]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/plugins/medcli/medcli_config.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ike-cfg: Pass arguments as struct
[thirdparty/strongswan.git] / src / libcharon / plugins / medcli / medcli_config.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17 #include <string.h>
18
19 #include "medcli_config.h"
20
21 #include <daemon.h>
22 #include <processing/jobs/callback_job.h>
23
24 typedef struct private_medcli_config_t private_medcli_config_t;
25
26 /**
27 * Name of the mediation connection
28 */
29 #define MEDIATION_CONN_NAME "medcli-mediation"
30
31 /**
32 * Private data of an medcli_config_t object
33 */
34 struct private_medcli_config_t {
35
36 /**
37 * Public part
38 */
39 medcli_config_t public;
40
41 /**
42 * database connection
43 */
44 database_t *db;
45
46 /**
47 * rekey time
48 */
49 int rekey;
50
51 /**
52 * dpd delay
53 */
54 int dpd;
55
56 /**
57 * default ike config
58 */
59 ike_cfg_t *ike;
60 };
61
62 /**
63 * create a traffic selector from a CIDR notation string
64 */
65 static traffic_selector_t *ts_from_string(char *str)
66 {
67 if (str)
68 {
69 traffic_selector_t *ts;
70
71 ts = traffic_selector_create_from_cidr(str, 0, 0, 65535);
72 if (ts)
73 {
74 return ts;
75 }
76 }
77 return traffic_selector_create_dynamic(0, 0, 65535);
78 }
79
80 /**
81 * Build a mediation config
82 */
83 static peer_cfg_t *build_mediation_config(private_medcli_config_t *this,
84 peer_cfg_create_t *defaults)
85 {
86 enumerator_t *e;
87 auth_cfg_t *auth;
88 ike_cfg_t *ike_cfg;
89 peer_cfg_t *med_cfg;
90 ike_cfg_create_t ike = {
91 .version = IKEV2,
92 .local = "0.0.0.0",
93 .local_port = charon->socket->get_port(charon->socket, FALSE),
94 .remote_port = IKEV2_UDP_PORT,
95 .no_certreq = TRUE,
96 };
97 peer_cfg_create_t peer = *defaults;
98 chunk_t me, other;
99
100 /* query mediation server config:
101 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
102 */
103 e = this->db->query(this->db,
104 "SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId "
105 "FROM MediationServerConfig JOIN ClientConfig",
106 DB_TEXT, DB_BLOB, DB_BLOB);
107 if (!e || !e->enumerate(e, &ike.remote, &me, &other))
108 {
109 DESTROY_IF(e);
110 return NULL;
111 }
112 ike_cfg = ike_cfg_create(&ike);
113 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
114 ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
115
116 peer.mediation = TRUE;
117 med_cfg = peer_cfg_create(MEDIATION_CONN_NAME, ike_cfg, &peer);
118 e->destroy(e);
119
120 auth = auth_cfg_create();
121 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
122 auth->add(auth, AUTH_RULE_IDENTITY,
123 identification_create_from_encoding(ID_KEY_ID, me));
124 med_cfg->add_auth_cfg(med_cfg, auth, TRUE);
125 auth = auth_cfg_create();
126 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
127 auth->add(auth, AUTH_RULE_IDENTITY,
128 identification_create_from_encoding(ID_KEY_ID, other));
129 med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
130 return med_cfg;
131 }
132
133 METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
134 private_medcli_config_t *this, char *name)
135 {
136 enumerator_t *e;
137 auth_cfg_t *auth;
138 peer_cfg_t *peer_cfg;
139 child_cfg_t *child_cfg;
140 chunk_t me, other;
141 char *local_net, *remote_net;
142 peer_cfg_create_t peer = {
143 .cert_policy = CERT_NEVER_SEND,
144 .unique = UNIQUE_REPLACE,
145 .keyingtries = 1,
146 .rekey_time = this->rekey * 60,
147 .jitter_time = this->rekey * 5,
148 .over_time = this->rekey * 3,
149 .dpd = this->dpd,
150 };
151 child_cfg_create_t child = {
152 .lifetime = {
153 .time = {
154 .life = this->rekey * 60 + this->rekey,
155 .rekey = this->rekey,
156 .jitter = this->rekey
157 },
158 },
159 .mode = MODE_TUNNEL,
160 };
161
162 if (streq(name, "medcli-mediation"))
163 {
164 return build_mediation_config(this, &peer);
165 }
166
167 /* query mediated config:
168 * - use any-any ike_cfg
169 * - build peer_cfg on-the-fly using med_cfg
170 * - add a child_cfg
171 */
172 e = this->db->query(this->db,
173 "SELECT ClientConfig.KeyId, Connection.KeyId, "
174 "Connection.LocalSubnet, Connection.RemoteSubnet "
175 "FROM ClientConfig JOIN Connection "
176 "WHERE Active AND Alias = ?", DB_TEXT, name,
177 DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
178 if (!e || !e->enumerate(e, &me, &other, &local_net, &remote_net))
179 {
180 DESTROY_IF(e);
181 return NULL;
182 }
