]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/config/ike_cfg.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ike-cfg: Fix memory leak when checking for configured address
[thirdparty/strongswan.git] / src / libcharon / config / ike_cfg.c
1 /*
2 * Copyright (C) 2012-2017 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #define _GNU_SOURCE /* for stdndup() */
19 #include <string.h>
20
21 #include "ike_cfg.h"
22
23 #include <daemon.h>
24
25 ENUM(ike_version_names, IKE_ANY, IKEV2,
26 "IKEv1/2",
27 "IKEv1",
28 "IKEv2",
29 );
30
31 typedef struct private_ike_cfg_t private_ike_cfg_t;
32
33 /**
34 * Private data of an ike_cfg_t object
35 */
36 struct private_ike_cfg_t {
37
38 /**
39 * Public part
40 */
41 ike_cfg_t public;
42
43 /**
44 * Number of references hold by others to this ike_cfg
45 */
46 refcount_t refcount;
47
48 /**
49 * IKE version to use
50 */
51 ike_version_t version;
52
53 /**
54 * Address list string for local host
55 */
56 char *me;
57
58 /**
59 * Address list string for remote host
60 */
61 char *other;
62
63 /**
64 * Local single host or DNS names, as allocated char*
65 */
66 linked_list_t *my_hosts;
67
68 /**
69 * Remote single host or DNS names, as allocated char*
70 */
71 linked_list_t *other_hosts;
72
73 /**
74 * Local ranges/subnets this config matches to, as traffic_selector_t*
75 */
76 linked_list_t *my_ranges;
77
78 /**
79 * Remote ranges/subnets this config matches to, as traffic_selector_t*
80 */
81 linked_list_t *other_ranges;
82
83 /**
84 * our source port
85 */
86 uint16_t my_port;
87
88 /**
89 * destination port
90 */
91 uint16_t other_port;
92
93 /**
94 * should we send a certificate request?
95 */
96 bool certreq;
97
98 /**
99 * enforce UDP encapsulation
100 */
101 bool force_encap;
102
103 /**
104 * use IKEv1 fragmentation
105 */
106 fragmentation_t fragmentation;
107
108 /**
109 * DSCP value to use on sent IKE packets
110 */
111 uint8_t dscp;
112
113 /**
114 * List of proposals to use
115 */
116 linked_list_t *proposals;
117 };
118
119 METHOD(ike_cfg_t, get_version, ike_version_t,
120 private_ike_cfg_t *this)
121 {
122 return this->version;
123 }
124
125 METHOD(ike_cfg_t, send_certreq, bool,
126 private_ike_cfg_t *this)
127 {
128 return this->certreq;
129 }
130
131 METHOD(ike_cfg_t, force_encap_, bool,
132 private_ike_cfg_t *this)
133 {
134 return this->force_encap;
135 }
136
137 METHOD(ike_cfg_t, fragmentation, fragmentation_t,
138 private_ike_cfg_t *this)
139 {
140 return this->fragmentation;
141 }
142
143 /**
144 * Common function for resolve_me/other
145 */
146 static host_t* resolve(linked_list_t *hosts, int family, uint16_t port)
147 {
148 enumerator_t *enumerator;
149 host_t *host = NULL;
150 bool tried = FALSE;
151 char *str;
152
153 enumerator = hosts->create_enumerator(hosts);
154 while (enumerator->enumerate(enumerator, &str))
155 {
156 host = host_create_from_dns(str, family, port);
157 if (host)
158 {
159 break;
160 }
161 tried = TRUE;
162 }
163 enumerator->destroy(enumerator);
164
165 if (!host && !tried)
166 {
167 /* we have no single host configured, return %any */
168 host = host_create_any(family ?: AF_INET);
169 host->set_port(host, port);
170 }
171 return host;
172 }
173
174 METHOD(ike_cfg_t, resolve_me, host_t*,
175 private_ike_cfg_t *this, int family)
176 {
177 return resolve(this->my_hosts, family, this->my_port);
178 }
179
180 METHOD(ike_cfg_t, resolve_other, host_t*,
181 private_ike_cfg_t *this, int family)
182 {
183 return resolve(this->other_hosts, family, this->other_port);
184 }
185
186 /**
187 * Common function for match_me/other
188 */
189 static u_int match(linked_list_t *hosts, linked_list_t *ranges, host_t *cand)
190 {
191 enumerator_t *enumerator;
192 traffic_selector_t *ts;
193 char *str;
194 host_t *host;
195 uint8_t mask;
196 u_int quality = 0;
197
