2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 #include "stroke_config.h"
21 #include <threading/mutex.h>
22 #include <utils/lexparser.h>
24 typedef struct private_stroke_config_t private_stroke_config_t
;
27 * private data of stroke_config
29 struct private_stroke_config_t
{
34 stroke_config_t
public;
42 * mutex to lock config list
57 * Virtual IP pool / DNS backend
59 stroke_attribute_t
*attributes
;
62 METHOD(backend_t
, create_peer_cfg_enumerator
, enumerator_t
*,
63 private_stroke_config_t
*this, identification_t
*me
, identification_t
*other
)
65 this->mutex
->lock(this->mutex
);
66 return enumerator_create_cleaner(this->list
->create_enumerator(this->list
),
67 (void*)this->mutex
->unlock
, this->mutex
);
71 * filter function for ike configs
73 static bool ike_filter(void *data
, peer_cfg_t
**in
, ike_cfg_t
**out
)
75 *out
= (*in
)->get_ike_cfg(*in
);
79 METHOD(backend_t
, create_ike_cfg_enumerator
, enumerator_t
*,
80 private_stroke_config_t
*this, host_t
*me
, host_t
*other
)
82 this->mutex
->lock(this->mutex
);
83 return enumerator_create_filter(this->list
->create_enumerator(this->list
),
84 (void*)ike_filter
, this->mutex
,
85 (void*)this->mutex
->unlock
);
88 METHOD(backend_t
, get_peer_cfg_by_name
, peer_cfg_t
*,
89 private_stroke_config_t
*this, char *name
)
91 enumerator_t
*e1
, *e2
;
92 peer_cfg_t
*current
, *found
= NULL
;
95 this->mutex
->lock(this->mutex
);
96 e1
= this->list
->create_enumerator(this->list
);
97 while (e1
->enumerate(e1
, ¤t
))
99 /* compare peer_cfgs name first */
100 if (streq(current
->get_name(current
), name
))
103 found
->get_ref(found
);
106 /* compare all child_cfg names otherwise */
107 e2
= current
->create_child_cfg_enumerator(current
);
108 while (e2
->enumerate(e2
, &child
))
110 if (streq(child
->get_name(child
), name
))
113 found
->get_ref(found
);
124 this->mutex
->unlock(this->mutex
);
129 * parse a proposal string, either into ike_cfg or child_cfg
131 static void add_proposals(private_stroke_config_t
*this, char *string
,
132 ike_cfg_t
*ike_cfg
, child_cfg_t
*child_cfg
)
138 proposal_t
*proposal
;
139 protocol_id_t proto
= PROTO_ESP
;
145 strict
= string
+ strlen(string
) - 1;
154 while ((single
= strsep(&string
, ",")))
156 proposal
= proposal_create_from_string(proto
, single
);
161 ike_cfg
->add_proposal(ike_cfg
, proposal
);
165 child_cfg
->add_proposal(child_cfg
, proposal
);
169 DBG1(DBG_CFG
, "skipped invalid proposal string: %s", single
);
175 /* add default porposal to the end if not strict */
179 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default(PROTO_IKE
));
183 child_cfg
->add_proposal(child_cfg
, proposal_create_default(PROTO_ESP
));
188 * Build an IKE config from a stroke message
190 static ike_cfg_t
*build_ike_cfg(private_stroke_config_t
*this, stroke_msg_t
*msg
)
192 stroke_end_t tmp_end
;
198 host
= host_create_from_dns(msg
->add_conn
.other
.address
, 0, 0);
201 interface
= hydra
->kernel_interface
->get_interface(
202 hydra
->kernel_interface
, host
);
206 DBG2(DBG_CFG
, "left is other host, swapping ends");
207 tmp_end
= msg
->add_conn
.me
;
208 msg
->add_conn
.me
= msg
->add_conn
.other
;
209 msg
->add_conn
.other
= tmp_end
;
214 host
= host_create_from_dns(msg
->add_conn
.me
.address
, 0, 0);
217 interface
= hydra
->kernel_interface
->get_interface(
218 hydra
->kernel_interface
, host
);
222 DBG1(DBG_CFG
, "left nor right host is our side, "
223 "assuming left=local");
233 ikeport
= msg
->add_conn
.me
.ikeport
;
234 ikeport
= (ikeport
== IKEV2_UDP_PORT
) ?
