[thirdparty/strongswan.git] / src / starter / starterstroke.c

/*
 * Copyright (C) 2007-2015 Tobias Brunner
 * Copyright (C) 2006 Martin Willi
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#include <credentials/auth_cfg.h>

#include <library.h>
#include <utils/debug.h>

#include <stroke_msg.h>

#include "starterstroke.h"
#include "confread.h"
#include "files.h"

#define IPV4_LEN	 4
#define IPV6_LEN	16

static stroke_msg_t *create_stroke_msg(int type)
{
	stroke_msg_t *msg;

	INIT(msg,
		.type = type,
		.length = offsetof(stroke_msg_t, buffer),
	);
	return msg;
}

#define push_string(msg, field, str) \
	push_string_impl(msg, offsetof(stroke_msg_t, field), str)
#define push_string_end(msg, offset, field, str) \
	push_string_impl(msg, offset + offsetof(stroke_end_t, field), str)

static void push_string_impl(stroke_msg_t **msg, size_t offset, char *string)
{
	size_t cur_len = (*msg)->length, str_len;

	if (!string)
	{
		return;
	}
	str_len = strlen(string) + 1;
	if (cur_len + str_len >= UINT16_MAX)
	{
		(*msg)->length = UINT16_MAX;
		return;
	}
	while (cur_len + str_len > sizeof(stroke_msg_t) + (*msg)->buflen)
	{
		*msg = realloc(*msg, sizeof(stroke_msg_t) + (*msg)->buflen +
					   STROKE_BUF_LEN_INC);
		(*msg)->buflen += STROKE_BUF_LEN_INC;
	}
	(*msg)->length += str_len;
	strcpy((char*)*msg + cur_len, string);
	*(char**)((char*)*msg + offset) = (char*)cur_len;
}

static int send_stroke_msg(stroke_msg_t *msg)
{
	stream_t *stream;
	char *uri, buffer[64];
	int count;

	if (msg->length == UINT16_MAX)
	{
		DBG1(DBG_APP, "stroke message exceeds maximum buffer size");
		free(msg);
		return -1;
	}

	/* starter is not called from commandline, and therefore absolutely silent */
	msg->output_verbosity = -1;

	uri = lib->settings->get_str(lib->settings, "%s.plugins.stroke.socket",
								 "unix://" CHARON_CTL_FILE, daemon_name);
	stream = lib->streams->connect(lib->streams, uri);
	if (!stream)
	{
		DBG1(DBG_APP, "failed to connect to stroke socket '%s'", uri);
		free(msg);
		return -1;
	}

	if (!stream->write_all(stream, msg, msg->length))
	{
		DBG1(DBG_APP, "sending stroke message failed");
		stream->destroy(stream);
		free(msg);
		return -1;
	}
	while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0)
	{
		buffer[count] = '\0';
		DBG1(DBG_APP, "%s", buffer);
	}
	if (count < 0)
	{
		DBG1(DBG_APP, "reading stroke response failed");
	}
	stream->destroy(stream);
	free(msg);
	return 0;
}

static char* connection_name(starter_conn_t *conn)
{
	 /* if connection name is '%auto', create a new name like conn_xxxxx */
	static char buf[32];

	if (streq(conn->name, "%auto"))
	{
		sprintf(buf, "conn_%lu", conn->id);
		return buf;
	}
	return conn->name;
}

static void add_end(stroke_msg_t **msg, size_t offset, starter_end_t *conn_end)
{
	stroke_end_t *msg_end;

	push_string_end(msg, offset, auth, conn_end->auth);
	push_string_end(msg, offset, auth2, conn_end->auth2);
	push_string_end(msg, offset, id, conn_end->id);
	push_string_end(msg, offset, id2, conn_end->id2);
	push_string_end(msg, offset, rsakey, conn_end->rsakey);
	push_string_end(msg, offset, cert, conn_end->cert);
	push_string_end(msg, offset, cert2, conn_end->cert2);
	push_string_end(msg, offset, cert_policy, conn_end->cert_policy);
	push_string_end(msg, offset, ca, conn_end->ca);
	push_string_end(msg, offset, ca2, conn_end->ca2);
	push_string_end(msg, offset, groups, conn_end->groups);
	push_string_end(msg, offset, groups2, conn_end->groups2);
	push_string_end(msg, offset, updown, conn_end->updown);
	if (conn_end->host)
	{
		push_string_end(msg, offset, address, conn_end->host);
	}
	else
	{
		push_string_end(msg, offset, address, "%any");
	}
	push_string_end(msg, offset, subnets, conn_end->subnet);
	push_string_end(msg, offset, sourceip, conn_end->sourceip);
	push_string_end(msg, offset, dns, conn_end->dns);

