 211 | host->destroy(host); |
5a22a021 MW |
212 | host = host_create_from_dns(msg->add_conn.me.address, 0, 0); |
213 | if (host) | |
214 | { | |
9ba36c0f TB |
215 | if (!hydra->kernel_interface->get_interface( |
216 | hydra->kernel_interface, host, NULL)) | |
5a22a021 MW |
217 | { |
218 | DBG1(DBG_CFG, "left nor right host is our side, " | |
219 | "assuming left=local"); | |
220 | } | |
9ba36c0f | 221 | host->destroy(host); |
5a22a021 | 222 | } |
0b14fdb9 MW |
223 | } |
224 | } | |
e7ea057f | 225 | ikeport = msg->add_conn.me.ikeport; |
b223d517 TB |
226 | ikeport = (ikeport == IKEV2_UDP_PORT) ? |
227 | charon->socket->get_port(charon->socket, FALSE) : ikeport; | |
9fc7cc6f MW |
228 | ike_cfg = ike_cfg_create(msg->add_conn.version, |
229 | msg->add_conn.other.sendcert != CERT_NEVER_SEND, | |
1d315bdd AS |
230 | msg->add_conn.force_encap, |
231 | msg->add_conn.me.address, | |
232 | msg->add_conn.me.allow_any, | |
e7ea057f | 233 | ikeport, |
1d315bdd AS |
234 | msg->add_conn.other.address, |
235 | msg->add_conn.other.allow_any, | |
97973f86 | 236 | msg->add_conn.other.ikeport, |
306a269e | 237 | msg->add_conn.fragmentation, |
7fbe516f | 238 | msg->add_conn.ikedscp); |
0b14fdb9 | 239 | add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL); |
484a06bc | 240 | return ike_cfg; |
0b14fdb9 | 241 | } |
a44bb934 | 242 | |
0b14fdb9 | 243 | /** |
a44bb934 | 244 | * Add CRL constraint to config |
0b14fdb9 | 245 | */ |
a44bb934 | 246 | static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy) |
0b14fdb9 | 247 | { |
a44bb934 MW |
248 | /* CRL/OCSP policy, for remote config only */ |
249 | if (!local) | |
250 | { | |
251 | switch (policy) | |
252 | { | |
253 | case CRL_STRICT_YES: | |
254 | /* if yes, we require a GOOD validation */ | |
255 | cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD); | |
256 | break; | |
257 | case CRL_STRICT_IFURI: | |
258 | /* for ifuri, a SKIPPED validation is sufficient */ | |
259 | cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED); | |
260 | break; | |
261 | default: | |
262 | break; | |
263 | } | |
264 | } | |
265 | } | |
266 | ||
e35bbb97 MW |
267 | /** |
268 | * Parse public key / signature strength constraints | |
269 | */ | |
270 | static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) | |
271 | { | |
272 | enumerator_t *enumerator; | |
273 | bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE; | |
274 | int strength; | |
275 | char *token; | |
276 | ||
277 | enumerator = enumerator_create_token(auth, "-", ""); | |
278 | while (enumerator->enumerate(enumerator, &token)) | |
279 | { | |
280 | bool found = FALSE; | |
281 | int i; | |
282 | struct { | |
283 | char *name; | |
284 | signature_scheme_t scheme; | |
285 | key_type_t key; | |
286 | } schemes[] = { | |
287 | { "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, }, | |
288 | { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, }, | |
289 | { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, }, | |
290 | { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, }, | |
291 | { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, }, | |
292 | { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, }, | |
293 | { "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, }, | |
294 | { "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, }, | |
295 | { "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, }, | |
296 | { "sha512", SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, }, | |
297 | { "sha256", SIGN_ECDSA_256, KEY_ECDSA, }, | |
298 | { "sha384", SIGN_ECDSA_384, KEY_ECDSA, }, | |
299 | { "sha512", SIGN_ECDSA_521, KEY_ECDSA, }, | |
300 | }; | |
301 | ||
302 | if (rsa_len || ecdsa_len) | |
303 | { /* expecting a key strength token */ | |
304 | strength = atoi(token); | |
305 | if (strength) | |
306 | { | |
307 | if (rsa_len) | |
308 | { | |
309 | cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength); | |
310 | } | |
311 | else if (ecdsa_len) | |
312 | { | |
313 | cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength); | |
314 | } | |
315 | } | |
316 | rsa_len = ecdsa_len = FALSE; | |
317 | if (strength) | |
318 | { | |
319 | continue; | |
320 | } | |
321 | } | |
322 | if (streq(token, "rsa")) | |
323 | { | |
324 | rsa = rsa_len = TRUE; | |
325 | continue; | |
326 | } | |
327 | if (streq(token, "ecdsa")) | |
328 | { | |
329 | ecdsa = ecdsa_len = TRUE; | |
330 | continue; | |
331 | } | |
332 | if (streq(token, "pubkey")) | |
333 | { | |
334 | continue; | |
335 | } | |
336 | ||
337 | for (i = 0; i < countof(schemes); i++) | |
338 | { | |
339 | if (streq(schemes[i].name, token)) | |
340 | { | |
341 | /* for each matching string, allow the scheme, if: | |
342 | * - it is an RSA scheme, and we enforced RSA | |
343 | * - it is an ECDSA scheme, and we enforced ECDSA | |
344 | * - it is not a key type specific scheme | |
345 | */ | |
346 | if ((rsa && schemes[i].key == KEY_RSA) || | |
347 | (ecdsa && schemes[i].key == KEY_ECDSA) || | |
