2 * Copyright (C) 2012-2014 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 #include "stroke_config.h"
20 #include <threading/mutex.h>
21 #include <utils/lexparser.h>
25 typedef struct private_stroke_config_t private_stroke_config_t
;
28 * private data of stroke_config
30 struct private_stroke_config_t
{
35 stroke_config_t
public;
43 * mutex to lock config list
58 * Virtual IP pool / DNS backend
60 stroke_attribute_t
*attributes
;
63 METHOD(backend_t
, create_peer_cfg_enumerator
, enumerator_t
*,
64 private_stroke_config_t
*this, identification_t
*me
, identification_t
*other
)
66 this->mutex
->lock(this->mutex
);
67 return enumerator_create_cleaner(this->list
->create_enumerator(this->list
),
68 (void*)this->mutex
->unlock
, this->mutex
);
72 * filter function for ike configs
74 static bool ike_filter(void *data
, peer_cfg_t
**in
, ike_cfg_t
**out
)
76 *out
= (*in
)->get_ike_cfg(*in
);
80 METHOD(backend_t
, create_ike_cfg_enumerator
, enumerator_t
*,
81 private_stroke_config_t
*this, host_t
*me
, host_t
*other
)
83 this->mutex
->lock(this->mutex
);
84 return enumerator_create_filter(this->list
->create_enumerator(this->list
),
85 (void*)ike_filter
, this->mutex
,
86 (void*)this->mutex
->unlock
);
89 METHOD(backend_t
, get_peer_cfg_by_name
, peer_cfg_t
*,
90 private_stroke_config_t
*this, char *name
)
92 enumerator_t
*e1
, *e2
;
93 peer_cfg_t
*current
, *found
= NULL
;
96 this->mutex
->lock(this->mutex
);
97 e1
= this->list
->create_enumerator(this->list
);
98 while (e1
->enumerate(e1
, ¤t
))
100 /* compare peer_cfgs name first */
101 if (streq(current
->get_name(current
), name
))
104 found
->get_ref(found
);
107 /* compare all child_cfg names otherwise */
108 e2
= current
->create_child_cfg_enumerator(current
);
109 while (e2
->enumerate(e2
, &child
))
111 if (streq(child
->get_name(child
), name
))
114 found
->get_ref(found
);
125 this->mutex
->unlock(this->mutex
);
130 * parse a proposal string, either into ike_cfg or child_cfg
132 static void add_proposals(private_stroke_config_t
*this, char *string
,
133 ike_cfg_t
*ike_cfg
, child_cfg_t
*child_cfg
, protocol_id_t proto
)
139 proposal_t
*proposal
;
141 strict
= string
+ strlen(string
) - 1;
150 while ((single
= strsep(&string
, ",")))
152 proposal
= proposal_create_from_string(proto
, single
);
157 ike_cfg
->add_proposal(ike_cfg
, proposal
);
161 child_cfg
->add_proposal(child_cfg
, proposal
);
165 DBG1(DBG_CFG
, "skipped invalid proposal string: %s", single
);
171 /* add default porposal to the end if not strict */
175 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default(proto
));
176 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default_aead(proto
));
180 child_cfg
->add_proposal(child_cfg
, proposal_create_default(proto
));
181 child_cfg
->add_proposal(child_cfg
, proposal_create_default_aead(proto
));
186 * Check if any addresses in the given string are local
188 static bool is_local(char *address
, bool any_allowed
)
190 enumerator_t
*enumerator
;
195 enumerator
= enumerator_create_token(address
, ",", " ");
196 while (enumerator
->enumerate(enumerator
, &token
))
198 if (!strchr(token
, '/'))
200 host
= host_create_from_dns(token
, 0, 0);
203 if (charon
->kernel
->get_interface(charon
->kernel
, host
, NULL
))
207 else if (any_allowed
&& host
->is_anyaddr(host
))
219 enumerator
->destroy(enumerator
);
224 * Swap ends if indicated by left|right
226 static void swap_ends(stroke_msg_t
*msg
)
228 if (!lib
->settings
->get_bool(lib
->settings
, "%s.plugins.stroke.allow_swap",
234 if (is_local(msg
->add_conn
.other
.address
, FALSE
))
236 stroke_end_t tmp_end
;
238 DBG2(DBG_CFG
, "left is other host, swapping ends");
239 tmp_end
= msg
->add_conn
.me
;
240 msg
->add_conn
.me
= msg
->add_conn
.other
;
241 msg
->add_conn
.other
= tmp_end
;
243 else if (!is_local(msg
->add_conn
.me
.address
, TRUE
))
245 DBG1(DBG_CFG
, "left nor right host is our side, assuming left=local");
250 * Build an IKE config from a stroke message
252 static ike_cfg_t
*build_ike_cfg(private_stroke_config_t
*this, stroke_msg_t
*msg
)
256 char me
[256], other
[256];
260 if (msg
->add_conn
.me
.allow_any
)
262 snprintf(me
, sizeof(me
), "%s,0.0.0.0/0,::/0",
263 msg
->add_conn
.me
.address
);
265 if (msg
->add_conn
.other
.allow_any
)
267 snprintf(other
, sizeof(other
), "%s,0.0.0.0/0,::/0",
268 msg
->add_conn
.other
.address
);
270 ikeport
= msg
->add_conn
.me
.ikeport
;
271 ikeport
= (ikeport
== IKEV2_UDP_PORT
) ?