	/* we can't assign it earlier as msg might change */
	msg_end = (stroke_end_t*)((char*)(*msg) + offset);
	msg_end->ikeport = conn_end->ikeport;
	msg_end->sendcert = conn_end->sendcert;
	msg_end->hostaccess = conn_end->hostaccess;
	msg_end->tohost = !conn_end->subnet;
	msg_end->allow_any = conn_end->allow_any;
	msg_end->protocol = conn_end->protocol;
	msg_end->from_port = conn_end->from_port;
	msg_end->to_port = conn_end->to_port;
}

int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_ADD_CONN);
	msg->add_conn.version = conn->keyexchange;
	push_string(&msg, add_conn.name, connection_name(conn));
	push_string(&msg, add_conn.eap_identity, conn->eap_identity);
	push_string(&msg, add_conn.aaa_identity, conn->aaa_identity);
	push_string(&msg, add_conn.xauth_identity, conn->xauth_identity);

	msg->add_conn.mode = conn->mode;
	msg->add_conn.proxy_mode = conn->proxy_mode;

	if (!(conn->options & SA_OPTION_DONT_REKEY))
	{
		msg->add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
		msg->add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
		msg->add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
		msg->add_conn.rekey.margin = conn->sa_rekey_margin;
		msg->add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
		msg->add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
		msg->add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
		msg->add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
		msg->add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
	}
	msg->add_conn.rekey.tries = conn->sa_keying_tries;

	msg->add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
	msg->add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
	msg->add_conn.fragmentation = conn->fragmentation;
	msg->add_conn.ikedscp = conn->ikedscp;
	msg->add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
	msg->add_conn.install_policy = conn->install_policy;
	msg->add_conn.aggressive = conn->aggressive;
	msg->add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH;
	msg->add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
	msg->add_conn.unique = cfg->setup.uniqueids;
	push_string(&msg, add_conn.algorithms.ike, conn->ike);
	push_string(&msg, add_conn.algorithms.esp, conn->esp);
	push_string(&msg, add_conn.algorithms.ah, conn->ah);
	msg->add_conn.dpd.delay = conn->dpd_delay;
	msg->add_conn.dpd.timeout = conn->dpd_timeout;
	msg->add_conn.dpd.action = conn->dpd_action;
	msg->add_conn.close_action = conn->close_action;
	msg->add_conn.sha256_96 = conn->sha256_96;
	msg->add_conn.inactivity = conn->inactivity;
	msg->add_conn.ikeme.mediation = conn->me_mediation;
	push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by);
	push_string(&msg, add_conn.ikeme.peerid, conn->me_peerid);
	msg->add_conn.reqid = conn->reqid;
	msg->add_conn.replay_window = conn->replay_window;
	msg->add_conn.mark_in.value = conn->mark_in.value;
	msg->add_conn.mark_in.mask = conn->mark_in.mask;
	msg->add_conn.mark_out.value = conn->mark_out.value;
	msg->add_conn.mark_out.mask = conn->mark_out.mask;
	msg->add_conn.tfc = conn->tfc;

	add_end(&msg, offsetof(stroke_msg_t, add_conn.me), &conn->left);
	add_end(&msg, offsetof(stroke_msg_t, add_conn.other), &conn->right);