198 /* try single hosts first */
199 enumerator = hosts->create_enumerator(hosts);
200 while (enumerator->enumerate(enumerator, &str))
201 {
202 host = host_create_from_dns(str, cand->get_family(cand), 0);
203 if (host)
204 {
205 if (host->ip_equals(host, cand))
206 {
207 quality = max(quality, 128 + 1);
208 }
209 if (host->is_anyaddr(host))
210 {
211 quality = max(quality, 1);
212 }
213 host->destroy(host);
214 }
215 }
216 enumerator->destroy(enumerator);
217
218 /* then ranges/subnets */
219 enumerator = ranges->create_enumerator(ranges);
220 while (enumerator->enumerate(enumerator, &ts))
221 {
222 if (ts->includes(ts, cand))
223 {
224 if (ts->to_subnet(ts, &host, &mask))
225 {
226 quality = max(quality, mask + 1);
227 }
228 else
229 {
230 quality = max(quality, 1);
231 }
232 host->destroy(host);
233 }
234 }
235 enumerator->destroy(enumerator);
236
237 return quality;
238 }
239
240 METHOD(ike_cfg_t, match_me, u_int,
241 private_ike_cfg_t *this, host_t *host)
242 {
243 return match(this->my_hosts, this->my_ranges, host);
244 }
245
246 METHOD(ike_cfg_t, match_other, u_int,
247 private_ike_cfg_t *this, host_t *host)
248 {
249 return match(this->other_hosts, this->other_ranges, host);
250 }
251
252 METHOD(ike_cfg_t, get_my_addr, char*,
253 private_ike_cfg_t *this)
254 {
255 return this->me;
256 }
257
258 METHOD(ike_cfg_t, get_other_addr, char*,
259 private_ike_cfg_t *this)
260 {
261 return this->other;
262 }
263
264 METHOD(ike_cfg_t, get_my_port, uint16_t,
265 private_ike_cfg_t *this)
266 {
267 return this->my_port;
268 }
269
270 METHOD(ike_cfg_t, get_other_port, uint16_t,
271 private_ike_cfg_t *this)
272 {
273 return this->other_port;
274 }
275
276 METHOD(ike_cfg_t, get_dscp, uint8_t,
277 private_ike_cfg_t *this)
278 {
279 return this->dscp;
280 }
281
282 METHOD(ike_cfg_t, add_proposal, void,
283 private_ike_cfg_t *this, proposal_t *proposal)
284 {
285 if (proposal)
286 {
287 this->proposals->insert_last(this->proposals, proposal);
288 }
289 }
290
291 METHOD(ike_cfg_t, get_proposals, linked_list_t*,
292 private_ike_cfg_t *this)
293 {
294 enumerator_t *enumerator;
295 proposal_t *current;
296 linked_list_t *proposals;
297
298 proposals = linked_list_create();
299 enumerator = this->proposals->create_enumerator(this->proposals);
300 while (enumerator->enumerate(enumerator, &current))
301 {
302 current = current->clone(current);
303 proposals->insert_last(proposals, current);
304 }
305 enumerator->destroy(enumerator);
306
307 DBG2(DBG_CFG, "configured proposals: %#P", proposals);
308
309 return proposals;
310 }
311
312 METHOD(ike_cfg_t, select_proposal, proposal_t*,
313 private_ike_cfg_t *this, linked_list_t *proposals, bool private,
314 bool prefer_self)
315 {
316 enumerator_t *prefer_enum, *match_enum;
317 proposal_t *proposal, *match, *selected = NULL;
318
319 if (prefer_self)
320 {
321 prefer_enum = this->proposals->create_enumerator(this->proposals);
322 match_enum = proposals->create_enumerator(proposals);
323 }
324 else
325 {
326 prefer_enum = proposals->create_enumerator(proposals);
327 match_enum = this->proposals->create_enumerator(this->proposals);
328 }
329
330 while (prefer_enum->enumerate(prefer_enum, (void**)&proposal))
331 {
332 if (prefer_self)
333 {
334 proposals->reset_enumerator(proposals, match_enum);
335 }
336 else
337 {
338 this->proposals->reset_enumerator(this->proposals, match_enum);
339 }
340 while (match_enum->enumerate(match_enum, (void**)&match))
341 {
342 selected = proposal->select(proposal, match, prefer_self, private);
343 if (selected)
344 {
345 DBG2(DBG_CFG, "received proposals: %#P", proposals);
346 DBG2(DBG_CFG, "configured proposals: %#P", this->proposals);
347 DBG2(DBG_CFG, "selected proposal: %P", selected);
348 break;
349 }
350 }
351 if (selected)
352 {
353 break;
354 }
355 }
356 prefer_enum->destroy(prefer_enum);