272 charon
->socket
->get_port(charon
->socket
, FALSE
) : ikeport
;
273 ike_cfg
= ike_cfg_create(msg
->add_conn
.version
,
274 msg
->add_conn
.other
.sendcert
!= CERT_NEVER_SEND
,
275 msg
->add_conn
.force_encap
,
276 msg
->add_conn
.me
.allow_any
?
277 me
: msg
->add_conn
.me
.address
,
279 msg
->add_conn
.other
.allow_any
?
280 other
: msg
->add_conn
.other
.address
,
281 msg
->add_conn
.other
.ikeport
,
282 msg
->add_conn
.fragmentation
,
283 msg
->add_conn
.ikedscp
);
285 add_proposals(this, msg
->add_conn
.algorithms
.ike
, ike_cfg
, NULL
, PROTO_IKE
);
290 * Add CRL constraint to config
292 static void build_crl_policy(auth_cfg_t
*cfg
, bool local
, int policy
)
294 /* CRL/OCSP policy, for remote config only */
300 /* if yes, we require a GOOD validation */
301 cfg
->add(cfg
, AUTH_RULE_CRL_VALIDATION
, VALIDATION_GOOD
);
303 case CRL_STRICT_IFURI
:
304 /* for ifuri, a SKIPPED validation is sufficient */
305 cfg
->add(cfg
, AUTH_RULE_CRL_VALIDATION
, VALIDATION_SKIPPED
);
314 * build authentication config
316 static auth_cfg_t
*build_auth_cfg(private_stroke_config_t
*this,
317 stroke_msg_t
*msg
, bool local
, bool primary
)
319 identification_t
*identity
;
320 certificate_t
*certificate
;
321 char *auth
, *id
, *pubkey
, *cert
, *ca
, *groups
;
322 stroke_end_t
*end
, *other_end
;
329 end
= &msg
->add_conn
.me
;
330 other_end
= &msg
->add_conn
.other
;
334 end
= &msg
->add_conn
.other
;
335 other_end
= &msg
->add_conn
.me
;
342 { /* leftid/rightid fallback to address */
347 if (ca
&& streq(ca
, "%same"))
357 { /* leftid2 falls back to leftid */
362 if (ca
&& streq(ca
, "%same"))
367 if (id
&& *id
== '%' && !streq(id
, "%any") && !streq(id
, "%any6"))
368 { /* has only an effect on rightid/2 */
380 { /* no second authentication round, fine. But load certificates
381 * for other purposes (EAP-TLS) */
384 certificate
= this->cred
->load_peer(this->cred
, cert
);
387 certificate
->destroy(certificate
);
394 cfg
= auth_cfg_create();
396 /* add identity and peer certificate */
397 identity
= identification_create_from_string(id
);
400 enumerator_t
*enumerator
;
401 bool has_subject
= FALSE
;
402 certificate_t
*first
= NULL
;
404 enumerator
= enumerator_create_token(cert
, ",", " ");
405 while (enumerator
->enumerate(enumerator
, &cert
))
407 certificate
= this->cred
->load_peer(this->cred
, cert
);
412 this->ca
->check_for_hash_and_url(this->ca
, certificate
);
414 cfg
->add(cfg
, AUTH_RULE_SUBJECT_CERT
, certificate
);
419 if (identity
->get_type(identity
) != ID_ANY
&&
420 certificate
->has_subject(certificate
, identity
))
426 enumerator
->destroy(enumerator
);
428 if (first
&& !has_subject
)
430 DBG1(DBG_CFG
, " id '%Y' not confirmed by certificate, "
431 "defaulting to '%Y'", identity
, first
->get_subject(first
));
432 identity
->destroy(identity
);
433 identity
= first
->get_subject(first
);
434 identity
= identity
->clone(identity
);
437 /* add raw RSA public key */
438 pubkey
= end
->rsakey
;
439 if (pubkey
&& !streq(pubkey
, "") && !streq(pubkey
, "%cert"))
441 certificate
= this->cred
->load_pubkey(this->cred
, pubkey
, identity
);
444 cfg
->add(cfg
, AUTH_RULE_SUBJECT_CERT
, certificate
);
447 if (identity
->get_type(identity
) != ID_ANY
)
449 cfg
->add(cfg
, AUTH_RULE_IDENTITY
, identity
);
452 cfg
->add(cfg
, AUTH_RULE_IDENTITY_LOOSE
, TRUE
);
457 identity
->destroy(identity
);
463 identity
= identification_create_from_string(ca
);
464 certificate
= lib
->credmgr
->get_cert(lib
->credmgr
, CERT_X509
,
465 KEY_ANY
, identity
, TRUE
);
466 identity
->destroy(identity
);
469 cfg
->add(cfg
, AUTH_RULE_CA_CERT
, certificate
);
473 DBG1(DBG_CFG