183 peer.mediated_by = MEDIATION_CONN_NAME;
184 peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other);
185 peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer);
186
187 auth = auth_cfg_create();
188 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
189 auth->add(auth, AUTH_RULE_IDENTITY,
190 identification_create_from_encoding(ID_KEY_ID, me));
191 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
192 auth = auth_cfg_create();
193 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
194 auth->add(auth, AUTH_RULE_IDENTITY,
195 identification_create_from_encoding(ID_KEY_ID, other));
196 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
197
198 child_cfg = child_cfg_create(name, &child);
199 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
200 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
201 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
202 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
203 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
204 e->destroy(e);
205 return peer_cfg;
206 }
207
208 METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
209 private_medcli_config_t *this, host_t *me, host_t *other)
210 {
211 return enumerator_create_single(this->ike, NULL);
212 }
213
214 typedef struct {
215 /** implements enumerator */
216 enumerator_t public;
217 /** inner SQL enumerator */
218 enumerator_t *inner;
219 /** currently enumerated peer config */
220 peer_cfg_t *current;
221 /** ike cfg to use in peer cfg */
222 ike_cfg_t *ike;
223 /** rekey time */
224 int rekey;
225 /** dpd time */
226 int dpd;
227 } peer_enumerator_t;
228
229 METHOD(enumerator_t, peer_enumerator_enumerate, bool,
230 peer_enumerator_t *this, va_list args)
231 {
232 char *name, *local_net, *remote_net;
233 chunk_t me, other;
234 peer_cfg_t **cfg;
235 child_cfg_t *child_cfg;
236 auth_cfg_t *auth;
237 peer_cfg_create_t peer = {
238 .cert_policy = CERT_NEVER_SEND,
239 .unique = UNIQUE_REPLACE,
240 .keyingtries = 1,
241 .rekey_time = this->rekey * 60,
242 .jitter_time = this->rekey * 5,
243 .over_time = this->rekey * 3,
244 .dpd = this->dpd,
245 };
246 child_cfg_create_t child = {
247 .lifetime = {
248 .time = {
249 .life = this->rekey * 60 + this->rekey,
250 .rekey = this->rekey,
251 .jitter = this->rekey
252 },
253 },
254 .mode = MODE_TUNNEL,
255 };
256
257 VA_ARGS_VGET(args, cfg);
258
259 DESTROY_IF(this->current);
260 if (!this->inner->enumerate(this->inner, &name, &me, &other,
261 &local_net, &remote_net))
262 {
263 this->current = NULL;
264 return FALSE;
265 }
266 this->current = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer);
267
268 auth = auth_cfg_create();
269 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
270 auth->add(auth, AUTH_RULE_IDENTITY,
271 identification_create_from_encoding(ID_KEY_ID, me));
272 this->current->add_auth_cfg(this->current, auth, TRUE);
273 auth = auth_cfg_create();
274 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
275 auth->add(auth, AUTH_RULE_IDENTITY,
276 identification_create_from_encoding(ID_KEY_ID, other));
277 this->current->add_auth_cfg(this->current, auth, FALSE);
278
279 child_cfg = child_cfg_create(name, &child);
280 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
281 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
282 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
283 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
284 this->current->add_child_cfg(this->current, child_cfg);
285 *cfg = this->current;
286 return TRUE;
287 }
288
289 METHOD(enumerator_t, peer_enumerator_destroy, void,
290 peer_enumerator_t *this)
291 {
292 DESTROY_IF(this->current);
293 this->inner->destroy(this->inner);
294 free(this);
295 }
296
297 METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
298 private_medcli_config_t *this, identification_t *me,
299 identification_t *other)
300 {
301 peer_enumerator_t *e;
302
303 INIT(e,
304 .public = {
305 .enumerate = enumerator_enumerate_default,
306 .venumerate = _peer_enumerator_enumerate,
307 .destroy = _peer_enumerator_destroy,
308 },
309 .ike = this->ike,
310 .rekey = this->rekey,
311 .dpd = this->dpd,
312 );
313
314 /* filter on IDs: NULL or ANY or matching KEY_ID */
315 e->inner = this->db->query(this->db,
316 "SELECT Alias, ClientConfig.KeyId, Connection.KeyId, "
317 "Connection.LocalSubnet, Connection.RemoteSubnet "
318 "FROM ClientConfig JOIN Connection "
319 "WHERE Active AND "