235 charon
->socket
->get_port(charon
->socket
, FALSE
) : ikeport
;
236 ike_cfg
= ike_cfg_create(msg
->add_conn
.other
.sendcert
!= CERT_NEVER_SEND
,
237 msg
->add_conn
.force_encap
,
238 msg
->add_conn
.me
.address
,
239 msg
->add_conn
.me
.allow_any
,
241 msg
->add_conn
.other
.address
,
242 msg
->add_conn
.other
.allow_any
,
243 msg
->add_conn
.other
.ikeport
);
244 add_proposals(this, msg
->add_conn
.algorithms
.ike
, ike_cfg
, NULL
);
249 * Add CRL constraint to config
251 static void build_crl_policy(auth_cfg_t
*cfg
, bool local
, int policy
)
253 /* CRL/OCSP policy, for remote config only */
259 /* if yes, we require a GOOD validation */
260 cfg
->add(cfg
, AUTH_RULE_CRL_VALIDATION
, VALIDATION_GOOD
);
262 case CRL_STRICT_IFURI
:
263 /* for ifuri, a SKIPPED validation is sufficient */
264 cfg
->add(cfg
, AUTH_RULE_CRL_VALIDATION
, VALIDATION_SKIPPED
);
273 * Parse public key / signature strength constraints
275 static void parse_pubkey_constraints(char *auth
, auth_cfg_t
*cfg
)
277 enumerator_t
*enumerator
;
278 bool rsa
= FALSE
, ecdsa
= FALSE
, rsa_len
= FALSE
, ecdsa_len
= FALSE
;
282 enumerator
= enumerator_create_token(auth
, "-", "");
283 while (enumerator
->enumerate(enumerator
, &token
))
289 signature_scheme_t scheme
;
292 { "md5", SIGN_RSA_EMSA_PKCS1_MD5
, KEY_RSA
, },
293 { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1
, KEY_RSA
, },
294 { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224
, KEY_RSA
, },
295 { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256
, KEY_RSA
, },
296 { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384
, KEY_RSA
, },
297 { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512
, KEY_RSA
, },
298 { "sha1", SIGN_ECDSA_WITH_SHA1_DER
, KEY_ECDSA
, },
299 { "sha256", SIGN_ECDSA_WITH_SHA256_DER
, KEY_ECDSA
, },
300 { "sha384", SIGN_ECDSA_WITH_SHA384_DER
, KEY_ECDSA
, },
301 { "sha512", SIGN_ECDSA_WITH_SHA512_DER
, KEY_ECDSA
, },
302 { "sha256", SIGN_ECDSA_256
, KEY_ECDSA
, },
303 { "sha384", SIGN_ECDSA_384
, KEY_ECDSA
, },
304 { "sha512", SIGN_ECDSA_521
, KEY_ECDSA
, },
307 if (rsa_len
|| ecdsa_len
)
308 { /* expecting a key strength token */
309 strength
= atoi(token
);
314 cfg
->add(cfg
, AUTH_RULE_RSA_STRENGTH
, (uintptr_t)strength
);
318 cfg
->add(cfg
, AUTH_RULE_ECDSA_STRENGTH
, (uintptr_t)strength
);
321 rsa_len
= ecdsa_len
= FALSE
;
327 if (streq(token
, "rsa"))
329 rsa
= rsa_len
= TRUE
;
332 if (streq(token
, "ecdsa"))
334 ecdsa
= ecdsa_len
= TRUE
;
337 if (streq(token
, "pubkey"))
342 for (i
= 0; i
< countof(schemes
); i
++)
344 if (streq(schemes
[i
].name
, token
))
346 /* for each matching string, allow the scheme, if:
347 * - it is an RSA scheme, and we enforced RSA
348 * - it is an ECDSA scheme, and we enforced ECDSA
349 * - it is not a key type specific scheme
351 if ((rsa
&& schemes
[i
].key
== KEY_RSA
) ||
352 (ecdsa
&& schemes
[i
].key
== KEY_ECDSA
) ||
355 cfg
->add(cfg
, AUTH_RULE_SIGNATURE_SCHEME
,
356 (uintptr_t)schemes
[i
].scheme
);
363 DBG1(DBG_CFG
, "ignoring invalid auth token: '%s'", token
);
366 enumerator
->destroy(enumerator
);
370 * build authentication config
372 static auth_cfg_t
*build_auth_cfg(private_stroke_config_t
*this,
373 stroke_msg_t
*msg
, bool local
, bool primary
)
375 identification_t
*identity
;
376 certificate_t
*certificate
;
377 char *auth
, *id
, *pubkey
, *cert
, *ca
, *groups
;
378 stroke_end_t
*end
, *other_end
;
384 end
= &msg
->add_conn
.me
;
385 other_end
= &msg
->add_conn
.other
;