	if (!msg->add_conn.me.auth && !msg->add_conn.other.auth &&
		 conn->authby)
	{	/* leftauth/rightauth not set, use legacy options */
		if (streq(conn->authby, "rsa")   || streq(conn->authby, "rsasig")   ||
			streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
			streq(conn->authby, "pubkey"))
		{
			push_string(&msg, add_conn.me.auth, "pubkey");
			push_string(&msg, add_conn.other.auth, "pubkey");
		}
		else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
		{
			push_string(&msg, add_conn.me.auth, "psk");
			push_string(&msg, add_conn.other.auth, "psk");
		}
		else if (streq(conn->authby, "xauthrsasig"))
		{
			push_string(&msg, add_conn.me.auth, "pubkey");
			push_string(&msg, add_conn.other.auth, "pubkey");
			if (conn->options & SA_OPTION_XAUTH_SERVER)
			{
				push_string(&msg, add_conn.other.auth2, "xauth");
			}
			else
			{
				push_string(&msg, add_conn.me.auth2, "xauth");
			}
		}
		else if (streq(conn->authby, "xauthpsk"))
		{
			push_string(&msg, add_conn.me.auth, "psk");
			push_string(&msg, add_conn.other.auth, "psk");
			if (conn->options & SA_OPTION_XAUTH_SERVER)
			{
				push_string(&msg, add_conn.other.auth2, "xauth");
			}
			else
			{
				push_string(&msg, add_conn.me.auth2, "xauth");
			}
		}
	}
	return send_stroke_msg(msg);
}

int starter_stroke_del_conn(starter_conn_t *conn)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_DEL_CONN);
	push_string(&msg, del_conn.name, connection_name(conn));
	return send_stroke_msg(msg);
}

int starter_stroke_route_conn(starter_conn_t *conn)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_ROUTE);
	push_string(&msg, route.name, connection_name(conn));
	return send_stroke_msg(msg);
}

int starter_stroke_unroute_conn(starter_conn_t *conn)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_UNROUTE);
	push_string(&msg, route.name, connection_name(conn));
	return send_stroke_msg(msg);
}

int starter_stroke_initiate_conn(starter_conn_t *conn)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_INITIATE);
	push_string(&msg, initiate.name, connection_name(conn));
	return send_stroke_msg(msg);
}

int starter_stroke_add_ca(starter_ca_t *ca)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_ADD_CA);
	push_string(&msg, add_ca.name, ca->name);
	push_string(&msg, add_ca.cacert, ca->cacert);
	push_string(&msg, add_ca.crluri, ca->crluri);
	push_string(&msg, add_ca.crluri2, ca->crluri2);
	push_string(&msg, add_ca.ocspuri, ca->ocspuri);
	push_string(&msg, add_ca.ocspuri2, ca->ocspuri2);
	push_string(&msg, add_ca.certuribase, ca->certuribase);
	return send_stroke_msg(msg);
}

int starter_stroke_del_ca(starter_ca_t *ca)
{
	stroke_msg_t *msg;

	msg = create_stroke_msg(STR_DEL_CA);
	push_string(&msg, del_ca.name, ca->name);
	return send_stroke_msg(msg);
}

int starter_stroke_configure(starter_config_t *cfg)
{
	stroke_msg_t *msg;