348 | (!rsa && !ecdsa)) | |
349 | { | |
350 | cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME, | |
351 | (uintptr_t)schemes[i].scheme); | |
352 | } | |
353 | found = TRUE; | |
354 | } | |
355 | } | |
356 | if (!found) | |
357 | { | |
358 | DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token); | |
359 | } | |
360 | } | |
361 | enumerator->destroy(enumerator); | |
362 | } | |
363 | ||
a44bb934 MW |
364 | /** |
365 | * build authentication config | |
366 | */ | |
367 | static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, | |
368 | stroke_msg_t *msg, bool local, bool primary) | |
369 | { | |
370 | identification_t *identity; | |
371 | certificate_t *certificate; | |
46df61df | 372 | char *auth, *id, *pubkey, *cert, *ca, *groups; |
a44bb934 MW |
373 | stroke_end_t *end, *other_end; |
374 | auth_cfg_t *cfg; | |
b7a500e9 | 375 | bool loose = FALSE; |
7daf5226 | 376 | |
a44bb934 MW |
377 | /* select strings */ |
378 | if (local) | |
0b14fdb9 | 379 | { |
a44bb934 MW |
380 | end = &msg->add_conn.me; |
381 | other_end = &msg->add_conn.other; | |
0b14fdb9 | 382 | } |
a44bb934 | 383 | else |
0b14fdb9 | 384 | { |
a44bb934 MW |
385 | end = &msg->add_conn.other; |
386 | other_end = &msg->add_conn.me; | |
387 | } | |
388 | if (primary) | |
389 | { | |
390 | auth = end->auth; | |
391 | id = end->id; | |
392 | if (!id) | |
393 | { /* leftid/rightid fallback to address */ | |
394 | id = end->address; | |
395 | } | |
396 | cert = end->cert; | |
397 | ca = end->ca; | |
398 | if (ca && streq(ca, "%same")) | |
399 | { | |
400 | ca = other_end->ca; | |
401 | } | |
402 | } | |
403 | else | |
404 | { | |
405 | auth = end->auth2; | |
406 | id = end->id2; | |
407 | if (local && !id) | |
408 | { /* leftid2 falls back to leftid */ | |
409 | id = end->id; | |
410 | } | |
411 | cert = end->cert2; | |
412 | ca = end->ca2; | |
413 | if (ca && streq(ca, "%same")) | |
414 | { | |
415 | ca = other_end->ca2; | |
416 | } | |
417 | } | |
c4a49008 | 418 | if (id && *id == '%' && !streq(id, "%any") && !streq(id, "%any6")) |
b7a500e9 TB |
419 | { /* has only an effect on rightid/2 */ |
420 | loose = !local; | |
421 | id++; | |
422 | } | |
7daf5226 | 423 | |
a44bb934 MW |
424 | if (!auth) |
425 | { | |
426 | if (primary) | |
427 | { | |
c791def8 | 428 | auth = "pubkey"; |
a44bb934 MW |
429 | } |
430 | else | |
33b1a256 MW |
431 | { /* no second authentication round, fine. But load certificates |
432 | * for other purposes (EAP-TLS) */ | |
433 | if (cert) | |
434 | { | |
435 | certificate = this->cred->load_peer(this->cred, cert); | |
436 | if (certificate) | |
437 | { | |
438 | certificate->destroy(certificate); | |
439 | } | |
440 | } | |
a44bb934 MW |
441 | return NULL; |
442 | } | |
443 | } | |
7daf5226 | 444 | |
a44bb934 | 445 | cfg = auth_cfg_create(); |
7daf5226 | 446 | |
10eee5fc | 447 | /* add identity and peer certificate */ |
a44bb934 MW |
448 | identity = identification_create_from_string(id); |
449 | if (cert) | |
450 | { | |
78af36db MW |
451 | enumerator_t *enumerator; |
452 | bool has_subject = FALSE; | |
453 | certificate_t *first = NULL; | |
454 | ||
455 | enumerator = enumerator_create_token(cert, ",", " "); | |
456 | while (enumerator->enumerate(enumerator, &cert)) | |
a44bb934 | 457 | { |
78af36db MW |
458 | certificate = this->cred->load_peer(this->cred, cert); |
459 | if (certificate) | |
a44bb934 | 460 | { |
78af36db MW |
461 | if (local) |
462 | { | |
463 | this->ca->check_for_hash_and_url(this->ca, certificate); | |
464 | } | |
465 | cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); | |
466 | if (!first) | |
467 | { | |
468 | first = certificate; | |
469 | } | |
470 | if (identity->get_type(identity) != ID_ANY && | |
471 | certificate->has_subject(certificate, identity)) | |
472 | { | |
473 | has_subject = TRUE; | |
474 | } | |
a44bb934 MW |
475 | } |
476 | } | |
78af36db MW |
477 | enumerator->destroy(enumerator); |
478 | ||
479 | if (first && !has_subject) | |
480 | { | |
481 | DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, " | |
482 | "defaulting to '%Y'", identity, first->get_subject(first)); | |
483 | identity->destroy(identity); | |
484 | identity = first->get_subject(first); | |
485 | identity = identity->clone(identity); | |
486 | } | |
0b14fdb9 | 487 | } |
eca499f3 TB |
488 | /* add raw RSA public key */ |
489 | pubkey = end->rsakey; | |
490 | if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert")) | |
491 | { | |
87692be2 | 492 | certificate = this->cred->load_pubkey(this->cred, pubkey, identity); |
eca499f3 TB |
493 | if (certificate) |
494 | { | |
495 | cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); | |
496 | } | |
497 | } | |
874f7c7e MW |
498 | if (identity->get_type(identity) != ID_ANY) |
499 | { | |
500 | cfg->add(cfg, AUTH_RULE_IDENTITY, identity); | |
b7a500e9 TB |
501 | if (loose) |
502 | { | |
503 | cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE); | |
504 | } | |
874f7c7e MW |
505 | } |
506 | else | |
507 | { | |