389 end
= &msg
->add_conn
.other
;
390 other_end
= &msg
->add_conn
.me
;
397 { /* leftid/rightid fallback to address */
402 if (ca
&& streq(ca
, "%same"))
412 { /* leftid2 falls back to leftid */
417 if (ca
&& streq(ca
, "%same"))
430 { /* no second authentication round, fine. But load certificates
431 * for other purposes (EAP-TLS) */
434 certificate
= this->cred
->load_peer(this->cred
, cert
);
437 certificate
->destroy(certificate
);
444 cfg
= auth_cfg_create();
446 /* add identity and peer certifcate */
447 identity
= identification_create_from_string(id
);
450 certificate
= this->cred
->load_peer(this->cred
, cert
);
455 this->ca
->check_for_hash_and_url(this->ca
, certificate
);
457 cfg
->add(cfg
, AUTH_RULE_SUBJECT_CERT
, certificate
);
458 if (identity
->get_type(identity
) == ID_ANY
||
459 !certificate
->has_subject(certificate
, identity
))
461 DBG1(DBG_CFG
, " id '%Y' not confirmed by certificate, "
462 "defaulting to '%Y'", identity
,
463 certificate
->get_subject(certificate
));
464 identity
->destroy(identity
);
465 identity
= certificate
->get_subject(certificate
);
466 identity
= identity
->clone(identity
);
470 if (identity
->get_type(identity
) != ID_ANY
)
472 cfg
->add(cfg
, AUTH_RULE_IDENTITY
, identity
);
476 identity
->destroy(identity
);
479 /* add raw RSA public key */
480 pubkey
= end
->rsakey
;
481 if (pubkey
&& !streq(pubkey
, "") && !streq(pubkey
, "%cert"))
483 certificate
= this->cred
->load_pubkey(this->cred
, KEY_RSA
, pubkey
,
487 cfg
->add(cfg
, AUTH_RULE_SUBJECT_CERT
, certificate
);
494 identity
= identification_create_from_string(ca
);
495 certificate
= lib
->credmgr
->get_cert(lib
->credmgr
, CERT_X509
,
496 KEY_ANY
, identity
, TRUE
);
497 identity
->destroy(identity
);
500 cfg
->add(cfg
, AUTH_RULE_CA_CERT
, certificate
);
504 DBG1(DBG_CFG
, "CA certificate \"%s\" not found, discarding CA "
510 groups
= primary
? end
->groups
: end
->groups2
;
513 enumerator_t
*enumerator
;
516 enumerator
= enumerator_create_token(groups
, ",", " ");
517 while (enumerator
->enumerate(enumerator
, &group
))
519 cfg
->add(cfg
, AUTH_RULE_GROUP
,
520 identification_create_from_string(group
));
522 enumerator
->destroy(enumerator
);
525 /* certificatePolicies */
526 if (end
->cert_policy
)
528 enumerator_t
*enumerator
;
531 enumerator
= enumerator_create_token(end
->cert_policy
, ",", " ");
532 while (enumerator
->enumerate(enumerator
, &policy
))
534 cfg
->add(cfg
, AUTH_RULE_CERT_POLICY
, strdup(policy
));
536 enumerator
->destroy(enumerator
);
539 /* authentication metod (class, actually) */
540 if (strneq(auth
, "pubkey", strlen("pubkey")) ||
541 strneq(auth
, "rsa", strlen("rsa")) ||
542 strneq(auth
, "ecdsa", strlen("ecdsa")))
544 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
545 build_crl_policy(cfg
, local
, msg
->add_conn
.crl_policy
);
547 parse_pubkey_constraints(auth
, cfg
);
549 else if (streq(auth
, "psk") || streq(auth
, "secret"))
551 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PSK
);
553 else if (strneq(auth
, "xauth", 5))
557 pos
= strchr(auth
, '-');
560 cfg
->add(cfg
, AUTH_RULE_XAUTH_BACKEND
, strdup(++pos
));
562 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_XAUTH
);
563 if (msg
->add_conn
.xauth_identity
)
565 cfg
->add(cfg
, AUTH_RULE_XAUTH_IDENTITY
,
566 identification_create_from_string(msg
->add_conn
.xauth_identity
));
569 else if (strneq(auth
, "eap", 3))
571 enumerator_t
*enumerator
;
573 int i
= 0, type
= 0, vendor
;
575 cfg
->add(cfg