, "CA certificate \"%s\" not found, discarding CA "
479 groups
= primary
? end
->groups
: end
->groups2
;
482 enumerator_t
*enumerator
;
485 enumerator
= enumerator_create_token(groups
, ",", " ");
486 while (enumerator
->enumerate(enumerator
, &group
))
488 cfg
->add(cfg
, AUTH_RULE_GROUP
,
489 identification_create_from_string(group
));
491 enumerator
->destroy(enumerator
);
494 /* certificatePolicies */
495 if (end
->cert_policy
)
497 enumerator_t
*enumerator
;
500 enumerator
= enumerator_create_token(end
->cert_policy
, ",", " ");
501 while (enumerator
->enumerate(enumerator
, &policy
))
503 cfg
->add(cfg
, AUTH_RULE_CERT_POLICY
, strdup(policy
));
505 enumerator
->destroy(enumerator
);
508 /* authentication metod (class, actually) */
509 if (strpfx(auth
, "pubkey") ||
510 strpfx(auth
, "rsa") ||
511 strpfx(auth
, "ecdsa") ||
512 strpfx(auth
, "bliss"))
514 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
515 build_crl_policy(cfg
, local
, msg
->add_conn
.crl_policy
);
516 cfg
->add_pubkey_constraints(cfg
, auth
);
518 else if (streq(auth
, "psk") || streq(auth
, "secret"))
520 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PSK
);
522 else if (strpfx(auth
, "xauth"))
526 pos
= strchr(auth
, '-');
529 cfg
->add(cfg
, AUTH_RULE_XAUTH_BACKEND
, strdup(++pos
));
531 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_XAUTH
);
532 if (msg
->add_conn
.xauth_identity
)
534 cfg
->add(cfg
, AUTH_RULE_XAUTH_IDENTITY
,
535 identification_create_from_string(msg
->add_conn
.xauth_identity
));
538 else if (strpfx(auth
, "eap"))
540 eap_vendor_type_t
*type
;
543 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_EAP
);
544 /* check for public key constraints for EAP-TLS etc. */
545 pos
= strchr(auth
, ':');
549 cfg
->add_pubkey_constraints(cfg
, pos
+ 1);
551 type
= eap_vendor_type_from_string(auth
);
554 cfg
->add(cfg
, AUTH_RULE_EAP_TYPE
, type
->type
);
557 cfg
->add(cfg
, AUTH_RULE_EAP_VENDOR
, type
->vendor
);
562 if (msg
->add_conn
.eap_identity
)
564 if (streq(msg
->add_conn
.eap_identity
, "%identity"))
566 identity
= identification_create_from_encoding(ID_ANY
,
571 identity
= identification_create_from_string(
572 msg
->add_conn
.eap_identity
);
574 cfg
->add(cfg
, AUTH_RULE_EAP_IDENTITY
, identity
);
576 if (msg
->add_conn
.aaa_identity
)
578 cfg
->add(cfg
, AUTH_RULE_AAA_IDENTITY
,
579 identification_create_from_string(msg
->add_conn
.aaa_identity
));
584 if (!streq(auth
, "any"))
586 DBG1(DBG_CFG
, "authentication method %s unknown, fallback to any",
589 build_crl_policy(cfg
, local
, msg
->add_conn
.crl_policy
);
595 * build a mem_pool_t from an address range
597 static mem_pool_t
*create_pool_range(char *str
)
602 if (!host_create_from_range(str
, &from
, &to
))
606 pool
= mem_pool_create_range(str
, from
, to
);
613 * build a peer_cfg from a stroke msg
615 static peer_cfg_t
*build_peer_cfg(private_stroke_config_t
*this,
616 stroke_msg_t
*msg
, ike_cfg_t
*ike_cfg
)
618 identification_t
*peer_id
= NULL
;
619 peer_cfg_t
*mediated_by
= NULL
;
620 unique_policy_t unique
;
621 u_int32_t rekey
= 0, reauth
= 0, over
, jitter
;
622 peer_cfg_t
*peer_cfg
;
623 auth_cfg_t
*auth_cfg
;
626 if (msg
->add_conn
.ikeme
.mediation
&& msg
->add_conn
.ikeme
.mediated_by
)
628 DBG1(DBG_CFG
, "a mediation connection cannot be a mediated connection "
629 "at the same time, aborting");
633 if (msg
->add_conn
.ikeme
.mediation
)
635 /* force unique connections for mediation connections */
636 msg
->add_conn
.unique
= 1;
639 if (msg
->add_conn
.ikeme
.mediated_by
)
641 mediated_by
= charon
->backends
->get_peer_cfg_by_name(charon
->backends
,
642 msg