508 | identity->destroy(identity); | |
509 | } | |
7daf5226 | 510 | |
a44bb934 MW |
511 | /* CA constraint */ |
512 | if (ca) | |
513 | { | |
514 | identity = identification_create_from_string(ca); | |
2ccc02a4 MW |
515 | certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509, |
516 | KEY_ANY, identity, TRUE); | |
a44bb934 MW |
517 | identity->destroy(identity); |
518 | if (certificate) | |
519 | { | |
520 | cfg->add(cfg, AUTH_RULE_CA_CERT, certificate); | |
521 | } | |
522 | else | |
523 | { | |
a2ebc1bd | 524 | DBG1(DBG_CFG, "CA certificate \"%s\" not found, discarding CA " |
a44bb934 MW |
525 | "constraint", ca); |
526 | } | |
527 | } | |
7daf5226 | 528 | |
4172574b | 529 | /* groups */ |
46df61df MW |
530 | groups = primary ? end->groups : end->groups2; |
531 | if (groups) | |
a44bb934 MW |
532 | { |
533 | enumerator_t *enumerator; | |
534 | char *group; | |
7daf5226 | 535 | |
46df61df | 536 | enumerator = enumerator_create_token(groups, ",", " "); |
a44bb934 MW |
537 | while (enumerator->enumerate(enumerator, &group)) |
538 | { | |
4172574b MW |
539 | cfg->add(cfg, AUTH_RULE_GROUP, |
540 | identification_create_from_string(group)); | |
a44bb934 MW |
541 | } |
542 | enumerator->destroy(enumerator); | |
543 | } | |
7daf5226 | 544 | |
6367de28 MW |
545 | /* certificatePolicies */ |
546 | if (end->cert_policy) | |
547 | { | |
548 | enumerator_t *enumerator; | |
549 | char *policy; | |
550 | ||
551 | enumerator = enumerator_create_token(end->cert_policy, ",", " "); | |
552 | while (enumerator->enumerate(enumerator, &policy)) | |
553 | { | |
554 | cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy)); | |
555 | } | |
556 | enumerator->destroy(enumerator); | |
557 | } | |
558 | ||
a44bb934 | 559 | /* authentication metod (class, actually) */ |
e35bbb97 | 560 | if (strneq(auth, "pubkey", strlen("pubkey")) || |
44e513a3 MW |
561 | strneq(auth, "rsa", strlen("rsa")) || |
562 | strneq(auth, "ecdsa", strlen("ecdsa"))) | |
a44bb934 MW |
563 | { |
564 | cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); | |
565 | build_crl_policy(cfg, local, msg->add_conn.crl_policy); | |
44e513a3 | 566 | |
e35bbb97 | 567 | parse_pubkey_constraints(auth, cfg); |
a44bb934 MW |
568 | } |
569 | else if (streq(auth, "psk") || streq(auth, "secret")) | |
570 | { | |
571 | cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); | |
572 | } | |
cbda13f6 | 573 | else if (strneq(auth, "xauth", 5)) |
23f4e4b4 | 574 | { |
cbda13f6 MW |
575 | char *pos; |
576 | ||
577 | pos = strchr(auth, '-'); | |
578 | if (pos) | |
579 | { | |
580 | cfg->add(cfg, AUTH_RULE_XAUTH_BACKEND, strdup(++pos)); | |
581 | } | |
96c9159d | 582 | cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH); |
21a4fc83 MW |
583 | if (msg->add_conn.xauth_identity) |
584 | { | |
585 | cfg->add(cfg, AUTH_RULE_XAUTH_IDENTITY, | |
586 | identification_create_from_string(msg->add_conn.xauth_identity)); | |
587 | } | |
b4e81535 | 588 | } |
a44bb934 MW |
589 | else if (strneq(auth, "eap", 3)) |
590 | { | |
72409149 | 591 | eap_vendor_type_t *type; |
7daf5226 | 592 | |
a44bb934 | 593 | cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); |
7daf5226 | 594 | |
72409149 TB |
595 | type = eap_vendor_type_from_string(auth); |
596 | if (type) | |
a44bb934 | 597 | { |
72409149 TB |
598 | cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type); |
599 | if (type->vendor) | |
a44bb934 | 600 | { |
72409149 | 601 | cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor); |
a44bb934 | 602 | } |
72409149 | 603 | free(type); |
a44bb934 | 604 | } |
7daf5226 | 605 | |
a44bb934 MW |
606 | if (msg->add_conn.eap_identity) |
607 | { | |
608 | if (streq(msg->add_conn.eap_identity, "%identity")) | |
609 | { | |
610 | identity = identification_create_from_encoding(ID_ANY, | |
611 | chunk_empty); | |
612 | } | |
613 | else | |
614 | { | |
615 | identity = identification_create_from_string( | |
616 | msg->add_conn.eap_identity); | |
617 | } | |
618 | cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity); | |
619 | } | |
64d7b073 MW |
620 | if (msg->add_conn.aaa_identity) |
621 | { | |
622 | cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, | |
623 | identification_create_from_string(msg->add_conn.aaa_identity)); | |
624 | } | |
a44bb934 MW |
625 | } |
626 | else | |
627 | { | |
628 | if (!streq(auth, "any")) | |
629 | { | |
630 | DBG1(DBG_CFG, "authentication method %s unknown, fallback to any", | |
631 | auth); | |
632 | } | |
633 | build_crl_policy(cfg, local, msg->add_conn.crl_policy); | |
634 | } | |
635 | return cfg; | |
636 | } | |
637 | ||
638 | /** | |
639 | * build a peer_cfg from a stroke msg | |
640 | */ | |
641 | static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, | |
642 | stroke_msg_t *msg, ike_cfg_t *ike_cfg) | |
643 | { | |
644 | identification_t *peer_id = NULL; | |
645 | peer_cfg_t *mediated_by = NULL; | |
a44bb934 MW |
646 | unique_policy_t unique; |
647 | u_int32_t rekey = 0, reauth = 0, over, jitter; | |