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_EAP
);
577 /* parse EAP string, format: eap[-type[-vendor]] */
578 enumerator
= enumerator_create_token(auth
, "-", " ");
579 while (enumerator
->enumerate(enumerator
, &str
))
584 type
= eap_type_from_string(str
);
590 DBG1(DBG_CFG
, "unknown EAP method: %s", str
);
594 cfg
->add(cfg
, AUTH_RULE_EAP_TYPE
, type
);
602 cfg
->add(cfg
, AUTH_RULE_EAP_VENDOR
, vendor
);
606 DBG1(DBG_CFG
, "unknown EAP vendor: %s", str
);
615 enumerator
->destroy(enumerator
);
617 if (msg
->add_conn
.eap_identity
)
619 if (streq(msg
->add_conn
.eap_identity
, "%identity"))
621 identity
= identification_create_from_encoding(ID_ANY
,
626 identity
= identification_create_from_string(
627 msg
->add_conn
.eap_identity
);
629 cfg
->add(cfg
, AUTH_RULE_EAP_IDENTITY
, identity
);
631 if (msg
->add_conn
.aaa_identity
)
633 cfg
->add(cfg
, AUTH_RULE_AAA_IDENTITY
,
634 identification_create_from_string(msg
->add_conn
.aaa_identity
));
639 if (!streq(auth
, "any"))
641 DBG1(DBG_CFG
, "authentication method %s unknown, fallback to any",
644 build_crl_policy(cfg
, local
, msg
->add_conn
.crl_policy
);
650 * build a peer_cfg from a stroke msg
652 static peer_cfg_t
*build_peer_cfg(private_stroke_config_t
*this,
653 stroke_msg_t
*msg
, ike_cfg_t
*ike_cfg
)
655 identification_t
*peer_id
= NULL
;
656 peer_cfg_t
*mediated_by
= NULL
;
657 unique_policy_t unique
;
658 u_int32_t rekey
= 0, reauth
= 0, over
, jitter
;
659 peer_cfg_t
*peer_cfg
;
660 auth_cfg_t
*auth_cfg
;
663 if (msg
->add_conn
.ikeme
.mediation
&& msg
->add_conn
.ikeme
.mediated_by
)
665 DBG1(DBG_CFG
, "a mediation connection cannot be a mediated connection "
666 "at the same time, aborting");
670 if (msg
->add_conn
.ikeme
.mediation
)
672 /* force unique connections for mediation connections */
673 msg
->add_conn
.unique
= 1;
676 if (msg
->add_conn
.ikeme
.mediated_by
)
678 mediated_by
= charon
->backends
->get_peer_cfg_by_name(charon
->backends
,
679 msg
->add_conn
.ikeme
.mediated_by
);
682 DBG1(DBG_CFG
, "mediation connection '%s' not found, aborting",
683 msg
->add_conn
.ikeme
.mediated_by
);
686 if (!mediated_by
->is_mediation(mediated_by
))
688 DBG1(DBG_CFG
, "connection '%s' as referred to by '%s' is "
689 "no mediation connection, aborting",
690 msg
->add_conn
.ikeme
.mediated_by
, msg
->add_conn
.name
);
691 mediated_by
->destroy(mediated_by
);
694 if (msg
->add_conn
.ikeme
.peerid
)
696 peer_id
= identification_create_from_string(msg
->add_conn
.ikeme
.peerid
);
698 else if (msg
->add_conn
.other
.id
)
700 peer_id
= identification_create_from_string(msg
->add_conn
.other
.id
);
705 jitter
= msg
->add_conn
.rekey
.margin
* msg
->add_conn
.rekey
.fuzz
/ 100;
706 over
= msg
->add_conn
.rekey
.margin
;
707 if (msg
->add_conn
.rekey
.reauth
)
709 reauth
= msg
->add_conn
.rekey
.ike_lifetime
- over
;
713 rekey
= msg
->add_conn
.rekey
.ike_lifetime
- over
;
715 switch (msg
->add_conn
.unique
)
718 case 2: /* replace */
719 unique
= UNIQUE_REPLACE
;
722 unique
= UNIQUE_KEEP
;
728 if (msg
->add_conn
.dpd
.action
== 0)
729 { /* dpdaction=none disables DPD */
730 msg
->add_conn
.dpd
.delay
= 0;
733 /* other.sourceip is managed in stroke_attributes. If it is set, we define
734 * the pool name as the connection name, which the attribute provider
735 * uses to serve pool addresses. */
736 peer_cfg
= peer_cfg_create(msg
->add_conn
.name
,
737 msg
->add_conn
.version
, ike_cfg
,
738 msg
->add_conn
.me
.sendcert
, unique
,
739 msg