->add_conn
.ikeme
.mediated_by
);
645 DBG1(DBG_CFG
, "mediation connection '%s' not found, aborting",
646 msg
->add_conn
.ikeme
.mediated_by
);
649 if (!mediated_by
->is_mediation(mediated_by
))
651 DBG1(DBG_CFG
, "connection '%s' as referred to by '%s' is "
652 "no mediation connection, aborting",
653 msg
->add_conn
.ikeme
.mediated_by
, msg
->add_conn
.name
);
654 mediated_by
->destroy(mediated_by
);
657 if (msg
->add_conn
.ikeme
.peerid
)
659 peer_id
= identification_create_from_string(msg
->add_conn
.ikeme
.peerid
);
661 else if (msg
->add_conn
.other
.id
)
663 peer_id
= identification_create_from_string(msg
->add_conn
.other
.id
);
668 jitter
= msg
->add_conn
.rekey
.margin
* msg
->add_conn
.rekey
.fuzz
/ 100;
669 over
= msg
->add_conn
.rekey
.margin
;
670 if (msg
->add_conn
.rekey
.reauth
)
672 reauth
= msg
->add_conn
.rekey
.ike_lifetime
- over
;
676 rekey
= msg
->add_conn
.rekey
.ike_lifetime
- over
;
678 switch (msg
->add_conn
.unique
)
681 case 2: /* replace */
682 unique
= UNIQUE_REPLACE
;
685 unique
= UNIQUE_KEEP
;
688 unique
= UNIQUE_NEVER
;
694 if (msg
->add_conn
.dpd
.action
== 0)
695 { /* dpdaction=none disables DPD */
696 msg
->add_conn
.dpd
.delay
= 0;
699 /* other.sourceip is managed in stroke_attributes. If it is set, we define
700 * the pool name as the connection name, which the attribute provider
701 * uses to serve pool addresses. */
702 peer_cfg
= peer_cfg_create(msg
->add_conn
.name
, ike_cfg
,
703 msg
->add_conn
.me
.sendcert
, unique
,
704 msg
->add_conn
.rekey
.tries
, rekey
, reauth
, jitter
, over
,
705 msg
->add_conn
.mobike
, msg
->add_conn
.aggressive
,
706 msg
->add_conn
.pushmode
== 0,
707 msg
->add_conn
.dpd
.delay
, msg
->add_conn
.dpd
.timeout
,
708 msg
->add_conn
.ikeme
.mediation
, mediated_by
, peer_id
);
710 if (msg
->add_conn
.other
.sourceip
)
712 enumerator_t
*enumerator
;
715 enumerator
= enumerator_create_token(msg
->add_conn
.other
.sourceip
,
717 while (enumerator
->enumerate(enumerator
, &token
))
719 if (streq(token
, "%modeconfig") || streq(token
, "%modecfg") ||
720 streq(token
, "%config") || streq(token
, "%cfg") ||
721 streq(token
, "%config4") || streq(token
, "%config6"))
723 /* empty pool, uses connection name */
724 this->attributes
->add_pool(this->attributes
,
725 mem_pool_create(msg
->add_conn
.name
, NULL
, 0));
726 peer_cfg
->add_pool(peer_cfg
, msg
->add_conn
.name
);
728 else if (*token
== '%')
730 /* external named pool */
731 peer_cfg
->add_pool(peer_cfg
, token
+ 1);
735 /* in-memory pool, using range or CIDR notation */
740 pool
= create_pool_range(token
);
743 base
= host_create_from_subnet(token
, &bits
);
746 pool
= mem_pool_create(token
, base
, bits
);
752 this->attributes
->add_pool(this->attributes
, pool
);
753 peer_cfg
->add_pool(peer_cfg
, token
);
757 DBG1(DBG_CFG
, "IP pool %s invalid, ignored", token
);
761 enumerator
->destroy(enumerator
);
764 if (msg
->add_conn
.me
.sourceip
&& msg
->add_conn
.other
.sourceip
)
766 DBG1(DBG_CFG
, "'%s' has both left- and rightsourceip, but IKE can "
767 "negotiate one virtual IP only, ignoring local virtual IP",
770 else if (msg
->add_conn
.me
.sourceip
)
772 enumerator_t
*enumerator
;
775 enumerator
= enumerator_create_token(msg
->add_conn
.me
.sourceip
, ",", " ");
776 while (enumerator
->enumerate(enumerator
, &token
))
780 if (streq(token
, "%modeconfig") || streq(token
, "%modecfg") ||
781 streq(token
, "%config") || streq(token
, "%cfg"))
782 { /* try to deduce an address family */
783 if (msg
->add_conn
.me
.subnets
)
784 { /* use the same family as in local subnet, if any */
785 if (strchr(msg
->add_conn
.me
.subnets
, '.'))