	if (cfg->setup.cachecrls)
	{
		msg = create_stroke_msg(STR_CONFIG);
		msg->config.cachecrl = 1;
		return send_stroke_msg(msg);
	}
	return 0;
}
Commit	Line	Data
6d065f14	1	/*
d8fe354a	2	* Copyright (C) 2007-2015 Tobias Brunner
d5cc1758	3	* Copyright (C) 2006 Martin Willi
a3678ca2 MW	4	*
	5	* This program is free software; you can redistribute it and/or modify it
	6	* under the terms of the GNU General Public License as published by the
	7	* Free Software Foundation; either version 2 of the License, or (at your
	8	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	9	*
	10	* This program is distributed in the hope that it will be useful, but
	11	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	12	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	13	* for more details.
a3678ca2 MW	14	*/
a3678ca2 MW	15
a3678ca2 MW	16	#include <unistd.h>
a3678ca2 MW	17	#include <stdlib.h>
2d5b3d34	18	#include <stdint.h>
d24a74c5	19	#include <string.h>
a3678ca2	20
f8799170 AS	21	#include <credentials/auth_cfg.h>
f8799170 AS	22
163b2273	23	#include <library.h>
f05b4272	24	#include <utils/debug.h>
a3678ca2	25
552cc11b	26	#include <stroke_msg.h>
a3678ca2 MW	27
	28	#include "starterstroke.h"
	29	#include "confread.h"
	30	#include "files.h"
	31
2e655695 AS	32	#define IPV4_LEN 4
2e655695 AS	33	#define IPV6_LEN 16
61670ba2	34
d8fe354a	35	static stroke_msg_t *create_stroke_msg(int type)
a3678ca2	36	{
d8fe354a	37	stroke_msg_t *msg;
2e655695	38
d8fe354a TB	39	INIT(msg,
	40	.type = type,
	41	.length = offsetof(stroke_msg_t, buffer),
	42	);
	43	return msg;
	44	}
	45
	46	#define push_string(msg, field, str) \
	47	push_string_impl(msg, offsetof(stroke_msg_t, field), str)
	48	#define push_string_end(msg, offset, field, str) \
	49	push_string_impl(msg, offset + offsetof(stroke_end_t, field), str)
	50
	51	static void push_string_impl(stroke_msg_t *msg, size_t offset, char string)
	52	{
	53	size_t cur_len = (*msg)->length, str_len;
	54
	55	if (!string)
2e655695	56	{
d8fe354a	57	return;
2e655695	58	}
d8fe354a TB	59	str_len = strlen(string) + 1;
d8fe354a TB	60	if (cur_len + str_len >= UINT16_MAX)
eaa964b3	61	{
d8fe354a TB	62	(*msg)->length = UINT16_MAX;
d8fe354a TB	63	return;
eaa964b3	64	}
d8fe354a	65	while (cur_len + str_len > sizeof(stroke_msg_t) + (*msg)->buflen)
2e655695	66	{
d8fe354a TB	67	msg = realloc(msg, sizeof(stroke_msg_t) + (*msg)->buflen +
	68	STROKE_BUF_LEN_INC);
	69	(*msg)->buflen += STROKE_BUF_LEN_INC;
2e655695	70	}
d8fe354a TB	71	(*msg)->length += str_len;
	72	strcpy((char)msg + cur_len, string);
	73	(char)((char)msg + offset) = (char)cur_len;
a3678ca2 MW	74	}
a3678ca2 MW	75
d8fe354a	76	static int send_stroke_msg(stroke_msg_t *msg)
a3678ca2	77	{
02de66e1 TB	78	stream_t *stream;
	79	char *uri, buffer[64];
	80	int count;
7daf5226	81
d8fe354a	82	if (msg->length == UINT16_MAX)
eaa964b3	83	{
d8fe354a TB	84	DBG1(DBG_APP, "stroke message exceeds maximum buffer size");
d8fe354a TB	85	free(msg);
eaa964b3 MW	86	return -1;
	87	}
	88
2e655695 AS	89	/* starter is not called from commandline, and therefore absolutely silent */
	90	msg->output_verbosity = -1;
	91
02de66e1 TB	92	uri = lib->settings->get_str(lib->settings, "%s.plugins.stroke.socket",
	93	"unix://" CHARON_CTL_FILE, daemon_name);
	94	stream = lib->streams->connect(lib->streams, uri);
	95	if (!stream)
2e655695	96	{
02de66e1	97	DBG1(DBG_APP, "failed to connect to stroke socket '%s'", uri);
d8fe354a	98	free(msg);
2e655695 AS	99	return -1;
2e655695 AS	100	}
ecadab2b	101
