Imported Upstream version 5.1.0

1 files changed, 498 insertions, 0 deletions

diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
new file mode 100644
index 000000000..5c459f99f
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -0,0 +1,498 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_connection.h"
+
+#include <signal.h>
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <daemon.h>
+
+typedef enum profile_t profile_t;
+typedef struct private_cmd_connection_t private_cmd_connection_t;
+
+/**
+ * Connection profiles we support
+ */
+enum profile_t {
+	PROF_UNDEF,
+	PROF_V2_PUB,
+	PROF_V2_EAP,
+	PROF_V2_PUB_EAP,
+	PROF_V1_PUB,
+	PROF_V1_PUB_AM,
+	PROF_V1_XAUTH,
+	PROF_V1_XAUTH_AM,
+	PROF_V1_XAUTH_PSK,
+	PROF_V1_XAUTH_PSK_AM,
+	PROF_V1_HYBRID,
+	PROF_V1_HYBRID_AM,
+};
+
+ENUM(profile_names, PROF_V2_PUB, PROF_V1_HYBRID_AM,
+	"ikev2-pub",
+	"ikev2-eap",
+	"ikev2-pub-eap",
+	"ikev1-pub",
+	"ikev1-pub-am",
+	"ikev1-xauth",
+	"ikev1-xauth-am",
+	"ikev1-xauth-psk",
+	"ikev1-xauth-psk-am",
+	"ikev1-hybrid",
+	"ikev1-hybrid-am",
+);
+
+/**
+ * Private data of an cmd_connection_t object.
+ */
+struct private_cmd_connection_t {
+
+	/**
+	 * Public cmd_connection_t interface.
+	 */
+	cmd_connection_t public;
+
+	/**
+	 * Process ID to terminate on failure
+	 */
+	pid_t pid;
+
+	/**
+	 * List of local traffic selectors
+	 */
+	linked_list_t *local_ts;
+
+	/**
+	 * List of remote traffic selectors
+	 */
+	linked_list_t *remote_ts;
+
+	/**
+	 * Hostname to connect to
+	 */
+	char *host;
+
+	/**
+	 * Server identity, or NULL to use host
+	 */
+	char *server;
+
+	/**
+	 * Local identity
+	 */
+	char *identity;
+
+	/**
+	 * XAuth/EAP identity
+	 */
+	char *xautheap;
+
+	/**
+	 * Is a private key configured
+	 */
+	bool key_seen;
+
+	/**
+	 * Selected connection profile
+	 */
+	profile_t profile;
+};
+
+/**
+ * Shut down application
+ */
+static void terminate(pid_t pid)
+{
+	kill(pid, SIGUSR1);
+}
+
+/**
+ * Create peer config with associated ike config
+ */
+static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
+{
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
+	ike_version_t version = IKE_ANY;
+	bool aggressive = FALSE;
+
+	switch (this->profile)
+	{
+		case PROF_UNDEF:
+		case PROF_V2_PUB:
+		case PROF_V2_EAP:
+		case PROF_V2_PUB_EAP:
+			version = IKEV2;
+			break;
+		case PROF_V1_PUB_AM:
+		case PROF_V1_XAUTH_AM:
+		case PROF_V1_XAUTH_PSK_AM:
+		case PROF_V1_HYBRID_AM:
+			aggressive = TRUE;
+			/* FALL */
+		case PROF_V1_PUB:
+		case PROF_V1_XAUTH:
+		case PROF_V1_XAUTH_PSK:
+		case PROF_V1_HYBRID:
+			version = IKEV1;
+			break;
+	}
+
+	local_port = charon->socket->get_port(charon->socket, FALSE);
+	if (local_port != IKEV2_UDP_PORT)
+	{
+		remote_port = IKEV2_NATT_PORT;
+	}
+	ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", FALSE, local_port,
+					this->host, FALSE, remote_port, FRAGMENTATION_NO, 0);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	peer_cfg = peer_cfg_create("cmd", ike_cfg,
+					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
+					36000, 0, /* rekey 10h, reauth none */
+					600, 600, /* jitter, over 10min */
+					TRUE, aggressive, /* mobike, aggressive */
+					30, 0, /* DPD delay, timeout */
+					FALSE, NULL, NULL); /* mediation */
+	peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+
+	return peer_cfg;
+}
+
+/**
+ * Add a single auth cfg of given class to peer cfg
+ */
+static void add_auth_cfg(private_cmd_connection_t *this, peer_cfg_t *peer_cfg,
+						 bool local, auth_class_t class)
+{
+	identification_t *id;
+	auth_cfg_t *auth;
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
+	if (local)
+	{
+		id = identification_create_from_string(this->identity);
+		if (this->xautheap)
+		{
+			switch (class)
+			{
+				case AUTH_CLASS_EAP:
+					auth->add(auth, AUTH_RULE_EAP_IDENTITY,
+							identification_create_from_string(this->xautheap));
+					break;
+				case AUTH_CLASS_XAUTH:
+					auth->add(auth, AUTH_RULE_XAUTH_IDENTITY,
+							identification_create_from_string(this->xautheap));
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	else
+	{
+		if (this->server)
+		{
+			id = identification_create_from_string(this->server);
+		}
+		else
+		{
+			id = identification_create_from_string(this->host);
+		}
+		auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+	}
+	auth->add(auth, AUTH_RULE_IDENTITY, id);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+}
+
+/**
+ * Attach authentication configs to peer config
+ */
+static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
+{
+	if (this->profile == PROF_UNDEF)
+	{
+		if (this->key_seen)
+		{
+			this->profile = PROF_V2_PUB;
+		}
+		else
+		{
+			this->profile = PROF_V2_EAP;
+		}
+	}
+	switch (this->profile)
+	{
+		case PROF_V2_PUB:
+		case PROF_V2_PUB_EAP:
+		case PROF_V1_PUB:
+		case PROF_V1_XAUTH:
+		case PROF_V1_PUB_AM:
+		case PROF_V1_XAUTH_AM:
+			if (!this->key_seen)
+			{
+				DBG1(DBG_CFG, "missing private key for profile %N",
+					 profile_names, this->profile);
+				return FALSE;
+			}
+			break;
+		default:
+			break;
+	}
+
+	switch (this->profile)
+	{
+		case PROF_V2_PUB:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V2_EAP:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V2_PUB_EAP:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V1_PUB:
+		case PROF_V1_PUB_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		case PROF_V1_XAUTH:
+		case PROF_V1_XAUTH_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		case PROF_V1_XAUTH_PSK:
+		case PROF_V1_XAUTH_PSK_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PSK);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PSK);
+			break;
+		case PROF_V1_HYBRID:
+		case PROF_V1_HYBRID_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		default:
+			return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Attach child config to peer config
+ */
+static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
+{
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800 /* 3h */,
+			.rekey = 10200 /* 2h50min */,
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	child_cfg = child_cfg_create("cmd", &lifetime,
+								 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
+	{
+		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	}
+	if (this->remote_ts->get_count(this->remote_ts) == 0)
+	{
+		/* add a 0.0.0.0/0 TS for remote side if none given */
+		ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
+									"0.0.0.0", 0, "255.255.255.255", 65535);
+		this->remote_ts->insert_last(this->remote_ts, ts);
+	}
+	while (this->remote_ts->remove_first(this->remote_ts,
+										 (void**)&ts) == SUCCESS)
+	{
+		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	}
+
+	return child_cfg;
+}
+
+/**
+ * Initiate the configured connection
+ */
+static job_requeue_t initiate(private_cmd_connection_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	pid_t pid = this->pid;
+
+	if (!this->host)
+	{
+		DBG1(DBG_CFG, "unable to initiate, missing --host option");
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+	if (!this->identity)
+	{
+		DBG1(DBG_CFG, "unable to initiate, missing --identity option");
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+
+	peer_cfg = create_peer_cfg(this);
+
+	if (!add_auth_cfgs(this, peer_cfg))
+	{
+		peer_cfg->destroy(peer_cfg);
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+
+	child_cfg = create_child_cfg(this);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+
+	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+									 controller_cb_empty, NULL, 0) != SUCCESS)
+	{
+		terminate(pid);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Create a traffic selector from string, add to list
+ */
+static void add_ts(private_cmd_connection_t *this,
+				   linked_list_t *list, char *string)
+{
+	traffic_selector_t *ts;
+
+	ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
+	if (!ts)
+	{
+		DBG1(DBG_CFG, "invalid traffic selector: %s", string);
+		exit(1);
+	}
+	list->insert_last(list, ts);
+}
+
+/**
+ * Parse profile name identifier
+ */
+static void set_profile(private_cmd_connection_t *this, char *name)
+{
+	int profile;
+
+	profile = enum_from_name(profile_names, name);
+	if (profile == -1)
+	{
+		DBG1(DBG_CFG, "unknown connection profile: %s", name);
+		exit(1);
+	}
+	this->profile = profile;
+}
+
+METHOD(cmd_connection_t, handle, bool,
+	private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
+{
+	switch (opt)
+	{
+		case CMD_OPT_HOST:
+			this->host = arg;
+			break;
+		case CMD_OPT_REMOTE_IDENTITY:
+			this->server = arg;
+			break;
+		case CMD_OPT_IDENTITY:
+			this->identity = arg;
+			break;
+		case CMD_OPT_EAP_IDENTITY:
+		case CMD_OPT_XAUTH_USER:
+			this->xautheap = arg;
+			break;
+		case CMD_OPT_RSA:
+		case CMD_OPT_AGENT:
+		case CMD_OPT_PKCS12:
+			this->key_seen = TRUE;
+			break;
+		case CMD_OPT_LOCAL_TS:
+			add_ts(this, this->local_ts, arg);
+			break;
+		case CMD_OPT_REMOTE_TS:
+			add_ts(this, this->remote_ts, arg);
+			break;
+		case CMD_OPT_PROFILE:
+			set_profile(this, arg);
+			break;
+		default:
+			return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(cmd_connection_t, destroy, void,
+	private_cmd_connection_t *this)
+{
+	this->local_ts->destroy_offset(this->local_ts,
+								offsetof(traffic_selector_t, destroy));
+	this->remote_ts->destroy_offset(this->remote_ts,
+								offsetof(traffic_selector_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+cmd_connection_t *cmd_connection_create()
+{
+	private_cmd_connection_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.destroy = _destroy,
+		},
+		.pid = getpid(),
+		.local_ts = linked_list_create(),
+		.remote_ts = linked_list_create(),
+		.profile = PROF_UNDEF,
+	);
+
+	/* always include the virtual IP in traffic selector list */
+	this->local_ts->insert_last(this->local_ts,
+								traffic_selector_create_dynamic(0, 0, 65535));
+
+	/* queue job, gets initiated as soon as we are up and running */
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio(
+			(callback_job_cb_t)initiate, this, NULL,
+			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}