787 vip
= host_create_any(AF_INET
);
791 vip
= host_create_any(AF_INET6
);
794 else if (msg
->add_conn
.other
.subnets
)
795 { /* use the same family as in remote subnet, if any */
796 if (strchr(msg
->add_conn
.other
.subnets
, '.'))
798 vip
= host_create_any(AF_INET
);
802 vip
= host_create_any(AF_INET6
);
807 char *addr
, *next
, *hit
;
809 /* guess virtual IP family based on local address. If
810 * multiple addresses are specified, we look at the first
811 * only, as with leftallowany a ::/0 is always appended. */
812 addr
= ike_cfg
->get_my_addr(ike_cfg
);
813 next
= strchr(addr
, ',');
814 hit
= strchr(addr
, ':');
815 if (hit
&& (!next
|| hit
< next
))
817 vip
= host_create_any(AF_INET6
);
821 vip
= host_create_any(AF_INET
);
825 else if (streq(token
, "%config4"))
827 vip
= host_create_any(AF_INET
);
829 else if (streq(token
, "%config6"))
831 vip
= host_create_any(AF_INET6
);
835 vip
= host_create_from_string(token
, 0);
838 DBG1(DBG_CFG
, "ignored invalid subnet token: %s", token
);
844 peer_cfg
->add_virtual_ip(peer_cfg
, vip
);
847 enumerator
->destroy(enumerator
);
850 /* build leftauth= */
851 auth_cfg
= build_auth_cfg(this, msg
, TRUE
, TRUE
);
854 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, TRUE
);
857 { /* we require at least one config on our side */
858 peer_cfg
->destroy(peer_cfg
);
861 /* build leftauth2= */
862 auth_cfg
= build_auth_cfg(this, msg
, TRUE
, FALSE
);
865 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, TRUE
);
867 /* build rightauth= */
868 auth_cfg
= build_auth_cfg(this, msg
, FALSE
, TRUE
);
871 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, FALSE
);
873 /* build rightauth2= */
874 auth_cfg
= build_auth_cfg(this, msg
, FALSE
, FALSE
);
877 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, FALSE
);
883 * Parse a protoport specifier
885 static bool parse_protoport(char *token
, u_int16_t
*from_port
,
886 u_int16_t
*to_port
, u_int8_t
*protocol
)
888 char *sep
, *port
= "", *endptr
;
889 struct protoent
*proto
;
893 sep
= strrchr(token
, ']');
900 sep
= strchr(token
, '/');
902 { /* protocol/port */
907 if (streq(token
, "%any"))
913 proto
= getprotobyname(token
);
916 *protocol
= proto
->p_proto
;
920 p
= strtol(token
, &endptr
, 0);
921 if ((*token
&& *endptr
) || p
< 0 || p
> 0xff)
925 *protocol
= (u_int8_t
)p
;
928 if (streq(port
, "%any"))
933 else if (streq(port
, "%opaque"))
940 svc
= getservbyname(port
, NULL
);
943 *from_port
= *to_port
= ntohs(svc
->s_port
);
947 p
= strtol(port
, &endptr
, 0);
948 if (p
< 0 || p
> 0xffff)
956 p
= strtol(port
, &endptr
, 0);
957 if (p
< 0 || p
> 0xffff)
973 * build a traffic selector from a stroke_end
975 static void add_ts(private_stroke_config_t
*this,
976 stroke_end_t
*end
, child_cfg_t
*child_cfg
, bool local
)
978 traffic_selector_t
*ts
;
982 ts
= traffic_selector_create_dynamic(end
->protocol
,
983 end
->from_port
, end
->to_port
);
984 child_cfg
->add_traffic_selector(child_cfg
, local
, ts
);
992 net
= host_create_from_string(end
->address
, 0);
995 ts
= traffic_selector_create_from_subnet(net
, 0, end
->protocol
,
996 end
->from_port
, end
->to_port
);
997 child_cfg
->add_traffic_selector(child_cfg
, local
, ts
);
1002 enumerator_t
*enumerator
;
1004 u_int16_t from_port
, to_port
;
1007 enumerator
= enumerator_create_token(end
->subnets
, ",", " ");
1008 while (enumerator
->enumerate(enumerator
, &subnet
))
1010 from_port
= end
->from_port
;
1011 to_port
= end
->to_port
;