->add_conn
.rekey
.tries
, rekey
, reauth
, jitter
, over
,
740 msg
->add_conn
.mobike
, msg
->add_conn
.aggressive
,
741 msg
->add_conn
.dpd
.delay
, msg
->add_conn
.dpd
.timeout
,
742 msg
->add_conn
.ikeme
.mediation
, mediated_by
, peer_id
);
744 if (msg
->add_conn
.other
.sourceip
)
746 enumerator_t
*enumerator
;
749 enumerator
= enumerator_create_token(msg
->add_conn
.other
.sourceip
,
751 while (enumerator
->enumerate(enumerator
, &token
))
753 if (streq(token
, "%modeconfig") || streq(token
, "%modecfg") ||
754 streq(token
, "%config") || streq(token
, "%cfg") ||
755 streq(token
, "%config4") || streq(token
, "%config6"))
757 /* empty pool, uses connection name */
758 this->attributes
->add_pool(this->attributes
,
759 mem_pool_create(msg
->add_conn
.name
, NULL
, 0));
760 peer_cfg
->add_pool(peer_cfg
, msg
->add_conn
.name
);
762 else if (*token
== '%')
764 /* external named pool */
765 peer_cfg
->add_pool(peer_cfg
, token
+ 1);
769 /* in-memory pool, named using CIDR notation */
773 base
= host_create_from_subnet(token
, &bits
);
776 this->attributes
->add_pool(this->attributes
,
777 mem_pool_create(token
, base
, bits
));
778 peer_cfg
->add_pool(peer_cfg
, token
);
783 DBG1(DBG_CFG
, "IP pool %s invalid, ignored", token
);
787 enumerator
->destroy(enumerator
);
790 if (msg
->add_conn
.me
.sourceip
)
792 enumerator_t
*enumerator
;
795 enumerator
= enumerator_create_token(msg
->add_conn
.me
.sourceip
, ",", " ");
796 while (enumerator
->enumerate(enumerator
, &token
))
800 if (streq(token
, "%modeconfig") || streq(token
, "%modecfg") ||
801 streq(token
, "%config") || streq(token
, "%cfg"))
802 { /* try to deduce an address family */
803 if (msg
->add_conn
.me
.subnets
)
804 { /* use the same family as in local subnet, if any */
805 if (strchr(msg
->add_conn
.me
.subnets
, '.'))
807 vip
= host_create_any(AF_INET
);
811 vip
= host_create_any(AF_INET6
);
814 else if (msg
->add_conn
.other
.subnets
)
815 { /* use the same family as in remote subnet, if any */
816 if (strchr(msg
->add_conn
.other
.subnets
, '.'))
818 vip
= host_create_any(AF_INET
);
822 vip
= host_create_any(AF_INET6
);
827 if (strchr(ike_cfg
->get_my_addr(ike_cfg
, NULL
), ':'))
829 vip
= host_create_any(AF_INET6
);
833 vip
= host_create_any(AF_INET
);
837 else if (streq(token
, "%config4"))
839 vip
= host_create_any(AF_INET
);
841 else if (streq(token
, "%config6"))
843 vip
= host_create_any(AF_INET6
);
847 vip
= host_create_from_string(token
, 0);
850 DBG1(DBG_CFG
, "ignored invalid subnet token: %s", token
);
856 peer_cfg
->add_virtual_ip(peer_cfg
, vip
);
859 enumerator
->destroy(enumerator
);
862 /* build leftauth= */
863 auth_cfg
= build_auth_cfg(this, msg
, TRUE
, TRUE
);
866 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, TRUE
);
869 { /* we require at least one config on our side */
870 peer_cfg
->destroy(peer_cfg
);
873 /* build leftauth2= */
874 auth_cfg
= build_auth_cfg(this, msg
, TRUE
, FALSE
);
877 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, TRUE
);
879 /* build rightauth= */
880 auth_cfg
= build_auth_cfg(this, msg
, FALSE
, TRUE
);
883 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, FALSE
);
885 /* build rightauth2= */
886 auth_cfg
= build_auth_cfg(this, msg
, FALSE
, FALSE
);
889 peer_cfg
->add_auth_cfg(peer_cfg
, auth_cfg
, FALSE
);
895 * build a traffic selector from a stroke_end
897 static void add_ts(private_stroke_config_t
*this,
898 stroke_end_t
*end
, child_cfg_t
*child_cfg
, bool local
)