357 match_enum->destroy(match_enum);
358 if (!selected)
359 {
360 DBG1(DBG_CFG, "received proposals: %#P", proposals);
361 DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
362 }
363 return selected;
364 }
365
366 METHOD(ike_cfg_t, get_dh_group, diffie_hellman_group_t,
367 private_ike_cfg_t *this)
368 {
369 enumerator_t *enumerator;
370 proposal_t *proposal;
371 uint16_t dh_group = MODP_NONE;
372
373 enumerator = this->proposals->create_enumerator(this->proposals);
374 while (enumerator->enumerate(enumerator, &proposal))
375 {
376 if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &dh_group, NULL))
377 {
378 break;
379 }
380 }
381 enumerator->destroy(enumerator);
382 return dh_group;
383 }
384
385 METHOD(ike_cfg_t, equals, bool,
386 private_ike_cfg_t *this, ike_cfg_t *other_public)
387 {
388 private_ike_cfg_t *other = (private_ike_cfg_t*)other_public;
389
390 if (this == other)
391 {
392 return TRUE;
393 }
394 if (this->public.equals != other->public.equals)
395 {
396 return FALSE;
397 }
398 if (!this->proposals->equals_offset(this->proposals, other->proposals,
399 offsetof(proposal_t, equals)))
400 {
401 return FALSE;
402 }
403 return
404 this->version == other->version &&
405 this->certreq == other->certreq &&
406 this->force_encap == other->force_encap &&
407 this->fragmentation == other->fragmentation &&
408 streq(this->me, other->me) &&
409 streq(this->other, other->other) &&
410 this->my_port == other->my_port &&
411 this->other_port == other->other_port;
412 }
413
414 METHOD(ike_cfg_t, get_ref, ike_cfg_t*,
415 private_ike_cfg_t *this)
416 {
417 ref_get(&this->refcount);
418 return &this->public;
419 }
420
421 METHOD(ike_cfg_t, destroy, void,
422 private_ike_cfg_t *this)
423 {
424 if (ref_put(&this->refcount))
425 {
426 this->proposals->destroy_offset(this->proposals,
427 offsetof(proposal_t, destroy));
428 free(this->me);
429 free(this->other);
430 this->my_hosts->destroy_function(this->my_hosts, free);
431 this->other_hosts->destroy_function(this->other_hosts, free);
432 this->my_ranges->destroy_offset(this->my_ranges,
433 offsetof(traffic_selector_t, destroy));
434 this->other_ranges->destroy_offset(this->other_ranges,
435 offsetof(traffic_selector_t, destroy));
436 free(this);
437 }
438 }
439
440 /**
441 * Try to parse a string as subnet
442 */
443 static traffic_selector_t* make_subnet(char *str)
444 {
445 char *pos;
446
447 pos = strchr(str, '/');
448 if (!pos)
449 {
450 return NULL;
451 }
452 return traffic_selector_create_from_cidr(str, 0, 0, 0);
453 }
454
455 /**
456 * Try to parse a string as an IP range
457 */
458 static traffic_selector_t* make_range(char *str)
459 {
460 traffic_selector_t *ts;
461 ts_type_t type;
462 host_t *from, *to;
463
464 if (!host_create_from_range(str, &from, &to))
465 {
466 return NULL;
467 }
468 if (to->get_family(to) == AF_INET)
469 {
470 type = TS_IPV4_ADDR_RANGE;
471 }
472 else
473 {
474 type = TS_IPV6_ADDR_RANGE;
475 }
476 ts = traffic_selector_create_from_bytes(0, type,
477 from->get_address(from), 0,
478 to->get_address(to), 0);
479 from->destroy(from);
480 to->destroy(to);
481 return ts;
482 }
483
484 /**
485 * Parse address string into lists of single hosts and ranges/subnets
486 */
487 static void parse_addresses(char *str, linked_list_t *hosts,
488 linked_list_t *ranges)
489 {
490 enumerator_t *enumerator;
491 traffic_selector_t *ts;
492
493 enumerator = enumerator_create_token(str, ",", " ");
494 while (enumerator->enumerate(enumerator, &str))
495 {
496 ts = make_subnet(str);
497 if (ts)
498 {
499 ranges->insert_last(ranges, ts);
500 continue;
501 }
502 ts = make_range(str);
503 if (ts)
504 {
505 ranges->insert_last(ranges, ts);
506 continue;
507 }
508 hosts->insert_last(hosts, strdup(str));
509 }
510 enumerator->destroy(enumerator);
511 }
512
513 /**
514 * Described in header.