320 "(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)",
321 DB_INT, me == NULL || me->get_type(me) == ID_ANY,
322 DB_BLOB, me && me->get_type(me) == ID_KEY_ID ?
323 me->get_encoding(me) : chunk_empty,
324 DB_INT, other == NULL || other->get_type(other) == ID_ANY,
325 DB_BLOB, other && other->get_type(other) == ID_KEY_ID ?
326 other->get_encoding(other) : chunk_empty,
327 DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
328 if (!e->inner)
329 {
330 free(e);
331 return NULL;
332 }
333 return &e->public;
334 }
335
336 /**
337 * initiate a peer config
338 */
339 static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
340 {
341 enumerator_t *enumerator;
342 child_cfg_t *child_cfg = NULL;;
343
344 enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
345 enumerator->enumerate(enumerator, &child_cfg);
346 if (child_cfg)
347 {
348 child_cfg->get_ref(child_cfg);
349 peer_cfg->get_ref(peer_cfg);
350 enumerator->destroy(enumerator);
351 charon->controller->initiate(charon->controller,
352 peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
353 }
354 else
355 {
356 enumerator->destroy(enumerator);
357 }
358 return JOB_REQUEUE_NONE;
359 }
360
361 /**
362 * schedule initiation of all "active" connections
363 */
364 static void schedule_autoinit(private_medcli_config_t *this)
365 {
366 enumerator_t *e;
367 char *name;
368
369 e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active",
370 DB_TEXT);
371 if (e)
372 {
373 while (e->enumerate(e, &name))
374 {
375 peer_cfg_t *peer_cfg;
376
377 peer_cfg = get_peer_cfg_by_name(this, name);
378 if (peer_cfg)
379 {
380 /* schedule asynchronous initiation job */
381 lib->processor->queue_job(lib->processor,
382 (job_t*)callback_job_create(
383 (callback_job_cb_t)initiate_config,
384 peer_cfg, (void*)peer_cfg->destroy, NULL));
385 }
386 }
387 e->destroy(e);
388 }
389 }
390
391 METHOD(medcli_config_t, destroy, void,
392 private_medcli_config_t *this)
393 {
394 this->ike->destroy(this->ike);
395 free(this);
396 }
397
398 /**
399 * Described in header.
400 */
401 medcli_config_t *medcli_config_create(database_t *db)
402 {
403 private_medcli_config_t *this;
404 ike_cfg_create_t ike = {
405 .version = IKEV2,
406 .local = "0.0.0.0",
407 .local_port = charon->socket->get_port(charon->socket, FALSE),
408 .remote = "0.0.0.0",
409 .remote_port = IKEV2_UDP_PORT,
410 .no_certreq = TRUE,
411 };
412
413 INIT(this,
414 .public = {
415 .backend = {
416 .create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
417 .create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
418 .get_peer_cfg_by_name = _get_peer_cfg_by_name,
419 },
420 .destroy = _destroy,
421 },
422 .db = db,
423 .rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200),
424 .dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300),
425 .ike = ike_cfg_create(&ike),
426 );
427 this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
428 this->ike->add_proposal(this->ike, proposal_create_default_aead(PROTO_IKE));
429
430 schedule_autoinit(this);
431
432 return &this->public;
433 }
Unnamed repository; edit this file 'description' to name the repository.