02de66e1	102	if (!stream->write_all(stream, msg, msg->length))
2e655695	103	{
02de66e1 TB	104	DBG1(DBG_APP, "sending stroke message failed");
02de66e1 TB	105	stream->destroy(stream);
d8fe354a	106	free(msg);
2e655695 AS	107	return -1;
2e655695 AS	108	}
02de66e1	109	while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0)
2e655695	110	{
02de66e1	111	buffer[count] = '\0';
163b2273	112	DBG1(DBG_APP, "%s", buffer);
2e655695	113	}
02de66e1	114	if (count < 0)
2e655695	115	{
02de66e1	116	DBG1(DBG_APP, "reading stroke response failed");
2e655695	117	}
02de66e1	118	stream->destroy(stream);
d8fe354a	119	free(msg);
2e655695	120	return 0;
a3678ca2 MW	121	}
a3678ca2 MW	122
ecadab2b	123	static char* connection_name(starter_conn_t *conn)
a3678ca2	124	{
2e655695 AS	125	/* if connection name is '%auto', create a new name like conn_xxxxx */
	126	static char buf[32];
	127
	128	if (streq(conn->name, "%auto"))
	129	{
bac28c73	130	sprintf(buf, "conn_%lu", conn->id);
2e655695 AS	131	return buf;
	132	}
	133	return conn->name;
a3678ca2 MW	134	}
a3678ca2 MW	135
d8fe354a	136	static void add_end(stroke_msg_t *msg, size_t offset, starter_end_t conn_end)
b7f9ca58	137	{
d8fe354a TB	138	stroke_end_t *msg_end;
	139
	140	push_string_end(msg, offset, auth, conn_end->auth);
	141	push_string_end(msg, offset, auth2, conn_end->auth2);
	142	push_string_end(msg, offset, id, conn_end->id);
	143	push_string_end(msg, offset, id2, conn_end->id2);
	144	push_string_end(msg, offset, rsakey, conn_end->rsakey);
	145	push_string_end(msg, offset, cert, conn_end->cert);
	146	push_string_end(msg, offset, cert2, conn_end->cert2);
	147	push_string_end(msg, offset, cert_policy, conn_end->cert_policy);
	148	push_string_end(msg, offset, ca, conn_end->ca);
	149	push_string_end(msg, offset, ca2, conn_end->ca2);
	150	push_string_end(msg, offset, groups, conn_end->groups);
	151	push_string_end(msg, offset, groups2, conn_end->groups2);
	152	push_string_end(msg, offset, updown, conn_end->updown);
e59a5000 MW	153	if (conn_end->host)
e59a5000 MW	154	{
d8fe354a	155	push_string_end(msg, offset, address, conn_end->host);
e59a5000 MW	156	}
	157	else
	158	{
d8fe354a	159	push_string_end(msg, offset, address, "%any");
e59a5000	160	}
d8fe354a TB	161	push_string_end(msg, offset, subnets, conn_end->subnet);
	162	push_string_end(msg, offset, sourceip, conn_end->sourceip);
	163	push_string_end(msg, offset, dns, conn_end->dns);
	164
	165	/* we can't assign it earlier as msg might change */
	166	msg_end = (stroke_end_t)((char)(*msg) + offset);
667b7372	167	msg_end->ikeport = conn_end->ikeport;
2e655695 AS	168	msg_end->sendcert = conn_end->sendcert;
2e655695 AS	169	msg_end->hostaccess = conn_end->hostaccess;
eca839b0	170	msg_end->tohost = !conn_end->subnet;
1d315bdd	171	msg_end->allow_any = conn_end->allow_any;
2e655695	172	msg_end->protocol = conn_end->protocol;
cd41b951 MW	173	msg_end->from_port = conn_end->from_port;
cd41b951 MW	174	msg_end->to_port = conn_end->to_port;
b7f9ca58 AS	175	}
b7f9ca58 AS	176
552cc11b	177	int starter_stroke_add_conn(starter_config_t cfg, starter_conn_t conn)
a3678ca2	178	{
d8fe354a	179	stroke_msg_t *msg;
3d7a244b	180
d8fe354a TB	181	msg = create_stroke_msg(STR_ADD_CONN);
	182	msg->add_conn.version = conn->keyexchange;
	183	push_string(&msg, add_conn.name, connection_name(conn));
	184	push_string(&msg, add_conn.eap_identity, conn->eap_identity);
	185	push_string(&msg, add_conn.aaa_identity, conn->aaa_identity);