515 */
516 int ike_cfg_get_family(ike_cfg_t *cfg, bool local)
517 {
518 private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
519 enumerator_t *enumerator;
520 host_t *host;
521 char *str;
522 int family = AF_UNSPEC;
523
524 if (local)
525 {
526 enumerator = this->my_hosts->create_enumerator(this->my_hosts);
527 }
528 else
529 {
530 enumerator = this->other_hosts->create_enumerator(this->other_hosts);
531 }
532 while (enumerator->enumerate(enumerator, &str))
533 {
534 if (streq(str, "%any"))
535 { /* ignore %any as its family is undetermined */
536 continue;
537 }
538 host = host_create_from_string(str, 0);
539 if (host)
540 {
541 if (family == AF_UNSPEC)
542 {
543 family = host->get_family(host);
544 }
545 else if (family != host->get_family(host))
546 {
547 /* more than one address family defined */
548 family = AF_UNSPEC;
549 host->destroy(host);
550 break;
551 }
552 }
553 DESTROY_IF(host);
554 }
555 enumerator->destroy(enumerator);
556 return family;
557 }
558
559 /**
560 * Described in header.
561 */
562 bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local)
563 {
564 private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
565 enumerator_t *enumerator;
566 host_t *host;
567 char *str;
568 bool found = FALSE;
569
570 if (local)
571 {
572 enumerator = this->my_hosts->create_enumerator(this->my_hosts);
573 }
574 else
575 {
576 enumerator = this->other_hosts->create_enumerator(this->other_hosts);
577 }
578 while (enumerator->enumerate(enumerator, &str))
579 {
580 host = host_create_from_string(str, 0);
581 if (host && addr->ip_equals(addr, host))
582 {
583 host->destroy(host);
584 found = TRUE;
585 break;
586 }
587 DESTROY_IF(host);
588 }
589 enumerator->destroy(enumerator);
590 return found;
591 }
592
593 /**
594 * Described in header.
595 */
596 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
597 char *me, uint16_t my_port,
598 char *other, uint16_t other_port,
599 fragmentation_t fragmentation, uint8_t dscp)
600 {
601 private_ike_cfg_t *this;
602
603 INIT(this,
604 .public = {
605 .get_version = _get_version,
606 .send_certreq = _send_certreq,
607 .force_encap = _force_encap_,
608 .fragmentation = _fragmentation,
609 .resolve_me = _resolve_me,
610 .resolve_other = _resolve_other,
611 .match_me = _match_me,
612 .match_other = _match_other,
613 .get_my_addr = _get_my_addr,
614 .get_other_addr = _get_other_addr,
615 .get_my_port = _get_my_port,
616 .get_other_port = _get_other_port,
617 .get_dscp = _get_dscp,
618 .add_proposal = _add_proposal,
619 .get_proposals = _get_proposals,
620 .select_proposal = _select_proposal,
621 .get_dh_group = _get_dh_group,
622 .equals = _equals,
623 .get_ref = _get_ref,
624 .destroy = _destroy,
625 },
626 .refcount = 1,
627 .version = version,
628 .certreq = certreq,
629 .force_encap = force_encap,
630 .fragmentation = fragmentation,
631 .me = strdup(me),
632 .my_ranges = linked_list_create(),
633 .my_hosts = linked_list_create(),
634 .other = strdup(other),
635 .other_ranges = linked_list_create(),
636 .other_hosts = linked_list_create(),
637 .my_port = my_port,
638 .other_port = other_port,
639 .dscp = dscp,
640 .proposals = linked_list_create(),
641 );
642
643 parse_addresses(me, this->my_hosts, this->my_ranges);
644 parse_addresses(other, this->other_hosts, this->other_ranges);
645
646 return &this->public;
647 }
Unnamed repository; edit this file 'description' to name the repository.