648 | peer_cfg_t *peer_cfg; | |
649 | auth_cfg_t *auth_cfg; | |
7daf5226 | 650 | |
dc04b7c7 TB |
651 | #ifdef ME |
652 | if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by) | |
0b14fdb9 | 653 | { |
484a06bc TB |
654 | DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection " |
655 | "at the same time, aborting"); | |
0b14fdb9 MW |
656 | return NULL; |
657 | } | |
7daf5226 | 658 | |
73883705 TB |
659 | if (msg->add_conn.ikeme.mediation) |
660 | { | |
661 | /* force unique connections for mediation connections */ | |
662 | msg->add_conn.unique = 1; | |
663 | } | |
7daf5226 | 664 | |
dc04b7c7 | 665 | if (msg->add_conn.ikeme.mediated_by) |
0b14fdb9 MW |
666 | { |
667 | mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends, | |
484a06bc | 668 | msg->add_conn.ikeme.mediated_by); |
0b14fdb9 MW |
669 | if (!mediated_by) |
670 | { | |
671 | DBG1(DBG_CFG, "mediation connection '%s' not found, aborting", | |
dc04b7c7 | 672 | msg->add_conn.ikeme.mediated_by); |
0b14fdb9 MW |
673 | return NULL; |
674 | } | |
0b14fdb9 MW |
675 | if (!mediated_by->is_mediation(mediated_by)) |
676 | { | |
484a06bc TB |
677 | DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is " |
678 | "no mediation connection, aborting", | |
679 | msg->add_conn.ikeme.mediated_by, msg->add_conn.name); | |
0b14fdb9 | 680 | mediated_by->destroy(mediated_by); |
0b14fdb9 MW |
681 | return NULL; |
682 | } | |
a44bb934 | 683 | if (msg->add_conn.ikeme.peerid) |
0b14fdb9 | 684 | { |
a44bb934 | 685 | peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid); |
0b14fdb9 | 686 | } |
a44bb934 | 687 | else if (msg->add_conn.other.id) |
0b14fdb9 | 688 | { |
a44bb934 | 689 | peer_id = identification_create_from_string(msg->add_conn.other.id); |
0b14fdb9 MW |
690 | } |
691 | } | |
a44bb934 | 692 | #endif /* ME */ |
7daf5226 | 693 | |
0b14fdb9 MW |
694 | jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; |
695 | over = msg->add_conn.rekey.margin; | |
696 | if (msg->add_conn.rekey.reauth) | |
697 | { | |
698 | reauth = msg->add_conn.rekey.ike_lifetime - over; | |
699 | } | |
700 | else | |
701 | { | |
702 | rekey = msg->add_conn.rekey.ike_lifetime - over; | |
484a06bc | 703 | } |
0644ebd3 MW |
704 | switch (msg->add_conn.unique) |
705 | { | |
706 | case 1: /* yes */ | |
707 | case 2: /* replace */ | |
708 | unique = UNIQUE_REPLACE; | |
709 | break; | |
710 | case 3: /* keep */ | |
711 | unique = UNIQUE_KEEP; | |
712 | break; | |
f4cc7ea1 TB |
713 | case 4: /* never */ |
714 | unique = UNIQUE_NEVER; | |
715 | break; | |
0644ebd3 MW |
716 | default: /* no */ |
717 | unique = UNIQUE_NO; | |
718 | break; | |
719 | } | |
140ed97c MW |
720 | if (msg->add_conn.dpd.action == 0) |
721 | { /* dpdaction=none disables DPD */ | |
722 | msg->add_conn.dpd.delay = 0; | |
723 | } | |
7daf5226 | 724 | |
cdcfe777 MW |
725 | /* other.sourceip is managed in stroke_attributes. If it is set, we define |
726 | * the pool name as the connection name, which the attribute provider | |
727 | * uses to serve pool addresses. */ | |
1fdd62ff | 728 | peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, |
484a06bc | 729 | msg->add_conn.me.sendcert, unique, |
0b14fdb9 | 730 | msg->add_conn.rekey.tries, rekey, reauth, jitter, over, |
80c5b17d AS |
731 | msg->add_conn.mobike, msg->add_conn.aggressive, |
732 | msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout, | |
cdcfe777 | 733 | msg->add_conn.ikeme.mediation, mediated_by, peer_id); |
7daf5226 | 734 | |
96c2b3cf | 735 | if (msg->add_conn.other.sourceip) |
497ce2cf | 736 | { |
96c2b3cf MW |
737 | enumerator_t *enumerator; |
738 | char *token; | |
739 | ||
740 | enumerator = enumerator_create_token(msg->add_conn.other.sourceip, | |
741 | ",", " "); | |
742 | while (enumerator->enumerate(enumerator, &token)) | |
743 | { | |
744 | if (streq(token, "%modeconfig") || streq(token, "%modecfg") || | |
745 | streq(token, "%config") || streq(token, "%cfg") || | |
746 | streq(token, "%config4") || streq(token, "%config6")) | |
747 | { | |
748 | /* empty pool, uses connection name */ | |
749 | this->attributes->add_pool(this->attributes, | |
750 | mem_pool_create(msg->add_conn.name, NULL, 0)); | |
751 | peer_cfg->add_pool(peer_cfg, msg->add_conn.name); | |
752 | } | |
753 | else if (*token == '%') | |
754 | { | |
755 | /* external named pool */ | |
756 | peer_cfg->add_pool(peer_cfg, token + 1); | |
757 | } | |
758 | else | |
759 | { | |
760 | /* in-memory pool, named using CIDR notation */ | |
761 | host_t *base; | |
762 | int bits; | |
763 | ||
764 | base = host_create_from_subnet(token, &bits); | |
765 | if (base) | |
766 | { | |
767 | this->attributes->add_pool(this->attributes, | |
768 | mem_pool_create(token, base, bits)); | |
769 | peer_cfg->add_pool(peer_cfg, token); | |
770 | base->destroy(base); | |
771 | } | |
772 | else | |
773 | { | |
774 | DBG1(DBG_CFG, "IP pool %s invalid, ignored", token); | |
775 | } | |
776 | } | |
777 | } | |
778 | enumerator->destroy(enumerator); | |