	186	push_string(&msg, add_conn.xauth_identity, conn->xauth_identity);
7daf5226	187
d8fe354a TB	188	msg->add_conn.mode = conn->mode;
d8fe354a TB	189	msg->add_conn.proxy_mode = conn->proxy_mode;
2e655695	190
5b09310e	191	if (!(conn->options & SA_OPTION_DONT_REKEY))
2e655695	192	{
d8fe354a TB	193	msg->add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
	194	msg->add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
	195	msg->add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
	196	msg->add_conn.rekey.margin = conn->sa_rekey_margin;
	197	msg->add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
	198	msg->add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
	199	msg->add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
	200	msg->add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
	201	msg->add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
2e655695	202	}
d8fe354a TB	203	msg->add_conn.rekey.tries = conn->sa_keying_tries;
	204
	205	msg->add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
	206	msg->add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
	207	msg->add_conn.fragmentation = conn->fragmentation;
	208	msg->add_conn.ikedscp = conn->ikedscp;
	209	msg->add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
	210	msg->add_conn.install_policy = conn->install_policy;
	211	msg->add_conn.aggressive = conn->aggressive;
	212	msg->add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH;
	213	msg->add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
	214	msg->add_conn.unique = cfg->setup.uniqueids;
	215	push_string(&msg, add_conn.algorithms.ike, conn->ike);
	216	push_string(&msg, add_conn.algorithms.esp, conn->esp);
	217	push_string(&msg, add_conn.algorithms.ah, conn->ah);
	218	msg->add_conn.dpd.delay = conn->dpd_delay;
	219	msg->add_conn.dpd.timeout = conn->dpd_timeout;
	220	msg->add_conn.dpd.action = conn->dpd_action;
	221	msg->add_conn.close_action = conn->close_action;
4270c8fc	222	msg->add_conn.sha256_96 = conn->sha256_96;
d8fe354a TB	223	msg->add_conn.inactivity = conn->inactivity;
	224	msg->add_conn.ikeme.mediation = conn->me_mediation;
	225	push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by);
	226	push_string(&msg, add_conn.ikeme.peerid, conn->me_peerid);
	227	msg->add_conn.reqid = conn->reqid;
	228	msg->add_conn.replay_window = conn->replay_window;
	229	msg->add_conn.mark_in.value = conn->mark_in.value;
	230	msg->add_conn.mark_in.mask = conn->mark_in.mask;
	231	msg->add_conn.mark_out.value = conn->mark_out.value;
	232	msg->add_conn.mark_out.mask = conn->mark_out.mask;
	233	msg->add_conn.tfc = conn->tfc;
	234
	235	add_end(&msg, offsetof(stroke_msg_t, add_conn.me), &conn->left);
	236	add_end(&msg, offsetof(stroke_msg_t, add_conn.other), &conn->right);
	237
	238	if (!msg->add_conn.me.auth && !msg->add_conn.other.auth &&
e838c39b	239	conn->authby)
c791def8	240	{ /* leftauth/rightauth not set, use legacy options */
e838c39b TB	241	if (streq(conn->authby, "rsa") \|\| streq(conn->authby, "rsasig") \|\|
	242	streq(conn->authby, "ecdsa") \|\| streq(conn->authby, "ecdsasig") \|\|
	243	streq(conn->authby, "pubkey"))
c791def8	244	{
d8fe354a TB	245	push_string(&msg, add_conn.me.auth, "pubkey");
d8fe354a TB	246	push_string(&msg, add_conn.other.auth, "pubkey");
c791def8	247	}
e838c39b	248	else if (streq(conn->authby, "secret") \|\| streq(conn->authby, "psk"))
c791def8	249	{
d8fe354a TB	250	push_string(&msg, add_conn.me.auth, "psk");
d8fe354a TB	251	push_string(&msg, add_conn.other.auth, "psk");