900 traffic_selector_t
*ts
;
904 ts
= traffic_selector_create_dynamic(end
->protocol
,
905 end
->port
? end
->port
: 0, end
->port
? end
->port
: 65535);
906 child_cfg
->add_traffic_selector(child_cfg
, local
, ts
);
914 net
= host_create_from_string(end
->address
, 0);
917 ts
= traffic_selector_create_from_subnet(net
, 0, end
->protocol
,
919 child_cfg
->add_traffic_selector(child_cfg
, local
, ts
);
924 char *del
, *start
, *bits
;
926 start
= end
->subnets
;
931 del
= strchr(start
, ',');
936 bits
= strchr(start
, '/');
940 intbits
= atoi(bits
+ 1);
943 net
= host_create_from_string(start
, 0);
946 ts
= traffic_selector_create_from_subnet(net
, intbits
,
947 end
->protocol
, end
->port
);
948 child_cfg
->add_traffic_selector(child_cfg
, local
, ts
);
952 DBG1(DBG_CFG
, "invalid subnet: %s, skipped", start
);
962 * map starter magic values to our action type
964 static action_t
map_action(int starter_action
)
966 switch (starter_action
)
970 case 3: /* =restart */
971 return ACTION_RESTART
;
978 * build a child config from the stroke message
980 static child_cfg_t
*build_child_cfg(private_stroke_config_t
*this,
983 child_cfg_t
*child_cfg
;
984 lifetime_cfg_t lifetime
= {
986 .life
= msg
->add_conn
.rekey
.ipsec_lifetime
,
987 .rekey
= msg
->add_conn
.rekey
.ipsec_lifetime
- msg
->add_conn
.rekey
.margin
,
988 .jitter
= msg
->add_conn
.rekey
.margin
* msg
->add_conn
.rekey
.fuzz
/ 100
991 .life
= msg
->add_conn
.rekey
.life_bytes
,
992 .rekey
= msg
->add_conn
.rekey
.life_bytes
- msg
->add_conn
.rekey
.margin_bytes
,
993 .jitter
= msg
->add_conn
.rekey
.margin_bytes
* msg
->add_conn
.rekey
.fuzz
/ 100
996 .life
= msg
->add_conn
.rekey
.life_packets
,
997 .rekey
= msg
->add_conn
.rekey
.life_packets
- msg
->add_conn
.rekey
.margin_packets
,
998 .jitter
= msg
->add_conn
.rekey
.margin_packets
* msg
->add_conn
.rekey
.fuzz
/ 100
1002 .value
= msg
->add_conn
.mark_in
.value
,
1003 .mask
= msg
->add_conn
.mark_in
.mask
1006 .value
= msg
->add_conn
.mark_out
.value
,
1007 .mask
= msg
->add_conn
.mark_out
.mask
1010 child_cfg
= child_cfg_create(
1011 msg
->add_conn
.name
, &lifetime
, msg
->add_conn
.me
.updown
,
1012 msg
->add_conn
.me
.hostaccess
, msg
->add_conn
.mode
, ACTION_NONE
,
1013 map_action(msg
->add_conn
.dpd
.action
),
1014 map_action(msg
->add_conn
.close_action
), msg
->add_conn
.ipcomp
,
1015 msg
->add_conn
.inactivity
, msg
->add_conn
.reqid
,
1016 &mark_in
, &mark_out
, msg
->add_conn
.tfc
);
1017 child_cfg
->set_mipv6_options(child_cfg
, msg
->add_conn
.proxy_mode
,
1018 msg
->add_conn
.install_policy
);
1019 add_ts(this, &msg
->add_conn
.me
, child_cfg
, TRUE
);
1020 add_ts(this, &msg
->add_conn
.other
, child_cfg
, FALSE
);
1022 add_proposals(this, msg
->add_conn
.algorithms
.esp
, NULL
, child_cfg
);
1027 METHOD(stroke_config_t
, add
, void,
1028 private_stroke_config_t
*this, stroke_msg_t
*msg
)
1030 ike_cfg_t
*ike_cfg
, *existing_ike
;
1031 peer_cfg_t
*peer_cfg
, *existing
;
1032 child_cfg_t
*child_cfg
;
1033 enumerator_t
*enumerator
;
1034 bool use_existing
= FALSE
;
1036 ike_cfg
= build_ike_cfg(this, msg
);
1041 peer_cfg
= build_peer_cfg(this, msg
, ike_cfg
);
1044 ike_cfg
->destroy(ike_cfg
);
1048 enumerator
= create_peer_cfg_enumerator(this, NULL
, NULL
);
1049 while (enumerator
->enumerate(enumerator
, &existing
))
1051 existing_ike
= existing
->get_ike_cfg(existing
);
1052 if (existing
->equals(existing
, peer_cfg
) &&
1053 existing_ike
->equals(existing_ike
, peer_cfg
->get_ike_cfg(peer_cfg