497ce2cf | 779 | } |
96c2b3cf MW |
780 | |
781 | if (msg->add_conn.me.sourceip) | |
497ce2cf | 782 | { |
96c2b3cf MW |
783 | enumerator_t *enumerator; |
784 | char *token; | |
785 | ||
786 | enumerator = enumerator_create_token(msg->add_conn.me.sourceip, ",", " "); | |
787 | while (enumerator->enumerate(enumerator, &token)) | |
788 | { | |
789 | host_t *vip = NULL; | |
790 | ||
791 | if (streq(token, "%modeconfig") || streq(token, "%modecfg") || | |
792 | streq(token, "%config") || streq(token, "%cfg")) | |
793 | { /* try to deduce an address family */ | |
794 | if (msg->add_conn.me.subnets) | |
795 | { /* use the same family as in local subnet, if any */ | |
796 | if (strchr(msg->add_conn.me.subnets, '.')) | |
797 | { | |
798 | vip = host_create_any(AF_INET); | |
799 | } | |
800 | else | |
801 | { | |
802 | vip = host_create_any(AF_INET6); | |
803 | } | |
804 | } | |
805 | else if (msg->add_conn.other.subnets) | |
806 | { /* use the same family as in remote subnet, if any */ | |
807 | if (strchr(msg->add_conn.other.subnets, '.')) | |
808 | { | |
809 | vip = host_create_any(AF_INET); | |
810 | } | |
811 | else | |
812 | { | |
813 | vip = host_create_any(AF_INET6); | |
814 | } | |
815 | } | |
816 | else | |
817 | { | |
818 | if (strchr(ike_cfg->get_my_addr(ike_cfg, NULL), ':')) | |
819 | { | |
820 | vip = host_create_any(AF_INET6); | |
821 | } | |
822 | else | |
823 | { | |
824 | vip = host_create_any(AF_INET); | |
825 | } | |
826 | } | |
827 | } | |
828 | else if (streq(token, "%config4")) | |
829 | { | |
830 | vip = host_create_any(AF_INET); | |
831 | } | |
832 | else if (streq(token, "%config6")) | |
833 | { | |
834 | vip = host_create_any(AF_INET6); | |
835 | } | |
836 | else | |
837 | { | |
838 | vip = host_create_from_string(token, 0); | |
839 | if (vip) | |
840 | { | |
841 | DBG1(DBG_CFG, "ignored invalid subnet token: %s", token); | |
842 | } | |
843 | } | |
844 | ||
845 | if (vip) | |
846 | { | |
847 | peer_cfg->add_virtual_ip(peer_cfg, vip); | |
848 | } | |
849 | } | |
850 | enumerator->destroy(enumerator); | |
497ce2cf | 851 | } |
7daf5226 | 852 | |
a44bb934 MW |
853 | /* build leftauth= */ |
854 | auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE); | |
855 | if (auth_cfg) | |
0b14fdb9 | 856 | { |
a44bb934 | 857 | peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE); |
0b14fdb9 | 858 | } |
a44bb934 MW |
859 | else |
860 | { /* we require at least one config on our side */ | |
861 | peer_cfg->destroy(peer_cfg); | |
862 | return NULL; | |
0b14fdb9 | 863 | } |
a44bb934 MW |
864 | /* build leftauth2= */ |
865 | auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE); | |
866 | if (auth_cfg) | |
82290106 | 867 | { |
a44bb934 | 868 | peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE); |
82290106 | 869 | } |
a44bb934 MW |
870 | /* build rightauth= */ |
871 | auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE); | |
872 | if (auth_cfg) | |
82290106 | 873 | { |
a44bb934 | 874 | peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); |
82290106 | 875 | } |
a44bb934 MW |
876 | /* build rightauth2= */ |
877 | auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE); | |
878 | if (auth_cfg) | |
b33c11b6 | 879 | { |
a44bb934 | 880 | peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); |
b33c11b6 | 881 | } |
a44bb934 | 882 | return peer_cfg; |
0b14fdb9 MW |
883 | } |
884 | ||
885 | /** | |
886 | * build a traffic selector from a stroke_end | |
887 | */ | |
34443902 MW |
888 | static void add_ts(private_stroke_config_t *this, |
889 | stroke_end_t *end, child_cfg_t *child_cfg, bool local) | |
0b14fdb9 | 890 | { |
34443902 | 891 | traffic_selector_t *ts; |
7daf5226 | 892 | |
0b14fdb9 MW |
893 | if (end->tohost) |
894 | { | |
34443902 | 895 | ts = traffic_selector_create_dynamic(end->protocol, |
cd41b951 | 896 | end->from_port, end->to_port); |
34443902 | 897 | child_cfg->add_traffic_selector(child_cfg, local, ts); |
0b14fdb9 MW |
898 | } |
899 | else | |
900 | { | |
34443902 | 901 | if (!end->subnets) |
0b14fdb9 | 902 | { |
1efd6c6f MW |
903 | host_t *net; |
904 | ||
4e18490e | 905 | net = host_create_from_string(end->address, 0); |
34443902 MW |
906 | if (net) |
907 | { | |
908 | ts = traffic_selector_create_from_subnet(net, 0, end->protocol, | |
cd41b951 | 909 | end->from_port, end->to_port); |
34443902 MW |
910 | child_cfg->add_traffic_selector(child_cfg, local, ts); |
911 | } | |
912 | } | |
913 | else | |
914 | { | |
1efd6c6f MW |
915 | enumerator_t *enumerator; |
916 | char *subnet; | |
7daf5226 | 917 | |
1efd6c6f MW |
918 | enumerator = enumerator_create_token(end->subnets, ",", " "); |
919 | while (enumerator->enumerate(enumerator, &subnet)) | |
34443902 | 920 | { |
a1db77de | 921 | ts = traffic_selector_create_from_cidr(subnet, end->protocol, |
cd41b951 | 922 | end->from_port, end->to_port); |
1efd6c6f | 923 | if (ts) |
34443902 | 924 | { |
34443902 MW |
925 | child_cfg->add_traffic_selector(child_cfg, local, ts); |
926 | } | |
927 | else | |