1012 proto
= end
->protocol
;
1014 pos
= strchr(subnet
, '[');
1018 if (!parse_protoport(pos
, &from_port
, &to_port
, &proto
))
1020 DBG1(DBG_CFG
, "invalid proto/port: %s, skipped subnet",
1025 if (streq(subnet
, "%dynamic"))
1027 ts
= traffic_selector_create_dynamic(proto
,
1028 from_port
, to_port
);
1032 ts
= traffic_selector_create_from_cidr(subnet
, proto
,
1033 from_port
, to_port
);
1037 child_cfg
->add_traffic_selector(child_cfg
, local
, ts
);
1041 DBG1(DBG_CFG
, "invalid subnet: %s, skipped", subnet
);
1044 enumerator
->destroy(enumerator
);
1050 * map starter magic values to our action type
1052 static action_t
map_action(int starter_action
)
1054 switch (starter_action
)
1057 return ACTION_ROUTE
;
1058 case 3: /* =restart */
1059 return ACTION_RESTART
;
1066 * build a child config from the stroke message
1068 static child_cfg_t
*build_child_cfg(private_stroke_config_t
*this,
1071 child_cfg_t
*child_cfg
;
1072 lifetime_cfg_t lifetime
= {
1074 .life
= msg
->add_conn
.rekey
.ipsec_lifetime
,
1075 .rekey
= msg
->add_conn
.rekey
.ipsec_lifetime
- msg
->add_conn
.rekey
.margin
,
1076 .jitter
= msg
->add_conn
.rekey
.margin
* msg
->add_conn
.rekey
.fuzz
/ 100
1079 .life
= msg
->add_conn
.rekey
.life_bytes
,
1080 .rekey
= msg
->add_conn
.rekey
.life_bytes
- msg
->add_conn
.rekey
.margin_bytes
,
1081 .jitter
= msg
->add_conn
.rekey
.margin_bytes
* msg
->add_conn
.rekey
.fuzz
/ 100
1084 .life
= msg
->add_conn
.rekey
.life_packets
,
1085 .rekey
= msg
->add_conn
.rekey
.life_packets
- msg
->add_conn
.rekey
.margin_packets
,
1086 .jitter
= msg
->add_conn
.rekey
.margin_packets
* msg
->add_conn
.rekey
.fuzz
/ 100
1090 .value
= msg
->add_conn
.mark_in
.value
,
1091 .mask
= msg
->add_conn
.mark_in
.mask
1094 .value
= msg
->add_conn
.mark_out
.value
,
1095 .mask
= msg
->add_conn
.mark_out
.mask
1098 child_cfg
= child_cfg_create(
1099 msg
->add_conn
.name
, &lifetime
, msg
->add_conn
.me
.updown
,
1100 msg
->add_conn
.me
.hostaccess
, msg
->add_conn
.mode
, ACTION_NONE
,
1101 map_action(msg
->add_conn
.dpd
.action
),
1102 map_action(msg
->add_conn
.close_action
), msg
->add_conn
.ipcomp
,
1103 msg
->add_conn
.inactivity
, msg
->add_conn
.reqid
,
1104 &mark_in
, &mark_out
, msg
->add_conn
.tfc
);
1105 if (msg
->add_conn
.replay_window
!= -1)
1107 child_cfg
->set_replay_window(child_cfg
, msg
->add_conn
.replay_window
);
1109 child_cfg
->set_mipv6_options(child_cfg
, msg
->add_conn
.proxy_mode
,
1110 msg
->add_conn
.install_policy
);
1111 add_ts(this, &msg
->add_conn
.me
, child_cfg
, TRUE
);
1112 add_ts(this, &msg
->add_conn
.other
, child_cfg
, FALSE
);
1114 if (msg
->add_conn
.algorithms
.ah
)
1116 add_proposals(this, msg
->add_conn
.algorithms
.ah
,
1117 NULL
, child_cfg
, PROTO_AH
);
1121 add_proposals(this, msg
->add_conn
.algorithms
.esp
,
1122 NULL
, child_cfg
, PROTO_ESP
);
1127 METHOD(stroke_config_t
, add
, void,
1128 private_stroke_config_t
*this, stroke_msg_t
*msg
)
1130 ike_cfg_t
*ike_cfg
, *existing_ike
;
1131 peer_cfg_t
*peer_cfg
, *existing
;
1132 child_cfg_t
*child_cfg
;
1133 enumerator_t
*enumerator
;
1134 bool use_existing
= FALSE
;
1136 ike_cfg
= build_ike_cfg(this, msg
);
1141 peer_cfg
= build_peer_cfg(this, msg
, ike_cfg
);
1144 ike_cfg
->destroy(ike_cfg
);
1148 enumerator
= create_peer_cfg_enumerator(this, NULL
, NULL
);
1149 while (enumerator
->enumerate(enumerator
, &existing
))
1151 existing_ike
= existing
->get_ike_cfg(existing
);
1152 if (existing
->equals(existing
, peer_cfg