c791def8	252	}
e838c39b	253	else if (streq(conn->authby, "xauthrsasig"))
c791def8	254	{
d8fe354a TB	255	push_string(&msg, add_conn.me.auth, "pubkey");
d8fe354a TB	256	push_string(&msg, add_conn.other.auth, "pubkey");
5b09310e	257	if (conn->options & SA_OPTION_XAUTH_SERVER)
c791def8	258	{
d8fe354a	259	push_string(&msg, add_conn.other.auth2, "xauth");
c791def8 MW	260	}
	261	else
	262	{
d8fe354a	263	push_string(&msg, add_conn.me.auth2, "xauth");
c791def8 MW	264	}
c791def8 MW	265	}
e838c39b	266	else if (streq(conn->authby, "xauthpsk"))
c791def8	267	{
d8fe354a TB	268	push_string(&msg, add_conn.me.auth, "psk");
d8fe354a TB	269	push_string(&msg, add_conn.other.auth, "psk");
5b09310e	270	if (conn->options & SA_OPTION_XAUTH_SERVER)
c791def8	271	{
d8fe354a	272	push_string(&msg, add_conn.other.auth2, "xauth");
c791def8 MW	273	}
	274	else
	275	{
d8fe354a	276	push_string(&msg, add_conn.me.auth2, "xauth");
c791def8 MW	277	}
	278	}
	279	}
d8fe354a	280	return send_stroke_msg(msg);
a3678ca2 MW	281	}
a3678ca2 MW	282
ecadab2b	283	int starter_stroke_del_conn(starter_conn_t *conn)
a3678ca2	284	{
d8fe354a	285	stroke_msg_t *msg;
9fe14f4b	286
d8fe354a TB	287	msg = create_stroke_msg(STR_DEL_CONN);
	288	push_string(&msg, del_conn.name, connection_name(conn));
	289	return send_stroke_msg(msg);
a3678ca2	290	}
b5e15606	291
ecadab2b	292	int starter_stroke_route_conn(starter_conn_t *conn)
a3678ca2	293	{
d8fe354a	294	stroke_msg_t *msg;
ecadab2b	295
d8fe354a TB	296	msg = create_stroke_msg(STR_ROUTE);
	297	push_string(&msg, route.name, connection_name(conn));
	298	return send_stroke_msg(msg);
a3678ca2 MW	299	}
a3678ca2 MW	300
9e730ef9 TB	301	int starter_stroke_unroute_conn(starter_conn_t *conn)
9e730ef9 TB	302	{
d8fe354a	303	stroke_msg_t *msg;
9e730ef9	304
d8fe354a TB	305	msg = create_stroke_msg(STR_UNROUTE);
	306	push_string(&msg, route.name, connection_name(conn));
	307	return send_stroke_msg(msg);
9e730ef9 TB	308	}
9e730ef9 TB	309
ecadab2b	310	int starter_stroke_initiate_conn(starter_conn_t *conn)
a3678ca2	311	{
d8fe354a	312	stroke_msg_t *msg;
ecadab2b	313
d8fe354a TB	314	msg = create_stroke_msg(STR_INITIATE);
	315	push_string(&msg, initiate.name, connection_name(conn));
	316	return send_stroke_msg(msg);
a3678ca2	317	}
06133e1d AS	318
	319	int starter_stroke_add_ca(starter_ca_t *ca)
	320	{
d8fe354a TB	321	stroke_msg_t *msg;
	322
	323	msg = create_stroke_msg(STR_ADD_CA);
	324	push_string(&msg, add_ca.name, ca->name);
	325	push_string(&msg, add_ca.cacert, ca->cacert);
	326	push_string(&msg, add_ca.crluri, ca->crluri);
	327	push_string(&msg, add_ca.crluri2, ca->crluri2);
	328	push_string(&msg, add_ca.ocspuri, ca->ocspuri);
	329	push_string(&msg, add_ca.ocspuri2, ca->ocspuri2);
	330	push_string(&msg, add_ca.certuribase, ca->certuribase);
	331	return send_stroke_msg(msg);
06133e1d AS	332	}
	333
	334	int starter_stroke_del_ca(starter_ca_t *ca)
	335	{
d8fe354a	336	stroke_msg_t *msg;
06133e1d	337
d8fe354a TB	338	msg = create_stroke_msg(STR_DEL_CA);
	339	push_string(&msg, del_ca.name, ca->name);
	340	return send_stroke_msg(msg);
06133e1d AS	341	}
06133e1d AS	342
b360e393 MW	343	int starter_stroke_configure(starter_config_t *cfg)
b360e393 MW	344	{
d8fe354a	345	stroke_msg_t *msg;
7daf5226	346
2e655695 AS	347	if (cfg->setup.cachecrls)
2e655695 AS	348	{
d8fe354a TB	349	msg = create_stroke_msg(STR_CONFIG);
	350	msg->config.cachecrl = 1;
	351	return send_stroke_msg(msg);
2e655695 AS	352	}
2e655695 AS	353	return 0;
b360e393	354	}