)))
1055 use_existing
= TRUE
;
1056 peer_cfg
->destroy(peer_cfg
);
1057 peer_cfg
= existing
;
1058 peer_cfg
->get_ref(peer_cfg
);
1059 DBG1(DBG_CFG
, "added child to existing configuration '%s'",
1060 peer_cfg
->get_name(peer_cfg
));
1064 enumerator
->destroy(enumerator
);
1066 child_cfg
= build_child_cfg(this, msg
);
1069 peer_cfg
->destroy(peer_cfg
);
1072 peer_cfg
->add_child_cfg(peer_cfg
, child_cfg
);
1076 peer_cfg
->destroy(peer_cfg
);
1080 /* add config to backend */
1081 DBG1(DBG_CFG
, "added configuration '%s'", msg
->add_conn
.name
);
1082 this->mutex
->lock(this->mutex
);
1083 this->list
->insert_last(this->list
, peer_cfg
);
1084 this->mutex
->unlock(this->mutex
);
1088 METHOD(stroke_config_t
, del
, void,
1089 private_stroke_config_t
*this, stroke_msg_t
*msg
)
1091 enumerator_t
*enumerator
, *children
;
1094 bool deleted
= FALSE
;
1096 this->mutex
->lock(this->mutex
);
1097 enumerator
= this->list
->create_enumerator(this->list
);
1098 while (enumerator
->enumerate(enumerator
, (void**)&peer
))
1102 /* remove any child with such a name */
1103 children
= peer
->create_child_cfg_enumerator(peer
);
1104 while (children
->enumerate(children
, &child
))
1106 if (streq(child
->get_name(child
), msg
->del_conn
.name
))
1108 peer
->remove_child_cfg(peer
, children
);
1109 child
->destroy(child
);
1117 children
->destroy(children
);
1119 /* if peer config matches, or has no children anymore, remove it */
1120 if (!keep
|| streq(peer
->get_name(peer
), msg
->del_conn
.name
))
1122 this->list
->remove_at(this->list
, enumerator
);
1123 peer
->destroy(peer
);
1127 enumerator
->destroy(enumerator
);
1128 this->mutex
->unlock(this->mutex
);
1132 DBG1(DBG_CFG
, "deleted connection '%s'", msg
->del_conn
.name
);
1136 DBG1(DBG_CFG
, "connection '%s' not found", msg
->del_conn
.name
);
1140 METHOD(stroke_config_t
, set_user_credentials
, void,
1141 private_stroke_config_t
*this, stroke_msg_t
*msg
, FILE *prompt
)
1143 enumerator_t
*enumerator
, *children
, *remote_auth
;
1144 peer_cfg_t
*peer
, *found
= NULL
;
1145 auth_cfg_t
*auth_cfg
, *remote_cfg
;
1146 auth_class_t auth_class
;
1148 identification_t
*id
, *identity
, *gw
= NULL
;
1149 shared_key_type_t type
= SHARED_ANY
;
1150 chunk_t password
= chunk_empty
;
1152 this->mutex
->lock(this->mutex
);
1153 enumerator
= this->list
->create_enumerator(this->list
);
1154 while (enumerator
->enumerate(enumerator
, (void**)&peer
))
1155 { /* find the peer (or child) config with the given name */
1156 if (streq(peer
->get_name(peer
), msg
->user_creds
.name
))
1162 children
= peer
->create_child_cfg_enumerator(peer
);
1163 while (children
->enumerate(children
, &child
))
1165 if (streq(child
->get_name(child
), msg
->user_creds
.name
))
1171 children
->destroy(children
);
1179 enumerator
->destroy(enumerator
);
1183 DBG1(DBG_CFG
, " no config named '%s'", msg
->user_creds
.name
);
1184 fprintf(prompt
, "no config named '%s'\n", msg
->user_creds
.name
);
1185 this->mutex
->unlock(this->mutex
);
1189 id
= identification_create_from_string(msg
->user_creds
.username
);
1190 if (strlen(msg
->user_creds
.username
) == 0 ||
1191 !id
|| id
->get_type(id
) == ID_ANY
)
1193 DBG1(DBG_CFG
, " invalid username '%s'", msg
->user_creds
.username
);
1194 fprintf(prompt
, "invalid username '%s'\n", msg
->user_creds
.username
);
1195 this->mutex
->unlock(this->mutex
);
1200 /* replace/set the username in the first EAP auth_cfg, also look for a
1201 * suitable remote ID.
