diff options
Diffstat (limited to 'src/charon-cmd/cmd/cmd_connection.c')
-rw-r--r-- | src/charon-cmd/cmd/cmd_connection.c | 498 |
1 files changed, 498 insertions, 0 deletions
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c new file mode 100644 index 000000000..5c459f99f --- /dev/null +++ b/src/charon-cmd/cmd/cmd_connection.c @@ -0,0 +1,498 @@ +/* + * Copyright (C) 2013 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "cmd_connection.h" + +#include <signal.h> +#include <unistd.h> + +#include <utils/debug.h> +#include <processing/jobs/callback_job.h> +#include <threading/thread.h> +#include <daemon.h> + +typedef enum profile_t profile_t; +typedef struct private_cmd_connection_t private_cmd_connection_t; + +/** + * Connection profiles we support + */ +enum profile_t { + PROF_UNDEF, + PROF_V2_PUB, + PROF_V2_EAP, + PROF_V2_PUB_EAP, + PROF_V1_PUB, + PROF_V1_PUB_AM, + PROF_V1_XAUTH, + PROF_V1_XAUTH_AM, + PROF_V1_XAUTH_PSK, + PROF_V1_XAUTH_PSK_AM, + PROF_V1_HYBRID, + PROF_V1_HYBRID_AM, +}; + +ENUM(profile_names, PROF_V2_PUB, PROF_V1_HYBRID_AM, + "ikev2-pub", + "ikev2-eap", + "ikev2-pub-eap", + "ikev1-pub", + "ikev1-pub-am", + "ikev1-xauth", + "ikev1-xauth-am", + "ikev1-xauth-psk", + "ikev1-xauth-psk-am", + "ikev1-hybrid", + "ikev1-hybrid-am", +); + +/** + * Private data of an cmd_connection_t object. + */ +struct private_cmd_connection_t { + + /** + * Public cmd_connection_t interface. + */ + cmd_connection_t public; + + /** + * Process ID to terminate on failure + */ + pid_t pid; + + /** + * List of local traffic selectors + */ + linked_list_t *local_ts; + + /** + * List of remote traffic selectors + */ + linked_list_t *remote_ts; + + /** + * Hostname to connect to + */ + char *host; + + /** + * Server identity, or NULL to use host + */ + char *server; + + /** + * Local identity + */ + char *identity; + + /** + * XAuth/EAP identity + */ + char *xautheap; + + /** + * Is a private key configured + */ + bool key_seen; + + /** + * Selected connection profile + */ + profile_t profile; +}; + +/** + * Shut down application + */ +static void terminate(pid_t pid) +{ + kill(pid, SIGUSR1); +} + +/** + * Create peer config with associated ike config + */ +static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this) +{ + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + u_int16_t local_port, remote_port = IKEV2_UDP_PORT; + ike_version_t version = IKE_ANY; + bool aggressive = FALSE; + + switch (this->profile) + { + case PROF_UNDEF: + case PROF_V2_PUB: + case PROF_V2_EAP: + case PROF_V2_PUB_EAP: + version = IKEV2; + break; + case PROF_V1_PUB_AM: + case PROF_V1_XAUTH_AM: + case PROF_V1_XAUTH_PSK_AM: + case PROF_V1_HYBRID_AM: + aggressive = TRUE; + /* FALL */ + case PROF_V1_PUB: + case PROF_V1_XAUTH: + case PROF_V1_XAUTH_PSK: + case PROF_V1_HYBRID: + version = IKEV1; + break; + } + + local_port = charon->socket->get_port(charon->socket, FALSE); + if (local_port != IKEV2_UDP_PORT) + { + remote_port = IKEV2_NATT_PORT; + } + ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", FALSE, local_port, + this->host, FALSE, remote_port, FRAGMENTATION_NO, 0); + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + peer_cfg = peer_cfg_create("cmd", ike_cfg, + CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ + 36000, 0, /* rekey 10h, reauth none */ + 600, 600, /* jitter, over 10min */ + TRUE, aggressive, /* mobike, aggressive */ + 30, 0, /* DPD delay, timeout */ + FALSE, NULL, NULL); /* mediation */ + peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0)); + + return peer_cfg; +} + +/** + * Add a single auth cfg of given class to peer cfg + */ +static void add_auth_cfg(private_cmd_connection_t *this, peer_cfg_t *peer_cfg, + bool local, auth_class_t class) +{ + identification_t *id; + auth_cfg_t *auth; + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, class); + if (local) + { + id = identification_create_from_string(this->identity); + if (this->xautheap) + { + switch (class) + { + case AUTH_CLASS_EAP: + auth->add(auth, AUTH_RULE_EAP_IDENTITY, + identification_create_from_string(this->xautheap)); + break; + case AUTH_CLASS_XAUTH: + auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, + identification_create_from_string(this->xautheap)); + break; + default: + break; + } + } + } + else + { + if (this->server) + { + id = identification_create_from_string(this->server); + } + else + { + id = identification_create_from_string(this->host); + } + auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE); + } + auth->add(auth, AUTH_RULE_IDENTITY, id); + peer_cfg->add_auth_cfg(peer_cfg, auth, local); +} + +/** + * Attach authentication configs to peer config + */ +static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg) +{ + if (this->profile == PROF_UNDEF) + { + if (this->key_seen) + { + this->profile = PROF_V2_PUB; + } + else + { + this->profile = PROF_V2_EAP; + } + } + switch (this->profile) + { + case PROF_V2_PUB: + case PROF_V2_PUB_EAP: + case PROF_V1_PUB: + case PROF_V1_XAUTH: + case PROF_V1_PUB_AM: + case PROF_V1_XAUTH_AM: + if (!this->key_seen) + { + DBG1(DBG_CFG, "missing private key for profile %N", + profile_names, this->profile); + return FALSE; + } + break; + default: + break; + } + + switch (this->profile) + { + case