Diffstat (limited to 'src/charon/config/backends')
-rw-r--r-- | src/charon/config/backends/backend.h | 96 | ||||
-rw-r--r-- | src/charon/config/backends/local_backend.c | 274 | ||||
-rw-r--r-- | src/charon/config/backends/local_backend.h | 60 | ||||
-rw-r--r-- | src/charon/config/backends/writeable_backend.h | 64 |
4 files changed, 494 insertions, 0 deletions
diff --git a/src/charon/config/backends/backend.h b/src/charon/config/backends/backend.h
new file mode 100644
index 000000000..acab660b6
--- /dev/null
+++ b/src/charon/config/backends/backend.h
@@ -0,0 +1,96 @@
+/**
+ * @file backend.h
+ *
+ * @brief Interface backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef BACKEND_H_
+#define BACKEND_H_
+
+typedef struct backend_t backend_t;
+
+#include <library.h>
+#include <config/ike_cfg.h>
+#include <config/peer_cfg.h>
+#include <utils/linked_list.h>
+
+/**
+ * @brief The interface for a configuration backend.
+ *
+ * A configuration backend is loaded by the backend_manager. It does the actual
+ * configuration lookup for the method it implements. See backend_manager_t for
+ * more information.
+ *
+ * @b Constructors:
+ * - implementations constructors
+ *
+ * @ingroup backends
+ */
+struct backend_t {
+
+ /**
+ * @brief Get an ike_cfg identified by two hosts.
+ *
+ * @param this calling object
+ * @param my_host address of own host
+ * @param other_host address of remote host
+ * @return matching ike_config, or NULL if none found
+ */
+ ike_cfg_t *(*get_ike_cfg)(backend_t *this,
+ host_t *my_host, host_t *other_host);
+
+ /**
+ * @brief Get a peer_cfg identified by two IDs.
+ *
+ * Select a config based on the two IDs and the other's certificate issuer
+ *
+ * @param this calling object
+ * @param my_id own ID
+ * @param other_id peer ID
+ * @param other_ca_info info record on issuer of peer certificate
+ * @return matching peer_config, or NULL if none found
+ */
+ peer_cfg_t *(*get_peer_cfg)(backend_t *this,
+ identification_t *my_id, identification_t *other_id,
+ ca_info_t *other_ca_info);
+
+ /**
+ * @brief Check if a backend is writable and implements writable_backend_t.
+ *
+ * @param this calling object
+ * @return TRUE if backend implements writable_backend_t.
+ */
+ bool (*is_writeable)(backend_t *this);
+
+ /**
+ * @brief Destroy a backend.
+ *
+ * @param this calling object
+ */
+ void (*destroy)(backend_t *this);
+};
+
+
+/**
+ * Construction to create a backend.
+ */
+typedef backend_t*(*backend_constructor_t)(void);
+
+#endif /* BACKEND_H_ */
+
diff --git a/src/charon/config/backends/local_backend.c b/src/charon/config/backends/local_backend.c
new file mode 100644
index 000000000..2e80cc870
--- /dev/null
+++ b/src/charon/config/backends/local_backend.c
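Review bot: The @return lines of get_ike_cfg and get_peer_cfg do not say who owns the returned config, yet local_backend.c in this same commit calls found->get_ref(found) before returning, so the caller receives its own reference and is responsible for releasing it; the header should make that explicit, e.g. `@return matching ike_config (caller holds a reference and must destroy it), or NULL if none found`, and likewise for peer_config. The is_writeable documentation refers twice to writable_backend_t, but the type this commit introduces is writeable_backend_t; the comment should use the real name so readers can find the header. The comment on backend_constructor_t, "Construction to create a backend.", would read better as `Constructor function type used to create a backend instance.`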
@@ -0,0 +1,274 @@
+/**
+ * @file local_backend.c
+ *
+ * @brief Implementation of local_backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "local_backend.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <crypto/ca.h>
+
+
+typedef struct private_local_backend_t private_local_backend_t;
+
+/**
+ * Private data of an local_backend_t object
+ */
+struct private_local_backend_t {
+
+ /**
+ * Public part
+ */
+ local_backend_t public;
+
+ /**
+ * list of configs
+ */
+ linked_list_t *cfgs;
+
+ /**
+ * Mutex to exclusivly access list
+ */
+ pthread_mutex_t mutex;
+};
+
+/**
+ * implements backen_t.get_ike_cfg.
+ */
+static ike_cfg_t *get_ike_cfg(private_local_backend_t *this,
+ host_t *my_host, host_t *other_host)
+{
+ peer_cfg_t *peer;
+ ike_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+ host_t *my_candidate, *other_candidate;
+ enum {
+ MATCH_NONE = 0x00,
+ MATCH_ANY = 0x01,
+ MATCH_ME = 0x04,
+ MATCH_OTHER = 0x08,
+ } prio, best = MATCH_ANY;
+
+ DBG2(DBG_CFG, "looking for a config for %H...%H",
+ my_host, other_host);
+
+ iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex);
+ while (iterator->iterate(iterator, (void**)&peer))
+ {
+ prio = MATCH_NONE;
+ current = peer->get_ike_cfg(peer);
+ my_candidate = current->get_my_host(current);
+ other_candidate = current->get_other_host(current);
+
+ if (my_candidate->ip_equals(my_candidate, my_host))
+ {
+ prio += MATCH_ME;
+ }
+ else if (my_candidate->is_anyaddr(my_candidate))
+ {
+ prio += MATCH_ANY;
+ }
+
+ if (other_candidate->ip_equals(other_candidate, other_host))
+ {
+ prio += MATCH_OTHER;
+ }
+ else if (other_candidate->is_anyaddr(other_candidate))
+ {
+ prio += MATCH_ANY;
+ }
+
+ DBG2(DBG_CFG, " candidate '%s': %H...%H, prio %d",
+ peer->get_name(peer), my_candidate, other_candidate, prio);
+
+ /* we require at least two MATCH_ANY */
+ if (prio > best)
+ {
+ best = prio;
+ found = current;
+ }
+ }
+ if (found)
+ {
+ found->get_ref(found);
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+#define PRIO_NO_MATCH_FOUND 256
+
+/**
+ * implements backend_t.get_peer.
+ */
+static peer_cfg_t *get_peer_cfg(private_local_backend_t *this,
+ identification_t *my_id, identification_t *other_id,
+ ca_info_t *other_ca_info)
+{
+ peer_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+ identification_t *my_candidate, *other_candidate;
+ int best = PRIO_NO_MATCH_FOUND;
+
+ DBG2(DBG_CFG, "looking for a config for %D...%D", my_id, other_id);
+
+ iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex);
+ while (iterator->iterate(iterator, (void**)¤t))
+ {
+ int wc1, wc2;
+
+ my_candidate = current->get_my_id(current);
+ other_candidate = current->get_other_id(current);
+
+ if (my_candidate->matches(my_candidate, my_id, &wc1)
+ && other_id->matches(other_id, other_candidate, &wc2))
+ {
+ int prio = (wc1 + wc2) * (MAX_CA_PATH_LEN + 1);
+ int pathlen = 0;
+ identification_t *other_candidate_ca = current->get_other_ca(current);
+
+ /* are there any ca constraints? */
+ if (other_candidate_ca->get_type(other_candidate_ca) != ID_ANY)
+ {
+ ca_info_t *ca_info = other_ca_info;
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ if (ca_info == NULL)
+ {
+ prio = PRIO_NO_MATCH_FOUND;
+ break;
+ }
+ else
+ {
+ x509_t *cacert = ca_info->get_certificate(ca_info);
+ identification_t *other_ca = cacert->get_subject(cacert);
+
+ if (other_candidate_ca->equals(other_candidate_ca, other_ca))
+ {
+ /* found a ca match */
+ break;
+ }
+ if (cacert->is_self_signed(cacert))
+ {
+ /* reached the root ca without a match */
+ prio = PRIO_NO_MATCH_FOUND;
+ break;
+ }
+ /* move a level upward in the trust path hierarchy */
+ ca_info = charon->credentials->get_issuer(charon->credentials, cacert);
+ }
+ }
+ if (pathlen == MAX_CA_PATH_LEN)
+ {
+ DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN);
+ prio = PRIO_NO_MATCH_FOUND;
+ }
+ }
+ if (prio == PRIO_NO_MATCH_FOUND)
+ {
+ DBG2(DBG_CFG, " candidate '%s': %D...%D, no ca match",
+ current->get_name(current), my_candidate, other_candidate);
+ }
+ else
+ {
+ prio += pathlen;
+ DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d",
+ current->get_name(current), my_candidate, other_candidate, prio);
+
+ if (prio < best)
+ {
+ found = current;
+ best = prio;
+ }
+ }
+ }
+ }
+ if (found)
+ {
+ DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d",
+ found->get_name(found),
+ found->get_my_id(found),
+ found->get_other_id(found),
+ best);
+ found->get_ref(found);
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of backend_t.is_writable.
+ */
+static bool is_writeable(private_local_backend_t *this)
+{
+ return TRUE;
+}
+
+/**
+ * Implementation of writable_backend_t.create_iterator.
+ */
+static iterator_t* create_iterator(private_local_backend_t *this)
+{
+ return this->cfgs->create_iterator_locked(this->cfgs, &this->mutex);
+}
+
+/**
+ * Implementation of writable_backend_t.add_peer_cfg.
+ */
+static void add_cfg(private_local_backend_t *this, peer_cfg_t *config)
+{
+ pthread_mutex_lock(&this->mutex);
+ this->cfgs->insert_last(this->cfgs, config);
+ pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Implementation of backend_t.destroy.
+ */
+static void destroy(private_local_backend_t *this)
+{
+ this->cfgs->destroy_offset(this->cfgs, offsetof(peer_cfg_t, destroy));
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+backend_t *backend_create(void)
+{
+ private_local_backend_t *this = malloc_thing(private_local_backend_t);
+
+ this->public.backend.backend.get_ike_cfg = (ike_cfg_t* (*)(backend_t*, host_t*, host_t*))get_ike_cfg;
+ this->public.backend.backend.get_peer_cfg = (peer_cfg_t* (*)(backend_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg;
+ this->public.backend.backend.is_writeable = (bool(*) (backend_t*))is_writeable;
+ this->public.backend.backend.destroy = (void (*)(backend_t*))destroy;
+ this->public.backend.create_iterator = (iterator_t* (*)(writeable_backend_t*))create_iterator;
+ this->public.backend.add_cfg = (void (*)(writeable_backend_t*,peer_cfg_t*))add_cfg;
+
+ /* private variables */
+ this->cfgs = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+
+ return &this->public.backend.backend;
+}
diff --git a/src/charon/config/backends/local_backend.h b/src/charon/config/backends/local_backend.h
new file mode 100644
index 000000000..b33c6443b
--- /dev/null
+++ b/src/charon/config/backends/local_backend.h
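Review bot: destroy() frees the object without releasing the mutex that backend_create() set up with pthread_mutex_init(); add `pthread_mutex_destroy(&this->mutex);` before `free(this);` so the mutex's resources are returned on every platform, not just those where a mutex is a plain integer. Separately, the two identity checks in get_peer_cfg are not written the same way: the configured candidate is the receiver in `my_candidate->matches(my_candidate, my_id, &wc1)` but the argument in `other_id->matches(other_id, other_candidate, &wc2)`; if identification_t.matches() treats only its receiver as the wildcard side, one of the two calls is reversed and a wildcard other_id in a peer config would never match — confirm against identification.h and make both calls consistent, since this decides which peer_cfg a connecting peer is authenticated against. The is_writeable, create_iterator and add_cfg header comments name backend_t.is_writable, writable_backend_t and add_peer_cfg, none of which exist under those names; they should say backend_t.is_writeable, writeable_backend_t and add_cfg.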
@@ -0,0 +1,60 @@
+/**
+ * @file local_backend.h
+ *
+ * @brief Interface of local_backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_BACKEND_H_
+#define LOCAL_BACKEND_H_
+
+typedef struct local_backend_t local_backend_t;
+
+#include <library.h>
+#include <config/backends/writeable_backend.h>
+
+/**
+ * @brief An in-memory backend to store configurations.
+ *
+ * The local_backend_t stores the configuration in a simple list. It
+ * implements both, backend_t and writeable_backend_t.
+ *
+ * @b Constructors:
+ * - local_backend_create()
+ *
+ * @ingroup backends
+ */
+struct local_backend_t {
+
+ /**
+ * Implements writable_backend_t interface
+ */
+ writeable_backend_t backend;
+};
+
+/**
+ * @brief Create a backend_t instance implemented as local backend.
+ *
+ * @return backend instance
+ *
+ * @ingroup backends
+ */
+backend_t *backend_create(void);
+
+#endif /* LOCAL_BACKEND_H_ */
+
diff --git a/src/charon/config/backends/writeable_backend.h b/src/charon/config/backends/writeable_backend.h
new file mode 100644
index 000000000..ea62f62c9
--- /dev/null
+++ b/src/charon/config/backends/writeable_backend.h
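Review bot: The class comment lists `local_backend_create()` as the constructor, but the only declaration in this header is `backend_t *backend_create(void);`, so one of the two is wrong; either the comment should say `backend_create()` or the function should be renamed to match. backend_create is also a very generic name for an exported symbol: if a second backend implementation with the same constructor name were ever linked into charon statically the two would collide, so a backend-specific name seems safer — hedged, since the loading mechanism behind backend_constructor_t is not visible in this commit. The @return line should also state that the returned backend_t is owned by the caller and released through its destroy() member, which is what local_backend.c's destroy() implements.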
@@ -0,0 +1,64 @@
+/**
+ * @file writeable_backend.h
+ *
+ * @brief Interface of writeable_backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef WRITEABLE_BACKEND_H_
+#define WRITEABLE_BACKEND_H_
+
+typedef struct writeable_backend_t writeable_backend_t;
+
+#include <library.h>
+#include <config/backends/backend.h>
+
+/**
+ * @brief A writeable backend extends backend_t by modification functions.
+ *
+ * @b Constructors:
+ * - writeable_backend_create()
+ *
+ * @ingroup backends
+ */
+struct writeable_backend_t {
+
+ /**
+ * Implements backend_t interface
+ */
+ backend_t backend;
+
+ /**
+ * @brief Add a peer_config to the backend.
+ *
+ * @param this calling object
+ * @param config peer_config to add to the backend
+ */
+ void (*add_cfg)(writeable_backend_t *this, peer_cfg_t *config);
+
+ /**
+ * @brief Create an iterator over all peer configs.
+ *
+ * @param this calling object
+ * @return iterator over peer configs
+ */
+ iterator_t* (*create_iterator)(writeable_backend_t *this);
+};
+
+#endif /* WRITEABLE_BACKEND_H_ */
+ |
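Review bot: The create_iterator contract does not say what the returned iterator holds: local_backend.c implements it with create_iterator_locked(this->cfgs, &this->mutex), so the backend mutex is presumably held until the caller destroys the iterator, and add_cfg as well as the get_ike_cfg/get_peer_cfg lookups block meanwhile; the @return line should state this, e.g. `@return iterator over peer configs; the backend stays locked until the iterator is destroyed, so release it promptly`. The add_cfg documentation should likewise say that the backend takes ownership of config, which is what local_backend.c's destroy_offset(..., offsetof(peer_cfg_t, destroy)) implies. The @b Constructors entry names writeable_backend_create(), which this commit does not declare anywhere; as this is an interface implemented by local_backend_t, it should point to the implementations' constructors the way backend.h does.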