928 | { | |
1efd6c6f | 929 | DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet); |
34443902 | 930 | } |
34443902 | 931 | } |
1efd6c6f | 932 | enumerator->destroy(enumerator); |
0b14fdb9 | 933 | } |
0b14fdb9 MW |
934 | } |
935 | } | |
936 | ||
f34ebc84 MW |
937 | /** |
938 | * map starter magic values to our action type | |
939 | */ | |
940 | static action_t map_action(int starter_action) | |
941 | { | |
942 | switch (starter_action) | |
943 | { | |
944 | case 2: /* =hold */ | |
945 | return ACTION_ROUTE; | |
946 | case 3: /* =restart */ | |
947 | return ACTION_RESTART; | |
948 | default: | |
949 | return ACTION_NONE; | |
950 | } | |
951 | } | |
952 | ||
0b14fdb9 MW |
953 | /** |
954 | * build a child config from the stroke message | |
955 | */ | |
956 | static child_cfg_t *build_child_cfg(private_stroke_config_t *this, | |
957 | stroke_msg_t *msg) | |
958 | { | |
959 | child_cfg_t *child_cfg; | |
e75f4237 TB |
960 | lifetime_cfg_t lifetime = { |
961 | .time = { | |
962 | .life = msg->add_conn.rekey.ipsec_lifetime, | |
963 | .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, | |
964 | .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 | |
965 | }, | |
966 | .bytes = { | |
967 | .life = msg->add_conn.rekey.life_bytes, | |
968 | .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, | |
969 | .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 | |
970 | }, | |
971 | .packets = { | |
972 | .life = msg->add_conn.rekey.life_packets, | |
973 | .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, | |
974 | .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 | |
975 | } | |
976 | }; | |
26c4d010 AS |
977 | mark_t mark_in = { |
978 | .value = msg->add_conn.mark_in.value, | |
979 | .mask = msg->add_conn.mark_in.mask | |
980 | }; | |
981 | mark_t mark_out = { | |
982 | .value = msg->add_conn.mark_out.value, | |
983 | .mask = msg->add_conn.mark_out.mask | |
ee26c537 | 984 | }; |
7daf5226 | 985 | |
e0a8a8c3 | 986 | child_cfg = child_cfg_create( |
f34ebc84 MW |
987 | msg->add_conn.name, &lifetime, msg->add_conn.me.updown, |
988 | msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE, | |
989 | map_action(msg->add_conn.dpd.action), | |
990 | map_action(msg->add_conn.close_action), msg->add_conn.ipcomp, | |
26c4d010 | 991 | msg->add_conn.inactivity, msg->add_conn.reqid, |
6c302616 | 992 | &mark_in, &mark_out, msg->add_conn.tfc); |
c117f24e | 993 | child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, |
d487b4b7 | 994 | msg->add_conn.install_policy); |
34443902 MW |
995 | add_ts(this, &msg->add_conn.me, child_cfg, TRUE); |
996 | add_ts(this, &msg->add_conn.other, child_cfg, FALSE); | |
7daf5226 | 997 | |
0b14fdb9 | 998 | add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg); |
7daf5226 | 999 | |
0b14fdb9 MW |
1000 | return child_cfg; |
1001 | } | |
1002 | ||
a9ac8c51 AS |
1003 | METHOD(stroke_config_t, add, void, |
1004 | private_stroke_config_t *this, stroke_msg_t *msg) | |
0b14fdb9 MW |
1005 | { |
1006 | ike_cfg_t *ike_cfg, *existing_ike; | |
1007 | peer_cfg_t *peer_cfg, *existing; | |
1008 | child_cfg_t *child_cfg; | |
1009 | enumerator_t *enumerator; | |
1010 | bool use_existing = FALSE; | |
1011 | ||
1012 | ike_cfg = build_ike_cfg(this, msg); | |
1013 | if (!ike_cfg) | |
1014 | { | |
1015 | return; | |
1016 | } | |
a44bb934 | 1017 | peer_cfg = build_peer_cfg(this, msg, ike_cfg); |
0b14fdb9 MW |
1018 | if (!peer_cfg) |
1019 | { | |
1020 | ike_cfg->destroy(ike_cfg); | |
1021 | return; | |
1022 | } | |
7daf5226 | 1023 | |
0b14fdb9 MW |
1024 | enumerator = create_peer_cfg_enumerator(this, NULL, NULL); |
1025 | while (enumerator->enumerate(enumerator, &existing)) | |
1026 | { | |
1027 | existing_ike = existing->get_ike_cfg(existing); | |
1028 | if (existing->equals(existing, peer_cfg) && | |
1029 | existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg))) | |
1030 | { | |
1031 | use_existing = TRUE; | |
1032 | peer_cfg->destroy(peer_cfg); | |
1033 | peer_cfg = existing; | |
1034 | peer_cfg->get_ref(peer_cfg); | |
1035 | DBG1(DBG_CFG, "added child to existing configuration '%s'", | |
1036 | peer_cfg->get_name(peer_cfg)); | |
1037 | break; | |
1038 | } | |
1039 | } | |
1040 | enumerator->destroy(enumerator); | |
7daf5226 | 1041 | |
0b14fdb9 MW |
1042 | child_cfg = build_child_cfg(this, msg); |
1043 | if (!child_cfg) | |
1044 | { | |
1045 | peer_cfg->destroy(peer_cfg); | |
1046 | return; | |
1047 | } | |
1048 | peer_cfg->add_child_cfg(peer_cfg, child_cfg); | |
7daf5226 | 1049 | |
0b14fdb9 MW |
1050 | if (use_existing) |
1051 | { | |
1052 | peer_cfg->destroy(peer_cfg); | |
1053 | } | |
1054 | else | |
1055 | { | |
1056 | /* add config to backend */ | |
a44bb934 | 1057 | DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name); |
0b14fdb9 MW |
1058 | this->mutex->lock(this->mutex); |
1059 | this->list->insert_last(this->list, peer_cfg); | |
1060 | this->mutex->unlock(this->mutex); | |
1061 | } | |
1062 | } | |
1063 | ||
a9ac8c51 AS |