PROF_V2_PUB: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY); + break; + case PROF_V2_EAP: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY); + break; + case PROF_V2_PUB_EAP: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY); + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY); + break; + case PROF_V1_PUB: + case PROF_V1_PUB_AM: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY); + break; + case PROF_V1_XAUTH: + case PROF_V1_XAUTH_AM: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY); + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY); + break; + case PROF_V1_XAUTH_PSK: + case PROF_V1_XAUTH_PSK_AM: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PSK); + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PSK); + break; + case PROF_V1_HYBRID: + case PROF_V1_HYBRID_AM: + add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH); + add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY); + break; + default: + return FALSE; + } + return TRUE; +} + +/** + * Attach child config to peer config + */ +static child_cfg_t* create_child_cfg(private_cmd_connection_t *this) +{ + child_cfg_t *child_cfg; + traffic_selector_t *ts; + lifetime_cfg_t lifetime = { + .time = { + .life = 10800 /* 3h */, + .rekey = 10200 /* 2h50min */, + .jitter = 300 /* 5min */ + } + }; + + child_cfg = child_cfg_create("cmd", &lifetime, + NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */ + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS) + { + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + } + if (this->remote_ts->get_count(this->remote_ts) == 0) + { + /* add a 0.0.0.0/0 TS for remote side if none given */ + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, + "0.0.0.0", 0, "255.255.255.255", 65535); + this->remote_ts->insert_last(this->remote_ts, ts); + } + while (this->remote_ts->remove_first(this->remote_ts, + (void**)&ts) == SUCCESS) + { + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + } + + return child_cfg; +} + +/** + * Initiate the configured connection + */ +static job_requeue_t initiate(private_cmd_connection_t *this) +{ + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + pid_t pid = this->pid; + + if (!this->host) + { + DBG1(DBG_CFG, "unable to initiate, missing --host option"); + terminate(pid); + return JOB_REQUEUE_NONE; + } + if (!this->identity) + { + DBG1(DBG_CFG, "unable to initiate, missing --identity option"); + terminate(pid); + return JOB_REQUEUE_NONE; + } + + peer_cfg = create_peer_cfg(this); + + if (!add_auth_cfgs(this, peer_cfg)) + { + peer_cfg->destroy(peer_cfg); + terminate(pid); + return JOB_REQUEUE_NONE; + } + + child_cfg = create_child_cfg(this); + peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg)); + + if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, + controller_cb_empty, NULL, 0) != SUCCESS) + { + terminate(pid); + } + return JOB_REQUEUE_NONE; +} + +/** + * Create a traffic selector from string, add to list + */ +static void add_ts(private_cmd_connection_t *this, + linked_list_t *list, char *string) +{ + traffic_selector_t *ts; + + ts = traffic_selector_create_from_cidr(string, 0, 0, 65535); + if (!ts) + { + DBG1(DBG_CFG, "invalid traffic selector: %s", string); + exit(1); + } + list->insert_last(list, ts); +} + +/** + * Parse profile name identifier + */ +static void set_profile(private_cmd_connection_t *this, char *name) +{ + int profile; + + profile = enum_from_name(profile_names, name); + if (profile == -1) + { + DBG1(DBG_CFG, "unknown connection profile: %s", name); + exit(1); + } + this->profile = profile; +} + +METHOD(cmd_connection_t, handle, bool, + private_cmd_connection_t *this, cmd_option_type_t opt, char *arg) +{ + switch (opt) + { + case CMD_OPT_HOST: + this->host = arg; + break; + case CMD_OPT_REMOTE_IDENTITY: + this->server = arg; + break; + case CMD_OPT_IDENTITY: + this->identity = arg; + break; + case CMD_OPT_EAP_IDENTITY: + case CMD_OPT_XAUTH_USER: + this->xautheap = arg; + break; + case CMD_OPT_RSA: + case CMD_OPT_AGENT: + case CMD_OPT_PKCS12: + this->key_seen = TRUE; + break; + case CMD_OPT_LOCAL_TS: + add_ts(this, this->local_ts, arg); + break; + case CMD_OPT_REMOTE_TS: + add_ts(this, this->remote_ts, arg); + break; + case CMD_OPT_PROFILE: + set_profile(this, arg); + break; + default: + return FALSE; + } + return TRUE; +} + +METHOD(cmd_connection_t, destroy, void, + private_cmd_connection_t *this) +{ + this->local_ts->destroy_offset(this->local_ts, + offsetof(traffic_selector_t, destroy)); + this->remote_ts->destroy_offset(this->remote_ts, + offsetof(traffic_selector_t, destroy)); + free(this); +} + +/** + * See header + */ +cmd_connection_t *cmd_connection_create() +{ + private_cmd_connection_t *this; + + INIT(this, + .public = { + .handle = _handle, + .destroy = _destroy, + }, + .pid = getpid(), + .local_ts = linked_list_create(), + .remote_ts = linked_list_create(), + .profile = PROF_UNDEF, + ); + + /* always include the virtual IP in traffic selector list */ + this->local_ts->insert_last(this->local_ts, + traffic_selector_create_dynamic(0, 0, 65535)); + + /* queue job, gets initiated as soon as we are up and running */ + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)initiate, this, NULL, + (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); + + return &this->public; +} |