) &&
1153 existing_ike
->equals(existing_ike
, peer_cfg
->get_ike_cfg(peer_cfg
)))
1155 use_existing
= TRUE
;
1156 peer_cfg
->destroy(peer_cfg
);
1157 peer_cfg
= existing
;
1158 peer_cfg
->get_ref(peer_cfg
);
1159 DBG1(DBG_CFG
, "added child to existing configuration '%s'",
1160 peer_cfg
->get_name(peer_cfg
));
1164 enumerator
->destroy(enumerator
);
1166 child_cfg
= build_child_cfg(this, msg
);
1169 peer_cfg
->destroy(peer_cfg
);
1172 peer_cfg
->add_child_cfg(peer_cfg
, child_cfg
);
1176 peer_cfg
->destroy(peer_cfg
);
1180 /* add config to backend */
1181 DBG1(DBG_CFG
, "added configuration '%s'", msg
->add_conn
.name
);
1182 this->mutex
->lock(this->mutex
);
1183 this->list
->insert_last(this->list
, peer_cfg
);
1184 this->mutex
->unlock(this->mutex
);
1188 METHOD(stroke_config_t
, del
, void,
1189 private_stroke_config_t
*this, stroke_msg_t
*msg
)
1191 enumerator_t
*enumerator
, *children
;
1194 bool deleted
= FALSE
;
1196 this->mutex
->lock(this->mutex
);
1197 enumerator
= this->list
->create_enumerator(this->list
);
1198 while (enumerator
->enumerate(enumerator
, &peer
))
1202 /* remove any child with such a name */
1203 children
= peer
->create_child_cfg_enumerator(peer
);
1204 while (children
->enumerate(children
, &child
))
1206 if (streq(child
->get_name(child
), msg
->del_conn
.name
))
1208 peer
->remove_child_cfg(peer
, children
);
1209 child
->destroy(child
);
1217 children
->destroy(children
);
1219 /* if peer config has no children anymore, remove it */
1222 this->list
->remove_at(this->list
, enumerator
);
1223 peer
->destroy(peer
);
1226 enumerator
->destroy(enumerator
);
1227 this->mutex
->unlock(this->mutex
);
1231 DBG1(DBG_CFG
, "deleted connection '%s'", msg
->del_conn
.name
);
1235 DBG1(DBG_CFG
, "connection '%s' not found", msg
->del_conn
.name
);
1239 METHOD(stroke_config_t
, set_user_credentials
, void,
1240 private_stroke_config_t
*this, stroke_msg_t
*msg
, FILE *prompt
)
1242 enumerator_t
*enumerator
, *children
, *remote_auth
;
1243 peer_cfg_t
*peer
, *found
= NULL
;
1244 auth_cfg_t
*auth_cfg
, *remote_cfg
;
1245 auth_class_t auth_class
;
1247 identification_t
*id
, *identity
, *gw
= NULL
;
1248 shared_key_type_t type
= SHARED_ANY
;
1249 chunk_t password
= chunk_empty
;
1251 this->mutex
->lock(this->mutex
);
1252 enumerator
= this->list
->create_enumerator(this->list
);
1253 while (enumerator
->enumerate(enumerator
, (void**)&peer
))
1254 { /* find the peer (or child) config with the given name */
1255 if (streq(peer
->get_name(peer
), msg
->user_creds
.name
))
1261 children
= peer
->create_child_cfg_enumerator(peer
);
1262 while (children
->enumerate(children
, &child
))
1264 if (streq(child
->get_name(child
), msg
->user_creds
.name
))
1270 children
->destroy(children
);
1278 enumerator
->destroy(enumerator
);
1282 DBG1(DBG_CFG
, " no config named '%s'", msg
->user_creds
.name
);
1283 fprintf(prompt
, "no config named '%s'\n", msg
->user_creds
.name
);
1284 this->mutex
->unlock(this->mutex
);
1288 id
= identification_create_from_string(msg
->user_creds
.username
);
1289 if (strlen(msg
->user_creds
.username
) == 0 ||
1290 !id
|| id
->get_type(id
) == ID_ANY
)
1292 DBG1(DBG_CFG
, " invalid username '%s'", msg
->user_creds
.username
);
1293 fprintf(prompt
, "invalid username '%s'\n", msg
->user_creds
.username
);
1294 this->mutex
->unlock(this->mutex
);
1299 /* replace/set the username in the first EAP/XAuth auth_cfg, also look for
1300 * a suitable remote ID.