1202 * note that adding the identity here is not fully thread-safe as the
1203 * peer_cfg and in turn the auth_cfg could be in use. for the default use
1204 * case (setting user credentials before upping the connection) this will
1205 * not be a problem, though. */
1206 enumerator
= found
->create_auth_cfg_enumerator(found
, TRUE
);
1207 remote_auth
= found
->create_auth_cfg_enumerator(found
, FALSE
);
1208 while (enumerator
->enumerate(enumerator
, (void**)&auth_cfg
))
1210 if (remote_auth
->enumerate(remote_auth
, (void**)&remote_cfg
))
1211 { /* fall back on rightid, in case aaa_identity is not specified */
1212 identity
= remote_cfg
->get(remote_cfg
, AUTH_RULE_IDENTITY
);
1213 if (identity
&& identity
->get_type(identity
) != ID_ANY
)
1219 auth_class
= (uintptr_t)auth_cfg
->get(auth_cfg
, AUTH_RULE_AUTH_CLASS
);
1220 if (auth_class
== AUTH_CLASS_EAP
)
1222 auth_cfg
->add(auth_cfg
, AUTH_RULE_EAP_IDENTITY
, id
->clone(id
));
1223 /* if aaa_identity is specified use that as remote ID */
1224 identity
= auth_cfg
->get(auth_cfg
, AUTH_RULE_AAA_IDENTITY
);
1225 if (identity
&& identity
->get_type(identity
) != ID_ANY
)
1229 DBG1(DBG_CFG
, " configured EAP-Identity %Y", id
);
1234 enumerator
->destroy(enumerator
);
1235 remote_auth
->destroy(remote_auth
);
1236 /* clone the gw ID before unlocking the mutex */
1241 this->mutex
->unlock(this->mutex
);
1243 if (type
== SHARED_ANY
)
1245 DBG1(DBG_CFG
, " config '%s' unsuitable for user credentials",
1246 msg
->user_creds
.name
);
1247 fprintf(prompt
, "config '%s' unsuitable for user credentials\n",
1248 msg
->user_creds
.name
);
1254 if (msg
->user_creds
.password
)
1258 pass
= msg
->user_creds
.password
;
1259 password
= chunk_clone(chunk_create(pass
, strlen(pass
)));
1260 memwipe(pass
, strlen(pass
));
1263 { /* prompt the user for the password */
1266 fprintf(prompt
, "Password:\n");
1267 if (fgets(buf
, sizeof(buf
), prompt
))
1269 password
= chunk_clone(chunk_create(buf
, strlen(buf
)));
1270 if (password
.len
> 0)
1271 { /* trim trailing \n */
1274 memwipe(buf
, sizeof(buf
));
1280 shared_key_t
*shared
;
1281 linked_list_t
*owners
;
1283 shared
= shared_key_create(type
, password
);
1285 owners
= linked_list_create();
1286 owners
->insert_last(owners
, id
->clone(id
));
1287 if (gw
&& gw
->get_type(gw
) != ID_ANY
)
1289 owners
->insert_last(owners
, gw
->clone(gw
));
1290 DBG1(DBG_CFG
, " added %N secret for %Y %Y", shared_key_type_names
,
1295 DBG1(DBG_CFG
, " added %N secret for %Y", shared_key_type_names
,
1298 this->cred
->add_shared(this->cred
, shared
, owners
);
1299 DBG4(DBG_CFG
, " secret: %#B", &password
);
1302 { /* in case a user answers the password prompt by just pressing enter */
1303 chunk_clear(&password
);
1309 METHOD(stroke_config_t
, destroy
, void,
1310 private_stroke_config_t
*this)
1312 this->list
->destroy_offset(this->list
, offsetof(peer_cfg_t
, destroy
));
1313 this->mutex
->destroy(this->mutex
);
1320 stroke_config_t
*stroke_config_create(stroke_ca_t
*ca
, stroke_cred_t
*cred
,
1321 stroke_attribute_t
*attributes
)
1323 private_stroke_config_t
*this;
1328 .create_peer_cfg_enumerator
= _create_peer_cfg_enumerator
,
1329 .create_ike_cfg_enumerator
= _create_ike_cfg_enumerator
,
1330 .get_peer_cfg_by_name
= _get_peer_cfg_by_name
,
1334 .set_user_credentials
= _set_user_credentials
,
1335 .destroy
= _destroy
,
1337 .list
= linked_list_create(),
1338 .mutex
= mutex_create(MUTEX_TYPE_RECURSIVE
),
1341 .attributes
= attributes
,
1344 return &this->public;