1064 | METHOD(stroke_config_t, del, void, |
1065 | private_stroke_config_t *this, stroke_msg_t *msg) | |
0b14fdb9 MW |
1066 | { |
1067 | enumerator_t *enumerator, *children; | |
1068 | peer_cfg_t *peer; | |
1069 | child_cfg_t *child; | |
a8d938ca | 1070 | bool deleted = FALSE; |
7daf5226 | 1071 | |
0b14fdb9 MW |
1072 | this->mutex->lock(this->mutex); |
1073 | enumerator = this->list->create_enumerator(this->list); | |
1074 | while (enumerator->enumerate(enumerator, (void**)&peer)) | |
1075 | { | |
a8d938ca | 1076 | bool keep = FALSE; |
7daf5226 | 1077 | |
0b14fdb9 MW |
1078 | /* remove any child with such a name */ |
1079 | children = peer->create_child_cfg_enumerator(peer); | |
1080 | while (children->enumerate(children, &child)) | |
1081 | { | |
1082 | if (streq(child->get_name(child), msg->del_conn.name)) | |
1083 | { | |
a8d938ca | 1084 | peer->remove_child_cfg(peer, children); |
0b14fdb9 | 1085 | child->destroy(child); |
a8d938ca MW |
1086 | deleted = TRUE; |
1087 | } | |
1088 | else | |
1089 | { | |
1090 | keep = TRUE; | |
0b14fdb9 MW |
1091 | } |
1092 | } | |
1093 | children->destroy(children); | |
7daf5226 | 1094 | |
a8d938ca MW |
1095 | /* if peer config matches, or has no children anymore, remove it */ |
1096 | if (!keep || streq(peer->get_name(peer), msg->del_conn.name)) | |
1097 | { | |
1098 | this->list->remove_at(this->list, enumerator); | |
1099 | peer->destroy(peer); | |
1100 | deleted = TRUE; | |
1101 | } | |
0b14fdb9 MW |
1102 | } |
1103 | enumerator->destroy(enumerator); | |
1104 | this->mutex->unlock(this->mutex); | |
7daf5226 | 1105 | |
a8d938ca MW |
1106 | if (deleted) |
1107 | { | |
1108 | DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name); | |
1109 | } | |
1110 | else | |
1111 | { | |
1112 | DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name); | |
1113 | } | |
0b14fdb9 MW |
1114 | } |
1115 | ||
9f1b303a TB |
1116 | METHOD(stroke_config_t, set_user_credentials, void, |
1117 | private_stroke_config_t *this, stroke_msg_t *msg, FILE *prompt) | |
1118 | { | |
80067cf9 | 1119 | enumerator_t *enumerator, *children, *remote_auth; |
9f1b303a | 1120 | peer_cfg_t *peer, *found = NULL; |
80067cf9 | 1121 | auth_cfg_t *auth_cfg, *remote_cfg; |
9f1b303a | 1122 | auth_class_t auth_class; |
9f1b303a | 1123 | child_cfg_t *child; |
80067cf9 | 1124 | identification_t *id, *identity, *gw = NULL; |
9f1b303a TB |
1125 | shared_key_type_t type = SHARED_ANY; |
1126 | chunk_t password = chunk_empty; | |
1127 | ||
1128 | this->mutex->lock(this->mutex); | |
1129 | enumerator = this->list->create_enumerator(this->list); | |
1130 | while (enumerator->enumerate(enumerator, (void**)&peer)) | |
1131 | { /* find the peer (or child) config with the given name */ | |
1132 | if (streq(peer->get_name(peer), msg->user_creds.name)) | |
1133 | { | |
1134 | found = peer; | |
1135 | } | |
1136 | else | |
1137 | { | |
1138 | children = peer->create_child_cfg_enumerator(peer); | |
1139 | while (children->enumerate(children, &child)) | |
1140 | { | |
1141 | if (streq(child->get_name(child), msg->user_creds.name)) | |
1142 | { | |
1143 | found = peer; | |
1144 | break; | |
1145 | } | |
1146 | } | |
1147 | children->destroy(children); | |
1148 | } | |
1149 | ||
1150 | if (found) | |
1151 | { | |
1152 | break; | |
1153 | } | |
1154 | } | |
1155 | enumerator->destroy(enumerator); | |
1156 | ||
1157 | if (!found) | |
1158 | { | |
1159 | DBG1(DBG_CFG, " no config named '%s'", msg->user_creds.name); | |
1160 | fprintf(prompt, "no config named '%s'\n", msg->user_creds.name); | |
1161 | this->mutex->unlock(this->mutex); | |
1162 | return; | |
1163 | } | |
1164 | ||
1165 | id = identification_create_from_string(msg->user_creds.username); | |
1166 | if (strlen(msg->user_creds.username) == 0 || | |
1167 | !id || id->get_type(id) == ID_ANY) | |
1168 | { | |
1169 | DBG1(DBG_CFG, " invalid username '%s'", msg->user_creds.username); | |
1170 | fprintf(prompt, "invalid username '%s'\n", msg->user_creds.username); | |
1171 | this->mutex->unlock(this->mutex); | |
1172 | DESTROY_IF(id); | |
1173 | return; | |
1174 | } | |
1175 | ||
8c19323c TB |
1176 | /* replace/set the username in the first EAP/XAuth auth_cfg, also look for |
1177 | * a suitable remote ID. | |
80067cf9 TB |
1178 | * note that adding the identity here is not fully thread-safe as the |
1179 | * peer_cfg and in turn the auth_cfg could be in use. for the default use | |
1180 | * case (setting user credentials before upping the connection) this will | |
1181 | * not be a problem, though. */ | |
9f1b303a | 1182 | enumerator = found->create_auth_cfg_enumerator(found, TRUE); |
80067cf9 | 1183 | remote_auth = found->create_auth_cfg_enumerator(found, FALSE); |
9f1b303a TB |
1184 | while (enumerator->enumerate(enumerator, (void**)&auth_cfg)) |
1185 | { | |
80067cf9 TB |
1186 | if (remote_auth->enumerate(remote_auth, (void**)&remote_cfg)) |
1187 | { /* fall back on rightid, in case aaa_identity is not specified */ | |
1188 | identity = remote_cfg->get(remote_cfg, AUTH_RULE_IDENTITY); | |