1301 * note that adding the identity here is not fully thread-safe as the
1302 * peer_cfg and in turn the auth_cfg could be in use. for the default use
1303 * case (setting user credentials before upping the connection) this will
1304 * not be a problem, though. */
1305 enumerator
= found
->create_auth_cfg_enumerator(found
, TRUE
);
1306 remote_auth
= found
->create_auth_cfg_enumerator(found
, FALSE
);
1307 while (enumerator
->enumerate(enumerator
, (void**)&auth_cfg
))
1309 if (remote_auth
->enumerate(remote_auth
, (void**)&remote_cfg
))
1310 { /* fall back on rightid, in case aaa_identity is not specified */
1311 identity
= remote_cfg
->get(remote_cfg
, AUTH_RULE_IDENTITY
);
1312 if (identity
&& identity
->get_type(identity
) != ID_ANY
)
1318 auth_class
= (uintptr_t)auth_cfg
->get(auth_cfg
, AUTH_RULE_AUTH_CLASS
);
1319 if (auth_class
== AUTH_CLASS_EAP
|| auth_class
== AUTH_CLASS_XAUTH
)
1321 if (auth_class
== AUTH_CLASS_EAP
)
1323 auth_cfg
->add(auth_cfg
, AUTH_RULE_EAP_IDENTITY
, id
->clone(id
));
1324 /* if aaa_identity is specified use that as remote ID */
1325 identity
= auth_cfg
->get(auth_cfg
, AUTH_RULE_AAA_IDENTITY
);
1326 if (identity
&& identity
->get_type(identity
) != ID_ANY
)
1330 DBG1(DBG_CFG
, " configured EAP-Identity %Y", id
);
1334 auth_cfg
->add(auth_cfg
, AUTH_RULE_XAUTH_IDENTITY
,
1336 DBG1(DBG_CFG
, " configured XAuth username %Y", id
);
1342 enumerator
->destroy(enumerator
);
1343 remote_auth
->destroy(remote_auth
);
1344 /* clone the gw ID before unlocking the mutex */
1349 this->mutex
->unlock(this->mutex
);
1351 if (type
== SHARED_ANY
)
1353 DBG1(DBG_CFG
, " config '%s' unsuitable for user credentials",
1354 msg
->user_creds
.name
);
1355 fprintf(prompt
, "config '%s' unsuitable for user credentials\n",
1356 msg
->user_creds
.name
);
1362 if (msg
->user_creds
.password
)
1366 pass
= msg
->user_creds
.password
;
1367 password
= chunk_clone(chunk_create(pass
, strlen(pass
)));
1368 memwipe(pass
, strlen(pass
));
1371 { /* prompt the user for the password */
1374 fprintf(prompt
, "Password:\n");
1375 if (fgets(buf
, sizeof(buf
), prompt
))
1377 password
= chunk_clone(chunk_create(buf
, strlen(buf
)));
1378 if (password
.len
> 0)
1379 { /* trim trailing \n */
1382 memwipe(buf
, sizeof(buf
));
1388 shared_key_t
*shared
;
1389 linked_list_t
*owners
;
1391 shared
= shared_key_create(type
, password
);
1393 owners
= linked_list_create();
1394 owners
->insert_last(owners
, id
->clone(id
));
1395 if (gw
&& gw
->get_type(gw
) != ID_ANY
)
1397 owners
->insert_last(owners
, gw
->clone(gw
));
1398 DBG1(DBG_CFG
, " added %N secret for %Y %Y", shared_key_type_names
,
1403 DBG1(DBG_CFG
, " added %N secret for %Y", shared_key_type_names
,
1406 this->cred
->add_shared(this->cred
, shared
, owners
);
1407 DBG4(DBG_CFG
, " secret: %#B", &password
);
1410 { /* in case a user answers the password prompt by just pressing enter */
1411 chunk_clear(&password
);
1417 METHOD(stroke_config_t
, destroy
, void,
1418 private_stroke_config_t
*this)
1420 this->list
->destroy_offset(this->list
, offsetof(peer_cfg_t
, destroy
));
1421 this->mutex
->destroy(this->mutex
);
1428 stroke_config_t
*stroke_config_create(stroke_ca_t
*ca
, stroke_cred_t
*cred
,
1429 stroke_attribute_t
*attributes
)
1431 private_stroke_config_t
*this;
1436 .create_peer_cfg_enumerator
= _create_peer_cfg_enumerator
,
1437 .create_ike_cfg_enumerator
= _create_ike_cfg_enumerator
,
1438 .get_peer_cfg_by_name
= _get_peer_cfg_by_name
,
1442 .set_user_credentials
= _set_user_credentials
,
1443 .destroy
= _destroy
,
1445 .list
= linked_list_create(),
1446 .mutex
= mutex_create(MUTEX_TYPE_RECURSIVE
),
1449 .attributes
= attributes
,
1452 return &this->public;