1189 | if (identity && identity->get_type(identity) != ID_ANY) | |
1190 | { | |
1191 | gw = identity; | |
1192 | } | |
1193 | } | |
1194 | ||
9f1b303a | 1195 | auth_class = (uintptr_t)auth_cfg->get(auth_cfg, AUTH_RULE_AUTH_CLASS); |
8c19323c | 1196 | if (auth_class == AUTH_CLASS_EAP || auth_class == AUTH_CLASS_XAUTH) |
9f1b303a | 1197 | { |
8c19323c | 1198 | if (auth_class == AUTH_CLASS_EAP) |
9f1b303a | 1199 | { |
8c19323c TB |
1200 | auth_cfg->add(auth_cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id)); |
1201 | /* if aaa_identity is specified use that as remote ID */ | |
1202 | identity = auth_cfg->get(auth_cfg, AUTH_RULE_AAA_IDENTITY); | |
1203 | if (identity && identity->get_type(identity) != ID_ANY) | |
1204 | { | |
1205 | gw = identity; | |
1206 | } | |
1207 | DBG1(DBG_CFG, " configured EAP-Identity %Y", id); | |
1208 | } | |
1209 | else | |
1210 | { | |
1211 | auth_cfg->add(auth_cfg, AUTH_RULE_XAUTH_IDENTITY, | |
1212 | id->clone(id)); | |
1213 | DBG1(DBG_CFG, " configured XAuth username %Y", id); | |
9f1b303a TB |
1214 | } |
1215 | type = SHARED_EAP; | |
1216 | break; | |
1217 | } | |
1218 | } | |
1219 | enumerator->destroy(enumerator); | |
80067cf9 TB |
1220 | remote_auth->destroy(remote_auth); |
1221 | /* clone the gw ID before unlocking the mutex */ | |
1222 | if (gw) | |
1223 | { | |
1224 | gw = gw->clone(gw); | |
1225 | } | |
1226 | this->mutex->unlock(this->mutex); | |
9f1b303a TB |
1227 | |
1228 | if (type == SHARED_ANY) | |
1229 | { | |
1230 | DBG1(DBG_CFG, " config '%s' unsuitable for user credentials", | |
1231 | msg->user_creds.name); | |
1232 | fprintf(prompt, "config '%s' unsuitable for user credentials\n", | |
1233 | msg->user_creds.name); | |
9f1b303a | 1234 | id->destroy(id); |
80067cf9 | 1235 | DESTROY_IF(gw); |
9f1b303a TB |
1236 | return; |
1237 | } | |
9f1b303a TB |
1238 | |
1239 | if (msg->user_creds.password) | |
1240 | { | |
1241 | char *pass; | |
1242 | ||
1243 | pass = msg->user_creds.password; | |
1244 | password = chunk_clone(chunk_create(pass, strlen(pass))); | |
1245 | memwipe(pass, strlen(pass)); | |
1246 | } | |
1247 | else | |
1248 | { /* prompt the user for the password */ | |
1249 | char buf[256]; | |
1250 | ||
1251 | fprintf(prompt, "Password:\n"); | |
1252 | if (fgets(buf, sizeof(buf), prompt)) | |
1253 | { | |
1254 | password = chunk_clone(chunk_create(buf, strlen(buf))); | |
1255 | if (password.len > 0) | |
1256 | { /* trim trailing \n */ | |
1257 | password.len--; | |
1258 | } | |
1259 | memwipe(buf, sizeof(buf)); | |
1260 | } | |
1261 | } | |
1262 | ||
1263 | if (password.len) | |
1264 | { | |
1265 | shared_key_t *shared; | |
1266 | linked_list_t *owners; | |
1267 | ||
1268 | shared = shared_key_create(type, password); | |
1269 | ||
1270 | owners = linked_list_create(); | |
1271 | owners->insert_last(owners, id->clone(id)); | |
80067cf9 TB |
1272 | if (gw && gw->get_type(gw) != ID_ANY) |
1273 | { | |
1274 | owners->insert_last(owners, gw->clone(gw)); | |
1275 | DBG1(DBG_CFG, " added %N secret for %Y %Y", shared_key_type_names, | |
1276 | type, id, gw); | |
1277 | } | |
1278 | else | |
1279 | { | |
1280 | DBG1(DBG_CFG, " added %N secret for %Y", shared_key_type_names, | |
1281 | type, id); | |
1282 | } | |
9f1b303a | 1283 | this->cred->add_shared(this->cred, shared, owners); |
9f1b303a TB |
1284 | DBG4(DBG_CFG, " secret: %#B", &password); |
1285 | } | |
1286 | else | |
1287 | { /* in case a user answers the password prompt by just pressing enter */ | |
1288 | chunk_clear(&password); | |
1289 | } | |
80067cf9 TB |
1290 | id->destroy(id); |
1291 | DESTROY_IF(gw); | |
9f1b303a TB |
1292 | } |
1293 | ||
a9ac8c51 AS |
1294 | METHOD(stroke_config_t, destroy, void, |
1295 | private_stroke_config_t *this) | |
0b14fdb9 MW |
1296 | { |
1297 | this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy)); | |
1298 | this->mutex->destroy(this->mutex); | |
1299 | free(this); | |
1300 | } | |
1301 | ||
1302 | /* | |
1303 | * see header file | |
1304 | */ | |
96c2b3cf MW |
1305 | stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred, |
1306 | stroke_attribute_t *attributes) | |
0b14fdb9 | 1307 | { |
a9ac8c51 AS |
1308 | private_stroke_config_t *this; |
1309 | ||
1310 | INIT(this, | |
1311 | .public = { | |
1312 | .backend = { | |
1313 | .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, | |
1314 | .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, | |
1315 | .get_peer_cfg_by_name = _get_peer_cfg_by_name, | |
1316 | }, | |
1317 | .add = _add, | |
1318 | .del = _del, | |
9f1b303a | 1319 | .set_user_credentials = _set_user_credentials, |
a9ac8c51 AS |
1320 | .destroy = _destroy, |
1321 | }, | |
1322 | .list = linked_list_create(), | |
1323 | .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), | |
1324 | .ca = ca, | |
1325 | .cred = cred, | |
96c2b3cf | 1326 | .attributes = attributes, |
a9ac8c51 | 1327 | ); |
7daf5226 | 1328 | |
0b14fdb9 MW |
1329 | return &this->public; |
1330 | } |